Tuesday, October 11, 2011

The Mole - SQL Injection exploitation tool

The Mole is a command line interface SQL Injection exploitation tool.
This application, developed in python, is able to exploit both union-based and blind boolean-based injections.

Every action The Mole can execute is triggered by a specific command. All this application requires in order to exploit a SQL Injection is the URL(including the parameters) and a needle(a string) that appears in the server's response whenever the injection parameter generates a valid query, and does not appear otherwise. Note that the vulnerable parameter must be the last one on the URL.

So far, The Mole supports Mysql, Mssql and Postgres, but we expect to include other DBMSs.

Edit: to read an updated and more detailed tutorial, please visit: http://themole.nasel.com.ar/?q=tutorial.


Executing The Mole

In order to execute The Mole, you require only python3 and python3-lxml. Once you execute it, a shell prompt will be printed, waiting for commands. You can additionally use some program arguments:

-u URL: Use this to set the URL which contains the vulnerability. This is the same as using the "url" command.

-n NEEDLE: Use this to set the needle to be found in the requested page. This is the same as using the "needle" command.

-t THREADS: Use THREADS threads while performing queries.

Commands

This is a list of all supported commands:
- url [URL]: Gets/sets the URL. This can also be provided as an argument to the application, using the "-u" parameter.

- needle [NEEDLE]: Gets/sets the NEEDLE. This can also be provided as an  argument to the application, using the "-n" parameter.

- dbinfo: Fetch current user name, database name and DBMS version.

- schemas: Fetchs the schemas(databases) from the server. The results obtained will be cached, so further calls to this command will return the cached entries. See "fetch" command.

- tables <SCHEMA>: Fetchs the tables for the schema SCHEMA. The results obtained will be cached, so further calls to this command will return the cached entries. See "fetch" command.
e.g: "tables mysql"

- columns <SCHEMA> <TABLE>: Fetchs the columns for the table TABLE, in the schema SCHEMA. The results obtained will be cached, so further calls to this command will return the cached entries. See "fetch" command.
e.g: "columns mysql user"

- query <SCHEMA> <TABLE> COLUMN1[,COLUMN2[,COLUMN3[...]]] [where COND]:
Perform a query to fetch every column given, using the table TABLE located in the schema SCHEMA. A "where condition" can be given. Note that The Mole will take care of any string conversions required on the condition. Therefore, you can use string literals(using single quotes) even if the server escapes them. Note that no caching is performed when executing this command.
e.g: query mysql user User,Password where User = 'root'

- fetch [args]: This command calls schemas, tables or columns commands depending on the arguments given, forcing them to refetch entries, even if they have already been dumped. This is useful when, after having stopped a query in the middle of it, you want to fetch all of the results and not just those that you were able to dump before stopping it.
e.g: "fetch columns mysql user"

- cookie [COOKIE]: Gets/sets a cookie to be sent in each HTTP request's headers.

- mode
<union|blind>: Sets the SQL Injection exploitation method. By
default, union mode is used. If the injection cannot be exploited using
this mode, change it to blind using "mode blind" and try again. Nothing else has to be configured to go from union to blind mode, as long as you have already set the URL and needle.

- prefix [PREFIX]: Gets/sets the prefix for each request. The prefix
will be appended to the URL's vulnerable parameter on each request.

- suffix [SUFFIX]: Gets/sets the suffix for each request. The suffix
will be appended after the injection code on the URL's vulnerable  parameter.

- verbose
<on|off>: Sets the verbose mode on and off. When this mode is on, each request's parameters will be printed out.

- output
<pretty|plain>: Sets the output style. When pretty output mode is enabled(this is the default), queries result will be printed on a
tidy box, using column names and each row will be aligned. The drawback is that this method requires the whole query to finish before printing results, so you might want to use "plain" output if you seek immediate results. In contrast, plain mode prints each result as soon as it is recovered.
e.g:
Pretty output might print results like this:

+------------------------------------------------------------------------------------------+
 | User    | Password                                                               |
+------------------------------------------------------------------------------------------+
 | blabla  | *2B0DDEE3597240B595689260B53D411F515B806D |
 | foobar  | *641B2485F1789F7A6BEE986648B83A899D96793B |
+------------------------------------------------------------------------------------------+

While plain output will print them like this:

User, Password:
blabla, *2B0DDEE3597240B595689260B53D411F515B806D
foobar, *641B2485F1789F7A6BEE986648B83A899D96793B

- timeout [TIMEOUT]: Gets/Sets the timeout between requests. Use this if the server contains some kind of IDS system that returns HTTP error when executing lots of requests in a short amount of time. Note that TIMEOUT can be a floating point number, so you can set "0.5" as the timeout.

- usage
<COMMAND>: Print the usage for the command COMMAND.

- exit: Exit The Mole.
Example

This is a video of The Mole exploiting a SQL Injection, first using union mode, and then using blind mode:



Download

In order to download The Mole, you can visit the project's sourceforge entry: https://sourceforge.net/projects/themole.