ciscocxsecurity / bbqsql
SQL Injection Exploitation Tool
License: Other
I need help with the time method.
When I put this value in the query:
if(ASCII(SUBSTRING((SELECT @@Version LIMIT 1 OFFSET ${row_index}) , ${char_index} ,1))) ${comparator:>}ASCII(${char_val}) WAITFOR DELAY '0:0:0${sleep}'
But this didn't work: it gives true and bbqsql then stops.
I'm sure my value is not correct, so what is the solution?
This is the output before it stops:
Injecting into 'url' parameter
It looks like this: http://www.x.com/y/z.php?action=get_new_price&id_pack=58&pack_page=1&productsAttribute[]=73231&products_exclude[]=1%20if%28ASCII%28SUBSTRING%28%28SELECT%20%40%40version%20LIMIT%201%20OFFSET%200%29%20%2C%201%20%2C1%29%29%29%20%3EASCII%28%29%20WAITFOR%20DELAY%20%270%5C%3A0%5C%3A0%27&qty=1&qtys[]=1
we will be treating this as a 'true' response
for the sample requests, the response's 'time' were the following :
[0.3397238254547119, 0.16059422492980957, 0.16398906707763672, 0.1356668472290039]
$ sudo pip install bbqsql
Collecting bbqsql
Using cached BBQSQL-1.2.tar.gz
Collecting gevent (from bbqsql)
Using cached gevent-1.0.1.tar.gz
Collecting requests<1.0 (from bbqsql)
Using cached requests-0.14.2.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "", line 20, in
File "/tmp/pip-build-t6900f9w/requests/setup.py", line 6, in
import requests
File "/tmp/pip-build-t6900f9w/requests/requests/__init__.py", line 52, in
from . import utils
File "/tmp/pip-build-t6900f9w/requests/requests/utils.py", line 22, in
from .compat import parse_http_list as _parse_list_header
File "/tmp/pip-build-t6900f9w/requests/requests/compat.py", line 112, in
from .packages import chardet2 as chardet
ImportError: cannot import name 'chardet2'
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-t6900f9w/requests
simple import chardet
topical for python 3
The way sqlmap displays results after a query is finished running is nice. Basically they format the table like:
* Here is my Query
* Results
* Results
* Results
* 78 rows and took 389 seconds
They then clip any query that is more than, I think, 80 rows (since viewing that in a terminal window can be a little much) and default to spitting the output in a file if the query returns a ton of data (think dumping 80,000 hashes, for example).
It would be nice to have a place with a few example queries (starting points). Not sure how to render the examples (either a text file, or maybe you could hit a key in the menu to print them to the screen).
Hello. I am new to BBQ SQL, but I can't seem to find discussions on syntax anywhere online. It's probably intuitive if I try enough things, but would it be possible to include sample url inputs and http queries in the readme?
People are emailing me with install issues.... Fix setup.py
Parse and store cookies received in response headers. Send these cookies for future requests. This will allow for apps that have cookies w/ built in timeouts.
When trying to install with
sudo pip install bbqsql
I get the following error:
error: could not create '/System/Library/Frameworks/Python.framework/Versions/2.7/include/python2.7/greenlet': Operation not permitted
This is because, from El Capitan, OS X no longer allows software to be installed in system directories, not even by root.
Is there an option to set a different install directory?
check how hard it is to use the hooks from the api
interface exists from concurrency, but it hasn't been implemented yet in blindtechnique
The row length shouldn't be bumped up in size based on the longest row.
I installed BBQSQL-1.1.tar.gz via pip with gevent-0.13.8.tar.gz, requests-0.14.0.tar.gz and greenlet-0.4.0.zip. I configured bbqsql to target a local web script which just logs the query string. Strangely, the log file just shows these query strings:
id=%7Binjection%7D
In short, the placeholder is not used. I'm sorry if the configuration is faulty or I overlooked something obvious, but I tested it on two machines and I can't see the problem.
Regards
Andreas
The exported config:
[Request Config]
url = http://localhost/cgi-bin/x.cgi?id={injection}
method = GET
[HTTP Config]
query = ' and ASCII(SUBSTR((SELECT data FROM data ORDER BY id LIMIT 1 OFFSET ${row_index:1}),${char_index:1},1))${comparator:>}${char_val:0} #
technique = binary_search
comparison_attr = size
concurrency = 30
The script:
echo "Content-type: text/plain"
echo ""
echo "$QUERY_STRING" >> /tmp/sql.log
The GUI display when running a 2nd binary search flashes in/out as well as looks as if it freezes up. Seems to pull the data correctly however.
Ubuntu VM ... running demo ... the prompt on the menu takes several seconds to popup. This makes entering stuff a little painful.
Hello,
Any tricks for disabling SSLv3 support? I'm running on Debian testing OS.
I have just installed that with : pip install bbqsql
Traceback (most recent call last):
File "/usr/local/bin/bbqsql", line 3, in
from bbqsql import *
File "/usr/local/lib/python2.7/dist-packages/bbqsql/__init__.py", line 31, in
from menu import bbqMenu
File "/usr/local/lib/python2.7/dist-packages/bbqsql/menu/__init__.py", line 1, in
from bbq_menu import bbqMenu
File "/usr/local/lib/python2.7/dist-packages/bbqsql/menu/bbq_menu.py", line 4, in
from config import RequestsConfig,bbqsqlConfig
File "/usr/local/lib/python2.7/dist-packages/bbqsql/menu/config.py", line 13, in
from gevent import socket
File "/usr/local/lib/python2.7/dist-packages/gevent/socket.py", line 659, in
from gevent.ssl import sslwrap_simple as ssl, SSLError as sslerror, SSLSocket as SSLType
File "/usr/local/lib/python2.7/dist-packages/gevent/ssl.py", line 386, in
def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
NameError: name 'PROTOCOL_SSLv3' is not defined
Thanks in advance.
I get this message when I try to run the demo.
I think the version on pip is fairly outdated
I don't think this is a big need, but some folks just love command line. I could work on this probably but I don't think this should be high on the milestone list.
Saw that it was removed, we should include an example somewhere...What do you think?
Some weird checks have been put in place on the server which I am testing. It doesn't allow me to use the SUBSTRING function of MySQL, which takes SUBSTRING(str, pos, len). But I want to use the LEFT function, LEFT(string, length). I think this function is not supported yet by bbqsql, or I don't know how to utilize it.
The test_server.py craps out in osx if it receives more than ~35 concurrent requests. Any thoughts on this?
I am unable to install BBQSQL:
andrew@andrew-desktop:~$ sudo pip2.7 install bbqsql
Collecting bbqsql
Downloading BBQSQL-1.2.tar.gz (41kB)
100% |████████████████████████████████| 51kB 1.1MB/s
Requirement already satisfied: gevent in /usr/local/lib/python2.7/dist-packages/gevent-1.2.2-py2.7-linux-x86_64.egg (from bbqsql)
Collecting requests<1.0 (from bbqsql)
Downloading requests-0.14.2.tar.gz (361kB)
100% |████████████████████████████████| 368kB 1.3MB/s
Complete output from command python setup.py egg_info:
running egg_info
creating pip-egg-info/requests.egg-info
writing pip-egg-info/requests.egg-info/PKG-INFO
writing top-level names to pip-egg-info/requests.egg-info/top_level.txt
writing dependency_links to pip-egg-info/requests.egg-info/dependency_links.txt
writing manifest file 'pip-egg-info/requests.egg-info/SOURCES.txt'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-vUnK60/requests/setup.py", line 69, in <module>
'Programming Language :: Python :: 3.3',
File "/usr/lib/python2.7/distutils/core.py", line 151, in setup
dist.run_commands()
File "/usr/lib/python2.7/distutils/dist.py", line 953, in run_commands
self.run_command(cmd)
File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "/usr/local/lib/python2.7/dist-packages/setuptools/command/egg_info.py", line 279, in run
self.find_sources()
File "/usr/local/lib/python2.7/dist-packages/setuptools/command/egg_info.py", line 294, in find_sources
mm.run()
File "/usr/local/lib/python2.7/dist-packages/setuptools/command/egg_info.py", line 525, in run
self.add_defaults()
File "/usr/local/lib/python2.7/dist-packages/setuptools/command/egg_info.py", line 561, in add_defaults
sdist.add_defaults(self)
File "/usr/local/lib/python2.7/dist-packages/setuptools/command/py36compat.py", line 34, in add_defaults
self._add_defaults_python()
File "/usr/local/lib/python2.7/dist-packages/setuptools/command/sdist.py", line 133, in _add_defaults_python
build_py = self.get_finalized_command('build_py')
File "/usr/lib/python2.7/distutils/cmd.py", line 311, in get_finalized_command
cmd_obj = self.distribution.get_command_obj(command, create)
File "/usr/lib/python2.7/distutils/dist.py", line 845, in get_command_obj
klass = self.get_command_class(command)
File "/usr/local/lib/python2.7/dist-packages/setuptools/dist.py", line 491, in get_command_class
self.cmdclass[command] = cmdclass = ep.load()
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2302, in load
return self.resolve()
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2308, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/local/lib/python2.7/dist-packages/setuptools/command/build_py.py", line 12, in <module>
from six.moves import map, filter, filterfalse
ImportError: cannot import name filterfalse
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-vUnK60/requests/
Hi there,
I'm running a fresh Kali rolling box with the latest updates. I watched the video (https://www.youtube.com/watch?v=I4XRnuAA-aA) and am attempting some tests in my own network, but no matter what values I feed BBQSQL, it bombs with:
Traceback (most recent call last):
File "/usr/bin/bbqsql", line 16, in
bbqMenu()
File "/usr/lib/python2.7/dist-packages/bbqsql/menu/bbq_menu.py", line 182, in __init__
bbq = bbqsql.BlindSQLi(**attack_config)
File "/usr/lib/python2.7/dist-packages/bbqsql/lib/api.py", line 128, in __init__
self.requester = requester_type(comparison_attr=comparison_attr, **kwargs)
File "/usr/lib/python2.7/dist-packages/bbqsql/lib/requester.py", line 122, in __init__
self.session = requests.session(*args,**kwargs)
TypeError: session() takes no arguments (2 given)
Seems like it might be a system config issue rather than something with the tool? Not sure. Any ideas?
Thanks,
Brian
First time I tried to use bbqsql. But when I go to run the exploit I get errors. So I just tried with the default configuration, but got the same error.
Here is the error:
Traceback (most recent call last):
File "/usr/bin/bbqsql", line 16, in
bbqMenu()
File "/usr/lib/python2.7/dist-packages/bbqsql/menu/bbq_menu.py", line 182, in __init__
bbq = bbqsql.BlindSQLi(**attack_config)
File "/usr/lib/python2.7/dist-packages/bbqsql/lib/api.py", line 128, in __init__
self.requester = requester_type(comparison_attr=comparison_attr, **kwargs)
File "/usr/lib/python2.7/dist-packages/bbqsql/lib/requester.py", line 122, in __init__
self.session = requests.session(*args,**kwargs)
TypeError: session() takes no arguments (2 given)
Get a readme.md finished before the talk. I'm working on this now, it's gonna take a bit of time but I should be able to finish before we talk.
add a timer to the console showing how long the test has been running and requests/time.
requires vs. required. Don't have time to figure it out right now.
If we only have n rows to query, only iterate that amount on row_index. For example, if I know I have 1 row in my result set, it should only iterate the column index.
We need to determine what our HTTP request will look like. Bellow are the
available HTTP parameters. Please enter the number of the parameter you
would like to edit. When you are done setting up the HTTP parameters,
you can type 'done' to keep going.
0) files
1) headers
2) cookies
3) url
Value: http://natas15.natas.labs.overthewire.org/index.php
4) allow_redirects
5) proxies
6) data
Value: {'username': 'natas16'}
7) method
Value: post
8) auth
Traceback (most recent call last):
File "/usr/local/bin/bbqsql", line 16, in
bbqMenu()
File "/usr/local/lib/python2.7/dist-packages/bbqsql/menu/bbq_menu.py", line 100, in __init__
requests_config.run_config()
File "/usr/local/lib/python2.7/dist-packages/bbqsql/menu/config.py", line 259, in run_config
print "\t Value: %s" % self[key]['value']
TypeError: not all arguments converted during string formatting
Frequency search seems to be broken.
If you run X number of queries, data should be formatted nicely into CSV files (either one per query or maybe one monolithic csv file). CSV files should contain enough information to be useful (URL hit, Query run, etc.) as well as the data itself.
Because settings.py imports requester.py we almost have a circular import problem. I want to start getting rid of settings.py. With the exception of some of the color settings, it just causes too much coupling.
Hi!
I'm trying to run your tool BBQSQL. First I tried to install it using the current version from github and after that I installed it with "pip install bbqsql". The program starts, I enter the URL and finally select "5) Run Exploit" and I get an error. The error for both the github and the pip version is almost identical and looks like this:
Traceback (most recent call last):
File "/usr/local/bin/bbqsql", line 16, in <module>
bbqMenu()
File "/usr/local/lib/python2.6/dist-packages/bbqsql/menu/bbq_menu.py", line 182, in __init__
bbq = bbqsql.BlindSQLi(**attack_config)
File "/usr/local/lib/python2.6/dist-packages/bbqsql/lib/api.py", line 128, in __init__
self.requester = requester_type(comparison_attr=comparison_attr, **kwargs)
File "/usr/local/lib/python2.6/dist-packages/bbqsql/lib/requester.py", line 122, in __init__
self.session = requests.session(*args,**kwargs)
TypeError: session() takes no arguments (2 given)
I'm using BackTrack 5 RC2 (32 bit) and the following packages are installed:
root@bt:~# pip install bbqsql
Requirement already satisfied: bbqsql in /usr/local/lib/python2.6/dist-packages
Requirement already satisfied: gevent in /usr/local/lib/python2.6/dist-packages/gevent-0.13.8-py2.6-linux-i686.egg (from bbqsql)
Requirement already satisfied: requests in /usr/local/lib/python2.6/dist-packages/requests-1.1.0-py2.6.egg (from bbqsql)
Requirement already satisfied: argparse in /usr/local/lib/python2.6/dist-packages/argparse-1.2.1-py2.6.egg (from bbqsql)
Requirement already satisfied: greenlet in /usr/local/lib/python2.6/dist-packages/greenlet-0.4.0-py2.6-linux-i686.egg (from gevent->bbqsql)
Installing collected packages: argparse, bbqsql, gevent, greenlet, requests
Successfully installed bbqsql
Thank you and kind regards,
Martin
I don't think anyone has ever used this tool.
bbqsql> 5
Traceback (most recent call last):
File "/usr/local/bin/bbqsql", line 16, in
bbqMenu()
File "/usr/local/lib/python2.7/dist-packages/bbqsql/menu/bbq_menu.py", line 182, in __init__
bbq = bbqsql.BlindSQLi(**attack_config)
File "/usr/local/lib/python2.7/dist-packages/bbqsql/lib/api.py", line 128, in __init__
self.requester = requester_type(comparison_attr=comparison_attr, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/bbqsql/lib/requester.py", line 122, in __init__
self.session = requests.session(*args,**kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests-0.14.1-py2.7.egg/requests/sessions.py", line 328, in session
return Session(**kwargs)
TypeError: __init__() got an unexpected keyword argument 'data'
root@btoews-ubuntu:/var/www/sqlivuln/public_html#
Needs to have ASCII smoke coming off of it.
When I run the application it throws this error back:
Traceback (most recent call last):
File "/usr/local/bin/bbqsql", line 3, in
from bbqsql import *
File "/usr/local/lib/python2.7/dist-packages/bbqsql/__init__.py", line 30, in
from lib import *
File "/usr/local/lib/python2.7/dist-packages/bbqsql/lib/__init__.py", line 1, in
import api
File "/usr/local/lib/python2.7/dist-packages/bbqsql/lib/api.py", line 3, in
from .technique import *
File "/usr/local/lib/python2.7/dist-packages/bbqsql/lib/technique.py", line 8, in
from gevent.coros import Semaphore
ImportError: No module named coros
I installed the latest version, and beforehand purged what was there before.
ACE
Thanks for this wonderful bbqsql Team.
You have saved me from doing a little script in order to do a special SQL injection.
The problem is that when I run the attack ((5) Run Exploit) the program breaks with:
bbqsql> 5
Traceback (most recent call last):
File "/usr/local/bin/bbqsql", line 16, in
bbqMenu()
File "/usr/local/lib/python2.7/dist-packages/bbqsql/menu/bbq_menu.py", line 182, in __init__
bbq = bbqsql.BlindSQLi(**attack_config)
File "/usr/local/lib/python2.7/dist-packages/bbqsql/lib/api.py", line 128, in __init__
self.requester = requester_type(comparison_attr=comparison_attr, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/bbqsql/lib/requester.py", line 122, in __init__
self.session = requests.session(*args,**kwargs)
TypeError: session() takes no arguments (5 given)
I have read that I have to downgrade the requests to 0.14.2
(sudo pip install requests==0.14.2 --upgrade) but that didn't work.
Right now I have:
requests 1.1.0
gevent 0.13.8
greenlet 0.4.0
And the config file has:
XXX@XXX:~/XXXXX/$ cat attack.cfg
[Request Config]
url = http://XXXXXX.php?XXXXX=XXX${injection}
headers = {'{'"User-Agent"'': ''"Mozilla/5.0 (compatible; Googlebot/2.1; +http'}'}
allow_redirects = False
proxies = {'http': 'XX.XX.XX.XX:80'}
method = GET
[HTTP Config]
query = and ASCII( SUBSTR( ( CURRENT_USER ( ) ) ,${char_index:1} , 1 ) ) ${comparator:>}${char_val:0}
csv_output_file = XXXX
technique = binary_search
comparison_attr = size
concurrency = 10
Thanks for all! :)
Fefa
Right now, if things don't work, you never know why.
I would like to change things so there are two overall modes:
- a database dumping mode (the current mode)
- a debugging mode that prints each url that is attempted and whether it is getting evaluated as true/false. Maybe in debug mode it wouldn't try to run the attack, but would just make the necessary requests for establishing true/false (the initial requests that are made before the attack).
Alternatively, it could make the setup requests and then prompt the user to see if they look right.
Patt Madden's idea of looking at the probability to decide where to split for the binary search
If you hit the delete key when typing a url things get all scrambled like on the screen.
Some sort of curses interface would be nice
I think this is a gevent or libevent bug
I'll probably get to this today.