####################################################################
# version 1.0                                                      #
#                                                                  #
# sqlcheck.sh -> Mysql information, tables and fields              #
# sqldata.sh  -> Obtain values from the database (user, pass, ...) #
#                                                                  #
# by Pepelux (pepelux@enye-sec.org)                                #
#                                                                  #
# Website: http://www.enye-sec.org                                 #
# Blog:    http://www.enye-sec.org/pepelux                         #
####################################################################

# This script is for educational use only


##### REQUIREMENTS #####
# lynx text browser
# and linux :)


###############
# sqlcheck.sh #
###############

##### HOW DOES IT WORK #####
# This script exploits a vulnerable webpage by injecting SQL code, and does not
# need quotes to do so.
# MySQL does not display errors on the screen, so the fields have to be checked
# using the TRUE or FALSE method.
#
# To obtain information about the mysql we use:
# 	(SELECT SUBSTRING(Version(),1,1)=CHAR(52))>0
# 	(SELECT SUBSTRING(Database(),1,1)=CHAR(52))>0
# This compares whether the first character is > 4 and, depending on whether
# the result is true or false, we can check the next character.
#
# To obtain information about tables and fields we use:
# 	(SELECT COUNT(*) FROM table)>0
# 	(SELECT COUNT(field) FROM table)>0
#
# Tables and fields are checked by brute force, using two files:
#	tables.txt -> contains the tables you'd like to check
#	fields.txt -> contains the fields you'd like to check for each table


##### USAGE #####
# ./sqlcheck.sh <vulnerable_url> <string_to_compare> [-v] [-m] [-f]
#
# <vulnerable_url> is the URI to exploit. 
#	For example: http://www.domain.com/dir/show.php?id=5
#
# <string_to_compare> is a piece of text that appears only in a correct call
#                     and does not appear in a bad call.
#
#	For example, suppose this webpage:
#	If you load http://www.dom.com/show.php?id=5 you'll see:
#		Hello Pepelux. You are the user number 5
#
#	And writing http://www.dom.com/show.php?id=5 and 1=0
#		Error! User not found
#
# 	In this example a possible string to compare is 'Hello' or 'Error'.
#
# [-v] verbose mode
#
# [-m] search minimum mysql values: Version(), Database() and User()
#
# [-f] search full mysql values: Version(), Database(), User(),
#      System_user(), Session_user(), Current_user() and Connection_id()


##### EXAMPLES #####
# ./sqlcheck.sh www.dom.com/show.php?id=5 "Hello:" 
# ./sqlcheck.sh www.dom.com/show.php?id=5 "Hello:" -v -m
# ./sqlcheck.sh www.dom.com/show.php?id=5 "Hello:" -f



##############
# sqldata.sh #
##############

##### HOW DOES IT WORK #####
# This script exploits a vulnerable webpage by injecting SQL code, and does not
# need quotes to do so.
# MySQL does not display errors on the screen, so the fields have to be checked
# using the TRUE or FALSE method.
#
# To obtain information about tables and fields we use:
# 	(SELECT COUNT(*) FROM t_users WHERE SUBSTRING(user,1,1)=CHAR(52))>0


##### USAGE #####
# ./sqldata.sh <vulnerable_url> <string_to_compare> <table> <field1>
#              [<value_field1> <field2>]
#
# <vulnerable_url> is the URI to exploit. 
#	For example: http://www.domain.com/dir/show.php?id=5
#
# <string_to_compare> is a piece of text that appears only in a correct call
#                     and does not appear in a bad call.
#
#	For example, suppose this webpage:
#	If you load http://www.dom.com/show.php?id=5 you'll see:
#		Hello Pepelux. You are the user number 5
#
#	And writing http://www.dom.com/show.php?id=5 and 1=0
#		Error! User not found
#
# 	In this example a possible string to compare is 'Hello' or 'Error'.
#
# <table> a known table. You can search for table names with sqlcheck.sh. For
#         example, t_users if you'd like to search data in the t_users table.
#
# <field1> a known field of the table. You can search data for the
#          table.field. For example field user from table t_users: t_users.user
#
# <value_field1> if you know a value for field1, you can search for field2. For
#                example, we are going to search for the password of the user
#                admin. In this case value_field1 is 'admin'
#
# <field2> a field to search for if you know the first field. In the example
#          above, table is 't_users', field1 is 'user', value_field1 is 'admin'
#          and field2 is 'pass'


##### EXAMPLES #####
# Table: t_users / Field: user
# We'd like to obtain all 'user' from the table 't_users'
# ./sqldata.sh www.dom.com/show.php?id=5 "Hello:" t_users user
#
# Table: t_users / Fields: user and pass
# We'd like to obtain the 'pass' for the 'user' 'admin'
# ./sqldata.sh www.dom.com/show.php?id=5 "Hello:" t_users user admin pass
#
# Table: t_users / Fields: id and email
# We'd like to obtain the 'email' for the user with 'id' '14'
# ./sqldata.sh www.dom.com/show.php?id=5 "Hello:" t_users id 14 email
#
# Table: t_users / Field: pass
# We'd like to obtain all 'pass' from the table 't_users'
# ./sqldata.sh www.dom.com/show.php?id=5 "Hello:" t_users pass

