Thứ Sáu, 16 tháng 8, 2013

SQL Injection Scanner

I coded this long time ago, was the first tool I coded in python just to learn the language, it's not very complex but does a pretty good job anyway. 
Here's the code:

#!/usr/bin/python #    Copyright (C) 2010 <xrrrx@ymail.com> #    This program is free software: you can redistribute it and/or modify #    it under the terms of the GNU General Public License as published by #    the Free Software Foundation, either version 3 of the License, or #    at your option) any later version. #     #    This program is distributed in the hope that it will be useful, #    but WITHOUT ANY WARRANTY; without even the implied warranty of #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the #    GNU General Public License for more details. #     #    You should have received a copy of the GNU General Public License #    along with this program.  If not, see <http://www.gnu.org/licenses/>. 
from multiprocessing import Process from xgoogle.search import GoogleSearchSearchError
from itertools import count
import urllib2from itertools import count import urllib2sysargparse

global strSQLi

strSQLi 
strSQLi = ["error in your SQL syntax"# GENERIC
                      "Syntax error at"# GENERIC
                      "You have an error in your SQL"# MYSQL
                      "Division by zero in"# MYSQL
                      "not a valid MySQL result"# MYSQL
                      "Call to a member function"# MYSQL
                      "Microsoft JET Database"# MSACCESS
                      "ODBC Microsoft Access Driver" # MSACCESS
                      "Microsoft OLE DB Provider for SQL Server"# MSSQL
                      "Unclosed quotation mark"# MSSQL
                      "Microsoft OLE DB Provider for Oracle"# ORACLE
                      "Macromedia][SQLServer JDBC Driver]"# COLDFUSION

def split(alistwanted_parts=1):
        length len(alist)
    return [     return [ alist[i*length // wanted_parts: (i+1)*length // wanted_parts]
                          for i in range(wanted_parts) ]

def checkSQLi(resultsi):
        # test single quote
        for result in results[i]:
        try:
            if(        try:             if(args.verbose>='2'):
                print                 print "[INFO] Testing URL: %s" result.url
                        if not "=" in result.url:
                if(                if(args.verbose>='2'):
                    print                     print "[INFO] No params available for injection for: %s" result.url
                                continue
                        response urllib2.urlopen(result.url.replace("=""='"))
                        html response.read()
                except Exceptione:
            if(            if(args.verbose>='1'):
                print                 print "[ERROR] %s" e
                        continue
                except KeyboardInterrupt:
            return             return False
                else:
            if(            if(checkSQLiStr(html)):
                    print                     print "[INFO] URL: %s" result.url
                                        print "       Possible vulnerable!"
                        else:
                if(                if(args.verbose>='1'):
                    print                     print "[INFO] URL: %s" result.url
                                        print "       Not vulnerable."
        return False

def checkSQLiStr
def checkSQLiStr(html):
    return     return any(checkStr in html for checkStr in strSQLi)

def main():
        tries 0
        while True:
        try:
            if(        try:             if(args.verbose>='1' and tries 0):
                print                 print "[WARNING] (%d) Retrying google search query" tries
                        if(tries>=args.retry):
                if(                if(args.verbose>='1'):
                    print                     print "[ERROR] Maximum retries reached..."
                                sys.exit()
            else:
                            else:                 tries tries 1
            googleSearch             googleSearch GoogleSearch(args.keyword)
                        googleSearch.page args.page
            googleSearch            googleSearch.results_per_page 100
                        print args.keyword
                        for i in count():
                                allResults googleSearch.get_results()
                if                 if not allResults# no more results (pages) were found
                                        break
                                splitResults split(allResultsargs.threads)
                                processes = [Process(target=checkSQLiargs=(splitResults,i)) for i in range(args.threads)]
                if(                if(args.verbose>='1'):
                    print                     print "[INFO] Starting %d threads..." args.threads
                                for p in processes:
                                        p.start()
                for                 for p in processes:
                                        p.join()
                                tries 0
                        print "Finished..."
                        sys.exit()
                        # finished
                except SearchErrore:
            if(            if(args.verbose>='2'):
                print                 print "[ERROR] Search failed: %s" e
                        continue
                except KeyboardInterrupt:
            print             print "Suspended by user..."
                        sys.exit()

if 
if __name__ == '__main__':
        parser argparse.ArgumentParser()
        parser.add_argument('-v'dest='verbose', default='0'help='Verbosity level'choices='012')
        parser.add_argument('-p'dest='page'type=int, default='0'help='Start google search from page')
        parser.add_argument('-s'dest='stop'type=int, default='5'help='Stop at -s page')
        parser.add_argument('-r'dest='retry'type=int, default='4'help='Amount of times to retry after google search timeout')
        parser.add_argument('-t'dest='threads'type=int, default='2'help='Threads for checking SQLi in query results')
        group parser.add_argument_group('required arguments')
        group.add_argument('-k'dest='keyword'help='Keywords to use on google query'required=True)
        args parser.parse_args()
    print     print "Starting..."
        main()
        sys.exit()  

Required libraries:
http://argparse.googlecode.com/svn/trunk/argparse.py https://github.com/pkrumins/xgoogle (this one needs fixes,you can fix it yourself or download this one http://www.mediafire.com/?7a175lzzipm3x3s) 

Usage:

usagescanner.py [-h] [-{0,1,2}] [-p PAGE] [-s STOP] [-r RETRY]
[-[-t THREADS] -k KEYWORD

optional arguments
optional arguments:
--h, --help show this help message and exit
--{0,1,2Verbosity level -p PAGE Start google search from page -s STOP Stop at -s page -r RETRY Amount of times to retry after google search timeout -t THREADS Threads for checking SQLi in query results

Example
Example./scanner.py -'somekeyword inurl:"php?id="' -t 5 -v 1   


xargs can be used to feed google dorks from a file.

It basically scrape results from google with the keyword you input and try test for sql injection. It only checks for error based injections with single quote triggers, the idea was to add more injection methods, more search engines and other features, but I never continued the development, it still gave me thousands of vulnerable targets.

So if someone would like to improve it or add some feature please share it.

+ Lưu File Đó dưới dạng đuôi python ( *.py ).Phải cài Python trước để sử dụng..
+ Có Readme Kèm Theo + Example
+ Site Lỗi Sẽ Được Lưu Dưới Dạng Txt nằm cùng thư mục python bạn chạy

Nguồn: VNCno1

Chuyên Mục: , , ,
Người đăng: vào lúc

Không có nhận xét nào:

Đăng ký: Đăng Nhận xét (Atom)