This repository has been archived by the owner on Jan 18, 2018. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 83
/
Copy pathbsql.py
executable file
·150 lines (139 loc) · 5.08 KB
/
bsql.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
#!/usr/bin/env python
"""
Blind SQL Module for Grabber v0.1
Copyright (C) 2006 - Romain Gaucher - http://rgaucher.info
"""
import sys
from grabber import getContent_POST, getContent_GET
from grabber import getContentDirectURL_GET, getContentDirectURL_POST
from grabber import single_urlencode
# order of the Blind SQL operations
orderBSQL = {'AND' : 'TEST', 'TEST' : ['OR','COMMENT','ESCAPE','EVASION']}
overflowStr = ""
for k in range(0,512):
overflowStr += '9'
def detect_sql(output, ):
listWords = ["SQL","MySQL","sql","mysql"]
for wrd in listWords:
if output.count(wrd) > 0:
return True
return False
def equal(h1,h2):
if h1 == h2:
return True
return False
def generateOutput(url, gParam, instance,method,type):
astr = "<bsql>\n\t<method>%s</method>\n\t<url>%s</url>\n\t<parameter name='%s'>%s</parameter>\n\t<type name='Blind SQL Injection Type'>%s</type>" % (method,url,gParam,str(instance),type)
if method in ("get","GET"):
# print the real URL
p = (url+"?"+gParam+"="+single_urlencode(str(instance)))
astr += "\n\t<result>%s</result>" % p
astr += "\n</bsql>\n"
return astr
def generateOutputLong(url, urlString ,method,type, allParams = {}):
astr = "<bsql>\n\t<method>%s</method>\n\t<url>%s</url>\n\t<type name='Blind SQL Injection Type'>%s</type>" % (method,url,type)
if method in ("get","GET"):
# print the real URL
p = (url+"?"+urlString)
astr += "\n\t<result>%s</result>" % (p)
else:
astr += "\n\t<parameters>"
for k in allParams:
astr += "\n\t\t<parameter name='%s'>%s</parameter>" % (k, allParams[k])
astr += "\n\t</parameters>"
astr += "\n</bsql>\n"
return astr
def permutations(L):
if len(L) == 1:
yield [L[0]]
elif len(L) >= 2:
(a, b) = (L[0:1], L[1:])
for p in permutations(b):
for i in range(len(p)+1):
yield b[:i] + a + b[i:]
def process(url, database, attack_list):
plop = open('results/bsql_GrabberAttacks.xml','w')
plop.write("<bsqlAttacks>\n")
for u in database.keys():
if len(database[u]['GET']):
print "Method = GET ", u
# single parameter testing
for gParam in database[u]['GET']:
defaultValue = database[u]['GET'][gParam]
defaultReturn = getContent_GET(u,gParam,defaultValue)
if defaultReturn == None:
continue
# get the AND statments
for andSQL in attack_list['AND']:
tmpError = getContent_GET(u,gParam,andSQL)
if tmpError == None:
continue
if equal(defaultReturn.read(), tmpError.read()):
# dive here :)
basicError = getContent_GET(u,gParam,'')
overflowErS = getContent_GET(u,gParam,overflowStr)
if basicError == None or overflowErS == None:
continue
if equal(basicError.read(), overflowErS.read()):
for key in orderBSQL[orderBSQL['AND']]:
for instance in attack_list[key]:
tmpError = getContent_GET(u,gParam,instance)
if tmpError == None:
continue
if equal(basicError.read(), tmpError.read()):
# should be an error
# print u,gParam,instance
plop.write(generateOutput(u,gParam,instance,"GET",key))
else:
# report a overflow possible error
#print u,gParam, "overflow"
plop.write(generateOutput(u,gParam,"99999...99999","GET","Overflow"))
"""
# see the permutations
if len(database[u]['GET'].keys()) > 1:
for typeOfInjection in attack_list:
for instance in attack_list[typeOfInjection]:
url = ""
for gParam in database[u]['GET']:
url += ("%s=%s&" % (gParam, single_urlencode(str(instance))))
handle = getContentDirectURL_GET(u,url)
if handle != None:
output = handle.read()
if detect_sql(output):
# generate the info...
plop.write(generateOutputLong(u,url,"GET",typeOfInjection))
"""
if len(database[u]['POST']):
print "Method = POST ", u
# single parameter testing
for gParam in database[u]['POST']:
defaultValue = database[u]['POST'][gParam]
defaultReturn = getContent_POST(u,gParam,defaultValue)
if defaultReturn == None:
continue
# get the AND statments
for andSQL in attack_list['AND']:
tmpError = getContent_POST(u,gParam,andSQL)
if tmpError == None:
continue
if equal(defaultReturn.read(), tmpError.read()):
# dive here :)
basicError = getContent_POST(u,gParam,'')
overflowErS = getContent_POST(u,gParam,overflowStr)
if basicError == None or overflowErS == None:
continue
if equal(basicError.read(), overflowErS.read()):
for key in orderBSQL[orderBSQL['AND']]:
for instance in attack_list[key]:
tmpError = getContent_POST(u,gParam,instance)
if tmpError == None:
continue
if equal(basicError.read(), tmpError.read()):
# should be an error
plop.write(generateOutput(u,gParam,instance,"POST",key))
else:
# report a overflow possible error
plop.write(generateOutput(u,gParam,"99999...99999","POST","Overflow"))
plop.write("\n</bsqlAttacks>\n")
plop.close()
return ""