-
-
[原创][求助]sssqlmaps(GUI) - 利用python和sqlmap实现的SQL注入批量检测工具
-
发表于: 2023-2-14 15:07
-
简介
我们在进行进行漏洞扫描时候,sqlmap往往是最常使用的工具之一了
SQLMap 是一个自动化的SQL注入工具,其主要功能是扫描、发现并利用给定URL的SQL注入漏洞,内置了很多绕过插件,支持的数据库是MySQL 、Oracle 、PostgreSQL 、Microsoft SQL Server、Microsoft Access 、IBM DB2, SQ Lite 、Firebird 、Sybase和SAPMaxDB 。
但是在使用中,我们往往得一个个扫描,如果是单个网站还好,若是多个网站(我们往往在挖洞过程中,在资产检索平台导出的一堆数据),所以本次利用python和sqlmap开发出了sssqlmaps工具,很大效率的增加了我们漏洞扫描的效率。
sssqlmaps v1.0
本软件的原理还是利用 subprocess 运行命令行的sqlmap程序,所以使用时候确认本机已有sqlmap并且加入环境变量可以直接运行,例如我在Mac环境或者kali中直接可以运行,而在win中需要在sqlmap.py 所在路径下 将77行注释掉,78行注释取消掉,也就是运行本段:
result = subprocess.run(['python', 'sqlmap.py', '-u', url] + params.split() + ['--batch'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
各位大佬们也可以用此方法做出各种各样工具的批量扫描工具,身为小菜鸡的我在此就不做过多阐述了,代码:
"""
============================
# -*- coding: utf-8 -*-
# @Time : 2023/2/14 11:02
# @Author : Denceun_siwei
# @FileName: sssqlmaps.py
# @Software: PyCharm
===========================
"""
import tkinter as tk
from tkinter import ttk
from tkinter import filedialog
import subprocess
import threading
class Application(tk.Tk):
def __init__(self):
super().__init__()
self.title("sssqlmaps v1.0 - SQL注入批量检测工具 By.思维")
self.geometry("900x750")
self.columns = ("URL", "Injection", "Payload")
self.tree = ttk.Treeview(self, columns=self.columns, show="headings")
for col in self.columns:
self.tree.heading(col, text=col)
self.tree.column(col, width=100, anchor="center")
self.tree.pack(fill="both", expand=True)
self.text_widget = tk.Text(self, height=20)
self.text_widget.pack(fill="x")
self.text_widget.tag_configure("bold_text", font=("TkDefaultFont", 20, "bold"))
self.text_widget.tag_add("bold_text", "1.0", "end")
buttons_frame = tk.Frame(self)
buttons_frame.pack(fill="x", pady=10)
import_data_btn = tk.Button(buttons_frame, text="导入URL", command=self.import_data)
import_data_btn.pack(side="left", padx=10)
tk.Label(buttons_frame, text="sqlmap -u url --batch").pack(side="left")
self.params_entry = tk.Entry(buttons_frame, width=50)
self.params_entry.pack(side="left", padx=10)
self.params_entry.insert(0, "--level 3")
self.run_btn = tk.Button(buttons_frame, text="运行", command=self.run)
self.run_btn.pack(side="left", padx=10)
clear_btn = tk.Button(buttons_frame, text="清空", command=self.clear_content)
clear_btn.pack(side="left", padx=10)
def import_data(self):
file_path = filedialog.askopenfilename(defaultextension=".txt", filetypes=[("Text Files", "*.txt")])
if file_path:
self.tree.delete(*self.tree.get_children())
with open(file_path, "r") as file:
for line in file:
line = line.strip().split(",")
self.tree.insert("", "end", values=line)
def run(self):
params = self.params_entry.get()
# print(params)
self.run_btn.config(text="正在运行", state="disabled")
thread = threading.Thread(target=self._run_scan, args=(params,))
thread.start()
def _run_scan(self, params):
for item in self.tree.get_children():
url = self.tree.item(item)["values"][0]
result = subprocess.run(['sqlmap', '-u', url] + params.split() + ['--batch'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# result = subprocess.run(['python', 'sqlmap.py', '-u', url] + params.split() + ['--batch'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
result_output = result.stdout.decode("utf-8") + result.stderr.decode("utf-8")
self.text_widget.insert("end", result_output)
self.text_widget.update()
if "Parameter: " in result_output:
self.tree.set(item, "Injection", "Yes")
payload_start = result_output.index("Payload:") + len("Payload:")
payload_end = result_output.index("\n", payload_start)
self.tree.set(item, "Payload", result_output[payload_start:payload_end].strip())
else:
self.tree.set(item, "Injection", "No")
self.run_btn.config(text="运行", state="normal")
def clear_content(self):
self.text_widget.delete("1.0", "end")
for item in self.tree.get_children():
self.tree.set(item, "URL", "")
self.tree.set(item, "Injection", "")
self.tree.set(item, "Payload", "")
if __name__ == "__main__":
app = Application()
app.mainloop()小弟刚学,大佬勿喷【可怜】
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
