sqli template

This commit is contained in:
Roman Hergenreder 2024-02-24 16:08:04 +01:00
parent 5a2508e524
commit 4b02f0bf25
2 changed files with 12 additions and 10 deletions

sqli.py

@ -22,7 +22,7 @@ class SQLi(ABC):
if not binary_search: if not binary_search:
cur_int = 1 cur_int = 1
while self.blind_sqli(f"({query})>{cur_int}"): while self.blind_sqli(f"({query})>{cur_int}", verbose):
cur_int += 1 cur_int += 1
return cur_int return cur_int
@ -30,16 +30,15 @@ class SQLi(ABC):
min_value = 1 min_value = 1
max_value = 1 max_value = 1
while self.blind_sqli(f"({query})>{max_value}"): while self.blind_sqli(f"({query})>{max_value}", verbose):
min_value = max_value + 1 min_value = max_value + 1
max_value = max_value * 2 max_value = max_value * 2
max_value = max_value - 1
while True: while True:
cur_int = (min_value + max_value) // 2 cur_int = (min_value + max_value) // 2
if self.blind_sqli(f"({query})>{cur_int}"): if self.blind_sqli(f"({query})>{cur_int}", verbose):
min_value = cur_int + 1 min_value = cur_int + 1
elif self.blind_sqli(f"({query})<{cur_int}"): elif self.blind_sqli(f"({query})<{cur_int}", verbose):
max_value = cur_int - 1 max_value = cur_int - 1
else: else:
return cur_int return cur_int
@ -67,7 +66,7 @@ class SQLi(ABC):
found = False found = False
query = self.build_query(f"ascii(substr({column},{len(cur_str) + 1},1))", table, condition, offset) query = self.build_query(f"ascii(substr({column},{len(cur_str) + 1},1))", table, condition, offset)
for c in charset: for c in charset:
if self.blind_sqli(f"({query})={ord(c)}"): if self.blind_sqli(f"({query})={ord(c)}", verbose):
found = True found = True
cur_str += c cur_str += c
if verbose: if verbose:
@ -93,6 +92,12 @@ class SQLi(ABC):
return rows return rows
# Following methods need to be implemented in the exploit
@abstractmethod
def blind_sqli(self, condition: str, verbose=False) -> bool:
pass
# Following methods will be implemented by MySQLi, PostgreSQLi, ...
@abstractmethod @abstractmethod
def get_database_version(self, verbose=False): def get_database_version(self, verbose=False):
pass pass
@ -105,10 +110,6 @@ class SQLi(ABC):
def get_current_database(self, verbose=False): def get_current_database(self, verbose=False):
pass pass
@abstractmethod
def blind_sqli(self, condition: str, verbose=False) -> bool:
pass
@abstractmethod @abstractmethod
def get_table_names(self, schema: str, verbose=False): def get_table_names(self, schema: str, verbose=False):
pass pass
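Review bot: In the binary-search hunk (`@ -30,16 +30,15`) the closing `else: return cur_int` treats "neither greater nor less" as equality, but the oracle answers false to both probes just as readily when `query` yields NULL or no row, or when one blind request is dropped or times out, so the method silently returns the midpoint of its current range as if it were the real value. Dropping `max_value = max_value - 1` is correct (the old bound excluded a value equal to the last doubled `max_value`), but it does not address this. Confirming the result costs one extra request per lookup: replace the `else` branch with `else:` / `    if not self.blind_sqli(f"({query})={cur_int}", verbose): raise ValueError(f"no integer result for {query}")` / `    return cur_int`, and the same NULL caveat applies to the linear variant in the first hunk, which returns 1 when the very first probe is false. The enclosing method begins before the hunk, so the `binary_search` branch and any `verbose` handling above line 30 are not visible here.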

@ -102,6 +102,7 @@ import urllib.parse
from bs4 import BeautifulSoup from bs4 import BeautifulSoup
from hackingscripts import util, rev_shell from hackingscripts import util, rev_shell
from hackingscripts.fileserver import HttpFileServer from hackingscripts.fileserver import HttpFileServer
from hackingscripts.sqli import MySQLi, PostgreSQLi
from urllib3.exceptions import InsecureRequestWarning from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)