Saturday, October 3, 2015

WU-5QLi-5C4NN3R SQL Injection Scanner

##################################################################################
# WU-5QLi-5C4NN3R (WU-5C4NN3R)                           #
# ----------------------------                           #
# Author: c0d3Lib™ - Released on 05-Sep-2015.                  #
# Site URL : http://blog.indonesiancoder.com                   #
# Contact : bytekod32[at]gmail.com                         #
# Thanks to Antihackerlink Repository and IndonesianCoder (IDC).         #
#                                         #
# Proof Of Concept (POC).                             #
# ----------------------                              #
# Example - Save this page as 'index.php'                     #
# Cut Here --------------------------------------------------------------------- #
# <?php
# $mysql_hostname = "localhost";
# $mysql_user = "root";
# $mysql_password = "";
# $mysql_database = "db_autoload";
# $connection = mysql_connect($mysql_hostname, $mysql_user, $mysql_password) or die ("Please check your connection");
# mysql_select_db($mysql_database, $connection) or die("Please check your database");
#
# $strSQL = mysql_query("SELECT emp_idx FROM `employees`);
# while($row = mysql_fetch_array($strSQL)){
#  echo $row['emp_id'];
# }
# ?>
# ------------------------------------------------------------------------------ #
# Note : put a wrong query at column 'emp_id'.                    #
# The result will be :                               #
# --------------------                               #
# Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\csvsample\index.php
##################################################################################
#!/usr/bin/perl
use strict;
use LWP::UserAgent;

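# Windows console commands (clear screen, green text).  On other systems the
# shell simply reports an unknown command; the script does not depend on them.
system("CLS");
system("COLOR A");

# NOTE(review): the preamble enables strict but not warnings; consider adding
# 'use warnings;' next to 'use strict;'.

# Validate the command line before anything touches the network.  The original
# built the user agent and issued a GET for $ARGV[0] *before* this check, so a
# missing argument still produced a request whose result was never used.
if (@ARGV != 1) {
print "\n
\tWU-5QLi-5C4NN3R (WU-5C4NN3R)
\t\t    bY
\t\t::c0d3Lib::\n
\tfile : wu5c4nr.pl
\thow to use : $0 <site>
\texe  : $0 site.com\n";
exit(0);
}

my $site = $ARGV[0];

# File-scoped user agent: every sub below refers to $ua directly, so it must
# stay a file-level lexical declared ahead of them.
my $ua = LWP::UserAgent->new;

# wu3xec returns the report text (a finding or the "nothing found" message).
my $run = wu3xec($site);
print $run;
exit(0);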

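sub wu3xec {
  # Entry point of the scan.  Checks the start page $auth itself, then the
  # links reachable from it up to three levels deep.  Returns the report text:
  # the finding produced by errmessage() for the first link that triggers a
  # signature, or the "nothing found" banner.  The caller prints the result
  # and exits, so this sub no longer calls exit() itself.
  my ($auth) = @_;

  # The start page is probed as given (no '=' rewriting), as in the original.
  my $errtxt = checkvulns($auth);
  if (defined $errtxt && length($errtxt) > 0) {
    print "[+] Check Lynx : $auth\r";
    return $errtxt;
  }

  my @level0n3 = pr1ntth3lynx($auth);
  shift(@level0n3);                 # pr1ntth3lynx seeds its list with one empty entry
  for my $link (@level0n3) {
    my $hit = _scan_link($link, 1);
    return $hit if defined $hit;
  }

  # The original reached this point through 'length(my $errtxt) <= 0', which
  # tested a freshly declared (undef) variable and relied on the if-block's
  # last expression as an implicit return value; the return is now explicit.
  my $printtext = "\n[+] No SQL Injection Vulnerability/s Found!\n\n";
  $printtext .= "\t::c0d3Lib::\n";
  return $printtext;
}

sub _scan_link {
  # Probe one link, then (while $depth < 3) recurse into the links on its page.
  # Returns the finding text, or nothing when this subtree is clean.
  #
  # This replaces the three hand-nested loops of the original, which checked
  # levels one to three.  The original additionally fetched the links of every
  # level-three page (@levelf0ur) and discarded them unchecked; that request is
  # dropped here.  The link is probed before its page is fetched, so a hit no
  # longer costs an extra page load.
  my ($link, $depth) = @_;

  my $errtxt = ch3ckth3lynx($link);
  return $errtxt if defined $errtxt && length($errtxt) > 0;
  return if $depth >= 3;

  my @children = pr1ntth3lynx($link);
  shift(@children);                 # drop the seed entry (see wu3xec)
  for my $child (@children) {
    my $hit = _scan_link($child, $depth + 1);
    return $hit if defined $hit;
  }
  return;
}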

sub pr1ntth3lynx {
  # Fetch $lynx and return the href values of its first 13 "<a href=" anchors.
  # The returned list always starts with one empty entry, which every caller
  # shift()s off before using it.  A failed fetch yields nothing.
  my ($lynx) = @_;
  my $response = $ua->get($lynx);
  return () unless $response->is_success;

  my $html      = $response->content;
  my @lines     = split(/<a href=/, $html);
  my @lynxlevel = ("");
  my $find      = '">';          # the two characters that end an href value
  system("title [+] Please wait while queue the links ...");

  LINE: for my $linecnt (0 .. $#lines) {
    # Upper bound for the character scan below.  Only $lines[0] actually
    # reaches ridnextline: the array is flattened into @_ and ridnextline reads
    # a single element of it.
    my $htmlcnt = ridnextline($linecnt, $html, @lines);

    # The original spelled out the offset arithmetic once per index and
    # stopped at 12, so anchors beyond the 13th are never extracted.
    if ($linecnt <= 12) {
      # Offset just past the opening quote of this anchor's href: each
      # fragment up to and including this one contributes its length plus 9
      # (presumably 8 for "<a href=" and 1 for the quote).
      my $base = 0;
      $base += length($lines[$_]) + 9 for 0 .. $linecnt;

      for (my $i = 0; $i <= $htmlcnt; $i++) {
        next unless substr($html, $base + $i, 2) eq $find;
        # Same (-$linecnt, +$linecnt) adjustment the original applied per level.
        push(@lynxlevel, substr($html, $base - $linecnt, $i + $linecnt));
        next LINE;
      }
    }
    # Reached only when no '">' was found for this fragment.
    print "[+] Check Lynx : $lynx\r";
  }
  return @lynxlevel;
}

sub ch3ckth3lynx {
  # Probe one link: keep everything up to its first '=' and append the probe
  # suffix the original used, then hand that URL to checkvulns and return its
  # text.  Links without an '=' are skipped and nothing is returned.
  my ($lynx) = @_;
  system("title [+] Please wait while working ...");

  my $eq_pos = index($lynx, '=');
  return if $eq_pos < 0;

  # The trailing "\n" is kept exactly as the original built the URL.
  my $nulynx = substr($lynx, 0, $eq_pos) . "=-100\n";
  return checkvulns($nulynx);
}

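sub errmessage {
  # Build the report line for a finding and save a copy to disk.
  #   $got      - verdict text chosen by checkvulns
  #   $nulynx   - the URL that produced it
  #   $savefile - optional output path; defaults to the original's hard-coded
  #               'i:\savelinks.txt' (a Windows drive path) for compatibility
  # Returns the report text.  Saving is best-effort: the original ignored a
  # failed open silently; this version warns and still returns the text.
  my ($got, $nulynx, $savefile) = @_;
  $savefile = 'i:\savelinks.txt' unless defined $savefile;

  my $printtext = "\n[+] The url $nulynx is $got\n\n";
  $printtext .= "\t::c0d3Lib::\n";

  # '>' truncates, so only the most recent finding is kept -- unchanged from
  # the original, where the scan stops after the first finding anyway.
  if (open my $fh, '>', $savefile) {
    print {$fh} $printtext;
    close $fh or warn "close $savefile: $!";
  } else {
    warn "open $savefile: $!";
  }
  return $printtext;
}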

sub ridnextline {
  # Scan bound used by pr1ntth3lynx for fragment number $linecnt (0..12).
  # Returns nothing for any other index.
  #
  # Only the first fragment is visible here: the caller passes its @lines
  # flattened into @_, and the original read $_[2] alone.  Kept as-is so the
  # bound the caller relies on does not change.
  my ($linecnt, $html, $first_line) = @_;
  my @lines = ($first_line);

  return unless $linecnt == int($linecnt) && $linecnt >= 0 && $linecnt <= 12;

  # Same expression the original wrote out once per index:
  #   length($html) - length($lines[0]) + length($lines[1..$linecnt]) + 9 x ($linecnt+1) - 9
  my $htmlcnt = length($html) - length($lines[0]);
  $htmlcnt += length($lines[$_]) for 1 .. $linecnt;   # undef past index 0, counts as 0
  # 'x' is string repetition here ("9", "99", "999", ...), exactly as the
  # original wrote it; it is preserved because it sets the caller's scan range.
  $htmlcnt += 9 x ($linecnt + 1);
  $htmlcnt -= 9;
  return $htmlcnt;
}

sub checkvulns {
  # Fetch $nulynx and look for database error signatures in the body.
  # Returns errmessage()'s text when the classification yields a verdict and
  # "" otherwise.  A failed fetch also yields ""; the only consumers test
  # length(), so this is indistinguishable from the original's false value.
  my ($nulynx) = @_;
  my $response = $ua->get($nulynx);
  return "" unless $response->is_success;

  my @errname = ("SQL syntax","Microsoft JET Database","ODBC Microsoft Access Driver","Microsoft OLE DB Provider for SQL Server","Unclosed quotation mark","mysql_fetch_array()","mysql_num_rows()","Microsoft OLE DB Provider for Oracle","Warning: mysql_fetch_assoc()","Warning: session_start()","Warning: getimagesize()",
             "Warning: is_writable()","Warning: Unknown()","Warning: session_start()","Warning: mysql_result()","Warning: mysql_query()","Warning: mysql_num_rows()","Warning: array_merge()","Warning: preg_match()","Warning: require()");

  # Classification rules in the order the original if/elsif chain tested them;
  # the first rule matching a fragment decides.  Two branches the chain
  # repeated (session_start, getimagesize) appear once, since the earlier copy
  # always matched first.  The empty "()" groups are the original patterns.
  my @verdict_for = (
    [ qr/SQL syntax/,                               "Vulnerable MySQL!"          ],
    [ qr/Microsoft JET Database/,                   "Vulnerable MS Access!"      ],
    [ qr/ODBC Microsoft Access Driver/,             "Vulnerable MS Access!"      ],
    [ qr/Microsoft OLE DB Provider for SQL Server/, "Vulnerable MSSQL!"          ],
    [ qr/Unclosed quotation mark/,                  "Vulnerable MSSQL!"          ],
    [ qr/mysql_fetch_array()/,                      "Vulnerable Blind Possible!" ],
    [ qr/mysql_num_rows()/,                         "Vulnerable Blind Possible!" ],
    [ qr/Microsoft OLE DB Provider for Oracle/,     "Vulnerable Oracle!"         ],
    [ qr/Warning: mysql_fetch_assoc()/,             "Vulnerable MySQL!"          ],
    [ qr/Warning: session_start()/,                 "Vulnerable MySQL!"          ],
    [ qr/Warning: getimagesize()/,                  "Vulnerable MySQL!"          ],
    [ qr/Warning: is_writable()/,                   "Vulnerable MySQL!"          ],
    [ qr/Warning: Unknown()/,                       "Vulnerable MySQL!"          ],
    [ qr/Warning: mysql_result()/,                  "Vulnerable MySQL!"          ],
    [ qr/Warning: mysql_query()/,                   "Vulnerable MySQL!"          ],
    [ qr/Warning: mysql_num_rows()/,                "Vulnerable MySQL!"          ],
    [ qr/Warning: array_merge()/,                   "Vulnerable MySQL!"          ],
    [ qr/Warning: preg_match()/,                    "Vulnerable MySQL!"          ],
    [ qr/Warning: filesize()/,                      "Vulnerable MySQL!"          ],
    [ qr/Warning: require()/,                       "Vulnerable MySQL!"          ],
  );

  my $errorhtml = $response->content;
  foreach my $errname (@errname) {
    # Both branches at the bottom return, so this loop only ever runs for its
    # first entry: the body is split on "SQL syntax" (the separator itself is
    # consumed by split) and each remaining piece is classified.
    my @finderror = split($errname, $errorhtml);

    # Stays "" when the body splits into no pieces at all; that value does not
    # match /not found!/ and is therefore passed on to errmessage, as in the
    # original.  Otherwise the verdict of the LAST piece wins.
    my $got = "";
    foreach my $errfound (@finderror) {
      $got = "not found!";
      for my $rule (@verdict_for) {
        my ($re, $verdict) = @{$rule};
        if ($errfound =~ $re) {
          $got = $verdict;
          last;
        }
      }
    }

    if ($got =~ m/not found!/) {
      return "";
    }
    return errmessage($got, $nulynx);
  }
  return "";
}
#E0F!


I am just a newbie and a student; don't use this article for criminal purposes.