_ sqlsus is an open source MySQL injection and takeover tool, written in perl. _
Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more…Whenever relevant, sqlsus will mimic a MySQL console output.
sqlsus focuses on speed and efficiency , optimising the available injection space, making the best use (I can think of) of MySQL functions.It uses stacked subqueries and an powerful blind injection algorithm to maximise the data gathered per web server hit. Using multithreading on top of that, sqlsus is an extremely fast database dumper , be it for inband or blind injection. If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point, and takeover the web server. It uses SQLite as a backend, for an easier use of what has been dumped, and integrates a lot of usual features (see below) such as cookie support, socks/http proxying, https..
sqlsus has been designed to work on Linux. If it works on other platforms, that’s good.
If it doesn’t work on your platform, well.. grab a Linux box.
You will need the following perl modules :
And a proper Term::ReadLine package is definitely recommended (yet not mandatory)
You will probably also want to install sqlite3, the command line interface for SQLite 3.
Or, if you are on a debian system :
apt-get install libwww-perl libdbd-sqlite3-perl libhtml-linkextractor-perl libterm-readline-gnu-perl liblwp-protocol-socks-perl sqlite3
It also requires previous SQL injection knowledge, and.. well.. a brain helps.
information_schemadatabase, or if it doesn’t exist, sqlsus will help you bruteforce the names of the tables and columns.
If your query is likely to return more than one row, sqlsus will use as many subqueries it can use at a time (per query), staying under a configurable limit. Therefore, it can grab up to thousands of records in just 1 server hit (depending on the available injection space) (cf inband demo ) Once you have found an inband injection, you need to find the correct number of columns for UNION. sqlsus will do the job for you, identifying the needed number of columns, and which of them are suitable for injection. To speed things up, multithreading (actually, multiple processes (fork)) can be used.
Blind injection is supported, using conditional responses, and multithreading (actually, again, multiple processes (fork)).
The engine has been optimised in speed and server hit :
If the database user has the FILE privilege, and if you can use quotes in your injection (mandatory for a SELECT INTO OUTFILE), then sqlsus will help you place a php backdoor on the remote system, recursively looking for writable directories. You can use
download <file> from sqlsus shell, to download an arbitrary (world readable) file from the remote server. The file will be stored in the local filesystem, rebuilding the path tree to the file in the
data directory. sqlsus has the ability to crawl the website at a configurable depth, looking for all the directories it can find, via hypertext links, img links, etc… Then, it tries to upload a tiny php uploader on each candidate directory until it finds one world writable, later used to upload the backdoor itself. All sqlsus needs (besides what has been said above) is the document_root used server side. You can find it by downloading/reading the relevant files on the web server. It ships with a PHP backdoor you can upload and a controller, to help you execute system commands, PHP commands, and SQL queries as if you were sitting on a normal direct MySQL connection.
Source && Download