Adaptive http-sql bruteforce V2! Readme

LAST NEWS
---------

Maintenance is abandoned, so dab at http://www.unsec.net has ported this to perl. His version is much more effective and complete, with tons of options. Try it!!

Main changes from V1
--------------------

mysqlbf now supports the https protocol. That led to a better code structure for this project.

Files required for installation
-------------------------------

- mysqlbf.c - Source file of the bruteforce application
- mysqlst.c - structure reaver of mysql
- mysqlget.c - file downloader
- Development packages for your operating system

Compiling instructions
----------------------

The program can be compiled on linux/windows systems without problem.

Compiling in linux:

  $ gcc mysqlbf.c -o mysqlbf

Compiling in windows using vc++:

  \ cl /MD /DWIN32 mysqlbf.c ws2_32.lib

Compiling with ssl support now needs:

Compiling in linux:

  $ gcc mysqlbf.c -o mysqlbf -DmSSL -lssl

Compiling in windows using vc++:

  \ cl mysqlbf.c /DWIN32 /DmSSL libeay32.lib ssleay32.lib ws2_32.lib /Id:\openssl-path\inc32\

Installation instructions
-------------------------

The program is not intended to be a system utility, just a pentest tool; that's why there is no make or install program included in the distribution. Copy the binary file wherever you want or need to. Remember that leaving security analysis programs in global paths could be a security flaw in production systems, as they can be used without prior permission by other users.

Program use
-----------

To use the program correctly you need to know that the script you're going to test has a sql injection. There's no casual successful use of this tool. The first approach is to see if we can get a valid sql result by modifying the query. If we get a script that, when the 'arg' parameter matches a value in the database, returns that record's particular data, then we can continue.
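As an added illustration (not code from the mysqlbf distribution, and not the author's file.php), here is a Python/SQLite stand-in for the kind of lookup script described above: the injectable query next to a hardened one, plus a check a defender can run to see whether a handler behaves as the TRUE/FALSE oracle this tool needs. The table name 'auser' and the 'arg'/'name'/'pwd' columns follow the readme's later example; the rows are constructed for this example.

```python
"""Added example (not part of mysqlbf): an injectable record lookup beside its
parameterized fix, with an oracle check. An in-memory SQLite table stands in
for the MySQL table 'auser' from the readme; rows are constructed."""
import sqlite3

# Constructed sample data: arg=1 belongs to "James", the readme's TRUE marker.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE auser (arg INTEGER, name TEXT, pwd TEXT)")
_conn.executemany("INSERT INTO auser VALUES (?, ?, ?)",
                  [(1, "James", "s3cret"), (2, "Anna", "pa55")])


def render_vulnerable(arg: str) -> str:
    """file.php-style handler: the raw 'arg' parameter is pasted into the SQL,
    so the page answers TRUE/FALSE for any boolean tail appended to arg.
    That one bit per request is exactly what a charset bruteforce consumes."""
    row = _conn.execute(
        f"SELECT name FROM auser WHERE arg={arg}").fetchone()  # injectable
    return f'user {arg} is named "{row[0]}"' if row else "no such user"


def render_fixed(arg: str) -> str:
    """Hardened handler: validate the type first, then bind the value as a
    parameter. A non-integer arg never reaches the SQL engine, so no boolean
    tail is evaluated and the page stops working as an oracle."""
    try:
        uid = int(arg)
    except ValueError:
        return "bad request"
    row = _conn.execute(
        "SELECT name FROM auser WHERE arg=?", (uid,)).fetchone()
    return f'user {uid} is named "{row[0]}"' if row else "no such user"


def is_oracle(render) -> bool:
    """Defender-side check: do a true tail and a false tail appended to a
    valid arg produce different pages, with the TRUE marker in the true one?
    If so, the handler leaks a bit per request and the bruteforce will work."""
    true_page = render("1 AND 1=1")
    false_page = render("1 AND 1=0")
    return true_page != false_page and "James" in true_page


if __name__ == "__main__":
    print("vulnerable handler is an oracle:", is_oracle(render_vulnerable))
    print("fixed handler is an oracle:     ", is_oracle(render_fixed))
```

The fix is the usual two-layer one: reject anything that is not the expected type before it touches SQL, and bind whatever survives as a parameter rather than formatting it into the query text.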
Try to figure it out with a basic example:

  http://host/app/file.php?arg=1

This will return readable text in the html page like:

  *user 1 is named "James"*

We need a match for the bruteforce: we need that 'James' for arg 1.

Program examples
----------------

Now we know the match when arg=1.

- Simplest bruteforce against a sql injection to get the sql version:

  mysqlbf http://host/app/file.php?arg=1 version() James

- Determining the database name:

  mysqlbf http://host/app/file.php?arg=1 Database() James

....

If we know the select sent to the sql server, we can also get the values returned:

  select a.user, s.priv from aprivil s, auser a where s.user=a.name and a.arg=1

It's possible to get any field of the tables for the selected record:

  mysqlbf http://host/app/file.php?arg=1 a.pwd James
  mysqlbf http://host/app/file.php?arg=1 a.email James
  mysqlbf http://host/app/file.php?arg=1 s.title James

(NOTE: pwd and email are valid fields in the table auser. title is a valid field in the table aprivil. James is the word that only appears when TRUE.)

Release comments
----------------

Currently supported charsets are:

- default: general ascii charset: "abcdefghijklmnopqrstuvwxyz0123456789$.-()[]{}@=/\\|#?¿&·!<>ñÑ"
- * md5 specific charset: "abcdef0123456789$."
- ! numerical only charset: "0123456789"

The syntax [c]sql-val[:length][=initval] has been maintained for general use, allowing sentences like these:

- a.name=Jo
- *a.name=joni
- !a.age=2   // note that ! is only for numerical.
- a.name:6
- *a.hash:12=jo

Currently readable (mysql-based) objects are:

- version(), database()
- user(), system_user(), session_user(), current_user()
- last_insert_id(), connection_id()
- all data available in the requested query.

If the file dict.txt exists in the current directory it will be used to perform a charset sort. The last version allows header comments in the dictionary and also fixes several error messages. The adaptive modeling dictionary works well when there are not excessive words in it.
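A charset scan of the kind described above costs one request per candidate character, so a field of n characters against a charset of size c needs up to n*c probes, all from one client to one script, each carrying SQL tokens in a parameter that should only ever hold a record id. That footprint is easy to spot in a web server access log. The following is an added example, not code from mysqlbf or from the author: a small detector over constructed "combined"-format log lines. The exact query strings mysqlbf sends are not documented in the readme, so the sample probes and the token list are assumptions; the two charsets are quoted from the readme.

```python
"""Added example (not part of mysqlbf): spot a per-character SQL bruteforce in
an access log. Log lines are constructed for the example; the probe format is
an assumption, since the readme does not document the tool's requests."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Charsets quoted from the readme. A sequential scan that tests one character
# per request needs at most len(field) * len(charset) probes for one field.
DEFAULT_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789$.-()[]{}@=/\\|#?¿&·!<>ñÑ"
MD5_CHARSET = "abcdef0123456789$."


def worst_case_probes(field_len: int, charset: str) -> int:
    """Upper bound on requests needed to read one field of field_len chars."""
    return field_len * len(charset)


# "combined" log format: ip ident user [time] "METHOD url HTTP/x" status bytes
_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

# Tokens that never belong in a record-id parameter: SQL string/char functions,
# the readable objects the readme lists, boolean glue and comparison operators.
_SQLI = re.compile(
    r"\b(?:substring|substr|mid|ascii|ord|char|version|database|user|"
    r"system_user|session_user|current_user)\s*\(|\b(?:and|or)\b|[<>=]", re.I)


def parse_line(line: str):
    """Return {'ip','time','path','params','status'} for one log line, else None."""
    m = _LINE.match(line)
    if not m:
        return None
    ip, ts, url, status = m.groups()
    parts = urlsplit(url)
    # parse_qs percent-decodes and splits each pair on its first '=' only
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": ip, "time": ts, "path": parts.path, "params": params, "status": int(status)}


def suspicious_params(params: dict) -> list:
    """Names of parameters whose value carries SQL tokens."""
    return [k for k, v in params.items() if _SQLI.search(v)]


def find_bruteforce(lines, threshold: int = 5) -> dict:
    """Count suspicious hits per (client ip, script path) and return the pairs
    at or above threshold. A charset scan produces dozens of such hits per
    field, so even a low threshold separates it from a one-off manual test."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and suspicious_params(rec["params"]):
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample log (not real traffic): one client walking version() a
# character at a time against the readme's file.php, plus two ordinary hits.
_T = "[10/Oct/2004:13:55:36 +0000]"
_P = "/app/file.php?arg=1%20and%20substring(version(),"
SAMPLE_LOG = [
    f'10.0.0.5 - - {_T} "GET {_P}1,1)=%273%27 HTTP/1.0" 200 512',
    f'10.0.0.5 - - {_T} "GET {_P}1,1)=%274%27 HTTP/1.0" 200 640',
    f'10.0.0.5 - - {_T} "GET {_P}2,1)=%27.%27 HTTP/1.0" 200 640',
    f'10.0.0.5 - - {_T} "GET {_P}3,1)=%270%27 HTTP/1.0" 200 640',
    f'10.0.0.5 - - {_T} "GET {_P}3,1)=%271%27 HTTP/1.0" 200 512',
    f'10.0.0.5 - - {_T} "GET {_P}4,1)=%27.%27 HTTP/1.0" 200 640',
    f'10.0.0.5 - - {_T} "GET /app/file.php?arg=1 HTTP/1.0" 200 640',
    f'10.0.0.9 - - {_T} "GET /app/file.php?arg=2 HTTP/1.0" 200 638',
]

if __name__ == "__main__":
    print("worst case for a.hash:12 with the md5 charset:",
          worst_case_probes(12, MD5_CHARSET), "requests")
    for (ip, path), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} sent {n} SQL-laden requests to {path}")
```

The token list is deliberately broad and will need tuning for parameters that legitimately carry free text; for an integer record id like arg, anything beyond digits is already a reason to alert. Pairing this with the response size (the 512-byte and 640-byte pages above alternate exactly as the TRUE/FALSE oracle would) gives a second, independent signal.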
In some cases you'll need to specify a better charset.

Notes
-----

TODO:
- fix dict code.
- allow personal charsets.
- allow timing between requests.
- allow bouncer decoy.
- autoadd word to dictionary.

SQLGET
------

It's a more sophisticated piece of software; refer to the reversing.org website for information about using it. Also, you'll find some instructions in the source code.

SQLST
-----

Mysql data reaver; code was removed from this public release!

Best wishes,
Ilo--, ilo@reversing.org
http://www.reversing.org