Use Python to automatically fill in a questionnaire
0X00 Preface
School is about to start, and I can see all kinds of surveys in the space. I just remembered that I haven't done mine yet. I have no interest in this meaningless questionnaire, so I plan to use "special effects", that is, Python. It is also a chance to review Python after a long time. Next, the show starts...
0X01 Approach to writing the code
First, create a questionnaire.
Fill in the questionnaire and submit it, with Burp Suite enabled to intercept the request before submission.
Part of the intercepted request is URL-encoded, which makes it hard to analyze. You can use Burp Suite's encoding module to decode the data and replace it.
By observation, we can see that the request POSTs a strange-looking string: submitdata=1$2}2$3}3$3}4$4}5$3}6$2}7$4}8$2}9$3}10$3. On closer analysis, the format is submitdata=question number$option number}question number$option number}...
With this information, you can start writing the Python program.
The running result is as follows:
It seems that the website has another anti-crawler mechanism: after several forms are submitted consecutively, a verification code is displayed. Do we need to add verification code recognition to the program at this point? In fact, we don't. First, we can analyze the header information intercepted by Burp Suite to see how the website identifies that a crawler is submitting the questionnaire.
Through some tests, I found that when I submitted three questionnaires consecutively and then submitted three more from another IP address, that is, six questionnaires in a row, the website's anti-crawler mechanism was not triggered. We can therefore guess that the site identifies crawlers by how frequently each IP address submits the questionnaire. You may think that we can submit the questionnaire through free proxies found on the Internet. For example
Does that mean we need to add a free proxy IP extraction function to the Python code? No! Think of it another way: CTF competitions include challenges of this kind, for example one where you get the flag only if your IP address is from Germany. So our idea is to spoof the request headers, forge our IP address, and deceive the server. The following are several headers that can be used to forge an IP address.
X-Client-IP: 1.1.1.1
X-Remote-IP: 2.2.2.2
X-Remote-Addr: 3.3.3.3
X-Originating-IP: 4.4.4.4
X-Forwarded-For: 5.5.5.5
Try each of them in turn, then look at the source recorded for our questionnaires in the back-end statistics.
Here we find that X-Forwarded-For can be used to bypass the check. We will use this method and add the X-Forwarded-For field to the request headers. The modified script is as follows:
The running result is as follows:
Go to the back end to check the statistics.
At this point, the problem is solved perfectly. If you do not want IP addresses from outside China to appear in the questionnaire, you can collect the IP address ranges in China and add them to the program.
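The bypass works only because the server takes the submitter's address from a header the client controls. The following added example (not code from the original post or from the questionnaire site) shows the server-side counterpart: the rate-limit key comes from the TCP peer address, and X-Forwarded-For is honoured only when that peer is a known reverse proxy. The proxy range, the limit of 3 per 60 seconds, and all function and class names are assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Assumption: the only reverse proxies in front of the application.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, headers):
    """Return the address to rate-limit on.

    peer_addr is the TCP peer of the connection; headers is a dict of
    request headers. X-Forwarded-For is honoured only when the peer is a
    trusted proxy, and is read right to left so that entries prepended by
    the client are never reached.
    """
    if not is_trusted(peer_addr):
        return peer_addr  # direct connection: the header is client-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop trusting the chain
    return peer_addr

class SubmissionLimiter:
    """Sliding-window limit on submissions per resolved client address."""
    def __init__(self, limit=3, window=60.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def allow(self, peer_addr, headers, now=None):
        now = time.monotonic() if now is None else now
        q = self.seen[client_ip(peer_addr, headers)]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: require the verification code
        q.append(now)
        return True
```

With this logic, a direct client that changes X-Forwarded-For on every request is still counted under its real connection address, so the verification code is triggered as intended.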
0X02 Conclusion
You can usually apply what you have learned to real life. When you run into difficulties, don't worry; think more and find the best solution. For example, I did not add a verification code recognition module to the code, nor did I use a proxy to bypass the website's anti-crawler mechanism. Instead, I analyzed the website's anti-crawler mechanism and used security knowledge I had learned (HTTP header spoofing) to solve the problem easily and complete the task with the shortest code.