pentoo-overlay/dev-db/sqlsus/files/sqlsus.conf

# Configuration file generated by sqlsus 0.7.1
package conf; # do not remove this line
use strict;
use warnings;

#
# Note: only the values that differ from sqlsus defaults are mandatory, so you can have a configuration file with only a few lines in it
#
# All these values will be overriden by the variables you have set in sqlsus in a saved session, provided that $allow_override == 1 (which is the default, see below)
# For example :
# - first run: you launch sqlsus with no cookie defined.
# before the second run, you configure a cookie in your configuration file
# - second run: the cookie is still empty, because the value has been overriden by the one saved
#
# In this case, you need to change the value of the cookie inside sqlsus using "set cookie <cookie>"
# You can always store you running configuration by using "genconf <filename>" inside sqlsus
#

###############################
########### GENERAL ###########

# Start of the url used for the injection
# In inband/union mode, it is generally a good idea to append "AND 0" so that the real query returns nothing
# Ex : our $url_start = "http://localhost/script.php?id=1'";
our $url_start = "";

# End of the url used for the injection
# When possible, it is generally a good idea to use "#" here, so that our queries won't be polluted by the original one
# Ex : our $url_end = "#";
our $url_end = "";

# Use POST instead of GET
our $post = 0;

# Use blind injection ?
# set it to 1 for boolean-based blind injection
# set it to 2 for time-based blind injection (requires MySQL >= 5.0.12)
our $blind = 0;

# In boolean-based blind mode, string to be found in the HTML if the statement is true
our $blind_string = "";

# In time-based blind mode, how long in seconds (can be a float) to sleep() when the statement is true
# You must specify a value higher than the maximum delay to be expected in normal conditions
our $blind_sleep = 2;

# Allow the values specified in the configuration file to be overriden by the ones you have set in sqlsus (in a saved session)
our $allow_override = 1;

# User agent to use for HTTP queries
our $user_agent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)";

# Display "debug" messages
our $debug = 0;

# Char (not string) to display when something is null / not found
our $null_substitute = "~";

# Hex encode strings in the query ?
# ie: "sqlsus" will be sent as 0x73716c737573, thus escaping quotes filtering
our $hex_encode_strings = 1;

# Maximum running processes used to retrieve data (+main process +hits counter process)
our $processes = 10;

# Amount of seconds to sleep after each server hit. (can be a float)
# Note that it does not take the query / answer time in consideration, it's just a simple sleep() after a hit
our $sleep_after_hit = 0;

# -- maximum amount of data we can send at once --

# Typically, we are restricted either by the web server (URL size) or by the layer underneath (PHP / suhosin)
# Only one of the 2 variables can be set (non 0) at a time, and it will be the only one to be used by sqlsus
# If both are set to 0, using "start" or "autoconf max_sendable", sqlsus will find which restriction apply, and set the variable(s) accordingly

# Maximum amount of data we can send at once to the target (+ the size of the URL itself)
our $max_url_length = 0;

# Maximum amount of data we can send through the injection point
our $max_inj_length = 0;

# ------------------------------------------------

# Max subqueries per query
# Note that setting a really big value here (ie: 900), as well as a high value for max_url_length (when using POST for example), may result in a potentially long computation time for the queries to be prepared
our $max_subqueries = 70;

# Convert spaces to /**/
our $convert_spaces = 0;

# Shall we consider cookies at all ?
our $use_cookie_jar = 1;

# Cookie to use, separate name=value pairs with ;
# This will only have an effect if $use_cookie_jar = 1
our $cookie = "";

# Proxy (HTTP / socks)
# Example for TOR proxying : our $proxy = "socks://localhost:9050";
our $proxy = "";

# Credentials
our $cred_realm = "";
our $cred_user = "";
our $cred_password  = "";

# What HTTP error codes shall we retry on ?
our @http_error_codes = qw(408 500 501 502 503 504);

# Maximum number of times to retry per thread/process on a HTTP error code
our $http_error_retries = 10;

# Variables to get in %target when using "start"
our %target_keys = ( 
	database => 'database()',
	version => 'version()',
	user => 'current_user'
 );

###############################
############ DATA #############

# Maximum length before the data returned in the HTML is truncated
# Only used by "download" for the moment
our $max_returned_length = 65530;

# Where to put the data (sessions, files, database(s) dump)
our $datapath = "/root/.sqlsus";

# Where to save downloaded files (via the "download" command)
# such files will be stored in ./$datapath/SERVERNAME/$filespath
our $filespath = "files";

# Binary mode (hex encode in mysql, and hex decode in sqlsus)
# This mode uses twice as much bandwith as in non binary mode
# binary mode is useful for :
# - in blind mode : retrieving non ASCII characters (UTF8 ?) or ones not listed in $default_range (see below)
# - in general    : retrieving binary content
our $binary = 0;

###############################
######### INBAND MODE #########

# Maximum number of columns to be used in the UNION statement
# This is used at "start" (or "autoconf select_columns")
our $max_select_cols = 50;

# Columns usable for (inband) injection using union
# example :
# our @columns = qw(0 0 1 0 1);
# 5 columns for union, 3rd and 5th can be used to see the result of the query
# The first "1" will be used as the injection spot
#
# Note that actual values will be used (0 or 1) (except the 1 replaced as the injection spot) in the UNION select query, which might not be what you want
# You can change the entries (but the "1" you want to use) to whatever value suits you
# Unless this variable is set, sqlsus will auto-detect the suitable number of columns to be used for injection
our @columns = qw();

# How to union
our $union_select = "UNION ALL SELECT BINARY";

###############################
######### BLIND MODE ##########

# ASCII chars to brute force if no regex matched
our $default_range = join (',', (9,10,32..126));

# Regular expressions to test against each item retrieved on a blind injection
# and the corresponding ASCII values
# NOTE:
# - the values MUST be sorted
# - the regexs will be tried in order
our @regex_rlike = (
	# num
	"^[0-9]+\$", join (',',(48..57)),
	# lower alpha
	"^[a-z_. @]+\$", join (',',(32,46,64,95,97..122)),
	# lower hex
	"^[a-f0-9]+\$", join (',',(48..57,97..102)),
	# upper hex
	"^[A-F0-9]+\$", join (',',(48..57,65..70)),
	# upper alpha
	"^[A-Z_. @]+\$", join (',',(32,46,64,65..90,95)),
	# mixed alpha
	"^[A-Za-z_. @]+\$", join (',',(32,46,64,65..90,95,97..122)),
	# alnum
	"^[a-z0-9._@]+\$", join (',',(46,48..57,64,95,97..122)),
	# datetime
	"^[0-9 [.hyphen-minus.]:]+\$", join (',',(32,45,48..57,58)),
	# mixed alnum + stuff
	"^[A-Za-z0-9._@+/ [.hyphen-minus.][.apostrophe.][.quotation-mark.]%]+\$", join (',',(32,34,37,39,43,45,46,47,48..57,64,65..90,95,97..122))
);

# Maximum length above which an item won't be bruteforced
# Set it high enough if you intend to download files
our $blind_max_length = 4096;


###############################
########## TAKEOVER ###########

# Document root, on the web server, of the website we are injecting through
# This MUST be accurate for sqlsus to be able to upload its backdoor by automatically crawling for candidate directories
# Also, the web and mysql server must obviously be on the same box
our $document_root = "/var/www/";

# List of (relative to document root path) directories to try to upload backdoor to
# Leave empty for auto detection by crawling the web server
# ex : our @upload_directories = ("/upload");
our @upload_directories = ();

# Maximum depth to look at when crawling the web server for directories
our $crawler_depth = 5;

# URL of the uploader script, if already uploaded
our $uploader = "";

# What remote filename to use when uploading the tiny uploader
our $uploader_name = ".u.php";

# URL of the backdoor, if already uploaded
our $backdoor = "";

# What remote filename to use when uploading the backdoor
our $backdoor_name = ".b.php";


###############################
########### BRUTE #############

# Dynamic string to use for column/table names bruteforcing
# It will be "magically" (perl speaking) incremented and prefix with $table_prefix when applicable
our $brute_start_string = "aaa";

# String to begin the table/column name with
# ex : our $start_string = "cms_";
our $table_prefix = "";

# For each table name, also try an uppercase version for the first char only
our $uc_first = 1;

# For each table name, also try an uppercase version (for all chars)
our $uc_all = 0;

# Tables dictionnary
our @brute_tables_dict = qw(login logins user users group groups perm permissions perms admin admins administrators staff customer customers client clients config configuration member members name names password passwords);

# Columns dictionnary
our @brute_columns_dict = qw(id admin login name user username email emailaddress mail e_mail tel phone number telephone address adress street pw pwd pass password);