From 7486672d56bac2a2e348b2711bc68ac719e9a16e Mon Sep 17 00:00:00 2001 From: sck <2238502556@qq.com> Date: Thu, 26 Dec 2024 08:30:37 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/sqlmap-master/tamper/base64encode.py | 24 ++++++--- src/sqlmap-master/tamper/between.py | 52 ++++++++++--------- src/sqlmap-master/tamper/binary.py | 43 +++++++-------- src/sqlmap-master/tamper/bluecoat.py | 38 +++++++++----- src/sqlmap-master/tamper/chardoubleencode.py | 35 +++++++------ src/sqlmap-master/tamper/charencode.py | 49 ++++++++++------- src/sqlmap-master/tamper/charunicodeencode.py | 48 +++++++++++------ src/sqlmap-master/tamper/charunicodeescape.py | 37 ++++++++----- 8 files changed, 196 insertions(+), 130 deletions(-) diff --git a/src/sqlmap-master/tamper/base64encode.py b/src/sqlmap-master/tamper/base64encode.py index 9e81dc9..ff35fd2 100644 --- a/src/sqlmap-master/tamper/base64encode.py +++ b/src/sqlmap-master/tamper/base64encode.py @@ -5,20 +5,28 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -from lib.core.convert import encodeBase64 -from lib.core.enums import PRIORITY +from lib.core.convert import encodeBase64 # 导入Base64编码函数 +from lib.core.enums import PRIORITY # 导入优先级枚举 -__priority__ = PRIORITY.LOW +__priority__ = PRIORITY.LOW # 设置优先级为低 def dependencies(): pass def tamper(payload, **kwargs): - """ - Base64-encodes all characters in a given payload + """ + 这个函数用于篡改(tamper)输入的payload,将所有字符进行Base64编码。 + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + 对输入的payload进行Base64编码,这可以用于绕过某些对特殊字符有限制的安全防护措施。 - >>> tamper("1' AND SLEEP(5)#") - 'MScgQU5EIFNMRUVQKDUpIw==' + 示例: + >>> tamper("1' AND SLEEP(5)#") + 'MScgQU5EIFNMRUVQKDUpIw==' """ - return encodeBase64(payload, binary=False) if payload else payload + return encodeBase64(payload, binary=False) if payload else payload # 如果payload不为空,则对其进行Base64编码,binary=False表示结果为ASCII字符串 diff --git a/src/sqlmap-master/tamper/between.py b/src/sqlmap-master/tamper/between.py index d07e224..41fd980 100644 --- a/src/sqlmap-master/tamper/between.py +++ b/src/sqlmap-master/tamper/between.py @@ -16,44 +16,46 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #' + 这个函数用于篡改(tamper)输入的payload,将大于操作符('>)替换为'NOT BETWEEN 0 AND #',将等于操作符('=')替换为'BETWEEN # AND #'。 - Tested against: - * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + 测试情况: + * 微软 SQL Server 2005 + * MySQL 4, 5.0 和 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the greater than character - * The BETWEEN clause is SQL standard. Hence, this tamper script - should work against all (?) databases - - >>> tamper('1 AND A > B--') - '1 AND A NOT BETWEEN 0 AND B--' - >>> tamper('1 AND A = B--') - '1 AND A BETWEEN B AND B--' - >>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()') - '1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()' + 注意: + * 这个替换很有用,可以绕过那些只过滤大于字符的弱Web应用防火墙。 + * BETWEEN子句是SQL标准。因此,这个tamper脚本应该适用于所有数据库。 + + 示例: + >>> tamper('1 AND A > B--') + '1 AND A NOT BETWEEN 0 AND B--' + >>> tamper('1 AND A = B--') + '1 AND A BETWEEN B AND B--' + >>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()') + '1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()' """ - retVal = payload - if payload: + retVal = payload # 初始化返回值 + + if payload:# 如果payload不为空 + # 使用正则表达式查找并替换大于操作符('>) match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>]+)\s*\Z", payload) - if match: + if match: # 如果找到匹配项 _ = "%s %s NOT BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _) # 替换匹配项 else: - retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload) + retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload) # 替换大于操作符 - if retVal == payload: + if retVal == payload: # 如果返回值未改变,尝试替换等于操作符('=) match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^=]+?)\s*=\s*([\w()]+)\s*", payload) - if match: + if match:# 如果找到匹配项 _ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _)# 替换匹配项 + - return retVal + return retVal# 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/binary.py b/src/sqlmap-master/tamper/binary.py index b0151a3..023047f 100644 --- a/src/sqlmap-master/tamper/binary.py +++ b/src/sqlmap-master/tamper/binary.py @@ -16,28 +16,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - Injects keyword binary where possible - - Requirement: - * MySQL - - >>> tamper('1 UNION ALL SELECT NULL, NULL, NULL') - '1 UNION ALL SELECT binary NULL, binary NULL, binary NULL' - >>> tamper('1 AND 2>1') - '1 AND binary 2>binary 1' - >>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END') - 'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END' + 这个函数用于篡改(tamper)输入的payload,注入MySQL中的关键字'binary',以尝试绕过某些安全防护措施。 + + 要求: + * 仅适用于MySQL数据库。 + + 示例: + >>> tamper('1 UNION ALL SELECT NULL, NULL, NULL') + '1 UNION ALL SELECT binary NULL, binary NULL, binary NULL' + >>> tamper('1 AND 2>1') + '1 AND binary 2>binary 1' + >>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END') + 'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END' """ - retVal = payload + retVal = payload # 初始化返回值 - if payload: - retVal = re.sub(r"\bNULL\b", "binary NULL", retVal) - retVal = re.sub(r"\b(THEN\s+)(\d+|0x[0-9a-f]+)(\s+ELSE\s+)(\d+|0x[0-9a-f]+)", r"\g<1>binary \g<2>\g<3>binary \g<4>", retVal) - retVal = re.sub(r"(\d+\s*[>=]\s*)(\d+)", r"binary \g<1>binary \g<2>", retVal) - retVal = re.sub(r"\b((AND|OR)\s*)(\d+)", r"\g<1>binary \g<3>", retVal) - retVal = re.sub(r"([>=]\s*)(\d+)", r"\g<1>binary \g<2>", retVal) - retVal = re.sub(r"\b(0x[0-9a-f]+)", r"binary \g<1>", retVal) - retVal = re.sub(r"(\s+binary)+", r"\g<1>", retVal) + if payload: # 如果payload不为空 + retVal = re.sub(r"\bNULL\b", "binary NULL", retVal) # 替换NULL为binary NULL + retVal = re.sub(r"\b(THEN\s+)(\d+|0x[0-9a-f]+)(\s+ELSE\s+)(\d+|0x[0-9a-f]+)", r"\g<1>binary \g<2>\g<3>binary \g<4>", retVal)# 在THEN和ELSE后的数字或十六进制值前添加binary关键字 + retVal = re.sub(r"(\d+\s*[>=]\s*)(\d+)", r"binary \g<1>binary \g<2>", retVal)# 在数字比较操作中添加binary关键字 + retVal = re.sub(r"\b((AND|OR)\s*)(\d+)", r"\g<1>binary \g<3>", retVal)# 在AND或OR条件后的数字前添加binary关键字 + retVal = re.sub(r"([>=]\s*)(\d+)", r"\g<1>binary \g<2>", retVal)# 在比较操作符前的数字前添加binary关键字 + retVal = re.sub(r"\b(0x[0-9a-f]+)", r"binary \g<1>", retVal) # 在十六进制值前添加binary关键字 + retVal = re.sub(r"(\s+binary)+", r"\g<1>", retVal) # 移除多余的binary关键字 - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/bluecoat.py b/src/sqlmap-master/tamper/bluecoat.py index 7438d30..46e34e5 100644 --- a/src/sqlmap-master/tamper/bluecoat.py +++ b/src/sqlmap-master/tamper/bluecoat.py @@ -5,11 +5,12 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re# 导入正则表达式模块 -from lib.core.data import kb -from lib.core.enums import PRIORITY +from lib.core.data import kb # 导入知识库(包含SQL关键字等信息) +from lib.core.enums import PRIORITY # 导入优先级枚举 +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -17,34 +18,45 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE + 这个函数用于篡改(tamper)输入的payload,通过替换空格字符和等号来绕过Blue Coat SGOS的WAF。 - Requirement: - * Blue Coat SGOS with WAF activated as documented in - https://kb.bluecoat.com/index?page=content&id=FAQ2147 + 功能: + * 将SQL语句后的空格替换为有效的随机空白字符。 + * 将等号(=)替换为LIKE操作符。 - Tested against: + 要求: + * Blue Coat SGOS,且WAF已激活,参考文档:https://kb.bluecoat.com/index?page=content&id=FAQ2147 + + 测试情况: * MySQL 5.1, SGOS - Notes: - * Useful to bypass Blue Coat's recommended WAF rule configuration + 注意: + * 这个篡改方法对于绕过Blue Coat推荐的WAF规则配置很有用。 - >>> tamper('SELECT id FROM users WHERE id = 1') - 'SELECT%09id FROM%09users WHERE%09id LIKE 1' + 示例: + >>> tamper('SELECT id FROM users WHERE id = 1') + 'SELECT%09id FROM%09users WHERE%09id LIKE 1' """ def process(match): + """ + 辅助函数,用于处理正则匹配的结果。 + 将匹配到的SQL关键字替换为带有%09(制表符)的版本。 + """ word = match.group('word') if word.upper() in kb.keywords: return match.group().replace(word, "%s%%09" % word) else: return match.group() - retVal = payload + retVal = payload # 初始化返回值 if payload: + # 替换SQL关键字后跟非单词字符或字符串末尾的空格 retVal = re.sub(r"\b(?P[A-Z_]+)(?=[^\w(]|\Z)", process, retVal) + # 将等号替换为LIKE操作符 retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) + # 移除多余的%09空格 retVal = retVal.replace("%09 ", "%09") return retVal diff --git a/src/sqlmap-master/tamper/chardoubleencode.py b/src/sqlmap-master/tamper/chardoubleencode.py index ea711b4..6e032fc 100644 --- a/src/sqlmap-master/tamper/chardoubleencode.py +++ b/src/sqlmap-master/tamper/chardoubleencode.py @@ -5,10 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import string +import string # 导入字符串处理模块 -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 导入优先级枚举 +# 设置优先级为低 __priority__ = PRIORITY.LOW def dependencies(): @@ -16,27 +17,31 @@ def dependencies(): def tamper(payload, **kwargs): """ - Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554) + 这个函数用于篡改(tamper)输入的payload,通过双重URL编码所有字符(不处理已经编码的字符)。 - Notes: - * Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset + 注意: + * 这个技术很有用,可以绕过一些不进行双重URL解码的弱Web应用防火墙。 - >>> tamper('SELECT FIELD FROM%20TABLE') - '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' + 示例: + >>> tamper('SELECT FIELD FROM%20TABLE') + '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' """ - retVal = payload + retVal = payload # 初始化返回值 - if payload: - retVal = "" - i = 0 - while i < len(payload): + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + + while i < len(payload): # 遍历payload中的每个字符 + # 如果当前字符是%且后面两个字符是十六进制数字(已编码的字符),则进行双重编码 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += '%%25%s' % payload[i + 1:i + 3] - i += 3 + i += 3 # 移动索引,跳过已处理的三个字符 else: + # 对未编码的字符进行双重URL编码 retVal += '%%25%.2X' % ord(payload[i]) - i += 1 + i += 1 # 移动索引,处理下一个字符 - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/charencode.py b/src/sqlmap-master/tamper/charencode.py index 181f978..6806af2 100644 --- a/src/sqlmap-master/tamper/charencode.py +++ b/src/sqlmap-master/tamper/charencode.py @@ -5,45 +5,54 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import string +import string # 导入字符串常量库,用于处理字符和十六进制数字 -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST# 设置优先级为最低 def dependencies(): pass def tamper(payload, **kwargs): """ - URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) + 这个函数用于篡改(tamper)输入的payload,通过URL编码所有字符(不处理已经编码的字符)。 - Tested against: + 功能: + * 将输入的SQL语句中的所有字符进行URL编码。 + * 例如,将'SELECT'转换为'%53%45%4C%45%43%54'。 + + 测试情况: * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + * MySQL 4, 5.0 和 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset - * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS + 注意: + * 这个方法对于绕过一些非常弱的Web应用防火墙很有用,这些防火墙在处理请求时不进行URL解码。 + * Web服务器会传递解码后的版本,因此应该适用于任何数据库管理系统(DBMS)。 - >>> tamper('SELECT FIELD FROM%20TABLE') - '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' + 示例: + >>> tamper('SELECT FIELD FROM%20TABLE') + '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' """ - retVal = payload - if payload: - retVal = "" - i = 0 + retVal = payload # 初始化返回值为输入的payload + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + # 遍历payload中的每个字符 while i < len(payload): + # 检查当前字符是否为%且后面两个字符是十六进制数字(已编码的字符) if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: - retVal += payload[i:i + 3] - i += 3 + retVal += payload[i:i + 3] # 如果是已编码的字符,直接添加到返回值 + i += 3 # 移动索引,跳过已处理的三个字符 else: - retVal += '%%%.2X' % ord(payload[i]) - i += 1 + # 对未编码的字符进行URL编码,并添加到返回值 + retVal += '%%%.2X' % ord(payload[i])# 将字符转换为其ASCII值的十六进制表示 + i += 1 # 移动索引,处理下一个字符 + - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/charunicodeencode.py b/src/sqlmap-master/tamper/charunicodeencode.py index 6e8b429..c8f72ce 100644 --- a/src/sqlmap-master/tamper/charunicodeencode.py +++ b/src/sqlmap-master/tamper/charunicodeencode.py @@ -8,46 +8,62 @@ See the file 'LICENSE' for copying permission import os import string -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST # 设置优先级为最低 def dependencies(): + """ + 这个函数用于在运行时检查依赖关系,并给出警告信息。 + + 功能: + - 显示一条单次警告消息,指出当前的tamper脚本仅适用于ASP或ASP.NET Web应用程序。 + """ singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0]) def tamper(payload, **kwargs): """ - Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) + 这个函数用于篡改(tamper)输入的payload,通过Unicode-URL编码所有字符(不处理已经编码的字符)。 + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 将输入的payload中的字符转换为Unicode-URL编码格式(例如,'SELECT'转换为'%u0053%u0045%u004C%u0045%u0043%u0054')。 - Requirement: - * ASP - * ASP.NET + 要求: + * 仅适用于ASP和ASP.NET环境。 - Tested against: + 测试情况: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 * MySQL 5.1.56 * PostgreSQL 9.0.3 - Notes: - * Useful to bypass weak web application firewalls that do not unicode URL-decode the request before processing it through their ruleset + 注意: + * 这个篡改方法对于绕过那些在处理请求前不进行Unicode URL解码的弱Web应用防火墙很有用。 - >>> tamper('SELECT FIELD%20FROM TABLE') - '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' + 示例: + >>> tamper('SELECT FIELD%20FROM TABLE') + '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload - if payload: - retVal = "" - i = 0 + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + # 遍历payload中的每个字符 while i < len(payload): + # 如果当前字符是%且后面两个字符是十六进制数字(已编码的字符),则进行Unicode-URL编码 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += "%%u00%s" % payload[i + 1:i + 3] i += 3 else: + # 对未编码的字符进行Unicode-URL编码,并添加到返回值 retVal += '%%u%.4X' % ord(payload[i]) i += 1 diff --git a/src/sqlmap-master/tamper/charunicodeescape.py b/src/sqlmap-master/tamper/charunicodeescape.py index 8fe05c0..41d47a6 100644 --- a/src/sqlmap-master/tamper/charunicodeescape.py +++ b/src/sqlmap-master/tamper/charunicodeescape.py @@ -5,35 +5,48 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import string +import string # 导入字符串常量库,用于处理字符和十六进制数字 -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def tamper(payload, **kwargs): """ - Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) + 这个函数用于篡改(tamper)输入的payload,通过Unicode转义非编码字符(不处理已经编码的字符)。 - Notes: - * Useful to bypass weak filtering and/or WAFs in JSON contexes + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - >>> tamper('SELECT FIELD FROM TABLE') - '\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046\\\\u0049\\\\u0045\\\\u004C\\\\u0044\\\\u0020\\\\u0046\\\\u0052\\\\u004F\\\\u004D\\\\u0020\\\\u0054\\\\u0041\\\\u0042\\\\u004C\\\\u0045' + 功能: + - 将输入的payload中的字符转换为Unicode转义序列(例如,'SELECT'转换为'\u0053\u0045\u004C\u0045\u0043\u0054')。 + + 注意: + * 这个方法对于绕过在JSON上下文中的弱过滤和/或Web应用防火墙(WAFs)很有用。 + + 示例: + >>> tamper('SELECT FIELD FROM TABLE') + '\\u0053\\u0045\\u004C\\u0045\\u0043\\u0054 \\u0020\\u0046\\u0049\\u0045\\u004C\\u0044 \\u0046\\u0052\\u004F\\u004D \\u0054\\u0041\\u0042\\u004C\\u0045' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + - if payload: - retVal = "" - i = 0 + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + # 遍历payload中的每个字符 while i < len(payload): + # 如果当前字符是%且后面两个字符是十六进制数字(已编码的字符),则进行Unicode转义 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += "\\u00%s" % payload[i + 1:i + 3] i += 3 else: + # 对未编码的字符进行Unicode转义,并添加到返回值 retVal += '\\u%.4X' % ord(payload[i]) - i += 1 + i += 1 # 移动索引,处理下一个字符 return retVal