Every time I run into a challenge that needs a script written, I can't solve it cleanly... so I am summarizing the approach here.
Example 1
URL: http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php
Analysis of the challenge:
The answer changes every time the page is refreshed, and it has to be submitted within 2 seconds, so the whole point is speed. That is why we solve it with a Python script.
Analysis of the page, before submission:

```html
<html>
<head>
<meta http-equiv=Content-Type content="text/html;charset=utf-8">
</head>
<body>
<form action="" method="post">
请在2秒内口算结果并提交!<br/>
9421*53328+452*(9421+53328)=<input type="text" name="v"/>
<input type="submit" value="提交"/>
</form>
</body>
</html>
```
```python
# coding:utf-8
import re
import requests
# from bs4 import BeautifulSoup  # BeautifulSoup could also be used to pick out the element value
url = 'http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php'
s = requests.session()
r = s.get(url)
# get() returns a <class 'requests.models.Response'> object, which has a content attribute
# Help on property:
#   Content of the response, in bytes.
# i.e. the attribute holds a raw byte string
# type(r.content)
# <class 'bytes'>
content = r.content.decode('utf-8')  # after decoding it is a 'str'
# Compile the regular expression and capture the expression between "<br/>" and "="
num = re.findall(re.compile(r'<br/>\s+(.*?)='), content)[0]
# the expression to compute
print(num)
print('\n')
# the result to submit
# eval() executes whatever text the regex captured, so only point this at a page whose response you trust
print(eval(num))
print('\n')
# build the payload from the page source
payload = {'v': eval(num)}  # the POST parameter name in the page source is `v`
# POST it
flag = s.post(url, data=payload)
html = flag.content.decode('utf-8')
# soup = BeautifulSoup(html, 'html.parser')
print(html)
# print(soup.body)
```
Output:

```text
5107*75974+314*(5107+75974)
413458652
<html>
<head>
<meta http-equiv=Content-Type content="text/html;charset=utf-8">
</head>
<body>key is 123iohHKHJ%^&*(jkh </body>
</html>
```
Example 2
Analysis of the page:

```html
<head>
<title>下面的表达式的值是秋名山的车速</title>
<meta charset="UTF-8">
</head>
<p>亲请在2s内计算老司机的车速是多少</p>
<div>1655515983+1143156749*1810018454+183925029-1536435370*523208394*796423009+96579596+1879478086*852622341*1491753191=?;</div>
<style>
div,p{
text-align: center;
margin: 0 auto;
}
</style>
```
```python
# coding:utf-8
import requests
from bs4 import BeautifulSoup as BP
url = "http://123.206.87.240:8002/qiumingshan/"
s = requests.session()  # a session() object is required, otherwise the expression changes again on submit and the answer will not match
r = s.get(url)
html = r.content.decode('utf-8')
soup = BP(html, 'html.parser')
num1 = soup.div
# the div text ends in "=?;", which eval() cannot parse, so keep only the part before "="
num2 = num1.get_text().split('=')[0]
payload = {'value': eval(num2)}  # the POST parameter name is assumed to be `value`
flag = s.post(url, data=payload)
print(flag.content.decode('utf-8'))
```
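Both scripts above hand the text scraped from the page straight to eval(), which runs any Python the response happens to contain. The following added example (my own code, not from the post) extracts the expression from either page layout shown above and evaluates it with an AST whitelist that accepts only integers, +, -, * and parentheses; the two sample HTML fragments are constructed from the page sources quoted above, and solve() is a hypothetical wrapper that assumes the POST field name is passed in by the caller.

```python
import ast
import operator
import re

# Constructed samples, copied from the two page sources quoted above.
SAMPLE_FORM = '请在2秒内口算结果并提交!<br/>\n9421*53328+452*(9421+53328)=<input type="text" name="v"/>'
SAMPLE_DIV = '<div>1655515983+1143156749*1810018454-1536435370*523208394=?;</div>'

# Example 1 puts the expression after "<br/>" and before "=", example 2 wraps it in "<div>...=?;".
EXPR_PATTERNS = [
    re.compile(r'<br/>\s*([0-9+\-*() ]+?)\s*='),
    re.compile(r'<div>\s*([0-9+\-*() ]+?)\s*=\?;'),
]

def extract_expression(html):
    """Return the arithmetic expression embedded in the page, or None if no layout matches."""
    for pat in EXPR_PATTERNS:
        m = pat.search(html)
        if m:
            return m.group(1).strip()
    return None

# Only these node types are allowed; names, calls, attribute access and ** are rejected.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.USub: operator.neg}

def safe_eval(expr):
    """Evaluate integer +, -, * and parentheses; anything else raises ValueError."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        raise ValueError("unsupported syntax: %s" % ast.dump(node))
    return walk(ast.parse(expr, mode="eval").body)

def solve(url, field):
    """Hypothetical wrapper: fetch, solve and POST in one session, within the 2-second window."""
    import requests  # imported here so the offline helpers above do not need it
    s = requests.Session()
    expr = extract_expression(s.get(url).content.decode("utf-8"))
    if expr is None:
        raise ValueError("no arithmetic expression found in the page")
    return s.post(url, data={field: safe_eval(expr)}).text
```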