Simple script to automate brutforcing blind sql injection vulnerabilities
Switch branches/tags
Nothing to show
Clone or download
Latest commit 59de8f2 Jul 16, 2017

README.md

Blindy

Simple script for running brute-force blind MySql injection

Note: this script was created for fun, helpful in some ctf challenges :)

description

  • The script will run through queries listed in sets in provided file and try to brute-force any place where {} placeholder is found.
  • GET & POST http methods are supported
  • Http HEADERS are supported in the same way as other parameters
  • In default mode, script looks for negative pattern (text that is not visible when injection succeeds)
  • With --positive flag one can switch to looking for expected response

command line interface

$ python3 blindy.py --help
usage: blindy.py [-h] [-X HTTP_METHOD] -p PARAMETER [-H HTTP_HEADER]
                 [-f FILENAME] -r PATTERN [--positive] [-s QUERY_SET] [-e]
                 [-v]
                 url

Run blind sql injection using brute force

positional arguments:
  url                   Target url

optional arguments:
  -h, --help            show this help message and exit
  -X HTTP_METHOD, --http-method HTTP_METHOD
                        Http method: (GET (default), POST)
  -p PARAMETER, --parameter PARAMETER
                        Parameter, e.g. name=value, name={}
  -H HTTP_HEADER, --http-header HTTP_HEADER
                        Http headers, e.g. X-Custom_header:value,
                        X-Custom_header:{}
  -f FILENAME, --filename FILENAME
                        File with commands in json, default queries.json
  -r PATTERN, --pattern PATTERN
                        Regular expression
  --positive            Injection was successfull if pattern IS PRESENT in
                        response
  -s QUERY_SET, --query-set QUERY_SET
                        Json key for query set, default to ['login']
  -e, --encode          Url encode payload
  -v, --verbose         Print full info what's going on

==================== [example usage] ===================

Bruteforce POST `query_param` parameter:
$ python3 blindy.py http://localhost/index.php -X POST -p query_param={} -p submit=1 -r "Wrong param" -s "['blind']"

Bruteforce POST `query_param` parameter part:
$ python3 blindy.py http://localhost/index.php -X POST -p "query_param=login {}" -p submit=1 -H 'Cookie: PHPSESSID=sdfsdgvdvsdvs' -r "Wrong param" -s "['blind']"

Bruteforce `X-Custom-Header` in GET request - use single query from set:
$ python3 blindy.py http://localhost/index.php -X GET -p admin=1 -H "X-Custom_header: {}" -r "Wrong param" -s "['blind'][0]"

Simple check a list of queries against `username` parameter (negative pattern):
$ python3 blindy.py http://localhost/login.php -X POST -p username={} -p submit=1 -r "Wrong username" -s "['login']"

Simple check a list of queries against `username` parameter (positive pattern):
$ python3 blindy.py http://localhost/login.php -X POST -p username={} -p submit=1 -r "Welcome back, admin" --positive -s "['login']"

running tests

python3 -m unittest blindy_test.py