HTTP Network Analysis Payload Blind SQL Injection
We can see the payload in the plain-text (strings) logs. Even where the log is partly scrambled, the SQLi payload is still visible in the `username=` form field, so let's extract it.
username=1%27+and+%28select+sleep%281%29+from+user+where+BINARY+substring%28secretdata%2C179%2C1%29+%3D+CHAR%28126%29%29+%23+&password
URL-decoded:
username=1'+and+(select+sleep(1)+from+user+where+BINARY+substring(secretdata,179,1)+=+CHAR(126))+#+&password
We can automate this with a script, because we know the attacker is using time-based blind SQL injection: each request tests whether one character of `secretdata` (at a given `substring` offset) equals a specific `CHAR()` value, and `sleep(1)` only fires when that comparison is true.
import io
import re
import urllib.parse
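class Read():
    """Minimal helper around a raw HTTP request log for the blind-SQLi reconstruction."""

    def __init__(self, filename):
        # Path of the raw request log to analyse.
        self.filename = filename

    def read(self) -> io.TextIOWrapper:
        """Open the raw log for reading and return the file object.

        The caller owns the handle (use it as a context manager so it gets
        closed). Undecodable bytes are dropped (`errors='ignore'`) because
        captured logs may contain binary noise; this never raises
        UnicodeDecodeError but may silently lose bytes. The payload we care
        about is URL-encoded ASCII, so a fixed UTF-8 decode is safe and keeps
        the result independent of the analyst's locale.
        """
        return open(self.filename, 'r', encoding='utf-8', errors='ignore')

    def get_latest_values(self, l=()) -> dict:
        """Collapse "offset : charcode" lines into {offset: last charcode}.

        Each line is "<offset> : <charcode>" as produced by main(). Later
        lines for the same offset overwrite earlier ones, so the value kept
        is the *last* comparison the attacker made for that offset. In a
        time-based blind SQLi that is normally the probe that matched
        (the tool moves on once the sleep fires) -- an assumption, not a
        guarantee; confirm against the timing of the requests if in doubt.

        Args:
            l: iterable of "offset : charcode" strings. Defaults to empty
               (the previous default was the `list` type itself, which is
               not iterable and made a bare call raise TypeError).

        Returns:
            dict mapping int offset -> int charcode, in first-seen order.

        Raises:
            ValueError: if a line does not split on " : " into exactly two
                integers.
        """
        latest_values: dict[int, int] = {}
        for line in l:
            category, value = map(int, line.split(" : "))
            latest_values[category] = value
        return latest_values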
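def main():
    """Reconstruct the exfiltrated `secretdata` value from the request log.

    Pulls every `username=` payload out of the log, URL-decodes it, extracts
    the probed substring offset and the CHAR() code it was compared against,
    keeps the last comparison per offset (taken to be the matching one,
    assuming the attacker advanced to the next offset as soon as sleep(1)
    fired) and prints the resulting characters in offset order.
    """
    # Assumes every login request ends the form with submit=Login; adjust the
    # anchor if the captured form differs.
    payload_re = re.compile(r'username=(.*?)&submit=Login')
    # NOTE: only equality probes (`= CHAR(n)`) are recognised. A tool that
    # binary-searches with `>`/`<` comparisons would produce no matches here
    # and the "last value wins" heuristic would not apply to it anyway.
    probe_re = re.compile(r'substring\(secretdata,(.*?),1\)\+=\+CHAR\((.*?)\)')

    r = Read('logs')
    # Close the handle when done instead of leaking it.
    with r.read() as log:
        content = log.read()

    output = []
    for username in payload_re.findall(content):
        # unquote (not unquote_plus) on purpose: the '+' separators must
        # survive so probe_re can anchor on '+=+'.
        username = urllib.parse.unquote(username)
        for offset, charcode in probe_re.findall(username):
            output.append(f'{offset} : {charcode}')

    latest_values = r.get_latest_values(output)
    # Emit in offset order rather than first-seen order, so an attacker that
    # probed (or re-probed) positions out of sequence still yields a readable
    # secret; a trailing newline is added so the shell prompt is not glued on.
    print(''.join(chr(code) for _, code in sorted(latest_values.items())))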
# Run the log analysis only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
We just extract the correct chr() for each offset: the last CHAR() value tried for a given `substring(secretdata, <offset>, 1)` is taken to be the one that matched (assuming the attacker's tool moved on to the next offset as soon as the sleep fired), so the latest value per offset reconstructs the secret.