##################################################################################
# WU-5QLi-5C4NN3R (WU-5C4NN3R)													 #
# ----------------------------													 #
# Autor: c0d3Lib™ - Released on 05-Sep-2015.									 #
# Site URL : http://blog.indonesiancoder.com									 #
# Contact : bytekod32[at]gmail.com												 #
# Thanks to Antihackerlink Repository and IndonesianCoder (IDC).				 #
#																				 #
# Proof Of Concept (POC).														 #
# ---------------------- 														 #
# Example - Save this page as 'index.php'										 #
# Cut Here --------------------------------------------------------------------- #
# <?php
# $mysql_hostname = "localhost";
# $mysql_user = "root";
# $mysql_password = "";
# $mysql_database = "db_autoload";
# $connection = mysql_connect($mysql_hostname, $mysql_user, $mysql_password) or die ("Please check your connection");
# mysql_select_db($mysql_database, $connection) or die("Please check your database");
#
# $strSQL = mysql_query("SELECT emp_idx FROM `employees`);
# while($row = mysql_fetch_array($strSQL)){
#	echo $row['emp_id'];
# }
# ?>
# ------------------------------------------------------------------------------ #
# Note : put a wrong query at column 'emp_id'. 									 #
# The result will be :															 #
# --------------------															 #
# Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\csvsample\index.php
##################################################################################
#!/usr/bin/perl
use strict;
use LWP::UserAgent;

system("CLS");
system("COLOR A");

my $site = $ARGV[0];
my $ua	 = new LWP::UserAgent;
my $response = $ua->get($site);

if(@ARGV != 1) {
print "\n
\tWU-5QLi-5C4NN3R (WU-5C4NN3R)
\t\t    bY
\t\t::c0d3Lib::\n
\tfile : wu5c4nr.pl
\thow to use : $0 <site>
\texe  : $0 site.com\n";
exit(0);
};

my $run = &wu3xec($site);
print $run;
exit(0);

sub wu3xec {
	my $auth = $_[0];
	my $errtxt = &checkvulns($auth);		# Check the 1st page.
	if (length($errtxt)>0) {
		print "[+] Check Lynx : $auth\r";
		print $errtxt;
		exit(0);
	}
	my @level0n3 = &pr1ntth3lynx($auth);	
	shift(@level0n3);			
	foreach my $link(@level0n3) {			# Check all the Links at Level 0n3.		
		my @leveltw0 =&pr1ntth3lynx($link);		
		my $errtxt = &ch3ckth3lynx($link);		
		if (length($errtxt)>0) {
			print $errtxt;
			exit(0);
		}
		shift(@leveltw0);		
		foreach my $link(@leveltw0) {		# Check all the Links at Level tw0.			
			my @leveltr33 =&pr1ntth3lynx($link);			
			my $errtxt = &ch3ckth3lynx($link);
			if (length($errtxt)>0) {
				print $errtxt;
				exit(0);
			}			
			shift(@leveltr33);
			foreach my $link(@leveltr33) {	# Check all the Links at Level thr33.
				my @levelf0ur =&pr1ntth3lynx($link);				
				my $errtxt = &ch3ckth3lynx($link);
				if (length($errtxt)>0) {
					print $errtxt;
					exit(0);
				}
				shift(@levelf0ur);
			}
		}		
	}
	if (length(my $errtxt)<=0) {
		my $printtext = "\n[+] No SQL Injection Vulnerability/s Found!\n\n";
		$printtext .= "\t::c0d3Lib::\n";
		my $output = $printtext;
	}
}

sub pr1ntth3lynx {
	my $lynx	 = $_[0];
	my $response = $ua->get($lynx);
	if ($response->is_success) {
		my $html	 = $response->content;
		my @lines	 = split(/<a href=/,$html);	
		my @lynxlevel= "";
		my $linecnt  = 0;
		my $line	 = "";
		my $find	 = '">';
		system("title [+] Please wait while queue the links ...");	
		foreach $line(@lines) {
			my $htmlcnt = &ridnextline($linecnt,$html,@lines);			
			for (my $i=0;$i<=$htmlcnt;$i++) {				
				if ($linecnt==0){ 
					my $got = substr($html,(length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[$linecnt])+9),$i);						
						push(@lynxlevel, $lynx);						
						goto n3xtL1n3;
					}
				}
				if ($linecnt==1){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);
						push(@lynxlevel, $lynx);						
						goto n3xtL1n3;
					}
				}
				if ($linecnt==2){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);	
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==3){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[$linecnt])+9+$i),2); 
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==4){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==5){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==6){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);		
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==7){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);		
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==8){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);		
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==9){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[8])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[8])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);		
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==10){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[8])+9) + (length($lines[9])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[8])+9) + (length($lines[9])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);		
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==11){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[8])+9) + (length($lines[9])+9) + (length($lines[10])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[8])+9) + (length($lines[9])+9) + (length($lines[10])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);		
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}
				if ($linecnt==12){ 
					my $got = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[8])+9) + (length($lines[9])+9) + (length($lines[10])+9) + (length($lines[11])+9) + (length($lines[$linecnt])+9+$i),2);
					if ($got eq $find) {				
						my $lynx = substr($html,(length($lines[0])+9) + (length($lines[1])+9) + (length($lines[2])+9) + (length($lines[3])+9) + (length($lines[4])+9) + (length($lines[5])+9) + (length($lines[6])+9) + (length($lines[7])+9) + (length($lines[8])+9) + (length($lines[9])+9) + (length($lines[10])+9) + (length($lines[11])+9) + (length($lines[$linecnt])+9-$linecnt),$i+$linecnt);
						push(@lynxlevel, $lynx);
						goto n3xtL1n3;
					}
				}				
			}
			print "[+] Check Lynx : $lynx\r";
			n3xtL1n3:
			$linecnt++;
		}		
		return @lynxlevel;
	}		
}

sub ch3ckth3lynx {
	my $lynx = $_[0];
	system("title [+] Please wait while working ...");
	for (my $a=0;$a<=length($lynx);$a++) {
		my $got  = substr($lynx,$a,1);
		my $find = '=';
		if ($got eq $find) {			
			my $nulynx = substr($lynx,0,$a) . "=-100\n";
			my $txtmsg = &checkvulns($nulynx);
			return $txtmsg;			
		}
	}	
}

sub errmessage {
	my $got		= $_[0];
	my $nulynx	= $_[1];	
	my $printtext = "\n[+] The url $nulynx is $got\n\n";
	$printtext .= "\t::c0d3Lib::\n";
	open  (FILE, '>','i:\savelinks.txt');
	print (FILE "$printtext");
	close (FILE);
	return $printtext;
}

sub ridnextline {
	my $linecnt = $_[0];
	my $html	= $_[1];
	my @lines	= $_[2];
	if ($linecnt==0){ my $htmlcnt = (length($html) - length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }	
	if ($linecnt==1){ my $htmlcnt = (length($html) - length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==2){ my $htmlcnt = (length($html) - length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==3){ my $htmlcnt = (length($html) - length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==4){ my $htmlcnt = (length($html) - length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==5){ my $htmlcnt = (length($html) - length($lines[$linecnt-5]) + length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==6){ my $htmlcnt = (length($html) - length($lines[$linecnt-6]) + length($lines[$linecnt-5]) + length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==7){ my $htmlcnt = (length($html) - length($lines[$linecnt-7]) + length($lines[$linecnt-6]) + length($lines[$linecnt-5]) + length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==8){ my $htmlcnt = (length($html) - length($lines[$linecnt-8]) + length($lines[$linecnt-7]) + length($lines[$linecnt-6]) + length($lines[$linecnt-5]) + length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==9){ my $htmlcnt = (length($html) - length($lines[$linecnt-9]) + length($lines[$linecnt-8]) + length($lines[$linecnt-7]) + length($lines[$linecnt-6]) + length($lines[$linecnt-5]) + length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==10){ my $htmlcnt = (length($html) - length($lines[$linecnt-10]) + length($lines[$linecnt-9]) + length($lines[$linecnt-8]) + length($lines[$linecnt-7]) + length($lines[$linecnt-6]) + length($lines[$linecnt-5]) + length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==11){ my $htmlcnt = (length($html) - length($lines[$linecnt-11]) + length($lines[$linecnt-10]) + length($lines[$linecnt-9]) + length($lines[$linecnt-8]) + length($lines[$linecnt-7]) + length($lines[$linecnt-6]) + length($lines[$linecnt-5]) + length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
	if ($linecnt==12){ my $htmlcnt = (length($html) - length($lines[$linecnt-12]) + length($lines[$linecnt-11]) + length($lines[$linecnt-10]) + length($lines[$linecnt-9]) + length($lines[$linecnt-8]) + length($lines[$linecnt-7]) + length($lines[$linecnt-6]) + length($lines[$linecnt-5]) + length($lines[$linecnt-4]) + length($lines[$linecnt-3]) + length($lines[$linecnt-2]) + length($lines[$linecnt-1]) + length($lines[$linecnt]) + 9 x ($linecnt+1)-9); return $htmlcnt; }
}

sub checkvulns {
	my $nulynx	 = $_[0];
	my $response = $ua->get($nulynx);
	if ($response->is_success) {				
		my @errname	= ("SQL syntax","Microsoft JET Database","ODBC Microsoft Access Driver","Microsoft OLE DB Provider for SQL Server","Unclosed quotation mark","mysql_fetch_array()","mysql_num_rows()","Microsoft OLE DB Provider for Oracle","Warning: mysql_fetch_assoc()","Warning: session_start()","Warning: getimagesize()",
					   "Warning: is_writable()","Warning: Unknown()","Warning: session_start()","Warning: mysql_result()","Warning: mysql_query()","Warning: mysql_num_rows()","Warning: array_merge()","Warning: preg_match()","Warning: require()");
		my $errname	= "";
		foreach $errname(@errname) {
			my $errorhtml = $response->content;		
			my @finderror = split($errname,$errorhtml);	
			my $errfound = "";
			my $got = "";
			foreach $errfound(@finderror) {				
				if($errfound =~m/SQL syntax/)
					{$got="Vulnerable MySQL!";}    
				elsif($errfound =~m/Microsoft JET Database/ || $errfound =~m/ODBC Microsoft Access Driver/)
					{$got="Vulnerable MS Access!";}   
				elsif($errfound =~m/Microsoft OLE DB Provider for SQL Server/ || $errfound =~m/Unclosed quotation mark/)
					{$got="Vulnerable MSSQL!";}
				elsif($errfound =~m/mysql_fetch_array()/ || $errfound =~m/mysql_num_rows()/)
					{$got="Vulnerable Blind Possible!";}    
				elsif($errfound =~m/Microsoft OLE DB Provider for Oracle/)
					{$got="Vulnerable Oracle!";}
				elsif($errfound =~m/Warning: mysql_fetch_assoc()/)
					{$got="Vulnerable MySQL!";}	
				elsif($errfound =~m/Warning: session_start()/)
					{$got="Vulnerable MySQL!";}    
				elsif($errfound =~m/Warning: getimagesize()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: is_writable()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: getimagesize()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: Unknown()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: session_start()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: mysql_result()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: mysql_query()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: mysql_num_rows()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: array_merge()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: preg_match()/)
					{$got="Vulnerable MySQL!";}	
				elsif($errfound =~m/Warning: filesize()/)
					{$got="Vulnerable MySQL!";}
				elsif($errfound =~m/Warning: require()/)
					{$got="Vulnerable MySQL!";}
				else {$got="not found!"};
			}
			if ($got=~m/not found!/) {				
				my $output = "";
				return $output;
			} else {
				my $output = &errmessage($got,$nulynx);				
				return $output;
			}						
		}
	}
}
#E0F!