PBlind

PBlind is a little utility to help in exploiting blind SQL injection vulnerabilities.

The idea is not to have an exhaustive tool that attempts to do all the scanning, detection and exploitation; there are very good tools for that, including ProxyStrike. The tool is designed just to help in exploiting the problem and obtaining all the data, that's all. In my opinion, the problem when designing a tool for automatic exploitation of blind SQL injection is that injections are heterogeneous by nature, so when creating such a tool you quickly get lost in all the cases, resulting in something difficult to work with. PBlind just takes the essence of the exploitation, that is, automating the whole attack, but only after a little previous thinking ;) In fact, the tool was created more than 2 years ago and only to help in private audits, but in all this time it has proved to be useful, so that's why it is being made public.

Use:
First take a look at this video showing PBlind in action: Video

As you can see, there are very few options:

* -n number of threads to use
* -b type of database to attack (in case we already know it)

The program performs a little check to ensure the vulnerability exists, and fingerprints the database in case it is unknown. Once all the checking is done, PBlind spawns a thread for each character of the result (15 by default) and performs a dichotomic (binary) search on the ASCII value of each one, which makes it really fast.

As the core is very simple, it can be easily modified in order to automate any attack, like adding a new loop to get all the tables from the database, for example (in fact, this is what I usually do).

So, the key to the whole hack is the "injectHere" clause you use with PBlind, and this is where you have to use your brain. While many times it is enough to use a global variable to check that the injection exists (typically user()), many times you want to go beyond that. It's as simple as replacing this clause with a more complicated one, like "select username from users limit 1", and so on. Your imagination is the limit.
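The character-by-character bisection described above leaves a recognisable trace on the server side: a burst of requests from one source, each comparing the ASCII value of one character of a subquery against a threshold, with the responses falling into two sizes (the "true" and "false" pages). The following detector is an added example, not part of PBlind; the access-log lines, the hypothetical `/item.php?id=` endpoint and the IP addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page): one client emits
# ascii(substring(...))>N probes for positions 1 and 2 of a subquery result,
# another client makes an ordinary request. Two response sizes appear because
# true and false probes return different pages.
SAMPLE_LOG = """\
10.0.0.7 - - [31/Mar/2008:10:00:01 +0000] "GET /item.php?id=5+and+ascii(substring((select+user()),1,1))>64 HTTP/1.1" 200 5120
10.0.0.7 - - [31/Mar/2008:10:00:01 +0000] "GET /item.php?id=5+and+ascii(substring((select+user()),1,1))>96 HTTP/1.1" 200 5120
10.0.0.7 - - [31/Mar/2008:10:00:01 +0000] "GET /item.php?id=5+and+ascii(substring((select+user()),1,1))>112 HTTP/1.1" 200 4980
10.0.0.7 - - [31/Mar/2008:10:00:02 +0000] "GET /item.php?id=5+and+ascii(substring((select+user()),2,1))>64 HTTP/1.1" 200 5120
10.0.0.9 - - [31/Mar/2008:10:00:02 +0000] "GET /item.php?id=5 HTTP/1.1" 200 5120
10.0.0.7 - - [31/Mar/2008:10:00:02 +0000] "GET /item.php?id=5+and+ascii(substring((select+user()),2,1))>100 HTTP/1.1" 200 4980
"""

# Common log format: client ip, identd, user, [time], "METHOD URL PROTO", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)')
# Probe signature: ascii(substring(<expr>,<pos>,1)) <op> <threshold>
PROBE_RE = re.compile(
    r'ascii\s*\(\s*substring\s*\(.*?,\s*(?P<pos>\d+)\s*,\s*1\s*\)\s*\)\s*(?P<op>[<>=]+)\s*(?P<n>\d+)',
    re.IGNORECASE,
)

def parse_probes(log_text):
    """Return {ip: [(position, op, threshold, response_size), ...]} for requests carrying a probe."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = unquote_plus(m.group("url"))  # decode '+' and %xx before matching
        p = PROBE_RE.search(url)
        if p:
            probes[m.group("ip")].append(
                (int(p.group("pos")), p.group("op"), int(p.group("n")), int(m.group("size"))))
    return probes

def flag_sources(log_text, min_probes=3):
    """Flag IPs that issued at least min_probes probes, with positions touched and response sizes seen."""
    findings = {}
    for ip, plist in parse_probes(log_text).items():
        if len(plist) >= min_probes:
            findings[ip] = {
                "probes": len(plist),
                "positions": sorted({pos for pos, _, _, _ in plist}),
                "response_sizes": sorted({size for _, _, _, size in plist}),
            }
    return findings
```

On real logs the threshold and the regex (other substring/ascii spellings, POST bodies) need tuning; the two-size pattern in `response_sizes` is the same page difference the TODO list below proposes PBlind should compare on.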

Todo:

In case you want to help here, there are many things to improve, including the following:

* database fingerprinting
* new methods for comparison of results (wc, diff, excluding HTML structure, searching for a keyword, etc.)
* automating the most common selects
* include DB2 and PostgreSQL (although they are not really common)
* POST parameters


Known issues:

With fast connections and fast database responses, Python sometimes has problems handling several open sockets and crashes (that's why there is a sleep in the code :P).

Note:
New version without the curses library, which was causing problems for Windows users. The new one should work OK!

Download

* PBlind v1.0 (31/03/2008)


Reference: http://www.edge-security.com/pblind.php and echo....
