# Configuration file generated by sqlsus 0.7.1 package conf; # do not remove this line use strict; use warnings; # # Note: only the values that differ from sqlsus defaults are mandatory, so you can have a configuration file with only a few lines in it # # All these values will be overriden by the variables you have set in sqlsus in a saved session, provided that $allow_override == 1 (which is the default, see below) # For example : # - first run: you launch sqlsus with no cookie defined. # before the second run, you configure a cookie in your configuration file # - second run: the cookie is still empty, because the value has been overriden by the one saved # # In this case, you need to change the value of the cookie inside sqlsus using "set cookie " # You can always store you running configuration by using "genconf " inside sqlsus # ############################### ########### GENERAL ########### # Start of the url used for the injection # In inband/union mode, it is generally a good idea to append "AND 0" so that the real query returns nothing # Ex : our $url_start = "http://localhost/script.php?id=1'"; our $url_start = ""; # End of the url used for the injection # When possible, it is generally a good idea to use "#" here, so that our queries won't be polluted by the original one # Ex : our $url_end = "#"; our $url_end = ""; # Use POST instead of GET our $post = 0; # Use blind injection ? # set it to 1 for boolean-based blind injection # set it to 2 for time-based blind injection (requires MySQL >= 5.0.12) our $blind = 0; # In boolean-based blind mode, string to be found in the HTML if the statement is true our $blind_string = ""; # In time-based blind mode, how long in seconds (can be a float) to sleep() when the statement is true # You must specify a value higher than the maximum delay to be expected in normal conditions our $blind_sleep = 2; # Allow the values specified in the configuration file to be overriden by the ones you have set in sqlsus (in a saved session) our $allow_override = 1; # User agent to use for HTTP queries our $user_agent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"; # Display "debug" messages our $debug = 0; # Char (not string) to display when something is null / not found our $null_substitute = "~"; # Hex encode strings in the query ? # ie: "sqlsus" will be sent as 0x73716c737573, thus escaping quotes filtering our $hex_encode_strings = 1; # Maximum running processes used to retrieve data (+main process +hits counter process) our $processes = 10; # Amount of seconds to sleep after each server hit. (can be a float) # Note that it does not take the query / answer time in consideration, it's just a simple sleep() after a hit our $sleep_after_hit = 0; # -- maximum amount of data we can send at once -- # Typically, we are restricted either by the web server (URL size) or by the layer underneath (PHP / suhosin) # Only one of the 2 variables can be set (non 0) at a time, and it will be the only one to be used by sqlsus # If both are set to 0, using "start" or "autoconf max_sendable", sqlsus will find which restriction apply, and set the variable(s) accordingly # Maximum amount of data we can send at once to the target (+ the size of the URL itself) our $max_url_length = 0; # Maximum amount of data we can send through the injection point our $max_inj_length = 0; # ------------------------------------------------ # Max subqueries per query # Note that setting a really big value here (ie: 900), as well as a high value for max_url_length (when using POST for example), may result in a potentially long computation time for the queries to be prepared our $max_subqueries = 70; # Convert spaces to /**/ our $convert_spaces = 0; # Shall we consider cookies at all ? our $use_cookie_jar = 1; # Cookie to use, separate name=value pairs with ; # This will only have an effect if $use_cookie_jar = 1 our $cookie = ""; # Proxy (HTTP / socks) # Example for TOR proxying : our $proxy = "socks://localhost:9050"; our $proxy = ""; # Credentials our $cred_realm = ""; our $cred_user = ""; our $cred_password = ""; # What HTTP error codes shall we retry on ? our @http_error_codes = qw(408 500 501 502 503 504); # Maximum number of times to retry per thread/process on a HTTP error code our $http_error_retries = 10; # Variables to get in %target when using "start" our %target_keys = ( database => 'database()', version => 'version()', user => 'current_user' ); ############################### ############ DATA ############# # Maximum length before the data returned in the HTML is truncated # Only used by "download" for the moment our $max_returned_length = 65530; # Where to put the data (sessions, files, database(s) dump) our $datapath = "/root/.sqlsus"; # Where to save downloaded files (via the "download" command) # such files will be stored in ./$datapath/SERVERNAME/$filespath our $filespath = "files"; # Binary mode (hex encode in mysql, and hex decode in sqlsus) # This mode uses twice as much bandwith as in non binary mode # binary mode is useful for : # - in blind mode : retrieving non ASCII characters (UTF8 ?) or ones not listed in $default_range (see below) # - in general : retrieving binary content our $binary = 0; ############################### ######### INBAND MODE ######### # Maximum number of columns to be used in the UNION statement # This is used at "start" (or "autoconf select_columns") our $max_select_cols = 50; # Columns usable for (inband) injection using union # example : # our @columns = qw(0 0 1 0 1); # 5 columns for union, 3rd and 5th can be used to see the result of the query # The first "1" will be used as the injection spot # # Note that actual values will be used (0 or 1) (except the 1 replaced as the injection spot) in the UNION select query, which might not be what you want # You can change the entries (but the "1" you want to use) to whatever value suits you # Unless this variable is set, sqlsus will auto-detect the suitable number of columns to be used for injection our @columns = qw(); # How to union our $union_select = "UNION ALL SELECT BINARY"; ############################### ######### BLIND MODE ########## # ASCII chars to brute force if no regex matched our $default_range = join (',', (9,10,32..126)); # Regular expressions to test against each item retrieved on a blind injection # and the corresponding ASCII values # NOTE: # - the values MUST be sorted # - the regexs will be tried in order our @regex_rlike = ( # num "^[0-9]+\$", join (',',(48..57)), # lower alpha "^[a-z_. @]+\$", join (',',(32,46,64,95,97..122)), # lower hex "^[a-f0-9]+\$", join (',',(48..57,97..102)), # upper hex "^[A-F0-9]+\$", join (',',(48..57,65..70)), # upper alpha "^[A-Z_. @]+\$", join (',',(32,46,64,65..90,95)), # mixed alpha "^[A-Za-z_. @]+\$", join (',',(32,46,64,65..90,95,97..122)), # alnum "^[a-z0-9._@]+\$", join (',',(46,48..57,64,95,97..122)), # datetime "^[0-9 [.hyphen-minus.]:]+\$", join (',',(32,45,48..57,58)), # mixed alnum + stuff "^[A-Za-z0-9._@+/ [.hyphen-minus.][.apostrophe.][.quotation-mark.]%]+\$", join (',',(32,34,37,39,43,45,46,47,48..57,64,65..90,95,97..122)) ); # Maximum length above which an item won't be bruteforced # Set it high enough if you intend to download files our $blind_max_length = 4096; ############################### ########## TAKEOVER ########### # Document root, on the web server, of the website we are injecting through # This MUST be accurate for sqlsus to be able to upload its backdoor by automatically crawling for candidate directories # Also, the web and mysql server must obviously be on the same box our $document_root = "/var/www/"; # List of (relative to document root path) directories to try to upload backdoor to # Leave empty for auto detection by crawling the web server # ex : our @upload_directories = ("/upload"); our @upload_directories = (); # Maximum depth to look at when crawling the web server for directories our $crawler_depth = 5; # URL of the uploader script, if already uploaded our $uploader = ""; # What remote filename to use when uploading the tiny uploader our $uploader_name = ".u.php"; # URL of the backdoor, if already uploaded our $backdoor = ""; # What remote filename to use when uploading the backdoor our $backdoor_name = ".b.php"; ############################### ########### BRUTE ############# # Dynamic string to use for column/table names bruteforcing # It will be "magically" (perl speaking) incremented and prefix with $table_prefix when applicable our $brute_start_string = "aaa"; # String to begin the table/column name with # ex : our $start_string = "cms_"; our $table_prefix = ""; # For each table name, also try an uppercase version for the first char only our $uc_first = 1; # For each table name, also try an uppercase version (for all chars) our $uc_all = 0; # Tables dictionnary our @brute_tables_dict = qw(login logins user users group groups perm permissions perms admin admins administrators staff customer customers client clients config configuration member members name names password passwords); # Columns dictionnary our @brute_columns_dict = qw(id admin login name user username email emailaddress mail e_mail tel phone number telephone address adress street pw pwd pass password);