OverTheWire Walkthrough: Natas Level 30


Open level 30 and log in to look around.

We can see that it is a standard login form.

Could there be an injection?

Let's look at the source first.

The file is written in Perl.


END

if ('POST' eq request_method && param('username') && param('password')){
    my $dbh = DBI->connect( "DBI:mysql:natas30","natas30", "<censored>", {'RaiseError' => 1});
    # The query is built by string concatenation; param() is called in list
    # context inside quote()'s argument list, so a repeated form field hands
    # quote() a second argument (interpreted as a SQL data type).
    my $query="Select * FROM users where username =".$dbh->quote(param('username')) . " and password =".$dbh->quote(param('password')); 

    my $sth = $dbh->prepare($query);
    $sth->execute();
    my $ver = $sth->fetch();
    if ($ver){
        print "win!<br>";
        print "here is your result:<br>";
        print @$ver;
    }
    else{
        print "fail :(";
    }
    $sth->finish();
    $dbh->disconnect();
}

print <<END;


This is SQL injection again; the key lies in how the query string is built.


Let's look at an experienced player's analysis:

Following that line of thinking:

Open Burp Suite and capture the request.

The form submits via POST.

Modify the request body.

The payload is:


username=natas31&password='xxx' or 1=1 &password=2
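Why the duplicated password field matters, and how the check should have been written, as an added Perl example (not the page's or the Natas author's code): `param('password')` inside `quote()`'s argument list is evaluated in list context, so a repeated field supplies a second argument that DBI's `quote($value, $data_type)` treats as a SQL type, and for a numeric type it returns the value without quoting. The hardened form below uses bind placeholders and scalar context; the connection string and `<censored>` password are the page's own placeholders.

```perl
#!/usr/bin/perl
# Added example: the same login check in vulnerable and hardened form.
use strict;
use warnings;
use CGI qw(:standard);
use DBI;

# Vulnerable: mirrors the level's query construction. With the request body
#   password='xxx' or 1=1 &password=2
# param('password') returns two values, so this becomes
#   $dbh->quote("'xxx' or 1=1 ", "2")
# and DBI returns the first argument unquoted because type 2 is numeric.
sub build_query_vulnerable {
    my ($dbh) = @_;
    return "SELECT * FROM users WHERE username = "
         . $dbh->quote(param('username'))
         . " AND password = "
         . $dbh->quote(param('password'));
}

# Hardened: user input never becomes part of the SQL text. Assigning param()
# to a scalar forces scalar context, so only the first value of a repeated
# field is used, and the driver sends the values separately from the query.
sub check_login_hardened {
    my ($dbh) = @_;
    my $username = param('username');   # scalar context: first value only
    my $password = param('password');
    return 0 unless defined $username && defined $password;

    my $sth = $dbh->prepare(
        'SELECT username FROM users WHERE username = ? AND password = ?');
    $sth->execute($username, $password);
    my $row = $sth->fetch;
    $sth->finish;
    return $row ? 1 : 0;
}

if ('POST' eq request_method) {
    my $dbh = DBI->connect('DBI:mysql:natas30', 'natas30', '<censored>',
                           { RaiseError => 1 });
    print check_login_hardened($dbh) ? "win!\n" : "fail :(\n";
    $dbh->disconnect;
}
```

With the hardened version the same request simply compares the literal string `'xxx' or 1=1 ` against the stored password and fails.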


We get the password.


References

Natas30 Writeup(sql注入) - zhengna - 博客园 (cnblogs.com)
