#!/usr/bin/env python
"""
Blind SQL Module for Grabber v0.1
Copyright (C) 2006 - Romain Gaucher - http://rgaucher.info
"""
import sys
from grabber import getContent_POST, getContent_GET
from grabber import getContentDirectURL_GET, getContentDirectURL_POST
from grabber import single_urlencode
# order of the Blind SQL operations
orderBSQL = {'AND' : 'TEST', 'TEST' : ['OR','COMMENT','ESCAPE','EVASION']}
overflowStr = ""
for k in range(0,512):
overflowStr += '9'
def detect_sql(output, ):
listWords = ["SQL","MySQL","sql","mysql"]
for wrd in listWords:
if output.count(wrd) > 0:
return True
return False
def equal(h1,h2):
if h1 == h2:
return True
return False
def generateOutput(url, gParam, instance,method,type):
astr = "\n\t%s\n\t%s\n\t%s\n\t%s" % (method,url,gParam,str(instance),type)
if method in ("get","GET"):
# print the real URL
p = (url+"?"+gParam+"="+single_urlencode(str(instance)))
astr += "\n\t%s" % p
astr += "\n\n"
return astr
def generateOutputLong(url, urlString ,method,type, allParams = {}):
astr = "\n\t%s\n\t%s\n\t%s" % (method,url,type)
if method in ("get","GET"):
# print the real URL
p = (url+"?"+urlString)
astr += "\n\t%s" % (p)
else:
astr += "\n\t"
for k in allParams:
astr += "\n\t\t%s" % (k, allParams[k])
astr += "\n\t"
astr += "\n\n"
return astr
def permutations(L):
if len(L) == 1:
yield [L[0]]
elif len(L) >= 2:
(a, b) = (L[0:1], L[1:])
for p in permutations(b):
for i in range(len(p)+1):
yield b[:i] + a + b[i:]
def process(url, database, attack_list):
plop = open('results/bsql_GrabberAttacks.xml','w')
plop.write("\n")
for u in database.keys():
if len(database[u]['GET']):
print "Method = GET ", u
# single parameter testing
for gParam in database[u]['GET']:
defaultValue = database[u]['GET'][gParam]
defaultReturn = getContent_GET(u,gParam,defaultValue)
if defaultReturn == None:
continue
# get the AND statments
for andSQL in attack_list['AND']:
tmpError = getContent_GET(u,gParam,andSQL)
if tmpError == None:
continue
if equal(defaultReturn.read(), tmpError.read()):
# dive here :)
basicError = getContent_GET(u,gParam,'')
overflowErS = getContent_GET(u,gParam,overflowStr)
if basicError == None or overflowErS == None:
continue
if equal(basicError.read(), overflowErS.read()):
for key in orderBSQL[orderBSQL['AND']]:
for instance in attack_list[key]:
tmpError = getContent_GET(u,gParam,instance)
if tmpError == None:
continue
if equal(basicError.read(), tmpError.read()):
# should be an error
# print u,gParam,instance
plop.write(generateOutput(u,gParam,instance,"GET",key))
else:
# report a overflow possible error
#print u,gParam, "overflow"
plop.write(generateOutput(u,gParam,"99999...99999","GET","Overflow"))
"""
# see the permutations
if len(database[u]['GET'].keys()) > 1:
for typeOfInjection in attack_list:
for instance in attack_list[typeOfInjection]:
url = ""
for gParam in database[u]['GET']:
url += ("%s=%s&" % (gParam, single_urlencode(str(instance))))
handle = getContentDirectURL_GET(u,url)
if handle != None:
output = handle.read()
if detect_sql(output):
# generate the info...
plop.write(generateOutputLong(u,url,"GET",typeOfInjection))
"""
if len(database[u]['POST']):
print "Method = POST ", u
# single parameter testing
for gParam in database[u]['POST']:
defaultValue = database[u]['POST'][gParam]
defaultReturn = getContent_POST(u,gParam,defaultValue)
if defaultReturn == None:
continue
# get the AND statments
for andSQL in attack_list['AND']:
tmpError = getContent_POST(u,gParam,andSQL)
if tmpError == None:
continue
if equal(defaultReturn.read(), tmpError.read()):
# dive here :)
basicError = getContent_POST(u,gParam,'')
overflowErS = getContent_POST(u,gParam,overflowStr)
if basicError == None or overflowErS == None:
continue
if equal(basicError.read(), overflowErS.read()):
for key in orderBSQL[orderBSQL['AND']]:
for instance in attack_list[key]:
tmpError = getContent_POST(u,gParam,instance)
if tmpError == None:
continue
if equal(basicError.read(), tmpError.read()):
# should be an error
plop.write(generateOutput(u,gParam,instance,"POST",key))
else:
# report a overflow possible error
plop.write(generateOutput(u,gParam,"99999...99999","POST","Overflow"))
plop.write("\n\n")
plop.close()
return ""