Automate Blind SQL Injection with Python.

Overview

Automatic Blind SQL Injection

This tool, written in Python, exploits a Blind SQL Injection through response time: it uses the SQL command sleep to delay the response and the command substr to check whether a character is correct.

Modules:

1. Actual DataBase

Actual DataBase is the first module. It dumps the name of the database you are currently in using the SQL function database(). A double for loop tests every letter of the alphabet in each position; when the letter is correct, the sleep() command delays the web application's response, and that delay is how the character is discovered.

2. All DataBases

The second module is called All Databases. It works the same way as module one, but with a different payload. The new payload is like this:

SELECT schema_name FROM information_schema.schemata- --

Every time it finishes discovering all the characters of a database name, it adds a comma ", " and starts on the next one.
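From the defender's side, the request pattern of modules 1 and 2 (a sleep call paired with substr, database() or information_schema, repeated many times by one client) is easy to spot in request logs. The following is an added example, not part of the tool: the log format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log lines: "<client_ip> <response_seconds> <url-encoded POST body>".
# Injected bodies are abbreviated to the tokens the detector keys on.
SAMPLE_LOG = """\
10.0.0.5 0.04 username=alice&password=hunter2
10.0.0.9 0.05 username=x%27+substr%28database%28%29%2C1%2C1%29%3D%27a%27+sleep%283%29&password=x
10.0.0.9 3.06 username=x%27+substr%28database%28%29%2C1%2C1%29%3D%27b%27+sleep%283%29&password=x
10.0.0.9 0.05 username=x%27+SUBSTR%28schema_name+from+information_schema.schemata%2C1%2C1%29+SLEEP%283%29&password=x
10.0.0.7 2.90 username=bob&password=sleepy%28head%29
"""

# Timing primitive and extraction helpers named on this page.
TIMING = re.compile(r"\bsleep\s*\(", re.I)
EXTRACT = re.compile(
    r"\bsubstr(ing)?\s*\(|\bdatabase\s*\(|\binformation_schema\b", re.I
)


def parse(line):
    """Split one log line and URL-decode the body before matching."""
    ip, seconds, body = line.split(" ", 2)
    return ip, float(seconds), unquote_plus(body)


def detect(log_text, min_hits=3, slow_after=2.0):
    """Return clients that sent at least min_hits timing+extraction probes."""
    probes, delayed = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, seconds, body = parse(line)
        # A slow response alone is not evidence; require both token classes.
        if TIMING.search(body) and EXTRACT.search(body):
            probes[ip] += 1
            if seconds >= slow_after:
                delayed[ip] += 1  # the delay fired: a character was confirmed
    return {
        ip: {"probes": n, "delayed": delayed[ip]}
        for ip, n in probes.items()
        if n >= min_hits
    }


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The benign slow request from 10.0.0.7 is not flagged, because its body contains no sleep( call, only a password that happens to start with the same letters.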

3. Tables

The third module takes the results of the All Databases module and dumps every table from every database found in module 2. It takes a long time to finish, but it works correctly.

4. Columns Discover

The fourth module is the one used to discover columns. Since the previous module already takes quite long to run, this one lets you discover only the columns of the table that interests you.

5. Columns Dumper

The fifth module dumps the columns that interest you from the table and database that you choose. You have to write the (database/table/column) manually, and if you want to dump two columns it would be (database/table/column1:column2).

Basic Usage

python3 sqli_blind.py -u target_url -d "'username':'anything','password':'sadasdsa'"

With the -time flag you can add response time to avoid false positives.

Author: S12

Youtube Channel: https://www.youtube.com/channel/UCKILJTZISRLxQmiUgwg94Hw
