• Stars
    star
    673
  • Rank 67,060 (Top 2 %)
  • Language
    Python
  • License
    Other
  • Created almost 13 years ago
  • Updated almost 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SQL Injection Exploitation Tool

#BBQSQL# A Blind SQL Injection Exploitation Tool

Table Of Contents

What is BBQSQL?##

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

Overview of Readme

We tried to write the tool in such a way that it would be very self explanatory when setting up an attack in the UI. However, for sake of thoroughness we have included a detailed Readme that should provide you additional insight on the specifics of each configuration option. One thing to note is that every configuration option in the UI has a description associated with it, so if you do choose to fire up the tool without reading this page you should be able to hack your way through an attack.

High Level Usage

Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

Then specify where the injection is going and what syntax we are injecting. Read on for details.

Install

This should be straight forward, but what ever is. Try running:

sudo pip install bbqsql

If that doesn't work for you, you can install from source. The tool requires gevent,requests.

BBQSQL Options

In the menu you will see a place for BBQSQL options. Here you specify the following options:

query

This is described in greater detail below query syntax overview.

csv_output_file

The name of a file to output the results to. Leave this blank if you dont want output to a file.

technique

BBQSQL utilizes two techniques when conducting a blind SQL injection attack. The first and default technique used is binary_search. See Wikipedia for more information.

The second technique you can use is frequency_search. Frequency searching is based on an analysis of the English language to determine the frequency in which a letter will occur. This search method is very fast against non-entropic data, but can be slow against non-english or obfuscated data.

You can specify either binary_search or frequency_search as the value for this parameter.

comparison_attr

This specifies the type of SQL injection you have discovered. Here you can set which attribute of the http response bbqsql should look at to determine true/false.

You can specify: status_code, url, time, size, text, content, encoding, cookies, headers, or history

If you have identified sql injection that results in a different server status code set 'status_code' here. If the cookie is different set 'cookie'. If the response size is different set 'size'. You get the jist.

concurrency

Concurrency is based on the gevent library in Python. Functionally, it appears to act like threading but the specifics of how this works can be seen in our DefCon talk here [insert link here]. This setting controls the amount of concurrency to run the attack with. This is useful for throttling the requests and speeding up attack times. For really high performance web-servers such as nginx, we have been able to set the concurrency to 75. By default this is set to '30'.

Query Syntax Overview

If you run into a SQL injection vulnerability that has some weird quirks (such as certain characters can't be included or functions like ASCII/CHAR do not work), you have probably found yourself writing some sort of script with your custom injection syntax. BBQSQL takes out the scripting part and provides a way for you to paste in your custom query syntax and exploit with ease.

The query input is where you will construct your query used to exfiltrate information from the database. The assumption is that you already have identified SQL injection on a vulnerable parameter, and have tested a query that is successful.

Below is an example query you can use to construct your query.

In this example, the attacker is looking to select the database version:

vulnerable_parameter'; if(ASCII(SUBSTRING((SELECT @@version LIMIT 1 OFFSET ${row_index}) , ${char_index} ,1))) ${comparator:>}ASCII(${char_val}) WAITFOR DELAY '0\:0\:0${sleep}'; --

The query syntax is based around placeholders which tell BBQSQL how to execute the attack.

You need to provide the following placeholders of information in order for the attack to work. Once you put these in your query, bbqSQL will do the rest:

${row_index}: This tells bbqSQL to iterate rows here. Since we are using LIMIT we can view n number of row depending on ${row_index} value.

${char_index}: This tells bbqSQL which character from the subselect to query.

${char_val}: This tells bbqSQL where to compare the results from the subselect to validate the result.

${comparator}: This is how you tell BBQSQL to compare the responses to determine if the result is true or not. By default, the > symbol is used.

${sleep}: This is optional but tells bbqSQL where to insert the number of seconds to sleep when performing time based SQL injection.

Not all of these place holders are required. For example, if you have discovered semi-blind boolean based SQL injection you can omit the ${sleep} parameter.

HTTP Parameters

BBQSQL has many http parameters you can configure when setting up your attack. At a minimum you must provide the URL, where you want the injection query to run, and the method. The following options can be set:

  • files
  • headers
  • cookies
  • url
  • allow_redirects
  • proxies
  • data
  • method
  • auth

You specify where you want the injection query to be inserted by using the template ${injection}. Without the injection template the tool wont know where to insert the query.

files

Provide files to be sent with the request. Set the value to the path and BBQSQL will take care of opening/including the file.

headers

HTTP headers to be sent with the requests. This can be a string or a dictionary. For example:

{"User-Agent":"bbqsql"} or "User-Agent: bbqsql"

cookies

A dictionary or string of cookies to be sent with the request. For example:

{"PHPSESSIONID":"123123"} or PHPSESSIONID=123123;JSESSIONID=foobar

url

Specify a url that the requests should be sent to.

allow_redirects

This is a boolean that determines wether http redirects will be follwed when making requests.

proxies

Specify an http proxy to be used for the request as a dictionary. For example:

{"http": "10.10.1.10:3128","https": "10.10.1.10:1080"}

data

Specify post data to be sent along with the request. This can be a string or a dictionary. For example:

{"input_field":"value"} or input_field=value

method

Specify the method for the http request. Valid methods are

'get','options','head','post','put','patch','delete'

auth

Specify a tuple of username and password to be used for http basic authentication. For example:

("myusername","mypassword")

Export Config

After you have setup your attack in the UI, you can export the configuration file. You will see the option when you run the tool. The exported configuration file uses ConfigParser, and is easy to read. An example configuration file can be seen below:

`[Request Config] url = http://example.com/sqlivuln/index.php?username=user1&password=secret${injection} method = GET

[HTTP Config] query = ' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET ${row_index:1}),${char_index:1},1))${comparator:>}${char_val:0} # technique = binary_search comparison_attr = size concurrency = 30`

This is useful if you plan on resuming an attack or maybe just adjusting the query but don't want to go through the hassle of reconfiguring every option.

Import Config

You can also import a config from the command line or from the user interface. To import a config from the command line just run bbqsl with the following options:

bbqsql -c config_file

When you load a config file either via command line or the user interface, the same validation routines are run on the paramters to make sure that are valid.

Custom Hooks

Sometimes you need to do something really crazy. Maybe do you need to encrypt the values going into a field before sending the request or maybe you need to triple URL encode. Regardless, these situations make other tools impossible to use. BBQSQL allows you to define "hook" functions that the tool will call at various points throughout the request. For example, you can specify a pre_request function that takes the request as its argument, does whatever mutations are necessary, and returns the modified request to be sent on to the server.

To implement this, create a Python file and specify hook functions. The available function names are listed bellow. In your hooks file, you can define as few or as many of these hooks functions as you would like. Then, in the bbqsql_options section of the menue, you can specify the location of your hooks_file. BBQSQL will suck in this file and use whatever hooks you defined.

It is important that the hooks functions you specify have the exact names specified bellow or else BBQSQL won't know which hook to call when. The args function receives one parameter that contains all the arguments that are being used to create the HTTP request. The pre_request function receives the request object before it is sent. The post_request function receives the request object after it has been sent. The response function receives the response object before it is returned to BBQSQL.

The following hooks are made available:

args: A dictionary of the arguments being sent to Request().

pre_request: The Request object, directly before being sent.

post_request: The Request object, directly after being sent.

response: The response generated from a Request.

For more information on how these hooks work and on how your hooks dictionary should look, check out the requests library documentation on its hooks

An example hooks file might look like this:

# file: hooks.py
import time

def pre_request(req):
    """
    this hook replaces a placeholder with the current time
    expecting the url to look like this:
        http://www.google.com?k=v&time=PLACEHOLDER
    """
    req.url = req.url.replace('PLACEHOLDER',str(time.time()))
    return req

Found a Bug?

Submit any bug fixes or feature requests to https://github.com/Neohapsis/bbqsql/

Can I Help?

Please! We see this being a great starting place to build a fully capable sql injection framework. Feel free to fork the code and we can merge your changes if they are useful.

What's Up With the Name?

BBQ is absolutely delicious and so is SQL injection!

More Repositories

1

enum4linux

enum4Linux is a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts
Perl
936
star
2

NeoPI

Python
462
star
3

linikatz

linikatz is a tool to attack AD on UNIX
C
425
star
4

creddump7

Python
357
star
5

rdp-sec-check

rdp-sec-check is a Perl script to enumerate security settings of an RDP Service (AKA Terminal Services)
Perl
166
star
6

suddensix

IPV6 MITM attack tool
Shell
92
star
7

udp-proto-scanner

udp-proto-scanner is a Perl script which discovers UDP services by sending triggers to a list of hosts
Perl
86
star
8

unix-audit

Framework for generating audit commands for Unix security audits
Shell
65
star
9

mptcp-abuse

A collection of tools and resources to explore MPTCP on your network. Initially released at Black Hat USA 2014.
Python
58
star
10

udpy_proto_scanner

udpy_proto_scanner is a Python script which discovers UDP services by sending triggers to a list of hosts
Python
40
star
11

QRCode-Video-Data-Exfiltration

Exfiltrate data with QR code videos generated from files by HTML5/JS.
JavaScript
35
star
12

presentations

Presentations from the CX Security Labs team
28
star
13

ssl-cipher-suite-enum

ssl-cipher-suite enum is a Perl script to enumerate supported SSL cipher suites supported by network services (principally HTTPS)
Perl
28
star
14

sslxray

sslxray is an SSL/TLS scanning tool designed to detect a wide range of issues
Python
22
star
15

log4j

Detection rules to look for Log4J usage and exploitation
YARA
18
star
16

http-dir-enum

http-dir-enum is a tool for finding content that is not linked on a website. Its main use is for finding directories that exist on a server. Simply provide a dictionary file and a URL.
Perl
15
star
17

httpShell

CoffeeScript
14
star
18

WXPolicyEnforcer

Injectable Windows DLL which enforces a W^X memory policy on a process
C
14
star
19

sudo-parser

sudo-parser is a tool to audit complex sudoers files
Perl
13
star
20

CVE-2015-5119_walkthrough

Archive from the article CVE-2015-5119 Flash ByteArray UaF: A beginner's walkthrough
ActionScript
13
star
21

tlsplayback

tlsplayback is a set of Proof of Concepts (PoC) showing real-world replay attacks against TLS 1.3 libraries and browsers by exploiting 0-RTT
Python
12
star
22

mat

MAT is a tool to assess mobile applications
HTML
5
star
23

secdump

secdump is a simple meterpreter module that uploads and runs gsecdump
Ruby
4
star
24

FreeRDP-pth

FreeRDP-pth is a slightly modified version of FreeRDP that tries to authenticate using a password hash instead of a password
C
4
star
25

onesixtyone

Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies
C
3
star
26

SSHatter

SSHatter is a Perl script to perform brute force attacks on SSH
Perl
3
star
27

UNIXSocketScanner

UNIXSocketScanner is a Perl script to scan UNIX domain sockets
Perl
2
star
28

cspCalculator

cspCalculator is a PoC implementation of a dynamic Content Security Policy creator
JavaScript
2
star
29

ms08-067-check

MS08-067 check is Python script which can anonymously check if a target machine or a list of target machines are affected by MS08-067 vulnerability
Python
2
star
30

allthevhosts

allthevhosts is a tool to scrape a series of web applications (including Bing and You Get Signalโ€™s database) and looks at Subject Alternative Names in the SSL certificate to find as many web applications which resolve to an IP address as possible
Python
2
star
31

detect-horizontal-user-brute-force-attack

PowerShell PoC for detecting horizontal user brute force attacks
PowerShell
1
star
32

rmiInfo

rmiInfo is a tool to help extract information from Java Remote Method Invocation (RMI) services, which can then be used to find possible security vulnerabilities
Java
1
star
33

bsql-brute-forcer

bsql-brute-forcer is a Perl script allows extraction of data from Blind SQL Injections
Perl
1
star
34

iker

iker is a Python script to analyse the security of the key exchange phase in IPsec based VPNs
Python
1
star
35

nbtscan

NBTscan is a program for scanning IP networks for NetBIOS name information
C
1
star
36

hoppy

hoppy is a Python script to probe HTTP options and perform scanning for information disclosure issues
Python
1
star
37

ownCloud_RCE_CVE-2013-0303

ownCloud PoC for CVE-2013-0303
Python
1
star
38

acccheck

acccheck is a Perl script is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol
Perl
1
star
39

massSSgrab

massSSgrab is a tool that uses the JCIFS library to grab copies of both system and SAM files from โ€œC:\windows\repair\โ€ directory from multiple hosts
Java
1
star
40

vessl

vessl is a bash script that can fetch and verify the SSL certificate of a remote server
Shell
1
star
41

protoanal

Protocol analysis is a Python module which can be used in scripted analysis or interactively using ipython
Python
1
star
42

tcpy_scanner

Fast cross-platform TCP Connect Scanner written in Python
Python
1
star
43

viewstate

Viewstate is an ASP.Net viewstate decoder, checker, parser and encoder
C
1
star
44

NVAPT

NVAPT is a set of shell scripts for a Not Very Advanced Persistent Threat PoC for iOS
Shell
1
star
45

apache-users

apache-users is a Perl script for finding user home directories that are exposed from Apache web server
Perl
1
star
46

AMES

AMES is a tool to parse the new Nessus output files and autogenerate an easy to copy and paste command line exploit using Metasploit CLI
Python
1
star
47

osboxdeploy

OSBoxDeploy is a set of Ansible playbooks and associated artefacts to deploy OpenStack compute hosted Docker containers. It is work in progress, so do not expect too much, too soon
Python
1
star
48

MIBparse

MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as โ€˜snmpwalkโ€™
Perl
1
star
49

bannergrab

BannerGrab is a tool that performs connection, trigger-based and basic information collection from network services
C
1
star
50

openssl3-nov2022

Detection rules to look for OpenSSL 3.x usage and exploitation
1
star
51

ManySSL

ManySSL is a Perl script to enumerate supported SSL cipher suites supported by network services (principally HTTPS)
Perl
1
star
52

smaSHeM

smaSHeM is a System V shared memory segment manipulator
Shell
1
star
53

wordpress-build-review

WordPress Build Review is a tool to check the basic security settings in a WordPress installation
Shell
1
star
54

RPDscan

RPDscan (Remmina Password Decrypt Scanner) is a tool to find and decrypt saved passwords in Remmina RDP configurations
Python
1
star
55

crash

crash is a tool to catch crashes from OS X applications and print debugging information such as registers, disassembled code and a memory dump of the stack
C
1
star
56

mysql-bruteforcer

MySQL Bruteforcer is a Python script to assess the strength of the local MySQL access passwords
Python
1
star
57

whitepapers

Papers from the CX Security Labs team
1
star
58

HeaderCheck

HeaderCheck is a Python script used to check the security settings of various headers returned by web servers
Python
1
star
59

get-dhcp-opts

get-dhcp-opts is a tool to discover DHCP/BOOTP servers on your LAN, and dump the DHCP/BOOTP options
Python
1
star
60

whoislikeaboss

whoislikeaboss is a tool that takes the IP addresses given in a file (one per line), and will give you the range and owner of each of the addresses (with duplicates removed) so you can spot anything that looks fishy before you start testing
Python
1
star
61

winlanfoe

winlanfoe is a tool that parses the output from enum4linux and displays Domain/Workgroup membership, IP address, Operating System (OS) information and if a host is a domain controller
Perl
1
star