# Configuration file generated by sqlsus 0.5rc1 package conf; # do not remove this line use strict; use warnings; # # Note: only the values that differ from sqlsus defaults are mandatory, so you can have a configuration file with only a few lines in it. # # All these values will be overriden by the variables you have set in sqlsus in a saved session, provided that $allow_override == 1 (which is the default, see below) # For example : # - first run: you launch sqlsus with no cookie defined. # before the second run, you configure a cookie in your configuration file # - second run: the cookie is still empty, because the value has been overriden by the one saved. # # In this case, you need to change the value of the cookie inside sqlsus using "set cookie " # ############################### ########### GENERAL ########### # Start of the url used for the injection # In inband/union mode, it is generally a good idea to append "AND 1=0" so that the real query returns nothing. # Ex : our $url_start = "http://localhost/script.php?id=1'"; our $url_start = ""; # End of the url used for the injection # When possible, it is generally a good idea to use "#" here, so that our queries won't be polluted by the original one. # Ex : our $url_end = "#"; our $url_end = ""; # Use POST instead of GET our $post = 0; # Use blind injection ? our $blind = 0; # In blind mode, string to be found in the HTML if the statement is true our $string_to_match = ""; # Allow the values specified in the configuration file to be overriden by the ones you have set in sqlsus (in a saved session). our $allow_override = 1; # User agent to use for HTTP queries our $user_agent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"; # Display "debug" messages our $debug = 0; # Char (not string) to display when something is null / not found our $null_substitute = "~"; # Hex encode strings in the query ? # ie: "sqlsus" will be sent as 0x73716c737573, thus escaping quotes filtering. our $hex_encode_strings = 1; # Maximum running processes used to retrieve data (+main process +hits counter process) our $processes = 10; # Amount of seconds to sleep after each server hit. (can be a float) # note that it does not take the query / answer time in consideration, it's just a simple sleep() after a hit. our $sleep_after_hit = 0; # Max chars we can inject. # if you are using injection via POST, you can set it to a big value, and control the behaviour of sqlsus via max_subqueries # you can let sqlsus find the best value by executing "autoconf max_sendable" inside sqlsus our $max_sendable = 8000; # Max subqueries per query # Note that setting a really big value here (ie: 900), as well as a high value for max_sendable (when using POST for example), may result in a potentially long computation time for the queries to be prepared. our $max_subqueries = 50; # Convert spaces to /**/ our $convert_spaces = 0; # Shall we consider cookies at all ? our $use_cookie_jar = 1; # Cookie to use, separate name=value pairs with ; # This will only have an effect if $use_cookie_jar = 1 our $cookie = ""; # HTTP proxy our $http_proxy = ""; # Credentials our $cred_realm = ""; our $cred_user = ""; our $cred_password = ""; # What HTTP error codes shall we retry on ? our @http_error_codes = qw(408 500 501 502 503 504); # Maximum number of times to retry per thread/process on a HTTP error code our $http_error_retries = 10; # Variables to get in %target when using "start" our %target_keys = ( database => 'database()', version => 'version()', user => 'current_user' ); ############################### ############ DATA ############# # Maximum length before the data returned in the HTML is truncated # Only used by "download" for the moment our $max_returned_length = 65530; # Where to put the data (sessions, files, database(s) dump) our $datapath = "/root/.sqlsus"; # Where to save downloaded files (via the "download" command) # such files will be stored in ./$datapath/SERVERNAME/$filespath our $filespath = "files"; # Binary mode # - hex encode in mysql, and hex decode in sqlsus # uses twice as much bandwith as in non binary mode. our $binary = 0; ############################### ######### INBAND MODE ######### # Maximum number of columns to try in the union statement our $max_select_cols = 50; # Columns usable for (inband) injection using union # example : # our @columns = qw(0 0 1 0 1); # 5 columns for union, 3rd and 5th can be used to see the result of the query # The first "1" will be used as the injection spot. # # Note that actual values will be used (0 or 1) (except the 1 replaced as the injection spot) in the UNION select query, which might not be what you want. # You can change the entries (but the "1" you want to use) to whatever value suits you # Unless this variable is set, sqlsus will auto-detect the suitable number of columns to be used for injection. our @columns = qw(); # How to union our $union_select = "UNION ALL SELECT BINARY"; ############################### ######### BLIND MODE ########## # Chars to brute force if no regex matched our $default_range = join (',', (32..126)); # Regular expressions to test against each item retrieved on a blind injection # and the corresponding ASCII values. # NOTE: # - the values MUST be sorted. # - the regexs will be tried in order. our @regex_rlike = ( # num "^[0-9]+\$", join (',',(48..57)), # lower alpha "^[a-z_. @]+\$", join (',',(32,46,64,95,97..122)), # lower hex "^[a-f0-9]+\$", join (',',(48..57,97..102)), # upper hex "^[A-F0-9]+\$", join (',',(48..57,65..70)), # upper alpha "^[A-Z_. @]+\$", join (',',(32,46,64,65..90,95)), # mixed alpha "^[A-Za-z_. @]+\$", join (',',(32,46,64,65..90,95,97..122)), # alnum "^[a-z0-9._@]+\$", join (',',(46,48..57,64,95,97..122)), # datetime "^[0-9 [.hyphen-minus.]:]+\$", join (',',(32,45,48..57,58)), # mixed alnum + stuff "^[A-Za-z0-9._78/ [.hyphen-minus.][.apostrophe.][.quotation-mark.]%]+\$", join (',',(32,34,37,39,43,45,46,47,48..57,64,65..90,95,97..122)) ); # Max length above which an item won't be bruteforced # Set it high enough if you intend to download files our $blind_max_length = 4096; ############################### ########## TAKEOVER ########### # Document root on the web server our $document_root = "/var/www/"; # List of (relative to document root path) directories to try to upload backdoor to # leave empty for auto detection by crawling the web server # ex : our @upload_directories = ("/upload"); our @upload_directories = (); # Maximum depth to look at when crawling the web server for directories our $crawler_depth = 3; # URL of the uploader script, if already uploaded our $uploader = ""; # What remote filename to use when uploading the tiny uploader our $uploader_name = ".u.php"; # URL of the backdoor, if already uploaded our $backdoor = ""; # What remote filename to use when uploading the backdoor our $backdoor_name = ".b.php"; ############################### ########### BRUTE ############# # Dynamic string to use for column/table names bruteforcing # it will be "magically" (perl speaking) incremented and prefix with $table_prefix when applicable. our $brute_start_string = "aaa"; # String to begin the table/column name with # ex : our $start_string = "cms_"; our $table_prefix = ""; # For each table name, also try an uppercase version for the first char only our $uc_first = 1; # For each table name, also try an uppercase version our $uc_all = 0; # Tables dictionnary our @brute_tables_dict = qw(login logins user users group groups perm permissions perms admin admins administrators staff customer customers client clients config configuration member members name names password passwords); # Columns dictionnary our @brute_columns_dict = qw(id admin login name user username email emailaddress mail e_mail tel phone number telephone address adress street pw pwd pass password);