burpsuite扫描web目录
1.进行抓包
![](https://images2017.cnblogs.com/blog/1174022/201802/1174022-20180203234424359-1443753130.png)
2.将其发送到lntruder
![](https://images2017.cnblogs.com/blog/1174022/201802/1174022-20180203234436296-1708180026.png)
3.使用替换脚本替换掉/
![](https://images2017.cnblogs.com/blog/1174022/201802/1174022-20180203234511468-1865482463.png)
4.替换![]()
![](https://images2017.cnblogs.com/blog/1174022/201802/1174022-20180203234518781-238332459.png)
5.替换结果
![](https://images2017.cnblogs.com/blog/1174022/201802/1174022-20180203234531484-442079171.png)
6.将多余的$$删除,在/后面添加$$ //$$就是payload
![](https://images2017.cnblogs.com/blog/1174022/201802/1174022-20180203234541828-562000752.png)
7.测试结果
![](https://images2017.cnblogs.com/blog/1174022/201802/1174022-20180203234554218-471602628.png)
替换脚本代码:
import os import re user = input('Please enter the dictionary path:') def config(): path="{}".format(user) if os.path.exists(path): print('[+]Dictionary file existence') print(user) else: print('[-]The target dictionary does not exist') exit() def replace(): path=user foropen=open(path,'r') wlcw="" for line in foropen: if re.search("/",line): line=re.sub("/","",line) wlcw+=line else: wlcw+line print('[*]In the rewriting...') wopen=open(path,'w') wopen.write(wlcw) wopen.close() foropen.close() replace()