How to use Python to automate questionnaire completion

This article mainly introduces the use of Python to automatically fill out the questionnaire related information, the need for friends can refer to the following

0x00 Preface

Fast Start school, see the space inside various to fill in the questionnaire, I just think of looks like I also haven't done. For this pointless questionnaire, I am not very cold, so I intend to use "stunt" to complete, that is, Python, by the way to review Python, really long time useless. Below, the show begins ...

0x01 Code Writing Ideas

First create a questionnaire

We fill out a questionnaire and submit it, open Burpsuite intercept packet before submitting

For the intercepted packet analysis, some of the URL encoding is not conducive to analysis, you can use the Burpsuite encoding module decoding replacement, so that the analysis of the

By observing, you can find that post has a bunch of strange data submitdata=1$2}2$3}3$3}4$4}5$3}6$2}7$4}8$2}9$3}10$3. Careful analysis can see that the data is probably the meaning of the submitdata= question $ option number} question number $ option number} Title $ option number} ...

With this information, you can start writing Python programs.

The operation results are as follows

It seems that the site has other anti-crawler mechanisms, after the continuous submission of several forms, there is a verification code. Are we going to add a function that identifies the verification code to the program at this point? In fact, we can first analyze the Burpsuite intercepted the header information, to see exactly how the site is the way to identify that we are using crawlers to submit questionnaires.

Through a test, I found that when I submitted 3 questionnaires in succession, and another IP to submit 3 questionnaires, that is, the continuous submission of 6 questionnaires, and did not trigger the site anti-crawler mechanism. So we can guess each other based on the frequency of the IP submission questionnaire to identify the crawler. As you can see here, we may be able to submit a questionnaire through a free agent online. such as these

Does that mean we also add the ability to extract free proxy ips into Python code? No no no! Another way of thinking, in the CTF competition will encounter a problem, such as your IP is from Germany can get flag. So, our idea is to do data Baotou spoofing, fake our IP, fooled the server. Here are a few ways to fake IP.

x-client-ip:1.1.1.1x-remote-ip:2.2.2.2x-remote-addr:3.3.3.3x-originating-ip:4.4.4.4x-forwarded-for:5.5.5.5

We try each one, and then we can see the source of our questionnaires in the background.

Here we find that with x-forwarded-for can be bypassed, as we use this method in the header information to add the X-forwarded-for field, so the modified script is as follows

The operation results are as follows

Go back to the background and look at statistics.

At this point, we are the perfect solution to the task. If you want to get rid of the survey of foreign IP address, you can collect the Chinese IP address segment, and then add the program, processing can be.

0x02 Summary

We can usually put the learning things into real life, when encountering difficulties do not panic, think more, find the best solution. For example, I did not add code identification module, and do not go through the proxy way to bypass the site's anti-crawler mechanism, but through the analysis of the site's anti-crawler mechanism, and use the Learned Security knowledge (HTTP header spoofing) Easy to solve the problem, using the shortest code to complete the task perfectly.