This script was created to solve these three PortSwigger Blind SQLi labs:
- Blind SQL injection with conditional responses
- Blind SQL injection with conditional errors
- Blind SQL injection with time delays and information retrieval
1. Install Dependencies: Install the required Python library using pip:
   `pip install requests`
2. Run the Script: Execute the main script:
   `python main.py`
   or run it in your IDE.
3. Follow the Prompts:
   - Choose the SQL injection method (1 for Conditional Response, 2 for Conditional Errors, 3 for Time Delays).
   - Enter the headers starting from the Host header (press Enter twice to finish).
requests. What it does: Allows the script to interact with web servers by making HTTP requests and handling responses. How it's used:
- Making HTTP Requests: `session = requests.Session()` creates a session object that keeps cookies and other parameters across multiple requests.
- Sending GET Requests: `response = session.get(url, headers=headers, cookies=cookie)` sends a GET request to the specified URL; custom headers and cookies can be passed as parameters.
- Accessing the Response: `response.text` retrieves the response body as a string; `response.status_code` retrieves the HTTP status code of the response.
concurrent.futures. What it does: Provides a way to run tasks concurrently (at the same time). How it's used:
- Creating an Executor: `with concurrent.futures.ThreadPoolExecutor() as executor:` creates a pool of worker threads to execute tasks.
- Submitting Tasks: `executor.submit(task_function, args)` submits a task (function) to be executed asynchronously and returns a Future. Example: `executor.submit(test_function, arg1, arg2)`.
- Waiting for Tasks to Complete: `for future in concurrent.futures.as_completed(futures):` iterates over the submitted futures as each one finishes. Example: `for future in concurrent.futures.as_completed(futures): pass`.
threading. What it does: Allows the script to execute multiple tasks concurrently by creating and managing multiple threads of execution; here it also supplies the lock that protects shared state. How it's used:
- Creating a Lock: `lock = threading.Lock()` creates a lock object to synchronize access to a shared resource.
- Acquiring and Releasing the Lock: `with lock:` acquires the lock before accessing the shared resource and releases it afterward, ensuring that only one thread can access the critical section (shared resource) at a time to prevent data corruption.
- Example: In the script, a lock is used to ensure thread-safe access to the `found_password` list. Before modifying or accessing `found_password`, a thread acquires the lock using `with lock:`. Once the critical section has executed, the lock is released automatically. This ensures that only one thread can modify `found_password` at a time, preventing race conditions and ensuring data integrity.
How it works:
- Get User Headers: The script prompts the user to input HTTP headers. This information is crucial for making authenticated requests to the target application.
- Process Headers: The headers are processed to extract essential details such as the target URL and the `TrackingId` and `session` values from the cookies.
- Choose Injection Method: The user is prompted to choose one of three SQL injection methods:
  - Conditional Response: Determines if a condition is true based on changes in the HTTP response body.
  - Conditional Errors: Uses server errors to infer information.
  - Time Delays: Uses time-based SQL injections to determine if a condition is true by measuring response times.
- Retrieve Password: The script tests each character of the password for the administrator user. It constructs SQL injection payloads and sends requests in parallel to speed up the process. The correct character for each position is determined based on the chosen method.
- Output: The script outputs the retrieved password and the time taken to find it.
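Added example, written from the defender's side and not part of this script or the labs: a small detector that runs over constructed access-log lines and flags the traffic shape the three methods above leave behind, a burst of requests to one path from one client, with a high share of server errors (conditional errors) or responses stalled by an injected delay (time delays). The log format, thresholds and sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed access-log lines (not real traffic): timestamp, client, path, status, response ms.
SAMPLE_LOG = """\
2024-05-01T12:00:00.000 10.0.0.9 /filter?category=Gifts 200 95
2024-05-01T12:00:00.020 10.0.0.9 /filter?category=Gifts 500 88
2024-05-01T12:00:00.040 10.0.0.9 /filter?category=Gifts 500 91
2024-05-01T12:00:00.060 10.0.0.9 /filter?category=Gifts 200 93
2024-05-01T12:00:00.080 10.0.0.9 /filter?category=Gifts 500 90
2024-05-01T12:00:00.100 10.0.0.9 /filter?category=Gifts 200 10045
2024-05-01T12:00:01.000 10.0.0.7 /filter?category=Gifts 200 101
2024-05-01T12:00:30.000 10.0.0.7 /product?productId=3 200 98
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, path, status, ms = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "client": client,
                           "path": path, "status": int(status), "ms": int(ms)})
    return events

def find_probing_clients(events, window=timedelta(seconds=10), min_requests=6,
                         error_ratio=0.3, slow_ms=5000):
    """Map client -> reasons for clients whose traffic looks like the probing described
    above: a burst to one path, with many 5xx (conditional errors) or stalls (time delays)."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            # Burst = all of this client's requests within `window` of request i.
            burst = [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]
            if len(burst) < min_requests or len({e["path"] for e in burst}) != 1:
                continue
            reasons = ["burst"]
            if sum(e["status"] >= 500 for e in burst) / len(burst) >= error_ratio:
                reasons.append("server-errors")
            if any(e["ms"] >= slow_ms for e in burst):
                reasons.append("delayed-responses")
            flagged[client] = reasons
            break
    return flagged
```

The thresholds are deliberately loose; in a real deployment they would be tuned per endpoint, and a conditional-response probe shows up only as the bare "burst" reason, since it produces neither errors nor delays.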